Contents
Introduction ..... 23
  Fortinet products ..... 23
  Before you begin ..... 24
  How this guide is organized ..... 24
  Document conventions ..... 27
    IP addresses ..... 27
    Cautions, Notes and Tips ..... 27
    Typographical conventions ..... 27
    CLI command syntax ..... 28
SNMP ..... 213
  Configuring SNMP ..... 214
  Configuring an SNMP community ..... 215
  Fortinet MIBs ..... 217
  Fortinet and FortiGate traps ..... 218
  Fortinet and FortiGate MIB fields ..... 221
Options ..... 667
Monitor ..... 668
  Firewall user monitor list ..... 668
  IM user monitor list ..... 669
Index ..... 731
Introduction
Ranging from the FortiGate-50 series for small businesses to the FortiGate-5000 series
for large enterprises, service providers and carriers, the FortiGate line combines the
FortiOS security operating system with FortiASIC processors and other hardware to
provide a high-performance array of security and networking functions including:
antivirus/antispyware/antimalware
web filtering
antispam
Fortinet products
Training
Fortinet documentation
Fortinet products
Fortinet's portfolio of security gateways and complementary products offers a powerful
blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly
updated, in-depth threat intelligence. This unique combination delivers network, content,
and application security for enterprises of all sizes, managed service providers, and
telecommunications carriers, while providing a flexible, scalable path for expansion. For
more information on the Fortinet product family, go to www.fortinet.com/products.
The system time, DNS settings, administrator password, and network interfaces have
been configured.
Once that basic installation is complete, you can use this document. This document
explains how to use the web-based manager to:
This guide also contains some information about the FortiGate command line interface
(CLI), but not all the commands. For detailed information on the CLI, see the FortiGate
CLI Reference.
This document is intended for administrators, not end users.
What's new in FortiOS 4.0 MR1 lists and describes some of the new features and
changes in FortiOS Version 4.0 MR1.
System Status describes the System Status page, the dashboard of your FortiGate
unit. At a glance you can view the current system status of the FortiGate unit including
serial number, uptime, FortiGuard license information, system resource usage, alert
messages and network statistics. You can also access the CLI from this page. This
section also describes status changes that you can make, including changing the unit
firmware, host name, and system time. Finally this section describes the topology
viewer that is available on all FortiGate models except those with model numbers 50
and 60.
Using virtual domains describes how to use VDOMs to operate your FortiGate unit as
multiple virtual FortiGate units, which effectively provides multiple separate firewall and
routing services to multiple networks.
System Network explains how to configure physical and virtual interfaces and DNS
settings on the FortiGate unit.
System Admin guides you through adding and editing administrator accounts, defining
admin profiles for administrators, configuring central management using the
FortiGuard Management Service or FortiManager, and defining general administrative
settings such as language, timeouts, and web administration ports.
System Maintenance details how to back up and restore the system configuration
using a management computer or a USB disk, as well as how to use revision control,
enable FortiGuard services and FortiGuard Distribution Network (FDN) updates, and
enter a license key to increase the maximum number of virtual domains.
Router Static explains how to define static routes and create route policies. A static
route causes packets to be forwarded to a destination other than the factory-configured
default gateway.
Router Dynamic explains how to configure dynamic protocols to route traffic through
large or complex networks.
Router Monitor explains how to interpret the Routing Monitor list. The list displays the
entries in the FortiGate routing table.
Firewall Policy describes how to add firewall policies to control connections and traffic
between FortiGate interfaces, zones, and VLAN subinterfaces. This chapter also
describes how to add DoS policies to apply DoS sensors to network traffic and how to
add sniffer policies to operate the FortiGate unit as an Intrusion Detection System
(IDS) appliance by sniffing packets for attacks without actually receiving and otherwise
processing the packets.
Firewall Address describes how to configure addresses and address groups for firewall
policies.
Firewall Service describes available services and how to configure service groups for
firewall policies.
Firewall Schedule describes how to configure one-time and recurring schedules for
firewall policies.
Traffic Shaping describes how to create traffic shaping instances and add them to
firewall policies.
Firewall Virtual IP describes how to configure and use virtual IP addresses and IP
pools.
Firewall Load Balance describes how to use FortiGuard load balancing to intercept
incoming traffic and balance it across available servers.
Firewall Protection Profile describes how to configure protection profiles for firewall
policies.
SIP support includes some high-level information about VoIP and SIP and describes
how FortiOS SIP support works and how to configure the key SIP features.
The AntiVirus, Intrusion Protection, Web Filter, and Email filtering chapters explain how
to configure these options associated with a firewall protection profile.
Data Leak Prevention explains how to use FortiGate data leak prevention to prevent
sensitive data from leaving your network.
IPSec VPN provides information about the tunnel-mode and route-based (interface
mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager.
PPTP VPN explains how to use the web-based manager to specify a range of IP
addresses for PPTP clients.
WAN optimization and web caching describes how to use FortiGate units to improve
performance and security of traffic passing between locations on your wide area
network (WAN) or over the Internet.
Endpoint NAC describes how to use FortiGate endpoint NAC to enforce the use of
FortiClient End Point Security (Enterprise Edition) in your network.
Log&Report describes how to enable logging, view log files, and view the basic reports
available through the web-based manager.
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Note: Presents useful information, usually focused on an alternative, optional method, such
as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation
Convention: Example
Button, menu, text box, field, or check box label: From Minimum log level, select Notification.
CLI input*
CLI output
Emphasis
File content:
<HTML><HEAD><TITLE>Firewall
Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this
service.</H4>
Hyperlink
Keyboard entry
Navigation
Training
Fortinet Training Services provides a variety of training programs to serve the needs of
our customers and partners world-wide. Visit the Fortinet Training Services web site at
http://campus.training.fortinet.com, or email training@fortinet.com.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/
Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Base.
WCCP widget
Two-factor authentication
SCEP extensions
IPv6 DNS
VDOM dashboard
Password policy
Logging enhancements
Antivirus changes
Reliable syslog
Safe search
SNMPv3 enhancements
Schedule groups
RAID support
FortiOS 4.0 provided software detection on endpoints. Using FortiOS 4.0 MR1, you can
now also allow or block endpoints based on detected software. The Software Detection
List is now called an Application Detection List and you can create multiple lists.
FortiGuard services provide all application signatures. You create your application
detection list entries by selecting applications from lists of categories, vendors, and
application names. Go to Endpoint NAC > Application Detection > Detection List to create
detection lists. To view application information from FortiGuard services, go to
Endpoint NAC > Application Detection > Predefined.
Endpoint check options are no longer configured in the firewall policy. These options and
the application detection list are now selected in an Endpoint NAC profile. In the firewall
policy, you simply enable Endpoint NAC and select the Endpoint NAC profile to apply.
For more information, see Endpoint NAC on page 687.
By default, the Usage widget displays on the System > Status > Usage page for both
global and VDOM administrators. You can also add the Usage widget to custom web-based manager pages.
For more information, see Viewing application, policy, and DLP archive usage data on
page 102.
WCCP widget
Using the FortiOS 4.0 customizable GUI feature, you can add a WCCP widget to the
web-based manager and use this widget to add WCCP entries to the FortiGate
configuration.
For more information, see Configuring WCCP on page 183.
Single Sign-On
With the new single sign-on feature, a web bookmark can include login credentials to
automatically log the SSL VPN user into the web site. This means that once the user logs
into the SSL VPN, he or she does not have to enter any more credentials to visit
preconfigured web sites. When the administrator configures bookmarks, the web site
credentials must be the same as the user's SSL VPN credentials. Users configuring their
own bookmarks can specify alternative credentials for the web site.
For more information, see Bookmarks widget on page 634.
The IP Pools part of the basic SSL VPN configuration (go to VPN > SSL > Config)
IP Pools added to the SSL VPN Portal Tunnel Mode configuration (go to VPN > SSL >
Portal and add a Tunnel Mode widget to an SSL VPN portal)
OS Check changes
You can now configure the client operating system checks only in the CLI, but the
supported operating systems now include Windows Vista.
config vpn ssl web portal
    edit <portal_name>
        set os-check enable
        config os-check-list {windows-2000 | windows-xp | windows-vista}
            set action {allow | check-up-to-date | deny}
            set latest-patch-level {disable | 0 - 255}
            set tolerance {tolerance_num}
        end
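The following is an added example, not FortiOS code and not from this guide: it models the decision that an os-check-list entry implies for a connecting SSL VPN client, so that an administrator can reason about what each action/patch-level/tolerance combination admits before deploying it. The guide does not define the arithmetic of latest-patch-level and tolerance; this example assumes a client under check-up-to-date passes when its patch level is at least latest-patch-level minus tolerance, that "disable" means no patch requirement, and that an operating system absent from the list is denied. The type and function names are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example, not FortiOS code. ASSUMPTIONS (not stated in the guide):
#  - under check-up-to-date a client passes when its patch level is at least
#    latest-patch-level minus tolerance;
#  - latest-patch-level "disable" (None here) means nothing to check;
#  - an OS that is not in os-check-list is denied.
ALLOW = "allow"
CHECK_UP_TO_DATE = "check-up-to-date"
DENY = "deny"


@dataclass(frozen=True)
class OsCheckEntry:
    action: str                               # allow | check-up-to-date | deny
    latest_patch_level: Optional[int] = None  # None models "disable"
    tolerance: int = 0                        # patch levels a client may lag behind


@dataclass
class PortalOsCheck:
    os_check: bool = True                     # "set os-check enable"
    os_check_list: Dict[str, OsCheckEntry] = field(default_factory=dict)


def evaluate_os_check(portal: PortalOsCheck, client_os: str,
                      client_patch_level: int) -> Tuple[str, str]:
    """Return (decision, reason); decision is ALLOW or DENY."""
    if not portal.os_check:
        return ALLOW, "os-check disabled for this portal"
    entry = portal.os_check_list.get(client_os)
    if entry is None:
        return DENY, f"{client_os} is not in os-check-list (assumed default)"
    if entry.action == ALLOW:
        return ALLOW, f"{client_os}: action allow"
    if entry.action == DENY:
        return DENY, f"{client_os}: action deny"
    if entry.action != CHECK_UP_TO_DATE:
        raise ValueError(f"unknown action {entry.action!r}")
    if entry.latest_patch_level is None:
        return ALLOW, f"{client_os}: latest-patch-level disabled, nothing to check"
    required = max(0, entry.latest_patch_level - entry.tolerance)
    if client_patch_level >= required:
        return ALLOW, (f"{client_os}: patch level {client_patch_level} "
                       f">= required {required}")
    return DENY, (f"{client_os}: patch level {client_patch_level} "
                  f"< required {required}")


# Constructed portal mirroring the CLI block above; the values are examples only.
EXAMPLE_PORTAL = PortalOsCheck(os_check_list={
    "windows-2000": OsCheckEntry(action=DENY),
    "windows-xp": OsCheckEntry(action=ALLOW),
    "windows-vista": OsCheckEntry(action=CHECK_UP_TO_DATE,
                                  latest_patch_level=2, tolerance=1),
})

if __name__ == "__main__":
    for os_name, level in [("windows-vista", 2), ("windows-vista", 0),
                           ("windows-2000", 9), ("linux", 0)]:
        print(os_name, level, evaluate_os_check(EXAMPLE_PORTAL, os_name, level))
```

Running the block prints one decision per constructed client; the useful observation is that a tolerance of 1 against latest-patch-level 2 still admits a Vista client one patch level behind, which is the trade-off the tolerance keyword exists to express.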
Two-factor authentication
In FortiOS 4.0 MR1, PKI users can be required to authenticate by password in addition to
their certificate authentication, for both administrative and SSL VPN access. This two-factor authentication provides additional security to meet ICSA 4.0 requirements.
For more information, see Configuring peer users and peer groups on page 657.
You can also configure two-factor authentication in an SSL VPN, by using these settings:
config vpn ssl settings
    set force-two-factor-auth enable
end
If this option is enabled, only users with two-factor authentication can log in to the SSL
VPN.
Weighted (also called weight-based): The FortiGate unit load balances sessions among
ECMP routes based on weights added to ECMP routes. More traffic is directed to routes
with higher weights.
Spill-over (also called usage-based): The FortiGate unit distributes sessions among
ECMP routes based on how busy the FortiGate interfaces added to the routes are.
For more information, see ECMP route failover and load balancing on page 322.
SCEP extensions
FortiOS 4.0 MR1 supports automatic update of system certificates. When a certificate is
about to expire, the FortiGate unit uses SCEP to request and download a new certificate.
This applies to both Local and CA certificates. You can also configure periodic updating of
a Certificate Revocation List (CRL).
Certificate auto-update is configured in the CLI.
The following dynamic routing commands were added or modified to support IPv6 traffic:
config redistribute6
router access-list6
Use the new router access-list6 command to add, edit, or delete access lists for
IPv6 traffic. Access lists are filters used by FortiGate unit routing processes. For an access
list to take effect, it must be called by a FortiGate unit routing process (for example, a
process that supports RIPng or OSPF).
router ospf6
Use the new router ospf6 command to configure OSPF routing for IPv6 traffic.
router prefix-list6
Use the new router prefix-list6 command to add, edit, or delete prefix lists for IPv6
traffic. A prefix list is an enhanced version of an access list that allows you to control the
length of the prefix netmask.
router ripng
Use this command to configure FortiGate support for RIPng. RIPng is the next generation
(ng) version of RIP that supports IPv6. See RFC 2080 for details about RIPng for IPv6.
IPv6 DNS
In FortiOS 4.0 MR1, you can configure DNS server addresses for IPv6 traffic. For more
information about IPv6 DNS, see Configuring Networking Options on page 176.
VDOM dashboard
In previous FortiOS versions, only administrators with the super_admin profile could view
the dashboard. In FortiOS 4.0 MR1, VDOM administrators see their own VDOM-specific
dashboard when they log in or go to System > Status. The super_admin can view only the
global dashboard.
For more information, see VDOM and global dashboards on page 68.
P1 Proposal, Authentication in VPN > IPsec > Auto Key (IKE) > Create Phase 1. See
Creating a new phase 1 configuration on page 606.
P2 Proposal, Authentication in VPN > IPsec > Auto Key (IKE) > Create Phase 2. See
Creating a new phase 2 configuration on page 611.
Authentication Algorithm, in VPN > IPsec > Manual Key > Create New. See Creating
a new manual key configuration on page 614.
Password policy
Optionally, you can set a password policy to require more secure passwords than the
FortiGate defaults. The password policy can apply to administrators or IPsec VPN pre-shared keys. You can:
set a minimum amount of change in the new password (available in CLI only).
Logging enhancements
Due to the new per-VDOM FortiAnalyzer unit feature, there are some general changes to
logging configuration.
On the Log&Report > Log Config > Log Setting page, the logging device radio buttons
are now check boxes. You can enable multiple logging devices. See Configuring how
a FortiGate unit stores logs on page 704.
For local logs on FortiGate units with hard disks, the new SQL log storage format is the
default for all log types except DLP archiving and traffic logs. SQL log storage is the
only format from which you can generate reports. DLP archiving is not available in SQL
format. See Configuring how a FortiGate unit stores logs on page 704.
CLI changes
In the CLI, the global FortiAnalyzer configuration has moved from
system fortianalyzer to log fortianalyzer setting. The keywords within the
command are unchanged.
fortianalyzer override-setting
syslogd override-setting
antivirus quar-override-setting
Antivirus changes
For FortiOS 4.0 MR1, if you enable VDOMs, all UTM > Antivirus options are now
configured separately for each VDOM. In FortiOS 4.0 GA, only administrators with global
access could configure and manage the file quarantine, view the virus list, and configure
the grayware list.
In addition, the following antivirus functionality has been renamed or moved:
Go to Log & Report > Quarantined Files to view the quarantined files list. The
functionality of the quarantined files list is unchanged except that with VDOMs
enabled, the Quarantined files list is now available for each VDOM and only shows
files quarantined from that VDOM.
UTM > Antivirus > Quarantine was UTM > Antivirus > Config. Functionality is
unchanged.
Go to UTM > Virus Database to view information about the current virus database on
the FortiGate unit. For FortiGate units that support the extended virus database, you
can go to UTM > Virus Database and select the virus database to use for virus
scanning. With VDOMs enabled, you select the virus database to use for virus
scanning for the VDOM.
For FortiGate units that support the extended virus database, you can select the virus
database to use for individual protection profiles from the CLI. The Protection Profile
Antivirus > Extended AV Database option has been removed from the web-based
manager. New CLI options for selecting the antivirus database for a protection profile
are available for each protocol. For example, to select the antivirus database in the
scan protection profile for http and for FTP, enter:
config firewall profile
    edit scan
        set http-avdb {default | extended | normal}
        set ftp-avdb {default | extended | normal}
end
Go to UTM > Virus Database to enable grayware detection. The previous UTM >
Grayware page has been removed and you can no longer enable or disable individual
grayware categories.
For more information, see Selecting the virus database on page 519.
Reliable syslog
Reliable syslog protects log information through authentication and data encryption and
ensures that the log messages are reliably delivered in order. FortiOS 4.0 MR1
implements the RAW profile of RFC 3195. You can configure this feature only in the CLI.
For more information, see Remote logging to a syslog server on page 707.
Safe search
FortiOS 4.0 MR1 can prevent users from disabling the safe search feature of the Google,
Yahoo!, or Bing search engines. This is important in environments such as education
where web filtering is used to block sites with inappropriate content. If users can bypass
the search engine safe search feature, the returned search results can contain
inappropriate material in either summary text or thumbnail images.
Safe search is enabled in the Web Filtering part of a protection profile.
For more information, see Web Filtering options on page 480.
To view the list of available character sets, enter set http-post-lang ? from within
the edit shell for the profile.
For more information, see Character sets and Web content filtering, Email filtering
banned word, and DLP scanning on page 483.
SNMPv3 enhancements
FortiOS 4.0 introduced basic support for SNMPv3, the latest version of the Simple
Network Management Protocol. FortiOS Version 4.0 MR1 adds support for
snmpEngineID.
The snmpEngineID is optional, so you are not required to define an engine-id value.
To specify engine-id
config system snmp sysinfo
    set engine-id <string>
end
Schedule groups
You can now create schedule groups, similar to address groups or service groups. In a
firewall policy you can select either an individual schedule or a schedule group.
For more information, see Configuring schedule groups on page 413.
RAID support
Some FortiGate units that contain multiple hard disks also support redundant array of
independent disks (RAID). For more information, see Configuring the RAID array on
page 94.
Web-based manager
This section describes the features of the user-friendly web-based manager administrative
interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate
unit.
Using HTTP or a secure HTTPS connection from any management computer running a
web browser, you can connect to the FortiGate web-based manager to configure and
manage the FortiGate unit. The recommended minimum screen resolution for the
management computer is 1280 by 1024. Some of the information displayed by the
web-based manager uses features only supported by the most recent versions of the most
popular web browsers. Older versions of these web browsers may not always work
correctly with the web-based manager.
You can configure the FortiGate unit for HTTP and HTTPS web-based administration from
any FortiGate interface. To connect to the web-based manager you require a FortiGate
administrator account and password. The web-based manager supports multiple
languages, but by default appears in English on first use.
You can go to System > Status to view detailed information about the status of your
FortiGate unit on the system dashboard. The dashboard displays information such as the
current FortiOS firmware version, antivirus and IPS definition versions, operation mode,
connected interfaces, and system resources. It also shows whether the FortiGate unit is
connected to a FortiAnalyzer unit and a FortiManager unit or other central management
services.
You can use the web-based manager menus, lists, and configuration pages to configure
most FortiGate settings. Configuration changes made using the web-based manager take
effect immediately without resetting the FortiGate unit or interrupting service. You can
back up your configuration at any time using the Backup Configuration button on the
button bar. The button bar is located in the upper right corner of the web-based manager.
The saved configuration can be restored at any time.
The web-based manager also includes detailed context-sensitive online help. Selecting
Online Help on the button bar displays help for the current web-based manager page.
You can use the FortiGate command line interface (CLI) to configure the same FortiGate
settings that you can configure from the web-based manager, as well as additional CLI-only
settings. The system dashboard provides an easy entry point to the CLI console that
you can use without exiting the web-based manager.
This section describes:
Logging out
a computer with an Ethernet connection to a network that can connect to the FortiGate
unit
a supported web browser. See the Knowledge Center articles Supported Windows web
browsers and Using a Macintosh and the web-based manager.
Figure: the web-based manager button bar (Contact Customer Support, Online Help, Logout,
Back up your FortiGate configuration)
You must register your Fortinet product to receive product updates, technical support, and
FortiGuard services. To register a Fortinet product, go to Product Registration and follow
the instructions.
the local PC that you are using to manage the FortiGate unit.
a USB disk, if your FortiGate unit has a USB port and you have connected a USB disk
to it (see Formatting USB Disks on page 296).
Figure: the online help toolbar (Bookmark, Print, Show Navigation, Previous, Next)
Show Navigation: Open the online help navigation pane. From the navigation pane you
can use the online help table of contents, index, and search to access
all of the information in the online help. The online help is organized in
the same way as the FortiGate web-based manager and the FortiGate
Administration Guide.
Previous
Next
Bookmark: Add an entry for this online help page to your browser bookmarks or
favorites list to make it easier to find useful online help pages. Not
supported by all browsers.
When you select help for a VDOM configuration settings web-based
manager page the help display includes the VDOM icon. For
information about VDOM configuration settings, see VDOM
configuration settings on page 126.
When you select help for a Global configuration settings web-based
manager page the help display includes the Global icon. For
information about Global configuration settings, see Global
configuration settings on page 129.
To view the online help table of contents or index, and to use the search feature, select
Online Help in the button bar in the upper right corner of the web-based manager. From
the online help, select Show Navigation.
Figure 5: Online help page with navigation pane and content pane
Contents: Display the online help table of contents. You can navigate through the
table of contents to find information in the online help. The online help
is organized in the same way as the FortiGate web-based manager
and the FortiGate Administration Guide.
Index: Display the online help index. You can use the index to find
information in the online help.
Search: Display the online help search. For more information, see Searching
the online help on page 54.
Show in Contents
If you search for multiple words, the search finds only those help pages that contain all
of the words that you entered. The search does not find help pages that only contain
one of the words that you entered.
The help pages found by the search are ranked in order of relevance. The higher the
ranking, the more likely the help page includes useful or detailed information about the
word or words that you are searching for. Help pages with the search words in the help
page title are ranked highest.
You can use the asterisk (*) as a search wildcard character that is replaced by any
number of characters. For example, if you search for auth* the search finds help pages
containing auth, authenticate, authentication, authenticates, and so on.
In some cases the search finds only exact matches. For example, if you search for
windows the search may not find pages containing the word window. You can work
around this using the * wildcard (for example by searching for window*).
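The search rules above (every word must appear, title hits rank highest, the asterisk stands for any run of characters, and a plain word is matched exactly rather than as a prefix) are the kind of thing that is easiest to understand from a small implementation. The block below is an added example written for this page, not the online help's own search code; the help pages it searches are constructed sample text and the title bonus of 100 is an assumed weighting, since the guide only says title matches rank highest.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class HelpPage:
    title: str
    body: str


# Constructed sample help pages (illustrative text, not the guide's own help content)
HELP_PAGES = [
    HelpPage("Configuring SNMP",
             "Configure SNMP so a manager can query the FortiGate unit."),
    HelpPage("Windows web browsers",
             "Supported Windows web browsers for the web-based manager."),
    HelpPage("Authentication options",
             "Users must authenticate. Authentication of PKI users needs a certificate."),
    HelpPage("Logging out",
             "The Logout button logs you out of the web-based manager window."),
]

TITLE_BONUS = 100  # assumed weighting: a title hit outranks any number of body hits


def term_to_regex(term: str) -> "re.Pattern[str]":
    """Whole-word match; '*' stands for any run of word characters.
    'windows' therefore does not match 'window', while 'window*' matches both."""
    literal_parts = [re.escape(p) for p in term.split("*")]
    return re.compile(r"\b" + r"\w*".join(literal_parts) + r"\b", re.IGNORECASE)


def search_help(query: str, pages: Sequence[HelpPage] = HELP_PAGES) -> List[str]:
    """Return page titles ranked by relevance; every query word must appear."""
    patterns = [term_to_regex(t) for t in query.split()]
    if not patterns:
        return []
    ranked = []
    for page in pages:
        text = f"{page.title}\n{page.body}"
        if not all(p.search(text) for p in patterns):
            continue  # AND semantics: a page missing any one word is not found
        score = 0
        for p in patterns:
            score += len(p.findall(page.body))   # more body hits rank higher
            if p.search(page.title):
                score += TITLE_BONUS             # title hits rank highest
        ranked.append((score, page.title))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return [title for _, title in ranked]


if __name__ == "__main__":
    for q in ("windows", "window*", "auth*", "snmp logout"):
        print(f"{q!r}: {search_help(q)}")
```

Searching for windows returns only the page whose text contains that exact word, while window* additionally finds the page that mentions a browser window, which is the behaviour the exact-match caveat above describes.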
Figure: the online help search page (Go, Search Field, Search Results)
Online help keyboard shortcuts (Function column): Alt+1, Alt+2, Alt+3, Alt+4, Alt+5,
Alt+7, Alt+8, Alt+9
Logging out
The Logout button immediately logs you out of the web-based manager. Log out before
you close the browser window. If you simply close the browser or leave the web-based
manager, you remain logged in until the idle timeout (default 5 minutes) expires. To
change the timeout, see Changing the web-based manager idle timeout on page 50.
Figure: web-based manager layout (Tabs, Page, Button bar, Menu)
System
Router: Configure FortiGate static and dynamic routing and view the router
monitor.
Firewall
UTM
VPN
User: Configure user accounts for use with firewall policies that require user
authentication. Also configure external authentication servers such as
RADIUS, LDAP, TACACS+, and Windows AD. Configure monitoring of
Firewall, IPSec, SSL, IM, and Banned Users.
Endpoint NAC
Wireless Controller
Log&Report: Configure logging and alert email. View log messages and reports.
select the Edit icon for a list item to view and change the settings of the item
select the Delete icon for a list item to delete the item. The delete icon will not be
available if the item cannot be deleted. Usually items cannot be deleted if they have
been added to another configuration; you must first find the configuration settings that
the item has been added to and remove the item from them. For example, to delete a
user that has been added to a user group you must first remove the user from the user
group (see Figure 8).
(List icons: Delete, Edit)
If you log in as an administrator with an admin profile that allows Read Only access to a
list, you will only be able to view the items on the list (see Figure 9).
Figure 9: A web-based manager list (read only access; View icon)
For more information, see Admin profiles on page 254.
Session list (see Viewing the current sessions list on page 82)
Firewall policy and IPv6 policy lists (see Viewing the firewall policy list on page 366,
Viewing the DoS policy list on page 380, and Viewing the sniffer policy list on
page 383)
Intrusion protection predefined signatures list (see Viewing the predefined signature
list on page 525)
Firewall user monitor list (see Firewall user monitor list on page 668)
Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
Log and report log access list (see Accessing and viewing log messages on
page 714).
Filters are useful for reducing the number of entries that are displayed on a list so that you
can focus on the information that is important to you.
For example, you can go to System > Status, and, in the Statistics section, select Details
on the Sessions line to view the communications sessions that the FortiGate unit is
currently processing. A busy FortiGate unit may be processing hundreds or thousands of
communications sessions. You can add filters to make it easier to find specific sessions.
For example, you might be looking for all communications sessions being accepted by a
specific firewall policy. You can add a Policy ID filter to display only the sessions for a
particular Policy ID or range of Policy IDs.
You add filters to a web-based manager list by selecting any filter icon to display the Edit
Filters window. From the Edit Filters window you can select any column name to filter, and
configure the filter for that column. You can also add filters for one or more columns at a
time. The filter icon remains gray for unfiltered columns and changes to green for filtered
columns.
Figure 10: An intrusion protection predefined signatures list filtered to display all signatures containing apache with logging enabled, action set to drop, and severity set to high
The filter configuration is retained after leaving the web-based manager page and even
after logging out of the web-based manager or rebooting the FortiGate unit.
Different filter styles are available depending on the type of information displayed in
individual columns. In all cases, you configure filters by specifying what to filter on and
whether to display information that matches the filter, or by selecting NOT to display
information that does not match the filter.
Note: Filter settings are stored in the FortiGate configuration and will be maintained the
next time that you access any list for which you have added filters.
On firewall policy, IPv6 policy, predefined signature and log and report log access lists,
you can combine filters with column settings to provide even more control of the
information displayed by the list. See Using filters with column settings on page 63 for
more information.
Figure 11 shows a numeric filter configured to control the source addresses that are displayed on the session list. In this example, a filter is enabled for the Source Address column. The filter is configured to display only source addresses in the range of 1.1.1.1-1.1.1.2. To view the session list, go to System > Status. In the Statistics section, beside Sessions, select Details.
Figure 11: A session list with a numeric filter set to display sessions with source IP address
in the range of 1.1.1.1-1.1.1.2
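The filter behaviour described above (a range filter on a numeric column such as Policy ID, an address range filter such as 1.1.1.1-1.1.1.2, a text filter such as apache, the NOT option, and several column filters applied at once), modelled in Python as an added example. This is not FortiGate code; the session rows and column names are constructed for the example, and treating a blank cell (such as a blank Policy ID) as non-matching is an assumption.

```python
"""Added example: a model of web-based manager list filters.

Not FortiGate code. The rows and column names below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, List

# Constructed sample rows in the shape of the session list columns
# (Protocol, Source Address, Source Port, Destination Address,
# Destination Port, Policy ID). A blank Policy ID stands for a session
# that involves only one FortiGate interface, such as an admin session.
SESSIONS: List[Dict[str, object]] = [
    {"protocol": "tcp", "src": "1.1.1.1", "sport": 40001, "dst": "10.0.0.5", "dport": 80, "policy_id": 1},
    {"protocol": "tcp", "src": "1.1.1.2", "sport": 40002, "dst": "10.0.0.5", "dport": 443, "policy_id": 2},
    {"protocol": "udp", "src": "1.1.1.3", "sport": 5353, "dst": "224.0.0.251", "dport": 5353, "policy_id": 3},
    {"protocol": "tcp", "src": "192.168.1.9", "sport": 51000, "dst": "10.0.0.8", "dport": 443, "policy_id": None},
]


@dataclass
class ColumnFilter:
    """One filter on one column. `negate` models the NOT option: the row is
    shown only when it does NOT match. A blank cell never matches, so under
    NOT it is shown (assumption made for this example)."""
    column: str
    predicate: Callable[[object], bool]
    negate: bool = False

    def shows(self, row: Dict[str, object]) -> bool:
        value = row.get(self.column)
        hit = value is not None and self.predicate(value)
        return (not hit) if self.negate else hit


def contains(column: str, text: str, negate: bool = False) -> ColumnFilter:
    """Text-style filter: case-insensitive substring match (e.g. 'apache')."""
    needle = text.lower()
    return ColumnFilter(column, lambda v: needle in str(v).lower(), negate)


def numeric_range(column: str, low: int, high: int, negate: bool = False) -> ColumnFilter:
    """Numeric-style filter: inclusive range (e.g. Policy ID 1-2)."""
    return ColumnFilter(column, lambda v: low <= int(v) <= high, negate)


def ip_range(column: str, first: str, last: str, negate: bool = False) -> ColumnFilter:
    """Address-style filter: inclusive IP range (e.g. 1.1.1.1-1.1.1.2).
    Bounds of different IP versions or in the wrong order are rejected."""
    lo, hi = ip_address(first), ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError("range bounds must be the same IP version and ordered low-high")

    def in_range(v: object) -> bool:
        addr = ip_address(str(v))
        return addr.version == lo.version and lo <= addr <= hi

    return ColumnFilter(column, in_range, negate)


def apply_filters(rows: List[Dict[str, object]], filters: List[ColumnFilter]) -> List[Dict[str, object]]:
    """Filters on several columns apply at once: a row is shown only when
    every configured filter shows it."""
    return [r for r in rows if all(f.shows(r) for f in filters)]


if __name__ == "__main__":
    # Sessions accepted by policies 1-2 whose source is in 1.1.1.1-1.1.1.2
    for row in apply_filters(SESSIONS, [numeric_range("policy_id", 1, 2),
                                        ip_range("src", "1.1.1.1", "1.1.1.2")]):
        print(row)
```

Each constructor returns a filter for one column; passing several of them to apply_filters reproduces the Edit Filters window, where filters on more than one column are combined.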
Custom filters
Other custom filters are also available. You can filter log messages according to date
range and time range. You can also set the level filter to display log messages with
multiple severity levels.
Figure 14: A log access filter set to display all log messages with level of alert, critical, error,
or warning
- session list (see Viewing the current sessions list on page 82)
- intrusion protection predefined signatures list (see Viewing the predefined signature list on page 525)
- Firewall user monitor list (see Firewall user monitor list on page 668)
- Banned user list (see NAC quarantine and the Banned User list on page 670)
- log and report log access lists (see Accessing and viewing log messages on page 714)
- Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
First Page
Previous Page
Current Page
The current page number of list items that are displayed. You can enter a page number and press Enter to display the items on that page. For example, if there are 5 pages of items and you enter 3, page 3 of the items will be displayed.
Next Page
Last Page
- Firewall policy and IPv6 policy (see Viewing the firewall policy list on page 366)
- Intrusion protection predefined signatures list (see Viewing the predefined signature list on page 525)
- Firewall user monitor list (see Firewall user monitor list on page 668)
- Endpoint NAC list of known endpoints (see Monitoring endpoints on page 693)
- Log and report log access lists (see Accessing and viewing log messages on page 714)
Note: Any changes that you make to the column settings of a list are stored in the FortiGate
configuration and will display the next time that you access the list.
To change column settings on a list that supports it, select Column Settings. From
Available fields, select the column headings to be displayed and then select the Right
Arrow to move them to the Show these fields in this order list. Similarly, to hide column
headings, use the Left Arrow to move them back to the Available fields list. Use Move Up
and Move Down to change the order in which to display the columns.
For example, you can change interface list column headings to display only the
IP/Netmask, MAC address, MTU, and interface Type for each interface.
Figure 16: Example of interface list column settings
For more information, see Adding filters to web-based manager lists on page 57.
Name: Description
Add User/Group
Clear: Clear all or remove all entries from the current list. For example, on a URL filter list you can use this icon to remove all URLs from the current URL filter list.
Clone
Comment: Hover the mouse pointer over this icon to view the text from the Comment field.
Delete: Delete an item. This icon appears in lists where the item can be deleted and you have edit permission for the item.
Diff
Disconnect from cluster
Download
Edit
Edit User/Group
Enter a VDOM: Enter a virtual domain and use the web-based manager to configure settings for the virtual domain.
Expand Arrow (closed): Expand this section to reveal more fields. This icon is used in some dialog boxes and lists.
Expand Arrow (open): Close this section to hide some fields. This icon is used in some dialog boxes and lists.
Filter
First page
Forget AP
Insert before
Last page
Mark as Accepted
Exempt Temporarily
Mark as Rogue
Restore to Blocked State
Move to
Next page
Reset
Revert
View
View details
System Status
This section describes the System Status page, the dashboard of your FortiGate unit. At a
glance you can view the current system status of the FortiGate unit including serial
number, uptime, FortiGuard license information, system resource usage, alert
messages and network statistics.
Note: Your browser must support Javascript to view the System Status page.
If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available
globally and system status settings are configured globally for the entire FortiGate unit.
The Topology viewer is not available when VDOMs are enabled. For details, see Using
virtual domains on page 125.
This section describes:
- System Information
- License Information
- Unit Operation
- System Resources
- CLI Console
- Top Sessions
- Top Viruses
- Top Attacks
- Traffic History
- RAID monitor
If virtual domains are enabled:
- Global administrators with the super_admin admin profile can view only the global dashboard.
- A user logged into the current VDOM cannot access global configurations.
Each widget title bar has the following controls:
History
Edit
Refresh
Close: Select to close the display. You will be prompted to confirm the action.
System Information
Go to System > Status > Dashboard to find System Information.
To add the System Information widget to the dashboard go to System > Status >
Dashboard, select Add Content and select System Information from the list.
Figure 20: System Information
Serial Number
The serial number of the FortiGate unit. The serial number is specific to the
FortiGate unit and does not change with firmware upgrades.
Uptime
The time in days, hours, and minutes since the FortiGate unit was started.
System Time
The current date and time according to the FortiGate unit's internal clock.
Select Change to change the time or configure the FortiGate unit to get the
time from an NTP server. For more information, see Configuring system time
on page 86.
HA Status
Host Name
Cluster Name
The name of the HA cluster for this FortiGate unit. For more information, see
HA on page 205.
The FortiGate unit must be operating in HA mode to display this field.
Cluster Members
Virtual Cluster 1
Virtual Cluster 2
The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2. For
more information, see HA on page 205.
The FortiGate unit must be operating in HA mode with virtual domains enabled
to display these fields.
Firmware Version
The version of the current firmware installed on the FortiGate unit. The format for the firmware version is
Select Update to change the firmware. For more information, see Upgrading to a new firmware version on page 88.
FortiClient Version
The current version of FortiClient uploaded to your FortiGate unit for endpoint control. This field appears if you can upload a FortiClient image onto your FortiGate unit. For more information, see Configuring FortiClient installer download and version enforcement on page 688.
Operation Mode
The operating mode of the current FortiGate unit. A FortiGate unit can operate
in NAT mode or Transparent mode. Select Change to switch between NAT and
Transparent mode. For more information, see Changing operation mode on page 238.
If virtual domains are enabled, this field shows the operating mode of the
current virtual domain. Each virtual domain can be operating in either NAT
mode or Transparent mode.
If virtual domains are enabled, the Global System Status dashboard does not
include this field.
Virtual Domain
Current Administrators
Current User
The name of the admin account that you have used to log into the FortiGate
unit. If you are authenticated locally by password, not by PKI or remote
authentication, you can select Change Password to change the password for
this account. When you change the password you are logged out and must log
back in with the new password. For more information, see Changing an
administrator account password on page 246.
License Information
License Information displays the status of your technical support contract and FortiGuard
subscriptions. The FortiGate unit updates the license information status indicators
automatically when attempting to connect to the FortiGuard Distribution Network (FDN).
FortiGuard Subscriptions status indicators are green if the FDN was reachable and the
license was valid during the last connection attempt, grey if the FortiGate unit cannot
connect to the FDN, and orange if the FDN is reachable but the license has expired.
When a new FortiGate unit is powered on, it automatically searches for FortiGuard
services. If the unit is configured for central management, it will look for FortiGuard
services on the configured FortiManager system. The FortiGate unit sends its serial
number to the FortiGuard service provider, which then determines whether the FortiGate
unit is registered and has valid contracts for FortiGuard subscriptions and FortiCare
support services. If the FortiGate unit is registered and has a valid contract, the License
Information is updated.
If the FortiGate unit is not registered, any administrator with the super_admin profile sees
a reminder message that provides access to a registration form.
When a contract is due to expire within 30 days, any administrator with the super_admin
profile sees a notification message that provides access to an Add Contract form. Simply
enter the new contract number and select Add. Fortinet Support also sends contract
expiry reminders.
Optionally, you can disable notification for registration or contract inquiry.
To disable registration notification
config system global
set registration-notification disable
end
To disable contract expiry notification
config system global
set service-expire-notification disable
end
Selecting any of the Configure options will take you to the Maintenance page. For more
information, see System Maintenance on page 289.
Figure 21: License Information (example)
Support Contract
FortiGuard Services
AntiVirus
The FortiGuard Antivirus version, license issue date and service status. If
your license has expired, you can select Renew to renew the license.
AV Definitions
Extended set
Intrusion Protection
IPS Definitions
The currently installed version of the IPS attack definitions. To update the definitions manually, select Update. For more information, see Manually updating FortiGuard definitions on page 91.
Web Filtering
The FortiGuard Web Filtering license status, expiry date and service status. If your license has expired, you can select Renew to renew the license.
Email Filtering
Email Filtering Rule Set
The currently installed version of the FortiGuard Email Filtering rule set. To update the rule set manually, select Update. For more information, see Manually updating FortiGuard definitions on page 91.
Analysis & Management Service
Services Account ID
Select Change to enter a different Service Account ID. This ID is used to validate your license for subscription services such as FortiGuard Management Service and FortiGuard Analysis Service. For more information, see Configuring FortiGuard Analysis & Management Service Options on page 306.
Virtual Domain
VDOMs Allowed
The maximum number of virtual domains the unit supports with the current license.
For high-end FortiGate models, you can select the Purchase More link to purchase a license key through Fortinet technical support to increase the maximum number of VDOMs. For more information, see Adding VDOM Licenses on page 311.
Endpoint Security
FortiClient Software Windows Installer
View information about the latest version of the FortiClient application available from FortiGuard for EndPoint NAC. Select Download to download the FortiClient application installer to your PC. For more information, see Configuring FortiClient installer download and version enforcement on page 688.
Application Signature package
Unit Operation
In the Unit Operation widget, an illustration of the FortiGate unit's front panel shows the status of the unit's Ethernet network interfaces. If a network interface is green, that interface is connected. Pause the mouse pointer over the interface to view the name, IP address, netmask and current status of the interface.
If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the
reason for the system event.
You can only have one management and one logging/analyzing method displayed for
your FortiGate unit. The graphic for each will change based on which method you choose.
If none are selected, no graphic is shown.
Caution: Abruptly powering off your FortiGate unit may corrupt its configuration. Using the Reboot and Shutdown options here or in the CLI ensures that proper shutdown procedures are followed, preventing loss of configuration.
Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and
admin events are enabled. For more information on Event Logging, see Configuring Event
logging on page 711.
Figure 22: Unit Operation examples
INT / EXT / DMZ / HA / WAN1 / WAN2 / 1 / 2 / 3 / 4
The network interfaces on the FortiGate unit. The names and number of these interfaces vary by model.
The icon below the interface name indicates its up/down status by color. Green indicates the interface is connected. Grey indicates there is no connection.
For more information about the configuration and status of an interface, pause the mouse over the icon for that interface. A tooltip displays the full name of the interface, its alias if one is configured, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets.
AMC-SW1/1, ...
AMC-DW1/1, ...
FortiAnalyzer
The icon on the link between the FortiGate unit graphic and the
FortiAnalyzer graphic indicates the status of their OFTP connection. An X
on a red icon indicates there is no connection. A check mark on a green
icon indicates there is OFTP communication.
Select the FortiAnalyzer graphic to configure remote logging to the FortiAnalyzer unit on your FortiGate unit. For more information, see Remote logging to a FortiAnalyzer unit on page 704.
FortiGuard Analysis
Service
The icon on the link between the FortiGate unit graphic and the FortiGuard
Analysis Service graphic indicates the status of their OFTP connection. An
X on a red icon indicates there is no connection. A check mark on a green
icon indicates there is OFTP communication.
Select the FortiGuard Analysis Service graphic to configure remote logging
to the FortiGuard Analysis Service. For more information, see the
FortiGuard Analysis and Management Service Administration Guide.
FortiManager
The icon on the link between the FortiGate unit graphic and the
FortiManager graphic indicates the status of the connection. An X on a red
icon indicates there is no connection. A check mark on a green icon
indicates there is communication between the two units.
Select the FortiManager graphic to configure central management on your
FortiGate unit. For more information, see Central Management on
page 260.
FortiGuard Management Service
The icon on the link between the FortiGate unit graphic and the FortiGuard Management Service graphic indicates the status of the connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is communication.
Select the FortiGuard Management Service graphic to configure central management on your FortiGate unit. For more information, see Central Management on page 260.
Reboot
Select to shutdown and restart the FortiGate unit. You will be prompted to
enter a reason for the reboot that will be entered into the logs.
Shutdown
System Resources
The System Resources widget displays basic FortiGate unit resource usage, such as
CPU and memory (RAM) usage. Any System Resources that are not displayed on the
status page can be viewed as a graph by selecting the History icon.
To see the most recent CPU and memory usage, select the Refresh icon.
Figure 23: System Resources
CPU Usage
Memory Usage
FortiAnalyzer Usage
The current status of the FortiAnalyzer disk space used by this FortiGate unit's quota, displayed as a pie chart and a percentage.
You can use the System Resources edit menu to select not to display this
information.
This is available only if you have configured logging to a FortiAnalyzer unit.
Disk Usage
The current status of the FortiGate unit disk space used, displayed as a pie
chart and a percentage.
This is available only if you have a hard disk on your FortiGate unit.
The Alert Message Console widget provides History, Edit, Refresh, Close and Acknowledge this message icons.
The following types of messages can appear in the Alert Message Console:
- System restart
- System shutdown
- Firmware upgraded by <admin_name>
- Firmware downgraded by <admin_name>
Since
The date and time when the counts were last reset. Counts are reset when the FortiGate unit reboots, or when you select Reset.
Reset
DLP Archive
A summary of the HTTP, HTTPS, email, FTP, IM, and VoIP (also called session control) traffic that has passed through the FortiGate unit and has been archived by DLP.
The Details pages list the last 64 items of the selected type and provides links to the
FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit
is not configured, the Details pages provide a link to Log & Report > Log Config >
Log Settings.
You configure the FortiGate unit to collect DLP archive data for the widget by
configuring protection profiles to display content meta-information on the system
dashboard. To configure a protection profile, see To configure a protection profile
(DLP archive) on page 79.
You must also add the protection profile to a firewall policy. When the firewall policy
receives sessions for the selected protocols, meta-data is added to the statistics
widget.
The Email statistics are based on email protocols. POP3 and IMAP traffic is registered
as email received, and SMTP is email sent. If your FortiGate unit supports SSL content
scanning and inspection, incoming email also includes POP3S and IMAPS and
outgoing email also includes SMTPS. If incoming or outgoing email does not use these
protocols, these statistics will not be accurate.
The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols and
configured by selecting Archive in DLP Sensors for IM DLP rules.
The VoIP statistics are based on the SIP, SIMPLE and SCCP session control protocols
and configured by selecting Archive in DLP Sensors for Session Control DLP rules.
Log
A summary of traffic, viruses, attacks, spam email messages, and blocked URLs that
the FortiGate unit has logged. Also displays the number of sessions matched by DLP
and event log messages. The Details pages list the 20 most recent items, providing the
time, source, destination and other information.
DLP data loss detected actually displays the number of sessions that have matched
DLP sensors added to protection profiles. DLP collects meta-data about all sessions
matched by DLP sensors and records this meta-data in the DLP log. Every time a DLP
log message is recorded, the DLP data loss detected number increases. If you are
using DLP for summary or full archiving the DLP data loss detected number can get
very large. This number may not indicate that data has been lost or leaked.
CLI Console
The System Status page can include a CLI console. To use the console, select it to
automatically log in to the admin account you are currently using in the web-based
manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console.
Figure 28: CLI Console
The two controls located on the CLI Console widget title bar are Customize, and Detach.
Detach moves the CLI Console widget into a pop-up window that you can resize and
reposition. The two controls on the detached CLI Console are Customize and Attach.
Attach moves the CLI console widget back onto the System Status page.
Customize allows you to change the appearance of the console by defining fonts and
colors for the text and background.
Figure 29: Customize CLI Console window
Preview
Text
Select the current color swatch next to this label, then select a color from
the color palette to the right to change the color of the text in the CLI
Console.
Background
Select the current color swatch next to this label, then select a color from
the color palette to the right to change the color of the background in the
CLI Console.
Use external command input box
Console buffer length
Enter the number of lines the console buffer keeps in memory. Valid numbers range from 20 to 9999.
Font
Select a font from the list to change the display font of the CLI Console.
Size
Top Sessions
Top Sessions displays either a bar graph or a table showing the IP addresses that have the most sessions currently open on the FortiGate unit. The sessions are sorted by their source or destination IP address, or by port. The sort criterion in use is displayed in the top right corner.
The Top Sessions widget polls the FortiGate unit for session information, and this slightly
impacts the FortiGate unit performance. For this reason when this display is not shown on
the dashboard, it is not collecting data, and not impacting system performance. When the
display is shown, information is only stored in memory.
Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.
Select Details to view the current sessions list, a list of all sessions currently processed by
the FortiGate unit. For more information, see Viewing the current sessions list on
page 82.
To view detailed information about the sessions represented by a bar in the chart, click on
the bar.
To change the information displayed on the Top Sessions widget
1 Select the Edit icon on the Top Sessions widget.
2 Change the Top Sessions settings as required:
Figure 31: Edit menu for Top Sessions
Sort Criteria
Select the method used to sort the Top Sessions on the System Status
display. Choose one of:
Source Address
Destination Address
Port Address
Resolve Service
Display Format
Select how the Top Session information is displayed. Choose one of:
Chart
Table
Top Sessions to Show
Refresh Interval
Select how often the display is updated. The refresh interval range is from
10 to 240 seconds. Selecting 0 will disable the automatic refresh of the
display. You will still be able to select the manual refresh option on the Top
Sessions title bar.
Shorter refresh intervals may impact the performance of your FortiGate
unit. If this occurs, try increasing the refresh interval or disabling the
automatic refresh.
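The ranking that the Top Sessions widget performs (count of open sessions per source address, destination address or port, with the port optionally resolved to a service name, limited to the Top Sessions to Show count), as an added Python example rather than FortiGate code. The session rows and the port-to-service table are constructed for the example; the order in which ties are broken is a choice made here, not documented widget behaviour.

```python
"""Added example: the aggregation behind the Top Sessions widget.

Not FortiGate code. The rows and the service table below are constructed."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed open sessions, in the shape of the current sessions list.
SESSIONS: List[Dict[str, object]] = [
    {"protocol": "tcp", "src": "1.1.1.1", "sport": 40001, "dst": "10.0.0.5", "dport": 80},
    {"protocol": "tcp", "src": "1.1.1.1", "sport": 40002, "dst": "10.0.0.5", "dport": 443},
    {"protocol": "tcp", "src": "1.1.1.1", "sport": 40003, "dst": "10.0.0.6", "dport": 443},
    {"protocol": "tcp", "src": "1.1.1.2", "sport": 40004, "dst": "10.0.0.5", "dport": 443},
    {"protocol": "udp", "src": "1.1.1.3", "sport": 5353, "dst": "224.0.0.251", "dport": 5353},
]

# Constructed port-to-service table standing in for the Resolve Service option.
SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "http",
    ("tcp", 443): "https",
    ("udp", 53): "dns",
}

SORT_CRITERIA = ("source", "destination", "port")


def session_key(session: Dict[str, object], criterion: str, resolve_service: bool = False) -> str:
    """The value a session is grouped under for the chosen Sort Criteria."""
    if criterion == "source":
        return str(session["src"])
    if criterion == "destination":
        return str(session["dst"])
    if criterion == "port":
        proto, port = str(session["protocol"]), int(session["dport"])
        label = f"{proto}/{port}"
        return SERVICES.get((proto, port), label) if resolve_service else label
    raise ValueError(f"unknown sort criterion {criterion!r}; expected one of {SORT_CRITERIA}")


def top_sessions(sessions: List[Dict[str, object]], criterion: str = "source",
                 show: int = 5, resolve_service: bool = False) -> List[Tuple[str, int]]:
    """Rank addresses (or ports) by number of open sessions, most first.
    Ties are broken by key so the ranking is stable between refreshes."""
    counts = Counter(session_key(s, criterion, resolve_service) for s in sessions)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:show]


if __name__ == "__main__":
    for criterion in SORT_CRITERIA:
        print(criterion, top_sessions(SESSIONS, criterion, show=3, resolve_service=True))
```

Changing the criterion regroups the same set of open sessions, which is why the widget shows different "top" entries for Source Address, Destination Address and Port Address without collecting any additional data.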
Virtual Domain
Select a virtual domain to list the sessions being processed by that virtual
domain. Select All to view sessions being processed by all virtual domains.
This is only available if virtual domains are enabled. For more information see
Using virtual domains on page 125.
Refresh Icon
First Page
Previous Page
Page
Enter the page number of the session to start the displayed session list. For
example if there are 5 pages of sessions and you enter 3, page 3 of the
sessions will be displayed.
The number following the / is the number of pages of sessions.
Next Page
Last Page
Total
Select to reset any display filters that may have been set.
Return
Filter Icon
The icon at the top of all columns except # and Expiry. When selected, it opens the Edit Filter dialog, allowing you to set the display filters by column. See Adding filters to web-based manager lists on page 57.
Protocol
The service protocol of the connection, for example, udp, tcp, or icmp.
Source Address
Source Port
Destination
Address
Destination Port
Policy ID
The number of the firewall policy allowing this session or blank if the session
involves only one FortiGate interface (admin session, for example).
Expiry (sec)
Duration
The age of each session in seconds. The age is the amount of time the session
has been active.
Delete icon
Stop an active communication session. Your admin profile must include read
and write access to System Configuration.
Top Viruses
Top Viruses displays a bar graph representing the virus threats that have been detected
most frequently by the FortiGate unit.
The Top Viruses display is not part of the default dashboard display. It can be displayed by
selecting Add Content >Top Viruses from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent viruses
that have been detected with information including the virus name, when it was last
detected, and how many times it was detected. The system stores up to 1024 entries, but
only displays up to 20 in the web-based manager.
Selecting the edit icon for Top Viruses allows changes to the:
refresh interval
Top Attacks
Top Attacks displays a bar graph representing the most numerous attacks detected by the
FortiGate unit.
The Top Attacks display is not part of the default dashboard display. It can be displayed by
selecting Add Content > Top Attacks from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent attacks
that have been detected with information including the attack name, when it was last
detected, and how many times it was detected. The FortiGate unit stores up to 1024
entries, but only displays up to 20 in the web-based manager.
Selecting the Edit icon for Top Attacks allows changes to the:
refresh interval
Traffic History
The traffic history display shows the traffic on one selected interface over the last hour,
day, and month. This feature can help you locate peaks in traffic that you need to address
as well as their frequency, duration, and other information.
Only one interface at a time can be monitored. You can change the interface being
monitored by selecting Edit, choosing the interface from the drop down menu, and
selecting Apply. Doing this will clear all the traffic history data.
Figure 33: Traffic History
Interface
kbit/s
The units of the traffic graph. The scale varies based on traffic levels to
allow it to show traffic levels no matter how little or how much traffic there is.
Last 60 Minutes
Last 24 Hours
Last 30 Days
Three graphs showing the traffic monitored on this interface of the FortiGate
unit over different periods of time.
Certain trends may be easier to spot in one graph over the others.
Traffic In
The traffic entering the FortiGate unit on this interface is indicated with a
thin red line.
Traffic Out
The traffic leaving the FortiGate unit on this interface is indicated with a dark
green line, filled in with light green.
RAID monitor
The RAID monitor display shows the current state of the RAID array and each RAID disk.
For information on configuring the RAID array, see Configuring the RAID array on page 94.
The RAID monitor display is not part of the default dashboard display. It can be displayed
by selecting Add Content > RAID Monitor from the drop down menu.
The RAID monitor will not be displayed unless your FortiGate unit has more than one disk
installed.
Configure
Array Status
Array status icon
RAID Level
The RAID level of this RAID array. The RAID level is set as part of
configuring the RAID array. For more information, see RAID Level on
page 96.
The bar shows the percentage of the RAID array that is currently in
use.
Used/Free/Total
These three numbers show the amount of RAID array storage that is
being used, the amount of storage that is free, and the total storage in
the RAID array. The values are in GB.
Used added to Free should equal Total.
Synchronizing status
Displays the percent complete of the RAID array synchronization. Synchronizing may take several hours.
While synchronizing, the status of the RAID array indicates that synchronizing is happening in the background.
The Synchronizing progress bar is visible only when the RAID array is synchronizing.
You may need to select the refresh icon in the widget title bar to update this progress bar.
Rebuild status
Displays the percent complete of the RAID array rebuild. Rebuilding the array may take several hours.
While rebuilding the array, it is in a degraded and vulnerable state: any disk failure during a rebuild will result in data loss.
A warning is displayed indicating the RAID array is running in reduced reliability mode until the rebuild is completed.
You may need to select the refresh icon in the widget title bar to update this progress bar.
System Time
Refresh
Update the display of the current FortiGate system date and time.
Time Zone
Automatically adjust clock for daylight saving changes
Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.
Set Time
Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.
Synchronize with
NTP Server
Server
Sync Interval
Specify how often the FortiGate unit should synchronize its time with
the NTP server. For example, a setting of 1440 minutes causes the
FortiGate unit to synchronize its time once a day.
Caution: Installing an older firmware image may lose some system settings. Always
back up your configuration before changing the firmware image.
For more information about using the USB disk and the FortiGuard Network, see System
Maintenance on page 289.
Figure 36: Firmware Upgrade/Downgrade
Upgrade From
Select the firmware source from the drop down list of available sources.
Possible sources include Local Hard Disk, USB, and FortiGuard Network.
This field does not appear on all models.
Upgrade File
Browse to the location of the firmware image on your local hard disk.
This field is available for local hard disk and USB only.
Allow Firmware
Downgrade
More Info
Firmware changes either upgrade to a newer version or revert to an earlier version. Follow
the appropriate procedure to change your firmware.
For more information about managing firmware, see Managing firmware versions on
page 113.
Statistics widget detail columns (Time Interval; Session History; Virus History;
Intrusion History): Date / Time, Protocol, Kind, Local, Remote, Direction, From, To,
Subject, Destination, User, Downloads, Uploads, Service, Virus, Attack, From->To IP,
SPAM Type, URL, URL Blocked, Source. Date / Time is the time that the email passed
through the FortiGate unit, or the time that the attempt to access the URL was
detected.
Caution: A RAID array provides no redundancy in a degraded state. Any disk failure
while the RAID array is in a degraded state will cause data loss.
RAID Level
RAID level
Status
The status, or health, of the RAID array. This status can be one of:
OK: standard status, everything is normal.
OK (Background-Synchronizing) (%): the disks are being synchronized after a change of
RAID level. The Synchronizing progress bar shows the percent complete.
Degraded: one or more of the disks in the array has failed, been removed, or is not
working properly. A warning is displayed about the lack of redundancy in this state.
A degraded array is also slower than a healthy array. Select Rebuild RAID to fix the
array.
Degraded (Background-Rebuilding) (%): the same as Degraded, but the RAID array is
being rebuilt in the background. The array remains in a fragile state until the
rebuild is completed.
Size
The size of the RAID array in gigabytes (GB). The size of the array depends
on the RAID level selected, and the number of disks in the array.
Rebuild RAID
Select to rebuild the array after a new disk has been added to the array, or
after a disk has been swapped in for a failed disk.
If you try to rebuild a RAID array with too few disks you will get a rebuild error.
After inserting a functioning disk, the rebuild will start.
This button is only available when the RAID array is in a degraded state and
has enough disks to be rebuilt.
You cannot restart a rebuild once a rebuild is already in progress.
Note: If a disk has failed, the number of working disks may not be enough for
the RAID level to function. In this case, replace the failed disk with a working
disk to rebuild the RAID array.
Disk#
The disk's position in the array. This corresponds to the physical slot of the disk.
If a disk is removed from the FortiGate unit, the disk is marked as not a
member of the array and its position is retained until a new disk is inserted in
that drive bay.
Status
Member
Capacity
The storage capacity that this drive contributes to the RAID array.
The full storage capacity of the disk is used for the RAID array automatically.
The total storage capacity of the RAID array depends on the capacity and
numbers of the disks, and the RAID level of the array.
RAID Level
When changing the RAID level, the available levels depend on the number of working
disks that are actually present in the unit. For example, RAID 5 is not available on units
with fewer than three disks. When a disk fails, becomes corrupt, or is removed you must
rebuild the RAID array. For more information, see Rebuilding the RAID array on page 97.
If the FortiGate unit only has one disk installed, the RAID monitor widget will not be
displayed as it is not possible to configure a RAID array with only one disk.
Available RAID levels include:
RAID 0
RAID 1
RAID 5
RAID 0
A RAID 0 array is also referred to as striping. The FortiGate unit writes information
evenly across all hard disks. The total space available is that of all the disks in
the RAID array. There is no redundancy. If any single drive fails, the data on that
drive cannot be recovered, and because every stripe spans all of the disks the rest
of the array is unusable as well. This RAID level provides better performance, since
the FortiGate unit can distribute disk writes across multiple disks.
For example, if your FortiGate unit has three disks each with a one terabyte (TB)
capacity, your RAID 0 array will have a three TB capacity.
RAID 1
A RAID 1 array is also referred to as mirroring. The FortiGate unit pairs the disks
and writes every piece of information to both disks in a pair, so the second disk is
a mirror image of the first. The total disk space available is that of one disk per
pair, as the mirror disks are used only for redundancy. This provides redundant data
storage with no single point of failure: should one disk fail, its mirror still holds
all of the data and the unit continues functioning until the failed disk is replaced
and the array is rebuilt.
In a RAID 1 array, if you have four disks of one TB capacity, the array will have a
two TB capacity. Since RAID 1 pairs disks for mirroring, if you have an odd number of
disks then one disk will not be used. If you have three disks, only two will be used
in the RAID 1 array.
RAID 5
A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiGate
unit writes information evenly across all drives, but an additional parity block is
written on each stripe, and the disk that holds the parity block rotates from stripe
to stripe. The total disk space is that of the total number of disks in the array
minus one disk, which is consumed by parity. For example, with four hard disks the
total capacity available is that of three hard disks. RAID 5 performance is typically
better for reading than for writing, and performance is degraded while one disk has
failed or is missing. With RAID 5, one disk can fail without loss of data. If a drive
fails, it can be replaced and the FortiGate unit will reconstruct the data on the new
disk from the data and parity blocks on the remaining disks.
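The capacity and tolerance rules in the three descriptions above are easy to get wrong when planning disks for a unit, so here is an added example that encodes them; it is not code from the guide or from FortiOS. It computes, for a given level and disk count, the usable capacity the widget would report as Total, how many disks the array actually uses, and how many disk failures the array survives, and it reports the status the RAID monitor would show after a number of failures, following the caution above that any further failure of a degraded array means data loss. Assumptions: all disks have the same capacity (the guide recommends same-size replacements), and RAID 0 and RAID 1 need at least two disks (the guide states only that RAID 5 needs three and that a single-disk unit cannot form an array).

```python
"""Added example: usable capacity and failure tolerance for the RAID levels
described in this section (RAID 0, RAID 1, RAID 5). Not part of FortiOS."""
from dataclasses import dataclass
from typing import List

# Minimum working disks per level. RAID 5 needing three disks is stated in the
# guide; two disks for RAID 0 and RAID 1 is an assumption (the guide only says a
# single-disk unit cannot form an array).
MIN_DISKS = {"RAID 0": 2, "RAID 1": 2, "RAID 5": 3}


@dataclass(frozen=True)
class ArrayPlan:
    level: str
    disks_present: int
    disks_used: int          # disks that actually hold array data or parity
    capacity_gb: int         # usable capacity, the widget's Total value
    failures_tolerated: int  # disk failures survivable without data loss


def available_levels(disk_count: int) -> List[str]:
    """Levels the RAID Level configure page can offer for this many working disks."""
    return [level for level, need in MIN_DISKS.items() if disk_count >= need]


def plan_array(level: str, disk_count: int, disk_gb: int) -> ArrayPlan:
    """Compute usable capacity and tolerance, assuming equal-sized disks."""
    if level not in MIN_DISKS:
        raise ValueError(f"unknown RAID level {level!r}")
    if disk_count < MIN_DISKS[level]:
        raise ValueError(f"{level} needs at least {MIN_DISKS[level]} disks, "
                         f"only {disk_count} present")
    if disk_gb <= 0:
        raise ValueError("disk capacity must be positive")

    if level == "RAID 0":
        # Striping: every disk contributes its full capacity, nothing is redundant.
        used, capacity, tolerated = disk_count, disk_count * disk_gb, 0
    elif level == "RAID 1":
        # Mirroring in pairs: an odd disk is left out, each pair yields one disk.
        used = disk_count - (disk_count % 2)
        capacity, tolerated = (used // 2) * disk_gb, 1
    else:
        # Striping with rotating parity: one disk's worth of space goes to parity.
        used, capacity, tolerated = disk_count, (disk_count - 1) * disk_gb, 1
    return ArrayPlan(level, disk_count, used, capacity, tolerated)


def array_state(level: str, failed_disks: int) -> str:
    """Status the RAID monitor would show after the given number of disk failures.

    Follows the guide's caution: once the array is degraded, any further disk
    failure means data loss, so no level here tolerates more than one failure."""
    tolerated = plan_array(level, MIN_DISKS[level], 1).failures_tolerated
    if failed_disks == 0:
        return "OK"
    if failed_disks <= tolerated:
        return "Degraded"
    return "Data loss"


if __name__ == "__main__":
    # The worked cases from the text: 3 x 1 TB RAID 0, 4 x 1 TB RAID 1,
    # 3 x 1 TB RAID 1 (one disk idle) and 4 x 1 TB RAID 5, in GB.
    for level, count in (("RAID 0", 3), ("RAID 1", 4), ("RAID 1", 3), ("RAID 5", 4)):
        print(plan_array(level, count, 1000))
    print(available_levels(2), array_state("RAID 5", 2))
```

The tolerance figures are deliberately conservative: a RAID 1 array with several pairs could in principle survive a second failure in a different pair, but the widget reports a single Degraded state and the guide tells you to treat any failure in that state as fatal, so the helper does the same.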
Before you rebuild the RAID array, you should have a replacement disk for the one
that failed, if that is the cause of the degraded array. You cannot rebuild an array
that is missing a disk. A replacement disk should have the same storage capacity as
the disk it is replacing.
Also, back up the data before rebuilding the array if possible. As soon as the RAID
array becomes degraded you should back up the array if possible to prevent data loss.
To rebuild the RAID array
1 Go to Status > Dashboard > RAID Monitor > Configure.
2 Verify the status of the RAID array is degraded, and the Rebuild button is not greyed
out.
3 Remove the failed disk from the FortiGate unit.
Ensure you have the correct disk.
Press the green button to unlock the disk.
Gently push the lever to the left as far as it will go to disconnect the disk.
Remove the disk from the FortiGate unit by pulling on the lever.
4 Insert the new disk into the FortiGate unit that is replacing the failed disk.
Insert the disk carefully into the FortiGate unit.
Push the front panel of the disk to make the connection; the lever will start to
move to the right. Ensure that both sides of the disk are in line with the other disks.
When in place push the bar fully to the right, until the green button clicks.
5 Refresh your display to ensure the new disk is installed properly. If it is not recognized,
repeat steps 3 and 4 with the new disk to ensure it is properly installed.
6 On the configure screen, select Rebuild RAID.
Rebuilding the RAID array will normally take several hours. You can follow its progress
on the RAID Monitor display on the dashboard.
7 When the rebuild is complete, the status of the RAID array will change to OK.
If you have added the name of a module to a slot and you are planning on removing the
module and replacing it with a different type of module (for example, if you are
removing a FortiGate-ASM-S08 and replacing it with a FortiGate-ASM-FX2), you should
reset the slot to the default before removing the module. Then, after adding the new
module, add its name to the slot.
You configure AMC slot settings from the FortiGate CLI using the config system amc
command. For information about this command, see the FortiGate CLI Reference.
To change the default setting for an AMC slot
The following procedure shows how to add a FortiGate-ADM-FB8 to the first double-width
AMC slot (dw1) and how to add the name of the module to the slot configuration.
1 Enter the following CLI command to verify that the slot that you will insert the
FortiGate-ADM-FB8 module into is set to the default configuration.
This command lists the AMC slots and the settings for each one. Example command
output for a FortiGate-5001A with an empty double-width AMC slot:
get system amc
dw1 : auto
2 Power down the FortiGate unit.
3 Insert the FortiGate-ADM-FB8 module into the double-width AMC slot.
4 Power up the FortiGate unit.
As long as the slot that you have inserted the FortiGate-ADM-FB8 module into is set to
auto the FortiGate unit should automatically find the module when it powers up.
5 Add the name of the FortiGate-ADM-FB8 module to the FortiGate configuration.
config system amc
set dw1 adm-fb8
end
In bypass mode all traffic flows between the interfaces on the FortiGate-ASM-CX4 or
FortiGate-ASM-FX2 module and not through the FortiGate unit, so that traffic is passed
without firewall or UTM inspection: bypass fails open to preserve connectivity. You
can configure a recovery watchdog to check whether the bridged FortiGate interfaces
are able to process traffic again. If you fix the problem, or the problem fixes
itself, the recovery watchdog detects that traffic can resume and switches the module
back to normal operation by turning off bypass mode.
To configure a FortiGate unit to operate with a FortiGate-ASM-CX4 or
FortiGate-ASM-FX2 module
1 Switch the FortiGate unit to operate in Transparent mode.
config system settings
set opmode transparent
set manageip <management_IPv4> <netmask_ipv4>
set gateway <gateway_ipv4>
end
After a short pause the FortiGate unit is operating in Transparent mode.
2 Enter the following command to verify that the slot that you will insert the
FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module into is set to auto.
This command lists the AMC slots and the settings for each one. Example command
output for a FortiGate-620B with an empty AMC slot:
get system amc
sw1 : auto
3 Power down the FortiGate unit.
4 Insert the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module into a single-width AMC
slot.
5 Power up the FortiGate unit.
As long as the slot that you have inserted the module into is set to auto the FortiGate
unit should automatically find the module when it powers up.
6 Add the name of the module to the FortiGate configuration and configure bypass and
recovery settings.
The following command configures AMC single-width slot 1 (sw1) for a
FortiGate-ASM-CX4 module. It also enables the bypass watchdog and increases the
bypass timeout from the default value of 10 seconds to 60 seconds, so that if a
failure occurs the bridge module changes to bypass mode 60 seconds after the bypass
watchdog detects the failure.
The command also enables watchdog recovery and sets the watchdog recovery period to
30 seconds. While the FortiGate-ASM-CX4 module is bridging the connection after a
failure, the AMC bypass watchdog keeps monitoring FortiGate processes and, if the
FortiGate unit recovers from the failure, reverts the module to normal operating mode
(that is, it stops bridging the interfaces on the module and traffic passes through
the FortiGate unit again).
config system amc
set sw1 asm-cx4
set bypass-watchdog enable
set bypass-timeout 60
set watchdog-recovery enable
set watchdog-recovery-period 30
end
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=normal
amc-sw2/3 <--> amc-sw2/4: mode=normal
Daemon heartbeat status: normal
Last heartbeat received: 1 second(s) ago
3 Log into the web-based manager and go to System > Status > Dashboard and view the
Unit Operation widget to see the status of the AMC bridge module.
Figure 40 shows bypass mode disabled.
Figure 40: FortiGate-3810A with FortiGate-ASM-CX4 module installed in AMC slot 2
View traffic volumes by pausing the mouse pointer over each bar.
Select an application type on the graph to view information about the source addresses
that used the application and the amount of data transferred by sessions from each
source address.
Top Application Usage data collection is started by adding application control black/white
lists to protection profiles. Only information about applications matched by application
control is added to the chart or table. Sessions accepted by firewall policies that do not
include protection profiles with application control configured do not contribute to the data
displayed.
Widget controls: Edit, Reset, Refresh, Close.
Applications
Bytes or
Messages
Sort Criteria
Report By
Select the check box to show the user name (when known) instead of
the IP address.
VDOM
Display Format
Refresh Interval
View details about firewall policies by pausing the mouse pointer over each bar in the
chart.
Select a firewall policy on the graph to view and optionally change the firewall policy.
Top Policy Usage data is collected by all firewall policies. You can configure Top Policy
Usage to show data for up to 20 firewall policies. Only firewall policies that have accepted
sessions appear on the chart or table.
Widget controls: Edit, Reset, Refresh, Close.
Policy ID
Total Bytes or
Total Packets
The cumulative traffic volume for the firewall policy in bytes or packets,
depending on the Sort Criteria setting.
Sort Criteria
VDOM
Display Format
Refresh Interval
View details about the data by pausing the mouse pointer over each bar in the chart.
Select a bar on the graph to view more information about the data.
DLP Archive Usage data is collected by adding DLP sensors to protection profiles. Only
information about sessions matched by DLP sensors is added to the chart or table.
Sessions accepted by firewall policies that do not include protection profiles with DLP
sensors configured do not contribute to the data displayed.
Figure 47: DLP Archive Usage module
Widget controls: Edit, Reset, Refresh, Close.
DLP Rule or
Policy or
Profile or
Protocol
The DLP Rule, firewall policy, protection profile or protocol, depending on the
Report By setting.
Bytes or
Messages
Report By
Sort Criteria
Protocol
VDOM
Refresh Interval
The Topology page consists of a large canvas upon which you can draw a network
topology diagram of your FortiGate installation.
Figure 49: Topology page
Zoom/Edit controls
Text object
Subnet object
Viewport
Viewport
control
Zoom in. Select to display a smaller portion of the drawing area in the viewport, making
objects appear larger.
Zoom out. Select to display a larger portion of the drawing area in the viewport, making
objects appear smaller.
Customize. Select to change the colors and the thickness of lines used in the drawing.
See Customizing the topology diagram on page 111.
Drag. Select this control and then drag objects in the diagram to arrange them.
Scroll. Select this control and then drag the drawing area background to move the
viewport within the drawing area. This has the same effect as moving the viewport
rectangle within the viewport control.
Select. Select this control and then drag to create a selection rectangle. Objects within
the rectangle are selected when you release the mouse button.
Address Name
Connect to interface
Select the interface or zone to associate with this address. If the field
already displays a name, changing the setting changes the interface
or zone associated with this existing address.
If the address is currently used in a firewall policy, you can choose
only the interface selected in the policy.
New addresses
Create a new firewall address and add a subnet object based on that address to the
topology diagram. The address is associated with the interface you choose.
Address Name
Type
Subnet / IP Range
FQDN
Connect to interface
Preview
Canvas Size
Resize to Image
If you selected an image as Background, resize the diagram to fit within the
image.
Background
One of:
Solid
U.S. Map
World Map
Upload My
Image
Background
Color
Image path
If you selected Upload My Image for Background, enter the path to your image,
or use the Browse button to find it.
Exterior Color
Line Color
Select the color of connecting lines between subnet objects and interfaces.
Line Width
Reset to Default
Download and review the release notes for the patch release.
Install the patch release using the procedure Testing firmware before upgrading on
page 116.
Test the patch release until you are satisfied that it applies to your configuration.
Installing a patch release without reviewing release notes or testing the firmware may
result in changes to settings or unexpected issues.
With FortiOS 4.0, you can also configure your FortiGate unit to use NAT while in
transparent mode. For more information, see the Fortinet Knowledge Center article,
Configuring NAT in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, system firmware versions
are configured globally. For more information, see Using virtual domains on page 125.
This section describes:
You can back up configuration settings to a local PC, a FortiManager unit, a
FortiGuard Management server, or a USB key. Backing up to a FortiGuard Management
server requires the FortiGuard Analysis and Management Service to be enabled.
Fortinet recommends backing up all configuration settings from your FortiGate unit
before upgrading to FortiOS 4.0. This ensures all configuration settings are still
available if you need to downgrade to FortiOS 3.0 MR7 and want to restore those
configuration settings.
2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config tftp <backup_filename> <tftp_server_ipaddress> <encrypt_passwd>
execute backup config ftp <backup_filename> <ftp_server>[:<ftp_port>] <ftp_username>
<ftp_passwd> <encrypt_passwd>
TFTP and FTP carry the file across the network in clear text, and the configuration
contains sensitive settings such as passwords and VPN pre-shared keys, so supply
<encrypt_passwd> so that the backup itself is encrypted, and keep that password: the
restore command requires it (see Restoring your configuration on page 123).
3 Enter the following to back up the configuration to a FortiGuard Management server:
execute backup config management-station <comment>
To back up the entire configuration file through the CLI
Enter the following to back up the entire configuration file:
execute backup full-config tftp <backup_filename> <tftp_server_ipaddress>
<encrypt_passwd>
execute backup full-config ftp <backup_filename> <ftp_server>[:<ftp_port>]
<ftp_username> <ftp_passwd> <encrypt_passwd>
execute backup full-config usb <backup_filename> <encrypt_passwd>
The following procedure describes how to upgrade to FortiOS 4.0 in the web-based
manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings.
To upgrade to FortiOS 4.0 through the web-based manager
1 Download the firmware image file to your management computer.
2 Log in to the web-based manager.
3 Go to System > Status and locate the System Information widget.
4 Beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process may take a few
minutes.
When the upgrade is successfully installed:
After logging back in to the web-based manager, you should save the configuration
settings that carried forward. Some settings may have carried forward from FortiOS
3.0 MR7, while others may not have, such as certain IPS group settings. Go to System >
Maintenance > Backup and Restore to save the configuration settings that carried
forward.
Note: After upgrading to FortiOS 4.0, perform an Update Now to retrieve the latest
FortiGuard signatures from the FortiGuard Distribution Network (FDN), because the
signatures included in the firmware may be older than those currently available on
the FDN.
The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings.
See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for
CLI procedure, for additional information about upgrading firmware in the CLI.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
To upgrade to FortiOS 4.0 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager
instead, log in to the web-based manager and go to System > Maintenance >
FortiGuard.
When downgrading to a previous firmware, only the following settings are retained:
operation mode
Interface IP/Management IP
DNS settings
VDOM parameters/settings
session helpers
system accprofiles.
If you created additional settings in FortiOS 4.0, make sure to back up the current
configuration before downgrading. For more information, see Backing up your
configuration on page 114.
To downgrade through the web-based manager
1 Go to System > Status and locate the System Information widget.
2 Beside Firmware Version, select Update.
3 Enter the path and filename of the firmware image file, or select Browse and locate
the file.
4 Select OK.
The following message appears:
This version will downgrade the current firmware version. Are
you sure you want to continue?
5 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,
resets the configuration, restarts, and displays the FortiGate login. This process takes
a few minutes.
6 Log in to the web-based manager.
Go to System > Status to verify that the firmware version under System Information
has changed to the correct firmware.
When downgrading to a previous firmware, only the following settings are retained:
operation mode
Interface IP/Management IP
DNS settings
VDOM parameters/settings
session helpers
system accprofiles.
If you have created additional settings in FortiOS 4.0, make sure you back up your
configuration before downgrading. For more information, see Backing up your
configuration on page 114.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
To downgrade through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do you
want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message
similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
After the FortiGate unit uploads the firmware, you need to reconfigure your IP address
since the FortiGate unit reverts to default settings, including its default IP address. See
your install guide for configuring IP addresses.
8 Reconnect to the CLI.
9 Enter the following command to confirm the firmware image installed successfully:
get system status
See Restoring your configuration on page 123 to restore you previous configuration
settings.
5 Enter the following command to copy the backed-up configuration file to the
FortiGate unit and restore it:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed up configuration file and
<tftp_ipv4> is the IP address of the TFTP server and <passwrd> is the password
you entered when you backed up your configuration settings. For example, if the
backed up configuration file is confall and the IP address of the TFTP server is
192.168.1.168 and the password is ghrffdt123:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the
system will reboot!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the backed up configuration file. After the file uploads, a
message, similar to the following, is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
All done. Rebooting...
This may take a few minutes.
Use the CLI show command to verify that your settings are restored, or log in to the
web-based manager.
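The procedures in this chapter (backing up the configuration, upgrading or downgrading firmware, confirming the result with get system status, and restoring a backup) each have a check that is better scripted than done by eye. The following is an added example, not code from the guide or from FortiOS: it verifies a downloaded firmware image against a SHA-256 digest obtained out of band (the guide does not discuss image checksums; having one from the vendor support site is an assumption), extracts the version and build from get system status output so the post-reboot check in step 8 can be automated, and reads the #config-version= header of a backup file to decide whether the backup was taken on the build that is now running before you run execute restore. The sample status output and backup header are constructed for the example; the Version: line layout and the header layout (#config-version=<model>-<major>.<minor>-FW-build<n>-<date>:...) are assumptions based on 4.0-era files, so compare them with your own unit before relying on the parsers.

```python
"""Added example: scripted checks around firmware change and configuration
restore. Not code from the guide or from FortiOS; see the lead-in for assumptions."""
import hashlib
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Constructed sample of 'get system status' output. Only the Version: line is
# parsed; its 'v<major>.<minor>,build<n>' layout is an assumption.
SAMPLE_STATUS = """\
Version: FortiGate-620B v4.0,build0178,091020 (MR1)
Virus-DB: 11.00400(2009-10-20 13:21)
Serial-Number: FG600B3908600000
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
"""

# Constructed first line of a configuration backup. The layout
# '#config-version=<model>-<major>.<minor>-FW-build<n>-<date>:...' is an assumption.
SAMPLE_BACKUP_HEADER = (
    "#config-version=FG600B-4.00-FW-build178-091020:opmode=0:vdom=0:user=admin")

Version = Tuple[int, int, int]  # (major, minor, build)

_STATUS_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+),build(\d+)")
_HEADER_RE = re.compile(
    r"^#config-version=(?P<model>.+?)-(?P<major>\d+)\.(?P<minor>\d+)-FW-build(?P<build>\d+)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash an image file in chunks so large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_matches(path: str, expected_hex: str) -> bool:
    """True only if the downloaded image has the digest you obtained out of band
    (from the vendor support site, not from alongside the download itself)."""
    return sha256_of_file(path) == expected_hex.strip().lower()


def parse_system_status(text: str) -> Dict[str, str]:
    """Split the 'Key: value' lines of get system status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def installed_version(status_text: str) -> Optional[Version]:
    """(major, minor, build) from the Version: line, or None if it is missing."""
    m = _STATUS_VERSION_RE.search(parse_system_status(status_text).get("Version", ""))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def backup_version(header_line: str) -> Optional[Version]:
    """(major, minor, build) recorded in a backup's #config-version= header."""
    m = _HEADER_RE.match(header_line.strip())
    return (int(m["major"]), int(m["minor"]), int(m["build"])) if m else None


def upgrade_confirmed(status_text: str, expected_build: int) -> bool:
    """Post-reboot check: does get system status report the build you loaded?"""
    version = installed_version(status_text)
    return version is not None and version[2] == expected_build


def restore_verdict(backup_header: str, status_text: str) -> str:
    """'match' if the backup was taken on the running build; otherwise
    'backup-newer' or 'backup-older' (the guide warns that only a few settings
    survive a downgrade, so review such a backup before restoring it);
    'unknown' if either side cannot be parsed."""
    backed_up, running = backup_version(backup_header), installed_version(status_text)
    if backed_up is None or running is None:
        return "unknown"
    if backed_up == running:
        return "match"
    return "backup-newer" if backed_up > running else "backup-older"


if __name__ == "__main__":
    # Image check against a constructed file standing in for image.out.
    fd, path = tempfile.mkstemp(suffix=".out")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed firmware image bytes")
    try:
        print("image ok:", image_matches(path, sha256_hex(b"constructed firmware image bytes")))
    finally:
        os.remove(path)
    print("running:", installed_version(SAMPLE_STATUS))
    print("restore:", restore_verdict(SAMPLE_BACKUP_HEADER, SAMPLE_STATUS))
```

Only build numbers are compared, not model names, because the two sources print the model differently; if you want a model check as well, add it against the Serial-Number or Version line of your own unit once you have confirmed how it is spelled there.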
Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more
virtual units that function as multiple independent units. A single FortiGate unit is
then flexible enough to serve multiple departments of an organization, separate
organizations, or to act as the basis for a service provider's managed security
service.
Benefits of VDOMs
Some benefits of VDOMs are:
Easier administration
VDOMs provide separate security domains that allow separate zones, user authentication,
firewall policies, routing, and VPN configurations. Using VDOMs can also simplify
administration of complex configurations because you do not have to manage as many
routes or firewall policies at one time. For more information, see VDOM configuration
settings on page 126.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the
FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall policies,
routing settings, and VPN settings.
Also you can assign an administrator account restricted to that VDOM. If the VDOM is
created to serve an organization, this feature enables the organization to manage its own
configuration.
Management systems such as SNMP, logging, alert email, FDN-based updates and
NTP-based time setting use addresses and routing in the management VDOM to
communicate with the network. They can connect only to network resources that
communicate with the management virtual domain. The management VDOM is set to root by
default, but you can change it. For more information, see Changing the management
VDOM on page 139.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/ Feedback
If virtual domain configuration is enabled and you log in as the default super_admin, you
can go to System > Status and look at Virtual Domain in the License Information section to
see the maximum number of virtual domains supported on your FortiGate unit.
For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.
The following configuration settings are exclusively part of a virtual domain and are not
shared between virtual domains. A regular VDOM administrator sees only these settings.
The default super_admin can also access these settings, but must first select which
VDOM to configure.
Table 6: VDOM configuration settings
Configuration Object
System: Network > Zone; Network > DNS Database; Wireless > Settings; Wireless >
Monitor; Wireless > Rogue AP; DHCP service; Dynamic; Monitor
Firewall: Policy; Address; Service; Schedule; Virtual IP; Virtual IP Group; Load
Balance; Protection Profile
UTM: AntiVirus File Filter; Intrusion Protection; Web Filter; Email Filter;
Application Control
VPN: IPSec; SSL
User: Local; Remote; Directory Service; PKI; User Group; Options; Monitor
WAN optimization and web caching
Endpoint NAC
Wireless Controller
Log&Report: Logging configuration; Alert E-mail; Event Log; Log access; DLP Archive;
Report Access
Global configuration settings
System: Status > System Time; Status > Firmware version; Network > Options > Detect
Interface Status for Gateway Load Balancing (see Configuring interface status
detection for gateway load balancing on page 165); Admin > Administrators; Admin
profiles; Admin > Central Management configuration; Wireless > Settings; Wireless >
Monitor; Wireless > Rogue AP; Config > HA (see HA on page 205); Config > SNMP;
Config > Replacement Message; Certificates; Maintenance > Configuration backup and
restore; Maintenance > Revision Control; Maintenance > Scripts; Maintenance > FDN
update configuration
Log&Report: Log Configuration; Alert E-mail
When virtual domains are enabled, the web-based manager and the CLI are changed as
follows:
Global and per-VDOM configurations are separated. For more information, see VDOM
configuration settings on page 126, and Global configuration settings on page 129.
Within a VDOM, reduced dashboard menu options are available, and a new Global
option appears. Selecting Global exits the current VDOM.
Only super_admin profile accounts can view or configure Global level options.
One or more administrators can be configured for each VDOM; however, these admin
accounts cannot edit settings for any VDOMs for which they are not configured.
When virtual domains are enabled, the current virtual domain is displayed at the bottom
left of the screen, in the format Current VDOM: <name of the virtual domain>.
Table of administrator account permissions by VDOM (only the column headings
Read/write permission and Super_admin profile administrator account, and the row
Create VLANs, are recoverable).
VDOM licenses
Disabling a VDOM
Inter-VDOM links
VDOM licenses
All FortiGate units, except the 30B, support 10 VDOMs by default.
High-end FortiGate models support the purchase of a VDOM license key from customer
service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500.
Configuring 250 or more VDOMs will result in reduced system performance.
Table 9: VDOM support by FortiGate model
FortiGate model    Support VDOMs    Default VDOM maximum    Maximum VDOM license
30B                no               -                       -
Other models       yes              10                      10
High-end models    yes              10                      500
Note: Your FortiGate unit has limited resources that are divided amongst all configured
VDOMs. These resources include system memory and CPU. When running 250 or more
VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web
filtering, or antivirus; your FortiGate unit can only provide basic firewall functionality.
Tip: If you do not have a System > Maintenance > License tab, your FortiGate model does
not support more than 10 VDOMs.
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by
connected FortiAnalyzer units. FortiAnalyzer units include VDOMs in their total number of
registered devices. For example, if three FortiGate units are registered on a FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven units. For more information, see the FortiAnalyzer
Administration Guide.
VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other
VDOMs.
Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If
you attempt to name a new VDOM vsys_ha or vsys_fgfm, the FortiGate unit will
generate an error.
Note: When creating 250 or more VDOMs, you cannot enable UTM features such as
proxies, web filtering, and antivirus due to limited resources. Also when creating large
numbers of VDOMs, you may experience reduced performance. To improve performance
with multiple VDOMs, see Configuring resource usage for individual VDOMs on
page 141.
Figure 53: New Virtual Domain
Disabling a VDOM
When you have multiple VDOMs configured, it can be useful to disable one VDOM
temporarily instead of deleting and re-creating it later.
Disabling can be used during initial configuration, equipment changes, or even a DoS
attack.
A disabled VDOM has an empty Enable checkbox. A VDOM with a greyed-out checkbox
is the management VDOM and cannot be disabled.
Re-enabling is simply a matter of checking the Enable box and answering the prompt.
To disable a VDOM
1 Log in as a super_admin profile admin.
2 Go to System > VDOM.
3 For the VDOM to be disabled, unselect the Enable checkbox.
4 Confirm your choice when prompted.
Management VDOM
Create New
Select to add a new VDOM. Enter the new VDOM name and select OK. The VDOM must not have the same name as an existing VDOM, VLAN or zone. The VDOM name can have a maximum of 11 characters and must not contain spaces.
Management Virtual Domain
Change the management VDOM to the selected VDOM in the list. The management VDOM is then grayed out in the Enable column. The default management VDOM is root. For more information, see Changing the management VDOM on page 139.
Apply
Enable
Name
Operation Mode
Interfaces
Comments
Delete icon
Edit icon
Change the description of the VDOM. The name of the VDOM cannot be changed.
Enter icon
Inter-VDOM links
An inter-VDOM link is a pair of interfaces that enable you to communicate between two
VDOMs internally without using a physical interface. Inter-VDOM links have the same
security as physical interfaces, but allow more flexible configurations that are not limited
by the number of physical interfaces on your FortiGate unit. As with all virtual interfaces,
the speed of the link depends on the CPU load, but generally it is faster than physical
interfaces. There are no MTU settings for inter-VDOM links. DHCP support includes inter-VDOM links.
A packet can pass through an inter-VDOM link a maximum of three times. This is to
prevent a loop. When traffic is encrypted or decrypted, it changes the content of the
packets and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels
does not reset the counter.
In HA mode, inter-VDOM links must have both ends of the link within the same virtual
cluster. DHCP over IPSec is supported for inter-VDOM links, however regular DHCP
services are not available.
To view inter-VDOM links, go to System > Network > Interface. When an inter-VDOM link
is created, it automatically creates a pair of virtual interfaces that correspond to the two
internal VDOMs. Each of the virtual interfaces is named using the inter-VDOM link name
with an added 0 or 1. So if the inter-VDOM link is called vlink the interfaces are
vlink0 and vlink1. Select the Expand Arrow beside the VDOM link to display the virtual
interfaces.
5 Enter the name for the new VDOM link, up to a maximum of 11 characters.
The name must not contain any spaces or special characters. Hyphens (-) and
underscores (_) are allowed. Remember that the name will have a 0 or 1 attached to
the end for the actual interfaces.
6 Configure VDOM link 0.
7 Select the VDOM from the menu that this interface will connect to.
8 Enter the IP address and netmask for this interface.
9 Select the administrative access method or methods. Keep in mind that PING,
TELNET, and HTTP are less secure methods.
10 Optionally enter a description for this interface.
11 Repeat steps 7 through 10 for VDOM link 1.
12 Select OK to save your configuration and return to the System > Interface screen.
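The naming rules stated above for VDOMs (at most 11 characters, no spaces, the reserved names vsys_ha and vsys_fgfm, no clash with interfaces, zones, VLANs or other VDOMs) and for inter-VDOM links (11 characters, hyphens and underscores allowed, interfaces derived by appending 0 and 1) can be checked before a change is made. The Python below is an added example, not code from the guide or from Fortinet; it treats letters and digits as the remaining permitted characters in a link name, which is this example's reading of "no special characters", and the set of names already in use is constructed.

```python
import re

# Names the guide says the FortiGate unit reserves for its own use.
RESERVED_VDOM_NAMES = {"vsys_ha", "vsys_fgfm"}
# Both VDOM names and inter-VDOM link names are limited to 11 characters.
MAX_NAME_LEN = 11
# The guide allows hyphens and underscores and forbids spaces and special
# characters; treating letters and digits as the only other allowed characters
# is this example's assumption.
LINK_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def check_vdom_name(name, existing_names):
    """Return the rule violations for a proposed VDOM name (empty list = acceptable).

    existing_names holds every name already taken by a VDOM, interface, zone,
    VLAN or switch interface, since a VDOM may not reuse any of them.
    """
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    if " " in name:
        problems.append("contains a space")
    if name in RESERVED_VDOM_NAMES:
        problems.append("reserved by the FortiGate unit")
    if name in existing_names:
        problems.append("already used by a VDOM, interface, zone, VLAN or switch interface")
    return problems


def check_vdom_link_name(name, existing_names):
    """Validate an inter-VDOM link name.

    Returns (problems, derived), where derived is the pair of interface names the
    unit creates by appending 0 and 1; both of those must be free as well.
    """
    problems = []
    if not name:
        problems.append("name is empty")
    if len(name) > MAX_NAME_LEN:
        problems.append(f"longer than {MAX_NAME_LEN} characters")
    if name and not LINK_NAME_RE.match(name):
        problems.append("contains spaces or special characters (only letters, digits, '-' and '_' allowed)")
    derived = (name + "0", name + "1")
    for iface in derived:
        if iface in existing_names:
            problems.append(f"derived interface name {iface} is already in use")
    return problems, derived


if __name__ == "__main__":
    # Constructed sample of names already present on a unit.
    taken = {"root", "port1", "port2", "internal", "wan1", "dmz", "vlink0"}
    for candidate in ("finance", "vsys_ha", "sales east", "engineering-1", "port1"):
        print(candidate, check_vdom_name(candidate, taken) or "ok")
    for candidate in ("vlink", "fin_eng", "bad link!"):
        problems, derived = check_vdom_link_name(candidate, taken)
        print(candidate, derived, problems or "ok")
```

Run as a script to see each candidate name with its violations; the functions can equally be called from a pre-change review script fed with the unit's current interface, zone and VDOM names.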
DHCP server
zone
routing
load balancing
Note: You can reassign or remove an interface or subinterface once the Delete icon is
displayed. Absence of the icon means that the interface is being used in a configuration
somewhere.
Tip: You can disable a VDOM instead of deleting it. Your configuration will be preserved,
saving time you would otherwise need to remove and reconfigure it. For more information,
see Working with VDOMs and global settings on page 134.
SNMP
logging
alert email
FDN-based updates
Before you change the management VDOM, ensure that virtual domains are enabled on
the system dashboard screen. For more information, see Enabling virtual domains on
page 130.
Only one VDOM can be the management VDOM at any given time.
Global events are logged with the VDOM set to the management VDOM.
Note: You cannot change the management VDOM if any administrators are using RADIUS
authentication.
The total number of communication Sessions that can be started in a VDOM. When
this limit is reached additional sessions are dropped.
The number of IPSec VPN Dial-up Tunnels that can be started in a VDOM. When this
limit is reached, additional tunnels are dropped.
The number of SSL VPN user sessions that can be started in a VDOM. When this limit
is reached the VDOM displays a system busy message instead of the login page when
a user attempts to login to start an SSL VPN session.
Static resources are controlled by limits in the FortiGate configuration. These limits vary by
model and are listed in the FortiGate Maximum Values Matrix. Limiting static resources
does not limit the amount of traffic that the VDOM processes. Instead, limiting static
resources controls the number of configuration elements that can be added to a VDOM.
You can set the following static resource limits:
The number of VPN IPSec Phase 1 and Phase 2 tunnels that can be added to a VDOM
configuration. The number of tunnels is limited by the maximum values for the
FortiGate model.
The number of Local Users and User Groups that can be added to a VDOM
configuration.
Figure 57: Configuring global resource limits that apply to all VDOMs
Resource
Configured Maximum
The maximum amount of the resource allowed for each VDOM. This amount matches the default maximum until you change it.
Default Maximum
The default maximum value for each VDOM for this resource. This value depends on the FortiGate model. Dynamic resources (Sessions, Dial-up Tunnels, and SSL VPN) do not have default maximums so the default maximum for dynamic resources is always 0 (meaning unlimited). Static resources may have a limit set or may be set to 0 meaning they are limited by the resource limit configuration.
Note: If you set the maximum resource usage for a VDOM you cannot reduce the default maximum global limit for all VDOMs below this maximum.
Current Usage
The amount of the resource currently in use. For dynamic resources, current usage is the number of the sessions or tunnels currently in use. For static resources, current usage is the number of configuration items added to the FortiGate unit.
Edit icon
Change the configured maximum for this resource. The Edit Global Resource Limits dialog box lists the valid range of values for the configured maximum. You can set the maximum to zero to set no limit, which means the resource is limited by other factors such as system capacity or max values.
Reset icon
The Maximum value limits the amount of the resource that can be used by the VDOM.
When you add a VDOM, all maximum resource usage settings are 0 indicating that
resource limits for this VDOM are controlled by the global resource limits. You do not
have to override the maximum settings unless you need to override global limits to
further limit the resources available for the VDOM. You cannot set maximum resource
usage higher in a VDOM than the corresponding global resource limit.
Note: To set global resource limits go to System > VDOM > Global Resources. See
Setting VDOM global resource limits on page 140.
The Guaranteed value represents the minimum amount of the resource available for
that VDOM. Setting the guaranteed value makes sure that other VDOMs do not use all
of a resource. A guaranteed value of 0 means that an amount of this resource is not
guaranteed for this VDOM. You only have to change guaranteed settings if your
FortiGate may become low on resources and you want to guarantee that a minimum
level is available for this VDOM.
Resource
Maximum
Override the global limit to reduce the amount of each resource available for this VDOM. The maximum must be the same as or lower than the global limit. The default value is 0, which means the maximum is the same as the global limit.
Note: If you set the maximum resource usage for a VDOM you cannot reduce the default maximum global limit for all VDOMs below this maximum.
Guaranteed
Enter the minimum amount of the resource available to this VDOM regardless of usage by other VDOMs. The default value is 0, which means that an amount of this resource is not guaranteed for this VDOM.
Current
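The Maximum, Guaranteed and global-limit rules above (a VDOM maximum may not exceed the global limit, 0 means "same as global", the global limit cannot be reduced below any VDOM maximum, and a guarantee keeps other VDOMs from consuming all of a resource) can be modelled as a small admission check. The Python below is an added example, not code from the guide or from Fortinet. How the unit actually enforces a guarantee at allocation time is not described in the guide; this example's rule, an assumption, is that the unused part of every other VDOM's guarantee stays reserved, and that guarantees may not add up to more than the global limit.

```python
from dataclasses import dataclass


@dataclass
class VdomLimit:
    """Per-VDOM settings for one resource: the guide's Maximum, Guaranteed and Current columns."""
    maximum: int = 0      # 0 = same as the global limit
    guaranteed: int = 0   # 0 = nothing guaranteed
    current: int = 0      # units in use right now (sessions, tunnels, ...)


class ResourceLimits:
    """One resource (for example Sessions) shared by all VDOMs on a unit.

    Guide rules: a VDOM maximum may not exceed the global limit; the global limit may
    not be reduced below any VDOM's configured maximum; a guarantee stops other VDOMs
    from using all of the resource. Enforcement of the guarantee at allocation time
    (can_allocate) is this example's modelling assumption.
    """

    def __init__(self, resource, global_limit=0):
        self.resource = resource
        self.global_limit = global_limit  # 0 = unlimited
        self.vdoms = {}

    def add_vdom(self, name):
        self.vdoms[name] = VdomLimit()

    def effective_maximum(self, name):
        lim = self.vdoms[name]
        return self.global_limit if lim.maximum == 0 else lim.maximum

    def set_vdom_maximum(self, name, value):
        if value and self.global_limit and value > self.global_limit:
            raise ValueError(f"{name}: {self.resource} maximum {value} exceeds global limit {self.global_limit}")
        self.vdoms[name].maximum = value

    def set_vdom_guaranteed(self, name, value):
        # Assumption: guarantees may not oversubscribe the global limit.
        others = sum(v.guaranteed for other, v in self.vdoms.items() if other != name)
        if self.global_limit and others + value > self.global_limit:
            raise ValueError(f"{name}: guarantees would total {others + value}, above global limit {self.global_limit}")
        self.vdoms[name].guaranteed = value

    def set_global_limit(self, value):
        if value:
            for name, lim in self.vdoms.items():
                if lim.maximum > value:
                    raise ValueError(f"cannot reduce global {self.resource} limit to {value}: {name} has maximum {lim.maximum}")
        self.global_limit = value

    def can_allocate(self, name, n=1):
        """Whether the VDOM may take n more units without breaking a limit or another VDOM's guarantee."""
        lim = self.vdoms[name]
        eff = self.effective_maximum(name)
        if eff and lim.current + n > eff:
            return False
        if not self.global_limit:
            return True
        total = sum(v.current for v in self.vdoms.values())
        # Unused part of every other VDOM's guarantee stays reserved for that VDOM.
        reserved = sum(max(0, v.guaranteed - v.current) for other, v in self.vdoms.items() if other != name)
        return total + n + reserved <= self.global_limit

    def allocate(self, name, n=1):
        if not self.can_allocate(name, n):
            return False
        self.vdoms[name].current += n
        return True


def rejected(action, *args):
    """True if a configuration change raises ValueError (used to show the limit checks)."""
    try:
        action(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed scenario: 100 sessions globally, finance guaranteed 30 of them.
    r = ResourceLimits("Sessions", global_limit=100)
    r.add_vdom("root")
    r.add_vdom("finance")
    r.set_vdom_guaranteed("finance", 30)
    print("root takes 70:", r.allocate("root", 70))
    print("root takes 1 more (would eat finance's guarantee):", r.allocate("root", 1))
    print("finance takes its 30:", r.allocate("finance", 30))
    print("global limit 150 for root:", rejected(r.set_vdom_maximum, "root", 150))
```

The demo shows the case the Guaranteed field exists for: the root VDOM is stopped at 70 sessions even though 30 are still free, because those 30 belong to the finance VDOM's guarantee.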
System Network
This section describes how to configure your FortiGate unit to operate in your network.
Basic network settings include configuring FortiGate interfaces and DNS options. More
advanced configuration includes adding zones and VLAN subinterfaces to the FortiGate
network configuration. Optional configurations also include configuring the FortiGate unit
as a DNS server and an explicit web proxy server.
If you enable virtual domains (VDOMs) on the FortiGate unit, you configure interface and
networking options globally for the entire FortiGate unit. All interface settings, including
adding interfaces to VDOMs, are part of the global configuration. You configure zones, the
modem interface, the DNS database, the explicit web proxy, and the Transparent mode
routing table separately for each VDOM. For more information, see Using virtual
domains on page 125.
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate
interface or to a virtual FortiGate VLAN subinterface.
Note: If you can enter both an IP address and a netmask in the same field, you can use the
short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered
as 192.168.1.100/24.
Configuring interfaces
Configuring zones
Configuring WCCP
Configuring interfaces
Go to System > Network > Interface to configure FortiGate interfaces. Many interface
options are available. Different options are available in NAT/Route mode and in
Transparent mode.
Some of the options available include:
aggregate several physical interfaces into an IEEE 802.3ad aggregate interface (some
models)
add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs)
Figure 61: Example switch mode interface list (on supported models)
Create New
Select Create New to add a new interface. Depending on the model you can add a VLAN interface, a loopback interface, an IEEE 802.3ad aggregated interface, or a redundant interface.
Adding VLAN interfaces on page 158
Adding loopback interfaces on page 158
Adding 802.3ad aggregate interfaces on page 159
Adding redundant interfaces on page 160
When VDOMs are enabled, you can also select Create New to add inter-VDOM links. For more information see Inter-VDOM links on page 136.
Switch Mode
Show backplane interfaces
Column Settings
Select to change the columns of information that are displayed on the interface list. For more information, see Using column settings to control the columns displayed on page 61.
Description icon
Display a description for the interface if one has been added. For more information, see Configuring interface settings on page 151.
Name
The names of the physical interfaces on your FortiGate unit. This includes any alias names that have been configured.
The names of the physical interfaces depend on the model. Some names indicate the default function of the interface such as internal, external, wan1 (wide area network), wlan (wireless LAN) and dmz. Other names are more generic such as port1, port20, and so on.
Some FortiGate models also include a modem interface named modem. See Configuring the modem interface on page 170.
When you combine several interfaces into an aggregate or redundant interface, only the aggregate or redundant interface is listed, not the component interfaces. See Adding 802.3ad aggregate interfaces on page 159 or Adding redundant interfaces on page 160.
On FortiGate models that support switch mode, the individual interfaces in the switch are not displayed when in switch mode. For more information, see Switch Mode on page 150.
If you have added VLAN interfaces, they also appear in the name list, below the physical or aggregated interface to which they have been added. See the FortiGate VLANs and VDOMs Guide.
If you have added loopback interfaces, they also appear in the interface list, below the physical interface to which they have been added.
If you have software switch interfaces configured, you will be able to view them. For more information, see Adding software switch interfaces on page 169.
If you have interface mode enabled on a FortiGate model with a switch interface, you will see multiple internal interfaces. If switch mode is enabled, there will only be one internal interface. For more information see Switch Mode on page 150.
If your FortiGate unit supports AMC modules and you have installed an AMC module containing interfaces (for example, the ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named amc-sw1/1, amc-dw1/2, and so on. sw1 or dw1 indicates a single-width or double-width card, respectively, in slot 1. The last number (/1) indicates the interface number on that card; for the ASM-FB4 card there would be /1 through /4.
IP/Netmask
Access
Administrative Status
Link Status
The status of the interface physical connection. Link status can be either up or down. If link status is up there is an active physical connection between the physical interface and a network switch. If link status is down the interface is not connected to the network or there is a problem with the connection. You cannot change link status from the web-based manager. Link status is only displayed for physical interfaces.
MAC
Mode
Shows the addressing mode of the interface. The addressing mode can be manual, DHCP, or PPPoE.
MTU
The maximum number of bytes per transmission unit (MTU) for the interface. See Changing interface MTU packet size on page 167.
Secondary IP
Type
Virtual Domain
The virtual domain to which the interface belongs. This column is visible when VDOM configuration is enabled.
VLAN ID
Delete icon
Delete the interface. Available for interfaces added by selecting Create New. For example, you can delete VLAN, loopback, aggregate, and redundant interfaces. You can only delete an interface if it is not used in another configuration.
Edit icon
View icon
Switch Mode
Select switch mode to switch a group of related FortiGate interfaces to operate as a multiport switch with one IP address. Switch mode is available on FortiGate models with switch
hardware.
Note: From the FortiGate CLI you can also add software switch interfaces. See Adding
software switch interfaces on page 169.
The switch mode feature has two states - switch mode and interface mode. Switch mode
is the default mode with only one interface and one address for the entire internal switch.
Interface mode allows you to configure each of the internal switch physical interface
connections separately. This allows you to assign different subnets and netmasks to each
of the internal physical interface connections.
Selecting Switch Mode on the System > Network > Interface screen displays the Switch
Mode Management screen.
Caution: Before you are able to change between switch mode and interface mode all
configuration settings for the affected interfaces must be set to defaults. This includes
firewall policies, routing, DNS forwarding, DHCP services, and VDOM interface
assignments. If they are not removed, you will not be able to switch modes, and you will see
an error message. The web-based manager displays the list of affected interfaces.
Figure 63: Switch Mode Management
Switch Mode
Select Switch Mode. Only one internal interface is displayed. This is the default
mode.
Interface Mode
Select Interface Mode. All internal interfaces on the switch are displayed as
individually configurable interfaces.
Hub Mode
On some FortiGate models you can select Hub Mode. Hub mode is similar to
switch mode except that in hub mode the interfaces do not learn the MAC
addresses of the devices on the network they are connected to and may also
respond quicker to network changes in some circumstances. You should only
select Hub Mode if you are having network performance issues when operating
with switch mode. The configuration of the FortiGate unit is the same whether
in switch mode or hub mode.
Name
The name of the interface. You can specify and change the names of VLAN,
Alias
Enter another name for the interface that will easily distinguish this interface from another. This is available only for physical interfaces where you cannot configure the name. The alias can be a maximum of 15 characters.
The alias name is not part of the interface name, but it will appear in brackets beside the interface name. It will not appear in logs.
Link Status
Indicates whether the interface is connected to a network (link status is Up) or not (link status is Down).
Type
When adding a new interface, set Type to the type of interface that you want to add:
Set Type to VLAN to add a VLAN interface. See Adding VLAN interfaces on page 158.
Set Type to Loopback Interface to add a loopback interface. See Adding loopback interfaces on page 158.
On some models you can set Type to 802.3ad Aggregate to add an aggregate interface. See Adding 802.3ad aggregate interfaces on page 159.
On some models you can set Type to Redundant Interface to add a redundant interface. See Adding redundant interfaces on page 160.
Physical Interface
Select the name of the physical interface to which to add a VLAN interface. Once created, the VLAN interface is listed below its physical interface in the Interface list. You cannot change the physical interface of a VLAN interface except when adding a new VLAN interface.
Displayed when Type is set to VLAN.
VLAN ID
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID except when adding a new VLAN interface.
The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information, see Adding VLAN interfaces on page 158.
Displayed when Type is set to VLAN.
Virtual Domain
Select the virtual domain to add the interface to. Admin accounts with super-admin profile can change the Virtual Domain.
Members
This section has two different forms depending on the interface type:
Software switch interface - this section is a display-only field showing the interfaces that belong to the software switch virtual interface. See Adding software switch interfaces on page 169.
802.3ad aggregate or Redundant interface - this section includes available interface and selected interface lists to enable adding or removing interfaces from the interface. See Adding 802.3ad aggregate interfaces on page 159 and Adding redundant interfaces on page 160.
Available Interfaces
Select interfaces from this list to include in the grouped interface - either redundant or aggregate interface. Select the right arrow to add an interface to the grouped interface.
Selected interfaces
Addressing mode
IP/Netmask
If Addressing Mode is set to Manual, enter an IPv4 address/subnet mask for the interface. Two FortiGate interfaces cannot have IP addresses on the same subnet.
IPv6 Address
Enable one-arm sniffer
Select to configure this interface to operate as a one-armed sniffer as part of configuring a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. Once the interface is enabled for sniffing you cannot use the interface for other traffic. You must add sniffer policies for the interface to actually sniff packets. For more information on one-armed IPS, see Firewall Policy Using one-arm sniffer policies to detect network attacks on page 382.
Enable explicit Web Proxy
Select to enable explicit web proxying on this interface. When enabled, this interface will be displayed on System > Network > Web Proxy under Listen on Interfaces and web traffic on this interface will be proxied according to the Web Proxy settings. For more information, see Configuring the explicit web proxy on page 182.
Enable DDNS
Select Enable DDNS to configure a Dynamic DNS service for this interface. For more information, see Configuring Dynamic DNS on an interface on page 163.
Override Default MTU Value
To change the MTU, select Override default MTU value (1500) and enter the MTU size based on the addressing mode of the interface:
68 to 1500 bytes for static mode
576 to 1500 bytes for DHCP mode
576 to 1492 bytes for PPPoE mode
larger frame sizes if supported by the FortiGate model
Only available on physical interfaces. Virtual interfaces associated with a physical interface inherit the physical interface MTU size. For more information on MTU size, see Changing interface MTU packet size on page 167.
Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
Enable DNS Query
Select to configure the interface to accept DNS queries. Select recursive or nonrecursive. For more information, see Configuring FortiGate DNS services on page 177.
recursive
Look up domain names in the FortiGate DNS database. If the entry is not found, relay the request to the DNS servers configured under System > Network > Options.
nonrecursive
Look up domain names in the FortiGate DNS database. Do not relay the request to the DNS servers configured under System > Network > Options.
Administrative Access
Select the types of administrative access permitted for IPv4 connections to this interface.
IPv6 Administrative Access
Select the types of administrative access permitted for IPv6 connections to this interface.
HTTPS
PING
Interface responds to pings. Use this setting to verify your installation and for testing.
HTTP
Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH
SNMP
TELNET
Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Detect Interface Status for Gateway Load Balancing
Configure interface status detection for the main interface IP address. See Configuring interface status detection for gateway load balancing on page 165.
Secondary IP Address
Add additional IPv4 addresses to this interface. Select the blue arrow to expand or hide the section. See Adding secondary IP addresses to an interface on page 167.
Description
Administrative Status
Select either Up (green arrow) or Down (red arrow) as the status of this interface. Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic.
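The interface settings described above give several rules that can be checked mechanically before a configuration is applied: the two accepted netmask forms, no two interfaces on the same subnet, the MTU range for each addressing mode, VLAN IDs between 1 and 4094, the 15-character alias limit, and PING, HTTP and TELNET being the less secure administrative access methods. The Python below is an added example, not code from the guide or from Fortinet, that audits a constructed interface list against those rules. Flagging overlapping subnets rather than only identical ones is a stricter choice made by this example, and the MTU check uses the standard ranges without the larger frame sizes some models support.

```python
import ipaddress

# MTU ranges per addressing mode, from the Override Default MTU Value entry.
MTU_RANGES = {"static": (68, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}
# Administrative access methods the guide describes as less secure.
WEAK_ADMIN_ACCESS = {"PING", "TELNET", "HTTP"}
MAX_ALIAS_LEN = 15
VLAN_ID_RANGE = (1, 4094)


def parse_ip_netmask(text):
    """Accept both forms the guide allows: 192.168.1.100/255.255.255.0 or 192.168.1.100/24."""
    return ipaddress.ip_interface(text)


def audit_interfaces(interfaces):
    """Check a list of interface settings and return human-readable findings.

    Each interface is a dict with keys name, ip (may be None), mode, mtu and
    optionally vlan_id, alias and access (a set of admin-access method names).
    """
    findings = []
    networks = []  # (interface name, network) seen so far
    for itf in interfaces:
        name = itf["name"]
        mode = itf.get("mode", "static")
        if itf.get("ip"):
            net = parse_ip_netmask(itf["ip"]).network
            for other, other_net in networks:
                # The guide forbids two interfaces on the same subnet; overlapping
                # subnets are flagged too (this example's stricter choice).
                if net.overlaps(other_net):
                    findings.append(f"{name} and {other} have addresses on the same subnet ({net} overlaps {other_net})")
            networks.append((name, net))
        lo, hi = MTU_RANGES[mode]
        if not lo <= itf["mtu"] <= hi:
            findings.append(f"{name}: MTU {itf['mtu']} outside {lo}-{hi} for {mode} mode")
        vlan_id = itf.get("vlan_id")
        if vlan_id is not None and not VLAN_ID_RANGE[0] <= vlan_id <= VLAN_ID_RANGE[1]:
            findings.append(f"{name}: VLAN ID {vlan_id} outside {VLAN_ID_RANGE[0]}-{VLAN_ID_RANGE[1]}")
        alias = itf.get("alias", "")
        if len(alias) > MAX_ALIAS_LEN:
            findings.append(f"{name}: alias {alias!r} longer than {MAX_ALIAS_LEN} characters")
        weak = WEAK_ADMIN_ACCESS & set(itf.get("access", ()))
        if weak:
            findings.append(f"{name}: less secure administrative access enabled: {', '.join(sorted(weak))}")
    return findings


# Constructed sample configuration (not taken from a real unit).
SAMPLE_INTERFACES = [
    {"name": "internal", "ip": "192.168.1.99/24", "mode": "static", "mtu": 1500,
     "access": {"HTTPS", "SSH", "PING"}},
    {"name": "dmz", "ip": "192.168.1.200/255.255.255.0", "mode": "static", "mtu": 1500,
     "access": {"HTTPS"}},
    {"name": "wan1", "ip": "203.0.113.2/30", "mode": "pppoe", "mtu": 1500,
     "access": {"HTTP", "TELNET"}},
    {"name": "vlan100", "ip": "10.100.0.1/24", "mode": "dhcp", "mtu": 500, "vlan_id": 4095,
     "alias": "engineering-lab-uplink", "access": set()},
]

if __name__ == "__main__":
    for line in audit_interfaces(SAMPLE_INTERFACES):
        print(line)
```

The dmz entry uses the long netmask form and internal the short form; both parse to the same /24, which is why the audit reports them as sharing a subnet.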
4 Select OK.
To add a loopback interface - CLI
The CLI command to configure a loopback interface called loop1 with an IP address of
10.0.0.10 is:
it does not have an IP address and is not configured for DHCP or PPPoE
Interfaces included in an aggregate interface are not listed on the System > Network >
Interface list. You cannot configure the interface individually and it is not available for
inclusion in firewall policies, firewall virtual IPs, or routing.
Figure 67: Settings for an 802.3ad aggregate interface
it is not monitored by HA
When an interface is included in a redundant interface, it is not listed on the System >
Network > Interface page. You cannot configure the interface individually and it is not
available for inclusion in firewall policies, VIPs, or routing.
Figure 68: Settings for a redundant interface
Status
Obtained IP/Netmask
Renew
Expiry Date
The time and date when the leased IP address and netmask is no longer valid. Only displayed if Status is connected.
Default Gateway
Distance
Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 5.
Retrieve default gateway from server
Override internal DNS
Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On low-end models, this is enabled by default. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.
Status
initializing
No activity.
connecting
connected
The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE connection information is displayed.
failed
The interface was unable to retrieve an IP address and other information from the PPPoE server.
Reconnect
User Name
Password
Unnumbered IP
Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.
Initial Disc Timeout
Enter the initial discovery timeout: the time to wait before starting to retry a PPPoE discovery.
Initial PADT timeout
Enter the initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set initial PADT timeout to 0 to disable.
Distance
Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server
Override internal DNS
Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.
Server
Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can connect only to one of these services.
Domain
Username
Enter the user name to use when connecting to the DDNS server.
Password
configure IP addresses for the local and remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel
Name
Virtual Domain
IP
Remote IP
If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.
Administrative Access
HTTPS
PING
Allow the interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP
SSH
SNMP
TELNET
Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.
Description
Enable secure administrative access to this interface using only HTTPS or SSH.
Do not change the system idle timeout from the default value of 5 minutes (see Settings on page 261).
Interface status detection is used for ECMP route failover and load balancing. See ECMP
route failover and load balancing on page 322.
Since it is possible that a response may not be received even if the server and the network
are operating normally, the dead gateway detection configuration controls the time interval
between tests of the connection to the server and the number of times the test can fail before
the FortiGate unit assumes that the interface cannot connect to the server. See
Configuring Networking Options on page 176 for information about configuring dead
gateway detection.
To configure gateway failover detection for an interface, from the web-based manager go
to System > Network > Interface and edit an interface. Select Detect Interface Status for
Gateway Load Balancing, enter the IP address of the server to test connecting to and
select one or more protocols to use to test the connection to the server. If you have added
secondary IP addresses to an interface you can also configure interface status detection
separately for each secondary IP address.
Note: As long as the FortiGate unit receives responses for at least one of the protocols that
you select, the FortiGate unit assumes the server is operating and can forward packets.
Responses received to more than one protocol does not enhance the status of the server
or interface and receiving responses from fewer protocols does not reduce the status of the
server or interface.
Figure 73: Interface status detection settings
Detect Server
Ping
Use standard ICMP ping to confirm that the server is responding. Ping confirms
that the server can respond to an ICMP ping request.
TCP Echo
Use TCP echo to confirm that the server is responding. Select this option if the
server is configured to provide TCP echo services. In some cases a server may be
configured to reply to TCP echo requests but not to reply to ICMP pings.
TCP echo uses TCP packets on port number 7 to send a text string to the server
and expects an echo reply back from the server. The echo reply simply returns
the same text to confirm that the server can respond to TCP requests.
FortiGate units do not recognize RST (reset) packets from TCP Echo servers as
normal TCP echo replies. If the FortiGate receives an RST response to a TCP
echo request, the FortiGate unit assumes the server is unreachable.
UDP Echo
Use UDP echo to detect the server. Select this option if the server is configured to
provide UDP echo services. In some cases a server may be configured to reply to
UDP echo requests but not to reply to ICMP pings.
UDP echo uses UDP packets on port number 7 to send a text string to the server
and expects an echo reply from the server. The echo reply just echoes back the
same text to confirm that the server can respond to UDP requests.
Spillover
Threshold
Set the spillover threshold to limit the amount of bandwidth processed by the
interface. The spillover threshold range is 0-2097000 KBps.
The FortiGate unit sends all ECMP-routed sessions to the lowest numbered
interface until the bandwidth being processed by this interface reaches its spillover
threshold. The FortiGate unit then spills additional sessions over to the next lowest
numbered interface.
For more information, including the order in which interfaces are selected, see
ECMP route failover and load balancing on page 322.
Note: For more information about TCP echo and UDP echo, see RFC 862.
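As an added illustration of the detection logic described above (example code, not Fortinet's), the following Python models a detect server test: TCP echo and UDP echo probes on the RFC 862 echo port, a TCP RST counted as unreachable, "any one protocol responding" meaning the server is up, and an interface marked down only after a configurable number of consecutive failed tests. It starts local echo servers on constructed ephemeral ports so it runs offline; ICMP ping is left out because it needs raw sockets, and the fail limit and echo string are assumed values.

```python
import socket
import socketserver
import threading

ECHO_PAYLOAD = b"fortigate-detect"   # constructed test string sent to the detect server


class _TCPEchoHandler(socketserver.BaseRequestHandler):
    """Echo back whatever the client sends (RFC 862 over TCP)."""
    def handle(self):
        data = self.request.recv(1024)
        if data:
            self.request.sendall(data)


class _UDPEchoHandler(socketserver.BaseRequestHandler):
    """Echo back the datagram (RFC 862 over UDP)."""
    def handle(self):
        data, sock = self.request
        sock.sendto(data, self.client_address)


def start_echo_servers(host="127.0.0.1"):
    """Start local TCP and UDP echo servers on free ports as a constructed stand-in
    for a detect server that provides echo services. Returns (tcp, udp); each
    server's port is server.server_address[1]."""
    tcp = socketserver.TCPServer((host, 0), _TCPEchoHandler)
    udp = socketserver.UDPServer((host, 0), _UDPEchoHandler)
    for srv in (tcp, udp):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return tcp, udp


def tcp_echo_probe(host, port=7, timeout=1.0):
    """TCP echo test: connect to the echo port, send the string, expect it back.
    A refused connection (RST) or a reset counts as unreachable, as the text says."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ECHO_PAYLOAD)
            buf = b""
            while len(buf) < len(ECHO_PAYLOAD):
                chunk = s.recv(len(ECHO_PAYLOAD) - len(buf))
                if not chunk:
                    break
                buf += chunk
            return buf == ECHO_PAYLOAD
    except OSError:        # ConnectionRefusedError, ConnectionResetError, timeout
        return False


def udp_echo_probe(host, port=7, timeout=1.0):
    """UDP echo test: send the string and expect the same string back before the
    timeout; silence or an ICMP port-unreachable error is a failed test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(ECHO_PAYLOAD, (host, port))
            data, _ = s.recvfrom(1024)
            return data == ECHO_PAYLOAD
        except OSError:
            return False


def server_is_up(probes):
    """The server is considered responding if at least one selected protocol
    answers; extra answers do not raise its status and fewer do not lower it."""
    return any(probe() for probe in probes)


class InterfaceStatus:
    """Dead gateway detection: the interface is declared down only after
    fail_limit consecutive failed test rounds and comes back up on one success.
    The default of 5 is an assumed value, not the unit's default."""
    def __init__(self, fail_limit=5):
        self.fail_limit = fail_limit
        self.consecutive_failures = 0
        self.up = True

    def record(self, server_up):
        """Feed the result of one test round; returns the interface status."""
        if server_up:
            self.consecutive_failures = 0
            self.up = True
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.fail_limit:
                self.up = False
        return self.up


if __name__ == "__main__":
    tcp, udp = start_echo_servers()
    host, tport, uport = "127.0.0.1", tcp.server_address[1], udp.server_address[1]
    print("server up:", server_is_up([lambda: tcp_echo_probe(host, tport),
                                      lambda: udp_echo_probe(host, uport)]))
    tcp.shutdown()
    tcp.server_close()     # port now closed: the TCP probe gets an RST
    print("TCP after RST:", tcp_echo_probe(host, tport),
          "UDP:", udp_echo_probe(host, uport))
```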
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces on the FortiGate unit to match the new MTU.
All of the IP addresses added to an interface are associated with the single MAC address
of the physical interface, and all secondary IP addresses are in the same VDOM as the
interface they are added to. You configure interface status detection for gateway load
balancing separately for each secondary IP address. As with all other interface IP
addresses, secondary IP addresses cannot be on the same subnet as any other primary
or secondary IP address assigned to a FortiGate interface unless they are in separate
VDOMs.
To add secondary IP addresses to an interface
1 Go to System > Network > Interface.
2 Edit the physical interface to add secondary IP addresses to.
3 Make sure the interface Addressing Mode is set to Manual and that you have added an
IP/Netmask to the interface.
4 Select the blue arrow to expand the Secondary IP Address section.
5 Configure the settings for a secondary IP address and select OK to add the address
and its configuration settings to the interface.
6 Repeat to add more secondary IP addresses.
7 Select OK or Apply at the bottom of the Edit Interface dialog to add the secondary IP
addresses to the interface.
Tip: After adding secondary IP addresses and selecting OK to save changes to the Edit
Interface dialog you should edit the interface again to make sure the secondary IP
addresses have been added as expected.
Figure 74: Adding Secondary IP Addresses
IP/Netmask
Detect Interface Status for Gateway Load Balancing
Administrative Access
HTTPS, PING, HTTP, SSH, SNMP, TELNET
TELNET
Allow Telnet connections to the CLI through this secondary IP. Telnet
connections are not secure and can be intercepted by a third party.
OK
Secondary IP address table
A table that displays all the secondary IP addresses that have been added to
this interface.
These addresses are not permanently added to the interface until you select
OK or Apply at the bottom of the Edit Interface dialog.
IP/Netmask
Detect Server
Enable
Detect Server
The IP address of the detect server for the secondary IP address. The same
detect server can be shared by multiple secondary IP addresses.
Detect Protocol
Administrative Access
The administrative access methods for this address. They can be different
from the primary IP address.
Delete Icon
Edit Icon
Edit the selected secondary IP address. When you select the Edit icon the
settings for the secondary IP address to edit appear in the fields above the
secondary IP address table. You can edit these settings and select OK to
save changes to the secondary IP address.
Note: If you select the Edit icon to edit a secondary IP address and change
the IP/Netmask, a new secondary IP address is added when you select OK.
If you only wanted to change the IP/Netmask and not add a new secondary
IP address, delete the secondary IP address that you selected the Edit icon
for.
Configuring zones
Group interfaces into zones to simplify policy creation. By grouping interfaces into a zone
you can add one set of firewall policies for the zone instead of adding separate policies for
each interface. Once you add interfaces to a zone you cannot configure policies for the
interfaces, but only for the zone.
You can add all types of interfaces to a zone (physical, VLAN, switch, and so on) and a
zone can consist of any combination of interface types. You can add zones, rename and
edit zones, and delete zones from the zone list. When you add a zone, you select the
names of the interfaces to add to the zone.
Zones are configured from virtual domains. If you have added multiple virtual domains to
your FortiGate configuration, make sure you are configuring the correct virtual domain
before adding or editing zones.
Figure 75: Zone list
Create New
Name
Block intra-zone traffic
Displays Yes if traffic between interfaces in the same zone is blocked and
No if traffic between interfaces in the same zone is not blocked.
Interface Members
Edit/View icons
Delete icon
Delete a zone.
You can connect a supported USB modem to any FortiGate model with a USB interface.
You can connect a supported serial model to any FortiGate model with a serial modem
port.
You can insert a supported PCMCIA modem into any FortiGate model with a PCMCIA
slot. Power off the FortiGate unit before inserting the PCMCIA modem. After inserting
the modem, when you power up the FortiGate unit it should automatically find the
modem and create the modem interface.
In redundant (backup) mode, the modem interface automatically takes over from a
selected ethernet interface when that ethernet interface is unavailable.
In standalone mode, the modem interface is the connection from the FortiGate unit to
the Internet.
In redundant or standalone mode when connecting to the ISP, you can configure the
FortiGate unit to automatically have the modem dial up to three dialup accounts until the
modem connects to an ISP.
Other models can connect to an external modem through a USB-to-serial converter. For
these models, you must configure modem operation using the CLI.
Initially modem interfaces are disabled, and must be enabled in the CLI to be visible in the
web-based manager. See the system modem command in the FortiGate CLI Reference.
Note: The modem interface is not the AUX port. While the modem and AUX port may
appear similar, the AUX port has no associated interface and is used for remote console
connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and
3000A. For more information, see the config system aux command in the
FortiGate CLI Reference.
Note: You cannot configure and use the modem in Transparent mode.
Figure 76 shows only the settings specific to standalone mode. The remaining settings
are common to both standalone and redundant modes and are shown in Figure 77.
Figure 76: Modem settings (Standalone)
Enable Modem
Modem status
Dial Now/Hang Up
Mode
Auto-dial (Standalone mode)
Dial on demand (Standalone mode)
Select to dial the modem when packets are routed to the modem
interface. The modem disconnects after the idle timeout period if there is
no network activity.
You cannot select Dial on demand if Auto-dial is selected.
Idle timeout (Standalone mode)
Enter the timeout duration in minutes. After this period of inactivity, the
modem disconnects.
Redundant for (Redundant mode)
Select the ethernet interface for which the modem provides backup
service.
Holddown Timer (Redundant mode)
(Redundant mode only) Enter the time (1-60 seconds) that the FortiGate
unit waits before switching back to the primary interface from the modem
interface, after the primary interface has been restored. The default is 1
second. Configure a higher value if you find the FortiGate unit switching
repeatedly between the primary interface and the modem interface.
Redial Limit
The maximum number of times (1-10) that the FortiGate unit modem
attempts to reconnect to the ISP if the connection fails. The default redial
limit is 1. Select None to have no limit on redial attempts.
Wireless Modem
Dialup Account
Phone Number
The phone number required to connect to the dialup account. Do not add
spaces to the phone number. Make sure to include standard special
characters for pauses, country codes, and other functions as required by
your modem to connect to your dialup account.
User Name
Password
The FortiGate unit disconnects the modem interface and switches back to the ethernet
interface when the ethernet interface is able to connect to its network. You can set a
holddown timer that delays the switch back to the ethernet interface to ensure it is stable
and fully active before switching the traffic.
The modem will disconnect after a period of network inactivity set by the value in idle
timeout. This saves money on dialup connection charges.
For the FortiGate unit to be able to switch from an ethernet interface to the modem, you
must select the name of the interface in the modem configuration and configure a ping
server for that interface. You must also configure firewall policies for connections between
the modem interface and other FortiGate interfaces.
Note: Do not add policies for connections between the modem interface and the ethernet
interface that the modem is backing up.
Holddown timer
Enter the number of seconds to continue using the modem after the
network connectivity is restored.
Redial Limit
Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1
Dialup Account 2
Dialup Account 3
Enter the ISP phone number, user name and password for up to three
dialup accounts.
4 Select Apply.
5 Configure interface status detection for the ethernet interface the modem backs up.
See Configuring interface status detection for gateway load balancing on page 165.
6 Configure firewall policies for network connectivity through the modem interface.
See Adding firewall policies for modem connections on page 175.
Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand
Select if you want the modem to connect to its ISP whenever there are
unrouted packets.
Idle timeout
Enter the timeout duration in minutes. After this period of inactivity, the
modem disconnects.
Redial Limit
Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1
Dialup Account 2
Dialup Account 3
Enter the ISP phone number, user name and password for up to three
dialup accounts.
4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface.
See Adding firewall policies for modem connections on page 175.
6 Go to Router > Static and set device to modem to configure static routes to route
traffic to the modem interface.
See Adding a static route to the routing table on page 320.
connecting
connected
disconnecting
hung up
The modem has disconnected from the ISP. (Standalone mode only)
The modem will not redial unless you select Dial Now.
DNS Settings
Primary DNS Server
Detection Interval
Fail-over Detection
Enter the number of times that interface status tests fail before the
FortiGate unit assumes that the interface is no longer functioning.
DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can
specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS
server IP addresses are usually supplied by your ISP.
You can configure FortiGate models numbered 100 and lower to obtain DNS server
addresses automatically. To obtain these addresses automatically, at least one FortiGate
unit interface must use the DHCP or PPPoE addressing mode. See Configuring DHCP
on an interface on page 161 or Configuring PPPoE on an interface on page 162.
FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts
on the attached network use the interface IP address as their DNS server. DNS requests
sent to the interface are forwarded to the DNS server addresses that you configured or
that the FortiGate unit obtained automatically.
The interface relays DNS requests to the DNS servers configured for the FortiGate unit
under System > Network > Options. See To configure a FortiGate interface to relay
DNS requests to external DNS servers on page 179.
The interface resolves DNS requests using a FortiGate DNS database. DNS requests
for host names not in the FortiGate DNS database are dropped. See To configure a
FortiGate interface to resolve DNS requests using only the FortiGate DNS database
on page 179.
The interface resolves DNS requests using the FortiGate DNS database and relays
DNS requests for host names not in the FortiGate DNS database to the DNS servers
configured for the FortiGate unit under System > Network > Options. This is called a
split DNS configuration. See To configure a split DNS configuration on page 180.
If virtual domains are not enabled you can create one DNS database that is shared
by all the FortiGate interfaces.
If virtual domains are enabled, you create a DNS database in each VDOM. All of the
interfaces in a VDOM share the DNS database in that VDOM.
This section describes:
Look up domain names in the FortiGate DNS database. If the entry is not
found, relay the request to the DNS servers configured under System >
Network > Options. Can be used for a split DNS configuration.
non-recursive
Look up domain names in the FortiGate DNS database. Do not relay the
request to the DNS servers configured under System > Network > Options.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database.
Add zones and entries as required. See Configuring the FortiGate DNS database on
page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
To configure a FortiGate interface to relay DNS requests to external DNS servers
Configure a FortiGate interface to relay DNS requests to the DNS servers configured for
the FortiGate unit under System > Network > Options.
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The FortiGate unit uses these DNS servers for its own DNS lookups, and they can be
used to supply DNS lookups for your internal networks. See Configuring Networking
Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive.
The interface is configured to look up domain names in the FortiGate DNS database
and relay requests for names not in the FortiGate DNS database to the DNS
servers configured under System > Network > Options. If you do not add entries to the
FortiGate DNS database, all DNS requests are relayed to the DNS servers configured
under System > Network > Options.
4 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
To configure a FortiGate interface to resolve DNS requests using only the FortiGate
DNS database
Configure a FortiGate interface to resolve DNS requests using the FortiGate DNS
database and to drop requests for host names that are not in the FortiGate DNS database.
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The FortiGate unit uses these DNS servers for its own DNS lookups, and they can be
used to supply DNS lookups for your internal networks. See Configuring Networking
Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Non-Recursive.
When you select Non-Recursive only the entries in the FortiGate DNS database are
used.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database.
Add zones and entries as required. See Configuring the FortiGate DNS database on
page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
To configure a split DNS configuration
Configure an interface to resolve DNS requests using the FortiGate DNS database and
relay DNS requests for host names not in the FortiGate DNS database to the DNS servers
configured under System > Network > Options. This is called a split DNS configuration.
See About split DNS on page 178.
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The FortiGate unit uses these DNS servers for its own DNS lookups, and they can be
used to supply DNS lookups for your internal networks. See Configuring Networking
Options on page 176.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive.
The interface is configured to look up domain names in the FortiGate DNS database
and relay requests for names not in the FortiGate DNS database to the DNS
servers configured under System > Network > Options. You can add entries to the
FortiGate DNS database for users on the internal network.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database.
Add zones and entries as required for users on the internal network. See Configuring
the FortiGate DNS database on page 180.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
DNS Zone
The names of the DNS zones added to the DNS database list.
Domain Name
TTL
The TTL value for the domain name which is the packet time to live in seconds.
The range is 0 to 2 147 483 647.
# of Entries
Delete icon
Edit icon
Select to add a new entry to the zone. Each zone contains entries for one domain
name.
Delete icon
Edit icon
Type
The type of DNS entry. Can be an IPv4 address (A), an IPv6 address (AAAA), a
name server (NS), a canonical name (CNAME), or a mail exchange (MX) name.
Details
Select the type of entry to add. The options change depending on the type.
Hostname
IP Address
IPv6 Address
Enter the host's IP address (IPv6). Available if Type is IPv6 Address (AAAA).
Canonical Name
Enter the host's fully qualified domain name. Available if Type is
Canonical Name (CNAME).
Preference
TTL (seconds)
Enter the TTL value. Enter 0 to use the Zone TTL value.
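The recursive, non-recursive and split DNS behaviours described in the procedures above, together with the zone and entry fields of the DNS database table, as an added Python model (example code, not Fortinet's). The zone, its entries and the upstream answer table are constructed sample data; the relay function is a stand-in for the Primary and Secondary DNS servers configured under System > Network > Options.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

Answer = Tuple[str, int]   # (record value, effective TTL in seconds)


@dataclass
class Entry:
    rtype: str             # A, AAAA, NS, CNAME or MX (the Type column above)
    hostname: str          # host label inside the zone, e.g. "www"
    value: str             # IP address, canonical name, or mail/name server
    ttl: int = 0           # 0 = use the Zone TTL, as the TTL (seconds) field says
    preference: int = 10   # MX preference; ignored for other types


@dataclass
class Zone:
    domain: str                                   # the zone's Domain Name
    ttl: int                                      # Zone TTL, 0 to 2147483647
    entries: list = field(default_factory=list)


class DnsDatabase:
    """The FortiGate DNS database: zones, each holding entries for one domain."""
    MAX_CNAME_HOPS = 8     # assumed guard against alias loops

    def __init__(self, zones):
        self.zones = {z.domain.lower(): z for z in zones}

    def _split(self, name):
        """Find the zone that owns 'name'; return (zone, host label) or (None, None)."""
        name = name.lower().rstrip(".")
        for domain, zone in self.zones.items():
            if name.endswith("." + domain):
                return zone, name[: -len(domain) - 1]
        return None, None

    def lookup(self, name, rtype="A", hops=0) -> Optional[Answer]:
        """Return (value, TTL) or None when the name is not in the database.
        An entry TTL of 0 inherits the zone TTL; a CNAME is followed so that an
        A/AAAA query for an alias still gets the target's record; for MX the
        entry with the lowest preference wins."""
        zone, host = self._split(name)
        if zone is None or hops > self.MAX_CNAME_HOPS:
            return None
        same_host = [e for e in zone.entries if e.hostname.lower() == host]
        matches = [e for e in same_host if e.rtype == rtype]
        if matches:
            best = min(matches, key=lambda e: e.preference) if rtype == "MX" else matches[0]
            return best.value, (best.ttl or zone.ttl)
        for e in same_host:
            if e.rtype == "CNAME" and rtype != "CNAME":
                return self.lookup(e.value, rtype, hops + 1)
        return None


class InterfaceResolver:
    """DNS behaviour of one interface with Enable DNS Query selected.
    'recursive'     = database first, then relay to the Options servers (split DNS)
    'non-recursive' = database only; anything not in the database is dropped"""

    def __init__(self, db, mode, relay):
        if mode not in ("recursive", "non-recursive"):
            raise ValueError("mode must be 'recursive' or 'non-recursive'")
        self.db, self.mode, self.relay = db, mode, relay
        self.dropped = 0   # requests discarded in non-recursive mode

    def resolve(self, name, rtype="A"):
        """Return (value, ttl, source) or None when the request is dropped or
        the relayed lookup also has no answer."""
        hit = self.db.lookup(name, rtype)
        if hit is not None:
            return hit + ("database",)
        if self.mode == "non-recursive":
            self.dropped += 1
            return None
        upstream = self.relay(name, rtype)
        return None if upstream is None else upstream + ("relay",)


# Constructed stand-in for the Primary/Secondary DNS servers under
# System > Network > Options; a real deployment would send the query upstream.
UPSTREAM_STUB = {("public.example.test", "A"): ("203.0.113.5", 300)}


def relay_to_options_servers(name, rtype):
    return UPSTREAM_STUB.get((name.lower().rstrip("."), rtype))


def build_sample_database():
    """Constructed sample zone for an internal network (documentation addresses)."""
    return DnsDatabase([Zone("example.local", 3600, [
        Entry("A", "www", "192.0.2.10"),
        Entry("A", "db", "192.0.2.20", ttl=60),          # entry TTL overrides zone TTL
        Entry("AAAA", "www", "2001:db8::10"),
        Entry("CNAME", "intranet", "www.example.local"),
        Entry("MX", "mail", "mx1.example.local", preference=20),
        Entry("MX", "mail", "mx2.example.local", preference=10),
    ])])


if __name__ == "__main__":
    split = InterfaceResolver(build_sample_database(), "recursive", relay_to_options_servers)
    print(split.resolve("intranet.example.local"), split.resolve("public.example.test"))
```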
Web proxies are configured for each VDOM when VDOMs are enabled.
For a more complete description of the FortiGate web proxy, including a configuration
example, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
To configure the explicit web proxy go to System > Network > Web Proxy.
Figure 80: Configuring Web Proxy settings
Proxy FQDN
Enter the fully qualified domain name (FQDN) for the proxy server.
This is the domain name to enter into browsers to access the proxy
server.
The web proxy server will forward HTTP requests to the internal
network. You can include the following headers in those requests:
Client IP Header
Via Header
Enable to include the Via Header from the original HTTP request.
X-forwarded-for Header
Front-end HTTPS Header
Enable to include the Front-end HTTPS Header from the original
HTTPS request.
Explicit Web Proxy Options
Port
Enter the explicit web proxy server port. To use the explicit proxy,
users must add this port to their web browser proxy configuration.
The default value of 0 means 8080.
Listen on Interfaces
Displays the interfaces that are being monitored by the explicit web
proxy server.
Select the action to take when the proxy server must handle an
unknown HTTP version request or message. Choose from either
Reject or Best Effort. The Reject option is more secure.
Configuring WCCP
Using the FortiOS 4.0 customizable GUI feature you can add a WCCP widget to the
web-based manager and use this widget to add WCCP entries to the FortiGate
configuration.
Configure settings for Web Cache Communication Protocol (WCCP) version 2 to optimize
web traffic, thus reducing transmission costs and downloading time.
When a web client (on a computer) makes a request for web content, WCCP allows the
routers on the local network to redirect the web content requests to the appropriate web
cache server on the local network. If the web cache server contains the information in the
web content request, the web cache server sends the content directly to the local client. If
the web cache does not contain the requested information, the web cache server will
download the HTTP information, cache it, and send it to the local client. The local client is
not aware this caching is taking place.
For web caching to function, local network traffic must be directed through one or more
routers that are able to forward the HTTP requests to the web cache servers. The
FortiGate unit can act as a WCCP version 2 enabled router and direct web content
requests to configured web cache servers.
The web caching will speed up downloads by not accessing remote websites for each
HTTP request. It will also reduce the amount of data a company network sends and
receives over the Internet, reducing costs.
To configure WCCP from the web-based manager, go to System > Admin > Admin Profile
and create a custom menu layout in your administrative profile and add the WCCP page. It
is in the Additional content category. See Configuring an admin profile on page 258.
Figure 81: Adding WCCP entries
Service ID
Router IP
Group Address
The IP multicast address used by the cache servers. Enter 0.0.0.0 to have
the FortiGate unit ignore multicast WCCP traffic. Otherwise, Group Address
must be from 224.0.0.0 to 239.255.255.255.
Server List
Forward Method
Specify how the FortiGate unit forwards traffic to cache servers. You can
select GRE (the default), L2, or Any. If Forward Method is Any the cache
server determines the forward method.
Return Method
Specify how a cache server declines a redirected packet and returns it to the
FortiGate unit. You can select GRE (the default), L2, or Any. If Return
Method is Any the cache server determines the return method.
Assignment Method
Specify which assignment method the FortiGate unit prefers. You can select
Hash (the default), Mask, or Any. If Assignment Method is Any the cache
server determines the assignment method.
Authentication
Password
Note: In NAT/Route mode the static routing table is located at System > Routing > Static.
IP/Mask
Gateway
The IP address of the next hop router to which the route directs traffic. For an
Internet connection, the next hop routing gateway routes traffic to the Internet.
Delete icon
Remove a route.
View/edit icon
Destination IP
/Mask
System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units.
The majority of this section is applicable to all FortiWiFi units.
If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and wireless
monitor are configured separately for each virtual domain. System wireless settings are
configured globally. For details, see Using virtual domains on page 125.
This section describes:
Channel assignments
Wireless settings
Wireless Monitor
Rogue AP detection
Provide an access point that clients with wireless network cards can connect to. This is
called Access Point mode, which is the default mode. All FortiWiFi units can have up to
4 wireless interfaces.
or
Connect the FortiWiFi unit to another wireless network. This is called Client mode. A
FortiWiFi unit operating in Client mode can only have one wireless interface.
or
Monitor access points within radio range. This is called Monitoring mode. You can
designate the detected access points as Accepted or Rogue for tracking purposes. No
access point or client operation is possible in this mode. But, you can enable
monitoring as a background activity while the unit is in Access Point mode.
Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or
RADIUS servers
Channel assignments
The channels available to you depend on the wireless protocol selected and on the
region of the world you are in. Set the channel for the wireless network
by going to System > Wireless > Settings. For more information see Wireless settings on
page 190.
The following tables list the channel assignments for wireless networks for each supported
wireless protocol.
Channel   Frequency (MHz)   Regulatory Areas: Americas, Europe, Taiwan, Singapore, Japan
34        5170
36        5180
38        5190
40        5200
42        5210
44        5220
46        5230
48        5240
52        5260
56        5280
60        5300
64        5320
149       5745
153       5765
157       5785
161       5805
Channel   Frequency (MHz)   Regulatory Areas: Americas, EMEA, Israel, Japan (modulation: CCK, OFDM)
1         2412
2         2417
3         2422
4         2427
5         2432
6         2437
7         2442
8         2447
9         2452
10        2457
11        2462
12        2467
13        2472
14        2484
Wireless settings
To configure the wireless settings, go to System > Wireless > Settings.
By default the FortiWiFi unit includes one wireless interface, called wlan. If you are
operating your FortiWiFi unit in access point mode, you can add up to three virtual
wireless interfaces. All wireless interfaces use the same wireless parameters. That is, you
configure the wireless settings once, and all wireless interfaces use those settings. For
details on adding more wireless interfaces, see Adding a wireless interface on page 191.
When operating the FortiWiFi unit in Client mode, radio settings are not configurable.
Figure 83: FortiWiFi wireless parameters - Access Point mode
Operation Mode
Select the wireless frequency band. Be aware what wireless cards or devices
your users have as it may limit their use of the wireless network. For example,
if you configure the FortiWiFi unit for 802.11g and users have 802.11b devices,
they may not be able to use the wireless network.
Geography
Select your country or region. This determines which channels are available.
See Channel assignments on page 188 for channel information.
Channel
Select a channel for your wireless network or select Auto. The channels that
you can select depend on the Geography setting. See Channel assignments
on page 188 for channel information.
Tx Power
Set the transmitter power level. The higher the number, the larger the area the
FortiWiFi will broadcast. If you want to keep the wireless signal to a small area,
enter a smaller number.
Beacon Interval
Set the interval between beacon packets. Access Points broadcast Beacons
or Traffic Indication Messages (TIM) to synchronize wireless networks.
A higher value decreases the number of beacons sent; however, it may delay
some wireless clients from connecting if they miss a beacon packet.
Decreasing the value increases the number of beacons sent. While this
makes it quicker to find and connect to the wireless network, it requires more
overhead, slowing throughput.
Background Rogue AP Scan
Perform the Monitoring mode scanning function while the unit is in Access
Point mode. Scanning occurs while the access point is idle. The scan covers
all wireless channels. Background scanning can reduce performance if the
access point is busy. See Rogue AP detection on page 196.
MAC Address
SSID
The wireless service set identifier (SSID) or network name for the wireless
interface. To communicate, an Access Point and its clients must use the same
SSID.
SSID Broadcast
Green checkmark icon indicates that the wireless interface broadcasts its
SSID. Broadcasting the SSID makes it possible for clients to connect to your
wireless network without first knowing the SSID.
This column is visible only in Access Point mode.
Security Mode
Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client
mode or Monitoring mode.
Enter a name for the wireless interface. The name cannot be the same
as an existing interface, zone or VDOM.
Type
Select Wireless.
Address Mode
Administrative Access
4 In the Wireless Settings section, complete the following and select OK:
Figure 86: Wireless interface settings (WEP)
SSID
Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must configure
their computers with this network name.
SSID Broadcast
Select to broadcast the SSID. Broadcasting the SSID enables clients to
connect to your wireless network without first knowing the SSID. For better
security, do not broadcast the SSID. If the SSID is not broadcast, there is
less chance of an unwanted user connecting to your wireless network. If you
choose not to broadcast the SSID, you need to inform users of the SSID so
they can configure their wireless devices.
Security mode
Select the security mode for the wireless interface. Wireless users must use
the same security mode to be able to connect to this wireless interface.
None has no security. Any wireless user can connect to the wireless
network.
WEP64 64-bit wired equivalent privacy (WEP). To use WEP64 you must
enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless
users of the key.
WEP128 128-bit WEP. To use WEP128 you must enter a Key containing 26
hexadecimal digits (0-9 a-f) and inform wireless users of the key.
WPA Wi-Fi protected access (WPA) security. To use WPA you must select
a data encryption method. You must also enter a pre-shared key containing at
least eight characters or select a RADIUS server. If you select a RADIUS
server the wireless clients must have accounts on the RADIUS server.
WPA2 WPA with more security features. To use WPA2 you must select a
data encryption method and enter a pre-shared key containing at least eight
characters or select a RADIUS server. If you select a RADIUS server the
wireless clients must have accounts on the RADIUS server.
WPA2 Auto the same security features as WPA2, but also accepts wireless
clients using WPA security. To use WPA2 Auto you must select a data
encryption method You must also enter a pre-shared key containing at least 8
characters or select a RADIUS server. If you select a RADIUS server the
wireless clients must have accounts on the RADIUS server.
Key
Enter the security key. This field appears when selecting WEP64 or WEP128
security.
Data Encryption
Select a data encryption method to be used by WPA, WPA2, or WPA2 Auto.
Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to
use Advanced Encryption Standard (AES) encryption. AES is considered
more secure than TKIP. Some implementations of WPA may not support AES.
Pre-shared Key
Enter the pre-shared key. This field appears when selecting WPA, WPA2, or
WPA2 Auto security.
RADIUS Server
Select to use a RADIUS server when selecting WPA or WPA2 security. You
can use WPA or WPA2 RADIUS security to integrate your wireless network
configuration with a RADIUS or Windows AD server. Select a RADIUS server
name from the list. You must configure the RADIUS server by going to User >
RADIUS. For more information, see RADIUS on page 647.
RTS Threshold
Set the Request to Send (RTS) threshold.
The RTS threshold is the maximum size, in bytes, of a packet that the
FortiWiFi will accept without sending RTS/CTS packets to the sending
wireless device. In some cases, larger packets being sent may cause
collisions, slowing data transmissions. By changing this value from the default
of 2346, you can configure the FortiWiFi unit to, in effect, have the sending
wireless device ask for clearance before sending larger transmissions. Smaller
packets can still collide, but this is less likely.
A setting of 2346 bytes effectively disables this option.
Fragmentation Threshold
Set the maximum size of a data packet before it is broken into smaller
packets, reducing the chance of packet collisions. If the packet is larger than
the threshold, the FortiWiFi unit will fragment the transmission. If the packet
size is less than the threshold, the FortiWiFi unit will not fragment the
transmission.
A setting of 2346 bytes effectively disables this option.
Alternatively, you can create a deny list. Similar to the allow list, you can configure the
wireless interface to allow all connections except those in the MAC address list.
Using MAC address filtering makes it more difficult for a hacker using random MAC
addresses or spoofing a MAC address to gain access to your network. Note that you can
configure one list per WLAN interface.
To allow or deny wireless access to wireless clients based on the MAC address of the
client wireless cards, go to System > Wireless > MAC Filter.
Interface
MAC address
The list of MAC addresses in the MAC filter list for the wireless interface.
List Access
Allow or deny access to the listed MAC addresses for the wireless interface.
Enable
Edit icon
List Access
Select to allow or deny the addresses in the MAC Address list from
accessing the wireless network.
MAC Address
Add
Remove
Select one or more MAC addresses in the list and select Remove to
delete the MAC addresses from the list.
Wireless Monitor
Go to System > Wireless > Monitor to view information about your wireless network. In
Access Point mode, you can see who is connected to your wireless LAN. In Client mode,
you can see which access points are within radio range.
Figure 90: Wireless monitor - AP mode
Statistics
AP Name / Name
Frequency
Noise (dBm)
S/N (dB)
Rx (KBytes)
Tx (KBytes)
MAC Address
IP Address
AP Name
Real-time details about the access points that the client can
receive.
MAC Address
SSID
The wireless service set identifier (SSID) that this access point
broadcasts.
Channel
Rate (M)
RSSI
Rogue AP detection
On models that support Rogue Access Point Detection, you can select Monitoring mode to
scan for available wireless access points. You can also enable scanning in the
background while the unit is in Access Point mode.
To enable the monitoring mode
1 Go to System > Wireless > Settings.
2 Select Change beside the current operation mode.
3 Select Monitoring and then select OK.
4 Select OK to confirm the mode change.
5 Select Apply.
To enable background scanning
1 While in Access Point mode, go to System > Wireless > Settings.
2 Enable Background Rogue AP Scan and then select Apply.
Refresh Interval
Refresh
Inactive Access Points
Select which inactive access points to show: all, none, those detected
less than one hour ago, or those detected less than one day ago.
Online
SSID
The wireless service set identifier (SSID) or network name for the
wireless interface.
MAC Address
Rate
First Seen
The date and time when the FortiWiFi unit first detected the access point.
Last Seen
The date and time when the FortiWiFi unit last detected the access point.
Mark as Accepted AP
Select the icon to move this entry to the Accepted Access Points list.
Mark as Rogue AP
Select the icon to move this entry to the Rogue Access Points list.
Forget AP
Return item to Unknown Access Points list from Accepted Access Points
list or Rogue Access Points list.
You can also enter information about accepted and rogue APs in the CLI without having to
detect them first. See the system wireless ap-status command in the FortiGate
CLI Reference.
System DHCP
This section describes how to use DHCP to provide convenient automatic network
configuration for your clients.
DHCP is not available in Transparent mode. DHCP requests are passed through the
FortiGate unit when it is in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
An interface cannot provide both a server and a relay for connections of the same type
(regular or IPSec).
Note: You can configure a Regular DHCP server on an interface only if the interface is a
physical interface with a static IP address. You can configure an IPSec DHCP server on an
interface that has either a static or a dynamic IP address.
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server
dynamically assigns IP addresses to hosts on the network connected to the interface. The
host computers must be configured to obtain their IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP server
for each network. The IP range of each DHCP server must match the network address
range. The routers must be configured for DHCP relay.
To configure a DHCP server, see Configuring a DHCP server on page 201.
You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP
requests from DHCP clients to an external DHCP server and returns the responses to the
DHCP clients. The DHCP server must have appropriate routing so that its response
packets to the DHCP clients arrive at the FortiGate unit.
To configure a DHCP relay see Configuring an interface as a DHCP relay agent on
page 201.
DHCP services can also be configured through the Command Line Interface (CLI). See
the FortiGate CLI Reference for more information.
192.168.1.110 to 192.168.1.210
Netmask
255.255.255.0
Default gateway
192.168.1.99
Lease time
7 days
DNS Server 1
192.168.1.99
Note: An interface must have a static IP before you configure a DHCP server on it.
These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to change the
DHCP server settings to match.
Figure 93: DHCP service list - FortiGate-200A shown
Edit
Delete
Add DHCP Server
Interface
List of FortiGate interfaces. Expand each listed interface to view the Relay and
Servers.
Server Name/
Relay IP
Type
Enable
Add DHCP Server icon
Select to configure and add a DHCP server for this interface.
Edit icon
Delete icon
Interface Name
DHCP Relay Agent
Select to enable the DHCP relay agent on this interface.
Type
DHCP Server IP
Enter the IP address of the DHCP server that will answer DHCP requests from
computers on the network connected to the interface.
Name
Enable
Type
IP Range
Enter the start and end for the range of IP addresses that this DHCP server
assigns to DHCP clients.
These fields are greyed out when IP Assignment Mode is set to User-group
defined method.
Network Mask
Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway
Enter the IP address of the default gateway that the DHCP server assigns to
DHCP clients.
Domain
Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time
Select Unlimited for an unlimited lease time or enter the interval in days,
hours, and minutes after which a DHCP client must ask the DHCP server for
new settings. The lease time can range from 5 minutes to 100 days.
Advanced
Select to configure advanced options. The remaining options in this table are
advanced options.
IP Assignment Mode
Configure how the IP addresses for an IPSec DHCP server are assigned to
Dialup IPSec VPN users. Select:
Server IP Range - The IPSec DHCP server will assign the IP addresses
as specified in IP Range, and Exclude Ranges.
User-group defined method - The IP addresses will be assigned by a user
group used to authenticate the user. The user group is used to
authenticate XAUTH users. See Dynamically assigning VPN client IP
addresses from a user group on page 665.
When User-group defined method is selected, the IP Range fields are greyed
out, and the Exclude Ranges table and controls are not visible.
DNS Server 1
DNS Server 2
DNS Server 3
Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns
to DHCP clients.
WINS Server 1
WINS Server 2
Add the IP addresses of one or two WINS servers that the DHCP server
assigns to DHCP clients.
Option 1
Option 2
Option 3
Enter up to three custom DHCP options that can be sent by the DHCP
server. Code is the DHCP option code in the range 1 to 255. Option is an
even number of hexadecimal characters and is not required for some option
codes. For detailed information about DHCP options, see RFC 2132, DHCP
Options and BOOTP Vendor Extensions.
Exclude Ranges
Add
Starting IP
End IP
Delete icon
Interface
Refresh
IP
MAC
Expire
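The rules stated in the DHCP server table above (the pool must lie inside the interface's network and must not hand out the interface or gateway address, the lease time is 5 minutes to 100 days, and custom options are a code from 1 to 255 with an even number of hex characters) can be checked before a definition is committed. The following is an added example and not Fortinet code; the DhcpServer fields and the prefix notation for the interface address are assumptions made for illustration, and the sample values are the default Internal interface settings quoted earlier in this section.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Lease limits stated in the guide: 5 minutes to 100 days.
MIN_LEASE_MINUTES = 5
MAX_LEASE_MINUTES = 100 * 24 * 60


@dataclass
class DhcpServer:
    interface_ip: str                # static interface address and prefix, e.g. "192.168.1.99/24"
    ip_range: Tuple[str, str]        # first and last address the server hands out
    netmask: str
    default_gateway: str
    lease_minutes: Optional[int]     # None models the "Unlimited" setting
    dns_servers: List[str] = field(default_factory=list)
    options: List[Tuple[int, str]] = field(default_factory=list)  # (code, hex payload)


def validate_dhcp_server(srv: DhcpServer) -> List[str]:
    """Return a list of configuration problems; an empty list means the
    definition satisfies every rule the guide states."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(srv.interface_ip)
    network = iface.network

    # The pool must sit inside the interface's network and use its netmask.
    if ipaddress.ip_address(srv.netmask) != network.netmask:
        problems.append(f"netmask {srv.netmask} does not match interface network {network}")
    start, end = (ipaddress.ip_address(a) for a in srv.ip_range)
    if start > end:
        problems.append("IP range start is after its end")
    if start not in network or end not in network:
        problems.append(f"IP range {start}-{end} is not inside {network}")

    # Addresses the pool must never hand out: the interface itself and the gateway.
    gateway = ipaddress.ip_address(srv.default_gateway)
    for label, addr in (("interface", iface.ip), ("default gateway", gateway)):
        if start <= addr <= end:
            problems.append(f"{label} address {addr} lies inside the pool")
    if gateway not in network:
        problems.append(f"default gateway {gateway} is not on {network}")

    if srv.lease_minutes is not None and not (
            MIN_LEASE_MINUTES <= srv.lease_minutes <= MAX_LEASE_MINUTES):
        problems.append(f"lease time {srv.lease_minutes} min is outside 5 minutes to 100 days")

    if len(srv.dns_servers) > 3:
        problems.append("at most 3 DNS servers can be assigned")

    for code, payload in srv.options:
        if not 1 <= code <= 255:
            problems.append(f"option code {code} is outside 1-255")
        elif code == 255:
            # RFC 2132 reserves 255 as the End marker, which carries no payload.
            problems.append("option code 255 is the RFC 2132 End marker and cannot carry a payload")
        if len(payload) % 2 or any(ch not in "0123456789abcdefABCDEF" for ch in payload):
            problems.append(f"option {code} payload {payload!r} is not an even number of hex characters")
    return problems


def encode_options(options: List[Tuple[int, str]]) -> bytes:
    """Serialize custom options as RFC 2132 code/length/value triples followed
    by the End option (255), i.e. the form in which they travel in a DHCP reply."""
    out = bytearray()
    for code, payload in options:
        data = bytes.fromhex(payload)
        out += bytes([code, len(data)]) + data
    out.append(255)
    return bytes(out)


# Default Internal interface settings from this section; option 15 (domain name)
# with the constructed value "lan" stands in for a custom option.
DEFAULT_INTERNAL = DhcpServer(
    interface_ip="192.168.1.99/24",
    ip_range=("192.168.1.110", "192.168.1.210"),
    netmask="255.255.255.0",
    default_gateway="192.168.1.99",
    lease_minutes=7 * 24 * 60,
    dns_servers=["192.168.1.99"],
    options=[(15, "6c616e")],
)

if __name__ == "__main__":
    print(validate_dhcp_server(DEFAULT_INTERNAL) or "no problems found")
    print(encode_options(DEFAULT_INTERNAL.options).hex())
```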
System Config
This section describes the configuration of several non-network features, such as HA,
SNMP, custom replacement messages, and Operation mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement
messages are configured globally for the entire FortiGate unit. Changing operation mode
is configured for each individual VDOM. For details, see Using virtual domains on
page 125.
This section describes:
HA
SNMP
Replacement messages
HA
FortiGate high availability (HA) provides a solution for two key requirements of critical
enterprise networking components: enhanced reliability and increased performance. This
section contains a brief description of HA web-based manager configuration options, the
HA cluster members list, HA statistics, and disconnecting cluster members.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for
the entire FortiGate unit. For details, see Using virtual domains on page 125.
For complete information about how to configure and operate FortiGate HA clusters, see
the FortiGate HA Overview and the FortiGate HA Guide.
The following topics are included in this section:
HA options
Viewing HA statistics
HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the
configuration of an operating cluster or cluster member.
To configure HA options so that a FortiGate unit can join an HA cluster, go to System >
Config > HA.
Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is
also not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically
configured using DHCP or PPPoE you cannot switch to operate in HA mode. Also, you
cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured
as a PPTP or L2TP client or if the FortiGate unit is configured for standalone session
synchronization.
If HA is already enabled, go to System > Config > HA to display the cluster members list.
Select Edit for the FortiGate unit with Role of master (also called the primary unit). When
you edit the HA configuration of the primary unit, all changes are synchronized to the other
units in the cluster.
Figure 97: FortiGate-3810A unit HA configuration
You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled
by logging into the web-based manager as the global admin administrator and going to
System > Config > HA. If HA is enabled, you will have to select Edit for the cluster member
before you see the virtual cluster configuration screen for that cluster unit. For more
information, see Cluster members list on page 209.
Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual
clustering. Most virtual cluster HA options are the same as normal HA options. However,
virtual clusters include VDOM partitioning options. Other differences between configuration
options for regular HA and for virtual clustering HA are described below and in the
FortiGate HA Overview and the FortiGate HA Guide.
Mode
Select an HA mode for the cluster or return the FortiGate units in the cluster to
standalone mode. When configuring a cluster, you must set all members of the
HA cluster to the same HA mode. You can select Standalone (to disable HA),
Active-Passive, or Active-Active.
If virtual domains are enabled you can select Active-Passive or Standalone.
Device Priority
Optionally set the device priority of the cluster unit. Each unit in a cluster can
have a different device priority. During HA negotiation, the unit with the highest
device priority usually becomes the primary unit.
In a virtual cluster configuration, each cluster unit can have two different device
priorities, one for each virtual cluster. During HA negotiation, the unit with the
highest device priority in a virtual cluster becomes the primary unit for that virtual
cluster.
Changes to the device priority are not synchronized. You can accept the default
device priority when first configuring a cluster. When the cluster is operating you
can change the device priority for different cluster units as required.
Group Name
Enter a name to identify the cluster. The maximum length of the group name is 32
characters. The group name must be the same for all cluster units before the
cluster units can form a cluster. After a cluster is operating, you can change the
group name. The group name change is synchronized to all cluster units.
The default group name is FGT-HA. You can accept the default group name
when first configuring a cluster, however two clusters on the same network
cannot have the same group name. When the cluster is operating you can
change the group name, if required.
Password
Enable Session pickup
Select to enable session pickup so that if the primary unit fails, sessions are
picked up by the cluster unit that becomes the new primary unit.
You must enable session pickup for session failover protection. If you do not
require session failover protection, leaving session pickup disabled may reduce
HA CPU usage and reduce HA heartbeat network bandwidth usage.
Session pickup is disabled by default. You can accept the default setting for
session pickup and later choose to enable session pickup after the cluster is
operating.
Port Monitor
Heartbeat Interface
VDOM partitioning
If you are configuring virtual clustering, you can set the virtual domains to be in
virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual
domain must always be in virtual cluster 1.
For more information about configuring VDOM partitioning, see the FortiGate HA
Overview.
Up and Down Arrows
If virtual domains are enabled, you can display the cluster members list to view the status
of the operating virtual clusters. The virtual cluster members list shows the status of both
virtual clusters including the virtual domains added to each virtual cluster.
To display the virtual cluster members list for an operating cluster log in as the global
admin administrator and go to System > Config > HA.
View HA Statistics
Displays the serial number, status, and monitor information for each cluster
unit. See Viewing HA statistics on page 211.
Up and down arrows
Changes the order of cluster members in the list. The operation of the
cluster or of the units in the cluster is not affected. All that changes is the
order of the units on the cluster members list.
Cluster member
Illustrations of the front panels of the cluster units. If the network jack for an
interface is shaded green, the interface is connected. Pause the mouse
pointer over each illustration to view the cluster unit host name, serial
number, how long the unit has been operating (up time), and the interfaces
that are configured for port monitoring.
Hostname
The host name of the FortiGate unit. The default host name of the
FortiGate unit is the FortiGate unit serial number.
To change the primary unit host name, go to System > Status and select
Change beside the current host name.
To change a subordinate unit host name, from the cluster members list
select the Edit icon for a subordinate unit.
Role
Priority
The device priority of the cluster unit. Each cluster unit can have a different
device priority. During HA negotiation, the unit with the highest device
priority becomes the primary unit.
The device priority range is 0 to 255.
Disconnect from cluster
Edit
Download debug log
Select to download an encrypted debug log to a file. You can send this
debug log file to Fortinet Technical Support (http://support.fortinet.com) for
help diagnosing problems with the cluster or with individual cluster units.
Viewing HA statistics
From the cluster members list, you can select View HA Statistics to display the serial
number, status, and monitor information for each cluster unit. To view HA statistics, go to
System > Config > HA and select View HA Statistics.
Figure 101: Example HA statistics (active-passive cluster)
Refresh every
Back to HA monitor
Select to close the HA statistics list and return to the cluster members list.
Unit
Status
Up Time
The time in days, hours, minutes, and seconds since the cluster unit was last
started.
Monitor
CPU Usage
The current CPU status of each cluster unit. The web-based manager
displays CPU usage for core processes only. CPU usage for management
processes (for example, for HTTPS connections to the web-based manager)
is excluded. For more information about CPU usage, see System
Resources on page 75.
Memory Usage
The current memory status of each cluster unit. The web-based manager
displays memory usage for core processes only. Memory usage for
management processes (for example, for HTTPS connections to the
web-based manager) is excluded. For more information about memory
usage, see System Resources on page 75.
Active Sessions
Total Packets
The number of packets that have been processed by the cluster unit since it
last started up.
Virus Detected
Network Utilization
The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes
The number of bytes that have been processed by the cluster unit since it
last started up.
Intrusion Detected
Peer
Priority
Serial Number
Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface
Select the interface that you want to configure. You also specify the IP address
and netmask for this interface. When the FortiGate unit is disconnected, all
management access options are enabled for this interface.
IP/Netmask
Specify an IP address and netmask for the interface. You can use this IP address
to connect to this interface to configure the disconnected FortiGate unit.
SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your
network. You can configure the hardware, such as the FortiGate SNMP agent, to report
system information and send traps (alarms or event messages) to SNMP managers. An
SNMP manager, or host, is typically a computer running an application that can read the
incoming trap and event messages from the agent and send out SNMP queries to the
SNMP agents. A FortiManager unit can act as an SNMP manager, or host, to one or more
FortiGate units.
Using an SNMP manager, you can access SNMP traps and data from any FortiGate
interface or VLAN subinterface configured for SNMP management access.
Note: Part of configuring an SNMP manager is to list it as a host in a community on the
FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps
from that FortiGate unit, or be able to query that unit.
The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP
managers have read-only access to FortiGate system information through queries and
can receive trap messages from the FortiGate unit.
To monitor FortiGate system information and receive FortiGate traps, you must first
compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files.
A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP
manager. These MIBs provide information the SNMP manager needs to interpret the
SNMP trap, event, and query messages sent by the FortiGate unit SNMP agent. For
information on how to download the MIB files, see the Fortinet Knowledge Base.
Note: There were major changes to the MIB files between FortiOS v3.0 and v4.0. You need
to use the new MIBs for FortiOS v4.0 or you may be accessing the wrong traps and fields.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like
MIB) and most of RFC 1213 (MIB II). For more information, see Fortinet MIBs on page 217.
RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and
partial support of User-based Security Model (RFC 3414).
SNMP traps alert you to events that happen, such as a log disk being full or a virus
being detected. For more information about SNMP traps, see Fortinet and FortiGate
traps on page 218.
SNMP fields contain information about your FortiGate unit, such as percent CPU usage or
the number of sessions. This information is useful to monitor the condition of the unit, both
on an ongoing basis and to provide more information when a trap occurs. For more
information about SNMP fields, see Fortinet and FortiGate MIB fields on page 221.
The FortiGate SNMP v3 implementation includes support for queries, traps,
authentication, and privacy. Authentication and encryption are configured in the CLI. See
the system snmp user command in the FortiGate CLI Reference.
Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Figure 104: Configuring SNMP
SNMP Agent
Description
Enter descriptive information about the FortiGate unit. The description can be
up to 35 characters long.
Location
Enter the physical location of the FortiGate unit. The system location
description can be up to 35 characters long.
Contact
Enter the contact information for the person responsible for this FortiGate
unit. The contact information can be up to 35 characters.
Apply
Create New
Communities
The list of SNMP communities added to the FortiGate configuration. You can
add up to 3 communities.
Name
Queries
The status of SNMP queries for each SNMP community. The query status
can be enabled or disabled.
Traps
The status of SNMP traps for each SNMP community. The trap status can be
enabled or disabled.
Enable
Delete icon
Edit/View icon
Community Name
Hosts
Enter the IP addresses of the SNMP managers that can use the settings in this
SNMP community to monitor the FortiGate unit.
IP Address
The IP address of an SNMP manager that can use the settings in this SNMP
community to monitor the FortiGate unit. You can also set the IP address to
0.0.0.0 so that any SNMP manager can use this SNMP community.
Interface
Optionally select the name of the interface that this SNMP manager uses to
connect to the FortiGate unit. You only have to select the interface if the
SNMP manager is not on the same subnet as the FortiGate unit. This can
occur if the SNMP manager is on the Internet or behind a router.
In virtual domain mode, the interface must belong to the management VDOM
to be able to pass SNMP traps.
Delete
Add
Add a blank line to the Hosts list. You can add up to 8 SNMP managers to a
single community.
Queries
Enter the Port number (161 by default) that the SNMP managers in this
community use for SNMP v1 and SNMP v2c queries to receive configuration
information from the FortiGate unit. Select the Enable check box to activate
queries for each SNMP version.
Note: The SNMP client software and the FortiGate unit must use the same
port for queries.
Traps
Enter the Local and Remote port numbers (port 162 for each by default) that
the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP
managers in this community. Select the Enable check box to activate traps for
each SNMP version.
Note: The SNMP client software and the FortiGate unit must use the same
port for traps.
SNMP Event
Enable each SNMP event for which the FortiGate unit should send traps to the
SNMP managers in this community.
CPU overusage trap sensitivity is slightly reduced by spreading values out
over 8 polling cycles. This prevents sharp spikes due to CPU-intensive
short-term events such as changing a policy.
Power Supply Failure event trap is available only on some FortiGate models.
AMC interfaces enter bypass mode event trap is available only on FortiGate
models that support AMC modules.
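The community settings described above decide who can read the FortiGate unit and who receives its traps: a host of 0.0.0.0 admits any manager, a well-known community string is the only credential SNMP v1/v2c carries, and the manager's ports must match the community's. The following audit is an added example and not Fortinet code; the Host and Community structures, the manager address and the community string in the hardened sample are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Limits stated in the guide: up to 3 communities, up to 8 hosts per community.
MAX_COMMUNITIES = 3
MAX_HOSTS_PER_COMMUNITY = 8
# Well-known default community strings; in SNMP v1/v2c the string is the only credential.
DEFAULT_NAMES = {"public", "private"}


@dataclass
class Host:
    ip: str                           # "0.0.0.0" means any manager may use the community
    interface: Optional[str] = None   # only needed when the manager is not on a local subnet


@dataclass
class Community:
    name: str
    hosts: List[Host] = field(default_factory=list)
    queries_v1: bool = True
    queries_v2c: bool = True
    traps_v1: bool = True
    traps_v2c: bool = True
    query_port: int = 161             # port the managers use for v1/v2c queries
    trap_local_port: int = 162        # source port for traps sent by the unit
    trap_remote_port: int = 162       # port the managers listen on for traps


def audit_communities(communities: List[Community],
                      manager_query_port: int = 161,
                      manager_trap_port: int = 162) -> List[str]:
    """Return one finding per setting that widens who can read the unit or
    receive its traps, or that breaks a rule the guide states. The manager
    ports are what the SNMP client software is configured to use."""
    findings: List[str] = []
    if len(communities) > MAX_COMMUNITIES:
        findings.append(f"{len(communities)} communities defined; the limit is {MAX_COMMUNITIES}")
    for c in communities:
        tag = f"community {c.name!r}:"
        if c.name.lower() in DEFAULT_NAMES:
            findings.append(f"{tag} uses a well-known default community string")
        if not c.hosts:
            findings.append(f"{tag} lists no hosts, so no manager can query it or receive its traps")
        if len(c.hosts) > MAX_HOSTS_PER_COMMUNITY:
            findings.append(f"{tag} has {len(c.hosts)} hosts; the limit is {MAX_HOSTS_PER_COMMUNITY}")
        for h in c.hosts:
            if h.ip == "0.0.0.0":
                findings.append(f"{tag} host 0.0.0.0 lets any SNMP manager use this community")
        if not any((c.queries_v1, c.queries_v2c, c.traps_v1, c.traps_v2c)):
            findings.append(f"{tag} has neither queries nor traps enabled")
        if (c.queries_v1 or c.queries_v2c) and c.query_port != manager_query_port:
            findings.append(f"{tag} query port {c.query_port} differs from the manager's "
                            f"{manager_query_port}; the two must match")
        if (c.traps_v1 or c.traps_v2c) and c.trap_remote_port != manager_trap_port:
            findings.append(f"{tag} trap remote port {c.trap_remote_port} differs from the "
                            f"manager's {manager_trap_port}; the two must match")
    return findings


# Constructed sample: a permissive definition beside its tightened counterpart.
WEAK = Community("public", hosts=[Host("0.0.0.0")])
HARDENED = Community(
    "nms-ro-7f3a",                                      # constructed, non-default string
    hosts=[Host("10.0.5.20", interface="internal")],    # constructed manager address
    queries_v1=False, traps_v1=False,                   # only the version the manager needs
)

if __name__ == "__main__":
    for label, community in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_communities([community]) or "no findings")
```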
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC
1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665
(Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit
configuration.
There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The
Fortinet MIB contains traps, fields and information that is common to all Fortinet products.
The FortiGate MIB contains traps, fields and information that is specific to FortiGate units.
Each Fortinet product has its own MIB; if you use other Fortinet products you will need to
download their MIB files as well.
The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in
this section. You can download the two FortiGate MIB files from Fortinet Customer
Support. For information on how to download the MIB files, see the Fortinet Knowledge
Base.
Note: There were major changes to the MIB files between FortiOS v3.0 and v4.0. You need
to use the new MIBs for FortiOS v4.0 or you may mistakenly access the wrong traps and
fields.
Your SNMP manager may already include standard and private MIBs in a compiled
database that is ready to use. You must add the Fortinet proprietary MIB to this database
to have access to the Fortinet specific information. You need to obtain and compile the
two MIBs for this release.
Description
FORTINET-CORE-MIB.mib
FORTINET-FORTIGATE-MIB.mib
.1 ColdStart
.2 WarmStart
.3 LinkUp
.4 LinkDown
.101
.102 Memory low (fnTrapMemThreshold)
.103
.104
.105
.106
.201 Interface IP change (fnTrapIpChange)
.999 Diagnostic trap (fnTrapTest)
.301 VPN tunnel is up (fgTrapVpnTunUp)
.302
.503 IPS Signature (fgTrapIpsSignature)
.504 IPS Anomaly (fgTrapIpsAnomaly)
.505
(fgIpsTrapSigId)
(fgIpsTrapSrcIp)
(fgIpsTrapSigMsg)
.601 Virus detected (fgTrapAvVirus)
.602
.603
.604
.605 (fgTrapAvEnterConserve)
.606 (fgTrapAvBypass)
.607 (fgTrapAvOversizePass)
.608 (fgTrapAvOversizeBlock)
(fgAvTrapVirName)
.401 HA switch (fgTrapHaSwitch)
.402 HA State Change (fgTrapHaStateChange)
.403 HA Heartbeat Failure (fgTrapHaHBFail)
.404 HA Member Unavailable (fgTrapHaMemberDown)
.405 HA Member Available (fgTrapHaMemberUp)
(fgHaTrapMemberSerial)
fgHaSystemMode .1
fgHaGroupId .2
fgHaPriority .3
fgHaOverride .4
fgHaAutoSync .5
fgHaSchedule .6
fgHaGroupName .7
fgHaTrapMemberSerial .8
fgHaStatsTable .1
fgHaStatsSerial .2
.3
.4
fgHaStatsNetUsage .5
fgHaStatsSesCount .6
fgHaStatsPktCount .7
.8
fgHaStatsIdsCount
fgHaStatsAvCount .10
fgHaStatsHostname .11
fgAdminIdleTimeout .1
fgAdminLcdProtection .2
fgAdminTable
fgVdInfo
.1
fgVdMaxVdoms
fgVdEnabled .3
fgVdTable.fgVdEntry
Table of information about each virtual domain; each virtual domain has an
fgVdEntry. Each entry has the following fields.
fgVdEntIndex .1
Internal virtual domain index used to uniquely identify entries in this table.
This index is also used by other tables referencing a virtual domain.
fgVdEntName .2
fgVdEntOpMode
fgIpSessIndex .1
fgIpSessProto .2
.3
fgIpSessFromPort .4
The source port of the active IP session (UDP and TCP only).
fgIpSessToAddr .5
fgIpSessToPort .6
The destination port of the active IP session (UDP and TCP only).
fgIpSessExp .7
fgIpSessVdom .8
fgFwPolicyStatsTable.fgFwPolicyStatsEntry
Entries in the table for firewall policy statistics on a virtual domain.
fgFwPolicyID .1
fgFwPolicyPktCount
fgFwPolicyByteCount
fgVpnDialupIndex .1
fgVpnDialupGateway .2
fgVpnDialupLifetime .3
fgVpnDialupTimeout .4
Time remaining until the next key exchange (seconds) for this tunnel.
fgVpnDialupSrcBegin .5
fgVpnDialupSrcEnd .6
fgVpnDialupDstAddr .7
fgVpnDialupVdom .8
fgVpnDialUpInOctets .9
fgVpnDialUpOutOctets .10
fgVpnTunEntIndex .1
fgVpnTunEntPhase1Name .2
fgVpnTunEntPhase2Name .3
fgVpnTunEntRemGwyIp .4
fgVpnTunEntRemGwyPort
fgVpnTunEntLocGwyIp .6
fgVpnTunEntLocGwyPort
.9
fgVpnTunEntSelectorSrcPort .10
.11
fgVpnTunEntSelectorDstPort .13
fgVpnTunEntSelectorProto .14
fgVpnTunEntLifeSecs
fgVpnTunEntLifeBytes .16
fgVpnTunEntTimeout .17
fgVpnTunEntInOctets .18
fgVpnTunEntOutOctets .19
fgVpnTunEntStatus .20
fgVpnTunEntVdom .21
Replacement messages
Go to System > Config > Replacement Message to change replacement messages and
customize alert email and information that the FortiGate unit adds to content streams such
as email messages, web pages, and FTP sessions.
The FortiGate unit adds replacement messages to a variety of content streams. For
example, if a virus is found in an email message attachment, the file is removed from the
email and replaced with a replacement message. The same applies to pages blocked by
web filtering and email blocked by email filtering.
Reset
Edit
Name
The replacement message category. Select the expand arrow to expand or collapse
the category. Each category contains several replacement messages that are used
by different FortiGate features. The replacement messages are described below.
Description
Edit or view
icon
Reset icon
Only displayed on a VDOM replacement message list. Select to revert to the
global version of this replacement message.
Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept
before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in
order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the
user can send whatever traffic is allowed by the firewall policy.
Replacement messages can be text or HTML messages. You can add HTML code to
HTML messages. Allowed Formats shows you which format to use in the replacement
message. There is a limit of 8192 characters for each replacement message. The
following fields and options are available when editing a replacement message. Different
replacement messages have different sets of fields and options.
Message Setup
Allowed Formats
Size
Message Text: The editable text of the replacement message. The message text can include text, HTML codes (if HTML is the allowed format) and replacement message tags.
Antivirus Virus Scan enabled for an email protocol in a protection profile deletes an infected file from an email message and replaces the file with this message.
File block message: When the antivirus File Filter enabled for an email protocol in a protection profile deletes a file that matches an entry in the selected file filter list, the file is blocked and the email is replaced with this message.
Oversized file message: When the antivirus Oversized File/Email is set to Block for an email protocol in a protection profile and removes an oversized file from an email message, the file is replaced with this message.
Fragmented email
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked email message with this message.
Subject of data leak prevention message: This message is added to the subject field of all email messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.
Sender banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.
Virus message (splice mode): Splice mode is enabled and the antivirus system detects a virus in an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
File block message (splice mode): Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Oversized file message (splice mode): Splice mode is enabled and antivirus Oversized File/Email set to Block and the FortiGate unit blocks an oversize SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.
Infection cache message: Client comforting is enabled in a protection profile and the FortiGate unit blocks a URL added to the client comforting URL cache and replaces the blocked URL with this web page. For more information about the client comforting URL cache, see HTTP and FTP client comforting on page 479.
File block message: Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.
Oversized file message
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked web page or file with this web page.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with this web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.
Banned word message: Web content filtering enabled in a protection profile blocks a web page being downloaded with an HTTP GET that contains content that matches an entry in the selected Web Content Filter list. The blocked page is replaced with this web page.
Content-type block message: Email headers include information about content types such as image for pictures, and so on. If a specific content-type is blocked, the blocked message is replaced with this web page.
URL block message: Web URL filtering enabled in a protection profile blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with this web page.
Client block: Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.
Client anti-virus: Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being uploaded using an HTTP PUT and replaces the file with this web page that is displayed by the client browser.
Client filesize
Client banned word: Web content filtering enabled in a protection profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Filter list. The client browser displays this web page.
POST block: HTTP POST Action is set to Block in a protection profile and the FortiGate unit blocks an HTTP POST and displays this web page.
Antivirus Virus Scan enabled for FTP in a protection profile deletes an infected file being downloaded using FTP and sends this message to the FTP client.
Blocked message: Antivirus File Filter enabled for FTP in a protection profile blocks a file being downloaded using FTP that matches an entry in the selected file filter list and sends this message to the FTP client.
Oversized message: Antivirus Oversized File/Email set to Block for FTP in a protection profile blocks an oversize file from being downloaded using FTP and sends this message to the FTP client.
DLP message: In a DLP sensor, a rule with action set to Block replaces a blocked FTP download with this message.
DLP ban message: In a DLP sensor, a rule with action set to Ban blocks an FTP session and displays this message. This message is displayed whenever the banned user attempts FTP access, until the user is removed from the banned user list.

Antivirus Virus Scan enabled for NNTP in a protection profile deletes an infected file attached to an NNTP message and sends this message to the FTP client.
Blocked message: Antivirus File Filter enabled for NNTP in a protection profile blocks a file attached to an NNTP message that matches an entry in the selected file filter list and sends this message to the FTP client.
Oversized message
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked NNTP message with this message.
Subject of data leak prevention message: This message is added to the subject field of all NNTP messages replaced by the DLP sensor Block, Ban, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked NNTP message with this message. This message also replaces any additional NNTP messages that the banned user sends until they are removed from the banned user list.
Virus detected must be enabled for alert email. Antivirus Virus Scan must be enabled in a protection profile and detect a virus.
Block message: Virus detected must be enabled for alert email. Antivirus File Filter must be enabled in a protection profile, and block a file that matches an entry in a selected file filter list.
Intrusion message: Intrusion detected enabled for alert email. An IPS Sensor or a DoS Sensor detects an attack.
Critical event message
Disk full message: Disk usage enabled and disk usage reaches the % configured for alert email.
If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.

DNSBL/ORDBL: From the CLI, spamrbl enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
HELO/EHLO domain: HELO DNS lookup enabled for SMTP in a protection profile identifies an email message as spam and adds this replacement message. HELO DNS lookup is not available for SMTPS.
Email address: E-mail address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Mime header
Returned email domain: Return e-mail DNS check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Banned word: Banned word check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Spam submission message: Any Email Filtering option enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message. Email Filtering adds this message to all email tagged as spam. The message describes a button that the recipient of the message can select to submit the email signatures to the FortiGuard Antispam service if the email was incorrectly tagged as spam (a false positive).
The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST".
Example
The following is an example of a simple authentication page that meets the requirements listed above.
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0"
CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"> </TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password">
</TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"> </TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
Table 35: Authentication replacement messages
Message name   Description
Disclaimer page: Enable Disclaimer and Redirect URL to are selected in a firewall policy that includes identity-based policies. After a firewall user authenticates with the FortiGate unit using HTTP or HTTPS, this disclaimer page is displayed. The CLI includes auth-disclaimer-page-1, auth-disclaimer-page-2, and auth-disclaimer-page-3 that you can use to increase the size of the authentication disclaimer page replacement message. For more information, see the FortiGate CLI Reference.
Declined disclaimer page: When a firewall user selects the button on the Disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed.
Login page: The HTML page displayed for firewall users who are required to authenticate using HTTP or HTTPS before connecting through the FortiGate unit.
Login failed page: The HTML page displayed if firewall users enter an incorrect user name and password combination.
Login challenge page: The HTML page displayed if firewall users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, Please enter new PIN). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified. The Login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
Keepalive page: The HTML page displayed when firewall authentication keepalive is enabled using the following command:
config system global
set auth-keepalive enable
end
Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. Go to User > Options to set the Authentication Timeout.
HTTP error message: Provide details for blocked HTTP 4xx and 5xx errors enabled in a protection profile for HTTP or HTTPS blocks a web page. The blocked page is replaced with this web page.
FortiGuard Web Filtering override form: Override selected for a FortiGuard Web Filtering category and FortiGuard Web Filtering blocks a web page in this category and displays this web page. Using this web page users can authenticate to get access to the page. Go to UTM > Web Filter > Override to add override rules. For more information, see Configuring administrative override rules on page 553. The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.

Antivirus File Filter enabled for IM in a protection profile deletes a file that matches an entry in the selected file filter list and replaces it with this message.
File name block message: Antivirus File Filter enabled for IM in a protection profile deletes a file with a name that matches an entry in the selected file filter list and replaces it with this message.
Virus message: Antivirus Virus Scan enabled for IM in a protection profile deletes an infected file and replaces the file with this message.
Oversized file message
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked IM or P2P message with this message.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked IM or P2P message with this message. This message also replaces any additional messages that the banned user sends until they are removed from the banned user list.
Voice chat block message: In an Application Control list, the Block Audio option is selected for AIM, ICQ, MSN, or Yahoo! and the application control list is added to a protection profile.
Photo share block message
Endpoint NAC Download Portal: The FortiGate unit sends this page if the Endpoint NAC profile has the Quarantine Hosts to User Portal (Enforce compliance) option selected. The user can download the FortiClient Endpoint Security application installer. If you modify this replacement message, be sure to retain the %%LINK%% tag which provides the download URL for the FortiClient installer.
Endpoint NAC Recommendation Portal: The FortiGate unit sends this page if the Endpoint NAC profile has the Notify Hosts to Install FortiClient (Warn only) option selected. The user can either download the FortiClient Endpoint Security application installer or select the Continue to link to access their desired destination. If you modify this replacement message, be sure to retain both the %%LINK%% tag which provides the download URL for the FortiClient installer and the %%DST_ADDR%% link that contains the URL that the user requested.
To modify these messages, go to System > Config > Replacement Messages. Expand
Endpoint NAC and select the Edit icon of the message that you want to modify.
For more information about Endpoint NAC, see Endpoint NAC on page 687.
DoS Message: For a DoS Sensor, the CLI quarantine option set to attacker or interface, with the DoS Sensor added to a DoS firewall policy, adds a source IP, a destination IP, or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if quarantine is set to both.
Quarantine Attackers enabled in an IPS sensor filter or override and the IPS
sensor added to a protection profile adds a source IP address, a destination IP
address, or a FortiGate interface to the banned user list. The FortiGate unit
displays this replacement message as a web page when the blocked user
attempts to connect through the FortiGate unit using HTTP on port 80 or when
any user attempts to connect through a FortiGate interface added to the banned
user list using HTTP on port 80. This replacement message is not displayed if
method is set to Attacker and Victim IP Address.
DLP Message
The form must contain the %%SSL_LOGIN%% tag to provide the login form.
Tag   Description
%%AUTH_LOGOUT%%: The URL that will immediately delete the current policy and close the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%%: The auth-keepalive page can prompt the user to open a new window which links to this tag.
%%CATEGORY%%
%%DEST_IP%%
%%EMAIL_FROM%%: The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%: The email address of the intended receiver of the message from which the file was removed.
%%FILE%%: The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%%
%%FORTINET%%
%%LINK%%: The link to the FortiClient Host Security installer download for the Endpoint Control feature.
%%HTTP_ERR_CODE%%
%%HTTP_ERR_DESC%%
%%NIDSEVENT%%
%%OVERRIDE%%: The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
%%OVRD_FORM%%: The FortiGuard web filter block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.
%%PROTOCOL%%: The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%%: The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%QUOTA_INFO%%
%%QUESTION%%
%%SERVICE%%
%%SOURCE_IP%%: The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
%%TIMEOUT%%
%%URL%%: The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%VIRUS%%: The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
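As an added example (not FortiOS code and not from this guide), the following Python sketch shows how a renderer for replacement messages of the kind described above can enforce the 8192-character limit, check the tags the guide says must be retained (%%OVRD_FORM%%, %%LINK%%, %%DST_ADDR%%, %%SSL_LOGIN%%) and the login page's ACTION="/" METHOD="POST" form, and escape traffic-derived tag values such as %%URL%% and %%VIRUS%% before placing them in an HTML message, so that a hostile URL or virus name cannot turn into markup in the page shown to the user. Whether FortiOS escapes these values itself is not stated in the guide; the escaping rule, the MARKUP_TAGS set and the sample template are this example's own assumptions.

```python
import html
import re

# Limit and tag syntax as described in the Replacement messages section.
MAX_MESSAGE_CHARS = 8192
TAG_RE = re.compile(r"%%([A-Z_]+)%%")

# Message name -> tags the guide says must be retained in that message.
REQUIRED_TAGS = {
    "FortiGuard Web Filtering override form": {"OVRD_FORM"},
    "Endpoint NAC Download Portal": {"LINK"},
    "Endpoint NAC Recommendation Portal": {"LINK", "DST_ADDR"},
    "SSL VPN login page": {"SSL_LOGIN"},
}

# Assumption of this example: these tags expand to markup generated by the
# device itself (a form or a link), so they are inserted verbatim. Everything
# else (URL, VIRUS, FILE, EMAIL_FROM, ...) is derived from inspected traffic
# and is escaped whenever the message format is HTML.
MARKUP_TAGS = {"OVRD_FORM", "SSL_LOGIN", "OVERRIDE", "LINK"}

FORM_RE = re.compile(r"<form\b[^>]*>", re.I)


def login_form_ok(template):
    """True if some <form> tag carries ACTION="/" and METHOD="POST" (any case)."""
    for match in FORM_RE.finditer(template):
        tag = match.group(0)
        if re.search(r'\baction="/"', tag, re.I) and re.search(r'\bmethod="post"', tag, re.I):
            return True
    return False


def validate_template(name, template, allowed_format):
    """Return a list of problems with a replacement message template (empty if OK)."""
    problems = []
    if len(template) > MAX_MESSAGE_CHARS:
        problems.append(f"message is {len(template)} characters; limit is {MAX_MESSAGE_CHARS}")
    present = set(TAG_RE.findall(template))
    for tag in sorted(REQUIRED_TAGS.get(name, set()) - present):
        problems.append(f"required tag %%{tag}%% is missing")
    if name == "Login page" and not login_form_ok(template):
        problems.append('login page needs a form with ACTION="/" and METHOD="POST"')
    if allowed_format == "Text" and re.search(r"<[A-Za-z/!]", template):
        problems.append("HTML markup in a message whose Allowed Format is Text")
    return problems


def render(template, values, allowed_format):
    """Substitute %%TAG%% tokens with values; unknown tags are left untouched."""
    def substitute(match):
        tag = match.group(1)
        if tag not in values:
            return match.group(0)
        value = str(values[tag])
        if allowed_format == "HTML" and tag not in MARKUP_TAGS:
            return html.escape(value, quote=True)
        return value
    return TAG_RE.sub(substitute, template)


# Constructed sample: a URL block web page and the values the unit would fill in.
URL_BLOCK_TEMPLATE = (
    "<html><body><h2>Access blocked</h2>"
    "<p>The URL %%URL%% matches category %%CATEGORY%%.</p>%%OVERRIDE%%</body></html>"
)
SAMPLE_VALUES = {
    "URL": 'http://example.test/x?q="><script>alert(1)</script>',  # constructed hostile URL
    "CATEGORY": "Malicious Websites",
}

if __name__ == "__main__":
    print(render(URL_BLOCK_TEMPLATE, SAMPLE_VALUES, "HTML"))
    print(validate_template("FortiGuard Web Filtering override form", "<p>Blocked</p>", "HTML"))
```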
Default Gateway: Enter the default gateway required to reach other networks from the FortiGate unit.
Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.
Device
Default Gateway: Enter the default gateway required to reach other networks from the FortiGate unit.
Gateway Device
Management access
Management access defines how administrators are able to log on to the FortiGate unit to
perform management tasks such as configuration and maintenance. Methods of access
can include local access through the console connection, or remote access over a
network or modem interface using various protocols including Telnet and HTTPS.
You can configure management access on any interface in your VDOM. See Configuring
administrative access to an interface on page 165. In NAT/Route mode, the interface IP
address is used for management access. In Transparent mode, you configure a single
management IP address that applies to all interfaces in your VDOM that permit
management access. The FortiGate also uses this IP address to connect to the FDN for
virus and attack updates (see Configuring FortiGuard Services on page 300).
The system administrator (admin) can access all VDOMs, and create regular
administrator accounts. A regular administrator account can access only the VDOM to
which it belongs. The management computer must connect to an interface in that VDOM.
It does not matter to which VDOM the interface belongs. In both cases, the management
computer must connect to an interface that permits management access and its IP
address must be on the same network. Management access can be via HTTP, HTTPS,
telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH
are preferred as they are more secure.
You can allow remote administration of the FortiGate unit. However, allowing remote
administration from the Internet could compromise the security of the FortiGate unit. You
should avoid this unless it is required for your configuration. To improve the security of a
FortiGate unit that allows remote administration from the Internet:
Enable secure administrative access to this interface using only HTTPS or SSH.
Use Trusted Hosts to limit where the remote access can originate from.
Do not change the system idle timeout from the default value of 5 minutes (see
Settings on page 261).
System Admin
This section describes how to configure administrator accounts on your FortiGate unit.
Administrators access the FortiGate unit to configure its operation. The factory default
configuration has one administrator, admin. After connecting to the web-based manager
or the CLI, you can configure additional administrators with various levels of access to
different parts of the FortiGate unit configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are
configured globally for the entire FortiGate unit. For details, see Using virtual domains on
page 125.
Note: Always end your FortiGate session by logging out, in the CLI or the web-based
manager. If you do not, the session remains open.
Administrators
Admin profiles
Central Management
Settings
Monitoring administrators
Administrators
There are two levels of administrator accounts:
Regular administrators
System administrators: Includes the factory default system administrator admin, any other administrators assigned to the super_admin profile, and any administrator that is assigned to the super_admin_readonly profile. Any administrator assigned to the super_admin admin profile, including the default administrator account admin, has full access to the FortiGate unit configuration and general system settings that includes the ability to:
enable VDOM configuration
create VDOMs
configure VDOMs
assign regular administrators to VDOMs
configure global options
customize the FortiGate web-based manager.
The super_admin admin profile cannot be changed; it does not appear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in the System > Admin New/Edit Administrator dialog box.
Figure 109: New Administrator dialog box displaying super_admin readonly option
cannot delete logged-in users who are also assigned the super_admin profile
can delete other users assigned the super_admin profile and/or change the configured
authentication method, password, or admin profile, only if the other users are not
logged in
can delete the default admin account only if the default admin user is not logged in.
There is also an admin profile that allows read-only super admin privileges called
super_admin_readonly. This profile cannot be deleted or changed, similar to the
super_admin profile. The read-only super_admin profile is suitable in a situation where it is
necessary for a system administrator to troubleshoot a customer configuration without
being able to make changes. Other than being read-only, the super_admin_readonly
profile can view all the FortiGate configuration tools.
You can authenticate an administrator by using a password stored on the FortiGate unit, a
remote authentication server (such as LDAP, RADIUS, or TACACS+), or by using PKI
certificate-based authentication. To authenticate an administrator with an LDAP or
TACACS+ server, you must add the server to an authentication list, include the server in a
user group, and associate the administrator with the user group. The RADIUS server
authenticates users and authorizes access to internal network resources based on the
admin profile of the user. Users authenticated with the PKI-based certificate are permitted
access to internal network resources based on the user group they belong to and the
associated admin profile.
A VDOM/admin profile override feature supports authentication of administrators via
RADIUS. The admin user will have access depending on which VDOM and associated
admin profile he or she is restricted to. This feature is available only to wildcard
administrators, and can be set only through the FortiGate CLI. There can only be one
VDOM override user per system. For more information, see the FortiGate CLI Reference.
Edit
Create New
Name
Trusted Hosts: The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see Using trusted hosts on page 254.
Profile
Type
Local
Remote
Delete icon
Edit or View icon
Change Password icon
Administrator
Type
Remote
PKI
User Group: Select the administrator user group that includes the Remote server/PKI (peer) users as members of the User Group. The administrator user group cannot be deleted once the group is selected for authentication. This is available only if Type is Remote or PKI.
Wildcard
Password: Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI. For more information see the Fortinet Knowledge Base article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.
Confirm Password: Type the password for the administrator account a second time to confirm that you have typed it correctly. This is not available if Wildcard is selected or when PKI authentication is selected.
Trusted Host #1, Trusted Host #2, Trusted Host #3: Enter the trusted host IP address and netmask this administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0. For more information, see Using trusted hosts on page 254.
IPv6 Trusted Host #1, IPv6 Trusted Host #2, IPv6 Trusted Host #3: Enter the trusted host IPv6 address and netmask this administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to ::/0. For more information, see Using trusted hosts on page 254.
Admin Profile: Select the admin profile for the administrator. You can also select Create New to create a new admin profile. For more information on admin profiles, see Configuring an admin profile on page 258.
Type: Regular.
Password
Confirm Password
Admin Profile
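As an added example (not from this guide and not FortiOS code), the following Python audit applies the administrator account and management access rules described above to a constructed, simplified representation of the configuration: it flags trusted hosts left at the unrestricted defaults 0.0.0.0/0 and ::/0, counts more than three trusted hosts per address family, tests whether a login source falls inside an account's trusted hosts, and flags interfaces that still permit HTTP or Telnet or an idle timeout raised above the 5-minute default. The field names trusted_hosts, admin_access and idle_timeout_min are this example's own, not FortiOS CLI keywords.

```python
import ipaddress

# Values taken from the guide: prefer HTTPS/SSH, keep the 5 minute idle timeout,
# at most three trusted hosts per address family, and the unrestricted defaults
# 0.0.0.0/0 (also written 0.0.0.0/0.0.0.0) and ::/0.
INSECURE_ACCESS = {"http", "telnet"}
DEFAULT_IDLE_TIMEOUT_MIN = 5
MAX_TRUSTED_PER_FAMILY = 3


def parse_trusted_host(entry):
    """Parse 'addr/prefixlen' or the dotted 'addr/netmask' form into an ip_network."""
    addr, _, mask = entry.partition("/")
    if "." in mask:  # dotted netmask, e.g. 0.0.0.0/0.0.0.0 or 192.0.2.0/255.255.255.0
        return ipaddress.ip_network((addr, mask), strict=False)
    return ipaddress.ip_network(entry, strict=False)


def audit_admin(account):
    """Return findings for one administrator account (empty list if none)."""
    findings = []
    nets = [parse_trusted_host(h) for h in account.get("trusted_hosts", [])]
    if not nets:
        findings.append(f"{account['name']}: no trusted hosts, logins accepted from anywhere")
    per_family = {}
    for net in nets:
        per_family.setdefault(net.version, []).append(net)
        if net.prefixlen == 0:
            findings.append(f"{account['name']}: trusted host {net} is the unrestricted default")
    for version, family in per_family.items():
        if len(family) > MAX_TRUSTED_PER_FAMILY:
            findings.append(f"{account['name']}: {len(family)} IPv{version} trusted hosts, "
                            f"the unit accepts at most {MAX_TRUSTED_PER_FAMILY}")
    return findings


def login_permitted(account, source_ip):
    """Would a login from source_ip pass this account's trusted host restriction?"""
    src = ipaddress.ip_address(source_ip)
    nets = [parse_trusted_host(h) for h in account.get("trusted_hosts", [])]
    if not nets:
        return True  # the defaults 0.0.0.0/0 and ::/0 restrict nothing
    return any(src in net for net in nets if net.version == src.version)


def audit_interface(interface):
    """Flag management protocols the guide recommends against on exposed interfaces."""
    enabled = {proto.lower() for proto in interface.get("admin_access", [])}
    weak = sorted(enabled & INSECURE_ACCESS)
    if weak:
        return [f"{interface['name']}: management access permits {', '.join(weak)}; "
                "use only HTTPS or SSH"]
    return []


def audit_global(settings):
    """Flag an idle timeout longer than the default the guide says to keep."""
    timeout = settings.get("idle_timeout_min", DEFAULT_IDLE_TIMEOUT_MIN)
    if timeout > DEFAULT_IDLE_TIMEOUT_MIN:
        return [f"idle timeout is {timeout} minutes; default of {DEFAULT_IDLE_TIMEOUT_MIN} is recommended"]
    return []


def audit_all(admins, interfaces, settings):
    findings = []
    for account in admins:
        findings.extend(audit_admin(account))
    for interface in interfaces:
        findings.extend(audit_interface(interface))
    findings.extend(audit_global(settings))
    return findings


# Constructed sample configuration (not taken from a real unit).
SAMPLE_ADMINS = [
    {"name": "netops", "trusted_hosts": ["192.0.2.0/255.255.255.0", "2001:db8:10::/64"]},
    {"name": "helpdesk", "trusted_hosts": ["0.0.0.0/0.0.0.0"]},
]
SAMPLE_INTERFACES = [
    {"name": "wan1", "admin_access": ["https", "ssh", "http"]},
    {"name": "internal", "admin_access": ["https", "ssh"]},
]
SAMPLE_GLOBAL = {"idle_timeout_min": 30}

if __name__ == "__main__":
    for line in audit_all(SAMPLE_ADMINS, SAMPLE_INTERFACES, SAMPLE_GLOBAL):
        print(line)
```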
The following instructions assume there is a RADIUS server on your network populated
with the names and passwords of your administrators. For information on how to set up a
RADIUS server, see the documentation for your RADIUS server.
To view the RADIUS server list, go to User > Remote > RADIUS.
Figure 114: Example RADIUS server list
Delete
Edit
Create New
Name: The name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP
Delete icon
Edit icon
Primary Server Name/IP: Enter the domain name or IP address of the RADIUS server.
Primary Server Secret: Enter the RADIUS server secret. The RADIUS server administrator can provide this information.
Secondary Server Name/IP: Enter the domain name or IP address of a second RADIUS server (optional).
Secondary Server Secret
Include in every User Group: Select to add this RADIUS server to every user group in this VDOM (optional).
4 Select OK.
For further information about RADIUS authentication, see Configuring a RADIUS server
on page 648.
To create the user group (RADIUS)
1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing RADIUS group.
3 Enter the name that identifies the user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the RADIUS server name and move it to the
Members list.
6 Select OK.
To configure an administrator to authenticate with a RADIUS server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
Name
Type: Remote.
User Group
Password
Confirm Password
Admin Profile
For more information about using a RADIUS server to authenticate system administrators,
see the Fortinet Knowledge Base article Using RADIUS for Admin Access and
Authorization.
To view the LDAP server list, go to User > Remote > LDAP.
Figure 115: Example LDAP server list
Delete
Edit
Create New
Name: The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP
Port
Common Name Identifier: The common name identifier for the LDAP server.
Distinguished Name
Delete icon
Edit icon
Name: The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP
Server Port
Common Name Identifier
Distinguished Name: The base distinguished name for the server in the correct X.500 or LDAP format.
Query icon: View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see Using Query on page 652.
Bind Type
Anonymous
Regular
Simple
Filter
User DN
Password
Secure Connection
Protocol
Certificate
For further information about LDAP authentication, see Configuring an LDAP server on
page 650.
To create the user group (LDAP)
1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the LDAP user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the LDAP server name and move it to the
Members list.
6 Select OK.
To configure an administrator to authenticate with an LDAP server
1 Go to System > Admin.
2 Select Create New or select the Edit icon beside an existing administrator account.
3 Enter or select the following:
Administrator
Type: Remote.
User Group
Wildcard: A check box that allows all accounts on the LDAP server to be administrators.
Password
Confirm Password: The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
Admin Profile
To view the TACACS+ server list, go to User > Remote > TACACS+.
Figure 116: Example TACACS+ server list
Create New
Server
Authentication Type
Delete icon
Edit icon
Name
Server Name/IP: Enter the server domain name or IP address of the TACACS+ server.
Server Key: Enter the key to access the TACACS+ server. The maximum key length is 16 characters.
Authentication Type: Enter one of Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order).
4 Select OK.
For further information about TACACS+ authentication, see Configuring TACACS+
servers on page 653.
To create the user group (TACACS+)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the TACACS+ user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the TACACS+ server name and move it to
the Members list.
6 Select OK.
To configure an administrator to authenticate with a TACACS+ server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
Administrator
Type: Remote.
User Group
Wildcard
Password
Confirm Password: The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
Admin Profile
Create New
Name
Subject: The text string that appears in the subject field of the certificate of the authenticating user.
CA
Delete icon
Edit icon
Type: Firewall.
Available Users/Groups: Select the PKI user name and move it to the Members list.
4 Select OK.
To configure an administrator to authenticate with a PKI certificate
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
Administrator
Type: PKI.
User Group
Admin Profile
Admin profiles
Each administrator account belongs to an admin profile. The admin profile separates
FortiGate features into access control categories for which an administrator with
read/write access can enable none (deny), read only, or read/write access.
The following table lists the web-based manager pages to which each category provides
access.
Access control category: web-based manager pages
Admin Users
Antivirus Configuration
Application Control
Auth Users: User
Email Filter
Firewall Configuration: Firewall
FortiGuard Update
IPS Configuration
Log&Report: Log&Report
Maintenance
Network Configuration
Router Configuration: Router
Spamfilter Configuration
System Configuration
VPN Configuration: VPN
Webfilter Configuration
Read-only access for a web-based manager page enables the administrator to view that
page. However, the administrator needs write access to change the settings on the page.
You can expand the firewall configuration access control to enable more granular control
of access to the firewall functionality. You can control administrator access to policy,
address, service, schedule, profile, and other virtual IP (VIP) configurations.
Note: When Virtual Domain Configuration is enabled (see Settings on page 261), only the
administrators with the admin profile super_admin have access to global settings. Other
administrator accounts are assigned to one VDOM and cannot access global configuration
options or the configuration for any other VDOM.
For information about which settings are global, see VDOM configuration settings on
page 126.
The admin profile has a similar effect on administrator access to CLI commands. The
following table shows which command types are available in each Access Control
category. You can access get and show commands with Read Only access. Access to
config commands requires Read-Write access.
Table 41: Admin profile control of access to CLI commands
Access control category: CLI commands
Admin Users: system admin; system accprofile
Antivirus Configuration: antivirus
Application Control: application
Auth Users: user
dlp
Email Filter: spamfilter
Firewall Configuration: firewall
Use the set fwgrp custom and config fwgrppermission commands to set some firewall permissions individually. You can make selections for policy, address, service, schedule, profile, and other (VIP) configurations. For more information, see the FortiGate CLI Reference.
FortiGuard Update: system autoupdate; execute update-av; execute update-ips; execute update-now
IPS Configuration: ips
Log&Report: system alertemail; log; system fortianalyzer; execute log
Maintenance (mntgrp): execute formatlogdisk; execute restore; execute backup; execute batch; execute usb-disk
Network Configuration: system arp-table; system dhcp; system interface; system zone; execute dhcp lease-clear; execute dhcp lease-list; execute clear system arp table; execute interface
Router Configuration: router; execute router; execute mrouter
Spamfilter Configuration: spamfilter
VPN Configuration: vpn; execute vpn
Webfilter Configuration: webfilter
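As an added example that is not from the guide or FortiOS itself, the following Python models how an admin profile's Access Control settings gate CLI commands according to Table 41: get and show need Read Only, config needs Read-Write, and a Firewall Configuration entry set to custom (set fwgrp custom) carries separate permissions for policy, address, service, schedule, profile and other (VIP). Treating execute commands like config, and the sample profiles, are this example's assumptions; the command list covers only the commands shown in the table.

```python
"""Admin-profile gating of CLI commands, modelled on Table 41 (added example, not FortiOS code)."""

# Access Control categories from Table 41 and the CLI command prefixes each one governs.
# Only the commands visible in the table are listed; the full mapping is in the CLI Reference.
CATEGORY_COMMANDS = {
    "Admin Users": ["system admin", "system accprofile"],
    "Antivirus Configuration": ["antivirus"],
    "Application Control": ["application"],
    "Auth Users": ["user"],
    "Email Filter": ["spamfilter"],
    "Firewall Configuration": ["firewall"],
    "FortiGuard Update": ["system autoupdate", "execute update-av",
                          "execute update-ips", "execute update-now"],
    "IPS Configuration": ["ips"],
    "Log&Report": ["system alertemail", "log", "system fortianalyzer", "execute log"],
    "Maintenance": ["execute formatlogdisk", "execute restore", "execute backup",
                    "execute batch", "execute usb-disk"],
    "Network Configuration": ["system arp-table", "system dhcp", "system interface",
                              "system zone", "execute dhcp lease-clear",
                              "execute dhcp lease-list", "execute clear system arp table",
                              "execute interface"],
    "Router Configuration": ["router", "execute router", "execute mrouter"],
    "VPN Configuration": ["vpn", "execute vpn"],
    "Webfilter Configuration": ["webfilter"],
}

LEVELS = {"none": 0, "read-only": 1, "read-write": 2}
# Firewall areas that set fwgrp custom can grant individually; anything else is "other" (VIP etc.).
FIREWALL_AREAS = ("policy", "address", "service", "schedule", "profile")


def command_category(command):
    """Map a CLI command line to its Access Control category (longest prefix wins).

    For get/show/config the verb is dropped and the config path is matched;
    execute commands are matched whole because Table 41 lists them by name.
    """
    words = command.split()
    if not words:
        return None
    key = command if words[0] == "execute" else " ".join(words[1:])
    best, best_len = None, -1
    for category, prefixes in CATEGORY_COMMANDS.items():
        for prefix in prefixes:
            if (key == prefix or key.startswith(prefix + " ")) and len(prefix) > best_len:
                best, best_len = category, len(prefix)
    return best


def required_level(verb):
    """get and show need Read Only; config needs Read-Write (from the guide).
    Treating execute like config is this example's assumption."""
    return "read-only" if verb in ("get", "show") else "read-write"


def is_allowed(profile, command):
    """Decide whether a profile permits a command.

    profile maps category -> level; for Firewall Configuration it may instead map to a
    dict of area -> level, which models set fwgrp custom / config fwgrppermission.
    Unknown commands and categories absent from the profile are denied.
    """
    words = command.split()
    category = command_category(command)
    if category is None:
        return False
    granted = profile.get(category, "none")
    if isinstance(granted, dict):  # custom firewall permissions
        area = words[2] if len(words) > 2 and words[2] in FIREWALL_AREAS else "other"
        granted = granted.get(area, "none")
    return LEVELS[granted] >= LEVELS[required_level(words[0])]


# Constructed sample profiles (not from the guide).
FIREWALL_OPERATOR = {
    "Firewall Configuration": {"policy": "read-write", "address": "read-write",
                               "service": "read-only"},
    "Network Configuration": "read-only",
    "Log&Report": "read-only",
}
SUPER_ADMIN = {category: "read-write" for category in CATEGORY_COMMANDS}

if __name__ == "__main__":
    for cmd in ("config firewall policy", "config firewall vip", "get firewall service custom",
                "show system interface", "config system admin", "execute backup config"):
        print("%-30s operator=%-5s super=%s" % (cmd, is_allowed(FIREWALL_OPERATOR, cmd),
                                                 is_allowed(SUPER_ADMIN, cmd)))
```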
To add admin profiles for FortiGate administrators, go to System > Admin > Admin Profile.
Each administrator account belongs to an admin profile. An administrator with read/write
access can create admin profiles that deny access to, allow read-only, or allow both read and write access to FortiGate features.
When an administrator has read-only access to a feature, the administrator can access
the web-based manager page for that feature but cannot make changes to the
configuration. There are no Create or Apply buttons, and lists display only the View icon
instead of icons for Edit, Delete or other modification commands.
Create New
Profile Name
Delete icon
Edit icon
Profile Name
Access Control (categories): None, Read Only, or Read-Write
GUI Control
Central Management
The Central Management tab provides the option of remotely managing your FortiGate
unit by either a FortiManager unit or the FortiGuard Analysis and Management Service.
From System > Admin > Central Management, you can configure your FortiGate unit to
back up or restore configuration settings automatically to the specified central
management server. The central management server is the type of service you enable,
either a FortiManager unit or the FortiGuard Analysis and Management Service. If you
have a subscription for FortiGuard Analysis and Management Service, you can also
remotely upgrade the firmware on the FortiGate unit.
Figure 120: Central Management using FortiManager
Enable Central Management
Type: Select the type of central management for this FortiGate unit. You can select FortiManager or the FortiGuard Management Service.
FortiManager
FortiGuard Management Service
When you are configuring your FortiGate unit to connect to and communicate with a
FortiManager unit, the following steps must be taken because of the two different
deployment scenarios.
In the FortiManager GUI, add the FortiGate unit to the FortiManager database in
the Device Manager module
Contact the FortiManager administrator to verify the FortiGate unit displays in the
Device list in the Device Manager module
Revision control
The Revision Control tab displays a list of the backed up configuration files. The list
displays only when your FortiGate unit is managed by a central management server. For
more information, see Managing configuration revisions on page 297.
Settings
The Settings tab includes the following features that you can configure:
settings for the language of the web-based manager and the number of lines displayed
in generated reports
PIN protection for LCD and control buttons (LCD-equipped models only)
To configure settings, go to System > Admin > Settings, enter or select the following and
select OK.
Figure 122: Administrators Settings
HTTP
HTTPS
Telnet Port: TCP port to be used for administrative telnet access. The default is 23.
SSH Port: TCP port to be used for administrative SSH access. The default is 22.
Enable SSH v1 compatibility
Password Policy
Enable
Minimum Length
Must contain
Apply Password Policy to
Admin Password Expires after n days: Require administrators to change password after a specified number of days. Specify 0 to remove required periodic password changes.
Timeout Settings
Idle Timeout
Display Settings
Language
Number of lines per page to display in table lists. The default is 50. Range is from 20 - 1000.
IPv6 Support on GUI: Enable to configure IPv6 options from the GUI (Firewall policy, route, address and address group). Default allows configuration from CLI only. For more information on IPv6, see the sections that include IPv6 related fields, or see FortiGate IPv6 support on page 264.
LCD Panel (LCD-equipped models only)
PIN Protection
Enable SCP
Enable Wireless Controller: Enable the Wireless Controller feature. Then you can access the Wireless Controller menu in the web-based manager and the corresponding CLI commands. For more information, see Wireless Controller on page 697.
Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH,
ensure that the port number is unique.
Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under System
Information, you will see Current Administrators. Select Details to view information about
the administrators currently logged in to the FortiGate unit.
Figure 123: System Information displaying current administrators
User Name
Type
From
Time
using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers.
FortiGate units are dual IP layer IPv6/IPv4 nodes, and support IPv6 in both NAT/Route and
Transparent operation modes. They support IPv6 over IPv4 tunneling as well as IPv6
routing, firewall policies and IPSec VPN. You can assign both an IPv4 and an IPv6
address to any interface on a FortiGate unit; the interface then functions as two interfaces,
one for IPv4-addressed packets and another for IPv6-addressed packets.
For more information, see the FortiGate IPv6 Support Technical Note.
Once IPv6 support is enabled, you can configure the IPv6 options using the web-based
manager or the CLI. Note that some IPv6 configuration is only available in the CLI.
See the FortiGate CLI Reference for information on configuring IPv6 support using the
CLI.
IP version 6 address
While 32 bits of addresses, or just under 5 billion addresses, seems like a lot, they have
been used up quickly. Between the servers and routers that provide the backbone
communications of the Internet, and large companies and governments with thousands of
computers, large portions of the IP address space were either reserved or used up.
In 1998, IP version 6 was designed mainly to provide more addresses but also to improve
slightly on IP version 4 (IPv4). IP version 6 (IPv6) is defined in RFC 2460.
With four bytes of addresses there are a total of just under 5 billion addresses. IPv6
addresses are 32 bytes long, and have no problems of ever running out. This very large
address space also allows for more logical organization of addresses, which in turn
promotes more efficient network management and routing.
IPv6 addresses are normally written as eight groups of 4 hexadecimal digits each. For
example,
3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234
is a valid IPv6 address.
If a 4 digit group is 0000, it may be omitted. For example,
3f2e:6a8b:78a3:0000:1725:6a2f:0370:6234
is the same IPv6 address as
3f2e:6a8b:78a3::1725:6a2f:0370:6234
You can use the :: notation to indicate multiple consecutive omitted zero groups. There
must not be more than one use of :: in an address, as this is ambiguous. Also, you can
omit leading zeros in a group. Thus
19a4:0478:0000:0000:0000:0000:1a57:ac9e
19a4:0478:0000:0000:0000::1a57:ac9e
19a4:478:0:0:0:0:1a57:ac9e
19a4:478:0::0:1a57:ac9e
19a4:478::1a57:ac9e
are all valid and are the same address.
For IPv4-compatible or IPv4-mapped IPv6 addresses, you can enter the IPv4 portion
using either hexadecimal or dotted decimal, but the FortiGate CLI always shows the IPv4
portion in dotted decimal format. For all other IPv6 addresses, the CLI accepts and
displays only hexadecimal.
IPv6 Netmasks
As with IP addresses, hexadecimal notation replaces the dotted decimal notation of IPv4.
CIDR notation can also be used. This notation appends a slash (/) to the IP address,
followed by the number of bits in the network portion of the address.
Table 42: IPv6 netmasks
IP Address: 3ffe:ffff:1011:f101:0210:a4ff:fee3:9566
Netmask: ffff:ffff:ffff:ffff:0000:0000:0000:0000
Network: 3ffe:ffff:1011:f101:0000:0000:0000:0000
CIDR IP/Netmask: 3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/64
IPv6 address types:
Unspecified: ::/128
Loopback: ::1/128
IPv4-compatible: ::/96
IPv4-mapped: ::FFFF/96
Multicast: ::FF00/8
Anycast
Link-local: FE80::/10
Site-local: FEC0::/10
Global: all others
IPv4-compatible and IPv4-mapped address forms:
IPv4-compatible: 0000:0000:0000:0000:0000:0000:874B:2B34, ::874B:2B34, or ::135.75.43.52
IPv4-mapped: 0000:0000:0000:0000:0000:FFFF:874B:2B34 or ::FFFF:135.75.43.52
IPv4-compatible addresses are used for hosts and routers to dynamically tunnel IPv6
packets over IPv4 routing infrastructure. IPv4-mapped addresses are used for nodes that
do not support IPv6.
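The notation rules above (omitted leading zeros, a single "::", a dotted-decimal IPv4 tail), the CIDR arithmetic of Table 42 and the address-type list are worked through in the following Python, an added example that is not from the guide or FortiOS. It goes slightly beyond the text: the classifier uses the RFC 4291 prefixes for IPv4-mapped (::ffff:0:0/96) and multicast (ff00::/8) addresses, which the guide's list abbreviates, and compress() produces the shortest form rather than just accepting it.

```python
"""IPv6 notation helpers following the rules described above (added example, not FortiOS code)."""
import re

GROUPS = 8  # eight 16-bit groups: an IPv6 address is 128 bits (16 bytes) long
HEX_GROUP = re.compile(r"[0-9a-fA-F]{1,4}")
DOTTED_TAIL = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def expand(addr):
    """Return the full eight-group, zero-padded, lowercase form of any shorthand address.

    Handles omitted leading zeros, a single '::' standing for one or more zero groups,
    and a trailing dotted-decimal IPv4 part (IPv4-compatible / IPv4-mapped addresses).
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    m = DOTTED_TAIL.search(addr)
    if m:  # dotted-decimal tail becomes two hex groups, e.g. 135.75.43.52 -> 874b:2b34
        octets = [int(o) for o in m.groups()]
        if max(octets) > 255:
            raise ValueError("bad IPv4 octet in %r" % addr)
        addr = addr[:m.start()] + "%02x%02x:%02x%02x" % tuple(octets)
    if "::" in addr:
        head, tail = addr.split("::")
        if head.endswith(":") or tail.startswith(":"):
            raise ValueError("malformed '::' in %r" % addr)
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = GROUPS - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %r" % addr)
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != GROUPS or not all(HEX_GROUP.fullmatch(g) for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return ":".join(g.lower().zfill(4) for g in groups)


def compress(addr):
    """Shortest form: drop leading zeros, replace the longest run of 2+ zero groups with '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < GROUPS:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < GROUPS and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def to_int(addr):
    return int(expand(addr).replace(":", ""), 16)


def from_int(n):
    return ":".join("%04x" % ((n >> (112 - 16 * i)) & 0xFFFF) for i in range(GROUPS))


def network(addr, prefix_len):
    """Apply a CIDR prefix length as in Table 42; returns (network address, netmask)."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0..128")
    mask = ((1 << 128) - 1) ^ ((1 << (128 - prefix_len)) - 1)
    return from_int(to_int(addr) & mask), from_int(mask)


# Address classes as (name, prefix, length). IPv4-mapped and multicast use their RFC 4291
# prefixes (::ffff:0:0/96, ff00::/8); order matters because :: and ::1 also lie inside ::/96.
CLASSES = [
    ("unspecified", "::", 128),
    ("loopback", "::1", 128),
    ("IPv4-mapped", "::ffff:0:0", 96),
    ("IPv4-compatible", "::", 96),
    ("multicast", "ff00::", 8),
    ("link-local", "fe80::", 10),
    ("site-local", "fec0::", 10),
]


def classify(addr):
    """Name the address class from CLASSES, or 'global' for everything else."""
    n = to_int(addr)
    for name, base, length in CLASSES:
        shift = 128 - length
        if n >> shift == to_int(base) >> shift:
            return name
    return "global"


if __name__ == "__main__":
    for a in ("3f2e:6a8b:78a3::1725:6a2f:0370:6234", "19a4:478:0::0:1a57:ac9e",
              "::135.75.43.52", "::ffff:135.75.43.52", "fe80::1", "ff02::1"):
        print("%-39s %-22s %s" % (expand(a), compress(a), classify(a)))
    print(network("3ffe:ffff:1011:f101:0210:a4ff:fee3:9566", 64))
```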
IPv6 tunneling
Networks using IPv6 addressing can be linked through IPv4-addressed infrastructure
using several tunneling techniques:
Table 45: Tunneling techniques
IPv6-over-IPv4
Configured
Automatic
IPv4 multicast
Dialog box - HTML-layer pop-up window. Displayed via HTML with grayed-out
background (see Figure 128).
GUI layout - web-based manager layout configured for a specific Admin Profile (see
Figure 139).
Tier 1 menu item - top-level menu item in web-based manager layout (see To create
Tier-1 and Tier-2 menu items on page 272).
Tier 2 menu item - submenu item in web-based manager layout (see To create Tier-1
and Tier-2 menu items on page 272).
Tip: Increase the timeout settings before creating or editing a GUI layout. See Settings on
page 261.
Note: The current administrator Access Control settings apply only to the fixed components
of the layout (default), not to the customized items. If you want to create a completely
customized layout profile, you must set access for all fixed components to None and also
set all the standard menu items to Hide from within the GUI layout dialog box (see
Figure 128).
Figure 126: Admin Profile dialog box - Log & Report access (callouts: access denied to other layout items; read-only access selected for Log & Report; standard GUI Control menu layout selection)
Figure 127: Selection of Customize GUI Control option for Report Profile (callout: select Customize to access the layout dialog box)
Figure 128: Customize GUI layout dialog box for Report Profile (callouts: customization drop-down menu icon and menu; Edit Layout; Show Preview; Add Content; Save layout; Cancel layout changes)
In the GUI layout dialog box, select the customization drop-down menu icon beside
System and select hide (see Figure 128). Repeat for each menu item except Log&Report.
To start the configuration of customized menu items, select the Create New (Tier-1 menu
item) icon in the FortiGate menu. You will need to:
Figure callouts: creation of the new Tier-1 menu item Custom Log Report, and of the new Tier-2 menu items Custom Log Menu1 and Custom Log Menu2.
After you create Tier-1 and Tier-2 menu items, you need to create the subset of tab items
across the page layout. The Create New tab icon is not available until you have created
the Tier-1 and Tier-2 menu items.
To create a new tab
1 Select the Create New tab item icon (see Figure 5).
A tab is created with the default name custom menu, and an additional Create New
icon appears beside it.
2 Select and rename the default name to Custom Log Report Tab1 (see Figure 131).
3 Press Enter to save your change.
4 Repeat steps 1 to 3 to create a second tab called Custom Log Report Tab2.
5 To save your customized layout, select Save in the GUI layout dialog box (see
Figure 128).
Figure 130: Create New tab
To add content to the page layout, select Add Content (see Figure 128). The Add content
to the Custom Log Report Tab1 dialog box appears (see Figure 133).
Figure 133: Add content dialog box
The Add content dialog box includes a search feature that you can use to find widgets.
The search filters in real time using a contains-type match on the widget names. For
example, if you search on use, you will be shown User Group, IM User Monitor, Firewall
User Monitor, Banned User, and Top Viruses (see Figure 134).
For Custom Log Report Tab1, select the Log&Report category. All the items related to the
Log&Report menu item are listed (see Figure 135). Select Add next to an item that you
want to include in the tab. The item is placed in the page layout behind the Custom Log
Report Tab1 dialog box. You will see the configured layout when you close the Add
content to the Custom Log Report Tab1 dialog box. The maximum number of items that
can be placed in a page layout is 8.
For the Custom Log Report Tab1, select the following items for inclusion in the layout:
Alert E-mail
Schedule.
For the Custom Log Report Tab2, select the following items for inclusion in the layout:
Event Log
Log Setting.
Figure 137: Log&Report category selection for Custom Log Report Tab2
To preview a customized layout in the custom GUI layout dialog box, select Show Preview
(see Figure 139). When you have completed the configuration selections for the page
layout, select Save to close the custom GUI layout dialog box (see Figure 139). To
abandon the configuration, select Reset menus (see Figure 139). To exit the GUI layout
dialog box without saving your changes, select Cancel (see Figure 139).
Figure 139: Report Profile customized GUI layout dialog box - complete
When you complete the customization, close the dialog box to return to the Admin Profile
dialog box in which you configured the custom GUI. To save the configuration, select OK
to close the Admin Profile dialog box (see Figure 125).
To view the web-based manager configuration created in Report Profile, you must log out
of the FortiGate unit, then log back in using the name and password of an administrator
assigned the Report Profile administrative profile. The FortiGate web-based manager
reflects the customized configuration of Report Profile (see Figure 140).
Figure 140: Customized web-based manager page
System Certificates
This section explains how to manage X.509 security certificates using the FortiGate web-based manager. Certificate authentication allows administrators to generate certificate
requests, install signed certificates, import CA root certificates and certificate revocation
lists, and back up and restore installed certificates and private keys.
Authentication is the process of determining if a remote host can be trusted with access to
network resources. To establish its trustworthiness, the remote host must provide an
acceptable authentication certificate by obtaining a certificate from a certification authority
(CA). The FortiGate unit can then use certificate authentication to reject or allow
administrative access via HTTPS, and to authenticate IPSec VPN peers or clients, as well
as SSL VPN user groups or clients.
If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are
configured globally for the entire FortiGate unit. For details, see Using virtual domains on
page 125.
There are several certificates on the FortiGate unit that have been automatically
generated.
Table 46: Automatically generated FortiGate certificates
Fortinet_Firmware
Fortinet_Factory
Fortinet_Factory2
Fortinet_CA
Fortinet_CA2
System administrators can use these certificates wherever they may be required, for
example, with SSL VPN, IPSec, LDAP, and PKI.
For additional background information on certificates, see the FortiGate Certificate
Management User Guide.
This section includes the following topics:
Local Certificates
Remote Certificates
CA Certificates
CRL
Local Certificates
Certificate requests and installed server certificates are displayed in the Local Certificates
list. After you submit the request to a CA, the CA will verify the information and register the
contact information on a digital certificate that contains a serial number, an expiration date,
and the public key of the CA. The CA will then sign the certificate and send it to you to
install on the FortiGate unit.
Local certificates can update automatically online prior to expiry. This must be configured
in the CLI. See the vpn certificate local command in the FortiGate CLI Reference.
To view certificate requests and/or import signed server certificates, go to System >
Certificates > Local Certificates. To view certificate details, select the View Certificate
Detail icon in the row that corresponds to the certificate.
Figure 141: Local Certificates list
Generate
Import: Import a signed local certificate. For more information, see Importing a signed server certificate on page 283.
Name
Subject
Comments
Status
View Certificate Detail icon: Display certificate details such as the certificate name, issuer, subject, and valid certificate dates.
Delete icon: Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate has PENDING status.
Download icon: Save a copy of the certificate request to a local computer. You can send the request to your CA to obtain a signed server certificate for the FortiGate unit (SCEP-based certificates only).
For detailed information and step-by-step procedures related to obtaining and installing
digital certificates, see the FortiGate Certificate Management User Guide.
Certification Name
Subject Information
Host IP: If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.
Domain Name
E-mail: If you select E-mail, enter the email address of the owner of the FortiGate unit.
Optional Information
Organization Unit
Organization
Locality (City): Enter the name of the city or town where the FortiGate unit is installed.
State/Province: Enter the name of the state or province where the FortiGate unit is installed.
Country
Key Type
Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.
Enrollment Method
File Based
Online SCEP
Type
Certificate File: Enter the full path to and file name of the signed server certificate.
Browse
3 Select OK.
Type
Certificate with key file: Enter the full path to and file name of the previously exported PKCS12 file.
Browse
Password
3 Select OK.
Note: The certificate file must not use 40-bit RC2-CBC encryption.
Type: Select Certificate.
Certificate file: Enter the full path to and file name of the previously exported certificate file.
Browse
Key file: Enter the full path to and file name of the previously exported key file.
Browse: Alternatively, browse to the location of the previously exported key file, select the file, and then select OK.
Password: If a password is required to upload and open the files, type the password.
3 Select OK.
Remote Certificates
For dynamic certificate revocation, you need to use an Online Certificate Status Protocol
(OCSP) server. Remote certificates are public certificates without a private key. The
OCSP is configured in the CLI only. For more information, see the FortiGate CLI
Reference.
Installed Remote (OCSP) certificates are displayed in the Remote Certificates list.
Import
Name: The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.
Subject
Delete icon
View Certificate Detail icon
Download icon
Local PC
Browse
The system assigns a unique name to each Remote (OCSP) certificate. The names are
numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and
so on).
CA Certificates
When you apply for a signed personal or group certificate to install on remote clients, you
must obtain the corresponding root certificate and CRL from the issuing CA.
When you receive the certificate, install it on the remote clients according to the browser
documentation. Install the corresponding root certificate and CRL from the issuing CA on
the FortiGate unit.
CA certificates can update automatically online prior to expiry. This must be configured in
the CLI. See the vpn certificate local command in the FortiGate CLI Reference.
Installed CA certificates are displayed in the CA Certificates list. You cannot delete the
Fortinet_CA certificate. To view installed CA root certificates or import a CA root
certificate, go to System > Certificates > CA Certificates. To view root certificate details,
select the View Certificate Detail icon in the row that corresponds to the certificate.
Figure 148: CA Certificates list
Import
Name: The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.
Subject
Delete icon
View Certificate Detail icon
Download icon
For detailed information and step-by-step procedures related to obtaining and installing
digital certificates, see the FortiGate Certificate Management User Guide.
Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that has
management access to the FortiGate unit.
To import a CA root certificate, go to System > Certificates > CA Certificates and select
Import.
Figure 149: Import CA Certificate
SCEP
Local PC
If you choose SCEP, the system starts the retrieval process as soon as you select OK.
The system assigns a unique name to each CA certificate. The names are numbered
consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
CRL
A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with
certificate status information. Installed CRLs are displayed in the CRL list. The FortiGate
unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are
valid.
To view installed CRLs, go to System > Certificates > CRL.
Figure 150: Certificate revocation list
Import: Import a CRL. For more information, see Importing a certificate revocation list on page 288.
Name: The names of existing certificate revocation lists. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.
Subject
Delete icon
View Certificate Detail icon: Display CRL details such as the issuer name and CRL update dates.
Download icon
To import a certificate revocation list, go to System > Certificates > CRL and select Import.
Figure 151: Import CRL
HTTP: Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.
LDAP: Select to use an LDAP server to retrieve the CRL, then select the LDAP server from the list.
SCEP: Select to use an SCEP server to retrieve the CRL, then select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
Local PC
The system assigns a unique name to each CRL. The names are numbered consecutively
(CRL_1, CRL_2, CRL_3, and so on).
System Maintenance
This section describes how to maintain your system configuration as well as how to enable
and update FDN services. This section also explains the types of FDN services that are
available for your FortiGate unit.
If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is
configured globally for the entire FortiGate unit. For more information, see Using virtual
domains on page 125.
This section includes the following topics:
Backup & Restore - allows you to back up and restore your system configuration file,
remotely upgrade firmware, and import CLI commands.
Revision Control - displays all system configuration backups with the date and time of
when they were backed up. Before you can use revision control, a Central
Management server must be configured and enabled.
Scripts - displays script history execution and provides a way to upload script files to
the FortiGuard Analysis & Management Service portal web site
FortiGuard - displays all FDN subscription services, such as antivirus and IPS
definitions as well as the FortiGuard Analysis & Management Service. This tab also
provides configuration options for antivirus, IPS, web filtering, and antispam services.
License - allows you to increase the maximum number of VDOMs (on some FortiGate
models).
When backing up the system configuration, web content files and email filtering files are
also included. You can save the configuration to the management computer or to a USB
disk if your FortiGate unit includes a USB port (see Formatting USB Disks on page 296).
You can also restore the system configuration from previously downloaded backup files in
the Backup & Restore menu.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/ Feedback
When virtual domain configuration is enabled, the content of the backup file depends on
the administrator account that created it. A backup of the system configuration from the
super_admin account contains global settings and the settings included in each VDOM.
Only the super_admin can restore the configuration from this file. When you back up the
system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM that the regular administrator belongs to. A
regular administrator is the only user account that can restore the configuration from this
file.
Some FortiGate models support FortiClient by storing a FortiClient image that users can
download. The FortiClient section of Backup & Restore is available if your FortiGate model
supports FortiClient.
Tip: For simplified procedures on managing firmware, including backup and restore
options, and on uploading and downloading firmware for your FortiGate unit, see
Managing firmware versions on page 113.
Backup
Backup configuration to: The options available for backing up your current configuration. Select one of the displayed options:
Local PC
FortiGuard Analysis & Management Service: Back up the configuration to the FortiGuard Analysis & Management Service. If the service is not enabled, Management Station is displayed.
USB Disk
FortiManager
Password: Enter a password to encrypt the configuration file. You will need this password to restore the configuration file.
Confirm
Filename: Enter the name of the backup file or select Browse to locate the file. The Filename field is available only when you choose to back up the configuration to a USB disk.
Backup
Restore
Restore configuration from: The options available for restoring the configuration from a specific file. Select one of the displayed options:
  Local PC
  USB disk
  FortiGuard Analysis & Management Service: Restore a configuration from the FortiGuard Analysis & Management Service. If FortiGuard Management Services is not enabled, this option is not displayed and Management Station is displayed instead.
  FortiManager
Filename: Select the configuration file name from the Browse list if you are restoring the configuration from a USB disk. Enter the configuration file name or select Browse if you are restoring the configuration from a file on the management computer.
Password: Enter the password you entered when backing up the configuration file.
Restore: Select to restore the configuration.
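The same backup and restore operations from the CLI, as an added example that is not part of the guide. It assumes a USB disk is inserted, that the commands are run as the super_admin account in the global scope so that every VDOM is included, and that a TFTP server exists at 192.168.20.10 on the management network; the file name and passphrase are placeholders. The syntax is the FortiOS 4.0 execute backup config / execute restore config syntax; confirm the options your build accepts in the CLI Reference.

```fortios
# Added example (not from the guide). Assumed: a USB disk is inserted, the
# commands run as super_admin in the global scope (so every VDOM is included),
# and a TFTP server at 192.168.20.10. File name and passphrase are placeholders.

# See what is already on the USB disk before writing to it.
execute usb-disk list

# Back up to the USB disk. The last argument is the encryption password the
# Backup & Restore page asks for. Leave it off and the file is written in
# clear text, carrying administrator password hashes, IPsec pre-shared keys,
# SNMP communities and every other secret in the configuration.
execute backup config usb fg-config-20091022.conf Backup-Passphrase-ChangeMe

# The same backup to a TFTP server. TFTP offers no transport protection, so
# the password argument is the only thing protecting the file in transit.
execute backup config tftp fg-config-20091022.conf 192.168.20.10 Backup-Passphrase-ChangeMe

# Restore from the USB disk; the password must be the one used at backup time.
# The unit reboots to apply the restored configuration.
execute restore config usb fg-config-20091022.conf Backup-Passphrase-ChangeMe
```

Treat the resulting file as you would the unit's administrator credentials: store it encrypted, and restrict who can read the TFTP directory or the USB disk.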
Figure 154: Backup & Restore options with FortiManager option enabled
Backup
Backup: Select to back up the configuration to the FortiManager unit.
Restore
Restore configuration from: Select the FortiManager option to download and restore the configuration from the FortiManager unit.
Please Select: Select the configuration file you want to restore from the list. This list includes the comments you included in the Comment field before it was uploaded to the FortiManager unit. The list is in numerical order, with the most recently uploaded configuration first.
Restore: Select to restore the selected configuration.
When restoring the configuration from a remote location, a list of revisions is displayed so
that you can choose the configuration file to restore.
To view the basic backup and restore options, go to System > Maintenance >
Backup & Restore.
Figure 155: Backup & Restore Central Management options
Backup
Backup configuration to: Select the FortiGuard option to upload the configuration to the FortiGuard Analysis & Management Service. The Local PC option is always available.
Comments: Enter a comment to store with the uploaded configuration; it is shown in the list when you restore.
Backup: Select to back up the configuration.
Restore
Restore configuration from: Select the FortiGuard option to download the configuration file from the FortiGuard Analysis & Management Service.
Please Select: Select the configuration file you want to restore from the list. This list includes the comments you included in the Comment field before it was uploaded to the FortiGuard Analysis & Management Service. The list is in numerical order, with the most recently uploaded configuration first.
Restore: Select to restore the selected configuration.
Partition: A partition can contain one version of the firmware and the system configuration. FortiGate-100A units and higher have two partitions. One partition is active and the other is used as a backup.
Active
Last upgrade
Firmware Version
Upgrade from FortiGuard network to firmware version: [Please Select] Select one of the available firmware versions. The list contains the following information for each available firmware release: continent (for example, North America), maintenance release number, patch release number and build number. For example, if you are upgrading to FortiOS 3.0 MR6 and the FortiGate unit is located in North America, the firmware version available is v3.0 MR6-NA (build 0700).
Allow firmware downgrade
Upgrade by File
OK
On system restart, automatically update FortiGate configuration...
On system restart, automatically update FortiGate firmware...
Apply
Debug log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.
There are two ways to format the USB disk: from the FortiGate CLI or from a Windows system. In the CLI, use the command execute usb-disk format (the CLI also accepts the abbreviation exe usb-disk format). On a Windows system, at the command prompt type format <drive_letter>: /FS:FAT /V:<drive_label>, where <drive_letter> is the letter of the connected USB drive you want to format and <drive_label> is the name you want to give the USB drive for identification. The FortiGate unit expects a FAT file system on the disk, which is why /FS:FAT is specified.
When revision control is enabled on your FortiGate unit, and configurations have been backed up, a list of saved revisions of those backed-up configurations appears.
To view the configuration revisions, go to System > Maintenance > Revision Control.
Figure 159: Revision Control page displaying system configuration backups
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of system configuration backups. For more information, see Using page controls on web-based manager lists on page 60.
Revision: The revision number of the saved configuration.
Date/Time: The date and time this configuration was saved on the FortiGate unit.
Administrator: The administrator account that saved the revision.
Comments: Any relevant information saved with the revision, such as why the revision was saved, who saved it, and if there is a date when it can be deleted to free up space.
Diff icon: Compare this revision with another revision.
Download icon: Download this revision to the management computer.
Revert icon: Revert the FortiGate unit to this revision.
Upload Bulk CLI Command File: Select Browse to locate the script file and then select Apply to upload and execute the file. If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service, the script will be saved on the server for later use.
Name: The name of the script file.
Type: The source of the script file. A local file is uploaded directly to the FortiGate unit from the management PC and executed. A remote file is executed on the FortiGate unit after being sent from a FortiManager unit or the FortiGuard Analysis & Management Service.
Time: The time the script was executed.
Status: The result of the script execution.
Delete icon: Delete the script from the list.
To execute a script
1 Go to System > Maintenance > Scripts.
2 Verify that Upload Bulk CLI Command File is selected.
3 Select Browse to locate the script file.
4 Select Apply.
If the FortiGate unit is not configured for remote management, or if it is configured to use a
FortiManager unit, uploaded scripts are discarded after execution. Save script files to your
management PC if you want to execute them again later.
If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service,
the script file is saved to the remote server for later reuse. You can view the script or run it
from the FortiGuard Analysis & Management Service portal web site. For more
information about viewing or running an uploaded script on the portal web site, see the
FortiGuard Analysis & Management Service Users Guide.
hourly, daily, or weekly scheduled antivirus definition, IPS definition, and antispam rule
set updates from the FDN
update status including version numbers, expiry dates, and update dates and times
Registering your FortiGate unit on the Fortinet Support web page provides a valid license
contract and connection to the FDN. On the Fortinet Support web page, go to Product
Registration and follow the instructions.
The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to
receive scheduled updates. For more information, see To enable scheduled updates on
page 307.
You can also configure the FortiGate unit to receive push updates. When the FortiGate
unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit
using UDP port 9443. For more information, see Enabling push updates on page 308. If
the FortiGate unit is behind a NAT device, see Enabling push updates through a NAT
device on page 309.
FortiGuard services
Worldwide coverage of FortiGuard services is provided by FortiGuard service points.
When the FortiGate unit is connecting to the FDN, it is connecting to the closest
FortiGuard service point. Fortinet adds new service points as required.
If the closest service point becomes unreachable for any reason, the FortiGate unit contacts another service point and information is available within seconds. By default, the FortiGate unit communicates with the service point via UDP on port 53. Alternatively, you can switch the UDP port used for service point communication to port 8888 by going to System > Maintenance > FortiGuard. Although these queries use port 53, they are FortiGuard rating requests rather than DNS; if you filter outbound traffic from the FortiGate unit, allow them to the FortiGuard service points on whichever port you select.
If you need to change the default FortiGuard service point host name, use the hostname
keyword in the system fortiguard CLI command. You cannot change the FortiGuard
service point name using the web-based manager.
For more information about FortiGuard services, see the FortiGuard Center web page.
Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System > Maintenance > FortiGuard. The FDN page contains four sections of FortiGuard services: FortiGuard Subscription Services, AntiVirus and IPS Options, Web Filtering and AntiSpam Options, and Analysis & Management Service Options.
FortiGuard Subscription Services
[Register]
[Availability]
[Update]: Select to manually update this service on your FortiGate unit. This will prompt you to download the update file from your local computer. Select Update Now to immediately download current updates from FDN directly.
Status Icon
[Version]
[Last update date and method]: The date of the last update and the method used for the last attempt to download definition updates for this service.
[Date]: Local system date when the FortiGate unit last checked for updates for this service.
Expand arrow: Select to display or hide the options for this section.
AntiVirus and IPS Options
Use override push IP: Available only if both Use override server address and Allow Push Update are enabled. Select to allow you to create a forwarding policy that redirects incoming FDS push updates to your FortiGate unit. Enter the IP address of the NAT device in front of your FortiGate unit. FDS will connect to this device when attempting to reach the FortiGate unit. The NAT device must be configured to forward the FDS traffic to the FortiGate unit on UDP port 9443. See Enabling push updates through a NAT device on page 309.
Port: Select the port on the NAT device that will receive the FDS push updates. This port must be forwarded to UDP port 9443 on the FortiGate unit. Available only if Use override push is enabled.
Schedule Updates: Select to enable scheduled updates, and select the frequency:
  Every: Attempt to update at the selected interval.
  Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
  Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Update Now: Select to immediately download current updates from the FDN.
Submit attack characteristics (recommended)
Web Filtering and AntiSpam Options
Web Filtering: Enable Cache, TTL
AntiSpam: Enable Cache, TTL
Port Section: Select one of the following ports for your web filtering and antispam requirements: UDP port 53 (the default) or UDP port 8888.
Test Availability: Select to test the connection to the servers. Results are shown below the button and on the Status indicators.
To have a URL's category rating re-evaluated, please click here: Select to re-evaluate a URL's category rating on the FortiGuard Web Filter service.
Analysis & Management Service Options
Account ID: Enter the name for the Analysis & Management Service that identifies the account. The account ID that you entered in the Account ID field when registering is used in this field.
To configure FortiGuard Analysis Service options, please click here: Select the link please click here to configure and enable logging to the FortiGuard Analysis & Management server. The link redirects you to Log&Report > Log Config > Log Setting. This appears only after registering for the service.
To purge logs older than n months, please click here: Select the number of months from the list and then select the link please click here to remove logs older than that from the FortiGuard Analysis & Management server. For example, if you select 2 months, logs older than two months will be removed from the server. You can also use this option to remove logs that may appear on a current report. This appears only after logging is enabled and log messages are sent to the FortiGuard Analysis server.
you have not registered the FortiGate unit (go to Product Registration and follow the
instructions on the web site if you have not already registered your FortiGate unit)
there is a NAT device installed between the FortiGate unit and the FDN (see Enabling
push updates through a NAT device on page 309)
your FortiGate unit connects to the Internet using a proxy server (see To enable
scheduled updates through a proxy server on page 308).
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
5 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the
FortiGate event log.
If you cannot connect to the FDN, or if your organization provides antivirus and IPS
attack updates using its own FortiGuard server, you can use the following procedure to
add the IP address of an override FortiGuard server.
To add an override server
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available
options.
3 Select the Use override server address check box.
4 Type the fully qualified domain name or IP address of the FortiGuard server.
5 Select Apply.
The FortiGate unit tests the connection to the override server.
If the FortiGuard Distribution Network availability icon changes from gray to green, the
FortiGate unit has successfully connected to the override server.
If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit
cannot connect to the override server. Check the FortiGate configuration and network
configuration for settings that may prevent the FortiGate unit from connecting to the
override FortiGuard server.
To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the
config system autoupdate tunneling command syntax to allow the FortiGate unit
to connect (or tunnel) to the FDN using the proxy server. For more information, see the
FortiGate CLI Reference.
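The scheduled-update, override-server and proxy settings from the three procedures above, done from the CLI, as an added example that is not part of the guide. The override server 192.168.20.20, the proxy 192.168.20.5 on port 3128 and its credentials are placeholders. The config system autoupdate schedule, override and tunneling tables and the execute update-now / diagnose autoupdate versions commands are taken from the FortiOS 4.0 CLI; verify the attribute names against the CLI Reference for your build.

```fortios
# Added example (not from the guide). Placeholders: override server 192.168.20.20,
# proxy 192.168.20.5:3128 and its credentials. Table and attribute names are
# from the FortiOS 4.0 CLI Reference; verify them on your build.

# Scheduled updates: once a day during the 02:00 hour. A minute value of 60
# asks the unit to choose a random minute within that hour, which is what the
# web-based manager's Daily option does.
config system autoupdate schedule
    set status enable
    set frequency daily
    set time 02:60
end

# Override server: fetch AV/IPS updates from your own FortiGuard server
# (IP address or FQDN) instead of the public FDN.
config system autoupdate override
    set status enable
    set address 192.168.20.20
end

# Proxy: tunnel update requests through an HTTP proxy. Push updates are not
# supported when a proxy is in the path, so the schedule above is the only
# update path in this configuration. The proxy password is stored in the
# configuration and therefore ends up in every configuration backup.
config system autoupdate tunneling
    set status enable
    set address 192.168.20.5
    set port 3128
    set username fgt-updates
    set password ChangeMe-ProxySecret
end

# Verify: trigger an update now, then read back the installed definition
# versions and the last update time for each service.
execute update-now
diagnose autoupdate versions
```

If the FortiGuard Distribution Network availability icon stays gray after this, check the same things the web-based manager procedure lists: registration, the route to the override server or proxy, and any egress filtering of HTTPS on port 443.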
Fortinet does not recommend enabling push updates as the only method for obtaining updates. The FortiGate unit might not receive the push notification, and when it does receive one it makes only one attempt to connect to the FDN and download updates. Keep scheduled updates enabled as well.
The FortiGate unit sends a SETUP message to the FDN to register the IP address on which it expects push notifications. It sends the SETUP message again if you have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address. The FDN must be able to connect to this IP address so that your FortiGate unit can receive push update messages. If your FortiGate unit is behind a NAT device, see Enabling push updates through a NAT device on page 309.
If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to another Internet connection.
In transparent mode, if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change.
[Figure: push updates through a NAT device. Labels in the figure: FDN Server, Internet, NAT Device, Virtual IP, external interface 172.16.35.144, external interface 10.20.6.135.]
2 Configure the following FortiGuard options on the FortiGate unit on the internal
network.
Enable Allow push updates.
Enable Use override push IP and enter the IP address. Usually this is the IP
address of the external interface of the NAT device.
If required, change the override push update port.
3 Add a port forwarding virtual IP to the NAT device.
Set the external IP address of the virtual IP to match the override push update IP.
Usually this is the IP address of the external interface of the NAT device.
Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual
IP.
Note: Push updates are not supported if the FortiGate unit must use a proxy server to
connect to the FDN. See To enable scheduled updates through a proxy server on
page 308 for more information.
Name: Enter a name for the virtual IP.
External Interface: Select an external interface from the list. This is the interface that connects to the Internet.
External IP Address/Range: Enter the override push update IP address (usually the IP address of the external interface of the NAT device).
Mapped IP Address/Range: Enter the IP address of the FortiGate unit on the internal network.
Port Forwarding: Select to enable port forwarding.
Protocol: Select UDP.
External Service Port: Enter the external service port. The external service port is the port that the FDN connects to. The external service port for push updates is usually 9443. If you changed the push update port in the FortiGuard configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.
Map to Port: Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP. FortiGate units expect push update notifications on port 9443.
4 Select OK.
To add a firewall policy to the FortiGate NAT device
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the external to internal firewall policy.
Source Interface/Zone: Select the external interface of the NAT device (the interface the virtual IP is bound to).
Source Address: Select All.
Destination Interface/Zone: Select the name of the interface of the NAT device that connects to the internal network.
Destination Address: Select the port forwarding virtual IP.
Schedule: Select Always.
Service: Select ANY.
Action: Select Accept.
NAT: Select NAT.
4 Select OK.
Verify that push updates to the FortiGate unit on the internal network are working by going
to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering
and AntiSpam Options. The Push Update indicator should change to green.
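Both halves of the NAT-device procedure above from the CLI, as an added example that is not part of the guide. It assumes the NAT device's Internet-facing interface is wan1 with address 172.16.35.144 and its inside interface is internal, that the protected FortiGate unit is at 10.20.6.135, and that the VIP, service and policy names are placeholders. It departs from the web-based manager procedure in one place: instead of Service = ANY it creates a UDP/9443 service, so the policy matches only what the VIP is meant to forward. The custom-service protocol keyword (TCP/UDP here) has changed across FortiOS builds; check the CLI Reference.

```fortios
# Added example (not from the guide). Assumed: NAT device interfaces wan1
# (172.16.35.144, Internet side) and internal; protected FortiGate unit at
# 10.20.6.135. VIP, service and policy names are placeholders.

# --- On the FortiGate unit behind the NAT device ---
# Allow push updates and register the NAT device's external address with the
# FDN (this is the address the SETUP message announces).
config system autoupdate push-update
    set status enable
    set override enable
    set address 172.16.35.144
    set port 9443
end

# --- On the FortiGate unit acting as the NAT device ---
# Port-forwarding VIP: FDN traffic to 172.16.35.144 UDP/9443 is sent on to
# 10.20.6.135 UDP/9443. The external port must match the override push port
# configured above; the mapped port is always 9443.
config firewall vip
    edit "fdn-push-vip"
        set extintf "wan1"
        set extip 172.16.35.144
        set mappedip 10.20.6.135
        set portforward enable
        set protocol udp
        set extport 9443
        set mappedport 9443
    next
end

# The web-based manager procedure uses Service = ANY. A UDP/9443 service
# limits the policy to the one datagram type the VIP exists for, so a later
# edit to the VIP cannot silently widen what reaches 10.20.6.135.
config firewall service custom
    edit "FDN-PUSH"
        set protocol TCP/UDP
        set udp-portrange 9443
    next
end

# External-to-internal policy with the VIP as destination and NAT enabled,
# as in the procedure above.
config firewall policy
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "fdn-push-vip"
        set action accept
        set schedule "always"
        set service "FDN-PUSH"
        set nat enable
    next
end
```

Finish as the procedure says: on the protected unit, select Test Availability under Web Filtering and AntiSpam Options and confirm the Push Update indicator turns green. If it does not, check the VIP's external port against the override push port on the protected unit first; a mismatch there is the usual cause.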
Current License
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any
connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of
registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer
Administration Guide.
Router Static
This section explains some general routing concepts, and how to define static routes and
route policies.
A route provides the FortiGate unit with the information it needs to forward a packet to a
particular destination on the network. A static route causes packets to be forwarded to a
destination other than the factory configured default gateway.
The factory configured static default route provides you with a starting point to configure
the default gateway. You must either edit the factory configured static default route to
specify a different default gateway for the FortiGate unit, or delete the factory configured
route and specify your own static default route that points to the default gateway for the
FortiGate unit. For more information, see Default route and default gateway on
page 318.
You define static routes manually. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed.
As an option, you can define route policies. Route policies specify additional criteria for
examining the properties of incoming packets. Using route policies, you can configure the
FortiGate unit to route packets based on the IP source and destination addresses in
packet headers and other criteria such as on which interface the packet was received and
which protocol (service) and port are being used to transport the packet.
If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured
separately for each virtual domain. For more information, see Using virtual domains on
page 125.
This section describes:
  Routing concepts
  Static Route
  Policy Route
Routing concepts
The FortiGate unit functions as a security device on a network and packets must pass through it. You need to understand a number of basic routing concepts in order to configure the FortiGate unit appropriately. Whether you administer a small or large network, this section will help you understand how the FortiGate unit performs routing functions.
The following topics are covered in this section:
  Administrative Distance
  Route priority
  Blackhole Route
Administrative Distance
Administrative distance is based on the expected reliability of a given route. It is determined through a combination of the number of hops from the source and the routing protocol being used. More hops from the source means more possible points of failure. The administrative distance can be from 1 to 255, with lower numbers being preferred. A distance of 255 is seen as infinite and the route will not be installed in the routing table.
Here is an example to illustrate how administrative distance works: if there are two possible routes traffic can take between two destinations, with administrative distances of 5 (always up) and 31 (sometimes not available), the traffic will use the route with an administrative distance of 5 whenever possible. Different routing protocols have different default administrative distances. The default administrative distance for each of these routing protocols is configurable. For more information on changing the administrative distance associated with a routing protocol, see the config router commands in the FortiGate CLI Reference.
The default administrative distances are:
  Static: 10
  EBGP: 20
  OSPF: 110
  RIP: 120
  IBGP: 200
Another method to manually resolve multiple routes to the same destination is to manually
change the priority of both of the routes. If the next-hop administrative distances of two
routes on the FortiGate unit are equal, it may not be clear which route the packet will take.
Configuring the priority for each of those routes will make it clear which next-hop will be
used in the case of a tie. You can set the priority for a route only from the CLI. Lower
priorities are preferred. For more information, see the FortiGate CLI Reference.
All entries in the routing table are associated with an administrative distance. If the routing
table contains several entries that point to the same destination (the entries may have
different gateways or interface associations), the FortiGate unit compares the
administrative distances of those entries, selects the entries having the lowest distances,
and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate
forwarding table contains only those routes having the lowest distances to each
destination. For information about how to change the administrative distance associated
with a static route, see Adding a static route to the routing table on page 320.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. You configure the priority field through the CLI. The route with the lowest value in the priority field is considered the best route, and the primary route. The command to set the priority field is set priority <integer> under the config router static command. For more information, see the FortiGate CLI Reference.
In summary, because you can use the CLI to specify which priority field settings to use when defining static routes, you can prioritize routes to the same destination according to their priority field settings. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low priority for the route. If two routes have the same administrative distance and the same priority, then they are equal cost multipath (ECMP) routes. Since this means there is more than one route to the same destination, it can be unclear which route or routes will be installed and used. However, you can configure ECMP Route Failover and Load Balancing to control how sessions are load balanced among ECMP routes. See ECMP route failover and load balancing on page 322.
Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like the /dev/null device in Linux.
Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator will not discover any information from the target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in use, traffic to those addresses (traffic which may be valid or malicious) can be directed to a blackhole for added security and to reduce traffic on the subnet. A blackhole route for an unused subnet also prevents traffic for those addresses from following the default route out of the network.
The loopback interface, a virtual interface that does not forward traffic, enables easier configuration of blackhole routing. Compared with a normal interface, a loopback interface has fewer parameters to configure, and all traffic sent to it stops there. Since it cannot have hardware connection or link status problems, it is always available, making it useful for other dynamic routing roles. Once configured, you can use a loopback interface in firewall policies, routing, and other places that refer to interfaces. Loopback interfaces can be configured from both the web-based manager and the CLI. For more information, see Adding loopback interfaces on page 158 or the system chapter of the FortiGate CLI Reference.
Static Route
You configure static routes by defining the destination IP address and netmask of packets
that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address
for those packets. The gateway address specifies the next-hop router to which traffic will
be routed.
To view the static route list, go to Router > Static > Static Route.
Figure 167 shows the static route list belonging to a FortiGate unit that has interfaces
named port1 and port2. The names of the interfaces on your FortiGate unit may be
different.
Figure 167: Static Route list when IPv6 is enabled in the GUI
Create New: Add a static route to the Static Route list. For more information, see Adding a static route to the routing table on page 320. Select the down arrow for the option to create an IPv6 static route.
ECMP Route Failover & Load Balance Method: Select the load balancing and failover method for ECMP routes. See ECMP route failover and load balancing on page 322.
  Source based: The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. This is the default load balancing method. No configuration changes are required to support source IP load balancing.
  Weighted: The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. After selecting weight-based you must add weights to static routes. For more information, see Configuring weighted static route load balancing on page 326.
  Spill-over: The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces associated with the routes are. After selecting spill-over you add route Spillover Thresholds to interfaces added to ECMP routes. For more information, see Configuring interface status detection for gateway load balancing on page 165. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. For more information, including the order in which interfaces are selected, see Configuring spill-over or usage-based ECMP on page 323.
Apply: Select to save the ECMP Route Failover and load balance method.
Route: Select the Expand Arrow to display or hide the IPv4 static routes. By default these routes are displayed. This is displayed only when IPv6 is enabled in the web-based manager.
IPv6 Route: Select the Expand Arrow to display or hide the IPv6 static routes. By default these routes are hidden. This is displayed only when IPv6 is enabled in the web-based manager.
IP/Mask: The destination IP address and network mask of the route.
Gateway: The IP address of the next-hop router.
Device: The names of the FortiGate interfaces through which intercepted packets are received and sent.
Distance: The administrative distance of the route.
Weight: If ECMP Route Failover & Load Balance Method is set to weighted, add weights for each route. Add higher weights to routes that you want to assign more sessions to when load balancing. For more information, see Configuring weighted static route load balancing on page 326.
Delete icon: Delete the route.
Edit icon: Edit the route.
For example, Figure 168 shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the factory default configuration and make the router the default gateway for the FortiGate unit.
Figure 168: Making a router the default gateway
[Figure: the Internet connects to a gateway router at 192.168.10.1, which connects to the external interface of FortiGate_1; the internal interface of FortiGate_1 connects to the internal network 192.168.20.0/24.]
To route outbound packets from the internal network to destinations that are not on
network 192.168.20.0/24, you would edit the default route and include the following
settings:
Gateway: 192.168.10.1
Device: Name of the interface connected to network 192.168.10.0/24 (in this example
external).
Distance: 10
The Gateway setting specifies the IP address of the next-hop router interface to the
FortiGate external interface. The interface connected to the router (192.168.10.1) is the
default gateway for FortiGate_1.
In some cases, there may be routers behind the FortiGate unit. If the destination IP
address of a packet is not on the local network but is on a network behind one of those
routers, the FortiGate routing table must include a static route to that network. For
example, in Figure 169, the FortiGate unit must be configured with static routes to
interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and
Network_2 respectively. Also firewall policies must be configured to allow traffic to pass
through the FortiGate unit along these routes. For details, see Configuring firewall policies on
page 367.
Figure 169: Destinations on networks behind internal routers
[Figure: FortiGate_1 connects to the Internet. Its internal interface connects to gateway Router_1 at 192.168.10.1, behind which is Network_1 (192.168.20.0/24). Its dmz interface connects to gateway Router_2 at 192.168.11.1, behind which is Network_2 (192.168.30.0/24).]
To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
  Destination IP/mask: 192.168.30.0/24
  Gateway: 192.168.11.1
  Device: dmz
  Distance: 10
To route packets from Network_2 to Network_1, Router_2 must be configured to use the FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
  Destination IP/mask: 192.168.20.0/24
  Gateway: 192.168.10.1
  Device: internal
  Distance: 10
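The static routes for FortiGate_1 in Figure 169, together with a second default route and a blackhole route that exercise the administrative distance, priority and blackhole concepts from Routing concepts, as an added example that is not part of the guide. Figure 169 does not show the Internet gateway, so a gateway of 192.168.12.1 on an interface named external and a backup gateway of 192.168.13.1 on an interface named wan2 are assumed, and 10.0.0.0/8 is assumed to be unused inside this network. The config router static attributes (dst, gateway, device, distance, priority, blackhole) and the get router info routing-table commands are the FortiOS 4.0 CLI.

```fortios
# Added example (not from the guide). Assumed: Internet gateway 192.168.12.1 on
# interface external, backup gateway 192.168.13.1 on interface wan2, and
# 10.0.0.0/8 unused inside the network. Everything else comes from Figure 169.
config router static
    # Default route via the primary Internet gateway. Distance 10 is the default
    # for static routes; priority 0 makes it the preferred route among routes
    # of equal distance.
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.12.1
        set device external
        set distance 10
        set priority 0
    next
    # Backup default route. Same distance, so both routes are installed; the
    # higher priority value makes this one lose the tie, and it carries traffic
    # only while route 1 is withdrawn (external loses link, or interface status
    # detection marks it down). Setting distance 20 instead would keep it out
    # of the forwarding table entirely until route 1 disappears.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.13.1
        set device wan2
        set distance 10
        set priority 10
    next
    # Network_1 behind Router_1 (Figure 169).
    edit 3
        set dst 192.168.20.0 255.255.255.0
        set gateway 192.168.10.1
        set device internal
        set distance 10
    next
    # Network_2 behind Router_2 (Figure 169).
    edit 4
        set dst 192.168.30.0 255.255.255.0
        set gateway 192.168.11.1
        set device dmz
        set distance 10
    next
    # Blackhole: packets for the unused 10.0.0.0/8 are dropped here instead of
    # following the default route out to the Internet, and the sender gets no
    # reply it could learn from. No gateway or device is needed.
    edit 5
        set dst 10.0.0.0 255.0.0.0
        set blackhole enable
    next
end

# Check what was installed: only routes with the lowest distance to each
# destination appear, and "details" shows the route a given address would take.
get router info routing-table all
get router info routing-table details 192.168.30.7
```

Routes 3 and 4 only move packets; the firewall policies between internal and dmz described under Configuring firewall policies are still required before Network_1 and Network_2 can reach each other.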
5 Enter the gateway IP address. Continuing with the example, 172.1.2.11 would be a valid address.
6 Enter the administrative distance of this route.
The administrative distance allows you to weight one route to be preferred over another. This is useful when one route is unreliable. For example, if route A has an administrative distance of 30 and route B has an administrative distance of 10, the preferred route is route B, because it has the smaller administrative distance. If you discover that route B is unreliable, you can change the administrative distance for route B from 10 to 40, which will make route A the preferred route.
7 Select OK to confirm and save your new static route.
When you add a static route through the web-based manager, the FortiGate unit adds the
entry to the Static Route list.
Figure 170 shows the Edit Static Route dialog box belonging to a FortiGate unit that has
an interface named internal. The names of the interfaces on your FortiGate unit may be
different.
Figure 170: Edit Static Route
Destination IP/Mask: Type the destination IP address and network mask of packets that the FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Gateway: Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.
Device: Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.
Distance: Type an administrative distance from 1 to 255 for the route. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route.
Weight: Add weights for each route. Add higher weights to routes that you want to load balance more sessions to. See Configuring weighted static route load balancing on page 326. Available if ECMP Route Failover & Load Balance Method is set to weighted.
Using ECMP, if more than one ECMP route is available you can configure how the
FortiGate unit selects the route to be used for a communication session. If only one ECMP
route is available (for example, because an interface cannot process traffic because
interface status detection does not receive a reply from the configured server) then all
traffic uses this route.
Previous versions of FortiOS provided source IP-based load balancing for ECMP routes.
FortiOS 4.0 MR1 includes three configuration options for ECMP route failover and load
balancing:
Source based (also called source IP based)
The FortiGate unit load balances sessions among ECMP routes based on the source IP
address of the sessions to be load balanced. This is the default load balancing method.
No configuration changes are required to support source IP load balancing.
Weighted (also called weight-based)
The FortiGate unit load balances sessions among ECMP routes based on weights added
to ECMP routes. More traffic is directed to routes with higher weights.
After selecting weight-based you must add weights to static routes. See Configuring
weighted static route load balancing on page 326.
Spill-over (also called usage-based)
The FortiGate unit distributes sessions among ECMP routes based on how busy the
FortiGate interfaces added to the routes are.
After selecting spill-over you add route Spillover Thresholds to interfaces added to ECMP
routes. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered
interface until the bandwidth being processed by this interface reaches its spillover
threshold. The FortiGate unit then spills additional sessions over to the next lowest
numbered interface.
The Spillover Thresholds range is 0-2097000 KBps.
For more information, including the order in which interfaces are selected, see
Configuring spill-over or usage-based ECMP on page 323.
You can configure only one of these ECMP route failover and load balancing methods in a
single VDOM. If your FortiGate unit is configured for multiple VDOM operation, each
VDOM can have its own ECMP route failover and load balancing configuration.
To configure the ECMP route failover and load balancing method from the
web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to source based, weighted, or
spill-over.
3 Select Apply.
Figure 171: Configuring ECMP route failover and load balancing method
To configure the ECMP route failover and load balancing method from the CLI
1 Enter the following command:
config system settings
set v4-ecmp-mode {source-ip-based | usage-based | weight-based}
end
The following example shows two ECMP routes to the same destination, with spillover
thresholds added to their interfaces:
Route 1: Destination IP/Mask 192.168.20.0/24, Device port3, Gateway 172.20.130.3
Route 2: Destination IP/Mask 192.168.20.0/24, Device port4, Gateway 172.20.140.4
Spillover thresholds: port3 100, port4 200
Routing table: two static routes to 192.168.20.0/24, one via gateway 172.20.130.3 on
port3 and one via gateway 172.20.140.4 on port4
In this example, the FortiGate unit sends all sessions to the 192.168.20.0 network through
port3. When port3 exceeds its spillover threshold of 100 Kbps the FortiGate unit sends all
new sessions to the 192.168.20.0 network through port4.
To add route-spillover thresholds to interfaces from the CLI
1 Enter the following command to set the ECMP route failover and load balance method
to usage-based.
config system settings
set v4-ecmp-mode usage-based
end
2 Enter the following commands to add three route-spillover thresholds to three
interfaces.
config system interface
edit port1
set spillover-threshold 400
next
edit port2
set spillover-threshold 200
next
edit port3
set spillover-threshold 100
end
3 Enter the following commands to add three ECMP default routes, one for each
interface.
config router static
edit 1
set dst 0.0.0.0/0.0.0.0
set gwy 172.20.110.1
set dev port1
next
edit 2
set dst 0.0.0.0/0.0.0.0
set gwy 172.20.120.2
set dev port2
next
edit 3
set dst 0.0.0.0/0.0.0.0
set gwy 172.20.130.3
set dev port3
end
4 Enter the following command to display static routes in the routing table:
get router info routing-table static
S
0.0.0.0/0 [10/0] via 172.20.110.1, port1
[10/0] via 172.20.120.2, port2
[10/0] via 172.20.130.3, port3
In this example, the FortiGate unit sends all sessions to the Internet through port1. When
port1 exceeds its spillover threshold of 400 KBps the FortiGate unit sends all new
sessions to the Internet through port2. If both port1 and port2 exceed their spillover
thresholds the FortiGate unit would send all new sessions to the Internet through port3.
For example, consider a FortiGate unit with interfaces port3 and port4 both connected to
the Internet through different ISPs. ECMP routing is set to usage-based, and route
spillover thresholds are set to 100 KBps for port3 and 200 KBps for port4. Two ECMP
default routes are added, one for port3 and one for port4.
If the route to port3 is higher in the routing table than the route to port4, the FortiGate unit
sends all default route sessions out port3 until port3 is processing 100 KBps of data.
When port3 reaches its configured bandwidth limit, the FortiGate unit sends all default
route sessions out port4. When the bandwidth usage of port3 falls below 100 KBps, the
FortiGate again sends all default route sessions out port3.
However, new sessions to destination IP addresses that are already in the routing cache
use the cached routes. This means that even if port3 is exceeding its bandwidth limit, new
sessions can continue to be sent out port3 if their destination addresses are already in the
routing cache. As a result, new sessions are sent out port4 only if port3 exceeds its
bandwidth limit and the routing cache does not contain a route for the destination IP
address of the new session. The limit on port4 is important only if there are additional
interfaces for spillover.
Also, the switchover to port4 does not occur as soon as port3 exceeds its bandwidth limit.
Bandwidth usage has to exceed the limit for a period of time before the switchover takes
place. If port3 bandwidth usage drops below the bandwidth limit during this time period,
sessions are not switched over to port4. This delay reduces route flapping. Route flapping
occurs when routes change their status frequently, forcing routers to continually change
their routing tables and broadcast the new information.
FortiGate usage-based ECMP routing is not actually load balancing, since routes are not
distributed evenly among FortiGate interfaces. Depending on traffic volumes, most traffic
would usually be processed by the first interface with only spillover traffic being processed
by other interfaces.
If you are configuring usage-based ECMP in most cases you should add spillover
thresholds to all of the interfaces with ECMP routes. The default spillover threshold is 0
which means no bandwidth limiting. If any interface has a spillover threshold of 0, no
sessions will be routed to interfaces lower in the list unless the interface goes down or is
disconnected. An interface can go down if Detect interface status for Gateway Load
Balancing does not receive a response from the configured server.
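A small model of the spill-over selection described above, as an added example that is not from the FortiGate guide: interfaces are tried in routing-table order, a cached destination keeps its route, a threshold of 0 never spills over, and the switchover only happens once the overload has persisted. The class names, the hold period and the sample sessions are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class EcmpInterface:
    name: str
    threshold_kbps: int          # spillover-threshold; 0 means no bandwidth limiting
    usage_kbps: int = 0          # bandwidth currently being processed on the interface
    up: bool = True              # False when interface status detection gets no reply
    over_seconds: float = 0.0    # how long usage has stayed above the threshold

    def spilled_over(self, hold_seconds: float) -> bool:
        """True only when usage has exceeded the threshold for the hold period.

        A threshold of 0 never spills over, and a short spike does not count:
        that delay is the anti-flapping behaviour the guide describes.
        """
        if self.threshold_kbps == 0:
            return False
        return self.usage_kbps > self.threshold_kbps and self.over_seconds >= hold_seconds


@dataclass
class SpilloverRouter:
    interfaces: List[EcmpInterface]   # ECMP routes in routing-table order, lowest numbered first
    hold_seconds: float = 5.0         # constructed value; the guide does not state the delay
    route_cache: Dict[str, str] = field(default_factory=dict)  # destination IP -> interface

    def select_interface(self, dst_ip: str) -> Optional[str]:
        # A destination already in the routing cache keeps its cached interface,
        # even if that interface is now over its threshold.
        cached = self.route_cache.get(dst_ip)
        if cached is not None:
            return cached
        # Otherwise walk the routes in order and take the first interface that is
        # up and has not spilled over. An interface with threshold 0 absorbs everything.
        for intf in self.interfaces:
            if intf.up and not intf.spilled_over(self.hold_seconds):
                self.route_cache[dst_ip] = intf.name
                return intf.name
        return None   # every ECMP interface is down or over its threshold


def demo() -> Dict[str, Optional[str]]:
    """Replays the port3/port4 example: 100 KBps on port3, 200 KBps on port4."""
    port3 = EcmpInterface("port3", threshold_kbps=100)
    port4 = EcmpInterface("port4", threshold_kbps=200)
    rtr = SpilloverRouter([port3, port4])
    result: Dict[str, Optional[str]] = {}
    result["idle"] = rtr.select_interface("192.168.20.10")        # port3, nothing is busy
    port3.usage_kbps, port3.over_seconds = 150, 1.0                # brief spike on port3
    result["spike"] = rtr.select_interface("192.168.20.11")       # still port3
    port3.over_seconds = 10.0                                      # overload has persisted
    result["sustained"] = rtr.select_interface("192.168.20.12")   # spills to port4
    result["cached"] = rtr.select_interface("192.168.20.10")      # cache still says port3
    port3.up = False                                               # detection fails on port3
    result["port3_down"] = rtr.select_interface("192.168.20.13")  # port4
    return result
```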
Weights only affect how routes are selected for sessions to new destination IP addresses.
New sessions to IP addresses already in the routing cache are routed using the route for
the session already in the cache. So in practice sessions will not always be distributed
according to the routing weight distribution.
To add weights to static routes from the web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to weighted.
3 Go to Router > Static > Static Route.
4 Add new or edit static routes and add weights to them.
The following example shows two ECMP routes with weights added.
Route 1: Destination IP/Mask 192.168.20.0/24, Device port1, Gateway 172.20.110.1,
Distance 10, Weight 100
Route 2: Destination IP/Mask 192.168.20.0/24, Device port2, Gateway 172.20.120.2,
Distance 10, Weight 200
In this example:
one third of the sessions to the 192.168.20.0 network will use the first route and be
sent out port1 to the gateway with IP address 172.20.110.1.
the other two thirds of the sessions to the 192.168.20.0 network will use the second
route and be sent out port2 to the gateway with IP address 172.20.120.2.
config router static
edit 1
set dst 192.168.20.0/24
set gwy 172.20.110.1
set dev port1
set weight 100
next
edit 2
set dst 192.168.20.0/24
set gwy 172.20.120.2
set dev port2
set weight 200
next
edit 3
set dst 192.168.20.0/24
set gwy 172.20.130.3
set dev port3
set weight 300
end
Note: In this example the priority remains set to 0 and the distance remains set to 10
for all three routes. Any other routes with a distance set to 10 will not have their weight
set, so will have a weight of 0 and will not be part of the load balancing.
In this example:
one sixth of the sessions to the 192.168.20.0 network will use the first route and be
sent out port1 to the gateway with IP address 172.20.110.1.
one third of the sessions to the 192.168.20.0 network will use the second route and be
sent out port2 to the gateway with IP address 172.20.120.2.
one half of the sessions to the 192.168.20.0 network will use the third route and be
sent out port3 to the gateway with IP address 172.20.130.3.
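A model of weight-based selection for the three-route example above (weights 100, 200 and 300 giving shares of 1/6, 1/3 and 1/2), including the exclusion of weight-0 routes and the routing-cache caveat, as an added example that is not from the FortiGate guide. The StaticRoute class, the hash-based selection rule and the session destinations are constructed for this example; FortiOS's real hashing is not described on this page.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    dst: str            # destination prefix, e.g. "192.168.20.0/24"
    gwy: str
    dev: str
    distance: int = 10
    weight: int = 0     # 0 = route is not part of weight-based load balancing


def ecmp_candidates(routes: List[StaticRoute], prefix: str) -> List[StaticRoute]:
    """The ECMP set for a prefix: routes to that prefix sharing the lowest distance
    and carrying a non-zero weight (the note above excludes weight-0 routes)."""
    same_dst = [r for r in routes if r.dst == prefix]
    if not same_dst:
        return []
    best = min(r.distance for r in same_dst)
    return [r for r in same_dst if r.distance == best and r.weight > 0]


def weight_shares(candidates: List[StaticRoute]) -> Dict[str, float]:
    """Fraction of new destinations each route should get (100:200:300 -> 1/6, 1/3, 1/2)."""
    total = sum(r.weight for r in candidates)
    return {r.dev: r.weight / total for r in candidates}


class WeightedSelector:
    """Chooses a route for a session to a new destination IP. Destinations already in
    the routing cache keep their cached route, which is why live traffic does not
    split exactly by weight."""

    def __init__(self, routes: List[StaticRoute]) -> None:
        self.routes = routes
        self.route_cache: Dict[str, StaticRoute] = {}

    def select(self, dst_ip: str, prefix: str) -> Optional[StaticRoute]:
        cached = self.route_cache.get(dst_ip)
        if cached is not None:
            return cached
        cands = ecmp_candidates(self.routes, prefix)
        if not cands:
            return None
        total = sum(r.weight for r in cands)
        # Constructed selection rule: hash the destination IP onto [0, total) and walk
        # the weight intervals, so a route with weight w gets w/total of new destinations.
        point = int.from_bytes(hashlib.md5(dst_ip.encode()).digest()[:4], "big") % total
        for r in cands:
            if point < r.weight:
                self.route_cache[dst_ip] = r
                return r
            point -= r.weight
        return None   # not reachable: point is always below total


def demo_counts() -> Dict[str, int]:
    """Sessions to every host in 192.168.20.0/24, counted per outgoing interface."""
    routes = [
        StaticRoute("192.168.20.0/24", "172.20.110.1", "port1", weight=100),
        StaticRoute("192.168.20.0/24", "172.20.120.2", "port2", weight=200),
        StaticRoute("192.168.20.0/24", "172.20.130.3", "port3", weight=300),
        StaticRoute("192.168.20.0/24", "172.20.140.4", "port4"),   # weight 0: excluded
    ]
    sel = WeightedSelector(routes)
    counts = {"port1": 0, "port2": 0, "port3": 0, "port4": 0}
    for host in range(1, 255):
        route = sel.select(f"192.168.20.{host}", "192.168.20.0/24")
        counts[route.dev] += 1
    return counts
```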
Policy Route
A routing policy allows you to redirect traffic away from a static route. This can be useful if
you want to route certain types of network traffic differently. You can use the incoming
traffic's protocol, source address or interface, destination address, or port number to determine
where to send the traffic. For example, generally network traffic would go to the router of a
subnet, but you might want to direct SMTP or POP3 traffic addressed to that subnet
directly to the mail server.
If you have configured the FortiGate unit with routing policies and a packet arrives at the
FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to
match the packet with a policy. If a match is found and the policy contains enough
information to route the packet (a minimum of the IP address of the next-hop router and
the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet
using the information in the policy. If no policy route matches the packet, the FortiGate unit
routes the packet using the routing table.
Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.
Policy route options define which attributes of an incoming packet cause policy routing to
occur. If the attributes of a packet match all the specified conditions, the FortiGate unit
routes the packet through the specified interface to the specified gateway.
Figure 173 shows the policy route list belonging to a FortiGate unit that has interfaces
named external and internal. The names of the interfaces on your FortiGate unit may
be different.
To edit an existing policy route, see Adding a policy route on page 329.
Figure 173: Policy Route list
List columns: Incoming, Outgoing, Source, Destination; icons: Create New, Delete, Edit,
Move To.
Source: The IP source addresses and network masks that cause policy routing to occur.
Destination: The IP destination addresses and network masks that cause policy routing to
occur.
Move To icon: After selecting this icon, enter the destination position in the window that
appears, and select OK. For more information, see Moving a policy route on page 332.
Figure 174: Example policy route to route all HTTP traffic received at port5 to port4
Protocol: To perform policy routing based on the value in the protocol field of the packet,
enter the protocol number to match. The Internet Protocol Number is found in the IP packet
header. RFC 5237 describes protocol numbers and you can find a list of the assigned
protocol numbers here. The range is from 0 to 255. A value of 0 disables the feature.
Tip: Commonly used Protocol settings include 6 to route TCP sessions, 17 for UDP
sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions.
For protocols other than 6 and 17, the port number is ignored.
Incoming Interface: Select the name of the interface through which incoming packets
subjected to the policy are received.
Source Address / Mask: To perform policy routing based on the IP source address of the
packet, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0
disables the feature.
Destination Address / Mask
Destination Ports: To perform policy routing based on the port on which the packet is
received, type the same port number in the From and To fields. To apply policy routing to a
range of ports, type the starting port number in the From field and the ending port number
in the To field. A value of 0 disables this feature.
The Destination Ports fields are only used for TCP and UDP protocols. The ports are
skipped over for all other protocols.
Type of Service: Use a two digit hexadecimal bit pattern to match the service, or use a two
digit hexadecimal bit mask to mask out. For more information, see Type of Service on
page 331.
Outgoing Interface: Select the name of the interface through which packets affected by the
policy will be routed.
Gateway Address: Type the IP address of the next-hop router that the FortiGate unit can
access through the specified interface. A value of 0.0.0.0 is not valid.
Figure 175: Example policy route to route all FTP traffic received at port1 to port10
(Incoming interface port1, address/mask 0.0.0.0/0.0.0.0, Destination Ports from 21 to 21,
Outgoing interface port10, Gateway Address 172.20.120.23)
Type of Service
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how
the IP datagram should be delivered, with such qualities as delay, priority, reliability, and
minimum cost.
Each quality helps gateways determine the best way to route datagrams. A router
maintains a TOS value for each route in its routing table. The lowest priority TOS is 0, the
highest is 7, when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the
datagram to the TOS on one of the possible routes to the destination. If there is no match,
the datagram is sent over a zero TOS route.
Using increased quality may increase the cost of delivery because better performance
may consume limited network resources. For more information, see RFC 791 and RFC
1349.
Table 49: The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2: Precedence
bit 3: Delay
bit 4: Throughput
bit 5: Reliability
bit 6: Cost
bit 7: Reserved for future use
For example, if you want to assign low delay, and high reliability, say for a VoIP application
where delays are unacceptable, you would use a bit pattern of xxx1x1xx where an x
indicates that bit can be any value. Since all bits are not set, this is a good use for the bit
mask; if the mask is set to 0x14, it will match any TOS packets that are set to low delay
and high reliability.
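A first-match policy route lookup built from the options described above (protocol, incoming interface, source and destination, destination ports only for TCP and UDP, TOS pattern and mask, fall-back to the routing table), replayed on the FTP example from Figure 175 and on the xxx1x1xx / 0x14 TOS mask, as an added example that is not from the FortiGate guide. The class names, the second policy's gateway, the routing table and the sample packets are constructed; how FortiOS combines a gateway-less policy with the routing table is an assumption noted in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP = 6, 17


@dataclass
class Packet:
    protocol: int
    in_intf: str
    src: str
    dst: str
    dst_port: int = 0
    tos: int = 0


@dataclass
class PolicyRoute:
    id: int
    protocol: int = 0              # 0 = any protocol
    in_intf: str = ""              # "" = any incoming interface
    src: str = "0.0.0.0/0"         # 0.0.0.0/0.0.0.0 disables the source check
    dst: str = "0.0.0.0/0"
    port_from: int = 0             # 0 = any port; only consulted for TCP and UDP
    port_to: int = 0
    tos: int = 0                   # bit pattern to match
    tos_mask: int = 0              # 0 = TOS not checked
    out_intf: str = ""
    gateway: str = ""              # "" = next hop must come from the routing table

    def matches(self, p: Packet) -> bool:
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.in_intf and p.in_intf != self.in_intf:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        # Destination ports are skipped over for every protocol except TCP and UDP.
        if self.port_from and p.protocol in (TCP, UDP):
            if not self.port_from <= p.dst_port <= self.port_to:
                return False
        # TOS: only the bits selected by the mask are compared (xxx1x1xx -> mask 0x14).
        if self.tos_mask and (p.tos & self.tos_mask) != (self.tos & self.tos_mask):
            return False
        return True


# (prefix, device, gateway); longest prefix wins, standing in for the routing table
RoutingTable = List[Tuple[str, str, str]]


def table_lookup(table: RoutingTable, dst_ip: str) -> Optional[Tuple[str, str]]:
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, dev, gwy in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gwy)
    return (best[1], best[2]) if best else None


def route_packet(policies: List[PolicyRoute], table: RoutingTable,
                 p: Packet) -> Optional[Tuple[str, str]]:
    """First matching policy from the top of the list decides; otherwise the routing table."""
    for pol in policies:
        if not pol.matches(p):
            continue
        if pol.out_intf and pol.gateway:
            return pol.out_intf, pol.gateway
        # Policy with no gateway (the DHCP/PPPoE case in the note above): take the next
        # hop from the routing table. Assumption: the policy's interface, if set, is kept.
        hop = table_lookup(table, p.dst)
        if hop is None:
            return None
        return (pol.out_intf or hop[0], hop[1])
    return table_lookup(table, p.dst)


# Constructed policy list: the FTP example from Figure 175, then a low-delay/high-reliability
# policy (TOS pattern xxx1x1xx, mask 0x14) with a placeholder gateway.
POLICIES = [
    PolicyRoute(1, protocol=TCP, in_intf="port1", port_from=21, port_to=21,
                out_intf="port10", gateway="172.20.120.23"),
    PolicyRoute(2, tos=0x14, tos_mask=0x14, out_intf="port5", gateway="10.99.0.1"),
]
# Constructed routing table: a single default route.
TABLE: RoutingTable = [("0.0.0.0/0", "port2", "172.20.120.1")]
```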
Before/After: Select Before to place the selected Policy Route before the indicated route.
Select After to place it following the indicated route.
Policy route ID: Enter the Policy route ID of the route in the Policy route table to move the
selected route before or after.
Router Dynamic
This section explains how to configure dynamic protocols to route traffic through large or
complex networks. Dynamic routing protocols enable the FortiGate unit to automatically
share information about routes with neighboring routers and learn about routes and
networks advertised by them. The FortiGate unit supports these dynamic routing
protocols:
The FortiGate unit selects routes and updates its routing table dynamically based on the
rules you specify. Given a set of rules, the unit can determine the best route or path for
sending packets to a destination. You can also define rules to suppress the advertising of
routes to neighboring routers and change FortiGate routing information before it is
advertised.
If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2
router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode
and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations.
Bidirectional Forwarding Detection (BFD) is a protocol that works with BGP and OSPF to
quickly discover routers on the network that cannot be contacted, and to re-route traffic
accordingly until those routers can be contacted.
A useful part of the FortiOS web-based management interface is the customizable menus
and widgets. These widgets include the following routing widgets: access list, distribute
list, key chain, offset list, prefix list, and route map. For more information on these routing
widgets, see Customizable routing widgets on page 353.
This section describes:
RIP
OSPF
BGP
Multicast
RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small,
relatively homogeneous networks. The FortiGate implementation of RIP supports RIP
version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
RIP Version: Select the level of RIP compatibility needed at the FortiGate unit. You can
enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks:
1: send and receive RIP version 1 packets.
2: send and receive RIP version 2 packets.
You can override the global settings for a specific FortiGate interface if required. For more
information, see Configuring a RIP-enabled interface on page 337.
Advanced Options: Select the Expand Arrow to view or hide advanced RIP options. For
more information, see Selecting advanced RIP options on page 336.
Networks: IP/Netmask
Interfaces: Interface, Send Version, Receive Version, Authentication, Passive
Advanced Options
Default Metric: Enter the default hop count that the FortiGate unit should assign to routes
that are added to the FortiGate routing table. The range is from 1 to 16. This metric is the
hop count, with 1 being best or shortest.
This value also applies to Redistribute unless otherwise specified.
Default-information-originate: Select to generate and advertise a default route into the
FortiGate unit's RIP-enabled networks. The generated route may be based on routes
learned through a dynamic routing protocol, routes in the routing table, or both.
RIP Timers: Enter new values to override the default RIP timer settings. The default
settings are effective in most configurations; if you change these settings, ensure that the
new settings are compatible with local routers and access servers.
If the Update timer is smaller than the Timeout or Garbage timers, you will get an error.
Update
Enter the amount of time (in seconds) that the FortiGate unit will wait
between sending RIP updates.
Timeout
Enter the maximum amount of time (in seconds) that a route is considered
reachable while no updates are received for the route. This is the maximum
time the FortiGate unit will keep a reachable route in the routing table while
no updates for that route are received. If the FortiGate unit receives an
update for the route before the timeout period expires, the timer is restarted.
The Timeout period should be at least three times longer than the Update
period.
Garbage
Enter the amount of time (in seconds) that the FortiGate unit will advertise a
route as being unreachable before deleting the route from the routing table.
The value determines how long an unreachable route is kept in the routing
table.
Redistribute: Select one or more of the options to redistribute RIP updates about routes
that were not learned through RIP. The FortiGate unit can use RIP to redistribute routes
learned from directly connected networks, static routes, OSPF, and BGP.
Connected, Static, OSPF
BGP: Select to redistribute routes learned through BGP. To specify a hop count for those
routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.
Figure 179 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that
has an interface named internal. The names of the interfaces on your FortiGate unit may
be different.
Figure 179: New/Edit RIP Interface
Interface: Select the name of the FortiGate interface to which these settings apply. The
interface must be connected to a RIP-enabled network. The interface can be a virtual IPSec
or GRE interface.
Send Version, Receive Version, Authentication, Passive Interface
OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in
large heterogeneous networks to share routing information among routers in the same
Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328).
The main benefit of OSPF is that it advertises routes only when neighbors change state
instead of at timed intervals, so routing overhead is reduced.
OSPF-enabled routers generate Link-State Advertisements (LSA) and send them to their
neighbors whenever the status of a neighbor changes or a new neighbor comes online. As
long as the OSPF network is stable, LSAs between OSPF neighbors do not occur. An LSA
identifies the interfaces of all OSPF-enabled routers in an area, and provides information
that enables OSPF-enabled routers to select the shortest path to a destination. All LSA
exchanges between OSPF-enabled routers are authenticated.
The FortiGate unit maintains a database of link-state information based on the
advertisements that it receives from OSPF-enabled routers. To calculate the best route
(shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF)
algorithm to the accumulated link-state information. OSPF uses a relative path cost metric
for choosing the best route. The path cost can be any metric, but is typically the speed of
the path: how fast traffic will get from one point to another. The path cost, similar to
distance for RIP, imposes a penalty on the outgoing direction of a FortiGate interface.
The path cost of a route is calculated by adding together all of the costs associated with
the outgoing interfaces along the path to a destination. The lowest overall path cost
indicates the best route, and generally the fastest route.
Note: The inter-area routes may not be calculated when a Cisco type ABR has no fully
adjacent neighbor in the backbone area. In this situation, the router considers
summary-LSAs from all actively attached areas (RFC 3509).
The FortiGate unit dynamically updates its routing table based on the results of the SPF
calculation to ensure that an OSPF packet will be routed using the shortest path to its
destination. Depending on the network topology, the entries in the FortiGate routing table
may include:
the addresses of networks in the local OSPF area (to which packets are sent directly)
routes to OSPF area border routers (to which packets destined for another area are
sent)
if the network contains OSPF areas and non-OSPF domains, routes to AS boundary
routers, which reside on the OSPF network backbone and are configured to forward
packets to destinations outside the OSPF AS.
The number of routes that a FortiGate unit can learn through OSPF depends on the
network topology. A single unit can support tens of thousands of routes if the OSPF
network is configured properly.
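The shortest path first calculation described above, run over a constructed link-state database, as an added example that is not from the FortiGate guide. It applies the rule that a path's cost is the sum of the outgoing-interface costs along it, so the cost from FortiGate to R2 differs from the cost from R2 to FortiGate; the router names, link costs and prefix are constructed.

```python
import heapq
from typing import Dict, List, Tuple

# Constructed link-state database: router -> [(neighbour, cost of the outgoing interface)].
# Costs are directional: FortiGate -> R2 costs 100, but R2 -> FortiGate costs 1.
LSDB: Dict[str, List[Tuple[str, int]]] = {
    "FortiGate": [("R1", 10), ("R2", 100)],
    "R1": [("FortiGate", 10), ("R3", 10)],
    "R2": [("FortiGate", 1), ("R3", 1)],
    "R3": [("R1", 10), ("R2", 1), ("10.1.1.0/24", 1)],
}


def spf(lsdb: Dict[str, List[Tuple[str, int]]],
        root: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Dijkstra's shortest path first from root. Returns the total path cost and the
    first-hop neighbour for every reachable node; a path's cost is the sum of the
    outgoing-interface costs along it."""
    cost: Dict[str, int] = {root: 0}
    next_hop: Dict[str, str] = {root: root}
    heap: List[Tuple[int, str, str]] = [(0, root, root)]
    while heap:
        c, node, hop = heapq.heappop(heap)
        if c > cost[node]:             # stale entry superseded by a cheaper path
            continue
        for nbr, link in lsdb.get(node, []):
            new_cost = c + link
            if new_cost < cost.get(nbr, float("inf")):
                cost[nbr] = new_cost
                # first hop is the neighbour itself when leaving the root, else inherited
                next_hop[nbr] = nbr if node == root else hop
                heapq.heappush(heap, (new_cost, nbr, next_hop[nbr]))
    return cost, next_hop


def routing_table(lsdb: Dict[str, List[Tuple[str, int]]],
                  root: str) -> Dict[str, Tuple[int, str]]:
    """Network prefixes only, as (cost, next hop), the way they land in the routing table."""
    cost, hop = spf(lsdb, root)
    return {d: (cost[d], hop[d]) for d in cost if "/" in d}
```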
creating associations between the OSPF areas that you defined and the local networks
to include in the OSPF AS
If you are using the web-based manager to perform these tasks, follow the procedures
summarized below.
To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See Defining OSPF areas on
page 343.
4 Under Networks, select Create New.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/ Feedback
5 Create associations between the OSPF areas that you defined and the local networks
to include in the OSPF AS. See Specifying OSPF networks on page 344.
6 If you need to adjust the default settings of an OSPF-enabled interface, select Create
New under Interfaces.
7 Select the OSPF operating parameters for the interface. See Selecting operating
parameters for an OSPF interface on page 344.
Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
8 Optionally select advanced OSPF options for the OSPF AS. See Selecting advanced
OSPF options on page 342.
9 Select Apply.
Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
By convention, the router ID is the numerically highest IP address assigned to any of the
FortiGate interfaces in the OSPF AS.
If you change the router ID while OSPF is configured on an interface, all connections to
OSPF neighbors will be broken temporarily. The connections will re-establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM or unit will be used.
Advanced Options: Select the Expand Arrow to view or hide advanced OSPF settings. For
more information, see Selecting advanced OSPF options on page 342.
Areas: Information about the areas making up an OSPF AS. The header of an OSPF packet
contains an area ID, which helps to identify the origination of a packet inside the AS.
Create New: Define and add a new OSPF area to the Areas list. For more information, see
Defining OSPF areas on page 343.
Area, Type
Authentication: The methods for authenticating OSPF packets sent and received through all
FortiGate interfaces linked to each area:
None: authentication is disabled
Text: text-based authentication is enabled
MD5: MD5 authentication is enabled.
A different authentication setting may apply to some of the interfaces in an area, as
displayed under Interfaces. For example, if an area employs simple passwords for
authentication, you can configure a different password for one or more of the networks in
that area.
Networks: The networks in the OSPF AS and their area IDs. When you add a network to the
Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF
link-state advertisements. You can enable OSPF on all FortiGate interfaces whose IP
addresses match the OSPF network address space. For more information, see Specifying
OSPF networks on page 344.
Create New: Add a network to the AS, specify its area ID, and add the definition to the
Networks list.
Network
Area: The area IDs that have been assigned to the OSPF network address space.
Interfaces
Create New
Name, Interface, IP
Authentication: The methods for authenticating LSA exchanges sent and received on
specific OSPF-enabled interfaces. These settings override the area Authentication settings.
Delete and Edit icons: Delete or edit an OSPF area entry, network entry, or interface
definition. Icons are visible only when there are entries in the Areas, Networks, and
Interfaces sections.
Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
Generate and advertise a default (external) route to the OSPF AS. You may base the
generated route on routes learned through a dynamic routing protocol, routes in the
routing table, or both:
None
Regular: Generate a default route into the OSPF AS and advertise the route to neighboring
autonomous systems only if the route is stored in the FortiGate routing table.
Always: Generate a default route into the OSPF AS and advertise the route to neighboring
autonomous systems unconditionally, even if the route is not stored in the FortiGate
routing table.
Redistribute: RIP, BGP
Area: Type a 32-bit identifier for the area. The value must resemble an IP address in
dotted-decimal notation. Once you have created the OSPF area, the area IP value cannot
be changed; you must delete the area and restart.
Type: Select an area type to classify the characteristics of the network that will be
assigned to the area:
Regular: If the area contains more than one router, each having at least one OSPF-enabled
interface to the area.
NSSA: If you want routes to external non-OSPF domains made known to the OSPF AS and
you want the area to be treated like a stub area by the rest of the AS.
STUB: If the routers in the area must send packets to an area border router in order to
reach the backbone and you do not want routes to non-OSPF domains to be advertised to
the routers in the area.
Authentication: Select the method for authenticating OSPF packets sent and received
through all interfaces in the area:
None: Disable authentication.
Text: Enable text-based password authentication, which authenticates LSA exchanges
using a plain-text password. The password is sent in clear text over the network.
MD5: Enable MD5-based authentication using an MD5 cryptographic hash (RFC 1321).
If required, you can override this setting for one or more of the interfaces in the area. For
more information, see Selecting operating parameters for an OSPF interface on page 344.
Note: To assign a network to the area, see Specifying OSPF networks on page 344.
IP/Netmask: Enter the IP address and network mask of the local network that you want to
assign to an OSPF area.
Area: Select an area ID for the network. The attributes of the area must match the
characteristics and topology of the specified network. You must define the area before you
can select the area ID. For more information, see Defining OSPF areas on page 343.
You can configure different OSPF parameters for the same FortiGate interface when more
than one IP address has been assigned to the interface. For example, the same FortiGate
interface could be connected to two neighbors through different subnets. You could
configure an OSPF interface definition containing one set of Hello and dead-interval
parameters for compatibility with one neighbor's settings, and a second OSPF interface
definition for the same interface to ensure compatibility with the second neighbor's
settings.
To select OSPF operating parameters for a FortiGate interface, go to Router > Dynamic >
OSPF, and then under Interfaces, select Create New. To edit the operating parameters of
an OSPF-enabled interface, go to Router > Dynamic > OSPF and select the Edit icon in
the row that corresponds to the OSPF-enabled interface.
Figure 184 shows the New/Edit OSPF Interface dialog box belonging to a FortiGate unit
that has an interface named port1. The interface names on your FortiGate unit may
differ.
Figure 184: New/Edit OSPF Interface (figure labels: Add)
Name
Enter a name to identify the OSPF interface definition. For example, the
name could indicate to which OSPF area the interface will be linked.
Interface
Select the name of the FortiGate interface to associate with this OSPF
interface definition (for example, port1, external, or VLAN_1). The
FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces
connected to the OSPF-enabled network.
IP
MD5 Keys
Enter the key identifier for the (first) password in the ID field (the range is
from 1 to 255) and then type the associated password in the Key field.
The password is a 128-bit hash, represented by an alphanumeric string of
up to 16 characters.
The OSPF neighbors that send link-state advertisements to this FortiGate
interface must be configured with an identical MD5 key. If the OSPF
neighbor uses more than one password to generate MD5 hashes, select the
Add icon to add additional MD5 keys to the list.
This field is available only if you selected MD5 authentication.
Hello Interval
Dead Interval
BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to
exchange routing information between different ISP networks. For example, BGP enables
the sharing of network paths between the ISP network and an autonomous system (AS)
that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation
of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385.
To view and edit BGP settings, go to Router > Dynamic > BGP. The web-based manager
offers a simplified user interface to configure basic BGP options. You can also configure
many advanced BGP options through the CLI. For more information, see the router
chapter of the FortiGate CLI Reference.
Figure 185: Basic BGP options (figure labels: Delete)
Local AS
Enter the number of the local AS to which the FortiGate unit belongs.
Router ID
Enter a unique router ID to identify the FortiGate unit to other BGP routers. The
router ID is an IP address written in dotted-decimal format, for example
192.168.0.1.
If you change the router ID while BGP is configured on an interface, all
connections to BGP peers will be broken temporarily. The connections will reestablish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM will be
used.
Neighbors
IP
Remote AS
Add/Edit
Add the neighbor information to the Neighbors list, or edit an entry in the list.
Neighbor
Remote AS
The numbers of the autonomous systems associated with the BGP peers.
Delete icon
Networks
IP/Netmask
Add
Network
The IP addresses and network masks of major networks that are advertised to
BGP peers.
Delete icon
Note: The get router info bgp CLI command provides detailed information about
configured BGP settings. For a complete list of the command options, see the router
chapter of the FortiGate CLI Reference.
Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in
the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM
dense mode (RFC 3973) and can service multicast servers or receivers on the network
segment to which a FortiGate interface is connected.
A PIM domain is a logical area comprising a number of contiguous networks. The domain
contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain
also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs).
When you enable PIM on a FortiGate unit, the FortiGate unit can perform any of these
functions at any time as configured. If required for sparse mode operation, you can define
static RPs.
Note: You can configure basic options through the web-based manager. Many additional
options are available, but only through the CLI. For complete descriptions and examples of
how to use CLI commands to configure PIM settings, see multicast in the router
chapter of the FortiGate CLI Reference.
Note: For more information about FortiGate multicast support, see the FortiGate Multicast
Technical Note or the FortiGate Routing Guide.
[Multicast settings figure; labels: Delete, Edit, Enable Multicast Routing, Add Static RP, Apply, Create New, Interface, Mode, Status, Priority, DR Priority]
Interface
Select the name of the root VDOM FortiGate interface to which these
settings apply. The interface must be connected to a PIM version 2 enabled
network segment.
PIM Mode
Select the mode of operation: Sparse Mode or Dense Mode. All PIM routers
connected to the same network segment must be running the same mode
of operation. If you select Sparse Mode, adjust the remaining options as
described below.
DR Priority
RP Candidate
RP Candidate Priority Enter the priority number for advertising RP candidacy on the FortiGate
interface. The range is from 1 to 255.
Configuring BFD
BFD is intended for networks that use BGP or OSPF routing protocols. This generally
excludes smaller networks.
BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the
whole unit, and turn it off for one or two interfaces. Alternatively you can specifically
enable BFD for each neighbor router or interface. Which method you choose will be
determined by the amount of configuration required for your network.
The timeout period determines how long the unit waits before labeling a connection as
down. The length of the timeout period is important: if it is too short, connections will be
labeled down prematurely, and if it is too long, time will be wasted waiting for a reply from a
connection that is down. There is no easy number, as it varies for each network and unit.
High-end FortiGate models will respond very quickly unless loaded down with traffic. The
size of the network will also slow down the response time: packets need to make more
hops than on a smaller network. Those two factors (CPU load and network traversal time)
affect how long the timeout you select should be. With too short a timeout period, BFD will
not connect to the network device but it will keep trying. This state generates unnecessary
network traffic and leaves the device unmonitored. If this happens, try setting
a longer timeout period to allow BFD more time to discover the device on the network.
Access List
Distribute List
Key Chain
Offset List
Prefix List
Route Map
Access List
Access lists are filters used by FortiGate unit routing processes to limit access to the
network based on IP addresses. For an access list to take effect, it must be called by a
FortiGate unit routing process (for example, a process that supports RIP or OSPF). For
more information about RIP, see RIP on page 334. For more information about OSPF,
see OSPF on page 338.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and whether to match the prefix exactly or to match the
prefix and any more specific prefix.
Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0, cannot be exactly matched with an access list. A prefix list must be used for this
purpose. For more information, see Prefix List on page 356.
The FortiGate unit attempts to match a packet against the rules in an access list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that
prefix. If no match is found the default action is deny.
Figure 188: Access List GUI widget
Access-list
Enter the name of a new access list. Select Add to save the new access list.
Name
Action
The action to take when the prefix of this access list is matched. Actions can
be either permit or deny.
Prefix
The IP address prefix for this access-list. When this prefix is matched, the
action is taken. The prefix can match any address, or a specific address.
Delete Icon
Add Icon
Select to add a rule to this access-list. Rules include actions and prefixes.
Rules are processed from the lowest to the highest number.
For more information on access list, see the router chapter of the FortiGate CLI
Reference.
Distribute List
The distribute list is a subcommand of OSPF. It filters the networks in routing updates
using an access list or prefix list. Routes not matched by any of the distribute lists are not
advertised. For more information about OSPF, see OSPF on page 338.
Note: You must configure the access list that you want the distribution list to use before you
configure the distribution list. To configure an access list, see Access List on page 353.
Figure 189: Distribute List GUI widget
Create New
Select to create a new distribute list. This includes setting the direction,
selecting either the prefix-list or access-list, and interface.
Direction
Filter
Interface
Enable
Delete Icon
Edit Icon
For more information on the distribute list, see the router chapter of the FortiGate CLI
Reference.
Key Chain
A key chain is a list of one or more keys and the send and receive lifetimes for each key.
Keys are used for authenticating routing packets only during the specified lifetimes. The
FortiGate unit migrates from one key to the next according to the scheduled send and
receive lifetimes. The sending and receiving routers should have their system dates and
times synchronized, but overlapping the key lifetimes ensures that a key is always
available even if there is some difference in the system times.
RIP version 2 uses authentication keys to ensure that the routing information exchanged
between routers is reliable. For authentication to work, both the sending and receiving
routers must be set to use authentication, and must be configured with the same keys.
For more information about RIP, see RIP on page 334.
Figure 190: Key Chain GUI widget
Key-chain
Enter the name for a new key-chain. Select Add to save the new key-chain.
Name
The name of the key-chain, or the number of the key on that chain.
Accept Lifetime
The start and end time that this key can accept routing packets.
Start
The start time for this key. The format is H:M:S M/D/YYYY.
End
The end time for this key. The end can be infinite, a set duration in seconds,
or a set time as with the start time.
Send Lifetime
The start and end time that this key can send routing packets.
Start
The start time for this key. The format is H:M:S M/D/YYYY.
End
The end time for this key. The end can be infinite, a set duration in seconds,
or a set time as with the start time.
Delete Icon
Add Icon
Edit Icon
For more information on key-chains, see the router chapter of the FortiGate CLI
Reference.
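The key rollover described above, as an added example that is not FortiGate code: two keys whose accept lifetimes overlap around the changeover, a parser for the H:M:S M/D/YYYY lifetime format, and a check that shows why the overlap matters when a peer's clock is ahead of or behind ours. Key ids, secrets and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed model of key-chain lifetimes (added example, not FortiGate code).
TIME_FORMAT = "%H:%M:%S %m/%d/%Y"  # the H:M:S M/D/YYYY format used in the GUI


@dataclass
class Lifetime:
    start: datetime
    end: Optional[datetime]  # None means infinite

    @classmethod
    def parse(cls, start: str, end: str) -> "Lifetime":
        """Build a lifetime from GUI-style strings; `end` may be a time,
        a duration in seconds after the start, or "infinite"."""
        s = datetime.strptime(start, TIME_FORMAT)
        if end == "infinite":
            e = None
        elif end.isdigit():
            e = s + timedelta(seconds=int(end))
        else:
            e = datetime.strptime(end, TIME_FORMAT)
        return cls(s, e)

    def covers(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or when <= self.end)


@dataclass
class Key:
    key_id: int
    secret: str
    accept: Lifetime
    send: Lifetime


def send_key(chain: List[Key], when: datetime) -> Optional[Key]:
    """Key used for outgoing routing packets at `when`: the lowest-numbered
    key whose send lifetime covers that moment, or None if no key is valid."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if key.send.covers(when):
            return key
    return None


def accept_key(chain: List[Key], key_id: int, when: datetime) -> Optional[Key]:
    """Key to verify an incoming packet that carries `key_id`, provided its
    accept lifetime covers the local receive time; None means reject."""
    for key in chain:
        if key.key_id == key_id and key.accept.covers(when):
            return key
    return None


# Constructed chain: key 1 is retired at noon on 1/2/2010 and key 2 takes over,
# with the accept lifetimes overlapping by an hour on each side of the change.
SAMPLE_CHAIN = [
    Key(1, "old-secret",
        accept=Lifetime.parse("00:00:00 1/1/2010", "13:00:00 1/2/2010"),
        send=Lifetime.parse("00:00:00 1/1/2010", "12:00:00 1/2/2010")),
    Key(2, "new-secret",
        accept=Lifetime.parse("11:00:00 1/2/2010", "infinite"),
        send=Lifetime.parse("12:00:00 1/2/2010", "infinite")),
]
# The same rollover without overlap: accept lifetimes end and start at exactly noon.
NO_OVERLAP_CHAIN = [
    Key(1, "old-secret",
        accept=Lifetime.parse("00:00:00 1/1/2010", "12:00:00 1/2/2010"),
        send=Lifetime.parse("00:00:00 1/1/2010", "12:00:00 1/2/2010")),
    Key(2, "new-secret",
        accept=Lifetime.parse("12:00:00 1/2/2010", "infinite"),
        send=Lifetime.parse("12:00:00 1/2/2010", "infinite")),
]


def peer_packet_accepted(chain: List[Key], local_time: datetime, skew: timedelta) -> bool:
    """A peer with the same chain but a clock `skew` ahead of ours (negative
    means behind) picks its send key by its own clock; we judge it by ours."""
    sent_with = send_key(chain, local_time + skew)
    return sent_with is not None and accept_key(chain, sent_with.key_id, local_time) is not None
```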
Offset List
Use the offset list to change the weighting of the metric (hop count) for routes that match
the offset list.
The offset list is part of the RIP and OSPF routing protocols. For more information about
RIP, see RIP on page 334. For more information about OSPF, see OSPF on page 338.
Figure 191: Offset List GUI widget
Create New
Direction
Access-list
Offset
Interface
Delete Icon
Edit Icon
For more information on the offset list, see the router chapter of the FortiGate CLI
Reference.
Prefix List
A prefix list is an enhanced version of an access list that allows you to control the length of
the prefix netmask.
Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and maximum and minimum prefix length settings.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at
the top of the list. If it finds a match for the prefix it takes the action specified for that prefix.
If no match is found the default action is deny. A prefix-list should be used to match the
default route 0.0.0.0/0.
For a prefix list to take effect, it must be called by another FortiGate unit routing feature
such as RIP or OSPF. For more information about RIP, see RIP on page 334. For more
information about OSPF, see OSPF on page 338.
Figure 192: Prefix List GUI widget
Prefix-list
Enter the name of a new prefix-list. Select Add to save the new prefix list
entry.
Name
The name of the prefix list, or the number of the prefix entry.
Action
Prefix
The IP address and netmask associated with this prefix. Optionally this can
be set to match any address.
GE
Select the number of bits to match in the address. This number or greater
will be matched for there to be a match.
LE
Select the number of bits to match in the address. This number or less will
be matched for there to be a match.
Delete Icon
Add Icon
Edit Icon
For more information on the prefix list, see the router chapter of the FortiGate CLI
Reference.
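The matching rules of the Access List and Prefix List sections above, as an added example that is not FortiGate code: both lists are walked top-down, the first hit decides, anything unmatched is denied, and the prefix list adds GE/LE bounds on the prefix length (which is what lets it match the default route exactly). The sample lists and prefixes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the matching rules described above (added example,
# not FortiGate code): rules are tried from the top of the list, the first
# hit decides, and a route that hits nothing is denied.


@dataclass
class AccessRule:
    action: str                # "permit" or "deny"
    prefix: Optional[str]      # e.g. "10.0.0.0/8"; None means "any"
    exact_match: bool = False  # True: only this prefix; False: it or any more specific prefix


@dataclass
class PrefixRule:
    action: str
    prefix: Optional[str]      # None means "any"
    ge: Optional[int] = None   # GE: smallest prefix length that matches
    le: Optional[int] = None   # LE: largest prefix length that matches


def access_list_match(rules: List[AccessRule], route: str) -> str:
    """Evaluate an access list top-down and return the action for `route`."""
    net = ipaddress.ip_network(route, strict=False)
    for rule in rules:
        if rule.prefix is None:
            return rule.action  # "any" matches every route
        p = ipaddress.ip_network(rule.prefix, strict=False)
        if p.version != net.version:
            continue
        hit = net == p if rule.exact_match else net.subnet_of(p)
        if hit:
            return rule.action
    return "deny"  # no match: the default action is deny


def prefix_list_match(rules: List[PrefixRule], route: str) -> str:
    """Evaluate a prefix list top-down and return the action for `route`.

    Without GE/LE a rule matches its prefix length exactly; GE alone matches
    from GE up to the address width; LE alone matches from the rule's own
    length up to LE; GE and LE together match the range GE..LE.
    """
    net = ipaddress.ip_network(route, strict=False)
    for rule in rules:
        if rule.prefix is None:
            base = ipaddress.ip_network("0.0.0.0/0" if net.version == 4 else "::/0")
            lo = 0 if rule.ge is None else rule.ge
            hi = net.max_prefixlen if rule.le is None else rule.le
        else:
            base = ipaddress.ip_network(rule.prefix, strict=False)
            if base.version != net.version:
                continue
            lo = base.prefixlen if rule.ge is None else rule.ge
            if rule.le is not None:
                hi = rule.le
            elif rule.ge is not None:
                hi = net.max_prefixlen
            else:
                hi = base.prefixlen
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return rule.action
    return "deny"


# Constructed sample lists.
SAMPLE_ACL = [
    AccessRule("deny", "10.0.0.0/8", exact_match=True),   # block the /8 itself ...
    AccessRule("permit", "10.0.0.0/8"),                   # ... but allow its subnets
    AccessRule("deny", "172.16.0.0/12"),
    AccessRule("permit", None),
]

SAMPLE_PREFIX_LIST = [
    PrefixRule("permit", "0.0.0.0/0"),                    # the default route, matched exactly
    PrefixRule("permit", "10.0.0.0/8", ge=16, le=24),     # only /16 to /24 inside 10/8
    PrefixRule("deny", None, le=7),                       # no other prefix shorter than a /8
    PrefixRule("permit", "192.168.0.0/16", le=24),        # /16 to /24 inside 192.168/16
]
```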
Route Map
Route maps provide a way for the FortiGate unit to evaluate optimum routes for
forwarding packets or suppressing the routing of packets to particular destinations using
the BGP routing protocol. Compared to access lists, route maps support enhanced
packet-matching criteria. In addition, route maps can be configured to permit or deny the
addition of routes to the FortiGate unit routing table and make changes to routing
information dynamically as defined through route-map rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules
are examined in ascending order until one or more of the rules in the route map are found
to match one or more of the route attributes:
When a single matching match-* rule is found, changes to the routing information are
made as defined through the rules set-ip-nexthop, set-metric, set-metric-type, and/or
set-tag settings.
When more than one match-* rule is defined, all of the defined match-* rules must
evaluate to TRUE or the routing information is not changed.
If no match-* rules are defined, the FortiGate unit makes changes to the routing
information only when all of the default match-* rules happen to match the attributes of
the route.
The default rule in the route map (which the FortiGate unit applies last) denies all routes.
For a route map to take effect, it must be called by a FortiGate unit routing process.
Figure 193: Route Map GUI widget
Route-map
Enter the name of a new route-map. Select Add to save the new route-map.
Name
The name of the route map, or the number of the rule in that route map.
Action
Rules
The rules include the criteria to match and a value to set. The criteria to
match can be an interface, an address from an access or prefix list, the next
hop to match from an access or prefix list, a metric, or other information. The
value to set can be the next-hop IP address, the metric, the metric type, and a
tag number.
Delete Icon
Add Icon
Edit Icon
For more information on the route map, see the router chapter of the FortiGate CLI
Reference.
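The evaluation order described above, as an added example that is not FortiGate code: rules are examined in ascending number, every match-* criterion a rule defines must be true, the first rule that matches decides and applies its set-* values, and a route that matches no rule falls through to the implicit deny. Only interface, metric and tag criteria are modelled; the rule numbers, routes and addresses are constructed.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed model of route-map evaluation (added example, not FortiGate code).


@dataclass
class Route:
    prefix: str
    interface: str
    nexthop: str
    metric: int
    tag: int = 0


@dataclass
class RouteMapRule:
    number: int                        # rules are examined in ascending order
    action: str = "permit"             # "permit" or "deny"
    match_interface: Optional[str] = None
    match_metric: Optional[int] = None
    match_tag: Optional[int] = None
    set_ip_nexthop: Optional[str] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None

    def matches(self, route: Route) -> bool:
        criteria = [
            (self.match_interface, route.interface),
            (self.match_metric, route.metric),
            (self.match_tag, route.tag),
        ]
        # undefined criteria are skipped; every defined one must be TRUE, so a
        # rule with no match-* criteria matches every route
        return all(want is None or want == have for want, have in criteria)


def apply_route_map(rules: List[RouteMapRule], route: Route) -> Optional[Route]:
    """Return the route as modified by the first matching permit rule, or None
    when it is denied (explicitly, or by the implicit deny at the end)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(route):
            continue
        if rule.action == "deny":
            return None
        out = replace(route)  # copy, so the caller's route is left untouched
        if rule.set_ip_nexthop is not None:
            out.nexthop = rule.set_ip_nexthop
        if rule.set_metric is not None:
            out.metric = rule.set_metric
        if rule.set_tag is not None:
            out.tag = rule.set_tag
        return out
    return None


# Constructed route map: re-weight and tag one class of routes, drop routes
# carrying tag 99, and send everything else through an alternate next hop.
SAMPLE_MAP = [
    RouteMapRule(1, match_interface="wan1", match_metric=10, set_metric=50, set_tag=7),
    RouteMapRule(2, action="deny", match_tag=99),
    RouteMapRule(3, set_ip_nexthop="10.0.0.254"),   # no match-*: catches the rest
]
```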
Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the entries
in the FortiGate routing table.
If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available
separately for each virtual domain. For more information, see Using virtual domains on
page 125.
This section describes:
IP version
Select IPv4 or IPv6 routes. Fields displayed vary depending on which IP version is
selected.
Displayed only if IPv6 display is enabled on the web-based manager.
Type
Select one of the following route types to search the routing table and display routes
of the selected type only:
All: all routes recorded in the routing table.
Connected: all routes associated with direct connections to FortiGate interfaces.
Static: the static routes that have been added to the routing table manually. For
more information see Static Route on page 316.
RIP: all routes learned through RIP. For more information see RIP on page 334.
OSPF: all routes learned through OSPF. For more information see OSPF on
page 338.
BGP: all routes learned through BGP. For more information see BGP on
page 346.
HA: RIP, OSPF, and BGP routes synchronized between the primary unit and the
subordinate units of a high availability (HA) cluster. HA routes are maintained on
subordinate units and are visible only if you are viewing the router monitor from a
virtual domain that is configured as a subordinate virtual domain in a virtual cluster.
Not displayed when IP version IPv6 is selected.
For details about HA routing synchronization, see the FortiGate HA User Guide.
Network
Gateway
Apply Filter Select to search the entries in the routing table based on the specified search criteria
and display any matching routes.
Not displayed when IP version IPv6 is selected.
Type
The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or
BGP).
Not displayed when IP version IPv6 is selected.
Subtype
Network
The IP addresses and network masks of destination networks that the FortiGate unit
can reach.
Distance
The administrative distance associated with the route. A value of 0 means the route
is preferable compared to routes to the same destination.
To modify the administrative distance assigned to static routes, see Adding a static
route to the routing table on page 320. To modify this distance for dynamic routes,
see FortiGate CLI Reference.
Metric
The metric associated with the route type. The metric of a route influences how the
FortiGate unit dynamically adds it to the routing table. The following are types of
metrics and the protocols they are applied to.
Hop count: routes learned through RIP.
Relative cost: routes learned through OSPF.
Multi-Exit Discriminator (MED): routes learned through BGP. However, several
attributes in addition to MED determine the best path to a destination network.
Gateway
Interface
The interface through which packets are forwarded to the gateway of the destination
network.
Up Time
The total accumulated amount of time that a route learned through RIP, OSPF, or
BGP has been reachable.
Not displayed when IP version IPv6 is selected.
Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit, between
FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet's source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), by using virtual IPs or IP pools to translate source and destination IP
addresses and port numbers. For details on using virtual IPs and IP pools, see Firewall
Virtual IP on page 421.
Policy instructions may also include protection profiles, which can specify application-layer
inspection and other protocol-specific protection and logging. For details on using
protection profiles, see Firewall Protection Profile on page 467.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall policies. For details, see Using virtual domains on page 125.
This section describes:
Multicast policies
services
time/schedule.
[Figure: Example: Blocking FTP, intended policy order (the Exception policy is listed above the General policy)]
FTP connections would immediately match the deny policy, blocking the connection.
Other kinds of services do not match the FTP policy, and so policy evaluation would
continue until reaching the matching general policy. This policy order has the intended
effect. But if you reversed the order of the two policies, positioning the general policy
before the policy to block FTP, all connections, including FTP, would immediately match
the general policy, and the policy to block FTP would never be applied. This policy order
would not have the intended effect.
Figure 197: Example: Blocking FTP, incorrect policy order (the General policy is listed above the Exception policy)
Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would
position those policies above other potential matches in the policy list. Otherwise, the
other matching policies could always take precedence, and the required authentication,
IPSec VPN, or SSL VPN might never occur.
Note: A default firewall policy may exist which accepts all connections. You can move,
disable or delete it. If you move the default policy to the bottom of the firewall policy list and
no other policy matches the packet, the connection will be accepted. If you disable or delete
the default policy and no other policy matches the packet, the connection will be dropped.
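The FTP example above, as an added example that is not FortiGate code: policies are walked top-down and the first match decides, so the deny-FTP exception only works when it sits above the general accept policy, and a session that matches nothing (including a disabled or deleted default policy) is dropped. Interface names, addresses and policy names are constructed; only the matching fields the text discusses are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of top-down, first-match policy evaluation (added example,
# not FortiGate code).


@dataclass
class Packet:
    src_if: str
    dst_if: str
    src_ip: str
    dst_ip: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


def _addr_matches(spec: str, ip: str) -> bool:
    """`spec` is a CIDR block or "all" (the address that matches everything)."""
    return spec == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Policy:
    name: str
    src_if: str     # interface/zone name, or "any"
    dst_if: str
    src_addr: str   # CIDR, or "all"
    dst_addr: str
    services: List[Tuple[str, Optional[int]]]  # (proto, port); ("any", None) is the ANY service
    action: str     # "ACCEPT" or "DENY"
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.src_if not in ("any", pkt.src_if) or self.dst_if not in ("any", pkt.dst_if):
            return False
        if not _addr_matches(self.src_addr, pkt.src_ip) or not _addr_matches(self.dst_addr, pkt.dst_ip):
            return False
        return any(proto == "any" or (proto == pkt.proto and port in (None, pkt.dport))
                   for proto, port in self.services)


def evaluate(policies: List[Policy], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the list top-down; the first matching policy decides. A session that
    matches no policy at all is dropped."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.name
    return "DENY", None


# Constructed policies and packets.
BLOCK_FTP = Policy("block-ftp", "internal", "wan1", "all", "all", [("tcp", 21)], "DENY")
GENERAL = Policy("general-access", "internal", "wan1", "192.168.1.0/24", "all",
                 [("any", None)], "ACCEPT")
DEFAULT_ALLOW = Policy("default", "any", "any", "all", "all", [("any", None)], "ACCEPT")

CORRECT_ORDER = [BLOCK_FTP, GENERAL]     # exception above the general policy
INCORRECT_ORDER = [GENERAL, BLOCK_FTP]   # general policy shadows the exception

FTP_PKT = Packet("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp", 21)
HTTP_PKT = Packet("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp", 80)
DMZ_PKT = Packet("dmz", "wan1", "10.0.0.10", "203.0.113.5", "tcp", 80)
```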
Multicast policies
FortiGate units support multicast policies. You can configure and create multicast policies
using the following CLI command:
config firewall multicast-policy
For more information, see the FortiOS CLI Reference and the FortiGate Multicast
Technical Note.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/
Filter
Create New
Delete
Edit
Insert Policy before
Move To
Add a new firewall policy. Select the down arrow beside Create New to add a
new section to the list to visually group the policies.
For security purposes, selecting Create New adds the new policy to the bottom
of the list. Once the policy is added to the list you can use the Move To icon to
move the policy to the required position in the list. You can also use the Insert
Policy before icon to add a new policy above another policy in the list. See How
list order affects policy matching on page 363.
Column Settings Customize the table view. You can select the columns to hide or display and
specify the column displaying order in the table. For more information, see
Using column settings to control the columns displayed on page 61 and
Web-based manager icons on page 63.
Section View
Global View
Filter icons
Edit the column filters to filter or sort the policy list according to the criteria you
specify. For more information, see Adding filters to web-based manager lists
on page 57.
ID
The policy identifier. Policies are numbered in the order they are added to the
policy list.
From
To
Source
The source address or address group to which the policy applies. For more
information, see Firewall Address on page 395.
Destination
The destination address or address group to which the policy applies. For more
information, see Firewall Address on page 395.
Schedule
The schedule that controls when the policy should be active. For more
information, see Firewall Schedule on page 411.
Service
The service to which the policy applies. For more information, see Firewall
Service on page 401.
Profile
Action
Status
From
To
VPN Tunnel
Authentication
Comments
Log
A green check mark indicates traffic logging is enabled for the policy; a grey
cross mark indicates traffic logging is disabled for the policy.
Count
The FortiGate unit counts the number of packets and bytes that hit the firewall
policy.
For example, 5/50B means that five packets and 50 bytes in total have hit the
policy.
The counter is reset when the FortiGate unit is restarted or the policy is deleted
and re-configured.
Delete icon
Edit icon
Edit a policy.
Insert Policy
Before icon
Add a new policy above the corresponding policy. Use this option to simplify
policy ordering. See How list order affects policy matching on page 363.
Move To icon
Move the corresponding policy before or after another policy in the list. For more
information, see Moving a policy to a different position in the policy list on
page 364.
Source Interface/Zone
Source Address
Destination Interface/Zone
Destination Address
If the initial packet matches the firewall policy, the FortiGate unit performs the configured
Action and any other configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.
ACCEPT policy actions permit communication sessions, and may optionally include
other packet processing instructions, such as requiring authentication to use the policy,
or specifying a protection profile to apply features such as virus scanning to packets in
the session. An ACCEPT policy can also apply interface-mode IPSec VPN traffic if
either the selected source or destination interface is an IPSec virtual interface. For
more information, see Overview of IPSec VPN configuration on page 603.
DENY policy actions block communication sessions, and may optionally log the denied
traffic.
IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN
tunnel, respectively, and may optionally apply NAT and allow traffic for one or both
directions. If permitted by the firewall encryption policy, a tunnel may be initiated
automatically whenever a packet matching the policy arrives on the specified network
interface, destined for the local private network. For more information, see Configuring
IPSec firewall policies on page 376 and Configuring SSL VPN identity-based firewall
policies on page 376.
To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add a policy
or select the edit icon beside an existing firewall policy. Configure the settings as
described in the following table and in the references to specific features for IPSec, SSL
VPN and other specialized settings, and then select OK.
If you want to create a DoS policy, go to Firewall > Policy > DoS Policy, and configure the
settings according to the following table. DoS policies are independent from firewall
policies and are used to associate DoS sensors with traffic that reaches a FortiGate
interface. DoS policies deliver packets to the IPS before they are accepted by firewall
policies. This arrangement results in more effective protection from denial of service
attacks, among other benefits. For more information, see Using DoS policies to detect and
prevent attacks on page 379.
If you want to create a Sniffer policy, go to Firewall > Policy > Sniffer Policy, and configure
the settings according to the following table. For more information, see Using one-arm
sniffer policies to detect network attacks on page 382.
If you want to use IPv6 firewall addresses in your firewall policy, first go to System > Admin
> Settings. Select IPv6 Support on GUI. Then go to Firewall > Policy > IPv6 Policy, and
configure the settings according to the following table. Configuring IPv6 policies is the
same as configuring IPv4 policies. You can add a protection profile to an IPv6 firewall
policy, and you can also configure shared traffic shaping and log allowed or denied traffic.
You cannot create IPv6 firewall policies for IPSec or SSL VPN, and you cannot add
authentication to IPv6 policies.
Firewall policy order affects policy matching. Each time that you create or edit a policy,
make sure that you position it in the correct location in the list. You can create a new policy
and position it right away before an existing one in the firewall policy list, by selecting
Insert Policy before (see Viewing the firewall policy list on page 366).
Note: You can configure differentiated services (DSCP) firewall policy options through the
CLI. See the firewall chapter of the FortiGate CLI Reference.
Source
Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM) link,
or zone on which IP packets are received. Interfaces and zones are configured
on the System Network page. For more information, see Configuring interfaces
on page 145 and Configuring zones on page 170.
If you select Any as the source interface, the policy matches all interfaces as
source.
If Action is set to IPSEC, the interface is associated with the local private
network.
If Action is set to SSL-VPN, the interface is associated with connections from
remote SSL VPN clients.
Source Address Select the name of a firewall address to associate with the Source
Interface/Zone. Only packets whose header contains an IP address matching
the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list.
For more information, see Configuring addresses on page 397.
If you want to associate multiple firewall addresses or address groups with the
Source Interface/Zone, from Source Address, select Multiple. In the dialog box,
move the firewall addresses or address groups from the Available Addresses
section to the Members section, then select OK.
If Action is set to IPSEC, the address is the private IP address of the host,
server, or network behind the FortiGate unit.
If Action is set to SSL-VPN and the policy is for web-only mode clients, select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the
name of the address that you reserved for tunnel mode clients.
Destination
Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM) link,
or zone to which IP packets are forwarded. Interfaces and zones are configured
on the System Network page. For more information, see Configuring interfaces
on page 145 and Configuring zones on page 170.
If you select Any as the destination interface, the policy matches all interfaces as
destination.
If Action is set to IPSEC, the interface is associated with the entrance to the VPN
tunnel.
If Action is set to SSL-VPN, the interface is associated with the local private
network.
Destination
Address
Schedule
Service
Select the name of a firewall service or service group that packets must match to
trigger this policy.
You can select from a wide range of predefined firewall services, or you can
create a custom service or service group by selecting Create New from this list.
For more information, see Configuring custom services on page 406 and
Configuring service groups on page 408.
By selecting the Multiple button beside Service, you can select multiple services
or service groups.
Action
Select how you want the firewall to respond when a packet matches the
conditions of the policy. The options available will vary widely depending on this
selection.
ACCEPT
Accept traffic matched by the policy. You can configure NAT, protection profiles,
log traffic, shape traffic, set authentication options, or add a comment to the
policy.
DENY
Reject traffic matched by the policy. The only other configurable policy options
are Log Violation Traffic to log the connections denied by this policy and adding
a Comment.
IPSEC
You can configure an IPSec firewall encryption policy to process IPSec VPN
packets, as well as configure protection profiles, log traffic, shape traffic or add a
comment to the policy. See Configuring IPSec firewall policies on page 376.
SSL-VPN
You can configure an SSL-VPN firewall encryption policy to accept SSL VPN
traffic. This option is available only after you have added a SSL-VPN user group.
You can also configure NAT and protection profiles, log traffic, shape traffic or
add a comment to the policy. See Configuring SSL VPN identity-based firewall
policies on page 376.
NAT
Dynamic IP Pool
Select the check box, then select an IP pool to translate the source address to
an IP address randomly selected from addresses in the IP Pool.
IP Pool cannot be selected if the destination interface, VLAN subinterface, or
one of the interfaces or VLAN subinterfaces in the destination zone is configured
using DHCP or PPPoE.
For details, see Configuring IP pools on page 437.
Fixed Port
Select Fixed Port to prevent NAT from translating the source port.
Some applications do not function correctly if the source port is translated. In
most cases, if Fixed Port is selected, Dynamic IP pool is also selected. If
Dynamic IP pool is not selected, a policy with Fixed Port selected can allow only
one connection to that service at a time.
Note: Fixed Port is only visible if enabled from the CLI.
Enable Identity Based Policy
Protection
Profile
Select a protection profile to apply to a firewall policy. You can also create a
protection profile by selecting Create New from this list. For more information,
see Firewall Protection Profile on page 467.
If you intend to apply authentication to this policy, do not make a Protection
Profile selection. The user group you choose for authentication is already linked
to a protection profile. For more information, see Adding authentication to
firewall policies on page 372.
Traffic Shaping
Select a shared traffic shaper for the policy. You can also create a new shared
traffic shaper. Shared traffic shapers control the bandwidth available to, and set
the priority of, the traffic as it is processed by the policy.
For information about configuring shared traffic shapers, see Configuring
shared traffic shapers on page 417.
Reverse Direction Traffic Shaping
Select to enable reverse traffic shaping and select a shared traffic shaper. For
example, if the traffic direction that a policy controls is from port1 to port2, selecting
this option also applies the policy shaping configuration to traffic from port2 to
port1.
For information about configuring shared traffic shapers, see Configuring
shared traffic shapers on page 417.
Per-IP Traffic Shaping
Select a Per-IP traffic shaper for the policy. Per-IP traffic shaping applies traffic
shaping to the traffic generated from the IP addresses added to the Per-IP traffic
shaper added to the firewall policy.
For information about configuring per-IP traffic shapers, see Configuring Per IP
traffic shaping on page 419.
Log Allowed Traffic
Select to record messages to the traffic log whenever the policy processes a
connection. You must also enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging
severity level to Notification or lower using the Log and Report screen. For more
information see Log&Report on page 703.
Log Violation Traffic
Available only if Action is set to DENY. Select Log Violation Traffic, for Deny
policies, to record messages to the traffic log whenever the policy processes a
connection. You must also enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging
severity level to Notification or lower using the Log and Report screen. For more
information, see Log&Report on page 703.
Enable Endpoint NAC
Select to enable the Endpoint NAC feature and select the Endpoint NAC profile
to apply. For more information, see Endpoint NAC on page 687.
Notes:
You cannot enable Endpoint NAC in firewall policies if Redirect HTTP
Challenge to a Secure Channel (HTTPS) is enabled in User > Options >
Authentication.
If the firewall policy involves a load balancing virtual IP, the Endpoint NAC
check is not performed.
Comments
HTTP
HTTPS
FTP
Telnet
The authentication style depends on which of these supported protocols you have
included in the selected firewall services group and which of those enabled protocols the
network user applies to trigger the authentication challenge. The authentication style will
be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only)
authentication, you must install customized certificates on the FortiGate unit and on the
browsers of network users, which the FortiGate unit matches. For user name and
password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts
network users to input their firewall user name and password.
page 667.
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create
users, assign them to a firewall user group, and assign a protection profile to that user
group. For information on configuring user groups, see User Group on page 658. For
information on configuring authentication settings, see Configuring identity-based firewall
policies on page 373 and Configuring SSL VPN identity-based firewall policies on
page 376.
Enable Identity Based Policy
Add
Delete icon
Edit icon
Move To icon
User Group
Service
Move To
Edit
Delete
Schedule
The one-time or recurring schedule that controls when the policy is in effect.
You can also create schedules by selecting Create New from this list. For more
information, see Firewall Schedule on page 411.
Protection Profile
The protection profile to apply to this policy. You can also create a protection
profile by selecting Create New from this list. For more information, see
Firewall Protection Profile on page 467.
Traffic Shaping
The traffic shaping configuration for this policy.
For more information, see Firewall Policy on page 363.
Reverse Direction Traffic Shaping
Select to enable reverse traffic shaping and choose the traffic shaper. For
example, if the traffic direction that a policy controls is from port1 to port2,
selecting this option applies traffic shaping to traffic from port2 to port1.
Log Allowed
Traffic
Firewall
Include firewall user groups defined locally on the FortiGate unit, as well as on
any connected LDAP and RADIUS servers. This option is selected by default.
Directory Service
Include Directory Service groups defined in User > User Group. The groups are
authenticated through a domain controller using Fortinet Server Authentication
Extensions (FSAE). If you select this option, you must install the FSAE on the
Directory Service domain controller. For information about FSAE, see the
Fortinet Server Authentication Extension Administration Guide. For information
about configuring user groups, see User Group on page 658.
NTLM Authentication
Include Directory Service groups defined in User > User Group. If you select
this option, you must use Directory Service groups as the members of the
authentication group for NTLM. For information about configuring user groups,
see User Group on page 658.
Certificate
Certificate-based authentication only. Select the protection profile that guest
accounts will use. Note: In order to implement certificate-based authentication,
you must select a firewall service group that includes one of the supported
authentication protocols that use certificate-based authentication. You should
also install the certificate on the network user's web browser. For more
information, see Adding authentication to firewall policies on page 372.
Enable Disclaimer and Redirect URL to
Select this option to display the Authentication Disclaimer replacement
message HTML page after the user authenticates. The user must accept the
disclaimer to connect to the destination. For information about customizing user
authentication replacement messages, see User authentication replacement
messages on page 232.
You can also optionally enter an IP address or domain name to redirect user
HTTP requests after accepting the authentication disclaimer. The redirect URL
could be to a web page with extra information (for example, terms of usage).
To prevent web browser security warnings, this should match the CN field of
the specified auth-cert, which is usually a fully qualified domain name
(FQDN).
VPN Tunnel
Select the VPN tunnel name defined in the phase 1 configuration. The specified
tunnel will be subject to this firewall encryption policy.
Allow Inbound
Select to enable traffic from a dialup client or computers on the remote private
network to initiate the tunnel.
Allow outbound
Select to enable traffic from computers on the local private network to initiate
the tunnel.
Inbound NAT
Outbound NAT
Select only in combination with a natip CLI value to translate the source
addresses of outbound cleartext packets into the IP address that you specify.
When a natip value is specified, the source addresses of outbound IP packets
are replaced before the packets are sent through the tunnel. For more
information, see the firewall chapter of the FortiGate CLI Reference.
Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall
policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction
of communication, with the IPSec virtual interface as the source or destination interface as
appropriate.
For more information, see the FortiGate IPSec VPN User Guide.
Move To
Edit
Delete
Source
Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM)
link, or zone on which IP packets are received.
Source Address
Destination
Interface/Zone
Select the name of the FortiGate network interface, virtual domain (VDOM)
link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN,
the interface is associated with the local private network.
Destination Address
Select the name of a firewall address to associate with the Destination
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this
list. For more information, see Configuring addresses on page 397.
If you want to associate multiple firewall addresses or address groups with
the Destination Interface/Zone, from Destination Address, select Multiple. In
the dialog box, move the firewall addresses or address groups from the
Available Addresses section to the Members section, then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied
translation varies by the settings specified in the virtual IP, and whether you
select NAT (below). For more information on using virtual IPs, see Firewall
Virtual IP on page 421.
If Action is set to IPSEC, the address is the private IP address to which
packets may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that
corresponds to the host, server, or network that remote clients need to
access behind the FortiGate unit.
Action
SSL Client Certificate Restrictive
Allow traffic generated by holders of a (shared) group certificate. The
holders of the group certificate must be members of an SSL VPN user
group, and the name of that user group must be present in the Allowed field.
Cipher Strength
Select the bit level of SSL encryption. The web browser on the remote client
must be capable of matching the level that you select: Any, High >= 164, or
Medium >= 128.
User Authentication
Method
Any
For all of the above authentication methods. Local is attempted first, then
RADIUS, then LDAP.
Local
For a local user group that will be bound to this firewall policy.
RADIUS
LDAP
TACACS+
NAT
Fixed Port
Select Fixed Port to prevent NAT from translating the source port.
Note: Fixed Port is only visible if enabled from the CLI.
Add
Delete icon
Edit icon
Move To icon
Select to change the position of this identity-based policy in the identity-based policy list.
User Group
The selected user groups that must authenticate to be allowed to use this
policy.
Service
The firewall service or service group that packets must match to trigger this
policy.
Schedule
Protection Profile
Select a protection profile to apply to a firewall policy. You can also create a
protection profile by selecting Create New from this list. For more
information, see Firewall Protection Profile on page 467.
Traffic Shaping
Select a traffic shaper for the policy. You can also select to create a new
traffic shaper. Traffic Shaping controls the bandwidth available to, and sets
the priority of the traffic processed by, the policy.
For information about traffic shaping, see Traffic Shaping on page 415.
Note: The traffic shaping option can be used to traffic shape tunnel-mode
SSL VPN traffic, but has no effect on web-mode SSL VPN traffic.
Reverse Direction Traffic Shaping
Select to enable reverse traffic shaping. For example, if the traffic
direction that a policy controls is from port1 to port2, selecting this option
also applies the policy shaping configuration to traffic from port2 to port1.
Log Allowed Traffic
Select to record messages to the traffic log whenever the policy processes
a connection. You must also enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the
logging severity level to Notification or lower using the Log and Report
screen. For more information see Log&Report on page 703.
Comments
DoS policies examine network traffic very early in the sequence of protective measures
the FortiGate unit deploys to protect your network. Because of this, DoS policies are a
very efficient defence, using few resources. The previously mentioned denial of service
would be detected and its packets dropped before requiring firewall policy look-ups,
antivirus scans, and other protective but resource-intensive operations.
This section provides an introduction to configuring DoS Policies. For more information
see the FortiGate UTM User Guide.
Filter
Delete
Edit
Insert Policy before
Move To
Create New
Add a new DoS policy. Select the down arrow beside Create New to
add a new section to the list to visually group the policies.
Column Settings
Customize the table view. You can select the columns to hide or
display and specify the column displaying order in the table. See
Using column settings to control the columns displayed on page 61.
Section View
Global View
Filter icon
Edit the column filters to filter or sort the policy list according to the
criteria you specify. For more information, see Adding filters to
web-based manager lists on page 57.
Status
ID
A unique identifier for each policy. Policies are numbered in the order
they are created.
Source
The source address or address group to which the policy applies. For
more information, see Firewall Address on page 395.
Destination
Service
The service to which the policy applies. For more information, see
Firewall Service on page 401.
DoS
Interface
Delete icon
Edit icon
Add a new policy above the corresponding policy (the New Policy
screen appears).
Move To icon
Move the corresponding policy before or after another policy in the list.
Source Interface/Zone
Source Address
Destination Address
Service
DoS Sensor
Select and specify a DoS sensor to have the FortiGate unit apply the
sensor to matching network traffic. You can also select Create new to
add a new DoS Sensor. See DoS sensors on page 537.
After you have configured the interface for one-arm sniffer mode, connect the interface to
a hub or to the SPAN port of a switch that is processing network traffic.
Figure 207: One-arm IDS topology
[Figure: the FortiGate sniffer interface is connected to a hub or to the SPAN port of a switch that carries the traffic between the Internet and the internal network]
Then you can go to Firewall > Policy > Sniffer Policy and add Sniffer policies for that
FortiGate interface that include a DoS sensor, an IPS sensor, and an Application
black/white list to detect attacks and other activity in the traffic that the FortiGate interface
receives from the hub or switch SPAN port.
In one-arm sniffer mode, the interface receives packets accepted by sniffer mode policies
only. All packets not received by sniffer mode policies are dropped. All packets received
by sniffer mode policies go through IPS inspection and are dropped after they are
analyzed by IPS.
One-arm IDS cannot block traffic. However, if you enable logging in the DoS and IPS
sensors and the application black/white lists, the FortiGate unit records log messages for
all detected attacks and applications.
This section provides an introduction to configuring sniffer policies. For more information
see the FortiGate UTM User Guide.
Filter
Delete
Edit
Insert Policy before
Move To
Create New
Add a new sniffer policy. Select the down arrow beside Create New to
add a new section to the list to visually group the policies.
Column Settings
Customize the table view. You can select the columns to hide or
display and specify the column displaying order in the table. See
Using column settings to control the columns displayed on page 61.
Section View
Global View
Filter icon
Edit column filters to filter or sort the policy list according to the criteria
you specify. For more information, see Adding filters to web-based
manager lists on page 57.
Status
ID
A unique identifier for each policy. Policies are numbered in the order
they are created.
Source
The source address or address group to which the policy applies. For
more information, see Firewall Address on page 395.
Destination
Service
The service to which the policy applies. For more information, see
Firewall Service on page 401.
DoS
Sensor
Application Black/White
List
Delete icon
Edit icon
Add a new policy above the corresponding policy (the New Policy
screen appears).
Move To icon
Move the corresponding policy before or after another policy in the list.
Source Interface/Zone
Source Address
Destination Address
Service
DoS Sensor
Select and specify a DoS sensor to have the FortiGate unit apply the
sensor to matching network traffic. You can also select Create new to
add a new DoS Sensor. See DoS sensors on page 537.
IPS Sensor
Select and specify an IPS sensor to have the FortiGate unit apply the
sensor to matching network traffic. You can also select Create new to
add a new IPS Sensor. See IPS sensors on page 529.
Application Black/White
List
[Figure: example university Internet connection topology. Students A, B, C and Z on the student network reach the Internet through the FortiGate unit's external IP address 192.168.1.1; Internet servers shown are Video Sharing 172.20.120.1, Search Engine 172.20.120.2 and Social Networking 172.20.120.3]
The university does not give a publicly routable IP address to its students. Instead each
student uses DHCP to obtain an IP address from the 10.0.0.0/8 range from the FortiGate
unit. The FortiGate unit then uses Network Address Port Translation (NAPT) to translate
all traffic so that it appears to come from IP address 192.168.1.1.
For example, consider student A (IP address 10.78.33.97) who wants to connect to search
engine (IP address 172.20.120.2) and sends a packet with the following IP addresses and
port numbers:
src-ip: 10.78.33.97
dst-ip: 172.20.120.2
src-port: 10000
dst-port: 80
When this packet passes through the FortiGate unit with NAT enabled the packet is
modified to be:
src-ip: 192.168.1.1
dst-ip: 172.20.120.2
src-port: 46372
dst-port: 80
Where 192.168.1.1 is the external IP address of the FortiGate unit and 46372 is an
unused port chosen by the FortiGate unit.
The following sections describe three solutions to choosing the unused port. These
solutions provide some context for the last section which describes how FortiOS chooses
an unused port.
Global pool
In this approach there is a single pool of ports which are available for assignment. When a
port is assigned it is removed from the pool. Because the port is removed from the pool, it
is not possible to assign the same port twice. Once a port is no longer needed for NAT it is
returned to the pool so that it can be assigned again.
For example, if the range is from 0x7000 (28672) to 0xF000 (61440) then there are 2^15
(32768) possible ports that can be simultaneously used (the reason for choosing this
range is described below). The maximum number of simultaneous connections is 32768.
This maximum is independent of transport protocol.
This approach was one of the first approaches used for choosing a NAT port because it is
simple to implement. It is viable if the number of connections is unlikely to reach the pool
size, for example in the case of a NAT firewall for home use. However, it is not really a
viable solution for a large university or ISP that would usually be processing thousands of
simultaneous sessions.
This is not the approach that FortiOS uses.
Figure 211: Example university Internet connection topology with two Internet connections
[Figure: Student Network 10.0.0.0/8 (Students A, B, C and Z) behind the FortiGate unit, which has two external IP addresses, 192.168.1.1 and 192.168.2.2, towards the Internet; Internet servers shown are Video Sharing 172.20.120.1, Search Engine 172.20.120.2 and Social Networking 172.20.120.3]
If the FortiGate configuration includes equal-cost multipath (ECMP) routing, both Internet
connections can be used simultaneously and the maximum number of connections is
N*R*P where N is the number of NAT IP addresses, R is the port range, and P is the
number of protocols. So for the case where there are two NAT IPs, the range is 32768 and
the protocols are TCP and UDP then the maximum number of simultaneous connections
is:
2*32768*2 = 131,072
This solution scales with the number of NAT IPs that can be deployed and so could
feasibly be used by a university or a small ISP.
This is not the approach that FortiOS uses.
dst-port: 80
And the other index is for traffic flowing in the opposite/reply direction:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 80
dst-port: 46372
Where 46372 is the chosen NAT port. In both cases when traffic matches either of these
indexes the session that the traffic belongs to can be uniquely identified.
Using a per NAT IP, destination IP, port, and protocol pool, when choosing the NAT port
FortiOS only has to ensure that the chosen port combined with the other four attributes is
unique, which is enough to identify the session. So for example, if student A simultaneously makes
a connection to the search engine (destination IP address 172.20.120.2) on port 443 this
would create another session and the index in the reply direction would be:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: NP
The value of NP can be any value as long as the five values together are unique. For
example, FortiOS could choose 46372 again:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: 46372
This is acceptable because:
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 80
dst-port: 46372
and
src-ip: 172.20.120.2
dst-ip: 192.168.1.1
proto: tcp
src-port: 443
dst-port: 46372
have different src-port values.
The result of using the per NAT IP, destination IP, port, and protocol pool approach is that
a pool of 32768 ports is available for each unique combination of src-ip, dst-ip,
proto and src-port.
The maximum number of simultaneous connections that can be supported is
N*R*P*D*Dp where N is the number of NAT IP addresses, R is the port range, P is the
number of protocols, D is the number of unique destination IP addresses and Dp the
number of unique destination ports.
Considering the large number of destination IP addresses available, the number of
simultaneous connections that can be supported is very large. To get an idea of how
large, for one destination IP address and one NAT IP address the calculation would be
N=1, R=32,768, P=2, D=1 and Dp=32,768:
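The three port-selection strategies above, as an added example that is not part of the guide: each allocator hands out a NAT source port under its own uniqueness rule and `capacity` returns the bound the text states for it (R, N*R*P, N*R*P*D*Dp). The port range and the student A case are the text's; the class names, the `preferred` port hint used to reproduce the 46372 case, and the lowest-free-port choice otherwise are assumptions of this example.

```python
"""
Added example (not from the FortiGate guide): the three NAT source-port selection
strategies described above, as small allocators. Constants follow the text; the
class names and the `preferred` port hint are assumptions of this example.
"""
from itertools import chain
from typing import Dict, Optional, Set, Tuple

PORT_LOW, PORT_HIGH = 0x7000, 0xF000   # 28672 .. 61440 (upper bound exclusive)
RANGE = PORT_HIGH - PORT_LOW           # R = 2**15 = 32768 candidate ports

# Key of the reply-direction session index, as the text lists it:
# (src-ip, dst-ip, proto, src-port, dst-port) for packets coming back to the NAT IP.
ReplyKey = Tuple[str, str, str, int, int]


def reply_key(nat_ip: str, dst_ip: str, proto: str, dst_port: int, nat_port: int) -> ReplyKey:
    return (dst_ip, nat_ip, proto, dst_port, nat_port)


def _take(pool: Set[int], preferred: Optional[int]) -> int:
    """Remove and return the preferred port if it is free, else the lowest free port."""
    port = preferred if preferred in pool else min(pool)
    pool.remove(port)
    return port


class GlobalPool:
    """Strategy 1: a single pool shared by all sessions. Capacity is R, whatever the protocol."""

    def __init__(self) -> None:
        self.free: Set[int] = set(range(PORT_LOW, PORT_HIGH))

    def allocate(self, nat_ip: str, dst_ip: str, proto: str, dst_port: int,
                 preferred: Optional[int] = None) -> int:
        if not self.free:
            raise RuntimeError("global port pool exhausted")
        return _take(self.free, preferred)

    def release(self, nat_ip: str, dst_ip: str, proto: str, dst_port: int, port: int) -> None:
        self.free.add(port)

    @staticmethod
    def capacity(n: int, p: int, d: int, dp: int) -> int:
        return RANGE


class PerNatIpPool:
    """Strategy 2: one pool per (NAT IP, protocol). Capacity is N*R*P."""

    def __init__(self) -> None:
        self.pools: Dict[Tuple[str, str], Set[int]] = {}

    def allocate(self, nat_ip, dst_ip, proto, dst_port, preferred=None) -> int:
        key = (nat_ip, proto)
        if key not in self.pools:
            self.pools[key] = set(range(PORT_LOW, PORT_HIGH))
        if not self.pools[key]:
            raise RuntimeError(f"port pool for {nat_ip}/{proto} exhausted")
        return _take(self.pools[key], preferred)

    def release(self, nat_ip, dst_ip, proto, dst_port, port) -> None:
        self.pools[(nat_ip, proto)].add(port)

    @staticmethod
    def capacity(n: int, p: int, d: int, dp: int) -> int:
        return n * RANGE * p


class PerDestinationPool:
    """Strategy 3 (the one the text says FortiOS uses): the NAT port only has to make
    the reply-direction five-tuple unique, so one port can serve many sessions as
    long as their destination IP or destination port differs. Capacity is N*R*P*D*Dp."""

    def __init__(self) -> None:
        self.in_use: Set[ReplyKey] = set()

    def allocate(self, nat_ip, dst_ip, proto, dst_port, preferred=None) -> int:
        first = [preferred] if preferred is not None else []
        for port in chain(first, range(PORT_LOW, PORT_HIGH)):
            key = reply_key(nat_ip, dst_ip, proto, dst_port, port)
            if key not in self.in_use:
                self.in_use.add(key)
                return port
        raise RuntimeError(f"no free port for {nat_ip} -> {dst_ip}:{dst_port}/{proto}")

    def release(self, nat_ip, dst_ip, proto, dst_port, port) -> None:
        self.in_use.discard(reply_key(nat_ip, dst_ip, proto, dst_port, port))

    @staticmethod
    def capacity(n: int, p: int, d: int, dp: int) -> int:
        return n * RANGE * p * d * dp


def student_a_sessions(pool) -> Tuple[int, int]:
    """The text's worked case: student A opens TCP 80 and then TCP 443 to the search
    engine 172.20.120.2 through NAT IP 192.168.1.1, hinting 46372 both times. Only the
    per-destination pool can hand out 46372 twice."""
    nat_ip, dst_ip = "192.168.1.1", "172.20.120.2"
    port_80 = pool.allocate(nat_ip, dst_ip, "tcp", 80, preferred=46372)
    port_443 = pool.allocate(nat_ip, dst_ip, "tcp", 443, preferred=46372)
    return port_80, port_443


if __name__ == "__main__":
    for cls in (GlobalPool, PerNatIpPool, PerDestinationPool):
        print(cls.__name__, student_a_sessions(cls()), "N=2,P=2:", cls.capacity(2, 2, 1, 1))
```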
[Figure: Company A network topology. On the Internet side: home-based workers (no secure connection), an IPS Mail Server and an ISP Web Server at 172.16.10.3; the FortiGate unit's internal interface 192.168.100.1 fronts the Internal Network, which contains the Finance Department, the Help Desk and the Engineering Department]
Company A requires secure connections for home-based workers. Like many companies,
they rely heavily on email and Internet access to conduct business. They want a
comprehensive security solution to detect and prevent network attacks, block viruses, and
decrease spam. They want to apply different protection settings for different departments.
They also want to integrate web and email servers into the security solution.
To deal with their first requirement, Company A configures specific policies for each
home-based worker to ensure secure communication between the home-based worker
and the internal network.
1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:
Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_Network; Destination: Home_User_1
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home1
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile
3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:
Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_network; Destination: All
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home2_Tunnel
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile
5 Select OK.
Figure 213: SOHO network topology with FortiGate-100
[Figure: FortiGate-100A with External interface 172.30.120.8 to the Internet; VPN tunnels to Home User 1 (172.20.100.6) and Home User 2 (172.25.106.99); DMZ interface 10.10.10.1 with Email Server 10.10.10.2 and Web Server 10.10.10.3; Internal interface 192.168.100.1 with Finance Users 192.168.100.10-192.168.100.20 and Engineering Users 192.168.100.51-192.168.100.100]
The proposed network is based around a FortiGate-100A unit. The 15 internal computers
are behind the FortiGate unit. They now access the email and web servers in a DMZ,
which is also behind the FortiGate unit. All home-based employees now access the office
network through the FortiGate unit via VPN tunnels.
The library must be able to set different access levels for patrons and staff members.
The first firewall policy for main office staff members allows full access to the Internet at all
times. A second policy will allow direct access to the DMZ for staff members. A second
pair of policies is required to allow branch staff members the same access.
The staff firewall policies will all use a protection profile configured specifically for staff
access. Enabled features include virus scanning, email filtering, IPS, and blocking of all
P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and
spyware sites.
A few users may need special web and catalog server access to update information on
those servers, depending on how they are configured. Special access can be allowed
based on IP address or user.
The proposed topology has the main branch staff and the catalog access terminals
going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals
first go through a FortiWiFi unit, where additional policies can be applied, to the HA
Cluster and finally to the servers.
The branch office has all three users routed through a FortiWiFi unit to the main branch via
VPN tunnels.
Figure 215: Proposed library system network topology
Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall >
Protection Profile.
Main office staff to Internet policy:
Source Interface: Internal
Source Address: All
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept

Source Interface: Internal
Source Address: All
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept

Source Interface: Branches
Source Address: Branch Staff
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept

Source Interface: Branches
Source Address: Branch Staff
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept
Firewall Address
Firewall addresses and address groups define network addresses that you can use when
configuring firewall policies source and destination address fields. The FortiGate unit
compares the IP addresses contained in packet headers with firewall policy source and
destination addresses to determine if the firewall policy matches the traffic. You can add
IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names
(FQDNs).
You can organize related addresses into address groups and related IPv6 addresses into
IPv6 address groups to simplify your firewall policy lists.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall addresses. For details, see Using virtual domains on page 125.
This section describes:
Configuring addresses
The netmask corresponds to the subnet class of the address being added, and can be
represented in either dotted decimal or CIDR format. The FortiGate unit automatically
converts CIDR formatted netmasks to dotted decimal format. Example formats:
When representing hosts by an IP Range, the range indicates hosts with continuous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. Valid IP Range formats include:
When representing hosts by a FQDN, the domain name can be a subdomain, such as
mail.example.com. A single FQDN firewall address may be used to apply a firewall policy
to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate
units automatically resolve and maintain a record of all addresses to which the FQDN
resolves. Valid FQDN formats include:
<host_name>.<second_level_domain_name>.<top_level_domain_name>, such as
mail.example.com
<host_name>.<top_level_domain_name>
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
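A parser and matcher for the address formats listed above (IP with dotted or CIDR netmask, IP ranges such as 192.168.1.[2-10] or 192.168.1.*, and FQDNs), as an added example that is not part of the guide. The FQDN entry keeps whatever addresses its resolver returns, which is the dependency on DNS that the caution describes; the resolver, the entry names and all addresses are constructed for this example, and replacing earlier DNS answers on refresh is an assumption.

```python
"""
Added example (not from the FortiGate guide): a parser and matcher for the firewall
address formats listed above. The resolver is a constructed stand-in for the DNS
lookups an FQDN address depends on; all names and addresses are made up.
"""
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], List[str]]
FQDN_RE = re.compile(r"(?=^.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
OCTET_RANGE_RE = re.compile(r"^\[(\d+)-(\d+)\]$")


def _octet_bounds(token: str) -> Tuple[int, int]:
    """Bounds for one octet of a range pattern: '1', '*' or '[2-10]'."""
    if token == "*":
        return 0, 255
    m = OCTET_RANGE_RE.match(token)
    low, high = (int(m.group(1)), int(m.group(2))) if m else (int(token), int(token))
    if not 0 <= low <= high <= 255:
        raise ValueError(f"bad octet range {token!r}")
    return low, high


class FirewallAddress:
    """One Firewall > Address entry: subnet (dotted or CIDR mask), IP range,
    octet pattern such as 192.168.1.[2-10] or 192.168.1.*, or an FQDN."""

    def __init__(self, name: str, spec: str, resolver: Optional[Resolver] = None) -> None:
        self.name = name
        self.spec = spec.strip()
        self.kind, self.value = self._parse(self.spec)
        self.resolver = resolver
        self.resolved = set()
        if self.kind == "fqdn":
            self.refresh()

    @staticmethod
    def _parse(spec: str):
        if "[" in spec or "*" in spec:                     # 192.168.1.[2-10], 192.168.1.*
            parts = spec.split(".")
            if len(parts) != 4:
                raise ValueError(f"pattern needs four octets: {spec!r}")
            return "pattern", tuple(_octet_bounds(p) for p in parts)
        if "-" in spec:                                    # 192.168.1.2-192.168.1.10
            low, high = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
            if low.version != high.version or low > high:
                raise ValueError(f"bad IP range {spec!r}")
            return "range", (low, high)
        try:                                               # 10.0.0.0/8, 10.0.0.0/255.0.0.0, 2001:db8::/32
            return "subnet", ipaddress.ip_network(spec.replace(" ", "/"), strict=False)
        except ValueError:
            pass
        if FQDN_RE.match(spec.lower()):                    # mail.example.com
            return "fqdn", spec.lower()
        raise ValueError(f"unrecognised firewall address {spec!r}")

    def refresh(self) -> None:
        """Re-resolve an FQDN entry. Whatever the resolver returns becomes matchable,
        which is the dependency on DNS that the guide's caution describes. Replacing
        earlier answers instead of accumulating them is an assumption of this example."""
        if self.kind != "fqdn":
            return
        if self.resolver is None:
            raise ValueError(f"{self.name}: FQDN address needs a resolver")
        self.resolved = {ipaddress.ip_address(a) for a in self.resolver(self.value)}

    def matches(self, ip: str) -> bool:
        """True if the packet address falls inside this entry."""
        addr = ipaddress.ip_address(ip)
        if self.kind == "subnet":
            return addr.version == self.value.version and addr in self.value
        if self.kind == "range":
            low, high = self.value
            return addr.version == low.version and low <= addr <= high
        if self.kind == "pattern":
            return addr.version == 4 and all(
                lo <= octet <= hi for octet, (lo, hi) in zip(addr.packed, self.value))
        return addr in self.resolved


def constructed_resolver(name: str) -> List[str]:
    """Stand-in for DNS; the answers are constructed for this example."""
    return {"mail.example.com": ["10.10.10.2", "2001:db8::25"]}.get(name, [])


def address_book(resolver: Resolver) -> List[FirewallAddress]:
    """A constructed address list covering each format the section describes."""
    return [
        FirewallAddress("finance_net", "192.168.100.0/255.255.255.0"),
        FirewallAddress("catalog_hosts", "192.168.1.[2-10]"),
        FirewallAddress("dmz_hosts", "10.10.10.*"),
        FirewallAddress("mail", "mail.example.com", resolver),
    ]


def matching_addresses(book: List[FirewallAddress], ip: str) -> List[str]:
    """Names of the entries a packet address matches, in list order."""
    return [entry.name for entry in book if entry.matches(ip)]
```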
Delete
Edit
Create New
Name
Address / FQDN
The IP address and mask, IP address range, or fully qualified domain name.
Interface
The interface, zone, or virtual domain (VDOM) to which you bind the IP address.
IP/Netmask
FQDN
IPv6
Delete icon
Select to remove the address. The Delete icon appears only if a firewall policy
or address group is not currently using the address.
Edit icon
Configuring addresses
To add a firewall address go to Firewall > Address and select Create New. You can add a
static IP address, an IP address range, or a FQDN.
Caution: Be cautious when employing FQDN firewall addresses. Using a fully qualified domain name
in a firewall policy, while convenient, does present some security risks, because policy
matching then relies on a trusted DNS server. Should the DNS server be compromised,
firewall policies requiring domain name resolution may no longer function properly.
If IPv6 Support is enabled, to add an IPv6 firewall address, go to Firewall > Address and
select Create New > IPv6 Address.
Tip: You can also add firewall addresses when configuring a firewall policy: Go to Firewall >
Policy, select the appropriate policy tab and then Create New. From the Source Address
list, select Address > Create New.
Address Name
Enter a name to identify the firewall address. Addresses, address groups, and
virtual IPs must have unique names.
Type
Select the type of address: Subnet/IP Range or FQDN. You can enter either an IP
range or an IP address with subnet mask.
Subnet / IP
Range
Enter the firewall IP address, followed by a forward slash (/), then subnet mask, or
enter an IP address range separated by a hyphen. See About firewall addresses
on page 395.
Interface
Select the interface, zone, or virtual domain (VDOM) link to which you want to
bind the IP address. Select Any if you want to bind the IP address with the
interface/zone when you create a firewall policy.
IPv6 Address
Enter the firewall IPv6 address, followed by a forward slash (/), then subnet mask.
See About IPv6 firewall addresses on page 396.
Address group list (Firewall > Address > Group)

Create New      Add an address group.
Group Name      The name of the address group.
Members         The addresses in the group.
Delete icon     Select to remove the address group. The Delete icon appears only if the
                address group is not currently being used by a firewall policy.
Edit icon       Select to edit the address group.

New Address Group dialog

Group Name          Enter a name to identify the address group. Addresses, address groups, and
                    virtual IPs must have unique names.
Available Addresses The list of all IPv4 or IPv6 firewall addresses. Use the arrows to move selected
                    addresses between the lists of available and member addresses.
                    You cannot add IPv4 and IPv6 firewall addresses to the same address group. If
                    you are adding an IPv4 firewall address group, only the IPv4 addresses and FQDN
                    addresses appear. If you are adding an IPv6 firewall address group, only the IPv6
                    addresses appear.
Members             The list of addresses included in the address group. Use the arrows to move
                    selected addresses between the lists of available and member addresses.
Firewall Service
Firewall services define one or more protocols and port numbers associated with each
service. Firewall policies use service definitions to match session types.
You can organize related services into service groups to simplify your firewall policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall
services separately for each virtual domain. For more information, see Using virtual
domains on page 125.
This section describes:
Predefined service list (Firewall > Service > Predefined)

Name     The name of the predefined service.
Detail   The protocol (TCP, UDP, IP, ICMP) and port number or numbers of the predefined service.

Name                  Protocol  Port
AFS3                  TCP       7000-7009
                      UDP       7000-7009
AH                    IP        51
ANY                   all       all
AOL                   TCP       5190-5194
BGP                   TCP       179
CVSPSERVER            TCP       2401
                      UDP       2401
DCE-RPC               TCP       135
                      UDP       135
DHCP                  UDP       67, 68
DHCP6                 UDP       546, 547
DNS                   TCP       53
                      UDP       53
ESP                   IP        50
FINGER                TCP       79
FTP                   TCP       21
FTP_GET               TCP       21
FTP_PUT               TCP       21
GOPHER                TCP       70
GRE                   IP        47
H323                  TCP       1720, 1503
                      UDP       1719
HTTP                  TCP       80
HTTPS                 TCP       443
ICMP_ANY              ICMP      Any
IKE                   UDP       500, 4500
IMAP                  TCP       143
IMAPS                 TCP       993
(name not recovered)  ICMP      17 (address mask request)
(name not recovered)  ICMP      15 (information request)
IRC                   TCP       6660-6669
L2TP                  TCP       1701
                      UDP       1701
LDAP                  TCP       389
MGCP                  UDP       2427, 2727
MS-SQL                TCP       1433, 1434
MYSQL                 TCP       3306
NFS                   TCP       111, 2049
                      UDP       111, 2049
NNTP                  TCP       119
NTP                   UDP       123
NetMeeting            TCP       1720
ONC-RPC               TCP       111
                      UDP       111
OSPF                  IP        89
PC-Anywhere           TCP       5631
                      UDP       5632
PING                  ICMP      8 (echo request)
PING6                 IP        58 (ICMPv6)
POP3                  TCP       110
POP3S                 TCP       995
PPTP                  TCP       1723
                      IP        47 (GRE)
QUAKE                 UDP       26000, 27000, 27910, 27960
RADIUS                UDP       1812, 1813
RAUDIO                UDP       7070
RDP                   TCP       3389
REXEC                 TCP       512
RIP                   UDP       520
RLOGIN                TCP       513
RSH                   TCP       514
RTSP                  TCP       554, 7070, 8554
                      UDP       554
SAMBA                 TCP       139
SCCP                  TCP       2000
SIP                   UDP       5060
SIPMSNmessenger       TCP       1863
SMTP                  TCP       25
SMTPS                 TCP       465
SNMP                  TCP       161-162
                      UDP       161-162
SOCKS                 TCP       1080
                      UDP       1080
SQUID                 TCP       3128
SSH                   TCP       22
                      UDP       22
SYSLOG                UDP       514
TALK                  UDP       517-518
TCP                   TCP       0-65535
TELNET                TCP       23
TFTP                  UDP       69
TIMESTAMP             ICMP      13
TRACEROUTE            TCP       33434
                      UDP       33434
UDP                   UDP       0-65535
UUCP                  TCP       540
VDOLIVE               TCP       7000-7010
VNC                   TCP       5900
WAIS                  TCP       210
WINFRAME              TCP       1494
WINS                  TCP       1512
                      UDP       1512
X-WINDOWS             TCP       6000-6063
Custom service list (Firewall > Service > Custom)

Create New      Add a custom service.
Service Name    The name of the custom service.
Detail          The protocol and port numbers of the custom service.
Delete icon     Remove the custom service. The Delete icon appears only if the service is not
                currently being used by a firewall policy.
Edit icon       Select to edit the custom service.
New Custom Service dialog: TCP/UDP

Name             Enter a name for the custom service.
Protocol Type    Select TCP/UDP.
Protocol         Select TCP or UDP as the protocol of the port range being added.
Source Port      Specify the source port number range for the service by entering the low and
                 high port numbers. If the service uses one port number, enter this number in
                 both the Low and High fields. The default values allow the use of any source
                 port.
Destination Port Specify the destination port number range for the service by entering the low
                 and high port numbers. If the service uses one port number, enter this number
                 in both the Low and High fields.
Add              If your custom service requires more than one port range, select Add to allow
                 more source and destination ranges.
Delete icon      Remove a port range from the service.

New Custom Service dialog: ICMP

Name             Enter a name for the custom service.
Protocol Type    Select ICMP.
Type             The ICMP type number the service matches.
Code             The ICMP code number the service matches.

New Custom Service dialog: IP

Name             Enter a name for the custom service.
Protocol Type    Select IP.
Protocol Number  The IP protocol number the service matches (for example, 50 for ESP).
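The following is an added example, not FortiGate code, that models how the service definitions described above are matched against sessions: the TCP/UDP source and destination port ranges of the custom service dialog (with the default "any" source port), ICMP type and code, an IP protocol number, a few predefined services from the table, and a service group. The custom service WEBAPP_CUSTOM, the group WEB_AND_DNS and the session tuples are constructed for the example; PING is modelled as ICMP type 8 (echo request).

```python
"""Model of how firewall service definitions match sessions.

Added example, not FortiGate code. It encodes the fields of the custom service
dialogs above (TCP/UDP source and destination port ranges, ICMP type and code,
IP protocol number), a few predefined services from the table above, and one
service group, then matches sample sessions against them by name. The custom
service WEBAPP_CUSTOM, the group WEB_AND_DNS and the session tuples are
constructed for the example; PING is modelled as ICMP type 8 (echo request).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PortRange:
    low: int
    high: int

    def __contains__(self, port: int) -> bool:
        return self.low <= port <= self.high


ANY_PORT = PortRange(0, 65535)        # the dialog's default source port range


@dataclass(frozen=True)
class TcpUdpService:
    protocol: str                     # "tcp" or "udp"
    dst: PortRange
    src: PortRange = ANY_PORT         # most services leave the source port open


@dataclass(frozen=True)
class IcmpService:
    icmp_type: Optional[int] = None   # None matches any type, like ICMP_ANY
    code: Optional[int] = None


@dataclass(frozen=True)
class IpService:
    protocol_number: int              # 50 for ESP, 51 for AH, 47 for GRE


@dataclass(frozen=True)
class Session:
    protocol: str                     # "tcp", "udp", "icmp" or "ip"
    src_port: int = 0
    dst_port: int = 0
    icmp_type: int = 0
    icmp_code: int = 0
    ip_protocol: int = 0


def entry_matches(entry, s: Session) -> bool:
    """True if a single protocol/port entry of a service matches the session."""
    if isinstance(entry, TcpUdpService):
        return (s.protocol == entry.protocol
                and s.src_port in entry.src and s.dst_port in entry.dst)
    if isinstance(entry, IcmpService):
        return (s.protocol == "icmp"
                and (entry.icmp_type is None or s.icmp_type == entry.icmp_type)
                and (entry.code is None or s.icmp_code == entry.code))
    if isinstance(entry, IpService):
        return s.protocol == "ip" and s.ip_protocol == entry.protocol_number
    raise TypeError(f"unknown service entry {entry!r}")


# A service is a name plus one or more entries: a predefined service such as
# DNS has a TCP and a UDP entry, and a custom service may list several ranges.
SERVICES = {
    "HTTP": [TcpUdpService("tcp", PortRange(80, 80))],
    "DNS": [TcpUdpService("tcp", PortRange(53, 53)),
            TcpUdpService("udp", PortRange(53, 53))],
    "PING": [IcmpService(icmp_type=8)],
    "ESP": [IpService(50)],
    # constructed custom service: ports 8000-8003, only from source ports >= 1024
    "WEBAPP_CUSTOM": [TcpUdpService("tcp", PortRange(8000, 8003),
                                    src=PortRange(1024, 65535))],
}
SERVICE_GROUPS = {"WEB_AND_DNS": ["HTTP", "DNS"]}   # constructed group


def service_matches(name: str, s: Session) -> bool:
    """Match a session against a service or a service group, by name."""
    members = SERVICE_GROUPS.get(name)
    if members is not None:
        return any(service_matches(m, s) for m in members)
    return any(entry_matches(e, s) for e in SERVICES[name])
```

Note that a source port restriction in a custom service (as in WEBAPP_CUSTOM) narrows matching: a client connecting from port 80 to 8001 does not match even though the destination port is in range, which is the behaviour the Low/High source port fields give you.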
Service group list (Firewall > Service > Group)

Create New      Add a service group.
Group Name      The name of the service group.
Members         The services in the group.
Delete icon     Remove the entry from the list. The Delete icon appears only if the service group
                is not selected in a firewall policy.
Edit icon       Select to edit the service group.
To organize services into a service group, go to Firewall > Service > Group.
Tip: You can also create custom service groups when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Service
list, select Service Group > Create New.
Figure 227: Service Group
Group Name          Enter a name to identify the service group.
Available Services  The list of configured and predefined services available for your group, with
                    custom services at the bottom. Use the arrows to move selected services
                    between this list and Members.
Members             The list of services in the group. Use the arrows to move selected services
                    between this list and Available Services.
Firewall Schedule
Firewall schedules control when policies are in effect. You can create one-time schedules
or recurring schedules. One-time schedules are in effect only once for the period of time
specified in the schedule. Recurring schedules are in effect repeatedly at specified times
of specified days of the week.
If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall
schedules separately for each virtual domain. For more information, see Using virtual
domains on page 125.
This section describes:
To view the recurring schedule list, go to Firewall > Schedule > Recurring.
Figure 228: Recurring schedule list

Create New      Add a recurring schedule.
Name            The name of the recurring schedule.
Day             The initials of the days of the week on which the schedule is active.
Start           The time of day at which the schedule starts.
Stop            The time of day at which the schedule stops.
Delete icon     Remove the schedule from the list. The Delete icon appears only if the schedule
                is not being used in a firewall policy.
Edit icon       Select to edit the schedule.

New Recurring Schedule dialog

Name            Enter a name for the schedule.
Select          Select the days of the week on which the schedule is active.
Start           The time of day at which the schedule starts.
Stop            The time of day at which the schedule stops.

One-time schedule list (Firewall > Schedule > One-time)

Create New      Add a one-time schedule.
Name            The name of the one-time schedule.
Start           The date and time at which the schedule starts.
Stop            The date and time at which the schedule stops.
Delete icon     Remove the schedule from the list. The Delete icon appears only if the schedule
                is not being used in a firewall policy.
Edit icon       Select to edit the schedule.

New One-time Schedule dialog

Name            Enter a name for the schedule.
Start           The date and time at which the schedule starts.
Stop            The date and time at which the schedule stops.

Schedule group dialog

Group Name          Enter a name to identify the schedule group.
Available Schedules The list of recurring and one-time schedules available for your group. Use the
                    arrow buttons to move selected schedules between this list and Members.
Members             The list of schedules in the group. Use the arrows to move selected schedules
                    between this list and Available Schedules.
Traffic Shaping
Traffic shaping, once included in a firewall policy, controls the bandwidth available to, and
sets the priority of, the traffic processed by the policy. Traffic shaping makes it possible to
control which policies have the highest priority when large amounts of data are moving
through the FortiGate unit. For example, the policy for the corporate web server might be
given higher priority than the policies for most employees' computers. An employee who
needs extra high speed Internet access could have a special outgoing policy set up with
higher bandwidth.
Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or SSLVPN.
It is also available for all supported services, including H.323, TCP, UDP, ICMP, and ESP.
Guaranteed and maximum bandwidth in combination with queuing ensure that minimum and
maximum bandwidth is available for traffic.
Traffic shaping cannot increase the total amount of bandwidth available, but you can use it
to improve the quality of bandwidth-intensive and latency-sensitive traffic.
For more information about firewall policies, see Firewall Policy on page 363.
Note: For more information about traffic shaping you can also see the FortiGate Traffic
Shaping Technical Note.
Once included in a firewall policy, the guaranteed and maximum bandwidth is the total
bandwidth available to all traffic controlled by the policy. If multiple users start multiple
communication sessions using the same policy, all of these sessions must share the
bandwidth available for the policy.
However, bandwidth availability is not shared between multiple instances of the same
service if these instances are controlled by different policies. For example, you can create
one FTP policy to limit the amount of bandwidth available for FTP for one network address
and create another FTP policy with a different bandwidth availability for another network
address.
Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy
does not allow any traffic.
Traffic priority
When adding a traffic shaper, you can set traffic priority to manage the relative priorities of
different types of traffic. Important and latency-sensitive traffic should be assigned a high
priority. Less important and less sensitive traffic should be assigned a low priority.
The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is
not needed for high-priority connections.
For example, you can add policies to guarantee bandwidth for voice and e-commerce
traffic. Then you can assign a high priority to the policy that controls voice traffic and a
medium priority to the policy that controls e-commerce traffic. During a busy time, if both
voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic
will be transmitted before the e-commerce traffic.
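The following is an added illustration, not FortiGate code and not its scheduler, of how the rules stated above combine on a congested link: each policy's guaranteed bandwidth is reserved for it, its maximum bandwidth caps it, leftover capacity goes to higher-priority policies before lower-priority ones, a policy with no shaper is treated as high priority, and a shaper with both values set to 0 passes no traffic. The link capacity, policy names and demands are constructed for the example.

```python
"""Simplified model of how guaranteed bandwidth, maximum bandwidth and traffic
priority interact when several shaped policies share one congested link.

This is an added illustration, not FortiGate code; it follows only the rules
stated in the text: each policy's guaranteed bandwidth is reserved for it, its
maximum bandwidth caps it, leftover capacity goes to higher-priority policies
before lower-priority ones, a policy without a shaper is treated as high
priority, and a shaper with both values set to 0 passes no traffic. The link
capacity, policy names and demands below are constructed for the example.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class ShapedPolicy:
    name: str
    guaranteed_kbps: int
    maximum_kbps: int        # hard cap; the model requires maximum >= guaranteed
    demand_kbps: int         # how much traffic is trying to use the policy
    priority: str = "high"   # a policy with no shaper applied defaults to high

    def cap(self) -> int:
        """Most the policy can ever receive: its demand, bounded by its maximum."""
        return min(self.demand_kbps, self.maximum_kbps)


def allocate(link_kbps: int, policies: list) -> dict:
    """Return the kbps each policy receives on a link of link_kbps capacity."""
    alloc = {p.name: 0 for p in policies}
    remaining = link_kbps
    # Pass 1: guaranteed bandwidth is honoured for every policy regardless of
    # priority (a 0/0 shaper has cap 0 and therefore gets nothing here).
    for p in policies:
        share = min(p.guaranteed_kbps, p.cap(), remaining)
        alloc[p.name] += share
        remaining -= share
    # Pass 2: whatever is left is handed out in priority order, so low-priority
    # policies only see bandwidth the higher-priority ones did not need.
    for p in sorted(policies, key=lambda q: PRIORITY_RANK[q.priority]):
        extra = min(max(p.cap() - alloc[p.name], 0), remaining)
        alloc[p.name] += extra
        remaining -= extra
    return alloc


# Constructed scenario: a 10 Mbit/s link during a busy period.
SAMPLE_POLICIES = [
    ShapedPolicy("voice",     guaranteed_kbps=2000, maximum_kbps=4000, demand_kbps=3000, priority="high"),
    ShapedPolicy("ecommerce", guaranteed_kbps=2000, maximum_kbps=6000, demand_kbps=6000, priority="medium"),
    ShapedPolicy("bulk",      guaranteed_kbps=0,    maximum_kbps=8000, demand_kbps=8000, priority="low"),
    ShapedPolicy("blocked",   guaranteed_kbps=0,    maximum_kbps=0,    demand_kbps=1000, priority="high"),
]


def busy_link_allocation() -> dict:
    """Allocation for the constructed scenario (voice 3000, ecommerce 6000, bulk 1000, blocked 0)."""
    return allocate(10_000, SAMPLE_POLICIES)


if __name__ == "__main__":
    for name, kbps in busy_link_allocation().items():
        print(f"{name:10s} {kbps:6d} kbps")
```

In the scenario the low-priority bulk policy receives only the 1000 kbps that voice and e-commerce did not use, and the 0/0 shaper passes nothing, which is the behaviour the note above warns about.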
Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic
shaping is not effective during periods when traffic exceeds the capacity of the FortiGate
unit. Since packets must be received by the FortiGate unit before they are subject to traffic
shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped
packets, delays, and latency are likely to occur.
To ensure that traffic shaping is working at its best, make sure that the interface ethernet
statistics show no errors, collisions or buffer overruns. If any of these problems do appear,
then FortiGate and switch settings may require adjusting. For more information, see the
FortiGate Traffic Shaping Technical Note.
Shared traffic shaper list (Firewall > Traffic Shaper > Shared)

Create New      Add a shared traffic shaper.
Name            The name of the shared traffic shaper.
Delete icon     Remove the shared traffic shaper.
Edit icon       Edit the shared traffic shaper.

New Shared Traffic Shaper dialog

Name                    Enter a name for the shared traffic shaper.
Per Policy / For all policies using this shaper
                        Select Per Policy to apply this traffic shaper to a single firewall policy that uses it.
                        Select For all policies using this shaper to apply this traffic shaper to all firewall
                        policies that use it.
Shaping Methods         Configure the traffic shaping methods used by the shared traffic shaper.
Guaranteed Bandwidth    Select to guarantee a minimum amount of bandwidth for the traffic controlled
                        by the policy.
Maximum Bandwidth       Select to limit bandwidth in order to keep less important services from using
                        bandwidth needed for more important ones.
                        Do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or
                        the firewall policy that the shared traffic shaper is added to will not allow any
                        traffic.
Traffic Priority        Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit
                        manages the relative priorities of different types of traffic. For example, a policy
                        for connecting to a secure web server needed to support e-commerce traffic
                        should be assigned a high traffic priority. Less important services should be
                        assigned a low priority. The firewall provides bandwidth to low-priority
                        connections only when bandwidth is not needed for high-priority connections.
                        Be sure to enable traffic shaping on all firewall policies. If you do not apply any
                        traffic shaping rule to a policy, the policy is set to high priority by default, so
                        unshaped traffic competes on equal terms with the traffic you meant to prioritize.
                        Distribute firewall policies over all three priority queues.
Quotas and Accounting
None                    Do not record accounting information for the shaper.
Generate Accounting Log Enable to monitor and write accounting log messages that record the
                        volume of traffic accepted by the traffic shaper. Select the log period:
                        every Hour, Day, Week, or Month.

Per-IP Traffic Shaper list (Firewall > Traffic Shaper > Per-IP)

Create New      Add a per-IP traffic shaper.
Name            The name of the per-IP traffic shaper.
Delete icon     Remove the per-IP traffic shaper.
Edit icon       Edit the per-IP traffic shaper.

New Per-IP Traffic Shaper dialog

Name            Enter a name for the per-IP traffic shaper.
IP List
IP/Range        Add the IP addresses or IP address ranges that this per-IP traffic shaper
                applies to.
Add             Add another IP address or IP address range to the list.
Delete icon     Remove an IP address or IP address range from the list.
Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP
addresses and ports of packets received by a network interface, including a modem
interface.
When the FortiGate unit receives inbound packets matching a firewall policy whose
Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packets'
IP addresses with the virtual IP's mapped IP address.
IP pools, similarly to virtual IPs, can be used to configure aspects of NAT; however, IP
pools configure dynamic translation of packets' IP addresses based on the Destination
Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packet's IP
addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For details, see Configuring virtual IPs on page 426.
Note: In Transparent mode, from the FortiGate CLI you can configure NAT firewall policies
that include virtual IPs and IP pools. See Adding NAT firewall policies in transparent mode
on page 442.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section describes:
Virtual IP Groups
Configuring IP pools
Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to
apply bidirectional NAT, also known as inbound NAT.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/ Feedback
When comparing packets with the firewall policy list to locate a matching policy, if a firewall
policy's Destination Address is a virtual IP, the FortiGate unit compares the packet's destination
address to the virtual IP's external IP address. If they match, the FortiGate unit applies the
virtual IP's inbound NAT mapping, which specifies how the FortiGate unit translates
network addresses and/or port numbers of packets from the receiving (external) network
interface to the network interface connected to the destination (mapped) IP address or IP
address range.
In addition to specifying IP address and port mappings between interfaces, virtual IP
configurations can optionally bind an additional IP address or IP address range to the
receiving network interface. By binding an additional IP address, you can configure a
separate set of mappings that the FortiGate unit can apply to packets whose destination
matches that bound IP address, rather than the IP address already configured for the
network interface.
Depending on your configuration of the virtual IP, its mapping may involve port address
translation (PAT), also known as port forwarding or network address port translation
(NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your
selection of:
the dynamic NAT's load balancing style, if using dynamic NAT mapping
The following table describes combinations of PAT and/or NAT that are possible when
configuring a firewall policy with a virtual IP.

Static NAT            Static, one-to-one NAT mapping: an external IP address is always translated to
                      the same mapped IP address. If using IP address ranges, the external IP address
                      range corresponds to a mapped IP address range containing an equal number of
                      IP addresses, and each IP address in the external range is always translated to
                      the same IP address in the mapped range.
Static NAT with       Static, one-to-one NAT mapping with port forwarding: an external IP address is
Port Forwarding       always translated to the same mapped IP address, and an external port number
                      is always translated to the same mapped port number. If using port number
                      ranges, the external port number range corresponds to a mapped port number
                      range containing an equal number of port numbers, and each port number in the
                      external range is always translated to the same port number in the mapped range.
Server Load           Dynamic, one-to-many NAT mapping: an external IP address is translated to one
Balancing             of the mapped IP addresses, as determined by the selected load balancing
                      algorithm for more even traffic distribution. The external IP address is not
                      always translated to the same mapped IP address.
Server Load           Dynamic, one-to-many NAT mapping with port forwarding: as for Server Load
Balancing with        Balancing, with the external port number also translated to the mapped port
Port Forwarding       number.

Server load balancing requires that you configure at least one real server, but can use up to
eight. Real servers can be configured with health check monitors. Health check monitors can
be used to gauge server responsiveness before forwarding packets.
Note: If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full (source and destination) NAT; instead, it performs destination
network address translation (DNAT) only.
For inbound traffic, DNAT translates the packets' destination address to the mapped private IP
address, but does not translate the source address, so the private network sees the
source's public IP address. For reply traffic, the FortiGate unit translates the packets' private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.
A typical example of static NAT is to allow client access from a public network to a web
server on a private network that is protected by a FortiGate unit. Reduced to its essence,
this example involves only three hosts, as shown in Figure 236: the web server on a
private network, the client computer on another network, such as the Internet, and the
FortiGate unit connecting the two networks.
When a client computer attempts to contact the web server, it uses the virtual IP on the
FortiGate unit's external interface. The FortiGate unit receives the packets. The addresses
in the packets are translated to private network IP addresses, and the packet is forwarded
to the web server on the private network.
Figure 236: A simple static NAT virtual IP example
The packets sent from the client computer have a source IP of 192.168.37.55 and a
destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external
interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings
map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets' addresses.
The source address is changed to 10.10.10.2 and the destination is changed to
10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session
table it maintains internally. The packets are then sent on to the web server.
Figure 237: Example of packet address remapping during NAT from client to server
Note that the client computer's address does not appear in the packets the server
receives. After the FortiGate unit translates the network addresses, there is no reference
to the client computer's IP address, except in its session table. The web server has no
indication that another network exists. As far as the server can tell, all packets are sent by
the FortiGate unit.
When the web server replies to the client computer, address translation works similarly,
but in the opposite direction. The web server sends its response packets with a source
IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit
receives these packets on its internal interface. This time, however, the session table is
used to recall the client computer's IP address as the destination address for the address
translation. In the reply packets, the source address is changed to 192.168.37.4 and the
destination is changed to 192.168.37.55. The packets are then sent on to the client
computer.
The web server's private IP address does not appear in the packets the client receives.
After the FortiGate unit translates the network addresses, there is no reference to the web
server's network. The client has no indication that the web server's IP address is not the
virtual IP. As far as the client is concerned, the FortiGate unit's virtual IP is the web server.
Figure 238: Example of packet address remapping during NAT from server to client
In the previous example, the NAT check box is checked when configuring the firewall
policy. If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full NAT; instead, it performs destination network address
translation (DNAT) only.
For inbound traffic, DNAT translates the packets' destination address to the mapped private IP
address, but does not translate the source address, so the web server sees the client's real
IP address (which is what you want if the server's logs or access controls depend on it). For
reply traffic, the FortiGate unit translates the packets' private network source IP address to
match the destination address of the originating packets, which is maintained in the session
table.
Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an
outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional
outbound NAT to connections outbound from private network IP addresses to public
network IP addresses. However, if virtual IP configurations exist, FortiGate units use the
virtual IPs' inbound NAT mappings in reverse to apply outbound NAT, causing IP address
mappings for both inbound and outbound traffic to be symmetric.
For example, if a network interface's IP address is 10.10.10.1, and its bound virtual IP's
external IP is 10.10.10.2, mapping inbound traffic to the private network IP address
192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not
10.10.10.1. Keep this in mind when checking which public address a mapped server is seen
as using by hosts on the external network.
Virtual IP, load balance virtual server and load balance real server limitations
The following limitations apply when adding virtual IPs, load balancing virtual servers,
and load balancing real servers. Load balancing virtual servers are actually server load
balancing virtual IPs. You can add server load balance virtual IPs from the CLI.
When port forwarding, the count of mapped port numbers and external port
numbers must be the same. The web-based manager does this automatically but
the CLI does not, so check the ranges you enter from the CLI.
Virtual IP and virtual server names must be different from firewall address or
address group names.
Virtual IP list (Firewall > Virtual IP > Virtual IP)

Create New         Add a virtual IP.
Name               The name of the virtual IP.
IP                 The external IP address or IP address range of the virtual IP.
Service Port       The external port number or port number range. This field is empty if the virtual
                   IP does not specify port forwarding.
Map to IP/IP Range The mapped IP address or IP address range.
Map to Port        The mapped port number or port number range. This field is empty if the
                   virtual IP does not specify port forwarding.
Delete icon        Remove the virtual IP from the list. The Delete icon only appears if the virtual IP
                   is not selected in a firewall policy.
Edit icon          Edit the virtual IP to change any virtual IP option including the virtual IP name.
New Virtual IP dialog

Name                      Enter or change the name to identify the virtual IP. To avoid confusion,
                          addresses, address groups, and virtual IPs cannot have the same names.
External Interface        Select the virtual IP external interface from the list. The external interface is
                          connected to the source network and receives the packets to be forwarded to
                          the destination network. You can select any FortiGate interface, VLAN
                          subinterface, VPN interface, or modem interface.
Type                      Select Static NAT or Load Balance.
External IP Address/Range Enter the external IP address that you want to map to an address on the
                          destination network.
                          To configure a dynamic virtual IP that accepts connections for any IP address,
                          set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you
                          can only add one mapped IP address. For a load balance dynamic virtual IP
                          you can specify a single mapped address or a mapped address range.
Mapped IP Address/Range   Enter the real IP address on the destination network to which the external IP
                          address is mapped.
                          You can also enter an address range to forward packets to multiple IP
                          addresses on the destination network.
                          For a static NAT virtual IP, if you add a mapped IP address range the FortiGate
                          unit calculates the external IP address range and adds the IP address range to
                          the External IP Address/Range field.
                          This option appears only if Type is Static NAT.
Port Forwarding           Select to translate port numbers as well as IP addresses.
Protocol                  Select the protocol of the forwarded ports (for example, TCP).
                          This option appears only if Port Forwarding is enabled.
External Service Port     Enter the external interface port number for which you want to configure port
                          forwarding.
                          This option appears only if Port Forwarding is enabled.
Map to Port               Enter the port number on the destination network to which the external port
                          number is mapped.
                          You can also enter a port number range to forward packets to multiple ports on
                          the destination network.
                          For a virtual IP with static NAT, if you add a map to port range the FortiGate unit
                          calculates the external port number range and adds the port number range to
                          the External Service Port field.
                          This option appears only if Port Forwarding is enabled.
To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to
the network interface, and selecting the mapping type and mapped IP address(es)
and/or port(s). For configuration examples of each type, see:
Adding a static NAT virtual IP for a single IP address on page 428
Adding a static NAT virtual IP for an IP address range on page 429
Adding static NAT port forwarding for a single IP address and a single port on
page 431
Adding static NAT port forwarding for an IP address range and a port range on
page 432
Adding dynamic virtual IPs on page 434
Adding a virtual IP with port translation only on page 435
4 Select OK.
The virtual IP appears in the virtual IP list.
5 To implement the virtual IP, select the virtual IP in a firewall policy.
For example, to add a firewall policy that maps public network addresses to a private
network, you might add an external to internal firewall policy and select the Source
Interface/Zone to which a virtual IP is bound, then select the virtual IP in the
Destination Address field of the policy. For details, see Configuring firewall policies on
page 367.
Adding a static NAT virtual IP for a single IP address
Figure: static NAT virtual IP for a single IP address. The client at 192.168.37.55 sends packets to
the virtual IP 192.168.37.4 on the external interface (1); the FortiGate unit forwards them from its
internal IP 10.10.10.2 to the web server at 10.10.10.42 (2).
To add a static NAT virtual IP for a single IP address
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP:
Name                       static_NAT
External Interface         external
Type                       Static NAT
External IP Address/Range  192.168.37.4 (the virtual IP shown in the figure)
Mapped IP Address/Range    10.10.10.42, the IP address of the web server on the internal network.
                           Since there is only one IP address, leave the second field blank.
4 Select OK.
To add a static NAT virtual IP for a single IP address to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP address, packets pass through the
FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates
the destination address of these packets from the external IP to the DMZ network IP
address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone       external
Source Address              all
Destination Interface/Zone  dmz1
Destination Address         static_NAT
Schedule                    always
Service                     HTTP
Action                      ACCEPT
3 Select NAT.
4 Select OK.
Adding a static NAT virtual IP for an IP address range
Figure: static NAT virtual IP for an IP address range. Clients on the Internet at 172.168.37.55,
172.20.37.126 and 172.199.190.25 send packets to the virtual IPs 192.168.37.4, 192.168.37.5 and
192.168.37.6 (1); the FortiGate unit forwards them from its internal IP 10.10.10.2 to the servers at
10.10.10.42, 10.10.10.43 and 10.10.10.44 on the internal network (2). Each external address is
always translated to the same server: 192.168.37.4 to 10.10.10.42, 192.168.37.5 to 10.10.10.43,
and 192.168.37.6 to 10.10.10.44.
To add a static NAT virtual IP for an IP address range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP:
Name                       static_NAT_range
External Interface         wan1
Type                       Static NAT
External IP Address/Range  192.168.37.4 to 192.168.37.6 (the virtual IPs shown in the figure)
Mapped IP Address/Range    10.10.10.42 to 10.10.10.44, the IP addresses of the servers. The mapped
                           range must contain the same number of addresses as the external range.
4 Select OK.
To add a static NAT virtual IP with an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the server IP addresses, packets pass through the
FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the
destination addresses of these packets from the wan1 IP addresses to the DMZ network IP
addresses of the servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone       wan1
Source Address              all
Destination Interface/Zone  dmz1
Destination Address         static_NAT_range
Schedule                    always
Service                     HTTP
Action                      ACCEPT
3 Select NAT.
4 Select OK.
Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000
on a private network. Attempts to communicate with 192.168.37.4, port 80 from the
Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The
computers on the Internet are unaware of this translation and see a single computer at
192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.
Figure 246: Static NAT virtual IP port forwarding for a single IP address and a single port
example. The client at 192.168.37.55 sends packets to 192.168.37.4, destination port 80 (1);
the FortiGate unit forwards them from its internal IP 10.10.10.2 to the server at 10.10.10.42,
destination port 8000 (2).
To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In our example, the wan1 interface of the
FortiGate unit is connected to the Internet and the dmz1 interface is connected to the
DMZ network.
Figure 247: Virtual IP options: Static NAT port forwarding virtual IP for a single IP address
and a single port
Name                       Port_fwd_NAT_VIP
External Interface         wan1
Type                       Static NAT
External IP Address/Range  192.168.37.4
Mapped IP Address/Range    10.10.10.42
Port Forwarding            Selected
Protocol                   TCP
External Service Port      80. The port traffic from the Internet will use. For a web server, this will
                           typically be port 80.
Map to Port                8000. The port on which the server expects traffic. Since there is only one
                           port, leave the second field blank.
4 Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a single port
to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP address, packets pass through the
FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the
destination address and port of these packets from the external IP to the DMZ network
IP address and port of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone       wan1
Source Address              all
Destination Interface/Zone  dmz1
Destination Address         Port_fwd_NAT_VIP
Schedule                    always
Service                     HTTP
Action                      ACCEPT
3 Select NAT.
4 Select OK.
Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.6 on the Internet are mapped to
ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network. The
external and mapped IP address ranges contain the same number of addresses, as do the
two port ranges. Attempts to communicate with 192.168.37.5, port 82 from the Internet, for
example, are translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The
computers on the Internet are unaware of this translation and see a single computer at
192.168.37.5 rather than a FortiGate unit with a private network behind it.
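The following is an added example, not FortiGate code, that models the behaviour described in the NAT check box note, the Outbound connections section, and this IP range and port range example: a static NAT virtual IP maps the external range to the mapped range position by position (192.168.37.5 port 82 to 10.10.10.43 port 8002); a policy with NAT selected rewrites the source address to the FortiGate's internal IP and restores the client's address from the session table on the reply, while a policy without NAT (DNAT only) leaves the source untouched; and outbound traffic from a mapped server is translated to its virtual IP rather than to the interface address. The IP addresses are those of the page's examples; the session-table layout, the client's source port and the internal IP of 10.10.10.2 are taken from the figures or constructed for the example.

```python
"""Model of a static NAT virtual IP with port forwarding, applied by a policy
with and without the NAT check box, and of the reverse (outbound) use of the
same mapping.

Added example, not FortiGate code. It implements the rules given on this page:
external and mapped ranges have the same size and map position by position
(192.168.37.5 port 82 -> 10.10.10.43 port 8002); with NAT selected the source
address is rewritten to the FortiGate's internal IP and restored from the
session table on the reply; without NAT (DNAT only) the source is left alone;
and outbound traffic from a mapped server is translated to its virtual IP
rather than to the interface address. Addresses are taken from the page's
examples; the session-table layout and the source ports are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def _offset(ip: str, base: str) -> int:
    return int(IPv4Address(ip)) - int(IPv4Address(base))


def _shift(base: str, offset: int) -> str:
    return str(IPv4Address(int(IPv4Address(base)) + offset))


@dataclass(frozen=True)
class StaticNatVip:
    ext_ip_start: str
    map_ip_start: str
    ip_count: int                 # external and mapped ranges are the same size
    ext_port_start: int = 0       # port_count == 0 means no port forwarding
    map_port_start: int = 0
    port_count: int = 0

    def inbound(self, dst_ip: str, dst_port: int):
        """(mapped_ip, mapped_port) for a packet sent to the VIP, or None."""
        off = _offset(dst_ip, self.ext_ip_start)
        if not 0 <= off < self.ip_count:
            return None
        mapped_ip = _shift(self.map_ip_start, off)
        if self.port_count == 0:
            return mapped_ip, dst_port            # addresses only, port unchanged
        poff = dst_port - self.ext_port_start
        if not 0 <= poff < self.port_count:
            return None                           # port outside the forwarded range
        return mapped_ip, self.map_port_start + poff

    def outbound_source(self, src_ip: str):
        """External address outbound traffic from a mapped host is given, or None."""
        off = _offset(src_ip, self.map_ip_start)
        return _shift(self.ext_ip_start, off) if 0 <= off < self.ip_count else None


@dataclass
class VipPolicy:
    """An external-to-DMZ policy whose Destination Address is the VIP."""
    vip: StaticNatVip
    internal_ip: str              # FortiGate address on the server-side interface
    nat: bool                     # the policy's NAT check box
    sessions: dict = field(default_factory=dict)

    def forward(self, pkt):
        """Translate (src_ip, src_port, dst_ip, dst_port) arriving from the Internet."""
        src_ip, src_port, dst_ip, dst_port = pkt
        mapped = self.vip.inbound(dst_ip, dst_port)
        if mapped is None:
            return None                           # policy does not match
        new_src = self.internal_ip if self.nat else src_ip
        out = (new_src, src_port, *mapped)
        # Key the session by what the server will see so the reply can be undone.
        self.sessions[(mapped[0], mapped[1], new_src, src_port)] = pkt
        return out

    def reply(self, pkt):
        """Translate the server's reply back; None if no session exists for it."""
        orig = self.sessions.get(pkt)
        if orig is None:
            return None
        o_src, o_sport, o_dst, o_dport = orig
        return (o_dst, o_dport, o_src, o_sport)


# Page example: 192.168.37.4-6 ports 80-83 -> 10.10.10.42-44 ports 8000-8003.
VIP = StaticNatVip("192.168.37.4", "10.10.10.42", 3,
                   ext_port_start=80, map_port_start=8000, port_count=4)


def walk_through(nat: bool):
    """Client 172.20.37.126 (constructed source port 40000) contacts 192.168.37.5:82."""
    policy = VipPolicy(VIP, internal_ip="10.10.10.2", nat=nat)
    to_server = policy.forward(("172.20.37.126", 40000, "192.168.37.5", 82))
    # The server answers whatever source address it saw.
    from_server = (to_server[2], to_server[3], to_server[0], to_server[1])
    return to_server, policy.reply(from_server)
```

With NAT selected the server sees 10.10.10.2 as the client; without it the server sees 172.20.37.126. In both cases the reply leaves with source 192.168.37.5 port 82, and a reply for which no session exists is not translated, which is why replies cannot be injected from the DMZ side without a matching inbound packet.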
432
Firewall Virtual IP
Figure 248: Static NAT virtual IP port forwarding for an IP address range and a port range example
To add static NAT virtual IP port forwarding for an IP address range and a port range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In this example, the external interface of
the FortiGate unit is connected to the Internet and the dmz1 interface is connected to
the DMZ network.
Figure 249: Virtual IP options: Static NAT port forwarding virtual IP for a range of IP addresses and a range of ports
Name: Port_fwd_NAT_VIP_port_range
External Interface: external
Type: Static NAT
External IP Address/Range
Mapped IP Address/Range
Port Forwarding: Selected
Protocol: TCP
The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
Map to Port: The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.
4 Select OK.
To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP addresses, packets pass through the
FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates
the destination addresses and ports of these packets from the external IP to the dmz
network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: external
Source Address
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP_port_range
Schedule: always
Service: HTTP
Action: ACCEPT
3 Select NAT.
4 Select OK.
To disable arp-reply
In some cases, when you have completed this configuration the FortiGate unit will drop
the packets received on the External Interface. To make sure this does not happen you
can log into the FortiGate CLI and use the following procedure to disable arp replies for
the port translation only virtual IP.
1 Log into the FortiGate CLI.
2 Enter the following command where <vip_name> is the name of the port translation
only virtual IP.
config firewall vip
edit <vip_name>
set arp-reply disable
end
Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy
list. For example, instead of having five identical policies for five different but related virtual
IPs located on the same network interface, you might combine the five virtual IPs into a
single virtual IP group, which is used by a single firewall policy.
Firewall policies using VIP Groups are matched by comparing both the member VIP IP
address(es) and port number(s).
Create New: Select to add a new VIP group. See Configuring VIP groups on page 436.
Group Name
Members
Interface
Delete icon: Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.
Edit icon: Edit the VIP group information, including the group name and membership.
Group Name
Interface: Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Configuring IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly
selected from the IP pool, rather than the IP address assigned to that FortiGate unit
interface. In Transparent mode, IP pools are available only from the FortiGate CLI.
An IP pool defines a single IP address or a range of IP addresses. A single IP address in
an IP pool becomes a range of one IP address. For example, if you enter an IP pool as
1.1.1.1 the IP pool is actually the address range 1.1.1.1 to 1.1.1.1.
If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the
interface responds to ARP requests for all of the IP addresses in the overlapping IP pools.
For example, consider a FortiGate unit with the following IP addresses for the port1 and
port2 interfaces:
IP_pool_1: 1.1.1.10-1.1.1.20
IP_pool_2: 2.2.2.10-2.2.2.20
IP_pool_3: 2.2.2.30-2.2.2.40
The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-2.2.2.40.
Select NAT in a firewall policy and then select Dynamic IP Pool and select an IP pool to
translate the source address of packets leaving the FortiGate unit to an address randomly
selected from the IP pool.
Original address    Change to
192.168.1.1         172.16.30.1
192.168.1.2         172.16.30.2
......              ......
192.168.1.254       172.16.30.254
Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism.
If you enable fixedport in such a case, the FortiGate unit preserves the original source
port. But conflicts may occur, since different users may have sessions that translate to
the same TCP 5-tuple.
Original address    Change to
192.168.1.1         172.16.30.10
192.168.1.2         172.16.30.11
......              ......
192.168.1.10        172.16.30.19
192.168.1.11        172.16.30.10
192.168.1.12        172.16.30.11
192.168.1.13        172.16.30.12
......              ......
Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses are used and the rest of them are not used.
Original address    Change to
192.168.1.1         172.16.30.10
192.168.1.2         172.16.30.11
192.168.1.3         172.16.30.12
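The three scenarios above follow one mapping rule (source host offset modulo pool size). The following added example, our own model rather than FortiOS code, reproduces the three tables and flags the fixedport 5-tuple conflicts that scenario 2 warns about; the function names and the constructed session list are assumptions.

```python
# Added example (our own model, not FortiOS code) of the IP pool source NAT
# mapping in the three scenarios above. A source address is mapped to the pool
# address at the same offset, counting hosts from .1, and the offset wraps
# around when there are more sources than pool addresses (scenario 2). With
# fixedport the source port is kept, so two sources that wrap onto the same
# pool address and reuse a source port yield the same translated 5-tuple.
import ipaddress
from collections import defaultdict


def pool_address(src_ip, src_network, pool_start, pool_end):
    """Pool address chosen for src_ip (wrap-around when the pool is smaller)."""
    net = ipaddress.ip_network(src_network)
    src = ipaddress.ip_address(src_ip)
    if src not in net:
        raise ValueError(f"{src_ip} is not in {src_network}")
    start = ipaddress.ip_address(pool_start)
    pool_size = int(ipaddress.ip_address(pool_end)) - int(start) + 1
    if pool_size < 1:
        raise ValueError("pool end must not be lower than pool start")
    host_offset = int(src) - int(net.network_address) - 1   # x.x.x.1 -> 0
    return str(start + host_offset % pool_size)


def translated_tuple(session, src_network, pool_start, pool_end):
    """5-tuple after source NAT with fixedport (source port unchanged)."""
    proto, src_ip, src_port, dst_ip, dst_port = session
    new_src = pool_address(src_ip, src_network, pool_start, pool_end)
    return (proto, new_src, src_port, dst_ip, dst_port)


def fixedport_conflicts(sessions, src_network, pool_start, pool_end):
    """Group sessions whose translated 5-tuples collide under fixedport."""
    by_tuple = defaultdict(list)
    for s in sessions:
        by_tuple[translated_tuple(s, src_network, pool_start, pool_end)].append(s)
    return {t: group for t, group in by_tuple.items() if len(group) > 1}


# Constructed sessions for scenario 2: 254 sources, a 10-address pool.
SRC_NET, POOL_START, POOL_END = "192.168.1.0/24", "172.16.30.10", "172.16.30.19"
SESSIONS = [
    ("tcp", "192.168.1.1", 40000, "203.0.113.10", 443),
    ("tcp", "192.168.1.11", 40000, "203.0.113.10", 443),  # wraps onto .10 too
    ("tcp", "192.168.1.2", 40000, "203.0.113.10", 443),
]

if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.1.10", "192.168.1.11"):
        print(host, "->", pool_address(host, SRC_NET, POOL_START, POOL_END))
    print(fixedport_conflicts(SESSIONS, SRC_NET, POOL_START, POOL_END))
```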
Create New
Name
Start IP: Enter the start IP, which defines the start of the IP pool address range.
End IP: Enter the end IP, which defines the end of the IP pool address range.
Delete icon: Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Edit icon: Select to edit the IP pool. You can change the Name, Interface, IP Range/Subnet.
Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.
Figure 253: New Dynamic IP Pool
Name
IP Range/Subnet: Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the IP range do not have to be on the same subnet as the IP address of the interface to which you are adding the IP pool.
Users in the 10.1.1.0/24 subnet use port 8080 to access server 172.16.1.1.
[Figure: example network. Interfaces: Internal (10.1.3.0/16, behind a router without NAT), External (Internet, 10.1.2.0/24), DMZ (servers 172.16.1.1, 172.16.1.2 and 172.16.1.3, behind a router without NAT).]
To allow the local users to access the server, you can use fixed port and IP pool to allow
more than one user connection while using virtual IP to translate the destination port from
8080 to 80.
To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.
2 Select Create New.
3 Enter the following information and select OK.
Name: pool-1
IP Range/Subnet: 10.1.3.1-10.1.3.254
Name: server-1
External Interface: Internal
Type: Static NAT
External IP Address/Range: 172.16.1.1
Note this address is the same as the server address.
Mapped IP Address/Range: 172.16.1.1
Port Forwarding: Enable
Protocol: TCP
8080
Map to Port: 80
Source Interface/Zone: internal
Source Address: 10.1.1.0/24
Destination Interface/Zone: dmz
Destination Address: server-1
Schedule: always
Service: HTTP
Action: ACCEPT
NAT: Select
Dynamic IP Pool
4 Select OK.
Enable NAT to translate the source addresses of packets as they pass through the
FortiGate unit.
Add virtual IPs to translate destination addresses of packets as they pass through the
FortiGate unit.
For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two
different networks with two different subnet addresses. Then you can create firewall
policies to translate source or destination addresses for packets as they are relayed by the
FortiGate unit from one interface to the other.
A FortiGate unit operating in Transparent mode normally has only one IP address, the
management IP. To support NAT in Transparent mode you can add a second
management IP. These two management IPs must be on different subnets. When you add
two management IP addresses, all FortiGate unit network interfaces will respond to
connections to both of these IP addresses.
In the example shown in Figure 255, all of the PCs on the internal network (subnet
address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of
the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results
in a typical NAT mode firewall. When a PC on the internal network attempts to connect to
the Internet, the PC's default route sends packets destined for the Internet to the FortiGate
unit internal interface.
Similarly on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default
route of 10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these packets
from the internal interface out the wan1 interface to the Internet. Because the wan1
interface does not have an IP address of its own, you must add an IP pool to the wan1
interface that translates the source addresses of the outgoing packets to an IP address on
the network connected to the wan1 interface.
The example describes adding an IP pool with a single IP address of 10.1.1.201. So all
packets sent by a PC on the internal network that are accepted by the internal to wan1
policy leave the wan1 interface with their source address translated to 10.1.1.201. These
packets can now travel across the Internet to their destination. Reply packets return to the
wan1 interface because they have a destination address of 10.1.1.201. The internal to
wan1 NAT policy translates the destination address of these return packets to the IP
address of the originating PC and sends them out the internal interface to the originating
PC.
Use the following steps to configure NAT in Transparent mode
[Figure: NAT in Transparent mode (the figure referred to above as Figure 255). The FortiGate unit runs in Transparent mode with management IPs 10.1.1.99 and 192.168.1.99; the Internal interface connects to the internal network 192.168.1.0/24, the DMZ interface to the DMZ network 10.1.1.0/24, and WAN 1 to a router on 10.1.1.0/24.]
[Figure: server load balancing. A user on the Internet/Intranet connects across the LAN/WAN through the FortiGate unit, which distributes the sessions over three real servers.]
Create New
Name
Type
Comments
Virtual Server IP
Virtual Server Port: The external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.
Health Check: The health check monitor selected for this virtual server. For more information, see Health Check on page 450.
Persistence
Delete icon: Remove the virtual server from the list. The Delete icon only appears if the virtual server is not bound to a real server.
Edit icon: Edit the virtual server to change any virtual server option including the virtual server name.
Name: Enter the name for the virtual server. This name is not the hostname for the FortiGate unit.
Type: Select the protocol to be load balanced by the virtual server. If you select a
general protocol such as IP, TCP, or UDP the virtual server load balances all IP,
TCP, or UDP sessions. If you select specific protocols such as HTTP, HTTPS, or
SSL you can apply additional server load balancing features such as Persistence
and HTTP Multiplexing.
Select HTTP to load balance only HTTP sessions with destination port
number that matches the Virtual Server Port setting. Change Virtual Server
Port to match the destination port of the sessions to be load balanced (usually
port 80 for HTTP sessions). You can also select HTTP Multiplex. You can also
set Persistence to HTTP Cookie to select cookie-based persistence. See the
description of the config firewall VIP command in the FortiGate CLI
Reference for information about advanced HTTP Cookie persistence options.
Select HTTPS to load balance only HTTPS sessions with destination port
number that matches the Virtual Server Port setting. Change Virtual Server
Port to match the destination port of the sessions to be load balanced (usually
port 443 for HTTPS sessions). You can also select HTTP Multiplex. You can
also set Persistence to HTTP Cookie to select cookie-based persistence. You
can also set Persistence to SSL Session ID. See the description of the
config firewall VIP command in the FortiGate CLI Reference for
information about advanced HTTP Cookie persistence options and advanced
SSL options. HTTPS is available on FortiGate units that support SSL
acceleration.
Select IP to load balance all sessions accepted by the firewall policy that
contains this virtual server.
Select SSL to load balance only SSL sessions with destination port number
that matches the Virtual Server Port setting. Change Virtual Server Port to
match the destination port of the sessions to be load balanced. See the
description of the config firewall VIP command in the FortiGate CLI
Reference for information about advanced SSL options.
Select TCP to load balance only TCP sessions with destination port number
that matches the Virtual Server Port setting. Change Virtual Server Port to
match the destination port of the sessions to be load balanced.
Select UDP to load balance only UDP sessions with destination port number
that matches the Virtual Server Port setting. Change Virtual Server Port to
match the destination port of the sessions to be load balanced.
Interface: Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Virtual Server IP: The IP address of the virtual server. This is an IP address on the external interface that you want to map to an address on the destination network.
Virtual Server Port: Enter the external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.
Persistence: Configure persistence to make sure that a user is connected to the same server every time they make a request that is part of the same session.
When you configure persistence, the FortiGate unit load balances a new session
to a real server according to the Load Balance Method. If the session has an
HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent
sessions with the same HTTP cookie or SSL session ID to the same real server.
You can configure persistence if Type is set to HTTP, HTTPS, or SSL.
Select None for no persistence. Sessions are distributed solely according to
the Load Balance Method. Setting Load Balance Method to Static (the
default) results in behavior equivalent to persistence. See the description of
Load Balance Method for more information.
Select HTTP Cookie so that all HTTP or HTTPS sessions with the same
HTTP session cookie are sent to the same real server. HTTP Cookie is
available if Type is set to HTTP or HTTPS. See the description of the config
firewall VIP command in the FortiGate CLI Reference for information
about advanced HTTP Cookie persistence options.
Select SSL Session ID so that all sessions with the same SSL session ID are
sent to the same real server. SSL Session ID is available if Type is set to
HTTPS or SSL.
Note: The Static load balancing method provides persistence as long as the
number of real servers does not change.
HTTP Multiplexing: Select to use the FortiGate unit to multiplex multiple client connections into a few connections between the FortiGate unit and the real server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant.
This option appears only if HTTP or HTTPS are selected for Type.
Note: Additional HTTP Multiplexing options are available in the CLI. For more
information, see the FortiGate CLI Reference.
Preserve Client IP
SSL Offloading: Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading.
Client <-> FortiGate
Select to apply hardware accelerated SSL only to the part of the connection
between the client and the FortiGate unit. The segment between the
FortiGate unit and the server will use clear text communications. This results
in best performance, but cannot be used in failover configurations where the
failover path does not have an SSL accelerator.
Client <-> FortiGate <-> Server
Select to apply hardware accelerated SSL to both parts of the connection: the
segment between client and the FortiGate unit, and the segment between the
FortiGate unit and the server. The segment between the FortiGate unit and
the server will use encrypted communications, but the handshakes will be
abbreviated. This results in performance which is less than the other option,
but still improved over communications without SSL acceleration, and can be
used in failover configurations where the failover path does not have an SSL
accelerator. If the server is already configured to use SSL, this also enables
SSL acceleration without requiring changes to the server's configuration.
SSL 3.0 and TLS 1.0 are supported.
SSL Offloading appears only if HTTPS or SSL are selected for Type, and only on
FortiGate models with hardware that supports SSL acceleration.
Note: Additional SSL Offloading options are available in the CLI. For more
information, see the FortiGate CLI Reference.
Certificate: Select the certificate to use with SSL Offloading. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
This option appears only if HTTPS or SSL are selected for Type, and is available
only if SSL Offloading is selected.
Health Check: Select which health check monitor configuration will be used to determine a server's connectivity status.
For information on configuring health check monitors, see Configuring health
check monitors on page 451.
Comments
3 Select OK.
Create New: Select to add real servers. For more information, see To create a real server on page 451.
IP Address: Select the blue arrow beside a virtual server name to view the IP addresses of the real servers that are bound to it.
Port: The port number on the destination network to which the external port number is mapped.
Weight: The weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle.
Max Connections
Delete icon
Edit icon
Virtual Server: Select the virtual server to which you want to bind this real server.
IP
Port: Enter the port number on the destination network to which the external port number is mapped.
Weight: Enter the weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used. This option is available only if the associated virtual server's load balance method is Weighted.
Maximum Connections: Enter the limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit. Setting Maximum Connections to 0 means that the FortiGate unit does not limit the number of connections to the real server.
3 Select OK.
Create New: Select to add a health check monitor configuration. For more information, see To create a health check monitor configuration on page 452.
Name: The name of the health check monitor configuration. The names are grouped by the health check monitor types.
Details: The details of the health check monitor configuration, which vary by the type of the health check monitor, and do not include the interval, timeout, or retry, which are settings common to all types. This field is empty if the type of the health check monitor is PING.
Delete: Select to remove the health check monitor configuration. This option appears only if the health check monitor configuration is not currently being used by a virtual server configuration.
Edit
Name
Type
Port: Enter the port number used to perform the health check. If you set the Port to 0, the health check monitor uses the port defined in the real server. This way you can use a single health check monitor for different real servers. This option does not appear if the Type is PING.
URL: For HTTP health check monitors, add a URL that the FortiGate unit uses when sending a get request to check the health of an HTTP server. The URL should match an actual URL for the real HTTP servers. The URL is optional. The URL would not usually include an IP address or domain name. Instead it should start with a / and be followed by the address of an actual web page on the real server. For example, if the IP address of the real server is 10.10.10.1, the URL /test_page.htm causes the FortiGate unit to send an HTTP get request to http://10.10.10.1/test_page.htm. This option appears only if Type is HTTP.
Matched Content: For HTTP health check monitors, add a phrase that a real HTTP server should include in response to the get request sent by the FortiGate unit using the content of the URL option. If the URL returns a web page, the Matched Content should exactly match some of the text on the web page. You can use the URL and Matched Content options to verify that an HTTP server is actually operating correctly by responding to get requests with expected web pages. Matched content is only required if you add a URL. For example, you can set Matched Content to server test page if the real HTTP server page defined by the URL option contains the phrase server test page. When the FortiGate unit receives the web page in response to the URL get request, the system searches the content of the web page for the Matched Content phrase. This option appears only if Type is HTTP.
Interval
Timeout: Enter the number of seconds which must pass after the server health check to indicate a failed health check.
Retry: Enter the number of times, if any, a failed health check will be retried before the server is determined to be inaccessible.
3 Select OK.
Virtual Server
Real Server
Health Status: Display the health status according to the health check results for each real server. A green arrow means the server is up. A red arrow means the server is down.
Monitor Events
Active Sessions
RTT (ms): Display the Round Trip Time of each real server. By default, the RTT is <1. This value will change only when ping monitoring is enabled on a real server.
Bytes Processed
Graceful Stop/Start: Select to start or stop real servers. When stopping a server, the FortiGate unit will not accept new sessions but will wait for the active sessions to finish.
[Figure: virtual web server with three real web servers. Client IP 172.199.190.25 sends a session with Source IP 172.199.190.25 and Destination IP 192.168.37.4 to the Virtual Server IP 192.168.37.4; the FortiGate dmz1 interface (IP 10.10.10.2) forwards it to one of the real HTTP servers at 10.10.10.42, 10.10.10.43 and 10.10.10.44 on the DMZ network.]
Name: HTTP_health_chk_1
Type: HTTP
Port: 80
URL: /index.html
Matched Content: Fortinet products
Interval: 10 seconds
Timeout: 2 seconds
Retry
4 Select OK.
To add the HTTP virtual server
1 Go to Firewall > Load Balance > Virtual Server.
2 Select Create New.
3 Add an HTTP virtual server that allows users on the Internet to connect to the real
servers on the internal network. In this example, the FortiGate wan1 interface is
connected to the Internet.
Name: Load_Bal_VS1
Type: HTTP
Interface: wan1
Virtual Server IP: 192.168.37.4
The public IP address of the web server. The virtual server IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Virtual Server Port: 80
Load Balance Method: First Alive
Persistence: HTTP cookie
HTTP Multiplexing: Select. The FortiGate unit multiplexes multiple client connections into a few connections between the FortiGate unit and a real HTTP server. This can improve performance by reducing server overhead associated with establishing multiple connections.
Preserve Client IP: Select. The FortiGate unit preserves the IP address of the client in the X-Forwarded-For HTTP header.
Health Check
4 Select OK.
To add the real servers and associate them with the virtual server
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server Load_Bal_VS1. Each real
server must include the IP address of a real server on the internal network.
Figure 267: Configuration for the real server at IP address 10.10.10.42
Virtual Server: Load_Bal_VS1
IP: 10.10.10.42
Port: 80
Weight
Maximum Connections: 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
Virtual Server: Load_Bal_VS1
IP: 10.10.10.43
Port: 80
Weight
Maximum Connections: 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
Virtual Server: Load_Bal_VS1
IP: 10.10.10.44
Port: 80
Weight
Maximum Connections: 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
Source Interface/Zone: wan1
Source Address
Destination Address: Load_Bal_VS1
Schedule: always
Service: HTTP
Action: ACCEPT
NAT: Select
[Figure: virtual web server with three real web servers using port forwarding. Client IP 172.199.190.25 sends a session with Source IP 172.199.190.25, Destination IP 192.168.37.4, Port 80 to the Virtual Server IP 192.168.37.4; the FortiGate dmz1 interface (IP 10.10.10.2) forwards it to one of the real HTTP servers at 10.10.10.42, 10.10.10.43 and 10.10.10.44 on the DMZ network.]
To complete this configuration, all of the steps would be the same as in Configuring a
virtual web server with three real web servers on page 454 except for configuring the real
servers.
To add the real servers and associate them with the virtual server
Use the following steps to configure the FortiGate unit to port forward HTTP packets to the
three real servers on ports 8080, 8081, and 8082.
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server Load_Bal_VS1. Each real
server must include the IP address of a real server on the internal network and have a
different port number.
Configuration for the first real server.
Virtual Server: Load_Bal_VS1
IP: 10.10.10.42
Port: 8080
Weight
Maximum Connections

Virtual Server: Load_Bal_VS1
IP: 10.10.10.43
Port: 8081
Weight
Maximum Connections

Virtual Server: Load_Bal_VS1
IP: 10.10.10.44
Port: 8082
Weight
Maximum Connections
Name: All_Load_Balance
Type: IP
Interface: port2
Virtual Server IP: 192.168.20.20
Load Balance Method: Weighted
All other virtual server settings are not required or cannot be changed.
4 Select OK.
To add the real servers and associate them with the virtual server
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers that include the virtual server All_Load_Balance.
Because the Load Balancing Method is Weighted, each real server includes a weight.
Servers with a greater weight receive a greater proportion of forwarded connections.
Configuration for the first real server.
Virtual Server: All_Load_Balance
IP: 10.10.10.1
Port
Weight
Maximum Connections: 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Virtual Server: All_Load_Balance
IP: 10.10.10.2
Port
Weight
Maximum Connections: 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.

Virtual Server: All_Load_Balance
IP: 10.10.10.3
Port
Weight
Maximum Connections: 0
Setting Maximum Connections to 0 means the FortiGate unit does not limit the number of connections to the real server. Since the virtual server uses First Alive load balancing you may want to limit the number of connections to each real server to limit the traffic received by each server. In this example, the Maximum Connections is initially set to 0 but can be adjusted later if the real servers are getting too much traffic.
Source Interface/Zone: port2
Source Address
Destination Address: All_Load_Balance
Schedule: always
Service: ANY
Action: ACCEPT
NAT: Select
CLI configuration
Load balancing is configured from the CLI using the config firewall vip command
and by setting type to server-load-balance. The default weight is 1 and does not
have to be changed for the first real server.
Use the following command to add the virtual server and the three weighted real servers.
config firewall vip
edit All_Load_Balance
set type server-load-balance
set server-type ip
set extintf port2
set extip 192.168.20.20
set ldb-method weighted
config realservers
edit 1
set ip 10.10.10.1
next
edit 2
set ip 10.10.10.2
set weight 2
next
edit 3
set ip 10.10.10.3
set weight 3
end
end
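How new sessions are spread by the Weighted method configured above (weights 1, 2 and 3), and by the First Alive method together with Maximum Connections from the earlier example, can be modelled in a few lines. This is an added example with our own RealServer and VirtualServer classes, not FortiOS code; the smooth weighted round robin it uses is one reasonable way to honour the weights, and the guide does not state which scheduler the FortiGate unit implements.

```python
# Added example (our own model, not FortiOS code): how new sessions are spread
# over a virtual server's real servers under the Weighted and First Alive
# load balance methods, honouring the health check result and Maximum
# Connections (0 = unlimited). The weighted scheduler is a smooth weighted
# round robin, one reasonable way to honour the weights; the guide does not
# state the exact algorithm the FortiGate unit uses.
from dataclasses import dataclass


@dataclass
class RealServer:
    ip: str
    weight: int = 1            # 1-255, used only by the Weighted method
    max_connections: int = 0   # 0 means the unit does not limit connections
    up: bool = True            # latest health check result
    active: int = 0            # sessions currently directed to this server

    def can_accept(self):
        limit_ok = self.max_connections == 0 or self.active < self.max_connections
        return self.up and limit_ok


class VirtualServer:
    def __init__(self, method, servers):
        if method not in ("weighted", "first-alive"):
            raise ValueError(f"unsupported load balance method: {method}")
        self.method = method
        self.servers = list(servers)
        self._credit = {s.ip: 0 for s in self.servers}

    def pick(self):
        """Choose the real server for a new session; None if all are unusable."""
        candidates = [s for s in self.servers if s.can_accept()]
        if not candidates:
            return None
        if self.method == "first-alive":
            # Everything goes to the first usable server; the next one is used
            # only when that server is down or at its Maximum Connections.
            chosen = candidates[0]
        else:
            # Smooth weighted round robin: every usable server earns its weight
            # in credit, the richest one serves the session and pays back the
            # total weight, so over total-weight picks each server is chosen
            # exactly weight times.
            for s in candidates:
                self._credit[s.ip] += s.weight
            chosen = max(candidates, key=lambda s: self._credit[s.ip])
            self._credit[chosen.ip] -= sum(s.weight for s in candidates)
        chosen.active += 1
        return chosen.ip


def distribute(vs, n_sessions):
    """Count how n_sessions new sessions are spread over the real servers."""
    counts = {}
    for _ in range(n_sessions):
        ip = vs.pick()
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    # The CLI example above: weights 1, 2 and 3 on 10.10.10.1-10.10.10.3.
    weighted = VirtualServer("weighted", [RealServer("10.10.10.1", 1),
                                          RealServer("10.10.10.2", 2),
                                          RealServer("10.10.10.3", 3)])
    print(distribute(weighted, 60))   # 10 / 20 / 30 sessions
    # First Alive with Maximum Connections 2 on the first two real servers.
    first_alive = VirtualServer("first-alive", [
        RealServer("10.10.10.42", max_connections=2),
        RealServer("10.10.10.43", max_connections=2),
        RealServer("10.10.10.44")])
    print(distribute(first_alive, 5))  # 2 / 2 / 1 sessions
```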
Name: HTTP_Load_Balance
Type: HTTP
Interface: port2
Virtual Server IP: 192.168.20.20
Virtual Server Port: 80
In this example the virtual server uses port 8080 for HTTP sessions instead of port 80.
Load Balance Method: Static
Persistence: HTTP cookie
3 Select OK.
4 Select Create New.
5 Add the HTTPS virtual server that also includes HTTP Cookie persistence.
Name: HTTPS_Load_Balance
Type: HTTPS
Interface: port2
Virtual Server IP: 192.168.20.20
Virtual Server Port: 443
Load Balance Method: Static
Persistence: HTTP cookie
6 Select OK.
To add the real servers and associate them with the virtual servers
1 Go to Firewall > Load Balance > Real Server.
2 Select Create New.
3 Configure three real servers for HTTP that include the virtual server
HTTP_Load_Balance.
Configuration for the first HTTP real server.
Virtual Server: HTTP_Load_Balance
IP: 10.10.10.1
Port: 80
Weight
Maximum Connections

Virtual Server: HTTP_Load_Balance
IP: 10.10.10.2
Port: 80
Weight
Maximum Connections

Virtual Server: HTTP_Load_Balance
IP: 10.10.10.3
Port: 80
Weight
Maximum Connections
4 Configure three real servers for HTTPS that include the virtual server
HTTPS_Load_Balance.
Configuration for the first HTTPS real server.
Virtual Server: HTTPS_Load_Balance
IP: 10.10.10.1
Port: 443
Weight
Maximum Connections
Virtual Server: HTTPS_Load_Balance
IP: 10.10.10.2
Port: 443
Weight
Maximum Connections
Virtual Server: HTTPS_Load_Balance
IP: 10.10.10.3
Port: 443
Weight
Maximum Connections
port2
Source Address
all
HTTP_Load_Balance
Schedule
always
Service
HTTP
Action
ACCEPT
NAT
Select
port2
Source Address
all
HTTPS_Load_Balance
Schedule
always
Service
HTTPS
Action
ACCEPT
NAT
Select
antivirus protection
web filtering
email filtering
IPS
dashboard statistics
application control
Strict
Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The
strict protection profile may not be useful under normal circumstances, but it is
available when maximum protection is required.
Scan
Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic. Quarantine is
also selected for all content services. On FortiGate models with a hard drive, if
antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate
hard disk. If a FortiAnalyzer unit is configured, files are quarantined remotely.
Quarantine permits system administrators to inspect, recover, or submit
quarantined files to Fortinet for analysis.
Web
Apply virus scanning and web content filtering to HTTP traffic. Add this protection
profile to firewall policies that control HTTP traffic.
Unfiltered
Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content
protection for content traffic is required. Add this protection profile to firewall
policies for connections between highly trusted or highly secure networks where
content does not need to be protected.
Delete
Edit
Create New
Name
Delete icon
Delete a protection profile from the list. The Delete icon appears only if the
protection profile is not currently selected in a firewall policy or user group.
Edit icon
intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between
clients and servers (FortiGate SSL acceleration speeds up decryption)
HTTPS, IMAPS, POP3S, and SMTPS Antivirus, DLP, and DLP archiving
Figure 271: FortiGate SSL content scanning and inspection packet flow
[Figure: encrypted HTTPS, IMAPS, POP3S, or SMTPS packets pass through the firewall to the SSL decrypt/encrypt process; the decrypted packets receive protection profile content scanning and inspection (antivirus, web filtering, spam filtering, DLP, content archiving); the session is re-encrypted using the SSL session certificate and key and the encrypted packets are forwarded to the destination server.]
110C
111C
310B
620B
3016B
3600A
3810A
5005FA2
5001A.
While the SSL sessions are being set up, the client and server communicate in clear text
to exchange SSL session keys. The session keys are based on the client and server
certificates. The FortiGate SSL decrypt/encrypt process intercepts these keys and uses a
built-in signing CA certificate named Fortinet_CA_SSLProxy to create keys to send to the
client and the server. This signing CA certificate is used only by the SSL decrypt/encrypt
process. The SSL decrypt/encrypt process then sets up encrypted SSL sessions with the
client and server and uses these keys to decrypt the SSL traffic to apply content scanning
and inspection.
Some client programs (for example, web browsers) can detect this key replacement and
will display a security warning message. The traffic is still encrypted and secure, but the
security warning indicates that a key substitution has occurred.
You can stop these security warnings by importing the signing CA certificate used by the
server into the FortiGate unit SSL content scanning and inspection configuration. Then the
FortiGate unit creates keys that appear to come from the server and not the FortiGate unit.
Note: You can add one signing CA certificate for SSL content scanning and inspection. The
CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL
content scanning and encryption.
You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another
signing CA certificate. To do this you need the signing CA certificate file, the CA certificate
key file, and the CA certificate password.
All SSL content scanning and inspection uses the same signing CA certificate. If your
FortiGate unit is operating with virtual domains enabled, the same signing CA certificate is
used by all virtual domains.
To add a signing CA certificate for SSL content scanning and inspection
1 Obtain a copy of the signing CA certificate file, the CA certificate key file, and the
password for the CA certificate.
2 Go to System > Certificates > Local Certificates and select Import.
3 Set Type to Certificate.
4 For Certificate file use the Browse button to select the signing CA certificate file.
5 For Key file use the Browse button to select the CA certificate key file.
6 Enter the CA certificate Password.
Figure 272: Importing a signing CA certificate for SSL content scanning and inspection
7 Select OK.
The CA certificate is added to the Local Certificates list. In this example the signing CA
certificate name is Example_CA. This name comes from the certificate file and key file
name. If you want the certificate to have a different name, change these file names.
8 Add the imported signing CA certificate to the SSL content scanning and inspection
configuration. Use the following CLI command if the certificate name is Example_CA.
Predefined firewall services
The IMAPS, POP3S and SMTPS predefined services. You can select
these services in a firewall policy and a DoS policy. For more information,
see Table 50, Predefined services, on page 402.
Protocol Recognition
The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS,
POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a
protection profile and configure Protocol Recognition for HTTPS, IMAPS,
POP3S, and SMTPS.
Using protocol recognition you can also configure the FortiGate unit to just
perform URL filtering of HTTPS or to use SSL content scanning and
inspection to decrypt HTTPS so that the FortiGate unit can also apply
Antivirus and DLP content inspection and DLP archiving to HTTPS. Using
SSL content scanning and inspection to decrypt HTTPS also allows you to
apply more web filtering and FortiGuard Web Filtering options to HTTPS.
For more information, see Protocol recognition options on page 475.
Antivirus
Antivirus quarantine
Web Filtering
FortiGuard Web
Filtering
Email Filtering
DLP for HTTPS, IMAPS, POP3S, and SMTPS. To apply DLP, follow the
steps below:
Go to UTM > Data Leak Prevention > Rule to add DLP rules. For
HTTPS, add an HTTP rule and select HTTPS POST and HTTPS GET.
For IMAPS, POP3S, and SMTPS, add an Email rule and select
IMAPS, POP3S, and SMTPS. See Adding or configuring DLP rules
on page 588.
Go to UTM > Data Leak Prevention > Sensor and add the DLP rules to
a DLP sensor. See Adding or editing a rule or compound rule in a DLP
sensor on page 577.
Go to Firewall > Protection Profile. Add or edit a protection profile and
use Data Leak Prevention Sensor to add the DLP sensor to a
protection profile. Note: In a protection profile, if you set Protocol
Recognition > HTTPS Content Filtering Mode to URL Filtering, DLP
rules cannot inspect HTTPS. Set this option to Deep Scan.
Go to Firewall > Policy and add the protection profile to a firewall
policy. See Data Leak Prevention Sensor options on page 488.
DLP archiving
DLP archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP Rules
for the protocol to be archived. See DLP archiving on page 580.
Displaying DLP meta-information on the system dashboard
DLP archive information on the Log and Archive Statistics widget on the system dashboard for HTTPS, IMAPS, POP3S, and SMTPS.
Go to Firewall > Protection Profile. Add or edit a protection profile and open Data Leak Prevention Sensor. For Displaying content meta-information on the system dashboard select HTTPS, IMAPS, POP3S, and SMTPS as required.
These options display meta-information on the Statistics dashboard widget. For more information, see Viewing DLP Archive information on the Statistics widget on page 91.
Archive SPAM email
Expand Arrow
Expand Arrow
Profile Name
Comments
Protocol Recognition
Anti-Virus
IPS
Web Filtering
FortiGuard Web Filtering See FortiGuard Web Filtering options on page 483.
Email Filtering
Application Control
Logging
Figure 274: Protection profile Protocol Recognition options (SSL content scanning and
inspection)
[Figure: for each protocol, the Monitored Ports controls to Add or Remove Port Numbers and Edit Monitored Ports.]
Note: If your FortiGate unit supports SSL content scanning and inspection, you must set
HTTPS Content Filtering Mode to Deep Scan before you can configure additional HTTPS
content scanning protection profile options.
HTTPS Content Filtering Mode If your FortiGate unit supports SSL content scanning and
inspection, you can select the content filtering mode used for
HTTPS traffic. The mode can be:
URL Filtering
Protocol
Monitored Ports
The port numbers that the protection profile monitors for each
content protocol. You can select multiple port numbers to monitor
for each content protocol. For HTTP, SMTP, POP3, IMAP, NNTP,
and FTP you can also select Inspect All Ports to monitor all ports
for these content protocols. Monitoring all ports means the
protection profile uses protocol recognition techniques to
determine the protocol of a communication session independent
of the port number that the session uses.
Edit icon
Select to monitor all ports for the content protocol. This option is
available for HTTP, SMTP, POP3, IMAP, NNTP, and FTP.
Specify Ports
Select this option and then enter the port numbers to monitor for
the content protocol. You can specify up to 20 ports for each
content protocol.
Anti-Virus options
You can apply antivirus options through a protection profile for the HTTP, SMTP, POP3,
IMAP, NNTP, and FTP content protocols.
If your FortiGate unit includes SSL content inspection and filtering, you can also apply
antivirus scanning options through a protection profile for HTTPS, IMAPS, POP3S, and
SMTPS content protocols. For more information, see SSL content scanning and
inspection on page 469.
Note: You cannot select Anti-Virus options for HTTPS if under protocol recognition HTTPS
Content Filtering Mode is set to URL Filtering. For more information, see Protocol
recognition options on page 475.
To configure antivirus options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Anti-Virus, enter the information as described below, and select
OK. For more antivirus configuration options, see AntiVirus on page 509.
Figure 276: Protection Profile Anti-Virus options (including SSL content scanning and
inspection)
Virus Scan
Select virus scanning for each protocol. Virus Scan includes grayware,
as well as heuristic scanning. However, by default neither is enabled.
To enable specific grayware, go to UTM > AntiVirus > Grayware. To
enable heuristic scanning, see the config antivirus heuristic
command in the FortiGate CLI Reference.
Note: When you enable virus scanning, scanning by splice, also
called streaming mode, is enabled automatically. When scanning by
splice, the FortiGate unit simultaneously scans and streams traffic to
the destination, terminating the stream to the destination if a virus is
detected. For details on configuring splicing, see the splice option
for each protocol in the config firewall profile command in
the FortiGate CLI Reference. For details on splicing behavior for each
protocol, see the Knowledge Center article FortiGate Proxy Splice and
Client Comforting Technical Note.
File Filter
Select to filter files, then under Option, specify a file filter, which can
consist of file name patterns and file types. For more information, see
File Filter on page 513.
Quarantine
Select for each protocol to quarantine suspect files for later inspection
or submission to Fortinet for analysis.
This option appears only if the FortiGate unit has a hard drive or a
configured FortiAnalyzer unit, and will take effect only if you have first
enabled and configured the quarantine. For more information, see
File Quarantine on page 516.
Pass Fragmented Emails Select to allow fragmented email for mail protocols (IMAP, POP3, and
SMTP as well as IMAPS, POP3S, and SMTPS if SSL content
scanning and inspection is supported). Fragmented email messages
cannot be scanned for viruses.
Comfort Clients
Interval
The time in seconds before client comforting starts sending data after
the download has begun, and also the time interval between sending
subsequent data.
Amount
Oversized File/Email
Select client comforting for the HTTP, FTP, and HTTPS protocols. See
HTTP and FTP client comforting on page 479.
Threshold
If the file is larger than the threshold value in megabytes, the file is
passed or blocked. The maximum threshold for scanning in memory is
10% of the FortiGate unit's RAM.
Method
Expires
Add signature to outgoing emails
Create and enable a signature to append to outgoing SMTP email
messages. The signature will also be appended to outgoing SMTPS
email messages if your FortiGate unit supports SSL content scanning
and inspection.
IPS options
You can use the IPS options in a protection profile to enable IPS for the protection profile
and add an IPS sensor. To add an IPS sensor, go to Firewall > Protection Profile. Select
Create New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside IPS, select the check box to enable IPS,
select an IPS Sensor, and select OK.
For more information on IPS, see Intrusion Protection on page 523.
Figure 277: Protection Profile IPS options
IPS
Note: Protection profile web filtering also includes FortiGuard Web Filtering. For
information about FortiGuard Web Filtering, see FortiGuard Web Filtering options on
page 483.
You can configure web filtering for HTTP and HTTPS traffic. If your FortiGate unit supports
SSL content scanning and inspection and if you have set HTTPS Content Filtering Mode
in the Protocol Recognition part of this protection profile to Deep Scan, you can select the
same web filtering options for HTTPS and HTTP. For more information, see SSL content
scanning and inspection on page 469 and Protocol recognition options on page 475.
Filters defined in the web filtering settings are turned on through a protection profile. To
configure web filtering options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Web Filtering, enter the information as described below, and
select OK.
Note: If your FortiGate unit does not support SSL content scanning and inspection, or if you
have set HTTPS Content Filtering Mode to URL Filtering, you can only select URL filtering
and blocking invalid URLs for HTTPS.
Figure 278: Protection Profile Web Filtering options
Select to filter HTTP and HTTPS web pages based on matching the
content of the web page with the words or patterns in the selected web
content filter list. For more information, see Web content filter on
page 544.
Select the web content filter list to add to the protection profile. For
more information, see Creating a new web content filter list on
page 545.
Threshold
Select to block HTTP and HTTPS web pages based on matching the
URL of the web page with a URL in the selected URL filter list. For
more information, see URL filter on page 547.
Select the URL filter list to add to this protection profile. For more
information, see Creating a new URL filter list on page 548.
Select to block web sites whose SSL certificate's CN field does not
contain a valid domain name.
FortiGate units always validate the CN field, regardless of whether this
option is enabled. However, if this option is not selected, the following
behavior occurs:
If the request is made directly to the web server, rather than a web
server proxy, the FortiGate unit queries for FortiGuard Web
Filtering category or class ratings using the IP address only, not
the domain name.
If the request is to a web server proxy, the real IP address of the
web server is not known. Therefore, rating queries by either or
both the IP address and the domain name is not reliable. In this
case, the FortiGate unit does not perform FortiGuard Web
Filtering.
Normal
Block
Block HTTP POST requests. When the POST request is blocked the
FortiGate unit sends a web page to the user's web browser instead of
the requested POST page. You can configure the content of this web
page by going to System > Config > Replacement Message and
customizing the HTTP > POST message.
Comfort
Use the comfort amount and interval settings to send comfort bytes
to the server in case the client connection is too slow. Select this
option to prevent a server timeout when scanning or another filtering
tool is turned on.
Safe Search
Enforce the strictest level of the safe search feature of the Google,
Yahoo!, and Bing search engines. This feature works by manipulating
search URL requests to add code used by the safe search features of
the search engines.
Enforcing safe searching provides additional protection in
environments such as schools or other environments that use web
filtering to block sites with inappropriate content. Web Filtering alone
may not block offensive content that appears in search results. This
offensive content could include offensive text in search results or
offensive images in image search results.
Google
Enforce the strict filtering level of safe search protection for Google
searches by adding &safe=on to search URL requests. Strict filtering
filters both explicit text and explicit images.
Yahoo!
Enforce filtering out adult web, video, and image search results from
Yahoo! searches by adding &vm=r to search URL requests.
Bing
Enforce the strict level of safe search protection for Bing searches by
adding adlt=strict to search URL requests.
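The URL manipulation described for the three engines, as an added Python example (not FortiGate code): it forces the documented parameter (&safe=on, &vm=r, adlt=strict) onto a search request. Detecting the engine from a hostname label, and replacing a conflicting client-supplied value such as safe=off, are assumptions of this example.

```python
"""Added example (not FortiGate code): enforce safe search by rewriting search URLs.

The parameters are the ones the protection profile documentation lists:
Google &safe=on, Yahoo! &vm=r, Bing adlt=strict. Hostname-based engine
detection and overriding a conflicting client-supplied value are assumptions
of this example.
"""
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Safe-search parameter each engine honours (values taken from the documentation).
SAFE_SEARCH_PARAMS = {
    "google": ("safe", "on"),
    "yahoo": ("vm", "r"),
    "bing": ("adlt", "strict"),
}


def detect_engine(hostname: str) -> Optional[str]:
    """Return the engine name when a hostname label matches one (assumed heuristic)."""
    labels = hostname.lower().split(".")
    for engine in SAFE_SEARCH_PARAMS:
        if engine in labels:
            return engine
    return None


def enforce_safe_search(url: str) -> str:
    """Return the URL with the engine's safe-search parameter forced on.

    URLs that are not search-engine requests are returned unchanged. Any
    existing value for the same parameter (for example a client-supplied
    safe=off) is dropped so the enforced value wins.
    """
    parts = urlsplit(url)
    engine = detect_engine(parts.hostname or "")
    if engine is None:
        return url
    key, value = SAFE_SEARCH_PARAMS[engine]
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != key]
    query.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


if __name__ == "__main__":
    # Constructed sample requests; the last one is not a search engine and passes through.
    for sample in (
        "https://www.google.com/search?q=cats&safe=off",
        "https://search.yahoo.com/search?p=cats",
        "https://www.bing.com/search?q=cats",
        "https://example.com/search?q=cats",
    ):
        print(sample, "->", enforce_safe_search(sample))
```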
Blocked pages are replaced with a message indicating that the page is not accessible
according to the Internet usage policy. To configure replacement messages, go to
System > Config > Replacement Messages.
For more information on web filter configuration options, see Web Filter on page 541.
For details on how web URL filter lists are used with HTTP and HTTPS URLs, see URL
formats on page 550.
Character sets and Web content filtering, Email filtering banned word,
and DLP scanning
The FortiGate unit converts HTTP, HTTPS, and email content to the UTF-8 character set
before applying email filtering banned word checking, web filtering and DLP content
scanning as specified in the protection profile.
For email messages, while parsing the MIME content, the FortiGate unit converts the
content to UTF-8 encoding according to the email message charset field before applying
Email filtering banned word checking and DLP scanning.
For HTTP get pages, the FortiGate unit converts the content to UTF-8 encoding according
to the character set specified for the page before applying web content filtering and DLP
scanning.
For HTTP post pages, because character sets are not always accurately indicated in
HTTP posts, you can use the following CLI command to specify up to five character set
encodings.
config firewall profile
edit <profile_name>
set http-post-lang <charset1> [<charset2> ... <charset5>]
end
The FortiGate unit performs a forced conversion of HTTP post pages to UTF-8 for each
specified character set. After each conversion the FortiGate unit applies web content
filtering and DLP scanning to the content of the converted page.
Caution: Specifying multiple character sets reduces web filtering and DLP performance.
To view the list of available character sets, enter set http-post-lang ? from within
the edit shell for the protection profile. Separate multiple character set names with a
space. You can add up to 5 character set names.
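The forced multi-charset conversion behind http-post-lang, as an added Python example (not FortiGate code): the POST body is converted to UTF-8 once per configured character set (at most five) and the banned-word check runs on every conversion, which is also why the caution above says more character sets cost performance. The banned word and the sample POST bodies are constructed.

```python
"""Added example (not FortiGate code): forced conversion of an HTTP POST body
to UTF-8 for each configured character set, followed by banned-word matching.

Mirrors the http-post-lang behaviour described above: the body is converted
once per configured charset (up to five) and the scan runs on every conversion.
The banned word and the POST bodies are constructed sample data.
"""
from typing import Dict, List, Sequence, Tuple

MAX_POST_CHARSETS = 5  # the CLI accepts up to 5 character set names

# Constructed banned-word list, as UTF-8 text (the scan runs after conversion).
BANNED_WORDS = ("機密",)  # Japanese for "confidential"


def forced_conversions(body: bytes, charsets: Sequence[str]) -> Dict[str, str]:
    """Decode the body once per configured charset into a UTF-8 str.

    Bytes that are invalid in a given charset are replaced rather than rejected,
    because the conversion is forced regardless of what the request claims.
    """
    if len(charsets) > MAX_POST_CHARSETS:
        raise ValueError(f"at most {MAX_POST_CHARSETS} character sets can be configured")
    return {cs: body.decode(cs, errors="replace") for cs in charsets}


def scan_post(body: bytes, charsets: Sequence[str],
              banned: Sequence[str] = BANNED_WORDS) -> List[Tuple[str, str]]:
    """Return (charset, banned word) pairs for every conversion that matches.

    An empty list means no configured conversion exposed a banned word, which
    is exactly what happens when the body's real charset is not configured.
    """
    hits: List[Tuple[str, str]] = []
    for cs, text in forced_conversions(body, charsets).items():
        for word in banned:
            if word in text:
                hits.append((cs, word))
    return hits


if __name__ == "__main__":
    # Constructed POST bodies carrying the banned word in two different encodings.
    body_sjis = "機密".encode("shift_jis")
    body_eucjp = "機密".encode("euc_jp")
    print("utf-8 only:", scan_post(body_sjis, ["utf-8"]))                  # []
    print("utf-8 + shift_jis:", scan_post(body_sjis, ["utf-8", "shift_jis"]))
    print("shift_jis + euc_jp:", scan_post(body_eucjp, ["shift_jis", "euc_jp"]))
```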
Enable FortiGuard Web Filtering
Select to enable FortiGuard Web Filtering for this protection profile.
Enable FortiGuard Web Filtering Overrides
Select to enable category overrides. For more information, see FortiGuard Web filtering overrides on page 552 and Configuring administrative override rules on page 553.
Provide details for blocked HTTP 4xx and 5xx errors
Display a replacement message for 400 and 500-series HTTP errors. If the error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.
Rate images by URL (blocked images will be replaced with blanks)
Block images that have been rated by FortiGuard. Blocked images are replaced on the originating web pages with blanks. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.
Allow websites when a rating error occurs
Allow web pages that return a rating error from the web filtering service.
Strict Blocking
This option is enabled by default. Strict Blocking only has an effect when
either a URL fits into a protection profile category and classification or
Rate URLs by domain and IP address is enabled. With Rate URLs by
domain and IP address enabled, all URLs have two categories and up to
two classifications (one set for the domain and one set for the IP
address). All URLs belong to at least one category (including the Unrated
category) and may also belong to a classification.
If you enable Strict Blocking, a site is blocked if it is in at least one
blocked category or classification and only allowed if all categories or
classifications it falls under are allowed.
If you do not enable Strict Blocking, a site is allowed if it belongs to at
least one allowed category or classification and only blocked if all
categories or classifications it falls under are blocked.
For example, suppose that a protection profile blocks Search Engines
but allows Image Search, and that the URL images.example.com falls
into the General Interest / Search Engines category and the Image
Search classification.
With Strict Blocking enabled, this URL is blocked because it belongs to
the Search Engines category, which is blocked.
With Strict Blocking disabled, the URL is allowed because it is classified
as Image Search, which the profile allows. It would be blocked only if
both the Search Engines category and Image Search classification were
blocked.
Rate URLs by domain and IP address
Select to send both the URL and the IP address of the requested site for
checking, and thus provide additional security against attempts to bypass
the FortiGuard system.
However, because IP rating is not updated as quickly as URL rating,
some false ratings may occur.
Category
Classification
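The Strict Blocking decision above, including the second category set that Rate URLs by domain and IP address adds, worked through as an added Python example (not FortiGate code). The Rating and WebFilterProfile types are assumptions of this example; the category and classification names are the ones in the page's own images.example.com example.

```python
"""Added example (not FortiGate code): the Strict Blocking decision described above.

A URL's rating is modelled as categories plus optional classifications. With
"Rate URLs by domain and IP address" the IP rating contributes a second set of
labels. Every URL carries at least one category (Unrated when nothing else).
The Rating and WebFilterProfile types are assumptions of this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

UNRATED = "Unrated"


@dataclass(frozen=True)
class Rating:
    categories: FrozenSet[str] = frozenset()
    classifications: FrozenSet[str] = frozenset()

    def labels(self) -> FrozenSet[str]:
        """All labels this rating places the URL under (Unrated if no category)."""
        cats = self.categories or frozenset({UNRATED})
        return cats | self.classifications


@dataclass(frozen=True)
class WebFilterProfile:
    blocked_categories: FrozenSet[str]
    blocked_classifications: FrozenSet[str] = frozenset()
    strict_blocking: bool = True            # enabled by default, as on the page
    rate_by_domain_and_ip: bool = False


def decide(profile: WebFilterProfile, domain: Rating, ip: Optional[Rating] = None) -> str:
    """Return "block" or "allow" for a request given its domain (and optional IP) rating."""
    labels = set(domain.labels())
    if profile.rate_by_domain_and_ip and ip is not None:
        labels |= ip.labels()               # second category set from the IP rating
    blocked = profile.blocked_categories | profile.blocked_classifications
    blocked_hits = {label for label in labels if label in blocked}
    if profile.strict_blocking:
        # Strict: blocked if in at least one blocked category or classification.
        return "block" if blocked_hits else "allow"
    # Not strict: allowed if in at least one allowed label; blocked only if all are blocked.
    return "block" if blocked_hits == labels else "allow"


# Constructed sample from the page's example: images.example.com is rated
# General Interest / Search Engines (category) and Image Search (classification).
SEARCH_ENGINES = "General Interest / Search Engines"
IMAGE_SEARCH = "Image Search"
IMAGES_EXAMPLE = Rating(categories=frozenset({SEARCH_ENGINES}),
                        classifications=frozenset({IMAGE_SEARCH}))
BLOCK_SEARCH_ENGINES = WebFilterProfile(blocked_categories=frozenset({SEARCH_ENGINES}))


if __name__ == "__main__":
    lenient = WebFilterProfile(frozenset({SEARCH_ENGINES}), strict_blocking=False)
    print("strict:", decide(BLOCK_SEARCH_ENGINES, IMAGES_EXAMPLE))   # block
    print("not strict:", decide(lenient, IMAGES_EXAMPLE))            # allow
```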
session. If FortiGuard Antispam does not find a match, the email server sends the email to
the recipient. The email checksum filter calculates the checksum of an email message and
sends this checksum to the FortiGuard servers to determine if the checksum is in the
blacklist. The FortiGate unit then passes or marks/blocks the email message according to
the server response.
To configure email filtering options, go to Firewall > Protection Profile. Select Create New
to add a protection profile, or the Edit icon beside an existing protection profile. Then
select the Expand Arrow beside Email Filtering, enter the information as described below,
and select OK.
You can configure email filtering for IMAP, POP3, and SMTP email. If your FortiGate unit
supports SSL content scanning and inspection you can also configure email filtering for
IMAPS, POP3S, and SMTPS email. For information about SSL content scanning and
inspection, see SSL content scanning and inspection on page 469.
For more information about the FortiGuard Antispam service, see FortiGuard Antispam
service on page 301 and Configuring the FortiGate unit for FDN and FortiGuard
subscription services on page 302.
For more email filter configuration options, see Email filtering on page 559.
For information about character sets and email filter banned word, see Character sets
and Web content filtering, Email filtering banned word, and DLP scanning on page 483.
Note: Some popular email clients cannot filter messages based on the MIME header. For
these clients, select to tag email message subject lines instead.
Figure 280: Protection Profile Email Filtering options
IP address check
URL check
E-mail checksum check Select to enable the FortiGuard Antispam email message checksum
blacklist.
Spam submission
Select to look up the source domain name (from the SMTP HELO
command) for SMTP email messages.
E-mail address BWL list Select the email address black/white list to add to the protection
profile. For more information, see Creating a new email address list
on page 568.
Return e-mail DNS check
Select the banned word list to add to the protection profile. For more
information, see Creating a new banned word list on page 563.
Threshold
Spam Action
Tag Location
Tag Format
display DLP archive meta-information on the Log and Archive Statistics system
dashboard widget
archive spam email (requires a FortiAnalyzer unit or the FortiGuard Analysis and
Management Service).
To configure DLP sensor options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Data Leak Prevention Sensor. Select a DLP sensor, enter the
information as described below, and select OK.
For information about DLP, see Data Leak Prevention on page 575.
For information about character sets and DLP scanning, see Character sets and Web
content filtering, Email filtering banned word, and DLP scanning on page 483.
Figure 281: Data Leak Prevention Sensor options
Figure 282: Data Leak Prevention Sensor options (SSL content scanning inspection and
FortiAnalyzer unit configured)
Data Leak
Prevention
Sensor
Select the check box and then specify the DLP sensor to add to the protection
profile. For more information, see Adding and configuring a DLP sensor on
page 577.
Display DLP
metainformation on
the system
dashboard
For each protocol, select whether or not to display DLP archiving data in the
dashboard Log and Archive Statistics widget. You can select HTTP, HTTPS, FTP,
IMAP, POP3, and SMTP.
If your FortiGate unit supports SSL content scanning and inspection you can also
select IMAPS, POP3S, and SMTPS.
For more information about the Log and Archive Statistics widget, see Log and
Archive Statistics on page 77.
Archive
SPAMed emails
to
FortiAnalyzer/
FortiGuard
For each email protocol, select to archive email messages identified as spam by
FortiGate Email filtering or by FortiGuard Antispam. You must configure the
FortiGate unit to log to a FortiAnalyzer unit or enable the FortiGuard Analysis and
Management Service. For more information, see Configuring spam email
message archiving on page 585.
Application
Black/White List
Select the check box and then specify the application control black/white list
to add to the protection profile. For more information, see Creating a new
application control black/white list on page 597.
Logging options
You can enable logging options in a protection profile to write log messages when the
options that you have enabled in this protection profile perform an action. For example, if
you enable antivirus protection you could also enable the antivirus protection profile
logging options to write an antivirus log message every time a virus is detected by this
protection profile.
To record these log messages you must first configure how the FortiGate unit stores log
messages. See Configuring how a FortiGate unit stores logs on page 704.
For information about viewing log messages, see Accessing and viewing log messages
on page 714.
You can also view and customize reports based on these log messages. See Viewing
Executive Summary reports from SQL logs on page 724 and Viewing FortiAnalyzer
reports on page 724.
To configure Logging options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Logging, select logging options, and select OK.
Antivirus
If antivirus settings are enabled for this protection profile, select the
following options to record Antivirus Log messages.
Viruses
Blocked Files
Oversized Files /
E-mails
Web Filtering
If Web Filtering settings are enabled for this protection profile, select the
following options to record Web Filter Log messages.
Content Block
Record a log message when this protection profile matches the content
of a web page with the web content filter added to this protection profile.
The log message records whether the web page was blocked or
exempted.
URL Filter
Record a log message when this protection profile matches the URL of
a web page with the web URL filter added to this protection profile. The
log message records whether the web page was blocked, exempted, or
allowed.
Invalid Domain Name Warnings
Record a log message when this protection profile detects an invalid
domain name. A domain name is considered invalid if the name fails a
reverse DNS lookup.
FortiGuard Web Filtering If FortiGuard Web Filtering settings are enabled for this protection
profile, select the following option to record Web Filter Log messages.
Rating Errors (HTTP
only)
Email Filtering
Log Spam
IPS
Log Intrusions
Application Control
Log Application
Control
Record a log message when the Application Control list added to this
protection profile detects an application. The log message records the
application detected and the action taken by application control.
If Data Leak Prevention is enabled for this protection profile, select the
following option to record DLP Log messages.
Log DLP
Record a log message when the data leak prevention sensor added to
this protection profile matches the content of a session.
SIP support
The Session Initiation Protocol (SIP) is a signaling protocol used for establishing and
conducting multiuser calls over TCP/IP networks using any media. Because call setup is
complex, not every firewall can handle SIP calls correctly, even if the firewall is
stateful. The FortiGate unit has a pre-defined SIP firewall service that tracks and scans
SIP calls and adjusts both the firewall state and the call data to ensure a seamless call
is established through the FortiGate unit regardless of its operation mode (NAT/route or
transparent). FortiGate units support SIP RFC 3261.
You can use protection profiles to control the SIP protocol and SIP call activity.
A statistical summary of SIP protocol activity is also available for managing SIP use.
This section includes some information about VoIP and SIP. It also describes how FortiOS
SIP support works and how to configure the key SIP features. For more configuration
information, see the FortiGate CLI Reference.
The FortiGate unit supports the following SIP features:
RTP Pinholing
request control
rate limiting
event logging
communication archiving
NAT IP preservation
SIP stateful HA
IPv6 support
Configuring SIP
In proxy mode (shown in Figure 285), SIP clients send requests to the proxy server. The
proxy server either handles the requests or forwards them to other SIP servers. Proxy
servers can insulate and hide SIP users by proxying the signaling messages. To the other
users on the VoIP network, the signaling invitations look as if they come from the SIP
proxy server.
Figure 285: SIP in proxy mode
[Figure: SIP Client A (a@example.com) and SIP Client B (b@example.com) on an IP network with a SIP Proxy Server. 2. Client A dials Client B and a request is sent to the SIP proxy server. 4. Client B is notified of the incoming call by the proxy server and the phone rings. An RTP session then runs between the two clients.]
When the SIP server operates in redirect mode (shown in Figure 286), the SIP client
sends its signaling request to a SIP server, which then looks up the destination address.
The SIP server returns the destination address to the originator of the call, who uses it to
signal the destination SIP client.
Figure 286: SIP in redirect mode [figure: SIP Client A (a@example.com) and SIP Client B
(b@example.com) on an IP network with a SIP redirect server. 2. Client A dials Client B and
a request is sent to the SIP redirect server. 5. Client B is notified of the incoming call by
the redirect server and its phone rings. An RTP session then runs between the two clients.]
SIP NAT
The FortiGate unit supports network address translation (NAT) of SIP because the
FortiGate ALG can modify the SIP headers correctly.
This section uses scenarios to explain the FortiGate SIP NAT support.
[Figure: SIP phone 10.72.0.57 behind the FortiGate unit; SIP server 217.10.69.11 and RTP
server 217.233.122.132 on the Internet.]
[Figure 288: SIP phone 10.72.0.57 connects to VIP 10.72.0.60 on the FortiGate unit; SIP
server 217.10.69.11 and RTP server 217.233.122.132 on the Internet.]
In the scenario, shown in Figure 288, the SIP phone connects to a VIP (10.72.0.60). The
FortiGate SIP ALG translates the SIP contact header to 217.10.79.9. The FortiGate ALG
will open the Real-time Transport Protocol (RTP) pinholes and manage NAT.
The FortiGate unit also supports a variation of this scenario: the RTP server hides its real
address.
Figure 289: SIP destination NAT-RTP server hidden [figure: SIP phone 219.29.81.21 on the
Internet; FortiGate unit 217.233.90.60; SIP server 10.0.0.60 and RTP server 192.168.200.99
behind it.]
In this scenario, shown in Figure 289, a SIP phone connects to the Internet. The VoIP
service provider only publishes a single public IP (a VIP). The SIP phone connects to the
FortiGate unit (217.233.90.60) and the FortiGate unit then translates the SIP contact
header to the SIP server (10.0.0.60). The SIP server changes the SIP/SDP connection
information (which tells the SIP phone which RTP IP it should contact) also to
217.233.90.60.
[Figure 290: SIP phone 219.29.81.20 on the Internet; FortiGate VIPs SIP: 217.233.90.60,
RTP-1: 217.233.90.65, RTP-2: 217.233.90.70; SIP server 10.0.0.60 and RTP server
192.168.0.21 - 192.168.0.23 behind it.]
In this scenario, shown in Figure 290, assume there is a SIP server and a separate media
gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect
to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to
217.233.90.65.
What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact
header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2 The SIP server carries out RTP to 217.233.90.65.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4 RTP is sent to the RTP-VIP (217.233.90.65). The FortiGate ALG translates the SIP
contact header to 192.168.0.21.
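A simplified model of the ALG translation in these scenarios, written as an added example and not FortiOS code: it rewrites the Contact header and the SDP connection address from a private-to-public NAT map and lists the RTP/RTCP pinholes implied by each SDP m= line. The INVITE, the NAT map, the function names and the from_external flag (for the Record-Route rule described under Configuring SIP) are constructed for this example.

```python
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample INVITE from an internal phone (192.168.0.21) that the
# FortiGate VIP 217.233.90.65 must present to the Internet, as in Figure 290.
SAMPLE_INVITE = (
    "INVITE sip:b@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.21:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:a@example.com>;tag=1928301774\r\n"
    "To: <sip:b@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:a@192.168.0.21:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "o=a 2890844526 2890844526 IN IP4 192.168.0.21\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.0.21\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)


def _nat(ip, nat_map):
    """Translate one address; addresses not in the map are left as they are."""
    return nat_map.get(ip, ip)


def sip_alg_translate(message, nat_map, from_external=False):
    """Rewrite the Contact header and the SDP c=/o= addresses of a SIP request
    using nat_map {private_ip: public_ip}.  Returns (rewritten_message, pinholes)
    where pinholes lists the (public_ip, port) pairs the ALG would open for each
    SDP m= line: the RTP port and the RTCP port one above it.
    Contact is left alone when the request comes from the external network and
    carries a Record-Route header.  Simplified model: Via is not rewritten."""
    head, _, body = message.partition("\r\n\r\n")
    headers = head.split("\r\n")
    has_record_route = any(h.lower().startswith("record-route:") for h in headers)
    for i, line in enumerate(headers):
        if line.lower().startswith("contact:") and not (from_external and has_record_route):
            headers[i] = re.sub("@" + IPV4, lambda m: "@" + _nat(m.group(1), nat_map), line)

    pinholes, media_ip, sdp = [], None, []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            # c= tells the far end where to send RTP, so it must carry the public address
            line = re.sub("IN IP4 " + IPV4, lambda m: "IN IP4 " + _nat(m.group(1), nat_map), line)
            if line.startswith("c="):
                media_ip = line.split()[-1]
        elif line.startswith("m="):
            port = int(line.split()[1])  # assumes a session-level c= precedes the m= lines
            pinholes.extend([(media_ip, port), (media_ip, port + 1)])
        sdp.append(line)
    body = "\r\n".join(sdp)

    # The body may have changed length, so Content-Length is recomputed.
    for i, line in enumerate(headers):
        if line.lower().startswith("content-length:"):
            headers[i] = "Content-Length: %d" % len(body.encode())
    return "\r\n".join(headers) + "\r\n\r\n" + body, pinholes


if __name__ == "__main__":
    out, holes = sip_alg_translate(SAMPLE_INVITE, {"192.168.0.21": "217.233.90.65"})
    print(out)
    print("RTP/RTCP pinholes:", holes)
```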
You need to configure the FortiOS SIP support in the following order:
1 Create a firewall protection profile that enables SIP (see Enabling SIP support and
setting rate limiting from the web-based manager on page 498).
Once the profile is included in a policy, the ALG will parse the SIP traffic and open the
RTP ports for each specific VoIP call.
When creating a protection profile, you configure SIP features using the web-based
manager and CLI. You then apply the profile to a firewall policy. You can apply a profile
to multiple policies.
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile.
Specifically, select the SIP or ANY pre-defined service for the policy.
When the FortiGate unit receives a SIP packet, it checks the packet against the firewall
policies. If the packet matches a policy, the FortiGate firewall inspects and processes
the packet according to the SIP profile applied to the policy.
For more information about firewall policies, see Firewall Policy on page 363.
3 Configure advanced SIP features as required (see Configuring SIP on page 498).
Configuring SIP
You can enable SIP support, set two rate limits, enable SIP logging, and view SIP
statistics using the web-based manager. You can do this plus configure many other SIP
support features from the CLI.
This section describes the following SIP configuration options:
Enabling SIP support and setting rate limiting from the web-based manager
Preserving NAT IP
Enabling SIP support and setting rate limiting from the web-based manager
To enable SIP support you need to:
add this protection profile to a firewall policy that accepts SIP traffic.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/
From the web-based manager, you can also configure some SIP rate limiting settings.
Rate limiting for SIP also limits SIMPLE traffic. SIP rate limiting is useful for protecting a
SIP server within a company. Most SIP servers do not have integrated controls and it is
very easy to flood SIP servers with INVITE or REGISTER requests.
Enabling SIP in an application control list actually enables the SIP application level
gateway (SIP ALG) for sessions accepted by a firewall policy that includes the SIP
application.
Tip: The SIP and SCCP application control list entries are used only for enabling the SIP or
SCCP application level gateways (ALGs). They are not like any other application control list
entry. For example, you cannot use the SIP and SCCP application control list entries to
block SIP or SCCP traffic. From the CLI SIP is application number 12 and SCCP is
application number 13.
Tip: The SIP.TCP and SIP.UDP application control list entries are normal application
control list entries and are not involved with the SIP ALG. You can use the SIP.TCP or
SIP.UDP application control list entries to block SIP sessions.
To enable SIP and set REGISTER and INVITE rate limiting from the web-based manager
1 Go to UTM > Application Control.
2 If you want to enable SIP for an existing application control list, select the Edit icon for
an application control list. Otherwise, select Create New to add a new application
control list.
3 Then, select Create New in the list to add a new application to the list.
4 Set Application to SIP.
You can optionally set Category to voip to make the SIP application easier to find.
5 Optionally configure REGISTER and INVITE limiting.
For example:
Set Limit REGISTER request to 100.
Set Limit INVITE request to 100.
Figure 291: Example SIP Application control configuration
6 Select OK.
7 Go to Firewall > Profile and add the application control list to a protection profile.
8 Go to Firewall > Policy and add the protection profile to a firewall policy that accepts
SIP sessions.
For more information about application control, see Application Control on page 595.
Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions
(SIMPLE).
You can use rate limiting of these VoIP protocols to protect the FortiGate unit and your
network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects
against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests
that the FortiGate unit receives per second. Rate limiting protects against SCCP DoS
attacks by limiting the number of SCCP call setup messages that the FortiGate unit
receives per minute.
When VoIP rate limiting is enabled, if the FortiGate unit receives more messages per
second (or minute) than the configured rate, the extra messages are dropped.
If you are experiencing denial of service attacks from traffic using these VoIP protocols,
you can enable VoIP rate limiting and limit the rates for your network. Limit the rates
depending on the amount of SIP and SCCP traffic that you expect the FortiGate unit to be
handling. You can adjust the settings if some calls are lost or if the amount of SIP or
SCCP traffic is affecting FortiGate unit performance.
From the CLI you can configure additional SIP, SCCP, as well as SIMPLE extensions. For
more information, see the description of the config sip, config sccp, and config
simple subcommands of the application command in the FortiGate CLI Reference.
You can also block SIMPLE sessions by enabling block login for the SIMPLE application.
For more information, see Application Control on page 595.
Keyword  Description
block-ack {enable | disable}
block-audio {enable | disable}
block-bye {enable | disable}
block-cancel {enable | disable}
block-info {enable | disable}
block-invite {enable | disable}
block-long-lines {enable | disable}
    Enable to block SIP requests with headers exceeding the value set in
    max-line-length.
block-notify {enable | disable}
block-options {enable | disable}
block-prack {enable | disable}
block-publish {enable | disable}
block-refer {enable | disable}
block-unknown {enable | disable}
block-update {enable | disable}
call-keepalive <minutes_int>
max-dialogs <calls_int>
max-line-length <length_int>
    Enter the maximum SIP header line length. The value must be between 78 and
    4096. The default is 998 characters. Enable block-long-lines to enforce this
    limit.
open-contact-pinhole {disable | enable}
open-register-pinhole {disable | enable}
reg-diff-port {enable | disable}
rfc2543-branch {enable | disable}
    Enable to support RFC 2543-compliant SIP calls involving branch commands that
    are missing or that are valid for RFC 2543 but invalid for RFC 3261. RFC 3261
    is the most recent SIP RFC. RFC 3261 obsoletes RFC 2543.
rtp {enable | disable}
    Enable to allow RTP traffic.
strict-register {enable | disable}
Preserving NAT IP
In NAT operation mode, you can preserve the original source IP address in the SDP i line.
This allows the SIP server to parse this IP for billing purposes.
From the CLI, type the following commands:
config application list
edit <list_name>
config entries
edit 1
set category voip
set application SIP
set nat-trace enable
end
end
In addition, you can overwrite or append the SDP i line:
config application list
edit <list_name>
config entries
edit 1
set category voip
set application SIP
set preserve-override {enable | disable}
end
end
where selecting enable removes the original source IP address from the SDP i line and
disable appends the address.
For Contact in Requests, if a Record-Route header is present and the request comes
from the external network, the SIP Contact header is not translated.
If contact-fixup is disabled, the FortiGate ALG must be able to identify the external
network. To identify the external network, you must use the config system
interface command to set the external keyword to enable for the interface that is
connected to the external network.
From the CLI, type the following commands:
config application list
edit <list_name>
config entries
edit 1
set category voip
set application SIP
set contact-fixup {enable | disable}
end
end
Usually you would want to open these pinholes. Keeping them closed may prevent SIP from
functioning properly through the FortiGate unit. They can be disabled, however, for
interconnect scenarios (where all SIP traffic is between proxies and travelling over a single
session). In some cases these settings can also be disabled in access scenarios if it is
known that all users will be registering regularly so that their contact information can be
learned from the REGISTER request.
You might want to prevent pinholes from being opened to avoid creating a pinhole for
every register or non-register request. Each pinhole uses additional system memory,
which can affect system performance if there are hundreds or thousands of users, and
requires refreshing which can take a relatively long amount of time if there are thousands
of active calls.
To stop the FortiGate unit from opening register and non-register pinholes:
config application list
edit <list_name>
config entries
edit 1
set category voip
set application SIP
set open-register-pinhole disable
set open-contact-pinhole disable
end
end
You can selectively enable SIP block options to block SIP messages that you consider a
security risk or that are not required for your implementation. For example, enter the
following command to block SIP OPTIONS and PUBLISH messages:
config application list
edit <list_name>
config entries
edit 1
set category voip
set application SIP
set block-options enable
set block-publish enable
end
end
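The REGISTER/INVITE rate limiting described earlier in this section (requests per second, extra messages dropped) and the block-* and block-long-lines/max-line-length options above, modelled together as one added example that is not FortiOS code. The SipAppControlEntry class, its parameter names, the check order and the set of "known" methods (taken from the block-<method> keywords in the table) are assumptions.

```python
import time
from collections import deque

# Methods that have a block-<method> keyword in the table above; anything else is
# treated as "unknown" for block-unknown (an assumption of this model).
KNOWN_METHODS = {"ACK", "BYE", "CANCEL", "INFO", "INVITE", "NOTIFY", "OPTIONS",
                 "PRACK", "PUBLISH", "REFER", "REGISTER", "UPDATE"}


class SipAppControlEntry:
    """Hypothetical model of one SIP application-control entry: per-method
    blocking, block-unknown, block-long-lines with max-line-length, and
    REGISTER/INVITE rate limits in requests per second (0 means unlimited)."""

    def __init__(self, limit_register=0, limit_invite=0, block=(),
                 block_unknown=False, block_long_lines=False, max_line_length=998):
        if not 78 <= max_line_length <= 4096:
            raise ValueError("max-line-length must be between 78 and 4096")
        self.limit = {"REGISTER": limit_register, "INVITE": limit_invite}
        self.block = {m.upper() for m in block}
        self.block_unknown = block_unknown
        self.block_long_lines = block_long_lines
        self.max_line_length = max_line_length
        # timestamps of accepted requests in the last second, per rate-limited method
        self._recent = {"REGISTER": deque(), "INVITE": deque()}

    def inspect(self, message, now=None):
        """Return 'allow' or 'drop: <reason>' for one SIP request."""
        now = time.monotonic() if now is None else now
        lines = message.split("\r\n")
        method = lines[0].split(" ", 1)[0].upper()

        if method in self.block:
            return "drop: block-%s" % method.lower()
        if self.block_unknown and method not in KNOWN_METHODS:
            return "drop: block-unknown"

        if self.block_long_lines:
            # only the header part (before the blank line) is subject to max-line-length
            header_lines = lines[:lines.index("")] if "" in lines else lines
            if any(len(line) > self.max_line_length for line in header_lines):
                return "drop: block-long-lines"

        limit = self.limit.get(method, 0)
        if limit:
            recent = self._recent[method]
            while recent and now - recent[0] >= 1.0:
                recent.popleft()  # slide the one-second window forward
            if len(recent) >= limit:
                return "drop: rate-limit-%s" % method.lower()  # extra messages are dropped
            recent.append(now)
        return "allow"


if __name__ == "__main__":
    # Constructed settings matching the web-based manager example: 100 REGISTER
    # and 100 INVITE per second, OPTIONS and PUBLISH blocked.
    entry = SipAppControlEntry(limit_register=100, limit_invite=100,
                               block=("OPTIONS", "PUBLISH"), block_long_lines=True)
    invite = "INVITE sip:b@example.com SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"
    print(entry.inspect("OPTIONS sip:b@example.com SIP/2.0\r\n\r\n", now=0.0))
    for i in range(101):
        verdict = entry.inspect(invite, now=i * 0.001)
    print("101st INVITE within one second:", verdict)
```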
AntiVirus
This section describes how to configure the antivirus options associated with firewall
protection profiles. From a protection profile you can configure the FortiGate unit to apply
antivirus protection to HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP sessions. If your
FortiGate unit supports SSL content scanning and inspection you can also configure
antivirus protection for HTTPS, IMAPS, POP3S, and SMTPS sessions. For more
information, see SSL content scanning and inspection on page 469.
This section provides an introduction to antivirus settings. For more information see the
FortiGate UTM User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, UTM > Antivirus options are
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section describes:
Order of operations
Antivirus tasks
File Filter
File Quarantine
Order of operations
Antivirus scanning function includes various modules and engines that perform separate
tasks. The FortiGate unit performs antivirus processing in the following order:
File size
File pattern
File type
Virus scan
Grayware
Heuristics
If a file fails any of the tasks of the antivirus scan, no further scans are performed. For
example, if the file fakefile.EXE is recognized as a blocked pattern, the FortiGate unit will
send the end user a replacement message and the file will be deleted or quarantined. The
virus scan, grayware, heuristics, and file type scans will not be performed, as the file has
already been determined to be a threat and has been dealt with.
Note: File filter includes file pattern and file type scans which are applied at different stages
in the antivirus process.
[Flowchart: antivirus order of operations. The file or message is buffered, then checked in
turn: does the file/email exceed the oversized threshold (Block or Pass according to the
oversized file/email action); does it match a file pattern (Block or Allow according to the
matching file pattern action); does the AV scan detect an infection; does it match a file
type (Block or Allow according to the matching file type action); otherwise the file/email
is passed.]
Antivirus tasks
The antivirus tasks work in sequence to efficiently scan incoming files and offer your
network unparalleled antivirus protection. The first four tasks have specific functions; the
fifth, heuristics, covers any new, previously unknown virus threats. To ensure that your
system is providing the most protection available, all virus definitions and signatures are
updated regularly through the FortiGuard antivirus services. The tasks are discussed in the
order in which they are applied, followed by FortiGuard antivirus.
File size
This task checks if files and email messages exceed configured thresholds. It is enabled
by setting the Oversized File/Email option under Firewall > Protection Profile > Antivirus to
Pass.
For more information, see Anti-Virus options on page 477.
File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The
FortiGate unit will check the file against the file pattern setting you have configured. If the
file is a blocked pattern, .EXE for example, then it is stopped and a replacement
message is sent to the end user. No other levels of protections are applied. If the file is not
a blocked pattern the next level of protection is applied.
File type
Once a file passes the heuristic scan, the FortiGate unit applies the file type recognition
filter. The FortiGate unit will check the file against the file type setting you have configured.
If the file is a blocked type, then it is stopped and a replacement message is sent to the
end user. No other levels of protections are applied. If the file is not a blocked type, the
next level of protection is applied.
Virus scan
If the file passes the file pattern scan, it will have a virus scan applied to it. The virus
definitions are kept up to date through the Fortinet Distribution Network. The list is
updated on a regular basis so you do not have to wait for a firmware upgrade. For more
information on updating virus definitions, see FortiGuard antivirus on page 511.
Grayware
Once past the virus scan, the incoming file will be checked for grayware. Grayware
checking can be turned on and off as required. Grayware signatures are kept up to date
because they are included in the antivirus definitions. For more information, see
Selecting the virus database on page 519.
Heuristics
After an incoming file has passed the grayware scan, it is subjected to the heuristics scan.
The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect
virus-like behavior or known virus indicators. In this way, heuristic scanning may detect
new viruses, but may also produce some false positive results.
Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.
FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic updates of
virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through
the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the
FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the
Fortinet Knowledge Center for details and a link to the FortiGuard Center.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard. See Configuring the FortiGate unit for FDN and
FortiGuard subscription services on page 302 for more information.
Antivirus settings: Virus Scan, File Filter, Quarantine.
File Filter
Configure the FortiGate file filter to block files by:
File pattern: Files can be blocked by name, extension, or any other pattern. File pattern
blocking provides the flexibility to block potentially harmful content.
File pattern entries are not case sensitive. For example, adding *.exe to the file
pattern list also blocks any files ending in .EXE.
In addition to the built-in patterns, you can specify more file patterns to block. For
details, see Configuring the file filter list on page 516.
File type: Files can be blocked by type, without relying on the file name to indicate what
type of files they are. When blocking by file type, the FortiGate unit analyzes the file
and determines the file type regardless of the file name. For details about supported
file types, see Built-in patterns and supported file types on page 513.
For standard operation, you can choose to disable file filter in the protection profile, and
enable it temporarily to block specific threats as they occur.
The FortiGate unit can take either of these actions toward files that match a configured file
pattern or type:
Block: the file is blocked and a replacement message will be sent to the user. If both
file filter and virus scan are enabled, the FortiGate unit blocks files that match the
enabled file filter and does not scan these files for viruses.
The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.
Files are compared to the enabled file patterns and then the file types from top to bottom.
If a file does not match any specified patterns or types, it is passed along to antivirus
scanning (if enabled). In effect, files are passed if not explicitly blocked.
Using the allow action, this behavior can be reversed with all files being blocked unless
explicitly passed. Simply enter all the file patterns or types to be passed with the allow
attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action.
Allowed files continue to antivirus scanning (if enabled) while files not matching any
allowed patterns are blocked by the wildcard at the end.
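An added example, not FortiOS code, of the file filter evaluation just described: ordered pattern and type entries with Block or Allow actions, case-insensitive wildcards, content-based type detection that ignores the file name, and the allow-list inversion that ends in a *.* block entry. The magic-number table, the Entry class, evaluate() and the sample files are constructed for this example.

```python
import fnmatch
from dataclasses import dataclass

# Magic-number prefixes for a few of the file types listed on this page (constructed
# subset; the FortiGate unit's own type recognition is not documented here).
MAGIC = [
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\xca\xfe\xba\xbe", "class"),
    (b"MSCF", "cab"),
]


def detect_type(data):
    """Type from content, ignoring the file name; 'unknown' when no prefix matches."""
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"


@dataclass
class Entry:
    kind: str            # "pattern" (file name with ? and * wildcards) or "type"
    value: str           # the pattern, or a type name such as "exe"
    action: str          # "block" or "allow"
    enabled: bool = True


def evaluate(filters, filename, data):
    """Apply a file filter list to one file.  Enabled pattern entries are tried
    first, then enabled type entries, each top to bottom; the first match wins.
    Returns (action, matched_entry): 'block', 'allow' (continues to AV scan), or
    'pass' when nothing matched (also continues to AV scan)."""
    ftype = detect_type(data)
    patterns = [e for e in filters if e.enabled and e.kind == "pattern"]
    types = [e for e in filters if e.enabled and e.kind == "type"]
    for e in patterns:
        # Pattern entries are not case sensitive: *.exe also matches .EXE.
        # Note that a name with no dot does not match the *.* wildcard.
        if fnmatch.fnmatchcase(filename.lower(), e.value.lower()):
            return e.action, "pattern:" + e.value
    for e in types:
        if e.value == ftype:
            return e.action, "type:" + e.value
    return "pass", "no-match"


# Deny-list style: block .exe by name, and anything that is an executable by content.
DENY_LIST = [Entry("pattern", "*.exe", "block"), Entry("type", "exe", "block")]

# Allow-list style from the text: list what may pass, end with *.* set to block.
ALLOW_LIST = [
    Entry("pattern", "*.pdf", "allow"),
    Entry("pattern", "*.docx", "allow"),
    Entry("pattern", "*.*", "block"),
]

if __name__ == "__main__":
    samples = [("SETUP.EXE", b"MZ\x90\x00"), ("notes.txt", b"MZ\x90\x00"), ("notes.txt", b"hello")]
    for name, data in samples:
        print("deny-list ", name, evaluate(DENY_LIST, name, data))
    for name, data in [("report.pdf", b"%PDF-1.4"), ("tool.exe", b"MZ")]:
        print("allow-list", name, evaluate(ALLOW_LIST, name, data))
```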
The FortiGate unit can take actions against the following file types:
activemime
aspack
base64
bat
binhex
bzip
bzip2
cab
class
cod
elf
exe
fsg
gzip
hlp
hta
html
jad
javascript
lzh
mime
msc
msoffice
petite
prc
rar
sis
tar
upx
uue
zip
unknown
ignored
Note: The unknown type is any file type that is not listed in the table. The ignored type is
the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio
and video.
Create New: Select Create New to add a new file filter list to the catalog.
Name
# Entries: The number of file patterns or file types in each file filter list.
Profiles: The protection profiles each file filter list has been applied to.
DLP Rule
Comments
Delete icon: Select to remove the file filter list from the catalog. The delete icon is only
available if the file filter list is not selected in any protection profiles.
Edit icon
File filter lists are selected in protection profiles. For more information, see Anti-Virus
options on page 477.
The file filter list has the following icons and features:
Name: File filter list name. To change the name, edit the text in the name field and
select OK.
Comment: Optional comment. To add or edit a comment, enter text in the comment field and
select OK.
OK: If you make changes to the list name or comments, select OK to save the changes.
Create New: Select Create New to add a new file pattern or type to the file filter list.
Filter
Action: Files matching the file patterns and types can be set to Block or Allow. For
information about actions, see File Filter on page 513.
Enable
Delete icon
Edit icon
Move To icon: Select to move the file pattern or type to any position in the list.
To add a file pattern or type, go to UTM > AntiVirus > File Filter. Select the Edit icon for a
file filter catalog. Select Create New.
Filter Type
Pattern: Enter the file pattern. The file pattern can be an exact file name or can include
wildcards. The file pattern can be 80 characters long.
File Type: Select a file type from the list. For information about supported file types, see
Built-in patterns and supported file types on page 513.
Action: Select an action from the drop-down list: Block or Allow. For more information
about actions, see File Filter on page 513.
Enable
File Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. View the file
name and status information about the file in the Quarantined Files list. Submit specific
files and add file patterns to the AutoSubmit list so they will automatically be uploaded to
Fortinet for analysis.
FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files
stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list. To
configure quarantine to a FortiAnalyzer unit, go to Log & Report > Log Config > Log
Setting.
To configure and enable file quarantine
1 Go to UTM > AntiVirus > Config to configure the quarantine service and destination.
For details, see Configuring quarantine options on page 518.
2 Go to Firewall > Protection Profile > Antivirus to enable quarantine for required
protocols in the protection profiles. For details, see Configuring a protection profile on
page 474.
You can configure a protection profile to quarantine blocked and infected files from
HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP Traffic. If your FortiGate unit supports
SSL content scanning and inspection you can also quarantine blocked and infected
files from HTTPS, IMAPS, POP3S, and SMTPS traffic. To enable HTTPS quarantine
you must set HTTPS Content Filtering Mode to Deep Scan in the Protocol Recognition
part of the protection profile. For more information, see SSL content scanning and
inspection on page 469.
3 Go to Firewall > Policy and add the protection profile to a firewall policy.
File Pattern: The current list of file patterns that will be automatically uploaded. Create a
pattern by using ? or * wildcard characters. Enable the check box to enable all file
patterns in the list.
Delete icon
Edit icon
File Pattern
Enable
Note: To enable automatic uploading of the configured file patterns, go to UTM >
AntiVirus > Quarantine, select Enable AutoSubmit, and select Use File Pattern.
Figure 300: Quarantine Configuration (SSL content scanning and inspection and quarantine
to disk)
Options
Quarantine Infected Files: Select the protocols from which to quarantine infected files
identified by antivirus scanning.
Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious
files identified by heuristic scanning.
Quarantine Blocked Files: Select the protocols from which to quarantine blocked files
identified by antivirus file filtering. The Quarantine Blocked Files option is not available
for IM and HTTPS because a file name is blocked before downloading and cannot be
quarantined.
Age Limit: The time limit in hours for which to keep files in quarantine. The age limit is
used to formulate the value in the TTL column of the quarantined files list. When the limit
is reached, the TTL column displays EXP. and the file is deleted (although the entry in the
quarantined files list is maintained). Entering an age limit of 0 (zero) means files are
stored on disk indefinitely, depending on the low disk space action.
Max Filesize to Quarantine: The maximum size of quarantined files in MB. Setting the
maximum file size too large may affect performance.
Low Disk Space: Select the action to take when the local disk is full: overwrite the oldest
file or drop the newest file.
Quarantine to FortiAnalyzer
Enable
AutoSubmit
Enable AutoSubmit: Enables the automatic submission feature. Select one or both of the
options below.
Use File Pattern: Enables the automatic upload of files matching the file patterns in the
AutoSubmit list.
Use File Status: Enables the automatic upload of quarantined files based on their status.
Select either Heuristics or Block Pattern.
Apply
Usually the FortiGuard AV definitions are updated automatically from the FortiGuard
Distribution Network (FDN). Go to System > Maintenance > FortiGuard to configure
automatic antivirus definition updates from the FDN.
You can also update the antivirus definitions manually from the system dashboard (go to
System > Status).
antivirus: The FortiGate unit spreads the antivirus scanning tasks across several CPUs
(symmetric multiprocessing).
throughput: Default setting. The FortiGate unit uses a single CPU to process traffic.
Use optimize antivirus in conjunction with antivirus failopen to ensure maximum efficiency
and safeguard against system crashes if the system does become overloaded because of
high traffic.
The heuristic engine is disabled by default. You need to enable it to pass suspected files
to the recipient and send a copy to the file quarantine. Once enabled in the CLI, heuristic
scanning is enabled in a protection profile when Virus Scan is enabled.
Use the heuristic command to change the heuristic scanning mode.
Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly detection and
prevention with low latency and excellent reliability. With Intrusion Protection, you can
create multiple IPS sensors, each containing a complete configuration based on
signatures. Then, you can apply any IPS sensor to each protection profile. You can also
create DoS sensors to examine traffic for anomaly-based attacks.
This section describes how to configure the FortiGate Intrusion Protection settings. For
more information about Intrusion Protection, see the FortiGate UTM User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section describes:
Signatures
Custom signatures
Protocol decoders
IPS sensors
DoS sensors
Using Intrusion Protection, you can configure the FortiGate unit to check for and
automatically download updated attack definition files containing the latest signatures, or
download the updated attack definition file manually. Alternately, you can configure the
FortiGate unit to allow push updates of the latest attack definition files as soon as they are
available from the FortiGuard Distribution Network.
You can also create custom attack signatures for the FortiGate unit to use in addition to an
extensive list of predefined attack signatures.
Whenever the Intrusion Protection system detects or prevents an attack, it generates an
attack log message. You can configure the FortiGate unit to add the message to the attack
log and send an alert email to administrators, as well as schedule how often it should send
this alert email. You can also reduce the number of log messages and alerts by disabling
signatures for attacks that will not affect your network. For example, you do not need to
enable signatures to detect web attacks when there is no web server to protect.
You can also use the packet logging feature to analyze packets for false positive
detection.
For more information about FortiGate logging and alert email, see Log&Report on
page 703.
Signatures
The FortiGate Intrusion Protection system can use signatures once you have grouped the
required signatures in an IPS sensor, and then selected the IPS sensor in the protection
profile. If required, you can override the default settings of the signatures specified in an
IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should
check their settings before using them, to ensure they meet your network requirements.
By using only the signatures you require, you can improve system performance and
reduce the number of log messages and alert email messages the IPS sensor generates.
For example, if the FortiGate unit is not protecting a web server, do not include any web
server signatures.
Note: Some default protection profiles include IPS Sensors that use all the available
signatures. By using these default settings, you may be slowing down the overall
performance of the FortiGate unit. By creating IPS sensors with only the signatures your
network requires, you can ensure maximum performance as well as maximum protection.
To view the predefined signature list, go to UTM > Intrusion Protection > Predefined. You
can also use filters and column settings to display the signatures you want to view. For
more information, see Using display filters on page 526.
Figure 302: Predefined signature list
By default, the signatures are sorted by name. To sort the table by another column, select
the header of the column to sort by.
Current Page: The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of signatures.
Column Settings: Select to customize the signature information displayed in the table. You
can also readjust the column order. For more information, see Using column settings to
control the columns displayed on page 61 and Web-based manager icons on page 63.
If you have applied filtering to the predefined signature list display, select this option to
clear all filters and display all the signatures.
Filter icons: Edit the column filters to filter or sort the predefined signature list according
to the criteria you specify. For more information, see Adding filters to web-based manager
lists on page 57.
Name: The name of the signature. Each name is also a link to the description of the
signature in the FortiGuard Center Vulnerability Encyclopedia.
Severity: The severity rating of the signature. The severity levels, from lowest to highest,
are Information, Low, Medium, High, and Critical.
Target
Protocols
OS
Applications
Enable: The default status of the signature. A green circle indicates the signature is
enabled. A gray circle indicates the signature is not enabled.
Action
ID
Logging: The default logging behavior of the signature. A green circle indicates logging is
enabled. A gray circle indicates logging is disabled.
Group: A functional group that is assigned to that signature. This group is only for
reference and cannot be used to define filters.
Packet Log: The default packet log status of the signature. A green circle indicates that
the packet log is enabled. A gray circle indicates that the packet log is not enabled.
Revision: The revision level of the signature. If the signature is updated, the revision
number will be incremented.
Tip: To determine what effect IPS protection would have on your network traffic, you can
enable the required signatures, set the action to pass, and enable logging. Traffic will not be
interrupted, but you will be able to examine in detail which signatures were detected.
Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate Intrusion
Protection system for diverse network environments. The FortiGate predefined signatures
represent common attacks. If you use an unusual or specialized application or an
uncommon platform, you can add custom signatures based on the security alerts released
by the application and platform vendors.
You can also create custom signatures to help you block P2P protocols.
After creation, you need to specify custom signatures in IPS sensors created to scan
traffic. For more information about creating IPS sensors, see Adding an IPS sensor on
page 530.
For more information about custom signatures, see the FortiGate UTM User Guide.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
Edit
Delete
Create New
Name
Signature
Note: Custom signatures must be added to a signature override in an IPS filter to have any
effect. Creating a custom signature is a necessary step, but a custom signature does not
affect traffic simply by being created.
Name
Signature: Enter the custom signature, using the appropriate syntax. For more information, see the FortiGate UTM User Guide.
Protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal
traffic patterns that do not meet the protocol requirements and standards. For example,
the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the
HTTP protocol standards.
IPS sensors
You can group signatures into IPS sensors for easy selection in protection profiles. You
can define signatures for specific types of traffic in separate IPS sensors, and then select
those sensors in profiles designed to handle that type of traffic. For example, you can
specify all of the web-server related signatures in an IPS sensor, and the sensor can then
be used by a protection profile in a policy that controls all of the traffic to and from a web
server protected by the FortiGate unit.
The FortiGuard Service periodically updates the pre-defined signatures, with signatures
added to counter new threats. Because the signatures included in filters are defined by
specifying signature attributes, new signatures matching existing filter specifications will
automatically be included in those filters. For example, if you have a filter that includes all
signatures for the Windows operating system, your filter will automatically incorporate new
Windows signatures as they are added.
Edit
Delete
Create New: Add a new IPS sensor. For more information, see Adding an IPS sensor on page 530.
Name
Comments
Five default IPS sensors are provided with the default configuration.
all_default: Includes all signatures. The sensor is set to use the default enable status and action of each signature.
all_default_pass: Includes all signatures. The sensor is set to use the default enable status of each signature, but the action is set to pass.
protect_client
protect_email_server
protect_http_server
Name
Comment
Edit
Delete
Move To
View
Name: The name of the IPS sensor. You can change it at any time.
Comments: An optional comment describing the IPS sensor. You can change it at any time.
OK
Add a new filter to the end of the filter list. For more information, see
Configuring filters on page 532.
Name
Signature attributes: Signature attributes specify the type of network traffic the signature applies to.
Severity
Target: The type of system targeted by the attack. The targets are client and server.
Protocol
OS
Application
Enable: The status of the signatures included in the filter. The signatures can be set to enabled, disabled, or default. The default setting uses the default status of each individual signature as displayed in the signature list.
Logging: The logging status of the signatures included in the filter. Logging can be set to enabled, disabled, or default. The default setting uses the default status of each individual signature as displayed in the signature list.
Action: The action of the signatures included in the filter. The action can be set to pass all, block all, reset all, or default. The default setting uses the action of each individual signature as displayed in the signature list.
Count: The number of signatures included in the filter. Overrides are not included in this total.
Delete icon
Edit icon
Insert icon
Move to icon: After selecting this icon, enter the destination position in the window that appears, and select OK.
View Rules icon: Open a window listing all of the signatures included in the filter.
IPS sensor overrides:
Add Pre-defined Override: Select to create an override based on a pre-defined signature.
Add Custom Override
Name
Enable: The status of the override. A green circle indicates the override is enabled. A gray circle indicates the override is not enabled.
Logging: The logging status of the override. A green circle indicates logging is enabled. A gray circle indicates logging is not enabled.
Action: The action set for the override. The action can be set to pass, block, or reset.
Configuring filters
To configure a filter, go to UTM > Intrusion Protection > IPS Sensor. Select the Edit icon of
the IPS sensor containing the filter you want to edit. When the sensor window opens,
select the Edit icon of the filter you want to change, or select Add Filter to create a new
filter. Enter the information as described below and select OK.
Figure 309: Edit IPS Filter
Name
Severity: Select All, or select Specify and then choose one or more severity ratings. Severity defines the relative importance of each signature. Signatures rated critical detect the most dangerous attacks, while those rated as info pose a much smaller threat.
Target: Select All, or select Specify and then choose the type of system targeted by the attack. The choices are server or client.
OS: Select All, or select Specify and then select one or more operating systems that are vulnerable to the attack. Signatures with an OS attribute of All affect all operating systems. These signatures will be automatically included in any filter regardless of whether a single, multiple, or all operating systems are specified.
Protocol: Select All, or select Specify to list the network protocols used by the attack. Use the Right Arrow to move the ones you want to include in the filter from the Available to the Selected list, or the Left Arrow to remove previously selected protocols from the filter.
Application: Select All, or select Specify to list the applications or application suites vulnerable to the attack. Use the Right Arrow to move the ones you want to include in the filter from the Available to the Selected list, or the Left Arrow to remove previously selected applications from the filter.
Quarantine Attackers (to Banned Users List): Select to enable NAC quarantine for this filter. For more information about NAC quarantine, see NAC quarantine and the Banned User list on page 670. The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting.
Method: Select Attackers IP address to block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
Select Attacker and Victim IP Addresses to block all traffic sent from the attacker IP address to the target (victim) IP address. Traffic from the attacker IP address to addresses other than the victim IP address is allowed. The attacker and target IP addresses are added to the banned user list as one entry.
Select Attacks Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list.
Expires: You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Signature Settings: Configure whether the filter overrides the following signature settings or accepts the settings in the signatures.
Enable: Select from the options to specify what the FortiGate unit will do with the signatures included in the filter: enable all, disable all, or enable or disable each according to the individual default values shown in the signature list.
Logging: Select from the options to specify whether the FortiGate unit will create log entries for the signatures included in the filter: enable all, disable all, or enable or disable logging for each according to the individual default values shown in the signature list.
Action: Select from the options to specify what the FortiGate unit will do with traffic containing a signature match: pass all, block all, reset all, or block or pass traffic according to the individual default values shown in the signature list.
The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to All, which causes every signature to be included in the filter. If the severity is changed to high and the target is changed to server, the filter includes only signatures checking for high-priority attacks targeted at servers.
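As an added example (not Fortinet's code), the following Python models the selection rules just described: a filter includes only the signatures matching every attribute it specifies, signatures with an OS attribute of All are always included, the filter's Enable, Logging and Action settings either override or pass through each signature's defaults, and an override sets a signature's status explicitly. The signature names and attributes are constructed; evaluating filters in list order with the first match winning, and overrides taking precedence over filters, are assumptions this page does not state.

```python
from dataclasses import dataclass

ALL = "All"  # the All choice for a filter attribute, and the OS attribute All on a signature

@dataclass(frozen=True)
class Signature:
    """A signature as shown in the predefined list, with its default settings."""
    name: str
    severity: str      # Information, Low, Medium, High or Critical
    target: str        # client or server
    os: str            # an operating system, or All
    protocol: str
    application: str
    enabled: bool      # default enable status
    action: str        # default action: pass, block or reset
    logging: bool      # default logging status
    custom: bool = False

@dataclass
class Filter:
    """One filter in a sensor: attribute selections plus its Enable/Logging/Action settings."""
    severity: "set[str] | str" = ALL
    target: "set[str] | str" = ALL
    os: "set[str] | str" = ALL
    protocol: "set[str] | str" = ALL
    application: "set[str] | str" = ALL
    enable: str = "default"    # enable all, disable all or default
    logging: str = "default"   # enable all, disable all or default
    action: str = "default"    # pass all, block all, reset all or default

@dataclass(frozen=True)
class Override:
    """An override names one signature; its settings are explicit, never the defaults."""
    signature: str
    enabled: bool
    action: str
    logging: bool

def _selected(choice, value):
    return choice == ALL or value in choice

def filter_includes(flt, sig):
    """A signature is included only if every attribute of the filter matches it.
    Signatures whose OS attribute is All are included whatever OS the filter specifies."""
    if sig.custom:
        return False  # custom signatures reach a sensor only through an override
    return (_selected(flt.severity, sig.severity)
            and _selected(flt.target, sig.target)
            and (sig.os == ALL or _selected(flt.os, sig.os))
            and _selected(flt.protocol, sig.protocol)
            and _selected(flt.application, sig.application))

def filter_count(flt, signatures):
    """The Count column: signatures the filter includes, overrides not counted."""
    return sum(1 for s in signatures if filter_includes(flt, s))

def _filter_settings(flt, sig):
    enabled = {"enable all": True, "disable all": False}.get(flt.enable, sig.enabled)
    logging = {"enable all": True, "disable all": False}.get(flt.logging, sig.logging)
    action = {"pass all": "pass", "block all": "block",
              "reset all": "reset"}.get(flt.action, sig.action)
    return {"enabled": enabled, "action": action, "logging": logging}

def resolve_sensor(filters, overrides, signatures):
    """Effective settings of every signature the sensor covers.

    Assumed here, not stated on the page: filters apply in list order and the first
    filter that includes a signature decides its settings; an override takes
    precedence over the filters for the signature it names."""
    known = {s.name for s in signatures}
    effective = {}
    for sig in signatures:
        for flt in filters:
            if filter_includes(flt, sig):
                effective[sig.name] = dict(_filter_settings(flt, sig), via="filter")
                break
    for ov in overrides:
        if ov.signature not in known:
            raise KeyError(f"unknown signature {ov.signature!r}")
        effective[ov.signature] = {"enabled": ov.enabled, "action": ov.action,
                                   "logging": ov.logging, "via": "override"}
    return effective

# Constructed sample data: signature names and attributes are invented for this example.
SIGNATURES = [
    Signature("HTTP.Server.Overflow", "High", "server", ALL, "HTTP", "Apache", True, "block", True),
    Signature("Windows.SMB.Probe", "High", "server", "Windows", "SMB", ALL, True, "pass", False),
    Signature("Browser.Script.Exploit", "Critical", "client", "Windows", "HTTP", "Browser", True, "block", True),
    Signature("FTP.Banner.Info", "Information", "server", "Linux", "FTP", "vsftpd", False, "pass", False),
    Signature("Custom.P2P", "Medium", "client", ALL, "TCP", ALL, True, "block", False, custom=True),
]
HIGH_SERVER_LINUX = Filter(severity={"High"}, target={"server"}, os={"Linux"})
EVERYTHING_PASS_LOGGED = Filter(action="pass all", logging="enable all")
OVERRIDES = [Override("Windows.SMB.Probe", True, "reset", True),
             Override("Custom.P2P", True, "block", False)]
```

HIGH_SERVER_LINUX includes HTTP.Server.Overflow (OS All) but not Windows.SMB.Probe, so its Count is 1; the second filter then catches the rest, and the two overrides replace whatever the filters decided for their signatures.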
An override adds an individual signature, not included in any filter, to an IPS sensor. This is the only way to add custom signatures to IPS sensors.
When a pre-defined signature is specified in an override, the default status and action
attributes have no effect. These settings must be explicitly set when creating the override.
Note: Before an override can affect network traffic, you must add it to a filter, and you must
select the sensor in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken.
To edit a pre-defined or custom override, go to UTM > Intrusion Protection > IPS Sensor
and select the Edit icon of the IPS sensor containing the override you want to edit. When
the sensor window opens, select the Edit icon of the override you want to change.
Figure 310: Configure IPS override
Signature: Select the browse icon to view the list of available signatures. From this list, select a signature the override will apply to and then select OK.
Enable
Action: Select Pass, Block or Reset. When the override is enabled, the action determines what the FortiGate will do with traffic containing the specified signature.
Logging
Packet Log: Select to save packets that trigger the override to the FortiGate hard drive for later examination.
Quarantine Attackers (to Banned Users List): Select to enable NAC quarantine for this override. For more information about NAC quarantine, see NAC quarantine and the Banned User list on page 670. The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting.
Method: Select Attackers IP address to block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target address is not affected.
Select Attacker and Victim IP Addresses to block all traffic sent from the attacker IP address to the target (victim) IP address. Traffic from the attacker IP address to addresses other than the victim IP address is allowed. The attacker and target IP addresses are added to the banned user list as one entry.
Select Attacks Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list.
Expires: You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Exempt IP: Enter IP addresses to exclude from the override. The override will then apply to all IP addresses except those defined as exempt. The exempt IP addresses are defined in pairs, with a source and destination, and traffic moving from the source to the destination is exempt from the override.
Source
Destination
Packet logging
Packet logging lets you debug custom signatures, or check how any signature is functioning, in your network environment.
If a signature is selected in a custom override, and packet logging is enabled, the
FortiGate unit will save any network packet triggering the signature to memory, the internal
hard drive (if so equipped), a FortiAnalyzer, or the FortiGuard Analysis and Management
Service. These saved packets can be later viewed and saved in PCAP format for closer
examination.
Note: Setting packet-log-history to a value larger than 1 can affect the maximum
performance of the FortiGate unit because network traffic must be buffered. The
performance penalty depends on the model, the setting, and the traffic load.
5 Select the packet to view the packet in binary and ASCII. Each table row represents a
captured packet.
6 Select Save to save the packet data in a PCAP formatted file.
PCAP files can be opened and examined in network analysis software such as Wireshark.
DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that
does not fit known or common traffic patterns and behavior. For example, one type of
flooding is the denial of service (DoS) attack that occurs when an attacking system starts
an abnormally large number of sessions with a target system. The large number of
sessions slows down or disables the target system so legitimate users can no longer use
it. This type of attack gives the DoS sensor its name, although it is capable of detecting
and protecting against a number of anomaly attacks.
You can enable or disable logging for each traffic anomaly, and configure the detection
threshold and action to take when the detection threshold is exceeded.
You can create multiple DoS sensors. Each sensor consists of 12 anomaly types that you
can configure. When a sensor detects an anomaly, it applies the configured action. One
sensor can be selected for use in each DoS policy, allowing you to configure the anomaly
thresholds separately for each interface. Multiple sensors allow great granularity in
detecting anomalies because each sensor can be configured for the specific needs of the
interface it is attached to by the DoS policy.
The traffic anomaly detection list can be updated only when the FortiGate firmware image
is upgraded.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
must be configured separately in each VDOM. All sensors and custom signatures will
appear only in the VDOM in which they were created.
Create New
Name
Comments
Delete icon
Edit icon
To configure DoS sensors, go to UTM > Intrusion Protection > DoS Sensor. Select the Edit
icon of an existing DoS sensor, or select Create New to create a new DoS sensor.
Note: You can configure NAC quarantine for DoS sensors from the FortiGate CLI. For
more information, see Configuring NAC quarantine on page 671.
Comments
Anomalies Configuration
Name
Enable: Select the check box to enable the DoS sensor to detect when the specified anomaly occurs. Selecting the check box in the header row will enable sensing of all anomalies.
Logging: Select the check box to enable the DoS sensor to log when the anomaly occurs. Selecting the check box in the header row will enable logging for all anomalies. Anomalies that are not enabled are not logged.
Action: Select Pass to allow anomalous traffic to pass when the FortiGate unit detects it, or select Block to prevent the traffic from passing.
Threshold
Description
tcp_syn_flood
tcp_port_scan
tcp_src_session
tcp_dst_session
udp_flood
udp_scan
udp_src_session
udp_dst_session
icmp_flood
icmp_sweep
icmp_src_session
icmp_dst_session
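As an added example, not part of the guide, this Python model applies the per-anomaly Enable, Logging, Action and Threshold settings of a DoS sensor to a constructed packet stream. Which quantity each of the twelve anomaly types counts (packets or distinct ports, hosts or sessions, per second, kept per source or per destination) is assumed here, since this page lists only their names; the addresses and packets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    proto: str         # tcp, udp or icmp
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False  # TCP SYN flag

# Assumed semantics (the page lists only the names): protocol counted, the address the
# count is kept for, and what is counted within a one-second window. "sessions" are
# approximated as distinct (src, sport, dst, dport) tuples seen in that window.
ANOMALY_TYPES = {
    "tcp_syn_flood":    ("tcp",  "dst", "syn_packets"),
    "tcp_port_scan":    ("tcp",  "src", "dst_ports"),
    "tcp_src_session":  ("tcp",  "src", "sessions"),
    "tcp_dst_session":  ("tcp",  "dst", "sessions"),
    "udp_flood":        ("udp",  "dst", "packets"),
    "udp_scan":         ("udp",  "src", "dst_ports"),
    "udp_src_session":  ("udp",  "src", "sessions"),
    "udp_dst_session":  ("udp",  "dst", "sessions"),
    "icmp_flood":       ("icmp", "dst", "packets"),
    "icmp_sweep":       ("icmp", "src", "dst_hosts"),
    "icmp_src_session": ("icmp", "src", "sessions"),
    "icmp_dst_session": ("icmp", "dst", "sessions"),
}

class DosSensor:
    """One DoS sensor: per-anomaly Enable, Logging, Action and Threshold settings."""

    def __init__(self, name, anomalies):
        # anomalies: {anomaly_type: {"enabled", "logging", "action" (pass/block), "threshold"}}
        unknown = set(anomalies) - set(ANOMALY_TYPES)
        if unknown:
            raise ValueError(f"unknown anomaly types: {sorted(unknown)}")
        self.name = name
        self.anomalies = anomalies
        self._packets = defaultdict(int)    # (anomaly, address, second) -> packet count
        self._distinct = defaultdict(set)   # (anomaly, address, second) -> distinct items
        self.log = []

    def _count(self, anomaly, pkt):
        """Update the window counter this packet belongs to; return the new count, or None."""
        proto, keyed_by, measure = ANOMALY_TYPES[anomaly]
        if pkt.proto != proto or (measure == "syn_packets" and not pkt.syn):
            return None
        key = (anomaly, getattr(pkt, keyed_by), int(pkt.ts))
        if measure in ("packets", "syn_packets"):
            self._packets[key] += 1
            return self._packets[key]
        item = {"dst_ports": pkt.dport, "dst_hosts": pkt.dst,
                "sessions": (pkt.src, pkt.sport, pkt.dst, pkt.dport)}[measure]
        self._distinct[key].add(item)
        return len(self._distinct[key])

    def inspect(self, pkt):
        """Return "pass" or "block" for one packet, logging every exceeded threshold."""
        verdict = "pass"
        for anomaly, cfg in self.anomalies.items():
            if not cfg["enabled"]:
                continue  # anomalies that are not enabled are neither detected nor logged
            count = self._count(anomaly, pkt)
            if count is None or count <= cfg["threshold"]:
                continue
            if cfg["logging"]:
                self.log.append(f"{self.name}: {anomaly} {pkt.src}->{pkt.dst} count={count} "
                                f"threshold={cfg['threshold']} action={cfg['action']}")
            if cfg["action"] == "block":
                verdict = "block"
        return verdict

def make_sensor():
    """A constructed sensor: SYN floods are blocked, ICMP sweeps only logged (action pass)."""
    return DosSensor("example_dos", {
        "tcp_syn_flood": {"enabled": True, "logging": True, "action": "block", "threshold": 20},
        "tcp_port_scan": {"enabled": True, "logging": True, "action": "block", "threshold": 10},
        "icmp_sweep":    {"enabled": True, "logging": True, "action": "pass", "threshold": 10},
        "icmp_flood":    {"enabled": False, "logging": True, "action": "block", "threshold": 5},
    })

def constructed_traffic():
    """Constructed packets: 30 SYNs to one web server within one second, then ICMP to
    15 different hosts from another source (addresses from private/documentation ranges)."""
    syns = [Packet(i * 0.02, "tcp", "10.0.0.5", "192.0.2.10", 40000 + i, 80, syn=True)
            for i in range(30)]
    sweep = [Packet(1.0 + i * 0.05, "icmp", "10.0.0.7", f"192.0.2.{i + 1}") for i in range(15)]
    return syns + sweep

def run(sensor, packets):
    return [sensor.inspect(p) for p in packets]
```

With these thresholds the 21st to 30th SYN are blocked and logged, while the sweep's 11th to 15th packets are logged but still pass because that anomaly's action is Pass.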
Web Filter
This chapter describes how to configure FortiGate web filtering for HTTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also configure web filtering for HTTPS traffic. For information about SSL content scanning and inspection, see SSL content scanning and inspection on page 469. If your FortiGate unit does not support HTTPS content scanning and inspection, you can configure URL filtering for HTTPS traffic.
The three main sections of the web filtering function, the Web Content Filter, the URL
Filter, and the FortiGuard Web filter, interact with each other in such a way as to provide
maximum control and protection for the Internet users.
This section provides an introduction to configuring web filtering. For more information see
the FortiGate UTM User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
URL filter
Table 55: Web filter and Protection Profile protocol recognition configuration
Protection Profile web filtering options
n/a
Enable or disable web page filtering based on the web content filter list for HTTP or HTTPS traffic. Add words and patterns to block or exempt web pages containing those words or patterns.
Table 57: Web filter and Protection Profile web URL filtering configuration
Protection Profile web filtering options
Enable or disable web page filtering for HTTP traffic based on the URL filter list. Add URLs and URL patterns to exempt or block web pages from specific sources.
Table 58: Web filter and Protection Profile web script filtering and download configuration
Protection Profile web filtering options
n/a
Table 59: Web filter and Protection Profile FortiGuard web filtering configuration
Protection Profile web filtering options
Classification/Action
When selected, users can access web sites
that provide content cache, and provide
searches for image, audio, and video files.
Choose from allow, block, log, or allow
override.
For each pattern you can select Block or Exempt. Block blocks access to a web page that matches the pattern. Exempt allows access to the web page even if other entries in the list would block access to it.
Create New
Name
# Entries
Profiles: The protection profiles each web content filter list has been applied to.
Comment: Optional description of each web content filter list. The comment text must be less than 63 characters long. Otherwise, it will be truncated.
Delete icon: Select to remove the web content filter list from the catalog. The delete icon is only available if the web content filter list is not selected in any protection profiles.
Edit icon: Select to edit the web content filter list, list name, or list comment.
Select web content filter lists in protection profiles. For more information, see Web
Filtering options on page 480.
Name
Comment
Note: Enable UTM > Web Filtering > Web Content Filter in a firewall Protection Profile to
activate the content filter settings.
The web content filter list has the following icons and features:
Name: Web content filter list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create new
Previous Page icon
Check Box: Select the check box to enable all the patterns in the list. Clear the check box to disable all of the patterns in the list. Use the check box for individual patterns to enable or disable them.
Pattern
Pattern type: The pattern type used in the pattern list entry. Pattern type can be wildcard or regular expression. See Using wildcards and Perl regular expressions on page 571.
Language: The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western.
Action
Score: A numerical weighting applied to the pattern. The score values of all the matching patterns appearing on a page are added, and if the total is greater than the threshold value set in the protection profile, the page is blocked.
Delete icon
Edit icon: Select to edit the following information: Banned Word, Pattern Type, Language, and Enable.
Action
Pattern: Enter the content pattern. Web content patterns can be one word or a text string up to 80 characters long. For a single word, the FortiGate unit checks all web pages for that word. For a phrase, the FortiGate unit checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Pattern Type: Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language: The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western.
Score
Enable
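As an added example, not the FortiGate implementation, the following Python applies the pattern rules above (single word, phrase, quoted phrase, wildcard or regular expression) together with the score-against-threshold rule, an Exempt match taking precedence over Block entries. Regular expression patterns are treated as case sensitive unless written with the /i modifier, the form the banned word note in the Email filtering chapter gives; the pattern list, pages and threshold are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ContentPattern:
    pattern: str
    pattern_type: str = "wildcard"  # Wildcard or Regular Expression
    action: str = "block"           # Block or Exempt
    score: int = 10                 # weighting added up for each matching block pattern
    enabled: bool = True

def _word_regex(term):
    """One wildcard term matched as a whole word, not case sensitive; * matches any run
    of non-space characters and ? a single character."""
    body = re.escape(term).replace(r"\*", r"\S*").replace(r"\?", ".")
    return re.compile(r"(?<!\w)" + body + r"(?!\w)", re.IGNORECASE)

def _regex(pattern):
    """Regular expression patterns are case sensitive unless written /.../i."""
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.DOTALL)
    if m:
        return re.compile(m.group(1), re.IGNORECASE if "i" in m.group(2) else 0)
    return re.compile(pattern)

def pattern_matches(pat, page_text):
    if pat.pattern_type == "regex":
        return _regex(pat.pattern).search(page_text) is not None
    p = pat.pattern.strip()
    if len(p) > 1 and p[0] == '"' == p[-1]:
        # a phrase in quotation marks: the page must contain the entire phrase
        return _word_regex(p[1:-1]).search(page_text) is not None
    # a single word, or a phrase: the page is checked for any word in it
    return any(_word_regex(word).search(page_text) for word in p.split())

def evaluate_page(patterns, page_text, threshold):
    """Add the scores of all matching block patterns and block when the total exceeds the
    protection profile threshold. An exempt match allows the page even if block entries
    would have blocked it."""
    matched = [p for p in patterns if p.enabled and pattern_matches(p, page_text)]
    names = [p.pattern for p in matched]
    if any(p.action == "exempt" for p in matched):
        return {"action": "allow", "score": 0, "matched": names}
    score = sum(p.score for p in matched if p.action == "block")
    return {"action": "block" if score > threshold else "allow",
            "score": score, "matched": names}

# Constructed sample list and pages; THRESHOLD stands in for the protection profile value.
PATTERNS = [
    ContentPattern("casino", score=40),
    ContentPattern('"free money"', score=30),                 # the whole phrase only
    ContentPattern("jackpot bonus", score=20),                # any one of the words
    ContentPattern("gambl*", score=25),                       # wildcard
    ContentPattern("/Poker Night/i", "regex", score=15),      # case-insensitive regex
    ContentPattern("responsible-gaming.example", action="exempt", score=0),
]
THRESHOLD = 50
PAGE_A = "Play at our CASINO tonight and win free money with every jackpot!"
PAGE_B = "The poker night raised funds for charity."
PAGE_C = "Gambling help: visit responsible-gaming.example for support with casino problems."
```

PAGE_A accumulates 40 + 30 + 20 and is blocked; PAGE_B matches only the regex (15) and is allowed; PAGE_C would score 65 but the exempt entry matches, so it is allowed.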
URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add patterns
using text and regular expressions (or wildcard characters) to allow or block URLs. The
FortiGate unit allows or blocks web pages matching any specified URLs or patterns and
displays a replacement message instead.
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the
URL filter settings.
Note: URL blocking does not block access to other services that users can access with a
web browser. For example, URL blocking does not block access to
ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.
The URL filter list catalogue has the following icons and features:
Create New
Name
# Entries
Profiles: The protection profiles each URL filter list has been applied to.
Comment
Delete icon: Select to remove the URL filter list from the catalog. The delete icon is only available if the URL filter list is not selected in any protection profiles.
Edit icon: Select to edit the URL filter list, list name, or list comment.
Select URL filter lists in protection profiles. For more information, see Web Filtering options on page 480.
Name
Comment
complete URLs
IP addresses
To view the URL filter list go to UTM > Web Filter > URL Filter. Select the Edit icon of the
URL filter list you want to view.
Figure 321: URL filter list
The URL filter list has the following icons and features:
Name: URL filter list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New
Previous Page icon
URL: The current list of blocked/exempt URLs. Select the check box to enable all the URLs in the list.
Type
Action: The action taken when the URL matches: Allow, Block, or Exempt. An allow match exits the URL filter list and checks the other web filters. An exempt match stops all further checking, including AV scanning. A block match blocks the URL and no further checking will be done.
Delete icon
Edit icon: Select to edit the following information: URL, Type, Action, and Enable.
Move icon
To add a URL to the URL filter list go to UTM > Web Filter > URL Filter. Select Create New
or edit an existing list.
Figure 322: New URL Filter
URL: Enter the URL. Do not include http://. For details about URL formats, see URL formats on page 550.
Type
Action
Enable
URL formats
When adding a URL to the URL filter list (see Configuring the URL filter list on
page 550), follow these rules:
Type a top-level URL or IP address to control access to all pages on a web site. For
example, www.example.com or 192.168.144.155 controls access to all pages at
this web site.
Enter a top-level URL followed by the path and filename to control access to a single
page on a web site. For example, www.example.com/news.html or
192.168.144.155/news.html controls the news page on this web site.
To control access to all pages with a URL that ends with example.com, add
example.com to the filter list. For example, adding example.com controls access to
www.example.com, mail.example.com, www.finance.example.com, and so
on.
Control access to all URLs that match patterns created using text and regular
expressions (or wildcard characters). For example, example.* matches
example.com, example.org, example.net and so on.
FortiGate web pattern blocking supports standard regular expressions.
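As an added example (not Fortinet's code), this Python applies the URL formats above and the Allow, Exempt and Block semantics from the URL filter list table to constructed requests, walking the list in order so that the first matching entry decides. The Type values simple, wildcard and regex are assumed names for the list's Type column, and the entries and requests are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class UrlEntry:
    url: str
    url_type: str = "simple"   # simple, wildcard or regex (assumed names for the Type column)
    action: str = "block"      # Allow, Block or Exempt
    enabled: bool = True

def split_request(request_url):
    """Entries are written without http://, so strip any scheme from the request as well."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", request_url.strip(), flags=re.IGNORECASE)
    host, sep, rest = url.partition("/")
    return host.lower(), ("/" + rest if sep else "")

def simple_matches(entry_url, host, path):
    ehost, sep, epath = entry_url.lower().partition("/")
    if sep:
        # top-level URL followed by path and filename: controls that single page only
        return host == ehost and path == "/" + epath
    # top-level URL or IP address: controls every page on the site; a bare domain such
    # as example.com also covers www.example.com, mail.example.com and so on
    return host == ehost or host.endswith("." + ehost)

def entry_matches(entry, host, path):
    if entry.url_type == "simple":
        return simple_matches(entry.url, host, path)
    if entry.url_type == "wildcard":
        # example.* matches example.com, example.org, example.net and so on
        regex = re.escape(entry.url).replace(r"\*", ".*").replace(r"\?", ".")
        return any(re.fullmatch(regex, s, re.IGNORECASE) for s in (host, host + path))
    return re.search(entry.url, host + path) is not None  # standard regular expression

def url_filter(entries, request_url):
    """Walk the list in order; the first enabled entry that matches decides:
    allow  - leave the URL filter and continue with the other web filters,
    exempt - stop all further checking, including AV scanning,
    block  - block the URL, no further checking."""
    host, path = split_request(request_url)
    for entry in entries:
        if entry.enabled and entry_matches(entry, host, path):
            return {"action": entry.action, "entry": entry.url,
                    "further_checking": entry.action == "allow"}
    return {"action": "none", "entry": None, "further_checking": True}

# Constructed sample list; the order matters, which is what the Move icon in the list is for.
ENTRIES = [
    UrlEntry("files.example.com", action="exempt"),        # trusted downloads, no AV scan
    UrlEntry("www.example.com/news.html", action="allow"),
    UrlEntry("example.com", action="block"),               # everything else under example.com
    UrlEntry("192.168.144.155", action="block"),
    UrlEntry("example.*", "wildcard", "block"),
    UrlEntry(r"\.(exe|zip)$", "regex", "block"),
]
```

Note that the exempt entry is listed first on purpose: placed after the regex entry, a download from files.example.com would be blocked by the .exe pattern instead of being exempted.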
Note: URLs with an action set to exempt are not scanned for viruses. If users on the network download files through the FortiGate unit from a trusted website, add the URL of this website to the URL filter list with an action set to exempt so that the FortiGate unit does not virus scan files downloaded from this URL.
Note: Enable Web Filtering > Web URL Filter > HTTP or HTTPS in a firewall Protection
Profile to activate the web URL filter settings for HTTP and/or HTTPS traffic.
Move to (URL): Enter the URL before or after which the new URL is to be located in the list.
Return
URL/Category
Scope
Off-site URLs: A green check mark indicates that the off-site URL option is set to Allow, which means that the override web page will display the contents from off-site domains. A gray cross indicates that the off-site URL option is set to Block, which means that the override web page will not display the contents from off-site domains. For details, see Configuring administrative override rules on page 553.
Initiator
Expiry Date
Delete icon
Edit icon: Select to edit the following information: Type, URL, Scope, User, Off-site URLs, and Override Duration.
Type
URL
Scope: Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User
User Group: Select a user group from the dropdown list. User groups must be configured before FortiGuard Web Filtering configuration. For more information, see User Group on page 658.
Off-site URLs: This option defines whether the override web page will display the images and other contents from the blocked off-site URLs.
For example, all FortiGuard categories are blocked, and you want to visit a site whose images are served from a different domain. You can create a directory override for the site and view the page. If the off-site feature is set to deny, all the images on the page will appear broken because they come from a different domain to which the existing override rule does not apply. If you set the off-site feature to allow, the images on the page will then show up.
Only users that fall under the scope of the page override can see the images from the temporary overrides. The users will not be able to view any pages on the sites where the images come from (unless the pages are served from the same directory as the images themselves) without a new override rule being created.
To create an override for categories, go to UTM > Web Filter > Override.
Figure 326: New Override Rule - Categories
Type: Select Categories.
Categories
Classifications
Scope: Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User
User Group
IP
Profile
Off-site URLs: Select Allow or Block. See the previous table for details about off-site URLs.
Add
Delete icon
The local ratings list has the following icons and features:
Create New
Search
URL: The rated URL. Select the green arrow to sort the list by URL.
Category: The category or classification in which the URL has been placed. If the URL is rated in more than one category or classification, trailing dots appear. Select the gray funnel to open the Category Filter dialog box. When the list has been filtered, the funnel changes to green.
Delete icon
Edit icon
Clear Filter
Category Name
Enable Filter: Select to enable the filter for the category or the individual sub-category.
Classification Name
Enable Filter
Generate a text and pie chart format report on FortiGuard Web Filtering for any protection
profile. The FortiGate unit maintains statistics for allowed, blocked, and monitored web
pages for each category. View reports for a range of hours or days, or view a complete
report of all activity.
To create a web filter report go to UTM > Web Filter > Reports.
Report Type: Select the time frame for the report. Choose from hour, day, or all historical statistics.
Report Range: Select the time range (24 hour clock) or day range (from six days ago to today) for the report. For example, for an hour report type with a range of 13 to 16, the result is a category block report for 1 pm to 4 pm today. For a day report type with a range of 0 to 3, the result is a category block report for 3 days ago to today.
Get Report
Allowed: The number of allowed web addresses accessed in the selected time frame.
Blocked: The number of blocked web addresses accessed in the selected time frame.
Monitored: The number of monitored web addresses accessed in the selected time frame.
Email filtering
This chapter describes how to configure FortiGate email filtering for IMAP, POP3, and
SMTP email. If your FortiGate unit supports SSL content scanning and inspection you can
also configure email filtering for IMAPS, POP3S, and SMTPS email traffic. For information
about SSL content scanning and inspection, see SSL content scanning and inspection
on page 469.
If you enable virtual domains (VDOMs) on the FortiGate unit, Email filtering is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section provides an introduction to configuring email filtering. For more information
see the FortiGate UTM User Guide.
This section describes:
Banned word
If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If
the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or
SMTPS email messages are substituted with a configurable replacement message.
Table 60: Email filtering and Protection Profile email filtering configuration (Continued)
Protection Profile Email filtering options
n/a
n/a
Spam Action
n/a
561
Banned word
Email filtering
Table 60: Email filtering and Protection Profile email filtering configuration (Continued)
Protection Profile Email filtering options
Banned word
Control spam by blocking email messages containing specific words or patterns. You can
add words, phrases, wild cards and Perl regular expressions to match content in email
messages.
For information about wild cards and Perl regular expressions, see Using wildcards and
Perl regular expressions on page 571.
Note: Perl regular expression patterns are case sensitive for banned words. To make a
word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.
Create New: Add a new list to the catalog. For more information, see Creating a new banned word list on page 563.
Name
# Entries
Profiles: The protection profiles each banned word list has been applied to.
Comments
Delete icon: Remove the banned word list from the catalog. The delete icon is available only if the banned word list is not selected in any protection profiles.
Edit icon
To use the banned word list, select banned word lists in protection profiles. For more
information, see Email Filtering options on page 485.
Name: Banned word list name. To change the name, edit text in the name field and select OK.
Comments: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the banned word list.
Remove All Entries icon
Pattern: The list of banned words. Select the check box to enable all the banned words in the list.
Pattern Type: The pattern type used in the banned word list entry. Choose from wildcard or regular expression. For more information, see Using wildcards and Perl regular expressions on page 571.
Language
Where: The location where the FortiGate unit searches for the banned word: Subject, Body, or All.
Score: A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the Banned word check value set in the protection profile, the email is processed according to whether the spam action is set to Discard or Tagged in the protection profile. The score for a banned word is counted once even if the word appears multiple times in the email message. For more information, see Configuring a protection profile on page 474.
Pattern: Enter the banned word pattern. A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a pattern are treated as a phrase. The phrase must appear exactly as entered to match. You can also use wildcards or regular expressions to have a pattern match multiple words or phrases.
Pattern Type: Select the pattern type for the banned word. Choose from wildcard or regular expression. For more information, see Using wildcards and Perl regular expressions on page 571.
Language
Where: Select where the FortiGate unit should search for the banned word: Subject, Body, or All.
Score
Enable
4 Select OK.
Create New
Name
# Entries
Profiles: The protection profiles each IP address list has been applied to.
Comments
Delete icon: Remove the IP address list from the catalog. The delete icon is available only if the IP address list is not selected in any protection profiles.
Edit icon
Name: IP address list name. To change the name, edit text in the name field and select OK.
Comments: Optional comment. To add or edit a comment, enter text in the comments field and select OK.
Create New
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the IP address list.
Action: The action to take on email from the configured IP address. Actions are: Spam to apply the configured spam action, Clear to bypass this and remaining email filters, or Reject (SMTP or SMTPS) to drop the session. If an IP address is set to reject but mail is delivered from that IP address via POP3 or IMAP, the email messages will be marked as spam.
Delete icon
Edit icon
Move To icon
Adding an IP address
After creating an IP address list, you can add IP addresses to the list.
Enter an IP address, or an IP address and mask pair, in the following formats:
To add an IP address go to UTM > Email Filter > IP Address. Select Edit for the IP
address list name to which you want to add an IP address. Then select Create New.
Figure 338: Adding an IP address
IP Address/Mask
Action: Select Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to bypass this and remaining email filters, or Mark as Reject (SMTP or SMTPS) to drop the session.
Enable
Create New
Name
# Entries
Profiles: The protection profiles each email address list has been applied to.
Comments
Delete icon: Remove the email address list from the catalog. The delete icon is only available if the email address list is not selected in any protection profiles.
Edit icon
You enable email filter addresses in protection profiles. For more information, see Email
Filtering options on page 485.
Name: The email address list name. To change the name, edit text in the name field and select OK.
Comments: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the email address list.
Pattern Type
Action: The action to take on email from the configured address. Actions are: Spam to apply the spam action configured in the protection profile, or Clear to let the email message bypass this and remaining email filters.
Delete icon
Edit icon
Move To icon
E-Mail Address
Pattern Type
Action: Select Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to bypass this and remaining email filters.
Enable
X-mailer: outgluck
X-Distribution: bulk
Content_Type: text/html
Content_Type: image/jpg
The first part of the MIME header is called the header or header key. The second part is
called the value. Spammers often insert comments into header values or leave them
blank. These malformed headers can fool some spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with certain
types of content that are common in spam messages. Mark the email as spam or clear for
each header configured.
To match a special character such as '.' or '*', use the escape character '\'. For example:
In Perl regular expressions, * means match the character before it 0 or more times, not
any character 0 or more times. For example:
To match any character 0 or more times, use .* where . means any character and the *
means 0 or more times. For example, the wildcard match pattern forti*.com should
therefore be fort.*\.com.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/ Feedback
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression test not only matches the word test but also any word
that contains test such as atest, mytest, testimony, atestb. The notation \b
specifies the word boundary. To match exactly the word test, the expression should be
\btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web filter and the email filter.
To make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of bad language, regardless of case.
Expression: Matches
abc: abc anywhere in the string
^abc: abc at the beginning of the string
abc$: abc at the end of the string
a|b: Either a or b
^abc|abc$: abc at the beginning or at the end of the string
ab{2,4}c: a followed by two to four b characters, followed by c
ab{2,}c: a followed by two or more b characters, followed by c
ab*c: a followed by zero or more b characters, followed by c
ab+c: a followed by one or more b characters, followed by c
ab?c: a followed by an optional b, followed by c
a.c: a followed by any single character, followed by c
a\.c: a.c exactly
[abc]: Any one of a, b, or c
[Aa]bc: Either abc or Abc
[abc]+: Any non-empty string made up of a, b, and c characters
[^abc]+: Any non-empty string that contains none of a, b, or c
\d\d: Any two decimal digits
/i: Makes the pattern case insensitive
\w+: A word: a non-empty sequence of alphanumeric characters and underscores
100\s*mk: The strings 100 and mk separated by any amount of white space, including none
abc\b: abc when followed by a word boundary (for example, in abc! but not in abcd)
perl\B: perl when not followed by a word boundary (for example, in perlert but not in perl stuff)
/x: Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/.../ (delimiters): Used to add regular expressions within other text. If the first character in a pattern is a forward slash '/', the '/' is treated as the delimiter. The pattern must contain a second '/'. The pattern between the slashes is taken as a regular expression, and anything after the second '/' is parsed as a list of regular expression options ('i', 'x', etc). An error occurs if the second '/' is missing. In regular expressions, leading and trailing space is treated as part of the regular expression.
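As an added illustration of the banned word scoring described under Banned word and of the wildcard and Perl regular expression rules in this section (example code, not FortiGate's own implementation), the following Python scorer translates a wildcard pattern into a regular expression, accepts the /pattern/options form with the i and x options, counts each matching entry once, and compares the total against the Banned word check value. The BannedWord structure, the function names, the sample list and the sample messages are constructed for illustration, and Python's re module stands in for the Perl engine.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BannedWord:
    """Constructed stand-in for one banned word list entry."""
    pattern: str
    pattern_type: str   # "wildcard" or "regexp"
    where: str          # "subject", "body" or "all"
    score: int


class PatternError(ValueError):
    """Raised for a '/pattern/options' entry whose second '/' is missing."""


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Wildcard patterns: '*' stands for any run of characters and every other
    character is literal, so '.' becomes '\\.' (forti*.com -> forti.*\\.com).
    Wildcard matching is not case sensitive."""
    parts = [".*" if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts), re.IGNORECASE)


_OPTIONS = {"i": re.IGNORECASE, "x": re.VERBOSE}  # Perl /i and /x equivalents


def perl_regex(pattern: str) -> re.Pattern:
    """Regular expression entry. If it starts with '/', the text up to the
    second '/' is the expression and the rest is the option list ('i', 'x');
    a missing second '/' is an error. Otherwise the whole entry, leading and
    trailing space included, is the expression and matching is case sensitive."""
    flags = 0
    if pattern.startswith("/"):
        end = pattern.rfind("/")
        if end == 0:
            raise PatternError("second '/' missing in %r" % pattern)
        for opt in pattern[end + 1:]:
            if opt not in _OPTIONS:
                raise PatternError("unknown option %r" % opt)
            flags |= _OPTIONS[opt]
        pattern = pattern[1:end]
    return re.compile(pattern, flags)


def compile_entry(entry: BannedWord) -> re.Pattern:
    if entry.pattern_type == "wildcard":
        return wildcard_to_regex(entry.pattern)
    return perl_regex(entry.pattern)


def banned_word_score(subject: str, body: str, entries) -> tuple:
    """Add up the scores of the entries that match in their configured field.
    An entry counts once however often its pattern appears in the message."""
    total, hits = 0, []
    for entry in entries:
        fields = {"subject": [subject], "body": [body],
                  "all": [subject, body]}[entry.where]
        rx = compile_entry(entry)
        if any(rx.search(text) for text in fields):
            total += entry.score
            hits.append(entry.pattern)
    return total, hits


def spam_verdict(subject, body, entries, check_value, spam_action="tagged"):
    """Above the protection profile's Banned word check value the message gets
    the profile's spam action ('discard' or 'tagged'); otherwise it passes."""
    total, hits = banned_word_score(subject, body, entries)
    return (spam_action if total > check_value else "pass"), total, hits


# Constructed banned word list. The second entry shows the /i option, the
# third and fourth show the effect of the \b word boundary.
BANNED = (
    BannedWord("free*money", "wildcard", "subject", 10),
    BannedWord("/bad language/i", "regexp", "body", 5),
    BannedWord(r"\btest\b", "regexp", "body", 3),
    BannedWord("test", "regexp", "body", 1),   # also matches 'Attestation'
)

if __name__ == "__main__":
    subject = "FREE easy MONEY!!"   # constructed sample message
    body = "Bad Language here, bad LANGUAGE again. Attestation testimony."
    print(spam_verdict(subject, body, BANNED, check_value=10))
    print(spam_verdict("Meeting", "A test of the plan.", BANNED, 10))
```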
DLP Sensors
This chapter describes:
DLP Sensors
DLP archiving
DLP Rules
DLP Sensors
DLP sensors are simply collections of DLP rules and DLP compound rules. The DLP
sensor also includes settings such as action, archive, and severity for each rule or
compound rule. Once a DLP sensor is configured, it can be specified in a protection
profile. Any traffic handled by the policy in which the protection profile is specified will
enforce the DLP sensor configuration.
Delete
Edit
Create New
Name
Comment
Protection Profiles: The names of the protection profiles that the DLP sensor has been added to.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some
content, DLP will not create more than one DLP archive entry, quarantine item, or ban entry
from the same content.
Content_Archive: DLP archives all email (POP3, IMAP, and SMTP), FTP, HTTP, and IM traffic. For each rule in the sensor, Archive is set to Full. No blocking or quarantine is performed. See DLP archiving on page 580. You can add the All-Session-Control rule to also archive session control content. If you have a FortiGate unit that supports SSL content scanning and inspection, you can edit the All-Email rule to archive POP3S, IMAPS, and SMTPS traffic. You can also edit the All-HTTP rule to archive HTTPS traffic.
Content_Summary: DLP summary archives all email (POP3, IMAP, and SMTP), FTP, HTTP, and IM traffic. For each rule in the sensor, Archive is set to Summary Only. No blocking or quarantine is performed. See DLP archiving on page 580. You can add the All-Session-Control rule to also archive session control content. If you have a FortiGate unit that supports SSL content scanning and inspection, you can edit the All-Email rule to archive POP3S, IMAPS, and SMTPS traffic. You can also edit the All-HTTP rule to archive HTTPS traffic.
Credit-Card: The number formats used by American Express, Visa, and Mastercard credit cards are detected in HTTP and email traffic. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.
Large-File: Files larger than 5MB are detected if attached to email messages or if sent using HTTP or FTP. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.
SSN-Sensor: The number formats used by U.S. Social Security and Canadian Social Insurance numbers are detected in email and HTTP traffic. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.
Delete
Edit
Name
Comment
Create New: Select Create New to add a new rule or compound rule to the sensor.
Enable: You can disable a rule or compound rule by clearing this check box. The item will be listed as part of the sensor, but it will not be used.
Rule name: The names of the rules and compound rules included in the sensor.
Action: The action configured for each rule. If the selected action is None, no action will be listed. Although archiving is enabled independent of the action, the Archive designation appears with the selected action. For example, if you select the Block action and set Archive to Full for a rule, the action displayed in the sensor rule list is Block, Archive.
Comment
To edit a rule or compound rule already included in a sensor, go to UTM > Data Leak
Prevention > Sensor and select the Edit icon of the sensor to be configured. Select the
edit icon of the rule or compound rule to edit. Change the settings for the rule or
compound rule.
Figure 347: Adding a DLP rule to a DLP sensor
Action
Select the action to be taken against traffic matching the configured DLP rule or DLP compound rule. The actions are:
None: prevents the DLP rule from taking any action on network traffic. Other matching rules in the same sensor and other sensors may still operate on matching traffic.
Block: prevents the traffic matching the rule from being delivered. The matching message or download is replaced with the Data leak prevention replacement message.
Exempt: prevents any DLP sensors from taking action on matching traffic. This action overrides any other action from any matching sensors.
Ban: if the user is authenticated, blocks all traffic to or from the user using the protocol that triggered the rule, and the user is added to the Banned User list. If the user is not authenticated, all traffic of the protocol that triggered the rule from the user's IP address is blocked. If the banned user is using HTTP, FTP, NNTP (or HTTPS if the FortiGate unit supports SSL content scanning and inspection) the FortiGate unit displays the Banned by data leak prevention replacement message for the protocol. If the user is using IM, the IM and P2P Banned by data leak prevention message replaces the banned IM message and this message is forwarded to the recipient. If the user is using IMAP, POP3, SMTP (or IMAPS, POP3S, SMTPS if your FortiGate unit supports SSL content scanning and inspection) the Mail Banned by data leak prevention message replaces the banned email message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list.
Ban Sender: blocks email or IM traffic from the sender of matching email or IM messages and adds the sender to the Banned User list. This action is available only for email and IM protocols. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders and the senders are determined by finding the IM user IDs in the session. Similar to Ban, the IM or Mail Banned by data leak prevention message replaces the banned message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list.
Quarantine IP address: blocks access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list. The FortiGate unit displays the NAC Quarantine DLP Message replacement message for all connection attempts from this IP address until the IP address is removed from the banned user list.
Quarantine Interface: blocks access to the network for all users connecting to the interface that received traffic matching a sensor with this action. The FortiGate unit displays the NAC Quarantine DLP Message replacement message for all connection attempts to the interface until the interface is removed from the banned user list.
Ban, Ban Sender, Quarantine IP, and Quarantine Interface provide functionality similar to NAC quarantine. However, these DLP options cause DLP to block users and IP addresses at the application layer, while NAC quarantine blocks IP addresses and interfaces at the network layer. For more information, see NAC quarantine and the Banned User list on page 670.
For more information about configuring DLP replacement messages, see Replacement messages on page 225.
If you have configured DLP to block IP addresses and the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device could be blocked, not just individual users. You can avoid this problem by implementing authentication or, where possible, by selecting Ban Sender.
Archive
Configure DLP archiving for the rule. Archive is available for Email, FTP, HTTP, IM, and Session Control rules and compound rules. The options are:
Disable: do not archive.
Full: perform full DLP archiving.
Summary Only: perform summary DLP archiving.
See DLP archiving on page 580.
Severity
Enter the severity of the content that the rule or compound rule is a match for. Use the
severity to indicate the seriousness of the problems that would result from the content
passing through the FortiGate unit. For example, if the DLP rule finds high-security
content the severity could be 5. On the other hand if the DLP rule finds any content
the severity should be 1.
DLP adds the severity to the severity field of the log message generated when the
rule or compound rule matches content. The higher the number the greater the
severity.
Expires
When the action is set to Ban, Ban Sender, or Quarantine IP address, you can specify
how long the ban will last. Select Indefinite for a ban ending only if the offender is
manually removed from the banned user list, or select After and enter the required
number of minutes, hours or days the ban will last. When the specified duration
expires, the offender is automatically removed from the banned user list.
Member
Type: Select Rule or Compound Rule. The rules of the selected type will be displayed in the table below.
Name
Description: The optional description entered for each rule or compound rule.
DLP archiving
You can use DLP archiving to collect and view historical logs that have been archived to a
FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is
available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiGate
configuration (see Remote logging to a FortiAnalyzer unit on page 704). The FortiGuard
Analysis and Management server becomes available when you subscribe to the
FortiGuard Analysis and Management Service (see the FortiGuard Analysis and
Management Service Administration Guide).
You can configure full DLP archiving and summary DLP archiving. Full DLP archiving
includes all content; for example, full email DLP archiving includes complete email
messages and attachments. Summary DLP archiving includes just the metadata about
the content; for example, email message summary records include only the email header.
You can archive Email, FTP, HTTP, IM, MMS, and session control content:
Email content includes IMAP, POP3, and SMTP sessions. Email content can also
include email messages tagged as spam by FortiGate Email filtering. If your FortiGate
unit supports SSL content scanning and inspection, Email content can also include
IMAPS, POP3S, and SMTPS sessions.
HTTP content includes HTTP sessions. If your FortiGate unit supports SSL content
scanning and inspection HTTP content can also include HTTPS sessions.
For more information about SSL content scanning and inspection, see SSL content
scanning and inspection on page 469.
Session control content includes SIP, SIMPLE and SCCP sessions. Only summary
DLP archiving is available for SIP and SCCP. Full and summary DLP archiving is
available for SIMPLE.
You add DLP sensors to archive Email, Web, FTP, IM, and session control content.
Archiving of spam email messages is configured in protection profiles.
Note: Enabling full DLP archiving reduces the amount of system memory available for virus
scanning. Because of these memory constraints, Fortinet recommends against using full DLP
archiving if antivirus scanning is also configured, especially on FortiGate units with low
system memory.
3 Verify that Rule is set to Always so that the rule matches all HTTP and HTTPS post
and get sessions.
4 Select OK to save the changes to the rule.
5 Go to UTM > Data Leak Prevention > Sensor and edit the Content_Archive sensor.
Figure 350: The Content_Archive DLP sensor
8 Go to Firewall > Policy > Protection Profile and add a new or edit a protection profile.
9 Select the Data Leak Prevention Sensor expand arrow.
10 Select Data Leak Prevention Sensor and select the Content_Archive sensor from the
list.
Figure 352: Adding the Content_Archive DLP sensor to a protection profile
11 Add the protection profile to a firewall policy that accepts HTTP and HTTPS traffic.
To DLP archive all email messages that contain the string confidential
This procedure describes how to add a DLP rule that finds the string confidential in the
body of POP3, IMAP, and SMTP email messages. To archive all email messages that
contain this string you must add the DLP rule to a DLP sensor and configure the sensor for
full DLP archiving.
1 Go to UTM > Data Leak Prevention > Rule and add a rule to find the string
confidential in POP3, SMTP, and IMAP email messages.
Figure 353: DLP rule to find the string confidential in the body of email messages
2 Go to UTM > Data Leak Prevention > Sensor and add a new sensor.
3 Edit the sensor and select Create New to add a rule to the sensor.
4 Configure the rule as follows:
Action: None
Archive: Full
Severity: 1 (Lowest)
Member type: Rule
Member: Email_confidential (selected)
5 Go to Firewall > Policy > Protection Profile and add a new or edit a protection profile.
6 Select the Data Leak Prevention Sensor expand arrow.
7 Select Data Leak Prevention Sensor and select the new sensor from the list.
8 Add the protection profile to a firewall policy that accepts email traffic.
Note: Infected files are clearly indicated in the DLP Archive Email message list.
DLP Rules
DLP rules are the core element of the data leak prevention feature. These rules define the
data to be protected so the FortiGate unit can recognize it. For example, an included rule
uses a regular expression to describe a Social Security number:
([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}
Rather than having to list every possible Social Security number, this regular expression
describes the structure of a Social Security number. The pattern is easily recognizable by
the FortiGate unit. For more information about regular expressions, see Using wildcards
and Perl regular expressions on page 571.
DLP rules can be combined into compound rules and they can be included in sensors. If
rules are specified directly in a sensor, traffic matching any single rule will trigger the
configured action. If the rules are first combined into a compound rule and then specified
in a sensor, every rule in the compound rule must match the traffic to trigger the configured
action.
Individual rules in a sensor are linked with an implicit OR condition while rules within a
compound rule are linked with an implicit AND condition.
Delete
Edit
Create New
Name
Comments
Compound Rules
DLP Sensors: If the rule is used in any sensors, the sensor names are listed here.
Caution: Before use, examine the rules closely to ensure you understand how they will
affect the traffic on your network.
All-Email, All-FTP, All-HTTP, All-IM, All-NNTP, All-Session-Control: These rules will detect all traffic of the specified type.
Email-AmEx, Email-Canada-SIN, Email-US-SSN, Email-Visa-Mastercard
HTTP-AmEx, HTTP-Canada-SIN, HTTP-US-SSN, HTTP-Visa-Mastercard
Email-Not-Webex, HTTP-Post-Not-Webex: These rules prevent DLP from matching email or HTTP pages that contain the string WebEx.
Large-Attachment: This rule detects files larger than 5MB attached to SMTP, POP3, and IMAP email messages.
Large-FTP-Put: This rule detects files larger than 5MB sent using the FTP PUT protocol. Files received using FTP GET are not examined.
Large-HTTP-Post: This rule detects files larger than 5MB sent using the HTTP POST protocol. Files received using HTTP GET are not examined.
Protocol: Select the type of content traffic that the DLP rule will apply to. The available rule options vary depending on the protocol that you select. You can select the following protocols: Email, HTTP, FTP, NNTP, Instant Messaging and Session Control.
AIM, ICQ, MSN, Yahoo!: When you select the Instant Messaging protocol, you can configure the rule to apply to file transfers using any or all of the supported IM protocols (AIM, ICQ, MSN, and Yahoo!). Only file transfers using the IM protocols are subject to DLP rules. IM messages are not scanned.
HTTP POST, HTTP GET: When you select the HTTP protocol, you can configure the rule to apply to HTTP post or HTTP get traffic or both.
HTTPS POST, HTTPS GET: When you select the HTTP protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also configure the HTTP rule to apply to HTTPS get or HTTPS post sessions or both. For more information about SSL content scanning and inspection, see Configuring SSL content scanning and inspection on page 472. To scan these encrypted traffic types, you must set HTTPS Content Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol Recognition section of the protection profile. If URL Filtering is selected, the DLP sensors will not scan HTTPS content.
FTP PUT, FTP GET: When you select the FTP protocol, you can configure the rule to apply to FTP put, or FTP get sessions or both.
SMTP, IMAP, POP3: When you select the Email protocol, you can configure the rule to apply to any or all of the supported email protocols (SMTP, IMAP, and POP3).
SMTPS, IMAPS, POP3S: When you select the Email protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also configure the rule to apply to SMTPS, IMAPS, POP3S or any combination of these protocols. For more information about SSL content scanning and inspection, see Configuring SSL content scanning and inspection on page 472.
SIP, SIMPLE, SCCP: When you select the Session Control protocol, you can configure the rule to apply to any or all of the supported session control protocols (SIP, SIMPLE, and SCCP). The only rule option for the session control protocols is Always. This option matches all session control traffic and is used for session control DLP archiving.
File Options: You can select file options for any protocol to configure how the DLP rule handles archive files, MS-Word files, and PDF files found in content traffic. File options appear when you select the File Type rule option.
Scan archive contents: When selected, files within archives are extracted and scanned in the same way as files that are not archived.
Scan archive files whole: When selected, archives are scanned as a whole. The files within the archive are not extracted and scanned individually.
When selected, MS Word DOC files are scanned. All binary and metadata information is included. If you are scanning for text entered in a DOC file, use the Scan MS-Word option. Binary formatting codes and file information may appear within the text, causing text matches to fail.
Note: Office 2007/2008 DOCX files are not recognized as MS-Word by the DLP scanner. To scan the contents of DOCX files, select the Scan archive contents option.
When selected, the text contents of PDF documents are extracted and scanned for a match. All metadata and binary information is ignored.
When selected, PDF files are scanned. All binary and metadata information is included. If you are scanning for text in PDF files, use the Scan PDF Text option. Binary formatting codes and file information may appear within the text, causing text matches to fail.
Rule: Use the Rule settings to configure the content that the DLP rule matches.
Always
Attachment size
Attachment type: Search email messages for file types or file patterns as specified in the selected file filter. This option is available for Email.
Authenticated User
Body
CGI parameters: Search for the specified CGI parameters in any web page with CGI code. This option is available for HTTP.
Cookie
File text
File type: Search for the specified file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. For more information about file filter lists, see File Filter on page 513. This option is available for FTP, HTTP, IM, and NNTP.
Hostname: Search for the specified host name when contacting an HTTP server.
HTTP header
Receiver: Search for the specified string in the message recipient email address. This option is available for Email.
Sender: Search for the specified string in the message sender user ID or email address. This option is available for Email and IM. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders and the senders are determined by finding the IM user IDs in the session.
Server
Subject
Transfer size: Check the total size of the information transfer. In the case of email traffic, for example, the transfer size includes the message header, body, and any encoded attachment.
URL
User group: Search for traffic from any user in the specified user group.
Rule operators:
matches/does not match: This operator specifies whether the FortiGate unit is searching for the presence of the specified string or for its absence. Matches: the rule is triggered if the specified string is found in network traffic. Does not match: the rule is triggered if the specified string is not found in network traffic.
ASCII/UTF-8
Regular Expression/Wildcard
is/is not
==/>=/<=/!=
Rule 2 checks SMTP traffic for the word sale in the message body.
When the sensor is used, either rule can be activated if its configured condition is true. If
only one condition is true, only the corresponding rule is activated. Depending on
the contents of the SMTP traffic, neither, either, or both could be activated.
If you remove these rules from the sensor, add them to a compound rule, and add the
compound rule to the sensor, the conditions in both rules have to be present in network
traffic to activate the compound rule. If only one condition is present, the message passes
without any rule or compound rule being activated.
By combining the individually configurable attributes of multiple rules, compound rules
allow you to specify far more detailed and specific conditions to trigger an action.
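As an added illustration (example code, not FortiGate's implementation) of the implicit OR between rules placed directly in a sensor and the implicit AND inside a compound rule, as described in DLP Rules and in the sale example above, the following Python evaluator also covers the Exempt override and the duplicate-action note from DLP Sensors, using the Social Security number pattern quoted in DLP Rules. The Rule, CompoundRule, Member and evaluate names, the message fields and the sample rules and messages are constructed assumptions.

```python
import re
from dataclasses import dataclass

# The Social Security number pattern quoted above, exactly as this page gives
# it. The first separator is optional and the second is mandatory, so
# '123-45-6789' and '12345-6789' match but '123456789' does not.
SSN_RE = re.compile(r"([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}")


@dataclass(frozen=True)
class Rule:
    """Constructed stand-in for one DLP rule: a pattern checked against one
    field of a message, with the matches / does not match operator."""
    name: str
    field: str              # "sender", "receiver", "subject" or "body"
    pattern: re.Pattern
    matches: bool = True    # False models the 'does not match' operator

    def hit(self, msg: dict) -> bool:
        found = self.pattern.search(msg.get(self.field, "")) is not None
        return found if self.matches else not found


@dataclass(frozen=True)
class CompoundRule:
    """Rules linked with an implicit AND: every member rule must match."""
    name: str
    rules: tuple

    def hit(self, msg: dict) -> bool:
        return all(r.hit(msg) for r in self.rules)


@dataclass(frozen=True)
class Member:
    """A rule or compound rule as it sits in a sensor, with its settings."""
    rule: object              # Rule or CompoundRule
    action: str = "none"      # none, block, exempt, ban, ...
    archive: str = "disable"  # disable, full or summary
    severity: int = 1


def evaluate(members, msg: dict) -> dict:
    """Members of a sensor are linked with an implicit OR, so every member
    whose rule hits is triggered. Exempt overrides every other action (the
    page states this across sensors; here one sensor is evaluated). Actions
    are collected as a set and archiving as one flag, mirroring the note that
    content matched by several rules still gets at most one archive,
    quarantine or ban entry."""
    hits = [m for m in members if m.rule.hit(msg)]
    result = {"matched": [m.rule.name for m in hits],
              "actions": set(), "archive": False, "severity": 0}
    if not hits:
        return result
    if any(m.action == "exempt" for m in hits):
        result["actions"] = {"exempt"}
        return result
    result["actions"] = {m.action for m in hits if m.action != "none"}
    result["archive"] = any(m.archive != "disable" for m in hits)
    result["severity"] = max(m.severity for m in hits)
    return result


# Constructed rules modelled on the ones this page names.
EMAIL_US_SSN = Rule("Email_US_SSN", "body", SSN_RE)
BODY_SALE = Rule("Body_sale", "body", re.compile(r"\bsale\b"))
HR_SENDER = Rule("HR_sender", "sender", re.compile(r"^hr@example\.com$"))
SSN_AND_SALE = CompoundRule("SSN_and_sale", (EMAIL_US_SSN, BODY_SALE))

# A sensor with the rules added directly (OR) ...
SENSOR_OR = (Member(EMAIL_US_SSN, "block", "summary", 5),
             Member(BODY_SALE, "none", "disable", 1),
             Member(HR_SENDER, "exempt"))
# ... and a sensor holding the same two rules inside a compound rule (AND).
SENSOR_AND = (Member(SSN_AND_SALE, "block", "full", 5),)

# Constructed SMTP messages; the SSN is a dummy value.
MSG_SALE = {"sender": "shop@example.net", "body": "Big sale this weekend"}
MSG_BOTH = {"sender": "bob@example.net",
            "body": "Huge sale, applicant SSN 123-45-6789 attached"}
MSG_HR = {"sender": "hr@example.com", "body": "Payroll SSN 123-45-6789"}

if __name__ == "__main__":
    for msg in (MSG_SALE, MSG_BOTH, MSG_HR):
        print(evaluate(SENSOR_OR, msg), evaluate(SENSOR_AND, msg))
```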
Delete
Edit
Create New
Name
Comments
DLP sensors: If the compound rule is used in any sensors, the sensor names are listed here.
Add Rule
Delete Rule
Name
Comments
Protocol
Select the type of content traffic that the DLP compound rule applies
to. The rules that you can add to the compound rule vary depending
on the protocol that you select. You can select the following protocols:
Email, HTTP, FTP, NNTP, and Instant Messaging.
AIM, ICQ, MSN, Yahoo! When you select the Instant Messaging protocol, you can select the
supported IM protocols for which to add rules. Only the rules that
include all of the selected protocols can be added to the compound
rule.
HTTP POST, HTTP GET
When you select the HTTP protocol, you can configure the compound rule to apply to
HTTP POST or HTTP GET sessions, or both. Only the rules that include all of the selected
options can be added to the compound rule.
HTTPS POST, HTTPS GET
When you select the HTTP protocol, if your FortiGate unit supports SSL content scanning
and inspection, you can configure the compound rule to apply to HTTPS POST or HTTPS
GET sessions, or both. Only the rules that include all of the selected options can be added
to the compound rule.
For more information about SSL content scanning and inspection, see
Configuring SSL content scanning and inspection on page 472.
To scan these encrypted traffic types, you must set HTTPS Content
Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol
Recognition section of the protection profile. If URL Filtering is
selected, the DLP sensors will not scan HTTPS content.
When you select the FTP protocol, you can configure the compound
rule to apply to FTP put, or FTP get sessions or both. Only the rules
that include all of the selected options can be added to the compound
rule.
When you select the Email protocol, you can select the supported
email protocols for which to add rules. Only the rules that include all of
the selected protocols can be added to the compound rule.
SMTPS, IMAPS, POP3S
When you select the Email protocol, if your FortiGate unit supports SSL content scanning
and inspection, you can also select the SMTPS, IMAPS and POP3S protocols. Only the
rules that include all of the selected protocols can be added to the compound rule.
For more information about SSL content scanning and inspection, see
Configuring SSL content scanning and inspection on page 472.
Rules
Select the rule to include in the compound rule. Only the rules that
include all of the selected protocols can be added to the compound
rule.
Use the add rule and delete rule icons to add and remove rules from
the compound rule. Select the add rule icon and then select rule from
the list.
Application Control
This section describes how to configure the application control options associated with
firewall protection profiles.
If you enable virtual domains (VDOMs) on the FortiGate unit, the application control
configuration of each VDOM is entirely separate. For example, application black/white lists
created in one VDOM will not be visible in other VDOMs. For details, see Using virtual
domains on page 125.
This section provides an introduction to configuring application control. For more
information see the FortiGate UTM User Guide.
This section describes:
Create New
Name
# of Entries
Profiles
Comment
Delete icon
Edit icon
Name
Comments
Name
Comments
List Type
Select Black List to allow traffic from applications that do not appear on the application
black/white list. The applications specified in the list are handled according to the action
configured in each entry.
Select White List to block traffic from applications that do not appear on the application
black/white list. The applications specified in the list are handled according to the action
configured in each entry.
ID
Category
Application
The FortiGate unit will examine network traffic for the listed
application. If Application is all, every application in the selected
category is included.
Action
If the FortiGate unit detects traffic from the specified application, the
selected action will be taken.
Logging
Delete icon
Edit icon
Insert Application Before icon
Select to create a new application entry above the entry in which you selected the icon.
Move To icon
Figure 363: The application control black/white list entry for FTP
Category
Application
The FortiGate unit will examine network traffic for the listed
application. If Application is all, every application in the selected
category is included.
Action
If the FortiGate unit detects traffic from the specified application, the
selected action will be taken.
Options
Session TTL
The application's session TTL. If this option is not enabled, the TTL defaults to the
setting of the config system session-ttl CLI command.
Enable Logging
When enabled, the FortiGate unit logs the occurrence and the action taken when traffic
from the specified application is detected.
In addition to these options, some IM applications and VoIP protocols have additional
options:
IM options
Block Login
Select to prevent the sending and receiving of files using the selected
IM system.
Block Audio
Inspect Non-standard Port
Select to allow the FortiGate unit to examine non-standard ports for the IM client traffic.
Display content meta-information on the system dashboard
Select to include meta-information detected for the IM system on the FortiGate unit
dashboard.
VoIP options
Limit Call Setup
Enter the maximum number of calls each client can set up per minute.
Limit REGISTER request
Enter the maximum number of invite requests per second allowed for the firewall policy.
Enable Logging of Violations
Other options
Command
Method
Program Number
UUID
Automatic Refresh
Interval
Select the automatic refresh interval for statistics. Set the interval from
none to 30 seconds.
Refresh
Reset Stats
Users
Chat
Messages
File Transfers
Voice Chat
P2P Usage
VoIP Usage
IPSec VPN
This section provides information about Internet Protocol Security (IPSec) VPN
configuration options available through the web-based manager. FortiGate units support
both policy-based (tunnel-mode) and route-based (interface mode) VPNs.
Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN
User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
This section describes:
Auto Key
Manual Key
Concentrator
Monitoring VPNs
3 Create a firewall policy to permit communication between your private network and the
VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-based
VPN, the firewall policy action is ACCEPT. See Configuring firewall policies on page 367.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/ Feedback
For more information about configuring IPSec VPNs, see the FortiGate IPSec VPN User
Guide.
Route-based
You create a policy-based VPN by defining an IPSEC firewall policy between two network
interfaces and associating it with the VPN tunnel (phase 1 or manual key) configuration.
You need only one firewall policy, even if either end of the VPN can initiate a connection.
You create a route-based VPN by enabling IPSec interface mode when you create the
VPN phase 1 or manual key configuration. This creates a virtual IPSec interface that is
bound to the local interface you selected. You then define an ACCEPT firewall policy to
permit traffic to flow between the virtual IPSec interface and another network interface. If
either end of the VPN can initiate the connection, you need two firewall policies, one for
each direction.
Virtual IPSec interface bindings are shown on the network interfaces page. (Go to System
> Network > Interface.) The names of all tunnels bound to physical, aggregate, VLAN,
inter-VDOM link or wireless interfaces are displayed under their associated interface
names in the Name column. For more information, see Configuring interfaces on
page 145. As with other interfaces, you can include a virtual IPSec interface in a zone.
Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a
concentrator function. This is available only for policy-based VPNs, but you can create the
equivalent function for a route-based VPN in any of the following ways:
Define a firewall policy between each pair of IPSec interfaces that you want to
concentrate. This can be time-consuming to maintain if you have many site-to-site
connections, since the number of policies required increases rapidly as the number of
spokes increases.
Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more
than one IPSec interface in the zone.
For more information and an example, see the FortiGate IPSec VPN User Guide.
Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy. You
can configure several routes for the same IP traffic with different route metrics. You can
also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through
VPN tunnels. If the primary VPN connection fails or the priority of a route changes through
dynamic routing, an alternative route will be selected to forward traffic through the
redundant connection.
A simple way to provide failover redundancy is to create a backup IPSec interface. You
can do this in the CLI. For more information, including an example configuration, see the
monitor-phase1 keyword for the vpn ipsec phase1-interface command in the
FortiGate CLI Reference.
Routing
Optionally, through the CLI, you can define a specific default route for a virtual IPSec
interface. For more information, see the default-gw keyword for the
vpn ipsec phase1-interface command in the FortiGate CLI Reference.
Auto Key
You can configure two VPN peers (or a FortiGate dialup server and a VPN client) to
generate unique Internet Key Exchange (IKE) keys automatically during the IPSec
phase 1 and phase 2 exchanges.
When you define phase 2 parameters, you can choose any set of phase 1 parameters to
set up a secure connection for the tunnel and authenticate the remote peer.
Auto Key configuration applies to both tunnel-mode and interface-mode VPNs.
To configure an Auto Key VPN, go to VPN > IPSEC > Auto Key (IKE).
Figure 365: Auto Key list
Delete
Edit
Create Phase 1
Create Phase 2
Phase 1
Phase 2
Interface Binding
The names of the local interfaces to which IPSec tunnels are bound. These
can be physical, aggregate, VLAN, inter-VDOM link or wireless interfaces.
whether the various phase 1 parameters will be exchanged in multiple rounds with
encrypted authentication information (main mode) or in a single message with
authentication information that is not encrypted (Aggressive mode)
whether a special identifier, certificate distinguished name, or group name will be used
to identify the remote VPN peer or client when a connection attempt is made.
To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and
select Create Phase 1. For information about how to choose the correct phase 1 settings
for your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 366: New Phase 1
Name
Remote Gateway
IP Address
Dynamic DNS
If you selected Dynamic DNS, type the domain name of the remote
peer.
Local Interface
Mode
Authentication Method
Pre-shared Key
If you selected Pre-shared Key, type the pre-shared key that the
FortiGate unit will use to authenticate itself to the remote peer or
dialup client during phase 1 negotiations. You must define the same
value at the remote peer or client. The key must contain at least 6
printable characters and should be known only by network
administrators. For optimum protection against currently known
attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.
Certificate Name
Peer Options
Accept the local ID of any remote VPN peer or client. The FortiGate
unit does not check identifiers (local IDs). You can set Mode to
Aggressive or Main.
You can use this option with RSA Signature authentication. But, for
highest security, you should configure a PKI user/group for the peer
and set Peer Options to Accept this peer certificate only.
Accept peer ID in dialup group
Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers
and unique pre-shared keys (or unique pre-shared keys only) through the same VPN
tunnel.
You must create a dialup user group for authentication purposes.
(For more information, see User Group on page 658.) Select the
group from the list next to the Accept peer ID in dialup group option.
For more information about configuring FortiGate dialup clients, see
the FortiGate IPSec VPN User Guide. For more information about
configuring FortiClient dialup clients, see the Authenticating
FortiClient Dialup Clients Technical Note.
You must set Mode to Aggressive when the dialup clients use unique
identifiers and unique pre-shared keys. If the dialup clients use
unique pre-shared keys only, you can set Mode to Main if there is
only one dialup phase 1 configuration for this interface IP address.
Accept this peer certificate only
Advanced
Add
Delete
IKE Version
IPv6 Version
Select if you want to use IPv6 addresses for the remote gateway and
interface IP addresses. This is available only when Enable IPSec
Interface Mode is enabled and IPv6 Support is enabled in the
administrative settings.
Local Gateway IP
P1 Proposal
DH Group
Keylife
Type the time (in seconds) that must pass before the IKE encryption key
expires. When the key expires, a new key is generated without
interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID
If the FortiGate unit will act as a VPN client and you are using peer IDs
for authentication purposes, enter the identifier that the FortiGate unit
will supply to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client and you are using security
certificates for authentication, select the distinguished name (DN) of the
local server certificate that the FortiGate unit will use for authentication
purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel with
other dialup clients (that is, the tunnel will be dedicated to this FortiGate
dialup client), set Mode to Aggressive.
XAuth
Nat-traversal
Select the check box if a NAT device exists between the local FortiGate
unit and the VPN peer or client. The local FortiGate unit and the VPN
peer or client must have the same NAT traversal setting (both selected
or both cleared) to connect reliably.
Keepalive Frequency
Dead Peer Detection
Select this check box to reestablish VPN tunnels on idle connections and clean up dead
IKE peers if required. You can use this option to receive notification whenever a tunnel
goes up or down, or to keep the tunnel connection open when no traffic is being generated
inside the tunnel. (For example, in scenarios where a dialup client or dynamic DNS peer
connects from an IP address that changes periodically, traffic may be suspended while the
IP address changes.)
With Dead Peer Detection selected, you can use the config vpn ipsec phase1
(tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command
to optionally specify a retry count and a retry interval. For more information, see the
FortiGate CLI Reference.
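The strength advice for the Pre-shared Key field above, turned into a generator and a checker as an added Python example (not code from the guide or from FortiOS). The 6-character minimum and the 16-character random alphanumeric recommendation come from the guide; the 80-bit entropy threshold, the character-class entropy estimate and the WEAK_KEYS list are this example's own assumptions:

```python
import math
import secrets
import string

# Lengths from the guide: at least 6 printable characters, and 16 randomly chosen
# alphanumeric characters for protection against currently known attacks.
ALPHANUMERIC = string.ascii_letters + string.digits
MIN_LENGTH = 6
RECOMMENDED_LENGTH = 16
MIN_ENTROPY_BITS = 80.0   # assumed threshold; a 16-char random alphanumeric key is ~95 bits

# Constructed stand-in for a real blocklist of vendor defaults and dictionary words.
WEAK_KEYS = {"fortinet", "fortigate", "password", "secret", "123456", "vpnkey"}


def generate_psk(length=RECOMMENDED_LENGTH, alphabet=ALPHANUMERIC):
    """Draw a pre-shared key from the OS CSPRNG (secrets), never from random.random()."""
    if length < RECOMMENDED_LENGTH:
        raise ValueError(f"refusing to generate a key shorter than {RECOMMENDED_LENGTH}")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(key):
    """Optimistic entropy estimate: each character is assumed drawn uniformly from the
    union of the character classes that actually appear in the key."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    space = sum(len(cls) for cls in classes if any(ch in cls for ch in key))
    return len(key) * math.log2(space) if space else 0.0


def check_psk(key):
    """Return (accepted, reasons). Accepted only if the key meets the guide's minimum and
    its 16-character recommendation, and is neither a known weak value nor low-entropy."""
    reasons = []
    if len(key) < MIN_LENGTH or not all(ch.isprintable() and not ch.isspace() for ch in key):
        reasons.append(f"needs at least {MIN_LENGTH} printable, non-space characters")
    if len(key) < RECOMMENDED_LENGTH:
        reasons.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")
    if key.lower() in WEAK_KEYS:
        reasons.append("known default or dictionary value")
    bits = entropy_bits(key)
    if bits < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy {bits:.0f} bits is below {MIN_ENTROPY_BITS:.0f}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("abc12", "fortinet", "Tr0ub4dor&3", generate_psk()):
        accepted, reasons = check_psk(candidate)
        print(f"{candidate!r}: {'OK' if accepted else 'REJECT: ' + '; '.join(reasons)}")
```

Generate keys with generate_psk() rather than by hand, and prefer Main mode where both peers allow it: in Aggressive mode the authentication data travels unencrypted, so anyone who captures the exchange can test guessed keys offline, and only the key's entropy limits them.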
Name
Phase 1
Select the phase 1 tunnel configuration. For more information, see Creating a
new phase 1 configuration on page 606. The phase 1 configuration describes
how remote VPN peers or clients will be authenticated on this tunnel, and how the
connection to the remote peer or client will be secured.
Advanced
Add
Delete
P2 Proposal
Encryption
Authentication
Enable replay detection
Enable perfect forward secrecy (PFS)
DH Group
Select one Diffie-Hellman group (1, 2, 5 or 14). This must match the DH
Group that the remote peer or dialup client uses.
Keylife
Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select Both, the key expires when either the time has
passed or the number of KB have been processed. The range is from 120 to
172 800 seconds, or from 5120 to 2 147 483 648 KB.
Autokey Keep Alive
Select the check box if you want the tunnel to remain active when no data is being
processed.
DHCP-IPSec
Note: You can configure settings so that VPN users can browse the Internet through the
FortiGate unit. For more information, see Internet browsing configuration on page 616.
Quick Mode
Selector
Source port
Type the port number that the local VPN peer uses to
transport traffic related to the specified service (protocol
number). The range is from 0 to 65535. To specify all ports,
type 0.
Destination
address
Destination port
Type the port number that the remote VPN peer uses to
transport traffic related to the specified service (protocol
number). The range is from 0 to 65535. To specify all ports,
type 0.
Protocol
Manual Key
If required, you can manually define cryptographic keys for establishing an IPSec VPN
tunnel. You would define manual keys in situations where:
You require prior knowledge of the encryption or authentication key (that is, one of the
VPN peers requires a specific IPSec encryption or authentication key).
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define
manual keys by going to VPN > IPSEC > Manual Key instead.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in
keeping keys confidential and in propagating changed keys to remote VPN peers securely.
For general information about how to configure an IPSec VPN, see the FortiGate IPSec
VPN User Guide.
Figure 370: Manual Key list
Delete
Edit
Create New
Create a new manual key configuration. See Creating a new manual key
configuration on page 614.
Tunnel Name
Remote Gateway
Encryption Algorithm
Authentication
Algorithm
To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and
select Create New.
Figure 371: New Manual Key
Name
Type a name for the VPN tunnel. The maximum name length is 15 characters
for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI
Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the
SA that handles outbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Remote SPI value in
the manual key configuration at the remote peer.
Remote SPI
Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the
SA that handles inbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Local SPI value in
the manual key configuration at the remote peer.
Remote Gateway
Type the IP address of the public interface to the remote peer. The address
identifies the recipient of ESP datagrams.
Local Interface
This option is available in NAT/Route mode only. Select the name of the
interface to which the IPSec tunnel will be bound. The FortiGate unit obtains
the IP address of the interface from the network interface settings. For more
information, see Configuring interfaces on page 145.
Encryption
Algorithm
Encryption Key
Authentication
Algorithm
Enable IPSec Interface Mode
Create a virtual interface for the local end of the VPN tunnel. Select this check box to
create a route-based VPN, clear it to create a policy-based VPN. This is available only in
NAT/Route mode.
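Because manual keys are mirrored by hand at both peers, here is an added Python check (not part of the guide or of FortiOS) that validates the SPI range and name limits stated above and then compares both ends of one tunnel. The per-algorithm key sizes in KEY_HEX_DIGITS and the two endpoint configurations (RFC 5737 documentation addresses) are this example's assumptions, since the page leaves the algorithm list blank:

```python
import re

SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
NAME_LIMIT = {"interface": 15, "policy": 35}       # name limits stated in the guide
_SPI = re.compile(r"[0-9a-f]{1,8}")

# Assumed key sizes in hex digits per algorithm (the guide's algorithm list is blank).
KEY_HEX_DIGITS = {
    "des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64,
    "md5": 32, "sha1": 40,
}


def parse_spi(text):
    """Validate an SPI as the guide states it: 1-8 hex digits (0-9, a-f), 0x100 to 0xffffffff."""
    if not _SPI.fullmatch(text):
        raise ValueError(f"SPI {text!r}: expected 1-8 hex digits (0-9, a-f)")
    value = int(text, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {text!r}: outside {SPI_MIN:#x}-{SPI_MAX:#x}")
    return value


def validate_endpoint(cfg):
    """Check one end's manual-key entry by itself; returns (local_spi, remote_spi) as ints."""
    mode = "interface" if cfg["interface_mode"] else "policy"
    if len(cfg["name"]) > NAME_LIMIT[mode]:
        raise ValueError(f"{cfg['name']!r}: longer than {NAME_LIMIT[mode]} characters ({mode} mode)")
    for alg_field, key_field in (("encryption_algorithm", "encryption_key"),
                                 ("authentication_algorithm", "authentication_key")):
        want = KEY_HEX_DIGITS[cfg[alg_field]]
        if not re.fullmatch(r"[0-9a-f]{%d}" % want, cfg[key_field]):
            raise ValueError(f"{cfg['name']}: {key_field} must be {want} hex digits for {cfg[alg_field]}")
    return parse_spi(cfg["local_spi"]), parse_spi(cfg["remote_spi"])


def check_pair(a, b):
    """Compare both ends of one manual-key tunnel; returns mismatches (empty list = consistent).
    Each end's Local SPI must equal the other end's Remote SPI, and keys/algorithms must match."""
    a_out, a_in = validate_endpoint(a)
    b_out, b_in = validate_endpoint(b)
    problems = []
    if a_out != b_in:
        problems.append(f"{a['name']} local SPI {a_out:#x} != {b['name']} remote SPI {b_in:#x}")
    if a_in != b_out:
        problems.append(f"{a['name']} remote SPI {a_in:#x} != {b['name']} local SPI {b_out:#x}")
    for field in ("encryption_algorithm", "encryption_key",
                  "authentication_algorithm", "authentication_key"):
        if a[field] != b[field]:
            problems.append(f"{field} differs between {a['name']} and {b['name']}")
    return problems


# Constructed example pair; the remote_gateway of each end is the other end's public address.
HQ = {
    "name": "hq-to-branch", "interface_mode": True,
    "local_spi": "1a2b", "remote_spi": "3c4d",
    "remote_gateway": "203.0.113.2",
    "encryption_algorithm": "aes128", "encryption_key": "00112233445566778899aabbccddeeff",
    "authentication_algorithm": "sha1",
    "authentication_key": "0123456789abcdef0123456789abcdef01234567",
}
BRANCH = dict(HQ, name="branch-to-hq", local_spi="3c4d", remote_spi="1a2b",
              remote_gateway="203.0.113.1")


if __name__ == "__main__":
    print("consistent pair:", check_pair(HQ, BRANCH))
    print("typo in branch remote SPI:", check_pair(HQ, dict(BRANCH, remote_spi="1a2c")))
    try:
        parse_spi("ff")
    except ValueError as err:
        print("rejected:", err)
```

Run check_pair() against both peers' entries before bringing the tunnel up; a mismatched SPI or key produces silently dropped ESP traffic rather than a negotiation error, because manual-key tunnels never negotiate.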
Source Address
Select All.
Destination Interface/Zone
Destination Address
Action
Select IPSEC.
VPN Tunnel
Inbound NAT
Source Interface/Zone
Source Address
Select All.
Destination Interface/Zone
Destination Address
Select All.
Action
Select ACCEPT.
NAT
Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote
peers radiate from a single, central FortiGate unit. Site-to-site connections between the
remote peers do not exist; however, you can establish VPN tunnels between any two of
the remote peers through the FortiGate unit hub.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect
to the hub are known as spokes. The hub functions as a concentrator on the network,
managing all VPN connections between the spokes. VPN traffic passes from one tunnel to
the other through the hub.
You define a concentrator to include spokes in the hub-and-spoke configuration.
To define a concentrator, go to VPN > IPSEC > Concentrator. For detailed information and
step-by-step procedures about how to set up a hub-and-spoke configuration, see the
FortiGate IPSec VPN User Guide.
Figure 372: Concentrator list
Delete
Edit
Create New
Right Arrow
Left Arrow
Concentrator Name
Available Tunnels
A list of defined IPSec VPN tunnels. Select a tunnel from the list and then
select the right arrow. Repeat these steps until all of the tunnels associated
with the spokes are included in the concentrator.
Members
Monitoring VPNs
You can use the IPSec monitor to view activity on IPSec VPN tunnels and start or stop
those tunnels. The display provides a list of addresses, proxy IDs, and timeout information
for all active tunnels, including tunnel mode and route-based (interface mode) tunnels.
You can use filters to control the information displayed in the list. For more information,
see Adding filters to web-based manager lists on page 57.
To view active tunnels, go to VPN > IPSec > Monitor.
Figure 374: IPSec Monitor list
Current Page
Type
Select the types of VPN to display: All, Dialup, or Static IP or Dynamic DNS.
Column
Settings
Customize the table view. You can select the columns to hide or display and
specify the column displaying order in the table. For more information, see Using
column settings to control the columns displayed on page 61 and Web-based
manager icons on page 63.
Clear All Filters Select to clear any column display filters you might have applied.
Current Page
The current page number of list items that are displayed. Select the left and right
arrows to display the first, previous, next or last page of monitored VPNs.
Filter icons
Edit the column filters to filter or sort the IPSec monitor list according to the
criteria you specify. For more information, see Adding filters to web-based
manager lists on page 57.
Name
Remote
Gateway
The public IP address of the remote host device, or if a NAT device exists in front
of the remote host, the public IP address of the NAT device.
Remote Port
The UDP port of the remote host device, or if a NAT device exists in front of the
remote host, the UDP port of the NAT device. Zero (0) indicates that any port can
be used.
Proxy ID Source
The IP addresses of the hosts, servers, or private networks behind the FortiGate unit. The
page may display a network range if the source address in the firewall encryption policy
was expressed as a range of IP addresses.
Proxy ID Destination
Tunnel up or tunnel down icon
A green arrow means the tunnel is currently processing traffic. Select to bring
down the tunnel.
A red arrow means the tunnel is not processing traffic. Select to bring up the
tunnel.
For Dialup VPNs, the list provides status information about the VPN tunnels established
by dialup clients, including their IP addresses. The number of tunnels shown in the list can
change as dialup clients connect and disconnect.
For Static IP or dynamic DNS VPNs, the list provides status and IP addressing information
about VPN tunnels, active or not, to remote peers that have static IP addresses or domain
names. You can also start and stop individual tunnels from the list.
PPTP VPN
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or
Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been
configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit
to forward PPTP packets to a PPTP server on the network behind the FortiGate unit.
PPTP VPN is available only in NAT/Route mode. The current maximum number of PPTP
sessions is 254. If you enable virtual domains (VDOMs) on the FortiGate unit, you need to
configure VPN PPTP separately for each virtual domain. For more information, see Using
virtual domains on page 125.
When you intend to use the FortiGate unit as a PPTP gateway, you can select a PPTP
client IP from a local address range or use the server defined in the PPTP user group. You
select which method to use for IP address retrieval and, in the case of the user group
server, provide the IP address and the user group.
This section explains how to specify a range of IP addresses for PPTP clients or configure
the PPTP client-side IP address to be used in the tunnel setup. For information about how
to perform other related PPTP VPN setup tasks, see the FortiGate PPTP VPN User
Guide.
Note: The PPTP feature is disabled by default in the FortiGate web-based manager. You
configure PPTP by creating a customized FortiGate screen.
For information about creating customized screens in the FortiGate web-based manager,
see Customizable web-based manager on page 268.
PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address
range is the range of addresses reserved for remote PPTP clients. When the remote
PPTP client establishes a connection, the FortiGate unit assigns an IP address from the
reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP
address from the PPTP user group. If you use the PPTP user group, you must also define
the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-based
manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its
source address for the duration of the connection.
To enable PPTP and specify the PPTP address range, or to specify the IP address for the
peer's remote IP on the PPTP client side, go to the customized screen in the web-based
manager, select the required options, and then select Apply.
Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet,
e.g. 192.168.1.1 - 192.168.1.254.
Figure 376: Edit PPTP range options, showing both Range and User Group
Enable PPTP
Enable PPTP. You must add a user group before you can select the
option. See User Group on page 658.
IP Mode
Range
User Group
Starting IP
Ending IP
Local IP
Type the IP address to be used for the peer's remote IP on the PPTP client side.
User Group
Disable PPTP
Syntax
config vpn pptp
set eip <address_ipv4>
set ip-mode {range | usrgrp}
set local-ip <address_localip>
set sip <address_ipv4>
set status {disable | enable}
set usrgrp <group_name>
end
Variables
eip <address_ipv4>
Ending IP address of the PPTP address range (Range mode). Default: 0.0.0.0
ip-mode {range | usrgrp}
Whether client addresses come from the local address range (range) or from the server
defined in the PPTP user group (usrgrp).
local-ip <address_localip>
IP address of the FortiGate end of the tunnel; required when ip-mode is usrgrp.
Default: 0.0.0.0
sip <address_ipv4>
Starting IP address of the PPTP address range (Range mode). Default: 0.0.0.0
status {disable | enable}
Enable or disable PPTP. Default: disable
usrgrp <group_name>
The PPTP user group used when ip-mode is usrgrp.
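An added Python helper (not part of the guide or of FortiOS) that applies the constraints stated in this section (start and end in the same 24-bit subnet, at most 254 sessions, Local IP required with a user group) and renders the config vpn pptp block in the syntax above. The address range and the group name are constructed for the demonstration:

```python
import ipaddress

MAX_SESSIONS = 254   # the guide's current maximum number of PPTP sessions


def validate_range(start, end):
    """Check a PPTP address range as the guide describes it: IPv4, start <= end,
    both addresses in the same 24-bit subnet, and no more addresses than sessions."""
    sip, eip = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if sip > eip:
        raise ValueError(f"starting IP {sip} is after ending IP {eip}")
    subnet = ipaddress.ip_network(f"{sip}/24", strict=False)
    if eip not in subnet:
        raise ValueError(f"{sip} and {eip} are not in the same 24-bit subnet")
    count = int(eip) - int(sip) + 1
    if count > MAX_SESSIONS:
        raise ValueError(f"{count} addresses exceed the {MAX_SESSIONS}-session limit")
    return sip, eip, count


def render_pptp_config(start=None, end=None, usrgrp=None, local_ip=None, enable=True):
    """Emit a config vpn pptp block. Range mode uses sip/eip; user-group mode needs the
    group and the FortiGate end of the tunnel (local-ip), as the guide requires."""
    lines = ["config vpn pptp"]
    if usrgrp is not None:
        if local_ip is None:
            raise ValueError("user-group mode requires local-ip for the FortiGate end")
        ipaddress.IPv4Address(local_ip)          # reject non-IPv4 values early
        lines += ["set ip-mode usrgrp", f"set usrgrp {usrgrp}", f"set local-ip {local_ip}"]
    else:
        sip, eip, _ = validate_range(start, end)
        lines += ["set ip-mode range", f"set sip {sip}", f"set eip {eip}"]
    lines += [f"set status {'enable' if enable else 'disable'}", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values: the guide's own example range and a hypothetical group name.
    print(render_pptp_config("192.168.1.1", "192.168.1.254"))
    print(render_pptp_config(usrgrp="pptp_users", local_ip="192.168.1.1"))
    try:
        validate_range("192.168.1.1", "192.168.2.254")
    except ValueError as err:
        print("rejected:", err)
```

The range check rejects the two mistakes that otherwise only show up as clients failing to connect: a range that crosses a 24-bit boundary and a range wider than the session limit.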
SSL VPN
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be
used with a standard Web browser. SSL VPN does not require the installation of
specialized client software on end users' computers, and is ideal for applications including
web-based email, business and government directories, file sharing, remote backup,
remote system management, and consumer-level electronic commerce.
The two modes of SSL VPN operation (supported in NAT/Route mode only) are:
web-only mode, for thin remote clients equipped with a web-browser only.
tunnel mode, for remote computers that run a variety of client and server applications.
When the FortiGate unit provides services in web-only mode, a secure connection
between the remote client and the FortiGate unit is established through the SSL VPN
security in the FortiGate unit and the SSL security in the web browser. After the
connection has been established, the FortiGate unit provides access to selected services
and network resources through a web portal. The FortiGate SSL VPN web portal has a
widget-based layout with customizable themes. Each widget is displayed in a 1- or 2-column
format with the ability to modify settings, minimize the widget window, or perform other
functions depending on the type of content within the widget.
When users have complete administrative rights over their computers and use a variety of
applications, tunnel mode allows remote clients to access the local internal network as if
they were connected to the network directly.
This section provides information about the features of SSL VPN available for
configuration in the web-based manager. Only FortiGate units that run in NAT/Route mode
support the SSL VPN feature.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN SSL is configured
separately for each virtual domain. For details, see Using virtual domains on page 125.
Note: For detailed instructions about how to configure web-only mode or tunnel-mode
operation, see the FortiGate SSL VPN User Guide.
ssl.root
The FortiGate unit has a virtual SSL VPN interface called ssl.<vdomname>. The root
VDOM's interface, called ssl.root, appears in the firewall policy interface lists and static
route interface lists. You can use the ssl.root interface to allow access to additional
networks and facilitate a connected user's ability to browse the Internet through the
FortiGate unit.
SSL VPN tunnel-mode access requires the following firewall policies:
External > Internal, with the action set to SSL, with an SSL user group
Access also requires a new static route: Destination network - <ssl tunnel mode assigned
range> interface ssl.root.
If you are configuring Internet access through an SSL VPN tunnel, you must add the
following configuration: ssl.root > External, with the action set to Accept, NAT enabled.
To enable SSL VPN connections and configure SSL VPN settings, go to VPN > SSL >
Config and select Enable SSL-VPN. When you have completed configuring the settings,
select Apply.
Figure 377: SSL-VPN Settings
IP Pools
Server Certificate
Require Client Certificate
If you want to enable the use of group certificates for authenticating remote clients, select
the check box. Afterward, when the remote client initiates a connection, the FortiGate unit
prompts the client for its client-side certificate as part of the authentication process.
Encryption Key Algorithm
Select the algorithm for creating a secure SSL connection between the remote client web
browser and the FortiGate unit.
Default - RC4(128 bits) and higher
If the web browser on the remote client can match a cipher suite greater than or equal to
128 bits, select this option.
High - AES(128/256 bits) and 3DES
If the web browser on the remote client can match a high level of SSL encryption, select
this option to enable cipher suites that use more than 128 bits to encrypt data.
If you are not sure which level of SSL encryption the remote client web browser supports,
select this option to enable a cipher suite greater than or equal to 64 bits.
Idle Timeout
Type the period of time (in seconds) to control how long the connection
can remain idle before the system forces the user to log in again. The
range is from 10 to 28800 seconds. You can also set the value to 0 to
have no idle connection timeout. This setting applies to the SSL VPN
session. The interface does not time out when web application sessions
or tunnels are up.
WINS Server #1
WINS Server #2
Apply
To use a default SSL VPN web portal configuration, select the Edit icon next to the web
portal in the Portal list. The SSL VPN web portal that you select will open.
Figure 378: Default web portals
Edit button
OK/Cancel
General tab
Name
Applications
Portal Message
Enter the caption that appears at the top of the web portal home page.
Theme
Select the color scheme for the web portal home page from the list.
Page Layout
Select the one or two page column format for the web portal home
page.
Allow network share access
Enable to allow the user to copy files between the virtual desktop and network drives.
Allow printing
Quit the virtual desktop and logout session when browser is closed
By default, the virtual desktop remains in effect even if the user closes the browser. Enable
to automatically close the virtual desktop and log out if the user closes the browser.
Application Control List
6 Select OK.
7 Select Apply.
Enable to clear client cache when the SSL VPN session ends.
Host Check
AV
AV-FW
Check for both antivirus and firewall software recognized by the Windows
Security Center.
Custom
FW
None
Interval
Select how often to recheck the host. Range is every 120 seconds to 259 200
seconds. Enter 0 to not recheck the host during the session.
Policy
The list of acceptable security applications for clients. These application names
are from the Host Check list. This field is available if Host Check is Custom.
Select Edit to choose the host check applications to use. Use the arrow buttons
to move applications between the Available and Selected lists. Clients will be
checked for the applications in the Selected list. Select OK.
5 Select OK.
OK
Select to save the configuration. If you select OK, you exit out of the
SSL VPN web portal configuration window.
Cancel
Apply
Settings
Select to edit the General or Advanced settings for the SSL VPN web
portal. See SSL VPN web portal on page 627.
Help
Indicates the location of the SSL VPN web portal online help icon. You
cannot change or move this icon. Active when SSL VPN web portal is
activated by user.
Log out
Indicates the location of the SSL VPN web portal log out icon. You
cannot change or move this icon. Active when SSL VPN web portal is
activated by user.
Session Information
Displays the login name of the user, the amount of time the user has
been logged in, and the inbound and outbound traffic of HTTP and
HTTPS.
Bookmarks
SSL VPN
Connection Tool
Tunnel Mode
Edit
Remove widget
Select to close the widget and remove it from the web portal home
page.
OK
Cancel
Name
Bookmarks widget
Bookmarks are used as links to specific resources on the network. When a bookmark is
selected from a bookmark list, a pop-up window appears with the requested web page.
Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and
Samba replace the bookmarks page with an HTML file-browser.
A web bookmark can include login credentials to automatically log the SSL VPN user into
the web site. This means that once the user logs into the SSL VPN, he or she does not
have to enter any more credentials to visit preconfigured web sites. When the
administrator configures bookmarks, the web site credentials must be the same as the
user's SSL VPN credentials. Users configuring their own bookmarks can specify
alternative credentials for the web site.
To configure the Bookmarks widget
1 Open the web portal.
2 If the Bookmarks widget is missing, add it by selecting Bookmarks from the Add Widget
list in the top right corner of the web portal window.
3 Select the Edit icon in the Bookmarks widget title bar.
4 Optionally, you can change the Name of the Bookmarks widget.
5 Select the Applications check boxes for the types of bookmarks that you want to
support.
6 Select OK.
To add or edit bookmarks
1 Open the web portal.
2 In the Bookmarks widget, do one of the following:
To add a bookmark, select Add.
To edit an existing bookmark, select the Edit button and then select the bookmark.
3 Enter or edit the following information:
Name
Type
Select the type of application to which the bookmark links. For example, select
HTTP/HTTPS for a web site.
Only the application types that you configured for this widget are in the list. You
can select Edit in the widget title bar to enable additional application types. See
To configure the Bookmarks widget.
Location
Description
SSO
Field Name
Enter a required login page field name, User Name for example.
Value
Add
Enter another Field Name / Value pair, for the password, for example.
A new set of Field Name / Value fields is added. Fill them in.
4 Select OK.
5 If there is a Done button, you can select another bookmark to edit or select Done to
leave the edit mode.
6 Select Apply at the top of the web portal page to save the changes that you made.
Figure 383: Using the Bookmarks widget to add a bookmark
To delete bookmarks
1 Open the web portal.
2 In the Bookmarks widget, select the Edit button.
3 Select the X to the right of the bookmark that you want to delete.
4 Select Done.
3 In the Connection Tool widget select the Edit icon in the widget title bar.
4 Enter the following information:
Name
Applications
Select the types of server applications or network services that will be available
to users through the Connection Tool widget.
Type
Select the server/application that the FortiGate unit will use to establish a
connection.
5 Select OK.
To use the Connection Tool widget
1 Open the web portal.
2 In the Connection Tool widget, from the Type list select the type network service you
want to use.
The available types of network service depend on the widget configuration. See To
configure the Connection Tool widget.
3 In the Host field, enter the URL, host name, or IP address as appropriate.
4 Select Go.
Name
Enter a name for the Tunnel Mode widget. The default is Tunnel Mode.
IP Mode
Range
User Group
IP Pools
Select Edit to select the range or subnet firewall addresses that represent IP address ranges reserved for tunnel-mode SSL VPN clients. If the appropriate addresses do not exist, go to Firewall > Address to create them. You cannot add the all firewall address or a FQDN firewall address. You also cannot add an address group that includes the all firewall address or a FQDN address.
Split tunneling
The remaining items in the widget are available to the user during an SSL VPN session.
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/ Feedback
Bytes sent:
Bytes received:
The number of bytes of data received by the client from the FortiGate unit since the tunnel was established.
<status information>
Connect
Initiate a session and establish an SSL VPN tunnel with the FortiGate unit.
Disconnect
End the session and close the tunnel to the FortiGate unit.
Refresh now
Name
Action
The action configured for each virtual desktop application control list:
Block the applications on this list and allow all others
or Allow the applications on this list and block all others.
Edit icon
Delete icon
Clone icon
Make a copy of an application control list. Make a copy and then modify it to
create a new application control list.
Add button
Name
Enter the name of the application to be added to the application control list. This can be any name and does not have to match the official name of the application.
MD5 Signatures
Enter one or more known MD5 signatures for the application executable file. You can use a third-party utility to calculate MD5 signatures or hashes for any file. You can enter multiple signatures to match multiple versions of the application.
Name
The name of the applications added to the host check list. The name does not
need to match the actual application name.
Type
The type of host check application. Can be AV for antivirus or FW for firewall.
Version
Edit icon
Delete icon
GUID
Enter the globally unique identifier (GUID) for the host check application. The GUID is usually in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each x is a hexadecimal digit. Windows uses GUIDs to identify applications in the Windows Registry.
Add button
If you do not know the GUID, add alternative checks for the application. The host check software is considered found only if all checks succeed.
Action
Select one of
Require
If the item is found, the client meets the check item condition.
Deny
If the item is found, the client is considered to not meet the check item condition. Use this option if it is necessary to prevent use of a particular security product.
MD5 Signatures
If Type is File or Process, enter one or more known MD5 signatures for the application executable file. You can use a third-party utility to calculate MD5 signatures or hashes for any file. You can enter multiple signatures to match multiple versions of the application.
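As an added example (not Fortinet code), the following Python evaluates a Custom host check policy the way the descriptions above define it, and covers the MD5 signature matching described for both the application control list and the host check entries: each check item is Require or Deny, an application counts as found only if all of its checks succeed, and File or Process items match on any one of several listed MD5 signatures. The GUID, paths, executable contents and the rule that at least one selected application must be found are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class CheckItem:
    kind: str                           # "GUID", "File" or "Process"
    action: str                         # "Require" or "Deny"
    guid: str = ""                      # used when kind == "GUID"
    name: str = ""                      # file path or process name otherwise
    md5_signatures: List[str] = field(default_factory=list)

@dataclass
class HostCheckApp:
    name: str                           # free-form; need not match the vendor's name
    app_type: str                       # "AV" or "FW"
    checks: List[CheckItem]

@dataclass
class ClientInventory:
    """What the host check client reports back (constructed for this example)."""
    guids: Set[str]                     # GUIDs found in the Windows Registry
    files: Dict[str, bytes]             # path -> file contents
    processes: Dict[str, bytes]         # process name -> image contents

def md5_hex(data: bytes) -> str:
    """The MD5 hex digest a third-party utility would print for the file."""
    return hashlib.md5(data).hexdigest()

def item_present(item: CheckItem, inv: ClientInventory) -> bool:
    """Is the check item's artifact found on the client?"""
    if item.kind == "GUID":
        return item.guid.lower() in {g.lower() for g in inv.guids}
    table = inv.files if item.kind == "File" else inv.processes
    data = table.get(item.name)
    if data is None:
        return False
    # Any one listed signature matches; several signatures cover several versions.
    return md5_hex(data) in {s.lower() for s in item.md5_signatures}

def item_succeeds(item: CheckItem, inv: ClientInventory) -> bool:
    """Require succeeds when the item is found; Deny succeeds when it is not."""
    present = item_present(item, inv)
    return present if item.action == "Require" else not present

def app_found(app: HostCheckApp, inv: ClientInventory) -> bool:
    """The software is considered found only if all of its checks succeed."""
    return all(item_succeeds(c, inv) for c in app.checks)

def evaluate_policy(selected: List[HostCheckApp], inv: ClientInventory) -> Dict[str, bool]:
    """Per-application result for the applications in the Selected list."""
    return {app.name: app_found(app, inv) for app in selected}

def client_passes(selected: List[HostCheckApp], inv: ClientInventory) -> bool:
    """Assumed combination rule (the guide does not state one): the client passes
    when at least one application from the Selected list is found."""
    return any(evaluate_policy(selected, inv).values())

# Constructed sample data: made-up GUID, paths and executable contents.
GOOD_AV_EXE = b"constructed antivirus build 1"
GOOD_FW_EXE = b"constructed firewall build 7"
BANNED_EXE = b"constructed product the policy denies"

APPROVED_AV = HostCheckApp("Approved AV", "AV", [
    CheckItem("GUID", "Require", guid="11111111-2222-3333-4444-555555555555"),
    CheckItem("File", "Require", name=r"C:\av\scan.exe",
              md5_signatures=[md5_hex(GOOD_AV_EXE)]),
])
APPROVED_FW = HostCheckApp("Approved FW", "FW", [
    CheckItem("Process", "Require", name="fw.exe",
              md5_signatures=[md5_hex(GOOD_FW_EXE)]),
    # Deny item: this product must NOT be running for the application to count.
    CheckItem("Process", "Deny", name="banned.exe",
              md5_signatures=[md5_hex(BANNED_EXE)]),
])
SELECTED = [APPROVED_AV, APPROVED_FW]

def compliant_client() -> ClientInventory:
    return ClientInventory(
        guids={"11111111-2222-3333-4444-555555555555"},
        files={r"C:\av\scan.exe": GOOD_AV_EXE},
        processes={"fw.exe": GOOD_FW_EXE})

def noncompliant_client() -> ClientInventory:
    """Right GUID, but an unrecognised AV binary and the denied product running."""
    return ClientInventory(
        guids={"11111111-2222-3333-4444-555555555555"},
        files={r"C:\av\scan.exe": b"unrecognised build"},
        processes={"fw.exe": GOOD_FW_EXE, "banned.exe": BANNED_EXE})

if __name__ == "__main__":
    print(evaluate_policy(SELECTED, compliant_client()))      # both True
    print(evaluate_policy(SELECTED, noncompliant_client()))   # both False
```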
No.
User
Source IP
Begin Time
Description
Action
User
This section explains how to set up user accounts, user groups, and external
authentication servers. You can use these components of user authentication to control
access to network resources.
If you enable virtual domains (VDOMs) on the FortiGate unit, user authentication is
configured separately for each virtual domain. For details, see Using virtual domains on
page 125.
This section describes:
Remote
RADIUS
LDAP
TACACS+
PKI
Directory Service
User Group
Options
Monitor
Configure local user accounts. For each user, you can choose whether the password is verified by the FortiGate unit, by a RADIUS server, by an LDAP server, or by a TACACS+ server. For more information, see Local user accounts on page 644.
Configure IM user profiles. For IM users, you can configure user lists that either allow or block use of network resources. For more information, see IM user monitor list on page 669.
Configure your FortiGate unit to authenticate users by using your RADIUS, LDAP, or TACACS+ servers. For more information, see RADIUS on page 647, LDAP on page 649, and TACACS+ on page 652.
Configure access to the FortiGate unit if you use a Directory Service server for authentication. For more information, see Configuring a Directory Service server on page 655.
Configure certificate-based authentication for administrative access (HTTPS web-based manager), IPSec, SSL-VPN, and web-based firewall authentication. For more information, see PKI on page 656.
You can configure your FortiGate unit to authenticate system administrators with your
FortiGate unit, using RADIUS, LDAP and TACACS+ servers and with certificate-based
authentication using PKI. For more information, see System Admin on page 241. You
can change the authentication timeout value or select the protocol supported for Firewall
authentication. For more information, see Options on page 667. You can view lists of
currently authenticated users, authenticated IM users, and banned users. For more
information, see Monitor on page 668.
For each network resource that requires authentication, you specify which user groups are
permitted access to the network. There are three types of user groups: Firewall, Directory
Service, and SSL VPN. For more information, see Firewall user groups on page 659,
Directory Service user groups on page 660, and SSL VPN user groups on page 660.
User Name
Type
The authentication type to use for this user. The authentication types are Local
(user and password stored on FortiGate unit), LDAP, RADIUS, and TACACS+
(user and password matches a user account stored on the authentication
server).
Delete icon
Edit icon
Note: Deleting the user name deletes the authentication configured for the user.
To add a Local user, go to User > Local, select Create New, and enter or select the
following:
Figure 390: Local user
User Name
Disable
Password
Select to authenticate this user using a password stored on the FortiGate unit
and then enter the password. The password should be at least six characters.
LDAP
RADIUS
TACACS+
Protocol
Filter the list by selecting a protocol: AIM, ICQ, MSN, Yahoo, or All.
Policy
Protocol
Username
The name selected by the user when registering with an IM protocol. The
same user name can be used for multiple IM protocols. Each user
name/protocol pair appears separately in the list.
Policy
The policy applied to the user when attempting to use the protocol: Block
or Deny.
Edit icon
Delete icon
To add an IM user, go to User > Local > IM, select Create New, and enter or select the
following:
Figure 392: Edit User dialog
Protocol
Select a protocol from the dropdown list: AIM, ICQ, MSN, or Yahoo!.
Username
Policy
The IM user monitor list displays information about instant messaging users who are
currently connected. For more information, see IM user monitor list on page 669.
If you want to block a protocol that is older than the ones listed above, use the CLI
command:
config imp2p old-version
For more information, see the FortiGate CLI Reference.
Remote
Remote authentication is generally used to ensure that employees working offsite can
remotely access their corporate network with appropriate security measures in place. In
general terms, authentication is the process of attempting to verify the (digital) identity of
the sender of a communication such as a login request. The sender may be someone
using a computer, the computer itself, or a computer program. Since a computer system
should be used only by those who are authorized to do so, there must be a measure in
place to detect and exclude any unauthorized access.
On a FortiGate unit, you can control access to network resources by defining lists of
authorized users, called user groups. To use a particular resource, such as a network or
VPN tunnel, the user must:
correctly enter a user name and password to prove his or her identity, if asked to do so.
RADIUS
Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication function of
the RADIUS server. To use the RADIUS server for authentication, you must configure the
server before you configure the FortiGate users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a
RADIUS server, the FortiGate unit sends the user's credentials to the RADIUS server for
authentication. If the RADIUS server can authenticate the user, the user is successfully
authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user,
the FortiGate unit refuses the connection. You can override the default authentication
scheme by selecting a specific authentication protocol or changing the default port for
RADIUS traffic.
Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645,
use the CLI to change the default RADIUS port. For more information, see the config
system global command in the FortiGate CLI Reference.
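As an added illustration (not Fortinet code) of what actually travels to the RADIUS server and what the shared secret protects, this Python builds a PAP Access-Request as RFC 2865 specifies it: the User-Password attribute is the password XORed with MD5 of the secret and the Request Authenticator, chained per 16-byte block, so the password is recoverable only with the secret. The secret, user name, password and NAS address are constructed values.

```python
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1          # RADIUS packet code
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
RADIUS_PORT = 1812          # default in the guide; 1645 is the legacy alternative

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block            # chaining: the next mask depends on this ciphertext
    return bytes(out)

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The inverse transform, as the RADIUS server performs it."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def _attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         identifier: int, authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)   # must be fresh per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD,
                     hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs

def demo() -> bytes:
    """Round trip with constructed values: secret, user, password and NAS address."""
    secret, authenticator = b"constructed-shared-secret", os.urandom(16)
    packet = build_access_request("alice", "Pa55word!", secret, "192.0.2.1", 7, authenticator)
    hidden = parse_attributes(packet)[ATTR_USER_PASSWORD]
    assert unhide_password(hidden, secret, authenticator) == b"Pa55word!"
    return packet
```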
To view the list of RADIUS servers, go to User > Remote > RADIUS.
Figure 393: Example RADIUS server list
The RADIUS server can use several different authentication protocols during the
authentication process:
If you have not selected a protocol, the default protocol configuration uses PAP, MSCHAPv2, and CHAP, in that order.
To add a new RADIUS server, go to User > Remote > RADIUS, select Create New, and
enter or select the following:
Figure 394: RADIUS server configuration
Name
Enter the name that is used to identify the RADIUS server on the FortiGate unit.
Primary Server Secret
Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key should be a maximum of 16 characters in length.
Secondary Server Name/IP
Enter the domain name or IP address of the secondary RADIUS server, if you have one.
Secondary Server Secret
Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key should be a maximum of 16 characters in length.
Authentication Scheme
Include in every User Group
Select to have the RADIUS server automatically included in all user groups.
LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords,
email addresses, and printers. LDAP consists of a data-representation scheme, a set
of defined operations, and a request/response network.
If you have configured LDAP support and require a user to authenticate using an LDAP
server, the FortiGate unit contacts the LDAP server for authentication. To authenticate
with the FortiGate unit, the user enters a user name and password. The FortiGate unit
sends this user name and password to the LDAP server. If the LDAP server can
authenticate the user, the FortiGate unit successfully authenticates the user. If the LDAP
server cannot authenticate the user, the FortiGate unit refuses the connection.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight
Directory Access Protocol v3, for looking up and validating user names and passwords.
FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate
LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the
FortiGate CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of
password expiration, that is available from some LDAP servers. Nor does the FortiGate
LDAP supply information to the user about why authentication failed.
To view the list of LDAP servers, go to User > Remote > LDAP.
Name
The name that identifies the LDAP server on the FortiGate unit.
Common Name Identifier
The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as uid.
Distinguished Name
The distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Delete icon
Edit icon
You can use simple authentication if the user records all fall under one dn. If the users are
under more than one dn, use the anonymous or regular type, which can search the entire
LDAP database for the required user name.
If your LDAP server requires authentication to perform searches, use the regular type and
provide values for user name and password.
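To make the Simple versus Anonymous/Regular distinction concrete, here is an added Python example (not Fortinet code) that models the three bind types against a small constructed in-memory directory: Simple bind composes one DN from the Common Name Identifier and the base Distinguished Name, while the other two search the subtree first. The DIRECTORY entries, the fgt-bind service account and uid as the common name identifier are assumptions.

```python
from typing import Dict, List, Optional

# Constructed in-memory directory standing in for the LDAP server: DN -> attributes.
# alice and carol sit directly under the base DN; bob sits in a sub-OU; fgt-bind is
# the service account a Regular bind would use for searching.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=alice,dc=example,dc=com": {"uid": "alice", "userPassword": "pw-alice"},
    "uid=carol,dc=example,dc=com": {"uid": "carol", "userPassword": "pw-carol"},
    "uid=bob,ou=Sales,dc=example,dc=com": {"uid": "bob", "userPassword": "pw-bob"},
    "cn=fgt-bind,ou=Service,dc=example,dc=com": {"cn": "fgt-bind",
                                                 "userPassword": "bind-secret"},
}

def _norm(dn: str) -> str:
    """Canonical form for DN comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def _entry(dn: str) -> Optional[Dict[str, str]]:
    """Look an entry up by DN, tolerating case and spacing differences."""
    wanted = _norm(dn)
    for key, attrs in DIRECTORY.items():
        if _norm(key) == wanted:
            return attrs
    return None

def simple_bind_dn(cn_identifier: str, base_dn: str, username: str) -> str:
    """Simple bind: the unit forms '<cnid>=<user>,<base DN>' and binds with that.
    It works only when the user's record sits directly under the base DN."""
    return f"{cn_identifier}={username},{base_dn}"

def search_user(base_dn: str, cn_identifier: str, username: str) -> List[str]:
    """Subtree search under base_dn for (cnid=username), as the Anonymous and
    Regular bind types do before binding as the user.  Returns matching DNs."""
    base = _norm(base_dn)
    return [dn for dn, attrs in DIRECTORY.items()
            if _norm(dn).endswith(base) and attrs.get(cn_identifier) == username]

def resolve_bind_dn(bind_type: str, cn_identifier: str, base_dn: str,
                    username: str, search_user_dn: str = "",
                    search_password: str = "") -> Optional[str]:
    """Return the DN the unit would bind as to verify the user's password,
    or None when that DN cannot be determined."""
    if bind_type == "Simple":
        dn = simple_bind_dn(cn_identifier, base_dn, username)
        return dn if _entry(dn) is not None else None
    if bind_type == "Regular":
        # The search itself is authenticated with the configured User DN / Password.
        creds = _entry(search_user_dn)
        if creds is None or creds["userPassword"] != search_password:
            return None
    matches = search_user(base_dn, cn_identifier, username)
    return matches[0] if len(matches) == 1 else None   # ambiguous: fail closed

def authenticate(bind_type: str, cn_identifier: str, base_dn: str,
                 username: str, password: str, **search_creds) -> bool:
    """Full flow: find the user's DN, then check the password against it."""
    dn = resolve_bind_dn(bind_type, cn_identifier, base_dn, username, **search_creds)
    return dn is not None and _entry(dn)["userPassword"] == password
```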
To add an LDAP server, go to User > Remote > LDAP and select Create New. Enter the
information below and select OK.
Name
Enter the name that identifies the LDAP server on the FortiGate unit.
Server Name/IP
Server Port
Enter the TCP port used to communicate with the LDAP server.
By default, LDAP uses port 389.
If you use a secure LDAP server, the default port changes when you
select Secure Connection.
Common Name Identifier
Enter the common name identifier for the LDAP server. The maximum number of characters is 20.
Distinguished Name
Enter the base distinguished name for the server using the correct
X.500 or LDAP format. The FortiGate unit passes this distinguished
name unchanged to the server. The maximum number of characters is
512.
Query icon
View the LDAP server Distinguished Name Query tree for the LDAP
server that you are configuring so that you can cross-reference to the
Distinguished Name.
For more information, see Using Query.
Bind Type
Regular
Anonymous
Simple
Filter
Enter the filter to use for group searching. Available if Bind Type is
Regular or Anonymous.
User DN
Password
Secure Connection
Protocol
Certificate
Select a certificate to use for authentication from the list. The certificate
list comes from CA certificates at System > Certificates >
CA Certificates.
Using Query
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all
the distinguished names associated with the Common Name Identifier for the LDAP
server. The tree helps you to determine the appropriate entry for the DN field. To see the
distinguished name associated with the Common Name identifier, select the Expand
Arrow beside the CN identifier and then select the DN from the list. The DN you select is
displayed in the Distinguished Name field. Select OK to save your selection in the
Distinguished Name field of the LDAP Server configuration.
To see the users within the LDAP Server user group for the selected Distinguished Name,
select the Expand arrow beside the Distinguished Name in the LDAP Distinguished Name
Query tree.
Figure 397: Example LDAP server Distinguished Name Query tree
TACACS+
In recent years, remote network access has shifted from terminal access to LAN access.
Users connect to their corporate network (using notebooks or home PCs) with computers
that use complete network connections and have the same level of access to the
corporate network resources as if they were physically in the office. These connections
are made through a remote access server. As remote access technology has evolved, the
need for network access security has become increasingly important.
Terminal Access Controller Access-Control System (TACACS+) is a remote
authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers. TACACS+
allows a client to accept a user name and password and send a query to a TACACS+
authentication server. The server host determines whether to accept or deny the request
and sends a response back that allows or denies network access to the user. The default
TCP port for a TACACS+ server is 49.
To view the list of TACACS+ servers, go to User > Remote > TACACS+.
Server
Authentication Type
Delete icon
Edit icon
ASCII
Machine-independent technique that uses representations of English characters.
Requires user to type a user name and password that are sent in clear text
(unencrypted) and matched with an entry in the user database stored in ASCII format.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
To add a new TACACS+ server, go to User > Remote > TACACS+, select Create New,
and enter or select the following:
Figure 399: TACACS+ server configuration
Name
Server Name/IP
Server Key
Enter the key to access the TACACS+ server. The server key should be a
maximum of 16 characters in length.
Authentication Type
Select the authentication type to use for the TACACS+ server. Selection
includes: Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using
PAP, MSCHAP, and CHAP (in that order).
Directory Service
Windows Active Directory (AD) and Novell eDirectory provide central authentication
services by storing information about network resources across a domain (a logical group
of computers running versions of an operating system) in a central directory database.
Each person who uses computers within a domain receives his or her own unique
account/user name. This account can be assigned access to resources within the domain.
In a domain, the directory resides on computers that are configured as domain controllers.
A domain controller is a server that manages all security-related features that affect the
user/domain interactions, security centralization, and administrative functions.
FortiGate units use firewall policies to control access to resources based on user groups
configured in the policies. Each FortiGate user group is associated with one or more
Directory Service user groups. When a user logs in to the Windows or Novell domain, a
Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user's IP
address and the names of the Directory Service user groups to which the user belongs.
The FSAE has two components that you must install on your network:
The domain controller (DC) agent must be installed on every domain controller to
monitor user logins and send information about them to the collector agent.
The collector agent must be installed on at least one domain controller to send the
information received from the DC agents to the FortiGate unit.
The FortiGate unit uses this information to maintain a copy of the domain controller user
group database. Because the domain controller authenticates users, the FortiGate unit
does not perform authentication. It recognizes group members by their IP address.
You must install the Fortinet Server Authentication Extensions (FSAE) on the network and
configure the FortiGate unit to retrieve information from the Directory Service server. For
more information about FSAE, see the Fortinet Server Authentication Extension
Administration Guide.
To view the list of Directory Service servers, go to User > Directory Service.
Name
AD Server
Domain
Groups
FSAE Collector IP
Delete icon
Edit icon
Add User/Group
Add a user or group to the list. You must know the distinguished name
for the user or group.
Edit Users/Group
Name
Enter the name of the Directory Service server. This name appears in the list of
Directory Service servers when you create user groups.
FSAE Collector IP/Name
Enter the IP address or name of the Directory Service server where this collector agent is installed. The maximum number of characters is 63.
Port
Enter the TCP port used for Directory Service. This must be the same as the
FortiGate listening port specified in the FSAE collector agent configuration.
Password
Enter the password for the collector agent. This is required only if you
configured your FSAE collector agent to require authenticated access.
LDAP Server
Select the check box and select an LDAP server to access the Directory
Service.
PKI
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library
that takes a list of peers, peer groups, and/or user groups and returns authentication
successful or denied notifications. Users only need a valid certificate for successful
authentication; no user name or password is necessary. Firewall and SSL VPN are the
only user groups that can use PKI authentication.
For more information about certificate authentication, see the FortiGate Certificate
Management User Guide. For information about the detailed PKI configuration settings
available only through the CLI, see the FortiGate CLI Reference.
To view the list of PKI users, go to User > PKI.
Figure 402: Example PKI User list
Name
Subject
The text string that appears in the subject field of the certificate of the
authenticating user.
CA
Delete icon
Edit icon
the text from the subject field of the certificate of the authenticating peer user, or the
CA certificate used to authenticate the peer user.
You can add or modify other configuration settings for PKI authentication. For more
information, see the FortiGate CLI Reference.
Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a
value for either subject or ca. If you do not do so, and then open the user record in the
web-based manager, you will be prompted to enter a subject or ca value before you can
continue.
To create a peer user for PKI authentication, go to User > PKI, select Create New, and
enter the following:
Figure 403: PKI user
Name
Subject
Enter the text string that appears in the subject field of the certificate of the
authenticating user. This field is optional.
CA
Enter the CA certificate that must be used to authenticate this user. This
field is optional.
Two-factor authentication
Require two-factor
authentication
Password
Note: You must enter a value for at least one of Subject or CA.
You can configure peer user groups only through the CLI. For more information, see the
FortiGate CLI Reference.
User Group
A user group is a list of user identities. An identity can be:
a local user account (user name and password) stored on the FortiGate unit
a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
Each user group belongs to one of three types: Firewall, Directory Service or SSL VPN.
For information about each type, see Firewall user groups on page 659, Directory
Service user groups on page 660, and SSL VPN user groups on page 660. For
information on configuring each type of user group, see Configuring a user group on
page 661.
In most cases, the FortiGate unit authenticates users by requesting each user name and
password. The FortiGate unit checks local user accounts first. If the unit does not find a
match, it checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group.
Authentication succeeds when the FortiGate unit finds a matching user name and
password.
For a Directory Service user group, the Directory Service server authenticates users when
they log in to the network. The FortiGate unit receives the user's name and IP address
from the FSAE collector agent. For more information about FSAE, see the Fortinet Server
Authentication Extension Administration Guide.
You can configure user groups to provide authenticated access to:
For each resource that requires authentication, you specify which user groups are
permitted access. You need to determine the number and membership of user groups
appropriate to your authentication needs.
For more information, see Creating a new phase 1 configuration on page 606.
For information about configuring a Firewall user group, see Configuring a user group on
page 661.
You can also use a firewall user group to provide override privileges for FortiGuard web
filtering. For more information, see Configuring FortiGuard Web filtering override options
on page 664. For detailed information about FortiGuard Web Filter, including the override
feature, see FortiGuard Web Filtering on page 552.
A Directory Service user group provides access to a firewall policy that requires Directory
Service type authentication and lists the user group as one of the allowed groups. The
members of the user group are Directory Service users or groups that you select from a
list that the FortiGate unit receives from the Directory Service servers that you have
configured. See Directory Service on page 654.
Note: A Directory Service user group cannot have SSL VPN access.
You can also use a Directory Service user group to provide override privileges for
FortiGuard web filtering. For more information, see Configuring FortiGuard Web filtering
override options on page 664. For detailed information about FortiGuard Web Filter,
including the override feature, see FortiGuard Web Filtering on page 552.
For information on configuring user groups, see Configuring a user group on page 661.
For information on configuring SSL VPN user group options, see Configuring SSL VPN
identity-based firewall policies on page 376.
Group Name
The name of the user group. User group names are listed by type of user
group: Firewall, Directory Service and SSL VPN. For more information, see
Firewall user groups on page 659, Directory Service user groups on
page 660, and SSL VPN user groups on page 660.
Members
The Local users, RADIUS servers, LDAP servers, TACACS+ servers, Directory
Service users/user groups or PKI users found in the user group.
Delete icon
Edit icon
Note: You cannot add local users to a group that is used to authenticate administrators.
Name
Type
Firewall
Directory Service
Select this group in any firewall policy that requires Directory Service
authentication. See Adding authentication to firewall policies on
page 372.
SSL VPN
Select this group in any firewall policy with Action set to SSL VPN.
Not available in Transparent mode.
See Configuring SSL VPN identity-based firewall policies on
page 376.
Portal
Select the SSL VPN web portal configuration to use with the User
Group. For more information, see SSL VPN web portal on page 627.
Available Users/Groups
or Available Members*
Members
Allow to create FortiGuard Web Filtering overrides
Select to allow members of this group to request an override on the FortiGuard Web Filtering Block page. The firewall protection profile governing the connection must have FortiGuard overrides enabled. The protection profile may have more than one user group as an override group. Members of an override group can authenticate on the FortiGuard Web Filter Block Override page to access the blocked site. For more information, see FortiGuard Web Filtering on page 552.
Override Scope: The override can apply to just the user who requested the override, or include others. Select one of the following from the list:
  User
  User Group
  IP
  Profile: Any user with the specified protection profile of the user group.
  Ask
Override Type: Select one of the following from the list:
  Directory
  Domain
  Categories
  Ask
Off-site URLs: Select one of the following from the list to set permissions for users linking to sites off the blocked site:
  Allow
  Deny
  Ask
Override Time:
  Constant
  Ask
Protection Profiles: One protection profile can have several user groups with override permissions. Verification of the user group occurs once the user name and password are entered. The overrides can still be enabled or not enabled on a profile-wide basis regardless of the user groups that have permissions to override the profile.
  Available: The list of defined protection profiles applied to user groups that have override privileges.
Figure 409: Using RADIUS records to assign IP addresses for SSL VPN Tunnel Mode
5 Go to User > User Group and create a new user group or edit an SSL VPN user group.
6 Set Type to SSL VPN.
7 Select the name of the Portal that contains the tunnel mode widget.
8 Add the RADIUS server that assigns IP addresses to the Members list and save the
SSL VPN user group.
9 Go to Firewall > Policy and select Create New.
10 Set Action to SSL VPN.
11 Add an identity-based policy and add the SSL VPN user group containing the RADIUS
server and the portal to the Selected User Groups list.
12 Configure the remaining firewall policy settings as required.
To dynamically assign IP addresses for dialup IPSec VPN
To use a RADIUS server to assign IP addresses to dialup IPSec VPN users, configure an
IPSec DHCP server for your IPSec VPN configuration and, in its advanced settings, set
IP Assignment Mode to User-group defined method. You must also add the RADIUS server
to a firewall user group. Then, in the phase 1 configuration of the dialup VPN, use the
advanced settings to set XAUTH to server mode and select the firewall user group that
contains the RADIUS server.
1 Go to System > DHCP and add or edit the IPSec DHCP server used by the IPSec VPN
configuration.
2 Select Advanced and set IP Assignment Mode to User-group defined method and save
the changes to the DHCP server.
3 Go to User > User Group and create a new user group or edit a Firewall user group.
4 Set Type to Firewall.
5 Add the RADIUS server that assigns IP addresses to the Members list and save the
Firewall user group.
6 Go to VPN > IPSec and create or edit a User Phase 1 with Remote Gateway set to
Dialup User.
7 Select Advanced.
8 Set XAUTH to Enable as Server.
9 Set User Group to the firewall user group containing the RADIUS server.
10 Configure the remaining IPSec VPN settings as required.
Options
You can define setting options for user authentication, including authentication timeout,
supported protocols, and authentication certificates.
Authentication timeout controls how long an authenticated firewall connection can be idle
before the user must authenticate again.
When user authentication is enabled on a firewall policy, the authentication challenge is
normally issued for any of the four protocols (depending on the connection protocol):
HTTPS
FTP
Telnet.
The selections made in the Protocol Support list of the Authentication Settings screen
control which protocols support the authentication challenge. Users must connect with a
supported protocol first so they can subsequently connect with other protocols. If HTTPS
is selected as a method of protocol support, it allows the user to authenticate with a
customized Local certificate.
When you enable user authentication on a firewall policy, the firewall policy user will be
challenged to authenticate. For user ID and password authentication, users must provide
their user names and passwords. For certificate authentication (HTTPS or HTTP
redirected to HTTPS only), you can install customized certificates on the FortiGate unit
and the users can also have customized certificates installed on their browsers.
Otherwise, users will see a warning message and have to accept a default FortiGate
certificate.
Note: When you use certificate authentication, if you do not specify any certificate when
you create the firewall policy, the global settings will be used. If you specify a certificate, the
per-policy setting will overwrite the global setting. For information about how to use
certificate authentication, see FortiGate Certificate Management User Guide.
Authentication Timeout
Protocol Support
Certificate: If using HTTPS protocol support, select the Local certificate to use for authentication. Available only if HTTPS protocol support is selected.
Apply
Monitor
You can go to User > Monitor to view lists of currently authenticated users, authenticated
IM users, and banned users. For each authenticated user, the list includes the user name,
user group, how long the user has been authenticated (Duration), how long until the user's
session times out (Time left), and the method of authentication used. The list of IM users
includes the source IP address, protocol, and last time the protocol was used. The
Banned User list includes users configured by administrators in addition to those
quarantined based on AV, IPS, or DLP rules.
The following lists are available:
Refresh
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of logged in users.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. For more information, see Using column settings to control the columns displayed on page 61 and Web-based manager icons on page 63.
De-authenticate All Users: Stop authenticated sessions for all users in the Firewall user monitor list. User(s) must re-authenticate with the firewall to resume their communication session.
Filter icons: Edit the column filters to filter or sort the firewall user monitor list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 57.
User Name
User Group
Duration
Time-left: Length of time remaining until the user session times out. Only available if the authentication time of the session will be automatically extended (authentication keepalive is enabled). If authentication keepalive is not enabled, the value in Time-left will be N/A. For more information, see the FortiGate CLI Reference.
IP Address
Traffic Volume: The amount of traffic through the FortiGate unit generated by the user.
Method: Authentication method used for the user by the FortiGate unit (authentication methods can be FSAE, firewall authentication, or NTLM).
Protocol: Filter the list by selecting the protocol for which to display current users: AIM, ICQ, MSN, or Yahoo. All current users can also be displayed.
Protocol
User Name: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Source IP
Last Login: The last time the current user used the protocol.
Block: Select to add the user name to the permanent black list. Each user name/protocol pair must be explicitly blocked by the administrator.
NAC quarantine adds blocked IP addresses or interfaces to the Banned User list. To view
the Banned User list, go to User > Monitor > Banned User. When you configure NAC
quarantine settings, you can specify how long to block the IP addresses or interfaces.
FortiGate administrators can manually enable access again by removing IP addresses or
interfaces from the Banned User list. Removing an IP address from the Banned User list
means the user can start accessing network services through the FortiGate unit again.
Removing an interface from the list means the interface can resume normal receiving and
processing of communication sessions. For more information, see The Banned User list
on page 672.
SMTP email message, you can configure DLP to block all SMTP email from a sender
identified in the From: field of the email messages, without blocking the user from web
browsing. DLP will also add the sender's name to the Banned User list. For more
information about using actions in DLP sensors, see Adding or editing a rule or
compound rule in a DLP sensor on page 577.
To configure NAC quarantine for an IPS sensor, go to UTM > Intrusion Protection >
IPS Sensor. Add or edit an IPS sensor. To add NAC quarantine to a filter, select Add
Filter, enable Quarantine Attackers (to Banned Users List), select a Method, and
configure Expires. You can also add NAC quarantine to pre-defined and custom
overrides in an IPS sensor. For more information, see Configuring filters on page 532
and Configuring pre-defined and custom overrides on page 533.
To configure NAC quarantine for a DoS sensor, you create or edit a DoS sensor and
from the CLI configure NAC quarantine for one or more of the 12 anomaly types. To
configure NAC quarantine for an anomaly, you set quarantine to attacker to block
the attacker, both to block both the attacker and the target, or interface to block the
interface that received the attack.
You can add the DoS sensor from the web-based manager or the CLI but you can only
configure NAC quarantine from the CLI. The following example shows how to edit a
DoS sensor named QDoS_sensor, set quarantine to attacker for the
udp_dst_session and set the quarantine expiry time to 30 minutes. The example
also shows how to set quarantine to both for the icmp_flood anomaly:
Users or IP addresses that are banned or quarantined by Data Leak Prevention: Set various options in a DLP sensor to add users or IP addresses to the Banned User list. For more information, see Adding or editing a rule or compound rule in a DLP sensor on page 577.
To view the Banned User list, go to User > Monitor > Banned User.
Figure 413: Banned User list
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of banned users or IP addresses.
Clear icon: Remove all users and IP addresses from the Banned User list.
Application
Protocol: The protocol that was used by the user or IP address added to the Banned User list.
Cause or rule: The FortiGate function that caused the user or IP address to be added to the Banned User list. Cause or rule can be IPS, Antivirus, or Data Leak Prevention.
Created: The date and time the user or IP address was added to the Banned User list.
Expires: The date and time the user or IP address will be automatically removed from the Banned User list. If Expires is Indefinite you must manually remove the user or host from the list.
Delete icon: Delete the selected user or IP address from the Banned User list.
Create New: Add a new WAN optimization rule. New rules are added to the bottom of the list.
Status
ID: The rule identifier. Rules are numbered in the order they are added to the rule list.
Source: The source address or address range that the rule matches. See About WAN optimization addresses on page 679.
Destination: The destination address or address range that the rule matches. See About WAN optimization addresses on page 679.
Port: The destination port number or port number range that the rule matches.
Method: Indicates whether you have selected byte caching in the WAN optimization rule.
Auto-Detect: Indicates whether the rule is an active (client) rule, a passive (server) rule or if auto-detect is off. If auto-detect is off, the rule can be a peer-to-peer rule or a Web Cache Only rule.
Protocol: The protocol optimization WAN optimization technique applied by the rule. See the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Peer: For a peer-to-peer rule, the name of the peer WAN optimizer at the other end of the link.
Mode: Indicates whether the rule applies Full Optimization or Web Cache Only.
SSL
Secure Tunnel
Delete icon
Edit icon: Edit a rule.
Insert WAN Optimization Rule Before icon: Add a new rule above the corresponding rule (the New rule screen appears).
Move To icon: Move the corresponding rule before or after another rule in the list. See Moving a rule to a different position in the rule list on page 677.
Mode: Select Full Optimization to add a rule that can apply all WAN optimization features. Select Web Cache Only to add a rule that just applies web caching. If you select Web Cache Only, you can configure the source and destination address and port for the rule. You can also select Transparent Mode and Enable SSL.
Source: Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See About WAN optimization addresses on page 679.
  Only packets whose source address header contains an IP address matching this IP address or address range will be accepted by and subject to this rule.
  For a passive rule, the server (passive) source address range should be compatible with the source addresses of the matching client (active) rule. To match one passive rule with many active rules, the passive rule source address range should include the source addresses of all of the active rules.
Destination: Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See About WAN optimization addresses on page 679.
  Only a packet whose destination address header contains an IP address matching this IP address or address range will be accepted by and subject to this rule.
  Tip: For a Web Cache Only rule, if you set Destination to 0.0.0.0, the rule caches web pages on the Internet or any network.
  For a passive rule, the server (passive) destination address range should be compatible with the destination addresses of the matching client (active) rule. To match one passive rule with many active rules, the passive rule destination address range should include the destination addresses of all of the active rules.
Port: Enter a single port number or port number range. Only packets whose destination port number matches this port number or port number range will be accepted by and subject to this rule.
  For a passive rule, the server (passive) port range should be compatible with the port range of the matching client (active) rule. To match one passive rule with many active rules, the passive rule port range should include the port ranges of all of the active rules.
Auto-Detect
Protocol: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or Active.
  Select CIFS, FTP, HTTP, or MAPI to apply protocol optimization for one of these protocols. For information about protocol optimization, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
  Select TCP if the WAN optimization tunnel accepts sessions that use more than one protocol or that do not use the CIFS, FTP, HTTP, or MAPI protocol.
Peer: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off.
  Select the peer host ID of the peer that this peer-to-peer WAN optimization rule will start a WAN optimization tunnel with. You can also select [Create New ...] to add a new peer.
Enable Web Cache: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or Passive. If Auto-Detect is set to Off, then Protocol must be set to HTTP.
  Select to apply WAN optimization web caching to the sessions accepted by this rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Transparent Mode: Servers receiving packets after WAN optimization see different source addresses depending on whether or not you select Transparent Mode. You can select this option if Auto-Detect is set to Active or Off. You can also select it for Web Cache Only rules.
  Select this option to keep the original source address of the packets when they are sent to servers. The servers appear to receive traffic directly from clients. The server network should be configured to route traffic with client source IP addresses from the server side FortiGate unit to the server and back to the server side FortiGate unit.
  If this option is not selected, the server side FortiGate unit changes the source address of the packets received by servers to the address of the server side FortiGate unit interface that sends the packets to the servers. So servers appear to receive packets from the server side FortiGate unit. Routing on the server network is usually simpler in this case because client addresses are not involved, but the server sees all traffic as coming from the server side FortiGate unit and not from individual clients.
Enable Byte Caching: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Off or Active.
  Select to apply WAN optimization byte caching to the sessions accepted by this rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Enable SSL
Enable Secure Tunnel: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Active or Off.
  If you select Enable Secure Tunnel, the WAN optimization tunnel is encrypted using SSL encryption. You must also add an authentication group to the rule. For more information, see the FortiGate WAN Optimization, Web Cache, and Web Proxy User Guide.
Authentication Group: Available only if Mode is set to Full Optimization, and Auto-Detect is set to Active or Off.
  Select this option and select an authentication group from the list if you want groups of FortiGate units to authenticate with each other before starting the WAN optimization tunnel. You must also select an authentication group if you select Enable Secure Tunnel.
  You must add identical authentication groups to both of the FortiGate units that will participate in the WAN optimization tunnel started by the rule. For more information, see Configuring authentication groups on page 681.
The netmask corresponds to the subnet class of the address being added, and can be
represented in either dotted decimal or CIDR format. The FortiGate unit automatically
converts CIDR formatted netmasks to dotted decimal format. Example formats:
679
When representing hosts by an IP range, the range indicates hosts with continuous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. Valid IP range formats include:
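The address formats described above, worked through as an added example that is not FortiGate code: a parser for the IP/netmask (dotted-decimal or CIDR), first-last, 192.168.1.[2-10] and 192.168.1.* forms, a packet-address match, and a check that a passive rule's range includes every active rule's addresses as the Source, Destination and Port entries require. Function names and the (first, last) integer representation are this example's own choices.

```python
"""Address matching for the WAN optimization rule address formats.

Added example, not FortiGate code. It parses the documented forms
(IP/netmask with a dotted-decimal or CIDR mask, first-last ranges,
192.168.1.[2-10] and 192.168.1.*), tests packet addresses against a rule,
and checks that a passive rule's range includes every active rule's range.
Function names and the (first, last) integer representation are this
example's own choices."""
from __future__ import annotations

import ipaddress
import re

# 192.168.1.[2-10]: last-octet range; 192.168.1.*: every host on that /24
_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_STAR = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")
_ANY = (0, 2**32 - 1)


def parse_address(spec: str) -> tuple[int, int]:
    """Return the inclusive (first, last) host pair for a rule address.

    Raises ValueError for anything that is not one of the documented forms.
    """
    spec = spec.strip()
    if spec == "0.0.0.0":
        # The guide's tip: Destination 0.0.0.0 on a Web Cache Only rule
        # matches the Internet or any network, so treat it as "any".
        return _ANY
    m = _BRACKET.match(spec)
    if m:
        lo, hi = int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad last-octet range in {spec!r}")
        first = int(ipaddress.IPv4Address(f"{m.group(1)}.{lo}"))
        return first, first + (hi - lo)
    m = _STAR.match(spec)
    if m:
        net = ipaddress.IPv4Network(f"{m.group(1)}.0/24")
        return int(net.network_address), int(net.broadcast_address)
    if "-" in spec:
        lo_s, hi_s = (s.strip() for s in spec.split("-", 1))
        lo, hi = int(ipaddress.IPv4Address(lo_s)), int(ipaddress.IPv4Address(hi_s))
        if lo > hi:
            raise ValueError(f"range start is after range end in {spec!r}")
        return lo, hi
    if "/" in spec:
        # ipaddress accepts 10.1.0.0/255.255.0.0 as well as 10.1.0.0/16,
        # matching the unit's conversion between the two mask formats.
        # strict=False tolerates host bits set in the address part.
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    host = int(ipaddress.IPv4Address(spec))  # single host, no mask
    return host, host


def matches(spec: str, packet_ip: str) -> bool:
    """True if the packet's address falls inside the rule's address range."""
    first, last = parse_address(spec)
    return first <= int(ipaddress.IPv4Address(packet_ip)) <= last


def uncovered_active_rules(passive_spec: str, active_specs: list[str]) -> list[str]:
    """Return the active (client) rule addresses not contained in the
    passive (server) rule's range.

    The guide requires the passive range to include the addresses of all
    the active rules it should match, so an empty result means compatible.
    """
    p_first, p_last = parse_address(passive_spec)
    bad = []
    for spec in active_specs:
        first, last = parse_address(spec)
        if first < p_first or last > p_last:
            bad.append(spec)
    return bad


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    rule_src = "192.168.1.[2-10]"
    for ip in ("192.168.1.2", "192.168.1.10", "192.168.1.11"):
        print(f"{rule_src} matches {ip}: {matches(rule_src, ip)}")
    print("uncovered:", uncovered_active_rules(
        "10.0.0.0/255.0.0.0", ["10.1.0.0/16", "10.2.3.*", "172.16.0.0/12"]))
```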
Local Host ID: Enter the local host ID of this FortiGate unit and select Apply. If you add this FortiGate unit as a peer to another FortiGate unit, use this ID as its peer host ID.
Apply
Edit icon
Delete icon: Delete a peer.
Peer Host ID: The peer host ID of the peer FortiGate unit. This is the local host ID added to the peer FortiGate unit.
IP Address: The IP address of the FortiGate unit. Usually this is the IP address of the FortiGate interface connected to the WAN.
Name
Authentication method
Peer(s): The host IDs of the peers added to the authentication group. When you add the authentication group to a WAN optimization rule, only these FortiGate units can authenticate to use this WAN optimization rule. Peer(s) can be any peer, a peer added to the FortiGate unit peer list (defined peers), or a selected peer.
Edit icon
Delete icon
Name: Add or change the name of the authentication group. Select this name when adding the authentication group to a rule. Other FortiGate units that participate in WAN optimization tunnels with this FortiGate unit must have an authentication group with the same name.
Authentication Method
  Certificate (list)
  Password
Peer Acceptance
  Accept Any Peer: Authenticate with any peer. Use this setting if you do not know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with the FortiClient application.
  Accept Defined Peers
  Specify Peer: Authenticate with the selected peer only. Select this option and then select the peer to add to this authentication group.
Refresh icon
Period: Select a time period to show traffic summary for. You can select:
  Last 10 Minutes
  Last 1 Hour
  Last 1 Day
  Last 1 Week
  Last 1 Month
Reduction Rate
LAN: The amount of data in MB received from the LAN for each application.
WAN: The amount of data in MB sent across the WAN for each application. The greater the difference between the LAN and WAN data, the greater the amount of data reduced by WAN optimization byte caching, web caching, and protocol optimization.
Bandwidth Optimization: This section shows network bandwidth optimization per time Period. A line or column chart compares an application's pre-optimized (LAN data) size with its optimized size (WAN data).
Refresh icon
Period
Protocol
Chart Type
Note: For more information about many of these web cache settings, see RFC 2616.
Always revalidate
Set the maximum object size to cache. The default size is 512000 KB. This object size determines the maximum object size to store in the web cache. Objects retrieved that are larger than the maximum size are still delivered to the client but are not stored in the web cache.
Negative Response Duration: Set how long in minutes to cache negative responses. The default is 0, meaning negative responses are not cached. The content server might send a client error code (4xx HTTP response) or a server error code (5xx HTTP response) as a response to some requests. If the web cache is configured to cache these negative responses, it returns that response in subsequent requests for that page or image for the specified number of minutes.
Fresh Factor: Set the fresh factor as a percentage. The default is 100, and the range is 1 to 100. For cached objects that do not have an expiry time, the web cache periodically checks the server to see if the objects have expired. The higher the fresh factor the less often the checks occur. For example, if you set the Max TTL value and Default TTL at 7200 minutes (5 days) and set the Fresh Factor at 20, the web cache will check the cached objects 5 times before they expire, but if you set the Fresh Factor at 100, the web cache will check once.
Max TTL: The maximum amount of time (Time to Live) an object can stay in the web cache without the cache checking to see if it has expired on the server. The default is 7200 minutes (120 hours or 5 days).
Min TTL: The minimum amount of time an object can stay in the web cache before the web cache checks to see if it has expired on the server. The default is 5 minutes.
Default TTL: The default expiry time for objects that do not have an expiry time set by the web server. The default expiry time is 1440 minutes (24 hours).
Explicit Proxy: Indicates whether the explicit proxy has been enabled for the FortiGate unit. See Configuring the explicit web proxy on page 182.
Enable Cache Explicit Proxy: Select to enable using the WAN optimization web cache to cache for the explicit proxy.
Ignore If-modified-since: By default, if the time specified by the if-modified-since (IMS) header in the client's conditional request is greater than the last modified time of the object in the cache, it is a strong indication that the copy in the cache is stale. If so, HTTP does a conditional GET to the Overlay Caching Scheme (OCS), based on the last modified time of the cached object. Enable ignoring If-modified-since to override this behavior.
HTTP 1.1 Conditionals: HTTP 1.1 provides additional controls to the client over the behavior of caches toward stale objects. Depending on various cache-control headers, the FortiGate unit can be forced to consult the OCS before serving the object from the cache. For more information about the behavior of cache-control header values, see RFC 2616.
Pragma-no-cache
IE Reload
Cache Expired Objects: Applies only to type-1 objects. When this option is selected, expired type-1 objects are cached (if all other conditions make the object cacheable).
Revalidate Pragma-no-cache: The pragma-no-cache (PNC) header in a client's request can affect the efficiency of the FortiGate unit's bandwidth. If you do not want to completely ignore PNC in client requests (which you can do by selecting to ignore Pragma-no-cache, above), you can nonetheless lower the impact on the bandwidth by selecting Revalidate Pragma-no-cache. When this option is selected, a client's non-conditional PNC-GET request results in a conditional GET request sent to the OCS if the object is already in the cache. This gives the OCS a chance to return the 304 Not Modified response, which consumes less server-side bandwidth, because the OCS has not been forced to otherwise return full content. By default, Revalidate Pragma-no-cache is disabled and is not affected by changes in the top-level profile. When the Substitute Get for PNC configuration is enabled, the revalidate PNC configuration has no effect.
  Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, you should also configure byte-range support when you configure the Revalidate pragma-no-cache option.
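How the Ignore If-modified-since, Ignore Pragma-no-cache and Revalidate Pragma-no-cache options above change the cache's handling of one client GET, as an added decision model that is not FortiGate code. Assumptions: each option is a boolean, the cached object stores its Last-Modified time, a PNC request that already carries If-modified-since is forwarded as the conditional GET it is, and the action names are this example's own.

```python
"""Web cache request handling for the If-modified-since and Pragma-no-cache
options described above.

Added example, not FortiGate code: a small decision model of which action
the cache takes for one client GET, written from the option descriptions.
Assumptions: each option is a boolean, the cached object stores its
Last-Modified time, a PNC request that already carries If-modified-since is
forwarded as the conditional GET it is, and "OCS" is the server the guide
names. The action names are this example's own."""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parsedate_to_datetime

SERVE_FROM_CACHE = "serve from cache"
CONDITIONAL_GET = "conditional GET to OCS"
FULL_GET = "full GET to OCS"


@dataclass
class CacheOptions:
    ignore_ims: bool = False       # Ignore If-modified-since
    ignore_pnc: bool = False       # Ignore Pragma-no-cache
    revalidate_pnc: bool = False   # Revalidate Pragma-no-cache (off by default)


def decide(headers: dict[str, str], cached_last_modified: str | None,
           opts: CacheOptions) -> str:
    """Return the cache action for one client GET.

    headers: the request headers; cached_last_modified: the cached copy's
    Last-Modified value (RFC 2616 date) or None when nothing is cached.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if cached_last_modified is None:
        return FULL_GET  # nothing to revalidate, the OCS must supply it
    ims = h.get("if-modified-since")
    pnc = h.get("pragma", "").strip().lower() == "no-cache"

    if pnc and not opts.ignore_pnc:
        # Honouring PNC forces the OCS to answer. Revalidate Pragma-no-cache
        # turns a non-conditional PNC GET into a conditional one so the OCS
        # can reply 304 Not Modified instead of sending the full object.
        if ims is not None or opts.revalidate_pnc:
            return CONDITIONAL_GET
        return FULL_GET

    if ims is not None and not opts.ignore_ims:
        # Default IMS behaviour: a client IMS time later than the cached
        # copy's Last-Modified time is a strong sign the cached copy is
        # stale, so the cache sends a conditional GET to the OCS.
        if parsedate_to_datetime(ims) > parsedate_to_datetime(cached_last_modified):
            return CONDITIONAL_GET
    return SERVE_FROM_CACHE


if __name__ == "__main__":
    # Constructed sample request and cache state, not captured traffic.
    cached = "Fri, 31 Dec 2010 12:00:00 GMT"
    req = {"Pragma": "no-cache"}
    for opts in (CacheOptions(), CacheOptions(revalidate_pnc=True),
                 CacheOptions(ignore_pnc=True)):
        print(opts, "->", decide(req, cached, opts))
```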
Endpoint NAC
Endpoint Network Access Control (NAC) enforces the use of the FortiClient End Point
Security (Enterprise Edition) application on your network. It can also allow or deny
endpoints access to the network based on the applications installed on them.
FortiClient enforcement can check that the endpoint is running the most recent version of
the FortiClient application, that the antivirus signatures are up-to-date and that the firewall
is enabled. An endpoint is most often a single PC with a single IP address being used to
access network services through a FortiGate unit.
You enable endpoint NAC in a firewall policy. When traffic attempts to pass through the
firewall policy, the FortiGate unit runs compliance checks on the originating host on the
source interface. Non-compliant endpoints are blocked. If web browsing, the endpoints
are redirected to a web portal that explains the non-compliance and provides a link to
download the FortiClient application installer.
To ease introduction of endpoint NAC on your network, the FortiGate unit can optionally
recommend non-compliant users install FortiClient software but allow them to continue
without doing so.
You can monitor the endpoints that are subject to endpoint NAC, viewing information
about the computer, its operating system and detected applications.
Note: Endpoint NAC does not function if enabled in a firewall policy that contains a load
balance VIP.
Enable Central Management by the FortiGuard Analysis & Management Service if you
will use FortiGuard Services to update the FortiClient application or antivirus
signatures. You do not need to enter account information. See Central Management
on page 260.
Configure the minimum required version of FortiClient and the source of FortiClient
installer downloads for non-compliant endpoints. See Configuring FortiClient installer
download and version enforcement on page 688.
Define application detection lists to specify which applications are allowed or not
allowed. Optionally, you can deny access to endpoints that have applications installed
that are not on the detection list. See Configuring application detection lists on
page 689.
Configure Endpoint NAC profiles which specify the FortiClient enforcement settings
and the application detection list to apply. You select the Endpoint NAC profile to use
when you enable Endpoint NAC in the firewall policy.
Optionally, modify the inactivity timeout for endpoints. The default is 5 minutes. After
that time period, the FortiGate unit rechecks the endpoint for Endpoint NAC
compliance. To change the timeout, adjust the compliance-timeout value in the
config endpoint-control settings CLI command.
You can also modify the appearance of the Endpoint NAC Download Portal and the
Endpoint NAC Recommendation Portal. These are replacement messages. For more
information, see Endpoint NAC replacement messages on page 235.
Information
FortiGuard Availability: FortiGuard Services is available if the indicator is green.
FortiClient Endpoint Versions
AV Signature Package: The latest AV signature package available from FortiGuard Services.
Application Signature Package
FortiClient Downloads: The number of FortiClient software downloads through this FortiGate unit.
Update Now
FortiClient Installer Download Location
Custom URL
Enforce Minimum Version: From the list select either Latest Available or a specific FortiClient version as the minimum requirement for endpoints. The list contains the FortiClient versions available from the selected FortiClient Installer Download Location. Fortinet recommends that administrators deploy a FortiClient version update to their users or ask users to install the update and then wait a reasonable period of time for the updates to be installed before updating the minimum version required to the most recent version.
Note: Select This FortiGate or Custom URL if you want to provide a customized FortiClient
application. This is required if a FortiManager unit will centrally manage FortiClient
applications. For information about customizing the FortiClient application, see the
FortiClient Administration Guide.
Name
Comments
# of Entries
Profiles: The Endpoint NAC profiles that use this application detection list.
Edit
Other Applications (not specified below): Select what to do if applications not included in this list are installed on the endpoint:
  Allow: allow the endpoint to connect
  Deny: quarantine the endpoint
  Monitor: include this endpoint's information in statistics and logs
Create New
Category
Vendor
Application
Status
Action
Delete
Edit
Insert
Move To: Move this entry. Enter the ID of another entry and select Before or After.
Profile list
Create New
Name
FortiClient Enforcement
Delete
Edit
Anti-virus Enabled
Anti-virus Up-to-date
Firewall Enabled
Monitoring endpoints
To view the list of known endpoints, go to Endpoint NAC > Monitor > Endpoints. An
endpoint is added to the list when it uses a firewall policy that has Endpoint NAC enabled.
Once an endpoint is added to the list it remains there until you manually delete it or until
the FortiGate unit restarts. Every time an endpoint accesses network services through the
FortiGate unit (or attempts to access services) the entry for the endpoint is updated.
The endpoints list can provide an inventory of the endpoints on your network. Entries for
endpoints not running the FortiClient application include the IP address, last update time,
and traffic volume/attempts. The non-compliant status indicates the endpoint is not
running the FortiClient application.
Entries for endpoints running the FortiClient application show much more information,
depending on what is available for the FortiClient application to gather. Detailed
information you can view includes endpoint hardware (CPU and model name) and the
software running on the endpoints. You can adjust column settings and filters to display
this information in many different forms.
From the endpoints list, you can view information for each endpoint, temporarily exempt
endpoints from endpoint NAC, and restore exempted endpoints to their blocked state.
Figure 425: Endpoints list (showing one endpoint that does not have FortiClient software installed)
Refresh
Status
Page
Shows the current page number in the list. Select the left and right
arrows to display the first, previous, next or last page of known
endpoints.
Column Settings
Select the columns to display in the list. You can also determine the
order in which they appear. For more information, see Using column
settings to control the columns displayed on page 61 and Web-based
manager icons on page 63.
Filter icons
Edit the column filters to filter or sort the endpoints list according to the
criteria you specify. For example, you could add a filter to the Detected
Software column to display all endpoints running BitTorrent software.
For more information, see Adding filters to web-based manager lists
on page 57.
View icon: View details about a selected endpoint. Select this icon to display the information about the endpoint found by the FortiClient application.
Exempt Temporarily icon: Exempt the selected endpoint from endpoint NAC. This means an endpoint that is blocked and added to the endpoint list can temporarily access network services through the FortiGate unit. When you select this icon you can specify how long the endpoint is exempted from endpoint NAC. The default exempt duration is 600 seconds.
Restore to Blocked State icon: Resume blocking access for a temporarily exempted endpoint.
Information columns
AV signature
Computer Manufacturer
Computer Model
CPU Model
Description
Detected Software
FortiClient Version
Host Name
IP Address
Last User
Last Update: The time that the status of the endpoint was last verified by the FortiGate unit. The FortiClient application is not required to obtain this information.
Memory Size
OS Version
System Uptime
Traffic Volume/Attempts: If the endpoint is compliant, this column displays the amount of data passed through the FortiGate unit by communication sessions originating from the endpoint. If the endpoint is non-compliant, this column displays the number of times the endpoint has attempted to connect through the FortiGate unit. The FortiClient application is not required to obtain this information.
User
Wireless Controller
Most FortiGate units, but not FortiWiFi models, can act as a wireless network controller,
managing the wireless Access Point (AP) functionality of FortiWiFi units. All units must be
running the most recent FortiOS 4.0 firmware.
You create virtual access points that can be associated with multiple physical access
points. Clients can roam amongst the physical access points, extending the range of the
wireless network.
The following topics are included in this section:
Configuration overview
Enabling the wireless controller
Configuring FortiWiFi units as managed access points
Configuring a virtual wireless access point
Configuring a physical access point
Configuring DHCP for your wireless LAN
Configuring firewall policies for the wireless LAN
Monitoring wireless clients
Monitoring rogue APs
Configuration overview
To set up a wireless network using the Wireless Controller feature, you need to:
Configure each virtual access point (VAP). A VAP has the SSID and security
configuration settings you would find on a wireless access point device. Optionally, you
can limit the number of simultaneous wireless clients who can use this VAP.
Configure each physical access point (AP). The AP settings include the radio settings
and rogue AP scan settings. You select the VAPs that will be carried on the physical
access point. Optionally, you can limit the number of simultaneous clients this AP will
accept.
Configure firewall policies to enable communication between the wireless LAN and
other networks.
Name: Enter a name to identify the VAP. This is also the name of the virtual network interface you will use in firewall policies.
SSID: Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.
SSID Broadcast
Security mode: Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface.
None: has no security. Any wireless user can connect to the wireless network.
WEP64: 64-bit wired equivalent privacy (WEP). To use WEP64 you must enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
WEP128: 128-bit WEP. To use WEP128 you must enter a Key containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
WPA: Wi-Fi protected access (WPA) security. To use WPA you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
WPA2: WPA with more security features. To use WPA2 you must select a data encryption method and enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
WPA2 Auto: the same security features as WPA2, but also accepts wireless clients using WPA security. To use WPA2 Auto you must select a data encryption method. You must also enter a pre-shared key containing at least 8 characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
Data Encryption
Key Index: Many wireless clients can configure up to four WEP keys. Select which key clients must use with this access point. This is available when you select a WEP Security Mode.
Key: Enter the encryption key that the clients must use. This is available when you select a WEP Security Mode.
Authentication
Maximum Clients: Enter the maximum number of clients permitted to connect simultaneously. Enter 0 for no limit.
2 Select OK.
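As an added example (not Fortinet's code) of the constraints the Security mode, Key and pre-shared key settings above impose, this Python validator checks a VAP definition against the rules in the table; the function name, the 1-4 Key Index range and the finding format are assumptions.

```python
import re

# Constraints as stated in the VAP settings table: WEP key lengths in hex
# digits, and the minimum pre-shared key length in characters.
WEP_KEY_HEX_DIGITS = {"WEP64": 10, "WEP128": 26}
WPA_MODES = ("WPA", "WPA2", "WPA2 Auto")
MIN_PSK_CHARS = 8
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def validate_vap(name, ssid, security_mode, key=None, key_index=None,
                 psk=None, radius_server=None, data_encryption=None):
    """Check a virtual AP definition against the rules in the table above.

    Returns a list of (severity, message) tuples: "error" for a setting the
    controller would not accept, "warning" for one that is accepted but weak.
    An empty list means the VAP is valid and nothing was flagged.
    """
    findings = []
    if not name:
        findings.append(("error", "Name is required; it is also the virtual "
                         "interface name used in firewall policies"))
    if not ssid:
        findings.append(("error", "SSID is required"))

    if security_mode == "None":
        findings.append(("warning", "security mode None: any wireless user can connect"))
    elif security_mode in WEP_KEY_HEX_DIGITS:
        want = WEP_KEY_HEX_DIGITS[security_mode]
        if key is None or len(key) != want or not _HEX_RE.match(key):
            findings.append(("error", f"{security_mode} needs a Key of exactly "
                             f"{want} hexadecimal digits (0-9 a-f)"))
        # Clients can configure up to four WEP keys; index values 1-4 are
        # assumed here, the guide only states the count.
        if key_index is not None and key_index not in (1, 2, 3, 4):
            findings.append(("error", "Key Index must be 1-4"))
        findings.append(("warning", "WEP offers no meaningful confidentiality; use WPA2"))
    elif security_mode in WPA_MODES:
        if not data_encryption:
            findings.append(("error", f"{security_mode} needs a data encryption method"))
        if psk is None and radius_server is None:
            findings.append(("error", f"{security_mode} needs a pre-shared key or a RADIUS server"))
        elif psk is not None and len(psk) < MIN_PSK_CHARS:
            findings.append(("error", f"pre-shared key must contain at least "
                             f"{MIN_PSK_CHARS} characters"))
        if security_mode == "WPA2 Auto":
            findings.append(("warning", "WPA2 Auto also accepts clients using the older WPA mode"))
    else:
        findings.append(("error", f"unknown security mode {security_mode!r}"))
    return findings


def errors(findings):
    """Only the findings that make the VAP unusable."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for f in validate_vap("legacy", "Legacy-Net", "WEP64", key="0123456789"):
        print(f)
```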
Serial Number: Enter the serial number of the FortiWiFi unit. This field is completed automatically if the AP discovers this AC and registers itself.
Name
Admin
Last Error
Rogue AP Scan: Rogue AP scanning detects other APs and reports them on the Wireless Controller > Rogue AP page. Select one of the following:
Dedicated: AP performs scanning only and does not provide service.
Background: AP performs scanning during idle periods while acting as an AP.
Disabled: Do not perform scanning. Scanning can reduce performance.
Radio: Select the wireless frequency band. Keep in mind the capabilities of your users' wireless cards or devices.
Geography
Channel: Select a channel for your wireless network or select Auto. The channels that you can select depend on the Geography setting.
TX Power: Set the transmitter power level. The higher the number, the larger the area the AP will cover.
Maximum Clients
Virtual AP: In the Available list, select the virtual APs to be carried on this physical AP and then select the right-arrow button to move them to the Selected list.
2 Select OK.
Page
Shows the current page number in the list. Select the left and right
arrows to display the first, previous, next or last page of known
endpoints.
Column Settings
Select the columns to display in the list. You can also determine the
order in which they appear. For more information, see Using column
settings to control the columns displayed on page 61 and Web-based
manager icons on page 63.
Filter icons
Edit the column filters to filter or sort the endpoints list according to the
criteria you specify. For example, you could add a filter to the Detected
Software column to display all endpoints running BitTorrent software.
For more information, see Adding filters to web-based manager lists
on page 57.
Information columns
Association Time: How long the client has been connected to this access point.
Bandwidth Rx
Bandwidth Tx
Bandwidth Tx/Rx
Idle Time: The total time during this session that the client was idle.
IP
MAC
Physical AP: The name of the physical access point with which the client is associated.
Signal Strength/Noise
Virtual AP: The name of the virtual access point with which the client is associated.
Unknown Access Points are detected access points that have not been designated as
either Rogue or Accepted.
Figure 428: Rogue Access Point list
Refresh Interval
Refresh
Inactive Access Points: Select which inactive access points to show: all, none, those detected less than one hour ago, or those detected less than one day ago.
Online
SSID: The wireless service set identifier (SSID) or network name for the wireless interface.
MAC Address
Rate
First Seen: The date and time when the FortiWiFi unit first detected the access point.
Last Seen: The date and time when the FortiWiFi unit last detected the access point.
Mark as Accepted AP: Select the icon to move this entry to the Accepted Access Points list.
Mark as Rogue AP: Select the icon to move this entry to the Rogue Access Points list.
Forget AP: Return the item to the Unknown Access Points list from the Accepted Access Points list or the Rogue Access Points list.
Log&Report
FortiGate units provide extensive logging capabilities for traffic, system and network
protection functions. They also allow you to compile reports from the detailed log
information gathered. Reports provide historical and current analysis of network activity to
help identify security issues and to reduce and prevent network misuse and abuse.
This section provides an introduction to FortiGate logging and reporting. For more
information, see Logging and Reporting in FortiOS 4.0.
For better log storage and retrieval, the FortiGate unit can send log messages to a
FortiAnalyzer unit. FortiAnalyzer units provide integrated log collection, analysis tools and
data storage. Detailed log reports provide historical as well as current analysis of network
activity. Detailed log reports also help identify security issues, reducing network misuse
and abuse. The FortiGate unit can send all log message types, including quarantine files
and DLP archives, to a FortiAnalyzer unit for storage. The FortiAnalyzer unit can upload
log files to an FTP server for archival purposes. For more information about configuring
the FortiGate unit to send log messages to a FortiAnalyzer unit, see Remote logging to a
FortiAnalyzer unit on page 704.
If you have a subscription for the FortiGuard Analysis and Management Service, your
FortiGate unit can send logs to a FortiGuard Analysis server. This service provides
another way to store and view logs, as well as archiving email messages. For more
information, see the FortiGuard Analysis and Management Service Administration Guide.
For details and descriptions of log messages and formats, see the FortiGate Log Message
Reference.
This section provides information about how to enable logging, view log messages, and
configure reports. If you have VDOMs enabled, see Using virtual domains on page 125
for more information.
The following topics are included in this section:
Log types
Note: If the FortiGate unit is in transparent mode, certain settings and options for logging
may not be available because certain features do not support logging, or are not available
in transparent mode. For example, SSL VPN events are not available in transparent mode.
Alert
Critical: Functionality is affected.
Error
Warning
Notification
Information
Debug
FortiAnalyzer (Hostname): The name of the FortiAnalyzer unit. The default name of a FortiAnalyzer unit is its product name, for example, FortiAnalyzer-400.
FortiGate (Device ID)
Registration Status: The status of whether or not the FortiGate unit is registered with the FortiAnalyzer unit. If the FortiGate unit is unregistered, it may not have full privileges. For more information, see the FortiAnalyzer Administration Guide.
Connection Status
Disk Space (MB): The amount of disk space, in MB, on the FortiAnalyzer unit for logs.
Allocated Space
Used Space
Total Free Space
Privileges: The permissions of the device for sending and viewing logs, reports, DLP archives, and quarantined logs. Tx indicates the FortiGate unit is allowed to transmit log packets to the FortiAnalyzer unit. Rx indicates the FortiGate unit is allowed to display reports and logs stored on the FortiAnalyzer unit. A check mark indicates the FortiGate unit has permissions to send or view log information and reports. An X indicates the FortiGate unit is not allowed to send or view log information.
You can also test the connection status between the FortiGate unit and the FortiAnalyzer
unit by using the following CLI command:
execute log fortianalyzer test-connectivity
The command displays the connection status and the amount of disk usage in percent.
For more information, see the FortiGate CLI Reference.
Note: The test connectivity feature also provides a warning when a FortiGate unit requires
a higher-end FortiAnalyzer unit or when the maximum number of VDOMs/FortiGate units
has been reached on the FortiAnalyzer unit.
Deletes the oldest log entry and continues logging when the maximum log
disk space is reached.
Do not log: Stops log messages going to the FortiGuard Analysis server when the maximum log disk space is reached.
IP/FQDN: The IP address or fully qualified domain name of the syslog server. For example, the FQDN could be log.example.com.
Port: The port number for communication with the syslog server, typically port 514.
Minimum log level: The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Log severity levels on page 727.
Facility
Enable CSV Format: If you enable CSV format, the FortiGate unit produces the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.
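An added example, not part of this guide, of what a syslog receiver sees from these settings: Python that encodes and decodes the syslog PRI header (facility * 8 + severity, the standard RFC 3164/5424 encoding, which the guide does not spell out), applies the "at and above the minimum level" rule using the numbers from the Log severity levels table, and renders a record as plain text or CSV; the key=value plain-text layout, facility 23 and the sample lines are assumptions.

```python
import csv
import io
import re

# Numeric severity levels from the Log severity levels table of this guide.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
FACILITY = 23  # syslog "local7"; an assumed Facility setting for the samples below

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def should_log(message_level, minimum_level):
    """The unit logs messages at and above the selected minimum level.

    Severity numbers rise as importance falls, so "at and above" means the
    message's number is less than or equal to the minimum level's number.
    """
    return SEVERITY[message_level] <= SEVERITY[minimum_level]


def syslog_pri(facility, level):
    """PRI header value: facility * 8 + severity (RFC 3164/5424 encoding)."""
    return facility * 8 + SEVERITY[level]


def parse_pri(line):
    """Decode the leading <PRI> of a syslog line into (facility, severity name)."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # facilities run 0-23, so 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, sev = divmod(pri, 8)
    return facility, SEVERITY_NAME[sev]


def select_lines(lines, minimum_level):
    """Receiver-side check: keep the lines a unit set to minimum_level would send."""
    return [ln for ln in lines if should_log(parse_pri(ln)[1], minimum_level)]


def format_record(fields, csv_format=False):
    """Render one log record the two ways the Enable CSV Format setting allows.

    Plain text is rendered as space-separated key=value pairs (an assumed
    layout); CSV uses the csv module so values containing commas are quoted.
    """
    if not csv_format:
        return " ".join(f"{k}={v}" for k, v in fields.items())
    buf = io.StringIO()
    csv.writer(buf, lineterminator="").writerow(fields.values())
    return buf.getvalue()


# Constructed sample lines, one per severity of interest.
SAMPLE_LINES = [
    f"<{syslog_pri(FACILITY, 'critical')}>constructed critical event",
    f"<{syslog_pri(FACILITY, 'warning')}>constructed warning event",
    f"<{syslog_pri(FACILITY, 'information')}>constructed information event",
]

if __name__ == "__main__":
    # With the minimum level set to warning, the information line is dropped.
    for ln in select_lines(SAMPLE_LINES, "warning"):
        print(parse_pri(ln), ln)
```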
To configure the FortiGate unit to save logs on the local hard disk
1 Go to Log&Report > Log Config > Log Setting.
2 Select Local Logging & Archiving and select the check box beside Disk.
3 Select Minimum log level for memory logs.
The FortiGate unit logs all messages at and above the logging severity level you
select. For more information about the logging levels, see Log severity levels on
page 727.
4 Change the When log disk is full setting if required.
5 Change the Log rolling settings if required.
6 Select which log message types are saved as SQL logs.
7 Select Apply.
SMTP Server
Email from
Email to: Enter up to three email address recipients for the alert email message.
Authentication
SMTP user: Enter the user name for logging on to the SMTP server to send alert email messages. You need to do this only if you have enabled SMTP authentication.
Password: Enter the password for logging on to the SMTP server to send alert email. You need to do this only if you selected SMTP authentication.
Select to have the alert email sent for one or multiple events that occur, such as an administrator logging in and out.
Interval Time (1-9999 minutes)
Intrusion detected
Virus detected
HA status changes
Violation traffic detected
Firewall authentication failure: Select if you require an alert email message based on firewall authentication failures.
SSL VPN login failure: Select if you require an alert email message based on any SSL VPN logins that failed.
Administrator login/logout
L2TP/PPTP/PPPoE errors
Configuration changes: Select if you require an alert email message based on any changes made to the FortiGate configuration.
FortiGuard license expiry time (1-100 days): Enter the number of days before the FortiGuard license expiry time notification is sent.
Disk Usage: Select if you require an alert email when the internal hard disk or AMC disk reaches a disk usage level. You can set the disk usage level at which the alert email is sent.
L2TP/PPTP/PPPoE service event
Admin event
HA activity event: All high availability events, such as link, member, and state information.
Firewall authentication event: All firewall-related events, such as user authentication.
Pattern update event: All pattern update events, such as antivirus and IPS pattern updates and update failures.
SSL VPN user authentication event: All user authentication events for an SSL VPN connection, such as logging in, logging out and timeout due to inactivity.
SSL VPN administration event: All administration events related to SSL VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event: All session activity such as application launches and blocks, timeouts, and verifications.
All related VIP server health monitor events that occur when the VIP health monitor is configured, such as an interface failure.
Antivirus log
The Antivirus log records virus incidents in Web, FTP, and email traffic. For example,
when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized
file or email that is logged, it records an antivirus log. You can also apply filters to
customize what the FortiGate unit logs, which are:
Blocked Files: The FortiGate unit logs all instances of blocked files.
Oversized Files/Emails: The FortiGate unit logs all instances of files and email messages exceeding defined thresholds.
AV Monitor: The FortiGate unit logs all instances of viruses, blocked files, and oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP, and IM traffic.
Attack Signature: The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit.
Attack Anomaly: The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.
You can view attack log messages from either the Memory or Remote tab.
To enable the attack logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the expand arrow beside Logging to reveal the available options.
4 Select Log Intrusions under IPS.
5 Select OK.
Note: Make sure attack signature and attack anomaly DoS sensor settings are enabled to
log the attack. The logging options for the signatures included with the FortiGate unit are
set by default. Ensure any custom signatures also have the logging option enabled. For
more information, see Intrusion Protection on page 523.
Disk to view log messages stored on a hard disk such as an internal hard disk or an
AMC hard disk.
Log Access provides tabs for viewing logs according to these locations. Each tab provides
options for viewing log messages, such as search and filtering options, and choice of log
type. The Remote tab displays logs stored on either the FortiGuard Analysis server or
FortiAnalyzer unit, whichever one is configured for logging.
Log information is displayed in the Log Access menu. Different tabs in Log Access display
log information stored on the FortiAnalyzer unit, FortiGate system memory and hard disk if
available, including the FortiGuard Analysis server.
The columns that appear reflect the content found in the log file. The top portion of the Log
Access page includes navigational features to help you move through the log messages
and locate specific information.
To view log messages, go to Log&Report > Log Access and then select the tab that corresponds to the log storage device used: Remote, Memory or Disk. If you are logging to the FortiGate unit's hard disk, select Edit beside a rolled log file to view log messages.
Log Type: Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see Using page controls on web-based manager lists on page 60.
Column Settings: Select to add or remove columns. This changes what log information appears in Log Access. For more information, see Column settings on page 718.
Raw or Formatted
Clear All Filters: Clear all filter settings. For more information, see Filtering log messages on page 719.
Delete
View
Download
Log Type: Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
Refresh
File name: The names of the log files of the displayed log type stored on the FortiGate hard disk. When a log file reaches its maximum size, the FortiGate unit saves the log files with an incremental number, and starts a new log file with the same name. For example, if the current attack log is alog.log, any subsequent saved logs appear as alog.n, where n is the number of rolled logs.
Size (bytes)
Last access time: The time a log message was recorded on the FortiGate unit. The time is in the format name of day month date hh:mm:ss yyyy, for example Fri Feb 16 12:30:54 2007.
Clear the current log file. Clearing deletes only the current log messages of that
log file. The log file is not deleted.
Download icon: Download the log file or rolled log file. Select either Download file in Normal format or Download file in CSV format. Select Return to return to the Disk tab page. Downloading the current log file includes only current log messages.
View icon
Delete icon: Delete rolled logs. Fortinet recommends downloading the rolled log file before deleting it because the rolled log file cannot be retrieved after deleting it.
Log Type
Refresh
Current Page: By default, the first page of the list of items is displayed. The total number of pages appears after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see Using page controls on web-based manager lists on page 60.
Column Settings Select to add or remove columns. This changes what log information appears in
Log Access. For more information, see Column settings on page 718.
Raw or Formatted: By default, log messages are displayed in Formatted mode. Select Raw to view log messages in Raw mode, without columns. When in Raw mode, select Formatted to switch back to viewing log messages organized in columns. When log messages are displayed in Formatted view, you can customize the columns, or filter log messages.
Clear All Filters: Clear all filter settings. For more information, see Filtering log messages on page 719.
Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs
from the FortiGate unit.
Column settings
By using Column Settings, you can customize the view of log messages in Formatted
view. By adding columns, changing their order, or removing them, you can view only the
log information you want.
The Column Settings feature is available only in Formatted view.
Figure 438: Column settings for viewing log messages
->: Select the right arrow to move selected fields from the Available fields list to the Show these fields in this order list.
<-: Select the left arrow to move selected fields from the Show these fields in this order list to the Available fields list.
Move up: Move the selected field up one position in the Show these fields in this order list.
Move down: Move the selected field down one position in the Show these fields in this order list.
7 Select OK.
Note: The Detailed Information column provides the entire raw log entry and is needed only
if the log contains information not available in any of the other columns. The VDOM column
displays which VDOM the log was recorded in.
You can view the device ID and device name when customizing columns. The device ID
provides the identification name of the device. The device name is the host name that you
configured for the FortiGate unit, for example Headquarters.
Filter icon (disabled)
Filter icon (enabled)
You have configured the FortiGate unit for remote logging and archiving to a
FortiAnalyzer unit. See Remote logging to a FortiAnalyzer unit on page 704.
You have subscribed to the FortiGuard Analysis and Management Service. See the
FortiGuard Analysis and Management Service Administration Guide.
Select the following tabs to view DLP archives for one of these protocols.
E-mail to view POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS, and spam email
archives.
If you need to view logs in Raw format, select Raw beside the Column Settings icon. For
more information, see Column settings on page 718.
For information about configuring DLP archiving, see DLP archiving on page 580.
The file quarantine list displays the following information about each quarantined file:
Source
Sort by: Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.
Filter: Filter the list. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, IM, or NNTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. If your FortiGate unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS.
Apply: Select to apply the sorting and filtering selections to the list of quarantined files.
Delete
Page Controls: Use the controls to page through the list. For details, see Using page controls on web-based manager lists on page 60.
Remove All Entries
File Name
Date: The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if duplicates are quarantined.
Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status
Description: Specific information related to the status, for example, File is infected with W32/Klez.h or File was stopped by file block pattern.
DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL: Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status: Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
Download icon
Submit icon
Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL
value and the duplicate count are updated each time a duplicate of a file is found.
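As an added example (not FortiGate code) of the quarantine semantics described above, this Python model keys entries by checksum, counts duplicates instead of storing them, refreshes the TTL on each duplicate, shows EXP once the TTL elapses, and offers the Sort by and Filter controls; the SHA-256 checksum, UTC dates, the DC starting at 0 and the class names are assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Column vocabulary from the file quarantine table above.
STATUSES = ("infected", "blocked", "heuristics")
SERVICES = ("IMAP", "POP3", "SMTP", "FTP", "HTTP", "IM", "NNTP",
            "IMAPS", "POP3S", "SMTPS", "HTTPS")


@dataclass
class QuarantineEntry:
    checksum: str             # duplicates are recognised by this value
    file_name: str            # File Name column (name of the first copy seen)
    service: str              # Service column
    status: str               # Status column
    description: str          # Description column
    first_seen: float         # Date column: when the first copy was quarantined (epoch s)
    ttl_seconds: int
    expires_at: float         # refreshed whenever a duplicate is found
    duplicate_count: int = 0  # DC column: copies seen after the first (assumed base)

    @property
    def date_display(self):
        """Date column in the guide's dd/mm/yyyy hh:mm format (UTC assumed)."""
        return datetime.fromtimestamp(self.first_seen, timezone.utc).strftime("%d/%m/%Y %H:%M")

    def ttl_display(self, now):
        """TTL column: remaining time as hh:mm, or EXP once the TTL has elapsed."""
        remaining = int(self.expires_at - now)
        if remaining <= 0:
            return "EXP"
        return f"{remaining // 3600:02d}:{(remaining % 3600) // 60:02d}"


class QuarantineList:
    """Holds one entry per distinct file; duplicates are counted, not stored."""

    def __init__(self, default_ttl=3600):
        self.default_ttl = default_ttl
        self._entries = {}  # checksum -> QuarantineEntry

    @staticmethod
    def checksum(content):
        # SHA-256 is an assumed stand-in for whatever checksum the unit uses.
        return hashlib.sha256(content).hexdigest()

    def add(self, content, file_name, service, status, description, now, ttl=None):
        if status not in STATUSES or service not in SERVICES:
            raise ValueError(f"unknown status/service: {status}/{service}")
        digest = self.checksum(content)
        entry = self._entries.get(digest)
        if entry is None:
            ttl = self.default_ttl if ttl is None else ttl
            entry = QuarantineEntry(digest, file_name, service, status, description,
                                    first_seen=now, ttl_seconds=ttl, expires_at=now + ttl)
            self._entries[digest] = entry
        else:
            # Duplicate: the content is not stored again; DC and TTL are updated,
            # while File Name and Date keep the values of the first copy.
            entry.duplicate_count += 1
            entry.expires_at = now + entry.ttl_seconds
        return entry

    def entries(self):
        return list(self._entries.values())

    def filter(self, status=None, service=None):
        """Filter control: narrow the list by Status or Service."""
        return [e for e in self._entries.values()
                if (status is None or e.status == status)
                and (service is None or e.service == service)]

    def sort_by(self, column, now=0.0):
        """Sort by control: Status, Service, File Name, Date, TTL or Duplicate Count."""
        keys = {
            "Status": lambda e: e.status,
            "Service": lambda e: e.service,
            "File Name": lambda e: e.file_name,
            "Date": lambda e: e.first_seen,
            "TTL": lambda e: e.expires_at - now,
            "Duplicate Count": lambda e: e.duplicate_count,
        }
        return sorted(self._entries.values(), key=keys[column])


if __name__ == "__main__":
    q = QuarantineList()
    e = q.add(b"constructed sample", "invoice.exe", "HTTP", "infected",
              "File is infected with W32/Klez.h", now=1000.0)
    q.add(b"constructed sample", "invoice2.exe", "SMTP", "infected",
          "File is infected with W32/Klez.h", now=4000.0)
    print(e.file_name, e.date_display, e.duplicate_count, e.ttl_display(4000.0))
```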
The following procedure describes how to clone a report schedule. When you clone a
report schedule, a duplicate of the original is used as a basis for a new one.
To view the list of report schedules, go to Log&Report > Report Config.
To configure a report schedule, go to Log&Report > Report Config, select Create New,
enter the appropriate information and then select OK.
Delete
Edit
Clone
Name
Description
Report Layout: The name of the report layout used for the report schedule.
Schedule
Clone icons
Name
Description
Report Layout: Select a configured report layout from the list. You must apply a report layout to a report schedule. For more information, see the FortiAnalyzer Administration Guide.
Language: Select the language you want used in the report schedule from the list.
Schedule: Select one of the following to have the report generate once only, daily, weekly, or monthly at a specified date or time period.
Once
Daily: Select to generate the report every day at the same time, and then enter the hour and minute time period for the report. The format is hh:mm.
These Days: Select to generate the report on specified days of the week, and then select the days of the week check boxes.
These Dates
Virtual Domain
User
Group
LDAP Query: Select the LDAP Query check box and then select an LDAP directory or Windows Active Directory group from the list.
Time Period: Select to include the time period of the logs to include in the report.
Relative to Report Runtime: Select a time period from the list. For example, this year.
Specify: Select to specify the date, day, year and time for the report to run.
From: Select the beginning date and time of the log time range.
To: Select the ending date and time of the log time range.
Output: Select the format you want the report to be in and if you want to apply an output template.
Output Types: Select the type of file format for the generated report. You can choose from PDF, MS Word, Text, and MHT.
Email/Upload: Select the check box if you want to apply a report output template from the list. This list is empty if a report output template does not exist. For more information, see the FortiAnalyzer Administration Guide.
Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a
FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.
Schedule
Display Column: Select where to display the report, either first or second column of the Executive Summary.
The report updates at the configured time. To update the report immediately, select the
Refresh icon near the right end of the widget title bar. You can also select the Edit icon
to change the report update schedule.
Report Files: The name of the generated report. Select the name to view the report. You can also select the expand arrow to view the report and then select the rolled report to view the report.
Date
Size(bytes)
Other Formats: Displays the formats PDF, RTF or MHT or all if these formats were chosen in the report schedule.
Time Period: Select a time range to view for the graphical analysis. You can choose from one day, three days, one week or one month. The default is one day. When you refresh your browser or go to a different menu, the settings revert to default.
Services: By default all services are selected. When you refresh your browser or go to a different menu, all services revert to default settings. Clear the check boxes beside the services you do not want to include in the graphical analysis.
Browsing
DNS
Email
FTP
Gaming
Instant Messaging
Newsgroups
P2P
Streaming
TFTP
VoIP
Generic TCP
Generic UDP
Generic ICMP
Generic IP
Bandwidth Per Service This bar graph is based on the services you select, and is
updated when you select Apply. The graph is based on the current date and time.
Top Protocols Ordered by Total Volume This bar graph displays the traffic volume
for various protocols, in decreasing order of volume. The bar graph does not update
when you select different services and then select Apply.
The report is not updated in real-time. You can refresh the report by selecting the Memory
tab.
Note: The data used to present the graphs is stored in the FortiGate system memory.
When the FortiGate unit is reset or rebooted, the data is erased.
Log severity levels
Level              Description                    Generated by
0 - Emergency
1 - Alert
2 - Critical       Functionality is affected.
3 - Error
4 - Warning
5 - Notification
6 - Information
7 - Debug
Log types
The FortiGate unit provides a wide range of features to log, enabling you to better monitor
activity that is occurring on your network. For example, you can enable logging of IM/P2P
features, to obtain detailed information on the activity occurring on your network where
IM/P2P programs are used.
Before enabling FortiGate features, you need to configure what type of logging device will
store the logs. For more information, see Configuring how a FortiGate unit stores logs on
page 704.
This topic also provides details on each log type and explains how to enable logging of the
log type.
Note: If the FortiGate unit is in transparent mode, certain settings and options for logging
may not be available because they are not available in transparent mode. For example,
SSL VPN events are not available in transparent mode.
Traffic log
The Traffic log records all the traffic to and through the FortiGate interfaces. You can
configure logging of traffic controlled by firewall policies and for traffic between any source
and destination addresses. You can also filter to customize the traffic logged:
Allowed traffic The FortiGate unit logs all traffic that is allowed according to the
firewall policy settings.
Violation traffic The FortiGate unit logs all traffic that violates the firewall policy
settings.
If you are logging other-traffic, the FortiGate unit incurs a higher system load because
other-traffic logging records individual packets. Fortinet recommends logging firewall
policy traffic instead, since it minimizes the load. Logging other-traffic is disabled by
default.
Firewall policy traffic logging records the traffic that is both permitted and denied by the
firewall policy, based on the protection profile. Firewall policy traffic logging records
packets that match the policy.
To enable firewall policy traffic logging
1 Go to Firewall > Policy.
2 Select the expand arrow to view the policy list for a policy.
3 Select Edit beside the policy that you want.
If required, create a new firewall policy by selecting Create New. For more information,
see Firewall Policy on page 363.
4 Select Log Allowed Traffic.
5 Select OK.
Note: You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages. Traffic log messages generally have a severity level
no higher than Notification. If VDOMs are in transparent mode, make sure that VDOM
allows access for enabling traffic logs.
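The note above is worth seeing in action: because traffic log messages are at most Notification severity, a log destination filtered at a stricter level silently drops all of them. The following Python is an added example, not Fortinet code; it applies the severity table to constructed FortiOS-style key=value log lines, and the `pri=` field, its abbreviated spellings and the sample lines are assumptions, not taken from this guide.

```python
"""Severity filtering of FortiGate log messages.

Added example (not Fortinet code). FortiGate log messages carry a severity
from 0 (Emergency) to 7 (Debug). A log destination configured with a minimum
severity records only messages at that level or more severe, so a syslog or
memory destination set to Warning (4) silently drops every traffic log
message, which is Notification (5) at most. The key=value layout and the
``pri=`` field used below are assumptions modelled on FortiOS 4.0 syslog
output; the sample lines are constructed for this example.
"""
import re

# Severity levels as listed in the "Log severity levels" table.
SEVERITY = {
    "emergency": 0,
    "alert": 1,
    "critical": 2,
    "error": 3,
    "warning": 4,
    "notification": 5,
    "information": 6,
    "debug": 7,
}

# Abbreviated spellings that appear in the pri=/level= field (assumed aliases).
ALIASES = {
    "emerg": "emergency",
    "crit": "critical",
    "err": "error",
    "warn": "warning",
    "notice": "notification",
    "info": "information",
}

# One key=value pair; values may be quoted strings containing spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Split a key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def severity_number(name):
    """Map a severity name or alias (any case) to its 0..7 number."""
    name = name.lower()
    return SEVERITY[ALIASES.get(name, name)]


def severity_of(record):
    """Numeric severity of a parsed record, read from pri= or level=."""
    return severity_number(record.get("pri") or record.get("level") or "")


def forwarded(lines, min_severity):
    """Return the parsed records a destination set to min_severity would keep.

    min_severity is the least severe level the destination still accepts:
    "notification" keeps levels 0..5 and drops information and debug.
    """
    threshold = severity_number(min_severity)
    return [rec for rec in map(parse_log_line, lines)
            if severity_of(rec) <= threshold]


def traffic_logs_would_be_dropped(min_severity):
    """True when the destination is stricter than Notification, the most
    severe level a traffic log message normally reaches."""
    return severity_number(min_severity) < SEVERITY["notification"]


# Constructed sample messages (not real device output).
SAMPLE_LINES = [
    'date=2009-10-22 time=10:15:30 devname=FGT-example type=traffic '
    'subtype=allowed pri=notice vd=root src=10.0.0.5 dst=10.0.0.200 '
    'service=HTTP action=accept',
    'date=2009-10-22 time=10:15:31 devname=FGT-example type=traffic '
    'subtype=violation pri=notice vd=root src=10.0.0.7 dst=10.0.0.200 '
    'service=TELNET action=deny',
    'date=2009-10-22 time=10:15:32 devname=FGT-example type=event '
    'subtype=system pri=warning vd=root msg="interface port2 link is down"',
    'date=2009-10-22 time=10:15:33 devname=FGT-example type=ips '
    'subtype=signature pri=alert vd=root attack_name=TCP.Bad.Flags '
    'action=dropped',
    'date=2009-10-22 time=10:15:34 devname=FGT-example type=event '
    'subtype=admin pri=info vd=root msg="admin login succeeded"',
]


def report(min_severity, lines=SAMPLE_LINES):
    """Count kept records per log type for a destination at min_severity."""
    counts = {}
    for rec in forwarded(lines, min_severity):
        counts[rec["type"]] = counts.get(rec["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for level in ("warning", "notification", "debug"):
        print(level, report(level),
              "traffic logs dropped" if traffic_logs_would_be_dropped(level)
              else "traffic logs kept")
```

Running it shows that a destination set to Warning keeps the event and IPS messages but no traffic messages at all, while Notification keeps both allowed and violation traffic records.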
next
edit port2
set log enable
end
4 Use the following command to enable logging of other traffic.
config log syslogd filter
set other-traffic enable
end
5 Go to UTM > Intrusion Protection > IPS Sensor and select Create New to add an IPS
Sensor.
Edit the IPS Sensor and select Add Pre-defined Override to add the following
predefined IPS signatures to the sensor.
Invalid.Protocol.Header
TCP.Bad.Flags
TCP.Invalid.Packet.Size
Enable each of these signatures, set Action to Block and enable Logging.
6 Enter the following CLI commands to add a DoS policy (called an interface policy in the
CLI) that includes the IPS Sensor.
config firewall interface-policy
edit 1
set interface <interface_name>
set srcaddr all
set dstaddr all
set service ANY
set ips-sensor-status enable
set ips-sensor <sensor_name>
end
Where <sensor_name> is the name of the IPS sensor added above.
Index
Symbols
Numerics
802.3ad aggregate interface
creating, 159
A
accept action
firewall policy, 683, 684
access profile, See admin profile, 257
accessing logs stored in hard disk, 716
action
email filter banned word, 564
email filter IP address, 567
firewall policy, 367
action type
email filter email address, 569
active sessions
HA statistics, 212
add signature to outgoing email
protection profile, 479
adding, configuring or defining
admin profile, 258
administrative access to interface, 165
administrator account, 244
administrator password, 246
administrator settings, 261
antispam advanced options, 570
antispam email address list, 568, 570
antispam IP address, 567
antispam IP address list, 566
antivirus file filter list, 515, 516
antivirus file patterns, 516
antivirus file quarantine, 516
antivirus log, 713
antivirus quarantine options, 518
antivirus scanning options, 477
application control options, 489
attack log (IPS), 714
authentication settings, 667
authentication, firewall policy, 372
autosubmit list, 517
banned word list, 563, 564
basic traffic report, graphical view, 727
BFD, 351
BFD on BGP, 352
BFD on OSPF, 353
BGP settings, 346
CA certificates, 286
Certificate Revocation List (CRL), 288
cipher suite, 627
combined IP pool and virtual IP, 440
custom firewall service, 406
custom service, firewall, 406
custom signatures, 527
customized CLI console, 68
DHCP interface settings, 161
aggregate interface
creating, 159
AH, predefined service, 402
alert email, 709
options, 709
SMTP user, 710
alert message console
viewing, 76
ALG
SIP, 495
allow inbound
IPSec firewall policy, 376
allow outbound
IPSec firewall policy, 376
allow web sites when a rating error occurs
protection profile, 484
allowed
web category report, 558
AMC
bridge module, 99
configuring AMC modules, 98
AMC module, 149
configuring, 98
antispam
port 53, 305
port 8888, 305
antispam email address list
adding, 568
viewing, 568
antispam IP address list
viewing, 566
antispam. See also Email filter, 559
antivirus
av_failopen, 520
CLI configuration, 520
configure antivirus heuristic, 520
file block, 513
file block list, 515
heuristics, 520
optimize, 520
quarantine, 516
quarantine files list, 720
scanning large files, 521
splice, 478, 487
streaming mode, 478, 487
system global av_failopen, 520
system global optimize, 520
virus list, 519
antivirus and attack definitions, 307
antivirus options
protection profile, 477
antivirus updates, 307
manual, 91
through a proxy server, 308
ANY
service, 402
AOL
service, 402
append tag format
protection profile, 488
append tag to location
protection profile, 488
B
back to HA monitor
HA statistics, 211
backing up
3.0 config to FortiUSB, 115
3.0 configuration, 114
config using web-based manager, 3.0, 114
configuration, 52
backup (redundant) mode
modem, 171
backup and restore, system maintenance, 290
backup mode
modem, 173
band
wireless setting, 191
bandwidth
guaranteed, 418
maximum, 418, 676, 681
banned word
character set, 483
banned word (email filter)
action, 564
adding words to the banned word list, 564
catalog, 562
language, 564
pattern, 564
banned word (spam filter)
language, 564
list, 563
pattern, 564
pattern type, 564
banned word check
protection profile, 487
banned word list
creating new, 563
banned word list catalog
viewing, 562
beacon interval
wireless setting, 191
BFD
configuring on BGP, 352
configuring on OSPF, 353
disabling, 352
BGP
AS, 346
flap, 346
graceful restart, 346
MED, 346
RFC 1771, 346
service, 402
settings, viewing, 346
stabilizing the network, 346
black/white list, 565
blackhole route, 315
blackhole routing, 158
block, 504
block login (IM)
protection profile, 489
blocked
web category report, 558
Boot Strap Router (BSR), 348
BOOTP, 203
branch, 508
bridge mode, 99
bridge module
AMC, 99
button bar
features, 51
C
CA certificates
importing, 286
viewing, 286
catalog
banned word, 562
content filter, 545
email address black/white list, 568
IP address black/white list, 565
URL filter, 548
viewing file pattern, 514
category
protection profile, 485
web category report, 558
category block
configuration options, 552
reports, 557
central management, 260
revision control, 261
Certificate Name
IPSec VPN, phase 1, 607
certificate, security. See system certificate
certificate, server, 627
certificate. See system certificates
channel
wireless setting, 191
character set
converting, 483
DLP, 483
email filter, 483
web filtering, 483
CIDR, 28, 266, 395, 679
cipher suite
SSL VPN, 627
CLI, 47
admin profile, 256
connecting to from the web-based manager, 51
CLI command
PPTP tunnel setup, 623
CLI configuration
antivirus, 520
customizing CLI console, 68
using in web-based manager, 79
web category block, 557
CLI console, 79
client certificates
SSL VPN, 627
client comforting, 479
cluster member, 209
cluster members list, 210
priority, 210
role, 210
cluster unit
disconnecting from a cluster, 212
code, 407
column settings, 718
configuring, 61
using with filters, 63
comfort clients
protection profile, 478
comforting
client, 479
command line interface (CLI), 24
comments
firewall policy, 372, 379
comments, documentation, 30
concentrator
adding, 617
equivalent for route-based VPN, 604
IPSec tunnel mode, 617
IPSec VPN, policy-based, 617
Concentrator Name
IPSec VPN, concentrator, 617
config antivirus heuristic
CLI command, 520
configuration
backing up the configuration, 52
configuring
WAN optimization peer, 680
WAN optimization rule, 675
connecting
modem, dialup account, 175
web-based manager, 48
conservation mode, 220
conserve mode, 76
contact information
SNMP, 214
contacting customer support, 51
content archiving
DLP archiving, 580
content block
catalog, 545
web filter, 544
content filtering
character set, 483
content filtering mode
HTTPS, 477
content scanning
SSL, 469
content streams
replacement messages, 225
CPU load, 132
CPU usage
HA statistics, 211
CRL (Certificate Revocation List)
importing, 288
viewing, 287
custom service
adding, 406
adding a TCP or UDP custom service, 406
list, 406
custom signatures
intrusion protection, 527
viewing, 527
customer service, 29, 132
customer support
contacting, 51
customized GUI
PPTP tunnel setup, 621
CVSPSERVER, concurrent versions system proxy server, 402
cx4, 99
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20091022
http://docs.fortinet.com/ Feedback
D
dashboard, 47, 67
dashboard statistics
protection profile, 488
data encryption
wireless setting, 193
data leak prevention sensor, 488
data leak protection, 575
compound rule, 591
rule, 586
sensor, 575
date
quarantine files list, 720
daylight saving changes, 86
DC
quarantine files list, 721
DCE-RPC
firewall service, 402
Dead Peer Detection
IPSec VPN, phase 1, 610
default
password, 24
default gateway, 318
default route, 318
Designated Routers (DR), 348
destination
firewall policy, 367, 370, 375, 378
destination IP address
system status, 83
destination NAT
SIP, 496
destination network address translation (DNAT)
virtual IPs, 423, 424
destination port, custom services, 407
device priority
HA, 207
subordinate unit, 212
DH Group
IPSec VPN, phase 1, 610
IPSec VPN, phase 2, 612
DHCP
and IP Pools, 371
configuring relay agent, 201
configuring server, 201
servers and relays, 199
service, 200
system, 199
transparent mode, 199
viewing address leases, 203
DHCP (Dynamic Host Configuration Protocol)
configuring on an interface, 161
service, 402
DHCP6
service, 402
DHCP-IPSec
IPSec VPN, phase 2, 613
diagnose
commands, 51
diagram
topology viewer, 107
dialup VPN
monitor, 618
Directory Service
configuring server, 654, 655
FSAE, 655
disclaimer
administrator login, 232
disconnecting
modem, dialup account, 175
disk space
quarantine, 519
display content meta-information on dashboard
protection profile option, 489
display content meta-information on the system dashboard
protection profile, 488
Distinguished Name
query, 652
DLP
archiving, 580
character set, 483
content archiving, 580
DLP archive
viewing, 91, 586, 719
DLP archiving, 580
DLP. See data leak protection
DNAT
virtual IPs, 423, 424
DNS
service, 402
split, 177, 180
documentation
commenting on, 30
Fortinet, 30
domain name, 396
DoS policy, 379
configuring, 381, 384
viewing, 380
DoS sensor, 537
IPS, 480
list, 538
SCCP, 501
SIP, 501
dotted-decimal notation, 343
double NAT, 440
downgrading. See also reverting
3.0 using the CLI, 121
3.0 using web-based manager, 120
download
quarantine files list, 721
duplicates
quarantine files list, 721
Dynamic DNS
IPSec VPN, phase 1, 606
monitor, 618
network interface, 163
VPN IPSec monitor, 618
dynamic IP pool
SIP, 497
dynamic resources
VDOM resource limits, 139, 140
E
ECMP, 315
eip
vpn pptp, 623, 624
email
oversize threshold, 478
email address
action type, 569
adding to the email address list, 570
black/white list catalog, 568
BWL check, protection profile, 487
list, email filter, 568
pattern type, 569
email alert, 709
email filter, 559
adding words to the banned word list, 564
email address list, 568
IP address, 565
IP address list, 566
Perl regular expressions, 571
email filtering options
protection profile, 485
enable FortiGuard Web Filtering
protection profile, 484
enable FortiGuard Web Filtering overrides
protection profile, 484
Enable perfect forward secrecy (PFS)
IPSec VPN, phase 2, 612
Enable replay detection
IPSec VPN, phase 2, 612
enable session pickup
HA, 208
Encryption
IPSec VPN, phase 2, 612
Encryption Algorithm
IPSec VPN, manual key, 614, 615
Encryption Key
IPSec VPN, manual key, 615
end IP
IP pool, 440
enhanced reliability, 205
Equal Cost Multipath (ECMP), 315
equal-cost multi-path (ECMP), 322
ESP
service, 402
example
firewall policy, 389
source IP address and IP pool address matching, 438
exclude range
adding to DHCP server, 203
expire
system status, 83
expired
subscription, 303
explicit mode
WAN optimization, 679
exported server certificates
importing, 283
external interface
virtual IP, 426
external IP address
virtual IP, 427
external service port
virtual IP, 427
F
fail-open, CLI command for IPS, 540
FDN
attack updates, 239
HTTPS, 306
override server, 304
port 443, 306
port 53, 305
port 8888, 305
port forwarding connection, 309
proxy server, 308
push update, 304
troubleshooting connectivity, 306
updating antivirus and attack definitions, 307
FDS, 300
file block
antivirus, 513
default list of patterns, 513
list, antivirus, 515
protection profile, 478
file name
quarantine files list, 720
file pattern
catalog, 514
quarantine autosubmit list, 517
filter
filtering information on web-based manager lists, 57
IPS sensor, 532
quarantine files list, 720
using with column settings, 63
web-based manager lists, 57
FINGER
service, 402
firewall, 363, 395, 401, 411, 421, 467
address list, 397
configuring, 363, 395, 467
configuring firewall service, 401
configuring service group, 408
configuring virtual IP, 421
configuring, schedule, 411
custom service list, 406
one-time schedule, 412
overview, 363, 395, 401, 467
overview, firewall schedule, 411
overview, virtual IP, 421
policy list, 366
policy matching, 363
predefined services, 401
recurring schedule, 411
virtual IP list, 425
firewall address
adding, 397
address group, 398
address name, 398
create new, 397
IP range/subnet, 398
list, 397
name, 397
subnet, 398
firewall address group
adding, 399
available addresses, 400
group name, 400
members, 400
firewall IP pool list, 439
firewall IP pool options, 440
firewall policy
accept action, 683, 684
action, 367
adding, 367
adding a protection profile, 468
allow inbound, 376
allow outbound, 376
authentication, 372, 379
changing the position in the policy list, 364, 677
comments, 372, 379
configuring, 367
creating new, 366, 418, 419
deleting, 364, 677
destination, 367, 370, 375, 378
example, 389
guaranteed bandwidth, 418
ID, 367
inbound NAT, 376
insert policy before, 367, 676
list, 366
log traffic, 372, 375, 379
matching, 363
maximum bandwidth, 418, 676, 681
modem, 175
moving, 364, 677
multicast, 365
outbound NAT, 376
protection profile, 371
schedule, 367, 370
service, 367, 371
source, 367, 370, 378
SSL VPN options, 376
traffic priority, 676, 681
traffic shaping, 371, 375, 379
user groups, 659
firewall protection profile
default protection profiles, 468
list, 469
options, 474
firewall service
AFS3, 402
AH, 402
ANY, 402
AOL, 402
BGP, 402
CVSPSERVER, 402
DCE-RPC, 402
DHCP, 402
DHCP6, 402
DNS, 402
ESP, 402
FINGER, 402
FTP, 402
FTP_GET, 402
FTP_PUT, 402
GOPHER, 402
GRE, 402
group list, 408
H323, 403
HTTP, 403
HTTPS, 403
ICMP_ANY, 403
IKE, 403
IMAP, 403
INFO_ADDRESS, 403
INFO_REQUEST, 403
Internet-Locator-Service, 403
IRC, 403
L2TP, 403
LDAP, 403
MGCP, 403
MS-SQL, 403
MYSQL, 403
NetMeeting, 403
NFS, 403
NNTP, 403
NTP, 403
ONC-RPC, 404
OSPF, 404
PC-Anywhere, 404
PING, 404
PING6, 404
POP3, 404
PPTP, 404
QUAKE, 404
RAUDIO, 404
REXEC, 404
RIP, 404
RLOGIN, 404
RSH, 404
RTSP, 404
SAMBA, 404
SCCP, 405
SIP, 405
SIP-MSNmessenger, 405
SMTP, 405
SNMP, 405
SOCKS, 405
SQUID, 405
SSH, 405
SYSLOG, 405
TALK, 405
TCP, 405
TELNET, 405
TFTP, 405
TIMESTAMP, 405
UDP, 405
UUCP, 405
VDOLIVE, 405
viewing custom service list, 406
viewing list, 401
VNC, 405
WAIS, 405
WINFRAME, 406
WINS, 406
X-WINDOWS, 406
firmware
reverting to previous version, 89
upgrading to a new version, 88
viewing, 294
firmware version, 88
fixed port
IP pool, 438
FortiAnalyzer, 23, 704
accessing logs, 716
configuring report schedules, 721
logging to, 704
printing reports, 725
VDOM, 126
FortiBridge, 23
FortiClient, 23
system maintenance, 290
FortiGate documentation
commenting on, 30
FortiGate SNMP event, 217
FortiGate-ASM-CX4, 99
FortiGate-ASM-FB4, 149
FortiGate-ASM-FX2, 99
FortiGuard, 23
Antispam, 24
Antivirus, 24
changing the host name, 557
CLI configuration, 557
configuration options, 552
configuring FortiGuard Web filtering options, 483
manually configuring definition updates, 91
override options for user group, 664
report allowed, 558
report blocked, 558
report category, 558
report profiles, 558
report range, 558
report type, 558
reports, 557
web filter, 552
FortiGuard Analysis Service
accessing logs on FortiGuard Analysis server, 717
FortiGuard Antispam
email checksum check, 486
IP address check, 486
FortiGuard Distribution Network. See FDN
FortiGuard Distribution Server. See FDS
FortiGuard Intrusion Prevention System (IPS), 72
FortiGuard Management Services
remote management options, 293
G
geography
wireless setting, 191
GOPHER
service, 402
graceful restart, 346
graphical user interface. See web-based manager
grayware
updating antivirus and attack definitions, 307
GRE, 338
service, 402
group name
HA, 208
grouping services, 408
groups
user, 658
guaranteed bandwidth
firewall policy, 418
traffic shaping, 418
GUI. See web-based manager
H
H323
service, 403
HA, 205, 210
changing cluster unit host names, 210
cluster member, 210
cluster members list, 209
configuring, 205
device priority, 207
disconnecting a cluster unit, 212
enable session pickup, 208
group name, 208
hash map, 208
heartbeat interface, 208
host name, 210
interface monitoring, 208
mode, 207
password, 208
port monitor, 208
router monitor, 360
routes, 360
session pickup, 208
subordinate unit device priority, 212
subordinate unit host name, 212
VDOM partitioning, 206, 208
viewing HA statistics, 211
HA statistics
active sessions, 212
back to HA monitor, 211
CPU usage, 211
intrusion detected, 212
memory usage, 212
monitor, 211
network utilization, 212
refresh every, 211
status, 211
total bytes, 212
total packets, 212
unit, 211
up time, 211
virus detected, 212
HA virtual clustering, 206
health check monitor
configuring, 451
heartbeat, HA
interface, 208
HELO DNS lookup
protection profile, 487
help
navigating using keyboard shortcuts, 55
searching the online help, 54
using FortiGate online help, 52
heuristics
antivirus, 520
quarantine, 521
high availability (HA), 205
high availability. See HA, 205
host name
changing, 87
changing for a cluster, 210
viewing, 87
hostname
cluster members list, 210
HTTP, 451
service, 403
virus scanning large files, 521
HTTPS, 47, 239
service, 403
HTTPS content filtering mode, 477
hub-and-spoke
IPSec VPN (see also concentrator), 604
I
ICMP custom service, 407
code, 407
protocol type, 407
type, 407
ICMP echo request, 451
ICMP_ANY
service, 403
ID
firewall policy, 367
idle timeout
changing for the web-based manager, 50
IEEE 802.11a, channels, 188
IEEE 802.11b, channels, 189
IEEE 802.11g, channels, 189
IEEE 802.3ad, 159
IKE
service, 403
IMAP
service, 403
inbound NAT
IPSec firewall policy, 376
index number, 28
INFO_ADDRESS
service, 403
INFO_REQUEST
service, 403
insert policy before
firewall policy, 367, 676
inspection
SSL, 469
installation, 24
interface
adding system settings, 151
administrative access, 157, 165, 168
administrative status, 149
configuring administrative access, 165
GRE, 338
loopback, 149, 316
modem, configuring, 170
MTU, 157
proxy ARP, 426, 446
wireless, 187
WLAN, 187
Interface Mode, 151
interface monitoring, 208
HA, 208
internet browsing
IPSec VPN configuration, 616
Internet-Locator-Service
service, 403
inter-VDOM links, 136
introduction
Fortinet documentation, 30
intrusion detected
HA statistics, 212
intrusion protection
custom signature list, 527
DoS sensor list, 538
DoS sensor, protection profile, 480
fail-open, CLI command for IPS, 540
filter, 532
IPS sensor list, 529
IPS sensor, protection profile, 480
predefined signature list, 525
protection profile options, 480
protocol decoder, 528
protocol decoder list, 528
signatures, 524
socket-size, CLI command for IPS, 540
Intrusion Protection definitions, 91
IP
virtual IP, 425
IP address
action, antispam, 567
antispam black/white list catalog, 565
BWL check, protection profile, 487
defining PPTP range, 621, 623
email filter, 565
IPSec VPN, phase 1, 606
list, email filter, 566
PPTP user group, 621, 623
IP address, configuring secondary, 167
IP custom service, 408
protocol number, 408
protocol type, 408
IP pool
adding, 440
configuring, 440
creating new, 440
DHCP, 371
end IP, 440
fixed port, 438
IP range/subnet, 440, 441
list, 439
name, 440, 441
options, 440
PPPoE, 371
proxy ARP, 426, 446
SIP, 497
start IP, 440
transparent mode, 442
IP range/subnet
firewall address, 398
IP pool, 440, 441
IPS
See intrusion protection
IPS sensor
filter, 532
options, protection profile, 480
IPS sensors
creating, 529
IPSec, 338
IPSec firewall policy
allow inbound, 376
allow outbound, 376
inbound NAT, 376
outbound NAT, 376
IPSec Interface Mode
IPSec VPN, manual key, 616
IPSec VPN, phase 1, 609
IPSec VPN
adding manual key, 614
authentication for user group, 658
Auto Key list, 605
concentrator list, 617
configuring phase 1, 606
configuring phase 1 advanced options, 608
configuring phase 2, 611
configuring phase 2 advanced options, 611
configuring policy-, route-based Internet browsing, 616
Manual Key list, 614
monitor list, 618
remote gateway, 658
route-based vs policy-based, 604
IPv6, 264, 316
IPv6 support
settings, 263
IRC
service, 403
K
Keepalive Frequency
IPSec VPN, phase 1, 610
key
license, 311
wireless setting, 193
keyboard shortcut
online help, 55
Keylife
IPSec VPN, phase 1, 610
IPSec VPN, phase 2, 612
L
L2TP, 659
service, 403
language
changing the web-based manager language, 49
email filter banned word, 564
spam filter banned word, 564
web content block, 546
web-based manager, 49, 263
LDAP
configuring server, 649, 650
service, 403
user authentication, 644
LDAP Distinguished Name query, 652
LDAP server
authentication, 246
configuring authentication, 249
license key, 311
licenses
viewing, 70
limit
VDOM resources, 139
lists
using web-based manager, 57
load balancer, 445
local certificates
options, 281
viewing, 280
Local Gateway IP
IPSec VPN, phase 1, 609
Local ID
IPSec VPN, phase 1, 610
Local Interface
IPSec VPN, manual key, 615
IPSec VPN, phase 1, 607
local ratings
configuring, 556
local ratings list
viewing, 555
Local SPI
IPSec VPN, manual key, 615
local user, 644
local user account
configuring, 644
log
attack anomaly, 714
attack signature, 714
column settings, 718
raw or formatted, 715
to FortiAnalyzer, 704
traffic, firewall policy, 372, 375, 379
log traffic
firewall policy, 372, 375
log types, 728
antivirus, 713
attack, 714
email filter, 713
event, 711
traffic, 728
web filter, 713
logging, 716
accessing logs in memory, 715
accessing logs on FortiAnalyzer unit, 716
accessing logs on FortiGuard Analysis server, 717
alert email, configuring, 709
applying through protection profile, 489
basic traffic reports, 725
blocked files, 490
configuring FortiAnalyzer report schedules, 721
configuring graphical system memory report, 727
content block, 490
customizing display of log messages, 717
DLP archive, 719
FortiGuard Analysis server, 706
intrusions, 491
invalid domain name warnings, 490
log severity levels, 727
log types, 728
oversized files/emails, 490
printing FortiAnalyzer reports, 725
rating errors, 490
searching, filtering logs, 719
SIP, 501
spam, 490
storing logs, 704
testing FortiAnalyzer configuration, 705
to a FortiAnalyzer unit, 704
to memory, 708
to syslog server, 707
URL block, 490
viewing DLP archives, 586, 719
viewing raw or formatted logs, 715
viruses, 490
logging out
web-based manager, 55
loopback interface, 149, 316
lost password
recovering, 49, 245, 246
low disk space
quarantine, 519
M
MAC address
filtering, 193
MAC filter
wireless, 193
MAC filter list
configuring, 194
viewing, 194
major version, 88
Management Information Base (MIB), 213
management VDOM, 135, 139
Manual Key
IPSec VPN, 614
map to IP
virtual IP, 425
map to port
virtual IP, 425, 427
matched content, 453
matching
firewall policy, 363
N
Name
IP pool, 440, 441
IPSec VPN, manual key, 615
IPSec VPN, phase 1, 606
IPSec VPN, phase 2, 611
NAPT, 385
NAT
in transparent mode, 442
inbound, IPSec firewall policy, 376
multicast, 350
NAPT, 385
outbound, IPSec firewall policy, 376
port selection, 385
preserving SIP NAT IP, 505
push update, 309
SIP, 495
SIP contact headers, 506
symmetric, 424
NAT virtual IP
adding for single IP address, 428
adding static NAT virtual IP for IP address range, 429
Nat-traversal
IPSec VPN, phase 1, 610
netmask
administrator account, 246
NetMeeting
service, 403
network
topology viewer, 107
Network Address Port Translation, 385
network address translation (NAT), 422
Network Attached Storage (NAS), 248
Network Time Protocol, 87
network utilization
HA statistics, 212
NFS
service, 403
NNTP
service, 403
not registered
subscription, 303
notification, 709
Not-so-stubby Area (NSSA), 343
not-so-stubby area (NSSA), 360
Novell eDirectory, 654
NTP, 87
service, 403
sync interval, 87
synchronizing with an NTP server, 87
O
object identifier (OID), 221
OCSP certificates
importing, 285
OFTP connection, 74
ONC-RPC
service, 404
one-time schedule
adding, 413
configuring, 413
creating new, 412
list, 412
start, 413
stop, 413
online help
content pane, 53
keyboard shortcuts, 55
navigation pane, 53
search, 54
using FortiGate online help, 52
operation mode, 24, 238
wireless setting, 191
operational history
viewing, 90
optimize
antivirus, 520
OSPF
area ID, 344
AS, 341
authentication, 344, 345
Dead Interval, 346
dead packets, 346
GRE, 345
Hello Interval, 346
Hello protocol, 338
interface definition, 344
IPSec, 345
link-state, 338
LSA, 345
multiple interface parameter sets, 345
neighbor, 338
network, 341
network address space, 345
NSSA, 343, 360
path cost, 339
regular area, 343
service, 404
settings, 340
stub, 343
virtual lan, 344
virtual link, 343
VLAN, 345
OSPF AS, 338
defining, 339
outbound NAT
IPSec firewall policy, 376
override server
adding, 308
oversize threshold, 478
oversized file/email
protection profile, 478
P
P1 Proposal
IPSec phase 1, 609
P2 Proposal
IPSec VPN, phase 2, 612
packets
VDOM, 126
page controls
web-based manager, 60
PAP, 648
pass fragmented email
protection profile, 478
password
administrator, 24
configuring authentication password, 246
HA, 208
recovering lost password, 49, 245, 246
PAT
virtual IPs, 422
patch number, 88
pattern, 28
default list of file block patterns, 513
email filter banned word, 564
spam filter banned word, 564
pattern type
email filter email address, 569
spam filter banned word, 564
web content block, 546
PC-Anywhere
service, 404
peer group
configuring, 657
Peer option
IPSec VPN, phase 1, 607
peer user
configuring, 657
Perl regular expressions
email filter, 571
persistence, 449
Phase, 611
phase 1
IPSec VPN, 606, 611
phase 1 advanced options
IPSec VPN, 608
phase 2
IPSec VPN, 611
phase 2 advanced options
IPSec VPN, 611
PIM
BSR, 348
dense mode, 348
DR, 348
RFC 2362, 348
RFC 3973, 348
RP, 348
sparse mode, 348
PING, 451
service, 404
PING6
firewall service, 404
pinholing
RTP, 504
SIP, 504
PKI, 656
authentication, 252
policy
accept action, 683, 684
action, 367
adding, 367
allow inbound, 376
allow outbound, 376
authentication, 372, 379
changing the position in the policy list, 364, 677
comments, 372, 379
configuring, 367
creating new, 366, 418, 419
deleting, 364, 677
destination, 367
DoS, 379
example, 389
guaranteed bandwidth, 418
ID, 367
inbound NAT, 376
insert policy before, 367, 676
list, 366
log traffic, 372, 375, 379
matching, 363
maximum bandwidth, 418, 676, 681
move, 364, 677
multicast, 365
outbound NAT, 376
protection profile, 371
schedule, 367, 370
service, 367, 371
sniffer, 382
source, 367
SSL VPN options, 376
traffic priority, 676, 681
traffic shaping, 371, 375, 379
policy route
moving in list, 332
policy-based routing, 328
POP3
service, 404
port
NAT, 385
port 53, 305
port 8888, 305
port 9443, 309
port address translation
virtual IPs, 422
port forwarding, 422
port monitor
HA, 208
port monitoring, 208
PPPoE
and IP Pools, 371
PPPoE (Point-to-Point Protocol over Ethernet)
RFC 2516, 162
PPTP, 621, 659
service, 404
PPTP IP address
user group, 621, 623
PPTP range
defining addresses, 621, 623
PPTP tunnel setup
CLI command, 623
customized GUI, 621
Q
QUAKE
service, 404
quarantine
age limit, 519
antivirus, 516
autosubmit list, 517
autosubmit list file pattern, 517
configuring, 518
configuring the autosubmit list, 517
enable AutoSubmit, 519
enabling uploading autosubmit file patterns, 517
heuristics, 521
low disk space, 519
max filesize to quarantine, 519
options, 519
protection profile, 478
R
RADIUS
configuring server, 648
servers, 647
user authentication, 644
viewing server list, 647
WPA Radius, 193
RADIUS authentication
VDOM, 139
RADIUS server
authentication, 246, 247
wireless setting, 193
range
web category reports, 558
rate images by URL
protection profile, 484
rate limiting
SCCP, 501
SIMPLE, 501
SIP, 499, 500, 501
rate URLs by domain and IP address
protection profile, 485
RAUDIO
service, 404
read & write access level
administrator account, 86, 88, 243
read only access level
administrator account, 86, 243, 246
real servers
configuring, 450
monitoring, 453
recurring schedule
adding, 412
configuring, 412
creating new, 411
list, 411
select, 412
start, 412
stop, 412
redirect
SIP, 493
redundant interface
adding system settings, 160
redundant mode
configuring, 173
refresh every
HA statistics, 211
registering
Fortinet product, 52
regular administrator, 241
regular expression, 28
relay
DHCP, 199, 201
reliable
delivery of syslog messages, 707
remote administration, 165, 239
remote certificates
options, 284
viewing, 284
Remote Gateway
IPSec manual key setting, 615
IPSec VPN, manual key, 614
IPSec VPN, phase 1, 606
remote peer
manual key configuration, 614
Remote SPI
IPSec VPN, manual key, 615
remote user authentication, 647
Rendezvous Point (RP), 348
replacement messages, 225
report
basic traffic, 725
configuring report schedules, 721
FortiAnalyzer, printing, 725
FortiGuard, 557
type, category block, 558
viewing FortiAnalyzer reports, 724
web category block, 557
resource limits
dynamic resources, 139, 140
static resources, 139, 140
VDOM, 139
resource usage
VDOM, 141
restoring 3.0 configuration, 123
using the CLI, 123
using web-based manager, 123
return email DNS check
protection profile, 487
Reverse Path Forwarding (RPF), 350
revision control, 261
REXEC
firewall service, 404
RFC, 348
RFC 1058, 334
RFC 1213, 213, 217
RFC 1215, 219
RFC 1321, 344
RFC 1349, 331
RFC 1771, 346
RFC 2132, 203
RFC 2362, 348
RFC 2385, 346
RFC 2453, 334
S
safe search, 482
SAMBA
service, 404
scan
default protection profile, 468
SCCP
DoS sensor, 501
firewall service, 405
protection profile, 501
rate limiting, 501
schedule
antivirus and attack definition updates, 307
firewall policy, 367, 370
one-time schedule list, 412
organizing schedules into groups, 413
recurring schedule list, 411
schedule group
adding, 413
scheduled updates
through a proxy server, 308
screen resolution
minimum recommended, 47
search
online help, 54
online help wildcard, 54
safe searching, 482
searching
routing table, 361
Secure Copy (SCP), 263
security
MAC address filtering, 193
security certificates. See system certificates
security mode
wireless setting, 193
select
recurring schedule, 412
sensor
DoS, 537
IPS, 529
separate server certificates
importing, 284
server
DHCP, 199
server certificate, 627
server certificates
importing, 283, 284
server health, 453
server load balance port forwarding virtual IP
adding, 459
server load balance virtual IP
adding, 454
service
AH, 402
ANY, 402
AOL, 402
BGP, 402
custom service list, 406
CVSPSERVER, 402
DCE-RPC, 402
DHCP, 200, 402
DHCP6, 402
DNS, 402
ESP, 402
FINGER, 402
firewall policy, 367, 371
FTP, 402
FTP_GET, 402
FTP_PUT, 402
GOPHER, 402
GRE, 402
group, 408
H323, 403
HTTPS, 403
ICMP_ANY, 403
IKE, 403
IMAP, 403
INFO_ADDRESS, 403
INFO_REQUEST, 403
Internet-Locator-Service, 403
IRC, 403
L2TP, 403
LDAP, 403
MGCP, 403
MS-SQL, 403
MYSQL, 403
NetMeeting, 403
NFS, 403
NNTP, 403
NTP, 403
ONC-RPC, 404
organizing services into groups, 409
OSPF, 404
PC-Anywhere, 404
PING, 404
PING6, 404
POP3, 404
PPTP, 404
predefined, 401
QUAKE, 404
quarantine files list, 721
RAUDIO, 404
REXEC, 404
RIP, 404
RLOGIN, 404
RSH, 404
RTSP, 404
SAMBA, 404
SCCP, 405
service name, 402
SIP, 405
SIP-MSNmessenger, 405
SMTP, 405
SNMP, 405
SOCKS, 405
SQUID, 405
SSH, 405
SYSLOG, 405
TALK, 405
TCP, 405
TELNET, 405
TFTP, 405
TIMESTAMP, 405
UDP, 405
UUCP, 405
VDOLIVE, 405
VNC, 405
WAIS, 405
WINFRAME, 406
WINS, 406
X-WINDOWS, 406
service group, 408
adding, 408, 409
create new, 408
list, 408
service port
virtual IP, 425
service set identifier (SSID), 146
SNMP
configuring community, 215
contact information, 214
event, 217
manager, 213, 215
MIB, 221
MIBs, 217
queries, 216
RFC 1213, 217
RFC 1215, 219
RFC 2665, 217
service, 405
traps, 217, 218
v3, 213
SNMP Agent, 214
SNMP communities, 214
socket-size, CLI command for IPS, 540
SOCKS
service, 405
sorting
quarantine files list, 720
URL filter list, 551
source
firewall policy, 367, 370, 378
source IP address
system status, 83
source IP port
system status, 83
source NAT
SIP, 495
source port, 407
spam action
protection profile, 487
spam email
archiving, 585
spam filter
adding an email address or domain to the email address list, 570
banned word list, 563
see email filter, 485
spam filter, see email filter, 559
split DNS, 177, 180
splice, 478, 487
split-DNS, 177, 180
SQUID
service, 405
SSH, 239
service, 405
SSID
wireless setting, 192
SSID broadcast
wireless setting, 192
SSL
content inspection, 469
content scanning, 469
inspection, 469
service definition, 403, 404
SSL VPN
checking client certificates, 627
configuring settings, 626
default web portal, 628
firewall policy, 376
setting the cipher suite, 627
specifying server certificate, 627
specifying timeout values, 627
web-only mode, 625
SSL VPN Client Certificate, 376
SSL VPN login message, 236
SSL VPN web portal, 627
default, 628
standalone mode
modem, 171, 174
start
IP pool, 440
one-time schedule, 413
recurring schedule, 412
static default route, 318
static IP
monitor, 618
static NAT port forwarding
adding for IP address and port range, 432
adding for single address and port, 431
static resources
VDOM resource limits, 139, 140
static route
adding, 320
adding policy, 329
administrative distance, 314
concepts, 313
creating, 316
default gateway, 318
default route, 318
editing, 316
moving in list, 332
overview, 313
policy, 328
policy list, 329
selecting, 314
table building, 314
table priority, 315
table sequence, 315
viewing, 316
statistics
viewing, 91
viewing HA statistics, 211
status
HA statistics, 211
interface, 149
quarantine files list, 721
vpn pptp, 624
status description
quarantine files list, 721
stop
one-time schedule, 413
recurring schedule, 412
streaming mode, 478, 487
strict
default protection profile, 468
strict blocking (HTTP only)
protection profile, 485
string, 28
stub
OSPF area, 343
subnet
adding object, 110
firewall address, 398
subscription
expired, 303
not registered, 303
valid license, 303
super administrator, 241
switch mode, 150
sync interval
NTP, 87
synchronize
with NTP Server, 87
SYSLOG
service, 405
syslog
reliable, 707
system administrators, 241
system certificate
FortiGate unit self-signed security certificate, 48
system certificates
CA, 286
CRL, 287
importing, 283
OCSP, 285
requesting, 281, 282
viewing, 280
system configuration, 205
system DHCP see also DHCP, 199
system global av_failopen
antivirus, 520
system global optimize
antivirus, 520
system idle timeout, 239
system information
viewing, 69
system maintenance
advanced, 296
backup and restore, 290
creating scripts, 299
enabling push updates, 308
firmware, 294
firmware upgrade, 295
managing configuration, 289
push update through a NAT device, 309
remote FortiManager options, 292
remote management options, 293
revision control, 297
scripts, 298
updating antivirus and attack definitions, 307
uploading scripts, 299
USB disks, 296
VDOM, 290
system resources
viewing, 75
system status
viewing, 68
system status widgets
customizing, 68
system time
configuring, 86
system wireless. See wireless
T
TACACS+
configuring server, 652, 653
user authentication, 644
TACACS+ server
authentication, 246, 251
tag format
protection profile, 488
tag location
protection profile, 488
TALK
service, 405
TCP, 451
service, 405
TCP custom service, 407
adding, 406
destination port, 407
protocol type, 407
source port, 407
technical support, 29, 132
TELNET
service, 405
TFTP
service, 405
threshold
oversize, 478
time
configuring, 86
timeout
settings, 263
timeout values
specifying for SSL VPN, 627
TIMESTAMP
service, 405
top attacks
viewing, 83
top sessions
viewing, 80
top viruses
viewing, 83
topology viewer, 107
total bytes
HA statistics, 212
total packets
HA statistics, 212
tracking
SIP, 503
traffic history
viewing, 84
Traffic Priority, 676, 681
traffic priority
firewall policy, 676, 681
traffic shaping, 676, 681
traffic reports
viewing, 725
traffic shaping
configuring, 417
firewall policy, 371, 375, 379
guaranteed bandwidth, 418
guaranteed bandwidth and maximum bandwidth, 415
maximum bandwidth, 418, 676, 681
priority, 416
traffic priority, 676, 681
transparent mode
IP pools, 442
NAT, 442
VDOMs, 126
VIP, 442
virtual IP, 442
WAN optimization, 679
traps
SNMP, 218
troubleshooting
FDN connectivity, 306
trusted host
administrators options, 246
security issues, 254
TTL
quarantine files list, 721
tunnel mode
SSL VPN, SSL VPN
tunnel mode, 625
Tunnel Name
IPSec VPN, manual key, 614
Tx Power
wireless setting, 191
type, 407
virtual IP, 426
U
UDP custom service, 407
adding, 406
destination port, 407
protocol type, 407
source port, 407
UDP service, 405
unfiltered
default protection profile, 468
unit
HA statistics, 211
unit operation
viewing, 73
up time
HA statistics, 211
update
push, 308
upgrading
3.0 using web-based manager, 117
4.0 using the CLI, 118
backing up using the CLI, 3.0, 114
firmware, 88
FortiGate unit to 3.0, 117
using the web-based manager, 117
using web-based manager, 3.0, 114
upload status
quarantine files list, 721
URL block
adding a URL to the web filter block list, 550
configuring overrides, 553
local categories, 555
web filter, 547
URL filter
adding new list, 548
catalog, 548
sorting in list, 551
viewing list, 549
URL formats, 550
USB disk, 290
auto-install, 296
backup and restore configuration, 289
formatting, 296
system maintenance, 296
user authentication
overview, 643
PKI, 656
remote, 647
user group
configuring, 661
PPTP source IP address, 621, 623
user groups
configuring, 658
Directory Service, 660
firewall, 659
SSL VPN, 660
viewing, 661
usrgrp
vpn pptp, 624
UTF-8
character set, 483
UUCP
service, 405
V
valid license, 303
value parse error, 28
VDOLIVE
service, 405
VDOM
adding interface, 135
assigning administrator, 138
assigning interface, 137
configuration settings, 127
dynamic resource limits, 139, 140
enabling multiple VDOMs, 130
FortiAnalyzer, 126
inter-VDOM links, 136
license key, 311
limited resources, 132
management VDOM, 135
maximum number, 132
NAT/Route, 126
packets, 126
RADIUS authentication, 139
resource limits, 139
resource usage, 141
static resource limits, 139, 140
system maintenance, 290
transparent mode, 126
VDOM partitioning
HA, 208
verifying
downgrade to 2.80 MR11, 121
upgrade to 4.0, 119
viewing
address group list, 398
admin profiles list, 257
administrators, 264
administrators list, 243
Alert Message Console, 76
antispam email address list catalog, 568
antispam IP address list, 566
antispam IP address list catalog, 565
antivirus file filter list, 515
antivirus file pattern list catalog, 514
antivirus list, 519
antivirus quarantined files list, 720
autosubmit list, 517
banned word list, 563
banned word list catalog, 562
BGP settings, 346
CA certificates, 286
certificates, 280
cluster members list, 209
CRL (Certificate Revocation List), 287
custom service list, firewall service, 406
custom signatures, 527
DHCP address leases, 203
DLP archive, 91
DLP archives, 586, 719
DoS sensor list, 538
firewall policy list, 366
firewall service group list, 408
firewall service list, 401
firmware, 294
FortiAnalyzer reports, 724
FortiGuard support contract, 302
HA statistics, 211
hostname, 87
IP pool list, 440
IPS sensor list, 529
IPS sensor options, 480
IPSec VPN auto key list, 605
IPSec VPN concentrator list, 617
IPSec VPN manual key list, 614
IPSec VPN monitor list, 618
LDAP server list, 649
licenses, 70
local ratings list, 555
modem status, 176
multicast settings, 348
one-time schedule list, 412
operational history, 90
protection profile list, 469
protocol decoder list, 528
RADIUS server list, 647
recurring schedule list, 411
remote certificates, 284
revision control, 297
RIP settings, 334
routing information, 359
session list, 82
static route, 316
statistics, 91
system information, 69
system resources, 75
system status, 68
system topology, 107
TACACS+ server, 652
top attacks, 83
top sessions, 80
top viruses, 83
traffic history, 84
traffic reports, 725
unit operation, 73
URL filter list, 549
URL filter list catalog, 548
URL override list, 552
user group list, 661
VIP group list, 436
virtual IP group list, 436
virtual IP list, 425
virtual IP pool list, 440
web content block list, 545
web content filter list, 545
web content filter list catalog, 545
wireless monitor, 195
viewport, 108
VIP
transparent mode, 442
VIP group
configuring, 436
Virtual IP
transparent mode, 442
virtual IP, 426, 446
configuring, 426
create new, 425, 436
destination network address translation (DNAT), 423, 424
external interface, 426
external IP address, 427
external service port, 427
IP, 425
list, 425
map to IP, 425
map to port, 425, 427
NAT, 422
PAT, 422
port address translation, 422
protocol, 427
server down, 453
service port, 425
SNAT, 423
source network address translation, 423
type, 426
virtual IP group
configuring, 436
virtual IP group list
viewing, 436
virtual IP, port translation only
adding, 435
virtual IPSec
configuring interface, 164
virtual servers
configuring, 446
virus detected
HA statistics, 212
W
WAIS
service, 405
WAN optimization
explicit mode, 679
monitoring, 682
transparent mode, 679
WAN optimization peer
configuring, 680
WAN optimization rule
configuring, 675
web
default protection profile, 468
web category block
changing the host name, 557
CLI configuration, 557
configuration options, 552
report allowed, 558
report blocked, 558
report category, 558
report profiles, 558
report range, 558
report type, 558
reports, 557
web content block
language, 546
pattern type, 546
protection profile, 481
web content filter
web filter, 546
web content filter list
web filter, 545
wired equivalent privacy, 193
wireless
band, 191
beacon interval, 191
channel, 191
configuration, 187
data encryption, 193
fragmentation threshold, 193
geography, 191
interface, 187
key, 193
MAC filter, 193
operation mode, 191
pre-shared key, 193
RADIUS server, 193
RTS threshold, 193
security, 192
security mode, 193
settings FortiWiFi-50B, 190
settings FortiWiFi-60A, 190
settings FortiWiFi-60AM, 190
settings FortiWiFi-60B, 190
SSID, 192
SSID broadcast, 192
Tx power, 191
viewing monitor, 195
WLAN
interface, 187
WLAN interface
adding to a FortiWiFi-50B, 191
adding to a FortiWiFi-60A, 191
adding to a FortiWiFi-60AM, 191
adding to a FortiWiFi-60B, 191
WPA, 187, 192, 193
WPA Radius
wireless security, 193
WPA2, 187, 193
WPA2 Auto, 187, 193
WPA2 Radius
wireless security, 193
X
X.509 security certificates. See system certificates
XAuth
IPSec VPN, phase 1, 610
X-Forwarded-For (XFF), 183
X-WINDOWS
service, 406
Z
zones
configuring, 170
www.fortinet.com