Professional Documents
Culture Documents
FortiGate Administration Guide 01 30007 0203 20090112
FortiGate Administration Guide 01 30007 0203 20090112
FortiGate
Version 3.0 MR7
Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates,
technical support, and FortiGuard services.
www.fortinet.com
Contents
Contents
Whats new in 3.0 MR7..................................................................... 19
3.0 MR7 new features and changes ............................................................... 21
FSAE...........................................................................................................
AMC support ...............................................................................................
Dashboard...................................................................................................
FortiGuard Analysis and Management Service...........................................
Virtual domains ...........................................................................................
VDOM and Global icons in documentation .................................................
Modem support ...........................................................................................
SNMP..........................................................................................................
Router .........................................................................................................
Authentication .............................................................................................
SSL VPN client tunnel mode for Mac OS and Linux ...................................
Standalone SSL VPN client ........................................................................
SSL VPN Virtual Desktop application .........................................................
SSL VPN URL obscuration .........................................................................
Intrusion Protection .....................................................................................
Log messages.............................................................................................
Content archiving ........................................................................................
Alert email ...................................................................................................
Email archiving ............................................................................................
HA primary unit acts as a router for subordinate unit management traffic ..
HA heartbeat IP addresses .........................................................................
Interface display order.................................................................................
21
21
22
22
22
23
23
23
23
24
24
24
24
24
24
25
25
25
26
26
27
28
Introduction ...................................................................................... 29
Introducing the FortiGate units ...................................................................... 29
FortiGate-5000 series chassis ....................................................................
About the FortiGate-5000 series boards .....................................................
FortiGate-AMC modules .............................................................................
FortiGate-3810A..........................................................................................
FortiGate-3600A..........................................................................................
FortiGate-3016B..........................................................................................
FortiGate-3600 ............................................................................................
FortiGate-3000 ............................................................................................
FortiGate-1000A/AFA2................................................................................
FortiGate-1000 ............................................................................................
FortiGate-800/800F.....................................................................................
FortiGate-500A............................................................................................
FortiGate-500 ..............................................................................................
FortiGate-400A............................................................................................
FortiGate-400 ..............................................................................................
FortiGate-310B............................................................................................
FortiGate-300A............................................................................................
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
30
31
32
32
32
33
33
33
34
34
34
35
35
35
35
36
36
Contents
FortiGate-300 ..............................................................................................
FortiGate-224B ...........................................................................................
FortiGate-200A ...........................................................................................
FortiGate-200 ..............................................................................................
FortiGate-100A ...........................................................................................
FortiGate-100 ..............................................................................................
FortiGate-60B .............................................................................................
FortiWiFi-60B ..............................................................................................
FortiGate-60/60M/ADSL .............................................................................
FortiWiFi-60/60A/60AM...............................................................................
FortiWiFi-50B ..............................................................................................
FortiGate-50B .............................................................................................
FortiGate-50A .............................................................................................
36
36
37
37
37
37
38
38
38
39
39
39
39
40
40
40
41
41
41
Web-based manager........................................................................ 47
Common web-based manager tasks ............................................................. 48
Connecting to the web-based manager ......................................................
Changing your FortiGate administrator password ......................................
Changing the web-based manager language .............................................
Changing administrative access to your FortiGate unit ..............................
Changing the web-based manager idle timeout .........................................
Connecting to the FortiGate CLI from the web-based manager .................
48
49
50
50
51
51
Contents
57
57
58
61
62
64
101
102
103
103
104
105
106
Contents
111
112
115
116
117
118
120
122
122
123
125
130
132
133
134
134
134
Contents
167
171
173
174
175
176
177
179
180
182
188
189
191
192
192
192
Contents
197
197
198
199
201
203
204
205
221
222
223
223
224
231
235
236
236
237
Contents
256
256
256
257
258
268
268
270
272
273
274
274
277
278
279
279
Contents
283
284
285
285
302
303
304
306
307
308
10
Contents
341
343
344
346
348
350
352
353
11
Contents
367
369
370
373
375
375
378
379
380
388
389
389
389
396
399
401
401
12
Contents
416
417
418
419
436
437
437
438
438
441
442
13
Contents
451
452
453
453
454
Quarantine...................................................................................................... 454
Viewing the Quarantined Files list.............................................................
Viewing the AutoSubmit list ......................................................................
Configuring the AutoSubmit list.................................................................
Configuring quarantine options .................................................................
455
456
457
457
461
461
461
462
469
470
470
472
473
14
Contents
482
483
483
484
485
485
486
487
487
488
488
489
490
491
492
492
493
495
495
496
497
497
Antispam......................................................................................... 499
Antispam ........................................................................................................ 499
Order of spam filtering............................................................................... 499
Anti-spam filter controls............................................................................. 500
Banned word .................................................................................................. 502
Viewing the banned word list catalog ........................................................
Creating a new banned word list ...............................................................
Viewing the antispam banned word list .....................................................
Adding words to the banned word list .......................................................
502
503
503
504
15
Contents
505
506
506
507
508
508
509
510
511
512
512
512
513
517
518
518
518
Statistics......................................................................................................... 518
Viewing overview statistics ....................................................................... 518
Viewing statistics by protocol .................................................................... 520
User................................................................................................................. 521
Viewing the Current Users list...................................................................
Viewing the User List ................................................................................
Adding a new user to the User List ...........................................................
Configuring a policy for unknown IM users ...............................................
521
522
522
523
16
Contents
529
530
531
532
533
533
534
535
536
537
537
538
538
538
539
540
540
541
542
549
551
553
554
17
Contents
561
562
563
563
568
569
570
572
Index................................................................................................ 577
18
DHCP maximum values increase All FortiGate units now have a maximum
of 200 addresses reserved for DHCP. See the FortiGate Maximum Values
Matrix.
Network interface status display A new column, Link Status, has been
added to the Network Interface list, and Status has been renamed
Administration Status. See Interfaces on page 107.
Network interface DNS settings Some of the DNS settings available for
network interfaces in DHCP or PPPoE mode have been changed to reduce the
number of DNS requests the FortiGate unit sends out. Override Internal DNS
is enabled by default to promote the use of learned DNS servers. See
Configuring DHCP on an interface on page 118 and Configuring an interface
for PPPoE or PPPoA on page 120.
DNS cache poisoning protection The FortiGate DNS server has been
updated to protect against DNS cache poisoning. For information about DNS
cache poisoning, see the FortiGuard Center item
BailiWicked.Red.Metasploit.DNS.Spoofing and the US CERT article Multiple
DNS implementations vulnerable to cache poisoning.
19
20
Modem You can connect a USB modem to any FortiGate unit USB port. You
can also disable PPP echo requests for modem interfaces. See Modem
support on page 23.
IPv6 IPv6 Phase II has been implemented. This includes more IPv6
functions on the web-based manager and more IPv6 commands in the CLI.
See FortiGate IPv6 support on page 217.
Firewall addresses FortiOS 3.0 MR7 now supports firewall addresses with
wildcard netmasks. See Firewall Address on page 315.
SIP servers While most SIP servers use 5060 as the source port in the
register response, some do not follow this rule. You can now configure the
FortiGate unit, through the CLI, to accept a SIP register response with any
source port number, by enabling the config firewall profile config
sip reg-diff-port keyword.
IPSec interfaces You can now use an IPSec interface as the source
interface for an IPSec firewall policy, making it possible to allow traffic between
an interface-based VPN and a policy-based VPN. See Configuring firewall
policies on page 297 and IPSec firewall policy options on page 306
SSL VPN See SSL VPN client tunnel mode for Mac OS and Linux on
page 24, Standalone SSL VPN client on page 24, SSL VPN Virtual Desktop
application on page 24, and SSL VPN URL obscuration on page 24
IPS filters IPS filters now display more information about IPS signatures.
See Intrusion Protection on page 24.
Log messages There are several new log messages as well as changes to
existing ones. See Log messages on page 25.
Content archiving You can now enable content archiving of HTTP, FTP,
SMTP, POP3, HTTPS, and IMAP content without having to enable other
features as well. See Content archiving on page 25.
Alert email You can now define an alternate port for outgoing alert email.
Alert email categories that display in the Log Config menu may not all display
when in VDOMs or Transparent mode. See Alert email on page 25.
FSAE
Using the Fortinet Server Authentication Extension (FSAE), FortiGate units
provide transparent user authentication on Windows networks with an Active
Directory server. In FortiOS 3.0 MR7, FSAE is now also available for Novell
networks eDirectory. Note the following changes in the web-based manager
menu:
In User > User Group, the Windows AD user group type is now
Directory Service.
Configuration on the FortiGate unit is the same for Windows AD and Novell
eDirectory.
Using FSAE, FortiGate units can now keep better track of frequently changing
user IP addresses on Windows AD networks.
For information about installing and configuring FSAE on Windows AD and Novell
eDirectory, see the FSAE Administration Guide.
AMC support
AMC module interfaces are now named with upper case letters. For example, a
single width AMC card in slot 2 with four network interfaces would have interfaces
named AMC-SW2/1, AMC-SW2/2, AMC-SW2/3, and AMC-SW2/4.
You can use the new CLI command config system amc to make it easier to
manage your AMC module configuration. You use this command to specify the
type of module inserted into your FortiGate AMC slots. If you have to temporarily
remove the module from the slot, the FortiGate unit keeps the configuration
settings for the module. And when you re-install the module, the FortiGate unit will
recognize it and resume operating with the configuration settings that were in
place before the module was removed.
For example, if you have a FortiGate-ASM-FB4 module installed in AMC slot
SW1, you can enter the following command:
config system amc
set sw1 asm-fb4
end
You can then add configuration settings for the AMC-SW2/1, AMC-SW2/2, AMCSW2/3, and AMC-SW2/4 interfaces.
If you shut down your FortiGate unit, remove the FortiGate-ASM-FB4 module, and
re-start the FortiGate unit, the AMC-SW2/1, AMC-SW2/2, AMC-SW2/3, and
AMC-SW2/4 interfaces still appear in web-based manager interface lists, but with
link status down. All configuration settings for these interfaces are also still
available. If you had not entered the above command, the interfaces would have
disappeared from the interface list and the configuration settings would have been
lost.
21
Similarly, if you shut down your FortiGate unit again, reinstall the FortiGate-ASMFB4 module (or install a new FortiGate-ASM-FB4 module), and restart the
FortiGate unit the AMC-SW2/1, AMC-SW2/2, AMC-SW2/3, and AMC-SW2/4
interfaces appear in web-based manager interface lists with link status up.
Other options for the config system amc command are described in the
FortiGate CLI Reference.
Dashboard
If you have installed an AMC hard drive, an icon for the drive that displays the
model name appears on the Unit Operation dashboard widget and a disk usage
graph appears on the System Resources widget.
From the System Information widget you can now update firmware from multiple
sources including:
For more information see Upgrading to a new firmware version on page 82.
The session list available from the Statistics widget now displays the total number
of sessions being processed by the FortiGate unit.
The Top Attacks widget now displays the names of detected attacks, not just the
attack signature number.
Virtual domains
FortiOS MR7 includes the following enhancements to Virtual Domains:
The root domain may not be disabled even if it is not the management VDOM.
Modems can now be assigned to VDOMs other than the root VDOM, similar to
other interfaces; this means that modems are no longer global.
When VDOMs are in both NAT and TP operation modes, some interface fields
will be displayed as -. Only the super admin can view all the VDOMs.
Packets that pass through inter-VDOM links have their inter-VDOM link
counter reset when they are encrypted or decrypted. Previously packets were
limited to a maximum of three passes through inter-VDOM links.
22
Modem support
You can now connect a supported USB modem to the USB port of any FortiGate
model that includes a USB port. Previously only models with internal modems
supported USB modems. For more information, see Configuring the modem
interface on page 129.
Because PPP echo requests are not supported by all ISPs, a flag has been added
to the modem configuration to disable PPP echo requests if required.
You must use the config system modem CLI command to enable a modem
before it will display in the web-based manager interface list.
SNMP
The following commands were added to the CLI to reflect the new events added
to SNMP communities:
av-bypass
av-conserve
av-oversize-blocked
av-oversize-pass
ips-pkg-update
Previously, a trap could be triggered by a transient high CPU spike. This problem
has now been fixed.
You can now view a complete list of SNMP MIBs that FortiOS supports from the
support web site. If you have a subscription to central management services, this
service allows you to generate an HTML file of the complete, current list of MIBs.
Router
The web-based manager checks RIP timer values and will display an error
message if the timers are incorrect. For example, update timer has to be smaller
than the timeout or garbage timers. For more information see Selecting
advanced RIP options on page 270.
For the config router bgp command, the router-id field now has a default
value. If the router-id is not set, the highest IP address in this VDOM will be
used.
The maximum number of configurable BGP neighbors is now 1,000.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
23
Authentication
The maximum number of remote authentication servers (LDAP, RADIUS, and
TACACS+) has been increased from 6 to 10.
The Distinguished Name (DN) for LDAP has been increased to 512 characters.
For the following FortiGate models, the maximum number of local certificates has
been increased as follows:
FortiGate-50/60B/100/200 - 200
Intrusion Protection
Intrusion protection filters contain more information about the type and number of
signatures that are included in the filter. See Configuring IPS sensors on
page 470.
A new Count column has been added to the filters list. This column displays the
number of signatures are included in the filter.
Each filter also has a View Rules icon that, when selected, displays a complete list
of the included signatures.
24
Log messages
FortiOS 3.0 MR7 includes the following changes to log messages:
There are three new sub-types for the event log: vip ssl, ldb-monitor and
his-performance.
Log messages now contain the fields device_id and devname to help identify
HA members.
Quote marks are now included in the log message where a field in the
message does not contain any information.
The severity level of IPSec negotiation logs is now Notification; alert email now
sends any IPSec tunnel error message with a severity of Error or higher.
The count field has been added to attack logs to indicate the number of attack
reports on the FortiGate side.
See the FortiGate Logging Technical Note and the FortiGate Log Message
Reference for more information:
Content archiving
Previously, to content archive HTTP, FTP, SMTP, POP3, and IMAP data, you had
to enable virus scanning. To content archive HTTPS data you had to enable Web
URL filtering.
In FortiOS 3.0 MR7, you can now content archive all of these protocols without
enabling these additional features.
Alert email
Depending on your configuration, in FortiOS 3.0 MR7 not all alert email categories
are displayed in Log&Report > Log Config. If you have VDOMs enabled, you will
not see FortiGuard options.
The following alert email categories are also not available:
Disk usage warning (if your FortiGate unit does not contain a hard disk)
SSL VPN login failure (if you are using Transparent mode)
You can now change the port to use for sending alert email messages by using
the port keyword of the config system global CLI command.
Reports
Because of changes to FortiAnalyzer reports brought about by FortiAnalyzer 3.0
MR7, the FortiGate Report Access and Report Config settings and pages have
changed as well.
25
In Log&Report > Report Config, there is a new tab called Schedule. The
Schedule tab displays all report schedules that have been configured for your
FortiGate unit, both from the FortiGate web-based manager and the FortiAnalyzer
web-based manager. This tab also allows you to configure report schedules,
provided there is a report profile.
After upgrading to FortiOS 3.0 MR7, all previously configured reports are
converted to their equivalent in FortiOS 3.0 MR7. This conversion process splits
previously configured reports into two: one report layout and one schedule. This
split may not contain all the settings previously configured because of the new
settings in FortiOS 3.0 MR7. We recommend that you review all reports carried
forward from FortiOS 3.0 MR6 and familiarize yourself with how reports are now
configured, from both the FortiGate and FortiAnalyzer web-based managers.
For more information about configuring report schedules in FortiOS 3.0 MR7, see
FortiAnalyzer report schedules on page 551. For additional information, see the
FortiAnalyzer Administration Guide.
Email archiving
Using the FortiGate internal or AMC hard disk, FortiOS 3.0 MR7 provides
failure-proof email archiving by first storing email archive data on the internal or
AMC hard disk.
If you are using the FortiGuard Analysis and Management Service, the FortiGate
unit uploads and verifies content archived data to the FortiGuard Analysis and
Management Service in small batches to reduce overhead. The data is not
deleted from the internal or AMC hard disk until it has been successfully uploaded
to and verified on the FortiGuard Analysis and Management Service.
A similar approach is taken with archiving to a FortiAnalyzer unit, except that only
the AMC hard disk can be used to store archived data on the FortiGate unit and
archived data is uploaded in batches according to a specified schedule.
DNS queries
SNMP traps.
Subordinate units send this management traffic over the HA heartbeat link to the
primary unit. The primary unit forwards the management traffic to its destination.
Previously, the primary unit used an HA proxy for all subordinate unit
management traffic. This proxy design meant that the primary unit acted like an
application-level firewall or proxy server for the subordinate unit. However, this
design has some limitations.
26
Now the primary unit acts like a router for most subordinate unit management
traffic. Instead of sending management traffic to the HA proxy, the subordinate
unit sends traffic to its destination over the HA heartbeat link. The primary unit
uses simple routing to send the traffic through the primary unit and on to its
destination. The primary unit also routes replies back to the subordinate unit in the
same way.
HA uses a hidden VDOM called vsys_ha for HA operations. The vsys_ha VDOM
includes the HA heartbeat interfaces, and all communication over the HA
heartbeat link goes through the vsys_ha VDOM. To provide communication from a
subordinate unit to the network, HA adds hidden inter-VDOM links between the
primary unit management VDOM and the primary unit vsys_ha VDOM. By default,
root is the management VDOM.
Management traffic from the subordinate unit originates in the subordinate unit
vsys_ha VDOM. The vsys_ha VDOM routes the management traffic over the HA
heartbeat link to the primary unit vsys_ha VDOM. This management traffic is then
routed to the primary unit management VDOM and from there out onto the
network.
Note: DNS queries and FortiGuard Web Filtering rating requests are still handled by the HA
proxy so that the primary unit and subordinate units share the same DNS query cache and
the same FortiGuard Web Filtering cache.
Figure 1: Subordinate unit management traffic path
vsys_ha
169.254.0.1
Network
vsys_ha
HA link
169.254.0.65
root
169.254.0.2
169.254.0.66
Primary unit
root
Subordinate unit
HA heartbeat IP addresses
Previously, HA heartbeat interfaces were assigned IP addresses in the 10.0.0.x
range. FortiOS 3.0 MR7 uses link-local IP4 addresses (RFC 3927) in the
169.254.0.x range for HA heartbeat interface IP addresses and for inter-VDOM
link interface IP addresses. When a cluster initially starts up, the primary unit
heartbeat interface IP address is 169.254.0.1. Subordinate units are assigned
heartbeat interface IP addresses in the range 169.254.0.2 to 169.254.0.63. HA
inter-VDOM link interfaces on the primary unit are assigned IP addresses
169.254.0.65 and 169.254.0.66.
The ninth line of the following CLI command output shows the HA heartbeat
interface IP address of the primary unit.
27
port1
port2 through 9
port10
Previously, interface names were displayed in hash map order, rather than purely
by alphabetic order or purely by interface number value comparisons. As a result,
the list was sorted primarily in alphabetic order by interface name (for example,
base1 is before port1), then secondarily by index numbers:
port1
port10
Note: This change does not interfere with HA heartbeat interface failover. In FortiOS 3.0
MR7 as well as previous FortiOS versions, HA heartbeat interface failover uses the same
hash map order to select the HA heartbeat interface to use. If more than one HA heartbeat
interface has the highest priority, the interface with the highest priority that is also highest in
the interface hash map order is used for all HA heartbeat communication. If this interface
fails or becomes disconnected, the heartbeat interface with the highest priority that is next
highest in hash map order handles all heartbeat communication. For information about HA
heartbeat interfaces, see HA options on page 167.
28
Introduction
Introduction
Welcome and thank you for selecting Fortinet products for your real-time network
protection.
FortiGate ASIC-accelerated multi-threat security systems improve network
security, reduce network misuse and abuse, and help you use communications
resources more efficiently without compromising the performance of your
network. FortiGate Systems are ICSA-certified for Antivirus, Firewall, IPSec,
SSL-TLS, IPS, Intrusion detection, and AntiSpyware services.
FortiGate Systems are dedicated, easily managed security devices that deliver a
full suite of capabilities including:
The FortiGate security system uses Fortinets Dynamic Threat Prevention System
(DTPS) technology, which leverages breakthroughs in chip design, networking,
security and content analysis. The unique ASIC-accelerated architecture analyzes
content and behavior in real-time, enabling key applications to be deployed right
at the network edge where they are most effective at protecting your networks.
This chapter contains the following sections:
FortiGate documentation
29
Introduction
14
PWR ACC
CONSOLE
CONSOLE
USB
USB
USB
CONSOLE
USB
CONSOLE
USB
STA IPM
STA IPM
PWR ACC
STA IPM
INT
FLT
OK
LED MODE
EXT
FLT
CLK
12
10
14
E2
E1
13
11
15
12
14
10
E2
ZRE
Z
R
E
2
E1
13
11
15
Z
R
E
1
Z
R
E
0
R
S
2
3
2
SYSTEM
HOT SWAP
INT
FLT
EXT
FLT
OK
ZRE
8
CLK
Z
R
E
2
Z
R
E
1
Z
R
E
0
R
S
2
3
2
STATUS
SERIAL
2
Hot Swap
ETH0
Service
5000SM
10/100
link/Act
10/100
link/Act
ETH0 ETH1
SERIAL
1
RESET
5050SAP
ALARM
ETH0
Service
5000SM
10/100
link/Act
10/100
link/Act
STATUS
Hot Swap
SMC
12
OK
INT
FLT
RESET
LED MODE
RESET
LED MODE
HOT SWAP
5000SM
10/100
link/Act
10/100
link/Act
EXT
FLT
SMC
RESET
INT
FLT
HOT SWAP
CONSOLE
CLK
SYSTEM
5000SM
10/100
link/Act
10/100
link/Act
EXT
FLT
OK
POWER
STATUS
Hot Swap
1
ZRE
CLK
CONSOLE
ZRE
RESET
5
3
9
7
4
2
ETH0
Service
13
11
8
6
5
3
15
12
10
9
7
4
2
E1
14
13
11
8
6
E2
15
12
10
E1
14
LED MODE
PWR ACC
ETH0 ETH1
E2
HOT SWAP
USB
CONSOLE
PWR ACC
RESET
PWR ACC
USB
Z
R
E
2
CONSOLE
Z
R
E
1
Z
R
E
2
PWR ACC
Z
R
E
1
Z
R
E
0
R
S
2
3
2
Z
R
E
0
12
R
S
2
3
2
CONSOLE
SYSTEM
CONSOLE
USB
USB
USB
USB
USB
USB
USB
USB
SYSTEM
CONSOLE
ALARM
10
PWR ACC
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
CONSOLE
E
T
H
O
PWR ACC
MANAGEMENT
E
T
H
O
SERIAL 2
RESET
PWR ACC
PWR ACC
MANAGEMENT
SERIAL 1
L
2
1
3
R
R
CA
ITI MAJO MINO USER USER USER
CR
E
T
H
O
MANAGEMENT
T
SE
RE
E
T
H
O
ETH0 ETH1
PWR ACC
PWR ACC
PWR ACC
PWR ACC
PWR ACC
11
MANAGEMENT
5140
13
ETH0 ETH1
ETH0
Service
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
STA IPM
RESET
STATUS
Hot Swap
PSU A
PSU B
FILTER
USB
CONSOLE
USB
CONSOLE
62
53
62
53
ALT
ON/OFF
RESET
STATUS
IPM
PWR
ALT
ON/OFF
RESET
STATUS
FA N T R AY
FA N T R AY
PWR
IPM
FA N T R AY
FortiGate-5140 chassis
You can install up to 14 FortiGate-5000 series boards in the 14 slots of the
FortiGate-5140 ATCA chassis. The FortiGate-5140 is a 12U chassis that contains
two redundant hot swappable DC power entry boards that connect to -48 VDC
Data Center DC power. The FortiGate-5140 chassis also includes three hot
swappable cooling fan trays.
FortiGate-5050 chassis
You can install up to five FortiGate-5000 series boards in the five slots of the
FortiGate-5050 ATCA chassis. The FortiGate-5050 is a 5U chassis that contains
two redundant DC power connections that connect to -48 VDC Data Center DC
power. The FortiGate-5050 chassis also includes a hot swappable cooling fan
tray.
FortiGate-5020 chassis
You can install one or two FortiGate-5000 series boards in the two slots of the
FortiGate-5020 ATCA chassis. The FortiGate-5020 is a 4U chassis that contains
two redundant AC to DC power supplies that connect to AC power. The
FortiGate-5020 chassis also includes an internal cooling fan tray.
30
Introduction
FortiGate-5001A board
The FortiGate-5001A board is a high-performance ACTA-compliant security
system that contains two front panel gigabit ethernet interfaces, two base
backplane gigabit interfaces, and two fabric backplane gigabit interfaces. The
fabric interfaces are reserved for future 10-gigabit operation but can be used now
for board to board 1-gigabit operation. The FortiGate-5001A-DW front panel also
includes a double-width Advanced Mezzanine Card (AMC) opening. You can
install a supported FortiGate ADM module such as the FortiGate-ADM-XB2 or the
FortiGate-ADM-FB8 in the AMC opening. The FortiGate-ADM-XB2 adds two
accelerated 10-gigabit interfaces to the FortiGate-5001A board and the
FortiGate-ADM-FB8 adds 8 accelerated 1 gigabit interfaces.
The FortiGate-5001A board supports high-end features including 802.1Q VLANs
and multiple virtual domains and FortiOS Carrier MMS content processing, GTP
protection, and SIP extensions.
FortiGate-5005FA2 board
The FortiGate-5001SX board is an independent high-performance
ACTA-compliant security system with eight Gigabit ethernet interfaces; two of
which include Fortinet technology to accelerate small packet performance. The
FortiGate-5005FA2 board also supports high-end features including 802.1Q
VLANs, multiple virtual domains and specialized FortiGate-5000 series features
such as base and fabric backplane switching and FortiOS Carrier MMS content
processing, GTP protection, and SIP extensions.
FortiGate-5001SX board
The FortiGate-5001SX board is an independent high-performance
ACTA-compliant security system with eight Gigabit ethernet interfaces. The
FortiGate-5001SX board supports high-end features including 802.1Q VLANs and
multiple virtual domains and specialized FortiGate-5000 series features such as
base and fabric backplane switching and FortiOS Carrier MMS content
processing, GTP protection, and SIP extensions.
FortiGate-5001FA2 board
The FortiGate-5001FA2 board is an independent high-performance
ACTA-compliant security system with six Gigabit ethernet interfaces. The
FortiGate-5001FA2 board is similar to the FortiGate-5001SX board except that
two of the FortiGate-5001FA2 interfaces include Fortinet technology to accelerate
small packet performance.
31
Introduction
FortiGate-5002FB2 board
The FortiGate-5002FB2 board is an independent high-performance ACTA
compliant FortiGate security system with a total of 6 Gigabit ethernet interfaces.
Two of the FortiGate-5002FB2 interfaces include Fortinet technology to accelerate
small packet performance.
FortiGate-AMC modules
The FortiGate-AMC modules (including the
FortiGate-ADM-XB2, FortiGate-ADM-FB8,
FortiGate-ASM-FB4, and the FortiGate-ASM-SO8)
ASM-FB4
add additional capabilities such as accelerated
interfaces, hard disk space and so on to FortiGate
units, such as the FortiGate-3600A unit, FortiGate-3810unit , and the
FortiGate-5001A board that contain AMC slots.
HS
OOS
PWR
OT
LINK
ACT
LINK
ACT
3
LINK
4
ACT
LINK
ACT
FortiGate-3810A
The FortiGate-3810A
multi-threat security
appliance is the first
standalone security
appliance offering
optional 10-Gigabit
Ethernet interfaces. Four AMC expansion slots allow the FortiGate-3810A to be
customized for your exact performance needs. Up to 26 Gbps firewall
performance can be achieved in a full configuration with just a single 2U rackmount appliance.
AMC-DW1
AMC-SW1
-E4
AMC-DW2
AMC-SW2
USB
Esc
Enter
CONSOLE
AUX
10
STATUS
POWER
Base unit provides eight 10/100/1000 interfaces plus two SFP (fiber) interfaces
FortiGate-3600A
The FortiGate-3600A
multi-threat security
appliance establishes
a new level of priceperformance and
flexibility for multigigabit capacity
network security systems. With ten gigabit Ethernet interfaces and up to six Gbps
throughput, the FortiGate-3600A enables a new generation of high performance
protection against blended threats.
CONSOLE
PWR
Esc
Enter
1
2
3
4
5
6
7
8
9
10
MODEM
USB
Hi-Temp
32
Introduction
Provides eight gigabit copper (10/100/1000) interfaces and two gigabit fiber
(SFP) interfaces for greater flexibility and to meet the needs of large enterprise
and service provider networks
FortiGate-3016B
The FortiGate-3016B
multi-threat security
appliance is a carrierclass device with
sixteen gigabit
Ethernet interfaces
and a full complement of network protection features. Each interface of the
FortiGate-3016B provides wire-speed firewall performance using Fortinet's
advanced FortiASIC network processor technology. Multiple FortiGate-3016Bs
can be deployed in redundant clusters to ensure failsafe operation.
FG-AMC-SW
Esc
CONSOLE
11
13
15
17
MODEM
10
12
14
16
18
Enter
POWER
STATUS
The FortiGate-3016B is the ideal solution for large enterprises and Managed
Security Service Providers (MSSPs) looking to add new security services.
The highly available architecture and redundant hot-swappable power supplies
ensure failsafe operation, and AMC expansion provide additional connectivity,
performance and storage capacity.
FortiGate-3600
The FortiGate-3600
unit provides carrierclass levels of
performance and
reliability demanded by
large enterprises and
service providers. The unit uses multiple CPUs and FortiASIC chips to deliver
throughput of 4Gbps, meeting the needs of the most demanding applications. The
FortiGate-3600 unit includes redundant power supplies, which minimize singlepoint failures, and supports load-balanced operation. The high-capacity, reliability
and easy management makes the FortiGate-3600 a natural choice for managed
service offerings.
Esc
POWER
Hi-Temp
5/HA
INT
Enter
INTERNAL
5/HA
EXT
EXTERNAL
FortiGate-3000
The FortiGate-3000
unit provides the
carrier-class levels of
performance and
reliability demanded
by large enterprises and service providers. The unit uses multiple CPUs and
FortiASIC chips to deliver a throughput of 3Gbps, meeting the needs of the most
demanding applications. The FortiGate-3000 unit includes redundant power
supplies to minimize single-point failures, including load-balanced operation and
redundant failover with no interruption in service. The high capacity, reliability, and
easy management of the FortiGate-3000 makes it a natural choice for managed
service offerings.
Esc
POWER
Hi-Temp
4/HA
INT
EXT
Enter
4/HA
INTERNAL
EXTERNAL
33
Introduction
FortiGate-1000A/AFA2
The FortiGate-1000A/AFA2 Security System is a high performance solution that
delivers gigabit throughput with exceptional reliability for the most demanding
large enterprise. The FortiGate-1000AFA2 optionally provides 2 additional fiber
interfaces featuring FortiAccel ASIC technology enhancing small packet
performance. The FortiGate-1000A/AFA2 deploys easily in existing networks and
can be used for antivirus and content filtering only or can be deployed as a
complete network protection solution. High Availability (HA) operation and
redundant hot-swappable power supplies ensure non-stop operation in missioncritical applications.
The FortiGate-1000A
offers 10 tri-speed
10/100/1000 Base-TX
interfaces.
The FortiGate1000AFA2 offers 10
tri-speed interfaces +
two Small Form-factor
Pluggable (SFP)
FortiAccel ASIC
accelerated interfaces for line rate performance of all packet sizes ideal for
applications such as VOIP.
CONSOLE
A1
USB
A2
FortiGate-1000
The FortiGate-1000 unit is
designed for larger
enterprises. The FortiGate1000 meets the needs of the most demanding applications, using multiple CPUs
and FortiASIC chips to deliver a throughput of 2Gps. The FortiGate-1000 unit
includes support for redundant power supplies to minimize single-interface
failures, load-balanced operation, and redundant failover with no interruption in
service.
Esc
Enter
4 / HA
INTERNAL
EXTERNAL
FortiGate-800/800F
The FortiGate-800/800F
Multi-Threat Security
system provides the
performance, flexibility, and security necessary to protect today's most demanding
large enterprise networks. The FortiGate-800 can be deployed as a high
performance antivirus and web content filtering gateway, or as a complete network
protection solution leveraging firewall, VPN, IPS and antispam capabilities.
INTERNAL
Esc
Enter
EXTERNAL
DMZ
HA
CONSOLE
USB
PWR
INTERNAL
Esc
EXTERNAL
DMZ
HA
CONSOLE
USB
Enter
800F
34
Introduction
FortiGate-500A
The FortiGate-500A MultiThreat Security system
provides higher
performance, flexibility, and security necessary to protect today's growing
enterprise networks. The FortiGate-500A platform features two 10/100/1000 trispeed ethernet interfaces providing flexibility for networks running at or upgrading
to gigabit speeds, four user-definable 10/100 interfaces for redundant WAN links,
high availability, and multi-zone capabilities that allow administrators a high
degree of flexibility to segment their network into zones for granular control of
network traffic, and an internal 4-port switch for direct connectivity with the
FortiGate-500A.
Esc
CONSOLE
Enter
USB
10/100
LAN
L1
L2
L3
L4
10/100/1000
FortiGate-500
The FortiGate-500 unit is
designed for larger
enterprises. The flexibility,
reliability, and easy management makes the FortiGate-500 a natural choice for
managed service offerings. The FortiGate-500 supports high availability (HA).
INTERNAL
Esc
EXTERNAL
DMZ
HA
Enter
FortiGate-400A
The FortiGate-400A MultiThreat Security system
provides higher
performance, flexibility, and security necessary to protect today's growing
enterprise networks. The FortiGate-400A platform features two 10/100/1000 trispeed ethernet interfaces for networks running at or upgrading to gigabit speeds
and 4 user-definable 10/100 interfaces provide redundant WAN links, high
availability, and multi-zone capabilities, allowing administrators a high degree of
flexibility to segment their network into zones and create policies to control
network traffic between zones.
Esc
CONSOLE
Enter
USB
10/100
10/100/1000
You can deploy the FortiGate-400A as a high performance antivirus and web
content filtering gateway, or as a complete network protection solution leveraging
firewall, intrusion detection and prevention, spam filtering and VPN capabilities.
FortiGate-400
The FortiGate-400 unit is
designed for larger
enterprises. The FortiGate400 unit is capable of throughput up to 500Mbps and supports high availability
(HA), which includes automatic failover with no session loss.
Esc
Enter
CONSOLE
4 / HA
35
Introduction
FortiGate-310B
The FortiGate-310B is
designed to raise the
expectations of mid-range
security devices. Incorporating FortiASIC network processors for firewall/VPN
acceleration and the FortiASIC Content Processor for content inspection
acceleration, the FortiGate-310B yields unmatched multi-threat performance
metrics. AMC module options offer both flexibility and the highest port density of
any product in its class. The FortiGate-310B's accelerated security throughput and
high port density relieves medium sized organizations of the restraints that have
historically prevented internal network security segmentation.
NP2 Powered
STATUS
ALARM
POWER
HA
1/2
3/4
7/8
5/6
ASM
CONSOLE
USB
9/10
Link aggregation
FortiGate-300A
The FortiGate-300A MultiThreat Security system
provides performance,
flexibility, and security necessary to protect today's growing small and medium
sized enterprise networks. The FortiGate-300A platform features two 10/100/1000
tri-speed ethernet interfaces for networks running at or upgrading to gigabit
speeds and 4 user-definable 10/100 interfaces.
Esc
CONSOLE
Enter
USB
10/100
10/100/1000
FortiGate-300
The FortiGate-300 unit is
designed for larger
enterprises. The FortiGate300 unit features high availability (HA), which includes automatic failover with no
session loss. This feature makes the FortiGate-300 an excellent choice for
mission-critical applications.
Esc
Enter
FortiGate-224B
The FortiGate-224B converges
network and security products
that uniquely integrate multiple
layers of threat protection with granular network access controls. The
FortiGate-224B delivers configurable interface-level access control that combines
traditional FortiOS security technologies with layer 2 switching hardware. The
result is a complete and effective Local Area Network (LAN) security solution.
1
11
13
15
17
19
21
23
10
12
14
16
18
20
22
24
25
26
WAN1
WAN2
USB
CONSOLE
36
Introduction
FortiGate-200A
The FortiGate-200A MultiThreat Security system is an
ideal solution for small to
medium sized businesses. The FortiGate-200A platform features dual WAN link
support for redundant internet connections, and an integrated 4-port switch that
eliminates the need for an external hub or switch, giving networked devices a
direct connection to the FortiGate-200A unit.
CONSOLE
Esc
USB
INTERNAL
Enter
DMZ1
DMZ2
WAN1
WAN2
FortiGate-200
The FortiGate-200 unit is
designed for small
businesses, home offices or
even branch office
applications. The FortiGate200 unit is an easy-to-deploy and easy-to-administer solution. The FortiGate-200
also supports high availability (HA).
POWER
STATUS
INTERNAL EXTERNAL
DMZ
CONSOLE
INTERNAL
EXTERNAL
DMZ
FortiGate-100A
The FortiGate-100A system is an
ideal solution for small offices. The
FortiGate-100A features dual WAN
A
link support for redundant internet
connections, and an integrated 4-port switch that eliminates the need for an
external hub or switch, giving networked devices a direct connection to the
FortiGate-100A.
INTERNAL
PWR
STATUS
WAN 1
WAN 2
DMZ 1
DMZ 2
LINK 100
LINK 100
LINK 100
LINK 100
LINK 100
LINK 100
LINK 100
LINK 100
FortiGate-100
The FortiGate-100 unit is designed
for SOHO, SMB and branch office
applications.
INTERNAL
EXTERNAL
DMZ
POWER
STATUS
37
Introduction
FortiGate-60B
The FortiGate-60B multi-threat
security solution offers Small and
Medium Business and
SOHO/ROBO users enterpriseclass protection against blended
threats targeting 3G broadband, wireless LAN and wired infrastructure. The
FortiGate-60B supports a wide array of wireless broadband PC Cards. The
FortiGate-60B offers enterprise-class security for the SOHO/ROBO users and the
flexibility needed for quick Point of Sales deployment.
INTERNAL
POWER STATUS
HA
ALARM
WAN 1
WAN 2
DMZ
FortiGate-60B offers a PC Card slot, dual WAN link support for redundant internet
connections, a DMZ interface and 6 built-in switch interfaces. The FortiGate-60B
also offers an integrated analog modem for dial backup capability.
The FortiGate-60B is ideal for small businesses and enterprise remote offices
where complete security including Firewall, IPSec and SSL VPN, Intrusion
prevention, Antivirus, Web filtering and Antispam are needed.
The FortiGate-60B also supports wide range of 3G wireless PC Cards for instant
Point of Sales deployment.
FortiWiFi-60B
The FortiWiFi-60B multi-threat
security solution offers Small and
Medium Business and SOHO/ROBO
users enterprise-class protection
against blended threats targeting 3G
broadband, wireless LAN and wired
infrastructure. The FortiWiFi-60B
supports a wide array of wireless
broadband PC Cards and optional
built-in 802.11 a/b/g wireless support.
The FortiWiFi-60B offers enterprise-class security for the SOHO/ROBO users and
the flexibility needed for quick Point of Sales deployment.
1
POWER STATUS
HA
ALARM
Wifi
WAN 1
WAN 2
DMZ
INTERNAL
The FortiWiFi-60B is the only dual wireless enabled platform with supports for
both WiFi and 3G wireless simultaneously. Integrated 802.11a/b/g wireless LAN
access point with a DMZ, Dual WAN and 6 switch interfaces provide ample of
connectivity options for the remote office or small size business.
The FortiWiFi-60B supports a wide range of 3G wireless PC Cards to provide an
ideal wireless broadband and wireless LAN gateway
FortiGate-60/60M/ADSL
The FortiGate-60ADSL offers an
integrated ADSL modem for Internet
connectivity. It supports multiple
ADSL standards, including ANSI
T1.413 issue 2, ITU G.dmt and ITU G.lite, as well as support for Annex A.
INTERNAL
PWR
STATUS
LINK 100
LINK 100
LINK 100
DMZ
WAN1
WAN2
LINK 100
LINK 100
LINK 100
LINK 100
38
Introduction
FortiWiFi-60/60A/60AM
The FortiWiFi-60 model provides a
secure, wireless LAN solution for
wireless connections. It combines
mobility and flexibility with FortiWiFi
Antivirus Firewall features, and can
be upgraded to future radio
technologies. The FortiWiFi-60
serves as the connection point
between wireless and wired networks
or the center-point of a standalone
wireless network.
INTERNAL
PWR
WLAN
DMZ
WAN1
WAN2
LINK 100
LINK 100
LINK 100
LINK 100
LINK 100
LINK 100
LINK 100
FortiWiFi-50B
The FortiWiFi-50B adds wireless
connectivity by providing standard
802.11 b/g support. The FortiWiFi50B can be powered by standard
based Power Over Ethernet (POE)
devices to ease installation and
deployment.
WAN1
(PoE)
WLAN
INTERNAL
WAN2
LINK / ACT
STATUS
10/100
FortiGate-50B
The FortiGate-50B offers dual
WAN interfaces for load
balancing or redundant internet
connections. The FortiGate-50B
provides three integrated switch interfaces for multi-user environments in a small
remote office. It is ideally suited for remote offices, retail stores, broadband
telecommuter sites and many other applications.
WAN1
POWER
INTERNAL
WAN2
LINK / ACT
STATUS
10/100
FortiGate-50A
The FortiGate-50A unit is designed for
telecommuters and small remote
A
offices with 10 or fewer employees.
The FortiGate-50 unit includes an
external modem interface that can be used as a backup or stand alone connection
to the Internet.
PWR
STATUS
INTERNAL
EXTERNAL
LINK 100
LINK 100
39
Introduction
FortiAnalyzer
FortiAnalyzer provides network administrators with the information they need to
enable the best protection and security for their networks against attacks and
vulnerabilities. FortiAnalyzer features include:
collects logs from FortiGate units and syslog devices and FortiClient
FortiClient
FortiClient Host Security software provides a secure computing environment for
both desktop and laptop users running the most popular Microsoft Windows
operating systems. FortiClient offers many features including:
virus scanning.
40
Introduction
FortiManager
FortiManager meets the needs of large enterprises (including managed security
service providers) responsible for establishing and maintaining security policies
across many dispersed FortiGate installations. With FortiManager you can
configure multiple FortiGate units and monitor their status. You can also view realtime and historical logs for FortiGate units. FortiManager emphasizes ease of use,
including easy integration with third party systems.
FortiBridge
FortiBridge products are designed to provide enterprise organizations operating
FortiGate units in Transparent mode with continuous network traffic flow in the
event of a power outage or a FortiGate system failure. The FortiBridge unit
bypasses the FortiGate unit to make sure that the network can continue
processing traffic. FortiBridge products are easy to use and deploy, including
providing customizable actions a FortiBridge unit takes in the event of a power
outage or FortiGate system failure.
FortiMail
FortiMail provides powerful, flexible heuristic scanning and reporting
capabilities to incoming and outgoing email traffic. The FortiMail unit has reliable,
high performance features for detecting and blocking malicious attachments and
spam, such as FortiGuard Antispam/Antivirus support, heuristic scanning,
greylisting, and Bayesian scanning. Built on Fortinets award winning FortiOS and
FortiASIC technology, FortiMail antivirus technology extends full content
inspection capabilities to detect the most advanced email threats.
41
Introduction
The most recent version of this document is available from the FortiGate page of
the Fortinet Technical Documentation web site. The information in this document
is also available in a slightly different form as FortiGate web-based manager
online help.
You can find more information about FortiOS v3.0 from the FortiGate page of the
Fortinet Technical Documentation web site as well as from the Fortinet Knowledge
Center.
This administration guide contains the following chapters:
42
System Status describes the System Status page, the dashboard of your
FortiGate unit. At a glance you can view the current system status of the
FortiGate unit including serial number, uptime, FortiGuard license information,
system resource usage, alert messages and network statistics. This section
also describes status changes that you can make, including changing the unit
firmware, host name, and system time. Finally this section also describes the
topology viewer that is available on all FortiGate models except those with
model numbers 50 and 60.
Using virtual domains describes how to use virtual domains to operate your
FortiGate unit as multiple virtual FortiGate units, providing separate firewall
and routing services to multiple networks.
System Network explains how to configure physical and virtual interfaces and
DNS settings on the FortiGate unit.
Router Static explains how to define static routes and create route policies. A
static route causes packets to be forwarded to a destination other than the
factory configured default gateway.
Introduction
Router Monitor explains how to interpret the Routing Monitor list. The list
displays the entries in the FortiGate routing table.
Firewall Virtual IP describes how to configure and use virtual IP addresses and
IP pools.
SIP support incudes some high-level information about VoIP and SIP and
describes how FortiOS SIP support works and how to configure the key SIP
features.
VPN PPTP explains how to use the web-based manager to specify a range of
IP addresses for PPTP clients.
AntiVirus explains how to enable antivirus options when you create a firewall
protection profile.
Web Filter explains how to configure web filter options when a firewall
protection profile is created.
IM, P2P & VoIP explains how to configure IM, P2P, and VoIP options when a
firewall protection profile is created. You can view IM, P2P, and VoIP statistics
to gain insight into how the protocols are being used within the network.
Log&Report describes how to enable logging, view log files, and view the basic
reports available through the web-based manager.
Document conventions
The following document conventions are used in this guide:
43
FortiGate documentation
Introduction
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
Fortinet documentation uses the following typographical conventions:
Convention
Example
Menu commands
Keyboard input
In the Gateway Name field, type a name for the remote VPN
peer or client (for example, Central_Office_1).
Code examples
Document names
File content
<HTML><HEAD><TITLE>Firewall
Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this
service.</H4>
Program output
Welcome!
Variables
<address_ipv4>
The chapter or section contains VDOM configuration settings,
see VDOM configuration settings on page 97.
The chapter or section contains Global configuration settings,
see Global configuration settings on page 98.
FortiGate documentation
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
The following FortiGate product documentation is available:
44
Introduction
FortiGate documentation
45
Introduction
46
Web-based manager
Web-based manager
This section describes the features of the user-friendly web-based manager
administrative interface (sometimes referred to as a graphical user interface, or
GUI) of your FortiGate unit.
Using HTTP or a secure HTTPS connection from any management computer
running a web browser, you can connect to the FortiGate web-based manager to
configure and manage the FortiGate unit. The recommended minimum screen
resolution for the management computer is 1280 by 1024.
You can configure the FortiGate unit for HTTP and HTTPS web-based
administration from any FortiGate interface. To connect to the web-based
manager you require a FortiGate administrator account and password. The
web-based manager supports multiple languages, but by default appears in
English on first use.
Figure 2: Example FortiGate-5001SX Web-based manager dashboard (default
configuration)
You can go to System > Status to view detailed information about the status of
your FortiGate unit on the system dashboard. The dashboard displays information
such as the current FortiOS firmware version, antivirus and IPS definition
versions, operation mode, connected interfaces, and system resources. It also
shows whether the FortiGate unit is connected to a FortiAnalyzer unit and a
FortiManager unit or other central management services.
47
Web-based manager
You can use the web-based manager menus, lists, and configuration pages to
configure most FortiGate settings. Configuration changes made using the
web-based manager take effect immediately without resetting the FortiGate unit or
interrupting service. You can back up your configuration at any time using the
Backup Configuration button on the button bar. The button bar is located in the
upper right corner of the web-based manager. The saved configuration can be
restored at any time.
The web-based manager also includes detailed context-sensitive online help.
Selecting Online Help on the button bar displays help for the current web-based
manager page.
You can use the FortiGate command line interface (CLI) to configure the same
FortiGate settings that you can configure from the web-based manager, as well as
additional CLI-only settings. The system dashboard provides an easy entry point
to the CLI console that you can use without exiting the web-based manager.
This section describes:
Logging out
48
Web-based manager
Start your web browser and browse to https:// followed by the IP address of the
FortiGate unit interface that you can connect to.
For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99.
(remember to include the s in https://).
To support a secure HTTPS authentication method, the FortiGate unit ships with a
self-signed security certificate, which is offered to remote clients whenever they
initiate a HTTPS connection to the FortiGate unit. When you connect, the
FortiGate unit displays two security warnings in a browser.
The first warning prompts you to accept and optionally install the FortiGate units
self-signed security certificate. If you do not accept the certificate, the FortiGate
unit refuses the connection. If you accept the certificate, the FortiGate login page
appears. The credentials entered are encrypted before they are sent to the
FortiGate unit. If you choose to accept the certificate permanently, the warning is
not displayed again.
Just before the FortiGate login page is displayed, a second warning informs you
that the FortiGate certificate distinguished name differs from the original request.
This warning occurs because the FortiGate unit redirects the connection. This is
an informational message. Select OK to continue logging in.
Type the password for the administrator account in the Password field.
Select Login.
Select OK.
Note: You can also add new administrator accounts by selecting Create New. For more
information about adding administrators, changing administrator account passwords and
related configuration settings, see System Administrators on page 195.
49
Web-based manager
Select Apply.
The web-based manager displays the dashboard in the selected language. All
web-based manager pages are displayed with the selected language.
Figure 3: System > Admin > Settings displayed in Simplified Chinese
50
Web-based manager
Choose an interface for which to change administrative access and select Edit.
Select OK.
For more information about changing administrative access see Administrative
access to an interface on page 125 and Changing administrative access to your
FortiGate unit on page 50.
Select Apply.
51
Web-based manager
Contact Customer
Support
Online Help
Logout
Back up your FortiGate
Configuration
You must register your Fortinet product to receive product updates, technical
support, and FortiGuard services. To register a Fortinet product, go to Product
Registration and follow the instructions.
the local PC that you are using to manage the FortiGate unit.
a USB disk if your FortiGate unit has a USB port and you have connected a
USB disk to it (see USB Disks on page 238).
52
Web-based manager
Show Navigation
Previous
Next
Bookmark
Print
Email
Show
Navigation
Open the online help navigation pane. From the navigation pane you can
use the online help table of contents, index, and search to access all of
the information in the online help. The online help is organized in the
same way as the FortiGate web-based manager and the FortiGate
Administration Guide.
Previous
Next
53
Web-based manager
Bookmark
Add an entry for this online help page to your browser bookmarks or
favorites list to make it easier to find useful online help pages. You
cannot use the Bookmark icon to add an entry to your favorites list if you
are viewing online help from Internet Explorer running on a management
PC with Windows XP and service pack 2 installed.
When you select help for a VDOM configuration settings web-based
manager page the help display includes the VDOM icon. For information
about VDOM configuration settings, see VDOM configuration settings
on page 97.
When you select help for a Global configuration settings web-based
manager page the help display includes the Global icon. For information
about Global configuration settings, see Global configuration settings
on page 98.
To view the online help table of contents or index, and to use the search feature,
select Online Help in the button bar in the upper right corner of the web-based
manager. From the online help, select Show Navigation.
Figure 7: Online help page with navigation pane and content pane
Contents
Index Search
Show in Contents
Contents
Display the online help table of contents. You can navigate through the
table of contents to find information in the online help. The online help is
organized in the same way as the FortiGate web-based manager and the
FortiGate Administration Guide.
Index
Display the online help index. You can use the index to find information in
the online help.
Search
Display the online help search. For more information, see Searching the
online help on page 54.
Show in
Contents
If you have used the index, search, or hyperlinks to find information in the
online help, the table of contents may not be visible or the table of
contents may be out of sync with the current help page. You can select
Show in Contents to display the location of the current help page within
the table of contents.
54
If you search for multiple words, the search finds only those help pages that
contain all of the words that you entered. The search does not find help pages
that only contain one of the words that you entered.
The help pages found by the search are ranked in order of relevance. The
higher the ranking, the more likely the help page includes useful or detailed
information about the word or words that you are searching for. Help pages
with the search words in the help page title are ranked highest.
Web-based manager
You can use the asterisk (*) as a search wildcard character that is replaced by
any number of characters. For example, if you search for auth* the search
finds help pages containing auth, authenticate, authentication,
authenticates, and so on.
In some cases the search finds only exact matches. For example, if you
search for windows the search may not find pages containing the word
window. You can work around this using the * wildcard (for example by
searching for window*).
From any web-based manager page, select the online help button.
Select Search.
In the search field, enter one or more words to search for and then press the Enter
key on your keyboard or select Go.
The search results pane lists the names of all the online help pages that contain
all the words that you entered. Select a name from the list to display that help
page.
Figure 8: Searching the online help system
Go
Search
Field
Search
Results
Alt+8
Alt+9
Function
Display the table of contents.
Display the index.
Display the Search tab.
Go to the previous page.
Go to the next page.
Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if
you have comments on or corrections for the online help or any other Fortinet
technical documentation product.
Print the current online help page.
Add an entry for this online help page to your browser bookmarks or favorites list,
to make it easier to find useful online help pages.
55
Logging out
Web-based manager
Logging out
The Logout button immediately logs you out of the web-based manager. Log out
before you close the browser window. If you simply close the browser or leave the
web-based manager, you remain logged in until the idle timeout (default 5
minutes) expires. To change the timeout, see Changing the web-based manager
idle timeout on page 51.
Tabs
Page
Button bar
Menu
56
Web-based manager
Router
Configure FortiGate static and dynamic routing and view the router
monitor.
Firewall
VPN
User
Configure user accounts for use with firewall policies that require user
authentication. Also configure external authentication servers such as
RADIUS, LDAP, TACACS+, and Windows AD.
AntiVirus
Intrusion
Protection
Web Filter
AntiSpam
IM, P2P & VoIP Configure monitoring and control of internet messaging, peer-to-peer
messaging, and voice over IP (VoIP) traffic.
Log&Report
Configure logging and alert email. View log messages and reports.
select the Edit icon for a list item to view and change the settings of the item
select the Delete icon for a list item to delete the item. The delete icon will not
be available if the item cannot be deleted. Usually items cannot be deleted if
they have been added to another configuration; you must first find the
configuration settings that the item has been added to and remove the item
from them. For example, to delete a user that has been added to a user group
you must first remove the user from the user group (see Figure 10).
Delete
Edit
If you log in as an administrator with an access profile that allows Read Only
access to a list, you will only be able to view the items on the list (see Figure 11).
57
Web-based manager
View
For more information, see Access profiles on page 208.
Firewall policy and IPv6 policy list (see Viewing the firewall policy list on
page 295)
Log and report log access list (see Accessing Logs on page 539).
Filters are useful for reducing the number of entries that are displayed on a list so
that you can focus on the information that is important to you.
For example, you can go to System > Status, and, in the Statistics section, select
Details on the Sessions line to view the communications sessions that the
FortiGate unit is currently processing. A busy FortiGate unit may be processing
hundreds or thousands of communications sessions. You can add filters to make it
easier to find specific sessions. For example, you might be looking for all
communications sessions being accepted by a specific firewall policy. You can
add a Policy ID filter to display only the sessions for a particular Policy ID or range
of Policy IDs.
You add filters to a web-based manager list by selecting any filter icon to display
the Edit Filters window. From the Edit Filters window you can select any column
name to filter, and configure the filter for that column. You can also add filters for
one or more columns at a time. The filter icon remains gray for unfiltered columns
and changes to green for filtered columns.
Figure 12: An intrusion protection predefined signatures list filtered to display all
signatures containing apache with logging enabled, action set to drop,
and severity set to high
Filter added to
display names that
include apache
No filter added
The filter configuration is retained after leaving the web-based manager page and
even after logging out of the web-based manager or rebooting the FortiGate unit.
58
Web-based manager
Different filter styles are available depending on the type of information displayed
in individual columns. In all cases, you configure filters by specifying what to filter
on and whether to display information that matches the filter, or by selecting NOT
to display information that does not match the filter.
Note: Filter settings are stored in the FortiGate configuration and will be maintained the
next time that you access any list for which you have added filters.
On firewall policy, IPv6 policy, predefined signature and log and report log access
lists, you can combine filters with column settings to provide even more control of
the information displayed by the list. See Using filters with column settings on
page 63 for more information.
59
Web-based manager
The text string can be blank and it can also be very long. The text string can also
contain special characters such as <, &, > and so on. However, filtering ignores
characters following a < unless the < is followed by a space (for example, filtering
ignores <string but not < string). Filtering also ignores matched opening and
closing < and > characters and any characters inside them (for example, filtering
ignores <string> but does not ignore >string>).
Figure 14: A firewall policy list filter set to display all policies that do not include a
source address with a name that contains My_Address
Custom filters
Other custom filters are also available. You can filter log messages according to
date range and time range. You can also set the level filter to display log
messages with multiple severity levels.
60
Web-based manager
Figure 16: A log access filter set to display all log messages with level of alert,
critical, error, or warning
log and report log access lists (see Accessing Logs on page 539).
Previous Page
First Page
Last Page
Next Page
Current Page
(enter a page number
to display that page)
First Page
Previous Page
Current Page
The current page number of list items that are displayed. You can enter
a page number and press Enter to display the items on that page. For
example if there are 5 pages of items and you enter 3, page 3 of the
sessions will be displayed.
Total Number of The number of pages of list items that you can view.
Pages
61
Web-based manager
Next Page
Last Page
Firewall policy and IPv6 policy (see Viewing the firewall policy list on
page 295)
Log and report log access lists (see Accessing Logs on page 539).
Note: Any changes that you make to the column settings of a list are stored in the FortiGate
configuration and will display the next time that you access the list.
To change column settings on a list that supports it, select Column Settings. From
Available Fields, select the column headings to be displayed and then select the
Right Arrow to move them to the Show these fields in this order list. Similarly, to
hide column headings, use the Left Arrow to move them back to the Available
fields list. Use Move up and Move down to change the order in which to display
the columns.
For example, you can change interface list column headings to display only the
IP/Netmask, MAC address, MTU, and interface Type for each interface.
Figure 18: Example of interface list column settings
Left Arrow
62
Right Arrow
Web-based manager
For more information, see Adding filters to web-based manager lists on page 58.
63
Web-based manager
Name
Description
Clear
Clear all or remove all entries from the current list. For
example, on a URL filter list you can use this icon to remove
all URLs from the current URL filter list.
Delete
Delete an item. This icon appears in lists where the item can
be deleted and you have edit permission for the item.
Description
Disconnect
from cluster
Download
Edit
Enter a VDOM Enter a virtual domain and use the web-based manager to
configure settings for the virtual domain.
Expand Arrow Expand this section to reveal more fields. This icon is used in
(closed)
some dialog boxes and lists.
Expand Arrow Close this section to hide some fields. This icon is used in
(open)
some dialog boxes and lists.
64
Filter
First page
Insert before
Last page
Move to
Next page
Web-based manager
Name
Description
View
View details
65
66
Web-based manager
System Status
Status page
System Status
This section describes the System Status page, the dashboard of your FortiGate
unit. At a glance you can view the current system status of the FortiGate unit
including serial number, uptime, FortiGuard license information, system
resource usage, alert messages and network statistics.
Note: Your browser must support Javascript to view the System Status page.
If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is
available globally and system status settings are configured globally for the entire
FortiGate unit. The Topology viewer is not available when VDOMs are enabled.
For details, see Using virtual domains on page 95.
This section describes:
Status page
Viewing Statistics
Topology
Status page
View the System Status page, also known as the system dashboard, for a
snapshot of the current operating status of the FortiGate unit. FortiGate
administrators whose access profiles permit read access to System Configuration
can view system status information.
When the FortiGate unit is part of an HA cluster, the System Status page includes
basic high availability (HA) cluster status such as including the name of the cluster
and the cluster members including their host names. To view more complete
status information for the cluster, go to System > Config > HA. For more
information, see HA on page 167. HA is not available on FortiGate 50A, and
50AM models.
FortiGate administrators whose access profiles permit write access to system
configuration can change or update FortiGate unit information. For information on
access profiles, see Access profiles on page 208.
67
Status page
System Status
To view this page, your access profile must permit read access to system
configuration. If you also have system configuration write access, you can modify
system information and update FortiGuard - AV and FortiGuard - IPS definitions.
For information on access profiles, see Access profiles on page 208.
The System Status page is customizable. You can select which widgets to display,
where they are located on the page, and if they are minimized or maximized. Each
display has an icon associated with it for easy recognition when minimized.
Figure 21: System Status page
Select Add Content to add any of the widgets not currently shown on the System
Status page. Any widgets currently on the System Status page will be greyed out
in the Add Content menu, as you can only have one of each display on the
System Status page. Optionally select Back to Default to restore the historic
System Status page configuration.
Position your mouse over a displays titlebar to see your available options for that
display. The options vary slightly from display to display.
Figure 22: A minimized display
Widget title
Disclosure arrow
68
History
Edit
Refresh
Close
Widget Title
Disclosure arrow
System Status
Status page
History
Edit
Refresh
Close
System Information
License Information
Unit Operation
System Resources
Statistics
CLI Console
Top Sessions
Top Viruses
Top Attacks
Traffic History
System Information
Go to System > Status to find System Information.
Figure 23: System Information
Serial Number
The serial number of the FortiGate unit. The serial number is specific
to the FortiGate unit and does not change with firmware upgrades.
Uptime
The time in days, hours, and minutes since the FortiGate unit was
started.
System Time
The current date and time according to the FortiGate units internal
clock.
Select Change to change the time or configure the FortiGate unit to
get the time from an NTP server. See Configuring system time on
page 80.
HA Status
69
Status page
System Status
Host Name
Cluster Name
Cluster Members
Virtual Cluster 1
Virtual Cluster 2
The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2.
See HA on page 167.
The FortiGate unit must be operating in HA mode with virtual
domains enabled to display these fields.
Firmware Version
FortiClient Version The currently stored version of FortiClient. Select Update to upload a
FortiClient software image to this FortiGate unit from your
management computer.
This option is available only on FortiGate models that provide a portal
from which hosts can download FortiClient software, such as
FortiGate-3600 and 5005 models.
Operation Mode
Virtual Domain
Current
Administrators
License Information
License Information displays the status of your technical support contract and
FortiGuard subscriptions. The FortiGate unit updates the license information
status indicators automatically when attempting to connect to the FortiGuard
Distribution Network (FDN). FortiGuard Subscriptions status indicators are green
if the FDN was reachable and the license was valid during the last connection
attempt, grey if the FortiGate unit cannot connect to the FDN, and orange if the
FDN is reachable but the license has expired.
Selecting any of the Configure options will take you to the Maintenance page. For
more information, see System Maintenance on page 229.
70
System Status
Status page
Support Contract
FortiGuard Subscriptions
AntiVirus
AV Definitions
Intrusion Protection
IPS Definitions
Web Filtering
Antispam
Analysis &
Management
Services
Services Account ID
Virtual Domain
VDOMs Allowed
71
Status page
System Status
Unit Operation
In the Unit Operation area, an illustration of the FortiGate units front panel shows
the status of the units Ethernet network interfaces. If a network interface is green,
that interface is connected. Pause the mouse pointer over the interface to view the
name, IP address, netmask and current up/down status of the interface.
If you select Reboot or ShutDown, a pop-up window opens allowing you to enter
the reason for the system event.
You can only have one management and one logging/analyzing method displayed
for your FortiGate unit. The graphic for each will change based on which method
you choose. If none are selected, no graphic is shown.
Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and
admin events are enabled. For more information on Event Logging, see Event log on
page 536.
Figure 25: Unit Operation (FortiGate-800)
72
System Status
Status page
INT / EXT / DMZ / HA / The network interfaces on the FortiGate unit. The names and
number of these interfaces vary by model.
1/2/3/4
The icon below the interface name indicates its up/down status by
color. Green indicates the interface is connected. Grey indicates
there is no connection.
For more information about the configuration and status of an
interface, pause the mouse over the icon for that interface. A
tooltip displays the full name of the interface, its alias if one is
configured, the IP address and netmask, the status of the link, the
speed of the interface, and the number of sent and received
packets.
AMC-SW1/1, ...
AMC-DW1/1, ...
FortiAnalyzer
The icon on the link between the FortiGate unit graphic and the
FortiAnalyzer graphic indicates the status of their OFTP
connection. An X on a red icon indicates there is no connection.
A check mark on a green icon indicates there is OFTP
communication.
Select the FortiAnalyzer graphic to configure remote logging tot he
FortiAnalyzer unit on your FortiGate unit. See Logging to a
FortiAnalyzer unit on page 529.
FortiGuard Analysis
Service
The icon on the link between the FortiGate unit graphic and the
FortiGuard Analysis Service graphic indicates the status of their
OFTP connection. An X on a red icon indicates there is no
connection. A check mark on a green icon indicates there is OFTP
communication.
Select the FortiGuard Analysis Service graphic to configure
remote logging to the FortiGuard Analysis Service. See
FortiGuard Analysis and Management Service on page 526.
FortiManager
The icon on the link between the FortiGate unit graphic and the
FortiManager graphic indicates the status of the connection. An X
on a red icon indicates there is no connection. A check mark on a
green icon indicates there is communication between the two
units.
Select the FortiManager graphic to configure central management
on your FortiGate unit. See Central Management on page 212.
FortiGuard
The icon on the link between the FortiGate unit graphic and the
Management Service FortiGuard Management Service graphic indicates the status of
the connection. An X on a red icon indicates there is no
connection. A check mark on a green icon indicates there is
communication.
Select the FortiGuard Management Service graphic to configure
central management on your FortiGate unit. See Central
Management on page 212.
Reboot
Shutdown
Reset
73
Status page
System Status
System Resources
The System Resources widget displays basic FortiGate unit resource usage, such
as CPU and memory (RAM) usage. Any System Resources that are not displayed
on the status page can be viewed as a graph by selecting the History icon.
Figure 28: System Resources
History
CPU Usage
Memory Usage
FortiAnalyzer Usage The current status of the FortiAnalyzer disk space used by this
FortiGate units quota, displayed as a pie chart and a percentage.
This is available only if you have configured logging to a
FortiAnalyzer unit.
The following types of messages can appear in the Alert Message Console:
74
System restart
Firmware upgraded by
<admin_name>
System Status
Status page
Firmware downgraded by
<admin_name>
If there is insufficient space for all of the messages within the Alert Message
Console widget, select History to view the entire list in a new window.
To clear alert messages, select the History icon and then select Clear Alert
Messages, which is located at the top of the pop-up window. This will
acknowledge and hide all current alert messages from your FortiGate unit.
Selecting Edit brings up Custom Alert Display options that offers the
customizations for your alert message display:
Statistics
The Statistics widget is designed to allow you to see at a glance what is
happening on your FortiGate unit with regards to network traffic and attack
attempts.
You can quickly see the amount and type of traffic as well as any attack attempts
on your system. To investigate an area that draws your attention, select Details for
a detailed list of the most recent activity.
The information displayed in the statistics widget is derived from log messages
that can be saved to a FortiAnalyzer unit, saved locally, or backed up to an
external source such as a syslog server. You can use this data to see trends in
network activity or attacks over time.
Note: The Email statistics are based on email protocols. POP3 traffic is registered as
incoming email, and SMTP is outgoing email. If incoming or outgoing email does not use
these protocols, these statistics will not be accurate.
For detailed procedures involving the Statistics list, see Viewing Statistics on
page 85.
75
Status page
System Status
Reset
Since
The date and time when the counts were last reset.
Counts are reset when the FortiGate unit reboots, or when you
select Reset.
Reset
Reset the Content Archive and Attack Log statistic counts to zero.
Sessions
Content Archive
Attack Log
CLI Console
The System Status page can include a CLI. To use the console, select it to
automatically log in to the admin account you are currently using in the web-based
manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI
Console.
Figure 31: CLI Console
Customize
The two controls located on the CLI Console widgets title bar are Customize, and
Detach.
76
System Status
Status page
Detach moves the CLI Console widget into a pop-up window that you can resize
and reposition. The two controls on the detached CLI Console are Customize and
Attach. Attach moves the CLI console widget back onto the System Status page.
Customize allows you to change the appearance of the console by defining fonts
and colors for the text and background.
Figure 32: Customize CLI Console window
Preview
Text
Select the current color swatch next to this label, then select a
color from the color palette to the right to change the color of the
text in the CLI Console.
Background
Select the current color swatch next to this label, then select a
color from the color palette to the right to change the color of the
background in the CLI Console.
Use external
command input box
Console buffer length Enter the number of lines the console buffer keeps in memory.
Valid numbers range from 20 to 9999.
Font
Select a font from the list to change the display font of the CLI
Console.
Size
Top Sessions
Top Sessions displays a bar graph representing the IP addresses that have the
most sessions open of the FortiGate unit. The sessions are sorted by either their
source or destination IP address. The sort criteria being used is displayed in the
top right corner.
77
Status page
System Status
The Top Sessions display polls the kernel for session information, and this slightly
impacts the FortiGate unit performance. For this reason when this display is not
shown on the dashboard, it is not collecting data, and not impacting system
performance. When the display is shown, information is only stored in memory
and a reboot will reset the statistics to zero.
The Top Sessions display is not part of the default dashboard display. It can be
displayed by selecting Add Content, and selecting Top Sessions from the drop
down menu.
Selecting edit for Top Sessions allows changes to the:
refresh interval
Sort Criteria
Number of
active
sessions
Destination
IP address
of sessions
Top Viruses
Top Viruses displays a bar graph representing the virus threats that have been
detected most frequently by the FortiGate unit.
The Top Viruses display is not part of the default dashboard display. It can be
displayed by selecting Add Content, and selecting Top Viruses from the drop
down menu.
Selecting the history icon opens a window that displays up to the 20 most recent
viruses that have been detected with information including the virus name, when it
was last detected, and how many times it was detected. The system stores up to
1024 entries, but only displays up to 20 in the GUI.
Selecting the edit icon for Top Viruses allows changes to the:
refresh interval
Top Attacks
Top Attacks displays a bar graph representing the most numerous attacks
detected by the FortiGate unit.
78
System Status
Status page
The Top Attacks display is not part of the default dashboard display. It can be
displayed by selecting Add Content > Top Attacks from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent
attacks that have been detected with information including the attack name, when
it was last detected, and how many times it was detected. The FortiGate unit
stores up to 1024 entries, but only displays up to 20 in the web-based manager.
Selecting the Edit icon for Top Attacks allows changes to the:
refresh interval
Traffic History
The traffic history display shows the traffic on one selected interface over the last
hour, day, and month. This feature can help you locate peaks in traffic that you
need to address as well as their frequency, duration, and other information.
Only one interface at a time can be monitored. You can change the interface
being monitored by selecting Edit, choosing the interface from the drop down
menu, and selecting Apply. Doing this will clear all the traffic history data.
Figure 34: Traffic History
Interface being
monitored
Interface
kbit/s
The units of the traffic graph. The scale varies based on traffic
levels to allow it to show traffic levels no matter how little or how
much traffic there is.
Last 60 Minutes
Last 24 Hours
Last 30 Days
Traffic In
Traffic Out
79
System Status
In the System Information section, select Change on the System Time line.
Select the time zone and then either set the date and time manually or configure
synchronization with an NTP server.
Figure 35: Time Settings
System Time
Refresh
Update the display of the current FortiGate system date and time.
Time Zone
Automatically adjust Select to automatically adjust the FortiGate system clock when your
time zone changes between daylight saving time and standard
clock for daylight
time.
saving changes
Set Time
Select to set the FortiGate system date and time to the values you
set in the Hour, Minute, Second, Year, Month and Day fields.
Synchronize with
NTP Server
Server
Sync Interval
Specify how often the FortiGate unit should synchronize its time
with the NTP server. For example, a setting of 1440 minutes causes
the FortiGate unit to synchronize its time once a day.
80
System Status
In the Host Name field of the System Information section, select Change.
Select OK.
The new host name is displayed in the Host Name field, and in the CLI prompt,
and is added to the SNMP System Name.
For more information about using the USB disk, and the FortiGuard Network see
System Maintenance on page 229.
Figure 36: Firmware Upgrade/Downgrade
Upgrade From
Select the firmware source from the drop down list of available
sources.
Possible sources include Local Hard Disk, USB, and FortiGuard
Network.
Upgrade File
81
System Status
Upgrade Partition
more info
Log into the web-based manager as the super admin, or an administrator account
that has system configuration read and write privileges.
In the System Information section, select Update on the Firmware Version line.
Type the path and filename of the firmware image file, or select Browse and locate
the file.
Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, closes all sessions, restarts, and displays the FortiGate login. This
process takes a few minutes.
82
Go to System > Status and check the Firmware Version to confirm that the
firmware upgrade is successfully installed.
Update antivirus and attack definitions. For information about updating antivirus
and attack definitions, see FortiGuard on page 241.
System Status
Log into the web-based manager as the super admin, or an administrator account
that has system configuration read and write privileges.
In the System Information section, select Update on the Firmware Version line.
Type the path and filename of the firmware image file, or select Browse and locate
the file.
Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware
version, resets the configuration, restarts, and displays the FortiGate login. This
process takes a few minutes.
Go to System > Status and check the Firmware Version to confirm that the
firmware is successfully installed.
10
83
System Status
Select History in the upper right corner of the System Resources section.
Figure 37: Sample system resources history
Time Interval
Session History
Virus History
Intrusion History
84
Download the latest AV definitions update file from Fortinet and copy it to the
computer that you use to connect to the web-based manager.
System Status
Viewing Statistics
In the Update File field, type the path and filename for the AV definitions update
file, or select Browse and locate the AV definitions update file.
Download the latest attack definitions update file from Fortinet and copy it to the
computer that you use to connect to the web-based manager.
In the License Information section, in the IPS Definitions field of the FortiGuard
Subscriptions, select Update.
The Intrusion Prevention System Definitions Update dialog box appears.
In the Update File field, type the path and filename for the attack definitions
update file, or select Browse and locate the attack definitions update file.
Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
Go to System > Status to confirm that the IPS Definitions version information has
updated.
Viewing Statistics
The System Status Statistics provide information about sessions, content
archiving and network protection activity.
85
Viewing Statistics
System Status
Virtual Domain
Refresh Icon
First Page
Previous Page
Page
Enter the page number of the session to start the displayed session list.
For example if there are 5 pages of sessions and you enter 3, page 3 of
the sessions will be displayed.
The number following the / is the number of pages of sessions.
Next Page
Last Page
Total
Select to reset any display filters that may have been set.
Filter Icon
The icon at the top of all columns except #, and Expiry. When selected it
brings up the Edit Filter dialog allowing you to set the display filters by
column. See Adding filters to web-based manager lists on page 58.
Protocol
The service protocol of the connection, for example, udp, tcp, or icmp.
Destination
Address
86
Policy ID
The number of the firewall policy allowing this session or blank if the
session involves only one FortiGate interface (admin session, for
example).
Expiry (sec)
Delete icon
System Status
Viewing Statistics
From
URL
The time that the email passed through the FortiGate unit.
From
To
Subject
87
Viewing Statistics
System Status
Destination
User
Downloads
Uploads
Date / Time
Protocol
Kind
Local
Remote
Direction
88
From
System Status
Viewing Statistics
To
Service
Virus
From
To
Service
Attack
From->To IP
Service
SPAM Type
The time that the attempt to access the URL was detected.
From
URL Blocked
89
Topology
System Status
Topology
The Topology page provides a way to diagram and document the networks
connected to your FortiGate unit. It is available on all FortiGate models except
FortiGate-50 and FortiGate-60. The Topology viewer is not available if Virtual
Domains (VDOMs) are enabled.
Go to System > Status > Topology to view the system topology. The Topology
page consists of a large canvas upon which you can draw a network topology
diagram of your FortiGate installation.
Figure 39: Topology page
Zoom/Edit controls
Text object
Subnet object
Viewport
Viewport
control
90
System Status
Topology
91
Topology
System Status
The FortiGate unit object shows the link status of the units interfaces. Green
indicates the interface is up. Grey indicates the interface is down. Select the
interface to view its IP address and netmask, if assigned.
Address Name
Connect to interface
New addresses
92
Address Name
Type
Subnet / IP Range
System Status
Topology
FQDN
Connect to interface
Preview
Canvas Size
Resize to Image
Background
One of:
Solid - a solid color selected in Background Color
U.S. Map - a map of the United States.
World Map - a map of the world.
Upload My Image - upload the image from Image Path.
Background Color
Image path
Exterior Color
Line Color
Line Width
Reset to Default
93
Topology
94
System Status
Virtual domains
Virtual domains
Enabling VDOMs
Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or
more virtual units that function as multiple independent units. A single FortiGate
unit is then flexible enough to serve multiple departments of an organization,
separate organizations, or be the basis for a service providers managed security
service.
Some benefits of VDOMs are:
Easier administration
Maintain Security
Easier administration
VDOMs provide separate security domains that allow separate zones, user
authentication, firewall policies, routing, and VPN configurations. Using VDOMs
can also simplify administration of complex configurations because you do not
have to manage as many routes or firewall policies at one time. See VDOM
configuration settings on page 97.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all
of the FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall
policies, routing settings, and VPN settings.
Also you can optionally assign an administrator account restricted to that VDOM.
If the VDOM is created to serve an organization, this feature enables the
organization to manage its own configuration.
Management systems such as SNMP, logging, alert email, FDN-based updates
and NTP-based time setting use addresses and routing in the management
VDOM to communicate with the network. They can connect only to network
resources that communicate with the management virtual domain. The
management VDOM is set to root by default, but can be changed. For more
information see Changing the Management VDOM on page 106.
95
Virtual domains
Maintain Security
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can
create firewall policies for connections between VLAN subinterfaces or zones in
the VDOM. Packets do not cross the virtual domain border internally. To travel
between VDOMs a packet must pass through a firewall on a physical interface.
The packet then arrives at another VDOM on a different interface where it must
pass through another firewall before entering. Both VDOMs are on the same
FortiGate unit. Inter-VDOMs change this in that they are internal interfaces,
however their packets go through all the same security measures as on physical
interfaces.
Without VDOMs, administrators can easily access settings across the FortiGate.
This can lead to security issues or far-reaching configuration errors. However,
administrator permissions are specific to one VDOM. An admin on one VDOM
can't change information on another VDOM. Any configuration changes, and
potential errors, will apply only to that VDOM and limit any potential down time.
The remainder of FortiGate functionality is global - it applies to all VDOMs. This
means there is one intrusion prevention configuration, one antivirus configuration,
one web filter configuration, one protection profile configuration, and so on. As
well, VDOMs share firmware versions, antivirus and attack databases. The
operating mode, NAT/Route or Transparent, is independently selectable for each
VDOM. For a complete list of shared configuration settings, see Global
configuration settings on page 98.
If virtual domain configuration is enabled and you log in as the default super
admin, you can go to System > Status and look at Virtual Domain in the License
Information section to see the maximum number of virtual domains supported on
your FortiGate unit.
For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.
96
Virtual domains
System
Zone
Routing Table
(Transparent mode)
Modem
Wireless Monitor
DHCP services
Operation mode
(NAT/Route or
Transparent)
Management IP
(Transparent mode)
Router
Static
Dynamic
Monitor
Firewall
Policy
Address
Service
Schedule
Virtual IP
IP pool
Protection Profile
VPN
IPSec
PPTP
SSL
User
97
Virtual domains
Local
Remote
Directory Service
PKI
User Group
Authentication
Antivirus
File Filter
IPS Sensor
DoS Sensor
Web Filter
Content Block
URL FIlter
Black/White List
User
Alert E-mail
Event Log
Log access
Content Archive
Report Config
Report Access
System
98
Virtual domains
Host name
System Time
Firmware version
Web-based manager
language
Dead gateway
detection
Wireless Settings
HA configuration
HA on page 167
SNMP configuration
Replacement
messages
Administrators
Access profiles
Certificates
FortiManager and
Central Management
configuration
Configuration backup
and restore
Scripts
FDN update
configuration
Antivirus
Quarantine
Configuration
Alert E-mail
Report Config
Report Access
99
Enabling VDOMs
Enabling VDOMs
Using the default admin administration account, you can enable multiple VDOM
operation on the FortiGate unit.
To enable virtual domains
1
When you are in a VDOM, there are reduced menu options available, and a
new Global entry appears.
Only super admin profile accounts can view or configure global options.
One or more administrators can be setup for each VDOM, but can only edit
that VDOMs settings.
When virtual domains are enabled, you can see what the current virtual domain is
by looking at the bottom left of the screen. It will say Current VDOM: followed by
the name of the virtual domain.
100
no
yes
no
yes
no
yes
no
yes
Create VLANs
no
yes
Select Apply.
101
Management VDOM
102
Create New
Select to add a new VDOM. Enter the new VDOM name and
select OK.
The VDOM must not have the same name as an existing VDOM,
VLAN or zone. The VDOM name can be a maximum of 11
characters long without spaces.
Management Virtual
Domain
Apply
Enable
Name
Operation Mode
Interfaces
Comments
Delete icon
Edit icon
Enter icon
Inter-VDOM links
An inter-VDOM link is a pair of interfaces that enable you to communicate
between 2 VDOMs internally without using a physical interface. Inter-VDOM links
have the same security as physical interfaces, but allow more flexible
configurations that are not limited by the number of physical interfaces on your
FortiGate unit. As with all virtual interfaces, the speed of the link depends on the
CPU load but generally it is faster than physical interfaces. There are no MTU
settings for inter-VDOM links. DHCP support includes inter-VDOM links.
A packet can pass through an inter-VDOM link a maximum of three times. This is
to prevent a loop. When traffic is encrypted or decrypted it changes the content of
the packets and this resets the inter-VDOM counter. However using IPIP or GRE
tunnels do not reset the counter.
In HA mode, inter-VDOM links must have both ends of the link within the same
virtual cluster. DHCP over IPSec is supported for inter-VDOM links, however
regular DHCP services are not available.
On the interface screen, an inter-VDOM link has an entry for the link. This can be
expanded to show the 2 virtual interfaces in that link. The type of interface for the
link is VDOM link and each of the virtual interfaces is pair type. Each of the
virtual interfaces is named using the inter-VDOM link name with an added 0 or
1. So if the inter-VDOM link is called vlink the interfaces would be vlink0 and
vlink1.
Note: Inter-VDOM links can not refer to a domain that is in transparent mode.
103
Log in as admin.
Enter the name for the new VDOM link, up to a maximum of 11 characters.
The name must not contain any spaces, or special characters. Hyphens (-) and
underlines (_) are allowed. Remember that the name will have a 0 or 1
attached to the end for the actual interfaces.
Select the VDOM from the menu. This is the VDOM this interface will connect to,
and is different from the VDOM for the other interface in the VDOM link.
Select the administrative access method or methods. Keep in mind that PING,
TELNET, and HTTP are less secure methods.
10
11
Select OK to save your confrontation and return to the System > Interface
screen.
104
DHCP server
zone
routing
firewall policy
IP pool
Instead of deleting a VDOM, you can disable a VDOM. This has the benefit of
preserving your configuration and saving the time to remove and re-configure it
later.
To assign an interface to a VDOM
1
Log in as admin.
Configure other settings as required and select OK. For more information on the
other interfaces settings see Interface settings on page 112.
The interface is assigned to the VDOM. Existing firewall IP pools and virtual IP
addresses for this interface are deleted. You should manually delete any routes
that include this interface, and create new routes for this interface in the new
VDOM. Otherwise your network traffic will not be properly routed.
105
While configuring this admin account, select the VDOM this administrator
manages from the Virtual Domain list.
Select Apply.
SNMP
logging
alert email
FDN-based updates
Before you change the management VDOM, ensure virtual domains are enabled
on the system dashboard screen.
Only one VDOM can be the management VDOM at any given time.
Global events are logged with the VDOM set to the management VDOM.
Note: You cannot change the management VDOM if any administrators are using RADIUS
authentication.
Select the VDOM to be the new management VDOM from the drop down list of
VDOMs.
This drop down list is located to the immediate left of the Apply button.
106
System Network
Interfaces
System Network
This section describes how to configure your FortiGate unit to operate in your
network. Basic network settings include configuring FortiGate interfaces and DNS
settings. More advanced configuration includes adding VLAN subinterfaces and
zones to the FortiGate network configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, you configure most
system network settings globally for the entire FortiGate unit. For example, all
interface settings, including adding interfaces to VDOMs, are part of the global
configuration. However, zones, the modem interface, and the Transparent mode
routing table are configured separately for each virtual domain. For details, see
Using virtual domains on page 95.
This section describes:
Interfaces
Configuring zones
VLAN overview
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate
interface or to a virtual FortiGate VLAN subinterface.
Note: If you can enter both an IP address and a netmask in the same field, you can use the
short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered
as 192.168.1.100/24.
Interfaces
In NAT/Route mode, go to System > Network > Interface to configure FortiGate
interfaces. You can:
add wireless interfaces (FortiWiFi models 50B, 60A, 60AM, and 60B) and
service set identifiers (SSIDs) (see Adding a wireless interface on page 152)
add and configure VDOM links (see Inter-VDOM links on page 103)
107
Interfaces
System Network
configure the modem (see Configuring the modem interface on page 129)
For information about VLANs, see FortiGate units and VLANs on page 139.
Figure 47: Interface list - regular admin view
Figure 48: Interface list - admin view with virtual domains enabled
Create New
Switch Mode
show backplane Select to make the two backplane interfaces visible as port9 and port10.
Once visible these interfaces can be treated as regular physical
interfaces
interfaces.
This option is available only on 5000 models.
Column Settings Select to change the which columns of information about the network
interfaces is displayed. For more information, see Column Settings on
page 110.
108
System Network
Interfaces
Description icon The tooltip for this icon displays the Description field for this interface.
For more information see Interface settings on page 112.
Name
IP/Netmask
Access
Administrative
Status
109
Interfaces
System Network
Link Status
MAC
Mode
MTU
Secondary IP
Type
Virtual Domain
The virtual domain to which the interface belongs. This column is visible
only to the super admin and only when virtual domain configuration is
enabled.
VLAN ID
Column Settings
Go to System > Network > Column Settings to change which information about
the interfaces is displayed.
The VDOM field is only available for display when VDOMs are enabled.
Figure 49: Column Settings
110
Available fields
Right arrow
Move selected fields to the Show these fields in this order list.
Left arrow
System Network
Interfaces
Move up
Move selected item up in the Show these fields in this order list.
The corresponding column is moved to the left on the network
interface display.
Move down
Move selected item down in the Show these fields in this order list.
The corresponding column is moved to the right on the network
interface display.
Switch Mode
The internal interface is a switch with either four or six physical interface
connections, depending on the FortiGate unit model. Normally the internal
interface is configured as a single interface shared by all physical interface
connections - a switch.
The switch mode feature has two states - switch mode and interface mode.
Switch mode is the default mode with only one interface and one address for the
entire internal switch. Interface mode allows you to configure each of the internal
switch physical interface connections separately. This allows you to assign
different subnets and netmasks to each of the internal physical interface
connections.
Note: Interfaces that are part of the switch can not be used for VLANs.
FortiGate unit models 100A and 200A Rev2.0 and higher have four internal
interface connections. The FortiGate-60B and FortiWifi-60B have six internal
interface connections. Consult your release notes for the most current list of
supported models for this feature.
Selecting Switch Mode on the System > Network > Interface screen takes you to
the Switch Mode Management screen.
Caution: Before you are able to change between switch mode and interface mode all
references to internal interfaces must be removed. This includes references such as
firewall policies, routing, DNS forwarding, DHCP services, VDOM interface assignments,
and routing. If they are not removed, you will not be able to switch modes, and you will see
an error message.
Figure 50: Switch Mode Management
Switch Mode
Interface Mode
Switch Mode can also be configured using CLI commands. For more information
see the FortiGate CLI Reference.
111
Interfaces
System Network
Interface settings
Go to System > Network > Interface and select Create New. Selecting the
Create New arrow enables you to create Inter-VDOM links. For more information
on Inter-VDOM links, see Inter-VDOM links on page 103.
Some types of interfaces such as loopback interfaces can only be configured
using CLI commands. For more information see Configuring interfaces with CLI
commands on page 123. To be able to configure a DHCP server on an interface,
that interface must have a static IP address.
You cannot create a virtual IPSec interface on this screen, but you can specify its
endpoint addresses, enable administrative access and provide a description if you
are editing an existing interface. For more information, see Configuring a virtual
IPSec interface on page 122.
Figure 51: Create New Interface settings
112
System Network
Interfaces
Name
Alias
Enter another name for the interface that will easily distinguish this
interface from another. This is available only for physical interfaces
where where you cannot configure the name. The alias can be a
maximum of 15 characters.
The alias name is not part of the interface name, but it will appear in
brackets beside the interface name. It will not appears in logs.
Type
The type of the interfaces. When creating a new interface, this is VLAN
by default.
On models 300A, 310B, 400A, 500A, 620B, 800 and higher, you can
create VLAN, 802.3ad Aggregate, and Redundant interfaces.
On FortiGate 100A and 200A models of Rev2.0 and higher and on
all 60B models, software switch is a valid type. You cannot edit this
type in the GUI.
On FortiWiFi models 50B, 60A, 60AM, and 60B, you can support up
to four SSIDs by adding up to three wireless interfaces (for a total of
four wireless interfaces).
Select the name of the physical interface on which to create the VLAN.
Once created, the VLAN subinterface is listed below its physical
interface in the Interface list.
You cannot change the interface of an existing VLAN subinterface.
This field is only displayed when Type is set to VLAN.
VLAN ID
Virtual Domain Select the virtual domain to which this VLAN subinterface belongs.
Admin accounts with super-admin profile can change the VDOM for a
VLAN when VDOM configuration is enabled. See Using virtual
domains on page 95.
Physical
Interface
Members
This section has two different forms depending on the interface type:
Software switch interface - this section is a display-only field showing
the interfaces that belong to the software switch virtual interface
Available
Interfaces
Select interfaces from this list to include in the grouped interface - either
redundant or aggregate interface. Select the right arrow to add an
interface to the grouped interface.
Selected
interfaces
113
Interfaces
System Network
Addressing
mode
IP/Netmask
DDNS
Select DDNS to configure a Dynamic DNS service for this interface. See
Configuring Dynamic DNS on an interface on page 122.
Ping Server
To enable dead gateway detection, enter the IP address of the next hop
router on the network connected to the interface and select Enable. See
Dead gateway detection on page 137.
PING
HTTP
SSH
SNMP
TELNET
MTU
To change the MTU, select Override default MTU value (1 500) and
enter the MTU size based on the addressing mode of the interface
68 to 1 500 bytes for static mode
Description
Administrative Select either up (green arrow) or down (red arrow) as the status of this
interface.
Status
Up indicates the interface is active and can accept network traffic.
Down indicates the interface is not active and cannot accept traffic.
114
System Network
Interfaces
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
115
Interfaces
System Network
Addressing mode
IPoA
EoA
DHCP
PPPoE
PPPoA
IP/Netmask
Gateway
Connect to Server
Virtual Circuit Identification Enter the VPI and VCI values your ISP provides.
MUX Type
it does not have a IP address and is not configured for DHCP or PPPoE
Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you
will lose the acceleration. For example, if you aggregate two accelerated interfaces you will
get slower throughput than if the two interfaces were separate.
Note: FortiGate-5000 backplane interfaces have to be made visible before they can be
added to an aggregate or a redundant interface.
116
System Network
Interfaces
In the Available Interfaces list, select each interface that you want to include in the
aggregate interface and move it to the Selected Interfaces list.
Select OK.
117
Interfaces
System Network
it is not monitored by HA
Note: FortiGate-5000 backplane interfaces have to be made visible before they can be
added to an aggregate or a redundant interface.
In the Available Interfaces list, select each interface that you want to include in the
redundant interface and move it to the Selected Interfaces list.
In a failover situation, the interface activated will be the next interface down the
Selected Interfaces list.
Select OK.
118
System Network
Interfaces
Status
Obtained
IP/Netmask
Renew
Expiry Date
The time and date when the leased IP address and netmask is no
longer valid.
Only displayed if Status is connected.
Default
Gateway
Distance
119
Interfaces
System Network
Retrieve default
Enable Retrieve default gateway from server to retrieve a default
gateway from server gateway IP address from the DHCP server. The default gateway is
added to the static routing table.
Override internal DNS Enable Override internal DNS to use the DNS addresses retrieved
from the DHCP server instead of the DNS server IP addresses on
the DNS page.
On FortiGate models numbered 100 and lower, you should also
enable Obtain DNS server address automatically in System >
Network > Options. See DNS Servers on page 136.
When VDOMs are enabled, you can override the internal DNS
only on the management VDOM.
Connect to Server
120
System Network
Interfaces
Status
initializing
failed
Password
Unnumbered IP
Specify the IP address for the interface. If your ISP has assigned you a
block of IP addresses, use one of them. Otherwise, this IP address can
be the same as the IP address of another interface or can be any IP
address.
Initial Disc
Timeout
Enter Initial discovery timeout. Enter the time to wait before starting to
retry a PPPoE or PPPoA discovery.
Initial PADT
timeout
Distance
Enter the administrative distance for the default gateway retrieved from
the PPPoE or PPPoA server. The administrative distance, an integer
from 1-255, specifies the relative priority of a route when there are
multiple routes to the same destination. A lower administrative
distance indicates a more preferred route. The default distance for the
default gateway is 1.
Retrieve default
gateway from
server
121
Interfaces
System Network
Override internal Enable Override internal DNS to replace the DNS server IP addresses
on the System DNS page with the DNS addresses retrieved from the
DNS
PPPoE or PPPoA server.
When VDOMs are enabled, you can override the internal DNS only on
the management VDOM.
Connect to server Enable Connect to Server so that the interface automatically attempts
to connect to a PPPoE or PPPoA server when you select OK or Apply.
Disable this option if you are configuring the interface offline.
Enable DDNS.
Server
Select a DDNS server to use. The client software for these services is built
into the FortiGate firmware. The FortiGate unit can connect only to one of
these services.
Domain
Username Enter the user name to use when connecting to the DDNS server.
Password Enter the password to use when connecting to the DDNS server.
Go to System > Network > Interface and select Edit on an IPSec interface to:
122
System Network
Interfaces
configure IP addresses for the local and remote endpoints of the IPSec
interface so that you can run dynamic routing over the interface or use ping to
test the tunnel
Name
Virtual Domain
IP
Remote IP
If you want to use dynamic routing with the tunnel or be able to ping
the tunnel interface, enter IP addresses for the local and remote
ends of the tunnel. These two addresses must not be used
anywhere else in the network.
Administrative
Access
HTTPS
PING
HTTP
SSH
SNMP
TELNET
Description
123
Interfaces
System Network
Loopback interface
Loopback interface
A loopback interface is an always up virtual interface that is not connected to any
other interfaces. Loopback interfaces connect to a Fortigate units interface IP
address without depending on a specific external port.
A loopback interface is not connected to hardware, so it is not affected by
hardware problems. As long as the FortiGate unit is functioning, the loopback
interface is active. This always up feature is useful in dynamic routing where the
Fortigate unit relies on remote routers and the local Firewall policies to access to
the loopback interface.
The CLI command to configure a loopback interface called loop1 with an IP
address of 10.0.0.10 is:
config system interface
edit loop1
set type loopback
set ip 10.0.0.10 255.255.255.0
end
For more information, see config system interface in the FortiGate CLI Reference.
124
System Network
Interfaces
Secondary IP Addresses
Do not change the system idle timeout from the default value of 5 minutes (see
Settings on page 215).
Select OK.
125
Interfaces
System Network
FortiGate models numbered 3 000 and higher support jumbo frames - frames
larger than the traditional 1 500 bytes. Some models support a jumbo frame limit
of 9 000 bytes while others support 16 110 bytes. NP2-accelerated interfaces
support a jumbo frame limit of 16 000 bytes. FA2-accelerated interfaces do not
support jumbo frames. Jumbo frames are much larger than the maximum
standard Ethernet frames (packets) size of 1 500 bytes. As new Ethernet
standards have been implemented (such as Gigabit Ethernet), 1 500 byte frames
remain in the standard for backward compatibility.
To be able to send jumbo frames over a route, all Ethernet devices on that route
must support jumbo frames, otherwise your jumbo frames are not recognized and
are dropped.
If you have standard ethernet and jumbo frame traffic on the same interface,
routing alone cannot route them to different routes based only on frame size.
However you can use VLANs to make sure the jumbo frame traffic is routed over
network devices that support jumbo frames. VLANs will inherit the MTU size from
the parent interface. You will need to configure the VLAN to include both ends of
the route as well as all switches and routers along the route. For more information
on VLAN configurations, see the VLAN and VDOM guide.
To change the MTU size of the packets leaving an interface
1
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
Secondary IP Addresses
An interface can be assigned more than one IP address. You can create and apply
separate firewall policies for each IP address on an interface. You can also
forward traffic and use RIP or OSPF routing with secondary IP addresses.
There can be up to 32 secondary IP addresses per interface including primary,
secondary, and any other IP addresses assigned to the interface. Primary and
secondary IP addresses can share the same ping generator.
The following restrictions must be in place before you are able to assign a
secondary IP address:
126
System Network
Interfaces
IP/Netmask
Ping Server
Administrative
Access
HTTPS
PING
HTTP
SSH
SNMP
TELNET
Add
Secondary IP table
127
Configuring zones
System Network
Enable
Access
Configuring zones
Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation.
You can configure policies for connections to and from a zone, but not between
interfaces in a zone.
You can add zones, rename and edit zones, and delete zones from the zone list.
When you add a zone, you select the names of the interfaces and VLAN
subinterfaces to add to the zone.
Zones are configured from virtual domains. If you have added multiple virtual
domains to your FortiGate configuration, make sure you are configuring the
correct virtual domain before adding or editing zones.
Figure 63: Zone list
Create New
Name
Block intra-zone
traffic
Interface Members Names of the interfaces added to the zone. Interface names depend
on the FortiGate model.
Edit/View icons
Delete icon
Delete a zone.
128
Select OK.
System Network
Zone Name
Block intra-zone
traffic
Interface members Select the interfaces that are part of this zone. This list includes
configured VLANs.
In standalone mode, the modem interface is the connection from the FortiGate
unit to the Internet.
In redundant or standalone mode when connecting to the ISP, you can configure
the FortiGate unit to automatically have the modem dial up to three dialup
accounts until the modem connects to an ISP.
FortiGate models 50AM, 60M have a built-in modem. For these models, you can
configure modem operation in the web-based manager. See Configuring modem
settings.
Other models can connect to an external modem through a USB-to-serial
converter. For these models, you must configure modem operation using the CLI.
Initially modem interfaces are disabled, and must be enabled in the CLI to be
visible in the web-based manager. See the system modem command in the
FortiGate CLI Reference.
Note: The modem interface is not the AUX port. While the modem and AUX port may
appear similar, the AUX port has no associated interface and is used for remote console
connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and
3000A. For more information, see the config system aux command in the FortiGate
CLI Reference.
129
System Network
Figure 65 shows the only the settings specific to standalone mode. The remaining
settings are common to both standalone and redundant modes and are shown in
Figure 66.
Figure 65: Modem settings (Standalone)
130
System Network
Enable Modem
Modem status
Dial Now/Hang Up
Mode
Auto-dial
(Standalone mode)
Dial on demand
(Standalone mode)
Select to dial the modem when packets are routed to the modem
interface. The modem disconnects after the idle timeout period if
there is no network activity.
You cannot select Dial on demand if Auto-dial is selected.
Idle timeout
(Standalone mode)
Redundant for
(Redundant mode)
Select the ethernet interface for which the modem provides backup
service.
Holddown
Timer
(Redundant mode)
(Redundant mode only) Enter the time (1-60 seconds) that the
FortiGate unit waits before switching back to the primary interface
from the modem interface, after the primary interface has been
restored. The default is 1 second. Configure a higher value if you
find the FortiGate unit switching repeatedly between the primary
interface and the modem interface.
131
System Network
Redial Limit
Wireless Modem
IP address connected to
Dialup Account
Phone Number
User Name
Password
132
System Network
Holddown timer
Enter the number of seconds to continue using the modem after the
network connectivity is restored.
Redial Limit
Enter the maximum number of times to retry if the ISP does not
answer.
Dialup Account 1
Dialup Account 2
Dialup Account 3
Enter the ISP phone number, user name and password for up to
three dialup accounts.
Select Apply.
Configure a ping server for the ethernet interface the modem backs up.
See To add a ping server to an interface on page 137.
Configure firewall policies for network connectivity through the modem interface.
See Adding firewall policies for modem connections on page 134.
Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand
Select if you want the modem to connect to its ISP whenever there
are unrouted packets.
Idle timeout
133
System Network
Redial Limit
Enter the maximum number of times to retry if the ISP does not
answer.
Dialup Account 1
Dialup Account 2
Dialup Account 3
Enter the ISP phone number, user name and password for up to
three dialup accounts.
Select Apply.
Configure firewall policies for network connectivity through the modem interface.
See Adding firewall policies for modem connections on page 134.
Go to Router > Static and set device to modem to configure static routes to route
traffic to the modem interface.
See Adding a static route to the routing table on page 262.
Select Apply.
134
System Network
not active
connecting
connected
disconnecting
hung up
The modem has disconnected from the ISP. (Standalone mode only)
The modem will not redial unless you select Dial Now.
Select OK.
Figure 67: Configuring Networking Options - FortiGate models 200 and higher
135
System Network
Figure 68: Configuring Networking Options - FortiGate models 100 and lower
Use the following DNS server This option applies only to FortiGate models 100 and
lower.
addresses
Use the specified Primary and Secondary DNS server
addresses.
Primary DNS Server
Enable DNS forwarding from This option applies only to FortiGate models 100 and
lower operating in NAT/Route mode.
Select the interfaces that forward DNS requests they
receive to the DNS servers that you configured.
Dead Gateway Detection
Detection Interval
Fail-over Detection
Enter the number of times that the ping test fails before
the FortiGate unit assumes that the gateway is no longer
functioning.
DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You
can specify the IP addresses of the DNS servers to which your FortiGate unit
connects. DNS server IP addresses are usually supplied by your ISP.
136
System Network
You can configure FortiGate models numbered 100 and lower to obtain DNS
server addresses automatically. To obtain these addresses automatically, at least
one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See
Configuring DHCP on an interface on page 118 or Configuring an interface for
PPPoE or PPPoA on page 120.
FortiGate models 100 and lower can provide DNS Forwarding on their interfaces.
Hosts on the attached network use the interface IP address as their DNS server.
DNS requests sent to the interface are forwarded to the DNS server addresses
that you configured or that the FortiGate unit obtained automatically.
Set Ping Server to the IP address of the next hop router on the network.
Select Enable.
Select OK.
Ensure your FortiGate unit is in Transparent mode. For more details see
Changing operation mode on page 193.
Create New
IP
137
VLAN overview
System Network
Mask
Gateway
The IP address of the next hop router to which the route directs traffic.
Distance
Delete icon
Remove a route.
View/edit icon
Move To icon
Select OK.
Figure 70: Transparent mode route settings
Destination IP Enter the destination IP address and netmask for the route.
/Mask
To create a default route, set the Destination IP and Mask to 0.0.0.0.
Gateway
Enter the IP address of the next hop router to which the route directs
traffic. For an Internet connection, the next hop routing gateway routes
traffic to the Internet.
Distance
VLAN overview
A VLAN is group of PCs, servers, and other network devices that communicate as
if they were on the same LAN segment, regardless of their location. For example,
the workstations and servers for an accounting department could be scattered
throughout an office or city and connected to numerous network segments, but
still belong to the same VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated
as a broadcast domain. Devices in VLAN 1 can connect with other devices in
VLAN 1, but cannot connect with devices in other VLANs. The communication
among devices on a VLAN is independent of the physical network.
138
System Network
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets
sent and received by the devices in the VLAN. VLAN tags are 4-byte frame
extensions that contain a VLAN identifier as well as other information.
For more information on VLANs, see the FortiGate VLANs and VDOMs Guide.
Figure 71: Basic VLAN topology
Internet
Untagged packets
Router
VL AN 1
VL AN 2
VL AN 1
VLAN Switch
VL AN 1 Network
VL AN 2
VL AN 2 Network
139
System Network
FortiGate units in NAT/Route mode can use VLANs for constructing VLAN trunks
between an IEEE 802.1Q-compliant switch (or router) and the FortiGate units.
Normally the FortiGate unit internal interface connects to a VLAN trunk on an
internal switch, and the external interface connects to an upstream Internet router.
The FortiGate unit can then apply different policies for traffic on each VLAN that
connects to the internal interface.
When constructing VLAN trunks, you add VLAN subinterfaces that have VLAN
IDs that match the VLAN IDs of packets in the VLAN trunk to the FortiGate internal
interface. If the IDs dont match, traffic will not be delivered. The FortiGate unit
directs packets with VLAN IDs to subinterfaces with matching VLAN IDs. For
example packets from the sending system VLAN ID#101 are delivered to the
recipient systems VLAN ID#101.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate
unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN
tags from incoming packets and add different VLAN tags to outgoing packets.
140
System Network
Internet
Untagged packets
External 172.16.21.2
FortiGate unit
Internal 192.168.110.126
802.1Q
trunk
Fa 0/24
VLAN 100
Fa 0/9
Fa 0/3
VLAN Switch
VLAN 200
Select the physical interface that receives the VLAN packets intended for this
VLAN subinterface.
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
If you are an administrator with a super-admin profile, you can create VLAN
subinterfaces for any virtual domain. If not, you can only create VLAN
subinterfaces in your own VDOM.
See Using virtual domains on page 95 for information about virtual domains.
141
System Network
Select OK.
The FortiGate unit adds the new VLAN subinterface to the interface that you
selected in step 4.
To add firewall policies for a VLAN subinterface
After you add a VLAN subinterface you can add firewall policies for connections
between a VLAN subinterface or from a VLAN subinterface to a physical interface.
Select Create New to add firewall addresses that match the source and
destination IP addresses of VLAN packets.
See About firewall addresses on page 315.
142
System Network
Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode.
This includes VLANs. If no other interfaces are configured for a VDOM, you can configure
up to 255 VLANs in that VDOM.
VLAN2
VLAN Switch
or router
VLAN1
External
VLAN1
VLAN2
VLAN3
VLAN
trunk
Internet
VLAN Switch
or router
VLAN3
Internet
Router
Untagged packets
VLAN Switch
VLAN Trunk
VL AN 1
VL AN 2
VL AN 3
FortiGate unit
in Transparent mode
VLAN Trunk
VL AN 1
VL AN 2
VL AN 3
VLAN Switch
VL AN 1
VL AN 1 Network
VL AN 2
VL AN 2 Network
VL AN 3
VL AN 3 Network
143
System Network
Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.
Note: A VLAN must not have the same name as a virtual domain or zone.
Select the physical interface that receives the VLAN packets intended for this
VLAN subinterface.
Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
Select OK.
The FortiGate unit adds the new subinterface to the interface that you selected in
step 4.
144
System Network
Select Create New to add firewall addresses that match the source and
destination IP addresses of VLAN packets.
See About firewall addresses on page 315.
ARP Forwarding
One solution to the duplicate ARP packet problem is to enable ARP forwarding.
When ARP forwarding is enabled, the Fortigate unit allows duplicate ARP packets
that resolve the delivery problems caused by duplicate ARP packets. However,
this also opens up your network to potential hacking attempts that spoof packets.
For more secure solutions, see the FortiGate VLANs and VDOMs Guide.
145
146
System Network
System Wireless
System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi
units. The majority of this section is applicable to all FortiWiFi units. Where
indicated, some features may not be available on the FortiWiFi-60.
If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and
wireless monitor are configured separately for each virtual domain. System
wireless settings are configured globally. For details, see Using virtual domains
on page 95.
This section describes:
Channel assignments
Wireless Monitor
Provide an access point that clients with wireless network cards can connect
to. This is called Access Point mode, which is the default mode. All FortiWiFi
units except the FortiWiFi-60 can have up to 4 wireless interfaces.
or
Connect the FortiWiFi unit to another wireless network. This is called Client
mode. A FortiWiFi unit operating in client mode can also can only have one
wireless interface.
Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys
or RADIUS servers
147
Channel assignments
System Wireless
Channel assignments
Depending on the wireless protocol selected, you have specific channels available
to you, depending on what region of the world you are in. Set the channel for the
wireless network by going to System > Wireless > Settings. For more
information see System wireless settings on page 150.
The following tables list the channel assignments for wireless networks for each
supported wireless protocol.
148
Channel
number
Frequency
(MHz)
34
5170
36
5180
38
5190
40
5200
42
5210
44
5220
46
5230
48
5240
52
5260
56
5280
60
5300
64
5320
149
5745
153
5765
157
5785
161
5805
Regulatory Areas
Americas
Europe
Taiwan
Singapore
Japan
System Wireless
Channel assignments
Frequency
(MHz)
2412
2417
2422
2427
2432
2437
2442
2447
2452
10
2457
11
2462
12
2467
13
2472
14
2484
Regulatory Areas
Americas
EMEA
Israel
Japan
149
System Wireless
2412
2417
2422
2427
2432
2437
2442
2447
2452
10
2457
11
2462
12
2467
13
2472
14
2484
Israel
CCK
Japan
ODFM
CCK
ODFM
By default the FortiWiFi unit includes one wireless interface, called wlan. If you are
operating your FortiWiFi unit in access point mode, you can add up to three more
wireless interfaces. All wireless interfaces use the same wireless parameters.
That is, you configure the wireless settings once, and all wireless interfaces use
those settings. For details on adding more wireless interfaces, see Adding a
wireless interface on page 152.
When operating the FortiWiFi in Client mode, wireless settings are not
configurable.
150
System Wireless
Geography
Channel
Select a channel for your wireless network or select Auto. The channels
that you can select depend on the Geography setting. See Channel
assignments on page 148 for channel information.
Tx Power
Set the transmitter power level. The higher the number, the larger the
area the FortiWiFi will broadcast. If you want to keep the wireless signal
to a small area, enter a smaller number.
Beacon Interval Set the interval between beacon packets. Access Points broadcast
Beacons or Traffic Indication Messages (TIM) to synchronize wireless
networks.
A higher value decreases the number of beacons sent, however it may
delay some wireless clients from connecting if it misses a beacon
packet.
Decreasing the value will increase the number of beacons sent, while
this will make it quicker to find and connect to the wireless network, it
requires more overhead, slowing throughput.
Wireless interface list
Interface
The name of the wireless interface. To add more wireless interfaces, see
Adding a wireless interface on page 152.
MAC Address
SSID
The wireless service set identifier (SSID) or network name for the
wireless interface. Clients who want to use the wireless interface must
configure their computers to connect to the network that broadcasts this
network name.
151
System Wireless
SSID Broadcast Green checkmark icon indicates that the wireless interface broadcasts
its SSID. Broadcasting the SSID makes it possible for clients to connect
to your wireless network without first knowing the SSID.
Security Mode
Displays information about the security mode for the wireless interface.
Name
Enter a name for the wireless interface. The name cannot be the
same as an existing interface, zone or VDOM.
Type
Select Wireless.
Address Mode
Administrative
Access
In the Wireless Settings section, complete the following and select OK:
Figure 76: Wireless interface settings (WEP64)
152
System Wireless
SSID
Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must
configure their computers to connect to the network that broadcasts this
network name.
SSID
Broadcast
Security mode Select the security mode for the wireless interface. Wireless users must
use the same security mode to be able to connect to this wireless
interface.
None has no security. Any wireless user can connect to the wireless
network.
Wi-Fi protected access (WPA) security. To use WPA you must select
a data encryption method. You must also enter a pre-shared key
containing at least eight characters or select a RADIUS server. If you
select a RADIUS server the wireless clients must have accounts on
the RADIUS server.
WPA2 provides more security features and is more secure than WPA.
To use WPA2 you must select a data encryption method and enter a
pre-shared key containing at least eight characters or select a
RADIUS server. If you select a RADIUS server the wireless clients
must have accounts on the RADIUS server.
Key
Enter the security key. This field appears when selecting WEP64 or
WEP128 security.
Data
Encryption
Pre-shared Key Enter the pre-shared key. This field appears when selecting WPA,
WPA2, or WPA2 Auto security.
RADIUS Server Select to use a RADIUS server when selecting WPA or WPA2 security.
You can use WPA or WPA2 Radius security to integrate your wireless
network configuration with a RADIUS or Windows AD server. Select a
RADIUS server name from the list. You must configure the Radius server
by going to User > RADIUS. For more information, see RADIUS
servers on page 424.
153
System Wireless
MAC Address
154
Geography
Channel
Select a channel for your wireless network or select Auto. The channels
that you can select depend on the Geography setting. See Channel
assignments on page 148 for channel information.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
System Wireless
SSID
Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must
configure their computers to connect to the network that broadcasts this
network name.
SSID Broadcast Select to broadcast the SSID. Broadcasting the SSID enables clients to
connect to your wireless network without first knowing the SSID. For
better security, do not broadcast the SSID. If the interface is not
broadcast, there is less chance of an unwanted user connecting to your
wireless network. If you choose not to broadcast the SSID, you need to
inform users of the SSID so they can configure their wireless devices.
Security mode
Key
Select the security mode for the wireless interface. Wireless users must
use the same security mode to be able to connect to this wireless
interface.
None has no security. Any wireless user can connect to the wireless
network.
Wi-Fi protected access (WPA) security. To use WPA you must select
a data encryption method. You must also enter a pre-shared key
containing at least eight characters or select a RADIUS server. If you
select a RADIUS server the wireless clients must have accounts on
the RADIUS server.
Enter the security key. This field appears when selecting WEP64 or
WEP128 security.
Pre-shared Key Enter the pre-shared key. This field appears when selecting WPA
security.
Radius Server
Name
Select to use a RADIUS server when selecting WPA security. You can
use WPA Radius security to integrate your wireless network
configuration with a RADIUS or Windows AD server. Select a RADIUS
server name from the list. You must configure the Radius server by
going to User > RADIUS. For more information, see RADIUS servers
on page 424.
Advanced
Tx Power
Set the transmitter power level. The higher the number, the larger the
area the FortiWiFi will broadcast. If you want to keep the wireless signal
to a small area, enter a smaller number.
Beacon Interval Set the interval between beacon packets. Access Points broadcast
Beacons or Traffic Indication Messages (TIM) to synchronize wireless
networks.
A higher value decreases the number of beacons sent, however it may
delay some wireless clients from connecting if it misses a beacon
packet.
Decreasing the value will increase the number of beacons sent, while
this will make it quicker to find and connect to the wireless network, it
requires more overhead, slowing throughput.
155
System Wireless
Set the maximum size of a data packet before it is broken into smaller
packets, reducing the chance of packet collisions. If the packet size is
larger than the threshold, the FortiWiFi unit will fragment the
transmission. If the packet is smaller than the threshold, the FortiWiFi
unit will not fragment the transmission.
A setting of 2346 bytes effectively disables this option.
156
System Wireless
MAC address
The list of MAC addresses in the MAC filter list for the wireless
interface.
List Access
Allow or deny access to the listed MAC addresses for the wireless
interface.
Enable
Select to enable the MAC filtering for the wireless interface. When
not selected MAC filtering options are not applied to the interface.
Edit icon
Select to allow or deny the addresses in the MAC Address list from
accessing the wireless network.
MAC Address
Add
Remove
Select one or more MAC addresses in the list and select Remove to
deleted the MAC addresses from the list.
157
System Wireless
Select to enable the MAC filtering for the wireless interface. When
not selected MAC filtering options are not applied to the interface.
Access for PCs not Select whether to allow or deny access to unlisted MAC addresses.
listed below
158
MAC Address
Allow or Deny
Add
Allow List
Deny List
Arrow buttons
Remove (below
Allow list)
Remove (below
Deny list)
System Wireless
Wireless Monitor
Wireless Monitor
Go to System > Wireless > Monitor to see who is connected to your wireless
LAN.
Figure 82: FortiWiFi-50B, 60A, 60AM, and 60B wireless monitor
Statistics
AP Name
Frequency
Noise (dBm)
S/N (dB)
Rx (KBytes)
Tx (KBytes)
Clients
MAC Address
IP Address
AP Name
ID
159
Wireless Monitor
160
System Wireless
System DHCP
System DHCP
This section describes how to use DHCP to provide convenient automatic network
configuration for your clients.
DHCP is not available in Transparent mode. DHCP requests are passed through
the FortiGate unit when it is in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured
separately for each virtual domain. For details, see Using virtual domains on
page 95.
This section describes:
An interface cannot provide both a server and a relay for connections of the same
type (regular or IPSec).
Note: You can configure a Regular DHCP server on an interface only if the interface has a
static IP address. You can configure an IPSec DHCP server on an interface that has either
a static or a dynamic IP address.
You can configure one or more DHCP servers on any FortiGate interface. A
DHCP server dynamically assigns IP addresses to hosts on the network
connected to the interface. The host computers must be configured to obtain their
IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP
server for each network. The IP range of each DHCP server must match the
network address range. The routers must be configured for DHCP relay.
To configure a DHCP server, see Configuring a DHCP server on page 163.
You can configure a FortiGate interface as a DHCP relay. The interface forwards
DHCP requests from DHCP clients to an external DHCP server and returns the
responses to the DHCP clients. The DHCP server must have appropriate routing
so that its response packets to the DHCP clients arrive at the FortiGate unit.
161
System DHCP
192.168.1.110 to 192.168.1.210
Netmask
255.255.255.0
Default gateway
192.168.1.99
Lease time
7 days
DNS Server 1
192.168.1.99
Note: An interface must have a static IP before you configure a DHCP server on it.
These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to
change the DHCP server settings to match.
Figure 84: DHCP service list - FortiGate-200A shown
Edit
Delete
Add DHCP Server
162
System DHCP
Interface
Server Name/
Relay IP
Type
Enable
Add DHCP Server Select to configure and add a DHCP server for this interface.
icon
Edit icon
Delete icon
Interface Name
DHCP Relay Agent Select to enable the DHCP relay agent on this interface.
Type
DHCP Server IP
Enter the IP address of the DHCP server that will answer DHCP
requests from computers on the network connected to the interface.
Select the select the Add DHCP Server icon to create a new DHCP server, or
select the Edit icon beside an existing DHCP server to change its settings.
Select OK.
163
System DHCP
164
Name
Enable
Type
IP Range
Enter the start and end for the range of IP addresses that this DHCP
server assigns to DHCP clients.
Network Mask
Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway
Enter the IP address of the default gateway that the DHCP server
assigns to DHCP clients.
Domain
Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time
Advanced
DNS Server 1
DNS Server 2
DNS Server 3
WINS Server 1
WINS Server 2
Add the IP addresses of one or two WINS servers that the DHCP
server assigns to DHCP clients.
Option 1
Option 2
Option 3
System DHCP
Exclude Ranges
Add
Starting IP
End IP
Delete icon
Interface
Refresh
IP
MAC
Expire
165
166
System DHCP
System Config
HA
System Config
This section describes the configuration of several non-network features, such as
HA, SNMP, custom replacement messages, and Operation mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and
replacement messages are configured globally for the entire FortiGate unit.
Changing operation mode is configured for each individual VDOM. For details,
see Using virtual domains on page 95.
This section describes:
HA
SNMP
Replacement messages
HA
FortiGate high availability (HA) provides a solution for two key requirements of
critical enterprise networking components: enhanced reliability and increased
performance. This section contains a brief description of HA web-based manager
configuration options, the HA cluster members list, HA statistics, and
disconnecting cluster members.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured
globally for the entire FortiGate unit. For details, see Using virtual domains on
page 95.
For complete information about how to configure and operate FortiGate HA
clusters see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet
Knowledge Center.
HA is not available on FortiGate models 50Aand 50AM. HA is available on all
other FortiGate models, including the FortiGate-50B.
The following topics are included in this section:
HA options
Viewing HA statistics
HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the
configuration of an operating cluster or cluster member.
To configure HA options so that a FortiGate unit can join an HA cluster, go to
System > Config > HA.
167
HA
System Config
You can configure HA options for a FortiGate unit with virtual domains (VDOMs)
enabled by logging into the web-based manager as the global admin administrator
and then going to System > Config > HA.
Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual
clustering. Most virtual cluster HA options are the same as normal HA options. However,
virtual clusters include VDOM partitioning options. Other differences between configuration
options for regular HA and for virtual clustering HA are described below and in the
FortiGate HA Overview and the FortiGate HA Guide.
168
System Config
HA
Mode
Select an HA mode for the cluster or return the FortiGate units in the
cluster to standalone mode. When configuring a cluster, you must set all
members of the HA cluster to the same HA mode. You can select
Standalone (to disable HA), Active-Passive, or Active-Active. If virtual
domains are enabled you can select Active-Passive or Standalone.
Device Priority
Optionally set the device priority of the cluster unit. Each cluster unit can
have a different device priority. During HA negotiation, the unit with the
highest device priority usually becomes the primary unit.
In a virtual cluster configuration, each cluster unit can have two device
priorities, one for each virtual cluster. During HA negotiation, the unit
with the highest device priority in a virtual cluster becomes the primary
unit for that virtual cluster.
Changes to the device priority are not synchronized. You can accept the
default device priority when first configuring a cluster. When the cluster
is operating you can change the device priority for different cluster units
as required.
169
HA
System Config
Group Name
Enter a name to identify the cluster. The maximum length of the group
name is 32 characters. The group name must be the same for all cluster
units before the cluster units can form a cluster. After a cluster is
operating, you can change the group name. The group name change is
synchronized to all cluster units.
The default group name is FGT-HA. You can accept the default group
name when first configuring a cluster. When the cluster is operating you
can change the group name, if required. Two clusters on the same
network cannot have the same group name.
Password
Enable Session Select to enable session pickup so that if the primary unit fails, all
sessions are picked up by the cluster unit that becomes the new primary
pickup
unit.
Session pickup is disabled by default. You can accept the default setting
for session pickup and then chose to enable session pickup after the
cluster is operating.
Port Monitor
170
System Config
HA
Heartbeat
Interface
port2 through 9
port10
Hash map order sorts interfaces in the following order:
port1
port10
If you are configuring virtual clustering, you can set the virtual domains
to be in virtual cluster 1 and the virtual domains to be in virtual cluster 2.
The root virtual domain must always be in virtual cluster 1. For more
information about configuring VDOM partitioning, see the FortiGate HA
Overview.
171
HA
System Config
Up and Down
Arrows
If virtual domains are enabled, you can display the cluster members list to view the
status of the operating virtual clusters. The virtual cluster members list shows the
status of both virtual clusters including the virtual domains added to each virtual
cluster.
To display the virtual cluster members list for an operating cluster log in as the
global admin administrator and go to System > Config > HA.
Figure 91: Example FortiGate-5001SX virtual cluster members list
Up and Down
Arrows
View HA Statistics
Up and down arrows Changes the order of cluster members in the list. The operation of
the cluster or of the units in the cluster are not affected. All that
changes is the order of the units on the cluster members list.
172
System Config
HA
Cluster member
Hostname
The host name of the FortiGate unit. The default host name of the
FortiGate unit is the FortiGate unit serial number.
To change the primary unit host name, go to System > Status
and select Change beside the current host name.
Role
Priority
The device priority of the cluster unit. Each cluster unit can have a
different device priority. During HA negotiation, the unit with the
highest device priority becomes the primary unit.
The device priority range is 0 to 255.
Disconnect from
cluster
Edit
Download debug log Select to download an encrypted debug log to a file. You can send
this debug log file to Fortinet Technical Support
(http://support.fortinet.com) to help diagnose problems with the
cluster or with individual cluster units.
Viewing HA statistics
From the cluster members list, you can select View HA statistics to display the
serial number, status, and monitor information for each cluster unit. To view HA
statistics, go to System > Config > HA and select View HA Statistics.
173
HA
System Config
Refresh every
Back to HA monitor Select to close the HA statistics list and return to the cluster members
list.
Unit
Status
Up Time
The time in days, hours, minutes, and seconds since the cluster unit
was last started.
Monitor
CPU Usage
Memory Usage
Active Sessions
Total Packets
The number of packets that have been processed by the cluster unit
since it last started up.
Virus Detected
Network Utilization The total network bandwidth being used by all of the cluster unit
interfaces.
Total Bytes
The number of bytes that have been processed by the cluster unit
since it last started up.
174
System Config
HA
To change the host name and device priority of a subordinate unit in an operating
cluster with virtual domains enabled, log in as the global admin administrator and
go to System > Config > HA to display the cluster members list. Select Edit for
any slave (subordinate) unit in the cluster members list.
You can change the host name (Peer) and device priority (Priority) of this
subordinate unit. These changes only affect the configuration of the subordinate
unit.
Figure 93: Changing the subordinate unit host name and device priority
Peer
Priority
Serial Number
Displays the serial number of the cluster unit to be disconnected from the
cluster.
Interface
Select the interface that you want to configure. You also specify the IP
address and netmask for this interface. When the FortiGate unit is
disconnected, all management access options are enabled for this
interface.
IP/Netmask
Specify an IP address and netmask for the interface. You can use this IP
address to connect to this interface to configure the disconnected
FortiGate unit.
175
SNMP
System Config
SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware
on your network. You can configure the hardware, or FortiGate SNMP agent, to
report system information and send traps (alarms or event messages) to SNMP
managers. An SNMP manager is a computer running an application that can read
the incoming traps from the agent and track the information.
Using an SNMP manager, you can access SNMP traps and data from any
FortiGate interface or VLAN subinterface configured for SNMP management
access.
Note: Part of configuring an SNMP manager is to list it as a host in a community on the
FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps
from that FortiGate unit, or be able to query it.
Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Figure 95: Configuring SNMP
176
SNMP Agent
Description
Location
Enter the physical location of the FortiGate unit. The system location
description can be up to 35 characters long.
Contact
Enter the contact information for the person responsible for this
FortiGate unit. The contact information can be up to 35 characters.
Apply
Create New
Communities
System Config
SNMP
Name
Queries
The status of SNMP queries for each SNMP community. The query
status can be enabled or disabled.
Traps
The status of SNMP traps for each SNMP community. The trap
status can be enabled or disabled.
Enable
Delete icon
Edit/View icon
177
SNMP
System Config
178
Community Name
Hosts
Enter the IP address and Identify the SNMP managers that can use
the settings in this SNMP community to monitor the FortiGate unit.
IP Address
Interface
Optionally select the name of the interface that this SNMP manager
uses to connect to the FortiGate unit. You only have to select the
interface if the SNMP manager is not on the same subnet as the
FortiGate unit. This can occur if the SNMP manager is on the
Internet or behind a router.
In virtual domain mode, the interface must belong to the
management VDOM to be able to pass SNMP traps.
Delete
Add
Add a blank line to the Hosts list. You can add up to 8 SNMP
managers to a single community.
Queries
Enter the Port number (161 by default) that the SNMP managers in
this community use for SNMP v1 and SNMP v2c queries to receive
configuration information from the FortiGate unit. Select the Enable
check box to activate queries for each SNMP version.
Traps
Enter the Local and Remote port numbers (port 162 for each by
default) that the FortiGate unit uses to send SNMP v1 and SNMP
v2c traps to the SNMP managers in this community. Select the
Enable check box to activate traps for each SNMP version.
SNMP Event
Enable each SNMP event for which the FortiGate unit should send
traps to the SNMP managers in this community.
CPU overusage traps sensitivity is slightly reduced, by spreading
values out over 8 polling cycles. This prevents sharp spikes due to
CPU intensive short-term events such as changing a policy.
Power Supply Failure event trap is available only on FortiGate3810A, and FortiGate-3016B units.
System Config
SNMP
Select OK.
To configure SNMP access (Transparent mode)
Enter the IP address that you want to use for management access and the
netmask in the Management IP/Netmask field.
Select Apply.
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard
RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of
RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to
FortiGate unit configuration.
The FortiGate MIB is listed in Table 10 along with the two RFC MIBs. You can
obtain these MIB files from Fortinet technical support. To be able to communicate
with the SNMP agent, you must compile all of these MIBs into your SNMP
manager.
Your SNMP manager may already include standard and private MIBs in a
compiled database that is ready to use. You must add the Fortinet proprietary MIB
to this database. If the standard MIBs used by the Fortinet SNMP agent are
already compiled into your SNMP manager you do not have to compile them
again.
Table 10: Fortinet MIBs
MIB file name or RFC
Description
FORTIOS-300.mib
179
SNMP
System Config
FortiGate traps
The FortiGate agent can send traps to SNMP managers that you have added to
SNMP communities. To receive traps, you must load and compile the Fortinet 3.0
MIB into the SNMP manager.
FortiManager related traps are only sent if a FortiManager unit is configured to
manage this FortiGate unit.
All traps sent include the trap message as well as the FortiGate unit serial number
and hostname.
Table 11: Generic FortiGate traps
Trap message
Description
ColdStart
WarmStart
LinkUp
LinkDown
fnTrapTest
Description
CPU usage exceeds 80%. This threshold can be set in the CLI
using config system global.
Memory low
(fnTrapMemLow)
Interface IP change
(fnTrapIpChange)
Description
VPN tunnel is up
(fnTrapVpnTunUp)
(fnVpnTrapLocalGateway)
180
System Config
SNMP
Description
IPS Anomaly
(fnTrapIpsAnomaly)
IPS Signature
(fnTrapIpsSignature)
(fnIpsTrapSigId)
(fnIpsTrapSrcIp)
(fnIpsTrapSigMsg)
Description
Virus detected
(fnTrapAvVirus)
Oversize file/email detected The FortiGate unit antivirus scanner detects an oversized
file.
(fnTrapAvOversize)
Filename block detected
(fnTrapAvPattern)
(fnTrapAvEnterConserve)
(fnTrapAvBypass)
(fnTrapAvOversizePass)
(fnTrapAvOversizeBlock)
(fnAvTrapVirName)
Description
Log full
(fnTrapLogFull)
181
SNMP
System Config
Description
HA switch
(fnTrapHaSwitch)
HA Heartbeat Failure
(fnTrapHaHBFail)
(fnTrapHaMemberDown)
(fnTrapHaMemberUp)
(fnTrapHaStateChange)
(fnHaTrapMemberSerial)
Description
Description
(fnFMTrapDeployComplete)
(fnFMTrapDeployInProgress)
(fnFMTrapConfChange)
(fnFMTrapIfChange)
182
System Config
SNMP
Description
fnSysModel
fnSysSerial
fnSysVersion
fnSysVersionAv
fnSysVersionNids
fnSysHaMode
fnSysOpMode
fnSysCpuUsage
fnSysMemUsage
fnSysSesCount
Description
fnHaGroupId
fnHaPriority
fnHaOverride
fnHaAutoSync
fnHaStatsTable
fnHaStatsIndex
fnHaStatsSerial
fnHaStatsCpuUsage
fnHaStatsMemUsage
fnHaStatsNetUsage
fnHaStatsSesCount
fnHaStatsPktCount
fnHaStatsByteCount
fnHaStatsIdsCount
fnHaStatsAvCount
fnHaStatsHostname
183
SNMP
System Config
Description
fnAdminNumber
fnAdminTable
Table of administrators.
fnAdminIndex
fnAdminName
fnAdminAddr
fnAdminMask
Description
fnUserNumber
fnUserTable
fnUserName
fnUserAuth
fnUserState
Description
fnOptIdleTimeout
The idle period in minutes after which the administrator must reauthenticate.
fnOptAuthTimeout
fnOptLanguage
fnOptLcdProtection
184
MIB field
Description
fnLogOption
Logging preferences.
System Config
SNMP
Description
Description
Description
fnVdNumber
fnVdMaxVdoms
fnVdEnabled
fnVdTable
fnVdIndex
fnVdName
fnVdSesCount
fnVdOpMode
185
SNMP
System Config
Description
fnIpSessIndex
fnIpSessProto
fnIpSessToPort
fnIpSessToAddr
fnIpSessExp
fnIpSessVdom
Description
186
MIB field
Description
fnVpnDialupIndex
fnVpnDialupGateway
fnVpnDialupLifetime
fnVpnDialupTimeout
fnVpnDialupSrcBegin
fnVpnDialupSrcEnd
fnVpnDialupDstAddr
fnVpnDialupVdom
fnVpnDialupInOctets
fnVpnDialupOutOctets
System Config
SNMP
Description
fnVpnTunEntIndex
fnVpnTunEntPhase1Name
fnVpnTunEntPhase2Name
fnVpnTunEntRemGwyIp
fnVpnTunEntRemGwyPort
fnVpnTunEntLocGwyIp
fnVpnTunEntLocGwyPort
fnVpnTunEntSelectorSrcBeginIp
fnVpnTunEntSelectorSrcEndIp
fnVpnTunEntSelectorSrcPort
fnVpnTunEntSelectorDstBeginIp
fnVpnTunEntSelectorDstEndIp
fnVpnTunEntSelectorDstPort
fnVpnTunEntSelectorProto
fnVpnTunEntLifeSecs
fnVpnTunEntLifeBytes
fnVpnTunEntTimeout
fnVpnTunEntInOctets
fnVpnTunEntOutOctets
fnVpnTunEntStatus
fnVpnTunEntVdom
187
Replacement messages
System Config
Replacement messages
Go to System > Config > Replacement Messages to change replacement
messages and customize alert email and information that the FortiGate unit adds
to content streams such as email messages, web pages, and FTP sessions.
The FortiGate unit adds replacement messages to a variety of content streams.
For example, if a virus is found in an email message, the file is removed from the
email and replaced with a replacement message. The same applies to pages
blocked by web filtering and email blocked by spam filtering.
188
System Config
Replacement messages
Name
ftp sessions
Description
Edit or view
icon
Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept
before the firewall policy is in effect. Therefore, the user must initiate an HTTP traffic first in
order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the
user can send whatever traffic is allowed by the firewall policy.
189
Replacement messages
System Config
Replacement messages can be text or HTML messages. You can add HTML code
to HTML messages. Allowed Formats shows you which format to use in the
replacement message. There is a limitation of 8192 characters for each
replacement message. The following fields and options are available when editing
a replacement message. Different replacement messages have different sets of
fields and options.
Message Setup
Allowed Formats
Size
Message Text
Description
%%AUTH_LOGOUT%%
The URL that will immediately delete the current policy and close
the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL The auth-keepalive page can prompt the user to open a new
%%
window which links to this tag.
%%CATEGORY%%
%%DEST_IP%%
%%EMAIL_FROM%%
The email address of the sender of the message from which the
file was removed.
%%EMAIL_TO%%
The name of a file that has been removed from a content stream.
This could be a file that contained a virus or was blocked by
antivirus file blocking. %%FILE%% can be used in virus and file
block messages.
190
System Config
Replacement messages
Description
%%OVERRIDE%%
%%OVRD_FORM%%
The FortiGuard web filter block override form. This tag must be
present in the FortiGuard Web Filtering override form and should
not be used in other replacement messages.
%%PROTOCOL%%
The protocol (http, ftp, pop3, imap, or smtp) in which a virus was
detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%% The name of a file that has been removed from a content stream
and added to the quarantine. This could be a file that contained a
virus or was blocked by antivirus file blocking.
%%QUARFILENAME%% can be used in virus and file block
messages. Quarantining is only available on FortiGate units with a
local disk.
%%QUESTION%%
%%SERVICE%%
%%SOURCE_IP%%
%%TIMEOUT%%
%%URL%%
The URL of a web page. This can be a web page that is blocked
by web filter content or URL blocking. %%URL%% can also be used
in http virus and file block messages to be the URL of the web
page from which a user attempted to download a file that is
blocked.
%%VIRUS%%
The login page must be an HTML page containing a form with ACTION="/" and
METHOD="POST"
Example
The following is an example of a simple authentication page that meets the
requirements listed above.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
191
Replacement messages
System Config
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%"
TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0"
CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text">
</TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password">
</TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%"
TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"> </TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
The form must contain the %%SSL_LOGIN%% tag to provide the login form.
192
System Config
Go to System > Config > Operation Mode or select Change beside Operation
Mode on the System Status page for the virtual domain.
Default Gateway
Go to System > Config > Operation Mode or select Change beside Operation
Mode on the System Status page for the virtual domain.
193
System Config
Interface IP/Netmask
Device
Default Gateway
Gateway Device
Management access
You can configure management access on any interface in your VDOM. See
Administrative access to an interface on page 125. In NAT/Route mode, the
interface IP address is used for management access. In Transparent mode, you
configure a single management IP address that applies to all interfaces in your
VDOM that permit management access. The FortiGate also uses this IP address
to connect to the FDN for virus and attack updates (see FortiGuard on
page 241).
The system administrator (admin) can access all VDOMs, and create regular
administrator accounts. A regular administrator account can access only the
VDOM to which it belongs. The management computer must connect to an
interface in that VDOM. It does not matter to which VDOM the interface belongs.
In both cases, the management computer must connect to an interface that
permits management access and its IP address must be on the same network.
Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those
services are enabled on the interface. HTTPS and SSH are preferred as they are
more secure.
You can allow remote administration of the FortiGate unit. However, allowing
remote administration from the Internet could compromise the security of the
FortiGate unit. You should avoid this unless it is required for your configuration. To
improve the security of a FortiGate unit that allows remote administration from the
Internet:
194
Use Trusted Hosts to limit where the remote access can originate from.
Do not change the system idle timeout from the default value of 5 minutes (see
Settings on page 215).
System Administrators
Administrators
System Administrators
This section describes how to configure administrator accounts on your FortiGate
unit. Administrators access the FortiGate unit to configure its operation. In its
factory default configuration, the unit has one administrator, admin. After
connecting to the web-based manager or the CLI, you can configure additional
administrators with various levels of access to different parts of the FortiGate unit
configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, system
administrators are configured globally for the entire FortiGate unit. For details, see
Using virtual domains on page 95.
Note: Always end your FortiGate session by logging out, in the CLI or the web-based
manager. If you do not, the session remains open.
Administrators
Access profiles
Central Management
Settings
Monitoring administrators
Administrators
There are two levels of administrator accounts:
Regular
administrators
System
administrators
195
Administrators
System Administrators
Cannot delete logged-in users who are also assigned the super_admin profile
Can delete other users assigned the super_admin profile and/or change the
configured authentication method, password, or access profile, only if the other
users are not logged in
Can delete the default admin account only if the default admin user is not
logged in
There is also an access profile that allows read-only super admin privileges,
super_admin_readonly. The super_admin_readonly profile cannot be deleted or
changed, similar to the super_admin profile. This read-only super-admin profile is
suitable in a situation where it is necessary for a system administrator to
troubleshoot a customer configuration without being able to make changes. Other
than being read-only, the super_admin_readonly profile has full access to the
FortiGate unit configuration.
196
System Administrators
Administrators
Type
Regular.
Password
Confirm
Password
Access Profile
When you select Type > Regular, you will see Local as the entry in the Type
column when you view the list of administrators. For more details, see Viewing
the administrators list on page 204.
You may also configure additional features. For more information, see
Configuring an administrator account on page 205.
Note: See the Fortinet Knowledge Center article Recovering lost administrator account
passwords if you forget or lose an administrator account password and cannot log into your
FortiGate unit.
197
Administrators
System Administrators
create a user group with the RADIUS server as its only member
Note: Access to the FortiGate is according to the VDOM associated with the administrator
account.
The following procedures assume that there is a RADIUS server on your network
populated with the names and passwords of your administrators. For information
on how to set up a RADIUS server, see the documentation for your RADIUS
server.
Figure 101:Example RADIUS server list
Create New
Name
The name that identifies the RADIUS server on the FortiGate unit.
Edit icon
A name that identifies the RADIUS server. Use this name when you
create the user group.
Select OK.
You may also provide information regarding a secondary RADIUS server, custom
authentication scheme, and a NAS IP/Called Station ID. In addition, you can
configure the RADIUS server to be included in every user group in the associated
VDOM. For more information, see Configuring a RADIUS server on page 425.
198
System Administrators
Administrators
In the Group Name field, type a name for the administrator group.
In the Available Users list, select the RADIUS server name and move it to the
Members list.
Select OK.
To configure an administrator to authenticate with a RADIUS server
10
Type
Remote.
User Group
Password
Confirm
Password
Access Profile
You may also configure additional features. For more information, see
Configuring an administrator account on page 205.
199
Administrators
System Administrators
Create New
Name
The name that identifies the LDAP server on the FortiGate unit.
Common Name
Identifier
Distinguished
Name
Delete icon
Edit icon
The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP
Server Port
Common Name
Identifier
Distinguished Name The base distinguished name for the server in the correct X.500 or
LDAP format.
Query icon
View the LDAP server Distinguished Name Query tree for the LDAP
server that you are configuring so that you can cross-reference to
the Distinguished Name.
For more information, see Using Query on page 429.
Bind Type
Filter
User DN
Password
Protocol
Certificate
Select OK.
For further information about LDAP authentication, see Configuring an LDAP
server on page 427.
200
System Administrators
Administrators
In the Group Name field, type a name for the administrator group.
In the Available Users list, select the LDAP server name and move it to the
Members list.
Select OK.
To configure an administrator to authenticate with an LDAP server
Type
Remote.
User Group
Password
Confirm
Password
Access Profile
You may also configure additional features. For more information, see
Configuring an administrator account on page 205.
201
Administrators
System Administrators
Create New
Server
Authentication Type
Delete icon
Edit icon
Server Name/IP
Server Key
Authentication Type
In the Group Name field, type a name for the administrator group.
In the Available Users list, select the TACACS+ server name and move it to the
Members list.
Select OK.
To configure an administrator to authenticate with a TACACS+ server
202
Type
Remote.
User Group
System Administrators
Administrators
Password
Confirm
Password
Access Profile
You may also configure additional features. For more information, see
Configuring an administrator account on page 205.
Create New
User Name
Subject
The text string that appears in the subject field of the certificate of
the authenticating user.
Issuer
Delete icon
Edit icon
Note: The following fields in the PKI User List correspond to the noted fields in the PKI
User dialog:
User Name: Name
Subject: Subject
CA: Issuer (CA certificate)
In the Group Name field, type a name for the administrator group.
In the Available Users list, select the PKI user name and move it to the Members
list.
203
Administrators
System Administrators
Select OK.
To configure an administrator to authenticate with a PKI certificate
Type
PKI.
User Group
Access Profile
You may also configure additional features. For more information, see
Configuring an administrator account on page 205
204
Create New
Name
Trusted hosts
Profile
Type
System Administrators
Administrators
Delete icon
Select the Change Password icon next to the administrator account you want to
change the password for.
Select OK.
205
Administrators
System Administrators
Administrator
Type
User Group
Wildcard
Password
Confirm
Password
Trusted Host #1 Optionally, type the trusted host IP address and netmask that
Trusted Host #2 administrator login is restricted to on the FortiGate unit. You can specify
Trusted Host #3 up to three trusted hosts. These addresses all default to 0.0.0.0/0.
Setting trusted hosts for all of your administrators can enhance the
security of your system. For more information, see Using trusted hosts
on page 207.
Access Profile Select the access profile for the administrator. The pre-configured
super_admin profile provides full access to the FortiGate unit. You can
also select Create New to create a new access profile. For more
information on access profiles, see Configuring an access profile on
page 211.
206
System Administrators
Administrators
In the Administrator field, type a login name for the administrator account.
If you are using RADIUS authentication for this administrator but not using the
wildcard option, the administrator name must match an account on the RADIUS
server.
Select Regular.
Note: See the Fortinet Knowledge Center article Recovering lost administrator account
passwords if you forget or lose an administrator account password and cannot log into your
FortiGate unit.
If you are using remote authentication for this administrator (RADIUS, LDAP, or
TACACS+):
Select Remote.
Select Wildcard if you want all accounts on the RADIUS, LDAP, or TACACS+
server to be administrators of this FortiGate unit.
Type and confirm the password for the administrator account. This step does
not apply if you are using Remote Wildcard or PKI certificate-based
authentication.
Select the administrators user group from the User Group list.
Select PKI.
Select the administrators user group from the User Group list.
If required, type Trusted Host IP address(es) and netmask(s) from which the
administrator can log into the web-based manager.
Select OK.
207
Access profiles
System Administrators
The trusted host addresses all default to 0.0.0.0/0. If you set one of the 0.0.0.0/0
addresses to a non-zero address, the other 0.0.0.0/0 will be ignored. The only way
to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0. However, this
configuration is less secure.
Access profiles
Each administrator account belongs to an access profile. The access profile
separates FortiGate features into access control categories for which you can
enable none (deny), read only, or read/write access. The following table lists the
web-based manager pages to which each category provides access:
Table 34: Access profile control of access to Web-based manager pages
Access control
Admin Users
Antivirus Configuration
AntiVirus
Auth Users
User
Firewall Configuration
Firewall
FortiGuard Update
IM, P2P & VoIP Configuration IM, P2P & VoIP > Statistics
IM, P2P & VoIP > User > Current Users
IM, P2P & VoIP > User > User List
IM, P2P & VoIP > User > Config
IPS Configuration
Intrusion Protection
Maintenance
Network Configuration
Router Configuration
Router
Spamfilter Configuration
AntiSpam
System Configuration
VPN Configuration
VPN
Webfilter Configuration
Web Filter
208
System Administrators
Access profiles
You can now expand the firewall configuration access control to enable more
granular control of access to the firewall functionality. You can control
administrator access to policy, address, service, schedule, profile, and other (VIP)
configurations.
Note: When Virtual Domain Configuration is enabled (see Settings on page 215), only the
administrators with the access profile super_admin have access to global settings. When
Virtual Domain Configuration is enabled, other administrator accounts are assigned to one
VDOM and cannot access global configuration options or the configuration for any other
VDOM.
For information about which settings are global, see VDOM configuration settings on
page 97.
The access profile has a similar effect on administrator access to CLI commands.
The following table shows which command types are available in each access
control category. You can access get and show commands with read access.
Access to config commands requires write access.
Table 35: Access profile control of access to CLI commands
Access control
system admin
system accprofile
antivirus
user
firewall
Use the set fwgrp custom and config
fwgrp-permission commands to set some
firewall permissions individually. Selections can
be made for policy, address, service, schedule,
profile, and other (VIP) configurations. For more
information, see FortiGate CLI Reference.
system autoupdate
execute update-av
execute update-ips
execute update-now
imp2p
ips
alertemail
log
system fortianalyzer
execute log
Maintenance (mntgrp)
execute
execute
execute
execute
execute
system arp-table
system dhcp
system interface
system zone
execute dhcp lease-clear
execute dhcp lease-list
execute clear system arp table
execute interface
formatlogdisk
restore
backup
batch
usb-disk
209
Access profiles
System Administrators
router
execute router
execute mrouter
spamfilter
vpn
execute vpn
webfilter
Go to System > Admin > Access Profile to add access profiles for FortiGate
administrators. Each administrator account belongs to an access profile. You can
create access profiles that deny access to, allow read-only, or allow both readand write-access to FortiGate features.
When an administrator has read-only access to a feature, the administrator can
access the web-based manager page for that feature but cannot make changes to
the configuration. There are no Create or Apply buttons and lists display only the
View (
) icon instead of icons for Edit, Delete or other modification commands.
210
Create New
Profile Name
System Administrators
Access profiles
Delete icon
Edit icon
Profile Name
Access Control
Access Control lists the items that can customized access control
settings configured.
None
Read Only
Read-Write
Access Control
categories
211
Central Management
System Administrators
Central Management
The Central Management tab provides the option of remotely managing your
FortiGate unit by either a FortiManager unit or the FortiGuard Analysis and
Management Service.
From System > Admin > Central Management, you can configure your
FortiGate unit to back up or restore configuration settings automatically to the
specified central management server. The central management server is the type
of service you enable, either a FortiManager unit or the FortiGuard Analysis and
Management Service. If you have a subscription for FortiGuard Analysis and
Management Service, you can also remotely upgrade the firmware on the
FortiGate unit.
Figure 111:Central Management configurations - FortiManager and FortiGuard
Analysis and Management Service
212
Type
System Administrators
Central Management
Allow script updates initiated Enable to allow the management server to automatically
update scripts.
by the management server
Allow firmware upgrades
initiated by the management
server (FortiGuard Analysis
and Management Service
only)
The Revision Control tab, which is part of Central Management, displays a list of
the backed up configuration files. The list displays only when your FortiGate unit is
managed by a central management server.
From the Revision Control tab, you can download a backed up configuration file,
revert to a selected revision, or compare two revisions.
Figure 113:Configuration back ups on the Revision Control page
Current Page
Diff
Revert
Download
213
Central Management
System Administrators
Current Page
By default, the first page of the list of items is displayed. The total
number of pages appears after the current page number. For
example, if 3/54 appears, you are currently viewing page 3 of 54
pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and
then press Enter.
For more information, see Using page controls on web-based
manager lists on page 61.
Revision
Date/Time
Displays the date and time when this configuration was saved on
the FortiGate unit.
Administrator
Comments
Diff icon
Download icon
Revert icon
214
notifies the FortiGate units about configuration changes, AV/IPS database update and
firewall changes.
System Administrators
Settings
Settings
Go to System > Admin > Settings to set the following options:
Display settings that include the language of the web-based manager and the
number of lines displayed in generated reports
PIN protection for LCD and control buttons (LCD-equipped models only)
HTTPS
Telnet Port
SSH Port
Enable v1
compatibility
Timeout Settings
215
Monitoring administrators
System Administrators
Idle Timeout
Display Settings
Language
IPv6 Support on GUI Enable if you want to configure IPv6 options from the GUI
(Firewall policy, route, address and address group).
Default allows configuration from CLI only.
LCD Panel (LCD-equipped models only)
PIN Protection
Enable SCP
Note: If you make a change to the default port number for HTTP, HTTPS, telnet, or SSH,
ensure that the port number is unique.
Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under
System Information, you will see Current Administrators. Click on Details to view
information about the administrators currently logged in to the FortiGate unit.
Figure 115:System Information > Current Administrators
216
System Administrators
Disconnect
Refresh
Close
check box
Select and then select Disconnect to log off this administrator. This is
available only if your access profile gives you System Configuration
write access. You cannot log off the default admin user.
User Name
Type
From
Time
using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4
headers to carry them over IPv4 infrastructure.
FortiGate units are dual IP layer IPv6/IPv4 nodes. They support IPv6 overIPv4
tunneling, routing, firewall policies and IPSec VPN. You can assign both an IPv4
and an IPv6 address to any interface on a FortiGate unit - the interface functions
as two interfaces, one for IPv4-addressed packets and another for IPv6addressed packets.
For more information, see the FortiGate IPv6 Support Technical Note available
from the Fortinet Knowledge Center.
Before you can work with IPv6 on the web-based manager, you must enable IPv6
support.
To enable IPv6 support, go to System > Admin > Settings, then under Display
Settings, select IPv6 Support on GUI.
After you enable IPv6 support in the web-based manager, you can:
Once IPv6 support is enabled, you can configure the IPv6 options using the webbased manager or the CLI.
See the FortiGate CLI Reference for information on configuring IPv6 support
using the CLI.
217
218
System Administrators
System Certificates
Local Certificates
System Certificates
This section explains how to manage X.509 security certificates using the
FortiGate web-based manager. Certificate authentication allows administrators to
generate certificate requests, install signed certificates, import CA root certificates
and certificate revocation lists, and back up and restore installed certificates and
private keys.
Authentication is the process of determining if a remote host can be trusted, which
ultimately controls remote access to network resources. To establish its
trustworthiness, the remote host must provide an acceptable authentication
certificate by obtaining a certificate from a certification authority (CA). The
application can accept or reject any certificate. The FortiGate device can use
certificate authentication to allow administrative access via HTTPS, and to
authenticate IPSec VPN peers or clients and SSL VPN user groups or clients.
If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates
are configured globally for the entire FortiGate unit. For details, see Using virtual
domains on page 95.
For additional background information on certificates, see the FortiGate
Certificate Management User Guide.
This section describes:
Local Certificates
Remote Certificates
CA Certificates
CRL
Local Certificates
Certificate requests and installed server certificates are displayed in the Local
Certificates list. After you submit the request to a CA, the CA will verify the
information and register the contact information on a digital certificate that
contains a serial number, an expiration date, and the public key of the CA. The CA
will then sign and send the signed certificate to you to install on the FortiGate unit.
To view certificate requests and/or import signed server certificates, go to System
> Certificates > Local Certificates. To view certificate details, select the View
Certificate Detail icon in the row that corresponds to the certificate.
219
Local Certificates
System Certificates
Delete
Generate
Import
Name
Subject
Comments
Status
View Certificate
Detail icon
Delete icon
Download icon
220
System Certificates
Local Certificates
Remove/Add OU
Certification Name
Subject Information
Host IP
221
Local Certificates
System Certificates
Domain Name
Optional Information
Organization Unit
Organization
Locality (City)
State/Province
Country
Key Type
Key Size
Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are
slower to generate but they provide better security.
Enrollment Method
File Based
Online SCEP
222
In the Local Certificates list, select the Download icon in the row that corresponds
to the generated certificate request.
System Certificates
Local Certificates
Using the web browser on the management computer, browse to the CA web
site.
When you receive the signed certificate from the CA, install the certificate on the
FortiGate unit. See Importing a signed server certificate on page 223.
Certificate File
Enter the full path to and file name of the signed server certificate.
Browse
223
Remote Certificates
System Certificates
Enter the full path to and file name of the previously exported
PKCS12 file.
Browse
Password
Certificate file
Enter the full path to and file name of the previously exported
certificate file.
Key file
Enter the full path to and file name of the previously exported key
file.
Browse
Password
Remote Certificates
Note: The certificate file must not use 40-bit RC2-CBC encryption.
224
System Certificates
Remote Certificates
Installed Remote (OCSP) certificates are displayed in the Remote Certificates list.
To view installed Remote (OCSP) certificates or import a Remote (OCSP)
certificate, go to System > Certificates > Remote. To view certificate details,
select the View Certificate Detail icon in the row that corresponds to the certificate.
Import
Name
Subject
Delete icon
View Certificate
Detail icon
Download icon
Local PC
Browse
The system assigns a unique name to each Remote (OCSP) certificate. The
names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2,
REMOTE_Cert_3, and so on).
225
CA Certificates
System Certificates
CA Certificates
When you apply for a signed personal or group certificate to install on remote
clients, you must obtain the corresponding root certificate and CRL from the
issuing CA.
When you receive the signed personal or group certificate, install the signed
certificate on the remote client(s) according to the browser documentation. Install
the corresponding root certificate and CRL from the issuing CA on the FortiGate
unit.
Installed CA certificates are displayed in the CA Certificates list. You cannot delete
the Fortinet_CA certificate. To view installed CA root certificates or import a CA
root certificate, go to System > Certificates > CA Certificates. To view root
certificate details, select the View Certificate Detail icon in the row that
corresponds to the certificate.
Figure 125:CA Certificates list
Name
Subject
Delete icon
View Certificate
Detail icon
Download icon
Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that
has management access to the FortiGate unit.
To import a CA root certificate, go to System > Certificates > CA Certificates
and select Import.
226
System Certificates
CRL
SCEP
Local PC
When you select OK and you have elected to import a certificate via the SCEP
server, the system starts the retrieval process immediately.
The system assigns a unique name to each CA certificate. The names are
numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
CRL
A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired
with certificate status information. Installed CRLs are displayed in the CRL list.
The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and
remote clients are valid.
To view installed CRLs, go to System > Certificates > CRL.
Figure 127:Certificate revocation list
Name
Subject
Delete icon
View Certificate
Detail icon
Display CRL details such as the issuer name and CRL update dates.
See example Figure 128.
Download icon
227
CRL
System Certificates
To import a certificate revocation list, go to System > Certificates > CRL and
select Import.
Figure 129:Import CRL
HTTP
Select to use an HTTP server to retrieve the CRL. Enter the URL
of the HTTP server.
LDAP
SCEP
Local PC
The system assigns a unique name to each CRL. The names are numbered
consecutively (CRL_1, CRL_2, CRL_3, and so on).
228
System Maintenance
System Maintenance
This section describes how to maintain your system configuration as well as
information about enabling and updating FDN services. This section also explains
the types of FDN services that are available for your FortiGate unit.
If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance
is configured globally for the entire FortiGate unit. For more information, see
Using virtual domains on page 95.
This section includes the following topics:
Revision Control
Scripts
FortiGuard
License
Backup and Restore provides the ability to back up and restore your system
configuration file, remotely upgrade firmware, and import CLI commands.
Revision Control displays all system configuration backups with the date and
time of when they were backed up. This tab displays only if the FortiGuard
Analysis and Management Service is enabled.
FortiGuard displays all FDN subscription services, such as antivirus and IPS
definitions as well as the FortiGuard Analysis and Management Service. The
FortiGuard tab also provides configuration for antivirus, IPS, web filtering, and
antispam services.
Scripts displays script history execution and provides a way to upload script
files to the FortiGuard Analysis and Management Service portal web site
When backing up the system configuration, web content files and spam filtering
files are also included. You can save the configuration to the management
computer or to a USB disk if your FortiGate unit includes a USB port (see USB
Disks on page 238). You can also restore the system configuration from
previously downloaded backup files in the Backup and Restore menu.
229
System Maintenance
When virtual domain configuration is enabled, the content of the backup file
depends on the administrator account that created it. A backup of the system
configuration from the super admin account contains global settings and the
settings included in each VDOM. Only the super admin can restore the
configuration from this file. When you back up the system configuration from a
regular administrator account, the backup file contains the global settings and the
settings for the VDOM that the regular administrator belongs to. A regular
administrator is the only user account that can restore the configuration from this
file.
Some FortiGate models support FortiClient by storing a FortiClient image that
users can download. The FortiClient section of Backup and Restore is available if
your FortiGate model supports FortiClient. This feature is currently available on
FortiGate-1000A, 3600A, and 5005FA2 models.
Figure 130:Backup and Restore page on a FortiGate-3000 unit
The following each explains their corresponding part or section of the Backup &
Restore page. For example, Backup and Restore on page 231 contains detailed
information about that part of the Backup and Restore page, such as what
locations you can choose to back up and restore a configuration file to.
These sections are:
Firmware
FortiClient
Advanced
Note: The Firmware Section is available only on FortiGate-100A units and higher. If you
have a FortiGate-100 unit or lower, you can upgrade or downgrade the firmware by going to
System > Status and selecting Update for Firmware Version.
230
System Maintenance
System
Displays the date and time of the last local or remote backup.
Configuration If you backed up the configuration file using a USB disk, only the date
(Last Backup:) displays. Time is not saved when backing up using a USB disk.
Backup
Local PC
USB Disk
FortiGuard
FortiManager
231
System Maintenance
Restore
Encrypt
configuration
file
Password
Confirm
Filename
Backup
Local PC
USB Disk
FortiGuard
FortiManager
Filename
Password
Restore
Note: The radio button, Management Station, appears when the FortiGuard Analysis and
Management Service is disabled. The FortiGuard radio button appears when FortiGuard
Analysis and Management Service is enabled.
232
System Maintenance
Backup
Restore
Comments:
Backup
Please Select: Select the configuration file you want to restore from the list.
This list includes the comments you included in the Comment
field before it was uploaded to the FortiManager unit.
The list is in numerical order, with the recent uploaded
configuration first.
Restore
233
System Maintenance
notifies the FortiGate units about configuration changes, AV/IPS database update and
firewall changes.
Backup
Displays the options available for backing up your current configuration to the
FortiGuard Analysis and Management Service server.
Backup configuration Select the FortiGuard option to upload the
configuration to the FortiGuard Analysis and
to:
Management Service server.
The Local PC option is always available.
Restore
234
Comments:
Backup
System Maintenance
Restore
notifies the FortiGate units about configuration changes, AV/IPS database update and
firewall changes.
Firmware
The Firmware section displays the current version of firmware installed on your
FortiGate unit, and also displays the firmware version currently in use if there is
more than one firmware image saved on the FortiGate unit.
Figure 134:Two firmware images displaying on a FortiGate-1000A unit in the
Firmware section on the Backup and Restore page
Partition
Active
Last Upgrade
Firmware Version
Boot alternate
firmware
235
System Maintenance
Firmware Upgrade
The Firmware Upgrade section of the Backup and Restore page displays options
for upgrading to a new version using the FortiGuard Analysis and Management
Service if that option is available to you. Using the FortiGuard Analysis and
Management Service to upgrade the firmware on your FortiGate unit is only
available on certain FortiGate units. You must register for the service by
contacting customer support.
Detailed firmware version information is provided if you have subscribed for the
FortiGuard Analysis and Management Service.
Figure 135:Firmware Upgrade section of the Backup and Restore page
Upgrade method
[Please Select]
Select one of the available firmware versions. The list contains the
following information for each available firmware release:
continent (for example, North America)
build number
For example, if you are upgrading to FortiOS 3.0 MR6 and the
FortiGate unit is located in North America, the firmware version
available is v3.0 MR6-NA (build 0700).
Allow firmware
downgrade
Upgrade by File
OK
FortiClient
If your FortiGate unit supports the host check function, you can view version
information for the FortiClient application stored on the unit, including uploading a
current firmware version of the FortiClient application.
Some FortiGate units provide a host check function that can determine whether
users computers have FortiClient Host Security software installed. Users who fail
the host check are redirected to a web portal where they can download the
FortiClient application. For more information, see Options to detect FortiClient on
hosts on page 308.
236
System Maintenance
Software Image
Antivirus
Database
Antivirus Engine
Select the port for the web portal where users are redirected if they
fail the FortiClient host check. Select Save after changing the port
number to commit the change.
The default port number is 8009. Change the port number only if it
causes a conflict on your network.
Advanced
The Advanced section on the Backup and Restore page includes the USB Auto
Install feature and the debug log.
Figure 137:Options available in the Advanced section
237
Revision Control
System Maintenance
Advanced (USB
Auto-Install,
Download Debug
Log)
This section is only available if the FortiGate unit includes a USB port.
You must connect a USB disk to the FortiGate unit USB port to use the
USB auto-install feature. See USB Disks on page 238.
Select the options as required and restart the FortiGate unit.
If you select both configuration and firmware update, both occur on the
same reboot. The FortiGate unit will not reload a firmware or
configuration file that is already loaded.
On system restart,
automatically
update FortiGate
configuration
On system restart,
automatically
update FortiGate
firmware
Apply
Download Debug Download an encrypted debug log to a file. You can send this debug
log to Fortinet Technical Support to help diagnose problems with your
Log
FortiGate unit.
USB Disks
FortiGate units with USB port(s) support USB disks for backing up and restoring
configurations.
FortiUSB and generic USB disks are supported, but the generic USB disk must be
formatted as a FAT16 disk. No other partition type is supported.
There are two ways that you can format the USB disk, either by using the CLI or a
Windows system. You can format the USB disk in the CLI using the command
syntax, exe usb-disk format. When using a Windows system to format the
disk, at the DOS command prompt or similar prompt type, format
<drive_letter>: /FS:FAT /V:<drive_label> where <drive_letter> is
the letter of the connected USB drive you want to format, and <drive_label> is the
name you want to give the USB drive for identification.
Note: Formatting the USB disk deletes all information on the disk. Back up the information
on the USB disk before formatting to ensure all information on the disk is recoverable.
Revision Control
The Revision Control tab enables you to manage multiple versions of
configuration files and appears only after registering and configuring the
FortiGuard Analysis and Management Service. Revision Control requires a
configured central management server. This server can either be a FortiManager
unit or the FortiGuard Analysis and Management Service.
238
System Maintenance
Revision Control
When Revision Control is enabled on your FortiGate unit, and configurations were
backed up, a list of saved revisions of those backed up configurations display.
Figure 138:Revision Control page displaying system configuration back ups
Current Page
Diff
Download
Revert
Current Page
By default, the first page of the list of items is displayed. The total
number of pages appears after the current page number. For example,
if 3/54 appears, you are currently viewing page 3 of 54 pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
For more information, see Using page controls on web-based
manager lists on page 61.
Revision
Date/Time
Displays the date and time when this configuration was saved on the
FortiGate unit.
Administrator
Comments
Diff icon
239
Scripts
System Maintenance
Scripts
If you have FortiGuard Analysis and Management Service enabled, you can
configure and manage scripts. Scripts are files that are comprised of command
text and are usually composed in a plain text editor.
From the Script tab, you can upload bulk CLI command files and view what files
were uploaded or executed to the FortiGate unit. The uploaded script files appear
on the FortiGuard Analysis and Management Service portal web site.
After executing scripts, you can view script execution history on the Script page.
The past ten executed scripts display.
Figure 139:Script execution history in System > Maintenance > Script
Select Browse to location the script file and then select Apply to
upload the file to the FortiGuard Analysis and Management
Service portal web site.
Script Execution
History (past 10
scripts)
Type
Time
Status
240
System Maintenance
FortiGuard
If you are using a TFTP or FTP server, start the server now.
If you want, you can enter a password for accessing the file.
The FortiGate unit reboots. This may take a few minutes.
After creating the script file, you can then upload it to the FortiGuard Analysis and
Management Service portal web site.
Uploading scripts
After you have created a script file, you can then upload the script file in System >
Maintenance > Script. After the script uploads, you can view or configure to run
the script on the FortiGuard Analysis and Management portal web site.
All script files that are uploaded in System > Maintenance > Script are uploaded
to the FortiGuard Analysis and Management Service portal web site.
To execute a script
1
Verify that the radio button is selected for Upload Bulk CLI Command File.
Select Apply.
The following message appears:
Settings successfully uploaded. Please wait while the system restarts.
The FortiGate unit restarts and reboots. This may take a few minutes.
You can view the script or run the script from the FortiGuard Analysis and
Management Service portal web site. For more information about viewing or
running an uploaded script on the portal web site, see the FortiGuard Analysis
and Management Service Administration Guide.
FortiGuard
The FortiGuard tab enables you to configure your FortiGate unit to use the
FortiGuard Distribution Network (FDN) and FortiGuard Services. The FDN
provides updates to antivirus and IPS attack definitions. FortiGuard Services
provides online IP address black list, URL black list, and other spam filtering tools.
241
FortiGuard
System Maintenance
Hourly, daily, or weekly scheduled antivirus and attack definition updates from
the FDN,
Update status including version numbers, expiry dates, and update dates and
times,
Registering your FortiGate unit on the Fortinet Support web page provides a valid
license contract and connection to the FDN. On the Fortinet Support web page, go
to Product Registration and follow the instructions.
The FortiGate unit must be able to connect to the FDN using HTTPS on port 443
to receive scheduled updates. For information about configuring scheduled
updates, see To enable scheduled updates on page 249.
You can also configure the FortiGate unit to receive push updates. When the
FortiGate unit is receiving push updates, the FDN must be able to route packets to
the FortiGate unit using UDP port 9443. For information about configuring push
updates, see Enabling push updates on page 250. If the FortiGate unit is behind
a NAT device, see Enabling push updates through a NAT device on page 251.
FortiGuard Services
Worldwide coverage of FortiGuard services are provided by FortiGuard Service
Points. When the FortiGate unit is connecting to the FDN, it is connecting to the
closest FortiGuard Service Point. Fortinet adds new Service Points as required.
By default, the FortiGate unit communicates with the closest Service Point. If the
Service Point becomes unreachable for any reason, the FortiGate unit contacts
another Service Point and information is available within seconds. By default, the
FortiGate unit communicates with the Service Point via UDP on port 53.
Alternately, the UDP port used for Service Point communication can be switched
to port 8888 by going to System > Maintenance > FortiGuard.
If you need to change the default FortiGuard Service Point host name, use the
hostname keyword in the system fortiguard CLI command. You cannot
change the FortiGuard Service Point name using the web-based manager.
For more information about FortiGuard services, see the FortiGuard Center web
page.
242
System Maintenance
FortiGuard
Every FortiGate unit comes with a free 30-day FortiGuard Antispam trial license.
FortiGuard Antispam license management is performed by Fortinet servers; there
is no need to enter a license number. The FortiGate unit automatically contacts a
FortiGuard Antispam Service Point when enabling FortiGuard Antispam. Contact
Fortinet Technical support to renew the FortiGuard Antispam license after the free
trial expires.
You can globally enable FortiGuard Antispam in System > Maintenance >
FortiGuard and then configure Spam Filtering options in each firewall protection
profile in Firewall > Protection Profile. For more information, see Spam Filtering
options on page 373.
Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System >
Maintenance > FortiGuard. The FDN page contains four sections of FortiGuard
services.
The four sections are:
243
FortiGuard
System Maintenance
Support Contract The availability or status of your FortiGate unit support contract. The
status displays can be one of the following: Unreachable, Not
Registered or Valid Contract.
If Valid Contract is shown, the FortiOS firmware version and contract
expiry date displays. A green checkmark also displays.
[Register]
FortiGuard
Subscription
Services
Intrusion Protection
IPS Definitions
Web Filtering
AntiSpam
Management Service
Analysis Service
Not Registered
Valid License
Valid Contract
The option Subscribe displays if Availability is Not
Registered.
The option Renew displays if Availability has expired.
244
[Update]
[Register]
System Maintenance
FortiGuard
[Renew]
Status Icon Indicates the status of the subscription service. The icon
corresponds to the availability description.
Grey (Unreachable) FortiGate unit is not able to
connect to service
[Last update The date of the last update and method used for last
date and
attempt to download definition updates for this service.
method]
[Date]
Expand Arrow
245
FortiGuard
System Maintenance
Schedule Updates
246
Daily
Weekly
Update Now
Submit attack
characteristics
(recommended)
System Maintenance
FortiGuard
Enable
Select to enable FortiGuard Web Filter service.
Web Filter
Enable Cache Select to enable caching of web filter queries.
This improves performance by reducing FortiGate unit
requests to the FortiGuard server. The cache uses 6 percent of
the FortiGate memory. When the cache is full, the least
recently used IP address or URL is deleted.
The Enable Cache is only available if Enable Web Filter is
selected.
TTL
Enable
AntiSpam
Port
Section
Select one of the following ports for your web filtering and antispam
requirements:
Use Default
Port (53)
Use Alternate Select to use port 8888 for transmitting with FortiGuard
Antispam servers.
Port (8888)
Test
Select to test the connection to the servers. Results are shown below the
Availability button and on the Status indicators.
please
click here
247
System Maintenance
Account ID
Enter the name for the Management and Analysis Services that
identifies the account.
The account ID that you entered in the Account ID field when
registering is used in this field.
To launch the service Select to go directly to the FortiGuard Analysis and Management
Service portal web site to either view logs or configuration. You
portal, please click
can also select this to register your FortiGate unit with the
here
FortiGuard Analysis and Management Service.
To configure...please Select the link, please click here, to configure and enable logging
to the FortiGuard Analysis server. The link redirects you to
click here.
Log&Report > Log Config > Log Setting.
This displays only after registering for the service.
To purge...please
click here.
Select the number of months from the list that will remove those
logs from the FortiGuard Analysis server and select the link,
please click here. For example, if you select 2 months, the logs
from the past two months will be removed from the server.
You can also use this option to remove logs that may appear on a
current report.
This displays only after logging is enabled and log messages are
sent to the FortiGuard Analysis server.
248
you have not registered the FortiGate unit (Go to Product Registration and
follow the instructions on the web site if you have not already registered your
FortiGate unit).
there is a NAT device installed between the FortiGate unit and the FDN (see
Enabling push updates through a NAT device on page 251).
your FortiGate unit connects to the Internet using a proxy server (see To
enable scheduled updates through a proxy server on page 250).
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
System Maintenance
Go to System > Status and select Change on the System Time line in the
System Information section.
Verify that the time zone is set correctly for the region where your FortiGate unit is
located.
Select the Expand Arrow beside Web Filtering and AntiSpam Options to reveal
the available options.
Select the Expand Arrow beside Antivirus and IPS Options to reveal the available
options.
Select the Expand Arrow beside AntiVirus and IPS Options to reveal the available
options.
249
System Maintenance
Every
Once every 1 to 23 hours. Select the number of hours and minutes between
each update request.
Daily
Once a day. You can specify the time of day to check for updates.
Weekly
Once a week. You can specify the day of the week and the time of day to
check for updates.
Select Apply.
The FortiGate unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the
FortiGate event log.
If you cannot connect to the FDN, or if your organization provides antivirus and
IPS attack updates using their own FortiGuard server, you can use the following
procedure to add the IP address of an override FortiGuard server.
To add an override server
Type the fully qualified domain name or IP address of the FortiGuard server.
Select Apply.
The FortiGate unit tests the connection to the override server.
If the FortiGuard Distribution Network availability icon changes from gray to green,
the FortiGate unit has successfully connected to the override server.
If the FortiGuard Distribution Network availability icon stays gray, the FortiGate
unit cannot connect to the override server. Check the FortiGate configuration and
network configuration for settings that would prevent the FortiGate unit from
connecting to the override FortiGuard server.
To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can
use the config system autoupdate tunneling command syntax to allow
the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. For
more information, see the FortiGate CLI Reference.
250
System Maintenance
have set the interface addressing mode to DHCP or PPPoE and your DHCP or
PPPoE server changes the IP address.
The FDN must be able to connect to this IP address for your FortiGate unit to be
able to receive push update messages. If your FortiGate unit is behind a NAT
device, see Enabling push updates through a NAT device on page 251.
If you have redundant connections to the Internet, the FortiGate unit also sends
the SETUP message when one Internet connection goes down and the FortiGate
unit fails over to another Internet connection.
In Transparent mode, if you change the management IP address, the FortiGate
unit also sends the SETUP message to notify the FDN of the address change.
Virtual IP
10.20.6.135
(external interface)
Internet
Internal Network
FortiGate unit
NAT Device
FDN
Server
251
System Maintenance
The procedure, General procedure, configures both the FortiGate unit and NAT
device so that they FortiGate unit can receive push updates.
General procedure
1
Register the FortiGate unit on the internal network so that it has a current support
license and can receive push updates.
Configure the following FortiGuard options on the FortiGate unit on the internal
network.
Add an override push update IP. Usually this would be the IP address of the
external interface of the NAT device
Set the external IP address of the virtual IP to match the override push update
IP. Usually this would be the IP address of the external interface of the NAT
device.
Add a firewall policy to the FortiGate NAT device that includes the port forwarding
virtual IP.
Note: Push updates are not supported if the FortiGate unit must use a proxy server to
connect to the FDN. See To enable scheduled updates through a proxy server on
page 250 for more information.
Select the Expand Arrow beside AntiVirus and IPS Options to reveal the available
options.
Select Apply.
You can add changes to the Use override push configuration if the external IP
address of the external service port changes; select Apply to update the push
information on the FDN.
The FortiGate unit sends the override push IP address and port to the FDN. The
FDN now uses this IP address and port for push updates to the FortiGate unit on
the internal network. Push updates will not actually work until a virtual IP is added
to the NAT device so that the NAT device accepts push update packets and
forwards them to the FortiGate unit on the internal network.
The following procedure, To add a port forwarding virtual IP to the FortiGate NAT
device, enables you to configure the NAT device to use port forwarding to push
update connections from the FDN to the FortiGate unit on the internal network.
252
System Maintenance
External
Interface
Select an external interface from the list. This is the interface on the
NAT device that connects to the Internet.
Type
External IP
Address/Range
Enter the IP address and/or range. This is the IP address that the FDN
connects to send push updates to the FortiGate unit on the internal
network. This would usually be the IP address of the external interface
of the NAT device. This IP address must be the same as the IP in
User override push update for the FortiGate unit on the internal
network.
Mapped IP
Address/Range
Enter the IP address and/or range of the FortiGate unit on the Internal
network.
Port Forwarding Select Port Forwarding. When you select Port Forwarding, the options
Protocol, External Services Port and Map to Port appear.
Protocol
Select UDP.
External Service Enter the external service port. The external service port is the port
that the FDN connects to. The external service port for push updates
Port
is usually 9443. If you changed the push update port in the FortiGuard
configuration of the FortiGate unit on the internal network, you must
set the external service port to the changed push update port.
Map to Port
Select HTTP Multiplexing to enable the FortiGate unit to use its HTTP
proxy to multiplex multiple client connections destined for the web
server into fewer connections, improving performance.
Preserve Client IP is available only when HTTP Multiplexing is
selected. This preserves the IP address of the client in the XForwarded-For HTTP header.
Select OK.
To add a firewall policy to the FortiGate NAT device
Select OK.
Verify that push updates to the FortiGate unit on the internal network are working
by going to System > Maintenance > FortiGuard and select Test Availability.
The Push Update indicator should change to green.
253
License
System Maintenance
License
If you have a FortiGate-3000 unit or higher, you can purchase a license key from
Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. By
default, FortiGate units support a maximum of 10 VDOMs.
The license key is a 32-character string supplied by Fortinet. Fortinet requires the
serial number of the FortiGate unit to generate the license key.
The license key is entered in System > Maintenance > License in the Input
License Key field. This appears only on the FortiGate-3000 unit and higher. The
following does not appear on any other FortiGate unit.
Figure 145:License key for additional VDOMs
Current License
Note: VDOMs created on a registered FortiGate unit are considered real devices by the
FortiAnalyzer unit and it includes VDOMs in the total number of registered devices. For
example, three FortiGate units are registered on the FortiAnalyzer unit and contain four
VDOMs: the total number of registered FortiGate units on the FortiAnalyzer unit is seven.
For more information, see the FortiAnalyzer Administration Guide.
254
Router Static
Routing concepts
Router Static
This section explains some general routing concepts, and how to define static
routes and route policies.
A route provides the FortiGate unit with the information it needs to forward a
packet to a particular destination on the network. A static route causes packets to
be forwarded to a destination other than the factory configured default gateway.
The factory configured static default route provides you with a starting point to
configure the default gateway. You must either edit the factory configured static
default route to specify a different default gateway for the FortiGate unit, or delete
the factory configured route and specify your own static default route that points to
the default gateway for the FortiGate unit. See Default route and default gateway
on page 259.
You define static routes manually. Static routes control traffic exiting the FortiGate
unityou can specify through which interface the packet will leave and to which
device the packet should be routed.
As an option, you can define route policies. Route policies specify additional
criteria for examining the properties of incoming packets. Using route policies, you
can configure the FortiGate unit to route packets based on the IP source and
destination addresses in packet headers and other criteria such as on which
interface the packet was received and which protocol (service) and port are being
used to transport the packet.
If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is
configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
Routing concepts
Static Route
Policy Route
Routing concepts
The FortiGate unit works as a security device on a network and packets must
pass through it. You need to understand a number of basic routing concepts in
order to configure the FortiGate unit appropriately.
Whether you administer a small or large network, this module will help you
understand how the FortiGate unit performs routing functions.
The following topics are covered in this section:
Route priority
Blackhole Route
255
Routing concepts
Router Static
256
Router Static
Routing concepts
Static
10
EBGP
20
RIP
120
OSPF
110
IBGP
200
Another method is to manually change the priority of both of the routes. If the
next-hop administrative distances of two routes on the FortiGate unit are equal, it
may not be clear which route the packet will take. Configuring the priority for each
of those routes will make it clear which next-hop will be used in the case of a tie.
You can set the priority for a route only from the CLI. Lower priorities are
preferred. For more information see the FortiGate CLI Reference.
All entries in the routing table are associated with an administrative distance. If the
routing table contains several entries that point to the same destination (the
entries may have different gateways or interface associations), the FortiGate unit
compares the administrative distances of those entries, selects the entries having
the lowest distances, and installs them as routes in the FortiGate forwarding table.
As a result, the FortiGate forwarding table contains only those routes having the
lowest distances to every possible destination. For information about how to
change the administrative distance associated with a static route, see Adding a
static route to the routing table on page 262.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing
preference.
You configure the priority field through the CLI. The route with the lowest value in
the priority field is considered the best route, and it is also the primary route. The
command to set the priority field is: set priority <integer> under the
config route static command. For more information, see the FortiGate CLI
Reference.
In summary, because you can use the CLI to specify which sequence numbers or
priority field settings to use when defining static routes, you can prioritize routes to
the same destination according to their priority field settings. For a static route to
be the preferred route, you must create the route using the config router
static CLI command and specify a low priority for the route. If two routes have
the same administrative distance and the same priority, then they are equal cost
multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be
confusing which route or routes to install and use. However, if you have enabled
load balancing with ECMP routes, then different sessions will resolve this problem
by using different routes to the same address. For more information, see load
balancing in Configuring virtual IPs on page 338.
257
Static Route
Router Static
Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like
/dev/null in Linux programming.
Blackhole routes are used to dispose of packets instead of responding to
suspicious inquiries. This provides added security since the originator will not
discover any information from the target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are
not in use, traffic to those addresses (traffic which may be valid or malicious) can
be directed to a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, was added
to enable easier configuration of blackhole routing. Similar to a normal interface,
this loopback interface has fewer parameters to configure, and all traffic sent to it
stops there. Since it cannot have hardware connection or link status problems, it is
always available, making it useful for other dynamic routing roles. Once
configured, you can use a loopback interface in firewall policies, routing, and other
places that refer to interfaces. You configure this feature only from the CLI. For
more information see the system chapter of the FortiGate CLI Reference.
Static Route
You configure static routes by defining the destination IP address and netmask of
packets that you intend the FortiGate unit to intercept, and by specifying a
(gateway) IP address for those packets. The gateway address specifies the nexthop router to which traffic will be routed.
Note: You can use the config router static6 CLI command to add, edit, or delete
static routes for IPv6 traffic. For more information, see the router chapter of the FortiGate
CLI Reference.
To view the static route list, go to Router > Static > Static Route.
258
Router Static
Static Route
Figure 146 shows the static route list belonging to a FortiGate unit that has
interfaces named port1 and port2. The names of the interfaces on your
FortiGate unit may be different.
Figure 146:Static Route list when IPv6 is enabled in the GUI
Expand
Arrow
Delete
Edit
Create New
Add a static route to the Static Route list. For more information, see
Adding a static route to the routing table on page 262.
Select the down arrow to create an IPv6 static Route.
Route
Select the Expand Arrow to display or hide the IPv4 static routes. By
default these routes are displayed.
This is displayed only when IPv6 is enabled in the GUI.
IPv6 Route
Select the Expand Arrow to display or hide the IPv6 static routes. By
default these routes are hidden.
This is displayed only when IPv6 is enabled in the GUI.
IP/Mask
Gateway
Device
Distance
259
Static Route
Router Static
For example, Figure 147 shows a FortiGate unit connected to a router. To ensure
that all outbound packets destined to any network beyond the router are routed to
the correct destination, you must edit the factory default configuration and make
the router the default gateway for the FortiGate unit.
Figure 147:Making a router the default gateway
Internet
Gateway
Router
192.168.10.1
external
FortiGate_1
internal
Internal network
192.168.20.0/24
To route outbound packets from the internal network to destinations that are not
on network 192.168.20.0/24, you would edit the default route and include the
following settings:
Gateway: 192.168.10.1
Distance: 10
The Gateway setting specifies the IP address of the next-hop router interface to
the FortiGate external interface. The interface behind the router (192.168.10.1) is
the default gateway for FortiGate_1.
In some cases, there may be routers behind the FortiGate unit. If the destination
IP address of a packet is not on the local network but is on a network behind one
of those routers, the FortiGate routing table must include a static route to that
network. For example, in Figure 148, the FortiGate unit must be configured with
static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward
packets to Network_1 and Network_2 respectively.
260
Router Static
Static Route
Internet
FortiGate_1
internal
dmz
Gateway / Router_1
Gateway / Router_2
192.168.10.1
192.168.11.1
Network_1
192.168.20.0/24
Network_2
192.168.30.0/24
261
Static Route
Router Static
If the FortiGate unit reaches the next-hop router through an interface other than
the interface that is currently selected in the Device field, select the name of the
interface from the Device field.
In the Gateway field, type the IP address of the next-hop router to which outbound
traffic may be directed.
Select OK.
Enter the FortiGate unit interface closest to this subnet, or connected to it.
Enter the gateway IP address. Continuing with the example 172.1.2.3 would be a
valid address.
262
Router Static
Policy Route
Destination
IP/Mask
Type the destination IP address and network mask of packets that the
FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved
for the default route.
Gateway
Type the IP address of the next-hop router to which the FortiGate unit will
forward intercepted packets.
Device
Select the name of the FortiGate interface through which the intercepted
packets may be routed to the next-hop router.
Distance
Type an administrative distance from 1 to 255 for the route. The distance
value is arbitrary and should reflect the distance to the next-hop router. A
lower value indicates a more preferred route.
Policy Route
A routing policy allows you to redirect traffic away from a static route. This can be
useful if you want to route certain types of network traffic differently. You can use
incoming traffics protocol, source address or interface, destination address, or
port number to determine where to send the traffic. For example, generally
network traffic would go to the router of a subnet, but you might want to direct
SMTP or POP3 traffic addressed to that subnet directly to the mail server.
If you have configured the FortiGate unit with routing policies and a packet arrives
at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and
attempts to match the packet with a policy. If a match is found and the policy
contains enough information to route the packet (a minimum of the IP address of
the next-hop router and the FortiGate interface for forwarding packets to it), the
FortiGate unit routes the packet using the information in the policy. If no policy
route matches the packet, the FortiGate unit routes the packet using the routing
table.
Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.
Policy route options define which attributes of a incoming packet cause policy
routing to occur. If the attributes of a packet match all the specified conditions, the
FortiGate unit routes the packet through the specified interface to the specified
gateway.
Figure 150 shows the policy route list belonging to a FortiGate unit that has
interfaces named external and internal. The names of the interfaces on your
FortiGate unit may be different.
263
Policy Route
Router Static
To edit an existing policy route, see Adding a policy route on page 264.
Figure 150:Policy Route list
Delete
Edit
Move To
Create New Add a policy route. See Adding a policy route on page 264.
#
Incoming
Outgoing
Source
The IP source addresses and network masks that cause policy routing to
occur.
Destination The IP destination addresses and network masks that cause policy routing to
occur.
Delete icon Delete a policy route.
Edit icon
Move To
icon
After selecting this icon, enter the destination position in the window that
appears, and select OK.
For more information, see Moving a policy route on page 265.
Protocol
264
Router Static
Policy Route
Incoming Interface Select the name of the interface through which incoming packets
subjected to the policy are received.
Source Address /
Mask
Destination
Address / Mask
Destination Ports
Type of Service
Outgoing Interface Select the name of the interface through which packets affected by
the policy will be routed.
Gateway Address
Type the IP address of the next-hop router that the FortiGate unit can
access through the specified interface. A value of 0.0.0.0 is not
valid.
Before/After
Policy route ID
Enter the Policy route ID of the route in the Policy route table to
move the selected route before or after.
265
Policy Route
266
Router Static
Router Dynamic
Router Dynamic
This section explains how to configure dynamic protocols to route traffic through
large or complex networks. Dynamic routing protocols enable the FortiGate unit to
automatically share information about routes with neighboring routers and learn
about routes and networks advertised by them. The FortiGate unit supports these
dynamic routing protocols:
Note: You can configure basic RIP, OSPF, and BGP routing options through the web-based
manager. Many additional options are available but only through the CLI. For complete
descriptions and examples of how to use CLI commands to configure RIP, OSPF, and BGP
settings, see the config router chapter of FortiGate CLI Reference.
The FortiGate unit selects routes and updates its routing table dynamically based
on the rules you specify. Given a set of rules, the unit can determine the best route
or path for sending packets to a destination. You can also define rules to suppress
the advertising of routes to neighboring routers and change FortiGate routing
information before it is advertised.
If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is
configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2
router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode
and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations.
Bi-Directional Forwarding (BFD) is a protocol that works with BGP and OSPF to
quickly discover routers on the network that cannot be contacted, and to re-route
traffic accordingly until those routers can be contacted.
This section describes:
RIP
OSPF
BGP
Multicast
267
RIP
Router Dynamic
RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended
for small, relatively homogeneous networks. The FortiGate implementation of RIP
supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
268
Router Dynamic
RIP
Delete
Edit
RIP Version
Select the level of RIP compatibility needed at the FortiGate unit. You can
enable global RIP settings on all FortiGate interfaces connected to RIPenabled networks:
Select 1 to send and receive RIP version 1 packets.
Select 2 to send and receive RIP version 2 packets.
You can override the global settings for a specific FortiGate interface if
required. For more information, see Configuring a RIP-enabled interface
on page 272.
Advanced
Options
Select the Expand Arrow to view or hide advanced RIP options. For more
information, see Selecting advanced RIP options on page 270.
Networks
IP/Netmask
Enter the IP address and netmask that defines the RIPenabled network.
Add
269
RIP
Router Dynamic
Interfaces
Interface
Send Version
Receive Version The versions of RIP used to listen for updates on each
interface: 1, 2, or both.
Delete and
Edit icons
Authentication
Passive
Expand
Arrow
270
Rip Version
Advanced Options
Router Dynamic
RIP
Default Metric
Enter the default hop count that the FortiGate unit should assign
to routes that are added to the FortiGate routing table. The range
is from 1 to 16. This metric is the hop count, with 1 being best or
shortest.
This value also applies to Redistribute unless otherwise specified.
Default-informationoriginate
RIP Timers
Enter new values to override the default RIP timer settings. The
default settings are effective in most configurations if you
change these settings, ensure that the new settings are
compatible with local routers and access servers.
If the Update timer is smaller than Timeout or Garbage timers,
you will get an error.
Redistribute
Update
Timeout
Garbage
Static
OSPF
BGP
271
RIP
Router Dynamic
Figure 155 shows the New/Edit RIP Interface dialog box belonging to a FortiGate
unit that has an interface named internal. The names of the interfaces on your
FortiGate unit may be different.
Figure 155:New/Edit RIP Interface
272
Interface
Send Version,
Receive Version
Authentication
Passive Interface
Router Dynamic
OSPF
OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often
used in large heterogeneous networks to share routing information among routers
in the same Autonomous System (AS). FortiGate units support OSPF version 2
(see RFC 2328).
The main benefit of OSPF is that it advertises routes only when neighbors change
state instead of at timed intervals, so routing overhead is reduced.
The FortiGate unit dynamically updates its routing table based on the results of
the SPF calculation to ensure that an OSPF packet will be routed using the
shortest path to its destination. Depending on the network topology, the entries in
the FortiGate routing table may include:
the addresses of networks in the local OSPF area (to which packets are sent
directly)
273
OSPF
Router Dynamic
routes to OSPF area border routers (to which packets destined for another
area are sent)
The number of routes that a FortiGate unit can learn through OSPF depends on
the network topology. A single unit can support tens of thousands of routes if the
OSPF network is configured properly.
creating associations between the OSPF areas that you defined and the local
networks to include in the OSPF AS
If you are using the web-based manager to perform these tasks, follow the
procedures summarized below.
To define an OSPF AS
1
Define the characteristics of one or more OSPF areas. See Defining OSPF
areas on page 278.
Create associations between the OSPF areas that you defined and the local
networks to include in the OSPF AS. See Specifying OSPF networks on
page 279.
Select the OSPF operating parameters for the interface. See Selecting operating
parameters for an OSPF interface on page 279.
Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
Optionally select advanced OSPF options for the OSPF AS. See Selecting
advanced OSPF options on page 277.
Select Apply.
274
Router Dynamic
OSPF
Expand
Arrow
Router ID
Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
By convention, the router ID is the numerically highest IP address assigned
to any of the FortiGate interfaces in the OSPF AS.
If you change the router ID while OSPF is configured on an interface, all
connections to OSPF neighbors will be broken temporarily. The connections
will re-establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM or unit
will be used.
Advanced
Options
Select the Expand Arrow to view or hide advanced OSPF settings. For more
information, see Selecting advanced OSPF options on page 277.
275
OSPF
Router Dynamic
Areas
Define and add a new OSPF area to the Areas list. For
more information, see Defining OSPF areas on page 278.
Area
The unique 32-bit identifiers of areas in the AS, in dotteddecimal notation. Area ID 0.0.0.0 references the backbone
of the AS and cannot be changed or deleted.
Type
Interfaces
The networks in the OSPF AS and their area IDs. When you add a network
to the Networks list, all FortiGate interfaces that are part of the network are
advertised in OSPF link-state advertisements. You can enable OSPF on all
FortiGate interfaces whose IP addresses match the OSPF network address
space. For more information, see Specifying OSPF networks on page 279.
Create New
Add a network to the AS, specify its area ID, and add the
definition to the Networks list.
Network
Area
The area IDs that have been assigned to the OSPF network
address space.
Name
Interface
IP
276
Router Dynamic
OSPF
Expand
Arrow
Router ID
Redistribute
Generate and advertise a default (external) route to the OSPF AS. You
may base the generated route on routes learned through a dynamic
routing protocol, routes in the routing table, or both.
None
Regular
Always
RIP
BGP
Note: You can configure many additional advanced OSPF options through the CLI. For
details, see the router chapter of the FortiGate CLI Reference.
277
OSPF
Router Dynamic
278
Area
Type a 32-bit identifier for the area. The value must resemble an IP
address in dotted-decimal notation. Once you have created the OSPF
area, the area IP value cannot be changed; you must delete the area
and restart.
Type
Select an area type to classify the characteristics of the network that will
be assigned to the area:
Regular - If the area contains more than one router, each having at
least one OSPF-enabled interface to the area.
STUB - If the routers in the area must send packets to an area border
router in order to reach the backbone and you do not want routes to
non-OSPF domains to be advertised to the routers in the area.
Router Dynamic
OSPF
Authentication Select the method for authenticating OSPF packets sent and received
through all interfaces in the area:
None - Disable authentication.
IP/Netmask
Enter the IP address and network mask of the local network that you want
to assign to an OSPF area.
Area
Select an area ID for the network. The attributes of the area must match
the characteristics and topology of the specified network. You must define
the area before you can select the area ID. For more information, see
Defining OSPF areas on page 278.
279
OSPF
Router Dynamic
You can configure different OSPF parameters for the same FortiGate interface
when more than one IP address has been assigned to the interface. For example,
the same FortiGate interface could be connected to two neighbors through
different subnets. You could configure an OSPF interface definition containing one
set of Hello and dead-interval parameters for compatibility with one neighbors
settings, and a second OSPF interface definition for the same interface to ensure
compatibility with the second neighbors settings.
To select OSPF operating parameters for a FortiGate interface, go to Router >
Dynamic > OSPF, and then under Interfaces, select Create New. To edit the
operating parameters of an OSPF-enabled interface, go to Router > Dynamic >
OSPF and select the Edit icon in the row that corresponds to the OSPF-enabled
interface.
Figure 160 shows the New/Edit OSPF Interface dialog box belonging to a
FortiGate unit that has an interface named port1. The interface names on your
FortiGate unit may differ.
Figure 160:New/Edit OSPF Interface
Add
Name
Enter a name to identify the OSPF interface definition. For example, the
name could indicate to which OSPF area the interface will be linked.
Interface
Select the name of the FortiGate interface to associate with this OSPF
interface definition (for example, port1, external, or VLAN_1). The
FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces
connected to the OSPF-enabled network.
IP
Password
280
Router Dynamic
BGP
MD5 Keys
Enter the key identifier for the (first) password in the ID field (the range is
from 1 to 255) and then type the associated password in the Key field.
The password is a 128-bit hash, represented by an alphanumeric string of
up to 16 characters.
The OSPF neighbors that send link-state advertisements to this FortiGate
interface must be configured with an identical MD5 key. If the OSPF
neighbor uses more than one password to generate MD5 hash, select the
Add icon to add additional MD5 keys to the list.
This field is available only if you selected MD5 authentication.
Hello Interval
Dead Interval
BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by
ISPs to exchange routing information between different ISP networks. For
example, BGP enables the sharing of network paths between the ISP network
and an autonomous system (AS) that uses RIP, OSPF, or both to route packets
within the AS. The FortiGate implementation of BGP supports BGP-4 and
complies with RFC 1771.
281
BGP
Router Dynamic
Delete
282
Local AS
Enter the number of the local AS to which the FortiGate unit belongs.
Router ID
Neighbors
Remote AS
Add/Edit
Neighbor
Remote AS
Delete icon
Router Dynamic
Multicast
Networks
Add
Network
Delete icon
Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2
router in the root virtual domain. FortiGate units support PIM sparse mode (RFC
2362) and PIM dense mode (RFC 3973) and can service multicast servers or
receivers on the network segment to which a FortiGate interface is connected.
Note: For more information about FortiGate multicast support, see the FortiGate Multicast
Technical Note.
283
Multicast
Router Dynamic
Delete
Edit
Enable Multicast
Routing
Add Static RP
Apply
Create New
Interface
Mode
Status
Priority
DR Priority
Delete and Edit icons Delete or edit the PIM settings on the interface.
284
Router Dynamic
Multicast
Interface
PIM Mode
DR Priority
RP Candidate
RP Candidate Priority Enter the priority number for advertising RP candidacy on the
FortiGate interface. The range is from 1 to 255.
285
Router Dynamic
Configuring BFD
BFD is intended for networks that use BGP or OSPF routing protocols. This
generally excludes smaller networks.
BFD configuration on your FortiGate unit is very flexible. You can enable BFD for
the whole unit, and turn it off for one or two interfaces. Alternatively you can
specifically enable BFD for each neighbor router, or interface. Which method you
choose will be determined by the amount of configuring required for your network
The timeout period determines how long the unit waits before labeling a
connection as down. The length of the timeout period is importantif it is too short
connections will be labeled down prematurely, and if it is too long time will be
wasted waiting for a reply from a connection that is down. There is no easy
number, as it varies for each network and unit. High end FortiGate models will
respond very quickly unless loaded down with traffic. Also the size of the network
will slow down the response timepackets need to make more hops than on a
smaller network. Those two factors (CPU load and network traversal time) affect
how long the timeout you select should be. With too short a timeout period, BFD
will not connect to the network device but it will keep trying. This state generates
unnecessary network traffic, and leaves the device unmonitored. If this happens,
you should try setting a longer timeout period to allow BFD more time to discover
the device on the network.
286
Router Dynamic
287
Router Dynamic
288
Router Monitor
Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the
entries in the FortiGate routing table.
If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is
available separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
289
Router Monitor
IP version
Type
Select one of the following route types to search the routing table and display
routes of the selected type only:
All - all routes recorded in the routing table.
Static - the static routes that have been added to the routing table
manually. For more information see Static Route on page 258.
RIP - all routes learned through RIP. For more information see RIP on
page 268.
OSPF - all routes learned through OSPF. For more information see
OSPF on page 273.
BGP - all routes learned through BGP. For more information see BGP on
page 281
HA - RIP, OSPF, and BGP routes synchronized between the primary unit
and the subordinate units of a high availability (HA) cluster. HA routes are
maintained on subordinate units and are visible only if you are viewing the
router monitor from a virtual domain that is configured as a subordinate
virtual domain in a virtual cluster. For details about HA routing
synchronization, see the FortiGate High Availability User Guide.
Network
Gateway
Apply Filter Select to search the entries in the routing table based on the specified search
criteria and display any matching routes.
290
Type
The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF,
or BGP).
Subtype
OSPF inter area - the destination is in the OSPF AS, but the FortiGate
unit is not connected to that area.
External 2 - the destination is outside the OSPF AS. In this case, the
metric of the redistributed route is equivalent to the external cost only,
expressed as an OSPF cost.
OSPF NSSA 1 - same as External 1, but the route was received through a
not-so-stubby area (NSSA).
OSPF NSSA 2 - same as External 2, but the route was received through a
not-so-stubby area.
Network
Distance
The administrative distance associated with the route. A value of 0 means the
route is preferable compared to routes to the same destination.
To modify the administrative distance assigned to static routes, see Adding a
static route to the routing table on page 262. To modify this distance for
dynamic routes, see FortiGate CLI Reference.
Router Monitor
Metric
The metric associated with the route type. The metric of a route influences
how the FortiGate unit dynamically adds it to the routing table. The following
are types of metrics and when they are applied.
Hop count - routes learned through RIP.
Gateway
Interface
The interface through which packets are forwarded to the gateway of the
destination network.
Up Time
The total accumulated amount of time that a route learned through RIP,
OSPF, or BGP has been reachable.
From the Type list, select the type of route to display. For example, select
Connected to display all connected routes, or select RIP to display all routes
learned through RIP.
If you want to display routes to a specific network, type the IP address and
netmask of the network in the Networks field.
If you want to display routes to a specific gateway, type the IP address of the
gateway in the Gateway field.
291
292
Router Monitor
Firewall Policy
Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit,
between FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection
acceptance and packet processing for traffic attempting to pass through. When
the firewall receives a connection packet, it analyzes the packets source address,
destination address, and service (by port number), and attempts to locate a
firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow
when it receives matching packets. Some instructions are required, such as
whether to drop or accept and process the packets, while other instructions, such
as logging and authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), by using virtual IPs or IP pools to translate source and
destination IP addresses and port numbers. For details on using virtual IPs and IP
pools, see Firewall Virtual IP on page 333.
Policy instructions may also include protection profiles, which can specify
application-layer inspection and other protocol-specific protection and logging. For
details on using protection profiles, see Firewall Protection Profile on page 365.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are
configured separately for each virtual domain, and you must first enter the virtual
domain to configure its firewall policies. For details, see Using virtual domains on
page 95.
This section describes:
Multicast policies
293
Firewall Policy
services
time/schedule.
}Exception
}General
FTP connections would immediately match the deny policy, blocking the
connection. Other kinds of services do not match the FTP policy, and so policy
evaluation would continue until reaching the matching general policy. This policy
order has the intended effect. But if you reversed the order of the two policies,
positioning the general policy before the policy to block FTP, all connections,
including FTP, would immediately match the general policy, and the policy to block
FTP would never be applied. This policy order would not have the intended effect.
Figure 166:Example: Blocking FTP Incorrect policy order
}General
}Exception
Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you
would position those policies above other potential matches in the policy list.
Otherwise, the other matching policies could always take precedence, and the
required authentication, IPSec VPN, or SSL VPN might never occur.
Note: A default firewall policy may exist which accepts all connections. You can move,
disable or delete it. If you move the default policy to the bottom of the firewall policy list and
no other policy matches the packet, the connection will be accepted. If you disable or delete
the default policy and no other policy matches the packet, the connection will be dropped.
294
Firewall Policy
Multicast policies
In the firewall policy list, note the ID of a firewall policy that is before or after your
intended destination.
In the row corresponding to the firewall policy that you want to move, select the
Move To icon.
Select Before or After, and enter the ID of the firewall policy that is before or after
your intended destination. This specifies the policys new position in the firewall
policy list.
Select OK.
Multicast policies
FortiGate units support multicast policies. You can configure and create multicast
policies using the following CLI command:
config firewall multicast-policy
For more information, see the FortiOS CLI Reference and the FortiGate Multicast
Technical Note.
295
Firewall Policy
Filter
Delete
Edit
Insert Policy before
Move To
296
Create New
Column Settings
Customize the table view. You can select the columns to hide
or display and specify the column displaying order in the
table.
Filter icon
Edit the column filters to filter or sort the policy list according
to the criteria you specify. For more information, see Adding
filters to web-based manager lists on page 58.
ID
Source
Destination
Schedule
Service
Profile
Action
Status
From
To
VPN Tunnel
Authentication
Comments
Log
Firewall Policy
Count
Delete icon
Edit icon
Move To icon
Source Interface/Zone
Source Address
Destination Interface/Zone
Destination Address
If the initial packet matches the firewall policy, the FortiGate unit performs the
configured Action and any other configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.
DENY policy actions block communication sessions, and may optionally log
the denied traffic.
IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL
VPN tunnel, respectively, and may optionally apply NAT and allow traffic for
one or both directions. If permitted by the firewall encryption policy, a tunnel
may be initiated automatically whenever a packet matching the policy arrives
on the specified network interface, destined for the local private network. For
more information, see IPSec firewall policy options on page 306 and SSLVPN firewall policy options on page 307.
297
Firewall Policy
To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add
a policy or select the edit icon beside an existing firewall policy. Configure the
settings as described in the following table and in the references to specific
features for IPSec, SSL VPN and other specialized settings, and then select OK.
Alternatively, if you want to use IPv6 firewall addresses in your firewall policy, first
go to System > Admin > Settings. Select IPv6 Support on GUI. Then go to
Firewall > Policy > IPv6 Policy, and configure the settings according to the
following table.
Firewall policy order affects policy matching. Each time that you create or edit a
policy, make sure that you position it in the correct location in the list. You can
create a new policy and position it right away before an existing one in the firewall
policy list, by selecting Insert Policy before (see Viewing the firewall policy list on
page 295).
Note: You can configure differentiated services (DSCP) firewall policy options through the
CLI. See the firewall chapter of the FortiGate CLI Reference.
Figure 169:Firewall Policy options
298
Firewall Policy
Source
Interface/Zone
Source Address Select the name of a firewall address to associate with the Source
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from
this list. For more information, see Configuring addresses on
page 317.
If you want to associate multiple firewall addresses or address groups
with the Source Interface/Zone, from Source Address, select Multiple. In
the dialog box, move the firewall addresses or address groups from the
Available Addresses section to the Members section, then select OK.
If Action is set to IPSEC, the address is the private IP address of the
host, server, or network behind the FortiGate unit.
If Action is set to SSL-VPN and the policy is for web-only mode clients,
select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients,
select the name of the address that you reserved for tunnel mode
clients.
Destination
Interface/Zone
Destination
Address
Schedule
299
Firewall Policy
Service
Select the name of a firewall service or service group that packets must
match to trigger this policy.
You can select from a wide range of predefined firewall services, or you
can create a custom service or service group by selecting Create New
from this list. For more information, see Configuring custom services
on page 325 and Configuring service groups on page 327.
By selecting the Multiple button beside Service, you can select multiple
services or service groups.
Action
Select how you want the firewall to respond when a packet matches the
conditions of the policy. The options available will vary widely depending
on this selection.
ACCEPT
Accept traffic matched by the policy. You can configure NAT, protection
profiles, log traffic, shape traffic, set authentication options, or add a
comment to the policy.
DENY
Reject traffic matched by the policy. The only other configurable policy
options are Log Violation Traffic to log the connections denied by this
policy and adding a Comment.
IPSEC
SSL-VPN
NAT
Protection
Profile
300
Select Fixed Port to prevent NAT from translating the source port.
Some applications do not function correctly if the source port is
translated. In most cases, if Fixed Port is selected, Dynamic IP pool is
also selected. If Dynamic IP pool is not selected, a policy with Fixed Port
selected can allow only one connection to that service at a time.
Select a protection profile to apply antivirus, web filtering, web category
filtering, spam filtering, IPS, content archiving, and logging to a firewall
policy. You can also create a protection profile by selecting Create New
from this list. For more information, see Firewall Protection Profile on
page 365.
If you intend to apply authentication to this policy, do not make a
Protection Profile selection. The user group you choose for
authentication is already linked to a protection profile. For more
information, see Adding authentication to firewall policies on page 302.
Firewall Policy
Log Allowed
Traffic
Log Violation
Traffic
Available only if Action is set to DENY. Select Log Violation Traffic, for
Deny policies, to record messages to the traffic log whenever the policy
processes a connection. You must also enable traffic log for a logging
location (syslog, WebTrends, local disk if available, memory, or
FortiAnalyzer) and set the logging severity level to Notification or lower
using the Log and Report screen. For more information, see
Log&Report on page 525.
Authentication
Check
FortiClient is
Installed and
Running
Firewall policies can deny access for hosts that do not have FortiClient
Host Security software installed and operating. For more information,
see Options to detect FortiClient on hosts on page 308.
This option appears only on FortiGate-1000A, FortiGate-3600A, and
FortiGate-5005FA2 models.
Traffic Shaping Traffic Shaping controls the bandwidth available to, and sets the priority
of the traffic processed by, the policy.
Note: To ensure that traffic shaping is working at its best, make sure that
the interface ethernet statistics show no errors, collisions, or buffer
overruns. If any of these problems do appear, then FortiGate and switch
settings may require adjusting.
Also, do not set both Guaranteed Bandwidth and Maximum Bandwidth
to 0 (zero), or the policy will not allow any traffic.
For information about traffic shaping, see Adding traffic shaping to
firewall policies on page 304 and Traffic shaping considerations on
page 305.
Guaranteed Select a value to ensure there is enough bandwidth available for a highBandwidth priority service. Be sure that the sum of all Guaranteed Bandwidth in all
firewall policies is significantly less than the bandwidth capacity of the
interface.
Maximum
Bandwidth
Traffic
Priority
Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit
manages the relative priorities of different types of traffic. For example, a
policy for connecting to a secure web server needed to support
e-commerce traffic should be assigned a high traffic priority. Less
important services should be assigned a low priority. The firewall
provides bandwidth to low-priority connections only when bandwidth is
not needed for high-priority connections.
Be sure to enable traffic shaping on all firewall policies. If you do not
apply any traffic shaping rule to a policy, the policy is set to high priority
by default.
Distribute firewall policies over all three priority queues.
User
Authentication
Disclaimer
301
Firewall Policy
Redirect URL
Comments
HTTP
HTTPS
FTP
Telnet.
The authentication style depends on which of these supported protocols you have
included in the selected firewall services group and which of those enabled
protocols the network user applies to trigger the authentication challenge. The
authentication style will be one of two types. For certificate-based (HTTPS or
HTTP redirected to HTTPS only) authentication, you must install customized
certificates on the FortiGate unit and on the browsers of network users, which the
FortiGate unit matches. For user name and password-based (HTTP, FTP, and
Telnet) authentication, the FortiGate unit prompts network users to input their
firewall user name and password.
For example, if you want to require HTTPS certificate-based authentication before
allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall
policy) that includes SMTP, POP3 and HTTPS services. Prior to using either
POP3 or SMTP, the network user would send traffic using the HTTPS service,
which the FortiGate unit would use to verify the network users certificate; upon
successful certificate-based authentication, the network user would then be able
to access his or her email.
In most cases, you should ensure that users can use DNS through the FortiGate
unit without authentication. If DNS is not available, users will not be able to use a
domain name when using a supported authentication protocol to trigger the
FortiGate units authentication challenge.
Note: If you do not install certificates on the network users web browser, the network users
may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate, which the network users web browsers may then deem as invalid. For
information on installing certificates, see System Certificates on page 219.
Note: When you use certificate authentication, if you do not specify any certificate when
you create a firewall policy, the FortiGate unit will use the default certificate from the global
settings will be used. If you specify a certificate, the per-policy setting will override the
global setting. For information on global authentication settings, see Authentication
302
Firewall Policy
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first
create users, assign them to a firewall user group, and assign a protection profile
to that user group. For information on configuring user groups, see User groups
on page 435. For information on configuring authentication settings, see
Authentication firewall policy options (non-SSL-VPN) on page 303 and SSLVPN firewall policy options on page 307.
Right Arrow
Left Arrow
Authentication
Firewall
Directory Service
(FSAE)
NTLM Authentication Include Directory Service groups defined in User > User Group.
If you select this option, you must use Directory Service groups
as the members of the authentication group for NTLM. For
information about configuring user groups, see User groups on
page 435.
303
Firewall Policy
Available Groups
Allowed
Guest Profile
Certificate
304
Firewall Policy
The bandwidth available for traffic controlled by a policy is used for both the
control and data sessions and for traffic in both directions. For example, if
guaranteed bandwidth is applied to an internal and an external FTP policy, and a
user on an internal network uses FTP to put and get files, both the put and get
sessions share the bandwidth available to the traffic controlled by the policy.
The guaranteed and maximum bandwidth available for a policy is the total
bandwidth available to all traffic controlled by the policy. If multiple users start
multiple communications session using the same policy, all of these
communications sessions must share from the bandwidth available for the policy.
However, bandwidth availability is not shared between multiple instances of using
the same service if these multiple instances are controlled by different policies.
For example, you can create one FTP policy to limit the amount of bandwidth
available for FTP for one network address and create another FTP policy with a
different bandwidth availability for another network address.
Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero),
the policy does not allow any traffic.
Traffic Priority
You can set traffic priority to manage the relative priorities of different types of
traffic. Important and latency-sensitive traffic should be assigned a high priority.
Less important and less sensitive traffic should be assigned a low priority.
The FortiGate unit provides bandwidth to low-priority connections only when
bandwidth is not needed for high-priority connections.
For example, you can add policies to guarantee bandwidth for voice and
e-commerce traffic. Then you can assign a high priority to the policy that controls
voice traffic and a medium priority to the policy that controls e-commerce traffic.
During a busy time, if both voice and e-commerce traffic are competing for
bandwidth, the higher priority voice traffic will be transmitted before the
e-commerce traffic.
305
Firewall Policy
Traffic shaping applied to a firewall policy is enforced for traffic which may flow in
either direction. Therefore a session which may be set up by an internal host to an
external one, through an Internal-to-External policy, will have traffic shaping
applied even if the data stream flows external to internal. One example may be an
FTP get or a SMTP server connecting to an external one, in order to retrieve
email.
Note that traffic shaping is effective for normal IP traffic at normal traffic rates.
Traffic shaping is not effective during periods when traffic exceeds the capacity of
the FortiGate unit. Since packets must be received by the FortiGate unit before
they are subject to traffic shaping, if the FortiGate unit cannot process all of the
traffic it receives, then dropped packets, delays, and latency are likely to occur.
To ensure that traffic shaping is working at its best, make sure that the interface
ethernet statistics show no errors, collisions or buffer overruns. If any of these
problems do appear, then FortiGate and switch settings may require adjusting.
For more information, see the FortiGate Traffic Shaping Technical Note.
VPN Tunnel
Select the VPN tunnel name defined in the phase 1 configuration. The
specified tunnel will be subject to this firewall encryption policy.
Allow Inbound
Allow outbound
Inbound NAT
Outbound NAT
Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall
policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction
of communication, with the IPSec virtual interface as the source or destination interface as
appropriate.
For more information, see the Defining firewall policies chapter of the FortiGate
IPSec VPN User Guide.
306
Firewall Policy
Left Arrow
SSL Client Certificate
Restrictive
Cipher Strength
Select the bit level of SSL encryption. The web browser on the
remote client must be capable of matching the level that you
select: Any, High >= 164, or Medium >= 128.
User Authentication
Method
Local
For a local user group that will be bound to this firewall policy.
RADIUS
LDAP
Any
Available Groups
Select the name of the user group requiring SSL VPN access,
and then select the Right Arrow. Do not select more than one
user group unless all members of the selected user groups
have identical access requirements.
For information about how to create a firewall encryption policy for SSL VPN
users, see the SSL VPN administration tasks chapter of the FortiGate SSL VPN
User Guide.
If you select NAT (above, in the same dialog box), the IP address of the outgoing
interface of the FortiGate unit is used as the source address for new sessions
started by SSL VPN.
The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN
traffic, but has no effect on web-mode SSL VPN traffic.
307
Firewall Policy
AV Disabled
Firewall Disabled
308
Firewall Policy
Internet
IPS Mail
Server
Home-based Workers
(no secure connection)
ISP Web
Server
172.16.10.3
192.168.100.1
Finance
Department
Help
Desk
Engineering
Department
Internal Network
Company A requires secure connections for home-based workers. Like many
companies, they rely heavily on email and Internet access to conduct business.
They want a comprehensive security solution to detect and prevent network
attacks, block viruses, and decrease spam. They want to apply different protection
settings for different departments. They also want to integrate web and email
servers into the security solution.
To deal with their first requirement, Company A configures specific policies for
each home-based worker to ensure secure communication between the homebased worker and the internal network.
1
Select Create New and enter or select the following settings for Home_User_1:
309
Firewall Policy
Source: internal
Destination: wan1
Address
Source:
CompanyA_Network
Destination: Home_User_1
Schedule
Always
Service
ANY
Action
IPSEC
VPN Tunnel
Home1
Allow Inbound
yes
Allow outbound
yes
Inbound NAT
yes
Outbound NAT
no
Protection Profile
Select OK.
Select Create New and enter or select the following settings for Home_User_2:
310
Interface / Zone
Interface / Zone
Source: internal
Destination: wan1
Address
Source:
CompanyA_network
Destination: All
Schedule
Always
Service
ANY
Action
IPSEC
VPN Tunnel
Home2_Tunnel
Allow Inbound
yes
Allow outbound
yes
Inbound NAT
yes
Outbound NAT
no
Protection Profile
Select OK.
Firewall Policy
VPN Tunnel
Home User 1
172.20.100.6
Internet
External
172.30.120.8
FortiGate
100A
VPN Tunnel
Home User 2
172.25.106.99
DMZ
10.10.10.1
Email Server
10.10.10.2
Internal
192.168.100.1
Finance Users
192.168.100.10192.168.100.20
Engineering Users
192.168.100.51192.168.100.100
Web Server
10.10.10.3
The proposed network is based around a ForitGate 100A unit. The 15 internal
computers are behind the FortiGate unit. They now access the email and web
servers in a DMZ, which is also behind the FortiGate unit. All home-based
employees now access the office network through the FortiGate unit via VPN
tunnels.
311
Firewall Policy
The library must be able to set different access levels for patrons and staff
members.
The first firewall policy for main office staff members allows full access to the
Internet at all times. A second policy will allow direct access to the DMZ for staff
members. A second pair of policies is required to allow branch staff members the
same access.
The staff firewall policies will all use a protection profile configured specifically for
staff access. Enabled features include virus scanning, spam filtering, IPS, and
blocking of all P2P traffic. FortiGuard web filtering is also used to block
advertising, malware, and spyware sites.
A few users may need special web and catalog server access to update
information on those servers, depending on how they are configured. Special
access can be allowed based on IP address or user.
The proposed topography has the main branch staff and the catalog access
terminals going through a FortiGate HA cluster to the servers in a DMZ. The public
access terminals first go through a FortiWiFi unit, where additional policies can be
applied, to the HA Cluster and finally to the servers.
The branch office has all three users routed through a FortiWiFi unit to the main
branch via VPN tunnels.
312
Firewall Policy
Policies are configured in Firewall > Policy. Protection Profiles are configured in
Firewall > Protection Profile.
Main office staff to Internet policy:
Source Interface
Internal
Source Address
All
Destination Interface
External
Destination Address
All
Schedule
Always
Action
Accept
Internal
Source Address
All
Destination Interface
DMZ
Destination Address
Servers
Schedule
Always
Action
Accept
313
Firewall Policy
Branches
Source Address
Branch Staff
Destination Interface
External
Destination Address
All
Schedule
Always
Action
Accept
Branches
Source Address
Branch Staff
Destination Interface
DMZ
Destination Address
Servers
Schedule
Always
Action
Accept
314
Firewall Address
Firewall Address
Firewall addresses and address groups define network addresses that you can
use when configuring firewall policies source and destination address fields. The
FortiGate unit compares the IP addresses contained in packet headers with
firewall policy source and destination addresses to determine if the firewall policy
matches the traffic.
You can organize related addresses into address groups to simplify your firewall
policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses
are configured separately for each virtual domain, and you must first enter the
virtual domain to configure its firewall addresses. For details, see Using virtual
domains on page 95.
This section describes:
About firewall addresses
Viewing the firewall address list
Configuring addresses
Viewing the address group list
Configuring address groups
The netmask corresponds to the subnet class of the address being added, and
can be represented in either dotted decimal or CIDR format. The FortiGate unit
automatically converts CIDR formatted netmasks to dotted decimal format. For
example, the netmask can be a:
netmask for a single computer: 255.255.255.255, or /32
netmask for a class A subnet: 255.0.0.0, or /8
netmask for a class B subnet: 255.255.0.0, or /16
netmask for a class C subnet: 255.255.255.0, or /24
netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
315
Firewall Address
<host_name>.<second_level_domain_name>.<top_level_domain_name>,
such as mail.example.com
<host_name>.<top_level_domain_name>
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
Note: By default, IPv6 firewall addresses are configurable only in the CLI. For information
on enabling configuration of IPv6 firewall addresses in the web-based manager, see
Settings on page 215.
Delete
Edit
316
Firewall Address
Configuring addresses
Create New
Name
Address/FQDN
Interface
The interface, zone, or virtual domain (VDOM) to which you bind the IP
address.
Delete icon
Select to remove the address. The Delete icon only appears if the
address is not currently being used by a firewall policy or address
group.
Edit icon
Configuring addresses
You can use one of three methods to represent hosts in firewall addresses:
IP/Mask, IP Range, or FQDN.
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
Note: By default, IPv6 firewall addresses are configurable only in the CLI. For information
on enabling configuration of IPv6 firewall addresses in the web-based manager, see
Settings on page 215.
317
Firewall Address
Address Name
Type
Subnet/IP Range Enter the firewall IP address, followed by a forward slash (/), then
subnet mask, or enter an IP address range separated by a hyphen.
Interface
Select the interface, zone, or virtual domain (VDOM) link to which you
want to bind the IP address. Select Any if you want to bind the IP
address with the interface/zone when you create a firewall policy.
Select OK.
Delete
Edit
Create New
Group Name
Members
Delete icon
Select to remove the address group. The Delete icon only appears if the
address group is not currently being used by a firewall policy.
Edit icon
318
Firewall Address
Group Name
Available
Addresses
The list of all configured and default firewall addresses. Use the arrows
to move selected addresses between the lists of available and member
addresses.
Members
The list of addresses included in the address group. Use the arrows to
move selected addresses between the lists of available and member
addresses.
Select OK.
319
320
Firewall Address
Firewall Service
Firewall Service
Firewall services define one or more protocols and port numbers associated with
each service. Service definitions are used by firewall policies to match session
types.
You can organize related services into service groups to simplify your firewall
policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall services are
configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
Name
Detail
321
Firewall Service
322
Service name
Description
IP Protocol Port
AH
ANY
all
all
AOL
TCP
5190-5194
BGP
TCP
179
DCE-RPC
135
51
135
DHCP
UDP
67
68
DNS
TCP
53
UDP
53
ESP
FINGER
TCP
79
FTP
TCP
21
FTP_GET
TCP
21
FTP_PUT
TCP
21
GOPHER
TCP
70
GRE
47
H323
1720, 1503
HTTP
80
HTTPS
443
50
TCP
Firewall Service
Description
IP Protocol Port
ICMP_ANY
ICMP
N/A
IKE
UDP
500
IMAP
TCP
143
ICMP
17
ICMP
15
IRC
TCP
6660-6669
TCP
389
L2TP
TCP
1701
LDAP
TCP
389
MGCP
2427, 2727
NFS
111, 2049
NNTP
TCP
119
NTP
123
NetMeeting
1720
OSPF
89
PC-Anywhere
UDP
5632
PING
ICMP
PING6
POP3
PPTP
58
TCP
110
1723
323
Firewall Service
Description
QUAKE
26000,
27000,
27910,
27960
RAUDIO
UDP
7070
REXEC
TCP
512
RIP
UDP
520
RLOGIN
TCP
513
RSH
TCP
514
SAMBA
139
SCCP
TCP
2000
SIP
5060
SIPMSNmessenger
TCP
1863
SMTP
TCP
25
SNMP
TCP
161-162
UDP
161-162
TCP
22
UDP
22
SYSLOG
UDP
514
TALK
UDP
517-518
TCP
TCP
0-65535
TELNET
TCP
23
TFTP
UDP
69
TIMESTAMP
ICMP
13
UDP
0-65535
UUCP
UDP
540
VDOLIVE
TCP
7000-7010
SSH
324
IP Protocol Port
Firewall Service
Description
WAIS
IP Protocol Port
210
WINFRAME
TCP
1494
X-WINDOWS
TCP
6000-6063
Delete
Edit
Create New
Service Name
Detail
Delete icon
Select to remove the custom service. The Delete icon only appears if
the service is not currently being used by a firewall policy.
Edit icon
325
Firewall Service
Delete
Name
Protocol Type
Select TCP/UDP.
Protocol
Select TCP or UDP as the protocol of the port range being added.
Source Port
Specify the Source Port number range for the service by entering the
low and high port numbers. If the service uses one port number, enter
this number in both the Low and High fields. The default values allow
the use of any source port.
Destination Port Specify the Destination Port number range for the service by entering
the low and high port numbers. If the service uses one port number,
enter this number in both the Low and High fields.
Add
If the custom service being created requires more than one port range,
select Add to allow more source and destination ranges.
Delete Icon
Name
Protocol Type
Select ICMP.
Type
Code
326
Firewall Service
Name
Protocol Type
Select IP.
Delete
Edit
Create New
Group Name
Members
Delete icon
Select to remove the entry from the list. The Delete icon only appears if
the service group is not selected in a firewall policy.
Edit icon
327
Firewall Service
Service groups can contain both predefined and custom services. Service groups
cannot contain other service groups.
To organize services into a service group, go to Firewall > Service > Group.
Service groups can also be created during firewall policy configuration by
selecting Create New from the Service drop-down menu.
Figure 188:Service Group
328
Group Name
Available
Services
The list of configured and predefined services. Use the arrows to move
selected services between the lists of available and member services.
Members
The list of services in the group. Use the arrows to move selected
services between the lists of available and member services.
Firewall Schedule
Firewall Schedule
Firewall schedules control when policies are in effect. You can create one-time
schedules or recurring schedules. One-time schedules are in effect only once for
the period of time specified in the schedule. Recurring schedules are in effect
repeatedly at specified times of the day on specified days of the week.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall schedules
are configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
To view the recurring schedule list, go to Firewall > Schedule > Recurring.
Figure 189:Recurring schedule list
Delete
Edit
Create New
Name
Day
The initials of the days of the week on which the schedule is active.
Start
Stop
Delete icon
Select to remove the schedule from the list. The Delete icon only
appears if the schedule is not being used in a firewall policy.
Edit icon
329
Firewall Schedule
Name
Select
Start
Stop
Delete
Edit
330
Create New
Name
Start
Stop
Delete icon
Select to remove the schedule from the list. The Delete icon only
appears if the schedule is not being used in a firewall policy.
Edit icon
Firewall Schedule
Name
Start
Stop
331
332
Firewall Schedule
Firewall Virtual IP
Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to
translate IP addresses and ports of packets received by a network interface,
including a modem interface.
When the FortiGate unit receives inbound packets matching a firewall policy
whose Destination Address field is a virtual IP, the FortiGate unit applies NAT,
replacing packets IP addresses with the virtual IPs mapped IP address.
IP pools, similarly to virtual IPs, can be used to configure aspects of NAT;
however, IP pools configure dynamic translation of packets IP addresses based
on the Destination Interface/Zone, whereas virtual IPs configure dynamic or static
translation of a packets IP addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it
to a NAT firewall policy. For details, see Configuring virtual IPs on page 338.
Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies
that include Virtual IPs and IP pools. See Adding NAT firewall policies in transparent mode
on page 361.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs
are configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
Virtual IP Groups
IP pools
Configuring IP Pools
333
Firewall Virtual IP
Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not
DENY to apply bidirectional NAT, also known as inbound NAT.
When comparing packets with the firewall policy list to locate a matching policy, if
a firewall policys Destination Address is a virtual IP, FortiGate units compares
packets destination address to the virtual IPs external IP address. If they match,
the FortiGate unit applies the virtual IPs inbound NAT mapping, which specifies
how the FortiGate unit translates network addresses and/or port numbers of
packets from the receiving (external) network interface to the network interface
connected to the destination (mapped) IP address or IP address range.
In addition to specifying IP address and port mappings between interfaces, virtual
IP configurations can optionally bind an additional IP address or IP address range
to the receiving network interface. By binding an additional IP address, you can
configure a separate set of mappings that the FortiGate unit can apply to packets
whose destination matches that bound IP address, rather than the IP address
already configured for the network interface.
Depending on your configuration of the virtual IP, its mapping may involve port
address translation (PAT), also known as port forwarding or network address port
translation (NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies
by your selection of:
the dynamic NATs load balancing style, if using dynamic NAT mapping
The following table describes combinations of PAT and/or NAT that are possible
when configuring a firewall policy with a virtual IP.
Static NAT
Static NAT with Static, one-to-one NAT mapping with port forwarding: an external IP
Port Forwarding address is always translated to the same mapped IP address, and an
external port number is always translated to the same mapped port
number.
If using IP address ranges, the external IP address range corresponds
to a mapped IP address range containing an equal number of IP
addresses, and each IP address in the external range is always
translated to the same IP address in the mapped range. If using port
number ranges, the external port number range corresponds to a
mapped port number range containing an equal number of port
numbers, and each port number in the external range is always
translated to the same port number in the mapped range.
334
Firewall Virtual IP
Server Load
Balancing
Server Load
Dynamic, one-to-many NAT mapping with port forwarding: an external
Balancing with IP address is translated to one of the mapped IP addresses, as
Port Forwarding determined by the selected load balancing algorithm for more even
traffic distribution. The external IP address is not always translated to
the same mapped IP address.
Server load balancing requires that you configure at least one real
server, but can use up to eight. Real servers can be configured with
health check monitors. Health check monitors can be used to gauge
server responsiveness before forwarding packets.
Note: If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full (source and destination) NAT; instead, it performs destination
network address translation (DNAT).
For inbound traffic, DNAT translates packets destination address to the mapped private IP
address, but does not translate the source address. The private network is aware of the
sources public IP address. For reply traffic, the FortiGate unit translates packets private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.
A typical example of static NAT is to allow client access from a public network to a
web server on a private network that is protected by a FortiGate unit. Reduced to
its essence, this example involves only three hosts, as shown in Figure 193: the
web server on a private network, the client computer on another network, such as
the Internet, and the FortiGate unit connecting the two networks.
When a client computer attempts to contact the web server, it uses the virtual IP
on the FortiGate units external interface. The FortiGate unit receives the packets.
The addresses in the packets are translated to private network IP addresses, and
the packet is forwarded to the web server on the private network.
Figure 193:A simple static NAT virtual IP example
The packets sent from the client computer have a source IP of 192.168.37.55 and
a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its
external interface, and matches them to a firewall policy for the virtual IP. The
virtual IP settings map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes
the packets addresses. The source address is changed to 10.10.10.2 and the
destination is changed to 10.10.10.42. The FortiGate unit makes a note of this
translation in the firewall session table it maintains internally. The packets are then
sent on to the web server.
335
Firewall Virtual IP
Figure 194:Example of packet address remapping during NAT from client to server
Note that the client computers address does not appear in the packets the server
receives. After the FortiGate unit translates the network addresses, there is no
reference to the client computers IP address, except in its session table. The web
server has no indication that another network exists. As far as the server can tell,
all packets are sent by the FortiGate unit.
When the web server replies to the client computer, address translation works
similarly, but in the opposite direction. The web server sends its response packets
having a source IP address of 10.10.10.42 and a destination IP address of
10.10.10.2. The FortiGate unit receives these packets on its internal interface.
This time, however, the session table is used to recall the client computers IP
address as the destination address for the address translation. In the reply
packets, the source address is changed to 192.168.37.4 and the destination is
changed to 192.168.37.55. The packets are then sent on to the client computer.
The web servers private IP address does not appear in the packets the client
receives. After the FortiGate unit translates the network addresses, there is no
reference to the web servers network. The client has no indication that the web
servers IP address is not the virtual IP. As far as the client is concerned, the
FortiGate units virtual IP is the web server.
Figure 195:Example of packet address remapping during NAT from server to client
In the previous example, the NAT check box is checked when configuring the
firewall policy. If the NAT check box is not selected when building the firewall
policy, the resulting policy does not perform full NAT; instead, it performs
destination network address translation (DNAT).
For inbound traffic, DNAT translates packets destination address to the mapped
private IP address, but does not translate the source address. The web server
would be aware of the clients IP address. For reply traffic, the FortiGate unit
translates packets private network source IP address to match the destination
address of the originating packets, which is maintained in the session table.
Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an
outbound firewall policy. If no virtual IPs are configured, FortiGate units apply
traditional outbound NAT to connections outbound from private network IP
addresses to public network IP addresses. However, if virtual IP configurations
exist, FortiGate units use virtual IPs inbound NAT mappings in reverse to apply
outbound NAT, causing IP address mappings for both inbound and outbound
traffic to be symmetric.
336
Firewall Virtual IP
VIP requirements
Virtual IPs have the following requirements.
Delete
Edit
Create New
Name
IP
Service Port
The external port number or port number range. This field is empty if the
virtual IP does not specify port forwarding.
Map to IP/IP
Range
Map to Port
The mapped to port number or port number range. This field is empty if
the virtual IP does not specify port forwarding.
Delete icon
Remove the virtual IP from the list. The Delete icon only appears if the
virtual IP is not selected in a firewall policy.
Edit icon
Edit the virtual IP to change any virtual IP option including the virtual IP
name.
337
Firewall Virtual IP
Name
External Interface Select the virtual IP external interface from the list. The external
interface is connected to the source network and receives the packets
to be forwarded to the destination network. You can select any
FortiGate interface, VLAN subinterface, VPN interface, or modem
interface.
338
Type
Select Static NAT or Server Load Balance. For details about VIP
types, see How virtual IPs map connections through FortiGate units
on page 333.
External IP
Address/Range
Firewall Virtual IP
Mapped IP
Address/Range
Method
If you select Server Load Balance, you can select one of the following
load balancing methods.
Static: The traffic load is spread evenly across all servers, no
additional server is required.
Round Robin: Directs request to the next server, and treats all
servers as equals regardless of response time or number of
connections. Dead servers or non responsive servers are avoided.
A separate server is required.
Port Forwarding
Protocol
External Service
Port
Enter the external interface port number for which you want to
configure port forwarding.
This option appears only if Port Forwarding is enabled.
Map to Port
Real Servers
If you select Server Load Balancing for the Type, enter the real server
IP addresses. At least one IP address is required, but you can enter
up to eight (8) real server IP addresses per virtual IP (VIP).
To enter a server IP address, select Add under Real Servers and
enter the following information:
IP: Enter the IP address of the server.
Port: If you enable port forwarding, enter the port number on the
destination network to which the external port number is mapped.
339
Firewall Virtual IP
HTTP Multiplexing Select to use the FortiGate units HTTP proxy to multiplex multiple
client connections destined for the web server into a few connections
between the FortiGate unit and the web server. This can improve
performance by reducing server overhead associated with
establishing multiple connections. The server must be HTTP/1.1
compliant.
This option appears only if Port Forwarding is selected.
Note: Additional HTTP Multiplexing options are available in the CLI.
For details, see the FortiGate CLI Reference.
Preserve Client IP Select to preserve the IP address of the client in the X-ForwardedFor HTTP header. This can be useful if you require logging on the
server of the clients original IP address. If this option is not selected,
the header will contain the IP address of the FortiGate unit.
This option appears only if Port Forwarding is selected, and is
available only if HTTP Multiplexing is selected.
SSL Offloading
Certificate
To configure a virtual IP
340
Firewall Virtual IP
Configure the virtual IP by entering the virtual IP address, if any, that will be bound
to the network interface, and selecting the mapping type and mapped IP
address(es) and/or port(s). For configuration examples of each type, see:
Adding static NAT port forwarding for a single IP address and a single port on
page 344
Adding static NAT port forwarding for an IP address range and a port range
on page 346
Select OK.
The virtual IP appears in the virtual IP list.
341
Firewall Virtual IP
Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In our example, the wan1 interface
of the FortiGate unit is connected to the Internet and the dmz1 interface is
connected to the DMZ network.
Figure 199:Virtual IP options: static NAT virtual IP for a single IP address
Name
static_NAT
Static NAT
External IP
Address/Range
Map to IP/IP Range The IP address of the server on the internal network. Since there is
only one IP address, leave the second field blank.
Select OK.
To add a static NAT virtual IP for a single IP address to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users
on the Internet attempt to connect to the web server IP address packets pass
through the FortiGate unit from the external interface to the dmz1 interface. The
virtual IP translates the destination address of these packets from the external IP
to the DMZ network IP address of the web server.
external
Source Address
342
Destination Address
simple_static_nat
Schedule
always
Service
HTTP
Action
ACCEPT
Select NAT.
Select OK.
Firewall Virtual IP
Use the following procedure to add a virtual IP that allows users on the Internet to
connect to three individual web servers on the DMZ network. In this example, the
wan1 interface of the FortiGate unit is connected to the Internet and the dmz1
interface is connected to the DMZ network.
Figure 201:Virtual IP options: static NAT virtual IP with an IP address range
343
Firewall Virtual IP
Name
static_NAT_range
External Interface
wan1
Type
Static NAT
Select OK.
To add a static NAT virtual IP with an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on
the Internet attempt to connect to the server IP addresses, packets pass through
the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP
translates the destination addresses of these packets from the wan1 IP to the
DMZ network IP addresses of the servers.
wan1
Source Address
static_NAT_range
Schedule
always
Service
HTTP
Action
ACCEPT
Select NAT.
Select OK.
Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42,
port 8000 on a private network. Attempts to communicate with 192.168.37.4,
port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the
FortiGate unit. The computers on the Internet are unaware of this translation and
see a single computer at 192.168.37.4, port 80 rather than a FortiGate unit with a
private network behind it.
344
Firewall Virtual IP
Figure 202:Static NAT virtual IP port forwarding for a single IP address and a single
port example
To add static NAT virtual IP port forwarding for a single IP address and a
single port
1
Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In our example, the wan1 interface
of the FortiGate unit is connected to the Internet and the dmz1 interface is
connected to the DMZ network.
Figure 203:Virtual IP options: Static NAT port forwarding virtual IP for a single IP
address and a single port
Name
Port_fwd_NAT_VIP
External Interface
wan1
Type
Static NAT
345
Firewall Virtual IP
Port Forwarding
Selected
Protocol
TCP
The port traffic from the Internet will use. For a web server,
this will typically be port 80.
Map Port
Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a
single port to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on
the Internet attempt to connect to the web server IP addresses, packets pass
through the FortiGate unit from the wan1 interface to the dmz1 interface. The
virtual IP translates the destination addresses and ports of these packets from the
external IP to the dmz network IP addresses of the web servers.
wan1
Source Address
Port_fwd_NAT_VIP
Schedule
always
Service
HTTP
Action
ACCEPT
Select NAT.
Select OK.
Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are
mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a
private network. Attempts to communicate with 192.168.37.5, port 82 from the
Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the
FortiGate unit. The computers on the Internet are unaware of this translation and
see a single computer at 192.168.37.5 rather than a FortiGate unit with a private
network behind it.
346
Firewall Virtual IP
Figure 204:Static NAT virtual IP port forwarding for an IP address range and a port
range example
To add static NAT virtual IP port forwarding for an IP address range and a
port range
1
Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In this example, the external
interface of the FortiGate unit is connected to the Internet and the dmz1 interface
is connected to the DMZ network.
Name
Port_fwd_NAT_VIP_port_range
External Interface
external
Type
Static NAT
Port Forwarding
Selected
Protocol
TCP
The ports that traffic from the Internet will use. For a web
server, this will typically be port 80.
Map Port
Select OK.
347
Firewall Virtual IP
To add static NAT virtual IP port forwarding for an IP address range and a
port range to a firewall policy
Add a external to dmz1 firewall policy that uses the virtual IP so that when users
on the Internet attempt to connect to the web server IP addresses, packets pass
through the FortiGate unit from the external interface to the dmz1 interface. The
virtual IP translates the destination addresses and ports of these packets from the
external IP to the dmz network IP addresses of the web servers.
1
external
Source Address
Port_fwd_NAT_VIP_port_range
Schedule
always
Service
HTTP
Action
ACCEPT
Select NAT.
Select OK.
348
Firewall Virtual IP
Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In this example, the wan1 interface
of the FortiGate unit is connected to the Internet and the dmz1 interface is
connected to the DMZ network.
Figure 206:Virtual IP options: server load balancing virtual IP
Name
Load_Bal_VIP
External Interface
wan1
Type
Method
Real Servers
If you select Server Load Balancing for the VIP type, enter
the real server IP addresses. For details about real server
settings, see Configuring virtual IPs on page 338.
Select OK.
To add a server load balance virtual IP to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on
the Internet attempt to connect to the web servers IP address, packets pass
through the FortiGate unit from the wan1 interface to the dmz1 interface. The
virtual IP translates the destination address of these packets from the external IP
to the dmz network IP addresses of the web servers.
349
Firewall Virtual IP
Source Interface/Zone
wan1
Source Address
Server_Load_Bal_VIP
Schedule
always
Service
HTTP
Action
ACCEPT
Select NAT.
Select OK.
350
Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In this example, the wan1 interface
of the FortiGate unit is connected to the Internet and the dmz1 interface is
connected to the DMZ network.
Firewall Virtual IP
Name
Load_Bal_VIP_port_forward
External Interface
wan1
Type
Method
Real Servers
If you select Server Load Balancing for the VIP type, enter
the real server IP addresses. For details about real server
settings, see Configuring virtual IPs on page 338.
Port Forwarding
Selected
Protocol
TCP
The ports that traffic from the Internet will use. For a web
server, this will typically be port 80.
Select OK.
351
Firewall Virtual IP
wan1
Source Address
Load_Bal_VIP_port_forward
Schedule
always
Service
HTTP
Action
ACCEPT
Select NAT.
Select OK.
Enter the Map to IP address to which to map the external IP address. For
example, the IP address of a PPTP server on an internal network.
Enter the External Service Port number for which to configure dynamic port
forwarding.
The external service port number must match the destination port of the packets
to be forwarded. For example, if the virtual IP provides PPTP passthrough access
from the Internet to a PPTP server, the external service port number should be
1723 (the PPTP port).
352
Firewall Virtual IP
Virtual IP Groups
10
Enter the Map to Port number to be added to packets when they are forwarded.
Enter the same number as the External Service Port if the port is not to be
translated.
11
Select OK.
Enter the Map to IP address to which to map the external IP address. For
example, the IP address of a PPTP server on an internal network.
Enter the External Service Port number for which to configure dynamic port
forwarding.
The external service port number must match the destination port of the packets
to be forwarded. For example, if the virtual IP provides PPTP passthrough access
from the Internet to a PPTP server, the external service port number should be
1723 (the PPTP port).
10
Enter the Map to Port number to be added to packets when they are forwarded.
11
Select OK.
Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall
policy list. For example, instead of having five identical policies for five different
but related virtual IPs located on the same network interface, you might combine
the five virtual IPs into a single virtual IP group, which is used by a single firewall
policy.
Firewall policies using VIP Groups are matched by comparing both the member
VIP IP address(es) and port number(s).
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
353
Firewall Virtual IP
Delete
Edit
Create New
Group Name
Members
Interface
Delete icon
Remove the VIP group from the list. The Delete icon only appears if the
VIP group is not being used in a firewall policy.
Edit icon
Edit the VIP group information, including the group name and
membership.
354
Firewall Virtual IP
Group Name
Interface
Select the interface for which you want to create the VIP
group. If you are editing the group, the Interface box is
grayed out.
Delete
Edit
Create New
Name
Details
355
IP pools
Firewall Virtual IP
Name
Type
HTTP
PING
Port
URL
Matched Content
Enter the HTTP reply content that must be present to indicate proper
server connectivity.
This option appears only if Type is HTTP.
Interval
Timeout
Enter the number of seconds which must pass after the server health
check to indicate a failed health check.
Retry
Enter the number of times, if any, a failed health check will be retried
before the server is determined to be inaccessible.
Select OK.
IP pools
Use IP pools to add NAT policies that translate source addresses to addresses
randomly selected from the IP pool, rather than the IP address assigned to that
FortiGate unit interface. In Transparent mode, IP pools are available from the
FortiGate CLI.
An IP pool defines an address or a range of IP addresses, all of which respond to
ARP requests on the interface to which the IP pool is added.
Select Enable Dynamic IP Pool in a firewall policy to translate the source address
of outgoing packets to an address randomly selected from the IP pool. An IP pool
list appears when the policy destination interface is the same as the IP pool
interface.
With an IP pool added to the internal interface, you can select Dynamic IP pool for
policies with the internal interface as the destination.
Add multiple IP pools to any interface and select the IP pool to use when
configuring a firewall policy.
A single IP address is entered normally. For example, 192.168.110.100 is a
valid IP pool address. If an IP address range is required, use either of the
following formats.
356
Firewall Virtual IP
IP pools
Change to
192.168.1.1
172.16.30.1
192.168.1.2
172.16.30.2
......
......
192.168.1.254
172.16.30.254
357
Firewall Virtual IP
Original address
Change to
192.168.1.1
172.16.30.10
192.168.1.2
172.16.30.11
......
......
192.168.1.10
172.16.30.19
192.168.1.11
172.16.30.10
192.168.1.12
172.16.30.11
192.168.1.13
172.16.30.12
......
......
Change to
192.168.1.1
172.16.30.10
192.168.1.2
172.16.30.11
192.168.1.3
172.16.30.12
Delete
Edit
358
Create New
Name
Start IP
End IP
Firewall Virtual IP
Configuring IP Pools
Delete icon
Select to remove the entry from the list. The Delete icon only appears if
the IP pool is not being used in a firewall policy.
Edit icon
Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.
Figure 213:New Dynamic IP Pool
Name
Interface
IP Range/Subnet Enter the IP address range for the IP pool. The IP range defines the
start and end of an address range. The start of the range must be lower
than the end of the range. The start and end of the IP range does not
have to be on the same subnet as the IP address of the interface to
which you are adding the IP pool.
Users in the 10.1.1.0/24 subnet use port 8080 to access server 172.16.1.1.
359
Firewall Virtual IP
To allow the local users to access the server, you can use fixed port and IP pool to
allow more than one user connection while using virtual IP to translate the
destination port from 8080 to 80.
To create an IP pool
1
pool-1
Interface
DMZ
IP Range/Subnet 10.1.3.1-10.1.3.254
server-1
External
Interface
Internal
Type
Static NAT
External IP
172.16.1.1
Address/Range Note this address is the same as the server address.
Mapped IP
172.16.1.1.
Address/Range
Port Forwarding Enable
Protocol
360
TCP
Firewall Virtual IP
80
internal
Source Address
10.1.1.0/24
server-1
Schedule
always
Service
HTTP
Action
ACCEPT
Select NAT.
Select OK.
Enable NAT to translate the source addresses of packets as they pass through
the FortiGate unit.
For NAT firewall policies to work in NAT/Route mode you must have two
interfaces on two different networks with two different subnet addresses. Then
you can create firewall policies to translate source or destination addresses for
packets as they are relayed by the FortiGate unit from one interface to the other.
A FortiGate unit operating in Transparent mode normally has only one IP address,
the management IP. To support NAT in Transparent mode you can add a second
management IP. These two management IPs must be on different subnets. When
you add two management IP addresses, all FortiGate unit network interfaces will
respond to connections to both of these IP addresses.
In the example network shown in Figure 215, all of the PCs on the internal
network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as
their default route. One of the management IPs of the FortiGate unit is set to
192.168.1.99. This configuration results in a typical NAT mode firewall. When a
PC on the internal network attempts to connect to the Internet, the PC's default
route sends packets destined for the Internet to the FortiGate unit internal
interface.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
361
Firewall Virtual IP
Similarly on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a
default route of 10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these
packets from the internal interface out the wan1 interface to the Internet. Because
the wan1 interface does not have an IP address of its own, you must add an IP
pool to the wan1 interface that translates the source addresses of the outgoing
packets to an IP address on the network connected to the wan1 interface.
The example describes adding an IP pool with a single IP address of 10.1.1.201.
So all packets sent by a PC on the internal network that are accepted by the
internal to wan1 policy leave the wan1 interface with their source address
translated to 10.1.1.201. These packets can now travel across the Internet to their
destination. Reply packets return to the wan1 interface because they have a
destination address of 10.1.1.201. The internal to wan1 NAT policy translates the
destination address of these return packets to the IP address of the originating PC
and sends them out the internal interface to the originating PC.
Use the following steps to configure NAT in Transparent mode
Router
10.1.1.0/24
Transparent mode
Management IPs:
10.1.1.99
192.168.1.99
WAN 1
Internal network
192.168.1.0/24
Internal
DMZ
DMZ network
10.1.1.0/24
362
Firewall Virtual IP
Enter the following command to add an internal to wan1 firewall policy with NAT
enabled that also includes an IP pool:
config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set scraddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
set ippool enable
set poolname nat-out
end
Note: You can add the firewall policy from the web-based manager and then use the CLI to
enable NAT and add the IP Pool.
363
364
Firewall Virtual IP
antivirus protection
web filtering
spam filtering
IPS
content archiving
365
Scan
Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic.
Quarantine is also selected for all content services. On FortiGate models
with a hard drive, if antivirus scanning finds a virus in a file, the file is
quarantined on the FortiGate hard disk. If a FortiAnalyzer unit is
configured, files are quarantined remotely. Quarantine permits system
administrators to inspect, recover, or submit quarantined files to Fortinet
for analysis.
Web
Apply virus scanning and web content blocking to HTTP traffic. Add this
protection profile to firewall policies that control HTTP traffic.
Unfiltered
Delete
Edit
366
Create New
Name
Delete icon
Delete a protection profile from the list. The Delete icon appears only if
the protection profile is not currently selected in a firewall policy or user
group.
Edit icon
Profile Name
Comments
AntiVirus
Web Filtering
FortiGuard Web Filtering See FortiGuard Web Filtering options on page 370.
Spam Filtering
IPS
Content Archive
IM & P2P
VoIP
Logging
Anti-Virus options
You can apply antivirus scanning options through a protection profile.
In general, client comforting provides a visual display of progress for web page
loading or file downloads. Without client comforting, users have no indication that
the download has started until the FortiGate unit has completely buffered and
scanned the download, and they may cancel or repeatedly retry the transfer,
thinking it has failed. The appearance of a client comforting message (for
example, a progress bar) is browser-dependent. In some instances, there will be
no visual client comforting cue.
367
For email scanning, the oversize threshold refers to the final size of the email after
encoding by the email client, including attachments. Email clients can use a
variety of encoding types; some result in larger file sizes than the original
attachment. The most common encoding, base64, translates 3 bytes of binary
data into 4 bytes of base64 data. As a result, a file may be blocked or logged as
oversized even if the attachment is several megabytes smaller than the configured
oversize threshold.
To configure antivirus options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside Anti-Virus, enter the information as
described below, and select OK. For more antivirus configuration options, see
AntiVirus on page 447.
Figure 218:Protection Profile Anti-Virus options
368
Virus Scan
Select virus scanning for each protocol (HTTP, FTP, IMAP, POP3,
SMTP, IM). Virus Scan includes grayware, as well as heuristic
scanning. However, by default neither is enabled. To enable
specific grayware, go to AntiVirus > Config > Grayware. To
enable heuristic scanning, see the config antivirus
heuristic command in the FortiGate CLI Reference.
Note: When you enable virus scanning, scanning by splice, also
called streaming mode, is enabled automatically. When scanning
by splice, the FortiGate unit simultaneously scans and streams
traffic to the destination, terminating the stream to the destination
if a virus is detected. For details on configuring splicing, see the
splice option for each protocol in the config firewall
profile command in the FortiGate CLI Reference. For details on
splicing behavior for each protocol, see the Knowledge Center
article FortiGate Proxy Splice and Client Comforting Technical
Note.
Extended AV
Database
Select to scan for viruses that have not been recently observed in
the wild.
In addition to the FortiGuard Antivirus wild list database, which
contains viruses currently being detected in the wild, some
FortiGate models are also equipped with an extended antivirus
database that contains viruses not recently observed in the wild.
This option appears only on models with more than one partition,
such as the FortiGate-3810A.
File Filter
Select to filter files, then under Options, specify a file filter, which
can consist of file name patterns and file types. For more
information, see File Filter on page 450.
Quarantine
Pass Fragmented
Emails
Comfort Clients
Interval
Amount
Oversized File/Email Select Block or Pass for files and email messages exceeding
configured thresholds for each protocol.
Threshold
Add signature to
outgoing emails
If the file is larger than the threshold value in megabytes, the file is
passed or blocked. The maximum threshold for scanning in
memory is 10% of the FortiGate units RAM.
Create and enable a signature to append to outgoing email (SMTP
only).
Threshold
369
Web content exempt list Select which content exemptions will be used with this
protection profile.
Web URL Filter
Web URL filter list
ActiveX Filter
Cookie Filter
Blocked pages are replaced with a message indicating that the page is not
accessible according to the Internet usage policy.
If the combined scores of the content block patterns appearing on a web page
exceed the threshold value, the page will be blocked. For details, see Viewing the
web content block list on page 483.
For more information on web filter configuration options, see Web Filter on
page 479. For details on how web URL filter lists are used with HTTP and HTTPS
URLs, see URL formats on page 490.
370
Rate images by URL (blocked Block images that have been rated by FortiGuard.
images will be replaced with Blocked images are replaced on the originating web
pages with blanks. Rated image file types include GIF,
blanks)
JPEG, PNG, BMP, and TIFF.
Allow websites when a rating Allow web pages that return a rating error from the web
filtering service.
error occurs
371
Strict Blocking
Rate URLs by domain and IP Select to send both the URL and the IP address of the
requested site for checking, and thus provide additional
address
security against attempts to bypass the FortiGuard
system.
However, because IP rating is not updated as quickly as
URL rating, some false ratings may occur.
372
Category
Classification
FortiGuard AntiSpam
IP address check
URL check
E-mail checksum
check
373
Spam submission
E-mail address BWL check Select to enable the checking of incoming email addresses
against the configured spam filter email address list.
E-mail address BWL list Select which email address black/white list will be used with
this protection profile.
374
Threshold
Spam Action
Tag Location
Tag Format
IPS options
You can apply IPS sensor options through a protection profile.
To configure IPS options, go to Firewall > Protection Profile. Select Create New
to add a protection profile, or the Edit icon beside an existing protection profile.
Then select the Expand Arrow beside IPS, enter the information as described
below, and select OK.
For more information on IPS, see Intrusion Protection on page 463.
Figure 222:Protection profile IPS options
IPS
375
The FortiGate unit only allows one sixteenth of its memory for transferring content
archive files. For example, for FortiGate units with 128RAM, only 8MB of memory
is used when transferring content archive files. It is recommended not to enable
full content archiving if antivirus scanning is also configured because of these
memory constraints.
You can store content archives locally, if your FortiGate unit has a hard drive, or
remotely, on a FortiAnalyzer unit or FortiGuard Analysis and Management
Service, provided that the FortiAnalyzer unit or FortiGuard Analysis and
Management Service is first configured. For instructions on configuring and
viewing remotely stored content archives, see Logging to a FortiAnalyzer unit on
page 529 and Content Archive on page 545.
To configure Content Archive options, go to Firewall > Protection Profile. Select
Create New to add a protection profile, or the Edit icon beside an existing
protection profile. Then select the Expand Arrow beside Content Archive, enter
the information as described below, and select OK.
Figure 223:Protection Profile Content Archive options
Email Protocols
IM Protocols
376
Archive to
FortiAnalyzer/FortiGuard
None
Summary
Full
Archive to
FortiAnalyzer/FortiGuard
None
Summary
Full
Archive IM to
FortiAnalyzer/FortiGuard
377
IM/P2P options
You can apply IM and P2P options through a protection profile.
Any changes to IM protection profile options made while IM users are logged in
will take effect only upon their next login. For example, you cannot use Block
Login to disconnect currently logged-in users.
For more IM configuration options, see IM, P2P & VoIP on page 515.
To configure IM/P2P options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside IM / P2P, enter the information as
described below, and select OK.
Figure 224:Protection Profile IM/P2P options
378
Block Login
Select to block file transfers for AIM, ICQ, MSN, and Yahoo
protocols.
Block Audio
Action
Limit (KBytes/s)
VoIP options
You can apply VoIP options through a protection profile. FortiGate units support
rate limiting for the following types of VoIP traffic:
Rate limiting of these VoIP protocols can be used to protect the FortiGate unit and
your network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting
protects against SIP DoS attacks by limiting the number of SIP register and invite
requests that the FortiGate unit receives per second. Rate limiting protects
against SCCP DoS attacks by limiting the number of SCCP call setup messages
that the FortiGate unit receives per minute.
When VoIP rate limiting is enabled, if the FortiGate unit receives more messages
per second (or minute) than the configured rate, the extra messages are dropped.
If you are experiencing denial of service attacks from traffic using these VoIP
protocols you can enable VoIP rate limiting and limit the rates for your network.
Limits the rates depending on the amount of SIP and SCCP traffic that you expect
the FortiGate unit to be handling. You can adjust the settings if some calls are lost
or if the amount of SIP or SCCP traffic is affecting FortiGate unit performance.
From the CLI you can configure additional SIP, SCCP, as well as SIMPLE
extensions. For more information, see the description of the config sip,
config sccp, and config simple subcommands of the firewall profile
command in the FortiGate CLI Reference. You can also block SIMPLE sessions
by enabling block login for the SIMPLE IM/P2P protection profile option. See
IM/P2P options on page 378.
For more information about FortiGate SIP support see SIP support on page 383.
To configure VoIP options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside VoIP, enter the information as
described below, and select OK.
Figure 225:Protection Profile VoIP options
SIP
SCCP
379
Enter a rate limit for SIP INVITE requests (per second, per
policy). If this option is set to zero (0), requests are not
limited.
Enter a rate limit to SCCP call setup (calls per minute, per
client) between call clients and the call manager. If this
option is set to zero (0), setups are not limited.
Logging options
You can enable Logging options in a protection profile to write event log messages
when the options that you have enabled in this protection profile perform an
action. For example, if you enable Antivirus protection you could also enable the
Anti-virus > Viruses protection profile logging options to write an event log
message every time a virus is detected by this protection profile.
For more information about enabling and configuring event logs, see Event log
on page 536.
To configure Logging options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside Logging, enter the information as
described below, and select OK.
Figure 226:Protection Profile Logging options
Antivirus
Web Filtering
380
Viruses
Blocked Files
Oversized Files /
E-mails
Content Block
URL Filter
ActiveX Filter
Cookie Filter
Spam Filtering
Log Spam
IPS
Log Intrusions
IM and P2P
Log IM Activity
VoIP
Go to Firewall > Policy. Alternatively, go to Firewall > IPv6 Policy if you require
a protection profile for a firewall to support IPv6.
If virtual domains are enabled on the FortiGate unit, protection profiles are applied
separately in firewall policies for each virtual domain (VDOM). To access firewall
policies, first select a virtual domain from the main menu.
Select Create New to add a policy, or select Edit for the policy to which you want
to apply the protection profile.
For example, if you want to apply a protection profile containing HTTP antivirus
scanning, select policies whose Service is a service or service group containing
HTTP.
If you are creating a new firewall policy, configure other required policy options.
For more information, see Configuring firewall policies on page 297.
Select OK.
381
382
SIP support
SIP support
The Session Initiation Protocol (SIP) is a signaling protocol used for establishing
and conducting multiuser calls over TCP/IP networks using any media. Due to the
complexity of the call setup, not every firewall can handle SIP calls correctly, even
if the firewall is stateful. The FortiGate unit SIP pre-defined service tracks and
scans SIP calls. The FortiGate unit can make all necessary adjustments, to both
the firewall state and call data, to ensure a seamless call is established through
the FortiGate unit regardless of its operation mode, NAT, route, or transparent.
You can use protection profiles to control the SIP protocol and SIP call activity.
A statistical summary of SIP protocol activity is also available and makes
managing SIP use easy.
This section includes some high-level information about VoIP and SIP. It also
describes how FortiOS SIP support works and how to configure the key SIP
features. For more configuration information, see FortiGate CLI Reference.
The FortiGate unit supports the following SIP features:
RTP Pinholing
Request control
Rate limiting
Events logging
Communication archiving
NAT IP preservation
Note: Some of the features described in this chapter are available for FortiOS Carrier only.
383
SIP support
IP Network
4. Client B is
notified of incoming
call by proxy server
phone rings
RTP Session
SIP Client A
(a@example.com)
SIP Client B
(b@example.com)
When the SIP server operates in redirect mode (shown in Figure 228), the SIP
client sends its signaling request to a SIP server, which then looks up the
destination address. The SIP server returns the destination address to the
originator of the call, who uses it to signal the destination SIP client.
Figure 228:SIP in redirect mode
SIP Redirect Server
2. Client A dials Client B and
request is sent to SIP redirect server
IP Network
5. Client B is
notified of incoming
call by redirect server
phone rings
RTP Session
SIP Client A
(a@example.com)
SIP Client B
(b@example.com)
384
SIP support
The FortiGate unit can effectively secure VoIP solutions since it supports VoIP
protocols such as SIP, MGCP, and H.323, and associates state at the signaling
layer with packet flows at the media layer. Using SIP ALG controls, the FortiGate
unit understands the VoIP signaling protocols used in the network and can
dynamically open and close ports (pinholes) for each specific VoIP call to maintain
security.
The FortiGate Intrusion-prevention system (IPS) provides another strategic line of
defense, particularly against VoIP network predators. With its deep-packet
inspection capabilities, the FortiGate IPS can provide continuous surveillance
across multiple network sectors simultaneously, recognizing network traffic
expected within each and alerting network managers to malicious packets and
other protocol anomalies.
SIP NAT
The FortiGate unit supports network address translation (NAT) of SIP because the
FortiGate ALG can modify the SIP headers correctly.
Because of its complexity, this section uses scenarios to explain the FortiGate SIP
NAT support.
217.10.69.11
SIP Server
RTP Server
217.233.122.132
Internet
10.72.0.57
385
SIP support
217.10.69.11
SIP Server
RTP Server
217.233.122.132
10.72.0.60
Internet
10.72.0.57
In this scenario, the SIP phone connects to a VIP (10.72.0.60). The FortiGate SIP
ALG translates the SIP contact header to 217.10.79.9. The FortiGate ALG will
open the RTP pinholes and manage NAT.
The FortiGate unit also supports a variation of this scenario - the RTP server hides
its real address.
Figure 231:SIP destination NAT-RTP server hidden
192.168.200.99
219.29.81.21
RTP Server
10.0.0.60
217.233.90.60
Internet
SIP Server
In this scenario, a SIP phone connects to the Internet. The VoIP service provider
only publishes a single public IP (a VIP). The SIP phone would connect to the
FortiGate unit (217.233.90.60) and the FortiGate unit would translate the SIP
contact header to the SIP server (10.0.0.60). The SIP server would change the
SIP/SDP connection information (which tells the SIP phone which RTP IP it
should contact) also to 217.233.90.60.
386
SIP support
219.29.81.10
219.29.81.20
RTP Server
10.0.0.60
SIP Server
RTP-1: 217.233.90.65
RTP-2: 217.233.90.70
SIP: 217.233.90.60
Internet
In this scenario, assuming there is a SIP server and a separate media gateway.
The SIP server is configured in such a way that the SIP phone (219.29.81.20) will
connect to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will
connect to 217.233.90.65.
What happens is as follows:
1
The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP
contact header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
The FortiGate ALG opens pinholes, assuming that it knows the ports to be
opened.
You need to create a SIP triggering firewall policy (also called a dummy policy)
for RTP so that the FortiGate ALG knows the ports to be opened. This requires
that RTP VIPs must be created, and firewall policies need to be created using
those VIPs.
RTP is sent to the RTP-VIP (217.233.90.65.) The FortiGate ALG translates the
SIP contact header to 192.168.0.21.
387
SIP support
Create a firewall protection profile that enables SIP (see Enabling SIP support
and setting rate limiting on page 388).
Once the profile is included in a policy, the ALG will parse the SIP traffic and open
the RTP ports for each specific VoIP call.
When creating a protection profile, you configure SIP features using the webbased manager and CLI. You then apply the profile to a firewall policy. You can
apply a profile to multiple policies.
Create a firewall policy that allows SIP and includes a SIP-enabled protection
profile. Specifically, select the SIP or Any pre-defined service for the policy.
When the FortiGate unit receives a SIP packet, it checks the packet against the
firewall policies. If the packet matches a policy, the FortiGate firewall inspects and
processes the packet according to the SIP profile applied to the policy.
For more information about firewall policies, see Firewall Policy on page 293.
Configuring SIP
You configure most SIP features through the CLI. You can also enable SIP
support, set two rate limits, enable SIP logging, and view SIP statistics using the
web-based manager.
If you want to Enable SIP for an existing profile, select the Edit icon. Otherwise,
select Create New.
Expand VoIP.
Figure 233:Enabling SIP and setting rate limit
388
SIP support
Configuring SIP
SIP
Select to enable SIP support and set rate limiting for SIP and SIMPLE
traffic.
Rate limit for SIP and SIMPLE traffic is useful to protect a SIP server
within a company. Most SIP servers do not have integrated controls and
it is very easy to flood the servers with INVITES or REGISTER requests
to exhaust their resources.
Limit REGISTER Enter a rate limit for SIP REGISTER requests (per second, per policy).
If this option is set to zero (0), requests are not limited.
Request
Limit INVITE
Request
Enter a rate limit for SIP INVITE requests (per second, per policy). If this
option is set to zero (0), requests are not limited.
In CLI, you can enable rate limiting for a more extensive range of SIP requests,
including ACK, INFO, NOTIFY, OPTIONS, PRACK, REFER, SUBSCRIBE, and
UPDATE. For more information, see FortiGate CLI Reference.
4
Select OK.
Log VoIP
Activity
389
SIP support
edit <profile_name>
config sip
set status enable
set call-keepalive <integer>
end
end
390
SIP support
Configuring SIP
Preserving NAT IP
In NAT operation mode, you can preserve the original source IP address in the
SDP i line. This allows the SIP server to parse this IP for billing purposes.
In CLI, type the following commands:
config firewall profile
edit <profile_name>
config sip
set status enable
set nat-trace enable
end
end
In addition, you can overwrite or append the SDP i line:
config firewall profile
edit <profile_name>
config sip
set status enable
set preserve-override {enable | disable}
end
end
where selecting enable removes the original source IP address from the SDP i
line and disable appends the address.
391
SIP support
392
VPN IPSEC
VPN IPSEC
This section provides information about Internet Protocol Security (IPSec) VPN
configuration options available through the web-based manager. FortiGate units
support both policy-based (tunnel-mode) and route-based (interface mode) VPNs.
Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN
User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is
configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
Auto Key
Manual Key
Concentrator
Monitor
Define the phase 1 parameters that the FortiGate unit needs to authenticate
remote peers or clients and establish a secure a connection. See Creating a new
phase 1 configuration on page 396.
Define the phase 2 parameters that the FortiGate unit needs to create a VPN
tunnel with a remote peer or dialup client. See Creating a new phase 2
configuration on page 401.
Note: You must use steps 1 and 2 if you want the FortiGate unit to generate unique IPSec
encryption and authentication keys automatically. If a remote VPN peer or client requires a
specific IPSec encryption or authentication key, you must configure the FortiGate unit to use
manual keys instead. For more information, see Manual Key on page 404.
393
VPN IPSEC
Route-based
You create a policy-based VPN by defining an IPSEC firewall policy between two
network interfaces and associating it with the VPN tunnel (phase 1 or manual key)
configuration. You need only one firewall policy, even if either end of the VPN can
initiate a connection.
You create a route-based VPN by enabling IPSec interface mode when you create
the VPN phase 1 or manual key configuration. This creates a virtual IPSec
interface that is bound to the local interface you selected. You then define an
ACCEPT firewall policy to permit traffic to flow between the virtual IPSec interface
and another network interface. If either end of the VPN can initiate the connection,
you need two firewall policies, one for each direction.
Virtual IPSec interface bindings are shown on the network interfaces page. (Go to
System > Network > Interface.) The names of all tunnels bound to physical,
aggregate, VLAN, inter-VDOM link or wireless interfaces are displayed under their
associated interface names in the Name column. For more information, see
Interfaces on page 107. As with other interfaces, you can include a virtual IPSec
interface in a zone.
Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a
concentrator function. This is available only for policy-based VPNs, but you can
create the equivalent function for a route-based VPN in any of the following ways:
394
Define a firewall policy between each pair of IPSec interfaces that you want to
concentrate. This can be time-consuming to maintain if you have many site-tosite connections, since the number of policies required increases rapidly as the
number of spokes increases.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
VPN IPSEC
Auto Key
Put all the IPSec interfaces into a zone and then define a single zone-to-zone
policy.
Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must
be more than one IPSec interface in the zone.
For more information and an example, see the FortiGate IPSec VPN User Guide.
Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel
redundancy. You can configure several routes for the same IP traffic with different
route metrics. You can also configure the exchange of dynamic (RIP, OSPF, or
BGP) routing information through VPN tunnels. If the primary VPN connection
fails or the priority of a route changes through dynamic routing, an alternative
route will be selected to forward traffic through the redundant connection.
A simple way to provide failover redundancy is to create a backup IPSec
interface. You can do this in the CLI. For more information, including an example
configuration, see the monitor-phase1 keyword for the ipsec vpn phase1interface command in the FortiGate CLI Reference.
Routing
Optionally, through the CLI, you can define a specific default route for a virtual
IPSec interface. For more information, see the default-gw keyword for the
vpn ipsec phase1-interface command in the FortiGate CLI Reference.
Auto Key
You can configure two VPN peers (or a FortiGate dialup server and a VPN client)
to generate unique Internet Key Exchange (IKE) keys automatically during the
IPSec phase 1 and phase 2 exchanges.
When you define phase 2 parameters, you can choose any set of phase 1
parameters to set up a secure connection for the tunnel and authenticate the
remote peer.
Auto Key configuration applies to both tunnel-mode and interface-mode VPNs.
To configure an Auto Key VPN, go to VPN > IPSEC > Auto Key (IKE).
Figure 235:Auto Key list
Delete
Edit
Create Phase 1
Create Phase 2
395
Auto Key
VPN IPSEC
Phase 1
Phase 2
Interface Binding
To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE)
and select Create Phase 1. For information about how to choose the correct
phase 1 settings for your particular situation, see the FortiGate IPSec VPN User
Guide.
Figure 236:New Phase 1
396
VPN IPSEC
Auto Key
Name
Remote Gateway
IP Address
Dynamic DNS
If you selected Dynamic DNS, type the domain name of the remote
peer.
Local Interface
Mode
Pre-shared Key
If you selected Pre-shared Key, type the pre-shared key that the
FortiGate unit will use to authenticate itself to the remote peer or
dialup client during phase 1 negotiations. You must define the same
value at the remote peer or client. The key must contain at least 6
printable characters and should be known only by network
administrators. For optimum protection against currently known
attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.
Certificate Name
397
Auto Key
VPN IPSEC
Peer Options
Accept any
peer ID
Accept the local ID of any remote VPN peer or client. The FortiGate
unit does not check identifiers (local IDs). You can set Mode to
Aggressive or Main.
You can use this option with RSA Signature authentication. But, for
highest security, you should configure a PKI user/group for the peer
and set Peer Options to Accept this peer certificate only.
Accept this
peer ID
Accept peer ID Authenticate multiple FortiGate or FortiClient dialup clients that use
in dialup group unique identifiers and unique pre-shared keys (or unique pre-shared
keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes.
(For more information, see User groups on page 435.) Select the
group from the list next to the Accept peer ID in dialup group option.
For more information about configuring FortiGate dialup clients, see
the FortiGate IPSec VPN User Guide. For more information about
configuring FortiClient dialup clients, see the Authenticating
FortiClient Dialup Clients Technical Note.
You must set Mode to Aggressive when the dialup clients use unique
identifiers and unique pre-shared keys. If the dialup clients use
unique pre-shared keys only, you can set Mode to Main if there is
only one dialup phase 1 configuration for this interface IP address.
Accept this
This option is available when Authentication Method is set to RSA
peer certificate Signature.
Authenticate remote peers or dialup clients that use a security
only
certificate. Select the certificate from the list next to the option.
You must add peer certificates to the FortiGate configuration before
you can select them here. For more information, see PKI
authentication on page 431.
Accept this
This option is available when Authentication Method is set to RSA
peer certificate Signature and Remote Gateway is set to Dialup User.
Use a certificate group to authenticate dialup clients that have
group only
dynamic IP addresses and use unique certificates.
Select the name of the peer group from the list. You must first create
the group through the config user peergrp CLI command
before you can select it. For more information, see the user chapter
of the FortiGate CLI Reference. Members of the peer group must be
certificates added by using the config user peer CLI command.
You can also add peer certificates using the web-based manager.
For more information, see PKI authentication on page 431.
Advanced
398
VPN IPSEC
Auto Key
Add
Delete
Enable IPSec
Interface Mode
IPv6 Version
Select if you want to use IPv6 addresses for the remote gateway and
interface IP addresses. This is available only when Enable IPSec
Interface Mode is enabled.
Local Gateway IP
399
Auto Key
VPN IPSEC
400
DH Group
Keylife
Type the time (in seconds) that must pass before the IKE encryption
key expires. When the key expires, a new key is generated without
interrupting service. The keylife can be from 120 to 172800 seconds.
Local ID
If the FortiGate unit will act as a VPN client and you are using peer
IDs for authentication purposes, enter the identifier that the FortiGate
unit will supply to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client and you are using security
certificates for authentication, select the distinguished name (DN) of
the local server certificate that the FortiGate unit will use for
authentication purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel
with other dialup clients (that is, the tunnel will be dedicated to this
FortiGate dialup client), set Mode to Aggressive.
XAuth
Nat-traversal
Select the check box if a NAT device exists between the local
FortiGate unit and the VPN peer or client. The local FortiGate unit
and the VPN peer or client must have the same NAT traversal setting
(both selected or both cleared) to connect reliably.
VPN IPSEC
Auto Key
Keepalive
Frequency
Dead Peer
Detection
Name
Phase 1
Advanced
401
Auto Key
VPN IPSEC
You can use a number of additional advanced phase 2 settings to enhance the
operation of the tunnel. To modify IPSec phase 2 advanced parameters, go to
VPN > IPSEC Auto Key (IKE), select Create Phase 2, and then select Advanced.
For information about how to choose the correct advanced phase 2 settings for
your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 239:Phase 2 advanced settings
Add
Delete
P2 Proposal
Encryption
Authentication
402
VPN IPSEC
Auto Key
Enable replay
detection
Enable perfect
forward secrecy
(PFS)
DH Group
Select one Diffie-Hellman group (1, 2, or 5). This must match the
DH Group that the remote peer or dialup client uses.
Keylife
Select the method for determining when the phase 2 key expires:
Seconds, KBytes, or Both. If you select Both, the key expires when
either the time has passed or the number of KB have been
processed. The range is from 120 to 172800 seconds, or from
5120 to 2147483648 KB.
Autokey Keep Alive Select the check box if you want the tunnel to remain active when
no data is being processed.
DHCP-IPSec
Note: You can configure settings so that VPN users can browse the Internet through the
FortiGate unit. For more information, see Internet browsing configuration on page 407.
Quick Mode
Selector
Source port
Type the port number that the local VPN peer uses to
transport traffic related to the specified service
(protocol number). The range is from 0 to 65535. To
specify all ports, type 0.
403
Manual Key
VPN IPSEC
Destination
address
Destination port
Type the port number that the remote VPN peer uses
to transport traffic related to the specified service
(protocol number). The range is from 0 to 65535. To
specify all ports, type 0.
Protocol
Manual Key
If required, you can manually define cryptographic keys for establishing an IPSec
VPN tunnel. You would define manual keys in situations where:
You require prior knowledge of the encryption or authentication key (that is,
one of the VPN peers requires a specific IPSec encryption or authentication
key).
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you
define manual keys by going to VPN > IPSEC > Manual Key instead.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in
keeping keys confidential and in propagating changed keys to remote VPN peers in a
secure manner.
For general information about how to configure an IPSec VPN, see the FortiGate
IPSec VPN User Guide.
Figure 240:Manual Key list
Delete
Edit
404
Create New
Tunnel Name
Remote Gateway
Encryption
Algorithm
Authentication
Algorithm
VPN IPSEC
Manual Key
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases
for your particular installation, do not attempt the following procedure without qualified
assistance.
To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key
and select Create New.
Figure 241:New Manual Key
Name
Type a name for the VPN tunnel. The maximum name length is 15
characters for an interface mode VPN, 35 characters for a policybased VPN.
Local SPI
Remote SPI
Remote Gateway
Type the IP address of the public interface to the remote peer. The
address identifies the recipient of ESP datagrams.
405
Manual Key
VPN IPSEC
Local Interface
Encryption
Algorithm
Authentication
Algorithm
If you selected:
DES, type a 16-character hexadecimal number (0-9, a-f).
If you selected:
MD5, type a 32-character hexadecimal number (0-9, a-f)
separated into two segments of 16 characters.
IPSec Interface
Mode
406
Create a virtual interface for the local end of the VPN tunnel. Select
this check box to create a route-based VPN, clear it to create a policybased VPN.
This is available only in NAT/Route mode.
VPN IPSEC
Select All.
Destination Interface/Zone
Action
Select IPSEC.
VPN Tunnel
Inbound NAT
Select OK.
To configure a route-based VPN Internet browsing configuration
Select All.
Destination Interface/Zone
Select All.
Action
Select ACCEPT.
NAT
Select OK.
Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of
remote peers radiate from a single, central FortiGate unit. Site-to-site connections
between the remote peers do not exist; however, You can establish VPN tunnels
between any two of the remote peers through the FortiGate unit hub.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that
connect to the hub are known as spokes. The hub functions as a concentrator
on the network, managing all VPN connections between the spokes. VPN traffic
passes from one tunnel to the other through the hub.
You define a concentrator to include spokes in the hub-and-spoke configuration.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
407
Concentrator
VPN IPSEC
Delete
Edit
Create New
Right Arrow
Left Arrow
408
Available Tunnels
A list of defined IPSec VPN tunnels. Select a tunnel from the list and
then select the right arrow. Repeat these steps until all of the tunnels
associated with the spokes are included in the concentrator.
Members
VPN IPSEC
Monitor
Monitor
You can use the monitor to view activity on IPSec VPN tunnels and start or stop
those tunnels. The display provides a list of addresses, proxy IDs, and timeout
information for all active tunnels, including tunnel mode and route-based
(interface mode) tunnels.
You can use filters control the information displayed in the list. For more
information, see Adding filters to web-based manager lists on page 58.
To view active tunnels, go to VPN > IPSEC > Monitor.
Figure 244:Monitor list
Current Page
Type
Clear All Filters
Current Page
Name
Remote Gateway
Remote Port
Proxy ID Source
Proxy ID
Destination
For Dialup VPNs, the list provides status information about the VPN tunnels
established by dialup clients, including their IP addresses. The number of tunnels
shown in the list can change as dialup clients connect and disconnect.
For Static IP or dynamic DNS VPNs, the list provides status and IP addressing
information about VPN tunnels, active or not, to remote peers that have static IP
addresses or domain names. You can also start and stop individual tunnels from
the list.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
409
Monitor
410
VPN IPSEC
VPN PPTP
PPTP Range
VPN PPTP
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers.
Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit
that has been configured to act as a PPTP server. As an alternative, you can
configure the FortiGate unit to forward PPTP packets to a PPTP server on the
network behind the FortiGate unit.
PPTP VPN is available only in NAT/Route mode. The current maximum number of
PPTP sessions is 254.
This section explains how to use the web-based manager to specify a range of IP
addresses for PPTP clients. For information about how to perform other related
PPTP VPN setup tasks, see the FortiGate PPTP VPN User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN PPTP is
configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
PPTP Range
The PPTP address range is the range of addresses reserved for remote PPTP
clients. When the remote PPTP client establishes a connection, the FortiGate unit
assigns an IP address from a reserved range of IP addresses to the client PPTP
interface. The PPTP client uses the assigned IP address as its source address for
the duration of the connection.
To enable PPTP and specify the PPTP address range, go to VPN > PPTP >
PPTP Range, select the required options, and then select Apply.
Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet,
e.g. 192.168.1.1 - 192.168.1.254.
Figure 245:Edit PPTP range
Enable PPTP
Select to enable PPTP. You must add a user group before you can
select the option. See User groups on page 435.
Starting IP
Ending IP
User Group
Select the name of the PPTP user group that you defined.
Disable PPTP
411
PPTP Range
412
VPN PPTP
VPN SSL
VPN SSL
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that
can be used with a standard Web browser. SSL VPN does not require the
installation of specialized client software on end users computers, and is ideal for
applications including web-based email, business and government directories, file
sharing, remote backup, remote system management, and consumer-level
electronic commerce.
The two modes of SSL VPN operation (supported in NAT/Route mode only) are:
web-only mode, for thin remote clients equipped with a web-browser only.
tunnel mode, for remote computers that run a variety of client and server
applications.
When the FortiGate unit provides services in web-only mode, a secure connection
between the remote client and the FortiGate unit is established through the SSL
VPN security in the FortiGate unit and the SSL security in the web browser. After
the connection has been established, the FortiGate unit provides access to
selected services and network resources through a web portal.
When users have complete administrative rights over their computers and use a
variety of applications, tunnel mode allows remote clients to access the local
internal network as if they were connected to the network directly.
This section provides information about the features of SSL VPN available for
configuration in the web-based manager. Only FortiGate units that run in
NAT/Route mode support the SSL VPN feature.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN SSL is
configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
Note: For detailed instructions about how to configure web-only mode or tunnel-mode
operation, see the FortiGate SSL VPN User Guide.
413
ssl.root
VPN SSL
ssl.root
The FortiGate unit has a virtual SSL VPN interface called ssl.<vdom_name>. The
root VDOM, called ssl.root, appears in the firewall policy interface lists and static
route interface lists. You can use the ssl-root interface to allow access to
additional networks and facilitate a connected users ability to browse the Internet
through the FortiGate unit.
The SSL VPN tunnel-mode access requires the following firewall policies:
External > Internal, with the action set to SSL, with an SSL user group
Access also requires a new static route: Destination network - <ssl tunnel mode
assigned range> interface ssl.root.
If you are configuring Internet access through an SSL VPN tunnel, you must add
the following configuration: ssl.root > External, with the action set to Accept, NAT
enabled.
To enable and configure SSL VPN, go to VPN > SSL > Config.
Figure 246:SSL-VPN Settings
414
VPN SSL
Tunnel IP Range
Specify the range of IP addresses reserved for tunnelmode SSL VPN clients. Type the starting and ending
address that defines the range of reserved IP
addresses.
Server Certificate
Default - RC4(128
bits) and higher
High - AES(128/256
bits) and 3DES
Idle Timeout
Portal Message
WINS Server #1
WINS Server #2
Apply
415
VPN SSL
Delete
No.
User
Source IP
Begin Time
Description
Action
416
VPN SSL
Edit
Bookmark Name The types and names of links to remote server applications and
network services.
Link
Bookmark Name Type the text to display in the hyperlink. The name is displayed in the
Bookmarks list.
417
VPN SSL
Application Type Select the abbreviated name of the server application or network
service from the drop-down list:
Web
Telnet
FTP
SMB/CIFS
VNC
RDP
SSH
URL/Host/Folder Type the information that the FortiGate unit needs to forward client
requests to the correct server application or network service:
If the application type is Web, type the URL of the web server (for
example, www.example.com).
If the application type is FTP, type the IP address of the FTP host
as a root directory/folder (for example, //server/folder/).
If the application type is VNC, type the IP address of the VNC host
(for example, 10.10.10.10).
If the application type is RDP, type the IP address of the RDP host
(for example, 10.10.10.10).
If the application type is SSH, type the IP address of the SSH host
(for example, 10.10.10.10).
Edit
Group Name
Bookmarks
418
VPN SSL
Right Arrow
Left Arrow
Name
Type the name of the bookmark group. The name will be displayed in
the Bookmark Group list.
Available
Bookmarks
Used Bookmarks The list of bookmarks that belong to the bookmark group.
Right Arrow
Left Arrow
Create New
419
420
VPN SSL
User Authentication
User Authentication
This section explains how to set up user accounts, user groups, and external
authentication servers. You can use these components of user authentication to
control access to network resources.
If you enable virtual domains (VDOMs) on the FortiGate unit, user authentication
is configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
Remote authentication
RADIUS servers
LDAP servers
TACACS+ servers
PKI authentication
User groups
Authentication settings
Configure local user accounts. For each user, you can choose whether the
password is verified by the FortiGate unit, by a RADIUS server, by an LDAP
server, or by a TACACS+ server. See Local user accounts on page 422.
Configure access to the FortiGate unit if you use a Directory Service server for
authentication. See Configuring a Directory Service server on page 434.
You can configure your FortiGate unit to authenticate system administrators with
your FortiGate unit, using RADIUS, LDAP and TACACS+ servers and with
certificate-based authentication using PKI. See System Administrators on
page 195. You can change the authentication timeout value or select the protocol
supported for Firewall authentication. See Authentication settings on page 445.
421
User Authentication
For each network resource that requires authentication, you specify which user
groups are permitted access to the network. There are three types of user groups:
Firewall, Directory Service, and SSL VPN. See Firewall user groups on
page 436, Directory Service user groups on page 437, and SSL VPN user
groups on page 437.
Delete
Edit
Create New
User Name
Type
The authentication type to use for this user. The authentication types
are Local (user and password stored on FortiGate unit), LDAP,
RADIUS, and TACACS+ (user and password matches a user account
stored on the authentication server).
Delete icon
Edit icon
Note: Deleting the user name deletes the authentication configured for the user.
422
User Authentication
Remote authentication
User Name
Disable
Password
LDAP
RADIUS
TACACS+
Remote authentication
Remote authentication is generally used to ensure that employees working offsite
can remotely access their corporate network with appropriate security measures
in place. In general terms, authentication is the process of attempting to verify the
(digital) identity of the sender of a communication such as a login request. The
sender may be someone using a computer, the computer itself, or a computer
program. Since a computer system should be used only by those who are
authorized to do so, there must be a measure in place to detect and exclude any
unauthorized access.
423
RADIUS servers
User Authentication
On a FortiGate unit, you can control access to network resources by defining lists
of authorized users, called user groups. To use a particular resource, such as a
network or VPN tunnel, the user must:
correctly enter a user name and password to prove his or her identity, if asked
to do so.
RADIUS servers
Remote Authentication and Dial-in User Service (RADIUS) servers provide
authentication, authorization, and accounting functions. FortiGate units use the
authentication function of the RADIUS server.To use the RADIUS server for
authentication, you must configure the server before you configure the FortiGate
users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate
using a RADIUS server, the FortiGate unit sends the users credentials to the
RADIUS server for authentication. If the RADIUS server can authenticate the
user, the user is successfully authenticated with the FortiGate unit. If the RADIUS
server cannot authenticate the user, the FortiGate unit refuses the connection.
You can override the default authentication scheme by selecting a specific
authentication protocol or changing the default port for RADIUS traffic.
Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645,
use the CLI to change the default RADIUS port. For more information, see the config
system global command in the FortiGate CLI Reference.
To view the list of RADIUS servers, go to User > Remote > RADIUS.
Figure 254:Example RADIUS server list
Delete
Edit
Create New
Name
The name that identifies the RADIUS server on the FortiGate unit.
424
Delete icon
Edit icon
User Authentication
RADIUS servers
If you have not selected a protocol, the default protocol configuration uses PAP,
MS-CHAPv2, and CHAP, in that order.
To add a new RADIUS server, go to User > Remote > RADIUS and select Create
New.
Figure 255:RADIUS server configuration
Name
Secondary Server Name/IP Enter the domain name or IP address of the secondary
RADIUS server, if you have one.
425
LDAP servers
User Authentication
Authentication Scheme
Include in every User Group Select to have the RADIUS server automatically included in
all user groups.
LDAP servers
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to
maintain authentication data that may include departments, people, groups of
people, passwords, email addresses, and printers. An LDAP consists of a datarepresentation scheme, a set of defined operations, and a request/response
network.
If you have configured LDAP support and require a user to authenticate using an
LDAP server, the FortiGate unit contacts the LDAP server for authentication. To
authenticate with the FortiGate unit, the user enters a user name and password.
The FortiGate unit sends this user name and password to the LDAP server. If the
LDAP server can authenticate the user, the FortiGate unit successfully
authenticates the user. If the LDAP server cannot authenticate the user, the
FortiGate unit refuses the connection.
The FortiGate unit supports LDAP protocol functionality defined in
RFC 2251: Lightweight Directory Access Protocol v3, for looking up and validating
user names and passwords. FortiGate LDAP supports all LDAP servers compliant
with LDAP v3. In addition, FortiGate LDAP supports LDAP over SSL/TLS. To
configure SSL/TLS authentication, refer to the FortiGate CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as
notification of password expiration, that is available from some LDAP servers. Nor
does the FortiGate LDAP supply information to the user about why authentication
failed.
To view the list of LDAP servers, go to User > Remote > LDAP.
Figure 256:Example LDAP server list
Delete
Edit
426
User Authentication
LDAP servers
Create New
Name
The name that identifies the LDAP server on the FortiGate unit.
Common Name The common name identifier for the LDAP server. Most LDAP servers
use cn. However, some servers use other common name identifiers
Identifier
such as uid.
Distinguished
Name
Delete icon
Edit icon
You can use simple authentication if the user records all fall under one dn. If the
users are under more than one dn, use the anonymous or regular type, which can
search the entire LDAP database for the required user name.
If your LDAP server requires authentication to perform searches, use the regular
type and provide values for user name and password.
427
LDAP servers
User Authentication
To add an LDAP server, go to User > Remote > LDAP and select Create New.
Enter the information below and select OK.
Figure 257:LDAP server configuration
Query
Name
Enter the name that identifies the LDAP server on the FortiGate
unit.
Server Name/IP
Server Port
Enter the TCP port used to communicate with the LDAP server.
By default, LDAP uses port 389.
If you use a secure LDAP server, the default port changes when
you select Secure Connection.
Common Name
Identifier
Enter the common name identifier for the LDAP server. The
maximum number of characters is 20.
Distinguished Name
Enter the base distinguished name for the server using the
correct X.500 or LDAP format. The FortiGate unit passes this
distinguished name unchanged to the server. The maximum
number of characters is 512.
Query icon
View the LDAP server Distinguished Name Query tree for the
LDAP server that you are configuring so that you can crossreference to the Distinguished Name.
For more information, see Using Query.
Bind Type
Filter
428
Regular
Anonymous
Simple
User Authentication
TACACS+ servers
User DN
Password
Secure Connection
Protocol
Certificate
Using Query
The LDAP Distinguished Name Query list displays the LDAP Server IP address,
and all the distinguished names associated with the Common Name Identifier for
the LDAP server. The tree helps you to determine the appropriate entry for the DN
field. To see the distinguished name associated with the Common Name identifier,
select the Expand Arrow beside the CN identifier and then select the DN from the
list. The DN you select is displayed in the Distinguished Name field. Select OK to
save your selection in the Distinguished Name field of the LDAP Server
configuration.
To see the users within the LDAP Server user group for the selected
Distinguished Name, select the Expand arrow beside the Distinguished Name in
the LDAP Distinguished Name Query tree.
Figure 258:Example LDAP server Distinguished Name Query tree
TACACS+ servers
In recent years, remote network access has shifted from terminal access to LAN
access. Users connect to their corporate network (using notebooks or home PCs)
with computers that use complete network connections and have the same level
of access to the corporate network resources as if they were physically in the
office. These connections are made through a remote access server. As remote
access technology has evolved, the need for network access security has
become increasingly important.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
429
TACACS+ servers
User Authentication
Delete
Edit
Create New
Server
Authentication Type
Delete icon
Edit icon
ASCII
Machine-independent technique that uses representations of English
characters. Requires user to type a user name and password that are sent in
clear text (unencrypted) and matched with an entry in the user database stored
in ASCII format.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that
order.
To add a new TACACS+ server, go to User > Remote > TACACS+ and select
Create New.
430
User Authentication
PKI authentication
Name
Server Name/IP
Server Key
Authentication Type
PKI authentication
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication
library that takes a list of peers, peer groups, and/or user groups and returns
authentication successful or denied notifications. Users only need a valid
certificate for successful authenticationno user name or password are
necessary. Firewall and SSL VPN are the only user groups that can use PKI
authentication.
For more information about certificate authentication, see the FortiGate Certificate
Management User Guide. For information about the detailed PKI configuration
settings available only through the CLI, see the FortiGate CLI Reference.
To view the list of PKI users, go to User > PKI.
Figure 261:Example PKI User list
Delete
Edit
431
PKI authentication
User Authentication
Name
Subject
The text string that appears in the subject field of the certificate of
the authenticating user.
CA
Delete icon
Edit icon
the text from the subject field of the certificate of the authenticating peer user,
or the CA certificate used to authenticate the peer user.
You can add or modify other configuration settings for PKI authentication. For
information about them, see the FortiGate CLI Reference.
Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a
value for either subject or ca. If you do not do so, and then open the user record in the webbased manager, you will be prompted to enter a subject or ca value before you can
continue.
To create a peer user for PKI authentication, go to User > PKI and select Create
New.
Figure 262:PKI user
Name
Subject
Enter the text string that appears in the subject field of the
certificate of the authenticating user. This field is optional.
CA
Note: You must enter a value for at least one of Subject or CA.
432
User Authentication
You can configure peer user groups only through the CLI. For more information,
see the FortiGate CLI Reference.
The domain controller (DC) agent must be installed on every domain controller
to monitor user logins and send information about them to the collector agent.
The collector agent must be installed on at least one domain controller to send
the information received from the DC agents to the FortiGate unit.
The FortiGate unit uses this information to maintain a copy of the domain
controller user group database. Because the domain controller authenticates
users, the FortiGate unit does not perform authentication. It recognizes group
members by their IP address.
You must install the Fortinet Server Authentication Extensions (FSAE) on the
network and configure the FortiGate unit to retrieve information from the Directory
Service server. For more information about FSAE, see the FSAE Technical Note.
433
User Authentication
To view the list of Directory Service servers, go to User > Directory Service.
Figure 263:Example Directory Service server list
Delete
Edit User/Group
Edit
Add User/Group
Create New
Name
Domain
Groups
FSAE Collector IP
Delete icon
Edit icon
Add User/Group
Add a user or group to the list. You must know the distinguished
name for the user or group.
Edit Users/Group
434
User Authentication
User groups
To add a new Directory Service server, go to User > Directory Service and select
Create New. You can enter information for up to five collector agents.
Figure 264:Directory Service server configuration
Name
Enter the name of the Directory Service server. This name appears in
the list of Directory Service servers when you create user groups.
FSAE Collector Enter the IP address or name of the Directory Service server where
this collector agent is installed. The maximum number of characters is
IP/Name
63.
Port
Enter the TCP port used for Directory Service. This must be the same
as the FortiGate listening port specified in the FSAE collector agent
configuration.
Password
Enter the password for the collector agent. This is required only if you
configured your FSAE collector agent to require authenticated access.
LDAP Server
Select the check box and select an LDAP server to access the
Directory Service.
User groups
A user group is a list of user identities. An identity can be:
a local user account (user name and password) stored on the FortiGate unit
Each user group belongs to one of three types: Firewall, Directory Service or
SSL VPN. For information about each type, see Firewall user groups on
page 436, Directory Service user groups on page 437, and SSL VPN user
groups on page 437. For information on configuring each type of user group, see
Configuring a user group on page 438.
In most cases, the FortiGate unit authenticates users by requesting each user
name and password. The FortiGate unit checks local user accounts first. If the unit
does not find a match, it checks the RADIUS, LDAP, or TACACS+ servers that
belong to the user group. Authentication succeeds when the FortiGate unit finds a
matching user name and password.
435
User groups
User Authentication
For a Directory Service user group, the Directory Service server authenticates users
when they log in to the network. The FortiGate unit receives the users name and
IP address from the FSAE collector agent. For more information about FSAE, see
the FSAE Technical Note.
You can configure user groups to provide authenticated access to:
For more information, see Creating a new phase 1 configuration on page 396.
For information about configuring a Firewall user group, see Configuring a user
group on page 438.
436
User Authentication
User groups
You can also use a firewall user group to provide override privileges for
FortiGuard web filtering. For more information, see Configuring FortiGuard
override options for a user group (Firewall or Directory Service) on page 441. For
detailed information about FortiGuard Web Filter, including the override feature,
see FortiGuard - Web Filter on page 491.
A Directory Service user group provides access to a firewall policy that requires
Directory Service type authentication and lists the user group as one of the
allowed groups. The members of the user group are Directory Service users or
groups that you select from a list that the FortiGate unit receives from the
Directory Service servers that you have configured. See Directory Service
servers on page 433.
Note: A Directory Service user group cannot have SSL VPN access.
You can also use a Directory Service user group to provide override privileges for
FortiGuard web filtering. For more information, see Configuring FortiGuard
override options for a user group (Firewall or Directory Service) on page 441. For
detailed information about FortiGuard Web Filter, including the override feature,
see FortiGuard - Web Filter on page 491.
For information on configuring user groups, see Configuring a user group on
page 438.
437
User groups
User Authentication
Note: A user group cannot be an IPSec dialup group if any member is authenticated using
a RADIUS or LDAP server.
Expand Arrow
Create New
Group Name
The name of the user group. User group names are listed by type of
user group: Firewall, Directory Service and SSL VPN. For more
information, see Firewall user groups on page 436, Directory
Service user groups on page 437, and SSL VPN user groups on
page 437.
Members
Protection Profile The protection profile associated with this user group.
Delete icon
Edit icon
Note: If you try to add LDAP servers or local users to a group configured for administrator
authentication, an Entry not found error occurs.
438
User Authentication
User groups
Left Arrow
Expand Arrow
Figure 267:User group configuration - Directory Service
Right Arrow
Expand Arrow
Left Arrow
439
User groups
User Authentication
Left Arrow
Expand Arrow
440
Name
Type
Directory Service
SSL VPN
Protection Profile
Available
Users/Groups or
Available Members*
Members
FortiGuard Web
Filtering Override
User Authentication
User groups
Expand Arrow
Allow to create
FortiGuard Web
Filtering overrides
Override Scope
The override can apply to just the user who requested the override,
or include others. Select one of the following from the list:
User
User Group
IP
Profile
Ask
441
User groups
User Authentication
Override Type
Off-site URLs
Override Time
Protection Profiles
Available
Domain
Categories
Ask
Select one of the following from the list to set permissions for users
linking to sites off the blocked site:
Allow
Deny
Ask
Ask
One protection profile can have several user groups with override
permissions. Verification of the user group occurs once the user
name and password are entered. The overrides can still be enabled
or not enabled on a profile-wide basis regardless of the user groups
that have permissions to override the profile.
Permission Granted The list of defined protection profiles applied to user groups that
have override privileges.
For
442
User Authentication
User groups
Expand Arrow
Allow Split Tunneling Select to allow split tunneling for this group. Split tunneling
ensures that only the traffic for the private network is sent to
the SSL VPN gateway. Internet traffic is sent through the
usual unencrypted route. Not selected as default.
Restrict tunnel IP
range for this group
Type the starting and ending IP address range for this group
if you want to override a previously defined Tunnel IP range.
For more information, see the FortiGate SSL VPN User
Guide.
Select the check box to enable the web portal to provide
access to web applications and then select each of the
applications that users in this group are permitted to access.
Host Check
Check FortiClient AV Select to allow the client to connect only if it is running
Installed and Running FortiClient with virus scanning enabled. For more
information about this software, see the Fortinet Technical
Documentation web site.
Check FortiClient FW Select to allow the client to connect only if it is running
Installed and Running FortiClient Host Security FW software. For more information
about this software, see the Fortinet Technical
Documentation web site.
Check for Third Party Select to allow the client to connect only if it running
FortiClient with firewall enabled. For information about
AV Software
supported products for Windows XP SP2, see Table 39 on
page 444. For all other Microsoft Windows versions, Norton
(Symantec) AntiVirus or McAfee VirusScan software is
supported.
443
User groups
User Authentication
Check for Third Party Select to allow the client to connect only if it has supported
firewall software installed. The software must be installed
Firewall Software
and enabled (running).
See Table 39 on page 444 for supported products for
Windows XP SP2. For all other Microsoft Windows versions,
Norton (Symantec) AntiVirus or McAfee VirusScan software
is supported.
Require Virtual
Desktop Connection
Bookmarks
Select to allow the SSL VPN user group to use the preconfigured bookmark group that you select from the list. For
more information, see the FortiGate SSL VPN User Guide.
Redirect URL
Customize portal message Type or edit a custom web portal home page caption for this
group.
for this group
444
AV
Firewall
McAfee
Sophos Anti-Virus
F-Secure
Secure Resolutions
AhnLab
Kaspersky
ZoneAlarm
User Authentication
Authentication settings
Authentication settings
You can define settings for user authentication, including authentication timeout,
supported protocols, and authentication certificates.
Authentication timeout controls how long an authenticated firewall connection can
be idle before the user must authenticate again.
When user authentication is enabled on a firewall policy, the authentication
challenge is normally issued for any of the four protocols (depending on the
connection protocol):
HTTPS
FTP
Telnet.
The selections made in the Protocol Support list of the Authentication Settings
screen control which protocols support the authentication challenge. Users must
connect with a supported protocol first so they can subsequently connect with
other protocols. If HTTPS is selected as a method of protocol support, it allows the
user to authenticate with a customized Local certificate.
When you enable user authentication on a firewall policy, the firewall policy user
will be challenged to authenticate. For user ID and password authentication, users
must provide their user names and passwords. For certificate authentication
(HTTPS or HTTP redirected to HTTPS only), you can install customized
certificates on the FortiGate unit and the users can also have customized
certificates installed on their browsers. Otherwise, users will see a warning
message and have to accept a default FortiGate certificate.
Note: When you use certificate authentication, if you do not specify any certificate when
you create the firewall policy, the global settings will be used. If you specify a certificate, the
per-policy setting will overwrite the global setting. For information about how to use
certificate authentication, see FortiGate Certificate Management User Guide.
Authentication Timeout
Protocol Support
445
Authentication settings
446
User Authentication
Certificate
Apply
AntiVirus
Order of operations
AntiVirus
This section describes how to configure the antivirus options associated with
firewall protection profiles.
If you enable virtual domains (VDOMs) on the FortiGate unit, most antivirus
options are configured separately for each virtual domain. However, the
quarantine, the virus list and the grayware list are part of the global configuration.
Only administrators with global access can configure and manage the quarantine,
view the virus list, and configure the grayware list. For details, see Using virtual
domains on page 95.
This section describes:
Order of operations
Antivirus tasks
File Filter
Quarantine
Order of operations
Antivirus scanning function includes various modules and engines that perform
separate tasks. The FortiGate unit performs antivirus processing in the following
order:
File size
File filter
Virus scan
Grayware
Heuristics
If a file fails any of the tasks of the antivirus scan, no further scans are performed.
For example, if the file fakefile.EXE is recognized as a blocked pattern, the
FortiGate unit will send the end user a replacement message and the file will be
deleted or quarantined. The virus scan, grayware, heuristics, and file type scans
will not be performed as the file is already been determined to be a threat and has
been dealt with.
Note: File filter includes file pattern and file type scans which are applied at different stages
in the antivirus process.
447
Antivirus tasks
AntiVirus
Pass
FTP/NNTTP/SMTP/POP3/IMAP
after Web Filter spam checking
Oversize:
Size bigger
than threshold?
Buffered
contents
File Pattern:
Blocked file?
Virus Scan:
Infected?
Block
Grayware?
File Type:
Blocked file type?
Heuristic scan
(enable through
CLI)
Content
Inspection
Pass
Antivirus tasks
The antivirus tasks work in sequence to efficiently scan incoming files and offer
your network unparalleled antivirus protection. The first four tasks have specific
functions, the fourth, the heuristics, is to cover any new, previously unknown, virus
threats. To ensure that your system is providing the most protection available, all
virus definitions and signatures are updated regularly through the FortiGuard
antivirus services. The tasks will be discussed in the order that they are applied
followed by FortiGuard antivirus.
File size
This task checks if files and email messages exceed configured thresholds. It is
enabled by setting the Oversized File/Email option under Firewall > Protection
Profile > Antivirus to Pass.
For more information, see Anti-Virus options on page 367.
File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter.
The FortiGate unit will check the file against the file pattern setting you have
configured. If the file is a blocked pattern, .EXE for example, then it is stopped
and a replacement message is sent to the end user. No other levels of protections
are applied. If the file is not a blocked pattern the next level of protection is
applied.
Virus scan
If the file passes the file pattern scan, it will have a virus scan applied to it. The
virus definitions are keep up to date through the FortiNet Distribution Network.
The list is updated on a regular basis so you do not have to wait for a firmware
upgrade. For more information on updating virus definitions, see FortiGuard
antivirus on page 449.
448
AntiVirus
Grayware
Once past the virus scan, the incoming file will be checked for grayware.
Grayware configurations can be turned on and off as required and are kept up to
date in the same manner as the antivirus definitions. For more information on
configuring grayware please see Viewing and configuring the grayware list on
page 459.
Heuristics
After an incoming file has passed the grayware scan, it is subjected to the
heuristics scan. The FortiGate heuristic antivirus engine, if enabled, performs
tests on the file to detect virus-like behavior or known virus indicators. In this way,
heuristic scanning may detect new viruses, but may also produce some false
positive results.
Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.
File type
Once a file passes the heuristic scan, the FortiGate unit applies the file type
recognition filter. The FortiGate unit will check the file against the file type setting
you have configured. If the file is a blocked type, then it is stopped and a
replacement message is sent to the end user. No other levels of protections are
applied. If the file is not a blocked type, the next level of protection is applied.
FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic
updates of virus and IPS (attack) engines and definitions, as well as the local
spam DNSBL, through the FortiGuard Distribution Network (FDN). The
FortiGuard Center also provides the FortiGuard antivirus virus and attack
encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for
details and a link to the FortiGuard Center.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard Center. See Configuring the FortiGate
unit for FDN and FortiGuard subscription services on page 243 for more
information.
449
File Filter
AntiVirus
Antivirus setting
Virus Scan
File Filter
Quarantine
File Filter
Configure the FortiGate file filter to block files by:
File pattern: Files can be blocked by name, extension, or any other pattern.
File pattern blocking provides the flexibility to block potentially harmful content.
File pattern entries are not case sensitive. For example, adding *.exe to the
file pattern list also blocks any files ending in .EXE.
In addition to the built-in patterns, you can specify more file patterns to block.
For details, see Configuring the file filter list on page 454.
450
AntiVirus
File Filter
File type: In addition to file pattern (file name) checking, you can also configure
the FortiGate unit to analyze the file and determine the file type of the files,
regardless of the file name. For details about supported file types, see Built-in
patterns and supported file types on page 451.
For standard operation, you can choose to disable File Filter in the Protection
Profile, and enable it temporarily to block specific threats as they occur.
The FortiGate unit can take any of the following three actions towards the files that
match a configured file pattern or type:
Block: the file will be blocked and a replacement messages will be sent to the
user. If both File Filter and Virus Scan are enabled, the FortiGate unit blocks
files that match enabled file filter and does not scan these files for viruses.
The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.
Files are compared to the enabled file patterns and then the file types from top to
bottom. If a file does not match any specified patterns or types, it is passed along
to antivirus scanning (if enabled). In effect, files are passed if not explicitly
blocked.
Using the allow action, this behavior can be reversed with all files being blocked
unless explicitly passed. Simply enter all the file patterns or types to be passed
with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with
a block action. Allowed files continue to antivirus scanning (if enabled) while files
not matching any allowed patterns are blocked by the wildcard at the end.
451
File Filter
AntiVirus
The FortiGate unit can take actions against the following file types:
Table 41: Supported file types
exe
bat
mime
javascript
html
hta
msoffice elf
gzip
rar
tar
lzh
upx
zip
cab
bzip2
bzip
activemime hlp
arj
base64
binhex
uue
fsg
aspack
jad
cod
msc
petite
sis
prc
class
unknown ignored
Note: The unknown type is any file type that is not listed in the table. The ignored type is
the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio
and video.
Create New
Select Create New to add a new file filter list to the catalog.
Name
# Entries
The number of file patterns or file types in each file filter list.
Profiles
The protection profiles each file filter list has been applied to.
Comments
Delete icon
Select to remove the file filter list from the catalog. The delete icon is
only available if the file filter list is not selected in any protection
profiles.
Edit icon
The file filter list will be used in protection profiles. For more information, see AntiVirus options on page 367.
452
AntiVirus
File Filter
Name
Comment
The file filter list has the following icons and features:
Name
File filter list name. To change the name, edit text in the name field
and select OK.
Comment
OK
Create New
Select Create New to add a new file pattern or type to the file filter list.
Filter
Action
Files matching the file patterns and types can be set to block, allow, or
intercept. For information about actions, see File Filter on page 450.
Enable
Delete icon
Edit icon
Move To icon
Select to move the file pattern or type to any position in the list.
453
Quarantine
AntiVirus
To add a file pattern or type go to AntiVirus > File Filter. Select the Edit icon for a
file filter catalog. Select Create New.
Filter Type
Select File Name Pattern if you want to add a file pattern; select
File Type and then select a file type from the supported file type
list.
Pattern
Enter the file pattern. The file pattern can be an exact file name or
can include wildcards. The file pattern can be 80 characters long.
File Type
Select a file type from the list. For information about supported file
types, see Built-in patterns and supported file types on
page 451.
Action
Select an action from the drop down list: Block, Allow, or Intercept.
For more information about actions, see File Filter on page 450.
Enable
Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. View
the file name and status information about the file in the quarantined file list.
Submit specific files and add file patterns to the AutoSubmit list so they will
automatically be uploaded to Fortinet for analysis.
FortiGate units without a local disk can quarantine blocked and infected files to a
FortiAnalyzer unit. Files stored on the FortiAnalyzer can be retrieved for viewing.
To configure the FortiAnalyzer unit, go to Log & Report > Log Config > Log
Setting.
File quarantine configuration involves several steps.
To configure and enable file quarantine
454
Go to AntiVirus > Quarantine > Config to configure the quarantine service and
destination. For details, see Configuring quarantine options on page 457.
AntiVirus
Quarantine
The quarantined files list has the following features and displays the following
information about each quarantined file:
Source
Sort by
Sort the list. Choose from: status, service, file name, date, TTL, or
duplicate count. Select Apply to complete the sort.
Filter
Apply
Delete
Page Controls
Use the controls to page through the list. For details, see Using page
controls on web-based manager lists on page 61.
Remove All
Entries
File Name
Date
The date and time the file was quarantined, in the format dd/mm/yyyy
hh:mm. This value indicates the time that the first file was quarantined
if the duplicate count increases.
455
Quarantine
AntiVirus
Service
The service from which the file was quarantined (HTTP, FTP, IMAP,
POP3, SMTP, IM, or NNTP).
Status
Status
Description
DC
Duplicate count. A count of how many duplicates of the same file were
quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL
Time to live in the format hh:mm. When the TTL elapses, the FortiGate
unit labels the file as EXP under the TTL heading. In the case of
duplicate files, each duplicate found refreshes the TTL.
The TTL information is not available if the files are quarantined on a
FortiAnalyzer unit.
Upload status
Download icon
Submit icon
Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL
value and the duplicate count are updated each time a duplicate of a file is found.
456
Create New
File Pattern
Delete icon
Edit icon
AntiVirus
Quarantine
File Pattern
Enable
Note: To enable automatic uploading of the configured file patterns, go to AntiVirus >
Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern.
457
AntiVirus
Age limit
The time limit in hours for which to keep files in quarantine. The age limit
is used to formulate the value in the TTL column of the quarantined files
list. When the limit is reached, the TTL column displays EXP. and the file
is deleted (although a record is maintained in the quarantined files list).
Entering an age limit of 0 (zero) means files are stored on disk
indefinitely, depending on low disk space action.
Max filesize to
quarantine
The maximum size of quarantined files in MB. Setting the maximum file
size too large may affect performance.
Low disk space Select the action to take when the local disk is full: overwrite the oldest
file or drop the newest file.
FortiAnalyzer
Enable
AutoSubmit
Apply
458
AntiVirus
459
AntiVirus
Enabling a grayware category blocks all files listed in the category. The categories
may change or expand when the FortiGate unit receives updates. You can choose
to enable the following grayware categories:
460
Adware
BHO
Block browser helper objects. BHOs are DLL files that are often
installed as part of a software package so the software can control
the behavior of Internet Explorer 4.x and later. Not all BHOs are
malicious, but the potential exists to track surfing habits and gather
other information.
Dial
Download
Game
Block games. Games are usually joke or nuisance games that you
may want to block from network users.
HackerTool
Hijacker
Joke
Keylog
Misc
NMT
P2P
AntiVirus
Plugin
RAT
Spy
Toolbar
461
AntiVirus
462
Intrusion Protection
Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly
detection and prevention with low latency and excellent reliability. With intrusion
Protection, you can create multiple IPS sensors, each containing a complete
configuration based on signatures. Then, you can apply any IPS sensor to each
protection profile. You can also create DoS sensors to examine traffic for
anomaly-based attacks.
This section describes how to configure the FortiGate Intrusion Protection
settings. For more information about Intrusion Protection, see the FortiGate
Intrusion Protection System (IPS) Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection
is configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
Signatures
Custom signatures
Protocol decoders
IPS sensors
DoS sensors
463
Intrusion Protection
Using Intrusion Protection, you can configure the FortiGate unit to check for and
automatically download updated attack definition files containing the latest
signatures, or download the updated attack definition file manually. Alternately,
you can configure the FortiGate unit to allow push updates of the latest attack
definition files as soon as they are available from the FortiGuard Distribution
Network.
You can also create custom attack signatures for the FortiGate unit to use in
addition to an extensive list of predefined attack signatures.
Whenever the Intrusion Protection system detects or prevents an attack, it
generates an attack log message. You can configure the FortiGate unit to add the
message to the attack log and send an alert email to administrators, as well as
schedule how often it should send this alert email. You can also reduce the
number of log messages and alerts by disabling signatures for attacks that will not
affect your network. For example, you do not need to enable signatures to detect
web attacks when there is no web server to protect.
You can also use the packet logging feature to analyze packets for forensics and
false positive detection.
For more information about FortiGate logging and alert email, see Log&Report
on page 525.
464
Intrusion Protection
Signatures
Signatures
The FortiGate Intrusion Protection system can use signatures once you have
grouped the required ones in an IPS sensor, and then selected the IPS sensor in
the protection profile. If required, you can override the default settings of the
signatures specified in an IPS sensor. The FortiGate unit provides a number of
pre-built IPS sensors, but you should check their settings before using them, to
ensure they meet your network requirements.
By using only the signatures you require, you can improve system performance
and reduce the number of log messages and alert email messages the IPS
sensor generates. For example, if the FortiGate unit is not protecting a web
server, do not include any web server signatures.
Note: Some default protection profiles include IPS Sensors that use all the available
signatures. By using these default settings, you may be slowing down the overall
performance of the FortiGate unit. By creating IPS sensors with only the signatures your
network requires, you can ensure maximum performance as well as maximum protection.
To view the predefined signature list, go to Intrusion Protection > Signature >
Predefined. You can also use filters to display the signatures you want to view.
For more information, see Using display filters on page 466.
Figure 283:Predefined signature list
Current page
Filter
By default, the signatures are sorted by name. To sort the table by another
column, select the header of the column to sort by.
Current Page
The current page number of list items that are displayed. Select the left
and right arrows to display the first, previous, next or last page of
signatures.
Column
Settings
465
Signatures
Intrusion Protection
Clear All Filters If you have applied filtering to the predefined signature list display, select
this option to clear all filters and display all the signatures.
Name
The name of the signature, linked to the FortiGuard Center web page
about the signature.
Severity
The severity rating of the signature. The severity levels, from lowest to
highest, are Information, Low, Medium, High, and Critical.
Target
Protocols
OS
Applications
Enable
The default status of the signature. A green circle indicates the signature
is enabled. A gray circle indicates the signature is not enabled.
Action
Drop prevents the traffic with detected signatures from reaching its
destination.
If Logging is enabled, the action appears in the status field of the log
message generated by the signature.
ID
Logging
Group
Packet Log
The default packet log status of the signature. A green circle indicates
that the packet log is enabled. A gray circle indicates that the packet log
is not enabled.
Revision
Note: To determine what effect IPS protection would have on your network traffic, you can
enable the required signatures, set the action to pass, and enable logging. Traffic will not be
interrupted, but you will be able to examine in detail which signatures were detected.
466
Select the filter icon beside any column name in the signature table.
In Edit Filters, specify the filtering criteria. The criteria will vary depending on the
column name.
Select OK.
Intrusion Protection
Custom signatures
Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate
Intrusion Protection system for diverse network environments. The FortiGate
predefined signatures represent common attacks. If you use an unusual or
specialized application or an uncommon platform, you can add custom signatures
based on the security alerts released by the application and platform vendors.
You can also create custom signatures to help you block P2P protocols.
After creation, you need to specify custom signatures in IPS sensors created to
scan traffic. For more information about creating IPS sensors, see Adding an IPS
sensor on page 470.
For more information about custom signatures, see the FortiGate Intrusion
Protection System (IPS) Guide.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
Edit
Delete
Create New
Name
Signature
Note: Custom signatures must be added to a signature override in an IPS filter to have any
effect. Creating a custom signature is a necessary step, but a custom signature does not
affect traffic simply by being created.
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
467
Protocol decoders
Intrusion Protection
Name
Signature
Enter the custom signature, using the appropriate syntax. For more
information, see Custom signature syntax in the FortiGate Intrusion
Protection System (IPS) Guide.
Protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify the
abnormal traffic patterns that do not meet the protocol requirements and
standards. For example, the HTTP decoder monitors traffic to identify any HTTP
packets that do not meet the HTTP protocol standards.
468
Protocols
Ports
Intrusion Protection
IPS sensors
IPS sensors
You can group signatures into IPS sensors for easy selection in protection
profiles. You can define signatures for specific types of traffic in separate IPS
sensors, and then select those sensors in profiles designed to handle that type of
traffic. For example, you can specify all of the web-server related signatures in an
IPS sensor, and the sensor can then be used by a protection profile in a policy
that controls all of the traffic to and from a web server protected by the FortiGate
unit.
The FortiGuard Service periodically updates the pre-defined signatures, with
signatures added to counter new threats. Because the signatures included in
filters are defined by specifying signature attributes, new signatures matching
existing filter specifications will automatically be included in those filters. For
example, if you have a filter that includes all signatures for the Windows operating
system, your filter will automatically incorporate new Windows signatures as they
are added.
Edit
Delete
Create New
Name
Comments
Five default IPS sensors are provided with the default configuration.
all_default
all_default_pass
469
IPS sensors
Intrusion Protection
protect_client
protect_email_server
protect_http_server
Name
Comment
470
Intrusion Protection
IPS sensors
To view an IPS sensor, go to Intrusion Protection > IPS Sensor and select the
Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three
parts: the sensor attributes, the filters, and the overrides.
Figure 289:Edit IPS sensor
Signature attributes
Insert
Edit
Move To
View Rules
Delete
The name of the IPS sensor. You can change it at any time.
Comments
OK
Add a new filter to the end of the filter list. For more information, see
Configuring filters on page 472.
Name
Signature
attributes
Target
Protocol
OS
Application
Enable
The status of the signatures included in the filter. The signatures can be
set to enabled, disabled, or default. The default setting uses the default
status of each individual signature as displayed in the signature list.
Logging
The logging status of the signatures included in the filter. Logging can
be set to enabled, disabled, or default. The default setting uses the
default status of each individual signature as displayed in the signature
list.
Action
The action of the signatures included in the filter. The action can be set
to pass all, block all, reset all, or default. The default setting uses the
action of each individual signature as displayed in the signature list.
Count
Delete icon
471
IPS sensors
Intrusion Protection
Edit icon
Insert icon
Move to icon
After selecting this icon, enter the destination position in the window
that appears, and select OK.
View Rules icon Open a window listing all of the signatures included in the filter.
Name
Enable
Logging
Action
The action set for the override. The action can be set to pass, block, or
reset.
Configuring filters
To configure a filter, go to Intrusion Protection > IPS Sensor. Select the Edit icon
of the IPS sensor containing the filter you want to edit. When the sensor window
opens, select the Edit icon of the filter you want to change, or select Add Filter to
create a new filter. Enter the information as described below and select OK.
Figure 290:Edit IPS Filter
Right Arrow
Left Arrow
472
Intrusion Protection
IPS sensors
Name
Severity
Select All, or select Specify and then one or more severity ratings.
Severity defines the relative importance of each signature. Signatures
rated critical detect the most dangerous attacks while those rated as
info pose a much smaller threat.
Target
Select All, or select Specify and then the type of systems targeted by the
attack. The choices are server or client.
OS
Select All, or Select Specify and then select one or more operating
systems that are vulnerable to the attack.
Signatures with an OS attribute of All affect all operating systems.
These signatures will be automatically included in any filter regardless
of whether a single, multiple, or all operating systems are specified.
Protocol
Select All, or select Specify to list what network protocols are used by
the attack. Use the Right Arrow to move the ones you want to include in
the filter from the Available to the Selected list, or the Left Arrow to
remove previously selected protocols from the filter.
Application
Enable
Select from the options to specify what the FortiGate unit will do with the
signatures included in the filter: enable all, disable all, or enable or
disable each according to the individual default values shown in the
signature list.
Logging
Select from the options to specify whether the FortiGate unit will create
log entries for the signatures included in the filter: enable all, disable all,
or enable or disable logging for each according to the individual default
values shown in the signature list.
Action
Select from the options to specify what the FortiGate unit will do with
traffic containing a signature match: pass all, block all, reset all, or block
or pass traffic according to the individual default values shown in the
signature list.
The signatures included in the filter are only those matching every attribute specified.
When created, a new filter has every attribute set to all which causes every signature
to be included in the filter. If the severity is changed to high, and the target is changed
to server, the filter includes only signatures checking for high priority attacks targeted
at servers.
To add an individual signature, not included in any filters, to an IPS sensor. This is
the only way to add custom signatures to IPS sensors.
When a pre-defined signature is specified in an override, the default status and action
attributes have no effect. These settings must be explicitly set when creating the
override.
473
IPS sensors
Intrusion Protection
Note: Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken.
Signature
Select the browse icon to view the list of available signatures. From this
list, select a signature the override will apply to and then select OK.
Enable
Action
Select one of Pass, Block or Reset. When the override is enabled, the
action determines what the FortiGate will do with traffic containing the
specified signature.
Logging
Packet Log
Select to save packets that trigger the override to the FortiGate hard
drive for later examination. This option is only valid on FortiGate units
with an internal hard drive.
Exempt IP:
Enter IP addresses to exclude from the override. The override will then
apply to all IP addresses except those defined as exempt. The exempt
IP addresses are defined in pairs, with a source and destination, and
traffic moving from the source to the destination is exempt from the
override.
Source
474
Intrusion Protection
DoS sensors
DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network
traffic that does not fit known or common traffic patterns and behavior. For
example, one type of flooding is the denial of service (DoS) attack that occurs
when an attacking system starts an abnormally large number of sessions with a
target system. The large number of sessions slows down or disables the target
system so legitimate users can no longer use it. This type of attack gives the DoS
sensor its name, although it is capable of detecting and protecting against a
number of anomaly attacks.
You can enable or disable logging for each traffic anomaly, and configure the
detection threshold and action to take when the detection threshold is exceeded.
You can create multiple DoS sensors. Each sensor consists of 12 anomaly types
that you can configure. Each sensor examines the network traffic in sequence,
from top to bottom. When a sensor detects an anomaly, it applies the configured
action. Multiple sensors allow great granularity in detecting anomalies because
each sensor can be configured to examine traffic from a specific address, to a
specific address, on a specific port, in any combination.
When arranging the DoS sensors, place the most specific sensors at the top and
the most general at the bottom. For example, a sensor with one protected address
table entry that includes all source addresses, all destination addresses, and all
ports will match all traffic. If this sensor is at the top of the list, no subsequent
sensors will ever execute.
The traffic anomaly detection list can be updated only when the FortiGate
firmware image is upgraded.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
must be configured separately in each VDOM. All sensors and custom signatures will
appear only in the VDOM in which they were created.
ID
A unique identifier for each DoS sensor. The ID does not indicate the
sequence in which the sensors examine network traffic.
Status
Name
Comments
475
DoS sensors
Intrusion Protection
Delete
Edit icon
Insert DoS Sensor Create a new DoS sensor before the current sensor.
before icon
Move To icon
Move the current DoS sensor to another position in the list. After
selecting this icon, enter the destination position in the window that
appears, and select OK.
To configure DoS sensors, go to Intrusion Protection > DoS Sensor. Select the
Edit icon of an existing DoS sensor, or select Create New to create a new DoS
sensor.
Figure 293:Edit DoS Sensor
476
Name
Comments
Intrusion Protection
DoS sensors
Anomaly configuration
Name
Enable
Select the check box to enable the DoS sensor to detect when the
specified anomaly occurs. Selecting the check box in the header row will
enable sensing of all anomalies.
Logging
Select the check box to enable the DoS sensor to log when the anomaly
occurs. Selecting the check box in the header row will enable logging for all
anomalies. Anomalies that are not enabled are not logged.
Action
Select Pass to allow anomalous traffic to pass when the FortiGate unit
detects it, or set Block to prevent the traffic from passing.
Threshold
Protected addresses
Each entry in the protected address table includes a source and destination IP
address as well as a destination port. The DoS sensor will be applied to traffic
matching the three attributes in any table entry.
Note: A new DoS sensor has no protected address table entries. If no addresses are
entered, the DoS sensor cannot match any traffic and will not function.
Destination
Destination
Port
Source
Add
Description
tcp_syn_flood
tcp_port_scan
tcp_src_session
477
Intrusion Protection
Description
tcp_dst_session
udp_flood
udp_scan
udp_src_session
udp_dst_session
icmp_flood
icmp_sweep
icmp_src_session
icmp_dst_session
478
Web Filter
Web Filter
The three main sections of the web filtering function, the Web Filter Content
Block, the URL Filter, and the FortiGuard Web filter, interact with each other in
such a way as to provide maximum control and protection for the Internet users.
If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is
configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
Content block
URL filter
Antivirus scanning
The URL filter list is processed in order from top to bottom. (In FortiOS v2.80 the
URL filter is processed as an unordered list.) An exempt match stops all further
checking including AV scanning. An allow match exits the URL filter list and
checks the other web filters.
Local ratings are checked prior to other FortiGuard Web Filtering categories.
The FortiGate unit applies the rules in this order and failure to comply with a rule
will automatically block a site despite what the setting for later filters might be.
479
Web Filter
480
Web Filter
Table 43: Web filter and Protection Profile web content block configuration
Protection Profile web filtering options
Table 44: Web filter and Protection Profile web URL filtering configuration
Protection Profile web filtering options
Enable or disable web page filtering for HTTP Add URLs and URL patterns to exempt
traffic based on the URL filter list.
or block web pages from specific
sources.
Table 45: Web filter and Protection Profile web script filtering and download
configuration
Protection Profile web filtering options
n/a
Table 46: Web filter and Protection Profile web category filtering configuration
Protection Profile web filtering options
Enable FortiGuard Web Filtering (HTTP only). FortiGuard Web Filter > Configuration
Enable FortiGuard Web Filtering Overrides
(HTTP only).
481
Content block
Web Filter
Table 46: Web filter and Protection Profile web category filtering configuration
Protection Profile web filtering options
Classification/Action
When selected, users can access web sites
that provide content cache, and provide
searches for image, audio, and video files.
Choose from allow, block, log, or allow
override.
Content block
Control web content by blocking specific words or patterns. If enabled in the
protection profile, the FortiGate unit searches for words or patterns on requested
web pages. If matches are found, values assigned to the words are totalled. If a
user-defined threshold value is exceeded, the web page is blocked.
Use Perl regular expressions or wildcards to add banned word patterns to the list.
See Using wildcards and Perl regular expressions on page 511.
Note: Perl regular expression patterns are case sensitive for Web Filter content block. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i blocks all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.
The web content block list catalogue has the following icons and features:
482
Create New
Select Create New to add a new web content block list to the catalog.
Name
# Entries
Web Filter
Content block
Profiles
The protection profiles each web content block list has been applied
to.
Comment
Optional description of each web content block list. The comment text
must be less than 63 characters long. Otherwise, it will be truncated.
Spaces will also be replaced by the plus sign ( + ).
Delete icon
Select to remove the web content block list from the catalog. The
delete icon is only available if the web content block list is not
selected in any protection profiles.
Edit icon
Select to edit the web content block list, list name, or list comment.
Select web content block lists in protection profiles. For more information, see
Web Filtering options on page 369.
Name
Comment
Note: Enable Web Filtering > Web Content Block in a firewall Protection Profile to activate
the content block settings.
The web content block list has the following icons and features:
483
Content block
Web Filter
Name
Web content block list name. To change the name, edit text in the name
field and select OK.
Comment
Create new
Total
Page up icon
Banned word
The current list of patterns. Select the check box to enable all the
patterns in the list.
Pattern type
The pattern type used in the pattern list entry. Choose from wildcard or
regular expression. See Using wildcards and Perl regular expressions
on page 511.
Language
Score
A numerical weighting applied to the pattern. The score values of all the
matching patterns appearing on a page are added, and if the total is
greater than the threshold value set in the protection profile, the page is
blocked.
Delete icon
Edit icon
484
Banned Word
Enter the content block pattern. For a single word, the FortiGate
checks all web pages for that word. For a phrase, the FortiGate
checks all web pages for any word in the phrase. For a phrase in
quotation marks, the FortiGate unit checks all web pages for the
entire phrase.
Pattern Type
Language
Score
Enable
Web Filter
Content block
The web content exempt list catalogue has the following icons and features:
Create New
Select Create New to add a new web content exempt list to the catalog.
Name
# Entries
Profiles
The protection profiles each web content block list has been applied to.
Comment
Delete icon
Select to remove the web content block list from the catalog. The delete
icon is only available if the web content block list is not selected in any
protection profiles.
Edit icon
Select to edit the web content block list, list name, or list comment.
Select web content block lists in protection profiles. For more information, see
Web Filtering options on page 369.
Name
Comment
485
Content block
Web Filter
Note: Enable Web Filtering > Web Content Exempt in a firewall Protection Profile to
activate the content exempt settings.
The web content exempt list has the following icons and features:
Name
Web content exempt list name. To change the name, edit text in the
name field and select OK.
Comment
Create new
Total
Page up icon
486
Remove All
Entries icon
Pattern
The current list of patterns. Select the check box to enable all the
patterns in the list.
Pattern type
The pattern type used in the pattern list entry. Choose from wildcard or
regular expression. See Using wildcards and Perl regular expressions
on page 511.
Language
Delete icon
Edit icon
Web Filter
URL filter
Pattern Word
Enter the content exempt pattern. For a single word, the FortiGate
checks all web pages for that word. For a phrase, the FortiGate
checks all web pages for any word in the phrase. For a phrase in
quotation marks, the FortiGate unit checks all web pages for the
entire phrase.
Pattern Type
Language
Enable
URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add
patterns using text and regular expressions (or wildcard characters) to allow or
block URLs. The FortiGate unit allows or blocks web pages matching any
specified URLs or patterns and displays a replacement message instead.
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the
URL filter settings.
Note: URL blocking does not block access to other services that users can access with a
web browser. For example, URL blocking does not block access to
ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.
487
URL filter
Web Filter
The URL filter list catalogue has the following icons and features:
Create New
Select Create New to add a new web content URL list to the catalog.
Name
# Entries
Profiles
The protection profiles each URL filter list has been applied to.
Comment
Delete icon
Select to remove the URL filter list from the catalog. The delete icon
is only available if the URL filter list is not selected in any protection
profiles.
Edit icon
Select to edit the URL filter list, list name, or list comment.
Select URL filter lists in protection profiles. For more information, see Web
Filtering options on page 369.
Name
Comment
complete URLs
IP addresses
To view the URL filter list go to Web Filter > URL Filter. Select the edit icon of the
URL filter list you want to view.
488
Web Filter
URL filter
The URL filter list has the following icons and features:
Name
URL filter list name. To change the name, edit text in the name field
and select OK.
Comment
Create New
Page up icon
URL
Type
Action
The action taken when the URL matches: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other
web filters.
An exempt match stops all further checking including AV
scanning.
A block match blocks the URL and no further checking will be
done.
Delete icon
Edit icon
Move icon
To add a URL to the URL filter list go to Web Filter > URL Filter. Select Create
New or edit an existing list.
489
URL filter
Web Filter
URL
Enter the URL. Do not include http://. For details about URL
formats, see URL formats on page 490.
Type
Action
Enable
URL formats
When adding a URL to the URL filter list (see Configuring the URL filter list on
page 489), follow these rules:
Enter a top-level URL followed by the path and filename to control access to a
single page on a web site. For example, www.example.com/news.html or
192.168.144.155/news.html controls the news page on this web site.
To control access to all pages with a URL that ends with example.com, add
example.com to the filter list. For example, adding example.com controls
access to www.example.com, mail.example.com,
www.finance.example.com, and so on.
Control access to all URLs that match patterns created using text and regular
expressions (or wildcard characters). For example, example.* matches
example.com, example.org, example.net and so on.
FortiGate web pattern blocking supports standard regular expressions.
490
Web Filter
Note: URLs with an action set to exempt are not scanned for viruses. If users on
the network download files through the FortiGate unit from trusted website, add the
URL of this website to the URL filter list with an action set to exempt so the
FortiGate unit does not virus scan files downloaded from this URL.
Note: Enable Web Filtering > Web URL Filter > HTTP or HTTPS in a firewall Protection
Profile to activate the web URL filter settings for HTTP and/or HTTPS traffic.
Drag and drop a URL or select the Move icon to the right of the URL to be moved.
Select OK.
Figure 306:Move URL Filter
Move to
(URL)
Enter the URL before or after which the new URL is to be located
in the list.
491
Web Filter
492
Web Filter
Create New
Return
URL/Category
Scope
Off-site URLs
A green check mark indicates that the off-site URL option is set to
Allow, which means that the overwrite web page will display the
contents from off-site domains. A gray cross indicates that the offsite URL option is set to Block, which means that the overwrite
web page will not display the contents from off-site domains. For
details, see Configuring administrative override rules on
page 493.
Initiator
Expiry Date
Delete icon
Edit icon
Type
URL
Scope
User
User Group
Select a user group from the dropdown list. User groups must be
configured before FortiGuard Web Filtering configuration. For
more information, see User groups on page 435.
493
Web Filter
Off-site URLs
This option defines whether the override web page will display the
images and other contents from the blocked offsite URLs.
For example, all FortiGuard categories are blocked, and you want
to visit a site whose images are served from a different domain.
You can create a directory override for the site and view the page.
If the offsite feature was set to deny, all the images on the page
will appear broken because they come from a different domain for
which the existing override rule does not apply. If you set the
offsite feature to allow, the images on the page will then show up.
Only users that apply under the scope for the page override can
see the images from the temporary overrides. The users will not
be able to view any pages on the sites where the images come
from (unless the pages are served from the same directory as the
images themselves) without having to create a new override rule.
To create an override for categories, go to Web Filter > FortiGuard - Web Filter >
Override.
Figure 309:New Override Rule - Categories
494
Type
Select Categories.
Categories
Classifications
Web Filter
Scope
User
User Group
IP
Profile
Off-site URLs
Select Allow or Block. See the previous table for details about offsite URLs.
Add
Delete icon
The local ratings list has the following icons and features:
Create New
Search
1 - 3 of 3
Page up icon
URL
The rated URL. Select the green arrow to sort the list by URL.
495
Web Filter
Category
Delete icon
Edit icon
Clear Filter
Category Name
Enable Filter
Select to enable the filter for the category or the individual subcategory.
Classification Name
Enable Filter
496
Web Filter
URL
Category Name
Enable Filter
Select to enable the filter for the category or the individual subcategory.
Classification Name
Enable Filter
Generate a text and pie chart format report on FortiGuard Web Filtering for any
protection profile. The FortiGate unit maintains statistics for allowed, blocked, and
monitored web pages for each category. View reports for a range of hours or days,
or view a complete report of all activity.
To create a web filter report go to Web Filter > FortiGuard - Web Filter >
Reports.
497
Web Filter
Report Type
Select the time frame for the report. Choose from hour, day, or all
historical statistics.
Report Range
Select the time range (24 hour clock) or day range (from six days ago to
today) for the report. For example, for an hour report type with a range
of 13 to 16, the result is a category block report for 1 pm to 4 pm today.
For a day report type with a range of 0 to 3, the result is a category
block report for 3 days ago to today.
Get Report
498
Category
Allowed
Blocked
Monitored
Antispam
Antispam
Antispam
This section explains how to configure the spam filtering options associated with a
firewall protection profile.
If you enable virtual domains (VDOMs) on the FortiGate unit, Antispam is
configured separately for each virtual domain. For details, see Using virtual
domains on page 95.
This section describes:
Antispam
Banned word
Black/White List
Antispam
You can configure the FortiGate unit to manage unsolicited commercial email by
detecting and identifying spam transmissions from known or suspected spam
servers.
The FortiGuard Antispam service from Fortinet is designed to manage spam. This
service includes an IP address black list, a URL black list, and spam filtering tools.
The FortiGuard Center accepts submission of spam email messages as well as
reports of false positives. For more information on the FortGuard Center, visit the
FortiGuard Center website at www.fortiguardcenter.com.
499
Antispam
Antispam
DNSBL & ORDBL check on last hop IP, FortiGuard Antispam IP check on last hop
IP, HELO DNS lookup.
Return e-mail DNS check, FortiGuard Anti Spam check, DNSBL & ORDBL check
on public IP extracted from header.
IP BWL check.
Return e-mail DNS check, FortiGuard AntiSpam check, DNSBL & ORDBL check.
500
AntiSpam setting
Antispam
Antispam
Table 47: AntiSpam and Protection Profile spam filtering configuration (Continued)
Protection Profile spam filtering options
AntiSpam setting
n/a
n/a
Spam Action
n/a
501
Banned word
Antispam
Table 47: AntiSpam and Protection Profile spam filtering configuration (Continued)
Protection Profile spam filtering options
AntiSpam setting
Banned word
Control spam by blocking email messages containing specific words or patterns. If
enabled in the protection profile, the FortiGate unit searches for words or patterns
in email messages. If matches are found, values assigned to the words are
totalled. If a user-defined threshold value is exceeded, the message is marked as
spam. If no match is found, the email message is passed along to the next filter.
Use Perl regular expressions or wildcards to add banned word patterns to the list.
Note: Perl regular expression patterns are case sensitive for antispam banned words. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.
502
Antispam
Banned word
Create New
Add a new list to the catalog. For more information, see Creating a
new banned word list on page 503.
Name
# Entries
Profiles
The protection profiles each antispam banned word list has been
applied to.
Comments
Delete icon
Remove the antispam banned word list from the catalog. The delete
icon is available only if the antispam banned word list is not selected
in any protection profiles.
Edit icon
Modify the antispam banned word list, list name, or list comment.
To use the banned word list, select antispam banned word lists in protection
profiles. For more information, see Spam Filtering options on page 373.
Name
Comments
503
Banned word
Antispam
To view the banned word list, go to AntiSpam > Banned Word and select the edit
icon of the banned word list you want to view.
Figure 317:Sample banned word List
Remove All Entries
Edit
Delete
Current Page
Name
Banned word list name. To change the name, edit text in the name field
and select OK.
Comments
Create New
Current Page
The current page number of list items that are displayed. Select the left
and right arrows to display the first, previous, next or last page of the
banned word list.
Remove All
Entries icon
Pattern
The list of banned words. Select the check box to enable all the banned
words in the list.
Pattern Type
The pattern type used in the banned word list entry. Choose from
wildcard or regular expression. For more information, see Using
wildcards and Perl regular expressions on page 511.
Language
Where
The location where the FortiGate unit searches for the banned word:
Subject, Body, or All.
Score
504
Antispam
Black/White List
Select OK.
To add a banned word
For the banned word list name to which you want to add a banned word, select
Edit.
Pattern
Enter the word or phrase you want to include in the banned word list.
Pattern Type
Select the pattern type for the banned word. Choose from wildcard or
regular expression. For more information, see Using wildcards and Perl
regular expressions on page 511.
Language
Where
Select where the FortiGate unit should search for the banned word:
Subject, Body, or All.
Score
Enable
Select OK.
Black/White List
The FortiGate unit uses both an IP address list and an email address list to filter
incoming email, if enabled in the protection profile.
When performing an IP address list check, the FortiGate unit compares the IP
address of the message sender to the IP address list in sequence. When
performing an email list check, the FortiGate unit compares the email address of
the message sender to the email address list in sequence. If a match is found, the
action associated with the IP address or email address is taken. If no match is
found, the message is passed to the next enabled spam filter.
505
Black/White List
Antispam
Create New
Name
# Entries
Profiles
Comments
Delete icon
Remove the antispam IP address list from the catalog. The delete
icon is available only if the antispam IP address list is not selected in
any protection profiles.
Edit icon
Name
Comments
506
Antispam
Black/White List
To view the antispam IP address list, go to AntiSpam > Black/White List > IP
Address and select the edit icon of the antispam IP address list you want to view.
Figure 320:Sample IP address list
Remove All Entries
Current Page
Move To
Edit
Delete
Name
Antispam IP address list name. To change the name, edit text in the
name field and select OK.
Comments
Create New
Current Page
The current page number of list items that are displayed. Select the
left and right arrows to display the first, previous, next or last page of
the IP address list.
Action
Delete icon
Edit icon
Move To icon
507
Black/White List
Antispam
To add an IP address go to AntiSpam > Black/White List > IP Address. For the IP
address list name to which you want to add an IP address, select Edit. Then select
Create New.
IP Address/Mask
Action
Enable
Create New
Name
# Entries
Profiles
The protection profiles each antispam email address list has been
applied to.
Comments
Delete icon
Remove the antispam email address list from the catalog. The delete
icon is only available if the antispam email address list is not selected
in any protection profiles.
Edit icon
Edit the antispam email address list, list name, or list comment.
You enable antispam email addresses in protection profiles. For more information, see
Spam Filtering options on page 373.
508
Antispam
Black/White List
Name
Comment
Delete
Edit
Move To
Remove All Entries
Name
Antispam email address list name. To change the name, edit text in
the name field and select OK.
Comments
Create New
Current Page
The current page number of list items that are displayed. Select the
left and right arrows to display the first, previous, next or last page of
the IP address list.
Pattern Type
Action
The action to take on email from the configured address. Actions are:
Spam to apply the spam action configured in the protection profile, or
Clear to let the email message bypass this and remaining spam
filters.
Delete icon
Edit icon
Move To icon
509
Antispam
E-Mail Address
Pattern Type
Action
Enable
X-mailer: outgluck
X-Distribution: bulk
Content_Type: text/html
Content_Type: image/jpg
The first part of the MIME header is called the header or header key. The second
part is called the value. Spammers often insert comments into header values or
leave them blank. These malformed headers can fool some spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with
certain types of content that are common in spam messages. Mark the email as
spam or clear for each header configured.
510
Antispam
To match a special character such as '.' and * use the escape character \. For
example:
To match any character 0 or more times, use .* where . means any character
and the * means 0 or more times. For example, the wildcard match pattern
forti*.com should therefore be fort.*\.com.
511
Antispam
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary.
For example, the regular expression test not only matches the word test but
also any word that contains test such as atest, mytest, testimony, atestb.
The notation \b specifies the word boundary. To match exactly the word test,
the expression should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web and antispam
filters. To make a word or phrase case insensitive, use the regular expression /i.
For example, /bad language/i will block all instances of bad language,
regardless of case.
512
Expression
Matches
abc
^abc
abc$
a|b
Either of a and b
^abc|abc$
ab{2,4}c
ab{2,}c
ab*c
ab+c
ab?c
a.c
a\.c
a.c exactly
[abc]
[Aa]bc
[abc]+
[^abc]+
\d\d
/i
\w+
100\s*mk
Antispam
abc when followed by a word boundary (for example, in abc! but not in
abcd)
perl\B
perl when not followed by a word boundary (for example, in perlert but
not in perl stuff)
\x
Tells the regular expression parser to ignore white space that is neither
preceded by a backslash character nor within a character class. Use this
to break up a regular expression into (slightly) more readable parts.
/x
Used to add regular expressions within other text. If the first character in
a pattern is forward slash '/', the '/' is treated as the delimiter. The pattern
must contain a second '/'. The pattern between / will be taken as a
regular expressions, and anything after the second / will be parsed as a
list of regular expression options ('i', 'x', etc). An error occurs if the
second '/' is missing. In regular expressions, the leading and trailing
space is treated as part of the regular expression.
513
514
Antispam
Overview
Overview
Statistics
User
Overview
Instant Messenger (IM), Peer to Peer (P2P), and Voice over Internet Protocol
(VoIP) protocols are gaining in popularity as an essential way to communicate
between two or more individuals in real time. Some companies even rely on IM
protocols for critical business applications such as Customer/Technical Support.
The most common IM protocols in use today include AOL Instant Messenger,
Yahoo Instant Messenger, MSN messenger, and ICQ. Although these are the
most popular ones, there are always new protocols being developed as well as
newer versions of older ones.
P2P protocols are most commonly used to transfer files from one user to another
and can use large amounts of bandwidth.
VoIP is increasingly being used by businesses to cut down on the cost of long
distance voice communications.
Some organizations need to control or limit the use of IM/P2P and VoIP protocols
in order to more effectively manage bandwidth use.
With FortiOS firmware, you can control and monitor the usage of IM/P2P
applications and VoIP protocols.
FortiOS supports two VoIP protocols: Session Initiation Protocol (SIP) and Skinny
Client Control Protocol (SCCP).
Fortinet Inc. recognizes that IM/P2P applications are becoming part of doing
business but also, if abused, can seriously decrease productivity and network
performance.
515
Overview
FortiGate units allow you to set up user lists that either allow or block the use of
applications, to determine which applications are allowed and how much
bandwidth can be used by the applications.
By combining comprehensive protection policies and easy-to-view statistical
reports, you can see which applications are being used and for what purpose,
making it easy to control IM/P2P applications and to maximize productivity.
The FortiOS system comes with an impressive list of supported IM/P2P protocols
and can be kept up-to-date with upgrades available for download from the Fortinet
Distribution Network. There is no need to wait for firmware upgrade to stay ahead
of the latest protocols.
FortiOS also provides ways for you to deal with unknown protocols even before
upgrades are available. For details, see Configuring IPS signatures for
unsupported IM/P2P protocols on page 518.
FortiOS uses IPS signatures to detect IM/P2P/VoIP sessions. Table 49 on
page 516 lists the IM/P2P/VoIP applications that are currently recognized by
FortiOS. The table includes the IPS signatures, the applications associated with
the signatures, and the locations of the signatures
Note: Applications in Table 49 on page 516 marked as bold can connect to multiple P2P
networks. Turning on IM and P2P signatures will help improve IPS performance. For
example, if you want to use IPS, but you do not want to block IM or P2P applications, you
should leave IM/P2P signatures enabled. Normally, if you turn off other signatures, the
performance will be better, but for IM/P2P, it is the opposite.
Table 49: IM/P2P applications covered by FortiOS 3.0
IPS
Applications
Instant Messaging
MSN Messenger
SIMPLE
Yahoo Messenger
P2P
516
BitComet
Bitspirit
Azureus
Shareaza
eMule
Overnet
Edonkey2K
Shareaza
BearShare
MLdonkey
iMesh
BearShare
Shareaza
LimeWire
Xolox
Swapper
iMesh
MLdonkey
Gnucleus
Morpheus
Openext
Mutella
Qtella
Qcquisition
Acquisition
NapShare
gtk-gnutella
KaZaA
Skype
WinNY
Ares Galaxy
VoIP
SIP (Firewall > Protection Profile > VoIP)
SIP
SCCP
Go to IM, P2P & VoIP > User > Config to configure IM settings for unknown
users. See Configuring a policy for unknown IM users on page 523.
Finally, go to Firewall > Policy to create policies to use all the settings. See
Configuring firewall policies on page 297.
517
Statistics
Select OK.
Note: To detect new IM/P2P applications or new versions of the existing
applications, you only need to update the IPS package, available through the
FortiNet Distribution Network (FDN). No firmware upgrade is needed.
If you want to block a protocol that is older than the ones listed above, use the CLI
command: For details see the FortiGate CLI Reference.
config imp2p old-version.
Statistics
You can view the IM, P2P and VoIP statistics to gain insight into how the protocols
are being used within the network. Overview statistics are provided for all
supported IM, P2P and VoIP protocols. Detailed individual statistics are provided
for each IM protocol.
518
Statistics
Select the automatic refresh interval for statistics. Set the interval
from none to 30 seconds.
Refresh
Reset Stats
Users
(Users) Blocked.
Chat
File Transfers
Voice Chat
Total Messages.
519
Statistics
P2P Usage
VoIP Usage
Calls failed/Dropped
Calls Succeeded
The IM/P2P Protocol tab has the following icons and features:
520
User
Automatic Refresh
Interval
Select the automatic refresh interval for statistics. Set the interval
from none to 30 seconds.
Protocol
Users
Chat
Messages
File Transfers
Voice Chat
User
After IM users connect through the firewall, the FortiGate unit displays which
users are connected in the Current Users list. You can analyze the list and decide
which users to allow or block. A policy can be configured to deal with unknown
users.
Note: If virtual domains are enabled on the FortiGate unit, IM features are configured
globally. To access these features, select Global Configuration on the main menu.
Filter the list by selecting the protocol for which to display current
users: AIM, ICQ, MSN, or Yahoo. All current users can also be
displayed.
Protocol
User Name
Source IP
521
User
Last Login
Block
Select to add the user name to the permanent black list. Each
user name/protocol pair must be explicitly blocked by the
administrator.
Policy
Edit icon
Delete icon
Protocol
Username
Policy
522
User
Select the protocols that unknown users are allowed to use. The
unknown users are added to a temporary white list.
Automatically Block
List of Temporary
Users
New users who have been added to the temporary white or black
lists. User information includes Protocol, Username, and the
Policy applied to the user.
Note: If the FortiGate unit is rebooted, the list is cleared.
Protocol
Username
Policy
The policy applied to the user when attempting to use the protocol:
Block or Deny.
Permanently Allow
Select to add the user to the permanent white list. The user
remains online and is listed in IM, P2P & VoIP > Users > User List.
Permanently Block
Select to add the user to the permanent black list. The user is
listed in IM, P2P & VoIP > Users > User List.
Apply
523
User
524
Log&Report
FortiGate logging
Log&Report
FortiGate units provide extensive logging capabilities for traffic, system and
network protection functions. They also allow you to compile reports from the
detailed log information gathered. Reports provide historical and current analysis
of network activity to help identify security issues that will reduce and prevent
network misuse and abuse.
This section provides information about how to enable logging, view log
messages, and configure reports. If you have VDOMs enabled, see Using virtual
domains on page 95 for more information.
The following topics are included in this section:
FortiGate logging
Storing logs
Log types
Accessing Logs
Content Archive
Alert Email
Reports
Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging
may not be available because certain features do not support logging, or are not available
in Transparent mode. For example, SSL VPN events are not available in Transparent
mode.
FortiGate logging
A FortiGate unit can log many different network activities and traffic including:
spam filtering
525
Log&Report
When customizing the logging location, you can also customize what minimum log
severity level the FortiGate unit should log these events at. There are six severity
levels to choose from. For more information, see Log severity levels on
page 527.
For better log storage and retrieval, the FortiGate unit can send log messages to a
FortiAnalyzer unit. FortiAnalyzer units provide integrated log collection, analysis
tools and data storage. Detailed log reports provide historical as well as current
analysis of network activity. Detailed log reports also help identify security issues,
reducing network misuse and abuse. The FortiGate unit can send all log message
types, including quarantine files and content archives, to a FortiAnalyzer unit for
storage. The FortiAnalyzer unit can upload log files to an FTP server for archival
purposes. For more information about configuring the FortiGate unit to send log
messages to a FortiAnalyzer unit, see Logging to a FortiAnalyzer unit on
page 529.
If you have a subscription for the FortiGuard Analysis and Management Service,
your FortiGate unit can send logs to a FortiGuard Analysis server. This service
provides another way to store and view logs, as well as archiving email
messages. For more information, see FortiGuard Analysis and Management
Service on page 526. Fortinet recommends reviewing the FortiGuard Analysis
and Management Service Administration Guide to learn more about the logging,
reporting, and remote management features from the FortiGuard Analysis and
Management Service portal web site.
The FortiGate unit can also send log messages to either a Syslog server or
WebTrends server for storage and archival purposes. If your FortiGate unit has a
hard disk, you can also send logs to it by using the CLI. For more information
about configuring logging to the hard disk, see the FortiGate CLI Reference.
In the FortiGate web-based manager, you can view log messages available in
system memory, on a FortiAnalyzer unit running firmware version 3.0 or higher, or,
if available, the hard disk. You can use customizable filters to easily locate specific
information within the log files.
For details and descriptions of log messages and formats, see the FortiGate Log
Message Reference.
526
Log&Report
When the FortiGate unit connects to the logging and reporting network for the first
time, it retrieves its assigned primary analysis server, contract term, and storage
space quota from the main analysis server. The main analysis server contains this
information so it can maintain and monitor the status of each of the servers.
After configuring logging to the assigned primary analysis server, the FortiGate
unit begins sending encrypted logs to the primary analysis server through TCP
port 514. The connection between the main analysis server and the FortiGate unit
is secured using FCP over HTTPS, through port 443.
Fortinet recommends reviewing the FortiGuard Analysis and Management
Service Administration Guide because it contains very detailed information about
this FortiGuard service. This administration guide contains information about:
registering your FortiGate unit, or multiple FortiGate units, for this FortiGuard
service
Note: After upgrading your FortiGate firmware, you need to re-enter your account ID and
then update the service to re-connect to the servers that support logging and reporting. You
may need to update the service from the portal web site as well.
527
Log&Report
Description
0 - Emergency
1 - Alert
2 - Critical
Functionality is affected.
3 - Error
4 - Warning
5 - Notification
6 - Information
The Debug severity level, not shown in Table 50, is rarely used. It is the lowest log
severity level and usually contains some firmware status information that is useful
when the FortiGate unit is not functioning properly. Debug log messages are
generated only if the log severity level is set to Debug. Debug log messages are
generated by all types of FortiGate features.
Storing logs
The type and frequency of log messages you intend to save determines the type
of log storage to use. For example, if you want to log traffic and content logs, you
need to configure the FortiGate unit to log to a FortiAnalyzer unit or Syslog server.
The FortiGate system memory is unable to log traffic and content logs because of
their frequency and large file size.
Storing log messages to one or more locations, such as a FortiAnalyzer unit or
Syslog server, may be a better solution for your logging requirements than the
FortiGate system memory. Configuring your FortiGate unit to log to a FortiGuard
Analysis server may also be a better log storage solution if you do not have a
FortiAnalyzer unit and want to create reports. This particular log storage solution
is available to all FortiGate units running FortiOS 3.0 MR6 or higher, through a
subscription to the FortiGuard Analysis and Management Service. For more
information, see FortiGuard Analysis and Management Service on page 526.
If your FortiGate unit has a hard disk, you can also enable logging to the hard disk
from the CLI. See the FortiGate CLI Reference for more information before
enabling logging to the hard disk.
528
Log&Report
Storing logs
If you require logging to multiple FortiAnalyzer units or Syslog servers, see the
FortiGate CLI Reference.
Note: Daylight Saving Time (DST) is now extended by four weeks in the United States and
Canada and may affect your location. It is recommended to verify if your location observes
this change, since it affects the scope of the report. Fortinet has released supporting
firmware. See the Fortinet Knowledge Center article, New Daylight Saving Time support,
for more information.
Expand
Arrow
Select the Expand Arrow beside Remote Logging to reveal the available options.
Select FortiAnalyzer.
From the Minimum log level list, select one of the following:
Emergency
Alert
Critical
Functionality is affected.
Error
Warning
Notification
Information
Debug
529
Storing logs
Log&Report
Enter the static IP address of the FortiAnalyzer unit in the Static IP Address field.
Select Apply.
The FortiAnalyzer unit needs to be configured to receive logs from the FortiGate
unit after you have configured log settings on the FortiGate unit. Contact a
FortiAnalyzer administrator to complete the rest of the configuration.
Note: You cannot configure a FortiAnalyzer unit to be a backup solution for the FortiGuard
Analysis server, and vice versa. If you require a backup solution for one of these logging
devices, using a Syslog server or WebTrends server is preferred.
Select the Expand Arrow beside Remote Logging to reveal the available options.
Select FortiAnalyzer.
Select Discover.
The FortiGate unit searches within the same subnet for a response from any
available FortiAnalyzer units.
Select Apply.
Note: If your FortiGate unit is in Transparent mode, you must modify the interface in the CLI
before Automatic Discovery can carry traffic. Use the procedure in the Fortinet Knowledge
Center article, Fortinet Discovery Protocol in Transparent mode, to enable the interface to
also carry traffic when using the Automatic Discovery feature.
530
Log&Report
Storing logs
Select the Expand Arrow beside Remote Logging to reveal the available options.
FortiAnalyzer
(Hostname)
FortiGate
(Device ID)
Registration
Status
The status of whether or not the FortiGate unit is registered with the
FortiAnalyzer unit. If the FortiGate unit is unregistered, it may not have
full privileges. For more information, see the FortiAnalyzer
Administration Guide.
Connection
The connection status between FortiGate and FortiAnalyzer units. A
Status
green check mark indicates there is a connection and a gray X
indicates there is no connection.
Disk Space (MB) The amount of disk space, in MB, on the FortiAnalyzer unit for logs.
Allocated
The amount of space designated for logs, including
Space
quarantine files and content archives.
531
Storing logs
Log&Report
Privileges
You can also test the connection status between the FortiGate unit and the
FortiAnalyzer unit by using the following CLI command:
execute log fortianalyzer test-connectivity
The command displays the connection status and the amount of disk usage in
percent. For more information, see the FortiGate CLI Reference.
Note: The test connectivity feature also provides a warning when a FortiGate unit requires
a higher-end FortiAnalyzer unit or when the maximum number of VDOMs/FortiGate units
has been reached on the FortiAnalyzer unit.
532
Select the Expand Arrow beside Remote Logging to reveal the available options.
Deletes the oldest log entry and continues logging when the
maximum log disk space is reached.
Do not log
Select Apply.
Log&Report
Storing logs
Logging to memory
The FortiGate system memory has a limited capacity for log messages. The
FortiGate system memory displays only the most recent log entries. It does not
store traffic and content logs in system memory due to their size and the
frequency of log entries. When the system memory is full, the FortiGate unit
overwrites the oldest messages. All log entries are cleared when the FortiGate
unit restarts.
If your FortiGate unit has a hard disk, use the CLI to enable logging to it. You can
also upload logs stored on the hard disk to a FortiAnalyzer unit. For more
information, see the FortiGate CLI Reference.
To configure the FortiGate unit to save logs in memory
1
Select the Expand Arrow beside the check box to reveal the available Memory
options.
533
Storing logs
Log&Report
Select the Expand Arrow beside the check box to reveal the Syslog options.
Name/IP
Port
The port number for communication with the syslog server, typically
port 514.
Minimum log
level
The FortiGate unit logs all messages at and above the logging
severity level you select. For more information about the logging
levels, see Table 50, Log severity levels, on page 528.
Facility
Enable CSV
Format
If you enable CSV format, the FortiGate unit produces the log in
Comma Separated Value (CSV) format. If you do not enable CSV
format the FortiGate unit produces plain text files.
Select Apply.
Note: If more than one Syslog server is configured, the Syslog servers and their settings
appear on the Log Settings page. You can configure multiple Syslog servers in the CLI. For
more information, see the FortiGate CLI Reference.
Logging to WebTrends
WebTrends is a remote computer running a NetIQ WebTrends firewall reporting
server. FortiGate log formats comply with WebTrends Enhanced Log Format
(WELF) and are compatible with NetIQ WebTrends Security Reporting Center and
Firewall Suite 4.1.
Use the CLI to configure the FortiGate unit to send log messages to WebTrends.
After logging into the CLI, enter the following commands:
config log webtrends setting
set server <address_ipv4>
set status {disable | enable}
end
Keywords and variables
Description
Default
server <address_ipv4>
No default.
status
{disable | enable}
disable
Example
This example shows how to enable logging to a WebTrends server and to set an
IP address for the server.
534
Log&Report
Log types
Log types
The FortiGate unit provides a wide range of features to log, enabling you to better
monitor activity that is occurring on your network. For example, you can enable
logging of IM/P2P features, to obtain detailed information on the activity occurring
on your network where IM/P2P programs are used.
This topic also provides details on each log type and explains how to enable
logging of the log type.
Before enabling FortiGate features, you need to configure what type of logging
device will store the logs. For more information, see Storing logs on page 528.
Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging
may not be available because they do not support logging, or are not available in
Transparent mode. For example, SSL VPN events are not available in Transparent mode.
Traffic log
The Traffic log records all the traffic to and through the FortiGate interfaces. You
can configure logging of traffic controlled by firewall policies and for traffic
between any source and destination addresses. You can also filter to customize
the traffic logged:
Allowed traffic The FortiGate unit logs all traffic that is allowed according to
the firewall policy settings.
Violation traffic The FortiGate unit logs all traffic that violates the firewall
policy settings.
If you are logging other-traffic, the FortiGate unit will incur a higher system load
because other-traffic logs log individual traffic packets. Fortinet recommends
logging firewall policy traffic since it minimizes the load. Logging other-traffic is
disabled by default.
Note: You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages. Traffic log messages generally have a severity level
no higher than Notification. If VDOMs are in Transparent mode, make sure that VDOM
allows access for enabling traffic logs.
535
Log types
Log&Report
Select the Expand Arrow to view the policy list for a policy.
Select OK.
Event log
The Event Log records management and activity events, such as when a
configuration has changed, or VPN and High Availability (HA) events occur.
When you are logged into VDOMs that are in Transparent mode, or if all VDOMs
are in Transparent mode, certain options may not be available such as VIP ssl
event or CPU and memory usage event. You can enable event logs only when you
are logged in to a VDOM; you cannot enable event logs in the root VDOM.
To enable the event logs
536
IPSec negotiation
event
DHCP service
event
L2TP/PPTP/PPPoE
service event
Admin event
HA activity event
Firewall
authentication
event
Pattern update
event
SSL VPN
administration
event
Log&Report
Log types
All related VIP server health monitor events that occur when the
VIP health monitor is configured, such as an interface failure.
Select Apply.
Antivirus log
The Antivirus log records virus incidents in Web, FTP, and email traffic. For
example, when the FortiGate unit detects an infected file, blocks a file type, or
blocks an oversized file or email that is logged, it records an antivirus log. You can
also apply filters to customize what the FortiGate unit logs, which are:
Blocked Files The FortiGate unit logs all instances of blocked files.
Oversized Files/Emails The FortiGate unit logs all instances of files and
email messages exceeding defined thresholds.
AV Monitor The FortiGate unit logs all instances of viruses, blocked files,
and oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP,
and IM traffic.
Select the Expand Arrow beside Logging to reveal the available options.
Select OK.
Select the Expand Arrow beside Logging to reveal the available options.
Select the FortiGuard Web Filtering Rating Errors (HTTP only) check box, to log
FortiGuard filtering.
Select OK.
537
Log types
Log&Report
Select the Expand Arrow beside Logging to reveal the available options.
Select OK.
Attack Signature The FortiGate unit logs all detected and prevented attacks
based on the attack signature, and the action taken by the FortiGate unit.
Attack Anomaly The FortiGate unit logs all detected and prevented attacks
based on unknown or suspicious traffic patterns, and the action taken by the
FortiGate unit.
Select the Expand Arrow beside Logging to reveal the available options.
Select OK.
Note: Make sure attack signature and attack anomaly DoS sensor settings are enabled to
log the attack. The logging options for the signatures included with the FortiGate unit are
set by default. Ensure any custom signatures also have the logging option enabled. For
more information, see Intrusion Protection on page 463.
538
Select the Expand Arrow beside Logging to reveal the available options.
Select OK.
Log&Report
Accessing Logs
VoIP log
You can log Voice over Internet Protocol (VoIP) calls. You can also configure VoIP
rate limiting for Session Initiated Protocol (SIP) and Skinny Client Control Protocol
(SCCP) or Skinny protocol. SIP and SCCP are two types of VoIP protocols.
Rate limiting is generally different between SCCP and SIP. For SIP, rate limiting is
for that SIP traffic flowing through the FortiGate unit. For SCCP, the call setup rate
is between the FortiGate unit and the clients because the call manager normally
resides on the opposite side of the FortiGate unit from the clients.
To enable VoIP logs
1
Select the Expand Arrow beside Logging to reveal the available options.
Select OK.
To configure VoIP activity (rate limiting)
Select the Expand Arrow beside VoIP to reveal the available options.
Enter a number for requests per second in the Limit REGISTER request
(requests/sec/policy) (SIP only) field.
Enter a number for requests per second in the Limit INVITE request
(requests/sec/policy) (SIP only) field
Enter a number for the maximum calls per minute in the Limit Call Setup
(calls/min/client) (SCCP only) field.
Select OK.
Accessing Logs
You can use the Log Access feature in the FortiGate web-based manager to view
logs stored in memory, on a hard disk, or stored on a FortiAnalyzer unit running
FortiAnalyzer 3.0, or on the FortiGuard Analysis server.
Log Access provides tabs for viewing logs according to these locations. Each tab
provides options for viewing log messages, such as search and filtering options,
and choice of log type. The Remote tab displays logs stored on either the
FortiGuard Analysis server or FortiAnalyzer unit.
For the FortiGate unit to access logs on a FortiAnalyzer unit, the FortiAnalyzer
unit must run firmware version 3.0 or higher.
539
Accessing Logs
Log&Report
Delete
View
540
Log Type
Select the type of log you want to view. Some log files, such as the
traffic log, cannot be stored to memory due to the volume of information
logged.
File name
The names of the log files of the displayed Log Type stored on the
FortiGate hard disk.
When a log file reaches its maximum size, the FortiGate unit saves the
log files with an incremental number, and starts a new log file with the
same name. For example, if the current attack log is alog.log, any
subsequent saved logs appear as alog.n, where n is the number of
rolled logs.
Size (bytes)
Last access
time
The time a log message was recorded on the FortiGate unit. The time is
in the format name of day month date hh:mm:ss yyyy, for
example Fri Feb 16 12:30:54 2007.
Clear the current log file. Clearing deletes only the current log
messages of that log file. The log file is not deleted.
Log&Report
Accessing Logs
Download icon
Download the log file or rolled log file. Select either Download file in
Normal format link or Download file in CSV format link. Select the
Return link to return to the Disk tab page. Downloading the current log
file includes only current log messages.
View icon
Delete icon
Current
Page
Log Type
Current Page
By default, the first page of the list of items is displayed. The total
number of pages appears after the current page number. For
example, if 3/54 appears, you are currently viewing page 3 of 54
pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
For more information, see Using page controls on web-based
manager lists on page 61.
Column Settings Select to add or remove columns. This changes what log information
appears in Log Access. For more information, see Column settings
on page 543.
Raw or Formatted By default, log messages is displayed in Formatted mode. Select
Formatted to view log messages in Raw mode, without columns.
When in Raw mode, select Formatted to switch back to viewing log
messages organized in columns.
When log messages are displayed in Formatted view, you can
customize the columns, or filter log messages.
Clear All Filters
Clear all filter settings. For more information, see Filtering log
messages on page 545.
Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs
from the FortiGate unit.
541
Log&Report
Current
Page
542
Log&Report
Log Type
Select the type of log you want to view. Some log files, such as the
traffic log, cannot be stored to memory due to the volume of
information logged.
Current Page
By default, the first page of the list of items is displayed. The total
number of pages displays after the current page number. For example,
if 3/54 appears, you are currently viewing page 3 of 54 pages.
To view pages, select the left and right arrows to display the first,
previous, next, or last page.
To view a specific page, enter the page number in the field and then
press Enter.
For more information, see Using page controls on web-based
manager lists on page 61.
Column Settings Select to add or remove columns. This changes what log information
appears in Log Access. For more information, see Column settings
on page 543.
Raw or Formatted By default, log messages are displayed in Formatted mode. Select
Formatted to view log messages in Raw mode, without columns.
When in Raw mode, select Formatted to switch back to viewing log
messages organized in columns.
When log messages are displayed in Formatted view, you can
customize the columns, or filter log messages.
Clear All Filters
Clear all filter settings. For more information, see Filtering log
messages on page 545.
Column settings
By using Column Settings, you can customize the view of log messages in
Formatted view. By adding columns, changing their order, or removing them, you
can view only the log information you want.
The Column Settings feature is available only in Formatted view.
543
Log&Report
Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
Select a column name and select one of the following to change the views of the
log information:
->
Select the right arrow to move selected fields from the Available fields
list to the Show these fields in this order list.
<-
Select the left arrow to move selected fields from the Show these fields
in this order list to the Available fields list.
Move up
Move the selected field up one position in the Show these fields in this
order list.
Move down
Move the selected field down one position in the Show these fields in
this order list.
Select OK.
Note: The Detailed Information column provides the entire raw log entry and is needed only
if the log contains information not available in any of the other columns. The VDOM column
displays which VDOM the log was recorded in.
You can view the device ID and device name when customizing columns. The device ID
provides the identification name of the device. The device name is the Host name that you
configured for the FortiGate unit, for example Headquarters.
544
Log&Report
Content Archive
Column Filter
(disabled)
Filter icon
(enabled)
The filter settings that are applied remain until you log out of the web-based
manager. Log filters automatically reset to default settings when you log into the
web-based manager.
To filter log messages
1
Select OK.
Content Archive
You can use Content Archive to view archived logs stored on the FortiAnalyzer
unit from the FortiGate web-based manager and the content archives of HTTP,
FTP, Email, IM, and VoIP that are stored on the FortiAnalyzer unit. You can also
view content summaries of HTTP, FTP, Email, IM, and VoIP if you have
subscribed to the FortiGuard Analysis and Management Service.
Before viewing content archives, you need to enable this feature on your
FortiGate unit, within a protection profile. For more information, see Firewall
Protection Profile on page 365.
545
Content Archive
Log&Report
The FortiGate unit allocates only one sixteenth of its memory for transferring
content archive files. For example, FortiGate units with 128RAM use only 8MB of
memory when transferring content archive files. It is recommended not to enable
full content archiving if antivirus scanning is also configured because of these
memory constraints.
Note: Infected files are clearly indicated in the Content Archive menu so that you know
which content archives are infected and which are not.
Select the content archives you require beside Display content meta-information
on the system dashboard.
Select the available options in each list you require for Archive to
FortiAnalyzer/FortiGuard.
Select the check boxes for Archive SPAMed email to FortiAnalyzer, if required.
Select OK.
Note: Email content archiving is also supported on the FortiGuard Analysis server.
546
Select the archived log type tab to view: Email, Web, FTP, IM, VOIP.
Log&Report
Alert Email
Alert Email
You can use the Alert Email feature to monitor logs for log messages, and to send
email notification about a specific activity or event logged. For example, if you
require notification about administrators logging in and out, you can configure an
alert email that is sent whenever an administrator logs in and out.
You can also base alert email messages on the severity levels of the logs.
Figure 339:Alert Email options
547
Alert Email
Log&Report
SMTP Server
Email from
Email To
Enter up to three email address recipients for the alert email message.
Enter the user name for logging on to the SMTP server to send alert
email messages. You need to do this only if you have enabled the SMTP
authentication.
Password
Enter the password for logging on to the SMTP server to send alert
email. You need to do this only if you selected SMTP authentication.
Select Test Connectivity to send a test email message to the email account you
configured in the above step.
Select Send alert email for the following if you require sending an
email based on one or more of the following:
Interval Time
(1-9999 minutes)
Intrusion detected
Virus detected
Web access
blocked
HA status changes
Violation traffic
detected
Firewall authentication Select if you require an alert email message based on firewall
authentication failures.
failure
SSL VPN login failure
Administrator
login/logout
L2TP/PPTP/PPPoE
errors
Configuration changes Select if you require an alert email message based on any
changes made to the FortiGate configuration.
548
FortiGuard license
expiry time
(1-9999 days)
Select Send an alert based on severity if you require sending an alert email
based on log severity level.
Select the minimum severity level in the Minimum severity level list if you are
sending an alert based on severity.
Select Apply.
Log&Report
Reports
Note: The default minimum log severity level is Alert. If the FortiGate unit collects more
than one log message before an interval is reached, the FortiGate unit combines the
messages and sends out one alert email.
Reports
You can use the Log&Report menu to configure FortiAnalyzer report schedules
and to view generated FortiAnalyzer reports. You can also configure basic traffic
reports, which use the log information stored in your FortiGate system memory to
present basic traffic information in a graphical format.
549
Reports
Log&Report
Time Period
Select a time range to view for the graphical analysis. You can choose
from one day, three days, one week or one month. The default is one
day. When you refresh your browser or go to a different menu, the
settings revert to default.
Services
By default all services are selected. When you refresh your browser or
go to a different menu, all services revert to default settings. Clear the
check boxes beside the services you do not want to include in the
graphical analysis.
Browsing
Streaming
DNS
TFTP
VoIP
FTP
Generic TCP
Gaming
Generic UDP
Instant Messaging
Generic ICMP
Newsgroups
Generic IP
P2P
Bandwidth Per
Service
This bar graph is based on what services you select, and is updated
when you select Apply. The graph is based on date and time, which is
the current date and time.
Top Protocols
Ordered by
Total Volume
This bar graph displays the traffic volume for various protocols, in
decreasing order of volume. The bar graph does not update when you
select different Services and then select Apply.
The report is not updated in real-time. You can refresh the report by selecting the
Memory tab.
Note: The data used to present the graphs is stored in the FortiGate system memory.
When the FortiGate unit is reset or rebooted, the data is erased.
Select the time period to include in the graph from the Time Period list.
Clear the services to exclude them from the graph. All services are selected by
default.
Select Apply.
The graph refreshes and displays the content you specified in the above
procedure. The Top Protocols Ordered by Total Volume graph does not change.
Note: If you require a more specific and detailed report, you can configure a simple report
from the FortiAnalyzer web-based manager or CLI. The FortiAnalyzer unit can generate
over 140 different reports providing you with more options than the FortiGate unit provides.
If you need to configure a FortiAnalyzer report schedule, see FortiAnalyzer report
schedules on page 551.
550
Log&Report
Reports
Delete
Edit
Clone
Create New
Name
Description
Report Layout
The name of the report layout used for the report schedule.
Schedule
Delete and Edit icons Delete or edit a report schedule in the list.
Clone
Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a
FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.
Description
551
Reports
Log&Report
Report Layout
Select a configured report layout from the list. You must apply a
report layout to a report schedule. For more information, see the
FortiAnalyzer Administration Guide.
Language
Select the language you want used in the report schedule from the
list.
Schedule
Select one of the following to have the report generate once only,
daily, weekly, or monthly at a specified date or time period.
Time Period
Once
Daily
These Days
These Dates
User
Group
LDAP Query
Select to include the time period of the logs to include in the report.
Relative to
Select a time period from the list. For example,
Report Runtime this year.
Specify
Output
552
Select the format you want the report to be in and if you want to
apply an output template.
Output Types
Email/Upload
Select OK.
Log&Report
Reports
Select Edit.
Select OK.
To delete a report schedule
Select Delete in the row of the report schedule you want deleted.
To clone a report schedule
Select Clone in the same row of the report schedule that will be the basis of a new
report schedule.
553
Reports
Log&Report
Report Files
The name of the generated report. Select the name to view the
report.
You can also select the Expand Arrow to view the report and the
select the rolled report to view the report.
Date
Size(bytes)
Other Formats
Displays the formats PDF, RTF or MHT or all if these formats were
chosen in the report schedule.
554
Select Print.
download and review the release notes for the patch release
install the patch release using the procedure Testing firmware before
upgrading on page 557
test the patch release until you are satisfied that it applies to your configuration
Installing a patch release without reviewing release notes or testing the firmware
may result in changes to settings or unexpected issues.
FortiOS 3.0 also enables you to configure your FortiGate unit to use NAT while in
Transparent mode. See Adding NAT firewall policies in transparent mode on
page 361.
If you enable virtual domains (VDOMs) on the FortiGate unit, system firmware
versions are configured globally. For more information, see Using virtual
domains on page 95.
This chapter includes the following sections:
Note: Fortinet does not support upgrading from FortiOS 3.0 MR4 or earlier to FortiOS
3.0 MR7. You must upgrade to FortiOS 3.0 MR5 or MR6 before upgrading to FortiOS
3.0 MR7. Fortinet supports upgrading from the most recent patch release of FortiOS
3.0 MR5 and MR6 to FortiOS 3.0 MR7.
555
Select OK.
556
Copy the new firmware image file to the root directory of the TFTP server.
Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
557
10
11
12
Type R.
The FortiGate firmware image installs and saves to system memory. The
FortiGate unit starts running the new firmware image with the current
configuration.
When you are done testing the firmware, you can reboot the FortiGate unit and
resume using the original firmware.
Note: Before upgrading to FortiOS 3.0, ensure FortiOS 2.80 MR11 is installed.
558
Enter the path and filename of the firmware image file, or select Browse and
locate the file.
Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process may take a few
minutes.
When the upgrade is successfully installed:
Clear the browsers cache and log into the web-based manager.
After logging back into the web-based manager, you should save the
configuration settings that carried forward. Some settings may have carried
forward from FortiOS 2.80 MR11, while others may not have such as certain IPS
group settings. Go to System > Maintenance > Backup and Restore to save the
configuration settings that carried forward.
Note: After upgrading to FortiOS 3.0, perform an Update Now to retrieve the latest
AV/NIDS signatures from the FortiGuard Distribution Network (FDN) as these signatures
included in the firmware may be older than those currently available on the FDN. See the
FortiGate Administration Guide for more information about updating AV/NIDS signatures.
559
See the Fortinet Knowledge Center article, Loading FortiGate firmware using
TFTP for CLI procedure, for additional information about upgrading firmware using
the CLI.
To upgrade to FortiOS 3.0 using the CLI
1
Copy the new firmware image file to the root directory of the TFTP server.
Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
Enter the following command to copy the firmware image from the TFTP server to
the FortiGate unit:
execute restore image <name_str> <tftp_ip4>
When <name_str> is the name of the firmware image file and <tftp_ip> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server er is 192.168.1.168, enter:
execute restore image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
Enter the following command to confirm the firmware image installed successfully:
get system status
560
Note: The FortiGate-1000A-FA2 does not support downgrading to FortiOS 2.80 because
with the introduction of the FortiClient Check feature, the flash card has a different partition
layout than it did in FortiOS 2.80.
Select Apply.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file checkbox and enter a password, then enter it again to
confirm.
561
Select Apply.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file checkbox and enter a password, then enter it again to
confirm.
Operation mode
Interface IP/Management IP
DNS settings
VDOM parameters/settings
Session helpers
System accprofiles
If you created additional settings in FortiOS 3.0, make sure to back up the current
configuration before downgrading. See Backing up your FortiOS 3.0
configuration on page 561 for more information.
Note: Installing FortiOS 2.80 firmware on a partition in FortiOS 3.0 MR5 will not overwrite
the other partition.
Select Update.
Select OK.
The following message appears:
The new image does not support CC mode. Do you want to
continue to upgrade?
Select OK.
The following message appears:
This version will downgrade the current firmware version.
Are you sure you want to continue?
Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware
version, resets the configuration, restarts, and displays the FortiGate login. This
process takes a few minutes.
562
Copy the new firmware image file to the root directory of the TFTP server.
Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
Enter the following command to copy the firmware image from the TFTP server to
the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4>
is the IP address of the TFTP server. For example, if the firmware image file name
is image.out and the IP address of the TFTP server er is 192.168.1.168, enter:
execute restore image tftp image.out
192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do
you want to continue? (y/n)
Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a
message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
After the FortiGate unit uploads the firmware, you need to reconfigure your IP
address since the FortiGate unit reverts to default settings, including its default IP
address. See your install guide for configuring IP addresses.
563
Enter the following command to confirm the firmware image installed successfully:
get system status
See Restoring your configuration on page 564 to restore you FortiOS 2.80 MR11
configuration settings.
Type the location of the file or select Browse to locate the file.
Select OK.
The FortiGate unit restores the configuration settings for FortiOS 2.80 MR11. This
may take a few minutes since the FortiGate unit will reboot.
You can verify that the configuration settings are restored by logging into the
web-based manager and going through the various menus and tabs.
Copy the backed up configuration file to the root directory of the TFTP server.
Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
564
Enter the following command to copy the backed up configuration file to restore
the file on the FortiGate unit:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed up configuration file and
<tftp_ipv4> is the IP address of the TFTP server and <passwrd> is the
password you entered when you backed up your configuration settings. For
example, if the backed up configuration file is confall and the IP address of the
TFTP server is 192.168.1.168 and the password is ghrffdt123:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the
system will reboot!
Do you want to continue? (y/n)
Type y.
The FortiGate unit uploads the backed up configuration file. After the file uploads,
a message, similar to the following, is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
All done. Rebooting...
This may take a few minutes.
Use the show shell command to verify your settings are restored, or log into the
web-based manager.
565
Select Apply.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file checkbox and enter a password, then enter it again to
confirm.
To back up your current configuration using the CLI
Select OK.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file checkbox and enter a password, then enter it again to
confirm.
566
Select Update.
Type the path and filename of the firmware image file, or select Browse to locate
the file.
Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process may take a few
minutes.
After successfully upgrading to FortiOS 3.0 MR2:
Clear the browsers cache and log into the web-based manager.
Copy the new firmware image file to the root directory of the TFTP server.
Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
Enter the following command to copy the firmware image from the TFTP server to
the FortiGate unit:
execute restore image <name_str> <tftp_ip4>
When <name_str> is the name of the firmware image file and <tftp_ip> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
567
Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version and restarts. This process takes a few minutes.
Enter the following command to confirm the firmware image installed successfully:
get system status
Update antivirus and attack definitions (see the FortiGate Administration Guide),
or from the CLI enter:
execute update-now
operation modes
interface IP/management IP
DNS settings
VDOM parameters/settings
session helpers
568
Select Apply.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file checkbox and enter a password, then enter it again to
confirm.
To back up your current configuration in FortiOS 3.0 MR2 or higher using
the FortiUSB key
Select OK.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file checkbox and enter a password, then enter it again to
confirm.
Select Update.
Select OK.
The following message appears:
The new image does not support CC mode. Do you want to
continue to upgrade?
Select OK.
The following message appears:
This version will downgrade the current firmware version.
Are you sure you want to continue?
Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware
version, resets the configuration, restarts, and displays the FortiGate login. This
process takes a few minutes.
Go to System > Status > Firmware Version to verify the Firmware Version has
changed to FortiOS 3.0 MR1.
569
Copy the new firmware image file to the root directory of the TFTP server.
Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
Enter the following command to copy the firmware image from the TFTP server to
the FortiGate unit.
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is
the IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the following message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a
message similar to the following is displayed:
Get image from tftp server. OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue ? (y/n)
Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
After the FortiGate unit uploads the firmware, you will need to reconfigure your IP
address since the FortiGate unit reverts to default settings, including its default IP
address. See your FortiGate units install guide for configuring IP addresses.
9
10
570
Select OK.
The FortiGate unit restores the configuration settings for FortiOS 3.0 MR1. This
may take a few minutes since the FortiGate unit reboots.
You can verify the configuration settings are restored by logging into the
web-based manager and going through the menus and tabs to see that your
settings are restored.
To restore your FortiOS 3.0 MR1 configuration using the CLI
Copy the backed up configuration file to the root directory of the TFTP server.
Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
Enter the following command to copy the backed up configuration file to restore
the file on the FortiGate unit:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed up configuration file and
<tftp_ipv4> is the IP address of the TFTP server and <passwrd> is the
password you entered when you backed up your configuration settings. For
example, if the backed up configuration file is confall and the IP address of the
TFTP server is 192.168.1.168 and the password is ghrffdt123:
execute restore allconfig confall 192.168.1.168 ghrffdt123
Type y.
The FortiGate unit uploads the backed up configuration file. After the file uploads,
a message similar to the following, is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
This may take a few minutes.
Use the show shell command to verify your settings are restored, or log into the
web-based manager.
571
Select OK.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file checkbox and enter a password, then enter it again to
confirm.
To restore configuration settings using the FortiUSB key from the CLI
Type y.
This may take a few minutes.
IPSec-related settings
The following parameters for both phase 1 and phase 2 policy-based IPSec
tunnels are not carried forward.
phase 1:
config vpn ipsec phase1
572
phase 2:
config vpn ipsec phase2
set bindtoif <interface_name>
set internetbrowsing <interface_name>
573
FortiGate-3016B upgrade
The interface names on the FortiGate-3016B unit changed in FortiOS 3.0 MR7 to
match the port names on the face plate of the unit. The following table explains the
new naming scheme:
574
mgmt1
port 2
mgmt2
port 3
port1
port 4
port2
port 5
port3
port 6
port4
port 7
port5
port 8
port6
port 9
port7
port 10
port8
port 11
port9
port 12
port10
port 13
port11
port 14
port12
port 15
port13
port16
port14
port 17
port15
port 18
port16
NTP configuration
The following NTP-related configuration commands are now under config
system ntp in the CLI:
config ntpserver
set ntpsync
set syncinterval
System interface
Previously, the command dns-server-override was available only for
interfaces configured in the management VDOM. In FortiOS 3.0 MR7, VLAN
interfaces cannot be created under a FortiGate switch interface, and therefore,
any VLANs under the switch interfaces are not carried forward to FortiOS
3.0 MR7.
575
Configuring reports
Configuring reports in FortiOS 3.0 MR7 has drastically changed. All reports
configured under the command, config log report, are not carried forward.
Reports that do carry forward are placed as correctly as possible in their FortiOS
3.0 MR7 configuration. You may need to reconfigure some settings if so, contact
a FortiAnlayzer administrator before reconfiguring settings because you will need
to know if report layouts are available for your report schedules.
FortiGuard configuration
The default setting for the command, central-mgmt-auto-backup, was
changed to enable.
Firewall policy
The commands, auth-path, auth-cert and auth-redirect-addr settings
may not carry forward if the authentication group is not selected in the firewall
policy.
System IPv6
The command, config system ipv6-tunnel is carried forward, now under
config system sit-tunnel in FortiOS 3.0 MR7.
Global setting
The command, allow-interface-subnet-overlap, previously under
global settings, is carried forward into every VDOM and found under
config system setting.
576
Index
Index
Symbols
, 469
Numerics
802.3ad aggregate interface
creating, 116
A
access profile
administrator account, 208
CLI commands list, 209
configuring, 211
viewing list, 210
accessing logs stored in hard disk, 540
action
firewall policy, 296
protection profile P2P option, 378
spam filter banned word, 504
spam filter IP address, 507
action type
spam filter email address, 509
active sessions
HA statistics, 174
ActiveX filter
protection profile, 370
add signature to outgoing email
protection profile, 369
adding, configuring or defining
access profile, 211
administrative access to interface, 125
administrator account, 205
administrator password, 205
administrator settings, 215
ADSL interface settings, 115
advanced SSL VPN user group options, 442
alert email, 547
antispam advanced options, 510
antispam email address list, 508, 510
antispam IP address, 507
antispam IP address list, 506
antivirus file filter list, 453, 454
antivirus file patterns, 454
antivirus file quarantine, 454
antivirus log, 537
antivirus quarantine options, 457
antivirus scanning options, 367
attack log (IPS), 538
authentication settings, 445
authentication, firewall policy, 302
automatic discovery, 530
autosubmit list, 457
banned word list, 503, 504
basic traffic report, graphical view, 550
BFD, 286
BFD on BGP, 287
BFD on OSPF, 288
BGP settings, 282
CA certificates, 226
Certificate Revocation List (CRL), 228
cipher suite, 415
combined IP pool and virtual IP, 359
content archive, 546
content archive options, 375
custom firewall service, 325
custom IM/P2P/VoIP protocols, 518
custom service, firewall, 325
custom signatures, 467
customized CLI console, 68
DHCP interface settings, 118
DHCP relay agent, 163
DHCP server, 163
Directory Service server, 433, 434
Directory Service user groups, 437
DoS sensors, 475
Dynamic DNS on an interface, 122
dynamic virtual IP, 352
event logs, 536
fail-open, IPS, 478
firewall address, 317
firewall address group, 318
firewall policy, 296, 297
firewall policy traffic logging, 535
firewall policy, adding to VLAN subinterface, 145
firewall policy, modem connections, 134
firewall protection profile, 367
firewall schedule, 329
firewall service group, 327
firewall user groups, 436
firewall virtual IP, 333
firmware upgrade, 236
firmware version, 81
FortiAnalyzer report schedules, 551
FortiClient checking, 308
FortiGuard override options for a user group, 441
FortiGuard Web Filtering options, 370
FortiWiFi-50B settings, 150, 152
FortiWiFi-60 MAC filter list, 157
FortiWiFi-60 settings, 154
FortiWiFi-60A settings, 150, 152
FortiWiFi-60AM, 152
FortiWiFi-60AM settings, 150
FortiWiFi-60B settings, 150, 152
gateway for default route, 261
grayware list, 459
HA, 167
HA device priority, 174
HA subordinate unit host name, 174
health check monitor, 355
IM user, 522
577
Index
578
Index
579
Index
ARP, 338
proxy ARP, 338
AS
OSPF, 273
attachments
viruses, 189
attack updates
manual, 84
scheduling, 249
through a proxy server, 250
Authentication
IPSec VPN, phase 2, 402
authentication
client certificates and SSL VPN, 415
configuring remote authentication, 197
defining settings, 445
firewall policy, 301, 302, 303
MD5, 279
RIP, 272
server certificate and SSL VPN, 415
Authentication Algorithm
IPSec VPN, manual key, 404, 406
Authentication Key
IPSec VPN, manual key, 406
Authentication Method
IPSec VPN, phase 1, 397
Auto Key
IPSec VPN, 395
Autokey Keep Alive
IPSec VPN, phase 2, 403
automatic discovery, 530
autonomous system (AS), 273, 281
AutoSubmit
quarantine, 458
autosubmit list
configuring, 457
enabling uploading, 457
quarantine files, 456
av_failopen
antivirus, 461
B
back to HA monitor
HA statistics, 174
backing up
2.80 MR11 configuration, 556
3.0 config, 561
3.0 config to FortiUSB, 561
3.0 config to PC, 561
config using web-based manager, 2.80 MR11, 556
FortiGate configuration, 52
system configuration, 231
backing up 3.0 config using web-based manager, CLI,
FortiUSB key, 566
backing up previous config to PC, FortiUSB key, 568
backup (redundant) mode
modem, 129
backup and restore, system maintenance, 231
backup mode
modem, 132
580
band
wireless setting, 151
bandwidth
guaranteed, 301
maximum, 301
banned word
web content block, 484, 486
banned word (spam filter)
action, 504
adding words to the banned word list, 504
catalog, 502
language, 504, 505
list, 503
pattern, 504, 505
pattern type, 504, 505
banned word check
protection profile, 374
banned word list
creating new, 503
banned word list catalog
viewing, 502
beacon interval
wireless setting, 151, 155
BFD
configuring on BGP, 287
configuring on OSPF, 288
disabling, 287
BGP
AS, 281
flap, 281
graceful restart, 281
MED, 281
RFC 1771, 281
service, 322
settings, viewing, 282
stabilizing the network, 281
BHO
grayware category, 460
black/white list, 505
blackhole route, 258
block, 390
block audio (IM)
protection profile, 378
block file transfers (IM)
protection profile, 378
block login (IM)
protection profile, 378
blocked
web category report, 498
bookmark
online help icon, 54
Boot Strap Router (BSR), 283
BOOTP, 164
browsing log information, 542
button bar
features, 52
C
CA certificates
importing, 226
viewing, 226
Index
catalog
banned word, 502
content block, 482
content exempt, 485
email address back/white list, 508
IP address black/white list, 505
URL filter, 487
viewing file pattern, 452
category
protection profile, 372
web category report, 498
category block
configuration options, 492
reports, 497
central management, 212
certificate authentication, 219
Certificate Name
IPSec VPN, phase 1, 397
certificate, security. See system certificate
certificate, server, 415
certificate. See system certificates
channel
wireless setting, 151
channel, wireless setting
FortiWiFi-60, 154
CIDR, 315
cipher suite
SSL VPN, 415
CLI, 48
access profile, 209
connecting to from the web-based manager, 51
CLI configuration
antivirus, 461
customizing CLI console, 68
system network, 123
using in web-based manager, 76
web category block, 497
CLI console, 76
client certificates
SSL VPN, 415
cluster member, 171
cluster members list, 173
priority, 173
role, 173
cluster unit
disconnecting from a cluster, 175
code, 326
column settings, 543
configuring, 62
system network, 110
using with filters, 63
comfort clients
protection profile, 369
comments
firewall policy, 302
on documentation, sending, 46
concentrator
adding, 408
equivalent for route-based VPN, 395
IPSec tunnel mode, 407
IPSec VPN, policy-based, 407
Concentrator Name
IPSec VPN, concentrator, 408
config antivirus heuristic
CLI command, 461
configuration
backing up FortiGate configuration, 52
restore, 232
connect to server, 116
connecting
modem, dialup account, 134
web-based manager, 48
conservation mode, 181
contact information
SNMP, 176
contacting customer support, 52
content archive
viewing, 87
content archive options
full, 375
metadata, 375
protection profile, 375
summary, 375
content block
catalog, 482
web filter, 482
content exempt
catalog, 485
content streams
replacement messages, 188
contents
online help icon, 54
cookie filter
protection profile, 370
CPU usage
HA statistics, 174
CRL (Certificate Revocation List)
importing, 228
viewing, 227
custom service
adding, 325
adding a TCP or UDP custom service, 325
list, 325
custom signatures
intrusion protection, 467
viewing, 467
customer service, 46
customer support
contacting, 52
D
dashboard, 47, 67
data encryption
wireless setting, 153
date
quarantine files list, 455
DC
quarantine files list, 456
DCE-RPC
firewall service, 322
Dead Peer Detection
IPSec VPN, phase 1, 401
581
Index
582
documentation
commenting on, 46
Fortinet, 44
domain name, 316
DoS sensor, 475
IPS, 375
list, 475
SCCP, 379
SIP, 379
dotted-decimal notation, 278
double NAT, 359
downgrading. See also reverting
2.80 MR11 using the CLI, 563
2.80 MR11 using web-based manager, 562
download
grayware category, 460
quarantine files list, 456
DSCP, 308
dummy policy
SIP, 387
duplicates
quarantine files list, 456
Dynamic DNS
IPSec VPN, phase 1, 397
monitor, 409
network interface, 122
VPN IPSec monitor, 409
dynamic IP pool
SIP, 386
dynamic routing, 267
OSPF, 273
PIM, 283
dynamic virtual IP
adding, 352
E
ECMP, 258
email
online help icon, 53
email address
action type, 509
adding to the email address list, 510
back/white list catalog, 508
BWL check, protection profile, 374
list, spam filter, 509
pattern type, 509
email blocked as spam, 189
enable FortiGuard Web Filtering
protection profile, 371
enable FortiGuard Web Filtering overrides
protection profile, 371
Enable perfect forward secrecy (PFS)
IPSec VPN, phase 2, 403
Enable replay detection
IPSec VPN, phase 2, 403
enable session pickup
HA, 170
encrypt configuration file
backup configuration, 232
Encryption
IPSec VPN, phase 2, 402
Index
Encryption Algorithm
IPSec VPN, manual key, 404, 406
Encryption Key
IPSec VPN, manual key, 406
end IP
IP pool, 358
Equal Cost Multipath (ECMP), 258
ESP
service, 322
Ethernet over ATM (EoA), 115
example
firewall policy, 308
source IP address and IP pool address matching,
357
exclude range
adding to DHCP server, 165
expire
system status, 86
expired
subscription, 245
exported server certificates
importing, 223
external interface
virtual IP, 338
external IP address
virtual IP, 338
external service port
virtual IP, 339
F
fail-open, CLI command for IPS, 478
FDN
attack updates, 194
HTTPS, 248
override server, 246
port 443, 248
port 53, 247
port 8888, 247
port forwarding connection, 251
proxy server, 250
push update, 246
troubleshooting connectivity, 248
updating antivirus and attack definitions, 249
FDS, 241
file block
antivirus, 450
default list of patterns, 451
list, antivirus, 453
protection profile, 368
file name
quarantine files list, 455
file pattern
catalog, 452
quarantine autosubmit list, 456
filter
filtering information on web-based manager lists,
58
IPS sensor, 472
quarantine files list, 455
using with column settings, 63
web-based manager lists, 58
FINGER
service, 322
firewall, 293, 315, 321, 329, 333, 365
address list, 316
configuring, 293, 315, 365
configuring firewall service, 321
configuring service group, 327
configuring virtual IP, 333
configuring, schedule, 329
custom service list, 325
one-time schedule, 330
overview, 293, 315, 321, 365
overview, firewall schedule, 329
overview, virtual IP, 333
policy list, 295
policy matching, 293
predefined services, 321
recurring schedule, 329
virtual IP list, 337
firewall address
adding, 317
address group, 318
address name, 318
create new, 317
IP range/subnet, 318
list, 316
name, 317
subnet, 318
firewall address group
adding, 319
available addresses, 319
group name, 319
members, 319
firewall IP pool list, 358
firewall IP pool options, 359
583
Index
firewall policy
action, 296
adding, 297
adding a protection profile, 381
allow inbound, 306
allow outbound, 306
authentication, 301, 302, 303
changing the position in the policy list, 294
comments, 302
configuring, 297
creating new, 296
deleting, 294
destination, 296, 299, 303
differentiated services, 308
DiffServ, 308
example, 308
fixed port NAT option, 300
FortiClient checking, 308
guaranteed bandwidth, 301
ID, 296
inbound NAT, 306
insert policy before, 297
list, 295
log traffic, 301, 304
matching, 293
maximum bandwidth, 301
modem, 134
moving, 294
multicast, 295
outbound NAT, 306
protection profile, 300
schedule, 296, 299, 304
service, 296, 300
source, 296, 299
SSL VPN options, 307
traffic shaping, 301, 304
user groups, 436
firewall protection profile
default protection profiles, 366
list, 366
options, 367
firewall service
AH, 322
ANY, 322
AOL, 322
BGP, 322
DCE-RPC, 322
DHCP, 322
DNS, 322
ESP, 322
FINGER, 322
FTP, 322
FTP_GET, 322
FTP_PUT, 322
GOPHER, 322
GRE, 322
group list, 327
H323, 322
HTTP, 322
HTTPS, 322
ICMP_ANY, 323
IKE, 323
IMAP, 323
INFO_ADRESS, 323
584
INFO_REQUEST, 323
Internet-Locator-Service, 323
IRC, 323
L2TP, 323
LDAP, 323
MGCP, 323
NetMeeting, 323
NFS, 323
NNTP, 323
NTP, 323
OSPF, 323
PC-Anywhere, 323
PING, 323
PING6, 323
POP3, 323
PPTP, 323
QUAKE, 324
RAUDIO, 324
REXEC, 324
RIP, 324
RLOGIN, 324
RSH, 324
SAMBA, 324
SCCP, 324
SIP, 324
SIP-MSNmessenger, 324
SMTP, 324
SNMP, 324
SSH, 324
SYSLOG, 324
TALK, 324
TCP, 324
TELNET, 324
TFTP, 324
TIMESTAMP, 324
UDP, 324
UUCP, 324
VDOLIVE, 324
viewing custom service list, 325
viewing list, 321
WAIS, 325
WINFRAME, 325
X-WINDOWS, 325
firmware
reverting to previous version, 83
upgrading to a new version, 82
viewing, 235
fixed port
firewall policy NAT option, 300
IP pool, 357
FortiAnalyzer, 40, 529
accessing logs, 541
configuring report schedules, 551
logging to, 529
printing reports, 554
VDOM, 96
FortiBridge, 40
FortiClient, 40
Host Security checking, 308
system maintenance, 230
viewing version, 236
FortiGate 4000, 109
FortiGate documentation
commenting on, 46
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
Index
FortiManager, 40
backup configuration, 231
restore configuration, 232
FortiManager Management Services
revision control, 238
Fortinet customer service, 46
Fortinet documentation, 44
Fortinet Family Products, 40
Fortinet Knowledge Center, 46
Fortinet MIB, 179, 182
FortiWiFi-50B
wireless settings, 150
FortiWiFi-60A
wireless settings, 150
FortiWiFi-60AM
wireless settings, 150
FortiWiFi-60B
wireless settings, 150
fragmentation threshold
wireless setting, 154, 156
FSAE
Directory Service server, 434
FSAE-related enhancements for 3.0 MR7, 21
FTP
service, 322
FTP_GET
service, 322
FTP_PUT
service, 322
fully qualified domain name (FQDN), 316
G
game
grayware category, 460
Geography, 154
geography
wireless setting, 151, 154
GOPHER
service, 322
graceful restart, 281
graphical user interface. See web-based manager
grayware
adware, 460
antivirus, 459
BHO, 460
dial, 460
download, 460
game, 460
hijacker, 460
joke, 460
keylog, 460
misc, 460
NMT, 460
P2P, 460
plugin, 461
RAT, 461
spy, 461
toolbar, 461
updating antivirus and attack definitions, 249
GRE, 272
service, 322
585
Index
group name
HA, 170
grouping services, 327
groups
user, 435
guaranteed bandwidth
firewall policy, 301
traffic shaping, 301
GUI. See web-based manager
H
H323
service, 322
HA, 167, 173
changing cluster unit host names, 173
cluster logging, 528
cluster member, 173
cluster members list, 171
configuring, 167
device priority, 169
disconnecting a cluster unit, 175
enable session pickup, 170
group name, 170
heartbeat interface, 171
host name, 173
interface monitoring, 170
mode, 169
out of band management, 109
password, 170
port monitor, 170
router monitor, 290
routes, 290
session pickup, 170
subordinate unit device priority, 174
subordinate unit host name, 174
VDOM partitioning, 171
viewing HA statistics, 173
HA statistics
active sessions, 174
back to HA monitor, 174
CPU usage, 174
intrusion detected, 174
memory usage, 174
monitor, 174
network utilization, 174
refresh every, 174
status, 174
total bytes, 174
total packets, 174
unit, 174
up time, 174
virus detected, 174
health check monitor
configuring, 355
heartbeat, HA
interface, 171
HELO DNS lookup
protection profile, 374
help
navigating using keyboard shortcuts, 55
searching the online help, 54
using FortiGate online help, 53
586
heuristics
antivirus, 461
quarantine, 461
high availability See HA, 167
hijacker
grayware category, 460
host name
changing, 80
changing for a cluster, 173
viewing, 80
hostname
cluster members list, 173
HTTP, 355
service, 322
virus scanning large files, 462
HTTPS, 47, 194
service, 322
hub-and-spoke
IPSec VPN (see also concentrator), 394
I
ICMP custom service, 326
code, 326
protocol type, 326
type, 326
ICMP echo request, 355
ICMP_ANY
service, 323
ID
firewall policy, 296
idle timeout
changing for the web-based manager, 51
IEEE 802.11a, channels, 148
IEEE 802.11b, channels, 149
IEEE 802.11g, channels, 150
IEEE 802.3ad, 116
IKE
service, 323
IM
adding user, 522
applying through protection profile, 378
configuring unknown users, 523
viewing current user list, 521
IM, P2P & VoIP, 515
IM/P2P/VoIP
viewing statistics, 518
viewing statistics by protocol, 520
viewing user list, 522
IMAP
service, 323
inbound NAT
IPSec firewall policy, 306
index
online help icon, 54
INFO_ADDRESS
service, 323
INFO_REQUEST
service, 323
insert policy before
firewall policy, 297
Index
IP pool
adding, 359
configuring, 359
creating new, 358
DHCP, 300
end IP, 358
fixed port, 357
interface, 359
IP range/subnet, 359, 360
list, 358
name, 359, 360
options, 359
PPPoE, 300
proxy ARP, 338
SIP, 386
start IP, 358
transparent mode, 361
IP range/subnet
firewall address, 318
IP pool, 359, 360
IPS
see intrusion protection
IPS sensor
filter, 472
options, protection profile, 375
IPSec, 272
IPSec firewall policy
allow inbound, 306
allow outbound, 306
inbound NAT, 306
outbound NAT, 306
IPSec Interface Mode
IPSec VPN, manual key, 406
IPSec VPN, phase 1, 399
IPSec VPN
adding manual key, 405
authentication for user group, 436
Auto Key list, 395
concentrator list, 407
configuring phase 1, 396
configuring phase 1 advanced options, 399
configuring phase 2, 401
configuring phase 2 advanced options, 401
configuring policy-, route-based Internet browsing,
407
Manual Key list, 404
monitor list, 409
remote gateway, 436
route-based vs policy-based, 394
IPv6, 217, 258
IRC
service, 323
ISP, 115
J
java applet filter
protection profile, 370
joke
grayware category, 460
587
Index
K
Keepalive Frequency
IPSec VPN, phase 1, 401
key
license, 254
wireless setting, 153, 155
keyboard shortcut
online help, 55
Keylife
IPSec VPN, phase 1, 400
IPSec VPN, phase 2, 403
keylog
grayware category, 460
Knowledge Center, 46
L
L2TP, 436
service, 323
language
changing the web-based manager language, 50
spam filter banned word, 504, 505
web content block, 484, 486
web-based manager, 50, 216
LDAP
configuring server, 426, 427
service, 323
SSL VPN, 307
user authentication, 423
LDAP Distinguished Name query, 429
LDAP server
authentication, 197
configuring authentication, 199
license key, 254
licenses
viewing, 70
limit (P2P)
protection profile, 378
lists
using web-based manager, 57
588
local certificates
options, 221
viewing, 219
Local Gateway IP
IPSec VPN, phase 1, 399
Local ID
IPSec VPN, phase 1, 400
Local Interface
IPSec VPN, manual key, 406
IPSec VPN, phase 1, 397
local PC
backup configuration, 231
restore configuration, 232
local ratings
configuring, 496
local ratings list
viewing, 495
Local SPI
IPSec VPN, manual key, 405
local user, 422
local user account
configuring, 423
log
attack anomaly, 538
attack signature, 538
column settings, 543
messages, 542
raw or formatted, 543
to FortiAnalyzer, 529
traffic, firewall policy, 301, 304
log messages
viewing, 542
log traffic
firewall policy, 301, 304
log types, 535
antivirus, 537
attack, 538
event, 536
IM, P2P, 538
spam filter, 538
traffic, 535
VOIP, 539
web filter, 537
Index
logging, 540
accessing logs in memory, 540
accessing logs on FortiAnalyzer unit, 541
accessing logs on FortiGuard Analysis server, 542
ActiveX filter, 380
alert email, configuring, 547
applying through protection profile, 380
basic traffic reports, 549
blocked files, 380
browsing log messages, 542
cluster, HA, 528
configuring content archive, 546
configuring FortiAnalyzer report schedules, 551
configuring graphical system memory report, 550
connecting using automatic discovery, 530
content archive, 545
content block, 380
cookie filter, 380
customizing display of log messages, 543
FortiGuard Analysis server, 532
IM activity, 381
intrusions, 381
java applet filter, 380
log severity levels, 527
log types, 535
oversized files/emails, 380
P2P activity, 381
printing FortiAnalyzer reports, 554
rating errors, 381
reports, 549
searching, filtering logs, 545
SIP, 389
spam, 381
storing logs, 528
testing FortiAnalyzer configuration, 531
to a FortiAnalyzer unit, 529
to memory, 533
to syslog server, 533
to WebTrends, 534
URL block, 380
viewing content archives, 546
viewing raw or formatted logs, 543
viruses, 380
web site, FortiGuard Analysis Service, 527
logging out
web-based manager, 56
loopback interface, 109, 258
lost password
recovering, 49, 197, 206, 207
low disk space
quarantine, 458
M
MAC address
filtering, 156
wireless setting, 154
MAC filter
configuring FortiWiFi-60, 157
wireless, 156
MAC filter list
configuring, 156
viewing, 156
management VDOM, 102, 106
FortiGate Version 3.0 MR7 Administration Guide
01-30007-0203-20090112
Manual Key
IPSec VPN, 404
map to IP
virtual IP, 337
map to port
virtual IP, 337, 339
matched content, 356
matching
firewall policy, 293
max filesize to quarantine
quarantine, 458
maximum bandwidth, 301
firewall policy, 301
traffic shaping, 301
MD5
OSPF authentication, 279, 280
Members
IPSec VPN, concentrator, 408
memory usage
HA statistics, 174
menu
web-based manager menu, 57
messages, log, 542
MGCP
service, 323
mheader, 510
MIB, 182
FortiGate, 179
RFC 1213, 179
RFC 2665, 179
misc
grayware category, 460
Mode
IPSec VPN, phase 1, 397
mode
HA, 169
modem
adding firewall policies, 134
backup mode, 132
connecting and disconnecting to dialup account,
134
redundant (backup) mode, 129
standalone mode, 129, 133
viewing status, 134
modem interface
configuring, 129
monitor
administrator logins, 216
HA statistics, 174
IPSec VPN, 409
routing, 289
moving a firewall policy, 294
MS-CHAP, 425
MS-CHAP-V2, 425
MTU size, 114, 125
multicast, 283
multicast destination NAT, 285
multicast policy, 295
multicast settings
overriding, 285
viewing, 284
Multi-Exit Discriminator (MED), 281
589
Index
590
Name
IP pool, 359, 360
IPSec VPN, manual key, 405
IPSec VPN, phase 1, 397
IPSec VPN, phase 2, 401
NAT
in transparent mode, 361
inbound, IPSec firewall policy, 306
multicast, 285
outbound, IPSec firewall policy, 306
preserving SIP NAT IP, 391
push update, 251
SIP, 385
symmetric, 336
NAT virtual IP
adding for single IP address, 341
adding static NAT virtual IP for IP address range,
343
Nat-traversal
IPSec VPN, phase 1, 400
netmask
administrator account, 206, 207
NetMeeting
service, 323
network
topology viewer, 90
network address translation (NAT), 334
network utilization
HA statistics, 174
next
online help icon, 53
NFS
service, 323
NMT
grayware category, 460
NNTP
service, 323
not registered
subscription, 245
Not-so-stubby Area (NSSA), 278
not-so-stubby area (NSSA), 290
Novel edirectory, 433
NTP
service, 323
online help
content pane, 53
keyboard shortcuts, 55
navigation pane, 54
search, 54
using FortiGate online help, 53
operation mode, 193
wireless setting, 151, 154
operational history
viewing, 84
optimize
antivirus, 461
OSPF
area ID, 279
AS, 276
authentication, 279, 280
Dead Interval, 281
dead packets, 281
GRE, 280
Hello Interval, 281
Hello protocol, 273
interface definition, 279
IPSec, 280
link-state, 273
LSA, 280
multiple interface parameter sets, 280
neighbor, 273
network, 276
network address space, 280
NSSA, 278, 290
path cost, 273
regular area, 278
service, 323
settings, 274
stub, 278
virtual lan, 279
virtual link, 278
VLAN, 280
OSPF AS, 273
defining, 274
out of band, 109
outbound NAT
IPSec firewall policy, 306
override server
adding, 250
oversized file/email
protection profile, 369
P1 Proposal
IPSec phase 1, 399
P2 Proposal
IPSec VPN, phase 2, 402
P2P, 378
grayware category, 460
supported protocols list, 516
packets
VDOM, 96
page controls
web-based manager, 61
PAP, 425
Index
policy
action, 296
adding, 297
allow inbound, 306
allow outbound, 306
authentication, 301, 302, 303
changing the position in the policy list, 294
comments, 302
configuring, 297
creating new, 296
deleting, 294
destination, 296
differentiated services, 308
DiffServ, 308
example, 308
fixed port NAT option, 300
FortiClient checking, 308
guaranteed bandwidth, 301
ID, 296
inbound NAT, 306
insert policy before, 297
list, 295
log traffic, 301, 304
matching, 293
maximum bandwidth, 301
move, 294
multicast, 295
outbound NAT, 306
protection profile, 300
schedule, 296, 299, 304
service, 296, 300
source, 296
SSL VPN options, 307
traffic shaping, 301, 304
policy route
moving in list, 265
policy-based routing, 263
POP3
service, 323
port 53, 247
port 8888, 247
port 9443, 251
port address translation
virtual IPs, 334
port forwarding, 334
port monitor
HA, 170
PPPoE
and IP Pools, 300
PPPoE (Point-to-Point Protocol over Ethernet)
configuring ADSL interface, 115
RFC 2516, 120
PPTP, 411, 436
service, 323
PPTP range
defining addresses, 411
predefined services, 321
predefined signature
default action, 466
list, 465
Pre-shared Key
IPSec VPN, phase 1, 397
591
Index
pre-shared key
wireless setting, 153, 155
previous
online help icon, 53
print
online help icon, 53
priority
cluster members, 173
private key
importing, 223, 224
product registration, 52
products, family, 40
profile
category block reports, 498
proposal
IPSec phase 1, 399
IPSec VPN, phase 2, 402
protection profile
action (P2P), 378
ActiveX, 370
add signature to outgoing email, 369
adding to a firewall policy, 381
allow web sites when a rating error occurs, 371
antivirus options, 367
append tag format, 375
append tag to location, 374
archive content meta-information, 376, 377
banned word check, 374
block audio (IM), 378
block file transfers (IM), 378
block login (IM), 378
category, 372
comfort clients, 369
configuring IM/P2P/VoIP, 518
content archive options, 375
cookie filter, 370
default protection profiles, 366
display content meta-information on dashboard,
376
DoS sensor, 375
email address BWL check, 374
enable FortiGuard Web Filtering, 371
enable FortiGuard Web Filtering overrides, 371
file block, 368
firewall policy, 300
FortiGuard Antispam IP address check, 373
FortiGuard email checksum check, 373
HELO DNS lookup, 374
inspect non-standard port (IM), 378
IP address BWL check, 374
IPS sensor, 375
IPS sensor options, 375
java applet filter, 370
limit (P2P), 378
list, 366
logging, ActiveX filter, 380
logging, blocked files, 380
logging, content block, 380
logging, cookie filter, 380
logging, IM activity, 381
logging, intrusions, 381
logging, java applet filter, 380
592
Index
Q
QoS, 308
QUAKE
service, 324
quality of service, 308
quarantine
age limit, 458
antivirus, 454
autosubmit list, 456
autosubmit list file pattern, 456
configuring, 457
configuring the autosubmit list, 457
enable AutoSubmit, 458
enabling uploading autosubmit file patterns, 457
heuristics, 461
low disk space, 458
max filesize to quarantine, 458
options, 458
protection profile, 369
quarantine files list
antivirus, 455
apply, 455
date, 455
DC, 456
download, 456
duplicates, 456
file name, 455
filter, 455
service, 456
sorting, 455
status, 456
status description, 456
TTL, 456
upload status, 456
query, 429
Quick Mode Selector
IPSec VPN, phase 2, 403
R
RADIUS
configuring server, 425
servers, 424
SSL VPN, 307
user authentication, 423
viewing server list, 424
WPA Radius, 153
RADIUS server
authentication, 197, 198
wireless setting, 153
RADIUS server name
wireless setting, 155
range
web category reports, 498
RAT
grayware category, 461
rate images by URL
protection profile, 371
rate limiting
SCCP, 379
SIMPLE, 378, 379
SIP, 379, 388
593
Index
594
RSH
firewall service, 324
RTP, 385
pinholing, 390
RTS threshold
wireless setting, 154, 156
S
SAMBA
service, 324
scan
default protection profile, 366
SCCP
DoS sensor, 379
firewall service, 324
protection profile, 379
rate limiting, 379
schedule
antivirus and attack definition updates, 249
firewall policy, 296, 299, 304
one-time schedule list, 330
recurring schedule list, 329
scheduled updates
through a proxy server, 250
screen resolution
minimum recommended, 47
search
online help, 54
online help icon, 54
online help wildcard, 55
searching
routing table, 291
security
MAC address filtering, 156
security certificates. See system certificates
security mode
wireless setting, 153, 155
select
recurring schedule, 330
sensor
DoS, 475
IPS, 469
separate server certificates
importing, 224
server
DHCP, 161
log WebTrends setting, 534
server certificate, 415
server certificates
importing, 223, 224
server health, 356
server load balance port forwarding virtual IP
adding, 350
server load balance virtual IP
adding, 348
Index
service
AH, 322
ANY, 322
AOL, 322
BGP, 322
custom service list, 325
DCE-RPC, 322
DHCP, 162, 322
DNS, 322
ESP, 322
FINGER, 322
firewall policy, 296, 300
FTP, 322
FTP_GET, 322
FTP_PUT, 322
GOPHER, 322
GRE, 322
group, 327
H323, 322
HTTPS, 322
ICMP_ANY, 323
IKE, 323
IMAP, 323
INFO_ADDRESS, 323
INFO_REQUEST, 323
Internet-Locator-Service, 323
IRC, 323
L2TP, 323
LDAP, 323
MGCP, 323
NetMeeting, 323
NFS, 323
NNTP, 323
NTP, 323
organizing services into groups, 328
OSPF, 323
PC-Anywhere, 323
PING, 323
PING6, 323
POP3, 323
PPTP, 323
predefined, 321
QUAKE, 324
quarantine files list, 456
RAUDIO, 324
REXEC, 324
RIP, 324
RLOGIN, 324
RSH, 324
SAMBA, 324
SCCP, 324
service name, 322
SIP, 324
SIP-MSNmessenger, 324
SMTP, 324
SNMP, 324
SSH, 324
SYSLOG, 324
TALK, 324
TCP, 324
TELNET, 324
TFTP, 324
TIMESTAMP, 324
UDP, 324
UUCP, 324
VDOLIVE, 324
WAIS, 325
WINFRAME, 325
X-WINDOWS, 325
service group, 327
adding, 327, 328
create new, 327
list, 327
service port
virtual IP, 337
service set identifier (SSID), 107
Session Initiation Protocol for Instant Messaging and
Presence Leveraging Extensions. See SIMPLE
Session Initiation Protocol. See SIP
session list
viewing, 85
session pickup
HA, 170
settings, 152
administrators, 215
Shortest Path First (SPF), 273
show in contents
online help icon, 54
show navigation
online help icon, 53
signatures
custom, intrusion protection signatures, 467
SIMPLE
protection profile, 378, 379
rate limiting, 378, 379
SIP, 383
accepting register response, 392
ALG, 385
application level gateway, 385
archiving communication, 390
blocking requests, 390
configuring, 388
configuring advanced features, 389
controlling client connection, 391
controlling the SIP ALG, 392
destination NAT, 385
different source and destination NAT for SIP and
RTP, 387
DoS sensor, 379
dummy firewall policy, 387
enabling, 388
logging, 389
NAT, 385
NAT with dynamic IP pool, 386
operating modes, 383
preserving NAT IP, 391
protection profile, 379, 389
proxy, 383
rate limiting, 379, 388
redirect, 383
RTP pinholing, 390
service, 324
source NAT, 385
support workflow, 388
triggering firewall policy, 387
turning on tracking, 389
viewing statistics, 389
595
Index
VoIP, 383
SIP requests, 390
SIP support workflow, 388
SIP-MSNmessenger
service, 324
Skinny Call Control Protocol. See SCCP
SMTP
service, 324
user, 548
SNAT
virtual IPs, 335
SNMP
configuring community, 177
contact information, 176
event, 178
manager, 176, 177
MIB, 182
MIBs, 179
queries, 178
RFC 12123, 179
RFC 1215, 180
RFC 2665, 179
service, 324
traps, 178, 180
SNMP Agent, 176
SNMP communities, 176
socket-size, CLI command for IPS, 478
software switch, 113
sorting
quarantine files list, 455
URL filter list, 491
source
firewall policy, 296, 299
source IP address
system status, 86
source IP port
system status, 86
source NAT
SIP, 385
source port, 326
spam action
protection profile, 374
spam filter, 499
adding an email address or domain to the email
address list, 510
adding words to the banned word list, 504
banned word list, 503
email address list, 509
IP address, 505
IP address list, 506
Perl regular expressions, 511
spam filtering options
protection profile, 373
splice, 368
spy
grayware category, 461
SSH, 194
service, 324
SSID
wireless setting, 153, 155
SSID broadcast
wireless setting, 153, 155
596
SSL
service definition, 322
SSL VPN
bookmark, 416
bookmark group, 418
checking client certificates, 415
configuring settings, 414
firewall policy, 307
monitoring sessions, 416
setting the cipher suite, 415
specifying server certificate, 415
specifying timeout values, 415
terminating sessions, 416
tunnel IP range, 415
web-only mode, 413
SSL VPN Client Certificate, 307
SSL VPN login message, 192
SSL VPN user group
configuring advanced options, 442
standalone mode
modem, 129, 133
start
IP pool, 358
one-time schedule, 331
recurring schedule, 330
static IP
monitor, 409
static NAT port forwarding
adding for IP address and port range, 346
adding for single address and port, 344
static route
adding, 138, 262
adding policy, 264
administrative distance, 256
concepts, 255
creating, 258
default gateway, 259
default route, 259
editing, 258
moving in list, 265
overview, 255
policy, 263
policy list, 263
selecting, 256
table building, 256
table priority, 257
table sequence, 257
viewing, 258
viewing in transparent mode, 137
statistics
viewing, 85
viewing HA statistics, 173
status
HA statistics, 174
interface, 109
log WebTrends setting, 534
quarantine files list, 456
status description
quarantine files list, 456
stop
one-time schedule, 331
recurring schedule, 330
streaming mode, 368
Index
strict
default protection profile, 366
strict blocking (HTTP only)
protection profile, 372
stub
OSPF area, 278
subnet
adding object, 92
firewall address, 318
subscription
expired, 245
not registered, 245
valid license, 245
superadministrator, 195
support
Fortinet technical support, 46
switch mode, 111
sync interval, 80
SYSLOG
service, 324
system administrators, 195
system certificate
FortiGate unit self-signed security certificate, 49
system certificates, 219
CA, 226
CRL, 227
importing, 223
OCSP, 225
requesting, 221, 222
viewing, 219
system configuration, 167
backup, 231
system DHCP see also DHCP, 161
system global av_failopen
antivirus, 461
system global optimize
antivirus, 461
system idle timeout, 194
system information
viewing, 69
system maintenance
advanced, 237
backup and restore, 231
creating scripts, 240
enabling push updates, 250
firmware, 235
firmware upgrade, 236
FortiClient, 236
managing configuration, 229
push update through a NAT device, 251
remote FortiManager options, 233
remote management options, 234
revision control, 238
scripts, 240
updating antivirus and attack definitions, 249
uploading scripts, 241
USB disks, 238
VDOM, 230
system resources
viewing, 74
system status
viewing, 67
T
TACACS+
configuring server, 429, 430
user authentication, 423
TACACS+ server
authentication, 197, 201
tag format
protection profile, 375
tag location
protection profile, 374
TALK
service, 324
TCP, 355
service, 324
TCP custom service, 326
adding, 325
destination port, 326
protocol type, 326
source port, 326
technical support, 46
TELNET
service, 324
TFTP
service, 324
time
configuring, 80
timeout values
specifying for SSL VPN, 415
TIMESTAMP
service, 324
toolbar
grayware category, 461
top attacks
viewing, 78
top sessions
viewing, 77
top viruses
viewing, 78
topology viewer, 90
total bytes
HA statistics, 174
total packets
HA statistics, 174
tracking
SIP, 389
traffic history
viewing, 79
traffic reports
viewing, 549
traffic shaping
firewall policy, 301, 304
guaranteed bandwidth, 301
maximum bandwidth, 301
597
Index
transparent mode
IP pools, 361
NAT, 361
VDOMs, 96
VIP, 361
virtual IP, 361
VLAN, 143
traps
SNMP, 180
trigging policy
SIP, 387
troubleshooting
FDN connectivity, 248
trusted host
administrator account, 207
administrators options, 206
security issues, 207
TTL
quarantine files list, 456
tunnel IP range
SSL VPN, 415
tunnel mode
SSL VPN, SSL VPN
tunnel mode, 413
Tunnel Name
IPSec VPN, manual key, 404
Tx Power
wireless setting, 151, 155
type, 326
virtual IP, 338
U
UDP custom service, 326
adding, 325
destination port, 326
protocol type, 326
source port, 326
UDP service, 324
unfiltered
default protection profile, 366
unit
HA statistics, 174
unit operation
viewing, 72
up time
HA statistics, 174
update
push, 250
upgrading
3.0 MR1 to 3.0 MR2 (and higher) using the CLI, 567
3.0 MR1 to 3.0 MR2 (and higher) using web-based
manager, 567
3.0 using the CLI, 559
3.0 using web-based manager, 559
backing up using the CLI, 2.80 MR11, 556
firmware, 82
FortiGate unit to 3.0, 558
using the web-based manager, 559
using web-based manager, 2.80 MR11, 556
598
upload status
quarantine files list, 456
URL block
adding a URL to the web filter block list, 489
configuring overrides, 493
local categories, 495
web filter, 487
URL filter
adding new list, 488
catalog, 487
sorting in list, 491
viewing list, 488
URL formats, 490
USB disk, 231
auto-install, 238
backup and restore configuration, 229
backup configuration, 231
formatting, 238
restore configuration, 232
system maintenance, 238
user authentication
LDAP, SSL VPN, 307
local, SSL VPN, 307
overview, 421
PKI, 431
RADIUS, SSL VPN, 307
remote, 423
user group
configuring, 438
user groups
configuring, 435
Directory Service, 437
firewall, 436
SSL VPN, 437
viewing, 438
UUCP
service, 324
V
valid license, 245
VDOLIVE
service, 324
VDOM
adding interface, 103
assigning administrator, 105
assigning interface, 104
configuration settings, 97
enabling multiple VDOMs, 100
FortiAnalyzer, 96
inter-VDOM links, 103
license key, 254
management VDOM, 102
NAT/Route, 96
packets, 96
system maintenance, 230
transparent mode, 96
VDOM partitioning
HA, 171
verifying
downgrade to 2.80 MR11, 563
upgrade to 3.0, 560
Index
viewing
access profiles list, 210
address group list, 318
administrators, 216
administrators list, 204
Alert Message Console, 74
antispam email address list catalog, 508
antispam IP address list, 506
antispam IP address list catalog, 505
antivirus file filter list, 453
antivirus file pattern list catalog, 452
antivirus list, 458
antivirus quarantined files list, 455
autosubmit list, 456
banned word list, 503
banned word list catalog, 502
BGP settings, 282
CA certificates, 226
certificates, 219
cluster members list, 171
content archive, 87
content archives, 546
CRL (Certificate Revocation List), 227
current IM user list, 521
custom service list, firewall service, 325
custom signatures, 467
DHCP address leases, 165
DoS sensor list, 475
firewall policy list, 295
firewall service group list, 327
firewall service list, 321
firmware, 235
FortiAnalyzer reports, 553
FortiClient version, 236
FortiGuard support contract, 244
grayware list, 459
HA statistics, 173
hostname, 80
IM/P2P/VoIP statistics, 518
IM/P2P/VoIP statistics by protocol, 520
IM/P2P/VoIP user list, 522
IP pool list, 358
IPS sensor list, 469
IPS sensor options, 375
IPSec VPN auto key list, 395
IPSec VPN concentrator list, 407
IPSec VPN manual key list, 404
IPSec VPN monitor list, 409
LDAP server list, 426
licenses, 70
local ratings list, 495
log messages, 542
modem status, 134
multicast settings, 284
one-time schedule list, 330
operational history, 84
protection profile list, 366
protocol decoder list, 468
RADIUS server list, 424
recurring schedule list, 329
remote certificates, 224
revision control, 238
RIP settings, 268
routing information, 289
session list, 85
SIP statistics, 389
SSL VPN bookmark groups, 418
SSL VPN bookmarks, 416
SSL VPN sessions, 416
static route, 258
static route (transparent mode), 137
statistics, 85
system information, 69
system resources, 74
system status, 67
system topology, 90
TACACS+ server, 429
top attacks, 78
top sessions, 77
top viruses, 78
traffic history, 79
traffic reports, 549
unit operation, 72
URL filter list, 488
URL filter list catalog, 487
URL override list, 492
user group list, 438
VIP group list, 354
virtual IP group list, 354
virtual IP list, 337
virtual IP pool list, 358
web content block list, 483
web content block list catalog, 482
web content exempt list, 486
web content exempt list catalog, 485
wireless monitor, 159
viewport, 90
VIP
transparent mode, 361
VIP group
configuring, 354
Virtual Circuit Identification (VCI), 116
Virtual IP
transparent mode, 361
virtual IP, 338
configuring, 338
create new, 337, 354
destination network address translation (DNAT),
335, 336
external interface, 338
external IP address, 338
external service port, 339
health check monitor, 355
IP, 337
list, 337
map to IP, 337
map to port, 337, 339
NAT, 334
PAT, 334
port address translation, 334
protocol, 339
server down, 356
service port, 337
SNAT, 335
source network address translation, 335
type, 338
virtual IP group
configuring, 354
599
Index
W
WAIS
service, 325
web
default protection profile, 366
web category block
changing the host name, 497
CLI configuration, 497
configuration options, 492
report allowed, 498
report blocked, 498
report category, 498
report profiles, 498
report range, 498
report type, 498
reports, 497
600
Index
wireless
adding advanced settings, 155
adding settings for WiFi-60, 154
band, 151
beacon interval, 151, 155
channel, 151
channel, FortiWiFi-60, 154
configuration, 147
data encryption, 153
fragmentation threshold, 154, 156
geography, 151, 154
interface, 147
key, 153, 155
MAC address, 154
MAC filter, 156
operation mode, 151, 154
pre-shared key, 153, 155
RADIUS server, 153
RADIUS server name, 155
RTS threshold, 154, 156
security, 153, 155
security mode, 153, 155
settings FortiWiFi-50B, 150
settings FortiWiFi-60A, 150
settings FortiWiFi-60AM, 150
settings FortiWiFi-60B, 150
SSID, 153, 155
SSID broadcast, 153, 155
Tx power, 151, 155
viewing monitor, 159
WLAN
interface, 147
interface, creating on WiFi-60, 154
WLAN interface
adding to a FortiWiFi-50B, 152
adding to a FortiWiFi-60A, 152
adding to a FortiWiFi-60AM, 152
adding to a FortiWiFi-60B, 152
WPA, 147, 153, 155
WPA Radius
wireless security, 153
WPA2, 147, 153
WPA2 Auto, 147, 153
WPA2 Radius
wireless security, 153
X
X.509 security certificates. See system certificates
XAuth
IPSec VPN, phase 1, 400
X-WINDOWS
service, 325
Z
zones
configuring, 128
601
Index
602
www.fortinet.com
www.fortinet.com