FortiGate Administration Guide 01-400-89802-20090424 PDF
Version 4.0
Administration Guide
Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction ............................................................................................ 21
Fortinet products .......................................................................................................... 21
About this document .................................................................................................... 21
Document conventions ................................................................................................ 24
IP addresses............................................................................................................. 24
CLI constraints.......................................................................................................... 24
Cautions, Notes and Tips ......................................................................................... 24
Typographical conventions ....................................................................................... 25
Registering your Fortinet product............................................................................... 25
Customer service and technical support.................................................................... 25
Training .......................................................................................................................... 26
Fortinet documentation ............................................................................................... 26
Tools and Documentation CD................................................................................... 26
Fortinet Knowledge Center ...................................................................................... 26
Comments on Fortinet technical documentation ..................................................... 26
Antispam............................................................................................... 495
Antispam...................................................................................................................... 495
Order of spam filtering ............................................................................................ 495
Anti-spam filter controls .......................................................................................... 496
Banned word ............................................................................................................... 498
Viewing the banned word list catalog ..................................................................... 498
Creating a new banned word list ............................................................................ 499
Viewing the antispam banned word list .................................................................. 499
Adding words to the banned word list..................................................................... 500
IP address and email address black/white lists ....................................................... 501
Viewing the antispam IP address list catalog ......................................................... 501
Creating a new antispam IP address list ................................................................ 501
Viewing the antispam IP address list ...................................................................... 502
Adding an antispam IP address.............................................................................. 503
Viewing the antispam email address list catalog .................................................... 503
Creating a new antispam email address list ........................................................... 504
Viewing the antispam email address list................................................................. 504
Configuring the antispam email address list ........................................................... 505
Options......................................................................................................................... 590
Monitor ......................................................................................................................... 591
Firewall user monitor list ......................................................................................... 591
IPSEC monitor list................................................................................................... 592
SSL VPN monitor list .............................................................................................. 593
IM user monitor list ................................................................................................. 594
NAC quarantine and the Banned User list................................................................ 595
NAC quarantine and DLP ....................................................................................... 595
NAC quarantine and DLP replacement messages ................................................. 595
Configuring NAC quarantine................................................................................... 596
The Banned User list .............................................................................................. 596
Index...................................................................................................... 679
Introduction
Ranging from the FortiGate-50 series for small businesses to the FortiGate-5000 series
for large enterprises, service providers and carriers, the FortiGate line combines the
FortiOS security operating system with FortiASIC processors and other hardware to
provide a high-performance array of security and networking functions including:
firewall, VPN, and traffic shaping
Intrusion Prevention system (IPS)
antivirus/antispyware/antimalware
web filtering
antispam
application control (for example, IM and P2P)
VoIP support (H.323, SIP, and SCCP)
Layer 2/3 routing
multiple redundant WAN interface options
FortiGate appliances provide cost-effective, comprehensive protection against network,
content, and application-level threats, including complex attacks favored by
cybercriminals, without degrading network availability and uptime. FortiGate platforms
include sophisticated networking features, such as high availability (active/active,
active/passive) for maximum network uptime, and virtual domain capabilities to separate
various networks requiring different security policies.
This chapter contains the following sections:
Fortinet products
About this document
Document conventions
Registering your Fortinet product
Customer service and technical support
Fortinet documentation
Fortinet products
Fortinet's portfolio of security gateways and complementary products offers a powerful
blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly
updated, in-depth threat intelligence. This unique combination delivers network, content,
and application security for enterprises of all sizes, managed service providers, and
telecommunications carriers, while providing a flexible, scalable path for expansion. For
more information on the Fortinet product family, go to www.fortinet.com/products.
About this document
This section of the guide briefly explains the structure of the guide and gives an
overview of each chapter.
The administration guide describes web-based manager functions in the same order as
the web-based manager (or GUI) menu. The document begins with several chapters that
provide an overview to help you start using the product: the FortiGate web-based
manager, System Status, Managing Firmware, and Using virtual domains. Following
these chapters, each item in the System, Router, Firewall, UTM, and VPN menus gets a
separate chapter. Then User, WAN optimization, Endpoint Control, and Log&Report are
all described in single chapters. The document concludes with a detailed index.
VDOM and Global icons appear in this administration guide to indicate that a chapter or
section is part of either the VDOM or Global configuration. VDOM and Global
configuration settings apply only to a FortiGate unit operating with virtual domains
enabled. No distinction is made between these configuration settings when virtual
domains are not enabled.
The most recent version of this document is available from the FortiGate page of the
Fortinet Technical Documentation web site. The information in this document is also
available in a slightly different form as FortiGate web-based manager online help.
You can also find more information about FortiOS from the same FortiGate page, as well
as from the Fortinet Knowledge Center.
This administration guide contains the following chapters:
What's new in FortiOS 4.0 lists and describes some of the new features and changes
in FortiOS Version 4.0.
Web-based manager introduces the features of the FortiGate web-based manager,
and explains how to connect to it. It also includes information about how to use the
web-based manager online help.
System Status describes the System Status page, the dashboard of your FortiGate
unit. At a glance you can view the current system status of the FortiGate unit including
serial number, uptime, FortiGuard license information, system resource usage, alert
messages and network statistics. You can also access the CLI from this page. This
section also describes status changes that you can make, including changing the unit
firmware, host name, and system time. Finally this section describes the topology
viewer that is available on all FortiGate models except those with model numbers 50
and 60.
Managing firmware versions describes upgrading and managing firmware versions.
You should review this section before upgrading your FortiGate firmware because it
contains important information about how to properly back up your current
configuration settings and what to do if the upgrade is unsuccessful.
Using virtual domains describes how to use virtual domains to operate your FortiGate
unit as multiple virtual FortiGate units, which effectively provides multiple separate
firewall and routing services to multiple networks.
System Network explains how to configure physical and virtual interfaces and DNS
settings on the FortiGate unit.
System Wireless describes how to configure the Wireless LAN interface on a
FortiWiFi-60 unit.
System DHCP explains how to configure a FortiGate interface as a DHCP server or
DHCP relay agent.
System Config contains procedures for configuring HA and virtual clustering,
configuring SNMP and replacement messages, and changing the operation mode.
System Admin guides you through adding and editing administrator accounts, defining
admin profiles for administrators, configuring central management using the
FortiGuard Analysis and Management Service or FortiManager, defining general
administrative settings such as language, timeouts, and web administration ports.
System Certificates explains how to manage X.509 security certificates used by
various FortiGate features such as IPSec VPN and administrator authentication.
System Maintenance details how to back up and restore the system configuration
using a management computer or a USB disk, use revision control, enable FortiGuard
services and FortiGuard Distribution Network (FDN) updates, and enter a license key
to increase the maximum number of virtual domains.
Router Static explains how to define static routes and create route policies. A static
route causes packets to be forwarded to a destination other than the factory configured
default gateway.
Router Dynamic explains how to configure dynamic protocols to route traffic through
large or complex networks.
Router Monitor explains how to interpret the Routing Monitor list. The list displays the
entries in the FortiGate routing table.
Firewall Policy describes how to add firewall policies to control connections and traffic
between FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall Address describes how to configure addresses and address groups for firewall
policies.
Firewall Service describes available services and how to configure service groups for
firewall policies.
Firewall Schedule describes how to configure one-time and recurring schedules for
firewall policies.
Traffic Shaping describes how to create traffic shaping instances and add them to
firewall policies.
Firewall Virtual IP describes how to configure and use virtual IP addresses and IP
pools.
Firewall Load Balance describes how to use FortiGuard load balancing to intercept
incoming traffic and balance it across available servers.
Firewall Protection Profile describes how to configure protection profiles for firewall
policies.
SIP support includes some high-level information about VoIP and SIP and describes
how FortiOS SIP support works and how to configure the key SIP features.
AntiVirus explains how to enable antivirus options when you create a firewall protection
profile.
Intrusion Protection explains how to configure IPS options when a firewall protection
profile is created.
Web Filter explains how to configure web filter options when a firewall protection profile
is created.
Antispam explains how to configure spam filter options when a firewall protection
profile is created.
Data Leak Prevention explains how to use FortiGate data leak prevention to prevent
sensitive data from leaving your network.
Application Control describes how to configure the application control options
associated with firewall protection profiles.
IPSec VPN provides information about the tunnel-mode and route-based (interface
mode) Internet Protocol Security (IPSec) VPN options available through the web-
based manager.
PPTP VPN explains how to use the web-based manager to specify a range of IP
addresses for PPTP clients.
SSL VPN provides information about basic SSL VPN settings.
User describes how to control access to network resources through user
authentication.
WAN optimization and web caching describes how to use FortiGate units to improve
performance and security of traffic passing between locations on your wide area
network (WAN) or over the Internet by applying WAN optimization and web caching.
Endpoint control describes how to use FortiGate end point control to enforce the use of
FortiClient End Point Security (Enterprise Edition) in your network.
Log&Report describes how to enable logging, view log files, and view the basic reports
available through the web-based manager.
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
CLI constraints
CLI constraints, such as <address_ipv4>, indicate which data types or string patterns
are acceptable input for a given parameter or variable value. CLI constraint conventions
are described in the CLI Reference document for each product.
Cautions, Notes and Tips
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results, including loss of data or damage to equipment.
Note: Also presents useful information, but usually focused on an alternative, optional
method, such as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation
Convention: Example

Button, menu, text box, field, or check box label:
  From Minimum log level, select Notification.
Keyboard entry:
  Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation:
  Go to VPN > IPSEC > Auto Key (IKE).
Emphasis:
  HTTP connections are not secure and can be intercepted by a third party.
CLI input:
  config system dns
      set primary <address_ipv4>
  end
CLI output:
  FGT-602803030703 # get system settings
  comments : (null)
  opmode : nat
File content:
  <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
  <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink:
  Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Publication:
  For details, see the FortiGate Administration Guide.
VDOM icon:
  The chapter or section contains VDOM configuration settings, see VDOM
  configuration settings on page 104.
Global icon:
  The chapter or section contains Global configuration settings, see Global
  configuration settings on page 107.
Training
Fortinet Training Services provides classes that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email them at
training@fortinet.com.
Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.
Table 2 shows the FortiGate models that support some of the major new FortiOS 4.0
features. All other new FortiOS 4.0 features are available on all models except for the
FortiGate-30 model which supports a reduced feature set.
Table 2: New FortiOS 4.0 feature support
Application Control
The new Application Control UTM feature allows your FortiGate unit to detect and take
action against network traffic depending on the application generating the traffic. Based on
FortiGate Intrusion Protection protocol decoders, application control is a more user-
friendly and powerful way to use Intrusion Protection features to log and manage the
behavior of application traffic passing through the FortiGate unit. Application control uses
IPS protocol decoders that can analyze network traffic to detect application traffic even if
the traffic uses non-standard ports or protocols.
The FortiGate unit can recognize the network traffic generated by more than 70
applications. You can create application control lists that specify what action will be taken
with the traffic of the applications you need to manage. You specify the application control
list in the protection profile applied to the network traffic you need to monitor. You can also
create multiple application control lists, each tailored to a particular network, for example.
For more information, see Application Control on page 523.
3600A
3810A
5005FA2
5001A.
For more information, see SSL content scanning and inspection on page 399.
WAN Optimization
You can use the new FortiGate WAN Optimization feature to improve performance and
security across a WAN by applying a number of related techniques, including protocol and
application-based data compression and optimization, data deduplication (a technique that
reduces how often the same data is transmitted across the WAN), web caching, secure
tunneling, and SSL acceleration.
For more information, see WAN optimization and web caching on page 599.
Endpoint control
The new Endpoint Compliance feature (also called endpoint control) replaces the FortiOS
3.0 Check FortiClient Installed and Running firewall options. You can enforce the use of
FortiClient End Point Security (Enterprise Edition) in your network and ensure that clients
have both the most recent version of the FortiClient software and the most up-to-date
antivirus signatures.
The FortiGate unit retrieves FortiClient software and antivirus updates from the FortiGuard
Distribution Network. If the FortiGate unit contains a hard disk drive, these files are cached
to more efficiently serve downloads to multiple end points. Go to Endpoint Control >
FortiClient to see the software and antivirus signature versions that the endpoint control
feature enforces.
The Endpoint Compliance feature also provides monitoring. The FortiGate unit gathers
information from client PCs when they use a firewall policy with the Enable Endpoint
Compliance Check option enabled.
For more information, see Endpoint control on page 641 and Endpoint Compliance
Check options on page 336.
IPS extensions
FortiOS 4.0 includes the following new IPS features:
DoS policies for applying IPS sensors
NAC quarantine in DoS Sensors
Adding IPS sensors to a DoS policy from the CLI
One-arm IDS (sniffer mode)
IPS interface policies for IPv6
IPS Packet Logging
[Figure: one-arm IDS (sniffer mode) topology. Callouts: Internet, SPAN port, hub or
switch, internal network.]
To enable sniffer mode on a FortiGate unit port5 interface, enter the following CLI
commands:
config system interface
edit port5
WCCP v2 support
You can now use WCCP v2 to configure a FortiGate unit to optimize web traffic, thus
reducing transmission costs and downloading time. This traffic includes user requests to
view pages on Web servers and the replies to those requests. When a user requests a
page from a web server, the FortiGate unit sends that request to a cache server (also
called a web-cache server). If the cache server has a copy of the requested page in
storage, the cache server sends the user that page. Otherwise, the cache server retrieves
the requested page, caches a copy of it, and forwards it to the user.
The FortiGate unit supports WCCP v2 by transparently redirecting selected types of traffic
to a group of cache servers. When WCCP is enabled, the FortiGate unit maintains a web
cache server list in the WCCP database.
To configure WCCP support you use the config system wccp command to enable
WCCP support. Then you enable WCCP for firewall policies using the wccp keyword.
When these WCCP-enabled firewall policies accept traffic, the traffic is re-directed to a
cache server. The FortiGate unit uses the information in the WCCP database to determine
the cache server to redirect the traffic to.
Finally you must configure interfaces connected to WCCP cache servers to accept wccp
messages.
If virtual domains are enabled, you configure WCCP separately for each virtual domain.
To configure WCCP
You configure WCCP from the CLI.
1 Start WCCP and configure WCCP database settings:
config system wccp
    edit <service-id>
        set router-id <interface_ipv4>
        set server-list <server_ipv4mask>
        set group-address <ip_multicast_ipv4>
        set password <password>
        set forward-method {GRE | L2 | any}
        set return-method {GRE | L2 | any}
        set assignment-method {HASH | MASK | any}
    next
end
Variable: Description (Default)

authentication {disable | enable}
  Enable or disable MD5 authentication for the WCCP configuration.
<service-id>
  0-255. 0 for HTTP. Default: 1
router-id <interface_ipv4>
  An IP address known to all cache servers. This IP address identifies a FortiGate
  interface IP address to the cache servers. If all cache servers connect to the same
  FortiGate interface, <interface_ipv4> can be 0.0.0.0, and the FortiGate unit uses the
  IP address of that interface as the router-id. If the cache servers can connect to
  different FortiGate interfaces, you must set router-id to a single IP address, and
  this IP address must be added to the configuration of the cache servers.
  Default: 0.0.0.0
server-list <server_ipv4mask>
  The IP addresses of the cache servers. Default: 0.0.0.0 0.0.0.0
group-address <ip_multicast_ipv4>
  The IP multicast address used by the cache servers. 0.0.0.0 means the FortiGate unit
  ignores multicast WCCP traffic. Otherwise, group-address must be from 224.0.0.0 to
  239.255.255.255. Default: 0.0.0.0
password <password_str>
  The MD5 authentication password. Maximum length is 8 characters.
forward-method {GRE | L2 | any}
  Specifies how the FortiGate unit forwards traffic to cache servers. If forward-method
  is any, the cache server determines the forward method. Default: GRE
return-method {GRE | L2 | any}
  Specifies how a cache server declines a redirected packet and returns it to the
  firewall. If return-method is any, the cache server determines the return method.
  Default: GRE
assignment-method {HASH | MASK | any}
  Specifies which assignment method the FortiGate unit prefers. If assignment-method is
  any, the cache server determines the assignment method. Default: HASH
2 Add a firewall policy to enable WCCP for traffic accepted by the firewall policy.
config firewall policy
    edit <policy_id>
        (configure the firewall policy)
        set wccp {enable | disable}
    next
end
3 Configure the interfaces that are connected to cache servers to accept WCCP traffic.
config system interface
    edit <interface_name>
        (configure the interface)
        set wccp {enable | disable}
    next
    edit <interface_name>
        (configure the interface)
        set wccp {enable | disable}
    next
end
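The WCCP variable table above states hard constraints (service-id in 0-255, a group-address that is either 0.0.0.0 or a multicast address in 224.0.0.0 to 239.255.255.255, an 8-character maximum for the MD5 password, a fixed keyword set for each method) that the CLI placeholders alone do not enforce. The following Python script is an added example, not code from this guide or from Fortinet: it parses a config system wccp block in the layout shown in step 1 and reports every entry that violates one of those constraints, and it also flags an entry whose authentication is not set to enable, since the table makes MD5 authentication of WCCP messages optional. The parser, the check names, and the sample block are assumptions constructed for this example; the sample deliberately contains several mistakes.

```python
"""Sanity-check a FortiOS 'config system wccp' block before applying it.

Added example; not from the FortiGate Administration Guide and not Fortinet
code. The parser handles only the 'edit <service-id>' / 'set <var> <value>' /
'next' / 'end' layout used in the WCCP procedure, and the checks encode only
the constraints that procedure's variable table states.
"""
import ipaddress
import re

# Constructed sample with several mistakes a reviewer should catch.
SAMPLE_CONFIG = """\
config system wccp
    edit 300
        set router-id 10.10.10.1
        set server-list 10.10.20.0 255.255.255.0
        set group-address 192.168.1.5
        set authentication disable
        set password toolongpassword
        set forward-method GRE
        set return-method L2
        set assignment-method any
    next
end
"""

# Keyword sets taken from the variable table.
ALLOWED = {
    "forward-method": {"GRE", "L2", "any"},
    "return-method": {"GRE", "L2", "any"},
    "assignment-method": {"HASH", "MASK", "any"},
    "authentication": {"enable", "disable"},
}
MULTICAST = ipaddress.ip_network("224.0.0.0/4")  # 224.0.0.0 - 239.255.255.255
UNSET = ipaddress.ip_address("0.0.0.0")


def parse_wccp(text):
    """Return {service_id: {variable: value}} for each 'edit' entry."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"edit\s+(\S+)$", line):
            current = entries.setdefault(m.group(1), {})
        elif m := re.match(r"set\s+(\S+)\s+(.+)$", line):
            if current is None:
                raise ValueError(f"'set' outside an 'edit' entry: {line}")
            current[m.group(1)] = m.group(2).strip()
        elif line in ("next", "end"):
            current = None
    return entries


def _valid_ipv4(value):
    try:
        return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
    except ValueError:
        return False


def check_entry(service_id, vals):
    """Return a list of findings (empty when the entry passes every check)."""
    findings = []
    if not service_id.isdigit() or not 0 <= int(service_id) <= 255:
        findings.append(f"service-id {service_id!r} is not in 0-255")
    for key, allowed in ALLOWED.items():
        if key in vals and vals[key] not in allowed:
            findings.append(f"{key}={vals[key]!r} is not one of {sorted(allowed)}")
    if "router-id" in vals and not _valid_ipv4(vals["router-id"]):
        findings.append(f"router-id {vals['router-id']!r} is not an IPv4 address")
    if "server-list" in vals:
        parts = vals["server-list"].split()
        if len(parts) != 2 or not all(map(_valid_ipv4, parts)):
            findings.append("server-list must be an IPv4 address and mask")
    # group-address: 0.0.0.0 (ignore multicast WCCP) or a 224/4 multicast address.
    group = vals.get("group-address", "0.0.0.0")
    if not _valid_ipv4(group):
        findings.append(f"group-address {group!r} is not an IPv4 address")
    elif ipaddress.ip_address(group) != UNSET and ipaddress.ip_address(group) not in MULTICAST:
        findings.append(f"group-address {group} must be 0.0.0.0 or in 224.0.0.0-239.255.255.255")
    if len(vals.get("password", "")) > 8:
        findings.append("password exceeds the 8-character maximum")
    if vals.get("authentication") != "enable":
        findings.append("authentication is not enabled, so WCCP messages from cache "
                        "servers are not MD5-authenticated")
    return findings


def check_config(text):
    """Map every service-id in the block to its list of findings."""
    return {sid: check_entry(sid, vals) for sid, vals in parse_wccp(text).items()}


if __name__ == "__main__":
    for sid, findings in check_config(SAMPLE_CONFIG).items():
        print(f"service-id {sid}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run it against a block copied from a configuration backup before pasting the block into the CLI; an empty findings list for every service-id means the entry is within the documented ranges and has authentication enabled.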
File Quarantine
The Quarantine tab is renamed File Quarantine to distinguish it from the NAC Quarantine
feature that quarantines traffic. For more information, see Viewing the File Quarantine
list on page 447.
Logging improvements
Logs provide more information about the FortiGate unit operation, including:
event log for VPN tunnel up/down (IPSec, SSL, PPTP VPNs), including authenticated
user name, local and remote IP addresses
event log for VPN tunnel re-key
event log for VPN tunnel periodic statistics (configurable period)
logs for new Data Leak Prevention feature
attacks detected by IPS
inclusion of Admin Profile in Administrator login event log
log entry size increased to 1024 bytes from 512 bytes to reduce the number of
truncated logs. This reduces the number of logs that can be stored.
For more information, see Log&Report on page 647.
Web-based manager
This section describes the features of the user-friendly web-based manager administrative
interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate
unit.
Using HTTP or a secure HTTPS connection from any management computer running a
web browser, you can connect to the FortiGate web-based manager to configure and
manage the FortiGate unit. The recommended minimum screen resolution for the
management computer is 1280 by 1024.
You can configure the FortiGate unit for HTTP and HTTPS web-based administration from
any FortiGate interface. To connect to the web-based manager you require a FortiGate
administrator account and password. The web-based manager supports multiple
languages, but by default appears in English on first use.
You can go to System > Status to view detailed information about the status of your
FortiGate unit on the system dashboard. The dashboard displays information such as the
current FortiOS firmware version, antivirus and IPS definition versions, operation mode,
connected interfaces, and system resources. It also shows whether the FortiGate unit is
connected to a FortiAnalyzer unit and a FortiManager unit or other central management
services.
You can use the web-based manager menus, lists, and configuration pages to configure
most FortiGate settings. Configuration changes made using the web-based manager take
effect immediately without resetting the FortiGate unit or interrupting service. You can
back up your configuration at any time using the Backup Configuration button on the
button bar. The button bar is located in the upper right corner of the web-based manager.
The saved configuration can be restored at any time.
The web-based manager also includes detailed context-sensitive online help. Selecting
Online Help on the button bar displays help for the current web-based manager page.
You can use the FortiGate command line interface (CLI) to configure the same FortiGate
settings that you can configure from the web-based manager, as well as additional CLI-
only settings. The system dashboard provides an easy entry point to the CLI console that
you can use without exiting the web-based manager.
This section describes:
Common web-based manager tasks
Changing your FortiGate administrator password
Changing the web-based manager language
Changing administrative access to your FortiGate unit
Changing the web-based manager idle timeout
Connecting to the FortiGate CLI from the web-based manager
Button bar features
Contacting Customer Support
Backing up your FortiGate configuration
Using FortiGate Online Help
Logging out
Web-based manager pages
Web-based manager icons
Note: See the Fortinet Knowledge Center article Recovering lost administrator account
passwords if you forget or lose an administrator account password and cannot log into your
FortiGate unit.
Note: You can also add new administrator accounts by selecting Create New. For more
information about adding administrators, changing administrator account passwords and
related configuration settings, see System Admin on page 209.
[Figure: button bar icons. Callouts: Contact Customer Support, Online Help, Logout,
Back up your FortiGate Configuration.]
Show Navigation Open the online help navigation pane. From the navigation pane you
can use the online help table of contents, index, and search to access
all of the information in the online help. The online help is organized in
the same way as the FortiGate web-based manager and the FortiGate
Administration Guide.
Previous Display the previous page in the online help.
Next Display the next page in the online help
Email Send an email to Fortinet Technical Documentation at
techdoc@fortinet.com if you have comments on or corrections for the
online help or any other Fortinet technical documentation product.
Print Print the current online help page.
Bookmark Add an entry for this online help page to your browser bookmarks or
favorites list to make it easier to find useful online help pages. You
cannot use the Bookmark icon to add an entry to your favorites list if
you are viewing online help from Internet Explorer running on a
management PC with Windows XP and service pack 2 installed.
When you select help for a VDOM configuration settings web-based
manager page the help display includes the VDOM icon. For
information about VDOM configuration settings, see VDOM
configuration settings on page 104.
When you select help for a Global configuration settings web-based
manager page the help display includes the Global icon. For
information about Global configuration settings, see Global
configuration settings on page 107.
To view the online help table of contents or index, and to use the search feature, select
Online Help in the button bar in the upper right corner of the web-based manager. From
the online help, select Show Navigation.
Figure 8: Online help page with navigation pane and content pane
Contents Display the online help table of contents. You can navigate through the
table of contents to find information in the online help. The online help
is organized in the same way as the FortiGate web-based manager
and the FortiGate Administration Guide.
Index Display the online help index. You can use the index to find
information in the online help.
Search Display the online help search. For more information, see Searching
the online help on page 50.
Show in Contents If you have used the index, search, or hyperlinks to find information in
the online help, the table of contents may not be visible or the table of
contents may be out of sync with the current help page. You can select
Show in Contents to display the location of the current help page
within the table of contents.
You can use the asterisk (*) as a search wildcard character that is replaced by any
number of characters. For example, if you search for auth* the search finds help pages
containing auth, authenticate, authentication, authenticates, and so on.
In some cases the search finds only exact matches. For example, if you search for
windows the search may not find pages containing the word window. You can work
around this using the * wildcard (for example by searching for window*).
(Figure callouts: Go, Search Field, Search Results)
Key Function
Alt+1 Display the table of contents.
Alt+2 Display the index.
Alt+3 Display the Search tab.
Alt+4 Go to the previous page.
Alt+5 Go to the next page.
Alt+7 Send an email to Fortinet Technical Documentation at
techdoc@fortinet.com if you have comments on or corrections for the
online help or any other Fortinet technical documentation product.
Alt+8 Print the current online help page.
Alt+9 Add an entry for this online help page to your browser bookmarks or
favorites list, to make it easier to find useful online help pages.
Logging out
The Logout button immediately logs you out of the web-based manager. Log out before
you close the browser window. If you simply close the browser or navigate away from the
web-based manager, your session remains valid until the idle timeout (default 5 minutes)
expires, so an unattended or shared management PC stays authenticated for that long. To
change the timeout, see Changing the web-based manager idle timeout on page 47.
Figure 10: Parts of the web-based manager (shown for the FortiGate-50B)
(Figure callouts: Menu, Delete, Edit)
If you log in as an administrator with an admin profile that allows Read Only access to a
list, you will only be able to view the items on the list (see Figure 12).
Filters are available on the following web-based manager lists:
Firewall policy and IPv6 policy lists (see Viewing the firewall policy list on page 321)
Intrusion protection predefined signatures list (see Viewing the predefined signature
list on page 457)
Firewall user monitor list (see Firewall user monitor list on page 591)
IPSec VPN Monitor (see IPSEC monitor list on page 592)
Endpoint control list of known endpoints (see Monitoring endpoints on page 644)
Log and report log access list (see Accessing Logs on page 662).
Filters are useful for reducing the number of entries that are displayed on a list so that you
can focus on the information that is important to you.
For example, you can go to System > Status, and, in the Statistics section, select Details
on the Sessions line to view the communications sessions that the FortiGate unit is
currently processing. A busy FortiGate unit may be processing hundreds or thousands of
communications sessions. You can add filters to make it easier to find specific sessions.
For example, you might be looking for all communications sessions being accepted by a
specific firewall policy. You can add a Policy ID filter to display only the sessions for a
particular Policy ID or range of Policy IDs.
You add filters to a web-based manager list by selecting any filter icon to display the Edit
Filters window. From the Edit Filters window you can select any column name to filter, and
configure the filter for that column. You can also add filters for one or more columns at a
time. The filter icon remains gray for unfiltered columns and changes to green for filtered
columns.
Figure 13: An intrusion protection predefined signatures list filtered to display all signatures containing apache with logging enabled, action set to drop, and severity set to high
(Figure callouts: Filter added to display names that include apache; No filter added)
The filter configuration is retained after leaving the web-based manager page and even
after logging out of the web-based manager or rebooting the FortiGate unit.
Different filter styles are available depending on the type of information displayed in
individual columns. In all cases, you configure a filter by specifying what to filter on; the
list then displays only the entries that match the filter or, if you select NOT, only the
entries that do not match it.
Note: Filter settings are stored in the FortiGate configuration and will be maintained the
next time that you access any list for which you have added filters.
On firewall policy, IPv6 policy, predefined signature and log and report log access lists,
you can combine filters with column settings to provide even more control of the
information displayed by the list. See Using filters with column settings on page 59 for
more information.
Figure 14: A session list with a numeric filter set to display sessions with source IP address in the range of 1.1.1.1-1.1.1.2
Figure 15: A firewall policy list filter set to display all policies that do not include a source address with a name that contains My_Address
Figure 16: An intrusion protection predefined signature list filter set to display all signatures with Action set to block
Custom filters
Other custom filters are also available. You can filter log messages according to date
range and time range. You can also set the level filter to display log messages with
multiple severity levels.
Figure 17: A log access filter set to display all log messages with level of alert, critical, error,
or warning
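The filter styles described above (numeric ranges such as the Policy ID and source-address filters, text filters such as the My_Address filter with NOT applied, and the multi-level log filter of Figure 17) behave like simple predicates that the list combines with AND. The following Python example is added here as an illustration; it is not code from the FortiGate guide or from FortiOS, and the session rows, log messages, column names and severity names it uses are constructed for the example.

```python
"""Added example (not from the FortiGate guide): re-creates the filter styles
the web-based manager offers on its lists, over constructed sample rows.

Every filter is a predicate on one row; filters on different columns are ANDed,
and any filter can be inverted with NOT, as on the Edit Filters window.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List

Row = dict
Filter = Callable[[Row], bool]

# Constructed sample data shaped like the session list
# (System > Status > Statistics > Sessions > Details). Not real traffic.
SESSIONS: List[Row] = [
    {"proto": "tcp", "src": "1.1.1.1",      "dst": "10.0.0.5",  "dport": 443, "policy_id": 3},
    {"proto": "tcp", "src": "1.1.1.2",      "dst": "10.0.0.9",  "dport": 80,  "policy_id": 3},
    {"proto": "udp", "src": "1.1.1.3",      "dst": "10.0.0.53", "dport": 53,  "policy_id": 12},
    {"proto": "tcp", "src": "192.168.1.20", "dst": "10.0.0.5",  "dport": 22,  "policy_id": 7},
]

# Constructed sample data shaped like the log access list. Not real log output.
LOGS: List[Row] = [
    {"level": "information", "msg": "User admin logged in from 192.168.1.20"},
    {"level": "warning",     "msg": "Fan speed below threshold"},
    {"level": "critical",    "msg": "HA heartbeat lost on port ha"},
    {"level": "notice",      "msg": "Policy 3 session closed"},
    {"level": "alert",       "msg": "Memory usage entering conserve mode"},
]


def numeric_range(column: str, low: int, high: int) -> Filter:
    """Numeric filter: keep rows whose column value lies in [low, high]."""
    return lambda row: low <= row[column] <= high


def ip_range(column: str, first: str, last: str) -> Filter:
    """Numeric filter on an IP address column, e.g. 1.1.1.1-1.1.1.2 (Figure 14)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lambda row: lo <= ipaddress.ip_address(row[column]) <= hi


def contains(column: str, needle: str) -> Filter:
    """Text filter: keep rows whose column contains needle (case-insensitive substring)."""
    needle = needle.lower()
    return lambda row: needle in str(row[column]).lower()


def level_in(levels: Iterable[str]) -> Filter:
    """Log level filter with several severities selected at once (Figure 17)."""
    wanted = set(levels)
    return lambda row: row["level"] in wanted


def negate(flt: Filter) -> Filter:
    """The NOT option: display the rows that do not match the filter (Figure 15)."""
    return lambda row: not flt(row)


def apply_filters(rows: Iterable[Row], *filters: Filter) -> List[Row]:
    """Filters set on different columns are combined with AND."""
    return [row for row in rows if all(f(row) for f in filters)]


def demo() -> Dict[str, List[Row]]:
    """Return the filtered views that correspond to the figures in the guide."""
    return {
        # Sessions accepted by a range of policy IDs (3 through 7).
        "policy_3_to_7": apply_filters(SESSIONS, numeric_range("policy_id", 3, 7)),
        # Sessions with a source address in 1.1.1.1-1.1.1.2 (Figure 14).
        "src_1_1_1_1_to_2": apply_filters(SESSIONS, ip_range("src", "1.1.1.1", "1.1.1.2")),
        # Two columns at once: source NOT containing 1.1.1. AND destination 10.0.0.5.
        "not_1_1_1_and_dst_5": apply_filters(
            SESSIONS, negate(contains("src", "1.1.1.")), contains("dst", "10.0.0.5")),
        # Text filters are substring matches: this also matches 10.0.0.53.
        "dst_contains_10_0_0_5": apply_filters(SESSIONS, contains("dst", "10.0.0.5")),
        # Log messages with level alert, critical, error or warning (Figure 17).
        "noteworthy_logs": apply_filters(
            LOGS, level_in(["alert", "critical", "error", "warning"])),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```

The text filter is a substring match, so a contains filter for 10.0.0.5 also returns 10.0.0.53; when you need an exact address or a range, use the numeric range style that the session list offers for IP columns.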
Current Page The current page number of list items that are displayed. You can
enter a page number and press Enter to display the items on that
page. For example if there are 5 pages of items and you enter 3, page
3 of the sessions will be displayed.
Total Number of Pages The number of pages of list items that you can view.
Next Page Display the next page of items in the list.
Last Page Display the last page of items in the list.
Note: Any changes that you make to the column settings of a list are stored in the FortiGate
configuration and will display the next time that you access the list.
To change column settings on a list that supports it, select Column Settings. From
Available fields, select the column headings to be displayed and then select the Right
Arrow to move them to the Show these fields in this order list. Similarly, to hide column
headings, use the Left Arrow to move them back to the Available fields list. Use Move Up
and Move Down to change the order in which to display the columns.
For example, you can change interface list column headings to display only the
IP/Netmask, MAC address, MTU, and interface Type for each interface.
Figure 21: A pre-defined signatures list displaying pre-defined signatures for the Veritas and Winamp applications
For more information, see Adding filters to web-based manager lists on page 53.
Expand Arrow (open) Close this section to hide some fields. This icon is used in
some dialog boxes and lists.
Filter Set a filter on one or more columns in this table. See Adding
filters to web-based manager lists on page 53.
Insert before Add a new item to a list so that it precedes the current item.
Used in lists when the order of items in the list is significant,
for example firewall policies, IPS Sensors, and DoS Sensors.
Last page View the last page of a list.
Move to Change the position of an item in a list. Used in lists when the
order of items in the list is significant, for example firewall
policies, IPS Sensors, and DoS Sensors.
Next page View the next page of a list.
System Status
This section describes the System Status page, the dashboard of your FortiGate unit. At a
glance you can view the current system status of the FortiGate unit including serial
number, uptime, FortiGuard license information, system resource usage, alert
messages and network statistics.
Note: Your browser must support JavaScript to view the System Status page.
If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available
globally and system status settings are configured globally for the entire FortiGate unit.
The Topology viewer is not available when VDOMs are enabled. For details, see Using
virtual domains on page 103.
This section describes:
Status page
Changing system information
Changing the FortiGate firmware
Viewing operational history
Manually updating FortiGuard definitions
Viewing Statistics
Topology
Status page
View the System Status page, also known as the system dashboard, for a snapshot of the
current operating status of the FortiGate unit. FortiGate administrators whose admin
profiles permit write access to system configuration can change or update FortiGate unit
information. For more information on admin profiles, see Admin profiles on page 222.
When the FortiGate unit is part of an HA cluster, the System Status page includes basic
high availability (HA) cluster status, such as the name of the cluster and the host names
of the cluster members. To view more detailed HA status information for the cluster, go to
System > Config > HA. For more information, see HA on page 177.
Note: The information on the System Status page applies to the whole HA cluster, not just
the Master unit. This includes information such as URLs visited, emails sent and received,
and viruses caught.
To view this page, your admin profile must permit read access to system configuration. If
your admin profile also permits write access to system configuration, you can modify
system information and update FortiGuard - AV and FortiGuard - IPS definitions. For
information on admin profiles, see Admin profiles on page 222.
The System Status page is customizable. You can select which widgets to display, where
they are located on the page, and if they are minimized or maximized. Each display has
an icon associated with it for easy recognition when minimized.
Select Add Content to add any of the widgets not currently shown on the System Status
page. Any widgets currently on the System Status page will be greyed out in the Add
Content menu, as you can only have one of each display on the System Status page.
Optionally, select Back to Default to restore the default System Status page configuration.
Position your mouse over a display's title bar to see the options available for that display.
The options vary slightly from display to display.
(Figure callouts: Widget title, Disclosure arrow, Edit, History, Refresh, Close)
The following widgets are available:
System Information
License Information
Unit Operation
System Resources
Alert Message Console
Statistics
CLI Console
Top Sessions
Top Viruses
Top Attacks
Traffic History
System Information
Go to System > Status to find System Information.
Serial Number The serial number of the FortiGate unit. The serial number is specific
to the FortiGate unit and does not change with firmware upgrades.
Uptime The time in days, hours, and minutes since the FortiGate unit was
started.
System Time The current date and time according to the FortiGate unit's internal
clock.
Select Change to change the time or configure the FortiGate unit to
get the time from an NTP server. For more information, see
Configuring system time on page 78.
HA Status The status of high availability for this unit.
Standalone indicates the unit is not operating in HA mode.
Active-Passive or Active-Active indicate the unit is operating in HA
mode.
Select Configure to configure the HA status for this unit. For more
information, see HA on page 177.
Host Name The host name of the current FortiGate unit.
Select Change to change the host name.
For more information, see Changing the FortiGate unit host name
on page 78.
If the FortiGate unit is in HA mode, this field is not displayed.
Cluster Name The name of the HA cluster for this FortiGate unit. For more
information, see HA on page 177.
The FortiGate unit must be operating in HA mode to display this field.
Cluster Members The FortiGate units in the HA cluster. Information displayed about
each member includes host name, serial number, and whether the
unit is a primary (master) or subordinate (slave) unit in the cluster. For
more information, see HA on page 177.
The FortiGate unit must be operating in HA mode with virtual
domains disabled to display this field.
Virtual Cluster 1 / Virtual Cluster 2 The role of each FortiGate unit in virtual cluster 1
and virtual cluster 2. For more information, see HA on page 177.
The FortiGate unit must be operating in HA mode with virtual
domains enabled to display these fields.
Firmware Version The version of the current firmware installed on the FortiGate unit.
The format for the firmware version is
Select Update to change the firmware.
For more information, see Upgrading to a new firmware version on
page 80.
FortiClient Version The version of FortiClient currently uploaded to your FortiGate unit
for use by endpoint control. This field appears only if your FortiGate
unit supports uploading a FortiClient image. See Configuring
FortiClient required version and installer download on page 642.
Operation Mode The operating mode of the current FortiGate unit. Except for the
FortiGate-224B in switch view, a FortiGate unit can operate in NAT
mode or Transparent mode. Select Change to switch between NAT and
Transparent mode. For more information, see Changing operation
mode on page 206.
If virtual domains are enabled, this field shows the operating mode of
the current virtual domain. Each virtual domain can operate in either
NAT mode or Transparent mode.
Virtual Domain The status of the virtual domains feature on your FortiGate unit. Select
Enable or Disable to change it. Multiple VDOM operation is not
available on a FortiGate-224B unit in switch view.
If you enable or disable virtual domains, your session is terminated
and you must log in again. For more information, see Using virtual
domains on page 103.
Current Administrators The number of administrators currently logged into the FortiGate
unit. Select Details to view more information about each administrator
that is currently logged in: user name, type of connection, the IP
address from which they are connecting, and when they logged in.
License Information
License Information displays the status of your technical support contract and FortiGuard
subscriptions. The FortiGate unit updates the license information status indicators
automatically when attempting to connect to the FortiGuard Distribution Network (FDN).
FortiGuard Subscriptions status indicators are green if the FDN was reachable and the
license was valid during the last connection attempt, grey if the FortiGate unit cannot
connect to the FDN, and orange if the FDN is reachable but the license has expired.
Selecting any of the Configure options will take you to the Maintenance page. For more
information, see System Maintenance on page 253.
Support Contract The Fortinet technical support contract number and expiry
date, or registration status.
If Not Registered appears, select Register to register the
unit.
If Expired appears, select Renew for information on
renewing your technical support contract. Contact your local
reseller.
FortiGuard Subscriptions
AntiVirus The FortiGuard Antivirus version, license issue date and
service status. If your license has expired, you can select
Renew to renew the license.
AV Definitions The currently installed version of the FortiGuard Antivirus
definitions. To update the definitions manually, select
Update. For more information, see Manually updating
FortiGuard definitions on page 82.
Intrusion Protection The FortiGuard Intrusion Prevention System (IPS) license
version, license issue date and service status. If your license
has expired, you can select Renew to renew the license.
IPS Definitions The currently installed version of the IPS attack definitions.
To update the definitions manually, select Update. For more
information, see Manually updating FortiGuard definitions
on page 82.
Web Filtering The FortiGuard Web Filtering license, license expiry date
and service status. If your license has expired, you can
select Renew to renew the license.
Antispam The FortiGuard Antispam license type, license expiry date
and service status. If your license has expired, you can
select Renew to renew the license.
AS Rule Set The currently installed version of the antispam rule set. To
update the rule set manually, select Update. For more
information, see Manually updating FortiGuard definitions
on page 82.
Analysis and Management Service The FortiGuard Analysis and Management Service
license, license expiry date, and reachability status.
Services Account ID Select change to enter a different Service Account ID. This
ID is used to validate your license for subscription services
such as the FortiGuard Analysis and Management Service.
Virtual Domain
VDOMs Allowed The maximum number of virtual domains the unit supports
with the current license.
For high-end FortiGate, you can select the Purchase More
link to purchase a license key through Fortinet technical
support to increase the maximum number of VDOMs. See
Adding VDOM Licenses on page 276.
Unit Operation
In the Unit Operation area, an illustration of the FortiGate unit's front panel shows the
status of the unit's Ethernet network interfaces. If a network interface is green, that
interface is connected. Pause the mouse pointer over the interface to view the name, IP
address, netmask and current status of the interface.
If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the
reason for the system event.
Only one central management method (FortiManager or the FortiGuard Management
Service) and one logging/analysis method (FortiAnalyzer or the FortiGuard Analysis
Service) can be displayed for your FortiGate unit at a time. The graphic for each changes
based on which method you choose. If none is selected, no graphic is shown.
Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and
admin events are enabled. For more information on Event Logging, see Event log on
page 659.
INT / EXT / DMZ / HA / WAN1 / WAN2 / 1 / 2 / 3 / 4 The network interfaces on the
FortiGate unit. The names and number of these interfaces vary by model.
The icon below the interface name indicates its up/down status by
color. Green indicates the interface is connected. Grey indicates
there is no connection.
For more information about the configuration and status of an
interface, pause the mouse over the icon for that interface. A
tooltip displays the full name of the interface, its alias if one is
configured, the IP address and netmask, the status of the link, the
speed of the interface, and the number of sent and received
packets.
AMC-SW1/1, ... / AMC-DW1/1, ... If your FortiGate unit supports Advanced Mezzanine
Card (AMC) modules and you have installed an AMC module containing
network interfaces (for example, the FortiGate-ASM-FB4 contains
4 interfaces), these interfaces are added to the interface status
display. The interfaces are named for the module and the
interface. For example, AMC-SW1/3 is the third network interface
on the SW1 module, and AMC-DW2/1 is the first network interface
on the DW2 module.
AMC modules support hard disks as well, such as the ASM-S08
module. When a hard disk is installed, ASM-S08 is visible as well
as a horizontal bar and percentage indicating how full the hard
disk is.
FortiAnalyzer The icon on the link between the FortiGate unit graphic and the
FortiAnalyzer graphic indicates the status of their OFTP
connection. An X on a red icon indicates there is no connection.
A check mark on a green icon indicates there is OFTP
communication.
Select the FortiAnalyzer graphic to configure remote logging to the
FortiAnalyzer unit on your FortiGate unit. See Logging to a
FortiAnalyzer unit on page 650.
FortiGuard Analysis Service The icon on the link between the FortiGate unit graphic and
the FortiGuard Analysis Service graphic indicates the status of their
OFTP connection. An X on a red icon indicates there is no
connection. A check mark on a green icon indicates there is OFTP
communication.
Select the FortiGuard Analysis Service graphic to configure
remote logging to the FortiGuard Analysis Service. See
FortiGuard Analysis and Management Service on page 648.
FortiManager The icon on the link between the FortiGate unit graphic and the
FortiManager graphic indicates the status of the connection. An X
on a red icon indicates there is no connection. A check mark on a
green icon indicates there is communication between the two
units.
Select the FortiManager graphic to configure central management
on your FortiGate unit. See Central Management on page 226.
FortiGuard Management Service The icon on the link between the FortiGate unit graphic
and the FortiGuard Analysis and Management Service graphic indicates
the status of the connection. An X on a red icon indicates there is
no connection. A check mark on a green icon indicates there is
communication.
Select the FortiGuard Analysis and Management Service graphic
to configure central management on your FortiGate unit. See
Central Management on page 226.
Reboot Select to shut down and restart the FortiGate unit. You will be
prompted to enter a reason for the reboot, which is recorded in
the logs.
Shutdown Select to shut down the FortiGate unit. You will be prompted for
confirmation, and also prompted to enter a reason for the
shutdown, which is recorded in the logs.
System Resources
The System Resources widget displays basic FortiGate unit resource usage, such as
CPU and memory (RAM) usage. Any System Resources that are not displayed on the
status page can be viewed as a graph by selecting the History icon.
To see the most recent CPU and memory usage, select the Refresh icon.
The following types of messages can appear in the Alert Message Console:
If there is insufficient space for all of the messages within the Alert Message Console
widget, select History to view the list of alerts in a new window.
To clear alert messages, select the History icon and then select Clear Alert Messages,
which is located at the top of the pop-up window. This will acknowledge and hide all
current alert messages from your FortiGate unit.
Select Edit to display Custom Alert Display options that offer the following customizations
for your alert message display:
Do not display system shutdown and restart.
Do not display firmware upgrade and downgrade.
Do not display conserve mode messages
Statistics
The Statistics widget is designed to allow you to see at a glance what is happening on
your FortiGate unit with regards to network traffic and attack attempts.
You can quickly see the amount and type of traffic as well as any attack attempts on your
system. To investigate an area that draws your attention, select Details for a detailed list of
the most recent activity.
The information displayed in the statistics widget is derived from log messages that can be
saved to a FortiAnalyzer unit, saved locally, or backed up to an external source such as a
syslog server. You can use this data to see trends in network activity or attacks over time.
Various configuration settings are required to actually collect data for the statistics widget.
See the descriptions of content archive and attack log for details.
For detailed procedures involving the Statistics list, see Viewing Statistics on page 83.
(Figure callouts: Refresh, Reset, Close)
Since The date and time when the counts were last reset.
Counts are reset when the FortiGate unit reboots, or when you select Reset.
Reset Reset the Content Archive and Attack Log statistic counts to zero.
Sessions The number of communications sessions being handled by the FortiGate unit. Select
Details for detailed information. See Viewing the session list on page 83.
Content Archive A summary of the HTTP, HTTPS, email, FTP and IM traffic that has
passed through the FortiGate unit and whose metadata has been content archived.
The Details pages list the last 64 items of the selected type and provides links to the
FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit
is not configured, the Details pages provide a link to Log & Report > Log Config >
Log Settings.
You configure the FortiGate unit to collect content archive data for the statistics widget
by configuring protection profiles to display content meta-information on the system
dashboard. To configure a protection profile, go to Firewall > Protection Profile. Create
or edit a protection profile and configure Data Leak Prevention Sensor > Display
content meta-information on the system dashboard and select the protocols to collect
statistics for. By default meta-data is collected and displayed on the statistics widget for
all protocols. For more information, see Data Leak Prevention Sensor options on
page 419.
You must also add the protection profile to a firewall policy. When the firewall policy
receives sessions for the selected protocols, meta-data is added to the statistics
widget.
You can configure a protection profile to collect statistics for HTTP, HTTPS, FTP, IMAP,
POP3, and SMTP traffic. If your FortiGate unit supports SSL content scanning and
inspection, a protection profile can also collect statistics for IMAPS, POP3S, and
SMTPS traffic. For more information, see SSL content scanning and inspection on
page 399. By default meta-data is collected and displayed on the statistics widget for
all of these protocols.
The Email statistics are based on email protocols. POP3 and IMAP traffic is registered
as incoming email, and SMTP is outgoing email. If your FortiGate unit supports SSL
content scanning and inspection, incoming email also includes POP3S and IMAPS
and outgoing email also includes SMTPS. If incoming or outgoing email does not use
these protocols, these statistics will not be accurate.
The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols. You can also
configure displaying meta-information on the system dashboard for these IM protocols.
Attack Log A summary of viruses, attacks, spam email messages, and blocked URLs that the
FortiGate unit has intercepted. Also displays the number of sessions matched by DLP.
The Details pages list the 20 most recent items, providing the time, source, destination
and other information.
DLP data loss detected actually displays the number of sessions that have matched
DLP sensors added to protection profiles. DLP collects meta-data about all sessions
matched by DLP sensors and records this meta-data in the DLP log. Every time a DLP
log message is recorded, the DLP data loss detected number increases. If you are
using DLP for content summary or full content archiving the DLP data loss detected
number can get very large. This number may not indicate that data has been lost or
leaked. For more information, see Adding or editing a rule in a DLP sensor on
page 513.
CLI Console
The System Status page can include a CLI. To use the console, select it to automatically
log in to the admin account you are currently using in the web-based manager. You can
copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console.
The two controls located on the CLI Console widget's title bar are Customize and Detach.
Detach moves the CLI Console widget into a pop-up window that you can resize and
reposition. The two controls on the detached CLI Console are Customize and Attach.
Attach moves the CLI console widget back onto the System Status page.
Customize allows you to change the appearance of the console by defining fonts and
colors for the text and background.
Top Sessions
Top Sessions displays either a bar graph or a table showing the IP addresses that have
the most sessions open on the FortiGate unit. The sessions are grouped by source IP
address, destination IP address, or port, and the sort criteria in use are displayed in the
top right corner.
The Top Sessions display polls the kernel for session information, and this slightly impacts
the FortiGate unit performance. For this reason when this display is not shown on the
dashboard, it is not collecting data, and not impacting system performance. When the
display is shown, information is only stored in memory.
Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.
(Figure callouts: Last updated, Sort Criteria, Number of active sessions)
The Top Sessions display is not part of the default dashboard display. It can be displayed
by selecting Add Content > Top Sessions.
To view detailed information about all displayed sessions at once, select Details. This
changes the Top Sessions display to a table format, without opening a new window. To
return to the chart display, select Return. The table displays more detailed information
about sessions than the chart display, including:
the session protocol such as tcp or udp
source address and port
destination address and port
the ID of the policy, if any, that applies to the session
how long until the session expires
which virtual domain the session belongs to
To view detailed information about a single session bar in the chart, click on the bar. The
display will change to the table format, with the filters set to only show the selected
information.
Selecting edit for Top Sessions allows changes to the:
refresh interval
sort criteria to change between source and destination addresses of the sessions
number of top sessions to show
Sort Criteria Select the method used to sort the Top Sessions on the System
Status display. Choose one of:
Source Address
Destination Address
Port Address
Display UserName Select to include the username associated with this source IP
address, if available. In the table display format this will be a
separate column.
Display UserName is available only when the sort criteria is
Source Address.
Resolve Host Name Select to resolve the IP address to the host name.
Resolve Host Name is not available when the sort criteria is
Destination Port.
Resolve Service Select to resolve a port addresses into their commonly associated
service names. Any port address without a service, will continue to
be displayed as the port address. For example port 443 would
resolve to HTTPS.
Resolve Service is only available when the sort criteria is
Destination Port.
Display Format Select how the Top Session information is displayed. Choose one
of:
Chart
Table
Top Sessions to Show Select the number of sessions to display. Choose to display 5, 10,
15, or 20 sessions.
Refresh Interval Select how often the display is updated. The refresh interval range
is from 10 to 240 seconds. Selecting 0 will disable the automatic
refresh of the display. You will still be able to select the manual
refresh option on the Top Sessions title bar.
Shorter refresh intervals may impact the performance of your
FortiGate unit. If this occurs, try increasing the refresh interval or
disabling the automatic refresh.
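The following Python example is added here as an illustration of what the Top Sessions widget computes, as described above: sessions grouped by source address, destination address or destination port, the top N keys kept, Resolve Service applied to port keys, and a click on a bar turned into a filter on the Details table. It is not the FortiGate unit's own code; the session rows, the column names and the small service-name table are constructed for the example.

```python
"""Added example (not from the FortiGate guide): the aggregation behind the
Top Sessions widget, run over a constructed session table."""
from collections import Counter
from typing import List, Tuple

Row = dict

# Constructed sample sessions with the columns the Details table shows:
# protocol, source, destination, destination port, policy ID, seconds to
# expiry and VDOM. Not real traffic.
SESSIONS: List[Row] = [
    {"proto": "tcp", "src": "10.1.1.5",  "dst": "172.16.0.10", "dport": 443, "policy_id": 1, "expire": 3600, "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.5",  "dst": "172.16.0.11", "dport": 443, "policy_id": 1, "expire": 300,  "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.5",  "dst": "172.16.0.10", "dport": 80,  "policy_id": 1, "expire": 20,   "vdom": "root"},
    {"proto": "udp", "src": "10.1.1.9",  "dst": "172.16.0.53", "dport": 53,  "policy_id": 2, "expire": 30,   "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.9",  "dst": "172.16.0.10", "dport": 443, "policy_id": 1, "expire": 3000, "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.23", "dst": "172.16.0.10", "dport": 22,  "policy_id": 5, "expire": 900,  "vdom": "dmz"},
]

# The three sort criteria offered by the widget, mapped to a column.
# "Port Address" groups by destination port.
SORT_COLUMNS = {"Source Address": "src", "Destination Address": "dst", "Port Address": "dport"}

# Constructed service table for Resolve Service; the widget has its own list.
SERVICES = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


def top_sessions(rows: List[Row], sort_criteria: str, top_n: int = 5) -> List[Tuple[object, int]]:
    """Count open sessions per key and keep the top_n keys (ties keep first-seen order)."""
    column = SORT_COLUMNS[sort_criteria]
    return Counter(row[column] for row in rows).most_common(top_n)


def resolve_service(port: int) -> str:
    """Resolve Service: a port with no known service stays displayed as the port."""
    return SERVICES.get(port, str(port))


def details_for_bar(rows: List[Row], sort_criteria: str, key) -> List[Row]:
    """Clicking a bar switches to the table with a filter set to that bar's key."""
    column = SORT_COLUMNS[sort_criteria]
    return [row for row in rows if row[column] == key]


def chart(rows: List[Row], sort_criteria: str, top_n: int = 5, resolve: bool = False) -> List[str]:
    """Render the bar graph as text lines, one per key, longest bar first."""
    lines = []
    for key, count in top_sessions(rows, sort_criteria, top_n):
        label = resolve_service(key) if resolve and sort_criteria == "Port Address" else str(key)
        lines.append(f"{label:<16} {'#' * count} {count}")
    return lines


if __name__ == "__main__":
    print("\n".join(chart(SESSIONS, "Source Address")))
    print("\n".join(chart(SESSIONS, "Port Address", resolve=True)))
    for row in details_for_bar(SESSIONS, "Source Address", "10.1.1.5"):
        print(row)
```

The widget itself polls the kernel session table instead of a static list, which is the cost the text warns about for short refresh intervals; the grouping and top-N selection are the same.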
Top Viruses
Top Viruses displays a bar graph representing the virus threats that have been detected
most frequently by the FortiGate unit.
The Top Viruses display is not part of the default dashboard display. It can be displayed by
selecting Add Content, and selecting Top Viruses from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent viruses
that have been detected with information including the virus name, when it was last
detected, and how many times it was detected. The system stores up to 1024 entries, but
only displays up to 20 in the GUI.
Selecting the edit icon for Top Viruses allows changes to the:
refresh interval
Top Attacks
Top Attacks displays a bar graph representing the most numerous attacks detected by the
FortiGate unit.
The Top Attacks display is not part of the default dashboard display. It can be displayed by
selecting Add Content > Top Attacks from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent attacks
that have been detected with information including the attack name, when it was last
detected, and how many times it was detected. The FortiGate unit stores up to 1024
entries, but only displays up to 20 in the web-based manager.
Selecting the Edit icon for Top Attacks allows changes to the:
refresh interval
top attacks to show
Traffic History
The traffic history display shows the traffic on one selected interface over the last hour,
day, and month. This feature can help you locate peaks in traffic that you need to address
as well as their frequency, duration, and other information.
Only one interface at a time can be monitored. You can change the interface being
monitored by selecting Edit, choosing the interface from the drop down menu, and
selecting Apply. Doing this will clear all the traffic history data.
Note: If the FortiGate unit is part of an HA cluster, you should use a unique host name to
distinguish the unit from others in the cluster.
Note: To access firmware updates for your FortiGate model, you will need to register your
FortiGate unit with Customer Support. For more information go to
http://support.fortinet.com or contact Customer Support.
For more information about using the USB disk, and the FortiGuard Network see System
Maintenance on page 253.
Upgrade From Select the firmware source from the drop down list of available
sources.
Possible sources include Local Hard Disk, USB, and FortiGuard
Network.
Upgrade File Browse to the location of the firmware image on your local hard
disk.
This field is available for local hard disk and USB only.
Upgrade Partition The number of the partition being updated.
This field is available only if your FortiGate unit has more than one
firmware partition.
more info Select to go to the FortiGuard Center to learn more about firmware
updates through the FortiGuard network.
Firmware changes either upgrade to a newer version or revert to an earlier version. Follow
the appropriate procedure to change your firmware.
For more information about managing firmware, see Managing firmware versions on
page 91.
Note: Installing firmware replaces the current antivirus and attack definitions with the
definitions included with the firmware release that you are installing. After you install new
firmware, use the procedure To update antivirus and attack definitions on page 272 to
make sure that antivirus and attack definitions are up to date.
Time Interval Select the time interval for the graphs to display.
CPU Usage History CPU usage for the preceding interval.
Memory Usage History Memory usage for the preceding interval.
Session History Number of sessions over the preceding interval.
Network Utilization History Network utilization for the preceding interval.
Virus History Number of Viruses detected over the preceding interval.
Intrusion History Number of intrusion attempts detected over the preceding
interval.
Note: For information about configuring automatic FortiGuard updates, see Configuring
FortiGuard Services on page 264.
Viewing Statistics
The System Status Statistics provide information about sessions, content archiving and
network protection activity.
Virtual Domain Select a virtual domain to list the sessions being processed by that virtual
domain. Select All to view sessions being processed by all virtual domains.
This is only available if virtual domains are enabled. For more information
see Using virtual domains on page 103.
Refresh Icon Update the session list.
First Page Select to go to the first displayed page of current sessions.
Previous Page Select to go to the page of sessions immediately before the current page.
Page Enter the page number of the session to start the displayed session list. For
example if there are 5 pages of sessions and you enter 3, page 3 of the
sessions will be displayed.
The number following the / is the number of pages of sessions.
Next Page Select to go to the next page of sessions.
Last Page Select to go to the last displayed page of current sessions.
Total The total number of sessions.
Clear All Filters Select to reset any display filters that may have been set.
Filter Icon The icon at the top of all columns except #, and Expiry. When selected it
brings up the Edit Filter dialog allowing you to set the display filters by
column. See Adding filters to web-based manager lists on page 53.
Protocol The service protocol of the connection, for example, udp, tcp, or icmp.
Source Address The source IP address of the connection.
Source Port The source port of the connection.
Destination Address The destination IP address of the connection.
Destination Port The destination port of the connection.
Policy ID The number of the firewall policy allowing this session or blank if the session
involves only one FortiGate interface (admin session, for example).
Expiry (sec) The time, in seconds, before the connection expires.
Delete icon Stop an active communication session. Your admin profile must include
read and write access to System Configuration.
Date and Time The time when the URL was accessed.
From The IP address from which the URL was accessed.
URL The URL that was accessed.
Date and Time The time that the email passed through the FortiGate unit.
From The sender's email address.
To The recipient's email address.
Subject The subject line of the email.
Date and Time The time when the virus was detected.
From The sender's email address or IP address.
To The intended recipient's email address or IP address.
Service The service type, such as POP or HTTP.
Virus The name of the virus that was detected.
Date and Time The time that the attack was detected.
From The source of the attack.
To The target host of the attack.
Service The service type.
Attack The type of attack that was detected and prevented.
Date and Time The time that the spam was detected.
From->To IP The sender and intended recipient IP addresses.
From->To Email Accounts The sender and intended recipient email addresses.
Service The service type, such as SMTP, POP or IMAP.
SPAM Type The type of spam that was detected.
Date and Time The time that the attempt to access the URL was detected.
From The host that attempted to view the URL.
URL Blocked The URL that was blocked.
Date and Time The time that the attempt to access the URL was detected.
Service The service type, such as HTTP, SMTP, POP or IMAP.
Source The source address of the session.
From The host that attempted to view the URL.
URL Blocked The URL that was blocked.
From The sender's email address or IP address.
To The intended recipient's email address or IP address.
Topology
The Topology page provides a way to diagram and document the networks connected to
your FortiGate unit. The Topology viewer is not available if Virtual Domains (VDOMs) are
enabled.
Go to System > Status > Topology to view the system topology. The Topology page
consists of a large canvas upon which you can draw a network topology diagram of your
FortiGate installation.
Zoom out. Select to display a larger portion of the drawing area in the
viewport, making objects appear smaller.
Drag. Select this control and then drag objects in the diagram to
arrange them.
Scroll. Select this control and then drag the drawing area
background to move the viewport within the drawing area. This has
the same effect as moving the viewport rectangle within the viewport
control.
Select. Select this control and then drag to create a selection
rectangle. Objects within the rectangle are selected when you
release the mouse button.
Select from existing Create a subnet object based on an existing firewall address. The
address/group object has the name of the firewall address and is connected by a line
to the interface associated with that address. For more information
about firewall addresses, see Firewall Address on page 345.
Address Name Enter a name to identify the firewall address. Addresses, address
groups, and virtual IPs must have unique names to avoid confusion in
firewall policies.
Connect to interface Select the interface or zone to associate with this address. If the field
already displays a name, changing the setting changes the interface
or zone associated with this existing address.
If the address is currently used in a firewall policy, you can choose
only the interface selected in the policy.
New addresses Create a new firewall address and add a subnet object based on that
address to the topology diagram. The address is associated with the
interface you choose.
Address Name Enter a name to identify the firewall address. Addresses, address
groups, and virtual IPs must have unique names to avoid confusion in
firewall policies.
Type Select the type of address: Subnet/IP Range or FQDN.
Subnet / IP Range If Type is Subnet / IP Range, enter the firewall IP address, followed by
a forward slash and then the subnet mask. Alternatively, enter IP
range start address, followed by a hyphen (-) and the IP range end
address.
FQDN If Type is FQDN, enter the fully qualified domain name.
Connect to interface Select the interface or zone to associate with this address.
Preview A simulated topology diagram showing the effect of the selected appearance
options.
Canvas Size The size of the drawing in pixels.
Resize to Image If you selected an image as Background, resize the diagram to fit within the
image.
Background One of:
Solid A solid color selected in Background Color.
U.S. Map A map of the United States.
World Map A map of the world.
Upload My Image Upload the image from Image Path.
Background Color Select the color of the diagram background.
Image path If you selected Upload My Image for Background, enter the path to your image,
or use the Browse button to find it.
Exterior Color Select the color of the border region outside your diagram.
Line Color Select the color of connecting lines between subnet objects and interfaces.
Line Width Select the thickness of connecting lines.
Reset to Default Reset all topology diagram settings to default.
Note: For more information about the settings that are available on the Backup and
Restore page, (such as remotely backing up to a FortiManager unit), see System
Maintenance on page 253.
You can back up configuration settings to a local PC, a FortiManager unit, FortiGuard
Analysis and Management server, or to a USB key. You can also back up to a FortiGuard
Analysis and Management server if you have FortiGuard Analysis and Management
Service enabled.
Fortinet recommends backing up all configuration settings from your FortiGate unit before
upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you
need to downgrade to FortiOS 3.0 MR7 and want to restore those configuration settings.
2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config {tftp | ftp} <backup_filename>
<tftp_server_ipaddress | ftp_server[:ftp_port]> <ftp_username>
<ftp_passwd> <encrypt_passwd>
3 Enter the following to back up the configuration to a FortiGuard Analysis and
Management server:
execute backup config management-station <comment>
After successfully backing up your configuration file, either from the CLI or the web-based
manager, proceed with upgrading to FortiOS 4.0.
The following procedure describes how to upgrade to FortiOS 4.0 in the web-based
manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process may take a few
minutes.
When the upgrade is successfully installed:
ping your FortiGate unit to verify there is still a connection.
clear the browser's cache and log in to the web-based manager.
After logging back in to the web-based manager, you should save the configuration
settings that carried forward. Some settings may have carried forward from FortiOS
3.0 MR7, while others may not have, such as certain IPS group settings. Go to System >
Maintenance > Backup and Restore to save the configuration settings that carried
forward.
Note: After upgrading to FortiOS 4.0, perform an Update Now to retrieve the latest
AV/NIDS signatures from the FortiGuard Distribution Network (FDN) as these signatures
included in the firmware may be older than those currently available on the FDN. See the
FortiGate Administration Guide for more information about updating AV/NIDS signatures.
The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings.
See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for
CLI procedure, for additional information about upgrading firmware in the CLI.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager
instead, log in to the web-based manager and go to System > Maintenance >
FortiGuard.
When downgrading to a previous firmware, only the following settings are retained:
operation mode
Interface IP/Management IP
route static table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system accprofiles.
If you created additional settings in FortiOS 4.0, make sure to back up the current
configuration before downgrading. For more information, see Backing up your
configuration on page 92.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message
similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
After the FortiGate unit uploads the firmware, you need to reconfigure your IP address
since the FortiGate unit reverts to default settings, including its default IP address. See
your install guide for configuring IP addresses.
8 Reconnect to the CLI.
9 Enter the following command to confirm the firmware image installed successfully:
get system status
See Restoring your configuration on page 101 to restore your previous configuration
settings.
5 Enter the following command to copy the backed-up configuration file to restore the
file on the FortiGate unit:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed up configuration file and
<tftp_ipv4> is the IP address of the TFTP server and <passwrd> is the password
you entered when you backed up your configuration settings. For example, if the
backed up configuration file is confall and the IP address of the TFTP server is
192.168.1.168 and the password is ghrffdt123:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the
system will reboot!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the backed up configuration file. After the file uploads, a
message, similar to the following, is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
All done. Rebooting...
This may take a few minutes.
Use the CLI show shell command to verify your settings are restored, or log in to the
web-based manager.
Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual
units that function as multiple independent units. A single FortiGate unit is then flexible
enough to serve multiple departments of an organization, separate organizations, or to act
as the basis for a service provider's managed security service.
Benefits of VDOMs
Some benefits of VDOMs are:
Easier administration
Continued security maintenance
Savings in physical space and power
Easier administration
VDOMs provide separate security domains that allow separate zones, user authentication,
firewall policies, routing, and VPN configurations. Using VDOMs can also simplify
administration of complex configurations because you do not have to manage as many
routes or firewall policies at one time. For more information, see VDOM configuration
settings on page 104.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the
FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall policies,
routing settings, and VPN settings.
Also you can assign an administrator account restricted to that VDOM. If the VDOM is
created to serve an organization, this feature enables the organization to manage its own
configuration.
Management systems such as SNMP, logging, alert email, FDN-based updates and NTP-based
time setting use addresses and routing in the management VDOM to communicate
with the network. They can connect only to network resources that communicate with the
management virtual domain. The management VDOM is set to root by default, but you
can change it. For more information, see Changing the management VDOM on
page 116.
Note: During configuration on a FortiAnalyzer unit, VDOMs count toward the maximum
number of FortiGate units allowed by the FortiAnalyzer unit's license. The total number of
devices registered can be seen on the FortiAnalyzer unit's System Status page under
License Information.
If virtual domain configuration is enabled and you log in as the default super_admin, you
can go to System > Status and look at Virtual Domain in the License Information section to
see the maximum number of virtual domains supported on your FortiGate unit.
For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.
The following configuration settings are exclusively part of a virtual domain and are not
shared between virtual domains. A regular VDOM administrator sees only these settings.
The default super_admin can also access these settings, but must first select which
VDOM to configure.
Table 6: VDOM configuration settings
Enabling VDOMs
Using the default admin administration account, you can enable multiple VDOM operation
on the FortiGate unit.
VDOM licenses
All FortiGate units, except the 30B, support 10 VDOMs by default.
High-end FortiGate models support the purchase of a VDOM license key from customer
service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500.
Configuring 250 or more VDOMs will result in reduced system performance.
Note: Your FortiGate unit has limited resources that are divided amongst all configured
VDOMs. These resources include system memory and CPU. When running 250 or more
VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web
filtering, or antivirus; your FortiGate unit can only provide basic firewall functionality.
Tip: If you do not have a System > Maintenance > License tab, your FortiGate model does
not support more than 10 VDOMs.
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any
connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of
registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer
Administration Guide.
Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If
you attempt to name a new VDOM vsys_ha or vsys_fgfm, the FortiGate unit will
generate an error.
Note: When creating 250 or more VDOMs, you cannot enable UTM features such as
proxies, web filtering, and antivirus due to limited resources. Also when creating large
numbers of VDOMs, you may experience reduced performance. To improve performance
with multiple VDOMs, see VDOM resource limits on page 117.
Create New Select to add a new VDOM. Enter the new VDOM name and select OK.
The VDOM must not have the same name as an existing VDOM, VLAN or
zone. The VDOM name can have a maximum of 11 characters and must
not contain spaces.
Management Virtual Domain Change the management VDOM to the selected VDOM in the list. The
management VDOM is then grayed out in the Enable column. The default
management VDOM is root.
For more information, see Changing the management VDOM on
page 116.
Apply Select to save your changes to the Management VDOM.
Enable There are three states this column can be in.
A green check mark indicates this VDOM is enabled, and that you can
select the Enter icon to change to that VDOM.
An empty check box indicates this VDOM is disabled. When disabled,
the configuration of that VDOM is preserved. The Enter icon is not
available.
A grayed-out check box indicates this VDOM is the management
VDOM. It cannot be deleted or changed to disabled; it is always active.
Name The name of the VDOM.
Operation Mode The VDOM operation mode, either NAT or Transparent.
When a VDOM is in Transparent mode, SNMP can display the
management address, address type and subnet
mask for that VDOM. For more information, see SNMP on page 185.
Interfaces The interfaces associated with this VDOM, including virtual interfaces.
Every VDOM includes an SSL VPN virtual interface named for that VDOM.
For the root VDOM this interface is ssl.root.
Comments Comments added by an admin when this VDOM was created.
Delete icon Delete the VDOM.
The Delete icon appears only when there are no configuration objects
associated with that VDOM. For example, you must remove all referring
interfaces, profiles, and so on before you can delete the VDOM.
If the icon does not appear and you do not want to delete all the referring
configuration, you can disable the VDOM instead. The disabled VDOM
configuration remains in memory, but the VDOM is not usable until it is
enabled.
Edit icon Change the description of the VDOM. The name of the VDOM cannot be
changed.
Enter icon Enter the selected VDOM.
After entering a VDOM you will only be able to view and change settings
specific to that VDOM.
Inter-VDOM links
An inter-VDOM link is a pair of interfaces that enable you to communicate between two
VDOMs internally without using a physical interface. Inter-VDOM links have the same
security as physical interfaces, but allow more flexible configurations that are not limited
by the number of physical interfaces on your FortiGate unit. As with all virtual interfaces,
the speed of the link depends on the CPU load, but generally it is faster than physical
interfaces. There are no MTU settings for inter-VDOM links. DHCP support includes inter-VDOM links.
A packet can pass through an inter-VDOM link a maximum of three times. This is to
prevent a loop. When traffic is encrypted or decrypted, it changes the content of the
packets and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels
does not reset the counter.
In HA mode, inter-VDOM links must have both ends of the link within the same virtual
cluster. DHCP over IPSec is supported for inter-VDOM links, however regular DHCP
services are not available.
To view inter-VDOM links, go to System > Network > Interface. When an inter-VDOM link
is created, it automatically creates a pair of virtual interfaces that correspond to the two
internal VDOMs. Each of the virtual interfaces is named using the inter-VDOM link name
with an added 0 or 1. So if the inter-VDOM link is called vlink, the interfaces are
vlink0 and vlink1. Select the Expand Arrow beside the VDOM link to display the virtual
interfaces.
5 Enter the name for the new VDOM link, up to a maximum of 11 characters.
The name must not contain any spaces or special characters. Hyphens (-) and
underlines (_) are allowed. Remember that the name will have a 0 or 1 attached to
the end for the actual interfaces.
6 Configure VDOM link 0.
7 Select the VDOM from the menu that this interface will connect to.
8 Enter the IP address and netmask for this interface.
9 Select the administrative access method or methods. Keep in mind that PING,
TELNET, and HTTP are less secure methods.
10 Optionally enter a description for this interface.
11 Repeat steps 7 through 10 for VDOM link 1.
12 Select OK to save your configuration and return to the System > Interface screen.
Note: You can reassign or remove an interface or subinterface once the Delete icon is
displayed. Absence of the icon means that the interface is being used in a configuration
somewhere.
Tip: You can disable a VDOM instead of deleting it. Your configuration will be preserved,
saving time you would otherwise need to remove and reconfigure it.
Note: If an admin account is assigned to a VDOM, that VDOM cannot be deleted until that
account is assigned to another VDOM or removed.
Note: You cannot change the management VDOM if any administrators are using RADIUS
authentication.
Note: The resource limits vary for different FortiGate models. The resource limits are
increased when two or more FortiGates are in HA mode due to the increased resources
that are available to the HA cluster.
If you enter a value that is not valid, the web-based manager displays the range of valid
values.
System Network
This section describes how to configure your FortiGate unit to operate in your network.
Basic network settings include configuring FortiGate interfaces and DNS settings. More
advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate
network configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, you configure most system
network settings globally for the entire FortiGate unit. For example, all interface settings,
including adding interfaces to VDOMs, are part of the global configuration. However,
zones, the modem interface, and the Transparent mode routing table are configured
separately for each virtual domain. For details, see Using virtual domains on page 103.
This section describes:
Interfaces
Configuring zones
Configuring the modem interface
Configuring Networking Options
Web Proxy
Routing table (Transparent Mode)
VLAN overview
VLANs in NAT/Route mode
VLANs in Transparent mode
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate
interface or to a virtual FortiGate VLAN subinterface.
Note: If you can enter both an IP address and a netmask in the same field, you can use the
short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered
as 192.168.1.100/24.
Interfaces
In NAT/Route mode, go to System > Network > Interface to configure FortiGate interfaces.
You can:
modify the configuration of a physical interface
add and configure VLAN subinterfaces
aggregate several physical interfaces into an IEEE 802.3ad interface (models 300A,
400A, 500A, and 800 or higher)
combine physical interfaces into a redundant interface
add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs) (see
Adding a wireless interface on page 163)
add and configure VDOM links (see Inter-VDOM links on page 113)
view loopback interfaces
configure the modem (see Configuring the modem interface on page 139)
change which information about the interfaces is displayed
For information about VLANs, see FortiGate units and VLANs on page 151.
Figure 53: Interface list - admin view with virtual domains enabled
Name The names of the physical interfaces on your FortiGate unit. This includes any
alias names that have been configured.
The name, including number, of a physical interface depends on the model.
Some names indicate the default function of the interface such as Internal,
External and DMZ. Other names are generic such as port1.
FortiGate models numbered 50 and 60 provide a modem interface. Also
models with a USB port support a connected modem. See Configuring the
modem interface on page 139.
The oob/ha interface is the FortiGate-4000 out of band management interface.
You can connect to this interface to manage the FortiGate unit. This interface is
also available as an HA heartbeat interface.
On FortiGate models 300A, 310B, 400A, 500A, 620B, and 800 or higher, if you
combine several interfaces into an aggregate interface, only the aggregate
interface is listed, not the component interfaces. The same is true for
redundant interfaces. See Creating an 802.3ad aggregate interface on
page 127 or Creating a redundant interface on page 128.
If you have added VLAN subinterfaces, they also appear in the name list,
below the physical or aggregated interface to which they have been added.
See VLAN overview on page 150.
If you have loopback virtual interfaces configured you will be able to view them.
You can only edit these interfaces in the CLI. For more information on these
interfaces see Configuring interfaces with CLI commands on page 134 or the
config system interface command in the FortiGate CLI Reference.
If you have software switch interfaces configured, you will be able to view
them. You can only edit these interfaces in the CLI. For more information on
these interfaces see Configuring interfaces with CLI commands on page 134
or the config system switch-interface command in the
FortiGate CLI Reference.
If virtual domain configuration is enabled, you can view information only for the
interfaces that are in your current virtual domain, unless you are using the
super admin account.
If VDOMs are enabled, you will be able to create, edit, and view inter-VDOM
links. For more information see Inter-VDOM links on page 113.
If you have interface mode enabled on a FortiGate model 100A or 200A
Rev2.0 or higher or on the FortiGate-60B and FortiWiFi-60B models, you will
see multiple internal interfaces. If switch mode is enabled, there will only be
one internal interface. For more information see Switch Mode on page 122.
If your FortiGate unit supports AMC modules and have installed an AMC
module containing interfaces (for example, the FortiGate-ASM-FB4 contains 4
interfaces), these interfaces are added to the interface status display. The
interfaces are named AMC-SW1/1, AMC-DW1/2, and so on. SW1 or DW1 indicates a
single-width or double-width card, respectively, in slot 1. The last number, /1,
indicates the interface number on that card; for the ASM-FB4 card there would
be /1 through /4.
IP/Netmask The current IP address/netmask of the interface.
In VDOM mode, when VDOMs are not all in NAT or Transparent mode some
values may not be available for display and will be displayed as - instead.
When IPv6 Support on GUI is enabled, IPv6 addresses may be displayed in
this column.
Access The administrative access configuration for the interface.
See Administrative access to an interface on page 135.
Administrative Status The administrative status for the interface.
If the administrative status is a green arrow, the interface is up and can accept
network traffic. If the administrative status is a red arrow, the interface is
administratively down and cannot accept traffic. To change the administrative
status, select Bring Down or Bring Up.
Link Status The status of physical connection.
The status of a non-physical interface will always be down.
MAC The MAC address of the interface.
Mode Shows the addressing mode of this interface such as manual, DHCP, or
PPPoE.
MTU The maximum number of bytes per transmission unit. Anything over 1 500 bytes
is a jumbo frame. See Interface MTU packet size on page 135.
Column Settings
Go to System > Network > Column Settings to change which information about the
interfaces is displayed.
The VDOM field is only available for display when VDOMs are enabled.
Available fields The list of fields (columns) not currently being displayed.
Show these fields in this order The list of fields (columns) currently being displayed.
They are displayed in order: top to bottom of the list is displayed left to right
on screen.
Right arrow Move selected fields to the Show these fields in this order list.
Left arrow Move selected fields to the Available fields list.
Move up Move selected item up in the Show these fields in this order list. The
corresponding column is moved to the left on the network interface display.
Move down Move selected item down in the Show these fields in this order list. The
corresponding column is moved to the right on the network interface
display.
Switch Mode
The internal interface is a switch with either four or six physical interface connections,
depending on the FortiGate model. Normally the internal interface is configured as a
single interface shared by all physical interface connections - a switch.
The switch mode feature has two states - switch mode and interface mode. Switch mode
is the default mode with only one interface and one address for the entire internal switch.
Interface mode allows you to configure each of the internal switch physical interface
connections separately. This allows you to assign different subnets and netmasks to each
of the internal physical interface connections.
FortiGate models 100A and 200A Rev2.0 and higher have four internal interface
connections. The FortiGate-60B and FortiWifi-60B have six internal interface connections.
Consult your release notes for the most current list of supported models for this feature.
Selecting Switch Mode on the System > Network > Interface screen displays the Switch
Mode Management screen.
Caution: Before you can change between switch mode and interface mode, all
references to internal interfaces must be removed. This includes references in
firewall policies, routing, DNS forwarding, DHCP services, and VDOM interface
assignments. If they are not removed, you will not be able to switch modes and
you will see an error message.
Switch Mode Select Switch Mode. Only one internal interface is displayed. This is the default
mode.
Interface Mode Select Interface Mode. All internal interfaces on the switch are displayed as
individually configurable interfaces.
Switch Mode can also be configured using CLI commands. For more information see the
FortiGate CLI Reference.
Interface settings
Go to System > Network > Interface and select Create New.
Selecting the Create New arrow enables you to create Inter-VDOM links. For more
information on Inter-VDOM links, see Inter-VDOM links on page 113.
Some types of interfaces, such as loopback interfaces, can only be configured using CLI
commands. For more information, see Configuring interfaces with CLI commands on
page 134 or the FortiGate CLI Reference.
To be able to configure a DHCP server on an interface, that interface must have a static IP
address.
You cannot create a virtual IPSec interface on this screen, but you can specify its endpoint
addresses, enable administrative access and provide a description if you are editing an
existing interface. For more information, see Configuring a virtual IPSec interface on
page 133.
Physical Interface Members This section has two different forms depending on the interface type:
Software switch interface - this section is a display-only field showing the
interfaces that belong to the software switch virtual interface.
802.3ad aggregate or Redundant interface - this section includes available
interface and selected interface lists to enable adding or removing interfaces
from the interface.
Available Interfaces Select interfaces from this list to include in the grouped interface - either
redundant or aggregate interface. Select the right arrow to add an interface to the
grouped interface.
Selected Interfaces These interfaces are included in the aggregate or redundant interface.
Select the left arrow to remove an interface from the grouped interface.
For redundant interfaces, the interfaces will be activated during failover from the
top of the list to the bottom.
Addressing mode Select the type of addressing mode as Manual, DHCP, or PPPoE.
To configure a static IP address for the interface, select Manual.
By default, low-end models are configured to DHCP addressing mode with
Override Internal DNS and Retrieve default Gateway from DHCP server both
enabled. These settings allow for easy out-of-the-box configuration.
You can also configure the interface for dynamic IP address assignment. For
more information, see Configuring DHCP on an interface on page 130 or
Configuring an interface for PPPoE on page 131.
IP/Netmask Enter the IP address/subnet mask in the IP/Netmask field. The IP address must
be on the same subnet as the network to which the interface connects.
Two interfaces cannot have IP addresses on the same subnet.
This field is only available when Manual addressing mode is selected.
DDNS Select DDNS to configure a Dynamic DNS service for this interface. For more
information, see Configuring Dynamic DNS on an interface on page 132.
Ping Server To enable dead gateway detection, enter the IP address of the next hop router on
the network connected to the interface and select Enable. For more information,
see Dead gateway detection on page 146.
Explicit Web Proxy Select to enable explicit web proxying on this interface. When enabled, this
interface will be displayed on System > Network > Web Proxy under Listen on
Interfaces and web traffic on this interface will be proxied according to the Web
Proxy settings. For more information, see Web Proxy on page 147.
Administrative Access Select the types of administrative access permitted on this interface.
HTTPS Allow secure HTTPS connections to the web-based manager through this
interface.
PING Interface responds to pings. Use this setting to verify your installation and for
testing.
HTTP Allow HTTP connections to the web-based manager through this interface. HTTP
connections are not secure and can be intercepted by a third party.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to
this interface. See Configuring SNMP on page 186.
TELNET Allow Telnet connections to the CLI through this interface. Telnet connections are
not secure and can be intercepted by a third party.
MTU To change the MTU, select Override default MTU value (1 500) and enter the
MTU size based on the addressing mode of the interface:
68 to 1 500 bytes for static mode
576 to 1 500 bytes for DHCP mode
576 to 1 492 bytes for PPPoE mode
up to 16 110 bytes for jumbo frames (on FortiGate models that support jumbo
frames)
NP2-accelerated interfaces support a jumbo frame limit of 16 000 bytes
FA2-accelerated interfaces do not support jumbo frames
This field is available only on physical interfaces. VLANs inherit the parent
interface MTU size by default.
For more information on MTU and jumbo frames, see Interface MTU packet size
on page 135.
Secondary IP Address Add additional IP addresses to this interface. Select the blue arrow to expand or
hide the section. See Secondary IP Addresses on page 136.
Description Enter a description up to 63 characters.
Administrative Status Select either Up (green arrow) or Down (red arrow) as the status of this interface.
Up indicates the interface is active and can accept network traffic.
Down indicates the interface is not active and cannot accept traffic.
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you
will lose the acceleration. For example, if you aggregate two accelerated interfaces you will
get slower throughput than if the two interfaces were separate.
Note: FortiGate-5000 backplane interfaces have to be made visible before they can be
added to an aggregate or a redundant interface.
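The HTTP and Telnet options in the Administrative Access field above carry administrator credentials in cleartext, so a practitioner normally leaves only HTTPS, SSH and (for troubleshooting) PING enabled on interfaces that accept management traffic. The following Python script is an added example, not Fortinet code: it audits a FortiOS-style config system interface block for those two protocols and proposes the hardened allowaccess list. The configuration snippet it parses is constructed sample text, and the parser only handles the edit, set allowaccess, next and end keywords shown on this page.

```python
"""Audit 'set allowaccess' lines in a FortiOS-style 'config system interface'
block and flag the cleartext management protocols (HTTP, Telnet).

Added example for this guide; the parser is a minimal one for the CLI
syntax shown on this page and is not Fortinet code.  SAMPLE_CONFIG is a
constructed snippet, not a real device configuration.
"""
import re

# Protocols the guide warns can be intercepted by a third party.
INSECURE = {"http", "telnet"}
# Encrypted replacements: HTTP -> HTTPS, Telnet -> SSH.
REPLACEMENT = {"http": "https", "telnet": "ssh"}

SAMPLE_CONFIG = """\
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess https ssh
    next
    edit "dmz"
        set mode dhcp
        set allowaccess ping
    next
end
"""


def parse_allowaccess(config_text):
    """Return {interface name: [protocols]} for every edit block.

    An interface without a 'set allowaccess' line gets an empty list,
    which is also the most restrictive setting.
    """
    result = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if line in ("next", "end"):
            current = None
            continue
        m = re.match(r"set allowaccess\s+(.*)$", line)
        if m and current is not None:
            result[current] = m.group(1).split()
    return result


def insecure_protocols(protocols):
    """Protocols in the list that carry credentials in cleartext."""
    return sorted(p for p in protocols if p.lower() in INSECURE)


def hardened(protocols):
    """Drop cleartext protocols, keeping their encrypted equivalents."""
    keep = []
    for p in protocols:
        secure = REPLACEMENT.get(p.lower(), p.lower())
        if secure not in keep:
            keep.append(secure)
    return keep


def audit(config_text):
    """Map each interface that allows a cleartext protocol to a finding."""
    findings = {}
    for name, protos in parse_allowaccess(config_text).items():
        bad = insecure_protocols(protos)
        if bad:
            findings[name] = {"insecure": bad, "recommended": hardened(protos)}
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG).items():
        print(f"{name}: cleartext access {finding['insecure']} -> "
              f"use 'set allowaccess {' '.join(finding['recommended'])}'")
```

Run against a saved configuration backup, the script reports each interface that still accepts HTTP or Telnet together with the allowaccess line that keeps the same management reachability over encrypted protocols only.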
When an interface is included in an aggregate interface, it is not listed on the System >
Network > Interface screen. You cannot configure the interface individually and it is not
available for inclusion in firewall policies, VIPs, IP pools, or routing.
In a redundant interface, traffic is only going over one interface at any time. This differs
from an aggregated interface where traffic is going over all interfaces for increased
bandwidth. This difference means redundant interfaces can have more robust
configurations with fewer possible points of failure. This is important in a fully-meshed HA
configuration.
FortiGate firmware on models 300A, 310B, 400A, 500A, 620B, and models 800 and
higher implements redundant interfaces.
An interface is available to be in a redundant interface if:
it is a physical interface, not a VLAN interface
it is not already part of an aggregated or redundant interface
it is in the same VDOM as the redundant interface
it has no defined IP address and is not configured for DHCP or PPPoE
it has no DHCP server or relay configured on it
it does not have any VLAN subinterfaces
it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
it is not monitored by HA
it is not one of the FortiGate 5000 series backplane interfaces
When an interface is included in a redundant interface, it is not listed on the System >
Network > Interface page. You cannot configure the interface individually and it is not
available for inclusion in firewall policies, VIPs, IP pools, or routing.
5 In the Available Interfaces list, select each interface that you want to include in the
redundant interface and move it to the Selected Interfaces list.
In a failover situation, the interface activated will be the next interface down the
Selected Interfaces list.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it.
For information about dynamic addressing, see:
Configuring DHCP on an interface on page 130
Configuring an interface for PPPoE on page 131
7 Configure other interface options as required.
8 Select OK.
Status Displays DHCP status messages as the FortiGate unit connects to the
DHCP server and gets addressing information. Select Status to refresh
the addressing mode status message.
Only displayed if you selected Edit.
Status can be one of:
initializing - No activity.
connecting - interface attempts to connect to the DHCP server.
connected - interface retrieves an IP address, netmask, and other
settings from the DHCP server.
failed - interface was unable to retrieve an IP address and other
settings from the DHCP server.
Obtained IP/Netmask The IP address and netmask leased from the DHCP server.
Only displayed if Status is connected.
Renew Select to renew the DHCP lease for this interface.
Only displayed if Status is connected.
Expiry Date The time and date when the leased IP address and netmask is no longer
valid.
Only displayed if Status is connected.
Default Gateway The IP address of the gateway defined by the DHCP server.
Only displayed if Status is connected and Retrieve default gateway
from server is selected.
Distance Enter the administrative distance for the default gateway retrieved from
the DHCP server. The administrative distance, an integer from 1-255,
specifies the relative priority of a route when there are multiple routes to
the same destination. A lower administrative distance indicates a more
preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server Enable to retrieve a default gateway IP address from the DHCP server.
The default gateway is added to the static routing table.
Enabled by default on low-end models.
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP server
instead of the DNS server IP addresses on the DNS page.
On low end models, this is enabled by default.
When VDOMs are enabled, you can override the internal DNS only on
the management VDOM.
Connect to Server Enable so that the interface automatically attempts to connect to a DHCP
server. Disable this option if you are configuring the interface offline.
Status Displays PPPoE status messages as the FortiGate unit connects to the
PPPoE server and gets addressing information. Select Status to refresh the
addressing mode status message.
Only displayed if you selected Edit.
Status can be one of the following 4 messages.
initializing No activity.
Server Select a DDNS server to use. The client software for these services is built into the
FortiGate firmware. The FortiGate unit can connect only to one of these services.
Domain Enter the fully qualified domain name of the DDNS service.
Username Enter the user name to use when connecting to the DDNS server.
Password Enter the password to use when connecting to the DDNS server.
Loopback interface
A loopback interface is an always-up virtual interface that is not connected to any other
interface. A loopback interface lets other systems reach an IP address on the FortiGate unit
without depending on a specific physical port.
A loopback interface is not connected to hardware, so it is not affected by hardware
problems. As long as the FortiGate unit is functioning, the loopback interface is active.
This always-up property is useful in dynamic routing, where the FortiGate unit relies on
remote routers to learn routes and on local firewall policies to control access to the
loopback interface.
The CLI command to configure a loopback interface called loop1 with an IP address of
10.0.0.10 is:
config system interface
edit loop1
set type loopback
set ip 10.0.0.10 255.255.255.0
end
For more information, see config system interface in the FortiGate CLI Reference.
Similar to aggregate interfaces, a soft switch interface functions like a normal interface. A
soft switch interface has one IP address. You create firewall policies to and from soft
switch interfaces and soft switch interfaces can be added to zones. There are some
limitations; soft switch interfaces cannot be monitored by HA or used as HA heartbeat
interfaces.
To add interfaces to a software switch group, no configuration settings can refer to those
interfaces. This includes default routes, VLANs, inter-VDOM links, and policies. You can
view available interfaces on the CLI when entering the set member command by using
? or <TAB> to scroll through the available list.
The CLI command to configure a software switch interface called soft_switch with port1,
external and dmz interfaces is:
config system switch-interface
edit soft_switch
set members port1 external dmz
end
For more information, see config system switch-interface in the FortiGate CLI Reference.
FortiGate models numbered 3 000 and higher support jumbo frames - frames larger than
the traditional 1 500 bytes. Some models support a jumbo frame limit of 9 000 bytes while
others support 16 110 bytes. NP2-accelerated interfaces support a jumbo frame limit of
16 000 bytes. FA2-accelerated interfaces do not support jumbo frames. Jumbo frames are
much larger than the standard maximum Ethernet frame size of 1 500 bytes. As new
Ethernet standards have been implemented (such as Gigabit Ethernet), 1 500 byte frames
have remained in the standard for backward compatibility.
To be able to send jumbo frames over a route, all Ethernet devices on that route must
support jumbo frames, otherwise your jumbo frames are not recognized and are dropped.
If you have standard ethernet and jumbo frame traffic on the same interface, routing alone
cannot route them to different routes based only on frame size. However you can use
VLANs to make sure the jumbo frame traffic is routed over network devices that support
jumbo frames. VLANs will inherit the MTU size from the parent interface. You will need to
configure the VLAN to include both ends of the route as well as all switches and routers
along the route. For more information on VLAN configurations, see the VLAN and VDOM
guide.
Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU
value of VLAN subinterfaces on the modified interface.
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
Secondary IP Addresses
An interface can be assigned more than one IP address. You can create and apply
separate firewall policies for each IP address on an interface. You can also forward traffic
and use RIP or OSPF routing with secondary IP addresses.
There can be up to 32 IP addresses per interface, counting the primary address, the
secondary addresses, and any other IP addresses assigned to the interface. Primary and
secondary IP addresses can share the same ping generator.
The following conditions must be met before you can assign a secondary IP
address:
A primary IP address must be assigned to the interface.
The interface must use manual addressing mode.
By default, IP addresses cannot be part of the same subnet. To allow interface subnet
overlap, enable the allow-interface-subnet-overlap setting under config system global in
the CLI (see the note in VLAN overview).
Access The administrative access methods for this address. They can be different
from the primary IP address.
Delete Icon Select to remove this secondary IP entry.
Note: It is recommended that after adding a secondary IP, you refresh the secondary IP
table and verify your new address is listed. If not, one of the restrictions (have a primary IP
address, use manual addressing mode, more than one IP on the same subnet, more than
32 IP addresses assigned to the interface, etc.) prevented the address from being added.
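The restrictions listed above are easy to check before touching the device. The following Python function is an added example, not Fortinet code: it applies the four rules (a primary address exists, manual addressing, at most 32 addresses on the interface, and no subnet overlap with any address on any interface unless allow-interface-subnet-overlap is enabled) to a candidate secondary address. The interface table and addresses are constructed sample data, and the dictionary layout is an assumption for the example.

```python
"""Check whether an address may be added as a secondary IP of an interface.

Added example for this guide (not Fortinet code).  It applies the
restrictions listed above: a primary address must exist, the interface
must use manual addressing, the total number of addresses on the
interface is capped at 32, and, unless allow-interface-subnet-overlap is
enabled, the new subnet must not overlap a subnet already used by any
interface.  Interface records and addresses are constructed sample data.
"""
import ipaddress

MAX_ADDRESSES_PER_INTERFACE = 32


def _net(cidr):
    # strict=False keeps host bits: 10.1.1.5/24 -> network 10.1.1.0/24
    return ipaddress.ip_interface(cidr).network


def secondary_ip_error(interfaces, name, new_cidr, allow_subnet_overlap=False):
    """Return None if new_cidr can be added to interface `name`, else the reason.

    `interfaces` maps interface name -> {"mode": "manual"|"dhcp"|"pppoe",
    "ips": [primary, secondary, ...]} with addresses in "a.b.c.d/nn" form.
    """
    iface = interfaces[name]
    if not iface["ips"]:
        return "no primary IP address assigned"
    if iface["mode"] != "manual":
        return f"interface uses {iface['mode']} addressing, not manual"
    if len(iface["ips"]) >= MAX_ADDRESSES_PER_INTERFACE:
        return f"interface already has {MAX_ADDRESSES_PER_INTERFACE} addresses"
    new_net = _net(new_cidr)
    if not allow_subnet_overlap:
        # The same-subnet rule applies to every interface, including this one.
        for other, data in interfaces.items():
            for cidr in data["ips"]:
                if new_net.overlaps(_net(cidr)):
                    return f"subnet {new_net} overlaps {cidr} on {other}"
    return None


# Constructed sample interface table
SAMPLE_INTERFACES = {
    "internal": {"mode": "manual", "ips": ["192.168.1.99/24"]},
    "dmz":      {"mode": "manual", "ips": ["10.10.10.1/24"]},
    "wan1":     {"mode": "dhcp",   "ips": ["203.0.113.10/24"]},
}

if __name__ == "__main__":
    for iface, cidr in [("internal", "192.168.2.1/24"),
                        ("internal", "10.10.10.254/24"),
                        ("wan1", "203.0.113.11/24")]:
        err = secondary_ip_error(SAMPLE_INTERFACES, iface, cidr)
        print(f"{iface} += {cidr}: {'ok' if err is None else err}")
```

The overlap check is the one most often tripped in practice: the new secondary is compared against every address on every interface, not only against the primary of the interface being edited, which matches the behaviour described in the note above.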
Configuring zones
Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can
configure policies for connections to and from a zone, but not between interfaces in a
zone.
You can add zones, rename and edit zones, and delete zones from the zone list. When
you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to
the zone.
Zones are configured from virtual domains. If you have added multiple virtual domains to
your FortiGate configuration, make sure you are configuring the correct virtual domain
before adding or editing zones.
Note: The modem interface is not the AUX port. While the modem and AUX port may
appear similar, the AUX port has no associated interface and is used for remote console
connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and
3000A. For more information, see the config system aux command in the
FortiGate CLI Reference.
Note: You cannot configure and use the modem in Transparent mode.
Figure 68 shows the only the settings specific to standalone mode. The remaining settings
are common to both standalone and redundant modes and are shown in Figure 69.
Note: Do not add policies for connections between the modem interface and the ethernet
interface that the modem is backing up.
Redundant for From the list, select the interface to back up.
Holddown timer Enter the number of seconds to continue using the modem after the
network connectivity is restored.
Redial Limit Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1 Enter the ISP phone number, user name and password for up to three
Dialup Account 2 dialup accounts.
Dialup Account 3
4 Select Apply.
5 Configure a ping server for the ethernet interface the modem backs up.
See To add a ping server to an interface on page 146.
6 Configure firewall policies for network connectivity through the modem interface.
See Adding firewall policies for modem connections on page 144.
Auto-dial Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand Select if you want the modem to connect to its ISP whenever there are
unrouted packets.
Idle timeout Enter the timeout duration in minutes. After this period of inactivity, the
modem disconnects.
Redial Limit Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1 Enter the ISP phone number, user name and password for up to three
Dialup Account 2 dialup accounts.
Dialup Account 3
4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface.
See Adding firewall policies for modem connections on page 144.
6 Go to Router > Static and set device to modem to configure static routes to route
traffic to the modem interface.
See Adding a static route to the routing table on page 284.
Note: The modem must be in Standalone mode before connecting or disconnecting from a
dialup account.
Figure 70: Configuring Networking Options - FortiGate models 200 and higher
Figure 71: Configuring Networking Options - FortiGate models 100 and lower
Obtain DNS server address automatically This option applies only to FortiGate models 100 and lower.
Select to obtain the DNS server IP addresses from the DHCP or PPPoE
server when an interface uses dynamic addressing. Available only
in NAT/Route mode. You should also enable Override internal DNS
in the DHCP settings of the interface. See Configuring DHCP on an
interface on page 130.
Use the following DNS server addresses This option applies only to FortiGate models 100 and lower.
Use the specified Primary DNS Server and Secondary DNS Server
addresses.
Primary DNS Server Enter the primary DNS server IP address.
Secondary DNS Server Enter the secondary DNS server IP address.
Local Domain Name Enter the domain name to append to addresses with no domain
portion when performing DNS lookups.
Enable DNS forwarding This option applies only to FortiGate models 100 and lower
operating in NAT/Route mode.
Select the interfaces that forward DNS requests they receive to the
configured DNS servers.
Dead Gateway Detection Dead gateway detection confirms connectivity using a ping server
added to an interface configuration. For information about adding a
ping server to an interface, see Dead gateway detection on
page 146.
Detection Interval Enter a number in seconds to specify how often the FortiGate unit
pings the target.
Fail-over Detection Enter the number of times that the ping test fails before the FortiGate
unit assumes that the gateway is no longer functioning.
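Detection Interval and Fail-over Detection together fix how long a dead gateway goes unnoticed: roughly interval multiplied by the failure count. The following Python model is an added example, not Fortinet code, that replays a sequence of ping results through those two settings and records when the gateway is declared down. It assumes a counter of consecutive failures that any successful reply resets, and that the gateway is considered alive again on the first successful reply after being declared dead; the real implementation may differ in those details. The ping results are constructed sample data.

```python
"""Dead gateway detection as a replayable state machine.

Added example for this guide (not Fortinet code).  It models the two
settings shown above: a detection interval (seconds between pings) and a
fail-over detection count (consecutive failed pings before the gateway is
declared dead).  Assumptions: a counter of consecutive failures, reset by
any successful reply, and a gateway that is considered alive again on the
first successful reply after being declared dead.  The ping replies are
constructed sample data.
"""


class DeadGatewayDetector:
    def __init__(self, detection_interval=5, failover_detection=5):
        if detection_interval < 1 or failover_detection < 1:
            raise ValueError("interval and failure count must be >= 1")
        self.interval = detection_interval
        self.threshold = failover_detection
        self.failures = 0          # consecutive failed pings
        self.alive = True
        self.elapsed = 0           # seconds of simulated time
        self.events = []           # (time, "down" | "up")

    def observe(self, reply_received):
        """Feed one ping result; return True if the gateway is still alive."""
        self.elapsed += self.interval
        if reply_received:
            self.failures = 0
            if not self.alive:
                self.alive = True
                self.events.append((self.elapsed, "up"))
        else:
            self.failures += 1
            if self.alive and self.failures >= self.threshold:
                self.alive = False
                self.events.append((self.elapsed, "down"))
        return self.alive


def replay(replies, detection_interval=5, failover_detection=5):
    """Run a sequence of ping results and return the state-change events."""
    detector = DeadGatewayDetector(detection_interval, failover_detection)
    for reply in replies:
        detector.observe(reply)
    return detector.events


# Constructed sample: three failures do not trip a threshold of 5 ...
SAMPLE_REPLIES = [True, False, False, False, True,
                  # ... but five consecutive failures do.
                  False, False, False, False, False,
                  True]

if __name__ == "__main__":
    for t, state in replay(SAMPLE_REPLIES, 5, 5):
        print(f"t={t:>3}s gateway {state}")
```

With the defaults of a 5 second interval and 5 failures, the sample gateway is declared dead 50 seconds into the replay; lowering either value shortens the outage window but makes the detector more sensitive to transient packet loss, which is the trade-off to weigh when tuning these two fields.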
DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can
specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS
server IP addresses are usually supplied by your ISP.
You can configure FortiGate models numbered 100 and lower to obtain DNS server
addresses automatically. To obtain these addresses automatically, at least one FortiGate
unit interface must use the DHCP or PPPoE addressing mode. See Configuring DHCP
on an interface on page 130 or Configuring an interface for PPPoE on page 131.
FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts
on the attached network use the interface IP address as their DNS server. DNS requests
sent to the interface are forwarded to the DNS server addresses that you configured or
that the FortiGate unit obtained automatically.
4 Select Enable.
5 Select OK.
Web Proxy
You can use the Web Proxy settings and FortiGate interface settings to enable explicit
HTTP and HTTPS proxying on one or more interfaces. When enabled, the FortiGate unit
becomes a web proxy server. All HTTP and HTTPS sessions received by interfaces with
Explicit web proxy enabled are intercepted by the explicit web proxy and relayed to their
destinations.
To use the explicit proxy, users must add the IP address of a FortiGate interface and the
explicit proxy port number to the proxy configuration settings of their web browsers.
On FortiGate units that support WAN optimization you can also enable web caching for
the explicit proxy. For more information, see Web caching on page 610.
To enable explicit web proxy on an interface, go to System > Network > Interface, select
the interface, and enable explicit web proxy. If VDOMs are enabled, only interfaces that
belong to the current VDOM and have explicit web proxy enabled will be displayed. If you
enable the web proxy on an interface that has VLANs on it, the VLANs will only be
enabled for web proxy if you manually enable each of them. Web proxy is not in the Global
Network section when VDOMs are enabled.
Note: To enable protection profiles for explicit web proxy traffic, you must configure 2
VDOMs and use inter-VDOM routing to pass the web traffic between them.
Web proxies are configured for each VDOM when VDOMs are enabled.
To configure web proxies go to System > Network > Web Proxy.
Proxy FQDN Enter the fully qualified domain name (FQDN) for the proxy server.
This is the domain name to enter into browsers to access the proxy
server.
Max HTTP request length Enter the maximum length of an HTTP request. Larger requests
will be rejected.
Max HTTP message length Enter the maximum length of an HTTP message. Larger messages
will be rejected.
Add headers to Forwarded Requests The web proxy server will forward HTTP requests to the internal
network. You can include the following headers in those requests:
Client IP Header Enable to include the Client IP Header from the original HTTP
request.
Via Header Enable to include the Via Header from the original HTTP request.
X-forwarded-for Header Enable to include the X-Forwarded-For (XFF) HTTP header.
The XFF HTTP header identifies the originating IP address of a
web client or browser that is connecting through an HTTP proxy,
and the remote addresses it passed through to this point.
Front-end HTTPS Header Enable to include the Front-end HTTPS header from the original
HTTPS request.
Explicit Web Proxy Options Web proxies can be transparent or explicit. Transparent web proxy
does not modify the web traffic in any way, but just forwards it to the
destination. Explicit web proxy can modify web traffic to provide
extra services and administration.
Explicit web proxy is configured with the following options.
Enable Explicit Web Proxy Enable the explicit web proxy.
Port Enter the explicit web proxy server port. To use the explicit proxy,
users must add this port to their web browser proxy configuration.
Listen on Interfaces Displays the interfaces that are being monitored by the explicit web
proxy server.
Unknown HTTP version Select the action to take when the proxy server must handle an
unknown HTTP version request or message. Choose from either
Reject or Best Effort. The Reject option is more secure.
Note: Only interfaces that have explicit web proxy enabled and are in the current VDOM
will be displayed. If an interface has a VLAN subinterface configured, it must be enabled
separately for explicit web proxy. Enabled interfaces will be displayed independent of
explicit web proxy being enabled or not on the Web Proxy screen.
5 Go to System > Network > Web Proxy and select Enable Explicit Proxy.
6 Enter a Port number for the explicit proxy.
For example, 8888.
7 Select Apply to save your changes.
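The forwarded-request headers above are worth understanding from both sides. The following Python example is added here and is not Fortinet code: the first function builds the X-Forwarded-For and Via headers a proxy appends when it relays a request, and the second shows how a server behind the proxy should read X-Forwarded-For, trusting only the part written by proxies it knows, because a client can send a forged header of its own. Header names follow the page; the TRUSTED list, the proxy name and the sample requests are constructed for the example.

```python
"""Forwarded-request headers: what the proxy adds, and how the receiving
side should read them.

Added example for this guide (not Fortinet code).  add_forwarding_headers
shows the X-Forwarded-For and Via headers an explicit proxy appends when it
relays a request; originating_client shows why a server must only trust
the part of X-Forwarded-For that was written by proxies it knows, since
the client can send a forged header of its own.  TRUSTED and the sample
requests are constructed for the example.
"""
import ipaddress


def add_forwarding_headers(headers, client_ip, proxy_name, http_version="1.1"):
    """Return a copy of `headers` with X-Forwarded-For and Via appended.

    Existing values are kept and the new hop is appended, as chained
    proxies do; a forged client value therefore survives, but the real
    source address is always the rightmost entry.
    """
    out = dict(headers)
    xff = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{xff}, {client_ip}" if xff else client_ip
    via = out.get("Via")
    hop = f"{http_version} {proxy_name}"
    out["Via"] = f"{via}, {hop}" if via else hop
    return out


def originating_client(peer_ip, headers, trusted_proxies):
    """Recover the client address from X-Forwarded-For, trusting only the
    entries appended by proxies listed in `trusted_proxies`.

    Walk the chain from the right (the last proxy's addition) leftwards,
    skipping trusted proxies; the first untrusted address is the client.
    If the direct peer is not a trusted proxy, the header is ignored.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in trusted)

    if not is_trusted(peer_ip):
        return peer_ip
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
             if h.strip()]
    for hop in reversed(chain):
        try:
            if not is_trusted(hop):
                return hop
        except ValueError:          # malformed entry: fall back to the peer
            return peer_ip
    return peer_ip


TRUSTED = ["192.168.1.99/32"]      # the FortiGate explicit proxy (constructed)

if __name__ == "__main__":
    # Honest client behind the proxy
    h = add_forwarding_headers({"Host": "intranet.example"}, "192.168.1.20", "fgt-proxy")
    print(h, "->", originating_client("192.168.1.99", h, TRUSTED))
    # Client forges a header to pose as 10.0.0.1; the proxy still appends the real source
    forged = add_forwarding_headers({"X-Forwarded-For": "10.0.0.1"}, "192.168.1.20", "fgt-proxy")
    print(forged, "->", originating_client("192.168.1.99", forged, TRUSTED))
    # The same forged header arriving directly, not via the proxy, is ignored
    print(originating_client("192.168.1.20", {"X-Forwarded-For": "10.0.0.1"}, TRUSTED))
```

The practical point: enabling the X-Forwarded-For header on the proxy only helps an internal server identify clients if that server also restricts which proxy addresses it believes; otherwise any client can set the header itself and appear to come from an address of its choosing.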
Destination IP /Mask Enter the destination IP address and netmask for the route.
To create a default route, set the IP and netmask to 0.0.0.0.
Gateway Enter the IP address of the next hop router to which the route directs traffic.
For an Internet connection, the next hop routing gateway routes traffic to
the Internet.
Distance The administrative distance, or relative preference, of the route. An
administrative distance of 1 is most preferred.
VLAN overview
A VLAN is a group of PCs, servers, and other network devices that communicate as if they
were on the same LAN segment, regardless of their location. For example, the
workstations and servers for an accounting department could be scattered throughout an
office or city and connected to numerous network segments, but still belong to the same
VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a
broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but
cannot connect with devices in other VLANs. The communication among devices on a
VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and
received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain
a VLAN identifier as well as other information.
For more information on VLANs, see the FortiGate VLANs and VDOMs Guide.
[Figure: a router connected to the Internet passes untagged packets to a VLAN switch serving VLAN 1 and VLAN 2]
When constructing VLAN trunks, you add VLAN subinterfaces that have VLAN IDs that
match the VLAN IDs of packets in the VLAN trunk to the FortiGate internal interface. If the
IDs don't match, traffic will not be delivered. The FortiGate unit directs packets with VLAN
IDs to subinterfaces with matching VLAN IDs. For example, packets from the sending
system's VLAN ID 101 are delivered to the recipient system's VLAN ID 101.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit
can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from
incoming packets and add different VLAN tags to outgoing packets.
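The matching rule described above, and the retagging behaviour that follows it, can be shown on real frame bytes. The following Python code is an added example, not Fortinet code: it parses the IEEE 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI holding 3 priority bits, 1 DEI bit and the 12-bit VLAN ID), hands a frame to the subinterface whose VLAN ID matches or drops it when none does, and rewrites the tag for a different VLAN. The frames and the subinterface table are constructed sample data.

```python
"""Parse 802.1Q-tagged Ethernet frames, deliver them to the VLAN
subinterface whose ID matches, and retag a frame for another VLAN.

Added example for this guide (not Fortinet code).  The tag layout is the
IEEE 802.1Q one: after the two MAC addresses, TPID 0x8100 followed by a
16-bit TCI holding priority (3 bits), DEI (1 bit) and the 12-bit VLAN ID.
Frames and the subinterface table are constructed sample data.
"""
import struct

TPID_8021Q = 0x8100


def parse_frame(frame):
    """Return {dst, src, vid, pcp, ethertype, payload}; vid is None if untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst, "src": src, "vid": None, "pcp": 0}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13          # 3 priority bits
        info["vid"] = tci & 0x0FFF       # 12-bit VLAN identifier
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    if vid is not None and not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + struct.pack("!H", ethertype) + payload


def deliver(frame, subinterfaces):
    """Name of the subinterface whose VLAN ID matches the frame's tag.

    `subinterfaces` maps VLAN ID -> subinterface name; untagged frames go to
    the parent interface (key None).  A tagged frame with no matching
    subinterface is dropped (returns None), as the text above describes.
    """
    return subinterfaces.get(parse_frame(frame)["vid"])


def retag(frame, new_vid):
    """Strip the incoming tag (if any) and emit the frame with a new one."""
    f = parse_frame(frame)
    return build_frame(f["dst"], f["src"], f["ethertype"], f["payload"],
                       vid=new_vid, pcp=f["pcp"])


# Constructed sample data
DST = bytes.fromhex("00aabbccddee")
SRC = bytes.fromhex("001122334455")
SUBIFS = {None: "internal", 101: "internal_vlan101", 200: "internal_vlan200"}

if __name__ == "__main__":
    for vid in (None, 101, 300):
        frame = build_frame(DST, SRC, 0x0800, b"ip packet", vid=vid)
        print(f"vid={vid}: {deliver(frame, SUBIFS) or 'dropped'}")
    moved = retag(build_frame(DST, SRC, 0x0800, b"x", vid=101), 200)
    print("retagged to VLAN", parse_frame(moved)["vid"])
```

Because the VLAN ID is the only thing the unit uses to select a subinterface, a frame carrying an ID for which no subinterface exists is silently dropped; when a trunk appears not to pass traffic, comparing the ID in the tag against the configured subinterfaces is the first check to make.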
Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set allow-interface-
subnet-overlap enable to allow IP address overlap. If you enter this command,
multiple VLAN interfaces can have an IP address that is part of a subnet used by another
interface. This command is recommended for advanced users only.
[Figure: the FortiGate unit's External interface (172.16.21.2) connects to the Internet and carries untagged packets; its Internal interface (192.168.110.126) carries an 802.1Q trunk to port Fa 0/24 of a VLAN switch, which serves VLAN 100 on Fa 0/3 and VLAN 200 on Fa 0/9]
Note: A VLAN must not have the same name as a virtual domain or zone.
8 Select OK.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected
in step 4.
Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode.
This includes VLANs. If no other interfaces are configured for a VDOM, you can configure
up to 255 VLANs in that VDOM.
Figure 77 shows a FortiGate unit operating in Transparent mode with 2 virtual domains
and configured with three VLAN subinterfaces.
Figure 77: FortiGate unit with two virtual domains in Transparent mode
[Figure: a switch or router on the Internal side and one on the External side (toward the Internet) are joined by VLAN trunks carrying VLAN1, VLAN2 and VLAN3 through the FortiGate unit; VLAN1 and VLAN3 pass through the root virtual domain and VLAN2 through the new virtual domain]
Figure 78 shows a FortiGate unit operating in Transparent mode and configured with
three VLAN subinterfaces. In this configuration, the FortiGate unit would provide virus
scanning, web content filtering, and other services to each VLAN.
[Figure 78: a router connected to the Internet passes untagged packets to a VLAN switch; a VLAN trunk carrying VLAN 1, VLAN 2 and VLAN 3 runs from that switch through the FortiGate unit in Transparent mode to a second VLAN switch]
Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.
Note: A VLAN must not have the same name as a virtual domain or zone.
2 Select Create New to add firewall addresses that match the source and destination IP
addresses of VLAN packets.
See About firewall addresses on page 345.
3 Go to Firewall > Policy.
4 Add firewall policies as required.
ARP Forwarding
One solution to the duplicate ARP packet problem is to enable ARP forwarding.
When ARP forwarding is enabled, the FortiGate unit passes duplicate ARP packets, which
resolves the delivery problems that dropping them causes. However, forwarding ARP
packets unchecked also exposes your network to ARP spoofing, in which an attacker
answers ARP requests with a forged hardware address to intercept traffic.
For more secure solutions, see the FortiGate VLANs and VDOMs Guide.
System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units.
The majority of this section is applicable to all FortiWiFi units.
If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and wireless
monitor are configured separately for each virtual domain. System wireless settings are
configured globally. For details, see Using virtual domains on page 103.
This section describes:
FortiWiFi wireless interfaces
Channel assignments
Wireless settings
Wireless MAC Filter
Wireless Monitor
Rogue AP detection
Channel assignments
The channels available to you depend on the wireless protocol selected and on the
regulatory region in which you operate. Set the channel for the wireless network by going
to System > Wireless > Settings. For more information see Wireless settings on page 162.
The following tables list the channel assignments for wireless networks for each supported
wireless protocol.
Wireless settings
To configure the wireless settings, go to System > Wireless > Settings.
By default the FortiWiFi unit includes one wireless interface, called wlan. If you are
operating your FortiWiFi unit in access point mode, you can add up to three virtual
wireless interfaces. All wireless interfaces use the same wireless parameters. That is, you
configure the wireless settings once, and all wireless interfaces use those settings. For
details on adding more wireless interfaces, see Adding a wireless interface on page 163.
When operating the FortiWiFi unit in Client mode, radio settings are not configurable.
Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client
mode or Monitoring mode.
Name Enter a name for the wireless interface. The name cannot be the same
as an existing interface, zone or VDOM.
Type Select Wireless.
Address Mode The wireless interface can only be set as a manual address. Enter a
valid IP address and netmask.
If the FortiWiFi is running in Transparent mode, this field does not
appear. The interface will be on the same subnet as the other interfaces.
Administrative Access Set the administrative access for the interface.
4 In the Wireless Settings section, complete the following and select OK:
SSID Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must configure
their computers with this network name.
SSID Broadcast Select to broadcast the SSID. Broadcasting the SSID enables clients to
connect to your wireless network without first knowing the SSID. If you choose
not to broadcast the SSID, you need to inform users of the SSID so they can
configure their wireless devices. Not broadcasting the SSID reduces casual
connection attempts, but it is not a security control: the SSID is still sent in
the clear when clients probe for and associate with the network, so anyone
monitoring the channel can recover it. Rely on the Security mode, not on a
hidden SSID, to keep unwanted users off the network.
Security mode Select the security mode for the wireless interface. Wireless users must use
the same security mode to be able to connect to this wireless interface.
None has no security. Any wireless user can connect to the wireless
network.
WEP64 64-bit Wired Equivalent Privacy (WEP). To use WEP64 you must
enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless
users of the key.
WEP128 128-bit WEP. To use WEP128 you must enter a Key containing 26
hexadecimal digits (0-9 a-f) and inform wireless users of the key.
Both WEP modes are cryptographically broken: a key of either length can be
recovered from a few minutes of captured traffic with freely available tools.
Use WEP only for legacy clients that support nothing else, and prefer WPA2.
WPA Wi-Fi protected access (WPA) security. To use WPA you must select
a data encryption method. You must also enter a pre-shared key containing at
least eight characters or select a RADIUS server. If you select a RADIUS
server the wireless clients must have accounts on the RADIUS server.
WPA2 WPA with more security features. To use WPA2 you must select a
data encryption method and enter a pre-shared key containing at least eight
characters or select a RADIUS server. If you select a RADIUS server the
wireless clients must have accounts on the RADIUS server.
WPA2 Auto the same security features as WPA2, but also accepts wireless
clients using WPA security. To use WPA2 Auto you must select a data
encryption method. You must also enter a pre-shared key containing at least 8
characters or select a RADIUS server. If you select a RADIUS server the
wireless clients must have accounts on the RADIUS server.
Key Enter the security key. This field appears when selecting WEP64 or WEP128
security.
Data Encryption Select a data encryption method to be used by WPA, WPA2, or WPA2 Auto.
Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to
use Advanced Encryption Standard (AES) encryption. AES is considered
more secure than TKIP, which was designed as a stop-gap for WEP-era hardware.
Select AES unless you have clients whose WPA implementation does not support it.
Pre-shared Key Enter the pre-shared key. This field appears when selecting WPA, WPA2, or
WPA2 Auto security.
RADIUS Server Select to use a RADIUS server when selecting WPA or WPA2 security. You
can use WPA or WPA2 RADIUS security to integrate your wireless network
configuration with a RADIUS or Windows AD server. Select a RADIUS server
name from the list. You must configure the RADIUS server by going to User >
RADIUS. For more information, see RADIUS on page 571.
RTS Threshold Set the Request to Send (RTS) threshold.
The RTS threshold is the maximum size, in bytes, of a packet that the
FortiWiFi will accept without sending RTS/CTS packets to the sending
wireless device. In some cases, larger packets being sent may cause
collisions, slowing data transmissions. By changing this value from the default
of 2346, you can configure the FortiWiFi unit to, in effect, have the sending
wireless device ask for clearance before sending larger transmissions. There
can still be risk of smaller packet collisions, however this is less likely.
A setting of 2346 bytes effectively disables this option.
Fragmentation Threshold Set the maximum size of a data packet before it is broken into smaller
packets, reducing the chance of packet collisions. If the packet is larger than
the threshold, the FortiWiFi unit fragments the transmission. If the packet
size is less than the threshold, the FortiWiFi unit does not fragment the
transmission.
A setting of 2346 bytes effectively disables this option.
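The table above requires a WPA or WPA2 pre-shared key of at least eight characters. The following added example (not FortiWiFi code, and not part of the guide) shows what the FortiWiFi unit and its clients do with that key: under IEEE 802.11i the 256-bit Pairwise Master Key is PBKDF2-HMAC-SHA1 of the passphrase with the SSID as salt, 4096 iterations. It also shows why the eight-character minimum is a floor rather than a recommendation. The test vector (passphrase "password", SSID "IEEE") is the one published in the IEEE 802.11i annex; the wordlist is constructed for the example.

```python
"""How WPA/WPA2-Personal turns the 'Pre-shared Key' into the 256-bit Pairwise
Master Key (IEEE 802.11i): PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
Added example to accompany the Wireless settings table; not FortiWiFi code."""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11 standard
PMK_LEN = 32               # 256-bit PMK


def passphrase_problems(passphrase):
    """Return the reasons a passphrase is not a valid 802.11i PSK passphrase
    (8 to 63 printable ASCII characters, code points 32-126); [] if valid."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    return problems


def derive_pmk(passphrase, ssid):
    """Return the PMK as 64 hex digits. The SSID is the PBKDF2 salt, so the
    same passphrase gives a different PMK on every network name."""
    problems = passphrase_problems(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)
    return pmk.hex()


def audit_against_wordlist(ssid, pmk_hex, wordlist):
    """Defender-side check: does the configured PSK fall to a wordlist?

    An attacker who has captured one WPA 4-way handshake runs this same loop
    offline (comparing each candidate against the handshake MIC rather than
    the PMK, which is the simplification made here). Returns (matched
    passphrase or None, number of PBKDF2 derivations performed).
    """
    derivations = 0
    for candidate in wordlist:
        if passphrase_problems(candidate):
            continue                    # cannot be a WPA passphrase, skip
        derivations += 1
        if derive_pmk(candidate, ssid) == pmk_hex:
            return candidate, derivations
    return None, derivations


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk)
    # Constructed wordlist: the PSK is found on the second derivation.
    print(audit_against_wordlist("IEEE", pmk, ["short", "letmein1", "password"]))
```

Each candidate costs 4096 HMAC-SHA1 computations, which is cheap enough that dictionaries of many millions of passphrases are routinely tried against a captured handshake on commodity hardware. Treat eight characters as the minimum the field accepts, not as a target: use a long random passphrase and a non-default SSID (a common SSID lets an attacker reuse precomputed tables), or select a RADIUS server so that each user authenticates individually.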
Alternatively, you can create a deny list. Similar to the allow list, you can configure the
wireless interface to allow all connections except those in the MAC address list.
MAC address filtering stops clients that present unknown or random MAC addresses
from associating, but it is a weak control on its own: MAC addresses are sent
unencrypted in every frame, so an attacker who monitors the channel can copy the
address of an allowed client and spoof it. Use MAC filtering in addition to, not
instead of, WPA2 security. Note you can configure one list per WLAN interface.
To allow or deny wireless access to wireless clients based on the MAC address of the
client wireless cards, go to System > Wireless > MAC Filter.
List Access Select to allow or deny the addresses in the MAC Address list from
accessing the wireless network.
MAC Address Enter the MAC address to add to the list.
Add Add the entered MAC address to the list.
Remove Select one or more MAC addresses in the list and select Remove to
delete the MAC addresses from the list.
Wireless Monitor
Go to System > Wireless > Monitor to view information about your wireless network. In
Access Point mode, you can see who is connected to your wireless LAN. In Client mode,
you can see which access points are within radio range.
Rogue AP detection
Rogue Access Point Detection scans for wireless access points in Monitoring mode. You
can also enable scanning in the background while the unit is in Access Point mode.
Refresh Interval Set time between information updates. none means no updates.
Refresh Updates displayed information now.
Inactive Access Points Select which inactive access points to show: all, none, those detected
less than one hour ago, or those detected less than one day ago.
Online A green checkmark indicates an active access point. A grey X indicates
that the access point is inactive.
SSID The wireless service set identifier (SSID) or network name for the
wireless interface.
MAC Address The MAC address of the Wireless interface.
Signal Strength /Noise The signal strength and noise level.
Channel The wireless radio channel that the access point uses.
Rate The data rate of the access point.
First Seen The date and time when the FortiWiFi unit first detected the access point.
Last Seen The date and time when the FortiWiFi unit last detected the access point.
Mark as Accepted AP Select the icon to move this entry to the Accepted Access Points list.
Mark as Rogue AP Select the icon to move this entry to the Rogue Access Points list.
Forget AP Return item to Unknown Access Points list from Accepted Access Points
list or Rogue Access Points list.
You can also enter information about accepted and rogue APs in the CLI without having to
detect them first. See the system wireless ap-status command in the FortiGate
CLI Reference.
System DHCP
This section describes how to use DHCP to provide convenient automatic network
configuration for your clients.
DHCP is not available in Transparent mode. DHCP requests are passed through the
FortiGate unit when it is in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured
separately for each virtual domain. For details, see Using virtual domains on page 103.
This section describes:
FortiGate DHCP servers and relays
Configuring DHCP services
Viewing address leases
Note: You can configure a Regular DHCP server on an interface only if the interface has a
static IP address. You can configure an IPSec DHCP server on an interface that has either
a static or a dynamic IP address.
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server
dynamically assigns IP addresses to hosts on the network connected to the interface. The
host computers must be configured to obtain their IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP server
for each network. The IP range of each DHCP server must match the network address
range. The routers must be configured for DHCP relay.
To configure a DHCP server, see Configuring a DHCP server on page 173.
You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP
requests from DHCP clients to an external DHCP server and returns the responses to the
DHCP clients. The DHCP server must have appropriate routing so that its response
packets to the DHCP clients arrive at the FortiGate unit.
To configure a DHCP relay see Configuring an interface as a DHCP relay agent on
page 173.
DHCP services can also be configured through the Command Line Interface (CLI). See
the FortiGate CLI Reference for more information.
Note: You can not configure DHCP in Transparent mode. In Transparent mode DHCP
requests pass through the FortiGate unit.
Note: An interface must have a static IP before you configure a DHCP server on it.
These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to change the
DHCP server settings to match.
Edit
Delete
Interface List of FortiGate interfaces. Expand each listed interface to view the Relay and
Servers.
Server Name/Relay IP Name of FortiGate DHCP server or IP address of DHCP server accessed by
relay.
Type Type of DHCP relay or server: Regular or IPSec.
Enable Green check mark icon indicates that server or relay is enabled.
Add DHCP Server icon Select to configure and add a DHCP server for this interface.
DNS Server 1, DNS Server 2, DNS Server 3 Enter the IP addresses of up to 3 DNS servers
that the DHCP server assigns to DHCP clients.
WINS Server 1, WINS Server 2 Add the IP addresses of one or two WINS servers that the
DHCP server assigns to DHCP clients.
Option 1, Option 2, Option 3 Enter up to three custom DHCP options that can be sent by
the DHCP server. Code is the DHCP option code in the range 1 to 255. Option is
the option's value bytes written as an even number of hexadecimal characters; it
is not required for some option codes. For detailed information about DHCP
options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
Exclude Ranges
Add Add a range of IP addresses to exclude.
You can add up to 16 exclude ranges of IP addresses that the DHCP server
cannot assign to DHCP clients. No range can exceed 65536 IP addresses.
Starting IP Enter the first IP address of the exclude range.
End IP Enter the last IP address of the exclude range.
Delete icon Delete the exclude range.
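The Option fields above take a raw hex string and the exclude ranges have fixed limits, so a definition is easy to get subtly wrong. The following added example (not FortiOS code, and not part of the guide) encodes option values the way RFC 2132 defines them and checks a Regular DHCP server definition against the rules stated in this section: the range must fall inside the interface subnet, at most 16 exclude ranges, none larger than 65536 addresses. It assumes the Option field takes only the value bytes (the FortiGate supplying the code and length itself); the 192.168.1.110 to 192.168.1.210 range and the server addresses are constructed for the example.

```python
"""Checks for a FortiGate Regular DHCP server definition as entered under
System > DHCP: custom option values as the hex string the 'Option' field
expects (RFC 2132 value encodings) and the guide's limits on exclude ranges.
Added example, not FortiOS code."""
import ipaddress
import struct

MAX_EXCLUDE_RANGES = 16          # stated in the guide
MAX_EXCLUDE_RANGE_SIZE = 65536   # stated in the guide


def encode_option_value(code, value):
    """Return the hex string for DHCP option `code`.

    Encodes only the option's value bytes (assumption: the 'Option' field takes
    the value, and the FortiGate supplies the code and length bytes itself).
    `value` may be a list of IPv4 addresses (e.g. option 42, NTP servers), a
    str (option 15, domain name), a bool (option 19, IP forwarding), an int
    (packed big-endian into 1, 2 or 4 bytes as RFC 2132 requires) or raw bytes.
    """
    if not 1 <= code <= 255:
        raise ValueError("option code must be in the range 1 to 255")
    if isinstance(value, bool):               # before int: bool is a subclass
        data = b"\x01" if value else b"\x00"
    elif isinstance(value, int):
        for fmt in ("!B", "!H", "!I"):
            try:
                data = struct.pack(fmt, value)
                break
            except struct.error:
                continue
        else:
            raise ValueError("integer value does not fit in 4 bytes")
    elif isinstance(value, str):
        data = value.encode("ascii")
    elif isinstance(value, bytes):
        data = value
    else:
        data = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    if not 1 <= len(data) <= 255:
        raise ValueError("option value must be 1 to 255 bytes")
    return data.hex()     # bytes.hex() is always an even number of hex digits


def check_dhcp_server(interface_ip, start_ip, end_ip, exclude_ranges):
    """Validate a Regular DHCP server definition against the rules in the guide.

    interface_ip: the interface's static address with prefix, e.g. '192.168.1.99/24'.
    exclude_ranges: list of (starting_ip, end_ip) pairs.
    Returns a list of problems; an empty list means the definition is consistent.
    """
    problems = []
    iface = ipaddress.IPv4Interface(interface_ip)
    net = iface.network
    start, end = ipaddress.IPv4Address(start_ip), ipaddress.IPv4Address(end_ip)
    if start > end:
        problems.append("IP range: start is after end")
    if start not in net or end not in net:
        problems.append(f"IP range must lie inside the interface subnet {net}")
    if start <= iface.ip <= end:
        problems.append("IP range includes the interface's own address")
    if len(exclude_ranges) > MAX_EXCLUDE_RANGES:
        problems.append(f"more than {MAX_EXCLUDE_RANGES} exclude ranges")
    for i, (xs, xe) in enumerate(exclude_ranges, 1):
        xs, xe = ipaddress.IPv4Address(xs), ipaddress.IPv4Address(xe)
        if xs > xe:
            problems.append(f"exclude range {i}: start is after end")
            continue
        size = int(xe) - int(xs) + 1
        if size > MAX_EXCLUDE_RANGE_SIZE:
            problems.append(f"exclude range {i}: {size} addresses exceeds "
                            f"{MAX_EXCLUDE_RANGE_SIZE}")
        if xe < start or xs > end:
            problems.append(f"exclude range {i}: does not overlap the IP range "
                            "(has no effect)")
    return problems


if __name__ == "__main__":
    # Constructed example for the default Internal address 192.168.1.99/24.
    print(encode_option_value(42, ["192.168.1.10", "192.168.1.11"]))  # NTP servers
    print(encode_option_value(15, "corp.example"))                     # domain name
    print(check_dhcp_server("192.168.1.99/24", "192.168.1.110", "192.168.1.210",
                            [("192.168.1.150", "192.168.1.160")]))
```

Run the checks before entering a definition, and again whenever the interface address changes: as the text above notes, a DHCP range configured for 192.168.1.99/24 does not follow the interface to a new subnet, and the subnet check here catches exactly that case.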
System Config
This section describes the configuration of several non-network features, such as HA,
SNMP, custom replacement messages, and Operation mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement
messages are configured globally for the entire FortiGate unit. Changing operation mode
is configured for each individual VDOM. For details, see Using virtual domains on
page 103.
This section describes:
HA
SNMP
Replacement messages
Operation mode and VDOM management access
HA
FortiGate high availability (HA) provides a solution for two key requirements of critical
enterprise networking components: enhanced reliability and increased performance. This
section contains a brief description of HA web-based manager configuration options, the
HA cluster members list, HA statistics, and disconnecting cluster members.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for
the entire FortiGate unit. For details, see Using virtual domains on page 103.
For complete information about how to configure and operate FortiGate HA clusters see
the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center.
HA is not available on FortiGate models 50A and 50AM. HA is available on all other
FortiGate models, including the FortiGate-50B.
The following topics are included in this section:
HA options
Cluster members list
Viewing HA statistics
Changing subordinate unit host name and device priority
Disconnecting a cluster unit from a cluster
HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the
configuration of an operating cluster or cluster member.
To configure HA options so that a FortiGate unit can join an HA cluster, go to System >
Config > HA.
Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is
also not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically
configured using DHCP or PPPoE you cannot switch to operate in HA mode. Also, you
cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured
as a PPTP or L2TP client or if the FortiGate unit is configured for standalone session
synchronization.
If HA is already enabled, go to System > Config > HA to display the cluster members list.
Select Edit for the FortiGate unit with Role of master (also called the primary unit). When
you edit the HA configuration of the primary unit, all changes are synchronized to the other
cluster units.
You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled
by logging into the web-based manager as the global admin administrator and then going
to System > Config > HA.
Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual
clustering. Most virtual cluster HA options are the same as normal HA options. However,
virtual clusters include VDOM partitioning options. Other differences between configuration
options for regular HA and for virtual clustering HA are described below and in the
FortiGate HA Overview and the FortiGate HA Guide.
Mode Select an HA mode for the cluster or return the FortiGate units in the cluster to
standalone mode. When configuring a cluster, you must set all members of the
HA cluster to the same HA mode. You can select Standalone (to disable HA),
Active-Passive, or Active-Active. If virtual domains are enabled you can select
Active-Passive or Standalone.
Device Priority Optionally set the device priority of the cluster unit. Each cluster unit can have a
different device priority. During HA negotiation, the unit with the highest device
priority usually becomes the primary unit.
In a virtual cluster configuration, each cluster unit can have two device priorities,
one for each virtual cluster. During HA negotiation, the unit with the highest
device priority in a virtual cluster becomes the primary unit for that virtual cluster.
Changes to the device priority are not synchronized. You can accept the default
device priority when first configuring a cluster. When the cluster is operating you
can change the device priority for different cluster units as required.
Group Name Enter a name to identify the cluster. The maximum length of the group name is 32
characters. The group name must be the same for all cluster units before the
cluster units can form a cluster. After a cluster is operating, you can change the
group name. The group name change is synchronized to all cluster units.
The default group name is FGT-HA. You can accept the default group name
when first configuring a cluster. When the cluster is operating you can change the
group name, if required. Two clusters on the same network cannot have the
same group name.
Password Enter a password to identify the cluster. The maximum password length is 15
characters. The password must be the same for all cluster units before the cluster
units can form a cluster.
The default is no password. Set a password when you first configure the cluster
rather than accepting the default: a unit that does not present the same group
name and password cannot join the cluster. Connect the heartbeat interfaces
back-to-back or through a dedicated switch so that the heartbeat network is not
reachable from other hosts. When the cluster is operating, you can add or change
the password, if required. Two clusters on the same network must have different
passwords.
Enable Session pickup Select to enable session pickup so that if the primary unit fails, all sessions are
picked up by the cluster unit that becomes the new primary unit.
Session pickup is disabled by default. You can accept the default setting for
session pickup and then choose to enable session pickup after the cluster is
operating.
Port Monitor Select to enable or disable monitoring FortiGate interfaces to verify that the
monitored interfaces are functioning properly and connected to their networks.
If a monitored interface fails or is disconnected from its network, the interface
leaves the cluster and a link failover occurs. The link failover causes the cluster to
reroute the traffic being processed by that interface to the same interface of
another cluster unit that still has a connection to the network. This other cluster
unit becomes the new primary unit.
Port monitoring (also called interface monitoring) is disabled by default. Leave
port monitoring disabled until the cluster is operating and then only enable port
monitoring for connected interfaces.
You can monitor up to 16 interfaces. This limit only applies to FortiGate units with
more than 16 physical interfaces.
Heartbeat Interface Select to enable or disable HA heartbeat communication for each interface in the
cluster and set the heartbeat interface priority. The heartbeat interface with the
highest priority processes all heartbeat traffic. If two or more heartbeat interfaces
have the same priority, the heartbeat interface with the lowest hash map order
value processes all heartbeat traffic. The web-based manager lists interfaces in
alphanumeric order: port1, port2 through port9, port10. Hash map order sorts
interface names as plain strings, in the following order: port1, port10, port2
through port9.
The default heartbeat interface configuration is different for each FortiGate unit.
This default configuration usually sets the priority of two heartbeat interfaces to
50. You can accept the default heartbeat interface configuration if you connect
one or both of the default heartbeat interfaces together.
The heartbeat interface priority range is 0 to 512. The default priority when you
select a new heartbeat interface is 0.
You must select at least one heartbeat interface. If heartbeat communication is
interrupted, the cluster stops processing traffic. For more information about
configuring heartbeat interfaces, see the FortiGate HA Overview.
You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate
units with more than 8 physical interfaces.
VDOM partitioning If you are configuring virtual clustering, you can set the virtual domains to be in
virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual
domain must always be in virtual cluster 1. For more information about
configuring VDOM partitioning, see the FortiGate HA Overview.
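The tie-break rule for heartbeat interfaces above is easy to misread because the web-based manager's display order and the hash map order disagree for names like port10. The following added example (not FortiOS code, and not part of the guide) implements the rule as stated, highest priority first and ties broken by plain string order, alongside the natural ordering the web-based manager displays, so you can see which interface actually carries heartbeat traffic for a given configuration. Interface names and priorities are constructed for the example.

```python
"""Which interface carries FortiGate HA heartbeat traffic. The guide's rule:
highest heartbeat priority wins, and ties go to the interface that sorts first
in 'hash map order', which is plain string order and not the web-based
manager's alphanumeric display order. Added example, not FortiOS code."""
import re

HEARTBEAT_PRIORITY_RANGE = (0, 512)     # from the guide
MAX_HEARTBEAT_INTERFACES = 8            # from the guide


def hash_map_order(names):
    """Plain string order: port1, port10, port2, ..., port9."""
    return sorted(names)


def display_order(names):
    """Web-based manager order, numeric suffixes compared as numbers:
    port1, port2, ..., port9, port10."""
    def natural_key(name):
        return [int(part) if part.isdigit() else part
                for part in re.split(r"(\d+)", name)]
    return sorted(names, key=natural_key)


def active_heartbeat_interface(heartbeat):
    """heartbeat: {interface name: priority} for the selected heartbeat
    interfaces. Returns the one that processes all heartbeat traffic."""
    if not heartbeat:
        raise ValueError("at least one heartbeat interface must be selected")
    if len(heartbeat) > MAX_HEARTBEAT_INTERFACES:
        raise ValueError(f"at most {MAX_HEARTBEAT_INTERFACES} heartbeat interfaces")
    lo, hi = HEARTBEAT_PRIORITY_RANGE
    for name, prio in heartbeat.items():
        if not lo <= prio <= hi:
            raise ValueError(f"{name}: priority {prio} outside {lo}-{hi}")
    top = max(heartbeat.values())
    tied = [name for name, prio in heartbeat.items() if prio == top]
    return hash_map_order(tied)[0]


if __name__ == "__main__":
    # Constructed example: two default heartbeat interfaces at priority 50.
    hb = {"port2": 50, "port10": 50, "port1": 0}
    print(display_order(hb), "->", active_heartbeat_interface(hb))  # port10, not port2
```

If you need a particular interface to carry heartbeat traffic, give it a strictly higher priority rather than relying on the tie-break.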
To display the cluster members list, log into an operating cluster and go to System >
Config > HA.
If virtual domains are enabled, you can display the cluster members list to view the status
of the operating virtual clusters. The virtual cluster members list shows the status of both
virtual clusters including the virtual domains added to each virtual cluster.
To display the virtual cluster members list for an operating cluster log in as the global
admin administrator and go to System > Config > HA.
View HA Statistics Displays the serial number, status, and monitor information for each cluster
unit. See Viewing HA statistics on page 182.
Up and down arrows Changes the order of cluster members in the list. The operation of the
cluster and of the units in the cluster is not affected. All that changes is the
order of the units on the cluster members list.
Cluster member Illustrations of the front panels of the cluster units. If the network jack for an
interface is shaded green, the interface is connected. Pause the mouse
pointer over each illustration to view the cluster unit host name, serial
number, how long the unit has been operating (up time), and the interfaces
that are configured for port monitoring.
Hostname The host name of the FortiGate unit. The default host name of the
FortiGate unit is the FortiGate unit serial number.
To change the primary unit host name, go to System > Status and
select Change beside the current host name.
To change a subordinate unit host name, from the cluster members list
select the Edit icon for a subordinate unit.
Role The status or role of the cluster unit in the cluster.
Role is MASTER for the primary (or master) unit
Role is SLAVE for all subordinate (or backup) cluster units
Priority The device priority of the cluster unit. Each cluster unit can have a different
device priority. During HA negotiation, the unit with the highest device
priority becomes the primary unit.
The device priority range is 0 to 255.
Disconnect from cluster Select to disconnect a selected cluster unit from the cluster. See
Disconnecting a cluster unit from a cluster on page 184.
Edit Select to change a cluster unit HA configuration.
For a primary unit, select Edit to change the cluster HA configuration
(including the device priority) of the primary unit.
For a primary unit in a virtual cluster, select Edit to change the virtual
cluster HA configuration; including the virtual cluster 1 and virtual
cluster 2 device priority of this cluster unit.
For a subordinate unit, select Edit to change the subordinate unit host
name and device priority. See Changing subordinate unit host name
and device priority on page 183.
For a subordinate unit in a virtual cluster, select Edit to change the
subordinate unit host name and the device priority of the subordinate
unit for the selected virtual cluster. See Changing subordinate unit host
name and device priority on page 183.
Download debug log Select to download an encrypted debug log to a file. You can send this
debug log file to Fortinet Technical Support (http://support.fortinet.com) to
help diagnose problems with the cluster or with individual cluster units.
Viewing HA statistics
From the cluster members list, you can select View HA Statistics to display the serial
number, status, and monitor information for each cluster unit. To view HA statistics, go to
System > Config > HA and select View HA Statistics.
Refresh every Select to control how often the web-based manager updates the HA
statistics display.
Back to HA monitor Select to close the HA statistics list and return to the cluster members list.
Unit The host name and serial number of the cluster unit.
Status Indicates the status of each cluster unit. A green check mark indicates that
the cluster unit is operating normally. A red X indicates that the cluster unit
cannot communicate with the primary unit.
Up Time The time in days, hours, minutes, and seconds since the cluster unit was last
started.
Monitor Displays system status information for each cluster unit.
CPU Usage The current CPU status of each cluster unit. The web-based manager
displays CPU usage for core processes only. CPU usage for management
processes (for example, for HTTPS connections to the web-based manager)
is excluded.
Memory Usage The current memory status of each cluster unit. The web-based manager
displays memory usage for core processes only. Memory usage for
management processes (for example, for HTTPS connections to the
web-based manager) is excluded.
Active Sessions The number of communications sessions being processed by the cluster
unit.
Total Packets The number of packets that have been processed by the cluster unit since it
last started up.
Virus Detected The number of viruses detected by the cluster unit.
Network Utilization The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes The number of bytes that have been processed by the cluster unit since it
last started up.
Intrusion Detected The number of intrusions or attacks detected by Intrusion Protection running
on the cluster unit.
To change the host name and device priority of a subordinate unit in an operating cluster
with virtual domains enabled, log in as the global admin administrator and go to System >
Config > HA to display the cluster members list. Select Edit for any slave (subordinate)
unit in the cluster members list.
You can change the host name (Peer) and device priority (Priority) of this subordinate unit.
These changes only affect the configuration of the subordinate unit.
Figure 98: Changing the subordinate unit host name and device priority
Peer View and optionally change the subordinate unit host name.
Priority View and optionally change the subordinate unit device priority.
The device priority is not synchronized among cluster members. In a functioning cluster
you can change device priority to change the priority of any unit in the cluster. The next
time the cluster negotiates, the cluster unit with the highest device priority becomes the
primary unit.
The device priority range is 0 to 255. The default device priority is 128.
Serial Number Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface Select the interface that you want to configure. You also specify the IP address
and netmask for this interface. When the FortiGate unit is disconnected, all
management access options are enabled for this interface.
IP/Netmask Specify an IP address and netmask for the interface. You can use this IP address
to connect to this interface to configure the disconnected FortiGate unit.
SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your
network. You can configure the hardware, such as the FortiGate SNMP agent, to report
system information and send traps (alarms or event messages) to SNMP managers. An
SNMP manager is typically a computer running an application that can read the
incoming trap and event messages from the agent and send out SNMP queries to the
SNMP agents. Another name for an SNMP manager is a host. A FortiManager unit can
act as an SNMP manager, or host, to a FortiGate unit.
Using an SNMP manager, you can access SNMP traps and data from any FortiGate
interface or VLAN subinterface configured for SNMP management access. SNMP v1 and
v2c authenticate queries with nothing more than a community string sent in cleartext, so
enable SNMP management access only on interfaces that face your management network,
and use SNMP v3 where your manager supports it.
The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP
managers have read-only access to FortiGate system information through queries and
can receive trap messages from the FortiGate unit. To monitor FortiGate system
information and receive FortiGate traps, you must first compile the proprietary Fortinet and
FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a
list of SNMP data objects that are used by the SNMP manager. These MIBs provide the
information the SNMP manager needs to interpret the SNMP trap, event, and query
messages of the FortiGate unit SNMP agent.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-
like MIB) and most of RFC 1213 (MIB II). For more information, see Fortinet MIBs on
page 188.
RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and
partial support of User-based Security Model (RFC 3414).
SNMP traps alert you to events that happen, such as a log disk being full or a virus
being detected. For more information about SNMP traps, see Fortinet and FortiGate
traps on page 189.
SNMP fields contain information about your FortiGate unit. This information is useful to
monitor the condition of the unit, both on an ongoing basis and to provide more
information when a trap occurs. For more information about SNMP fields, see Fortinet
and FortiGate MIB fields on page 192.
Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on
interfaces in the management virtual domain. Traps cannot be sent over other interfaces.
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC
1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665
(Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit
configuration.
There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The
Fortinet MIB contains traps, fields and information that is common to all Fortinet products.
The FortiGate MIB contains traps, fields and information that is specific to FortiGate units.
The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in
this section. You can obtain these MIB files from Fortinet technical support. To be able to
communicate with the FortiGate SNMP agent, you must compile all of these MIBs into
your SNMP manager.
Your SNMP manager may already include standard and private MIBs in a compiled
database that is ready to use. You must add the Fortinet proprietary MIB to this database.
You need to obtain and compile the two MIBs for this release.
Table 13: Fortinet MIBs
Replacement messages
Go to System > Config > Replacement Messages to change replacement messages and
customize alert email and information that the FortiGate unit adds to content streams such
as email messages, web pages, and FTP sessions.
The FortiGate unit adds replacement messages to a variety of content streams. For
example, if a virus is found in an email message, the file is removed from the email and
replaced with a replacement message. The same applies to pages blocked by web
filtering and email blocked by spam filtering.
Name The replacement message category. Select the expand arrow to expand or collapse the category. Each category contains several replacement messages that are used by different FortiGate features. The replacement messages are described below.
Description A description of the replacement message.
Edit or view icon Select to change or view a replacement message.
Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept
before the firewall policy is in effect. Therefore, the user must first initiate HTTP traffic in
order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the
user can send whatever traffic is allowed by the firewall policy.
Replacement messages can be text or HTML messages. You can add HTML code to
HTML messages. Allowed Formats shows you which format to use in the replacement
message. There is a limit of 8192 characters for each replacement message. The
following fields and options are available when editing a replacement message. Different
replacement messages have different sets of fields and options.
If the FortiGate unit supports SSL content scanning and inspection and if Protocol
Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile,
these replacement messages can also replace web pages downloaded using the HTTPS
protocol.
Table 29: HTTP replacement messages
Example
The following is an example of a simple authentication page that meets the requirements
listed above.
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0"
CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"> </TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password">
</TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"> </TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
Table 35: FortiGuard Web Filtering replacement messages
Tag Description
%%AUTH_LOGOUT%% The URL that will immediately delete the current policy and close the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%% The auth-keepalive page can prompt the user to open a new window which links to this tag.
%%CATEGORY%% The name of the content category of the web site.
%%DEST_IP%% The IP address of the request destination from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.
%%EMAIL_FROM%% The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%% The email address of the intended recipient of the message from which the file was removed.
%%FAILED_MESSAGE%% The failed-to-login message displayed on the auth-login-failed page.
%%FILE%% The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%% The FortiGuard - Web Filtering logo.
%%FORTINET%% The Fortinet logo.
%%LINK%% The link to the FortiClient Host Security installer download for the Endpoint Control feature.
%%HTTP_ERR_CODE%% The HTTP error code, for example 404.
%%HTTP_ERR_DESC%% The HTTP error description.
%%NIDSEVENT%% The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
%%OVERRIDE%% The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
%%OVRD_FORM%% The FortiGuard web filter block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.
%%PROTOCOL%% The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%% The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%QUESTION%% The authentication challenge question on the auth-challenge page, or the prompt to enter username and password on the auth-login page.
%%SERVICE%% The name of the web filtering service.
%%SOURCE_IP%% The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
%%TIMEOUT%% Configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.
%%URL%% The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%VIRUS%% The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
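A custom replacement message can be checked offline before it is loaded onto the unit. The following is an added example, not FortiOS code and not a reproduction of how the FortiGate unit itself expands tags: it validates a template against the 8192-character limit and the tag table above, then previews it with constructed values; which tags are treated as markup rather than data is an assumption of this helper.

```python
import html
import re

# Limit stated in the guide for each replacement message.
MAX_MESSAGE_CHARS = 8192
TAG_RE = re.compile(r"%%([A-Z_]+)%%")

# Tags listed in the FortiGuard Web Filtering replacement message tag table.
KNOWN_TAGS = {
    "AUTH_LOGOUT", "AUTH_REDIR_URL", "CATEGORY", "DEST_IP", "EMAIL_FROM",
    "EMAIL_TO", "FAILED_MESSAGE", "FILE", "FORTIGUARD_WF", "FORTINET", "LINK",
    "HTTP_ERR_CODE", "HTTP_ERR_DESC", "NIDSEVENT", "OVERRIDE", "OVRD_FORM",
    "PROTOCOL", "QUARFILENAME", "QUESTION", "SERVICE", "SOURCE_IP", "TIMEOUT",
    "URL", "VIRUS",
}
# The guide says %%OVRD_FORM%% belongs only in the override form.
OVERRIDE_FORM_ONLY = {"OVRD_FORM"}
# Assumption of this helper: logo and form tags expand to HTML supplied by the
# unit; every other tag carries data (URL, file name, virus name, address) that
# the inspected stream can influence, so the preview HTML-escapes it.
MARKUP_TAGS = {"FORTIGUARD_WF", "FORTINET", "OVRD_FORM"}


def find_tags(template):
    """Return the set of %%TAG%% names used in a template."""
    return set(TAG_RE.findall(template))


def validate_template(template, is_override_form=False):
    """Return a list of problems; an empty list means the template is acceptable."""
    problems = []
    if len(template) > MAX_MESSAGE_CHARS:
        problems.append(
            f"message is {len(template)} characters, limit is {MAX_MESSAGE_CHARS}")
    for tag in sorted(find_tags(template)):
        if tag not in KNOWN_TAGS:
            problems.append(f"unknown tag %%{tag}%%")
        elif tag in OVERRIDE_FORM_ONLY and not is_override_form:
            problems.append(f"%%{tag}%% is only valid in the override form")
    if is_override_form and "OVRD_FORM" not in find_tags(template):
        problems.append("override form must contain %%OVRD_FORM%%")
    return problems


def render_preview(template, values):
    """Expand tags with the given values; data tags are HTML-escaped, markup
    tags are inserted as-is. Tags with no value expand to nothing."""
    def expand(match):
        tag = match.group(1)
        value = values.get(tag, "")
        return value if tag in MARKUP_TAGS else html.escape(value, quote=True)
    return TAG_RE.sub(expand, template)


# Constructed sample block page in the style of the guide's HTML examples.
SAMPLE_BLOCK_PAGE = """<HTML><HEAD><TITLE>Web Page Blocked</TITLE></HEAD>
<BODY>%%FORTIGUARD_WF%%
<H4>Access to <B>%%URL%%</B> was blocked.</H4>
<P>Category: %%CATEGORY%% (service: %%SERVICE%%)</P>
<P>%%OVERRIDE%%</P>
</BODY></HTML>"""

# Constructed values, including a URL carrying markup to show the escaping.
SAMPLE_VALUES = {
    "FORTIGUARD_WF": '<IMG SRC="/logo.gif" ALT="FortiGuard Web Filtering">',
    "URL": "http://example.invalid/<script>alert(1)</script>",
    "CATEGORY": "Malicious Websites",
    "SERVICE": "FortiGuard Web Filtering",
    "OVERRIDE": "",
}

if __name__ == "__main__":
    print(validate_template(SAMPLE_BLOCK_PAGE))
    print(render_preview(SAMPLE_BLOCK_PAGE, SAMPLE_VALUES))
```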
Management IP/Netmask Enter the management IP address and netmask. This must be a valid IP address for the network from which you want to manage the FortiGate unit.
Default Gateway Enter the default gateway required to reach other networks from the FortiGate unit.
Interface IP/Netmask Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.
Device Select the interface to which the Interface IP/Netmask settings apply.
Default Gateway Enter the default gateway required to reach other networks from the FortiGate unit.
Gateway Device Select the interface to which the default gateway is connected.
Management access
You can configure management access on any interface in your VDOM. See
Administrative access to an interface on page 135. In NAT/Route mode, the interface IP
address is used for management access. In Transparent mode, you configure a single
management IP address that applies to all interfaces in your VDOM that permit
management access. The FortiGate unit also uses this IP address to connect to the FDN for
virus and attack updates (see Configuring FortiGuard Services on page 264).
The system administrator (admin) can access all VDOMs, and create regular
administrator accounts. A regular administrator account can access only the VDOM to
which it belongs, so the management computer must connect to an interface in that VDOM.
For the system administrator, it does not matter to which VDOM the interface belongs. In
both cases, the management computer must connect to an interface that permits
management access and its IP address must be on the same network. Management access
can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the
interface. HTTPS and SSH are preferred as they are more secure.
You can allow remote administration of the FortiGate unit. However, allowing remote
administration from the Internet could compromise the security of the FortiGate unit. You
should avoid this unless it is required for your configuration. To improve the security of a
FortiGate unit that allows remote administration from the Internet:
Use secure administrative user passwords.
Change these passwords regularly.
Enable secure administrative access to this interface using only HTTPS or SSH.
Use Trusted Hosts to limit where the remote access can originate from.
Do not change the system idle timeout from the default value of 5 minutes (see
Settings on page 228).
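The checklist above can be audited against a configuration backup. The following is an added example, not FortiOS code; it assumes the FortiOS CLI keywords allowaccess (on interfaces), trusthost1 to trusthost3 (on administrator accounts) and admintimeout (under system global), none of which appear in this GUI-oriented section, and it runs over a constructed sample configuration.

```python
from collections import defaultdict

# Constructed sample FortiOS configuration backup, not taken from any real unit.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 30
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "helpdesk"
        set accprofile "prof_admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
"""

# Administrative services the guide advises against; only HTTPS or SSH should
# be enabled on an interface that allows remote administration.
INSECURE_ADMIN_SERVICES = {"http", "telnet"}
# Default idle timeout in minutes, which the guide says not to increase.
DEFAULT_IDLE_TIMEOUT = 5


def parse_config(text):
    """Parse FortiOS 'config / edit / set / next / end' text into
    {section: {entry: {key: [values]}}}. 'set' lines that sit directly under a
    section (no 'edit') are stored under the entry name ''. Nested config
    blocks are recorded under their own section name, which is enough here."""
    sections = defaultdict(dict)
    stack = []  # one [section, current_entry] pair per open config block
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append([line[len("config "):], ""])
        elif not stack:
            continue
        elif line.startswith("edit "):
            stack[-1][1] = line[len("edit "):].strip('"')
        elif line.startswith("set "):
            section, entry = stack[-1]
            key, _, value = line[len("set "):].partition(" ")
            sections[section].setdefault(entry, {})[key] = value.replace('"', "").split()
        elif line == "next":
            stack[-1][1] = ""
        elif line == "end":
            stack.pop()
    return sections


def audit_management_access(config_text):
    """Return a list of findings, one per deviation from the guide's checklist."""
    cfg = parse_config(config_text)
    findings = []

    # Idle timeout: keep the default of 5 minutes.
    timeout = cfg.get("system global", {}).get("", {}).get("admintimeout")
    if timeout and int(timeout[0]) > DEFAULT_IDLE_TIMEOUT:
        findings.append(f"system global: admintimeout {timeout[0]} exceeds the "
                        f"default of {DEFAULT_IDLE_TIMEOUT} minutes")

    # Administrative access: flag interfaces that allow HTTP or Telnet.
    for name, keys in cfg.get("system interface", {}).items():
        exposed = sorted(INSECURE_ADMIN_SERVICES & set(keys.get("allowaccess", [])))
        if exposed:
            findings.append(f"interface {name}: insecure administrative access "
                            f"enabled ({', '.join(exposed)})")

    # Trusted hosts: every administrator should be limited to known source networks.
    for name, keys in cfg.get("system admin", {}).items():
        if name and not any(k.startswith("trusthost") for k in keys):
            findings.append(f"admin {name}: no trusted hosts configured")

    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```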
System Admin
This section describes how to configure administrator accounts on your FortiGate unit.
Administrators access the FortiGate unit to configure its operation. The factory default
configuration has one administrator, admin. After connecting to the web-based manager
or the CLI, you can configure additional administrators with various levels of access to
different parts of the FortiGate unit configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are
configured globally for the entire FortiGate unit. For details, see Using virtual domains on
page 103.
Note: Always end your FortiGate session by logging out, in the CLI or the web-based
manager. If you do not, the session remains open.
Administrators
There are two levels of administrator accounts:
Regular administrators An administrator with any admin profile other than super_admin. A regular administrator account has access to configuration options as determined by its Admin Profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which options are global and which are per VDOM, see VDOM configuration settings on page 104 and Global configuration settings on page 107.
System administrators Includes the factory default system administrator admin, any other administrators assigned to the super_admin profile, and any administrator that is assigned to the super_admin_readonly profile. Any administrator assigned to the super_admin admin profile, including the default administrator account admin, has full access to the FortiGate unit configuration and general system settings that includes the ability to:
enable VDOM configuration
create VDOMs
configure VDOMs
assign regular administrators to VDOMs
configure global options
customize the FortiGate web-based manager.
The super_admin admin profile cannot be changed; it does not appear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in the System > Admin New/Edit Administrator dialog box.
Figure 105: New Administrator dialog box displaying super_admin readonly option
Note: The password of users with the super_admin admin profile can be reset in the CLI. If
the password of a user who is logged in is changed, the user will be logged out and
prompted to re-authenticate with the new password.
Example: For a user ITAdmin with the admin profile super_admin, to set the password to
123456:
config sys admin
edit ITAdmin
set password 123456
end
Example: For a user ITAdmin with the admin profile super_admin, to reset the password
from 123456 to the default empty:
config sys admin
edit ITAdmin
unset password 123456
end
There is also an admin profile that allows read-only super admin privileges,
super_admin_readonly. This profile cannot be deleted or changed, similar to the
super_admin. The read-only super_admin profile is suitable in a situation where it is
necessary for a system administrator to troubleshoot a customer configuration without
being able to make changes. Other than being read-only, the super_admin_readonly
profile can view all the FortiGate configuration tools.
You can authenticate an administrator by using a password stored on the FortiGate unit,
an LDAP, RADIUS, or TACACS+ server, or by using PKI certificate-based authentication.
To authenticate an administrator with an LDAP or TACACS+ server, you must add the
server to an authentication list, include the server in a user group, and associate the
administrator with the user group. The RADIUS server authenticates users and authorizes
access to internal network resources based on the admin profile of the user. Users
authenticated with the PKI-based certificate are permitted access to internal network
resources based on the user group they belong to and the associated admin profile.
A VDOM/admin profile override feature supports authentication of administrators via
RADIUS. The admin user will have access depending on which VDOM and associated
admin profile he or she is restricted to. This feature is available only to wildcard
administrators, and can be set only through the FortiGate CLI. There can only be one
VDOM override user per system. For more information, see the FortiGate CLI Reference.
Note: If you forget or lose an administrator account password and cannot log in to your
FortiGate unit, see the Fortinet Knowledge Center article Recovering lost administrator
account passwords.
Note: Access to the FortiGate unit depends on the VDOM associated with the administrator
account.
The following instructions assume that there is a RADIUS server on your network
populated with the names and passwords of your administrators. For information on how
to set up a RADIUS server, see the documentation for your RADIUS server.
To view the RADIUS server list, go to User > Remote > RADIUS.
Name The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP The domain name or IP address of the LDAP server.
Server Port The TCP port used to communicate with the LDAP server.
Common Name Identifier The common name identifier for the LDAP server.
Distinguished Name The base distinguished name for the server in the correct X.500 or LDAP format.
Query icon View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see Using Query on page 577.
Bind Type The type of binding for LDAP authentication:
Anonymous Bind using anonymous user search.
Regular Bind using a user name/password and then search.
Simple Bind using a simple password authentication without a search.
Filter Filter used for group searching. Available only if Bind Type is Anonymous or Regular.
User DN Distinguished name of the user to be authenticated. Available only if Bind Type is Regular.
Password Password of the user to be authenticated. Available only if Bind Type is Regular.
Secure Connection A check box that enables a secure LDAP server connection for authentication.
Protocol The secure LDAP protocol to use for authentication. Available only if Secure Connection is selected.
Certificate The certificate to use for authentication. Available only if Secure Connection is selected.
For further information about LDAP authentication, see Configuring an LDAP server on
page 575.
Admin profiles
Each administrator account belongs to an admin profile. The admin profile separates
FortiGate features into access control categories for which an administrator with
read/write access can enable none (deny), read only, or read/write access.
The following table lists the web-based manager pages to which each category provides
access:
Table 39: Admin profile control of access to Web-based manager pages
Read-only access enables the administrator to view the web-based manager page. The
administrator needs write access to change the settings on the page.
You can expand the firewall configuration access control to enable more granular control
of access to the firewall functionality. You can control administrator access to policy,
address, service, schedule, profile, and other virtual IP (VIP) configurations.
Note: When Virtual Domain Configuration is enabled (see Settings on page 228), only the
administrators with the admin profile super_admin have access to global settings. Other
administrator accounts are assigned to one VDOM and cannot access global configuration
options or the configuration for any other VDOM.
For information about which settings are global, see VDOM configuration settings on
page 104.
The admin profile has a similar effect on administrator access to CLI commands. The
following table shows which command types are available in each Access Control
category. You can access get and show commands with Read Only access. Access to
config commands requires Read-Write access.
Table 40: Admin profile control of access to CLI commands
Central Management
The Central Management tab provides the option of remotely managing your FortiGate
unit by either a FortiManager unit or the FortiGuard Analysis and Management Service.
From System > Admin > Central Management, you can configure your FortiGate unit to
back up or restore configuration settings automatically to the specified central
management server. The central management server is the type of service you enable,
either a FortiManager unit or the FortiGuard Analysis and Management Service. If you
have a subscription for FortiGuard Analysis and Management Service, you can also
remotely upgrade the firmware on the FortiGate unit.
Figure 117: Central Management using the FortiGuard Analysis and Management Service
Enable Central Management Enables the Central Management feature on the FortiGate unit.
Type Select the type of central management for this FortiGate unit. You can select FortiManager or the FortiGuard Analysis and Management Service.
FortiManager Select to use FortiManager as the central management service for the FortiGate unit.
Enter the IP address or name of the FortiManager unit in the IP/Name field.
If your organization is operating a FortiManager cluster, add the IP address or name of the primary FortiManager unit to the IP/Name field and add the IP address or name of the backup FortiManager units to the Trusted FortiManager list.
Status indicates whether or not the FortiGate unit can communicate with the FortiManager unit added to the IP/Name field.
Select Register to include the FortiManager unit in the Trusted FortiManager List.
A red arrow-down indicates that there is no connection enabled; a green arrow-up indicates that there is a connection.
A yellow caution symbol appears when your FortiGate unit is considered an unregistered device by the FortiManager unit.
FortiGuard Analysis and Management Service Select to use the FortiGuard Analysis and Management Service as the central management service for the FortiGate unit.
Enter the Account ID in the Account ID field. If you do not have an account ID, register for the FortiGuard Analysis and Management Service on the FortiGuard Analysis and Management Service website.
Select Change to go directly to System > Maintenance > FortiGuard. Under Analysis and Management Service Options, enter the account ID in the Account ID field.
When you configure your FortiGate unit to connect to and communicate with a
FortiManager unit, the steps you must take depend on which of the two deployment
scenarios applies.
FortiGate is directly reachable from FortiManager:
In the FortiManager GUI, add the FortiGate unit to the FortiManager database in
the Device Manager module
Change the FortiManager IP address
Change the FortiGate IP address
FortiGate behind NAT:
In System > Admin > Central Management, choose FortiManager
Add the FortiManager unit to the Trusted FortiManager List, if applicable
Change the FortiManager IP address
Change the FortiGate IP address
Contact the FortiManager administrator to verify the FortiGate unit displays in the
Device list in the Device Manager module
Revision control
The Revision Control tab displays a list of the backed up configuration files. The list
displays only when your FortiGate unit is managed by a central management server. For
more information, see Managing configuration revisions on page 261.
Settings
The Settings tab includes the following features that you can configure:
ports for HTTP/HTTPS administrative access and SSL VPN login
the idle timeout setting
settings for the language of the web-based manager and the number of lines displayed
in generated reports
PIN protection for LCD and control buttons (LCD-equipped models only)
SCP capability for users logged in via SSH
IPv6 support on the web-based manager.
To configure settings, go to System > Admin > Settings, enter or select the following and
select OK.
SSH Port TCP port to be used for administrative SSH access. The default is 22.
Enable SSH v1 compatibility Enable compatibility with SSH v1 in addition to v2. (Optional)
Timeout Settings
Idle Timeout The number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.
Display Settings
Language The language the web-based manager uses. Choose from English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese or French. You should select the language that the management computer operating system uses.
Lines per Page Number of lines per page to display in table lists. The default is 50. The range is 20 to 1000.
IPv6 Support on GUI Enable to configure IPv6 options from the GUI (Firewall policy, route, address and address group). By default, these options can be configured from the CLI only.
Note: IPv6 is not supported in Transparent mode.
LCD Panel (LCD-equipped models only)
PIN Protection Select and enter a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD.
Enable SCP Enable users logged in through SSH to use SCP to copy the configuration file.
Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH,
ensure that the port number is unique.
Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under System
Information, you will see Current Administrators. Select Details to view information about
the administrators currently logged in to the FortiGate unit.
To enable IPv6 support, go to System > Admin > Settings, then under Display Settings,
select IPv6 Support on GUI.
After you enable IPv6 support in the web-based manager, you can:
create IPv6 static routes (see Router Static)
monitor IPv6 routes (see Router Monitor)
Tip: Increase the timeout settings before creating or editing a GUI layout. See Settings on
page 228.
Note: The current administrator Access Control settings apply only to the fixed components
of the layout (default), not to the customized items. If you want to create a completely
customized layout profile, you must set access for all fixed components to None and also
set all the standard menu items to Hide from within the GUI layout dialog box (see
Figure 124).
Figure 122: Admin Profile dialog box - Log & Report access (callouts: access denied to other layout items; read-only access selected for Log & Report; standard GUI Control Menu layout selection)
Figure 123: Selection of Customize GUI Control option for Report Profile (callout: select Customize to access the layout dialog box)
Figure 124: Customize GUI layout dialog box for Report Profile (callouts: customization drop-down menu; Save layout; Cancel layout changes)
In the GUI layout dialog box, select the customization drop-down menu icon beside
System and select hide (see Figure 124). Repeat for each menu item except Log&Report.
To start the configuration of customized menu items, select the Create New (Tier-1 menu
item) icon in the FortiGate menu. You will need to:
configure Tier-1 and Tier-2 menu items
add tabs to each of these items as required
add content to the page layout.
Figure 125: Creating Tier-1 and Tier-2 menu items in FortiGate menu (callouts 1 to 6: creation of new Tier-1 menu item Custom Log Report; creation of new Tier-2 menu items Custom Log Menu1 and Custom Log Menu2)
After you create Tier-1 and Tier-2 menu items, you need to create the subset of tab items
across the page layout. The Create New tab icon is not available until you have created
the Tier-1 and Tier-2 menu items.
2 Select and rename the default name to Custom Log Report Tab1 (see Figure 127).
3 Press Enter to save your change.
4 Repeat steps 1 to 3 to create a second tab called Custom Log Report Tab2.
5 To save your customized layout, select Save in the GUI layout dialog box (see
Figure 124).
To add content to the page layout, select Add Content (see Figure 124). The Add content
to the Custom Log Report Tab1 dialog box appears (see Figure 129).
The Add content dialog box includes a search feature that you can use to find widgets.
This search employs a real-time filtering mechanism with a contains type search on the
widget names. For example, if you search on use, you will be shown User Group, IM
User Monitor, Firewall User Monitor, Banned User, and Top Viruses (see Figure 130).
For Custom Log Report Tab1, select the Log&Report category. All the items related to the
Log&Report menu item are listed (see Figure 131). Select Add next to an item that you
want to include in the tab. The item is placed in the page layout behind the Custom Log
Report Tab1 dialog box. You will see the configured layout when you close the Add
content to the Custom Log Report Tab1 dialog box. The maximum number of items that
can be placed in a page layout is 8.
For the Custom Log Report Tab1, select the following items for inclusion in the layout:
Alert E-mail
Schedule.
Close the Edit Layout dialog box.
Figure 131: Log&Report category selection for Custom Log Report Tab1
For the Custom Log Report Tab2, select the following items for inclusion in the layout:
Event Log
Log Setting.
Figure 133: Log&Report category selection for Custom Log Report Tab2
To preview a customized layout in the custom GUI layout dialog box, select Show Preview
(see Figure 135). When you have completed the configuration selections for the page
layout, select Save to close the custom GUI layout dialog box (see Figure 135). To
abandon the configuration, select Reset menus (see Figure 135). To exit the GUI layout
dialog box without saving your changes, select Cancel (see Figure 135).
Figure 135: Report Profile customized GUI layout dialog box - complete (callouts: Cancel; Show Preview; Save; Reset menus)
When you complete the customization, close the dialog box to return to the Admin Profile
dialog box in which you configured the custom GUI. To save the configuration, select OK
to close the Admin Profile dialog box (see Figure 121).
To view the web-based manager configuration created in Report Profile, you must log out
of the FortiGate unit, then log back in using the name and password of an administrator
assigned the Report Profile administrative profile. The FortiGate web-based manager
reflects the customized configuration of Report Profile (see Figure 136).
System Certificates
This section explains how to manage X.509 security certificates using the FortiGate
web-based manager. Certificate authentication allows administrators to generate certificate
requests, install signed certificates, import CA root certificates and certificate revocation
lists, and back up and restore installed certificates and private keys.
Authentication is the process of determining if a remote host can be trusted with access to
network resources. To establish its trustworthiness, the remote host must provide an
acceptable authentication certificate by obtaining a certificate from a certification authority
(CA). The FortiGate unit can then use certificate authentication to reject or allow
administrative access via HTTPS, and to authenticate IPSec VPN peers or clients, as well
as SSL VPN user groups or clients.
If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are
configured globally for the entire FortiGate unit. For details, see Using virtual domains on
page 103.
There are several certificates on the FortiGate unit that have been automatically
generated:
System administrators can use these certificates wherever they may be required, for
example, with SSL VPN, IPSec, LDAP, and PKI.
For additional background information on certificates, see the FortiGate Certificate
Management User Guide.
Local Certificates
Certificate requests and installed server certificates are displayed in the Local Certificates
list. After you submit the request to a CA, the CA will verify the information and register the
contact information on a digital certificate that contains a serial number, an expiration date,
and the public key of the CA. The CA will then sign the certificate and send it to you to
install on the FortiGate unit.
To view certificate requests and/or import signed server certificates, go to System >
Certificates > Local Certificates. To view certificate details, select the View Certificate
Detail icon in the row that corresponds to the certificate.
Generate Generate a local certificate request. For more information, see Generating a certificate request on page 245.
Import Import a signed local certificate. For more information, see Importing a signed server certificate on page 247.
Name The names of existing local certificates and pending certificate requests.
Subject The Distinguished Names (DNs) of local signed certificates.
Comments A description of the certificate.
Status The status of the local certificate. PENDING designates a certificate request that needs to be downloaded and signed.
View Certificate Detail icon Display certificate details such as the certificate name, issuer, subject, and valid certificate dates.
Delete icon Delete the selected certificate request or installed server certificate from the FortiGate configuration. This is available only if the certificate has PENDING status.
Download icon Save a copy of the certificate request to a local computer. You can send the request to your CA to obtain a signed server certificate for the FortiGate unit (SCEP-based certificates only).
For detailed information and step-by-step procedures related to obtaining and installing
digital certificates, see the FortiGate Certificate Management User Guide.
Certification Name Enter a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.
Subject Information Enter the information needed to identify the FortiGate unit:
Host IP If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.
Domain Name If the FortiGate unit has a static IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit. If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names. If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an "unable to verify certificate" message may be displayed in the user's browser whenever the public IP address of the FortiGate unit changes.
E-Mail If you select E-mail, enter the email address of the owner of the FortiGate unit.
Optional Information Complete as described or leave blank.
Organization Unit Enter the name of your department or departments. You can enter a maximum of 5 Organization Units. To add or remove a unit, use the plus (+) or minus (-) icon.
Organization Enter the legal name of your company or organization.
Locality (City) Enter the name of the city or town where the FortiGate unit is installed.
State/Province Enter the name of the state or province where the FortiGate unit is installed.
Country Select the country where the FortiGate unit is installed.
e-mail Enter the contact email address.
Key Type Only RSA is supported.
Key Size Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.
Enrollment Method Select one of the following methods:
File Based Select to generate the certificate request.
Online SCEP Select to obtain a signed SCEP-based certificate automatically over the network.
CA Server URL: Enter the URL of the SCEP server from which to retrieve the CA certificate.
Challenge Password: Enter the CA server challenge password.
Certificate File Enter the full path to and file name of the signed server certificate.
Browse Alternatively, browse to the location on the management computer where the
certificate has been saved, select the certificate, and then select OK.
Certificate with key file Enter the full path to and file name of the previously exported PKCS12 file.
Browse Alternatively, browse to the location on the management computer where the
PKCS12 file has been saved, select the file, and then select OK.
Password Type the password needed to upload the PKCS12 file.
Certificate file Enter the full path to and file name of the previously exported certificate file.
Browse Alternatively, browse to the location of the previously exported certificate file,
select the file, and then select OK.
Key file Enter the full path to and file name of the previously exported key file.
Browse Alternatively, browse to the location of the previously exported key file, select the
file, and then select OK.
Password If a password is required to upload and open the files, type the password.
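A PKCS12 file protected with 40-bit RC2-CBC is rejected by the FortiGate unit (see the note on this page), and the weak scheme is usually the silent default of an old export tool. The following is an added example, not code from this guide or from Fortinet: a standard-library Python scanner that walks the DER structure of a .p12/.pfx file and reports the password-based encryption (PBE) algorithm OIDs it contains. The OID table comes from RFC 7292 Appendix C; the sample bundle is constructed inline and is only a PKCS12-shaped skeleton with dummy ciphertext, not a loadable file. With a real file, call check_pkcs12_file(path).

```python
"""Added example: scan a DER-encoded PKCS#12 (.p12/.pfx) bundle for the
password-based encryption (PBE) algorithms it uses, so that a bundle
protected with 40-bit RC2-CBC (which the FortiGate unit rejects) is caught
before upload. Standard library only; the sample bundle below is
constructed and is not a loadable PKCS#12 file."""

# PKCS#12 PBE scheme OIDs (RFC 7292, Appendix C) and PKCS#5 PBES2.
PBE_NAMES = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2, e.g. AES-256-CBC)",
}
# 40-bit schemes: RC2-CBC is the one the guide names; 40-bit RC4 is just as weak.
WEAK_PBE = {"1.2.840.113549.1.12.1.6", "1.2.840.113549.1.12.1.2"}


def _read_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not used in PKCS#12")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def collect_oids(buf):
    """Walk DER recursively and return every OBJECT IDENTIFIER found.
    Constructed types are descended; an OCTET STRING is descended only when its
    content parses as DER, which is how PKCS#12 nests its AuthenticatedSafe."""
    oids, pos = [], 0
    while pos < len(buf):
        tag, start, end = _read_tlv(buf, pos)
        value = buf[start:end]
        if tag == 0x06:
            oids.append(_decode_oid(value))
        elif tag & 0x20:                       # constructed: SEQUENCE, SET, [n]
            oids.extend(collect_oids(value))
        elif tag == 0x04:
            try:
                oids.extend(collect_oids(value))
            except (ValueError, IndexError):
                pass                           # opaque bytes (ciphertext, MAC), not nested DER
        pos = end
    return oids


def check_pkcs12(p12_der):
    """Report the PBE algorithms in a PKCS#12 bundle and whether it is acceptable."""
    found = [(oid, PBE_NAMES[oid]) for oid in collect_oids(p12_der) if oid in PBE_NAMES]
    weak = [name for oid, name in found if oid in WEAK_PBE]
    return {"algorithms": found, "weak": weak, "accepted": not weak}


def check_pkcs12_file(path):
    with open(path, "rb") as fh:
        return check_pkcs12(fh.read())


# --- constructed sample input (hypothetical, for exercising the scanner) ----
def _der(tag, content):
    """Minimal DER encoder (definite lengths only)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _der(0x06, body)


def sample_pkcs12(pbe_oid):
    """PKCS#12-shaped DER skeleton (PFX > authSafe > EncryptedData) whose
    SafeContents is labelled as encrypted with pbe_oid. Salt, iteration count
    and ciphertext are dummy bytes, so this only exercises the scanner."""
    params = _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00"))
    alg = _der(0x30, _der_oid(pbe_oid) + params)
    enc_info = _der(0x30, _der_oid("1.2.840.113549.1.7.1") + alg + _der(0x80, b"\xde\xad\xbe\xef"))
    encrypted_data = _der(0x30, _der(0x02, b"\x00") + enc_info)
    content_info = _der(0x30, _der_oid("1.2.840.113549.1.7.6") + _der(0xA0, encrypted_data))
    auth_safe = _der(0x04, _der(0x30, content_info))
    pfx_body = _der(0x30, _der_oid("1.2.840.113549.1.7.1") + _der(0xA0, auth_safe))
    return _der(0x30, _der(0x02, b"\x03") + pfx_body)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.12.1.6", "1.2.840.113549.1.12.1.3"):
        print(PBE_NAMES[oid], "->", check_pkcs12(sample_pkcs12(oid))["accepted"])
```

When the scanner reports a 40-bit scheme, re-export the bundle from the original key and certificate with a stronger cipher (with OpenSSL, the -certpbe and -keypbe options of openssl pkcs12 select the PBE algorithms) rather than trying to rewrap the existing file.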
Note: The certificate file must not use 40-bit RC2-CBC encryption.
Remote Certificates
For dynamic certificate revocation, you need to use an Online Certificate Status Protocol
(OCSP) server. Remote certificates are public certificates without a private key; the
Remote Certificates list holds the public certificate of the OCSP responder. OCSP is
configured in the CLI only. For more information, see the FortiGate CLI Reference.
Installed Remote (OCSP) certificates are displayed in the Remote Certificates list.
To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to
System > Certificates > Remote. To view certificate details, select the View Certificate
Detail icon in the row that corresponds to the certificate.
Import Import a public OCSP certificate. See Importing CA certificates on page 250.
Name The names of existing Remote (OCSP) certificates. The FortiGate unit assigns
unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so
on) to the Remote (OCSP) certificates when they are imported.
Subject Information about the Remote (OCSP) certificate.
Delete icon Delete a Remote (OCSP) certificate from the FortiGate configuration.
View Certificate Detail icon Display certificate details.
Download icon Save a copy of the Remote (OCSP) certificate to a local computer.
The system assigns a unique name to each Remote (OCSP) certificate. The names are
numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and
so on).
CA Certificates
When you apply for a signed personal or group certificate to install on remote clients, you
must obtain the corresponding root certificate and CRL from the issuing CA.
When you receive the certificate, install it on the remote clients according to the browser
documentation. Install the corresponding root certificate and CRL from the issuing CA on
the FortiGate unit.
Installed CA certificates are displayed in the CA Certificates list. You cannot delete the
Fortinet_CA certificate. To view installed CA root certificates or import a CA root
certificate, go to System > Certificates > CA Certificates. To view root certificate details,
select the View Certificate Detail icon in the row that corresponds to the certificate.
For detailed information and step-by-step procedures related to obtaining and installing
digital certificates, see the FortiGate Certificate Management User Guide.
Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that has
management access to the FortiGate unit.
To import a CA root certificate, go to System > Certificates > CA Certificates and select
Import.
If you choose SCEP, the system starts the retrieval process as soon as you select OK.
The system assigns a unique name to each CA certificate. The names are numbered
consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
CRL
A Certificate Revocation List (CRL) is a list, signed by the issuing CA, of the certificates
that the CA has revoked before their expiry date. Installed CRLs are displayed in the CRL
list. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and
remote clients are still valid.
To view installed CRLs, go to System > Certificates > CRL.
Import Import a CRL. For more information, see Importing a certificate revocation list
on page 251.
Name The names of existing certificate revocation lists. The FortiGate unit assigns
unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists
when they are imported.
Subject Information about the certificate revocation lists.
Delete icon Delete the selected CRL from the FortiGate configuration.
View Certificate Detail icon Display CRL details such as the issuer name and CRL update dates.
Download icon Save a copy of the CRL to a local computer.
Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest
version of the CRL is retrieved automatically from the server when the FortiGate unit does
not have a copy of it or when the current copy expires.
To import a certificate revocation list, go to System > Certificates > CRL and select Import.
HTTP Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP
server.
LDAP Select to use an LDAP server to retrieve the CRL, then select the LDAP
server from the list.
SCEP Select to use an SCEP server to retrieve the CRL, then select the Local
Certificate from the list. Enter the URL of the SCEP server from which the
CRL can be retrieved.
Local PC Select to upload the CRL file from the administrator's PC. Enter the
location, or browse to the location on the management computer where
the CRL file has been saved, select the file, and then select OK.
The system assigns a unique name to each CRL. The names are numbered consecutively
(CRL_1, CRL_2, CRL_3, and so on).
System Maintenance
This section describes how to maintain your system configuration as well as how to enable
and update FDN services. This section also explains the types of FDN services that are
available for your FortiGate unit.
If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is
configured globally for the entire FortiGate unit. For more information, see Using virtual
domains on page 103.
This section includes the following topics:
About the Maintenance menu
Managing configuration revisions
Using script files
Configuring FortiGuard Services
Troubleshooting FDN connectivity
Updating antivirus and attack definitions
Enabling push updates
Adding VDOM Licenses
When virtual domain configuration is enabled, the content of the backup file depends on
the administrator account that created it. A backup of the system configuration from the
super_admin account contains global settings and the settings included in each VDOM.
Only the super_admin can restore the configuration from this file. When you back up the
system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM that the regular administrator belongs to. A
regular administrator is the only user account that can restore the configuration from this
file.
Some FortiGate models support FortiClient by storing a FortiClient image that users can
download. The FortiClient section of Backup & Restore is available if your FortiGate model
supports FortiClient. This feature is currently available on FortiGate-1000A, 3600A, and
5005FA2 models.
Tip: For simplified procedures on managing firmware, including backup and restore
options, and on uploading and downloading firmware for your FortiGate unit, see
Managing firmware versions on page 91.
Note: The Firmware section is available only on FortiGate-100A units and higher. If you
have a FortiGate-60B unit or lower, you can upgrade or downgrade the firmware by going
to System > Status and selecting the Update link that appears beside Firmware Version.
Figure 149: Backup & Restore options with FortiGuard services option enabled
Backup
Backup configuration to: The options available for backing up your current configuration. Select
one of the displayed options:
Local PC Back up the configuration to the management computer the FortiGate
unit is connected to. Local PC is always displayed regardless of
whether a USB disk is available, FortiGuard Analysis and Management
Service is enabled, or the FortiGate unit is connected to a
FortiManager unit.
FortiGuard / Management Station Back up the configuration to the FortiGuard Analysis
and Management Service. If the service is not enabled, the option is labelled
Management Station.
USB Disk Back up the configuration file to the USB disk connected to the
FortiGate unit. USB Disk is displayed only if the FortiGate unit includes
a USB port. If you do not connect a USB disk, this option is grayed out.
For more information, see Formatting USB Disks on page 261.
After successfully connecting to the FortiManager unit from your FortiGate unit, you can
back up your configuration to the FortiManager unit. You can also restore your
configuration.
The automatic configuration backup is available only in local mode on the FortiManager
unit.
A list of revisions is displayed when restoring the configuration from a remote location.
The list allows you to choose the configuration to restore.
To view the basic backup and restore options, go to System > Maintenance >
Backup & Restore.
Figure 150: Backup & Restore options with FortiManager option enabled
After registering, you can back up or restore your configuration. The FortiGuard Analysis
and Management Service is useful when administering multiple FortiGate units without
having a FortiManager unit.
You can also upgrade the firmware on your FortiGate unit using the FortiGuard Analysis
and Management Service. Upgrading the firmware is available in the Firmware Upgrade
section of the backup and restore menu. See Upgrading and downgrading firmware
through FortiGuard on page 259 for more information about upgrading firmware from the
backup and restore menu.
When restoring the configuration from a remote location, a list of revisions is displayed so
that you can choose the configuration file to restore.
To view the basic backup and restore options, go to System > Maintenance >
Backup & Restore.
Backup The options available for backing up your current configuration to the
FortiGuard Analysis and Management Service.
Backup configuration to: Select the FortiGuard option to upload the configuration to the
FortiGuard Analysis and Management Service. The Local PC option is always available.
Comments: Enter a description or information about the file in the Comments field.
This is optional.
Backup Select to back up the configuration file to the FortiGuard Analysis and
Management Service.
A confirmation message appears after successful completion of the
backup.
Restore The options for restoring a configuration file.
Restore configuration from: Select the FortiGuard option to download the configuration
file from the FortiGuard Analysis and Management Service.
Please Select: Select the configuration file you want to restore from the list. This list
includes the comments you included in the Comment field before it
was uploaded to the FortiGuard Analysis and Management Service.
The list is in numerical order, with the recent uploaded configuration
first.
Restore Select to restore the configuration from the FortiGuard Analysis and
Management Service.
Partition A partition can contain one version of the firmware and the system
configuration. FortiGate-100A units and higher have two partitions.
One partition is active and the other is used as a backup.
Active A green check mark indicates the partition currently in use.
Last upgrade The date and time of the last update to this partition.
Firmware Version The version and build number of the FortiGate firmware. If your
FortiGate model has a backup partition, you can:
Select Upload to replace with firmware from the management
computer or a USB disk. The USB disk must be connected to the
FortiGate unit USB port. See Formatting USB Disks on page 261.
Select Upload and Reboot to replace the existing firmware and
make this the active partition.
Boot alternate firmware Restart the FortiGate unit using the backup firmware.
This is available only for FortiGate-100 units or higher.
Figure 153: Firmware Upgrade section of the Backup & Restore page
Upgrade from FortiGuard Select one of the available firmware versions. The list contains the
network to firmware following information for each available firmware release:
version: [Please Select] continent (for example, North America)
maintenance release number
patch release number
build number.
For example, if you are upgrading to FortiOS 3.0 MR6 and the
FortiGate unit is located in North America, the firmware version
available is v3.0 MR6-NA (build 0700).
Allow firmware Select to allow installation of older versions than the one currently
downgrade installed.
This is useful if the current version changed functionality you need and
you have to revert to an older firmware image.
Upgrade by File Select Browse to locate a file on your local PC to upload to the
FortiGate unit.
OK Select OK to enable your selection.
On system restart, automatically update FortiGate configuration... Automatically update
the configuration on restart. Ensure that the default configuration file name matches the
configuration file name on the USB disk. If the configuration file on the disk matches the
currently installed configuration, the FortiGate unit skips the configuration update
process.
On system restart, automatically update FortiGate firmware... Automatically update the
firmware on restart. Ensure that the default image name matches the firmware file name
on the USB disk. If the firmware image on the disk matches the currently installed
firmware, the FortiGate unit skips the firmware update process.
Enabling either option lets anyone who can plug a USB disk into the unit replace its
configuration or firmware at the next restart, so enable them only where physical access
to the FortiGate unit is controlled.
Caution: Formatting the USB disk deletes all information on the disk. Back up the
information on the USB disk before formatting to ensure all information on the disk is
recoverable.
There are two ways that you can format the USB disk: from the CLI or from a Windows
system. In the CLI, use the command execute usb-disk format (which can be
abbreviated to exe usb-disk format). On a Windows system, at the command prompt
type format <drive_letter>: /FS:FAT /V:<drive_label>, where <drive_letter> is the
letter of the connected USB drive you want to format and <drive_label> is the name you
want to give the USB drive for identification.
Current Page The current page number of list items that are displayed. Select the left
and right arrows to display the first, previous, next or last page of
system configuration backups.
For more information, see Using page controls on web-based
manager lists on page 57.
Revision An incremental number indicating the order in which the configurations
were saved. These may not be consecutive numbers if configurations
are deleted.
The most recent, and highest, number is first in the list.
Date/Time The date and time this configuration was saved on the FortiGate unit.
Administrator The administrator account that was used to back up this revision.
Comments Any relevant information saved with the revision, such as why the
revision was saved, who saved it, and if there is a date when it can be
deleted to free up space.
Diff icon Select to compare two revisions.
A window will appear, from which you can view and compare the
selected revision to one of:
the current configuration
a selected revision from the displayed list including revision history
and templates
a specified revision number.
Download icon Download this revision to your local PC.
Revert icon Restore the selected revision. You will be prompted to confirm this action.
Execute Script from Scripts can be uploaded directly to the FortiGate unit from the
management PC. If you have configured either a FortiManager unit or the FortiGuard
Analysis and Management Service, scripts that have been stored remotely can also be
run on the FortiGate unit.
Upload Bulk CLI Command File Select Browse to locate the script file and then select
Apply to upload and execute the file. If the FortiGate unit is configured to use the
FortiGuard Analysis and Management Service, the script will be saved on the server for
later use.
Select From remote management station Select to execute a script from the FortiManager
unit or the FortiGuard Analysis and Management Service. Choose the script you want to
run from the list of all scripts stored remotely.
Script Execution History (past 10 scripts) A list of the 10 most recently executed scripts.
Name The name of the script file.
Type The source of the script file. A local file is uploaded directly to the
FortiGate unit from the management PC and executed. A remote file
is executed on the FortiGate unit after being sent from a FortiManager
unit or the FortiGuard Analysis and Management Service.
Time The date and time the script file was executed.
Status The status of the script file, if its execution succeeded or failed.
Delete icon Delete the script entry from the list.
Tip: An unencrypted configuration file uses the same structure and syntax as a script file.
You can save a configuration file and copy the required parts to a new file, making any edits
you require. You can generate script files more quickly this way.
Caution: Commands that require the FortiGate unit to reboot when entered on the
command line will also force a reboot if included in a script.
To execute a script
1 Go to System > Maintenance > Scripts.
2 Verify that Upload Bulk CLI Command File is selected.
3 Select Browse to locate the script file.
4 Select Apply.
If the FortiGate unit is not configured for remote management, or if it is configured to use a
FortiManager unit, uploaded scripts are discarded after execution. Save script files to your
management PC if you want to execute them again later.
If the FortiGate unit is configured to use the FortiGuard Analysis and Management
Service, the script file is saved to the remote server for later reuse. You can view the script
or run it from the FortiGuard Analysis and Management Service portal web site. For more
information about viewing or running an uploaded script on the portal web site, see the
FortiGuard Analysis and Management Service Users Guide.
The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to
receive scheduled updates. For more information, see To enable scheduled updates on
page 272.
You can also configure the FortiGate unit to receive push updates. When the FortiGate
unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit
using UDP port 9443. For more information, see Enabling push updates on page 273. If
the FortiGate unit is behind a NAT device, see Enabling push updates through a NAT
device on page 274.
FortiGuard services
Worldwide coverage of FortiGuard services is provided by FortiGuard service points.
When the FortiGate unit is connecting to the FDN, it is connecting to the closest
FortiGuard service point. Fortinet adds new service points as required.
If the closest service point becomes unreachable for any reason, the FortiGate unit
contacts another service point and information is available within seconds. By default, the
FortiGate unit communicates with the service point via UDP on port 53. Alternately, you
can switch the UDP port used for service point communication to port 8888 by going to
System > Maintenance > FortiGuard.
If you need to change the default FortiGuard service point host name, use the hostname
keyword in the system fortiguard CLI command. You cannot change the FortiGuard
service point name using the web-based manager.
For more information about FortiGuard services, see the FortiGuard Center web page.
Every FortiGate unit comes with a free 30-day FortiGuard Web Filtering trial license.
FortiGuard license management is performed by Fortinet servers. There is no need to
enter a license number. The FortiGate unit automatically contacts a FortiGuard service
point when enabling FortiGuard category blocking. Contact Fortinet Technical Support to
renew a FortiGuard license after the free trial.
You can globally enable FortiGuard Web Filtering in System > Maintenance > FortiGuard
and then configure FortiGuard Web Filtering options for each profile in Firewall >
Protection Profiles. For more information, see FortiGuard Web Filtering options on
page 413.
Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System > Maintenance >
FortiGuard. The FDN page contains four sections of FortiGuard services:
Support Contract and FortiGuard Subscription Services
Downloading antivirus and IPS updates
Configuring Web Filtering and AntiSpam Options
Configuring Analysis and Management Service Options
Support Contract The availability or status of your FortiGate unit support contract. The
status displays can be one of the following: Unreachable, Not
Registered or Valid Contract.
If Valid Contract is shown, the FortiOS firmware version and contract
expiry date appear. A green checkmark also appears.
[Register] Select to register your FortiGate unit support contract.
This option is available only when the support contract is not
registered.
FortiGuard Subscription Services Availability and status information for each of the
FortiGuard subscription services including:
AntiVirus
Intrusion Protection
Web Filtering
AntiSpam
Analysis and Management Service
[Availability] The availability of this service on this FortiGate unit, dependent on
your service subscription. The status can be Unreachable, Not
Registered, Valid License, or Valid Contract.
The option Subscribe appears if Availability is Not Registered.
The option Renew appears if Availability has expired.
[Update] Select to manually update this service on your FortiGate unit. This will
prompt you to download the update file from your local computer.
Select Update Now to immediately download current updates from
FDN directly.
[Register] Select to register the service. This is displayed in Analysis and
Management Service.
Status Icon Indicates the status of the subscription service. The icon corresponds
to the availability description.
Gray (Unreachable) FortiGate unit is not able to connect to service.
Orange (Not Registered) FortiGate unit can connect, but is not
subscribed to this service.
Yellow (Expired) FortiGate unit had a valid license that has expired.
Green (Valid license) FortiGate unit can connect to FDN and has a
registered support contract.
If the Status icon is green, the expiry date is displayed.
[Version] The version number of the definition file currently installed on the
FortiGate unit for this service.
[Last update date and method] The date of the last update and the method used for the
last attempt to download definition updates for this service.
[Date] Local system date when the FortiGate unit last checked for updates
for this service.
Use override server Select to configure an override server if you cannot connect to the
address FDN or if your organization provides updates using their own
FortiGuard server.
When selected, enter the IP address or domain name of a FortiGuard
server and select Apply. If the FDN Status still indicates no connection
to the FDN, see Troubleshooting FDN connectivity on page 271.
Allow Push Update Select to allow push updates. Updates are then sent automatically to
your FortiGate unit when they are available, eliminating any need for
you to check if they are available.
Allow Push Update status icon The status of the FortiGate unit for receiving push updates:
Gray (Unreachable) - the FortiGate unit is not able to connect to the push update
service
Yellow (Not Available) - the push update service is not available with the current
support license
Green (Available) - the push update service is allowed. See Enabling push updates
on page 273.
If the icon is gray or yellow, see Troubleshooting FDN connectivity on page 271.
Use override push IP Available only if both Use override server address and Allow Push
Update are enabled.
Select to allow you to create a forwarding policy that redirects
incoming FDS push updates to your FortiGate unit.
Enter the IP address of the NAT device in front of your FortiGate unit.
FDS will connect to this device when attempting to reach the FortiGate
unit.
The NAT device must be configured to forward the FDS traffic to the
FortiGate unit on UDP port 9443. See Enabling push updates through
a NAT device on page 274.
Port Select the port on the NAT device that will receive the FDS push
updates. This port must be forwarded to UDP port 9443 on the
FortiGate unit.
Available only if Use override push is enabled.
Schedule Updates Select this check box to enable scheduled updates.
Every Attempt to update once every 1 to 23 hours. Select the number of
hours between each update request.
Daily Attempt to update once a day. You can specify the hour of the day to
check for updates. The update attempt occurs at a randomly
determined time within the selected hour.
Weekly Attempt to update once a week. You can specify the day of the week
and the hour of the day to check for updates. The update attempt
occurs at a randomly determined time within the selected hour.
Update Now Select to manually initiate an FDN update.
Submit attack characteristics (recommended) Fortinet recommends that you select this
check box. It helps to improve the quality of IPS signatures.
Enable Web Filter Select to enable the FortiGuard Web Filter service.
Enable Cache Select to enable caching of web filter queries.
This improves performance by reducing FortiGate unit requests to the
FortiGuard server. The cache uses 6 percent of the FortiGate memory.
When the cache is full, the least recently used IP address or URL is
deleted.
Available if Enable Web Filter is selected.
TTL Time to live. The number of seconds to store blocked IP addresses
and URLs in the cache before contacting the server again.TTL must
be between 300 and 86400 seconds.
Available only if both Enable Web Filter and Enable Cache are
selected.
Account ID Enter the name for the Analysis and Management Service that
identifies the account.
The account ID that you entered in the Account ID field when
registering is used in this field.
To launch the service portal, please click here Select to go directly to the FortiGuard
Analysis and Management Service portal web site to view logs or configuration. You can
also select this to register your FortiGate unit with the FortiGuard Analysis and
Management Service.
To configure FortiGuard Analysis Service options, please click here Select the link to
configure and enable logging to the FortiGuard Analysis & Management server. The link
redirects you to Log&Report > Log Config > Log Setting. This appears only after
registering for the service.
To purge logs older than n months, please click here Select the number of months from
the list and then select the link; logs older than that are removed from the FortiGuard
Analysis & Management server. For example, if you select 2 months, logs older than two
months are removed from the server. You can also use this option to remove logs that
may appear on a current report. This appears only after logging is enabled and log
messages are sent to the FortiGuard Analysis server.
Note: Updating antivirus and IPS attack definitions can cause a very short
disruption in traffic scanning while the FortiGate unit applies the new signature
definitions. Fortinet recommends scheduling updates when traffic is light to
minimize disruption.
Every Once every 1 to 23 hours. Select the number of hours and minutes
between each update request.
Daily Once a day. You can specify the time of day to check for updates.
Weekly Once a week. You can specify the day of the week and the time of
day to check for updates.
5 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the
FortiGate event log.
If you cannot connect to the FDN, or if your organization provides antivirus and IPS
attack updates using its own FortiGuard server, you can use the following procedure to
add the IP address of an override FortiGuard server.
4 Select Apply.
The FortiGate unit tests the connection to the override server.
If the FortiGuard Distribution Network availability icon changes from gray to green, the
FortiGate unit has successfully connected to the override server.
If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit
cannot connect to the override server. Check the FortiGate configuration and network
configuration for settings that may prevent the FortiGate unit from connecting to the
override FortiGuard server.
If you have redundant connections to the Internet, the FortiGate unit also sends the
SETUP message when one Internet connection goes down and the FortiGate unit fails
over to another Internet connection.
In transparent mode, if you change the management IP address, the FortiGate unit also
sends the SETUP message to notify the FDN of the address change.
Figure: push updates through a NAT device. The diagram shows the internal network, a
virtual IP, the addresses 172.16.35.144 and 10.20.6.135 (each labelled as an external
interface) and the Internet.
Note: Push updates are not supported if the FortiGate unit must use a proxy server to
connect to the FDN. See To enable scheduled updates through a proxy server on
page 273 for more information.
4 Select OK.
Source Interface/Zone Select the name of the interface that connects to the Internet.
Source Address Select All
Destination Select the name of the interface of the NAT device that connects to
Interface/Zone the internal network.
Destination Address Select the virtual IP added to the NAT device.
Schedule Select Always.
Service Select ANY.
Action Select Accept.
NAT Select NAT.
4 Select OK.
Verify that push updates to the FortiGate unit on the internal network are working by going
to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering
and AntiSpam Options. The Push Update indicator should change to green.
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any
connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of
registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer
Administration Guide.
Router Static
This section explains some general routing concepts, and how to define static routes and
route policies.
A route provides the FortiGate unit with the information it needs to forward a packet to a
particular destination on the network. A static route directs packets for a particular
destination to a gateway other than the factory configured default gateway.
The factory configured static default route provides you with a starting point to configure
the default gateway. You must either edit the factory configured static default route to
specify a different default gateway for the FortiGate unit, or delete the factory configured
route and specify your own static default route that points to the default gateway for the
FortiGate unit. For more information, see Default route and default gateway on
page 281.
You define static routes manually. Static routes control traffic exiting the FortiGate unit
you can specify through which interface the packet will leave and to which device the
packet should be routed.
As an option, you can define route policies. Route policies specify additional criteria for
examining the properties of incoming packets. Using route policies, you can configure the
FortiGate unit to route packets based on the IP source and destination addresses in
packet headers and other criteria such as on which interface the packet was received and
which protocol (service) and port are being used to transport the packet.
If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured
separately for each virtual domain. For more information, see Using virtual domains on
page 103.
This section describes:
Routing concepts
Static Route
Policy Route
Routing concepts
The FortiGate unit works as a security device on a network and packets must pass
through it. You need to understand a number of basic routing concepts in order to
configure the FortiGate unit appropriately.
Whether you administer a small or large network, this module will help you understand
how the FortiGate unit performs routing functions.
The following topics are covered in this section:
How the routing table is built
How routing decisions are made
Multipath routing and determining the best route
Route priority
Blackhole Route
Another method is to manually change the priority of both of the routes. If the next-hop
administrative distances of two routes on the FortiGate unit are equal, it may not be clear
which route the packet will take. Configuring the priority for each of those routes will make
it clear which next-hop will be used in the case of a tie. You can set the priority for a route
only from the CLI. Lower priorities are preferred. For more information, see the FortiGate
CLI Reference.
All entries in the routing table are associated with an administrative distance. If the routing
table contains several entries that point to the same destination (the entries may have
different gateways or interface associations), the FortiGate unit compares the
administrative distances of those entries, selects the entries having the lowest distances,
and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate
forwarding table contains only those routes having the lowest distances to every possible
destination. For information about how to change the administrative distance associated
with a static route, see Adding a static route to the routing table on page 284.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference.
You configure the priority field through the CLI. The route with the lowest value in the
priority field is considered the best route, and it is also the primary route. The command to
set the priority field is: set priority <integer> under the config route static
command. For more information, see the FortiGate CLI Reference.
In summary, because you can use the CLI to specify which sequence numbers or priority
field settings to use when defining static routes, you can prioritize routes to the same
destination according to their priority field settings. For a static route to be the preferred
route, you must create the route using the config router static CLI command and
specify a low priority for the route. If two routes have the same administrative distance and
the same priority, then they are equal cost multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be confusing
which route or routes to install and use. However, if you have enabled load balancing with
ECMP routes, then different sessions will resolve this problem by using different routes to
the same address. For more information, see load balancing in Configuring virtual IPs on
page 370.
Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in
Linux programming.
Blackhole routes are used to dispose of packets instead of responding to suspicious
inquiries. This provides added security since the originator will not discover any
information from the target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in
use, traffic to those addresses (traffic which may be valid or malicious) can be directed to
a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, was added to
make blackhole routing easier to configure. It behaves like a normal interface but has
fewer parameters to configure, and all traffic sent to it stops there. Since it cannot have
hardware connection or link status problems, it is always available, making it useful for
other dynamic routing roles. Once configured, you can use a loopback interface in firewall
policies, routing, and other places that refer to interfaces. You configure this feature only
from the CLI. For more information, see the system chapter of the FortiGate CLI
Reference.
Static Route
You configure static routes by defining the destination IP address and netmask of packets
that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address
for those packets. The gateway address specifies the next-hop router to which traffic will
be routed.
Note: You can use the config router static6 CLI command to add, edit, or delete
static routes for IPv6 traffic. For more information, see the router chapter of the FortiGate
CLI Reference.
Note: Unless otherwise specified, static route examples and procedures are for IPv4 static
routes.
To view the static route list, go to Router > Static > Static Route.
Figure 163 shows the static route list belonging to a FortiGate unit that has interfaces
named port1 and port2. The names of the interfaces on your FortiGate unit may be
different.
Figure 163: Static Route list when IPv6 is enabled in the GUI
Create New Add a static route to the Static Route list. For more information, see Adding a
static route to the routing table on page 284. Select the down arrow to create an IPv6
static route.
Route Select the Expand Arrow to display or hide the IPv4 static routes. By default
these routes are displayed. This is displayed only when IPv6 is enabled in the GUI.
IPv6 Route Select the Expand Arrow to display or hide the IPv6 static routes. By default
these routes are hidden. This is displayed only when IPv6 is enabled in the GUI.
IP/Mask The destination IP addresses and network masks of packets that the FortiGate
unit intercepts.
Gateway The IP addresses of the next-hop routers to which intercepted packets are
forwarded.
Device The names of the FortiGate interfaces through which intercepted packets are
received and sent.
Distance The administrative distances associated with each route. The values represent
distances to next-hop routers.
Delete and Edit icons Delete or edit an entry in the list.
Note: For network traffic to pass, even with the correct routes configured, you must have
the appropriate firewall policies. For details, see Configuring firewall policies on page 323.
For example, Figure 164 shows a FortiGate unit connected to a router. To ensure that all
outbound packets destined to any network beyond the router are routed to the correct
destination, you must edit the factory default configuration and make the router the default
gateway for the FortiGate unit.
Figure 164: FortiGate_1 with its external interface connected to the gateway router at
192.168.10.1 (toward the Internet) and its internal interface connected to the internal
network 192.168.20.0/24.
To route outbound packets from the internal network to destinations that are not on
network 192.168.20.0/24, you would edit the default route and include the following
settings:
Destination IP/mask: 0.0.0.0/0.0.0.0
Gateway: 192.168.10.1
Device: Name of the interface connected to network 192.168.10.0/24 (for example
external).
Distance: 10
The Gateway setting specifies the IP address of the next-hop router interface to the
FortiGate external interface. The interface behind the router (192.168.10.1) is the default
gateway for FortiGate_1.
In some cases, there may be routers behind the FortiGate unit. If the destination IP
address of a packet is not on the local network but is on a network behind one of those
routers, the FortiGate routing table must include a static route to that network. For
example, in Figure 165, the FortiGate unit must be configured with static routes to
interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and
Network_2 respectively.
Figure 165: FortiGate_1, connected to the Internet, with its internal interface connected to
Router_1 (gateway 192.168.10.1) in front of Network_1, 192.168.20.0/24, and its dmz
interface connected to Router_2 (gateway 192.168.11.1) in front of Network_2,
192.168.30.0/24.
To route packets from Network_1 to Network_2, Router_1 must be configured to use the
FortiGate internal interface as its default gateway. On the FortiGate unit, you would create
a new static route with these settings:
Destination IP/mask: 192.168.30.0/24
Gateway: 192.168.11.1
Device: dmz
Distance: 10
To route packets from Network_2 to Network_1, Router_2 must be configured to use the
FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a
new static route with these settings:
Destination IP/mask: 192.168.20.0/24
Gateway: 192.168.10.1
Device: internal
Distance: 10
Note: If the FortiGate unit uses DHCP or PPPoE on a modem interface, you may have
problems configuring a static route. After trying to either renew the DHCP lease or
reconnect the PPPoE connection, go to the CLI and enable dynamic-gateway under
config system interface for the modem interface. Doing this removes the need to
specify a gateway for this interface's route. For more information, see the FortiGate CLI
Reference.
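The selection rules from Route priority (administrative distance first, then the priority
field, with equal values giving ECMP routes) and the Figure 165 static routes, modelled
together in one added example. This is not Fortinet code: the two default routes, the
second 192.168.20.0/24 gateway, the 172.16.0.0/16 pair, the 10.0.0.0/8 blackhole and the
interface names external and wan2 are constructed only to exercise the rules.

```python
"""Static route selection as the guide describes it: for each destination only
the routes with the lowest administrative distance are installed, lookups use
the longest matching prefix, the priority field breaks ties (lower wins), and
equal distance plus equal priority gives ECMP routes. Added example, not
Fortinet code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    dst: IPv4Network                  # Destination IP/Mask
    gateway: Optional[IPv4Address]    # next-hop router, None for a blackhole
    device: Optional[str]             # outgoing interface, None for a blackhole
    distance: int = 10                # administrative distance, 1 to 255
    priority: int = 0                 # CLI-only tie breaker, lower is preferred
    blackhole: bool = False           # drop everything sent to this destination


def build_forwarding_table(routes: List[StaticRoute]) -> Dict[IPv4Network, List[StaticRoute]]:
    """Keep, for each destination prefix, only the routes with the lowest distance."""
    fib: Dict[IPv4Network, List[StaticRoute]] = {}
    for r in routes:
        if not 1 <= r.distance <= 255:
            raise ValueError(f"distance {r.distance} out of range for {r.dst}")
        installed = fib.get(r.dst)
        if installed is None or r.distance < installed[0].distance:
            fib[r.dst] = [r]               # a better distance replaces the others
        elif r.distance == installed[0].distance:
            installed.append(r)            # same distance: both stay installed
    return fib


def lookup(fib: Dict[IPv4Network, List[StaticRoute]], dst_ip: str) -> List[StaticRoute]:
    """Longest prefix first, then the lowest priority value.
    Two or more routes returned means they are ECMP routes."""
    ip = ip_address(dst_ip)
    matching = [prefix for prefix in fib if ip in prefix]
    if not matching:
        return []
    longest = max(matching, key=lambda prefix: prefix.prefixlen)
    best_priority = min(r.priority for r in fib[longest])
    return [r for r in fib[longest] if r.priority == best_priority]


def next_hop(fib: Dict[IPv4Network, List[StaticRoute]], dst_ip: str) -> str:
    """Describe the forwarding decision for one destination address."""
    routes = lookup(fib, dst_ip)
    if not routes:
        return "no route"
    if routes[0].blackhole:
        return "dropped (blackhole)"
    return " | ".join(f"via {r.gateway} dev {r.device}" for r in routes)


def route(dst: str, gateway: Optional[str], device: Optional[str],
          distance: int = 10, priority: int = 0, blackhole: bool = False) -> StaticRoute:
    """Constructor so the sample table below reads like the New Static Route dialog."""
    return StaticRoute(ip_network(dst), ip_address(gateway) if gateway else None,
                       device, distance, priority, blackhole)


# Constructed sample table: the two Figure 165 routes plus invented entries.
EXAMPLE_ROUTES = [
    route("0.0.0.0/0.0.0.0", "203.0.113.1", "external", distance=10),
    route("0.0.0.0/0.0.0.0", "203.0.113.2", "wan2", distance=20),      # backup, not installed
    route("192.168.30.0/24", "192.168.11.1", "dmz"),
    route("192.168.20.0/24", "192.168.10.1", "internal"),
    route("192.168.20.0/24", "192.168.10.2", "internal", priority=5),  # same distance, loses on priority
    route("172.16.0.0/16", "192.168.10.1", "internal"),                # ECMP pair
    route("172.16.0.0/16", "192.168.11.1", "dmz"),
    route("10.0.0.0/8", None, None, blackhole=True),                   # unused space: drop it
]
FIB = build_forwarding_table(EXAMPLE_ROUTES)

if __name__ == "__main__":
    for ip in ("192.168.30.7", "192.168.20.9", "172.16.5.5", "10.1.2.3", "198.51.100.9"):
        print(f"{ip:15} -> {next_hop(FIB, ip)}")
```

Note that the second 192.168.20.0/24 route is still installed in the forwarding table (its
distance is equal), but lookup never returns it while the priority 0 route is present; only the
backup default route, with its higher distance, is left out entirely.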
Destination IP/Mask Type the destination IP address and network mask of packets that the
FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default
route.
Gateway Type the IP address of the next-hop router to which the FortiGate unit will forward
intercepted packets.
Device Select the name of the FortiGate interface through which the intercepted packets
may be routed to the next-hop router.
Distance Type an administrative distance from 1 to 255 for the route. The distance value is
arbitrary and should reflect the distance to the next-hop router. A lower value
indicates a more preferred route.
Policy Route
A routing policy allows you to redirect traffic away from a static route. This can be useful if
you want to route certain types of network traffic differently. You can use the incoming
traffic's protocol, source address or interface, destination address, or port number to
determine where to send the traffic. For example, network traffic would generally go to the
router of a subnet, but you might want to direct SMTP or POP3 traffic addressed to that
subnet directly to the mail server.
If you have configured the FortiGate unit with routing policies and a packet arrives at the
FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to
match the packet with a policy. If a match is found and the policy contains enough
information to route the packet (a minimum of the IP address of the next-hop router and
the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet
using the information in the policy. If no policy route matches the packet, the FortiGate unit
routes the packet using the routing table.
Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.
Policy route options define which attributes of an incoming packet cause policy routing to
occur. If the attributes of a packet match all the specified conditions, the FortiGate unit
routes the packet through the specified interface to the specified gateway.
Figure 167 shows the policy route list belonging to a FortiGate unit that has interfaces
named external and internal. The names of the interfaces on your FortiGate unit may
be different.
To edit an existing policy route, see Adding a policy route on page 286.
Create New Add a policy route. See Adding a policy route on page 286.
# The ID numbers of configured route policies. These numbers are sequential
unless policies have been moved within the table.
Incoming The interfaces on which packets subjected to route policies are received.
Outgoing The interfaces through which policy routed packets are routed.
Source The IP source addresses and network masks that cause policy routing to occur.
Destination The IP destination addresses and network masks that cause policy routing to
occur.
Delete icon Delete a policy route.
Edit icon Edit a policy route.
Move To icon After selecting this icon, enter the destination position in the window that
appears, and select OK.
For more information, see Moving a policy route on page 287.
Protocol To perform policy routing based on the value in the protocol field of the
packet, enter the protocol number to match. The Internet Protocol Number is
found in the IP packet header, and RFC 5237 includes a list of the assigned
protocol numbers. The range is from 0 to 255. A value of 0 disables the
feature.
Incoming Interface Select the name of the interface through which incoming packets subjected to
the policy are received.
Source Address / Mask To perform policy routing based on the IP source address of the
packet, type the source address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination Address / Mask To perform policy routing based on the IP destination address
of the packet, type the destination address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination Ports To perform policy routing based on the port on which the packet is received,
type the same port number in the From and To fields. To apply policy routing
to a range of ports, type the starting port number in the From field and the
ending port number in the To field. A value of 0 disables this feature.
The Destination Ports fields are only used for TCP and UDP protocols. The
ports are skipped over for all other protocols.
Type of Service Enter a two-digit hexadecimal bit pattern to match, which defines the
service, or a two-digit hexadecimal bit mask to mask bits out.
For example, if you want the policy to apply to service 14, use a bit pattern of 0E. If you
want to ignore all odd-numbered services, use a bit mask of 01.
Outgoing Interface Select the name of the interface through which packets affected by the policy
will be routed.
Gateway Address Type the IP address of the next-hop router that the FortiGate unit can access
through the specified interface. A value of 0.0.0.0 is not valid.
Before/After Select Before to place the selected Policy Route before the indicated route.
Select After to place it following the indicated route.
Policy route ID Enter the Policy route ID of the route in the Policy route table to move the
selected route before or after.
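The matching sequence described for the Policy Route list, as an added example that is
not Fortinet code. The policies, packets, interface names and addresses are constructed.
It also assumes that the Type of Service mask selects which bits of the TOS byte are
compared with the bit pattern, and that a gateway of 0.0.0.0 means the policy supplies only
the outgoing interface and the next hop comes from the routing table.

```python
"""Policy route matching as the guide describes it: the list is checked top to
bottom, the first policy whose enabled conditions all match decides the outgoing
interface and gateway, and a packet that matches nothing is routed from the
routing table. Added example, not Fortinet code.

Assumptions: 0 (or 0.0.0.0/0.0.0.0, or a 0x00 TOS mask) disables a condition;
the TOS mask selects the bits compared against the pattern; a gateway of
0.0.0.0 means the next hop must come from the routing table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1   # IP protocol numbers from the RFC 5237 registry


@dataclass
class Packet:
    proto: int
    in_iface: str
    src: str
    dst: str
    dport: int = 0
    tos: int = 0x00               # the 8-bit Type of Service byte


@dataclass
class PolicyRoute:
    id: int
    in_iface: str
    out_iface: str
    gateway: str = "0.0.0.0"      # 0.0.0.0: next hop looked up in the routing table
    proto: int = 0                # 0 disables protocol matching
    src: str = "0.0.0.0/0.0.0.0"  # disabled
    dst: str = "0.0.0.0/0.0.0.0"  # disabled
    dport_from: int = 0           # 0 disables destination port matching
    dport_to: int = 0
    tos: int = 0x00               # two-hex-digit bit pattern
    tos_mask: int = 0x00          # two-hex-digit mask; 0x00 means TOS is not checked


def matches(policy: PolicyRoute, pkt: Packet) -> bool:
    """True when every enabled condition of the policy matches the packet."""
    if pkt.in_iface != policy.in_iface:
        return False
    if policy.proto and pkt.proto != policy.proto:
        return False
    if ip_address(pkt.src) not in ip_network(policy.src):
        return False
    if ip_address(pkt.dst) not in ip_network(policy.dst):
        return False
    # Destination ports only exist for TCP and UDP; skipped for other protocols.
    if policy.dport_from and pkt.proto in (TCP, UDP):
        if not policy.dport_from <= pkt.dport <= policy.dport_to:
            return False
    # Only the bits selected by the mask are compared with the pattern.
    if policy.tos_mask and (pkt.tos & policy.tos_mask) != (policy.tos & policy.tos_mask):
        return False
    return True


def decide(policies: List[PolicyRoute], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (policy id, decision); an id of None means 'use the routing table'."""
    for policy in policies:                   # list order is the evaluation order
        if matches(policy, pkt):
            if policy.gateway == "0.0.0.0":
                return policy.id, f"dev {policy.out_iface}, next hop from routing table"
            return policy.id, f"via {policy.gateway} dev {policy.out_iface}"
    return None, "routing table"


# Constructed policy list; interfaces, addresses and the mail relay are invented.
POLICIES = [
    # SMTP for the 192.168.20.0/24 subnet goes straight to the mail relay
    PolicyRoute(1, "external", "internal", "192.168.10.25", proto=TCP,
                dst="192.168.20.0/24", dport_from=25, dport_to=25),
    # traffic marked with TOS 0x0E (service 14) leaves through the second WAN link
    PolicyRoute(2, "internal", "wan2", "203.0.113.2", tos=0x0E, tos_mask=0xFF),
    # DNS out of a DHCP/PPPoE interface: no gateway known, routing table supplies it
    PolicyRoute(3, "internal", "modem", proto=UDP, dport_from=53, dport_to=53),
    # ICMP with a port range set: the range is ignored because ICMP has no ports
    PolicyRoute(4, "internal", "wan2", "203.0.113.2", proto=ICMP, dport_from=25, dport_to=25),
]

SAMPLE_PACKETS = {   # constructed packets used to walk the list
    "smtp": Packet(TCP, "external", "198.51.100.7", "192.168.20.25", 25),
    "http": Packet(TCP, "external", "198.51.100.7", "192.168.20.25", 80),
    "dns":  Packet(UDP, "internal", "192.168.20.5", "198.51.100.53", 53),
    "tos":  Packet(TCP, "internal", "192.168.20.5", "198.51.100.80", 443, tos=0x0E),
    "ping": Packet(ICMP, "internal", "192.168.20.5", "198.51.100.80"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:5} -> {decide(POLICIES, pkt)}")
```

The "http" packet shows the fall-through: it matches policy 1 on every condition except the
port, no later policy applies to the external interface, so the routing table decides. A mask of
01 with a pattern of 00 matches only even TOS values, which is how the "ignore odd-numbered
services" case in the table above comes out under this interpretation.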
Router Dynamic
This section explains how to configure dynamic protocols to route traffic through large or
complex networks. Dynamic routing protocols enable the FortiGate unit to automatically
share information about routes with neighboring routers and learn about routes and
networks advertised by them. The FortiGate unit supports these dynamic routing
protocols:
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
Border Gateway Protocol (BGP).
The FortiGate unit selects routes and updates its routing table dynamically based on the
rules you specify. Given a set of rules, the unit can determine the best route or path for
sending packets to a destination. You can also define rules to suppress the advertising of
routes to neighboring routers and change FortiGate routing information before it is
advertised.
If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is
configured separately for each virtual domain. For details, see Using virtual domains on
page 103.
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2
router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode
and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations.
Bidirectional Forwarding Detection (BFD) is a protocol that works with BGP and OSPF to
quickly discover routers on the network that cannot be contacted, and to re-route traffic
accordingly until those routers can be contacted.
A useful part of the FortiOS web-based management interface is the customizable menus
and widgets. These widgets include the following routing widgets: access list, distribute
list, key chain, offset list, prefix list, and route map. For more information on these routing
widgets, see Customizable routing widgets on page 309.
This section describes:
RIP
OSPF
BGP
Multicast
Bi-directional Forwarding Detection (BFD)
Customizable routing widgets
RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small,
relatively homogeneous networks. The FortiGate implementation of RIP supports RIP
version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
RIP Version Select the level of RIP compatibility needed at the FortiGate unit. You
can enable global RIP settings on all FortiGate interfaces connected
to RIP-enabled networks:
1 send and receive RIP version 1 packets.
2 send and receive RIP version 2 packets.
You can override the global settings for a specific FortiGate interface if
required. For more information, see Configuring a RIP-enabled
interface on page 293.
Advanced Options Select the Expand Arrow to view or hide advanced RIP options. For
more information, see Selecting advanced RIP options on page 292.
Networks The IP addresses and network masks of the major networks
(connected to the FortiGate unit) that run RIP. When you add a
network to the Networks list, the FortiGate interfaces that are part of
the network are advertised in RIP updates. You can enable RIP on all
FortiGate interfaces whose IP addresses match the RIP network
address space.
IP/Netmask Enter the IP address and netmask that defines the RIP-enabled
network.
Add Select to add the network information to the Networks list.
Note: You can configure additional advanced options through customizable GUI widgets,
and the CLI. For example, you can filter incoming or outgoing updates by using a route
map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add
the specified offset to the metric of a route. For more information on customizable GUI
widgets, see Customizable routing widgets on page 309. For more information on CLI
routing commands, see the router chapter of the FortiGate CLI Reference.
RIP Version Select the version of RIP packets to send and receive.
Advanced Options Select the Expand Arrow to view or hide advanced options.
Default Metric Enter the default hop count that the FortiGate unit should assign to routes
that are added to the FortiGate routing table. The range is from 1 to 16. This
metric is the hop count, with 1 being best or shortest.
This value also applies to Redistribute unless otherwise specified.
Default-information-originate Select to generate and advertise a default route into the
FortiGate unit's RIP-enabled networks. The generated route may be based on routes
learned through a dynamic routing protocol, routes in the routing table, or both.
RIP Timers Enter new values to override the default RIP timer settings. The default
settings are effective in most configurations; if you change these settings, ensure that
the new settings are compatible with local routers and access servers.
If the Update timer is smaller than Timeout or Garbage timers, you will get an
error.
Update Enter the amount of time (in seconds) that the FortiGate unit will wait
between sending RIP updates.
Timeout Enter the maximum amount of time (in seconds) that a route is considered
reachable while no updates are received for the route. This is the maximum
time the FortiGate unit will keep a reachable route in the routing table while
no updates for that route are received. If the FortiGate unit receives an
update for the route before the timeout period expires, the timer is restarted.
The Timeout period should be at least three times longer than the Update
period.
Garbage Enter the amount of time (in seconds) that the FortiGate unit will advertise a
route as being unreachable before deleting the route from the routing table.
The value determines how long an unreachable route is kept in the routing
table.
Redistribute Select one or more of the options to redistribute RIP updates about routes
that were not learned through RIP. The FortiGate unit can use RIP to
redistribute routes learned from directly connected networks, static routes,
OSPF, and BGP.
Connected Select to redistribute routes learned from directly connected networks. To
specify a hop count for those routes, select Metric, and enter the hop count
in the Metric field. The valid hop count range is from 1 to 16.
Static Select to redistribute routes learned from static routes. To specify a hop
count for those routes, select Metric, and enter the hop count in the Metric
field. The range is from 1 to 16.
OSPF Select to redistribute routes learned through OSPF. To specify a hop count
for those routes, select Metric, and enter the hop count in the Metric field.
The range is from 1 to 16.
BGP Select to redistribute routes learned through BGP. To specify a hop count for
those routes, select Metric, and enter the hop count in the Metric field. The
range is from 1 to 16.
Note: Additional options such as split-horizon and key-chains can be configured per
interface through the CLI. For more information, see the router chapter of the FortiGate
CLI Reference or the Fortinet Knowledge Center.
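How the Timeout and Garbage timers from the table above govern the life of a learned
route, as an added example that is not Fortinet code. It assumes the RFC 2453 default
timer values (update 30 s, timeout 180 s, garbage collection 120 s), enforces only the
recommendation that Timeout be at least three times Update, and uses two constructed
prefixes, one refreshed every 30 s and one that goes silent.

```python
"""RIP route lifecycle driven by the Update, Timeout and Garbage timers.
Added example, not Fortinet code. Timer defaults are the RFC 2453 values.
"""
from dataclasses import dataclass
from typing import Dict, Optional

UNREACHABLE = 16   # RIP hop count meaning "infinity"


@dataclass
class RipTimers:
    update: int = 30     # seconds between the updates this router sends
    timeout: int = 180   # silence after which a route is considered unreachable
    garbage: int = 120   # how long an unreachable route is still advertised before deletion

    def check(self) -> None:
        """The guide's recommendation: Timeout at least three times Update."""
        if self.timeout < 3 * self.update:
            raise ValueError("Timeout should be at least three times Update")


def timers_valid(update: int, timeout: int, garbage: int) -> bool:
    try:
        RipTimers(update, timeout, garbage).check()
        return True
    except ValueError:
        return False


@dataclass
class RipRoute:
    prefix: str
    metric: int
    last_update: int                    # time of the most recent update received
    expired_at: Optional[int] = None    # set once the timeout timer fires


class RipTable:
    def __init__(self, timers: RipTimers) -> None:
        timers.check()
        self.timers = timers
        self.routes: Dict[str, RipRoute] = {}

    def receive_update(self, prefix: str, metric: int, now: int) -> None:
        """An update restarts the route's timeout timer (and revives an expired route)."""
        self.routes[prefix] = RipRoute(prefix, metric, now)

    def tick(self, now: int) -> Dict[str, str]:
        """Advance the timers to `now` and report the state of every known route."""
        states: Dict[str, str] = {}
        for prefix, r in list(self.routes.items()):
            if r.expired_at is None and now - r.last_update >= self.timers.timeout:
                r.metric = UNREACHABLE                  # advertised as unreachable from here on
                r.expired_at = r.last_update + self.timers.timeout
            if r.expired_at is not None and now - r.expired_at >= self.timers.garbage:
                del self.routes[prefix]                 # garbage timer done: route removed
                states[prefix] = "deleted"
            elif r.expired_at is not None:
                states[prefix] = "unreachable (metric 16)"
            else:
                states[prefix] = f"reachable (metric {r.metric})"
        return states


def simulate() -> Dict[int, Dict[str, str]]:
    """Constructed scenario: 10.1.0.0/16 is refreshed every Update interval,
    10.2.0.0/16 goes silent after t=0. Returns table snapshots at key moments."""
    timers = RipTimers()
    table = RipTable(timers)
    table.receive_update("10.2.0.0/16", 3, 0)
    snapshots: Dict[int, Dict[str, str]] = {}
    for now in range(0, 301):
        if now % timers.update == 0:
            table.receive_update("10.1.0.0/16", 2, now)
        if now in (0, 179, 180, 299, 300):
            snapshots[now] = table.tick(now)
    return snapshots


if __name__ == "__main__":
    for t, states in simulate().items():
        print(f"t={t:3}s  {states}")
```

The silent route stays reachable for the full Timeout period, is then advertised with
metric 16 for the Garbage period, and is only removed from the table when that period
ends; the refreshed route never leaves the reachable state.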
Figure 172 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that
has an interface named internal. The names of the interfaces on your FortiGate unit may
be different.
Interface Select the name of the FortiGate interface to which these settings apply. The
interface must be connected to a RIP-enabled network. The interface can be a
virtual IPSec or GRE interface.
Send Version, Receive Version Select to override the default RIP-compatibility setting for
sending and receiving updates through the interface: RIP version 1, version 2 or Both.
Authentication Select an authentication method for RIP exchanges on the specified interface:
None Disable authentication.
Text Select if the interface is connected to a network that runs RIP version 2. Type a
password (up to 35 characters) in the Password field. The FortiGate unit and the router
it exchanges RIP updates with must both be configured with the same password. The
password is sent in clear text over the network.
MD5 Authenticate the exchange using MD5.
Passive Interface Select to suppress the advertising of FortiGate unit routing information over
the specified interface. Clear the check box to allow the interface to respond
normally to RIP requests.
OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in
large heterogeneous networks to share routing information among routers in the same
Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328).
The main benefit of OSPF is that it advertises routes only when neighbors change state
instead of at timed intervals, so routing overhead is reduced.
OSPF-enabled routers generate Link-State Advertisements (LSA) and send them to their
neighbors whenever the status of a neighbor changes or a new neighbor comes online. As
long as the OSPF network is stable, LSAs between OSPF neighbors do not occur. An LSA
identifies the interfaces of all OSPF-enabled routers in an area, and provides information
that enables OSPF-enabled routers to select the shortest path to a destination. All LSA
exchanges between OSPF-enabled routers are authenticated.
The FortiGate unit maintains a database of link-state information based on the
advertisements that it receives from OSPF-enabled routers. To calculate the best route
(shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF)
algorithm to the accumulated link-state information. OSPF uses a relative path cost metric
for choosing the best route. The path cost can be any metric, but is typically the speed of
the path, that is, how fast traffic will get from one point to another. The path cost, similar
to distance for RIP, imposes a penalty on the outgoing direction of a FortiGate interface.
The path cost of a route is calculated by adding together all of the costs associated with
the outgoing interfaces along the path to a destination. The lowest overall path cost
indicates the best route, and generally the fastest route.
Note: The inter-area routes may not be calculated when a Cisco type ABR has no fully
adjacent neighbor in the backbone area. In this situation, the router considers summary-
LSAs from all Actively Attached areas (RFC 3509).
The FortiGate unit dynamically updates its routing table based on the results of the SPF
calculation to ensure that an OSPF packet will be routed using the shortest path to its
destination. Depending on the network topology, the entries in the FortiGate routing table
may include:
the addresses of networks in the local OSPF area (to which packets are sent directly)
routes to OSPF area border routers (to which packets destined for another area are
sent)
if the network contains OSPF areas and non-OSPF domains, routes to AS boundary
routers, which reside on the OSPF network backbone and are configured to forward
packets to destinations outside the OSPF AS.
The number of routes that a FortiGate unit can learn through OSPF depends on the
network topology. A single unit can support tens of thousands of routes if the OSPF
network is configured properly.
To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See Defining OSPF areas on
page 299.
4 Under Networks, select Create New.
5 Create associations between the OSPF areas that you defined and the local networks
to include in the OSPF AS. See Specifying OSPF networks on page 300.
6 If you need to adjust the default settings of an OSPF-enabled interface, select Create
New under Interfaces.
7 Select the OSPF operating parameters for the interface. See Selecting operating
parameters for an OSPF interface on page 301.
Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
8 Optionally select advanced OSPF options for the OSPF AS. See Selecting advanced
OSPF options on page 298.
9 Select Apply.
Router ID Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
By convention, the router ID is the numerically highest IP address assigned to
any of the FortiGate interfaces in the OSPF AS.
If you change the router ID while OSPF is configured on an interface, all
connections to OSPF neighbors will be broken temporarily. The connections
will re-establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM or unit
will be used.
Advanced Options Select the Expand Arrow to view or hide advanced OSPF settings. For more
information, see Selecting advanced OSPF options on page 298.
Areas Information about the areas making up an OSPF AS. The header of an OSPF
packet contains an area ID, which helps to identify the origination of a packet
inside the AS.
Create New Define and add a new OSPF area to the Areas list. For more information, see
Defining OSPF areas on page 299.
Area The unique 32-bit identifiers of areas in the AS, in dotted-decimal notation.
Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or
deleted.
Type The types of areas in the AS:
Regular - a normal OSPF area
NSSA - a not so stubby area
Stub - a stub area.
For more information, see Defining OSPF areas on page 299.
Authentication The methods for authenticating OSPF packets sent and received through all
FortiGate interfaces linked to each area:
None - authentication is disabled
Text - text-based authentication is enabled
MD5 - MD5 authentication is enabled.
A different authentication setting may apply to some of the interfaces in an
area, as displayed under Interfaces. For example, if an area employs simple
passwords for authentication, you can configure a different password for one
or more of the networks in that area.
Networks The networks in the OSPF AS and their area IDs. When you add a network to
the Networks list, all FortiGate interfaces that are part of the network are
advertised in OSPF link-state advertisements. You can enable OSPF on all
FortiGate interfaces whose IP addresses match the OSPF network address
space. For more information, see Specifying OSPF networks on page 300.
Create New Add a network to the AS, specify its area ID, and add the definition to the
Networks list.
Network The IP addresses and network masks of networks in the AS on which OSPF
runs. The FortiGate unit may have physical or VLAN interfaces connected to
the network.
Area The area IDs that have been assigned to the OSPF network address space.
Interfaces Any additional settings needed to adjust OSPF operation on a FortiGate
interface. For more information, see Selecting operating parameters for an
OSPF interface on page 301.
Create New Create additional/different OSPF operating parameters for a unit interface
and add the configuration to the Interfaces list.
Name The names of OSPF interface definitions.
Interface The names of FortiGate physical or VLAN interfaces having OSPF settings
that differ from the default values assigned to all other interfaces in the same
area.
IP The IP addresses of the OSPF-enabled interfaces having additional/different
settings.
Authentication The methods for authenticating LSA exchanges sent and received on specific
OSPF-enabled interfaces. These settings override the area Authentication
settings.
Delete and Edit icons Delete or edit an OSPF area entry, network entry, or interface
definition. Icons are visible only when there are entries in the Areas, Networks, and
Interfaces sections.
Router ID Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
Expand Arrow Select to view or hide Advanced Options.
Default Information Generate and advertise a default (external) route to the OSPF AS. You may
base the generated route on routes learned through a dynamic routing
protocol, routes in the routing table, or both.
None Prevent the generation of a default route.
Regular Generate a default route into the OSPF AS and advertise the route to
neighboring autonomous systems only if the route is stored in the FortiGate
routing table.
Always Generate a default route into the OSPF AS and advertise the route to
neighboring autonomous systems unconditionally, even if the route is not
stored in the FortiGate routing table.
Redistribute Select one or more of the options listed to redistribute OSPF link-state
advertisements about routes that were not learned through OSPF. The
FortiGate unit can use OSPF to redistribute routes learned from directly
connected networks, static routes, RIP, and BGP.
Connected Select to redistribute routes learned from directly connected networks.
Enter a cost for those routes in the Metric field. The range is from 1 to
16 777 214.
Static Select to redistribute routes learned from static routes.
Enter a cost for those routes in the Metric field. The range is from 1 to
16 777 214.
RIP Select to redistribute routes learned through RIP.
Enter a cost for those routes in the Metric field. The range is from 1 to
16 777 214.
BGP Select to redistribute routes learned through BGP.
Enter a cost for those routes in the Metric field. The range is from 1 to
16 777 214.
Note: You can configure additional advanced options through customizable GUI widgets,
and the CLI. For example, you can filter incoming or outgoing updates by using a route
map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add
the specified offset to the metric of a route. For more information on customizable GUI
widgets, see Customizable routing widgets on page 309. For more information on CLI
routing commands, see the router chapter of the FortiGate CLI Reference.
Note: If required, you can define a virtual link to an area that has lost its physical
connection to the OSPF backbone. Virtual links can be set up only between two FortiGate
units that act as area border routers. For more information on virtual links, see the
FortiGate CLI Reference.
Area Type a 32-bit identifier for the area. The value must resemble an IP address in
dotted-decimal notation. Once you have created the OSPF area, the area IP
value cannot be changed; you must delete the area and restart.
Type Select an area type to classify the characteristics of the network that will be
assigned to the area:
Regular If the area contains more than one router, each having at least one
OSPF-enabled interface to the area.
NSSA If you want routes to external non-OSPF domains made known to
OSPF AS and you want the area to be treated like a stub area by the rest of the
AS.
STUB If the routers in the area must send packets to an area border router in
order to reach the backbone and you do not want routes to non-OSPF domains to
be advertised to the routers in the area.
Authentication Select the method for authenticating OSPF packets sent and received through all
interfaces in the area:
None Disable authentication.
Text Enable text-based password authentication to authenticate LSA exchanges using
a plain-text password. The password is sent in clear text over the network.
MD5 Enable MD5-based authentication using an MD5 cryptographic hash
(RFC 1321).
If required, you can override this setting for one or more of the interfaces in the
area. For more information, see Selecting operating parameters for an OSPF
interface on page 301.
Note: To assign a network to the area, see Specifying OSPF networks on page 300.
IP/Netmask Enter the IP address and network mask of the local network that you want
to assign to an OSPF area.
Area Select an area ID for the network. The attributes of the area must match
the characteristics and topology of the specified network. You must define
the area before you can select the area ID. For more information, see
Defining OSPF areas on page 299.
Name Enter a name to identify the OSPF interface definition. For example, the
name could indicate to which OSPF area the interface will be linked.
Interface Select the name of the FortiGate interface to associate with this OSPF
interface definition (for example, port1, external, or VLAN_1). The
FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces
connected to the OSPF-enabled network.
BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to
exchange routing information between different ISP networks. For example, BGP enables
the sharing of network paths between the ISP network and an autonomous system (AS)
that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation
of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385.
BGP has the capability to gracefully restart. This capability limits the effects of software
problems by allowing forwarding to continue when the control plane of the router fails. It
also reduces routing flaps by stabilizing the network.
Note: You can configure graceful restarting and other advanced settings only through CLI
commands. For more information on advanced BGP settings, see the router chapter of
the FortiGate CLI Reference.
Local AS Enter the number of the local AS to which the FortiGate unit belongs.
Router ID Enter a unique router ID to identify the FortiGate unit to other BGP routers. The
router ID is an IP address written in dotted-decimal format, for example
192.168.0.1.
If you change the router ID while BGP is configured on an interface, all
connections to BGP peers will be broken temporarily. The connections will re-
establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM will be
used.
Neighbors The IP addresses and AS numbers of BGP peers in neighboring autonomous
systems.
IP Enter the IP address of the neighbor interface to the BGP-enabled network.
Remote AS Enter the number of the AS that the neighbor belongs to.
Add/Edit Add the neighbor information to the Neighbors list, or edit an entry in the list.
Neighbor The IP addresses of BGP peers.
Remote AS The numbers of the autonomous systems associated with the BGP peers.
Delete icon Delete a BGP neighbor entry.
Networks The IP addresses and network masks of networks to advertise to BGP peers.
The FortiGate unit may have a physical or VLAN interface connected to those
networks.
IP/Netmask Enter the IP address and netmask of the network to be advertised.
Add Add the network information to the Networks list.
Network The IP addresses and network masks of major networks that are advertised to
BGP peers.
Delete icon Delete a BGP network definition.
Note: The get router info bgp CLI command provides detailed information about
configured BGP settings. For a complete list of the command options, see the router
chapter of the FortiGate CLI Reference.
Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in
the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM
dense mode (RFC 3973) and can service multicast servers or receivers on the network
segment to which a FortiGate interface is connected.
A PIM domain is a logical area comprising a number of contiguous networks. The domain
contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain
also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs).
When you enable PIM on a FortiGate unit, the FortiGate unit can perform any of these
functions at any time as configured. If required for sparse mode operation, you can define
static RPs.
Note: You can configure basic options through the web-based manager. Many additional
options are available, but only through the CLI. For complete descriptions and examples of
how to use CLI commands to configure PIM settings, see multicast in the router
chapter of the FortiGate CLI Reference.
Note: For more information about FortiGate multicast support, see the FortiGate Multicast
Technical Note.
Enable Multicast Routing Select to enable PIM version 2 routing. A firewall policy must be created on
PIM-enabled interfaces to pass encapsulated packets and decapsulated data
between the source and destination.
Add Static RP If required for sparse mode operation, enter the IP address of a Rendezvous
Point (RP) that may be used as the root of a packet distribution tree for a
multicast group. Join messages from the multicast group are sent to the RP,
and data from the source is sent to the RP.
If an RP for the specified IP's multicast group is already known to the Boot
Strap Router (BSR), the RP known to the BSR is used and the static RP
address that you specify is ignored.
Apply Save the specified static RP addresses.
Create New Create a new multicast entry for an interface.
You can use the new entry to fine-tune PIM operation on a specific FortiGate
interface or override the global PIM settings on a particular interface. For
more information, see Overriding the multicast settings on an interface on
page 306.
Interface The names of FortiGate interfaces having specific PIM settings.
Mode The mode of PIM operation (Sparse or Dense) on that interface.
Status The status of sparse-mode RP candidacy on the interface.
To change the status of RP candidacy on an interface, select the Edit icon in
the row that corresponds to the interface.
Priority The priority number assigned to RP candidacy on that interface. Available
only when RP candidacy is enabled.
DR Priority The priority number assigned to Designated Router (DR) candidacy on the
interface. Available only when sparse mode is enabled.
Delete and Edit icons Delete or edit the PIM settings on the interface.
Interface Select the name of the root VDOM FortiGate interface to which these
settings apply. The interface must be connected to a PIM version 2 enabled
network segment.
PIM Mode Select the mode of operation: Sparse Mode or Dense Mode. All PIM routers
connected to the same network segment must be running the same mode
of operation. If you select Sparse Mode, adjust the remaining options as
described below.
DR Priority Enter the priority number for advertising DR candidacy on the FortiGate
unit's interface. The range is from 1 to 4 294 967 295.
The unit compares this value to the DR interfaces of all other PIM routers on
the same network segment, and selects the router having the highest DR
priority to be the DR.
RP Candidate Enable RP candidacy on the interface.
RP Candidate Priority Enter the priority number for advertising RP candidacy on the FortiGate
interface. The range is from 1 to 255.
Configuring BFD
BFD is intended for networks that use the BGP or OSPF routing protocols. This generally
excludes smaller networks.
BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the
whole unit and turn it off for one or two interfaces. Alternatively, you can specifically
enable BFD for each neighbor router or interface. Which method you choose will be
determined by the amount of configuration required for your network.
The timeout period determines how long the unit waits before labeling a connection as
down. The length of the timeout period is important: if it is too short, connections will be
labeled down prematurely, and if it is too long, time will be wasted waiting for a reply from a
connection that is down. There is no easy number, as it varies for each network and unit.
High-end FortiGate models will respond very quickly unless loaded down with traffic. Also,
the size of the network will slow down the response time, because packets need to make
more hops than on a smaller network. Those two factors (CPU load and network traversal
time) affect how long the timeout you select should be. With too short a timeout period, BFD
will not connect to the network device but it will keep trying. This state generates
unnecessary network traffic and leaves the device unmonitored. If this happens, you should
try setting a longer timeout period to allow BFD more time to discover the device on the
network.
Access List
Access lists are filters used by FortiGate unit routing processes to limit access to the
network based on IP addresses. For an access list to take effect, it must be called by a
FortiGate unit routing process (for example, a process that supports RIP or OSPF). Access
lists are used by the RIP and OSPF routing protocols. For more information about RIP,
see RIP on page 289. For more information about OSPF, see OSPF on page 294.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and whether to match the prefix exactly or to match the
prefix and any more specific prefix.
Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this
purpose. For more information, see Prefix List on page 312.
The FortiGate unit attempts to match a packet against the rules in an access list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that
prefix. If no match is found the default action is deny.
Access-list Enter the name of a new access list. Select Add to save the new access list.
Name The name of the access list.
Action The action to take when the prefix of this access list is matched. Actions can
be either permit or deny.
Prefix The IP address prefix for this access-list. When this prefix is matched, the
action is taken. The prefix can match any address, or a specific address.
Distribute List
The distribute list is a subcommand of OSPF. It filters the networks in routing updates
using an access or prefix list. Routes not matched by any of the distribute lists will not be
advertised. For more information about OSPF, see OSPF on page 294.
Note: You must configure the access list that you want the distribution list to use before you
configure the distribution list. To configure an access list, see Access List on page 309.
Create New Select to create a new distribute list. This includes setting the direction,
selecting either the prefix-list or access-list, and interface.
Direction The direction (incoming or outgoing routing updates) in which the filter is applied.
Filter The prefix-list or access-list to apply to this interface.
Interface The interface to apply the filter on.
Enable A green check indicates this distribute list is enabled.
Delete Icon Select to remove a distribution list rule.
Edit Icon Select to change the direction, filter, or interface of the distribute list.
For more information on the distribute list, see the router chapter of the FortiGate CLI
Reference.
Key Chain
A key chain is a list of one or more keys and the send and receive lifetimes for each key.
Keys are used for authenticating routing packets only during the specified lifetimes. The
FortiGate unit migrates from one key to the next according to the scheduled send and
receive lifetimes. The sending and receiving routers should have their system dates and
times synchronized, but overlapping the key lifetimes ensures that a key is always
available even if there is some difference in the system times.
RIP version 2 uses authentication keys to ensure that the routing information exchanged
between routers is reliable. For authentication to work both the sending and receiving
routers must be set to use authentication, and must be configured with the same keys.
Key chains are used by the RIP routing protocol. For more information about RIP, see RIP
on page 289.
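The following is an added example, not code from the FortiGate guide, showing how the send and accept lifetimes of a key chain decide which key signs outgoing routing packets and which keys are still accepted on receipt. The key chain, its key names and the dates are constructed for illustration; the lifetime strings use the H:M:S M/D/YYYY format given above.

```python
"""Added example (not from the FortiGate guide): choosing the active keys of a
key chain from their send and accept lifetimes. The chain, its secrets and
dates are constructed for illustration."""
from datetime import datetime

TIME_FORMAT = "%H:%M:%S %m/%d/%Y"   # the guide's H:M:S M/D/YYYY lifetime format


def _parse(stamp):
    return datetime.strptime(stamp, TIME_FORMAT)


# Constructed key chain. Key 1 is retired at midnight on 1 May 2009 and key 2
# takes over. The accept lifetimes overlap for one hour on each side of the
# changeover, so a peer whose clock is slightly off still authenticates while
# the keys roll over; the send lifetimes do not overlap.
KEY_CHAIN = [
    {"id": 1, "secret": "constructed-key-one",
     "accept": ("0:00:00 4/1/2009", "1:00:00 5/1/2009"),
     "send":   ("0:00:00 4/1/2009", "0:00:00 5/1/2009")},
    {"id": 2, "secret": "constructed-key-two",
     "accept": ("23:00:00 4/30/2009", "infinite"),
     "send":   ("0:00:00 5/1/2009", "infinite")},
]


def _active(window, now):
    """True when `now` lies inside the (start, end) lifetime window."""
    start, end = window
    if now < _parse(start):
        return False
    return end == "infinite" or now < _parse(end)


def send_key_id(chain, now_stamp):
    """Key used to authenticate outgoing routing packets at now_stamp:
    the lowest-numbered key whose send lifetime covers that time."""
    now = _parse(now_stamp)
    for key in sorted(chain, key=lambda k: k["id"]):
        if _active(key["send"], now):
            return key["id"]
    return None   # no key valid: outgoing packets cannot be authenticated


def accept_key_ids(chain, now_stamp):
    """All keys whose accept lifetime covers now_stamp; a received packet
    authenticates if it was signed with any of them."""
    now = _parse(now_stamp)
    return [k["id"] for k in chain if _active(k["accept"], now)]
```

During the rollover hour both keys are accepted while only one is sent, which is the overlap the guide recommends; a gap in the send lifetimes (no key valid) would leave outgoing updates unauthenticated and rejected by peers.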
Key-chain Enter the name for a new key-chain. Select Add to save the new key-chain.
Name The name of the key-chain, or the number of the key on that chain.
Accept Lifetime The start and end time that this key can accept routing packets.
Start The start time for this key. The format is H:M:S M/D/YYYY.
End The end time for this key. The end can be infinite, a set duration in seconds,
or a set time as with the start time.
Send Lifetime The start and end time that this key can send routing packets.
Start The start time for this key. The format is H:M:S M/D/YYYY.
End The end time for this key. The end can be infinite, a set duration in seconds,
or a set time as with the start time.
Delete Icon Select to remove a key or key-chain.
Add Icon Select to add keys to the key-chain.
Edit Icon Select to edit an existing key.
For more information on key-chains, see the router chapter of the FortiGate CLI
Reference.
Offset List
Use the offset list to add a specified offset to the metric (hop count) of routes that match the
list, changing their relative weighting.
The offset list is part of the RIP and OSPF routing protocols. For more information about
RIP, see RIP on page 289. For more information about OSPF, see OSPF on page 294.
For more information on the offset list, see the router chapter of the FortiGate CLI
Reference.
Prefix List
A prefix list is an enhanced version of an access list that allows you to control the length of
the prefix netmask.
Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and maximum and minimum prefix length settings.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at
the top of the list. If it finds a match for the prefix it takes the action specified for that prefix.
If no match is found the default action is deny. A prefix-list should be used to match the
default route 0.0.0.0/0.
For a prefix list to take effect, it must be called by another FortiGate unit routing feature
such as RIP or OSPF. For more information about RIP, see RIP on page 289. For more
information about OSPF, see OSPF on page 294.
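As an added example serving both the Access List and Prefix List sections (this is illustrative code, not the FortiGate implementation), the following models the top-to-bottom, first-match evaluation described above, including the implicit deny when no rule matches and the GE/LE length bounds of a prefix list. The rule tuple formats and the sample lists are constructed assumptions; the model is deliberately simple and does not reproduce the note that the default route cannot be matched exactly by an access list.

```python
"""Added example (not from the FortiGate guide): first-match evaluation of an
access list and of a prefix list, with the implicit deny at the end of each
list. Rule formats and sample lists are constructed."""
import ipaddress


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def access_list_match(rules, route_prefix):
    """rules: (prefix, action, exact) tuples. exact=True matches only that
    prefix; exact=False also matches any more-specific prefix inside it.
    Returns 'permit' or 'deny' for the route prefix, e.g. '10.1.2.0/24'."""
    route = _net(route_prefix)
    for prefix, action, exact in rules:
        rule_net = _net(prefix)
        hit = route == rule_net if exact else route.subnet_of(rule_net)
        if hit:
            return action        # first match wins
    return "deny"                # nothing matched: implicit deny


def prefix_list_match(rules, route_prefix):
    """rules: (prefix, action, ge, le) tuples. The route must lie inside the
    rule prefix and its length must fall within [ge, le]; with neither bound
    given, the length must equal the rule prefix length (exact match)."""
    route = _net(route_prefix)
    for prefix, action, ge, le in rules:
        rule_net = _net(prefix)
        lo = rule_net.prefixlen if ge is None else ge
        if le is not None:
            hi = le
        elif ge is not None:
            hi = route.max_prefixlen     # ge alone: anything up to a host route
        else:
            hi = rule_net.prefixlen      # neither bound: exact length only
        if route.subnet_of(rule_net) and lo <= route.prefixlen <= hi:
            return action
    return "deny"


# Constructed sample lists.
ACCESS_LIST = [
    ("192.168.10.0/24", "deny",   True),    # deny exactly this prefix
    ("192.168.0.0/16",  "permit", False),   # permit the /16 and anything inside it
]
PREFIX_LIST = [
    ("0.0.0.0/0",  "permit", None, None),   # exact match: the default route only
    ("10.0.0.0/8", "permit", 16,   24),     # routes inside 10/8 from /16 to /24
]
```

Rule order matters: in ACCESS_LIST the exact deny sits above the broader permit, so a more specific 192.168.10.0/25 still passes the permit rule while 192.168.10.0/24 itself is denied, and anything outside 192.168.0.0/16 falls through to the implicit deny.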
Prefix-list Enter the name of a new prefix-list. Select Add to save the new prefix list
entry.
Name The name of the prefix list, or the number of the prefix entry.
Action The action of the prefix entry. Actions can be permit or deny.
Prefix The IP address and netmask associated with this prefix. Optionally this can
be set to match any address.
GE Select the minimum prefix length, in bits, that a route must have to match this
entry. Routes with this length or greater match.
LE Select the maximum prefix length, in bits, that a route may have to match this
entry. Routes with this length or less match.
Delete Icon Select to remove a prefix entry or list.
Add Icon Select to add a prefix entry to a list.
Edit Icon Select to edit an existing prefix entry.
For more information on the prefix list, see the router chapter of the FortiGate CLI
Reference.
Route Map
Route maps provide a way for the FortiGate unit to evaluate optimum routes for
forwarding packets or suppressing the routing of packets to particular destinations using
the BGP routing protocol. Compared to access lists, route maps support enhanced
packet-matching criteria. In addition, route maps can be configured to permit or deny the
addition of routes to the FortiGate unit routing table and make changes to routing
information dynamically as defined through route-map rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules
are examined in ascending order until one or more of the rules in the route map are found
to match one or more of the route attributes:
When a single matching match-* rule is found, changes to the routing information are
made as defined through the rules set-ip-nexthop, set-metric, set-metric-type, and/or
set-tag settings.
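The following added example (illustrative code, not FortiGate's route-map implementation) walks a route map in ascending rule order, applies the set values of the first matching permit rule, and drops routes that hit a deny rule or match nothing. The rule set, the routes and the "match"/"set" dictionary keys are constructed stand-ins for the match-* and set-* settings named above.

```python
"""Added example (not from the FortiGate guide): evaluating route-map rules in
ascending order against a route's attributes. Rules and routes are constructed;
the "match"/"set" dictionaries stand in for the match-* and set-* settings."""

# Constructed route map. Rules are tried in ascending order; the first rule
# whose match criteria all hold decides. A permit rule applies its set values,
# a deny rule drops the route, and a route that matches no rule is dropped too.
ROUTE_MAP = [
    {"id": 5,  "action": "deny",   "match": {"tag": 666},          "set": {}},
    {"id": 10, "action": "permit", "match": {"interface": "port2"},
     "set": {"metric": 50, "tag": 10}},                  # set-metric, set-tag
    {"id": 20, "action": "permit", "match": {},
     "set": {"metric-type": "type-2"}},                  # catch-all, set-metric-type
]


def apply_route_map(route_map, route):
    """Return a copy of `route` with the matching rule's set values applied,
    or None when the route is denied (explicitly or by matching no rule)."""
    for rule in sorted(route_map, key=lambda r: r["id"]):
        if all(route.get(attr) == wanted for attr, wanted in rule["match"].items()):
            if rule["action"] != "permit":
                return None
            updated = dict(route)
            updated.update(rule["set"])
            return updated
    return None


# Constructed routes as they might look before the route map is applied.
ROUTES = [
    {"prefix": "10.1.0.0/16", "interface": "port2", "metric": 20, "tag": 0},
    {"prefix": "10.2.0.0/16", "interface": "port1", "metric": 20, "tag": 666},
    {"prefix": "10.3.0.0/16", "interface": "port1", "metric": 20, "tag": 0},
]


def filtered_routes(route_map=ROUTE_MAP, routes=ROUTES):
    """Routes that survive the route map, with their modified attributes."""
    result = []
    for route in routes:
        out = apply_route_map(route_map, route)
        if out is not None:
            result.append(out)
    return result
```

Because the deny rule has the lowest id it is checked first, so a route carrying tag 666 is dropped even though the catch-all rule 20 would otherwise permit it; moving the deny below the catch-all would make it unreachable, the same ordering pitfall that applies to firewall policies.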
Route-map Enter the name of a new route-map. Select Add to save the new route-
map.
Name The name of the route map, or the number of the route map entry.
Action The action of the route map. Actions can be permit or deny.
Rules The rules include the criteria to match and a value to set. The criteria to
match can be an interface, an address from an access or prefix list, the next hop
to match from an access or prefix list, a metric, or other information. The
value to set can be the next-hop IP address, the metric, the metric type, and a
tag number.
Delete Icon Select to remove a route map or entry.
Add Icon Select to add a route map entry to a route map.
Edit Icon Select to edit an existing route map entry.
For more information on the route map, see the router chapter of the FortiGate CLI
Reference.
Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the entries
in the FortiGate routing table.
If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available
separately for each virtual domain. For more information, see Using virtual domains on
page 103.
This section describes:
Viewing routing information
Searching the FortiGate routing table
Interface The interface through which packets are forwarded to the gateway of the destination
network.
Up Time The total accumulated amount of time that a route learned through RIP, OSPF, or
BGP has been reachable.
Note: All of the values that you specify as search criteria must match corresponding values
in the same routing table entry in order for that entry to be displayed.
Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit, between
FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet's source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), by using virtual IPs or IP pools to translate source and destination IP
addresses and port numbers. For details on using virtual IPs and IP pools, see Firewall
Virtual IP on page 365.
Policy instructions may also include protection profiles, which can specify application-layer
inspection and other protocol-specific protection and logging. For details on using
protection profiles, see Firewall Protection Profile on page 397.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall policies. For details, see Using virtual domains on page 103.
This section describes:
How list order affects policy matching
Multicast policies
Viewing the firewall policy list
Configuring firewall policies
Firewall policy examples
Policy list order: Exception (block FTP) above General (accept all).
FTP connections would immediately match the deny policy, blocking the connection.
Other kinds of services do not match the FTP policy, and so policy evaluation would
continue until reaching the matching general policy. This policy order has the intended
effect. But if you reversed the order of the two policies, positioning the general policy
before the policy to block FTP, all connections, including FTP, would immediately match
the general policy, and the policy to block FTP would never be applied. This policy order
would not have the intended effect.
Policy list order (reversed): General (accept all) above Exception (block FTP).
Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would
position those policies above other potential matches in the policy list. Otherwise, the
other matching policies could always take precedence, and the required authentication,
IPSec VPN, or SSL VPN might never occur.
Note: A default firewall policy may exist which accepts all connections. You can move,
disable or delete it. If you move the default policy to the bottom of the firewall policy list and
no other policy matches the packet, the connection will be accepted. If you disable or delete
the default policy and no other policy matches the packet, the connection will be dropped.
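To make the ordering effect concrete, the following added example (illustrative code, not FortiGate's policy engine) evaluates a constructed policy list top to bottom and returns the first match. Running the FTP connection through the list in both orders shows that the exception policy only takes effect when it sits above the general policy, and disabling the catch-all policy shows the drop-by-default behaviour described in the note. The interface names, addresses and connections are constructed.

```python
"""Added example (not from the FortiGate guide): first-match evaluation of a
firewall policy list, showing why an exception policy must sit above the
general policy. Interfaces, addresses and connections are constructed."""
import ipaddress


def _addr_match(pattern, ip):
    """'any' matches every address; otherwise the IP must fall in the subnet."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _matches(policy, conn):
    """A policy matches when source/destination interface and address and the
    service all match; 'any' / 'ALL' match everything."""
    return (policy["srcintf"] in ("any", conn["srcintf"])
            and policy["dstintf"] in ("any", conn["dstintf"])
            and _addr_match(policy["srcaddr"], conn["src"])
            and _addr_match(policy["dstaddr"], conn["dst"])
            and policy["service"] in ("ALL", conn["service"]))


def decide(policies, conn, default_action="deny"):
    """Walk the list top to bottom and return (policy id, action) for the
    first enabled policy that matches. No match gives (None, default_action):
    the behaviour once the accept-all default policy is disabled or deleted."""
    for policy in policies:
        if policy.get("enabled", True) and _matches(policy, conn):
            return policy["id"], policy["action"]
    return None, default_action


# Constructed policies: a specific exception that blocks FTP, and a general
# accept-all policy for the same interface pair.
EXCEPTION = {"id": 1, "srcintf": "internal", "dstintf": "wan1",
             "srcaddr": "192.168.1.0/24", "dstaddr": "any",
             "service": "FTP", "action": "deny"}
GENERAL = {"id": 2, "srcintf": "internal", "dstintf": "wan1",
           "srcaddr": "192.168.1.0/24", "dstaddr": "any",
           "service": "ALL", "action": "accept"}

# Constructed connection attempts.
FTP_CONN = {"srcintf": "internal", "dstintf": "wan1",
            "src": "192.168.1.10", "dst": "203.0.113.5", "service": "FTP"}
HTTP_CONN = dict(FTP_CONN, service="HTTP")
DMZ_CONN = dict(FTP_CONN, srcintf="dmz", src="10.10.10.5")

if __name__ == "__main__":
    print("exception first:", decide([EXCEPTION, GENERAL], FTP_CONN))
    print("general first:  ", decide([GENERAL, EXCEPTION], FTP_CONN))
```

With the general policy first, the FTP exception is never consulted, which is exactly the misordering the text warns about; a disabled exception behaves the same way, so a policy's Status checkbox deserves the same review as its position in the list.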
Multicast policies
FortiGate units support multicast policies. You can configure and create multicast policies
using the following CLI command:
config firewall multicast-policy
For more information, see the FortiOS CLI Reference and the FortiGate Multicast
Technical Note.
Create New Add a firewall policy. Select the down arrow beside Create New to add a firewall
policy or firewall policy section. A firewall policy section visually groups firewall
policies. For more information, see Configuring firewall policies on page 323.
Column Settings Customize the table view. You can select the columns to hide or display and
specify the column displaying order in the table. For more information, see
Using column settings to control the columns displayed on page 58 and
Web-based manager icons on page 60.
Section View Select to display firewall policies organized by source and destination interfaces.
Note: Section View is not available if any policy selects Any as the source or
destination interface.
Global View Select to list all firewall policies in order according to a sequence number.
Filter icons Edit the column filters to filter or sort the policy list according to the criteria you
specify. For more information, see Adding filters to web-based manager lists
on page 53.
ID The policy identifier. Policies are numbered in the order they are added to the
policy list.
From The source interface of the policy. Global view only.
To The destination interface of the policy. Global view only.
Source The source address or address group to which the policy applies. For more
information, see Firewall Address on page 345.
Destination The destination address or address group to which the policy applies. For more
information, see Firewall Address on page 345.
Schedule The schedule that controls when the policy should be active. For more
information, see Firewall Schedule on page 361.
Service The service to which the policy applies. For more information, see Firewall
Service on page 351.
Profile The protection profile that is associated with the policy.
Action The response to make when the policy matches a connection attempt.
Status Select the checkbox to enable a policy or deselect it to disable a policy.
From The source interface.
To The destination interface.
VPN Tunnel The VPN tunnel the VPN policy uses.
Authentication The user authentication method the policy uses.
Comments Comments entered when creating or editing the policy.
Log A green check mark indicates traffic logging is enabled for the policy; a grey
cross mark indicates traffic logging is disabled for the policy.
Count The FortiGate unit counts the number of packets and bytes that hit the firewall
policy.
For example, 5/50B means that five packets and 50 bytes in total have hit the
policy.
The counter is reset when the FortiGate unit is restarted or the policy is deleted
and re-configured.
Delete icon Delete the policy from the list.
Edit icon Edit the policy.
Insert Policy Before icon Add a new policy above the corresponding policy (the New Policy screen
appears).
Move To icon Move the corresponding policy before or after another policy in the list. For more
information, see Moving a policy to a different position in the policy list on
page 320.
Note: You can configure differentiated services (DSCP) firewall policy options through the
CLI. See the firewall chapter of the FortiGate CLI Reference.
Source Interface/Zone Select the name of the FortiGate network interface, virtual domain (VDOM) link,
or zone on which IP packets are received. Interfaces and zones are configured
on the System Network page. For more information, see Interfaces on
page 119 and Configuring zones on page 138.
If you select Any as the source interface, the policy matches all interfaces as
source.
If Action is set to IPSEC, the interface is associated with the local private
network.
If Action is set to SSL-VPN, the interface is associated with connections from
remote SSL VPN clients.
Source Address Select the name of a firewall address to associate with the Source
Interface/Zone. Only packets whose header contains an IP address matching
the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list.
For more information, see Configuring addresses on page 347.
If you want to associate multiple firewall addresses or address groups with the
Source Interface/Zone, from Source Address, select Multiple. In the dialog box,
move the firewall addresses or address groups from the Available Addresses
section to the Members section, then select OK.
If Action is set to IPSEC, the address is the private IP address of the host,
server, or network behind the FortiGate unit.
If Action is set to SSL-VPN and the policy is for web-only mode clients, select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the
name of the address that you reserved for tunnel mode clients.
Destination Interface/Zone Select the name of the FortiGate network interface, virtual domain (VDOM) link,
or zone to which IP packets are forwarded. Interfaces and zones are configured
on the System Network page. For more information, see Interfaces on
page 119 and Configuring zones on page 138.
If you select Any as the destination interface, the policy matches all interfaces as
destination.
If Action is set to IPSEC, the interface is associated with the entrance to the VPN
tunnel.
If Action is set to SSL-VPN, the interface is associated with the local private
network.
Destination Address Select the name of a firewall address to associate with the Destination
Interface/Zone. Only packets whose header contains an IP address matching
the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list.
For more information, see Configuring addresses on page 347.
If you want to associate multiple firewall addresses or address groups with the
Destination Interface/Zone, from Destination Address, select Multiple. In the
dialog box, move the firewall addresses or address groups from the Available
Addresses section to the Members section, then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied
translation varies by the settings specified in the virtual IP, and whether you
select NAT (below). For more information on using virtual IPs, see Firewall
Virtual IP on page 365.
If Action is set to IPSEC, the address is the private IP address to which packets
may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that corresponds
to the host, server, or network that remote clients need to access behind the
FortiGate unit.
Schedule Select a one-time or recurring schedule that controls when the policy is in effect.
You can also create schedules by selecting Create New from this list. For more
information, see Firewall Schedule on page 361.
Service Select the name of a firewall service or service group that packets must match to
trigger this policy.
You can select from a wide range of predefined firewall services, or you can
create a custom service or service group by selecting Create New from this list.
For more information, see Configuring custom services on page 357 and
Configuring service groups on page 359.
By selecting the Multiple button beside Service, you can select multiple services
or service groups.
Action Select how you want the firewall to respond when a packet matches the
conditions of the policy. The options available will vary widely depending on this
selection.
ACCEPT Accept traffic matched by the policy. You can configure NAT, protection profiles,
log traffic, shape traffic, set authentication options, or add a comment to the
policy.
DENY Reject traffic matched by the policy. The only other configurable policy options
are Log Violation Traffic to log the connections denied by this policy and adding
a Comment.
IPSEC You can configure an IPSec firewall encryption policy to process IPSec VPN
packets, as well as configure protection profiles, log traffic, shape traffic or add a
comment to the policy. See IPSec firewall policy options on page 330.
SSL-VPN You can configure an SSL-VPN firewall encryption policy to accept SSL VPN
traffic. This option is available only after you have added a SSL-VPN user group.
You can also configure NAT and protection profiles, log traffic, shape traffic or
add a comment to the policy. See Configuring SSL VPN identity-based firewall
policies on page 331.
Traffic Priority Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit
manages the relative priorities of different types of traffic. For example, a policy
for connecting to a secure web server needed to support e-commerce traffic
should be assigned a high traffic priority. Less important services should be
assigned a low priority. The firewall provides bandwidth to low-priority
connections only when bandwidth is not needed for high-priority connections.
Be sure to enable traffic shaping on all firewall policies. If you do not apply any
traffic shaping rule to a policy, the policy is set to high priority by default.
Distribute firewall policies over all three priority queues.
Reverse Direction Traffic Shaping Select to enable reverse traffic shaping. For example, if the traffic direction
that a policy controls is from port1 to port2, selecting this option also applies the
policy's shaping configuration to traffic from port2 to port1.
Log Allowed Traffic Select to record messages to the traffic log whenever the policy processes a
connection. You must also enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging
severity level to Notification or lower using the Log and Report screen. For more
information, see Log&Report on page 647.
Log Violation Traffic Available only if Action is set to DENY. Select Log Violation Traffic, for Deny
policies, to record messages to the traffic log whenever the policy processes a
connection. You must also enable traffic log for a logging location (syslog,
WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging
severity level to Notification or lower using the Log and Report screen. For more
information, see Log&Report on page 647.
Comments Add information about the policy. The maximum length is 63 characters.
In most cases, you should ensure that users can use DNS through the FortiGate unit
without authentication. If DNS is not available, users will not be able to use a domain
name when using a supported authentication protocol to trigger the FortiGate unit's
authentication challenge.
Note: If you do not install certificates on the network users' web browsers, the network users
may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate, which the network users' web browsers may then deem invalid. For
information on installing certificates, see System Certificates on page 243.
Note: When you use certificate authentication, if you do not specify any certificate when
you create a firewall policy, the FortiGate unit uses the default certificate from the global
settings. If you specify a certificate, the per-policy setting overrides the global setting.
For information on global authentication settings, see Options on page 590.
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create
users, assign them to a firewall user group, and assign a protection profile to that user
group. For information on configuring user groups, see User Group on page 583. For
information on configuring authentication settings, see Identity-based firewall policy
options (non-SSL-VPN) on page 328 and Configuring SSL VPN identity-based firewall
policies on page 331.
Service The firewall service or service group that packets must match to trigger this policy.
Profile The protection profile to apply antivirus, web filtering, web category filtering, spam
filtering, IPS, content archiving, and logging to this policy. You can also create a
protection profile by selecting Create New from this list. For more information, see
Firewall Protection Profile on page 397.
Traffic Shaping The traffic shaping configuration for this policy.
For more information, see Firewall Policy on page 319.
Reverse Direction Traffic Shaping Select to enable reverse traffic shaping. For example, if the
traffic direction that a policy controls is from port1 to port2, selecting
this option also applies the policy's shaping configuration to traffic
from port2 to port1.
Log Traffic If the Log Allowed Traffic option is selected when adding an identity-based policy,
a green check mark appears. Otherwise, a white cross mark appears.
Delete icon Select to remove this policy.
Edit icon Select to modify this policy.
Firewall Include firewall user groups defined locally on the FortiGate unit, as well as on
any connected LDAP and RADIUS servers. This option is selected by default.
Directory Service (FSAE) Include Directory Service groups defined in User > User Group. The groups are
authenticated through a domain controller using Fortinet Server Authentication
Extensions (FSAE). If you select this option, you must install the FSAE on the
Directory Service domain controller. For information about FSAE, see the FSAE
Technical Note. For information about configuring user groups, see User Group
on page 583.
NTLM Authentication Include Directory Service groups defined in User > User Group. If you select this
option, you must use Directory Service groups as the members of the
authentication group for NTLM. For information about configuring user groups,
see User Group on page 583.
Certificate Certificate-based authentication only. Select the protection profile that guest
accounts will use. Note: In order to implement certificate-based authentication,
you must select a firewall service group that includes one of the supported
authentication protocols that use certificate-based authentication. You should also
install the certificate on the network users' web browsers. For more information,
see Adding authentication to firewall policies on page 327.
6 From the Available User Groups list, select one or more user groups that must
authenticate to be allowed to use this policy. Select the right arrow to move the
selected user groups to the Selected User Groups list.
7 Select services in the Available Services list and then select the right arrow to move
them to the Selected Services list.
8 Select a schedule from the Schedule drop-down list. There is no default.
9 Optionally, select a Protection Profile, enable User Authentication Disclaimer or Log
Allowed Traffic.
10 Optionally, select Traffic Shaping and choose a traffic shaper.
11 Select OK.
VPN Tunnel Select the VPN tunnel name defined in the phase 1 configuration. The specified
tunnel will be subject to this firewall encryption policy.
Allow Inbound Select to enable traffic from a dialup client or computers on the remote private
network to initiate the tunnel.
Allow Outbound Select to enable traffic from computers on the local private network to initiate
the tunnel.
Inbound NAT Select to translate the source IP addresses of inbound decrypted packets into
the IP address of the FortiGate interface to the local private network.
Outbound NAT Select only in combination with a natip CLI value to translate the source
addresses of outbound cleartext packets into the IP address that you specify.
When a natip value is specified, the source addresses of outbound IP packets
are replaced before the packets are sent through the tunnel. For more
information, see the firewall chapter of the FortiGate CLI Reference.
Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall
policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction
of communication, with the IPSec virtual interface as the source or destination interface as
appropriate.
For more information, see the Defining firewall policies chapter of the FortiGate IPSec
VPN User Guide.
Note: The SSL-VPN option is only available from the Action list after you have added SSL
VPN user groups. To add SSL VPN user groups, see SSL VPN user groups on page 585.
Source Interface/Zone Select the name of the FortiGate network interface, virtual domain
(VDOM) link, or zone on which IP packets are received.
Source Address Select the name of a firewall address to associate with the Source
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from
this list. For more information, see Configuring addresses on
page 347.
If Action is set to SSL-VPN and the policy is for web-only mode clients,
select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients,
select the name of the address that you reserved for tunnel mode
clients.
Destination Interface/Zone Select the name of the FortiGate network interface, virtual domain
(VDOM) link, or zone to which IP packets are forwarded. If Action is
set to SSL-VPN, the interface is associated with the local private
network.
Destination Address Select the name of a firewall address to associate with the Destination
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from
this list. For more information, see Configuring addresses on
page 347.
If you want to associate multiple firewall addresses or address groups
with the Destination Interface/Zone, from Destination Address, select
Multiple. In the dialog box, move the firewall addresses or address
groups from the Available Addresses section to the Members section,
then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The
applied translation varies by the settings specified in the virtual IP, and
whether you select NAT (below). For more information on using virtual
IPs, see Firewall Virtual IP on page 365.
If Action is set to IPSEC, the address is the private IP address to
which packets may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that
corresponds to the host, server, or network that remote clients need to
access behind the FortiGate unit.
Action Select SSL-VPN to configure the firewall encryption policy to accept
SSL VPN traffic. This option is available only after you have added an
SSL-VPN user group.
SSL Client Certificate Restrictive Allow traffic generated by holders of a (shared) group certificate. The
holders of the group certificate must be members of an SSL VPN user
group, and the name of that user group must be present in the
Allowed field.
Cipher Strength Select the bit level of SSL encryption. The web browser on the remote
client must be capable of matching the level that you select: Any,
High >= 164, or Medium >= 128.
User Authentication Method Select the authentication server type by which the user will be
authenticated:
Any For all of the above authentication methods. Local is attempted first,
then RADIUS, then LDAP.
Local For a local user group that will be bound to this firewall policy.
RADIUS For remote clients that will be authenticated by an external RADIUS
server.
LDAP For remote clients that will be authenticated by an external LDAP
server.
TACACS+ For remote clients that will be authenticated by an external TACACS+
server.
NAT Enable or disable Network Address Translation (NAT) of the source
address and port of packets accepted by the policy. When NAT is
enabled, you can also configure Dynamic IP Pool and Fixed Port.
If you select a virtual IP as the Destination Address, but do not select
the NAT option, the FortiGate unit performs destination NAT (DNAT)
rather than full NAT. Source NAT (SNAT) is not performed.
Fixed Port Select Fixed Port to prevent NAT from translating the source port.
Enable Identity Based Policy Select to configure an SSL-VPN firewall policy that requires
authentication.
Add Select to configure the valid authentication methods, user group
names, and services. For more information, see User Group on
page 583.
Comments Add information about the policy. The maximum length is 63
characters.
To create an identity based firewall policy, select the Enable Identity Based Policy check
box. A table opens below the check box. Select Add. The New Authentication Rule dialog
opens (see Figure 197).
User Group
Available User Groups List of user groups available for inclusion in the firewall policy. To add
a user group to the list, select the name and then select the Right
Arrow.
Selected User Groups List of user groups that are included in the firewall policy. To remove a
user group from the list, select the name and then select the Left
Arrow.
Service
Available Services List of available services to include in the firewall policy. To add a
service to the list, select the name and then select the Right Arrow.
Selected Services List of services that are included in the firewall policy. To remove a
service from the list, select the name and then select the Left Arrow.
Schedule Select a one-time or recurring schedule that controls when the policy
is in effect.
You can also create schedules by selecting Create New from this list.
For more information, see Firewall Schedule on page 361.
Protection Profile Select a protection profile to apply antivirus, web filtering, web
category filtering, spam filtering, IPS, content archiving, and logging to
a firewall policy. You can also create a protection profile by selecting
Create New from this list. For more information, see Firewall
Protection Profile on page 397.
Traffic Shaping Select a traffic shaper for the policy. You can also select to create a
new traffic shaper. Traffic Shaping controls the bandwidth available to,
and sets the priority of the traffic processed by, the policy.
For information about traffic shaping, see Traffic Shaping on
page 423.
Reverse Direction Traffic Shaping Select to enable reverse traffic shaping. For example, if the traffic
direction that a policy controls is from port1 to port2, selecting this option
also applies the policy's shaping configuration to traffic from port2 to
port1.
Log Allowed Traffic Select to record messages to the traffic log whenever the policy
processes a connection. You must also enable traffic log for a logging
location (syslog, WebTrends, local disk if available, memory, or
FortiAnalyzer) and set the logging severity level to Notification or lower
using the Log and Report screen. For more information see
Log&Report on page 647.
For information about how to create a firewall encryption policy for SSL VPN users, see
the SSL VPN administration tasks chapter of the FortiGate SSL VPN User Guide.
Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used
as the source address for new sessions started by SSL VPN.
Note: The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN traffic,
but has no effect on web-mode SSL VPN traffic.
Enable Endpoint Compliance Check Check that the source hosts of this firewall policy have FortiClient
Endpoint Security software installed. Make sure that all of these hosts
are capable of installing the software.
You cannot enable Endpoint Compliance Check in firewall policies if
Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in
User > Options > Authentication.
Enforce FortiClient AV Up-to-date Check that the FortiClient Endpoint Security application has the
antivirus (real-time protection) feature enabled and is using the latest
version of the antivirus signatures available from FortiGuard Services.
Collect System Information from Endpoints Collect information about the host computer, its operating system and
the specific installed applications. This information is displayed in the
Endpoints list. See Monitoring endpoints on page 644.
Redirect Non-conforming Clients to Download Portal The non-compliant user sees a web page that explains why they are
non-compliant. The page also provides links to download a FortiClient
application installer. To edit this web page go to System > Config >
Replacement Messages and edit the Endpoint Control Download
Portal replacement message.
If the redirect is not enabled, the non-compliant user simply has no
network access.
Note: If the firewall policy involves a load balancing virtual IP, the endpoint compliance
check is not performed.
DoS policies
DoS policies are primarily used to apply DoS sensors to network traffic based on the
FortiGate interface it is leaving or entering as well as the source and destination
addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic
that does not fit known or common traffic patterns and behavior. A common example of
anomalous traffic is the denial of service attack. A denial of service occurs when an
attacking system starts an abnormally large number of sessions with a target system. The
large number of sessions slows down or disables the target system so legitimate users
can no longer use it.
DoS policies examine network traffic very early in the sequence of protective measures
the FortiGate unit deploys to protect your network. Because of this, DoS policies are a
very efficient defence, using few resources. The previously mentioned denial of service
would be detected and its packets dropped before requiring firewall policy look-ups,
antivirus scans, and other protective but resource-intensive operations.
Create New Add a firewall policy. Select the down arrow beside Create New to add
a firewall policy or firewall policy section. A firewall policy section
visually groups firewall policies. For more information, see
Configuring DoS policies on page 338.
Column Settings Customize the table view. You can select the columns to hide or
display and specify the column displaying order in the table.
Section View Select to display firewall policies organized by interface.
Global View Select to list all firewall policies in order according to a sequence
number.
Filter icon Edit the column filters to filter or sort the policy list according to the
criteria you specify. For more information, see Adding filters to
web-based manager lists on page 53.
Status When selected, the DoS policy is enabled. Clear the checkbox to
disable the policy.
ID A unique identifier for each policy. Policies are numbered in the order
they are created.
Source The source address or address group to which the policy applies. For
more information, see Firewall Address on page 345.
Destination The destination address or address group to which the policy applies.
For more information, see Firewall Address on page 345.
Service The service to which the policy applies. For more information, see
Firewall Service on page 351.
DoS The DoS sensor selected in this policy.
Interface The interface to which this policy applies.
Delete icon Delete the policy from the list.
Edit icon Edit the policy.
Insert Policy Before icon Add a new policy above the corresponding policy (the New Policy
screen appears).
Move To icon Move the corresponding policy before or after another policy in the list.
Company A requires secure connections for home-based workers. Like many companies,
they rely heavily on email and Internet access to conduct business. They want a
comprehensive security solution to detect and prevent network attacks, block viruses, and
decrease spam. They want to apply different protection settings for different departments.
They also want to integrate web and email servers into the security solution.
To deal with their first requirement, Company A configures specific policies for each
home-based worker to ensure secure communication between the home-based worker
and the internal network.
1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:
Outbound NAT no
Protection Profile Select the check mark and select standard_profile
3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:
5 Select OK.
The proposed network is based around a FortiGate 100A unit. The 15 internal computers
are behind the FortiGate unit. They now access the email and web servers in a DMZ,
which is also behind the FortiGate unit. All home-based employees now access the office
network through the FortiGate unit via VPN tunnels.
The library must be able to set different access levels for patrons and staff members.
The first firewall policy for main office staff members allows full access to the Internet at all
times. A second policy will allow direct access to the DMZ for staff members. A second
pair of policies is required to allow branch staff members the same access.
The staff firewall policies will all use a protection profile configured specifically for staff
access. Enabled features include virus scanning, spam filtering, IPS, and blocking of all
P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and
spyware sites.
A few users may need special web and catalog server access to update information on
those servers, depending on how they are configured. Special access can be allowed
based on IP address or user.
The proposed topology has the main branch staff and the catalog access terminals
going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals
first go through a FortiWiFi unit, where additional policies can be applied, to the HA
cluster and finally to the servers.
The branch office has all three users routed through a FortiWiFi unit to the main branch via
VPN tunnels.
Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall >
Protection Profile.
Main office staff to Internet policy:
Firewall Address
Firewall addresses and address groups define network addresses that you can use when
configuring the source and destination address fields of firewall policies. The FortiGate unit
compares the IP addresses contained in packet headers with firewall policy source and
destination addresses to determine if the firewall policy matches the traffic.
You can organize related addresses into address groups to simplify your firewall policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall addresses. For details, see Using virtual domains on page 103.
This section describes:
About firewall addresses
Viewing the firewall address list
Configuring addresses
Viewing the address group list
Configuring address groups
When representing hosts by an IP Range, the range indicates hosts with contiguous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. Valid IP Range formats include:
x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
x.x.x.[x-x], such as 192.168.110.[100-120]
x.x.x.*, such as 192.168.110.*
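The three IP Range formats above, parsed and then checked against packet addresses the way the firewall compares packet headers with policy addresses. This is an added Python example, not code from the guide or from FortiOS; the function names and the sample ranges are this example's own constructions.

```python
"""Parse the FortiGate IP Range address formats and test packet addresses
against them.  Added example, not from the guide; it accepts exactly the
three documented forms: x.x.x.x-x.x.x.x, x.x.x.[x-x] and x.x.x.*"""
import ipaddress
import re

_DASH = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")
_BRACKET = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_STAR = re.compile(r"^(\d+\.\d+\.\d+)\.\*$")


def parse_ip_range(text):
    """Return (first, last) IPv4Address bounds for an IP Range string.
    Raises ValueError for anything outside the three documented forms or for
    octets outside 0-255 (IPv4Address itself rejects those)."""
    text = text.strip()
    m = _DASH.match(text)
    if m:
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
    elif _BRACKET.match(text):
        m = _BRACKET.match(text)
        first = ipaddress.IPv4Address(f"{m.group(1)}.{m.group(2)}")
        last = ipaddress.IPv4Address(f"{m.group(1)}.{m.group(3)}")
    elif _STAR.match(text):
        m = _STAR.match(text)
        # x.x.x.* is the complete last octet, .0 through .255
        first = ipaddress.IPv4Address(f"{m.group(1)}.0")
        last = ipaddress.IPv4Address(f"{m.group(1)}.255")
    else:
        raise ValueError(f"not a valid IP Range: {text!r}")
    if first > last:
        raise ValueError(f"range start is after range end: {text!r}")
    return first, last


def valid_ip_range(text):
    """True if `text` is one of the accepted IP Range forms."""
    try:
        parse_ip_range(text)
        return True
    except ValueError:
        return False


def range_size(text):
    """Number of host addresses covered by the IP Range."""
    first, last = parse_ip_range(text)
    return int(last) - int(first) + 1


def address_matches(text, packet_ip):
    """True if the packet's IP address falls inside the IP Range address,
    which is the comparison a policy's source/destination address performs."""
    first, last = parse_ip_range(text)
    return first <= ipaddress.IPv4Address(packet_ip) <= last


if __name__ == "__main__":
    # Constructed sample values, taken from the formats the guide lists
    for rng in ("192.168.110.100-192.168.110.120", "192.168.110.[100-120]", "192.168.110.*"):
        print(rng, "->", range_size(rng), "addresses")
    print(address_matches("192.168.1.[2-10]", "192.168.1.7"))
```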
When representing hosts by a FQDN, the domain name can be a subdomain, such as
mail.example.com. A single FQDN firewall address may be used to apply a firewall policy
to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate
units automatically resolve and maintain a record of all addresses to which the FQDN
resolves. Valid FQDN formats include:
<host_name>.<second_level_domain_name>.<top_level_domain_name>, such as
mail.example.com
<host_name>.<top_level_domain_name>
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
Note: By default, IPv6 firewall addresses can be configured only in the CLI. For information
on enabling configuration of IPv6 firewall addresses in the web-based manager, see
Settings on page 228.
Address / FQDN The IP address and mask, IP address range, or fully qualified domain name.
Interface The interface, zone, or virtual domain (VDOM) to which you bind the IP address.
Delete icon Select to remove the address. The Delete icon appears only if a firewall policy
or address group is not currently using the address.
Edit icon Select to edit the address.
Configuring addresses
You can use one of the following methods to represent hosts in firewall addresses:
IP/Netmask, FQDN, or IPv6.
Address Name Enter a name to identify the firewall address. Addresses, address groups, and
virtual IPs must have unique names.
Type Select the type of address: Subnet/IP Range or FQDN. You can enter either
an IP range or an IP address with subnet mask.
Subnet / IP Enter the firewall IP address, followed by a forward slash (/), then subnet
Range mask, or enter an IP address range separated by a hyphen.
Interface Select the interface, zone, or virtual domain (VDOM) link to which you want to
bind the IP address. Select Any if you want to bind the IP address with the
interface/zone when you create a firewall policy.
4 Select OK.
Tip: You can also create firewall addresses when configuring a firewall policy: Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Source
Address list, select Address > Create New.
Group Name Enter a name to identify the address group. Addresses, address groups, and
virtual IPs must have unique names.
Available Addresses The list of all configured and default firewall addresses. Use the arrows to
move selected addresses between the lists of available and member
addresses.
Members The list of addresses included in the address group. Use the arrows to move
selected addresses between the lists of available and member addresses.
4 Select OK.
Tip: You can also create firewall address groups when configuring a firewall policy: Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Source
Address list, select Address Group > Create New.
Firewall Service
Firewall services define one or more protocols and port numbers associated with each
service. Firewall policies use service definitions to match session types.
You can organize related services into service groups to simplify your firewall policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall
services separately for each virtual domain. For more information, see Using virtual
domains on page 103.
This section describes:
Viewing the predefined service list
Viewing the custom service list
Configuring custom services
Viewing the service group list
Configuring service groups
Destination Port Specify the destination port number range for the service by entering the low
and high port numbers. If the service uses one port number, enter this number
in both the Low and High fields.
Add If your custom service requires more than one port range, select Add to allow
more source and destination ranges.
Delete Icon Remove the entry from the list.
Firewall Schedule
Firewall schedules control when policies are in effect. You can create one-time schedules
or recurring schedules. One-time schedules are in effect only once for the period of time
specified in the schedule. Recurring schedules are in effect repeatedly at specified times
of specified days of the week.
If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall
schedules separately for each virtual domain. For more information, see Using virtual
domains on page 103.
This section describes:
Viewing the recurring schedule list
Configuring recurring schedules
Viewing the one-time schedule list
Configuring one-time schedules
Note: If a recurring schedule has a stop time that is earlier than the start time, the schedule
will take effect at the start time but end at the stop time on the next day. You can use this
technique to create recurring schedules that run from one day to the next. For example, to
prevent game playing except at lunchtime, you might set the start time for a recurring
schedule at 1:00 p.m. and the stop time at 12:00 noon. To create a recurring schedule that
runs for 24 hours, set the start and stop times to 00.
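The wrap-around rule in the note above, worked through in code: a stop time earlier than the start time runs into the next day, and start and stop both set to 00:00 covers all 24 hours of each selected day. This is an added Python example, not FortiOS code; the function names are this example's own, and the lunchtime schedule is the one the note describes.

```python
"""Evaluate a recurring firewall schedule, including the guide's wrap-around
rule: a stop time earlier than the start time ends on the following day, and
start and stop both set to 00:00 keeps the schedule in effect for the full 24
hours of each selected day.  Added example, not FortiOS code."""
from datetime import datetime

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def _minutes(hhmm):
    """Convert 'HH:MM' to minutes after midnight, validating both fields."""
    hours, mins = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours <= 23 and 0 <= mins <= 59):
        raise ValueError(f"invalid time of day: {hhmm!r}")
    return hours * 60 + mins


def schedule_active(days, start, stop, weekday, time):
    """days: weekday abbreviations on which the schedule *starts*;
    start/stop: 'HH:MM'; weekday/time: the moment being tested.
    Returns True if the schedule is in effect at that moment."""
    s, e, now = _minutes(start), _minutes(stop), _minutes(time)
    w = DAYS.index(weekday)
    today, yesterday = DAYS[w], DAYS[(w - 1) % 7]
    if s == e:
        # Equal start and stop (the guide's 00:00 / 00:00 case): all 24 hours
        return today in days
    if s < e:
        # Ordinary same-day window, active from start up to (not including) stop
        return today in days and s <= now < e
    # Stop earlier than start: a window opened on a selected day runs past
    # midnight, so it is active late on that day or early on the following day
    return (today in days and now >= s) or (yesterday in days and now < e)


def schedule_active_at(days, start, stop, when):
    """Convenience wrapper taking a datetime instead of weekday + time."""
    return schedule_active(days, start, stop, DAYS[when.weekday()], when.strftime("%H:%M"))


def schedule_active_now(days, start, stop):
    return schedule_active_at(days, start, stop, datetime.now())


if __name__ == "__main__":
    # The note's example: block game playing except at lunchtime (12:00-13:00)
    for t in ("10:00", "12:30", "15:00"):
        print(t, "blocked" if schedule_active(set(DAYS), "13:00", "12:00", "tue", t) else "allowed")
```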
To view the recurring schedule list, go to Firewall > Schedule > Recurring.
Delete icon Remove the schedule from the list. The Delete icon appears only if the schedule
is not being used in a firewall policy.
Edit icon Edit the schedule.
Tip: You can also create recurring schedules when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule
list, select Recurring > Create New.
Delete icon Remove the schedule from the list. The Delete icon appears only if the schedule
is not being used in a firewall policy.
Edit icon Edit the schedule.
Tip: You can also create one-time schedules when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule
list, select One-time > Create New.
Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP
addresses and ports of packets received by a network interface, including a modem
interface.
When the FortiGate unit receives inbound packets matching a firewall policy whose
Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packets'
IP addresses with the virtual IP's mapped IP address.
IP pools, similarly to virtual IPs, can be used to configure aspects of NAT; however, IP
pools configure dynamic translation of packets' IP addresses based on the Destination
Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packet's IP
addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For details, see Configuring virtual IPs on page 370.
Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies
that include Virtual IPs and IP pools. See Adding NAT firewall policies in transparent mode
on page 386.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are
configured separately for each virtual domain. For details, see Using virtual domains on
page 103.
This section describes:
How virtual IPs map connections through FortiGate units
Viewing the virtual IP list
Configuring virtual IPs
Virtual IP Groups
Viewing the VIP group list
Configuring VIP groups
IP pools
Viewing the IP pool list
Configuring IP Pools
Double NAT: combining IP pool with virtual IP
Adding NAT firewall policies in transparent mode
Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to
apply bidirectional NAT, also known as inbound NAT.
When comparing packets with the firewall policy list to locate a matching policy, if a firewall
policy's Destination Address is a virtual IP, the FortiGate unit compares the packet's destination
address to the virtual IP's external IP address. If they match, the FortiGate unit applies the
virtual IP's inbound NAT mapping, which specifies how the FortiGate unit translates
network addresses and/or port numbers of packets from the receiving (external) network
interface to the network interface connected to the destination (mapped) IP address or IP
address range.
In addition to specifying IP address and port mappings between interfaces, virtual IP
configurations can optionally bind an additional IP address or IP address range to the
receiving network interface. By binding an additional IP address, you can configure a
separate set of mappings that the FortiGate unit can apply to packets whose destination
matches that bound IP address, rather than the IP address already configured for the
network interface.
Depending on your configuration of the virtual IP, its mapping may involve port address
translation (PAT), also known as port forwarding or network address port translation
(NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your
selection of:
static vs. dynamic NAT mapping
the dynamic NAT's load balancing style, if using dynamic NAT mapping
full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when
configuring a firewall policy with a virtual IP.
Static NAT
Static, one-to-one NAT mapping: an external IP address is always translated to the same
mapped IP address.
If using IP address ranges, the external IP address range corresponds to a mapped IP
address range containing an equal number of IP addresses, and each IP address in the
external range is always translated to the same IP address in the mapped range.
Static NAT with Port Forwarding
Static, one-to-one NAT mapping with port forwarding: an external IP address is always
translated to the same mapped IP address, and an external port number is always
translated to the same mapped port number.
If using IP address ranges, the external IP address range corresponds to a mapped IP
address range containing an equal number of IP addresses, and each IP address in the
external range is always translated to the same IP address in the mapped range. If using
port number ranges, the external port number range corresponds to a mapped port number
range containing an equal number of port numbers, and each port number in the external
range is always translated to the same port number in the mapped range.
Server Load Balancing
Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the
mapped IP addresses, as determined by the selected load balancing algorithm for more
even traffic distribution. The external IP address is not always translated to the same
mapped IP address.
Server load balancing requires that you configure at least one real server, but can use up
to eight. Real servers can be configured with health check monitors. Health check monitors
can be used to gauge server responsiveness before forwarding packets.
Server Load Balancing with Port Forwarding
Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is
translated to one of the mapped IP addresses, as determined by the selected load
balancing algorithm for more even traffic distribution. The external IP address is not always
translated to the same mapped IP address.
Server load balancing requires that you configure at least one real server, but can use up
to eight. Real servers can be configured with health check monitors. Health check monitors
can be used to gauge server responsiveness before forwarding packets.
Note: If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full (source and destination) NAT; instead, it performs destination
network address translation (DNAT).
For inbound traffic, DNAT translates packets' destination address to the mapped private IP
address, but does not translate the source address. The private network is aware of the
source's public IP address. For reply traffic, the FortiGate unit translates packets' private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.
A typical example of static NAT is to allow client access from a public network to a web
server on a private network that is protected by a FortiGate unit. Reduced to its essence,
this example involves only three hosts, as shown in Figure 221: the web server on a
private network, the client computer on another network, such as the Internet, and the
FortiGate unit connecting the two networks.
When a client computer attempts to contact the web server, it uses the virtual IP on the
FortiGate unit's external interface. The FortiGate unit receives the packets. The addresses
in the packets are translated to private network IP addresses, and the packet is forwarded
to the web server on the private network.
The packets sent from the client computer have a source IP of 192.168.37.55 and a
destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external
interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings
map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets' addresses.
The source address is changed to 10.10.10.2 and the destination is changed to
10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session
table it maintains internally. The packets are then sent on to the web server.
Figure 222: Example of packet address remapping during NAT from client to server
Note that the client computer's address does not appear in the packets the server
receives. After the FortiGate unit translates the network addresses, there is no reference
to the client computer's IP address, except in its session table. The web server has no
indication that another network exists. As far as the server can tell, all packets are sent by
the FortiGate unit.
When the web server replies to the client computer, address translation works similarly,
but in the opposite direction. The web server sends its response packets having a source
IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit
receives these packets on its internal interface. This time, however, the session table is
used to recall the client computer's IP address as the destination address for the address
translation. In the reply packets, the source address is changed to 192.168.37.4 and the
destination is changed to 192.168.37.55. The packets are then sent on to the client
computer.
The web server's private IP address does not appear in the packets the client receives.
After the FortiGate unit translates the network addresses, there is no reference to the web
server's network. The client has no indication that the web server's IP address is not the
virtual IP. As far as the client is concerned, the FortiGate unit's virtual IP is the web server.
Figure 223: Example of packet address remapping during NAT from server to client
In the previous example, the NAT check box is selected when configuring the firewall
policy. If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full NAT; instead, it performs destination network address
translation (DNAT).
For inbound traffic, DNAT translates packets' destination address to the mapped private IP
address, but does not translate the source address. The web server would be aware of
the client's IP address. For reply traffic, the FortiGate unit translates packets' private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.
Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an
outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional
outbound NAT to connections outbound from private network IP addresses to public
network IP addresses. However, if virtual IP configurations exist, FortiGate units use the
virtual IPs' inbound NAT mappings in reverse to apply outbound NAT, causing IP address
mappings for both inbound and outbound traffic to be symmetric.
For example, if a network interface's IP address is 10.10.10.1, and its bound virtual IP's
external IP is 10.10.10.2, mapping inbound traffic to the private network IP address
192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not
10.10.10.1.
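The inbound full NAT and DNAT cases, the session-table reply translation and the symmetric outbound case described above, replayed as an added Python model. This is not FortiOS code and not from the guide: the client, VIP and server addresses are those of the guide's web server example, while the external interface address 192.168.37.1, the outbound destination 203.0.113.9, the session-table layout and all class and function names are assumptions.

```python
"""Static NAT virtual IP walk-through: inbound translation (full NAT versus DNAT),
the session table, reply translation, and symmetric outbound NAT.

Added example, not FortiOS code. Addresses follow the guide's web server example;
the external interface IP 192.168.37.1, the session-table layout and the names
used here are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP)


@dataclass(frozen=True)
class VirtualIP:
    name: str
    external_ip: str  # address the VIP answers for on the external interface
    mapped_ip: str    # real server address on the private network


class StaticNatVip:
    """One static NAT VIP on a unit with the given interface addresses.

    full_nat=True models a policy with the NAT check box selected (source and
    destination rewritten); full_nat=False models DNAT only.
    """

    def __init__(self, vip: VirtualIP, internal_ip: str, external_if_ip: str,
                 full_nat: bool) -> None:
        self.vip = vip
        self.internal_ip = internal_ip
        self.external_if_ip = external_if_ip
        self.full_nat = full_nat
        # Session table: translated (src, dst) pair -> original client address.
        # Under full NAT this is the only place the client address survives.
        self.sessions: Dict[Packet, str] = {}

    def inbound(self, packet: Packet) -> Optional[Packet]:
        """Client -> server. Returns the packet as the server sees it, or None when
        the destination is not this VIP (the policy does not match)."""
        src, dst = packet
        if dst != self.vip.external_ip:
            return None
        new_src = self.internal_ip if self.full_nat else src
        translated = (new_src, self.vip.mapped_ip)
        self.sessions[translated] = src
        return translated

    def reply(self, packet: Packet) -> Optional[Packet]:
        """Server -> client. The reversed translated pair is looked up in the session
        table to recover the client address; the source becomes the VIP."""
        src, dst = packet
        client = self.sessions.get((dst, src))
        if client is None:
            return None  # no session: not a reply to a known inbound flow
        return (self.vip.external_ip, client)

    def outbound(self, packet: Packet) -> Packet:
        """Connections initiated by private hosts. The mapped host is translated to
        the VIP's external IP (the inbound mapping used in reverse); other hosts
        get the external interface address, i.e. traditional outbound NAT."""
        src, dst = packet
        if src == self.vip.mapped_ip:
            return (self.vip.external_ip, dst)
        return (self.external_if_ip, dst)


def demo() -> Dict[str, Optional[Packet]]:
    """Replay the guide's exchange under full NAT and under DNAT."""
    vip = VirtualIP("static_NAT", external_ip="192.168.37.4", mapped_ip="10.10.10.42")
    full = StaticNatVip(vip, "10.10.10.2", "192.168.37.1", full_nat=True)
    dnat = StaticNatVip(vip, "10.10.10.2", "192.168.37.1", full_nat=False)
    client_req: Packet = ("192.168.37.55", "192.168.37.4")
    return {
        "full_nat_inbound": full.inbound(client_req),
        "full_nat_reply": full.reply(("10.10.10.42", "10.10.10.2")),
        "dnat_inbound": dnat.inbound(client_req),  # server sees the client IP
        "dnat_reply": dnat.reply(("10.10.10.42", "192.168.37.55")),
        "outbound_mapped_host": full.outbound(("10.10.10.42", "203.0.113.9")),
        "outbound_other_host": full.outbound(("10.10.10.50", "203.0.113.9")),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:22} {result}")
```

The session table is what makes reply translation possible: under full NAT the private side never sees the client address, and the model returns None for a reply that matches no session, which is what a practitioner should expect when a server emits traffic that no inbound policy created.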
VIP requirements
Virtual IPs have the following requirements.
The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
The Mapped IP Address/Range must not include any interface IP addresses.
If the virtual IP is mapped to a range of IP addresses and its type is Static NAT, the
External IP Address/Range cannot be 0.0.0.0.
When port forwarding, the External IP Address/Range cannot include any other
interface IP addresses.
When port forwarding, the count of mapped port numbers and external port
numbers must be the same, and the last port number in the range must not exceed
65535.
Virtual IP names must be different from address or address group names.
A physical external IP address can be used as the external VIP IP address.
Duplicate entries or overlapping ranges are not permitted.
Name: Enter or change the name to identify the virtual IP. To avoid confusion, addresses,
address groups, and virtual IPs cannot have the same names.
External Interface: Select the virtual IP external interface from the list. The external
interface is connected to the source network and receives the packets to be forwarded to
the destination network. You can select any FortiGate interface, VLAN subinterface, VPN
interface, or modem interface.
Type: VIP type is Static NAT, read only.
External IP Address/Range: Enter the external IP address that you want to map to an
address on the destination network.
To configure a dynamic virtual IP that accepts connections for any IP address, set the
external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one
mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped
address or a mapped address range.
Mapped IP Address/Range: Enter the real IP address on the destination network to which
the external IP address is mapped.
You can also enter an address range to forward packets to multiple IP addresses on the
destination network.
For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit
calculates the external IP address range and adds the IP address range to the External IP
Address/Range field.
This option appears only if Type is Static NAT.
Port Forwarding: Select to perform port address translation (PAT).
To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to
the network interface, and selecting the mapping type and mapped IP address(es)
and/or port(s). For configuration examples of each type, see:
Adding a static NAT virtual IP for a single IP address on page 372
Adding a static NAT virtual IP for an IP address range on page 373
Adding static NAT port forwarding for a single IP address and a single port on
page 375
Adding static NAT port forwarding for an IP address range and a port range on
page 377
Adding dynamic virtual IPs on page 378
Adding a virtual IP with port translation only on page 379
4 Select OK.
The virtual IP appears in the virtual IP list.
5 To implement the virtual IP, select the virtual IP in a firewall policy.
For example, to add a firewall policy that maps public network addresses to a private
network, you might add an external to internal firewall policy and select the Source
Interface/Zone to which a virtual IP is bound, then select the virtual IP in the
Destination Address field of the policy. For details, see Configuring firewall policies on
page 323.
Figure 227: Virtual IP options: static NAT virtual IP for a single IP address
Name static_NAT
External Interface wan1
Type Static NAT
4 Select OK.
3 Select NAT.
4 Select OK.
Figure 229: Virtual IP options: static NAT virtual IP with an IP address range
Name: static_NAT_range
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address range of the web servers. The
external IP addresses are usually static IP addresses obtained from your ISP for your web
server. These addresses must be unique IP addresses that are not used by another host
and cannot be the same as the IP addresses of the external interface the virtual IP will be
using. However, the external IP addresses must be routed to the selected interface. The
virtual IP addresses and the external IP address can be on different subnets. When you
add the virtual IP, the external interface responds to ARP requests for the external IP
addresses.
Mapped IP Address/Range: The IP address range of the servers on the internal network.
Define the range by entering the first address of the range in the first field and the last
address of the range in the second field.
4 Select OK.
3 Select NAT.
4 Select OK.
Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000
on a private network. Attempts to communicate with 192.168.37.4, port 80 from the
Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The
computers on the Internet are unaware of this translation and see a single computer at
192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.
Figure 230: Static NAT virtual IP port forwarding for a single IP address and a single port example
To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In our example, the wan1 interface of the
FortiGate unit is connected to the Internet and the dmz1 interface is connected to the
DMZ network.
Figure 231: Virtual IP options: Static NAT port forwarding virtual IP for a single IP address and a single port
Name: Port_fwd_NAT_VIP
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP
address is usually a static IP address obtained from your ISP for your web server. This
address must be a unique IP address that is not used by another host and cannot be the
same as the IP address of the external interface the virtual IP will be using. However, the
external IP address must be routed to the selected interface. The virtual IP address and
the external IP address can be on different subnets. When you add the virtual IP, the
external interface responds to ARP requests for the external IP address.
Mapped IP Address/Range: The IP address of the server on the internal network. Since
there is only one IP address, leave the second field blank.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The port traffic from the Internet will use. For a web server, this will
typically be port 80.
Map to Port: The port on which the server expects traffic. Since there is only one port,
leave the second field blank.
4 Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a single port
to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP addresses, packets pass through the
FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the
destination addresses and ports of these packets from the external IP to the dmz network
IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
3 Select NAT.
4 Select OK.
Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are mapped to
ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network.
Attempts to communicate with 192.168.37.5, port 82 from the Internet, for example, are
translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The computers on the
Internet are unaware of this translation and see a single computer at 192.168.37.5 rather
than a FortiGate unit with a private network behind it.
Figure 232: Static NAT virtual IP port forwarding for an IP address range and a port range example
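The range-to-range mapping just described, together with the rules listed under VIP requirements (reserved addresses, interface addresses, equal port counts, the 65535 limit) and the equal-count rule for IP ranges from the static NAT table, as an added Python example. It is not FortiOS code and not from the guide: the interface addresses 192.168.37.1 and 10.10.10.2, the four-address mapped range 10.10.10.42-10.10.10.45 (constructed so that the external and mapped ranges hold the same number of addresses) and all names are assumptions.

```python
"""Static NAT port forwarding over IP and port ranges: the VIP requirement checks
and offset-based destination translation.

Added example, not FortiOS code. Interface addresses, the mapped range
10.10.10.42-45 and the names used here are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


def ip_range(first: str, last: str) -> List[IPv4]:
    a, b = IPv4(first), IPv4(last)
    if b < a:
        raise ValueError(f"range end {last} precedes start {first}")
    return [IPv4(n) for n in range(int(a), int(b) + 1)]


@dataclass(frozen=True)
class PortForwardVip:
    name: str
    external_interface: str
    ext_first: str
    ext_last: str
    map_first: str
    map_last: str
    ext_port_first: int
    ext_port_last: int
    map_port_first: int
    map_port_last: int
    protocol: str = "TCP"

    def external_ips(self) -> List[IPv4]:
        return ip_range(self.ext_first, self.ext_last)

    def mapped_ips(self) -> List[IPv4]:
        return ip_range(self.map_first, self.map_last)


def validate(vip: PortForwardVip, interface_ips: Dict[str, str]) -> List[str]:
    """Return every violated requirement; an empty list means the VIP is acceptable.
    interface_ips maps interface name -> address. The mapped range may include no
    interface address; the external range may include the bound interface's own
    address but no other interface's."""
    problems: List[str] = []
    ext, mapped = vip.external_ips(), vip.mapped_ips()
    iface = {name: IPv4(ip) for name, ip in interface_ips.items()}
    if any(str(ip) in ("0.0.0.0", "255.255.255.255") for ip in mapped):
        problems.append("mapped range cannot contain 0.0.0.0 or 255.255.255.255")
    if any(ip in iface.values() for ip in mapped):
        problems.append("mapped range must not include any interface IP address")
    if len(mapped) > 1 and str(ext[0]) == "0.0.0.0":
        problems.append("external range cannot be 0.0.0.0 when mapping a range")
    if len(ext) != len(mapped):
        problems.append("external and mapped IP ranges must hold the same number of addresses")
    others = {ip for name, ip in iface.items() if name != vip.external_interface}
    if any(ip in others for ip in ext):
        problems.append("external range cannot include other interface IP addresses")
    if (vip.ext_port_last - vip.ext_port_first) != (vip.map_port_last - vip.map_port_first):
        problems.append("external and mapped port ranges must hold the same number of ports")
    if max(vip.ext_port_last, vip.map_port_last) > 65535:
        problems.append("last port number in a range must not exceed 65535")
    return problems


def translate(vip: PortForwardVip, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Static mapping by position: the n-th external address / port always becomes
    the n-th mapped address / port. None means the packet does not match the VIP."""
    ext, mapped = vip.external_ips(), vip.mapped_ips()
    ip = IPv4(dst_ip)
    if ip not in ext or not (vip.ext_port_first <= dst_port <= vip.ext_port_last):
        return None
    idx = ext.index(ip)
    if idx >= len(mapped):
        return None  # only reachable for a VIP that fails validate()
    return (str(mapped[idx]), vip.map_port_first + (dst_port - vip.ext_port_first))


INTERFACE_IPS = {"external": "192.168.37.1", "dmz1": "10.10.10.2"}  # constructed
RANGE_VIP = PortForwardVip("Port_fwd_NAT_VIP_port_range", "external",
                           "192.168.37.4", "192.168.37.7", "10.10.10.42", "10.10.10.45",
                           80, 83, 8000, 8003)
# The guide's printed example lists 10.10.10.42-44 (three mapped addresses for four
# external ones); the equal-count rule for IP ranges rejects that combination.
UNEQUAL_VIP = PortForwardVip("unequal", "external",
                             "192.168.37.4", "192.168.37.7", "10.10.10.42", "10.10.10.44",
                             80, 83, 8000, 8003)

if __name__ == "__main__":
    print("valid:", validate(RANGE_VIP, INTERFACE_IPS))
    print("unequal:", validate(UNEQUAL_VIP, INTERFACE_IPS))
    print("192.168.37.5:82 ->", translate(RANGE_VIP, "192.168.37.5", 82))
```

Running validate() before committing a VIP catches the range mistakes that otherwise surface only as traffic silently not matching the policy; translate() shows the positional rule behind the guide's 192.168.37.5, port 82 to 10.10.10.43, port 8002 example.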
To add static NAT virtual IP port forwarding for an IP address range and a port range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In this example, the external interface of
the FortiGate unit is connected to the Internet and the dmz1 interface is connected to
the DMZ network.
Name Port_fwd_NAT_VIP_port_range
External Interface external
Type Static NAT
To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP addresses, packets pass through the
FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates
the destination addresses and ports of these packets from the external IP to the dmz
network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
3 Select NAT.
4 Select OK.
Note: To apply port forwarding to the external interface without binding a virtual IP address
to it, enter the IP address of the network interface instead of a virtual IP address, then
configure port forwarding as usual.
10 Enter the Map to Port number to be added to packets when they are forwarded.
11 Select OK.
Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy
list. For example, instead of having five identical policies for five different but related virtual
IPs located on the same network interface, you might combine the five virtual IPs into a
single virtual IP group, which is used by a single firewall policy.
Firewall policies using VIP Groups are matched by comparing both the member VIP IP
address(es) and port number(s).
Create New Select to add a new VIP group. See Configuring VIP groups on page 380.
Group Name The name of the virtual IP group.
Members Lists the group members.
Interface Displays the interface that the VIP group belongs to.
Delete icon Remove the VIP group from the list. The Delete icon only appears if the VIP
group is not being used in a firewall policy.
Edit icon Edit the VIP group information, including the group name and membership.
IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly
selected from the IP pool, rather than the IP address assigned to that FortiGate unit
interface. In Transparent mode, IP pools are available from the FortiGate CLI.
An IP pool defines an address or a range of IP addresses, all of which respond to ARP
requests on the interface to which the IP pool is added.
Select Enable Dynamic IP Pool in a firewall policy to translate the source address of
outgoing packets to an address randomly selected from the IP pool. An IP pool list
appears when the policy destination interface is the same as the IP pool interface.
With an IP pool added to the internal interface, you can select Dynamic IP pool for policies
with the internal interface as the destination.
Add multiple IP pools to any interface and select the IP pool to use when configuring a
firewall policy.
A single IP address is entered normally. For example, 192.168.110.100 is a valid IP
pool address. If an IP address range is required, use either of the following formats.
x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
x.x.x.[x-x], for example 192.168.110.[100-120]
Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism.
If you use fixed port in such a case, the FortiGate unit preserves the original source port.
But conflicts may occur since users may have different sessions using the same TCP
5-tuples.
Source address  Translated (IP pool) address
192.168.1.2  172.16.30.11
......  ......
192.168.1.10  172.16.30.19
192.168.1.11  172.16.30.10
192.168.1.12  172.16.30.11
192.168.1.13  172.16.30.12
......  ......
Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses will be used and the rest of them will not be used.
Create New: Select to add an IP pool.
Name: Enter the name of the IP pool.
Start IP: Enter the IP address that defines the start of the address range.
End IP: Enter the IP address that defines the end of the address range.
Delete icon: Select to remove the entry from the list. The Delete icon only appears if the IP
pool is not being used in a firewall policy.
Edit icon: Select to edit the following information: Name, Interface, IP Range/Subnet.
Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.
To allow the local users to access the server, you can use fixed port and IP pool to allow
more than one user connection while using virtual IP to translate the destination port from
8080 to 80.
To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.
Name: pool-1
Interface: DMZ
IP Range/Subnet: 10.1.3.1-10.1.3.254
Name: server-1
External Interface: Internal
Type: Static NAT
External IP Address/Range: 172.16.1.1. Note this address is the same as the server address.
Mapped IP Address/Range: 172.16.1.1
Port Forwarding: Enable
Protocol: TCP
External Service Port: 8080
Map to Port: 80
4 Select NAT.
5 Select OK.
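The IP pool behaviour described in the IP pools section (the three range syntaxes, the Scenario 2 wrap-around table, the fixed-port 5-tuple conflict) and the double NAT combination configured just above (pool-1 plus the port-translating VIP server-1), as one added Python example. It is not FortiOS code and not from the guide: the wrap-around reproduces the Scenario 2 table by counting hosts from an assumed base address 192.168.1.1, and the sample sessions, the destination 203.0.113.10, the conflict detector and all function names are constructed or assumed.

```python
"""IP pool source NAT: range syntax parsing, wrap-around when the pool is smaller
than the source set, fixed-port 5-tuple collisions, and the double-NAT combination
of an IP pool with a port-translating VIP.

Added example, not FortiOS code. The base address 192.168.1.1, the sample sessions
and the names used here are assumptions.
"""
import ipaddress
import re
from collections import Counter
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
FiveTuple = Tuple[str, str, int, str, int]  # proto, src ip, src port, dst ip, dst port

_BRACKET = re.compile(r"^(\d+\.\d+\.\d+\.)\[(\d+)-(\d+)\]$")


def parse_pool(spec: str) -> List[IPv4]:
    """Accept the guide's forms: a single address, x.x.x.x-x.x.x.x, or x.x.x.[x-x]."""
    m = _BRACKET.match(spec)
    if m:
        prefix, lo, hi = m.groups()
        first, last = prefix + lo, prefix + hi
    elif "-" in spec:
        first, last = spec.split("-", 1)
    else:
        first = last = spec
    a, b = IPv4(first), IPv4(last)
    if b < a:
        raise ValueError(f"pool end {last} precedes start {first}")
    return [IPv4(n) for n in range(int(a), int(b) + 1)]


def pool_translate(src_ip: str, pool: List[IPv4], base_src: str = "192.168.1.1") -> str:
    """Wrap-around: the i-th host counted from base_src gets pool[i mod pool size],
    so with ten pool addresses 192.168.1.2 and 192.168.1.12 share 172.16.30.11."""
    offset = int(IPv4(src_ip)) - int(IPv4(base_src))
    return str(pool[offset % len(pool)])


SAMPLE_SESSIONS: List[FiveTuple] = [  # constructed sample traffic
    ("TCP", "192.168.1.2", 40000, "203.0.113.10", 443),
    ("TCP", "192.168.1.12", 40000, "203.0.113.10", 443),  # wraps onto the same pool IP as .2
    ("TCP", "192.168.1.3", 40000, "203.0.113.10", 443),
]


def fixed_port_conflicts(sessions: List[FiveTuple], pool: List[IPv4]) -> List[FiveTuple]:
    """With fixed port the source port is preserved, so two sources that wrap onto
    the same pool address can produce identical translated 5-tuples. Return them."""
    translated = [(p, pool_translate(s, pool), sp, d, dp) for (p, s, sp, d, dp) in sessions]
    counts = Counter(translated)
    return sorted({t for t in translated if counts[t] > 1})


def double_nat(src_ip: str, src_port: int, dst_ip: str, dst_port: int, pool: List[IPv4],
               vip_ext_ip: str = "172.16.1.1", vip_ext_port: int = 8080,
               vip_map_port: int = 80) -> Optional[Tuple[str, int, str, int]]:
    """Double NAT from the Configuring IP Pools example: the VIP rewrites only the
    destination port (external and mapped IP are both the server), and the IP pool
    with fixed port replaces the source address while keeping the source port."""
    if dst_ip != vip_ext_ip or dst_port != vip_ext_port:
        return None  # the policy carrying this VIP does not match
    return (pool_translate(src_ip, pool), src_port, vip_ext_ip, vip_map_port)


if __name__ == "__main__":
    pool = parse_pool("172.16.30.[10-19]")
    for host in ("192.168.1.2", "192.168.1.10", "192.168.1.11", "192.168.1.12"):
        print(host, "->", pool_translate(host, pool))
    print("fixed-port collisions:", fixed_port_conflicts(SAMPLE_SESSIONS, pool))
    dmz_pool = parse_pool("10.1.3.1-10.1.3.254")
    print(double_nat("192.168.1.5", 51000, "172.16.1.1", 8080, dmz_pool))
```

The collision check is the practical takeaway of Scenario 2: when fixed port is enabled and the pool is smaller than the user population, two users can legitimately present the same translated 5-tuple to the destination, so either size the pool to the source set or leave fixed port off unless the application needs it.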
Figure: Transparent mode example topology. Internet; Router; FortiGate unit in Transparent mode with management IPs 10.1.1.99 and 192.168.1.99; Internal network 192.168.1.0/24; DMZ network 10.1.1.0/24.
Note: You can add the firewall policy from the web-based manager and then use the CLI to
enable NAT and add the IP Pool.
Figure: Virtual server topology. User on the Internet/Intranet; FortiGate unit (LAN/WAN); Real Server.
Create New Select to add virtual servers. For more information, see To create a
virtual server on page 391.
Name Name of the virtual server. This name is not the hostname for the
FortiGate unit.
Type The communication protocol used by the virtual server.
Comments Comments on the virtual server.
Virtual Server IP The IP address of the virtual server.
Virtual server Port The port number to which the virtual server communicates.
Load Balance Method Load balancing methods include:
Static: The traffic load is spread evenly across all servers, no
additional server is required.
Round Robin: Directs requests to the next server, and treats all
servers as equals regardless of response time or number of
connections. Dead servers or non-responsive servers are avoided. A
separate server is required.
Weighted: Servers with a higher weight value will receive a larger
percentage of connections. Set the server weight when adding a
server.
First Alive: Always directs requests to the first alive real server.
Least RTT: Directs requests to the server with the least round trip
time. The round trip time is determined by a Ping monitor and is
defaulted to 0 if no Ping monitors are defined.
Least Session: Directs requests to the server that has the least
number of current connections. This method works best in
environments where the servers or other equipment you are load
balancing have similar capabilities.
Health Check The health check monitor selected for this virtual server. For more
information, see Health Check on page 392.
Persistence Persistence is the process of ensuring that a user is connected to the
same server every time they make a request within the boundaries of a
single session.
Depending on the type of protocol selected for the virtual server, the
following persistence options are available:
None: No persistence option is selected.
HTTP Cookie: Persistence time is equal to the cookie age. Cookie
ages are set in CLI under config firewall vip.
SSL Session ID: Persistence time is equal to the SSL sessions. SSL
session states are set in CLI under config firewall vip.
Delete icon Remove the virtual server from the list. The Delete icon only appears if
the virtual server is not bound to a real server.
Edit icon Edit the virtual server to change any virtual server option including the
virtual server name.
Name: Enter the name for the virtual server. This name is not the hostname for the
FortiGate unit.
Type: Enter the communication protocol used by the virtual server.
Interface: Select the virtual server external interface from the list. The external interface is
connected to the source network and receives the packets to be forwarded to the
destination network.
Virtual Server IP: Enter the IP address of the virtual server.
Virtual server Port: The port number to which the virtual server communicates.
Load Balance Method: Select a load balancing method. For more information, see Load
Balance Method on page 390.
Persistence: Select a persistence for the virtual server. For more information, see
Persistence on page 390.
HTTP Multiplexing: Select to use the FortiGate unit's HTTP proxy to multiplex multiple client
connections destined for the web server into a few connections between the FortiGate unit
and the web server. This can improve performance by reducing server overhead
associated with establishing multiple connections. The server must be HTTP/1.1 compliant.
This option appears only if HTTP or HTTPS is selected for Type.
Note: Additional HTTP Multiplexing options are available in the CLI. For more information,
see the FortiGate CLI Reference.
Preserve Client IP: Select to preserve the IP address of the client in the X-Forwarded-For
HTTP header. This can be useful if you require logging on the server of the client's original
IP address. If this option is not selected, the header will contain the IP address of the
FortiGate unit.
This option appears only if HTTP or HTTPS is selected for Type, and is available only if
HTTP Multiplexing is selected.
SSL Offloading: Select to accelerate clients' SSL connections to the server by using the
FortiGate unit to perform SSL operations, then select which segments of the connection
will receive SSL offloading.
Client <-> FortiGate
Select to apply hardware accelerated SSL only to the part of the connection between the
client and the FortiGate unit. The segment between the FortiGate unit and the server will
use clear text communications. This results in best performance, but cannot be used in
failover configurations where the failover path does not have an SSL accelerator.
Client <-> FortiGate <-> Server
Select to apply hardware accelerated SSL to both parts of the connection: the segment
between client and the FortiGate unit, and the segment between the FortiGate unit and the
server. The segment between the FortiGate unit and the server will use encrypted
communications, but the handshakes will be abbreviated. This results in performance
which is less than the other option, but still improved over communications without SSL
acceleration, and can be used in failover configurations where the failover path does not
have an SSL accelerator. If the server is already configured to use SSL, this also enables
SSL acceleration without requiring changes to the server's configuration.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
SSL Offloading appears only if HTTPS or SSL is selected for Type, and only on FortiGate
models with hardware that supports SSL acceleration.
Note: Additional SSL Offloading options are available in the CLI. For more information, see
the FortiGate CLI Reference.
Certificate: Select the certificate to use with SSL Offloading. The certificate key size must
be 1024 or 2048 bits. 4096-bit keys are not supported.
This option appears only if HTTPS or SSL is selected for Type, and is available only if SSL
Offloading is selected.
Health Check: Select which health check monitor configuration will be used to determine a
server's connectivity status.
For information on configuring health check monitors, see Configuring health check
monitors on page 393.
Comments: Any comments or notes about this virtual server.
3 Select OK.
Create New Select to add real servers. For more information, see To create a real
server on page 393.
IP Address Select the blue arrow beside a virtual server name to view the IP
addresses of the real servers that are bound to it.
Port The port number on the destination network to which the external port
number is mapped.
Weight The weight value of the real server. The higher the weight value, the
higher the percentage of connections the server will handle.
Max Connection The limit on the number of active connections directed to a real server. If
the maximum number of connections is reached for the real server, the
FortiGate unit will automatically switch all further connection requests to
another server until the connection number drops below the specified
limit.
Delete icon Remove the real server from the list.
Edit icon Edit the real server to change any virtual server option.
Virtual Server Select the virtual server to which you want to bind this real server.
IP Enter the IP address of the real server.
Port Enter the port number on the destination network to which the external
port number is mapped.
Weight Enter the weight value of the real server. The higher the weight value,
the higher the percentage of connections the server will handle. A
range of 1-255 can be used. This option is available only if the
associated virtual server's load balance method is Weighted.
Max Connection Enter the limit on the number of active connections directed to a real
server. A range of 1-99999 can be used. If the maximum number of
connections is reached for the real server, the FortiGate unit will
automatically switch all further connection requests to another server
until the connection number drops below the specified limit.
3 Select OK.
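The load balance methods listed for a virtual server (Round Robin, Weighted, First Alive, Least RTT, Least Session), together with the real server Weight and Max Connection settings and the dead-server avoidance that the health check monitor provides, as an added Python scheduler. This is not FortiOS code and not from the guide: the guide names the methods and what they optimise for but not their internals, so the selection rules, the three-server set, its weights, RTT values and connection limit, and all class and function names are assumptions.

```python
"""Virtual server scheduling: the listed load balance methods applied to a set of
real servers, skipping servers that failed their health check and failing over
when a real server reaches its Max Connection limit.

Added example, not FortiOS code. Selection rules, the server set and all names
used here are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RealServer:
    ip: str
    port: int = 80
    weight: int = 1               # 1-255; only used by the Weighted method
    max_connections: int = 99999  # Max Connection: further requests go elsewhere
    alive: bool = True            # result of the health check monitor
    rtt_ms: float = 0.0           # from a Ping monitor; 0 when none is defined
    active_sessions: int = 0

    def available(self) -> bool:
        return self.alive and self.active_sessions < self.max_connections


class VirtualServer:
    METHODS = ("round_robin", "weighted", "first_alive", "least_rtt", "least_session")

    def __init__(self, method: str, servers: List[RealServer]) -> None:
        if method not in self.METHODS:
            raise ValueError(f"unknown load balance method {method}")
        self.method = method
        self.servers = servers
        self._rr = 0        # round robin position
        self._weighted = 0  # weighted round robin position

    def select(self) -> Optional[RealServer]:
        """Pick a real server for a new connection, or None if none is available."""
        candidates = [s for s in self.servers if s.available()]
        if not candidates:
            return None
        if self.method == "round_robin":
            chosen = candidates[0]
            for _ in range(len(self.servers)):  # step past dead or full servers
                s = self.servers[self._rr % len(self.servers)]
                self._rr += 1
                if s.available():
                    chosen = s
                    break
        elif self.method == "weighted":
            # each server appears `weight` times in the cycle -> proportional share
            cycle = [s for s in candidates for _ in range(s.weight)]
            chosen = cycle[self._weighted % len(cycle)]
            self._weighted += 1
        elif self.method == "first_alive":
            chosen = candidates[0]
        elif self.method == "least_rtt":
            chosen = min(candidates, key=lambda s: s.rtt_ms)
        else:  # least_session
            chosen = min(candidates, key=lambda s: s.active_sessions)
        chosen.active_sessions += 1
        return chosen


def make_servers() -> List[RealServer]:
    """Constructed real server set: one weighted 3, one dead, one capped at 2 sessions."""
    return [
        RealServer("10.10.10.42", weight=3, rtt_ms=5.0),
        RealServer("10.10.10.43", weight=1, rtt_ms=1.0, alive=False),
        RealServer("10.10.10.44", weight=1, rtt_ms=20.0, max_connections=2),
    ]


def simulate(method: str, connections: int) -> Dict[str, int]:
    """Count how many of `connections` new connections each real server receives."""
    vs = VirtualServer(method, make_servers())
    counts: Counter = Counter()
    for _ in range(connections):
        chosen = vs.select()
        if chosen is None:
            break
        counts[chosen.ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for m in VirtualServer.METHODS:
        print(f"{m:14} {simulate(m, 8)}")
```

Two effects worth noticing in the output: the dead server (lowest RTT, so Least RTT would otherwise prefer it) never receives traffic, and once 10.10.10.44 reaches its two-connection limit every method sends the remaining connections to 10.10.10.42, which is the Max Connection failover the real server table describes.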
Create New Select to add a health check monitor configuration. For more information, see
To create a health check monitor configuration on page 394.
Name The name of the health check monitor configuration. The names are grouped
by the health check monitor types.
Details The details of the health check monitor configuration, which vary by the type of
the health check monitor, and do not include the interval, timeout, or retry,
which are settings common to all types.
This field is empty if the type of the health check monitor is PING.
Delete Select to remove the health check monitor configuration. This option appears
only if the health check monitor configuration is not currently being used by a
virtual server configuration.
Edit Select to change the health check monitor configuration.
Timeout Enter the number of seconds which must pass after the server health check
to indicate a failed health check.
Retry Enter the number of times, if any, a failed health check will be retried before
the server is determined to be inaccessible.
3 Select OK.
Note: If the firewall policy requires authentication, do not select the protection profile in the
firewall policy. The protection profile is specific to the authenticating user group. For details
on configuring the protection profile associated with the user group, see Configuring a user
group on page 586.
application control
logging for traffic which violates the protection profile.
Strict: Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The strict protection profile may not be useful under normal circumstances, but it is available when maximum protection is required.
Scan: Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic. Quarantine is also selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate hard disk. If a FortiAnalyzer unit is configured, files are quarantined remotely. Quarantine permits system administrators to inspect, recover, or submit quarantined files to Fortinet for analysis.
Web: Apply virus scanning and web content blocking to HTTP traffic. Add this protection profile to firewall policies that control HTTP traffic.
Unfiltered: Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected.
Note: Content archiving is disabled by default with the unfiltered protection profile.
Figure 248: FortiGate SSL content scanning and inspection packet flow
(Figure callouts: Encrypted packets; Decrypted packets; Firewall packets; steps 1, 2 and 3 on the client and server sides)
While the SSL sessions are being set up, the client and server communicate in clear text
to exchange SSL session keys. The session keys are based on the client and server
certificates. The FortiGate SSL decrypt/encrypt process intercepts these keys and uses a
built-in signing CA certificate named Fortinet_CA_SSLProxy to create keys to send to the
client and the server. This signing CA certificate is used only by the SSL decrypt/encrypt
process. The SSL decrypt/encrypt process then sets up encrypted SSL sessions with the
client and server and uses these keys to decrypt the SSL traffic to apply content scanning
and inspection.
Some client programs (for example, web browsers) can detect this key replacement and
will display a security warning message. The traffic is still encrypted and secure, but the
security warning indicates that a key substitution has occurred.
You can stop these security warnings by importing the signing CA certificate used by the
server into the FortiGate unit SSL content scanning and inspection configuration. Then the
FortiGate unit creates keys that appear to come from the server and not the FortiGate unit.
Note: You can add one signing CA certificate for SSL content scanning and inspection. The
CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL
content scanning and encryption.
You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another
signing CA certificate. To do this you need the signing CA certificate file, the CA certificate
key file, and the CA certificate password.
All SSL content scanning and inspection uses the same signing CA certificate. If your
FortiGate unit is operating with virtual domains enabled, the same signing CA certificate is
used by all virtual domains.
Figure 249: Importing a signing CA certificate for SSL content scanning and inspection
7 Select OK.
The CA certificate is added to the Local Certificates list. In this example the signing CA
certificate name is Example_CA. This name comes from the certificate file and key file
name. If you want the certificate to have a different name, change these file names.
8 Add the imported signing CA certificate to the SSL content scanning and inspection
configuration. Use the following CLI command if the certificate name is Example_CA.
Predefined firewall services: The IMAPS, POP3S and SMTPS predefined services. You can select these services in a firewall policy and a DoS policy. For more information, see Table 43, Predefined services, on page 352.
Protocol Recognition: The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS, POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Protocol Recognition for HTTPS, IMAPS, POP3S, and SMTPS. Using protocol recognition you can also configure the FortiGate unit to just perform URL filtering of HTTPS, or to use SSL content scanning and inspection to decrypt HTTPS so that the FortiGate unit can also apply Antivirus and DLP content inspection and content archiving to HTTPS. Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filtering and FortiGuard Web Filtering options to HTTPS. For more information, see Protocol recognition options on page 405.
Antivirus: Antivirus options including virus scanning, file filtering, and client comforting for HTTPS, IMAPS, POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Anti-Virus for HTTPS, IMAPS, POP3S, and SMTPS. For more information, see Anti-Virus options on page 407.
Antivirus quarantine: Antivirus quarantine options to quarantine files in HTTPS, IMAPS, POP3S, and SMTPS sessions. Go to UTM > AntiVirus > Config. You can quarantine infected files, suspicious files, and blocked files found in IMAPS, POP3S, and SMTPS sessions. You can also quarantine infected files and suspicious files found in HTTPS sessions. For more information, see Configuring quarantine options on page 449.
Web Filtering: Web filtering options for HTTPS: Web Content Block, Web Content Exempt, Web URL Filter, ActiveX Filter, Cookie Filter, Java Applet Filter, Web Resume Download Block, Block invalid URLs, and HTTP POST Action. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Web Filtering for HTTPS. For more information, see Web Filtering options on page 411.
Displaying content meta-information on the system dashboard: Meta-information on the system dashboard for HTTPS, IMAPS, POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and open Data Leak Prevention Sensor. For Displaying content meta-information on the system dashboard select HTTPS, IMAPS, POP3S, and SMTPS as required. These options display meta-information on the Statistics dashboard widget. For more information, see Statistics on page 71.
Content archiving SPAM email: Content archiving of email tagged as spam by FortiGate Spam Filtering in IMAPS, POP3S, and SMTPS sessions. Content archiving SPAM email is available only if you have configured logging to a FortiAnalyzer unit or to the FortiGuard Analysis and Management Service. Go to Firewall > Protection Profile. Add or edit a protection profile and select the Expand Arrow to view Data Leak Prevention Sensor. For Archive SPAMed emails to FortiAnalyzer/FortiGuard, select IMAPS, POP3S, and SMTPS as required. For more information, see Data Leak Prevention Sensor options on page 419 and Content Archive on page 667.
To configure protocol recognition options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection profile. Then
select the Expand Arrow beside Protocol Recognition, enter the information as described
below, and select OK.
Figure 251: Protection profile Protocol Recognition options (SSL content scanning and inspection)
(Figure callouts: Edit Monitored Ports; Add or Remove Port Numbers)
Note: If your FortiGate unit supports SSL content scanning and inspection, you must set
HTTPS Content Filtering Mode to Deep Scan before you can configure additional HTTPS
content scanning protection profile options.
HTTPS Content Filtering Mode: If your FortiGate unit supports SSL content scanning and inspection, you can select the content filtering mode used for HTTPS traffic. The mode can be:
URL Filtering: This option limits HTTPS content filtering to URL filtering only. If you select this option the FortiGate unit does not perform SSL content scanning and inspection of HTTPS traffic. Instead the FortiGate unit just applies web filtering to HTTPS URLs. Also, if you select URL Filtering, you cannot select any Anti-Virus options for HTTPS. Under Web Filtering you can select only Web URL Filter and Block invalid URLs for HTTPS. Selecting URL Filtering also limits the FortiGuard Web Filtering options that you can select for HTTPS.
Deep Scan (Decryption on SSL Traffic): Select this option to apply full SSL content scanning and inspection of HTTPS traffic.
Protocol: The names of the content protocols that you can configure recognition for: HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, and FTP. If your FortiGate unit supports SSL content scanning and inspection the content protocols also include SMTPS, POP3S, and IMAPS.
Monitored Ports: The port numbers that the protection profile monitors for each content protocol. You can select multiple port numbers to monitor for each content protocol. For HTTP, SMTP, POP3, IMAP, NNTP, and FTP you can also select Inspect All Ports to monitor all ports for these content protocols. Monitoring all ports means the protection profile uses protocol recognition techniques to determine the protocol of a communication session independent of the port number that the session uses.
Edit icon: Select Edit for a content protocol to configure how the protection profile monitors traffic for that content protocol. Select one of the following options:
Inspect All Ports: Select to monitor all ports for the content protocol. This option is available for HTTP, SMTP, POP3, IMAP, NNTP, and FTP.
Specify Ports: Select this option and then enter the port numbers to monitor for the content protocol. You can specify up to 20 ports for each content protocol.
Anti-Virus options
You can apply antivirus options through a protection profile for the HTTP, SMTP, POP3,
IMAP, NNTP, and FTP content protocols.
If your FortiGate unit includes SSL content inspection and filtering, you can also apply
antivirus scanning options through a protection profile for HTTPS, IMAPS, POP3S, and
SMTPS content protocols. For more information, see SSL content scanning and
inspection on page 399.
Note: You cannot select Anti-Virus options for HTTPS if under protocol recognition HTTPS
Content Filtering Mode is set to URL Filtering. For more information, see Protocol
recognition options on page 405.
To configure antivirus options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Anti-Virus, enter the information as described below, and select
OK. For more antivirus configuration options, see AntiVirus on page 439.
Figure 254: Protection Profile Anti-Virus options (SSL content scanning and inspection)
Virus Scan: Select virus scanning for each protocol. Virus Scan includes grayware, as well as heuristic scanning. However, by default neither is enabled. To enable specific grayware, go to UTM > AntiVirus > Grayware. To enable heuristic scanning, see the config antivirus heuristic command in the FortiGate CLI Reference.
Note: When you enable virus scanning, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For details on splicing behavior for each protocol, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note.
Extended AV Database: Select to scan for viruses that have not been recently observed in the wild. In addition to the FortiGuard Antivirus wild list database, which contains viruses currently being detected in the wild, some FortiGate models are also equipped with an extended antivirus database that contains viruses not recently observed in the wild. This option appears only on some FortiGate models.
File Filter: Select to filter files, then under Option, specify a file filter, which can consist of file name patterns and file types. For more information, see File Filter on page 443.
Quarantine: Select for each protocol to quarantine suspect files for later inspection or submission to Fortinet for analysis. This option appears only if the FortiGate unit has a hard drive or a configured FortiAnalyzer unit, and will take effect only if you have first enabled and configured the quarantine. For more information, see File Quarantine on page 446.
Pass Fragmented Emails: Select to allow fragmented email for mail protocols (IMAP, POP3, and SMTP, as well as IMAPS, POP3S, and SMTPS if SSL content scanning and inspection is supported). Fragmented email messages cannot be scanned for viruses.
Comfort Clients: Select client comforting for the HTTP, FTP, and HTTPS protocols. See HTTP and FTP client comforting on page 410.
Interval: The time in seconds before client comforting starts sending data after the download has begun, and also the time interval between sending subsequent data.
Amount: The number of bytes sent at each interval.
Oversized File/Email: Select Block or Pass for files and email messages exceeding configured thresholds for each protocol. For email scanning, the oversize threshold refers to the final size of the email, including attachments, after encoding by the email client. Email clients can use a variety of encoding types; some result in larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
Threshold: If the file is larger than the threshold value in megabytes, the file is passed or blocked. The maximum threshold for scanning in memory is 10% of the FortiGate unit's RAM.
Allow Invalid Server Certificate: If your FortiGate unit supports SSL content scanning and inspection, you can allow HTTPS, IMAPS, POP3S, and SMTPS sessions that include an invalid server certificate. If these options are not selected, HTTPS, IMAPS, POP3S, and SMTPS sessions with invalid server certificates are blocked. Use this feature to validate server certificates.
Quarantine Virus Sender (to Banned Users List): Select Enabled to quarantine or ban either the IP address of the sender of the virus or the FortiGate interface that received the virus. The sender's IP address or the interface that received the virus is added to the banned users list. For more information about the banned user list, including how to manage the duration of items and how to remove them manually, see NAC quarantine and the Banned User list on page 595.
Method: If a virus is found, select the method used to quarantine the virus sender. You can select Source IP Address to add the sender's source IP address to the banned users list, or you can select Virus's Incoming Interface to add the interface that received the virus to the banned user list.
Expires: Select Indefinite to permanently quarantine virus senders. Only a FortiGate administrator can remove them from the banned users list. Or, configure how long the virus sender remains on the banned user list in minutes, hours, or days. A FortiGate administrator can manually remove a virus sender from the banned user list before the expiry time.
Add signature to outgoing emails: Create and enable a signature to append to outgoing SMTP email messages. The signature will also be appended to outgoing SMTPS email messages if your FortiGate unit supports SSL content scanning and inspection.
Caution: Client comforting can send unscanned and therefore potentially infected content
to the client. You should only enable client comforting if you are prepared to accept this risk.
Keeping the client comforting interval high and the amount low will reduce the amount of
potentially infected data that is downloaded.
IPS options
You can use the IPS options in a protection profile to enable IPS for the protection profile
and add an IPS sensor. To add an IPS sensor, go to Firewall > Protection Profile. Select
Create New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside IPS, select the check box to enable IPS,
select an IPS Sensor, and select OK.
For more information on IPS, see Intrusion Protection on page 455.
Note: Protection profile web filtering also includes FortiGuard Web Filtering. For
information about FortiGuard Web Filtering, see FortiGuard Web Filtering options on
page 413.
You can configure web filtering for HTTP and HTTPS traffic. If your FortiGate unit supports
SSL content scanning and inspection and if you have set HTTPS Content Filtering Mode
in the Protocol Recognition part of this protection profile to Deep Scan, you can select the
same web filtering options for HTTPS and HTTP. For more information, see SSL content
scanning and inspection on page 399 and Protocol recognition options on page 405.
Filters defined in the web filtering settings are turned on through a protection profile. To
configure web filtering options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Web Filtering, enter the information as described below, and
select OK.
Note: If your FortiGate unit does not support SSL content scanning and inspection, or if you
have set HTTPS Content Filtering Mode to URL Filtering, you can only select URL filtering
and blocking invalid URLs for HTTPS.
Figure 257: Protection Profile Web Filtering options (SSL content scanning and inspection)
Web Content Block: Select to block HTTP and HTTPS web pages based on matching the content of the web page with the words or patterns in the selected web content block list. For more information, see Web content block on page 478.
Web content block list: Select the web content block list to add to the protection profile. For more information, see Creating a new web content block list on page 479.
Threshold: Enter a web content block threshold. Each entry in the web content block list added to the protection profile includes a score. When a web page is matched with an entry in the content block list, the score is recorded. If a web page matches more than one entry, the score for the web page increases. When the total score for a web page equals or exceeds the threshold, the page is blocked. The default score for a content block list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages are blocked only if there are multiple matches.
Web Content Exempt: Select to exempt HTTP and HTTPS web pages from web filtering and virus scanning based on matching the content of the web page with the words or patterns in the selected web content exempt list. For more information, see Web content block on page 478.
Web content exempt list: Select the web content exempt list to add to the protection profile. For more information, see Creating a new web content exempt list on page 482.
Web URL Filter: Select to block HTTP and HTTPS web pages based on matching the URL of the web page with a URL in the selected URL filter list. For more information, see URL filter on page 483.
Web URL filter list: Select the URL filter list to add to this protection profile. For more information, see Creating a new URL filter list on page 484.
For more information, see SSL content scanning and inspection on page 399 and
Protocol recognition options on page 405.
To configure FortiGuard Web Filtering options, go to Firewall > Protection Profile. Select
Create New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside Web Filtering and scroll down to FortiGuard
Web Filtering. Enter the information as described below, and select OK.
Figure 259: Protection Profile FortiGuard Web Filtering options (SSL content scanning and
inspection)
Enable FortiGuard Web Filtering: Select to enable FortiGuard Web Filtering for this protection profile.
Enable FortiGuard Web Filtering Overrides: Select to enable category overrides. For more information, see Viewing the override list on page 488 and Configuring administrative override rules on page 489.
Provide details for blocked HTTP 4xx and 5xx errors: Display a replacement message for 400 and 500-series HTTP errors. If the error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.
Rate images by URL (blocked images will be replaced with blanks): Block images that have been rated by FortiGuard. Blocked images are replaced on the originating web pages with blanks. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.
Allow websites when a rating error occurs: Allow web pages that return a rating error from the web filtering service.
Strict Blocking: This option is enabled by default. Strict Blocking only has an effect when either a URL fits into a protection profile category and classification or Rate URLs by domain and IP address is enabled. With Rate URLs by domain and IP address enabled, all URLs have two categories and up to two classifications (one set for the domain and one set for the IP address). All URLs belong to at least one category (including the Unrated category) and may also belong to a classification.
If you enable Strict Blocking, a site is blocked if it is in at least one blocked category or classification, and allowed only if all categories or classifications it falls under are allowed.
If you do not enable Strict Blocking, a site is allowed if it belongs to at least one allowed category or classification, and blocked only if all categories or classifications it falls under are blocked.
For example, suppose that a protection profile blocks Search Engines but allows Image Search, and that the URL images.example.com falls into the General Interest / Search Engines category and the Image Search classification. With Strict Blocking enabled, this URL is blocked because it belongs to the Search Engines category, which is blocked. With Strict Blocking disabled, the URL is allowed because it is classified as Image Search, which the profile allows. It would be blocked only if both the Search Engines category and the Image Search classification were blocked.
Rate URLs by domain and IP address: Select to send both the URL and the IP address of the requested site for checking, and thus provide additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur.
Block HTTP redirects by rating: Enable to block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect. Not supported for HTTPS.
Category: FortiGuard Web Filtering provides many content categories for filtering web traffic. Categories reflect the subject matter of the content. For each category, select to Allow or Block and, if the category is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the category.
Classification: In addition to content categories, FortiGuard Web Filtering provides functional classifications that block whole classes of web sites based upon their functionality, media type, or source, rather than the web site's subject matter. Using classifications, you can block web sites that host cached content or that facilitate image, audio, or video searches, or web sites from spam URLs. Classification is in addition to, and can be configured separately from, the category. For each class, select to Allow or Block and, if the class is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the class.
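The Strict Blocking rule above is easy to misread when a URL carries several ratings at once (which is exactly what Rate URLs by domain and IP address produces). The following Python model of the decision is an added example, not code from this guide or from Fortinet: the Profile and Rating structures, the "block"/"allow" verdict values, the treatment of an unconfigured category as allowed, and the category and classification names in the sample data are all assumptions made for illustration. It reproduces the guide's images.example.com scenario and adds a domain-plus-IP rating to show why non-strict mode lets a site through when only its IP rating is blocked.

```python
"""Strict Blocking decision logic for FortiGuard Web Filtering (added example).

Not code from the FortiGate guide or from Fortinet. Data structures, verdict
strings and the sample category/classification names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BLOCK, ALLOW = "block", "allow"


@dataclass
class Profile:
    # Verdict configured per category and per classification in the profile.
    categories: Dict[str, str]
    classifications: Dict[str, str]
    strict_blocking: bool = True


@dataclass
class Rating:
    # With "Rate URLs by domain and IP address" a URL carries two categories
    # (one for the domain, one for the IP) and up to two classifications.
    categories: List[str]
    classifications: List[str] = field(default_factory=list)


def decide(profile: Profile, rating: Rating) -> Tuple[str, List[str]]:
    """Return the verdict for a rated URL and the names that drove a block.

    Assumption: a category or classification the profile does not configure
    (for example, Unrated) is treated as allowed.
    """
    blocked = [c for c in rating.categories
               if profile.categories.get(c, ALLOW) == BLOCK]
    blocked += [c for c in rating.classifications
                if profile.classifications.get(c, ALLOW) == BLOCK]
    total = len(rating.categories) + len(rating.classifications)
    if profile.strict_blocking:
        # Strict: blocked if at least one rating is blocked; allowed only if
        # every category and classification the URL falls under is allowed.
        return (BLOCK, blocked) if blocked else (ALLOW, [])
    # Not strict: allowed if at least one rating is allowed; blocked only if
    # every category and classification the URL falls under is blocked.
    if blocked and len(blocked) == total:
        return BLOCK, blocked
    return ALLOW, []


# Constructed sample profile: the guide's scenario (Search Engines blocked,
# Image Search allowed) plus a blocked Spam URL classification.
PROFILE = Profile(
    categories={"General Interest / Search Engines": BLOCK, "Unrated": ALLOW},
    classifications={"Image Search": ALLOW, "Spam URL": BLOCK},
)

# Constructed rating for images.example.com: one category, one classification.
IMAGES_RATING = Rating(categories=["General Interest / Search Engines"],
                       classifications=["Image Search"])

# Constructed rating with domain and IP both rated: the domain lands in an
# allowed category, the IP address is classified as a spam URL.
DUAL_RATING = Rating(categories=["Business", "Unrated"],
                     classifications=["Spam URL"])


def verdict(rating: Rating, strict: bool) -> str:
    """Evaluate a rating against PROFILE with Strict Blocking on or off."""
    p = Profile(PROFILE.categories, PROFILE.classifications, strict_blocking=strict)
    return decide(p, rating)[0]


if __name__ == "__main__":
    for name, r in (("images.example.com", IMAGES_RATING), ("dual-rated", DUAL_RATING)):
        print(name, "strict:", verdict(r, True), "non-strict:", verdict(r, False))
```

The second sample is the practical point: with Rate URLs by domain and IP address enabled, a site whose IP address is rated as a spam URL is only stopped when Strict Blocking is on, because in non-strict mode the allowed domain rating wins.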
extract any URL links. These URL links are sent to a FortiGuard Antispam server to
determine if any are listed. Spam messages often contain URL links to advertisements
(also called spamvertizing). If a URL match is found, FortiGuard Antispam terminates the
session. If FortiGuard Antispam does not find a match, the email server sends the email to
the recipient. The email checksum filter calculates the checksum of an email message and
sends this checksum to the FortiGuard servers to determine if the checksum is in the
blacklist. The FortiGate unit then passes or marks/blocks the email message according to
the server response.
To configure spam filtering options, go to Firewall > Protection Profile. Select Create New
to add a protection profile, or the Edit icon beside an existing protection profile. Then
select the Expand Arrow beside Spam Filtering, enter the information as described below,
and select OK.
You can configure spam filtering for IMAP, POP3, and SMTP email. If your FortiGate unit
supports SSL content scanning and inspection you can also configure spam filtering for
IMAPS, POP3S, and SMTPS email. For information about SSL content scanning and
inspection, see SSL content scanning and inspection on page 399.
For more information about this service, see FortiGuard Antispam service on page 265
and Configuring the FortiGate unit for FDN and FortiGuard subscription services on
page 266.
For more spam filter configuration options, see Antispam on page 495.
Note: Some popular email clients cannot filter messages based on the MIME header. For
these clients, select to tag email message subject lines instead.
Figure 261: Protection Profile Spam Filtering options (SSL content scanning and inspection)
FortiGuard AntiSpam: Select one or more check boxes to enable protocols (IMAP, POP3, SMTP), then apply the options that you need. If your FortiGate unit supports SSL content scanning and inspection you can also enable FortiGuard Antispam for IMAPS, POP3S, and SMTPS.
IP address check: Select to enable the FortiGuard AntiSpam filtering IP address blacklist.
URL check: Select to enable the FortiGuard AntiSpam spam filtering URL blacklist.
E-mail checksum check: Select to enable the FortiGuard Antispam email message checksum blacklist.
Spam submission: Select to add a spam submission message and a link to the message body of all email messages marked as spam by FortiGuard Antispam. If the receiver considers that the email message is not spam, he or she can use the link in the message to inform FortiGuard Antispam. You can change the content of this message by going to System > Config > Replacement Messages and customizing the Spam > Spam submission message. For more information, see Spam replacement messages on page 200.
IP address BWL check: Select to compare the IP address of email message senders to the selected IP address black/white list and, if a match is found, to take the action configured in the list for the IP address. For more information, see IP address and email address black/white lists on page 501.
IP address BWL check list: Select the IP address black/white list to add to the protection profile. For more information, see Creating a new antispam IP address list on page 501.
HELO DNS lookup: Select to look up the source domain name (from the SMTP HELO command) for SMTP email messages.
E-mail address BWL check: Select to compare the email address of message senders to the selected email address black/white list and, if a match is found, to take the action configured in the list for the email address. For more information, see IP address and email address black/white lists on page 501.
E-mail address BWL list: Select the email address black/white list to add to the protection profile. For more information, see Creating a new antispam email address list on page 504.
Return e-mail DNS check: Select to enable checking that the domain specified in the reply-to or from address has an A or MX record.
Banned word check: Select to block email messages based on matching the content of the message with the words or patterns in the selected spam filter banned word list. For more information, see Banned word on page 498.
Banned word list: Select the banned word list to add to the protection profile. For more information, see Creating a new banned word list on page 499.
Threshold: Enter a spam filter banned word block threshold. Each entry in the banned word list added to the protection profile includes a score. When an email message is matched with an entry in the banned word list, the score is recorded. If an email message matches more than one entry, the score for the email message increases. When the total score for an email message equals or exceeds the threshold, the message is tagged as spam. The default score for a banned word list entry is 10 and the default threshold is 10. This means that by default an email message is tagged as spam by a single match. You can change the scores and threshold so that email messages are tagged as spam only if there are multiple matches.
Spam Action: Select to either tag or discard email that the FortiGate unit determines to be spam. Tagging adds the text in the Tag Format field to the subject line or header of email identified as spam.
Note: When you enable virus scanning for SMTP and SMTPS in the Anti-virus section of the protection profile, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For details on splicing behavior for SMTP, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note.
When virus scanning is enabled for SMTP the FortiGate unit can only discard spam email if a virus is detected. Discarding immediately drops the connection. If virus scanning is not enabled, you can choose to either tag or discard SMTP spam.
Tag Location: Select to add the tag to the subject or MIME header of email identified as spam. If you select to add the tag to the subject line, the FortiGate unit converts the entire subject line, including the tag, to UTF-8 format. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on preventing conversion of the subject line to UTF-8, see the System Settings chapter of the FortiGate CLI Reference. To add the tag to the MIME header, you must enable spamhdrcheck in the CLI for each protocol (IMAP, SMTP, and POP3). For more information see profile in the FortiGate CLI Reference.
Tag Format: Enter a word or phrase with which to tag email identified as spam. When typing a tag, use the same language as the FortiGate unit's current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see Settings on page 228. Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
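The score-and-threshold mechanism is the same for the web content block list (Web Filtering options) and the spam filter banned word list above: each matching entry contributes its score, and the total is compared with the profile threshold. The following Python model is an added example, not code from this guide or from Fortinet. It assumes case-insensitive whole-word matching for plain entries, regular-expression matching for pattern entries, and that an entry counts once per page or message however many times its word occurs; the entry layout, the sample list and the sample messages are constructed for illustration.

```python
"""Score/threshold matching for content block and banned word lists (added
example). Not code from the FortiGate guide or from Fortinet; matching rules,
the Entry layout and all sample data are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_SCORE = 10       # default score of a list entry, per the guide
DEFAULT_THRESHOLD = 10   # default threshold, per the guide


@dataclass(frozen=True)
class Entry:
    pattern: str
    score: int = DEFAULT_SCORE
    regex: bool = False   # False: whole-word match; True: regular expression


def score_content(text: str, entries: List[Entry]) -> Tuple[int, List[str]]:
    """Sum the scores of every list entry that matches the text.

    Assumption: an entry contributes its score once per page or message,
    no matter how many times its word appears.
    """
    total, matched = 0, []
    for e in entries:
        pat = e.pattern if e.regex else r"\b" + re.escape(e.pattern) + r"\b"
        if re.search(pat, text, re.IGNORECASE):
            total += e.score
            matched.append(e.pattern)
    return total, matched


def is_over_threshold(text: str, entries: List[Entry],
                      threshold: int = DEFAULT_THRESHOLD) -> bool:
    """True when the page would be blocked or the message tagged as spam."""
    return score_content(text, entries)[0] >= threshold


# Constructed sample banned word list: two plain words and one pattern entry.
SAMPLE_LIST = [Entry("pills"), Entry("cheap"), Entry(r"free\s+money", regex=True)]

# Constructed sample messages.
SPAMMY = "Buy CHEAP pills today, no prescription needed"       # two matches
BORDERLINE = "Our pharmacy now stocks the pills you ordered"   # one match
CLEAN = "Your order has shipped and will arrive on Monday"     # no match


def demo() -> dict:
    """Compare the default threshold with a raised one requiring two matches."""
    messages = (SPAMMY, BORDERLINE, CLEAN)
    return {
        "default": [is_over_threshold(m, SAMPLE_LIST) for m in messages],
        "raised": [is_over_threshold(m, SAMPLE_LIST, threshold=20) for m in messages],
    }


if __name__ == "__main__":
    for m in (SPAMMY, BORDERLINE, CLEAN):
        print(score_content(m, SAMPLE_LIST), m)
    print(demo())
```

With the defaults (score 10, threshold 10) a single matching entry is enough, so both the spammy and the borderline message are tagged; raising the threshold to 20 while leaving the scores at 10 means only the message that hits two entries is tagged, which is the tuning the guide describes.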
Figure 263: Data Leak Prevention Sensor options (SSL content scanning inspection and
FortiAnalyzer unit configured)
Data Leak Prevention Sensor: Select the check box and then specify the DLP sensor to add to the protection profile. For more information, see Adding and configuring a DLP sensor on page 512.
Display content meta-information on the system dashboard: For each protocol, select whether or not to display the content summary in the Dashboard Statistics widget. You can select HTTP, FTP, IMAP, POP3, and SMTP. If your FortiGate unit supports SSL content scanning and inspection you can also select HTTPS, IMAPS, POP3S, and SMTPS. For more information about the statistics widget, see Statistics on page 71.
Archive SPAMed emails to FortiAnalyzer/FortiGuard: For each email protocol, select to content archive email messages identified as spam by the FortiGate spam filtering or by FortiGuard Antispam. You must configure the FortiGate unit to log to a FortiAnalyzer unit to configure this option. For information about content archiving spam, see Configuring spam email message content archiving on page 668.
Application Control List: Select the check box and then specify the application control list to add to the protection profile. For more information, see Creating a new application control list on page 524.
Logging options
You can enable logging options in a protection profile to write event log messages when
the options that you have enabled in this protection profile perform an action. For
example, if you enable antivirus protection you could also enable the antivirus protection
profile logging options to write an event log message every time a virus is detected by this
protection profile.
For more information about enabling and configuring event logs, see Event log on
page 659.
To configure Logging options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Logging, enter the information as described below, and select
OK.
Traffic Shaping
Traffic shaping, once included in a firewall policy, controls the bandwidth available to, and
sets the priority of the traffic processed by, the policy. Traffic shaping makes it possible to
control which policies have the highest priority when large amounts of data are moving
through the FortiGate unit. For example, the policy for the corporate web server might be
given higher priority than the policies for most employees' computers. An employee who
needs extra high speed Internet access could have a special outgoing policy set up with
higher bandwidth.
Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or SSL-
VPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and
ESP.
Guaranteed and maximum bandwidth in combination with queuing ensures minimum and
maximum bandwidth is available for traffic.
Traffic shaping cannot increase the total amount of bandwidth available, but you can use it
to improve the quality of bandwidth-intensive and sensitive traffic.
For more information about firewall policy, see Firewall Policy on page 319.
Note: For more information about traffic shaping you can also see the FortiGate Traffic
Shaping Technical Note.
However, bandwidth availability is not shared between multiple instances of using the
same service if these multiple instances are controlled by different policies. For example,
you can create one FTP policy to limit the amount of bandwidth available for FTP for one
network address and create another FTP policy with a different bandwidth availability for
another network address.
Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy
does not allow any traffic.
Traffic priority
When adding a traffic shaper, you can set traffic priority to manage the relative priorities of
different types of traffic. Important and latency-sensitive traffic should be assigned a high
priority. Less important and less sensitive traffic should be assigned a low priority.
The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is
not needed for high-priority connections.
For example, you can add policies to guarantee bandwidth for voice and e-commerce
traffic. Then you can assign a high priority to the policy that controls voice traffic and a
medium priority to the policy that controls e-commerce traffic. During a busy time, if both
voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic
will be transmitted before the e-commerce traffic.
To ensure that traffic shaping is working at its best, make sure that the interface ethernet
statistics show no errors, collisions or buffer overruns. If any of these problems do appear,
then FortiGate and switch settings may require adjusting. For more information, see the
FortiGate Traffic Shaping Technical Note.
Create New Add a traffic shaper. For more information, see To create a traffic shaper on
page 425.
Name The name of a traffic shaper.
Delete icon Select to remove a traffic shaper.
Edit icon Select to modify a traffic shaper.
Maximum Bandwidth Select to limit bandwidth in order to keep less important services from
using bandwidth needed for more important ones.
Traffic Priority Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit
manages the relative priorities of different types of traffic. For example, a policy
for connecting to a secure web server needed to support e-commerce traffic
should be assigned a high traffic priority. Less important services should be
assigned a low priority. The firewall provides bandwidth to low-priority
connections only when bandwidth is not needed for high-priority connections.
Be sure to enable traffic shaping on all firewall policies. If you do not apply any
traffic shaping rule to a policy, the policy is set to high priority by default.
Distribute firewall policies over all three priority queues.
3 Select OK.
SIP support
The Session Initiation Protocol (SIP) is a signaling protocol used for establishing and
conducting multiuser calls over TCP/IP networks using any media. Due to the complexity
of the call setup, not every firewall can handle SIP calls correctly, even if the firewall is
stateful. The FortiGate unit has a pre-defined SIP firewall service that tracks and scans
SIP calls and makes adjustments, to both the firewall state and call data, to ensure a
seamless call is established through the FortiGate unit regardless of its operation mode,
NAT, route, or transparent.
You can use protection profiles to control the SIP protocol and SIP call activity.
A statistical summary of SIP protocol activity is also available for managing SIP use.
This section includes some information about VoIP and SIP. It also describes how FortiOS
SIP support works and how to configure the key SIP features. For more configuration
information, see the FortiGate CLI Reference.
The FortiGate unit supports the following SIP features:
stateful SIP tracking
RTP Pinholing
request control
rate limiting
event logging
communication archiving
NAT IP preservation
client connection control
register response acceptance
Application Layer Gateway (ALG) control
SIP stateful HA
This section describes:
VoIP and SIP
The FortiGate unit and VoIP security
How SIP support works
Configuring SIP
In proxy mode (shown in Figure 270), SIP clients send requests to the proxy server. The
proxy server either handles the requests or forwards them to other SIP servers. Proxy
servers can insulate and hide SIP users by proxying the signaling messages. To the other
users on the VoIP network, the signaling invitations look as if they come from the SIP
proxy server.
Figure 270: SIP proxy mode (final step shown in the figure: Client B is notified of the
incoming call by the proxy server and the phone rings; the RTP session then runs between
the clients over the IP network)
When the SIP server operates in redirect mode (shown in Figure 271), the SIP client
sends its signaling request to a SIP server, which then looks up the destination address.
The SIP server returns the destination address to the originator of the call, who uses it to
signal the destination SIP client.
Figure 271: SIP redirect mode (final step shown in the figure: Client B is notified of the
incoming call by the redirect server and the phone rings; the RTP session then runs between
the clients over the IP network)
SIP NAT
The FortiGate unit supports network address translation (NAT) of SIP because the
FortiGate ALG can modify the SIP headers correctly.
This section uses scenarios to explain the FortiGate SIP NAT support.
Figures 272 and 273: SIP NAT scenarios (addresses shown in the figures: 10.72.0.57 and the
VIP 10.72.0.60 behind the FortiGate unit, 217.233.122.132 on the Internet side)
In the scenario, shown in Figure 273, the SIP phone connects to a VIP (10.72.0.60). The
FortiGate SIP ALG translates the SIP contact header to 217.10.79.9. The FortiGate ALG
will open the Real-time Transport Protocol (RTP) pinholes and manage NAT.
The FortiGate unit also supports a variation of this scenario: the RTP server hides its real
address.
Figure 274: SIP phone connecting through a single public VIP (217.233.90.60 on the Internet
side) to the SIP server and RTP server (10.0.0.60)
In this scenario, shown in Figure 274, a SIP phone connects to the Internet. The VoIP
service provider only publishes a single public IP (a VIP). The SIP phone connects to the
FortiGate unit (217.233.90.60) and the FortiGate unit then translates the SIP contact
header to the SIP server (10.0.0.60). The SIP server changes the SIP/SDP connection
information (which tells the SIP phone which RTP IP it should contact) also to
217.233.90.60.
Figure 275: Different source and destination NAT for SIP and RTP
(Addresses in the figure: RTP servers 192.168.0.21 - 192.168.0.23 and SIP server 10.0.0.60
behind the FortiGate unit; VIPs on the Internet side SIP: 217.233.90.60, RTP-1: 217.233.90.65,
RTP-2: 217.233.90.70; media gateway 219.29.81.10 and SIP phone 219.29.81.20.)
In this scenario, shown in Figure 275, assume there is a SIP server and a separate media
gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect
to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to
217.233.90.65.
What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact
header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2 The SIP server carries out RTP to 217.233.90.65.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4 RTP is sent to the RTP-VIP (217.233.90.65.) The FortiGate ALG translates the SIP
contact header to 192.168.0.21.
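The header translation and pinhole behaviour of steps 1 to 4 above, as an added example that is not code from the guide or from FortiOS: the addresses are those of Figure 275, while the SIP messages, the SipAlg class and its methods are constructed for illustration. Port translation, Via and Record-Route handling, and pinhole teardown on BYE are not modelled.

```python
"""Added example, not code from the FortiGate guide: a small model of the
SIP ALG behaviour in the Figure 275 scenario. The addresses are the
figure's; the message text, class and function names are constructed."""
import re
from typing import Dict, Set, Tuple

# Public VIP -> internal host, from Figure 275.
SIP_VIP = {"217.233.90.60": "10.0.0.60"}
RTP_VIP = {"217.233.90.65": "192.168.0.21"}
# Reverse map, used when the server's reply leaves the protected network.
TO_PUBLIC = {v: k for k, v in {**SIP_VIP, **RTP_VIP}.items()}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed INVITE as it arrives from the SIP phone on the Internet side.
SAMPLE_INVITE = (
    "INVITE sip:bob@217.233.90.60 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 219.29.81.20:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@219.29.81.20>;tag=1\r\n"
    "To: <sip:bob@217.233.90.60>\r\n"
    "Contact: <sip:alice@219.29.81.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 219.29.81.20\r\n"
    "c=IN IP4 219.29.81.10\r\n"  # the caller's media gateway
    "m=audio 49170 RTP/AVP 0\r\n"
)

# Constructed 200 OK as the internal SIP server emits it (internal addresses).
SAMPLE_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 219.29.81.20:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:alice@219.29.81.20>;tag=1\r\n"
    "To: <sip:bob@10.0.0.60>;tag=2\r\n"
    "Contact: <sip:bob@10.0.0.60:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=bob 2 2 IN IP4 10.0.0.60\r\n"
    "c=IN IP4 192.168.0.21\r\n"  # the internal RTP server
    "m=audio 20000 RTP/AVP 0\r\n"
)


def rewrite_addresses(message: str, mapping: Dict[str, str]) -> str:
    """Rewrite every IPv4 address in the SIP headers and SDP body that has an
    entry in `mapping`; other addresses are left as they are."""
    return IPV4.sub(lambda m: mapping.get(m.group(0), m.group(0)), message)


def parse_sdp_media(message: str) -> Tuple[str, int]:
    """(connection address, audio port) from the SDP c= and m=audio lines."""
    conn = re.search(r"^c=IN IP4 (\S+)", message, re.M)
    media = re.search(r"^m=audio (\d+) ", message, re.M)
    if conn is None or media is None:
        raise ValueError("SDP has no c= or m=audio line; no pinhole can be opened")
    return conn.group(1), int(media.group(1))


class SipAlg:
    """Tracks one call: header translation plus the RTP pinhole it opens."""

    def __init__(self) -> None:
        self.caller_media: Tuple[str, int] = ("", 0)
        self.pinholes: Set[Tuple[str, str, int]] = set()  # (src, dst VIP, port)

    def inbound_request(self, invite: str) -> str:
        """INVITE from the Internet: translate the SIP VIP to the server
        (219.29.81.20 > 217.233.90.60 > 10.0.0.60) and remember where the
        caller's media will come from."""
        self.caller_media = parse_sdp_media(invite)
        return rewrite_addresses(invite, SIP_VIP)

    def outbound_response(self, ok: str) -> str:
        """200 OK leaving the server: publish the VIPs instead of internal
        hosts and open a pinhole for the caller's RTP to the RTP VIP."""
        internal_ip, port = parse_sdp_media(ok)
        if internal_ip not in TO_PUBLIC or not self.caller_media[0]:
            raise ValueError("no VIP for the media address or no pending INVITE")
        self.pinholes.add((self.caller_media[0], TO_PUBLIC[internal_ip], port))
        return rewrite_addresses(ok, TO_PUBLIC)

    def rtp_allowed(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Only UDP matching an open pinhole is forwarded (and then translated
        to the RTP server); all other inbound media is dropped."""
        return (src_ip, dst_ip, dst_port) in self.pinholes
```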
You need to configure the FortiOS SIP support in the following order:
1 Create a firewall protection profile that enables SIP (see Enabling SIP support and
setting rate limiting from the web-based manager on page 432).
Once the profile is included in a policy, the ALG will parse the SIP traffic and open the
RTP ports for each specific VoIP call.
When creating a protection profile, you configure SIP features using the web-based
manager and CLI. You then apply the profile to a firewall policy. You can apply a profile
to multiple policies.
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile.
Specifically, select the SIP or Any pre-defined service for the policy.
When the FortiGate unit receives a SIP packet, it checks the packet against the firewall
policies. If the packet matches a policy, the FortiGate firewall inspects and processes
the packet according to the SIP profile applied to the policy.
For more information about firewall policies, see Firewall Policy on page 319.
3 Configure advanced SIP features as required (see Configuring SIP on page 432).
Configuring SIP
You can enable SIP support, set two rate limits, enable SIP logging, and view SIP
statistics using the web-based manager. You need to configure most features, however,
through the CLI.
Enabling SIP support and setting rate limiting from the web-based manager
To enable SIP support you need to:
enable SIP in an application control list
select this application control list in a protection profile
add this protection profile to a firewall policy that accepts SIP traffic.
From the web-based manager, you can also configure some SIP rate limiting settings.
Rate limiting for SIP also limits SIMPLE traffic. SIP rate limiting is useful for protecting a
SIP server within a company. Most SIP servers do not have integrated controls and it is
very easy to flood SIP servers with INVITE or REGISTER requests.
To enable SIP and set rate limiting from the web-based manager
1 Go to UTM > Application Control.
2 If you want to enable SIP for an existing application control list, select the Edit icon for
an application control list. Otherwise, select Create New to add a new application list.
3 Then, select Create New in the application list to add a new application to the
application control list.
4 Set Application to SIP.
5 Select OK.
6 Make sure the application control list is selected in a protection profile and that the
protection profile is added to a firewall policy.
For more information about application control, see Application Control on page 523.
From the CLI you can configure additional SIP, SCCP, as well as SIMPLE extensions. For
more information, see the description of the config sip, config sccp, and config
simple subcommands of the application command in the FortiGate CLI Reference.
You can also block SIMPLE sessions by enabling block login for the SIMPLE application.
For more information, see Application Control on page 523.
Preserving NAT IP
In NAT operation mode, you can preserve the original source IP address in the SDP i line.
This allows the SIP server to parse this IP for billing purposes.
From the CLI, type the following commands:
config application list
    edit <list_name>
        config entries
            edit 12
                set nat-trace enable
        end
end
In addition, you can overwrite or append the SDP i line:
config application list
    edit <list_name>
        config entries
            edit 12
                set preserve-override {enable | disable}
        end
end
where selecting enable removes the original source IP address from the SDP i line and
disable appends the address.
The contact-fixup option is set on the same application list entry:
config application list
    edit <list_name>
        config entries
            edit 12
                set contact-fixup {enable | disable}
        end
end
AntiVirus
This section describes how to configure the antivirus options associated with firewall
protection profiles. From a protection profile you can configure the FortiGate unit to apply
antivirus protection to HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP sessions. If your
FortiGate unit supports SSL content scanning and inspection you can also configure
antivirus protection for HTTPS, IMAPS, POP3S, and SMTPS sessions. For more
information, see SSL content scanning and inspection on page 399.
If you enable virtual domains (VDOMs) on the FortiGate unit, most antivirus options are
configured separately for each virtual domain. However, the file quarantine, the virus list
and the grayware list are part of the global configuration. Only administrators with global
access can configure and manage the file quarantine, view the virus list, and configure the
grayware list. For details, see Using virtual domains on page 103.
This section describes:
Order of operations
Antivirus tasks
Antivirus settings and controls
File Filter
File Quarantine
Viewing the virus database information
Viewing and configuring the grayware list
Antivirus CLI configuration
Order of operations
Antivirus scanning function includes various modules and engines that perform separate
tasks. The FortiGate unit performs antivirus processing in the following order:
File size
File pattern
File type
Virus scan
Grayware
Heuristics
If a file fails any of the tasks of the antivirus scan, no further scans are performed. For
example, if the file fakefile.EXE is recognized as a blocked pattern, the FortiGate unit will
send the end user a replacement message and the file will be deleted or quarantined. The
virus scan, grayware, heuristics, and file type scans will not be performed as the file has
already been determined to be a threat and has been dealt with.
Note: File filter includes file pattern and file type scans which are applied at different stages
in the antivirus process.
Flowchart of the antivirus order of operations: if the file/email exceeds the oversized
file/email threshold, the oversized action decides (Block blocks, Pass allows); otherwise the
file is checked against the file patterns (a matching Block pattern blocks, a matching Allow
pattern allows); then the AV scan blocks if it detects an infection; then the file type is
checked (a matching Block type blocks, a matching Allow type allows); a file that matches
nothing is allowed.
Antivirus tasks
The antivirus tasks work in sequence to efficiently scan incoming files and offer your
network unparalleled antivirus protection. The first four tasks have specific functions, the
fifth, the heuristics, is to cover any new, previously unknown, virus threats. To ensure that
your system is providing the most protection available, all virus definitions and signatures
are updated regularly through the FortiGuard antivirus services. The tasks will be
discussed in the order that they are applied followed by FortiGuard antivirus.
File size
This task checks if files and email messages exceed configured thresholds. It is enabled
by setting the Oversized File/Email option under Firewall > Protection Profile > Antivirus to
Pass.
For more information, see Anti-Virus options on page 407.
File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The
FortiGate unit will check the file against the file pattern setting you have configured. If the
file is a blocked pattern, .EXE for example, then it is stopped and a replacement
message is sent to the end user. No other levels of protections are applied. If the file is not
a blocked pattern the next level of protection is applied.
Virus scan
If the file passes the file pattern scan, it will have a virus scan applied to it. The virus
definitions are kept up to date through the Fortinet Distribution Network. The list is
updated on a regular basis so you do not have to wait for a firmware upgrade. For more
information on updating virus definitions, see FortiGuard antivirus on page 441.
Grayware
Once past the virus scan, the incoming file will be checked for grayware. Grayware
configurations can be turned on and off as required and are kept up to date in the same
manner as the antivirus definitions. For more information on configuring grayware please
see Viewing and configuring the grayware list on page 452.
Heuristics
After an incoming file has passed the grayware scan, it is subjected to the heuristics scan.
The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect
virus-like behavior or known virus indicators. In this way, heuristic scanning may detect
new viruses, but may also produce some false positive results.
Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.
File type
Once a file passes the heuristic scan, the FortiGate unit applies the file type recognition
filter. The FortiGate unit will check the file against the file type setting you have configured.
If the file is a blocked type, then it is stopped and a replacement message is sent to the
end user. No other levels of protections are applied. If the file is not a blocked type, the
next level of protection is applied.
FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic updates of
virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through
the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the
FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the
Fortinet Knowledge Center for details and a link to the FortiGuard Center.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard. See Configuring the FortiGate unit for FDN and
FortiGuard subscription services on page 266 for more information.
Note: If virtual domains are enabled, you configure antivirus file filtering and antivirus
settings in protection profiles separately for each virtual domain. Antivirus file quarantine
and grayware settings are part of the global configuration.
File Filter
Configure the FortiGate file filter to block files by:
File pattern: Files can be blocked by name, extension, or any other pattern. File pattern
blocking provides the flexibility to block potentially harmful content.
File pattern entries are not case sensitive. For example, adding *.exe to the file
pattern list also blocks any files ending in .EXE.
In addition to the built-in patterns, you can specify more file patterns to block. For
details, see Configuring the file filter list on page 445.
File type: Files can be blocked by type, without relying on the file name to indicate what
type of files they are. When blocking by file type, the FortiGate unit analyzes the file
and determines the file type regardless of the file name. For details about supported
file types, see Built-in patterns and supported file types on page 443.
For standard operation, you can choose to disable file filter in the protection profile, and
enable it temporarily to block specific threats as they occur.
The FortiGate unit can take any of the following three actions towards the files that match
a configured file pattern or type:
Allow: the file will be allowed to pass.
Block: the file will be blocked and a replacement message will be sent to the user. If
both file filter and virus scan are enabled, the FortiGate unit blocks files that match the
enabled file filter and does not scan these files for viruses.
The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.
Files are compared to the enabled file patterns and then the file types from top to bottom.
If a file does not match any specified patterns or types, it is passed along to antivirus
scanning (if enabled). In effect, files are passed if not explicitly blocked.
Using the allow action, this behavior can be reversed with all files being blocked unless
explicitly passed. Simply enter all the file patterns or types to be passed with the allow
attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action.
Allowed files continue to antivirus scanning (if enabled) while files not matching any
allowed patterns are blocked by the wildcard at the end.
Note: The unknown type is any file type that is not listed in the table. The ignored type is
the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio
and video.
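The matching order described above (enabled file patterns first, then file types, top to bottom, first match wins, nothing matched passes to antivirus scanning) and the reversed, default-deny list built from allow entries plus a trailing *.* block, as an added example that is not code from the guide or from FortiOS. The magic-byte table used to identify a type from content, the list contents and the function names are constructed for the example.

```python
"""Added example, not code from the FortiGate guide: a model of the file
filter evaluation described above. Entry order, the allow/block actions,
case-insensitive patterns, content-based type detection and the trailing
*.* block entry are the guide's; the magic-byte table, class and function
names are constructed for the example."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Content signatures used to recognise a type regardless of file name.
# Constructed for the example; the guide's supported type table is longer.
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip")]


def detect_type(data: bytes) -> str:
    """Content-based type; 'unknown' is any type not in the table."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


@dataclass
class FilterEntry:
    kind: str            # "pattern" (file name glob) or "type" (content type)
    value: str           # e.g. "*.exe" or "exe"
    action: str          # "block" or "allow"
    enabled: bool = True


def first_match(entries: List[FilterEntry], kind: str, subject: str) -> Optional[FilterEntry]:
    """First enabled entry of `kind` matching `subject`, top to bottom."""
    for entry in entries:
        if not entry.enabled or entry.kind != kind:
            continue
        if kind == "pattern" and fnmatchcase(subject, entry.value.lower()):
            return entry
        if kind == "type" and entry.value.lower() == subject:
            return entry
    return None


def file_filter(entries: List[FilterEntry], filename: str, data: bytes) -> Tuple[str, str]:
    """Apply the guide's two file filter stages in order and return
    (verdict, reason). A block at either stage ends processing; an allow or
    no match at the pattern stage lets the file continue (past the virus,
    grayware and heuristic scans, which are not modelled here) to the type
    stage. 'pass' means the file goes on to antivirus scanning if enabled."""
    # File pattern stage. Patterns are not case sensitive: *.exe also matches .EXE.
    # As with a literal *.* wildcard, a name without a dot is not matched by it.
    hit = first_match(entries, "pattern", filename.lower())
    if hit is not None and hit.action == "block":
        return "block", f"file pattern {hit.value}"
    # File type stage. The name is ignored; only the content decides the type.
    ftype = detect_type(data)
    hit = first_match(entries, "type", ftype)
    if hit is not None and hit.action == "block":
        return "block", f"file type {ftype}"
    return "pass", "no block entry matched"


# Constructed lists. DEFAULT_LIST passes everything not explicitly blocked;
# STRICT_LIST is the reversed behaviour from the guide: allow entries first,
# then an all-inclusive *.* block, so anything not allowed is blocked. The
# type entry catches an executable renamed to match an allowed pattern.
DEFAULT_LIST = [FilterEntry("pattern", "*.exe", "block"),
                FilterEntry("type", "exe", "block")]
STRICT_LIST = [FilterEntry("pattern", "*.pdf", "allow"),
               FilterEntry("type", "exe", "block"),
               FilterEntry("pattern", "*.*", "block")]
```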
Create New Select Create New to add a new file filter list to the catalog.
Name The available file filter lists.
# Entries The number of file patterns or file types in each file filter list.
Profiles The protection profiles each file filter list has been applied to.
DLP Rule The DLP rules in which each filter is used.
Comments Optional description of each file filter list.
Delete icon Select to remove the file filter list from the catalog. The delete icon is only
available if the file filter list is not selected in any protection profiles.
Edit icon Select to edit the file filter, its name and comment.
The file filter list will be used in protection profiles. For more information, see Anti-Virus
options on page 407.
The file filter list has the following icons and features:
Name File filter list name. To change the name, edit text in the name field and select
OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
OK If you make changes to the list name or comments, select OK to save the
changes.
Create New Select Create New to add a new file pattern or type to the file filter list.
Filter The current list of file patterns and types.
Action Files matching the file patterns and types can be set to block, allow, or
intercept. For information about actions, see File Filter on page 443.
Enable Clear the checkbox to disable the file pattern or type.
Delete icon Select to remove the file pattern or type from the list.
Edit icon Select to edit the file pattern/type and action.
Move To icon Select to move the file pattern or type to any position in the list.
To add a file pattern or type go to UTM > AntiVirus > File Filter. Select the Edit icon for a
file filter catalog. Select Create New.
Filter Type Select File Name Pattern if you want to add a file pattern; select File Type and then
select a file type from the supported file type list.
Pattern Enter the file pattern. The file pattern can be an exact file name or can include
wildcards. The file pattern can be 80 characters long.
File Type Select a file type from the list. For information about supported file types, see Built-
in patterns and supported file types on page 443.
Action Select an action from the drop down list: Block, Allow, or Intercept. For more
information about actions, see File Filter on page 443.
Enable Select to enable the pattern.
File Quarantine
FortiGate units with a local disk, or FortiGate units with a single width AMC slot containing a
FortiGate-ASM-S08 module or a FortiGate-ASM-SAS module, can quarantine blocked
and infected files. View the file name and status information about the file in the
Quarantined Files list. Submit specific files and add file patterns to the AutoSubmit list so
they will automatically be uploaded to Fortinet for analysis.
FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files
stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list. To
configure quarantine to a FortiAnalyzer unit, go to Log & Report > Log Config > Log
Setting.
The file quarantine list displays the following information about each quarantined file:
Status The reason the file was quarantined: infected, heuristics, or blocked.
Status Description Specific information related to the status, for example, File is infected
with W32/Klez.h or File was stopped by file block pattern.
DC Duplicate count. A count of how many duplicates of the same file were
quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit
labels the file as EXP under the TTL heading. In the case of duplicate files, each
duplicate found refreshes the TTL.
The TTL information is not available if the files are quarantined on a
FortiAnalyzer unit.
Upload status Y indicates the file has been uploaded to Fortinet for analysis, N indicates the
file has not been uploaded.
This option is available only if the FortiGate unit has a local hard disk.
Download icon Select to download the corresponding file in its original format.
This option is available only if the FortiGate unit has a local hard disk.
Submit icon Select to upload a suspicious file to Fortinet for analysis.
This option is available only if the FortiGate unit has a local hard disk.
Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL
value and the duplicate count are updated each time a duplicate of a file is found.
Create New Select to add a new file pattern to the AutoSubmit list.
File Pattern The current list of file patterns that will be automatically uploaded. Create a
pattern by using ? or * wildcard characters. Enable the check box to enable all
file patterns in the list.
Delete icon Select to remove the entry from the list.
Edit icon Select to edit the following information: File Pattern and Enable.
File Pattern Enter the file pattern or file name to be upload automatically to Fortinet.
Enable Select to enable the file pattern.
Note: To enable automatic uploading of the configured file patterns, go to AntiVirus > File
Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern.
Figure 285: Quarantine Configuration (SSL content scanning and inspection and quarantine
to disk)
Options Quarantine Infected Files: Select the protocols from which to quarantine infected
files identified by antivirus scanning.
Quarantine Suspicious Files: Select the protocols from which to quarantine
suspicious files identified by heuristic scanning.
Quarantine Blocked Files. Select the protocols from which to quarantine blocked
files identified by antivirus file filtering. The Quarantine Blocked Files option is not
available for IM and HTTPS because a file name is blocked before downloading
and cannot be quarantined.
Age limit The time limit in hours for which to keep files in quarantine. The age limit is used
to formulate the value in the TTL column of the quarantined files list. When the
limit is reached, the TTL column displays EXP and the file is deleted (although the
entry in the quarantined files list is maintained). Entering an age limit of 0 (zero)
means files are stored on disk indefinitely, depending on low disk space action.
Max filesize to quarantine The maximum size of quarantined files in MB. Setting the maximum
file size too large may affect performance.
Low disk space Select the action to take when the local disk is full: overwrite the oldest file or drop
the newest file.
FortiAnalyzer Select to enable storage of blocked and quarantined files on a FortiAnalyzer unit.
See Log&Report on page 647 for more information about configuring a
FortiAnalyzer unit.
Enable AutoSubmit Enable AutoSubmit: enables the automatic submission feature. Select one
or both of the options below.
Use file pattern: Enables the automatic upload of files matching the file patterns in
the AutoSubmit list.
Use file status: Enables the automatic upload of quarantined files based on their
status. Select either Heuristics or Block Pattern.
Heuristics is configurable through the CLI only. See Antivirus CLI configuration
on page 453.
Apply Select to save the configuration.
Usually the FortiGuard AV definitions are updated automatically from the FortiGuard
Distribution Network (FDN). Go to System > Maintenance > FortiGuard to configure
automatic antivirus definition updates from the FDN.
You can also update the antivirus definitions manually from the system dashboard (go to
System > Status).
Enabling a grayware category blocks all files listed in the category. The categories may
change or expand when the FortiGate unit receives updates. You can choose to enable
the following grayware categories:
Adware Block adware programs. Adware is usually embedded in freeware programs and
causes ads to pop up whenever the program is opened or used.
BHO Block browser helper objects. BHOs are DLL files that are often installed as part of a
software package so the software can control the behavior of Internet Explorer 4.x
and later. Not all BHOs are malicious, but the potential exists to track surfing habits
and gather other information.
Dial Block dialer programs. Dialers allow others to use the PC modem to call premium
numbers or make long distance calls.
Download Block download programs. Download components are usually run at Windows startup
and are designed to install or download other software, especially advertising and dial
software.
Game Block games. Games are usually joke or nuisance games that you may want to block
from network users.
HackerTool Block hacker tools.
Hijacker Block browser hijacking programs. Browser hijacking occurs when a spyware type
program changes web browser settings, including favorites or bookmarks, start
pages, and menu options.
Joke Block joke programs. Joke programs can include custom cursors and programs that
appear to affect the system.
Keylog Block keylogger programs. Keylogger programs can record every keystroke made on
a keyboard including passwords, chat, and instant messages.
Misc Block any programs included in the miscellaneous grayware category.
NMT Block network management tools. Network management tools can be installed and
used maliciously to change settings and disrupt network security.
P2P Block peer to peer communications programs. P2P, while a legitimate protocol, is
synonymous with file sharing programs that are used to swap music, movies, and
other files, often illegally.
Plugin Block browser plugins. Browser plugins can often be harmless Internet browsing tools
that are installed and operate directly from the browser window. Some toolbars and
plugins can attempt to control or record and send browsing preferences.
RAT Block remote administration tools. Remote administration tools allow outside users to
remotely change and monitor a computer on a network.
Spy Block spyware programs. Spyware, like adware, is often included with freeware.
Spyware is a tracking and analysis program that can report your activities, such as
web browsing habits, to the advertiser's web site where it may be recorded and
analyzed.
Toolbar Block custom toolbars. While some toolbars are harmless, spyware developers can
use these toolbars to monitor web habits and send information back to the developer.
Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly detection and
prevention with low latency and excellent reliability. With Intrusion Protection, you can
create multiple IPS sensors, each containing a complete configuration based on
signatures. Then, you can apply any IPS sensor to each protection profile. You can also
create DoS sensors to examine traffic for anomaly-based attacks.
This section describes how to configure the FortiGate Intrusion Protection settings. For
more information about Intrusion Protection, see the FortiGate Intrusion Protection
System (IPS) Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is
configured separately for each virtual domain. For details, see Using virtual domains on
page 103.
This section describes:
About intrusion protection
Signatures
Custom signatures
Protocol decoders
IPS sensors
DoS sensors
Intrusion protection CLI configuration
Using Intrusion Protection, you can configure the FortiGate unit to check for and
automatically download updated attack definition files containing the latest signatures, or
download the updated attack definition file manually. Alternately, you can configure the
FortiGate unit to allow push updates of the latest attack definition files as soon as they are
available from the FortiGuard Distribution Network.
You can also create custom attack signatures for the FortiGate unit to use in addition to an
extensive list of predefined attack signatures.
Whenever the Intrusion Protection system detects or prevents an attack, it generates an
attack log message. You can configure the FortiGate unit to add the message to the attack
log and send an alert email to administrators, as well as schedule how often it should send
this alert email. You can also reduce the number of log messages and alerts by disabling
signatures for attacks that will not affect your network. For example, you do not need to
enable signatures to detect web attacks when there is no web server to protect.
You can also use the packet logging feature to analyze packets for false positive
detection.
For more information about FortiGate logging and alert email, see Log&Report on
page 647.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
Signatures
The FortiGate Intrusion Protection system can use signatures once you have grouped the
required signatures in an IPS sensor, and then selected the IPS sensor in the protection
profile. If required, you can override the default settings of the signatures specified in an
IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should
check their settings before using them, to ensure they meet your network requirements.
By using only the signatures you require, you can improve system performance and
reduce the number of log messages and alert email messages the IPS sensor generates.
For example, if the FortiGate unit is not protecting a web server, do not include any web
server signatures.
Note: Some default protection profiles include IPS Sensors that use all the available
signatures. By using these default settings, you may be slowing down the overall
performance of the FortiGate unit. By creating IPS sensors with only the signatures your
network requires, you can ensure maximum performance as well as maximum protection.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
To view the predefined signature list, go to UTM > Intrusion Protection > Predefined. You
can also use filters and column settings to display the signatures you want to view. For
more information, see Using display filters on page 458.
By default, the signatures are sorted by name. To sort the table by another column, select
the header of the column to sort by.
Current Page The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of signatures.
Column Settings Select to customize the signature information displayed in the table. You can
also readjust the column order. For more information, see Using column
settings to control the columns displayed on page 58 and Web-based
manager icons on page 60.
Clear All Filters If you have applied filtering to the predefined signature list display, select this
option to clear all filters and display all the signatures.
Filter icons Edit the column filters to filter or sort the predefined signature list according to
the criteria you specify. For more information, see Adding filters to web-based
manager lists on page 53.
Name The name of the signature. Each name is also a link to the description of the
signature in the FortiGuard Center Vulnerability Encyclopedia.
Severity The severity rating of the signature. The severity levels, from lowest to highest,
are Information, Low, Medium, High, and Critical.
Target The target of the signature: servers, clients, or both.
Protocols The protocol the signature applies to.
OS The operating system the signature applies to.
Applications The applications the signature applies to.
Enable The default status of the signature. A green circle indicates the signature is
enabled. A gray circle indicates the signature is not enabled.
Action The default action for the signature:
Pass allows the traffic to continue without any modification.
Drop prevents the traffic with detected signatures from reaching its
destination.
If Logging is enabled, the action appears in the status field of the log message
generated by the signature.
ID A unique numeric identifier for the signature.
Logging The default logging behavior of the signature. A green circle indicates logging is
enabled. A gray circle indicates logging is disabled.
Group A functional group that is assigned to that signature. This group is only for
reference and cannot be used to define filters.
Packet Log The default packet log status of the signature. A green circle indicates that the
packet log is enabled. A gray circle indicates that the packet log is not enabled.
Revision The revision level of the signature. If the signature is updated, the revision
number will be incremented.
Tip: To determine what effect IPS protection would have on your network traffic, you can
enable the required signatures, set the action to pass, and enable logging. Traffic will not be
interrupted, but you will be able to examine in detail which signatures were detected.
Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate Intrusion
Protection system for diverse network environments. The FortiGate predefined signatures
represent common attacks. If you use an unusual or specialized application or an
uncommon platform, you can add custom signatures based on the security alerts released
by the application and platform vendors.
You can also create custom signatures to help you block P2P protocols.
After creation, you need to specify custom signatures in IPS sensors created to scan
traffic. For more information about creating IPS sensors, see Adding an IPS sensor on
page 462.
For more information about custom signatures, see the FortiGate Intrusion Protection
System (IPS) Guide.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
Note: Custom signatures are an advanced feature. This document assumes the user has
previous experience creating intrusion detection signatures.
Note: Custom signatures must be added to a signature override in an IPS filter to have any
effect. Creating a custom signature is a necessary step, but a custom signature does not
affect traffic simply by being created.
Protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal
traffic patterns that do not meet the protocol requirements and standards. For example,
the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the
HTTP protocol standards.
IPS sensors
You can group signatures into IPS sensors for easy selection in protection profiles. You
can define signatures for specific types of traffic in separate IPS sensors, and then select
those sensors in profiles designed to handle that type of traffic. For example, you can
specify all of the web-server related signatures in an IPS sensor, and the sensor can then
be used by a protection profile in a policy that controls all of the traffic to and from a web
server protected by the FortiGate unit.
The FortiGuard Service periodically updates the pre-defined signatures, with signatures
added to counter new threats. Because the signatures included in filters are defined by
specifying signature attributes, new signatures matching existing filter specifications will
automatically be included in those filters. For example, if you have a filter that includes all
signatures for the Windows operating system, your filter will automatically incorporate new
Windows signatures as they are added.
Create New Add a new IPS sensor. For more information, see Adding an IPS
sensor on page 462.
Name The name of each IPS sensor.
Comments An optional description of the IPS sensor.
Delete and Edit icons Delete or edit an IPS sensor.
Five default IPS sensors are provided with the default configuration.
all_default Includes all signatures. The sensor is set to use the default enable
status and action of each signature.
all_default_pass Includes all signatures. The sensor is set to use the default enable
status of each signature, but the action is set to pass.
protect_client Includes only the signatures designed to detect attacks against clients;
uses the default enable status and action of each signature.
protect_email_server Includes only the signatures designed to detect attacks against
servers and the SMTP, POP3, or IMAP protocols; uses the default
enable status and action of each signature.
protect_http_server Includes only the signatures designed to detect attacks against
servers and the HTTP protocol; uses the default enable status and
action of each signature.
Name The name of the IPS sensor. You can change it at any time.
Comments An optional comment describing the IPS sensor. You can change it at any time.
OK Select to save changes to Name or Comments.
IPS sensor filters:
Add Filter Add a new filter to the end of the filter list. For more information, see
Configuring filters on page 464.
# Current position of each filter in the list.
Name The name of the filter.
Signature attributes Signature attributes specify the type of network traffic the signature applies to.
Severity The severity of the included signatures.
Target The type of system targeted by the attack. The targets are client
and server.
Protocol The protocols to which the signatures apply. Examples include
HTTP, POP3, H323, and DNS.
OS The operating systems to which the signatures apply.
Application The applications to which the signatures apply.
Enable The status of the signatures included in the filter. The signatures can be set to
enabled, disabled, or default. The default setting uses the default status of each
individual signature as displayed in the signature list.
Logging The logging status of the signatures included in the filter. Logging can be set to
enabled, disabled, or default. The default setting uses the default status of each
individual signature as displayed in the signature list.
Action The action of the signatures included in the filter. The action can be set to pass
all, block all, reset all, or default. The default setting uses the action of each
individual signature as displayed in the signature list.
Count The number of signatures included in the filter. Overrides are not included in this
total.
Delete icon Delete the filter.
Edit icon Edit the filter.
Insert icon Create a new filter and insert it above the current filter.
Move to icon After selecting this icon, enter the destination position in the window that
appears, and select OK.
View Rules icon Open a window listing all of the signatures included in the filter.
Configuring filters
To configure a filter, go to UTM > Intrusion Protection > IPS Sensor. Select the Edit icon of
the IPS sensor containing the filter you want to edit. When the sensor window opens,
select the Edit icon of the filter you want to change, or select Add Filter to create a new
filter. Enter the information as described below and select OK.
Target Select All, or select Specify and then the type of systems targeted by the attack.
The choices are server or client.
OS Select All, or select Specify and then select one or more operating systems that
are vulnerable to the attack.
Signatures with an OS attribute of All affect all operating systems. These
signatures will be automatically included in any filter regardless of whether a
single, multiple, or all operating systems are specified.
Protocol Select All, or select Specify to list what network protocols are used by the attack.
Use the Right Arrow to move the ones you want to include in the filter from the
Available to the Selected list, or the Left Arrow to remove previously selected
protocols from the filter.
Application Select All, or select Specify to list the applications or application suites vulnerable
to the attack. Use the Right Arrow to move the ones you want to include in the
filter from the Available to the Selected list, or the Left Arrow to remove previously
selected applications from the filter.
Quarantine Attackers (to Banned Users List) Select to enable NAC quarantine for this filter.
For more information about NAC quarantine, see NAC quarantine and the Banned User list
on page 595. The FortiGate unit deals with the attack according to the IPS sensor or DoS
sensor configuration regardless of this setting.
Method Select Attacker's IP Address to block all traffic sent from the attacker's IP
address. The attacker's IP address is also added to the banned user list. The
target's address is not affected.
Select Attacker and Victim IP Addresses to block all traffic sent from the
attacker's IP address to the target's (victim's) IP address. Traffic from the attacker's
IP address to addresses other than the victim's IP address is allowed. The
attacker's and target's IP addresses are added to the banned user list as one
entry.
Select Attack's Incoming Interface to block all traffic from connecting to the
FortiGate interface that received the attack. The interface is added to the banned
user list.
Expires You can select whether the attacker is banned indefinitely or for a specified
number of days, hours, or minutes.
Signature Configure whether the filter overrides the following signature settings or accepts
Settings the settings in the signatures.
Enable Select from the options to specify what the FortiGate unit will do with the
signatures included in the filter: enable all, disable all, or enable or disable each
according to the individual default values shown in the signature list.
Logging Select from the options to specify whether the FortiGate unit will create log entries
for the signatures included in the filter: enable all, disable all, or enable or disable
logging for each according to the individual default values shown in the signature
list.
Action Select from the options to specify what the FortiGate unit will do with traffic
containing a signature match: pass all, block all, reset all, or block or pass traffic
according to the individual default values shown in the signature list.
The signatures included in the filter are only those matching every attribute specified.
When created, a new filter has every attribute set to All, which causes every signature to be
included in the filter. If the severity is changed to High and the target is changed to Server,
the filter includes only signatures checking for high-severity attacks targeted at servers.
Overrides add an individual signature, not included in any filters, to an IPS sensor. This is
the only way to add custom signatures to IPS sensors.
When a pre-defined signature is specified in an override, the default status and action
attributes have no effect. These settings must be explicitly set when creating the override.
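The filter and override rules above, modelled in Python as an added example (not Fortinet code): the signatures, filters and overrides are constructed sample data, and first-filter-wins for overlapping filters is an assumption the guide does not state.

```python
"""Model of how a FortiGate IPS sensor selects signatures and their settings.

Added example, not Fortinet code. A filter includes only the signatures that
match every attribute it specifies (an attribute left at All matches anything,
and a signature whose OS is All is included whatever OS the filter selects);
filter settings left at default keep each signature's own enable/logging/action;
an override names one signature explicitly, with its settings set explicitly,
and is the only route for a custom signature. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: str      # information, low, medium, high, critical
    target: str        # "server", "client" or "both"
    protocol: str
    os: str            # "All" means the signature affects every OS
    application: str
    enabled: bool      # default enable status shown in the signature list
    action: str        # default action: "pass" or "drop"
    logging: bool = True
    custom: bool = False


@dataclass
class Filter:
    name: str
    severity: Optional[set] = None      # None means All
    target: Optional[set] = None
    protocol: Optional[set] = None
    os: Optional[set] = None
    application: Optional[set] = None
    enable: str = "default"             # "enable", "disable" or "default"
    logging: str = "default"
    action: str = "default"             # "pass", "block", "reset" or "default"


@dataclass(frozen=True)
class Override:
    sig_id: int
    enabled: bool
    action: str        # must be chosen explicitly: "pass", "block" or "reset"
    logging: bool = False


def filter_matches(flt: Filter, sig: Signature) -> bool:
    """A signature is included only when it matches every specified attribute."""
    if sig.custom:     # custom signatures reach a sensor only through overrides
        return False

    def selected(choice, value):
        return choice is None or value in choice

    target_ok = flt.target is None or sig.target == "both" or sig.target in flt.target
    os_ok = flt.os is None or sig.os == "All" or sig.os in flt.os
    return (selected(flt.severity, sig.severity) and target_ok and os_ok
            and selected(flt.protocol, sig.protocol)
            and selected(flt.application, sig.application))


def filter_settings(flt: Filter, sig: Signature):
    """Resolve enable/logging/action; 'default' keeps the signature's own value."""
    enabled = sig.enabled if flt.enable == "default" else flt.enable == "enable"
    logging = sig.logging if flt.logging == "default" else flt.logging == "enable"
    action = sig.action if flt.action == "default" else flt.action
    return enabled, logging, action


def filter_count(flt: Filter, signatures) -> int:
    """The Count column: signatures the filter includes, overrides not counted."""
    return sum(1 for s in signatures if filter_matches(flt, s))


def sensor_rules(filters, overrides, signatures) -> dict:
    """Effective (source, enabled, logging, action) per signature for one sensor."""
    by_id = {s.sig_id: s for s in signatures}
    rules = {}
    for flt in filters:                      # list order; first match wins (assumption)
        for sig in signatures:
            if sig.sig_id not in rules and filter_matches(flt, sig):
                rules[sig.sig_id] = ("filter:" + flt.name,) + filter_settings(flt, sig)
    for ov in overrides:                     # signature defaults play no part here
        if ov.sig_id in by_id:
            rules[ov.sig_id] = ("override", ov.enabled, ov.logging, ov.action)
    return rules


def sample_signatures():
    """Constructed signature list; IDs and names are invented, not FortiGuard's."""
    return [
        Signature(1001, "http.server.overflow", "high", "server", "HTTP", "All", "Apache", True, "drop"),
        Signature(1002, "smtp.client.malformed", "medium", "client", "SMTP", "Windows", "Outlook", True, "pass"),
        Signature(1003, "smb.server.dos", "critical", "server", "SMB", "Windows", "Samba", False, "drop"),
        Signature(1004, "dns.query.anomaly", "low", "both", "DNS", "All", "BIND", True, "pass"),
        Signature(9001, "local.custom.app", "high", "server", "HTTP", "All", "MyApp", True, "pass", custom=True),
    ]
```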
Note: Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken.
To edit a pre-defined or custom override, go to UTM > Intrusion Protection > IPS Sensor
and select the Edit icon of the IPS sensor containing the override you want to edit. When
the sensor window opens, select the Edit icon of the override you want to change.
Signature Select the browse icon to view the list of available signatures. From this list,
select a signature the override will apply to and then select OK.
Enable Select to enable the signature override.
Action Select Pass, Block or Reset. When the override is enabled, the action
determines what the FortiGate will do with traffic containing the specified
signature.
Logging Select to enable creation of a log entry if the signature is discovered in
network traffic.
Packet Log Select to save packets that trigger the override to the FortiGate hard drive for
later examination.
Quarantine Attackers (to Banned Users List) Select to enable NAC quarantine for this
override. For more information about NAC quarantine, see NAC quarantine and the Banned
User list on page 595. The FortiGate unit deals with the attack according to the IPS sensor
or DoS sensor configuration regardless of this setting.
Method Select Attacker's IP Address to block all traffic sent from the attacker's IP
address. The attacker's IP address is also added to the banned user list. The
target's address is not affected.
Select Attacker and Victim IP Addresses to block all traffic sent from the
attacker's IP address to the target's (victim's) IP address. Traffic from the
attacker's IP address to addresses other than the victim's IP address is
allowed. The attacker's and target's IP addresses are added to the banned
user list as one entry.
Select Attack's Incoming Interface to block all traffic from connecting to the
FortiGate interface that received the attack. The interface is added to the
banned user list.
Expires You can select whether the attacker is banned indefinitely or for a specified
number of days, hours, or minutes.
Exempt IP Enter IP addresses to exclude from the override. The override will then apply
to all IP addresses except those defined as exempt. The exempt IP
addresses are defined in pairs, with a source and destination, and traffic
moving from the source to the destination is exempt from the override.
Source The exempt source IP address. Enter 0.0.0.0/0 to include all source IP
addresses.
Destination: The exempt destination IP address. Enter 0.0.0.0/0 to include all
destination IP addresses.
Packet logging
Packet logging is a way you can debug custom signatures or how any signature is
functioning in your network environment.
If a signature is selected in a custom override, and packet logging is enabled, the
FortiGate unit will save any network packet triggering the signature to memory, the internal
hard drive (if so equipped), a FortiAnalyzer, or the FortiGuard Analysis and Management
Service. These saved packets can be later viewed and saved in PCAP format for closer
examination.
Note: Setting packet-log-history to a value larger than 1 can affect the maximum
performance of the FortiGate unit because network traffic must be buffered. The
performance penalty depends on the model, the setting, and the traffic load.
5 Select the packet to view the packet in binary and ASCII. Each table row represents a
captured packet.
6 Select Save to save the packet data in a PCAP formatted file.
PCAP files can be opened and examined in network analysis software such as Wireshark.
DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that
does not fit known or common traffic patterns and behavior. For example, one type of
flooding is the denial of service (DoS) attack that occurs when an attacking system starts
an abnormally large number of sessions with a target system. The large number of
sessions slows down or disables the target system so legitimate users can no longer use
it. This type of attack gives the DoS sensor its name, although it is capable of detecting
and protecting against a number of anomaly attacks.
You can enable or disable logging for each traffic anomaly, and configure the detection
threshold and action to take when the detection threshold is exceeded.
You can create multiple DoS sensors. Each sensor consists of 12 anomaly types that you
can configure. Each sensor examines the network traffic in sequence, from top to bottom.
When a sensor detects an anomaly, it applies the configured action. Multiple sensors
allow great granularity in detecting anomalies because each sensor can be configured to
examine traffic from a specific address, to a specific address, on a specific port, in any
combination.
When arranging the DoS sensors, place the most specific sensors at the top and the most
general at the bottom. For example, a sensor with one protected address table entry that
includes all source addresses, all destination addresses, and all ports will match all traffic.
If this sensor is at the top of the list, no subsequent sensors will ever execute.
The traffic anomaly detection list can be updated only when the FortiGate firmware image
is upgraded.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
must be configured separately in each VDOM. All sensors and custom signatures will
appear only in the VDOM in which they were created.
Create New Add a new DoS sensor to the bottom of the list.
ID A unique identifier for each DoS sensor. The ID does not indicate the
sequence in which the sensors examine network traffic.
Status Select to enable the DoS sensor.
Name The DoS sensor name.
Comments An optional description of the DoS sensor.
Delete Delete the DoS sensor.
Edit icon Edit the following information: Action, Severity, and Threshold.
Insert DoS Sensor before icon Create a new DoS sensor before the current sensor.
Move To icon Move the current DoS sensor to another position in the list. After
selecting this icon, enter the destination position in the window that
appears, and select OK.
Note: It is important to know normal and expected network traffic before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and
setting the thresholds too high could allow otherwise avoidable attacks.
To configure DoS sensors, go to UTM > Intrusion Protection > DoS Sensor. Select the Edit
icon of an existing DoS sensor, or select Create New to create a new DoS sensor.
Note: You can configure NAC quarantine for DoS sensors from the FortiGate CLI. For
more information, see Configuring NAC quarantine on page 596.
Source The IP address of the traffic source. 0.0.0.0/0 matches all addresses.
Add After entering the required destination address, destination port, and
source address, select Add to add protected address to the Protected
Addresses list. The DoS sensor will be invoked only on traffic matching all
three of the entered values. If no addresses appear in the list, the sensor
will not be applied to any traffic.
Anomaly Description
tcp_syn_flood If the SYN packet rate, including retransmission, to one destination IP
address exceeds the configured threshold value, the action is executed.
The threshold is expressed in packets per second.
tcp_port_scan If the SYN packets rate, including retransmission, from one source IP
address exceeds the configured threshold value, the action is executed.
The threshold is expressed in packets per second.
tcp_src_session If the number of concurrent TCP connections from one source IP address
exceeds the configured threshold value, the action is executed.
tcp_dst_session If the number of concurrent TCP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
udp_flood If the UDP traffic to one destination IP address exceeds the configured
threshold value, the action is executed. The threshold is expressed in
packets per second.
udp_scan If the number of UDP sessions originating from one source IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
udp_src_session If the number of concurrent UDP connections from one source IP address
exceeds the configured threshold value, the action is executed.
udp_dst_session If the number of concurrent UDP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
icmp_flood If the number of ICMP packets sent to one destination IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
icmp_sweep If the number of ICMP packets originating from one source IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
icmp_src_session If the number of concurrent ICMP connections from one source IP
address exceeds the configured threshold value, the action is executed.
icmp_dst_session If the number of concurrent ICMP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
Web Filter
This chapter describes how to configure FortiGate web filtering for HTTP traffic. If your
FortiGate unit supports SSL content scanning and inspection you can also configure web
filtering for HTTPS traffic. For information about SSL content scanning and inspection, see
SSL content scanning and inspection on page 399. If your FortiGate unit does not
support HTTPS content scanning and inspection you can configure URL filtering for
HTTPS traffic.
The three main sections of the web filtering function, the Web Filter Content Block, the
URL Filter, and the FortiGuard Web filter, interact with each other in such a way as to
provide maximum control and protection for the Internet users.
If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is configured
separately for each virtual domain. For details, see Using virtual domains on page 103.
This section describes:
Order of web filtering
How web filtering works
Web filter controls
Web content block
URL filter
FortiGuard - Web Filter
The first section, the URL exempt and block filters, will allow you to decide what action to
take for specific addresses. For example, if you want to exempt www.google.com from
being scanned, you can add it to the URL exempt list. Then no web filtering or virus
scanning will be taken to this web site.
If you have blocked a pattern but want certain users to have access to URLs within that
pattern, you can use the Override within the FortiGuard Web Filter. This will allow you to
specify which users have access to which blocked URLs and how long they have that
access. For example, you want user1 to be able to access www.example.com for 1 hour.
You can use this section to set up the exemption. Any user listed in an override must fill
out an online authentication form before the FortiGate unit will grant access to the blocked
URL.
FortiGuard Web Filter also lets you create local categories to block groups of URLs. Once
you have created the category, you can use the local rating to add specific sites to the
local category you have created. You then use the Firewall > Protection Profile to tell the
FortiGate unit what action to take with the Local category. The local ratings overwrite the
FortiGuard ratings.
Finally, the FortiGate unit applies script filtering for ActiveX, Cookie, and Java applet,
which can be configured in Firewall > Protection Profile > Web Filtering.
Once you have finished configuring all of these settings, you still have to turn them all on
in the Firewall > Protection Profile > Web filtering and Firewall > Protection Profile >
FortiGuard Web Filtering. By enabling them here, you are telling the FortiGate unit to start
using the filters as you have configured them.
This section describes how to configure web filtering options. Web filtering functions must
be enabled in the active protection profile for the corresponding settings in this section to
have any effect.
Note: Enabled means that the filter will be used when you turn on web filtering. It does not
mean that the filter is turned on. To turn on all enabled filters you must go to Firewall >
Protection Profile.
Table 47: Web filter and Protection Profile protocol recognition configuration
Table 48: Web filter and Protection Profile web content block configuration
Table 49: Web filter and Protection Profile web URL filtering configuration
Table 50: Web filter and Protection Profile web script filtering and download configuration
Table 51: Web filter and Protection Profile FortiGuard web filtering configuration
Note: If virtual domains are enabled on the FortiGate unit, web filtering features are
configured globally. To access these features, select Global Configuration on the main
menu.
Note: Perl regular expression patterns are case sensitive for Web Filter content block. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i blocks all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.
Create New Select to add a new web content block list to the catalog.
Name The available web content block lists.
# Entries The number of content patterns in each web content block list.
Profiles The protection profiles each web content block list has been applied to.
Comment Optional description of each web content block list. The comment text must be
less than 63 characters long. Otherwise, it will be truncated. Spaces will also
be replaced by the plus sign ( + ).
Delete icon Select to remove the web content block list from the catalog. The delete icon is
only available if the web content block list is not selected in any protection
profiles.
Edit icon Select to edit the web content block list, list name, or list comment.
Select web content block lists in protection profiles. For more information, see Web
Filtering options on page 411.
To view the web content block list go to UTM > Web Filter > Web Content Block and select
the Edit icon of the web content block list you want to view.
Note: Enable UTM > Web Filtering > Web Content Block in a firewall Protection Profile to
activate the content block settings.
The web content block list has the following icons and features:
Name Web content block list name. To change the name, edit text in the name field and
select OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create new Select to add a pattern to the web content block list.
Total The number of patterns in the web content block list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Remove All Entries icon Select to clear the table.
Banned word The current list of patterns. Select the check box to enable all the patterns in the
list.
Pattern type The pattern type used in the pattern list entry. Choose from wildcard or regular
expression. See Using wildcards and Perl regular expressions on page 506.
Language The character set to which the pattern belongs: Simplified Chinese, Traditional
Chinese, French, Japanese, Korean, Thai, or Western.
Score A numerical weighting applied to the pattern. The score values of all the matching
patterns appearing on a page are added, and if the total is greater than the
threshold value set in the protection profile, the page is blocked.
Delete icon Select to delete an entry from the list.
Edit icon Select to edit the following information: Banned Word, Pattern Type, Language,
and Enable.
Banned Word Enter the content block pattern. For a single word, the FortiGate checks all
web pages for that word. For a phrase, the FortiGate checks all web pages
for any word in the phrase. For a phrase in quotation marks, the FortiGate
unit checks all web pages for the entire phrase.
Pattern Type Select a pattern type from the dropdown list: Wildcard or Regular
Expression.
Language Select a language from the dropdown list.
Score Enter a score for the pattern.
Each entry in the web content block list includes a score. When you add a
web content block list to a protection profile you configure a web content
block threshold for the protection profile.
When a web page is matched with an entry in the content block list the
score is recorded. If a web page matches more than one entry the score for
the web page increases. When the total score for a web page equals or
exceeds the threshold the page is blocked.
The default score for a content block list entry is 10 and the default
threshold is 10. This means that by default a web page is blocked by a
single match. You can change the scores and threshold so that web pages
can only be blocked if there are multiple matches. For more information,
see Web Filtering options on page 411.
Enable Select to enable the pattern.
The web content exempt list catalogue has the following icons and features:
Create New Select to add a new web content exempt list to the catalog.
Name The available web content exempt lists.
# Entries The number of content patterns in each web content exempt list.
Profiles The protection profiles each web content exempt list has been applied to.
Comment Optional description of each web content exempt list.
Delete icon Select to remove the web content exempt list from the catalog. The delete
icon is only available if the web content exempt list is not selected in any
protection profiles.
Edit icon Select to edit the web content exempt list, list name, or list comment.
Select web content exempt lists in protection profiles. For more information, see Web
Filtering options on page 411.
Note: Enable Web Filtering > Web Content Exempt in a firewall Protection Profile to
activate the content exempt settings.
The web content exempt list has the following icons and features:
Name Web content exempt list name. To change the name, edit text in the name field
and select OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create new Select to add a pattern to the web content exempt list.
Total The number of patterns in the web content exempt list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Remove All Entries icon Select to clear the table.
Pattern The current list of patterns. Select the check box to enable all the patterns in the
list.
Pattern type The pattern type used in the pattern list entry. Choose from wildcard or regular
expression. See Using wildcards and Perl regular expressions on page 506.
Language The character set to which the pattern belongs: Simplified Chinese, Traditional
Chinese, French, Japanese, Korean, Thai, or Western.
Delete icon Select to delete an entry from the list.
Edit icon Select to edit the following information: Pattern, Pattern Type, Language, and
Enable.
Pattern Word Enter the content exempt pattern. For a single word, the FortiGate checks all web
pages for that word. For a phrase, the FortiGate checks all web pages for any
word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all
web pages for the entire phrase.
Pattern Type Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language Select a language from the dropdown list.
Enable Select to enable the pattern.
URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add patterns
using text and regular expressions (or wildcard characters) to allow or block URLs. The
FortiGate unit allows or blocks web pages matching any specified URLs or patterns and
displays a replacement message instead.
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the
URL filter settings.
Note: URL blocking does not block access to other services that users can access with a
web browser. For example, URL blocking does not block access to
ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.
The URL filter list catalogue has the following icons and features:
Create New Select to add a new web content URL list to the catalog.
Name The available URL filter lists.
# Entries The number of URL patterns in each URL filter list.
Profiles The protection profiles each URL filter list has been applied to.
Comment Optional description of each URL filter list.
Delete icon Select to remove the URL filter list from the catalog. The delete icon is only
available if the URL filter list is not selected in any protection profiles.
Edit icon Select to edit the URL filter list, list name, or list comment.
Select URL filter lists in protection profiles. For more information, see Web Filtering
options on page 411.
The URL filter list has the following icons and features:
Name URL filter list name. To change the name, edit text in the name field and select
OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create New Select to add a URL to the URL block list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Clear All URL Filters icon Select to clear the table.
URL The current list of blocked/exempt URLs. Select the check box to enable all
the URLs in the list.
Type The type of URL: Simple or Regex (regular expression).
Action The action taken when the URL matches: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web filters.
An exempt match stops all further checking including AV scanning.
A block match blocks the URL and no further checking will be done.
Delete icon Select to remove an entry from the list.
Edit icon Select to edit the following information: URL, Type, Action, and Enable.
Move icon Select to open the Move URL Filter dialog box.
Note: Type a top-level domain suffix (for example, com without the leading period) to
block access to all URLs with this suffix.
To add a URL to the URL filter list go to UTM > Web Filter > URL Filter. Select Create New
or edit an existing list.
URL Enter the URL. Do not include http://. For details about URL
formats, see URL formats on page 486.
Type Select a type from the dropdown list: Simple or Regex (regular
expression).
Action Select an action from the dropdown list: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web
filters.
An exempt match stops all further checking including AV
scanning.
A block match blocks the URL and no further checking will be
done.
Enable Select to enable the URL.
URL formats
When adding a URL to the URL filter list (see Configuring the URL filter list on
page 485), follow these rules:
Control access to all URLs that match patterns created using text and regular
expressions (or wildcard characters). For example, example.* matches
example.com, example.org, example.net and so on.
FortiGate web pattern blocking supports standard regular expressions.
Note: URLs with an action set to exempt are not scanned for viruses. If users on
the network download files through the FortiGate unit from a trusted website, add the
URL of this website to the URL filter list with an action set to exempt so the
FortiGate unit does not virus scan files downloaded from this URL.
Note: Enable Web Filtering > Web URL Filter > HTTP or HTTPS in a firewall Protection
Profile to activate the web URL filter settings for HTTP and/or HTTPS traffic.
Scope The user or user group who may use the override.
Off-site URLs A green check mark indicates that the off-site URL option is set to Allow,
which means that the overwrite web page will display the contents from off-
site domains. A gray cross indicates that the off-site URL option is set to
Block, which means that the overwrite web page will not display the
contents from off-site domains. For details, see Configuring administrative
override rules on page 489.
Initiator The creator of the override rule.
Expiry Date The expiry date of the override rule.
Delete icon Select to remove the entry from the list.
Edit icon Select to edit the following information: Type, URL, Scope, User, Off-site
URLs, and Override Duration.
Off-site URLs This option defines whether the override web page will display the images
and other contents from the blocked offsite URLs.
For example, all FortiGuard categories are blocked, and you want to visit a
site whose images are served from a different domain. You can create a
directory override for the site and view the page. If the offsite feature was
set to deny, all the images on the page will appear broken because they
come from a different domain for which the existing override rule does not
apply. If you set the offsite feature to allow, the images on the page will then
show up.
Only users that fall under the scope of the page override can see the
images from the temporary overrides. Those users will not be able to view
any other pages on the sites the images come from (unless the pages are
served from the same directory as the images themselves) without creating
a new override rule.
Override End Time Specify when the override rule will end.
To create an override for categories, go to UTM > Web Filter > Override.
The local ratings list has the following icons and features:
Antispam
This chapter describes how to configure FortiGate spam filtering for IMAP, POP3, and
SMTP email. If your FortiGate unit supports SSL content scanning and inspection you can
also configure spam filtering for IMAPS, POP3S, and SMTPS email traffic. For information
about SSL content scanning and inspection, see SSL content scanning and inspection
on page 399.
If you enable virtual domains (VDOMs) on the FortiGate unit, Antispam is configured
separately for each virtual domain. For details, see Using virtual domains on page 103.
This section describes:
Antispam
Banned word
IP address and email address black/white lists
Advanced antispam configuration
Using wildcards and Perl regular expressions
Antispam
You can configure the FortiGate unit to manage unsolicited commercial email by detecting
and identifying spam messages from known or suspected spam servers.
The FortiGuard Antispam Service uses both a sender IP reputation database and a spam
signature database, along with sophisticated spam filtering tools, to detect and block a
wide range of spam messages. Using FortiGuard Antispam protection profile settings you
can enable IP address checking, URL checking, E-mail checksum check, and Spam
submission. Updates to the IP reputation and spam signature databases are provided
continuously via the global FortiGuard distribution network.
From the FortiGuard Antispam Service page in the FortiGuard center you can use IP and
signature lookup to check whether an IP address is blacklisted in the FortiGuard antispam
IP reputation database, or whether a URL or email address is in the signature database.
Table 52: AntiSpam and Protection Profile spam filtering configuration (Continued)
Banned word
Control spam by blocking email messages containing specific words or patterns. You can
add words, phrases, wild cards and Perl regular expressions to match content in email
messages.
For information about wildcards and Perl regular expressions, see Using wildcards and
Perl regular expressions on page 506.
Note: Perl regular expression patterns are case sensitive for antispam banned words. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.
Create New Add a new list to the catalog. For more information, see Creating a new
banned word list on page 499.
Name The available antispam banned word lists.
Name Banned word list name. To change the name, edit text in the name field and
select OK.
Comments Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create New Select to add a word or phrase to the banned word list.
Current Page The current page number of list items that are displayed. Select the left and right
arrows to display the first, previous, next or last page of the banned word list.
Remove All Entries icon Clear the table.
Pattern The list of banned words. Select the check box to enable all the banned words in
the list.
Pattern Type The pattern type used in the banned word list entry. Choose from wildcard or
regular expression. For more information, see Using wildcards and Perl regular
expressions on page 506.
Language The character set to which the banned word belongs.
Where The location where the FortiGate unit searches for the banned word: Subject,
Body, or All.
Score A numerical weighting applied to the banned word. The score values of all the
matching words appearing in an email message are added, and if the total is
greater than the Banned word check value set in the protection profile, the email
is processed according to whether the spam action is set to Discard or Tagged
in the protection profile. The score for a banned word is counted once even if the
word appears multiple times in the email. For more information,
see Configuring a protection profile on page 404.
Delete and Edit icons Delete or edit the banned word.
Pattern Enter the word or phrase you want to include in the banned word list.
Pattern Type Select the pattern type for the banned word. Choose from wildcard or regular
expression. For more information, see Using wildcards and Perl regular
expressions on page 506.
Language Select the character set for the banned word.
Where Select where the FortiGate unit should search for the banned word: Subject,
Body, or All.
Name Antispam IP address list name. To change the name, edit text in the name field
and select OK.
Comments Optional comment. To add or edit a comment, enter text in the comments field
and select OK.
Create New Add an IP address to the antispam IP address list.
Current Page The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of the IP address
list.
Remove All Entries icon Clear the table.
IP address/Mask The list of IP addresses.
Action The action to take on email from the configured IP address. Actions are: Spam
to apply the configured spam action, Clear to bypass this and remaining spam
filters, or Reject (SMTP or SMTPS) to drop the session.
If an IP address is set to reject but mail is delivered from that IP address
using POP3 or IMAP, the email messages will be marked as spam.
Profiles The protection profiles each antispam email address list has been applied to.
Comments Optional description of each antispam email address list.
Delete icon Remove the antispam email address list from the catalog. The delete icon is
only available if the antispam email address list is not selected in any
protection profiles.
Edit icon Edit the antispam email address list, list name, or list comment.
You enable antispam email addresses in protection profiles. For more information, see
Spam Filtering options on page 416.
Name Antispam email address list name. To change the name, edit text in the name
field and select OK.
Comments Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create New Add an email address to the email address list.
Current Page The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of the email
address list.
Remove All Entries icon Clear the table.
Email address The list of email addresses.
Pattern Type The pattern type used in the email address entry.
Action The action to take on email from the configured address. Actions are: Spam to
apply the spam action configured in the protection profile, or Clear to let the
email message bypass this and remaining spam filters.
Delete icon Remove the email address from the list.
Edit icon Edit the address information.
Move To icon Move the entry to a different position in the list.
The firewall policy executes the list from top to bottom. For example, if you
have abc@example.com listed as clear and *@example.com as spam, you
must put abc@example.com above *@example.com for abc@example.com
to take effect.
MIME headers are added to email to describe content type and content encoding, such as
the type of text in the email body or the program that generated the email. Some examples
of MIME headers include:
X-mailer: outgluck
X-Distribution: bulk
Content_Type: text/html
Content_Type: image/jpg
The first part of the MIME header is called the header or header key. The second part is
called the value. Spammers often insert comments into header values or leave them
blank. These malformed headers can fool some spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with certain
types of content that are common in spam messages. Mark the email as spam or clear for
each header configured.
Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL
or ORDBL server, it must be able to look up this name on the DNS server. For information
on configuring DNS, see Configuring Networking Options on page 145.
Note: To add a question mark (?) character to a regular expression from the FortiGate CLI,
enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression
from the CLI you must precede it with another backslash character. For example,
fortinet\\.com.
To match a special character such as '.' and * use the escape character \. For example:
To match fortinet.com, the regular expression should be: fortinet\.com
In Perl regular expressions, * means match 0 or more times of the character before it, not
0 or more times of any character. For example:
forti*.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use .* where . means any character and the *
means 0 or more times. For example, the wildcard match pattern forti*.com should
therefore be fort.*\.com.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression test not only matches the word test but also any word
that contains test such as atest, mytest, testimony, atestb. The notation \b
specifies the word boundary. To match exactly the word test, the expression should be
\btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web and antispam filters. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of bad language, regardless of case.
Expression Matches
abc abc (the exact character sequence, but anywhere in the string)
^abc abc at the beginning of the string
abc$ abc at the end of the string
a|b Either a or b
^abc|abc$ The string abc at the beginning or at the end of the string
ab{2,4}c a followed by two, three or four bs followed by a c
ab{2,}c a followed by at least two bs followed by a c
ab*c a followed by any number (zero or more) of bs followed by a c
ab+c a followed by one or more b's followed by a c
ab?c a followed by an optional b followed by a c; that is, either abc or
ac
a.c a followed by any single character (not newline) followed by a c
a\.c a.c exactly
[abc] Any one of a, b and c
[Aa]bc Either of Abc and abc
[abc]+ Any (nonempty) string of as, bs and cs (such as a, abba,
acbabcacaa)
[^abc]+ Any (nonempty) string which does not contain any of a, b, and c
(such as defg)
\d\d Any two decimal digits, such as 42; same as \d{2}
/i Makes the pattern case insensitive. For example, /bad language/i
blocks any instance of bad language regardless of case.
\w+ A word: A nonempty sequence of alphanumeric characters and low
lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk The strings 100 and mk optionally separated by any amount of white
space (spaces, tabs, newlines)
abc\b abc when followed by a word boundary (for example, in abc! but not in
abcd)
perl\B perl when not followed by a word boundary (for example, in perlert but
not in perl stuff)
\x Tells the regular expression parser to ignore white space that is neither
preceded by a backslash character nor within a character class. Use this
to break up a regular expression into (slightly) more readable parts.
/x Used to add regular expressions within other text. If the first character in
a pattern is forward slash '/', the '/' is treated as the delimiter. The pattern
must contain a second '/'. The pattern between / will be taken as a
regular expressions, and anything after the second / will be parsed as a
list of regular expression options ('i', 'x', etc). An error occurs if the
second '/' is missing. In regular expressions, the leading and trailing
space is treated as part of the regular expression.
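As an added example (not Fortinet code), the following Python models the scoring described for web content block and antispam banned word lists together with the pattern rules of this section: wildcard patterns, the /pattern/i option syntax, escaping and the \b word boundary. The Entry type, the sample list and the rejection of unknown options are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not Fortinet code. It models the guide's pattern rules:
# wildcard patterns ('*' = any run of characters, not case sensitive) and
# Perl-style regular expressions (case sensitive unless /.../i is used).


class PatternError(ValueError):
    """Raised for a malformed pattern, e.g. a /regex/ with no closing '/'."""


@dataclass(frozen=True)
class Entry:
    """One banned word / content block list entry (constructed, assumed shape)."""
    pattern: str
    pattern_type: str       # "wildcard" or "regex"
    score: int = 10         # the guide's default score


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches any run of characters; everything else is literal.

    Assumption: only '*' is a wildcard metacharacter, as in the guide's
    forti*.com example. Wildcard patterns are not case sensitive.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def parse_regex(pattern: str) -> "re.Pattern[str]":
    """Compile a regex entry, honouring the guide's /pattern/options form.

    A pattern starting with '/' must contain a second '/'; the text between
    the slashes is the expression (leading/trailing spaces are kept) and the
    text after the second '/' is the option list ('i' and 'x'). Without the
    slashes the whole string is the expression and matching is case sensitive.
    """
    if not pattern.startswith("/"):
        return re.compile(pattern)
    end = pattern.find("/", 1)
    if end == -1:
        raise PatternError(f"missing second '/' in pattern {pattern!r}")
    body, options = pattern[1:end], pattern[end + 1:]
    flags = 0
    for opt in options:
        if opt == "i":
            flags |= re.IGNORECASE
        elif opt == "x":
            flags |= re.VERBOSE
        else:  # assumption: an unknown option is rejected rather than ignored
            raise PatternError(f"unknown option {opt!r} in pattern {pattern!r}")
    return re.compile(body, flags)


def compile_entry(entry: Entry) -> "re.Pattern[str]":
    if entry.pattern_type == "wildcard":
        return wildcard_to_regex(entry.pattern)
    if entry.pattern_type == "regex":
        return parse_regex(entry.pattern)
    raise PatternError(f"unknown pattern type {entry.pattern_type!r}")


def score_content(entries: List[Entry], text: str,
                  threshold: int = 10) -> Tuple[int, bool, List[str]]:
    """Add the scores of every matching entry and compare with the threshold.

    Each entry counts once even if it matches several times (the guide states
    this for antispam banned words; assumed here for web content block too).
    The content is blocked when the total equals or exceeds the threshold.
    """
    total = 0
    hits: List[str] = []
    for entry in entries:
        if compile_entry(entry).search(text):
            total += entry.score
            hits.append(entry.pattern)
    return total, total >= threshold, hits


# Constructed sample list: with the default threshold of 10 a single
# 10-point match blocks, while two 5-point entries must both match.
SAMPLE_LIST = [
    Entry("/bad language/i", "regex", 10),   # case insensitive via /i
    Entry(r"\btest\b", "regex", 5),          # whole word only (\b), case sensitive
    Entry("forti*.com", "wildcard", 5),      # wildcard, equivalent to forti.*\.com
]

if __name__ == "__main__":
    for sample in ("Some BAD LANGUAGE here", "a testimony from www.fortinet.com",
                   "a test at FORTINET.COM", "nothing here"):
        print(repr(sample), "->", score_content(SAMPLE_LIST, sample))
```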
DLP Sensors
DLP sensors are simply collections of DLP rules and DLP compound rules. Once a DLP
sensor is configured, it can be specified in a protection profile. Any traffic handled by the
policy in which the protection profile is specified will enforce the DLP sensor configuration.
Caution: Before use, examine the sensors and rules in the sensors closely to ensure you
understand how they will affect the traffic on your network.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some
content, DLP will not create more than one content archive entry, quarantine item, or ban
entry from the same content.
Content_Archive All non-encrypted email, FTP, HTTP, IM, and NNTP traffic is archived
to a FortiAnalyzer unit or the FortiGuard Analysis and Management
Service. Traffic is only archived. No blocking or quarantine is
performed.
If you have a FortiGate unit that supports SSL content scanning and
inspection, you can modify this sensor to archive encrypted traffic as
well.
Content_Summary A summary of all non-encrypted email, FTP, HTTP, IM, and NNTP
traffic is saved to a FortiAnalyzer unit or the FortiGuard Analysis and
Management Service. No blocking or quarantine is performed.
If you have a FortiGate unit that supports SSL content scanning and
inspection, you can modify this sensor to archive a summary of
encrypted traffic as well.
Credit-Card The number formats used by American Express, Visa, and
Mastercard credit cards are detected in HTTP and email traffic.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
as required.
Large-File Files larger than 5MB will be detected if attached to email messages
or if sent using HTTP or FTP.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
as required.
SSN-Sensor The number formats used by U.S. Social Security and Canadian
Social Insurance numbers are detected in email and HTTP traffic.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
as required.
Action Select the action to be taken against traffic matching the configured DLP rule or DLP
compound rule. The actions are:
None prevents the DLP rule from taking any action on network traffic. Other
matching rules in the same sensor and other sensors may still operate on
matching traffic.
Block prevents the traffic matching the rule from being delivered. The matching
message or download is replaced with the Data leak prevention replacement
message.
Exempt prevents any DLP sensors from taking action on matching traffic. This
action overrides any other action from any matching sensors.
Ban if the user is authenticated, blocks all traffic to or from the user using the
protocol that triggered the rule and the user will be added to the Banned User list.
If the user is not authenticated, all traffic of the protocol that triggered the rule from
the user's IP address will be blocked. If the user that is banned is using HTTP,
FTP, NNTP (or HTTPS if the FortiGate unit supports SSL content scanning and
inspection) the FortiGate unit displays the Banned by data leak prevention
replacement message for the protocol. If the user is using IM, the IM and P2P
Banned by data leak prevention message replaces the banned IM message and
this message is forwarded to the recipient. If the user is using IMAP, POP3, SMTP
(or IMAPS, POP3S, SMTPS if your FortiGate unit supports SSL content scanning
and inspection) the Mail Banned by data leak prevention message replaces the
banned email message and this message is forwarded to the recipient. These
replacement messages also replace all subsequent communication attempts until
the user is removed from the banned user list.
Ban Sender blocks email or IM traffic from the sender of matching email or IM
messages and adds the sender to the Banned User list. This action is available
only for email and IM protocols. For email, the sender is determined by the From:
address in the email header. For IM, all members of an IM session are senders
and the senders are determined by finding the IM user IDs in the session. Similar
to Ban, the IM or Mail Banned by data leak prevention message replaces the
banned message and this message is forwarded to the recipient. These
replacement messages also replace all subsequent communication attempts until
the user is removed from the banned user list.
Quarantine IP address blocks access through the FortiGate unit for any IP
address that sends traffic matching a sensor with this action. The IP address is
added to the Banned User list. The FortiGate unit displays the NAC Quarantine
DLP Message replacement message for all connection attempts from this IP
address until the IP address is removed from the banned user list.
Quarantine Interface blocks access to the network for all users connecting to the
interface that received traffic matching a sensor with this action. The FortiGate unit
displays the NAC Quarantine DLP Message replacement message for all
connection attempts to the interface until the interface is removed from the banned
user list.
Ban, Ban Sender, Quarantine IP, and Quarantine Interface provide functionality
similar to NAC quarantine. However, these DLP options cause DLP to block users
and IP addresses at the application layer while NAC quarantine blocks IP addresses
and interfaces at the network layer. For more information, see NAC quarantine and
the Banned User list on page 595.
For more information about configuring DLP replacement messages, see
Replacement messages on page 194.
If you have configured DLP to block IP addresses and the FortiGate unit receives
sessions that have passed through a NAT device, all traffic from that NAT device
could be blocked, not just the individual user. You can avoid this problem by
implementing authentication or, where possible, by selecting Ban Sender.
Archive Content archive all traffic matching the DLP rule or compound rule. For more
information about content archiving, see Content Archive on page 667.
Expires When the action is set to Ban, Ban Sender, or Quarantine IP address, you can specify
how long the ban will last. Select Indefinite for a ban ending only if the offender is
manually removed from the banned user list, or select After and enter the required
number of minutes, hours or days the ban will last. When the specified duration
expires, the offender is automatically removed from the banned user list.
Member Type Select Rule or Compound Rule. The rules of the selected type will be displayed
in the table below.
Name The names of all available rules or compound rules.
Description The optional description entered for each rule or compound rule.
Tip: The None action can be extremely useful when used with the Archive function.
Together, these two settings make a rule log matching traffic but allow it to pass. This
can be useful when adding a new rule to a FortiGate unit handling live traffic. The effect
of the new rule can be checked before it has any effect on network traffic.
DLP Rules
DLP rules are the core element of the data leak prevention feature. These rules define the
data to be protected so the FortiGate unit can recognize it. For example, an included rule
uses regular expressions to describe Social Security number:
([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}
Rather than having to list every possible Social Security number, this regular expression
describes the structure of a Social Security number. The pattern is easily recognizable by
the FortiGate unit. For more information about regular expressions, see Using wildcards
and Perl regular expressions on page 506.
DLP rules can be combined into compound rules and they can be included in sensors. If
rules are specified directly in a sensor, traffic matching any single rule will trigger the
configured action. If the rules are first combined into a compound rule and then specified
in a sensor, every rule in the compound rule must match the traffic to trigger the configured
action.
Individual rules in a sensor are linked with an implicit OR condition while rules within a
compound rule are linked with an implicit AND condition.
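An added example, not Fortinet code, that evaluates a DLP sensor the way this section describes: rule members are ORed, rules inside a compound rule are ANDed, and an Exempt action overrides the others, using the guide's Social Security number expression. The Message record, the 5 MiB size cutoff and the choice of the first non-None action are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

# Added example, not Fortinet code. Models the guide's sensor semantics:
# rules placed directly in a sensor are ORed, rules inside a compound rule
# are ANDed, and an Exempt action overrides every other action.

Message = Dict[str, object]   # constructed record: protocol, body, attachment_size

# The U.S. Social Security number expression quoted in the guide.
SSN_RE = re.compile(r"([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}")
EMAIL_PROTOCOLS = frozenset({"smtp", "pop3", "imap"})
LARGE_FILE_BYTES = 5 * 1024 * 1024   # assumption: the guide's "5MB" read as 5 MiB


@dataclass(frozen=True)
class Rule:
    name: str
    protocols: frozenset                 # traffic types the rule is enabled for
    test: Callable[[Message], bool]

    def matches(self, msg: Message) -> bool:
        return msg["protocol"] in self.protocols and self.test(msg)


@dataclass(frozen=True)
class CompoundRule:
    name: str
    rules: Tuple[Rule, ...]

    def matches(self, msg: Message) -> bool:
        return all(r.matches(msg) for r in self.rules)   # implicit AND


@dataclass(frozen=True)
class Member:
    rule: Union[Rule, CompoundRule]
    action: str   # "None", "Block", "Exempt", ... as named in the guide


@dataclass(frozen=True)
class Sensor:
    name: str
    members: Tuple[Member, ...]

    def evaluate(self, msg: Message) -> Tuple[str, List[str]]:
        """Return (effective action, names of the matching members)."""
        matched = [m for m in self.members if m.rule.matches(msg)]  # implicit OR
        names = [m.rule.name for m in matched]
        actions = [m.action for m in matched]
        if "Exempt" in actions:            # Exempt overrides any other action
            return "Exempt", names
        # Assumption: a None member lets other matching members act, so the
        # first non-None action wins, and only one action is taken.
        for action in actions:
            if action != "None":
                return action, names
        return "None", names


# Rules modelled on the guide's predefined rules (constructed here).
EMAIL_US_SSN = Rule("Email-US-SSN", EMAIL_PROTOCOLS,
                    lambda m: SSN_RE.search(str(m.get("body", ""))) is not None)
LARGE_ATTACHMENT = Rule("Large-Attachment", EMAIL_PROTOCOLS,
                        lambda m: int(m.get("attachment_size", 0)) > LARGE_FILE_BYTES)
ALL_EMAIL = Rule("All-Email", EMAIL_PROTOCOLS, lambda m: True)

# Sensor 1: rules directly in the sensor, so either rule alone triggers Block.
SSN_OR_LARGE = Sensor("SSN-or-Large", (
    Member(EMAIL_US_SSN, "Block"),
    Member(LARGE_ATTACHMENT, "Block"),
))
# Sensor 2: the same rules inside a compound rule, so both must match.
SSN_AND_LARGE = Sensor("SSN-and-Large", (
    Member(CompoundRule("SSN-in-large-mail", (EMAIL_US_SSN, LARGE_ATTACHMENT)), "Block"),
))
# Sensor 3: an Exempt member overrides the Block of another matching member.
EXEMPT_ALL_MAIL = Sensor("Exempt-mail", (
    Member(LARGE_ATTACHMENT, "Block"),
    Member(ALL_EMAIL, "Exempt"),
))

# Constructed sample traffic.
SSN_SMALL_MAIL: Message = {"protocol": "smtp", "body": "my SSN is 123-45-6789",
                           "attachment_size": 1024}
SSN_LARGE_MAIL: Message = {"protocol": "smtp", "body": "SSN 772 12 3456 attached",
                           "attachment_size": 6 * 1024 * 1024}
PLAIN_HTTP: Message = {"protocol": "http", "body": "123-45-6789", "attachment_size": 0}

if __name__ == "__main__":
    for sensor in (SSN_OR_LARGE, SSN_AND_LARGE, EXEMPT_ALL_MAIL):
        for msg in (SSN_SMALL_MAIL, SSN_LARGE_MAIL, PLAIN_HTTP):
            print(sensor.name, msg["protocol"], "->", sensor.evaluate(msg))
```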
Note: These rules affect only unencrypted traffic types. If you are using a FortiGate unit
able to decrypt and examine encrypted traffic, you can enable those traffic types in these
rules to extend their functionality if required.
Caution: Before use, examine the rules closely to ensure you understand how they will
affect the traffic on your network.
All-Email, All-FTP, All-HTTP, All-IM, All-NNTP These rules detect all traffic of the
specified type.
Email-AmEx, Email-Canada-SIN, Email-US-SSN, Email-Visa-Mastercard These four rules
detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social
Security Numbers, or Visa and Mastercard numbers within the message bodies of SMTP,
POP3, and IMAP email traffic.
HTTP-AmEx, HTTP-Canada-SIN, HTTP-US-SSN, HTTP-Visa-Mastercard These four rules
detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social
Security Numbers, or Visa and Mastercard numbers within the POST command in HTTP
traffic. The HTTP POST is used to send information to a web server.
As written, these rules are designed to detect data the user is sending to web servers.
They do not detect data retrieved with the HTTP GET command, which is used to load
web pages.
Large-Attachment This rule detects files larger than 5MB attached to SMTP, POP3, and
IMAP email messages.
Large-FTP-Put This rule detects files larger than 5MB sent using the FTP PUT
protocol. Files received using FTP GET are not examined.
Large-HTTP-Post This rule detects files larger than 5MB sent using the HTTP POST
protocol. Files received using HTTP GET are not examined.
File Options You can select file options for any protocol to configure how the DLP
rule handles archive files, MS-Word files, and PDF files found in
content traffic.
Scan archive contents When selected, files within archives are extracted and scanned in the
same way as files that are not archived.
Scan archive files When selected, archives are scanned as a whole. The files within the
whole archive are not extracted and scanned individually.
Scan MS-Word text When selected, the text contents of MS Word DOC documents are
extracted and scanned for a match. All metadata and binary
information is ignored.
Note: Office 2007/2008 DOCX files are not recognized as MS-Word
by the DLP scanner. To scan the contents of DOCX files, select the
Scan archive contents option.
Scan MS-Word file whole When selected, MS Word DOC files are scanned. All binary and
metadata information is included.
If you are scanning for text entered in a DOC file, use the
Scan MS-Word text option. Binary formatting codes and file information
may appear within the text, causing text matches to fail.
Note: Office 2007/2008 DOCX files are not recognized as MS-Word
by the DLP scanner. To scan the contents of DOCX files, select the
Scan archive contents option.
Scan PDF text When selected, the text contents of PDF documents are extracted and
scanned for a match. All metadata and binary information is ignored.
Scan PDF file whole When selected, PDF files are scanned. All binary and metadata
information is included.
If you are scanning for text in PDF files, use the Scan PDF Text
option. Binary formatting codes and file information may appear within
the text, causing text matches to fail.
Rule Use the Rule settings to configure the content that the DLP rule
matches.
Attachment size Check the attachment file size.
This option is available for Email.
Attachment type Search email messages for file types or file patterns as specified in the
selected file filter.
This option is available for Email.
Authenticated User Search for traffic from the specified authenticated user.
Binary file pattern Search for the specified binary string in network traffic.
Body Search for the specified string in the message or page body.
This option is available for Email, HTTP, and NNTP.
CGI parameters Search for the specified CGI parameters in any web page with CGI
code.
This option is available for HTTP.
Cookie Search the contents of cookies for the specified text.
This option is available for HTTP.
File is/not encrypted Check whether the file is or is not encrypted. Encrypted files are
archives and MS Word files protected with passwords. Because they
are password protected, the FortiGate unit cannot scan the contents
of encrypted files.
File text Search for the specified text in transferred text files.
This option is available for FTP, IM, and NNTP.
File type Search for the specified file patterns and file types. The patterns and
types are configured in file filter lists, and a list is selected in the DLP rule.
For more information about file filter lists, see File Filter on page 443.
This option is available for FTP, HTTP, IM, and NNTP.
Hostname Search for the specified host name when contacting a HTTP server.
HTTP header Search for the specified string in HTTP headers.
Receiver Search for the specified string in the message recipient email address.
This option is available for Email.
Sender Search for the specified string in the message sender user ID or email
address. This option is available for Email and IM.
For email, the sender is determined by the From: address in the email
header. For IM, all members of an IM session are senders and the
senders are determined by finding the IM user IDs in the session.
Server Search for the server's IP address in a specified address range.
This option is available for FTP and NNTP.
Subject Search for the specified string in the message subject.
This option is available for Email.
Transfer size Check the total size of the information transfer. In the case of email
traffic for example, the transfer size includes the message header,
body, and any encoded attachment.
URL Search for the specified URL in HTTP traffic.
User group Search for traffic from any user in the specified user group.
Rule operators:
matches/does not match This operator specifies whether the FortiGate unit is searching for the
presence of the specified string, or for its absence.
Matches: The rule will be triggered if the specified string is found in
network traffic.
Does not match: The rule will be triggered if the specified string is
not found in network traffic.
ASCII/UTF-8 Select the encoding used for text files and messages.
Regular Expression/Wildcard Select the means by which patterns are defined.
For more information about wildcards and regular expressions, see
Using wildcards and Perl regular expressions on page 506.
is/is not This operator specifies if the rule is triggered when a condition is true
or not true.
Is: The rule will be triggered if the rule is true.
Is not: The rule will be triggered if the rule is not true.
For example, if a rule specifies that a file type is found within a
specified file type list, all matching files will trigger the rule.
Conversely, if the rule specifies that a file type is not found in a file
type list, only the file types not in the list would trigger the rule.
==/>=/<=/!= These operators allow you to compare the size of a transfer or
attached file to an entered value.
== is equal to the entered value.
>= is greater than or equal to the entered value.
<= is less than or equal to the entered value.
!= is not equal to the entered value.
Rule 2 checks SMTP traffic for the word sale in the message body
When the sensor is used, either rule could be activated if its configured condition is true. If
only one condition is true, only the corresponding rule would be activated. Depending on
the contents of the SMTP traffic, neither, either, or both could be activated.
If you remove these rules from the sensor, add them to a compound rule, and add the
compound rule to the sensor, the conditions in both rules have to be present in network
traffic to activate the compound rule. If only one condition is present, the message passes
without any rule or compound rule being activated.
By combining the individually configurable attributes of multiple rules, compound rules
allow you to specify far more detailed and specific conditions to trigger an action.
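To make the OR-between-rules and AND-within-a-compound-rule semantics concrete, here is an added Python model of a sensor (example code for this page, not FortiOS code). It evaluates two constructed SMTP messages against the same two conditions, a Large-Attachment style size check and a body match on the word "sale", once as separate rules in a sensor and once combined in a compound rule. The rule operators (matches/does not match, wildcard or regular expression, and the size comparisons) follow the descriptions above; the message fields and their names are this example's assumptions.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Union

# Constructed SMTP messages as a DLP sensor might see them (not captured traffic).
MB = 1024 * 1024
BIG_SALE_MAIL = {"protocol": "smtp", "subject": "Catalogue",
                 "body": "Big SALE on widgets this week", "attachment_size": 7 * MB}
SMALL_SALE_MAIL = {"protocol": "smtp", "subject": "Catalogue",
                   "body": "Big SALE on widgets this week", "attachment_size": 120 * 1024}


@dataclass
class Rule:
    name: str
    field: str
    op: str                    # matches / does_not_match for text; ==, >=, <=, != for sizes
    value: Any
    pattern: str = "wildcard"  # "wildcard" or "regex", as in the rule settings

    def hit(self, msg: Dict[str, Any]) -> bool:
        actual = msg.get(self.field)
        if actual is None:
            return False       # attribute not present for this protocol: cannot match
        if self.op in ("matches", "does_not_match"):
            if self.pattern == "regex":
                found = re.search(self.value, actual, re.IGNORECASE) is not None
            else:
                found = fnmatch.fnmatchcase(actual.lower(), self.value.lower())
            return found if self.op == "matches" else not found
        return {"==": actual == self.value, ">=": actual >= self.value,
                "<=": actual <= self.value, "!=": actual != self.value}[self.op]


@dataclass
class CompoundRule:
    name: str
    rules: List[Rule]

    def hit(self, msg: Dict[str, Any]) -> bool:
        return all(r.hit(msg) for r in self.rules)   # implicit AND


@dataclass
class Sensor:
    name: str
    entries: List[Union[Rule, CompoundRule]]

    def triggered(self, msg: Dict[str, Any]) -> List[str]:
        """Names of the entries whose condition holds. Entries are implicitly
        ORed, so any non-empty result means the sensor's action applies."""
        return [e.name for e in self.entries if e.hit(msg)]


large_attachment = Rule("Large-Attachment", "attachment_size", ">=", 5 * MB)
sale_in_body = Rule("Body-Sale", "body", "matches", "*sale*")

# The same two conditions, once as separate rules and once inside a compound rule.
SEPARATE = Sensor("separate", [large_attachment, sale_in_body])
COMPOUND = Sensor("compound",
                  [CompoundRule("Large-Sale-Mail", [large_attachment, sale_in_body])])

if __name__ == "__main__":
    for msg in (BIG_SALE_MAIL, SMALL_SALE_MAIL):
        print(msg["attachment_size"] // 1024, "KB attachment:",
              "separate ->", SEPARATE.triggered(msg),
              "compound ->", COMPOUND.triggered(msg))
```

The small-attachment message is the case the text describes: in the sensor with separate rules it still fires on Body-Sale, while in the compound sensor it passes with nothing triggered, because only one of the two conditions is present.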
Application Control
This section describes how to configure the application control options associated with
firewall protection profiles.
If you enable virtual domains (VDOMs) on the FortiGate unit, the application control
configuration of each VDOM is entirely separate. For example, application lists created in
one VDOM will not be visible in other VDOMs. For details, see Using virtual domains on
page 103.
This section describes:
What is application control?
FortiGuard application control database
Viewing the application control lists
Creating a new application control list
Configuring an application control list
Adding or configuring an application control list entry
Application control statistics
Create New Select Create New to add a new application control list.
Name The available application control lists.
# of Entries The number of application rules in each application control list.
Profiles The protection profile each application control list has been applied to.
If the list has not been applied to a protection profile, this field will be
blank.
Comment An optional description of each application control list.
Delete icon Select to remove the application control list. The delete icon is only
available if the application control list is not selected in any protection
profiles.
Edit icon Select to edit the application control list.
Figure 346: The create a new application control list dialog window
Session TTL The application's session TTL. If this option is not enabled, the TTL
defaults to the setting of the config system session-ttl CLI
command.
Enable Logging When enabled, the FortiGate unit will log the occurrence and the
action taken if traffic from the specified application is detected.
In addition to these options, some IM applications and VoIP protocols have additional
options:
IM options
Block Login Select to prevent users from logging in to the selected IM system.
Block File Transfers Select to prevent the sending and receiving of files using the selected
IM system.
Block Audio Select to prevent audio communication using the selected IM system.
Inspect Non-standard Port Select to allow the FortiGate unit to examine non-standard ports for
the IM client traffic.
Display content meta-information on the system dashboard Select to include meta-information detected for the IM system on the
FortiGate unit dashboard.
VoIP options
Limit Call Setup Enter the maximum number of calls each client can set up per minute.
Limit REGISTER request Enter the maximum number of REGISTER requests per second allowed
for the firewall policy.
Limit INVITE request Enter the maximum number of INVITE requests per second allowed for
the firewall policy.
Enable Logging of Violations Select to enable logging of violations.
Other options
Command Some traffic types include a command option. Specify a command
that appears in the traffic that you want to block or pass.
For example, enter GET as a command in the FTP.Command
application to have the FortiGate unit examine FTP traffic for the GET
command. Multiple commands can be entered.
Method A method option is available for HTTP, RTSP, and SIP protocols.
Specify a method that appears in the traffic that you want to block or
pass.
For example, enter POST as a method in the HTTP.Method application
to have the FortiGate unit examine HTTP traffic for the POST method.
Multiple methods can be entered.
Program Number Enter the program number appearing in Sun Remote Procedure Calls
(RPC) that you want to block or pass. Multiple program numbers can
be entered.
UUID Enter the UUID appearing in Microsoft Remote Procedure Calls
(MSRPC) that you want to block or pass. Multiple UUIDs can be
entered.
Automatic Refresh Interval Select the automatic refresh interval for statistics. Set the interval from
none to 30 seconds.
Refresh Click to refresh the page with the latest statistics.
Reset Stats Click to reset the statistics to zero.
Users For each IM protocol, the following user information is listed:
Current Users
(Users) Since Last Reset
(Users) Blocked.
Chat For each IM protocol, the following chat information is listed:
Total Chat Sessions
Server-based Chat (Sessions)
Group Chat (Sessions)
Direct/Private Chat (Sessions)
Messages For each IM protocol, the following message information is listed:
Total Messages
Sent
Received
File Transfers For each IM protocol, the following file transfer information is listed:
(Files transferred) Since Last Reset
(Files) Sent
(Files) Received
(Files) Blocked.
Voice Chat For each IM protocol, the following voice chat information is listed:
(Voice chats) Since Last Reset
(Voice chats) Blocked.
P2P Usage For each P2P protocol, the following usage information is listed:
Total Bytes (transferred)
Average Bandwidth.
If the action for a P2P application is set to pass, the statistics will
display the total usage of the P2P application. Applications set to
Block will not affect the statistics.
Note that the same application can have different actions set in
different application control lists. In this case, the traffic handled by the
lists with the Pass action will be reflected in the statistics. The traffic
handled by the lists with the Block action will not be reflected.
VoIP Usage For SIP and SCCP protocol, the following information is listed:
Active Sessions (phones connected, etc)
Total Calls (since last reset)
Calls Failed/Dropped
Calls Succeeded
IPSec VPN
This section provides information about Internet Protocol Security (IPSec) VPN
configuration options available through the web-based manager. FortiGate units support
both policy-based (tunnel-mode) and route-based (interface mode) VPNs.
Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN
User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is configured
separately for each virtual domain. For details, see Using virtual domains on page 103.
This section describes:
Overview of IPSec VPN configuration
Policy-based versus route-based VPNs
Auto Key
Manual Key
Internet browsing configuration
Concentrator
Monitoring VPNs
Note: You must use steps 1 and 2 if you want the FortiGate unit to generate unique
IPSec encryption and authentication keys automatically. If a remote VPN peer or client
requires a specific IPSec encryption or authentication key, you must configure the
FortiGate unit to use manual keys instead. For more information, see Manual Key on
page 541.
3 Create a firewall policy to permit communication between your private network and the
VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-
based VPN, the firewall policy action is ACCEPT. See Configuring firewall policies on
page 323.
For more information about configuring IPSec VPNs, see the FortiGate IPSec VPN User
Guide.
Policy-based:
Available in NAT/Route or Transparent mode.
Requires a firewall policy with IPSEC action that specifies the VPN tunnel. One
policy controls connections in both directions.
Route-based:
Available only in NAT/Route mode.
Requires only a simple firewall policy with ACCEPT action. A separate policy is
required for connections in each direction.
You create a policy-based VPN by defining an IPSEC firewall policy between two network
interfaces and associating it with the VPN tunnel (phase 1 or manual key) configuration.
You need only one firewall policy, even if either end of the VPN can initiate a connection.
You create a route-based VPN by enabling IPSec interface mode when you create the
VPN phase 1 or manual key configuration. This creates a virtual IPSec interface that is
bound to the local interface you selected. You then define an ACCEPT firewall policy to
permit traffic to flow between the virtual IPSec interface and another network interface. If
either end of the VPN can initiate the connection, you need two firewall policies, one for
each direction.
Virtual IPSec interface bindings are shown on the network interfaces page. (Go to System
> Network > Interface.) The names of all tunnels bound to physical, aggregate, VLAN,
inter-VDOM link or wireless interfaces are displayed under their associated interface
names in the Name column. For more information, see Interfaces on page 119. As with
other interfaces, you can include a virtual IPSec interface in a zone.
Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a
concentrator function. This is available only for policy-based VPNs, but you can create the
equivalent function for a route-based VPN in any of the following ways:
Define a firewall policy between each pair of IPSec interfaces that you want to
concentrate. This can be time-consuming to maintain if you have many site-to-site
connections, since the number of policies required increases rapidly as the number of
spokes increases.
Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more
than one IPSec interface in the zone.
For more information and an example, see the FortiGate IPSec VPN User Guide.
Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy. You
can configure several routes for the same IP traffic with different route metrics. You can
also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through
VPN tunnels. If the primary VPN connection fails or the priority of a route changes through
dynamic routing, an alternative route will be selected to forward traffic through the
redundant connection.
A simple way to provide failover redundancy is to create a backup IPSec interface. You
can do this in the CLI. For more information, including an example configuration, see the
monitor-phase1 keyword for the ipsec vpn phase1-interface command in the
FortiGate CLI Reference.
Routing
Optionally, through the CLI, you can define a specific default route for a virtual IPSec
interface. For more information, see the default-gw keyword for the
vpn ipsec phase1-interface command in the FortiGate CLI Reference.
Auto Key
You can configure two VPN peers (or a FortiGate dialup server and a VPN client) to
generate unique Internet Key Exchange (IKE) keys automatically during the IPSec
phase 1 and phase 2 exchanges.
When you define phase 2 parameters, you can choose any set of phase 1 parameters to
set up a secure connection for the tunnel and authenticate the remote peer.
Auto Key configuration applies to both tunnel-mode and interface-mode VPNs.
To configure an Auto Key VPN, go to VPN > IPSEC > Auto Key (IKE).
Create Phase 1 Create a new phase 1 tunnel configuration. For more information, see
Creating a new phase 1 configuration on page 534.
Create Phase 2 Create a new phase 2 configuration. For more information, see Creating a
new phase 2 configuration on page 538.
Phase 1 The names of existing phase 1 tunnel configurations.
Phase 2 The names of existing phase 2 configurations.
Interface Binding The names of the local interfaces to which IPSec tunnels are bound. These
can be physical, aggregate, VLAN, inter-VDOM link or wireless interfaces.
Delete and Edit icons Delete or edit a phase 1 configuration.
Local Interface This option is available in NAT/Route mode only. Select the name of
the interface through which remote peers or dialup clients connect to
the FortiGate unit.
By default, the local VPN gateway IP address is the IP address of
the interface that you selected. Optionally, you can specify a unique
IP address for the VPN gateway in the Advanced settings. For more
information, see Local Gateway IP on page 537.
Mode Select Main or Aggressive:
In Main mode, the phase 1 parameters are exchanged in multiple
rounds, and the authentication information is sent encrypted.
In Aggressive mode, the phase 1 parameters are exchanged in
fewer messages, and the authentication information (including the
peer identity) is sent before encryption is established, so it is not
encrypted.
When the remote VPN peer has a dynamic IP address and is
authenticated by a pre-shared key, you must select Aggressive
mode if there is more than one dialup phase 1 configuration for the
interface IP address.
When the remote VPN peer has a dynamic IP address and is
authenticated by a certificate, you must select Aggressive mode if
there is more than one phase 1 configuration for the interface IP
address and these phase 1 configurations use different proposals.
Peer Options settings may require a particular mode. See Peer
Options, below.
Authentication Method Select Preshared Key or RSA Signature.
Pre-shared Key If you selected Pre-shared Key, type the pre-shared key that the
FortiGate unit will use to authenticate itself to the remote peer or
dialup client during phase 1 negotiations. You must define the same
value at the remote peer or client. The key must contain at least 6
printable characters and should be known only by network
administrators. For optimum protection against currently known
attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.
Certificate Name If you selected RSA Signature, select the name of the server
certificate that the FortiGate unit will use to authenticate itself to the
remote peer or dialup client during phase 1 negotiations. For
information about obtaining and loading the required server
certificate, see the FortiGate Certificate Management User Guide.
Peer Options One or more of the following options are available to authenticate
VPN peers or clients, depending on the Remote Gateway and
Authentication Method settings.
Accept any peer ID Accept the local ID of any remote VPN peer or client. The FortiGate
unit does not check identifiers (local IDs). You can set Mode to
Aggressive or Main.
You can use this option with RSA Signature authentication. But, for
highest security, you should configure a PKI user/group for the peer
and set Peer Options to Accept this peer certificate only.
Accept this peer ID This option is available only if the remote peer has a dynamic IP
address. Enter the identifier that is used to authenticate the remote
peer. This identifier must match the identifier that the remote peer's
administrator has configured.
If the remote peer is a FortiGate unit, the identifier is specified in the
Local ID field of the phase 1 configuration.
If the remote peer is a FortiClient dialup client, the identifier is
specified in the Local ID field, accessed by selecting Config in the
Policy section of the VPN connection's Advanced Settings.
Accept peer ID in dialup Authenticate multiple FortiGate or FortiClient dialup clients that use
group unique identifiers and unique pre-shared keys (or unique pre-shared
keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes.
(For more information, see User Group on page 583.) Select the
group from the list next to the Accept peer ID in dialup group option.
For more information about configuring FortiGate dialup clients, see
the FortiGate IPSec VPN User Guide. For more information about
configuring FortiClient dialup clients, see the Authenticating
FortiClient Dialup Clients Technical Note.
You must set Mode to Aggressive when the dialup clients use unique
identifiers and unique pre-shared keys. If the dialup clients use
unique pre-shared keys only, you can set Mode to Main if there is
only one dialup phase 1 configuration for this interface IP address.
Accept this peer This option is available when Authentication Method is set to
certificate only RSA Signature.
Authenticate remote peers or dialup clients that use a security
certificate. Select the certificate from the list next to the option.
You must add peer certificates to the FortiGate configuration before
you can select them here. For more information, see PKI on
page 581.
Accept this peer This option is available when Authentication Method is set to
certificate group only RSA Signature and Remote Gateway is set to Dialup User.
Use a certificate group to authenticate dialup clients that have
dynamic IP addresses and use unique certificates.
Select the name of the peer group from the list. You must first create
the group through the config user peergrp CLI command
before you can select it. For more information, see the user chapter
of the FortiGate CLI Reference. Members of the peer group must be
certificates added by using the config user peer CLI command.
You can also add peer certificates using the web-based manager.
For more information, see PKI on page 581.
Advanced Define advanced phase 1 parameters. For more information, see
Defining phase 1 advanced settings on page 536.
To configure phase 2 settings, go to VPN > IPSEC > Auto Key (IKE) and select Create
Phase 2. For information about how to choose the correct phase 2 settings for your
particular situation, see the FortiGate IPSec VPN User Guide.
P2 Proposal Select the encryption and authentication algorithms that will be proposed to
the remote VPN peer. You can specify up to three proposals. To establish a
VPN connection, at least one of the proposals that you specify must match
configuration on the remote peer.
Initially there are two proposals. Add and Delete icons are next to the
second Authentication field. To specify only one proposal, select Delete to
remove the second proposal. To specify a third proposal, select Add.
It is invalid to set both Encryption and Authentication to NULL.
Encryption Select one of the following symmetric-key algorithms:
NULL Do not use an encryption algorithm.
DES Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES Triple-DES, in which plain text is encrypted three times by three
keys.
AES128 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 128-bit key.
AES192 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 192-bit key.
AES256 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 256-bit key.
Authentication Select one of the following message digests to check the authenticity of
messages during an encrypted session:
NULL Do not use a message digest.
MD5 Message Digest 5, the hash algorithm developed by RSA Data
Security.
SHA1 Secure Hash Algorithm 1, which produces a 160-bit message
digest.
Enable replay detection Optionally enable or disable replay detection. Replay attacks occur when an
unauthorized party intercepts a series of IPSec packets and replays them
back into the tunnel.
Enable perfect forward secrecy (PFS) Enable or disable PFS. Perfect forward secrecy (PFS) improves security by
forcing a new Diffie-Hellman exchange whenever keylife expires.
DH Group Select one Diffie-Hellman group (1, 2, or 5). This must match the DH Group
that the remote peer or dialup client uses.
Keylife Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select Both, the key expires when either the time has
passed or the number of KB have been processed. The range is from 120 to
172 800 seconds, or from 5120 to 2 147 483 648 KB.
Autokey Keep Alive Select the check box if you want the tunnel to remain active when no data is
being processed.
DHCP-IPSec Provide IP addresses dynamically to VPN clients. This is available for
phase 2 configurations associated with a dialup phase 1 configuration.
You also need to configure a DHCP server or relay on the private network
interface. You must configure the DHCP parameters separately. For more
information, see System DHCP on page 171.
If you configure the DHCP server to assign IP addresses based on RADIUS
user group attributes, you must also set the Phase 1 Peer Options to Accept
peer ID in dialup group and select the appropriate user group. See Creating
a new phase 1 configuration on page 534.
If the FortiGate unit acts as a dialup server and you manually assigned
FortiClient dialup clients VIP addresses that match the network behind the
dialup server, selecting the check box will cause the FortiGate unit to act as
a proxy for the dialup clients.
Note: You can configure settings so that VPN users can browse the Internet through the
FortiGate unit. For more information, see Internet browsing configuration on page 544.
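The P2 Proposal, DH Group and Keylife rows above define a small set of constraints: one to three proposals, never NULL/NULL, a DH group from 1, 2 or 5 that must match the peer, keylife within 120 to 172 800 seconds or 5120 to 2 147 483 648 KB, and under Both the key expires when either limit is reached. The following added Python model (example code for this page, not FortiOS) checks those constraints, picks the proposal a peer pair would agree on, and flags DES and MD5 as weak. Taking the local proposal list in order so that the first shared entry wins is this example's assumption about negotiation order, not a statement about FortiGate's IKE implementation.

```python
from typing import List, Optional, Set, Tuple

Proposal = Tuple[str, str]   # (encryption, authentication), lower-case names from the table

ENCRYPTION = ("null", "des", "3des", "aes128", "aes192", "aes256")
AUTHENTICATION = ("null", "md5", "sha1")
DH_GROUPS = (1, 2, 5)
SECONDS_RANGE = (120, 172_800)
KBYTES_RANGE = (5120, 2_147_483_648)
WEAK = {"null", "des", "md5"}   # this example's own judgement: avoid these today


def check_proposals(proposals: List[Proposal]) -> Optional[str]:
    """Return None when the list is acceptable, otherwise the reason it is not."""
    if not 1 <= len(proposals) <= 3:
        return "between one and three proposals are allowed"
    for enc, auth in proposals:
        if enc not in ENCRYPTION or auth not in AUTHENTICATION:
            return f"unknown algorithm in proposal {enc}/{auth}"
        if enc == "null" and auth == "null":
            return "encryption and authentication cannot both be NULL"
    return None


def weak_algorithms(proposal: Proposal) -> Set[str]:
    return {name for name in proposal if name in WEAK}


def negotiate(local: List[Proposal], remote: List[Proposal],
              local_dh: int, remote_dh: int) -> Optional[Proposal]:
    """First local proposal that the remote peer also offers, or None when
    nothing matches, a list is invalid, or the DH groups differ."""
    if check_proposals(local) or check_proposals(remote):
        return None
    if local_dh not in DH_GROUPS or local_dh != remote_dh:
        return None
    offered = set(remote)
    for proposal in local:
        if proposal in offered:
            return proposal
    return None


def check_keylife(keylife_seconds: Optional[int] = None,
                  keylife_kbytes: Optional[int] = None) -> Optional[str]:
    if keylife_seconds is None and keylife_kbytes is None:
        return "at least one keylife limit is required"
    if keylife_seconds is not None and not SECONDS_RANGE[0] <= keylife_seconds <= SECONDS_RANGE[1]:
        return f"keylife seconds must be within {SECONDS_RANGE}"
    if keylife_kbytes is not None and not KBYTES_RANGE[0] <= keylife_kbytes <= KBYTES_RANGE[1]:
        return f"keylife KB must be within {KBYTES_RANGE}"
    return None


def key_expired(age_seconds: int, kbytes_processed: int,
                keylife_seconds: Optional[int] = None,
                keylife_kbytes: Optional[int] = None) -> bool:
    """Seconds, KBytes or Both: when both limits are set the key expires as
    soon as EITHER is reached, which is the Both semantics described above."""
    problem = check_keylife(keylife_seconds, keylife_kbytes)
    if problem:
        raise ValueError(problem)
    by_time = keylife_seconds is not None and age_seconds >= keylife_seconds
    by_volume = keylife_kbytes is not None and kbytes_processed >= keylife_kbytes
    return by_time or by_volume


if __name__ == "__main__":
    ours = [("aes256", "sha1"), ("3des", "md5")]
    theirs = [("3des", "md5"), ("aes256", "sha1")]
    chosen = negotiate(ours, theirs, 5, 5)
    print("agreed:", chosen, "weak:", weak_algorithms(chosen) if chosen else None)
    print("DH mismatch:", negotiate(ours, theirs, 5, 2))
    print("expired under Both:", key_expired(3600, 6000, 86400, 5120))
```

Listing a 3DES/MD5 fallback after AES256/SHA1 is the kind of configuration this check is meant to surface: the tunnel comes up with the strong proposal only as long as the peer offers it, and silently drops to the weak one otherwise.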
Quick Mode Selector Optionally specify the source and destination IP addresses to be used as selectors
for IKE negotiations. If the FortiGate unit is a dialup server, you should keep the
default value 0.0.0.0/0 unless you need to circumvent problems caused by
ambiguous IP addresses between one or more of the private networks making up
the VPN. You can specify a single host IP address, an IP address range, or a
network address. You may optionally specify source and destination port numbers
and a protocol number.
If you are editing an existing phase 2 configuration, the Source address and
Destination address fields are unavailable if the tunnel has been configured to use
firewall addresses as selectors. This option exists only in the CLI. For more
information, see the dst-addr-type, dst-name, src-addr-type and src-
name keywords for the vpn ipsec phase2 command in the FortiGate CLI
Reference.
Source address If the FortiGate unit is a dialup server, type the source IP
address that corresponds to the local senders or network
behind the local VPN peer (for example, 172.16.5.0/24 or
172.16.5.0/255.255.255.0 for a subnet, or
172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a
server or host, or 192.168.10.[80-100] or
192.168.10.80-192.168.10.100 for an address range).
A value of 0.0.0.0/0 means all IP addresses behind the
local VPN peer.
If the FortiGate unit is a dialup client, source address must
refer to the private network behind the FortiGate dialup client.
Source port Type the port number that the local VPN peer uses to
transport traffic related to the specified service (protocol
number). The range is from 0 to 65535. To specify all ports,
type 0.
Destination address Type the destination IP address that corresponds to the
recipients or network behind the remote VPN peer (for
example, 192.168.20.0/24 for a subnet, or
172.16.5.1/32 for a server or host, or
192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all
IP addresses behind the remote VPN peer.
Destination port Type the port number that the remote VPN peer uses to
transport traffic related to the specified service (protocol
number). The range is from 0 to 65535. To specify all ports,
type 0.
Protocol Type the IP protocol number of the service. The range is from
0 to 255. To specify all services, type 0.
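The selector fields accept several address notations (a.b.c.d/nn, a.b.c.d/mask, a.b.c.[x-y], a.b.c.d-e.f.g.h, and 0.0.0.0/0 for any) and treat port 0 and protocol 0 as wildcards. The following added Python example (written for this page, not FortiOS code) parses those forms, decides whether a given flow falls inside a selector, and reports overlapping local and remote networks, which is the "ambiguous IP addresses" situation the text says a 0.0.0.0/0 selector cannot resolve. The flow tuples and network values are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

Range = Tuple[int, int]   # inclusive IPv4 range as integers


def parse_selector(text: str) -> Range:
    """Parse the address forms accepted in the selector fields.
    0.0.0.0/0 yields the full address space; a bare address is a /32 host."""
    text = text.strip()
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]", text)
    if m:                                              # 192.168.10.[80-100]
        lo = int(ipaddress.IPv4Address(f"{m.group(1)}.{m.group(2)}"))
        hi = int(ipaddress.IPv4Address(f"{m.group(1)}.{m.group(3)}"))
    elif "-" in text:                                  # 192.168.10.80-192.168.10.100
        first, last = text.split("-", 1)
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    else:                                              # prefix, dotted mask, or host
        net = ipaddress.IPv4Network(text if "/" in text else text + "/32", strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"range runs backwards: {text}")
    return lo, hi


@dataclass
class Selector:
    src: str
    dst: str
    protocol: int = 0    # 0 = all services, otherwise an IP protocol number 1..255
    src_port: int = 0    # 0 = all ports
    dst_port: int = 0

    def __post_init__(self) -> None:
        self.src_range = parse_selector(self.src)
        self.dst_range = parse_selector(self.dst)
        for value, top in ((self.protocol, 255), (self.src_port, 65535), (self.dst_port, 65535)):
            if not 0 <= value <= top:
                raise ValueError(f"value {value} outside 0..{top}")

    def matches(self, src_ip: str, dst_ip: str, protocol: int,
                src_port: int, dst_port: int) -> bool:
        """True when the flow lies inside this selector; 0 fields are wildcards."""
        s = int(ipaddress.IPv4Address(src_ip))
        d = int(ipaddress.IPv4Address(dst_ip))
        return (self.src_range[0] <= s <= self.src_range[1]
                and self.dst_range[0] <= d <= self.dst_range[1]
                and self.protocol in (0, protocol)
                and self.src_port in (0, src_port)
                and self.dst_port in (0, dst_port))


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def ambiguous(local_networks: List[str], remote_networks: List[str]) -> List[Tuple[str, str]]:
    """Local/remote network pairs that share addresses. These are the cases
    where a 0.0.0.0/0 selector cannot say which side a destination belongs to
    and narrower selectors (or renumbering) are needed."""
    return [(loc, rem) for loc in local_networks for rem in remote_networks
            if overlaps(parse_selector(loc), parse_selector(rem))]


if __name__ == "__main__":
    https_only = Selector("172.16.5.0/24", "192.168.20.0/24", protocol=6, dst_port=443)
    print(https_only.matches("172.16.5.10", "192.168.20.7", 6, 51000, 443))   # inside
    print(https_only.matches("172.16.5.10", "192.168.20.7", 17, 5000, 53))    # DNS/UDP: outside
    print(ambiguous(["10.0.0.0/24"], ["10.0.0.128/25", "10.1.0.0/24"]))
```

The overlap report is the check worth running before accepting the 0.0.0.0/0 default on a dialup server: two spokes that both use 10.0.0.0/24 will negotiate fine and then misroute each other's traffic.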
Manual Key
If required, you can manually define cryptographic keys for establishing an IPSec VPN
tunnel. You would define manual keys in situations where:
You require prior knowledge of the encryption or authentication key (that is, one of the
VPN peers requires a specific IPSec encryption or authentication key).
You need to disable encryption and authentication.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define
manual keys by going to VPN > IPSEC > Manual Key instead.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in
keeping keys confidential and in propagating changed keys to remote VPN peers securely.
For general information about how to configure an IPSec VPN, see the FortiGate IPSec
VPN User Guide.
Create New Create a new manual key configuration. See Creating a new manual key
configuration on page 542.
Tunnel Name The names of existing manual key configurations.
Remote Gateway The IP addresses of remote peers or dialup clients.
Encryption Algorithm The names of the encryption algorithms specified in the manual key
configurations.
Authentication The names of the authentication algorithms specified in the manual key
Algorithm configurations.
Delete and Edit icons Delete or edit a manual key configuration.
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases
for your particular installation, do not attempt the following procedure without qualified
assistance.
To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and
select Create New.
Name Type a name for the VPN tunnel. The maximum name length is 15 characters
for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the
SA that handles outbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Remote SPI value in
the manual key configuration at the remote peer.
Remote SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the
SA that handles inbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Local SPI value in
the manual key configuration at the remote peer.
Remote Gateway Type the IP address of the public interface to the remote peer. The address
identifies the recipient of ESP datagrams.
Local Interface This option is available in NAT/Route mode only. Select the name of the
interface to which the IPSec tunnel will be bound. The FortiGate unit obtains
the IP address of the interface from the network interface settings. For more
information, see Interfaces on page 119.
Encryption Algorithm Select one of the following symmetric-key encryption algorithms:
DES Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES Triple-DES, in which plain text is encrypted three times by three
keys.
AES128 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 128-bit key.
AES192 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 192-bit key.
AES256 a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 256-bit key.
Note: The algorithms for encryption and authentication cannot both be NULL.
Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote
peers radiate from a single, central FortiGate unit. Site-to-site connections between the
remote peers do not exist; however, you can establish VPN tunnels between any two of
the remote peers through the FortiGate unit hub.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect
to the hub are known as spokes. The hub functions as a concentrator on the network,
managing all VPN connections between the spokes. VPN traffic passes from one tunnel to
the other through the hub.
You define a concentrator to include spokes in the hub-and-spoke configuration.
To define a concentrator, go to VPN > IPSEC > Concentrator. For detailed information and
step-by-step procedures about how to set up a hub-and-spoke configuration, see the
FortiGate IPSec VPN User Guide.
Create New Define a new concentrator for an IPSec hub-and-spoke configuration. For
more information, see Defining concentrator options on page 545.
Concentrator Name The names of existing IPSec VPN concentrators.
Members The tunnels that are associated with the concentrators.
Delete and Edit icons Delete or edit a concentrator.
Monitoring VPNs
To view active VPN tunnels, go to User > Monitor > IPSEC. For more information, see
IPSEC monitor list on page 592.
PPTP VPN
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or
Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been
configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit
to forward PPTP packets to a PPTP server on the network behind the FortiGate unit.
PPTP VPN is available only in NAT/Route mode. The current maximum number of PPTP
sessions is 254. If you enable virtual domains (VDOMs) on the FortiGate unit, you need to
configure VPN PPTP separately for each virtual domain. For more information, see Using
virtual domains on page 103.
When you intend to use the FortiGate unit as a PPTP gateway, you can select a PPTP
client IP from a local address range or use the server defined in the PPTP user group. You
select which method to use for IP address retrieval and, in the case of the user group
server, provide the IP address and the user group.
This section explains how to specify a range of IP addresses for PPTP clients or configure
the PPTP client-side IP address to be used in the tunnel setup. For information about how
to perform other related PPTP VPN setup tasks, see the FortiGate PPTP VPN User
Guide.
Note: The PPTP feature is disabled by default in the FortiGate web-based manager. You
configure the PPTP tunnel configuration by creating a customized FortiGate screen.
For information about creating customized screens in the FortiGate web-based manager,
see Customizable web-based manager on page 231.
PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address
range is the range of addresses reserved for remote PPTP clients. When the remote
PPTP client establishes a connection, the FortiGate unit assigns an IP address from the
reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP
address from the PPTP user group. If you use the PPTP user group, you must also define
the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-
based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its
source address for the duration of the connection.
To enable PPTP and specify the PPTP address range or specify the IP address for the
peer's remote IP on the PPTP client side, go to the customized screen in the web-based
manager, select the required options, and then select Apply.
Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet,
e.g. 192.168.1.1 - 192.168.1.254.
Figure 360: Edit PPTP range options, showing both Range and User Group
Enable PPTP Enable PPTP. You must add a user group before you can select the
option. See User Group on page 583.
IP Mode Select a method of determining the IP address for the PPTP connection:
Range Enable to specify a local address range to reserve for remote PPTP
clients.
User Group Select to specify that the PPTP client IP address is determined by the
PPTP user group server.
Starting IP Type the starting address in the range of reserved IP addresses.
Ending IP Type the ending address in the range of reserved IP addresses.
Local IP Type the IP address to be used for the peer's remote IP on the PPTP
client side.
User Group Select the PPTP user group from the list.
Disable PPTP Select to disable PPTP support.
Syntax
config vpn pptp
set eip <address_ipv4>
set ip-mode {range | usrgrp}
set local-ip <address_localip>
set sip <address_ipv4>
set status {disable | enable}
set usrgrp <group_name>
end
Variables Description Default
eip <address_ipv4> The ending address of the PPTP address range. 0.0.0.0
SSL VPN
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be
used with a standard Web browser. SSL VPN does not require the installation of
specialized client software on end users' computers, and is ideal for applications including
web-based email, business and government directories, file sharing, remote backup,
remote system management, and consumer-level electronic commerce.
The two modes of SSL VPN operation (supported in NAT/Route mode only) are:
web-only mode, for thin remote clients equipped with a web-browser only.
tunnel mode, for remote computers that run a variety of client and server applications.
When the FortiGate unit provides services in web-only mode, a secure connection
between the remote client and the FortiGate unit is established through the SSL VPN
security in the FortiGate unit and the SSL security in the web browser. After the
connection has been established, the FortiGate unit provides access to selected services
and network resources through a web portal. The FortiGate SSL VPN web portal has a
widget-based layout with customizable themes. Each widget is displayed in a 1- or 2-
column format with the ability to modify settings, minimize the widget window, or other
functions depending on the type of content within the widget.
When users have complete administrative rights over their computers and use a variety of
applications, tunnel mode allows remote clients to access the local internal network as if
they were connected to the network directly.
This section provides information about the features of SSL VPN available for
configuration in the web-based manager. Only FortiGate units that run in NAT/Route mode
support the SSL VPN feature.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN SSL is configured
separately for each virtual domain. For details, see Using virtual domains on page 103.
Note: For detailed instructions about how to configure web-only mode or tunnel-mode
operation, see the FortiGate SSL VPN User Guide.
ssl.root
The FortiGate unit has a virtual SSL VPN interface called ssl.<vdomname>. The root
VDOM's interface, called ssl.root, appears in the firewall policy interface lists and static
route interface lists. You can use the ssl.root interface to allow access to additional
networks and facilitate a connected user's ability to browse the Internet through the
FortiGate unit.
SSL VPN tunnel-mode access requires the following firewall policies:
External > Internal, with the action set to SSL, with an SSL user group
Note: If required, you can enable SSL version 2 encryption (for compatibility with older
browsers) through a FortiGate CLI command. For more information, see the ssl
settings command in the FortiGate CLI Reference.
To enable SSL VPN connections and configure SSL VPN settings, go to VPN > SSL >
Config and select Enable SSL-VPN. When you have completed configuring the settings,
select Apply.
Encryption Key Algorithm Select the algorithm for creating a secure SSL connection between the
remote client web browser and the FortiGate unit.
Default - RC4(128 bits) and higher If the web browser on the remote client can match a cipher suite
greater than or equal to 128 bits, select this option.
High - AES(128/256 bits) and 3DES If the web browser on the remote client can match a high level of
SSL encryption, select this option to enable cipher suites that use more than 128 bits to
encrypt data.
Low - RC4(64 bits), DES and higher If you are not sure which level of SSL encryption the remote
client web browser supports, select this option to enable a cipher suite greater than or
equal to 64 bits.
Idle Timeout Type the period of time (in seconds) to control how long the connection
can remain idle before the system forces the user to log in again. The
range is from 10 to 28800 seconds. You can also set the value to 0 to
have no idle connection timeout. This setting applies to the SSL VPN
session. The interface does not time out when web application sessions
or tunnels are up.
Apply Select to save and apply settings.
General tab
To configure the SSL VPN web portal General tab, go to VPN > SSL > Portal and select
Create New. The SSL VPN web portal General tab is displayed. Use the General tab to
configure basic settings required for the SSL VPN web portal. To edit settings for an
existing web portal configuration, select Settings to open the General tab.
Figure 364: SSL VPN web portal - Create New/Settings, General tab
Advanced tab
To configure the SSL VPN web portal Advanced tab, go to VPN > SSL > Portal and select
Create New then select Advanced. The SSL VPN web portal Advanced tab is displayed.
Use the Advanced tab to configure advanced settings that monitor the SSL VPN clients
and apply other advanced settings. To edit settings for an existing web portal
configuration, select Settings > Advanced to open the Advanced tab.
Figure 365: SSL VPN web portal - Create New/Settings, Advanced tab
Latest Patch Level - If you set Action to Check Latest Version, enter
the latest acceptable patch number.
Tolerance - If you set Action to Check Latest Version, set Tolerance
to 0 if clients must have the latest patch. Set Tolerance to a number to
control how close clients must be to the latest patch. For example, if
the latest patch level is 4 and tolerance is 2, clients will be accepted
with patch 2, 3, 4, 5, or 6.
Figure 366: SSL VPN web portal - full-access Default configuration window
OK Select to save the configuration. If you select OK, you exit out of the
SSL VPN web portal configuration window.
Cancel Select to exit the configuration window without saving any changes.
Apply Select to apply any changes made in the web portal configuration. If
you select Apply, you will not leave the portal configuration window.
Settings Select to edit the General or Advanced settings for the SSL VPN web
portal. See SSL VPN web portal on page 554.
Help Indicates the location of the SSL VPN web portal online help icon. You
cannot change or move this icon. Active when SSL VPN web portal is
activated by user.
Log out Indicates the location of the SSL VPN web portal log out icon. You
cannot change or move this icon. Active when SSL VPN web portal is
activated by user.
Add Widget list Select to add a widget to the SSL VPN web portal configuration.
Session Information Displays the login name of the user, the amount of time the user has
been logged in, and the inbound and outbound traffic of HTTP and
HTTPS.
Bookmarks Displays configured bookmarks, allows for the addition of new
bookmarks and editing of existing bookmarks.
Connection Tool Enter the URL or IP address for a connection tool application/server
(selected when configuring the Connection Tool). You can also check
connectivity to a host or server on the network behind the FortiGate
unit by selecting the Type Ping.
Tunnel Mode Displays tunnel information and actions in user mode. The
administrator can configure a split-tunneling option.
Bookmarks widget
Bookmarks are used as links to specific resources on the network. When a bookmark is
selected from a bookmark list, a pop-up window appears with the requested web page.
Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and
Samba replace the bookmarks page with an HTML file-browser.
Adding bookmarks
To add bookmarks, in the Bookmarks widget title bar select Edit, then select Add. The Add
bookmark window opens. When you finish creating the bookmark, select OK in the Add
bookmark window and then in the Bookmarks widget.
Editing bookmarks
To edit bookmarks, in the Bookmarks widget title bar, select Edit.
Edit Select to edit the information in the Tunnel Mode widget. Opens the
Tunnel Mode configuration window.
Remove widget Select to close the Tunnel Mode widget and remove it from the web
portal home page.
OK Select OK to save the configuration. If you select OK, the Tunnel
Mode configuration window closes.
Cancel Select to exit the Tunnel Mode configuration window without saving
any changes made.
Name Enter a name for the Tunnel Mode widget.
IP Mode Select the mode by which the IP address is assigned to the user.
Range The user IP is allocated from a configured range of IP addresses.
User Group The user IP is assigned on a per-user basis using a RADIUS record received
from the RADIUS user group used to authenticate the user. See
Dynamically assigning VPN client IP addresses from a RADIUS
record on page 573.
Split tunneling Select to enable split tunneling.
Start IP Enter the starting IP address for the split tunnel range.
End IP Enter the ending IP address for the split tunnel range.
Connect Initiate a session and establish an SSL VPN tunnel with the FortiGate
unit.
Disconnect End the session and close the tunnel to the FortiGate unit.
Refresh now Refresh the Fortinet SSL VPN Client page (web portal).
Link status Indicates the state of the SSL VPN tunnel:
Up is displayed when an SSL VPN tunnel with the FortiGate unit has
been established.
Down is displayed when a tunnel connection has not been initiated.
Bytes sent: Displays the number of bytes of data transmitted from the client to the
FortiGate unit since the tunnel was established.
Bytes received: The number of bytes of data received by the client from the FortiGate
unit since the tunnel was established.
<status information> Displays detailed information about the tunnel connection (for
example, Fortinet SSL VPN client connected to server.)
User
This section explains how to set up user accounts, user groups, and external
authentication servers. You can use these components of user authentication to control
access to network resources.
If you enable virtual domains (VDOMs) on the FortiGate unit, user authentication is
configured separately for each virtual domain. For details, see Using virtual domains on
page 103.
This section describes:
Getting started - User authentication
Local user accounts
Remote
RADIUS
LDAP
TACACS+
PKI
Directory Service
User Group
Options
Monitor
NAC quarantine and the Banned User list
You can configure your FortiGate unit to authenticate system administrators with your
FortiGate unit, using RADIUS, LDAP and TACACS+ servers and with certificate-based
authentication using PKI. For more information, see System Admin on page 209. You
can change the authentication timeout value or select the protocol supported for Firewall
authentication. For more information, see Options on page 590. You can view lists of
currently authenticated users, active SSL VPN sessions, activity on VPN IPSec tunnels,
authenticated IM users, and banned users. For more information, see Monitor on
page 591.
For each network resource that requires authentication, you specify which user groups are
permitted access to the network. There are three types of user groups: Firewall, Directory
Service, and SSL VPN. For more information, see Firewall user groups on page 584,
Directory Service user groups on page 585, and SSL VPN user groups on page 585.
Type The authentication type to use for this user. The authentication types are Local
(user and password stored on FortiGate unit), LDAP, RADIUS, and TACACS+
(user and password matches a user account stored on the authentication
server).
Delete icon Delete the user.
The delete icon is not available if the user belongs to a user group.
Edit icon Edit the user account.
Note: Deleting the user name deletes the authentication configured for the user.
To add a Local user, go to User > Local, select Create New, and enter or select the
following:
Note: If virtual domains are enabled on the FortiGate unit, IM features are configured
globally. To access these features, select Global Configuration on the main menu.
The IM user list displays information about configured instant messaging user policies.
The list can be filtered by protocol and policy.
To view the list of IM users, go to User > Local > IM.
To add an IM user, go to User > Local > IM, select Create New, and enter or select the
following:
Protocol Select a protocol from the dropdown list: AIM, ICQ, MSN, or Yahoo!.
Username Enter a name for the user.
Policy Select a policy from the dropdown list: Allow or Block.
The IM user monitor list displays information about instant messaging users who are
currently connected. For more information, see IM user monitor list on page 594.
Remote
Remote authentication is generally used to ensure that employees working offsite can
remotely access their corporate network with appropriate security measures in place. In
general terms, authentication is the process of attempting to verify the (digital) identity of
the sender of a communication such as a login request. The sender may be someone
using a computer, the computer itself, or a computer program. Since a computer system
should be used only by those who are authorized to do so, there must be a measure in
place to detect and exclude any unauthorized access.
On a FortiGate unit, you can control access to network resources by defining lists of
authorized users, called user groups. To use a particular resource, such as a network or
VPN tunnel, the user must:
belong to one of the user groups that is allowed access
correctly enter a user name and password to prove his or her identity, if asked to do so.
RADIUS
Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication function of
the RADIUS server. To use the RADIUS server for authentication, you must configure the
server before you configure the FortiGate users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a
RADIUS server, the FortiGate unit sends the user's credentials to the RADIUS server for
authentication. If the RADIUS server can authenticate the user, the user is successfully
authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user,
the FortiGate unit refuses the connection. You can override the default authentication
scheme by selecting a specific authentication protocol or changing the default port for
RADIUS traffic.
Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645,
use the CLI to change the default RADIUS port. For more information, see the config
system global command in the FortiGate CLI Reference.
To view the list of RADIUS servers, go to User > Remote > RADIUS.
Create New Add a new RADIUS server. The maximum number is 10.
Name Name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP Domain name or IP address of the RADIUS server.
Delete icon Delete a RADIUS server configuration.
You cannot delete a RADIUS server that has been added to a user group.
Edit icon Edit a RADIUS server configuration.
The RADIUS server can use several different authentication protocols during the
authentication process:
MS-CHAP-V2 is the Microsoft challenge-handshake authentication protocol v2
MS-CHAP is the Microsoft challenge-handshake authentication protocol v1
CHAP (challenge-handshake authentication protocol) provides the same functionality
as PAP, but does not send the password and other user information over the network to
a security server
PAP (password authentication protocol) is used to authenticate PPP connections. PAP
transmits passwords and other user information in clear text (unencrypted).
If you have not selected a protocol, the default protocol configuration uses PAP, MS-CHAPv2,
and CHAP, in that order.
To add a new RADIUS server, go to User > Remote > RADIUS, select Create New, and
enter or select the following:
Name Enter the name that is used to identify the RADIUS server on the
FortiGate unit.
Primary Server Name/IP Enter the domain name or IP address of the primary RADIUS server.
Primary Server Secret Enter the RADIUS server secret key for the primary RADIUS server.
The primary server secret key should be a maximum of 16
characters in length.
Secondary Server Name/IP Enter the domain name or IP address of the secondary RADIUS
server, if you have one.
Secondary Server Secret Enter the RADIUS server secret key for the secondary RADIUS
server. The secondary server secret key should be a maximum of 16
characters in length.
Authentication Scheme Select Use Default Authentication Scheme to authenticate with the
default method. The default authentication scheme uses PAP, MS-CHAP-V2, and CHAP,
in that order.
Select Specify Authentication Protocol to override the default authentication method,
and choose the protocol from the list: MS-CHAP-V2, MS-CHAP, CHAP, or PAP,
depending on what your RADIUS server needs.
NAS IP/Called Station ID Enter the NAS IP address and Called Station ID (for more
information about RADIUS Attribute 31, see RFC 2548 Microsoft
Vendor-specific RADIUS Attributes). If you do not enter an IP
address, the IP address that the FortiGate interface uses to
communicate with the RADIUS server will be applied.
Include in every User Group Select to have the RADIUS server automatically included in all user
groups.
For the FortiGate unit to dynamically assign an IP address, the VPN users must be
configured for RADIUS authentication and you must include the IP address to assign to
the user in the Framed-IP-Address RADIUS field. You configure each type of VPN
differently. In each case you are associating the VPN configuration that assigns IP
addresses to users with a user group.
Assigning IP addresses in this way does not replace assigning IP addresses from a
configured IP address range. In fact, you can configure an IP address range as well as
enable assigning IP addresses from a RADIUS server. If you use both methods, the
FortiGate unit attempts to assign the IP address from the RADIUS record first.
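The assignment order described above (RADIUS record first, configured range second), as an added example that is not Fortinet's code: a small Python model that verifies a RADIUS Access-Accept against the shared secret before trusting it, reads the Framed-IP-Address attribute, and falls back to the address range when the server sends no usable address. The packet is constructed inline; the request authenticator and the secret "constructed-key1" are made-up sample values.

```python
"""Added example (not Fortinet's code): verify a RADIUS Access-Accept and pick
the client IP the way the guide describes, Framed-IP-Address from the RADIUS
record first, then the configured address range. Layout follows RFC 2865."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, List, Optional, Set, Tuple

ACCESS_ACCEPT = 2
FRAMED_IP_ADDRESS = 8          # attribute type 8, RFC 2865 section 5.8
# RFC 2865 sentinel values: 0xFFFFFFFF = user picks, 0xFFFFFFFE = NAS picks
NO_ADDRESS = {ipaddress.IPv4Address("255.255.255.255"),
              ipaddress.IPv4Address("255.255.255.254")}

# Constructed sample values; a real request authenticator is 16 random bytes
REQUEST_AUTH = bytes(range(16))
SECRET = b"constructed-key1"   # the guide caps the server secret at 16 characters


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attrs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed server reply. ResponseAuth = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


def parse_reply(packet: bytes, request_auth: bytes, secret: bytes) -> Dict:
    """Check the authenticator and split the attributes. Raises ValueError on a
    malformed packet or when the reply was not produced with our shared secret."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    packet = packet[:length]                 # octets past Length are padding
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch (spoofed reply or wrong secret)")
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return {"code": code, "id": identifier, "attrs": attrs}


def choose_client_ip(reply: Dict, range_start: str, range_end: str,
                     in_use: Set[str]) -> Optional[ipaddress.IPv4Address]:
    """RADIUS record first, then the first free address of the configured range."""
    if reply["code"] != ACCESS_ACCEPT:
        return None                          # rejected users get no address
    for raw in reply["attrs"].get(FRAMED_IP_ADDRESS, []):
        if len(raw) == 4:
            ip = ipaddress.IPv4Address(raw)
            if ip not in NO_ADDRESS:
                return ip
    addr, end = ipaddress.IPv4Address(range_start), ipaddress.IPv4Address(range_end)
    while addr <= end:
        if str(addr) not in in_use:
            return addr
        addr += 1
    return None                              # range exhausted


def demo() -> str:
    """Round trip: the server assigns 10.0.5.20 through Framed-IP-Address."""
    pkt = build_access_accept(7, REQUEST_AUTH, SECRET,
                              [(FRAMED_IP_ADDRESS, bytes([10, 0, 5, 20]))])
    reply = parse_reply(pkt, REQUEST_AUTH, SECRET)
    return str(choose_client_ip(reply, "192.168.1.1", "192.168.1.254", set()))


if __name__ == "__main__":
    print(demo())
```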
Figure 378: Using RADIUS records to assign IP addresses for SSL VPN Tunnel Mode
PPTP VPN
You can dynamically assign IP addresses to PPTP VPN clients using RADIUS records by
configuring the PPTP VPN to use the user group for getting IP addresses:
config vpn pptp
set status enable
set ip-mode usrgrp
...
end
LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords,
email addresses, and printers. LDAP consists of a data-representation scheme, a set
of defined operations, and a request/response network protocol.
If you have configured LDAP support and require a user to authenticate using an LDAP
server, the FortiGate unit contacts the LDAP server for authentication. To authenticate
with the FortiGate unit, the user enters a user name and password. The FortiGate unit
sends this user name and password to the LDAP server. If the LDAP server can
authenticate the user, the FortiGate unit successfully authenticates the user. If the LDAP
server cannot authenticate the user, the FortiGate unit refuses the connection.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight
Directory Access Protocol v3, for looking up and validating user names and passwords.
FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate
LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the
FortiGate CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of
password expiration, that is available from some LDAP servers. Nor does FortiGate
LDAP supply information to the user about why authentication failed.
To view the list of LDAP servers, go to User > Remote > LDAP.
Create New Add a new LDAP server. The maximum number is 10.
Name The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP The domain name or IP address of the LDAP server.
Port The TCP port used to communicate with the LDAP server.
Common Name Identifier The common name identifier for the LDAP server. Most LDAP servers use cn.
However, some servers use other common name identifiers such as uid.
Distinguished Name The distinguished name used to look up entries on the LDAP server. The
distinguished name reflects the hierarchy of LDAP database object classes
above the common name identifier.
Delete icon Delete the LDAP server configuration.
Edit icon Edit the LDAP server configuration.
ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is a domain component.
You can also specify multiple instances of the same field in the distinguished name, for
example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
Binding is said to occur when the LDAP server successfully authenticates the user and
allows the user access to the LDAP server based on his or her permissions.
You can configure the FortiGate unit to use one of three types of binding:
anonymous - bind using anonymous user search
regular - bind using user name/password and then search
simple - bind using a simple password authentication without a search.
You can use simple authentication if the user records all fall under one dn. If the users are
under more than one dn, use the anonymous or regular type, which can search the entire
LDAP database for the required user name.
If your LDAP server requires authentication to perform searches, use the regular type and
provide values for user name and password.
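The three bind types above, as an added example that is not Fortinet's code: a small Python model with a constructed in-memory directory (the DNs, the svc-fortigate service account and all passwords are made up) that shows why the simple type fails for a user whose record sits under an extra ou below the configured Distinguished Name, while the regular and anonymous types find the record by searching. The anonymous model verifies the password by binding as the entry it found, and the server's policy on anonymous searches is a parameter.

```python
"""Added example (not Fortinet's code): model of the simple, regular and
anonymous LDAP bind types over a constructed in-memory directory."""
from typing import Dict, List, Optional, Tuple

# Constructed directory, DN -> attributes. Users deliberately sit under two DNs.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=alice,ou=marketing,dc=fortinet,dc=com": {"cn": "alice", "userPassword": "alice-pw"},
    "cn=bob,ou=accounts,ou=marketing,dc=fortinet,dc=com": {"cn": "bob", "userPassword": "bob-pw"},
    "cn=svc-fortigate,ou=service,dc=fortinet,dc=com": {"cn": "svc-fortigate", "userPassword": "svc-pw"},
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'ou=marketing,dc=fortinet,dc=com' into [(attr, value), ...].
    Simplified: no RFC 4514 escaping of commas or equals signs in values."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        if not attr or not value:
            raise ValueError("malformed DN component: %r" % part)
        rdns.append((attr.lower(), value))
    return rdns


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn lies anywhere in the subtree rooted at base_dn."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


def bind(dn: str, password: str) -> bool:
    """LDAP bind: the entry must exist and the password must match."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def search(base_dn: str, cn_id: str, username: str, authenticated: bool,
           anonymous_search_allowed: bool) -> Optional[str]:
    """Subtree search for the filter (cn_id=username); returns the entry's DN."""
    if not authenticated and not anonymous_search_allowed:
        raise PermissionError("server refuses anonymous search")
    for dn, attrs in DIRECTORY.items():
        if is_under(dn, base_dn) and attrs.get(cn_id.lower()) == username:
            return dn
    return None


def authenticate(bind_type: str, base_dn: str, cn_id: str, username: str,
                 password: str, user_dn: str = "", bind_password: str = "",
                 anonymous_search_allowed: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for one of the three FortiGate bind types."""
    if bind_type == "simple":
        # No search: the user's DN is assembled from cn_id, username and base DN
        dn = "%s=%s,%s" % (cn_id, username, base_dn)
        return (True, dn) if bind(dn, password) else (False, "no entry or bad password at " + dn)
    if bind_type == "regular":
        # Bind as the configured service account (User DN / Password), then search as it
        if not bind(user_dn, bind_password):
            return False, "service account bind failed"
        authenticated = True
    elif bind_type == "anonymous":
        authenticated = False
    else:
        return False, "unknown bind type"
    try:
        dn = search(base_dn, cn_id, username, authenticated, anonymous_search_allowed)
    except PermissionError as exc:
        return False, str(exc)
    if dn is None:
        return False, "user not found under " + base_dn
    return (True, dn) if bind(dn, password) else (False, "bad password for " + dn)


if __name__ == "__main__":
    base = "ou=marketing,dc=fortinet,dc=com"
    for kind in ("simple", "anonymous"):
        print(kind, authenticate(kind, base, "cn", "bob", "bob-pw"))
```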
To add an LDAP server, go to User > Remote > LDAP and select Create New. Enter the
information below and select OK.
Name Enter the name that identifies the LDAP server on the FortiGate unit.
Server Name/IP Enter the domain name or IP address of the LDAP server.
Server Port Enter the TCP port used to communicate with the LDAP server.
By default, LDAP uses port 389.
If you use a secure LDAP server, the default port changes when you
select Secure Connection.
Common Name Identifier Enter the common name identifier for the LDAP server. The maximum
number of characters is 20.
Distinguished Name Enter the base distinguished name for the server using the correct
X.500 or LDAP format. The FortiGate unit passes this distinguished
name unchanged to the server. The maximum number of characters is
512.
Query icon View the LDAP server Distinguished Name Query tree for the LDAP
server that you are configuring so that you can cross-reference to the
Distinguished Name.
For more information, see Using Query.
Bind Type Select the type of binding for LDAP authentication.
Regular Connect to the LDAP server directly with user name/password, then
receive accept or reject based on search of given values.
Anonymous Connect as an anonymous user on the LDAP server, then retrieve the
user name/password and compare them to given values.
Simple Connect directly to the LDAP server with user name/password
authentication.
Filter Enter the filter to use for group searching. Available if Bind Type is
Regular or Anonymous.
User DN Enter the Distinguished name of the user to be authenticated.
Available if Bind Type is Regular.
Password Enter the password of the user to be authenticated. Available if Bind
Type is Regular.
Secure Connection Select to use a secure LDAP server connection for authentication.
Protocol Select a secure LDAP protocol to use for authentication. Depending on
your selection, the value in Server Port will change to the default port
for the selected protocol. Available only if Secure Connection is
selected.
LDAPS: port 636
STARTTLS: port 389
Certificate Select a certificate to use for authentication from the list. The certificate
list comes from CA certificates at System > Certificates >
CA Certificates.
Using Query
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all
the distinguished names associated with the Common Name Identifier for the LDAP
server. The tree helps you to determine the appropriate entry for the DN field. To see the
distinguished name associated with the Common Name identifier, select the Expand
Arrow beside the CN identifier and then select the DN from the list. The DN you select is
displayed in the Distinguished Name field. Select OK to save your selection in the
Distinguished Name field of the LDAP Server configuration.
To see the users within the LDAP Server user group for the selected Distinguished Name,
select the Expand arrow beside the Distinguished Name in the LDAP Distinguished Name
Query tree.
TACACS+
In recent years, remote network access has shifted from terminal access to LAN access.
Users connect to their corporate network (using notebooks or home PCs) with computers
that use complete network connections and have the same level of access to the
corporate network resources as if they were physically in the office. These connections
are made through a remote access server. As remote access technology has evolved, the
need for network access security has become increasingly important.
Terminal Access Controller Access-Control System (TACACS+) is a remote
authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers. TACACS+
allows a client to accept a user name and password and send a query to a TACACS+
authentication server. The server host determines whether to accept or deny the request
and sends a response back that allows or denies network access to the user. The default
TCP port for a TACACS+ server is 49.
To view the list of TACACS+ servers, go to User > Remote > TACACS+.
Create New Add a new TACACS+ server. The maximum number is 10.
Server The server domain name or IP address of the TACACS+ server.
Authentication Type The supported authentication method. TACACS+ authentication methods
include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon Delete this TACACS+ server.
Edit icon Edit this TACACS+ server.
ASCII
Machine-independent technique that uses representations of English characters.
Requires user to type a user name and password that are sent in clear text
(unencrypted) and matched with an entry in the user database stored in ASCII format.
PAP (password authentication protocol)
Used to authenticate PPP connections. Transmits passwords and other user
information in clear text.
CHAP (challenge-handshake authentication protocol)
Provides the same functionality as PAP, but more secure as it does not send the
password and other user information over the network to the security server.
MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
Microsoft-specific version of CHAP.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
To add a new TACACS+ server, go to User > Remote > TACACS+, select Create New,
and enter or select the following:
Directory Service
Windows Active Directory (AD) and Novell eDirectory provide central authentication
services by storing information about network resources across a domain (a logical group
of computers running versions of an operating system) in a central directory database.
Each person who uses computers within a domain receives his or her own unique
account/user name. This account can be assigned access to resources within the domain.
In a domain, the directory resides on computers that are configured as domain controllers.
A domain controller is a server that manages all security-related features that affect the
user/domain interactions, security centralization, and administrative functions.
FortiGate units use firewall policies to control access to resources based on user groups
configured in the policies. Each FortiGate user group is associated with one or more
Directory Service user groups. When a user logs in to the Windows or Novell domain, a
Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user's IP
address and the names of the Directory Service user groups to which the user belongs.
The FSAE has two components that you must install on your network:
The domain controller (DC) agent must be installed on every domain controller to
monitor user logins and send information about them to the collector agent.
The collector agent must be installed on at least one domain controller to send the
information received from the DC agents to the FortiGate unit.
The FortiGate unit uses this information to maintain a copy of the domain controller user
group database. Because the domain controller authenticates users, the FortiGate unit
does not perform authentication. It recognizes group members by their IP address.
You must install the Fortinet Server Authentication Extensions (FSAE) on the network and
configure the FortiGate unit to retrieve information from the Directory Service server. For
more information about FSAE, see the FSAE Technical Note.
To view the list of Directory Service servers, go to User > Directory Service.
Add User/Group Add a user or group to the list. You must know the distinguished name
for the user or group.
Edit Users/Group Select users and groups to add to the list.
Note: You can create a redundant configuration on your FortiGate unit if you install a
collector agent on two or more domain controllers. If the current (or first) collector agent
fails, the FortiGate unit switches to the next one in its list of up to five collector agents.
Name Enter the name of the Directory Service server. This name appears in the list of
Directory Service servers when you create user groups.
FSAE Collector IP/Name Enter the IP address or name of the Directory Service server where this
collector agent is installed. The maximum number of characters is 63.
Port Enter the TCP port used for Directory Service. This must be the same as the
FortiGate listening port specified in the FSAE collector agent configuration.
Password Enter the password for the collector agent. This is required only if you
configured your FSAE collector agent to require authenticated access.
LDAP Server Select the check box and select an LDAP server to access the Directory
Service.
PKI
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library
that takes a list of peers, peer groups, and/or user groups and returns authentication
successful or denied notifications. Users need only a valid certificate for successful
authentication; no user name or password is necessary. Firewall and SSL VPN are the
only user group types that can use PKI authentication.
For more information about certificate authentication, see the FortiGate Certificate
Management User Guide. For information about the detailed PKI configuration settings
available only through the CLI, see the FortiGate CLI Reference.
To view the list of PKI users, go to User > PKI.
Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a
value for either subject or ca. If you do not do so, and then open the user record in the web-
based manager, you will be prompted to enter a subject or ca value before you can
continue.
To create a peer user for PKI authentication, go to User > PKI, select Create New, and
enter the following:
Note: You must enter a value for at least one of Subject or CA.
You can configure peer user groups only through the CLI. For more information, see the
FortiGate CLI Reference.
User Group
A user group is a list of user identities. An identity can be:
a local user account (user name and password) stored on the FortiGate unit
a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
a user or user group defined on a Directory Service server.
Each user group belongs to one of three types: Firewall, Directory Service or SSL VPN.
For information about each type, see Firewall user groups on page 584, Directory
Service user groups on page 585, and SSL VPN user groups on page 585. For
information on configuring each type of user group, see Configuring a user group on
page 586.
In most cases, the FortiGate unit authenticates users by requesting each user name and
password. The FortiGate unit checks local user accounts first. If the unit does not find a
match, it checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group.
Authentication succeeds when the FortiGate unit finds a matching user name and
password.
For a Directory Service user group, the Directory Service server authenticates users when
they log in to the network. The FortiGate unit receives the user's name and IP address
from the FSAE collector agent. For more information about FSAE, see the
FSAE Technical Note.
You can configure user groups to provide authenticated access to:
Firewall policies that require authentication
See Adding authentication to firewall policies on page 327.
You can choose the user groups that are allowed to authenticate with these policies.
Note: A user group cannot be a dialup group if any member is authenticated using a
RADIUS or LDAP server.
For more information, see Creating a new phase 1 configuration on page 534.
For information about configuring a Firewall user group, see Configuring a user group on
page 586.
You can also use a firewall user group to provide override privileges for FortiGuard web
filtering. For more information, see Configuring FortiGuard Web filtering override options
on page 589. For detailed information about FortiGuard Web Filter, including the override
feature, see FortiGuard - Web Filter on page 487.
Note: You cannot use Directory Service user groups directly in FortiGate firewall policies.
You must add Directory Service groups to FortiGate user groups. A Directory Service group
should belong to only one FortiGate user group. If you assign it to multiple FortiGate user
groups, the FortiGate unit recognizes only the last user group assignment.
A Directory Service user group provides access to a firewall policy that requires Directory
Service type authentication and lists the user group as one of the allowed groups. The
members of the user group are Directory Service users or groups that you select from a
list that the FortiGate unit receives from the Directory Service servers that you have
configured. See Directory Service on page 579.
Note: A Directory Service user group cannot have SSL VPN access.
You can also use a Directory Service user group to provide override privileges for
FortiGuard web filtering. For more information, see Configuring FortiGuard Web filtering
override options on page 589. For detailed information about FortiGuard Web Filter,
including the override feature, see FortiGuard - Web Filter on page 487.
For information on configuring user groups, see Configuring a user group on page 586.
Note: A user group cannot be an IPSec dialup group if any member is authenticated using
a RADIUS or LDAP server.
For information on configuring user groups, see Configuring a user group on page 586.
For information on configuring SSL VPN user group options, see Configuring SSL VPN
identity-based firewall policies on page 331.
Note: By default, the FortiGate web-based manager displays Firewall options. The
following figures show the variations that display for each of the user group types: Firewall,
Directory Service, and SSL VPN.
Note: If you try to add LDAP servers or local users to a group configured for administrator
authentication, an Entry not found error occurs.
Allow to create FortiGuard Web Filtering overrides Select to allow members of this group
to request an override on the FortiGuard Web Filtering Block page. The firewall
protection profile governing the connection must have FortiGuard overrides enabled.
The protection profile may have more than one user group as an override group.
Members of an override group can authenticate on the FortiGuard Web Filter Block
Override page to access the blocked site.
For more information, see FortiGuard - Web Filter on page 487.
Override Scope The override can apply to just the user who requested the override, or
include others. Select one of the following from the list:
User Only the user.
User Group The user group to which the user belongs.
IP Any user at the user's IP address.
Profile Any user with the specified protection profile of the user group.
Ask Authenticating user, who chooses the override scope.
Override Type Select from the list to allow access to:
Directory Only the lowest level directory in the URL.
Options
You can define setting options for user authentication, including authentication timeout,
supported protocols, and authentication certificates.
Authentication timeout controls how long an authenticated firewall connection can be idle
before the user must authenticate again.
When user authentication is enabled on a firewall policy, the authentication challenge is
normally issued for any of the four protocols (depending on the connection protocol):
HTTP (can also be set to redirect to HTTPS)
HTTPS
FTP
Telnet.
The selections made in the Protocol Support list of the Authentication Settings screen
control which protocols support the authentication challenge. Users must connect with a
supported protocol first so they can subsequently connect with other protocols. If HTTPS
is selected as a method of protocol support, it allows the user to authenticate with a
customized Local certificate.
When you enable user authentication on a firewall policy, the firewall policy user will be
challenged to authenticate. For user ID and password authentication, users must provide
their user names and passwords. For certificate authentication (HTTPS or HTTP
redirected to HTTPS only), you can install customized certificates on the FortiGate unit
and the users can also have customized certificates installed on their browsers.
Otherwise, users will see a warning message and have to accept a default FortiGate
certificate.
Note: When you use certificate authentication, if you do not specify any certificate when
you create the firewall policy, the global settings will be used. If you specify a certificate, the
per-policy setting will overwrite the global setting. For information about how to use
certificate authentication, see FortiGate Certificate Management User Guide.
Monitor
You can go to User > Monitor to view lists of currently authenticated users, active SSL
VPN sessions, activity on VPN IPSec tunnels, authenticated IM users, and banned users.
For each authenticated user, the list includes the user name, user group, how long the
user has been authenticated (Duration), how long until the user's session times out (Time
left), and the method of authentication used. VPN tunnel information includes user name,
IP address of the remote client, connection type (IPSec), Proxy ID source/destination
(IPSec), and start time of the sessions (SSL). The list of IM users includes the source IP
address, protocol, and last time the protocol was used. The Banned User list includes
users configured by administrators in addition to those quarantined based on AV, IPS, or
DLP rules.
The following lists are available:
Firewall user monitor list
IPSEC monitor list
SSL VPN monitor list
IM user monitor list
NAC quarantine and the Banned User list
Type Select the types of VPN to display: All, Dialup, or Static IP or Dynamic DNS.
Column Settings Customize the table view. You can select the columns to hide or display
and specify the column display order in the table. For more information, see Using
column settings to control the columns displayed on page 58 and Web-based
manager icons on page 60.
Clear All Filters Select to clear any column display filters you might have applied.
Current Page The current page number of list items that are displayed. Select the left and right
arrows to display the first, previous, next or last page of monitored VPNs.
Filter icons Edit the column filters to filter or sort the IPSec monitor list according to the
criteria you specify. For more information, see Adding filters to web-based
manager lists on page 53.
Name The name of the phase 1 configuration for the VPN.
Remote Gateway The public IP address of the remote host device, or if a NAT device exists
in front of the remote host, the public IP address of the NAT device.
Remote Port The UDP port of the remote host device, or if a NAT device exists in front of the
remote host, the UDP port of the NAT device. Zero (0) indicates that any port can
be used.
Proxy ID Source The IP addresses of the hosts, servers, or private networks behind the FortiGate
unit. The page may display a network range if the source address in the firewall
encryption policy was expressed as a range of IP addresses.
Proxy ID Destination When a FortiClient dialup client establishes a tunnel: if VIP addresses
are not used, the Proxy ID Destination field displays the public IP address of the
remote host Network Interface Card (NIC); if VIP addresses were configured (manually
or through FortiGate DHCP relay), the field displays either the VIP address belonging
to the FortiClient dialup client, or the subnet address from which VIP addresses were
assigned. When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination
field displays the IP address of the remote private network.
Tunnel up or tunnel down icon A green arrow means the tunnel is currently processing
traffic. Select to bring down the tunnel. A red arrow means the tunnel is not processing
traffic. Select to bring up the tunnel.
For Dialup VPNs, the list provides status information about the VPN tunnels established
by dialup clients, including their IP addresses. The number of tunnels shown in the list can
change as dialup clients connect and disconnect.
For Static IP or dynamic DNS VPNs, the list provides status and IP addressing information
about VPN tunnels, active or not, to remote peers that have static IP addresses or domain
names. You can also start and stop individual tunnels from the list.
To view the list of active SSL VPN sessions, go to User > Monitor > SSL.
To view the list of active IM users, go to User > Monitor > IM.
Protocol Filter the list by selecting the protocol for which to display current users: AIM, ICQ,
MSN, or Yahoo. All current users can also be displayed.
# The position number of the IM user in the list.
Protocol The protocol being used.
User Name The name selected by the user when registering with an IM protocol. The same user
name can be used for multiple IM protocols. Each user name/protocol pair appears
separately in the list.
Source IP The Address from which the user initiated the IM session.
Last Login The last time the current user used the protocol.
Block Select to add the user name to the permanent black list. Each user name/protocol pair
must be explicitly blocked by the administrator.
Caution: If you have configured NAC quarantine to block IP addresses and the FortiGate
unit receives sessions that have passed through a NAT device, all traffic from that NAT
device, not just the traffic of the individual user who triggered the quarantine, could be
blocked.
NAC quarantine adds blocked IP addresses or interfaces to the Banned User list. To view
the Banned User list, go to User > Monitor > Banned User. When you configure NAC
quarantine settings, you can specify how long to block the IP addresses or interfaces.
FortiGate administrators can manually enable access again by removing IP addresses or
interfaces from the Banned User list. Removing an IP address from the Banned User list
means the user can start accessing network services through the FortiGate unit again.
Removing an interface from the list means the interface can resume normal receiving and
processing of communication sessions. For more information, see The Banned User list
on page 596.
When an interface is blocked by NAC quarantine or by a DLP sensor with action set to
Quarantine Interface, any user attempting to start an HTTP session through this interface
using TCP port 80 is also redirected by the FortiGate unit to one of the four NAC
quarantine web pages.
The DLP Ban and Ban Sender options also send messages to blocked users. For more
information, see Adding or editing a rule in a DLP sensor on page 513.
All sessions started by users or IP addresses on the Banned User list are blocked until the
user or IP address is removed from the list. All sessions to an interface on the list are
blocked until the interface is removed from the list.
You can configure NAC quarantine to add users or IP addresses to the Banned User list
under the following conditions:
Users or IP addresses that originate attacks detected by IPS - To quarantine users
or IP addresses that originate attacks, enable and configure Quarantine Attackers in
an IPS Sensor Filter. For more information, see Configuring filters on page 464.
IP addresses or interfaces that send viruses detected by virus scanning - To
quarantine IP addresses that send viruses or interfaces that accept traffic containing a
virus, enable Quarantine Virus Sender in a protection profile. For more information,
see Anti-Virus options on page 407.
Users or IP addresses that are banned or quarantined by Data Leak Prevention -
Set various options in a DLP sensor to add users or IP addresses to the Banned User
list. For more information, see Adding or editing a rule in a DLP sensor on page 513.
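The Banned User list behaviour described in this section (entries keyed by user, IP address or interface; a configurable block duration or Indefinite; manual removal; and the NAT caution above), as an added example that is not part of the FortiGate guide or of Fortinet's code. The BanList class, the causes, the addresses, user names, interface names and timestamps are all constructed for illustration.

```python
"""Model of a NAC quarantine ban list with expiry, and the NAT pitfall."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INDEFINITE = None   # "Expires: Indefinite": the entry stays until an administrator removes it

Key = Tuple[str, str]   # ("ip", "203.0.113.7"), ("user", "bob") or ("interface", "port2")


@dataclass
class BanEntry:
    key: Key
    cause: str             # "IPS", "Antivirus" or "Data Leak Prevention" (the list's Cause column)
    created: int           # epoch seconds (Created column)
    expires: Optional[int] # epoch seconds, or INDEFINITE (Expires column)


class BanList:
    def __init__(self) -> None:
        self._entries: Dict[Key, BanEntry] = {}

    def add(self, kind: str, value: str, cause: str, now: int,
            duration: Optional[int] = None) -> None:
        """Quarantine for `duration` seconds, or indefinitely when no duration is given."""
        expires = INDEFINITE if duration is None else now + duration
        self._entries[(kind, value)] = BanEntry((kind, value), cause, now, expires)

    def remove(self, kind: str, value: str) -> None:
        """Administrator removes one entry: access resumes immediately."""
        self._entries.pop((kind, value), None)

    def clear(self) -> None:
        """The Clear icon: remove every entry."""
        self._entries.clear()

    def expire(self, now: int) -> None:
        """Drop timed entries whose Expires time has passed; Indefinite ones stay."""
        for key, entry in list(self._entries.items()):
            if entry.expires is not INDEFINITE and entry.expires <= now:
                del self._entries[key]

    def active(self, now: int) -> List[BanEntry]:
        self.expire(now)
        return list(self._entries.values())

    def session_blocked(self, now: int, src_ip: str, user: Optional[str] = None,
                        interface: Optional[str] = None) -> bool:
        """A session is blocked if its source IP, its user, or its ingress interface is listed."""
        self.expire(now)
        keys: List[Key] = [("ip", src_ip)]
        if user:
            keys.append(("user", user))
        if interface:
            keys.append(("interface", interface))
        return any(k in self._entries for k in keys)


def nat_quarantine_demo(now: int = 1_000_000) -> Tuple[bool, bool, bool]:
    """Two clients share one NAT address; IPS quarantines the attacker's IP for 300 s.
    Returns (attacker blocked, bystander blocked, bystander blocked after expiry)."""
    bans = BanList()
    nat_ip = "203.0.113.7"          # constructed public address of the NAT device
    bans.add("ip", nat_ip, "IPS", now, duration=300)
    attacker = bans.session_blocked(now, nat_ip, user="mallory")
    bystander = bans.session_blocked(now, nat_ip, user="alice")   # collateral block
    later = bans.session_blocked(now + 301, nat_ip, user="alice")
    return attacker, bystander, later
```

`nat_quarantine_demo()` returns `(True, True, False)`: the bystander is blocked for the whole quarantine period because the list only sees the NAT device's address. Where users sit behind NAT, quarantine by user (where the feature supports it) or keep the block duration short.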
To view the Banned User list, go to User > Monitor > Banned User.
Current Page The current page number of list items that are displayed. Select the left and right
arrows to display the first, previous, next or last page of banned users or IP
addresses.
Clear icon Remove all users and IP addresses from the Banned User list.
# The position number of the user or IP address in the list.
Application Protocol The protocol that was used by the user or IP address added to the
Banned User list.
Cause or rule The FortiGate function that caused the user or IP address to be added to the
Banned User list. Cause or rule can be IPS, Antivirus, or Data Leak Prevention.
Created The date and time the user or IP address was added to the Banned User list.
Expires The date and time the user or IP address will be automatically removed from the
Banned User list. If Expires is Indefinite you must manually remove the user or host
from the list.
Delete icon Delete the selected user or IP address from the Banned User list.
FortiGate-3600A
FortiGate-3810A
FortiGate-5001A-SW
The 310B, 620B, 3600A, 3016B, 3810A and 5001A-SW must include a
FortiGate-ASM-S08 module or FortiGate-ASM-SAS module or you must configure iSCSI
to support web caching and byte caching.
Q: What happens if my FortiGate unit doesn't include the FortiGate-ASM-S08 module or
FortiGate-ASM-SAS module?
A: You can still configure and use WAN optimization even if the FortiGate unit does not
have a hard disk. If the hard disk is not available WAN optimization can still apply all
features except web caching and byte caching. If you have an iSCSI device on your
network, you can use the CLI to configure WAN optimization to use iSCSI for web caching
and byte caching.
Q: How does WAN Optimization accept sessions?
A: WAN optimization uses rules to select traffic to be optimized. But, before WAN
optimization rules can accept traffic, the traffic must be accepted by a FortiGate firewall
policy. All sessions accepted by a firewall policy that also match a WAN optimization rule
are processed by WAN optimization.
Q: Can you apply protection profiles to WAN optimization traffic?
A: Within the same VDOM, you cannot apply a protection profile and WAN optimization to
the same communication session. As of FortiOS 4.0, in a single VDOM if a firewall policy
includes a protection profile, all sessions accepted by the policy are processed by the
protection profile and are not processed by WAN optimization. To apply a protection
profile to WAN optimization traffic you can use two VDOMs and an inter-VDOM link (or
two FortiGate units). On the client end of a WAN optimization link, sessions leaving a LAN
should be processed by a protection profile first. Then, using the inter-VDOM link, you can
apply WAN optimization in a second VDOM before sending the session over the WAN
optimization tunnel.
If you want to apply a protection profile to WAN optimized traffic on the server end of a
WAN optimization tunnel before the traffic enters the destination LAN, you also require
two VDOMs. The first VDOM should terminate the WAN optimization tunnel. Then an
inter-VDOM link is required to a second VDOM that applies a protection profile to the
sessions before the sessions are sent to the receiving LAN.
This may be changed in later FortiOS versions.
Q: Does FortiGate WAN optimization work with other vendors' WAN optimization or
acceleration features?
A: No, FortiGate WAN optimization is proprietary to Fortinet. FortiGate WAN optimization
is compatible with FortiClient WAN optimization.
Q: Can the web cache feature be used for caching HTTPS sessions?
A: Yes, if you import the correct certificates.
Q: To use FortiGate WAN optimization or web caching, do end users need to configure
their web browsers to use the FortiGate unit as a proxy server?
A: No. WAN optimization is transparent to users.
Figure placeholder: WAN optimization tunnel between a FortiGate unit and a FortiClient peer.
Note: The FortiGate units can be operating in NAT/Route or Transparent mode and do not
have to be operating in the same mode. WAN optimization is configured for each VDOM
and one or both of the units can be operating with multiple VDOMs enabled. If a FortiGate
unit or VDOM is operating in Transparent mode with WAN optimization enabled, WAN
optimization uses the management IP address as the address of the FortiGate unit instead
of the address of an interface.
Figure placeholder: packets from the WAN optimization client enter the WAN optimization
tunnel (port 7810) between the client-side and server-side WAN optimization peers and
are delivered to the WAN optimization server.
A tunnel is started when a client-side WAN optimization peer attempts to open a WAN
optimization tunnel with a server-side WAN optimization peer. Before the tunnel can be
started the peers must authenticate with each other and then agree on the tunnel
configuration. Then the peers bring up the tunnel and WAN optimization communication
over the tunnel starts.
Note: Once a tunnel has been established multiple WAN optimization sessions can start
and stop between peers without restarting the tunnel.
All peers must have a unique host ID that identifies each peer. You can add the host ID
to a peer from the web-based manager by going to WAN Opt. & Cache > Peer,
entering a host ID in the Local Host ID field and selecting Apply. The host ID can be up
to 25 characters long and can include spaces.
All peers must know the host IDs and IP addresses of all of the other peers that they
can start WAN optimization tunnels with. You can add these host IDs and IP addresses
from the web-based manager by going to WAN Opt. & Cache > Peer and selecting
Create New. Enter the other peer's host ID in the Peer Host ID field, enter the other
peer's IP address in the IP Address field and select OK. The IP address will be the
source IP address of tunnel requests sent by the peer. Usually this is the IP
address of the peer's interface that is connected to the WAN, that is, the IP address of
the interface from which tunnel requests are sent.
Some WAN optimization rules require you to include a peer and others do not. Even if you
are not required to add a peer to a WAN optimization rule, WAN optimization requires
local and peer IDs to be added as described above.
Authentication Groups
Adding peers is not strictly a requirement. Instead you can configure authentication
groups that accept any peer. However, for this to work both peers must have the same
authentication group (with the same name) and both peers must have the same certificate
or pre-shared key. This configuration is useful if you have many peers or if peer IP
addresses change. For example, you could have many travelling users running FortiClient
and participating in WAN optimization using PCs with IP addresses that are always
changing as the users travel to different customer sites. This configuration is also useful if
you have FortiGate units that get external IP addresses using DHCP or PPPoE. For more
information, see Configuring authentication groups on page 635.
Note: Some protocols, for example CIFS, may not function as expected if transparent
mode is not selected. In most cases you should select transparent mode and make sure
routing on the server network is configured as required to support transparent mode.
If transparent mode is not enabled, the source address of the packets received by servers
is changed to the address of the FortiGate unit interface that sends the packets to the
servers. So servers appear to receive packets from the FortiGate unit. Routing on the
server network is simpler in this case because client addresses are not involved, but the
server sees all traffic as coming from the FortiGate unit and not from individual clients.
Note: Do not confuse WAN optimization transparent mode with FortiGate unit transparent
mode. WAN optimization transparent mode is configured in individual WAN optimization
rules. FortiGate transparent mode is a system setting that controls how the FortiGate unit
(or a VDOM) processes traffic.
WAN optimization uses these various data storage devices for web caching and byte
caching. All of these options can provide similar web caching and byte caching
performance. If you add more than one storage location (for example, by adding iSCSI to
a FortiGate that already has a FortiGate-ASM-S08 module) you can configure different
storage locations for web caching and byte caching.
If you have not installed a FortiGate-ASM-S08 or ASM-SAS module in a FortiGate unit
with a single-width AMC slot you can still configure and use iSCSI for full WAN
optimization.
A hard disk, the ASM-SAS module, or iSCSI is only required for web caching and byte
caching. All other WAN optimization features, including SSL acceleration, are supported if
the hard disk, SAS, or iSCSI is not available.
You configure iSCSI support from the FortiGate CLI. See the FortiGate CLI Reference for
more information.
Create New Add a new WAN optimization rule. New rules are added to the bottom of the list.
Status Select to enable a rule or deselect to disable a rule. A disabled rule is out of
service.
ID The rule identifier. Rules are numbered in the order they are added to the rule
list.
Source The source address or address range that the rule matches.
Destination The destination address or address range that the rule matches.
Port The destination port number or port number range that the rule matches.
Method Indicates whether you have selected byte caching in the WAN optimization rule.
Auto-Detect Indicates whether the rule is an active (client) rule, a passive (server) rule or if
auto-detect is off. If auto-detect is off the rule can be a peer to peer rule or a web
cache only rule.
Protocol The protocol optimization WAN optimization technique applied by the rule. See
Protocol optimization on page 623.
Peer For a peer to peer rule, the name of the peer WAN optimizer at the other end of
the link.
Mode Indicates whether the rule applies full optimization or web cache only.
SSL Indicates whether the rule is configured for SSL offloading.
Secure Tunnel Indicates whether the rule is configured to use a WAN optimization tunnel.
Delete icon Delete a rule from the list.
Edit icon Edit a rule.
Insert WAN Optimization Rule Before icon Add a new rule above the corresponding rule
(the New rule screen appears).
Move To icon Move the corresponding rule before or after another rule in the list. See How list
order affects rule matching on page 606 and Moving a rule to a different
position in the rule list on page 607.
For example, you might have a general WAN optimization rule that applies WAN
optimization features but does not apply secure tunneling to most WAN traffic, but you
want to apply secure tunneling to FTP traffic (FTP traffic uses port 21). In this case, you
would add the rule that creates a secure tunnel for FTP sessions above the general rule.
Rule list order: 1. Exception (FTP secure tunnel rule), 2. General rule.
FTP sessions (using port 21) would immediately match the secure tunnel rule. Other kinds
of services would not match the FTP rule, and so rule evaluation would continue until
reaching the matching general rule. This rule order has the intended effect. But if you
reversed the order of the two rules, positioning the general rule before the FTP rule, all
sessions, including FTP, would immediately match the general rule, and the rule to secure
FTP would never be applied. This rule order would not have the intended effect.
Rule list order: 1. General rule, 2. Exception (FTP secure tunnel rule), which never matches.
Similarly, if specific traffic requires exceptional WAN optimization rule settings, you would
position those rules above other potential matches in the rule list. Otherwise, the other
matching rules will take precedence, and the required settings, such as secure tunneling
or a particular protocol optimization, might never be applied.
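The first-match behaviour described above, together with the passive/active range compatibility the guide requires for the Source, Destination and Port fields of a rule, as an added example that is not part of the FortiGate guide or of Fortinet's code. It is a Python model that parses the two address forms the guide describes (address/mask and address-range) and a port or port range, finds the first matching rule, reports rules that an earlier rule shadows completely, and checks that a passive (server) rule covers the ranges of the active (client) rules it must answer. The Rule class, rule names and addresses are constructed; the check generalizes the FTP example to any port and address range.

```python
"""First-match WAN optimization rule evaluation and passive/active range coverage."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[int, int]


def parse_addr(text: str) -> Range:
    """'a.b.c.d/mask' or 'a.b.c.d-e.f.g.h' -> inclusive integer range."""
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
    else:
        net = ipaddress.IPv4Network(text, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"reversed address range: {text}")
    return lo, hi


def parse_port(text: str) -> Range:
    """'21' or '20-21' -> inclusive port range."""
    parts = [int(p) for p in text.split("-", 1)]
    lo, hi = parts[0], parts[-1]
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo, hi


def covers(outer: Range, inner: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


@dataclass
class Rule:
    name: str
    source: str          # matched against the packet's source address
    destination: str     # matched against the packet's destination address
    port: str            # matched against the packet's destination port
    secure_tunnel: bool = False
    auto_detect: str = "active"   # "active" (client), "passive" (server) or "off" (peer to peer)

    def ranges(self) -> Tuple[Range, Range, Range]:
        return parse_addr(self.source), parse_addr(self.destination), parse_port(self.port)

    def matches(self, src: str, dst: str, dport: int) -> bool:
        s, d, p = self.ranges()
        return (s[0] <= int(ipaddress.IPv4Address(src)) <= s[1]
                and d[0] <= int(ipaddress.IPv4Address(dst)) <= d[1]
                and p[0] <= dport <= p[1])


def first_match(rules: List[Rule], src: str, dst: str, dport: int) -> Optional[Rule]:
    """Rules are evaluated top to bottom; the first match wins and evaluation stops."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule
    return None


def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule covers all three of their ranges."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if all(covers(e, r) for e, r in zip(earlier.ranges(), rule.ranges())):
                out.append(rule.name)
                break
    return out


def passive_covers(passive: Rule, actives: List[Rule]) -> List[str]:
    """Active rules whose source, destination or port range falls outside the passive rule."""
    return [a.name for a in actives
            if not all(covers(p, r) for p, r in zip(passive.ranges(), a.ranges()))]


# Constructed rule list reproducing the guide's example on the client-side unit.
FTP_EXCEPTION = Rule("ftp-secure", "10.1.0.0/16", "10.2.0.0/16", "21", secure_tunnel=True)
GENERAL = Rule("general", "10.1.0.0/16", "10.2.0.0/16", "1-65535")


def tunnel_is_secure(rules: List[Rule], dport: int) -> bool:
    """Does a 10.1.5.5 -> 10.2.7.7 session to dport get the secure tunnel?"""
    rule = first_match(rules, "10.1.5.5", "10.2.7.7", dport)
    return bool(rule and rule.secure_tunnel)
```

`tunnel_is_secure([FTP_EXCEPTION, GENERAL], 21)` is true and `tunnel_is_secure([GENERAL, FTP_EXCEPTION], 21)` is false; `shadowed([GENERAL, FTP_EXCEPTION])` names the FTP rule, which is the condition to look for after any rule move. `passive_covers` is the check to run on the server-side unit's passive rule against every active rule that may send it traffic.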
Mode Select Full Optimization to add a rule that can apply all WAN optimization features.
Select Web Cache Only to add a rule that just applies web caching. If you select
Web Cache Only you can configure the source and destination address and port for
the rule. You can also select Transparent Mode and Enable SSL.
Source Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an
IP address range separated by a hyphen. See About WAN optimization
addresses on page 622.
Only packets whose source address header contains an IP address matching this
IP address or address range will be accepted by and subject to this rule.
For a passive rule, the server (passive) source address range should be
compatible with the source addresses of the matching client (active) rule. To match
one passive rule with many active rules the passive rule source address range
should include the source addresses of all of the active rules.
Destination Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an
IP address range separated by a hyphen. See About WAN optimization
addresses on page 622.
Only packets whose destination address header contains an IP address matching
this IP address or address range will be accepted by and subject to this rule.
For a web-cache only rule, if you set Destination to 0.0.0.0 the rule caches
web pages on the Internet or any network.
For a passive rule, the server (passive) destination address range should be
compatible with the destination addresses of the matching client (active) rule. To
match one passive rule with many active rules the passive rule destination address
range should include the destination addresses of all of the active rules.
Port Enter a single port number or port number range. Only packets whose destination
port number matches this port number or port number range will be accepted by
and subject to this rule.
For a passive rule the server (passive) port range should be the same or a subset
of the matching client (active) rule port range.
For a passive rule, the server (passive) port range should be compatible with the
port range of the matching client (active) rule. To match one passive rule with many
active rules the passive rule port range should include the port ranges of all of the
active rules.
Auto-Detect Specify whether the rule is an Active (client) rule, a Passive (server) rule or if auto-
detect is Off. If auto-detect is off the rule is a peer to peer rule.
For an Active (client) rule you must select all of the WAN optimization features to
be applied by the rule. You can select the protocol to optimize, transparent mode,
byte-caching, SSL offloading, secure tunneling, and an authentication group.
A Passive (server) rule uses the settings in the active rule on the client FortiGate
unit to apply WAN optimization settings. You can also select web caching for a
passive rule.
If Auto-Detect is Off, the rule must include all required WAN optimization features
and you must select a Peer for the rule. Select this option to configure peer to
peer WAN optimization where this rule can start a WAN optimization tunnel with
this peer only.
Auto-Detect is not available if you set Mode to Web Cache Only.
Protocol Select CIFS, FTP, HTTP, or MAPI to apply protocol optimization for one of these
protocols. For information about protocol optimization, see Protocol optimization
on page 623.
Select TCP if the WAN optimization tunnel accepts sessions that use more than
one protocol or that do not use the CIFS, FTP, HTTP, or MAPI protocol.
You can select a protocol if Auto-Detect is set to Off or Active.
Peer Select the peer host ID of the peer that this peer to peer WAN optimization rule will
start a WAN optimization tunnel with. You can also select Create New to add a new
peer.
You can select a peer if Auto-Detect is set to Off.
Transparent Servers receiving packets after WAN optimization see different source addresses
Mode depending on whether you select transparent mode or not. You can select
Transparent mode if Auto-Detect is set to Active or Off. You can also select
transparent mode for web cache only rules.
Select transparent mode to keep the original source address of the packets when
they are sent to servers. The servers appear to receive traffic directly from clients.
Routing on the server network should be able to route traffic with client source IP
addresses from the FortiGate unit to the server and back to the FortiGate unit.
If transparent mode is not selected, the source address of the packets received by
servers is changed to the address of the FortiGate unit interface that sends the
packets to the servers. So servers appear to receive packets from the FortiGate
unit. Routing on the server network is usually simpler in this case because client
addresses are not involved, but the server sees all traffic as coming from the
FortiGate unit and not from individual clients.
Some protocols, for example CIFS, may not function as expected if transparent
mode is not selected. In most cases you should select transparent mode and make
sure routing on the server network is configured as required to support transparent
mode.
Enable Byte Select to apply WAN optimization byte caching to the sessions accepted by this
Caching rule. For more information, see Byte caching on page 624.
Enable SSL Select to apply SSL offloading for HTTPS traffic. You can use SSL offloading to
offload SSL encryption and decryption from one or more HTTP servers to the
FortiGate unit. If you enable SSL offloading you should configure the rule to accept
SSL-encrypted traffic, for example, by configuring the rule to accept HTTPS traffic
by setting Port to 443.
If you enable SSL offloading, from the FortiGate CLI you must also use the config
wanopt ssl-server command to add an SSL server for each HTTP server that
you wan to offload SSL encryption/decryption for. For more information, see SSL
offloading for WAN optimization and web caching on page 624.
You can select SSL offloading if Auto-Detect is set to Active or Off. You can also
select SSL offloading for web cache only rules.
Enable Secure If you select Enable Secure Tunnel the WAN optimization tunnel is encrypted using
Tunnel SSL encryption. If you enable the secure tunnel you must also add an
authentication group to the rule. For more information, see Secure tunnelling on
page 630.
You can enable secure tunnelling if Auto-Detect is set to Active or Off.
Authentication Select Authentication Group and select an authentication group from the list if you
Group want the FortiGate units to authenticate with each other before starting the WAN
optimization tunnel. You must also select an authentication group if you select
Enable Secure Tunnel.
You must add identical authentication groups to both of the FortiGate units that will
participate in the WAN optimization tunnel started by the rule. For more
information, see Configuring authentication groups on page 635.
Web caching
FortiGate WAN optimization web caching is a form of object caching that accelerates web
applications and web servers by reducing bandwidth usage, server load, and perceived
latency. Web caching supports explicit and transparent proxy caching of HTTP 1.0 and
HTTP 1.1 web sites. See RFC 2616 for information about web caching for HTTP 1.1. Web
caching involves storing HTML pages, images, servlet responses and other web based
objects for later retrieval. FortiGate units cache these objects on a hard disk installed
in the FortiGate unit or on a remote iSCSI or SAS device.
There are three significant advantages to using web caching to improve WAN performance:
• Reduced WAN bandwidth consumption, because fewer requests and responses go over the
WAN
• Reduced web server load, because there are fewer requests for web servers to handle
• Reduced latency, because responses for cached requests are available from a local
FortiGate unit instead of from across the WAN or Internet.
You can use web caching to cache any web traffic that passes through the FortiGate unit,
including web pages from web servers on a LAN, WAN or on the Internet. The FortiGate unit
caches web objects for all HTTP traffic processed by WAN optimization rules that include
web caching.
You can add WAN optimization rules for web caching only. You can also add web caching to
WAN optimization rules for HTTP traffic that also include byte caching, protocol
optimization, and other WAN optimization features.
Note: You can also enable web caching for the FortiGate explicit web proxy. For more
information, see To enable web caching for the explicit web proxy on page 149.
Web caching cannot determine whether a file is compressed (for example a zip file) or not,
and caches compressed (for example, zipped) and non-compressed versions of the same file
separately. If the HTTP protocol considers the compressed and uncompressed versions of a
file to be the same object, only the compressed or the uncompressed file will be cached.
[Figure: one FortiGate unit web caching HTTP traffic from the WAN, LAN, or Internet]
Note: Since only one FortiGate unit is involved in this web caching configuration, you do
not need to change the WAN optimization peer configuration for this scenario.
Port: Usually you would set the port to 80 to cache normal HTTP traffic. But you can
change the Port to a different number (for example 8080) or to a port number range so
that the FortiGate unit provides web caching for HTTP traffic using other ports.
Enable SSL: In this example SSL offloading is disabled. For an example of a reverse
proxy web cache configuration that also includes only one FortiGate unit and enables SSL
offloading, see SSL offloading and reverse proxy web caching for an internet web server
on page 627.
[Figure: FortiGate units with IP addresses 172.10.10.1 and 172.20.20.1 connected across
the WAN, with web caching applied to the traffic in the WAN optimization tunnel]
For web caching to work, the WAN optimization tunnel must accept HTTP (and optionally
HTTPS) traffic. To do this, the active rule on the client side must include the ports used
for HTTP (and HTTPS) traffic. Set Protocol to HTTP to perform protocol optimization of the
HTTP traffic. You can also enable SSL offloading, secure tunneling, and add an
authentication group.
Figure 408: Adding an active WAN optimization rule compatible with web caching
2 Select Create New and add a Peer Host ID and the IP address for the server side
FortiGate unit.
3 Go to Firewall > Policy and add a firewall policy that accepts traffic to be web cached.
4 Go to WAN Opt. & Cache > Rule and select Create New.
5 Configure the rule.
2 Select Create New and add a Peer Host ID and the IP address for the client side
FortiGate unit.
3 Go to WAN Opt. & Cache > Rule and select Create New.
4 Configure the rule.
For web caching to work the WAN optimization tunnel must allow HTTP (and optionally
HTTPS) traffic. To do this, the WAN optimization rule must include the ports used for
HTTP (and HTTPS) traffic. Set Protocol to HTTP to perform protocol optimization of the
HTTP traffic. You can also enable transparent mode, byte caching, SSL offloading, secure
tunneling, and add an authentication group.
[Figure: FortiGate units with IP addresses 172.20.34.12 and 192.168.30.12 connected
across the WAN, with web caching applied in the peer to peer WAN optimization tunnel]
Figure 411: Adding the server side Peer Host ID to the client side peer list
Figure 412: Adding web caching to a peer to peer WAN optimization rule
2 Select Create New and add a Peer Host ID and the IP address for the server side
FortiGate unit.
Figure 413: Adding the client side Peer Host ID to the server side peer list
2 Select Create New and add a Peer Host ID and the IP address for the client side
FortiGate unit.
[Figure: FortiGate units with IP addresses 172.30.120.1 and 192.168.20.1 connected
across the WAN]
This example configuration includes three active rules on the client side FortiGate unit and
one passive rule on the server side FortiGate unit. The active rules do the following:
• Optimize HTTP traffic from IP addresses 172.20.120.100 to 172.20.120.150
• Optimize FTP traffic from IP addresses 172.20.120.151 to 172.20.120.200
To configure peers on the client side FortiGate unit and add a firewall policy
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client side FortiGate
unit.
2 Select Create New and add a Peer Host ID and the IP address for the server side
FortiGate unit.
3 Go to Firewall > Policy and add a firewall policy that accepts traffic to be optimized.
4 Select Create New to add the active rule to optimize HTTP traffic for IP addresses
172.20.120.100 to 172.20.120.150.
Figure 417: HTTP, FTP, and CIFS rules in the rule list
2 Select Create New and add a Peer Host ID and the IP address for the client side
FortiGate unit.
3 Go to WAN Opt. & Cache > Rule and select Create New.
4 Add the passive rule. The source address matches the 172.20.120.100 to
172.20.120.200 IP address range and the 1-65535 port range. You can also enable
web caching for the HTTP traffic.
[Figure: FortiGate units with IP addresses 172.20.34.12 and 192.168.30.12 connected
across the WAN]
2 Select Create New and add a Peer Host ID and the IP address for the server side
FortiGate unit.
Protocol: MAPI
Peer: Peer_Fgt_2
Transparent Mode: Enable
Enable Byte Caching: Enable
7 Select OK to save the rule.
The rule is added to the bottom of the WAN optimization list.
8 If required, move the rule to a different position in the list.
See Moving a rule to a different position in the rule list on page 607.
2 Select Create New and add a Peer Host ID and the IP address for the peer side
FortiGate unit.
When representing hosts by an IP Range, the range indicates hosts with contiguous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete
range of hosts on that subnet. Valid IP Range formats include:
• x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
• x.x.x.[x-x], such as 192.168.110.[100-120]
• x.x.x.*, such as 192.168.110.*
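The following added example (it is not FortiGate code and does not come from this guide) shows, in Python, how the address forms listed above and accepted in the rule Source, Destination and Port fields can be parsed into ranges, how top-to-bottom first-match rule lookup lets a general TCP rule placed above a protocol-specific rule shadow it, and how to check that one passive rule's ranges include those of every active rule it must match. The Rule class, the rule names and the address ranges are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example (not FortiGate code). It models the address forms the guide
# accepts in rule Source/Destination fields and in FortiClient IP ranges:
#   a.b.c.d/mask, a.b.c.d-a.b.c.d, a.b.c.[x-y] and a.b.c.*
# and the top-to-bottom, first-match lookup used for the rule list.

IntRange = Tuple[int, int]  # inclusive (first, last) as integers


def addr_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_addr_spec(spec: str) -> IntRange:
    """Return the inclusive integer range covered by one address specification."""
    spec = spec.strip()
    if "/" in spec:                                        # a.b.c.d/mask or a.b.c.d/bits
        net = ipaddress.IPv4Network(spec, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)\[(\d+)-(\d+)\]", spec)
    if m:                                                  # a.b.c.[x-y]
        prefix, lo, hi = m.groups()
        return addr_to_int(prefix + lo), addr_to_int(prefix + hi)
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)\*", spec)
    if m:                                                  # a.b.c.* (the whole /24)
        return addr_to_int(m.group(1) + "0"), addr_to_int(m.group(1) + "255")
    if "-" in spec:                                        # a.b.c.d-a.b.c.d
        lo, hi = spec.split("-", 1)
        return addr_to_int(lo), addr_to_int(hi)
    single = addr_to_int(spec)                             # a single host
    return single, single


def parse_port_spec(spec: str) -> IntRange:
    """'80' or '1-65535'."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def _contains(rng: IntRange, value: int) -> bool:
    return rng[0] <= value <= rng[1]


def _covers(outer: IntRange, inner: IntRange) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


@dataclass
class Rule:
    name: str
    source: str
    destination: str
    port: str
    protocol: str                       # CIFS, FTP, HTTP, MAPI or TCP
    src: IntRange = field(init=False)
    dst: IntRange = field(init=False)
    ports: IntRange = field(init=False)

    def __post_init__(self) -> None:
        self.src = parse_addr_spec(self.source)
        self.dst = parse_addr_spec(self.destination)
        self.ports = parse_port_spec(self.port)

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (_contains(self.src, addr_to_int(src_ip))
                and _contains(self.dst, addr_to_int(dst_ip))
                and _contains(self.ports, dst_port))


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> Optional[Rule]:
    """The rule list is searched top to bottom; the first matching rule is applied."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule
    return None


def passive_covers(passive: Rule, actives: List[Rule]) -> bool:
    """A server-side passive rule can only match client-side active rules whose
    source, destination and port ranges all lie inside its own ranges."""
    return all(_covers(passive.src, a.src) and _covers(passive.dst, a.dst)
               and _covers(passive.ports, a.ports) for a in actives)


# Constructed sample rules, modelled on the guide's client/server example.
HTTP_RULE = Rule("http_opt", "172.20.120.[100-150]", "192.168.30.0/24", "80", "HTTP")
FTP_RULE = Rule("ftp_opt", "172.20.120.151-172.20.120.200", "192.168.30.*", "21", "FTP")
GENERAL_RULE = Rule("general_tcp", "172.20.120.0/255.255.255.0", "192.168.30.0/24", "1-65535", "TCP")

WRONG_ORDER = [GENERAL_RULE, HTTP_RULE, FTP_RULE]   # general rule first: FTP rule is dead
RIGHT_ORDER = [HTTP_RULE, FTP_RULE, GENERAL_RULE]   # exceptions first, catch-all last

# Server-side passive rule that should match all three active rules.
PASSIVE_RULE = Rule("passive_all", "172.20.120.0/24", "192.168.30.0/24", "1-65535", "TCP")
# Too narrow: it would match the HTTP rule only.
NARROW_PASSIVE = Rule("passive_http", "172.20.120.[100-150]", "192.168.30.0/24", "80", "TCP")

if __name__ == "__main__":
    flow = ("172.20.120.160", "192.168.30.12", 21)       # an FTP session
    print("wrong order ->", first_match(WRONG_ORDER, *flow).name)
    print("right order ->", first_match(RIGHT_ORDER, *flow).name)
    actives = [HTTP_RULE, FTP_RULE, GENERAL_RULE]
    print("passive covers all actives:", passive_covers(PASSIVE_RULE, actives))
    print("narrow passive covers all :", passive_covers(NARROW_PASSIVE, actives))
```

Running it prints `general_tcp` for the FTP session under the wrong order and `ftp_opt` under the right one, and shows that the narrow passive rule would leave the FTP and general rules without a server-side match.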
Protocol optimization
FortiGate WAN optimization applies protocol optimization techniques to optimize bandwidth
use across the WAN. These techniques improve the efficiency of communication across the
WAN optimization tunnel by reducing the amount of traffic that the communication
protocols themselves require. Protocol optimization can be applied to specific protocols
such as CIFS, FTP, HTTP, and MAPI, applying techniques specific to each protocol.
For example, Common Internet File System (CIFS) provides file access, record locking,
read/write privileges, change notification, server name resolution, request batching, and
server authentication. CIFS is a fairly chatty protocol, requiring many background
transactions to successfully transfer a single file. This is usually not a problem across
a LAN. However, across a WAN the added latency and reduced bandwidth can slow down CIFS
performance considerably.
When you set Protocol to CIFS in a WAN optimization rule, the FortiGate units at either
end of the WAN optimization tunnel use a number of techniques to reduce the number of
background transactions that occur over the WAN for CIFS traffic.
You can only select one protocol in a WAN optimization rule. For best performance you
should separate the traffic by protocol by creating a different WAN optimization rule for
each protocol. For example, to optimize HTTP traffic set Port to 80 so that only HTTP
traffic is accepted by that WAN optimization rule. For an example configuration that uses
multiple rules for different protocols, see Configuring client/server (active-passive) WAN
optimization on page 617.
If a WAN optimization rule accepts a range of different types of traffic, you can set
Protocol to TCP to employ TCP optimization. This applies general optimization techniques
to TCP traffic. Applying TCP optimization to a range of different types of traffic is not
as effective as applying protocol-specific optimization to specific types of traffic. TCP
protocol optimization uses techniques such as TCP SACK support, TCP window scaling and
window size adjustment, and TCP connection pooling to remove TCP bottlenecks.
Byte caching
FortiGate WAN optimization byte caching breaks large units of application data (for
example, a file being downloaded from a web page) into small chunks of data, labels each
chunk with a hash of the chunk, and stores the chunks and their hashes in a database. The
database is stored on a storage device such as a hard disk or an iSCSI device. Then,
instead of sending the actual data over the WAN tunnel, the FortiGate unit sends the
hashes. The FortiGate unit at the other end of the tunnel receives the hashes and compares
them with the hashes in its local byte caching database. For any hash that matches, the
corresponding data does not have to be transmitted over the WAN optimization tunnel. The
data for any hashes that do not match is transferred over the tunnel and added to the
receiving unit's byte caching database. The unit of application data (the file being
downloaded) is then reassembled and sent to its destination.
Byte caching is not application specific. Bytes cached from a file in an email can be used
to optimize downloading that same file, or a similar file, from a web page.
The result is that less data is transmitted over the WAN. Initially, byte caching may
reduce performance until a large enough byte caching database has been built up.
Select Enable Byte Caching in a WAN optimization rule to enable byte caching. The Protocol
setting does not affect byte caching. Data is byte cached when it is processed by a WAN
optimization rule that includes byte caching.
Byte caching cannot determine whether a file is compressed (for example a zip file) or not,
and caches compressed (for example, zipped) and non-compressed versions of the same file
separately.
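As an added example that is not part of this guide and not FortiGate code, the following Python models the byte caching exchange described above: the data is cut into content-defined chunks, the hashes cross the tunnel first, and chunk data crosses only for hashes the far side does not already hold. The gear-style rolling hash, the chunk size limits, the 32-byte SHA-256 labels and the constructed sample file are assumptions of this model, not a description of the FortiGate implementation. The third transfer shows why content-defined chunking matters: a file edited in the middle still shares most of its chunks with the original.

```python
import hashlib
import random
from dataclasses import dataclass
from typing import Dict, List

# Added example (not FortiGate code): a small model of byte caching as the guide
# describes it. The chunker, chunk sizes and sample data are assumptions.

_rng = random.Random(0x5EED)
GEAR = [_rng.getrandbits(32) for _ in range(256)]  # fixed table for the rolling hash

MIN_CHUNK, MAX_CHUNK, BOUNDARY_MASK = 32, 256, 0x0003F000  # ~64-byte average chunks


def chunk_data(data: bytes) -> List[bytes]:
    """Content-defined chunking: a boundary is placed where the rolling hash of the
    last few bytes hits the mask, so an insert early in a file only disturbs the
    chunks around it and later chunks line up with the original again."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + GEAR[b]) & 0xFFFFFFFF
        length = i - start + 1
        if (length >= MIN_CHUNK and (h & BOUNDARY_MASK) == 0) or length >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start, h = i + 1, 0
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def chunk_hash(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()


class ByteCacheDB:
    """The per-unit hash -> chunk database (kept on disk in a real unit)."""

    def __init__(self) -> None:
        self.chunks: Dict[bytes, bytes] = {}

    def has(self, h: bytes) -> bool:
        return h in self.chunks

    def add(self, h: bytes, chunk: bytes) -> None:
        self.chunks[h] = chunk


@dataclass
class TransferResult:
    hash_bytes: int      # bytes of hashes crossing the WAN tunnel
    data_bytes: int      # bytes of chunk data crossing the WAN tunnel
    reassembled: bytes   # what the far side hands to the destination


def transfer(data: bytes, sender: ByteCacheDB, receiver: ByteCacheDB) -> TransferResult:
    chunks = chunk_data(data)
    hashes = [chunk_hash(c) for c in chunks]
    for h, c in zip(hashes, chunks):          # the sender records every chunk it sends
        sender.add(h, c)
    # 1. sender -> receiver: the hash list
    # 2. receiver -> sender: the hashes it lacks (deduplicated, order kept)
    missing = list(dict.fromkeys(h for h in hashes if not receiver.has(h)))
    # 3. sender -> receiver: data for the missing chunks only
    data_bytes = 0
    for h in missing:
        receiver.add(h, sender.chunks[h])
        data_bytes += len(sender.chunks[h])
    # 4. the receiver reassembles the original unit of application data
    rebuilt = b"".join(receiver.chunks[h] for h in hashes)
    return TransferResult(len(hashes) * 32, data_bytes, rebuilt)


def sample_file(size: int = 4096) -> bytes:
    """Constructed, deterministic pseudo-random file content."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def modified_file() -> bytes:
    """The same file with 7 bytes inserted in the middle."""
    f = sample_file()
    return f[:2048] + b"patched" + f[2048:]


def run_scenario() -> List[TransferResult]:
    """First download, the same file again (e.g. as an email attachment), then an
    edited copy: returns one TransferResult per transfer."""
    client, server = ByteCacheDB(), ByteCacheDB()
    return [transfer(p, client, server)
            for p in (sample_file(), sample_file(), modified_file())]


if __name__ == "__main__":
    labels = ("first download", "same file attached to an email", "edited copy of the file")
    for label, r in zip(labels, run_scenario()):
        print(f"{label:32s} hashes={r.hash_bytes:5d} data={r.data_bytes:5d} bytes over the WAN")
```

The second transfer sends hashes only, which is the "initially byte caching may reduce performance" point in reverse: the savings come after the database has seen the data once.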
A number of SSL offloading configurations are possible. This section includes two.
[Figure: client side FortiGate unit (IP address 172.20.120.1) and server side FortiGate
unit (IP address 192.168.10.1) connected across the WAN; the HTTPS connection is
decrypted on the client side, carried in clear text through the WAN optimization tunnel,
and forwarded to the web server on the server side]
When the client side FortiGate unit accepts an HTTPS connection for 192.168.10.20, the SSL
server configuration provides the information that the client side FortiGate unit needs
to decrypt the traffic and send it in clear text across a WAN optimization tunnel to the
server side FortiGate unit. The server side FortiGate unit then forwards the clear text
packets to the web server.
The web server certificate is not downloaded from the server side to the client side
FortiGate unit. Instead, the client side FortiGate unit proxies the SSL parameters from
the client side to the server side, which returns an SSL key and the other information
required for the client side FortiGate unit to decrypt and encrypt the HTTPS traffic.
Note: In this peer-to-peer configuration you do not need to add a WAN optimization rule to
the server side FortiGate unit as long as the server side FortiGate unit includes the Peer
Host ID of the client FortiGate unit in its peer list. However, you could set Auto-Detect to
Active on the client side FortiGate unit and then add a passive rule to the server side
FortiGate unit.
Note: In this example the secure tunnel and the authentication group configurations are not
required, but are added to protect the privacy of the WAN optimization tunnel. Instead of
the secure tunnel configuration, you could configure a route-based IPSec VPN between the
FortiGate units and use IPSec to protect the privacy of the WAN optimization tunnel.
2 Select Create New and add a Peer Host ID and the IP address for the peer side
FortiGate unit.
Name: SSL_auth_grp
Authentication Method: Pre-shared key
Password: <pre-shared_key>
Peer Acceptance: Specify Peer: Web_servers
5 Go to WAN Opt. & Cache > Rule and select Create New to add the WAN optimization
rule:
2 Select Create New and add a Peer Host ID and the IP address for the peer side
FortiGate unit.
Name: SSL_auth_grp
Authentication Method: Pre-shared key
Password: <pre-shared_key>
Peer Acceptance: Specify Peer: User_net
5 Go to System > Certificates > Local Certificates and select Import to import the web
server's certificate (the FortiGate unit also needs the server's private key to decrypt
the traffic). Set the name of the local certificate to Web_Server_Cert_1.
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
6 Enter the following command to add the SSL server to the server side FortiGate unit:
config wanopt ssl-server
edit example_server
set ip 192.168.10.20
set port 443
set ssl-cert Web_Server_Cert_1
end
Configure other ssl-server settings as required for your configuration.
SSL offloading and reverse proxy web caching for an internet web server
This example shows how to configure SSL offloading for a reverse proxy web cache only
WAN optimization configuration. In this configuration, clients on the Internet use HTTPS to
browse to a web server. The FortiGate unit intercepts the HTTPS traffic and a web cache
only WAN optimization rule with SSL offloading enabled decrypts the traffic before
sending it to the web server. The FortiGate unit also caches pages from the web server.
Replies from the web server are encrypted by the FortiGate unit before returning to the
web browsing clients.
The web cache only rule enables transparent mode because the FortiGate unit is
performing NAT between the Internet and the HTTP server and the web server network is
not configured to route Internet traffic between the FortiGate unit and the web server.
In this configuration the FortiGate unit is operating in reverse proxy mode. Reverse proxy
caches can be placed directly in front of a particular server. Web caching on the FortiGate
unit reduces the number of requests that the web server must handle therefore leaving it
free to process new requests that it has not serviced before.
Some benefits of a reverse proxy configuration:
• Avoid the capital expense of purchasing additional web servers by instead increasing
the capacity of existing servers.
• Serve more requests for static content from web servers.
• Serve more requests for dynamic content from web servers.
• Reduce operating expenses, including the cost of bandwidth required to serve content.
• Accelerate the response time of web servers and page download times for end users,
delivering a faster and better experience to site visitors.
When planning a reverse proxy implementation the web server's content should be written
so that it is cache aware to take full advantage of the reverse proxy cache.
In Reverse Proxy mode, the FortiGate unit functions more like a web server with respect
to the clients it services. Unlike internal clients, external clients are not reconfigured to
access the proxy server. Instead, the site URL routes the client to the FortiGate unit as if it
were a web server. Replicated content is delivered from the proxy cache to the external
client without exposing the web server or the private network residing safely behind the
firewall.
In this example, the site URL translates to IP address 192.168.10.1 which is the port2 IP
address of the FortiGate unit. The port2 interface is connected to the Internet. You could
also use a different IP address and route traffic for this IP address to the FortiGate unit
port2 interface.
This example also includes two web cache only rules: one that accepts the HTTP traffic
for web caching and one that accepts the HTTPS traffic for SSL offloading and web
caching. You could also add only one rule for both the HTTP and HTTPS traffic.
This example assumes all HTTP traffic uses port 80 and all HTTPS traffic uses port 443.
The FortiGate unit includes the web server certificate and an SSL server configuration
for IP address 172.10.20.30 and port 443.
[Figure: reverse proxy web caching with SSL offloading. Internet clients reach port2
(IP address 192.168.10.1); the web cache only rule with SSL offloading decrypts the
traffic, and port1 (IP address 172.10.20.2) forwards plain HTTP to the web server at
172.10.20.30, port 80. Traffic is encrypted on the port2 side and decrypted on the port1
side.]
Name: Reverse_proxy_VIP
External Interface: port2
Type: Static NAT
External IP Address/Range: 192.168.10.1
Mapped IP Address/Range: 172.10.20.30 (the web server, reached through port1)
2 Go to Firewall > Policy and select Create New to add a port2 to port1 firewall policy
that accepts HTTP and HTTPS traffic from the Internet.
Do not select a protection profile. Set the destination address to the virtual IP. You do
not have to enable NAT.
3 Go to WAN Opt. & Cache > Rule and select Create New to add a web cache only WAN
optimization rule that accepts the HTTP traffic accepted by the firewall policy.
Set destination to the IP address that is translated by the virtual IP (192.168.10.1) and
not to the server IP (172.10.20.30). Enable transparent mode.
Secure tunnelling
Select Enable Secure Tunnel in WAN optimization rules to use SSL to encrypt the traffic in
the WAN optimization tunnel. The FortiGate units use FortiASIC acceleration to accelerate
SSL decryption and encryption of the secure tunnel. The secure tunnel uses the same
TCP port as a non-secure tunnel (TCP port 7810).
You must configure and add an authentication group to the WAN optimization rule to use
secure tunneling. The authentication group configures the certificate or pre-shared key
parameters required by the secure tunnel. The WAN optimization rules at both ends of the
tunnel should have compatible authentication group configurations. For example, they
should have the same certificates or the same pre-shared key.
Name: auth-fc
Authentication Method: Certificate
Certificate: Fortinet_Firmware
Peer Acceptance: Accept Any Peer
[Figure: iSCSI server at 192.168.20.100 on the network]
You cannot list these WAN optimization storages using the execute scsi-dev command.
Instead, use the following command to list the WAN optimization storages that you have
added:
get wanopt storage
== [ web_cache_sto ]
name: web_cache_sto partition-label: 77A2A1AB1D0EF8B7 partition-size: 39999 storage-size: 15000
== [ byte_cache_sto ]
name: byte_cache_sto partition-label: 77A2A1AB1D0EF8B7 partition-size: 39999 storage-size: 24999
7 Enter the following commands to configure web caching to use the web_cache_sto storage
and byte caching to use the byte_cache_sto storage:
config wanopt cache-storage
set web-cache-storage web_cache_sto
set byte-cache-storage byte_cache_sto
end
Configuring peers
Go to WAN Opt. & Cache > Peer to configure WAN optimization peers. From here you can add
the Local Host ID that identifies this FortiGate unit for WAN optimization, and add the
Peer Host ID and IP address of each FortiGate unit that this FortiGate unit can create WAN
optimization tunnels with.
Peer Host ID: The Peer Host ID of the peer FortiGate unit. This is the Local Host ID
configured on the peer FortiGate unit.
IP Address: The IP address of the peer FortiGate unit. Usually this is the IP address of
the peer's FortiGate interface connected to the WAN.
Pre-shared key: If you select Pre-shared key, add a pre-shared key. All peers that use
this authentication group must have the same authentication group with the same
pre-shared key.
If you selected Pre-shared Key, type the pre-shared key that the FortiGate unit will use to
authenticate itself to the remote peer. The key must contain at least 6 printable
characters and should be known only by network administrators. For optimum protection
against currently known attacks, the key should consist of a minimum of 16 randomly
chosen alphanumeric characters.
Peer Acceptance: Select which peers the FortiGate unit will authenticate with when this
authentication group is used.
Accept any peer: Authenticate with any peer. Use this setting if you don't know the peer
host IDs or IP addresses of the peers that will use this authentication group. This
setting is most often used for WAN optimization with FortiClient.
Accept defined peers: Authenticate with any peer in the FortiGate unit peer list.
Specify Peer: Authenticate with the selected peer only. Select the peer to add to this
authentication group.
If the tunnel request includes an authentication group the authentication will be based on
the settings of this group as follows:
The server side FortiGate unit searches its own configuration for the name of the
authentication group in the tunnel request. If no match is found, the authentication fails.
If a match is found, the server side FortiGate unit compares the authentication method
in the client and server authentication groups. If the methods do not match, the
authentication fails.
If the authentication methods match the server side FortiGate unit tests the peer
acceptance settings in its copy of the authentication group.
If the setting is accept any peer, the authentication is successful.
If the setting is specify peer the server side FortiGate unit compares the client side
Local Host ID in the tunnel request with the peer name in the server side
authentication group. If the names match authentication is successful. If a match is
not found, authentication fails.
If the setting is accept defined peers, the server side FortiGate unit compares the
client side Local Host ID in the tunnel request with the server side peer list. If a
match is found authentication is successful. If a match is not found authentication
fails.
If the tunnel request does not include an authentication group authentication will be based
on the client side Local Host ID in the tunnel request. The server side FortiGate unit
searches its peer list to match the client side Local Host ID in the tunnel request. If a
match is found, authentication is successful. If a match is not found authentication fails.
If the server side FortiGate unit successfully authenticates the tunnel request, the server
side FortiGate unit sends back a tunnel setup response message. This message includes
the server side Local Host ID and the authentication group that matches the one in the
tunnel request.
The client side FortiGate unit then performs the same authentication procedure as the
server side FortiGate unit did. If both sides succeed tunnel setup continues.
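The decision procedure above, written out as an added Python example that is not FortiGate code. The host IDs and group names are borrowed from this section's examples; the Unit and AuthGroup classes, the peer lists and the request and response fields are constructed for the example. It covers the no-group path, the three peer acceptance settings, and the mutual check in which the client side repeats the procedure on the setup response. How the units prove possession of the pre-shared key or certificate is not described on this page and is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example (not FortiGate code): the tunnel-request authentication decision
# the guide describes, as a function either unit can run. Host IDs, group names
# and unit configurations below are constructed for the example.


@dataclass
class AuthGroup:
    name: str
    method: str             # "psk" or "certificate"
    peer_acceptance: str    # "any", "defined" or "specify"
    specified_peer: Optional[str] = None


@dataclass
class Unit:
    local_host_id: str
    peers: Dict[str, str] = field(default_factory=dict)        # peer host id -> IP
    auth_groups: Dict[str, AuthGroup] = field(default_factory=dict)


def authenticate(local: Unit, remote_host_id: str,
                 remote_group: Optional[AuthGroup]) -> Tuple[bool, str]:
    """Decide whether `local` accepts a tunnel request (or setup response) from
    `remote_host_id` that carries `remote_group` (None if no group was included)."""
    if remote_group is None:
        # No authentication group: acceptance rests on the claimed host id alone.
        if remote_host_id in local.peers:
            return True, "host id is in the peer list"
        return False, "no authentication group and host id is not in the peer list"
    mine = local.auth_groups.get(remote_group.name)
    if mine is None:
        return False, f"authentication group {remote_group.name!r} not configured here"
    if mine.method != remote_group.method:
        return False, "authentication method mismatch"
    if mine.peer_acceptance == "any":
        return True, "accept any peer"
    if mine.peer_acceptance == "specify":
        if remote_host_id == mine.specified_peer:
            return True, f"host id matches specified peer {mine.specified_peer!r}"
        return False, f"host id is not the specified peer {mine.specified_peer!r}"
    if mine.peer_acceptance == "defined":
        if remote_host_id in local.peers:
            return True, "host id is in the peer list (accept defined peers)"
        return False, "host id is not in the peer list (accept defined peers)"
    return False, f"unknown peer acceptance setting {mine.peer_acceptance!r}"


def setup_tunnel(client: Unit, server: Unit,
                 group_name: Optional[str]) -> Tuple[bool, str]:
    """Both directions: the server checks the request, then the client checks the
    server's setup response with the same procedure."""
    request_group = client.auth_groups[group_name] if group_name else None
    ok, why = authenticate(server, client.local_host_id, request_group)
    if not ok:
        return False, "server side rejected request: " + why
    # The setup response carries the server's Local Host ID and its copy of the group.
    response_group = server.auth_groups[group_name] if group_name else None
    ok, why = authenticate(client, server.local_host_id, response_group)
    if not ok:
        return False, "client side rejected response: " + why
    return True, "tunnel setup continues"


# Constructed units, named after the guide's SSL offloading example.
CLIENT = Unit("User_net", peers={"Web_servers": "192.168.10.1"},
              auth_groups={"SSL_auth_grp": AuthGroup("SSL_auth_grp", "psk", "specify", "Web_servers")})
SERVER = Unit("Web_servers", peers={"User_net": "172.20.120.1"},
              auth_groups={"SSL_auth_grp": AuthGroup("SSL_auth_grp", "psk", "specify", "User_net")})
# A server whose Local Host ID is not the one the client's group specifies.
RENAMED_SERVER = Unit("Web_servers_2", peers={"User_net": "172.20.120.1"},
                      auth_groups={"SSL_auth_grp": AuthGroup("SSL_auth_grp", "psk", "specify", "User_net")})
# A server using "accept defined peers" for a group named grp.
DEFINED_SERVER = Unit("Web_servers", peers={"User_net": "172.20.120.1"},
                      auth_groups={"grp": AuthGroup("grp", "psk", "defined")})
# A server that accepts any peer for the certificate group auth-fc (FortiClient style).
OPEN_SERVER = Unit("Web_servers",
                   auth_groups={"auth-fc": AuthGroup("auth-fc", "certificate", "any")})

if __name__ == "__main__":
    print(setup_tunnel(CLIENT, SERVER, "SSL_auth_grp"))
    print(setup_tunnel(CLIENT, RENAMED_SERVER, "SSL_auth_grp"))
    print(authenticate(SERVER, "User_net", None))
    print(authenticate(SERVER, "Rogue_box", None))
    print(authenticate(OPEN_SERVER, "anyone", AuthGroup("auth-fc", "certificate", "any")))
```

Note what the no-group path shows: without an authentication group, acceptance rests only on the Local Host ID the remote side claims, which is an assertion rather than proof of identity. An authentication group with a pre-shared key or certificate, together with Enable Secure Tunnel, is what binds the tunnel to a specific peer.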
Traffic Summary: Provides traffic optimization information. The pie chart shows the
percentage of traffic for each supported application processed during the selected
Period. The table shows how much traffic has been reduced by WAN optimization by
comparing the amount of LAN and WAN traffic for each protocol.
Refresh icon Refresh the Traffic Summary.
Period Select a time period to show traffic summary for. You can select:
Last 10 Minutes
Last 1 Hour
Last 1 Day
Last 1 Week
Last 1 Month
Reduction Rate: Displays the optimization rate for each application, that is, the WAN
data as a percentage of the LAN data. For example, a rate of 80% means that 80% of the
data processed by that application crossed the WAN, so the data was reduced by 20%.
LAN The amount of data in Mbytes received from the LAN for each application.
WAN The amount of data in Mbytes sent across the WAN for each application.
The greater the difference between the LAN and WAN data the greater the
amount of data reduced by WAN optimization byte caching, web caching,
and protocol optimization.
Bandwidth Optimization: Shows network bandwidth optimization per time Period. A line or
column chart compares an application's pre-optimized size (LAN data) with its optimized
size (WAN data).
Refresh icon Select to refresh the Bandwidth Optimization display.
Period Select a time frame to show bandwidth optimization. You can select:
Last 10 Minutes
Last 1 Hour
Last 1 Day
Last 1 Week
Last 1 Month
Protocol Select All to display bandwidth optimization for all applications. Select an
individual protocol to display bandwidth optimization for that individual
protocol.
Chart Type Select to display bandwidth optimization with a line chart or a column chart.
Always revalidate Select to always to revalidates requested cached object with content on the
server before serving it to the client.
Max Cache Object Set the maximum object size to cache. The default size is 512000 kbytes
Size (512 Mbytes). This object size determines the maximum object size to store
in the web cache. All objects retrieved that are larger than the maximum size
are delivered to the client but are not stored in the web cache.
Negative Response Duration: Set how long, in minutes, to cache negative responses. The default is 0, meaning negative responses are not cached. The content server might send a client error code (4xx HTTP response) or a server error code (5xx HTTP response) in reply to some requests. If the web cache is configured to cache these negative responses, it returns that response to subsequent requests for that page or image for the specified number of minutes.
Fresh Factor: Set the fresh factor as a percentage. The default is 100, and the range is 1 to 100. For cached objects that don't have an expiry time, the web cache periodically checks the server to see if the object has expired. The higher the fresh factor, the less often the checks occur.
Max TTL: The maximum amount of time an object can stay in the web cache without checking whether it has expired on the server. The default is 7200 minutes (120 hours or 5 days).
Min TTL: The minimum amount of time an object can stay in the web cache before checking whether it has expired on the server. The default is 5 minutes.
Default TTL: The default expiry time for objects that do not have an expiry time set by the web server. The default expiry time is 1440 minutes (24 hours).
Explicit Proxy: Indicates whether the explicit proxy has been enabled for the FortiGate unit. See Web Proxy on page 147.
Enable Explicit Proxy: Select to enable using the WAN optimization web cache to cache for the explicit proxy.
Ignore If-modified-since: By default, if the time specified by the If-Modified-Since (IMS) header in the client's conditional request is later than the last modified time of the object in the cache, it is a strong indication that the copy in the cache is stale. If so, the FortiGate unit sends a conditional GET to the origin content server (OCS), based on the last modified time of the cached object. Enable Ignore If-modified-since to override this behavior.
HTTP 1.1 Conditionals: HTTP 1.1 gives the client additional controls over the behavior of caches concerning the staleness of the object. Depending on the Cache-Control headers, the FortiGate unit can be forced to consult the OCS before serving the object from the cache. For more information about the behavior of Cache-Control header values, see RFC 2616.
Pragma-no-cache: Typically, if a client sends an HTTP GET request with a Pragma: no-cache (PNC) or Cache-Control: no-cache header, a cache must consult the OCS before serving the content. This means that the FortiGate unit always re-fetches the entire object from the OCS, even if the cached copy of the object is fresh. Because of this, PNC requests can degrade performance and increase server-side bandwidth utilization. If Ignore Pragma-no-cache is enabled, the PNC header in the client request is ignored and the FortiGate unit treats the request as if the PNC header were not present at all.
IE Reload: Some versions of Internet Explorer send an Accept: */* header instead of a Pragma: no-cache header when you select Refresh. When an Accept header has only the */* value, the FortiGate unit treats it as a PNC header if the object is a type-N object. When Ignore IE Reload is enabled, the FortiGate unit ignores the PNC interpretation of the Accept: */* header.
Cache Expired Objects: Applies only to type-1 objects. When Cache Expired Objects is enabled, type-1 objects that are already expired at the time of acquisition are cached (if all other conditions make the object cacheable). When this setting is disabled, already expired type-1 objects are non-cacheable at the time of acquisition.
Revalidated Pragma-no-cache: The Pragma: no-cache (PNC) header in a client's request can reduce the bandwidth gain the FortiGate unit achieves. If you do not want to ignore PNC in client requests completely (which you can do with the Ignore Pragma-no-cache option), you can lower the impact of PNC by enabling the revalidate-pragma-no-cache setting. When it is enabled, a client's unconditional PNC GET request results in a conditional GET request to the OCS if the object is already in the cache. This gives the OCS a chance to return a 304 Not Modified response, consuming less server-side bandwidth, because it is not forced to return the full content when the content has not actually changed. By default, the revalidate PNC setting is disabled and is not affected by changes in the top-level profile. When the Substitute Get for PNC setting is enabled, the revalidate PNC setting has no effect.
Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, configure the revalidate pragma-no-cache option together with byte-range support.
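The freshness and Pragma-no-cache rules in the table above are easier to reason about as a decision procedure. The following Python model is an added example written for this guide; it is not FortiOS code, and the fresh-factor formula, the epoch-seconds form of If-Modified-Since and the HIT / CONDITIONAL_GET / FULL_FETCH outcome names are assumptions made for illustration. It uses the table's defaults (fresh factor 100, Min TTL 5 minutes, Max TTL 7200 minutes, Default TTL 1440 minutes, negative responses not cached) and shows how Ignore Pragma-no-cache, Revalidated Pragma-no-cache and Ignore If-modified-since change the outcome for the same request.

```python
"""Web-cache freshness and Pragma-no-cache decisions modelled on the settings above."""
from dataclasses import dataclass
from typing import Dict, Optional

MINUTE = 60  # the settings table is in minutes; this model works in seconds


@dataclass
class CacheSettings:
    """Defaults mirror the table: fresh factor 100%, min TTL 5 min, max TTL 7200 min,
    default TTL 1440 min, negative responses not cached, PNC and IMS honoured."""
    fresh_factor: int = 100                  # percent, 1..100
    min_ttl: int = 5 * MINUTE
    max_ttl: int = 7200 * MINUTE
    default_ttl: int = 1440 * MINUTE
    negative_response_duration: int = 0      # 0 = do not cache 4xx/5xx
    ignore_pnc: bool = False                 # Ignore Pragma-no-cache
    revalidate_pnc: bool = False             # Revalidated Pragma-no-cache
    ignore_ims: bool = False                 # Ignore If-modified-since


@dataclass
class CachedObject:
    fetched_at: float                        # when the cache acquired the object (epoch s)
    status: int = 200
    last_modified: Optional[float] = None    # Last-Modified from the OCS, if any
    explicit_expiry: Optional[float] = None  # Expires / max-age deadline, if the OCS sent one


def ttl_for(obj: CachedObject, s: CacheSettings) -> float:
    """Seconds the object may be served before the OCS is asked whether it expired."""
    if obj.status >= 400:
        # Negative responses get exactly the configured duration; 0 means "never cache".
        return s.negative_response_duration
    if obj.explicit_expiry is not None:
        ttl = obj.explicit_expiry - obj.fetched_at
    elif obj.last_modified is not None:
        # ASSUMPTION: the guide does not give the fresh-factor formula. This model scales
        # the object's age at fetch time (a Last-Modified heuristic): a higher factor
        # yields a longer TTL and therefore fewer checks, as the table describes.
        ttl = (obj.fetched_at - obj.last_modified) * s.fresh_factor / 100.0
    else:
        ttl = s.default_ttl
    # Min TTL and Max TTL bound every positive TTL.
    return min(max(ttl, s.min_ttl), s.max_ttl)


def _has_pnc(headers: Dict[str, str]) -> bool:
    """Pragma: no-cache or Cache-Control: no-cache on the client request."""
    return (headers.get("pragma", "").lower() == "no-cache"
            or "no-cache" in headers.get("cache-control", "").lower())


def action_for_request(headers: Dict[str, str], obj: Optional[CachedObject],
                       s: CacheSettings, now: float) -> str:
    """Return HIT (serve from cache), CONDITIONAL_GET (revalidate with the OCS, which may
    answer 304 Not Modified) or FULL_FETCH (re-fetch the whole object).

    headers: lower-cased request header names; if-modified-since is simplified to epoch
    seconds here rather than an HTTP-date (constructed input for the example)."""
    if obj is None:
        return "FULL_FETCH"
    if _has_pnc(headers) and not s.ignore_pnc:
        # Revalidate-PNC turns the client's unconditional PNC GET into a conditional GET.
        return "CONDITIONAL_GET" if s.revalidate_pnc else "FULL_FETCH"
    ims = headers.get("if-modified-since")
    if (ims is not None and not s.ignore_ims and obj.last_modified is not None
            and float(ims) > obj.last_modified):
        # Client's IMS is later than our copy's Last-Modified: our copy is probably stale.
        return "CONDITIONAL_GET"
    if now - obj.fetched_at <= ttl_for(obj, s):
        return "HIT"
    # Expired negative responses are simply re-fetched; others are revalidated.
    return "FULL_FETCH" if obj.status >= 400 else "CONDITIONAL_GET"
```

Note that the negative-response duration is deliberately not clamped by Min TTL: with the default of 0, clamping would silently cache 4xx/5xx responses for five minutes, which is the opposite of what the table promises.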
Endpoint control
Endpoint control enforces the use of the FortiClient End Point Security (Enterprise Edition)
application on your network. The compliance check ensures that the endpoint is running
the most recent version of the FortiClient application and, optionally, checks that the
FortiClient antivirus signatures are up-to-date on the endpoint. An endpoint is most often a
single PC with a single IP address being used to access network services through a
FortiGate unit.
You enable endpoint control in a firewall policy. When traffic attempts to pass through the
firewall policy, the FortiGate unit runs compliance checks on the originating host on the
source interface. Non-compliant endpoints are blocked. If web browsing, the endpoints
receive a message telling them that they are non-compliant, or they are redirected to a
web portal where they can download the FortiClient application installer.
You can monitor the endpoints that are subject to endpoint control, by viewing information
about the computer and its operating system. If you configure software detection, you can
also see the applications that are installed on endpoints.
This section describes:
Configuring endpoint control
Monitoring endpoints
Note: You cannot enable Endpoint Compliance Check in firewall policies if Redirect
HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options >
Authentication.
You can also modify the appearance of the FortiClient Download Portal. Go to System >
Config > Replacement Messages > Endpoint Control and edit the Endpoint Control
Download Portal. This is an HTML page. Be sure to retain the %%LINK%% tag which
provides the download URL for the FortiClient installer. For more information about
modifying replacement messages, see Endpoint control replacement message on
page 204.
FortiClient Installer Download Location: Select one of the following options to determine the link that the FortiClient Download Portal provides to non-compliant users to download the FortiClient installer.
FortiGuard Distribution Network: The FortiClient application is provided by the FortiGuard Distribution Network. The FortiGate unit must be able to access the FortiGuard Distribution Network. See Configuring FortiGuard Services on page 264. If the FortiGate unit contains a hard disk drive, the files from FortiGuard Services are cached to more efficiently serve downloads to multiple endpoints.
This FortiGate: Users download a FortiClient installer file from this FortiGate unit. This option is available only on FortiGate models that support upload of FortiClient installer files. Upload your FortiClient installer file using the execute restore forticlient CLI command. For more information, refer to the FortiGate CLI Reference.
Custom URL: Specify a URL from which users can download the FortiClient installer. You can use this option to provide custom installer files even if your FortiGate unit does not have storage space for them.
Minimum FortiClient Version Required: Select the minimum requirement for the FortiClient version that must be installed on the endpoints:
Latest Available: Endpoints must have the latest FortiClient version available from the download location installed.
FortiClient Enterprise Edition 4.0.0: Endpoints must have FortiClient Enterprise Edition 4.0.0 installed.
FortiClient Enterprise Edition 4.0.1: Endpoints must have FortiClient Enterprise Edition 4.0.1 installed.
Specify: Enter the FortiClient version that endpoints must have installed.
Fortinet recommends that administrators deploy a FortiClient version update to their users, or ask users to install the update, and then wait a reasonable period of time for the updates to be installed before raising the minimum version required to the most recent version.
Note: Select This FortiGate or Custom URL if you want to provide a customized FortiClient
application. This is required if a FortiManager unit will centrally manage FortiClient
applications. For information about customizing the FortiClient application, see the
FortiClient Administration Guide.
Create New: Add an application to detect. See Viewing and configuring the software detection list on page 643.
Name: A descriptive name for the application.
Pattern: A pattern to match the application name as it appears in the endpoint's Windows Registry. FortiClient matches the pattern against the endpoint's Windows Registry. If FortiClient finds a match, an entry is added to the Detected Software list for the endpoint. Go to Endpoint Control > Endpoints to view all detected endpoints and the Detected Software on each endpoint.
The pattern can consist of complete application names (for example, AppName) or partial names (for example, App). Patterns are not case sensitive. The Detected Software list shows the complete application name found in the registry by FortiClient.
Patterns can be wildcards or Perl regular expressions. For example, you can use regular expressions to distinguish between product names with the same base name, such as My App and My App Reader. To detect My App only, enter the pattern My App$. For more information about using wildcards and Perl regular expressions, see Using wildcards and Perl regular expressions on page 506.
Delete icon: Remove this item from the list.
Edit icon: Modify this item. See Viewing and configuring the software detection list on page 643.
Monitoring endpoints
To view the list of known endpoints, go to Endpoint Control > Endpoints. An endpoint is
added to the list when it uses a firewall policy that has Endpoint Compliance Check
enabled.
Once an endpoint is added to the list it remains there until you manually delete it or until
the FortiGate unit restarts. Every time an endpoint accesses network services through the
FortiGate unit (or attempts to access services) the entry for the endpoint is updated.
The endpoints list can provide an inventory of the endpoints on your network. Entries for
endpoints not running the FortiClient application include the IP address, last update time,
and traffic volume/attempts. The non-compliant status indicates the endpoint is not
running the FortiClient application.
Entries for endpoints running the FortiClient application show much more information,
depending on what is available for the FortiClient application to gather. Detailed
information you can view includes endpoint hardware (CPU and model name) and the
software running on the endpoints. You can adjust column settings and filters to display
this information in many different forms.
From the endpoints list, you can view information for each endpoint, temporarily exempt
endpoints from endpoint control, and restore exempted endpoints to their blocked state.
Figure 429: Endpoints list (showing one endpoint that does not have FortiClient software installed)
Filter icons: Edit the column filters to filter or sort the endpoints list according to the criteria you specify. For example, you could add a filter to the Detected Software column to display all endpoints running BitTorrent software. For more information, see Adding filters to web-based manager lists on page 53.
View icon: View details about a selected endpoint. Select this icon to display the information about the endpoint found by the FortiClient application.
Exempt Temporarily icon: Exempt the selected endpoint from endpoint control. This means an endpoint that is blocked and added to the endpoint list can temporarily access network services through the FortiGate unit. When you select this icon you can specify how long the endpoint is exempted from endpoint control. The default exempt duration is 600 seconds.
Restore to Blocked State icon: Re-enable blocking of a temporarily exempted endpoint.
Information columns: Select Column Settings to determine which of the following columns to display. All information that appears in the columns is reported by the FortiClient application running on the endpoint, unless otherwise noted.
AV signature: The version of the FortiClient antivirus signatures installed on the endpoint.
Computer Manufacturer: The name of the manufacturer of the endpoint.
Computer Model: The model name of the endpoint.
CPU Model: The CPU running on the endpoint.
Description: The description of the endpoint.
Detected Software: The software applications detected on this endpoint. See Viewing and configuring the software detection list on page 643. You can control the applications that appear in the Detected Software column by editing the Detected Software filter. See Adding filters to web-based manager lists on page 53.
FortiClient Version: The version of the FortiClient application running on the endpoint.
Host Name: The host name of the endpoint.
Installed FCT Features: The FortiClient features enabled on the endpoint.
IP Address: The IP address of the endpoint as found from the communication session. The FortiClient application is not required to obtain this information.
Last User: The last user to log in to the endpoint.
Last Update: The time that the status of the endpoint was last verified by the FortiGate unit. The FortiClient application is not required to obtain this information.
Memory Size: The amount of memory installed on the endpoint.
OS Version: The version of the operating system running on the endpoint.
System Uptime: The system up time of the endpoint.
Traffic Volume/Attempts: If the endpoint is compliant, this column displays the amount of data passed through the FortiGate unit by communication sessions originating from the endpoint. If the endpoint is non-compliant, this column displays the number of times the endpoint has attempted to connect through the FortiGate unit. The FortiClient application is not required to obtain this information.
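The compliance check, the software detection patterns and the temporary-exemption behaviour described in the Endpoint control and Monitoring endpoints sections above fit together as one small model. The following Python is an added example written for this guide, not FortiClient or FortiOS code; the field names (EndpointReport, EndpointControlPolicy), the numeric version comparison, the treatment of the optional antivirus-signature check as a version comparison, and the endpoint reports are assumptions and constructed data. Detection patterns are handled as Perl-style regular expressions (Python's re is close enough for the My App$ case); the plain-wildcard form is not modelled. The exemption logic uses the 600-second default from the Exempt Temporarily description.

```python
"""Endpoint compliance, temporary exemption and software detection, modelled on the
Endpoint control and Monitoring endpoints descriptions above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.0.1' -> (4, 0, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class EndpointReport:
    """What the FortiGate learns about one endpoint. Only ip comes from the session;
    everything else is reported by FortiClient (None when it is not running)."""
    ip: str
    forticlient_version: Optional[str] = None
    av_signature: Optional[str] = None
    installed_software: List[str] = field(default_factory=list)  # registry app names


@dataclass
class EndpointControlPolicy:
    minimum_version: str                     # '4.0.0', '4.0.1', a specified version, or 'latest'
    latest_available: str                    # version at the download location
    check_av_signatures: bool = False        # optional signature currency check
    current_av_signature: Optional[str] = None
    detection_patterns: Dict[str, str] = field(default_factory=dict)  # name -> regex
    exempt_duration: int = 600               # seconds, the default shown above


def required_version(policy: EndpointControlPolicy) -> str:
    return policy.latest_available if policy.minimum_version == "latest" else policy.minimum_version


def is_compliant(report: EndpointReport, policy: EndpointControlPolicy) -> bool:
    """Non-compliant when FortiClient is absent, too old, or (if checked) its AV
    signatures are older than the current ones."""
    if report.forticlient_version is None:
        return False
    if parse_version(report.forticlient_version) < parse_version(required_version(policy)):
        return False
    if policy.check_av_signatures:
        if report.av_signature is None or policy.current_av_signature is None:
            return False
        if parse_version(report.av_signature) < parse_version(policy.current_av_signature):
            return False
    return True


def detected_software(report: EndpointReport, policy: EndpointControlPolicy) -> Dict[str, List[str]]:
    """Case-insensitive regex search of each pattern against the registry names, as in
    the Detected Software column. 'My App$' matches 'My App' but not 'My App Reader'."""
    found: Dict[str, List[str]] = {}
    for name, pattern in policy.detection_patterns.items():
        rx = re.compile(pattern, re.IGNORECASE)
        hits = [app for app in report.installed_software if rx.search(app)]
        if hits:
            found[name] = hits
    return found


class EndpointList:
    """The Endpoint Control > Endpoints list: entries persist until deleted or restart,
    and each observed session updates them."""

    def __init__(self, policy: EndpointControlPolicy):
        self.policy = policy
        self.entries: Dict[str, dict] = {}

    def observe(self, report: EndpointReport, now: float, bytes_sent: int = 0) -> bool:
        """Apply the compliance check to one session; return True if traffic is allowed."""
        e = self.entries.setdefault(report.ip, {"exempt_until": 0.0, "attempts": 0, "volume": 0})
        compliant = is_compliant(report, self.policy)
        allowed = compliant or e["exempt_until"] > now
        if allowed:
            e["volume"] += bytes_sent            # Traffic Volume for allowed endpoints
        else:
            e["attempts"] += 1                   # Attempts for blocked endpoints
        e.update(status="compliant" if compliant else "non-compliant",
                 last_update=now, software=detected_software(report, self.policy))
        return allowed

    def exempt_temporarily(self, ip: str, now: float, duration: Optional[int] = None) -> None:
        d = self.policy.exempt_duration if duration is None else duration
        self.entries[ip]["exempt_until"] = now + d

    def restore_to_blocked(self, ip: str) -> None:
        self.entries[ip]["exempt_until"] = 0.0
```

Two points worth checking in a real deployment follow from the model: "Latest Available" makes the required version move whenever the download location is updated (which is why the guide recommends a grace period before raising the minimum), and an exemption only suppresses blocking; the entry's status stays non-compliant and is still visible in the list.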
Log&Report
FortiGate units provide extensive logging capabilities for traffic, system and network
protection functions. They also allow you to compile reports from the detailed log
information gathered. Reports provide historical and current analysis of network activity to
help identify security issues that will reduce and prevent network misuse and abuse.
This section provides information about how to enable logging, view log messages, and
configure reports. If you have VDOMs enabled, see Using virtual domains on page 103
for more information.
The following topics are included in this section:
FortiGate logging
FortiGuard Analysis and Management Service
Log severity levels
High Availability cluster logging
Storing logs
Log types
Accessing Logs
Viewing log information
Customizing the display of log messages
Content Archive
Alert Email
Reports
Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging
may not be available because certain features do not support logging, or are not available
in Transparent mode. For example, SSL VPN events are not available in Transparent
mode.
FortiGate logging
A FortiGate unit can log many different network activities and traffic including:
overall network traffic
system-related events including system restarts, HA and VPN activity
anti-virus infection and blocking
web filtering, URL and HTTP content blocking
signature and anomaly attack and prevention
spam filtering
Instant Messaging and Peer-to-Peer traffic
VoIP telephone calls.
When customizing the logging location, you can also set the minimum log severity level at
which the FortiGate unit logs these events. There are eight severity levels to choose from,
Emergency through Information plus Debug. For more information, see Log severity levels on page 649.
For better log storage and retrieval, the FortiGate unit can send log messages to a
FortiAnalyzer unit. FortiAnalyzer units provide integrated log collection, analysis tools
and data storage. Detailed log reports provide historical as well as current analysis of
network activity. Detailed log reports also help identify security issues, reducing network
misuse and abuse. The FortiGate unit can send all log message types, including
quarantine files and content archives, to a FortiAnalyzer unit for storage. The
FortiAnalyzer unit can upload log files to an FTP server for archival purposes. For more
information about configuring the FortiGate unit to send log messages to a FortiAnalyzer
unit, see Logging to a FortiAnalyzer unit on page 650.
If you have a subscription for the FortiGuard Analysis and Management Service, your
FortiGate unit can send logs to a FortiGuard Analysis server. This service provides
another way to store and view logs, as well as archiving email messages. For more
information, see FortiGuard Analysis and Management Service on page 648. Fortinet
recommends reviewing the FortiGuard Analysis and Management Service Administration
Guide to learn more about the logging, reporting, and remote management features from
the FortiGuard Analysis and Management Service portal web site.
The FortiGate unit can also send log messages to either a Syslog server or WebTrends
server for storage and archival purposes. If your FortiGate unit has a hard disk, you can
also send logs to it by using the CLI. For more information about configuring logging to the
hard disk, see the FortiGate CLI Reference.
In the FortiGate web-based manager, you can view log messages available in system
memory, on a FortiAnalyzer unit running firmware version 3.0 or higher, or, if available, the
hard disk. You can use customizable filters to easily locate specific information within the
log files.
For details and descriptions of log messages and formats, see the FortiGate Log Message
Reference.
Note: After upgrading your FortiGate firmware, you need to re-enter your account ID and
then update the service to re-connect to the servers that support logging and reporting. You
may need to update the service from the portal web site as well.
Table 55: Log severity levels
Level             Description
0 - Emergency     The system has become unstable.
1 - Alert         Immediate action is required.
2 - Critical      Functionality is affected.
3 - Error         An error condition exists and functionality could be affected.
4 - Warning       Functionality could be affected.
5 - Notification  Information about normal events.
6 - Information   General information about system operations.
The Debug severity level, not shown in Table 55, is rarely used. It is the lowest log
severity level and usually contains some firmware status information that is useful when
the FortiGate unit is not functioning properly. Debug log messages are generated only if
the log severity level is set to Debug. Debug log messages are generated by all types of
FortiGate features.
Storing logs
The type and frequency of log messages you intend to save determines the type of log
storage to use. For example, if you want to log traffic and content logs, you need to
configure the FortiGate unit to log to a FortiAnalyzer unit or Syslog server. The FortiGate
system memory is unable to log traffic and content logs because of their frequency and
large file size.
Storing log messages to one or more locations, such as a FortiAnalyzer unit or Syslog
server, may be a better solution for your logging requirements than the FortiGate system
memory. Configuring your FortiGate unit to log to a FortiGuard Analysis server may also
be a better log storage solution if you do not have a FortiAnalyzer unit and want to create
reports. This particular log storage solution is available to all FortiGate units running
FortiOS 3.0 MR6 or higher, through a subscription to the FortiGuard Analysis and
Management Service. For more information, see FortiGuard Analysis and Management
Service on page 648.
If your FortiGate unit has a hard disk, you can also enable logging to the hard disk from
the CLI. See the FortiGate CLI Reference for more information before enabling logging to
the hard disk.
If you require logging to multiple FortiAnalyzer units or Syslog servers, see the FortiGate
CLI Reference.
Note: Daylight Saving Time (DST) is now extended by four weeks in the United States and
Canada and may affect your location. It is recommended to verify if your location observes
this change, since it affects the scope of the report. Fortinet has released supporting
firmware. See the Fortinet Knowledge Center article, New Daylight Saving Time support,
for more information.
Note: You cannot configure a FortiAnalyzer unit to be a backup solution for the FortiGuard
Analysis server, and vice versa. If you require a backup solution for one of these logging
devices, using a Syslog server or WebTrends server is preferred.
The Automatic Discovery feature must be enabled on the FortiAnalyzer side to work
properly. The FortiAnalyzer unit requires 3.0 firmware (and higher) to use this feature.
Fortinet recommends contacting a FortiAnalyzer administrator to verify Automatic
Discovery is enabled on the FortiAnalyzer unit before using this feature.
Note: If your FortiGate unit is in Transparent mode, you must modify the interface in the
CLI before Automatic Discovery can carry traffic. Use the procedure in the Fortinet
Knowledge Center article, Fortinet Discovery Protocol in Transparent mode, to enable the
interface to also carry traffic when using the Automatic Discovery feature.
FortiAnalyzer (Hostname): The name of the FortiAnalyzer unit. The default name of a FortiAnalyzer unit is its product name, for example, FortiAnalyzer-400.
FortiGate (Device ID): The serial number of the FortiGate unit.
Registration Status: Whether or not the FortiGate unit is registered with the FortiAnalyzer unit. If the FortiGate unit is unregistered, it may not have full privileges. For more information, see the FortiAnalyzer Administration Guide.
Connection Status: The connection status between the FortiGate and FortiAnalyzer units. A green check mark indicates there is a connection and a gray X indicates there is no connection.
Disk Space (MB): The amount of disk space, in MB, on the FortiAnalyzer unit for logs.
    Allocated Space: The amount of space designated for logs, including quarantine files and content archives.
    Used Space: The amount of used space.
    Total Free Space: The amount of unused space.
Privileges: The permissions of the device for sending and viewing logs, reports, content archives, and quarantined logs. Tx indicates the FortiGate unit is allowed to transmit log packets to the FortiAnalyzer unit. Rx indicates the FortiGate unit is allowed to display reports and logs stored on the FortiAnalyzer unit. A check mark indicates the FortiGate unit has permission to send or view log information and reports. An X indicates the FortiGate unit is not allowed to send or view log information.
You can also test the connection status between the FortiGate unit and the FortiAnalyzer
unit by using the following CLI command:
execute log fortianalyzer test-connectivity
The command displays the connection status and the amount of disk usage in percent.
For more information, see the FortiGate CLI Reference.
Note: The test connectivity feature also provides a warning when a FortiGate unit requires
a higher-end FortiAnalyzer unit or when the maximum number of VDOMs/FortiGate units
has been reached on the FortiAnalyzer unit.
Logging to memory
The FortiGate system memory has a limited capacity for log messages. The FortiGate
system memory displays only the most recent log entries. It does not store traffic and
content logs in system memory due to their size and the frequency of log entries. When
the system memory is full, the FortiGate unit overwrites the oldest messages. All log
entries are cleared when the FortiGate unit restarts.
If your FortiGate unit has a hard disk, use the CLI to enable logging to it. You can also
upload logs stored on the hard disk to a FortiAnalyzer unit. For more information, see the
FortiGate CLI Reference.
Note: You can configure logging to an AMC disk and schedule when to upload logs to a
FortiAnalyzer unit.
The AMC disk is available on FortiGate models with a single-width AMC slot such as the
310B, 620B, 3600A, 3016B, 3810A and 5001A-SW.
Enable CSV Format: If you enable CSV format, the FortiGate unit produces the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.
Note: If more than one Syslog server is configured, the Syslog servers and their settings
appear on the Log Settings page. You can configure multiple Syslog servers in the CLI. For
more information, see the FortiGate CLI Reference.
Logging to WebTrends
WebTrends is a remote computer running a NetIQ WebTrends firewall reporting server.
FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are
compatible with NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1.
Use the CLI to configure the FortiGate unit to send log messages to WebTrends. After
logging into the CLI, enter the following commands:
config log webtrends setting
set server <address_ipv4>
set status {disable | enable}
end
Example
This example shows how to enable logging to a WebTrends server and to set an IP
address for the server.
config log webtrends setting
set status enable
set server 172.16.125.99
end
For more information about setting the options for the types of logs sent to WebTrends,
see the Log chapter in the FortiGate CLI Reference.
Log types
The FortiGate unit provides a wide range of features to log, enabling you to better monitor
activity that is occurring on your network. For example, you can enable logging of IM/P2P
features, to obtain detailed information on the activity occurring on your network where
IM/P2P programs are used.
Before enabling FortiGate features, you need to configure what type of logging device will
store the logs. For more information, see Storing logs on page 650.
This topic also provides details on each log type and explains how to enable logging of the
log type.
Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging
may not be available because they do not support logging, or are not available in
Transparent mode. For example, SSL VPN events are not available in Transparent mode.
Traffic log
The Traffic log records all the traffic to and through the FortiGate interfaces. You can
configure logging of traffic controlled by firewall policies and for traffic between any source
and destination addresses. You can also filter to customize the traffic logged:
Allowed traffic: The FortiGate unit logs all traffic that is allowed according to the firewall policy settings.
Violation traffic: The FortiGate unit logs all traffic that violates the firewall policy settings.
If you are logging other-traffic, the FortiGate unit will incur a higher system load because
other-traffic logs log individual traffic packets. Fortinet recommends logging firewall
policy traffic since it minimizes the load. Logging other-traffic is disabled by default.
Firewall policy traffic logging records the traffic that is both permitted and denied by the
firewall policy, based on the protection profile. Firewall policy traffic logging records
packets that match the policy.
Note: You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages. Traffic log messages generally have a severity level
no higher than Notification. If VDOMs are in Transparent mode, make sure that VDOM
allows access for enabling traffic logs.
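The severity table (Table 55) and the note above about traffic logs needing the Notification level both come down to one comparison: a logging location configured at level N receives only messages whose priority is N or more severe. The following Python is an added example written for this guide, not FortiOS or FortiAnalyzer code. The four log lines are constructed in FortiGate key=value style (log_id values, addresses and the attack name are made up), the to_welf rendering is a simplified illustration of the WELF layout used for WebTrends rather than the exact device output, and the spelling "notice" for the Notification level is how FortiGate log messages carry it in the pri field.

```python
"""Parse FortiGate-style key=value log lines and apply a minimum severity level, as a
logging location configured at that level would."""
import re
from typing import Dict, List, Optional

# Table 55 levels plus Debug (7). 'notice' is how FortiGate log messages spell Notification.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3, "warning": 4,
            "notification": 5, "notice": 5, "information": 6, "debug": 7}

_TIMESTAMP = re.compile(r"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ")
_KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines in FortiGate key=value style; not real device output.
SAMPLE_LOGS = [
    '2009-04-24 12:30:54 log_id=0021000002 type=traffic subtype=allowed pri=notice vd=root '
    'src=10.1.1.5 dst=198.51.100.7 service=HTTP status=accept',
    '2009-04-24 12:31:02 log_id=0100020001 type=event subtype=admin pri=information vd=root '
    'user="admin" msg="User admin logged in from 10.1.1.5"',
    '2009-04-24 12:31:10 log_id=0100030001 type=event subtype=ha pri=critical vd=root '
    'msg="HA member lost"',
    '2009-04-24 12:32:00 log_id=0420070000 type=ips subtype=signature pri=alert vd=root '
    'src=203.0.113.9 attack_name="Constructed.Test.Signature"',
]


def parse_log_line(line: str) -> Dict[str, str]:
    """Split one log line into fields; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    m = _TIMESTAMP.match(line)
    if m:
        fields["date"], fields["time"] = m.group(1), m.group(2)
        line = line[m.end():]
    for key, value in _KEY_VALUE.findall(line):
        fields[key] = value.strip('"')
    return fields


def passes_threshold(fields: Dict[str, str], minimum_level: str) -> bool:
    """A location set to Warning keeps levels 0..4 and drops Notification and Information,
    which is why traffic logs (pri=notice) need the location set to Notification."""
    return SEVERITY[fields["pri"].lower()] <= SEVERITY[minimum_level.lower()]


def filter_logs(lines: List[str], minimum_level: str,
                log_type: Optional[str] = None) -> List[Dict[str, str]]:
    """Return the parsed messages a location at minimum_level would receive."""
    kept = []
    for line in lines:
        fields = parse_log_line(line)
        if log_type is not None and fields.get("type") != log_type:
            continue
        if passes_threshold(fields, minimum_level):
            kept.append(fields)
    return kept


def to_welf(fields: Dict[str, str], firewall_name: str = "FortiGate") -> str:
    """Minimal WELF-style rendering (id, time, fw, pri header, then the other fields).
    ASSUMPTION: a simplified illustration of the layout, not the exact FortiGate output."""
    head = 'id=firewall time="{} {}" fw={} pri={}'.format(
        fields.get("date", ""), fields.get("time", ""), firewall_name,
        SEVERITY[fields["pri"].lower()])
    rest = " ".join('{}="{}"'.format(k, v) if " " in v else "{}={}".format(k, v)
                    for k, v in fields.items() if k not in ("date", "time", "pri"))
    return head + " " + rest
```

Run against the sample lines, a location set to Warning keeps only the HA and IPS messages and silently drops the accepted-traffic record; the same location set to Notification keeps it. When a FortiAnalyzer or Syslog destination appears to receive no traffic logs, this threshold is the first thing to verify.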
6 Enter the following CLI commands to add a DoS policy (called an interface policy in the
CLI) that includes the IPS Sensor.
config firewall interface-policy
edit 1
set interface <interface_name>
set srcaddr all
set dstaddr all
set service ANY
set ips-sensor-status enable
set ips-sensor <sensor_name>
end
Where <sensor_name> is the name of the IPS sensor added above.
Event log
The Event Log records management and activity events, such as when a configuration
has changed, or VPN and High Availability (HA) events occur.
When you are logged into VDOMs that are in Transparent mode, or if all VDOMs are in
Transparent mode, certain options may not be available such as VIP ssl event or CPU and
memory usage event. You can enable event logs only when you are logged in to a VDOM;
you cannot enable event logs in the root VDOM.
System Activity event: All system-related events, such as ping server failure and gateway status.
IPSec negotiation event: All IPSec negotiation events, such as progress and error reports.
DHCP service event: All DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event: All protocol-related events, such as manager and socket creation processes.
Admin event: All administrative events, such as user logins, resets, and configuration updates.
HA activity event: All high availability events, such as link, member, and state information.
Firewall authentication event: All firewall-related events, such as user authentication.
Pattern update event: All pattern update events, such as antivirus and IPS pattern updates and update failures.
SSL VPN user authentication event: All user authentication events for an SSL VPN connection, such as logging in, logging out and timeout due to inactivity.
SSL VPN administration event: All administration events related to SSL VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event: All session activity such as application launches and blocks, timeouts, and verifications.
VIP ssl event: All server load balancing events happening during an SSL session, especially details about handshaking.
VIP server health monitor event: All VIP server health monitor events that occur when the VIP health monitor is configured, such as an interface failure.
CPU & memory usage (every 5 min): All real-time CPU and memory events, at 5-minute intervals.
4 Select Apply.
Antivirus log
The Antivirus log records virus incidents in Web, FTP, and email traffic. For example,
when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized
file or email that is logged, it records an antivirus log. You can also apply filters to
customize what the FortiGate unit logs, which are:
You can view attack log messages from either the Memory or Remote tab.
Note: Make sure attack signature and attack anomaly DoS sensor settings are enabled to
log the attack. The logging options for the signatures included with the FortiGate unit are
set by default. Ensure any custom signatures also have the logging option enabled. For
more information, see Intrusion Protection on page 455.
Accessing Logs
You can use the Log Access feature in the FortiGate web-based manager to view logs
stored in memory, on a hard disk, or stored on a FortiAnalyzer unit running FortiAnalyzer
3.0, or on the FortiGuard Analysis server.
Log Access provides tabs for viewing logs according to these locations. Each tab provides
options for viewing log messages, such as search and filtering options, and choice of log
type. The Remote tab displays logs stored on either the FortiGuard Analysis server or
FortiAnalyzer unit, whichever one is configured for logging.
For the FortiGate unit to access logs on a FortiAnalyzer unit, the FortiAnalyzer unit must
run firmware version 3.0 or higher.
Figure 433: Viewing log files stored on the FortiGate hard disk
Log Type: Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored in memory due to the volume of information logged.
File name: The names of the log files of the displayed Log Type stored on the FortiGate hard disk. When a log file reaches its maximum size, the FortiGate unit saves the log file with an incremental number and starts a new log file with the same name. For example, if the current attack log is alog.log, any subsequent saved logs appear as alog.n, where n is the number of rolled logs.
Size (bytes): The size of the log file in bytes.
Last access time: The time a log message was last recorded on the FortiGate unit. The time is in the format name of day, month, date, hh:mm:ss, yyyy, for example Fri Feb 16 12:30:54 2007.
Clear log icon: Clear the current log file. Clearing deletes only the current log messages of that log file. The log file is not deleted.
Download icon: Download the log file or rolled log file. Select either Download file in Normal format or Download file in CSV format. Select Return to return to the Disk tab page. Downloading the current log file includes only current log messages.
View icon: View a log file's log messages.
Delete icon: Delete rolled logs. Fortinet recommends downloading a rolled log file before deleting it, because a rolled log file cannot be retrieved after it is deleted.
Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs
from the FortiGate unit.
Log Type: Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored in memory due to the volume of information logged.
Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To move between pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see Using page controls on web-based manager lists on page 57.
Column Settings: Select to add or remove columns. This changes what log information appears in Log Access. For more information, see Column settings on page 666.
Raw or Formatted: By default, log messages are displayed in Formatted mode. Select Raw to view log messages in Raw mode, without columns. When in Raw mode, select Formatted to switch back to viewing log messages organized in columns. When log messages are displayed in Formatted view, you can customize the columns or filter log messages.
Clear All Filters: Clear all filter settings. For more information, see Filtering log messages on page 667.
Filtering is also another way to customize the display of log messages. By using the filter
icon, you can display specific information of log messages. For example, you may want to
display only event log messages that have a severity level of alert.
Note: For more information about filtering log messages, see Adding filters to web-based
manager lists on page 53.
Column settings
By using Column Settings, you can customize the view of log messages in Formatted
view. By adding columns, changing their order, or removing them, you can view only the
log information you want.
The Column Settings feature is available only in Formatted view.
-> Select the right arrow to move selected fields from the Available fields list to the Show these fields in this order list.
<- Select the left arrow to move selected fields from the Show these fields in this order list to the Available fields list.
Move up Move the selected field up one position in the Show these fields in this order list.
Move down Move the selected field down one position in the Show these fields in this order list.
Select OK.
Note: The Detailed Information column provides the entire raw log entry and is needed only
if the log contains information not available in any of the other columns. The VDOM column
displays which VDOM the log was recorded in.
You can view the device ID and device name when customizing columns. The device ID
provides the identification name of the device. The device name is the host name that you
configured for the FortiGate unit, for example Headquarters.
Filter icon (enabled) / Filter icon (disabled)
Content Archive
The Content Archive menu allows users to view historical logs that have been archived to
a FortiAnalyzer unit or FortiGuard Analysis server. A FortiGuard Analysis server becomes
available when you subscribe to the FortiGuard Analysis and Management Service. For
more information, see FortiGuard Analysis and Management Service on page 648.
You can configure full content archiving and summary content archiving. Full content
archiving includes all content, for example, content archiving email includes complete
email messages and attachments. Summary content archiving includes just the meta data
about the content, for example, email message summary records include only the email
header.
You can content archive Email, Web, FTP, IM, and VoIP content. Email content includes
IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged
as spam by FortiGate spam filtering. Web content includes HTTP sessions. IM content
includes AIM, ICQ, MSN, and Yahoo! sessions. VoIP content includes SIP, SIMPLE and
SCCP sessions. Only summary content archiving is available for SIP and SCCP. Full and
summary content archiving is available for SIMPLE.
If your FortiGate unit supports SSL content scanning and inspection, Web content can also include HTTPS sessions, and Email content can also include IMAPS, POP3S, and SMTPS sessions. For more information about SSL content scanning and inspection, see SSL content scanning and inspection on page 399.
You use data leak prevention (DLP) sensors to content archive Email, Web, FTP, and IM
content. VoIP content archiving is configured using application control CLI commands.
Content archiving of spam email messages is configured in protection profiles.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some
content, DLP will not create more than one content archive entry from the same content.
In most cases you would probably not want to content archive email identified as spam, so you can leave these options disabled. However, if you want to content archive email identified as spam, you can use the following procedure to enable content archiving of email identified as spam.
Note: Infected files are clearly indicated in the Content Archive message list so that you
know which content archives are infected and which are not.
Alert Email
You can use the Alert Email feature to monitor logs for log messages, and to send email
notification about a specific activity or event logged. For example, if you require
notification about administrators logging in and out, you can configure an alert email that is
sent whenever an administrator logs in and out.
You can also base alert email messages on the severity levels of the logs.
Violation traffic Select if you require an alert email message based on violation traffic detected by the FortiGate unit.
Firewall authentication failure Select if you require an alert email message based on firewall authentication failures.
SSL VPN login failure Select if you require an alert email message based on any SSL VPN logins that failed.
Administrator login/logout Select if you require an alert email message based on whether administrators log in or out.
IPSec tunnel errors Select if you require an alert email message based on whether there is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors Select if you require an alert email message based on errors that occurred in L2TP, PPTP, or PPPoE.
Configuration changes Select if you require an alert email message based on any changes made to the FortiGate configuration.
FortiGuard license expiry time (1-100 days) Enter the number of days before the FortiGuard license expiry time that the notification is sent.
FortiGuard log quota usage Select if you require an alert email message based on the FortiGuard Analysis server log disk quota getting full.
Send alert email for logs based on severity Select if you want to send an alert email that is based on a specified log severity, such as warning.
Minimum log level Select a log severity from the list. For more information about log severity levels, see Log severity levels on page 649.
Note: The default minimum log severity level is Alert. If the FortiGate unit collects more
than one log message before an interval is reached, the FortiGate unit combines the
messages and sends out one alert email.
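The following Python script is an added example, not code from the FortiGate guide or from Fortinet. It models two behaviours described above: the Log Access view (raw key=value log lines, a Formatted view with selectable columns in a chosen order, and filtering by log type and by severity, such as showing only event log messages at severity alert or above) and the Alert Email rule that only messages at or above the minimum log level are sent, with all messages collected within one interval combined into a single email. The field names (date, time, devname, device_id, vd, type, subtype, pri, msg), the severity list, and the sample log lines are assumptions and constructed data for this example; the device_id value is a placeholder, not a real serial number.

```python
"""Added example, not from the FortiGate guide: a small model of Log Access
filtering/column display and of Alert Email batching by minimum log level.
Field names follow the FortiOS key=value style but are assumptions here,
and SAMPLE_LOGS is constructed for the example."""
import re
from datetime import datetime

# Syslog-style severity order: lower number = more severe. Both the raw-log
# spelling (notice) and the web-based manager spelling (notification) are
# accepted. The exact set is an assumption (see Log severity levels in the guide).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "notification": 5,
            "information": 6, "debug": 7}

# key=value tokens; values containing spaces are double-quoted
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log lines (device_id is a placeholder, not a real serial)
SAMPLE_LOGS = [
    'date=2007-02-16 time=12:30:54 devname=Headquarters device_id=FG-EXAMPLE '
    'vd=root type=event subtype=admin pri=information '
    'msg="User admin login successful from GUI"',
    'date=2007-02-16 time=12:31:10 devname=Headquarters device_id=FG-EXAMPLE '
    'vd=root type=event subtype=admin pri=alert '
    'msg="Administrator login failed"',
    'date=2007-02-16 time=12:31:40 devname=Headquarters device_id=FG-EXAMPLE '
    'vd=root type=event subtype=config pri=alert '
    'msg="Configuration changed by admin"',
    'date=2007-02-16 time=12:40:00 devname=Headquarters device_id=FG-EXAMPLE '
    'vd=vdom1 type=traffic subtype=allowed pri=notice msg="Traffic allowed"',
    'date=2007-02-16 time=12:45:02 devname=Headquarters device_id=FG-EXAMPLE '
    'vd=root type=event subtype=ipsec pri=error '
    'msg="IPsec phase 1 negotiation failed"',
]


def parse_raw(line):
    """Split one raw log line into a dict. The untouched line is kept under
    'raw', the way the Detailed Information column keeps the whole entry."""
    fields = {}
    for m in _TOKEN.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    fields["raw"] = line.strip()
    return fields


def at_least(level, min_level):
    """True when `level` is at least as severe as `min_level`."""
    return SEVERITY[level.lower()] <= SEVERITY[min_level.lower()]


def timestamp(entry):
    """Combine the date and time fields into a datetime for ordering."""
    return datetime.strptime(entry["date"] + " " + entry["time"],
                             "%Y-%m-%d %H:%M:%S")


def filter_logs(entries, log_type=None, min_level=None, **exact):
    """Log Access style filters: log type, minimum severity (pri field), and
    exact matches on any other column, for example vd="root"."""
    kept = []
    for e in entries:
        if log_type is not None and e.get("type") != log_type:
            continue
        if min_level is not None and not at_least(e.get("pri", "debug"), min_level):
            continue
        if any(e.get(k) != v for k, v in exact.items()):
            continue
        kept.append(e)
    return kept


def format_columns(entries, columns):
    """Formatted view: one row per entry, only the chosen columns, in the
    order given (the Show these fields in this order list)."""
    return [[e.get(c, "") for c in columns] for e in entries]


def batch_alerts(entries, min_level="alert", interval=60):
    """Alert Email behaviour: drop messages below min_level, then combine all
    qualifying messages that arrive within `interval` seconds of the first
    message of a batch into one email. Returns one list of msg strings per
    email that would be sent."""
    qualifying = sorted((e for e in entries
                         if at_least(e.get("pri", "debug"), min_level)),
                        key=timestamp)
    emails, batch_start = [], None
    for e in qualifying:
        ts = timestamp(e)
        if batch_start is None or (ts - batch_start).total_seconds() > interval:
            emails.append([])        # interval elapsed: start a new email
            batch_start = ts
        emails[-1].append(e["msg"])
    return emails


if __name__ == "__main__":
    entries = [parse_raw(line) for line in SAMPLE_LOGS]
    alerts = filter_logs(entries, log_type="event", min_level="alert")
    for row in format_columns(alerts, ["date", "time", "vd", "subtype", "msg"]):
        print(" | ".join(row))
    for email in batch_alerts(entries, min_level="alert", interval=60):
        print("alert email with %d message(s): %s" % (len(email), email))
```

With the constructed sample, the event filter at minimum level alert keeps the failed administrator login and the configuration change but not the information-level login or the error-level IPsec message; the two alert messages fall inside one 60-second interval and so would go out as one email, while lowering the minimum level to error adds the IPsec failure as a second, later email.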
Reports
You can use the Log&Report menu to configure FortiAnalyzer report schedules and to
view generated FortiAnalyzer reports. You can also configure basic traffic reports, which
use the log information stored in your FortiGate system memory to present basic traffic
information in a graphical format.
Figure 439: Viewing the basic traffic report from a FortiGate-60 unit
Time Period Select a time range to view for the graphical analysis. You can choose from
one day, three days, one week or one month. The default is one day. When
you refresh your browser or go to a different menu, the settings revert to
default.
Services By default all services are selected. When you refresh your browser or go to
a different menu, all services revert to default settings. Clear the check
boxes beside the services you do not want to include in the graphical
analysis.
Browsing
DNS
Email
FTP
Gaming
Instant Messaging
Newsgroups
P2P
Streaming
TFTP
VoIP
Generic TCP
Generic UDP
Generic ICMP
Generic IP
Bandwidth Per Service This bar graph is based on what services you select, and is updated when you select Apply. The graph is based on date and time, which is the current date and time.
Top Protocols Ordered by Total Volume This bar graph displays the traffic volume for various protocols, in decreasing order of volume. The bar graph does not update when you select different Services and then select Apply.
The report is not updated in real-time. You can refresh the report by selecting the Memory
tab.
Note: The data used to present the graphs is stored in the FortiGate system memory.
When the FortiGate unit is reset or rebooted, the data is erased.
Note: If you require a more specific and detailed report, you can configure a simple report
from the FortiAnalyzer web-based manager or CLI. The FortiAnalyzer unit can generate
over 140 different reports providing you with more options than the FortiGate unit provides.
If you need to configure a FortiAnalyzer report schedule, see FortiAnalyzer report
schedules on page 674.
For information about how to configure a report layout, see the FortiAnalyzer
Administration Guide.
The following procedure describes how to clone a report schedule. When you clone a
report schedule, a duplicate of the original is used as a basis for a new one.
To view the list of report schedules, go to Log&Report > Report Config.
To configure a report schedule, go to Log&Report > Report Config, select Create New,
enter the appropriate information and then select OK.
Delete
Edit
Clone
Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a
FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.
Report Files The name of the generated report. Select the name to view the report. You can also select the Expand Arrow and then select a rolled report to view it.
Date The date the report was generated on.
Size(bytes) The size of the report in bytes.
Other Formats Displays the formats PDF, RTF, or MHT, or all of them, if these formats were chosen in the report schedule.
Index
Symbols
, 461
Numerics
802.3ad aggregate interface
  creating, 127
A
accept action
  firewall policy, 638
access profile, See admin profile, 224
accessing logs stored in hard disk, 662
action
  firewall policy, 322
  spam filter banned word, 500
  spam filter IP address, 502
action type
  spam filter email address, 505
active sessions
  HA statistics, 183
ActiveX filter
  protection profile, 413
add signature to outgoing email
  protection profile, 409
adding, configuring or defining
  admin profile, 225
  administrative access to interface, 135
  administrator account, 212
  administrator password, 212
  administrator settings, 228
  alert email, 672
  antispam advanced options, 505
  antispam email address list, 504, 505
  antispam IP address, 503
  antispam IP address list, 501
  antivirus file filter list, 444, 446
  antivirus file patterns, 446
  antivirus file quarantine, 446
  antivirus log, 660
  antivirus quarantine options, 449
  antivirus scanning options, 407
  application control options, 420
  attack log (IPS), 661
  authentication settings, 590
  authentication, firewall policy, 327
  automatic discovery, 651
  autosubmit list, 449
  banned word list, 499, 500
  basic traffic report, graphical view, 674
  BFD, 307
  BFD on BGP, 308
  BFD on OSPF, 308
  BGP settings, 303
  CA certificates, 249
  Certificate Revocation List (CRL), 251
  cipher suite, 553
  combined IP pool and virtual IP, 384
  content archive, 668
  custom firewall service, 357
  custom service, firewall, 357
  custom signatures, 459
  customized CLI console, 64
  DHCP interface settings, 130
  DHCP relay agent, 173
  DHCP server, 173
  Directory Service server, 579, 581
  Directory Service user groups, 585
  DoS sensors, 470
  Dynamic DNS on an interface, 132
  dynamic virtual IP, 378
  event logs, 659
  fail-open, IPS, 472
  firewall address, 347
  firewall address group, 348
  firewall policy, 322, 323, 425
  firewall policy traffic logging, 657
  firewall policy, adding to VLAN subinterface, 156
  firewall policy, modem connections, 144
  firewall protection profile, 404
  firewall schedule, 361
  firewall service group, 359
  firewall user groups, 584
  firewall virtual IP, 365
  firmware upgrade, 259
  firmware version, 79
  FortiAnalyzer report schedules, 674
  FortiGuard override options for a user group, 589
  FortiGuard Web Filtering options, 413
  FortiWiFi-50B settings, 162, 163
  FortiWiFi-60B settings, 162, 163
  gateway for default route, 283
  grayware list, 452
  HA, 177
  HA device priority, 183
  HA subordinate unit host name, 183
  health check monitor, 393
  IM/P2P/VoIP applications, older versions, 570
  interface settings, 123
  inter-VDOM links, 113
  IP pool, 383
  IPS log (attack), 661
  IPS options, 411
  IPS sensor filters, 464
  IPS sensors, 461
  IPSec encryption policy, 330
  IPSec VPN concentrator, 545
  IPSec VPN phase 1, 534
  IPSec VPN phase 1 advanced options, 536
  IPSec VPN phase 2, 538
  IPSec VPN phase 2 advanced options, 539
  IPv6 support, 230
  LDAP authentication, 216
  LDAP server, 575
  license key, 276
  local ratings, 492
  local URL block categories, 491
  local user account, 568
  log message display, 665
  logging options, 421
  logging to a FortiAnalyzer unit, 650
  logging to a FortiGuard Analysis server, 653
  logging to a Syslog server, 654
  logging to memory, 654
  logging to WebTrends, 655
  MAC filter list, 166
  modem connections, firewall policy, 144
  modem interface, 139
  MTU size, 136
  multicast settings, 305
  NAT virtual IP, 372
  OCSP certificates, 249
  one-time schedule, 363
  OSPF areas, 299
  OSPF AS, 295
  OSPF basic settings, 296
  OSPF interface, operating parameters, 301
  OSPF networks, 300
  OSPF settings, advanced, 298
  override server, 272
  password, 214
  password, administrator, 212
  peer users and peer groups, 582
  ping server, 146
  PKI authentication, 220
  policy, 323, 327
  policy route, 286
  PPPoE or PPPoA interface settings, 131
  PPTP range, 547, 549
  PPTP VPN, 547, 549
  protection profile, 398
  push updates, 274
  RADIUS authentication, 214
  RADIUS server, 572
  recurring schedule, 362
  redundant interface, 128
  redundant mode, 142
  remote authentication, 214
  RIP settings, advanced, 292
  RIP settings, basic, 290
  RIP-enabled interface, 293
  scripts, 263
  secondary IP address, 136
  SIP advanced features, 434
  SNMP community, 186
  socket-size, IPS, 473
  spam filter log, 661
  spam filtering options, 416
  SSL VPN options, firewall policy, 331
  SSL VPN settings, 552
  SSL VPN user groups, 585
  standalone mode, 143
  static NAT port forwarding, IP address and port range, 377
  static NAT port forwarding, single address and port, 375
  static NAT virtual IP, IP address range, 373
  static route (transparent mode), 149
  static route, adding to routing table, 284
  subnet object, 89
  system administrators, 209
  system certificates, 247
  system configuration backup and restore, 254
  system configuration backup and restore, FortiManager, 256
  system configuration, central management options, 258
  system status widgets, 64
  system time, 78
  TACACS+ authentication, 218
  TACACS+ server, 578
  topology diagram, 89, 90
  updates for FDN and FortiGuard services, 266
  URL filter list, 484, 485
  URL overrides, 489
  user authentication settings, 590
  user group, 586
  user groups, 583
  VDOM configuration settings, 105, 111
  VDOM configuration settings, advanced, 109
  VDOM configuration settings, global, 107
  VDOM interface, 113
  VDOM, new, 110
  VIP group, 380
  virtual IP, 370
  virtual IP group, 380
  virtual IP, port translation only, 379
  virtual IPSec interface, 133
  VLAN subinterface, 153
  VPN firewall policy-based internet browsing, 544
  VPN route-based internet browsing, 544
  web content block list, 479, 480
  web content exempt list, 482, 483
  web filtering options, 411
  wireless interface, 163
  zone, 138
address
  firewall address group, 348
  list, 346
address group, 348
  adding, 348
  creating new, 348
  list, 348
Address Name
  firewall address, 347
admin
  administrator account, 45
admin profile
  administrator account, 222
  CLI commands list, 223
  configuring, 225
  viewing list, 224
administrative access
  changing, 46
  interface settings, 126, 134, 137
  monitoring logins, 229
administrative distance, 278
administrative interface. See web-based manager
administrator
  assigning to VDOM, 115
administrator account
  admin, 45
  admin profile, 222
  configuring, 212
  netmask, 213
administrator login
  disclaimer, 200
T
TACACS+
  configuring server, 578
  user authentication, 568
TACACS+ server
  authentication, 214, 218
tag format
  protection profile, 419
tag location
  protection profile, 419
TALK
  service, 356
TCP, 393
  service, 356
TCP custom service, 357, 358
  adding, 357
  destination port, 358
  protocol type, 357
  source port, 357
technical support, 25, 109
TELNET
  service, 356
TFTP
  service, 356
threshold
  oversize, 409
time
  configuring, 78
timeout
  settings, 229
timeout values
  specifying for SSL VPN, 553
TIMESTAMP
  service, 356
toolbar
  grayware category, 453
top attacks
  viewing, 77
top sessions
  viewing, 74
top viruses
  viewing, 76
topology viewer, 87
total bytes
  HA statistics, 183
total packets
  HA statistics, 183
tracking
  SIP, 434
traffic history
  viewing, 77
Traffic Priority, 606, 635
traffic priority
  firewall policy, 606, 635
  traffic shaping, 606, 635
traffic reports
  viewing, 673
traffic shaping
  configuring, 425
  firewall policy, 326, 329, 335
  guaranteed bandwidth, 326, 425
  guaranteed bandwidth and maximum bandwidth, 423
  maximum bandwidth, 326, 426, 606, 635
  priority, 424
  traffic priority, 606, 635
  WAN optimization, 604
transparent mode
  IP pools, 386
  NAT, 386
  VDOMs, 104
  VIP, 386
  virtual IP, 386
  VLAN, 154
  WAN optimization, 604, 609
traps
  SNMP, 189
troubleshooting
  FDN connectivity, 271
trusted host
  administrators options, 213
  security issues, 221
TTL
  quarantine files list, 448
tunnel
  WAN optimization, 602
tunnel IP range
  SSL VPN, 552
tunnel mode
  SSL VPN, SSL VPN tunnel mode, 551
Tunnel Name
  IPSec VPN, manual key, 542
Tx Power
  wireless setting, 163
type, 358
  virtual IP, 370
U
UDP custom service, 357, 358
  adding, 357
  destination port, 358
  protocol type, 357
  source port, 357
UDP service, 356
unfiltered
  default protection profile, 398
unit
  HA statistics, 183
unit operation
  viewing, 68
up time
  HA statistics, 183
update
  push, 273
upgrading
  3.0 using web-based manager, 95
  4.0 using the CLI, 96
  backing up using the CLI, 3.0, 92
  firmware, 80
  FortiGate unit to 3.0, 95
  using the web-based manager, 95
  using web-based manager, 3.0, 92
upload status
  quarantine files list, 448
URL block
  adding a URL to the web filter block list, 485
  configuring overrides, 489
  local categories, 491
  web filter, 483
URL filter
  adding new list, 484
  catalog, 484
  sorting in list, 487
  viewing list, 485
URL formats, 486
USB disk, 254
  auto-install, 260
  backup and restore configuration, 253
  formatting, 261
  system maintenance, 261
user authentication
  overview, 567
  PKI, 581
  remote, 571
user group
  configuring, 586
  PPTP source IP address, 547, 549
user groups
  configuring, 583
  Directory Service, 585
  firewall, 584
  SSL VPN, 585
  viewing, 586
usrgrp
  vpn pptp, 550
UUCP
  service, 356
V
valid license, 267
VDOLIVE
  service, 356
VDOM
  adding interface, 113
  assigning administrator, 115
  assigning interface, 114
  configuration settings, 105
  enabling multiple VDOMs, 108
  FortiAnalyzer, 104
  inter-VDOM links, 113
  license key, 276
  limited resources, 110
  management VDOM, 112
  maximum number, 110
  NAT/Route, 104
  packets, 104
  RADIUS authentication, 116
  system maintenance, 254
  transparent mode, 104
VDOM partitioning
  HA, 180
verifying
  downgrade to 2.80 MR11, 99
  upgrade to 4.0, 97
viewing
  address group list, 348
  admin profiles list, 224
  administrators, 229
  administrators list, 211
  Alert Message Console, 70
  antispam email address list catalog, 503
  antispam IP address list, 502
  antispam IP address list catalog, 501
  antivirus file filter list, 445
  antivirus file pattern list catalog, 444
  antivirus list, 451
  antivirus quarantined files list, 447
  autosubmit list, 448
  banned word list, 499
  banned word list catalog, 498
  BGP settings, 303
  CA certificates, 249
  certificates, 244
  cluster members list, 180
  content archive, 84
  content archives, 670
  CRL (Certificate Revocation List), 251
  custom service list, firewall service, 356
  custom signatures, 459
  DHCP address leases, 175
  DoS sensor list, 470
  firewall policy list, 321
  firewall service group list, 359
  firewall service list, 351
  firmware, 259
  FortiAnalyzer reports, 677
  FortiGuard support contract, 266
  grayware list, 452
  HA statistics, 182
  hostname, 78
  IP pool list, 383
  IPS sensor list, 461
  IPS sensor options, 411
  IPSec VPN auto key list, 533
  IPSec VPN concentrator list, 544
  IPSec VPN manual key list, 541
W
WAIS
  service, 356