FortiGate ™

Version 4.0 MR2
Administration Guide

This document will be updated in June 2010 to include additional information for FortiOS 4.0 MR2. For more information, contact techdoc@fortinet.com.

FortiGate Administration Guide
Version 4.0 MR2
07 May 2010
01-420-89802-20100507

© Copyright 2010 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction .......... 15
  Fortinet products .......... 15
  Before you begin .......... 16
  How this guide is organized .......... 16
  Document conventions .......... 18
    IP addresses .......... 18
    Cautions, Notes and Tips .......... 18
    Typographical conventions .......... 18
    CLI command syntax .......... 19

  Registering your Fortinet product .......... 21
  Fortinet products End User License Agreement .......... 21
  Customer service and technical support .......... 21
  Training .......... 21
  Fortinet documentation .......... 21
    Tools and Documentation CD .......... 21
    Fortinet Knowledge Base .......... 22
    Comments on Fortinet technical documentation .......... 22

Web-based manager .............................................................................. 23
  Web-based manager pages .......... 23
    Main menus in the web-based manager .......... 25
    Using web-based manager lists .......... 25
    Adding filters to web-based manager lists .......... 26
    Using page controls on web-based manager lists .......... 27
    Using column settings to control the columns displayed .......... 28
    Using filters with column settings .......... 29
  Common web-based manager tasks .......... 30
    Connecting to the web-based manager .......... 30
    Modifying current settings .......... 31
    Changing your FortiGate administrator password .......... 31
    Changing the web-based manager language .......... 32
    Changing administrative access to your FortiGate unit .......... 32
    Changing the web-based manager idle timeout .......... 33
    Switching VDOMs .......... 33
    Connecting to the FortiGate CLI from the web-based manager .......... 33
    Contacting Customer Support .......... 33
    Logging out .......... 34
  Using FortiGate Online Help .......... 34
    Searching the online help .......... 36

FortiGate Version 4.0 MR2 Administration Guide 01-420-89802-20100507 http://docs.fortinet.com/ • Feedback


System Dashboard................................................................................. 39
  Dashboard overview .......... 40
    Adding dashboards .......... 40
    Adding widgets to a dashboard .......... 40
    VDOM and global dashboards .......... 41
  System Information .......... 42
    Configuring system time .......... 43
    Changing the FortiGate unit host name .......... 44
    Changing the FortiGate firmware .......... 45
  License Information .......... 45
  Unit Operation .......... 48
  System Resources .......... 50
    Viewing operational history .......... 50
  Alert Message Console .......... 51
  Log and Archive Statistics .......... 52
    Viewing DLP archive information on the Statistics widget .......... 54
    Viewing the Attack Log .......... 54
  CLI Console .......... 55
  Top Sessions .......... 56
  Top Viruses .......... 58
  Top Attacks .......... 59
  Traffic History .......... 59
  Top Policy Usage .......... 60
  DLP Archive Usage .......... 61
  RAID monitor .......... 61
  Top Application Usage .......... 64
  Storage .......... 64
  P2P Usage .......... 65
  Per-IP Bandwidth Usage .......... 65
  VoIP Usage .......... 65
  IM Usage .......... 65
  FortiGuard .......... 66

Firmware management practices ......................................................... 67
  Backing up your configuration .......... 68
    Backing up your configuration through the web-based manager .......... 68
    Backing up your configuration through the CLI .......... 68
    Backing up your configuration to a USB key .......... 69
  Testing firmware before upgrading .......... 70


  Upgrading your FortiGate unit .......... 71
    Upgrading to FortiOS 4.0 through the web-based manager .......... 71
    Upgrading to FortiOS 4.0 through the CLI .......... 72
    Verifying the upgrade .......... 73
  Reverting to a previous firmware image .......... 74
    Downgrading to a previous firmware through the web-based manager .......... 74
    Verifying the downgrade .......... 75
    Downgrading to a previous firmware through the CLI .......... 75
  Restoring your configuration .......... 77
    Restoring your configuration settings in the web-based manager .......... 77
    Restoring your configuration settings in the CLI .......... 77

Using virtual domains............................................................................ 79
  Virtual domains overview .......... 79
    VDOMs and global settings .......... 80
    Switching between VDOMs .......... 80
    Global and per-VDOM settings .......... 80
  VDOM configuration settings .......... 80
  VDOM licenses .......... 82
  Global VDOM resource limits .......... 82
    Global resource usage for individual VDOMs .......... 83

System Network ..................................................................................... 85
  Configuring interfaces .......... 85
    Switch Mode .......... 88
    Configuring interface settings .......... 88
    Adding VLAN interfaces .......... 91
    Adding loopback interfaces .......... 91
    Adding 802.3ad aggregate interfaces .......... 92
    Adding redundant interfaces .......... 93
    Configuring DHCP on an interface .......... 94
    Configuring PPPoE on an interface .......... 94
    Configuring Dynamic DNS on an interface .......... 95
    Configuring virtual IPSec interfaces .......... 96
    Configuring administrative access to an interface .......... 96
    Configuring interface status detection for gateway load balancing .......... 97
    Changing interface MTU packet size .......... 98
    Adding secondary IP addresses to an interface .......... 99
    Adding software switch interfaces .......... 100
    Adding an sFlow agent to a FortiGate interface .......... 101
  Configuring zones .......... 102


  Configuring the modem interface .......... 103
    Configuring modem settings .......... 104
    Redundant mode configuration .......... 105
    Standalone mode configuration .......... 106
    Adding firewall policies for modem connections .......... 107
    Connecting and disconnecting the modem .......... 107
    Checking modem status .......... 107

  Configuring Networking Options .......... 108
    DNS Servers .......... 108
  Configuring FortiGate DNS services .......... 108
    About split DNS .......... 109
    Configuring FortiGate DNS services .......... 109
    Configuring the FortiGate DNS database .......... 112
  Configuring the explicit web proxy .......... 112
    Configuring explicit web proxy settings .......... 114
  Configuring WCCP .......... 116
  Routing table (Transparent Mode) .......... 116

System Wireless................................................................................... 119
  FortiWiFi wireless interfaces .......... 119
  Channel assignments .......... 120
    IEEE 802.11a channel numbers .......... 120
    IEEE 802.11b channel numbers .......... 120
    IEEE 802.11g channel numbers .......... 121
  Wireless settings .......... 122
    Adding a wireless interface .......... 123
  Wireless MAC Filter .......... 124
    Managing the MAC Filter list .......... 125
  Wireless Monitor .......... 125
  Rogue AP detection .......... 126
    Viewing wireless access points .......... 126

System DHCP Server ........................................................................... 129
  FortiGate DHCP servers and relays .......... 129
  Configuring DHCP services .......... 130
    Configuring an interface as a DHCP relay agent .......... 130
    Configuring a DHCP server .......... 130
  Viewing address leases .......... 132
    Reserving IP addresses for specific clients .......... 132


System Config ...................................................................................... 133
  HA .......... 133
    HA options .......... 133
    Cluster members list .......... 135
    Viewing HA statistics .......... 136
    Changing subordinate unit host name and device priority .......... 137
    Disconnecting a cluster unit from a cluster .......... 137
  SNMP .......... 138
    Configuring SNMP .......... 139
    Configuring an SNMP community .......... 139
    Fortinet MIBs .......... 141
    Fortinet and FortiGate traps .......... 142
    Fortinet and FortiGate MIB fields .......... 145
  Replacement messages .......... 149
    VDOM and global replacement messages .......... 150
    Viewing the replacement messages list .......... 150
    Changing replacement messages .......... 151
    Mail replacement messages .......... 151
    HTTP replacement messages .......... 152
    Web Proxy replacement messages .......... 153
    FTP replacement messages .......... 154
    NNTP replacement messages .......... 155
    Alert Mail replacement messages .......... 155
    Spam replacement messages .......... 156
    Administration replacement message .......... 156
    User authentication replacement messages .......... 157
    FortiGuard Web Filtering replacement messages .......... 158
    IM and P2P replacement messages .......... 159
    Endpoint NAC replacement messages .......... 159
    NAC quarantine replacement messages .......... 160
    Traffic quota control replacement messages .......... 161
    SSL VPN replacement message .......... 161
    Replacement message tags .......... 161
  Operation mode and VDOM management access .......... 163
    Changing the operation mode .......... 163
    Management access .......... 163

System Admin ...................................................................................... 165
  Administrators .......... 165
    Viewing the administrators list .......... 167
    Configuring an administrator account .......... 167
    Changing an administrator account password .......... 168
    Configuring regular (password) authentication for administrators .......... 168
    Configuring remote authentication for administrators .......... 169
    Configuring PKI certificate authentication for administrators .......... 172


  Admin profiles .......... 173
    Viewing the admin profiles list .......... 175
    Configuring an admin profile .......... 176
  Central Management .......... 176
    Configuration revision .......... 177
  Settings .......... 178
  Monitoring administrators .......... 179
  FortiGate IPv6 support .......... 180
    Configuring IPv6 on FortiGate units .......... 180

System Certificates.............................................................................. 187
  Local Certificates .......... 188
    Generating a certificate request .......... 189
    Downloading and submitting a certificate request .......... 190
    Importing a signed server certificate .......... 190
    Importing an exported server certificate and private key .......... 190
    Importing separate server certificate and private key files .......... 191

  Remote Certificates .......... 191
    Importing Remote (OCSP) certificates .......... 192
  CA Certificates .......... 192
    Importing CA certificates .......... 193
  CRL .......... 193
    Importing a certificate revocation list .......... 193

System Maintenance............................................................................ 195
  Maintenance overview .......... 195
  Configuration Revision .......... 196
  Firmware .......... 197
    Backing up and restoring configuration files .......... 198
  FortiGuard .......... 200
    FortiGuard Distribution Network .......... 200
    FortiGuard services .......... 200
    Configuring the FortiGate unit for FDN and FortiGuard subscription services .......... 201
  Troubleshooting FDN connectivity .......... 205
  Updating antivirus and attack definitions .......... 205
  Enabling push updates .......... 207
    Enabling push updates when a FortiGate unit IP address changes .......... 208
    Enabling push updates through a NAT device .......... 208
  Advanced .......... 211
    Creating script files .......... 212
    Uploading script files .......... 212


  Adding VDOM Licenses .......... 213
  Disk .......... 213

AMC module configuration ................................................................. 215
  Configuring AMC modules .......... 215
    Auto-bypass and recovery for AMC bridge module .......... 216
    Enabling or disabling bypass mode for AMC bridge modules .......... 217

Configuring RAID ................................................................................. 219
  Configuring the RAID array .......... 219
    RAID disk configuration .......... 219
  RAID levels .......... 220
  Rebuilding the RAID array .......... 221
    Why rebuild the RAID array? .......... 222
    How to rebuild the RAID array .......... 222

Router Static ........................................................................................ 225
  Routing concepts .......... 225
    How the routing table is built .......... 226
    How routing decisions are made .......... 226
    Multipath routing and determining the best route .......... 226
    Route priority .......... 227
    Blackhole Route .......... 227

  Static Route .......... 228
    Working with static routes .......... 228
    Default route and default gateway .......... 230
    Adding a static route to the routing table .......... 232
  ECMP route failover and load balancing .......... 233
    Configuring spill-over or usage-based ECMP .......... 235
    Configuring weighted static route load balancing .......... 238
  Policy Route .......... 239

Router Dynamic.................................................................................... 243
RIP ................................................................................................................................ 243 Advanced RIP options ............................................................................................ 244 RIP-enabled interface ............................................................................................. 245 OSPF ............................................................................................................................ 246 Defining an OSPF AS—Overview .......................................................................... Basic OSPF settings............................................................................................... Advanced OSPF options ........................................................................................ Defining OSPF areas.............................................................................................. OSPF networks....................................................................................................... Operating parameters for an OSPF interface ......................................................... 246 247 248 249 250 250


BGP
Multicast
    Overriding the multicast settings on an interface
    Multicast destination NAT
Bi-directional Forwarding Detection (BFD)
    Configuring BFD

Router Monitor
Viewing routing information
    Searching the FortiGate routing table

Firewall
Policy
    Identity-based firewall policies
    IPv6 Policy
    DoS Policy
    Sniffer Policy
    Central NAT Table
Address
    Address list
    Address Group
Service
    Predefined service list
    Custom services
    Custom service groups
Schedule
    Recurring schedule list
    One-time schedule list
    Schedule groups
Traffic Shaper
    Shared traffic shapers
    Per-IP traffic shaping
Virtual IP
    Virtual IP
    Virtual IP, load balance virtual server and load balance real server limitations
    VIP group
    IP pools
Protocol Options
Load Balance
    Virtual servers
    Real servers
    Health check monitors
    Monitoring the servers

UTM
UTM overview
AntiVirus
    Profile
    File Filter
    Quarantine
    Virus Database
Intrusion Protection
    IPS Sensor
    Predefined
    Custom
    Protocol Decoder
    DoS sensor
    Packet logging
    Packet logging configuration
Web Filter
    Profile
    Web Content Filter
    URL Filter
    Using wildcards and Perl regular expressions
    Local Categories
    Local Ratings
    FortiGuard Quota
    Override
Email Filter
    Profile
    Banned Word
    IP Address
    E-mail Address
Data Leak Prevention
    Sensor
    Rule
    Compound rules
    DLP archiving

Application Control
Application Control List
    Application List
    Viewing the application database
    Configuring application sensors

VoIP
Profile

IPsec VPN
IPsec VPN overview
    Policy-based versus route-based VPNs
Auto Key (IKE)
    Phase 1 configuration
    Phase 1 advanced configuration settings
    Phase 2 configuration
    Phase 2 advanced configuration settings
Manual Key
    New manual key configuration
Internet browsing
Concentrator
Monitoring VPNs

PPTP VPN
PPTP configuration using FortiGate web-based manager
PPTP configuration using CLI commands

SSL VPN
SSL VPN overview
    General configuration steps
Config
Portal
    Portal settings
    Portal widgets
    Virtual Desktop Application Control
    Host Check
SSL VPN monitor list

WAN optimization and web caching
WAN optimization rules
WAN optimization peers
    Peer authentication groups
WAN optimization monitoring
Web cache settings
    Cache exempt list

User
User
    Local user accounts
    IM users
    Authentication settings
User Group
    Firewall user groups
    Directory Service user groups
    SSL VPN user groups
    Dynamically assigning VPN client IP addresses from a user group
Remote
    RADIUS
    LDAP
    TACACS+
Directory Service
PKI
    Peer users and peer groups
Monitor
    Firewall user monitor list
    IM user monitor list
    The Banned User list

Endpoint
Endpoint configuration overview
NAC
    Configuring Endpoint profiles
    Configuring FortiClient installer download and version enforcement
    Monitoring endpoints
Network Vulnerability Scan
    Configuring assets
    Configuring scans

Wireless Controller
Configuration overview
    Enabling the wireless controller
    Configuring a physical access point
    Configuring a virtual wireless access point
    Configuring FortiWiFi units as managed access points
    Configuring DHCP for your wireless LAN
    Configuring firewall policies for the wireless LAN
Monitoring wireless clients
Monitoring rogue APs

Log&Report
Log&Report overview
    What are logs?
    Log types and subtypes
    Examples
    Log message
    Logging all FortiGate traffic
    How a FortiGate unit stores logs
    Remote logging to a FortiAnalyzer unit
    Remote logging to the FortiGuard Analysis and Management Service
    Remote logging to a syslog server
    Local logging to disk
    Local logging to memory
Event Log
Alert E-mail
Accessing and viewing log messages
Archived logs
    Local archiving
Quarantine
Reports
    FortiOS reports
    Executive Summary reports from SQL logs
    FortiAnalyzer report schedules

Index

Introduction

Ranging from the FortiGate®-50 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS™ security operating system with FortiASIC™ processors and other hardware to provide a high-performance array of security and networking functions including:
• firewall, VPN, and traffic shaping
• Intrusion Prevention system (IPS)
• antivirus/antispyware/antimalware
• web filtering
• antispam
• application control (for example, IM and P2P)
• VoIP support (H.323, SIP, and SCCP)
• Layer 2/3 routing
• multiple redundant WAN interface options

FortiGate platforms include sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies.

The following topics are included in this section:
• Fortinet products
• Before you begin
• How this guide is organized
• Registering your Fortinet product
• Fortinet products End User License Agreement
• Customer service and technical support
• Training
• Fortinet documentation

Fortinet products

Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers. FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime, while providing a flexible, scalable path for expansion.

For more information on the Fortinet product family, go to www.fortinet.com/products.

Before you begin

This FortiGate Version 4.0 MR2 Administration Guide provides detailed information for system administrators about FortiGate™ web-based manager and FortiOS options and how to use them. This document is intended for administrators, not end users. The information in this document is also available in a slightly different form as FortiGate web-based manager online help. This guide also contains some information about the FortiGate command line interface (CLI), but not all the commands. For detailed information on the CLI, see the FortiGate CLI Reference.

The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site, as well as from the Fortinet Knowledge Base. You can also learn more about the FortiOS product from the same FortiGate page.

It is assumed that you have already successfully installed a FortiGate unit by following the instructions in the FortiGate Installation Guide for your model. At this stage:
• You have administrative access to the web-based manager and/or CLI.
• The FortiGate unit is integrated into your network.
• The operation mode has been configured.
• The system time, DNS settings, administrator password, and network interfaces have been configured.
• Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.

Once that basic installation is complete, you can use this document. This document explains how to use the web-based manager to:
• maintain the FortiGate unit, including backups
• reconfigure basic items that were configured during installation
• configure advanced features, including changing the unit firmware.

How this guide is organized

This section of the guide contains a brief explanation of the structure of the guide and provides a chapter-by-chapter summary. The first chapters provide an overview to help you start using the product or to learn what's new. Following these chapters, the guide describes web-based manager functions in the same order as the web-based manager (or GUI) menu, and then concludes with a detailed index.

This administration guide contains the following chapters:
• Web-based manager introduces the features of the FortiGate web-based manager, and explains how to connect to it. It also explains how to use the web-based manager online help.
• System Dashboard describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time. You can also access the CLI from this page. Finally this section describes the topology viewer that is available on all FortiGate models except those with model numbers 50 and 60.

• Firmware management practices describes upgrading and managing firmware versions. You should review this section before upgrading your FortiGate firmware because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful.
• Using virtual domains describes how to use VDOMs to operate your FortiGate unit as multiple virtual FortiGate units, which effectively provides multiple separate firewall and routing services to multiple networks.
• System Network explains how to configure physical and virtual interfaces and DNS settings on the FortiGate unit.
• System DHCP Server explains how to configure a FortiGate interface as a DHCP server or DHCP relay agent.
• System Config contains procedures for configuring HA and virtual clustering, configuring SNMP and replacement messages, and changing the operation mode.
• System Admin guides you through adding and editing administrator accounts, defining admin profiles for administrators, configuring central management using the FortiGuard Management Service or FortiManager, and defining general administrative settings such as language, timeouts, and web administration ports.
• System Certificates explains how to manage X.509 security certificates used by various FortiGate features such as IPSec VPN and administrator authentication.
• System Maintenance details how to back up and restore the system configuration using a management computer or a USB disk, as well as how to use revision control, enable FortiGuard services and FortiGuard Distribution Network (FDN) updates, and enter a license key to increase the maximum number of virtual domains.
• Router Static explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory-configured default gateway.
• Router Dynamic introduces you to the Router's Dynamic menu, including the available menus and settings that are available within the Dynamic menu.
• Router Monitor explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table.
• Firewall introduces you to the Firewall menu, which includes information about the menus and settings available within this menu.
• UTM introduces you to the UTM menu, which includes antivirus, data leak prevention and web filtering.
• IPsec VPN introduces you to the IPsec VPN menu.
• PPTP VPN explains how to use the web-based manager to specify a range of IP addresses for PPTP clients.
• SSL VPN introduces you to the SSL VPN menu, and provides information about basic SSL VPN settings.
• User describes how to control access to network resources through user authentication.
• Endpoint describes how to use FortiGate endpoint NAC to enforce the use of FortiClient End Point Security (Enterprise Edition) in your network.
• WAN optimization and web caching introduces you to the WAN Opt. & Web Cache menu, which provides settings for helping you to improve performance and security of traffic passing between locations on your wide area network (WAN) or over the Internet.

• Wireless Controller describes how to configure a FortiGate unit to act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi units.
• Log&Report introduces you to the Log&Report menu, which includes reports as well as logging information.

Document conventions

Fortinet technical documentation uses the conventions described below.

IP addresses

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

Cautions, Notes and Tips

Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.

Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Presents useful information, usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions

Fortinet documentation uses the following typographical conventions:

Table 1: Typographical conventions in Fortinet technical documentation

Button, menu, text box, field, or check box label: From Minimum log level, select Notification.
CLI input*:
  config system dns
      set primary <address_ipv4>
  end
CLI output:
  FGT-602803030703 # get system settings
  comments : (null)
  opmode : nat
Emphasis: HTTP connections are not secure and can be intercepted by a third party.
File content:
  <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
  <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry: Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation: Go to VPN > IPSEC > Auto Key (IKE).
Publication: For more information, see the FortiGate Administration Guide.

* For conventions used to represent command syntax, see “CLI command syntax” on page 19.

Note: Links typically go to the most recent version. To access earlier releases, go to http://docs.fortinet.com/. This link appears at the bottom of each page of this document.

CLI command syntax

This guide uses the following conventions to describe syntax to use when entering commands in the Command Line Interface (CLI). For more information, see the FortiGate CLI Reference.

Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint notations, such as <address_ipv4>, indicate which data types or string patterns are acceptable value input.

Table 2: Command syntax

Square brackets [ ]: A non-required word or series of words. For example: [verbose {1 | 2 | 3}] indicates that you may either omit or type both the verbose word and its accompanying option, such as: verbose 3

Table 2: Command syntax (continued)

Angle brackets < >: A word constrained by data type. To define acceptable input, the angled brackets contain a descriptive name followed by an underscore ( _ ) and suffix that indicates the valid data type. For example: <retries_int> indicates that you should enter a number of retries, such as 5.

Data types include:
• <xxx_name>: A name referring to another part of the configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards that matches possible variations, such as *@example.com to match all email addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as mail.example.com.
• <xxx_email>: An email address, such as admin@mail.example.com.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as 255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and CIDR-notation netmask separated by a slash, such as 192.168.1.99/24.
• <xxx_ipv4range>: An IPv4 address range.
• <xxx_ipv6>: An IPv6 address.
• <xxx_v6mask>: A dotted decimal IPv6 netmask.
• <xxx_ipv6mask>: A dotted decimal IPv6 address and netmask separated by a space.
• <xxx_str>: A string of characters that is not another data type, such as P@ssw0rd. Strings containing spaces or special characters must be surrounded in quotes or use escape sequences.
• <xxx_int>: An integer number that is not another data type, such as 15 for the number of minutes.

Curly braces { }: A word or series of words that is constrained to a set of options delimited by either vertical bars or spaces. You must enter at least one of the options, unless the set of options is surrounded by square brackets [ ].

Options delimited by vertical bars |: Mutually exclusive options. For example: {enable | disable} indicates that you must enter either enable or disable, but must not enter both.

Options delimited by spaces: Non-mutually exclusive options. For example: {http https ping snmp ssh telnet} indicates that you may enter all or a subset of those options, in any order, in a space-delimited list, such as: ping https ssh
Note: To change the options, you must re-type the entire list. For example, to add snmp to the previous example, you would type: ping https snmp ssh
If the option adds to or subtracts from the existing list of options, instead of replacing it, or if the list is comma-delimited, the exception will be noted.
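As an added example that is not part of the Fortinet documentation or of FortiOS, the following Python checks a typed value against the data type named by a placeholder’s suffix (for example <address_ipv4> from Table 1), using the values from the data type list above as its inputs; the placeholder names used in the demo and the choice to cover only the IPv4, FQDN, email and integer types are assumptions of the example.

```python
"""Check a typed value against the data type named by a CLI placeholder suffix.

Added example, not part of the Fortinet documentation or of FortiOS. The
<name_type> placeholder convention and the accepted forms follow the data
type list in Table 2; which types are covered is the example's own choice.
"""
import ipaddress
import re

# A placeholder is <descriptive_name>_<suffix>; the suffix after the last
# underscore names the data type (e.g. 'ipv4/mask' for <subnet_ipv4/mask>).
PLACEHOLDER = re.compile(r"^<(.+)_([A-Za-z0-9/]+)>$")


def data_type_of(placeholder: str) -> str:
    """Return the data type suffix of a placeholder, e.g. 'ipv4' for <address_ipv4>."""
    m = PLACEHOLDER.match(placeholder)
    if m is None:
        raise ValueError(f"not a <name_type> placeholder: {placeholder!r}")
    return m.group(2)


def is_ipv4(value: str) -> bool:
    """<xxx_ipv4>: a dotted decimal IPv4 address such as 192.168.1.99."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def is_v4mask(value: str) -> bool:
    """<xxx_v4mask>: a dotted decimal netmask such as 255.255.255.0.

    A valid mask is a run of 1 bits followed by a run of 0 bits, so its
    bitwise complement must be of the form 2**k - 1.
    """
    if not is_ipv4(value):
        return False
    complement = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    return (complement & (complement + 1)) == 0


def is_ipv4mask(value: str) -> bool:
    """<xxx_ipv4mask>: address and netmask separated by a single space."""
    parts = value.split(" ")
    return len(parts) == 2 and is_ipv4(parts[0]) and is_v4mask(parts[1])


def is_ipv4_cidr(value: str) -> bool:
    """<xxx_ipv4/mask>: address and CIDR prefix length separated by a slash."""
    addr, sep, prefix = value.partition("/")
    return sep == "/" and is_ipv4(addr) and prefix.isdigit() and 0 <= int(prefix) <= 32


def is_fqdn(value: str) -> bool:
    """<xxx_fqdn>: a fully qualified domain name such as mail.example.com."""
    label = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    return len(value) <= 253 and re.fullmatch(rf"{label}(?:\.{label})+", value) is not None


def is_email(value: str) -> bool:
    """<xxx_email>: local part, '@', and an FQDN, such as admin@mail.example.com."""
    local, sep, domain = value.rpartition("@")
    return sep == "@" and local != "" and " " not in local and is_fqdn(domain)


def is_int(value: str) -> bool:
    """<xxx_int>: an integer such as 15."""
    return re.fullmatch(r"-?\d+", value) is not None


VALIDATORS = {
    "ipv4": is_ipv4,
    "v4mask": is_v4mask,
    "ipv4mask": is_ipv4mask,
    "ipv4/mask": is_ipv4_cidr,
    "fqdn": is_fqdn,
    "email": is_email,
    "int": is_int,
}


def accepts(placeholder: str, value: str) -> bool:
    """True if `value` is acceptable input for the data type of `placeholder`."""
    suffix = data_type_of(placeholder)
    if suffix not in VALIDATORS:
        raise ValueError(f"no validator for data type {suffix!r}")
    return VALIDATORS[suffix](value)


if __name__ == "__main__":
    # Placeholder names below are made up for the demo; only the suffix matters.
    for ph, val in [("<address_ipv4>", "192.168.1.99"),
                    ("<netmask_v4mask>", "255.0.255.0"),
                    ("<subnet_ipv4/mask>", "192.168.1.99/24"),
                    ("<retries_int>", "5")]:
        print(f"{ph} {val!r}: {'ok' if accepts(ph, val) else 'rejected'}")
```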

Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com.

Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Base article Registration Frequently Asked Questions.

Fortinet products End User License Agreement

See the Fortinet products End User License Agreement.

Training

Fortinet Training Services provides a variety of training programs to serve the needs of our customers and partners world-wide. Visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.

Fortinet documentation

The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes.

In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.

Tools and Documentation CD

The documentation for your product is available on the Fortinet Tools and Documentation CD shipped with your product. The documents on this CD are current at shipping time. For the most current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Customer service and technical support

Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network.

To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com.

You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements.

Fortinet Knowledge Base

The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com.

Comments on Fortinet technical documentation

Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Web-based manager

This section describes the features of the user-friendly web-based manager administrative interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate unit.

Using HTTP or a secure HTTPS connection from any management computer running a web browser, you can connect to the FortiGate web-based manager to configure and manage the FortiGate unit. You can configure the FortiGate unit for HTTP and HTTPS web-based administration from any FortiGate interface. To connect to the web-based manager you require a FortiGate administrator account and password.

The web-based manager supports multiple languages, but by default appears in English on first use.

You can use the web-based manager menus, lists, and configuration pages to configure most FortiGate settings. Configuration changes made using the web-based manager take effect immediately without resetting the FortiGate unit or interrupting service. You can back up your configuration at any time using the Backup Configuration button on the button bar. The button bar is located in the upper right corner of the web-based manager. The saved configuration can be restored at any time.

Some of the information displayed by the web-based manager uses features only supported by the most recent versions of the most popular web browsers. Older versions of these web browsers may not always work correctly with the web-based manager. The recommended minimum screen resolution for the management computer is 1280 by 1024.

You can go to System > Dashboard > Status to view detailed information about the status of your FortiGate unit on the system dashboard. The dashboard displays information such as the current FortiOS firmware version, antivirus and IPS definition versions, operation mode, connected interfaces, and system resources. It also shows whether the FortiGate unit is connected to a FortiAnalyzer unit and a FortiManager unit or other central management services.

The system dashboard provides an easy entry point to the CLI console that you can use without exiting the web-based manager. You can use the FortiGate command line interface (CLI) to configure the same FortiGate settings that you can configure from the web-based manager, as well as additional CLI-only settings.

The web-based manager also includes detailed context-sensitive online help. Selecting Online Help on the button bar displays help for the current web-based manager page.

The following topics are included in this section:
• Web-based manager pages
• Common web-based manager tasks
• Using FortiGate Online Help

Web-based manager pages

The web-based manager interface consists of main menus, menus and, within several menus, sub-menus. The navigation is written as follows: System > Dashboard > Dashboard or UTM > Antivirus > Profile.

The information that displays when you go to, for example, UTM > Antivirus > Profile, is displayed on that menu’s page, for example the Profile page. A menu’s page contains the icons necessary to configure settings, as well as displaying information. In Figure 1, the Status page is shown, with the Widget icon and Dashboard icon at the top of the page. In this explanation, the Status page displays the System Information, System Resources and Unit Operation widgets. The page also includes the Widget and Dashboard icons. In Figure 1, you can also see the submenus that are available in the Dashboard menu, as well as the menus within the System main menu.

Figure 1: Explanation of the web-based manager interface (callouts: Main menu, Menu, Sub-menu, A menu’s page)

A main menu that is not shown in Figure 1 is the Current VDOM main menu, which appears only when VDOMs are enabled. For more information about the Current VDOM menu, see “Switching VDOMs” on page 33.

This topic contains the following:
• Main menus in the web-based manager
• Using web-based manager lists
• Adding filters to web-based manager lists
• Using page controls on web-based manager lists
• Using column settings to control the columns displayed
• Using filters with column settings

Main menus in the web-based manager

The web-based manager interface provides access to configuration options for all major FortiGate features (see Figure 1 on page 24) from the main menus. The web-based manager contains the following main menus:

System: Configure system settings, such as network interfaces, virtual domains, DHCP services, administrators, certificates, High Availability (HA), system time and set system options.
Router: Configure FortiGate static and dynamic routing and view the router monitor.
Firewall: Configure firewall policies that apply network protection features. Also configure virtual IP addresses and IP pools.
UTM: Configure antivirus and antispam protection, web filtering, intrusion protection, data leak prevention, and application control.
VPN: Configure IPSec and SSL virtual private networking. PPTP is configured in the CLI.
User: Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers such as RADIUS, LDAP, TACACS+, and Windows AD. Configure monitoring of Firewall, IM, and Banned Users.
Endpoint: Configure end points, view FortiClient configuration information, and configure software detection patterns.
WAN Opt. & Cache: Configure WAN optimization and web caching to improve performance and security of traffic passing between locations on your wide area network (WAN) or from the Internet to your web servers.
Wireless Controller: Configure a FortiGate unit to act as a wireless network controller, managing the wireless Access Point (AP) functionality of FortiWiFi units.
Log&Report: Configure logging and alert email. View log messages and reports.
Current VDOM: Appears only when VDOMs are enabled on the FortiGate unit. Allows you to quickly switch between VDOMs. To switch between VDOMs, select a VDOM from the drop-down list that is beside Current VDOM.

Using web-based manager lists

Many of the web-based manager pages contain lists. There are lists of network interfaces, firewall policies, administrators, users, and others.

If you log in as an administrator with an admin profile that allows Read Only access to a list, you will only be able to view the items on the list. If you log in as an administrator with an admin profile that allows Read-Write access to a list, depending on the list you will usually be able to:
• Select Create New to add a new item to the list.
• Modify and/or change the settings of an item in the list on a page.
• Remove an item from the list. The delete icon will not be available if the item cannot be deleted. Usually items cannot be deleted if they have been added to another configuration. For example, to delete a user that has been added to a user group you must first remove the user from the user group. To delete such an item, you must first find the configuration settings that the item has been added to and remove the item from them.

For more information about admin profiles, see “Admin profiles” on page 173.

Adding filters to web-based manager lists

You can add filters to control the information that is displayed in complex lists in the web-based manager. Filters are useful for reducing the number of entries that are displayed on a list so that you can focus on the information that is important to you.

For example, a busy FortiGate unit may be processing hundreds or thousands of communications sessions. To view them, you can go to System > Dashboard > Status and, in the Statistics section, select Details on the Sessions line to view the communications sessions that the FortiGate unit is currently processing. You can add filters to make it easier to find specific sessions. For example, you might be looking for all communications sessions being accepted by a specific firewall policy. You can add a Policy ID filter to display only the sessions for a particular Policy ID or range of Policy IDs.

You add filters to a web-based manager list by selecting any filter icon to display the Edit Filters window. From the Edit Filters window you can select any column name to filter, and configure the filter for that column. You can also add filters for one or more columns at a time. The filter icon remains gray for unfiltered columns and changes to green for filtered columns.

Different filter styles are available depending on the type of information displayed in individual columns. In all cases, you configure filters by specifying what to filter on and whether to display information that matches the filter, or by selecting NOT to display information that does not match the filter. For example, you could configure a source address column to display only entries for a single IP address or for all addresses in a range of addresses.

On firewall policy, IPv6 policy, predefined signature and log and report log access lists, you can combine filters with column settings to provide even more control of the information displayed by the list. See “Using filters with column settings” on page 29 for more information.

Note: Filter settings are stored in the FortiGate configuration and will be maintained the next time that you access any list for which you have added filters. The filter configuration is retained after leaving the web-based manager page and even after logging out of the web-based manager or rebooting the FortiGate unit.

See the following web-based manager pages for examples of lists with filters:
• Session list (see “Viewing the current sessions list” on page 57)
• Firewall policy and IPv6 policy lists (see “Policy” on page 261, “DoS Policy” on page 271, and “Sniffer Policy” on page 273)
• Intrusion protection predefined signatures list (see “Predefined” on page 313)
• Firewall user monitor list (see “Firewall user monitor list” on page 400)
• IPSec VPN Monitor (see “Monitoring VPNs” on page 364)
• Endpoint NAC list of known endpoints (see “Monitoring endpoints” on page 409)
• Log and report log access list (see “Accessing and viewing log messages” on page 429)

Filters for columns that contain numbers

If the column includes numbers (for example, firewall policy IDs, IP addresses, or port numbers) you can filter by a single number or a range of numbers. To specify a range, separate the top and bottom values of the range with a hyphen, for example 25-50.
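As an added example that is not part of the Fortinet documentation or of FortiOS, the following Python models the filter styles this section describes (a single number or a hyphenated range such as 25-50, a text string with the < handling given under the text string filters, single-item columns, the multi-level log level filter of Figure 2, and the NOT inverter) and runs them over constructed rows shaped like session list entries; the column names and the sample rows are assumptions of the example.

```python
"""Model of the filter rules described for FortiGate web-based manager lists.

Added example, not part of the Fortinet documentation or of FortiOS. It applies
the documented filter styles (a number or hyphenated range, a text string with
the '<' and '<...>' handling, single-item columns, the multi-level log filter,
and the NOT inverter) to constructed rows shaped like session list entries.
"""
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample rows (not captured from a FortiGate). Column names are
# assumptions standing in for Policy ID, source address, destination port,
# log level and a free-text message column.
SESSIONS = [
    {"policy_id": 12, "src": "192.168.1.10", "dport": 443, "level": "notice",
     "message": "User <jsmith> logged in"},
    {"policy_id": 25, "src": "192.168.1.11", "dport": 80, "level": "warning",
     "message": "Proxy <string> rejected"},
    {"policy_id": 37, "src": "192.168.1.12", "dport": 22, "level": "alert",
     "message": "SSH session opened"},
    {"policy_id": 50, "src": "192.168.1.13", "dport": 8080, "level": "error",
     "message": "Level < 3 ignored"},
    {"policy_id": 51, "src": "192.168.1.14", "dport": 53, "level": "information",
     "message": "DNS query"},
]


def number_filter(spec: str) -> Callable[[int], bool]:
    """'37' matches one number; '25-50' matches the inclusive range 25..50."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+))?\s*", spec)
    if m is None:
        raise ValueError(f"invalid number filter: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    if low > high:
        low, high = high, low
    return lambda n: low <= n <= high


def normalize_filter_text(text: str) -> str:
    """Apply the documented '<' rules to the text typed into a filter.

    A matched <...> pair and everything inside it is ignored; a lone '<' and
    everything after it is ignored unless the '<' is followed by a space.
    """
    text = re.sub(r"<[^<>]*>", "", text)   # '<string>' is dropped, '>string>' kept
    text = re.sub(r"<(?! ).*", "", text)   # '<string' is dropped, '< string' kept
    return text


def text_filter(needle: str, *, mode: str = "contains",
                match_case: bool = False) -> Callable[[str], bool]:
    """Text-string filter: 'equals' or 'contains', optionally matching case."""
    if mode not in ("equals", "contains"):
        raise ValueError(f"unknown text filter mode: {mode!r}")
    needle = normalize_filter_text(needle)

    def match(value: str) -> bool:
        a, b = (value, needle) if match_case else (value.lower(), needle.lower())
        return a == b if mode == "equals" else b in a
    return match


def item_filter(*items: str) -> Callable[[str], bool]:
    """Single-item columns take one item; the log level filter may take several."""
    allowed = set(items)
    return lambda value: value in allowed


@dataclass
class ColumnFilter:
    column: str
    match: Callable[[object], bool]
    negate: bool = False   # the NOT option: keep rows that do NOT match

    def keep(self, row: dict) -> bool:
        return self.match(row[self.column]) != self.negate


def apply_filters(rows: Iterable[dict], filters: Iterable[ColumnFilter]) -> list:
    """Keep rows that satisfy every column filter (filters on several columns combine)."""
    filters = list(filters)
    return [row for row in rows if all(f.keep(row) for f in filters)]


def policy_ids(rows: Iterable[dict]) -> list:
    """Policy IDs of the rows, in list order, for compact inspection."""
    return [row["policy_id"] for row in rows]


if __name__ == "__main__":
    # Sessions accepted by policies 25 to 50, as in the Policy ID range example.
    print(policy_ids(apply_filters(SESSIONS, [ColumnFilter("policy_id", number_filter("25-50"))])))
    # The log level filter of Figure 2: alert, critical, error or warning.
    severe = ColumnFilter("level", item_filter("alert", "critical", "error", "warning"))
    print(policy_ids(apply_filters(SESSIONS, [severe])))
```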

To view the session list, go to System > Dashboard > Status. In the Statistics section, beside Sessions, select Details.

Filters for columns containing text strings

If the column includes text strings (for example, names and log messages) you can filter by a text string. You can also specify whether to match the capitalization (case) of the text string. You can also filter information that is an exact match for the text string (equals), that contains the text string, or that does not equal or does not contain the text string.

The text string can be blank and it can also be very long. The text string can also contain special characters such as <, &, > and so on. However, filtering ignores characters following a < unless the < is followed by a space (for example, filtering ignores <string but not < string). Filtering also ignores matched opening and closing < and > characters and any characters inside them (for example, filtering ignores <string> but does not ignore >string>).

Filters for columns that can contain only specific items

For columns that can contain only specific items (for example, a log message severity or a pre-defined signature action) you can select a single item from a list. In this case, you can only filter on a single selected item.

Custom filters

Other custom filters are also available. You can filter log messages according to date range and time range. You can also set the level filter to display log messages with multiple severity levels.

Figure 2: A log access filter set to display all log messages with level of alert, critical, error, or warning

Using page controls on web-based manager lists

The web-based manager includes page controls to make it easier to view lists that contain more items than you can display on a typical browser window. Web-based manager pages with page controls include:
• session list (see “Viewing the current sessions list” on page 57)
• Router Monitor (see “Router Monitor” on page 257)

• intrusion protection predefined signatures list (see “Predefined” on page 313)
• web filtering lists (see “Web Filter” on page 316)
• antispam lists (see “Email Filter” on page 328)
• Firewall user monitor list (see “Firewall user monitor list” on page 400)
• IPSec VPN Monitor (see “Monitoring VPNs” on page 364)
• Banned user list (see “The Banned User list” on page 401)
• Endpoint NAC list of known endpoints (see “Monitoring endpoints” on page 409)
• log and report log access lists (see “Accessing and viewing log messages” on page 429)

Figure 3: Page controls (callouts: First Page, Previous Page, Current Page (enter a page number to display that page), Next Page, Total Number of Pages, Last Page)

First Page: Display the first page of items in the list.
Previous Page: Display the previous page of items in the list.
Current Page: The current page number of list items that are displayed. You can enter a page number and press Enter to display the items on that page. For example, if there are 5 pages of items and you enter 3, page 3 of the sessions will be displayed.
Total Number of Pages: The number of pages of list items that you can view.
Next Page: Display the next page of items in the list.
Last Page: Display the last page of items in the list.

Using column settings to control the columns displayed

Using column settings, you can format some web-based manager lists so that information that is important to you is easy to find and less important information is hidden or less distracting. On web-based manager pages that contain complex lists, you can change column settings to control the information columns that are displayed for the list and to control the order in which they are displayed.

Web-based manager pages with column settings controls include:
• Network interface list (see “Configuring interfaces” on page 85)
• Firewall policy and IPv6 policy (see “Policy” on page 261)
• Intrusion protection predefined signatures list (see “Predefined” on page 313)
• Firewall user monitor list (see “Firewall user monitor list” on page 400)
• IPSec VPN Monitor (see “Monitoring VPNs” on page 364)
• Endpoint NAC list of known endpoints (see “Monitoring endpoints” on page 409)

• Log and report log access lists (see “Accessing and viewing log messages” on page 429)

For example, you can change interface list column headings to display only the IP/Netmask, MAC address, MTU, and interface Type for each interface.

To change column settings on a list that supports it, select Column Settings. From Available fields, select the column headings to be displayed and then select the Right Arrow to move them to the “Show these fields in this order” list. Similarly, to hide column headings, use the Left Arrow to move them back to the Available fields list. Use Move Up and Move Down to change the order in which to display the columns.

Note: Any changes that you make to the column settings of a list are stored in the FortiGate configuration and will display the next time that you access the list.

Figure 4: Example of column settings that appear in Endpoint > Monitor > Endpoint Monitor

Using filters with column settings

On firewall policy, IPv6 policy, predefined signature, firewall user monitor, IPSec monitor and log and report log access lists you can combine filters with column settings to provide even more control of the information displayed by the list.

For example, you can go to Intrusion Protection > Predefined and configure the Intrusion Protection predefined signatures list to show only the names of signatures that protect against vulnerabilities for a selected application. To do this, set Column Settings to only display Applications and Name. Then apply a filter to Applications so that only selected applications are listed.

In the pre-defined signatures list you can also sort the list by different columns. For example, you might want to sort the list by application so that all signatures for each application are grouped together.

Figure 5: A pre-defined signatures list displaying pre-defined signatures for the Veritas and Winamp applications

For more information, see “Adding filters to web-based manager lists” on page 26.

Common web-based manager tasks

This topic describes the following common web-based manager tasks:
• Connecting to the web-based manager
• Modifying current settings
• Changing your FortiGate administrator password
• Changing the web-based manager language
• Changing administrative access to your FortiGate unit
• Changing the web-based manager idle timeout
• Switching VDOMs
• Connecting to the FortiGate CLI from the web-based manager
• Contacting Customer Support
• Logging out

Connecting to the web-based manager

To connect to the web-based manager, you require:
• a FortiGate unit connected to your network according to the instructions in the QuickStart Guide and Install Guide for your FortiGate unit
• the IP address of a FortiGate interface that you can connect to
• a computer with an Ethernet connection to a network that can connect to the FortiGate unit

• a supported web browser. See the Knowledge Base articles Microsoft Windows WEB browsers supported by Fortinet products web-based manager (GUI) and Mac OS browsers for use with Fortinet hardware web-based manager (GUI).

To connect to the web-based manager
1 Start your web browser and browse to https:// followed by the IP address of the FortiGate unit interface that you can connect to (remember to include the “s” in https://). For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99.
To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate a HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser.
The first warning prompts you to accept and optionally install the FortiGate unit’s self-signed security certificate. If you do not accept the certificate, the FortiGate unit refuses the connection. If you accept the certificate, the login page appears. The credentials entered are encrypted before they are sent to the FortiGate unit. If you choose to accept the certificate permanently, the warning is not displayed again.
Just before the login page is displayed, a second warning informs you that the FortiGate certificate distinguished name differs from the original request. This warning occurs because the FortiGate unit redirects the connection. This is an informational message. Select OK to continue logging in.
2 Type admin or the name of a configured administrator in the Name field.
3 Type the password for the administrator account in the Password field.
4 Select Login.

Modifying current settings

When you are modifying current settings, such as changing an administrator’s password, you must highlight the item and then select the applicable icon because all available icons are inaccessible otherwise. This way of accessing icons is explained in the following procedure. Use the procedure “To access icons for modifying items within a list” on page 31 whenever you are modifying current settings.

To access icons for modifying items within a list
1 In the Check box column, within the row of the setting you want to change, select the check box to highlight the row. The grayed icons are now accessible. On some pages, all icons may not be accessible when you highlight the row.
2 With the icon or icons now accessible, select the icon that you want to use to make modifications with (such as the Edit icon). After the modifications are made, the check box is unselected and the row unhighlighted, and you are back to the list on the page.

Changing your FortiGate administrator password

By default, you can log into the web-based manager by using the admin administrator account and no password. You should add a password to the admin administrator account to prevent anybody from logging into the FortiGate and changing configuration options. For improved security, you should regularly change the admin administrator account password and the passwords for any other administrator accounts that you add.

To change an administrator’s password, go to System > Admin > Administrators, edit the administrator, and then change the password. Select OK to save the new password. You can also add new administrator accounts by selecting Create New. For more information about adding administrators, changing administrator account passwords and related configuration settings, see “System Admin” on page 165.

Note: If you forget or lose an administrator account password and cannot log into your FortiGate unit, see the Fortinet Knowledge Base article Recovering a lost FortiGate administrator account password.

Changing the web-based manager language

You can change the web-based manager display language to English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese, or French. To change the language, go to System > Admin > Settings and, under Display Settings, select the language you want from the Language drop-down list, and select Apply. The web-based manager pages display the chosen language. For best results, you should select the language that the management computer operating system uses.

Figure 6: The admin Settings page displaying the Portuguese language

Changing administrative access to your FortiGate unit

Through administrative access an administrator can connect to the FortiGate unit to view and change configuration settings. The default configuration of your FortiGate unit allows administrative access to one or more of the interfaces of the unit as described in your FortiGate unit QuickStart Guide and Install Guide.

You can change administrative access by:
• enabling or disabling administrative access from any FortiGate interface

• enabling or disabling secure HTTPS administrative access to the web-based manager (recommended)
• enabling or disabling HTTP administrative access to the web-based manager (not recommended)
• enabling or disabling secure SSH administrative access to the CLI (recommended)
• enabling or disabling Telnet administrative access to the CLI (not recommended).

HTTP and Telnet carry administrator credentials and configuration in cleartext, so leave them disabled and enable administrative access only on the interfaces that your management hosts need to reach.

To change administrative access, go to System > Network > Interface, edit the interface, and select the administrative access type or types for that interface. Select OK to save the changes. For more information about changing administrative access, see “Configuring administrative access to an interface” on page 96.

Changing the web-based manager idle timeout
By default, the web-based manager disconnects administrative sessions if no activity takes place for five minutes. This idle timeout is recommended to prevent someone from using the web-based manager from a PC that is logged into the web-based manager and then left unattended. However, you can use the following steps to change this idle timeout.

To change the idle timeout, go to System > Admin > Settings, and under Idle Timeout enter the time in minutes, and then select Apply to save the changes.

Switching VDOMs
When VDOMs are enabled, a menu called Current VDOM appears in the left column with a drop-down list beside it. The drop-down list contains all the configured VDOMs on that FortiGate unit. This provides an easy, quick way to access a VDOM.

To switch to a VDOM using the Current VDOM menu, select the VDOM that you want to switch to from the drop-down list beside Current VDOM. You are automatically redirected to that VDOM.

Connecting to the FortiGate CLI from the web-based manager
You can connect to the FortiGate CLI from the web-based manager dashboard by using the CLI Console widget. You can use the CLI to configure all configuration options available from the web-based manager. Some configuration options are available only from the CLI. As well, you can use the CLI to enter diagnose commands and perform other advanced operations that are not available from the web-based manager. For more information about the FortiGate CLI, see the FortiGate CLI Reference.

To connect to the CLI console, go to System > Dashboard > Status, and in the CLI Console widget select inside the window. You are automatically logged in to the CLI. For more information, see “CLI Console” on page 55.

Contacting Customer Support
The Contact Customer Support button opens the Fortinet Support web page in a new browser window. From this page you can:
• visit the Fortinet Knowledge Base
• log into Customer Support (Support Login)
• register your Fortinet product (Product Registration)
• view Fortinet Product End of Life information
• find out about Fortinet Training and Certification
• visit the FortiGuard Center.

To register a Fortinet product, go to Product Registration and follow the instructions. You must register your Fortinet product to receive product updates, technical support, and FortiGuard services.

Logging out
The Logout button immediately logs you out of the web-based manager. If you simply close the browser or leave the web-based manager, you remain logged in until the idle timeout (default 5 minutes) expires. Log out before you close the browser window. To change the timeout, see “Changing the web-based manager idle timeout” on page 33.

Using FortiGate Online Help
The Online Help button displays context-sensitive online help for the current web-based manager page. The online help page that is displayed is called a content pane and contains information and procedures related to the current web-based manager page. Most help pages also contain hyperlinks to related topics. The online help system also includes a number of links that you can use to find additional information.

FortiGate context-sensitive online help topics also include a VDOM or Global icon to indicate whether the web-based manager page is for VDOM-specific or global configuration settings. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. If you are not operating your FortiGate unit with virtual domains enabled, you can ignore the VDOM and Global icons. For more information about virtual domains, see “Using virtual domains” on page 79.

Figure 7: A context-sensitive online help page (content pane only)
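The administrative-access, idle-timeout and password points made in this chapter can be checked against a configuration backup instead of by clicking through every interface. The following Python script is an added example written for this guide, not code from Fortinet or from the guide itself. It parses the config / edit / set / next / end layout that FortiOS backups use, flags cleartext HTTP or Telnet administrative access, an idle timeout above an assumed local maximum (MAX_IDLE_MINUTES) and administrator accounts that carry no password, and prints the CLI that remediates each finding. The configuration text is constructed for the example, and the rule that an administrator without a "set password" line has no password is an assumption about the backup format.

```python
"""Audit a FortiOS configuration backup for cleartext management access,
a long web-based manager idle timeout and password-less administrators.
Added example for the FortiGate guide; not Fortinet code.  The config text
is constructed, and 'admin block without set password' is assumed to mean an
account with no password."""
import re
from dataclasses import dataclass

# Constructed sample: wan1 and the admin account are deliberately weak.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 480
    set hostname "FGT-BRANCH-1"
end
config system interface
    edit "port1"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping http telnet
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "ops"
        set accprofile "super_admin"
        set password ENC AK1example
    next
end
"""

MAX_IDLE_MINUTES = 15          # assumed local policy; the FortiGate default is 5
CLEARTEXT = ("http", "telnet")  # management protocols that expose credentials


def _tokens(line):
    """Split a config line on whitespace, keeping double-quoted values whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def parse_fortios(text):
    """Parse FortiOS config text into nested dicts.

    'config a b' opens a section keyed "a b", 'edit name' opens a table entry,
    'set key v1 v2' stores ["v1", "v2"], and 'next' / 'end' close the current
    entry or section."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, *args = _tokens(line)
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return root


@dataclass
class Finding:
    severity: str
    target: str
    message: str
    fix: str          # CLI that remediates the finding


def audit(config):
    """Return the findings for one parsed configuration, in config order."""
    findings = []
    sysglobal = config.get("system global", {})
    timeout = int(sysglobal.get("admintimeout", ["5"])[0])
    if timeout > MAX_IDLE_MINUTES:
        findings.append(Finding("medium", "system global",
            f"admintimeout is {timeout} min (policy maximum {MAX_IDLE_MINUTES})",
            f"config system global\n    set admintimeout {MAX_IDLE_MINUTES}\nend"))
    for name, iface in config.get("system interface", {}).items():
        access = iface.get("allowaccess", [])
        bad = [p for p in access if p in CLEARTEXT]
        if bad:
            keep = [p for p in access if p not in CLEARTEXT]
            cmd = f"set allowaccess {' '.join(keep)}" if keep else "unset allowaccess"
            findings.append(Finding("high", name,
                "cleartext administrative access enabled: " + ", ".join(bad),
                f'config system interface\n    edit "{name}"\n        {cmd}\n    next\nend'))
    for name, admin in config.get("system admin", {}).items():
        if "password" not in admin:
            findings.append(Finding("critical", name,
                "administrator account has no password",
                f'config system admin\n    edit "{name}"\n        set password <new-password>\n    next\nend'))
    return findings


if __name__ == "__main__":
    for f in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{f.severity}] {f.target}: {f.message}\n{f.fix}\n")
```

Run it against the output of a configuration backup taken from System > Dashboard > Status (or `show full-configuration` on the CLI) by replacing SAMPLE_CONFIG with the file contents. The parser keeps token lists rather than joined strings so that "http" is never confused with "https".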

To view the online help, select Online Help in the button bar in the upper right corner of the web-based manager. The buttons at the top of the content pane do the following:

Show Navigation  Open the online help navigation pane.
Previous  Display the previous page in the online help.
Next  Display the next page in the online help.
Print  Print the current online help page.
Email  Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.

To view the online help table of contents or index, and to use the search feature, select Show Navigation. From the navigation pane you can use the online help table of contents, index, and search to access all of the information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.

Figure 8: Online help page with navigation pane and content pane

Contents  Display the online help table of contents. You can navigate through the table of contents to find information in the online help.
Index  Display the online help index. You can use the index to find information in the online help.
Search  Display the online help search. For more information, see “Searching the online help” on page 36.
Show in Contents  Display the location of the current help page within the table of contents. If you have used the index, search, or hyperlinks to find information in the online help, the table of contents may not be visible or the table of contents may be out of sync with the current help page.

Searching the online help
Using the online help search, you can search for one word or multiple words in the full text of the FortiGate online help system. The search results pane lists the names of all the online help pages that contain all the words that you entered. Select a name from the list to display that help page.

The help pages found by the search are ranked in order of relevance. The higher the ranking, the more likely the help page includes useful or detailed information about the word or words that you are searching for. Help pages with the search words in the help page title are ranked highest.

Please note the following:
• If you search for multiple words, the search finds only those help pages that contain all of the words that you entered. The search does not find help pages that only contain one of the words that you entered.
• You can use the asterisk (*) as a search wildcard character that is replaced by any number of characters. For example, if you search for auth* the search finds help pages containing auth, authenticate, authenticates, authentication, and so on.
• In some cases the search finds only exact matches. For example, if you search for windows the search may not find pages containing the word window. You can work around this using the * wildcard (for example by searching for window*).

To search in the online help system
1 From any web-based manager page, select the online help button.
2 Select Show Navigation.
3 Select Search.
4 In the search field, enter one or more words to search for and then press the Enter key on your keyboard or select Go.

Figure 9: Searching the online help system

Using the keyboard to navigate in the online help
You can use the keyboard shortcuts listed in Table 3 to display and find information in the online help.
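The three search rules above (every word must match, * stands for any run of characters, and a bare word matches only that exact word) together with the title-first ranking are small enough to state as code. The following Python function is an added reference implementation written for this guide, not Fortinet's help engine, and the help pages it searches are constructed for the example.

```python
"""Reference implementation of the online-help search rules described in the
guide: AND semantics across words, '*' wildcard, exact whole-word matching
otherwise, and pages with a hit in the title ranked first.  Added example;
not Fortinet's help engine.  HELP_PAGES is constructed for the example."""
import re

HELP_PAGES = {   # title -> body text
    "Configuring user authentication":
        "Create user groups and select an authentication method for each firewall policy.",
    "RADIUS servers":
        "The FortiGate unit authenticates users against the RADIUS server.",
    "Changing the idle timeout":
        "Log out before you close the browser window.",
    "Windows installer":
        "Download the FortiClient Windows installer to your PC.",
}


def term_pattern(term):
    """Compile one query word: '*' becomes any run of word characters, every
    other character is literal, and word boundaries keep 'windows' from
    matching 'window' (and vice versa)."""
    parts = [re.escape(p) for p in term.lower().split("*")]
    return re.compile(r"\b" + r"\w*".join(parts) + r"\b")


def search(query, pages=HELP_PAGES):
    """Return matching page titles, best score first, then alphabetical."""
    patterns = [term_pattern(t) for t in query.split()]
    if not patterns:
        return []
    ranked = []
    for title, body in pages.items():
        score = 0
        for pat in patterns:
            if pat.search(title.lower()):
                score += 2            # a title hit outranks a body hit
            elif pat.search(body.lower()):
                score += 1
            else:
                score = None          # one missing word drops the page (AND)
                break
        if score is not None:
            ranked.append((score, title))
    ranked.sort(key=lambda item: (-item[0], item[1]))
    return [title for _, title in ranked]
```

The score is per query word, so a page whose title contains two of the words ranks above one whose title contains only one; the tie-break is alphabetical so that results are stable.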

Table 3: Online help navigation keys
Key  Function
Alt+1  Display the table of contents.
Alt+2  Display the index.
Alt+3  Display the Search tab.
Alt+4  Go to the previous page.
Alt+5  Go to the next page.
Alt+7  Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.
Alt+8  Print the current online help page.
Alt+9  Add an entry for this online help page to your browser bookmarks or favorites list, to make it easier to find useful online help pages.


System Dashboard
This section describes the System Dashboard and its pages, Status and Usage. At a glance, you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard™ license information, system resource usage, alert messages and network statistics.

If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available globally and system status settings are configured globally for the entire FortiGate unit. For more information, see “Using virtual domains” on page 79.

The Topology Viewer is not included in FortiOS 4.0 MR2, and is not available when VDOMs are enabled. If upgrading to FortiOS 4.0 MR2, all Topology Viewer configuration settings will be lost.

This section includes the following topics:
• Dashboard overview
• System Information
• License Information
• Unit Operation
• System Resources
• Alert Message Console
• Log and Archive Statistics
• CLI Console
• Top Sessions
• Top Viruses
• Top Attacks
• Traffic History
• Top Policy Usage
• DLP Archive Usage
• RAID monitor
• Top Application Usage
• Storage
• P2P Usage
• Per-IP Bandwidth Usage
• VoIP Usage
• IM Usage
• FortiGuard

Note: Your browser must support JavaScript to view the System Dashboard page.

Dashboard overview
The Dashboard menu allows you to add and customize dashboards. Dashboards are menus that allow you to view information, such as traffic activity, from multiple widgets. You can add, remove or rename a dashboard, and you can rename the existing default menus Status and Usage. You can reset the Dashboard menu to its default settings by selecting Reset Dashboards.

By adding and customizing dashboards, you can allow certain dashboards to contain specific information, such as log information, so that you can go directly to that dashboard to view that particular information. For example, the Archives dashboard (System > Dashboard > Archives) contains the DLP Archive Usage and Log and Archive Statistics widgets, allowing users to view only log archive information. This information is useful and can help you to update your firmware, reboot your FortiGate unit, or quickly view log and archive statistics.

Administrators must have read privileges if they want to view the information in Status and Usage. Administrators must have read and write privileges to customize and add widgets in either menu. For more information about administrators and their profiles, see “Admin profiles” on page 173.

This topic contains the following:
• Adding dashboards
• Adding widgets to a dashboard
• VDOM and global dashboards

Adding dashboards
Dashboards are first added from the default menus, Status and Usage. After adding a dashboard, you can add multiple widgets to that dashboard.

To add a dashboard to the dashboard menu
1 Go to System > Dashboard > Status.
2 Select the Dashboard icon.
3 A drop-down list appears with the following options:
Add Dashboard  Add a new dashboard to the Dashboard menu.
Rename Dashboard  Rename the current dashboard.
Delete Dashboard  Removes the current dashboard that you are viewing.
Reset Dashboards  Resets the entire Dashboard menu back to its default settings, regardless of whether it is the Status or Usage menu.
4 Select Add Dashboard.
5 Enter a name for the dashboard in the Name field in the Add Dashboard window.
6 Select OK. You are automatically redirected to the new dashboard, and you can start adding widgets to it.

Adding widgets to a dashboard
After adding a dashboard to the Dashboard menu, you can add multiple widgets to that dashboard. You can customize most widgets to display specific information, and with some widgets you can view more detailed information.

To add a widget to a dashboard, go to that dashboard, select the Widget icon (located at the top of the dashboard page), and then select a widget in the Click active module name to add module to the page window.

Note: The information that appears on the Status page applies to the whole HA cluster, not just the primary unit. This includes information such as URLs visited, emails sent and received, and viruses caught.

VDOM and global dashboards
VDOM administrators can view and configure the VDOM-specific dashboard for their VDOM. From a VDOM go to System > Dashboard > Status to view the VDOM dashboard. Global administrators with the super_admin admin profile can view only the global dashboard.

The System Information, CLI Console, Unit Operation, System Resources, Log and Archive Status, Top Sessions, and Traffic History dashboard widgets are available in the VDOM dashboard. The available widgets differ from their global equivalents as follows:

System Information  Cannot enable/disable Virtual Domains. No listing of current administrators.
CLI Console  User is logged into the current VDOM and cannot access global configurations.
Unit Operation  No information about network ports. Unit reboot and shutdown are not available. Cannot configure management service or FortiAnalyzer unit.
Top Sessions  Shows only sessions for this VDOM.
Traffic History  Can select only interfaces or VLANs belonging to this VDOM.

Figure 10: A minimized display

Explanation of a widget's title bar area
Widget Title  Shows the name of the display.
Open/Close arrow  Select to open or close the display.
History  Select to show an expanded set of data. Not available for all widgets.
Edit  Select to change settings for the display.
Refresh  Select to update the displayed information.
Close  Select to close the display. You will be prompted to confirm the action.

System Information
The System Information widget contains general system information, such as the FortiGate unit’s serial number, as well as the firmware version that is currently running. This widget also provides settings for backing up or restoring configuration settings, changing the operation mode, enabling or disabling virtual domains, and changing the currently logged in administrator’s password.

By default, the System Information widget is found on the Status page (System > Dashboard > Status). To add the System Information widget to a dashboard, select Widget, and then select System Information from the list.

Figure 11: The system information widget

Serial Number  The serial number of the FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Uptime  The time in days, hours, and minutes since the FortiGate unit was started.
System Time  The current date and time according to the FortiGate unit’s internal clock. Select Change to change the time or configure the FortiGate unit to get the time from an NTP server. For more information, see “Configuring system time” on page 43.
HA Status  The status of high availability for this unit. Standalone indicates the unit is not operating in HA mode. Active-Passive or Active-Active indicate the unit is operating in HA mode. Select Configure to configure the HA status for this unit. For more information, see “HA” on page 133.
Host Name  The host name of the current FortiGate unit. Select Change to change the host name. For more information, see “Changing the FortiGate unit host name” on page 44. If the FortiGate unit is in HA mode, this field is not displayed.
Cluster Name  The name of the HA cluster for this FortiGate unit. The FortiGate unit must be operating in HA mode to display this field. For more information, see “HA” on page 133.

Cluster Members  The FortiGate units in the HA cluster. Information displayed about each member includes host name, serial number, and whether the unit is a primary (master) or subordinate (slave) unit in the cluster. The FortiGate unit must be operating in HA mode with virtual domains disabled to display this field. For more information, see “HA” on page 133.
Virtual Cluster 1, Virtual Cluster 2  The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2. The FortiGate unit must be operating in HA mode with virtual domains enabled to display these fields. For more information, see “HA” on page 133.
Firmware Version  The version of the current firmware installed on the FortiGate unit. The format for the firmware version is. Select Update to change the firmware. For more information, see “Changing the FortiGate firmware” on page 45.
System Configuration  The time period of when the configuration file was backed up. Select Backup to back up the current configuration; you are automatically redirected to the Backup page. If you want to restore a configuration file, select Restore; you are automatically redirected to the Restore page.
FortiClient Version  The current version of FortiClient uploaded to your FortiGate unit, used for endpoint control. This field appears if you can upload a FortiClient image onto your FortiGate unit. For more information, see “Configuring FortiClient installer download and version enforcement” on page 407.
Operation Mode  The operating mode of the current FortiGate unit. A FortiGate unit can operate in NAT mode or Transparent mode. Select Change to switch between NAT and Transparent mode. For more information, see “Changing the operation mode” on page 163. If virtual domains are enabled, this field shows the operating mode of the current virtual domain; each virtual domain can be operating in either NAT mode or Transparent mode, and the Global System Status dashboard does not include this field.
Virtual Domain  Status of virtual domains on your FortiGate unit. Select Enable or Disable to change the status of the virtual domains feature. If you enable or disable virtual domains, your session will be terminated and you will need to log in again. For more information, see “Using virtual domains” on page 79.
Current Administrators  The number of administrators currently logged into the FortiGate unit. Select Details to view more information about each administrator that is currently logged in. The additional information includes user name, type of connection, IP address from which they are connecting, and when they logged in.
Current User  The name of the admin account that you have used to log into the FortiGate unit. If you are authenticated locally by password, not by PKI or remote authentication, you can select Change Password to change the password for this account. When you change the password you are logged out and must log back in with the new password. For more information, see “Changing an administrator account password” on page 168.

Configuring system time
The FortiGate unit’s system time can be changed in the System Information widget. You can also view what time it is in the System Time area of the System Information widget. There are also settings for synchronizing with an NTP server.

Time Settings page  Provides settings for changing the time on your FortiGate unit.
System Time  The current FortiGate system date and time.
Refresh  Update the display of the current FortiGate system date and time.

Time Zone  Select the current FortiGate system time zone.
Set Time  Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.
Synchronize with NTP Server  Select to use a Network Time Protocol (NTP) server to automatically set the system date and time. You must specify the server and synchronization interval. FortiGate units use NTP Version 4. The RFC for NTP Version 3 is RFC 1305; at the time of writing no RFC was available for NTP Version 4 (it was later published as RFC 5905). For more information about NTP see http://www.ntp.org.
Server  Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.
Sync Interval  Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.
Automatically adjust clock for daylight saving changes  Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.

To change the system time
1 Go to System > Dashboard > Status.
2 In the System Information widget, select Change on the System Time line.
3 Select the time zone and then either set the date and time manually or configure synchronization with an NTP server.
4 Select OK.

Changing the FortiGate unit host name
The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. It is also added to the SNMP System Name. The default host name is the FortiGate unit serial number. For example, the serial number FGT8002805030003 is a FortiGate-800 unit.

Administrators whose admin profiles permit system configuration write access can change the FortiGate unit host name. If the FortiGate unit is part of an HA cluster, you should use a unique host name to distinguish the unit from others in the cluster.

If the host name is longer than 16 characters, it will be displayed as being truncated and end with a “~”. The full host name will be displayed under System > Status > Dashboard, but the truncated host name will be displayed on the CLI and other places it is used. The host name is also used as the SNMP system name. For information about SNMP, see “SNMP” on page 138.

To change the FortiGate unit host name
1 Go to System > Dashboard > Status.
2 In the Host Name field of the System Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field and the CLI prompt.
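The Synchronize with NTP Server setting above turns the FortiGate unit into an NTP version 4 client, and checking a candidate server before pointing the unit at it is worth doing: plain NTP is unauthenticated, so a spoofed or wrong reply moves the clock, and with it certificate validity checks and log timestamps. The following Python module is an added example written for this guide, not Fortinet code. It builds the 48-byte version 4 client request, parses a server reply (including the stratum-0 kiss-of-death case), and computes the clock offset and round-trip delay from the four timestamps; the reply used by the test is constructed inline, and query() is provided for a live check against a server of your choice.

```python
"""NTP version 4 client pieces: request builder, reply parser and offset
calculation (RFC 5905 header layout and offset/delay formulas).
Added example for the FortiGate guide; not Fortinet code.  make_reply()
constructs a reply so the functions can be exercised offline."""
import socket
import struct
import time

NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
PACKET = "!BBbbIII4Q"          # LI/VN/Mode, stratum, poll, precision,
                               # root delay, root dispersion, reference id,
                               # reference / origin / receive / transmit stamps


def unix_to_ntp(t):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(t) + NTP_UNIX_OFFSET
    frac = int((t - int(t)) * 2**32)
    return (secs << 32) | frac


def ntp_to_unix(ts):
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_UNIX_OFFSET + (ts & 0xFFFFFFFF) / 2**32


def build_request(version=4, transmit=None):
    """Client request: LI=0, VN=version, Mode=3; only the transmit stamp is set."""
    first = (version << 3) | 3
    tx = unix_to_ntp(time.time() if transmit is None else transmit)
    return struct.pack(PACKET, first, 0, 0, 0, 0, 0, 0, 0, 0, 0, tx)


def parse_response(data):
    """Decode a server reply; raise on short packets, wrong mode or kiss-of-death."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (first, stratum, _poll, _prec, _rdelay, _rdisp, refid,
     _ref, orig, recv, tx) = struct.unpack(PACKET, data[:48])
    mode = first & 0x7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stratum == 0:   # kiss-of-death: the reference id carries an ASCII code
        code = refid.to_bytes(4, "big").decode("ascii", "replace")
        raise ValueError(f"kiss-of-death from server: {code}")
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "stratum": stratum,
        "origin_time": ntp_to_unix(orig),
        "receive_time": ntp_to_unix(recv),
        "transmit_time": ntp_to_unix(tx),
    }


def clock_offset(reply, t1, t4):
    """Offset and round-trip delay from client send (t1) and receive (t4)
    times plus the server receive (t2) and transmit (t3) stamps."""
    t2, t3 = reply["receive_time"], reply["transmit_time"]
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def make_reply(t1, t2, t3, stratum=2, version=4):
    """Constructed server reply (mode 4) echoing the client stamp t1."""
    refid = int.from_bytes(b"GPS\x00", "big")
    return struct.pack(PACKET, (version << 3) | 4, stratum, 6, -20, 0, 0, refid,
                       unix_to_ntp(t2), unix_to_ntp(t1), unix_to_ntp(t2),
                       unix_to_ntp(t3))


def query(server, port=123, timeout=3.0):
    """Live UDP exchange with one server; returns (reply, offset, delay)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(transmit=t1), (server, port))
        data, _ = sock.recvfrom(1024)
        t4 = time.time()
    reply = parse_response(data)
    return (reply,) + clock_offset(reply, t1, t4)


if __name__ == "__main__":
    import sys
    reply, offset, delay = query(sys.argv[1] if len(sys.argv) > 1 else "pool.ntp.org")
    print(f"stratum {reply['stratum']}, offset {offset:+.4f}s, delay {delay:.4f}s")
```

A large offset against a server you trust means the unit's clock needs correcting before you rely on certificate-based features; a stratum-0 reply means the server is refusing you and should not be configured.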

Changing the FortiGate firmware
Caution: By installing an older firmware image, some system settings may be lost. You should always back up your configuration before changing the firmware image.

FortiGate administrators whose admin profiles permit maintenance read and write access can change the FortiGate firmware. Firmware changes either upgrade to a newer version or revert to an earlier version. Firmware images can be transferred from a number of sources including a local hard disk, a local USB disk, or the FortiGuard Network. Follow the appropriate procedure to change your firmware. For more information about managing firmware, see “Firmware management practices” on page 67. For more information about using the USB disk, see “System Maintenance” on page 195.

When you select Upgrade (or Downgrade, if downgrading the firmware), you are automatically redirected to the Firmware Upgrade/Downgrade page.

Firmware Upgrade/Downgrade page  Provides settings for upgrading or downgrading the current firmware image on your FortiGate unit.
Upgrade From  Select the firmware source from the drop-down list of available sources. Possible sources include Local Hard Disk, USB, and FortiGuard Network. This field does not appear on all models.
Upgrade File  Browse to the location of the firmware image on your local hard disk. This field is available for local hard disk and USB only.
Allow Firmware Downgrade  Select to confirm the installation of an older firmware image (downgrade). This field is only displayed when attempting to downgrade firmware.
More Info  Go to the FortiGuard Center to learn more about firmware updates through the FortiGuard network.

Note: To access firmware updates for your FortiGate model, you will need to register your FortiGate unit with Customer Support. For more information go to http://support.fortinet.com or contact Customer Support.

License Information
License Information displays the status of your technical support contract and FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically when attempting to connect to the FortiGuard Distribution Network (FDN). FortiGuard Subscriptions status indicators are green if the FDN was reachable and the license was valid during the last connection attempt, grey if the FortiGate unit cannot connect to the FDN, and orange if the FDN is reachable but the license has expired.

When a new FortiGate unit is powered on, it automatically searches for FortiGuard services. If the unit is configured for central management, it will look for FortiGuard services on the configured FortiManager system. The FortiGate unit sends its serial number to the FortiGuard service provider, which then determines whether the FortiGate unit is registered and has valid contracts for FortiGuard subscriptions and FortiCare support services. If the FortiGate unit is registered and has a valid contract, the License Information is updated. If the FortiGate unit is not registered, any administrator with the super_admin profile sees a reminder message that provides access to a registration form.

When a contract is due to expire within 30 days, any administrator with the super_admin profile sees a notification message that provides access to an Add Contract form. Simply enter the new contract number and select Add. Fortinet Support also sends contract expiry reminders. Optionally, you can disable notification for registration or contract expiry from the CLI.

To disable registration notification
    config system global
        set registration-notification disable
    end

To disable contract expiry notification
    config system global
        set service-expire-notification disable
    end

Selecting any of the Configure options will take you to the Maintenance page. For more information, see “System Maintenance” on page 195.

Figure 12: License Information (example)

License Information widget
Support Contract  Displays details about your current Fortinet Support contract including expiry dates and registration status.
• If Not Registered appears, select Register to register the unit.
• If Registered appears, the name of the support account that registered this FortiGate unit is also displayed. You can select Login Now to log into the Fortinet Support account that registered this FortiGate unit.
• If Expired appears, select Renew for information on renewing your technical support contract, or contact your local reseller.
FortiGuard Services
AntiVirus  The FortiGuard Antivirus version, license issue date and service status. If your license has expired, you can select Renew to renew the license.

AV Definitions  The currently installed version of the FortiGuard Antivirus definitions. To update the definitions manually, select Update. For more information, see “Virus Database” on page 304.
Extended set  The currently installed version of the extended FortiGuard Antivirus definitions. The extended antivirus database is not available on all models. To update the definitions manually, select Update. For more information about the extended antivirus database, see “Virus Database” on page 304.
Intrusion Protection  The FortiGuard Intrusion Prevention System (IPS) license version, license expiry date and service status. If your license has expired, you can select Renew to renew the license.
IPS Definitions  The currently installed version of the IPS attack definitions. To update the definitions manually, select Update.
Web Filtering  The FortiGuard Web Filtering license status, license expiry date, and reachability status. If your license has expired, you can select Renew to renew the license. For more information, see “P2P Usage” on page 65.
Email Filtering  The FortiGuard Email Filtering or Antispam license status, license expiry date and service status. If your license has expired, you can select Renew to renew the license. For more information, see “P2P Usage” on page 65.
Email Filtering Rule Set  The currently installed version of the FortiGuard Email Filtering rule set. To update the rule set manually, select Update.
Analysis & Management Service  The FortiGuard Analysis Service and Management Service license, expiry date and service status. For more information, see “FortiGuard Analysis & Management Service” on page 201.
Services Account  Select Change to enter a different Service Account ID. This ID is used to validate your license for subscription services such as FortiGuard ID Management Service and FortiGuard Analysis Service. For more information, see “FortiGuard Analysis & Management Service” on page 201.
Endpoint Security
FortiClient Software  View information about the latest version of the FortiClient application available from FortiGuard for EndPoint NAC. For more information, see “Configuring FortiClient installer download and version enforcement” on page 407.
Windows Installer  Select Download to download the FortiClient application installer to your PC.
Application Signature package  The version number of the current endpoint NAC application detection predefined signature package. For more information, see “Configuring application sensors” on page 405.
Virtual Domain
VDOMs Allowed  The maximum number of virtual domains the unit supports with the current license. For high-end FortiGate models, you can select the Purchase More link to purchase a license key through Fortinet technical support to increase the maximum number of VDOMs. For more information, see “Adding VDOM Licenses” on page 213.

Manually updating FortiGuard definitions
You can update your FortiGuard antivirus database, Intrusion Protection definitions, and antispam rule set at any time from the License Information section of the System Status page. For information about configuring automatic FortiGuard updates, see “Configuring the FortiGate unit for FDN and FortiGuard subscription services” on page 201.

To update FortiGuard antivirus definitions, IPS definitions, or antispam rule set manually
1 Download the latest update file from the Fortinet support site and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Dashboard > Status.
3 In the License Information section, in the AV Definitions, IPS Definitions, or AS Rule Set field of the FortiGuard Subscriptions, select Update.
4 Select Browse and locate the update file, or type the path and filename.
5 Select OK to copy the update file to the FortiGate unit. The FortiGate unit updates the AV definitions, IPS definitions, or antispam rule set. This takes about 1 minute.
6 Go to System > Dashboard > Status to confirm that the version information for the selected definition or rule set has updated.

Unit Operation

In the Unit Operation widget, an illustration of the FortiGate unit’s front panel shows the status of the unit’s Ethernet network interfaces. If a network interface is green, that interface is connected. Pause the mouse pointer over the interface to view the name, IP address, netmask and current status of the interface.

You can only have one management and one logging/analyzing method displayed for your FortiGate unit. The graphic for each will change based on which method you choose. If none are selected, no graphic is shown.

Caution: Abruptly powering off your FortiGate unit may corrupt its configuration. Using the reboot and shutdown options here or in the CLI ensures proper shutdown procedures are followed to prevent any loss of configuration.

If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the reason for the system event. Your reason will be added to the Disk Event Log if disk logging, event logging, and admin events are enabled. For more information on Event Logging, see “Accessing and viewing log messages” on page 429.

Figure 13: Unit Operation examples

Unit Operation widget

INT / EXT / DMZ / HA / WAN1 / WAN2 / 1 / 2 / 3 / 4 – The network interfaces on the FortiGate unit. The names and number of these interfaces vary by model. Green indicates the interface is connected. Grey indicates there is no connection. The icon below the interface name indicates its up/down status by color. A tooltip displays the full name of the interface, its alias if one is configured, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets. For more information about the configuration and status of an interface, pause the mouse over the icon for that interface.

AMC-SW1/1, AMC-DW1/1, ... – If your FortiGate unit supports Advanced Mezzanine Card (AMC) modules and if you have installed an AMC module containing network interfaces (for example, the ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named for the module and the interface. For example AMC-SW1/3 is the third network interface on the SW1 module, and AMC-DW2/1 is the first network interface on the DW2 module. AMC modules support hard disks as well, such as the ASM-S08 module. When a hard disk is installed, ASM-S08 is visible as well as a horizontal bar and percentage indicating how full the hard disk is. You can also add the ASM-CX4 and ASM-FX2 modules to bridge FortiGate interfaces when the FortiGate unit is operating in transparent mode. For more information about AMC modules, see “AMC module configuration” on page 215.

FortiAnalyzer – Select the FortiAnalyzer graphic to configure remote logging to the FortiAnalyzer unit on your FortiGate unit. For more information, see “Remote logging to a FortiAnalyzer unit” on page 423. The icon on the link between the FortiGate unit graphic and the FortiAnalyzer graphic indicates the status of their OFTP connection. A check mark on a green icon indicates there is OFTP communication. An ‘X’ on a red icon indicates there is no connection.

FortiGuard Analysis Service – Select the FortiGuard Analysis Service graphic to configure remote logging to the FortiGuard Analysis Service. For more information, see the FortiGuard Analysis and Management Service Administration Guide. The icon on the link between the FortiGate unit graphic and the FortiGuard Analysis Service graphic indicates the status of their OFTP connection. A check mark on a green icon indicates there is OFTP communication. An ‘X’ on a red icon indicates there is no connection.

FortiManager – Select the FortiManager graphic to configure central management on your FortiGate unit. For more information, see “Central Management” on page 176. The icon on the link between the FortiGate unit graphic and the FortiManager graphic indicates the status of the connection. A check mark on a green icon indicates there is communication between the two units. An ‘X’ on a red icon indicates there is no connection.

FortiGuard Management Service – Select the FortiGuard Management Service graphic to configure central management on your FortiGate unit. For more information, see “Central Management” on page 176. The icon on the link between the FortiGate unit graphic and the FortiGuard Management Service graphic indicates the status of the connection. A check mark on a green icon indicates there is communication. An ‘X’ on a red icon indicates there is no connection.

Reboot – Select to shutdown and restart the FortiGate unit. You will be prompted to enter a reason for the reboot that will be entered into the logs.

Shutdown – Select to shutdown the FortiGate unit. You will be prompted for confirmation, and also prompted to enter a reason for the shutdown that will be entered into the logs.

System Resources

The System Resources widget displays basic FortiGate unit resource usage, such as CPU and memory (RAM) usage. Any System Resources that are not displayed on the status page can be viewed as a graph by selecting the History icon. You can use the System Resources edit menu to select not to display this information.

Figure 14: System Resources

System Resources widget

CPU Usage – The current CPU status displayed as a dial gauge and as a percentage. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded. The displayed CPU usage is equivalent to using the CLI command get system performance status and adding user, system, and nice percentages. Both the web-based CPU Usage and the CLI command access the same CPU information. To see the most recent CPU and memory usage, select the Refresh icon.

Memory Usage – The current memory (RAM) status displayed as a dial gauge and as a percentage. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.

FortiAnalyzer Usage – The current status of the FortiAnalyzer disk space used by this FortiGate unit’s quota, displayed as a pie chart and a percentage. This is available only if you have configured logging to a FortiAnalyzer unit.

Disk Usage – The current status of the FortiGate unit disk space used, displayed as a pie chart and a percentage. This is available only if you have a hard disk on your FortiGate unit.

History – A graphical representation of the last minute of CPU, memory, sessions, and network usage. The refresh rate is 3 second intervals for the graphs. If no units are displayed on the vertical axis of a graph, it is in percentage. For more information, see “Viewing operational history” on page 50.

Viewing operational history

The System Resource History page displays six graphs representing different system resources and protection activity over time. This page also shows the virus and intrusion detections over the last 20 hours. To view the operational history, go to System > Dashboard > Status, then select History in the upper right corner of the System Resources widget.
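The CPU Usage description above says the widget's value equals the user, system and nice percentages from get system performance status. The following is an added example (not from the guide or from Fortinet) that parses a constructed copy of that command's output, derives the same dashboard CPU and memory percentages, and raises simple threshold alerts; the exact line layout of the CLI output is an assumption.

```python
import re

# Constructed sample of `get system performance status` output. The line layout
# is an assumption about FortiOS 4.0 CLI output, not text copied from the guide.
SAMPLE_OUTPUT = """\
CPU states: 7% user 12% system 1% nice 80% idle
Memory states: 43% used
Average network usage: 1520 kbps in 1 minute, 980 kbps in 10 minutes, 610 kbps in 30 minutes
Average sessions: 412 sessions in 1 minute, 390 sessions in 10 minutes, 371 sessions in 30 minutes
Virus caught: 2 total in 1 minute
IPS attacks blocked: 5 total in 1 minute
Uptime: 12 days, 3 hours, 41 minutes
"""

CPU_STATE_RE = re.compile(r"(\d+)%\s+(user|system|nice|idle)\b")
WINDOW_RE = re.compile(r"(\d+)\s+\S+\s+in\s+(\d+)\s+minutes?")
MEMORY_RE = re.compile(r"Memory states:\s+(\d+)%\s+used")


def _line(text, prefix):
    """Return the first output line starting with prefix, or raise if it is absent."""
    for line in text.splitlines():
        if line.startswith(prefix):
            return line
    raise ValueError(f"no '{prefix}' line in CLI output")


def parse_cpu_states(text):
    """Map each CPU state (user/system/nice/idle) to its percentage."""
    states = {name: int(pct)
              for pct, name in CPU_STATE_RE.findall(_line(text, "CPU states:"))}
    missing = {"user", "system", "nice", "idle"} - states.keys()
    if missing:
        raise ValueError(f"CPU states line is missing {sorted(missing)}")
    return states


def dashboard_cpu_usage(text):
    """CPU Usage as the System Resources widget shows it: user + system + nice."""
    s = parse_cpu_states(text)
    return s["user"] + s["system"] + s["nice"]


def dashboard_memory_usage(text):
    """Memory Usage percentage taken from the 'Memory states:' line."""
    return int(MEMORY_RE.search(_line(text, "Memory states:")).group(1))


def parse_windows(text, prefix):
    """Parse an 'Average ...' line into {window_minutes: value} for the 1, 10 and 30 minute windows."""
    return {int(mins): int(val) for val, mins in WINDOW_RE.findall(_line(text, prefix))}


def resource_alerts(text, cpu_max=80, mem_max=80):
    """Return alert strings for resources above threshold, for a poller that reads
    the CLI output instead of watching the dial gauges."""
    alerts = []
    cpu = dashboard_cpu_usage(text)
    if cpu > cpu_max:
        alerts.append(f"cpu {cpu}% exceeds {cpu_max}%")
    mem = dashboard_memory_usage(text)
    if mem > mem_max:
        alerts.append(f"memory {mem}% exceeds {mem_max}%")
    # A 1-minute session average far above the 30-minute baseline is the same
    # spike the Session History graph would show.
    sess = parse_windows(text, "Average sessions:")
    if sess[1] > 2 * sess[30]:
        alerts.append(f"sessions {sess[1]} vs 30-minute average {sess[30]}")
    return alerts


if __name__ == "__main__":
    print("dashboard CPU usage:", dashboard_cpu_usage(SAMPLE_OUTPUT), "%")
    print("alerts:", resource_alerts(SAMPLE_OUTPUT))
```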

Figure 15: Sample system resources history

Operational History window

This window allows you to see the detailed information about the operational history of your FortiGate unit.

Time Interval – Select the time interval to display along the bottom axis of the graphs.

CPU Usage History – Percentage CPU usage for the preceding interval.

Memory Usage History – Percentage memory usage for the preceding interval.

Session History – Number of sessions over the preceding interval.

Network Utilization History – Network utilization for the preceding interval.

Virus History – Number of viruses detected over the preceding interval.

Intrusion History – Number of intrusion attempts detected over the preceding interval.

Alert Message Console

Alert messages help you track system events on your FortiGate unit such as firmware changes, network security events, or virus detection events. Each message shows the date and time that the event occurred.

Figure 16: Alert Message Console

The following types of messages can appear in the Alert Message Console:

System restart – The system restarted. The restart could be due to operator action or power off/on cycling.

System shutdown – An administrator shut down the FortiGate unit from the web-based manager or CLI.

Firmware upgraded by <admin_name> – The named administrator upgraded the firmware to a more recent version on either the active or non-active partition.

Firmware downgraded by <admin_name> – The named administrator downgraded the firmware to an older version on either the active or non-active partition.

FortiGate has reached connection limit for <n> seconds – The antivirus engine was low on memory for the duration of time shown and entered conserve mode. Depending on model and configuration, content can be blocked or can pass unscanned under these conditions.

Found a new FortiAnalyzer / Lost the connection to FortiAnalyzer – Shows that the FortiGate unit has either found or lost the connection to a FortiAnalyzer unit. For more information, see “Remote logging to a FortiAnalyzer unit” on page 423.

New firmware is available from FortiGuard – An updated firmware image is available to be downloaded to this FortiGate unit.

You can configure the alert message console settings to control what types of messages are displayed on the console.

To configure the Alert Message Console
1 Go to System > Dashboard > Status.
2 Select the Edit icon in the Alert Message Console title bar.
3 Select the types of alerts that the Alert Message Console should display. By default, all alert types are enabled.
4 Select OK.

Log and Archive Statistics

The Log and Archive Statistics widget allows you to see at a glance what is happening on your FortiGate unit with regards to DLP archiving, network traffic, and security problems including attack attempts, viruses caught, and spam emails caught. You can quickly see the amount and type of traffic as well as any attack attempts on your system. To investigate an area that draws your attention, select Details for a detailed list of the most recent activity in that area.

The information displayed in the Log and Archive Statistics widget is derived from log messages. You can use the information gathered by log messages to see trends in network activity or attacks over time. Various configuration settings are required to actually collect data for the Log and Archive Statistics widget, as described below.

Figure 17: Log and Archive Statistics

Log and Archive Statistics widget

Since – The date and time when the counts were last reset. Counts are reset when the FortiGate unit reboots, or when you select Reset in the title bar area.

DLP Archive – A summary of the HTTP, HTTPS, FTP, IM, email, and VoIP (also called session control) traffic that has passed through the FortiGate unit and has been archived by DLP. This widget also indicates the average DLP archive bytes per day since the last time it was reset. You configure the FortiGate unit to collect DLP archive data for the widget by configuring a DLP sensor to archive its log data. You must also add the profile to a firewall policy. When the firewall policy receives sessions for the selected protocols, meta-data is added to the statistics widget. For more information, see “DLP archiving” on page 347.

The Email statistics are based on email protocols. POP3 and IMAP traffic is registered as email received, and SMTP is email sent. If your FortiGate unit supports SSL content scanning and inspection, incoming email also includes POP3S and IMAPS and outgoing email also includes SMTPS. If incoming or outgoing email does not use these protocols, these statistics will not be accurate. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook.

The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols and configured by selecting Archive in DLP Sensors for IM DLP rules.

The VoIP statistics are based on the SIP, SIMPLE and SCCP session control protocols and configured by selecting Archive in DLP Sensors for Session Control DLP rules.

The Details pages list the last items of the selected type—up to 64 items—and provide links to the FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit is not configured, the Details pages provide a link to Log & Report > Log Config > Log Settings.

Log – A summary of traffic, viruses, attacks, spam email messages, and blocked URLs that the FortiGate unit has logged. Also displays the number of sessions matched by DLP and event log messages. DLP data loss detected actually displays the number of sessions that have matched DLP sensor profiles. DLP collects meta-data about all sessions matched by DLP sensors and records this meta-data in the DLP log. Every time a DLP log message is recorded, the DLP data loss detected number increases. If you are using DLP for summary or full archiving, the DLP data loss detected number can get very large. This number may not indicate that data has been lost or leaked.

Viewing DLP archive information on the Statistics widget

From the Statistics widget of the System Status page, you can view statistics about HTTP, HTTPS, FTP and IM traffic through the FortiGate unit. You can also view information about sessions matched by DLP rules. You can select Reset on the header of the Statistics section to clear the DLP archive and attack log information and reset the counts to zero.

To view DLP archive information, go to the Statistics widget in System > Dashboard > Status, and select Details in the row. You can select the Details link beside each traffic type to view more information. The Details pages list the 20 most recent items, providing the time, source, destination and other information. The following table explains what is seen when you select Details for each protocol.

Table 4: Viewing DLP archive information

HTTP – Date and Time – The time when the URL was accessed. From – The IP address from which the URL was accessed. URL – The URL that was accessed.

Email – Date and Time – The time that the email passed through the FortiGate unit. From – The sender’s email address. To – The recipient’s email address. Subject – The subject line of the email.

FTP – Date / Time – The time of access. User – The User ID that logged into the FTP server. Destination – The IP address of the FTP server that was accessed. Uploads – The names of files that were uploaded. Downloads – The names of files that were downloaded.

IM – Date and Time – The time of access. Kind – The kind of IM traffic this transaction is. Protocol – The protocol used in this IM session. Local – The local address for this transaction. Remote – The remote address for this transaction. Direction – If the file was sent or received.

Viewing the Attack Log

From the Statistics section of the Status page, you can view statistics about the network attacks that the FortiGate unit has stopped. You can view statistics about viruses caught, attacks detected, spam email detected, and URLs blocked. You can select Reset on the header of the Statistics section to clear the DLP archive and attack log information, and reset the counts to zero.

To view Attack Log information, go to the Statistics widget in System > Dashboard > Status, and select Details in the row. You can select the Details link beside each attack type to view more information. The following table explains what is seen when you select Details for each protocol.

Table 5: Viewing Attack Log information

AV – Date and Time – The time when the virus was detected. From – The sender’s email address or IP address. To – The intended recipient’s email address or IP address. Service – The service type, such as POP or HTTP. Virus – The name of the virus that was detected.

IPS – Date and Time – The time that the attack was detected. From – The source of the attack. To – The target host of the attack. Service – The service type, such as HTTP. Attack – The type of attack that was detected and prevented.

Email – Date and Time – The time that the spam was detected. From – The sender’s email address or IP address. To – The intended recipient’s email address or IP address. Service – The service type, such as SMTP, POP or IMAP. SPAM Type – The type of spam that was detected.

URLs – Date and Time – The time that the attempt to access the URL was detected. From – The host that attempted to view the URL. URL Blocked – The URL that was blocked.

DLP – Source – The source address of the session. From -> To Email Accounts – The sender and intended recipient email addresses. From -> To IP – The sender and intended recipient IP addresses. Service – The service type, such as POP or IMAP.

CLI Console

The Status page can include a CLI console. To use the console, select it to automatically log in to the admin account you are currently using in the web-based manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console.

Figure 18: CLI Console

The two controls located on the CLI Console widget title bar are Customize and Detach. Customize allows you to change the appearance of the console by defining fonts and colors for the text and background. Detach moves the CLI Console widget into a pop-up window that you can resize and reposition. The two controls on the detached CLI Console are Customize and Attach. Attach moves the CLI console widget back onto the System Status page.

Figure 19: The Console Preferences window where you customize the CLI Console widget

Console Preferences window

This window provides settings for modifying the CLI console widget’s appearance and font, and for including an external command box.

Preview Text – A preview of your changes to the CLI Console’s appearance. Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the text in the CLI Console.

Background – Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the background in the CLI Console.

Font – Select a font from the list to change the display font of the CLI Console.

Size – Select the size of the font. The default size is 10 points.

Use external command input box – Select to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.

Console buffer length – Enter the number of lines the console buffer keeps in memory. Valid numbers range from 20 to 9999.

Top Sessions

Top Sessions displays either a bar graph or a table showing the IP addresses that have the most sessions currently open on the FortiGate unit. The sessions are sorted by their source or destination IP address, or the port address. The sort criteria being used is displayed in the top right corner.

The Top Sessions widget polls the FortiGate unit for session information, and this slightly impacts the FortiGate unit performance. For this reason, when this display is not shown on the dashboard it is not collecting data and is not impacting system performance. When the display is shown, information is only stored in memory.

Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.

To view detailed information about the sessions represented by a bar in the chart, click on the bar. Select Details to view the current sessions list, a list of all sessions currently processed by the FortiGate unit. For more information, see “Viewing the current sessions list” on page 57.

To change the information displayed on the Top Sessions widget, edit the widget.

Custom Top Sessions Display – Provides settings for modifying the default settings of the Top Sessions widget.

Report By – Select the method used to sort the Top Sessions on the System Status display. Choose one of:
• Source Address
• Destination Address
• Port Address

Display User Name – Select to include the username associated with this source IP address, if available. In the table display format this will be a separate column. Display UserName is available only when the sort criteria is Source Address.

Resolve Host Name – Select to resolve the IP address to the host name. Resolve Host Name is not available when the sort criteria is Destination Port.

Resolve Service – Select to resolve port addresses into their commonly associated service names. For example, port 443 would resolve to HTTPS. Any port address without a service will continue to be displayed as the port address. Resolve Service is only available when the sort criteria is Destination Port.

Display Format – Select how the Top Session information is displayed. Choose one of:
• Chart
• Table

Top Sessions to Show – Select the number of sessions to display. Choose to display 5, 10, 15, or 20 sessions.

Refresh Interval – Select how often the display is updated. The refresh interval range is from 10 to 240 seconds. Selecting 0 will disable the automatic refresh of the display. You will still be able to select the manual refresh option on the Top Sessions title bar. Shorter refresh intervals may impact the performance of your FortiGate unit. If this occurs, try increasing the refresh interval or disabling the automatic refresh.

Viewing the current sessions list

The current sessions list displays all sessions currently processed by the FortiGate unit. For each session the current session list displays:
• the session protocol such as tcp or udp
• source address and port
• destination address and port
• the ID of the policy, if any, that applies to the session
• how long until the session expires
• which virtual domain the session belongs to
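The Top Sessions settings above (Report By, Resolve Service, Top Sessions to Show) and the current sessions list fields are easy to reason about as a small aggregation over session records. The following added example, which is not code from the guide or from Fortinet, reproduces that ranking over a constructed session table, including the rule that Resolve Service applies only when sorting by port; the port-to-service table and the record layout are assumptions.

```python
from collections import Counter

# Constructed current-session records with the columns the guide lists; the IP
# addresses are documentation ranges, not real hosts.
SESSIONS = [
    {"proto": "tcp", "src": "10.1.1.5",  "sport": 51000, "dst": "203.0.113.10", "dport": 443,  "policy": 1,    "expiry": 3590, "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.5",  "sport": 51001, "dst": "203.0.113.11", "dport": 443,  "policy": 1,    "expiry": 3580, "vdom": "root"},
    {"proto": "udp", "src": "10.1.1.5",  "sport": 53120, "dst": "198.51.100.2", "dport": 53,   "policy": 2,    "expiry": 170,  "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.7",  "sport": 40000, "dst": "203.0.113.10", "dport": 80,   "policy": 1,    "expiry": 3500, "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.7",  "sport": 40001, "dst": "203.0.113.10", "dport": 443,  "policy": 1,    "expiry": 3300, "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.7",  "sport": 40002, "dst": "203.0.113.12", "dport": 8443, "policy": 1,    "expiry": 3200, "vdom": "root"},
    {"proto": "tcp", "src": "10.1.1.9",  "sport": 22222, "dst": "192.0.2.20",   "dport": 22,   "policy": 3,    "expiry": 3599, "vdom": "lab"},
    {"proto": "tcp", "src": "10.1.1.9",  "sport": 22223, "dst": "203.0.113.10", "dport": 443,  "policy": 3,    "expiry": 3100, "vdom": "lab"},
    # Admin HTTPS session to the unit itself: only one interface is involved, so no policy ID.
    {"proto": "tcp", "src": "10.1.1.20", "sport": 5555,  "dst": "10.1.1.1",     "dport": 443,  "policy": None, "expiry": 290,  "vdom": "root"},
]

# Assumed port-to-service table standing in for the widget's Resolve Service lookup.
SERVICE_NAMES = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

# The three Report By choices, mapped to the session column they rank.
REPORT_KEYS = {
    "Source Address": lambda s: s["src"],
    "Destination Address": lambda s: s["dst"],
    "Port Address": lambda s: s["dport"],
}
ALLOWED_TOP_N = (5, 10, 15, 20)   # the Top Sessions to Show choices


def filter_sessions(sessions, vdom="All", **columns):
    """Apply the current sessions list filters: the Virtual Domain selector plus
    per-column equality filters such as proto='tcp' or dport=443."""
    result = []
    for s in sessions:
        if vdom != "All" and s["vdom"] != vdom:
            continue
        if all(s[col] == val for col, val in columns.items()):
            result.append(s)
    return result


def top_sessions(sessions, report_by="Source Address", top_n=5,
                 resolve_service=False, vdom="All"):
    """Rank the values of the Report By column by number of open sessions and
    return [(value, count), ...] with at most top_n entries."""
    if top_n not in ALLOWED_TOP_N:
        raise ValueError(f"Top Sessions to Show must be one of {ALLOWED_TOP_N}")
    if resolve_service and report_by != "Port Address":
        raise ValueError("Resolve Service is only available when sorting by Port Address")
    key = REPORT_KEYS[report_by]
    counts = Counter(key(s) for s in filter_sessions(sessions, vdom=vdom))
    # Highest count first; ties broken by the value text so the output is stable.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))[:top_n]
    if resolve_service:
        # Ports without a known service stay as the port number, as the widget does.
        ranked = [(SERVICE_NAMES.get(port, port), n) for port, n in ranked]
    return ranked


if __name__ == "__main__":
    for value, n in top_sessions(SESSIONS, report_by="Port Address", resolve_service=True):
        print(f"{value!s:>8}  {n}")
```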

When viewing the current session list, select Detach in the title bar area to properly view the entire list and to filter information. Your admin profile must include read and write access to System Configuration.

To view the current sessions list
1 Go to System > Dashboard > Status.
2 In the Top Sessions widget, select Details at the bottom of the widget. The current sessions list appears. Optionally select Detach to detach and expand the browser window to see the entire list.
3 Select Return to return to the Top Sessions bar chart display.

Current session list

The following appears when you select Details within the Top Sessions widget. You can detach this widget to expand and view the information better.

Virtual Domain – Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains. This is only available if virtual domains are enabled. For more information see “Using virtual domains” on page 79.

Refresh – Update the session list.

Page Controls – Enter the page number of the session to start the displayed session list. For example, if there are 5 pages of sessions and you enter 3, page 3 of the sessions will be displayed. The number following the ‘/’ is the number of pages of sessions.

Total – The total number of sessions.

Clear All Filters – Select to reset any display filters that may have been set.

Return – Return to the Top Sessions display.

Filter Icon – The icon at the top of all columns except # and Expiry. When selected it brings up the Edit Filter dialog allowing you to set the display filters by column. See “Adding filters to web-based manager lists” on page 26.

Protocol – The service protocol of the connection, for example, tcp, udp, or icmp.

Source Address – The source IP address of the connection.

Source Port – The source port of the connection.

Destination Address – The destination IP address of the connection.

Destination Port – The destination port of the connection.

Policy ID – The number of the firewall policy allowing this session, or blank if the session involves only one FortiGate interface (admin session, for example).

Expiry (sec) – The time, in seconds, before the connection expires.

Duration – The age of each session in seconds. The age is the amount of time the session has been active.

Delete – Stop an active communication session.

Top Viruses

Top Viruses displays a bar graph representing the virus threats that have been detected most frequently by the FortiGate unit. The Top Viruses display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Viruses from the drop down menu.

If you select the history icon, a window opens that displays up to the 20 most recent viruses that have been detected, with information including the virus name, when it was last detected, and how many times it was detected. The system stores up to 1024 entries, but only displays up to 20 in the web-based manager.

You can configure several settings for this widget when you select the Edit icon in this widget’s title bar area. You must select OK to save the settings.

Custom Top Viruses Display – Provides settings for modifying the default settings of the Top Viruses widget.

Custom Widget Name – Enter a new name for the widget. This is optional.

Top Viruses To Show – Select whether to display top 5, 10, 15, or 20 viruses.

Refresh Interval – Select display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.

Top Attacks

Top Attacks displays a bar graph representing the most numerous attacks detected by the FortiGate unit. The Top Attacks display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Attacks from the drop down menu.

Selecting the history icon opens a window that displays up to the 20 most recent attacks that have been detected, with information including the attack name, when it was last detected, and how many times it was detected. The FortiGate unit stores up to 1024 entries, but only displays up to 20 in the web-based manager.

You can configure several settings for this widget when you select the Edit icon in this widget’s title bar area. You must select OK to save the settings.

Custom Top Attacks Display – Provides settings for modifying the default settings of the Top Attacks widget.

Custom Widget Name – Enter a new name for the widget. This is optional.

Top Attacks To Show – Select whether to display top 5, 10, 15, or 20 attacks.

Refresh Interval – Select display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.

Traffic History

The traffic history widget shows the traffic on one selected interface over the last hour, day, and month. This feature can help you locate peaks in traffic that you need to address, as well as their frequency, duration, and other information. Only one interface at a time can be monitored. You can change the interface being monitored by selecting Edit, choosing the interface from the drop down menu, and selecting Apply. All traffic history data is cleared when you select Apply. If you want to expand your view of the information within the widget, select Enlarge in the title bar area.

Traffic History widget

Interface: <interface_name> – The interface that is being monitored.

bit/s – The units of the traffic graph. The scale varies based on traffic levels to allow it to show traffic levels no matter how little or how much traffic there is.

Last 60 Minutes / Last 24 Hours / Last 30 Days – Three graphs showing the traffic monitored on this interface of the FortiGate unit over different periods of time. Certain trends may be easier to spot in one graph over the others.

Traffic In – The traffic entering the FortiGate unit on this interface is indicated with a thin red line.

Traffic Out – The traffic leaving the FortiGate unit on this interface is indicated with a dark green line, filled in with light green.

You can modify several default settings for this widget when you select the Edit icon in this widget’s title bar area. You must select OK to save the settings.

Custom Traffic History Display – Provides settings for modifying the default settings of the Traffic History widget.

Custom Widget Name – Enter a new name for the widget. This is optional.

Select Network Interface – Select an interface (FortiGate unit’s interfaces) from the dropdown list. The interface you choose displays the traffic occurring on it.

Enable Refresh – Select to enable the information to refresh.

Top Policy Usage

Top Policy Usage shows the volume of traffic passing through the FortiGate unit classified by firewall policy, as either a chart or a table. Top Policy Usage data is collected by all firewall policies. Only firewall policies that have accepted sessions appear on the chart or table. You can configure Top Policy Usage to show data for up to 20 firewall policies.

From the chart or table display you can:
• View details about firewall policies by pausing the mouse pointer over each bar in the chart.
• Select a firewall policy on the graph to view and optionally change the firewall policy.

Custom Top Policy Usage Display – Provides settings for modifying the default settings of the Top Policy Usage widget.

Custom Widget Name – Enter a new name for the widget. This is optional.

Sort Criteria – Select whether to sort the policies by number of Bytes or number of Packets.

VDOM – Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM.

Display Format – Select Chart or Table display.

Top Entries To Show – Select whether to display top 5, 10, 15, or 20 applications.

Refresh Interval – Select display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.

To configure the Top Policy Usage module
1 Go to System > Dashboard > Usage.
2 Select the Edit icon in the Top Policy Usage module title bar.
3 Modify the settings that you want changed.
4 Select OK.

DLP Archive Usage

DLP Archive Usage shows the volume of data that the FortiGate unit has sent to content archiving (DLP Archive). DLP Archive Usage data is collected by adding a DLP sensor profile to a firewall policy. Only information about sessions matched by DLP sensors is added to the chart or table. Sessions accepted by firewall policies (with no DLP sensor applied to that firewall policy) do not contribute to the data displayed.

You can categorize the information by DLP Rule, DLP sensor applied to a firewall policy, firewall policy, or protocol.

From the table display you can:
• View details about the data by pausing the mouse pointer over each bar in the chart.
• Select a bar on the graph to view more information about the data.

Custom DLP Archive Display

Provides settings for modifying the default settings of the DLP Archive Usage widget. You can configure several settings for this widget when you modify the default settings within this widget. You must select OK to save the settings.

Custom Widget Name: Enter a new name for the widget. This is optional.

Report By: Select one of: DLP Rule, Profile, Policy, or Protocol.

Sort Criteria: Select whether to sort the results by number of Bytes or number of Messages.

Protocol: Select the protocols to include. This field is not available if Report By is Protocol.

VDOM: Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM.

Top Entries To Show: Select whether to display top 5, 10, 15, or 20 items.

Refresh Interval: Select the display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.

RAID monitor

The RAID monitor display shows the current state of the RAID array and each RAID disk. The RAID monitor display is not part of the default dashboard display. It can be displayed by selecting the Widget icon that is available within the dashboard. The RAID monitor will not be displayed unless your FortiGate unit has more than one disk installed.

For information on configuring the RAID array, see “RAID disk configuration” on page 219. For more information, see “Configuring the RAID array” on page 219.

RAID monitor widget

Configure: Select to configure the RAID array, or rebuild a degraded array.

Array Status (array status icon): Shows the status of the RAID array. Positioning the mouse over the array status icon displays a text message of the status of the array. Green with a check mark shows a healthy RAID array. A yellow triangle shows the array is in a degraded state but it is still functioning; rebuild the array to fix the degraded state. A degraded array is slower than a healthy array. A wrench shows the array is being rebuilt. While rebuilding the array, it is in a degraded and vulnerable state — any disk failure during a rebuild will result in data loss. A warning is displayed indicating the RAID array is running in reduced reliability mode until the rebuild is completed. Rebuilding the array may take several hours.

Disk status icon: There is one icon for each disk in the array. Positioning the mouse over the disk status icon displays the status of the disk and the storage capacity of the disk. Green with a check mark shows a healthy disk. Red with an X shows the disk has failed and needs attention.

RAID Level: The RAID level of this RAID array. The RAID level is set as part of configuring the RAID array. For more information, see “RAID levels” on page 220.

Disk Space Usage (status bar): The bar shows the percentage of the RAID array that is currently in use.

Used/Free/Total: These three numbers show the amount of RAID array storage that is being used, the amount of storage that is free, and the total storage in the RAID array. Used added to Free should equal Total. The values are in GB.

Synchronizing status: Displays the percent complete of the RAID array synchronization. The synchronizing progress bar is visible only when the RAID array is synchronizing. When synchronizing, the status of the RAID array will indicate that synchronizing is happening in the background. Synchronizing may take several hours. You may need to select the refresh icon in the widget title bar to update this progress bar.

Rebuild status: Displays the percent complete of the RAID array rebuild. You may need to select the refresh icon in the widget title bar to update this progress bar.

RAID disk configuration

To configure the RAID array, go to the dashboard where the RAID Monitor widget is located, and then select [Configure] in the title bar area.

When you select [Configure] in the title bar area, you are automatically redirected to the Disk Configuration page.

Note: If a disk has failed, been removed, or is not working properly, the number of working disks may not be enough for the RAID level to function. In this case, replace the failed disk with a working disk to rebuild the RAID array.

Disk Configuration page

Provides settings for configuring the RAID array.

Status: The status, or health, of the RAID array. This status can be one of:
• OK — standard status, everything is normal
• OK (Background-Synchronizing) (%) — synchronizing the disks after changing the RAID level. The synchronizing progress bar shows percent complete.
• Degraded — One or more of the disks in the array has failed, been removed, or is not working properly. A warning is displayed about the lack of redundancy in this state. Select Rebuild RAID to fix the array. Also, a degraded array is slower than a healthy array.
• Degraded (Background-Rebuilding) (%) — The same as degraded, but the RAID array is being rebuilt in the background. The array continues to be in a fragile state until the rebuilding is completed.

Size: The size of the RAID array in gigabytes (GB). The size of the array depends on the RAID level selected, and the number of disks in the array.

RAID level: Select the level of RAID. Options include:
• RAID-0 — (striping) better performance, no redundancy
• RAID-1 — (mirroring) half the storage capacity, but totally redundant
• RAID-5 — striping with parity checking, and redundancy
Available RAID level options depend on the available number of hard disks. Two or more disks are required for RAID 0 or RAID 1. Three or more disks are required for RAID 5. For more information on RAID levels, see “RAID levels” on page 220.
Changing the RAID level will erase any stored log information on the array, and reboot the FortiGate unit. The unit will remain offline while it reconfigures the RAID array. Changing the RAID level will take effect when Apply is selected.

Rebuild RAID: Select to rebuild the array after a new disk has been added to the array, or after a disk has been swapped in for a failed disk. After inserting a functioning disk, the array will need to synchronize before being fully operational; when the unit reboots, the rebuild will start. This button is only available when the RAID array is in a degraded state and has enough disks to be rebuilt. If you try to rebuild a RAID array with too few disks you will get a rebuild error. You cannot restart a rebuild once a rebuild is already in progress.

Disk#: The disk’s position in the array. This corresponds to the physical slot of the disk. If a disk is removed from the FortiGate unit, the disk is marked as not a member of the array and its position is retained until a new disk is inserted in that drive bay.

Status: The status of this disk. Options include OK, and unavailable. A disk is unavailable if it is removed or has failed.

Member: Displays whether the selected disk is part of the RAID array. A green icon with a check mark indicates the disk is part of the array. A grey icon with an X indicates the disk is not part of the RAID array. A disk may be available but not used in the RAID array. For example, with three disks in a RAID 1 array, only two are used. A disk may be displayed as healthy on the dashboard display even when it is not a member of the RAID array.

Capacity: The storage capacity that this drive contributes to the RAID array. The full storage capacity of the disk is used for the RAID array automatically. The total storage capacity of the RAID array depends on the capacity and number of the disks, and the RAID level of the array.

Top Application Usage

Top Application Usage shows the volume of traffic passing through the FortiGate unit classified by application type as either a chart or a table. Top Application Usage data collection is started by adding application control lists to firewall policies. Only information about applications matched by application control is added to the chart or table. Sessions accepted by firewall policies (with no application control list applied to that firewall policy) do not contribute to the data displayed. The chart displays applications in order of use.

From the chart or table display you can:
• View traffic volumes by pausing the mouse pointer over each bar.
• Select an application type on the graph to view information about the source addresses that used the application and the amount of data transferred by sessions from each source address.

To configure the Top Application Usage module, go to System > Dashboard > Usage, and then select the Edit icon in the Top Application Usage module title bar.

Custom Top Application Usage Display

Provides settings for modifying the default settings of the Top Application Usage widget.

Custom Widget Name: Enter a new name for the widget. This is optional.

Sort Criteria: Select whether to sort the applications by number of Bytes or number of Messages.

Application Details: The detail information about the applications that will be displayed in the widget.

Report By: Select Source Address or Destination Address.

Display User Name: Select the check box to show the user name (when known) instead of the IP address.

Resolve Host Name: Select to use a reverse-DNS lookup to determine the host name instead of displaying the IP address.

VDOM: Select the VDOM to monitor or select Global. This is available for global administrators only. VDOM administrators see only their own VDOM.

Display Format: Select Chart or Table display.

Top Entries To Show: Select whether to display top 5, 10, 15, or 20 applications.

Refresh Interval: Select the display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.

Storage

The Disk Status widget allows you to view the status of each disk currently installed on your FortiGate unit. The status includes how much space is used and how much free space is available, a visual representation of the disk, and the configuration of the management of the disk. The management configuration could be that three partitions have been configured, with one for firmware, another for logs, and the last for WAN Opt storage.

You can find out more detailed information about a disk’s status by going to System > Maintenance > Disk. The Disk page displays information regarding the disk’s health and RAID events. For more information about disk management, see “Disk” on page 213.

P2P Usage

P2P Usage displays the total bytes and total bandwidth for each supported instant messaging client. These clients are WinNY, BitTorrent, eDonkey, Gnutella, and KaZaa.

With P2P Usage, you can only modify the default name of the widget. To change the name, select the Edit icon in the title bar and then enter a name in the Custom Widget Name field. Select OK to save the change.

IM Usage

The IM Usage widget provides details about instant messaging clients and their activity that is occurring on your network. IM Usage provides this information for the IM clients AIM, Yahoo!, and ICQ. From within this widget, you can view information regarding users, chats, messages, file transfers between clients, and any voice chats that occurred as well.

You can only change the name of the IM Usage widget. To change the name, select the Edit icon in the title bar and then enter a name in the Custom Widget Name field. Select OK to save the change.

VoIP Usage

In the VoIP Usage widget, you can view current active VoIP calls (over the SIP and SCCP protocols), as well as calls that have been dropped, failed or went unanswered, and how many calls there were in total from when you last cleared the information in the widget. You can easily see how many calls actually succeeded.

You can only change the name of the VoIP Usage widget. To change the name, select the Edit icon in the title bar and then enter a name in the Custom Widget Name field. Select OK to save the change.

Per-IP Bandwidth Usage

The Per-IP Bandwidth Usage widget allows you to view per-IP address session data. The data is similar to the top session widget, which displays each IP address that initiated the traffic (and its current bandwidth consumption). If you select Chart, the information displays as a bar chart. If you select Table, the information displays within a table. Instead of viewing the IP address of the person who initiated the traffic, you can choose to view their name by selecting Resolve Host Name in the editing window.

Custom Per-IP Bandwidth Usage Display

Provides settings for modifying the default settings of the Per-IP Bandwidth Usage widget. You can configure several settings for this widget when you select the Edit icon in this widget’s title bar area. You must select OK to save the settings.

Custom Widget Name: Enter a new name for the widget. This is optional.

Resolve Host Name: Select to display a name instead of the IP address.

Display Format: Select either Chart or Table.

Top Entries to Show: Select the top entries that will appear within the table or chart.

Refresh Interval: Select the display update interval in seconds. Range 10 to 240 seconds. Select 0 to disable updating. You can also update using the Refresh icon in the module header.

FortiGuard

You can configure a separate Alert Message Console widget that displays only FortiGuard alert information that is received from the FortiGuard Center. This version of the Alert Message Console widget displays the RSS feeds from the FortiGuard Center, notifying FortiGuard subscribers about the latest news and threats. FortiGuard provides you with information regarding the FortiGuard Center’s current news and RSS feeds.

To enable the FortiGuard widget, in the added Alert Message Console widget, select the Edit icon in the title bar area. The Custom Alert Display appears; in the list, select the check box beside FortiGuard security alerts. You can rename the newly created Alert Message Console widget and select the option FortiGuard security alerts so that alerts are received and displayed on the widget.

Firmware management practices

Fortinet recommends reviewing this section before upgrading because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful. You should also review the What’s New chapter of the FortiOS Handbook when a new firmware maintenance release is released. This chapter contains valuable information about the changes and new features that may cause issues with the current configuration.

If you enable virtual domains (VDOMs) on the FortiGate unit, system firmware versions are configured globally. For more information, see “Using virtual domains” on page 79.

With FortiOS 4.0, you can also configure your FortiGate unit to use NAT while in transparent mode. For more information, see the Fortinet Knowledge Center article, Configuring NAT in Transparent mode.

In addition to firmware images, Fortinet releases patch releases—maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Installing a patch release without reviewing release notes or testing the firmware may result in changes to settings or unexpected issues. Follow the steps below:
• Download and review the release notes for the patch release.
• Download the patch release.
• Back up the current configuration.
• Install the patch release using the procedure “Testing firmware before upgrading” on page 70.
• Test the patch release until you are satisfied that it applies to your configuration.

The following topics are included in this section:
• Backing up your configuration
• Testing firmware before upgrading
• Upgrading your FortiGate unit
• Reverting to a previous firmware image
• Restoring your configuration

Note: For more information about the settings that are available on the Backup and Restore page (such as remotely backing up to a FortiManager unit), see “System Maintenance” on page 195.

Backing up your configuration

Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

Fortinet recommends backing up all configuration settings from your FortiGate unit before upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you require downgrading to FortiOS 3.0 MR7 and want to restore those configuration settings.

You can back up configuration settings to a local PC, a FortiManager unit, or to a USB key. You can also back up to a FortiGuard Management server if you have FortiGuard Analysis and Management Service enabled. If you have a local hard drive, you can also back up the configuration file to it. If you have partitions enabled on the drive, any configuration files that you back up are stored on a specific partition that you have created for log and system data.

If you have virtual domains, there are limitations to what certain administrators are allowed to back up. For more information, see the FortiGate CLI Reference.

Backing up your configuration through the web-based manager

You can back up your configuration to a variety of locations, such as a FortiManager unit or a FortiGuard Management server. The following procedure describes how to properly back up your current configuration in the web-based manager.

To back up your configuration file through the web-based manager
1 Go to System > Dashboard.
2 In the System Information widget, select Backup in the System Configuration line. You are automatically redirected to the Backup page.
3 Select the location where the configuration file will be stored, such as the FortiGuard Management server or the USB key.
4 Select the check box beside Encrypt configuration file to encrypt the configuration file. If you want to encrypt your configuration file to save VPN certificates, select the Encrypt configuration file check box, enter a password, and then enter it again to confirm.
5 Select Backup.
6 Save the file.

Backing up your configuration through the CLI

You can back up your configuration file using a TFTP or FTP server. If you have the FortiGuard Analysis and Management Service configured, you can also back up your configuration to the FortiGuard Management server. When backing up your configuration in the CLI, you can choose to back up the entire configuration (execute backup full-config) or part of the configuration (execute backup config).

The following procedure describes how to back up your current configuration in the CLI and assumes that you are familiar with the following commands. For more information about the individual commands used in the following procedure, see the FortiGate CLI Reference.

To back up your configuration file through the CLI
1 Enter the following to back up the configuration file to a USB key:
execute backup config usb <backup_filename> <encrypt_passwd>
2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config {tftp | ftp} <backup_filename> <tftp_server_ipaddress> <ftp server [:ftp port] <ftp_username> <ftp_passwd> <encrypt_passwd>
3 Enter the following to back up the configuration to a FortiGuard Management server:
execute backup config management-station <comment>

To back up the entire configuration file through the CLI
Enter the following to back up the entire configuration file:
execute backup full-config {tftp | ftp | usb} <backup_filename> <backup_filename> <tftp_server_ipaddress> <ftp server [:ftp port] <ftp_username> <ftp_passwd> <encrypt_passwd>

Backing up your configuration to a USB key

If your FortiGate unit has a USB port, you can back up your current configuration to a USB key, either from the CLI or the web-based manager. When backing up a configuration file to a USB key, ensure that the USB key is inserted in the FortiGate unit’s USB port. Before proceeding, verify that the USB key is formatted as a FAT16 disk. The FAT16 format is the only supported partition type. For more information, see “Formatting USB Disks” on page 198.

To back up your configuration to the USB key
1 Go to System > Dashboard > Status.
2 In the System Information widget, select Backup in the System Configuration line. You are automatically redirected to the Backup page.
3 Select USB Disk.
4 Select Backup. If you want to encrypt your configuration file to save VPN certificates, select the Encrypt configuration file check box, enter a password, and then enter it again to confirm.
5 Save the file.

After successfully backing up your configuration file, proceed with upgrading to FortiOS 4.0.

Testing firmware before upgrading

You may want to test the firmware that you need to install before upgrading to a new firmware version, or to a maintenance or patch release. By testing the firmware, you can familiarize yourself with the new features and changes to existing features, as well as understand how your configuration works with the firmware. You can use the following procedure for either a regular firmware image or a patch release.

A firmware image is tested by installing it from a system reboot, and then saving it to system memory. After the firmware is saved to system memory, the FortiGate unit operates using the firmware with the current configuration. The following procedure does not permanently install the firmware; the next time the FortiGate unit restarts, it operates using the firmware originally installed on the FortiGate unit. You can install the firmware permanently by using the procedures in “Upgrading your FortiGate unit” on page 71.

The following procedure assumes that you have already downloaded the firmware image to your management computer.

To test the firmware image before upgrading
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, a series of system startup messages appears. When the following message appears, immediately press any key to interrupt the system startup:
Press any key to display configuration menu…
You have only three seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat steps 5 to 6 again.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
7 Type G to get the new firmware image from the TFTP server. The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter. The following message appears:
Enter Local Address [192.168.1.188]:

9 Type the internal IP address of the FortiGate unit. This IP address connects the FortiGate unit to the TFTP server. This IP address must be on the same network as the TFTP server, but make sure you do not use an IP address of another device on the network. The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
11 Type R. The FortiGate firmware image installs and saves to system memory. The FortiGate unit starts running the new firmware image with the current configuration.

When you have completed testing the firmware, you can reboot the FortiGate unit and resume using the original firmware.

Upgrading your FortiGate unit

If your upgrade is successful, and your FortiGate unit has a hard drive, you can use the Boot alternate firmware option located in System > Maintenance > Backup and Restore. This option enables you to have two firmware images, such as FortiOS 3.0 MR7 and FortiOS 4.0, available for downgrading or upgrading. If the upgrade was not successful, go to “Reverting to a previous firmware image” on page 74.

You can also use the following procedure when installing a patch release. A patch release is a firmware image that resolves specific issues, but does not contain new features or changes to existing features. You can install a patch release whether or not you upgraded to the current firmware version.

Upgrading to FortiOS 4.0 through the web-based manager

Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults. The CLI upgrade procedure reverts all current firewall configurations to factory default settings.

The following procedure describes how to upgrade to FortiOS 4.0 in the web-based manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0.

To upgrade to FortiOS 4.0 through the web-based manager
1 Download the firmware image file to your management computer.
2 Log in to the web-based manager.
3 Go to System > Status and locate the System Information widget.
4 Beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and locate the file.
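Steps 1 to 4 of the test procedure above (and of the CLI upgrade procedure that follows) depend on the TFTP server handing out the image from its root directory, and the boot-menu window is only three seconds long, so it is worth confirming from the management computer that the server really serves an intact copy before rebooting. The following is an added example, not code from this guide or from Fortinet: a minimal RFC 1350 TFTP read client in Python that compares the served copy with the downloaded file, plus a constructed in-memory server so it runs offline; a call such as fetch_udp("192.0.2.10", "image.out") (placeholder address) would run the same check against a real server.

```python
"""Added example (not Fortinet code): fetch the image back from the TFTP server and compare
it with the downloaded file before rebooting.  A minimal RFC 1350 read client (stdlib has none)."""
import hashlib
import socket
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512  # RFC 1350 block size; a shorter (possibly empty) block ends the transfer

def build_rrq(filename, mode="octet"):
    """Read request: opcode 1, filename, NUL, mode, NUL ("octet" = binary transfer)."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def fetch(filename, send, recv):
    """Read loop over injected send(bytes)/recv()->bytes callables (real UDP or stand-in)."""
    send(build_rrq(filename))
    expected, chunks = 1, []
    while True:
        pkt = recv()
        op, num = struct.unpack("!HH", pkt[:4])
        payload = pkt[4:]
        if op == OP_ERROR:
            msg = payload.rstrip(b"\0").decode(errors="replace")
            raise RuntimeError(f"TFTP error {num}: {msg}")
        if op != OP_DATA:
            raise RuntimeError(f"unexpected opcode {op}")
        if num == expected:  # next block in sequence: keep it and ACK it
            chunks.append(payload)
            expected += 1
            send(struct.pack("!HH", OP_ACK, num))
            if len(payload) < BLOCK_SIZE:
                return b"".join(chunks)
        elif num < expected:  # retransmitted block: re-ACK it, never store it twice
            send(struct.pack("!HH", OP_ACK, num))
        else:
            raise RuntimeError(f"block {num} out of order, expected {expected}")

def fetch_udp(server, filename, port=69, timeout=5.0):
    """Fetch over UDP; the server answers from a fresh port (its TID), so the peer is updated."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    peer = [(server, port)]

    def recv():
        data, addr = sock.recvfrom(4 + BLOCK_SIZE)
        peer[0] = addr  # all later packets go to the server's transfer port
        return data

    try:
        return fetch(filename, lambda pkt: sock.sendto(pkt, peer[0]), recv)
    finally:
        sock.close()

def verify_served(send, recv, filename, local):
    """Return 'ok', 'mismatch' or 'error: <reason>'; size and SHA-256 are both compared."""
    try:
        served = fetch(filename, send, recv)
    except RuntimeError as exc:
        return f"error: {exc}"
    same = len(served) == len(local) and hashlib.sha256(served).digest() == hashlib.sha256(local).digest()
    return "ok" if same else "mismatch"

class FakeTftpServer:
    """Constructed in-memory server for offline runs; duplicate=True sends every DATA block twice."""
    def __init__(self, files, duplicate=False):
        self.files, self.duplicate, self.queue = files, duplicate, []
        self.data, self.block, self.done = b"", 0, False

    def send(self, pkt):  # client -> server
        op = struct.unpack("!H", pkt[:2])[0]
        if op == OP_RRQ:
            name = pkt[2:].split(b"\0")[0].decode()
            if name not in self.files:
                self.queue.append(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0")
                return
            self.data, self.block, self.done = self.files[name], 0, False
            self._push()
        elif op == OP_ACK and struct.unpack("!H", pkt[2:4])[0] == self.block and not self.done:
            self._push()

    def _push(self):
        self.block += 1
        chunk = self.data[(self.block - 1) * BLOCK_SIZE:self.block * BLOCK_SIZE]
        self.done = len(chunk) < BLOCK_SIZE
        pkt = struct.pack("!HH", OP_DATA, self.block) + chunk
        self.queue.extend([pkt, pkt] if self.duplicate else [pkt])

    def recv(self):  # server -> client
        return self.queue.pop(0)

# Constructed sample data: a 1092-byte "image" (blocks of 512, 512, 68), one that is an exact
# multiple of the block size, and a copy that the server hands out truncated by mistake.
SAMPLE_IMAGE = bytes(range(256)) * 4 + b"FGT-IMAGE-TRAILER" * 4
LOCAL = {"image.out": SAMPLE_IMAGE, "exact.out": b"\xab" * 1024, "truncated.out": SAMPLE_IMAGE}
SERVED = {"image.out": SAMPLE_IMAGE, "exact.out": b"\xab" * 1024, "truncated.out": SAMPLE_IMAGE[:700]}

def check_sample(filename="image.out", duplicate=False):
    """Verify one constructed file against the stand-in server (what the test asserts on)."""
    srv = FakeTftpServer(SERVED, duplicate=duplicate)
    return verify_served(srv.send, srv.recv, filename, LOCAL.get(filename, b""))
```

A "mismatch" or "error" result means the reboot would fail or load the wrong image, so fix the server's root directory or the copy first.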

6 Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process may take a few minutes.

Note: After upgrading to FortiOS 4.0, perform an “Update Now” to retrieve the latest FortiGuard signatures from the FortiGuard Distribution Network (FDN), as the signatures included in the firmware may be older than those currently available on the FDN.

When the upgrade is successfully installed:
• ping your FortiGate unit to verify there is still a connection.
• clear the browser’s cache and log in to the web-based manager.

After logging back in to the web-based manager, you should save the configuration settings that carried forward. Some settings may have carried forward from FortiOS 3.0 MR7, while others may not have, such as certain IPS group settings. Go to System > Maintenance > Backup and Restore to save the configuration settings that carried forward.

Upgrading to FortiOS 4.0 through the CLI

Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults. The CLI upgrade procedure reverts all current firewall configurations to factory default settings.

Loading FortiGate firmware using TFTP: the following procedure uses a TFTP server to upgrade the firmware. See the Fortinet Knowledge Base article for additional information about upgrading firmware in the CLI. The following procedure assumes that you have already downloaded the firmware image to your management computer.

To upgrade to FortiOS 4.0 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version! Do you want to continue? (y/n)

6 Type y. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager instead, log in to the web-based manager and go to System > Maintenance > FortiGuard.

Verifying the upgrade

After clearing your browser’s cache and then logging back in to the web-based manager, most of your previous configuration settings have been carried forward. You should verify which configuration settings carried forward. Verifying your configuration settings allows you to familiarize yourself with the new features and changes in FortiOS 4.0.

You can verify your configuration settings by:
• going through each menu and tab in the web-based manager
• using the show shell command in the CLI.

For example, if you go to System > Network > Options you can see your DNS settings carried forward from your previous configuration settings. You should also verify that administrative access settings carried forward as well.

Reverting to a previous firmware image
You may need to revert to a previous firmware image (or version, for example, FortiOS 3.0) if the upgrade was not successfully installed. The following procedures describe how to properly downgrade to a previous firmware image using either the web-based manager or CLI, and include steps on how to restore your previous configuration.
The following are included in this topic:
• Downgrading to a previous firmware through the web-based manager
• Downgrading to a previous firmware through the CLI
• Restoring your configuration

Downgrading to a previous firmware through the web-based manager
Caution: Always back up your configuration before installing a patch release, upgrading/downgrading, or when resetting to factory defaults. For more information, see "Backing up your configuration" on page 68.
When downgrading to a previous firmware, only the following settings are retained:
• operation mode
• Interface IP/Management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system accprofiles.
If you created additional settings in FortiOS 4.0, make sure to back up the current configuration before downgrading.
To downgrade through the web-based manager
1 Go to System > Dashboard > Status and locate the System Information widget.
2 Beside Firmware Version, select Update.
3 Enter the path and filename of the firmware image file, or select Browse and locate the file.
4 Select OK.
The following message appears:
This version will downgrade the current firmware version. Are you sure you want to continue?
5 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
6 Log in to the web-based manager.
Go to System > Dashboard > Status to verify that the firmware version under System Information has changed to the correct firmware.

Verifying the downgrade
After successfully downgrading to a previous firmware, verify your connections and settings. The downgrade may change your configuration settings to default settings. If you are unable to connect to the web-based manager, make sure your administration access settings and internal network IP address are correct.

Downgrading to a previous firmware through the CLI
Caution: Always back up your configuration before installing a patch release, upgrading/downgrading, or when resetting to factory defaults. For more information, see "Backing up your configuration" on page 68.
When downgrading to a previous firmware, only the following settings are retained:
• operation mode
• Interface IP/Management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system accprofiles.
If you have created additional settings in FortiOS 4.0, make sure you back up your configuration before downgrading.
The following procedure assumes that you have already downloaded the firmware image to your management computer.
To downgrade through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do you want to continue? (y/n)

6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version! Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes.
After the FortiGate unit uploads the firmware, you need to reconfigure your IP address since the FortiGate unit reverts to default settings, including its default IP address. See your install guide for configuring IP addresses.
8 Reconnect to the CLI.
9 Enter the following command to confirm the firmware image installed successfully:
get system status
See "Restoring your configuration" on page 77 to restore your previous configuration settings.
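Both CLI procedures in this chapter end with get system status to confirm which firmware is running, and both start by placing an image in the TFTP root. The following Python script is an added example, not from this guide or from Fortinet: stage_image() copies an image into the TFTP root only when its SHA-256 matches a digest you recorded when you downloaded the image (the guide does not describe checksum verification; it is an added safeguard against staging a corrupted or swapped file), and parse_system_status() reads the Version line from get system status output captured from the console so the installed version and build can be compared with what you intended to load. The sample CLI output, the digest and the serial number are constructed placeholders, and the layout of the Version line is assumed from typical FortiOS 4.0 output.

```python
"""Check a firmware image before staging it on a TFTP server, then confirm the
running version from 'get system status' output.

Added example, not code from the FortiGate guide. The sample output and all
values in it are constructed placeholders, not real device data."""
import hashlib
import re
from pathlib import Path

# Constructed sample of 'get system status' output (assumed layout; the serial
# number, dates and database versions are placeholders).
SAMPLE_STATUS = """\
Version: Fortigate-60B v4.0,build0272,100331 (MR2)
Virus-DB: 11.00000(2010-02-02 11:19)
Extended DB: 11.00000(2010-02-02 11:19)
IPS-DB: 2.00733(2010-05-05 18:09)
Serial-Number: FGT60BPLACEHOLDER
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Current HA mode: standalone
"""

# "Version: <model> v<major.minor>,build<NNNN>,<date> (<release>)"
VERSION_RE = re.compile(
    r"^Version:\s*(?P<model>\S+)\s+v(?P<ver>[\d.]+),build(?P<build>\d+)", re.M
)


def parse_system_status(text):
    """Return {'model', 'version', 'build'} from the Version line, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return {"model": m.group("model"), "version": m.group("ver"), "build": int(m.group("build"))}


def version_matches(text, expected_version, expected_build):
    """True when the captured status output reports exactly the expected version and build."""
    info = parse_system_status(text)
    return bool(info) and info["version"] == expected_version and info["build"] == expected_build


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_image(image_path, tftp_root, expected_sha256):
    """Copy the image into the TFTP root only if its digest matches; returns the staged path."""
    image_path = Path(image_path)
    digest = sha256_file(image_path)
    if digest != expected_sha256.lower():
        raise ValueError(f"checksum mismatch for {image_path.name}: got {digest}")
    dest = Path(tftp_root) / image_path.name
    dest.write_bytes(image_path.read_bytes())
    return dest


def demo():
    """Self-check with a constructed image: staging succeeds with the right digest and is refused with a wrong one."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "image.out"
        src.write_bytes(b"constructed bytes, not a real firmware image")
        good = hashlib.sha256(src.read_bytes()).hexdigest()
        root = Path(tmp) / "tftproot"
        root.mkdir()
        staged = stage_image(src, root, good) == root / "image.out"
        try:
            stage_image(src, root, "0" * 64)
            rejected = False
        except ValueError:
            rejected = True
    return staged, rejected


if __name__ == "__main__":
    print(parse_system_status(SAMPLE_STATUS))
    print("stage/reject self-check:", demo())
```

Record the digest at download time from a trusted source and keep it with the image; the check is only as good as the reference value.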

Restoring your configuration
Your configuration settings may not carry forward after downgrading to a previous firmware. You can restore your configuration settings for a previous firmware with the configuration file you saved before upgrading to FortiOS 4.0. You can also use the following procedures for restoring your configuration after installing a current patch release or maintenance release.

Restoring your configuration settings in the web-based manager
The following procedure restores your previous firmware configuration settings in the web-based manager.
To restore configuration settings in the web-based manager
1 Log in to the web-based manager.
2 Go to System > Dashboard > Status and locate the System Information widget.
3 Select Restore in the System Configuration line to restore the configuration from either a Local PC, FortiManager or FortiGuard (if your FortiGate unit is configured for FortiGuard Analysis and Management Service).
You are automatically redirected to the Restore page.
4 Enter the location of the file or select Browse to locate the file. If required, enter your password for the configuration file.
5 Select Restore.
The FortiGate unit restores the configuration settings. This may take a few minutes since the FortiGate unit will reboot.
You can verify that the configuration settings are restored by logging in to the web-based manager and going through the various menus and tabs.

Restoring your configuration settings in the CLI
The following procedure restores your previous firmware configuration settings in the CLI.
To restore configuration settings in the CLI
1 Copy the backed-up configuration file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.

5 Enter the following command to copy the backed-up configuration file from the TFTP server and restore it on the FortiGate unit:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed-up configuration file, <tftp_ipv4> is the IP address of the TFTP server, and <passwrd> is the password you entered when you backed up your configuration settings.
For example, if the backed-up configuration file is confall, the IP address of the TFTP server is 192.168.1.168, and the password is ghrffdt123:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the system will reboot! Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the backed-up configuration file. After the file uploads, a message similar to the following is displayed:
Getting file confall from tftp server 192.168.1.168
## Restoring files...
All done. Rebooting...
This may take a few minutes.
Use the CLI show shell command to verify your settings are restored, or log in to the web-based manager.

Using virtual domains
This section introduces you to virtual domains on the FortiGate unit, including how to configure them on your FortiGate unit. For more information about virtual domains, see the Virtual Domains Guide chapter of the FortiOS Handbook.
The following topics are included in this section:
• Virtual domains overview
• VDOM configuration settings
• VDOM licenses
• Global VDOM resource limits

Virtual domains overview
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations, or to act as the basis for a service provider's managed security service.
VDOMs provide the following benefits:
• improving Transparent mode configuration
• easier administration
• continued security
• savings in physical space and power
• more flexible MSSP configurations
The FortiGate unit automatically contains a default VDOM, called root. The root VDOM is the VDOM where your current configuration is, when you first start configuring settings on your FortiGate unit. The root VDOM must be there because the FortiGate unit needs a management VDOM for management traffic, among other things. The root VDOM is always there in the background and is indicated in the vd field of a log message when there are no VDOMs configured.
If you enable VDOMs on the FortiGate unit, you configure virtual domains globally for the FortiGate unit. VDOMs are essentially the same as your regular FortiGate unit for menu configuration, CLI command structure, and generated task flow, but there are some small differences. For example, you may not be able to access log messages within the global VDOM, but can within each configured VDOM.
This topic contains the following:
• VDOMs and global settings
• Switching between VDOMs
• Global and per-VDOM settings

VDOMs and global settings
A VDOM is not useful unless it contains at least two physical interfaces or virtual subinterfaces for incoming and outgoing traffic.
The following table shows what roles can perform which tasks. Availability of the associated tasks depends on the permissions of the admin. If you are using a regular admin account, the tasks available to you depend on whether you have read only or read/write permissions. If you are using a super_admin profile account, you can perform all tasks.

Table 6: Admin VDOM permissions
Task                               Regular administrator account           Super_admin profile
                                   Read only        Read/write             administrator account
View global settings               yes              yes                    yes
Configure global settings          no               no                     yes
Create or delete VDOMs             no               no                     yes
Configure multiple VDOMs           no               no                     yes
Assign interfaces to a VDOM        no               no                     yes
Create VLANs                       no               yes - for 1 VDOM       yes - for all VDOMs
Assign an administrator to a VDOM  no               no                     yes
Create additional admin accounts   no               yes - for 1 VDOM       yes - for all VDOMs
Create and edit profiles           no               yes - for 1 VDOM       yes - for all VDOMs

Switching between VDOMs
You can easily switch between VDOMs using the Current VDOM menu that appears after you have enabled VDOMs on your FortiGate unit. The Current VDOM menu contains a drop-down list which is located beside the menu's name. The drop-down list contains all VDOMs that you created, including the default root VDOM and Global.
To switch to another VDOM, in the Current VDOM menu, select the VDOM that you want to switch to from the drop-down list. You are automatically redirected to that VDOM within the web-based manager.

Global and per-VDOM settings
Settings configured outside of a VDOM are called global settings. These settings affect the entire FortiGate unit and include areas such as interfaces, HA maintenance, some antivirus, some logging settings, and reporting settings. In general, a top-level administrator should be the only user to change global settings.
Settings that are configured within a VDOM itself are called per-VDOM settings. These settings affect only that specific VDOM and include areas such as operating mode, routing, firewall, VPN, some antivirus, logging, and reporting.

VDOM configuration settings
Settings that are configured within a VDOM are called VDOM settings. These settings affect only that specific VDOM and include areas such as operating mode, routing, firewall, VPN, some antivirus settings, and some logging settings.
When virtual domains are enabled, the web-based manager and the CLI are changed as follows:

• Global and per-VDOM configurations are separated. Only super_admin profile accounts can view or configure Global level options. Super_admin profile accounts can configure settings for all VDOMs.
• A new menu appears called Current VDOM, which you can use to go from VDOM to VDOM, and a new Global option appears. Selecting Global exits the current VDOM.
• When virtual domains are enabled, the current virtual domain is displayed at the bottom left of the screen, in the format Current VDOM: <name of the virtual domain>. For example, Current VDOM: vdom_1.
• Within a VDOM, reduced dashboard menu options are available. A regular VDOM administrator sees only these settings. The default super_admin can also access these settings, but must first select which VDOM to configure.
• There is no operation mode option at the Global level.
• One or more administrators can be configured for each VDOM; however, these admin accounts cannot edit settings for any VDOMs for which they are not configured.
• The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains.
• A new VDOM entry appears under the System option.
VDOMs are configured in System > VDOM > VDOM. On this page, you can edit, delete or create a new VDOM. For more information, see "Switching between VDOMs" on page 80.

VDOM page
Lists all the VDOMs you configured.
Create New  Select to create a new VDOM. When you select Create New, you are automatically redirected to the New Virtual Domain page.
Edit  Modifies a VDOM's settings.
Delete  Removes a VDOM from the VDOM page.
Switch Management [<current vdom name>]  Select to switch to a VDOM and make it the management VDOM.
Name  The name of the VDOM.
Operation Mode  The type of operation mode that the VDOM is in. This mode is either NAT or Transparent.
Interfaces  The interfaces associated with the VDOM.
Enable  Indicates whether the VDOM is enabled or disabled. A green check mark indicates that the VDOM is enabled. A gray x indicates that the VDOM is disabled.

New Virtual Domain page
Provides settings for configuring a virtual domain.
Name  Enter a name for the virtual domain.
Enable  Select to enable or disable a virtual domain. This status is reflected in the Enable column on the VDOM page.
Comments  Enter a description about the virtual domain. This is optional and can only contain a maximum of 63 characters.

VDOM licenses
Caution: Back up current configuration settings before upgrading VDOM licenses to ensure these settings are not lost. Use one of the procedures in "Backing up your configuration" on page 68 to properly back up your current configuration.
All FortiGate units, except the FortiGate-30B, support 10 VDOMs by default. High-end FortiGate models support the purchase of a VDOM license key from customer service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500. Configuring 250 or more VDOMs will result in reduced system performance. When running 250 or more VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web filtering, or antivirus; your FortiGate unit can only provide basic firewall functionality. If you do not have the path System > Maintenance > License, your FortiGate FortiOS Carrier model does not support more than 10 VDOMs.
FortiAnalyzer units include VDOMs in their total number of registered devices. The VDOMs that are created on a registered FortiGate unit are recognized as real devices by connected FortiAnalyzer units. For example, if three FortiGate units are registered on a FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven units. For more information, see the FortiAnalyzer Administration Guide.

Table 7: VDOM support by FortiGate model
FortiGate model           Support VDOMs   Default VDOM maximum   Maximum VDOM license
30B                       no              0                      0
Low and mid-range models  yes             10                     10
High-end models           yes             10                     500

Global VDOM resource limits
Your FortiGate unit has limited resources that are divided amongst all configured VDOMs. These resources include system memory and CPU. Super administrators can configure VDOM resource limits to control how many resources each VDOM can use, preventing one VDOM from affecting the performance of others. You can also use resource limits to share resources evenly among VDOMs. This means you can provide tiered services for different VDOMs.
You can set limits for dynamic and some static resources.
Dynamic resources are resources that are not controlled by the FortiGate configuration. If you do not limit the number of dynamic resources, each VDOM will use as many as it can until the capacity of the FortiGate unit becomes the limiting factor. You can limit dynamic resources to limit the amount of traffic that a VDOM processes and so limit the amount of FortiGate processing resources the VDOM can use.
You can set the following dynamic resource limits:
• The total number of communication Sessions that can be started in a VDOM. When this limit is reached, additional sessions are dropped.
• The number of IPSec VPN Dial-up Tunnels that can be started in a VDOM. When this limit is reached, additional tunnels are dropped.
• The number of SSL VPN user sessions that can be started in a VDOM. When this limit is reached, the VDOM displays a system busy message instead of the login page when a user attempts to log in to start an SSL VPN session.

Static resources are controlled by limits in the FortiGate configuration. Limiting static resources does not limit the amount of traffic that the VDOM processes. Instead, limiting static resources controls the number of configuration elements that can be added to a VDOM.
You can set the following static resource limits:
• The number of VPN IPSec Phase 1 and Phase 2 tunnels that can be added to a VDOM configuration. The number of tunnels is limited by the maximum values for the FortiGate model.
• The number of Firewall policies, Firewall Addresses, Firewall Address Groups, Firewall Custom Services, Firewall Service Groups, Firewall One-Time Schedules, and Firewall Recurring Schedules that can be added to a VDOM configuration.
• The number of Local Users and User Groups that can be added to a VDOM configuration.
These limits vary by model and are listed in the FortiGate Maximum Values Matrix.
Global resources are modified (as well as reset to default values) from System > VDOM > Global Resources. To set global resource limits, go to System > VDOM > Global Resources. On this page, you can only modify global resources or reset them to default settings.

Global Resources page
Lists the current resources that are available.
Edit  Modifies a resource within the list.
Reset to default value  Resets the resource or resources within the list to default settings.
Resource  The name of the available global resources.
Configured Maximum  The currently configured maximum for this resource.
Default Maximum  The factory configured maximum value for this resource. This number cannot be changed.
Current Usage  The amount of this resource that is currently being used. This value is useful for determining when and if you may need to adjust this value for some resources on your FortiGate unit.

Edit Global Resource Limits
Provides a way to change the default resource limits.
Sessions  Enter the number of sessions that will be applied to the resource.

Global resource usage for individual VDOMs
You can configure resource usage for individual VDOMs to override global limits and specify guaranteed usage for that VDOM. When you add a new VDOM, after giving the VDOM a name and selecting OK, you can configure resource usage for the VDOM. You can also configure resource usage for a VDOM at any time by going to System > VDOM > VDOM and editing a VDOM.
When you add a VDOM, all maximum resource usage settings are 0, indicating that resource limits for this VDOM are controlled by the global resource limits. You do not have to override the maximum settings unless you need to override global limits to further limit the resources available for the VDOM. You cannot set maximum resource usage higher in a VDOM than the corresponding global resource limit.
When configuring resource usage for a VDOM you can set the Maximum and Guaranteed value for each resource.
• The Maximum value limits the amount of the resource that can be used by the VDOM.

• The Guaranteed value represents the minimum amount of the resource available for that VDOM. Setting the guaranteed value makes sure that other VDOMs do not use all of a resource. A guaranteed value of 0 means that an amount of this resource is not guaranteed for this VDOM. You only have to change guaranteed settings if your FortiGate may become low on resources and you want to guarantee that a minimum level is available for this VDOM.
Note: If you set the maximum resource usage for a VDOM you cannot reduce the default maximum global limit for all VDOMs below this maximum.

Resource Usage section on the Edit Virtual Domain page (System > VDOM > VDOM)
Resource  Name of the resource. Includes dynamic and static resources.
Maximum  Override the global limit to reduce the amount of each resource available for this VDOM. The default value is 0, which means the maximum is the same as the global limit. The maximum must be the same as or lower than the global limit.
Guaranteed  Enter the minimum amount of the resource available to this VDOM regardless of usage by other VDOMs. The default value is 0, which means that an amount of this resource is not guaranteed for this VDOM.
Current  The amount of the resource that this VDOM currently uses.
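The Maximum and Guaranteed rules above (a VDOM maximum of 0 inherits the global limit, a VDOM maximum cannot exceed the global limit, the global limit cannot be reduced below a configured VDOM maximum, and a guarantee reserves a minimum for one VDOM) can be modelled to reason about what happens when a unit runs short of a dynamic resource such as sessions. The following Python class is an added example, not FortiOS code and not a description of how FortiOS enforces these limits internally: the way it holds back capacity for guarantees other VDOMs have not yet used, and its check that guarantees across all VDOMs do not add up to more than the global limit, are assumptions marked in the comments. The resource name, default maximum and VDOM names are constructed.

```python
"""Model of global versus per-VDOM resource limits (Maximum / Guaranteed).

Added example, not FortiOS code. It applies the rules stated in the guide and
labels everything else as an assumption."""


class ResourceLimitError(ValueError):
    """Raised when a limit change would break one of the guide's rules."""


class VdomResource:
    """Tracks one dynamic resource (for example Sessions) across all VDOMs."""

    def __init__(self, name, default_max):
        self.name = name
        self.default_max = default_max   # Default Maximum: factory value, never changed
        self.global_max = default_max    # Configured Maximum on the Global Resources page
        self.vdoms = {}                  # vdom name -> {"max", "guaranteed", "current"}

    def add_vdom(self, vdom):
        # A new VDOM starts with Maximum 0 (use the global limit) and Guaranteed 0 (nothing reserved)
        self.vdoms[vdom] = {"max": 0, "guaranteed": 0, "current": 0}

    def effective_max(self, vdom):
        v = self.vdoms[vdom]
        return self.global_max if v["max"] == 0 else v["max"]

    def set_vdom_maximum(self, vdom, maximum):
        # Rule: a VDOM maximum cannot be higher than the global limit (0 means "same as global")
        if maximum < 0 or (maximum != 0 and maximum > self.global_max):
            raise ResourceLimitError(f"{vdom}: maximum {maximum} exceeds global limit {self.global_max}")
        self.vdoms[vdom]["max"] = maximum

    def set_vdom_guaranteed(self, vdom, guaranteed):
        # Assumption (not stated in the guide): guarantees across VDOMs cannot total more than the global limit
        others = sum(v["guaranteed"] for n, v in self.vdoms.items() if n != vdom)
        if guaranteed < 0 or guaranteed + others > self.global_max:
            raise ResourceLimitError(f"{vdom}: guarantees would total more than {self.global_max}")
        self.vdoms[vdom]["guaranteed"] = guaranteed

    def set_global_max(self, value):
        # Rule (Note in the guide): the global limit cannot drop below any VDOM's configured maximum
        highest_vdom_max = max((v["max"] for v in self.vdoms.values()), default=0)
        if not 0 < value <= self.default_max:
            raise ResourceLimitError(f"global maximum must be between 1 and {self.default_max}")
        if value < highest_vdom_max:
            raise ResourceLimitError(f"global maximum {value} is below a VDOM maximum of {highest_vdom_max}")
        self.global_max = value

    def can_allocate(self, vdom):
        """Admission check for one more unit (a session, a dial-up tunnel) in a VDOM."""
        v = self.vdoms[vdom]
        if v["current"] >= self.effective_max(vdom):
            return False
        # Assumption about how guarantees are honoured: capacity other VDOMs are still owed is held back
        reserved = sum(max(0, o["guaranteed"] - o["current"]) for n, o in self.vdoms.items() if n != vdom)
        in_use = sum(o["current"] for o in self.vdoms.values())
        return in_use + reserved < self.global_max

    def allocate(self, vdom):
        """Start one more unit in the VDOM; False means it would be dropped."""
        if not self.can_allocate(vdom):
            return False
        self.vdoms[vdom]["current"] += 1
        return True

    def fill(self, vdom):
        """Allocate until refused; returns how many units were admitted."""
        admitted = 0
        while self.allocate(vdom):
            admitted += 1
        return admitted


def change_allowed(fn, *args):
    """True if the limit change is accepted, False if it violates a rule."""
    try:
        fn(*args)
        return True
    except ResourceLimitError:
        return False


if __name__ == "__main__":
    sessions = VdomResource("session", 100)   # constructed global limit
    for name in ("root", "vdom_1"):
        sessions.add_vdom(name)
    sessions.set_vdom_guaranteed("vdom_1", 20)
    print("root admitted:", sessions.fill("root"))       # 80: 20 held back for vdom_1
    print("vdom_1 admitted:", sessions.fill("vdom_1"))   # 20: its guarantee is honoured
```

The scenario in the main block is the case the guide describes: without a guarantee, root would consume all 100 sessions and vdom_1's users would be dropped; with Guaranteed set to 20 on vdom_1, root is stopped at 80.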

System Network
This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS options. More advanced configuration includes adding zones and VLAN subinterfaces to the FortiGate network configuration. Optional configurations also include configuring the FortiGate unit as a DNS server and an explicit web proxy server.
If you enable virtual domains (VDOMs) on the FortiGate unit, you configure interface and networking options globally for the entire FortiGate unit. All interface settings, including adding interfaces to VDOMs, and the modem interface are part of the global configuration. You configure zones, the DNS database, the explicit web proxy, and the Transparent mode routing table separately for each VDOM. For more information, see "Using virtual domains" on page 79.
The following topics are included in this section:
• Configuring interfaces
• Configuring zones
• Configuring the modem interface
• Configuring FortiGate DNS services
• Configuring the explicit web proxy
• Configuring WCCP
• Routing table (Transparent Mode)
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate interface or to a virtual FortiGate VLAN subinterface.
If you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.

Configuring interfaces
Go to System > Network > Interface to configure FortiGate interfaces. Many interface options are available. Different options are available in NAT/Route mode and in Transparent mode. Some of the options available include:
• modify the configuration of a physical interface
• add VLAN subinterfaces
• aggregate several physical interfaces into an IEEE 802.3ad aggregate interface (some models)
• combine several physical interfaces into a redundant interface (some models)
• add loopback interfaces
• add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs)
• add VDOM links on FortiGate units with multiple VDOMs enabled
• add an sFlow sampler to support sFlow (CLI only)

• configure the modem interface (on some models)
• detect interface status for gateway load balancing
• change the information displayed about the interfaces
• configure a virtual wireless access point (VAP) interface
For more information, see "Configuring interface settings" on page 88.

Interface page
Lists all the interfaces that are default and those that you have created. On this page you can view the status of each interface, create a new interface, edit an existing interface, or remove an interface. Depending on the model you can add a VLAN interface, a loopback interface, an IEEE 802.3ad aggregated interface, or a redundant interface. For more information, see:
• "Adding VLAN interfaces" on page 91
• "Adding loopback interfaces" on page 91
• "Adding 802.3ad aggregate interfaces" on page 92
• "Adding redundant interfaces" on page 93
When VDOMs are enabled, you can also select Create New to add InterVDOM links. For more information, see "VDOM configuration settings" on page 80.
Create New  Select Create New to add a new interface. When you select Create New, you are automatically redirected to the New Interface page.
Switch Mode  On FortiGate models that support switch mode, select Switch Mode to change between switch mode and interface mode. Switch mode combines some FortiGate interfaces into one switch with one IP address. Interface mode allows you to configure them as separate interfaces. See "Switch Mode" on page 88.
On some FortiGate models you can also select Hub Mode. Hub mode is similar to switch mode except that in hub mode the interfaces do not learn the MAC addresses of the devices on the network they are connected to and may also respond quicker to network changes. Normally, you would only select Hub Mode if you are having network performance issues when operating with switch mode. The configuration of the FortiGate unit is the same whether in switch mode or hub mode.
Before switching modes, all configuration settings for the interfaces affected by the change must be set to defaults. When you select Switch Mode, the web-based manager displays the list of affected interfaces.
Show backplane interfaces  Select to make FortiGate-5000 series backplane interfaces visible. Once visible, these interfaces can be configured as regular physical interfaces. See the FortiGate VLANs and VDOMs Guide.
Column Settings  Select to change the columns of information that are displayed on the interface list. For more information, see "Using column settings to control the columns displayed" on page 28.
Description  Displays a description for the interface if one has been added.
Name  The names of the physical interfaces on your FortiGate unit. The names of the physical interfaces depend on the model. Some names indicate the default function of the interface such as internal, external, wan1 (wide area network), wlan (wireless LAN) and dmz. Other names are more generic such as port1, port20, and so on. This includes any alias names that have been configured. Some FortiGate models also include a modem interface named modem. See "Configuring the modem interface" on page 103.
If you have added VLAN interfaces, they also appear in the name list, below the physical or aggregated interface to which they have been added. When you combine several interfaces into an aggregate or redundant interface, only the aggregate or redundant interface is listed, not the component interfaces. See "Adding 802.3ad aggregate interfaces" on page 92 or "Adding redundant interfaces" on page 93. On supported models, the individual interfaces in the switch are not displayed when in switch mode. For more information, see "Switch Mode" on page 88.

If you have added loopback interfaces, they also appear in the interface list, below the physical interface to which they have been added.
If your FortiGate unit supports AMC modules and you have installed an AMC module containing interfaces (for example, the ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named amc-sw1/1, amc-dw1/2, and so on. sw1 or dw1 indicates it is a single width or double width card respectively in slot 1. The last number "/1" indicates the interface number on that card; for the ASM-FB4 card there would be "/1" through "/4".
If you have interface mode enabled on a FortiGate model with a switch interface, you will see multiple internal interfaces. If switch mode is enabled, there will only be one internal interface. For more information, see "Switch Mode" on page 88.
If you have software switch interfaces configured, you will be able to view them. For more information, see "Adding software switch interfaces" on page 100.
In VDOM mode, when VDOMs are not all in NAT or Transparent mode, some values may not be available for display and will be displayed as "-" instead.
IP/Netmask  The current IP address/netmask of the interface. When IPv6 Support is enabled on the web-based manager, IPv6 addresses may be displayed in this column.
Access  The administrative access configuration for the interface. For more information, see "Configuring administrative access to an interface" on page 96.
Administrative Status  The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status of an interface, select the Edit icon to edit the interface and change the Administrative Status setting for the interface.
Link Status  The status of the interface physical connection. Link status can be either up or down. If link status is up, there is an active physical connection between the physical interface and a network switch. If link status is down, the interface is not connected to the network or there is a problem with the connection. Link status is only displayed for physical interfaces. You cannot change link status from the web-based manager.
MAC  The MAC address of the interface.
Mode  Shows the addressing mode of the interface. The addressing mode can be manual, DHCP, or PPPoE.
MTU  The maximum number of bytes per transmission unit (MTU) for the interface. See "Changing interface MTU packet size" on page 98.
Secondary IP  Displays the secondary IP addresses added to the interface. See "Adding secondary IP addresses to an interface" on page 99.
Type  The type of the interface. Valid types include:
• Physical - a physical network interface, including the modem interface
• VLAN - a VLAN interface
• Aggregate - a group of 802.3ad aggregated interfaces
• Redundant - a group of redundant interfaces
• VDOM Link - a pair of virtual interfaces that link two VDOMs
• Pair - two interfaces that are joined together, such as 2 VDOM links
• Switch - two or more interfaces joined together to create a software switch interface
• Tunnel - a virtual IPSec VPN interface
• VAP - a wireless controller virtual access point (VAP or virtual AP) interface
Virtual Domain  The virtual domain to which the interface belongs. This column is visible when VDOM configuration is enabled.
VLAN ID  The configured VLAN ID for VLAN subinterfaces.

Delete: Delete the interface. You can delete VLAN, loopback, IEEE 802.3ad aggregated, and redundant interfaces. You can only delete an interface if it is not used in another configuration.

Edit: Change the interface’s configuration.

View: View the interface’s configuration.

Switch Mode

Switch mode allows you to switch a group of related FortiGate interfaces to operate as a multi-port switch with one IP address. Switch mode is available on FortiGate models with switch hardware. The switch mode feature has two states: switch mode and interface mode. Switch mode is the default mode with only one interface and one address for the entire internal switch. Interface mode allows you to configure each of the internal switch physical interface connections separately. This allows you to assign different subnets and netmasks to each of the internal physical interface connections.

On some FortiGate models you can select Hub Mode. Hub mode is similar to switch mode except that in hub mode the interfaces do not learn the MAC addresses of the devices on the network they are connected to and may also respond quicker to network changes in some circumstances. The configuration of the FortiGate unit is the same whether in switch mode or hub mode.

Before you are able to change between switch mode and interface mode, all configuration settings for the affected interfaces must be set to defaults. This includes firewall policies, routing, DHCP services, DNS forwarding, and VDOM interface assignments. The web-based manager displays the list of affected interfaces. If they are not removed, you will not be able to switch modes, and you will see an error message.

Selecting Switch Mode on the System > Network > Interface screen displays the Switch Mode Management screen.

Interface page (FortiWiFi models only)
Provides settings for switching a group of related FortiGate interfaces to operate as a multi-port switch with one IP address.

Switch Mode: Select Switch Mode. This is the default mode. Only one internal interface is displayed.

Interface Mode: Select Interface Mode. All internal interfaces on the switch are displayed as individually configurable interfaces. The interface display also includes the MAC address of the physical interface.

Hub Mode: Select Hub Mode. You should only select Hub Mode if you are having network performance issues when operating with switch mode.

Configuring interface settings

Go to System > Network > Interface and select Create New to add and configure a VLAN, loopback, IEEE 802.3ad aggregated, or a redundant interface. You can also edit an existing interface to change the settings for an interface. From the FortiGate CLI you can also add software switch interfaces. For more information, see “Adding software switch interfaces” on page 100.

New Interface page
Provides settings for configuring a new interface. When you select Create New on the Interface page, you are automatically redirected to this page. If you are editing an existing interface, you are automatically redirected to the Edit Interface page.

Name: The name of the interface. Available for interfaces added by selecting Create New. You can specify the names of VLAN, loopback, aggregate, and redundant interfaces when you add them. You cannot change the name of an existing interface.

Alias: Enter another name for the interface that will easily distinguish this interface from another. This is available only for physical interfaces, where you cannot configure the name. The alias can be a maximum of 15 characters. The alias name is not part of the interface name. It will not appear in logs, but it will appear in brackets beside the interface name.

Link Status: Indicates whether the interface is connected to a network (link status is Up) or not (link status is Down).

Type: When adding a new interface, set Type to the type of interface that you want to add:
• Set Type to VLAN to add a VLAN interface. See “Adding VLAN interfaces” on page 91.
• Set Type to Loopback Interface to add a loopback interface. See “Adding loopback interfaces” on page 91.
• On some models you can set Type to 802.3ad Aggregate to add an aggregate interface. See “Adding 802.3ad aggregate interfaces” on page 92.
• On some models you can set Type to Redundant Interface to add a redundant interface. See “Adding redundant interfaces” on page 93.
Other types include:
• Software Switch: a software switch interface. See “Adding software switch interfaces” on page 100.
• Tunnel: a virtual IPSec VPN interface. See “Configuring virtual IPSec interfaces” on page 96.
• VAP Interface: a wireless controller virtual access point (VAP or virtual AP) interface. See “Configuring a virtual wireless access point” on page 412.
You cannot change the Type except when adding a new interface.

Interface: Displayed when Type is set to VLAN. Select the name of the physical interface to which to add a VLAN interface. Once created, the VLAN interface is listed below its physical interface in the Interface list. You cannot change the physical interface of a VLAN interface except when adding a new VLAN interface.

VLAN ID: Displayed when Type is set to VLAN. Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. You cannot change the VLAN ID except when adding a new VLAN interface.

Virtual Domain: Select the virtual domain to add the interface to. Admin accounts with the super_admin profile can change the Virtual Domain.

Physical Interface Members: This section has two different forms depending on the interface type:
• Software switch interface: this section is a display-only field showing the interfaces that belong to the software switch virtual interface. See “Adding software switch interfaces” on page 100.
• 802.3ad aggregate or Redundant interface: this section includes available interface and selected interface lists to enable adding or removing interfaces from the interface. See “Adding 802.3ad aggregate interfaces” on page 92 and “Adding redundant interfaces” on page 93.

Available Interfaces: Select interfaces from this list to include in the grouped interface, either a redundant or an aggregate interface. Select the right arrow to add an interface to the grouped interface.

Selected interfaces: These interfaces are included in the aggregate or redundant interface. For redundant interfaces, the interfaces will be activated during failover from the top of the list to the bottom. Select the left arrow to remove an interface from the grouped interface.

Addressing mode: Select the addressing mode for the interface.
• Select Manual and add an IP/Netmask for the interface. If IPv6 configuration is enabled you can add both an IPv4 and an IPv6 address.
• Select DHCP to get the interface IP address and other network settings from a DHCP server. See “Configuring DHCP on an interface” on page 94.
• Select PPPoE to get the interface IP address and other network settings from a PPPoE server. See “Configuring PPPoE on an interface” on page 94.

IP/Netmask: If Addressing Mode is set to Manual, enter an IPv4 address/subnet mask for the interface. Two FortiGate interfaces cannot have IP addresses on the same subnet.

IPv6 Address: If Addressing Mode is set to Manual and IPv6 support is enabled on the web-based manager, enter an IPv6 address/subnet mask for the interface. A single interface can have both an IPv4 and an IPv6 address, or just one or the other.

Enable one-arm sniffer: Select to configure this interface to operate as a one-armed sniffer, as part of configuring a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. Once the interface is enabled for sniffing you cannot use the interface for other traffic. You must add sniffer policies for the interface to actually sniff packets. For more information on one-armed IPS, see the FortiGate Fundamentals chapter in the FortiOS Handbook.

Enable explicit web proxy: Select to enable explicit web proxying on this interface. When enabled, this interface will be displayed on System > Network > Web Proxy under Listen on Web Proxy Interfaces, and web traffic on this interface will be proxied according to the Web Proxy settings. For more information, see “Configuring the explicit web proxy” on page 112.

Enable DDNS: Select Enable DDNS to configure a Dynamic DNS service for this interface. For more information, see “Configuring Dynamic DNS on an interface” on page 95.

Override Default MTU Value: Only available on physical interfaces. To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on the addressing mode of the interface:
• 68 to 1 500 bytes for static mode
• 576 to 1 500 bytes for DHCP mode
• 576 to 1 492 bytes for PPPoE mode
• larger frame sizes if supported by the FortiGate model
Virtual interfaces associated with a physical interface inherit the physical interface MTU size. For more information on MTU size, see “Changing interface MTU packet size” on page 98.
Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.

Enable DNS Query: Select to configure the interface to accept DNS queries. Select recursive or nonrecursive. For more information, see “Configuring FortiGate DNS services” on page 108.
recursive: Look up domain names in the FortiGate DNS database. If the entry is not found, relay the request to the DNS servers configured under System > Network > Options.
nonrecursive: Look up domain names in the FortiGate DNS database. Do not relay the request to the DNS servers configured under System > Network > Options.

Administrative Access: Select the types of administrative access permitted for IPv4 connections to this interface.
HTTPS: Allow secure HTTPS connections to the web-based manager through this interface.
PING: Interface responds to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.

IPv6 Administrative Access: Select the types of administrative access permitted for IPv6 connections to this interface.

SSH: Allow SSH connections to the CLI through this interface.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 139.
TELNET: Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

Administrative Status: Select either Up (green arrow) or Down (red arrow) as the status of this interface. Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic.

Detect Interface Status for Gateway Load Balancing: Configure interface status detection for the main interface IP address. See “Configuring interface status detection for gateway load balancing” on page 97.

Secondary IP Address: Add additional IPv4 addresses to this interface. Select the blue arrow to expand or hide the section. See “Adding secondary IP addresses to an interface” on page 99.

Description: Enter a description of up to 63 characters to describe the interface.

Adding VLAN interfaces

A VLAN interface, sometimes called a VLAN or a VLAN subinterface, is a virtual interface on a physical interface that accepts VLAN-tagged packets using that physical interface. For more information, see the FortiGate VLANs and VDOMs Guide.

To add a VLAN interface
1 Go to System > Network > Interface.
2 Select Create New and set Type to VLAN.
3 Configure the VLAN subinterface settings. The VLAN subinterface must have a Name, a VLAN ID, and a parent physical Interface. See “Configuring interface settings” on page 88.
4 Select OK.

To view the new VLAN subinterface, go to System > Network > Interface and select the expand arrow next to the parent physical interface of the VLAN interface. This will expand the display to show all VLAN subinterfaces on this physical interface. If there is no expand arrow displayed, there are no subinterfaces configured on that physical interface.

Adding loopback interfaces

A loopback interface is an ‘always up’ virtual interface that is not connected to any other interfaces. A loopback interface is not connected to hardware, so it is not affected by hardware problems. As long as the FortiGate unit is functioning, the loopback interface is active. This ‘always up’ feature is useful in dynamic routing, where the FortiGate unit relies on remote routers and the local firewall policies to access the loopback interface. Loopback interfaces connect to a FortiGate unit’s interface IP address without depending on a specific external port. Loopback interfaces were added to assist with blackhole routing, which drops packets sent to a particular network address.

To add a loopback interface - web-based manager
1 Go to System > Network > Interface.
2 Select Create New and set Type to Loopback Interface to add a loopback interface.

3 Configure the loopback interface settings. The loopback interface must have a Name. You can also configure administrative access and add a description. See “Configuring interface settings” on page 88.
4 Select OK.

To add a loopback interface - CLI
The CLI command to configure a loopback interface called loop1 with an IP address of 10.0.0.10 is:

    config system interface
        edit loop1
            set type loopback
            set ip 10.0.0.10 255.255.255.0
        end

For more information, see the config system interface section in the FortiGate CLI Reference.

Adding 802.3ad aggregate interfaces

On some FortiGate models you can aggregate (combine) two or more physical interfaces into an IEEE standard 802.3ad link aggregate interface to increase bandwidth and provide some link redundancy. Aggregate interfaces must all connect to the same next-hop routing destination. An aggregate interface is similar to a redundant interface. Aggregate interfaces provide more bandwidth for the connection to a network, but also create more points of failure than redundant interfaces.

Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you will lose the FA2 acceleration. For example, if you aggregate two accelerated interfaces you will get slower throughput than if the two interfaces were separate.

An interface is available to be an aggregate interface if:
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregate or redundant interface
• it is in the same VDOM as the aggregated interface
• it does not have an IP address and is not configured for DHCP or PPPoE
• it does not have a DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
• it is not referenced in any firewall policy, VIP, or multicast policy
• it is not an HA heartbeat interface
• it is not one of the FortiGate-5000 series backplane interfaces

Interfaces included in an aggregate interface are not listed on the System > Network > Interface list. You cannot configure the interface individually and it is not available for inclusion in firewall policies, firewall virtual IPs, zone or VDOM, or routing.

To create an 802.3ad Aggregate interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the aggregated interface. The interface name must be different from any other interface.

4 From the Type list, select 802.3ad Aggregate.
5 In the Available Interfaces list, move two or more interfaces to include in the aggregate interface to the Selected Interfaces list.
6 Configure other interface options as required. See “Configuring interface settings” on page 88.
7 Select OK.

Adding redundant interfaces

On some FortiGate models you can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails. In a redundant interface, traffic is only going over one interface at any time. This differs from an aggregated interface, where traffic is going over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

An interface is available to be in a redundant interface if:
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregated or redundant interface
• it is in the same VDOM as the redundant interface
• it has no defined IP address and is not configured for DHCP or PPPoE
• it has no DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
• it is not referenced in any firewall policy, VIP, or multicast policy
• it is not monitored by HA
• it is not one of the FortiGate-5000 series backplane interfaces

When an interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, zone or VDOM, or routing.

To create a redundant interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the redundant interface. The interface name must be different from any other interface.
4 From the Type list, select Redundant Interface.
5 In the Available Interfaces list, select each interface that you want to include in the redundant interface and move it to the Selected Interfaces list. In a failover situation, the interface activated will be the next interface down the Selected Interfaces list.
6 Configure other interface options as required. See “Configuring interface settings” on page 88.
7 Select OK.
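The aggregate and redundant member conditions above differ in only one item: an HA heartbeat interface is excluded from an aggregate, and an HA-monitored interface from a redundant interface. As an added example (not code from the guide), the following Python encodes both lists as a single check over a constructed interface inventory; the Iface and Config classes and the port names are assumptions made for the illustration.

```python
"""Member eligibility for 802.3ad aggregate and redundant interfaces.

Added example, not from the FortiGate guide: the nine conditions each list
states are encoded once, with the single HA condition that differs between
the aggregate list (HA heartbeat) and the redundant list (monitored by HA).
The inventory at the bottom is constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Iface:
    name: str
    kind: str = "physical"           # physical, vlan, aggregate or redundant
    vdom: str = "root"
    ip: Optional[str] = None         # manually assigned address, if any
    mode: str = "static"             # static, dhcp or pppoe
    dhcp_server: bool = False        # a DHCP server or relay is configured on it
    parent: Optional[str] = None     # physical parent of a VLAN subinterface
    member_of: Optional[str] = None  # aggregate/redundant group it already belongs to
    backplane: bool = False          # FortiGate-5000 series backplane interface


@dataclass
class Config:
    interfaces: Dict[str, Iface]
    policy_refs: Set[str]            # referenced by a firewall, VIP or multicast policy
    ha_heartbeat: Set[str]           # HA heartbeat interfaces
    ha_monitored: Set[str]           # interfaces monitored by HA


def member_problems(cfg: Config, name: str, group_kind: str, group_vdom: str) -> List[str]:
    """Reasons why `name` cannot join a group of `group_kind` in `group_vdom`.

    group_kind is "aggregate" or "redundant"; an empty list means eligible.
    """
    if group_kind not in ("aggregate", "redundant"):
        raise ValueError("group_kind must be 'aggregate' or 'redundant'")
    i = cfg.interfaces[name]
    problems = []
    if i.kind != "physical":
        problems.append("not a physical interface")
    if i.member_of is not None:
        problems.append("already part of %s" % i.member_of)
    if i.vdom != group_vdom:
        problems.append("not in VDOM %s" % group_vdom)
    if i.ip is not None or i.mode in ("dhcp", "pppoe"):
        problems.append("has an IP address or uses DHCP/PPPoE")
    if i.dhcp_server:
        problems.append("has a DHCP server or relay")
    if any(v.kind == "vlan" and v.parent == name for v in cfg.interfaces.values()):
        problems.append("has VLAN subinterfaces")
    if name in cfg.policy_refs:
        problems.append("referenced by a firewall, VIP or multicast policy")
    # the only condition that differs between the two lists in the guide
    if group_kind == "aggregate" and name in cfg.ha_heartbeat:
        problems.append("is an HA heartbeat interface")
    if group_kind == "redundant" and name in cfg.ha_monitored:
        problems.append("is monitored by HA")
    if i.backplane:
        problems.append("is a FortiGate-5000 backplane interface")
    return problems


def eligible_members(cfg: Config, group_kind: str, group_vdom: str = "root") -> List[str]:
    """Names that could appear in the Available Interfaces list, sorted."""
    return sorted(n for n in cfg.interfaces
                  if not member_problems(cfg, n, group_kind, group_vdom))


# Constructed inventory (hypothetical names and settings).
SAMPLE = Config(
    interfaces={
        "port1": Iface("port1", ip="192.168.1.99 255.255.255.0"),
        "port2": Iface("port2"),
        "port3": Iface("port3"),                         # HA heartbeat
        "port4": Iface("port4"),                         # monitored by HA
        "port5": Iface("port5"),                         # carries a VLAN
        "port5.100": Iface("port5.100", kind="vlan", parent="port5"),
        "port6": Iface("port6"),                         # used by a policy
        "port7": Iface("port7", member_of="agg0"),
        "port8": Iface("port8", mode="dhcp"),
        "port9": Iface("port9", vdom="dmz"),
        "port10": Iface("port10", dhcp_server=True),
        "port11": Iface("port11"),
    },
    policy_refs={"port1", "port6"},
    ha_heartbeat={"port3"},
    ha_monitored={"port4"},
)

if __name__ == "__main__":
    for kind in ("aggregate", "redundant"):
        print(kind, "candidates:", eligible_members(SAMPLE, kind))
    for reason in member_problems(SAMPLE, "port5", "aggregate", "root"):
        print("port5 cannot be aggregated:", reason)
```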

Configuring DHCP on an interface

If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request from the interface. The interface is configured with the IP address and any DNS server addresses and default gateway address that the DHCP server provides.

By default, low-end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled. These settings allow for easy out-of-the-box configuration.

To configure DHCP for an interface, go to System > Network > Interface, select Create New and, in the Address Mode section, select DHCP.

Addressing mode section of New Interface page

Status: Displays DHCP status messages as the interface connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. Status can be one of:
• initializing: No activity.
• connecting: The interface attempts to connect to the DHCP server.
• connected: The interface retrieves an IP address, netmask, and other settings from the DHCP server.
• failed: The interface was unable to retrieve an IP address and other settings from the DHCP server.

Obtained IP/Netmask: The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.

Renew: Select to renew the DHCP lease for this interface. Only displayed if Status is connected.

Expiry Date: The time and date when the leased IP address and netmask are no longer valid. Only displayed if Status is connected.

Default Gateway: The IP address of the gateway defined by the DHCP server. Only displayed if Status is connected and if Receive default gateway from server is selected.

Distance: Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 5.

Retrieve default gateway from server: Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table. Enabled by default on low-end models.

Override internal DNS: Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On low-end models, this is enabled by default. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Configuring PPPoE on an interface

If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request from the interface. FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).

To configure an interface for PPPoE, go to System > Network > Interface, select Create New, and in the Addressing mode section select PPPoE.

Addressing mode section of New Interface page

Status: Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Only displayed if you selected Edit. Select Status to refresh the addressing mode status message. Status can be one of the following 4 messages.
initializing: No activity.
connecting: The interface is attempting to connect to the PPPoE server.
connected: The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE connection information is displayed.
failed: The interface was unable to retrieve an IP address and other information from the PPPoE server.

Reconnect: Select to reconnect to the PPPoE server. Only displayed if Status is connected.

User Name: The PPPoE account user name.

Password: The PPPoE account password.

Unnumbered IP: Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.

Initial Disc Timeout: Enter the initial discovery timeout, the time to wait before starting to retry a PPPoE discovery.

Initial PADT timeout: Enter the initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set the initial PADT timeout to 0 to disable it.

Distance: Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server: Enable to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.

Override internal DNS: Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Configuring Dynamic DNS on an interface

When the FortiGate unit has a static domain name and a dynamic public IP address, you can use a Dynamic DNS (DDNS) service to update Internet DNS servers when the IP address for the domain changes. DDNS is available only in NAT/Route mode.

To configure DDNS on an interface
1 Get the DDNS configuration information from your DDNS service.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enable DDNS.
5 Enter the DDNS configuration information.

If at any time your FortiGate unit cannot contact the DDNS server, it will retry three times at one minute intervals and then change to retrying at three minute intervals. This is to prevent flooding the DDNS server.

The following appears after selecting Enable DDNS:

Server: Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can connect only to one of these services.

Domain: Enter the fully qualified domain name of the DDNS service.

Username: Enter the user name to use when connecting to the DDNS server.

Password: Enter the password to use when connecting to the DDNS server.

Configuring virtual IPSec interfaces

You create a virtual IPSec interface by selecting Enable IPSec Interface Mode when configuring Advanced options for an IPSec VPN Phase 1. For more about configuring IPSec VPN, see “Auto Key (IKE)” on page 355 and “Manual Key” on page 361. In both cases the IPSec VPN virtual interface is added to the physical interface you select in the IPSec VPN configuration. Virtual IPSec interfaces are listed in the System > Network > Interface list.

For an IPSec VPN interface you can:
• configure IP addresses for the local and remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel
• enable administrative access through the IPSec interface
• enter a description for the interface

Name: The name of the IPSec interface.

Virtual Domain: Select the VDOM of the IPSec interface.

IP, Remote IP: If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.

Administrative Access: Select the types of administrative access permitted on this interface.
HTTPS: Allow secure HTTPS connections to the web-based manager through this interface.
PING: Allow the interface to respond to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
SSH: Allow SSH connections to the CLI through this interface.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this interface. See “Configuring SNMP” on page 139.
TELNET: Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

Description: Enter a description of the interface. It can be up to 63 characters.

Configuring administrative access to an interface

Administrative access is how an administrator can connect to the FortiGate unit to view and change configuration settings.
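The HTTP and Telnet access options above are flagged as insecure because they can be intercepted. As an added example (not code from the guide), the following Python parses a listing in the shape of the CLI’s config system interface output, where the allowaccess setting names the permitted management protocols, and reports interfaces that still permit cleartext protocols, plus any management access on interfaces you mark as Internet-facing; the listing and its interface names are constructed for the illustration.

```python
"""Audit of administrative access per interface from a CLI interface listing.

Added example, not from the FortiGate guide. The text parsed here follows the
shape of a 'config system interface' listing; the sample below is constructed
(hypothetical addresses and names). HTTP and Telnet are cleartext protocols
that a third party can intercept, so they are reported wherever enabled.
"""
import shlex
from typing import Dict, Iterable, List

INSECURE = {"http", "telnet"}                           # cleartext management
MANAGEMENT = {"http", "https", "ssh", "telnet", "snmp"}  # everything but ping

SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh http telnet
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http
        set alias "office LAN"
        set type physical
    next
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set type physical
    next
    edit "loop1"
        set vdom "root"
        set type loopback
        set ip 10.0.0.10 255.255.255.0
        set allowaccess ping https
    next
end
"""


def parse_interfaces(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each 'edit <name>' block to its 'set <key> <values...>' lines."""
    interfaces: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = shlex.split(line)[1]
            interfaces[current] = {}
        elif line in ("next", "end"):
            current = None
        elif current is not None and line.startswith("set "):
            parts = shlex.split(line)        # keeps quoted values like "office LAN" whole
            interfaces[current][parts[1]] = parts[2:]
    return interfaces


def audit_admin_access(text: str, internet_facing: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Findings per interface name; interfaces with no findings are omitted."""
    exposed = set(internet_facing)
    findings: Dict[str, List[str]] = {}
    for name, settings in parse_interfaces(text).items():
        access = set(settings.get("allowaccess", []))
        notes = []
        cleartext = sorted(access & INSECURE)
        if cleartext:
            notes.append("cleartext management enabled: " + ", ".join(cleartext))
        if name in exposed and access & MANAGEMENT:
            notes.append("remote administration reachable from the Internet; "
                         "keep it only if required, and then HTTPS or SSH only")
        if notes:
            findings[name] = notes
    return findings


def hardened_allowaccess(access: Iterable[str]) -> str:
    """The corrected allowaccess line with the cleartext protocols removed."""
    kept = [a for a in access if a not in INSECURE]
    return "set allowaccess " + " ".join(kept) if kept else "unset allowaccess"


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for name, notes in audit_admin_access(SAMPLE_CONFIG, internet_facing={"wan1"}).items():
        for note in notes:
            print("%s: %s" % (name, note))
        print("%s: suggested -> %s" % (name, hardened_allowaccess(parsed[name]["allowaccess"])))
```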

You can allow remote administration of the FortiGate unit running in NAT/Route mode, but allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 178).

For more information on configuring administrative access in Transparent mode, see “Operation mode and VDOM management access” on page 163.

To control administrative access to an interface
1 Go to System > Network > Interface.
2 Edit the interface that you want to control administrative access on.
3 Select the Administrative Access methods for the interface.
4 Select OK.

Configuring interface status detection for gateway load balancing

Interface status detection consists of the FortiGate unit confirming that packets sent from an interface result in a response from a server. Usually the server is the next-hop router that leads to an external network or the Internet. Interface status detection sends packets using the configured protocols. If a response is received from the server, the FortiGate unit assumes the server is operating and can forward packets. If a response is not received, the FortiGate unit assumes that the interface cannot connect to the network.

Since it is possible that a response may not be received even if the server and the network are operating normally, the dead gateway detection configuration controls the time interval between testing the connection to the server and the number of times the test can fail before the FortiGate unit assumes that the interface cannot connect to the server. See “Configuring Networking Options” on page 108 for information about configuring dead gateway detection.

You can use up to three different protocols to confirm that an interface can connect to the server.

Note: As long as the FortiGate unit receives responses for at least one of the protocols that you select, the FortiGate unit assumes the interface can connect to the network. Responses that are received to more than one protocol do not enhance the status of the server or interface, and receiving responses from fewer protocols does not reduce the status of the server or interface.

Interface status detection is used for ECMP route failover and load balancing. See “ECMP route failover and load balancing” on page 233. If you have added secondary IP addresses to an interface, you can also configure interface status detection separately for each secondary IP address.

To configure gateway failover detection for an interface, from the web-based manager go to System > Network > Interface and edit an interface. Select Detect Interface Status for Gateway Load Balancing, enter the IP address of the server to test connecting to, and select one or more protocols to use to test the connection to the server.

The Detect Interface Status for Gateway Load Balancing section of the New Interface page

Detect Server – The IP address of the server to test connecting to.

Ping – Use standard ICMP ping to confirm that the server is responding. Ping confirms that the server can respond to an ICMP ping request.

TCP Echo – Use TCP echo to confirm that the server is responding. Select this option if the server is configured to provide TCP echo services. In some cases a server may be configured to reply to TCP echo requests but not to reply to ICMP pings. TCP echo uses TCP packets on port number 7 to send a text string to the server and expects an echo reply back from the server. The echo reply just echoes back the same text to confirm that the server can respond to TCP requests. FortiGate units do not recognize RST (reset) packets from TCP echo servers as normal TCP echo replies. If the FortiGate unit receives an RST response to a TCP echo request, the FortiGate unit assumes the server is unreachable.

UDP Echo – Use UDP echo to detect the server. Select this option if the server is configured to provide UDP echo services. In some cases a server may be configured to reply to UDP echo requests but not to reply to ICMP pings. UDP echo uses UDP packets on port number 7 to send a text string to the server and expects an echo reply from the server. The echo reply just echoes back the same text to confirm that the server can respond to UDP requests.

Spillover Threshold – Set the spillover threshold to limit the amount of bandwidth processed by the interface. The Spillover Threshold range is 0-2097000 KBps. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. For more information, including the order in which interfaces are selected, see “ECMP route failover and load balancing” on page 233.

Note: For more information about TCP echo and UDP echo, see RFC 862.

Changing interface MTU packet size
To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger than the smallest MTU, they are broken up or fragmented, which slows down transmission. You can easily experiment by lowering the MTU to find an MTU size for optimum network performance.

Certain interfaces on some FortiGate models support frames larger than the traditional 1 500 bytes. Contact Fortinet Customer Support for the maximum frame sizes your FortiGate unit supports. To be able to send larger frames over a route, all Ethernet devices on that route must support that larger frame size; otherwise your larger frames will not be recognized and are dropped.

If you have standard size and larger size frame traffic on the same interface, routing alone cannot send them over different routes based only on frame size. However, you can use VLANs to make sure the larger frame traffic is routed over network devices that support that larger size. VLANs inherit the MTU size from the parent interface. You will need to configure the VLAN to include both ends of the route as well as all switches and routers along the route. For more information on VLAN configurations, see the FortiGate VLANs and VDOMs Guide.
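The detection and spillover rules described above, as an added Python illustration. This is not FortiGate code: it simulates the decisions the settings control, using constructed probe results and interface loads. One valid reply from any selected protocol keeps the gateway up, a TCP RST is not an echo reply, the interface is declared unreachable only after the configured number of consecutive failed tests (Detection Interval times Fail-over Detection seconds), and a new ECMP session goes to the lowest numbered interface that is up and still below its spillover threshold. The probe payload text and the result when every interface has reached its threshold are assumptions made for the example.

```python
"""Interface status detection and ECMP spillover, simulated.
Added example; not FortiGate code. Probe results and loads are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ECHO_PORT = 7  # RFC 862 TCP and UDP echo service port


@dataclass
class ProbeResult:
    """What one test cycle got back from the detect server, per protocol.
    ping: True when an ICMP echo reply arrived, None when nothing came back.
    tcp_echo / udp_echo: the text echoed back, "RST" for a TCP reset,
    None when nothing came back."""
    ping: Optional[bool] = None
    tcp_echo: Optional[str] = None
    udp_echo: Optional[str] = None


def echo_reply_valid(sent: str, reply: Optional[str]) -> bool:
    """RFC 862: a valid echo reply carries the same text that was sent.
    A TCP RST is not an echo reply, so it counts as no response."""
    return reply is not None and reply != "RST" and reply == sent


def server_reachable(result: ProbeResult, protocols: Sequence[str],
                     probe_text: str) -> bool:
    """At least one selected protocol must answer; extra answers add nothing,
    and replies on protocols that were not selected are ignored."""
    answers = []
    if "ping" in protocols:
        answers.append(result.ping is True)
    if "tcp-echo" in protocols:
        answers.append(echo_reply_valid(probe_text, result.tcp_echo))
    if "udp-echo" in protocols:
        answers.append(echo_reply_valid(probe_text, result.udp_echo))
    return any(answers)


@dataclass
class DeadGatewayDetector:
    """Dead gateway detection: test every interval_s seconds and declare the
    interface unable to reach its gateway after failover_count consecutive
    failed tests; a single successful test restores it."""
    interval_s: int                 # Detection Interval
    failover_count: int             # Fail-over Detection
    protocols: Tuple[str, ...]      # ping, tcp-echo, udp-echo
    probe_text: str = "detect-probe"  # assumed payload for the echo tests
    failures: int = 0
    up: bool = True

    def observe(self, result: ProbeResult) -> bool:
        if server_reachable(result, self.protocols, self.probe_text):
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.failover_count:
                self.up = False
        return self.up

    def seconds_until_declared_dead(self) -> int:
        """Worst-case time from the first missed reply to the interface being marked down."""
        return self.interval_s * self.failover_count


def spillover_interface(interfaces: List[Tuple[str, int, bool]],
                        threshold_kbps: int) -> Optional[str]:
    """Pick the ECMP interface for a new session: the first interface in list
    order (lowest numbered) that is up and below its spillover threshold.
    Returning None when none qualifies is a simplification for this example."""
    for name, load_kbps, up in interfaces:
        if up and load_kbps < threshold_kbps:
            return name
    return None


if __name__ == "__main__":
    det = DeadGatewayDetector(interval_s=5, failover_count=3,
                              protocols=("ping", "tcp-echo"))
    for r in (ProbeResult(tcp_echo="detect-probe"), ProbeResult(tcp_echo="RST"),
              ProbeResult(), ProbeResult()):
        print(det.observe(r), det.failures)
    print(spillover_interface([("port1", 900, True), ("port2", 100, True)], 800))
```

Running the block prints the interface state after each constructed test cycle: the RST and the two silent cycles count as three failures, so the interface is marked down on the third, and the new session spills to port2 because port1 is already above the 800 KBps threshold.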

To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose a physical interface and select Edit.
3 Below Administrative Access, select Override default MTU value (1 500).
4 Set the MTU size.
If you select an MTU size larger than your FortiGate unit supports, an error message will indicate this. In this situation, try a smaller MTU size until the value is supported.

Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN subinterfaces on the modified interface.

In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces on the FortiGate unit to match the new MTU.

Adding secondary IP addresses to an interface
If an interface is configured with a manual or static IP address, you can also add secondary static IP addresses to the interface. Adding secondary IP addresses effectively adds multiple IP addresses to the interface. The FortiGate unit, static and dynamic routing, and the network see the secondary IP addresses as additional IP addresses that terminate at the interface. All of the IP addresses added to an interface are associated with the single MAC address of the physical interface, and all secondary IP addresses are in the same VDOM as the interface that they are added to. You configure interface status detection for gateway load balancing separately for each secondary IP address. As with all other interface IP addresses, secondary IP addresses cannot be on the same subnet as any other primary or secondary IP address assigned to a FortiGate interface unless they are in separate VDOMs. Secondary IP addresses cannot be assigned using DHCP or PPPoE.

To add secondary IP addresses to an interface
1 Go to System > Network > Interface.
2 Edit the physical interface to add secondary IP addresses to.
3 Make sure the interface Addressing Mode is set to Manual and that you have added an IP/Netmask to the interface.
4 Select the blue arrow to expand the Secondary IP Address section.
5 Configure the settings for a secondary IP address and select OK to add the address and its configuration settings to the interface.
6 Repeat to add more secondary IP addresses.
7 Select OK or Apply at the bottom of the Edit Interface dialog to add the secondary IP addresses to the interface.

Tip: After adding secondary IP addresses and selecting OK to save changes to the Edit Interface dialog, you should view the interface again to make sure the secondary IP addresses have been added as expected.

Secondary IP Address section of the New Interface page
Lists the secondary IP addresses that you created.

Add – Select to create a new secondary IP address. When you select Add, you are automatically redirected to the Edit Interface page.
IP/Netmask – The IP address and netmask for the secondary IP.
Detect Server Enable – Indicates whether interface status detection is enabled for the secondary IP address.

Detect Server – The IP address of the detect server for the secondary IP address.
Detect Protocol – The detect protocols configured for the secondary IP address.
Administrative Access – The administrative access methods for this address.
Delete – Select to remove this secondary IP address.
Edit – Edit the selected secondary IP address. When you select the Edit icon, the settings for the secondary IP address to edit appear in the fields above the secondary IP address table. You can edit these settings and select OK to save changes to the secondary IP address.

Note: If you select the Edit icon to edit a secondary IP address and change the IP/Netmask, when you select OK a new secondary IP address is added. If you only wanted to change the IP/Netmask and not add a new secondary IP address, you should delete the secondary IP address that you selected the Edit icon for.

Edit Interface page
Provides settings for configuring the IP addresses. When you select Add, you are automatically redirected to this page.

IP/Netmask – Enter the IP address/subnet mask of the secondary IP address. The secondary IP address must be on a different subnet than the primary IP address.
Detect Interface Status for Gateway Load Balancing – Configure interface status detection for the secondary IP address. See “Configuring interface status detection for gateway load balancing” on page 97.
Detect Server – Enter the server that will be used. The same detect server can be shared by multiple secondary IP addresses, and it can be different from the one used for the primary IP address.
Detect Protocol – Enter the protocols for the secondary IP address. You can choose from ping, udp-echo and tcp-echo.
Administrative Access – Select the types of administrative access permitted on the secondary IP.
HTTPS – Allow secure HTTPS connections to the web-based manager through this secondary IP.
PING – Allow the secondary IP to respond to pings. Use this setting to verify your installation and for testing.
HTTP – Allow HTTP connections to the web-based manager through this secondary IP. HTTP connections are not secure and can be intercepted by a third party.
SSH – Allow SSH connections to the CLI through this secondary IP.
SNMP – Allow a remote SNMP manager to request SNMP information by connecting to this secondary IP. See “Configuring SNMP” on page 139.
TELNET – Allow Telnet connections to the CLI through this secondary IP. Telnet connections are not secure and can be intercepted by a third party.

Adding software switch interfaces
You can add software switch interfaces (also called soft switch interfaces) from the FortiGate CLI. A software switch interface forms a simple bridge between two or more physical or wireless FortiGate interfaces. The interfaces added to a software switch interface are called physical interface members. A software switch interface has one IP address and otherwise functions like a normal interface. You create firewall policies to and from software switch interfaces, and software switch interfaces can be added to zones.

There are some limitations. Similar to aggregate interfaces, software switch interfaces cannot be monitored by HA or used as HA heartbeat interfaces. The members of a software switch interface cannot be accessed as individual interfaces after being added to a software switch interface; they are removed from the system interface table.

If you want to add interfaces to a software switch interface, no configuration settings can refer to those interfaces. This includes default routes, VLANs, inter-VDOM links, and policies.

Use the following CLI command to add a software switch interface called soft_switch that includes the port1, external and dmz physical interfaces:
  config system switch-interface
    edit soft_switch
      set members port1 external dmz
  end

Adding an sFlow agent to a FortiGate interface
sFlow is a network monitoring protocol defined in RFC 3176 and described in http://www.sflow.org. You can configure one or more FortiGate interfaces as sFlow agents that monitor network traffic and send sFlow datagrams containing information about traffic flow to an sFlow collector.

sFlow is normally used to provide an overall traffic flow picture of your network. You would usually operate sFlow agents on switches, routers, and firewalls on your network, collect traffic data from all of them and use a collector to show traffic flows and patterns. Using this data you can determine normal traffic flow patterns for your network and then monitor for traffic flow problems. As these problems are found you can attempt to correct them and continue to use the sFlow agents and collectors to view the results of your corrective action.

You can add sFlow agents to any FortiGate interface, including physical interfaces, VLAN interfaces, and aggregate interfaces. The FortiGate sFlow agent functions like any sFlow agent, combining interface counters and flow samples into sFlow datagrams that are immediately sent to an sFlow collector. Because the sFlow datagrams are sent immediately, without processing the data and without collecting large amounts of data, running the sFlow agent has almost no effect on system performance.

To begin using sFlow you must add the IP address of your sFlow collector to the FortiGate configuration and then configure sFlow agents on FortiGate interfaces.

To configure the FortiGate unit to send sFlow datagrams to an sFlow collector
You can only configure sFlow from the CLI.
1 Enter the following command to set the IP address of your sFlow collector to 172.20.120.11:
  config system sflow
    set collector-ip 172.20.120.11
  end
2 If required, you can also change the UDP port number that the sFlow agent uses. The default sFlow port is 6343. You should only change this port if required by your network configuration or sFlow collector. The following command changes the sFlow agent port to 6345:
  config system sflow
    set collector-port 6345
  end
3 Use the following command to enable sFlow for the port1 interface:
  config system interface
    edit port1
      set sflow-sample enable
  end

4 Repeat this step to add sFlow agents to other FortiGate interfaces.
5 You can also change the sampling rate, polling interval, and sample direction for each sFlow agent:
  config system interface
    edit port1
      set sample-rate <rate_number>
      set polling-interval <frequency>
      set sample-direction {both | rx | tx}
  end

sFlow with multiple VDOMs
For a FortiGate unit operating with multiple VDOMs, you can add different sFlow collector IP addresses and port numbers to each non-management VDOM. The management VDOM and all VDOMs that you have not configured a VDOM-specific configuration for use the global sFlow configuration. Use the following command to customize the sFlow configuration for a VDOM named VDOM_1:
  config vdom
    edit VDOM_1
      config system vdom-sflow
        set vdom-sflow enable
        set collector-ip 172.20.120.11
      end
  end

Configuring zones
Group interfaces into zones to simplify policy creation. By grouping interfaces into a zone you can add one set of firewall policies for the zone instead of adding separate policies for each interface. You can add all types of interfaces to a zone (physical, VLAN, switch, and so on), and a zone can consist of any combination of interface types. Interface names depend on the FortiGate model. Once you add interfaces to a zone, you cannot configure policies for the interfaces, but only for the zone. You can add zones, rename and edit zones, and delete zones from the zone list. When you add a zone, you select the names of the interfaces to add to the zone.

Zones are configured from virtual domains. If you have added multiple virtual domains to your FortiGate configuration, make sure you are configuring the correct virtual domain before adding or editing zones.

Configure zones by going to System > Network > Zone. On this page you can edit, delete and create new zones. To add a zone, select Create New.

Zone page
Lists all of the zones that you created.

Create New – Select to create a new zone.
Name – Names of the zones.
Block intra-zone traffic – Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.
Interface Members – Names of the interfaces added to the zone.
Edit – Edit or view a zone.
Delete – Delete a zone.
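What the collector configured above actually receives, as an added Python illustration that builds and decodes one sFlow datagram carrying a flow sample. This is not FortiGate code. The byte layout follows the sFlow version 5 specification published at sflow.org (datagram header, flow sample, raw packet header record); the page only cites RFC 3176, so the assumption that the agent emits version 5 rather than the RFC 3176 version 4 format is the example's, as are the agent address, interface indexes and sampled header bytes. The decoder also shows the arithmetic a collector applies to the sample-rate setting: each sampled frame stands for sample-rate frames of that size.

```python
"""Build and decode an sFlow v5 datagram with one flow sample.
Added example; not FortiGate code. Layout per the sFlow v5 spec (sflow.org);
agent address, interface indexes and the sampled header are constructed."""
import socket
import struct

SFLOW_V5 = 5
AGENT_ADDR_IPV4 = 1
SAMPLE_FLOW = 1            # enterprise 0, format 1: flow sample
RECORD_RAW_HEADER = 1      # flow record format 1: raw packet header
HEADER_PROTO_ETHERNET = 1  # header_protocol ETHERNET-ISO88023


def _pad4(b: bytes) -> bytes:
    """XDR opaque data is padded with zeros to a multiple of four bytes."""
    return b + b"\x00" * (-len(b) % 4)


def encode_flow_sample(seq, source_index, sampling_rate, sample_pool, drops,
                       input_if, output_if, frame_length, header):
    """One flow sample holding a single raw-header record."""
    record = struct.pack("!IIII", HEADER_PROTO_ETHERNET, frame_length,
                         0, len(header)) + _pad4(header)
    body = struct.pack("!IIIIIIII", seq, source_index, sampling_rate,
                       sample_pool, drops, input_if, output_if, 1)
    body += struct.pack("!II", RECORD_RAW_HEADER, len(record)) + record
    return struct.pack("!II", SAMPLE_FLOW, len(body)) + body


def encode_datagram(agent_ip, sub_agent_id, seq, uptime_ms, samples):
    head = struct.pack("!II", SFLOW_V5, AGENT_ADDR_IPV4) + socket.inet_aton(agent_ip)
    head += struct.pack("!IIII", sub_agent_id, seq, uptime_ms, len(samples))
    return head + b"".join(samples)


def decode_datagram(data: bytes) -> dict:
    """Return the header fields and the decoded flow samples. Sample and record
    types this example does not know are skipped using their length field."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_V5 or addr_type != AGENT_ADDR_IPV4:
        raise ValueError("unsupported sFlow version or agent address type")
    agent = socket.inet_ntoa(data[8:12])
    sub_agent_id, seq, uptime_ms, n_samples = struct.unpack_from("!IIII", data, 12)
    pos, samples = 28, []
    for _ in range(n_samples):
        sample_type, length = struct.unpack_from("!II", data, pos)
        pos += 8
        if sample_type == SAMPLE_FLOW:
            samples.append(_decode_flow_sample(data, pos))
        pos += length
    return {"agent": agent, "sub_agent_id": sub_agent_id, "sequence": seq,
            "uptime_ms": uptime_ms, "samples": samples}


def _decode_flow_sample(data: bytes, pos: int) -> dict:
    (seq, source, rate, pool, drops, in_if, out_if,
     n_records) = struct.unpack_from("!IIIIIIII", data, pos)
    pos += 32
    sample = {"sequence": seq, "source_index": source & 0xFFFFFF,
              "sampling_rate": rate, "sample_pool": pool, "drops": drops,
              "input_if": in_if, "output_if": out_if, "records": []}
    for _ in range(n_records):
        fmt, length = struct.unpack_from("!II", data, pos)
        pos += 8
        if fmt == RECORD_RAW_HEADER:
            proto, frame_len, stripped, hdr_len = struct.unpack_from("!IIII", data, pos)
            sample["records"].append({
                "protocol": proto, "frame_length": frame_len, "stripped": stripped,
                "header": data[pos + 16:pos + 16 + hdr_len],
                # one sampled frame represents sampling_rate frames of this size
                "estimated_bytes": frame_len * rate})
        pos += length
    return sample


def bytes_per_input_interface(datagram: dict) -> dict:
    """Estimate traffic volume per ingress ifIndex from the scaled samples."""
    totals = {}
    for s in datagram["samples"]:
        for r in s["records"]:
            totals[s["input_if"]] = totals.get(s["input_if"], 0) + r["estimated_bytes"]
    return totals


# Constructed 18-byte sampled header: Ethernet dst/src/type plus the start of an
# IPv4 header; 18 is not a multiple of 4, so the record gets two padding bytes.
SAMPLE_HEADER = bytes.fromhex("001122334455" "66778899aabb" "0800" "4500003c")
DEMO = encode_datagram("192.0.2.1", 0, 1, 60000, [
    encode_flow_sample(seq=1, source_index=3, sampling_rate=512, sample_pool=1024,
                       drops=0, input_if=3, output_if=5, frame_length=1514,
                       header=SAMPLE_HEADER)])

if __name__ == "__main__":
    print(decode_datagram(DEMO))
    print(bytes_per_input_interface(decode_datagram(DEMO)))
```

A real collector would read these datagrams from UDP port 6343 (or the port set with collector-port) and would also see counter samples; the decoder skips those by length, so it can be pointed at captured FortiGate datagrams without change, with the version check reporting if the agent turns out to use a different format.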
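How zone membership changes policy matching, as an added Python illustration for the zone pages above. This is not FortiOS code; the zones, interface names and policies are constructed. It models the two statements the pages make: once an interface is in a zone, policies are written for the zone rather than the interface, and intra-zone traffic is either blocked or not according to the Block intra-zone traffic setting. That traffic between members of a zone that does not block intra-zone traffic passes without a policy, and that an unmatched session is denied, are the example's assumptions.

```python
"""Zone membership and policy matching, simulated.
Added example; not FortiOS code. Zones, interfaces and policies are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Zone:
    name: str
    members: List[str]            # interface names; these depend on the model
    block_intrazone: bool = False  # the "Block intra-zone traffic" setting


@dataclass
class Policy:
    src: str     # zone name, or interface name for an interface not in a zone
    dst: str
    action: str  # "accept" or "deny"


def zone_of(iface: str, zones: List[Zone]) -> Optional[Zone]:
    return next((z for z in zones if iface in z.members), None)


def policy_name(iface: str, zones: List[Zone]) -> str:
    """Policies name the zone once the interface belongs to one."""
    z = zone_of(iface, zones)
    return z.name if z else iface


def decide(src_if: str, dst_if: str, zones: List[Zone],
           policies: List[Policy]) -> str:
    """Decision for a new session arriving on src_if and routed out dst_if."""
    sz, dz = zone_of(src_if, zones), zone_of(dst_if, zones)
    if sz is not None and sz is dz and not sz.block_intrazone:
        return "accept"   # intra-zone traffic not blocked (assumption above)
    src, dst = policy_name(src_if, zones), policy_name(dst_if, zones)
    for p in policies:    # first matching policy in list order wins
        if p.src == src and p.dst == dst:
            return p.action
    return "deny"         # no matching policy: implicit deny (assumption above)


def invalid_policies(zones: List[Zone], policies: List[Policy]) -> List[Policy]:
    """Return policies that still name an interface that is a zone member;
    such policies can no longer be configured once the zone exists."""
    members = {m for z in zones for m in z.members}
    return [p for p in policies if p.src in members or p.dst in members]


if __name__ == "__main__":
    zones = [Zone("internal", ["port1", "port2"]), Zone("dmz", ["dmz1"])]
    policies = [Policy("internal", "dmz", "accept")]
    print(decide("port1", "dmz1", zones, policies))   # accept via the zone policy
    print(decide("port1", "port2", zones, policies))  # intra-zone, not blocked
    zones[0].block_intrazone = True
    print(decide("port1", "port2", zones, policies))  # now needs a policy
```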

Edit Zone page
Provides settings for configuring zones. When editing an existing zone, you are automatically redirected to this page.

Zone Name – Enter the name for the zone.
Block intra-zone traffic – Enable blocking of intra-zone traffic.
Interface members – Select the interface or interfaces that will be associated with this zone. The interfaces that appear reflect the interfaces that are on your specific model. For example, on a FortiGate-50B the interfaces internal, wan1 and wan2 are available for zones.

Configuring the modem interface
A FortiGate unit can include a modem interface if you connect a modem in one of the following ways:
• You can connect a supported USB modem to any FortiGate model with a USB interface.
• You can insert a supported PCMCIA modem into any FortiGate model with a PCMCIA slot. Power off the FortiGate unit before inserting the PCMCIA modem. After inserting the modem, when you power up the FortiGate unit it should automatically find the modem and create the modem interface.
• You can connect a supported serial modem to any FortiGate model with a serial modem port. Other models can connect to an external modem through a USB-to-serial converter. For these models, you must configure modem operation using the CLI. See the system modem command in the FortiGate CLI Reference.

Note: The modem interface is not the AUX port. While the modem and AUX port may appear similar, the AUX port has no associated interface and is used for remote console connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and 3000A. For more information, see the config system aux command in the FortiGate CLI Reference.

In NAT/Route mode the modem can be in one of two modes:
• In redundant (backup) mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
• In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet.

In redundant or standalone mode, when connecting to the ISP you can configure the FortiGate unit to automatically have the modem dial up to three dialup accounts until the modem connects to an ISP.

Initially, modem interfaces are disabled and must be enabled in the CLI to be visible in the web-based manager.

This topic contains the following:
• Connecting and disconnecting the modem
• Redundant mode configuration
• Standalone mode configuration
• Adding firewall policies for modem connections
• Checking modem status

Configuring modem settings
Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts. You can configure up to three dialup accounts, select standalone or redundant operation, and configure how the modem dials and disconnects.

If the modem is disabled, it will not appear in the interface list and must be enabled from the CLI using the following command syntax:
  config system modem
    set status enable
  end
After being enabled in the CLI, you can then go to System > Network > Modem to configure the modem in the web-based manager.

Note: You cannot configure and use the modem in Transparent mode.

If VDOMs are enabled, the modem can be assigned to one of the VDOMs just like the other interfaces.

For FortiGate-60B and FortiWifi-60B models with modems, the modem can be a management interface. When enabled, a user can dial into the unit’s modem and perform administration actions as if logged in over one of the standard interfaces. This feature is enabled in the CLI using config system dialinsvr command syntax.

Modem page
Provides settings for configuring the modem and dialup accounts.

Enable Modem – Select to enable the FortiGate modem.
Modem status – Modem status can be: not active, connecting, connected, disconnecting, or hung up.
Dial Now/Hang Up – (Standalone mode only) Select Dial Now to manually connect to a dialup account. If the modem is connected, you can select Hang Up to manually disconnect the modem.
Mode – Select Standalone or Redundant mode.
Auto-dial (Standalone mode) – Select to dial the modem automatically if the connection is lost or the FortiGate unit is restarted. You cannot select Auto-dial if Dial on demand is selected.
Dial on demand (Standalone mode) – Select to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle timeout period if there is no network activity. You cannot select Dial on demand if Auto-dial is selected.
Idle timeout (Standalone mode) – Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redundant for (Redundant mode) – Select the ethernet interface for which the modem provides backup service.
Holddown Timer (Redundant mode) – Enter the time (1-60 seconds) that the FortiGate unit waits before switching back to the primary interface from the modem interface, after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiGate unit switching repeatedly between the primary interface and the modem interface.
Redial Limit – The maximum number of times (1-10) that the FortiGate unit modem attempts to reconnect to the ISP if the connection fails. Select None to have no limit on redial attempts. The default redial limit is 1.
Wireless Modem – Display a connected wireless modem if available.
Supported Modems – Select to view a list of supported modems.

Usage History – Display connections made on the modem interface. Information displayed about connections includes:
• date and time
• duration of the connection in hours, minutes, and seconds
• IP address connected to
• traffic statistics including received, sent, and total
• current status of the connection
Dialup Account – Configure up to three dialup accounts. The FortiGate unit tries connecting to each account in order until a connection can be established. The active dialup account is indicated with a green check mark.
Phone Number – The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
User Name – The user name (maximum 63 characters) sent to the ISP.
Password – The password sent to the ISP.
Extra Initialization String – An extra initialization string.

To configure the modem in Redundant mode, see “Redundant mode configuration” on page 105. To configure the modem in Standalone mode, see “Standalone mode configuration” on page 106.

Redundant mode configuration
In redundant mode the modem interface backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface. The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface is able to connect to its network. You can set a holddown timer that delays the switch back to the ethernet interface to ensure it is stable and fully active before switching the traffic.

For the FortiGate unit to be able to switch from an ethernet interface to the modem, you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.

Note: Do not add policies for connections between the modem interface and the ethernet interface that the modem is backing up.

To configure redundant mode
1 Go to System > Network > Modem.
2 Select Redundant mode.
3 Enter the following information:

Redundant for – From the list, select the interface to back up.
Holddown timer – Enter the number of seconds to continue using the modem after the network connectivity is restored.
Redial Limit – Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3 – Enter the ISP phone number, user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure interface status detection for the ethernet interface the modem backs up. See “Configuring interface status detection for gateway load balancing” on page 97.
6 Configure firewall policies for network connectivity through the modem interface. See “Adding firewall policies for modem connections” on page 107.

Standalone mode configuration
In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the FortiGate unit restarts or when there are unrouted packets. The modem will disconnect after a period of network inactivity set by the value in idle timeout. This saves money on dialup connection charges. If the connection to the dialup account fails, the FortiGate unit will redial the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account. You can also hang up or redial the modem manually.

You must configure firewall policies for connections between the modem interface and other FortiGate interfaces. See “Adding firewall policies for modem connections” on page 107. You must also go to Router > Static to configure static routes to route traffic to the modem interface. For example, if the modem interface is acting as the FortiGate unit external interface, you must set the device setting of the FortiGate unit default route to modem.

To configure standalone mode
1 Go to System > Network > Modem.
2 Select Standalone mode.
3 Enter the following information:
Auto-dial – Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand – Select if you want the modem to connect to its ISP whenever there are unrouted packets.
Idle timeout – Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redial Limit – Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3 – Enter the ISP phone number, user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface. See “Adding firewall policies for modem connections” on page 107.
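The redundant-mode behaviour described above, as an added Python simulation that is not FortiGate code: the backed-up interface fails its status detection, the modem dials the accounts in order, traffic moves to the modem, and after the ethernet interface is restored the holddown timer must expire before traffic moves back, with any flap during the holddown restarting it. The dial outcomes are constructed. Reading the redial limit as the number of extra passes through the account list after the first, and the "not active"/"connecting"/"connected"/"disconnecting"/"hung up" status names being reused for the simulated state, are the example's assumptions.

```python
"""Redundant-mode modem failover with holddown timer and redial limit.
Added example; not FortiGate code. Dial outcomes are constructed."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional

_EXHAUSTED = object()


@dataclass
class RedundantModem:
    redundant_for: str            # ethernet interface being backed up
    holddown_s: int               # 1-60 s wait before switching back
    redial_limit: Optional[int]   # None means no limit
    accounts: List[str]           # dialup account phone numbers, tried in order
    status: str = "not active"
    active_account: Optional[str] = None
    using_modem: bool = False
    restored_at: Optional[int] = None   # when the primary came back up
    switch_log: List[str] = field(default_factory=list)

    def dial(self, answers: Iterator[bool]) -> bool:
        """Try each account in order; `answers` yields one constructed True/False
        per dial attempt. Assumption: the redial limit is the number of extra
        passes through the account list after the first pass."""
        passes = 0
        while self.redial_limit is None or passes <= self.redial_limit:
            for acct in self.accounts:
                self.status = "connecting"
                answer = next(answers, _EXHAUSTED)
                if answer is _EXHAUSTED:       # no more constructed outcomes
                    self.status = "hung up"
                    return False
                if answer:
                    self.status = "connected"
                    self.active_account = acct
                    return True
            passes += 1
        self.status = "hung up"
        return False

    def hang_up(self) -> None:
        self.status = "disconnecting"
        self.active_account = None
        self.status = "hung up"

    def tick(self, now_s: int, primary_up: bool, answers: Iterator[bool]) -> str:
        """One detection cycle. primary_up is the interface status detection
        result for the backed-up interface. Returns which interface carries
        traffic: 'modem', the ethernet interface name, or 'none'."""
        if not primary_up:
            self.restored_at = None          # a flap restarts the holddown
            if not self.using_modem and self.dial(answers):
                self.using_modem = True
                self.switch_log.append(f"{now_s}s: failover to modem via {self.active_account}")
            return "modem" if self.using_modem else "none"
        if self.using_modem:
            if self.restored_at is None:
                self.restored_at = now_s
            if now_s - self.restored_at < self.holddown_s:
                return "modem"               # holddown still running
            self.hang_up()
            self.using_modem = False
            self.switch_log.append(f"{now_s}s: back to {self.redundant_for}")
        return self.redundant_for


if __name__ == "__main__":
    m = RedundantModem("wan1", holddown_s=10, redial_limit=1,
                       accounts=["5551000", "5552000"])
    outcomes = iter([False, True])          # first account no answer, second connects
    for t, up in [(0, True), (5, False), (10, True), (15, True), (17, False), (20, True), (30, True)]:
        print(t, up, m.tick(t, up, outcomes), m.status)
    print("\n".join(m.switch_log))
```

With a holddown of 10 seconds the primary is back at 10 s and again at 20 s after a flap at 17 s, so traffic only returns to wan1 at 30 s; a 1 second holddown would have switched back at 10 s and then failed over again at 17 s, which is the flapping the Holddown Timer setting exists to avoid.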

6 Go to Router > Static and set device to modem to configure static routes to route traffic to the modem interface. See “Adding a static route to the routing table” on page 232.

Connecting and disconnecting the modem
The following procedures explain how to connect to and disconnect from a dialup account. Verify that the modem is in Standalone mode before connecting to or disconnecting from a dialup account, because these operations require Standalone mode.

To connect to a dialup account
1 Go to System > Network > Modem.
2 Select Enable USB Modem.
3 Verify the information in Dialup Accounts.
4 Select Apply.
5 Select Dial Now.
The FortiGate unit dials into each dialup account in turn until the modem connects to an ISP.

To disconnect from a dialup account
1 Go to System > Network > Modem.
2 Select Hang Up to disconnect the modem. (Standalone mode only) The modem will not redial unless you select Dial Now.

Checking modem status
You can determine the connection status of your modem and which dialup account is active. If the modem is connected to the ISP, you can see the IP address and netmask. To check the modem status, go to System > Network > Modem. Modem status is one of the following:
not active – The modem is not connected to the ISP.
connecting – The modem is attempting to connect to the ISP.
connected – The modem is connected to the ISP.
disconnecting – The modem is disconnecting from the ISP.
hung up – The modem has disconnected from the ISP.
A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appear on the System > Network > Interface page of the web-based manager.

Adding firewall policies for modem connections
The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see “Address” on page 275. You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information on configuring firewall policies, see “Policy” on page 261.

Configuring Networking Options
Network options include DNS server and dead gateway detection settings. You can configure DNS and other network options settings from System > Network > Options. Dead gateway detection settings control how interface status detection functions. Configure interface status detection for one or more FortiGate interfaces and use the dead gateway detection settings to configure how interface status detection functions. For information, see “Configuring interface status detection for gateway load balancing” on page 97.

Networking Options page
Provides settings for configuring DNS settings as well as dead gateway detection settings. You can also view DNS server settings and dead gateway detection settings from this page.

DNS Settings
Primary DNS Server – Enter the primary DNS server IP address.
Secondary DNS Server – Enter the secondary DNS server IP address.
Local Domain Name – Enter the domain name to append to addresses with no domain portion when performing DNS lookups.
IPv6 DNS Settings
Primary DNS Server – Enter the primary IPv6 DNS server IP address.
Secondary DNS Server – Enter the secondary IPv6 DNS server IP address.
Dead Gateway Detection
Detection Interval – Enter a number in seconds to specify how often the FortiGate unit detects interface status.
Fail-over Detection – Enter the number of times that interface status tests fail before the FortiGate unit assumes that the interface is no longer functioning.

DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS server IP addresses are usually supplied by your ISP.

You can configure FortiGate models numbered 100 and lower to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See “Configuring DHCP on an interface” on page 94 or “Configuring PPPoE on an interface” on page 94.

FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to the DNS server addresses that you configured or that the FortiGate unit obtained automatically.

Configuring FortiGate DNS services
You can configure a FortiGate unit to be the DNS server for any networks that can communicate with a FortiGate interface. You set up the DNS configuration for each interface in one of the following ways:
• The interface relays DNS requests to the DNS servers configured for the FortiGate unit under System > Network > Options. See “To configure a FortiGate interface to relay DNS requests to external DNS servers” on page 110.

• The interface resolves DNS requests using a FortiGate DNS database. DNS requests for host names not in the FortiGate DNS database are dropped. See “To configure a FortiGate interface to resolve DNS requests using only the FortiGate DNS database” on page 111.
• The interface resolves DNS requests using the FortiGate DNS database and relays DNS requests for host names not in the FortiGate DNS database to the DNS servers configured for the FortiGate unit under System > Network > Options. This is called a split DNS configuration. See “To configure a split DNS configuration” on page 111.
• If virtual domains are not enabled, you can create one DNS database that can be shared by all the FortiGate interfaces. If virtual domains are enabled, you create a DNS database in each VDOM. All of the interfaces in a VDOM share the DNS database in that VDOM.

This section describes:
• About split DNS
• Configuring FortiGate DNS services

About split DNS
In a split DNS configuration you create a DNS database on the FortiGate unit, usually for host names on an internal network or for a local domain. Host names that are not in the FortiGate unit DNS database are resolved by relaying the DNS lookup to an external DNS server.

A split DNS configuration can be used to provide internal users access to resources on your private network that can also be accessed from the Internet. For example, you could have a public web server behind a FortiGate unit operating in NAT/Route mode. Users on the Internet access this web server using a port forwarding virtual IP, so the web server has a public IP address for Internet users. But you may want users on your internal network to access the server using its private IP address to keep traffic from internal users off of the Internet. To do this, you create a split DNS configuration on the FortiGate unit and add the host name of the server to the FortiGate DNS database, but include the internal IP address of the server instead of the external IP address. When users on the internal network attempt to connect to these host names, the IP addresses are provided by the FortiGate unit DNS database. Because the FortiGate unit checks the FortiGate DNS database first, all DNS lookups for the server host name will return the internal IP address of the server. For an example of how to configure split DNS, see “To configure a split DNS configuration” on page 111.

Configuring FortiGate DNS services
This section provides a general procedure for configuring FortiGate DNS as well as specific procedures for configuring a FortiGate interface to provide DNS services in different ways.

General FortiGate DNS server configuration
1 Go to System > Network > Options and add the IP addresses of a Primary and Secondary DNS server. These should be the DNS servers provided by your ISP or other public DNS servers. The FortiGate unit uses these DNS servers for its own DNS lookups, and they can be used to supply DNS lookups for your internal networks. See “Configuring Networking Options” on page 108.

2 Go to System > Network > Interface and edit the interface connected to a network that you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query. Select Recursive or Non-Recursive to control how this works.
• Recursive – Looks up domain names in the FortiGate DNS database. If the entry is not found, the request is relayed to the DNS servers configured in System > Network > Options. This setting can be used for a split DNS configuration.
• Non-recursive – Looks up domain names in the FortiGate DNS database. This setting does not relay the request to the DNS servers that are configured in System > Network > Options.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database. Add zones and entries as required. See “Configuring the FortiGate DNS database” on page 112.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS server. If you are also using a FortiGate DHCP server to configure the hosts on this network, add the IP address of the FortiGate interface to the DNS Server IP address list.

To configure a FortiGate interface to relay DNS requests to external DNS servers
Configure a FortiGate interface to relay DNS requests to the DNS servers configured for the FortiGate unit under System > Network > Options.
1 Go to System > Network > Options and add the IP addresses of a Primary and Secondary DNS server. These should be the DNS servers provided by your ISP or other public DNS servers. The FortiGate unit uses these DNS servers for its own DNS lookups and can be used to supply DNS lookups for your internal networks. See “Configuring Networking Options” on page 108.
2 Go to System > Network > Interface and edit the interface connected to a network that you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive. When you select Enable DNS Query, the FortiGate unit relays all DNS queries received by this interface to the DNS servers configured under System > Network > Options. If you do not add entries to the FortiGate DNS database all DNS requests are relayed to the DNS servers configured under System > Network > Options.
4 Configure the hosts on the internal network to use the FortiGate interface as their DNS server. If you are also using a FortiGate DHCP server to configure the hosts on this network, add the IP address of the FortiGate interface to the DNS Server IP address list.

To configure a FortiGate interface to resolve DNS requests using only the FortiGate DNS database
Configure a FortiGate interface to resolve DNS requests using the FortiGate DNS database and to drop requests for host names that are not in the FortiGate DNS database.
1 Go to System > Network > Options and add the IP addresses of a Primary and Secondary DNS server. These should be the DNS servers provided by your ISP or other public DNS servers. The FortiGate unit uses these DNS servers for its own DNS lookups and can be used to supply DNS lookups for your internal networks. See “Configuring Networking Options” on page 108.
2 Go to System > Network > Interface and edit the interface connected to a network that you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Non-Recursive. The interface is configured to look up domain names in the FortiGate DNS database. When you select Non-Recursive only the entries in the FortiGate DNS database are used.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database. Add zones and entries as required for users on the internal network. See “Configuring the FortiGate DNS database” on page 112.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS server. If you are also using a FortiGate DHCP server to configure the hosts on this network, add the IP address of the FortiGate interface to the DNS Server IP address list.

To configure a split DNS configuration
Configure an interface to resolve DNS requests using the FortiGate DNS database and relay DNS requests for host names not in the FortiGate DNS database to the DNS servers configured under System > Network > Options. This is called a split DNS configuration. See “About split DNS” on page 109.
1 Go to System > Network > Options and add the IP addresses of a Primary and Secondary DNS server. These should be the DNS servers provided by your ISP or other public DNS servers. The FortiGate unit uses these DNS servers for its own DNS lookups and can be used to supply DNS lookups for your internal networks. See “Configuring Networking Options” on page 108.
2 Go to System > Network > Interface and edit the interface connected to a network that you want the FortiGate unit to be a DNS server for.
3 Select Enable DNS Query and select Recursive. The interface is configured to look up domain names in the FortiGate DNS database, and relay the requests for names not in the FortiGate DNS database to the DNS servers configured under System > Network > Options.
4 Go to System > Network > DNS Database and configure the FortiGate DNS database. You can add entries to the FortiGate DNS database for users on the internal network. Add zones and entries as required. See “Configuring the FortiGate DNS database” on page 112.

5 Configure the hosts on the internal network to use the FortiGate interface as their DNS server. If you are also using a FortiGate DHCP server to configure the hosts on this network, add the IP address of the FortiGate interface to the DNS Server IP address list.

Configuring the FortiGate DNS database

Configure the FortiGate DNS database so that DNS lookups from an internal network are resolved by the FortiGate DNS database. To configure the DNS database you add zones. Each zone has its own domain name. You then add entries to each zone. An entry is a host name and the IP address it resolves to. You can also specify if the entry is an IPv4 address (A), an IPv6 address (AAAA), a name server (NS), a canonical name (CNAME), or a mail exchange (MX) name.

Go to System > Network > DNS Server to configure the FortiGate DNS database. On this page, you can edit, delete or create a new DNS server.

DNS Server page
Lists the DNS servers that you have created.
Create New – Add a new DNS zone to the DNS database list. When you select Create New, you are automatically redirected to the New DNS Zone page.
DNS Zone – The names of the DNS zones added to the DNS database list.
Domain Name – The domain name of each zone.
TTL – The TTL value for the domain name, which is the packet time to live in seconds.
# of Entries – The number of entries in the zone.
Delete – Delete a zone from the DNS database.
Edit – Select Edit beside an existing zone to modify it.

New DNS Zone page
Provides settings for configuring DNS zones, which make up a DNS server.
DNS Zone – Enter the DNS zone.
Domain Name – Enter the domain name.
TTL (seconds) – Enter the TTL value. The range is 0 to 2 147 483 647. Enter 0 to use the Zone TTL value.

Configuring the explicit web proxy

Caution: Enabling the explicit web proxy on an interface connected to the Internet is a security risk because anyone on the Internet who finds the proxy could use it to hide their source address.

You can use the FortiGate explicit web proxy to enable explicit HTTP and HTTPS proxying on one or more FortiGate interfaces. The explicit web proxy also supports proxying FTP sessions sent from a web browser and proxy auto-config (PAC) to provide automatic proxy configurations for explicit web proxy users. From the CLI, you can also configure the explicit web proxy to support SOCKS sessions sent from a web browser.

Note: Web proxies are configured for each VDOM when VDOMs are enabled.

The web proxy uses FortiGate routing to route sessions through the FortiGate unit to a destination interface. Before a session leaves the exiting interface, the explicit web proxy changes the source addresses of the session packets to the IP address of the exiting interface. When the FortiGate unit is operating in Transparent mode, the explicit web proxy changes the source addresses to the management IP address.

For example, to configure a web proxy server for users on a network, you would enable the explicit web proxy on the FortiGate interface connected to that network. Users on the network would configure their web browsers to use a proxy server for HTTP and HTTPS, FTP, or SOCKS and set the proxy server IP address to the IP address of the FortiGate interface connected to their network. Users could also enter the PAC URL into their web browsers to automate their web proxy configuration using a PAC file stored on the FortiGate unit.

The proxy tries to keep the persistent sessions alive with the clients. Usually, however, there is no limit for each user and a persistent session is removed after an idle timeout of 3600 seconds.

On FortiGate units that support WAN optimization, you can also enable web caching for the explicit proxy. For more information, see “Cache exempt list” on page 386.

To enable the explicit web proxy
1 Go to System > Network > Interface and enable the explicit web proxy for one or more FortiGate interfaces.
2 Go to System > Network > Web Proxy. Select Enable Explicit Web Proxy to turn on the Explicit Web Proxy.
3 Go to Firewall > Policy > Policy and select Create New and then set the Source Interface/Zone to web-proxy.
4 Configure the firewall policy as required to accept the traffic that you want to be processed by the explicit web proxy. The source address of the policy should match client source IP addresses. The destination address of the policy should match the IP addresses of web sites that clients are connecting to. Traffic sent to the explicit web proxy that is not accepted by a web-proxy firewall policy is dropped.
5 Select other firewall policy options as required. For example, you can apply UTM protection to web proxy sessions and log allowed web proxy traffic.

6 Select Enable Identity Based Policy to apply authentication to explicit web proxy sessions. You can add multiple identity based policies to apply different authentication for different user groups and also apply different UTM and logging settings for different user groups. A number of authentication options are available:
• For session-based authentication, the proxy attempts to identify users according to their authentication membership, which is based on whether or not they were authenticated using RADIUS, FSAE, LDAP, or local databases, or no authentication (or if no web-proxy firewall policy was added). Since multiple users can have the same user name, each authenticated user is counted as a single user. If a user of one session has the same name and membership as the user of another session, the explicit proxy assumes that this is one user, not two individual users.
• For IP-based authentication, the source IP address is used to determine a user. All sessions from a single source address are assumed to be from the same user.

Configuring explicit web proxy settings

Explicit web proxy settings are configured on the Web Proxy page, in System > Network > Web Proxy. Within this page, you can configure general web proxy options, such as transparent web cache. To configure the explicit web proxy, go to System > Network > Web Proxy.

If you enable the web proxy on an interface that has VLANs on it, the VLANs will only be enabled for web proxy if you manually enable each of them.

Web Proxy page
Provides settings for configuring either the explicit web proxy or transparent web caching.

Explicit Web Proxy Options section
Enable Explicit Web Proxy – Enable the explicit web proxy server for HTTP/HTTPS, FTP and proxy autoconfig PAC sessions. You must select this option for the explicit web proxy to accept and forward packets. FTP and PAC are only supported from a web browser and not a standalone client (for example, standalone FTP clients cannot use the explicit web proxy server).
Listen on Interfaces – Displays the interfaces that are being monitored by the explicit web proxy. If VDOMs are enabled, only interfaces that belong to the current VDOM and have explicit web proxy enabled will be displayed.
HTTP Port – Enter the port number that HTTP traffic from client web browsers uses to connect to the explicit proxy. The default port number is 8080. The range is 0 to 65535. Explicit proxy users must configure their web browser’s HTTP proxy settings to use this port.
HTTPS Port – Enter the port number that HTTPS traffic from client web browsers uses to connect to the explicit proxy. The default value of 0 means use the same port as HTTP. The range is 0 to 65535. Explicit proxy users must configure their web browser’s HTTPS proxy settings to use this port.
FTP Port – Enter the port number that FTP traffic from client web browsers uses to connect to the explicit proxy. The default value of 0 means use the same port as HTTP. The range is 0 to 65535. Explicit proxy users must configure their web browser’s FTP proxy settings to use this port.
PAC Port – Select the port that PAC traffic from client web browsers uses to connect to the explicit proxy. The default value of 0 means use the same port as HTTP. The range is 0 to 65535. Explicit proxy users must configure their web browser’s PAC proxy settings to use this port.

PAC File Content – Select the Edit icon beside this option to change the contents in a PAC file. You can use any PAC file syntax that is supported by your users’ browsers. The FortiGate unit does not parse the PAC file. You can also import a PAC file using this option. The maximum PAC file size is 8192 bytes. To use PAC, users must add an automatic proxy configuration URL (or PAC URL) to their web browser proxy configuration. The default PAC file URL is: http://<interface_ip>:<PAC_port_int>/<pac_file_str>. For example, if the interface with the explicit web proxy has IP address 172.20.120.122, the PAC port is the same as the default HTTP explicit proxy port (8080) and the PAC file name is proxy.pac, the PAC file URL would be: http://172.20.120.122:8080/proxy.pac. From the CLI you can use the following command to display the PAC file URL: get web-proxy explicit
Unknown HTTP version – Select the action to take when the proxy server must handle an unknown HTTP version request or message. Choose from either Reject or Best Effort. Best Effort attempts to handle the HTTP traffic as best as it can. Reject treats unknown HTTP traffic as malformed and drops it. The Reject option is more secure.
Realm – Enter an authentication realm to identify the explicit web proxy. The realm can be any text string of up to 63 characters. If the realm includes spaces, enclose it in quotes. When a user authenticates with the explicit proxy the HTTP authentication dialog includes the realm, so you can use the realm to identify the explicit web proxy for your users.
Default Firewall Policy Action – Configure the explicit web proxy to block (deny) or accept sessions if firewall policies have not been added for the explicit web proxy. The default setting of Deny blocks access to the explicit web proxy before adding a firewall policy. If you set this option to Accept the explicit web proxy server accepts sessions even if you haven’t defined a firewall policy. To add firewall policies for the explicit web proxy, add a firewall policy and set the source interface to web-proxy.

General Options (Explicit Web Proxy and Transparent Web Cache) section
Proxy FQDN – Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length – Enter the maximum length of an HTTP request. Larger requests will be rejected.
Max HTTP message length – Enter the maximum length of an HTTP message. Larger messages will be rejected.
Add headers to Forwarded Requests – The web proxy server will forward HTTP requests to the internal network. You can include the following headers in those requests:
Client IP Header – Enable to include the Client IP Header from the original HTTP request.
Via Header – Enable to include the Via Header from the original HTTP request.
X-forwarded-for Header – Enable to include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the remote addresses it passed through to this point.
Front-end HTTPS Header – Enable to include the Front-end HTTP Header from the original HTTPS request.
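The PAC File Content setting above accepts any PAC syntax the users’ browsers support, and the FortiGate unit does not parse it. The following is an added example of such a file, not taken from this guide or from Fortinet. It assumes the explicit proxy listens on the guide’s example address 172.20.120.122 and the default HTTP port 8080 (HTTPS and FTP share that port when their own port settings are left at 0); the internal domain corp.example and the RFC 1918 ranges sent DIRECT are assumptions. It is written in plain JavaScript, without the browser-supplied PAC helpers such as isInNet, so that it can also be run and tested under Node.js.

```javascript
// Example PAC file for clients of a FortiGate explicit web proxy.
// Added example; not from the FortiGate guide or Fortinet. Assumptions:
// proxy at 172.20.120.122:8080 (the guide's example address and default
// HTTP port), internal domain "corp.example" and RFC 1918 / loopback
// ranges reached DIRECT. "var" is used so that old PAC engines accept it.

var PROXY = "PROXY 172.20.120.122:8080";
var INTERNAL_DOMAIN = ".corp.example";                  // assumed local domain
var DIRECT_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"];

// Parse a dotted-quad IPv4 address to an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when the dotted-quad ip lies inside cidr ("a.b.c.d/len").
function inCidr(ip, cidr) {
  var addr = ipToInt(ip);
  if (addr === null) return false;
  var split = cidr.split("/");
  var net = ipToInt(split[0]);
  var len = parseInt(split[1], 10);
  var mask = len === 0 ? 0 : (0xFFFFFFFF << (32 - len)) >>> 0;
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

// Browsers call this for every URL; the return value is the proxy directive.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Plain (dotless) host names and loopback never leave the LAN.
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";

  // Hosts in the internal domain are answered by the FortiGate DNS database
  // (split DNS) with private addresses, so they are reached directly.
  if (host === INTERNAL_DOMAIN.slice(1) ||
      (host.length > INTERNAL_DOMAIN.length &&
       host.slice(-INTERNAL_DOMAIN.length) === INTERNAL_DOMAIN)) return "DIRECT";

  // Literal private or loopback addresses are reached directly as well.
  for (var i = 0; i < DIRECT_NETS.length; i++) {
    if (inCidr(host, DIRECT_NETS[i])) return "DIRECT";
  }

  // Everything else (http, https and browser FTP) goes through the explicit
  // proxy. Deliberately no "; DIRECT" fallback: if the proxy is unreachable
  // the browser fails instead of silently bypassing the web-proxy firewall
  // policy and its UTM inspection.
  return PROXY;
}
```

The file stays well under the 8192-byte PAC size limit, and the absence of a DIRECT fallback is the design choice worth keeping when the firewall policy attached to the web-proxy source interface is meant to be the only path to the Internet.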

Configuring WCCP

Configure settings for Web Cache Communication Protocol (WCCP) version 2 to optimize web traffic. The FortiGate unit can act as a WCCP version 2 enabled router and direct web content requests to configured web cache servers.

When a web client (on a computer) makes a request for web content, WCCP allows the routers on the local network to redirect the web content requests to the appropriate web cache server on the local network. If the web cache server contains the information in the web content request, the web cache server sends the content directly to the local client. If the web cache does not contain the requested information, the web cache server will download the HTTP information, cache it, and send it to the local client. The local client is not aware this caching is taking place.

The web caching will speed up downloads by not accessing remote websites for each HTTP request, thus reducing transmission costs and downloading time. It will also reduce the amount of data a company network sends and receives over the Internet, reducing costs. For web caching to function, local network traffic must be directed through one or more routers that are able to forward the HTTP requests to the web cache servers.

All WCCP settings are configured in the CLI. The following are the variables and commands that are used to configure WCCP.

For the WCCP client:

    config system setting
        set wccp-cache-engine {enable | disable}
    end

For WCCP services:

    config system wccp
        edit <service_id>
            set cache-id <ip_address>
            set group-address <ip_multicast_address>
            set router-list <ip_router_address>
            set authentication {enable | disable}
            set service-type {auto | standard | dynamic}
            set assignment-weight <weight_number>
            set assignment-bucket-form {cisco-implementation | wccp-v2}
    end

Routing table (Transparent Mode)

If your FortiGate unit is operating in Transparent mode you can go to System > Network > Routing Table to add static routes to control the flow of traffic through the FortiGate unit.

Note: In NAT/Route mode, the static routing table is located at System > Routing > Static.

Routing Table page
Lists all the static routes that you have created. On this page, you can edit, delete or create a new route.
Create New – Add a new Transparent mode static route.
IP/Mask – The destination IP address and netmask for the route.

Gateway – The IP address of the next hop router to which the route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Delete – Remove a route.
Edit – Edit or view a route. When you edit an existing static route, you are automatically redirected to the Edit Static Route page.

New Static Route page
Provides settings for configuring a static route. When you edit an existing static route, you are automatically redirected to the Edit Static Route page.
Destination IP/Netmask – Enter the destination IP address and netmask of the new static route. To create a default route, set the IP and netmask to 0.0.0.0.
Gateway – Enter the gateway IP address.
Priority – Enter a number for the priority of the static route.


System Wireless

This section describes how to configure the Wireless LAN interfaces on FortiWiFi units. The majority of this section is applicable to all FortiWiFi units.

If you enable virtual domains (VDOMs) on the FortiGate unit, system wireless settings are configured globally. MAC filters and wireless monitor are configured separately for each virtual domain. For more information, see “Using virtual domains” on page 79.

This section describes:
• FortiWiFi wireless interfaces
• Channel assignments
• Wireless settings
• Wireless MAC Filter
• Wireless Monitor
• Rogue AP detection

FortiWiFi wireless interfaces

FortiWiFi units support up to four wireless interfaces and four different SSIDs. All FortiWiFi units can have up to 4 wireless interfaces. Each wireless interface should have a different SSID and each wireless interface can have different security settings. For more information on adding wireless interfaces, see “Adding a wireless interface” on page 123.

You can configure the FortiWiFi unit to:
• Provide an access point that clients with wireless network cards can connect to. This is called Access Point mode, which is the default mode.
• Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in Client mode can only have one wireless interface.
• Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode. But you can enable monitoring as a background activity while the unit is in Access Point mode.

FortiWiFi units support the following wireless network standards:
• IEEE 802.11a (5-GHz Band)
• IEEE 802.11b (2.4-GHz Band)
• IEEE 802.11g (2.4-GHz Band)
• IEEE 802.11n (5-GHz and 2.4-GHz Band)
• WEP64 and WEP128 Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or RADIUS servers

Channel assignments

Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in. Set the channel for the wireless network by going to System > Wireless > Settings. For more information see “Wireless settings” on page 122. The following tables list the channel assignments for wireless networks for each supported wireless protocol.

Mexico is included in the Americas regulatory domain. You must make sure that the channel number complies with the regulatory standards of Mexico. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors.

IEEE 802.11a channel numbers

Table 8 lists IEEE 802.11a channels supported for FortiWiFi products that support the IEEE 802.11a wireless standard. IEEE 802.11a is only available on FortiWiFi-60B units. All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.

Table 8: IEEE 802.11a (5-GHz Band) channel numbers

Channel number   Frequency (MHz)
34               5170
36               5180
38               5190
40               5200
42               5210
44               5220
46               5230
48               5240
52               5260
56               5280
60               5300
64               5320
149              5745
153              5765
157              5785
161              5805

Regulatory Areas: Americas, Europe, Taiwan, Singapore, Japan. Which channels are permitted depends on the regulatory area.

IEEE 802.11b channel numbers

Table 9 lists IEEE 802.11b channels. All FortiWiFi units support 802.11b.

Table 9: IEEE 802.11b (2.4-GHz Band) channel numbers

Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484

Regulatory Areas: Americas, EMEA, Israel, Japan. Which channels are permitted depends on the regulatory area.

IEEE 802.11g channel numbers

Table 10 lists IEEE 802.11g channels. All FortiWiFi products support 802.11g.

Table 10: IEEE 802.11g (2.4-GHz Band) channel numbers

Channel number   Frequency (MHz)
1                2412
2                2417
3                2422
4                2427
5                2432
6                2437
7                2442
8                2447
9                2452
10               2457
11               2462
12               2467
13               2472
14               2484

Regulatory Areas: Americas, EMEA, Israel, Japan. For each area the table distinguishes CCK and OFDM modulation; which channels are permitted for each depends on the regulatory area.

Wireless settings

By default, the FortiWiFi unit includes one wireless interface, called wlan. If you are operating your FortiWiFi unit in Access Point mode, you can add up to three virtual wireless interfaces. For more information on adding more wireless interfaces, see “Adding a wireless interface” on page 123. All wireless interfaces use the same wireless parameters. That is, you configure the wireless settings once, and all wireless interfaces use those settings.

To configure the wireless settings, go to System > Wireless > Settings. On this page you can also change the operation mode. To modify wireless interface settings, select the interface name.

Note: You cannot switch to Client mode or Monitoring mode if you have added virtual wireless interfaces. To add more wireless interfaces in Access Point mode, see “Adding a wireless interface” on page 123.

When operating the FortiWiFi unit in Client mode, there must be only one wireless interface. When you are in Monitoring mode, only Operation Mode is available. For these modes, some settings are hidden. When you change modes, you cannot view the settings that were available when in Access Point mode. For example, in Client mode, radio settings such as Band are not configurable.

Wireless Parameters page
Provides settings for configuring wireless parameters.
Operation Mode – Select Change to switch operation modes. When you select Change, you are automatically redirected to the Change operation mode for wireless page.
  Access Point — The FortiWiFi unit acts as an access point for wireless users to connect to send and receive information over a wireless network. It enables multiple wireless network users access to the network without the need to connect to it physically. The FortiWiFi unit can connect to the internal network and act as a firewall to the Internet.
  Client — The FortiWiFi unit is set to receive transmissions from another access point. This enables you to connect remote users to an existing network using wireless protocols.
  Monitoring — Scan for other access points. These are listed in the Rogue AP list. See “Rogue AP detection” on page 126.
Band – Select the wireless frequency band. Be aware what wireless cards or devices your users have, as it may limit their use of the wireless network. For example, if you configure the FortiWiFi unit for 802.11g and users have 802.11b devices, they may not be able to use the wireless network.
Geography – Select your country or region. This determines which channels are available. See “Channel assignments” on page 120 for channel information.
Channel – Select a channel for your wireless network or select Auto. The channels that you can select depend on the Geography setting. See “Channel assignments” on page 120 for channel information.
Tx Power – Set the transmitter power level. The higher the number, the larger the area the FortiWiFi will broadcast. If you want to keep the wireless signal to a small area, enter a smaller number.
Beacon Interval – Set the interval between beacon packets. Access Points broadcast Beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. Decreasing the value will increase the number of beacons sent; while this will make it quicker to find and connect to the wireless network, it requires more overhead, slowing throughput. A higher value decreases the number of beacons sent; however, it may delay some wireless clients from connecting if it misses a beacon packet.
Background Rogue AP Scan – Perform the Monitoring mode scanning function while the unit is in Access Point mode. Scanning occurs while the access point is idle. The scan covers all wireless channels. Background scanning can reduce performance if the access point is busy. See “Rogue AP detection” on page 126.
Interface – The name of the wireless interface.
MAC Address – The MAC address of the wireless interface.

SSID – The wireless service set identifier (SSID) or network name for the wireless interface.
SSID Broadcast – A green checkmark icon indicates that the wireless interface broadcasts its SSID. Broadcasting the SSID makes it possible for clients to connect to your wireless network without first knowing the SSID. If the SSID is not broadcast, you need to inform users of the SSID so they can configure their wireless devices. This column is visible only in Access Point mode.
Security Mode – The wireless interface security mode. For information about these modes, see Security Mode in “Adding a wireless interface” on page 123.

Adding a wireless interface

You can add up to three virtual wireless interfaces to your access point. These additional interfaces share the same wireless parameters configured for the WLAN interface for Band, Geography, Channel, Tx Power, and Beacon Interval. Ensure each wireless interface has a unique SSID.

Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client mode or Monitoring mode.

Wireless Settings section on the New Interface page
SSID – Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name. To communicate, an Access Point and its clients must use the same SSID.
SSID Broadcast – Select to broadcast the SSID. Broadcasting the SSID enables clients to connect to your wireless network without first knowing the SSID. For better security, do not broadcast the SSID. If you choose not to broadcast the SSID, there is less chance of an unwanted user connecting to your wireless network.
Security mode – Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface.
  Access Point mode: WEP64, WEP128, WPA, WPA2, WPA2 Auto or None.
  Client mode: WEP64, WEP128, WPA, or None.
  None — has no security. Any wireless user can connect to the wireless network.
  WEP64 — 64-bit wired equivalent privacy (WEP). To use WEP64 you must enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
  WEP128 — 128-bit WEP. To use WEP128 you must enter a Key containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of the key.
  WPA — Wi-Fi protected access (WPA) security. To use WPA you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server.
  WPA2 — WPA with more security features. To use WPA2 you must select a data encryption method and enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server.
  WPA2 Auto — the same security features as WPA2, but also accepts wireless clients using WPA security. To use WPA2 Auto you must select a data encryption method. You must also enter a pre-shared key containing at least 8 characters or select a RADIUS server. If you select a RADIUS server the wireless clients must have accounts on the RADIUS server.
  Note: In Client mode with WPA security, the FortiWiFi unit attempts to connect using WPA2 security. If this fails, it retries using WPA security.
Key – Enter the security key. This field appears when selecting WEP64 or WEP128 security.

Data Encryption: Select a data encryption method to be used by WPA, WPA2, or WPA2 Auto. Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to use Advanced Encryption Standard (AES) encryption. AES is considered more secure than TKIP. Some implementations of WPA may not support AES.
Pre-shared Key: Enter the pre-shared key. This field appears when selecting WPA, WPA2, or WPA2 Auto security.
RADIUS Server: Select to use a RADIUS server when selecting WPA or WPA2 security, then select a RADIUS server name from the list. You can use WPA or WPA2 RADIUS security to integrate your wireless network configuration with a RADIUS or Windows AD server. You must configure the RADIUS server by going to User > RADIUS. For more information, see “RADIUS” on page 393.
RTS Threshold: Set the Request to Send (RTS) threshold. The RTS threshold is the maximum size, in bytes, of a packet that the FortiWiFi unit will accept without sending RTS/CTS packets to the sending wireless device. In some cases, larger packets being sent may cause collisions, slowing data transmissions. By lowering this value from the default of 2346, you configure the FortiWiFi unit to, in effect, have the sending wireless device ask for clearance before sending larger transmissions, reducing the chance of packet collisions. Smaller packets can still collide, but this is less likely. A setting of 2346 bytes effectively disables this option.
Fragmentation Threshold: Set the maximum size of a data packet before it is broken into smaller packets. If a packet is larger than the threshold, the FortiWiFi unit fragments the transmission; if it is smaller, the unit does not. A setting of 2346 bytes effectively disables this option.

To add a wireless interface
1 Go to System > Network > Interface.
2 Select Create New.
3 Complete the following:
Name: Enter a name for the wireless interface. The name cannot be the same as an existing interface, zone or VDOM.
Type: Select Wireless.
Address Mode: The wireless interface can only be set as a manual address. Enter a valid IP address and netmask. If the FortiWiFi unit is running in Transparent mode, this field does not appear and the interface is on the same subnet as the other interfaces.
Administrative Access: Set the administrative access for the interface.
4 In the Wireless Settings section, enter the required information and select OK.

Wireless MAC Filter

To improve the security of your wireless network, you can enable MAC address filtering on the FortiWiFi unit. By enabling MAC address filtering, you define the wireless devices that can access the network based on their MAC address. When a client attempts to access the wireless network, the FortiWiFi unit compares the client's MAC address with the list you created. If the MAC address is on the allow list, the client gains access to the network; if it is not, the client is rejected. Alternatively, you can create a deny list: the wireless interface then allows all connections except those from addresses in the MAC address list. You can configure one list per WLAN interface.

A MAC filter raises the bar only against clients that connect with whatever address their hardware happens to have. It does not stop a deliberate attacker: MAC addresses travel in the clear in every frame, so anyone capturing traffic near the access point can read an allowed address and clone it. Treat the filter as hygiene that complements a WPA2 security mode, not as authentication.
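The security-mode requirements listed above (WEP key lengths, data encryption and pre-shared key or RADIUS for the WPA modes, mode availability per operation mode) and the allow/deny semantics of the MAC filter are small enough to check mechanically. The following Python is an added example written for this guide, not FortiOS code; the dict layout for an interface and its MAC filter is invented here for illustration, and the warnings are the editor's caveats rather than anything the unit reports.

```python
import re

# Rules as stated on this page: key lengths in hex digits, modes per operation mode
WEP_KEY_HEX_DIGITS = {"WEP64": 10, "WEP128": 26}
MODES_BY_OPERATION = {
    "Access Point": {"None", "WEP64", "WEP128", "WPA", "WPA2", "WPA2 Auto"},
    "Client": {"None", "WEP64", "WEP128", "WPA"},
}
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def check_interface(iface, operation_mode="Access Point"):
    """Validate one wireless interface (hypothetical dict layout, see lead-in).

    Returns (errors, warnings). errors: settings the page says the unit needs
    or refuses. warnings: settings the unit accepts but an auditor would flag.
    """
    errors, warnings = [], []
    mode = iface.get("security_mode", "None")
    if mode not in MODES_BY_OPERATION[operation_mode]:
        errors.append(f"security mode {mode!r} is not available in {operation_mode} mode")
        return errors, warnings

    if mode == "None":
        warnings.append("open network: any wireless user can connect")
    elif mode in WEP_KEY_HEX_DIGITS:
        need = WEP_KEY_HEX_DIGITS[mode]
        if not re.fullmatch(rf"[0-9A-Fa-f]{{{need}}}", iface.get("key", "")):
            errors.append(f"{mode} key must be exactly {need} hexadecimal digits")
        warnings.append(f"{mode}: WEP keys can be recovered from captured traffic; "
                        "use WPA2 with AES unless a legacy client forces WEP")
    else:  # WPA, WPA2, WPA2 Auto
        enc = iface.get("data_encryption")
        if enc not in ("TKIP", "AES"):
            errors.append(f"{mode} requires a data encryption method (TKIP or AES)")
        elif enc == "TKIP":
            warnings.append(f"{mode}: TKIP selected where AES is the stronger choice")
        if not iface.get("radius_server") and len(iface.get("pre_shared_key", "")) < 8:
            errors.append(f"{mode} needs a pre-shared key of at least 8 characters "
                          "or a RADIUS server")

    flt = iface.get("mac_filter")
    if flt and flt.get("enabled"):
        for m in flt["addresses"]:
            if not MAC_RE.match(m):
                errors.append(f"malformed MAC address in filter list: {m!r}")
        warnings.append("MAC filter: addresses are visible in the clear over the air and "
                        "can be cloned, so the list complements the security mode rather "
                        "than replacing it")
    return errors, warnings


def mac_filter_decision(mac_filter, client_mac):
    """Apply an interface's MAC filter the way the page describes it:
    an allow list admits only listed clients, a deny list admits everyone else.
    There is one list per WLAN interface."""
    if not mac_filter or not mac_filter.get("enabled"):
        return True
    listed = client_mac.lower() in {m.lower() for m in mac_filter["addresses"]}
    return listed if mac_filter["list_access"] == "allow" else not listed


if __name__ == "__main__":
    # Constructed sample interface (not real configuration data)
    corp = {"security_mode": "WPA2", "data_encryption": "AES",
            "pre_shared_key": "correct horse battery staple",
            "mac_filter": {"enabled": True, "list_access": "allow",
                           "addresses": ["00:11:22:33:44:55"]}}
    print(check_interface(corp))
    print(mac_filter_decision(corp["mac_filter"], "00:11:22:33:44:66"))
```

Run it against a dump of each WLAN interface before the unit goes into production; an interface that produces no errors but several warnings is exactly the WEP-or-TKIP-plus-MAC-filter configuration that looks locked down in the GUI and is not.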

To allow or deny wireless access to wireless clients based on the MAC address of the client wireless cards, go to System > Wireless > MAC Filter.

MAC Filter page: Lists the MAC addresses that you added to a wireless interface. It also enables you to edit and manage MAC Filter lists. When you select Edit, you are automatically redirected to the MAC Filter Settings page.
Interface: The name of the wireless interface.
MAC address: The list of MAC addresses in the MAC filter list for the wireless interface.
List Access: Allow or deny access to the listed MAC addresses for the wireless interface.
Enable: Select to enable MAC filtering for the wireless interface.
Edit: Edit the MAC address list for an interface.

Managing the MAC Filter list

The MAC Filter list enables you to view the MAC addresses you have added to a wireless interface and their status. When you edit a MAC address, you are automatically redirected to the MAC Filter Settings page.

MAC Filter Settings page: Provides settings to modify the existing MAC addresses that you added to a wireless interface.
List Access: Select to allow or deny the addresses in the MAC Address list from accessing the wireless network.
MAC Address: Enter the MAC address to add to the list.
Add: Add the entered MAC address to the list.
Remove: Select one or more MAC addresses in the list and select Remove to delete them from the list.

Wireless Monitor

Go to System > Wireless > Monitor to view information about your wireless network. In Access Point mode, you can see who is connected to your wireless LAN. In Client mode, you can see which access points are within radio range.

Monitor page: Lists the wireless interfaces and clients or neighbors that are currently active. The information is grouped into sections within the page.
Statistics section: Statistical information about wireless performance for each wireless interface.
AP Name / Name: The name of the wireless interface.
Frequency: The frequency that the wireless interface is operating on. This should be around 5 GHz for 802.11a interfaces and around 2.4 GHz for 802.11b and 802.11g networks.
Signal Strength (dBm): The strength of the signal from the client.
Noise (dBm): The received noise level.
S/N (dB): The signal-to-noise ratio in decibels, calculated from signal strength and noise level.
Rx (KBytes): The amount of data in kilobytes received this session.
Tx (KBytes): The amount of data in kilobytes sent this session.

Clients list section (AP mode): Real-time details about the client wireless devices that can reach this FortiWiFi unit access point.
MAC Address: The MAC address of the connected wireless client.
IP Address: The IP address assigned to the connected wireless client.
AP Name: The name of the wireless interface that the client is connected to.

Neighbor AP list section (Client mode): Real-time details about the access points that the client can receive. Only devices on the same radio band are listed.
MAC Address: The MAC address of the access point.
SSID: The wireless service set identifier (SSID) that this access point broadcasts.
Channel: The wireless radio channel that the access point uses.
Rate (M): The data rate of the access point in Mbits/s.
RSSI: The received signal strength indication, a relative value between 0 (minimum) and 255 (maximum).
Refresh Interval: Set the time between information updates. none means no updates.
Refresh: Updates the displayed information now.

Rogue AP detection

On models that support Rogue Access Point Detection, you can select Monitoring mode to scan for available wireless access points. You can also enable scanning in the background while the unit is in Access Point mode.

To enable the monitoring mode
1 Go to System > Wireless > Settings.
2 Select Change beside the current operation mode.
3 Select Monitoring and then select OK.
4 Select OK to confirm the mode change.
5 Select Apply.

To enable background scanning
1 While in Access Point mode, go to System > Wireless > Settings.
2 Enable Background Rogue AP Scan and then select Apply.

Viewing wireless access points

Go to System > Wireless > Rogue AP to view detected access points. This is available in Monitoring mode, or in Access Point mode with Background Rogue AP Scan enabled. Access points are listed in the Unknown Access Points list until you mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone's ability to use these access points: marking an access point as rogue records your decision but does not block or contain it, so locating and removing a rogue device remains a separate manual step.

Rogue AP page: Lists the detected access points that are active.
Inactive Access Points: Select which inactive access points to show: all, none, those detected less than one hour ago, or those detected less than one day ago.

Online: A green checkmark indicates an active access point. A grey X indicates that the access point is inactive.
SSID: The wireless service set identifier (SSID) or network name that the access point broadcasts.
MAC Address: The MAC address of the access point's wireless interface.
Channel: The wireless radio channel that the access point uses.
Rate: The data rate of the access point.
Signal Strength / Noise: The signal strength and noise level.
First Seen: The date and time when the FortiWiFi unit first detected the access point.
Last Seen: The date and time when the FortiWiFi unit last detected the access point.
Mark as ‘Accepted AP’: Select the icon to move this entry to the Accepted Access Points list.
Mark as ‘Rogue AP’: Select the icon to move this entry to the Rogue Access Points list.
Forget AP: Return the item to the Unknown Access Points list from the Accepted Access Points list or the Rogue Access Points list.

When deciding whether an unknown access point is rogue, compare its MAC address against the wireless interfaces you manage rather than judging by SSID alone: an access point advertising one of your own SSIDs from an unfamiliar MAC address is the case most worth marking rogue promptly, since clients configured for your network will happily associate with it.

You can also enter information about accepted and rogue APs in the CLI without having to detect them first. See the system wireless ap-status command in the FortiGate CLI Reference.
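The Rogue AP page leaves the accepted/unknown/rogue sorting and the inactive-AP time window to the administrator. The following Python is an added example, not FortiOS code, that applies those same rules to a constructed scan result, and additionally flags unknown access points that advertise one of your own SSIDs. The record layout, the MAC addresses and the SSIDs are invented for illustration; the fixed "now" timestamp keeps the output reproducible.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
NOW = datetime.strptime("2010-05-07 13:00", FMT)   # fixed clock for a reproducible example

# Constructed scan results shaped like the Rogue AP page columns (not real data)
SCAN = [
    {"online": True,  "ssid": "corp-wlan", "mac": "00:09:0f:00:00:01", "channel": 6,  "last_seen": "2010-05-07 12:59"},
    {"online": True,  "ssid": "corp-wlan", "mac": "00:1a:2b:3c:4d:5e", "channel": 6,  "last_seen": "2010-05-07 12:58"},
    {"online": True,  "ssid": "guest",     "mac": "00:09:0f:00:00:02", "channel": 11, "last_seen": "2010-05-07 12:59"},
    {"online": False, "ssid": "linksys",   "mac": "00:14:bf:11:22:33", "channel": 1,  "last_seen": "2010-05-07 12:30"},
    {"online": False, "ssid": "cafe-free", "mac": "00:0c:41:aa:bb:cc", "channel": 3,  "last_seen": "2010-05-06 18:00"},
    {"online": True,  "ssid": "neighbour", "mac": "00:25:9c:77:88:99", "channel": 1,  "last_seen": "2010-05-07 12:57"},
]

ACCEPTED = {"00:09:0f:00:00:01", "00:09:0f:00:00:02"}   # previously marked 'Accepted AP' (our radios)
ROGUE = {"00:25:9c:77:88:99"}                           # previously marked 'Rogue AP'
OWN_SSIDS = {"corp-wlan", "guest"}                      # SSIDs configured on our own interfaces


def filter_inactive(records, setting, now=NOW):
    """Apply the page's 'Inactive Access Points' selector.

    setting is one of "all", "none", "hour", "day". Active (online) entries are
    always shown; inactive ones are shown depending on when they were last seen.
    """
    windows = {"hour": timedelta(hours=1), "day": timedelta(days=1)}
    shown = []
    for r in records:
        if r["online"] or setting == "all":
            shown.append(r)
        elif setting in windows:
            age = now - datetime.strptime(r["last_seen"], FMT)
            if age < windows[setting]:
                shown.append(r)
        # "none": inactive entries are skipped
    return shown


def classify(records, accepted=ACCEPTED, rogue=ROGUE, own_ssids=OWN_SSIDS):
    """Sort scan results into the three lists the Rogue AP page keeps.

    The extra "impersonating" list is this example's addition: unknown access
    points that broadcast one of our own SSIDs from a MAC address we do not
    manage, which is the entry to mark rogue first.
    """
    lists = {"accepted": [], "rogue": [], "unknown": [], "impersonating": []}
    for r in records:
        if r["mac"] in accepted:
            lists["accepted"].append(r["mac"])
        elif r["mac"] in rogue:
            lists["rogue"].append(r["mac"])
        else:
            lists["unknown"].append(r["mac"])
            if r["ssid"] in own_ssids:
                lists["impersonating"].append(r["mac"])
    return lists


if __name__ == "__main__":
    visible = filter_inactive(SCAN, "hour")
    for name, macs in classify(visible).items():
        print(f"{name:14s} {macs}")
```

Feeding the unit's Accepted and Rogue lists into `classify` as `accepted` and `rogue` reproduces the page's bookkeeping; the point of the example is the last list, which a plain SSID-sorted view does not give you. Remember that marking an entry rogue, here or in the GUI, only records the decision.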


System DHCP Server

This section describes how to use DHCP to provide convenient automatic network configuration for your clients. DHCP services can also be configured through the Command Line Interface (CLI). See the FortiGate CLI Reference for more information.

If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured separately for each virtual domain. For more information, see “Using virtual domains” on page 79.

The following topics are included in this section:
• FortiGate DHCP servers and relays
• Configuring DHCP services
• Viewing address leases

FortiGate DHCP servers and relays

The DHCP protocol enables hosts to automatically obtain an IP address from a DHCP server. Optionally, they can also obtain default gateway and DNS server settings.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP. If an interface is connected to multiple networks via routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay.

You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the FortiGate unit.

To configure a DHCP server, see “Configuring a DHCP server” on page 130. To configure a DHCP relay, see “Configuring an interface as a DHCP relay agent” on page 130.

A FortiGate interface or VLAN subinterface can provide the following DHCP services:
• Basic DHCP servers for non-IPSec IP networks
• IPSec DHCP servers for IPSec (VPN) connections
• DHCP relay for regular Ethernet or IPSec (VPN) connections

An interface cannot provide both a server and a relay for connections of the same type (regular or IPSec). You can configure a Regular DHCP server on an interface only if the interface is a physical interface with a static IP address. You can configure an IPSec DHCP server on an interface that has either a static or a dynamic IP address.

DHCP is not available in Transparent mode. DHCP requests are passed through the FortiGate unit when it is in Transparent mode.

Configuring DHCP services

Go to System > DHCP Server > Service to configure DHCP services. On each FortiGate interface, you can configure a DHCP relay or add DHCP servers as needed. In Transparent mode DHCP requests pass through the FortiGate unit; however, you cannot configure DHCP in Transparent mode.

Configuring a DHCP server

The System > DHCP Server > Service screen gives you access to existing DHCP servers. It is also where you configure new DHCP servers. An interface must have a static IP before you configure a DHCP server on it.

On FortiGate 50 and 60 series units, by default, a DHCP server is configured on the Internal interface, as follows:
IP Range: 192.168.1.110 to 192.168.1.210
Netmask: 255.255.255.0
Lease time: 7 days
Default gateway: 192.168.1.99
DNS Server 1: 192.168.1.99

These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match. You can disable or change this default DHCP Server configuration.

To configure a DHCP server
1 Go to System > DHCP Server > Service.
2 Select the blue arrow for the interface.
3 Select the Add DHCP Server icon to create a new DHCP server, or select the Edit icon beside an existing DHCP server to change its settings.
4 Configure the DHCP server.
5 Select OK.

Configuring an interface as a DHCP relay agent

If you want to configure an interface as a DHCP relay agent, you must edit an existing DHCP relay. You can edit an existing DHCP relay agent in System > DHCP Server > Service.

Edit DHCP Service page: Provides the existing settings for a DHCP relay previously configured on the New DHCP Service page.
Interface Name: The name of the interface.
DHCP Relay Agent: Select to enable the DHCP relay agent on this interface.
Type: Select the type of DHCP service required, either Regular or IPSEC.
DHCP Server IP: Enter the IP address of the DHCP server that will answer DHCP requests from computers on the network connected to the interface.

New DHCP Service page: Provides settings for configuring a DHCP relay agent or a DHCP server.
Name: Enter a name for the DHCP server.
Mode: Select Server to configure a DHCP server. Select Relay to configure a DHCP relay agent.
Enable: Enable the DHCP server.
Type: Select Regular or IPSEC DHCP server. You cannot configure a Regular DHCP server on an interface that has a dynamic IP address.
IP Assignment Mode: Configure how the IP addresses for an IPSec DHCP server are assigned to Dialup IPSec VPN users. Select one of:
  • Server IP Range: The IPSec DHCP server will assign the IP addresses as specified in IP Range.
  • User-group defined method: The IP addresses will be assigned by the user group used to authenticate the user. The user group is used to authenticate XAUTH users. See “User Group” on page 390.
  When User-group defined method is selected, the IP Range fields are greyed out, and the Exclude Ranges table and controls are not visible.
IP Range: Enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients. No range can exceed 65536 IP addresses. These fields are greyed out when IP Assignment Mode is set to User-group defined method.
Network Mask: Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
DNS Service: Select to use either a specific DNS server or the system's DNS settings.
DNS Server 0: Enter the DNS server.
DNS Server 1: Enter the second DNS server. You can add multiple DNS servers by selecting the plus sign (+) beside DNS Server 1; if you need to add more DNS servers, select the plus sign again.
Advanced section of the New DHCP Service page: Select to configure advanced options.
Domain: Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time: Select Unlimited for an unlimited lease time, or enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days.
WINS Server 1, WINS Server 2: Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.
Options: Select to include options for the DHCP relay or server. When you enable this option, the Code field and Options field appear. You can add multiple options (both a Code and an Options field appear for each) by selecting the plus sign beside the Options field.
Exclude Ranges: You can add up to 16 exclude ranges of IP addresses that the DHCP server cannot assign to DHCP clients.
Add: Add a range of IP addresses to exclude.
Starting IP: Enter the first IP address of the exclude range.
End IP: Enter the last IP address of the exclude range.
Delete (minus sign): Delete the exclude range.

Reserving IP addresses for specific clients

You can reserve an IP address for a specific client identified by the client device MAC address and the connection type, regular Ethernet or IPSec. The DHCP server always assigns the reserved address to that client. Use the CLI config system dhcp reserved-address command. For more information, see the FortiGate CLI Reference. You can assign up to 200 IP addresses as reserved. For more information see the FortiGate Maximum Values Matrix.

A reservation keys on the MAC address that the client itself reports, so it guarantees an address to a well-behaved client but does not stop another host from claiming that MAC address and receiving the same lease. Do not use reservations as a form of access control.

Viewing address leases

Go to System > DHCP Server > Address Leases to view the IP addresses that the DHCP servers have assigned and the corresponding client MAC addresses.

Address Leases page: Lists the IP addresses that the DHCP servers have assigned, as well as the corresponding client MAC addresses.
Interface: Select the interface for which to list leases.
Refresh: Select Refresh to update the Address Leases list.
IP: The assigned IP address.
MAC: The MAC address of the device to which the IP address is assigned.
Expire: Expiry date and time of the DHCP lease.
Status: Indicates the status of the IP addresses for DHCP servers.
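The DHCP server section above scatters a number of hard limits across the field descriptions: ranges of at most 65536 addresses, at most 16 exclude ranges, a lease between 5 minutes and 100 days (or Unlimited), at most 200 reservations, a Regular server only on a static-IP interface, no server and relay of the same type on one interface, and no DHCP at all in Transparent mode. The following Python is an added example written for this guide, not FortiOS code, that checks a server definition against those rules before it is typed into the GUI or CLI, using the page's own default Internal-interface server as sample input. The dict layouts for a server and an interface are invented here for illustration.

```python
import ipaddress

# Limits stated on this page
MAX_RANGE_ADDRESSES = 65536
MAX_EXCLUDE_RANGES = 16
MAX_RESERVED = 200
MIN_LEASE_SECONDS = 5 * 60
MAX_LEASE_SECONDS = 100 * 24 * 3600

# The page's default server on the Internal interface of 50/60 series units
DEFAULT_SERVER = {
    "name": "internal-dhcp", "type": "regular",
    "ip_range": ("192.168.1.110", "192.168.1.210"),
    "netmask": "255.255.255.0",
    "default_gateway": "192.168.1.99",
    "dns_servers": ["192.168.1.99"],
    "lease_time": 7 * 24 * 3600,   # seconds; None means Unlimited
    "exclude_ranges": [],          # (start, end) pairs
    "reserved": [],                # (mac, ip) pairs
}
INTERNAL = {"static_ip": "192.168.1.99/24", "opmode": "nat", "relay_types": set()}


def _addr(s):
    return ipaddress.IPv4Address(s)


def validate_dhcp_server(server, interface):
    """Return the reasons the page gives for rejecting this definition on this
    interface (an empty list means it is acceptable)."""
    problems = []
    if interface.get("opmode") == "transparent":
        return ["DHCP is not available in Transparent mode"]
    if server["type"] in interface.get("relay_types", set()):
        problems.append(f"interface already relays {server['type']} DHCP; it cannot also serve it")
    if server["type"] == "regular" and not interface.get("static_ip"):
        problems.append("a Regular DHCP server needs an interface with a static IP address")

    start, end = (_addr(a) for a in server["ip_range"])
    if end < start:
        problems.append("IP range end is before its start")
    elif int(end) - int(start) + 1 > MAX_RANGE_ADDRESSES:
        problems.append(f"IP range exceeds {MAX_RANGE_ADDRESSES} addresses")

    # The range, gateway and reservations must all lie in the network the netmask defines
    net = ipaddress.IPv4Network((str(start), server["netmask"]), strict=False)
    if end not in net:
        problems.append(f"IP range does not fit the network {net} given by the netmask")
    if _addr(server["default_gateway"]) not in net:
        problems.append(f"default gateway {server['default_gateway']} is outside {net}")

    excludes = server.get("exclude_ranges", [])
    if len(excludes) > MAX_EXCLUDE_RANGES:
        problems.append(f"at most {MAX_EXCLUDE_RANGES} exclude ranges are allowed")
    for a, b in excludes:
        if not (start <= _addr(a) <= _addr(b) <= end):
            problems.append(f"exclude range {a}-{b} is not inside the IP range")

    lease = server.get("lease_time")
    if lease is not None and not MIN_LEASE_SECONDS <= lease <= MAX_LEASE_SECONDS:
        problems.append("lease time must be between 5 minutes and 100 days, or Unlimited")

    reserved = server.get("reserved", [])
    if len(reserved) > MAX_RESERVED:
        problems.append(f"at most {MAX_RESERVED} reserved addresses are allowed")
    seen_mac, seen_ip = set(), set()
    for mac, ip in reserved:
        if mac.lower() in seen_mac or ip in seen_ip:
            problems.append(f"reservation {mac} -> {ip} duplicates another reservation")
        seen_mac.add(mac.lower())
        seen_ip.add(ip)
        if _addr(ip) not in net:
            problems.append(f"reserved address {ip} is outside {net}")
    return problems


def pool_size(server):
    """Number of addresses the server can hand out: the range minus excluded ranges."""
    start, end = (_addr(a) for a in server["ip_range"])
    total = int(end) - int(start) + 1
    for a, b in server.get("exclude_ranges", []):
        lo, hi = max(_addr(a), start), min(_addr(b), end)
        if lo <= hi:
            total -= int(hi) - int(lo) + 1
    return total


if __name__ == "__main__":
    print(validate_dhcp_server(DEFAULT_SERVER, INTERNAL), pool_size(DEFAULT_SERVER))
```

The duplicate-reservation check is not something the page promises the unit does for you; it is there because two reservations for one MAC address are the usual way a "reserved" host ends up with a different address after a reboot.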

System Config

This section describes the configuration of several non-network features, such as HA, SNMP, custom replacement messages, and Operation mode. If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement messages are configured globally for the entire FortiGate unit. Changing operation mode is configured for each individual VDOM. For more information, see “Using virtual domains” on page 79.

The following topics are included in this section:
• HA
• SNMP
• Replacement messages
• Operation mode and VDOM management access

HA

FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. This section contains a brief description of HA web-based manager configuration options. For complete information about how to configure and operate FortiGate HA clusters see the FortiGate HA Guide.

To configure HA options so that a FortiGate unit can join an HA cluster, go to System > Config > HA. If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for the entire FortiGate unit. For more information, see “Using virtual domains” on page 79.

Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is also not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically configured using DHCP or PPPoE, you cannot switch to operate in HA mode. Also, you cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured as a PPTP or L2TP client, or if the FortiGate unit is configured for standalone session synchronization.

This topic contains the following:
• HA options
• Cluster members list
• Viewing HA statistics
• Changing subordinate unit host name and device priority
• Disconnecting a cluster unit from a cluster

HA options

Configure HA options so that a FortiGate unit can join a cluster, or to change the configuration of an operating cluster or cluster member.

If HA is already enabled, go to System > Config > HA to display the cluster members list. Select Edit for the FortiGate unit with a Role of master (also called the primary unit). When you edit the HA configuration of the primary unit, all changes are synchronized to the other units in the cluster.

You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled by logging into the web-based manager as the global admin administrator and going to System > Config > HA. If HA is enabled, you will have to select Edit for the cluster member before you see the virtual cluster configuration screen for that cluster unit.

Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual clustering. Most virtual cluster HA options are the same as normal HA options. However, virtual clusters include VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below and in the FortiGate HA Guide.

High Availability page: Lists the existing settings for a configured HA cluster, and allows you to configure an HA cluster if one is not already configured. You can also modify existing settings from this page.
Mode: Select an HA mode for the cluster or return the FortiGate units in the cluster to standalone mode. You can select Standalone (to disable HA), Active-Passive, or Active-Active. If virtual domains are enabled you can select Active-Passive or Standalone. When configuring a cluster, you must set all members of the HA cluster to the same HA mode.
Device Priority: Optionally set the device priority of the cluster unit. Each unit in a cluster can have a different device priority. During HA negotiation, the unit with the highest device priority usually becomes the primary unit. In a virtual cluster configuration, each cluster unit can have two different device priorities, one for each virtual cluster. During HA negotiation, the unit with the highest device priority in a virtual cluster becomes the primary unit for that virtual cluster. You can accept the default device priority when first configuring a cluster. When the cluster is operating you can change the device priority for different cluster units as required. Changes to the device priority are not synchronized. For more information, see “Cluster members list” on page 135.
Group Name: Enter a name to identify the cluster. The maximum length of the group name is 32 characters. The group name must be the same for all cluster units before the cluster units can form a cluster, and two clusters on the same network cannot have the same group name. The default group name is FGT-HA. You can accept the default group name when first configuring a cluster. When the cluster is operating you can change the group name, if required. The group name change is synchronized to all cluster units.
Password: Enter a password to identify the cluster. The maximum password length is 15 characters. The password must be the same for all cluster units before the cluster units can form a cluster, and two clusters on the same network must have different passwords. The default is no password. You can accept the default password when first configuring a cluster; after a cluster is operating, you can add a password, if required. Because the default is no password, a unit with the same group name and no password can negotiate with the cluster, so set a password before the heartbeat interfaces are connected to anything other than a dedicated, isolated link.
Enable Session pickup: Select to enable session pickup so that if the primary unit fails, sessions are picked up by the cluster unit that becomes the new primary unit. You must enable session pickup for session failover protection. If you do not require session failover protection, leaving session pickup disabled may reduce HA CPU usage and reduce HA heartbeat network bandwidth usage. Session pickup is disabled by default. You can accept the default setting for session pickup and later choose to enable session pickup after the cluster is operating.

Port Monitor: Select to enable or disable monitoring FortiGate interfaces to verify that the monitored interfaces are functioning properly and are connected to their networks. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit. Port monitoring (also called interface monitoring) is disabled by default. Leave port monitoring disabled until the cluster is operating, and then only enable port monitoring for connected interfaces. You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces.
Heartbeat Interface: Select to enable or disable HA heartbeat communication for each interface in the cluster and set the heartbeat interface priority. The heartbeat interface priority range is 0 to 512. The default priority when you select a new heartbeat interface is 0. You must select at least one heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic. The web-based manager lists interfaces in alphanumeric order: port1, port2 through port9, port10. Hash map order sorts interfaces in the following order: port1, port10, port2 through port9. The default heartbeat interface configuration is different for each FortiGate unit. This default configuration usually sets the priority of two heartbeat interfaces to 50. You can accept the default heartbeat interface configuration or change it as required. For more information about configuring heartbeat interfaces, see the FortiGate HA Guide.
VDOM partitioning: If you are configuring virtual clustering, you can set the virtual domains to be in virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual domain must always be in virtual cluster 1. For more information about configuring VDOM partitioning, see the FortiGate HA Guide.

Cluster members list

You can display the cluster members list to view the status of an operating cluster and the status of the FortiGate units in the cluster. The cluster members list shows the FortiGate units in the cluster and, for each FortiGate unit, shows its interface connections, its role in the cluster and its device priority. From the cluster members list you can disconnect a unit from the cluster, edit the HA configuration of the primary unit, change the device priority and host name of subordinate units, and download a debug log for any cluster unit. You can also view HA statistics for the cluster.

To display the cluster members list, log into an operating cluster and go to System > Config > HA.

If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters including the virtual domains added to each virtual cluster. To display the virtual cluster members list for an operating cluster, log in as the global admin administrator and go to System > Config > HA.

Cluster Settings section of the HA page
View HA Statistics: Displays the serial number, status, and monitor information for each cluster unit. See “Viewing HA statistics” on page 136.
Up and down arrows: Changes the order of cluster members in the list. The operation of the cluster and of the units in the cluster is not affected. All that changes is the order of the units on the cluster members list.
Cluster member: Illustrations of the front panels of the cluster units. If the network jack for an interface is shaded green, the interface is connected. Pause the mouse pointer over each illustration to view the cluster unit host name, serial number, how long the unit has been operating (up time), and the interfaces that are configured for port monitoring.
Hostname: The host name of the FortiGate unit. The default host name of the FortiGate unit is the FortiGate unit serial number.
  • To change the primary unit host name, go to System > Status and select Change beside the current host name.
  • To change a subordinate unit host name, from the cluster members list select the Edit icon for a subordinate unit. See “Changing subordinate unit host name and device priority” on page 137.
Role: The status or role of the cluster unit in the cluster.
  • Role is MASTER for the primary (or master) unit.
  • Role is SLAVE for all subordinate (or backup) cluster units.
Priority: The device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255. For a virtual cluster, the list includes the virtual cluster 1 and virtual cluster 2 device priority of this cluster unit.
Disconnect from cluster: Select to disconnect a selected cluster unit from the cluster. See “Disconnecting a cluster unit from a cluster” on page 137.
Edit: Select to change a cluster unit HA configuration.
  • For a primary unit, select Edit to change the cluster HA configuration (including the device priority) of the primary unit.
  • For a primary unit in a virtual cluster, select Edit to change the virtual cluster HA configuration.
  • For a subordinate unit, select Edit to change the subordinate unit host name and device priority. See “Changing subordinate unit host name and device priority” on page 137.
  • For a subordinate unit in a virtual cluster, select Edit to change the subordinate unit host name and the device priority of the subordinate unit for the selected virtual cluster.
Download debug log: Select to download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) for help diagnosing problems with the cluster or with individual cluster units.

Viewing HA statistics

From the cluster members list, you can select View HA Statistics to display the serial number, status, and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics.

View HA Statistics page: Lists the statistical information for HA. You can select how often the information is refreshed.
Refresh every: Select to control how often the web-based manager updates the HA statistics display.
Back to HA monitor: Select to close the HA statistics list and return to the cluster members list.
Unit: The host name and serial number of the cluster unit.

Status
    Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit.
Up Time
    The time in days, hours, minutes, and seconds since the cluster unit was last started.
Monitor
    Displays system status information for each cluster unit.
CPU Usage
    The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded. For more information about CPU usage, see "System Resources" on page 50.
Memory Usage
    The current memory status of each cluster unit. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded. For more information about memory usage, see "System Resources" on page 50.
Active Sessions
    The number of communications sessions being processed by the cluster unit.
Total Packets
    The number of packets that have been processed by the cluster unit since it last started up.
Virus Detected
    The number of viruses detected by the cluster unit.
Network Utilization
    The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes
    The number of bytes that have been processed by the cluster unit since it last started up.
Intrusion Detected
    The number of intrusions or attacks detected by Intrusion Protection running on the cluster unit.

Changing subordinate unit host name and device priority

To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.

To change the host name and device priority of a subordinate unit in an operating cluster with virtual domains enabled, log in as the global admin administrator and go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.

You can change the host name (Peer) and device priority (Priority) of this subordinate unit. These changes only affect the configuration of the subordinate unit.

Peer
    View and optionally change the subordinate unit host name.
Priority
    View and optionally change the subordinate unit device priority. The default device priority is 128. The device priority range is 0 to 255. The device priority is not synchronized among cluster members. In a functioning cluster you can change device priority to change the priority of any unit in the cluster. The next time the cluster negotiates, the cluster unit with the highest device priority becomes the primary unit.

Disconnecting a cluster unit from a cluster

You can disconnect a cluster unit if you need to use the disconnected FortiGate unit for another purpose, such as to act as a standalone firewall. You can go to System > Config > HA and select a Disconnect from cluster icon to disconnect a cluster unit from a functioning cluster without disrupting the operation of the cluster.

Serial Number
    Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface
    Select the interface that you want to configure. You also specify the IP address and netmask for this interface. When the FortiGate unit is disconnected, all management access options are enabled for this interface.
IP/Netmask
    Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.

SNMP

Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. A FortiManager unit can act as an SNMP manager.

By using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access. Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiGate unit, or be able to query that unit.

The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit.

To monitor FortiGate system information and receive FortiGate traps, you must first compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide information the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiGate unit SNMP agent. For more information, see "Fortinet MIBs" on page 141.

Note: There were major changes to the MIB files between FortiOS v3.0 and v4.0. You need to use the new MIBs for FortiOS v4.0 or you may be accessing the wrong traps and fields. For information on how to download the MIB files, see the Fortinet Knowledge Base.

The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414). The FortiGate SNMP v3 implementation includes support for queries, traps, authentication, and privacy. Authentication and encryption are configured in the CLI. See the system snmp user command in the FortiGate CLI Reference.

SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected. For more information about SNMP traps, see "Fortinet and FortiGate traps" on page 142.

SNMP fields contain information about your FortiGate unit, such as percent CPU usage or the number of sessions. This information is useful to monitor the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs. For more information about SNMP fields, see "Fortinet and FortiGate MIB fields" on page 145.

This topic contains the following:

• Configuring SNMP
• Configuring an SNMP community
• Fortinet MIBs
• Fortinet and FortiGate traps
• Fortinet and FortiGate MIB fields

Configuring SNMP

Go to System > Config > SNMP v1/v2c to configure the SNMP agent. Add SNMP communities to your FortiGate unit so that SNMP managers can connect to view system information and receive SNMP traps. You can add up to 3 communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.

Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces.

SNMP v1/v2c page
Provides settings for configuring the SNMP agent.

SNMP Agent
    Enable the FortiGate SNMP agent.
Description
    Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long.
Location
    Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Contact
    Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.
Apply
    Save changes made to the description, location, and contact information.
Create New
    Select Create New to add a new SNMP community. See "Configuring an SNMP community" on page 139.
Communities
    The list of SNMP communities added to the FortiGate configuration. You can add up to three SNMP communities.
Name
    The name of the SNMP community.
Queries
    The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.
Traps
    The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.
Enable
    Select Enable to activate an SNMP community.
Delete
    Select Delete to remove an SNMP community.
Edit
    Select to view or modify an SNMP community.

Configuring an SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP community and a printer SNMP community.

New SNMP Community page
Provides settings for configuring an SNMP community.

Community Name
    Enter a name to identify the SNMP community.

Hosts section
    Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit. You can add up to 8 SNMP managers to a single community.
IP Address
    The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community.
Interface
    Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. In virtual domain mode, the interface must belong to the management VDOM to be able to pass SNMP traps.
Delete
    Select a Delete icon to remove an SNMP manager.
Add
    Add a blank line to the Hosts list.

Queries section
    Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
    Note: The SNMP client software and the FortiGate unit must use the same port for queries.

Traps section
    Enter the Local and Remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.
    Note: The SNMP client software and the FortiGate unit must use the same port for traps.
Protocol
    The SNMP protocol.
Port
    The port that the protocol uses. You can change the port if required.
Enable
    Select to enable that SNMP protocol.

SNMP Event
    Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community.
    "CPU overusage" traps sensitivity is slightly reduced, by spreading values out over 8 polling cycles. This prevents sharp spikes due to CPU intensive short-term events such as changing a policy.
    "Power Supply Failure" event trap is available only on some FortiGate models.
    "AMC interfaces enter bypass mode" event trap is available only on FortiGate models that support AMC modules.
Enable
    Select to enable the SNMP event.

To configure SNMP access (NAT/Route mode)

Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections.

1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 In Administrative Access, select SNMP.
4 Select OK.

To configure SNMP access (Transparent mode)

1 Go to System > Config > Operation.

2 Enter the IP address that you want to use for management access and the netmask in the Management IP/Netmask field.
3 Select Apply.

Fortinet MIBs

The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.

There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. Each Fortinet product has its own MIB—if you use other Fortinet products you will need to download their MIB files as well.

You can download the two FortiGate MIB files from Fortinet Customer Support. You need to obtain and compile the two MIBs for this release. For information on how to download the MIB files, see the Fortinet Knowledge Base.

Note: There were major changes to the MIB files between FortiOS v3.0 and v4.0. You need to use the new MIBs for FortiOS v4.0 or you may mistakenly access the wrong traps and fields.

Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use. You must add the Fortinet proprietary MIB to this database to have access to the Fortinet specific information.

The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in this section. For more information about Fortinet MIBs and traps, see the FortiGate Administration Guide. For more information, see "Fortinet and FortiGate traps" on page 142 and "Fortinet and FortiGate MIB fields" on page 145.

Table 11: Fortinet MIBs

FORTINET-CORE-MIB.mib
    The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units.
FORTINET-FORTIGATE-MIB.mib
    The proprietary FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units. Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent.

Table 11: Fortinet MIBs (continued)

RFC-1213 (MIB II)
    The FortiGate SNMP agent supports MIB II groups with the following exceptions.
    • No support for the EGP group from MIB II (RFC 1213, section 3.11 and 6.10).
    • Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB)
    The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.

Fortinet and FortiGate traps

An SNMP manager can request information from the Fortinet device's SNMP agent, or that agent can send traps when an event occurs. Traps are a method used to inform the SNMP manager that something has happened or changed on the Fortinet device. To receive FortiGate device SNMP traps, you must load and compile the FORTINET-CORE-MIB and FORTINET-FORTIGATE-MIB into your SNMP manager. Traps sent include the trap message as well as the FortiGate unit serial number (fnSysSerial) and hostname (sysName).

The tables in this section include information about SNMP traps and variables. These tables have been included to help you locate the object identifier number (OID), trap message, and trap description of the Fortinet trap or variable you need. The OID and the name of the object are how SNMP managers refer to fields and traps from the Fortinet and FortiGate MIBs. The object identifier (OID) is made up of the number at the top of the table with the index added to the end. For example, if the OID is 1.3.6.1.4.1.12356.1.3.0 and the index is 4, the full OID is 1.3.6.1.4.1.12356.1.3.0.4.

The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information about the trap. Indented rows are fields that are part of the message or table associated with the preceding row. The name of the table indicates if the trap is found in the Fortinet MIB or the FortiGate MIB. Traps starting with fn such as fnTrapCpuThreshold are defined in the Fortinet MIB. Traps starting with fg such as fgTrapAvVirus are defined in the FortiGate MIB.

The following tables include:
• Generic Fortinet traps (OID 1.3.6.1.4.1.12356.1.3.0)
• System traps (OID 1.3.6.1.6.3.1.1.5)
• FortiGate VPN traps (OID 1.3.6.1.4.1.12356.101.2.0)
• FortiGate IPS traps (OID 1.3.6.1.4.1.12356.101.2.0)
• FortiGate antivirus traps (OID 1.3.6.1.4.1.12356.101.2.0)
• FortiGate HA traps (OID 1.3.6.1.4.1.12356.101.2.0)

Table 12: Generic Fortinet traps (OID 1.3.6.1.4.1.12356.1.3.0)

Index  Trap message (MIB name), followed by its description
.101   CPU usage high (fnTrapCpuThreshold)
       CPU usage exceeds 80%. This threshold can be set in the CLI using config system snmp sysinfo, set trap-high-cpu-threshold.
.102   Memory low (fnTrapMemThreshold)
       Memory usage exceeds 90%. This threshold can be set in the CLI using config system snmp sysinfo, set trap-low-memory-threshold.
.103   Log disk too full (fnTrapLogDiskThreshold)
       Log disk usage has exceeded the configured threshold. Only available on devices with log disks. This threshold can be set in the CLI using config system snmp sysinfo, set trap-log-full-threshold.
.104   Temperature too high (fnTrapTempHigh)
       A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See manual for specifications.
.105   Voltage outside acceptable range (fnTrapVoltageOutOfRange)
       Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
.106   Power supply failure (fnTrapPowerSupplyFailure)
       Power supply failure detected. Not available on all models. Available on some devices which support redundant power supplies.
.201   Interface IP change (fnTrapIpChange)
       The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
.999   Diagnostic trap (fnTrapTest)
       This trap is sent for diagnostic purposes. It has an OID index of .999.

Table 13: System traps (OID 1.3.6.1.6.3.1.1.5)

.1     ColdStart
.2     WarmStart
.3     LinkUp
.4     LinkDown
       Standard traps as described in RFC 1215.

Table 14: FortiGate VPN traps (OID 1.3.6.1.4.1.12356.101.2.0)

.301   VPN tunnel is up (fgTrapVpnTunUp)
       An IPSec VPN tunnel has started.
.302   VPN tunnel down (fgTrapVpnTunDown)
       An IPSec VPN tunnel has shut down.
         Local gateway address (fgVpnTrapLocalGateway) (OID 1.3.6.1.4.1.12356.101.12.3.1)
         Address of the local side of the VPN tunnel. This information is associated with both of the VPN tunnel traps.
         Remote gateway address (fgVpnTrapRemoteGateway) (OID 1.3.6.1.4.1.12356.101.12.3.2)
         Address of remote side of the VPN tunnel. This information is associated with both of the VPN tunnel traps.

Table 15: FortiGate IPS traps (OID 1.3.6.1.4.1.12356.101.2.0)

.503   IPS Signature (fgTrapIpsSignature)
       IPS signature detected.
.504   IPS Anomaly (fgTrapIpsAnomaly)
       IPS anomaly detected.
.505   IPS Package Update (fgTrapIpsPkgUpdate)
       The IPS signature database has been updated.
         (fgIpsTrapSigId) (OID 1.3.6.1.4.1.12356.101.9.3.1)
         ID of IPS signature identified in trap.
         (fgIpsTrapSrcIp) (OID 1.3.6.1.4.1.12356.101.9.3.2)
         IP Address of the IPS signature trigger.
         (fgIpsTrapSigMsg) (OID 1.3.6.1.4.1.12356.101.9.3.3)
         Message associated with IPS event.

Table 16: FortiGate antivirus traps (OID 1.3.6.1.4.1.12356.101.2.0)

.601   Virus detected (fgTrapAvVirus)
       The antivirus engine detected a virus in an infected file from an HTTP or FTP download or from an email message.
.602   Oversize file/email detected (fgTrapAvOversize)
       The antivirus scanner detected an oversized file.
.603   Filename block detected (fgTrapAvPattern)
       The antivirus scanner blocked a file that matched a known virus pattern.
.604   Fragmented file detected (fgTrapAvFragmented)
       The antivirus scanner detected a fragmented file or attachment.
.605   (fgTrapAvEnterConserve)
       The AV engine entered conservation mode due to low memory conditions.
.606   (fgTrapAvBypass)
       The AV scanner has been bypassed due to conservation mode.
.607   (fgTrapAvOversizePass)
       An oversized file has been detected, but has been passed due to configuration.
.608   (fgTrapAvOversizeBlock)
       An oversized file has been detected, and has been blocked.
         (fgAvTrapVirName) (OID 1.3.6.1.4.1.12356.101.8.3.1)
         The virus name that triggered the event.

Table 17: FortiGate HA traps (OID 1.3.6.1.4.1.12356.101.2.0)

.401   HA switch (fgTrapHaSwitch)
       The specified cluster member has transitioned from a slave role to a master role.
.402   HA State Change (fgTrapHaStateChange)
       The trap sent when the HA cluster member changes its state.
.403   HA Heartbeat Failure (fgTrapHaHBFail)
       The heartbeat failure count has exceeded the configured threshold.
.404   HA Member Unavailable (fgTrapHaMemberDown)
       An HA member becomes unavailable to the cluster.
.405   HA Member Available (fgTrapHaMemberUp)
       An HA member becomes available to the cluster.
         (fgHaTrapMemberSerial) (OID 1.3.6.1.4.1.12356.101.13.3.1)
         Serial number of an HA cluster member. Used to identify the origin of a trap when a cluster is configured.

Fortinet and FortiGate MIB fields

The FortiGate MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields on your computer.

To help locate a field, the object identifier (OID) number for each table of fields has been included. The OID number for a field is that field's position within the table, starting at 0. For example fnSysVersion has an OID of 1.3.6.1.4.1.12356.1.3.

The following tables include:
• FortiGate HA MIB Information fields (OID 1.3.6.1.4.1.12356.101.13.1)
• FortiGate HA unit stats fields (OID 1.3.6.1.4.1.12356.101.13.2)
• FortiGate Administrator accounts (OID 1.3.6.1.4.1.12356.101.6.1)
• FortiGate Virtual domains (OID 1.3.6.1.4.1.12356.101.3.1)
• FortiGate Virtual domain table entries (OID 1.3.6.1.4.1.12356.101.3.2.1)
• FortiGate Active IP sessions table (OID 1.3.6.1.4.1.12356.101.11.2.1.1)
• FortiGate Firewall policy statistics table (OID 1.3.6.1.4.1.12356.101.5.1.2.1.1)
• FortiGate Dialup VPN peers (OID 1.3.6.1.4.1.12356.101.12.2.1.1)
• VPN Tunnel table (OID 1.3.6.1.4.1.12356.101.12.2.2.1)
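The OID rule this section gives for both the trap tables and the MIB field tables (the base OID at the top of the table with the index appended), as an added Python example that is not Fortinet code: it resolves a received trap OID back to its name, attaches the payload objects from the indented rows of Tables 14 to 17 together with the fnSysSerial and sysName varbinds the guide says accompany every trap, and keeps unknown OIDs visible rather than dropping them. The fnSysSerial OID, the severities and the sample notification are assumptions constructed for the example.

```python
"""Decode Fortinet and FortiGate SNMP trap notifications with the OID rule this
section gives: a trap OID is the base OID at the top of its table plus the index.

Added example, not Fortinet code. Base OIDs and indexes follow Tables 12 and 14-17;
the notification below is constructed, not captured, and the fnSysSerial OID is an
assumption to confirm against your compiled FORTINET-CORE-MIB.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"    # snmpTrapOID.0, standard SNMPv2 varbind
SYS_NAME = "1.3.6.1.2.1.1.5.0"             # sysName.0 from MIB II
FN_SYS_SERIAL = "1.3.6.1.4.1.12356.1.1.1"  # fnSysSerial: ASSUMED for this MIB generation

FN_TRAPS = "1.3.6.1.4.1.12356.1.3.0"       # Table 12: generic Fortinet traps
FG_TRAPS = "1.3.6.1.4.1.12356.101.2.0"     # Tables 14-17: FortiGate traps

# index -> (trap name, severity a defender might assign when routing the alert)
TRAP_ROWS: Dict[str, Dict[int, Tuple[str, str]]] = {
    FN_TRAPS: {
        101: ("fnTrapCpuThreshold", "warning"),
        102: ("fnTrapMemThreshold", "warning"),
        103: ("fnTrapLogDiskThreshold", "warning"),
        201: ("fnTrapIpChange", "info"),
        999: ("fnTrapTest", "info"),
    },
    FG_TRAPS: {
        301: ("fgTrapVpnTunUp", "info"),
        302: ("fgTrapVpnTunDown", "warning"),
        401: ("fgTrapHaSwitch", "critical"),
        403: ("fgTrapHaHBFail", "critical"),
        404: ("fgTrapHaMemberDown", "critical"),
        503: ("fgTrapIpsSignature", "warning"),
        601: ("fgTrapAvVirus", "warning"),
        606: ("fgTrapAvBypass", "critical"),
    },
}

# Objects carried in FortiGate trap payloads (the indented rows of Tables 14-17).
PAYLOAD_OBJECTS: Dict[str, str] = {
    "1.3.6.1.4.1.12356.101.12.3.1": "fgVpnTrapLocalGateway",
    "1.3.6.1.4.1.12356.101.12.3.2": "fgVpnTrapRemoteGateway",
    "1.3.6.1.4.1.12356.101.9.3.1": "fgIpsTrapSigId",
    "1.3.6.1.4.1.12356.101.9.3.2": "fgIpsTrapSrcIp",
    "1.3.6.1.4.1.12356.101.9.3.3": "fgIpsTrapSigMsg",
    "1.3.6.1.4.1.12356.101.8.3.1": "fgAvTrapVirName",
    "1.3.6.1.4.1.12356.101.13.3.1": "fgHaTrapMemberSerial",
}


def trap_oid(base: str, index: int) -> str:
    """The guide's rule: full OID = table base OID + '.' + row index."""
    return f"{base}.{index}"


def resolve_trap(oid: str) -> Optional[Tuple[str, str]]:
    """Invert trap_oid(): map a notification OID to (trap name, severity), or None."""
    base, _, index = oid.rpartition(".")
    if not index.isdigit():
        return None
    return TRAP_ROWS.get(base, {}).get(int(index))


@dataclass
class TrapRecord:
    trap: str
    severity: str
    serial: str = ""
    hostname: str = ""
    fields: Dict[str, str] = field(default_factory=dict)


def decode_notification(varbinds: List[Tuple[str, str]]) -> TrapRecord:
    """Turn an SNMPv2c notification's varbind list into a triage record.

    An unrecognised trap OID is kept and marked 'unknown' rather than dropped,
    so a MIB mismatch (for example v3.0 MIBs against a v4.0 unit) stays visible.
    """
    binds = dict(varbinds)
    oid = binds.get(SNMP_TRAP_OID, "")
    name, severity = resolve_trap(oid) or (f"unknown({oid})", "unknown")
    rec = TrapRecord(name, severity, binds.get(FN_SYS_SERIAL, ""), binds.get(SYS_NAME, ""))
    for vb_oid, value in varbinds:
        # Scalar trap objects arrive as <object OID>.0; accept either spelling.
        key = vb_oid[:-2] if vb_oid.endswith(".0") and vb_oid[:-2] in PAYLOAD_OBJECTS else vb_oid
        if key in PAYLOAD_OBJECTS:
            rec.fields[PAYLOAD_OBJECTS[key]] = value
    return rec


# Constructed sample: an HA failover trap (fgTrapHaSwitch, index .401) as a manager
# would receive it. The serial numbers and host name are placeholders, not real.
SAMPLE_HA_SWITCH: List[Tuple[str, str]] = [
    (SNMP_TRAP_OID, trap_oid(FG_TRAPS, 401)),
    (FN_SYS_SERIAL, "FGT-SERIAL-PLACEHOLDER"),
    (SYS_NAME, "fgt-cluster-a"),
    ("1.3.6.1.4.1.12356.101.13.3.1.0", "FGT-MEMBER-PLACEHOLDER"),
]

if __name__ == "__main__":
    print(decode_notification(SAMPLE_HA_SWITCH))
```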

Table 18: FortiGate HA MIB Information fields (OID 1.3.6.1.4.1.12356.101.13.1)

Index  MIB field, followed by its description
.1     fgHaSystemMode
       High-availability mode (Standalone, A-A or A-P).
.2     fgHaGroupId
       HA cluster group ID.
.3     fgHaPriority
       HA clustering priority (default 127).
.4     fgHaOverride
       Status of a master override flag.
.5     fgHaAutoSync
       Status of an automatic configuration synchronization, either enabled or disabled.
.6     fgHaSchedule
       Load balancing schedule for cluster in Active-Active mode.
.7     fgHaGroupName
       HA cluster group name.
.8     fgHaTrapMemberSerial
       Serial number of an HA cluster member.

Table 19: FortiGate HA unit stats fields (OID 1.3.6.1.4.1.12356.101.13.2)

       fgHaStatsTable
       Statistics for the individual FortiGate unit in the HA cluster.
.1     fgHaStatsIndex
       The index number of the unit in the cluster.
.2     fgHaStatsSerial
       The FortiGate unit serial number.
.3     fgHaStatsCpuUsage
       The current FortiGate unit CPU usage (%).
.4     fgHaStatsMemUsage
       The current unit memory usage (%).
.5     fgHaStatsNetUsage
       The current unit network utilization (Kbps).
.6     fgHaStatsSesCount
       The number of active sessions.
.7     fgHaStatsPktCount
       The number of packets processed.
.8     fgHaStatsByteCount
       The number of bytes processed by the FortiGate unit.
.9     fgHaStatsIdsCount
       The number of attacks that the IPS detected in the last 20 hours.
.10    fgHaStatsAvCount
       The number of viruses that the antivirus system detected in the last 20 hours.
.11    fgHaStatsHostname
       Hostname of HA Cluster's unit.

Table 20: FortiGate Administrator accounts (OID 1.3.6.1.4.1.12356.101.6.1)

.1     fgAdminIdleTimeout
       Idle period after which an administrator is automatically logged out of the system.
.2     fgAdminLcdProtection
       Status of the LCD protection.
       fgAdminTable
       Table of administrators on this FortiGate unit.
         fgAdminVdom
         The virtual domain the administrator belongs to.

Table 21: FortiGate Virtual domains (OID 1.3.6.1.4.1.12356.101.3.1)

       fgVdInfo
       FortiGate unit Virtual Domain related information.
.1     fgVdNumber
       The number of virtual domains configured on this FortiGate unit.
.2     fgVdMaxVdoms
       The maximum number of virtual domains allowed on the FortiGate unit as allowed by hardware or licensing.
.3     fgVdEnabled
       Whether virtual domains are enabled on this FortiGate unit.

Table 22: FortiGate Virtual domain table entries (OID 1.3.6.1.4.1.12356.101.3.2.1)

       fgVdTable.fgVdEntry
       Table of information about each virtual domain—each virtual domain has an fgVdEntry. Each entry has the following fields.
.1     fgVdEntIndex
       Internal virtual domain index used to uniquely identify entries in this table. This index is also used by other tables referencing a virtual domain.
.2     fgVdEntName
       The name of the virtual domain.
.3     fgVdEntOpMode
       Operation mode of this virtual domain, either NAT or Transparent.

Table 23: FortiGate Active IP sessions table (OID 1.3.6.1.4.1.12356.101.11.2.1.1)

.1     fgIpSessIndex
       The index number of the IP session within the fgIpSessTable table.
.2     fgIpSessProto
       The IP protocol the session is using (IP, TCP, UDP, etc.).
.3     fgIpSessFromAddr
       The source IPv4 address of the active IP session.
.4     fgIpSessFromPort
       The source port of the active IP session (UDP and TCP only).
.5     fgIpSessToAddr
       The destination IPv4 address of the active IP session.
.6     fgIpSessToPort
       The destination port of the active IP session (UDP and TCP only).
.7     fgIpSessExp
       The number of seconds remaining until the session expires (if idle).
.8     fgIpSessVdom
       Virtual domain the session is part of. Corresponds to the index in fgVdTable.
       fgIpSessStatsTable
       IP Session statistics table for the virtual domain.
         fgIpSessStatsEntry.fgIpSessNumber
         Total sessions on this virtual domain.

Table 24: FortiGate Firewall policy statistics table (OID 1.3.6.1.4.1.12356.101.5.1.2.1.1)

       fgFwPolicyStatsTable.fgFwPolicyStatsEntry
       Entries in the table for firewall policy statistics on a virtual domain.
.1     fgFwPolicyID
       Firewall policy ID. Only enabled policies are available for querying. Policy IDs are only unique within a virtual domain.
.2     fgFwPolicyPktCount
       Number of packets matched to policy (passed or blocked, depending on policy action). Count is from the time the policy became active.
.3     fgFwPolicyByteCount
       Number of bytes matched to policy (passed or blocked, depending on policy action). Count is from the time the policy became active.

Table 25: FortiGate Dialup VPN peers (OID 1.3.6.1.4.1.12356.101.12.2.1.1)

.1     fgVpnDialupIndex
       An index value that uniquely identifies a VPN dial-up peer in the table.
.2     fgVpnDialupGateway
       The remote gateway IP address on the tunnel.
.3     fgVpnDialupLifetime
       VPN tunnel lifetime in seconds.
.4     fgVpnDialupTimeout
       Time remaining until the next key exchange (seconds) for this tunnel.
.5     fgVpnDialupSrcBegin
       Remote subnet address of the tunnel.
.6     fgVpnDialupSrcEnd
       Remote subnet mask of the tunnel.
.7     fgVpnDialupDstAddr
       Local subnet address of the tunnel.
.8     fgVpnDialupVdom
       The virtual domain this tunnel is part of. This index corresponds to the index in fgVdTable.
.9     fgVpnDialUpInOctets
       The number of bytes received over the tunnel.
.10    fgVpnDialUpOutOctets
       The number of bytes sent over the tunnel.

Table 26: VPN Tunnel table (OID 1.3.6.1.4.1.12356.101.12.2.2.1)

.1     fgVpnTunEntIndex
       An index value that uniquely identifies a VPN tunnel within the VPN tunnel table.
.2     fgVpnTunEntPhase1Name
       The descriptive name of the Phase1 configuration for the tunnel.
.3     fgVpnTunEntPhase2Name
       The descriptive name of the Phase2 configuration for the tunnel.
.4     fgVpnTunEntRemGwyIp
       The IP of the remote gateway used by the tunnel.
.5     fgVpnTunEntRemGwyPort
       The port of the remote gateway used by the tunnel, if it is UDP.
.6     fgVpnTunEntLocGwyIp
       The IP of the local gateway used by the tunnel.
.7     fgVpnTunEntLocGwyPort
       The port of the local gateway used by the tunnel, if it is UDP.
.8     fgVpnTunEntSelectorSrcBeginIp
       Beginning of the address range of the source selector.
.9     fgVpnTunEntSelectorSrcEndIp
       Ending of the address range of the source selector.
.10    fgVpnTunEntSelectorSrcPort
       Source selector port.
.11    fgVpnTunEntSelectorDstBeginIp
       Beginning of the address range of the destination selector.
.12    fgVpnTunEntSelectorDstEndIp
       Ending of the address range of the destination selector.
.13    fgVpnTunEntSelectorDstPort
       Destination selector port.
.14    fgVpnTunEntSelectorProto
       Protocol number for the selector.
.15    fgVpnTunEntLifeSecs
       Lifetime of the tunnel in seconds, if time based lifetime is used.
.16    fgVpnTunEntLifeBytes
       Lifetime of the tunnel in bytes, if byte transfer based lifetime is used.
.17    fgVpnTunEntTimeout
       Timeout of the tunnel in seconds.
.18    fgVpnTunEntInOctets
       Number of bytes received on the tunnel.
.19    fgVpnTunEntOutOctets
       Number of bytes sent out on the tunnel.
.20    fgVpnTunEntStatus
       Current status of the tunnel, either up or down.
.21    fgVpnTunEntVdom
       Virtual domain the tunnel belongs to. This index corresponds to the index used in fgVdTable.

Replacement messages

The FortiGate unit adds replacement messages to a variety of content streams. For example, if a virus is found in an email message attachment, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by email filtering.

Go to System > Config > Replacement Message to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.

Note: Disclaimer replacement messages provided by Fortinet are examples only.

This topic contains the following:
• VDOM and global replacement messages
• Viewing the replacement messages list
• Changing replacement messages
• Mail replacement messages
• HTTP replacement messages
• Web Proxy replacement messages
• FTP replacement messages
• NNTP replacement messages
• Alert Mail replacement messages
• Spam replacement messages
• Administration replacement message
• User authentication replacement messages
• FortiGuard Web Filtering replacement messages
• IM and P2P replacement messages
• Endpoint NAC replacement messages
• NAC quarantine replacement messages
• Traffic quota control replacement messages
• SSL VPN replacement message
• Replacement message tags

VDOM and global replacement messages

FortiGate units include global replacement messages that are used by all VDOMs. At the global level you can customize replacement messages or reset modified messages to their factory defaults. In each VDOM you can customize any replacement message for that VDOM as needed, overriding the global message.

If you are viewing the replacement messages list in a VDOM, any messages that have been customized for that VDOM are displayed with a Reset icon that you can use to reset the replacement message to the global version. If you decide to revert a customized message to the global message, view the customized message in the replacement messages list and select its Reset icon to revert the message to the global version.

Viewing the replacement messages list

You use the replacement messages list to view and customize replacement messages to your requirements. To view the replacement messages list, go to System > Config > Replacement Message. The list organizes replacement messages into a number of types (for example, Mail, HTTP, and so on). Use the expand arrow beside each type to display the replacement messages for that category. Select the Edit icon beside each replacement message to customize that message for your requirements. If you decide to revert a customized message to the default message, view the customized message in the replacement messages list and select its Reset icon to revert the message to the default version.

Replacement Messages page

Name: The replacement message category. Replacement messages are grouped by their associated FortiOS feature; each category contains several replacement messages that are used by different FortiGate features. For example, the virus message is placed in the Mail group. Select the expand arrow to expand or collapse the category.
Description: A description of the replacement message.
Edit: Select to change or view a replacement message.
Reset: Select to revert to the global version of this replacement message. Only displayed on a VDOM replacement message list.

Changing replacement messages

To change a replacement message go to System > Config > Replacement Message. Use the expand arrows to view the replacement message that you want to change. Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. You should not use HTML code in Text messages. You can include replacement message tags in text and HTML messages. There is a limit of 8192 characters for each replacement message. You can change the content of the replacement message by editing the text and HTML codes and by working with replacement message tags. Different replacement messages have different sets of fields and options. The following fields and options are available when editing a replacement message.

Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the user can send whatever traffic is allowed by the firewall policy.

The Replacement Message page of a replacement message

Message Setup: The name of the replacement message.
Allowed Formats: The type of content that can be included in the replacement message. Allowed formats can be Text or HTML. Allowed Formats shows you which format to use in the replacement message. Email replacement messages are text messages.
Size: The number of characters allowed in the replacement message. Usually the size is 8192 characters.
Message Text: The editable text of the replacement message. The message text can include text, HTML codes (if HTML is the allowed format) and replacement message tags. For descriptions of the replacement message tags, see Table 38 on page 161.

Mail replacement messages

The FortiGate unit sends the mail replacement messages listed in Table 27 to email clients and servers using IMAP, POP3, or SMTP when an event occurs such as antivirus blocking a file attached to an email that contains a virus. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to IMAPS, POP3S, and SMTPS email messages. For more information, see the UTM chapter of the FortiOS Handbook. The replacement messages are described below.

Table 27: Mail replacement messages

Virus message: When Virus Scan is enabled for an email protocol within an antivirus profile, and if a match is detected, the infected file from the email message is deleted and replaced with this message.
Virus message (splice mode): If Splice mode is enabled, and the antivirus system detects a virus in an SMTP email message, the FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
File block message: When File Filter is enabled and includes the file filter list within an antivirus profile, and if a match is detected, the file is removed and replaced with this message.
File block message (splice mode): If Splice mode is enabled, and the antivirus file filter deleted a file from an SMTP email message, the FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Oversized file message: When Oversized File/Email is set to Block within a protocol options list, the incoming file is blocked and triggers this message.
Oversized file message (splice mode): If Splice mode is enabled and the protocol option Oversized File/Email is set to Block, the FortiGate unit blocks an oversize SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Fragmented email message: If Allow Fragmented Emails is not enabled in a protocol options list, a fragmented email is blocked. This message replaces the first fragment of the fragmented email.
Data leak prevention message: In a DLP sensor, a rule with action set to Block stops blocked messages and this message is directed to the sender.
Subject of data leak prevention message: This message is added to the subject field of all email messages replaced by a DLP sensor that has Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.
Sender banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.

HTTP replacement messages

The FortiGate unit sends the HTTP replacement messages listed in Table 28 to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages. If the FortiGate unit supports SSL content scanning and inspection, and if Enable Deep Scan is enabled under HTTPS in the protocol options list, these replacement messages can also replace web pages downloaded using the HTTPS protocol. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook.

Table 28: HTTP replacement messages

Virus message: If Virus Scan is enabled for HTTP or HTTPS in an antivirus profile, and if a match is detected, the file is blocked and replaced with this web page.
Infection cache message: If Virus Scan is enabled for HTTP or HTTPS in an antivirus profile, and if a match is detected, the blocked page is replaced with this web page. This message is triggered only after the blocked URL is attempted for a second time. A web filter profile that has client comforting enabled helps to trigger this message. For more information about the client comforting URL cache, see "HTTP and FTP client comforting" on page 320.
File block message: If File Filter is enabled for HTTP or HTTPS in an antivirus profile, the FortiGate unit blocks a file being downloaded that uses an HTTP GET which matches an entry in the selected file filter list. It is then replaced with this web page that the client's browser displays.
Oversized file message: If Oversized File/Email is set to Block for HTTP or HTTPS in a protocol options list, the FortiGate unit blocks an oversized file that is being downloaded that uses an HTTP GET and replaces the file with this web page that is displayed by the client browser.
Data leak prevention message: In a DLP sensor, a rule with action set to Block blocks a page/file that the user loads using HTTP GET and replaces it with this web page. It can also block the user sending information that uses HTTP POST.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with this web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.
Banned word message: If Web content filtering is enabled in a web filter profile, and the banned word's score exceeds the threshold set in the web filter profile, the page is blocked and the blocked page is replaced with this web page.
Content-type block message: If a specific content-type is blocked, the blocked message is replaced with this web page. Email headers include information about content types such as image for pictures, and so on.
URL block message: If Web URL filtering is enabled in a web filter profile, and if a match is detected, a web page with a matching URL is blocked. The blocked page is replaced with this web page.
Client block message: If File Filter is enabled for HTTP or HTTPS in an antivirus profile, a file being uploaded by an HTTP POST is blocked and is replaced with this web page that is displayed by the client browser.
Client anti-virus message: If Virus Scan is enabled for HTTP or HTTPS in an antivirus profile, and if a match is detected, the infected file that is being uploaded using FTP PUT is replaced with this web page that is displayed by the client browser.
Client filesize message: If Oversized File/Email is set to Block for HTTP or HTTPS in a protocol options list, and an oversized file is being uploaded using FTP PUT, the file is blocked and replaced with this web page.
Client banned word message: If Web content filtering is enabled in a web filter profile, and if a match is detected, the FortiGate unit blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Filter list.
POST block message: HTTP POST Action is set to Block in a profile and the FortiGate unit blocks an HTTP POST and displays this web page.

Web Proxy replacement messages

The FortiGate unit sends the Web Proxy replacement messages listed in Table 29 when a web proxy event occurs that is detected and matches the web proxy configuration. These replacement messages are web pages that appear within your web browser.

The following web proxy replacement messages require an identity-based firewall policy so that the web proxy is successful. You can also enable FTP-over-HTTP by selecting the FTP option in System > Network > Web Proxy.

Table 29: Web Proxy replacement messages

Web proxy access denied: If no web proxy policy is defined, and the default action is set to Deny, this message displays. This message also displays when both of the following are true:
• no web proxy policy is defined OR no existing policy matches the incoming request
• default action is set to Deny (System > Network > Web Proxy)
Note: The default action is ignored when there is at least one web policy defined. However, this replacement message also appears if the user is not allowed to view the requested resources.
Web proxy user limit: If you have enabled user-limit within config system replacemsg webproxy (CLI only), this message is triggered when a web proxy user has met the threshold that is defined in global resources or vdom resources.
Web proxy login challenge: This replacement message is triggered by a log in, and is always sent to the client's browser when it is triggered. However, some browsers (Internet Explorer and Firefox) are unable to display this replacement message.
Web proxy login fail: If a user name and password authentication combination is entered, and is rejected as incorrect, this replacement message appears.
Web proxy user authorization fail: If a username and password is entered and is correct (for example in an FSAE setup where the authentication passes), but the user group does not match a user group defined in the firewall policy, this replacement message appears.
Web proxy HTTP error: This replacement message is triggered whenever there is a web proxy HTTP error, for example, error 404: web page is not found. This message forwards the actual server's error message and a web proxy internal error message.

FTP replacement messages

The FortiGate unit sends the FTP replacement messages listed in Table 30 to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session. FTP replacement messages are text messages.

Table 30: FTP replacement messages

Virus message: If Virus Scan is enabled for FTP in an antivirus profile, and if a match is detected, the infected file is deleted when being downloaded using FTP and this message is sent to the FTP client.
Blocked message: If File Filter is enabled for FTP in an antivirus profile, and if a match is detected, a file being downloaded using FTP is blocked and this message is sent to the FTP client.
Oversized message: If Oversized File/Email is set to Block for FTP in an antivirus profile, an oversize file that is being downloaded using FTP is blocked, and this message is sent to the FTP client.
DLP message: In a DLP sensor, a rule with action set to Block replaces a blocked FTP download with this message.
DLP ban message: In a DLP sensor, a rule with action set to Ban blocks an FTP session if a match is detected, for operations such as FTP PUT and FTP GET. This message is displayed whenever the banned user attempts access until the user is removed from the banned user list.

NNTP replacement messages

The FortiGate unit sends the NNTP replacement messages listed in Table 31 to NNTP clients when an event occurs such as antivirus blocking a file attached to an NNTP message that contains a virus. NNTP replacement messages are text messages.

Table 31: NNTP replacement messages

Virus message: If Virus Scan is enabled for NNTP in an antivirus profile, and if a match is detected, an infected file attached to an NNTP message is deleted and this message is sent to the client.
Blocked message: If File Filter is enabled for NNTP in an antivirus profile, and if a match is detected, a file attached to an NNTP message is blocked and this message is sent to the client.
Oversized message: If Oversized File/Email is set to Block for NNTP in a protocol options list, and if a match is detected, the FortiGate unit removes an oversized file from an NNTP message and replaces the file with this message.
Data Leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked NNTP message with this message.
Subject of data leak prevention message: If the DLP sensor contains Block, Ban, Quarantine IP address, and Quarantine interface actions, and if a match is detected, this message is added to the subject field of all NNTP messages.
Banned by data leak prevention message: In a DLP sensor, a rule with the action set to Ban replaces a blocked NNTP message with this message when a match is detected. This message also replaces any additional NNTP messages that the banned user sends until they are removed from the banned user list.

Alert Mail replacement messages

The FortiGate unit adds the alert mail replacement messages listed in Table 32 to alert email messages sent to administrators. Alert mail replacement messages are text messages.

If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level. For more information about alert email, see "Alert E-mail" on page 428.

Table 32: Alert mail replacement messages

Virus message: If Virus detected is enabled for alert email messages, Virus Scan must be enabled in an antivirus profile as well; if a match is detected with both enabled, this message displays.
Block message: If Virus detected is enabled for alert email messages, File Filter must be enabled in an antivirus profile as well; if a match is detected with both enabled, this message displays.
Intrusion message: If Intrusion detected is enabled for alert email messages, an IPS Sensor or a DoS Sensor must also be enabled; if a match is detected, including an attack, this message displays.
Critical event message: Whenever a critical level event log message is generated, this replacement message is sent; however, unless you configure alert email with Send alert email for logs based on severity enabled and set the Minimum log level to Alert or Emergency, this message does not appear.
Disk full message: If Disk usage is enabled for alert email messages, and if disk usage reaches the % configured for alert email, this message displays.

Spam replacement messages

The FortiGate unit adds the Spam replacement messages listed in Table 33 to SMTP server responses if the email message is identified as spam and the spam action is discard. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to SMTPS server responses. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook.

Table 33: Spam replacement messages

Email IP: If IP address BWL check is enabled for an email protocol in an email filter profile, and if a match is detected on the last hop IP address, this replacement message is added.
DNSBL/ORDBL: If spamrbl is enabled in the CLI for an email protocol in an email filter profile, and if a match is detected and identified as spam, this replacement message is added.
HELO/EHLO domain: If HELO DNS lookup is enabled for an email protocol within an email filter profile and if a match is detected, this replacement message is added. HELO DNS lookup is not available for SMTPS.
Email address: If E-mail Address BWL check is enabled for an email protocol in an email filter profile, and if a match is detected that identifies an email message as spam, this replacement message is added.
Mime header: If spamhdrcheck is enabled in the CLI for an email protocol within an email filter profile, and if a match is detected and identified as spam, this replacement message is added.
Returned email domain: If Return e-mail DNS check is enabled for an email protocol in an email filter profile, and if a match is detected and identified as spam, this replacement message is added.
Banned word: If Banned word check is enabled for an email protocol in an email filter profile, and if a match is detected and identified as spam, this replacement message is added.
Spam submission message: Any Email Filtering option enabled for an email protocol in an email filter profile that identifies an email message as spam adds this replacement message. Email Filtering adds this message to all email tagged as spam. The message describes a button that the recipient of the message can select to submit the email signatures to the FortiGuard Antispam service if the email was incorrectly tagged as spam (a false positive).

Administration replacement message

If you enter the following CLI command the FortiGate unit displays the Administration Login disclaimer whenever an administrator logs into the FortiGate unit web-based manager or CLI.

    config system global
        set access-banner enable
    end

The web-based manager administrator login disclaimer contains the text of the Login Disclaimer replacement message as well as Accept and Decline buttons. The administrator must select Accept to log in.

User authentication replacement messages

The FortiGate unit uses the text of the authentication replacement messages listed in Table 34 for the user authentication HTML pages that are displayed when a user is required to authenticate because a firewall policy includes at least one identity-based policy that requires firewall users to authenticate. These replacement message pages are for authentication using HTTP and HTTPS. You cannot customize the firewall authentication messages for FTP and Telnet. For more information about identity-based policies, see "Identity-based firewall policies" on page 267.

Users see the authentication login page when they use a VPN or a firewall policy that requires authentication. Authentication replacement messages are HTML messages. The authentication login page and the authentication disclaimer include replacement tags and controls not found on other replacement messages. There are some unique requirements for these replacement messages:
• The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST"
• The form must contain the following hidden controls:
  • <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
  • <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
  • <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
• The form must contain the following visible controls:
  • <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
  • <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>

Example

The following is an example of a simple authentication page that meets the requirements listed above. You can customize this page in the same way as you modify other replacement messages.

    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>
    <FORM ACTION="/" method="post">
    <INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
    <TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0" CELLPADDING="15"
      CELLSPACING="0" WIDTH="320"><TBODY>
    <TR><TH>Username:</TH>
    <TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"></TD></TR>
    <TR><TH>Password:</TH>
    <TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password"></TD></TR>
    <TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
    <INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
    <INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
    <INPUT VALUE="Continue" TYPE="submit">
    </TD></TR></TBODY></TABLE></FORM></BODY></HTML>

Table 34: Authentication replacement messages

Disclaimer page: If Enable Disclaimer and Redirect URL to (within Enable Identity Based Policy in a firewall policy) is selected in a firewall policy, this disclaimer page displays. The CLI includes auth-disclaimer-page-1, auth-disclaimer-page-2, and auth-disclaimer-page-3 that you can use to increase the size of the authentication disclaimer page replacement message. For more information, see the FortiGate CLI Reference.
Declined disclaimer page: When a firewall user selects the button on the Disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed.
Login page: The HTML page displayed for firewall users who are required to authenticate using HTTP or HTTPS before connecting through the FortiGate unit.
Login failed page: The HTML page displayed if firewall users enter an incorrect user name and password combination.
Login challenge page: The HTML page displayed if firewall users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, "Please enter new PIN"). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified. The Login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
Keepalive page: The HTML page displayed after a firewall user authenticates with the FortiGate unit using HTTP or HTTPS, when firewall authentication keepalive is enabled using the following command:

    config system global
        set auth-keepalive enable
    end

Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. Go to User > Options to set the Authentication Timeout.

FortiGuard Web Filtering replacement messages

The FortiGate unit sends the FortiGuard Web Filtering replacement messages listed in Table 35 to web browsers using the HTTP protocol when FortiGuard web filtering blocks a URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web Filtering replacement messages are HTTP pages. If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the antivirus profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook.

Table 35: FortiGuard Web Filtering replacement messages

URL block message: If FortiGuard Web Filtering is enabled in a web filter profile for HTTP or HTTPS, and if a match is detected, a web page is blocked. The blocked page is replaced with this web page.
HTTP error message: If Provide details for blocked HTTP 4xx and 5xx errors is enabled in a web filter profile for HTTP or HTTPS, and if a match is detected, a web page is blocked and that blocked web page is replaced with this web page.
FortiGuard Web Filtering override form: If Allow Override is selected for a FortiGuard Web Filtering category, and FortiGuard Web Filtering blocks a web page in this category, this message displays as a web page. Using this web page users can authenticate to get access to the page. The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page. Do not remove this tag from the replacement message. Go to UTM > Web Filter > Override to add override rules. For more information, see "Administrative overrides" on page 324.
FortiGuard Web Filtering quota expired message: If FortiGuard Quota is enabled within a web filter profile, and if a match is detected, this message is added.

IM and P2P replacement messages

The FortiGate unit sends the IM and P2P replacement messages listed in Table 36 to IM and P2P clients using AIM, ICQ, MSN, or Yahoo! Messenger when an event occurs such as antivirus blocking a file attached to a message that contains a virus. IM and P2P replacement messages are text messages.

Table 36: IM and P2P replacement messages

File block message: If File Filter is enabled for IM in an application control list, the FortiGate unit deletes a file that matches an entry in the selected file filter list and replaces it with this message.
File name block message: If Antivirus File Filter is enabled for IM in an application control list, the FortiGate unit deletes a file with a name that matches an entry in the selected file filter list and replaces it with this message.
Virus message: If Virus Scan is enabled for IM in an application control list, the FortiGate unit deletes an infected file and replaces the file with this message.
Oversized file message: If Oversized File/Email is set to Block for IM in a protocol options list, an oversized file is removed and replaced with this message.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked IM or P2P message with this message.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked IM or P2P message with this message. This message also replaces any additional messages that the banned user sends until they are removed from the banned user list.
Voice chat block message: In an application control list, the Block Audio option is selected for AIM, ICQ, MSN, or Yahoo! and the application control list is applied to a firewall policy.
Photo share block message: In an application control list, the block-photo CLI keyword is enabled for MSN, and the application control list is applied to a firewall policy. You enable photo blocking from the CLI.

Endpoint NAC replacement messages

The FortiGate unit sends one of the following pages to non-compliant users who attempt to use a firewall policy in which Endpoint NAC is enabled:

You can customize the pages as required. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. DoS Message 160 FortiGate Version 4. This replacement message is not displayed if quarantine is set to both. • To modify these messages. The page that is displayed for the user depends on whether NAC quarantine blocked the user because a virus was found. see “Endpoint” on page 403. If you modify this replacement message. for example to include an email address or other contact information or if applicable a note about how long the user can expect to be blocked. be sure to retain the %%LINK%% tag which provides the download URL for the FortiClient installer. The user can download the FortiClient Endpoint Security application installer. The user can either download the FortiClient Endpoint Security application installer or select the Continue to link to access their desired destination. If you modify this replacement message. if they attempt to start an HTTP session through the FortiGate unit using TCP port 80. or FortiGate interface to the banned user list. For more information about Endpoint NAC. an IPS sensor detected an attack.Replacement messages System Config • Endpoint NAC Download Portal — The FortiGate unit sends this page if the Endpoint NAC profile has the Quarantine Hosts to User Portal (Enforce compliance) option selected. Endpoint NAC Recommendation Portal — The FortiGate unit sends this page if the Endpoint NAC profile has the Notify Hosts to Install FortiClient (Warn only) option selected.fortinet. NAC quarantine replacement messages When a user is blocked by NAC quarantine or a DLP sensor with action set to Quarantine IP address or Quarantine Interface. 
be sure to retain both the %%LINK%% tag which provides the download URL for the FortiClient installer and the %%DST_ADDR%% link that contains the URL that the user requested. For more information about NAC quarantine see “The Banned User list” on page 401. a DoS sensor detected an attack. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. Expand Endpoint NAC and edit the Endpoint NAC replacement message that you want to modify.com/ • Feedback . go to System > Config > Replacement Messages. or a DLP rule with action set to Quarantine IP address or Quarantine Interface matched a session from the user. Table 37: NAC quarantine replacement messages Message name Description Virus Message If Quarantine Virus Sender is enabled in an antivirus profile adds a source IP address or FortiGate interface to the banned user list. a destination IP. the FortiGate unit connects them to one of the four NAC Quarantine HTML pages listed in Table 37.0 MR2 Administration Guide 01-420-89802-20100507 http://docs. For a DoS Sensor the CLI quarantine option set to attacker or interface and the DoS Sensor added to a DoS firewall policy adds a source IP. The default messages inform the user of why they are seeing this page and recommend they contact the system administrator.

For HTTP this is the IP address of web page that sent the virus. FortiGate Version 4. When users receive the replacement message. For email this is the IP address of the email server that sent the email containing the virus. or a FortiGate interface to the banned user list. The form must contain the %%SSL_HIDDEN%% tag. see the FortiGate Fundamentals chapter of the FortiOS Handbook. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.fortinet. users see the Traffic shaper block message or the Per IP traffic shaper block message when they attempt to connect through the FortiGate unit using HTTP. The IP address of the request destination from which a virus was received. Table 38: Replacement message tags Tag %%AUTH_LOGOUT%% Description The URL that will immediately delete the current policy and close the session. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. If Action set to Quarantine IP address or Quarantine Interface in a DLP sensor adds a source IP address or a FortiGate interface to the banned user list. the replacement message tag is replaced with content relevant to the message. For information about traffic quotas. DLP Message Traffic quota control replacement messages When user traffic going through the FortiGate unit is blocked by traffic shaping quota controls. 
Replacement message tags Replacement messages can include replacement message tags.System Config Replacement messages Table 37: NAC quarantine replacement messages (Continued) Message name Description IPS Message If Quarantine Attackers enabled in an IPS sensor filter or override and the IPS sensor applied to a firewall policy adds a source IP address. SSL VPN replacement message The SSL VPN login replacement message is an HTML replacement message that formats the FortiGate SSL VPN portal login page. You can customize this replacement message according to your organization’s needs. %%CATEGORY%% %%DEST_IP%% The name of the content category of the web site. This replacement message is not displayed if method is set to Attacker and Victim IP Address.0 MR2 Administration Guide 01-420-89802-20100507 http://docs. Used on the auth-keepalive page. • • • The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%" The form must contain the %%SSL_LOGIN%% tag to provide the login form. %%AUTH_REDIR_URL%% The auth-keepalive page can prompt the user to open a new window which links to this tag. The page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work. a destination IP address. The traffic quota HTTP pages should contain the %%QUOTA_INFO%% tag to display information about the traffic shaping quota setting that is blocking the user. Table 38 lists the replacement message tags that you can add.com/ • Feedback 161 .

Configured number of seconds between authentication keepalive connections. %%PROTOCOL%% is added to alert email virus messages.com/ • Feedback . %%FILE%% %%FORTIGUARD_WF%% %%FORTINET%% %%LINK%% %%HTTP_ERR_CODE%% %%HTTP_ERR_DESC%% %%NIDSEVENT%% %%OVERRIDE%% %%OVRD_FORM%% %%PROTOCOL%% %%QUARFILENAME%% %%QUOTA_INFO%% %%QUESTION%% %%SERVICE%% %%SOURCE_IP%% %%TIMEOUT%% %%URL%% %%VIRUS%% 162 FortiGate Version 4. This could be a file that contained a virus or was blocked by antivirus file blocking. Used on the auth-keepalive page. “404” for example. The HTTP error description. The name of a file that has been removed from a content stream. or smtp) in which a virus was detected. pop3.Web Filtering logo. The name of a file that has been removed from a content stream and added to the quarantine. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked. imap. Prompt to enter username and password on auth-login page. The name of a virus that was found in a file by the antivirus system. The FortiGuard . %%QUARFILENAME%% can be used in virus and file block messages. The IP address of the request originator who would have received the blocked file. The Fortinet logo. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed. This could be a file that contained a virus or was blocked by antivirus file blocking.Replacement messages System Config Table 38: Replacement message tags (Continued) Tag %%EMAIL_FROM%% %%EMAIL_TO%% Description The email address of the sender of the message from which the file was removed. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides. The link to the FortiGuard Web Filtering override form.fortinet. The name of the web filtering service. 
This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages. This can be a web page that is blocked by web filter content or URL blocking. The IPS attack message. Quarantining is only available on FortiGate units with a local disk. Used in traffic quota control replacement messages. %%VIRUS%% can be used in virus messages %%FAILED_MESSAGE%% The failed to login message displayed on the auth-login-failed page. %%FILE%% can be used in virus and file block messages. The email address of the intended receiver of the message from which the file was removed. ftp. The HTTP error code. The URL of a web page. %%NIDSEVENT%% is added to alert email intrusion messages. The FortiGuard web filter block override form. The protocol (http.0 MR2 Administration Guide 01-420-89802-20100507 http://docs. Display information about the traffic shaping quota setting that is blocking the user. The link to the FortiClient Host Security installs download for the Endpoint Control feature. Authentication challenge question on auth-challenge page.
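As an added example (not code from this guide or from FortiOS), the following Python script lints a customized replacement message against the retain-this-tag rules above (Tables 35 to 38 and the SSL VPN login page guidelines) and shows how a renderer can substitute %%TAG%% placeholders while HTML-escaping values that originate from untrusted traffic, such as %%URL%%, %%FILE%% and %%VIRUS%%. The message keys such as ssl-login and endpoint-nac-download are labels chosen for this script, not FortiOS identifiers, and which tags expand to unit-generated markup is an assumption.

```python
"""Lint and render FortiGate-style replacement message templates.

Added example, not Fortinet or FortiOS code. The tag names and the
"retain this tag" rules are taken from the guide (Tables 35 to 38 and the
SSL VPN login page guidelines); the message keys used below (ssl-login,
endpoint-nac-download, ...) are labels chosen for this script.
"""
import html
import re

TAG_RE = re.compile(r"%%([A-Z_]+)%%")
FORM_RE = re.compile(r"<form\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Tags the guide says each customised message must (or should) keep.
REQUIRED_TAGS = {
    "ssl-login": {"SSL_ACT", "SSL_METHOD", "SSL_LOGIN", "SSL_HIDDEN"},
    "fortiguard-override-form": {"OVRD_FORM"},
    "endpoint-nac-download": {"LINK"},
    "endpoint-nac-recommendation": {"LINK", "DST_ADDR"},
    "traffic-shaper-block": {"QUOTA_INFO"},
    "per-ip-traffic-shaper-block": {"QUOTA_INFO"},
}

# Table 38: %%OVRD_FORM%% belongs only in the FortiGuard override form.
OVERRIDE_FORM_ONLY = {"OVRD_FORM"}

# Tags assumed to expand to markup generated by the unit itself (logos,
# the login form); everything else is treated as plain text when rendering.
MARKUP_TAGS = frozenset({"OVRD_FORM", "SSL_LOGIN", "SSL_HIDDEN",
                         "FORTINET", "FORTIGUARD_WF"})


def tags_in(template):
    """Set of tag names used in a template."""
    return set(TAG_RE.findall(template))


def lint(message_key, template):
    """Return a list of problems; an empty list means the template passes."""
    problems = []
    present = tags_in(template)
    for tag in sorted(REQUIRED_TAGS.get(message_key, set()) - present):
        problems.append(f"missing required tag %%{tag}%%")
    if message_key != "fortiguard-override-form":
        for tag in sorted(present & OVERRIDE_FORM_ONLY):
            problems.append(f"%%{tag}%% is only valid in the FortiGuard override form")
    if message_key == "ssl-login":
        # The guide: the page must contain a form with ACTION="%%SSL_ACT%%"
        # and METHOD="%%SSL_METHOD%%" (attribute names matched case-insensitively).
        forms = [{k.lower(): v for k, v in ATTR_RE.findall(attrs)}
                 for attrs in FORM_RE.findall(template)]
        if not any(f.get("action") == "%%SSL_ACT%%"
                   and f.get("method") == "%%SSL_METHOD%%" for f in forms):
            problems.append('no <form> with ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%"')
    return problems


def render(template, values):
    """Substitute %%TAG%% placeholders from `values`.

    Values that can carry attacker-influenced text (a blocked %%URL%%, a
    %%FILE%% name, a %%VIRUS%% name) are HTML-escaped so a customised page
    cannot be turned into a script injection vector; tags in MARKUP_TAGS are
    inserted verbatim. Tags with no value are left in place.
    """
    def substitute(match):
        tag = match.group(1)
        if tag not in values:
            return match.group(0)
        if tag in MARKUP_TAGS:
            return values[tag]
        return html.escape(values[tag], quote=True)
    return TAG_RE.sub(substitute, template)


# Constructed sample: a customised SSL VPN login page whose author dropped
# the %%SSL_HIDDEN%% tag while rearranging the form.
SAMPLE_SSL_LOGIN = """<html><body>
<form action="%%SSL_ACT%%" method="%%SSL_METHOD%%">
%%SSL_LOGIN%%
</form></body></html>"""

# Constructed sample: an IM virus message that embeds untrusted values.
SAMPLE_VIRUS_MESSAGE = "File %%FILE%% from %%URL%% was removed: %%VIRUS%%"

if __name__ == "__main__":
    for key, tpl in (("ssl-login", SAMPLE_SSL_LOGIN),
                     ("virus-message", "<p>%%OVRD_FORM%%</p>")):
        print(key, lint(key, tpl) or "ok")
    print(render(SAMPLE_VIRUS_MESSAGE,
                 {"FILE": "setup.exe", "URL": "http://example.test/<script>",
                  "VIRUS": "EICAR_Test_File"}))
```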

Operation mode and VDOM management access

You can change the operation mode of each VDOM independently of other VDOMs. This allows any combination of NAT/Route and Transparent operating modes on the FortiGate unit VDOMs. Management access to a VDOM can be restricted based on which interfaces and protocols can be used to connect to the FortiGate unit.

This topic contains the following:
• Changing the operation mode
• Management access

Changing the operation mode

You can set the operating mode for your VDOM and perform sufficient network configuration to ensure that you can connect to the web-based manager in the new mode. There are two operation modes for the FortiGate unit - NAT/Route and Transparent. Each mode is well suited to different situations.

To switch from NAT/Route to Transparent mode
1 Go to System > Config > Operation or select Change beside Operation Mode on the System Status page for the virtual domain.
2 From the Operation Mode list, select Transparent.
3 Enter the following information and select Apply.

Management IP/Netmask
    Enter the management IP address and netmask. This must be a valid IP address for the network from which you want to manage the FortiGate unit.

Default Gateway
    Enter the default gateway required to reach other networks from the FortiGate unit.

To switch from Transparent to NAT/Route mode
1 Go to System > Config > Operation or select Change beside Operation Mode on the System Status page for the virtual domain.
2 From the Operation Mode list, select NAT.
3 Enter the following information and select Apply.

Interface IP/Netmask
    Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.

Device
    Select the interface to which the Interface IP/Netmask settings apply.

Default Gateway
    Enter the default gateway required to reach other networks from the FortiGate unit.

Gateway Device
    Select the interface to which the default gateway is connected.

Management access

Management access defines how administrators are able to log on to the FortiGate unit to perform management tasks such as configuration and maintenance. Methods of access can include local access through the console connection, or remote access over a network or modem interface using various protocols including Telnet and HTTPS.

You can configure management access on any interface in your VDOM. See “Configuring administrative access to an interface” on page 96. In NAT/Route mode, the interface IP address is used for management access. In Transparent mode, you configure a single management IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see “Configuring the FortiGate unit for FDN and FortiGuard subscription services” on page 201).

The system administrator (admin) can access all VDOMs, and create regular administrator accounts. It does not matter to which VDOM the interface belongs. A regular administrator account can access only the VDOM to which it belongs. The management computer must connect to an interface in that VDOM. In both cases, the management computer must connect to an interface that permits management access and its IP address must be on the same network. Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH are preferred as they are more secure.

You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see “Settings” on page 178).
• Use Trusted Hosts to limit where the remote access can originate from.

System Admin

This section describes how to configure administrator accounts on your FortiGate unit. Administrators access the FortiGate unit to configure its operation. The factory default configuration has one administrator, admin. After connecting to the web-based manager or the CLI, you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration.

If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are configured globally for the entire FortiGate unit. For information about which options are global and which are per VDOM, see “VDOM configuration settings” on page 80 and “Global and per-VDOM settings” on page 80.

The following topics are included in this section:
• Administrators
• Admin profiles
• Central Management
• Settings
• Monitoring administrators
• FortiGate IPv6 support

Note: Always end your FortiGate session by logging out, in the CLI or the web-based manager. If you do not, the session remains open.

Administrators

There are two levels of administrator accounts:

System administrators
    Includes the factory default system administrator admin, any other administrators assigned to the super_admin profile, and any administrator that is assigned to the super_admin_readonly profile. Any administrator assigned to the super_admin admin profile, including the default administrator account admin, has full access to the FortiGate unit configuration and general system settings that includes the ability to:
    • enable VDOM configuration
    • create VDOMs
    • configure VDOMs
    • assign regular administrators to VDOMs
    • configure global options
    • customize the FortiGate web-based manager.
    The super_admin admin profile cannot be changed. It does not appear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in the System > Admin New/Edit Administrator dialog box.

Regular administrators
    An administrator with any admin profile other than super_admin. A regular administrator account has access to configuration options as determined by its Admin Profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For more information, see “Using virtual domains” on page 79.

Users assigned to the super_admin profile:
• cannot delete logged-in users who are also assigned the super_admin profile
• can delete other users assigned the super_admin profile and/or change the configured authentication method, password, or admin profile, only if the other users are not logged in
• can delete the default “admin” account only if the default admin user is not logged in.

By default, admin has no password. If the password of a user who is logged in is changed, the user will be logged out and prompted to re-authenticate with the new password. The password of users with the super_admin admin profile can be reset in the CLI.

Example: For the user ITAdmin with the admin profile super_admin, to set that user’s password to 123456:

    config sys admin
        edit ITAdmin
            set password 123456
        end

Example: For the user ITAdmin with the admin profile super_admin, to reset the password from 123456 to the default ‘empty’:

    config sys admin
        edit ITAdmin
            unset password 123456
        end

There is also an admin profile that allows read-only super admin privileges called super_admin_readonly. This profile cannot be deleted or changed, similar to the super_admin profile, and can be set only through the FortiGate CLI. Other than being read-only, the super_admin_readonly profile can view all the FortiGate configuration tools. The read-only super_admin profile is suitable in a situation where it is necessary for a system administrator to troubleshoot a customer configuration without being able to make changes. For more information, see the FortiGate CLI Reference.

You can authenticate an administrator by using a password stored on the FortiGate unit, a remote authentication server (such as LDAP, RADIUS, or TACACS+), or by using PKI certificate-based authentication. The password should be 32 characters or less. To authenticate an administrator with an LDAP or TACACS+ server, you must add the server to an authentication list, include the server in a user group, and associate the administrator with the user group. The RADIUS server authenticates users and authorizes access to internal network resources based on the admin profile of the user. Users authenticated with the PKI-based certificate are permitted access to internal network resources based on the user group they belong to and the associated admin profile.

A VDOM/admin profile override feature supports authentication of administrators via RADIUS. This feature is available only to wildcard administrators. There can only be one VDOM override user per system. The admin user will have access depending on which VDOM and associated admin profile he or she is restricted to.

This topic contains the following:
• Viewing the administrators list
• Configuring an administrator account
• Changing an administrator account password
• Configuring regular (password) authentication for administrators
• Configuring remote authentication for administrators
• Configuring PKI certificate authentication for administrators

Viewing the administrators list

You need to use the default “admin” account, an account with the super_admin admin profile, or an administrator with read-write access control to add new administrator accounts and control their permission levels. If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will show only the administrators for the current virtual domain. You cannot delete the original “admin” account until you create another user with the super_admin profile, log out of the “admin” account, and log in with the alternate user that has the super_admin profile.

To view the list of administrators, go to System > Admin > Administrators.

Administrators page
    Lists the default super_admin administrator account and all administrator accounts that you created.

Create New
    Add an administrator account.

Name
    The login name for an administrator account. The name of the administrator should not contain the characters <>()#"'. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability.

Trusted Hosts
    The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see “Using trusted hosts” on page 172.

Profile
    The admin profile for the administrator.

Type
    The type of authentication for this administrator, one of:
    Local            Authentication of an account with a local password stored on the FortiGate unit.
    Remote           Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server.
    Remote+Wildcard  Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
    PKI              PKI-based certificate authentication of an account.

Delete
    Delete the administrator account.

Edit
    Edit or view the administrator account.

Change Password
    Change the password for the administrator account. See “Changing an administrator account password” on page 168.

Configuring an administrator account

You need to use the default “admin” account, an account with the super_admin admin profile, or an administrator with read-write access control to create a new administrator. When you are configuring an administrator account, you can enable authentication for an admin from an LDAP, RADIUS or local server. For more information, see “Configuring regular (password) authentication for administrators” on page 168.

To create a new administrator, go to System > Admin > Administrators and select Create New.

New Administrator page
    Provides settings for configuring an administrator account.

Administrator
    Enter the login name for the administrator account.

Type
    Select the type of administrator account:
    Regular  Select to create a Local administrator account.
    Remote   Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first. For more information, see “Configuring remote authentication for administrators” on page 169.
    PKI      Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled. For more information, see “Configuring PKI certificate authentication for administrators” on page 172.

User Group
    Select the administrator user group that includes the Remote server/PKI (peer) users as members of the User Group. The administrator user group cannot be deleted once the group is selected for authentication. This is available only if Type is Remote or PKI.

Wildcard
    Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators. Only one wildcard user is permitted per VDOM. This is available only if Type is Remote.

Password
    Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI.

Confirm Password
    Type the password for the administrator account a second time to confirm that you have typed it correctly. This is not available if Wildcard is selected or when PKI authentication is selected.

Trusted Host #1, Trusted Host #2, Trusted Host #3
    Enter the trusted host IP address and netmask this administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0. For more information, see “Using trusted hosts” on page 172.

IPv6 Trusted Host #1, IPv6 Trusted Host #2, IPv6 Trusted Host #3
    Enter the trusted host IPv6 address and netmask this administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to ::/0. For more information, see “Using trusted hosts” on page 172.

Admin Profile
    Select the admin profile for the administrator. You can also select Create New to create a new admin profile. For more information on admin profiles, see “Configuring an admin profile” on page 176.

Changing an administrator account password

To change an administrator password, go to System > Admin > Administrators, and select the Change Password icon next to the administrator account you want to change the password for. Enter and confirm the new password, and select OK to save the changes.

For more information see the Fortinet Knowledge Base article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.

Configuring regular (password) authentication for administrators

You can use a password stored on the local FortiGate unit to authenticate an administrator. When you select Regular for Type, you will see Local as the entry in the Type column when you view the list of administrators.

To configure an administrator to authenticate with a password stored on the FortiGate unit
1 Go to System > Admin > Administrators.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:

Administrator
    A name for the administrator.

Type
    Regular.

Password
    A password for the administrator to use to authenticate.

Confirm Password
    The password entered in Password.

Admin Profile
    The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 167.
5 Select OK.

Note: If you forget or lose an administrator account password and cannot log in to your FortiGate unit, see the Fortinet Knowledge Base article Recovering a lost FortiGate administrator account password.

Note: Access to the FortiGate unit depends on the VDOM associated with the administrator account. For more information, see “Viewing the administrators list” on page 167.

Configuring remote authentication for administrators

You can authenticate administrators using RADIUS, LDAP, or TACACS+ servers. In order to do this, you must configure the server before you configure the FortiGate users or user groups that will need it. To use the RADIUS server for authentication, you must configure the server, include the server as a user in a user group, and create the administrator account to include in the user group.

Configuring RADIUS authentication for administrators

Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions. FortiGate units use the authentication and authorization functions of the RADIUS server. If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user’s credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the FortiGate unit refuses the connection.

If you want to use a RADIUS server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the FortiGate unit to access the RADIUS server
• create the RADIUS user group
• configure an administrator to authenticate with a RADIUS server.

The following instructions assume there is a RADIUS server on your network populated with the names and passwords of your administrators. For information on how to set up a RADIUS server, see the documentation for your RADIUS server. To view the RADIUS server list, go to User > Remote > RADIUS. For more information about RADIUS servers, see “RADIUS” on page 393 and the User Authentication chapter of the FortiOS Handbook.

To configure an administrator to authenticate with a RADIUS server
1 Go to System > Admin > Administrators.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:

Administrator
    A name that identifies the administrator.

Type
    Remote.

User Group
    The user group that includes the RADIUS server as a member.

Wildcard
    Select to allow all accounts on the RADIUS server to be administrators.

Password
    The password the administrator uses to authenticate.

Confirm Password
    The re-entered password that confirms the original entry in Password.

Admin Profile
    The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 167.
5 Select OK.

For more information about using a RADIUS server to authenticate system administrators, see the Fortinet Knowledge Base article Using RADIUS for Admin Access and Authorization.

Configuring LDAP authentication for administrators

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, printers, etc. If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. If the LDAP server cannot authenticate the administrator, the FortiGate unit refuses the connection.

If you want to use an LDAP server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure an LDAP server
• create an LDAP user group
• configure an administrator to authenticate with an LDAP server.

To view the LDAP server list, go to User > Remote > LDAP. For more information about LDAP servers, see “LDAP” on page 394 and the User Authentication chapter of the FortiOS Handbook.

To configure an administrator to authenticate with an LDAP server
1 Go to System > Admin > Administrators.
2 Select Create New or select the Edit icon beside an existing administrator account.
3 Enter the following information:

Name
    A name that identifies the administrator.

Type
    Remote.

User Group
    The user group that includes the LDAP server as a member.

Wildcard
    A check box that allows all accounts on the LDAP server to be administrators.

Password
    The password the administrator uses to authenticate. Not available if Wildcard is enabled.

Confirm Password
    The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.

Admin Profile
    The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 167.
5 Select OK.

Configuring TACACS+ authentication for administrators

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiGate unit contacts the TACACS+ server for authentication. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiGate unit.

If you want to use a TACACS+ server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the FortiGate unit to access the TACACS+ server
• create a TACACS+ user group
• configure an administrator to authenticate with a TACACS+ server.

To view the TACACS+ server list, go to User > Remote > TACACS+. For more information about configuring TACACS+ servers, see “TACACS+” on page 396 and the User Authentication chapter of the FortiOS Handbook.

To configure an administrator to authenticate with a TACACS+ server
1 Go to System > Admin > Administrators.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:

Administrator
    A name that identifies the administrator.

Type
    Remote.

User Group
    The user group that includes the TACACS+ server as a member.

Wildcard
    Select to allow all accounts on the TACACS+ server to be administrators.

Password
    The password the administrator uses to authenticate. Not available if Wildcard is enabled.

Confirm Password
    The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.

Admin Profile
    The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 167.
5 Select OK.

Configuring PKI certificate authentication for administrators

Public Key Infrastructure (PKI) authentication uses a certificate authentication library that takes a list of peers, peer groups, and user groups and returns authentication successful or denied notifications. Users only need a valid certificate for successful authentication; no username or password is necessary.

To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure a PKI user
• create a PKI user group
• configure an administrator to authenticate with a PKI certificate.

For more information about PKI users, see “PKI” on page 398 and the User Authentication chapter of the FortiOS Handbook. To view the PKI user list, go to User > PKI > PKI.

To configure an administrator to authenticate with a PKI certificate
1 Go to System > Admin > Administrators.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
  Administrator: A name that identifies the administrator.
  Type: PKI.
  User Group: The user group that includes the PKI user as a member.
  Admin Profile: The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see “Configuring an administrator account” on page 167.
5 Select OK.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access. Because this applies per account, review the trusted hosts of every account, including remote (RADIUS, LDAP, TACACS+) and PKI accounts, whenever you add one.

The trusted hosts you define apply both to the web-based manager and to the CLI when accessed through Telnet or SSH. CLI access through the console connector is not affected.

The trusted host addresses all default to 0.0.0.0/0.0.0.0 for IPv4 and ::/0 for IPv6. If you set one of the zero addresses to a non-zero address, the other zero addresses will be ignored. The only way to use a wildcard entry is to leave the trusted hosts at 0.0.0.0/0.0.0.0 or ::/0. However, this configuration is less secure.
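The trusted-host rules above, as an added example that is not part of the original guide or of FortiOS: a small Python model that evaluates whether a login from a given source address is allowed by an account's trusted host list, and which accounts leave the unit reachable from anywhere. The account names, addresses and list layout are constructed for illustration; IPv6 entries are given as prefix lengths because Python's ipaddress module does not accept hexadecimal IPv6 netmasks.

```python
"""Trusted-host evaluation for administrator accounts.

Added example, not FortiOS code. It models the rules in "Using trusted
hosts": the unrestricted defaults are 0.0.0.0/0.0.0.0 (IPv4) and ::/0
(IPv6); once any entry is non-zero the zero entries are ignored; a single
host with netmask 255.255.255.255 pins an administrator to one IP; and one
unrestricted account leaves the unit answering admin logins from anywhere.
Account names and addresses below are constructed.
"""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def parse_trusted_host(entry):
    """'addr/netmask', 'addr/prefixlen' or a bare address (treated as one host)."""
    return ipaddress.ip_network(entry, strict=False)


def is_wildcard(net):
    return net == ANY_V4 or net == ANY_V6


def effective_trusted_hosts(entries):
    """The entries that actually apply: if any entry is non-zero, the zero
    entries are ignored; otherwise the account is unrestricted."""
    nets = [parse_trusted_host(e) for e in entries]
    restricted = [n for n in nets if not is_wildcard(n)]
    return restricted or nets


def admin_access_allowed(entries, source_ip):
    """May an administrator with these trusted hosts log in from source_ip via
    the web-based manager, Telnet or SSH? (Console access is not checked.)"""
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in effective_trusted_hosts(entries))


def unrestricted_accounts(admins):
    """Accounts whose effective trusted hosts still include a zero entry. One
    such account is enough for the unit to accept login attempts on every
    interface with administrative access enabled."""
    return [name for name, entries in admins.items()
            if any(is_wildcard(n) for n in effective_trusted_hosts(entries))]


# Constructed sample. 'netops' set two real entries and left the third at the
# default, so the default is ignored; 'helpdesk' was left fully at the defaults.
ADMINS = {
    "netops": ["10.0.1.0/255.255.255.0", "192.0.2.10/255.255.255.255", "0.0.0.0/0.0.0.0"],
    "backup": ["2001:db8:1::/64"],
    "helpdesk": ["0.0.0.0/0.0.0.0", "::/0"],
}

if __name__ == "__main__":
    print(admin_access_allowed(ADMINS["netops"], "10.0.1.25"))    # True
    print(admin_access_allowed(ADMINS["netops"], "203.0.113.7"))  # False
    print(unrestricted_accounts(ADMINS))                           # ['helpdesk']
```

Run `unrestricted_accounts` over an export of your administrator list before enabling administrative access on an Internet-facing interface; a single name in its output means trusted hosts are not protecting the unit at all.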

Admin profiles

Each administrator account belongs to an admin profile. The admin profile separates FortiGate features into access control categories, for each of which an administrator with read/write access can grant none (deny), read only, or read/write access. The following table lists the web-based manager pages to which each category provides access. Read-only access for a web-based manager page enables the administrator to view that page; however, the administrator needs write access to change the settings on the page.

Table 39: Admin profile control of access to Web-based manager pages
Admin Users: System > Admin > Administrators; System > Admin > Admin Profile
Antivirus Configuration: UTM > AntiVirus
Application Control: UTM > Application Control
Auth Users: User
Data Leak Prevention (DLP): UTM > Data Leak Prevention
Email Filter: UTM > Email Filter
Firewall Configuration: Firewall
FortiGuard Update: System > Maintenance > FortiGuard
IM, P2P & VoIP Configuration: IM, P2P & VoIP > Statistics; IM, P2P & VoIP > User > Current Users; IM, P2P & VoIP > User > User List; IM, P2P & VoIP > User > Config
IPS Configuration: UTM > Intrusion Protection
Log&Report: Log&Report
Maintenance: System > Maintenance
Network Configuration: System > Network > Interface; System > Network > Zone; System > Network > Web Proxy; System > DHCP
Router Configuration: Router
Spamfilter Configuration: UTM > AntiSpam
System Configuration: System > Status, including Session info; System > Config; System > Hostname; System > Network > Options; System > Admin > Central Management; System > Admin > Settings; System > Status > System Time; Wireless Controller
VPN Configuration: VPN
Webfilter Configuration: UTM > Web Filter

You can expand the firewall configuration access control to enable more granular control of access to the firewall functionality. You can control administrator access to policy, address, service, schedule, profile, and other virtual IP (VIP) configurations separately.
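The access rules above, as an added example that is not part of the original guide or of FortiOS: a Python model of admin profile decisions for web-based manager pages (Table 39, with the separate firewall permissions for policy, address, service, schedule, profile and others) and for CLI commands (Table 40 below, including the rule stated there that get and show need Read Only while config needs Read-Write, and the note that only super_admin reaches global settings when VDOMs are enabled). The profile names, the page and command tables (subsets of the two tables) and the assumption that execute commands need Read-Write are constructed for this example.

```python
"""Admin profile access decisions, modelled on Tables 39 and 40.

Added example, not FortiOS code. Profile names, the page and command tables
(subsets of Tables 39 and 40, with firewall sub-permissions for the fwgrp
custom case) and the assumption that "execute" commands need Read-Write
are constructed for this example.
"""
NONE, READ, READ_WRITE = "none", "read", "read-write"
RANK = {NONE: 0, READ: 1, READ_WRITE: 2}

# Web-based manager page -> category, or (fwgrp, sub-permission).
PAGES = {
    "System > Admin > Administrators": "admingrp",
    "System > Admin > Admin Profile": "admingrp",
    "UTM > AntiVirus": "avgrp",
    "Firewall > Policy": ("fwgrp", "policy"),
    "Firewall > Address": ("fwgrp", "address"),
    "Firewall > Virtual IP": ("fwgrp", "others"),
    "System > Network > Interface": "netgrp",
    "System > Admin > Settings": "sysgrp",
}

# CLI prefix -> category. The longest matching prefix wins, so
# "system admin" is admingrp even though "system" alone is sysgrp.
# execute prefixes keep their verb; config/get/show prefixes omit it.
CLI_PREFIXES = {
    ("system", "admin"): "admingrp",
    ("system", "accprofile"): "admingrp",
    ("system", "interface"): "netgrp",
    ("system", "zone"): "netgrp",
    ("system",): "sysgrp",
    ("antivirus",): "avgrp",
    ("user",): "authgrp",
    ("firewall", "policy"): ("fwgrp", "policy"),
    ("firewall", "address"): ("fwgrp", "address"),
    ("firewall",): ("fwgrp", "others"),
    ("router",): "routegrp",
    ("vpn",): "vpngrp",
    ("log",): "loggrp",
    ("execute", "backup"): "mntgrp",
    ("execute", "reboot"): "sysgrp",
    ("execute", "ping"): "sysgrp",
}
REQUIRED = {"get": READ, "show": READ, "config": READ_WRITE, "execute": READ_WRITE}


def make_profile(name, **levels):
    """Categories not listed are NONE. fwgrp may be a dict of sub-permissions,
    which corresponds to 'set fwgrp custom' plus 'config fwgrppermission'."""
    return {"name": name, "levels": levels}


def level_for(profile, category):
    levels = profile["levels"]
    if isinstance(category, tuple):           # (fwgrp, sub-permission)
        fw = levels.get(category[0], NONE)
        return fw.get(category[1], NONE) if isinstance(fw, dict) else fw
    return levels.get(category, NONE)


def categorize_cli(command):
    """Return (verb, category) for a CLI command, or (verb, None) if unknown."""
    tokens = command.split()
    verb = tokens[0]
    if verb not in REQUIRED:
        raise ValueError("unknown CLI verb: " + verb)
    key = tokens if verb == "execute" else tokens[1:]
    matches = [p for p in CLI_PREFIXES if tuple(key[: len(p)]) == p]
    return verb, (CLI_PREFIXES[max(matches, key=len)] if matches else None)


def cli_allowed(profile, command, vdom_enabled=False, global_scope=False):
    """get/show need Read Only, config (and, here, execute) need Read-Write.
    With VDOMs enabled only super_admin reaches global settings."""
    if profile["name"] == "super_admin":
        return True
    if vdom_enabled and global_scope:
        return False
    verb, category = categorize_cli(command)
    if category is None:
        return False
    return RANK[level_for(profile, category)] >= RANK[REQUIRED[verb]]


def page_allowed(profile, page, write=False):
    """Read-only lets the administrator view the page; changing it needs Read-Write."""
    need = READ_WRITE if write else READ
    return RANK[level_for(profile, PAGES[page])] >= RANK[need]


# Constructed profile: views most things, edits only firewall policies and addresses.
FW_OPERATOR = make_profile(
    "fw_operator",
    sysgrp=READ, netgrp=READ, loggrp=READ,
    fwgrp={"policy": READ_WRITE, "address": READ_WRITE, "service": READ,
           "schedule": READ, "profile": READ, "others": NONE},
)

if __name__ == "__main__":
    for cmd in ("config firewall policy", "config firewall vip",
                "show system interface", "config system interface", "execute reboot"):
        print(f"{cmd:28} {cli_allowed(FW_OPERATOR, cmd)}")
```

The point of the longest-prefix lookup is that the System Configuration category deliberately excludes the admingrp, loggrp and netgrp commands, so a profile that is Read-Write for System Configuration still cannot run `config system admin`; the model reproduces that exclusion rather than treating everything under `system` as sysgrp.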

Note: When Virtual Domain Configuration is enabled (see “Settings” on page 178), only the administrators with the admin profile super_admin have access to global settings. Other administrator accounts are assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which settings are global, see “VDOM configuration settings” on page 80.

The admin profile has a similar effect on administrator access to CLI commands. You can access “get” and “show” commands with Read Only access. Access to “config” commands requires Read-Write access. The following table shows which command types are available in each Access Control category. For more information, see the FortiGate CLI Reference.

Table 40: Admin profile control of access to CLI commands
Admin Users (admingrp): system admin; system accprofile
Antivirus Configuration (avgrp): antivirus
Application Control: application
Auth Users (authgrp): user
Data Leak Prevention (DLP): dlp
Email Filter: spamfilter
Firewall Configuration (fwgrp): firewall. Use the set fwgrp custom and config fwgrppermission commands to set some firewall permissions individually.
FortiGuard Update (updategrp): system autoupdate; execute update-av; execute update-ips; execute update-now
IPS Configuration (ipsgrp): ips
Log & Report (loggrp): system alertemail; log; system fortianalyzer; execute log; execute formatlogdisk
Maintenance (mntgrp): execute restore; execute backup; execute batch; execute usb-disk
Network Configuration (netgrp): system arp-table; system dhcp; system interface; system zone; execute dhcp lease-clear; execute dhcp lease-list; execute clear system arp table; execute interface
Router Configuration (routegrp): router; execute router; execute mrouter
Spamfilter Configuration (spamgrp): spamfilter
System Configuration (sysgrp): system (except admingrp, loggrp, and netgrp commands); gui; wireless-controller; execute cfg; execute cli; execute date; execute disconnect-admin-session; execute enter; execute factoryreset; execute fortiguard-log; execute ha; execute ping; execute ping-options; execute ping6; execute ping6-options; execute reboot; execute send-fds-statistics; execute set-next-reboot; execute shutdown; execute ssh; execute telnet; execute time; execute traceroute; execute usb-disk
VPN Configuration (vpngrp): vpn; execute vpn
Webfilter Configuration (webgrp): webfilter

Viewing the admin profiles list

You need to use the admin account or an account with Admin Users read/write access to create or edit admin profiles. Because Admin Users read/write access allows an administrator to create or modify other administrators and their profiles, treat that category as equivalent to full administrative control and grant it sparingly. To add admin profiles for FortiGate administrators, go to System > Admin > Admin Profile.

Each administrator account belongs to an admin profile. An administrator with read/write access can create admin profiles that deny access to, allow read-only, or allow both read and write access to FortiGate features. When an administrator has read-only access to a feature, the administrator can access the web-based manager page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons, and lists display only the View icon instead of icons for Edit, Delete or other modification commands. You can edit an existing admin profile, either a default admin profile or one that you created.

To view the admin profiles list, go to System > Admin > Admin Profile.

Admin Profile page
Lists all administration profiles that you created as well as the default admin profiles. On this page, you can edit, delete or create a new admin profile.
Create New: Add a new admin profile. When you select Create New, you are automatically redirected to the New Admin Profile page.

Profile Name: The name of the admin profile.
Delete: Select to delete the admin profile. You cannot delete an admin profile that has administrators assigned to it.
Edit: Select to modify the admin profile. When you select Edit, you are automatically redirected to the Edit Admin Profile page.

Configuring an admin profile

You need to use the admin account or an account with Admin Users read/write access to edit an admin profile. When you are editing an existing admin profile, you are automatically redirected to the Edit Admin Profile page.

To configure an admin profile
1 Go to System > Admin > Admin Profile.
2 Select Create New or select the Edit icon beside an existing profile.
3 Enter or select the profile options you want, and then select OK.

New Admin Profile page
Provides settings for configuring an administration profile.
Profile Name: Enter the name of the admin profile.
Access Control: Select one level for all categories, or make selections per category:
  None: Deny access to all Access Control categories.
  Read Only: Enable Read access in all Access Control categories.
  Read-Write: Select to allow read/write access in all Access Control categories.
  Access Control (categories): List of the items that can customize access control settings if configured. Make specific control selections as required. For detailed information about the Access Control categories, see “Admin profiles” on page 173.

Central Management

The Central Management tab provides the option of remotely managing your FortiGate unit by either a FortiManager unit or the FortiGuard Analysis and Management Service. From System > Admin > Central Management, you can configure your FortiGate unit to back up or restore configuration settings automatically to the specified central management server. The central management server is the type of service you enable, either a FortiManager unit or the FortiGuard Analysis and Management Service. If you have a subscription for FortiGuard Analysis and Management Service, you can also remotely upgrade the firmware on the FortiGate unit.

When configuring central management settings, you can also specify the source IP address of the self-originated traffic; however, this setting is available only in the CLI (set fmgsource-ip).

When you are configuring your FortiGate unit to connect to and communicate with a FortiManager unit, the steps you must take depend on which of two deployment scenarios applies.

• FortiGate is directly reachable from FortiManager:
  • In the FortiManager GUI, add the FortiGate unit to the FortiManager database in the Device Manager module
  • Change the FortiManager IP address
  • Change the FortiGate IP address
• FortiGate behind NAT:
  • In System > Admin > Central Management, choose FortiManager
  • Add the FortiManager unit to the Trusted FortiManager List, if applicable
  • Change the FortiManager IP address
  • Change the FortiGate IP address
  • Contact the FortiManager administrator to verify that the FortiGate unit displays in the Device list in the Device Manager module

Central Management page
Provides the settings for configuring central management options.
Enable Central Management: Enables the Central Management feature on the FortiGate unit.
Type: Select the type of central management for this FortiGate unit. You can select FortiManager or the FortiGuard Management Service.
FortiManager: Select to use FortiManager as the central management service for the FortiGate unit. Enter the IP address or name of the FortiManager unit in the IP/Name field. Select Register to include the FortiManager unit in the Trusted FortiManager List. If your organization is operating a FortiManager cluster, add the IP address or name of the primary FortiManager unit to the IP/Name field and add the IP address or name of the backup FortiManager units to the Trusted FortiManager list. Status indicates whether or not the FortiGate unit can communicate with the FortiManager unit added to the IP/Name field. A green arrow-up indicates that there is a connection. A red arrow-down indicates that there is no connection enabled. A yellow caution symbol appears when your FortiGate unit is considered an unregistered device by the FortiManager unit.
FortiGuard Management Service: Select to use the FortiGuard Management Service as the central management service for the FortiGate unit. Enter the Account ID in the Account ID field. If you do not have an account ID, register for the FortiGuard Management Service on the FortiGuard Management Service website. Under Analysis & Management Service Options, enter the account ID in the Account ID field. Select Change to go directly to System > Maintenance > FortiGuard, where you can also enable or disable the service on the FortiGate unit.
Configuration revision: The Configuration Revision menu, located in System > Maintenance > Configuration Revision, displays a list of the backed up configuration files. Revision control requires either a configured central management server or the local hard drive. The central management server can be either a FortiManager unit or the FortiGuard Analysis & Management Service. For more information, see “Configuration Revision” on page 196.

fortinet. TCP port to be used for administrative telnet access.com/ • Feedback ... Set the minimum acceptable length for passwords. Timeout Settings 178 FortiGate Version 4. . Upper Case Letters — A. 3. 1. The policy applies only to new preshared keys. require that administrator to change the password at the next login. . 9 Non-alphanumeric Letters — punctuation marks. C. (Optional) Apply Password Policy to Admin Password Require administrators to change password after a specified number Expires after n days of days. The default is 443. 2. go to System > Admin > Settings. 7 8. % Select where to apply the password policy: Admin Password — Apply to administrator passwords.. B. IPSEC Preshared Key — Apply to preshared keys for IPSec VPNs.. Select any of the following special character types to require in a password. The default is 23. enter or select the following and select OK. such as enabling IPv6 on the web-based manager. Z Lower Case Letters — a.#. z Numerical digits — 0. The default is 22.Settings System Admin Settings The Settings tab includes the following features that you can configure: • • • • • • • • ports for HTTP/HTTPS administrative access and SSL VPN login password policy for administrators and IPsec pre-shared keys the idle timeout setting settings for the language of the web-based manager and the number of lines displayed in generated reports PIN protection for LCD and control buttons (LCD-equipped models only) SCP capability for users logged in via SSH Wireless controller capability IPv6 support on the web based manager. Each selected type must occur at least once in the password. TCP port to be used for administrative SSH access.. You are not required to change existing preshared keys. Specify 0 to remove required periodic password changes. Web Administration Ports HTTP HTTPS SSLVPN Login Port Telnet Port SSH Port Enable SSH v1 compatibility Password Policy Enable Minimum Length Must contain Select to enable the password policy. 
To configure settings. b. Administrators Settings page Provides settings for configuring different system options. 6. TCP port to be used for administrative HTTPS access. . TCP port to be used for administrative HTTP access. If any password does not conform to the policy.0 MR2 Administration Guide 01-420-89802-20100507 http://docs.. The default port number is 10443. Enable compatibility with SSH v1 in addition to v2. @. The default is 80. 5. 4. c. An alternative HTTPS port number for remote client web browsers to connect to the FortiGate unit.

Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique.

Idle Timeout: The number of minutes an administrative connection must be idle before the administrator has to log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.

Display Settings
Language: The language the web-based manager uses. Choose from English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese or French. You should select the language that the operating system of the management computer uses.
Lines per Page: Number of lines per page to display in table lists. The range is 20 to 1000. The default is 50.
IPv6 Support on GUI: Enable to configure IPv6 options from the GUI (firewall policy, route, address and address group). By default, these options can be configured from the CLI only. For more information on IPv6, see the sections that include IPv6-related fields, or see “FortiGate IPv6 support” on page 180.

LCD Panel (LCD-equipped models only)
PIN Protection: Select and enter a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD. This is available only if your admin profile gives you System Configuration write permission.

Enable SCP: Enable users logged in through SSH to use Secure Copy (SCP) to copy the configuration file. This is available only if your admin profile gives you System Configuration write access.

Enable Wireless Controller: Enable the Wireless Controller feature. You can then access the Wireless Controller menu in the web-based manager and the corresponding CLI commands. For more information, see “Wireless Controller” on page 411.

Monitoring administrators

To see the number of logged-in administrators, go to System > Dashboard > Status. Under System Information, you will see Current Administrators. Select Details to view information about the administrators currently logged in to the FortiGate unit. You can disconnect administrators from this page as well as refresh the information on the page.

Current Administrators information page (System Information widget)
Lists the administrators that are currently logged into the web-based manager and CLI.
User Name: The administrator account name.
Type: The type of access: http, https, jsconsole, sshv2, or telnet.
From: The administrator’s IP address. If Type is jsconsole, the value in From is N/A.
Time: The date and time the administrator logged on.
Disconnect: Select to disconnect the selected administrators. Select an administrator session, then select Disconnect to log off this administrator. You cannot log off the default “admin” user.
Refresh: Select to update the list.
Close: Select to close the window.
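The two rules stated on the Settings page that are easy to get wrong, as an added example that is not part of the original guide or of FortiOS: administrative port numbers must be unique (the Note above), and an enabled password policy (minimum length, required character classes, expiry after n days with 0 meaning never) forces any non-conforming administrator to change their password at next login. The Python below checks a proposed set of port numbers and a set of administrator passwords against such a policy before it is applied. The settings layout, account names, passwords and dates are constructed for the example.

```python
"""Checks for the rules stated on the Administrators Settings page.

Added example, not FortiOS code: it verifies that the administrative ports
are unique and that passwords satisfy an enabled password policy (minimum
length, required character classes, expiry in days with 0 meaning never).
The settings layout, account names and passwords below are constructed.
"""
from datetime import date, timedelta
import string

DEFAULT_PORTS = {"http": 80, "https": 443, "sslvpn": 10443, "telnet": 23, "ssh": 22}

# "Must contain" character classes from the Password Policy settings.
CLASSES = {
    "upper-case-letter": set(string.ascii_uppercase),
    "lower-case-letter": set(string.ascii_lowercase),
    "number": set(string.digits),
    "non-alphanumeric": set(string.punctuation),
}


def duplicate_ports(ports):
    """Port numbers assigned to more than one service, e.g. HTTPS moved to
    10443 while the SSL VPN login port is still 10443."""
    users = {}
    for service, port in ports.items():
        users.setdefault(port, []).append(service)
    return {port: names for port, names in users.items() if len(names) > 1}


def policy_violations(password, minimum_length, must_contain):
    """Reasons a password fails the policy; an empty list means it conforms.
    Each selected class must occur at least once."""
    problems = []
    if len(password) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    chars = set(password)
    problems += [f"no {cls}" for cls in must_contain if not chars & CLASSES[cls]]
    return problems


def change_required(last_changed, expire_days, today):
    """Expires after n days: 0 disables periodic changes."""
    return expire_days != 0 and today - last_changed >= timedelta(days=expire_days)


def audit(ports, minimum_length, must_contain, expire_days, admins, today):
    """admins: {name: (password, date last changed)}. Returns findings keyed by
    'ports' or administrator name; administrators listed would be forced to
    change their password at next login once the policy is applied."""
    findings = {}
    dups = duplicate_ports(ports)
    if dups:
        findings["ports"] = dups
    for name, (password, changed) in admins.items():
        problems = policy_violations(password, minimum_length, must_contain)
        if change_required(changed, expire_days, today):
            problems.append("expired")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: HTTPS was moved onto the SSL VPN port, and two of
# three administrators would not pass an 8-character, all-classes policy.
SAMPLE_PORTS = dict(DEFAULT_PORTS, https=10443)
SAMPLE_ADMINS = {
    "admin": ("Fg-2010-mgmt!", date(2010, 4, 1)),
    "netops": ("fortigate", date(2009, 11, 15)),
    "auditor": ("R3ad0nly#", date(2009, 12, 1)),
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PORTS, 8, list(CLASSES), 90,
                            SAMPLE_ADMINS, date(2010, 5, 7)).items():
        print(key, value)
```

The same `policy_violations` check applies to new IPsec preshared keys when the policy is applied to them; existing keys are not re-checked, which is why the audit only covers administrator passwords.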

FortiGate IPv6 support

IPv6 is version 6 of the Internet Protocol, part of the TCP/IP protocol suite. It can provide billions more unique IP addresses than the previous standard, IPv4. The Internet is currently in transition from IPv4 to IPv6 addressing. IP version 6 (IPv6) is defined in RFC 2460, published in 1998. IP version 6 was designed mainly to provide more addresses, but also to improve slightly on IP version 4 (IPv4).

IP version 6 address

While 32 bits of addresses, or about 4.3 billion addresses, seems like a lot, they have been used up quickly. Between servers and routers that provide the backbone communications of the Internet, and large companies and governments with thousands of computers, large portions of the IP address space were either reserved or used up.

IPv6 hosts and routers maintain interoperability with the existing IPv4 infrastructure in two ways:
• implementing dual IP layers to support both IPv6 and IPv4
• using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers.

FortiGate units are dual IP layer IPv6/IPv4 nodes. They support IPv6 over IPv4 tunneling as well as IPv6 routing, firewall policies and IPsec VPN, and they support IPv6 in both NAT/Route and Transparent operation modes. For more information, see the FortiGate Fundamentals chapter of the FortiOS Handbook.

Configuring IPv6 on FortiGate units

Many parts of the FortiGate configuration support IPv6 addressing. You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit; the interface then functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets.

Before you can work with IPv6 on the web-based manager, you must enable IPv6 support. To enable IPv6 support, go to System > Admin > Settings, then under Display Settings, select IPv6 Support on GUI. After you enable IPv6 support in the web-based manager, you can configure the IPv6 options using the web-based manager or the CLI. Note that some IPv6 configuration is only available in the CLI. For more information on configuring IPv6 support using the CLI, see the FortiGate CLI Reference.

Once IPv6 support is enabled, you can:
• configure IPv6 interfaces (see System Network)
• configure IPv6 DNS services (see System Network)
• configure IPv6 administrative access (see System Admin)
• create IPv6 static routes (see Router Static)
• monitor IPv6 routes (see Router Monitor)
• create IPv6 firewall addresses (see Address)
• create IPv6 firewall address groups (see Address)
• create IPv6 firewall policies such as DoS (see Policy)
• perform antivirus scanning on IPv6 traffic
• perform website filtering on IPv6 traffic
• create VPNs that use IPv6 addressing (see IPsec VPN)

Enabling IPv6 administrative access on an interface exposes the administrative services over a second address family; apply the same trusted-host restrictions to the IPv6 entries (which default to ::/0) as you do to the IPv4 ones.

With four bytes of addresses there are a total of 2^32, about 4.3 billion, addresses. IPv6 addresses are 16 bytes (128 bits) long, and there is no prospect of ever running out. This very large address space also allows for more logical organization of addresses, which in turn promotes more efficient network management and routing.

IPv6 Address notation

The IPv6 addressing standard is specified in detail in RFC 3513. The following is a quick overview. IPv6 addresses are normally written as eight groups of 4 hexadecimal digits each; hexadecimal notation replaces the dotted decimal notation of IPv4. For example, 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234 is a valid IPv6 address.

If a 4-digit group is 0000, it may be omitted. For example, 3f2e:6a8b:78a3:0000:1725:6a2f:0370:6234 is the same IPv6 address as 3f2e:6a8b:78a3::1725:6a2f:0370:6234. You can use the “::” notation to indicate multiple consecutive omitted zero groups. There must not be more than one use of “::” in an address, as this would be ambiguous. Also, you can omit leading zeros in a group. Thus
19a4:0478:0000:0000:0000:0000:1a57:ac9e
19a4:0478:0000:0000:0000::1a57:ac9e
19a4:478:0:0:0:0:1a57:ac9e
19a4:478:0::0:1a57:ac9e
19a4:478::1a57:ac9e
are all valid and are the same address.

For IPv4-compatible or IPv4-mapped IPv6 addresses, you can enter the IPv4 portion using either hexadecimal or dotted decimal, but the FortiGate CLI always shows the IPv4 portion in dotted decimal format. For all other IPv6 addresses, the CLI accepts and displays only hexadecimal.

IPv6 Netmasks

As with IP addresses, hexadecimal notation replaces the dotted decimal notation of IPv4 for netmasks. CIDR notation can also be used. This notation appends a slash (“/”) to the IP address, followed by the number of bits in the network portion of the address.

Table 41: IPv6 netmasks
IP Address: 3ffe:ffff:1011:f101:0210:a4ff:fee3:9566
Netmask: ffff:ffff:ffff:ffff:0000:0000:0000:0000
Network: 3ffe:ffff:1011:f101:0000:0000:0000:0000
CIDR IP/Netmask: 3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/64

IPv6 address types

There are more types of IPv6 addresses than IPv4 addresses. The types are identifiable by their prefix values.

Table 42: IPv6 address types
Unspecified: ::/128. Equivalent to 0.0.0.0 in IPv4.
Loopback: ::1/128. Equivalent to 127.0.0.1 in IPv4.
IPv4-compatible: ::/96. The lowest 32 bits can be in IPv6 hexadecimal or IPv4 dotted decimal format.
IPv4-mapped: ::ffff:0:0/96. The lowest 32 bits can be in IPv6 hexadecimal or IPv4 dotted decimal format.
Multicast: ff00::/8.
Anycast: Taken from the unicast address space, so there is no separate prefix. Multiple servers can have the same address, with routing used to balance the traffic load. Unlike IPv4, IPv6 anycast addresses are indistinguishable from other unicast addresses.
Link-local: fe80::/10. Link-local addresses are used for addressing on a single link for automatic address configuration, neighbor discovery, or when no routers are present. Routers must not forward packets with link-local source or destination addresses.
Site-local: fec0::/10. Site-local addresses are used for addressing inside of a site without needing a global prefix. Routers must not forward packets with site-local source or destination addresses outside of the site.
Global: All others.

IPv4 addresses in IPv6 format

There are two ways that IPv4 addresses are represented in IPv6 format. IPv4-compatible addresses are used for hosts and routers to dynamically tunnel IPv6 packets over IPv4 routing infrastructure. IPv4-mapped addresses are used to represent nodes that do not support IPv6. You can distinguish them by the 16 bits that precede the IPv4 portion of the address:

Table 43: Examples of IPv4-compatible and IPv4-mapped IPv6 addresses
IPv4-compatible IPv6 address: 0000:0000:0000:0000:0000:0000:874B:2B34, also written ::874B:2B34 or ::135.75.43.52
IPv4-mapped IPv6 address: 0000:0000:0000:0000:0000:FFFF:874B:2B34, also written ::FFFF:874B:2B34 or ::FFFF:135.75.43.52

Transition from IPv4 to IPv6

The Internet is in transition from IPv4 to IPv6 addressing. IPv6 hosts and routers maintain interoperability with the existing IPv4 infrastructure in two ways:
• implementing dual IP layers to support both IPv6 and IPv4
• using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers to carry them over IPv4 infrastructure

FortiGate units are dual IP layer IPv6/IPv4 nodes; they support both IPv4 and IPv6. FortiGate units also support IPv6 over IPv4 tunneling.

IPv6 tunneling

Networks using IPv6 addressing can be linked through IPv4-addressed infrastructure using several tunneling techniques:

Table 44: Tunneling techniques
IPv6-over-IPv4: Encapsulates IPv6 packets within IPv4 so that they can be carried across IPv4 routing infrastructures.
Configured: The IPv4 tunnel endpoint address is determined by configuration information on the encapsulating node.
Automatic: The IPv4 tunnel endpoint address is determined from the IPv4 address embedded in the IPv4-compatible destination address of the IPv6 packet being tunneled.
IPv4 multicast: The IPv4 tunnel endpoint address is determined using Neighbor Discovery. No address configuration is required, but the IPv4 infrastructure must support IPv4 multicast.

FortiGate units support IPv6-over-IPv4 tunneling.
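The notation, netmask, address-type and automatic-tunnel rules of the preceding sections, as an added example that is not part of the original guide or of FortiOS. The Python below implements the text rules for expanding and compressing addresses (so results can be compared with Python's ipaddress module), converts a hexadecimal netmask to a CIDR prefix length as in Table 41, classifies an address by the Table 42 prefixes, and recovers the IPv4 tunnel endpoint embedded in an IPv4-compatible destination as in the Automatic row of Table 44. The function names and the sample addresses not taken from the tables are constructed for the example.

```python
"""IPv6 notation helpers for the address, netmask, address-type and
automatic-tunnel rules described in this chapter.

Added example, not FortiOS code. expand/compress implement the text rules
(eight groups of four hex digits, leading zeros optional, at most one "::",
optional dotted-decimal IPv4 tail); netmask_to_prefixlen converts a hex
netmask to CIDR; classify uses the Table 42 prefixes; and
automatic_tunnel_endpoint recovers the IPv4 endpoint embedded in an
IPv4-compatible destination, as in the Automatic row of Table 44.
"""
import ipaddress
import re


def expand(addr):
    """Eight 4-digit groups, or ValueError for an invalid address."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: " + addr)
    head, _, tail = addr.rpartition(":")
    if "." in tail:                      # dotted-decimal IPv4 tail -> two groups
        o = [int(x) for x in tail.split(".")]
        if len(o) != 4 or not all(0 <= b <= 255 for b in o):
            raise ValueError("bad IPv4 tail: " + tail)
        addr = f"{head}:{o[0] << 8 | o[1]:x}:{o[2] << 8 | o[3]:x}"
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        if len(lg) + len(rg) > 7:
            raise ValueError("'::' must replace at least one group: " + addr)
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-fA-F]{1,4}", g) for g in groups):
        raise ValueError("not an IPv6 address: " + addr)
    return ":".join(f"{int(g, 16):04x}" for g in groups)


def compress(addr):
    """Shortest form: leading zeros dropped, longest run (first on a tie) of
    two or more zero groups replaced by '::'."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best, best_len, i = -1, 1, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best, best_len = i, j - i
        i = max(j, i + 1)
    if best < 0:
        return ":".join(groups)
    return ":".join(groups[:best]) + "::" + ":".join(groups[best + best_len:])


def netmask_to_prefixlen(mask):
    """Leading one bits of a hexadecimal netmask; non-contiguous masks are rejected."""
    bits = int(expand(mask).replace(":", ""), 16)
    ones = 0
    while bits & (1 << 127):
        ones, bits = ones + 1, (bits << 1) & ((1 << 128) - 1)
    if bits:
        raise ValueError("netmask is not contiguous: " + mask)
    return ones


def network(addr, mask):
    """Network portion of addr under a hexadecimal netmask, in CIDR notation (Table 41)."""
    plen = netmask_to_prefixlen(mask)
    net = ipaddress.IPv6Network((expand(addr), plen), strict=False)
    return f"{net.network_address.exploded}/{plen}"


ADDRESS_TYPES = [  # Table 42, most specific first
    ("unspecified", "::/128"), ("loopback", "::1/128"),
    ("ipv4-compatible", "::/96"), ("ipv4-mapped", "::ffff:0:0/96"),
    ("multicast", "ff00::/8"), ("link-local", "fe80::/10"), ("site-local", "fec0::/10"),
]


def classify(addr):
    """Address type by prefix. Anycast addresses are indistinguishable from
    unicast by prefix, so everything outside Table 42's prefixes is 'global'."""
    ip = ipaddress.IPv6Address(expand(addr))
    for name, prefix in ADDRESS_TYPES:
        if ip in ipaddress.IPv6Network(prefix):
            return name
    return "global"


def embedded_ipv4(addr):
    """Low 32 bits as dotted decimal, the way the CLI shows the IPv4 portion of
    IPv4-compatible and IPv4-mapped addresses."""
    return str(ipaddress.IPv4Address(int(expand(addr).replace(":", ""), 16) & 0xFFFFFFFF))


def automatic_tunnel_endpoint(ipv6_dst):
    """IPv4 tunnel endpoint for automatic IPv6-over-IPv4 tunneling, or None when
    the destination is not IPv4-compatible (configured tunneling is needed then)."""
    return embedded_ipv4(ipv6_dst) if classify(ipv6_dst) == "ipv4-compatible" else None


if __name__ == "__main__":
    print(compress("19a4:0478:0000:0000:0000:0000:1a57:ac9e"))   # 19a4:478::1a57:ac9e
    print(network("3ffe:ffff:1011:f101:0210:a4ff:fee3:9566", "ffff:ffff:ffff:ffff::"))
    print(classify("::ffff:135.75.43.52"), embedded_ipv4("::FFFF:874B:2B34"))
    print(automatic_tunnel_endpoint("::135.75.43.52"))           # 135.75.43.52
```

`compress` follows the shortest-form convention (a single zero group is written `0`, not `::`), so it will not reproduce the single-group `::` spelling shown in the notation section; both spellings expand to the same address, which is the property worth checking when comparing addresses from different sources.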


System Certificates

This section explains how to manage X.509 security certificates using the FortiGate web-based manager. Certificate authentication allows administrators to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys. If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are configured globally for the entire FortiGate unit. For more information, see “Using virtual domains” on page 79.

Authentication is the process of determining if a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate by obtaining a certificate from a certification authority (CA). The FortiGate unit can then use certificate authentication to reject or allow administrative access via HTTPS, and to authenticate IPSec VPN peers or clients, as well as SSL VPN user groups or clients. For additional background information on certificates, see the FortiGate Certificate Management User Guide.

There are several certificates on the FortiGate unit that have been automatically generated. System administrators can use these certificates wherever they may be required, for example with SSL VPN, IPSec, LDAP, and PKI, or for a FortiGate/FortiManager tunnel or an SSL connection to a FortiGuard server.

Table 45: Automatically generated FortiGate certificates
Fortinet_Firmware: Embedded inside the firmware. Same on all FortiGate units. Signed by Fortinet_CA. Used so that FortiGate units without Fortinet_Factory2 certificates have a built-in certificate signed by a Fortinet CA. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local.
Fortinet_Factory: Embedded inside BIOS. Unique to each FortiGate unit. Signed by Fortinet_CA. Used for the FortiGate/FortiManager tunnel, and for HTTPS administrative access if Fortinet_Factory2 is not available. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local.
Fortinet_Factory2: Embedded inside BIOS. Unique to each FortiGate unit. Signed by Fortinet_CA2. Found only on units shipped at the end of 2008 onward. Used for the FortiGate/FortiManager tunnel and HTTPS administrative access. Listed under Certificates > Local, or in the FortiGate CLI under vpn certificate local.
Fortinet_CA: Fortinet’s CA certificate. Embedded inside firmware and BIOS. Used to verify certificates that claim to be signed by Fortinet. Listed under Certificates > CA, or in the FortiGate CLI under vpn certificate ca or vpn certificate ocsp.
Fortinet_CA2: Fortinet’s CA certificate. Embedded inside BIOS. Found only on units shipped at the end of 2008 onward. Will eventually replace Fortinet_CA, as Fortinet_CA will expire in 2020. Listed under Certificates > CA, or in the FortiGate CLI under vpn certificate ca or vpn certificate ocsp.

Because Fortinet_Firmware is identical on every unit running the firmware, its private key is shared by all of them; for administrative HTTPS, prefer the per-unit Fortinet_Factory2 certificate or, better, a certificate issued by your own CA so that browsers can verify the unit they are talking to.

The following topics are included in this section:
• Local Certificates
• Remote Certificates
• CA Certificates
• CRL

Note: SSL sessions that use client certificates can now bypass SSL inspection. For this to work properly, an SSL server should be set up that requires client-side certificates. These certificates are then uploaded to the client, which makes its connection through the FortiGate unit with the SSL inspection feature enabled. Traffic on a bypassed session is not inspected, so treat such servers as a deliberate exception to your SSL inspection policy.

Local Certificates

Certificate requests and installed server certificates are displayed in the Local Certificates list. After you submit a request to a CA, the CA verifies the information and registers it on a digital certificate that contains a serial number, an expiration date, and the public key from your request. The CA then signs the certificate and sends it to you to install on the FortiGate unit.

To view certificate requests and/or import signed server certificates, go to System > Certificates > Local Certificates. You can also generate certificate requests from this page.

Local certificates can update automatically online prior to expiry (SCEP-based certificates only). This must be configured in the CLI. See the vpn certificate local command in the FortiGate CLI Reference.

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Local Certificates page
Lists the default local certificates as well as the certificates that you have imported.

Generate: Generate a local certificate request. For more information, see "Generating a certificate request" on page 189.
Import: Import a signed local certificate. For more information, see "Importing a signed server certificate" on page 190.
Name: The names of existing local certificates and pending certificate requests.
Subject: The Distinguished Names (DNs) of local signed certificates.
Comments: A description of the certificate.
Status: The status of the local certificate. PENDING designates a certificate request that needs to be downloaded and signed.
View Certificate Detail: Display certificate details such as the certificate name, issuer, subject, and valid certificate dates. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
Delete: Delete the selected certificate request or installed server certificate from the FortiGate configuration.
Download: Save a copy of the certificate request to a local computer. You can send the request to your CA to obtain a signed server certificate for the FortiGate unit. This is available only if the certificate has PENDING status.
Edit Comments: Select to edit the description of a certificate.

Generating a certificate request

The FortiGate unit generates a certificate request based on the information you enter to identify the FortiGate unit. After you generate a certificate request, you can download the request to a computer that has management access to the FortiGate unit and then forward the request to a CA. Generated requests are displayed in the Local Certificates list with a status of PENDING. To download and send the certificate request to a CA, see "Downloading and submitting a certificate request" on page 190.

To fill out a certificate request, go to System > Certificates > Local Certificates, select Generate, and complete the fields in the table below.

Generate Certificate Signing Request page
Provides settings for configuring a certificate.

Certification Name: Enter a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.
Subject Information: Enter the information needed to identify the FortiGate unit. This certificate will be associated with the FortiGate unit. Select one of the following methods:
Host IP: If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead.
Domain Name: If the FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit. If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names. If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an "unable to verify certificate" message may be displayed in the user's browser whenever the public IP address of the FortiGate unit changes.
E-Mail: If you select E-mail, enter the email address of the owner of the FortiGate unit.
Optional Information: Complete as described or leave blank.
Organization Unit: Enter the name of your department or departments. You can enter a maximum of 5 Organization Units. To add or remove a unit, use the plus (+) or minus (-) icon.
Organization: Enter the legal name of your company or organization.
Locality (City): Enter the name of the city or town where the FortiGate unit is installed.
State/Province: Enter the name of the state or province where the FortiGate unit is installed.
Country: Select the country where the FortiGate unit is installed.
e-mail: Enter the contact email address.
Key Type: Only RSA is supported.
Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security. Choose 2048 Bit unless a peer cannot handle it; 1024-bit RSA keys are no longer considered adequate.
Enrollment Method: Select one of the following:
File Based: Select to generate the certificate request for manual submission to a CA.
Online SCEP: Select to obtain a signed SCEP-based certificate automatically over the network. CA Server URL: Enter the URL of the SCEP server from which to retrieve the CA certificate. Challenge Password: Enter the CA server challenge password.

Downloading and submitting a certificate request

You have to fill out a certificate request and generate the request before you can submit the results to a CA. For more information, see "Generating a certificate request" on page 189.

To download and submit a certificate request
1 Go to System > Certificates > Local Certificates.
2 In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request.
3 In the File Download dialog box, select Save to Disk.
4 Name the file and save it to the local file system.
5 Submit the request to your CA as follows:
• Using the web browser on the management computer, browse to the CA web site.
• Follow the CA instructions to place a base-64 encoded PKCS#10 certificate request and upload your certificate request.
• Follow the CA instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client (refer to the browser documentation).
6 When you receive the signed certificate from the CA, install the certificate on the FortiGate unit. See "Importing a signed server certificate" on page 190.

Importing a signed server certificate

Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit. For more information, see the FortiGate Certificate Management User Guide.

To import the signed server certificate, go to System > Certificates > Local Certificates, select Import, enter the required information, and then select OK.

Import Certificate page
Provides settings for importing a specific signed certificate. The following settings are available when you select Local Certificate from the Type drop-down list.

Type: Select Local Certificate.
Certificate File: Enter the full path to and file name of the signed server certificate. The certificate file can be in either PEM or DER format.
Browse: Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

Importing an exported server certificate and private key

You will need to know the password in order to import the certificate file. Before you begin, save a copy of the file on a computer that has management access to the FortiGate unit.

To import the PKCS12 file, go to System > Certificates > Local Certificates, select Import, enter the required information, and then select OK.

Import Certificate page
Provides settings for importing a specific signed certificate. The following settings are available when you select PKCS12 Certificate from the Type drop-down list.

Type: Select PKCS12 Certificate.

Certificate with key file: Enter the full path to and file name of the previously exported PKCS12 file.
Browse: Alternatively, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.
Password: Type the password needed to upload the PKCS12 file.

Note: The certificate file must not use 40-bit RC2-CBC encryption.

Importing separate server certificate and private key files

When the server certificate request and private key were not generated by the FortiGate unit, you will receive them as separate files. Copy the two files to the management computer.

To import the certificate and private key files, go to System > Certificates > Local Certificates, select Import, enter the required information, and then select OK.

Import Certificate page
Provides settings for importing a specific signed certificate from the CA. The following settings are available when you select Certificate from the Type drop-down list.

Type: Select Certificate.
Certificate file: Enter the full path to and file name of the previously exported certificate file.
Browse: Alternatively, browse to the location of the previously exported certificate file, select the file, and then select OK.
Key file: Enter the full path to and file name of the previously exported key file.
Browse: Alternatively, browse to the location of the previously exported key file, select the file, and then select OK.
Password: If a password is required to upload and open the files, type the password.

Remote Certificates

For dynamic certificate revocation, you need to use an Online Certificate Status Protocol (OCSP) server. OCSP is configured in the CLI only. For more information, see the FortiGate CLI Reference. Remote certificates are public certificates without a private key.

Note: There is one OCSP configuration per VDOM.

Installed Remote (OCSP) certificates are displayed in the Remote Certificates list. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.

To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to System > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Remote page
Lists the public certificates. On this page you can import, delete and view certificates.

Import: Import a public OCSP certificate.
Name: The names of existing Remote (OCSP) certificates.

Subject: Information about the Remote (OCSP) certificate.
Delete: Delete a Remote (OCSP) certificate from the FortiGate configuration.
View Certificate Detail: Display certificate details.
Download: Save a copy of the Remote (OCSP) certificate to a local computer.

Importing Remote (OCSP) certificates

The system assigns a unique name to each Remote (OCSP) certificate. The names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on).

To import a Remote (OCSP) certificate, go to System > Certificates > Remote and select Import.

Upload Remote Certificate
Provides settings for uploading a remote certificate to the FortiGate unit.

Local PC: Enter the location on the management PC of the public certificate to upload.
Browse: Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

CA Certificates

When you apply for a signed personal or group certificate to install on remote clients, you must obtain the corresponding root certificate and CRL from the issuing CA. When you receive the certificate, install it on the remote clients according to the browser documentation. Install the corresponding root certificate and CRL from the issuing CA on the FortiGate unit.

Installed CA certificates are displayed in the CA Certificates list. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported. To view installed CA root certificates or import a CA root certificate, go to System > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

CA certificates can update automatically online prior to expiry. This must be configured in the CLI. See the vpn certificate ca command in the FortiGate CLI Reference.

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

CA Certificates page
Lists the CA certificates that you have imported as well as the default CA certificates.

Import: Import a CA root certificate. See "Importing CA certificates" on page 193.
Name: The names of existing CA root certificates.
Subject: Information about the issuing CA.
Delete: Delete a CA root certificate from the FortiGate configuration. You cannot delete the Fortinet_CA certificate.
View Certificate Detail: Display certificate details.
Download: Save a copy of the CA root certificate to a local computer.

Importing CA certificates

After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit.

To import a CA root certificate, go to System > Certificates > CA Certificates and select Import.

The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

Import CA Certificate
Provides settings for importing certificates using an SCEP server or a local PC.

SCEP: Select to use an SCEP server to retrieve the CA certificate used for user authentication. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information for the CA, such as the file name. If you choose SCEP, the system starts the retrieval process as soon as you select OK.
Local PC: Select to use a local administrator's PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

CRL

A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid.

Installed CRLs are displayed in the CRL list. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported. To view installed CRLs, go to System > Certificates > CRL.

CRL page
Lists each individual CRL. On this page you can import, view or download CRLs.

Import: Import a CRL. For more information, see "Importing a certificate revocation list" on page 193.
Name: The names of existing certificate revocation lists.
Subject: Information about the certificate revocation lists.
Delete: Delete the selected CRL from the FortiGate configuration.
View Certificate Detail: Display CRL details such as the issuer name and CRL update dates.
Download: Save a copy of the CRL to a local computer.

Importing a certificate revocation list

Certificate revocation lists from CA web sites must be kept updated on a regular basis to ensure that clients having revoked certificates cannot establish a connection with the FortiGate unit. A CRL that is past its next-update date no longer reflects the CA's current revocations, so keep the unit's copy current either by re-importing it or by configuring a server from which it is refreshed.

After you download a CRL from the CA web site, save the CRL on a computer that has management access to the FortiGate unit.

To import a certificate revocation list, go to System > Certificates > CRL and select Import.

The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).

Import CRL page
Provides settings to import CRLs from an HTTP, LDAP or SCEP server, or from a local PC.

HTTP: Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.
LDAP: Select to use an LDAP server to retrieve the CRL, then select the LDAP server from the list.
SCEP: Select to use an SCEP server to retrieve the CRL, then select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
Local PC: Select to use a local administrator's PC to upload the CRL file. Enter the location, or browse to the location on the management computer where the CRL has been saved, select the file, and then select OK.

Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest version of the CRL is retrieved automatically from the server when the FortiGate unit does not have a copy of it or when the current copy expires.
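As an added example, not part of this guide or of FortiOS, the following Python script shows the check that an imported CRL supports: it parses a DER-encoded CRL, refuses to rely on a list whose nextUpdate has passed (the condition under which the unit refetches the CRL from its HTTP, LDAP or SCEP server), confirms that the list was issued by the CA that issued the certificate being checked, and only then looks up the serial number. The CRL, the issuer name "Example Root CA" and the serial numbers are constructed for the example; the CRL carries a dummy signature, and verification of that signature against the installed CA certificate, which the FortiGate unit performs, is not shown. Only the Python standard library is used.

```python
"""Parse a DER-encoded X.509 CRL and decide whether a certificate serial is revoked.

Added example with a constructed, unsigned sample CRL. Signature verification
against the issuing CA certificate is out of scope; the FortiGate unit does it.
"""
from datetime import datetime, timezone

SEQUENCE, SET, INTEGER, OID, NULL, BIT_STRING, PRINTABLE, UTCTIME, GENTIME = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x03, 0x13, 0x17, 0x18)
OID_CN = bytes.fromhex("550403")                    # id-at-commonName (2.5.4.3)
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # sha256WithRSAEncryption


def der(tag, body):
    """Encode one DER TLV (definite length, long form when body >= 128 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_int(value):
    """DER INTEGER for a non-negative value: minimal length, leading 0x00 if needed."""
    return der(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def utc_time(dt):
    return der(UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode())


def name_cn(cn):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (one CN attribute here)."""
    atv = der(SEQUENCE, der(OID, OID_CN) + der(PRINTABLE, cn.encode()))
    return der(SEQUENCE, der(SET, atv))


def build_crl(issuer_cn, this_update, next_update, revoked):
    """Build a v2 CRL; revoked is a list of (serial, revocation_datetime)."""
    alg = der(SEQUENCE, der(OID, OID_SHA256_RSA) + der(NULL, b""))
    entries = b"".join(der(SEQUENCE, der_int(s) + utc_time(d)) for s, d in revoked)
    tbs = der(SEQUENCE, der_int(1) + alg + name_cn(issuer_cn)
              + utc_time(this_update) + utc_time(next_update) + der(SEQUENCE, entries))
    # Dummy signature value; a real CRL carries the CA's signature over tbs here.
    return der(SEQUENCE, tbs + alg + der(BIT_STRING, b"\x00" * 33))


def read_tlv(buf, pos=0):
    """Decode the TLV at pos; returns (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def parse_time(tag, body):
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode(), fmt).replace(tzinfo=timezone.utc)


def issuer_common_name(name_body):
    for _, rdn_set in children(name_body):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode()
    return None


def parse_crl(data):
    """Return issuer CN, thisUpdate, nextUpdate and {serial: revocation time}."""
    _, cert_list, _ = read_tlv(data)
    _, tbs, _ = read_tlv(cert_list)
    fields = children(tbs)
    i = 1 if fields[0][0] == INTEGER else 0          # version is OPTIONAL
    i += 1                                            # skip signature AlgorithmIdentifier
    issuer, i = issuer_common_name(fields[i][1]), i + 1
    this_update, i = parse_time(*fields[i]), i + 1
    next_update = None
    if i < len(fields) and fields[i][0] in (UTCTIME, GENTIME):
        next_update, i = parse_time(*fields[i]), i + 1
    revoked = {}
    if i < len(fields) and fields[i][0] == SEQUENCE:  # revokedCertificates
        for _, entry in children(fields[i][1]):
            (_, serial), (dtag, dval) = children(entry)[:2]
            revoked[int.from_bytes(serial, "big")] = parse_time(dtag, dval)
    return {"issuer": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}


def certificate_status(crl, issuer_cn, serial, now):
    """'revoked', 'good', 'stale' (outside thisUpdate..nextUpdate: refetch before
    trusting it) or 'wrong-issuer' (a CRL says nothing about another CA's certs)."""
    if crl["issuer"] != issuer_cn:
        return "wrong-issuer"
    if now < crl["this_update"] or (crl["next_update"] and now > crl["next_update"]):
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"


# Constructed sample: "Example Root CA" has revoked serials 0x1001 and 0x2A.
SAMPLE_CRL = build_crl(
    "Example Root CA",
    datetime(2010, 5, 1, tzinfo=timezone.utc), datetime(2010, 6, 1, tzinfo=timezone.utc),
    [(0x1001, datetime(2010, 4, 20, tzinfo=timezone.utc)),
     (0x2A, datetime(2010, 4, 28, tzinfo=timezone.utc))])
NOW = datetime(2010, 5, 7, tzinfo=timezone.utc)
AFTER_NEXT_UPDATE = datetime(2010, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    crl = parse_crl(SAMPLE_CRL)
    for serial in (0x1001, 0x2A, 0x1002):
        print(hex(serial), certificate_status(crl, "Example Root CA", serial, NOW))
    print("after nextUpdate:", certificate_status(crl, "Example Root CA", 0x1002, AFTER_NEXT_UPDATE))
```

The stale result is deliberately a failure rather than a pass: an expired list proves nothing about certificates revoked since it was issued, which is why the unit's automatic refresh on expiry matters when the CRL comes from an HTTP, LDAP or SCEP server.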

System Maintenance

This section describes how to maintain your system configuration as well as how to enable and update FDN services, such as antivirus and IPS definitions and the FortiGuard Analysis & Management Service. This section also explains the types of FDN services that are available for your FortiGate unit.

If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is configured globally for the entire FortiGate unit. For more information, see "Using virtual domains" on page 79.

The following topics are included in this section:
• Maintenance overview
• Configuration Revision
• Firmware
• FortiGuard
• Troubleshooting FDN connectivity
• Updating antivirus and attack definitions
• Enabling push updates
• Advanced
• Adding VDOM Licenses
• Disk

Maintenance overview

The maintenance menu provides help with maintaining and managing firmware, configuration revisions, and FortiGuard subscription-based services. From this menu, you can upgrade or downgrade the firmware, view historical backups of configuration files, or update FortiGuard services.

The maintenance menu has the following menus:
• Revision Control - displays all system configuration backups with the date and time of when they were backed up. Before you can use revision control, a central management server must be configured and enabled.
• Firmware - displays the firmware images that are currently stored on the FortiGate unit as well as the firmware image currently running on the FortiGate unit.
• FortiGuard - displays all FDN subscription services. This tab also provides configuration options for antivirus, IPS, web filtering, and antispam services.
• Advanced - displays advanced settings for scripts, script files and USB auto-install, and allows downloads of the debug log.
• License - allows you to increase the maximum number of VDOMs (on some FortiGate models).
• Disk - displays detailed information about the status of multiple local disks.

Configuration Revision

The Configuration Revisions menu enables you to manage multiple versions of configuration files. Revision control requires either a configured central management server, or the local hard drive. The central management server can either be a FortiManager unit or the FortiGuard Analysis & Management Service.

When revision control is enabled on your FortiGate unit, and configurations have been backed up, a list of saved revisions of those backed-up configurations appears. On this page, you can delete, edit or upload a configuration file, view the differences between revisions, and revert to a previous configuration. This page also allows you to change comments.

If central management is not configured on your FortiGate unit, a message appears to tell you to do one of the following:
• enable central management (see "Central Management" on page 176)
• obtain a valid license.

To view the configuration revisions, go to System > Maintenance > Configuration Revision.

You can also restore the system configuration from previously downloaded backup files in the Backup & Restore menu. You can save the configuration to the management computer, to a USB disk if your FortiGate unit includes a USB port (see "Formatting USB Disks" on page 198), or to its local hard disk. When backing up the system configuration, web content files and email filtering files are also included.

When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it. A backup of the system configuration from the super_admin account contains global settings and the settings included in each VDOM. Only the super_admin can restore the configuration from this file. When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the VDOM that the regular administrator belongs to. A regular administrator is the only user account that can restore the configuration from this file.

The FortiClient section of Backup & Restore is available if your FortiGate model supports FortiClient. Some FortiGate models support FortiClient by storing a FortiClient image that users can download.

Tip: For simplified procedures on managing firmware, including backup and restore options as well as uploading and downloading firmware for your FortiGate unit, see "Firmware management practices" on page 67.

Configuration Revision page
Lists all the configuration revisions.

OS Version <firmware_version_build> (appears as sections on the page): The section of the page that contains the configuration files that belong to the specified FortiOS firmware version and build number. For example, if you have four configuration revisions for 4.0 MR1 (build178), they appear in the section OS Version 4.00 build178 on the Configuration Revision page.
Revision: An incremental number indicating the order in which the configurations were saved. The most recent, and highest, number is first in the list. These may not be consecutive numbers if configurations are deleted.
Date/Time: The date and time this configuration was saved on the FortiGate unit.
Administrator: The administrator account that was used to back up this revision.

Comments: Any relevant information saved with the revision, such as why the revision was saved, who saved it, and whether there is a date when it can be deleted to free up space.
Diff: Select to compare two revisions. A window will appear, from which you can view and compare the selected revision to one of:
• the current configuration
• a selected revision from the displayed list, including revision history and templates
• a specified revision number.
Download: Download this revision to your local PC.
Revert: Restore the selected revision. You will be prompted to confirm this action.
Delete: Select to remove a configuration revision from the list.
Details: Select to view the CLI settings of a configuration revision.
Change Comments: Select to modify the description.
Upload: Select to upload a configuration file to the FortiGate unit.

Firmware

The Firmware menu allows you to install firmware on your FortiGate unit, as well as upload a firmware image to install at a later date. You can also view what firmware is currently running on the FortiGate unit from this menu.

To view firmware images, go to System > Maintenance > Firmware.

Firmware page
Lists all firmware images that have been uploaded to the FortiGate unit. On this page you can select the firmware image to install, as well as upload and install an image.

Currently Running Firmware: Displays the firmware image that is currently running on the FortiGate unit.
Delete: Select to remove the firmware image from the list.
Change Comments: Select to change the description for the firmware image.
Upgrade: Select to install the selected firmware image. You must select the firmware image in the list to install that image on the FortiGate unit.
Upload: Select to upload a firmware image, which is then added to the list. When you select Upload, you are automatically redirected to the Upload page, where you select the image file, enable Boot New Firmware (which installs the selected firmware on the FortiGate unit) if you want to install it immediately, and enter any description about the firmware that you want.
Firmware Version: The firmware version number of the firmware image.
Date: The date the firmware image was created on.
Create by: The administrator who uploaded the firmware image.
Comments: The description about the image.

This topic contains the following:
• Backing up and restoring configuration files
• Formatting USB Disks
• Remote FortiManager backup and restore options
• Remote FortiGuard backup and restore options
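The Diff function on the Configuration Revision page compares two saved revisions. As an added example, not part of this guide or of FortiOS, the following Python script does the same comparison offline on two downloaded revisions: it flattens FortiOS CLI syntax (config / edit / set / next / end) into setting paths and reports what was added, removed or changed, so that a decision to revert, or to accept a revision made by another administrator, rests on the exact settings that differ rather than on a raw text diff. The two revisions, the hostname, the account names and the policy are constructed samples.

```python
"""Compare two FortiGate configuration revisions setting by setting.

Added example, not FortiGate code. Both revisions below are constructed samples
written in FortiOS CLI syntax.
"""
import shlex

REVISION_3 = """\
config system global
    set hostname "FW-HQ"
    set admin-sport 443
    set admin-https-redirect enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.1.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
end
"""

# Revision 4: HTTP-to-HTTPS admin redirect dropped, a second super_admin
# account appeared, and policy 1 was widened from HTTPS to ALL.
REVISION_4 = REVISION_3.replace("    set admin-https-redirect enable\n", "").replace(
    "    next\nend\nconfig firewall policy",
    '    next\n    edit "svc-backup"\n        set accprofile "super_admin"\n    next\n'
    "end\nconfig firewall policy").replace('set service "HTTPS"', 'set service "ALL"')


def parse_config(text):
    """Flatten FortiOS CLI config into {(scope..., key): value}.

    'config <table>' and 'edit <entry>' open a scope, 'next' and 'end' close
    one. A value keeps its tokens in order, e.g. '10.0.1.0 255.255.255.0'.
    """
    settings, path = {}, []
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            path.append(cmd + " " + " ".join(args))
        elif cmd in ("next", "end"):
            if not path:
                raise ValueError("'%s' without an open block" % cmd)
            path.pop()
        elif cmd == "set":
            settings[tuple(path) + (args[0],)] = " ".join(args[1:])
        elif cmd == "unset":
            settings.pop(tuple(path) + (args[0],), None)
        else:
            raise ValueError("unexpected line: " + raw)
    if path:
        raise ValueError("unclosed block: " + " > ".join(path))
    return settings


def diff_revisions(old_text, new_text):
    """Return sorted (kind, path, old_value, new_value) tuples;
    kind is 'added', 'removed' or 'changed'."""
    old, new = parse_config(old_text), parse_config(new_text)
    changes = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            changes.append(("added", key, None, new[key]))
        elif key not in new:
            changes.append(("removed", key, old[key], None))
        elif old[key] != new[key]:
            changes.append(("changed", key, old[key], new[key]))
    return changes


def changes_in(changes, tables):
    """Restrict a diff to the given top-level tables, e.g. ('config system admin',)."""
    return [c for c in changes if c[1][0] in tables]


def format_change(kind, key, old, new):
    where = " > ".join(key[:-1]) + " :: " + key[-1]
    if kind == "added":
        return "+ %s = %s" % (where, new)
    if kind == "removed":
        return "- %s = %s" % (where, old)
    return "~ %s: %s -> %s" % (where, old, new)


if __name__ == "__main__":
    for change in diff_revisions(REVISION_3, REVISION_4):
        print(format_change(*change))
```

Filtering with changes_in on the admin and policy tables is the quick first pass before a revert: the example's revision 4 contains a new super_admin account and a widened policy, the two kinds of change most worth an explanation from whoever saved it.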

Backing up and restoring configuration files

You can back up or restore your FortiGate configuration to your management PC, a central management server, or a USB disk.

FortiGate units with USB ports support USB disks for backing up and restoring configurations. FortiGate units support most USB disks, including USB keys and external USB hard disks. FortiUSB and generic USB disks are supported, but a generic USB disk must be formatted as a FAT16 disk; no other partition type is supported (see "Formatting USB Disks" on page 198). You can back up and restore your configuration to a USB disk if the FortiGate unit includes a USB port and you have connected a USB disk to it.

The central management server is whatever remote management service the FortiGate unit is connected to. For example, if the current configuration on a FortiGate-60 is backed up to a FortiManager unit, the central management server is the FortiManager unit. You must configure central management in System > Admin > Central Management before these options are available in the Backup & Restore section. For more information, see "Central Management" on page 176.

A list of revisions is displayed when restoring the configuration from a remote location. The list allows you to choose the configuration to restore.

Formatting USB Disks

Caution: Formatting the USB disk deletes all information on the disk. Back up the information on the USB disk before formatting to ensure all information on the disk is recoverable.

There are two ways that you can format the USB disk: by using the CLI or a Windows system. You can format the USB disk in the CLI using the command execute usb-disk format. When using a Windows system to format the disk, at the command prompt type "format <drive_letter>: /FS:FAT /V:<drive_label>", where <drive_letter> is the letter of the connected USB drive you want to format and <drive_label> is the name you want to give the USB drive for identification.

Remote FortiManager backup and restore options

Your FortiGate unit can be remotely managed by a FortiManager unit. After successfully connecting to the FortiManager unit from your FortiGate unit, you can back up your configuration to the FortiManager unit. You can also restore your configuration. For detailed instructions on how to install a FortiManager unit, see the FortiManager Install Guide.

The FortiGate unit connects using the FortiGuard-FortiManager protocol. This protocol provides communication between a FortiGate unit and a FortiManager unit, and runs over SSL using IPv4/TCP port 541. The automatic configuration backup is available only in local mode on the FortiManager unit.

Backup and restore settings are available only in the CLI. The execute backup config and execute restore config commands are used to back up and restore the FortiGate unit's configuration file.

Remote FortiGuard backup and restore options

Your FortiGate unit can be remotely managed by a central management server, which is available when you register for the FortiGuard Analysis & Management Service. After registering, you can back up or restore your configuration. You can also upgrade the firmware on your FortiGate unit using the FortiGuard Analysis & Management Service. The FortiGuard Analysis & Management Service is useful when administering multiple FortiGate units without having a FortiManager unit. It is a subscription-based service and is purchased by contacting support.

When restoring the configuration from a remote location, a list of revisions is displayed so that you can choose the configuration file to restore.

Upgrading the firmware is available in the Firmware Upgrade section of the backup and restore menu. For more information about upgrading firmware from the backup and restore menu, see "Changing the FortiGate firmware" on page 45.

Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see "Firmware management practices" on page 67.

Note: The FortiGuard-FortiManager protocol is used when connecting to the FortiGuard Analysis & Management Service. This protocol runs over SSL using IPv4/TCP port 541 and includes the following functions:
• detects FortiGate unit dead or alive status
• detects management service dead or alive status
• notifies the FortiGate units about configuration changes, AV/IPS database updates and firewall changes.

FortiGuard

Go to System > Maintenance > FortiGuard to configure your FortiGate unit to use the FortiGuard Distribution Network (FDN) and FortiGuard Services. The FDN provides updates to antivirus definitions, IPS definitions, and the antispam rule set. FortiGuard Services include FortiGuard web filtering and the FortiGuard Analysis and Management Service.

This topic contains the following:
• FortiGuard Distribution Network
• FortiGuard services
• Configuring the FortiGate unit for FDN and FortiGuard subscription services

FortiGuard Distribution Network

The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). When the FortiGate unit contacts the FDN, it connects to the nearest FDS based on the current time zone setting. The FDN provides updates to antivirus (including grayware) definitions, IPS definitions, and the antispam rule set.

The FortiGate unit supports the following update options:
• user-initiated updates from the FDN
• hourly, daily, or weekly scheduled antivirus definition, IPS definition, and antispam rule set updates from the FDN
• push updates from the FDN

• update status including version numbers, expiry dates, and update dates and times
• push updates through a NAT device

The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to receive scheduled updates. For more information, see “To enable scheduled updates” on page 206.

You can also configure the FortiGate unit to receive push updates. For more information, see “Enabling push updates” on page 207. When the FortiGate unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. If the FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 208.

FortiGuard services

Worldwide coverage of FortiGuard services is provided by FortiGuard service points. Fortinet adds new service points as required. When the FortiGate unit is connecting to the FDN, it is connecting to the closest FortiGuard service point. If the closest service point becomes unreachable for any reason, the FortiGate unit contacts another service point and information is available within seconds.

By default, the FortiGate unit communicates with the service point via UDP on port 53. Alternately, you can switch the UDP port used for service point communication to port 8888 by going to System > Maintenance > FortiGuard. Note that this rating traffic is not DNS even though it uses the DNS port; if an upstream device intercepts or inspects UDP port 53 as DNS, the alternate port avoids that interference.

If you need to change the default FortiGuard service point host name, use the hostname keyword in the system fortiguard CLI command. You cannot change the FortiGuard service point name using the web-based manager.

Registering your FortiGate unit on the Fortinet Support web page provides a valid license contract and connection to the FDN. On the Fortinet Support web page, go to Product Registration and follow the instructions. For more information about FortiGuard services, see the FortiGuard Center web page.

FortiGuard Antispam service

FortiGuard Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and email filtering tools contained in an antispam rule set that is downloaded to the FortiGate unit. The IP address black list contains IP addresses of email servers known to generate spam. The URL black list contains URLs that are found in spam email. FortiGuard Antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard Antispam is always current. You can either enable or disable FortiGuard Antispam in an email filter profile. For more information, see “Email Filter” on page 328.

Every FortiGate unit comes with a free 30-day FortiGuard Antispam trial license. FortiGuard Antispam license management is performed by Fortinet servers; there is no need to enter a license number. Contact Fortinet Technical Support to renew the FortiGuard Antispam license after the free trial expires.

You can globally enable FortiGuard Antispam (Email Filter) in System > Maintenance > FortiGuard and then configure Email Filtering options in UTM > Email Filtering > Profile. The FortiGate unit automatically contacts a FortiGuard Antispam service point when enabling FortiGuard Antispam. For more information, see “Email Filter” on page 328.

FortiGuard Web Filtering service

FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Web Filtering service point to determine the category of a requested web page, then follows the firewall policy configured for that user or interface.

Every FortiGate unit comes with a free 30-day FortiGuard Web Filtering trial license. There is no need to enter a license number. FortiGuard license management is performed by Fortinet servers. Contact Fortinet Technical Support to renew a FortiGuard license after the free trial.

You can globally enable FortiGuard Web Filtering in System > Maintenance > FortiGuard and then configure FortiGuard Web Filtering options in UTM > Web Filtering > Profile. The FortiGate unit automatically contacts a FortiGuard service point when enabling FortiGuard category blocking. For more information, see “Web Filter” on page 316.

FortiGuard Analysis & Management Service

FortiGuard Analysis & Management Service is a subscription-based service that provides remote management services, including logging and reporting capabilities for all FortiGate units. These services were previously available only on FortiAnalyzer and FortiManager units. The subscription-based service is available from the FortiGuard Analysis & Management Service portal web site, which provides a central location for configuring logging and reporting and remote management, and for viewing subscription contract information, such as daily quota and the expiry date of the service.

Configuring the FortiGate unit for FDN and FortiGuard subscription services

FDN updates, as well as FortiGuard services, are configured in System > Maintenance > FortiGuard. On this page, you can also enter the Analysis and Management Services contact account ID, as well as antivirus and IPS options and web filtering and email filtering options.

To view the FortiGuard options, go to System > Maintenance > FortiGuard. The FDN page contains four sections of FortiGuard services:
• Support Contract and FortiGuard Subscription Services
• Downloading antivirus and IPS updates
• Configuring Web Filtering and Email Filtering Options
• Configuring FortiGuard Analysis & Management Service Options

Support Contract and FortiGuard Subscription Services

The Support Contract and FortiGuard Subscription Services sections are displayed in abbreviated form on the Status page. See “Dashboard overview” on page 40.

FortiGuard Distribution Network page
Lists detailed information about your FortiGate unit’s support contract and FortiGuard subscription services.

Support Contract: The availability or status of your FortiGate unit support contract. The status displayed can be one of the following: Unreachable, Not Registered or Valid Contract. If Valid Contract is shown, the FortiOS firmware version and contract expiry date appear. A green checkmark also appears.

[Register]: Select to register your FortiGate unit support contract. This option is available only when the support contract is not registered.

FortiGuard Subscription Services
Availability and status information for each of the FortiGuard subscription services including:
• AntiVirus
• Intrusion Protection
• Vulnerability Compliance and Management
• Web Filtering
• AntiSpam
• Analysis & Management Service

[Availability]: The availability of this service on this FortiGate unit. The status can be Unreachable, Not Registered, Valid License, or Valid Contract. If the Status icon is green, the expiry date is displayed, dependent on your service subscription.

[Update]: Select to manually update this service on your FortiGate unit. This will prompt you to download the update file from your local computer.

[Register]: Select to register the service. The option Subscribe appears if Availability is Not Registered. The option Renew appears if Availability has expired. This is displayed in Analysis & Management Service.

Status Icon: Indicates the status of the subscription service. The icon corresponds to the availability description.
• Gray (Unreachable) – FortiGate unit is not able to connect to the service.
• Orange (Not Registered) – FortiGate unit can connect, but is not subscribed to this service.
• Yellow (Expired) – FortiGate unit had a valid license that has expired.
• Green (Valid license) – FortiGate unit can connect to the FDN and has a registered support contract.

[Version]: The version number of the definition file currently installed on the FortiGate unit for this service.

[Last update date and method]: The date of the last update and the method used for the last attempt to download definition updates for this service.

[Date]: Local system date when the FortiGate unit last checked for updates for this service.

Downloading antivirus and IPS updates

In the Antivirus and IPS Options section, you can schedule antivirus and IPS updates, configure an override server, or allow push updates. Select Update Now to immediately download current updates from the FDN directly.

Use override server address: Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using its own FortiGuard server. When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see “Troubleshooting FDN connectivity” on page 205.

Use the Use override push IP option when your FortiGate unit is behind a NAT device. The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to; with this option, the FortiGate unit instead sends the FDS the IP address and port number of the NAT device. The NAT device must also be configured to forward the FDS traffic to the FortiGate unit on port 9443. For more information, see “Enabling push updates through a NAT device” on page 208.

Antivirus and IPS Options section of the FortiGuard Distribution Network page
Provides settings for scheduling updates, configuring an override server or allowing push updates. You can access these options by selecting the expand arrow.

Allow Push Update: Select to allow push updates. Updates are then sent automatically to your FortiGate unit when they are available, eliminating any need for you to check if they are available. See “Enabling push updates” on page 207.

Allow Push Update status icon: The status of the FortiGate unit for receiving push updates:
• Gray (Unreachable) – the FortiGate unit is not able to connect to the push update service
• Yellow (Not Available) – the push update service is not available with the current support license
• Green (Available) – the push update service is allowed
If the icon is gray or yellow, see “Troubleshooting FDN connectivity” on page 205.

Use override push IP: Select to allow you to create a forwarding policy that redirects incoming FDS push updates to your FortiGate unit. Enter the IP address of the NAT device in front of your FortiGate unit. The FDS will connect to this device when attempting to reach the FortiGate unit. The NAT device must be configured to forward the FDS traffic to the FortiGate unit on UDP port 9443. See “Enabling push updates through a NAT device” on page 208. Available only if both Use override server address and Allow Push Update are enabled.

Port: Select the port on the NAT device that will receive the FDS push updates. This port must be forwarded to UDP port 9443 on the FortiGate unit. Available only if Use override push IP is enabled.

Schedule Updates: Select this check box to enable scheduled updates.

Every: Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.

Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Update Now: Select to manually initiate an FDN update.

Submit attack characteristics… (recommended): Fortinet recommends that you select this check box. It helps to improve the quality of IPS signatures.

Configuring Web Filtering and Email Filtering Options

You can access this section by selecting the expand arrow to view Web Filtering and Email Filtering options.

Web Filtering and Email Filtering Options section of the FortiGuard Distribution Network page
Provides settings for enabling the FortiGuard web filter service, cache, and email filter service.

Enable Web Filter: Select to enable the FortiGuard Web Filter service.

Enable Cache: Select to enable caching of web filter queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available if Enable Web Filter is selected.

TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds. Available only if both Enable Web Filter and Enable Cache are selected.

Enable Email Filter: Select to enable the FortiGuard AntiSpam service.

Enable Cache: Select to enable caching of antispam queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available only if Enable Email Filter is selected.

TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds.

Port Section: Select one of the following ports for your web filtering and antispam requirements:
Use Default Port (53): Select to use port 53 for transmitting with FortiGuard Antispam servers.
Use Alternate Port (8888): Select to use port 8888 for transmitting with FortiGuard Antispam servers.

Test Availability: Select to test the connection to the servers. Results are shown below the button and on the Status indicators.

To have a URL's category rating re-evaluated, please click here: Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.

Configuring FortiGuard Analysis & Management Service Options

The Analysis & Management Service Options section contains the Account ID and other options regarding the FortiGuard Analysis & Management Service. You can access this section by selecting the expand arrow.

Analysis and Management Service Options section of the FortiGuard Distribution Network page
Provides settings for additional configuration of the FortiGuard Analysis and Management Service subscription service.

Account ID: Enter the name for the Analysis & Management Service that identifies the account. The account ID that you entered in the Account ID field when registering is used in this field. You can also select this to register your FortiGate unit with the FortiGuard Analysis & Management Service.

To configure FortiGuard Analysis Service options, please click here: Select the link please click here to configure and enable logging to the FortiGuard Analysis & Management server. The link redirects you to Log&Report > Log Config > Log Setting. This appears only after registering for the service.

To purge logs older than n months, please click here: Select the number of months from the list that will remove those logs from the FortiGuard Analysis & Management server and select the link please click here. For example, if you select 2 months, logs older than two months are removed from the server. You can also use this option to remove logs that may appear on a current report. This appears only after logging is enabled and log messages are sent to the FortiGuard Analysis server.

To launch the service portal, click here: Select to go directly to the FortiGuard Analysis & Management Service portal web site to view logs or configuration.
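The rating cache rows above describe a fixed-size, least-recently-used cache of blocked verdicts that expire after the TTL. The following model, added here as an illustration and not FortiOS code, implements exactly those semantics so you can see what a given TTL and cache size do to query volume and staleness. The entry count stands in for the 6 percent memory budget, the clock is injected so expiry can be replayed, and the `query` callback stands in for the UDP rating request; the host names and verdicts in `simulate()` are constructed.

```python
from collections import OrderedDict

TTL_MIN, TTL_MAX = 300, 86400  # TTL bounds stated in the guide


class RatingCache:
    """LRU cache of FortiGuard verdicts. Only 'blocked' verdicts are stored,
    each for ttl seconds; capacity stands in for the 6 percent memory budget."""

    def __init__(self, capacity, ttl, clock):
        if not TTL_MIN <= ttl <= TTL_MAX:
            raise ValueError(f"TTL must be between {TTL_MIN} and {TTL_MAX} seconds")
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self.capacity, self.ttl, self.clock = capacity, ttl, clock
        self._entries = OrderedDict()  # key -> (verdict, expires_at); last item = most recent
        self.hits = self.misses = self.evictions = 0

    def lookup(self, key, query):
        """Return the verdict for key, calling query(key) only on a miss."""
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None:
            verdict, expires_at = entry
            if now < expires_at:
                self._entries.move_to_end(key)  # refresh recency on a hit
                self.hits += 1
                return verdict
            del self._entries[key]  # expired: re-query rather than serve a stale verdict
        self.misses += 1
        verdict = query(key)
        if verdict == "blocked":  # the guide caches blocked IPs and URLs only
            self._store(key, verdict, now + self.ttl)
        return verdict

    def _store(self, key, verdict, expires_at):
        if key not in self._entries and len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)  # drop the least recently used entry
            self.evictions += 1
        self._entries[key] = (verdict, expires_at)
        self._entries.move_to_end(key)

    def size(self):
        return len(self._entries)


def simulate():
    """Replay a constructed request sequence through a 3-entry cache with a
    300 s TTL and return the counters. The ratings table is made up."""
    ratings = {"malware.example": "blocked", "phish.example": "blocked",
               "spam.example": "blocked", "c2.example": "blocked",
               "news.example": "allowed"}
    sent = []

    def query(host):  # stands in for the UDP port 53 (or 8888) rating request
        sent.append(host)
        return ratings[host]

    now = [0]
    cache = RatingCache(capacity=3, ttl=300, clock=lambda: now[0])
    for host in ["malware.example", "malware.example",  # miss, then hit
                 "news.example", "news.example",        # allowed: never cached, two misses
                 "phish.example", "spam.example",       # cache is now full
                 "malware.example"]:                    # hit; phish.example is now least recent
        cache.lookup(host, query)
    now[0] = 100
    cache.lookup("c2.example", query)     # miss; evicts phish.example
    cache.lookup("phish.example", query)  # miss; evicts spam.example
    now[0] = 400
    cache.lookup("malware.example", query)  # its 300 s TTL has expired: miss, re-queried
    return {"hits": cache.hits, "misses": cache.misses, "evictions": cache.evictions,
            "queries": len(sent), "size": cache.size()}
```

The replay shows the two costs the TTL setting trades off: a short TTL re-queries a blocked host soon after the verdict was cached, while a long TTL keeps serving an old verdict; a cache too small for the working set churns entries and sends every lookup to the service point.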

Troubleshooting FDN connectivity

If your FortiGate unit is unable to connect to the FDN, check your configuration. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet. You might have to connect to an override FortiGuard server to receive updates. For more information, see “To add an override server” on page 207.

To make sure the FortiGate unit can connect to the FDN
1 Go to System > Dashboard > Status and select Change on the System Time line in the System Information section. Verify that the time zone is set correctly, corresponding to the region where your FortiGate unit is located.
2 Go to System > Maintenance > FortiGuard.
3 Select the expand arrow beside Web Filtering and Email Filtering Options to reveal the available options.
4 Select Test Availability. The FortiGate unit tests its connection to the FDN. The test results display at the top of the FortiGuard page. If this is not successful, check your configuration to make sure you can connect to the FDN or the override FortiGuard server from the FortiGate unit.

Push updates might be unavailable if:
• you have not registered the FortiGate unit (go to Product Registration and follow the instructions on the web site if you have not already registered your FortiGate unit)
• there is a NAT device installed between the FortiGate unit and the FDN (see “Enabling push updates through a NAT device” on page 208)
• your FortiGate unit connects to the Internet using a proxy server (see “To enable scheduled updates through a proxy server” on page 207).

Updating antivirus and attack definitions

Use the following procedures to configure the FortiGate unit to connect to the FDN to update the antivirus (including grayware) definitions and IPS attack definitions.

Note: Updating antivirus and IPS attack definitions can cause a very short disruption in traffic scanning while the FortiGate unit applies the new signature definitions. Fortinet recommends scheduling updates when traffic is light to minimize disruption.

To update antivirus and attack definitions
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside Antivirus and IPS Options to reveal the available options.
3 Select Update Now to update the antivirus and attack definitions. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.

After a few minutes, if an update is available, the FortiGuard page lists new version information for antivirus definitions and IPS attack definitions. The page also displays new dates and version numbers for the updated definitions and engines. Messages are recorded to the event log, indicating whether the update was successful or not.

To enable scheduled updates
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Scheduled Update check box.
4 Select one of the following:
Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
5 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.

To add an override server
If you cannot connect to the FDN, or if your organization provides antivirus and IPS attack updates using its own FortiGuard server, you can use the following procedure to add the IP address of an override FortiGuard server.
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Use override server address check box.
4 Type the fully qualified domain name or IP address of the FortiGuard server.
5 Select Apply.
The FortiGate unit tests the connection to the override server. If the FortiGuard Distribution Network availability icon changes from gray to green, the FortiGate unit has successfully connected to the override server. If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that may prevent the FortiGate unit from connecting to the override FortiGuard server.

To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command syntax to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. For more information, see the FortiGate CLI Reference.

Enabling push updates

The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. Register your FortiGate unit by going to the Fortinet Support web site, Product Registration, and following the instructions. If your FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT device” on page 208.

When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time new antivirus or IPS attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests the update from the FDN.

When the network configuration permits, configuring push updates is recommended in addition to scheduled updates. Scheduled updates ensure that the FortiGate unit receives current updates, but if push updates are also enabled, the FortiGate unit will usually receive new updates sooner. Fortinet does not recommend enabling push updates as the only method for obtaining updates: the FortiGate unit might not receive the push notification, and when it does receive one, it makes only one attempt to connect to the FDN and download updates.

Enabling push updates when a FortiGate unit IP address changes

The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. The FDN must be able to connect to this IP address so that your FortiGate unit can receive push update messages. The interface used for push updates is the interface configured in the default route of the static routing table. The FortiGate unit sends the SETUP message if you:
• change the IP address of this interface manually
• have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.

If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to another Internet connection. In transparent mode, if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change.

Enabling push updates through a NAT device

If the FDN connects only to the FortiGate unit through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Port forwarding enables the FDN to connect to the FortiGate unit using UDP on either port 9443 or an override push port that you specify.

Note: If the external IP address of the NAT device is dynamic (PPPoE or DHCP), the FortiGate unit is unable to receive push updates through a NAT device.

The following procedures configure the FortiGate unit to receive push updates through a NAT device. These procedures also include adding a port forwarding virtual IP and a firewall policy to the NAT device.

Figure 20: Example network: Push updates through a NAT device
[Figure: the FortiGate unit on the internal network (172.16.20.x) sits behind a NAT device; the NAT device's external interface (10.35.6.x) faces the Internet and the FDN server, and a virtual IP on that external interface forwards push updates to the FortiGate unit.]

The overall process is:
1 Register the FortiGate unit on the internal network so that it has a current support license and can receive push updates.
2 Configure the following FortiGuard options on the FortiGate unit on the internal network:
• Enable Allow Push Update.
• Enable Use override push IP and enter the IP address. Usually this is the IP address of the external interface of the NAT device.
• If required, change the override push update port. UDP port 9443 is changed only if it is blocked or in use.
3 Add a port forwarding virtual IP to the NAT device.
• Set the external IP address of the virtual IP to match the override push update IP.
4 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.

When the FortiGate unit sends the override push IP address and port to the FDN, the FDN uses this IP address and port for push updates to the FortiGate unit. However, push updates will not actually work until a virtual IP is added to the NAT device so that the NAT device accepts push update packets and forwards them to the FortiGate unit on the internal network.

Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN.

To configure FortiGuard options on the FortiGate unit on the internal network
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Allow Push Update check box.
4 Select the Use override push IP check box.
5 Enter the IP address of the external interface of the NAT device.
6 Select Apply.

You can change the push override configuration if the external IP address of the external service port changes. After changing it, select Apply to have the FortiGate unit send the updated push information to the FDN.

If the NAT device is also a FortiGate unit, the following procedure allows you to configure the NAT device to use port forwarding to pass push update connections from the FDN to the FortiGate unit on the internal network.

To add a port forwarding virtual IP to the FortiGate NAT device
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the appropriate information for the following:
Name: Enter a name for the Virtual IP.
External Interface: Select an external interface from the list. This is the interface that connects to the Internet.
External IP Address/Range: Enter the IP address and/or range. This is the IP address to which the FDN sends the push updates. This IP address must be the same as the IP address in Use override push IP for the FortiGate unit on the internal network. This is usually the IP address of the external interface of the NAT device.
Mapped IP Address/Range: Enter the IP address and/or range of the FortiGate unit on the internal network.
Port Forwarding: Select Port Forwarding. When you select Port Forwarding, the options Protocol, External Service Port and Map to Port appear.
Protocol: Select UDP.
External Service Port: Enter the external service port. The external service port is the port that the FDN connects to. The external service port for push updates is usually 9443. If you changed the push update port in the FortiGuard configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.
Map to Port: Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP. FortiGate units expect push update notifications on port 9443.
4 Select OK.

To add a firewall policy to the FortiGate NAT device
1 Go to Firewall > Policy > Policy.
2 Select Create New.
3 Configure the external to internal firewall policy:
Source Interface/Zone: Select the name of the interface that connects to the Internet.
Source Address: Select All.
Destination Interface/Zone: Select the name of the interface of the NAT device that connects to the internal network.
Destination Address: Select the virtual IP added to the NAT device.
Schedule: Select Always.
Service: Select ANY. Because the virtual IP port-forwards only the UDP external service port, this policy admits only that port to the internal FortiGate unit.
Action: Select Accept.
NAT: Select NAT.
4 Select OK.

Verify that push updates to the FortiGate unit on the internal network are working by going to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering and AntiSpam Options. The Push Update indicator should change to green.

Advanced

The Advanced menu allows you to configure and upload script files, configure settings for the USB Auto-install feature, and download the debug log. Go to System > Maintenance > Advanced to configure settings for scripts and the USB auto-install, and to download the debug log.

Scripts are text files containing CLI command sequences. These can be uploaded and executed to run complex command sequences easily. Scripts can be used to deploy identical configurations to many devices. For example, if all of your devices use identical administrator admin profiles, you can enter the commands required to create the admin profiles in a script, and then deploy the script to all the devices which should use those same settings.

If you are using a FortiGate unit without a FortiManager unit or the FortiGuard Analysis & Management Service, the scripts you upload are executed and discarded. If you want to execute a script more than once, you must keep a copy on your management PC. If you have configured either a FortiManager unit or the FortiGuard Analysis & Management Service, scripts you upload are executed and stored. You can run uploaded scripts from any FortiGate unit configured with your FortiGuard Analysis & Management Service account; the uploaded script files appear on the FortiGuard Analysis & Management Service portal web site. If your FortiGate unit is configured to use a FortiManager unit, you can upload your scripts to the FortiManager unit, and run them from any FortiGate unit configured to use the FortiManager unit. After executing scripts, you can view the script execution history on the script page.

Advanced page
Lists all settings for configuring scripts, USB Auto-install, and downloading the debug log.

Scripts section
Provides settings for uploading script files. You can also view script execution history from this section. If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service, scripts that have been stored remotely can also be run on the FortiGate unit.

Execute Script from: Select where the script comes from. Scripts can be uploaded directly to the FortiGate unit from the management PC, or run from a remote management station.
Upload Bulk CLI Command File: Select Browse to locate the script file and then select Apply to upload and execute the file. If you upload a script directly to a FortiGate unit, it is executed and discarded. If your FortiGate unit is configured to use the FortiGuard Analysis & Management Service, the script will be saved on the server for later use.
Select From remote management station: Select to execute a script from the FortiManager unit or the FortiGuard Analysis & Management Service. Choose the script you want to run from the list of all scripts stored remotely.
Script Execution History (past 10 scripts): A list of the 10 most recently executed scripts.
Name: The name of the script file.

You can generate script files more quickly this way. When a script is uploaded. When the system restarts. 2 Verify that Upload Bulk CLI Command File is selected. After you have created a script file. if its execution succeeded or failed. A local file is uploaded directly to the FortiGate unit from the management PC and executed.System Maintenance Advanced Type The source of the script file. When the system restarts. The commands must be entered in sequence. Enter the name of the configuration file in the field. or any editor that will save plain text can create a script file. Time Status Delete USB Auto-Install section Provides settings for uploading a specific firmware image and configuration file whenever there is a system restart. with one command per line. 3 Save the file to your maintenance PC. Download Debug Log Select to download an encrypted debug log file to your local PC. Delete the script entry from the list. Tip: An unencrypted configuration file uses the same structure and syntax as a script file.0 MR2 Administration Guide 01-420-89802-20100507 http://docs. you can then upload it through System > Maintenance > Advanced. On system restart … Download Debug Log section Provides a debug log rule for diagnostic purposes. 3 Select Browse to locate the script file. A remote file is executed on the FortiGate unit after being sent from a FortiManager unit or the FortiGuard Analysis & Management Service. The status of the script file. You can send this debug log to Fortinet Technical Support where they use it to help diagnose problems with your FortiGate unit. Enter the name of the firmware image in the field. You must have a USB key inserted into the USB port on the FortiGate unit for this feature.com/ • Feedback 211 . Notepad on Windows. the FortiGate unit will look for that configuration file name on the USB key. the commands are executed in sequence. making any edits you require. Textedit on the Mac. To create a script file 1 Open a text editor application. 
The date and time the script file was executed. 2 Enter the CLI commands you want to run. You can save a configuration file and copy the required parts to a new file. it is automatically executed. Select to upload a specific configuration file when the system restarts.fortinet. Uploading script files Caution: Commands that require the FortiGate unit to reboot when entered on the command line will also force a reboot if included in a script. the FortiGate unit will look for that firmware image name on the USB key. On system restart … Select to upload a specific firmware image when the system restarts. Creating script files Script files are text files with CLI command sequences. When a script file is uploaded to a FortiGate unit. To execute a script 1 Go to System > Maintenance > Advanced. GEdit on Linux. FortiGate Version 4.

4 Select Apply. If the FortiGate unit is not configured for remote management, or if it is configured to use a FortiManager unit, uploaded scripts are discarded after execution. Save script files to your management PC if you want to execute them again later. If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service, the script file is saved to the remote server for later reuse. You can view the script or run it from the FortiGuard Analysis & Management Service portal web site.
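Because a script is executed in sequence as soon as it is uploaded, and a reboot command in a script reboots the unit just as it would at the CLI, it is worth checking a script file on the management PC before uploading it. The following is an added example, not code from the guide or from Fortinet: a small Python checker that verifies the config/edit/next/end structure of a script and flags commands that force a reboot. The REBOOT_COMMANDS list is an assumption (two commands known to reboot a unit) and is meant to be extended; the two sample scripts are constructed for this example.

```python
# Added example (not Fortinet code): pre-upload checks for a FortiGate CLI
# script, applying the rules from this section: one command per line,
# commands run in sequence, and reboot commands reboot the unit from a script.

# Commands assumed to trigger a reboot. Hypothetical, non-exhaustive list;
# extend it for your own environment.
REBOOT_COMMANDS = ("execute reboot", "execute factoryreset")


def lint_script(text):
    """Return {'errors': [...], 'reboots': [...], 'commands': n} for a script.

    'errors'   lists unbalanced config/edit/next/end structure,
    'reboots'  lists line numbers of commands that force a reboot,
    'commands' counts the non-blank lines that will be executed.
    """
    errors, reboots, stack = [], [], []
    commands = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                      # blank lines are not commands
        commands += 1
        if line.startswith("config "):
            stack.append(("config", lineno))
        elif line.startswith("edit "):
            if not stack or stack[-1][0] != "config":
                errors.append(f"line {lineno}: 'edit' outside a config block")
            stack.append(("edit", lineno))
        elif line == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
            else:
                errors.append(f"line {lineno}: 'next' without an open 'edit'")
        elif line == "end":
            # strict check: every edit entry must be closed with next before end
            if stack and stack[-1][0] == "config":
                stack.pop()
            else:
                errors.append(f"line {lineno}: 'end' without an open 'config'")
        if any(line.startswith(cmd) for cmd in REBOOT_COMMANDS):
            reboots.append(lineno)
    for kind, lineno in stack:
        errors.append(f"line {lineno}: '{kind}' block is never closed")
    return {"errors": errors, "reboots": reboots, "commands": commands}


# Constructed sample in the spirit of the section's example: a read-only
# administrator profile to push to every unit, plus a shorter admin timeout.
SAMPLE_SCRIPT = """\
config system accprofile
    edit "readonly_audit"
        set sysgrp read
        set loggrp read
        set fwgrp read
    next
end
config system global
    set admintimeout 10
end
"""

# Constructed sample with two problems: a reboot command and an unclosed block.
BROKEN_SCRIPT = """\
config system global
    set hostname FGT-branch
end
execute reboot
config system admin
    edit "helpdesk"
"""

if __name__ == "__main__":
    for name, script in (("sample", SAMPLE_SCRIPT), ("broken", BROKEN_SCRIPT)):
        print(name, lint_script(script))
```

Run the checker against a script before selecting Apply; a non-empty reboots list means the upload will take the unit offline, and a non-empty errors list means the script will not do what its author intended once the commands are executed in sequence.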

Adding VDOM Licenses
Caution: Back up current configuration settings before upgrading VDOM licenses to ensure these settings are not lost. Use one of the procedures in “Backing up your configuration” on page 68 to properly back up your current configuration.

You can increase the maximum number of VDOMs on your FortiGate unit by purchasing a license key from Fortinet that raises the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of 10 VDOMs. The license key is a 32-character string supplied by Fortinet. Fortinet requires the serial number of the FortiGate unit to generate the license key. The license key is entered in System > Maintenance > License in the Input License Key field. This menu appears only on high-end FortiGate models.

License page
Displays the current maximum number of virtual domains allowed on the FortiGate unit as well as a field for inputting a license key to add more virtual domains.
Current License: The current maximum number of virtual domains.
Input License key: Enter the license key supplied by Fortinet and select Apply.

Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.

Disk
You can view the status of each available local disk on your FortiGate unit from System > Maintenance > Disk. The Disk menu allows you to view the amount of storage space that is currently left as well as what has been stored on the disk and how much storage space that data is taking up. This menu provides detailed information about that storage space for each of the following:
• Disk logging
• SQL database
• Historic reports
• IPS Packet archives
• Quarantine
• WAN optimization and Web Cache

The Disk menu also provides information about quota usage, for each of the above features. The Disk menu appears only on FortiGate models with multiple disks.
FortiGate Version 4.0 MR2 Administration Guide 01-420-89802-20100507 http://docs.fortinet.com/ • Feedback

212

Disk page
Displays the detailed information about the status of each disk and how each disk is managing the storage of the information on the disk. You can view the storage of information for each feature in the Disk Management section of this page.

Disk Status section
Displays a pie chart explaining the storage space on the disk. There is a pie chart for each disk currently installed on that FortiGate unit.
#: The order of the disk within the list.
Name: The name of the disk, such as internal.
Total: The total amount of disk space available on that disk.
Used: The total amount of space that is already used on the disk.
Free: The total amount of space that is available for storage. You can select Format to format the disk; however, formatting the disk will remove all data from the disk.

Disk Management section
Provides detailed information about how much disk space is used, free space that is available, and quota usage.
Feature: The feature that will be storing information on the disk. The following are the available features:
• Disk logging
• DLP archive
• Historic reports
• IPS Packet archive
• Quarantine
• SQL Database
• WAN optimization and Web Cache
Storage Size: The size of the storage space on the disk.
Allocated: The amount of space that is allowed for storage of a feature.
Used: The current amount of space that has been used to store information of a feature.
Quota Usage: The quota amount that is currently being used. This number is in percent. If there is no quota being used, the number is 100 percent.
Edit: Select to modify the current amount of space that is being used.

AMC module configuration
This section explains how to configure AMC modules on the FortiGate unit. This includes auto-bypass and recovery for AMC bridge modules. The following topics are included in this section:
• Configuring AMC modules
• Auto-bypass and recovery for AMC bridge module
• Enabling or disabling bypass mode for AMC bridge modules
Note: Most FortiGate models with AMC slots have one single-width or dual width AMC slot. The FortiGate-3810A has two single-width and two dual width AMC slots.

Configuring AMC modules
By default, FortiGate units automatically recognize the AMC modules installed in their AMC slots or automatically recognize that an AMC slot is empty. If the module contains interfaces, FortiOS automatically adds the interfaces to the FortiGate configuration. If the module contains a hard disk, the hard disk is automatically added to the configuration. However, if the FortiGate unit is powered down and the module is removed from the slot, when the FortiGate unit restarts it automatically recognizes that the slot is empty and does not retain any configuration settings for the missing module.

This default behavior is acceptable in most cases. However, it can be useful, when a module is present in a slot, to add the name of the module to the FortiGate configuration. Then, if the module fails or if you temporarily remove it from the slot, the FortiGate unit keeps the module’s configuration settings so that when the module is replaced you will not have to re-configure it.

If you have added the name of a module to a slot and you are planning on removing the module and replacing it with a different type of module (for example, if you are removing a FortiGate-ASM-S08 and replacing it with a FortiGate-ASM-FX2), you should reset the slot to the default before removing the module. Then, after adding the new module, you should add its name to the slot.

You configure AMC slot settings from the FortiGate CLI using the config system amc command. For information about this command, see the FortiGate CLI Reference. The following procedure shows how to add a FortiGate-ADM-FB8 to the first double-width AMC slot (dw1) and how to add the name of the module to the slot configuration.

To change the default setting for an AMC slot
1 Enter the following CLI command to verify that the slot that you will insert the FortiGate-ADM-FB8 module into is set to the default configuration. This command lists the AMC slots and the settings for each one.
Example command output for a FortiGate-5001A with an empty double-width AMC slot:
get system amc
dw1 : auto

2 Power down the FortiGate unit.
3 Insert the FortiGate-ADM-FB8 module into the double-width AMC slot.
4 Power up the FortiGate unit. As long as the slot that you have inserted the FortiGate-ADM-FB8 module into is set to auto, the FortiGate unit should automatically find the module when it powers up.
5 Add the name of the FortiGate-ADM-FB8 module to the FortiGate configuration.
config system amc
    set dw1 adm-fb8
end

Auto-bypass and recovery for AMC bridge module
The FortiGate-ASM-CX4 and FortiGate-ASM-FX2 modules provide fail-open protection for interface pairs of FortiGate units operating in Transparent mode and that have a single-width AMC slot. The FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module bridges FortiGate interfaces, monitors the interfaces for traffic failures, and operates as a pass-through device if the interfaces or the entire FortiGate unit fails or for some reason cannot pass traffic between the interfaces. If a failure occurs, traffic bypasses the FortiGate unit and passes through the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module to make sure that the network can continue processing traffic after a FortiGate failure.

This section describes how to configure a FortiGate unit to use a FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module to bridge FortiGate interfaces. The FortiGate unit must operate in Transparent mode, and the FortiGate-ASM-CX4 and FortiGate-ASM-FX2 modules are not compatible with FortiGate HA.

The FortiGate-ASM-CX4 and FortiGate-ASM-FX2 modules include a bypass watchdog that continually verifies that traffic is flowing through the bridged FortiGate interfaces. If traffic stops flowing, for example if the FortiGate unit fails, and the bypass watchdog detects this, the bridge module switches to bypass mode to ensure the flow of traffic on the network. In bypass mode all traffic flows between interfaces on the FortiGate-ASM-CX4 and FortiGate-ASM-FX2 modules and not through the FortiGate unit.

You can configure a recovery watchdog to verify whether the bridged FortiGate interfaces can process traffic again. If you fix the problem or the problem fixes itself, the recovery watchdog automatically detects that traffic can resume and switches the module back to normal operation by turning off bypass mode.

To configure a FortiGate unit to operate with a FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module
1 Switch the FortiGate unit to operate in Transparent mode.
config system settings
    set opmode transparent
    set manageip <management_IPv4> <netmask_ipv4>
    set gateway <gateway_ipv4>
end
After a short pause the FortiGate unit is operating in Transparent mode.
2 Enter the following command to verify that the slot that you will insert the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module into is set to auto. This command lists the AMC slots and the settings for each one. Example command output for a FortiGate-620B with an empty AMC slot:

get system amc
sw1 : auto
3 Power down the FortiGate unit.
4 Insert the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module into a single-width AMC slot.
5 Power up the FortiGate unit. As long as the slot that you have inserted the module into is set to auto, the FortiGate unit should automatically find the module when it powers up.
6 Add the name of the module to the FortiGate configuration and configure bypass and recovery settings. The following command configures AMC single-width slot 1 (sw1) for a FortiGate-ASM-CX4. This command also enables the bypass watchdog and increases the bypass timeout from the default value of 10 seconds to 60 seconds. This means that if a failure occurs, the bridge module will change to bypass mode 60 seconds after the bypass watchdog detects the failure. This command also enables watchdog recovery and sets the watchdog recovery period to 30 seconds. This means that, while the FortiGate-ASM-CX4 module is bridging the connection after a failure, the AMC bypass watchdog monitors FortiGate processes and reverts the module to normal operating mode (that is, stops bridging the interfaces with the FortiGate-ASM-CX4 module) if the FortiGate unit recovers from the failure.
config system amc
    set sw1 asm-cx4
    set bypass-watchdog enable
    set bypass-timeout 60
    set watchdog-recovery enable
    set watchdog-recovery-period 30
end

Enabling or disabling bypass mode for AMC bridge modules
Use the execute amc bypass command to switch between normal mode and bypass mode for a FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module installed in a single-width AMC slot in a FortiGate unit. Normally the FortiGate-ASM-CX4 and FortiGate-ASM-FX2 modules operate with bypass mode disabled and traffic passes through the FortiGate interfaces bridged by the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module. You can use this command to manually enable bypass mode and force traffic to bypass the FortiGate interfaces and pass through the FortiGate-ASM-CX4 or FortiGate-ASM-FX2 module. Also, if bypass mode has been enabled (using this command or because of a failure), you can use this command to manually disable bypass mode and resume normal operation. This can be useful if the problem that caused the failure has been fixed and normal operation can resume.
To manually enable bypass mode
1 Use the following command to manually enable bypass mode:
execute amc bypass enable

2 Use the following diagnose command to view the status of the AMC modules installed in a FortiGate unit, including whether they are operating in bypass mode. For example, if you have installed a FortiGate-ASM-CX4 module in AMC slot 2 of a FortiGate-3810A and bypass mode is enabled:
diagnose sys amc bypass status
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=bypass (admin action)
amc-sw2/3 <--> amc-sw2/4: mode=bypass (admin action)
Daemon heartbeat status: normal
Last heartbeat received: 0 second(s) ago
3 Log into the web-based manager and go to System > Dashboard > Status and view the Unit Operation widget to see the status of the AMC bridge module.
To manually disable bypass mode
1 Use the following command to manually disable bypass mode:
execute amc bypass disable
2 Use the following diagnose command to view the status of the AMC modules installed in a FortiGate unit, including whether they are operating in bypass mode. For example, if you have installed a FortiGate-ASM-CX4 module in AMC slot 2 of a FortiGate-3810A and bypass mode is disabled:
diagnose sys amc bypass status
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=normal
amc-sw2/3 <--> amc-sw2/4: mode=normal
Daemon heartbeat status: normal
Last heartbeat received: 1 second(s) ago
3 Log into the web-based manager and go to System > Dashboard > Status and view the Unit Operation widget to see the status of the AMC bridge module.
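While a bridge module is in bypass mode, traffic between the bridged interfaces flows through the module and not through the FortiGate unit, so an operations team normally wants to know about that state whether it was caused by a failure or by an administrator. The following is an added example, not code from the guide or from Fortinet: a Python parser for the diagnose sys amc bypass status output shown in this section, with a helper that decides whether the status warrants an alert. The two sample outputs are the ones printed above; the 60-second heartbeat-age threshold is an assumed value chosen to match the bypass timeout configured in this section, not a Fortinet default.

```python
import re

# Added example (not Fortinet code): parse 'diagnose sys amc bypass status'
# output as shown in this section and flag interface pairs in bypass mode.

SLOT_RE = re.compile(r"^(ASM-\S+) in slot (\d+):$")
PAIR_RE = re.compile(r"^(\S+) <--> (\S+): mode=(\w+)(?: \((.+)\))?$")
HEARTBEAT_RE = re.compile(r"^Daemon heartbeat status: (\w+)$")
LAST_RE = re.compile(r"^Last heartbeat received: (\d+) second\(s\) ago$")


def parse_bypass_status(output):
    """Return modules with their interface pairs plus the heartbeat fields."""
    status = {"modules": [], "heartbeat": None, "last_heartbeat_s": None}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SLOT_RE.match(line)):
            current = {"module": m.group(1), "slot": int(m.group(2)), "pairs": []}
            status["modules"].append(current)
        elif (m := PAIR_RE.match(line)) and current is not None:
            current["pairs"].append({"a": m.group(1), "b": m.group(2),
                                     "mode": m.group(3), "reason": m.group(4)})
        elif (m := HEARTBEAT_RE.match(line)):
            status["heartbeat"] = m.group(1)
        elif (m := LAST_RE.match(line)):
            status["last_heartbeat_s"] = int(m.group(1))
    return status


def bypassed_pairs(status):
    """Interface pairs whose traffic is not currently passing through the unit."""
    return [(mod["slot"], p["a"], p["b"], p["reason"])
            for mod in status["modules"] for p in mod["pairs"]
            if p["mode"] != "normal"]


def should_alert(status, max_heartbeat_age_s=60):
    """True when any pair is bypassed or the daemon heartbeat looks unhealthy.

    max_heartbeat_age_s is an assumed threshold, not a Fortinet default.
    """
    if bypassed_pairs(status):
        return True
    if status["heartbeat"] != "normal":
        return True
    age = status["last_heartbeat_s"]
    return age is None or age > max_heartbeat_age_s


# Sample outputs copied from this section of the guide.
BYPASS_OUTPUT = """\
diagnose sys amc bypass status
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=bypass (admin action)
amc-sw2/3 <--> amc-sw2/4: mode=bypass (admin action)
Daemon heartbeat status: normal
Last heartbeat received: 0 second(s) ago
"""

NORMAL_OUTPUT = """\
diagnose sys amc bypass status
ASM-CX4 in slot 2:
amc-sw2/1 <--> amc-sw2/2: mode=normal
amc-sw2/3 <--> amc-sw2/4: mode=normal
Daemon heartbeat status: normal
Last heartbeat received: 1 second(s) ago
"""

if __name__ == "__main__":
    for text in (BYPASS_OUTPUT, NORMAL_OUTPUT):
        s = parse_bypass_status(text)
        print(bypassed_pairs(s), "alert" if should_alert(s) else "ok")
```

The reason field distinguishes a bypass caused by execute amc bypass enable ("admin action") from one the bypass watchdog triggered, which lets a monitoring job treat a planned bypass differently from a failure.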

Configuring RAID
This section explains how to configure RAID on a FortiGate unit with multiple disk support. RAID arrays can provide faster disk access, redundancy in case of partial failure, or both depending on the RAID level that is selected. The following topics are included in this section:
• Configuring the RAID array
• RAID levels
• Rebuilding the RAID array

Configuring the RAID array
Caution: Do not remove a disk while the RAID array is synchronizing — you may lose stored information. This will also cause a degraded array and will require a rebuild. A RAID array provides no redundancy in a degraded state. Any disk failure while the RAID is in a degraded state will cause data loss.

Some FortiGate models have two or more disk drives configured in a RAID array to store log messages locally on the FortiGate unit. RAID arrays can provide faster disk access, redundancy in case of partial failure, or both depending on the RAID level that is selected. When switching RAID levels, you may see the message “RAID status is OK and RAID is doing background synchronization.” Synchronization of the disks in the array will take considerable time — it will take longer for larger arrays and for disks with more storage capacity.

RAID disk configuration
To configure the RAID array, go to the dashboard where the RAID Monitor widget is located, and then select [Configure] in the title bar area.
Disk Configuration page
Provides settings for configuring the RAID array. When you select [Configure] in the title bar area, you are automatically redirected to the Disk Configuration page.
RAID level: Select the level of RAID. Options include:
RAID-0 — (striping) better performance, no redundancy
RAID-1 — (mirroring) half the storage capacity, but totally redundant
RAID-5 — striping with parity checking, and redundancy
Available RAID level options depend on the available number of hard disks. Two or more disks are required for RAID 0 or RAID 1. Three or more disks are required for RAID 5. Changing the RAID level will take effect when Apply is selected. Changing the RAID level will erase any stored log information on the array, and reboot the FortiGate unit. The unit will remain offline while it reconfigures the RAID array. When it reboots, the array will need to synchronize before being fully operational. For more information on RAID levels, see “RAID levels” on page 220.

Status: The status, or health, of the RAID array. This status can be one of:
OK — standard status, everything is normal
OK (Background-Synchronizing) (%) — synchronizing the disks after changing RAID level; the Synchronizing progress bar shows percent complete
Degraded — One or more of the disks in the array has failed, been removed, or is not working properly. A warning is displayed about the lack of redundancy in this state. Also, a degraded array is slower than a healthy array. Select Rebuild RAID to fix the array.
Degraded (Background-Rebuilding) (%) — The same as degraded, but the RAID array is being rebuilt in the background. The array continues to be in a fragile state until the rebuilding is completed.
Size: The size of the RAID array in gigabytes (GB). The size of the array depends on the RAID level selected, and the number of disks in the array.
Rebuild RAID: Select to rebuild the array after a new disk has been added to the array, or after a disk has been swapped in for a failed disk. If you try to rebuild a RAID array with too few disks you will get a rebuild error. After inserting a functioning disk, the rebuild will start. This button is only available when the RAID array is in a degraded state and has enough disks to be rebuilt. You cannot restart a rebuild once a rebuild is already in progress. Note: If a disk has failed, the number of working disks may not be enough for the RAID level to function. In this case, replace the failed disk with a working disk to rebuild the RAID array.
Disk#: The disk’s position in the array. This corresponds to the physical slot of the disk. If a disk is removed from the FortiGate unit, the disk is marked as not a member of the array and its position is retained until a new disk is inserted in that drive bay.
Status: The status of this disk. Options include OK and unavailable. A disk is unavailable if it is removed or has failed.
Member: Displays whether the selected disk is part of the RAID array. A green icon with a check mark indicates the disk is part of the array. A grey icon with an X indicates the disk is not part of the RAID array. A disk may be displayed as healthy on the dashboard display even when it is not a member of the RAID array. A disk may be available but not used in the RAID array. For example, with three disks in a RAID 1 array, only two are used.
Capacity: The storage capacity that this drive contributes to the RAID array. The full storage capacity of the disk is used for the RAID array automatically. The total storage capacity of the RAID array depends on the capacity and number of the disks, and the RAID level of the array.

RAID levels
When changing the RAID level, the available levels depend on the number of working disks that are actually present in the unit. For example, RAID 5 is not available on units with fewer than three disks. When a disk fails, becomes corrupt, or is removed you must rebuild the RAID array. For more information, see “Rebuilding the RAID array” on page 221. If the FortiGate unit only has one disk installed, the RAID monitor widget will not be displayed as it is not possible to configure a RAID array with only one disk. Available RAID levels include:
• RAID 0
• RAID 1
• RAID 5

RAID 0
A RAID 0 array is also referred to as striping. The FortiGate unit writes information evenly across all hard disks. The total space available is that of all the disks in the RAID array. For example, if your FortiGate unit has three disks each with a one TeraByte (TB) capacity, your RAID 0 array will have a three TB capacity. There is no redundancy available. If any single drive fails, the data on that drive cannot be recovered. This RAID level is beneficial because it provides better performance, since the FortiGate unit can distribute disk writing across multiple disks.

RAID 1
A RAID 1 array is also referred to as mirroring. The FortiGate unit writes information to one hard disk, and writes a copy (a mirror image) of all information to all other hard disks. The total disk space available is that of only one hard disk, as the others are solely used for mirroring. This provides redundant data storage with no single point of failure. Should any of the hard disks fail, there are several backup hard disks available. For example, with four hard disks, if one disk fails, the unit can still access three other hard disks and continue functioning. Since RAID 1 pairs disks for mirroring, if you have an odd number of disks then one disk will not be used. If you have three disks, only two will be used in the RAID 1 array.

RAID 5
A RAID 5 array employs striping with a parity check. Similar to RAID 0, the FortiGate unit writes information evenly across all drives but additional parity blocks are written on the same stripes. The parity block is staggered for each stripe. The total disk space is the total number of disks in the array, minus one disk for parity storage. For example, if you have four disks of one TB capacity, the total capacity available is actually the total for three hard disks. With RAID 5, one disk can fail without the loss of data. If a drive fails, it can be replaced and the FortiGate unit will restore the data on the new disk by using reference information from the parity volume. RAID 5 performance is typically better with reading than with writing, although performance is degraded when one disk has failed or is missing.

Rebuilding the RAID array
A RAID array has multiple disks with writing to the disks being spread out so that if one disk in the array fails, the array can still provide all the stored information. Some forms of RAID do not provide redundancy, however most do. The Alert Message Console widget, located in System > Dashboard > Status, displays any messages about events or activities that need urgent attention, such as a failed hard disk, or the RAID array becoming degraded. This widget provides detailed messages that contain the date and time of the event or activity, as well as an explanation about what happened.
This section includes:
• Why rebuild the RAID array?
• How to rebuild the RAID array

Why rebuild the RAID array?
When the RAID array has redundancy and one disk in the array fails, the information that was stored on that disk can be retrieved using the other disks in the array. In a degraded state the array can still function, but there are some changes. The two main changes are that there is no longer redundancy and accessing the array takes longer than before. There is no redundancy because with one disk removed from the array, removing another disk from the array would remove information that has no backup or parity data. This second disk’s removal would result in data loss and the array will fail. The array takes longer to access data because instead of the data being retrieved in the format and order it is expected, the array has to jump around to find it and at times recreate the missing data from the parity information. This all takes longer than just the usual straight read operation and will continue until the RAID array has been rebuilt. This delicate state of the RAID array is displayed in the warning message on the dashboard RAID monitor when the status is degraded. As soon as the RAID array becomes degraded you should back up the array if possible to prevent data loss.
The reasons you rebuild a RAID array include:
• a disk has failed
• the array has become corrupted
• a disk has been removed

How to rebuild the RAID array
When the RAID array is in its normal OK state, there is no option to rebuild the array because there is no need for it. When a disk fails, becomes corrupted, or is removed, the array becomes degraded. You only need to rebuild the array when it is in a degraded state and in danger of losing data. Before you rebuild the RAID array, you should have a replacement disk for the one that failed if that is the cause of the degraded array. You cannot rebuild an array that is missing a disk. A replacement disk should be the same storage capacity as the disk it is replacing. Also, before rebuilding the array, you should back up the data if possible.
To rebuild the RAID array
1 Go to System > Dashboard > Status, and then in the RAID Monitor widget, select [Configure].
2 Verify the status of the RAID array is degraded, and the Rebuild button is not greyed out.
3 Remove the failed disk from the FortiGate unit.
• Press the green button to unlock the disk.
• Gently push the lever to the left as far as it will go to disconnect the disk.
• Remove the disk from the FortiGate unit by pulling on the lever.
4 Insert the new disk into the FortiGate unit that is replacing the failed disk.
• Ensure you have the correct disk.
• Insert the disk carefully into the FortiGate unit. Ensure that both sides of the disk are in line with the other disks.
• Push the front panel of the disk to make the connection—the lever will start to move to the right.
• When in place push the bar fully to the right, until the green button clicks.
5 Refresh your display to ensure the new disk is installed properly. If it is not recognized, repeat steps 3 and 4 with the new disk to ensure it is properly installed.
6 On the configure screen, select Rebuild RAID. Rebuilding the RAID array will normally take several hours. You can follow its progress on the RAID Monitor display on the dashboard.
7 When the rebuild is complete, the status of the RAID array will change to OK.
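The capacity and redundancy rules in “RAID levels”, and the OK / Degraded / rebuild sequence in “Rebuilding the RAID array”, can be checked against each other with a small model. The following is an added example, not code from the guide or from Fortinet: a Python model that computes usable capacity per RAID level from the rules stated above, reports how many failures each level tolerates, and walks an array through a disk failure, replacement and rebuild while enforcing the conditions under which the Rebuild RAID button is available. The status strings mirror those in the Disk Configuration page; a 1 TB disk is modelled as 1000 GB, which is an assumption for the worked figures.

```python
# Added example (not Fortinet code): a model of the RAID rules stated in this
# section. Capacities are in GB; 1 TB is taken as 1000 GB for the figures.

MIN_DISKS = {0: 2, 1: 2, 5: 3}     # two or more for RAID 0/1, three or more for RAID 5


def usable_capacity_gb(level, disk_count, disk_gb):
    """Usable array capacity for disk_count identical disks of disk_gb each."""
    if disk_count < MIN_DISKS[level]:
        raise ValueError(f"RAID {level} needs at least {MIN_DISKS[level]} disks")
    if level == 0:                       # striping: every disk adds capacity
        return disk_count * disk_gb
    if level == 1:                       # mirroring: one disk's worth, the rest are copies
        return disk_gb
    return (disk_count - 1) * disk_gb    # RAID 5: one disk's worth holds parity


def failures_tolerated(level, disk_count):
    """Disks that may fail before stored data is lost."""
    if level == 0:
        return 0                          # any single drive failure loses data
    if level == 1:
        return disk_count - 1             # every other disk holds a full copy
    return 1                              # RAID 5 survives one failed disk


class RaidArray:
    """Tracks an array through failure, replacement and rebuild."""

    def __init__(self, level, disk_count, disk_gb):
        self.level = level
        self.capacity_gb = usable_capacity_gb(level, disk_count, disk_gb)
        self.slots = ["ok"] * disk_count  # ok | missing | unsynced (slot positions retained)
        self.rebuilding = False

    def _bad(self):
        return sum(1 for s in self.slots if s != "ok")

    def status(self):
        if self._bad() == 0:
            return "OK"
        if self._bad() > failures_tolerated(self.level, len(self.slots)):
            return "Failed"               # beyond what the level can survive: data lost
        return "Degraded (Background-Rebuilding)" if self.rebuilding else "Degraded"

    def fail(self, slot):
        self.slots[slot] = "missing"      # failed or removed; bay keeps its position

    def replace(self, slot):
        self.slots[slot] = "unsynced"     # replacement inserted, not yet rebuilt

    def can_rebuild(self):
        # Rebuild RAID is offered only in a degraded state, and an array that
        # is still missing a disk cannot be rebuilt.
        return self.status() == "Degraded" and "missing" not in self.slots

    def rebuild(self):
        if self.rebuilding:
            raise RuntimeError("a rebuild is already in progress")
        if not self.can_rebuild():
            raise RuntimeError("rebuild error: array is not degraded or a disk is missing")
        self.rebuilding = True

    def finish_rebuild(self):
        self.slots = ["ok"] * len(self.slots)
        self.rebuilding = False


if __name__ == "__main__":
    arr = RaidArray(5, 4, 1000)           # four 1 TB disks, RAID 5
    print(arr.capacity_gb, arr.status())
    arr.fail(1); print(arr.status(), arr.can_rebuild())
    arr.replace(1); print(arr.status(), arr.can_rebuild())
    arr.rebuild(); print(arr.status())
    arr.finish_rebuild(); print(arr.status())
```

Stepping through the model shows why the guide insists on backing up as soon as the array is degraded: for RAID 5 the first failure leaves no further tolerance, so a second failure during the rebuild moves the array straight to the failed state.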

Router Static
This section explains some general routing concepts, and how to define static routes and route policies. A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network. A static route causes packets to be forwarded to a destination other than the factory configured default gateway. The factory configured static default route provides you with a starting point to configure the default gateway. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit. For more information, see “Default route and default gateway” on page 230. You define static routes manually. Static routes control traffic exiting the FortiGate unit— you can specify through which interface the packet will leave and to which device the packet should be routed. As an option, you can define route policies. Route policies specify additional criteria for examining the properties of incoming packets. Using route policies, you can configure the FortiGate unit to route packets based on the IP source and destination addresses in packet headers and other criteria such as on which interface the packet was received and which protocol (service) and port are being used to transport the packet. If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured separately for each virtual domain. For more information, see “Using virtual domains” on page 79. The following topics are included in this section:
• Routing concepts
• Static Route
• ECMP route failover and load balancing
• Policy Route

Routing concepts
The FortiGate unit functions as a security device on a network and packets must pass through it. You need to understand a number of basic routing concepts in order to configure the FortiGate unit appropriately. Whether you administer a small or large network, this section will help you understand how the FortiGate unit performs routing functions.

This topic contains the following:
• How the routing table is built
• How routing decisions are made
• Multipath routing and determining the best route
• Route priority
• Blackhole Route

FortiGate Version 4.0 MR2 Administration Guide 01-420-89802-20100507 http://docs.fortinet.com/ • Feedback

225

How the routing table is built
The routing table stores routes to different addresses so the FortiGate unit does not have to discover the route every time it contacts that address. In the factory default configuration, the FortiGate routing table contains a single static route—the default route. You can add routing information to the routing table by defining additional static routes. The table may include several different routes to the same destination—the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary. The FortiGate unit selects the “best” route for a packet by evaluating the information in the routing table. The best route to a destination is typically associated with the shortest distance between the FortiGate unit and the closest next-hop router. In some cases, the next best route may be selected if the best route is unavailable. The FortiGate unit installs the best available routes in the unit’s forwarding table, which is a subset of the unit’s routing table. Packets are forwarded according to the information in the forwarding table.

How routing decisions are made
Whenever a packet arrives at one of the FortiGate unit’s interfaces, the unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet as it is likely a hacking attempt. If the destination address can be matched to a local address (and the local configuration permits delivery), the FortiGate unit delivers the packet to the local network. If the packet is destined for another network, the FortiGate unit forwards the packet to a next-hop router according to a policy route and the information stored in the FortiGate forwarding table. For more information, see “Policy Route” on page 239.

Multipath routing and determining the best route
Multipath routing occurs when more than one entry to the same destination is present in the routing table. When multipath routing happens, the FortiGate unit may have several possible destinations for an incoming packet, forcing the FortiGate unit to decide which next-hop is the best one. Two methods to manually resolve multiple routes to the same destination are to lower the administrative distance of one route or to set the priority of both routes. For the FortiGate unit to select a primary (preferred) route, manually lower the administrative distance associated with the preferred routes.

Administrative Distance
Administrative distance is based on the expected reliability of a given route. It is determined through a combination of the number of hops from the source and the routing protocol being used. More hops from the source means more possible points of failure. The administrative distance can be from 1 to 255, with lower numbers being preferred. A distance of 255 is seen as infinite and will not be installed in the routing table.

Here is an example to illustrate how administrative distance works: if there are two possible routes traffic can take between two destinations, with administrative distances of 5 (always up) and 31 (sometimes not available), the traffic will use the route with an administrative distance of 5 whenever possible.

Different routing protocols have different default administrative distances. The default administrative distances for any of these routing protocols are configurable. For more information on changing the administrative distance associated with a routing protocol, see the config router commands in the FortiGate CLI Reference.

226

Table 46: Default administrative distances for routing protocols

Routing protocol             Default administrative distance
Direct physical connection   1
Static                       10
EBGP                         20
OSPF                         110
RIP                          120
IBGP                         200

Another method to manually resolve multiple routes to the same destination is to manually change the priority of both of the routes. If the next-hop administrative distances of two routes on the FortiGate unit are equal, it may not be clear which route the packet will take. Configuring the priority for each of those routes will make it clear which next-hop will be used in the case of a tie. You can set the priority for a route only from the CLI. Lower priorities are preferred. For more information, see the FortiGate CLI Reference. All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate forwarding table contains only those routes having the lowest distances to each destination. For information about how to change the administrative distance associated with a static route, see “Adding a static route to the routing table” on page 232.

Route priority
After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. You configure the priority field through the CLI. The route with the lowest value in the priority field is considered the best route, and the primary route. The command to set the priority field is set priority <integer> under the config router static command. For more information, see the FortiGate CLI Reference.

In summary, because you can use the CLI to specify which priority field settings to use when defining static routes, you can prioritize routes to the same destination according to their priority field settings. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low priority for the route.

If two routes have the same administrative distance and the same priority, then they are equal cost multipath (ECMP) routes. Since this means there is more than one route to the same destination, it can be confusing which route or routes to install and use. However, you can configure ECMP Route Failover and Load Balancing to control how sessions are load balanced among ECMP routes. See “ECMP route failover and load balancing” on page 233.
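The selection rules described in the sections above (only the lowest-distance routes per destination are installed in the forwarding table, distance 255 is never installed, and among installed routes the lowest priority wins with remaining ties forming an ECMP set) can be checked against a small simulation. The following Python example is added here for illustration; it is not FortiGate code and the route entries in SAMPLE_ROUTES are constructed values, not routes from the guide:

```python
"""Added example (not from the FortiGate guide): simulate how a routing
table is reduced to a forwarding table and how a next hop is chosen.
Rules modelled: longest prefix match, then lowest administrative distance,
then lowest priority; routes that still tie are ECMP candidates; a distance
of 255 is treated as infinite and never installed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str        # destination prefix, e.g. "0.0.0.0/0"
    gateway: str    # next-hop router address
    device: str     # outgoing interface name
    distance: int   # administrative distance, 1-255
    priority: int = 0


# Constructed sample routing table (assumption: not taken from the guide).
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "192.168.10.1", "external", 10),
    Route("0.0.0.0/0", "172.20.120.2", "port2", 20),      # backup default, higher distance
    Route("192.168.30.0/24", "192.168.11.1", "dmz", 10, priority=0),
    Route("192.168.30.0/24", "192.168.11.2", "dmz", 10, priority=5),  # loses on priority
    Route("10.0.0.0/8", "172.20.130.3", "port3", 9),
    Route("10.0.0.0/8", "172.20.140.4", "port4", 9),      # ECMP pair with the route above
    Route("10.1.0.0/16", "172.20.150.5", "port5", 255),   # infinite distance, never installed
]


def build_forwarding_table(routes):
    """Keep, per destination prefix, only the routes with the lowest
    administrative distance; drop anything with distance 255."""
    best = {}
    for r in routes:
        if r.distance >= 255:
            continue
        net = ipaddress.ip_network(r.dst, strict=False)
        current = best.get(net)
        if current is None or r.distance < current[0].distance:
            best[net] = [r]
        elif r.distance == current[0].distance:
            current.append(r)
    return best


def installed_prefixes(fwd):
    """Sorted list of prefixes that made it into the forwarding table."""
    return sorted(str(net) for net in fwd)


def lookup(fwd, dst_ip):
    """Return the candidate routes for dst_ip: longest matching prefix,
    then only the routes with the lowest priority (one route, or an ECMP set)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [net for net in fwd if ip in net]
    if not matches:
        return []
    net = max(matches, key=lambda n: n.prefixlen)
    lowest = min(r.priority for r in fwd[net])
    return [r for r in fwd[net] if r.priority == lowest]


if __name__ == "__main__":
    table = build_forwarding_table(SAMPLE_ROUTES)
    print("installed:", installed_prefixes(table))
    for ip in ("8.8.8.8", "192.168.30.7", "10.1.2.3"):
        print(ip, "->", [(r.device, r.gateway) for r in lookup(table, ip)])
```

Running it shows the backup default route and the distance-255 route are absent from the forwarding table, the 192.168.30.0/24 lookup returns only the priority-0 route, and the 10.0.0.0/8 lookup returns both port3 and port4 as an ECMP set.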

Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like a /dev/null interface in Linux programming. Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator will not discover any information from the target network.


227

Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in use, traffic to those addresses (traffic which may be valid or malicious) can be directed to a blackhole for added security and to reduce traffic on the subnet.

The loopback interface, a virtual interface that does not forward traffic, enables easier configuration of blackhole routing. Compared to a normal interface, this loopback interface has fewer parameters to configure, and all traffic sent to it stops there. Since it cannot have hardware connection or link status problems, it is always available, making it useful for other dynamic routing roles. Once configured, you can use a loopback interface in firewall policies, routing, and other places that refer to interfaces. Loopback interfaces can be configured from both the web-based manager and the CLI. For more information, see “Adding loopback interfaces” on page 91 or the system chapter of the FortiGate CLI Reference.

Static Route
You configure static routes by defining the destination IP address and netmask of packets that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address for those packets. The gateway address specifies the next-hop router to which traffic will be routed.

Working with static routes
The Static Route list displays information that the FortiGate unit compares to packet headers in order to route packets. Initially, the list contains the factory configured static default route. For more information, see “Default route and default gateway” on page 230. You can add new entries manually. When you add a static route to the Static Route list, the FortiGate unit performs a check to determine whether a matching route and destination already exist in the FortiGate routing table. If no match is found, the FortiGate unit adds the route to the routing table. When IPv6 is enabled in the web-based manager, IPv6 routes are visible on the Static Route list and you can select IPv6 when creating a new static route. Otherwise, IPv6 routes are not displayed. For more information on IPv6, see “Settings” on page 178 or “FortiGate IPv6 support” on page 180. To view the static route list, go to Router > Static > Static Route.
Static Route page
Lists all the static routes that you created, including the default static route. On this page, you can edit, delete or create a new static route.

Create New   Add a static route to the Static Route list. For more information, see “Adding a static route to the routing table” on page 232. Select the down arrow for the option to create an IPv6 static Route.
Edit   Select to modify settings within a static route.
Delete   Select to remove a static route from the list.
ECMP Route Failover & Load Balance Method   Select the load balancing and failover method for ECMP routes. See “ECMP route failover and load balancing” on page 233.
   Source based   The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. This is the default load balancing method. No configuration changes are required to support source IP load balancing.
   Weighted   The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. After selecting weight-based you must add weights to static routes. For more information, see “Configuring weighted static route load balancing” on page 238.
   Spill-over   The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces associated with the routes are. After selecting spill-over you add route Spillover Thresholds to interfaces added to ECMP routes. For more information, see “Configuring interface status detection for gateway load balancing” on page 97. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. For more information, including the order in which interfaces are selected, see “Configuring spill-over or usage-based ECMP” on page 235.
Apply   Select to save the ECMP Route Failover and load balance method.
Route   Select the Expand Arrow to display or hide the IPv4 static routes. By default these routes are displayed. This is displayed only when IPv6 is enabled in the web-based manager.
IPv6 Route   Select the Expand Arrow to display or hide the IPv6 static routes. By default these routes are hidden. This is displayed only when IPv6 is enabled in the web-based manager.
IP/Mask   The destination IP addresses and network masks of packets that the FortiGate unit intercepts.
Gateway   The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device   The names of the FortiGate interfaces through which intercepted packets are received and sent.
Distance   The administrative distances associated with each route. The values represent distances to next-hop routers.
Weight   If ECMP Route Failover & Load Balance Method is set to weighted, add weights for each route. Add higher weights to routes that you want to assign more sessions to when load balancing. For more information, see “Configuring weighted static route load balancing” on page 238.

New Static Route page
Provides settings for defining the destination IP address and netmask of packets that you intend the FortiGate unit to intercept, and for specifying a (gateway) IP address for those packets.

Destination IP/Mask   Enter the destination IP address and netmask of the packets that you intend the FortiGate unit to intercept.
Device   Select the interface through which intercepted packets are received and sent.
Gateway   Enter the gateway IP address for those packets that you intend the FortiGate unit to intercept.
Distance   Enter the number that represents the distance to the next-hop router.
Priority   Enter the number for the priority of the static route.

Note: Unless otherwise specified, static route examples and procedures are for IPv4 static routes. You can use the config router static6 CLI command to add, edit, or delete static routes for IPv6 traffic. For more information, see the router chapter of the FortiGate CLI Reference.


229

Default route and default gateway
In the factory default configuration, entry number 1 in the Static Route list is associated with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route is called the “static default route”. If no other routes are present in the routing table and a packet needs to be forwarded beyond the FortiGate unit, the factory configured static default route causes the FortiGate unit to forward the packet to the default gateway. To prevent this, you must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit. For example, Figure 21 shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the factory default configuration and make the router the default gateway for the FortiGate unit.
Figure 21: Making a router the default gateway
[Figure: the Internet is reached through a Gateway Router at 192.168.10.1, which connects to the external interface of FortiGate_1; the internal interface of FortiGate_1 connects to the internal network 192.168.20.0/24]

To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings:
• Destination IP/mask: 0.0.0.0/0.0.0.0
• Gateway: 192.168.10.1
• Device: Name of the interface connected to network 192.168.10.0/24 (in this example “external”).
• Distance: 10

The Gateway setting specifies the IP address of the next-hop router interface to the FortiGate external interface. The interface connected to the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network. For example, in Figure 22, the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and Network_2 respectively. Also firewall policies must be configured to allow traffic to pass through the FortiGate unit along these routes. For more information, see “Policy” on page 262.
Figure 22: Destinations on networks behind internal routers
[Figure: FortiGate_1 connects to the Internet; its internal interface connects to Gateway Router_1 (192.168.10.1), behind which is Network_1 192.168.20.0/24; its dmz interface connects to Gateway Router_2 (192.168.11.1), behind which is Network_2 192.168.30.0/24]

To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask   192.168.30.0/24
Gateway   192.168.11.1
Device   dmz
Distance   10

To route packets from Network_2 to Network_1, Router_2 must be configured to use the FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask   192.168.20.0/24
Gateway   192.168.10.1
Device   internal
Distance   10

Changing the gateway for the default route
The default gateway determines where packets matching the default route will be forwarded. If you are using DHCP or PPPoE over a modem interface on your FortiGate unit, you may have problems configuring a static route on this interface. After trying to either renew your DHCP lease or reconnect the PPPoE connection, go to the CLI and enable dynamicgateway under config system interface for the modem interface. This removes the need to specify a gateway for this interface’s route. For more information, see the FortiGate CLI Reference.
Note: For network traffic to pass, even with the correct routes configured, you must have the appropriate firewall policies. For more information, see “Policy” on page 261.

To change the gateway for the default route
1 Go to Router > Static > Static Route.
2 Select the Edit icon in row 1.
3 If the FortiGate unit reaches the next-hop router through an interface other than the interface that is currently selected in the Device field, select the name of the interface from the Device field.
4 In the Gateway field, type the IP address of the next-hop router to which outbound traffic may be directed.
5 In the Distance field, optionally adjust the administrative distance value. The default route distance should be set high enough to allow other routes to be configured at lower distances so they will be preferred over the default route.
6 Select OK.

Adding a static route to the routing table
A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the default gateway. You define static routes manually. Static routes control traffic exiting the FortiGate unit—you can specify through which interface the packet will leave and to which device the packet should be routed.

To add a static route entry
1 Go to Router > Static > Static Route.
2 Select Create New.
3 Enter the IP address and netmask. For example, 172.1.2.0/255.255.255.0 would be a route for all addresses on the subnet 172.1.2.x.
4 Enter the FortiGate unit interface closest to this subnet, or connected to it.
5 Enter the gateway IP address. Continuing with the example, 172.1.2.11 would be a valid address.

232


6 Enter the administrative distance of this route. The administrative distance allows you to weight one route to be preferred over another. This is useful when one route is unreliable. For example, if route A has an administrative distance of 10 and route B has an administrative distance of 30, the preferred route is route A with the smaller administrative distance of 10. If you discover that route A is unreliable, you can change the administrative distance for route A from 10 to 40, which will make route B the preferred route.
7 Select OK to confirm and save your new static route.

When you add a static route through the web-based manager, the FortiGate unit adds the entry to the Static Route list.
Destination IP/Mask   Type the destination IP address and network mask of packets that the FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Gateway   Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.
Device   Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.
Distance   Type an administrative distance from 1 to 255 for the route. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route.
Weight   Add weights for each route. Add higher weights to routes that you want to load balance more sessions to. See “Configuring weighted static route load balancing” on page 238. Available if ECMP Route Failover & Load Balance Method is set to weighted.

ECMP route failover and load balancing
FortiOS uses equal-cost multi-path (ECMP) to distribute traffic to the same destination such as the Internet or another network. By using ECMP, you can add multiple routes to the same destination and give each of those routes the same distance and priority.

However, if multiple routes to the same destination have the same priority but different distances, the route with the lowest distance is used. If multiple routes to the same destination have the same distance but different priorities, the route with the lowest priority is used. Distance takes precedence over priority: if multiple routes to the same destination have different distances and different priorities, the route with the lowest distance is always used even if it has the highest priority.

If more than one ECMP route is available, you can configure how the FortiGate unit selects the route to be used for a communication session. If only one ECMP route is available (for example, because an interface cannot process traffic because interface status detection does not receive a reply from the configured server) then all traffic uses this route.

Previous versions of FortiOS provided source IP-based load balancing for ECMP routes. FortiOS 4.0 MR1 includes three configuration options for ECMP route failover and load balancing:


233

Source based (also called source IP based)   The FortiGate unit load balances sessions among ECMP routes based on the source IP address of the sessions to be load balanced. This is the default load balancing method. No configuration changes are required to support source IP load balancing.
Weighted (also called weight-based)   The FortiGate unit load balances sessions among ECMP routes based on weights added to ECMP routes. More traffic is directed to routes with higher weights. After selecting weight-based you must add weights to static routes. See “Configuring weighted static route load balancing” on page 238.
Spill-over (also called usage-based)   The FortiGate unit distributes sessions among ECMP routes based on how busy the FortiGate interfaces added to the routes are. After selecting spill-over, you add route Spillover Thresholds to interfaces added to ECMP routes. The Spillover Thresholds range is 0-2097000 KBps. The FortiGate unit sends all ECMP-routed sessions to the lowest numbered interface until the bandwidth being processed by this interface reaches its spillover threshold. The FortiGate unit then spills additional sessions over to the next lowest numbered interface. For more information, including the order in which interfaces are selected, see “Configuring spill-over or usage-based ECMP” on page 235.

You can configure only one of these ECMP route failover and load balancing methods in a single VDOM. If your FortiGate unit is configured for multiple VDOM operation, each VDOM can have its own ECMP route failover and load balancing configuration.

To configure the ECMP route failover and load balancing method from the web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to source based, weighted, or spill-over.
3 Select Apply.

To configure the ECMP route failover and load balancing method from the CLI
Enter the following command:
config system settings
  set v4-ecmp-mode {source-ip-based | usage-based | weight-based}
end

ECMP routing of simultaneous sessions to the same destination IP address
When the FortiGate unit selects an ECMP route for a session, a route cache is created that matches the route with the destination IP address of the session. All new sessions to the same destination IP address use the same route until the route is flushed from the cache. Routes are flushed from the cache after a period of time when no new sessions to the destination IP address are received. The route cache improves FortiGate routing performance by reducing how often the FortiGate unit looks up routes in the routing table.

If the FortiGate unit receives a large number of sessions with the same destination IP address, it may appear that sessions are not distributed according to the ECMP route failover and load balancing configuration, because all of these sessions will be processed by the same route.

Configuring spill-over or usage-based ECMP
The spill-over or usage-based ECMP method routes new sessions to interfaces that have not reached a configured bandwidth limit (called the Spillover Threshold or a route-spillover threshold). With spill-over ECMP routing configured, the FortiGate unit routes new sessions to an interface used by an ECMP route until that interface reaches its Spillover Threshold. Then, when the threshold of that interface is reached, new sessions are routed to one of the other interfaces used by the ECMP routes.

To configure spill-over or usage-based ECMP routing, you enable the spill-over ECMP method, add ECMP routes, and add a Spillover Threshold to the interfaces used by the ECMP routes. Set the Spillover Thresholds to limit the amount of bandwidth processed by each interface.

Use the following procedure to enable usage based ECMP routing, add Spillover Thresholds to FortiGate interfaces port3 and port4, and then configure ECMP routes with device set to port3 and port4.

To add Spillover Thresholds to interfaces from the web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to usage-based.
3 Go to Router > Static > Static Route.
4 Add ECMP routes for port3 and port4.
   Destination IP/Mask   192.168.20.0/24
   Device   port3
   Gateway   172.20.130.3
   Distance   9

   Destination IP/Mask   192.168.20.0/24
   Device   port4
   Gateway   172.20.140.4
   Distance   9
5 Go to System > Network > Interface.
6 Edit port3 and port4 and add the following spillover-thresholds:
   Interface   Spillover Threshold (KBps)
   port3       100
   port4       200
7 Go to Router > Monitor to view the routing table. The routes could be displayed in the order shown in Table 47.

Table 47: Example ECMP routes as listed on the routing monitor
Type     Network           Distance   Metric   Gateway        Interface
Static   192.168.20.0/24   9          0        172.20.130.3   port3
Static   192.168.20.0/24   9          0        172.20.140.4   port4

In this example, the FortiGate unit sends all sessions to the 192.168.20.0 network through port3. When port3 exceeds its spillover threshold of 100 KBps the FortiGate unit sends all new sessions to the 192.168.20.0 network through port4.

To add route-spillover thresholds to interfaces from the CLI
1 Enter the following command to set the ECMP route failover and load balance method to usage-based.
config system settings
  set v4-ecmp-mode usage-based
end
2 Enter the following commands to add three route-spillover thresholds to three interfaces.
config system interface
  edit port1
    set spillover-threshold 400
  next
  edit port2
    set spillover-threshold 200
  next
  edit port3
    set spillover-threshold 100
  end
3 Enter the following commands to add three ECMP default routes, one for each interface.
config router static
  edit 1
    set dst 0.0.0.0/0.0.0.0
    set gwy 172.20.110.1
    set dev port1
  next
  edit 2
    set dst 0.0.0.0/0.0.0.0
    set gwy 172.20.120.2
    set dev port2
  next
  edit 3
    set dst 0.0.0.0/0.0.0.0
    set gwy 172.20.130.3
    set dev port3
  end
4 Enter the following command to display static routes in the routing table:
get router info routing-table static
S    0.0.0.0/0 [10/0] via 172.20.110.1, port1
               [10/0] via 172.20.120.2, port2
               [10/0] via 172.20.130.3, port3

In this example, the FortiGate unit sends all sessions to the Internet through port1. When port1 exceeds its spillover threshold of 400 KBps the FortiGate unit sends all new sessions to the Internet through port2. If both port1 and port2 exceed their spillover thresholds the FortiGate unit would send all new sessions to the Internet through port3.

236


Detailed description of how spill-over ECMP selects routes
When you add ECMP routes they are added to the routing table in the order displayed by the routing monitor or by the get router info routing-table static command. This order is independent of the configured bandwidth limit. The FortiGate unit selects an ECMP route for a new session by finding the first route in the routing table and then sending the session out on a FortiGate interface that is not processing more traffic than its configured route spill-over limit.

For example, consider a FortiGate unit with interfaces port3 and port4 both connected to the Internet through different ISPs. ECMP routing is set to usage-based and the route spillover thresholds are set to 100 KBps for port3 and 200 KBps for port4. Two ECMP default routes are added, one for port3 and one for port4. If the route to port3 is higher in the routing table than the route to port4, the FortiGate unit sends all default route sessions out port3 until port3 is processing 100 KBps of data. When port3 reaches its configured bandwidth limit, the FortiGate unit sends all default route sessions out port4. When the bandwidth usage of port3 falls below 100 KBps, the FortiGate unit again sends all default route sessions out port3.

New sessions to destination IP addresses that are already in the routing cache, however, use the cached routes. This means that even if port3 is exceeding its bandwidth limit, new sessions can continue to be sent out port3 if their destination addresses are already in the routing cache. As a result, new sessions are sent out port4 only if port3 exceeds its bandwidth limit and the routing cache does not contain a route for the destination IP address of the new session.

The limit on port4 is important only if there are additional interfaces for spillover. Also, the switchover to port4 does not occur as soon as port3 exceeds its bandwidth limit. Bandwidth usage has to exceed the limit for a period of time before the switchover takes place.
If port3 bandwidth usage drops below the bandwidth limit during this time period, sessions are not switched over to port4. This delay reduces route flapping. Route flapping occurs when routes change their status frequently, forcing routers to continually change their routing tables and broadcast the new information. FortiGate usage-based ECMP routing is not actually load balancing, since routes are not distributed evenly among FortiGate interfaces. Depending on traffic volumes, most traffic would usually be processed by the first interface with only spillover traffic being processed by other interfaces. If you are configuring usage-based ECMP, in most cases, you should add spillover thresholds to all of the interfaces with ECMP routes. The default spillover threshold is 0 which means no bandwidth limiting. If any interface has a spillover threshold of 0, no sessions will be routed to interfaces lower in the list unless the interface goes down or is disconnected. An interface can go down if Detect interface status for Gateway Load Balancing does not receive a response from the configured server.
Note: A new session to a destination IP address that already has an entry in the routing cache is routed using the route already added to the cache for that destination address. For more information, see “ECMP routing of simultaneous sessions to the same destination IP address” on page 234.

Determining if an interface has exceeded its Spillover Threshold
You can use the diagnose netlink dstmac list CLI command to determine if an interface is exceeding its Spillover Threshold. If the command displays over_bps=1, the interface is exceeding its threshold. If it displays over_bps=0, the interface has not exceeded its threshold.

FortiGate Version 4.0 MR2 Administration Guide 01-420-89802-20100507 http://docs.fortinet.com/ • Feedback


Configuring weighted static route load balancing
Configure weighted load balancing to control how the FortiGate unit distributes sessions among ECMP routes by adding a weight to each route. Add higher weights to routes that you want to load balance more sessions to. If no weight has been assigned to a route, its weight is set to zero by default.

With the ECMP load balancing method set to weighted, the FortiGate unit distributes sessions with different destination IPs by generating a random value to determine the route to select. The probability of selecting one route over another is based on the weight value of each route; routes with higher weights are more likely to be selected. Large numbers of sessions are therefore distributed among ECMP routes in proportion to the route weight values. If all weights are the same, sessions are distributed evenly. The distribution of a small number of sessions, however, may not be even. For example, if there are two ECMP routes with the same weight, it is possible that two sessions to different IP addresses use the same route. On the other hand, 10,000 sessions with different destination IPs should be load balanced evenly between two routes with equal weights: the distribution could be 5000:5000 or 5001:4999. Likewise, 10,000 sessions with different destination IP addresses should be distributed approximately 3333:6667 if the weights for the two routes are 100 and 200.

Weights only affect how routes are selected for sessions to new destination IP addresses. New sessions to IP addresses already in the routing cache are routed using the route already in the cache for that destination. So in practice sessions will not always be distributed according to the routing weight distribution.

To add weights to static routes from the web-based manager
1 Go to Router > Static > Static Route and set ECMP Route failover & Load Balance Method to weighted.
2 Add new or edit static routes and add weights to them.

The following example shows two ECMP routes with weights added.

Destination IP/Mask   Device   Gateway         Distance   Weight
192.168.20.0/24       port1    172.20.110.1    10         100
192.168.20.0/24       port2    172.20.120.2    10         200

In this example:
• one third of the sessions to the 192.168.20.0 network will use the first route and be sent out port1 to the gateway with IP address 172.20.110.1.
• the other two thirds of the sessions to the 192.168.20.0 network will use the second route and be sent out port2 to the gateway with IP address 172.20.120.2.


To add weights to static routes from the CLI
1 Enter the following command to set the ECMP route failover and load balance method to weighted.
    config system settings
        set v4-ecmp-mode weight-based
    end
2 Enter the following commands to add three ECMP static routes and add weights to each route.
    config router static
        edit 1
            set dst 192.168.20.0/24
            set gwy 172.20.110.1
            set dev port1
            set weight 100
        next
        edit 2
            set dst 192.168.20.0/24
            set gwy 172.20.120.2
            set dev port2
            set weight 200
        next
        edit 3
            set dst 192.168.20.0/24
            set gwy 172.20.130.3
            set dev port3
            set weight 300
        end
Note: In this example the priority remains set to 0 and the distance remains set to 10 for all three routes. Any other routes with a distance set to 10 will not have their weight set, so will have a weight of 0 and will not be part of the load balancing.

In this example:
• one sixth of the sessions to the 192.168.20.0 network will use the first route and be sent out port1 to the gateway with IP address 172.20.110.1.
• one third of the sessions to the 192.168.20.0 network will use the second route and be sent out port2 to the gateway with IP address 172.20.120.2.
• one half of the sessions to the 192.168.20.0 network will use the third route and be sent out port3 to the gateway with IP address 172.20.130.3.
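To make the two ECMP selection modes on this page concrete, here is an added Python model (example code, not FortiOS code). It reproduces the usage-based walk with spill-over thresholds, the weighted random draw of the CLI example just above, and the routing-cache rule that both modes share. The interface names, bandwidth figures and destination addresses are constructed for the illustration, and the hold time that delays a real spill-over is not modelled.

```python
import random
from dataclasses import dataclass


@dataclass
class EcmpRoute:
    device: str              # outgoing interface, for example "port3"
    gateway: str
    weight: int = 0          # weight-based mode only; 0 = never selected
    spillover_kbps: int = 0  # usage-based mode only; 0 = no limit


class EcmpSelector:
    """Chooses an ECMP route for each new session (constructed model).

    routes are kept in routing-table order (the order the routing monitor
    shows).  usage holds the current load of each interface in KBps and is
    updated by the caller.  cache is the routing cache: a destination that
    already has a cached route keeps using it whatever the load or the
    weights say, exactly as the text above describes.
    """

    def __init__(self, routes, mode, seed=1):
        if mode not in ("usage-based", "weight-based"):
            raise ValueError(mode)
        self.routes = list(routes)
        self.mode = mode
        self.cache = {}                       # destination IP -> EcmpRoute
        self.usage = {r.device: 0 for r in routes}
        self.rng = random.Random(seed)        # seeded so the demo is repeatable

    def select(self, dst_ip):
        if dst_ip in self.cache:
            return self.cache[dst_ip]
        route = self._usage_based() if self.mode == "usage-based" else self._weight_based()
        self.cache[dst_ip] = route
        return route

    def _usage_based(self):
        # Walk the table top-down and take the first interface under its
        # spill-over threshold.  A threshold of 0 means "no limit", so the walk
        # stops there and nothing ever spills to the routes below it.  The real
        # unit also waits for the load to stay over the limit for a while before
        # spilling (flap damping); that hold time is not modelled here.
        for r in self.routes:
            if r.spillover_kbps == 0 or self.usage[r.device] < r.spillover_kbps:
                return r
        return self.routes[0]                 # every interface is over its limit

    def _weight_based(self):
        # Random draw: each route wins with probability weight / total.
        total = sum(r.weight for r in self.routes)
        if total == 0:
            return self.routes[0]
        pick = self.rng.randrange(total)
        for r in self.routes:
            pick -= r.weight
            if pick < 0:
                return r
        return self.routes[-1]


def weighted_shares(n_sessions=10_000):
    """Share of sessions per interface for the 100/200/300 weights above."""
    routes = [EcmpRoute("port1", "172.20.110.1", weight=100),
              EcmpRoute("port2", "172.20.120.2", weight=200),
              EcmpRoute("port3", "172.20.130.3", weight=300)]
    sel = EcmpSelector(routes, "weight-based")
    counts = {r.device: 0 for r in routes}
    for i in range(n_sessions):
        dst = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # distinct destinations
        counts[sel.select(dst).device] += 1
    return {dev: n / n_sessions for dev, n in counts.items()}


def spillover_trace():
    """Usage-based selection, port3 limited to 100 KBps and port4 to 200 KBps."""
    routes = [EcmpRoute("port3", "198.51.100.1", spillover_kbps=100),
              EcmpRoute("port4", "203.0.113.1", spillover_kbps=200)]
    sel = EcmpSelector(routes, "usage-based")
    out = []
    out.append(sel.select("192.0.2.10").device)   # port3 idle: port3
    sel.usage["port3"] = 150                      # port3 now over its limit
    out.append(sel.select("192.0.2.10").device)   # cached destination: still port3
    out.append(sel.select("192.0.2.11").device)   # new destination: spills to port4
    sel.usage["port3"] = 50                       # load back under the limit
    out.append(sel.select("192.0.2.12").device)   # new destination: port3 again
    out.append(sel.select("192.0.2.11").device)   # cached destination: stays on port4
    return out


def zero_threshold_never_spills():
    """With port3's threshold left at the default 0, port4 is never used."""
    routes = [EcmpRoute("port3", "198.51.100.1", spillover_kbps=0),
              EcmpRoute("port4", "203.0.113.1", spillover_kbps=200)]
    sel = EcmpSelector(routes, "usage-based")
    sel.usage["port3"] = 10_000
    return sel.select("192.0.2.20").device
```

weighted_shares() comes out close to 1/6, 1/3 and 1/2 for the three weights; spillover_trace() shows a cached destination staying on port3 even while port3 is over its threshold; and zero_threshold_never_spills() is the reason the text tells you to set a threshold on every ECMP interface.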

Policy Route
A routing policy allows you to redirect traffic away from a static route. This can be useful if you want to route certain types of network traffic differently. You can use incoming traffic’s protocol, source address or interface, destination address, or port number to determine where to send the traffic. For example, generally network traffic would go to the router of a subnet, but you might want to direct SMTP or POP3 traffic addressed to that subnet directly to the mail server.


If you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found, and the policy contains enough information to route the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table.

Most policy settings are optional, so a matching policy alone might not provide enough information for forwarding the packet. The FortiGate unit may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit looks up the IP address of the next-hop router in the routing table. This situation could happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want or are unable to specify the IP address of the next-hop router.

Policy route options define which attributes of an incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the FortiGate unit routes the packet through the specified interface to the specified gateway.

To add a policy route, go to Router > Static > Policy Route and select Create New. For more information on Type of Service, see “Type of Service” on page 241. The policy route list shown in the guide’s figure belongs to a FortiGate unit that has interfaces named “external” and “internal”; the names of the interfaces on your FortiGate unit may be different.

Policy Route page
Lists all policy routes that you have created. On this page, you can edit, delete or create a new policy route.
Create New: Add a policy route. See “Example policy route” on page 241.
#: The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.
Incoming: The interfaces on which packets subjected to route policies are received.
Outgoing: The interfaces through which policy routed packets are routed.
Source: The IP source addresses and network masks that cause policy routing to occur.
Destination: The IP destination addresses and network masks that cause policy routing to occur.
Delete: Delete a policy route.
Edit: Edit a policy route.

New Routing Policy page
Provides settings for configuring how to redirect traffic away from the static route.
If incoming traffic matches:
Protocol: To perform policy routing based on the value in the protocol field of the packet, enter the protocol number to match. The Internet Protocol Number is found in the IP packet header. RFC 5237 describes how protocol numbers are assigned; the assigned values are listed in the IANA protocol numbers registry. The range is from 0 to 255. A value of 0 disables the feature.
Tip: Commonly used Protocol settings include 6 to route TCP sessions, 17 for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for multicast sessions. For protocols other than 6 and 17, the port number is ignored.
Incoming interface: Select the name of the interface through which incoming packets subjected to the policy are received.


Source address/mask: To perform policy routing based on the IP source address of the packet, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination address/mask: To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination ports: To perform policy routing based on the destination port of the packet, type the same port number in the From and To fields. To apply policy routing to a range of ports, type the starting port number in the From field and the ending port number in the To field. A value of 0 disables this feature. The Destination Ports fields are only used for the TCP and UDP protocols. The ports are skipped over for all other protocols.
Type of Service: Use a two digit hexadecimal bit pattern to match the service, or use a two digit hexadecimal bit mask to mask out. For more information, see “Type of Service” on page 241.
Force traffic to:
Outgoing interface: Select the name of the interface through which packets affected by the policy will be routed.
Gateway Address: Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. A value of 0.0.0.0 is not valid.

Example policy route
Configure the following policy route to send all FTP traffic received at port1 out the port10 interface and to a next hop router at IP address 172.20.120.23. To route FTP traffic set protocol to 6 (for TCP) and set both of the destination ports to 21, the FTP port.
Protocol                      6
Incoming interface            port1
Source address / mask         0.0.0.0/0.0.0.0
Destination address / mask    0.0.0.0/0.0.0.0
Destination Ports             From 21 to 21
Type of Service               bit pattern: 00 (hex), bit mask: 00 (hex)
Outgoing interface            port10
Gateway Address               172.20.120.23

Type of Service
Type of service (TOS) is an 8-bit field in the IP header that enables you to indicate how the IP datagram should be delivered, with such qualities as delay, priority, reliability, and minimum cost. Each quality helps gateways determine the best way to route datagrams. A router maintains a ToS value for each route in its routing table. Considering only the three TOS bits (bits 3, 4 and 5), the lowest priority TOS is 0 and the highest is 7, when all three bits are set to 1. The router tries to match the TOS of the datagram to the TOS on one of the possible routes to the destination. If there is no match, the datagram is sent over a zero TOS route. Requesting higher quality may increase the cost of delivery, because better performance may consume limited network resources. For more information, see RFC 791 and RFC 1349.


Table 48: The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2 (Precedence): Some networks treat high precedence traffic as more important traffic. Precedence should only be used within a network, and can be used differently in each network. Typically you do not care about these bits.
bit 3 (Delay): When set to 1, this bit indicates low delay is a priority. This is useful for such services as VoIP where delays degrade the quality of the sound.
bit 4 (Throughput): When set to 1, this bit indicates high throughput is a priority. This is useful for services that require lots of bandwidth such as video conferencing.
bit 5 (Reliability): When set to 1, this bit indicates high reliability is a priority. This is useful when a service must always be available such as with DNS servers.
bit 6 (Cost): When set to 1, this bit indicates low cost is a priority. Generally there is a higher delivery cost associated with enabling bits 3, 4, or 5, and bit 6 indicates to use the lowest cost route.
bit 7 (Reserved for future use): Not used at this time.

For example, if you want to match low delay and high reliability, say for a VoIP application where delays are unacceptable, you would use a bit pattern of xxx1x1xx, where an ‘x’ indicates that the bit can be any value. Bit 3 is 0x10 and bit 5 is 0x04, so this is a good use for the bit mask: set the bit pattern to 14 (hex) and the bit mask to 14 (hex). Only the bits selected by the mask are compared, so the policy matches every packet that has low delay and high reliability set, regardless of the precedence, throughput and cost bits.
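The policy route pages and the Type of Service section above can be read together as one lookup function. The following is an added Python example (not FortiOS code) that walks a policy route list top-down, applies the wildcard rules for each field, compares only the masked ToS bits, and falls back to a longest-prefix routing-table lookup, including the case where a policy supplies only an outgoing interface. The FTP policy is the one from the example policy route; the second policy (using the 0x14/0x14 ToS pattern and mask from the ToS example), the routing table and the packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP = 6, 17
ANY_NET = "0.0.0.0/0.0.0.0"


@dataclass
class PolicyRoute:
    input_device: str = ""      # "" matches any incoming interface
    protocol: int = 0           # 0 = any protocol
    src: str = ANY_NET
    dst: str = ANY_NET
    start_port: int = 0         # 0 = any destination port
    end_port: int = 0
    tos: int = 0x00             # Type of Service bit pattern
    tos_mask: int = 0x00        # Type of Service bit mask; 0 = ignore ToS
    output_device: str = ""
    gateway: str = "0.0.0.0"    # 0.0.0.0 = not set


@dataclass
class Packet:
    input_device: str
    protocol: int
    src: str
    dst: str
    tos: int = 0
    dport: int = 0


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def matches(policy, pkt):
    """Every configured (non-zero) field must match; unset fields are wildcards."""
    if policy.input_device and policy.input_device != pkt.input_device:
        return False
    if policy.protocol and policy.protocol != pkt.protocol:
        return False
    if not (in_net(pkt.src, policy.src) and in_net(pkt.dst, policy.dst)):
        return False
    # Destination ports are only meaningful for TCP and UDP; skipped otherwise.
    if policy.start_port and pkt.protocol in (TCP, UDP):
        if not policy.start_port <= pkt.dport <= policy.end_port:
            return False
    # ToS: only the bits set in the mask are compared, the rest are "x".
    return (pkt.tos & policy.tos_mask) == (policy.tos & policy.tos_mask)


def table_lookup(routing_table, dst):
    """Longest-prefix match over (prefix, device, gateway) tuples."""
    best = None
    for prefix, device, gateway in routing_table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, device, gateway)
    return (best[1], best[2]) if best else (None, None)


def route(policies, routing_table, pkt):
    """Top-down, first matching policy wins; otherwise the routing table decides."""
    for p in policies:
        if not matches(p, pkt):
            continue
        if p.output_device and p.gateway != "0.0.0.0":
            return p.output_device, p.gateway        # policy is complete on its own
        # Interface-only policy (DHCP/PPPoE uplink): next hop comes from the table.
        device, gateway = table_lookup(routing_table, pkt.dst)
        return (p.output_device or device), gateway
    return table_lookup(routing_table, pkt.dst)


# Constructed sample configuration (hypothetical addresses and interfaces).
POLICIES = [
    PolicyRoute(input_device="port1", protocol=TCP, start_port=21, end_port=21,
                output_device="port10", gateway="172.20.120.23"),      # FTP example
    PolicyRoute(protocol=UDP, tos=0x14, tos_mask=0x14,
                output_device="port11", gateway="172.20.130.1"),       # low delay + high reliability
]
ROUTING_TABLE = [("0.0.0.0/0", "port2", "172.20.120.1"),
                 ("192.168.20.0/24", "port1", "172.20.110.1")]


def demo():
    """Route a handful of constructed packets and return where each one goes."""
    return {
        "ftp_from_port1": route(POLICIES, ROUTING_TABLE,
                                Packet("port1", TCP, "10.1.1.5", "203.0.113.8", dport=21)),
        "ftp_from_port2": route(POLICIES, ROUTING_TABLE,
                                Packet("port2", TCP, "10.1.1.5", "203.0.113.8", dport=21)),
        "voip_tos_1c": route(POLICIES, ROUTING_TABLE,
                             Packet("port1", UDP, "10.1.1.5", "203.0.113.8", tos=0x1C, dport=5060)),
        "voip_tos_10": route(POLICIES, ROUTING_TABLE,
                             Packet("port1", UDP, "10.1.1.5", "203.0.113.8", tos=0x10, dport=5060)),
        "icmp_internal": route(POLICIES, ROUTING_TABLE,
                               Packet("port2", 1, "10.1.1.5", "192.168.20.7")),
    }
```

The two VoIP packets show the mask at work: ToS 0x1C (delay, throughput and reliability all set) matches the 0x14/0x14 policy, while 0x10 (delay only) does not and falls through to the default route.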


Router Dynamic
This section introduces you to the dynamic routing in the Routing menu. For more information about dynamic routing, see the Dynamic Routing chapter in the FortiOS Handbook. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by them. The FortiGate unit supports these dynamic routing protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP).

If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is configured separately for each virtual domain. For more information, see “Using virtual domains” on page 79. The following topics are included in this section:
• RIP
• OSPF
• BGP
• Multicast
• Bi-directional Forwarding Detection (BFD)
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.

RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small, relatively homogeneous networks. The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453). RIP is configured in Routing > Dynamic > RIP.
RIP page
Lists all the networks and interfaces that you have created. This page also allows you to configure basic RIP settings, including creating interfaces and networks.
RIP Version: Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks: 1 – send and receive RIP version 1 packets; 2 – send and receive RIP version 2 packets. You can override the global settings for a specific FortiGate interface if required. For more information, see “RIP-enabled interface” on page 245.


Advanced Options: Select the Expand Arrow to view or hide advanced RIP options. For more information, see “Advanced RIP options” on page 244.

Networks section of the RIP page
The IP addresses and network masks of the major networks (connected to the FortiGate unit) that run RIP. When you add a network to the Networks list, the FortiGate interfaces that are part of the network are advertised in RIP updates. You can enable RIP on all FortiGate interfaces whose IP addresses match the RIP network address space.
IP/Netmask: Enter the IP address and netmask that defines the RIP-enabled network.
Add: Select to add the network information to the Networks list.
Delete: Select to remove a network from the RIP network list.

Interfaces section of the RIP page
Any additional settings needed to adjust RIP operation on a FortiGate interface.
Create New: Add new RIP operating parameters for an interface. These parameters will override the global RIP settings for that interface. For more information, see “RIP-enabled interface” on page 245.
Interface: The name of the unit RIP interface.
Send Version: The version of RIP used to send updates through each interface: 1, 2, or both.
Receive Version: The versions of RIP used to listen for updates on each interface: 1, 2, or both.
Authentication: The type of authentication used on this interface: None, Text or MD5.
Passive: Permissions for RIP broadcasts on this interface. A green checkmark means the RIP broadcasts are blocked.
Edit: Select to modify the settings of a RIP Interface.
Delete: Select to remove a RIP interface from the RIP Interface list.

Advanced RIP options
With advanced RIP options, you can specify settings for RIP timers and define metrics for redistributing routes that the FortiGate unit learns through some means other than RIP updates. For example, if the unit is connected to an OSPF or BGP network or you add a static route to the FortiGate routing table manually, you can configure the unit to advertise those routes on RIP-enabled interfaces. You can configure additional advanced options through customizable GUI widgets, and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on CLI routing commands, see the router chapter of the FortiGate CLI Reference. Advanced RIP options are configured in Router > Dynamic > RIP, in the Advanced Options area of the page. You must expand Advanced Options to reveal the hidden settings so that you can configure them.
Advanced Options section of the RIP page
Advanced Options: Select the Expand Arrow to view or hide advanced options.
Default Metric: Enter the default hop count that the FortiGate unit should assign to routes that are added to the FortiGate routing table. The range is from 1 to 16. This metric is the hop count, with 1 being best or shortest. This value also applies to Redistribute unless otherwise specified.
Default-information-originate: Select to generate and advertise a default route into the FortiGate unit’s RIP-enabled networks. The generated route may be based on routes learned through a dynamic routing protocol, routes in the routing table, or both.


RIP Timers: Enter new values to override the default RIP timer settings. The default settings are effective in most configurations; if you change these settings, ensure that the new settings are compatible with local routers and access servers.
Update: Enter the amount of time (in seconds) that the FortiGate unit will wait between sending RIP updates. The Update timer must be smaller than the Timeout and Garbage timers; otherwise you will get an error.
Timeout: Enter the maximum amount of time (in seconds) that a route is considered reachable while no updates are received for the route. This is the maximum time the FortiGate unit will keep a reachable route in the routing table while no updates for that route are received. If the FortiGate unit receives an update for the route before the timeout period expires, the timer is restarted. The Timeout period should be at least three times longer than the Update period.
Garbage: Enter the amount of time (in seconds) that the FortiGate unit will advertise a route as being unreachable before deleting the route from the routing table. The value determines how long an unreachable route is kept in the routing table.
Redistribute: The FortiGate unit can use RIP to redistribute routes learned from directly connected networks, static routes, OSPF, and BGP. Select one or more of the options to redistribute RIP updates about routes that were not learned through RIP.
Connected: Select to redistribute routes learned from directly connected networks. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.
Static: Select to redistribute routes learned from static routes. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.
OSPF: Select to redistribute routes learned through OSPF. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.
BGP: Select to redistribute routes learned through BGP. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The valid hop count range is from 1 to 16.

RIP-enabled interface
You can use RIP interface options to override the global RIP settings that apply to all FortiGate unit interfaces connected to RIP-enabled networks. For example, if you want to suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled network, you can set the interface to operate passively. Passive interfaces listen for RIP updates but do not respond to RIP requests. If RIP version 2 is enabled on the interface, you can optionally choose password authentication to ensure that the FortiGate unit authenticates a neighboring router before accepting updates from that router. The unit and the neighboring router must both be configured with the same password. Authentication guarantees the authenticity of the update packet, not the confidentiality of the routing information in the packet. RIP-enabled interfaces are configured in Router > Dynamic > RIP.
Note: Additional options such as split-horizon and key-chains can be configured per interface through the CLI. For more information, see the router chapter of the FortiGate CLI Reference.

New/Edit RIP Interface page
Provides settings for configuring a RIP Interface. When you select Create New in the Interfaces section of the RIP page, you are automatically redirected to the New/Edit RIP Interface page.
Interface: Select the name of the FortiGate interface to which these settings apply. The interface must be connected to a RIP-enabled network. The interface can be a virtual IPSec or GRE interface.
Send Version, Receive Version: Select to override the default RIP-compatibility setting for sending and receiving updates through the interface: RIP version 1, version 2 or Both.
Authentication: Select an authentication method for RIP exchanges on the specified interface. None — Disable authentication. Text — Select if the interface is connected to a network that runs RIP version 2. Type a password (up to 35 characters) in the Password field. The password is sent in clear text over the network. MD5 — Authenticate the exchange using MD5.
Password: Enter the password for authentication. The FortiGate unit and the router it exchanges RIP updates with must both be configured with the same password.
Passive Interface: Select to suppress the advertising of FortiGate unit routing information over the specified interface. Clear the check box to allow the interface to respond normally to RIP requests.

OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in large heterogeneous networks to share routing information among routers in the same Autonomous System (AS). The main benefit of OSPF is that it advertises routes only when neighbors change state instead of at timed intervals, so routing overhead is reduced. FortiGate units support OSPF version 2 (see RFC 2328).
This topic contains the following:
• Defining an OSPF AS—Overview
• Basic OSPF settings
• Advanced OSPF options
• Defining OSPF areas
• OSPF networks
• Operating parameters for an OSPF interface

Defining an OSPF AS—Overview
Defining an OSPF Autonomous System (AS) involves:
• defining the characteristics of one or more OSPF areas
• creating associations between the OSPF areas that you defined and the local networks to include in the OSPF AS
• if required, adjusting the settings of OSPF-enabled interfaces.
If you are using the web-based manager to perform these tasks, follow the procedures summarized below.

Basic OSPF settings
When you configure OSPF settings, you have to define the AS in which OSPF is enabled and specify which of the FortiGate interfaces participate in the AS. As part of the AS definition, you specify the AS areas and specify which networks to include in those areas. You may optionally adjust the settings associated with OSPF operation on the FortiGate interfaces. OSPF settings are configured in Router > Dynamic > OSPF.

OSPF page
Lists all areas, networks and interfaces that you created for OSPF.
Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers. By convention, the router ID is the numerically highest IP address assigned to any of the FortiGate interfaces in the OSPF AS. If Router ID is not explicitly set, the highest IP address of the VDOM or unit will be used. If you change the router ID while OSPF is configured on an interface, all connections to OSPF neighbors will be broken temporarily. The connections will re-establish themselves.
Advanced Options: Select the Expand Arrow to view or hide advanced OSPF settings. For more information, see “Advanced OSPF options” on page 248.

Areas section of the OSPF page
Information about the areas making up an OSPF AS. The header of an OSPF packet contains an area ID, which helps to identify the origination of a packet inside the AS.
Create New: Define and add a new OSPF area to the Areas list. For more information, see “Defining OSPF areas” on page 249.
Edit: Select to modify settings of an area.
Delete: Select to remove an area from the Areas list.
Area: The unique 32-bit identifiers of areas in the AS, in dotted-decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted.
Type: The types of areas in the AS: Regular, a normal OSPF area; NSSA, a not so stubby area; Stub, a stub area. For more information, see “Defining OSPF areas” on page 249.
Authentication: The methods for authenticating OSPF packets sent and received through all FortiGate interfaces linked to each area: None — authentication is disabled; Text — text-based authentication is enabled; MD5 — MD5 authentication is enabled. A different authentication setting may apply to some of the interfaces in an area. For example, if an area employs simple passwords for authentication, you can configure a different password for one or more of the networks in that area.

Networks section of the OSPF page
The networks in the OSPF AS and their area IDs. When you add a network to the Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF link-state advertisements. You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space.
Create New: Add a network to the AS, specify its area ID, and add the definition to the Networks list. For more information, see “OSPF networks” on page 250.
Edit: Select to modify settings of a network.
Delete: Select to remove a network from the Networks list.

Network: The IP addresses and network masks of networks in the AS on which OSPF runs. The FortiGate unit may have physical or VLAN interfaces connected to the network.
Area: The area IDs that have been assigned to the OSPF network address space.

Interfaces section of the OSPF page
Any additional settings needed to adjust OSPF operation on a FortiGate interface.
Create New: Create additional/different OSPF operating parameters for a unit interface and add the configuration to the Interfaces list. For more information, see “Operating parameters for an OSPF interface” on page 250.
Edit: Select to modify settings of an interface definition.
Delete: Select to remove an interface definition from the Interfaces list.
Name: The names of OSPF interface definitions.
Interface: The names of FortiGate physical or VLAN interfaces having OSPF settings that differ from the default values assigned to all other interfaces in the same area.
IP: The IP addresses of the OSPF-enabled interfaces having additional/different settings.
Authentication: The methods for authenticating LSA exchanges sent and received on specific OSPF-enabled interfaces. These settings override the area Authentication settings.

Advanced OSPF options
By selecting advanced OSPF options, you can specify metrics for redistributing routes that the FortiGate unit learns through some means other than OSPF link-state advertisements. For example, if the FortiGate unit is connected to a RIP or BGP network or you add a static route to the FortiGate routing table manually, you can configure the unit to advertise those routes on OSPF-enabled interfaces. You can configure additional advanced options through customizable GUI widgets, and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on CLI routing commands, see the “router” chapter of the FortiGate CLI Reference. Advanced OSPF options are located in Router > Dynamic > OSPF. You must expand the Advanced Options on the page to access these options.

Advanced Options on the OSPF page
Expand Arrow: Select to view or hide Advanced Options.
Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
Default Information: Generate and advertise a default (external) route to the OSPF AS. You may base the generated route on routes learned through a dynamic routing protocol, routes in the routing table, or both.
None: Prevent the generation of a default route.
Regular: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing table.
Always: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems unconditionally, even if the route is not stored in the FortiGate routing table.
Redistribute: The FortiGate unit can use OSPF to redistribute routes learned from directly connected networks, RIP, static routes, and BGP. Select one or more of the options listed to redistribute OSPF link-state advertisements about routes that were not learned through OSPF.

  Connected
    Select to redistribute routes learned from directly connected networks. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
  Static
    Select to redistribute routes learned from static routes. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
  RIP
    Select to redistribute routes learned through RIP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
  BGP
    Select to redistribute routes learned through BGP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

Defining OSPF areas

An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID expressed in dotted-decimal notation. Area ID 0.0.0.0 is reserved for the OSPF network backbone. You can classify the remaining areas of an AS as regular, stub, or NSSA.

A regular area contains more than one router, each having at least one OSPF-enabled interface to the area.

Routes leading to non-OSPF domains are not advertised to the routers in stub areas. To reach the OSPF backbone, the routers in a stub area must send packets to an area border router. The area border router advertises to the OSPF AS a single default route (destination 0.0.0.0) into the stub area, which ensures that any OSPF packet that cannot be matched to a specific route will match the default route. Any router connected to a stub area is considered part of the stub area.

In a Not-So-Stubby Area (NSSA), routes that lead out of the area into a non-OSPF domain are made known to the OSPF AS. However, the area itself continues to be treated like a stub area by the rest of the AS.

Regular areas and stub areas (including not-so-stubby areas) are connected to the OSPF backbone through area border routers.

Note: If required, you can define a virtual link to an area that has lost its physical connection to the OSPF backbone. Virtual links can be set up only between two FortiGate units that act as area border routers. For more information on virtual links, see the FortiGate CLI Reference.

Defining an OSPF area is configured in Router > Dynamic > OSPF. When you select Create New in the Areas section of the OSPF page, you are automatically redirected to the New/Edit OSPF Area page.

New/Edit OSPF Area page
  Provides settings for defining an OSPF area.

Area
  Type a 32-bit identifier for the area. The value must resemble an IP address in dotted-decimal notation, for example 192.168.0.1. Once you have created the OSPF area, the area IP value cannot be changed. If required, you must delete the area and restart.

Type
  Select an area type to classify the characteristics of the network that will be assigned to the area:
  Regular — If the area contains more than one router, each having at least one OSPF-enabled interface to the area.
  STUB — If the routers in the area must send packets to an area border router in order to reach the backbone and you do not want routes to non-OSPF domains to be advertised to the routers in the area.
  NSSA — If you want routes to external non-OSPF domains made known to the OSPF AS and you want the area to be treated like a stub area by the rest of the AS.

Authentication
  Select the method for authenticating OSPF packets sent and received through all interfaces in the area:
  None — Disable authentication.
  Text — Enables text-based password authentication. The password is sent in clear text over the network.
  MD5 — Enable MD5-based authentication using an MD5 cryptographic hash (RFC 1321).
  If required, you can override this setting for one or more of the interfaces in the area. For more information, see “Operating parameters for an OSPF interface” on page 250.

OSPF networks

OSPF areas group a number of contiguous networks together. When you assign an area ID to a network address space, the attributes of the area are associated with the network. The attributes of the area must match the characteristics and topology of the specified network.

You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF-enabled network space. To enable all interfaces, you would create an OSPF network 0.0.0.0/0. For example, define an area of 0.0.0.0 and the OSPF network as 10.0.0.0/16. Then define vlan1 as 10.0.1.1/24, vlan2 as 10.0.2.1/24 and vlan3 as 10.0.3.1/24. All three VLANs can run OSPF in area 0.0.0.0.

Assigning an OSPF area ID to a network is configured in Router > Dynamic > OSPF. When you select Create New in the Network section of the OSPF page, you are automatically redirected to the New/Edit OSPF Network page.

New/Edit OSPF Network page
  Provides settings for configuring networks that are assigned to an area ID.

IP/Netmask
  Enter the IP address and network mask of the local network that you want to assign to an OSPF area.

Area
  Select an area ID for the network. You must define the area before you can select the area ID. You must be in the Network section of the page to assign an OSPF area ID to a network. For more information, see “Defining OSPF areas” on page 249.

Operating parameters for an OSPF interface

An OSPF interface definition contains specific operating parameters for a FortiGate OSPF-enabled interface. The definition includes the name of the interface (for example, external or VLAN_1), the IP address assigned to the interface, the method for authenticating LSA exchanges through the interface, and timer settings for sending and receiving OSPF Hello and dead-interval packets.

When entering the operating parameters for MD5 keys for the interface, the following special characters are not supported:
• <>
• #

• ()
• ‘
• “

The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network.

You can configure different OSPF parameters for the same FortiGate interface when more than one IP address has been assigned to the interface. For example, the same FortiGate interface could be connected to two neighbors through different subnets. You could configure an OSPF interface definition containing one set of Hello and dead-interval parameters for compatibility with one neighbor’s settings, and a second OSPF interface definition for the same interface to ensure compatibility with the second neighbor’s settings.

OSPF operating parameters are configured in Router > Dynamic > OSPF. When you select Create New in the Interface section of the OSPF page, you are automatically redirected to the New/Edit OSPF Interface page.

New/Edit OSPF Interface page
  Provides settings for configuring an OSPF interface.

Name
  Enter a name to identify the OSPF interface definition. By convention, the name could indicate to which OSPF area the interface will be linked.

Interface
  Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1). The interface becomes OSPF-enabled because its IP address matches the OSPF network address space.

IP
  Enter the IP address that has been assigned to the OSPF-enabled interface. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140.

Authentication
  Select an authentication method for LSA exchanges on the specified interface:
  None — Disable authentication.
  Text — Authenticate LSA exchanges using a plain-text password. The password can be up to 35 characters, and is sent in clear text over the network.
  MD5 — Use one or more keys to generate an MD5 cryptographic hash. The password is a 128-bit hash, represented by an alphanumeric string of up to 16 characters.

Password
  Enter the plain-text password. Enter an alphanumeric value of up to 15 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical password. This field is available only if you selected plain-text authentication.

MD5 Keys
  Enter the key identifier for the (first) password in the ID field (the range is from 1 to 255) and then type the associated password in the Key field. If the OSPF neighbor uses more than one password to generate an MD5 hash, select the Add icon to add additional MD5 keys to the list. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical MD5 key. When entering the characters, do not use < >, #, ( ), “, and ‘ because they are not supported. This field is available only if you selected MD5 authentication.

Hello Interval
  This setting defines the period of time (in seconds) that the FortiGate unit waits between sending Hello packets through this interface. Optionally, set the Hello Interval to be compatible with Hello Interval settings on all OSPF neighbors.

Dead Interval
  This setting defines the period of time (in seconds) that the FortiGate unit waits to receive a Hello packet from an OSPF neighbor through the interface. If the FortiGate unit does not receive a Hello packet within the specified amount of time, the FortiGate unit declares the neighbor inaccessible. By convention, the Dead Interval value is usually four times greater than the Hello Interval value. Optionally, set the Dead Interval to be compatible with Dead Interval settings on all OSPF neighbors.
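The rule that an interface becomes OSPF-enabled when its IP address falls inside an OSPF network assigned to an area, worked through in Python as an added example (not code from the guide or from FortiOS). It uses the guide's 10.0.0.0/16 network with vlan1 to vlan3 as constructed input; the longest-prefix tie-break between overlapping OSPF networks and the function names are assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

BACKBONE_AREA = "0.0.0.0"   # area ID reserved for the OSPF backbone

# Constructed sample configuration mirroring the guide's example: area 0.0.0.0,
# OSPF network 10.0.0.0/16, and three VLAN interfaces inside that address space.
OSPF_NETWORKS = {           # OSPF network -> area ID (New/Edit OSPF Network page)
    "10.0.0.0/16": "0.0.0.0",
}
INTERFACES = {              # FortiGate interface -> IP/netmask assigned to it
    "vlan1": "10.0.1.1/24",
    "vlan2": "10.0.2.1/24",
    "vlan3": "10.0.3.1/24",
    "port1": "172.20.120.140/24",   # outside the OSPF network space
}


def valid_area_id(area):
    """An area ID must be a 32-bit value written in dotted-decimal notation."""
    try:
        return ip_address(area).version == 4
    except ValueError:
        return False


def ospf_area_for(ip_with_mask, networks):
    """Return the area ID of the OSPF network containing the interface address,
    or None if the interface is not OSPF-enabled.  Longest prefix wins, so a
    catch-all 0.0.0.0/0 network (enable all interfaces) only applies where no
    more specific OSPF network matches (assumed tie-break, not from the guide)."""
    addr = ip_interface(ip_with_mask).ip
    best = None
    for net, area in networks.items():
        if not valid_area_id(area):
            raise ValueError(f"area ID {area!r} is not in dotted-decimal notation")
        n = ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, area)
    return best[1] if best else None


def ospf_enabled_interfaces(interfaces, networks):
    """Map each OSPF-enabled interface name to the area it will run in."""
    result = {}
    for name, ip_with_mask in interfaces.items():
        area = ospf_area_for(ip_with_mask, networks)
        if area is not None:
            result[name] = area
    return result


if __name__ == "__main__":
    for name, area in sorted(ospf_enabled_interfaces(INTERFACES, OSPF_NETWORKS).items()):
        tag = " (backbone)" if area == BACKBONE_AREA else ""
        print(f"{name}: OSPF area {area}{tag}")
```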

BGP

Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to exchange routing information between different ISP networks. BGP enables the sharing of network paths between the ISP network and an autonomous system (AS) that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385. You can also configure four-byte AS paths. If you want additional information about configuring four-byte AS paths, see RFC 4893.

When you configure BGP settings, you need to specify the AS to which the FortiGate unit belongs and enter a router ID to identify this unit to other BGP routers. You must also identify the FortiGate unit’s BGP neighbors and specify which of the networks local to the FortiGate unit should be advertised to BGP neighbors.

The web-based manager offers a simplified user interface to configure basic BGP options. You can also configure many advanced BGP options through the CLI. For more information on advanced BGP settings, see the router chapter of the FortiGate CLI Reference.

Note: You can configure graceful restarting and other advanced settings only through CLI commands. For more information, see the router chapter of the FortiGate CLI Reference.

BGP settings are configured in Router > Dynamic > BGP.

BGP page
  Lists all neighbors and networks that you have created. This page also allows you to configure neighbors, networks and a local AS.

Local AS
  Enter the number of the local AS to which the FortiGate unit belongs.

Router ID
  Enter a unique router ID to identify the FortiGate unit to other BGP routers. The router ID is an IP address written in dotted-decimal format, for example 192.168.0.1. If Router ID is not explicitly set, the highest IP address of the VDOM will be used. If you change the router ID while BGP is configured on an interface, all connections to BGP peers will be broken temporarily. The connections will reestablish themselves.

Neighbors section of the BGP page
  The IP addresses and AS numbers of BGP peers in neighboring autonomous systems.
  IP
    Enter the IP address of the neighbor interface to the BGP-enabled network.
  Remote AS
    Enter the number of the AS that the neighbor belongs to.
  Add/Edit
    Add the neighbor information to the Neighbors list, or edit an entry in the list.
  IP
    The IP addresses of BGP peers.
  Remote AS
    The numbers of the autonomous systems associated with the BGP peers.
  Delete
    Delete a BGP neighbor entry.

Networks section of the BGP page
  The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks.
  IP/Netmask
    Enter the IP address and netmask of the network to be advertised.
  Add
    Add the network information to the Networks list.

  Network
    The IP addresses and network masks of major networks that are advertised to BGP peers.
  Delete
    Delete a BGP network definition.

Note: The get router info bgp CLI command provides detailed information about configured BGP settings.

Multicast

A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected.

Note: You can configure basic options through the web-based manager. Many additional options are available, but only through the CLI. For complete descriptions and examples of how to use CLI commands to configure PIM settings, see the “router” chapter of the FortiGate CLI Reference.

When multicast (PIM) routing is enabled, you can configure sparse mode or dense mode operation on any FortiGate interface. A firewall policy must be created on PIM-enabled interfaces to pass encapsulated packets and decapsulated data between the source and destination. The web-based manager offers a simplified user interface to configure basic PIM options. You can also configure advanced PIM options through the CLI. For a complete list of the command options, see multicast in the router chapter of the FortiGate CLI Reference.

PIM settings are configured in Router > Dynamic > Multicast.

Multicast page
  Lists each individual multicast route that you created. This page also allows you to configure each multicast route and add RP addresses.

Enable Multicast Routing
  Select to enable PIM version 2 routing.

Static Rendezvous Points (RPs)
  If required for sparse mode operation, enter the IP address of a Rendezvous Point (RP) that may be used as the root of a packet distribution tree for a multicast group. Join messages from the multicast group are sent to the RP, and data from the source is sent to the RP. If an RP for the specified IP’s multicast group is already known to the Boot Strap Router (BSR), the RP known to the BSR is used and the static RP address that you specify is ignored.

Apply
  Save the specified static RP addresses.

Create New
  Create a new multicast entry for an interface. You can use the new entry to fine-tune PIM operation on a specific FortiGate interface or override the global PIM settings on a particular interface. For more information, see “Overriding the multicast settings on an interface” on page 254.

Interface
  The names of FortiGate interfaces having specific PIM settings.

Mode
  The mode of PIM operation (Sparse or Dense) on that interface.

Status
  The status of sparse-mode RP candidacy on the interface. To change the status of RP candidacy on an interface, select the Edit icon in the row that corresponds to the interface.

Priority
  The priority number assigned to RP candidacy on that interface. Available only when RP candidacy is enabled.

DR Priority
  The priority number assigned to Designated Router (DR) candidacy on the interface.

Delete
  Select to remove the PIM setting on the interface.

Edit
  Select to modify PIM settings on the interface.

This topic contains the following:
• Overriding the multicast settings on an interface
• Multicast destination NAT

Overriding the multicast settings on an interface

You use multicast (PIM) interface options to set operating parameters for FortiGate interfaces connected to PIM domains. For example, you can enable dense mode on an interface that is connected to a PIM-enabled network segment. When sparse mode is enabled, you can adjust the priority number that is used to advertise Rendezvous Point (RP) and/or Designated Router (DR) candidacy on the interface. All PIM routers connected to the same network segment must be running the same mode of operation.

Overriding the multicast settings on an interface is configured in Router > Dynamic > Multicast. When you select Create New on the Multicast page, you are automatically redirected to the New page.

New page
  Provides settings for configuring a new multicast interface.

Interface
  Select the name of the root VDOM FortiGate interface to which these settings apply. The interface must be connected to a PIM version 2 enabled network segment.

PIM Mode
  Select the mode of operation: Sparse Mode or Dense Mode. If you select Sparse Mode, adjust the remaining options as described below.

DR Priority
  Enter the priority number for advertising DR candidacy on the FortiGate unit’s interface. The unit compares this value to the DR interfaces of all other PIM routers on the same network segment, and selects the router having the highest DR priority to be the DR. The range is from 1 to 4 294 967 295. Available only when sparse mode is enabled.

RP Candidate
  Enable RP candidacy on the interface.

RP Candidate Priority
  Enter the priority number for advertising RP candidacy on the FortiGate interface. The range is from 1 to 255.

Multicast destination NAT

Multicast destination NAT (DNAT) allows you to translate externally received multicast destination addresses to addresses that conform to an organization's internal addressing policy. By using this feature, which is available only in the CLI, the organization can avoid redistributing routes at the translation boundary into its network infrastructure for Reverse Path Forwarding (RPF) to work properly. It can also receive identical feeds from two ingress points in the network and route them independently.

Configure multicast DNAT in the CLI by using the following command:

  config firewall multicast-policy
    edit p1
      set dnat <dnatted-multicast-group>
      set ...
    next
  end

For more information, see the firewall chapter of the FortiGate CLI Reference.

Bi-directional Forwarding Detection (BFD)

The Bi-directional Forwarding Detection (BFD) protocol is designed to deal with dynamic routing protocols' lack of a fine granularity for detecting device failures on the network and re-routing around those failures. BFD can more quickly react to these failures, since it detects them on a millisecond timer, where other dynamic routing protocols can only detect them on a second timer. Your unit supports BFD as part of OSPF and BGP dynamic networking.

Note: You can configure BFD only from the CLI.

This topic contains the following:
• Configuring BFD
• Configuring BFD on your FortiGate unit
• Disabling BFD for a specific interface

Configuring BFD

BFD is intended for networks that use BGP or OSPF routing protocols. This generally excludes smaller networks.

BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the whole unit, and turn it off for one or two interfaces. Alternatively you can specifically enable BFD for each neighbor router, or interface. Which method you choose will be determined by the amount of configuring required for your network.

The timeout period determines how long the unit waits before labeling a connection as down. The length of the timeout period is important—if it is too short connections will be labeled down prematurely, and if it is too long time will be wasted waiting for a reply from a connection that is down. With too short a timeout period, BFD will not connect to the network device but it will keep trying. This state generates unnecessary network traffic, and leaves the device unmonitored. If this happens, you should try setting a longer timeout period to allow BFD more time to discover the device on the network.

There is no easy number, as it varies for each network and unit. High end FortiGate models will respond very quickly unless loaded down with traffic. Also the size of the network will slow down the response time—packets need to make more hops than on a smaller network. Those two factors (CPU load and network traversal time) affect how long the timeout you select should be.

Configuring BFD on your FortiGate unit

For this example, BFD is enabled on the FortiGate unit using the default values. This means that once a connection is established, your unit will wait for up to 150 milliseconds for a reply from a BFD router before declaring that router down and rerouting traffic—a 50 millisecond minimum transmit interval multiplied by a detection multiplier of 3. The port that BFD traffic originates from will be checked for security purposes as indicated by disabling bfd-dont-enforce-src-port.

  config system settings
    set bfd enable
    set bfd-desired-min-tx 50
    set bfd-required-min-rx 50
    set bfd-detect-mult 3
    set bfd-dont-enforce-src-port disable
  end

Note: The minimum receive interval (bfd-required-min-rx) and the detection multiplier (bfd-detect-mult) combine to determine how long a period your unit will wait for a reply before declaring the neighbor down. The numbers used in this example may not work for your network. The correct value for your situation will vary based on the size of your network and the speed of your unit’s CPU.

Disabling BFD for a specific interface

The previous example enables BFD for your entire FortiGate unit. If an interface is not connected to any BFD enabled routers, you can reduce network traffic by disabling BFD for that interface. For this example, BFD is disabled for the internal interface using CLI commands.

  config system interface
    edit <interface>
      set bfd disable
  end

Configuring BFD on BGP

Configuring BFD on a BGP network involves only one step—enable BFD globally and then disable it for each neighbor that is running the protocol.

  config system settings
    set bfd enable
  end
  config router bgp
    config neighbor
      edit <ip_address>
        set bfd disable
    end
  end

Configuring BFD on OSPF

Configuring BFD on an OSPF network is very much like enabling BFD on your unit—you can enable it globally for OSPF, and you can override the global settings at the interface level.

To enable BFD on OSPF:

  config router ospf
    set bfd enable
  end

To override BFD on an interface:

  config router ospf
    config ospf-interface
      edit <interface_name>
        set bfd disable
    end
  end

Router Monitor

This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table, including the default static route. The default static route is defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets.

If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available separately for each virtual domain. For more information, see “Using virtual domains” on page 79.

The following topics are included in this section:
• Viewing routing information
• Searching the FortiGate routing table

Viewing routing information

By default, all routes are displayed in the Routing Monitor list. To display the routes in the routing table, go to Router > Monitor > Routing Monitor. On this page, you can also filter the information that is displayed on the page by applying a filter.

Routing Monitor page
  Lists all routes that are being monitored. Fields displayed vary depending on which IP version is selected.

IP version
  Select IPv4 or IPv6 routes. Displayed only if IPv6 display is enabled on the web-based manager.

Type
  Select one of the following route types to search the routing table and display routes of the selected type only:
  All – all routes recorded in the routing table.
  Connected – all routes associated with direct connections to FortiGate interfaces.
  Static – the static routes that have been added to the routing table manually. For more information see “Static Route” on page 228.
  RIP – all routes learned through RIP. For more information see “RIP” on page 243.
  OSPF – all routes learned through OSPF. For more information see “OSPF” on page 246.
  BGP – all routes learned through BGP. For more information see “BGP” on page 252.
  HA – RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster. HA routes are maintained on subordinate units and are visible only if you are viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster. For more information about HA routing synchronization, see the FortiGate HA.
  Not displayed when IP version IPv6 is selected.

Network
  Enter an IP address and netmask (for example, 172.16.14.0/24) to search the routing table and display routes that match the specified network. Not displayed when IP version IPv6 is selected.

Gateway
  Enter an IP address and netmask (for example, 192.168.12.1/32) to search the routing table and display routes that match the specified gateway. Not displayed when IP version IPv6 is selected.

Apply Filter
  Select to search the entries in the routing table based on the specified search criteria and display any matching routes. Not displayed when IP version IPv6 is selected.

Type
  The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP).

Subtype
  If applicable, the subtype classification assigned to OSPF routes.
  • An empty string implies an intra-area route. The destination is in an area to which the FortiGate unit is connected.
  • OSPF inter area — the destination is in the OSPF AS, but the FortiGate unit is not connected to that area.
  • External 1 — the destination is outside the OSPF AS. The metric of a redistributed route is calculated by adding the external cost and the OSPF cost together.
  • External 2 — the destination is outside the OSPF AS. In this case, the metric of the redistributed route is equivalent to the external cost only.
  • OSPF NSSA 1 — same as External 1, but the route was received through a not-so-stubby area (NSSA).
  • OSPF NSSA 2 — same as External 2, but the route was received through a not-so-stubby area.
  Not displayed when IP version IPv6 is selected.

Network
  The IP addresses and network masks of destination networks that the FortiGate unit can reach.

Distance
  The administrative distance associated with the route. A value of 0 means the route is preferable compared to routes to the same destination. To modify the administrative distance assigned to static routes, see “Adding a static route to the routing table” on page 232. To modify this distance for dynamic routes, see the FortiGate CLI Reference. Not displayed when IP version IPv6 is selected.

Metric
  The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table. The following are types of metrics and the protocols they are applied to.
  • Hop count — routes learned through RIP.
  • Relative cost — routes learned through OSPF, expressed as an OSPF cost.
  • Multi-Exit Discriminator (MED) — routes learned through BGP. However, several attributes in addition to MED determine the best path to a destination network.
  Not displayed when IP version IPv6 is selected.

Gateway
  The IP addresses of gateways to the destination networks.

Interface
  The interface through which packets are forwarded to the gateway of the destination network.

Up Time
  The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has been reachable. Not displayed when IP version IPv6 is selected.

Searching the FortiGate routing table

You can apply a filter to search the routing table and display certain routes only. For example, you can display one or more static routes, connected routes, routes learned through RIP, OSPF, or BGP, and routes associated with the network or gateway that you specify.

If you want to search the routing table by route type and further limit the display according to network or gateway, all of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed (an implicit AND condition is applied to all of the search parameters you specify).

For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to display all directly connected routes to network 172.16.14.0/24, you must select Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter to display the associated routing table entry or entries. Any entry that contains the word “Connected” in its Type field and the specified value in the Gateway field will be displayed.

To search the FortiGate routing table
1 Go to Router > Monitor > Routing Monitor.
2 From the Type list, select the type of route to display. For example, select Connected to display all connected routes, or select RIP to display all routes learned through RIP.
3 If you want to display routes to a specific network, type the IP address and netmask of the network in the Networks field.
4 If you want to display routes to a specific gateway, type the IP address of the gateway in the Gateway field.
5 Select Apply Filter.

Note: All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.
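The implicit AND filter described in "Searching the FortiGate routing table" and the procedure above, modelled in Python as an added example (not code from the guide or from FortiOS). The routing table entries are constructed, and two details are assumptions: a Network criterion must equal the entry's destination network exactly, and a Gateway criterion entered as address/netmask (for example 192.168.12.1/32) matches any entry whose gateway falls inside that prefix.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    """One Routing Monitor entry (the columns the guide describes)."""
    type: str        # Static, Connected, RIP, OSPF, BGP or HA
    network: str     # destination network, e.g. 172.16.14.0/24
    gateway: str     # next-hop address; 0.0.0.0 for directly connected routes
    interface: str   # interface packets are forwarded through


# Constructed sample routing table; not captured from a real unit.
ROUTES = [
    Route("Static",    "0.0.0.0/0",       "192.168.12.1", "wan1"),
    Route("Connected", "172.16.14.0/24",  "0.0.0.0",      "internal"),
    Route("Connected", "192.168.12.0/24", "0.0.0.0",      "wan1"),
    Route("OSPF",      "10.0.2.0/24",     "172.16.14.2",  "internal"),
    Route("RIP",       "10.9.0.0/16",     "172.16.14.3",  "internal"),
]


def apply_filter(routes, route_type="All", network=None, gateway=None):
    """Return the entries matching every criterion that was supplied.

    Mirrors the Routing Monitor page: Type "All" imposes no type restriction,
    an omitted Network or Gateway imposes no restriction, and all supplied
    criteria must hold for the same entry (the implicit AND condition).
    """
    want_net = ip_network(network) if network else None
    want_gw = ip_network(gateway) if gateway else None   # e.g. 192.168.12.1/32
    matches = []
    for route in routes:
        if route_type != "All" and route.type != route_type:
            continue
        if want_net is not None and ip_network(route.network) != want_net:
            continue
        if want_gw is not None and ip_address(route.gateway) not in want_gw:
            continue
        matches.append(route)
    return matches


if __name__ == "__main__":
    # The guide's example: Type = Connected, Network = 172.16.14.0/24.
    for route in apply_filter(ROUTES, "Connected", "172.16.14.0/24"):
        print(route)
```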


Firewall

This section provides an introduction to the Firewall menu. Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN subinterfaces.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall policies. For more information, see “Using virtual domains” on page 79.

The following topics are included in this section:
• Policy
• Address
• Service
• Schedule
• Traffic Shaper
• Virtual IP
• Load Balance

Policy

A firewall policy (or policy) provides instructions to the FortiGate unit on how to decide what to do with the incoming and outgoing traffic passing through the FortiGate unit. When the policy receives a connection packet, it analyzes the packet’s source address, destination address, and service (by port number) and attempts to locate the policy that matches the packet. These policies that you configure on the FortiGate unit can contain many different instructions for the FortiGate unit to follow when it receives matching packets. The instructions may be quite complicated, or simple.

Policy instructions may include network address translation (NAT), or port address translation (PAT), by using virtual IPs or IP pools to translate source and destination IP addresses and port numbers. For more information on using virtual IPs and IP pools, see “Virtual IP” on page 288.

For more information about configuring firewall policies, including traffic shaping features, see the FortiGate Fundamentals chapter of the FortiOS Handbook.

This topic contains the following:
• Policy
• Identity-based firewall policies
• Central NAT Table
• IPv6 Policy
• DoS Policy
• Protocol Options
• Sniffer Policy

Policy

You can configure firewall policies to define which sessions will match the policy and what actions the FortiGate unit will perform with packets from matching sessions. Firewall policies are configured in Firewall > Policy > Policy. Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.

When you have configured firewall policies for IPv4 and IPv6, you can view them from the Policy page. The Policy page allows you to view these firewall policies in either Section View or Global View. Section View is the default, and hides details about each of the firewall policies, while Global View shows the details. You can also remove or show different columns on the Policy page by selecting Column Settings.

Firewall policy order affects policy matching. Each time that you create or edit a policy, make sure that you position it in the correct location in the list. You can create a new policy and position it right away before an existing one in the firewall policy list by selecting Insert Policy before (see “Policy” on page 262).

Note: You can configure differentiated services (DSCP) firewall policy options through the CLI. For more information, see the firewall chapter of the FortiGate CLI Reference.

• ACCEPT policy actions permit communication sessions, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying a protection profile to apply features such as virus scanning to packets in the session. An ACCEPT policy can also apply interface-mode IPSec VPN traffic if either the selected source or destination interface is an IPSec virtual interface. For more information, see “IPsec VPN overview” on page 353.
• DENY policy actions block communication sessions, and may optionally log the denied traffic.
• IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN tunnel, respectively, and may optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network interface, destined for the local private network. For more information, see “IPSec identity-based firewall policies” on page 268 and “SSL VPN identity-based firewall policies” on page 268.

If the initial packet matches the firewall policy, the FortiGate unit performs the configured Action and any other configured options on all packets in the session.

Sessions are matched to a firewall policy by considering these features of both the packet and policy:
• Source Interface/Zone
• Source Address
• Destination Interface/Zone
• Destination Address
• schedule and time of the session’s initiation
• service and the packet’s port numbers
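The matching rules just described, as an added example that is not part of this guide and not FortiOS code: a small Python first-match simulator over the six attributes, showing why the position of a policy in the list decides the outcome. Interface names, addresses, the hour-based schedule and the implicit-deny fallback are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "any"   # stands in for the guide's "Any" interface, "all" address and "ANY" service


@dataclass
class Policy:
    policy_id: int
    src_intf: str                    # interface or zone name, or ANY
    src_addr: List[str]              # CIDR strings, or [ANY] for the "all" address
    dst_intf: str
    dst_addr: List[str]
    service: List[Tuple[str, int]]   # (protocol, destination port); (ANY, 0) = any service
    schedule: Tuple[int, int]        # active hours [start, end) in 24h; (0, 24) = "always"
    action: str                      # "ACCEPT" or "DENY"
    enabled: bool = True             # the Status check box on the Policy page


@dataclass
class Packet:
    src_intf: str
    src_ip: str
    dst_intf: str
    dst_ip: str
    proto: str
    dst_port: int
    hour: int                        # hour of the session's initiation


def _intf_match(policy_intf: str, pkt_intf: str) -> bool:
    return policy_intf == ANY or policy_intf == pkt_intf


def _addr_match(addrs: List[str], ip: str) -> bool:
    return ANY in addrs or any(ip_address(ip) in ip_network(a) for a in addrs)


def _service_match(services: List[Tuple[str, int]], proto: str, port: int) -> bool:
    return any(p == ANY or (p == proto and n == port) for p, n in services)


def matches(policy: Policy, pkt: Packet) -> bool:
    """All six attributes must match, as the guide describes; disabled policies never match."""
    start, end = policy.schedule
    return (policy.enabled
            and _intf_match(policy.src_intf, pkt.src_intf)
            and _addr_match(policy.src_addr, pkt.src_ip)
            and _intf_match(policy.dst_intf, pkt.dst_intf)
            and _addr_match(policy.dst_addr, pkt.dst_ip)
            and start <= pkt.hour < end
            and _service_match(policy.service, pkt.proto, pkt.dst_port))


def find_policy(policies: List[Policy], pkt: Packet) -> Optional[Policy]:
    """First match wins, top to bottom; None means no policy matched."""
    for policy in policies:
        if matches(policy, pkt):
            return policy
    return None


def decide(policies: List[Policy], pkt: Packet) -> str:
    policy = find_policy(policies, pkt)
    return policy.action if policy else "DENY"   # assumption: no match means the session is dropped


def insert_before(policies: List[Policy], new: Policy, before_id: int) -> List[Policy]:
    """The Policy page's Insert Policy Before: place `new` above policy `before_id`."""
    idx = next(i for i, p in enumerate(policies) if p.policy_id == before_id)
    return policies[:idx] + [new] + policies[idx:]


def shadowed(policies: List[Policy], samples: List[Packet]) -> List[int]:
    """IDs of policies that no sample session reaches: a sign that ordering needs review."""
    hit = {p.policy_id for p in (find_policy(policies, s) for s in samples) if p}
    return [p.policy_id for p in policies if p.policy_id not in hit]


def demo() -> Tuple[str, str, List[int]]:
    # Constructed policies: a broad ACCEPT for web traffic, and a DENY for one internal host.
    allow_web = Policy(1, "internal", [ANY], "wan1", [ANY],
                       [("tcp", 80), ("tcp", 443)], (0, 24), "ACCEPT")
    block_host = Policy(2, "internal", ["10.0.0.5/32"], "wan1", [ANY],
                        [(ANY, 0)], (0, 24), "DENY")
    pkt = Packet("internal", "10.0.0.5", "wan1", "203.0.113.10", "tcp", 443, hour=10)

    appended = [allow_web, block_host]                              # Create New: bottom of list
    inserted = insert_before([allow_web], block_host, before_id=1)  # Insert Policy Before

    # The DENY only takes effect when it sits above the broad ACCEPT; appended, it is shadowed.
    return decide(appended, pkt), decide(inserted, pkt), shadowed(appended, [pkt])


if __name__ == "__main__":
    print(demo())   # ('ACCEPT', 'DENY', [2])
```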

Policy page

Lists each individual policy and section that you created. On this page, you can edit, delete or create a new policy or section title.

Note: Section View is not available if any policy selects Any as the source or destination interface.

Create New: Add a new firewall policy. When you select Create New, you are automatically redirected to the New Policy page. Select the down arrow beside Create New to add a new section to the list to visually group the policies. If you select the down arrow to add a new section title, the Section Title window appears. For security purposes, selecting Create New adds the new policy to the bottom of the list. You can also use the Insert Policy before icon to add a new policy above another policy in the list. Once the policy is added to the list you can use the Move To icon to move the policy to the required position in the list.

Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. For more information, see “Using column settings to control the columns displayed” on page 28.

Section View: Select to display firewall policies organized by source and destination interfaces.

Global View: Select to list all firewall policies in order according to a sequence number.

Filter icons: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see “Adding filters to web-based manager lists” on page 26.

ID: The policy identifier. Policies are numbered in the order they are added to the policy list.

From: The source interface.

To: The destination interface.

Source: The source address or address group to which the policy applies. For more information, see “Address” on page 275.

Destination: The destination address or address group to which the policy applies. For more information, see “Address” on page 275.

Schedule: The schedule that controls when the policy should be active. For more information, see “Schedule” on page 284.

Service: The service to which the policy applies. For more information, see “Service” on page 277.

Profile: The profile that is associated with the policy.

Action: The response to make when the policy matches a connection attempt.

Status: Select the check box to enable a policy or deselect it to disable a policy.

From (Global view only): The source interface of the policy.

To (Global view only): The destination interface of the policy.

VPN Tunnel: The VPN tunnel the VPN policy uses.

Authentication: The user authentication method the policy uses.

Comments: Comments entered when creating or editing the policy.

Log: A green check mark indicates traffic logging is enabled for the policy; a grey cross mark indicates traffic logging is disabled for the policy.

Count: The FortiGate unit counts the number of packets and bytes that hit the firewall policy. For example, 5/50B means that five packets and 50 bytes in total have hit the policy. The counter is reset when the FortiGate unit is restarted or the policy is deleted and re-configured.

Delete: Delete the policy from the list.

Edit: Edit a policy.

Insert Policy Before: Add a new policy above the corresponding policy. Use this option to simplify policy ordering. When you are ready to configure a firewall policy, you will be redirected to the New Policy page.

Move To: Move the corresponding policy before or after another policy in the list.

New Policy page

Provides settings for configuring a new firewall policy, where you can apply UTM features to the firewall policy as well as configure protection profiles.

Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received. If you select Any as the source interface, the policy matches all interfaces as source. Interfaces and zones are configured on the System Network page. For more information, see “Configuring interfaces” on page 85 and “Configuring zones” on page 102. If Action is set to IPSEC, the interface is associated with the local private network. If Action is set to SSL-VPN, the interface is associated with connections from remote SSL VPN clients. If you have a FortiGate-224B unit and it is in switch mode, you can create a policy governing traffic between switch ports on a switch GLAN. This option is Intra-VLAN Policy. There must be at least one secure port available.

Source Address: Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Address” on page 275. If you want to associate multiple firewall addresses or address groups with the Source Interface/Zone, from Source Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If Action is set to IPSEC, the address is the private IP address of the host, server, or network behind the FortiGate unit. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. If you select Any as the destination interface, the policy matches all interfaces as destination. Interfaces and zones are configured on the System Network page. For more information, see “Configuring interfaces” on page 85 and “Configuring zones” on page 102. If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel. If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address: Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Address” on page 275. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT; Source NAT (SNAT) is not performed. If you select a virtual IP, the applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see “Virtual IP” on page 288. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Schedule: Select a one-time or recurring schedule or a schedule group that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Schedule” on page 284.

Service: Select the name of a firewall service or service group that packets must match to trigger this policy. You can select from a wide range of predefined firewall services, or you can create a custom service or service group by selecting Create New from this list. For more information, see “Custom services” on page 282 and “Custom service groups” on page 283. By selecting the Multiple button beside Service, you can select multiple services or service groups.

Action: Select how you want the firewall to respond when a packet matches the conditions of the policy. The options available will vary widely depending on this selection.

ACCEPT: Accept traffic matched by the policy. You can also configure NAT and protection profiles, log traffic, shape traffic, set authentication options, or add a comment to the policy.

DENY: Reject traffic matched by the policy. The only other configurable policy options are Log Violation Traffic to log the connections denied by this policy and adding a Comment.

IPSEC: You can configure an IPSec firewall encryption policy to process IPSec VPN packets. You can configure NAT, protection profiles, log traffic, shape traffic or add a comment to the policy. See “IPSec identity-based firewall policies” on page 268.

SSL-VPN: You can configure an SSL-VPN firewall encryption policy to accept SSL VPN traffic. You can also configure NAT, protection profiles, log traffic, shape traffic or add a comment to the policy. See “SSL VPN identity-based firewall policies” on page 268. This option is available only after you have added a SSL-VPN user group.

NAT: Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. Available only if Action is set to ACCEPT or SSL-VPN. When NAT is enabled, the FortiGate unit applies NAT or PAT, and you can also configure Dynamic IP Pool and Fixed Port.

Dynamic IP Pool: Select the check box, then select an IP pool to translate the source address to an IP address randomly selected from addresses in the IP Pool. For more information, see “IP pools” on page 290. IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE.

Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is translated. In most cases, if Fixed Port is selected, Dynamic IP pool is also selected. If Dynamic IP pool is not selected, a policy with Fixed Port selected can allow only one connection to that service at a time.

Note: Fixed Port is only visible if enabled from the CLI.

Enable Identity Based Policy: Select to configure firewall policies that require authentication. For more information, see “Identity-based firewall policies” on page 267. This section also describes the Firewall, Directory Service (FSAE), NTLM Authentication, and Enable Disclaimer and Redirect URL to options.

UTM: Select a UTM option to apply to the firewall policy. You must enable UTM before you can select the available UTM options.

Protocol options: Select a protocol item from the drop-down list. The protocol item contains multiple settings, including NNTP and logging invalid certificates. The default protocol item is called default. Select Create New in the drop-down list to create a new protocol option list item.

Enable Antivirus: Select an antivirus profile from the drop-down list. Select Create New in the drop-down list to create a new antivirus profile. For more information about antivirus profiles, see “AntiVirus” on page 300.

Enable Web Filter: Select a web filtering profile from the drop-down list. Select Create New in the drop-down list to create a new web filtering profile. For more information about web filter profiles, see “Web Filter” on page 316.

Enable Email Filter: Select an email filter profile from the drop-down list. Select Create New in the drop-down list to create a new email filter profile. For more information about email filter profiles, see “Email Filter” on page 328.

Enable DLP Sensor: Select a DLP sensor from the drop-down list. Select Create New in the dropdown list to create a new DLP sensor. For more information about DLP sensors, see “Data Leak Prevention” on page 338.

Enable Application Control: Select an application control black/white list from the drop-down list. Select Create New in the drop-down list to create a new application control black/white list. For more information, see “Application Control” on page 347.

Enable VoIP: Select a VoIP profile from the drop-down list. Select Create New in the dropdown list to create a new VoIP profile. For more information about VoIP profiles, see “VoIP” on page 351.

Traffic Shaping: Select a shared traffic shaper for the policy. Shared traffic shapers control the bandwidth available to, and set the priority of, the traffic as it is processed by the policy. You can also create a new shared traffic shaper. For information about configuring shared traffic shapers, see “Shared traffic shapers” on page 286.

Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping and select a shared traffic shaper. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option will also apply the policy shaping configuration to traffic from port2 to port1. For information about configuring shared traffic shapers, see “Shared traffic shapers” on page 286.

Per-IP Traffic Shaping: Select a Per-IP traffic shaper for the policy. Per-IP traffic shaping applies traffic shaping to the traffic generated from the IP addresses added to the Per-IP traffic shaper added to the firewall policy. For information about configuring per-IP traffic shapers, see “Per-IP traffic shaping” on page 287.

Log Allowed Traffic: Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log&Report menu. For more information, see “Log&Report” on page 417.

No NAT: Selected by default. When it is selected, NAT is not used for that firewall policy.

Enable NAT: Select to enable logging of NAT traffic. The Dynamic IP Pool option is then available. You must configure the dynamic IP pool before enabling this option.

Use Central NAT Table: Select to enable logging using the Central NAT table that you configured in the Central NAT Table menu.

Dynamic IP Pool: Available only when Enable NAT is selected.

Comments: Add information about the policy. The maximum length is 63 characters.

Enable Identity Based Policy section of the New Policy page

Select to enable identity-based policy authentication. When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user’s credentials.

Firewall: Include firewall user groups defined locally on the FortiGate unit, as well as on any connected LDAP and RADIUS servers. This option is selected by default. For information about configuring user groups, see “User Group” on page 390.

Directory Service (FSAE): Include Directory Service groups defined in User > User Group. The groups are authenticated through a domain controller using Fortinet Server Authentication Extensions (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller. For information about FSAE, see the Fortinet Server Authentication Extension Administration Guide. For information about configuring user groups, see “User Group” on page 390.

NTLM Authentication: Include Directory Service groups defined in User > User Group. If you select this option, you must use Directory Service groups as the members of the authentication group for NTLM. For information about configuring user groups, see “User Group” on page 390.

Add Rule

ID: The rule’s name or identification.

User Group: The selected user groups that must authenticate to be allowed to use this policy.

Service: The firewall service or service group that packets must match to trigger this policy.

Schedule: The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Schedule” on page 284.

UTM: Indicates whether a UTM feature was selected for the policy.

Traffic Shaping: The traffic shaping configuration for this policy.

Logging: Indicates whether logging was selected for that policy.

Delete: Select to remove this identity-based policy.

Edit: Select to modify this identity-based policy.

Move To: Select to change the position of this identity-based policy in the identity-based policy list.

Enable Endpoint NAC: Select to enable the Endpoint NAC feature and select the Endpoint NAC profile to apply. For more information, see “Endpoint” on page 403.
• You cannot enable Endpoint in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
• If the firewall policy involves a load balancing virtual IP, the Endpoint check is not performed.

Identity-based firewall policies

For network users to use non-SSL-VPN identity-based policies, you need to add user groups to the policy. Identity-based firewall policies are configured within each firewall policy, in Firewall > Policy > Policy.

Certificate: Certificate-based authentication only. Select the protection profile that guest accounts will use.

Note: In order to implement certificate-based authentication, you must select a firewall service group that includes one of the supported authentication protocols that use certificate-based authentication. To prevent web browser security warnings, this should match the CN field of the specified auth-cert, which is usually a fully qualified domain name (FQDN). You should also install the certificate on the network user’s web browser.

Enable Disclaimer and Redirect URL: Select this option to display the Authentication Disclaimer replacement message HTML page after the user authenticates. The user must accept the disclaimer to connect to the destination. You can also optionally enter an IP address or domain name to redirect user HTTP requests after accepting the authentication disclaimer. The redirect URL could be to a web page with extra information (for example, terms of usage). For information about customizing user authentication replacement messages, see “User authentication replacement messages” on page 157.

IPSec identity-based firewall policies

In a firewall policy (see “Policy” on page 262), the following encryption options are available for IPSec. Identity-based firewall policies are configured within each firewall policy, in Firewall > Policy > Policy.

Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction of communication, with the IPSec virtual interface as the source or destination interface as appropriate. For more information, see the “Defining firewall policies” chapter of the FortiGate IPSec VPN User Guide.

IPSec settings on the New Policy page

VPN Tunnel: Select the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.

Allow Inbound: Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel.

Allow outbound: Select to enable traffic from computers on the local private network to initiate the tunnel.

Inbound NAT: Select to translate the source IP addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.

Outbound NAT: Select only in combination with a natip CLI value to translate the source addresses of outbound cleartext packets into the IP address that you specify. When a natip value is specified, the source addresses of outbound IP packets are replaced before the packets are sent through the tunnel. For more information, see the firewall chapter of the FortiGate CLI Reference.

SSL VPN identity-based firewall policies

For network users to use SSL-VPN identity-based policies, you must configure SSL VPN users, add them to user groups, and then configure the policy. To add SSL VPN user groups, see “SSL VPN user groups” on page 392. Identity-based firewall policies are configured within each firewall policy, in Firewall > Policy > Policy.

Note: The SSL-VPN option is only available from the Action list after you have added SSL VPN user groups.

SSL-VPN settings on the New Policy page

Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received. If Action is set to IPSEC, the interface is associated with the local private network.

Source Address: Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Address list” on page 275. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address: Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see “Address list” on page 275. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see “Virtual IP” on page 288. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Action: Select SSL-VPN to configure the firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added a SSL-VPN user group.

SSL Client Certificate Restrictive: Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.

Cipher Strength: Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High >= 164, or Medium >= 128.

User Authentication Method: Select the authentication server type by which the user will be authenticated:
• Any – For all the above authentication methods. Local is attempted first, then RADIUS, and then LDAP.
• Local – For a local user group that will be bound to this firewall policy.
• LDAP – For remote clients that will be authenticated by an external LDAP server.
• RADIUS – For remote clients that will be authenticated by an external LDAP server.
• TACACS+ – For remote clients that will be authenticated by an external TACACS+ server.

No NAT: Selected by default. When it is selected, NAT is not used for that firewall policy.

Dynamic IP Pool: Select to enable dynamic IP pools.

Enable NAT: Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT; Source NAT (SNAT) is not performed.

Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN.

Use Central NAT Table: Select to use the NAT rules configured in the Central NAT Table menu.

Enable Identity Based Policy: Select to enable identity-based policy authentication. When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user’s credentials. For more information, see “Identity-based firewall policies” on page 267.

Comments: Add information about the policy. The maximum length is 63 characters.

Central NAT Table

The Central NAT Table allows users to create NAT rules, as well as view NAT mappings that are set up by the global firewall table. The FortiOS unit will look up this table and find out how to translate the packet. You can use these NAT rules on firewall policies by selecting the Use Central NAT Table option within the policy. NAT rules are configured in Firewall > Policy > Central NAT Table. This menu is not available in Transparent mode.

Central NAT Table page

Lists each individual NAT rule that you created. On this page, you can edit, delete or create a new NAT rule.

Create New: Select to create a new NAT rule set.

Edit: Select to modify a NAT rule.

Delete: Select to remove a NAT rule from the Central NAT Table page.

Enable: Select to enable a NAT rule.

Disable: Select to disable a NAT rule.

Insert: Select to insert a new NAT rule. This icon is the same as Create New.

Move: Select to move the NAT rule to another place within the list.

New NAT page

Provides settings for configuring a NAT rule.

Source Address: Select the source IP address from the drop-down list. You can optionally create a group of source IP addresses when you select Multiple in the drop-down list. You can also create a new source IP address when you select Create New in the drop-down list.

Translated Address: Select the dynamic IP pool from the drop-down list.

Original Port: Enter the port that the address is originating from. The number in the From field must be greater than the lower port number that is entered in the To field.

Translated Port: Enter the translated port number.

IPv6 Policy

Configuration of IPv6 policies is only available when IPv6 is enabled. By default, the FortiGate unit is not enabled to use IPv6 addressing. The IPv6 Policy menu appears after IPv6 is enabled in System > Admin > Settings. For more information about enabling IPv6, see “FortiGate IPv6 support” on page 180.

The IPv6 menu is the same as the Policy menu. For more information about the available icons and settings, see “Policy” on page 262. You can use the config firewall interface-policy6 command to add IPv6 sniffer policies. For more information, see the FortiGate CLI Reference. For more information about FortiGate IPv6 support, see “FortiGate IPv6 support” on page 180.

DoS Policy

The DoS policy list displays the DoS policies in their order of matching precedence for each interface. DoS policies are configured in Firewall > Policy > DoS Policy. If virtual domains are enabled on the FortiGate unit, DoS policies are configured separately for each virtual domain. As with firewall policies, you must access the VDOM before you can configure its policies.

The DoS policy configuration allows you to specify the interface, a source address, a destination address, and a service. All of the specified attributes must match network traffic to trigger the policy.

DoS policy order affects policy matching. DoS policies are checked against traffic in the order in which they appear in the DoS policy list, from top to bottom, one at a time. When a matching policy is discovered, it is used and further checking for DoS policy matches is stopped.

You can add, edit, delete, and re-order policies in the DoS policy list. You can also use the config firewall interface-policy CLI command to add DoS policies from the CLI. You can also use this CLI command to add an IPS sensor or an Application Control black/white list to a DoS policy.

DoS Policy page

Lists each individual DoS policy that you created. On this page, you can edit, delete or create a new DoS policy.

Create New: Add a new DoS policy. Select the down arrow beside Create New to add a new section to the list to visually group the policies.

Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. See “Using column settings to control the columns displayed” on page 28.

Section View: Select to display firewall policies organized by interface.

Global View: Select to list all firewall policies in order according to a sequence number.

Filter icons: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see “Adding filters to web-based manager lists” on page 26.

ID: A unique identifier for each policy. Policies are numbered in the order they are created.

Source: The source address or address group to which the policy applies. For more information, see “Address” on page 275.

Destination: The destination address or address group to which the policy applies. For more information, see “Address” on page 275.

Service: The service to which the policy applies. For more information, see “Service” on page 277.
DoS: The DoS sensor selected in this policy.
Interface: The interface to which this policy applies.
Status: When selected, the DoS policy is enabled. Clear the check box to disable the policy.
Delete: Delete the policy from the list.
Edit: Edit the policy.
Insert: Add a new policy above the corresponding policy (the New Policy screen appears).
Move: Move the corresponding policy before or after another policy in the list.

New Policy page
Provides settings for configuring a DoS policy. When you select Create New on the DoS Policy page, you are automatically redirected to this page.

Source Interface/Zone: The interface or zone to be monitored.
Source Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Destination Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Service: Select a firewall pre-defined service or a custom service to limit traffic monitoring to only the selected service or services. You can also select Create new to add a custom service.
DoS Sensor: Select and specify a DoS sensor to have the FortiGate unit apply the sensor to matching network traffic. See “DoS sensor” on page 310. You can also select Create new to add a new DoS Sensor.

Protocol Options

The Protocol Options menu allows you to configure settings for specific protocols. The settings are grouped together in a protocol group, and the group is then applied to a firewall policy. The default groups are scan, strict, unfiltered, and web.

Protocol Options are configured in Firewall > Policy > Protocol Options.

Protocol Options page
Lists each individual protocol group that you created. On this page, you can edit, delete or create a new group of protocol settings.

Create New: Add a protocol group. When you select Create New, you are automatically redirected to the Protocol Options Settings page.
Edit: Modify the settings of a protocol group.
Delete: Remove a protocol group from the list.
Name: The name of the protocol group. This is the group you select when applying it to a firewall policy.
Comments: Describes the protocol group. This is optional.

Protocol Options Settings page
Provides settings for configuring options for each protocol that makes up a protocol group.

Name: Enter a name for the protocol group.
Comments: Enter a description of the protocol group.
Enable Oversized File Log: Select to allow logging of oversized files.

Enable Invalid Certificate Log: Select to allow logging of invalid certificates.
HTTP section: Configure settings for the HTTP protocol.
  Comfort Clients: Send a small amount of data to the client at intervals while a file is being scanned, so that the client does not time out. This is available only for HTTP, FTP, and HTTPS. Interval (1-900 seconds): enter the interval time in seconds. Amount (1-10240 bytes): enter the amount in bytes.
  Oversized File/Email: Threshold: enter the threshold for an oversized email message or file in MB.
  Monitor Content Information for Dashboard: Select to view the activity of the protocol from the Dashboard menu. This is available for all protocols.
  Enable Chunked Bypass: Select to enable the chunked bypass setting.
  Port (for example 80; 0 = auto): This is available for every protocol except IM.
FTP section: Configure settings for the file transfer protocol. FTP and HTTP contain the same settings, except the FTP section does not contain the option Enable Chunked Bypass.
IMAP section: Configure settings for the IMAP protocol.
  Allow Fragmented Messages: Allows fragmented email messages to be passed.
POP3 section: Configure settings for the POP3 protocol. This section contains the same settings as the IMAP section.
SMTP section: Configure settings for the SMTP protocol.
  Append Email Signature: Select to enable the option of entering a new email signature that appears in the email message.
  Email Signature Text: Enter a signature for the email message, for example, Yours sincerely. Accessible only when Append Email Signature is selected.
IM section: Configure settings for the IM protocol.
NNTP section: Configure settings for the NNTP protocol.
HTTPS section: Configure settings for the HTTPS protocol.
  Allow Invalid SSL Certificate: Select to allow sessions whose server certificate fails validation instead of blocking them. Leave this cleared unless the affected servers are known, because it removes the check that distinguishes a legitimate server from one presenting a forged certificate.
  Enable Deep Scanning: Select to allow deep scanning of the encrypted content.
IMAPS: Configure settings for the IMAPS protocol.
POP3S: Configure settings for the POP3S protocol. This section contains the same settings as IMAPS.
SMTPS: Configure settings for the SMTPS protocol. This section contains the same settings as IMAPS and POP3S.

Sniffer Policy

The sniffer policy list displays sniffer policies in their order of matching precedence for each interface. If virtual domains are enabled on the FortiGate unit, sniffer policies are configured separately for each virtual domain. As with firewall policies and DoS policies, you must access the VDOM before you can configure its policies.

Sniffer policy order affects policy matching. Sniffer policies are checked against traffic in the order in which they appear in the sniffer policy list,

from top to bottom. When a matching policy is discovered, it is used and further checking for sniffer policy matches stops. If no match is found, the packet is dropped. Policies are numbered in the order they are created. You can add, edit, delete, and re-order policies in the sniffer policy list. You can also move a policy or insert a new policy on the page.

Use the sniffer policy configuration to specify the interface, a source address, a destination address, and a service. All of the specified attributes must match network traffic to trigger the policy.

Sniffer policies are configured in Firewall > Policy > Sniffer Policy. You can also use the config firewall sniff-interface-policy CLI command to add sniffer policies from the CLI, and the config firewall sniff-interface-policy6 command to add IPv6 sniffer policies. For more information, see the FortiGate CLI Reference. For more information about FortiGate IPv6 support, see “FortiGate IPv6 support” on page 180.

Sniffer Policy page
Lists each individual sniffer policy that you created. On this page, you can edit, delete and create a new sniffer policy.

Create New: Add a new sniffer policy. Select the down arrow beside Create New to add a new section to the list to visually group the policies.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column display order in the table. See “Using column settings to control the columns displayed” on page 28.
Section View: Select to display sniffer policies organized by interface.
Global View: Select to list all sniffer policies in order according to a sequence number.
Filter icons: Edit column filters to filter or sort the policy list according to the criteria you specify. For more information, see “Adding filters to web-based manager lists” on page 26.
ID: A unique identifier for each policy.
Source: The source address or address group to which the policy applies. For more information, see “Address” on page 275.
Destination: The destination address or address group to which the policy applies. For more information, see “Address” on page 275.
Service: The service to which the policy applies. For more information, see “Service” on page 277.
DoS Sensor: The DoS sensor selected in this policy.
IPS Sensor: The IPS sensor selected in this policy.
Application Black/White List: The Application Black/White List selected in this policy.
Status: When selected, the sniffer policy is enabled. Clear the check box to disable the policy.
Delete: Delete the policy from the list.
Edit: Edit the policy.
Insert Policy Before: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To: Move the corresponding policy before or after another policy in the list.

New Policy page
Provides settings for configuring a new sniffer policy. When you select Create New on the Sniffer Policy page, you are automatically redirected to this page.
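The DoS policy list earlier in this chapter and the sniffer policy list here have the same shape in the CLI. The following is an added example written for this edition, not text from the guide: it creates two DoS policies on an internal interface and one sniffer policy on a one-arm sniffer port, then fixes the ordering problem described above (a policy matching all sources, destinations and services placed first shadows every policy below it, because the first match wins). Interface, address, sensor and list names are placeholders, and the field names (ips-DoS-status, ips-DoS, ips-sensor-status, ips-sensor, application-list-status, application-list, logtraffic) are as recalled from the 4.0 MR2 CLI Reference; confirm them with "set ?" inside the edit before use.

```fortios
# DoS policies (Firewall > Policy > DoS Policy) from the CLI.
# Names and thresholds are placeholders; field names assumed from the 4.0 MR2 CLI Reference.
config firewall interface-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ANY"
        set ips-DoS-status enable
        set ips-DoS "default"             # broad sensor for the whole interface
    next
    edit 2
        set interface "port1"
        set srcaddr "all"
        set dstaddr "dmz_web_servers"     # address group for the public web tier
        set service "HTTP" "HTTPS"
        set ips-DoS-status enable
        set ips-DoS "web_flood"           # tighter SYN/HTTP flood thresholds
    next
    # Policy 1 matches every packet on port1, so policy 2 can never trigger.
    # Matching stops at the first hit: move the specific policy in front.
    move 2 before 1
end

# Sniffer policy (Firewall > Policy > Sniffer Policy) on a one-arm sniffer interface.
# Packets that match no sniffer policy are dropped, so keep a catch-all last.
config firewall sniff-interface-policy
    edit 1
        set interface "port3"
        set srcaddr "all"
        set dstaddr "all"
        set service "ANY"
        set ips-sensor-status enable
        set ips-sensor "all_default"      # predefined IPS sensor
        set application-list-status enable
        set application-list "block_p2p"  # application control list (placeholder)
        set logtraffic enable
    next
end
```

After the move, "show firewall interface-policy" lists policy 2 before policy 1; the ID stays 2 because IDs record creation order, not matching order, which is exactly why the list position and not the ID must be checked when a DoS sensor does not appear to fire.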

Source Interface/Zone: The interface or zone to be monitored.
Source Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Destination Address: Select an address, address range, or address group to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges. You can also select Create New to add a new address or address group.
Service: Select a firewall pre-defined service or a custom service to limit traffic monitoring to only the selected service or services. You can also select Create new to add a custom service.
DoS Sensor: Select and specify a DoS sensor to have the FortiGate unit apply the sensor to matching network traffic. See “DoS sensor” on page 310. You can also select Create new to add a new DoS Sensor.
IPS Sensor: Select and specify an IPS sensor to have the FortiGate unit apply the sensor to matching network traffic. See “IPS Sensor” on page 306. You can also select Create new to add a new IPS Sensor.
Application Black/White List: Select and specify an Application Control list to have the FortiGate unit apply the list to matching network traffic. See “Application Control List” on page 348. You can also select Edit to add a new application control list.

Address

Firewall addresses and address groups define network addresses that you can use when configuring the source and destination address fields of firewall policies. The FortiGate unit compares the IP addresses contained in packet headers with firewall policy source and destination addresses to determine whether the firewall policy matches the traffic.

You can add IPv4 addresses and address ranges, IPv6 addresses, and fully qualified domain names (FQDNs). You can organize related addresses into address groups and related IPv6 addresses into IPv6 address groups to simplify your firewall policy lists. You can also add a firewall address when configuring a firewall policy.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall addresses. For more information, see “Using virtual domains” on page 79.

This topic contains the following:
• Address list
• Address Group

Address list

Firewall addresses in the list are grouped by type: IP/Netmask, FQDN, or IPv6. FortiGate unit default configurations include the all address, which represents any IPv4 IP address on any network.

Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks, because policy matching then relies on a trusted DNS server: the policy matches whatever addresses that server returns for the name. Should the DNS server be compromised, firewall policies requiring domain name resolution may no longer function properly.

Firewall addresses are configured in Firewall > Address > Address.

Address page
Lists each individual firewall address. On this page, you can edit, delete or create a new firewall address.

Create New: Add a firewall address. When you select Create New, you are automatically redirected to the New Address page.
Note: If IPv6 Support is enabled, you can select the down arrow in the Create New button and select IPv6 Address to add an IPv6 firewall address. To enable IPv6 support on the web-based manager, see “Settings” on page 178.
Name: The name of the firewall address.
Address / FQDN: The IP address and mask, IP address range, or fully qualified domain name.
Interface: The interface, zone, or virtual domain (VDOM) link to which you bind the IP address.
IP/Netmask: The list of IPv4 firewall addresses and address ranges.
FQDN: The list of fully qualified domain name firewall addresses.
IPv6: The list of IPv6 firewall addresses.
Delete: Select to remove the address. The Delete icon appears only if a firewall policy or address group is not currently using the address.
Edit: Select to edit the address.

New Address page
Provides settings for configuring a firewall address.

Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names.
Type: Select the type of address: Subnet/IP Range or FQDN.
Subnet / IP Range: Enter the firewall IP address, followed by a forward slash (/), then the subnet mask, or enter an IP address range separated by a hyphen. You can enter either an IP range or an IP address with subnet mask.
Interface: Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address to the interface/zone when you create a firewall policy.

IPv6 Address: Enter the firewall IPv6 address, followed by a forward slash (/), then the prefix length. The IPv6 address field is restricted to around 34 characters, so you cannot enter full IPv6 addresses and netmasks; use the short-form prefix notation shown in the examples instead. You cannot bind an IPv6 address to a FortiGate interface.

Address Group

You can organize multiple firewall addresses into an address group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall addresses, you might combine the five addresses into a single address group that is used by a single firewall policy.
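The Address page and New Address page above map onto config firewall address, and address groups onto config firewall addrgrp. The following added example is written for this edition and is not text from the guide: it defines the three address types (subnet, range, FQDN), binds some of them to interfaces, groups them, and adds an IPv6 address and IPv6 group in the short prefix form the field requires. All names are placeholders and the addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32).

```fortios
# Firewall addresses (Firewall > Address > Address) from the CLI.
# Names are placeholders; addresses are RFC 5737 / RFC 3849 documentation ranges.
config firewall address
    edit "lan_net"
        set type ipmask
        set subnet 192.0.2.0 255.255.255.0
        set associated-interface "port1"   # bound to port1 at creation
    next
    edit "dmz_web_range"
        set type iprange
        set start-ip 198.51.100.20
        set end-ip 198.51.100.29
        set associated-interface "port2"
    next
    edit "dmz_db"
        set type ipmask
        set subnet 198.51.100.50 255.255.255.255
        # no associated-interface: interface "Any", bound when the policy is created
    next
    edit "partner_portal"
        set type fqdn
        set fqdn "portal.example.com"       # matched through the unit's DNS servers
    next
end

# Address group: members must be bound to the same interface, or to Any.
# "dmz_web_range" (port2) and "dmz_db" (Any) can be grouped; "lan_net" (port1)
# cannot join this group because it is bound to a different interface.
config firewall addrgrp
    edit "dmz_hosts"
        set member "dmz_web_range" "dmz_db"
    next
end

# IPv6 address and IPv6 address group (IPv6 Support must be enabled).
# The GUI field holds about 34 characters, so the /prefix form is required.
config firewall address6
    edit "v6_lan"
        set ip6 2001:db8:10::/64
    next
end
config firewall addrgrp6
    edit "v6_hosts"
        set member "v6_lan"
    next
end
```

A policy that references "partner_portal" behaves exactly like the caution above describes: "diagnose firewall fqdn list" shows the addresses the unit currently holds for the name, and those, not the name, are what the policy matches.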

Because firewall policies require addresses with homogeneous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any. Addresses whose selected interface is Any are bound to a network interface during creation of a firewall policy, rather than during creation of the firewall address. For example, if address A1 is associated with port1, and address A2 is associated with port2, they cannot be grouped. However, if A1 and A2 have an interface of Any, they can be grouped, even if the addresses involve different networks.

You cannot mix IPv4 firewall addresses and IPv6 firewall addresses in the same address group.

Address groups are configured in Firewall > Address > Group.

Group page
Lists each individual address group that you created. On this page, you can edit, delete or create a new address group.

Create New: Add an address group. When you select Create New, you are automatically redirected to the New Address Group page. If IPv6 Support is enabled, you can select the down arrow in the Create New button and select IPv6 Address Group. To enable IPv6 support on the web-based manager, see “Settings” on page 178.
Group Name: The name of the address group.
Members: The addresses in the address group.
Address Group: The list of firewall IPv4 address groups.
IPv6 Address Group: The list of firewall IPv6 address groups.
Delete: Select to remove the address group. The Delete icon appears only if the address group is not currently being used by a firewall policy.
Edit: Select to edit the address group.

New Address Group page
Provides settings for defining the addresses that will be members of the address group.

Group Name: Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.
Available Addresses: The list of all IPv4 or IPv6 firewall addresses. If you are adding an IPv4 firewall address group, only the IPv4 addresses and FQDN addresses appear. If you are adding an IPv6 firewall address group, only the IPv6 addresses appear. Use the arrows to move selected addresses between the lists of available and member addresses.
Members: The list of addresses included in the address group. Use the arrows to move selected addresses between the lists of available and member addresses.

Service

Firewall services define one or more protocols and port numbers associated with each service. Firewall policies use service definitions to match session types. You can organize related services into service groups to simplify your firewall policy list.

If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall services separately for each virtual domain. For more information, see “Using virtual domains” on page 79.

This topic contains the following:
• Predefined service list

• Custom services
• Custom service groups

Predefined service list

Many well-known traffic types have been predefined in firewall services. These predefined services are defaults, and cannot be edited or removed. However, if you require different services, you can create custom services. For more information, see “Custom services” on page 282.

Predefined services are located in Firewall > Service > Predefined. Table 49 lists and explains each firewall predefined service that is available on the FortiGate unit.

Predefined page
Lists all the predefined services that are available.

Name: The name of the predefined service.
Detail: The protocol (TCP, UDP, IP, ICMP) and port number or numbers of the predefined service.

Table 49: Predefined services (service name, protocol and port, description)

AFS3 (TCP 7000-7009; UDP 7000-7009): Advanced File Security Encrypted File, version 3, of the AFS distributed file system protocol.
AH (IP protocol 51): Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
ANY (all): Matches connections using any protocol over IP.
AOL (TCP 5190-5194): America Online Instant Message protocol.
BGP (TCP 179): Border Gateway Protocol. BGP is an interior/exterior routing protocol.
CVSPSERVER (TCP 2401; UDP 2401): Concurrent Versions System Proxy Server. CVSPSERVER is commonly used to provide anonymous CVS access to a repository.
DCE-RPC (TCP 135; UDP 135): Distributed Computing Environment / Remote Procedure Calls. Applications using DCE-RPC can call procedures from another application without having to know on which host the other application is running.
DHCP (UDP 67, 68): Dynamic Host Configuration Protocol. DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts.
DHCP6 (UDP 546, 547): Dynamic Host Configuration Protocol for IPv6.
DNS (TCP 53; UDP 53): Domain Name Service. DNS resolves domain names into IP addresses.
ESP (IP protocol 50): Encapsulating Security Payload. ESP is used by manual key and AutoIKE IPSec VPN tunnels for communicating encrypted data. AutoIKE VPN tunnels use ESP after establishing the tunnel by IKE.
FINGER (TCP 79): A network service providing information about users.

FTP (TCP 21): File Transfer Protocol.
FTP_GET (TCP 21): File Transfer Protocol. FTP GET sessions transfer remote files from an FTP server to an FTP client computer.
FTP_PUT (TCP 21): File Transfer Protocol. FTP PUT sessions transfer local files from an FTP client to an FTP server.
GOPHER (TCP 70): Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
GRE (IP protocol 47): Generic Routing Encapsulation. GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
H323 (TCP 1720, 1503; UDP 1719): H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data can be transmitted across networks. For more information, see the FortiGate Support for H.323 Technical Note.
HTTP (TCP 80): Hypertext Transfer Protocol. HTTP is used to browse web pages on the World Wide Web.
HTTPS (TCP 443): HTTP with secure socket layer (SSL). HTTPS is used for secure communication with web servers.
ICMP_ANY (ICMP, any type): Internet Control Message Protocol. ICMP allows control messages and error reporting between a host and gateway (Internet).
IKE (UDP 500, 4500): Internet Key Exchange. IKE obtains authenticated keying material for use with the Internet Security Association and Key Management Protocol (ISAKMP) for IPSEC.
IMAP (TCP 143): Internet Message Access Protocol. IMAP is used by email clients to retrieve email messages from email servers.
IMAPS (TCP 993): IMAP with SSL. IMAPS is used for secure IMAP communication between email clients and servers. IMAPS is only available on FortiGate units that support SSL content scanning and inspection. For more information, see the UTM chapter of the FortiOS Handbook.
INFO_ADDRESS (ICMP type 17): ICMP address mask request messages.
INFO_REQUEST (ICMP type 15): ICMP information request messages.
IRC (TCP 6660-6669): Internet Relay Chat. IRC allows users to join chat channels.
Internet-Locator-Service (TCP 389): Internet Locator Service. ILS includes LDAP, User Locator Service, and LDAP over TLS/SSL.
L2TP (TCP 1701; UDP 1701): Layer 2 Tunneling Protocol. L2TP is a PPP-based tunnel protocol for remote access.
LDAP (TCP 389): Lightweight Directory Access Protocol. LDAP is used to access information directories.
MGCP (UDP 2427, 2727): Media Gateway Control Protocol. MGCP is used by call agents and media gateways in distributed Voice over IP (VoIP) systems.

MS-SQL (TCP 1433, 1434): Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL.
MYSQL (TCP 3306): MySQL is a relational database management system (RDBMS) which runs as a server providing multi-user access to a number of databases.
NFS (TCP 111, 2049; UDP 111, 2049): Network File System. NFS allows network users to mount shared files.
NNTP (TCP 119): Network News Transport Protocol. NNTP is used to post, distribute, and retrieve Usenet messages.
NTP (TCP 123; UDP 123): Network Time Protocol. NTP synchronizes a host’s time with a time server.
NetMeeting (TCP 1720): NetMeeting allows users to teleconference using the Internet as the transmission medium.
ONC-RPC (TCP 111; UDP 111): Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system.
OSPF (IP protocol 89): Open Shortest Path First. OSPF is a common link state routing protocol.
PC-Anywhere (TCP 5631; UDP 5632): PC-Anywhere is a remote control and file transfer protocol.
PING (ICMP type 8): Ping sends ICMP echo request/replies to test connectivity to other hosts.
PING6 (ICMPv6, IP protocol 58): Ping6 sends ICMPv6 echo request/replies to network hosts to test IPv6 connectivity to other hosts.
POP3 (TCP 110): Post Office Protocol v3. POP retrieves email messages.
POP3S (TCP 995): Post Office Protocol v3 with secure socket layer (SSL). POP3S is used for secure retrieval of email messages. POP3S is only available on FortiGate units that support SSL content scanning and inspection. For more information, see the UTM chapter of the FortiOS Handbook.
PPTP (TCP 1723): Point-to-Point Tunneling Protocol. PPTP is used to tunnel connections between private network hosts over the Internet. Note: PPTP also requires IP protocol 47 (GRE).
QUAKE (UDP 26000, 27000, 27910, 27960): Quake multi-player computer game traffic.
RADIUS (UDP 1812, 1813): Remote Authentication Dial In User Service. RADIUS is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.
RAUDIO (UDP 7070): RealAudio multimedia traffic.
RDP (TCP 3389): Remote Desktop Protocol is a multi-channel protocol that allows a user to connect to a networked computer.

REXEC (TCP 512): Rexec traffic allows specified commands to be executed on a remote host running the rexecd service (daemon).
RIP (UDP 520): Routing Information Protocol. RIP is a common distance vector routing protocol. This service matches RIP v1.
RLOGIN (TCP 513): Remote login traffic.
RSH (TCP 514): Remote Shell traffic allows specified commands to be executed on a remote host running the rshd service (daemon).
RTSP (TCP 554, 7070, 8554; UDP 554): Real Time Streaming Protocol is a protocol for use in streaming media systems which allows a client to remotely control a streaming media server, issuing VCR-like commands such as play and pause, and allowing time-based access to files on a server.
SAMBA (TCP 139): Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon.
SCCP (TCP 2000): Skinny Client Control Protocol. SCCP is a Cisco proprietary standard for terminal control for use with voice over IP (VoIP). For more information, see the UTM chapter of the FortiOS Handbook.
SIP (UDP 5060): Session Initiation Protocol. SIP allows audiovisual conferencing data to be transmitted across networks. For more information, see the Voice Solutions: SIP chapter of the FortiOS Handbook.
SIP-MSNmessenger (TCP 1863): Session Initiation Protocol used by Microsoft Messenger to initiate an interactive, possibly multimedia session.
SMTP (TCP 25): Simple Mail Transfer Protocol. SMTP is used for sending email messages between email clients and email servers, and between email servers.
SMTPS (TCP 465): SMTP with SSL. Used for sending email messages between email clients and email servers, and between email servers securely. SMTPS is only available on FortiGate units that support SSL content scanning and inspection. For more information, see the UTM chapter of the FortiOS Handbook.
SNMP (TCP 161-162; UDP 161-162): Simple Network Management Protocol. SNMP can be used to monitor and manage complex networks.
SOCKS (TCP 1080; UDP 1080): SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall, aiding security by filtering traffic.
SQUID (TCP 3128): A proxy server and web cache daemon that has a wide variety of uses, including speeding up a web server by caching repeated requests, and caching web, DNS and other computer network lookups for a group of people sharing network resources.
SSH (TCP 22; UDP 22): Secure Shell. SSH allows secure remote management and tunneling.
SYSLOG (UDP 514): Syslog service for remote logging.

TALK (UDP 517-518): Talk allows conversations between two or more users.
TCP (TCP 0-65535): Matches connections using any TCP port.
TELNET (TCP 23): Allows plain text remote management.
TFTP (UDP 69): Trivial File Transfer Protocol. TFTP is similar to FTP, but without security features such as authentication.
TIMESTAMP (ICMP type 13): ICMP timestamp request messages.
TRACEROUTE (TCP 33434; UDP 33434): A computer network tool used to determine the route taken by packets across an IP network.
UDP (UDP 0-65535): Matches connections using any UDP port.
UUCP (UDP 540): Unix to Unix Copy Protocol. UUCP provides simple file copying.
VDOLIVE (TCP 7000-7010): VDO Live streaming multimedia traffic.
VNC (TCP 5900): Virtual Network Computing. VNC is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer.
WAIS (TCP 210): Wide Area Information Server. WAIS is an Internet search protocol which may be used in conjunction with Gopher.
WINFRAME (TCP 1494): WinFrame provides communications between computers running Windows NT, or Citrix WinFrame/MetaFrame.
WINS (TCP 1512; UDP 1512): Windows Internet Name Service is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.
X-WINDOWS (TCP 6000-6063): X Window System (also known as X11) can forward the graphical shell from an X Window server to X Window client.

Custom services

If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service. Custom services are configured in Firewall > Service > Custom. You can view all custom services from the Service Custom page as well.

Tip: You can also create custom services when you are configuring a firewall policy.

Custom page
Lists each individual custom service that you created. On this page, you can edit, delete or create a new custom service.

Create New: Add a custom service. When you select Create New, you are automatically redirected to the New Custom Service page.
Service Name: The name of the custom service.
Detail: The protocol and port numbers for each custom service.
Delete: Remove the custom service. The Delete icon appears only if the service is not currently being used by a firewall policy.
Edit: Edit the custom service.

New Custom Service page
Provides settings for configuring a customized service that is not available in the predefined service list.

Name: Enter a name for the custom service.
Protocol Type: Select the type of protocol for the custom service.
Protocol: Select the protocol (TCP, UDP or SCTP) from the drop-down list that you are configuring settings for.
Source Port: Specify the source port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields. The default values allow the use of any source port.
Destination Port: Specify the destination port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields.
Add: If your custom service requires more than one port range, select Add to allow more source and destination ranges.
Delete: Remove the protocol entry (TCP, UDP or SCTP) from the list.
Type: Enter the ICMP type number for the ICMP protocol configuration.
Code: Enter the ICMP code number for the ICMP protocol configuration.
Protocol Number: Enter the protocol number for the IP protocol configuration.

Custom service groups

You can organize multiple firewall services into a service group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall services, you might combine the five services into a single service group that is used by a single firewall policy. Service groups can contain both predefined and custom services. Service groups cannot contain other service groups.

Custom service groups are configured in Firewall > Service > Group.

Tip: You can also create custom services when you are configuring a firewall policy.

Group page
Lists each individual service group that you created. On this page, you can edit, delete or create a new service group.

Create New: Add a service group. When you select Create New, you are automatically redirected to the New Service Group page.
Edit: Select to edit the Group Name and Members.
Delete: Remove the entry from the list. The Delete icon appears only if the service group is not selected in a firewall policy.
Group Name: The name that identifies the service group.
Members: The services added to the service group.

New Service Group page
Provides settings for defining the services that will be members of a service group.

Group Name: Enter a name to identify the service group.

You can use this technique to create recurring schedules that run from one day to the next. 284 FortiGate Version 4. see “Using virtual domains” on page 79. This topic contains the following: • • Recurring schedule list One-time schedule list Recurring schedule list You can create a recurring schedule that activates a policy during a specified period of time. One-time schedules are in effect only once for the period of time specified in the schedule. Recurring schedules are in effect repeatedly at specified times of specified days of the week. On this page.com/ • Feedback .Schedule Firewall Available Services The list of configured and predefined services available for your group. Create New Name Day Start Stop Delete Edit Add a recurring schedule. with custom services at the bottom. You can create one-time schedules or recurring schedules. To put a policy into effect for an entire day. The name of the recurring schedule. Recurring page Lists each individual recurring schedule that you created. Edit the schedule. The start time of the recurring schedule. If a recurring schedule has a stop time that is earlier than the start time. Use the arrows to move selected services between this list and Members. Remove the schedule from the list. To create a recurring schedule that runs for 24 hours. If you enable virtual domains (VDOMs) on the FortiGate unit.0 MR2 Administration Guide 01-420-89802-20100507 http://docs. For example. set the start and stop times to 00. the schedule will take effect at the start time but end at the stop time on the next day. to prevent game playing except at lunchtime. Members Schedule Firewall schedules control when policies are in effect. Name Select Enter a name to identify the recurring schedule. The list of services in the group. Recurring schedules are configured in Firewall > Schedule > Recurring. The stop time of the recurring schedule. set schedule start and stop times to 00. For example. 
The Delete icon appears only if the schedule is not being used in a firewall policy. you might prevent game playing during office hours by creating a recurring schedule that covers office hours. For more information. New Recurring Schedule page Provides settings for configuring a schedule that is active on a regular basis. delete or create a new recurring schedule.fortinet. Use the arrows to move selected services between this list and Available Services. Select the days of the week for the schedule to be active. you must configure firewall schedules separately for each virtual domain. and the stop time at 12:00 noon. The initials of the days of the week on which the schedule is active. you might set the start time for a recurring schedule at 1:00 p.m. you can edit.

you can edit. Edit the schedule. Select the stop time for the recurring schedule. Use the arrow buttons to move selected schedules between this list and Members. Scheduled groups are configured in Firewall > Schedule > Group. Schedule groups can contain both recurring and on-time schedules. Name Start Stop Enter a name to identify the one-time schedule. Group page Lists each individual schedule group that you created. Schedule groups cannot contain other schedule groups. Group Name Available Schedules Enter a name to identify the schedule group. FortiGate Version 4. Select the start date and time for the schedule. Select the stop date and time for the schedule. One-time schedules are configured in Firewall > Schedule > One-time. When you select Create New. you might combine the five schedules into a single schedule group that is used by a single firewall policy. delete or create a new one-time schedule. For example.fortinet. The start date and time for the schedule. On this page. delete or create a new schedule group. but you could add a one-time schedule to block access to the Internet during a holiday. The list of recurring and one-time schedules available for your group.com/ • Feedback 285 . The Delete icon appears only if the schedule is not being used in a firewall policy. To put a policy into effect for an entire day. Schedule groups You can organize multiple firewall schedules into a schedule group to simplify your firewall policy list. Create New Add a one-time schedule. Remove the schedule from the list. The stop date and time for the schedule. set schedule start and stop times to 00. Tip: You can also create custom services when you are configuring a firewall policy.Firewall Schedule Start Stop Select the start time for the recurring schedule. When you select Create New. Name Start Stop Delete Edit New One-time Schedule page Provides settings for configuring a one-time schedule. 
One-time schedule list You can create a one-time schedule that activates a policy during a specified period of time. a firewall might be configured with a default policy that allows access to all services on the Internet at all times. The name of the one-time schedule. For example. you can edit.0 MR2 Administration Guide 01-420-89802-20100507 http://docs. you are automatically redirected to the New One-time Schedule page. Tip: You can also create recurring schedules when you configure a firewall policy. One-time page Lists each individual schedule that only occurs once. On this page. you are automatically redirected to this page. instead of having five identical policies for five different but related firewall schedules.
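The schedule rules above (a stop time earlier than the start time runs into the next day, 00:00 to 00:00 covers the whole day, and a group is in effect when any member is) are easy to get wrong in a policy that denies traffic. The following Python model is an added example; it is not part of the guide and not FortiOS code. The schedule names and dates are constructed, and treating the stop minute itself as outside the window is my assumption, not a statement of the guide.

```python
"""Firewall schedule evaluation modelled on the FortiGate rules described above.

Added example, not code from the FortiGate guide or from FortiOS. It models
three statements on this page: a recurring schedule whose stop time is earlier
than its start time takes effect at the start time and ends at the stop time on
the next day; start and stop both 00:00 cover the whole day; a schedule group
is in effect when any member schedule is in effect. Treating the stop minute
as exclusive is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Iterable

# datetime.weekday() numbers Monday as 0, matching this tuple's order.
DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


@dataclass(frozen=True)
class Recurring:
    name: str
    days: FrozenSet[str]   # the days on which the schedule starts
    start: time
    stop: time

    def is_active(self, now: datetime) -> bool:
        today = DAYS[now.weekday()]
        yesterday = DAYS[(now.weekday() - 1) % 7]
        t = now.time().replace(second=0, microsecond=0)
        if self.start == self.stop == time(0, 0):
            # 00:00 to 00:00: in effect for the entire selected day.
            return today in self.days
        if self.start < self.stop:
            # Ordinary window within one day.
            return today in self.days and self.start <= t < self.stop
        # Stop earlier than start: either the window opened today is running,
        # or the window opened yesterday has not yet reached today's stop time.
        return (today in self.days and t >= self.start) or (
            yesterday in self.days and t < self.stop
        )


@dataclass(frozen=True)
class OneTime:
    name: str
    start: datetime
    stop: datetime

    def is_active(self, now: datetime) -> bool:
        return self.start <= now < self.stop


def group_active(members: Iterable, now: datetime) -> bool:
    """A schedule group is in effect whenever any of its members is."""
    return any(m.is_active(now) for m in members)


WEEKDAYS = frozenset(DAYS[:5])

# Constructed schedules. The guide's lunchtime rule: block games from 13:00
# until 12:00 the next day, leaving only the noon hour open.
NO_GAMES = Recurring("no-games-outside-lunch", WEEKDAYS, time(13, 0), time(12, 0))
# 00:00 to 00:00 on weekdays: in effect all day on each selected day.
ALL_DAY_WEEKDAYS = Recurring("weekdays-all-day", WEEKDAYS, time(0, 0), time(0, 0))
# A one-time holiday block: 2010-07-01 00:00 until 00:00 the following day.
HOLIDAY = OneTime("holiday-2010-07-01", datetime(2010, 7, 1), datetime(2010, 7, 2))
```

Note what the wrap-around does at the edges of the week: a Monday-to-Friday 13:00 to 12:00 schedule is also in effect on Saturday morning, because the window that opened on Friday runs until Saturday noon, and it is not in effect on Monday morning, because no window opened on Sunday. Check both before relying on the technique in a deny policy.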
New Schedule Group page
Provides settings for defining what schedules are members of the group.

Group Name: Enter a name for the schedule group.
Available Schedules: Select the schedule that you want to be a member, and then use the down arrow to move that schedule to Members.
Members: The list of schedules in the group, that is, the schedules that will be associated with the group. To remove a schedule from the Members list, select the schedule and then use the up arrow to move that schedule back to Available Schedules.

Traffic Shaper
Traffic shaping, when included in a firewall policy, controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate unit. For example, the policy for the corporate web server might be given higher priority than the policies for most employees’ computers. An employee who needs extra high speed Internet access could have a special outgoing policy set up with higher bandwidth.

Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or SSLVPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and ESP.

Traffic shaping cannot increase the total amount of bandwidth available, but you can use it to improve the quality of bandwidth-intensive and sensitive traffic. Guaranteed and maximum bandwidth, in combination with queuing, ensure that a minimum amount of bandwidth is available to traffic and that a maximum is not exceeded.

When you want to ensure that traffic shaping is working at its best, verify that the interface Ethernet statistics show no errors, collisions, or buffer overruns. If any of these problems appear, the FortiGate and switch settings may require adjusting.

This topic contains the following:
• Shared traffic shapers
• Per-IP traffic shaping

Shared traffic shapers
By default the FortiGate unit includes pre-defined shared traffic shapers. You can add these shapers to firewall policies as is, customize them, or add new shared traffic shapers. Shared traffic shapers are configured in Firewall > Traffic Shaper > Shared.

After creating or editing shared traffic shapers, you add them to firewall policies by going to Firewall > Policy > Policy and adding a new or editing an existing firewall policy. To enable shared traffic shaping in a firewall policy, select Traffic Shaping and select a shared traffic shaper. You can also select Reverse Direction Traffic Shaping and select a shared traffic shaper to apply shared traffic shaping to return traffic. You can also go to Firewall > Policy > IPv6 Policy and add a new or edit an existing IPv6 firewall policy to apply traffic shaping to IPv6 traffic.
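To see how guaranteed bandwidth, maximum bandwidth and priority interact once an interface is saturated, the following Python model is an added example; it is not Fortinet's scheduler, and this page does not describe FortiOS's exact queueing. The model applies only the rules the guide gives: guaranteed bandwidth is reserved first, leftover capacity goes to high-priority traffic before medium and low, maximum bandwidth caps each policy, a shaper with both values set to 0 passes no traffic, and a policy with no shaper is treated as high priority. The policy names and bandwidth figures are constructed, and reading a Maximum Bandwidth of 0 as "no maximum" is an assumption. The scenario also shows why the guide says to enable shaping on every policy: a policy without a shaper competes at high priority with no cap.

```python
"""Model of guaranteed bandwidth, maximum bandwidth and priority queuing.

Added example, not Fortinet code. It applies the rules stated on this page:
guaranteed bandwidth is reserved first; leftover capacity goes to high
priority before medium and low; Maximum Bandwidth caps each policy; a shaper
with both values 0 passes no traffic; an unshaped policy is high priority.
Treating Maximum Bandwidth 0 as "no maximum" is an assumption. Units: Kbps.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class SharedShaper:
    name: str
    guaranteed: int
    maximum: int              # 0 = no maximum (assumption)
    priority: str = "high"


@dataclass
class Policy:
    name: str
    demand: int                          # what the policy's traffic would use if unshaped
    shaper: Optional[SharedShaper] = None

    def priority(self) -> str:
        # A policy without a traffic shaping rule is set to high priority by default.
        return self.shaper.priority if self.shaper else "high"

    def blocked(self) -> bool:
        return self.shaper is not None and self.shaper.guaranteed == 0 and self.shaper.maximum == 0

    def cap(self) -> int:
        if self.shaper is None or self.shaper.maximum == 0:
            return self.demand
        return min(self.demand, self.shaper.maximum)


def check_shapers(policies: List[Policy], interface_kbps: int) -> List[str]:
    """The sanity checks the guide asks for before relying on shaping."""
    problems: List[str] = []
    reserved = 0
    for p in policies:
        if p.blocked():
            problems.append(f"{p.name}: Guaranteed and Maximum Bandwidth are both 0, policy passes no traffic")
        if p.shaper is None:
            problems.append(f"{p.name}: no shaper, competes at high priority without limits")
        else:
            reserved += p.shaper.guaranteed
            if p.shaper.maximum and p.shaper.guaranteed > p.shaper.maximum:
                problems.append(f"{p.name}: Guaranteed Bandwidth exceeds Maximum Bandwidth")
    if reserved >= interface_kbps:
        problems.append(f"sum of Guaranteed Bandwidth ({reserved} Kbps) is not below "
                        f"interface capacity ({interface_kbps} Kbps)")
    return problems


def allocate(policies: List[Policy], interface_kbps: int) -> Dict[str, int]:
    """Share one interface's capacity among policies under the given offered load."""
    alloc = {p.name: 0 for p in policies}
    remaining = interface_kbps
    # Pass 1: honour every guarantee, up to what the policy actually demands.
    for p in policies:
        if p.blocked() or p.shaper is None:
            continue
        grant = min(p.demand, p.shaper.guaranteed, remaining)
        alloc[p.name] += grant
        remaining -= grant
    # Pass 2: leftover goes to high-priority policies first, then medium, then low.
    # Low-priority traffic only receives bandwidth the higher queues do not need.
    for p in sorted(policies, key=lambda q: PRIORITY_RANK[q.priority()]):
        if p.blocked():
            continue
        extra = max(0, min(p.cap() - alloc[p.name], remaining))
        alloc[p.name] += extra
        remaining -= extra
    return alloc


# Constructed scenario: a 10 Mbps uplink carrying the guide's web server
# and employee traffic, plus a guest policy nobody attached a shaper to.
INTERFACE_KBPS = 10_000
WEB = SharedShaper("web-server", guaranteed=3000, maximum=0, priority="high")
STAFF = SharedShaper("employees", guaranteed=1000, maximum=4000, priority="low")
POLICIES = [
    Policy("web", demand=8000, shaper=WEB),
    Policy("employees", demand=6000, shaper=STAFF),
    Policy("guest-wifi", demand=9000),   # no shaper: high priority by default
]
```

With this load the employees policy gets nothing beyond its 1000 Kbps guarantee, because the unshaped guest policy takes the leftover at high priority; giving it a low-priority shaper is what the guide's advice to shape every policy amounts to.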
Shared page
Lists each individual shared traffic shaper that you created. On this page, you can edit, delete or create a new shared traffic shaper.

Create New: Select to add a new shared traffic shaper.
Name: The name of the shared traffic shaper.
Delete: Select to remove a traffic shaper.
Edit: Select to modify a traffic shaper.

New Shared Traffic Shaper page
Provides settings for configuring a new shared traffic shaper.

Name: Type a name for this traffic shaper.
Apply Shaping: Select Per Policy to apply this traffic shaper’s limits separately to each firewall policy that uses it. Select For all policies using this shaper to share the limits among all firewall policies that use it.
Shaping Methods: Configure the traffic shaping methods used by the shared traffic shaper.
Guaranteed Bandwidth: Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.
Maximum Bandwidth: Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones. Do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the firewall policy that the shared traffic shaper is added to will not allow any traffic.
Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. Be sure to enable traffic shaping on all firewall policies: if you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.

Per-IP traffic shaping
Per-IP traffic shaping applies its limits per IP address, instead of per policy or per shaper. A per-IP traffic shaper is applied to a firewall policy, and its limits then apply separately to each IP address whose traffic matches that policy. As with the shared traffic shaper, you select the per-IP traffic shaper in firewall policies. Per-IP traffic shaping is configured in Firewall > Traffic Shaper > Per-IP.

Per-IP page
Lists each individual per-IP traffic shaper that you created. On this page, you can edit, delete or create a new per-IP traffic shaper.

Create New: Select to add a new per-IP traffic shaper.
Name: The name of this per-IP traffic shaper.
Maximum Bandwidth: The maximum bandwidth allowed to each IP address.
Maximum Concurrent Connections: The maximum number of concurrent connections allowed to each IP address.
Delete: Select to remove a per-IP traffic shaper.
Edit: Select to modify a per-IP traffic shaper.

New Per-IP Traffic Shaper page
Provides settings for configuring a per-IP traffic shaper.

Name: Enter a name for the per-IP traffic shaper.
Maximum Bandwidth: Select the check box beside Maximum Bandwidth to enable this setting. Enter the maximum allowed bandwidth in Kbps. Enter 0 to disable the bandwidth limit. This limit applies to each IP address.
Maximum Concurrent Connections: Select the check box beside Maximum Concurrent Connections to enable this setting. Enter the maximum allowed number of concurrent connections. Range 1 to 2 097 000. This limit applies to each IP address.

Virtual IP
Virtual IPs can specify translations of packets’ port numbers and/or IP addresses for both inbound and outbound connections. When the FortiGate unit receives packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packet’s destination IP address with the virtual IP’s mapped IP address.

A virtual IP’s external IP address can be a single IP address or an IP address range, and is bound to a FortiGate unit interface. A virtual IP’s mapped IP address can be a single IP address, or an IP address range.

Virtual IPs use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. When you bind the virtual IP’s external IP address to a FortiGate unit interface, by default, the network interface responds to ARP requests for the bound IP address or IP address range. To disable ARP replies, see the FortiGate CLI Reference.

In Transparent mode, virtual IPs are available from the FortiGate CLI. Load balancing virtual servers are actually server load balancing virtual IPs; you can add server load balance virtual IPs from the CLI.

This topic contains the following:
• Virtual IP, load balance virtual server and load balance real server limitations
• VIP group
• IP pools

Virtual IP, load balance virtual server and load balance real server limitations
The following limitations apply when adding virtual IPs, load balancing virtual servers, and load balancing real servers.
• Virtual IP External IP Address/Range entries or ranges cannot overlap with each other or with load balancing virtual server Virtual Server IP entries.
• A virtual IP Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
• A real server IP cannot be 0.0.0.0 or 255.255.255.255.
• If a static NAT virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP Address/Range must be a single IP address.
• If a load balance virtual IP External IP Address/Range is 0.0.0.0, the Mapped IP Address/Range can be an address range.
• When port forwarding, the count of mapped port numbers and external port numbers must be the same. The web-based manager does this automatically but the CLI does not.
• Virtual IP and virtual server names must be different from firewall address or address group names.
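The limitations above can be checked before a configuration is pushed, which matters most for CLI-built configurations where the port-count rule is not enforced for you. The following Python is an added example, not Fortinet code: the field names are the GUI labels from this page rather than CLI keywords, the 203.0.113.0/24 and 10.0.0.0/8 addresses are constructed, and the checks reproduce only the rules listed on this page. It also shows the destination translation a matching packet receives, and derives a static NAT virtual IP's external range from its mapped range, as the guide says the unit does.

```python
"""Pre-flight checks and destination translation for virtual IPs.

Added example, not Fortinet code. Field names follow the GUI labels on this
page, not CLI keywords; addresses are constructed (203.0.113.0/24 is a
documentation range). For a static NAT VIP the external range is derived
from the mapped range, as the guide says the unit does.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

IPv4 = ipaddress.IPv4Address
ANY, BCAST = IPv4("0.0.0.0"), IPv4("255.255.255.255")


def ip_range(spec: str) -> Tuple[IPv4, IPv4]:
    """'a.b.c.d' or 'a.b.c.d-e.f.g.h' -> (first, last); one address is a range of one."""
    lo, _, hi = spec.partition("-")
    first, last = IPv4(lo), IPv4(hi or lo)
    if last < first:
        raise ValueError(f"range end below start: {spec}")
    return first, last


def port_range(spec: str) -> Tuple[int, int]:
    lo, _, hi = spec.partition("-")
    first, last = int(lo), int(hi or lo)
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return first, last


@dataclass
class VirtualIP:
    name: str
    external_interface: str
    external_ip: str            # External IP Address/Range; 0.0.0.0 accepts any destination
    mapped_ip: str              # Mapped IP Address/Range
    port_forwarding: bool = False
    protocol: str = "tcp"
    external_port: str = ""     # External Service Port
    mapped_port: str = ""       # Map to Port

    def external_range(self) -> Tuple[IPv4, IPv4]:
        """Static NAT maps one external address per mapped address, so the external
        range is as long as the mapped range, starting at the entered address."""
        first, _ = ip_range(self.external_ip)
        m_first, m_last = ip_range(self.mapped_ip)
        return (ANY, ANY) if first == ANY else (first, first + (int(m_last) - int(m_first)))


def check_vips(vips: Sequence[VirtualIP], virtual_server_ips: Sequence[str] = (),
               address_names: Sequence[str] = ()) -> List[str]:
    """Apply the limitations listed above; returns one message per violation."""
    problems: List[str] = []
    seen: List[Tuple[str, IPv4, IPv4]] = []
    for v in vips:
        m_first, m_last = ip_range(v.mapped_ip)
        e_first, e_last = v.external_range()
        if v.name in address_names:
            problems.append(f"{v.name}: name also used by a firewall address or address group")
        if {m_first, m_last} & {ANY, BCAST}:
            problems.append(f"{v.name}: Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255")
        if e_first == ANY and m_first != m_last:
            problems.append(f"{v.name}: External IP 0.0.0.0 on a static NAT VIP needs a single mapped address")
        if v.port_forwarding:
            (e_lo, e_hi), (m_lo, m_hi) = port_range(v.external_port), port_range(v.mapped_port)
            if e_hi - e_lo != m_hi - m_lo:   # the web-based manager enforces this, the CLI does not
                problems.append(f"{v.name}: external and mapped port ranges differ in size")
        if e_first != ANY:
            for name, o_first, o_last in seen:
                if e_first <= o_last and o_first <= e_last:
                    problems.append(f"{v.name}: external range overlaps {name}")
            for vs in virtual_server_ips:
                if e_first <= IPv4(vs) <= e_last:
                    problems.append(f"{v.name}: external range overlaps virtual server {vs}")
            seen.append((v.name, e_first, e_last))
    return problems


def translate(v: VirtualIP, dst_ip: str, dst_port: int, proto: str = "tcp") -> Optional[Tuple[IPv4, int]]:
    """Destination NAT for a packet matched by a policy whose Destination Address is this VIP.
    Returns the new (ip, port), or None if the packet does not match the VIP."""
    dst, (e_first, e_last) = IPv4(dst_ip), v.external_range()
    if e_first != ANY and not e_first <= dst <= e_last:
        return None
    m_first, _ = ip_range(v.mapped_ip)
    new_ip = m_first if e_first == ANY else m_first + (int(dst) - int(e_first))
    if not v.port_forwarding:
        return new_ip, dst_port
    e_lo, e_hi = port_range(v.external_port)
    if proto != v.protocol or not e_lo <= dst_port <= e_hi:
        return None
    return new_ip, port_range(v.mapped_port)[0] + (dst_port - e_lo)


# Constructed VIPs: a web server reached on 443 but listening on 8443, and a
# four-address mail range mapped one-to-one (derived external range .20 to .23).
WEB_VIP = VirtualIP("vip-web", "wan1", "203.0.113.10", "10.0.0.10", port_forwarding=True,
                    protocol="tcp", external_port="443", mapped_port="8443")
MAIL_VIPS = VirtualIP("vip-mail", "wan1", "203.0.113.20", "10.0.0.20-10.0.0.23")
```

The overlap check uses the derived external range, so a second virtual IP whose single external address falls inside a range VIP's computed block is caught even though only the first address of that block was typed into the External IP Address/Range field.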
Virtual IP
To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT firewall policy. For example, to add a firewall policy that maps public network addresses to a private network, add an external to internal firewall policy whose Destination Address field is a virtual IP.

Virtual IPs are configured in Firewall > Virtual IP > Virtual IP. For limitations on creating virtual IPs, see “Virtual IP, load balance virtual server and load balance real server limitations” on page 288.

Virtual IP page
Lists each individual virtual IP that you created. On this page, you can edit, delete or create a new virtual IP. When you select Create New, you are automatically redirected to the Add New Virtual IP Mapping page.

Create New: Select to add a virtual IP.
Name: The name of the virtual IP. To avoid confusion, addresses, address groups, and virtual IPs cannot have the same names.
IP: The bound network interface and external IP address or IP address range, separated by a slash (/).
Service Port: The external port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Map to IP/IP Range: The mapped to IP address or address range on the destination network.
Map to Port: The mapped to port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Delete: Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not selected in a firewall policy.
Edit: Edit the virtual IP to change any virtual IP option including the virtual IP name.

Add New Virtual IP Mapping page
Provides settings for configuring a virtual IP.

Name: Enter or change the name to identify the virtual IP.
External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any FortiGate interface, VLAN subinterface, VPN interface, or modem interface.
Type: VIP type is Static NAT, read only.
External IP Address/Range: Enter the external IP address that you want to map to an address on the destination network. To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range.
Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field.
Port Forwarding: Select to perform port address translation (PAT).
Protocol: Select the protocol of the forwarded packets. This option appears only if Port Forwarding is enabled.
External Service Port: Enter the external interface port number for which you want to configure port forwarding. You can also enter a port number range to forward packets to multiple ports on the destination network. For a virtual IP with static NAT, if you add a map to port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service Port field. This option appears only if Port Forwarding is enabled.
Map to Port: Enter the port number on the destination network to which the external port number is mapped. This option appears only if Port Forwarding is enabled.

VIP group
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related virtual IPs located on the same network interface, you might combine the five virtual IPs into a single virtual IP group, which is used by a single firewall policy. Firewall policies using VIP groups are matched by comparing both the member VIP IP address(es) and port number(s).

VIP groups are configured in Firewall > Virtual IP > VIP Group.

VIP Group page
Lists each individual VIP group that you created. On this page, you can edit, delete or create a new VIP group. When you select Create New, you are automatically redirected to the New VIP Group page.

Create New: Select to add a new VIP group.
Group Name: The name of the virtual IP group.
Members: Lists the group members.
Interface: Displays the interface that the VIP group belongs to.
Delete: Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.
Edit: Edit the VIP group information, including the group name and membership. See “VIP group” on page 290.

New VIP Group page
Provides settings for defining VIPs in a group.

Group Name: Enter or modify the group name.
Interface: Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Available VIPs and Members: Select the up or down arrow to move virtual IPs between Available VIPs and Members. Members contains the virtual IPs that are a part of this virtual IP group.

IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool. An IP pool defines a single IP address or a range of IP addresses. A single IP address in an IP pool becomes a range of one IP address. For example, if you enter an IP pool as 1.1.1.1 the IP pool is actually the address range 1.1.1.1 to 1.1.1.1.

If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the interface responds to ARP requests for all of the IP addresses in the overlapping IP pools, rather than the IP address assigned to that FortiGate unit interface.

IP pools are configured in Firewall > Virtual IP > IP Pools. In Transparent mode, IP pools are available only from the FortiGate CLI.

IP Pool page
Lists each individual IP pool that you created. On this page, you can edit, delete or create a new IP pool. When you select Create New, you are automatically redirected to the New Dynamic IP Pool page.

Create New: Select to add an IP pool.
Name: The name of the IP pool.
Start IP: The start of the IP pool address range.
End IP: The end of the IP pool address range.
Delete: Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Edit: Select to edit the IP pool. You can change the Name, Interface, and IP Range/Subnet.

New Dynamic IP Pool page
Provides settings for configuring the IP address range and subnet for the IP pool.

Name: Enter the name of the IP pool. Select this name in a firewall policy.
IP Range/Subnet: Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the IP range do not have to be on the same subnet as the IP address of the interface to which you are adding the IP pool. You can also enter a single IP address for the IP pool.

Load Balance
When you use the FortiGate load balancing function to intercept the incoming traffic and share it across the available servers, the FortiGate unit allows multiple servers to respond as if they were a single device or server. This, in turn, means that more simultaneous requests can be handled.

There are additional benefits to server load balancing. Firstly, this increases scalability. If the load increases substantially, more servers can be added behind the FortiGate unit in order to cope with the increased load. Secondly, the service being provided can be highly available, because the load is distributed across multiple servers. If one of the servers breaks down, the load can still be handled by the other servers.

The following topics are included in this section:
• Virtual servers
• Real servers
• Health check monitors

Virtual servers
Virtual servers use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a real server that is actually installed on another network. When you bind the virtual server’s external IP address to a FortiGate unit interface, by default, the network interface responds to ARP requests for the bound IP address. To disable ARP replies, see the FortiGate CLI Reference.

Virtual servers are configured in Firewall > Load Balance > Virtual Server. For limitations on creating virtual servers, see “Virtual IP, load balance virtual server and load balance real server limitations” on page 288.
Virtual Server page
Lists each individual virtual server that you created. On this page, you can edit, delete or create a new virtual server.

Create New: Select to add virtual servers.
Name: Name of the virtual server. This name is not the hostname for the FortiGate unit.
Type: The protocol load balanced by the virtual server.
Comments: A description of the virtual server.
Virtual Server IP: The IP address of the virtual server. This is an IP address on the external interface that you want to map to an address on the destination network.
Virtual Server Port: The external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.
Load Balance Method: The load balancing method for this virtual server.
Health Check: The health check monitor selected for this virtual server.
Persistence: The type of persistence applied to this virtual server.
Delete: Remove the virtual server from the list. The Delete icon only appears if the virtual server is not bound to a real server.
Edit: Edit the virtual server to change any virtual server option including the virtual server name.

New Virtual Server page
Provides settings for configuring a virtual server.

Name: Enter the name for the virtual server.
Type: Select the protocol to be load balanced by the virtual server. If you select a general protocol such as IP, TCP, or UDP, the virtual server load balances all IP, TCP, or UDP sessions. If you select a specific protocol such as HTTP, HTTPS, or SSL, you can apply additional server load balancing features such as Persistence and HTTP Multiplexing.
• Select HTTP to load balance only HTTP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 80 for HTTP sessions). You can also select HTTP Multiplex. You can also set Persistence to HTTP Cookie to select cookie-based persistence. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options.
• Select HTTPS to load balance only HTTPS sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced (usually port 443 for HTTPS sessions). You can also select HTTP Multiplex. You can also set Persistence to HTTP Cookie to select cookie-based persistence, or to SSL Session ID. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options and advanced SSL options. HTTPS is available on FortiGate units that support SSL acceleration.
• Select SSL to load balance only SSL sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced. You can also set Persistence to SSL Session ID. See the description of the config firewall vip command in the FortiGate CLI Reference for information about advanced SSL options.
• Select TCP to load balance only TCP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
• Select UDP to load balance only UDP sessions with a destination port number that matches the Virtual Server Port setting. Change Virtual Server Port to match the destination port of the sessions to be load balanced.
• Select IP to load balance all sessions accepted by the firewall policy that contains this virtual server.
Interface: Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Virtual Server IP: Enter the IP address of the virtual server. This is an IP address on the external interface that you want to map to an address on the destination network.
Virtual Server Port: Enter the external port number that you want to map to a port number on the destination network. Sessions with this destination port are load balanced by this virtual server.
Load Balance Method: Select how sessions are distributed among the real servers. Load balancing methods include:
• Static: The traffic load is spread evenly across all servers. This load balancing method provides some persistence because all sessions from the same source address always go to the same server. However, the distribution is stateless, so if a real server is added or removed (or goes up or down) the distribution is changed, so persistence will be lost. Separate real servers are not required.
• Round Robin: Directs requests to the next server, and treats all servers as equals regardless of response time or number of connections. Dead servers or non-responsive servers are avoided. A separate server is required.
• Weighted: Servers with a higher weight value will receive a larger percentage of connections. Set the server weight when adding a server.
• Least Session: Directs requests to the server that has the least number of current connections. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities; no additional server is required.
• Least RTT: Directs requests to the server with the least round trip time. The round trip time is determined by a Ping health check monitor and defaults to 0 if no Ping health check monitors are added to the virtual server.
• First Alive: Always directs requests to the first alive real server. In this case “first” refers to the order of the real servers in the virtual server configuration. For example, if you add real servers A, B and C in that order, then traffic always goes to A as long as it is alive. If A goes down then traffic goes to B, and if B goes down the traffic goes to C. If A comes back up, traffic goes to A. Real servers are ordered in the virtual server configuration in the order in which you add them, with the most recently added real server last. If you want to change the order you must delete and re-add real servers as required.

Persistence
Configure persistence to make sure that a user is connected to the same server every time they make a request that is part of the same session. You can configure persistence if Type is set to HTTP, HTTPS, or SSL. When you configure persistence, the FortiGate unit load balances a new session to a real server according to the Load Balance Method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.
• Select None for no persistence. Sessions are distributed solely according to the Load Balance Method. See the description of Load Balance Method for more information.
• Select HTTP Cookie so that all HTTP or HTTPS sessions with the same HTTP session cookie are sent to the same real server. HTTP Cookie is available if Type is set to HTTP or HTTPS. See the description of the config firewall VIP command in the FortiGate CLI Reference for information about advanced HTTP Cookie persistence options.
• Select SSL Session ID so that all sessions with the same SSL session ID are sent to the same real server. SSL Session ID is available if Type is set to HTTPS or SSL.

Note: The Static load balancing method provides persistence as long as the number of real servers does not change. Setting Load Balance Method to Static (the default) results in behavior equivalent to persistence.

HTTP Multiplexing: Select to use the FortiGate unit to multiplex multiple client connections into a few connections between the FortiGate unit and the real server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. This option appears only if HTTP or HTTPS are selected for Type.

Note: Additional HTTP Multiplexing options are available in the CLI. For more information, see the FortiGate CLI Reference.

Preserve Client IP: Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you want log messages on the real servers to include the client’s original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. This option appears only if HTTP or HTTPS are selected for Type, and is available only if HTTP Multiplexing is selected.

SSL Offloading: Select to accelerate clients’ SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading.
• Client <-> FortiGate: Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
• Client <-> FortiGate <-> Server: Select to apply hardware accelerated SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration.

SSL Offloading appears only if HTTPS or SSL are selected for Type, and only on FortiGate models with hardware that supports SSL acceleration. SSL 3.0 and TLS 1.0 are supported.

Note: Additional SSL Offloading options are available in the CLI. For more information, see the FortiGate CLI Reference.

Certificate: Select the certificate to use with SSL Offloading. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported. This option appears only if HTTPS or SSL are selected for Type, and is available only if SSL Offloading is selected.

Health Check: Select which health check monitor configuration will be used to determine a server’s connectivity status. For information on configuring health check monitors, see “Health check monitors” on page 296.

Comments: Any comments or notes about this virtual server.

Real servers
A real server is configured to bind it to a virtual server. Real servers are configured in Firewall > Load Balance > Real Server. For limitations on creating real servers, see “Virtual IP, load balance virtual server and load balance real server limitations” on page 288.

Real Server page
Lists each individual real server that you created. On this page, you can edit, delete or create a new real server. Select the blue arrow beside a virtual server name to view the IP addresses of the real servers that are bound to it.

Create New: Select to add real servers.
IP Address: The IP address of the real server.
Port: The port number on the destination network to which the external port number is mapped.
Weight: The weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle.
Max Connections: The limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.
Delete: Remove the real server from the list.
Edit: Edit the real server to change any virtual server option.

New Real Server page
Provides settings for configuring a real server to bind it with a virtual one.

Virtual Server: Select the virtual server to which you want to bind this real server.
IP: Enter the IP address of the real server.
Port: Enter the port number on the destination network to which the external port number is mapped.
Weight: Enter the weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used. This option is available only if the associated virtual server’s load balance method is Weighted.
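The selection rules described above (servers kept in the order they were added, dead servers avoided, the Static method keeping one source address on one server, weights as a share of connections, and Max Connections forcing a switch to another server) as an added Python model; this is not code from the guide or from FortiOS, the method labels, server names and addresses are this model's own.

```python
"""Constructed model of real-server selection for a load-balance virtual server.

It follows the behaviour the guide describes: real servers are kept in the
order they were added, dead servers are skipped, a server that has reached
its Maximum Connections is skipped until connections drop below the limit,
the Static method keeps sessions from one source address on one server, and
the Weighted method hands out connections in proportion to server weights.
Method labels are this model's own; it is not FortiOS code.
"""
from dataclasses import dataclass
from typing import List, Optional
import zlib


@dataclass
class RealServer:
    name: str
    ip: str
    weight: int = 1            # 1-255, used only by the weighted method
    max_connections: int = 0   # 0 means the unit does not limit connections
    alive: bool = True         # result of the health check monitor
    active: int = 0            # currently active connections

    def has_capacity(self) -> bool:
        return self.max_connections == 0 or self.active < self.max_connections


class VirtualServer:
    def __init__(self, method: str):
        self.method = method                  # "ordered", "static" or "weighted"
        self.servers: List[RealServer] = []   # order of addition, newest last
        self._turn = 0                        # position in the weighted rotation

    def add(self, server: RealServer) -> None:
        self.servers.append(server)

    def eligible(self) -> List[RealServer]:
        # dead or non-responsive servers are avoided, as are servers that
        # have reached their Maximum Connections limit
        return [s for s in self.servers if s.alive and s.has_capacity()]

    def pick(self, client_ip: str) -> Optional[RealServer]:
        """Choose the real server for a new session and count the connection."""
        cand = self.eligible()
        if not cand:
            return None
        if self.method == "ordered":
            # A as long as it is alive, then B, then C; back to A when it returns
            chosen = cand[0]
        elif self.method == "static":
            # sessions from the same source address always land on the same
            # server while the set of eligible servers stays unchanged
            chosen = cand[zlib.crc32(client_ip.encode()) % len(cand)]
        elif self.method == "weighted":
            # a server with weight 3 receives three connections for every
            # one connection a server with weight 1 receives
            slots = [s for s in cand for _ in range(s.weight)]
            chosen = slots[self._turn % len(slots)]
            self._turn += 1
        else:
            raise ValueError("unknown load balance method: " + self.method)
        chosen.active += 1
        return chosen

    @staticmethod
    def release(server: RealServer) -> None:
        """Session finished: frees a connection slot on the server."""
        server.active = max(0, server.active - 1)


def build_demo(method: str) -> VirtualServer:
    """Constructed three-server configuration used by the demonstration."""
    vs = VirtualServer(method)
    vs.add(RealServer("A", "10.10.10.1", weight=3, max_connections=2))
    vs.add(RealServer("B", "10.10.10.2", weight=1))
    vs.add(RealServer("C", "10.10.10.3", weight=1))
    return vs


def failover_sequence() -> List[str]:
    """Ordered method: A, then B when A is down, C when B is down, A again."""
    vs = VirtualServer("ordered")
    for name in "ABC":
        vs.add(RealServer(name, "10.10.10." + str(ord(name) - 64)))
    a, b, _ = vs.servers
    seq = [vs.pick("192.0.2.10").name]
    a.alive = False
    seq.append(vs.pick("192.0.2.10").name)
    b.alive = False
    seq.append(vs.pick("192.0.2.10").name)
    a.alive = True
    seq.append(vs.pick("192.0.2.10").name)
    return seq   # ['A', 'B', 'C', 'A']


if __name__ == "__main__":
    print(failover_sequence())
    vs = build_demo("ordered")
    print([vs.pick("192.0.2.10").name for _ in range(3)])  # ['A', 'A', 'B']
    vs = build_demo("weighted")
    print([vs.pick("192.0.2.10").name for _ in range(5)])
```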

Maximum Connections: Enter the limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit. Setting Maximum Connections to 0 means that the FortiGate unit does not limit the number of connections to the real server.
Mode: Select a mode for the real server.

Health check monitors
You can specify which health check monitor configuration to use when polling to determine a virtual server’s connectivity status. Health check monitor configurations can specify TCP, HTTP or ICMP PING. Health check monitors are configured in Firewall > Load Balance > Health Check Monitor.

Health Check Monitor page
Lists each individual health check monitor that you created. On this page, you can edit, delete and create a new health check monitor.

Create New: Select to add a health check monitor configuration.
Name: The name of the health check monitor configuration. The names are grouped by the health check monitor types.
Details: The details of the health check monitor configuration, which vary by the type of the health check monitor, and do not include the interval, timeout, or retry, which are settings common to all types. This field is empty if the type of the health check monitor is PING.
Delete: Select to remove the health check monitor configuration. This option appears only if the health check monitor configuration is not currently being used by a virtual server configuration.
Edit: Select to change the health check monitor configuration.

Add New Health Check Monitor
Provides settings for configuring a health check monitor.

Name: Enter the name of the health check monitor configuration.
Type: Select the protocol used to perform the health check.
• TCP
• HTTP
• PING
Port: Enter the port number used to perform the health check. This option does not appear if the Type is PING. If you set the Port to 0, the health check monitor uses the port defined in the real server. This way you can use a single health check monitor for different real servers.
Interval: Enter the number of seconds between each server health check. A health check occurs every number of seconds indicated by the interval. If a reply is not received within the timeout period, and you have configured the health check to retry, it will attempt a health check again; otherwise, the virtual server is deemed unresponsive, and load balancing will compensate by disabling traffic to that server until it becomes responsive again.
URL: For HTTP health check monitors, add a URL that the FortiGate unit uses when sending a GET request to check the health of an HTTP server. The URL is optional. The URL should match an actual URL for the real HTTP servers. The URL would not usually include an IP address or domain name. Instead it should start with a “/” and be followed by the address of an actual web page on the real server. For example, if the IP address of the real server is 10.10.10.1, the URL “/test_page.htm” causes the FortiGate unit to send an HTTP GET request to “http://10.10.10.1/test_page.htm”. This option appears only if Type is HTTP.

Matched Content: For HTTP health check monitors, add a phrase that a real HTTP server should include in response to the GET request sent by the FortiGate unit using the content of the URL option. Matched content is only required if you add a URL. When the FortiGate unit receives the web page in response to the URL GET request, the system searches the content of the web page for the Matched Content phrase. If the URL returns a web page, the Matched Content should exactly match some of the text on the web page. For example, you can set Matched Content to “server test page” if the real HTTP server page defined by the URL option contains the phrase “server test page”. You can use the URL and Matched Content options to verify that an HTTP server is actually operating correctly by responding to GET requests with expected web pages. This option appears only if Type is HTTP.
Timeout: Enter the number of seconds which must pass after the server health check to indicate a failed health check.
Retry: Enter the number of times, if any, a failed health check will be retried before the server is determined to be inaccessible.

Monitoring the servers
You can monitor the status of each virtual server and real server and start or stop the real servers. The monitored servers can be viewed from Firewall > Load Balance > Monitor.

Monitor page
Lists each individual virtual server and real server that is currently being monitored by the FortiGate unit.

Virtual Server: The IP addresses of the existing virtual servers.
Real Server: The IP addresses of the existing real servers.
Health Status: Display the health status according to the health check results for each real server. A green arrow means the server is up. A red arrow means the server is down.
Monitor Events: Display each real server’s up and down times.
Active Sessions: Display each real server’s active sessions.
RTT (ms): Display the Round Trip Time of each real server. By default, the RTT is “<1”. This value will change only when ping monitoring is enabled on a real server.
Bytes Processed: Display the traffic processed by each real server.
Graceful Stop/Start: Select to start or stop real servers. When stopping a server, the FortiGate unit will not accept new sessions but will wait for the active sessions to finish.
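The HTTP health check monitor settings described above (Port 0 falling back to the real server's port, the URL requested with a GET, Matched Content checked in the returned page, and Timeout plus Retry deciding when a server is inaccessible) as an added Python model; this is not code from the guide or from FortiOS, the sample replies are constructed, and treating only a 2xx status as a healthy reply is the model's own assumption.

```python
"""Constructed model of a FortiGate-style HTTP health check monitor.

It applies the rules the guide gives for the monitor settings: Port 0 falls
back to the real server's port, the URL is a path requested with an HTTP GET,
Matched Content is only checked when a URL is set, a probe that gets no reply
within the timeout fails, and a failed check is retried `retry` times before
the server is determined to be inaccessible. Treating only a 2xx status as a
healthy reply is this model's assumption. Not FortiOS code.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HttpMonitor:
    name: str
    port: int = 0               # 0 = use the port configured on the real server
    interval: int = 10          # seconds between checks
    timeout: int = 2            # seconds without a reply = failed check
    retry: int = 3              # failed checks retried before the server is down
    url: str = ""               # optional path such as /test_page.htm
    matched_content: str = ""   # phrase the returned page must contain

    def target_port(self, real_server_port: int) -> int:
        return real_server_port if self.port == 0 else self.port

    def request(self, real_server_ip: str) -> bytes:
        """The GET request sent to the real server; the URL must be a path."""
        path = self.url or "/"
        if not path.startswith("/"):
            raise ValueError("URL must start with '/' (no scheme, host or IP)")
        return ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, real_server_ip)).encode()

    def check_passes(self, response: Optional[bytes]) -> bool:
        """Judge one probe. None stands for no reply within the timeout."""
        if response is None:
            return False
        head, _, body = response.partition(b"\r\n\r\n")
        parts = head.split(b" ", 2)
        if len(parts) < 2 or not parts[1].startswith(b"2"):
            return False
        if self.url and self.matched_content:
            # Matched Content must appear verbatim in the returned web page
            return self.matched_content.encode() in body
        return True


class ServerState:
    """Tracks one real server's health across successive probes."""

    def __init__(self, monitor: HttpMonitor):
        self.monitor = monitor
        self.failures = 0      # consecutive failed checks
        self.up = True

    def observe(self, response: Optional[bytes]) -> bool:
        if self.monitor.check_passes(response):
            self.failures = 0  # a good reply restores the server right away
            self.up = True
        else:
            self.failures += 1
            # one failure plus `retry` retries must fail before load balancing
            # stops sending traffic to the server
            if self.failures > self.monitor.retry:
                self.up = False
        return self.up


# constructed replies a real server might return to the GET request
GOOD_PAGE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b"<html><body>server test page</body></html>")
WRONG_PAGE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body>maintenance</body></html>")
SERVER_ERROR = b"HTTP/1.0 503 Service Unavailable\r\n\r\n"


def demo_sequence(monitor: HttpMonitor, replies) -> List[bool]:
    """Feed a list of replies (None = timeout) and return the up/down trail."""
    state = ServerState(monitor)
    return [state.observe(r) for r in replies]


if __name__ == "__main__":
    mon = HttpMonitor("web-check", url="/test_page.htm",
                      matched_content="server test page", retry=2)
    print(mon.request("10.10.10.1").decode().splitlines()[0])
    print(demo_sequence(mon, [GOOD_PAGE, None, None, None, WRONG_PAGE, GOOD_PAGE]))
```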


UTM
This section provides an introduction to the UTM menu. The following topics are included in this section:
• UTM overview
• AntiVirus
• Intrusion Protection
• Web Filter
• Email Filter
• Data Leak Prevention
• Application Control
• VoIP

UTM overview
The UTM menu provides a number of security features, such as antivirus or DoS sensors. This menu also includes profiles, which are applied to firewall policies. A profile is specific information that defines how the traffic within a policy is examined and what action is taken based on the examination. For more information about the UTM menu, such as how to configure antivirus settings, see the UTM chapter of the FortiOS Handbook.

The UTM menu contains the following seven features, and some of these features contain profiles which you can then apply to firewall policies:
• Antivirus – provides configuration settings for filtering and scanning viruses. This feature also contains settings for choosing an antivirus database that is suited to your network requirements, as well as quarantine settings. Profiles are available.
• Intrusion Protection – provides configuration settings for IPS sensors and DoS sensors, including creating customized signatures. You can also view detailed information about the predefined signatures. Default protocol decoders are available to view as well.
• Web filter – provides configuration settings for filtering web content, as well as enabling FortiGuard web filter and FortiGuard web filtering overrides. This feature also includes URL filter, local categories, override, and local ratings configuration settings. Profiles are available.
• Email filtering – also known as anti-spam, provides configuration settings for filtering and scanning banned words, IP addresses, and email addresses. Profiles are available.
• Data Leak Prevention (DLP) – provides configuration settings for creating DLP sensors, compound rules and rules. Instead of profiles, DLP sensors are applied to firewall policies.
• Application Control – provides configuration settings for creating application control black/white lists. You can also view detailed information about applications from the list of applications on the Application List page.

• VoIP – provides configuration settings for creating a profile, which you can then apply to a firewall policy. This profile also includes enabling logging of SIP and SCCP traffic as well as traffic violations.

AntiVirus
The following explains the antivirus options that you can configure in the Antivirus menu. For example, you can apply an antivirus profile to a firewall policy for HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP sessions. If your FortiGate unit supports SSL content scanning and inspection you can also configure antivirus protection for HTTPS, IMAPS, POP3S, and SMTPS sessions.

Note: If you are currently running FortiOS 4.0 MR2 and have configured the FortiGate unit to perform a deep inspection using explicit web proxy (HTTPS AV scanning), it will not work properly.

If you enable virtual domains (VDOMs) on the FortiGate unit, antivirus options are configured separately for each virtual domain. For more information, see “Using virtual domains” on page 79.

This topic includes the following:
• Profile
• File Filter
• Quarantine
• Quarantine configuration
• Virus Database

Profile
The Profile page allows you to configure antivirus profiles for applying to firewall policies. A profile is specific information that defines how the traffic within a policy is examined and what action may be taken based on the examination. You can create multiple antivirus profiles for different antivirus scanning requirements. For example, you create an antivirus profile that specifies only virus scanning for POP3 which you then apply to the out-going firewall policy. Antivirus profiles are configured in UTM > Antivirus > Profile.

Profile page
Lists each individual antivirus profile that you created. On this page, you can edit, delete or create a new antivirus profile. This page also allows you to configure quarantine settings for including a virus sender to the Banned User List.

Create New: When you select Create New, you are automatically redirected to the New Antivirus Profile page.
Edit: Select to modify settings to an antivirus profile. If you are editing an existing antivirus profile, you are redirected to the Edit Antivirus Profile page, which contains the same settings as in the New Antivirus Profile page.
Delete: Select to remove an antivirus profile.
Name: The name of the antivirus profile.
Comments: A description for the antivirus profile.

New Antivirus Profile page
Provides settings for configuring a new antivirus profile.

Name: Enter a name for the profile. If you are editing an existing antivirus profile and want to change the name, enter a new name in this field. You must select OK to save the changes.
Comment: Enter a description for the profile; this is optional. If you are editing an existing antivirus profile and want to change the description, enter the changes in this field. You must select OK to save these changes.
Virus Scan: Select any of the following to have the FortiGate unit scan for viruses when these protocols are used:
• HTTP
• FTP
• IMAP
• POP3
• SMTP
• NNTP
Select the Logging check box if you want logs for these events.
File Filter: Select any of the following to have the FortiGate unit scan using a file filter list when these protocols are used:
• HTTP
• FTP
• IMAP
• POP3
• SMTP
• NNTP
Select a filter from the Options drop-down list.
Quarantine Virus Sender (to Banned Users List): Select to enable and configure the sender quarantine. The sender who sent the virus will be put in the Banned Users List.
Method: Appears when Quarantine Virus Sender (to Banned Users List) is selected. Select Source IP address to block all traffic sent from the attacker’s IP address. The attacker’s IP address is also added to the banned user list. Select Virus’s Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list. The target address is not affected.
Expires: Appears when Quarantine Virus Sender (to Banned Users List) is selected. You can select whether the virus is banned indefinitely or for a specified number of days, hours, or minutes.

File Filter
The Filter menu allows you to configure filtering options that block specific file patterns and file types. The FortiGate unit can take either of these actions toward files that match a configured file pattern or type:
• Allow: the file is allowed to pass.
• Block: the file is blocked and a replacement message will be sent to the user. The FortiGate unit also writes a message to the virus log and sends an alert email message if configured to do so.

Files are compared to the enabled file patterns and then the file types from top to bottom. If a file does not match any specified patterns or types, it is passed along to antivirus scanning (if enabled). In effect, files are passed if not explicitly blocked. If both file filter and virus scan are enabled, the FortiGate unit blocks files that match the enabled file filter and does not scan these files for viruses.

Using the allow action, this behavior can be reversed with all files being blocked unless explicitly passed. Simply enter all the file patterns or types to be passed with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action. Allowed files continue to antivirus scanning (if enabled) while files not matching any allowed patterns are blocked by the wildcard at the end.

For standard operation, you can choose to disable file filter in the profile, and enable it temporarily to block specific threats as they occur.

File filter configuration
You can add multiple file filter lists to the antivirus profile. File filters are configured in UTM > Antivirus > File Filter. For details, see “File Filter” on page 301.

Configure the FortiGate file filter to block files by:
• File pattern: Files can be blocked by name, extension, or any other pattern. File pattern blocking provides the flexibility to block potentially harmful content.
• File type: Files can be blocked by type, without relying on the file name to indicate what type of files they are.

For file patterns, you can add a maximum of 5000 patterns to a list. In addition to the built-in patterns, you can specify more file patterns to block. File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending in .EXE.

The FortiGate unit is preconfigured with a default list of file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, and *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.scr)
• program information files (*.pif)
• control panel files (*.cpl)

For file types, you can select only from the supported types. When blocking by file type, the FortiGate unit analyzes the file and determines the file type regardless of the file name. The FortiGate unit can detect the following file types:

Table 50: Supported file types
activemime, arj, aspack, base64, bat, binhex, bzip, bzip2, cab, class, cod, elf, exe, fsg, gzip, hlp, hta, html, jad, javascript, lzh, mime, msc, msoffice, petite, prc, rar, sis, tar, upx, uue, zip, unknown, ignored

Note: The “unknown” type is any file type that is not listed in the table. The “ignored” type is the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio and video.
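The file filter evaluation described above (patterns before types, top to bottom, case-insensitive wildcard patterns, first match decides, unmatched files go on to virus scanning, and the reversed allow-list closed by a blocking *.*) as an added Python model; this is not code from the guide or from FortiOS, the sample files are constructed, and the content-based type detection is a small stand-in that recognises only a few of the supported types.

```python
"""Constructed model of the antivirus file filter evaluation described above.

Rules from the guide: enabled entries are compared top to bottom, file patterns
before file types; pattern matching is not case sensitive and accepts wildcards;
the first match decides (Allow or Block); a file matching nothing is passed on
to virus scanning. An allow list is closed by a blocking *.* wildcard. The
content-based type detection here is a small stand-in for the unit's detector
and covers only a few of the supported types. Not FortiOS code.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# leading bytes used by this model to recognise a handful of supported types
MAGIC = {
    b"MZ": "exe",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\x7fELF": "elf",
    b"\xd0\xcf\x11\xe0": "msoffice",
}


def detect_type(data: bytes) -> str:
    """Type is decided from content, regardless of the file name."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"   # anything not in the supported-type table


@dataclass
class Entry:
    kind: str            # "pattern" (file name pattern) or "type" (file type)
    value: str           # e.g. "*.exe", "*.xl?" or "msoffice"
    action: str          # "allow" or "block"
    enabled: bool = True


def evaluate(entries: List[Entry], filename: str,
             data: bytes) -> Tuple[str, Optional[Entry]]:
    """Return the outcome for one file: ('allow'|'block'|'scan', entry)."""
    active = [e for e in entries if e.enabled]
    # patterns are checked first, then types, each group top to bottom
    for kind in ("pattern", "type"):
        for entry in (e for e in active if e.kind == kind):
            if kind == "pattern":
                hit = fnmatchcase(filename.lower(), entry.value.lower())
            else:
                hit = detect_type(data) == entry.value
            if hit:
                return entry.action, entry
    return "scan", None   # passed along to antivirus scanning (if enabled)


# the guide's default block list, reduced to the entries this demo exercises
DEFAULT_BLOCK = [
    Entry("pattern", "*.exe", "block"),
    Entry("pattern", "*.xl?", "block"),
    Entry("type", "msoffice", "block"),
]

# the reversed, allow-list style the guide describes: pass only what is listed
ALLOW_LIST = [
    Entry("pattern", "*.pdf", "allow"),
    Entry("pattern", "*.txt", "allow"),
    Entry("pattern", "*.*", "block"),     # everything else is blocked here
]

# constructed sample files: (name, first bytes of content)
SAMPLES = [
    ("SETUP.EXE", b"MZ\x90\x00"),                 # upper case still matches *.exe
    ("budget.xls", b"\xd0\xcf\x11\xe0\xa1\xb1"),  # matched by the *.xl? pattern
    ("report.dat", b"\xd0\xcf\x11\xe0\xa1\xb1"),  # renamed Office file, caught by type
    ("notes.txt", b"plain text"),
]


def run(entries: List[Entry]) -> Dict[str, str]:
    """Outcome per sample file name for the given filter list."""
    return {name: evaluate(entries, name, data)[0] for name, data in SAMPLES}


if __name__ == "__main__":
    print(run(DEFAULT_BLOCK))
    print(run(ALLOW_LIST))
```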

File Filter page
Lists each individual file filter that you created. On this page, you can edit, delete or create a new file filter. This page also lists the file patterns and file types that were created for the file filter.

Create New: Select Create New to add a new file filter list to the catalog.
Name: The available file filter lists.
# Entries: The number of file patterns or file types in each file filter list.
DLP Rule: The DLP rules in which each filter is used.
Comments: An optional description of each file filter list.
Delete: Select to remove the file filter list from the catalog.
Edit: Select to edit the file filter.

New File Filter page
If you are editing a file filter, you are redirected to this page.

Note: The default file pattern list catalog is called builtin-patterns.

Name: File filter name. To change the name, edit the text in the name field and select OK.
Comment: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
OK: If you make changes to the list name or comments, select OK to save the changes.

File Filter Settings page
Provides settings for configuring multiple file patterns and file types that make up a file filter.

Create New: Select Create New to add a new file pattern or type to the file filter list.
Disable: Select to disable a file pattern or type.
Delete: Select to remove the file pattern or type from the list.
Edit: Select to edit the file pattern/type and action.
Move: Select to move the file pattern or type to any position in the list.
Filter: The current list of file patterns and types.
Action: Files matching the file patterns and types can be set to Block or Allow. For more information about actions, see “File Filter” on page 301.
Enable: Select to enable or disable the filter.
Filter Type: Select File Name Pattern or File Type.
File Type: Select a file type from the list. Appears only when File Type is selected in Filter Type.
Pattern: Enter the file pattern. The file pattern can be an exact file name or can include wildcards. The file pattern can be 80 characters long.
Action: Select an action from the drop down list: Block or Allow. For information about actions, see “File Filter” on page 301.
Enable: Clear the checkbox to disable the file pattern or type.

Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. Detailed information about the file is found in the log file, which is available for viewing in Log&Report > Archive Access > Quarantine. Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.

FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit, which are also available to view in Log&Report > Archive Access > Quarantine.

Quarantine configuration
You can configure quarantine options for HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also configure quarantine options for IMAPS, POP3S, and SMTPS traffic. Quarantine configuration is located in UTM > Antivirus > Quarantine. You can view these settings or modify them from the Quarantine Configuration page.

Quarantine Configuration page
Provides settings for configuring the actions the FortiGate unit takes when infected, suspicious, and blocked files are scanned for viruses. These settings are for the local disk or FortiAnalyzer unit.

Quarantine Infected Files: Select the protocols that you want the FortiGate unit to look at.
Quarantine Suspicious Files: Select the protocols that you want the FortiGate unit to look at.
Quarantine Blocked Files: Select the check boxes within the protocol columns that you want the FortiGate unit to look at.
Quarantine To: Select to enable storage of blocked, suspicious and infected files to a FortiAnalyzer unit or local disk. By default, the setting is set to None. You must select FortiAnalyzer if you want to store quarantine files.
Max Filesize to Quarantine: The maximum size of quarantined files in MB. Setting the size too large may affect performance. Appears only when either the FortiAnalyzer unit or local disk is selected as the storage location for quarantine files.
Disk Age Limit (only on FortiGate models with local disks): The time limit in hours which keeps files in quarantine. The age limit is used to formulate the value in the TTL column of the quarantined files list, located in Log&Report > Archive Access > Quarantine. When the limit is reached, the TTL column displays EXP and the file is deleted (although the entry in the quarantined files list is maintained). Entering an age limit of 0 (zero) means files are stored on the local disk indefinitely, depending on what action was chosen in Low Disk space.
Low Disk space: Select the action to take when the local disk is full: overwrite the oldest file or drop the newest file.
Enable AutoSubmit (appears only on FortiGate models with local disks): Select to enable the automatic submission feature.
Use File Pattern: Select to enable the automatic upload of files matching the file patterns in the AutoSubmit list.
Use File Status:
• Heuristics: Select to base the automatic upload of files on their Heuristic status.
• Block Pattern: Select to base the automatic upload of files on their Block Pattern status.

Virus Database
The FortiGate unit contains multiple antivirus databases for you to choose from, so that you can get the maximum protection that you need for your network environment. The Virus Database, located in UTM > Antivirus > Virus Database, is used to detect viruses in network traffic. The databases are available on the Virus Database page:
• Regular Virus Database

• Extended Virus Database
• Extreme Virus Database
• Flow-based Virus Database

The regular database includes “in the wild” viruses along with some commonly seen viruses on the network.

The extended database provides “in the wild” viruses as well as a large collection of zoo viruses that have not yet been seen in current virus studies. An enhanced security environment is best suited for this type of database.

The extreme antivirus database allows scanning for both “in the wild” and “zoo” viruses that are no longer seen in recent studies as well as all available signatures that are currently supported. The extreme database provides flexibility, providing the maximum protection without sacrificing performance, and is suited to an enhanced security environment. The extreme antivirus database is available only on FortiGate models that have AMC-enabled platforms and large capacity hard drives.

Flow-based virus scanning provides an alternative to the file-based virus scan while also providing better performance. The flow-based antivirus database helps to detect malware using IPS, providing better performance but lower coverage rates than the file-based virus scan. The flow-based database provides “in the wild” viruses as well as some commonly seen viruses on the network.

On the Virus Database page, you can also enable grayware detection. This grayware detection includes adware, dial, downloader, hacker tool, keylogger, RAT, and spyware. Grayware settings can only be enabled or disabled when running FortiOS 4.0 MR2 or higher on a FortiGate unit.

The FortiGuard AV definitions are updated automatically from the FortiGuard Distribution Network (FDN). The FortiGuard virus definitions are updated when the FortiGate unit receives a new version of FortiGuard antivirus definitions from the FDN. Automatic antivirus definition updates are configured from the FDN by going to System > Maintenance > FortiGuard. You can also update the antivirus definitions manually from the system dashboard by going to System > Dashboard > Status. The FortiGuard Center Virus Encyclopedia contains detailed descriptions of the viruses, worms, trojans, and other threats that can be detected and removed by your FortiGate unit using the information in the FortiGuard virus definitions.

If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure antivirus file filtering and antivirus settings in antivirus profiles separately for each virtual domain. For more information, see “Using virtual domains” on page 79.

Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly detection and prevention with low latency and excellent reliability. With Intrusion Protection, you can create multiple IPS sensors, each containing a complete configuration based on signatures. Then, you can apply any IPS sensor to a firewall policy. You can also create DoS sensors to examine traffic for anomaly-based attacks.

Note: If virtual domains are enabled, intrusion protection is configured separately for each virtual domain.

This topic contains the following:

• IPS Sensor
• DoS sensor
• Predefined
• Custom
• Protocol Decoder

IPS Sensor
You can group signatures into IPS sensors for easy selection when applying to firewall policies. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic. For example, you can specify all of the web-server related signatures in an IPS sensor, and that sensor can then be applied to a firewall policy that controls all of the traffic to and from a web server protected by the FortiGate unit. IPS sensors are configured in UTM > Intrusion Protection > IPS Sensor.

The FortiGuard Service periodically updates the pre-defined signatures, with signatures added to counter new threats. Since the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Each IPS sensor consists of two parts: filters and overrides. Overrides are always checked before filters.

Each filter consists of a number of signature attributes. All of the signatures with those attributes, and only those attributes, are checked against traffic when the filter is run. The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to all, which causes every signature to be included in the filter. If the severity is changed to high, and the target is changed to server, the filter includes only signatures checking for high priority attacks targeted at servers. If multiple filters are defined in an IPS Sensor, they are checked against the traffic one at a time, from top to bottom.

A signature override can modify the behavior of a signature specified in a filter. A signature override can also add a signature not specified in the sensor’s filters. Custom signatures are included in an IPS sensor using overrides.

The signatures in the overrides are first compared to network traffic. If the IPS sensor does not find any matches, it then compares the signatures in each filter to network traffic, one filter at a time, from top to bottom. If a match is found, the FortiGate unit takes the appropriate action and stops further checking. If no signature matches are found, the IPS sensor allows the network traffic.

IPS Sensor page
Lists each individual IPS sensor, either default or ones that you created. On this page you can edit, delete or create a new IPS sensor.

Create New: When you select Create New, you are automatically redirected to the New IPS Sensor page. This page provides a name field and comment field. You must enter a name to go to the IPS Sensor Settings page.
Name: The name of each IPS sensor.
Comments: An optional description of the IPS sensor.
all_defaults (default): Includes all signatures. The sensor is set to use the default enable status and action of each signature.

all_default_pass (default): Includes all signatures. The sensor is set to use the default enable status of each signature, but the action is set to pass.
protect_client (default): Includes only the signatures designed to detect attacks against clients and uses the default enable status and action of each signature.
protect_email_server (default): Includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols and uses the default enable status and action of each signature.
protect_http_server (default): Includes only the signatures designed to detect attacks against servers and the HTTP protocol and uses the default enable status and action of each signature.
Delete: Removes the IPS sensor from the list.
Edit: Edit an IPS sensor.

IPS Sensor Settings page
Provides settings for configuring multiple filters and overrides that make up an IPS sensor. The IPS Sensor Settings page also lists filters in the Filters section of the page, and overrides in the Override section of the page. You can also modify each filter from this area as well as create additional filters. You must select Add Pre-defined Override to add a pre-defined override to the sensor, and you need to select Add Custom Override to add a custom override to the sensor.

Name: If you are editing an existing IPS sensor and you want to change the name, enter a new name in the field. You must select OK to save the change.
Comments: If you are editing an existing IPS sensor and you want to change the description, enter the changes in the field. You must select OK to save the changes.
OK: Select to save changes that you have made to the list.
Enable Logging: Select to log the IPS filters and patterns. You can view these logs in Log&Report > Log Access.
Filters: This is the Filters section of the IPS Sensor Settings page. This section lists all the filters you have currently configured for the IPS sensor. For more information, see “Filters” on page 308.
Create New: Select to add a new filter. You can also use the Insert icon.
Edit: Select to modify the filter’s settings.
Delete: Select to remove a filter from the list.
Insert: Select to insert a new filter.
Move To: Select to move a filter within the list.
View Rules: Select to view the rules within a filter.
Name: The name of the filter that you created.
Severity: The severity level of the filter.
Target: The target specified for that filter.
Protocol: The type of protocol for that filter.
OS: The type of operating system.
Application: The software application, such as Adobe.
Enable: A green checkmark appears if you select Enable all within the filter’s settings. A gray x appears if you select Disable all.
Logging: A green checkmark appears if you select Enable all within the filter’s settings. If you select Disable all, a gray x appears.
Action: The type of action the FortiGate unit will take. This action can be Block, Pass, or Reset.
Count: The number of signatures included in the filter. Overrides are not included in the total.

Overrides: This is the Overrides section of the IPS Sensor Settings page. This section lists all the overrides you have currently configured for the IPS sensor. See “Pre-defined overrides and custom overrides” on page 309.
Edit: Select to modify either a custom override or pre-defined override.
Delete: Select to remove a custom override or pre-defined override.
Add Pre-defined Override: Select to add a pre-defined override. See “Pre-defined overrides and custom overrides” on page 309.
Add Custom Override: Select to add a custom override.

Filters

A filter is a collection of signature attributes that you specify. The signatures that have all of the attributes specified in a filter are included in the IPS sensor. An IPS sensor can contain multiple IPS filters. Filters are configured in the IPS sensor itself, located in UTM > Intrusion Protection > IPS Sensors. The following are the available options when configuring filters.

Edit IPS Filter page
Provides settings for configuring a filter. You are automatically redirected to this page when you select Create New in the Filters section of the IPS Sensor Settings page.

Name: Enter a name for the filter.
Severity: Select a severity level. You must specify a severity level if you do not want all severity levels.
Target: Select the type of system targeted by the attack.
OS: Select to specify the type of operating system, or select All to include all operating systems. The operating systems available include BSD and Solaris. Signatures with an OS attack attribute of All affect all operating systems, and these signatures are automatically included in any filter regardless of whether a single, multiple, or all operating systems are specified.
Protocol: Select to choose multiple protocols or all available protocols. To select specific protocols, select Specify, and then move each protocol that you want from the Available column to the Selected column using the -> arrow. To remove a protocol from the Selected column, select the protocol and then use the <- arrow to move the protocol back to the Available column.
Application: Select to choose multiple applications or all available applications. To select specific applications, select Specify, and then move each application that you want from the Available column to the Selected column using the -> arrow. To remove an application from the Selected column, select the application and then use the <- arrow to move the application back to the Available column.
Quarantine Attackers (to Banned Users List): Select if you want to add an attacker to the Banned Users List. Traffic from the attacker’s IP address is blocked because the attacker’s IP address is in the Banned Users List.
Method: Select Attacker’s IP Address to block all traffic sent from the attacker’s IP address. Select Attacker and Victim IP Addresses to block all traffic sent from the attacker IP address to the target (victim) IP address. The attacker and target IP addresses are added to the banned user list as one entry. Traffic from the attacker IP address to addresses other than the victim IP address is allowed. Select Attack’s Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list.
Logging: Select if you want to log the quarantined attacker’s information.

Expires: You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Signature Settings: Configure whether the filter overrides the following signature settings or uses the default settings in the signatures.
Enable: Select from the options to specify what the FortiGate unit will do with the signatures included in the filter: enable all, disable all, or enable or disable each according to the individual default values as shown in the signature list.
Logging: Select from the options to specify whether the FortiGate unit will create log entries for the signatures included in the filter: enable all, disable all, or enable or disable logging for each according to the individual default values shown in the signature list.
Action: Select from the options to specify what the FortiGate unit will do with traffic containing a signature match: block all, reset all, or block or pass traffic according to the individual values shown in the signature list.

Pre-defined overrides and custom overrides

Pre-defined and custom overrides are configured and work mainly in the same way as filters. Unlike filters, each override defines the behavior of one signature. When a pre-defined signature is specified in an override, the default status and action attributes have no effect. These settings must be explicitly set when creating the override.

Overrides can be used in two ways:
• Change the behavior of a signature already included in a filter. For example, to protect a web server, you could create a filter that includes and enables all signatures related to servers. If you wanted to disable one of those signatures, the simplest way would be to create an override and mark the signature as disabled.
• Add an individual signature that is not included in any filters to an IPS sensor. This is the only way to add custom signatures to IPS sensors.

Note: Before an override can affect network traffic, you must add it to a filter, and you must select the IPS sensor and then apply it to a policy. An override does not have the ability to affect network traffic until these steps are taken.

Predefined and custom overrides are configured in the IPS Sensor itself, located in UTM > Intrusion Protection > IPS Sensors. When configuring either a pre-defined override or a custom override, the following options are available regardless of which override you are configuring.

Configure IPS Override
Provides settings for configuring predefined overrides and custom overrides. You are automatically redirected to this page after selecting either Add Pre-defined Override or Add Custom Override in the Override section of the IPS Sensor Settings page.

Signature: Select the browse icon to view the list of available signatures. From this list, select a signature the override will apply to and then select OK.
Enable: Select to enable the signature override.
Action: Select Pass, Block or Reset. When the override is enabled, the action determines what the FortiGate will do with traffic containing the specified signature.
Logging: Select to enable creation of a log entry if the signature is discovered in network traffic.
Packet Log: Select to save packets that trigger the override to the FortiGate hard drive for later examination. For more information, see “Packet logging” on page 315.
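The evaluation order of an IPS sensor (overrides compared first, then filters top to bottom, first match decides) and the web-server override scenario above, modelled in Python as an added example that is not FortiOS code; all signature names, attribute values and payload patterns are constructed for illustration, and the treatment of a "both" target is an assumption of the model.

```python
"""Model of how an IPS sensor decides on traffic: overrides are compared first,
then filters top to bottom, and the first match stops further checking.
Added example, not FortiOS code; all signature names, attribute values and
payload patterns are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALL = "all"   # an attribute left at 'all' matches every signature


@dataclass(frozen=True)
class Signature:
    name: str
    severity: str
    target: str            # "server", "client" or "both"
    protocol: str
    os: str                # "All" means the signature affects every operating system
    application: str
    pattern: bytes         # constructed stand-in for the real signature body
    enabled: bool = True   # default enable status from the signature list
    action: str = "block"  # default action from the signature list


@dataclass
class Filter:
    name: str
    severity: str = ALL
    target: str = ALL
    protocol: str = ALL
    os: str = ALL
    application: str = ALL
    enable: str = "default"   # "enable_all", "disable_all" or "default"
    action: str = "default"   # "block_all", "reset_all" or "default"

    def includes(self, sig: Signature) -> bool:
        """A signature is included only when it matches every attribute.
        Signatures whose OS is 'All' are included whatever OS the filter names.
        Assumption of this model: a 'both' target counts for either target."""
        if self.severity != ALL and sig.severity != self.severity:
            return False
        if self.target != ALL and sig.target not in (self.target, "both"):
            return False
        if self.protocol != ALL and sig.protocol != self.protocol:
            return False
        if self.application != ALL and sig.application != self.application:
            return False
        return self.os == ALL or sig.os in (self.os, "All")


@dataclass
class Override:
    """Governs exactly one signature. The signature's default enable status
    and action have no effect here; both are set explicitly."""
    signature: Signature
    enable: bool
    action: str   # "pass", "block" or "reset"


@dataclass
class IpsSensor:
    name: str
    filters: List[Filter] = field(default_factory=list)
    overrides: List[Override] = field(default_factory=list)

    def count(self, flt: Filter, catalog: List[Signature]) -> int:
        """The Count column: signatures the filter includes; overrides excluded."""
        return sum(1 for sig in catalog if flt.includes(sig))

    def evaluate(self, payload: bytes, catalog: List[Signature]) -> Tuple[str, Optional[str]]:
        """Return (action, signature name) for the first match, else ("pass", None)."""
        overridden = {ov.signature.name for ov in self.overrides}
        # Overrides first. An override replaces the filters' treatment of its
        # signature, so an override with enable=False silences that signature.
        for ov in self.overrides:
            if ov.enable and ov.signature.pattern in payload:
                return ov.action, ov.signature.name
        # Then each filter, top to bottom; the first match stops checking.
        for flt in self.filters:
            for sig in catalog:
                if sig.name in overridden or not flt.includes(sig):
                    continue
                enabled = {"enable_all": True, "disable_all": False}.get(flt.enable, sig.enabled)
                if enabled and sig.pattern in payload:
                    action = {"block_all": "block", "reset_all": "reset"}.get(flt.action, sig.action)
                    return action, sig.name
        return "pass", None   # nothing matched: the sensor allows the traffic


def example_sensor() -> Tuple[IpsSensor, List[Signature]]:
    """The web-server scenario from the text: a filter enabling every server
    signature, an override disabling one signature that filter includes, and
    an override adding a custom signature (the only way custom signatures get in)."""
    catalog = [
        Signature("Example.HTTP.Overflow", "high", "server", "HTTP", "All", "Web_Server", b"EXPLOIT-A"),
        Signature("Example.HTTP.Scan", "medium", "server", "HTTP", "Linux", "Web_Server", b"SCAN-B", enabled=False),
        Signature("Example.Browser.Bug", "high", "client", "HTTP", "Windows", "Browser", b"CLIENT-C"),
    ]
    custom = Signature("Example.Custom.BadWords", "medium", "both", "TCP", "All", "All", b"bad words")
    sensor = IpsSensor("protect_web_example")
    sensor.filters.append(Filter("servers", target="server", enable="enable_all", action="block_all"))
    sensor.overrides.append(Override(catalog[1], enable=False, action="block"))
    sensor.overrides.append(Override(custom, enable=True, action="block"))
    return sensor, catalog
```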

Quarantine Attackers (to Banned Users List): Select to enable NAC quarantine for this override. The attacker’s IP address is also added to the banned user list. The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting. For more information about NAC quarantine, see “The Banned User list” on page 401.
Method: Select Attacker’s IP address to block all traffic sent from the attacker’s IP address. Select Attacker and Victim IP Addresses to block all traffic sent from the attacker IP address to the target (victim) IP address. The attacker and target IP addresses are added to the banned user list as one entry. Traffic from the attacker IP address to addresses other than the victim IP address is allowed. Select Attack’s Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list. The target address is not affected.
Logging: You can select to log the individual signature.
Expires: You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Exempt IP: Enter IP addresses to exclude from the override. The override will then apply to all IP addresses except those defined as exempt. The exempt IP addresses are defined in pairs, with a source and destination, and traffic moving from the source to the destination is exempt from the override.
Source: The exempt source IP address. Enter 0.0.0.0/0 to include all source IP addresses.
Destination: The exempt destination IP address. Enter 0.0.0.0/0 to include all destination IP addresses.
Add: Select to add other exempt IP addresses to the list in the table below Add.
#: The number identifying the order of the item in the list.
Source: The source IP address and netmask entered.
Destination: The destination IP address and netmask entered.
Delete: Select to remove an item in the list.

DoS sensor

The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. For example, one type of flooding is the denial of service (DoS) attack that occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. This type of attack gives the DoS sensor its name, although it is capable of detecting and protecting against a number of anomaly attacks.

Each sensor consists of 12 anomaly types that you can configure; for each, you configure the detection threshold and the action to take when the detection threshold is exceeded. When a sensor detects an anomaly, it applies the configured action. You can enable or disable logging for each traffic anomaly. The traffic anomaly detection list can be updated only when the FortiGate firmware image is upgraded.

You can create multiple DoS sensors. One sensor can be selected for use in each DoS policy, allowing you to configure the anomaly thresholds separately for each interface. Multiple sensors allow great granularity in detecting anomalies because each sensor can be configured for the specific needs of the interface it is attached to by the DoS policy.

Since an improperly configured DoS sensor can interfere with network traffic, no DoS sensors are present on a factory default FortiGate unit. You must create your own and then select them in a DoS policy before they will take effect. Thresholds for newly created sensors are preset with recommended values that you can adjust to meet the needs of your network.

Note: It is important to know normal and expected network traffic before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could allow otherwise avoidable attacks.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings must be configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

DoS Sensor page
Lists each default DoS sensor and each DoS sensor that you created. On this page, you can create, edit or delete a DoS sensor.

Create New: When you create a new DoS sensor, you are automatically redirected to the New DoS Sensor page. The New DoS Sensor page provides a name field and a comment field. You must enter a name to go to the Edit DoS Sensor page.
Name: The DoS sensor name.
Comments: An optional description of the DoS sensor.
Delete: Delete the DoS sensor.
Edit: Edit the following information: Action, Severity, threshold amount, and if logging should be enabled for the anomaly.

Edit DoS Sensor page
Provides settings for configuring the action type and threshold. If you are editing a DoS sensor, you are redirected to this page. There are twelve default anomalies to configure settings for. For more information about how these settings affect specific anomalies, see Table 51 on page 312 and “SYN threshold (preventing SYN floods using a DoS sensor)” on page 312.

Name: Enter or change the DoS sensor name.
Comments: Enter or change an optional description of the DoS sensor. This description will appear in the DoS sensor list.
Anomalies Configuration
Name: The name of the anomaly.
Enable: Select the check box to enable the DoS sensor to detect when the specified anomaly occurs. Selecting the check box in the header row will enable all anomalies.
Logging: Select the check box to enable the DoS sensor to log when the anomaly occurs. Selecting the check box in the header row will enable logging for all anomalies. Anomalies that are not enabled are not logged.
Action: Select Pass to allow anomalous traffic to pass when the FortiGate unit detects it, or set Block to prevent the traffic from passing.
Threshold: Displays the number of sessions/packets that must show the anomalous behavior before the FortiGate unit triggers the anomaly action (pass or block). If required, change the number. Range 1 to 2 147 483 647.

SYN threshold (preventing SYN floods using a DoS sensor)

The preferred primary defense against any type of SYN flood is the DoS sensor tcp_syn_flood threshold. The threshold value sets an upper limit on the number of new incomplete TCP connections allowed per second. If the number of incomplete connections exceeds the threshold value, and the action is set to Pass, the FortiGate unit will allow the SYN packets that exceed the threshold. If the action is set to Block, the FortiGate unit will block the SYN packets that exceed the threshold, but it will allow SYN packets from clients that send another SYN packet.

The tools attackers use to generate network traffic will not send a second SYN packet when a SYN+ACK response is not received from the server. These tools will not “retry”. Legitimate clients will retry when no response is received, and these retries are allowed even if they exceed the threshold with the action set to Block.

SYN proxy

FortiGate units with Fortinet security processing modules installed offer a third action for the tcp_syn_flood threshold when a module is installed. Instead of Block and Pass, you can choose to Proxy the incomplete connections that exceed the threshold value. When the tcp_syn_flood threshold action is set to proxy, incomplete TCP connections are allowed as normal as long as the configured threshold is not exceeded. If the threshold is exceeded, the FortiGate unit will intercept incoming SYN packets from clients and respond with a SYN+ACK packet. If the FortiGate unit receives an ACK response as expected, it will “replay” this exchange to the server to establish a communication session between the client and the server, and allow the communication to proceed.

Understanding the anomalies

For each of the TCP, UDP, and ICMP protocols, DoS sensors offer four statistical anomaly types. The result is twelve configurable anomalies, which are shown in Table 51.

Table 51: The twelve individually configurable anomalies

Anomaly: Description
tcp_syn_flood: If the SYN packet rate, including retransmission, to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
tcp_port_scan: If the SYN packet rate, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
tcp_src_session: If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed.
tcp_dst_session: If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
udp_flood: If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_scan: If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_src_session: If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed.
udp_dst_session: If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed.
icmp_flood: If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.

Table 51: The twelve individually configurable anomalies (Continued)

Anomaly: Description
icmp_sweep: If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_src_session: If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed.
icmp_dst_session: If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed.

Predefined

The FortiGate Intrusion Protection system can use signatures once you have grouped the required signatures in an IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should check their settings before using them, to ensure they meet your network requirements. You can view predefined signatures in UTM > Intrusion Protection > Predefined.

By using only the signatures you require, you can improve system performance and reduce the number of log messages and alert email messages that the IPS sensor generates. For example, if the FortiGate unit is not protecting a web server, web server signatures are not included. You can override the default settings of the signatures specified in an IPS sensor.

The predefined signature list also includes characteristics such as severity of the attack, protocol, and applications affected for each signature. These characteristics give you a quick reference to what the signature is for. You can also use these characteristics to sort the signature list. The signature list also displays the default action, the default logging status, and whether the signature is enabled by default.

Each signature name is a link to the vulnerability encyclopedia entry for the signature. The vulnerability encyclopedia describes the attack detected by the signature and provides recommended actions and links for more information. This encyclopedia also includes additional signatures not found in the Predefined menu.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings are configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

Predefined page
Lists each predefined signature that is currently on your FortiGate unit. The predefined signature list, located in UTM > Intrusion Protection > Predefined, includes signatures that are currently in the FortiGuard Center Vulnerability Encyclopedia, grouping signatures by common characteristics. The signatures are sorted by name, which is the default. When you select the name of the signature, you are automatically redirected to that signature’s detailed definition in the FortiGuard Center Vulnerability Encyclopedia. This page also indicates which signatures are enabled and which are disabled.

Clear All Filters: If you have applied filtering to the predefined signature list display, select this option to clear all filters and display all the signatures.
Filter: Edit the column filters to filter or sort the predefined signature list according to the criteria you specify. For more information, see “Adding filters to web-based manager lists” on page 26.
Column Settings: Select to customize the signature information displayed in the table. You can also readjust the column order. For more information, see “Using column settings to control the columns displayed” on page 28 and “Using filters with column settings” on page 29.
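The rate-based anomalies of Table 51 (tcp_syn_flood, tcp_port_scan, udp_flood, udp_scan, icmp_flood, icmp_sweep) and the tcp_syn_flood Block behaviour from “SYN threshold (preventing SYN floods using a DoS sensor)”, modelled over constructed traffic as an added example that is not FortiOS code. The concurrent-session anomalies are left out; thresholds, addresses and the whole-second counting window are assumptions of the model.

```python
"""Model of the packets-per-second anomalies of Table 51 and of the tcp_syn_flood
Block behaviour under "SYN threshold": SYNs over the threshold are dropped, but a
client that sends another SYN is let through. Added example, not FortiOS code;
packets, thresholds and addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    second: int         # whole-second timestamp; thresholds are packets per second
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    syn: bool = False   # TCP SYN, new or retransmitted


# anomaly name -> (protocol, address the per-second count is kept against)
RATE_ANOMALIES = {
    "tcp_syn_flood": ("tcp", "dst"),
    "tcp_port_scan": ("tcp", "src"),
    "udp_flood": ("udp", "dst"),
    "udp_scan": ("udp", "src"),
    "icmp_flood": ("icmp", "dst"),
    "icmp_sweep": ("icmp", "src"),
}


class DosSensor:
    def __init__(self, thresholds: Dict[str, int], actions: Dict[str, str], logging: Set[str]):
        self.thresholds = thresholds    # enabled anomaly -> packets per second
        self.actions = actions          # anomaly -> "pass" or "block"
        self.logging = logging          # anomalies with logging enabled
        self.counts = defaultdict(int)  # (anomaly, address, second) -> packets seen
        self.dropped_syn: Set[Tuple[str, str]] = set()   # (src, dst) whose SYN was dropped
        self.log: List[Tuple[int, str, str]] = []

    def inspect(self, pkt: Packet) -> str:
        """Return "pass" or "block" for one packet, updating counters and the log."""
        verdict = "pass"
        for name, (proto, side) in RATE_ANOMALIES.items():
            if name not in self.thresholds or pkt.proto != proto:
                continue   # anomaly not enabled, or wrong protocol
            if proto == "tcp" and not pkt.syn:
                continue   # the TCP rate anomalies count SYN packets only
            address = getattr(pkt, side)
            key = (name, address, pkt.second)
            self.counts[key] += 1
            if self.counts[key] <= self.thresholds[name]:
                continue   # within the allowed rate
            if name in self.logging:
                self.log.append((pkt.second, name, address))
            if self.actions.get(name) != "block":
                continue   # action Pass: anomaly noted, traffic allowed
            if name == "tcp_syn_flood":
                # Attack tools do not retry; legitimate clients do, and their
                # retries are allowed even while the threshold is exceeded.
                if (pkt.src, pkt.dst) in self.dropped_syn:
                    continue
                self.dropped_syn.add((pkt.src, pkt.dst))
            verdict = "block"
        return verdict


def syn_flood_scenario() -> Dict[str, object]:
    """Constructed traffic: 120 spoofed single-SYN sources hit one server within
    one second (threshold 100), then a legitimate client sends a SYN and retries."""
    sensor = DosSensor({"tcp_syn_flood": 100}, {"tcp_syn_flood": "block"}, {"tcp_syn_flood"})
    server = "203.0.113.10"   # documentation address, constructed
    flood = [Packet(0, "tcp", f"198.51.100.{i}", server, syn=True) for i in range(120)]
    blocked_flood = sum(sensor.inspect(p) == "block" for p in flood)
    client = Packet(0, "tcp", "192.0.2.7", server, syn=True)
    first = sensor.inspect(client)   # over the threshold: dropped
    retry = sensor.inspect(client)   # same client retries: allowed through
    return {"blocked_flood": blocked_flood, "first": first, "retry": retry, "logged": len(sensor.log)}
```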

Name: The name of the signature. Each name is also a link to the description of the signature in the FortiGuard Center Vulnerability Encyclopedia.
Severity: The severity rating of the signature. The severity levels, from lowest to highest, are Information, Low, Medium, High, and Critical.
Target: The target of the signature: servers, clients, or both.
Protocols: The protocol the signature applies to.
OS: The operating system the signature applies to.
Applications: The applications the signature applies to.
Enable: The default status of the signature. A green circle indicates the signature is enabled. A gray circle indicates the signature is not enabled.
Action: The default action for the signature: Pass – allows the traffic to continue without any modification. Drop – prevents the traffic with detected signatures from reaching its destination. If Logging is enabled, the action appears in the status field of the log message generated by the signature.

Tip: To determine what effect IPS protection will have on your network traffic, enable the required signatures, set the action to pass, and enable logging. Traffic will not be interrupted, but you will be able to examine, in detail, which signatures were detected.

Using display filters

By default, all the predefined signatures are displayed. You can apply filters to display only the signatures you want to view. For example, if you want to view only the Windows signatures, you can use the OS status filter. For more information, see “Adding filters to web-based manager lists” on page 26.

Custom

Caution: Custom signatures are an advanced feature. This document assumes the user has previous experience creating intrusion detection signatures.

Custom signatures provide the power and flexibility to customize the FortiGate Intrusion Protection system for diverse network environments. The FortiGate predefined signatures represent common attacks. If you use an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors. You can also create custom signatures to help you block P2P protocols.

Use custom signatures to block or allow specific traffic. For example, to block traffic containing profanity, add custom signatures similar to the following:

    set signature 'F-SBID (--protocol tcp; --flow bi_direction; --pattern "bad words"; --no_case)'

Custom signatures must be added to a signature override in an IPS filter to have any effect. Creating a custom signature is a necessary step, but a custom signature does not affect traffic simply by being created. After creating custom signatures, you need to specify them in IPS sensors that were created to scan traffic. Custom signatures are configured in UTM > Intrusion Protection > Custom.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings are configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.
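A small parser and matcher for the F-SBID custom signature syntax shown above, as an added example that is not FortiOS code: it handles only the four keywords the profanity example uses (--protocol, --flow, --pattern, --no_case), and the flow and payload matching are a simplified model; the real keyword set is larger.

```python
"""Parser and matcher for the custom signature syntax shown above:
F-SBID (--keyword value; --keyword value; ...). Added example, not FortiOS code.
Only --protocol, --flow, --pattern and --no_case are modelled; matching is a
plain substring search over a packet payload."""
import re
import shlex
from typing import Dict, Optional

SUPPORTED = {"protocol", "flow", "pattern", "no_case"}


def parse_fsbid(text: str) -> Dict[str, Optional[str]]:
    """Turn 'F-SBID (--protocol tcp; --pattern "bad words"; --no_case)' into
    {'protocol': 'tcp', 'pattern': 'bad words', 'no_case': None}."""
    m = re.fullmatch(r"\s*F-SBID\s*\((.*)\)\s*", text, re.S)
    if not m:
        raise ValueError("signature must be of the form F-SBID ( ... )")
    fields: Dict[str, Optional[str]] = {}
    for clause in m.group(1).split(";"):
        clause = clause.strip()
        if not clause:
            continue   # tolerate a trailing semicolon
        if not clause.startswith("--"):
            raise ValueError(f"keyword must start with --: {clause!r}")
        tokens = shlex.split(clause[2:])   # shlex keeps the quoted pattern together
        key, value = tokens[0], " ".join(tokens[1:]) or None
        if key not in SUPPORTED:
            raise ValueError(f"keyword not modelled here: --{key}")
        fields[key] = value
    if "pattern" not in fields:
        raise ValueError("--pattern is required for the signature to match anything")
    return fields


def matches(sig: Dict[str, Optional[str]], proto: str, payload: bytes, direction: str = "to_server") -> bool:
    """Apply a parsed signature to one packet. --flow bi_direction accepts both
    directions; any other flow value is compared with the packet's direction
    name (assumption of this model). --no_case makes the pattern case-insensitive."""
    if sig.get("protocol") and sig["protocol"].lower() != proto.lower():
        return False
    flow = sig.get("flow") or "bi_direction"
    if flow != "bi_direction" and flow != direction:
        return False
    needle = sig["pattern"].encode()
    if "no_case" in sig:
        return needle.lower() in payload.lower()
    return needle in payload


# The profanity signature from the text, as written on the page.
PROFANITY_SIG = 'F-SBID (--protocol tcp; --flow bi_direction; --pattern "bad words"; --no_case)'
```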

Custom page
Lists each custom signature that you created. On this page you can edit, delete or create a new custom signature.

Create New: When you select Create New, you are automatically redirected to the New Custom Signature page.
Edit: Select to modify the custom signature.
Delete: Select to remove a custom signature from the list on the page.
Name: The name of the custom signature.
Signature: The signature itself.

New Custom Signature page
Name: Enter a name for the custom signature.
Signature: Enter the signature.

Protocol Decoder

The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the HTTP protocol standards. You can view protocol decoders in UTM > Intrusion Protection > Protocol Decoder.

Upgrading the IPS protocol decoder list

The Intrusion Protection system protocol decoders are upgraded automatically through the FortiGuard Distribution Network (FDN) if existing decoders are modified or new decoders added. The FDN keeps the protocol decoder list up-to-date with protection against new threats such as the latest versions of existing IM/P2P as well as against new applications. The FortiGate unit automatically updates this list by contacting the FDN.

Protocol Decoder page
Displays a list of the current protocol decoders that are on your FortiGate unit. This list includes the port number that the protocol decoder monitors. The decoder list is provided for your reference and can be configured using the CLI. For more information, see the FortiGate CLI Reference.

Protocols: The protocol decoder name.
Ports: The port number or numbers that the decoder monitors.

Packet logging

Packet logging is a way you can debug custom signatures or how any signature is functioning in your network environment. Packet logs are enabled in either a pre-defined override or a custom override, within an IPS sensor. IPS sensors are located in UTM > Intrusion Protection > IPS Sensor. If a signature is selected in a custom override, and packet logging is enabled, the FortiGate unit will save any network packet triggering the signature to memory, the internal hard drive (if so equipped), a FortiAnalyzer, or the FortiGuard Analysis and Management Service. These saved packets can later be viewed and saved in PCAP format for closer examination.

Packet logging configuration

Packet logging saves the network packets matching an IPS signature to the attack log. The FortiGate unit saves the logged packets to wherever logs are configured to be stored, such as a FortiAnalyzer unit. After the FortiGate unit logs packets, you can view or save them. You can save logged packets as PCAP files. PCAP files can be opened and examined in network analysis software such as Wireshark.

Packet logging is available only in signature overrides. It is not an available option in IPS sensors or filters because enabling packet logging on a large number of signatures could produce an unusably large amount of data. This log type is for use as a type of diagnostic tool.

There are a number of CLI commands available to further configure packet logging. Since the packet containing the signature alone is sometimes not sufficient to troubleshoot a problem, the packet-log-history command allows you to specify how many packets are captured when an IPS signature is found in a packet. If the value is set to larger than 1, the packet containing the signature is saved in the packet log, as well as those preceding it, with the total number of logged packets equalling the value. For example, if packet-log-history is set to 7, the FortiGate unit will save the packet containing the IPS signature and the six before it.

Note: Setting packet-log-history to a value larger than 1 can affect the maximum performance of the FortiGate unit because network traffic must be buffered. The performance penalty depends on the model, the setting, and the traffic load.

When logging to memory, the packet-log-memory command defines the maximum amount of memory used to store logged packets. This command only takes effect when logging to memory.

Web Filter

The following explains the FortiGate web filtering options in the Web Filtering menu. A profile is specific information that defines how the traffic within a policy is examined and what action may be taken based on the examination. If your FortiGate unit supports SSL content scanning and inspection you can also configure web filtering for HTTPS traffic.

If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is configured separately for each virtual domain. For more information, see “Using virtual domains” on page 79.

This topic includes the following:
• Profile
• Web Content Filter
• URL Filter
• URL Filter Override
• Local Categories
• Local Ratings
• Reports

Profile

The Profile menu allows you to configure a web filter profile to apply to a firewall policy.

Web filter profiles are configured in UTM > Web Filter > Profile.

If you want to use the SSL Proxy exemption by FortiGuard category feature, you must enable this feature in the FortiGuard Web Filtering section of the New Web Filter Profile page. The SSL Proxy exemption feature allows a FortiGuard category to bypass proxy setup for connection to certain destinations that are based on a FortiGuard category. This web filtering check does not check if the connection should be exempted, and blocking or logging of traffic occurs in the HTTP proxy as normal.

Profile page
Lists each web filter profile that you created. On this page, you can edit, delete or create a new web filter profile.

Create New: Select to create a new web filter profile.
Edit: Select to modify settings of a web filter profile. When editing a web filter profile, you are redirected to the Edit Web Filter Profile page.
Delete: Select to remove a web filter profile.
Name: The name of the web filter profile.
Comments: A description given to the web filter profile.

New Web Filter Profile page
Provides settings for configuring a web filter profile.

Name: Enter a name for the web filter profile.
Comments: Enter a description for the web filter profile. This is optional.
Web Content Filter: Select the protocols to apply web content filtering to. If you want to enable Web Content Filter, you also need to have a web content filter. In the Options column, select the web content filter list from the drop-down list. To apply a threshold, enter a number in the Threshold field. To log web content filtering, select the check box in the Logging column.
Web URL Filter: Select the protocols to apply web URL filtering to. If you want to enable Web URL Filter, you must have a URL filter. In the Options column, select a URL filter list from the drop-down list. To log URL filtering, select the check box in the Logging column.
Safe Search: When enabled, the supported search engines exclude offensive material from search results. The search engines that you can enable this for are Google, Yahoo! and Bing. Strict filtering filters both explicit text and images. This is an optional setting.
Google: Select the check box in the Options column to enforce strict filtering levels of the safe search protection for Google searches.
Yahoo!: Select the check box in the Options column to enforce strict filtering levels of the safe search protection for Yahoo! searches.
Bing: Select the check box in the Options column to enforce strict filtering levels of the safe search protection for Bing searches.
FortiGuard Web Filtering: Enable and apply FortiGuard Web Filtering options to the profile. Select the check boxes for the protocols that you want to apply FortiGuard web filtering settings to. You can apply FortiGuard Quota settings as well. To enable SSL proxy exemption by FortiGuard category, select the SSL Exempt check box in the row of the category that you want to enable this for. Within Classification, you can also apply FortiGuard Quota settings.

FortiGuard Web Filtering Override: Enable to allow FortiGuard Web Filtering override options for the profile. These options are for users who may require access to web sites that are blocked by FortiGuard web filtering. Select the check boxes for the protocols that you want to apply web filtering overrides to. You must select the protocol or the options will be inaccessible. If you want to log these options, select the check box in the Logging column. If you want to specify the amount of time users are allowed to browse each type of web category, select Enable in the FortiGuard Web Quota area of FortiGuard Web Filtering Override.
Override Scope: Select one of the scopes in the drop-down list.
Override Type: Select one of the types from the drop-down list.
Off-site URLs: This option defines whether the override web page will display the images and other contents from the blocked offsite URLs. For example, all FortiGuard categories are blocked, and you want to visit a site whose images are served from a different domain. You can create a directory override for the site and view the page. If the offsite feature was set to deny, all the images on the page will appear broken because they come from a different domain for which the existing override rule does not apply. The users will not be able to view any pages on the sites where the images come from (unless the pages are served from the same directory as the images themselves) without having to create a new override rule. If you set the offsite feature to allow, the images on the page will then show up. Only users that apply under the scope for the page override can see the images from the temporary overrides.
Override Time: Specify when the override rule will end. You can specify the length of time in hours, minutes, or seconds.
User Group: If you have specified User Group in Override Scope, select the user group in the Available column and move that group to the Selected column.
Advanced Filter: Select from the available advanced filter options. For the HTTP POST Action row, select an action from the Option drop-down list.

Web Content Filter

Web Content Filter allows you to configure lists containing specific words or patterns that control access to web pages. With web content filter enabled in a firewall policy, every requested web page is checked against the content filter list. For each pattern you can select Block or Exempt. Block blocks access to a web page that matches the pattern. For example, no one can access any web pages with the word Example in it. Exempt allows access to the web page even if other entries in the list would block access to the page.

The score value of each pattern appearing on the page is added, and if the total is greater than the threshold value set in the web filter profile, the page is blocked. The score for a pattern is applied only once even if it appears on the page multiple times. The maximum number of patterns in the list is 5000.

Web content patterns can be one word or a text string up to 80 characters long. You can also enter wildcards or Perl regular expressions to filter web content. For more information about wildcards and Perl regular expressions, see “Using wildcards and Perl regular expressions” on page 335.

Note: Perl regular expression patterns are case sensitive for the Web content filter. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.
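As an added example (not part of the FortiGate documentation or product code), the scoring rules above in Python: wildcard patterns match case-insensitively as a word, any word of a phrase, or a whole quoted phrase; regular expressions are case sensitive unless written /.../i; each pattern's score counts once; an Exempt match overrides every Block match; and the page is blocked when the total reaches the threshold. The text states both "greater than" and "equals or exceeds" for the threshold test, and because the default score 10 and threshold 10 are said to block on a single match, the example uses "equals or exceeds". The Pattern class, helper names, sample list and sample page text are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Pattern:
    """One entry of a web content filter list (New Pattern page fields)."""
    text: str                   # word, phrase, "quoted phrase", wildcard or /regex/i
    ptype: str = "wildcard"     # "wildcard" or "regex"
    action: str = "block"       # "block" or "exempt"
    score: int = 10             # default score is 10
    enabled: bool = True


def _wildcard_regex(term: str):
    """Translate a wildcard term (* and ?) into a case-insensitive regex;
    wildcard patterns are not case sensitive."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in term)
    return re.compile(body, re.IGNORECASE)


def _compile(p: Pattern) -> list:
    """Return the regexes to search for p; any one hit counts as a match."""
    text = p.text.strip()
    if p.ptype == "regex":
        # Perl regexes are case sensitive unless written /.../i.
        m = re.fullmatch(r"/(.*)/([a-z]*)", text, re.DOTALL)
        body, flags = (m.group(1), m.group(2)) if m else (text, "")
        return [re.compile(body, re.IGNORECASE if "i" in flags else 0)]
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return [_wildcard_regex(text[1:-1])]          # quoted phrase: whole phrase
    return [_wildcard_regex(t) for t in text.split()]  # phrase: any word in it


def matches(p: Pattern, page: str) -> bool:
    return any(rx.search(page) for rx in _compile(p))


def evaluate(patterns: List[Pattern], page: str,
             threshold: int = 10) -> Tuple[bool, int, List[str]]:
    """Score a page against the list. Returns (blocked, total_score, matched)."""
    total, matched, exempt = 0, [], False
    for p in patterns:
        if not p.enabled or not matches(p, page):
            continue
        matched.append(p.text)
        if p.action == "exempt":
            exempt = True            # an Exempt hit overrides all Block hits
        else:
            total += p.score         # counted once, however often it appears
    blocked = (not exempt) and total >= threshold
    return blocked, total, matched


# Constructed sample list and page text (not from the documentation).
SAMPLE_LIST = [
    Pattern("Example"),                               # wildcard word, score 10
    Pattern("/bad language/i", "regex", score=5),     # case-insensitive regex
    Pattern("gambl*", score=5),                       # wildcard prefix
    Pattern('"safe harbor"', action="exempt"),        # quoted phrase, exempt
]
SAMPLE_PAGE = "Example page: EXAMPLE example. Bad Language and gambling tips."

if __name__ == "__main__":
    print(evaluate(SAMPLE_LIST, SAMPLE_PAGE, threshold=15))
    print(evaluate(SAMPLE_LIST, SAMPLE_PAGE + " safe harbor", threshold=15))
```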

Web content filters are configured in UTM > Web Filter > Web Content Filter.

Web Content Filter page
Lists each individual web content filter that you created. On this page, you can edit, delete or create new web content filters.

Create New: When you select Create New, you are automatically redirected to the New List page. The New List page provides a name field and comment field. You must enter a name to go to the Web Content Filter List page.
Name: The name of the web content filter list.
# Entries: The number of content patterns in each web content filter list.
Comments: Optional description of each web content filter list.
Delete: Remove a web content filter from the page.
Edit: Modify a web content filter. When you select Edit, you are automatically redirected to the Web Content Filter Settings page.

Web Content Filter Settings page
Provides settings for configuring multiple patterns which make up a web content filter, and also lists the patterns you created for that web content filter. You are automatically redirected to this page from the New List page. If you are editing a web content filter, you are also redirected to this page.

Name: If you are editing an existing web content filter and want to change the name, enter a new name in this field. You must select OK to save the change.
Comments: If you are editing an existing web content filter and want to change the description, enter a new description in this field. The comment text must be less than 63 characters long; otherwise, it will be truncated. You must select OK to save these changes.
OK: Select only when you have changed the name in the Name field or added a description (as well as changes) in the Comments field. If you want to change the description, enter the changes here as well.
Create New: Select to configure a new pattern for the web content filter. When you select Create New, you are automatically redirected to the New Pattern page.
Enable: Indicates whether the pattern is enabled or disabled.
Pattern: The current list of patterns that were created for the web content filter.
Pattern Type: The pattern type used in the pattern list entry. Pattern type can be wildcard or regular expression.
Language: The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, Japanese, Korean, French, Thai, Spanish, Cyrillic, or Western.
Action: Action can be either block or exempt.
Score: A numerical weighting applied to the pattern. The score values of all the matching patterns appearing on a page are added, and if the total is greater than the threshold value set in the web filter profile, the page is blocked. The score value is not applied when Action is set to Exempt.
Page Controls: Use the page controls to view all web content filters within the Web Content Filter Settings page.
Edit: Modify the pattern in the list.
Delete: Remove the pattern in the list.
Enable: Enable the pattern so that it will be used in the list.
Disable: Disable the pattern so that it will not be used in the list.
Remove All Entries: When selected, all patterns within the list are removed.

New Pattern page

Pattern: Enter the content pattern. Web content patterns can be one word or a text string up to 80 characters long. For a single word, the FortiGate unit checks all web pages for that word. For a phrase, the FortiGate unit checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Pattern Type: Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language: The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, Japanese, Korean, French, Thai, Spanish, Cyrillic, or Western.
Action: Select one of:
  Block: If the pattern matches, the page is blocked.
  Exempt: If the pattern matches, the web page will not be blocked even if there are matching Block entries.
Score: Enter a score for the pattern. When a web page is matched with an entry in the content block list, the score is recorded. If a web page matches more than one entry the score for the web page increases. The page is blocked if the total score of the web page exceeds the web content block threshold defined in the web filter profile. For more information, see “Web Filter” on page 316. When you add a web content list to a web filter profile you configure a web content filter threshold for the profile. When a web page is matched with an entry in the content block list, the Score is added to the total for the web page. When the total score for a web page equals or exceeds the threshold, the page is blocked. The default score for a content list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages are blocked only if there are multiple matches.
Enable: Select to enable the entry.

HTTP and FTP client comforting

In general, client comforting provides a visual display of progress for web page loading or HTTP or FTP file downloads. The client is the web browser or FTP client. Client comforting does this by sending the first few packets of the file or web page being downloaded to the client at configured time intervals so that the client is not aware that the download has been delayed. The appearance of a client comforting message (for example, a progress bar) is client-dependent. In some instances, there will be no visual client comforting cue.

Without client comforting, clients and their users have no indication that the download has started until the FortiGate unit has completely buffered and scanned the download. During this delay users may cancel or repeatedly retry the transfer, thinking it has failed.

Caution: Client comforting can send unscanned and therefore potentially infected content to the client. You should only enable client comforting if you are prepared to accept this risk. Keeping the client comforting interval high and the amount low will reduce the amount of potentially infected data that is downloaded.

During client comforting, if the file being downloaded is found to be infected, then the FortiGate unit caches the URL and drops the connection. The client does not receive any notification of what happened because the download to the client had already started. Instead the download stops, and the user is left with a partially downloaded file.

If the user tries to download the same file again within a short period of time, then the cached URL is matched and the download is blocked. The client receives the Infection cache message replacement message as a notification that the download has been blocked. The number of URLs in the cache is limited by the size of the cache.

FTP and HTTP client comforting steps

The following steps show how client comforting works for an FTP or HTTP download of a 10 Mbyte file with the client comforting interval set to 20 seconds and the client comforting amount set to 512 bytes.

1 The FTP or HTTP client requests the file.
2 The FortiGate unit buffers the file from the server. The connection is slow, so after 20 seconds about one half of the file has been buffered.
3 The FortiGate unit continues buffering the file from the server, and also sends 512 bytes to the client.
4 After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file to the client.
5 When the file has been completely buffered, the client has received the following amount of data: ca * (T/ci) bytes == 512 * (40/20) == 512 * 2 == 1024 bytes, where ca is the client comforting amount, T is the buffering time and ci is the client comforting interval.
6 FTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate unit closes the data connection and sends the FTP Virus replacement message to the client.
  HTTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate unit closes the data connection but cannot send a message to the client.

Character sets and Web content filtering, Email filtering banned word, and DLP scanning

The FortiGate unit converts HTTP, HTTPS, and email content to the UTF-8 character set before applying email filtering banned word checking, web filtering and DLP content scanning as specified in the web filter profile.

For HTTP get pages, the FortiGate unit converts the content to UTF-8 encoding according to the character set specified for the page before applying web content filtering and DLP scanning.

For email messages, while parsing the MIME content, the FortiGate unit converts the content to UTF-8 encoding according to the email message charset field before applying Email filtering banned word checking and DLP scanning.

For HTTP post pages, because character sets are not always accurately indicated in HTTP posts, you can use the following CLI command to specify up to five character set encodings.

  config firewall profile
    edit <profile_name>
      set http-post-lang <charset1> [<charset2> ... <charset5>]
  end

Caution: Specifying multiple character sets reduces web filtering and DLP performance.

The FortiGate unit performs a forced conversion of HTTP post pages to UTF-8 for each specified character set. After each conversion the FortiGate unit applies web content filtering and DLP scanning to the content of the converted page. You can add up to 5 character set names. Separate multiple character set names with a space. To view the list of available character sets, enter set http-post-lang ? from within the edit shell for the web filter profile.

URL Filter

Allow or block access to specific URLs by adding them to the URL filter list. Add patterns using text and regular expressions (or wildcard characters) to allow or block URLs. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message.

You can add the following to block or exempt URLs:
• complete URLs
• IP addresses
• partial URLs to allow or block all sub-domains

Each URL filter list can have up to 5000 entries. You can add multiple URL filter lists and then select the best URL filter list for each profile.

Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.

URL filters are configured in UTM > Web Filter > URL Filter.

URL Filter page
Lists each URL filter that you created. On this page, you can edit, delete or create a new URL filter.

Create New: When you select Create New, you are automatically redirected to the New List page. This page provides a name field and comment field. You must enter a name to go to the URL Filter Settings page.
Name: The available URL filter lists.
# Entries: The number of URL patterns in each URL filter list.
Comment: Optional description of each URL filter list.
Delete: Select to remove the URL filter list from the catalog. The Delete icon is only available if the URL filter list is not selected in any profiles.
Edit: Select to edit the URL filter list.

URL Filter Settings page
Provides settings for configuring URLs that make up the URL filter, and also lists the URLs that you created. You are automatically redirected to this page from the New List Page. If you are editing a URL filter, you are automatically redirected to this page.

Name: If you are editing an existing URL filter setting and want to change the name, enter a new name in this field. You must select OK to save the change.
Comments: If you are editing an existing URL filter setting and want to change the description, enter the changes in this field. You must select OK to save these changes.
OK: Select to save the changes you made to the list, list name, or list comment.
Create New: Select to add a URL to the URL filter list.
Edit: Select to change the settings.

Delete: Select to delete an entry from the list.
Enable: Select to enable a filter in the list.
Disable: Select to disable a filter in the list.
Move: Select to open the Move URL Filter dialog box and configure where the URL will be positioned in the list.
Remove All Entries: Select to remove all filter entries within the list.

New URL Filter page
URL: Enter the URL. Do not include http://. For details about URL formats, see “URL formats” on page 323.
Type: Select a type from the drop-down list: Simple, Regex (regular expression), or Wildcard.
Action: Select an action the FortiGate unit will take.
  Allow: Any attempt to access a URL that matches a URL pattern with an allow action is permitted.
  Block: Attempts to access any URLs matching the URL pattern are denied. The user is presented with a replacement message.
  Pass: Traffic to, and reply traffic from, sites that match a URL pattern with a pass action will bypass all antivirus proxy operations, including FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning. Make sure you trust the content of any site you pass, otherwise there may be a security risk.
  Exempt: Similar to Pass in that it allows trusted traffic to bypass the antivirus proxy operations, but it functions slightly differently. URLs with an action set to exempt are not scanned for viruses. If users on the network download files through the FortiGate unit from a trusted web site, add the URL of this website to the URL filter list with an action set to exempt so the FortiGate unit does not virus scan files downloaded from this URL. Ensure you are aware of the network topology involving the URLs that you applied the Exempt action to. Additional information about the Exempt action is found in the UTM chapter of the FortiOS Handbook.
Enable: Select to enable the URL.

URL formats

When adding a URL to the URL filter list (see “URL Filter” on page 322), follow these rules.

How URL formats are detected when using HTTPS
If your FortiGate unit does not support SSL content scanning and inspection, or if you have selected the URL filtering option in the web content profile for HTTPS content filtering mode under Protocol Recognition, filter HTTPS traffic by entering a top level domain name. HTTPS URL filtering of encrypted sessions works by extracting the CN from the server certificate during the SSL negotiation. Since the CN only contains the domain name of the site being accessed, web filtering of encrypted HTTPS sessions can only filter by domain names. If your FortiGate unit supports SSL content scanning and inspection and if you have selected Deep Scan, you can filter HTTPS traffic in the same way as HTTP traffic.

How URL formats are detected when using HTTP
• Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site.
  Tip: Type a top-level domain suffix (for example, “com” without the leading period) to block access to all URLs with this suffix.

example. www.fortinet.com to the filter list. add example.0 MR2 Administration Guide 01-420-89802-20100507 http://docs. The administrative overrides are not cleaned up when they expire and you can reuse these override entries by extending their expiry dates.finance. You can also disable individual overrides within the list. Select to modify the settings of an administrative override.html or 192. example.com. • • Override You can modify FortiGuard web filtering overrides for users who may require access to web sites that are blocked by FortiGuard web filtering. Administration Overrides and User Overrides. Control access to all URLs that match patterns created using text and regular expressions (or wildcard characters).* matches example. Edit Name Administrative Overrides User Overrides Select to change an override’s settings. You can also create new overrides within the Administrative Overrides group.com. in UTM > Web Filter > Override. Administrative overrides are accessed on the Override page. or category. If you want to modify or create new rules for the Administrative Override list. Overrides are modified in UTM > Web Filter > Override. FortiGate URL filtering supports standard regular expressions.example. For example. example. For example. The name of the override setting.example.Web Filter UTM • Enter a top-level URL followed by the path and filename to control access to a single page on a web site. a link appears on the block page directing the user to an authentication form. Administrative overrides Administrative override rules can be modified to allow access to blocked web sites based on directory. You can modify and add new overrides to each default override. located on the Override page. Administrative Overrides page Lists each individual rule that you created for the Administrative Override. or delete all overrides within the list.example. When a user attempts to access a blocked site. delete or create a new override. and so on. adding example. 
Create New Edit Select to add a new override rule to the list. See “Administrative overrides” on page 324. Override page Lists the two default overrides.com/news. The user overrides that you can modify. Administrative are backed up with the main configuration and managed by the system. You can create administrative overrides using both the CLI and the web-based manager. www. mail. On this page.com.net and so on.org. The user can enter a user name and password to override the FortiGuard web filtering for the the web site. To control access to all pages with a URL that ends with example.144. This is not available for User Overrides. you can edit.com. if override is enabled in the user’s user group. example.com/ • Feedback .com. For example. 324 FortiGate Version 4. The administrative overrides that you can either modify or add administrative overrides to.com controls access to www.html controls the news page on this web site. See “User overrides” on page 325. Creating new overrides is not supported. domain name.155/news. you must access Administrative Overrides.168.

Delete: Select to remove an administrative rule.
Enable: Select to enable an administrative rule.
Disable: Select to disable an administrative rule.
Remove All Entries: Select to remove all administrative override entries within the list.
#: The number identifying the order of the rule in the list.
URL/Category: The URL or category to which the rule applies.
Scope: The user or user group who may use the rule.
Off-site URLs: A green check mark indicates that the off-site URL option is set to Allow, which means that the override web page will display the contents from off-site domains. A gray cross indicates that the off-site URL option is set to Block, which means that the override web page will not display the contents from off-site domains.
Initiator: The creator of the override rule.
Expiry Date: The expiry date of the override rule.
Page Controls: Use to navigate through lists on the page.

New Override Rule page
Type: Select Directory, Exact Domain or Categories. If you select Categories, web filtering category options appear, including classifications.
URL: Enter the URL or the domain name of the website.
Scope: Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User Group: Select a user group from the drop-down list. User groups must be configured before FortiGuard Web Filtering configuration. For more information, see “User Group” on page 390.
User: Enter the name of the user selected in Scope.
IP: Enter the IP address in the field. This is for IPv4 addresses.
IPv6: Enter the IPv6 address in the field.
Off-site URLs: This option defines whether the override web page will display the images and other contents from the blocked offsite URLs. For example, all FortiGuard categories are blocked, and you want to visit a site whose images are served from a different domain. You can create a directory override for the site and view the page. If the offsite feature was set to deny, all the images on the page will appear broken because they come from a different domain for which the existing override rule does not apply. The users will not be able to view any pages on the sites where the images come from (unless the pages are served from the same directory as the images themselves) without having to create a new override rule. If you set the offsite feature to allow, the images on the page will then show up. Only users that apply under the scope for the page override can see the images from the temporary overrides.
Override End Time: Specify when the override rule will end using the available time options.

For more information, see “Administrative overrides” on page 324.

User overrides

Entries are added to the User Overrides list when a user authenticates to enable a user override. User overrides are not backed up as part of the FortiGate configuration. Administrators can view and delete user overrides. These overrides are also purged when they expire.

User overrides are accessed on the Override page, in UTM > Web Filter > Override. You cannot add new overrides to the list. You cannot modify the entries in the list on the Override page, only remove them from the list. For more information, see “Administrative overrides” on page 324.

User Override page
Lists each individual authentication user.

Delete: Select to remove a user override setting.
Enable: Select to enable a user override.
Disable: Select to disable a user override.
Remove All Entries: Select to remove all user overrides from the list.
#: The number identifying the order of the item in the list.
Enable: A green checkmark appears if the user override was enabled. A gray x appears if the user override is disabled.
URL/Category: The URL or category to which the override applies. Select the gray funnel to open the Category Filter dialog box. When the list has been filtered, the funnel changes to green. The category or classification in which the URL has been placed is shown; if the URL is rated in more than one category or classification, trailing dots appear.
Scope: The user or user group who may use the override.
Off-site URLs: A green check mark indicates that the off-site URL option is set to Allow, which means that the override web page will display the contents from off-site domains. A gray cross indicates that the off-site URL option is set to Block, which means that the override web page will not display the contents from off-site domains.
Initiator: The creator of the override rule.
Expiry Date: The expiry date of the override rule.

Local Categories

User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. Users can create user-defined categories, then specify the URLs that belong to the category. Users can rate URLs based on the local categories. The local ratings override the FortiGuard server ratings and appear in reports as “Local Category”. The ratings are included in the global URL list with associated categories and compared in the same way the URL block list is processed. The categories defined here appear in the global URL category list when configuring a web filter profile. This allows users to block groups of web sites on a per profile basis.

Note: If virtual domains are enabled on the FortiGate unit, web filtering features are configured globally. To access these features, select Global Configuration on the main menu.

Local categories are configured in UTM > Web Filter > Local Categories. Local categories are created when you enter the local category in the Create New field. You cannot modify a local category.

Local Categories page
Lists the individual local categories that you created.

Local categories / Create New: Enter a local category name in the field and then select Create New.
Delete: Select to remove the local category from the list.
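As an added example (not the documentation's or the product's own code), the URL filter entry types, actions and URL formats of the URL Filter section above in Python: the list is evaluated top to bottom and the first matching entry's action is returned; Simple entries cover a host or IP address with all its sub-domains or a single page path, a bare suffix such as com covers every host ending in it, Regex entries are searched anywhere, and Wildcard entries must match the whole scheme-less URL. For HTTPS without deep scan only the certificate CN is known, so only the host is compared, page-level entries cannot apply, and non-HTTP schemes such as ftp:// are never matched. The first-match ordering, the UrlFilter class, the sample list and the sample URLs are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class UrlFilter:
    """One entry of a URL filter list (New URL Filter page fields)."""
    pattern: str            # entered without http://
    ftype: str = "simple"   # "simple", "regex" or "wildcard"
    action: str = "block"   # "allow", "block", "pass" or "exempt"
    enabled: bool = True


def _split(url: str):
    """Return (scheme, host, path) of a request URL with the host lower-cased."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.path or "/"


def _host_matches(host: str, entry_host: str) -> bool:
    # example.com covers www.example.com and mail.example.com; a bare
    # suffix such as "com" covers every host ending in .com.
    return host == entry_host or host.endswith("." + entry_host)


def _simple_matches(pattern: str, host: str, path: str, https: bool) -> bool:
    entry_host, _, entry_path = pattern.lower().partition("/")
    if not _host_matches(host, entry_host):
        return False
    if not entry_path:
        return True          # top-level URL, IP or suffix: all pages on the site
    if https:
        return False         # only the CN (domain) is visible, so no page match
    return path.lstrip("/").lower().startswith(entry_path)


def _wildcard_regex(pattern: str):
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(body, re.IGNORECASE)


def match_url(filters: List[UrlFilter], url: str) -> Optional[str]:
    """Return the action of the first enabled entry that matches, else None."""
    scheme, host, path = _split(url)
    if scheme not in ("http", "https"):
        return None          # URL filtering does not cover ftp:// and the like
    https = scheme == "https"
    subject = host if https else host + path   # HTTPS: domain from the CN only
    for f in filters:
        if not f.enabled:
            continue
        if f.ftype == "simple":
            hit = _simple_matches(f.pattern, host, path, https)
        elif f.ftype == "wildcard":
            hit = _wildcard_regex(f.pattern).fullmatch(subject) is not None
        else:  # regex
            hit = re.search(f.pattern, subject, re.IGNORECASE) is not None
        if hit:
            return f.action
    return None


# Constructed sample list; order matters because the first match wins.
SAMPLE_FILTERS = [
    UrlFilter("www.example.com/news.html", "simple", "block"),  # one page
    UrlFilter("example.com", "simple", "allow"),                # whole site
    UrlFilter("downloads.example.org", "simple", "exempt"),     # no AV scan
    UrlFilter("example.*", "regex", "block"),                   # example.net, ...
    UrlFilter("*.badsite.test/*", "wildcard", "block"),
    UrlFilter("192.168.144.155", "simple", "block"),            # by IP address
    UrlFilter("com", "simple", "block"),                        # suffix catch-all
]

if __name__ == "__main__":
    for u in ("http://www.example.com/news.html", "https://www.example.com/news.html",
              "http://mail.example.com/", "ftp://ftp.example.com/pub/"):
        print(u, "->", match_url(SAMPLE_FILTERS, u))
```

Note that the same page-level entry blocks the HTTP request but not the HTTPS one, which is the CN-only limitation the text describes.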

Local Ratings
You can configure user-defined categories and then specify the URLs that belong to the category. This allows users to block groups of web sites on a per-profile basis. The ratings are included in the global URL list with associated categories and compared in the same way the URL block list is processed.

Local ratings are configured in UTM > Web Filter > Local Ratings.

Local Ratings page
Lists each individual local rating that you created. On this page, you can edit, delete or create a new local rating. You can also disable or enable a local rating, as well as remove all local ratings from the page.

Create New: Select to create a new local rating.
Search: Enter a word or name to search for the local rating within the list. Select Go to start the search.
Edit: Select to modify the settings of a local rating.
Delete: Select to remove a local rating from the list.
Enable: Select to enable a local rating.
Disable: Select to disable a local rating.
Remove All Entries: Select to remove all local ratings within the list.
#: The number identifying the order of the item in the list.
Enable: A green checkmark appears if the local rating is enabled. A gray x appears if the local rating is disabled.
URL: The URL address of the local rating.
Category: The category that was selected for the local rating.

New Local Rating page
Provides settings for configuring the URL address that belongs to a category and classification rating. When editing a local rating, you are automatically redirected to the Edit Local Rating page, which contains the same settings.

URL: Enter the URL address.
Category Rating: Select the ratings for the URL.
Classification Rating: Select to add classifications.

FortiGuard Quota
You can view the web quotas that are monitored in UTM > Web Filter > FortiGuard Quota. This list displays all of the users who have used up some of their quota time, sorted by user name. The list also displays how much time has been used.

FortiGuard Quota page
Displays each individual user’s used quota. You can view details of each individual user’s quota by selecting the View icon in the row of the user.

Page Controls: Use the page controls to navigate through the lists on the FortiGuard Quota page.
User Name: The name of the user.
WebFilter Profile: The name of the web filter profile that was used for detecting the user’s FortiGuard quota usage.
Used Quota: The amount of quota used by the user.

Reports
The Reports menu appears only for FortiGate models with local disks. The Reports menu, located in UTM > Web Filtering, provides reports based on web filtering profiles. You must have one or more web filtering profiles configured before you can generate a report from UTM > Web Filtering > Reports. The information for these reports is taken from a web filter profile. The FortiGate unit maintains statistics for allowed, blocked, and monitored web pages for each category. You can view reports with a range of hours or days, or view the overall activity. The information generated is in a text and pie chart format.

Reports page
Provides settings for configuring a report that you generate. You must first configure a web filter profile before you can generate a report.

Web Filter Profile: Select the web filter profile on which you want to base the report.
Clear report data: Removes all data within the report that you are currently viewing.
Report Type: Select the time frame for the report. Choose from hour, day, or all.
Report Range: Select the time range (in 24 hour clock format) or day range (from six days ago to today) for the report. For example, for an “hour” report type with a range of 13 to 16, the result is a category block report for 1 pm to 4 pm today. For a “day” report type with a range of 0 to 3, the result is a category block report for three days ago up to today.
Get Report: Select to generate a report.

The generated report includes the following columns, which appear below the pie chart on the Reports page:

Category: The category for which the statistic was generated.
Allowed: The number of allowed web addresses accessed in the selected time frame.
Blocked: The number of blocked web addresses accessed in the selected time frame.
Monitored: The number of monitored web addresses accessed in the selected time frame.

Email Filter
The following explains FortiGate email filtering for IMAP, POP3, and SMTP email. If your FortiGate unit supports SSL content scanning and inspection, you can also configure email filtering for IMAPS, POP3S, and SMTPS email traffic.

You can configure the FortiGate unit to manage unsolicited commercial email by identifying spam messages from known or suspected spam servers. The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools, to detect and block a wide range of spam messages. Using FortiGuard Email Filtering profile settings you can enable IP address checking, URL checking, E-mail checksum checking, and Spam submission. Updates to the IP reputation and spam signature databases are provided continuously from the global FortiGuard distribution network.

If you enable virtual domains (VDOMs) on the FortiGate unit, email filtering is configured separately for each virtual domain. For more information, see “Using virtual domains” on page 79.

From the FortiGuard Antispam Service page in the FortiGuard center you can use IP and signature lookup to check whether an IP address is blacklisted in the FortiGuard antispam IP reputation database, or whether a URL or email address is in the signature database.

Order of email filtering
FortiGate email filtering uses various filtering techniques. The order in which the FortiGate unit uses these filters depends on the mail protocol used. Filters requiring a query to a server and a reply (FortiGuard Antispam Service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

Each filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate unit tags the email as spam according to the settings in the email filter profile. For SMTP and SMTPS, if the action is discard, the email message is discarded or dropped. If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or SMTPS email messages are substituted with a configurable replacement message.

Order of SMTP and SMTPS email filtering
SMTPS email filtering is available on FortiGate units that support SSL content scanning and inspection.
1 IP address BWL check on last hop IP.
2 DNSBL & ORDBL check on last hop IP, FortiGuard Email Filtering IP address check on last hop IP, HELO DNS lookup.
3 MIME headers check, E-mail address BWL check.
4 Banned word check on email subject.
5 IP address BWL check (for IPs extracted from “Received” headers), DNSBL & ORDBL check on public IP extracted from header.
6 Banned word check on email body.
7 Return email DNS check, FortiGuard Email Filtering URL check, FortiGuard Email Filtering email checksum check.

Order of IMAP, POP3, IMAPS and POP3S email filtering
IMAPS and POP3S email filtering is available on FortiGate units that support SSL content scanning and inspection.
1 MIME headers check, Email address BWL check.
2 Banned word check on email subject.
3 IP BWL check.
4 Banned word check on email body.
5 Return email DNS check, DNSBL & ORDBL check, FortiGuard Email Filtering URL check, FortiGuard Antispam email checksum check.

Profile
The Profile menu allows you to configure email filter profiles for applying to firewall policies. A profile is specific information that defines how the traffic within a policy is examined and what action may be taken based on the examination.

Email filter profiles are configured in UTM > Email Filter > Profile.

Profile page
Lists each individual email filter profile that you created. On this page, you can edit, delete or create a new email filter profile.

Create New: Select to create a new email filter profile.
Edit: Select to modify settings within an email filtering profile.
Delete: Select to remove an email filter profile.
Name: The name of the email filter profile.
Comments: The description given to the email filter profile.

New Email Filter Profile page
Provides settings for configuring multiple email filter profiles. If you are editing an email filter profile, you are automatically redirected to the Edit Email Filter Profile page. To access the options, you must select the check box beside the column name of the protocol for which you want to configure settings. For example, selecting the check box beside IMAP gives you access to the options available for IMAP. If the IP Address Check is not enabled, the FortiGate unit does not examine that type of traffic.

Note: Disable the traffic types that you do not want checked to save system resources.

Name: Enter a name for the email filter profile.
Comments: Enter a description of the email filter profile. This is optional.
Enable logging: Select to enable logging for the email filter profile.
FortiGuard Email Filtering
IP Address Check: Select to enable a check of the FortiGuard IP Address black list.
URL Check: Select to enable a check of the FortiGuard URL black list.
Email Checksum Check: Select to enable the FortiGuard email message checksum check.
Spam Submission: Select to add a spam submission message and a link to the message body of all email messages marked as spam by FortiGuard Email Filtering. If the receiver determines that the email message is not spam, he or she can use the link in the message to inform. You can change the content of this message by going to the Replacement Messages page and customizing the Spam submission message. This is an optional setting. For more information, see “Spam replacement messages” on page 156.
IP Address BWL Check: Select the IP address black/white list in the Options column from the drop-down list.
HELO DNS Lookup: Select to look up the source domain name (from the SMTP HELO command) for SMTP email messages.
E-mail Address DNS Check: Select to look up the DNS of the email address.
Return E-mail DNS Check: Select to enable checking that the domain specified in the reply-to or from address has an A or MX record.
Banned Word Check: Select to block email messages based on matching the content of the messages with the words or patterns in the selected email filter banned word list.

Spam Action: Select to either tag or discard email that the FortiGate unit determines to be spam. Tagging adds the text in the Tag Format field to the subject line or header of email identified as spam. Discarding immediately drops the connection. When scanning in splice mode, the FortiGate unit scans and streams the traffic to the destination at the same time, terminating the stream to the destination if a virus is detected. When virus scanning is enabled for SMTP, scanning in splice mode is also called streaming mode and is enabled automatically. For more information about configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For more information about splicing behavior for SMTP, see the Knowledge Base article FortiGate Proxy Splice and Client Comforting Technical Note.

Note: When you enable virus scanning for SMTP and SMTPS in an antivirus profile, you can choose to either tag or discard SMTP spam. If virus scanning is not enabled, the FortiGate unit can only discard spam email if a virus is detected.

Tag Location: Select to add the tag to the subject or MIME header of email identified as spam. If you select to add the tag to the subject line, the FortiGate unit converts the entire subject line, including the tag, to UTF-8 format. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For more information about preventing conversion of the subject line to UTF-8, see profile in the FortiGate CLI Reference. To add the tag to the MIME header, you must enable spamhdrcheck in the CLI for each protocol (IMAP, SMTP and POP3).

Tag Format: Enter a word or phrase with which to tag email identified as spam. Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting. When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For more information on changing the language settings, see “Changing the web-based manager language” on page 32 and the system settings chapter of the FortiGate CLI Reference.

Banned Word
Control spam by blocking email messages containing specific words or patterns. You can add words, phrases, wild cards and Perl regular expressions to match content in email messages. The FortiGate unit can sort email messages containing those banned words in the subject, body, or both. The FortiGate unit checks each email message against the banned word list. The score value of each banned word appearing in the message is added, and if the total is greater than the threshold value set in the email filter profile, the FortiGate unit processes the message according to the setting in the profile. The score for a pattern is applied only once even if the word appears in the message multiple times.

Banned words are configured in UTM > Email Filter > Banned Word. For information about wild cards and Perl regular expressions, see “Using wildcards and Perl regular expressions” on page 335.

Banned Word page
Lists each banned word list that you created. On this page you can edit, delete or create a new banned word list.

Create New: When you select Create New, you are automatically redirected to the New List page. This page provides a name field and comment field. You must enter a name to go to the Banned Word Settings page.
Name: The available Email Filter banned word lists.
# Entries: The number of entries in each banned word list.
Comments: Optional description of each banned word list.
Delete: Remove the banned word list from the catalog. The delete icon is available only if the banned word list is not selected in any email filter profiles.
Edit: Modify the banned word list, list name, or list comment.

Banned Word Settings page
Provides settings for configuring a word pattern or word that will be considered banned by the FortiGate unit. These words and word patterns make up a banned word list, which appears on the Banned Word page. The score values of all the matching words appearing in an email message are added, and if the total is greater than the Banned word check value set in the profile, the email is processed according to whether the spam action is set to Discard or Tagged in the email filter profile. The score for a banned word is counted once even if the word appears multiple times on the web page in the email. For more information, see “Email Filter” on page 328 and “Using wildcards and Perl regular expressions” on page 335.

Name: If you are editing an existing banned word list and you want to change the name, enter a new name in this field. You must select OK to save these changes.
Comments: If you are editing an existing banned word list and want to change the description, enter the changes in this field. You must select OK to save these changes.
OK: Select to save changes in the list.
Create New: Select to add a word or phrase to the banned word list. When you select Create New, you are automatically redirected to the Banned Word Settings page; if you are editing a banned word, the following appear:
Enable: Select the check box to enable all the banned words in the list. A green checkmark appears if the banned word is enabled.
Pattern: The list of banned words.
Pattern Type: The pattern type used in the banned word list entry. Choose from wildcard or regular expression.
Language: The character set to which the banned word belongs.
Where: The location where the FortiGate unit searches for the banned word: Subject, Body, or All.
Score: A numerical weighting applied to the banned word.
Edit: Select to modify banned word settings.
Delete: Select to remove a banned word from the list.
Enable: Select to enable a banned word.
Disable: Select to disable a banned word.
Remove All Entries: Select to remove all banned word entries within the list.
Page Controls: Use to navigate through the information in the Banned Word menu.

Add Banned Word page

Pattern: Enter the banned word pattern. A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a pattern are treated as a phrase. The phrase must appear exactly as entered to match. You can also use wildcards or regular expressions to have a pattern match multiple words or phrases. For more information, see “Using wildcards and Perl regular expressions” on page 335.
Pattern Type: Select the pattern type for the banned word. Choose from wildcard or regular expressions. Wildcard patterns are not case sensitive.
Note: Perl regular expression patterns are case sensitive for banned words. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of bad language regardless of case.
Language: Select the character sets for the banned word.
Where: Select where the FortiGate unit should search for the banned word: Subject, Body, or All.
Score: Enter a score for the pattern. Each entry in the banned word list added to the profile includes a score. When an email message is matched with an entry in the banned word list, the score is recorded. If an email message matches more than one entry, the score for the email message increases. When the total score for an email message equals or exceeds the threshold, the message is considered spam and handled according to the spam action configured in the profile.

IP Address
You can add IP address black/white lists and email address black/white lists to filter email. Configure the FortiGate unit to filter email from specific IP addresses. Mark each IP address as clear, spam, or reject. Filter single IP addresses or a range of addresses at the network level by configuring an address and mask.

When performing an IP address list check, the FortiGate unit compares the IP address of the message sender to the IP address list items in sequence. When performing an email list check, the FortiGate unit compares the email address of the message sender to the email address list items in sequence. If a match is found, the action associated with the IP address or email address is taken. If no match is found, the message is passed to the next enabled email filter.

You can add multiple IP address lists and then select the best one for each email filter profile. An IP address list contains multiple IP addresses, and this list is configured in the IP Address Settings page. After creating an IP address list, you can add IP addresses to the list. The FortiGate unit compares the IP address of the sender to the check list in sequence. Enter an IP address or a pair of IP address and mask in the following formats:
• x.x.x.x, for example, 192.168.69.100
• x.x.x.x/x.x.x.x, for example, 192.168.69.100/255.255.255.0
• x.x.x.x/x, for example, 192.168.69.100/24

IP address black/white lists are configured in UTM > Email Filter > IP Address.

IP Address page
Lists each individual IP address list that you created. On this page, you can edit, delete or create a new IP address list.

Create New: When you select Create New, you are automatically redirected to the New List page. This page provides a name field and comment field. You must enter a name to go to the IP Address Settings page.

Name: The names of the available IP address lists.
# Entries: The number of entries in each IP address list.
Comments: Optional description of each IP address list.
Delete: Remove the IP address list from the catalog. The delete icon is available only if the IP address list is not selected in any profiles.
Edit: Edit the IP address list, list name, or list comment.

IP Address Settings page
Provides settings for configuring multiple IP addresses that are then grouped together to form a list of IP addresses. This list is then applied within the email filter profile. You are automatically redirected to this page from the New List page. If you are editing an IP Address, you are automatically redirected to the IP Address Settings page. The firewall policy executes the list from top to bottom. For example, if you have IP address 192.168.100.1 listed as spam and 192.168.100.2 listed as clear, you must put 192.168.100.1 above 192.168.100.2 for 192.168.100.1 to take effect.

Name: If you are editing an existing IP address list and want to change the name, enter a new name in this field. You must select OK to save the change.
Comments: If you are editing an existing IP address list and want to change the description, enter the changes in this field. You must select OK to save the changes.
OK: Select to save modifications to the list.
Create New: Select to create a new IP address list.
Edit: Edit address information.
Delete: Select to remove an IP address from the list.
Enable: Select to enable an IP address.
Disable: Select to disable an IP address.
Move: Select to move the entry to a different position in the list.
Remove All Entries: Select to remove all IP addresses from within the list.

Add IP Address page
IP/Netmask: Enter the IP address or the IP address/mask pair.
Action: Select Mark as Spam to apply the spam action configured in the profile, Mark as Clear to bypass this and remaining email filters, or Mark as Reject (SMTP or SMTPS) to drop the session.
Enable: Select to enable the address.

E-mail Address
The FortiGate unit can filter email from specific senders or all email from a domain (such as example.net). You can add email address lists and then select the best one for each profile.

Email address lists are configured in UTM > Email Filter > E-mail Address.

E-mail Address page
Lists each individual email address list that you created. On this page, you can edit, delete or create a new email address list.

Create New: When you select Create New, you are automatically redirected to the New List page. This page provides a name field and comment field. You must enter a name to go to the E-mail Address Settings page.
Name: The name of the email address list.
# Entries: The number of entries in each email address list.
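The sequential first-match behaviour of an IP address list, including the top-to-bottom ordering rule above and the three address formats the Add IP Address page accepts, as an added Python model (not FortiOS code; the entry and list names are constructed, and a constructed overlapping network entry is included to show why the Move control matters):

```python
import ipaddress

# Constructed model of the FortiGate email filter IP address black/white list
# check (added example, not FortiOS code). Entries are compared in list order
# and the first enabled match decides the action.

ACTIONS = ("spam", "clear", "reject")   # Mark as Spam / Mark as Clear / Mark as Reject (SMTP, SMTPS only)


def parse_ip_entry(text):
    """Parse the three formats from the Add IP Address page:
    x.x.x.x, x.x.x.x/x.x.x.x (dotted mask) and x.x.x.x/n (prefix length).
    A bare address becomes a single-host /32 network."""
    if "/" not in text:
        return ipaddress.IPv4Network(text + "/32")
    # strict=False lets a host address such as 192.168.69.100/24 stand for
    # its network (192.168.69.0/24); dotted masks are accepted as well.
    return ipaddress.IPv4Network(text, strict=False)


class IPListEntry:
    def __init__(self, text, action, enabled=True):
        if action not in ACTIONS:
            raise ValueError("action must be one of %r" % (ACTIONS,))
        self.text, self.action, self.enabled = text, action, enabled
        self.network = parse_ip_entry(text)


def ip_list_check(sender_ip, entries):
    """Compare the sender's IP address to the list items in sequence.
    Return the action of the first enabled matching entry, or None when
    nothing matches so the message goes on to the next enabled filter."""
    addr = ipaddress.IPv4Address(sender_ip)
    for entry in entries:
        if entry.enabled and addr in entry.network:
            return entry.action
    return None


def move_entry(entries, index, new_index):
    """The Move control: reorder the list in place and return it."""
    entry = entries.pop(index)
    entries.insert(new_index, entry)
    return entries


# The guide's own example: 192.168.100.1 spam listed above 192.168.100.2 clear.
GUIDE_LIST = [
    IPListEntry("192.168.100.1", "spam"),
    IPListEntry("192.168.100.2", "clear"),
]

# Constructed list where a /24 clear entry sits above a host spam entry,
# so the host entry is shadowed until it is moved to the top.
SHADOWED_LIST = [
    IPListEntry("192.168.100.0/24", "clear"),
    IPListEntry("192.168.100.1", "spam"),
    IPListEntry("192.168.69.100/255.255.255.0", "reject"),
    IPListEntry("10.0.0.0/8", "spam", enabled=False),   # disabled entries are skipped
]

if __name__ == "__main__":
    print(ip_list_check("192.168.100.1", GUIDE_LIST))
    print(ip_list_check("192.168.100.1", SHADOWED_LIST))
    print(ip_list_check("192.168.100.1", move_entry(list(SHADOWED_LIST), 1, 0)))
```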

Comments: Optional description of each email address list.
Delete: Remove the email address list from the catalog. The delete icon is only available if the email address list is not selected in any profiles.
Edit: Edit the email address list, list name, or list comment.

E-mail Address Settings page
Provides settings for configuring multiple email addresses that are then grouped together to form a list of email addresses. This list is then applied within the email filter profile. You are automatically redirected to this page from the New List page. If you are editing an E-mail Address, you are automatically redirected to the E-mail Address Settings page.

Name: If you are editing an existing email address list and want to change the name, enter a new name in this field. You must select OK to save the change.
Comments: If you are editing an existing email address list and want to change the description, enter the changes in this field. You must select OK to save the changes.
OK: Select to save changes to the list.
Create New: Add a new email address to the email address list. When you select Create New, you are automatically redirected to the E-mail Address Settings page; if you are editing an E-mail Address, the following appears:
Edit: Select to make changes to the email address.
Delete: Select to remove an email address.
Enable: Select to enable an email address.
Disable: Select to disable an email address.
Remove All Entries: Delete all table entries.
Enable: A green checkmark appears if an email address is enabled. A gray x appears if an email address is disabled.
Email-Address: The email address entered.
Pattern Type: The pattern type chosen for that email address.
Action: The action that will be taken when that email address is detected.
Page Controls: Use to navigate through the lists on the E-mail Address Settings page.

Add E-Mail Address page
E-mail Address: Enter the email address.
Pattern Type: Select a pattern type: Wildcard or Regular Expression.
Action: Select Mark as Spam to apply the spam action configured in the profile, or Mark as Clear to bypass this and remaining email filters.
Enable: Select to enable the email address.

Using wildcards and Perl regular expressions
Email address list, MIME headers list, and banned word list entries can include wildcards or Perl regular expressions. For more information about using Perl regular expressions, see http://perldoc.perl.org/perlretut.html.

Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see “Configuring Networking Options” on page 108.

Regular expression vs. wildcard match pattern
A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character.

In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to the ‘?’ character in a wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on.

To match a special character such as ‘.’ and ‘*’, use the escape character ‘\’. For example:
• To match fortinet.com, the regular expression should be: fortinet\.com

In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not 0 or more times of any character. For example:
• forti*.com matches fortiiii.com but does not match fortinet.com.

To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’ means 0 or more times. For example, the wildcard match pattern forti*.com should therefore be fort.*\.com.

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression “test” not only matches the word “test” but also any word that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b” specifies the word boundary. To match exactly the word “test”, the expression should be \btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the web and Email Filter filters. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of “bad language”, regardless of case.

Note: To add a question mark (?) character to a regular expression from the FortiGate CLI, enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression from the CLI you must precede it with another backslash character. For example, fortinet\\.com.

Perl regular expression formats
Table 52 lists and describes some example Perl regular expression formats.

Table 52: Perl regular expression formats
abc        Matches “abc” (the exact character sequence, but anywhere in the string)
^abc       “abc” at the beginning of the string
abc$       “abc” at the end of the string
a|b        Either “a” or “b”
^abc|abc$  The string “abc” at the beginning or at the end of the string
ab{2,4}c   “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c    “a” followed by at least two “b”s followed by a “c”

Table 52: Perl regular expression formats (Continued)
ab*c       “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c       “a” followed by one or more “b”s followed by a “c”
ab?c       “a” followed by an optional “b” followed by a “c”, that is, either “abc” or “ac”
a.c        “a” followed by any single character (not newline) followed by a “c”
a\.c       “a.c” exactly
[abc]      Any one of “a”, “b” and “c”
[Aa]bc     Either of “Abc” and “abc”
[abc]+     Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”)
[^abc]+    Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”)
\d\d       Any two decimal digits, such as 42; same as \d{2}
/i         Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
\w+        A “word”: a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk   The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b      “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)
perl\B     “perl” when not followed by a word boundary (for example, in “perlert” but not in “perl stuff”)
\x         Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/x         Used to add regular expressions within other text. If the first character in a pattern is a forward slash ‘/’, the ‘/’ is treated as the delimiter. The pattern must contain a second ‘/’. The pattern between the ‘/’ characters will be taken as a regular expression, and anything after the second ‘/’ will be parsed as a list of regular expression options (‘i’, ‘x’, etc). An error occurs if the second ‘/’ is missing. In regular expressions, leading and trailing space is treated as part of the regular expression.

Example regular expressions

Block any word in a phrase
/block|any|word/

Block purposely misspelled words
Spammers often insert other characters between the letters of a word to fool spam blocking software.
/^.*v.*i.*a.*g.*r.*a.*$/i
/cr[eéèêë][\+\-\*=<>\.\,\!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i

Block common spam phrases
The following phrases are some examples of common phrases found in spam messages.
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-\*=<>\.\,\!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i

Data Leak Prevention

You can use the FortiGate Data Leak Prevention (DLP) system to prevent sensitive data from leaving or entering your network. You can define sensitive data patterns, and data matching these patterns will be blocked and/or logged or archived when passing through the FortiGate unit. Although the primary use of the DLP feature is to stop sensitive data from leaving your network, it can also be used to prevent unwanted data from entering your network and to archive some or all of the content passing through the FortiGate unit.

The DLP system is configured by creating individual rules, combining the rules into DLP sensors, and then assigning a sensor to a firewall policy.

If you enable virtual domains (VDOMs) on the FortiGate unit, data leak prevention is configured separately for each virtual domain. For more information, see "Using virtual domains" on page 79.

This topic includes the following:
• Sensor
• Compound rules
• Rule
• DLP archiving

Sensor

Caution: Before use, examine the sensors and rules in the sensors closely to ensure you understand how they will affect the traffic on your network.

DLP sensors are simply collections of DLP rules and DLP compound rules. The DLP sensor also includes settings such as action, archive, and severity for each rule or compound rule. Once a DLP sensor is configured, it can be specified in a firewall policy. Any traffic handled by the policy in which the DLP sensor is specified will enforce the DLP sensor configuration.

You can create a new DLP sensor and configure it to include the DLP rules and DLP compound rules required to protect the traffic leaving your network. A DLP sensor must be created before it can be configured by adding rules and compound rules. The following default DLP sensors are provided with your FortiGate unit. You can use these as provided, or modify them as required. There are six default sensors.

Sensors are configured in UTM > Data Leak Prevention > Sensor.

Sensor page
Lists each individual DLP sensor that you created, as well as the default DLP sensors. On this page, you can edit DLP sensors (default or ones that you created), delete or create new DLP sensors.

Create New: When you select Create New, you are automatically redirected to the New DLP List page. This page provides a name field and comment field. You must enter a name to go to the Sensor Settings page.
Name: The DLP sensor name.

Content_Archive (default): DLP archive all email (POP3, IMAP, and SMTP), FTP, HTTP, and IM traffic. Archive is set to Full. You can add the All-Session-Control rule to also archive session control content. If you have a FortiGate unit that supports SSL content scanning and inspection, you can edit the All-Email rule to archive POP3S, IMAPS, and SMTPS traffic. You can also edit the All-HTTP rule to archive HTTPS traffic. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook. See "DLP archiving" on page 347.
Content_Summary (default): DLP summary archive all email (POP3, IMAP, and SMTP), FTP, HTTP, and IM traffic. Archive is set to Summary Only. You can add the All-Session-Control rule to also archive session control content. If you have a FortiGate unit that supports SSL content scanning and inspection, you can edit the All-Email rule to archive POP3S, IMAPS, and SMTPS traffic. You can also edit the All-HTTP rule to archive HTTPS traffic. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook. See "DLP archiving" on page 347.
Credit-Card (default): The number formats used by American Express, Visa, and Mastercard credit cards are detected in HTTP and email traffic. As provided, the sensor is configured not to archive matching traffic and an action of None is set. No blocking or quarantine is performed. For each rule in the sensor, configure the action and archive options as required.
Large-File (default): Files larger than 5MB will be detected if attached to email messages or if sent using HTTP or FTP. As provided, the sensor is configured not to archive matching traffic and an action of None is set. No blocking or quarantine is performed. For each rule in the sensor, configure the action and archive options as required.
SSN-Sensor (default): The number formats used by U.S. Social Security and Canadian Social Insurance numbers are detected in email and HTTP traffic. As provided, the sensor is configured not to archive matching traffic and an action of None is set. No blocking or quarantine is performed. For each rule in the sensor, configure the action and archive options as required.
Comments: The optional description of the DLP sensor.
Delete: Select to remove a DLP sensor from the list.
Edit: Select to make changes to a DLP sensor.

Sensor Settings page
Provides settings for configuring rules that are added to DLP sensors. When you select Create New to create a new sensor, you are automatically redirected to the New DLP Sensor page. You must enter a name for the sensor in the Name field to continue configuring the sensor, at which time you are redirected to the Sensor Settings page.

Name: If you are editing an existing sensor and want to change the name, enter a name in this field. You must select OK to save these changes.
Comment: If you are editing an existing sensor and want to change the description, enter the changes in this field. You must select OK to save the change.
Create New: Select Create New to add a new rule or compound rule to the sensor. When you select Create New on this page, you are redirected to the New DLP Sensor Rule page. When you select a specific type of member, either Compound rule or Rule, different options become available.
Enable: You can disable a rule or compound rule by clearing this check box. The item will be listed as part of the sensor, but it will not be used.
Rule name: The names of the rules and compound rules included in the sensor.

Action: The action configured for each rule. If the selected action is None, no action will be listed. Although archiving is enabled independent of the action, the Archive designation appears with the selected action. For example, if you select the Block action and set Archive to Full for a rule, the action displayed in the sensor rule list is Block, Archive.
Comment: The optional description of the rule or compound rule.
Edit: Select to modify a rule or compound rule.
Delete: Select to remove a compound rule or a rule from the list.
Enable: Select to enable a compound rule or rule.
Disable: Select to disable a compound rule or rule.

New DLP Sensor Rule page
Member Type: Select Rule or Compound Rule. The rules of the selected type will be displayed in the table below.
Action: Select an action that the FortiGate unit will take for that particular rule or compound rule.
Archive: Select the type of archival logging for that sensor.
Expires: Appears when a ban or quarantine action (Quarantine Virus Sender (to Banned Users List), Ban Sender, Quarantine IP address, or Quarantine Interface) is selected. When you select Ban, the Expires options appear. You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Severity: Enter the severity of the content that the rule or compound rule is a match for. The higher the number, the greater the severity. Use the severity to indicate the seriousness of the problems that would result from the content passing through the FortiGate unit. For example, if the DLP rule finds high-security content the severity could be 5. On the other hand, if the DLP rule finds any content the severity should be 1. DLP adds the severity to the severity field of the log message generated when the rule or compound rule matches content.

Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some content, DLP will not create more than one DLP archive entry, quarantine item, or ban entry from the same content.

Compound rules

DLP compound rules are groupings of DLP rules that also change the way they behave when added to a DLP sensor. Individual rules can be configured with only a single attribute. When this attribute is discovered in network traffic, the rule is activated. Compound rules allow you to group individual rules to specify far more detailed activation conditions. Each included rule is configured with a single attribute, but every attribute must be present before the compound rule is activated.

For example, create two rules and add them to a sensor:
• Rule 1 checks SMTP traffic for a sender address of spammer@example.com
• Rule 2 checks SMTP traffic for the word "sale" in the message body

When the sensor is used, either rule could be activated if its configured condition is true. Depending on the contents of the SMTP traffic, neither, either, or both could be activated. If only one condition is true, only the corresponding rule would be activated.

If you remove these rules from the sensor, add them to a compound rule, and add the compound rule to the sensor, the conditions in both rules have to be present in network traffic to activate the compound rule. If only one condition is present, the message passes without any rule or compound rule being activated. By combining the individually configurable attributes of multiple rules, compound rules allow you to specify far more detailed and specific conditions to trigger an action.

Compound rules for DLP sensors are configured in UTM > Data Leak Prevention > Compound.

Compound page
Lists the compound rules that you created. On this page, you can edit, delete or create new compound rules.

Create New: Select Create New to add a new compound rule. When you select Create New, you are automatically redirected to the New/Edit Compound Rule page.
Name: The compound rule name.
Comments: The optional description of the compound rule.
DLP sensors: If the compound rule is used in any sensors, the sensor names are listed here.
Edit: Select to modify a compound rule.
Delete: Select to remove a compound rule from the Compound page. If a compound rule is used in a sensor, the Delete icon will not be available. Remove the compound rule from the sensor and then delete it.

New/Edit Compound Rule page
Provides settings for configuring compound rules. When you select Create New, or when you edit an existing compound rule, you are automatically redirected to this page.

Name: Enter a name for the compound rule.
Comments: An optional description of the compound rule.
Protocol: Select the type of content traffic that the DLP compound rule applies to. You can select the following protocols: Email, HTTP, FTP, NNTP, and Instant Messaging. The rules that you can add to the compound rule vary depending on the protocol that you select.
SMTP, IMAP, POP3: When you select the Email protocol, you can select the supported email protocols for which to add rules. Only the rules that include all of the selected protocols can be added to the compound rule.
HTTP POST, HTTP GET: When you select the HTTP protocol, you can configure the compound rule to apply to HTTP post or HTTP get sessions or both. Only the rules that include all of the selected options can be added to the compound rule.
HTTPS POST, HTTPS GET: When you select the HTTP protocol, if your FortiGate unit supports SSL content scanning and inspection, you can configure the compound rule to apply to HTTPS post or HTTPS get sessions or both. Only the rules that include all of the selected options can be added to the compound rule. If URL Filtering is selected, the DLP sensors will not scan HTTPS content. To scan these encrypted traffic types, you must set HTTPS Content Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol Recognition section of the profile. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook.
FTP PUT, FTP GET: When you select the FTP protocol, you can configure the compound rule to apply to FTP put, or FTP get sessions or both. Only the rules that include all of the selected options can be added to the compound rule.
AIM, ICQ, MSN, Yahoo!: When you select the Instant Messaging protocol, you can select the supported IM protocols for which to add rules. Only the rules that include all of the selected protocols can be added to the compound rule.

Rules: Select the rule to include in the compound rule. Select the add rule icon and then select a rule from the list. Only the rules that include all of the selected protocols can be added to the compound rule.
Add Rule/Delete Rule [plus and minus signs]: Use the add rule and delete rule icons to add and remove rules from the compound rule.

Rule

Caution: Before use, examine the rules closely to ensure you understand how they will affect the traffic on your network.

DLP rules are the core element of the data leak prevention feature. These rules define the data to be protected so the FortiGate unit can recognize it. For example, an included rule uses a regular expression to describe a Social Security number:

([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}

Rather than having to list every possible Social Security number, this regular expression describes the structure of a Social Security number. The pattern is easily recognizable by the FortiGate unit. For more information about regular expressions, see "Using wildcards and Perl regular expressions" on page 335.

DLP rules can be combined into compound rules and they can be included in sensors. If rules are specified directly in a sensor, traffic matching any single rule will trigger the configured action. If the rules are first combined into a compound rule and then specified in a sensor, every rule in the compound rule must match the traffic to trigger the configured action. Individual rules in a sensor are linked with an implicit OR condition, while rules within a compound rule are linked with an implicit AND condition.

There are many default rules to choose from that are provided with your FortiGate unit. You can modify the default rules as required.

Rules are configured in UTM > Data Leak Prevention > Rule.

Rule page
Lists the rules that you created. On this page, you can edit, delete or create new rules.

Create New: Select Create New to add a new rule.
Edit: Select to modify a rule.
Delete: Select to remove a rule from the list on the Rule page. If a rule is used in a compound rule or a sensor, the delete icon will not be available. Remove the rule from the compound rule or sensor and then delete it.
Name: The rule name.
All-Email, All-HTTP, All-FTP, All-IM, All-NNTP, All-SessionControl: These rules will detect all traffic of the specified type. Note: These rules affect only unencrypted traffic types. If you are using a FortiGate unit able to decrypt and examine encrypted traffic, you can enable those traffic types in these rules to extend their functionality if required.
Email-AmEx, Email-Canada-SIN, Email-US-SSN, Email-Visa-Mastercard: These four rules detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social Security Numbers, or Visa and Mastercard numbers within the message bodies of SMTP, POP3, and IMAP email traffic.

HTTP-AmEx, HTTP-Canada-SIN, HTTP-US-SSN, HTTP-Visa-Mastercard: These four rules detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social Security Numbers, or Visa and Mastercard numbers within the POST command in HTTP traffic. The HTTP POST is used to send information to a web server. As written, these rules are designed to detect data the user is sending to web servers. These rules do not detect the data retrieved with the HTTP GET command, which is used to load web pages.
Email-Not-Webex, HTTP-Post-Not-Webex: These rules prevent DLP from matching email or HTTP pages that contain the string WebEx.
Large-Attachment: This rule detects files larger than 5MB attached to SMTP, POP3, and IMAP email messages.
Large-FTP-Put: This rule detects files larger than 5MB sent using the FTP PUT protocol. Files received using FTP GET are not examined.
Large-HTTP-Post: This rule detects files larger than 5MB sent using the HTTP POST protocol. Files received using HTTP GET are not examined.
Comments: The optional description of the rule.
Compound Rules: If the rule is included in any compound rules, the compound rule names are listed here.
DLP Sensors: If the rule is used in any sensors, the sensor names are listed here.

New/Edit Regular Rule
Provides settings for configuring each type of rule. The available rule options vary depending on the protocol that you select.

Name: The name of the rule.
Comments: An optional comment describing the rule.
Protocol: Select the type of content traffic that the DLP rule will apply to, for example, a rule that is for emails. You can select the following protocols: Email, HTTP, FTP, NNTP, Instant Messaging and Session Control.
SMTP, IMAP, POP3: When you select the Email protocol, you can configure the rule to apply to any or all of the supported email protocols (SMTP, IMAP, and POP3).
SMTPS, IMAPS, POP3S: When you select the Email protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also configure the rule to apply to SMTPS, IMAPS, POP3S or any combination of these protocols. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook.
HTTP POST, HTTP GET: When you select the HTTP protocol, you can configure the rule to apply to HTTP post or HTTP get traffic or both.
HTTPS POST, HTTPS GET: When you select the HTTP protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also configure the HTTP rule to apply to HTTPS get or HTTPS post sessions or both. If URL Filtering is selected, the DLP sensors will not scan HTTPS content. To scan these encrypted traffic types, you must set HTTPS Content Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol Recognition section of the profile. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook.
FTP PUT, FTP GET: When you select the FTP protocol, you can configure the rule to apply to FTP put, or FTP get sessions or both.
AIM, ICQ, MSN, Yahoo!: When you select the Instant Messaging protocol, you can configure the rule to apply to file transfers using any or all of the supported IM protocols (AIM, ICQ, MSN, and Yahoo!). Only file transfers using the IM protocols are subject to DLP rules. IM messages are not scanned.

SIP, SIMPLE, SCCP: When you select the Session Control protocol, you can configure the rule to apply to any or all of the supported session control protocols (SIP, SIMPLE, and SCCP). The only rule option for the session control protocols is Always. This option matches all session control traffic and is used for session control DLP archiving.
Rule: Use the Rule settings to configure the content that the DLP rule matches. These settings change according to what protocol is chosen. Note: When the protocol HTTPS is selected, no Rule settings appear, because there are none.

When the protocol type Email is selected in Protocol, the following appear:
Always: Match any content. This option is available for all protocols.
Body: Search for the specified string in the message or page body.
Subject: Search for the specified string in the message subject. This option is available for Email.
Sender: Search for the specified string in the message sender user ID or email address. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders and the senders are determined by finding the IM user IDs in the session. This option is available for Email and IM.
Receiver: Search for the specified string in the message recipient email address.
Attachment Size: Check the attachment file size.
Attachment Type: Search email messages for file types or file patterns as specified in the selected file filter.
Attachment Text: Search for the text within the attachment that uses either UTF-8 or ASCII.
Transfer Size: Check the total size of the information transfer. In the case of email traffic, for example, the transfer size includes the message header, body, and any encoded attachment.
Binary file pattern (enter in base 64): Search for the specified binary string in network traffic.
Authenticated User: Search for traffic from the specified authenticated user.
User group: Search for traffic from any user in the specified user group.
File: Check whether the file is or is not encrypted. Encrypted files are archives and MS Word files protected with passwords. Because they are password protected, the FortiGate unit cannot scan the contents of encrypted files.

When the protocol type HTTP is selected in Protocol, the following appear:
Always: Match any content. This option is available for all protocols.
Body: Search for the specified string in the message or page body.
URL: Search for the specified URL in HTTP traffic; the URL may contain a wildcard or regular expression. This option is available for HTTP.
Transfer Size: Check the total size of the information transfer.
Cookie: Search the contents of cookies for the specified text. This option is available for HTTP.
CGI parameters: Search for the specified CGI parameters in any web page with CGI code.
HTTP header: Search for the specified string in HTTP headers.
Hostname: Search for the specified host name when contacting a HTTP server.

File type: Search for the specified file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. For more information about file filter lists, see "File Filter" on page 301.
File text: Search for the specified text in transferred text files.
Binary file pattern (enter in base 64): Search for the specified binary string in network traffic.
Authenticated User: Search for traffic from the specified authenticated user.
User group: Search for traffic from any user in the specified user group.
File: Check whether the file is or is not encrypted. Encrypted files are archives and MS Word files protected with passwords. Because they are password protected, the FortiGate unit cannot scan the contents of encrypted files.

When the protocol type FTP is selected in Protocol, the following appear:
Always: Match any content. This option is available for all protocols.
Transfer Size: Check the total size of the information transfer.
Server: Start/End: Search for the server's IP address in a specified address range.
File type: Search for the specified file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. For more information about file filter lists, see "File Filter" on page 301.
File text: Search for the specified text in transferred text files.
Binary file pattern (enter in base 64): Search for the specified binary string in network traffic.
Authenticated User: Search for traffic from the specified authenticated user.
User group: Search for traffic from any user in the specified user group.
File: Check whether the file is or is not encrypted. Encrypted files are archives and MS Word files protected with passwords. Because they are password protected, the FortiGate unit cannot scan the contents of encrypted files.

When the protocol type NNTP is selected in Protocol, the following appear:
Always: Match any content. This option is available for all protocols.
Body: Search for the specified string in the message or page body.
Transfer Size: Check the total size of the information transfer. In the case of email traffic, for example, the transfer size includes the message header, body, and any encoded attachment.
Server: Start/End: Search for the server's IP address in a specified range.
File type: Search for the specified file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. For more information about file filter lists, see "File Filter" on page 301.
File text: Search for the specified text in transferred text files.
Binary file pattern (enter in base 64): Search for the specified binary string in network traffic.
Authenticated User: Search for traffic from the specified authenticated user.
User group: Search for traffic from any user in the specified user group.
File: Check whether the file is or is not encrypted. Encrypted files are archives and MS Word files protected with passwords. Because they are password protected, the FortiGate unit cannot scan the contents of encrypted files.

When the protocol type Instant Messaging is selected in Protocol, the following appear:
Always: Match any content. This option is available for all protocols.

Sender: Search for the specified string in the message sender user ID or email address. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders and the senders are determined by finding the IM user IDs in the session. This option is available for Email and IM.
Transfer Size: Check the total size of the information transfer. In the case of email traffic, for example, the transfer size includes the message header, body, and any encoded attachment.
File type: Search for the specified file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. For more information about file filter lists, see "File Filter" on page 301.
File Text: Search for the specified text in transferred text files.
Binary file pattern (enter in base 64): Search for the specified binary string in network traffic.
Authenticated User: Search for traffic from the specified authenticated user.
User group: Search for traffic from any user in the specified user group.
File: Check whether the file is or is not encrypted. Encrypted files are archives and MS Word files protected with passwords. Because they are password protected, the FortiGate unit cannot scan the contents of encrypted files.

Rule operators that appear on the New/Edit Regular Rule page are:

matches/does not match: This operator specifies whether the FortiGate unit is searching for the presence of the specified string, or for the absence of the specified string.
• Matches: The rule will be triggered if the specified string is found in network traffic.
• Does not match: The rule will be triggered if the specified string is not found in network traffic.
ASCII/UTF-8: Select the encoding used for text files and messages.
Regular Expression/Wildcard: Select the means by which patterns are defined. For more information about wildcards and regular expressions, see "Using wildcards and Perl regular expressions" on page 335.
is/is not: This operator specifies if the rule is triggered when a condition is true or not true.
• Is: The rule will be triggered if the condition is true.
• Is not: The rule will be triggered if the condition is not true.
For example, if a rule specifies that a file type is found within a specified file type list, all matching files will trigger the rule. Conversely, if the rule specifies that a file type is not found in a file type list, only the file types not in the list would trigger the rule.
==/>=/<=/!=: These operators allow you to compare the size of a transfer or attached file to an entered value.
• == is equal to the entered value.
• >= is greater than or equal to the entered value.
• <= is less than or equal to the entered value.
• != is not equal to the entered value.
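As an added example (not FortiGate code), the following Python model follows the sensor, compound rule and rule semantics described in the Compound rules and Rule sections: rules placed directly in a sensor are ORed, rules inside a compound rule are ANDed, each sensor member carries an action, archive setting and severity, and the rule operators matches/does not match, is/is not and ==/>=/<=/!= decide each rule. It exercises the spammer@example.com and "sale" rule pair, the guide's Social Security number expression and the size comparison of the Large-Attachment rule. The class and field names, the sample messages, and the choice that the fullest archive level wins when several archiving members match are our assumptions.

```python
import re
from dataclasses import dataclass, field

# Structure of a U.S. Social Security number, quoted from the Rule section.
US_SSN = r"([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}"

# Size operators offered on the New/Edit Regular Rule page.
SIZE_OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b,
            "<=": lambda a, b: a <= b, "!=": lambda a, b: a != b}


@dataclass
class Message:
    """A transfer as the sensor sees it (constructed; field names are ours)."""
    protocol: str                # "smtp", "http", ...
    sender: str = ""
    body: str = ""
    attachment_size: int = 0     # bytes
    attachment_encrypted: bool = False


@dataclass
class Rule:
    """One single-attribute DLP rule: an attribute, an operator and a value."""
    name: str
    protocol: str
    attribute: str      # Message field: "sender", "body", "attachment_size", ...
    operator: str       # matches/does not match, is/is not, ==/>=/<=/!=
    value: object = None

    def matches(self, msg):
        if msg.protocol != self.protocol:
            return False
        actual = getattr(msg, self.attribute)
        if self.operator in ("matches", "does not match"):
            found = re.search(self.value, actual) is not None
            return found if self.operator == "matches" else not found
        if self.operator in ("is", "is not"):   # e.g. File is/is not encrypted
            return bool(actual) if self.operator == "is" else not actual
        return SIZE_OPS[self.operator](actual, self.value)


@dataclass
class CompoundRule:
    """Member rules are linked with an implicit AND: all must match."""
    name: str
    rules: list

    def matches(self, msg):
        return all(r.matches(msg) for r in self.rules)


@dataclass
class SensorMember:
    member: object              # Rule or CompoundRule
    action: str = "None"
    archive: str = "None"       # None, Summary Only or Full
    severity: int = 1
    enabled: bool = True


@dataclass
class Sensor:
    """Members are linked with an implicit OR: each matching member fires."""
    name: str
    members: list = field(default_factory=list)

    def evaluate(self, msg):
        """Return (member name, action, severity) for every member that matches."""
        return [(m.member.name, m.action, m.severity)
                for m in self.members if m.enabled and m.member.matches(msg)]

    def archive_entry(self, msg):
        """At most one archive entry per content, as the guide's note states.
        Assumption (ours): when several matching members archive, the fullest
        level is kept. Returns "Full", "Summary Only" or None."""
        levels = {m.archive for m in self.members
                  if m.enabled and m.archive != "None" and m.member.matches(msg)}
        return "Full" if "Full" in levels else ("Summary Only" if levels else None)


# The two rules from the Compound rules section, plus two default-style rules.
RULE_1 = Rule("spammer-sender", "smtp", "sender", "matches", r"spammer@example\.com")
RULE_2 = Rule("sale-body", "smtp", "body", "matches", r"\bsale\b")
SSN_RULE = Rule("Email-US-SSN", "smtp", "body", "matches", US_SSN)
BIG_RULE = Rule("Large-Attachment", "smtp", "attachment_size", ">=", 5 * 1024 * 1024)

# Rules added directly to the sensor: either one fires on its own.
SENSOR_OR = Sensor("direct", [SensorMember(RULE_1, "Block", severity=3),
                              SensorMember(RULE_2, "Log Only", severity=1)])
# The same rules inside a compound rule: both conditions must be present.
SENSOR_AND = Sensor("compound", [
    SensorMember(CompoundRule("spammer-sale", [RULE_1, RULE_2]), "Block", severity=5),
    SensorMember(SSN_RULE, "Block", "Full", severity=5),
    SensorMember(BIG_RULE, "Log Only", "Summary Only", severity=2)])

# Constructed sample traffic. Note that the guide's SSN expression requires a
# separator before the last four digits, so an unseparated number is not found.
SALE_ONLY = Message("smtp", sender="friend@example.org", body="the sale starts Monday")
SPAMMER_SALE = Message("smtp", sender="spammer@example.com", body="big sale today")
SSN_MAIL = Message("smtp", sender="hr@example.org", body="SSN 123-45-6789 on file")
UNSEPARATED = Message("smtp", sender="hr@example.org", body="SSN 123456789 on file")
BIG_MAIL = Message("smtp", sender="hr@example.org", attachment_size=6 * 1024 * 1024)
```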

DLP archiving

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiGate configuration (see "Remote logging to a FortiAnalyzer unit" on page 423). The FortiGuard Analysis and Management server becomes available when you subscribe to the FortiGuard Analysis and Management Service (see the FortiGuard Analysis and Management Service Administration Guide).

You can archive Email, FTP, HTTP, IM, and session control content:
• Email content includes IMAP, POP3, and SMTP sessions. If your FortiGate unit supports SSL content scanning and inspection, Email content can also include IMAPS, POP3S, and SMTPS sessions. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook. Email content can also include email messages tagged as spam by FortiGate Email filtering.
• HTTP content includes HTTP sessions. If your FortiGate unit supports SSL content scanning and inspection, HTTP content can also include HTTPS sessions. For more information about SSL content scanning and inspection, see the UTM chapter of the FortiOS Handbook.
• IM content includes AIM, ICQ, MSN, and Yahoo! sessions.
• Session control content includes SIP, SIMPLE and SCCP sessions.

DLP archiving is enabled in the DLP sensor itself. You add DLP sensors to archive Email, FTP, HTTP, IM, and session control content. DLP sensors are located in UTM > Data Leak Prevention > Sensor. You can also use either the Content_Archive or Content_Summary sensors to archive DLP logs instead of creating a new DLP sensor for archiving purposes. Archiving of spam email messages is configured in the DLP sensor.

You can configure full DLP archiving and summary DLP archiving. Full DLP archiving includes all content. For example, full email DLP archiving includes complete email messages and attachments. Summary DLP archiving includes just the meta data about the content. For example, email message summary records include only the email header.

Full and summary DLP archiving is available for SIMPLE. Only summary DLP archiving is available for SIP and SCCP. You can now create a session control DLP rule that includes SIP, SIMPLE or SCCP for DLP archiving within the CLI. For details, see the FortiGate CLI Reference.

Application Control

This section describes how to configure the application control options associated with firewall policies.

If you enable virtual domains (VDOMs) on the FortiGate unit, the application control configuration of each VDOM is entirely separate. For example, application black/white lists created in one VDOM will not be visible in other VDOMs. For more information, see "Using virtual domains" on page 79.

Using the application control UTM feature, your FortiGate unit can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols.

The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control black/white lists that specify the action to take with the traffic of the applications you need to manage and the network on which they are active. Add application control lists to firewall policies applied to the network traffic you need to monitor.

Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number. You can find the version of the application control database that is installed on your FortiGate unit by going to the License Information dashboard widget and finding the IPS Definitions version.

To see the complete list of applications supported by FortiGuard Application Control, go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.

Figure 23: ISIS-Over-IPv4 application page

This topic includes the following:
• Application Control List
• Application List

Application Control List

Each application control list contains details about the application traffic to be monitored and the actions to be taken when it is detected. An application control list must be selected in a firewall policy to take effect. There are no default application control lists provided.

Application Control lists are configured in UTM > Application Control > Application Control List. In the Application Control List menu, you can edit, delete and create a new application control list.
Network monitoring is available only on FortiGate models with a hard disk. When you select the check box beside Monitor in the Application Control Lists Setting page, you are enabling network monitoring. You can view this information from the Executive Summary page. For more information about configuring widgets in Log&Report > Report Access > Executive Summary, see .

Application Control Lists page
Lists each individual black/white list that you created. On this page, you can edit, delete and create a new application control list.
Create New: Select to create a new application control list. When you select Create New, you are automatically redirected to the New Application Control List page. This page provides a name field and a comment field; you must enter a name to go to the Application Control Lists Settings page.
Name: The available application control lists.
# of Entries: The number of application rules in each application control list.
Comments: An optional description of each application control list.
Delete: Select to remove the application control list.
Edit: Select to edit the application control list. When you are editing a list, you are redirected to this page.

Application Control Lists Settings page
Provides settings for configuring the applications for the list.
Name: If you are editing an existing application control list and want to change the name, enter a new name in the field. You must select OK to save the change.
Comments: If you are editing an existing list and want to change the description, enter the changes in the field. You must select OK to save the change.
OK: Select to save changes that you made to the Name and/or Comment fields.
Monitor: Select to enable network monitoring, so that your network is being monitored.
Create New: Select to create a new application entry.
ID: A unique number used primarily when re-ordering application entries.
Category: The category indicates the scope of the applications included in the application entry if Application is set to all. For example, if Application is all and Category is toolbar, then all the toolbar applications are included in the application entry even though they are not specified individually. If Application is a single application, the value in Category has no effect on the operation of the application entry.

The FortiGate unit examines network traffic for the application entries in the listed order, from top to bottom. Whenever a match is detected, the action specified in the matching rule is applied to the traffic and further checks for application entry matches are stopped. Since the entries are checked from top to bottom, you can use both actions to create a complex rule with fewer entries. For example, if your organization has standardized on AIM for instant messaging, you can allow AIM and block all other IM clients with just two entries. First, create an entry in which AIM is the specified application. Set the action to Pass. Then create an entry in which the Category is im, the Application is all, and the action is Block. AIM traffic triggers the first rule, and is passed. All other detected IM traffic triggers the second rule, and the FortiGate unit blocks it.

Application: The FortiGate unit will examine network traffic for the listed application. If the FortiGate unit detects traffic from the specified application, the selected action will be taken. If Application is all, every application in the selected category is included. The Category selection can also be used to specify an entire category of applications. To select all IM applications, for example, select the im category, and select all as the application. This specifies all the IM applications with a single application control black/white list entry. If you want to choose an IM application, for example, select the im category, and the application control list will show only the im applications.
Action: The options that you can select for the list.
Logging: When enabled, the FortiGate unit will log the occurrence and the action taken when traffic from the specified application is detected.
Delete: Select to delete the application entry.
Edit: Select to edit the application entry.
Insert: Select to create a new application entry above the entry in which you selected Insert.
Move: Select to move the application entry to a different position in the black/white list.

New Application Entry page
Category: The applications are categorized by type. If Application is all, every application in the selected category is included.
Application: The FortiGate unit will examine network traffic for the listed application. If traffic from the specified application is detected, the selected action will be taken.
Action: The options that you can select for the entry.
Options
Session TTL: The application’s session TTL. If this option is not enabled, the TTL defaults to the setting of the config system session-ttl CLI command.
Enable Logging: When enabled, the FortiGate unit will log the occurrence and the action taken.
Enable Packet Logging: When enabled, the FortiGate unit will log the occurrence of packet logs which concern application control.

Application List
The application list displays applications, which includes their category, popularity rating and risk. Application lists are configured in UTM > Application Control > Application List. You can view the details of each application by selecting the application’s name; this link redirects you to the FortiGuard Application Control List where the details are given for the application. To see the complete list of applications supported by FortiGuard Application Control, go to the FortiGuard Application Control List. This web page lists all of the supported applications, and also shows their popularity and risk. You can select any application name to see details about the application.
You can also filter the information that appears in UTM > Application Control > Application List. For more information about how to filter information in lists, see .

Application List page
Lists the applications that are available on the FortiGate unit.
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the list.

[Total: 1083]: The maximum number of applications that are in the FortiGuard Application Control List.
Application Name: The name of the application.
Category: The category that the application is associated with.
Popularity: The level of popularity of the application. The popularity contains three levels: low, medium and high.
Risk: The level of risk associated with the application. The risk contains three levels: low, medium and high.

VoIP
The FortiGate unit can effectively secure VoIP solutions since it supports VoIP protocols and associates state at the signaling layer with packet flows at the media layer. By using SIP ALG controls, the FortiGate unit can interpret the VoIP signaling protocols used in the network and dynamically open and close ports (pinholes) for each specific VoIP call to maintain security.

Profile
The Profile menu allows you to configure VoIP profiles for applying to firewall policies. A profile is specific information that defines how the traffic within a policy is examined and what action may be taken based on the examination. In UTM > VoIP > Profile, you can configure multiple profiles for applying to firewall policies that concern only VoIP protocols. VoIP profiles are configured in UTM > VoIP > Profile.

Profile page
Lists the profiles that you created for SIP and SCCP protocols. On this page, you can edit, delete or create a new profile for VoIP protocols.
Create New: Select to create a new VoIP profile.
Edit: Select to change a profile’s settings. When you edit a VoIP profile, you are automatically redirected to the Edit VoIP Profile page.
Delete: Select to remove a profile.
Name: The name of the profile.
Comments: A description about the profile. This is optional.

New VoIP Profile page
Provides settings for configuring SIP and SCCP options within the profile.
Name: Enter a name for the profile.
Comments: Enter a description about the profile. This is an optional setting.
SIP: Configuration settings for SIP protocols.
Limit REGISTER requests: Enter a number for limiting the time it takes to register requests.
Limit INVITE requests: Enter a number to limit invitation requests.
Enable Logging: Select to log SIP requests.
Enable Logging of Violations: Select to log SIP violations.
SCCP: Configuration settings for SCCP protocols.
Limit Call Setup: Enter a number to limit call setup time.
Enable Logging: Select to log SCCP.
Enable Logging of Violations: Select to log violations of SCCP.
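The two-entry list described under Application Control List (pass AIM, block every other IM client) and the firewall policy that activates it, written for the FortiOS 4.0 CLI. This is an added example, not configuration from this guide; the list name, interface names and the bracketed application and category IDs are assumptions, and the keyword names should be checked against the FortiGate CLI Reference.

```fortios
# Added example, not from the FortiGate Administration Guide.
# <aim_app_id> and <im_category_id> are placeholders: take the numeric
# IDs from UTM > Application Control > Application List on your unit.
config application list
    edit "aim-only"
        set comment "Allow AIM, block all other IM clients"
        config entries
            # Entry 1: one specific application. Category has no effect
            # when a single application is set, so only AIM matches.
            edit 1
                set category <im_category_id>
                set application <aim_app_id>
                set action pass
                set log enable
            next
            # Entry 2: the whole IM category (no application set, which
            # is assumed to mean "all" as in the web UI). Entries are
            # checked top to bottom and the first match wins, so AIM
            # traffic is passed by entry 1 and never reaches this entry.
            edit 2
                set category <im_category_id>
                set action block
                set log enable
            next
        end
    next
end

# A list takes effect only when a firewall policy selects it.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set utm-status enable
        set application-list "aim-only"
        set logtraffic enable
        set nat enable
    next
end
```

Blocked and passed IM sessions both appear in the application control log because log is enabled on each entry; reversing the two entries would block AIM as well, since the category entry would match first.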

IPsec VPN
This section provides an introduction to Internet Protocol Security (IPsec) VPN configuration options that are available through the web-based manager, as well as background information. For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is configured separately for each virtual domain. For more information, see “Using virtual domains” on page 79.
The following topics are included in this section:
• IPsec VPN overview
• Policy-based versus route-based VPNs
• Auto Key (IKE)
• Manual Key
• Internet browsing
• Concentrator
• Monitoring VPNs
Note: L2TP and IPSec are supported for the native Windows XP, Windows Vista and Mac OSX VPN clients.

IPsec VPN overview
The IPsec VPN menu contains settings and options for configuring an IPsec VPN. An IPsec VPN is a virtual private network that uses the IPsec protocol suite to provide security and protection for the virtual private network; this means that any data coming into the network and any data going out is encrypted.
FortiGate units support both policy-based (tunnel-mode) and route-based (interface mode) VPNs. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-based VPN, the firewall policy action is ACCEPT. See “Policy” on page 261.
IPsec VPNs that are configured in FortiOS must be configured by using the following general procedure:
1 Define the phase 1 parameters that the FortiGate unit needs to authenticate remote peers or clients and establish a secure connection. See “Phase 1 configuration” on page 355.
2 Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with a remote peer or dialup client. See “Phase 2 configuration” on page 359.
3 Create a firewall policy to permit communication between your private network and the VPN. See “Policy” on page 261.
Note: You must use steps 1 and 2 if you want the FortiGate unit to generate unique IPsec encryption and authentication keys automatically. If a remote VPN peer or client requires a specific IPsec encryption or authentication key, you must configure the FortiGate unit to use manual keys instead. For more information, see “Manual Key” on page 361.

Phase 1 is a group of settings that configure the first part of the IPsec VPN. These settings are used to authenticate remote peers or clients, and establish a secure connection. Phase 2 is a group of settings that configure the second and last part of the IPsec VPN, and provide the information the FortiGate unit needs to create a VPN tunnel with a remote peer or dialup client.
Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates. As an option, you can specify manual keys. FortiGate units implement the Encapsulating Security Payload (ESP) protocol. The encrypted packets look like ordinary packets that can be routed through any IP network.
Interface mode, supported in NAT/Route mode only, creates a virtual interface for the local end of a VPN tunnel. Virtual IPsec interface bindings are shown on the network interfaces page (go to System > Network > Interface). The names of all tunnels bound to physical, VLAN, aggregate, inter-VDOM link or wireless interfaces are displayed under their associated interface names in the Name column. For more information, see “Configuring interfaces” on page 85.

Policy-based versus route-based VPNs
FortiGate units support both policy-based and route-based VPNs. Generally, you can configure route-based VPNs more easily than policy-based VPNs. However, the two types have different requirements that limit where you can use them, as shown in Table 53.
Table 53: Comparison of policy-based and route-based VPNs
Policy-based: Available in NAT/Route or Transparent mode. Requires a firewall policy with IPSEC action that specifies the VPN tunnel. One policy controls connections in both directions.
Route-based: Available only in NAT/Route mode. Requires only a simple firewall policy with ACCEPT action. A separate policy is required for connections in each direction.
You create a policy-based VPN by defining an IPsec firewall policy between two network interfaces and associating it with the VPN tunnel (phase 1 or manual key) configuration. You need only one firewall policy, even if either end of the VPN can initiate a connection.
You create a route-based VPN by enabling IPsec interface mode when you create the VPN phase 1 or manual key configuration. This creates a virtual IPsec interface that is bound to the local interface you selected. You then define an ACCEPT firewall policy to permit traffic to flow between the virtual IPSec interface and another network interface. If either end of the VPN can initiate the connection, you need two firewall policies, one for each direction. As with other interfaces, you can include a virtual IPsec interface in a zone.

Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a concentrator function. This is available only for policy-based VPNs, but you can create the equivalent function for a route-based VPN in any of the following ways:
• Define a firewall policy between each pair of IPsec interfaces that you want to concentrate. This can be time-consuming to maintain if you have many site-to-site connections, since the number of policies required increases rapidly as the number of spokes increases.
• Put all the IPsec interfaces in a zone and enable intra-zone traffic. There must be more than one IPsec interface in the zone.
• Put all the IPsec interfaces into a zone and then define a single zone-to-zone policy.

Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy. You can configure several routes for the same IP traffic with different route metrics. If the primary VPN connection fails or the priority of a route changes through dynamic routing, an alternative route will be selected to forward traffic through the redundant connection. A simple way to provide failover redundancy is to create a backup IPsec interface. You can do this in the CLI. For more information, see the monitor-phase1 keyword for the ipsec vpn phase1-interface command in the FortiGate CLI Reference.

Routing
Optionally, you can define a specific default route for a virtual IPsec interface, through the CLI. For more information, see the default-gw variable for the vpn ipsec phase1-interface command in the FortiGate CLI Reference. You can also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through VPN tunnels. For more information, including an example configuration, see the FortiGate IPSec VPN User Guide.

Auto Key (IKE)
You can configure two VPN peers (or a FortiGate dialup server and a VPN client) to generate unique Internet Key Exchange (IKE) keys automatically during the IPsec phase 1 and phase 2 exchanges. Two VPN peers are configured in VPN > IPsec > Auto Key (IKE). Auto Key configuration applies to both tunnel-mode and interface-mode VPNs. When you define phase 2 parameters, you can choose any set of phase 1 parameters to set up a secure connection for the tunnel and authenticate the remote peer. For more information, see “Phase 1 configuration” on page 355 and “Phase 2 configuration” on page 359.

Auto Key (IKE) page
Lists each phase 1 and phase 2 configuration of the two VPN peers that make up the IKE key.
Create Phase 1: Create a new phase 1 tunnel configuration.
Create Phase 2: Create a new phase 2 configuration.
Phase 1: The names of existing phase 1 tunnel configurations.
Phase 2: The names of existing phase 2 configurations.
Interface Binding: The names of the local interfaces to which IPsec tunnels are bound. These can be physical, VLAN, aggregate, inter-VDOM link or wireless interfaces.
Edit: Select to modify a setting for the exchanges.
Delete: Select to remove the IKE key.

Phase 1 configuration
In phase 1, two VPN peers (or a FortiGate dialup server and a VPN client) authenticate each other and exchange keys to establish a secure communication channel between them. The basic phase 1 settings associate IPsec phase 1 parameters with a remote gateway and determine:
• whether the various phase 1 parameters will be exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (Aggressive mode)
• whether a pre-shared key or digital certificates will be used to authenticate the identities of the two VPN peers (or a VPN server and its client)
• whether a special identifier, certificate distinguished name, or group name will be used to identify the remote VPN peer or client when a connection attempt is made
When you select Create New Phase 1 on the Auto Key (IKE) page, you are automatically redirected to the New Phase 1 page.

New Phase 1 page
Provides settings for configuring a phase 1.
Name: Type a name to represent the phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on. For a tunnel mode VPN, the name should reflect where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPsec interface that it creates automatically.
Remote Gateway: Select the category of the remote connection:
Static IP Address — If the remote peer has a static IP address.
Dialup User — If one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.
Dynamic DNS — If a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.
IP Address: If you selected Static IP Address, type the IP address of the remote peer.
Dynamic DNS: If you selected Dynamic DNS, type the domain name of the remote peer.
Local Interface: This option is available in NAT/Route mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit. By default, the local VPN gateway IP address is the IP address of the interface that you selected. Optionally, you can specify a unique IP address for the VPN gateway in the Advanced settings.
Mode: Select Main (ID Protection) or Aggressive:
• In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.
When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address. When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one phase 1 configuration for the interface IP address and these phase 1 configurations use different proposals.
Authentication Method: Select Preshared Key or RSA Signature.
Pre-shared Key: If you selected Pre-shared Key, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Certificate Name: If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. For information about obtaining and loading the required server certificate, see the FortiGate Certificate Management User Guide.

Peer Options: One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
Accept any peer ID: Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main. You can use this option with RSA Signature authentication. But, for highest security, you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.
Accept this peer ID: This option is available only if the remote peer has a dynamic IP address. Enter the identifier that is used to authenticate the remote peer. This identifier must match the identifier that the remote peer’s administrator has configured. If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the phase 1 configuration. If the remote peer is a FortiClient dialup client, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection’s Advanced Settings.
Accept peer ID in dialup group: Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel. You must create a dialup user group for authentication purposes. (For more information, see “User Group” on page 390.) Select the group from the list next to the Accept peer ID in dialup group option. You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup phase 1 configuration for this interface IP address. For more information about configuring FortiGate dialup clients, see the FortiGate IPSec VPN User Guide. For more information about configuring FortiClient dialup clients, see the Authenticating FortiClient Dialup Clients Technical Note.
Advanced: Defines advanced phase 1 parameters. For more information, see “Phase 1 advanced configuration settings” on page 357.

Phase 1 advanced configuration settings
You use the advanced P1 Proposal parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also select these advanced settings to ensure the smooth operation of phase 1 negotiations.

Advanced section of the New Phase 1 page
Enable IPsec Interface Mode: This is available in NAT/Route mode only. Select this option to create a route-based VPN; clear it to create a policy-based VPN. Creates a virtual interface for the local end of the VPN tunnel.
IKE Version: Select the version of IKE to use: 1 or 2. The default is 1. This is available only if IPsec Interface Mode is enabled. IKE v2 is not available if Mode is Aggressive. When IKE Version is 2, Mode and XAUTH are not available. For more information about IKE v2, refer to RFC 4306.
IPv6 Version: Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses. This is available only when Enable IPsec Interface Mode is enabled and IPv6 Support is enabled in the administrative settings.

Local Gateway IP: If you selected Enable IPsec Interface Mode, specify an IP address for the local end of the VPN tunnel. Select one of the following:
Main Interface IP — The FortiGate unit obtains the IP address of the interface from the network interface settings.
Specify — You can specify a secondary address of the interface selected in the phase 1 Local Interface field. For more information, see “Local Interface” on page 356 and “Configuring interfaces” on page 85.
You cannot configure Interface mode in a Transparent mode VDOM.
P1 Proposal: Select the encryption and authentication algorithms used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define. To specify a third combination, use the Add button beside the fields for the second combination.
Select one of the following symmetric-key algorithms:
DES — Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
Select either of the following message digests to check the authenticity of messages during phase 1 negotiations:
MD5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, 5 and 14. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit.
Keylife: Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID: If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange. If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes. If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup client), set Mode to Aggressive.
XAuth: This option supports the authentication of dialup clients. It is available for IKE v1 only.
Disable — Select if you do not use XAuth.
Enable as Client — If the FortiGate unit is a dialup client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.

Enable as Server — This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit, and then select the user group from the User Group list. For more information, see “User Group” on page 390. You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For more information, see “RADIUS” on page 393 or “LDAP” on page 394. Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server.
Username: Enter the user name that is used for authentication.
Password: Enter the password that is used for authentication.
NAT Traversal: Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.
Keepalive Frequency: If you enabled NAT-traversal, enter a keepalive frequency setting. The value represents an interval ranging from 10 to 900 seconds.
Dead Peer Detection: Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. (For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.) With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval. For more information, see the FortiGate CLI Reference.

Phase 2 configuration
After IPsec phase 1 negotiations end successfully, you begin phase 2. You configure the phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. The basic phase 2 settings associate IPsec phase 2 parameters with the phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic phase 2 settings. During phase 2, you select specific IPsec security associations needed to implement security services and establish a tunnel.
When you select Create Phase 2 on the Auto Key (IKE) page, you are automatically redirected to the New Phase 2 page.

New Phase 2 page
Provides settings for configuring Phase 2.
Name: Type a name to identify the phase 2 configuration.
Phase 1: Select the phase 1 tunnel configuration. The phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured. For more information, see “Phase 1 configuration” on page 355.
Advanced: Define advanced phase 2 parameters. For more information, see “Phase 2 advanced configuration settings” on page 360.

Phase 2 advanced configuration settings
In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). The keys are generated automatically using a Diffie-Hellman algorithm. You can use a number of additional advanced phase 2 settings to enhance the operation of the tunnel.

Advanced section of New Phase 2 page

P2 Proposal: Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. These are called P2 Proposal parameters. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer. Initially there are two proposals. Add and Delete icons are next to the second Authentication field. To specify only one proposal, select Delete to remove the second proposal. To specify a third proposal, select Add.

Encryption: Select one of the following symmetric-key algorithms:
NULL — Do not use an encryption algorithm.
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.

Authentication: Select one of the following message digests to check the authenticity of messages during an encrypted session:
NULL — Do not use a message digest.
MD5 — Message Digest 5, the hash algorithm developed by RSA Data Security.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
It is invalid to set both Encryption and Authentication to NULL.

Enable replay detection: Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Enable perfect forward secrecy (PFS): Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever the keylife expires.

DH Group: Select one Diffie-Hellman group (1, 2, 5 or 14). This must match the DH Group that the remote peer or dialup client uses.

Keylife: Select the method for determining when the phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed. The range is from 120 to 172 800 seconds, or from 5120 to 2 147 483 648 KB.

Autokey Keep Alive: Select the check box if you want the tunnel to remain active when no data is being processed.
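The P2 Proposal, DH Group and Keylife rules above, modelled as an added illustration that is not FortiOS code; the Phase2 and Proposal structures and the sample peer configurations are constructed for this example.

```python
# Added illustration (not FortiOS code) of the P2 Proposal, DH Group and Keylife
# rules; the Phase2 structure and any sample peers are constructed here.
from dataclasses import dataclass
from typing import List, Optional

ENCRYPTION = {"NULL", "DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"NULL", "MD5", "SHA1", "SHA256"}
DH_GROUPS = {1, 2, 5, 14}
KEYLIFE_SECONDS = (120, 172800)        # documented range, seconds
KEYLIFE_KBYTES = (5120, 2147483648)    # documented range, KB

@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str

@dataclass
class Phase2:
    proposals: List[Proposal]   # the GUI allows one to three
    dh_group: int
    keylife_type: str           # "seconds", "kbytes" or "both"
    keylife_seconds: int = 1800
    keylife_kbytes: int = 5120

def validate_phase2(cfg: Phase2) -> List[str]:
    """Return the documented constraints that cfg violates (empty list = valid)."""
    errors = []
    if not 1 <= len(cfg.proposals) <= 3:
        errors.append("between one and three proposals are required")
    for p in cfg.proposals:
        if p.encryption not in ENCRYPTION or p.authentication not in AUTHENTICATION:
            errors.append(f"unknown algorithm in {p}")
        elif p.encryption == "NULL" and p.authentication == "NULL":
            errors.append("Encryption and Authentication cannot both be NULL")
    if cfg.dh_group not in DH_GROUPS:
        errors.append(f"DH group {cfg.dh_group} is not one of 1, 2, 5, 14")
    if cfg.keylife_type in ("seconds", "both") and not (
            KEYLIFE_SECONDS[0] <= cfg.keylife_seconds <= KEYLIFE_SECONDS[1]):
        errors.append("keylife in seconds is outside 120 to 172 800")
    if cfg.keylife_type in ("kbytes", "both") and not (
            KEYLIFE_KBYTES[0] <= cfg.keylife_kbytes <= KEYLIFE_KBYTES[1]):
        errors.append("keylife in KB is outside 5120 to 2 147 483 648")
    return errors

def select_proposal(local: Phase2, remote: Phase2) -> Optional[Proposal]:
    """First local proposal the remote peer also offers, or None. The DH groups
    must match as well, otherwise phase 2 cannot be negotiated at all."""
    if local.dh_group != remote.dh_group:
        return None
    offered = set(remote.proposals)
    return next((p for p in local.proposals if p in offered), None)

def key_expired(cfg: Phase2, age_seconds: int, kbytes_processed: int) -> bool:
    """Keylife rule: Seconds, KBytes, or Both (Both expires on whichever limit is hit first)."""
    by_time = age_seconds >= cfg.keylife_seconds
    by_volume = kbytes_processed >= cfg.keylife_kbytes
    if cfg.keylife_type == "seconds":
        return by_time
    if cfg.keylife_type == "kbytes":
        return by_volume
    return by_time or by_volume
```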

DHCP-IPSec: Provide IP addresses dynamically to VPN clients. This is available for phase 2 configurations associated with a dialup phase 1 configuration. You also need to configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately. For more information, see “System DHCP Server” on page 129.
If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.
If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Accept peer ID in dialup group and select the appropriate user group. See “Phase 1 configuration” on page 355.

Quick Mode Selector: Optionally specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, you should keep the default value 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.
If you are editing an existing phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI. For more information, see the dst-addr-type, dst-name, src-addr-type and src-name keywords for the vpn ipsec phase2 command in the FortiGate CLI Reference.

Source address: If the FortiGate unit is a dialup server, type the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.[80-100] or 172.16.5.80-172.16.5.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer. If the FortiGate unit is a dialup client, the source address must refer to the private network behind the FortiGate dialup client.

Source port: Type the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Destination address: Type the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.10.1/32 or 192.168.10.1/255.255.255.255 for a server or host, 192.168.10.0/24 or 192.168.10.0/255.255.255.0 for a subnet, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.

Destination port: Type the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Protocol: Type the IP protocol number of the service. The range is from 0 to 255. To specify all services, type 0.

Note: You can configure settings so that VPN users can browse the Internet through the FortiGate unit. For more information, see “Internet browsing” on page 363.

Manual Key
Caution: You should use manual keys only if it is unavoidable. There are potential difficulties in keeping keys confidential and in propagating changed keys to remote VPN peers securely.
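The Quick Mode Selector address forms above (host, subnet in prefix or dotted-mask notation, bracketed and dashed ranges, and the 0.0.0.0/0 wildcard) with the port and protocol wildcards, as an added example that is not FortiOS code; the Selector class and the traffic it is tested against are constructed for this illustration.

```python
# Added example (not FortiOS code): parse the Quick Mode Selector address forms
# and test whether constructed traffic falls inside a selector.
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple

def parse_address(text: str) -> Tuple[int, int]:
    """Inclusive (first, last) IPv4 range denoted by a selector address.
    Accepts host/32, net/24, net/255.255.255.0, a.b.c.[80-100],
    a.b.c.80-a.b.c.100 and 0.0.0.0/0 (all addresses behind the peer)."""
    text = text.strip()
    bracket = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]", text)
    if bracket:
        prefix, first, last = bracket.groups()
        lo = int(ipaddress.IPv4Address(f"{prefix}.{first}"))
        hi = int(ipaddress.IPv4Address(f"{prefix}.{last}"))
    elif "-" in text:                      # a.b.c.d-e.f.g.h range form
        first, last = text.split("-", 1)
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    else:                                  # prefix-length or dotted-mask form
        net = ipaddress.IPv4Network(text, strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
    if lo > hi:
        raise ValueError(f"range start is after its end: {text}")
    return lo, hi

@dataclass(frozen=True)
class Selector:
    source: str
    destination: str
    source_port: int = 0        # 0 = all ports (documented range 0 to 65535)
    destination_port: int = 0
    protocol: int = 0           # 0 = all services (documented range 0 to 255)

    def __post_init__(self):
        for value, top, label in ((self.source_port, 65535, "source port"),
                                  (self.destination_port, 65535, "destination port"),
                                  (self.protocol, 255, "protocol")):
            if not 0 <= value <= top:
                raise ValueError(f"{label} must be 0 to {top}")
        parse_address(self.source)          # fail early on a malformed address
        parse_address(self.destination)

    def matches(self, src: str, dst: str, sport: int, dport: int, proto: int) -> bool:
        """True when the packet is covered by this selector; 0 fields are wildcards."""
        def in_range(addr: str, text: str) -> bool:
            lo, hi = parse_address(text)
            return lo <= int(ipaddress.IPv4Address(addr)) <= hi
        return (in_range(src, self.source) and in_range(dst, self.destination)
                and self.source_port in (0, sport)
                and self.destination_port in (0, dport)
                and self.protocol in (0, proto))
```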

If required, you can manually define cryptographic keys for establishing an IPsec VPN tunnel. You would define manual keys in situations where:
• You require prior knowledge of the encryption or authentication key (that is, one of the VPN peers requires a specific IPsec encryption or authentication key).
• You need to disable encryption and authentication.
In both cases, you do not specify IPsec phase 1 and phase 2 parameters; you define manual keys by going to VPN > IPsec > Manual Key instead.
If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. In addition, it is essential that both VPN devices be configured with complementary Security Parameter Index (SPI) settings. Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to link the datagrams to the SA. When an ESP datagram is received, the recipient refers to the SPI to determine which SA applies to the datagram. You must manually specify an SPI for each SA. There is an SA for each direction, so for each VPN you must specify two SPIs, a local SPI and a remote SPI, to cover bidirectional communications between two VPN devices. The administrators of the devices need to cooperate to achieve this.

Manual Key page
Lists each individual cryptographic key that you created for establishing an IPSec VPN.

Create New: Create a new manual key configuration. See “New manual key configuration” on page 362.

Tunnel Name: The names of existing manual key configurations.

Remote Gateway: The IP addresses of remote peers or dialup clients.

Encryption Algorithm: The names of the encryption algorithms specified in the manual key configurations.

Authentication Algorithm: The names of the authentication algorithms specified in the manual key configurations.

Edit: Select to modify settings of a cryptographic key.

Delete: Select to remove a cryptographic key from the list.

New manual key configuration
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt the following procedure without qualified assistance.

New Manual Key page
Provides settings for configuring a cryptographic key for the IPSec VPN.

Name: Type a name for the VPN tunnel. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN.

Local SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.

Remote SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.

Remote Gateway: Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams.

Local Interface: This option is available in NAT/Route mode only. Select the name of the interface to which the IPsec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from the network interface settings. For more information, see “Configuring interfaces” on page 85.

Encryption Algorithm: Select one of the following symmetric-key encryption algorithms:
NULL — Do not use an encryption algorithm.
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
Note: The algorithms for encryption and authentication cannot both be NULL.

Encryption Key: Enter an encryption key appropriate to the encryption algorithm:
• for NULL, no key is required.
• for DES, type a 16-character hexadecimal number (0-9, a-f).
• for 3DES, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
• for AES128, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
• for AES192, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
• for AES256, type a 64-character hexadecimal number (0-9, a-f) separated into four segments of 16 characters.

Authentication Algorithm: Select one of the following message digests:
NULL — Do not use a message digest.
MD5 — Message Digest 5 algorithm, which produces a 128-bit message digest.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
SHA256 — Secure Hash Algorithm 2, which produces a 256-bit message digest.
Note: The algorithms for encryption and authentication cannot both be NULL.

Authentication Key: Enter an authentication key appropriate to the authentication algorithm:
• for MD5, type a 32-character hexadecimal number separated into two segments of 16 characters.
• for SHA1, type a 40-character hexadecimal number separated into two segments of 16 characters and a third segment of 8 characters.
• for SHA256, type a 64-character hexadecimal number separated into four segments of 16 characters.
Digits can be 0 to 9, and a to f.

IPsec Interface Mode: Create a virtual interface for the local end of the VPN tunnel. Select this check box to create a route-based VPN; clear it to create a policy-based VPN.

Internet browsing
By using appropriate firewall policies, you can enable VPN users to browse the Internet through the FortiGate unit. This is available only in NAT/Route mode. The required policies are different for policy-based and route-based VPNs. For more information, see “Policy” on page 261.
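The manual key rules above (SPI range, key length per algorithm, the NULL/NULL restriction, and the complementary Local/Remote SPI and identical keys that cooperating peers must agree on), as an added illustration that is not FortiOS code; the ManualKey structure and the sample site configurations are constructed for this example.

```python
# Added illustration (not FortiOS code) of the manual key rules: SPI range,
# key length per algorithm, the NULL/NULL rule and the complementary SPI check
# between two peers. ManualKey and any sample sites are constructed here.
import re
from dataclasses import dataclass
from typing import List

# Hexadecimal characters required for each algorithm's key, as documented.
ENC_KEY_HEX_LEN = {"NULL": 0, "DES": 16, "3DES": 48, "AES128": 32, "AES192": 48, "AES256": 64}
AUTH_KEY_HEX_LEN = {"NULL": 0, "MD5": 32, "SHA1": 40, "SHA256": 64}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF

@dataclass
class ManualKey:
    name: str
    local_spi: str          # hexadecimal, up to 8 characters
    remote_spi: str
    encryption: str
    encryption_key: str     # hexadecimal; 16-character segments may be space-separated
    authentication: str
    authentication_key: str

def _norm(value: str) -> str:
    """Drop segment separators and case so keys entered in segments compare equal."""
    return re.sub(r"\s+", "", value).lower()

def _hex_len(value: str) -> int:
    """Length of a hexadecimal key, or -1 when it contains non-hex characters."""
    compact = _norm(value)
    return len(compact) if re.fullmatch(r"[0-9a-f]*", compact) else -1

def _spi_error(label: str, spi: str) -> str:
    if not re.fullmatch(r"[0-9a-fA-F]{1,8}", spi):
        return f"{label}: must be 1 to 8 hexadecimal characters"
    if not SPI_MIN <= int(spi, 16) <= SPI_MAX:
        return f"{label}: must be between 0x100 and 0xffffffff"
    return ""

def validate_manual_key(cfg: ManualKey) -> List[str]:
    """Return the documented rules cfg violates; an empty list means it is acceptable."""
    errors = [e for e in (_spi_error("Local SPI", cfg.local_spi),
                          _spi_error("Remote SPI", cfg.remote_spi)) if e]
    if cfg.encryption == "NULL" and cfg.authentication == "NULL":
        errors.append("encryption and authentication cannot both be NULL")
    for label, algo, key, table in (
            ("Encryption Key", cfg.encryption, cfg.encryption_key, ENC_KEY_HEX_LEN),
            ("Authentication Key", cfg.authentication, cfg.authentication_key, AUTH_KEY_HEX_LEN)):
        if algo not in table:
            errors.append(f"{label}: unknown algorithm {algo}")
        elif _hex_len(key) != table[algo]:
            errors.append(f"{label}: {algo} needs {table[algo]} hexadecimal characters")
    return errors

def peers_complementary(a: ManualKey, b: ManualKey) -> bool:
    """True when a's Local SPI is b's Remote SPI and vice versa, and both sides
    carry identical algorithms and keys, as required of cooperating peers."""
    if validate_manual_key(a) or validate_manual_key(b):
        return False
    return (int(a.local_spi, 16) == int(b.remote_spi, 16)
            and int(a.remote_spi, 16) == int(b.local_spi, 16)
            and a.encryption == b.encryption and a.authentication == b.authentication
            and _norm(a.encryption_key) == _norm(b.encryption_key)
            and _norm(a.authentication_key) == _norm(b.authentication_key))
```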

In a hub-and-spoke network, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, VPN traffic passes from one tunnel to the other through the hub. All VPN tunnels terminate at the hub. The peers that connect to the hub are known as “spokes”. The hub functions as a concentrator on the network, managing all VPN connections between the spokes.
You define a concentrator to include spokes in the hub-and-spoke configuration. You create the concentrator in VPN > IPSec > Concentrator. On this page, you can edit, delete or create a new concentrator. For more information, see “Monitoring VPNs” on page 364.

Concentrator page
Lists each individual concentrator, which is made up of spokes.

Concentrator Name: The names of existing IPsec VPN concentrators.

Members: The tunnels that are associated with the concentrators.

Delete: Select to remove a concentrator from the list.

Edit: Select to modify the settings within a concentrator.

New VPN Concentrator

Concentrator Name: Type a name for the concentrator.

Available Tunnels: A list of defined IPsec VPN tunnels. Select a tunnel from the list and then select the right arrow. Repeat these steps until all of the tunnels associated with the spokes are included in the concentrator.

Members: A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the left arrow.

Monitoring VPNs
You can use the IPsec monitor to view activity on IPsec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels.
For Dialup VPNs, the list provides status information about the VPN tunnels established by dialup clients, including their IP addresses. The number of tunnels shown in the list can change as dialup clients connect and disconnect.
For Static IP or dynamic DNS VPNs, the list provides status and IP addressing information about VPN tunnels, active or not, to remote peers that have static IP addresses or domain names.

Monitor page
Lists all IPSec VPNs that are currently being monitored. You can view either just Dialup or Static or Dynamic DNS IPSec VPNs. You can also start and stop individual tunnels from the list. You can use filters to control the information displayed in the list. For more information, see “Adding filters to web-based manager lists” on page 26.

Type: Select the types of VPN to display: “All”, “Dialup”, or “Static IP or Dynamic DNS”.

A concentrator configuration specifies which spokes to include in a