
FortiGate

Version 4.0
Administration Guide

Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.

FortiGate Administration Guide Version 4.0
24 April 2009
01-400-89802-20090424

Copyright © 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Introduction .... 21

  Fortinet products .... 21
  About this document .... 21
  Document conventions .... 24
    IP addresses .... 24
    CLI constraints .... 24
    Cautions, Notes and Tips .... 24
    Typographical conventions .... 25
  Registering your Fortinet product .... 25
  Customer service and technical support .... 25
  Training .... 26
  Fortinet documentation .... 26
    Tools and Documentation CD .... 26
    Fortinet Knowledge Center .... 26
    Comments on Fortinet technical documentation .... 26

What's new in FortiOS 4.0 .... 27

  FortiOS 4.0 FortiGate models and features supported .... 28
  UTM features grouped under new UTM menu .... 29
  Data Leak Prevention .... 29
  Application Control .... 29
  SSL content scanning and inspection .... 29
  WAN Optimization .... 30
  Endpoint control .... 30
  Network Access Control (NAC) quarantine .... 30
  IPS extensions .... 31
    DoS policies for applying IPS sensors .... 31
    NAC quarantine in DoS Sensors .... 31
    Adding IPS sensors to a DoS policy from the CLI .... 32
    One-arm IDS (sniffer mode) .... 32
    IPS interface policies for IPv6 .... 33
    IPS Packet Logging .... 33
  Enhanced Antispam Engine (ASE) .... 33
  WCCP v2 support .... 33
  Any interface for firewall policies .... 35
  Global view of firewall policies .... 35
  Identity-based firewall policies .... 35
  Web filtering HTTP upload enhancements .... 36

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

  Traffic shaping enhancements .... 36
  Firewall load balancing virtual IP changes .... 36
    User session persistence .... 36
    Health Check Monitor .... 36
    Load balancing server monitor .... 36
  Per-firewall policy session TTL .... 37
  Gratuitous ARP for virtual IPs .... 37
  Changes to protection profiles .... 37
  Changes to content archiving .... 37
  Customizable web-based manager pages .... 37
  Administration over modem .... 38
  Auto-bypass and recovery for AMC bridge module .... 38
  Rogue Wireless Access Point detection .... 38
  Configurable VDOM and global resource limits .... 38
  User authentication monitor .... 39
  OCSP and SCEP certificate over HTTPS .... 39
  Adding non-standard ports for firewall authentication .... 39
  Dynamically assigning VPN client IP addresses from a RADIUS record .... 40
  DHCP over route-based IPSec VPNs .... 40
  SNMP upgraded to v3.0 .... 40
  File Quarantine .... 41
  Customizable SSL VPN web portals .... 41
  Logging improvements .... 41
  Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic) .... 41

Web-based manager .... 43

  Common web-based manager tasks .... 44
    Connecting to the web-based manager .... 44
    Changing your FortiGate administrator password .... 45
    Changing the web-based manager language .... 46
    Changing administrative access to your FortiGate unit .... 46
    Changing the web-based manager idle timeout .... 47
    Connecting to the FortiGate CLI from the web-based manager .... 47
  Button bar features .... 47
    Contacting Customer Support .... 48
    Backing up your FortiGate configuration .... 48
    Using FortiGate Online Help .... 49
      Searching the online help .... 50


  Logging out .... 52
  Web-based manager pages .... 52
    Using the web-based manager menu .... 52
    Using web-based manager lists .... 53
    Adding filters to web-based manager lists .... 53
    Using page controls on web-based manager lists .... 57
    Using column settings to control the columns displayed .... 58
    Using filters with column settings .... 59
  Web-based manager icons .... 60

System Status .... 63

  Status page .... 63
    Viewing system status .... 63
  Changing system information .... 78
    Configuring system time .... 78
    Changing the FortiGate unit host name .... 78
  Changing the FortiGate firmware .... 79
    Upgrading to a new firmware version .... 80
    Reverting to a previous firmware version .... 80
  Viewing operational history .... 81
  Manually updating FortiGuard definitions .... 82
  Viewing Statistics .... 83
    Viewing the session list .... 83
    Viewing Content Archive information on the Statistics widget .... 84
    Viewing the Attack Log .... 85
  Topology .... 87
    Adding a subnet object .... 89
    Customizing the topology diagram .... 90

Managing firmware versions .... 91

  Backing up your configuration .... 92
    Backing up your configuration through the web-based manager .... 92
    Backing up your configuration through the CLI .... 92
    Backing up your configuration to a USB key .... 93
  Testing firmware before upgrading .... 94
  Upgrading your FortiGate unit .... 95
    Upgrading to FortiOS 4.0 through the web-based manager .... 95
    Upgrading to FortiOS 4.0 through the CLI .... 96
    Verifying the upgrade .... 97
  Reverting to a previous firmware image .... 98
    Downgrading to a previous firmware through the web-based manager .... 98
    Verifying the downgrade .... 99
    Downgrading to a previous firmware through the CLI .... 99

  Restoring your configuration .... 101
    Restoring your configuration settings in the web-based manager .... 101
    Restoring your configuration settings in the CLI .... 101

Using virtual domains .... 103

  Virtual domains .... 103
    Benefits of VDOMs .... 103
    VDOM configuration settings .... 104
    Global configuration settings .... 107
  Enabling VDOMs .... 108
  Configuring VDOMs and global settings .... 109
    VDOM licenses .... 109
    Creating a new VDOM .... 110
    Working with VDOMs and global settings .... 111
    Adding interfaces to a VDOM .... 113
    Inter-VDOM links .... 113
    Assigning an interface to a VDOM .... 114
    Assigning an administrator to a VDOM .... 115
    Changing the management VDOM .... 116
  Configuring global and VDOM resource limits .... 116
    VDOM resource limits .... 117
    Global resource limits .... 118

System Network .... 119

  Interfaces .... 119
    Switch Mode .... 122
    Interface settings .... 123
    Creating an 802.3ad aggregate interface .... 127
    Creating a redundant interface .... 128
    Configuring DHCP on an interface .... 130
    Configuring an interface for PPPoE .... 131
    Configuring Dynamic DNS on an interface .... 132
    Configuring a virtual IPSec interface .... 133
    Configuring interfaces with CLI commands .... 134
    Administrative access to an interface .... 135
    Interface MTU packet size .... 135
    Secondary IP Addresses .... 136
  Configuring zones .... 138
  Configuring the modem interface .... 139
    Configuring modem settings .... 140
    Redundant mode configuration .... 142
    Standalone mode configuration .... 143
    Adding firewall policies for modem connections .... 144
    Connecting and disconnecting the modem .... 144
    Checking modem status .... 144


  Configuring Networking Options .... 145
    DNS Servers .... 146
    Dead gateway detection .... 146
  Web Proxy .... 147
  Routing table (Transparent Mode) .... 149
    Transparent mode route settings .... 149
  VLAN overview .... 150
    FortiGate units and VLANs .... 151
  VLANs in NAT/Route mode .... 151
    Rules for VLAN IDs .... 152
    Rules for VLAN IP addresses .... 152
    Adding VLAN subinterfaces .... 153
  VLANs in Transparent mode .... 154
    Rules for VLAN IDs .... 156
    Transparent mode virtual domains and VLANs .... 156
    Troubleshooting ARP Issues .... 157

System Wireless .... 159

  FortiWiFi wireless interfaces .... 159
  Channel assignments .... 160
    IEEE 802.11a channel numbers .... 160
    IEEE 802.11b channel numbers .... 160
    IEEE 802.11g channel numbers .... 161
  Wireless settings .... 162
    Adding a wireless interface .... 163
  Wireless MAC Filter .... 165
    Managing the MAC Filter list .... 166
  Wireless Monitor .... 167
  Rogue AP detection .... 168
    Viewing wireless access points .... 168

System DHCP .... 171

  FortiGate DHCP servers and relays .... 171
  Configuring DHCP services .... 172
    Configuring an interface as a DHCP relay agent .... 173
    Configuring a DHCP server .... 173
  Viewing address leases .... 175
    Reserving IP addresses for specific clients .... 175


System Config .... 177

  HA .... 177
    HA options .... 177
    Cluster members list .... 180
    Viewing HA statistics .... 182
    Changing subordinate unit host name and device priority .... 183
    Disconnecting a cluster unit from a cluster .... 184
  SNMP .... 185
    Configuring SNMP .... 186
    Configuring an SNMP community .... 186
    Fortinet MIBs .... 188
    Fortinet and FortiGate traps .... 189
    Fortinet and FortiGate MIB fields .... 192
  Replacement messages .... 194
    Replacement messages list .... 195
    Changing replacement messages .... 196
    Mail replacement messages .... 197
    HTTP replacement messages .... 197
    FTP replacement messages .... 198
    NNTP replacement messages .... 199
    Alert Mail replacement messages .... 199
    Spam replacement messages .... 200
    Administration replacement message .... 200
    Authentication replacement messages .... 201
    FortiGuard Web Filtering replacement messages .... 202
    IM and P2P replacement messages .... 203
    Endpoint control replacement message .... 204
    NAC quarantine replacement messages .... 204
    SSL VPN replacement message .... 205
    Replacement message tags .... 205
  Operation mode and VDOM management access .... 206
    Changing operation mode .... 206
    Management access .... 207

System Admin .... 209

  Administrators .... 209
    Viewing the administrators list .... 211
    Configuring an administrator account .... 212
    Configuring regular (password) authentication for administrators .... 214
    Configuring remote authentication for administrators .... 214
    Configuring PKI certificate authentication for administrators .... 220
  Admin profiles .... 222
    Viewing the admin profiles list .... 224
    Configuring an admin profile .... 225


  Central Management .... 226
  Settings .... 228
  Monitoring administrators .... 229
  FortiGate IPv6 support .... 230
  Customizable web-based manager .... 231

System Certificates .... 243

  Local Certificates .... 244
    Generating a certificate request .... 245
    Downloading and submitting a certificate request .... 246
    Importing a signed server certificate .... 247
    Importing an exported server certificate and private key .... 247
    Importing separate server certificate and private key files .... 248
  Remote Certificates .... 248
    Importing Remote (OCSP) certificates .... 249
  CA Certificates .... 249
    Importing CA certificates .... 250
  CRL .... 251
    Importing a certificate revocation list .... 251

System Maintenance .... 253

  About the Maintenance menu .... 253
  Backing up and restoring .... 254
    Basic backup and restore options .... 255
    Upgrading and downgrading firmware .... 259
    Upgrading and downgrading firmware through FortiGuard .... 259
    Configuring advanced options .... 260
  Managing configuration revisions .... 261
  Using script files .... 262
    Creating script files .... 263
    Uploading script files .... 264
  Configuring FortiGuard Services .... 264
    FortiGuard Distribution Network .... 264
    FortiGuard services .... 265
    Configuring the FortiGate unit for FDN and FortiGuard subscription services .... 266
  Troubleshooting FDN connectivity .... 271
  Updating antivirus and attack definitions .... 271
  Enabling push updates .... 273
    Enabling push updates when a FortiGate unit IP address changes .... 273
    Enabling push updates through a NAT device .... 274
  Adding VDOM Licenses .... 276
FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

Router Static ........................................................................................ 277


Routing concepts ........ 277
    How the routing table is built ........ 278
    How routing decisions are made ........ 278
    Multipath routing and determining the best route ........ 278
    Route priority ........ 279
    Blackhole Route ........ 279

Static Route ........ 280
    Working with static routes ........ 280
    Default route and default gateway ........ 281
    Adding a static route to the routing table ........ 284
Policy Route ........ 285
    Adding a policy route ........ 286
    Moving a policy route ........ 287

Router Dynamic.................................................................................... 289


RIP ........ 289
    Viewing and editing basic RIP settings ........ 290
    Selecting advanced RIP options ........ 292
    Configuring a RIP-enabled interface ........ 293
OSPF ........ 294
    Defining an OSPF AS - Overview ........ 295
    Configuring basic OSPF settings ........ 296
    Selecting advanced OSPF options ........ 298
    Defining OSPF areas ........ 299
    Specifying OSPF networks ........ 300
    Selecting operating parameters for an OSPF interface ........ 301

BGP ........ 302
    Viewing and editing BGP settings ........ 303
Multicast ........ 304
    Viewing and editing multicast settings ........ 305
    Overriding the multicast settings on an interface ........ 306
    Multicast destination NAT ........ 306
Bi-directional Forwarding Detection (BFD) ........ 307
    Configuring BFD ........ 307
Customizable routing widgets ........ 309
    Access List ........ 309
    Distribute List ........ 310
    Key Chain ........ 310
    Offset List ........ 311
    Prefix List ........ 312
    Route Map ........ 312


Router Monitor ..................................................................................... 315


Viewing routing information ........ 315
Searching the FortiGate routing table ........ 317

Firewall Policy ...................................................................................... 319


How list order affects policy matching ........ 319
    Moving a policy to a different position in the policy list ........ 320
Multicast policies ........ 321
Viewing the firewall policy list ........ 321
Configuring firewall policies ........ 323
    Adding authentication to firewall policies ........ 327
    Identity-based firewall policy options (non-SSL-VPN) ........ 328
    IPSec firewall policy options ........ 330
    Configuring SSL VPN identity-based firewall policies ........ 331
    Endpoint Compliance Check options ........ 336

DoS policies ........ 337
    Viewing the DoS policy list ........ 337
    Configuring DoS policies ........ 338
Firewall policy examples ........ 339
    Scenario one: SOHO-sized business ........ 339
    Scenario two: enterprise-sized business ........ 342

Firewall Address .................................................................................. 345


About firewall addresses ........ 345
Viewing the firewall address list ........ 346
Configuring addresses ........ 347
Viewing the address group list ........ 348
Configuring address groups ........ 348

Firewall Service .................................................................................... 351


Viewing the predefined service list ........ 351
Viewing the custom service list ........ 356
Configuring custom services ........ 357
Viewing the service group list ........ 359
Configuring service groups ........ 359

Firewall Schedule................................................................................. 361


Viewing the recurring schedule list ........ 361
Configuring recurring schedules ........ 362
Viewing the one-time schedule list ........ 362
Configuring one-time schedules ........ 363


Firewall Virtual IP ................................................................................. 365


How virtual IPs map connections through FortiGate units ........ 365
    Inbound connections ........ 365
    Outbound connections ........ 368
    VIP requirements ........ 369
Viewing the virtual IP list ........ 369
Configuring virtual IPs ........ 370
    Adding a static NAT virtual IP for a single IP address ........ 372
    Adding a static NAT virtual IP for an IP address range ........ 373
    Adding static NAT port forwarding for a single IP address and a single port ........ 375
    Adding static NAT port forwarding for an IP address range and a port range ........ 377
    Adding dynamic virtual IPs ........ 378
    Adding a virtual IP with port translation only ........ 379

Virtual IP Groups ........ 380
Viewing the VIP group list ........ 380
Configuring VIP groups ........ 380
IP pools ........ 381
    IP pools and dynamic NAT ........ 382
    IP Pools for firewall policies that use fixed ports ........ 382
    Source IP address and IP pool address matching ........ 382
Viewing the IP pool list ........ 383
Configuring IP Pools ........ 383
    Double NAT: combining IP pool with virtual IP ........ 384
Adding NAT firewall policies in transparent mode ........ 386

Firewall Load Balance ......................................................................... 389


How load balancer works ........ 389
Configuring virtual servers ........ 390
Configuring real servers ........ 392
Configuring health check monitors ........ 393
Monitoring the servers ........ 395

Firewall Protection Profile................................................................... 397


What is a protection profile? ........ 397
Adding a protection profile to a firewall policy ........ 398
Default protection profiles ........ 398
Viewing the protection profile list ........ 399


SSL content scanning and inspection ........ 399
    Supported FortiGate models ........ 400
    Setting up certificates to avoid client warnings ........ 400
    Configuring SSL content scanning and inspection ........ 402
Configuring a protection profile ........ 404
    Protocol recognition options ........ 405
    Anti-Virus options ........ 407
    IPS options ........ 411
    Web Filtering options ........ 411
    FortiGuard Web Filtering options ........ 413
    Spam Filtering options ........ 416
    Data Leak Prevention Sensor options ........ 419
    Application Control options ........ 420
    Logging options ........ 421

Traffic Shaping ..................................................................................... 423


Guaranteed bandwidth and maximum bandwidth ........ 423
Traffic priority ........ 424
Traffic shaping considerations ........ 424
Configuring traffic shaping ........ 425

SIP support ........................................................................................... 427


VoIP and SIP ........ 427
The FortiGate unit and VoIP security ........ 429
    SIP NAT ........ 429
How SIP support works ........ 431
Configuring SIP ........ 432
    Enabling SIP support and setting rate limiting from the web-based manager ........ 432
    Enabling SIP support from the CLI ........ 433
    Enabling SIP logging ........ 434
    Enabling advanced SIP features in an application list ........ 434

AntiVirus ............................................................................................... 439


Order of operations ........ 439
Antivirus tasks ........ 440
    FortiGuard antivirus ........ 441
Antivirus settings and controls ........ 441
File Filter ........ 443
    Built-in patterns and supported file types ........ 443
    Viewing the file filter list catalog ........ 444
    Creating a new file filter list ........ 444
    Viewing the file filter list ........ 445
    Configuring the file filter list ........ 445


File Quarantine ........ 446
    Viewing the File Quarantine list ........ 447
    Viewing the AutoSubmit list ........ 448
    Configuring the AutoSubmit list ........ 449
    Configuring quarantine options ........ 449

Viewing the virus database information ........ 451
Viewing and configuring the grayware list ........ 452
Antivirus CLI configuration ........ 453

Intrusion Protection ............................................................................. 455


About intrusion protection ........ 455
    Intrusion Protection settings and controls ........ 456
    When to use Intrusion Protection ........ 456
Signatures ........ 456
    Viewing the predefined signature list ........ 457
    Using display filters ........ 458
Custom signatures ........ 459
    Viewing the custom signature list ........ 459
    Creating custom signatures ........ 459
Protocol decoders ........ 460
    Viewing the protocol decoder list ........ 460
    Upgrading the IPS protocol decoder list ........ 461
IPS sensors ........ 461
    Viewing the IPS sensor list ........ 461
    Adding an IPS sensor ........ 462
    Configuring IPS sensors ........ 462
    Configuring filters ........ 464
    Configuring pre-defined and custom overrides ........ 465
    Packet logging ........ 467

DoS sensors ........ 469
    Viewing the DoS sensor list ........ 470
    Configuring DoS sensors ........ 470
    Understanding the anomalies ........ 472
Intrusion protection CLI configuration ........ 472

Web Filter.............................................................................................. 475


Order of web filtering ........ 475
How web filtering works ........ 475
Web filter controls ........ 476


Web content block ........ 478
    Viewing the web content block list catalog ........ 479
    Creating a new web content block list ........ 479
    Viewing the web content block list ........ 479
    Configuring the web content block list ........ 480
    Viewing the web content exempt list catalog ........ 481
    Creating a new web content exempt list ........ 482
    Viewing the web content exempt list ........ 482
    Configuring the web content exempt list ........ 483
URL filter ........ 483
    Viewing the URL filter list catalog ........ 484
    Creating a new URL filter list ........ 484
    Viewing the URL filter list ........ 485
    Configuring the URL filter list ........ 485
    URL formats ........ 486
    Moving URLs in the URL filter list ........ 487
FortiGuard - Web Filter ........ 487
    Configuring FortiGuard Web Filtering ........ 488
    Viewing the override list ........ 488
    Configuring administrative override rules ........ 489
    Creating local categories ........ 491
    Viewing the local ratings list ........ 491
    Configuring local ratings ........ 492
    Category block CLI configuration ........ 493

Antispam ...................................................................... 495

Antispam ........ 495
    Order of spam filtering ........ 495
    Anti-spam filter controls ........ 496
Banned word ........ 498
    Viewing the banned word list catalog ........ 498
    Creating a new banned word list ........ 499
    Viewing the antispam banned word list ........ 499
    Adding words to the banned word list ........ 500
IP address and email address black/white lists ........ 501
    Viewing the antispam IP address list catalog ........ 501
    Creating a new antispam IP address list ........ 501
    Viewing the antispam IP address list ........ 502
    Adding an antispam IP address ........ 503
    Viewing the antispam email address list catalog ........ 503
    Creating a new antispam email address list ........ 504
    Viewing the antispam email address list ........ 504
    Configuring the antispam email address list ........ 505


Advanced antispam configuration ........ 505
    config spamfilter mheader ........ 505
    config spamfilter dnsbl ........ 506
    Using wildcards and Perl regular expressions ........ 506
    Perl regular expression formats ........ 507
    Example regular expressions ........ 508

Data Leak Prevention........................................................................... 511


DLP Sensors ........ 511
    Viewing the DLP sensor list ........ 511
    Adding and configuring a DLP sensor ........ 512
    Adding or editing a rule in a DLP sensor ........ 513
DLP Rules ........ 515
    Viewing the DLP rule list ........ 515
    Adding or configuring DLP rules ........ 516
DLP Compound Rules ........ 519
    Viewing the DLP compound rule list ........ 520
    Adding and configuring DLP compound rules ........ 520

Application Control.............................................................................. 523


What is application control? ........ 523
FortiGuard application control database ........ 523
Viewing the application control lists ........ 524
Creating a new application control list ........ 524
Configuring an application control list ........ 525
Adding or configuring an application control list entry ........ 526
Application control statistics ........ 527

IPSec VPN ............................................................................................. 531


Overview of IPSec VPN configuration ........ 531
Policy-based versus route-based VPNs ........ 532
Auto Key ........ 533
    Creating a new phase 1 configuration ........ 534
    Defining phase 1 advanced settings ........ 536
    Creating a new phase 2 configuration ........ 538
    Defining phase 2 advanced settings ........ 539

Manual Key ........ 541
    Creating a new manual key configuration ........ 542
Internet browsing configuration ........ 544
Concentrator ........ 544
    Defining concentrator options ........ 545
Monitoring VPNs ........ 545
FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

PPTP VPN ... 547
  PPTP configuration using FortiGate web-based manager ... 547
  PPTP configuration using CLI commands ... 549

SSL VPN ... 551
  ssl.root ... 551
  Configuring SSL VPN ... 552
  Monitoring SSL VPN sessions ... 553
  SSL VPN web portal ... 554
  Default web portal configurations ... 554
    General tab ... 556
    Advanced tab ... 556
    Adding and editing widgets ... 558
    Session Information widget ... 559
    Bookmarks widget ... 559
    Connection Tool widget ... 563
    Tunnel Mode widget ... 564

User ... 567
  Getting started - User authentication ... 567
  Local user accounts ... 568
    Configuring Local user accounts ... 568
  Remote ... 571
  RADIUS ... 571
    Configuring a RADIUS server ... 572
    Dynamically assigning VPN client IP addresses from a RADIUS record ... 573
  LDAP ... 575
    Configuring an LDAP server ... 575
  TACACS+ ... 578
    Configuring TACACS+ servers ... 578
  Directory Service ... 579
    Configuring a Directory Service server ... 581
  PKI ... 581
    Configuring peer users and peer groups ... 582
  User Group ... 583
    Firewall user groups ... 584
    Directory Service user groups ... 585
    SSL VPN user groups ... 585
    Viewing the User group list ... 586
    Configuring a user group ... 586
    Configuring FortiGuard Web filtering override options ... 589
  Options ... 590
  Monitor ... 591
    Firewall user monitor list ... 591
    IPSEC monitor list ... 592
    SSL VPN monitor list ... 593
    IM user monitor list ... 594
  NAC quarantine and the Banned User list ... 595
    NAC quarantine and DLP ... 595
    NAC quarantine and DLP replacement messages ... 595
    Configuring NAC quarantine ... 596
    The Banned User list ... 596

WAN optimization and web caching ... 599
  Frequently asked questions about FortiGate WAN optimization ... 599
  Overview of FortiGate WAN optimization ... 601
    WAN optimization tunnels ... 602
    WAN optimization peer authentication ... 602
    Authentication Groups ... 603
    WAN optimization rules and firewall policies ... 603
    WAN optimization Transparent mode ... 604
    FortiGate models that support WAN optimization ... 604
  Configuring WAN optimization ... 605
    How list order affects rule matching ... 606
    Moving a rule to a different position in the rule list ... 607
  Configuring a WAN optimization rule ... 608
  Web caching ... 610
    Web cache only topology ... 611
    Configuring web cache only WAN optimization ... 611
    Configuring client/server (active-passive) web caching ... 612
    Configuring peer to peer web caching ... 614
  Client/server or active passive WAN optimization ... 617
    Configuring client/server (active-passive) WAN optimization ... 617
  Peer to peer WAN optimization ... 620
    Configuring peer to peer WAN optimization ... 620
    About WAN optimization addresses ... 622
  Protocol optimization ... 623
  Byte caching ... 624
  SSL offloading for WAN optimization and web caching ... 624
    Example configuration: SSL offloading for a WAN optimization tunnel ... 625
    SSL offloading and reverse proxy web caching for an internet web server ... 627
  Secure tunnelling ... 630
    WAN optimization over IPSec VPN ... 630
  WAN optimization with FortiClient ... 630
  Configuring WAN optimization storage ... 631
    Example WAN optimization iSCSI configuration ... 632
    About partition labels ... 633
  WAN optimization and HA ... 634
  Configuring peers ... 634
  Configuring authentication groups ... 635
    Details about WAN optimization peer authentication ... 636
  Monitoring WAN optimization ... 637
  Changing web cache settings ... 638

Endpoint control ... 641
  Configuring endpoint control ... 641
    Viewing FortiClient required version information ... 642
    Configuring FortiClient required version and installer download ... 642
    Viewing and configuring the software detection list ... 643
  Monitoring endpoints ... 644

Log&Report ... 647
  FortiGate logging ... 647
  FortiGuard Analysis and Management Service ... 648
    FortiGuard Analysis and Management Service portal web site ... 649
  Log severity levels ... 649
  High Availability cluster logging ... 650
  Storing logs ... 650
    Logging to a FortiAnalyzer unit ... 650
    Connecting to FortiAnalyzer using Automatic Discovery ... 651
    Testing the FortiAnalyzer configuration ... 652
    Logging to a FortiGuard Analysis server ... 653
    Logging to memory ... 654
    Logging to a Syslog server ... 654
    Logging to WebTrends ... 655
  Log types ... 657
    Traffic log ... 657
    Example configuration: logging all FortiGate traffic ... 658
    Event log ... 659
    Data Leak Prevention log ... 660
    Application Control log ... 660
    Antivirus log ... 660
    Web filter log ... 661
    Spam filter log ... 661
    Attack log (IPS) ... 661
  Accessing Logs ... 662
    Accessing logs stored in memory ... 662
    Accessing logs stored on the hard disk ... 662
    Accessing logs stored on the FortiAnalyzer unit ... 663
    Accessing logs stored on the FortiGuard Analysis server ... 664
  Viewing log information ... 664
  Customizing the display of log messages ... 665
    Column settings ... 666
    Filtering log messages ... 667
  Content Archive ... 667
    Content archiving and data leak prevention ... 668
    Configuring spam email message content archiving ... 668
    Configuring VoIP content archiving ... 669
    Viewing content archives ... 670
  Alert Email ... 670
    Configuring Alert Email ... 672
  Reports ... 673
    Viewing basic traffic reports ... 673
    FortiAnalyzer report schedules ... 674
    Viewing FortiAnalyzer reports ... 677
    Printing your FortiAnalyzer report ... 677

Index ... 679

Introduction
Ranging from the FortiGate-50 series for small businesses to the FortiGate-5000 series for large enterprises, service providers and carriers, the FortiGate line combines the FortiOS security operating system with FortiASIC processors and other hardware to provide a high-performance array of security and networking functions including:
• firewall, VPN, and traffic shaping
• Intrusion Prevention system (IPS)
• antivirus/antispyware/antimalware
• web filtering
• antispam
• application control (for example, IM and P2P)
• VoIP support (H.323, SIP, and SCCP)
• Layer 2/3 routing
• multiple redundant WAN interface options

FortiGate appliances provide cost-effective, comprehensive protection against network, content, and application-level threats, including complex attacks favored by cybercriminals, without degrading network availability and uptime. FortiGate platforms include sophisticated networking features, such as high availability (active/active, active/passive) for maximum network uptime, and virtual domain capabilities to separate various networks requiring different security policies.

This chapter contains the following sections:
• Fortinet products
• About this document
• Document conventions
• Registering your Fortinet product
• Customer service and technical support
• Fortinet documentation

Fortinet products
Fortinet's portfolio of security gateways and complementary products offers a powerful blend of ASIC-accelerated performance, integrated multi-threat protection, and constantly updated, in-depth threat intelligence. This unique combination delivers network, content, and application security for enterprises of all sizes, managed service providers, and telecommunications carriers, while providing a flexible, scalable path for expansion. For more information on the Fortinet product family, go to www.fortinet.com/products.

About this document


This FortiGate Version 4.0 Administration Guide provides detailed information for system administrators about FortiGate web-based manager and FortiOS options and how to use them. This guide also contains some information about the FortiGate CLI.

This section of the guide contains a brief explanation of the structure of the guide, and gives an overview of each chapter.

The administration guide describes web-based manager functions in the same order as the web-based manager (or GUI) menu. The document begins with several chapters that provide an overview to help you start using the product: the FortiGate web-based manager, System Status, Managing Firmware, and Using virtual domains. Following these chapters, each item in the System, Router, Firewall, UTM, and VPN menus gets a separate chapter. Then User, WAN optimization, Endpoint Control, and Log&Report are each described in a single chapter. The document concludes with a detailed index.

VDOM and Global icons appear in this administration guide to indicate that a chapter or section is part of either the VDOM or Global configuration. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. No distinction is made between these configuration settings when virtual domains are not enabled.

The most recent version of this document is available from the FortiGate page of the Fortinet Technical Documentation web site. The information in this document is also available in a slightly different form as FortiGate web-based manager online help. You can also find more information about FortiOS from the same FortiGate page, as well as from the Fortinet Knowledge Center.

This administration guide contains the following chapters:
• What's new in FortiOS 4.0 lists and describes some of the new features and changes in FortiOS Version 4.0.
• Web-based manager introduces the features of the FortiGate web-based manager, and explains how to connect to it. It also includes information about how to use the web-based manager online help.
• System Status describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics. You can also access the CLI from this page. This section also describes status changes that you can make, including changing the unit firmware, host name, and system time. Finally, this section describes the topology viewer that is available on all FortiGate models except those with model numbers 50 and 60.
• Managing firmware versions describes upgrading and managing firmware versions. You should review this section before upgrading your FortiGate firmware because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful.
• Using virtual domains describes how to use virtual domains to operate your FortiGate unit as multiple virtual FortiGate units, which effectively provides multiple separate firewall and routing services to multiple networks.
• System Network explains how to configure physical and virtual interfaces and DNS settings on the FortiGate unit.
• System Wireless describes how to configure the Wireless LAN interface on a FortiWiFi-60 unit.
• System DHCP explains how to configure a FortiGate interface as a DHCP server or DHCP relay agent.
• System Config contains procedures for configuring HA and virtual clustering, configuring SNMP and replacement messages, and changing the operation mode.

• System Admin guides you through adding and editing administrator accounts, defining admin profiles for administrators, configuring central management using the FortiGuard Analysis and Management Service or FortiManager, and defining general administrative settings such as language, timeouts, and web administration ports.
• System Certificates explains how to manage X.509 security certificates used by various FortiGate features such as IPSec VPN and administrator authentication.
• System Maintenance details how to back up and restore the system configuration using a management computer or a USB disk, use revision control, enable FortiGuard services and FortiGuard Distribution Network (FDN) updates, and enter a license key to increase the maximum number of virtual domains.
• Router Static explains how to define static routes and create route policies. A static route causes packets to be forwarded to a destination other than the factory configured default gateway.
• Router Dynamic explains how to configure dynamic protocols to route traffic through large or complex networks.
• Router Monitor explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table.
• Firewall Policy describes how to add firewall policies to control connections and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
• Firewall Address describes how to configure addresses and address groups for firewall policies.
• Firewall Service describes available services and how to configure service groups for firewall policies.
• Firewall Schedule describes how to configure one-time and recurring schedules for firewall policies.
• Traffic Shaping describes how to create traffic shaping instances and add them to firewall policies.
• Firewall Virtual IP describes how to configure and use virtual IP addresses and IP pools.
• Firewall Load Balance describes how to use FortiGuard load balancing to intercept incoming traffic and balance it across available servers.
• Firewall Protection Profile describes how to configure protection profiles for firewall policies.
• SIP support includes some high-level information about VoIP and SIP and describes how FortiOS SIP support works and how to configure the key SIP features.
• AntiVirus explains how to enable antivirus options when you create a firewall protection profile.
• Intrusion Protection explains how to configure IPS options when a firewall protection profile is created.
• Web Filter explains how to configure web filter options when a firewall protection profile is created.
• Antispam explains how to configure spam filter options when a firewall protection profile is created.
• Data Leak Prevention explains how to use FortiGate data leak prevention to prevent sensitive data from leaving your network.
• Application Control describes how to configure the application control options associated with firewall protection profiles.

• IPSec VPN provides information about the tunnel-mode and route-based (interface mode) Internet Protocol Security (IPSec) VPN options available through the web-based manager.
• PPTP VPN explains how to use the web-based manager to specify a range of IP addresses for PPTP clients.
• SSL VPN provides information about basic SSL VPN settings.
• User describes how to control access to network resources through user authentication.
• WAN optimization and web caching describes how to use FortiGate units to improve the performance and security of traffic passing between locations on your wide area network (WAN) or over the Internet by applying WAN optimization and web caching.
• Endpoint control describes how to use FortiGate endpoint control to enforce the use of FortiClient End Point Security (Enterprise Edition) in your network.
• Log&Report describes how to enable logging, view log files, and view the basic reports available through the web-based manager.

Document conventions
Fortinet technical documentation uses the conventions described below.

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.

CLI constraints
CLI constraints, such as <address_ipv4>, indicate which data types or string patterns are acceptable input for a given parameter or variable value. CLI constraint conventions are described in the CLI Reference document for each product.

Cautions, Notes and Tips


Fortinet technical documentation uses the following guidance and styles for cautions, notes and tips.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.

Note: Also presents useful information, but usually focused on an alternative, optional method, such as a shortcut, to perform a step.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation

Convention                          Example
Button, menu, text box, field,      From Minimum log level, select Notification.
  or check box label
Keyboard entry                      Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation                          Go to VPN > IPSEC > Auto Key (IKE).
Emphasis                            HTTP connections are not secure and can be intercepted by a third party.
CLI input                           config system dns
                                      set primary <address_ipv4>
                                    end
CLI output                          FGT-602803030703 # get system settings
                                    comments : (null)
                                    opmode : nat
File content                        <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                                    <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink                           Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Publication                         For details, see the FortiGate Administration Guide.
[VDOM icon]                         The chapter or section contains VDOM configuration settings, see VDOM configuration settings on page 104.
[Global icon]                       The chapter or section contains Global configuration settings, see Global configuration settings on page 107.

Registering your Fortinet product


Before you begin, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure that you can install your Fortinet products quickly, configure them easily, and operate them reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Center article What does Fortinet Technical Support require in order to best assist the customer?

Training
Fortinet Training Services provides classes that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email them at training@fortinet.com.

Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Center.

Tools and Documentation CD


The documentation for your product is available on the Fortinet Tools and Documentation CD shipped with your product. The documents on this CD are current at shipping time. For the most current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Center


The Fortinet Knowledge Center provides additional Fortinet technical documentation, such as troubleshooting and how-to articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

What's new in FortiOS 4.0

This section lists and describes some of the new features and changes in FortiOS Version 4.0.

• FortiOS 4.0 FortiGate models and features supported
• UTM features grouped under new UTM menu
• Data Leak Prevention
• Application Control
• SSL content scanning and inspection
• WAN Optimization
• Endpoint control
• Network Access Control (NAC) quarantine
• IPS extensions
    • DoS policies for applying IPS sensors
    • NAC quarantine in DoS Sensors
    • Adding IPS sensors to a DoS policy from the CLI
    • One-arm IDS (sniffer mode)
    • IPS interface policies for IPv6
    • IPS Packet Logging
• Enhanced Antispam Engine (ASE)
• WCCP v2 support
• Any interface for firewall policies
• Global view of firewall policies
• Identity-based firewall policies
• Web filtering HTTP upload enhancements
• Traffic shaping enhancements
• Firewall load balancing virtual IP changes
• Per-firewall policy session TTL
• Gratuitous ARP for virtual IPs
• Changes to protection profiles
• Changes to content archiving
• Customizable web-based manager pages
• Administration over modem
• Auto-bypass and recovery for AMC bridge module
• Rogue Wireless Access Point detection
• Configurable VDOM and global resource limits
• User authentication monitor
• OCSP and SCEP certificate over HTTPS
• Adding non-standard ports for firewall authentication
• Dynamically assigning VPN client IP addresses from a RADIUS record
• DHCP over route-based IPSec VPNs
• SNMP upgraded to v3.0
• File Quarantine
• Customizable SSL VPN web portals
• Logging improvements
• Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic)

FortiOS 4.0 FortiGate models and features supported


You can install and run FortiOS 4.0 on the following FortiGate models:
• 30B
• 50B
• 51B
• WiFi-50B
• 60B
• WiFi-60B
• 100A
• 110C
• 111C
• 200A
• 224B
• 300A
• 310B
• 400A
• 500A
• 620B
• 800, 800F
• 1000A, 1000AFA2
• 3016B
• 3600
• 3600A
• 3810A
• 5001SX
• 5001FA2
• 5001A-SW
• 5001A-DW
• 5005FA2

Note: The information in this section is subject to change.

Table 2 shows the FortiGate models that support some of the major new FortiOS 4.0 features. All other new FortiOS 4.0 features are available on all models except for the FortiGate-30 model, which supports a reduced feature set.

Table 2: New FortiOS 4.0 feature support

Feature                               FortiGate Models
WAN optimization                      51B*, 111C*, 310B**, 620B**, 3016B**, 3600A**, 3810A**, 5001A-SW**
SSL Content Scanning and Inspection   110C, 111C, 310B, 620B, 3016B, 3600A, 3810A, 5001A-SW, 5001A-DW, 5005FA2
Data Leak Prevention (DLP)            All models that support FortiOS 4.0
End Point Control                     All models that support FortiOS 4.0
NAC Quarantine                        All models that support FortiOS 4.0

*WAN optimization is available on FortiGate-51B and 111C models because these models include high-capacity internal hard disks.

**WAN optimization is available on FortiGate-310B, 620B, 3016B, 3600A, 3810A, and 5001A-SW models because these models include a single-width AMC slot. To support WAN optimization you can install a FortiGate-ASM-S08 module or FortiGate-ASM-SAS module in the single-width AMC slot and use the hard disk in the ASM-S08 module or a SAS disk array connected to the ASM-SAS module for WAN optimization. All FortiGate models that support a single-width AMC slot can also be configured to support iSCSI to cache WAN Optimization data to an external iSCSI storage device. You do not need to install an ASM module in the single-width AMC slot to configure and use iSCSI.

UTM features grouped under new UTM menu


AntiVirus, Intrusion Protection, Web Filter, and AntiSpam, as well as the new Data Leak Prevention and Application Control features are grouped under a new UTM menu. All the familiar Antivirus, Intrusion Protection, Web Filter, and AntiSpam features are available here. Most IM, P2P, and VoIP functionality has been integrated into application control. IM user control has moved to User > Local > IM. IM user monitoring has moved to User > Monitor > IM User Monitor. If you enable virtual domains, you configure all UTM features separately for each VDOM except for the Antivirus quarantine and grayware configuration.

Data Leak Prevention


The new Data Leak Prevention (DLP) feature protects sensitive information from being transmitted via web, email or file transfer protocols. You define rules and compound rules to detect possible data leaks and specify the action to take in response. Rules and compound rules are combined into DLP sensors, which you can enable in firewall protection profiles. For more information, see Data Leak Prevention on page 511.

Application Control
The new Application Control UTM feature allows your FortiGate unit to detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols. The FortiGate unit can recognize the network traffic generated by more than 70 applications. You can create application control lists that specify what action will be taken with the traffic of the applications you need to manage. You specify the application control list in the protection profile applied to the network traffic you need to monitor. You can also create multiple application control lists, each tailored to a particular network, for example. For more information, see Application Control on page 523.

SSL content scanning and inspection


FortiGate models that include hardware supporting SSL acceleration now also support SSL content scanning and inspection. Using SSL content scanning and inspection, you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. The following FortiGate models support SSL content scanning and inspection:
• 110C
• 111C
• 310B
• 620B
• 3016B
• 3600A
• 3810A
• 5005FA2
• 5001A

For more information, see SSL content scanning and inspection on page 399.

WAN Optimization
You can use the new FortiGate WAN Optimization feature to improve performance and security across a WAN by applying a number of related techniques, including protocol and application-based data compression and optimization, data deduplication (a technique that reduces how often the same data is transmitted across the WAN), web caching, secure tunneling and SSL acceleration. For more information, see WAN optimization and web caching on page 599.

Endpoint control
The new Endpoint Compliance feature (also called endpoint control) replaces the FortiOS 3.0 Check FortiClient Installed and Running firewall options. You can enforce the use of FortiClient End Point Security (Enterprise Edition) in your network and ensure that clients have both the most recent version of the FortiClient software and the most up-to-date antivirus signatures. The FortiGate unit retrieves FortiClient software and antivirus updates from the FortiGuard Distribution Network. If the FortiGate unit contains a hard disk drive, these files are cached to more efficiently serve downloads to multiple end points. Go to Endpoint Control > FortiClient to see the software and antivirus signature versions that the endpoint control feature enforces. The Endpoint Compliance feature also provides monitoring. The FortiGate unit gathers information from client PCs when they use a firewall policy with the Enable Endpoint Compliance Check option enabled. For more information, see Endpoint control on page 641 and Endpoint Compliance Check options on page 336.

Network Access Control (NAC) quarantine


FortiOS 4.0 provides new Network Access Control (NAC) quarantine features that you can use with Antivirus and intrusion protection to block (or quarantine) users or FortiGate interfaces when a virus is found or an attack is detected by an IPS Sensor or a DoS Sensor. You can also use IPS Sensors and DoS Sensors to block communication between the source and destination of an attack. Data Leak Prevention (DLP) also includes features similar to NAC quarantine that you can use to block users who send content that matches a DLP sensor. The FortiGate unit adds blocked users and interfaces to the banned users list. FortiGate administrators can view the users and interfaces on the banned users list and manually remove them from the list to restore normal access. For information about NAC quarantine, see NAC quarantine and the Banned User list on page 595.

IPS extensions
FortiOS 4.0 includes the following new IPS features:
• DoS policies for applying IPS sensors
• NAC quarantine in DoS Sensors
• Adding IPS sensors to a DoS policy from the CLI
• One-arm IDS (sniffer mode)
• IPS interface policies for IPv6
• IPS Packet Logging

DoS policies for applying IPS sensors


In FortiOS 4.0, you can now apply IPS Denial of Service (DoS) sensors to traffic on interfaces by creating DoS policies. DoS policies are independent from firewall policies and are used to associate DoS sensors with traffic that reaches a FortiGate interface. DoS policies deliver packets to the IPS before they are accepted by firewall policies. This arrangement has the following benefits:
• Protection from denial of service attacks is more effective because these attacks can be detected and blocked before the firewall sees the packets. So system resources are not affected by denial of service attacks.
• All attacking traffic can be filtered out before being accepted by firewall policies.
• IPS can inspect traffic that is not normally processed by the firewall, including traffic that is:
    • normally dropped by the firewall (for example, packets with invalid headers)
    • using a protocol not normally processed by firewall policies (for example, flood, broadcast, and multicast traffic)
    • matched by a deny policy (deny policies do not include protection profiles)
    • not matched by any firewall policy.

For more information, see DoS policies on page 337.

NAC quarantine in DoS Sensors


From the FortiGate CLI you can now configure NAC quarantine for each anomaly in a DoS Sensor. You can configure the anomaly to quarantine the source address of the attack (attacker) or both the source and destination address of the attack (both).

    config ips DoS
        edit new_DoS-sensor
            config anomaly
                edit "tcp_dst_session"
                    set status enable
                    set quarantine {attacker | both | none}
                    set quarantine-expiry 600
                    set threshold 5000
                end
        end

Adding IPS sensors to a DoS policy from the CLI


You can now add an IPS Sensor to a DoS policy from the CLI. The CLI command for configuring DoS policies is config firewall interface-policy. The following command syntax shows how to add an example IPS sensor called all_default_pass to a DoS policy with policy ID 5 that was previously added from the web-based manager.

    config firewall interface-policy
        edit 5
            set ips-sensor-status enable
            set ips-sensor all_default_pass
        end

One-arm IDS (sniffer mode)


Using the one-arm intrusion detection system (IDS), you can now configure a FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually receiving and otherwise processing the packets. To configure one-arm IDS, you enable sniffer mode on a FortiGate interface and connect that interface to a hub or to the SPAN port of a switch that is processing network traffic. Then you can add DoS policies for that FortiGate interface that include DoS sensors and optionally IPS sensors to detect attacks in the traffic that the FortiGate interface receives from the hub or switch SPAN port. In sniffer mode, the interface receives packets accepted by DoS policies only. All packets not received by DoS policies are dropped. All packets received by DoS policies go through IPS inspection and are dropped when this inspection detects attacks. One-arm IDS cannot block traffic. However, if you enable logging in the DoS and IPS sensors, the FortiGate unit records log messages for all detected attacks.
Figure 1: One-arm IDS topology [figure not reproduced; labelled elements: Internet, hub or switch, SPAN port, internal network]

To enable sniffer mode on a FortiGate unit port5 interface, enter the following CLI commands:

    config system interface
        edit port5
            set ips-sniffer-mode enable
        end

IPS interface policies for IPv6


Similar to interface-based DoS policies for IPv4, you can use the FortiGate CLI command config firewall interface-policy6 to add IPv6 interface-based policies. In FortiOS version 4.0, you can add IPS Sensors to IPv6 interface-based policies:

    config firewall interface-policy6
        edit 1
            set interface "port1"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set service6 "ANY"
            set ips-sensor-status enable
            set ips-sensor "all_default"
        end

IPS Packet Logging


For FortiOS 4.0, IPS packet logging has been enhanced to allow sending log messages to a FortiAnalyzer unit or the FortiGuard Analysis and Manager Service. Also, if you are storing IPS packet logs in FortiGate memory, new CLI commands are available to control the amount of memory available for them and the number of packets that are saved when logging packets. For more information, see Packet logging on page 467.

Enhanced Antispam Engine (ASE)


FortiOS 4.0 includes a new Antispam Engine (ASE) that can be updated from the FortiGuard Distribution Network to add new antispam techniques without requiring a FortiOS firmware update. You can also update the ASE manually using the following CLI command:

    execute restore ase {ftp | sftp} <filename> <server> <userid>

WCCP v2 support
You can now use WCCP v2 to configure a FortiGate unit to optimize web traffic, thus reducing transmission costs and download time. This traffic includes user requests to view pages on web servers and the replies to those requests. When a user requests a page from a web server, the FortiGate unit sends that request to a cache server (also called a web-cache server). If the cache server has a copy of the requested page in storage, the cache server sends the user that page. Otherwise, the cache server retrieves the requested page, caches a copy of it, and forwards it to the user. The FortiGate unit supports WCCP v2 by transparently redirecting selected types of traffic to a group of cache servers. When WCCP is enabled, the FortiGate unit maintains a web cache server list in the WCCP database. To configure WCCP support, you use the config system wccp command to enable WCCP support. Then you enable WCCP for firewall policies using the wccp keyword. When these WCCP-enabled firewall policies accept traffic, the traffic is redirected to a cache server. The FortiGate unit uses the information in the WCCP database to determine the cache server to redirect the traffic to.

Finally, you must configure interfaces connected to WCCP cache servers to accept WCCP messages. If virtual domains are enabled, you configure WCCP separately for each virtual domain.

To configure WCCP
You configure WCCP from the CLI.

1 Start WCCP and configure WCCP database settings:

    config system wccp
        edit <service-id>
            set authentication {disable | enable}
            set router-id <interface_ipv4>
            set server-list <server_ipv4mask>
            set group-address <ip_multicast_ipv4>
            set password <password_str>
            set forward-method {GRE | L2 | any}
            set return-method {GRE | L2 | any}
            set assignment-method {HASH | MASK | any}
        next
    end

Variables:

authentication {disable | enable}
    Enable or disable MD5 authentication for the WCCP configuration.

<service-id>
    0-255. 0 for HTTP. Default: 1.

router-id <interface_ipv4>
    An IP address known to all cache servers. This IP address identifies a FortiGate interface IP address to the cache servers. If all cache servers connect to the same FortiGate interface, <interface_ipv4> can be 0.0.0.0, and the FortiGate unit uses the IP address of that interface as the router-id. If the cache servers can connect to different FortiGate interfaces, you must set router-id to a single IP address, and this IP address must be added to the configuration of the cache servers. Default: 0.0.0.0.

server-list <server_ipv4mask>
    The IP addresses of the cache servers. Default: 0.0.0.0 0.0.0.0.

group-address <ip_multicast_ipv4>
    The IP multicast address used by the cache servers. 0.0.0.0 means the FortiGate unit ignores multicast WCCP traffic. Otherwise, group-address must be from 224.0.0.0 to 239.255.255.255. Default: 0.0.0.0.

password <password_str>
    The MD5 authentication password. Maximum length is 8 characters.

forward-method {GRE | L2 | any}
    Specifies how the FortiGate unit forwards traffic to cache servers. If forward-method is any, the cache server determines the forward method. Default: GRE.

return-method {GRE | L2 | any}
    Specifies how a cache server declines a redirected packet and returns it to the firewall. If return-method is any, the cache server determines the return method. Default: GRE.

assignment-method {HASH | MASK | any}
    Specifies which assignment method the FortiGate unit prefers. If assignment-method is any, the cache server determines the assignment method. Default: HASH.

2 Add a firewall policy to enable WCCP for traffic accepted by the firewall policy.

    config firewall policy
        edit <policy_id>
            (configure the firewall policy)
            set wccp {enable | disable}
        next
    end

3 Configure the interfaces that are connected to cache servers to accept WCCP traffic.

    config system interface
        edit <interface_name>
            (configure the interface)
            set wccp {enable | disable}
        next
        edit <interface_name>
            (configure the interface)
            set wccp {enable | disable}
        next
    end
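The constraints stated in the WCCP procedure above (service-id range, group-address range, password length, method keywords, and the need for an interface that accepts WCCP messages once a policy redirects traffic) can be checked against a saved configuration before it is applied. The following Python is an added example, not Fortinet code: the parser handles the generic config/edit/set/next/end nesting, the function names and the sample configuration are constructed for this illustration.

```python
"""Lint a FortiOS-style 'config system wccp' block against the limits documented in
the WCCP procedure.  Added example, not Fortinet code."""
import ipaddress
import shlex

# Allowed values and defaults for the method keywords, from the variable table.
METHODS = {
    "forward-method": ({"GRE", "L2", "any"}, "GRE"),
    "return-method": ({"GRE", "L2", "any"}, "GRE"),
    "assignment-method": ({"HASH", "MASK", "any"}, "HASH"),
}

def parse_fortios_config(text):
    """Turn nested config/edit/set/next/end blocks into nested dicts: 'config a b' becomes
    key "a b", 'edit X' key "X", 'set k v ...' k -> v (str, or list if several values)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{cmd}'")
            stack.pop()
        else:
            raise ValueError(f"unknown command: {line}")
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root

def check_wccp(cfg):
    """Return (location, message) pairs for each documented constraint violated."""
    problems = []
    for sid, entry in cfg.get("system wccp", {}).items():
        where = f"wccp {sid}"
        if not (sid.isdigit() and 0 <= int(sid) <= 255):
            problems.append((where, "service-id must be 0-255 (0 is HTTP)"))
        grp = entry.get("group-address", "0.0.0.0")
        try:  # 0.0.0.0 disables multicast; anything else must be 224.0.0.0-239.255.255.255
            multicast_ok = grp == "0.0.0.0" or ipaddress.IPv4Address(grp).is_multicast
        except ValueError:
            multicast_ok = False
        if not multicast_ok:
            problems.append((where, f"group-address {grp} is not 0.0.0.0 or a multicast address"))
        if len(entry.get("password", "")) > 8:
            problems.append((where, "password exceeds the 8-character maximum"))
        for key, (allowed, default) in METHODS.items():
            value = entry.get(key, default)
            if not isinstance(value, str) or value not in allowed:
                problems.append((where, f"{key} {value} is not one of {sorted(allowed)}"))
    # Steps 2 and 3: a redirecting policy needs an interface that accepts WCCP messages.
    redirecting = [pid for pid, pol in cfg.get("firewall policy", {}).items()
                   if pol.get("wccp") == "enable"]
    accepting = [name for name, itf in cfg.get("system interface", {}).items()
                 if itf.get("wccp") == "enable"]
    if redirecting and not accepting:
        problems.append((f"firewall policy {','.join(redirecting)}",
                         "wccp enabled but no interface has 'set wccp enable'"))
    return problems

# Constructed sample: service 0 is valid, service 300 breaks several documented limits,
# and policy 7 redirects traffic although port2 does not accept WCCP messages.
SAMPLE = """\
config system wccp
    edit 0
        set server-list 10.0.0.0 255.255.255.0
        set group-address 224.0.1.100
        set password cachepw
    next
    edit 300
        set group-address 192.168.1.1
        set password toolongpassword
        set forward-method TCP
    next
end
config firewall policy
    edit 7
        set wccp enable
    next
end
config system interface
    edit port2
        set wccp disable
    next
end
"""

if __name__ == "__main__":
    for where, msg in check_wccp(parse_fortios_config(SAMPLE)):
        print(f"{where}: {msg}")
```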

Any interface for firewall policies


You can now define a firewall policy where the source or destination interface is any. If you add a firewall policy with the source or destination interface set to any, the firewall will match the policy with packets to or from any interface. For more information, see Viewing the firewall policy list on page 321.

Global view of firewall policies


In FortiOS 3.0 you could display firewall policies organized by source and destination interfaces. In FortiOS 4.0 this is called Section View. You can also switch to Global View to list all firewall policies in order according to a sequence number. The sequence number indicates the order of the policies in the policy list. When you rearrange the policy order the sequence number changes. The Policy ID remains independent of the sequence number. If you have firewall policies with Any as source or destination, only the global view is available. For more information, see Viewing the firewall policy list on page 321.
Figure 2: Example global view including an any firewall policy

Identity-based firewall policies


FortiOS 4.0 supports firewall policy authentication in a more flexible way than earlier releases. Any firewall policy that requires authentication is now known as an identity-based policy. Optionally, you can permit different schedules or services and apply different protection profiles to different user groups. For more information, see Identity-based firewall policy options (non-SSL-VPN) on page 328.

Web filtering HTTP upload enhancements


You can use web filtering to block HTTP uploads or, optionally, to send cached file data slowly to prevent the server from timing out during file scanning. This is a new option in the Web Filter part of the protection profile. For more information, see Web Filtering options on page 411.

Traffic shaping enhancements


Traffic shaping settings are now configured outside the firewall policy under the Traffic Shaper menu. You can configure multiple traffic shapers and add them to different firewall policies. P2P traffic shaping is configured in the protection profile with separate settings for each direction. For more information, see Traffic Shaping on page 423.

Firewall load balancing virtual IP changes


In FortiOS 4.0, server load balance Virtual IPs (VIPs) are configured separately from other VIPs. To configure load balance VIPs, go to Firewall > Load Balance. In previous releases of FortiOS, you created VIP mappings between one or more real servers and an external IP address. In FortiOS 4.0, you first define virtual servers. Then you define real servers and associate them with the virtual servers. For more information, see Firewall Load Balance on page 389.

User session persistence


When you create a virtual server, you can now enable user session persistence by using an HTTP cookie or the SSL session ID. In the CLI configuration for a VIP, config firewall vip, you can set the duration, domain and other properties of the cookie.

Health Check Monitor


As in FortiOS 3.0, you can define health check monitors. The Health Check Monitor tab has moved to the Load Balance page from the Virtual IP page, but is otherwise unchanged. You select the health check monitors in the virtual server configuration. For more information, see Configuring health check monitors on page 393.

Load balancing server monitor


A new monitor page (go to Firewall > Load Balance > Monitor) shows the status of each virtual server and real server. For more information, see Monitoring the servers on page 395.

Per-firewall policy session TTL


If required by a network or by the services to be provided by a FortiGate unit, you can now use the session-ttl keyword of the config firewall policy command to control the session time to live (TTL) for communication sessions accepted by a firewall policy. The default setting for session-ttl in a firewall policy is 0, which means use the default session TTL as set by the config system session-ttl command. The default session TTL setting is 3600 seconds. The range for the firewall policy session TTL is 300 to 604800 seconds.

Gratuitous ARP for virtual IPs


You can configure sending of ARP packets to maintain connectivity of virtual IPs where other routers clear their ARP table periodically. Use the following command syntax in the CLI to configure sending of ARP packets by a virtual IP. You can set the time interval between sending ARP packets. Set the interval to 0 to disable sending ARP packets.

    config firewall vip
        edit new_vip
            (configure the virtual IP)
            set gratuitous-arp-interval <interval_seconds>
        end

Changes to protection profiles


New configuration settings have been added to protection profiles, and familiar configuration settings in protection profiles have been reorganized. For a complete description of FortiOS 4.0 protection profiles, see Configuring a protection profile on page 404.

Changes to content archiving


You now configure full and summary content archiving in DLP sensors. Other content archiving settings are also available in protection profiles and from Application Control in the CLI. For information about FortiOS 4.0 content archiving, see Content Archive on page 667. Related to changes to content archiving, the information displayed by the Statistics widget on the system dashboard has also changed. See Statistics on page 71.

Customizable web-based manager pages


In addition to configuring administrators with varying levels of access to different parts of the FortiGate unit configuration, if you are a super_admin, you can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. In standard operation mode, the display is static. Customizing the display allows you to vary or limit the GUI layout to fulfill different administrator roles. There are also several configuration widgets which you can enable for CLI-only options that are not displayed by default. The customized GUI layouts are stored as part of the administrator admin profile. For more information, see Customizable web-based manager on page 231.

Administration over modem


You can now use the following CLI command to configure a FortiGate modem interface so that you can dial into the modem and administer the FortiGate unit.

    config system dialinsvr
        set status enable
        set server-ip <ip_address>
        set client-ip <ip_address>
        set usrgrp "grp1"
        set allowaccess ping https ssh http telnet
        set modem-dev external
    end

Auto-bypass and recovery for AMC bridge module


If you have installed one of the FortiGate-ASM-FX2 or FortiGate-ASM-CX4 AMC bridge modules, you can use the CLI to configure how the bridge module recovers from switching to bridge mode because of a failure with the FortiGate unit hardware or software process.

Note: AMC bridge mode is only supported in Transparent mode.

In this example, the FortiGate-ASM-CX4 module is installed in slot 1:

    config system amc
        set sw1 asm-cx4
        set watchdog-recovery {enable | disable}
        set watchdog-recovery-period <holddown_time>
    end

The watchdog-recovery-period keyword determines the length of the hold-down period during which the software watchdog monitors critical software processes before concluding they have stabilized.

Rogue Wireless Access Point detection


FortiWifi-50B and FortiWifi-60B units can now use rogue access point detection to scan for wireless access points. For more information, see Rogue AP detection on page 168.

Configurable VDOM and global resource limits


FortiGate units have upper limits for resources such as firewall policies, protection profiles and VPN tunnels. These limits vary by model. In previous releases of FortiOS, maximum values for resources belonging to virtual domains (VDOMs) applied equally to each VDOM. Maximums for system-wide (global) resources applied globally and the resources were equally accessible to each VDOM. In FortiOS 4.0, you can control resource allocation to each VDOM. This limits the impact of each VDOM on other VDOMs due to resource contention and enables you to provide tiered services to your customers. Also, you can set global resource limits to control the impact of various features on system performance. For more information, see Configuring global and VDOM resource limits on page 116.

User authentication monitor


You can now go to User > Authentication > User Authentication Monitor to view a list of currently authenticated users. For each authenticated user, the list includes the user name, user group, how long the user has been authenticated (duration), how long until the user's session times out (time-left), the user's source IP address, the amount of traffic through the FortiGate unit caused by the user (traffic volume), and the authentication method used by the FortiGate unit for the user. The authentication methods can be FSAE, firewall authentication (FW-auth), or NTLM. You can sort and filter the information on the authentication monitor according to any of the columns in the monitor. For more information, see Monitor on page 591.

OCSP and SCEP certificate over HTTPS


FortiGate units now support OCSP and SCEP communication between FortiGate units and SCEP servers over HTTPS. The SCEP URLs that you add to the FortiGate System Certificate configuration can be HTTPS URLs or URLs supported by your SCEP server. For more information, see System Certificates on page 243.

Adding non-standard ports for firewall authentication


By default, when a communication session is accepted by an identity-based firewall policy, the user must authenticate with the firewall by using the FTP, HTTP, HTTPS, or Telnet protocol to enter a user name and password before being able to communicate through the FortiGate unit. And, by default, users can authenticate only with a communication session that uses the standard FTP, HTTP, HTTPS, or Telnet TCP ports (21, 80, 443, and 23 respectively). You can now use the following command if your firewall users need to authenticate with the FortiGate unit and if they use a non-standard port for FTP, HTTP, HTTPS, or Telnet sessions.

    config user setting
        config auth-ports
            edit <auth_port_table_id_int>
                set port <port_integer>
                set type {ftp | http | https | telnet}
            end
        end
    end

Where <auth_port_table_id_int> is any integer. You can add multiple non-standard port tables. <port_integer> is the non-standard TCP authentication port number.

Adding non-standard authentication ports does not change the standard authentication port for any protocol. You use this command only to add more non-standard authentication ports. The standard authentication port is still valid and cannot be changed.

For example, if some users on your network web browse using HTTP on ports 8080 and 8008 and use telnet on port 4523, you could use the following commands to add HTTP authentication on ports 8080 and 8008 and Telnet authentication on port 4523:

    config user setting
        config auth-ports
            edit 1
                set port 8080
                set type http
            next
            edit 2
                set port 8008
                set type http
            next
            edit 3
                set port 4523
                set type telnet
            end
        end
    end

If your FortiGate unit is operating with virtual domains enabled, each VDOM has a different non-standard authentication port configuration.

Dynamically assigning VPN client IP addresses from a RADIUS record


SSL VPN tunnel mode, IPSec, and PPTP VPN sessions can now assign IP addresses to remote users by getting the IP address to assign from a RADIUS record. For more information, see Dynamically assigning VPN client IP addresses from a RADIUS record.

DHCP over route-based IPSec VPNs


In previous releases of FortiOS, you could use DHCP to assign IP addresses to dialup clients on policy-based IPSec VPNs only. In FortiOS 4.0, DHCP is also available to dialup clients on route-based IPSec VPNs. The configuration differs only slightly from that of a route-based dialup VPN with static IP addresses.
1 Configure Phase 1 settings. Remote Gateway must be set to Dialup User.
2 Configure Phase 2 settings. Set Phase 1 to Dialup User. In the Advanced Settings, select DHCP-IPsec. For more information, see DHCP-IPSec on page 540.
3 Configure a DHCP server on the virtual IPSec interface. Set the server Type to DHCP. Enter the IP Range and Netmask that dialup clients will use and the Default Gateway that dialup clients should use.
4 Configure an ACCEPT firewall policy with the virtual IPSec interface as source and the local private network as destination.

SNMP upgraded to v3.0


SNMP v3.0 provides up-to-date information and status reporting about the hardware running on your network. For more information, see SNMP on page 185.

File Quarantine
The Quarantine tab is renamed File Quarantine to distinguish it from the NAC Quarantine feature that quarantines traffic. For more information, see Viewing the File Quarantine list on page 447.

Customizable SSL VPN web portals


You can now create multiple SSL VPN web portal configurations to enable different types of web portal functionality and control the different web portal look and feel configurations. For more information, see SSL VPN web portal on page 554.

Logging improvements
Logs provide more information about the FortiGate unit operation, including:
• event log for VPN tunnel up/down (IPSec, SSL, PPTP VPNs), including authenticated user name, local and remote IP addresses
• event log for VPN tunnel re-key
• event log for VPN tunnel periodic statistics (configurable period)
• logs for the new Data Leak Prevention feature
• attacks detected by IPS
• inclusion of Admin Profile in the Administrator login event log
• increase in the memory of log entries to 1024 bytes from 512 bytes to reduce the number of truncated logs. This reduces the number of logs that can be stored.

For more information, see Log&Report on page 647.

Web filtering HTTP POST traffic (blocking or comforting HTTP post traffic)
You can now block or provide client comforting for HTTP-POST activity by selecting the HTTP POST Action in a protection profile. For more information, see Web Filtering options on page 411.

Web-based manager
This section describes the features of the user-friendly web-based manager administrative interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate unit. Using HTTP or a secure HTTPS connection from any management computer running a web browser, you can connect to the FortiGate web-based manager to configure and manage the FortiGate unit. The recommended minimum screen resolution for the management computer is 1280 by 1024. You can configure the FortiGate unit for HTTP and HTTPS web-based administration from any FortiGate interface. To connect to the web-based manager you require a FortiGate administrator account and password. The web-based manager supports multiple languages, but by default appears in English on first use.
Figure 3: Example FortiGate-3810A web-based manager dashboard (default configuration)

You can go to System > Status to view detailed information about the status of your FortiGate unit on the system dashboard. The dashboard displays information such as the current FortiOS firmware version, antivirus and IPS definition versions, operation mode, connected interfaces, and system resources. It also shows whether the FortiGate unit is connected to a FortiAnalyzer unit and a FortiManager unit or other central management services.

You can use the web-based manager menus, lists, and configuration pages to configure most FortiGate settings. Configuration changes made using the web-based manager take effect immediately without resetting the FortiGate unit or interrupting service. You can back up your configuration at any time using the Backup Configuration button on the button bar. The button bar is located in the upper right corner of the web-based manager. The saved configuration can be restored at any time.

The web-based manager also includes detailed context-sensitive online help. Selecting Online Help on the button bar displays help for the current web-based manager page.

You can use the FortiGate command line interface (CLI) to configure the same FortiGate settings that you can configure from the web-based manager, as well as additional CLI-only settings. The system dashboard provides an easy entry point to the CLI console that you can use without exiting the web-based manager.

This section describes:
• Common web-based manager tasks
• Changing your FortiGate administrator password
• Changing the web-based manager language
• Changing administrative access to your FortiGate unit
• Changing the web-based manager idle timeout
• Connecting to the FortiGate CLI from the web-based manager
• Button bar features
• Contacting Customer Support
• Backing up your FortiGate configuration
• Using FortiGate Online Help
• Logging out
• Web-based manager pages
• Web-based manager icons

Common web-based manager tasks


This section describes the following common web-based manager tasks:
• Connecting to the web-based manager
• Changing your FortiGate administrator password
• Changing the web-based manager language
• Changing administrative access to your FortiGate unit
• Changing the web-based manager idle timeout
• Connecting to the FortiGate CLI from the web-based manager

Connecting to the web-based manager


To connect to the web-based manager, you require:
• a FortiGate unit connected to your network according to the instructions in the QuickStart Guide and Install Guide for your FortiGate unit
• the IP address of a FortiGate interface that you can connect to
• a computer with an Ethernet connection to a network that can connect to the FortiGate unit
• a supported web browser. See the Knowledge Center articles Supported Windows web browsers and Using a Macintosh and the web-based manager.

To connect to the web-based manager
1 Start your web browser and browse to https:// followed by the IP address of the FortiGate unit interface that you can connect to. For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99 (remember to include the s in https://).
To support a secure HTTPS authentication method, the FortiGate unit ships with a self-signed security certificate, which is offered to remote clients whenever they initiate an HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two security warnings in a browser.
The first warning prompts you to accept and optionally install the FortiGate unit's self-signed security certificate. If you do not accept the certificate, the FortiGate unit refuses the connection. If you accept the certificate, the FortiGate login page appears. The credentials entered are encrypted before they are sent to the FortiGate unit. If you choose to accept the certificate permanently, the warning is not displayed again.
Just before the FortiGate login page is displayed, a second warning informs you that the FortiGate certificate distinguished name differs from the original request. This warning occurs because the FortiGate unit redirects the connection. This is an informational message. Select OK to continue logging in.
2 Type admin or the name of a configured administrator in the Name field.
3 Type the password for the administrator account in the Password field.
4 Select Login.

Changing your FortiGate administrator password


By default you can log into the web-based manager by using the admin administrator account and no password. You should add a password to the admin administrator account to prevent anybody from logging into the FortiGate and changing configuration options. For improved security you should regularly change the admin administrator account password and the passwords for any other administrator accounts that you add.
Note: See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log into your FortiGate unit.

To change an administrator account password
1 Go to System > Admin > Administrators. This web-based manager page lists the administrator accounts that can log into the FortiGate unit. The default configuration includes the admin administrator account.
2 Select the Change Password icon and enter a new password.
3 Select OK.

Note: You can also add new administrator accounts by selecting Create New. For more information about adding administrators, changing administrator account passwords and related configuration settings, see System Admin on page 209.

Changing the web-based manager language


You can change the web-based manager display language to English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese, or French. For best results, you should select the language that the management computer operating system uses.
To change the web-based manager language
1 Go to System > Admin > Settings.
2 Under display settings, select the web-based manager display language.
3 Select Apply. The web-based manager displays the dashboard in the selected language. All web-based manager pages are displayed in the selected language.
Figure 4: System > Admin > Settings displayed in Simplified Chinese

Changing administrative access to your FortiGate unit


Through administrative access an administrator can connect to the FortiGate unit to view and change configuration settings. The default configuration of your FortiGate unit allows administrative access to one or more of the interfaces of the unit as described in your FortiGate unit QuickStart Guide and Install Guide. You can change administrative access by:
• enabling or disabling administrative access from any FortiGate interface
• enabling or disabling secure HTTPS administrative access to the web-based manager (recommended)
• enabling or disabling HTTP administrative access to the web-based manager (not recommended)
• enabling or disabling secure SSH administrative access to the CLI (recommended)
• enabling or disabling SSH or Telnet administrative access to the CLI (not recommended).

To change administrative access to your FortiGate unit
1 Go to System > Network > Interface.
2 Choose an interface for which to change administrative access and select Edit.
3 Select one or more Administrative Access types for the interface.
4 Select OK.
For more information about changing administrative access see Administrative access to an interface on page 135.

Changing the web-based manager idle timeout


By default, the web-based manager disconnects administrative sessions if no activity takes place for 5 minutes. This idle timeout is recommended to prevent someone from using the web-based manager from a PC that is logged into the web-based manager and then left unattended. However, you can use the following steps to change this idle timeout.
To change the web-based manager idle timeout
1 Go to System > Admin > Settings.
2 Change the Idle Timeout minutes as required.
3 Select Apply.

Connecting to the FortiGate CLI from the web-based manager


You can connect to the FortiGate CLI from the web-based manager dashboard by using the CLI console widget. You can use the CLI to configure all configuration options available from the web-based manager. Some configuration options are available only from the CLI. As well, you can use the CLI to enter diagnose commands and perform other advanced operations that are not available from the web-based manager. For more information about the FortiGate CLI see the FortiGate CLI Reference.
To connect to the FortiGate CLI from the web-based manager
1 Go to System > Status.
2 Locate and select the CLI Console. Selecting the CLI console logs you into the CLI.
For more information, see CLI Console on page 73.

Button bar features


The button bar in the upper right corner of the web-based manager provides access to several important FortiGate features.

Figure 5: Web-based manager button bar (buttons: Contact Customer Support, Online Help, Logout, Back up your FortiGate Configuration)

Contacting Customer Support


The Contact Customer Support button opens the Fortinet Support web page in a new browser window. From this page you can:
• visit the Fortinet Knowledge Center
• log into Customer Support (Support Login)
• register your Fortinet product (Product Registration)
• view Fortinet Product End of Life information
• find out about Fortinet Training and Certification
• visit the FortiGuard Center.

You must register your Fortinet product to receive product updates, technical support, and FortiGuard services. To register a Fortinet product, go to Product Registration and follow the instructions.

Backing up your FortiGate configuration


The Backup Configuration button opens a dialog box for backing up your FortiGate configuration to:
• the local PC that you are using to manage the FortiGate unit.
• a management station. This can be a FortiManager unit or the FortiGuard Analysis and Management Service. This option changes depending on your central management configuration (see Central Management on page 226).
• a USB disk, if your FortiGate unit has a USB port and you have connected a USB disk to it (see Formatting USB Disks on page 261).

For more information, see Backing up and restoring on page 254.

Figure 6: Backing up your FortiGate configuration

Using FortiGate Online Help


The Online Help button displays context-sensitive online help for the current web-based manager page. The online help page that is displayed is called a content pane and contains information and procedures related to the current web-based manager page. Most help pages also contain hyperlinks to related topics. The online help system also includes a number of links that you can use to find additional information. FortiGate context-sensitive online help topics also include a VDOM or Global icon to indicate whether the web-based manager page is for VDOM-specific or global configuration settings. VDOM and Global configuration settings apply only to a FortiGate unit operating with virtual domains enabled. If you are not operating your FortiGate unit with virtual domains enabled, you can ignore the VDOM and Global icons. For more information about virtual domains, see Using virtual domains on page 103.
Figure 7: A context-sensitive online help page (content pane only)

Show Navigation: Open the online help navigation pane. From the navigation pane you can use the online help table of contents, index, and search to access all of the information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.
Previous: Display the previous page in the online help.
Next: Display the next page in the online help.
Email: Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.
Print: Print the current online help page.
Bookmark: Add an entry for this online help page to your browser bookmarks or favorites list to make it easier to find useful online help pages. You cannot use the Bookmark icon to add an entry to your favorites list if you are viewing online help from Internet Explorer running on a management PC with Windows XP and service pack 2 installed.

When you select help for a VDOM configuration settings web-based manager page, the help display includes the VDOM icon. For information about VDOM configuration settings, see VDOM configuration settings on page 104. When you select help for a Global configuration settings web-based manager page, the help display includes the Global icon. For information about Global configuration settings, see Global configuration settings on page 107.

To view the online help table of contents or index, and to use the search feature, select Online Help in the button bar in the upper right corner of the web-based manager. From the online help, select Show Navigation.
Figure 8: Online help page with navigation pane and content pane

Contents: Display the online help table of contents. You can navigate through the table of contents to find information in the online help. The online help is organized in the same way as the FortiGate web-based manager and the FortiGate Administration Guide.
Index: Display the online help index. You can use the index to find information in the online help.
Search: Display the online help search. For more information, see Searching the online help on page 50.
Show in Contents: If you have used the index, search, or hyperlinks to find information in the online help, the table of contents may not be visible or the table of contents may be out of sync with the current help page. You can select Show in Contents to display the location of the current help page within the table of contents.

Searching the online help


Using the online help search, you can search for one word or multiple words in the full text of the FortiGate online help system. Please note the following:
• If you search for multiple words, the search finds only those help pages that contain all of the words that you entered. The search does not find help pages that contain only one of the words that you entered.
• The help pages found by the search are ranked in order of relevance. The higher the ranking, the more likely the help page includes useful or detailed information about the word or words that you are searching for. Help pages with the search words in the help page title are ranked highest.

You can use the asterisk (*) as a search wildcard character that is replaced by any number of characters. For example, if you search for auth* the search finds help pages containing auth, authenticate, authentication, authenticates, and so on. In some cases the search finds only exact matches. For example, if you search for windows the search may not find pages containing the word window. You can work around this using the * wildcard (for example by searching for window*).

To search in the online help system
1 From any web-based manager page, select the online help button.
2 Select Show Navigation.
3 Select Search.
4 In the search field, enter one or more words to search for and then press the Enter key on your keyboard or select Go. The search results pane lists the names of all the online help pages that contain all the words that you entered. Select a name from the list to display that help page.
Figure 9: Searching the online help system (callouts: Search Field, Go, Search Results)

Using the keyboard to navigate in the online help


You can use the keyboard shortcuts listed in Table 3 to display and find information in the online help.
Table 3: Online help navigation keys
Key     Function
Alt+1   Display the table of contents.
Alt+2   Display the index.
Alt+3   Display the Search tab.
Alt+4   Go to the previous page.
Alt+5   Go to the next page.
Alt+7   Send an email to Fortinet Technical Documentation at techdoc@fortinet.com if you have comments on or corrections for the online help or any other Fortinet technical documentation product.
Alt+8   Print the current online help page.
Alt+9   Add an entry for this online help page to your browser bookmarks or favorites list, to make it easier to find useful online help pages.

Logging out
The Logout button immediately logs you out of the web-based manager. Log out before you close the browser window. If you simply close the browser or leave the web-based manager, you remain logged in until the idle timeout (default 5 minutes) expires. To change the timeout, see Changing the web-based manager idle timeout on page 47.

Web-based manager pages


The web-based manager interface consists of a menu and pages. Many of the pages have multiple tabs. When you select a menu item, such as System, the web-based manager expands to reveal a submenu. When you select one of the submenu items, the associated page opens at its first tab. To view a different tab, select the tab. The procedures in this manual direct you to a page by specifying the menu item, the submenu item and the tab, for example: 1 Go to System > Network > Interface.
Figure 10: Parts of the web-based manager (shown for the FortiGate-50B), with callouts for Tabs, Page, Button bar, and Menu

Using the web-based manager menu


The web-based manager menu provides access to configuration options for all major FortiGate features (see Figure 10 on page 52).
System: Configure system settings, such as network interfaces, virtual domains, DHCP services, administrators, certificates, High Availability (HA), system time and set system options.
Router: Configure FortiGate static and dynamic routing and view the router monitor.
Firewall: Configure firewall policies and protection profiles that apply network protection features. Also configure virtual IP addresses and IP pools.
UTM: Configure antivirus and antispam protection, web filtering, intrusion protection, data leak prevention, and application control.
VPN: Configure IPSec and SSL virtual private networking. PPTP is configured in the CLI.
User: Configure user accounts for use with firewall policies that require user authentication. Also configure external authentication servers such as RADIUS, LDAP, TACACS+, and Windows AD. Configure monitoring of Firewall, IPSec, SSL, IM, and Banned Users.
Endpoint control: Configure end points, view FortiClient configuration information, and configure software detection patterns.
Log&Report: Configure logging and alert email. View log messages and reports.

Using web-based manager lists


Many of the web-based manager pages contain lists. There are lists of network interfaces, firewall policies, administrators, users, and others. If you log in as an administrator with an admin profile that allows Read-Write access to a list, depending on the list you will usually be able to:
• select Create New to add a new item to the list
• select the Edit icon for a list item to view and change the settings of the item
• select the Delete icon for a list item to delete the item.
The delete icon will not be available if the item cannot be deleted. Usually items cannot be deleted if they have been added to another configuration; you must first find the configuration settings that the item has been added to and remove the item from them. For example, to delete a user that has been added to a user group you must first remove the user from the user group (see Figure 11).

Figure 11: A web-based manager list (read-write access), with Delete and Edit icons

If you log in as an administrator with an admin profile that allows Read Only access to a list, you will only be able to view the items on the list (see Figure 12).
Figure 12: A web-based manager list (read only access), with View icon

For more information, see Admin profiles on page 222.

Adding filters to web-based manager lists


You can add filters to control the information that is displayed by the following complex lists:
• Session list (see Viewing the session list on page 83)
• Firewall policy and IPv6 policy lists (see Viewing the firewall policy list on page 321)
• Intrusion protection predefined signatures list (see Viewing the predefined signature list on page 457)
• Firewall user monitor list (see Firewall user monitor list on page 591)
• IPSec VPN Monitor (see IPSEC monitor list on page 592)
• Endpoint control list of known endpoints (see Monitoring endpoints on page 644)
• Log and report log access list (see Accessing Logs on page 662).

Filters are useful for reducing the number of entries that are displayed on a list so that you can focus on the information that is important to you. For example, you can go to System > Status, and, in the Statistics section, select Details on the Sessions line to view the communications sessions that the FortiGate unit is currently processing. A busy FortiGate unit may be processing hundreds or thousands of communications sessions. You can add filters to make it easier to find specific sessions. For example, you might be looking for all communications sessions being accepted by a specific firewall policy. You can add a Policy ID filter to display only the sessions for a particular Policy ID or range of Policy IDs. You add filters to a web-based manager list by selecting any filter icon to display the Edit Filters window. From the Edit Filters window you can select any column name to filter, and configure the filter for that column. You can also add filters for one or more columns at a time. The filter icon remains gray for unfiltered columns and changes to green for filtered columns.
Figure 13: An intrusion protection predefined signatures list filtered to display all signatures containing apache with logging enabled, action set to drop, and severity set to high (callouts: "Filter added to display names that include apache" and "No filter added")

The filter configuration is retained after leaving the web-based manager page and even after logging out of the web-based manager or rebooting the FortiGate unit. Different filter styles are available depending on the type of information displayed in individual columns. In all cases, you configure filters by specifying what to filter on and whether to display information that matches the filter, or by selecting NOT to display information that does not match the filter.
Note: Filter settings are stored in the FortiGate configuration and will be maintained the next time that you access any list for which you have added filters.

On firewall policy, IPv6 policy, predefined signature and log and report log access lists, you can combine filters with column settings to provide even more control of the information displayed by the list. See Using filters with column settings on page 59 for more information.


Filters for columns that contain numbers


If the column includes numbers (for example, IP addresses, firewall policy IDs, or port numbers) you can filter by a single number or a range of numbers. For example, you could configure a source address column to display only entries for a single IP address or for all addresses in a range of addresses. To specify a range, separate the top and bottom values of the range with a hyphen, for example 25-50. Figure 14 shows a numeric filter configured to control the source addresses that are displayed on the session list. In this example, a filter is enabled for the Source Address column. The filter is configured to display only source addresses in the range of 1.1.1.1-1.1.1.2. To view the session list, go to System > Status. In the Statistics section, beside Sessions, select Details.
Figure 14: A session list with a numeric filter set to display sessions with source IP address in the range of 1.1.1.1-1.1.1.2

Filters for columns containing text strings


If the column includes text strings (for example, names and log messages) you can filter by a text string. You can also filter information that is an exact match for the text string (equals), that contains the text string, or that does not equal or does not contain the text string. You can also specify whether to match the capitalization (case) of the text string. The text string can be blank and it can also be very long. The text string can also contain special characters such as <, &, > and so on. However, filtering ignores characters following a < unless the < is followed by a space (for example, filtering ignores <string but not < string). Filtering also ignores matched opening and closing < and > characters and any characters inside them (for example, filtering ignores <string> but does not ignore >string>).
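As an added example (not from the guide and not Fortinet code), the following Python models the numeric-range filter from the previous section and the text-string filter rules above, and runs them over a constructed session list. Two points are assumptions: a "<" not followed by a space is dropped together with the rest of its token, and filters on several columns combine with AND.

```python
import ipaddress
import re


def _to_int(value):
    """Turn a filter value into an integer; IP addresses become their
    integer form so that '1.1.1.1-1.1.1.2' can be compared as a range."""
    value = str(value).strip()
    try:
        return int(ipaddress.ip_address(value))
    except ValueError:
        return int(value)


def parse_range(spec):
    """Parse a numeric filter: a single value ('3') or 'bottom-top'
    ('25-50', '1.1.1.1-1.1.1.2'). Returns (lo, hi) as integers."""
    lo, sep, hi = spec.partition("-")
    lo_i = _to_int(lo)
    hi_i = _to_int(hi) if sep else lo_i
    if lo_i > hi_i:
        raise ValueError("range bottom is above range top: %s" % spec)
    return lo_i, hi_i


def numeric_match(value, spec, negate=False):
    """True when value lies in the range; negate=True models the NOT option."""
    lo, hi = parse_range(spec)
    return (lo <= _to_int(value) <= hi) != negate


def normalize_filter_text(text):
    """Apply the guide's rules for '<' and '>' in a text filter string:
    - a matched '<...>' pair and everything inside it is ignored;
    - a '<' not followed by a space is ignored together with the characters
      after it (assumption: up to the next whitespace);
    - '< ' (with a space) and any '>' are kept as ordinary characters."""
    text = re.sub(r"<[^<>]*>", "", text)
    text = re.sub(r"<(?!\s)\S*", "", text)
    return text


def text_match(value, pattern, mode="contains", case_sensitive=False, negate=False):
    """Text filter: mode is 'equals' or 'contains'; negate models the
    'does not equal' / 'does not contain' variants."""
    pattern = normalize_filter_text(pattern)
    value = str(value)
    if not case_sensitive:
        value, pattern = value.lower(), pattern.lower()
    if mode == "equals":
        hit = value == pattern
    elif mode == "contains":
        hit = pattern in value
    else:
        raise ValueError("unknown mode: %s" % mode)
    return hit != negate


def apply_filters(rows, filters):
    """filters: list of (column, predicate). A row is shown only if every
    filtered column matches (assumption: column filters combine with AND)."""
    return [row for row in rows if all(pred(row[col]) for col, pred in filters)]


# Constructed sample session list (not captured from a FortiGate unit).
SESSIONS = [
    {"src": "1.1.1.1", "dst": "10.0.0.5", "policy_id": 3, "service": "HTTP"},
    {"src": "1.1.1.2", "dst": "10.0.0.9", "policy_id": 3, "service": "DNS"},
    {"src": "1.1.1.3", "dst": "10.0.0.5", "policy_id": 7, "service": "HTTP"},
    {"src": "1.1.1.2", "dst": "10.0.0.5", "policy_id": 7, "service": "SSH"},
]


def sessions_from_range_and_policy(rows=SESSIONS, src_range="1.1.1.1-1.1.1.2", policy="3"):
    """Figure 14 style filter: source address in a range AND a given Policy ID."""
    return apply_filters(rows, [
        ("src", lambda v: numeric_match(v, src_range)),
        ("policy_id", lambda v: numeric_match(v, policy)),
    ])


if __name__ == "__main__":
    for row in sessions_from_range_and_policy():
        print(row)
```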


Figure 15: A firewall policy list filter set to display all policies that do not include a source address with a name that contains My_Address

Filters for columns that can contain only specific items


For columns that can contain only specific items (for example, a log message severity or a pre-defined signature action) you can select a single item from a list. In this case, you can only filter on a single selected item.
Figure 16: An intrusion protection predefined signature list filter set to display all signatures with Action set to block

Custom filters
Other custom filters are also available. You can filter log messages according to date range and time range. You can also set the level filter to display log messages with multiple severity levels.


Figure 17: A log access filter set to display all log messages with level of alert, critical, error, or warning

Using page controls on web-based manager lists


The web-based manager includes page controls to make it easier to view lists that contain more items than you can display on a typical browser window. These page controls are available for the following lists:
• session list (see Viewing the session list on page 83)
• Router Monitor (see Router Monitor on page 315)
• intrusion protection predefined signatures list (see Viewing the predefined signature list on page 457)
• web filtering lists (see Web Filter on page 475)
• antispam lists (see Antispam on page 495)
• Firewall user monitor list (see Firewall user monitor list on page 591)
• IPSec VPN Monitor (see IPSEC monitor list on page 592)
• Banned user list (see NAC quarantine and the Banned User list on page 595)
• log and report log access lists (see Accessing Logs on page 662)
• Endpoint control list of known endpoints (see Monitoring endpoints on page 644).

Figure 18: Page controls

First Page: Display the first page of items in the list.
Previous Page: Display the previous page of items in the list.
Current Page: The current page number of list items that are displayed. You can enter a page number and press Enter to display the items on that page. For example, if there are 5 pages of items and you enter 3, page 3 of the sessions will be displayed.
Total Number of Pages: The number of pages of list items that you can view.
Next Page: Display the next page of items in the list.
Last Page: Display the last page of items in the list.

Using column settings to control the columns displayed


Using column settings, you can format some web-based manager lists so that information that is important to you is easy to find and less important information is hidden or less distracting. On the following web-based manager pages that contain complex lists, you can change column settings to control the information columns that are displayed for the list and to control the order in which they are displayed:
- Network interface list (see Interfaces on page 119)
- Firewall policy and IPv6 policy (see Viewing the firewall policy list on page 321)
- Intrusion protection predefined signatures list (see Viewing the predefined signature list on page 457)
- Firewall user monitor list (see Firewall user monitor list on page 591)
- IPSec VPN Monitor (see IPSEC monitor list on page 592)
- Endpoint control list of known endpoints (see Monitoring endpoints on page 644)
- Log and report log access lists (see Accessing Logs on page 662)
Note: Any changes that you make to the column settings of a list are stored in the FortiGate configuration and will display the next time that you access the list.

To change column settings on a list that supports it, select Column Settings. From Available fields, select the column headings to be displayed and then select the Right Arrow to move them to the Show these fields in this order list. Similarly, to hide column headings, use the Left Arrow to move them back to the Available fields list. Use Move Up and Move Down to change the order in which to display the columns. For example, you can change interface list column headings to display only the IP/Netmask, MAC address, MTU, and interface Type for each interface.


Figure 19: Example of interface list column settings

Figure 19 callouts: Left Arrow, Right Arrow

Figure 20: A FortiGate-5001SX interface list with column settings changed

Using filters with column settings


On firewall policy, IPv6 policy, predefined signature, firewall user monitor, IPSec monitor and log and report log access lists you can combine filters with column settings to provide even more control of the information displayed by the list. For example, you can go to Intrusion Protection > Signature > Predefined and configure the Intrusion Protection predefined signatures list to show only the names of signatures that protect against vulnerabilities for a selected application. To do this, set Column Settings to only display Applications and Name. Then apply a filter to Applications so that only selected applications are listed. In the pre-defined signatures list you can also sort the list by different columns; you might want to sort the list by application so that all signatures for each application are grouped together.


Figure 21: A pre-defined signatures list displaying pre-defined signatures for the Veritas and Winamp applications

For more information, see Adding filters to web-based manager lists on page 53.

Web-based manager icons


The web-based manager has icons in addition to buttons to help you to interact with your FortiGate unit. There are tooltips to assist you in understanding the function of most icons. Pause the mouse pointer over the icon to view the tooltip. Table 4 describes the icons that are available in the web-based manager.
Table 4: web-based manager icons (Name: Description)

Administrative status down: The administrative status of a FortiGate interface is down and the interface will not accept traffic.
Administrative status up: The administrative status of a FortiGate interface is up and the interface accepts traffic.
Change Password: Change the administrator password. This icon appears in the Administrators list if your admin profile enables you to give write permission to administrators.
Clear: Clear all or remove all entries from the current list. For example, on a URL filter list you can use this icon to remove all URLs from the current URL filter list.
Delete: Delete an item. This icon appears in lists where the item can be deleted and you have edit permission for the item.
Description: The tooltip for this icon displays the Description or Comments field for this table entry.
Disconnect from cluster: Disconnect a FortiGate unit from a functioning HA cluster.
Download: Download information from a FortiGate unit. For example, you can download certificates and debug logs.
Edit: Edit a configuration. This icon appears in lists where you have write permission for the item.
Enter a VDOM: Enter a virtual domain and use the web-based manager to configure settings for the virtual domain.
Expand Arrow (closed): Expand this section to reveal more fields. This icon is used in some dialog boxes and lists.
Expand Arrow (open): Close this section to hide some fields. This icon is used in some dialog boxes and lists.
Filter: Set a filter on one or more columns in this table. See Adding filters to web-based manager lists on page 53.
First page: View the first page of a list.
Insert before: Add a new item to a list so that it precedes the current item. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.
Last page: View the last page of a list.
Move to: Change the position of an item in a list. Used in lists when the order of items in the list is significant, for example firewall policies, IPS Sensors, and DoS Sensors.
Next page: View the next page of a list.
Previous page: View the previous page of a list.
Refresh: Update the information on this page.
View: View a configuration. This icon appears in lists instead of the Edit icon when you have read-only access to a web-based manager list.
View details: View detailed information about an item. For example, you can use this icon to view details about certificates.


System Status
This section describes the System Status page, the dashboard of your FortiGate unit. At a glance you can view the current system status of the FortiGate unit including serial number, uptime, FortiGuard license information, system resource usage, alert messages and network statistics.
Note: Your browser must support Javascript to view the System Status page.

If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available globally and system status settings are configured globally for the entire FortiGate unit. The Topology viewer is not available when VDOMs are enabled. For details, see Using virtual domains on page 103.

This section describes:
- Status page
- Changing system information
- Changing the FortiGate firmware
- Viewing operational history
- Manually updating FortiGuard definitions
- Viewing Statistics
- Topology

Status page
View the System Status page, also known as the system dashboard, for a snapshot of the current operating status of the FortiGate unit. FortiGate administrators whose admin profiles permit write access to system configuration can change or update FortiGate unit information. For more information on admin profiles, see Admin profiles on page 222. When the FortiGate unit is part of an HA cluster, the System Status page includes basic high availability (HA) cluster status, such as the name of the cluster and the cluster members, including their host names. To view more specialized HA status information for the cluster, go to System > Config > HA. For more information, see HA on page 177.
Note: The information on the System Status page applies to the whole HA cluster, not just the Master unit. This includes information such as URLs visited, emails sent and received, and viruses caught.


Viewing system status


The System Status page displays by default when you log in to the web-based manager. Go to System > Status to view the System Status page.

To view this page, your admin profile must permit read access to system configuration. If you also have system configuration write access, you can modify system information and update FortiGuard - AV and FortiGuard - IPS definitions. For information on admin profiles, see Admin profiles on page 222. The System Status page is customizable. You can select which widgets to display, where they are located on the page, and if they are minimized or maximized. Each display has an icon associated with it for easy recognition when minimized.
Figure 22: System Status page

Select Add Content to add any of the widgets not currently shown on the System Status page. Any widgets currently on the System Status page will be greyed out in the Add Content menu, as you can only have one of each display on the System Status page. Optionally, select Back to Default to restore the historic System Status page configuration. Position your mouse over a display's title bar to see your available options for that display. The options vary slightly from display to display.
Figure 23: A minimized display

Figure 23 callouts: Widget title, Disclosure arrow, History, Edit, Refresh, Close

Widget Title: Shows the name of the display.
Disclosure arrow: Select to maximize or minimize the display.
History: Select to show an expanded set of data. Not available for all widgets.
Edit: Select to change settings for the display.
Refresh: Select to update the displayed information.
Close: Select to close the display. You will be prompted to confirm the action.

The available dashboard widgets are:
- System Information
- License Information
- Unit Operation
- System Resources
- Alert Message Console
- Statistics
- CLI Console
- Top Sessions
- Top Viruses
- Top Attacks
- Traffic History

System Information
Go to System > Status to find System Information.
Figure 24: System Information

Serial Number: The serial number of the FortiGate unit. The serial number is specific to the FortiGate unit and does not change with firmware upgrades.
Uptime: The time in days, hours, and minutes since the FortiGate unit was started.
System Time: The current date and time according to the FortiGate unit's internal clock. Select Change to change the time or configure the FortiGate unit to get the time from an NTP server. For more information, see Configuring system time on page 78.
HA Status: The status of high availability for this unit. Standalone indicates the unit is not operating in HA mode. Active-Passive or Active-Active indicate the unit is operating in HA mode. Select Configure to configure the HA status for this unit. For more information, see HA on page 177.
Host Name: The host name of the current FortiGate unit. Select Change to change the host name. For more information, see Changing the FortiGate unit host name on page 78. If the FortiGate unit is in HA mode, this field is not displayed.
Cluster Name: The name of the HA cluster for this FortiGate unit. For more information, see HA on page 177. The FortiGate unit must be operating in HA mode to display this field.
Cluster Members: The FortiGate units in the HA cluster. Information displayed about each member includes host name, serial number, and whether the unit is a primary (master) or subordinate (slave) unit in the cluster. For more information, see HA on page 177. The FortiGate unit must be operating in HA mode with virtual domains disabled to display this field.
Virtual Cluster 1, Virtual Cluster 2: The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2. For more information, see HA on page 177. The FortiGate unit must be operating in HA mode with virtual domains enabled to display these fields.
Firmware Version: The version of the current firmware installed on the FortiGate unit. The format for the firmware version is Select Update to change the firmware. For more information, see Upgrading to a new firmware version on page 80.
FortiClient Version: The current version of FortiClient uploaded to your FortiGate unit, used for endpoint control. This field appears if you can upload a FortiClient image onto your FortiGate unit. See Configuring FortiClient required version and installer download on page 642.
Operation Mode: The operating mode of the current FortiGate unit. Except for model 224B in switch view, a FortiGate unit can operate in NAT mode or Transparent mode. Select Change to switch between NAT and Transparent mode. For more information, see Changing operation mode on page 206. If virtual domains are enabled, this field shows the operating mode of the current virtual domain. Each virtual domain can be operating in either NAT mode or Transparent mode.
Virtual Domain: Status of virtual domains on your FortiGate unit. Select Enable or Disable to change the status of the virtual domains feature. Multiple VDOM operation is not available on a FortiGate-224B unit in switch view. If you enable or disable virtual domains, your session will be terminated and you will need to log in again. For more information, see Using virtual domains on page 103.
Current Administrators: The number of administrators currently logged into the FortiGate unit. Select Details to view more information about each administrator that is currently logged in. The additional information includes user name, type of connection, IP address from which they are connecting, and when they logged in.

License Information
License Information displays the status of your technical support contract and FortiGuard subscriptions. The FortiGate unit updates the license information status indicators automatically when attempting to connect to the FortiGuard Distribution Network (FDN). FortiGuard Subscriptions status indicators are green if the FDN was reachable and the license was valid during the last connection attempt, grey if the FortiGate unit cannot connect to the FDN, and orange if the FDN is reachable but the license has expired. Selecting any of the Configure options will take you to the Maintenance page. For more information, see System Maintenance on page 253.


Figure 25: License Information

Support Contract: The Fortinet technical support contract number and expiry date, or registration status. If Not Registered appears, select Register to register the unit. If Expired appears, select Renew for information on renewing your technical support contract. Contact your local reseller.

FortiGuard Subscriptions
AntiVirus: The FortiGuard Antivirus version, license issue date and service status. If your license has expired, you can select Renew to renew the license.
AV Definitions: The currently installed version of the FortiGuard Antivirus definitions. To update the definitions manually, select Update. For more information, see Manually updating FortiGuard definitions on page 82.
Intrusion Protection: The FortiGuard Intrusion Prevention System (IPS) license version, license issue date and service status. If your license has expired, you can select Renew to renew the license.
IPS Definitions: The currently installed version of the IPS attack definitions. To update the definitions manually, select Update. For more information, see Manually updating FortiGuard definitions on page 82.
Web Filtering: The FortiGuard Web Filtering license, license expiry date and service status. If your license has expired, you can select Renew to renew the license.
Antispam: The FortiGuard Antispam license type, license expiry date and service status. If your license has expired, you can select Renew to renew the license.
AS Rule Set: The currently installed version of the antispam rule set. To update the rule set manually, select Update. For more information, see Manually updating FortiGuard definitions on page 82.
Analysis and Management Service: The FortiGuard Analysis and Management Service license, license expiry date, and reachability status.
Services Account ID: Select Change to enter a different Service Account ID. This ID is used to validate your license for subscription services such as the FortiGuard Analysis and Management Service.

Virtual Domain
VDOMs Allowed: The maximum number of virtual domains the unit supports with the current license. For high-end FortiGate units, you can select the Purchase More link to purchase a license key through Fortinet technical support to increase the maximum number of VDOMs. See Adding VDOM Licenses on page 276.


Unit Operation
In the Unit Operation area, an illustration of the FortiGate unit's front panel shows the status of the unit's Ethernet network interfaces. If a network interface is green, that interface is connected. Pause the mouse pointer over the interface to view the name, IP address, netmask and current status of the interface. If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the reason for the system event. You can only have one management and one logging/analyzing method displayed for your FortiGate unit. The graphic for each will change based on which method you choose. If none are selected, no graphic is shown.
Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and admin events are enabled. For more information on Event Logging, see Event log on page 659.

Figure 26: Unit Operation (FortiGate-800)

Figure 27: Unit Operation (FortiGate 30B with FGAMS)

Figure 28: Unit Operation (FortiGate 3810A)


INT / EXT / DMZ / HA / WAN1 / WAN2 / 1 / 2 / 3 / 4: The network interfaces on the FortiGate unit. The names and number of these interfaces vary by model. The icon below the interface name indicates its up/down status by color. Green indicates the interface is connected. Grey indicates there is no connection. For more information about the configuration and status of an interface, pause the mouse over the icon for that interface. A tooltip displays the full name of the interface, its alias if one is configured, the IP address and netmask, the status of the link, the speed of the interface, and the number of sent and received packets.

AMC-SW1/1, ... AMC-DW1/1, ...: If your FortiGate unit supports Advanced Mezzanine Card (AMC) modules and you have installed an AMC module containing network interfaces (for example, the FortiGate-ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named for the module and the interface. For example, AMC-SW1/3 is the third network interface on the SW1 module, and AMC-DW2/1 is the first network interface on the DW2 module. AMC modules support hard disks as well, such as the ASM-S08 module. When a hard disk is installed, ASM-S08 is visible as well as a horizontal bar and percentage indicating how full the hard disk is.

FortiAnalyzer: The icon on the link between the FortiGate unit graphic and the FortiAnalyzer graphic indicates the status of their OFTP connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is OFTP communication. Select the FortiAnalyzer graphic to configure remote logging to the FortiAnalyzer unit on your FortiGate unit. See Logging to a FortiAnalyzer unit on page 650.

FortiGuard Analysis Service: The icon on the link between the FortiGate unit graphic and the FortiGuard Analysis Service graphic indicates the status of their OFTP connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is OFTP communication. Select the FortiGuard Analysis Service graphic to configure remote logging to the FortiGuard Analysis Service. See FortiGuard Analysis and Management Service on page 648.

FortiManager: The icon on the link between the FortiGate unit graphic and the FortiManager graphic indicates the status of the connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is communication between the two units. Select the FortiManager graphic to configure central management on your FortiGate unit. See Central Management on page 226.

FortiGuard Management Service: The icon on the link between the FortiGate unit graphic and the FortiGuard Analysis and Management Service graphic indicates the status of the connection. An X on a red icon indicates there is no connection. A check mark on a green icon indicates there is communication. Select the FortiGuard Analysis and Management Service graphic to configure central management on your FortiGate unit. See Central Management on page 226.

Reboot: Select to shut down and restart the FortiGate unit. You will be prompted to enter a reason for the reboot that will be entered into the logs.

Shutdown: Select to shut down the FortiGate unit. You will be prompted for confirmation, and also prompted to enter a reason for the shutdown that will be entered into the logs.


System Resources
The System Resources widget displays basic FortiGate unit resource usage, such as CPU and memory (RAM) usage. Any System Resources that are not displayed on the status page can be viewed as a graph by selecting the History icon. To see the most recent CPU and memory usage, select the Refresh icon.
Figure 29: System Resources

History: A graphical representation of the last minute of CPU, memory, sessions, and network usage. This page also shows the virus and intrusion detections over the last 20 hours. For more information, see Viewing operational history on page 81.
CPU Usage: The current CPU status displayed as a dial gauge and as a percentage. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory (RAM) status displayed as a dial gauge and as a percentage. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
FortiAnalyzer Usage: The current status of the FortiAnalyzer disk space used by this FortiGate unit's quota, displayed as a pie chart and a percentage. You can use the System Resources edit menu to select not to display this information. This is available only if you have configured logging to a FortiAnalyzer unit.
Disk Usage: The current status of the FortiGate unit disk space used, displayed as a pie chart and a percentage. This is available only if you have a hard disk on your FortiGate unit.

Alert Message Console


Alert messages help you track system events on your FortiGate unit such as firmware changes, network security events, or virus detection events. Each message shows the date and time that the event occurred.


Figure 30: Alert Message Console

The following types of messages can appear in the Alert Message Console:
System restart: The system restarted. The restart could be due to operator action or power off/on cycling.
Firmware upgraded by <admin_name>: The named administrator upgraded the firmware to a more recent version on either the active or non-active partition.
Firmware downgraded by <admin_name>: The named administrator downgraded the firmware to an older version on either the active or non-active partition.
FortiGate has reached connection limit for <n> seconds: The antivirus engine was low on memory for the duration of time shown. Depending on model and configuration, content can be blocked or can pass unscanned under these conditions.
Found a new FortiAnalyzer / Lost the connection to FortiAnalyzer: Shows that the FortiGate unit has either found or lost the connection to a FortiAnalyzer unit. See Logging to a FortiAnalyzer unit on page 650.
New firmware is available from FortiGuard: An updated firmware image is available to be downloaded to this FortiGate unit.

If there is insufficient space for all of the messages within the Alert Message Console widget, select History to view the list of alerts in a new window. To clear alert messages, select the History icon and then select Clear Alert Messages, which is located at the top of the pop-up window. This will acknowledge and hide all current alert messages from your FortiGate unit. Select Edit to display Custom Alert Display options that offer the following customizations for your alert message display:
- Do not display system shutdown and restart.
- Do not display firmware upgrade and downgrade.
- Do not display conserve mode messages.

Statistics
The Statistics widget is designed to allow you to see at a glance what is happening on your FortiGate unit with regards to network traffic and attack attempts. You can quickly see the amount and type of traffic as well as any attack attempts on your system. To investigate an area that draws your attention, select Details for a detailed list of the most recent activity. The information displayed in the statistics widget is derived from log messages that can be saved to a FortiAnalyzer unit, saved locally, or backed up to an external source such as a syslog server. You can use this data to see trends in network activity or attacks over time. Various configuration settings are required to actually collect data for the statistics widget. See the descriptions of content archive and attack log for details. For detailed procedures involving the Statistics list, see Viewing Statistics on page 83.


Figure 31: Statistics

Figure 32: Statistics

Figure 31 and Figure 32 callouts: Refresh, Reset, Close

Since Reset: The date and time when the counts were last reset. Counts are reset when the FortiGate unit reboots, or when you select Reset.
Reset: Reset the Content Archive and Attack Log statistic counts to zero.
Sessions: The number of communications sessions being handled by the FortiGate unit. Select Details for detailed information. See Viewing the session list on page 83.

Content Archive: A summary of the HTTP, HTTPS, email, FTP and IM traffic that has passed through the FortiGate unit, and whose metadata has been content archived. The Details pages list the last 64 items of the selected type and provide links to the FortiAnalyzer unit where the archived traffic is stored. If logging to a FortiAnalyzer unit is not configured, the Details pages provide a link to Log & Report > Log Config > Log Settings.
You configure the FortiGate unit to collect content archive data for the statistics widget by configuring protection profiles to display content meta-information on the system dashboard. To configure a protection profile, go to Firewall > Protection Profile. Create or edit a protection profile and configure Data Leak Prevention Sensor > Display content meta-information on the system dashboard and select the protocols to collect statistics for. By default, meta-data is collected and displayed on the statistics widget for all protocols. For more information, see Data Leak Prevention Sensor options on page 419. You must also add the protection profile to a firewall policy. When the firewall policy receives sessions for the selected protocols, meta-data is added to the statistics widget.
You can configure a protection profile to collect statistics for HTTP, HTTPS, FTP, IMAP, POP3, and SMTP traffic. If your FortiGate unit supports SSL content scanning and inspection, a protection profile can also collect statistics for IMAPS, POP3S, and SMTPS traffic. For more information, see SSL content scanning and inspection on page 399. By default, meta-data is collected and displayed on the statistics widget for all of these protocols.
The Email statistics are based on email protocols. POP3 and IMAP traffic is registered as incoming email, and SMTP as outgoing email. If your FortiGate unit supports SSL content scanning and inspection, incoming email also includes POP3S and IMAPS and outgoing email also includes SMTPS. If incoming or outgoing email does not use these protocols, these statistics will not be accurate.
The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols. You can also configure displaying meta-information on the system dashboard for these IM protocols.

Attack Log: A summary of viruses, attacks, spam email messages, and blocked URLs that the FortiGate unit has intercepted. Also displays the number of sessions matched by DLP. The Details pages list the 20 most recent items, providing the time, source, destination and other information.
DLP data loss detected actually displays the number of sessions that have matched DLP sensors added to protection profiles. DLP collects meta-data about all sessions matched by DLP sensors and records this meta-data in the DLP log. Every time a DLP log message is recorded, the DLP data loss detected number increases. If you are using DLP for content summary or full content archiving, the DLP data loss detected number can get very large. This number may not indicate that data has been lost or leaked. For more information, see Adding or editing a rule in a DLP sensor on page 513.

CLI Console
The System Status page can include a CLI. To use the console, select it to automatically log in to the admin account you are currently using in the web-based manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console.
Figure 33: CLI Console

Figure 33 callout: Customize

The two controls located on the CLI Console widgets title bar are Customize, and Detach.


Detach moves the CLI Console widget into a pop-up window that you can resize and reposition. The two controls on the detached CLI Console are Customize and Attach. Attach moves the CLI console widget back onto the System Status page. Customize allows you to change the appearance of the console by defining fonts and colors for the text and background.
Figure 34: Customize CLI Console window

Preview: A preview of your changes to the CLI Console's appearance.
Text: Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the text in the CLI Console.
Background: Select the current color swatch next to this label, then select a color from the color palette to the right to change the color of the background in the CLI Console.
Use external command input box: Select to display a command input field below the normal console emulation area. When this option is enabled, you can enter commands by typing them into either the console emulation area or the external command input field.
Console buffer length: Enter the number of lines the console buffer keeps in memory. Valid numbers range from 20 to 9999.
Font: Select a font from the list to change the display font of the CLI Console.
Size: Select the size of the font. The default size is 10 points.

Top Sessions
Top Sessions displays either a bar graph or a table showing the IP addresses that have the most sessions open on the FortiGate unit. The sessions are sorted by their source or destination IP address, or the port address. The sort criteria being used is displayed in the top right corner. The Top Sessions display polls the kernel for session information, and this slightly impacts the FortiGate unit performance. For this reason when this display is not shown on the dashboard, it is not collecting data, and not impacting system performance. When the display is shown, information is only stored in memory.


Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.
Figure 35: Top sessions bar graph showing destination IP addresses (callouts: Last updated, Number of active sessions, Sort Criteria, Change to a detailed table view, Criteria of Top Sessions (Source IP Address), Number of sessions displayed)

The Top Sessions display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Sessions. To view detailed information about all displayed sessions at once, select Details. This changes the Top Sessions display to a table format, without opening a new window. To return to the chart display, select Return. The table displays more detailed information about sessions than the chart display, including:
- the session protocol, such as tcp or udp
- source address and port
- destination address and port
- the ID of the policy, if any, that applies to the session
- how long until the session expires
- which virtual domain the session belongs to

To view detailed information about a single session bar in the chart, click on the bar. The display will change to the table format, with the filters set to only show the selected information. Selecting Edit for Top Sessions allows changes to the:
- refresh interval
- sort criteria, to change between source and destination addresses of the sessions
- number of top sessions to show


Figure 36: Edit menu for Top Sessions

Sort Criteria: Select the method used to sort the Top Sessions on the System Status display. Choose one of: Source Address, Destination Address, Port Address.
Display UserName: Select to include the username associated with this source IP address, if available. In the table display format this will be a separate column. Display UserName is available only when the sort criteria is Source Address.
Resolve Host Name: Select to resolve the IP address to the host name. Resolve Host Name is not available when the sort criteria is Destination Port.
Resolve Service: Select to resolve port addresses into their commonly associated service names. Any port address without a service will continue to be displayed as the port address. For example, port 443 would resolve to HTTPS. Resolve Service is only available when the sort criteria is Destination Port.
Display Format: Select how the Top Session information is displayed. Choose one of: Chart, Table.
Top Sessions to Show: Select the number of sessions to display. Choose to display 5, 10, 15, or 20 sessions.
Refresh Interval: Select how often the display is updated. The refresh interval range is from 10 to 240 seconds. Selecting 0 will disable the automatic refresh of the display. You will still be able to select the manual refresh option on the Top Sessions title bar. Shorter refresh intervals may impact the performance of your FortiGate unit. If this occurs, try increasing the refresh interval or disabling the automatic refresh.

Top Viruses
Top Viruses displays a bar graph representing the virus threats that have been detected most frequently by the FortiGate unit. The Top Viruses display is not part of the default dashboard display. It can be displayed by selecting Add Content, and selecting Top Viruses from the drop down menu. Selecting the history icon opens a window that displays up to the 20 most recent viruses that have been detected with information including the virus name, when it was last detected, and how many times it was detected. The system stores up to 1024 entries, but only displays up to 20 in the GUI. Selecting the edit icon for Top Viruses allows changes to the:
- refresh interval
- top viruses to show

Top Attacks
Top Attacks displays a bar graph representing the most numerous attacks detected by the FortiGate unit. The Top Attacks display is not part of the default dashboard display. It can be displayed by selecting Add Content > Top Attacks from the drop down menu. Selecting the history icon opens a window that displays up to the 20 most recent attacks that have been detected with information including the attack name, when it was last detected, and how many times it was detected. The FortiGate unit stores up to 1024 entries, but only displays up to 20 in the web-based manager. Selecting the Edit icon for Top Attacks allows changes to the:
- refresh interval
- top attacks to show

Traffic History
The traffic history display shows the traffic on one selected interface over the last hour, day, and month. This feature can help you locate peaks in traffic that you need to address as well as their frequency, duration, and other information. Only one interface at a time can be monitored. You can change the interface being monitored by selecting Edit, choosing the interface from the drop down menu, and selecting Apply. Doing this will clear all the traffic history data.
Figure 37: Traffic History (callout: Interface being monitored)

Interface: The interface that is being monitored.
kbit/s: The units of the traffic graph. The scale varies based on traffic levels to allow it to show traffic levels no matter how little or how much traffic there is.
Last 60 Minutes, Last 24 Hours, Last 30 Days: Three graphs showing the traffic monitored on this interface of the FortiGate unit over different periods of time. Certain trends may be easier to spot in one graph over the others.
Traffic In: The traffic entering the FortiGate unit on this interface is indicated with a thin red line.
Traffic Out: The traffic leaving the FortiGate unit on this interface is indicated with a dark green line, filled in with light green.


Changing system information


FortiGate administrators whose admin profiles permit write access to system configuration can change the system time, host name and the operation mode for the VDOM.

Configuring system time


1 Go to System > Status.
2 In the System Information section, select Change on the System Time line.
3 Select the time zone and then either set the date and time manually or configure synchronization with an NTP server.
Figure 38: Time Settings

System Time: The current FortiGate system date and time.
Refresh: Update the display of the current FortiGate system date and time.
Time Zone: Select the current FortiGate system time zone.
Automatically adjust clock for daylight saving changes: Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.
Set Time: Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.
Synchronize with NTP Server: Select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval.
Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.
Sync Interval: Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.

Changing the FortiGate unit host name


The FortiGate host name appears on the Status page and in the FortiGate CLI prompt. The host name is also used as the SNMP system name. For information about SNMP, see SNMP on page 185. The default host name is the FortiGate unit serial number. For example FGT8002805030003 would be a FortiGate-800 unit. Administrators whose admin profiles permit system configuration write access can change the FortiGate unit host name.


Note: If the FortiGate unit is part of an HA cluster, you should use a unique host name to distinguish the unit from others in the cluster.

To change the FortiGate unit host name
If the host name is longer than 16 characters, it is displayed truncated and ending with a ~. The full host name is displayed under System > Status, but the truncated host name is displayed in the CLI and other places it is used.
1 Go to System > Status.
2 In the Host Name field of the System Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field and in the CLI prompt, and is added to the SNMP System Name.

Changing the FortiGate firmware


FortiGate administrators whose admin profiles permit maintenance read and write access can change the FortiGate firmware. Firmware images can be transferred from a number of sources including a local hard disk, a local USB disk, or the FortiGuard Network.
Note: To access firmware updates for your FortiGate model, you will need to register your FortiGate unit with Customer Support. For more information go to http://support.fortinet.com or contact Customer Support.

For more information about using the USB disk, and the FortiGuard Network see System Maintenance on page 253.
Figure 39: Firmware Upgrade/Downgrade

Upgrade From: Select the firmware source from the drop down list of available sources. Possible sources include Local Hard Disk, USB, and FortiGuard Network.
Upgrade File: Browse to the location of the firmware image on your local hard disk. This field is available for local hard disk and USB only.
Upgrade Partition: The number of the partition being updated. This field is available only if your FortiGate unit has more than one firmware partition.
more info: Select to go to the FortiGuard Center to learn more about firmware updates through the FortiGuard network.


Firmware changes either upgrade to a newer version or revert to an earlier version. Follow the appropriate procedure to change your firmware. For more information about managing firmware, see Managing firmware versions on page 91.

Upgrading to a new firmware version


When an update for your FortiGate unit is available, you can update your unit with the new firmware version. To determine what version firmware you have, refer to Firmware version on System > Status > System Information. The version is in the format of X.Y.Z where X is the major version number, Y is the minor version number, and Z is the patch number. For example firmware version 4.0.1 is major version 4, with patch 1. Use the following procedure to upgrade the FortiGate unit to a newer firmware version.
Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure To update antivirus and attack definitions on page 272 to make sure that antivirus and attack definitions are up to date.

To upgrade the firmware using the web-based manager
1 Copy the new firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Technical Support web site. Log in to the site and go to Firmware Images > FortiGate.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, closes all sessions, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware upgrade is successfully installed.
9 Update antivirus and attack definitions. For information about updating antivirus and attack definitions, see Configuring FortiGuard Services on page 264.

Reverting to a previous firmware version


Use the following procedure to revert your FortiGate unit to a previous firmware version. This also reverts the FortiGate unit to its factory default configuration and deletes IPS custom signatures, web content lists, email filtering lists, and changes to replacement messages. Back up your FortiGate unit configuration to preserve this information. For information, see About the Maintenance menu on page 253. If you are reverting to a previous FortiOS version (for example, reverting from FortiOS v3.0 to FortiOS v2.8), you might not be able to restore the previous configuration from the backup configuration file.


Note: Installing firmware replaces the current antivirus and attack definitions with the definitions included with the firmware release that you are installing. After you install new firmware, use the procedure To update antivirus and attack definitions on page 272 to make sure that antivirus and attack definitions are up to date.

To revert to a previous firmware version using the web-based manager
1 Copy the firmware image file to your management computer. The firmware images for FortiGate units are available at the Fortinet Technical Support web site. Log in to the site and go to Firmware Images > FortiGate.
2 Log into the web-based manager as the super admin, or an administrator account that has system configuration read and write privileges.
3 Go to System > Status.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the file.
6 Select OK. The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware is successfully installed.
9 Restore your configuration. For information about restoring your configuration, see About the Maintenance menu on page 253.
10 Update antivirus and attack definitions. For information about antivirus and attack definitions, see To update antivirus and attack definitions on page 272.
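The upgrade and revert procedures above hinge on a few facts the guide states: the X.Y.Z version format, that a revert resets the configuration and may not restore a backup taken on a later FortiOS release, and that any firmware install replaces the antivirus and attack definitions. As an added example (not Fortinet's code), this Python helper parses version strings, classifies a change as an upgrade or revert, and produces the resulting checklist; the sample version numbers are constructed.

```python
"""Classify a FortiGate firmware change as an upgrade or a revert and list
the follow-up steps the guide calls for. Added example, not Fortinet code;
the version strings used as samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Firmware versions are X.Y.Z: major, minor, patch (for example 4.0.1).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for an X.Y.Z version string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not an X.Y.Z firmware version: {text!r}")
    major, minor, patch = (int(g) for g in match.groups())
    return major, minor, patch


@dataclass
class FirmwarePlan:
    direction: str                 # "upgrade", "revert" or "same"
    resets_config: bool            # a revert restores factory defaults
    cross_release_restore: bool    # backup may not restore across X.Y releases
    steps: List[str] = field(default_factory=list)


def plan_firmware_change(current: str, target: str) -> FirmwarePlan:
    """Build the checklist for moving a unit from `current` to `target`."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt == cur:
        return FirmwarePlan("same", False, False, ["Already running this version."])

    revert = tgt < cur  # tuple comparison: major, then minor, then patch
    plan = FirmwarePlan(
        direction="revert" if revert else "upgrade",
        resets_config=revert,
        # The guide warns that a backup from one FortiOS release (X.Y) may not
        # restore on an earlier one, so flag any revert that crosses X.Y.
        cross_release_restore=revert and cur[:2] != tgt[:2],
    )
    plan.steps.append("Back up the configuration before installing firmware.")
    if revert:
        plan.steps.append("Expect factory defaults after the revert: custom IPS "
                          "signatures, web content lists, email filter lists and "
                          "replacement message changes are deleted.")
    if plan.cross_release_restore:
        plan.steps.append(f"A backup taken on {current} may not restore on "
                          f"{target}; record critical settings separately.")
    plan.steps.append("Install the image, then confirm Firmware Version on "
                      "System > Status after the unit restarts.")
    if revert:
        plan.steps.append("Restore the configuration from the backup.")
    plan.steps.append("Update antivirus and attack definitions: installing "
                      "firmware replaces them with the ones bundled in the image.")
    return plan


if __name__ == "__main__":
    # Constructed sample transitions: a patch upgrade and a cross-release revert.
    for cur, tgt in (("4.0.1", "4.0.2"), ("4.0.1", "3.0.7")):
        plan = plan_firmware_change(cur, tgt)
        print(f"{cur} -> {tgt}: {plan.direction}")
        for step in plan.steps:
            print("  -", step)
```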

Viewing operational history


The System Resource History page displays six graphs representing different system resources and protection activity over time. The graphs refresh at 3 second intervals.
To view the operational history
1 Go to System > Status.
2 Select History in the upper right corner of the System Resources section.


Figure 40: Sample system resources history

Time Interval: Select the time interval for the graphs to display.
CPU Usage History: CPU usage for the preceding interval.
Memory Usage History: Memory usage for the preceding interval.
Session History: Number of sessions over the preceding interval.
Network Utilization History: Network utilization for the preceding interval.
Virus History: Number of viruses detected over the preceding interval.
Intrusion History: Number of intrusion attempts detected over the preceding interval.

Manually updating FortiGuard definitions


You can update your FortiGuard antivirus database, Intrusion Protection definitions, and antispam rule set at any time from the License Information section of the System Status page.
Note: For information about configuring automatic FortiGuard updates, see Configuring FortiGuard Services on page 264.

To update FortiGuard antivirus definitions, IPS definitions, or antispam rule set manually
1 Download the latest update file from the Fortinet support site and copy it to the computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 In the License Information section, in the AV Definitions, IPS Definitions, or AS Rule Set field of the FortiGuard Subscriptions, select Update.
4 Select Browse and locate the update file or type the path and filename.
5 Select OK to copy the update file to the FortiGate unit. The FortiGate unit updates the AV definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the version information for the selected definition or rule set has updated.


Viewing Statistics
The System Status Statistics provide information about sessions, content archiving and network protection activity.

Viewing the session list


From the Statistics section of the System Status page, you can view statistics about HTTP, HTTPS, email, FTP and IM traffic through the FortiGate unit. You can select the Details link beside each traffic type to view more information.
To view the session list
1 Go to System > Status.
2 In the Statistics section, select Details on the Sessions line.
Figure 41: Session list

Virtual Domain: Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains. This is only available if virtual domains are enabled. For more information see Using virtual domains on page 103.
Refresh Icon: Update the session list.
First Page: Select to go to the first displayed page of current sessions.
Previous Page: Select to go to the page of sessions immediately before the current page.
Page: Enter the page number of the session to start the displayed session list. For example, if there are 5 pages of sessions and you enter 3, page 3 of the sessions will be displayed. The number following the / is the number of pages of sessions.
Next Page: Select to go to the next page of sessions.
Last Page: Select to go to the last displayed page of current sessions.
Total: The total number of sessions.
Clear All Filters: Select to reset any display filters that may have been set.
Filter Icon: The icon at the top of all columns except # and Expiry. When selected it brings up the Edit Filter dialog allowing you to set the display filters by column. See Adding filters to web-based manager lists on page 53.
Protocol: The service protocol of the connection, for example, udp, tcp, or icmp.
Source Address: The source IP address of the connection.
Source Port: The source port of the connection.
Destination Address: The destination IP address of the connection.
Destination Port: The destination port of the connection.
Policy ID: The number of the firewall policy allowing this session, or blank if the session involves only one FortiGate interface (an admin session, for example).
Expiry (sec): The time, in seconds, before the connection expires.
Delete icon: Stop an active communication session. Your admin profile must include read and write access to System Configuration.

Viewing Content Archive information on the Statistics widget


From the Statistics widget of the System Status page, you can view statistics about HTTP, HTTPS, email, FTP and IM traffic through the FortiGate unit. You can select the Details link beside each traffic type to view more information. You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.

Viewing HTTP content information
1 Go to System > Status.
2 In the Content Archive section, select Details for HTTP.

Date and Time: The time when the URL was accessed.
From: The IP address from which the URL was accessed.
URL: The URL that was accessed.

Viewing Email content information
1 Go to System > Status.
2 In the Content Archive section, select Details for Email.

Date and Time: The time that the email passed through the FortiGate unit.
From: The sender's email address.
To: The recipient's email address.
Subject: The subject line of the email.


Viewing archived FTP content information
1 Go to System > Status.
2 In the Content Archive section, select Details for FTP.

Date and Time: The time of access.
Destination: The IP address of the FTP server that was accessed.
User: The User ID that logged into the FTP server.
Downloads: The names of files that were downloaded.
Uploads: The names of files that were uploaded.

Viewing IM content information
1 Go to System > Status.
2 In the Content Archive section, select Details for IM.

Date / Time: The time of access.
Protocol: The protocol used in this IM session.
Kind: The kind of IM traffic this transaction is.
Local: The local address for this transaction.
Remote: The remote address for this transaction.
Direction: Whether the file was sent or received.

Viewing the Attack Log


From the Statistics section of the System Status page, you can view statistics about the network attacks that the FortiGate unit has stopped. You can view statistics about viruses caught, attacks detected, spam email detected, and URLs blocked. You can also view information about sessions matched by DLP rules. You can select the Details link beside each attack type to view more information. You can select Reset on the header of the Statistics section to clear the content archive and attack log information and reset the counts to zero.

Viewing viruses caught
1 Go to System > Status.
2 In the Attack Log section, select Details for AV.


Date and Time: The time when the virus was detected.
From: The sender's email address or IP address.
To: The intended recipient's email address or IP address.
Service: The service type, such as POP or HTTP.
Virus: The name of the virus that was detected.

Viewing attacks blocked
1 Go to System > Status.
2 In the Attack Log section, select Details for IPS.

Date and Time: The time that the attack was detected.
From: The source of the attack.
To: The target host of the attack.
Service: The service type.
Attack: The type of attack that was detected and prevented.

Viewing spam email detected
1 Go to System > Status.
2 In the Attack Log section, select Details for Spam.

Date and Time: The time that the spam was detected.
From->To IP: The sender and intended recipient IP addresses.
From->To Email Accounts: The sender and intended recipient email addresses.
Service: The service type, such as SMTP, POP or IMAP.
SPAM Type: The type of spam that was detected.

Viewing URLs blocked
1 Go to System > Status.
2 In the Attack Log section, select Details for Web.

Date and Time: The time that the attempt to access the URL was detected.
From: The host that attempted to view the URL.
URL Blocked: The URL that was blocked.

Viewing the sessions matched by DLP
1 Go to System > Status.
2 In the Attack Log section, select Details for DLP.

Date and Time: The time that the attempt to access the URL was detected.
Service: The service type, such as HTTP, SMTP, POP or IMAP.
Source: The source address of the session.
From: The host that attempted to view the URL.
URL Blocked: The URL that was blocked.
From: The sender's email address or IP address.
To: The intended recipient's email address or IP address.


Topology
The Topology page provides a way to diagram and document the networks connected to your FortiGate unit. The Topology viewer is not available if Virtual Domains (VDOMs) are enabled. Go to System > Status > Topology to view the system topology. The Topology page consists of a large canvas upon which you can draw a network topology diagram of your FortiGate installation.
Figure 42: Topology page (callouts: Zoom/Edit controls, Text object, Subnet object, FortiGate unit object, Viewport, Viewport control)

Viewport and viewport control


The viewport displays only a portion of the drawing area. The viewport control, at the bottom right of the topology page, represents the entire drawing area. The darker rectangle represents the viewport. Drag the viewport rectangle within the viewport control to determine which part of the drawing area the viewport displays. The + and - buttons in the viewport control have the same function as the Zoom in and Zoom out controls.

FortiGate unit object


The FortiGate unit is a permanent part of the topology diagram. You can move it, but not delete it. The FortiGate unit object shows the link status of the unit's interfaces. Green indicates the interface is up. Gray indicates the interface is down. Select the interface to view its IP address and netmask, if assigned.

Zoom and Edit controls


The toolbar at the top left of the Topology page shows controls for viewing and editing the topology diagram.
Table 5: Zoom and Edit controls for Topology
- Refresh the displayed diagram.
- Zoom in. Select to display a smaller portion of the drawing area in the viewport, making objects appear larger.
- Zoom out. Select to display a larger portion of the drawing area in the viewport, making objects appear smaller.
- Edit. Select to begin editing the diagram. This button expands the toolbar to show the editing controls described below.
- Save changes made to the diagram. Note: If you switch to any other page in the web-based manager without saving your changes, your changes are lost.
- Add a subnet object to the diagram. The subnet object is based on the firewall address that you select, and is connected by a line to the interface associated with that address. See Adding a subnet object on page 89.
- Insert Text. Select this control and then click on the diagram where you want to place the text object. Type the text and then click outside the text box.
- Delete. Select the object(s) to delete and then select this control or press the Delete key.
- Customize. Select to change the colors and the thickness of lines used in the drawing. See Customizing the topology diagram on page 90.
- Drag. Select this control and then drag objects in the diagram to arrange them.
- Scroll. Select this control and then drag the drawing area background to move the viewport within the drawing area. This has the same effect as moving the viewport rectangle within the viewport control.
- Select. Select this control and then drag to create a selection rectangle. Objects within the rectangle are selected when you release the mouse button.
- Exit. Select to finish editing the diagram. Save changes first. The toolbar contracts to show only the Refresh and Zoom controls.


Adding a subnet object


While editing the topology diagram, you can select the Add Subnet control to define a subnet object. The object is drawn and connected by a line to the interface associated with the address.
Figure 43: Adding an existing subnet to the topology diagram

Figure 44: Adding a new subnet to the topology diagram

Select from existing address/group: Create a subnet object based on an existing firewall address. The object has the name of the firewall address and is connected by a line to the interface associated with that address. For more information about firewall addresses, see Firewall Address on page 345.
Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.
Connect to interface: Select the interface or zone to associate with this address. If the field already displays a name, changing the setting changes the interface or zone associated with this existing address. If the address is currently used in a firewall policy, you can choose only the interface selected in the policy.
New addresses: Create a new firewall address and add a subnet object based on that address to the topology diagram. The address is associated with the interface you choose.
Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.
Type: Select the type of address: Subnet/IP Range or FQDN.
Subnet / IP Range: If Type is Subnet / IP Range, enter the firewall IP address, followed by a forward slash and then the subnet mask. Alternatively, enter the IP range start address, followed by a hyphen (-) and the IP range end address.
FQDN: If Type is FQDN, enter the fully qualified domain name.
Connect to interface: Select the interface or zone to associate with this address.


Customizing the topology diagram


In System > Status > Topology, select the Customize button to open the Topology Customization window. Modify the settings as needed and select OK when you are finished.
Figure 45: Topology Customization window

Preview: A simulated topology diagram showing the effect of the selected appearance options.
Canvas Size: The size of the drawing in pixels.
Resize to Image: If you selected an image as Background, resize the diagram to fit within the image.
Background: One of:
- Solid: A solid color selected in Background Color.
- U.S. Map: A map of the United States.
- World Map: A map of the world.
- Upload My Image: Upload the image from Image Path.
Background Color: Select the color of the diagram background.
Image path: If you selected Upload My Image for Background, enter the path to your image, or use the Browse button to find it.
Exterior Color: Select the color of the border region outside your diagram.
Line Color: Select the color of connecting lines between subnet objects and interfaces.
Line Width: Select the thickness of connecting lines.
Reset to Default: Reset all topology diagram settings to default.


Managing firmware versions


Fortinet recommends reviewing this section before upgrading because it contains important information about how to properly back up your current configuration settings and what to do if the upgrade is unsuccessful. You should also review the FortiGate Upgrade Guide when a new firmware version is released, or the What's New chapter of this guide when a new firmware maintenance release is released. Both contain valuable information about the changes and new features that may cause issues with the current configuration. In addition to firmware images, Fortinet releases patch releases, maintenance release builds that resolve important issues. Fortinet strongly recommends reviewing the release notes for the patch release before upgrading the firmware. Follow the steps below:
- Download and review the release notes for the patch release.
- Download the patch release.
- Back up the current configuration.
- Install the patch release using the procedure Testing firmware before upgrading on page 94.
- Test the patch release until you are satisfied that it applies to your configuration.

Installing a patch release without reviewing the release notes or testing the firmware may result in changes to settings or unexpected issues.

With FortiOS 4.0, you can also configure your FortiGate unit to use NAT while in Transparent mode. For more information, see the Fortinet Knowledge Center article, Configuring NAT in Transparent mode.

If you enable virtual domains (VDOMs) on the FortiGate unit, the firmware version is a global setting: one image runs for the whole unit, not one per VDOM. For more information, see Using virtual domains on page 103.

This section describes:
Backing up your configuration
Testing firmware before upgrading
Upgrading your FortiGate unit
Reverting to a previous firmware image
Restoring your configuration
Note: For more information about the settings that are available on the Backup and Restore page (such as remotely backing up to a FortiManager unit), see System Maintenance on page 253.


Backing up your configuration


Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

You can back up configuration settings to a local PC, a FortiManager unit, a USB key, or, if the FortiGuard Analysis and Management Service is enabled, a FortiGuard Analysis and Management server. Fortinet recommends backing up all configuration settings from your FortiGate unit before upgrading to FortiOS 4.0. This ensures that all configuration settings are still available if you need to downgrade to FortiOS 3.0 MR7 and restore them.

Backing up your configuration through the web-based manager


You can back up your configuration to a variety of locations, such as a FortiManager unit or a FortiGuard Analysis and Management server. The following procedure describes how to back up your current configuration in the web-based manager.

To back up your configuration file through the web-based manager
1 Go to System > Maintenance > Backup & Restore.
2 Select whether to back up the configuration to a Local PC, FortiManager, or FortiGuard (if your FortiGate unit is configured for FortiGuard Analysis and Management Service).
VPN certificates are included in the backup only when the file is encrypted. To encrypt the configuration file, select the Encrypt configuration file check box, enter a password, and then enter it again to confirm. The same password is required to restore the file, so keep it somewhere it can be recovered: an encrypted backup cannot be restored without it.
3 Select Backup.
4 Save the file.

Backing up your configuration through the CLI


You can back up your configuration file to a TFTP or FTP server, or to a USB key. If you have the FortiGuard Analysis and Management Service configured, you can also back up your configuration to the FortiGuard Analysis and Management server.

When backing up your configuration in the CLI, you can choose to back up the entire configuration (execute backup full-config) or part of the configuration (execute backup config). If you have virtual domains, there are limitations to what certain administrators are allowed to back up. For more information, see the FortiGate CLI Reference.

The following procedure describes how to back up your current configuration in the CLI. For more information about the individual commands used in the procedure, see the FortiGate CLI Reference.

To back up your configuration file through the CLI
1 Enter the following to back up the configuration file to a USB key:
execute backup config usb <backup_filename> <encrypt_passwd>


2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config tftp <backup_filename> <tftp_server_ipaddress> <encrypt_passwd>
execute backup config ftp <backup_filename> <ftp_server>[:<ftp_port>] <ftp_username> <ftp_passwd> <encrypt_passwd>
Both TFTP and FTP transfer the file (and, for FTP, the login credentials) in clear text, so supply <encrypt_passwd> so that the configuration is encrypted before it leaves the unit, and run the server on a management network you trust.
3 Enter the following to back up the configuration to a FortiGuard Analysis and Management server:
execute backup config management-station <comment>

To back up the entire configuration file through the CLI
Enter one of the following to back up the entire configuration file:
execute backup full-config tftp <backup_filename> <tftp_server_ipaddress> <encrypt_passwd>
execute backup full-config ftp <backup_filename> <ftp_server>[:<ftp_port>] <ftp_username> <ftp_passwd> <encrypt_passwd>
execute backup full-config usb <backup_filename> <encrypt_passwd>

Backing up your configuration to a USB key


If your FortiGate unit has a USB port, you can back up your current configuration to a USB key. When backing up a configuration file to a USB key, verify that the USB key is formatted as a FAT16 disk; FAT16 is the only supported partition type. For more information, see Formatting USB Disks on page 261. Before proceeding, ensure that the USB key is inserted in the FortiGate unit's USB port.

To back up your configuration to the USB key
1 Go to System > Maintenance > Backup & Restore.
2 Select USB Disk from the Backup configuration to list. VPN certificates are included only if the file is encrypted: select the Encrypt configuration file check box, enter a password, and then enter it again to confirm.
3 Select Backup.

After successfully backing up your configuration file, either from the CLI or the web-based manager, proceed with upgrading to FortiOS 4.0.


Testing firmware before upgrading


You may want to test the firmware that you need to install before upgrading to a new firmware version, or to a maintenance or patch release. By testing the firmware, you can familiarize yourself with the new features and changes to existing features, as well as understand how your configuration works with the firmware.

A firmware image is tested by loading it from the boot menu during a restart and running it from system memory only. While it is in memory, the FortiGate unit operates using the new firmware with the current configuration. The following procedure does not permanently install the firmware: the next time the FortiGate unit restarts, it operates using the firmware originally installed on the FortiGate unit. You can install the firmware permanently by using the procedures in Upgrading your FortiGate unit on page 95.

You can use the following procedure for either a regular firmware image or a patch release. The procedure assumes that you have already downloaded the firmware image to your management computer.

To test the firmware image before upgrading
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following to restart the FortiGate unit:
execute reboot
6 As the FortiGate unit reboots, a series of system startup messages appears. When the following message appears, immediately press any key to interrupt the system startup:
Press any key to display configuration menu
You have only three seconds to press a key. If you do not press a key soon enough, the FortiGate unit finishes booting and you must log in and repeat steps 5 and 6.
If you successfully interrupt the startup process, the following menu appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
7 Type G to get the new firmware image from the TFTP server. The following prompt appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter. The following prompt appears:
Enter Local Address [192.168.1.188]:


9 Type the internal IP address of the FortiGate unit. This IP address connects the FortiGate unit to the TFTP server. It must be on the same network as the TFTP server, and it must not be the IP address of another device on that network. The following prompt appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the FortiGate unit and the following prompt appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
11 Type R. The FortiGate unit loads the firmware image into system memory and starts running it with the current configuration, without writing it to the boot device. When you have completed testing the firmware, reboot the FortiGate unit to resume using the original firmware.

Upgrading your FortiGate unit


If your upgrade is successful and your FortiGate unit has a hard drive, you can use the Boot alternate firmware option in System > Maintenance > Backup and Restore. This option lets you keep two firmware images, such as FortiOS 3.0 MR7 and FortiOS 4.0, available for downgrading or upgrading. If the upgrade was not successful, go to Reverting to a previous firmware image on page 98.

You can also use the following procedure when installing a patch release. A patch release is a firmware image that resolves specific issues but does not contain new features or changes to existing features. You can install a patch release whether or not you upgraded to the current firmware version.

Upgrading to FortiOS 4.0 through the web-based manager


Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

The following procedure describes how to upgrade to FortiOS 4.0 in the web-based manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade procedure reverts all current firewall configurations to factory default settings.

To upgrade to FortiOS 4.0 through the web-based manager
1 Download the firmware image file to your management computer.
2 Log in to the web-based manager.
3 Go to System > Status and locate the System Information widget.
4 Beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and locate the file.


6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts, and displays the FortiGate login. This process may take a few minutes. When the upgrade is successfully installed:
ping your FortiGate unit to verify that there is still a connection.
clear the browser's cache and log in to the web-based manager.

After logging back in to the web-based manager, you should save the configuration settings that carried forward. Some settings may have carried forward from FortiOS 3.0 MR7, while others may not have, such as certain IPS group settings. Go to System > Maintenance > Backup and Restore to save the configuration settings that carried forward.
Note: After upgrading to FortiOS 4.0, perform an Update Now to retrieve the latest AV/NIDS signatures from the FortiGuard Distribution Network (FDN) as these signatures included in the firmware may be older than those currently available on the FDN. See the FortiGate Administration Guide for more information about updating AV/NIDS signatures.

Upgrading to FortiOS 4.0 through the CLI


Caution: Always back up your configuration before installing a patch release, upgrading/downgrading firmware, or resetting configuration to factory defaults.

The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade procedure reverts all current firewall configurations to factory default settings. See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for CLI procedure, for additional information about upgrading firmware in the CLI. The following procedure assumes that you have already downloaded the firmware image to your management computer.

To upgrade to FortiOS 4.0 through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)

6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm that the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager instead, log in to the web-based manager and go to System > Maintenance > FortiGuard.
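Two steps in the procedures above (Testing firmware before upgrading and Upgrading to FortiOS 4.0 through the CLI) are left to the operator: placing the image in the TFTP root, and reading get system status after the reboot. The following is an added example, not code from the FortiGate guide or from Fortinet, that does both with a check at each point. It verifies the downloaded image against a SHA-256 digest obtained from the download source before copying it into the TFTP root (TFTP provides no integrity or authentication of its own, and both the boot menu and execute restore image load whatever the server sends), and it confirms that the version and build reported by get system status are the ones that were staged. The file names, the digest source and the status text are assumptions or constructed samples.

```python
"""Added example, not from the FortiGate guide or Fortinet: digest-check a
firmware image before staging it in the TFTP root, and confirm the running
version/build from 'get system status' after the reboot. File names, the
digest source and SAMPLE_STATUS are assumptions / constructed samples."""
import hashlib
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 (images are tens of MB, so no read())."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_firmware(image: Path, expected_sha256: str, tftp_root: Path,
                   name: str = "image.out") -> Path:
    """Copy the image into the TFTP root under the name typed at the
    'Enter File Name' prompt, but only if its digest matches; then re-hash
    the staged copy so a truncated or altered copy is caught as well."""
    actual = sha256_of(image)
    if actual.lower() != expected_sha256.lower():
        raise ValueError(f"digest mismatch for {image.name}: {actual} != {expected_sha256}")
    tftp_root.mkdir(parents=True, exist_ok=True)
    dest = tftp_root / name
    shutil.copyfile(image, dest)
    if sha256_of(dest) != actual:
        dest.unlink()
        raise ValueError("staged copy does not match the verified image")
    return dest


# First line of 'get system status', e.g. "Version: Fortigate-60B v4.0,build0178,090820 (MR1)"
VERSION_LINE = re.compile(
    r"^Version:\s*(?P<model>\S+)\s+v(?P<version>[\d.]+),build(?P<build>\d+)", re.M)


def parse_system_status(output: str) -> Optional[Dict[str, str]]:
    """Extract model, version and build number; None if the line is absent."""
    match = VERSION_LINE.search(output)
    return match.groupdict() if match else None


def upgrade_succeeded(output: str, version: str, build: str) -> bool:
    """True only when the unit reports exactly the version and build that were
    staged; anything else means the old or a wrong image is running."""
    info = parse_system_status(output)
    return info is not None and (info["version"], info["build"]) == (version, build)


# Constructed sample of 'get system status' output after a FortiOS 4.0 upgrade.
SAMPLE_STATUS = """\
Version: Fortigate-60B v4.0,build0178,090820 (MR1)
Virus-DB: 10.00745(2009-05-04 20:12)
Serial-Number: FGT60B0000000000
Operation Mode: NAT
Current virtual domain: root
Virtual domain configuration: disable
"""


def run_demo() -> Dict[str, bool]:
    """Exercise both checks on a throwaway image file; returns which passed."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "FGT_60B-v400-build0178.out"            # assumed name
        image.write_bytes(b"\x7fFORTINET-IMAGE-PLACEHOLDER" * 64)   # constructed
        staged = stage_firmware(image, sha256_of(image), Path(tmp) / "tftproot")
        try:
            stage_firmware(image, "0" * 64, Path(tmp) / "tftproot2")
            rejected = False
        except ValueError:
            rejected = True
        staged_ok = staged.is_file() and staged.name == "image.out"
    return {
        "staged_ok": staged_ok,
        "bad_digest_rejected": rejected,
        "version_ok": upgrade_succeeded(SAMPLE_STATUS, "4.0", "0178"),
        "wrong_build_detected": not upgrade_succeeded(SAMPLE_STATUS, "4.0", "0200"),
    }


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'pass' if passed else 'FAIL'}")
```

In practice you would call stage_firmware with the real image path, the digest from the download source and your TFTP root, then paste the output of get system status into upgrade_succeeded before signing off the change.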

Verifying the upgrade


After logging back in to the web-based manager, most of your FortiOS 3.0 MR7 configuration settings have been carried forward. For example, if you go to System > Network > Options you can see the DNS settings carried forward from your FortiOS 3.0 MR7 configuration. You should verify which configuration settings carried forward, and in particular that the administrative access settings (trusted hosts, access protocols and administrator accounts) carried forward as well, since those control who can reach the unit after the upgrade. Verifying your configuration settings also lets you familiarize yourself with the new features and changes in FortiOS 4.0. You can verify your configuration settings by:
going through each menu and tab in the web-based manager
using the show command in the CLI.
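Checking menu by menu does not scale, and it is easy to miss a setting that quietly reverted. The following is an added example, not code from the FortiGate guide or from Fortinet, that serves two passages of this section: the encryption caveat in Backing up your configuration (it lists which settings in an unencrypted backup hold credentials or key material, which is why the Encrypt configuration file option exists), and the verification step above (it diffs the pre-upgrade backup against a backup taken after the upgrade and lists every setting that is missing or changed). It assumes the plain-text FortiOS backup format of nested config/edit/set/next/end blocks beginning with a #config-version= header; the two backups are constructed samples and the set of "secret" attribute names is an assumption you should extend.

```python
"""Added example, not from the FortiGate guide or Fortinet. A small parser for
the text form of an unencrypted FortiOS backup, used to (a) list the settings
in a plaintext backup that hold credentials or key material and (b) list the
pre-upgrade settings that are missing or changed in the post-upgrade backup.
The two backups below are constructed samples, not real device output."""
from typing import Dict, List, Optional, Tuple

ConfigTree = Dict[str, Dict[str, str]]

# Attribute-name fragments treated as secrets (an assumption; extend as needed).
SECRET_MARKERS = ("password", "passwd", "psksecret", "private-key", "secret")


def is_plaintext_backup(text: str) -> bool:
    """Assumption used here: a readable backup starts with a '#config-version='
    header line; anything else is treated as encrypted and is not parsed."""
    return text.lstrip().startswith("#config-version=")


def parse_fortios_config(text: str) -> ConfigTree:
    """Flatten config/edit/set/next/end blocks into {section path: {attr: value}}.
    A 'config' nested in an 'edit' extends the path, e.g. 'system interface/port1/ipv6'."""
    tree: ConfigTree = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "config":
            stack.append(rest)
        elif keyword == "edit":
            stack.append(rest.strip('"'))
        elif keyword in ("next", "end"):
            if stack:
                stack.pop()
        elif keyword in ("set", "unset"):
            attr, _, value = rest.partition(" ")
            entry = tree.setdefault("/".join(stack), {})
            entry[attr] = value.strip() if keyword == "set" else "<unset>"
    return tree


def find_secrets(tree: ConfigTree) -> List[Tuple[str, str]]:
    """(section path, attribute) pairs that leak if the backup is kept in clear."""
    return [(path, attr) for path, attrs in sorted(tree.items())
            for attr in sorted(attrs) if any(m in attr for m in SECRET_MARKERS)]


def diff_configs(before: ConfigTree, after: ConfigTree
                 ) -> Dict[str, Dict[str, Tuple[str, Optional[str]]]]:
    """Pre-upgrade settings that are missing (new value None) or changed."""
    lost: Dict[str, Dict[str, Tuple[str, Optional[str]]]] = {}
    for path, attrs in before.items():
        for attr, old in attrs.items():
            new = after.get(path, {}).get(attr)
            if new != old:
                lost.setdefault(path, {})[attr] = (old, new)
    return lost


# Constructed excerpt of a backup taken before the upgrade.
PRE_UPGRADE = """\
#config-version=FGT60B-3.00-FW-build000-000000:opmode=0:vdom=0:user=admin
config system global
    set hostname "branch-fw"
    set admintimeout 5
end
config system admin
    edit "admin"
        set trusthost1 10.0.10.0 255.255.255.0
        set trusthost2 10.0.20.0 255.255.255.0
        set password ENC AK1placeholderplaceholderplaceholder
    next
end
config vpn ipsec phase1
    edit "to-hq"
        set psksecret ENC placeholderplaceholderplaceholder
    next
end
"""
# Constructed post-upgrade backup: trusthost2 is gone and admintimeout reverted.
POST_UPGRADE = (PRE_UPGRADE.replace("3.00", "4.00")
                .replace("    set admintimeout 5\n", "    set admintimeout 480\n")
                .replace("        set trusthost2 10.0.20.0 255.255.255.0\n", ""))


def review_upgrade(pre_text: str, post_text: str):
    """Return (secret locations in the pre-upgrade file, lost/changed settings)."""
    if not (is_plaintext_backup(pre_text) and is_plaintext_backup(post_text)):
        raise ValueError("expected two plaintext backups")
    pre, post = parse_fortios_config(pre_text), parse_fortios_config(post_text)
    return find_secrets(pre), diff_configs(pre, post)


if __name__ == "__main__":
    secrets, lost = review_upgrade(PRE_UPGRADE, POST_UPGRADE)
    for path, attr in secrets:
        print(f"secret in plaintext backup: {path} -> set {attr}")
    for path, attrs in lost.items():
        for attr, (old, new) in attrs.items():
            print(f"not carried forward: {path} -> set {attr} {old!r} (now {new!r})")
```

Run it against an unencrypted backup taken before the upgrade and a second one taken right after logging back in; every entry it reports under "not carried forward" is a setting to re-check by hand before the unit goes back into service. The same parser applies to the downgrade case in Reverting to a previous firmware image, where far more settings are expected to be missing.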


Reverting to a previous firmware image


You may need to revert to a previous firmware image (or version, for example, FortiOS 3.0) if the upgrade was not successfully installed. The following procedures describe how to properly downgrade to a previous firmware image using either the web-based manager or CLI, and include steps on how to restore your previous configuration. The following are included in this topic:
Downgrading to a previous firmware through the web-based manager
Downgrading to a previous firmware through the CLI
Restoring your configuration

Downgrading to a previous firmware through the web-based manager


Caution: Always back up your configuration before installing a patch release, upgrading/downgrading, or when resetting to factory defaults.

When downgrading to a previous firmware, only the following settings are retained:
operation mode
interface IP/management IP
static route table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system accprofiles

If you created additional settings in FortiOS 4.0, make sure to back up the current configuration before downgrading. For more information, see Backing up your configuration on page 92.

To downgrade through the web-based manager
1 Go to System > Status and locate the System Information widget.
2 Beside Firmware Version, select Update.
3 Enter the path and filename of the firmware image file, or select Browse and locate the file.
4 Select OK. The following message appears:
This version will downgrade the current firmware version. Are you sure you want to continue?
5 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets the configuration, restarts, and displays the FortiGate login. This process takes a few minutes.
6 Log in to the web-based manager. Go to System > Status to verify that the firmware version under System Information has changed to the correct firmware.


Verifying the downgrade


After successfully downgrading to a previous firmware, verify your connections and settings. If you are unable to connect to the web-based manager, make sure your administration access settings and internal network IP address are correct. The downgrade may change your configuration settings to default settings.

Downgrading to a previous firmware through the CLI


Caution: Always back up your configuration before installing a patch release, upgrading/downgrading, or when resetting to factory defaults.

When downgrading to a previous firmware, only the following settings are retained:
operation mode
interface IP/management IP
static route table
DNS settings
VDOM parameters/settings
admin user account
session helpers
system accprofiles

If you have created additional settings in FortiOS 4.0, make sure you back up your configuration before downgrading. For more information, see Backing up your configuration on page 92. The following procedure assumes that you have already downloaded the firmware image to your management computer.

To downgrade through the CLI
1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)


6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to factory defaults, and restarts. This process takes a few minutes. Because the unit reverts to default settings, including its default IP address, you need to reconfigure the IP address before you can reconnect. See your install guide for configuring IP addresses.
8 Reconnect to the CLI.
9 Enter the following command to confirm that the firmware image installed successfully:
get system status
See Restoring your configuration on page 101 to restore your previous configuration settings.


Restoring your configuration


Your configuration settings may not carry forward after downgrading to a previous firmware. You can restore your configuration settings for a previous firmware with the configuration file you saved before upgrading to FortiOS 4.0. You can also use the following procedures for restoring your configuration after installing a current patch release or maintenance release.

Restoring your configuration settings in the web-based manager


The following procedure restores your previous firmware configuration settings in the web-based manager.

To restore configuration settings in the web-based manager
1 Log in to the web-based manager.
2 Go to System > Maintenance > Backup & Restore.
3 Select whether to restore the configuration from a Local PC, FortiManager or FortiGuard (if your FortiGate unit is configured for FortiGuard Analysis and Management Service).
4 If the backup was encrypted, enter the password you chose when you created it; an encrypted backup cannot be restored without it.
5 Enter the location of the file or select Browse to locate the file.
6 Select Restore.
The FortiGate unit restores the configuration settings. This may take a few minutes, since the FortiGate unit reboots. You can verify that the configuration settings are restored by logging in to the web-based manager and going through the various menus and tabs.

Restoring your configuration settings in the CLI


The following procedure restores your previous firmware configuration settings in the CLI.

To restore configuration settings in the CLI
1 Copy the backed-up configuration file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and TFTP server are successfully connected.


5 Enter the following command to copy the backed-up configuration file from the TFTP server and restore it on the FortiGate unit:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed-up configuration file, <tftp_ipv4> is the IP address of the TFTP server, and <passwrd> is the password you entered when you backed up your configuration settings. For example, if the backed-up configuration file is confall, the IP address of the TFTP server is 192.168.1.168 and the password is ghrffdt123, enter:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the system will reboot!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the backed-up configuration file. After the file uploads, a message similar to the following is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
All done. Rebooting...
This may take a few minutes. Use the CLI show command to verify that your settings are restored, or log in to the web-based manager.


Using virtual domains


This section describes virtual domains (VDOMs) along with some of their benefits, and how to use VDOMs to operate your FortiGate unit as multiple virtual units. If you enable VDOMs on the FortiGate unit, you configure virtual domains globally for the FortiGate unit. To get started working with virtual domains, see Enabling VDOMs on page 108.

This section describes:
Virtual domains
Enabling VDOMs
Configuring global and VDOM resource limits
Configuring VDOMs and global settings

Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units that function as multiple independent units. A single FortiGate unit is then flexible enough to serve multiple departments of an organization, separate organizations, or to act as the basis for a service provider's managed security service.

Benefits of VDOMs
Some benefits of VDOMs are:
Easier administration
Continued security maintenance
Savings in physical space and power

Easier administration
VDOMs provide separate security domains that allow separate zones, user authentication, firewall policies, routing, and VPN configurations. Using VDOMs can also simplify administration of complex configurations because you do not have to manage as many routes or firewall policies at one time. For more information, see VDOM configuration settings on page 104.

By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. You can also assign an administrator account restricted to a VDOM. If the VDOM is created to serve an organization, this feature enables the organization to manage its own configuration.

Management systems such as SNMP, logging, alert email, FDN-based updates and NTP-based time setting use addresses and routing in the management VDOM to communicate with the network. They can connect only to network resources that communicate with the management virtual domain. The management VDOM is set to root by default, but you can change it. For more information, see Changing the management VDOM on page 116.

Continued security maintenance


When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create firewall policies for connections between VLAN subinterfaces or zones in the VDOM. Packets do not cross the virtual domain border internally. To travel between VDOMs, a packet must pass through a firewall on a physical interface. The packet then arrives at another VDOM on a different interface, but it must pass through another firewall before entering that VDOM. Both VDOMs are on the same FortiGate unit. Inter-VDOM links change this behavior in that they are internal interfaces; however, their packets go through all the same security measures as on physical interfaces.

Without VDOMs, administrators can easily access settings across the FortiGate unit. This can lead to security issues or far-reaching configuration errors. With VDOMs, administrator permissions are specific to one VDOM. An administrator of one VDOM cannot change settings in another VDOM, so any configuration changes, and potential errors, apply only to that VDOM and limit potential downtime.

The remainder of the FortiGate unit's functionality is global: it applies to all VDOMs on the unit. This means there is one intrusion prevention configuration, one antivirus configuration, one web filter configuration, one protection profile configuration, and so on. VDOMs also share firmware versions, as well as antivirus and attack databases. The operating mode, NAT/Route or Transparent, can be selected independently for each VDOM. For a complete list of shared configuration settings, see Global configuration settings on page 107.

Savings in physical space and power


Increasing the number of VDOMs involves no extra hardware, no shipping, and very few changes to existing networking. VDOMs take no extra physical space: you are limited only by the size of the VDOM license you buy. By default, most FortiGate units support a maximum of 10 VDOMs in any combination of NAT/Route and Transparent modes. For high-end FortiGate models, you can purchase a license key to increase the maximum number of VDOMs to 25, 50, 100 or 250. For more information, see VDOM licenses on page 109.
Note: When you configure a FortiAnalyzer unit, VDOMs count toward the maximum number of FortiGate units allowed by the FortiAnalyzer unit's license. The total number of devices registered can be seen on the FortiAnalyzer unit's System Status page under License Information.

If virtual domain configuration is enabled and you log in as the default super_admin, you can go to System > Status and look at Virtual Domain in the License Information section to see the maximum number of virtual domains supported on your FortiGate unit. For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.

VDOM configuration settings


To configure and use VDOMs, you must enable virtual domain configuration. For more information, see Enabling VDOMs on page 108. You can configure a VDOM by adding VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings. You can also move physical interfaces from the root VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For more information on VLANs, see VLAN overview on page 150.

104

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

Using virtual domains

Virtual domains

The following configuration settings are exclusively part of a virtual domain and are not shared between virtual domains. A regular VDOM administrator sees only these settings. The default super_admin can also access these settings, but must first select which VDOM to configure.
Table 6: VDOM configuration settings

Configuration Object                                           For more information, see
System > Network > Zone                                        Configuring zones on page 138
System > Network > Web Proxy                                   Web Proxy on page 147
System > Network > Routing Table (Transparent mode)            Routing table (Transparent Mode) on page 149
System > Network > Modem                                       Configuring the modem interface on page 139
System > Wireless > Settings                                   Wireless settings on page 162
System > Wireless > MAC Filter                                 Wireless MAC Filter on page 165
System > Wireless > Monitor                                    Wireless Monitor on page 167
System > Wireless > Rogue AP                                   Rogue AP detection on page 168
System > DHCP > Service                                        Configuring DHCP services on page 172
System > DHCP > Address Leases                                 Viewing address leases on page 175
System > Config > Operation mode (NAT/Route or Transparent)    Changing operation mode on page 206
System > Config > Management IP (Transparent mode)             Changing operation mode on page 206
Router > Static                                                Router Static on page 277
Router > Dynamic                                               Router Dynamic on page 289
Router > Monitor                                               Router Monitor on page 315
Firewall > Policy                                              Firewall Policy on page 319
Firewall > Address                                             Firewall Address on page 345
Firewall > Service                                             Firewall Service on page 351
Firewall > Schedule                                            Firewall Schedule on page 361
Firewall > Virtual IP                                          Firewall Virtual IP on page 365
Firewall > Virtual IP > Virtual IP Group                       Virtual IP Groups on page 380
Firewall > Virtual IP > IP pool                                IP pools on page 381
Firewall > Load Balance                                        Firewall Load Balance on page 389
Firewall > Protection Profile                                  Firewall Protection Profile on page 397
UTM > AntiVirus
UTM > File Filter                                              File Filter on page 443
UTM > Intrusion Protection                                     Intrusion Protection on page 455
UTM > Web Filter                                               Web Filter on page 475
UTM > AntiSpam                                                 Antispam on page 495
UTM > Data Leak Prevention                                     Data Leak Prevention on page 511
UTM > Application Control                                      Application Control on page 523
VPN > IPSec                                                    IPSec VPN on page 531
VPN > PPTP                                                     PPTP VPN on page 547
VPN > SSL                                                      SSL VPN on page 551
User > Local                                                   Local user accounts on page 568
User > Remote                                                  Remote on page 571
User > Directory Service                                       Directory Service on page 579
User > PKI                                                     PKI on page 581
User > User Group                                              User Group on page 583
User > Options                                                 Settings on page 228
User > Monitor                                                 Monitoring administrators on page 229
Log&Report > Logging configuration                             FortiGate logging on page 647 (Memory only)
Log&Report > Alert E-mail                                      Configuring Alert Email on page 672 (Send alert email for the following)
Log&Report > Event Log                                         Event log on page 659
Log&Report > Log access                                        Accessing Logs on page 662 (Memory only)
Log&Report > Content Archive                                   Content Archive on page 667
Log&Report > Report Access                                     Reports on page 673


Global configuration settings


The following configuration settings affect all virtual domains. When virtual domains are enabled, only accounts with the default super_admin profile can access global settings.
Table 7: Global configuration settings

Configuration Object | For more information, see
System > Status > System Time | Configuring system time on page 78
System > Status > Host name | Changing the FortiGate unit host name on page 78
System > Status > Firmware version | Upgrading to a new firmware version on page 80 (System Status page) or Managing firmware versions on page 91
Network > Interfaces and VLAN subinterfaces | Interfaces on page 119 and VLAN overview on page 150 (You configure interfaces as part of the global configuration but each interface and VLAN subinterface belongs to a VDOM. You add interfaces to VDOMs as part of the global configuration.)
Network > Options > DNS | DNS Servers on page 146
Network > Options > Dead gateway detection | Dead gateway detection on page 146
Admin > Settings > Idle and authentication time-out | Settings on page 228 and Getting started - User authentication on page 567
Admin > Settings > Web-based manager language | Settings on page 228
Admin > Settings > LCD panel PIN, where applicable | Settings on page 228
Wireless > Settings | Wireless settings on page 162


Table 7: Global configuration settings (Continued)

Configuration Object | For more information, see
Wireless > MAC Filter | Wireless MAC Filter on page 165
Wireless > Monitor | Wireless Monitor on page 167
Wireless > Rogue AP | Rogue AP detection on page 168
Config > HA | HA on page 177
Config > SNMP | SNMP on page 185
Config > Replacement messages | Replacement messages on page 194
Admin > Administrators | Administrators on page 209 (You can add global administrators. You can also add administrators to VDOMs. VDOM administrators cannot add or configure administrator accounts.)
Admin > Admin profiles | Admin profiles on page 222
Admin > Central Management configuration | Central Management on page 226
Certificates | System Certificates on page 243
Configuration backup and restore | Backing up and restoring on page 254
Scripts | Using script files on page 262
FDN update configuration | FortiGuard Distribution Network on page 264
UTM > AntiVirus | AntiVirus on page 439
Log&Report > Log Configuration | FortiGate logging on page 647 (Remote and Syslog)
Log&Report > Alert E-mail | Configuring Alert Email on page 672 (Alert email account settings.)
Log&Report > Report Config | Reports on page 673
Log&Report > Report Access | Reports on page 673

Enabling VDOMs
Using the default admin administration account, you can enable multiple VDOM operation on the FortiGate unit.

To enable virtual domains
1 Log in to the web-based manager on a super_admin profile account.
2 Go to System > Status.
3 In System Information, next to Virtual Domain select Enable.
The FortiGate unit logs you off. You can now log in again as admin.

Alternatively, through the CLI, enter: config system global, set vdom-admin

When virtual domains are enabled, the web-based manager and the CLI are changed as follows:


Global and per-VDOM configurations are separated. A new VDOM entry appears under the System option. Within a VDOM, reduced dashboard menu options are available, and a new Global option appears. Selecting Global exits the current VDOM. There is no operation mode selection at the Global level. Only super_admin profile accounts can view or configure global options. Super_admin profile accounts can configure all VDOM configurations. One or more administrators can be set up for each VDOM; however, these admin accounts cannot edit settings for any VDOMs for which they are not set up.

When virtual domains are enabled, the current virtual domain is displayed at the bottom left of the screen, in the format Current VDOM: <name of the virtual domain>.

Configuring VDOMs and global settings


A VDOM is not useful unless it contains at least two physical interfaces or virtual subinterfaces for incoming and outgoing traffic. Availability of the associated tasks depends on the permissions of the admin. If you are using a super_admin profile account, you can perform all tasks. If you are using a regular admin account, the tasks available to you depend on whether you have read only or read/write permissions. Table 6 shows which roles can perform which tasks.
Table 8: Admin VDOM permissions

Tasks | Regular administrator account, read only permission | Regular administrator account, read/write permission | Super_admin profile administrator account
View global settings | yes | yes | yes
Configure global settings | no | no | yes
Create or delete VDOMs | no | no | yes
Configure multiple VDOMs | no | no | yes
Assign interfaces to a VDOM | no | no | yes
Create VLANs | no | yes - for 1 VDOM | yes - for all VDOMs
Assign an administrator to a VDOM | no | no | yes
Create additional admin accounts | no | yes - for 1 VDOM | yes - for all VDOMs
Create and edit protection profiles | no | yes - for 1 VDOM | yes - for all VDOMs

VDOM licenses
All FortiGate units, except the 30B, support 10 VDOMs by default. High-end FortiGate models support the purchase of a VDOM license key from customer service to increase their maximum allowed VDOMs to 25, 50, 100, 250, or 500. Configuring 250 or more VDOMs will result in reduced system performance.


Table 9: VDOM support by FortiGate model

FortiGate model | Support VDOMs | Default VDOM maximum | Maximum VDOM license
30B | no | 0 | 0
Low and mid-range models | yes | 10 | 10
High-end models | yes | 10 | 500

Note: Your FortiGate unit has limited resources that are divided amongst all configured VDOMs. These resources include system memory and CPU. When running 250 or more VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web filtering, or antivirus; your FortiGate unit can only provide basic firewall functionality.

Tip: If you do not have a System > Maintenance > License tab, your FortiGate model does not support more than 10 VDOMs.

To obtain a VDOM license key
1 Log in to your FortiGate unit using the admin account. Other accounts such as other super_admin profile accounts may also have sufficient privileges to install VDOM licenses.
2 Go to System > Status.
3 Record your FortiGate unit serial number as shown in System Information on page 65.
4 Under License Information > Virtual Domains, select Purchase More.
5 You will be taken to the Fortinet customer support web site where you can log in and purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
6 When you receive your license key, go to System > Maintenance > License.
7 In the License Key field, enter the 32-character license key you received from Fortinet customer support.
8 Select Apply.
To verify the new VDOM license, go to System > Status under Global Configuration. In the License Information area Virtual Domains, VDOMs Allowed shows the maximum number of VDOMs allowed.
Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.

Creating a new VDOM


By default, every FortiGate unit has a root VDOM that is visible when VDOMs are enabled. To use additional VDOMs, you must first create them. When using multiple VDOMs, it can be useful to assign fewer resources to some VDOMs and more resources to others. This VDOM resource management will result in better FortiGate unit performance. For more information, see VDOM resource limits on page 117.


VDOM names have the following restrictions:
• Only letters, numbers, -, and _ are allowed.
• A name can have no more than 11 characters.
• A name cannot contain spaces.
• VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other VDOMs.
Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If you attempt to name a new VDOM vsys_ha or vsys_fgfm, the FortiGate unit will generate an error.

Note: When creating 250 or more VDOMs, you cannot enable UTM features such as proxies, web filtering, and antivirus due to limited resources. Also when creating large numbers of VDOMs, you may experience reduced performance. To improve performance with multiple VDOMs, see VDOM resource limits on page 117.

Figure 46: New Virtual Domain

To create a new VDOM
1 Log in as a super_admin profile admin.
2 Ensure VDOMs are enabled. For more information, see Enabling VDOMs on page 108.
3 Go to System > VDOM.
4 Select Create New.
5 Enter a name for the new VDOM, up to a maximum of 11 characters. This name cannot be changed.
6 Optionally enter a comment for the VDOM, up to a maximum of 63 characters.
7 Select OK.

Working with VDOMs and global settings


When you log in as admin and virtual domains are enabled, the FortiGate unit is automatically in global configuration, as demonstrated by the appearance of the VDOM option under System. To work with virtual domains, select System > VDOM.


Figure 47: VDOM list (callouts: Disabled VDOM, Management VDOM)

Create New | Select to add a new VDOM. Enter the new VDOM name and select OK. The VDOM must not have the same name as an existing VDOM, VLAN or zone. The VDOM name can have a maximum of 11 characters and must not contain spaces.
Management Virtual Domain | Change the management VDOM to the selected VDOM in the list. The management VDOM is then grayed out in the Enable column. The default management VDOM is root. For more information, see Changing the management VDOM on page 116.
Apply | Select to save your changes to the Management VDOM.
Enable | There are three states this column can be in. A green check mark indicates this VDOM is enabled, and that you can select the Enter icon to change to that VDOM. An empty check box indicates this VDOM is disabled. When disabled, the configuration of that VDOM is preserved. The Enter icon is not available. A grayed-out check box indicates this VDOM is the management VDOM. It cannot be deleted or changed to disabled; it is always active.
Name | The name of the VDOM.
Operation Mode | The VDOM operation mode, either NAT or Transparent. When a VDOM is in Transparent mode, SNMP can display the management address, address type and subnet mask for that VDOM. For more information, see SNMP on page 185.
Interfaces | The interfaces associated with this VDOM, including virtual interfaces. Every VDOM includes an SSL VPN virtual interface named for that VDOM. For the root VDOM this interface is ssl.root.
Comments | Comments added by an admin when this VDOM was created.
Delete icon | Delete the VDOM. The Delete icon appears only when there are no configuration objects associated with that VDOM. For example, you must remove all referring interfaces, profiles, and so on before you can delete the VDOM. If the icon does not appear and you do not want to delete all the referring configuration, you can disable the VDOM instead. The disabled VDOM configuration remains in memory, but the VDOM is not usable until it is enabled.
Edit icon | Change the description of the VDOM. The name of the VDOM cannot be changed.
Enter icon | Enter the selected VDOM. After entering a VDOM you will only be able to view and change settings specific to that VDOM.


Adding interfaces to a VDOM


A VDOM must contain at least two interfaces to be useful. These can be physical or virtual interfaces such as VLAN subinterfaces. By default, all physical interfaces are in the root virtual domain. VLAN subinterfaces often need to be in a different VDOM than their physical interface. To do this, the super administrator must first create the VDOM, create the VLAN subinterface, and then assign the VLAN to the correct VDOM. VDOMs can only be added in global settings, and not within VDOMs. For information on creating VLAN subinterfaces, see Adding VLAN subinterfaces on page 153.

Inter-VDOM links
An inter-VDOM link is a pair of interfaces that enable you to communicate between two VDOMs internally without using a physical interface. Inter-VDOM links have the same security as physical interfaces, but allow more flexible configurations that are not limited by the number of physical interfaces on your FortiGate unit. As with all virtual interfaces, the speed of the link depends on the CPU load, but generally it is faster than physical interfaces. There are no MTU settings for inter-VDOM links. DHCP support includes inter-VDOM links.

A packet can pass through an inter-VDOM link a maximum of three times. This is to prevent a loop. When traffic is encrypted or decrypted, it changes the content of the packets and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels does not reset the counter.

In HA mode, inter-VDOM links must have both ends of the link within the same virtual cluster. DHCP over IPSec is supported for inter-VDOM links, however regular DHCP services are not available.

To view inter-VDOM links, go to System > Network > Interface. When an inter-VDOM link is created, it automatically creates a pair of virtual interfaces that correspond to the two internal VDOMs. Each of the virtual interfaces is named using the inter-VDOM link name with an added 0 or 1. So if the inter-VDOM link is called vlink the interfaces are vlink0 and vlink1. Select the Expand Arrow beside the VDOM link to display the virtual interfaces.

Note: Inter-VDOM links cannot refer to a domain that is in transparent mode.

Figure 48: VDOM link interfaces

To create an inter-VDOM link
1 Log in as admin.
2 Go to System > Network > Interface.

3 Select the arrow on the Create New button.
4 Select VDOM link. You will see the New VDOM Link screen.
Figure 49: New VDOM link

5 Enter the name for the new VDOM link, up to a maximum of 11 characters. The name must not contain any spaces or special characters. Hyphens (-) and underlines (_) are allowed. Remember that the name will have a 0 or 1 attached to the end for the actual interfaces.
6 Configure VDOM link 0.
7 Select the VDOM from the menu that this interface will connect to.
8 Enter the IP address and netmask for this interface.
9 Select the administrative access method or methods. Keep in mind that PING, TELNET, and HTTP are less secure methods.
10 Optionally enter a description for this interface.
11 Repeat steps 7 through 10 for VDOM link 1.
12 Select OK to save your configuration and return to the System > Interface screen.
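The naming rules from Creating a new VDOM (11 characters, only letters, digits, - and _, no collision with interfaces, zones, switch interfaces or other VDOMs, and the reserved vsys_ha and vsys_fgfm names) together with the link-name rules in the procedure above can be checked before a change is made. The following is an added example, not Fortinet code; the UnitInventory structure and the sample names are assumptions made here.

```python
"""Pre-flight checks for VDOM names and inter-VDOM link names.

Added example, not Fortinet code: it encodes the naming rules the guide
states (11-character limit, only letters, digits, '-' and '_', no spaces,
no collision with interfaces, zones, switch interfaces or other VDOMs,
the reserved vsys_ha/vsys_fgfm names, and the name0/name1 interface pair
an inter-VDOM link creates, which cannot refer to a Transparent-mode VDOM).
The UnitInventory layout is an assumption, not a FortiGate export format.
"""
import re
from dataclasses import dataclass, field

MAX_NAME_LEN = 11
RESERVED_VDOM_NAMES = {"vsys_ha", "vsys_fgfm"}  # already in use by the FortiGate unit
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


@dataclass
class UnitInventory:
    """Names already present on the unit (constructed sample data, not a real export)."""
    vdoms: dict                                  # VDOM name -> "nat" or "transparent"
    interfaces: set = field(default_factory=set)
    zones: set = field(default_factory=set)
    switch_interfaces: set = field(default_factory=set)

    def taken_names(self) -> set:
        return set(self.vdoms) | self.interfaces | self.zones | self.switch_interfaces


def _check_basic_name(name: str, what: str) -> list:
    """Character and length rules shared by VDOM names and inter-VDOM link names."""
    errors = []
    if " " in name:
        errors.append(f"{what} cannot contain spaces")
    elif not NAME_RE.fullmatch(name):
        errors.append(f"{what}: only letters, numbers, '-' and '_' are allowed")
    if len(name) > MAX_NAME_LEN:
        errors.append(f"{what} exceeds {MAX_NAME_LEN} characters")
    return errors


def check_vdom_name(name: str, inv: UnitInventory) -> list:
    """Return the rule violations for a proposed VDOM name; [] means it is acceptable."""
    errors = _check_basic_name(name, "VDOM name")
    if name in RESERVED_VDOM_NAMES:
        errors.append(f"{name} is reserved by the FortiGate unit")
    if name in inv.taken_names():
        errors.append("name collides with an interface, zone, switch interface or VDOM")
    return errors


def plan_vdom_link(link_name: str, vdom0: str, vdom1: str, inv: UnitInventory):
    """Validate an inter-VDOM link and return ((name0, name1), violations).

    The two virtual interfaces the unit would create are link_name + '0' and
    link_name + '1'; they must not clash with existing interface names, and
    neither end may be a VDOM in Transparent mode.
    """
    errors = _check_basic_name(link_name, "link name")
    pair = (link_name + "0", link_name + "1")
    for ifname in pair:
        if ifname in inv.interfaces:
            errors.append(f"interface {ifname} already exists")
    for vdom in (vdom0, vdom1):
        if vdom not in inv.vdoms:
            errors.append(f"VDOM {vdom} does not exist")
        elif inv.vdoms[vdom] == "transparent":
            errors.append(f"VDOM {vdom} is in Transparent mode; inter-VDOM links cannot refer to it")
    return pair, errors


# Constructed inventory: a unit with three VDOMs and an existing link "vlink".
SAMPLE_INVENTORY = UnitInventory(
    vdoms={"root": "nat", "branch_a": "nat", "tp_vdom": "transparent"},
    interfaces={"port1", "port2", "internal", "vlink0", "vlink1"},
    zones={"dmz_zone"},
)

if __name__ == "__main__":
    for candidate in ("branch_b", "vsys_ha", "port1", "bad name", "way_too_long_name"):
        print(candidate, "->", check_vdom_name(candidate, SAMPLE_INVENTORY) or "ok")
    print(plan_vdom_link("ab_link", "root", "branch_a", SAMPLE_INVENTORY))
    print(plan_vdom_link("vlink", "root", "tp_vdom", SAMPLE_INVENTORY))
```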

Assigning an interface to a VDOM


The following procedure describes how to reassign an existing interface from one virtual domain to another. It assumes VDOMs are enabled and more than one VDOM exists.

You cannot delete a VDOM if it is used in any configurations. For example, if an interface is assigned to that VDOM, you cannot delete the VDOM. You cannot remove an interface from a VDOM if the interface is included in any of the following configurations:
• DHCP server
• zone
• routing
• firewall policy
• IP pool
• proxy arp (only accessible through the CLI).


Before removing these configurations, it is recommended that you back up your configuration, so you can restore it if you want to create this VDOM at a later date. Delete the items in this list or modify them to remove the interface before proceeding.
Note: You can reassign or remove an interface or subinterface once the Delete icon is displayed. Absence of the icon means that the interface is being used in a configuration somewhere.

Tip: You can disable a VDOM instead of deleting it. Your configuration will be preserved, saving time you would otherwise need to remove and reconfigure it.

To assign an interface to a VDOM
1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Edit for the interface that you want to reassign.
4 Select the new virtual domain for the interface.
5 Configure other settings as required and select OK. For more information, see Interface settings on page 123.
The interface is assigned to the VDOM. Existing firewall IP pools and virtual IP addresses for this interface are deleted. You should manually delete any routes that include this interface, and create new routes for this interface in the new VDOM. Otherwise your network traffic will not be properly routed. For more information on creating static routes, see Router Static on page 277.

Assigning an administrator to a VDOM


If you are creating a VDOM to serve an organization that will be administering its own resources, you need to create an administrator account for that VDOM. A VDOM admin can change configuration settings within that VDOM but cannot make changes that affect other VDOMs on the FortiGate unit. A regular administrator assigned to a VDOM can log in to the web-based manager or the CLI only on interfaces that belong to that VDOM. The super administrator can connect to the web-based manager or CLI through any interface on the FortiGate unit that permits management access. Only the super administrator or a regular administrator of the root domain can log in by connecting to the console interface.
Note: If an admin account is assigned to a VDOM, that VDOM cannot be deleted until that account is assigned to another VDOM or removed.

To assign an administrator to a VDOM
1 Log in as the super_admin.
2 Ensure that virtual domains are enabled. For more information, see Enabling VDOMs on page 108.
3 Go to System > Admin > Administrators.
4 Create a new administrator account or select the Edit icon of an existing administrator account.
5 Go to the Virtual Domain list.


6 Select the VDOM that this administrator manages. Administrators are assigned to a specific VDOM when the account is created unless they are super_admin administrators. For more information, see Configuring an administrator account on page 212.
7 Configure other settings as required. For detailed information, see Configuring an administrator account on page 212.
8 Select OK.

Changing the management VDOM


The management VDOM on your FortiGate unit is where some default types of traffic originate, including:
• SNMP
• logging
• alert email
• FDN-based updates
• NTP-based time setting.

Before you change the management VDOM, ensure that virtual domains are enabled on the system dashboard screen. For more information, see Enabling VDOMs on page 108. Only one VDOM can be the management VDOM at any given time. Global events are logged with the VDOM set to the management VDOM.
Note: You cannot change the management VDOM if any administrators are using RADIUS authentication.

To change the management VDOM
1 Go to System > VDOM.
2 From the list of VDOMs, select the VDOM to be the new management VDOM. This list is located to the immediate left of the Apply button.
3 Select Apply to make the change. At the prompt, confirm the change.
Management traffic will now originate from the new management VDOM.

Configuring global and VDOM resource limits


FortiGate units have upper limits for resources such as firewall policies, protection profiles and VPN tunnels. These limits vary by model. In general, the more VDOMs the FortiGate unit supports, the greater the impact on resource limits. In previous releases of FortiOS, maximum values for resources belonging to virtual domains (VDOMs) applied equally to each VDOM. Maximums for system-wide (global) resources applied globally and the resources were equally accessible to each VDOM. If you are a super administrator, you can control resource allocation to each VDOM. This limits the impact of each VDOM on other VDOMs due to resource competition. Also, you can set global resource limits to control the impact of various features on system performance.


Note: The resource limits vary for different FortiGate models. The resource limits are increased when two or more FortiGates are in HA mode due to the increased resources that are available to the HA cluster.

VDOM resource limits


You can configure VDOM resource limits when you create a new VDOM or edit an existing VDOM. These resource limits are restricted by the FortiGate global limits in that the total of each resource across all VDOMs cannot exceed the global limit. You can optionally set a guaranteed minimum level of resources that will be available to the VDOM. This will ensure that other VDOMs do not use all of an available resource.

To configure VDOM resource limits
1 Go to System > VDOM.
2 Select Create New, enter a name and then select OK, or select the Edit icon of an existing VDOM.
3 Modify the values described in the table below as required.
4 Select OK.
Figure 50: Configuring VDOM resource limits

Resource | Description of the resource.
Maximum | Enter the maximum amount of the resource allowed for this VDOM. This amount might not be available due to usage of this resource type by other VDOMs.
Guaranteed | Enter the minimum amount of the resource available to this VDOM regardless of usage by other VDOMs.
Current | The amount of the resource that this VDOM currently uses.


If you enter a value that is not valid, the web-based manager displays the range of valid values.

Global resource limits


To ensure system performance, you can set global resource limits that are less than the maximums set by your unit's hardware. Your configured maximum value for any resource must be greater than the amount of the resource already in use and greater than the sum of all VDOM guaranteed resource values. To view or set global resource limits, go to System > VDOM > Global Resources. Select the Edit icon to change any settings.
Figure 51: Configuring global resource limits

Resource | Description of the resource.
Configured Maximum | The maximum amount of the resource allowed. This amount matches the default maximum until you change it.
Default Maximum | The default maximum value for this resource. This value depends on the unit hardware limitations.
Current Usage | The amount of the resource currently in use.
Edit icon | Change the configured maximum for this resource. The Edit Global Resource Limits dialog box lists the valid range of values for the configured maximum. For some resources, you can set the maximum to zero to set no limit.
Reset icon | Reset the configured maximum to the default maximum value.
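The constraints stated in VDOM resource limits and Global resource limits above (guaranteed not above maximum, no VDOM maximum above the global maximum, and a global maximum greater than both the guaranteed total and current use) can be verified before a change is applied. The following is an added example, not Fortinet code; the VdomLimit and GlobalLimit classes, the sample figures and the headroom estimate are assumptions made here.

```python
"""Consistency checks for VDOM and global resource limits.

Added example, not Fortinet code. For one resource type (firewall policies
in the sample data) it applies the rules the guide states: a VDOM's
Guaranteed value cannot exceed its own Maximum, no VDOM Maximum may exceed
the global configured maximum, and the global configured maximum must be
greater than both the sum of all VDOM Guaranteed values and the amount
already in use (0 means no limit where the resource allows it). The data
classes and the headroom estimate are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VdomLimit:
    name: str
    maximum: int      # "Maximum" column of the VDOM dialog
    guaranteed: int   # "Guaranteed" column
    current: int      # "Current" column: amount this VDOM uses now


@dataclass
class GlobalLimit:
    resource: str
    default_max: int             # hardware-dependent default maximum
    configured_max: int          # value set under System > VDOM > Global Resources
    zero_means_unlimited: bool = False

    def effective_max(self) -> Optional[int]:
        """None means the resource is unlimited (configured maximum of 0)."""
        if self.configured_max == 0 and self.zero_means_unlimited:
            return None
        return self.configured_max


def check_allocation(glob: GlobalLimit, vdoms: List[VdomLimit]) -> List[str]:
    """Return all violations found; an empty list means the allocation is consistent."""
    problems = []
    limit = glob.effective_max()
    # The Edit dialog only accepts values up to the hardware default (assumption).
    if limit is not None and limit > glob.default_max:
        problems.append(f"{glob.resource}: configured maximum {limit} exceeds the default maximum {glob.default_max}")
    for v in vdoms:
        if v.guaranteed > v.maximum:
            problems.append(f"{v.name}: guaranteed {v.guaranteed} exceeds its own maximum {v.maximum}")
        if limit is not None and v.maximum > limit:
            problems.append(f"{v.name}: maximum {v.maximum} exceeds global maximum {limit}")
    if limit is not None:
        total_guaranteed = sum(v.guaranteed for v in vdoms)
        total_in_use = sum(v.current for v in vdoms)
        if total_guaranteed >= limit:
            problems.append(f"{glob.resource}: global maximum {limit} must be greater than the guaranteed total {total_guaranteed}")
        if total_in_use >= limit:
            problems.append(f"{glob.resource}: global maximum {limit} must be greater than current use {total_in_use}")
    return problems


def headroom(glob: GlobalLimit, vdoms: List[VdomLimit], name: str) -> int:
    """Estimate how much more of the resource VDOM `name` can obtain right now.

    Assumption made here: the other VDOMs' Guaranteed minimums (or their current
    use, whichever is higher) are reserved out of the global pool, which is why
    a VDOM's Maximum "might not be available" in practice.
    """
    me = next(v for v in vdoms if v.name == name)
    own_room = me.maximum - me.current
    limit = glob.effective_max()
    if limit is None:
        return max(0, own_room)
    reserved = sum(max(o.guaranteed, o.current) for o in vdoms if o.name != name)
    pool_room = limit - reserved - me.current
    return max(0, min(own_room, pool_room))


# Constructed sample: firewall policy limits on a unit with three VDOMs.
POLICY_LIMIT = GlobalLimit("firewall policies", default_max=5000, configured_max=2000)
VDOMS = [
    VdomLimit("root", maximum=1500, guaranteed=500, current=300),
    VdomLimit("branch_a", maximum=1000, guaranteed=400, current=700),
    VdomLimit("branch_b", maximum=800, guaranteed=300, current=100),
]

if __name__ == "__main__":
    print(check_allocation(POLICY_LIMIT, VDOMS) or "allocation is consistent")
    for v in VDOMS:
        print(f"{v.name}: can still add {headroom(POLICY_LIMIT, VDOMS, v.name)} policies")
```

In the sample, root's Maximum of 1500 is not reachable: only 700 more policies fit once the other VDOMs' guarantees are reserved.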


System Network
This section describes how to configure your FortiGate unit to operate in your network. Basic network settings include configuring FortiGate interfaces and DNS settings. More advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate network configuration.

If you enable virtual domains (VDOMs) on the FortiGate unit, you configure most system network settings globally for the entire FortiGate unit. For example, all interface settings, including adding interfaces to VDOMs, are part of the global configuration. However, zones, the modem interface, and the Transparent mode routing table are configured separately for each virtual domain. For details, see Using virtual domains on page 103.

This section describes:
• Interfaces
• Configuring zones
• Configuring the modem interface
• Configuring Networking Options
• Web Proxy
• Routing table (Transparent Mode)
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate interface or to a virtual FortiGate VLAN subinterface.

Note: If you can enter both an IP address and a netmask in the same field, you can use the short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered as 192.168.1.100/24.

Interfaces
In NAT/Route mode, go to System > Network > Interface to configure FortiGate interfaces. You can:
• modify the configuration of a physical interface
• add and configure VLAN subinterfaces
• aggregate several physical interfaces into an IEEE 802.3ad interface (models 300A, 400A, 500A, and 800 or higher)
• combine physical interfaces into a redundant interface
• add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs) (see Adding a wireless interface on page 163)
• add and configure VDOM links (see Inter-VDOM links on page 113)
• view loopback interfaces


• configure the modem (see Configuring the modem interface on page 139)
• change which information about the interfaces is displayed

For information about VLANs, see FortiGate units and VLANs on page 151.
Figure 52: Interface list - regular admin view

Figure 53: Interface list - admin view with virtual domains enabled

Create New | Select Create New to create a VLAN subinterface. On models 800 and higher, you can also create an IEEE 802.3ad aggregated interface. When VDOMs are enabled, selecting the Create New arrow enables you to create new Inter-VDOM links. For more information see Inter-VDOM links on page 113.
Switch Mode | Select to change between switch mode and interface mode. Switch mode combines the internal interfaces into one switch with one address. Interface mode gives each internal interface its own address. Before switching modes, all configuration settings that point to internal interfaces must be removed. This option is visible on models 100A and 200A for Rev2.0 and higher. Switch mode is also visible on the FortiGate-60B and FortiWiFi-60B. For more information see Switch Mode on page 122.
show backplane interfaces | Select to make the two backplane interfaces visible as port9 and port10. Once visible these interfaces can be treated as regular physical interfaces. This option is available only on 5000 models.
Column Settings | Select to change which columns of information about the network interfaces are displayed. For more information, see Column Settings on page 122.
Description icon | The tooltip for this icon displays the Description field for this interface. For more information see Interface settings on page 123.


Name | The names of the physical interfaces on your FortiGate unit. This includes any alias names that have been configured. The name, including number, of a physical interface depends on the model. Some names indicate the default function of the interface such as Internal, External and DMZ. Other names are generic such as port1. FortiGate models numbered 50 and 60 provide a modem interface. Also models with a USB port support a connected modem. See Configuring the modem interface on page 139. The oob/ha interface is the FortiGate-4000 out of band management interface. You can connect to this interface to manage the FortiGate unit. This interface is also available as an HA heartbeat interface. On FortiGate models 300A, 310B, 400A, 500A, 620B, and 800 or higher, if you combine several interfaces into an aggregate interface, only the aggregate interface is listed, not the component interfaces. The same is true for redundant interfaces. See Creating an 802.3ad aggregate interface on page 127 or Creating a redundant interface on page 128. If you have added VLAN subinterfaces, they also appear in the name list, below the physical or aggregated interface to which they have been added. See VLAN overview on page 150. If you have loopback virtual interfaces configured you will be able to view them. You can only edit these interfaces in the CLI. For more information on these interfaces see Configuring interfaces with CLI commands on page 134 or the config system interface command in the FortiGate CLI Reference. If you have software switch interfaces configured, you will be able to view them. You can only edit these interfaces in the CLI. For more information on these interfaces see Configuring interfaces with CLI commands on page 134 or the config system switch-interface command in the FortiGate CLI Reference. If virtual domain configuration is enabled, you can view information only for the interfaces that are in your current virtual domain, unless you are using the super admin account. If VDOMs are enabled, you will be able to create, edit, and view inter-VDOM links. For more information see Inter-VDOM links on page 113. If you have interface mode enabled on a FortiGate model 100A or 200A Rev2.0 or higher or on the FortiGate-60B and FortiWiFi-60B models, you will see multiple internal interfaces. If switch mode is enabled, there will only be one internal interface. For more information see Switch Mode on page 122. If your FortiGate unit supports AMC modules and you have installed an AMC module containing interfaces (for example, the FortiGate-ASM-FB4 contains 4 interfaces), these interfaces are added to the interface status display. The interfaces are named AMC-SW1/1, AMC-DW1/2, and so on. SW1 or DW1 indicates a single-width or double-width card, respectively, in slot 1. The last number, /1, indicates the interface number on that card; for the ASM-FB4 card there would be /1 through /4.
IP/Netmask | The current IP address/netmask of the interface. In VDOM mode, when VDOMs are not all in NAT or Transparent mode some values may not be available for display and will be displayed as - instead. When IPv6 Support on GUI is enabled, IPv6 addresses may be displayed in this column.
Access | The administrative access configuration for the interface. See Administrative access to an interface on page 135.
Administrative Status | The administrative status for the interface. If the administrative status is a green arrow, the interface is up and can accept network traffic. If the administrative status is a red arrow, the interface is administratively down and cannot accept traffic. To change the administrative status, select Bring Down or Bring Up.
Link Status | The status of the physical connection. The status of a non-physical interface will always be down.
MAC | The MAC address of the interface.
Mode | Shows the addressing mode of this interface such as manual, DHCP, or PPPoE.
MTU | The maximum number of bytes per transmission unit. Anything over 1500 bytes is a jumbo frame. See Interface MTU packet size on page 135.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

121

Interfaces

System Network

Secondary IP: Any secondary IPs for this interface.

Type: The type of the interface. Valid types include:
    Physical - a physical network interface, including modem
    VLAN - a virtual network interface
    Aggregate - a group of interfaces
    Redundant - a group of interfaces
    VDOM Link - a pair of virtual interfaces that joins two VDOMs
    Pair - two interfaces that are joined together, such as two VDOM links

Virtual Domain: The virtual domain to which the interface belongs. This column is visible only to the super admin and only when virtual domain configuration is enabled.

VLAN ID: The identification number of the VLAN. Non-VLAN interface entries will be blank.

Delete, edit, and view icons: Delete, edit, or view an entry.

Column Settings
Go to System > Network > Column Settings to change which information about the interfaces is displayed. The VDOM field is only available for display when VDOMs are enabled.
Figure 54: Column Settings

Available fields: The list of fields (columns) not currently being displayed.

Show these fields in this order: The list of fields (columns) currently being displayed. They are displayed in order: top to bottom of the list corresponds to left to right on screen.

Right arrow: Move selected fields to the Show these fields in this order list.

Left arrow: Move selected fields to the Available fields list.

Move up: Move the selected item up in the Show these fields in this order list. The corresponding column is moved to the left on the network interface display.

Move down: Move the selected item down in the Show these fields in this order list. The corresponding column is moved to the right on the network interface display.

Switch Mode
The internal interface is a switch with either four or six physical interface connections, depending on the FortiGate model. Normally the internal interface is configured as a single interface shared by all physical interface connections - a switch.


The switch mode feature has two states: switch mode and interface mode. Switch mode is the default mode, with only one interface and one address for the entire internal switch. Interface mode allows you to configure each of the internal switch physical interface connections separately. This allows you to assign different subnets and netmasks to each of the internal physical interface connections.

FortiGate models 100A and 200A Rev2.0 and higher have four internal interface connections. The FortiGate-60B and FortiWiFi-60B have six internal interface connections. Consult your release notes for the most current list of supported models for this feature.

Selecting Switch Mode on the System > Network > Interface screen displays the Switch Mode Management screen.

Caution: Before you are able to change between switch mode and interface mode, all references to internal interfaces must be removed. This includes references such as firewall policies, routing, DNS forwarding, DHCP services, and VDOM interface assignments. If they are not removed, you will not be able to switch modes, and you will see an error message.

Figure 55: Switch Mode Management

Switch Mode: Select Switch Mode. Only one internal interface is displayed. This is the default mode.

Interface Mode: Select Interface Mode. All internal interfaces on the switch are displayed as individually configurable interfaces.

Switch Mode can also be configured using CLI commands. For more information see the FortiGate CLI Reference.

Interface settings
Go to System > Network > Interface and select Create New. Selecting the Create New arrow enables you to create Inter-VDOM links. For more information on Inter-VDOM links, see Inter-VDOM links on page 113.

Some types of interfaces, such as loopback interfaces, can only be configured using CLI commands. For more information, see Configuring interfaces with CLI commands on page 134 or the FortiGate CLI Reference.

To be able to configure a DHCP server on an interface, that interface must have a static IP address.

You cannot create a virtual IPSec interface on this screen, but you can specify its endpoint addresses, enable administrative access and provide a description if you are editing an existing interface. For more information, see Configuring a virtual IPSec interface on page 133.


Figure 56: Create New Interface settings

Figure 57: Edit Interface settings


Figure 58: Edit Interface settings

Name: Enter a name for the interface. You cannot change the name of an existing interface.

Alias: Enter another name for the interface that will easily distinguish this interface from another. This is available only for physical interfaces, where you cannot configure the name. The alias can be a maximum of 15 characters. The alias name is not part of the interface name, but it will appear in brackets beside the interface name. It will not appear in logs.

Type: The type of the interface. When creating a new interface, this is VLAN by default. On models 300A, 400A, 500A, 800 and higher, you can create VLAN, 802.3ad Aggregate, and Redundant interfaces. On FortiGate 100A and 200A models of Rev2.0 and higher and on all 60B models, software switch is a valid type. You cannot edit this type in the GUI. FortiWiFi models support up to four SSIDs by adding up to three wireless interfaces (for a total of four wireless interfaces). Other models support creation of VLAN interfaces only and have no Type field. You cannot change the type of an existing interface.

Interface: Select the name of the physical interface on which to create the VLAN. Once created, the VLAN subinterface is listed below its physical interface in the Interface list. You cannot change the interface of an existing VLAN subinterface. This field is only displayed when Type is set to VLAN.

VLAN ID: Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface. You cannot change the VLAN ID of an existing VLAN subinterface. The VLAN ID can be any number between 1 and 4094 and must match the VLAN ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN subinterface. For more information, see VLAN overview on page 150. This field is only displayed when Type is set to VLAN.

Virtual Domain: Select the virtual domain to which this VLAN subinterface belongs. Admin accounts with the super-admin profile can change the VDOM for a VLAN when VDOM configuration is enabled. For more information, see Using virtual domains on page 103.


Physical Interface Members: This section has two different forms depending on the interface type:
    Software switch interface - this section is a display-only field showing the interfaces that belong to the software switch virtual interface.
    802.3ad aggregate or Redundant interface - this section includes Available Interfaces and Selected Interfaces lists to enable adding or removing interfaces from the grouped interface.

Available Interfaces: Select interfaces from this list to include in the grouped interface, either a redundant or an aggregate interface. Select the right arrow to add an interface to the grouped interface.

Selected Interfaces: These interfaces are included in the aggregate or redundant interface. Select the left arrow to remove an interface from the grouped interface. For redundant interfaces, the interfaces will be activated during failover from the top of the list to the bottom.

Addressing mode: Select the type of addressing mode as Manual, DHCP, or PPPoE. To configure a static IP address for the interface, select Manual. By default, low-end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled. These settings allow for easy out-of-the-box configuration. You can also configure the interface for dynamic IP address assignment. For more information, see Configuring DHCP on an interface on page 130 or Configuring an interface for PPPoE on page 131.

IP/Netmask: Enter the IP address/subnet mask in the IP/Netmask field. The IP address must be on the same subnet as the network to which the interface connects. Two interfaces cannot have IP addresses on the same subnet. This field is only available when Manual addressing mode is selected.

DDNS: Select DDNS to configure a Dynamic DNS service for this interface. For more information, see Configuring Dynamic DNS on an interface on page 132.

Ping Server: To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. For more information, see Dead gateway detection on page 146.

Explicit Web Proxy: Select to enable explicit web proxying on this interface. When enabled, this interface will be displayed on System > Network > Web Proxy under Listen on Interfaces, and web traffic on this interface will be proxied according to the Web Proxy settings. For more information, see Web Proxy on page 147.

Administrative Access: Select the types of administrative access permitted on this interface.
    HTTPS - Allow secure HTTPS connections to the web-based manager through this interface.
    PING - Interface responds to pings. Use this setting to verify your installation and for testing.
    HTTP - Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
    SSH - Allow SSH connections to the CLI through this interface.
    SNMP - Allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 186.
    TELNET - Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.


MTU: To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on the addressing mode of the interface:
    68 to 1 500 bytes for static mode
    576 to 1 500 bytes for DHCP mode
    576 to 1 492 bytes for PPPoE mode
    up to 16 110 bytes for jumbo frames (on FortiGate models that support jumbo frames)
    NP2-accelerated interfaces support a jumbo frame limit of 16 000 bytes
    FA2-accelerated interfaces do not support jumbo frames
This field is available only on physical interfaces. VLANs inherit the parent interface MTU size by default. For more information on MTU and jumbo frames, see Interface MTU packet size on page 135.

Secondary IP Address: Add additional IP addresses to this interface. Select the blue arrow to expand or hide the section. See Secondary IP Addresses on page 136.

Description: Enter a description up to 63 characters.

Administrative Status: Select either Up (green arrow) or Down (red arrow) as the status of this interface. Up indicates the interface is active and can accept network traffic. Down indicates the interface is not active and cannot accept traffic.

Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.

To configure a specific type of interface, refer to the appropriate section. To configure:
    an aggregate interface, see Creating an 802.3ad aggregate interface on page 127.
    a redundant interface, see Creating a redundant interface on page 128.
    a VLAN subinterface, see FortiGate units and VLANs on page 151.
    a wireless interface, see Adding a wireless interface on page 163.

Creating an 802.3ad aggregate interface


You can aggregate (combine) two or more physical interfaces to increase bandwidth and provide some link redundancy. An aggregate interface provides more bandwidth but also creates more points of failure than redundant interfaces. The interfaces must connect to the same next-hop routing destination.

Support of the IEEE standard 802.3ad for link aggregation is part of FortiGate firmware on models 300A, 310B, 400A, 500A, 620B, and models 800 and higher.

An interface is available to be in an aggregate interface if:
    it is a physical interface, not a VLAN interface
    it is not already part of an aggregate or redundant interface
    it is in the same VDOM as the aggregated interface
    it does not have an IP address and is not configured for DHCP or PPPoE
    it does not have a DHCP server or relay configured on it
    it does not have any VLAN subinterfaces
    it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
    it is not an HA heartbeat interface
    it is not one of the FortiGate 5000 series backplane interfaces


Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you will lose the acceleration. For example, if you aggregate two accelerated interfaces you will get slower throughput than if the two interfaces were separate.

Note: FortiGate-5000 backplane interfaces have to be made visible before they can be added to an aggregate or a redundant interface.

When an interface is included in an aggregate interface, it is not listed on the System > Network > Interface screen. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, IP pools, or routing.
Figure 59: Settings for an 802.3ad aggregate interface

To create an 802.3ad Aggregate interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the aggregated interface. The interface name must be different from any other interface, zone or VDOM.
4 From the Type list, select 802.3ad Aggregate.
5 In the Available Interfaces list, select each interface that you want to include in the aggregate interface and move it to the Selected Interfaces list.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see:
    Configuring DHCP on an interface on page 130
    Configuring an interface for PPPoE on page 131
7 Configure other interface options as required.
8 Select OK.

Creating a redundant interface


You can combine two or more physical interfaces to provide link redundancy. This feature allows you to connect to two or more switches to ensure connectivity in the event one physical interface or the equipment on that interface fails.


In a redundant interface, traffic only goes over one interface at any time. This differs from an aggregated interface, where traffic goes over all interfaces for increased bandwidth. This difference means redundant interfaces can have more robust configurations with fewer possible points of failure. This is important in a fully-meshed HA configuration.

FortiGate firmware on models 300A, 310B, 400A, 500A, 620B, and models 800 and higher implements redundant interfaces.

An interface is available to be in a redundant interface if:
    it is a physical interface, not a VLAN interface
    it is not already part of an aggregated or redundant interface
    it is in the same VDOM as the redundant interface
    it has no defined IP address and is not configured for DHCP or PPPoE
    it has no DHCP server or relay configured on it
    it does not have any VLAN subinterfaces
    it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
    it is not monitored by HA
    it is not one of the FortiGate 5000 series backplane interfaces
Note: FortiGate-5000 backplane interfaces have to be made visible before they can be added to an aggregate or a redundant interface.

When an interface is included in a redundant interface, it is not listed on the System > Network > Interface page. You cannot configure the interface individually and it is not available for inclusion in firewall policies, VIPs, IP pools, or routing.
Figure 60: Settings for a redundant interface

To create a redundant interface
1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the redundant interface. The interface name must be different from any other interface, zone or VDOM.
4 From the Type list, select Redundant Interface.
5 In the Available Interfaces list, select each interface that you want to include in the redundant interface and move it to the Selected Interfaces list. In a failover situation, the interface activated will be the next interface down the Selected Interfaces list.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it. For information about dynamic addressing, see:
    Configuring DHCP on an interface on page 130
    Configuring an interface for PPPoE on page 131
7 Configure other interface options as required.
8 Select OK.
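The membership rules listed for aggregate and redundant interfaces above can be checked before you open the Create New screen, which saves discovering one by one that an interface is still referenced somewhere. The following Python function is an added example written for this guide's text, not Fortinet code. Its dict-based interface model, the sample inventory (made-up names such as port3 and agg1) and the `ha_heartbeat`/`ha_monitored` fields are constructed assumptions; the two HA fields encode the one rule that differs between the aggregate list and the redundant list.

```python
"""Eligibility check for adding an interface to an 802.3ad aggregate or a
redundant interface, following the rules in the two sections above.
Added example, not Fortinet code; the interface model is an assumption."""


def _iface(**overrides):
    """Build one interface record in the fully eligible state, then apply the
    overrides that make it ineligible."""
    rec = {"type": "physical", "vdom": "root", "addressing": None,
           "member_of": None, "dhcp_server": False, "vlans": [],
           "references": [], "ha_heartbeat": False, "ha_monitored": False,
           "backplane": False}
    rec.update(overrides)
    return rec


# Constructed sample inventory (not from a real unit). `addressing` is None
# when the interface has no IP and is not set to DHCP or PPPoE.
SAMPLE_INTERFACES = {
    "port3": _iface(),
    "port4": _iface(addressing="dhcp"),
    "port5": _iface(member_of="agg1"),
    "port6": _iface(vdom="dmz_vdom", dhcp_server=True, vlans=["vlan60"],
                    references=["firewall policy 12"], ha_heartbeat=True,
                    ha_monitored=True),
    "vlan10": _iface(type="vlan", addressing="static"),
    "fabric1": _iface(backplane=True),
}


def join_eligibility(name, group_kind, group_vdom, interfaces=SAMPLE_INTERFACES):
    """Return the reasons `name` may not join a group of `group_kind`
    ("aggregate" or "redundant") that lives in `group_vdom`.
    An empty list means the interface is eligible."""
    if group_kind not in ("aggregate", "redundant"):
        raise ValueError("group_kind must be 'aggregate' or 'redundant'")
    iface = interfaces.get(name)
    if iface is None:
        return ["interface does not exist"]
    reasons = []
    if iface["type"] != "physical":
        reasons.append("not a physical interface")
    if iface["member_of"]:
        reasons.append("already a member of %s" % iface["member_of"])
    if iface["vdom"] != group_vdom:
        reasons.append("in VDOM %s, not %s" % (iface["vdom"], group_vdom))
    if iface["addressing"] is not None:
        reasons.append("has an IP address or DHCP/PPPoE addressing")
    if iface["dhcp_server"]:
        reasons.append("has a DHCP server or relay")
    if iface["vlans"]:
        reasons.append("has VLAN subinterfaces: " + ", ".join(iface["vlans"]))
    if iface["references"]:
        reasons.append("referenced by: " + ", ".join(iface["references"]))
    # The HA rule is the one difference between the two lists above.
    if group_kind == "aggregate" and iface["ha_heartbeat"]:
        reasons.append("is an HA heartbeat interface")
    if group_kind == "redundant" and iface["ha_monitored"]:
        reasons.append("is monitored by HA")
    if iface["backplane"]:
        reasons.append("is a FortiGate-5000 backplane interface")
    return reasons


if __name__ == "__main__":
    for kind in ("aggregate", "redundant"):
        for name in SAMPLE_INTERFACES:
            print(kind, name, join_eligibility(name, kind, "root") or "eligible")
```

The function returns every failing rule rather than stopping at the first one, so the output doubles as the cleanup list you need to work through before the GUI will accept the interface.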

Configuring DHCP on an interface


If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP request. The interface is configured with the IP address and any DNS server addresses and default gateway address that the DHCP server provides. By default, low-end models are configured to DHCP addressing mode with Override Internal DNS and Retrieve default Gateway from DHCP server both enabled. These settings allow for easy out-of-the-box configuration.

To configure DHCP on an interface
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select DHCP.
Figure 61: Interface DHCP settings

Status: Displays DHCP status messages as the FortiGate unit connects to the DHCP server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit. Status can be one of:
    initializing - No activity.
    connecting - The interface attempts to connect to the DHCP server.
    connected - The interface retrieves an IP address, netmask, and other settings from the DHCP server.
    failed - The interface was unable to retrieve an IP address and other settings from the DHCP server.

Obtained IP/Netmask: The IP address and netmask leased from the DHCP server. Only displayed if Status is connected.

Renew: Select to renew the DHCP lease for this interface. Only displayed if Status is connected.


Expiry Date: The time and date when the leased IP address and netmask is no longer valid. Only displayed if Status is connected.

Default Gateway: The IP address of the gateway defined by the DHCP server. Only displayed if Status is connected and Retrieve default gateway from server is selected.

Distance: Enter the administrative distance for the default gateway retrieved from the DHCP server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server: Enable to retrieve a default gateway IP address from the DHCP server. The default gateway is added to the static routing table. Enabled by default on low-end models.

Override internal DNS: Enable to use the DNS addresses retrieved from the DHCP server instead of the DNS server IP addresses on the DNS page. On low-end models, this is enabled by default. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Connect to Server: Enable so that the interface automatically attempts to connect to a DHCP server. Disable this option if you are configuring the interface offline.

Configuring an interface for PPPoE


If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a PPPoE request. When configuring the FortiGate unit offline, if you do not want the FortiGate unit to send the PPPoE request, do not enable Connect to Server. FortiGate units support many PPPoE RFC features (RFC 2516), including unnumbered IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).

To configure an interface for PPPoE
1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select PPPoE.
Figure 62: Interface PPPoE settings

Status: Displays PPPoE status messages as the FortiGate unit connects to the PPPoE server and gets addressing information. Select Status to refresh the addressing mode status message. Only displayed if you selected Edit. Status can be one of the following four messages:
    initializing - No activity.
    connecting - The interface is attempting to connect to the PPPoE server.
    connected - The interface retrieves an IP address, netmask, and other settings from the PPPoE server. When the status is connected, PPPoE connection information is displayed.
    failed - The interface was unable to retrieve an IP address and other information from the PPPoE server.

Reconnect: Select to reconnect to the PPPoE server. Only displayed if Status is connected.

User Name: The PPPoE account user name.

Password: The PPPoE account password.

Unnumbered IP: Specify the IP address for the interface. If your ISP has assigned you a block of IP addresses, use one of them. Otherwise, this IP address can be the same as the IP address of another interface or can be any IP address.

Initial Disc Timeout: Enter the initial discovery timeout: the time to wait before starting to retry a PPPoE discovery.

Initial PADT timeout: Enter the initial PPPoE Active Discovery Terminate (PADT) timeout in seconds. Use this timeout to shut down the PPPoE session if it is idle for this number of seconds. PADT must be supported by your ISP. Set the initial PADT timeout to 0 to disable it.

Distance: Enter the administrative distance for the default gateway retrieved from the PPPoE server. The administrative distance, an integer from 1-255, specifies the relative priority of a route when there are multiple routes to the same destination. A lower administrative distance indicates a more preferred route. The default distance for the default gateway is 1.

Retrieve default gateway from server: Enable to retrieve a default gateway IP address from a PPPoE server. The default gateway is added to the static routing table.

Override internal DNS: Enable to replace the DNS server IP addresses on the System DNS page with the DNS addresses retrieved from the PPPoE server. When VDOMs are enabled, you can override the internal DNS only on the management VDOM.

Connect to server: Enable Connect to Server so that the interface automatically attempts to connect to a PPPoE server when you select OK or Apply. Disable this option if you are configuring the interface offline.

Configuring Dynamic DNS on an interface


When the FortiGate unit has a static domain name and a dynamic public IP address, you can use a DDNS service to update Internet DNS servers when the IP address for the domain changes. Dynamic DNS is available only in NAT/Route mode.

To configure DDNS on an interface
1 Get the DDNS configuration information from your DDNS service.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enable DDNS.
5 Enter the DDNS configuration information.

If at any time your FortiGate unit cannot contact the DDNS server, it will retry three times at one-minute intervals and then change to retrying at three-minute intervals. This is to prevent flooding the DDNS server.


Figure 63: DDNS service configuration

Server: Select a DDNS server to use. The client software for these services is built into the FortiGate firmware. The FortiGate unit can connect only to one of these services.

Domain: Enter the fully qualified domain name of the DDNS service.

Username: Enter the user name to use when connecting to the DDNS server.

Password: Enter the password to use when connecting to the DDNS server.

Configuring a virtual IPSec interface


You create a virtual IPSec interface by selecting IPSec Interface Mode in VPN > IPSec > Auto Key or VPN > IPSec > Manual Key when you create a VPN. You also select a physical or VLAN interface from the Local Interface list. The virtual IPSec interface is listed as a subinterface of that interface in System > Network > Interface. For more information, see Overview of IPSec VPN configuration on page 531, Auto Key on page 533 or Manual Key on page 541.

Go to System > Network > Interface and select Edit on an IPSec interface to:
    configure IP addresses for the local and remote endpoints of the IPSec interface so that you can run dynamic routing over the interface or use ping to test the tunnel
    enable administrative access through the IPSec interface
    enter a description for the interface

Figure 64: Virtual IPSec interface settings

Name: The name of the IPSec interface.

Virtual Domain: Select the VDOM of the IPSec interface.

IP / Remote IP: If you want to use dynamic routing with the tunnel or be able to ping the tunnel interface, enter IP addresses for the local and remote ends of the tunnel. These two addresses must not be used anywhere else in the network.


Administrative Access: Select the types of administrative access permitted on this interface.
    HTTPS - Allow secure HTTPS connections to the web-based manager through this interface.
    PING - Allow the interface to respond to pings. Use this setting to verify your installation and for testing.
    HTTP - Allow HTTP connections to the web-based manager through this interface. HTTP connections are not secure and can be intercepted by a third party.
    SSH - Allow SSH connections to the CLI through this interface.
    SNMP - Allow a remote SNMP manager to request SNMP information by connecting to this interface. See Configuring SNMP on page 186.
    TELNET - Allow Telnet connections to the CLI through this interface. Telnet connections are not secure and can be intercepted by a third party.

Description: Enter a description of the interface. It can be up to 63 characters.

Configuring interfaces with CLI commands


While nearly all types of interfaces can be configured from the GUI, a few, such as loopback and software switch interfaces, can only be configured using CLI commands. Virtual interfaces are not connected to any physical devices or cables outside the FortiGate unit. They allow additional connections inside the FortiGate unit, which allow for more complex configurations. Virtual interfaces also have the added benefit of speed. Depending on the CPU load, virtual interfaces are consistently faster than physical interfaces.

Loopback interface
A loopback interface is an always-up virtual interface that is not connected to any other interfaces. Loopback interfaces connect to a FortiGate unit's interface IP address without depending on a specific external port. A loopback interface is not connected to hardware, so it is not affected by hardware problems. As long as the FortiGate unit is functioning, the loopback interface is active. This always-up feature is useful in dynamic routing, where the FortiGate unit relies on remote routers and the local firewall policies for access to the loopback interface.

The CLI command to configure a loopback interface called loop1 with an IP address of 10.0.0.10 is:

    config system interface
        edit loop1
            set type loopback
            set ip 10.0.0.10 255.255.255.0
        end

For more information, see config system interface in the FortiGate CLI Reference.

Software switch interface


A software switch interface forms a simple bridge between two or more physical or wireless FortiGate interfaces. The interfaces added to a soft switch interface are called members. The members of a switch interface cannot be accessed as individual interfaces after being added to a soft switch interface; they are removed from the system interface table.

Similar to aggregate interfaces, a soft switch interface functions like a normal interface. A soft switch interface has one IP address. You create firewall policies to and from soft switch interfaces, and soft switch interfaces can be added to zones. There are some limitations: soft switch interfaces cannot be monitored by HA or used as HA heartbeat interfaces.

To add interfaces to a software switch group, no configuration settings can refer to those interfaces. This includes default routes, VLANs, inter-VDOM links, and policies. You can view available interfaces on the CLI when entering the set member command by using ? or <TAB> to scroll through the available list.

The CLI command to configure a software switch interface called soft_switch with the port1, external and dmz interfaces is:

    config system switch-interface
        edit soft_switch
            set members port1 external dmz
        end

For more information, see config system switch-interface in the FortiGate CLI Reference.

Administrative access to an interface


Administrative access is how an administrator can connect to the FortiGate unit to view and change configuration settings. Two methods of administrative access are HTTPS and SSH. You can allow remote administration of the FortiGate unit running in NAT/Route mode, but allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
    Use secure administrative user passwords.
    Change these passwords regularly.
    Enable secure administrative access to this interface using only HTTPS or SSH.
    Do not change the system idle timeout from the default value of 5 minutes (see Settings on page 228).

For more information on configuring administrative access in Transparent mode, see Operation mode and VDOM management access on page 206.

To control administrative access to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Administrative Access methods for the interface.
4 Select OK.

Interface MTU packet size


To improve network performance, you can change the maximum transmission unit (MTU) of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as the smallest MTU of all the networks between the FortiGate unit and the destination of the packets. If the packets that the FortiGate unit sends are larger than the smallest MTU, they are broken up or fragmented, which slows down transmission. Experiment by lowering the MTU to find an MTU size for optimum network performance.


FortiGate models numbered 3 000 and higher support jumbo frames: frames larger than the traditional 1 500 bytes. Some models support a jumbo frame limit of 9 000 bytes while others support 16 110 bytes. NP2-accelerated interfaces support a jumbo frame limit of 16 000 bytes. FA2-accelerated interfaces do not support jumbo frames.

Jumbo frames are much larger than the maximum standard Ethernet frame (packet) size of 1 500 bytes. As new Ethernet standards have been implemented (such as Gigabit Ethernet), 1 500 byte frames remain in the standard for backward compatibility. To be able to send jumbo frames over a route, all Ethernet devices on that route must support jumbo frames; otherwise your jumbo frames are not recognized and are dropped.

If you have standard Ethernet and jumbo frame traffic on the same interface, routing alone cannot send them over different routes based only on frame size. However, you can use VLANs to make sure the jumbo frame traffic is routed over network devices that support jumbo frames. VLANs inherit the MTU size from the parent interface. You will need to configure the VLAN to include both ends of the route as well as all switches and routers along the route. For more information on VLAN configurations, see the VLAN and VDOM guide.

To change the MTU size of the packets leaving an interface
1 Go to System > Network > Interface.
2 Choose a physical interface and select Edit.
3 Below Administrative Access, select Override default MTU value (1 500).
4 Set the MTU size. If you select an MTU size larger than your FortiGate unit supports, an error message will indicate this. In this situation, try a smaller MTU size until the value is supported. Supported maximums are 16 110, 9 000, and 1 500.
Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN subinterfaces on the modified interface.

Note: In Transparent mode, if you change the MTU of an interface, you must change the MTU of all interfaces to match the new MTU.
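The following is an added example, not part of the guide or Fortinet's code: a small model of the MTU rules above (sender fragments to its own MTU, standard frames larger than a downstream MTU are fragmented again, jumbo frames meeting a device that cannot handle them are dropped, and the smallest path MTU is the value to configure). Hop names and MTU values are constructed; the 68-byte lower bound is an assumption from RFC 791, not from the guide.

```python
"""Added example: model packet size versus per-hop MTU and jumbo-frame support."""
import math
from dataclasses import dataclass

STANDARD_MTU = 1500
# Supported maximum MTU values named in the guide for different hardware
SUPPORTED_MAX_MTU = (1500, 9000, 16110)
IPV4_HEADER = 20  # fragments carry a fresh IPv4 header each (no options assumed)


@dataclass
class Hop:
    """One device on the route; constructed names, not real equipment."""
    name: str
    mtu: int

    @property
    def supports_jumbo(self) -> bool:
        return self.mtu > STANDARD_MTU


def set_interface_mtu(requested: int, unit_max: int) -> int:
    """Mirror the web-based manager check: refuse an MTU the unit cannot support."""
    if unit_max not in SUPPORTED_MAX_MTU:
        raise ValueError(f"unknown unit maximum {unit_max}")
    if requested > unit_max:
        raise ValueError(f"MTU {requested} exceeds unit maximum {unit_max}; try a smaller value")
    if requested < 68:  # assumption: RFC 791 minimum IPv4 MTU; the guide gives no lower bound
        raise ValueError("MTU too small")
    return requested


def fragment_count(packet_bytes: int, mtu: int) -> int:
    """Number of IPv4 fragments needed to carry one packet over a link with this MTU."""
    if packet_bytes <= mtu:
        return 1
    payload = packet_bytes - IPV4_HEADER
    # fragment payloads (except the last) must be multiples of 8 bytes
    per_fragment = ((mtu - IPV4_HEADER) // 8) * 8
    return math.ceil(payload / per_fragment)


def path_mtu(path) -> int:
    """The smallest MTU on the route: the guide's recommended interface MTU."""
    return min(hop.mtu for hop in path)


def plan_transmission(packet_bytes: int, sender_mtu: int, path) -> tuple:
    """Return (outcome, frames, recommended_sender_mtu) for one IP packet.

    outcome is "ok", "fragmented at sender", "fragmented in path" or "dropped".
    """
    smallest = path_mtu(path)
    frame = min(packet_bytes, sender_mtu)  # the sender fragments down to its own MTU
    if frame > smallest and frame > STANDARD_MTU:
        # a jumbo frame arriving at a device with a smaller MTU is not recognised
        return ("dropped", 0, smallest)
    frames = fragment_count(packet_bytes, sender_mtu)
    if frame > smallest:
        # standard-size frames larger than a downstream MTU are fragmented again
        # in the path; this is the minimum number that arrives at the destination
        return ("fragmented in path", fragment_count(packet_bytes, smallest), smallest)
    if frames > 1:
        return ("fragmented at sender", frames, smallest)
    return ("ok", 1, smallest)
```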

Secondary IP Addresses
An interface can be assigned more than one IP address. You can create and apply separate firewall policies for each IP address on an interface. You can also forward traffic and use RIP or OSPF routing with secondary IP addresses. An interface can have up to 32 IP addresses in total, counting the primary, secondary, and any other IP addresses assigned to it. Primary and secondary IP addresses can share the same ping server.

The following restrictions apply before you can assign a secondary IP address:
A primary IP address must be assigned to the interface.
The interface must use manual addressing mode.
By default, IP addresses cannot be part of the same subnet. To allow interface subnet overlap, use the CLI command:

config system global
  set allow-interface-subnet-overlap enable
end

You can use the CLI command config system interface to add a secondary IP address to an interface. For more information, see config secondaryip under system interface in the FortiGate CLI Reference.
Figure 65: Adding Secondary IP Addresses

IP/Netmask: Enter the IP address/subnet mask in the IP/Netmask field. The Secondary IP address must be on a different subnet than the Primary IP address. This field is only available in Manual addressing mode.
Ping Server: To enable dead gateway detection, enter the IP address of the next hop router on the network connected to the interface and select Enable. See Dead gateway detection on page 146. Multiple addresses can share the same ping server.
Administrative Access: Select the types of administrative access permitted on the secondary IP. These can be different from the primary address.
HTTPS: Allow secure HTTPS connections to the web-based manager through this secondary IP.
PING: Allow the secondary IP to respond to pings. Use this setting to verify your installation and for testing.
HTTP: Allow HTTP connections to the web-based manager through this secondary IP. HTTP connections are not secure and can be intercepted by a third party.
SSH: Allow SSH connections to the CLI through this secondary IP.
SNMP: Allow a remote SNMP manager to request SNMP information by connecting to this secondary IP. See Configuring SNMP on page 186.
TELNET: Allow Telnet connections to the CLI through this secondary IP. Telnet connections are not secure and can be intercepted by a third party.
Add: Select Add to add the configured secondary IP address to the secondary IP table. Addresses in this table are not added to the interface until you select OK or Apply.
Secondary IP table: A table that displays all the secondary IP addresses that have been added to this interface. These addresses are not permanently added to the interface until you select OK or Apply.
#: The identifying number of the secondary IP address.
IP/Netmask: The IP address and netmask for the secondary IP.
Ping Server: The IP address of the ping server for the address. The ping server can be shared by multiple addresses.
Enable: Indicates if the ping server option is selected.
Access: The administrative access methods for this address. They can be different from the primary IP address.
Delete icon: Select to remove this secondary IP entry.

Note: It is recommended that after adding a secondary IP, you refresh the secondary IP table and verify that your new address is listed. If it is not, one of the restrictions prevented the address from being added: no primary IP address on the interface, the interface is not in manual addressing mode, more than one IP address on the same subnet, more than 32 IP addresses assigned to the interface, etc.
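The following is an added example, not part of the guide or of FortiOS: a check that applies the secondary IP restrictions listed above (primary address present, manual addressing, no subnet overlap unless allow-interface-subnet-overlap is enabled, at most 32 addresses) before an address is accepted. The Interface class, its field names and all addresses are constructed for the example.

```python
"""Added example: validate a candidate secondary IP against the guide's restrictions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MAX_ADDRESSES_PER_INTERFACE = 32  # primary + secondary + any other addresses


@dataclass
class Interface:
    """Constructed model of an interface's addressing state (not the FortiOS object)."""
    name: str
    mode: str = "manual"               # "manual", "dhcp" or "pppoe"
    primary: Optional[str] = None      # e.g. "192.168.1.99/24"
    secondaries: List[str] = field(default_factory=list)

    def all_addresses(self) -> List[str]:
        return ([self.primary] if self.primary else []) + list(self.secondaries)


def rejection_reason(iface: Interface, candidate: str,
                     allow_subnet_overlap: bool = False) -> Optional[str]:
    """Return None if `candidate` may be added, otherwise the restriction it breaks."""
    try:
        new = ipaddress.ip_interface(candidate)
    except ValueError:
        return f"{candidate!r} is not a valid IP/netmask"
    if iface.primary is None:
        return "a primary IP address must be assigned first"
    if iface.mode != "manual":
        return f"interface uses {iface.mode} addressing, not manual"
    existing = [ipaddress.ip_interface(a) for a in iface.all_addresses()]
    if any(new.ip == e.ip for e in existing):
        return f"{new.ip} is already assigned to {iface.name}"
    if not allow_subnet_overlap:
        # default behaviour: the new address may not share a subnet with any existing one
        for e in existing:
            if new.network.overlaps(e.network):
                return (f"{new} overlaps {e.network}; enable "
                        "allow-interface-subnet-overlap to permit this")
    if len(existing) + 1 > MAX_ADDRESSES_PER_INTERFACE:
        return (f"interface already has {len(existing)} of "
                f"{MAX_ADDRESSES_PER_INTERFACE} addresses")
    return None


def add_secondary(iface: Interface, candidate: str,
                  allow_subnet_overlap: bool = False) -> bool:
    """Add the address when every restriction passes; True on success."""
    if rejection_reason(iface, candidate, allow_subnet_overlap) is not None:
        return False
    iface.secondaries.append(candidate)
    return True
```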

Configuring zones
Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can configure policies for connections to and from a zone, but not between interfaces in a zone. You can add zones, rename and edit zones, and delete zones from the zone list. When you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the zone. Zones are configured from virtual domains. If you have added multiple virtual domains to your FortiGate configuration, make sure you are configuring the correct virtual domain before adding or editing zones.
Figure 66: Zone list

Create New: Select to create a new zone.
Name: Names of the zones.
Block intra-zone traffic: Displays Yes if traffic between interfaces in the same zone is blocked and No if traffic between interfaces in the same zone is not blocked.
Interface Members: Names of the interfaces added to the zone. Interface names depend on the FortiGate model.
Edit/View icons: Edit or view a zone.
Delete icon: Delete a zone.

To configure zone settings
1 Go to System > Network > Zone.
2 Select Create New or select the Edit icon for a zone.
3 Enter the zone name and select the interface members.
4 Select OK.


Figure 67: Zone settings

Zone Name: Enter the name to identify the zone.
Block intra-zone traffic: Select to block traffic between interfaces or VLAN subinterfaces in the same zone.
Interface members: Select the interfaces that are part of this zone. This list includes configured VLANs.

Configuring the modem interface


All FortiGate models with a USB interface support USB modems, and FortiGate-50 series and FortiGate-60 series models include a serial modem port. In NAT/Route mode the modem can be in one of two modes:
In redundant (backup) mode, the modem interface automatically takes over from a selected ethernet interface when that ethernet interface is unavailable.
In standalone mode, the modem interface is the connection from the FortiGate unit to the Internet.

In redundant or standalone mode when connecting to the ISP, you can configure the FortiGate unit to automatically have the modem dial up to three dialup accounts until the modem connects to an ISP. Other models can connect to an external modem through a USB-to-serial converter. For these models, you must configure modem operation using the CLI. Initially modem interfaces are disabled, and must be enabled in the CLI to be visible in the web-based manager. See the system modem command in the FortiGate CLI Reference.
Note: The modem interface is not the AUX port. While the modem and AUX port may appear similar, the AUX port has no associated interface and is used for remote console connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and 3000A. For more information, see the config system aux command in the FortiGate CLI Reference.

This section describes:
Configuring modem settings
Redundant mode configuration
Standalone mode configuration
Adding firewall policies for modem connections
Connecting and disconnecting the modem
Checking modem status


Configuring modem settings


Configure modem settings so that the FortiGate unit uses the modem to connect to your ISP dialup accounts. You can configure up to three dialup accounts, select standalone or redundant operation, and configure how the modem dials and disconnects.

For FortiGate-60B and FortiWifi-60B models with modems, the modem can be a management interface. When enabled, a user can dial into the unit's modem and perform administration actions as if logged in over one of the standard interfaces. This feature is enabled in the CLI using config system dialinsvr.


If VDOMs are enabled, the modem can be assigned to one of the VDOMs just like the other interfaces. If the modem is disabled it will not appear in the interface list, and must be enabled from the CLI using:

config system modem
  set status enable
end

Note: You cannot configure and use the modem in Transparent mode.

Figure 68 shows only the settings specific to standalone mode. The remaining settings are common to both standalone and redundant modes and are shown in Figure 69.
Figure 68: Modem settings (Standalone)


Figure 69: Modem settings (Redundant)

Enable Modem: Select to enable the FortiGate modem.
Modem status: Modem status can be: not active, connecting, connected, disconnecting, or hung up.
Dial Now/Hang Up: (Standalone mode only) Select Dial Now to manually connect to a dialup account. If the modem is connected, you can select Hang Up to manually disconnect the modem.
Mode: Select Standalone or Redundant mode.
Auto-dial (Standalone mode): Select to dial the modem automatically if the connection is lost or the FortiGate unit is restarted. You cannot select Auto-dial if Dial on demand is selected.
Dial on demand (Standalone mode): Select to dial the modem when packets are routed to the modem interface. The modem disconnects after the idle timeout period if there is no network activity. You cannot select Dial on demand if Auto-dial is selected.
Idle timeout (Standalone mode): Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redundant for (Redundant mode): Select the ethernet interface for which the modem provides backup service.
Holddown Timer (Redundant mode): Enter the time (1-60 seconds) that the FortiGate unit waits before switching back to the primary interface from the modem interface, after the primary interface has been restored. The default is 1 second. Configure a higher value if you find the FortiGate unit switching repeatedly between the primary interface and the modem interface.
Redial Limit: The maximum number of times (1-10) that the FortiGate unit modem attempts to reconnect to the ISP if the connection fails. The default redial limit is 1. Select None to have no limit on redial attempts.


Wireless Modem: Display a connected wireless modem if available.
Usage History: Display connections made on the modem interface. Information displayed about connections includes: date and time; duration of the connection in hours, minutes, and seconds; IP address connected to; traffic statistics including received, sent, and total; current status of the connection.
Supported Modems: Select to view a list of supported modems.
Dialup Account: Configure up to three dialup accounts. The FortiGate unit tries connecting to each account in order until a connection can be established. The active dialup account is indicated with a green check mark.
Phone Number: The phone number required to connect to the dialup account. Do not add spaces to the phone number. Make sure to include standard special characters for pauses, country codes, and other functions as required by your modem to connect to your dialup account.
User Name: The user name (maximum 63 characters) sent to the ISP.
Password: The password sent to the ISP.

To configure the modem in Redundant mode, see Redundant mode configuration on page 142. To configure the modem in Standalone mode, see Standalone mode configuration on page 143.

Redundant mode configuration


In redundant mode the modem interface backs up a selected ethernet interface. If that ethernet interface disconnects from its network, the modem automatically dials the configured dialup accounts. When the modem connects to a dialup account, the FortiGate unit routes IP packets normally destined for the selected ethernet interface to the modem interface. The FortiGate unit disconnects the modem interface and switches back to the ethernet interface when the ethernet interface is able to connect to its network. You can set a holddown timer that delays the switch back to the ethernet interface to ensure it is stable and fully active before switching the traffic. The modem will disconnect after a period of network inactivity set by the value in idle timeout. This saves money on dialup connection charges. For the FortiGate unit to be able to switch from an ethernet interface to the modem, you must select the name of the interface in the modem configuration and configure a ping server for that interface. You must also configure firewall policies for connections between the modem interface and other FortiGate interfaces.
Note: Do not add policies for connections between the modem interface and the ethernet interface that the modem is backing up.

To configure redundant mode
1 Go to System > Network > Modem.
2 Select Redundant mode.
3 Enter the following information:
Redundant for: From the list, select the interface to back up.
Holddown timer: Enter the number of seconds to continue using the modem after the network connectivity is restored.
Redial Limit: Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3: Enter the ISP phone number, user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure a ping server for the ethernet interface the modem backs up. See To add a ping server to an interface on page 146.
6 Configure firewall policies for network connectivity through the modem interface. See Adding firewall policies for modem connections on page 144.

Standalone mode configuration


In standalone mode, the modem connects to a dialup account to provide a connection to the Internet. You can configure the modem to dial when the FortiGate unit restarts or when there are unrouted packets. You can also hang up or redial the modem manually. If the connection to the dialup account fails, the FortiGate unit will redial the modem. The modem redials the number of times specified by the redial limit, or until it connects to a dialup account. The modem will disconnect after a period of network inactivity set by the value in idle timeout. This saves money on dialup connection charges.

You must configure firewall policies for connections between the modem interface and other FortiGate interfaces. You must also go to Router > Static to configure static routes to route traffic to the modem interface. For example, if the modem interface is acting as the FortiGate unit external interface you must set the device setting of the FortiGate unit default route to modem.

To configure standalone mode
1 Go to System > Network > Modem.
2 Select Standalone mode.
3 Enter the following information:
Auto-dial: Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand: Select if you want the modem to connect to its ISP whenever there are unrouted packets.
Idle timeout: Enter the timeout duration in minutes. After this period of inactivity, the modem disconnects.
Redial Limit: Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3: Enter the ISP phone number, user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface. See Adding firewall policies for modem connections on page 144.
6 Go to Router > Static and set device to modem to configure static routes to route traffic to the modem interface. See Adding a static route to the routing table on page 284.

Adding firewall policies for modem connections


The modem interface requires firewall addresses and policies. You can add one or more addresses to the modem interface. For information about adding addresses, see Configuring addresses on page 347. You can configure firewall policies to control the flow of packets between the modem interface and the other interfaces on the FortiGate unit. For information on configuring firewall policies, see Configuring firewall policies on page 323.

Connecting and disconnecting the modem


Note: The modem must be in Standalone mode before connecting or disconnecting from a dialup account.

To connect to a dialup account
1 Go to System > Network > Modem.
2 Select Enable USB Modem.
3 Verify the information in Dialup Accounts.
4 Select Apply.
5 Select Dial Now. The FortiGate unit dials into each dialup account in turn until the modem connects to an ISP.

To disconnect from a dialup account
1 Go to System > Network > Modem.
2 Select Hang Up to disconnect the modem.

Checking modem status


You can determine the connection status of your modem and which dialup account is active. If the modem is connected to the ISP, you can see the IP address and netmask. To check the modem status, go to System > Network > Modem. Modem status is one of the following:
not active: The modem is not connected to the ISP.
connecting: The modem is attempting to connect to the ISP.
connected: The modem is connected to the ISP.
disconnecting: The modem is disconnecting from the ISP.
hung up: The modem has disconnected from the ISP. (Standalone mode only) The modem will not redial unless you select Dial Now.

A green check mark indicates the active dialup account. The IP address and netmask assigned to the modem interface appears on the System Network Interface screen of the web-based manager.


Configuring Networking Options


Network options include DNS server and dead gateway detection settings.

To configure network options
1 Go to System > Network > Options.
2 Enter primary and secondary DNS servers.
3 Enter the local domain name.
4 Enter Dead Gateway Detection settings.
5 Select OK.
Figure 70: Configuring Networking Options - FortiGate models 200 and higher

Figure 71: Configuring Networking Options - FortiGate models 100 and lower


Obtain DNS server address automatically: This option applies only to FortiGate models 100 and lower. Select so that, when DHCP is used on an interface, the DNS server IP address is also obtained automatically. Available only in NAT/Route mode. You should also enable Override internal DNS in the DHCP settings of the interface. See Configuring DHCP on an interface on page 130.
Use the following DNS server addresses: This option applies only to FortiGate models 100 and lower. Use the specified Primary DNS Server and Secondary DNS Server addresses.
Primary DNS Server: Enter the primary DNS server IP address.
Secondary DNS Server: Enter the secondary DNS server IP address.
Local Domain Name: Enter the domain name to append to addresses with no domain portion when performing DNS lookups.
Enable DNS forwarding from: This option applies only to FortiGate models 100 and lower operating in NAT/Route mode. Select the interfaces that forward DNS requests they receive to the configured DNS servers.
Dead Gateway Detection: Dead gateway detection confirms connectivity using a ping server added to an interface configuration. For information about adding a ping server to an interface, see Dead gateway detection on page 146.
Detection Interval: Enter a number in seconds to specify how often the FortiGate unit pings the target.
Fail-over Detection: Enter the number of times that the ping test fails before the FortiGate unit assumes that the gateway is no longer functioning.

DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS server IP addresses are usually supplied by your ISP. You can configure FortiGate models numbered 100 and lower to obtain DNS server addresses automatically. To obtain these addresses automatically, at least one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See Configuring DHCP on an interface on page 130 or Configuring an interface for PPPoE on page 131. FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts on the attached network use the interface IP address as their DNS server. DNS requests sent to the interface are forwarded to the DNS server addresses that you configured or that the FortiGate unit obtained automatically.

Dead gateway detection


Dead gateway detection periodically pings a ping server to confirm network connectivity. Typically, the ping server is the next-hop router that leads to an external network or the Internet. The ping period (Detection Interval) and the number of failed pings that is considered to indicate a loss of connectivity (Fail-over Detection) are set in System > Network > Options. To apply dead gateway detection to an interface, you must configure a ping server for that interface.

To add a ping server to an interface
1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Set Ping Server to the IP address of the next hop router on the network.
4 Select Enable.
5 Select OK.
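The following is an added example, not part of the guide or of FortiOS, that ties dead gateway detection to the redundant modem mode described earlier: a monitor that counts consecutive failed pings against Fail-over Detection, switches traffic to the modem when the gateway is declared dead, and waits out the Holddown Timer before switching back. Ping results, interface names and the ping server address are constructed; treating one ping result as one Detection Interval is a simplification of this example.

```python
"""Added example: dead gateway detection driving redundant-mode modem failover."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DeadGatewaySettings:
    detection_interval: int = 5     # seconds between pings (System > Network > Options)
    failover_detection: int = 5     # consecutive failed pings before the gateway is dead


@dataclass
class RedundantModemSettings:
    redundant_for: str = "wan1"     # interface the modem backs up (constructed name)
    holddown_timer: int = 1         # seconds to wait after recovery before switching back
    ping_server: str = "203.0.113.1"  # next-hop router on the backed-up interface (constructed)


class FailoverMonitor:
    """Feed ping results in order; each call stands for one detection interval."""

    def __init__(self, dg: DeadGatewaySettings, modem: RedundantModemSettings):
        if not 1 <= modem.holddown_timer <= 60:
            raise ValueError("Holddown Timer must be 1-60 seconds")
        if not modem.ping_server:
            raise ValueError("redundant mode needs a ping server on the backed-up interface")
        self.dg, self.modem = dg, modem
        self.consecutive_failures = 0
        self.active = modem.redundant_for   # interface currently carrying traffic
        self.recovered_for = 0              # seconds the primary has answered since failover
        self.log: List[str] = []

    def ping(self, reply_received: bool) -> str:
        """Record one ping result and return the interface now carrying traffic."""
        if reply_received:
            self.consecutive_failures = 0
            if self.active == "modem":
                # primary is back: keep using the modem until the holddown timer expires
                self.recovered_for += self.dg.detection_interval
                if self.recovered_for >= self.modem.holddown_timer:
                    self.active = self.modem.redundant_for
                    self.recovered_for = 0
                    self.log.append(f"switched back to {self.modem.redundant_for}")
        else:
            self.consecutive_failures += 1
            self.recovered_for = 0   # a failure restarts the holddown wait
            if (self.active != "modem"
                    and self.consecutive_failures >= self.dg.failover_detection):
                self.active = "modem"
                self.log.append("gateway dead: dialing modem")
        return self.active


def run(results: List[bool], dg: DeadGatewaySettings,
        modem: RedundantModemSettings) -> Tuple[List[str], List[str]]:
    """Replay a sequence of ping results; returns (active interface per tick, event log)."""
    monitor = FailoverMonitor(dg, modem)
    return [monitor.ping(r) for r in results], monitor.log


def flap_count(actives: List[str]) -> int:
    """Number of switches between interfaces; a high value suggests raising the holddown timer."""
    return sum(1 for a, b in zip(actives, actives[1:]) if a != b)
```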

Web Proxy
You can use the Web Proxy settings and FortiGate interface settings to enable explicit HTTP and HTTPS proxying on one or more interfaces. When enabled, the FortiGate unit becomes a web proxy server. All HTTP and HTTPS sessions received by interfaces with Explicit web proxy enabled are intercepted by the explicit web proxy and relayed to their destinations. To use the explicit proxy, users must add the IP address of a FortiGate interface and the explicit proxy port number to the proxy configuration settings of their web browsers.

On FortiGate units that support WAN optimization you can also enable web caching for the explicit proxy. For more information, see Web caching on page 610.

To enable explicit web proxy on an interface, go to System > Network > Interface, select the interface, and enable explicit web proxy. If VDOMs are enabled, only interfaces that belong to the current VDOM and have explicit web proxy enabled will be displayed. If you enable the web proxy on an interface that has VLANs on it, the VLANs will only be enabled for web proxy if you manually enable each of them. Web proxy is not in the Global Network section when VDOMs are enabled.
Note: To enable protection profiles for explicit web proxy traffic, you must configure 2 VDOMs and use inter-VDOM routing to pass the web traffic between them.

Web proxies are configured for each VDOM when VDOMs are enabled. To configure web proxies go to System > Network > Web Proxy.
Figure 72: Configuring Web Proxy settings

Proxy FQDN: Enter the fully qualified domain name (FQDN) for the proxy server. This is the domain name to enter into browsers to access the proxy server.
Max HTTP request length: Enter the maximum length of an HTTP request. Larger requests will be rejected.
Max HTTP message length: Enter the maximum length of an HTTP message. Larger messages will be rejected.
Add headers to Forwarded Requests: The web proxy server will forward HTTP requests to the internal network. You can include the following headers in those requests:
Client IP Header: Enable to include the Client IP Header from the original HTTP request.
Via Header: Enable to include the Via Header from the original HTTP request.
X-forwarded-for Header: Enable to include the X-Forwarded-For (XFF) HTTP header. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the remote addresses it passed through to this point.
Front-end HTTPS Header: Enable to include the Front-end HTTP Header from the original HTTPS request.
Explicit Web Proxy Options: Web proxies can be transparent or explicit. Transparent web proxy does not modify the web traffic in any way, but just forwards it to the destination. Explicit web proxy can modify web traffic to provide extra services and administration. Explicit web proxy is configured with the following options.
Enable Explicit Web Proxy: Enable the explicit web proxy.
Port: Enter the explicit web proxy server port. To use the explicit proxy, users must add this port to their web browser proxy configuration.
Listen on Interfaces: Displays the interfaces that are being monitored by the explicit web proxy server.
Unknown HTTP version: Select the action to take when the proxy server must handle an unknown HTTP version request or message. Choose from either Reject or Best Effort. The Reject option is more secure.

To enable the explicit web proxy on one or more interfaces
To use the explicit web proxy, users must add a proxy server to their web browser configuration. The IP address of the proxy server is the IP address of the FortiGate interface connected to their network (if the FortiGate unit is operating in NAT mode) or the management IP address (if the FortiGate unit is operating in transparent mode). The port number of the proxy server is the Explicit web proxy Port configured in step 6 below.
1 Go to System > Network > Interface.
2 Select an interface to enable the explicit web proxy for.
3 Select Enable explicit web proxy, and save the changes.
4 Repeat to enable the explicit web proxy on all of the interfaces that users will connect to when web browsing. When you go to System > Network > Web Proxy, under Explicit web proxy you will see the interfaces that you enabled.
Note: Only interfaces that have explicit web proxy enabled and are in the current VDOM will be displayed. If an interface has a VLAN subinterface configured, it must be enabled separately for explicit web proxy. Enabled interfaces will be displayed independent of explicit web proxy being enabled or not on the Web Proxy screen.
5 Go to System > Network > Web Proxy and select Enable Explicit Proxy.
6 Enter a Port number for the explicit proxy. For example, 8888.
7 Select Apply to save your changes.
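The following is an added example, not part of the guide or of FortiOS, showing how the Web Proxy settings above (Max HTTP request length, Unknown HTTP version, and the Via, X-Forwarded-For, Client IP and Front-end HTTPS headers) act on a raw request before the proxy forwards it. The request bytes, the proxy FQDN and the settings object are constructed; the header names Client-IP and Front-End-Https are assumptions, since the guide names the options but not the header strings.

```python
"""Added example: apply explicit web proxy settings to one forwarded HTTP request."""
from dataclasses import dataclass
from typing import List, Tuple

KNOWN_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


@dataclass
class ProxySettings:
    proxy_fqdn: str = "proxy.example.com"   # constructed value for the Proxy FQDN field
    max_request_length: int = 4096          # Max HTTP request length (bytes)
    unknown_http_version: str = "reject"    # "reject" (more secure) or "best-effort"
    add_via: bool = True
    add_xff: bool = True
    add_client_ip: bool = False
    add_front_end_https: bool = False


class ProxyReject(Exception):
    """Raised when a setting tells the proxy to refuse the request."""


def parse_request(raw: bytes) -> Tuple[str, str, str, List[Tuple[str, str]], bytes]:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def _take(headers: List[Tuple[str, str]], name: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split out every value of header `name` (case-insensitive) from the rest."""
    wanted = [v for n, v in headers if n.lower() == name.lower()]
    rest = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return wanted, rest


def forward_request(raw: bytes, client_ip: str, client_used_tls: bool,
                    cfg: ProxySettings) -> bytes:
    """Return the request the proxy would send on, or raise ProxyReject."""
    if len(raw) > cfg.max_request_length:
        raise ProxyReject("request exceeds Max HTTP request length")
    method, target, version, headers, body = parse_request(raw)
    if version not in KNOWN_VERSIONS:
        if cfg.unknown_http_version == "reject":
            raise ProxyReject(f"unknown HTTP version {version}")
        version = "HTTP/1.1"   # best effort: speak a version the server understands
    if cfg.add_xff:
        # Append rather than replace: whatever XFF the client sent is untrusted input,
        # but the chain is kept so the server sees every hop; client_ip is the
        # only value this proxy can vouch for.
        previous, headers = _take(headers, "X-Forwarded-For")
        headers.append(("X-Forwarded-For", ", ".join(previous + [client_ip])))
    if cfg.add_via:
        previous, headers = _take(headers, "Via")
        headers.append(("Via", ", ".join(previous + [f"1.1 {cfg.proxy_fqdn}"])))
    if cfg.add_client_ip:
        headers.append(("Client-IP", client_ip))   # assumed header name
    if cfg.add_front_end_https:
        headers.append(("Front-End-Https", "on" if client_used_tls else "off"))  # assumed
    out = [f"{method} {target} {version}"] + [f"{n}: {v}" for n, v in headers]
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1") + body
```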


To enable web caching for the explicit web proxy
You can enable web caching for the explicit web proxy on FortiGate units that support WAN optimization and web caching. For more information, see Web caching on page 610.
1 Use the procedure To enable the explicit web proxy on one or more interfaces on page 148 to enable the explicit web proxy.
2 Go to WAN Opt. & Cache > Cache and select Enable Cache Explicit Proxy.
3 Select Apply to save your changes.
Web content requested by users through the explicit proxy is now cached by the FortiGate unit using the WAN optimization web cache.

Routing table (Transparent Mode)


In NAT/Route mode the static routing table is located at System > Routing > Static, but in Transparent Mode the static routing table is located at System > Network > Routing Table.

Adding a static route in Transparent Mode
1 Ensure your FortiGate unit is in Transparent mode. For more details see Changing operation mode on page 206.
2 Go to System > Network > Routing Table.
3 Select Create New.
Figure 73: Static routing table - Transparent Mode

Create New: Add a new static route.
#: Position of the route in the routing table.
IP: The destination IP address for the route.
Mask: The netmask for the route.
Gateway: The IP address of the next hop router to which the route directs traffic.
Distance: The administration distance or relative preferability of the route. An administration distance of 1 is most preferred.
Delete icon: Remove a route.
View/edit icon: Edit or view a route.
Move To icon: Change the position of a route in the list.

Transparent mode route settings


Configuring a static route in Transparent mode
1 Go to System > Network > Routing Table.
2 Select Create New. You can also select the Edit icon of an existing route to modify it.
3 Enter the Destination IP and netmask.
4 Enter the Gateway IP address.
5 Enter the administrative distance.
6 Select OK.

Figure 74: Transparent mode route settings

Destination IP/Mask: Enter the destination IP address and netmask for the route. To create a default route, set the IP and netmask to 0.0.0.0.
Gateway: Enter the IP address of the next hop router to which the route directs traffic. For an Internet connection, the next hop routing gateway routes traffic to the Internet.
Distance: The administration distance or relative preferability of the route. An administration distance of 1 is most preferred.
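The following is an added example, not part of the guide or of FortiOS: a model of the Transparent mode routing table above, accepting IP/Mask entries as the web-based manager shows them (including 0.0.0.0 with netmask 0.0.0.0 for the default route), choosing the most specific match first and the lowest administration distance among equal prefixes, and using table position (the Move To icon) as the final tie-break. The routes, gateways and the 1-255 distance range are constructed assumptions; the guide states only that 1 is most preferred.

```python
"""Added example: static route selection by prefix length, distance and position."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: str   # "IP/netmask" as entered in the web UI, e.g. "0.0.0.0/0.0.0.0", or CIDR
    gateway: str       # next hop router
    distance: int      # administration distance; 1 is most preferred

    @property
    def network(self) -> ipaddress.IPv4Network:
        # strict=False tolerates host bits in the entered IP (e.g. 192.168.50.7/24)
        return ipaddress.ip_network(self.destination, strict=False)


def add_route(table: List[StaticRoute], route: StaticRoute) -> List[StaticRoute]:
    """Append a route after validating its fields (range 1-255 is an assumption)."""
    if not 1 <= route.distance <= 255:
        raise ValueError("distance must be 1-255")
    ipaddress.ip_address(route.gateway)   # raises ValueError on a malformed gateway
    route.network                         # raises ValueError on a malformed IP/mask
    table.append(route)
    return table


def move_to(table: List[StaticRoute], index: int, new_position: int) -> List[StaticRoute]:
    """The Move To icon: change a route's position in the list."""
    table.insert(new_position, table.pop(index))
    return table


def lookup(table: List[StaticRoute], dst_ip: str) -> Optional[StaticRoute]:
    """Return the route used for dst_ip, or None when nothing (not even a default) matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for position, route in enumerate(table):
        if ip not in route.network:
            continue
        # longest prefix wins; among equal prefixes the lowest distance; then earliest position
        key = (-route.network.prefixlen, route.distance, position)
        if best is None or key < best[0]:
            best = (key, route)
    return best[1] if best else None
```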

VLAN overview
A VLAN is a group of PCs, servers, and other network devices that communicate as if they were on the same LAN segment, regardless of their location. For example, the workstations and servers for an accounting department could be scattered throughout an office or city and connected to numerous network segments, but still belong to the same VLAN. A VLAN segregates devices logically instead of physically. Each VLAN is treated as a broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but cannot connect with devices in other VLANs. The communication among devices on a VLAN is independent of the physical network. A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain a VLAN identifier as well as other information. For more information on VLANs, see the FortiGate VLANs and VDOMs Guide.


Figure 75: Basic VLAN topology
[Figure: untagged packets pass between the Internet and a router; the router connects to a VLAN switch carrying VLAN 1 and VLAN 2; the switch serves the VLAN 1 network and the VLAN 2 network]

FortiGate units and VLANs


In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3 routers or firewalls add VLAN tags to packets. Packets passing between devices in the same VLAN are normally handled by layer-2 switches but can be handled by layer-3 devices. Packets passing between devices in different VLANs must be handled by a layer-3 device such as router, firewall, or layer-3 switch. Using VLANs, a single FortiGate unit can provide security services and control connections between multiple security domains. Traffic from each security domain is given a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security policies to secure network and IPSec VPN traffic between security domains. The FortiGate unit can also apply policies, protection profiles, and other firewall features for network and VPN traffic that is allowed to pass between security domains.

VLANs in NAT/Route mode


Operating in NAT/Route mode, the FortiGate unit functions as a layer-3 device to control the flow of packets between VLANs. The FortiGate unit can also remove VLAN tags from incoming VLAN packets and forward untagged packets to other networks, such as the Internet. FortiGate units in NAT/Route mode can use VLANs for constructing VLAN trunks between an IEEE 802.1Q-compliant switch (or router) and the FortiGate units. Normally the FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the external interface connects to an upstream Internet router. The FortiGate unit can then apply different policies for traffic on each VLAN that connects to the internal interface.

When constructing VLAN trunks, you add VLAN subinterfaces to the FortiGate internal interface whose VLAN IDs match the VLAN IDs of the packets in the VLAN trunk. If the IDs don't match, traffic will not be delivered. The FortiGate unit directs packets with VLAN IDs to subinterfaces with matching VLAN IDs. For example, packets tagged with VLAN ID 101 by the sending system are delivered to the subinterface configured with VLAN ID 101. You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit can add VLAN tags to packets leaving a VLAN subinterface, or remove VLAN tags from incoming packets and add different VLAN tags to outgoing packets.

Rules for VLAN IDs


In NAT/Route mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Rules for VLAN IP addresses


IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all interfaces must be on different subnets. This rule applies to both physical interfaces and to VLAN subinterfaces.
Note: If you are unable to change your existing configuration to prevent IP overlap, enter the CLI commands config system global and set allow-interface-subnet-overlap enable to allow IP address overlap. With this setting enabled, multiple VLAN interfaces can have an IP address that is part of a subnet used by another interface. This setting is recommended for advanced users only: once subnets overlap, routing decisions for addresses in the overlapping range are no longer unambiguous, so verify the routing table and any interface-based firewall policies after enabling it.

Figure 76 shows a simplified NAT/Route mode VLAN configuration. In this configuration, the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external interface connects to the Internet. The external interface is not configured with VLAN subinterfaces. When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies VLAN tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The FortiGate unit is configured with policies that allow traffic to flow between VLANs and from the VLANs to the external network.

Figure 76: FortiGate unit in NAT/Route mode (FortiGate external interface 172.16.21.2 passes untagged packets to the Internet; internal interface 192.168.110.126 connects over an 802.1Q trunk to a VLAN switch with ports Fa 0/24, Fa 0/9 and Fa 0/3; VLAN 100 network 10.1.1.0 and VLAN 200 network 10.1.2.0 hang off the switch)

Adding VLAN subinterfaces


The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE 802.1Q-compliant switch or router. The VLAN ID can be any number between 1 and 4094, as 0 and 4095 are reserved. Each VLAN subinterface must also be configured with its own IP address and netmask. Add VLAN subinterfaces to the physical interface that receives the VLAN-tagged packets.

Note: A VLAN must not have the same name as a virtual domain or zone.
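The rules for VLAN IDs, VLAN IP addresses and VLAN subinterface names above are easy to get wrong when a plan has more than a handful of subinterfaces. The following checker is an added example, not FortiGate code or anything from this guide: it validates a planned NAT/Route-mode interface layout against those rules before you enter it in the GUI. The Iface class, the check_plan function and the interface names and addresses (modelled on Figure 76) are all constructed for illustration.

```python
"""Added example, not FortiGate code: check a planned NAT/Route-mode
interface layout against the VLAN rules in this section. The dataclass
and the addresses used in the demo are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Interface
from itertools import combinations
from typing import List, Optional


@dataclass
class Iface:
    name: str
    address: str                     # e.g. "192.168.110.126/24"
    physical: Optional[str] = None   # parent interface, VLAN subinterfaces only
    vid: Optional[int] = None        # 802.1Q VLAN ID, VLAN subinterfaces only


def check_plan(ifaces: List[Iface], vdoms=(), zones=(), allow_subnet_overlap=False) -> List[str]:
    """Return a list of rule violations; an empty list means the plan is valid."""
    problems = []
    reserved = set(vdoms) | set(zones)
    physical_names = {i.name for i in ifaces if i.vid is None}
    seen_names = set()
    used_vids = {}                   # (physical, vid) -> subinterface already using it

    for i in ifaces:
        if i.name in seen_names:
            problems.append(f"{i.name}: duplicate interface name")
        seen_names.add(i.name)
        if i.name in reserved:
            problems.append(f"{i.name}: a VLAN must not have the same name as a VDOM or zone")
        if i.vid is None:
            continue                 # physical interface: only the name and subnet rules apply
        # Rules for VLAN IDs: 1..4094, unique per physical interface
        if not 1 <= i.vid <= 4094:
            problems.append(f"{i.name}: VLAN ID {i.vid} outside 1..4094 (0 and 4095 are reserved)")
        if i.physical not in physical_names:
            problems.append(f"{i.name}: parent {i.physical!r} is not a physical interface in the plan")
        key = (i.physical, i.vid)
        if key in used_vids:
            problems.append(f"{i.name}: VLAN ID {i.vid} already used on {i.physical} by {used_vids[key]}")
        used_vids.setdefault(key, i.name)

    # Rules for VLAN IP addresses: no two interfaces (physical or VLAN) on overlapping subnets,
    # unless the administrator has explicitly enabled allow-interface-subnet-overlap
    if not allow_subnet_overlap:
        for a, b in combinations(ifaces, 2):
            if IPv4Interface(a.address).network.overlaps(IPv4Interface(b.address).network):
                problems.append(f"{a.name} and {b.name}: subnets overlap "
                                "(set allow-interface-subnet-overlap enable to permit this)")
    return problems


if __name__ == "__main__":
    # Constructed plan following Figure 76
    plan = [
        Iface("external", "172.16.21.2/24"),
        Iface("internal", "192.168.110.126/24"),
        Iface("vlan100", "10.1.1.1/24", physical="internal", vid=100),
        Iface("vlan200", "10.1.2.1/24", physical="internal", vid=200),
    ]
    for problem in check_plan(plan, vdoms=["root"]) or ["plan is valid"]:
        print(problem)
```

Note that the same VLAN ID on two different physical interfaces passes, as the rules allow, while the same ID twice on one physical interface does not; the subnet check treats physical and VLAN interfaces alike, matching the rule that applies to both.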

To add a VLAN subinterface in NAT/Route mode
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 If you are an administrator with a super-admin profile, you can create VLAN subinterfaces for any virtual domain. If not, you can only create VLAN subinterfaces in your own VDOM. See Using virtual domains on page 103 for information about virtual domains.
7 Configure the VLAN subinterface settings. See Interface settings on page 123.

8 Select OK.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected in step 4.
To add firewall policies for a VLAN subinterface
After you add a VLAN subinterface you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See About firewall addresses on page 345.
3 Go to Firewall > Policy.
4 Configure firewall policies as required.

VLANs in Transparent mode


In Transparent mode, the FortiGate unit can apply firewall policies and services, such as authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1Q VLAN trunk. You can insert the FortiGate unit into the trunk without making changes to the network. In a typical configuration, the FortiGate internal interface accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The FortiGate external interface forwards tagged packets through the trunk to an external VLAN switch or router that can be connected to the Internet. The FortiGate unit can be configured to apply different policies for traffic on each VLAN in the trunk.

For VLAN traffic to be able to pass between the FortiGate internal and external interfaces, you add a VLAN subinterface to the internal interface and another VLAN subinterface to the external interface. If these VLAN subinterfaces have the same VLAN IDs, the FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces, you can also use firewall policies to control connections between VLANs. If the network uses IEEE 802.1Q VLAN tags to segment your network traffic, you can configure a FortiGate unit to provide security for network traffic passing between different VLANs.

To support VLAN traffic in Transparent mode, you add virtual domains to the FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces.

When the FortiGate unit receives a VLAN-tagged packet at an interface, the packet is directed to the VLAN subinterface with the matching VLAN ID. The VLAN subinterface removes the VLAN tag and assigns a destination interface to the packet based on its destination MAC address. The firewall policies for the source and destination VLAN subinterface pair are applied to the packet. If the packet is accepted by the firewall, the FortiGate unit forwards the packet to the destination VLAN subinterface. The destination VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN trunk.
Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode. This includes VLANs. If no other interfaces are configured for a VDOM, you can configure up to 255 VLANs in that VDOM.
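Two passages above describe mechanics that are clearer in code: the introduction to VLANs says a tag is a 4-byte frame extension carrying the VLAN identifier, and the Transparent-mode description says the unit directs a tagged packet to the subinterface with the matching VLAN ID, strips the tag, picks the destination interface by MAC address, applies the policy for the subinterface pair, and re-tags with the destination VLAN ID. The following is an added example, not code from this guide or from Fortinet. The tag layout (TPID 0x8100 followed by a 16-bit TCI with a 3-bit priority, a 1-bit DEI and a 12-bit VLAN ID) comes from the IEEE 802.1Q standard rather than from the page; the TransparentVdom class, its MAC learning, its flooding of unknown destinations, and the subinterface names, MAC addresses and policies in the demo are all constructed for illustration.

```python
"""Added example, not code from the FortiGate guide or from Fortinet.

parse_frame/build_frame handle the 4-byte IEEE 802.1Q tag (TPID 0x8100, then a
TCI holding a 3-bit priority, 1-bit DEI and 12-bit VLAN ID; this layout is from
the standard, not from the page). TransparentVdom simulates the Transparent-mode
forwarding described above. Subinterface names, MAC addresses and policies are
constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100
ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType (or TPID if tagged)


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None for untagged frames."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    off = ETH_HDR.size
    vid = None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, off)  # TCI, then the real EtherType
        off += 4
        vid = tci & 0x0FFF
        if vid in (0, 4095):  # 0 = priority-only tag, 4095 = reserved
            raise ValueError(f"reserved VLAN ID {vid} in tag")
    return dst, src, vid, ethertype, frame[off:]


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an untagged frame (vid None) or insert an 802.1Q tag with the given VID."""
    if vid is None:
        return ETH_HDR.pack(dst, src, ethertype) + payload
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | vid
    return ETH_HDR.pack(dst, src, TPID_8021Q) + struct.pack("!HH", tci, ethertype) + payload


class TransparentVdom:
    """One Transparent-mode VDOM: VLAN subinterfaces, a learned MAC table and
    firewall policies keyed by (source subinterface, destination subinterface)."""

    def __init__(self, subinterfaces, policies):
        self.subs = subinterfaces  # name -> (physical port, VLAN ID)
        self.by_port_vid = {pv: name for name, pv in subinterfaces.items()}
        self.policies = policies  # (src_sub, dst_sub) -> "accept" or "deny"
        self.mac_table = {}  # MAC -> subinterface it was last seen on

    def receive(self, port, frame):
        """Return a list of (egress port, re-tagged frame); an empty list means dropped."""
        dst, src, vid, ethertype, payload = parse_frame(frame)
        src_sub = self.by_port_vid.get((port, vid))
        if src_sub is None:  # no subinterface on this port with a matching VLAN ID
            return []
        self.mac_table[src] = src_sub  # learn where the source lives
        dst_sub = self.mac_table.get(dst)
        # Unknown destination MAC: flood to every other subinterface the policy allows
        candidates = [dst_sub] if dst_sub else [s for s in self.subs if s != src_sub]
        out = []
        for sub in candidates:
            if self.policies.get((src_sub, sub)) != "accept":
                continue  # no accept policy for this subinterface pair
            egress_port, egress_vid = self.subs[sub]
            out.append((egress_port, build_frame(dst, src, ethertype, payload, vid=egress_vid)))
        return out


if __name__ == "__main__":
    vdom = TransparentVdom(
        {"int_v100": ("internal", 100), "ext_v200": ("external", 200)},
        {("int_v100", "ext_v200"): "accept", ("ext_v200", "int_v100"): "accept"},
    )
    a, b = bytes.fromhex("02aaaaaaaaaa"), bytes.fromhex("02bbbbbbbbbb")
    for egress, out_frame in vdom.receive("external", build_frame(b, a, 0x0800, b"ping", vid=200)):
        print(egress, parse_frame(out_frame)[2])  # internal 100
```

The demo pairs internal VLAN 100 with external VLAN 200, so a frame entering tagged 200 leaves tagged 100: the VLAN ID of the egress subinterface, not the ingress tag, is what goes back onto the trunk. A frame arriving with a VLAN ID that no subinterface on that port carries is dropped, and so is any subinterface pair without an accept policy.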

Figure 77 shows a FortiGate unit operating in Transparent mode with 2 virtual domains and configured with three VLAN subinterfaces.

Figure 77: FortiGate unit with two virtual domains in Transparent mode (the root virtual domain carries VLAN1 between the internal and external VLAN trunks; a new virtual domain carries VLAN2 and VLAN3; each trunk connects to a VLAN switch or router, the external one leading to the Internet)

Figure 78 shows a FortiGate unit operating in Transparent mode and configured with three VLAN subinterfaces. In this configuration, the FortiGate unit would provide virus scanning, web content filtering, and other services to each VLAN.
Figure 78: FortiGate unit in Transparent mode (untagged packets between the Internet and a router; a VLAN switch sends VLAN 1, VLAN 2 and VLAN 3 over a VLAN trunk through the FortiGate unit to a second VLAN switch serving the VLAN 1, VLAN 2 and VLAN 3 networks)

Rules for VLAN IDs


In Transparent mode, two VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the same VLAN IDs to different physical interfaces. There is no internal connection or link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the same as the relationship between any two FortiGate network interfaces.

Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.

Transparent mode virtual domains and VLANs


VLAN subinterfaces are added to and associated with virtual domains. By default the FortiGate configuration includes one virtual domain, named root, and you can add as many VLAN subinterfaces as you require to this virtual domain. You can add more virtual domains if you want to separate groups of VLAN subinterfaces into virtual domains. For information on adding and configuring virtual domains, see Using virtual domains on page 103.

Adding a VLAN subinterface in Transparent mode

Note: A VLAN must not have the same name as a virtual domain or zone.

To add a VLAN subinterface
1 Go to System > Network > Interface.
2 Select Create New.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this VLAN subinterface.
6 Select which virtual domain to add this VLAN subinterface to. See Using virtual domains on page 103 for information about virtual domains.
7 Configure the administrative access and log settings. See Interface settings on page 123 for more descriptions of these settings.
8 Select OK. The FortiGate unit adds the new subinterface to the interface that you selected in step 4.
9 Select Bring up to activate the VLAN subinterface.
To add firewall policies for a VLAN subinterface
After you add a VLAN subinterface, you can add firewall policies for connections between VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.

2 Select Create New to add firewall addresses that match the source and destination IP addresses of VLAN packets. See About firewall addresses on page 345.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

Troubleshooting ARP Issues


Address Resolution Protocol (ARP) traffic is vital to communication on a network and is enabled on FortiGate interfaces by default. Normally ARP packets must pass through the FortiGate unit, especially when it sits between a client and a server or between a client and a router.

Duplicate ARP packets


Duplicate ARP packets can cause problems: the recipient device sees the same ARP packet arrive more than once and may conclude that the packets came from two different devices, which looks like an attempt to spoof a host on the network. This is especially likely in Transparent mode, where ARP packets arriving on one interface are sent out all other interfaces, including VLAN subinterfaces. Some layer-2 switches become unstable when they detect the same MAC address originating on more than one switch interface or from more than one VLAN. This instability can occur if the layer-2 switch does not maintain separate MAC address tables for each VLAN. Unstable switches may reset, causing network traffic to slow down.

ARP Forwarding
One solution to the duplicate ARP packet problem is to enable ARP forwarding. When ARP forwarding is enabled, the FortiGate unit passes the duplicate ARP packets through, which resolves the delivery problems they cause. However, it also lets spoofed ARP packets through, so it opens the network to ARP spoofing attempts. For more secure solutions, see the FortiGate VLANs and VDOMs Guide.
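The two symptoms this section describes can be spotted from a capture of ARP traffic on the FortiGate's interfaces: the same source MAC address appearing on more than one interface or VLAN (the duplicate that destabilises some layer-2 switches), and the same IP address being claimed by more than one MAC address (the spoofing that ARP forwarding lets through). The following detector is an added example, not Fortinet code or a FortiGate log format; the one-line observation format, the regular expression and the sample observations are constructed for illustration.

```python
"""Added example, not Fortinet code: flag MAC addresses seen on more than one
interface or VLAN, and IP addresses answered by more than one MAC address,
from ARP observations. The observation format and SAMPLE are constructed;
they are not a FortiGate log format."""
import re
from collections import defaultdict

# Constructed format: "<port> vlan<id> <sender MAC> <sender IP> -> <target IP>"
LINE_RE = re.compile(
    r"^(?P<port>\S+)\s+vlan(?P<vid>\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+(?P<sip>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<tip>\d+\.\d+\.\d+\.\d+)$",
    re.IGNORECASE,
)

# Constructed sample: one host flooded to both trunks of a Transparent-mode
# VDOM, one host moving between VLANs, and two MACs both answering for the
# gateway address 10.1.1.1.
SAMPLE = """\
internal vlan100 00:11:22:33:44:55 10.1.1.10 -> 10.1.1.1
external vlan100 00:11:22:33:44:55 10.1.1.10 -> 10.1.1.1
internal vlan100 00:11:22:33:44:66 10.1.1.11 -> 10.1.1.1
internal vlan200 00:11:22:33:44:66 10.1.2.11 -> 10.1.2.1
internal vlan100 00:11:22:33:44:01 10.1.1.1 -> 10.1.1.11
internal vlan100 00:11:22:33:44:ee 10.1.1.1 -> 10.1.1.11
internal vlan200 00:11:22:33:44:77 10.1.2.10 -> 10.1.2.1
"""


def parse(text):
    """Yield (port, vid, sender_mac, sender_ip, target_ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["port"], int(m["vid"]), m["mac"].lower(), m["sip"], m["tip"]


def analyze_arp(observations):
    """Return (flapping, conflicts).

    flapping:  MAC -> sorted list of (port, vid) it was seen on, when more than one
    conflicts: IP  -> sorted list of MACs that claimed it, when more than one
    """
    mac_locations = defaultdict(set)
    ip_claimants = defaultdict(set)
    for port, vid, mac, sender_ip, _target_ip in observations:
        mac_locations[mac].add((port, vid))
        ip_claimants[sender_ip].add(mac)
    flapping = {m: sorted(locs) for m, locs in mac_locations.items() if len(locs) > 1}
    conflicts = {ip: sorted(macs) for ip, macs in ip_claimants.items() if len(macs) > 1}
    return flapping, conflicts


if __name__ == "__main__":
    flapping, conflicts = analyze_arp(parse(SAMPLE))
    for mac, where in flapping.items():
        print(f"MAC {mac} seen on {len(where)} interface/VLAN pairs: {where}")
    for ip, macs in conflicts.items():
        print(f"IP {ip} claimed by {len(macs)} MACs: {macs} (possible ARP spoofing)")
```

A MAC seen on both the internal and external trunk of the same VLAN is the signature of Transparent-mode flooding described above; a MAC seen on two VLANs of one port is what a switch without per-VLAN MAC tables chokes on. An IP with several claimants is the case that enabling ARP forwarding stops the FortiGate from suppressing, so if you turn that option on, keep this kind of check running elsewhere.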

System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units. The majority of this section is applicable to all FortiWiFi units. If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and wireless monitor are configured separately for each virtual domain. System wireless settings are configured globally. For details, see Using virtual domains on page 103.
This section describes:
FortiWiFi wireless interfaces
Channel assignments
Wireless settings
Wireless MAC Filter
Wireless Monitor
Rogue AP detection

FortiWiFi wireless interfaces


FortiWiFi units support up to four wireless interfaces and four different SSIDs. Each wireless interface should have a different SSID, and each wireless interface can have different security settings. For details on adding wireless interfaces, see Adding a wireless interface on page 163.
You can configure the FortiWiFi unit to:
Provide an access point that clients with wireless network cards can connect to. This is called Access Point mode, which is the default mode. All FortiWiFi units can have up to four wireless interfaces in this mode.
Connect the FortiWiFi unit to another wireless network. This is called Client mode. A FortiWiFi unit operating in Client mode can have only one wireless interface.
Monitor access points within radio range. This is called Monitoring mode. You can designate the detected access points as Accepted or Rogue for tracking purposes. No access point or client operation is possible in this mode, but you can enable monitoring as a background activity while the unit is in Access Point mode.
FortiWiFi units support the following wireless network standards:
IEEE 802.11a (5-GHz band)
IEEE 802.11b (2.4-GHz band)
IEEE 802.11g (2.4-GHz band)
WEP64 and WEP128 Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or RADIUS servers

Channel assignments
Depending on the wireless protocol selected, you have specific channels available to you, depending on what region of the world you are in. Set the channel for the wireless network by going to System > Wireless > Settings. For more information see Wireless settings on page 162. The following tables list the channel assignments for wireless networks for each supported wireless protocol.

IEEE 802.11a channel numbers


Table 10 lists IEEE 802.11a channels supported for FortiWiFi products that support the IEEE 802.11a wireless standard. 802.11a is only available on FortiWiFi-60B units. All channels are restricted to indoor usage except in the Americas, where both indoor and outdoor use is permitted on channels 52 through 64 in the United States.
Table 10: IEEE 802.11a (5-GHz band) channel numbers
Channel number  Frequency (MHz)
34              5170
36              5180
38              5190
40              5200
42              5210
44              5220
46              5230
48              5240
52              5260
56              5280
60              5300
64              5320
149             5745
153             5765
157             5785
161             5805
Regulatory areas (availability marked per channel in the original table): Americas, Europe, Taiwan, Singapore, Japan.

IEEE 802.11b channel numbers


Table 11 lists IEEE 802.11b channels. All FortiWiFi units support 802.11b. Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure that the channel number complies with the regulatory standards of Mexico.

Table 11: IEEE 802.11b (2.4-GHz band) channel numbers
Channel number  Frequency (MHz)
1               2412
2               2417
3               2422
4               2427
5               2432
6               2437
7               2442
8               2447
9               2452
10              2457
11              2462
12              2467
13              2472
14              2484
Regulatory areas (availability marked per channel in the original table): Americas, EMEA, Israel, Japan.

IEEE 802.11g channel numbers


Table 12 lists IEEE 802.11g channels. All FortiWiFi products support 802.11g.
Table 12: IEEE 802.11g (2.4-GHz band) channel numbers
Channel number  Frequency (MHz)
1               2412
2               2417
3               2422
4               2427
5               2432
6               2437
7               2442
8               2447
9               2452
10              2457
11              2462
12              2467
13              2472
14              2484
Regulatory areas (the original table marks, per channel and area, whether CCK or OFDM modulation is permitted): Americas, EMEA, Israel, Japan.

Wireless settings
To configure the wireless settings, go to System > Wireless > Settings. By default the FortiWiFi unit includes one wireless interface, called wlan. If you are operating your FortiWiFi unit in access point mode, you can add up to three virtual wireless interfaces. All wireless interfaces use the same wireless parameters. That is, you configure the wireless settings once, and all wireless interfaces use those settings. For details on adding more wireless interfaces, see Adding a wireless interface on page 163. When operating the FortiWiFi unit in Client mode, radio settings are not configurable.
Figure 79: FortiWiFi wireless parameters - Access Point mode

Figure 80: FortiWiFi wireless parameters - Client mode

Figure 81: FortiWiFi wireless parameters - Monitoring mode

Operation Mode: Select Change to switch operation modes.
Access Point: The FortiWiFi unit acts as an access point for wireless users to connect to send and receive information over a wireless network. It enables multiple wireless network users to access the network without the need to connect to it physically. The FortiWiFi unit can connect to the internal network and act as a firewall to the Internet.
Client: The FortiWiFi unit is set to receive transmissions from another access point. This enables you to connect remote users to an existing network using wireless protocols.
Monitoring: Scan for other access points. These are listed in the Rogue AP list. See Rogue AP detection on page 168.
Note: You cannot switch to Client mode or Monitoring mode if you have added virtual wireless interfaces. For these modes, there must be only one wireless interface, wlan.

Radio settings (Access Point mode only)
Band: Select the wireless frequency band. Be aware what wireless cards or devices your users have, as it may limit their use of the wireless network. For example, if you configure the FortiWiFi unit for 802.11g and users have 802.11b devices, they may not be able to use the wireless network.
Geography: Select your country or region. This determines which channels are available. See Channel assignments on page 160 for channel information.
Channel: Select a channel for your wireless network or select Auto. The channels that you can select depend on the Geography setting. See Channel assignments on page 160 for channel information.
Tx Power: Set the transmitter power level. The higher the number, the larger the area the FortiWiFi unit will broadcast over. If you want to keep the wireless signal to a small area, enter a smaller number.
Beacon Interval: Set the interval between beacon packets. Access points broadcast beacons or Traffic Indication Messages (TIM) to synchronize wireless networks. A higher value decreases the number of beacons sent; however, it may delay some wireless clients from connecting if they miss a beacon packet. Decreasing the value increases the number of beacons sent; this makes it quicker to find and connect to the wireless network, but it requires more overhead, slowing throughput.
Background Rogue AP Scan: Perform the Monitoring mode scanning function while the unit is in Access Point mode. Scanning occurs while the access point is idle. The scan covers all wireless channels. Background scanning can reduce performance if the access point is busy. See Rogue AP detection on page 168.

Wireless interface list (Access Point and Client modes)
Interface: The name of the wireless interface. To modify wireless interface settings, select the interface name. To add more wireless interfaces in Access Point mode, see Adding a wireless interface on page 163.
MAC Address: The MAC address of the wireless interface.
SSID: The wireless service set identifier (SSID) or network name for the wireless interface. To communicate, an access point and its clients must use the same SSID.
SSID Broadcast: A green checkmark icon indicates that the wireless interface broadcasts its SSID. Broadcasting the SSID makes it possible for clients to connect to your wireless network without first knowing the SSID. This column is visible only in Access Point mode.
Security Mode: The wireless interface security mode: WEP64, WEP128, WPA, WPA2, WPA2 Auto or None.

Adding a wireless interface


You can add up to three virtual wireless interfaces to your access point. These additional interfaces share the same wireless parameters configured for the WLAN interface for Band, Geography, Channel, Tx Power, and Beacon Interval. Ensure each wireless interface has a unique SSID.
Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client mode or Monitoring mode.

To add a wireless interface
1 Go to System > Network > Interface.
2 Select Create New.
3 Complete the following:
Name: Enter a name for the wireless interface. The name cannot be the same as an existing interface, zone or VDOM.
Type: Select Wireless.
Address Mode: The wireless interface can only be set as a manual address. Enter a valid IP address and netmask. If the FortiWiFi unit is running in Transparent mode, this field does not appear; the interface will be on the same subnet as the other interfaces.
Administrative Access: Set the administrative access for the interface.
4 In the Wireless Settings section, complete the following and select OK:
Figure 82: Wireless interface settings (WEP)

Figure 83: Wireless interface settings (WPA)

SSID: Enter the wireless service set identifier (SSID) or network name for this wireless interface. Users who want to use the wireless network must configure their computers with this network name.

SSID Broadcast: Select to broadcast the SSID. Broadcasting the SSID enables clients to connect to your wireless network without first knowing the SSID. Not broadcasting the SSID reduces the chance of a casual user noticing and connecting to your wireless network, but it is not a security control: associated clients still send the SSID in the clear, so anyone with a wireless sniffer can recover it. Rely on the security mode, not on a hidden SSID, to keep unwanted users out. If you choose not to broadcast the SSID, you need to inform users of the SSID so they can configure their wireless devices.

Security mode: Select the security mode for the wireless interface. Wireless users must use the same security mode to be able to connect to this wireless interface.
None: No security. Any wireless user can connect to the wireless network.
WEP64: 64-bit Wired Equivalent Privacy (WEP). To use WEP64 you must enter a Key containing 10 hexadecimal digits (0-9, a-f) and inform wireless users of the key.
WEP128: 128-bit WEP. To use WEP128 you must enter a Key containing 26 hexadecimal digits (0-9, a-f) and inform wireless users of the key.
WPA: Wi-Fi Protected Access (WPA) security. To use WPA you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
WPA2: WPA with more security features. To use WPA2 you must select a data encryption method and enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
WPA2 Auto: The same security features as WPA2, but also accepts wireless clients using WPA security. To use WPA2 Auto you must select a data encryption method. You must also enter a pre-shared key containing at least eight characters or select a RADIUS server. If you select a RADIUS server, the wireless clients must have accounts on the RADIUS server.
Both WEP key lengths are cryptographically broken and can be recovered by a passive attacker from captured traffic; use WEP only for legacy clients that support nothing better, and prefer WPA2 with AES.

Key: Enter the security key. This field appears when selecting WEP64 or WEP128 security.

Data Encryption: Select a data encryption method to be used by WPA, WPA2, or WPA2 Auto. Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to use Advanced Encryption Standard (AES) encryption. AES is considered more secure than TKIP. Some implementations of WPA may not support AES.

Pre-shared Key: Enter the pre-shared key. This field appears when selecting WPA, WPA2, or WPA2 Auto security.

RADIUS Server: Select to use a RADIUS server when selecting WPA or WPA2 security. You can use WPA or WPA2 RADIUS security to integrate your wireless network configuration with a RADIUS or Windows AD server. Select a RADIUS server name from the list. You must configure the RADIUS server by going to User > RADIUS. For more information, see RADIUS on page 571.

RTS Threshold: Set the Request to Send (RTS) threshold. The RTS threshold is the maximum size, in bytes, of a packet that the FortiWiFi unit will accept without sending RTS/CTS packets to the sending wireless device. In some cases, larger packets being sent may cause collisions, slowing data transmissions. By changing this value from the default of 2346, you can configure the FortiWiFi unit to, in effect, have the sending wireless device ask for clearance before sending larger transmissions. There can still be a risk of smaller packet collisions; however, this is less likely. A setting of 2346 bytes effectively disables this option.

Fragmentation Threshold: Set the maximum size of a data packet before it is broken into smaller packets, reducing the chance of packet collisions. If the packet is larger than the threshold, the FortiWiFi unit will fragment the transmission. If the packet size is less than the threshold, the FortiWiFi unit will not fragment the transmission. A setting of 2346 bytes effectively disables this option.

Wireless MAC Filter


To improve the security of your wireless network, you can enable MAC address filtering on the FortiWiFi unit. By enabling MAC address filtering, you define the wireless devices that can access the network based on their MAC address. When a user attempts to access the wireless network, the FortiWiFi unit checks the MAC address of the user's device against the list you created. If the MAC address is on the approved list, the user gains access to the network. If it is not in the list, the user is rejected.

Alternatively, you can create a deny list. Similar to the allow list, you can configure the wireless interface to allow all connections except those in the MAC address list. Using MAC address filtering makes it more difficult for an attacker using random MAC addresses to gain access to your network. It does not stop a determined one: MAC addresses are transmitted in the clear and can be copied from any associated client, so MAC filtering raises the effort for a casual intruder but is not a substitute for WPA or WPA2 encryption. Note that you can configure one list per WLAN interface. To allow or deny wireless access to wireless clients based on the MAC address of the client wireless cards, go to System > Wireless > MAC Filter.

Managing the MAC Filter list


The MAC Filter list enables you to view the MAC addresses you have added to a wireless interface and their status; either allow or deny. It also enables you to edit and manage MAC Filter lists.
Figure 84: Wireless MAC filter list

Interface: The name of the wireless interface.
MAC address List: The list of MAC addresses in the MAC filter list for the wireless interface.
Access: Allow or deny access to the listed MAC addresses for the wireless interface.
Enable: Select to enable MAC filtering for the wireless interface.
Edit icon: Edit the MAC address list for an interface.

To edit a MAC filter list 1 Go to System > Wireless > MAC Filter. 2 Select Edit for the wireless interface.
Figure 85: Wireless interface MAC filter

3 Complete the following and select OK:

List Access: Select to allow or deny the addresses in the MAC Address list from accessing the wireless network.
MAC Address: Enter the MAC address to add to the list.
Add: Add the entered MAC address to the list.
Remove: Select one or more MAC addresses in the list and select Remove to delete the MAC addresses from the list.

Wireless Monitor
Go to System > Wireless > Monitor to view information about your wireless network. In Access Point mode, you can see who is connected to your wireless LAN. In Client mode, you can see which access points are within radio range.
Figure 86: Wireless monitor - AP mode

Figure 87: Wireless monitor - Client mode

Statistics: Statistical information about wireless performance for each wireless interface.
AP Name / Name: The name of the wireless interface.
Frequency: The frequency that the wireless interface is operating at. It should be around 5 GHz for 802.11a interfaces and around 2.4 GHz for 802.11b and 802.11g networks.
Signal Strength (dBm): The strength of the signal from the client.
Noise (dBm): The received noise level.
S/N (dB): The signal-to-noise ratio in decibels, calculated from signal strength and noise level.

Rx (KBytes): The amount of data in kilobytes received this session.
Tx (KBytes): The amount of data in kilobytes sent this session.
Clients list (AP mode): Real-time details about the client wireless devices that can reach this FortiWiFi unit access point. Only devices on the same radio band are listed.
MAC Address: The MAC address of the connected wireless client.
IP Address: The IP address assigned to the connected wireless client.
AP Name: The name of the wireless interface that the client is connected to.
Neighbor AP list (Client mode): Real-time details about the access points that the client can receive.
MAC Address: The MAC address of the access point.
SSID: The wireless service set identifier (SSID) that this access point broadcasts.
Channel: The wireless radio channel that the access point uses.
Rate (M): The data rate of the access point in Mbits/s.
RSSI: The received signal strength indication, a relative value between 0 (minimum) and 255 (maximum).

Rogue AP detection
Rogue Access Point Detection scans for wireless access points in Monitoring mode. You can also enable scanning in the background while the unit is in Access Point mode.
To enable the monitoring mode
1 Go to System > Wireless > Settings.
2 Select Change beside the current operation mode.
3 Select Monitoring and then select OK.
4 Select OK to confirm the mode change.
5 Select Apply.
To enable background scanning
1 While in Access Point mode, go to System > Wireless > Settings.
2 Enable Background Rogue AP Scan and then select Apply.

Viewing wireless access points


Go to System > Wireless > Rogue AP to view detected access points. This is available in Monitoring mode, or in Access Point mode with Background Rogue AP Scan enabled. Access points are listed in the Unknown Access Points list until you mark them as either Accepted or Rogue access points. This designation helps you to track access points. It does not affect anyone's ability to use these access points.


FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback


Figure 88: Rogue Access Point list

Refresh Interval: Set time between information updates. none means no updates.
Refresh: Updates displayed information now.
Inactive Access Points: Select which inactive access points to show: all, none, those detected less than one hour ago, or those detected less than one day ago.
Online: A green checkmark indicates an active access point. A grey X indicates that the access point is inactive.
SSID: The wireless service set identifier (SSID) or network name for the wireless interface.
MAC Address: The MAC address of the wireless interface.
Channel: The wireless radio channel that the access point uses.
Rate: The data rate of the access point.
Signal Strength/Noise: The signal strength and noise level.
First Seen: The date and time when the FortiWiFi unit first detected the access point.
Last Seen: The date and time when the FortiWiFi unit last detected the access point.
Mark as Accepted AP: Select the icon to move this entry to the Accepted Access Points list.
Mark as Rogue AP: Select the icon to move this entry to the Rogue Access Points list.
Forget AP: Return the item to the Unknown Access Points list from the Accepted Access Points list or the Rogue Access Points list.

You can also enter information about accepted and rogue APs in the CLI without having to detect them first. See the system wireless ap-status command in the FortiGate CLI Reference.

System DHCP
This section describes how to use DHCP to provide convenient automatic network configuration for your clients. DHCP is not available in Transparent mode. DHCP requests are passed through the FortiGate unit when it is in Transparent mode. If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured separately for each virtual domain. For details, see Using virtual domains on page 103.
This section describes:
  FortiGate DHCP servers and relays
  Configuring DHCP services
  Viewing address leases

FortiGate DHCP servers and relays


The DHCP protocol enables hosts to automatically obtain an IP address from a DHCP server. Optionally, they can also obtain default gateway and DNS server settings. A FortiGate interface or VLAN subinterface can provide the following DHCP services:
  Basic DHCP servers for non-IPSec IP networks
  IPSec DHCP servers for IPSec (VPN) connections
  DHCP relay for regular Ethernet or IPSec (VPN) connections

An interface cannot provide both a server and a relay for connections of the same type (regular or IPSec).
Note: You can configure a Regular DHCP server on an interface only if the interface has a static IP address. You can configure an IPSec DHCP server on an interface that has either a static or a dynamic IP address.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server dynamically assigns IP addresses to hosts on the network connected to the interface. The host computers must be configured to obtain their IP addresses using DHCP. If an interface is connected to multiple networks via routers, you can add a DHCP server for each network. The IP range of each DHCP server must match the network address range. The routers must be configured for DHCP relay. To configure a DHCP server, see Configuring a DHCP server on page 173. You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests from DHCP clients to an external DHCP server and returns the responses to the DHCP clients. The DHCP server must have appropriate routing so that its response packets to the DHCP clients arrive at the FortiGate unit. To configure a DHCP relay see Configuring an interface as a DHCP relay agent on page 173. DHCP services can also be configured through the Command Line Interface (CLI). See the FortiGate CLI Reference for more information.

Configuring DHCP services


Go to System > DHCP > Service to configure DHCP services. On each FortiGate interface, you can configure a DHCP relay or add DHCP servers as needed. On FortiGate 50 and 60 series units, a DHCP server is configured, by default, on the Internal interface, as follows:
IP Range: 192.168.1.110 to 192.168.1.210
Netmask: 255.255.255.0
Default gateway: 192.168.1.99
Lease time: 7 days
DNS Server 1: 192.168.1.99

You can disable or change this default DHCP Server configuration.


Note: You cannot configure DHCP in Transparent mode. In Transparent mode DHCP requests pass through the FortiGate unit.

Note: An interface must have a static IP before you configure a DHCP server on it.

These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If you change this address to a different network, you need to change the DHCP server settings to match.
Figure 89: DHCP service list - FortiGate-200A shown

Interface: List of FortiGate interfaces. Expand each listed interface to view the Relay and Servers.
Server Name/Relay IP: Name of the FortiGate DHCP server or IP address of the DHCP server accessed by the relay.
Type: Type of DHCP relay or server: Regular or IPSec.
Enable: A green check mark icon indicates that the server or relay is enabled.
Add DHCP Server icon: Select to configure and add a DHCP server for this interface.

Edit icon: Select to edit the DHCP relay or server configuration.
Delete icon: Select to delete the DHCP server.

Configuring an interface as a DHCP relay agent


Go to System > DHCP > Service and select an edit icon to view or modify the DHCP relay configuration for an interface.
Figure 90: Edit DHCP relay settings for an interface

Interface Name: The name of the interface.
Type: Select the type of DHCP service required as either Regular or IPSEC.
DHCP Server IP: Enter the IP address of the DHCP server that will answer DHCP requests from computers on the network connected to the interface.
DHCP Relay Agent: Select to enable the DHCP relay agent on this interface.

Configuring a DHCP server


The System > DHCP > Service screen gives you access to existing DHCP servers. It is also where you configure new DHCP servers.
To configure a DHCP server
1 Go to System > DHCP > Service.
2 Select the blue arrow for the interface.
3 Select the Add DHCP Server icon to create a new DHCP server, or select the Edit icon beside an existing DHCP server to change its settings.
4 Configure the DHCP server.
5 Select OK.

Figure 91: DHCP Server options

Name: Enter a name for the DHCP server.
Enable: Enable the DHCP server.
Type: Select Regular or IPSEC DHCP server. You cannot configure a Regular DHCP server on an interface that has a dynamic IP address.
IP Range: Enter the start and end for the range of IP addresses that this DHCP server assigns to DHCP clients. These fields are greyed out when IP Assignment Mode is set to User-group defined method.
Network Mask: Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway: Enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
Domain: Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time: Select Unlimited for an unlimited lease time or enter the interval in days, hours, and minutes after which a DHCP client must ask the DHCP server for new settings. The lease time can range from 5 minutes to 100 days.
Advanced: Select to configure advanced options. The remaining options in this table are advanced options.
IP Assignment Mode: Determines how the IP addresses for DHCP are assigned. Select:
  Server IP Range - The server will assign the IP addresses as specified in IP Range, and Exclude Ranges.
  User-group defined method - The IP addresses will be assigned via RADIUS through the user group used to authenticate the user. See Dynamically assigning VPN client IP addresses from a RADIUS record on page 573.
  When User-group defined method is selected, the IP Range fields are greyed out, and the Exclude Ranges table and controls are not visible.

DNS Server 1, DNS Server 2, DNS Server 3: Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns to DHCP clients.
WINS Server 1, WINS Server 2: Add the IP addresses of one or two WINS servers that the DHCP server assigns to DHCP clients.
Option 1, Option 2, Option 3: Enter up to three custom DHCP options that can be sent by the DHCP server. Code is the DHCP option code in the range 1 to 255. Option is an even number of hexadecimal characters and is not required for some option codes. For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP Vendor Extensions.
Exclude Ranges: You can add up to 16 exclude ranges of IP addresses that the DHCP server cannot assign to DHCP clients. No range can exceed 65536 IP addresses.
  Add: Add a range of IP addresses to exclude.
  Starting IP: Enter the first IP address of the exclude range.
  End IP: Enter the last IP address of the exclude range.
  Delete icon: Delete the exclude range.
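The Option and Exclude Ranges fields above take values that are easy to get wrong by hand. The following is an added example for this page, not FortiGate code: it builds the even-length hex value for a custom option per RFC 2132 (assuming the Option field takes only the option value, without the code and length bytes) and checks a set of exclude ranges against the limits the table states, using the default Internal pool from earlier in this section.

```python
"""Helpers for the DHCP server 'Option 1..3' and 'Exclude Ranges' fields.
Added example for this page, not FortiGate code. Assumption: the Option field
holds only the option value bytes (RFC 2132 payload) as hex, not code/length."""
import ipaddress
from typing import List, Sequence, Tuple, Union

MAX_EXCLUDE_RANGES = 16   # "You can add up to 16 exclude ranges"
MAX_RANGE_SIZE = 65536    # "No range can exceed 65536 IP addresses"

# Default IP Range of the Internal interface DHCP server (from this section).
DEFAULT_POOL = ("192.168.1.110", "192.168.1.210")

OptionValue = Union[Sequence[str], str, bytes]


def option_value_hex(code: int, value: OptionValue) -> str:
    """Return the option payload as the hex string to enter in Option.

    code  : DHCP option code, 1..255 (e.g. 15 Domain Name, 42 NTP Servers)
    value : a list of dotted-quad IPv4 addresses, an ASCII string, or bytes
    """
    if not 1 <= code <= 255:
        raise ValueError("DHCP option code must be in the range 1 to 255")
    if isinstance(value, bytes):
        payload = value
    elif isinstance(value, str):               # text options, e.g. option 15
        payload = value.encode("ascii")
    else:                                      # address-list options, 4 bytes each
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in value)
    if len(payload) > 255:
        raise ValueError("payload longer than a one-byte option length allows")
    return payload.hex()                       # always an even number of hex digits


def validate_exclude_ranges(pool: Tuple[str, str],
                            excludes: List[Tuple[str, str]]) -> Tuple[List[str], int]:
    """Check exclude ranges against the guide's limits and the server's IP Range.

    Returns (problems, usable): the list of problems found and the number of
    addresses in the pool that the server can still assign after exclusions.
    """
    problems: List[str] = []
    pool_lo, pool_hi = (int(ipaddress.IPv4Address(a)) for a in pool)
    if pool_lo > pool_hi:
        problems.append("IP Range start is after its end")
        return problems, 0
    if len(excludes) > MAX_EXCLUDE_RANGES:
        problems.append(f"{len(excludes)} exclude ranges; at most {MAX_EXCLUDE_RANGES} allowed")
    excluded = set()
    for idx, (start, end) in enumerate(excludes, 1):
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if lo > hi:
            problems.append(f"exclude range {idx}: Starting IP is after End IP")
            continue
        if hi - lo + 1 > MAX_RANGE_SIZE:
            problems.append(f"exclude range {idx}: exceeds {MAX_RANGE_SIZE} IP addresses")
            continue
        if hi < pool_lo or lo > pool_hi:
            problems.append(f"exclude range {idx}: lies entirely outside the IP Range")
            continue
        # Only the part overlapping the pool actually removes assignable addresses.
        excluded.update(range(max(lo, pool_lo), min(hi, pool_hi) + 1))
    usable = (pool_hi - pool_lo + 1) - len(excluded)
    return problems, usable


if __name__ == "__main__":
    # Constructed sample: hand out the default gateway as NTP server (option 42)
    # and a domain name (option 15), and carve a 10-address hole out of the pool.
    print("option 42 value:", option_value_hex(42, ["192.168.1.99"]))
    print("option 15 value:", option_value_hex(15, "example.com"))
    print(validate_exclude_ranges(DEFAULT_POOL, [("192.168.1.150", "192.168.1.159")]))
```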

Viewing address leases


Go to System > DHCP > Address Leases to view the IP addresses that the DHCP servers have assigned and the corresponding client MAC addresses.
Figure 92: Address leases list

Interface: Select the interface for which to list leases.
Refresh: Select Refresh to update the Address leases list.
IP: The assigned IP address.
MAC: The MAC address of the device to which the IP address is assigned.
Expire: Expiry date and time of the DHCP lease.

Reserving IP addresses for specific clients


You can reserve an IP address for a specific client identified by the client device MAC address and the connection type, regular Ethernet or IPSec. The DHCP server always assigns the reserved address to that client. You can assign up to 200 IP addresses as reserved. For more information see the FortiGate Maximum Values for FortiOS 3.0 article on the Fortinet Knowledge Center. Use the CLI config system dhcp reserved-address command. For more information, see the FortiGate CLI Reference.

System Config
This section describes the configuration of several non-network features, such as HA, SNMP, custom replacement messages, and Operation mode. If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement messages are configured globally for the entire FortiGate unit. Changing operation mode is configured for each individual VDOM. For details, see Using virtual domains on page 103.
This section describes:
  HA
  SNMP
  Replacement messages
  Operation mode and VDOM management access

HA
FortiGate high availability (HA) provides a solution for two key requirements of critical enterprise networking components: enhanced reliability and increased performance. This section contains a brief description of HA web-based manager configuration options, the HA cluster members list, HA statistics, and disconnecting cluster members. If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for the entire FortiGate unit. For details, see Using virtual domains on page 103. For complete information about how to configure and operate FortiGate HA clusters see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center. HA is not available on FortiGate models 50A and 50AM. HA is available on all other FortiGate models, including the FortiGate-50B.
The following topics are included in this section:
  HA options
  Cluster members list
  Viewing HA statistics
  Changing subordinate unit host name and device priority
  Disconnecting a cluster unit from a cluster

HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the configuration of an operating cluster or cluster member. To configure HA options so that a FortiGate unit can join an HA cluster, go to System > Config > HA.

Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is also not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically configured using DHCP or PPPoE you cannot switch to operate in HA mode. Also, you cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured as a PPTP or L2TP client or if the FortiGate unit is configured for standalone session synchronization.

If HA is already enabled, go to System > Config > HA to display the cluster members list. Select Edit for the FortiGate unit with Role of master (also called the primary unit). When you edit the HA configuration of the primary unit, all changes are synchronized to the other cluster units.
Figure 93: FortiGate-3810A unit HA configuration

You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled by logging into the web-based manager as the global admin administrator and then going to System > Config > HA.
Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual clustering. Most virtual cluster HA options are the same as normal HA options. However, virtual clusters include VDOM partitioning options. Other differences between configuration options for regular HA and for virtual clustering HA are described below and in the FortiGate HA Overview and the FortiGate HA Guide.

Figure 94: FortiGate-5001SX HA virtual cluster configuration

Mode: Select an HA mode for the cluster or return the FortiGate units in the cluster to standalone mode. When configuring a cluster, you must set all members of the HA cluster to the same HA mode. You can select Standalone (to disable HA), Active-Passive, or Active-Active. If virtual domains are enabled you can select Active-Passive or Standalone.
Device Priority: Optionally set the device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority usually becomes the primary unit. In a virtual cluster configuration, each cluster unit can have two device priorities, one for each virtual cluster. During HA negotiation, the unit with the highest device priority in a virtual cluster becomes the primary unit for that virtual cluster. Changes to the device priority are not synchronized. You can accept the default device priority when first configuring a cluster. When the cluster is operating you can change the device priority for different cluster units as required.
Group Name: Enter a name to identify the cluster. The maximum length of the group name is 32 characters. The group name must be the same for all cluster units before the cluster units can form a cluster. After a cluster is operating, you can change the group name. The group name change is synchronized to all cluster units. The default group name is FGT-HA. You can accept the default group name when first configuring a cluster. When the cluster is operating you can change the group name, if required. Two clusters on the same network cannot have the same group name.

Password: Enter a password to identify the cluster. The maximum password length is 15 characters. The password must be the same for all cluster units before the cluster units can form a cluster. The default is no password. You can accept the default password when first configuring a cluster. When the cluster is operating, you can add a password, if required. Two clusters on the same network must have different passwords.
Enable Session pickup: Select to enable session pickup so that if the primary unit fails, all sessions are picked up by the cluster unit that becomes the new primary unit. Session pickup is disabled by default. You can accept the default setting for session pickup and then choose to enable session pickup after the cluster is operating.
Port Monitor: Select to enable or disable monitoring FortiGate interfaces to verify that the monitored interfaces are functioning properly and connected to their networks. If a monitored interface fails or is disconnected from its network, the interface leaves the cluster and a link failover occurs. The link failover causes the cluster to reroute the traffic being processed by that interface to the same interface of another cluster unit that still has a connection to the network. This other cluster unit becomes the new primary unit. Port monitoring (also called interface monitoring) is disabled by default. Leave port monitoring disabled until the cluster is operating and then only enable port monitoring for connected interfaces. You can monitor up to 16 interfaces. This limit only applies to FortiGate units with more than 16 physical interfaces.
Heartbeat Interface: Select to enable or disable HA heartbeat communication for each interface in the cluster and set the heartbeat interface priority. The heartbeat interface with the highest priority processes all heartbeat traffic. If two or more heartbeat interfaces have the same priority, the heartbeat interface with the lowest hash map order value processes all heartbeat traffic. The web-based manager lists interfaces in alphanumeric order: port1, port2 through port9, port10. Hash map order sorts interfaces in the following order: port1, port10, port2 through port9. The default heartbeat interface configuration is different for each FortiGate unit. This default configuration usually sets the priority of two heartbeat interfaces to 50. You can accept the default heartbeat interface configuration if you connect one or both of the default heartbeat interfaces together. The heartbeat interface priority range is 0 to 512. The default priority when you select a new heartbeat interface is 0. You must select at least one heartbeat interface. If heartbeat communication is interrupted, the cluster stops processing traffic. For more information about configuring heartbeat interfaces, see the FortiGate HA Overview. You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate units with more than 8 physical interfaces.
VDOM partitioning: If you are configuring virtual clustering, you can set the virtual domains to be in virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual domain must always be in virtual cluster 1. For more information about configuring VDOM partitioning, see the FortiGate HA Overview.
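The heartbeat tie-break and device-priority rules in the table above are easy to misjudge when interface names run past port9. The following is an added example for this page, not Fortinet code: it models those rules, assuming that "hash map order" is a plain character-by-character sort (which yields the port1, port10, port2 through port9 order the table gives); the interface and host names are constructed.

```python
"""Model of the HA heartbeat-interface and device-priority rules above.
Added example for this page, not Fortinet code. Assumption: hash map order is
a plain string sort, giving port1, port10, port2 ... port9 as the guide states."""
from typing import Dict, List, Optional

HB_PRIORITY_MIN, HB_PRIORITY_MAX = 0, 512   # heartbeat interface priority range
MAX_HEARTBEAT_INTERFACES = 8                # "up to 8 heartbeat interfaces"
DEVICE_PRIORITY_MIN, DEVICE_PRIORITY_MAX = 0, 255
DEFAULT_DEVICE_PRIORITY = 128


def hash_map_order(names: List[str]) -> List[str]:
    """Order interface names as the guide describes hash map order doing it:
    character by character, so 'port10' sorts before 'port2'."""
    return sorted(names)


def active_heartbeat_interface(heartbeat: Dict[str, int]) -> str:
    """heartbeat maps each enabled heartbeat interface to its priority.
    Returns the single interface that will carry all heartbeat traffic."""
    if not heartbeat:
        raise ValueError("at least one heartbeat interface must be selected")
    if len(heartbeat) > MAX_HEARTBEAT_INTERFACES:
        raise ValueError(f"at most {MAX_HEARTBEAT_INTERFACES} heartbeat interfaces")
    for name, prio in heartbeat.items():
        if not HB_PRIORITY_MIN <= prio <= HB_PRIORITY_MAX:
            raise ValueError(f"{name}: priority {prio} outside "
                             f"{HB_PRIORITY_MIN}..{HB_PRIORITY_MAX}")
    top = max(heartbeat.values())
    tied = [name for name, prio in heartbeat.items() if prio == top]
    return hash_map_order(tied)[0]   # lowest hash map order wins a priority tie


def elect_primary(device_priority: Dict[str, int]) -> Optional[str]:
    """device_priority maps cluster unit host name to its device priority.
    Returns the unit that becomes primary, or None when several units share the
    highest priority: the guide says the highest priority 'usually' wins and
    does not state the tie-break, so none is invented here."""
    if not device_priority:
        raise ValueError("cluster has no members")
    for name, prio in device_priority.items():
        if not DEVICE_PRIORITY_MIN <= prio <= DEVICE_PRIORITY_MAX:
            raise ValueError(f"{name}: device priority {prio} outside "
                             f"{DEVICE_PRIORITY_MIN}..{DEVICE_PRIORITY_MAX}")
    top = max(device_priority.values())
    winners = [name for name, prio in device_priority.items() if prio == top]
    return winners[0] if len(winners) == 1 else None


if __name__ == "__main__":
    # Constructed sample: three heartbeat interfaces at the usual default of 50.
    print(active_heartbeat_interface({"port2": 50, "port10": 50, "port9": 50}))
    # Constructed sample: one unit left at the default priority, one raised.
    print(elect_primary({"FGT-A": DEFAULT_DEVICE_PRIORITY, "FGT-B": 200}))
```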

Cluster members list


You can display the cluster members list to view the status of an operating cluster and the status of the FortiGate units in the cluster. The cluster members list shows the FortiGate units in the cluster and for each FortiGate unit shows interface connections, the cluster unit and the device priority of the cluster unit. From the cluster members list you can disconnect a unit from the cluster, edit the HA configuration of primary unit, change the device priority and host name of subordinate units, and download a debug log for any cluster unit. You can also view HA statistics for the cluster.

To display the cluster members list, log into an operating cluster and go to System > Config > HA.
Figure 95: Example FortiGate-5001SX cluster members list

If virtual domains are enabled, you can display the cluster members list to view the status of the operating virtual clusters. The virtual cluster members list shows the status of both virtual clusters including the virtual domains added to each virtual cluster. To display the virtual cluster members list for an operating cluster log in as the global admin administrator and go to System > Config > HA.
Figure 96: Example FortiGate-5001SX virtual cluster members list

View HA Statistics: Displays the serial number, status, and monitor information for each cluster unit. See Viewing HA statistics on page 182.
Up and down arrows: Changes the order of cluster members in the list. The operation of the cluster or of the units in the cluster is not affected. All that changes is the order of the units on the cluster members list.

Cluster member: Illustrations of the front panels of the cluster units. If the network jack for an interface is shaded green, the interface is connected. Pause the mouse pointer over each illustration to view the cluster unit host name, serial number, how long the unit has been operating (up time), and the interfaces that are configured for port monitoring.
Hostname: The host name of the FortiGate unit. The default host name of the FortiGate unit is the FortiGate unit serial number. To change the primary unit host name, go to System > Status and select Change beside the current host name. To change a subordinate unit host name, from the cluster members list select the Edit icon for a subordinate unit.
Role: The status or role of the cluster unit in the cluster.
  Role is MASTER for the primary (or master) unit.
  Role is SLAVE for all subordinate (or backup) cluster units.
Priority: The device priority of the cluster unit. Each cluster unit can have a different device priority. During HA negotiation, the unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255.
Disconnect from cluster: Select to disconnect a selected cluster unit from the cluster. See Disconnecting a cluster unit from a cluster on page 184.
Edit: Select to change a cluster unit HA configuration. For a primary unit, select Edit to change the cluster HA configuration (including the device priority) of the primary unit. For a primary unit in a virtual cluster, select Edit to change the virtual cluster HA configuration, including the virtual cluster 1 and virtual cluster 2 device priority of this cluster unit. For a subordinate unit, select Edit to change the subordinate unit host name and device priority. See Changing subordinate unit host name and device priority on page 183. For a subordinate unit in a virtual cluster, select Edit to change the subordinate unit host name and the device priority of the subordinate unit for the selected virtual cluster. See Changing subordinate unit host name and device priority on page 183.
Download debug log: Select to download an encrypted debug log to a file. You can send this debug log file to Fortinet Technical Support (http://support.fortinet.com) to help diagnose problems with the cluster or with individual cluster units.

Viewing HA statistics
From the cluster members list, you can select View HA Statistics to display the serial number, status, and monitor information for each cluster unit. To view HA statistics, go to System > Config > HA and select View HA Statistics.

Figure 97: Example HA statistics (active-passive cluster)

Refresh every: Select to control how often the web-based manager updates the HA statistics display.
Back to HA monitor: Select to close the HA statistics list and return to the cluster members list.
Unit: The host name and serial number of the cluster unit.
Status: Indicates the status of each cluster unit. A green check mark indicates that the cluster unit is operating normally. A red X indicates that the cluster unit cannot communicate with the primary unit.
Up Time: The time in days, hours, minutes, and seconds since the cluster unit was last started.
Monitor: Displays system status information for each cluster unit.
CPU Usage: The current CPU status of each cluster unit. The web-based manager displays CPU usage for core processes only. CPU usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Memory Usage: The current memory status of each cluster unit. The web-based manager displays memory usage for core processes only. Memory usage for management processes (for example, for HTTPS connections to the web-based manager) is excluded.
Active Sessions: The number of communications sessions being processed by the cluster unit.
Total Packets: The number of packets that have been processed by the cluster unit since it last started up.
Virus Detected: The number of viruses detected by the cluster unit.
Network Utilization: The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes: The number of bytes that have been processed by the cluster unit since it last started up.
Intrusion Detected: The number of intrusions or attacks detected by Intrusion Protection running on the cluster unit.

Changing subordinate unit host name and device priority


To change the host name and device priority of a subordinate unit in an operating cluster, go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list.

To change the host name and device priority of a subordinate unit in an operating cluster with virtual domains enabled, log in as the global admin administrator and go to System > Config > HA to display the cluster members list. Select Edit for any slave (subordinate) unit in the cluster members list. You can change the host name (Peer) and device priority (Priority) of this subordinate unit. These changes only affect the configuration of the subordinate unit.
Figure 98: Changing the subordinate unit host name and device priority

Peer: View and optionally change the subordinate unit host name.
Priority: View and optionally change the subordinate unit device priority. The device priority is not synchronized among cluster members. In a functioning cluster you can change device priority to change the priority of any unit in the cluster. The next time the cluster negotiates, the cluster unit with the highest device priority becomes the primary unit. The device priority range is 0 to 255. The default device priority is 128.

Disconnecting a cluster unit from a cluster


You can disconnect a cluster unit if you need to use the disconnected FortiGate unit for another purpose, such as to act as a standalone firewall. You can go to System > Config > HA and select a Disconnect from cluster icon to disconnect a cluster unit from a functioning cluster without disrupting the operation of the cluster.
Figure 99: Disconnect a cluster member

Serial Number: Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface: Select the interface that you want to configure. You also specify the IP address and netmask for this interface. When the FortiGate unit is disconnected, all management access options are enabled for this interface.
IP/Netmask: Specify an IP address and netmask for the interface. You can use this IP address to connect to this interface to configure the disconnected FortiGate unit.

SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your network. You can configure the hardware, such as the FortiGate SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager is typically a computer running an application that can read the incoming trap and event messages from the agent and send out SNMP queries to the SNMP agents. Another name for an SNMP manager is a host. A FortiManager unit can act as an SNMP manager, or host, to a FortiGate unit. Using an SNMP manager, you can access SNMP traps and data from any FortiGate interface or VLAN subinterface configured for SNMP management access.
Note: Part of configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps from that FortiGate unit, or be able to query it.

The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to FortiGate system information through queries and can receive trap messages from the FortiGate unit. To monitor FortiGate system information and receive FortiGate traps, you must first compile the proprietary Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide the information the SNMP manager needs to interpret the SNMP trap, event, and query messages of the FortiGate unit SNMP agent. The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see Fortinet MIBs on page 188. RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414). SNMP traps alert you to events that happen, such as a log disk being full or a virus being detected. For more information about SNMP traps, see Fortinet and FortiGate traps on page 189. SNMP fields contain information about your FortiGate unit. This information is useful to monitor the condition of the unit, both on an ongoing basis and to provide more information when a trap occurs. For more information about SNMP fields, see Fortinet and FortiGate MIB fields on page 192.

Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Figure 100: Configuring SNMP

SNMP Agent: Enable the FortiGate SNMP agent.
Description: Enter descriptive information about the FortiGate unit. The description can be up to 35 characters long.
Location: Enter the physical location of the FortiGate unit. The system location description can be up to 35 characters long.
Contact: Enter the contact information for the person responsible for this FortiGate unit. The contact information can be up to 35 characters.
Apply: Save changes made to the description, location, and contact information.
Create New: Select Create New to add a new SNMP community. See Configuring an SNMP community on page 186.
Communities: The list of SNMP communities added to the FortiGate configuration. You can add up to 3 communities.
Name: The name of the SNMP community.
Queries: The status of SNMP queries for each SNMP community. The query status can be enabled or disabled.
Traps: The status of SNMP traps for each SNMP community. The trap status can be enabled or disabled.
Enable: Select Enable to activate an SNMP community.
Delete icon: Select Delete to remove an SNMP community.
Edit/View icon: Select to view or modify an SNMP community.

Configuring an SNMP community


An SNMP community is a grouping of devices for network administration purposes. Within that SNMP community, devices can communicate by sending and receiving traps and other information. One device can belong to multiple communities, such as one administrator terminal monitoring both a firewall SNMP community and a printer SNMP community. Add SNMP communities to your FortiGate unit so that SNMP managers can connect to view system information and receive SNMP traps. You can add up to three SNMP communities. Each community can have a different configuration for SNMP queries and traps. Each community can be configured to monitor the FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP managers to each community.


Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in the management virtual domain. Traps cannot be sent over other interfaces.

Figure 101: SNMP community options (part 1)

Figure 102: SNMP community options (part 2)


Community Name: Enter a name to identify the SNMP community.
Hosts: Identify the SNMP managers that can use the settings in this SNMP community to monitor the FortiGate unit.
IP Address: The IP address of an SNMP manager that can use the settings in this SNMP community to monitor the FortiGate unit. You can also set the IP address to 0.0.0.0 so that any SNMP manager can use this SNMP community. Avoid this where possible: SNMP v1 and v2c carry the community string in cleartext and have no other access control, so with 0.0.0.0 any host that can reach an interface with SNMP administrative access and knows or guesses the community string can read the unit's system information.
Interface: Optionally select the name of the interface that this SNMP manager uses to connect to the FortiGate unit. You only have to select the interface if the SNMP manager is not on the same subnet as the FortiGate unit. This can occur if the SNMP manager is on the Internet or behind a router. In virtual domain mode, the interface must belong to the management VDOM to be able to pass SNMP traps.
Delete: Select a Delete icon to remove an SNMP manager.
Add: Add a blank line to the Hosts list. You can add up to 8 SNMP managers to a single community.
Queries: Enter the Port number (161 by default) that the SNMP managers in this community use for SNMP v1 and SNMP v2c queries to receive configuration information from the FortiGate unit. Select the Enable check box to activate queries for each SNMP version.
Traps: Enter the Local and Remote port numbers (port 162 for each by default) that the FortiGate unit uses to send SNMP v1 and SNMP v2c traps to the SNMP managers in this community. Select the Enable check box to activate traps for each SNMP version.
SNMP Event: Enable each SNMP event for which the FortiGate unit should send traps to the SNMP managers in this community. CPU overusage trap sensitivity is slightly reduced by spreading values out over 8 polling cycles. This prevents sharp spikes due to CPU-intensive short-term events such as changing a policy. The Power Supply Failure event trap is available only on FortiGate-3810A and FortiGate-3016B units. The AMC interfaces enter bypass mode event trap is available only on FortiGate models that support AMC modules.

To configure SNMP access (NAT/Route mode)
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or more FortiGate interfaces to accept SNMP connections. Enable SNMP only on the interface that faces the SNMP managers; an Internet-facing interface with SNMP administrative access exposes the agent to community-string guessing.
1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 In Administrative Access, select SNMP.
4 Select OK.

To configure SNMP access (Transparent mode)
1 Go to System > Config > Operation Mode.
2 Enter the IP address that you want to use for management access and the netmask in the Management IP/Netmask field.
3 Select Apply.
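The community options and the interface access procedure above can be checked offline against a configuration backup. The following Python script is an added example, not Fortinet code: it parses the FortiOS `config / edit / set / next / end` block format and flags the settings this section warns about, namely a host of 0.0.0.0 (any source may use the community), well-known community names, a community with no hosts at all, and communities whose queries are enabled while an interface lists snmp in its administrative access. The configuration text is constructed for the example; the `set` keywords follow the FortiOS CLI but should be verified against the release in use.

```python
"""Added example (not Fortinet code): audit SNMP exposure in a FortiOS configuration dump.
Parses the config / edit / set / next / end block format and flags weak settings.
The configuration below is constructed; the set keywords follow the FortiOS CLI but
should be verified against the release in use."""
import shlex

SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https snmp
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh snmp
    next
end
config system snmp sysinfo
    set status enable
    set description "edge-fw"
end
config system snmp community
    edit 1
        set name "public"
        set query-v1-status enable
        set trap-v1-status enable
        config hosts
            edit 1
                set ip 0.0.0.0
            next
        end
    next
    edit 2
        set name "n0c-r0-k3y"
        set query-v1-status disable
        set query-v2c-status enable
        config hosts
            edit 1
                set ip 192.168.1.10
                set interface "internal"
            next
        end
    next
end
"""

WELL_KNOWN = {"public", "private"}   # the default strings every scanner tries first


def parse_fortios(text):
    """Build nested dicts: config/edit open a scope, set stores a token list, next/end close."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw)               # honours the quoting FortiOS uses for names
        if not tokens:
            continue
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword in ("next", "end"):
            stack.pop()
        elif keyword == "set":
            stack[-1][args[0]] = args[1:]
        elif keyword == "unset":
            stack[-1].pop(args[0], None)
    return stack[0]


def _enabled(scope, key):
    return scope.get(key, ["disable"])[0] == "enable"


def audit_snmp(cfg):
    """Return (community id, finding) pairs for the weaknesses the SNMP community options invite."""
    findings = []
    if not _enabled(cfg.get("system snmp sysinfo", {}), "status"):
        return findings                         # agent disabled: nothing is reachable
    exposed = sorted(name for name, intf in cfg.get("system interface", {}).items()
                     if "snmp" in intf.get("allowaccess", []))
    for cid, comm in cfg.get("system snmp community", {}).items():
        if comm.get("name", [""])[0].lower() in WELL_KNOWN:
            findings.append((cid, "well-known-name"))
        hosts = comm.get("hosts", {})
        if not hosts:
            findings.append((cid, "no-hosts"))
        for host in hosts.values():
            if host.get("ip", [""])[0] == "0.0.0.0":   # any manager may use this community
                findings.append((cid, "any-host"))
        queries = _enabled(comm, "query-v1-status") or _enabled(comm, "query-v2c-status")
        if queries and exposed:                 # queries answered on every interface listed
            findings.append((cid, "exposed:" + ",".join(exposed)))
    return findings


if __name__ == "__main__":
    for cid, finding in audit_snmp(parse_fortios(SAMPLE_CONFIG)):
        print("community %s: %s" % (cid, finding))
```

Run it against the output of `show full-configuration` (or a saved backup) instead of SAMPLE_CONFIG; the "exposed" finding is the one to read together with the interface list, since a community that is only ever queried from the management subnet should not be answerable on a WAN interface at all.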

Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.


There are two MIB files for FortiGate units: the Fortinet MIB and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. The Fortinet MIB and FortiGate MIB, along with the two RFC MIBs, are listed in the table in this section. You can obtain these MIB files from Fortinet technical support. To be able to communicate with the FortiGate SNMP agent, you must compile all of these MIBs into your SNMP manager. Your SNMP manager may already include standard and private MIBs in a compiled database that is ready to use; you must add the two Fortinet proprietary MIBs for this release to that database.
Table 13: Fortinet MIBs

FORTINET-CORE-MIB.mib: The proprietary Fortinet MIB includes all system configuration information and trap information that is common to all Fortinet products. Your SNMP manager requires this information to monitor FortiGate unit configuration settings and receive traps from the FortiGate SNMP agent. For more information, see Fortinet and FortiGate traps on page 189 and Fortinet and FortiGate MIB fields on page 192.
FORTINET-FORTIGATE-MIB.mib: The proprietary FortiGate MIB includes all system configuration information and trap information that is specific to FortiGate units. Your SNMP manager requires this information to monitor FortiGate configuration settings and receive traps from the FortiGate SNMP agent. FortiManager systems require this MIB to monitor FortiGate units. For more information, see Fortinet and FortiGate traps on page 189 and Fortinet and FortiGate MIB fields on page 192.
RFC-1213 (MIB II): The FortiGate SNMP agent supports MIB II groups with the following exceptions. No support for the EGP group from MIB II (RFC 1213, sections 3.11 and 6.10). Protocol statistics returned for MIB II groups (IP/ICMP/TCP/UDP/etc.) do not accurately capture all FortiGate traffic activity. More accurate information can be obtained from the information reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB): The FortiGate SNMP agent supports Ethernet-like MIB information with the following exception. No support for the dot3Tests and dot3Errors groups.

Fortinet and FortiGate traps


An SNMP manager can request information from the Fortinet device's SNMP agent, or that agent can send traps when an event occurs. Traps are a method used to inform the SNMP manager that something has happened or changed on the Fortinet device. Traps sent include the trap message as well as the FortiGate unit serial number (fnSysSerial) and hostname (sysName). Because v1 and v2c traps are unauthenticated UDP datagrams, a trap receiver should accept them only from the FortiGate unit's known address and with the configured community string; the serial number in the trap identifies the sending unit but does not prove who sent it. FortiManager related traps are only sent if a FortiManager unit is configured to manage this FortiGate unit. To receive Fortinet device SNMP traps, you must load and compile the FORTINET-CORE-MIB into your SNMP manager. The name of the table indicates if it is found in the Fortinet MIB or the FortiGate MIB. The Trap Message column includes the message included with the trap as well as the SNMP MIB field name to help locate the information about the trap.
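To see what a manager actually receives on the trap port configured in the community options, the following Python script is an added example, not Fortinet or FortiGate code: it builds an SNMPv2c trap in BER with the sysUpTime.0 and snmpTrapOID.0 varbinds every v2c trap carries plus the serial-number and hostname varbinds described above, then parses it back the way a trap receiver would, rejecting a community mismatch before it looks at the payload. The fnSysSerial OID and the sub-OID under the FortiGate trap branch are assumptions to verify against the compiled MIBs; the serial number and hostname in the sample are constructed.

```python
"""Added example: build and parse an SNMPv2c trap in BER using only the standard library.
Not FortiGate code; the two FortiGate-specific OIDs are assumptions to verify against the MIBs."""
from collections import namedtuple

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"                  # sysUpTime.0, mandatory first varbind
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"           # snmpTrapOID.0, mandatory second varbind
SYS_NAME = "1.3.6.1.2.1.1.5.0"                    # sysName.0 (MIB II): the hostname in every trap
FN_SYS_SERIAL = "1.3.6.1.4.1.12356.100.1.1.1.0"  # ASSUMED fnSysSerial.0 (check FORTINET-CORE-MIB)
FN_TRAP_CPU = "1.3.6.1.4.1.12356.1.3.0.101"      # ASSUMED sub-OID under the FortiGate trap branch

Trap = namedtuple("Trap", "community uptime trap_oid varbinds")

def _length(n):
    if n < 0x80:                                  # BER short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body       # long form: count byte, then the length

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(value, tag=0x02):
    """Minimal two's-complement integer; tag 0x43 encodes TimeTicks."""
    size = max(1, (value.bit_length() + 8) // 8)
    return tlv(tag, value.to_bytes(size, "big", signed=True))

def enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                          # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_trap(community, uptime, trap_oid, extra, request_id=1):
    """SNMPv2c message (version field 1) wrapping an SNMPv2-Trap-PDU (context tag 0xA7)."""
    varbinds = [tlv(0x30, enc_oid(SYS_UPTIME) + enc_int(uptime, 0x43)),
                tlv(0x30, enc_oid(SNMP_TRAP_OID) + enc_oid(trap_oid))]
    varbinds += [tlv(0x30, enc_oid(oid) + tlv(0x04, val.encode())) for oid, val in extra]
    pdu = tlv(0xA7, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, b"".join(varbinds)))
    return tlv(0x30, enc_int(1) + tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element); handles short and long length forms."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _dec_value(tag, body):
    if tag == 0x06:
        return _dec_oid(body)
    if tag == 0x04:
        return body.decode(errors="replace")
    return int.from_bytes(body, "big", signed=(tag == 0x02))   # INTEGER or application integer types

def parse_trap(packet, expected_community):
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    if int.from_bytes(version, "big", signed=True) != 1:
        raise ValueError("only SNMPv2c is handled here")
    _, community, pos = _read_tlv(msg, pos)
    # The cleartext community string is the only access control in v1/v2c: compare it before
    # parsing anything else so a forged datagram with the wrong string is dropped cheaply.
    if community.decode(errors="replace") != expected_community:
        raise PermissionError("community mismatch")
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA7:
        raise ValueError("not an SNMPv2-Trap-PDU (tag 0x%02x)" % tag)
    pos = 0
    for _ in range(3):                            # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds[_dec_oid(oid_body)] = _dec_value(vtag, vbody)
    if SYS_UPTIME not in varbinds or SNMP_TRAP_OID not in varbinds:
        raise ValueError("sysUpTime.0 and snmpTrapOID.0 are mandatory in a v2c trap")
    return Trap(expected_community, varbinds[SYS_UPTIME], varbinds[SNMP_TRAP_OID], varbinds)

# Constructed sample: a "CPU usage high" trap as a FortiGate could emit it (serial and hostname invented)
SAMPLE_TRAP = build_trap("public", 123456, FN_TRAP_CPU,
                         [(FN_SYS_SERIAL, "FGT60B0000000001"), (SYS_NAME, "edge-fw")])
```

Feeding `parse_trap` a datagram read from UDP port 162 gives the trap OID to look up in the compiled MIB and the serial/hostname pair to attribute the event to a unit; the community check and the source-address allowlist belong in front of any alerting logic, since nothing else in a v2c trap is authenticated.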

Table 14: Generic FortiGate traps (OID 1.3.6.1.4.1.12356.1.3.0)

ColdStart, WarmStart, LinkUp, LinkDown: Standard traps as described in RFC 1215.

Table 15: FortiGate system traps (OID 1.3.6.1.4.1.12356.1.3.0)

CPU usage high (fnTrapCpuThreshold): CPU usage exceeds 80%. This threshold can be set in the CLI using config system global.
Memory low (fnTrapMemThreshold): Memory usage exceeds 90%. This threshold can be set in the CLI using config system global.
Log disk too full (fnTrapLogDiskThreshold): Log disk usage has exceeded the configured threshold. Only available on devices with log disks.
Temperature too high (fnTrapTempHigh): A temperature sensor on the device has exceeded its threshold. Not all devices have thermal sensors. See manual for specifications.
Voltage outside acceptable range (fnTrapVoltageOutOfRange): Power levels have fluctuated outside of normal levels. Not all devices have voltage monitoring instrumentation.
Power supply failure (fnTrapPowerSupplyFailure): Power supply failure detected. Not available on all models. Available on some devices which support redundant power supplies.
Interface IP change (fnTrapIpChange): The IP address for an interface has changed. The trap message includes the name of the interface, the new IP address and the serial number of the Fortinet unit. You can use this trap to track interface IP address changes for interfaces with dynamic IP addresses set using DHCP or PPPoE.
Diagnostic trap (fnTrapTest): This trap is sent for diagnostic purposes. It has an OID index of .999.

Table 16: FortiGate VPN traps

VPN tunnel is up (fgTrapVpnTunUp): An IPSec VPN tunnel has started.
VPN tunnel down (fgTrapVpnTunDown): An IPSec VPN tunnel has shut down.
Local gateway address (fnVpnTrapLocalGateway): Address of the local side of the VPN tunnel. This information is associated with both of the VPN tunnel traps.
Remote gateway address (fnVpnTrapRemoteGateway): Address of the remote side of the VPN tunnel. This information is associated with both of the VPN tunnel traps.

Table 17: FortiGate IPS traps

IPS Signature (fgTrapIpsSignature): IPS signature detected.
IPS Anomaly (fgTrapIpsAnomaly): IPS anomaly detected.
IPS Package Update (fgTrapIpsPkgUpdate): The IPS signature database has been updated.
(fgIpsTrapSigId): ID of the IPS signature identified in the trap.


Table 17: FortiGate IPS traps (continued)

(fgIpsTrapSrcIp): IP address of the IPS signature trigger.
(fgIpsTrapSigMsg): Message associated with the IPS event.

Table 18: FortiGate antivirus traps

Virus detected (fgTrapAvVirus): The antivirus engine detected a virus in an infected file from an HTTP or FTP download or from an email message.
Oversize file/email detected (fgTrapAvOversize): The FortiGate unit antivirus scanner detected an oversized file.
Filename block detected (fgTrapAvPattern): The FortiGate unit antivirus scanner blocked a file that matched a known virus pattern.
Fragmented file detected (fgTrapAvFragmented): The FortiGate unit antivirus scanner detected a fragmented file or attachment.
(fgTrapAvEnterConserve): The AV engine entered conservation mode due to low memory conditions.
(fgTrapAvBypass): The AV scanner has been bypassed due to conservation mode.
(fgTrapAvOversizePass): An oversized file has been detected, but has been passed due to configuration.
(fgTrapAvOversizeBlock): An oversized file has been detected, and has been blocked.
(fgAvTrapVirName): The virus name that triggered the event.

Table 19: FortiGate HA traps

HA switch (fgTrapHaSwitch): The specified cluster member has transitioned from a slave role to a master role.
HA Heartbeat Failure (fgTrapHaHBFail): The heartbeat failure count has exceeded the configured threshold.
(fgTrapHaMemberDown): An HA member becomes unavailable to the cluster.
(fgTrapHaMemberUp): An HA member becomes available to the cluster.
(fgTrapHaStateChange): The trap sent when the HA cluster member changes its state.
(fgHaTrapMemberSerial): Serial number of an HA cluster member. Used to identify the origin of a trap when a cluster is configured.

Table 20: FortiGate MIB FortiManager related traps

(fgFmTrapDeployComplete): Indicates when deployment of a new configuration has been completed. Used for verification by FortiManager.
(fgFmTrapDeployInProgress): Indicates that a configuration change was not immediate and that the change is currently in progress. Used for verification by FortiManager.
(fgFmTrapConfChange): The FortiGate unit configuration has been changed by something other than the managing FortiManager device.
(fgFmTrapIfChange): No message. Sent to the monitoring FortiManager when an interface changes IP address.


Fortinet and FortiGate MIB fields


The FortiGate MIB contains fields reporting current FortiGate unit status information. The tables below list the names of the MIB fields and describe the status information available for each one. You can view more details about the information available from all Fortinet and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields on your computer.
Table 21: FortiGate HA MIB fields

fgHaGroupId: HA cluster group ID.
fgHaPriority: HA clustering priority (default 127).
fgHaOverride: Status of the master override flag.
fgHaAutoSync: Status of automatic configuration synchronization.
fgHaSchedule: Load balancing schedule for the cluster in Active-Active mode.
fgHaGroupName: HA cluster group name.
fgHaTrapMemberSerial: Serial number of an HA cluster member.
fgHaStatsTable: Statistics for the individual FortiGate unit in the HA cluster.
fgHaStatsIndex: The index number of the unit in the cluster.
fgHaStatsSerial: The FortiGate unit serial number.
fgHaStatsCpuUsage: The current FortiGate unit CPU usage (%).
fgHaStatsMemUsage: The current unit memory usage (%).
fgHaStatsNetUsage: The current unit network utilization (Kbps).
fgHaStatsSesCount: The number of active sessions.
fgHaStatsPktCount: The number of packets processed.
fgHaStatsByteCount: The number of bytes processed by the FortiGate unit.
fgHaStatsIdsCount: The number of attacks that the IPS detected in the last 20 hours.
fgHaStatsAvCount: The number of viruses that the antivirus system detected in the last 20 hours.
fgHaStatsHostname: Hostname of the HA cluster's unit.

Table 22: FortiGate Administrator accounts

fgAdminIdleTimeout: Idle period after which an administrator is automatically logged out of the system.
fgAdminLcdProtection: Status of the LCD protection, either enabled or disabled.
fgAdminTable: Table of administrators on this FortiGate unit.
fgAdminVdom: The virtual domain the administrator belongs to.


Table 23: FortiGate Virtual domains

fgVdInfo: FortiGate unit Virtual Domain related information.
fgVdNumber: The number of virtual domains configured on this FortiGate unit.
fgVdMaxVdoms: The maximum number of virtual domains allowed on the FortiGate unit as allowed by hardware or licensing.
fgVdEnabled: Whether virtual domains are enabled on this FortiGate unit.
fgVdTable.fgVdEntry: Table of information about each virtual domain. Each virtual domain has an fgVdEntry with the following fields.
fgVdEntIndex: Internal virtual domain index used to uniquely identify entries in this table. This index is also used by other tables referencing a virtual domain.
fgVdEntName: The name of the virtual domain.
fgVdEntOpMode: Operation mode of this virtual domain, either NAT or Transparent.

Table 24: FortiGate Active IP sessions table

fgIpSessIndex: The index number of the IP session within the table.
fgIpSessProto: The IP protocol the session is using (IP, TCP, UDP, etc.).
fgIpSessFromAddr: The source IPv4 address of the active IP session.
fgIpSessFromPort: The source port of the active IP session (UDP and TCP only).
fgIpSessToAddr: The destination IPv4 address of the active IP session.
fgIpSessToPort: The destination port of the active IP session (UDP and TCP only).
fgIpSessExp: The number of seconds remaining until the session expires (if idle).
fgIpSessVdom: Virtual domain the session is part of. Corresponds to the index in fgVdTable.
fgIpSessNumber: Total sessions on this virtual domain.
fgIpSessStatsTable: IP session statistics table for the virtual domain.

Table 25: FortiGate Firewall policy statistics table

fgFwPolicyStatsVdomIndex: Index that identifies the virtual domain. This is the same index used by fgVdTable.
fgFwPolicyID: Firewall policy ID. Only enabled policies are available for querying. Policy IDs are only unique within a virtual domain.
fgFwPolicyPktCount: Number of packets matched to the policy (passed or blocked, depending on policy action). Count is from the time the policy became active.
fgFwPolicyByteCount: Number of bytes matched to the policy (passed or blocked, depending on policy action). Count is from the time the policy became active.

Table 26: FortiGate Dialup VPNs

fgVpnDialupIndex: An index value that uniquely identifies a VPN dial-up peer in the table.
fgVpnDialupGateway: The remote gateway IP address on the tunnel.


Table 26: FortiGate Dialup VPNs (continued)

fgVpnDialupLifetime: VPN tunnel lifetime in seconds.
fgVpnDialupTimeout: Time remaining until the next key exchange (seconds) for this tunnel.
fgVpnDialupSrcBegin: Remote subnet address of the tunnel.
fgVpnDialupSrcEnd: Remote subnet mask of the tunnel.
fgVpnDialupDstAddr: Local subnet address of the tunnel.
fgVpnDialupVdom: The virtual domain this tunnel is part of. This index corresponds to the index in fgVdTable.

Table 27: VPN Tunnel table

fgVpnTunEntIndex: An index value that uniquely identifies a VPN tunnel within the VPN tunnel table.
fgVpnTunEntPhase1Name: The descriptive name of the Phase1 configuration for the tunnel.
fgVpnTunEntPhase2Name: The descriptive name of the Phase2 configuration for the tunnel.
fgVpnTunEntRemGwyIp: The IP of the remote gateway used by the tunnel.
fgVpnTunEntRemGwyPort: The port of the remote gateway used by the tunnel, if it is UDP.
fgVpnTunEntLocGwyIp: The IP of the local gateway used by the tunnel.
fgVpnTunEntLocGwyPort: The port of the local gateway used by the tunnel, if it is UDP.
fgVpnTunEntSelectorSrcBeginIp: Beginning of the address range of the source selector.
fgVpnTunEntSelectorSrcEndIp: Ending of the address range of the source selector.
fgVpnTunEntSelectorSrcPort: Source selector port.
fgVpnTunEntSelectorDstBeginIp: Beginning of the address range of the destination selector.
fgVpnTunEntSelectorDstEndIp: Ending of the address range of the destination selector.
fgVpnTunEntSelectorDstPort: Destination selector port.
fgVpnTunEntSelectorProto: Protocol number for the selector.
fgVpnTunEntLifeSecs: Lifetime of the tunnel in seconds, if a time based lifetime is used.
fgVpnTunEntLifeBytes: Lifetime of the tunnel in bytes, if a byte transfer based lifetime is used.
fgVpnTunEntTimeout: Timeout of the tunnel in seconds.
fgVpnTunEntInOctets: Number of bytes received on the tunnel.
fgVpnTunEntOutOctets: Number of bytes sent out on the tunnel.
fgVpnTunEntStatus: Current status of the tunnel, either up or down.
fgVpnTunEntVdom: Virtual domain the tunnel belongs to. This index corresponds to the index used in fgVdTable.

Replacement messages
Go to System > Config > Replacement Messages to change replacement messages and customize alert email and information that the FortiGate unit adds to content streams such as email messages, web pages, and FTP sessions.


The FortiGate unit adds replacement messages to a variety of content streams. For example, if a virus is found in an email message, the file is removed from the email and replaced with a replacement message. The same applies to pages blocked by web filtering and email blocked by spam filtering.

Note: Disclaimer replacement messages provided by Fortinet are examples only.

Replacement messages list


To view the replacement messages list, go to System > Config > Replacement Messages. Use the replacement messages list to view and customize replacement messages to your requirements. The list organizes replacement messages into a number of types (for example, Mail, HTTP, and so on). Use the expand arrow beside each type to display the replacement messages for that category. Select the Edit icon beside each replacement message to customize that message for your requirements.
Figure 103: Replacement messages list

Name: The replacement message category. Select the expand arrow to expand or collapse the category. Each category contains several replacement messages that are used by different FortiGate features. The replacement messages are described below.
Description: A description of the replacement message.
Edit or view icon: Select to change or view a replacement message.

Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy takes effect. Therefore, the user must first initiate HTTP traffic to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the user can send whatever traffic the firewall policy allows.


Changing replacement messages


To change a replacement message, go to System > Config > Replacement Messages. Use the expand arrows to view the replacement message that you want to change. You can change the content of the replacement message by editing the text and HTML codes and by working with replacement message tags. For descriptions of the replacement message tags, see Table 38 on page 205.
Figure 104: Sample HTTP virus replacement message

Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. Allowed Formats shows you which format to use in the replacement message. There is a limit of 8192 characters for each replacement message. The following fields and options are available when editing a replacement message. Different replacement messages have different sets of fields and options.
Message Setup: The name of the replacement message.
Allowed Formats: The type of content that can be included in the replacement message. Allowed formats can be Text or HTML. You should not use HTML code in Text messages. You can include replacement message tags in text and HTML messages.
Size: The number of characters allowed in the replacement message. Usually size is 8192 characters.
Message Text: The editable text of the replacement message. The message text can include text, HTML codes (if HTML is the allowed format) and replacement message tags.

You can customize the following categories of replacement messages:
Mail replacement messages
HTTP replacement messages
FTP replacement messages
NNTP replacement messages
Alert Mail replacement messages
Spam replacement messages
Administration replacement message
Authentication replacement messages
FortiGuard Web Filtering replacement messages
IM and P2P replacement messages
Endpoint control replacement message

NAC quarantine replacement messages
SSL VPN replacement message

Mail replacement messages


The FortiGate unit sends the mail replacement messages listed in Table 28 to email clients and servers using IMAP, POP3, or SMTP when an event occurs such as antivirus blocking a file attached to an email that contains a virus. Email replacement messages are text messages. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to IMAPS, POP3S, and SMTPS email messages.
Table 28: Mail replacement messages

Virus message: Antivirus Virus Scan enabled for an email protocol in a protection profile deletes an infected file from an email message and replaces the file with this message.
File block message: When the antivirus File Filter enabled for an email protocol in a protection profile deletes a file that matches an entry in the selected file filter list, the file is blocked and the email is replaced with this message.
Oversized file message: When the antivirus Oversized File/Email is set to Block for an email protocol in a protection profile and removes an oversized file from an email message, the file is replaced with this message.
Fragmented email: In a protection profile, antivirus Pass Fragmented Emails is not enabled so a fragmented email is blocked. This message replaces the first fragment of the fragmented email.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked email message with this message.
Subject of data leak prevention message: This message is added to the subject field of all email messages replaced by the DLP sensor Block, Ban, Ban Sender, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until they are removed from the banned user list.
Sender banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban Sender replaces a blocked email message with this message. This message also replaces any additional email messages that the banned user sends until the user is removed from the banned user list.
Virus message (splice mode): Splice mode is enabled and the antivirus system detects a virus in an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
File block message (splice mode): Splice mode is enabled and the antivirus file filter deleted a file from an SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.
Oversized file message (splice mode): Splice mode is enabled and antivirus Oversized File/Email is set to Block and the FortiGate unit blocks an oversize SMTP email message. The FortiGate unit aborts the SMTP session and returns a 554 SMTP error message to the sender that includes this replacement message.

HTTP replacement messages


The FortiGate unit sends the HTTP replacement messages listed in Table 29 to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.


If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol.
Table 29: HTTP replacement messages

Virus message: Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.
Infection cache message: Client comforting is enabled in a protection profile and the FortiGate unit blocks a URL added to the client comforting URL cache and replaces the blocked URL with this web page. For more information about the client comforting URL cache, see HTTP and FTP client comforting on page 410.
File block message: Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.
Oversized file message: Antivirus Oversized File/Email set to Block for HTTP or HTTPS in a protection profile blocks an oversized file being downloaded using an HTTP GET and replaces the file with this web page that is displayed by the client browser.
Data leak prevention message: In a DLP sensor, a rule with action set to Block replaces a blocked web page or file with this web page.
Banned by data leak prevention message: In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with this web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.
Banned word message: Web content blocking enabled in a protection profile blocks a web page being downloaded with an HTTP GET that contains content that matches an entry in the selected Web Content Block list. The blocked page is replaced with this web page.
URL block message: Web URL filtering enabled in a protection profile blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with this web page.
Client block: Antivirus File Filter enabled for HTTP or HTTPS in a protection profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with this web page that is displayed by the client browser.
Client anti-virus: Antivirus Virus Scan enabled for HTTP or HTTPS in a protection profile deletes an infected file being uploaded using an HTTP PUT and replaces the file with this web page that is displayed by the client browser.
Client filesize: In a protection profile, antivirus Oversized File/Email is set to Block for HTTP or HTTPS and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with this web page.
Client banned word: Web content blocking enabled in a protection profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Block list. The client browser displays this web page.
POST block: HTTP POST Action is set to Block in a protection profile and the FortiGate unit blocks an HTTP POST and displays this web page.

FTP replacement messages


The FortiGate unit sends the FTP replacement messages listed in Table 30 to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session. FTP replacement messages are text messages.


Table 30: FTP replacement messages

Virus message: Antivirus Virus Scan enabled for FTP in a protection profile deletes an infected file being downloaded using FTP and sends this message to the FTP client.
Blocked message: Antivirus File Filter enabled for FTP in a protection profile blocks a file being downloaded using FTP that matches an entry in the selected file filter list and sends this message to the FTP client.
Oversized message: Antivirus Oversized File/Email set to Block for FTP in a protection profile blocks an oversize file from being downloaded using FTP and sends this message to the FTP client.
DLP message: In a DLP sensor, a rule with action set to Block replaces a blocked FTP download with this message.
DLP ban message: In a DLP sensor, a rule with action set to Ban blocks an FTP session and displays this message. This message is displayed whenever the banned user attempts FTP access, until the user is removed from the banned user list.

NNTP replacement messages


The FortiGate unit sends the NNTP replacement messages listed in Table 31 to NNTP clients when an event occurs such as antivirus blocking a file attached to an NNTP message that contains a virus. NNTP replacement messages are text messages.
Table 31: NNTP replacement messages
Virus message
    Antivirus Virus Scan enabled for NNTP in a protection profile deletes an infected file attached to an NNTP message and sends this message to the NNTP client.
Blocked message
    Antivirus File Filter enabled for NNTP in a protection profile blocks a file attached to an NNTP message that matches an entry in the selected file filter list and sends this message to the NNTP client.
Oversized message
    Antivirus Oversized File/Email set to Block for NNTP in a protection profile removes an oversized file from an NNTP message and replaces the file with this message.
Data Leak prevention message
    In a DLP sensor, a rule with action set to Block replaces a blocked NNTP message with this message.
Subject of data leak prevention message
    This message is added to the subject field of all NNTP messages replaced by the DLP sensor Block, Ban, Quarantine IP address, and Quarantine interface actions.
Banned by data leak prevention message
    In a DLP sensor, a rule with action set to Ban replaces a blocked NNTP message with this message. This message also replaces any additional NNTP messages that the banned user sends until they are removed from the banned user list.

Alert Mail replacement messages


The FortiGate unit adds the alert mail replacement messages listed in Table 32 to alert email messages sent to administrators. For more information about alert email, see Alert Email on page 670. Alert mail replacement messages are text messages.
Table 32: Alert mail replacement messages
Virus message
    Virus detected must be enabled for alert email. Antivirus Virus Scan must be enabled in a protection profile and detect a virus.
Block message
    Virus detected must be enabled for alert email. Antivirus File Filter must be enabled in a protection profile, and block a file that matches an entry in a selected file filter list.
Intrusion message
    Intrusion detected enabled for alert email. An IPS Sensor or a DoS Sensor detects an attack.
Critical event message
    Whenever a critical level event log message is generated, this replacement message is sent unless you configure alert email to enable Send alert email for logs based on severity and set the Minimum log level to Alert or Emergency.
Disk full message
    Disk usage enabled and disk usage reaches the % configured for alert email.

If you enable Send alert email for logs based on severity for alert email, whether or not replacement messages are sent by alert email depends on how you set the alert email Minimum log level.

Spam replacement messages


The FortiGate unit adds the Spam replacement messages listed in Table 33 to SMTP server responses if the email message is identified as spam and the spam action is discard. If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also be added to SMTPS server responses.
Table 33: Spam replacement messages
Email IP
    Spam Filtering IP address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
DNSBL/ORDBL
    From the CLI, spamrbl enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
HELO/EHLO domain
    Spam Filtering HELO DNS lookup enabled for SMTP in a protection profile identifies an email message as spam and adds this replacement message. HELO DNS lookup is not available for SMTPS.
Email address
    Spam Filtering E-mail address BWL check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Mime header
    From the CLI, spamhdrcheck enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Returned email domain
    Spam Filtering Return e-mail DNS check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Banned word
    Spam Filtering Banned word check enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message.
Spam submission message
    Any Spam Filtering option enabled for an email protocol in a protection profile identifies an email message as spam and adds this replacement message. Spam Filtering adds this message to all email tagged as spam. The message describes a button that the recipient of the message can select to submit the email signatures to the FortiGuard Antispam service if the email was incorrectly tagged as spam (a false positive).

Administration replacement message


If you enter the following CLI command, the FortiGate unit displays the Administration Login disclaimer whenever an administrator logs into the FortiGate unit web-based manager or CLI.

config system global
    set access-banner enable
end

The web-based manager administrator login disclaimer contains the text of the Login Disclaimer replacement message as well as Accept and Decline buttons. The administrator must select Accept to log in.

Authentication replacement messages


The FortiGate unit uses the text of the authentication replacement messages listed in Table 34 for the user authentication HTML pages that are displayed when a user is required to authenticate because a firewall policy includes at least one identity-based policy that requires firewall users to authenticate. For more information about identity-based policies, see Identity-based firewall policy options (non-SSL-VPN) on page 328 and Configuring SSL VPN identity-based firewall policies on page 331. These pages are used for authentication using HTTP and HTTPS. Authentication replacement messages are HTML messages. You cannot customize the firewall authentication messages for FTP and Telnet.

The authentication login page and the authentication disclaimer include replacement tags and controls not found in other replacement messages. Users see the authentication login page when they use a VPN or a firewall policy that requires authentication. You can customize this page in the same way as you modify other replacement messages. Administrators see the authentication disclaimer page when logging into the FortiGate web-based manager or CLI. The disclaimer page makes a statement about usage policy to which the user must agree before the FortiGate unit permits access. You should change only the disclaimer text itself, not the HTML form code.
There are some unique requirements for these replacement messages:
• The login page must be an HTML page containing a form with ACTION="/" and METHOD="POST".
• The form must contain the following hidden controls:
    <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
    <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
    <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
• The form must contain the following visible controls:
    <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
    <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>

Example

The following is an example of a simple authentication page that meets the requirements listed above.

<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0" CELLPADDING="15"
CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"> </TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password"> </TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"> </TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
Table 34: Authentication replacement messages
Disclaimer page
    User Authentication Disclaimer enabled in a firewall policy that also includes at least one identity-based policy. When a firewall user attempts to browse a network through the FortiGate unit using HTTP or HTTPS this disclaimer page is displayed. The CLI includes auth-disclaimer-page-1, auth-disclaimer-page-2, and auth-disclaimer-page-3 that you can use to increase the size of the authentication disclaimer page replacement message. For more information, see the FortiGate CLI Reference.
Declined disclaimer page
    The Disclaimer page replacement message does not re-direct the user to a redirect URL or the firewall policy does not include a redirect URL. When a firewall user selects the button on the disclaimer page to decline access through the FortiGate unit, the Declined disclaimer page is displayed.
Login page
    The authentication HTML page displayed when firewall users who are required to authenticate connect through the FortiGate unit using HTTP or HTTPS.
Login failed page
    The HTML page displayed if firewall users enter an incorrect user name and password combination.
Login challenge page
    The HTML page displayed if firewall users are required to answer a question to complete authentication. The page displays the question and includes a field in which to type the answer. This feature is supported by RADIUS and uses the generic RADIUS challenge-access auth response. Usually, challenge-access responses contain a Reply-Message attribute that contains a message for the user (for example, Please enter new PIN). This message is displayed on the login challenge page. The user enters a response that is sent back to the RADIUS server to be verified. The Login challenge page is most often used with an RSA RADIUS server for RSA SecurID authentication. The login challenge appears when the server needs the user to enter a new PIN. You can customize the replacement message to ask the user for a SecurID PIN.
Keepalive page
    The HTML page displayed when firewall authentication keepalive is enabled using the following command:
    config system global
        set auth-keepalive enable
    end
    Authentication keepalive keeps authenticated firewall sessions from ending when the authentication timeout ends. Go to User > Options to set the Authentication Timeout.

FortiGuard Web Filtering replacement messages


The FortiGate unit sends the FortiGuard Web Filtering replacement messages listed in Table 35 to web browsers using the HTTP protocol when FortiGuard web filtering blocks a URL, provides details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web Filtering replacement messages are HTML pages.

If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition > HTTPS Content Filtering Mode is set to Deep Scan in the protection profile, these replacement messages can also replace web pages downloaded using the HTTPS protocol.

Table 35: FortiGuard Web Filtering replacement messages
URL block message
    Enable FortiGuard Web Filtering enabled in a protection profile for HTTP or HTTPS blocks a web page. The blocked page is replaced with this web page.
HTTP error message
    Provide details for blocked HTTP 4xx and 5xx errors enabled in a protection profile for HTTP or HTTPS blocks a web page. The blocked page is replaced with this web page.
FortiGuard Web Filtering override form
    Override selected for a FortiGuard Web Filtering category and FortiGuard Web Filtering blocks a web page in this category and displays this web page. Using this web page users can authenticate to get access to the page. Go to UTM > Web Filter > Override to add override rules. For more information, see Configuring administrative override rules on page 489. The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard Web Filtering blocks access to a web page. Do not remove this tag from the replacement message.

IM and P2P replacement messages


The FortiGate unit sends the IM and P2P replacement messages listed in Table 36 to IM and P2P clients using AIM, ICQ, MSN, or Yahoo! Messenger when an event occurs such as antivirus blocking a file attached to an email that contains a virus. IM and P2P replacement messages are text messages.
Table 36: IM and P2P replacement messages
File block message
    Antivirus File Filter enabled for IM in a protection profile deletes a file that matches an entry in the selected file filter list and replaces it with this message.
File name block message
    Antivirus File Filter enabled for IM in a protection profile deletes a file with a name that matches an entry in the selected file filter list and replaces it with this message.
Virus message
    Antivirus Virus Scan enabled for IM in a protection profile deletes an infected file and replaces the file with this message.
Oversized file message
    Antivirus Oversized File/Email set to Block for IM in a protection profile removes an oversized file and replaces the file with this message.
Data leak prevention message
    In a DLP sensor, a rule with action set to Block replaces a blocked IM or P2P message with this message.
Banned by data leak prevention message
    In a DLP sensor, a rule with action set to Ban replaces a blocked IM or P2P message with this message. This message also replaces any additional messages that the banned user sends until they are removed from the banned user list.
Voice chat block message
    In an Application Control list, the Block Audio option is selected for AIM, ICQ, MSN, or Yahoo! and the application control list is added to a protection profile.
Photo share block message
    In an Application Control list, the block-photo CLI keyword is enabled for MSN or Yahoo! and the application control list is added to a protection profile. You enable photo blocking from the CLI.


Endpoint control replacement message


The endpoint control download portal replacement message formats the FortiClient download portal page that appears if you enable endpoint control in a firewall policy and select Redirect Non-conforming Clients to Download Portal. The portal provides links to download a FortiClient application installer. The endpoint control replacement message is an HTML message. You can modify the appearance of the FortiClient Download Portal from System > Config > Replacement Messages > Endpoint Control by editing the Endpoint Control Download Portal. Be sure to retain the %%LINK%% tag which provides the download URL for the FortiClient installer. For more information about Endpoint control, see Endpoint control on page 641.

NAC quarantine replacement messages


When a user is blocked by NAC quarantine or a DLP sensor with action set to Quarantine IP address or Quarantine Interface, if they attempt to start an HTTP session through the FortiGate unit using TCP port 80, the FortiGate unit connects them to one of the four NAC Quarantine HTML pages listed in Table 37. The page that is displayed for the user depends on whether NAC quarantine blocked the user because a virus was found, a DoS sensor detected an attack, an IPS sensor detected an attack, or a DLP rule with action set to Quarantine IP address or Quarantine Interface matched a session from the user. The default messages inform the user of why they are seeing this page and recommend they contact the system administrator. You can customize the pages as required, for example to include an email address or other contact information or if applicable a note about how long the user can expect to be blocked. For more information about NAC quarantine see NAC quarantine and the Banned User list on page 595.
Table 37: NAC quarantine replacement messages
Virus Message
    Antivirus Quarantine Virus Sender enabled in a protection profile adds a source IP address or FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.
DoS Message
    For a DoS Sensor, the CLI quarantine option set to attacker or interface and the DoS Sensor added to a DoS firewall policy adds a source IP, a destination IP, or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if quarantine is set to both.
IPS Message
    Quarantine Attackers enabled in an IPS sensor filter or override and the IPS sensor added to a protection profile adds a source IP address, a destination IP address, or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80. This replacement message is not displayed if method is set to Attacker and Victim IP Address.
DLP Message
    Action set to Quarantine IP address or Quarantine Interface in a DLP sensor and the DLP sensor added to a protection profile adds a source IP address or a FortiGate interface to the banned user list. The FortiGate unit displays this replacement message as a web page when the blocked user attempts to connect through the FortiGate unit using HTTP on port 80 or when any user attempts to connect through a FortiGate interface added to the banned user list using HTTP on port 80.

SSL VPN replacement message


The SSL VPN login replacement message is an HTML replacement message that formats the FortiGate SSL VPN portal login page. You can customize this replacement message according to your organization's needs. The page is linked to FortiGate functionality and you must construct it according to the following guidelines to ensure that it will work:
• The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%".
• The form must contain the %%SSL_LOGIN%% tag to provide the login form.
• The form must contain the %%SSL_HIDDEN%% tag.
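Because a customized login page that drops one of the required controls or tags stops users from authenticating, it is worth checking an edited page against the rules before loading it onto the unit. The Python script below is an added example, not code from this guide or from Fortinet: it checks a page against the requirements listed for the firewall authentication login page (form with ACTION="/" and METHOD="POST", the three hidden controls, the username and password controls) and against the three rules above for the SSL VPN login page. The sample pages in it are constructed for the check: AUTH_PAGE_OK reproduces the guide's example login page, AUTH_PAGE_BAD is that page with the %%STATEID%% control removed, and SSL_PAGE_OK is a minimal page that follows the SSL VPN rules.

```python
"""Structural check for customized FortiGate login replacement messages.

Added example, not Fortinet code. Sample pages are constructed for the check.
"""
from html.parser import HTMLParser


class _FormCollector(HTMLParser):
    """Record every <FORM>: its ACTION/METHOD, its <INPUT> controls and its text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "").upper(),
                          "inputs": [], "text": ""}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["inputs"].append(a)

    def handle_data(self, data):
        if self._form is not None:
            self._form["text"] += data

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


# Requirements for the firewall authentication login page (from this section).
AUTH_LOGIN_SPEC = {
    "action": "/", "method": "POST",
    "hidden": {"%%MAGICID%%": "%%MAGICVAL%%",
               "%%STATEID%%": "%%STATEVAL%%",
               "%%REDIRID%%": "%%PROTURI%%"},
    "visible": {"%%USERNAMEID%%": "text", "%%PASSWORDID%%": "password"},
    "tags": (),
}

# Requirements for the SSL VPN login page (from the SSL VPN replacement message section).
SSL_VPN_SPEC = {
    "action": "%%SSL_ACT%%", "method": "%%SSL_METHOD%%",
    "hidden": {}, "visible": {},
    "tags": ("%%SSL_LOGIN%%", "%%SSL_HIDDEN%%"),
}


def check_login_page(page, spec):
    """Return a list of problems; an empty list means the page meets the spec."""
    parser = _FormCollector()
    parser.feed(page)
    form = next((f for f in parser.forms
                 if f["action"] == spec["action"] and f["method"] == spec["method"]), None)
    if form is None:
        return [f'no <FORM> with ACTION="{spec["action"]}" and METHOD="{spec["method"]}"']
    problems = []
    by_name = {i.get("name"): i for i in form["inputs"]}
    for name, value in spec["hidden"].items():
        ctl = by_name.get(name)
        if ctl is None or ctl.get("type", "").lower() != "hidden":
            problems.append(f"missing hidden control {name}")
        elif ctl.get("value") != value:
            problems.append(f'hidden control {name} must have VALUE="{value}"')
    for name, kind in spec["visible"].items():
        ctl = by_name.get(name)
        if ctl is None or ctl.get("type", "").lower() != kind:
            problems.append(f'missing <INPUT TYPE="{kind}" NAME="{name}">')
    for tag in spec["tags"]:
        if tag not in form["text"]:
            problems.append(f"form does not contain the {tag} tag")
    return problems


# Constructed sample: the guide's example login page, table styling trimmed.
AUTH_PAGE_OK = """<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE><TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"></TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password"></TD></TR>
<TR><TD COLSPAN="2">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"></TD></TR>
</TABLE></FORM></BODY></HTML>"""

# Constructed broken variant: the %%STATEID%% control was lost while editing.
AUTH_PAGE_BAD = AUTH_PAGE_OK.replace(
    '<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">\n', "")

# Constructed minimal SSL VPN login page following the three rules above.
SSL_PAGE_OK = """<HTML><BODY>
<FORM ACTION="%%SSL_ACT%%" METHOD="%%SSL_METHOD%%">
%%SSL_LOGIN%%
%%SSL_HIDDEN%%
</FORM></BODY></HTML>"""

if __name__ == "__main__":
    for label, page, spec in (("auth ok", AUTH_PAGE_OK, AUTH_LOGIN_SPEC),
                              ("auth bad", AUTH_PAGE_BAD, AUTH_LOGIN_SPEC),
                              ("sslvpn ok", SSL_PAGE_OK, SSL_VPN_SPEC)):
        print(label, check_login_page(page, spec) or "OK")
```

The check deliberately matches the exact control names and values from the requirements list rather than just looking for any hidden inputs, since the FortiGate unit fills the %%...%% placeholders by name when it serves the page.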

Replacement message tags


Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message. Table 38 lists the replacement message tags that you can add.
Table 38: Replacement message tags
%%AUTH_LOGOUT%%
    The URL that will immediately delete the current policy and close the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%%
    The auth-keepalive page can prompt the user to open a new window which links to this tag.
%%CATEGORY%%
    The name of the content category of the web site.
%%DEST_IP%%
    The IP address of the request destination from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.
%%EMAIL_FROM%%
    The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%
    The email address of the intended receiver of the message from which the file was removed.
%%FAILED_MESSAGE%%
    The failed to login message displayed on the auth-login-failed page.
%%FILE%%
    The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%%
    The FortiGuard - Web Filtering logo.
%%FORTINET%%
    The Fortinet logo.
%%LINK%%
    The link to the FortiClient Host Security installs download for the Endpoint Control feature.
%%HTTP_ERR_CODE%%
    The HTTP error code. 404 for example.
%%HTTP_ERR_DESC%%
    The HTTP error description.
%%NIDSEVENT%%
    The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
%%OVERRIDE%%
    The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
%%OVRD_FORM%%
    The FortiGuard web filter block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.
%%PROTOCOL%%
    The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%%
    The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%QUESTION%%
    Authentication challenge question on the auth-challenge page. Prompt to enter username and password on the auth-login page.
%%SERVICE%%
    The name of the web filtering service.
%%SOURCE_IP%%
    The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user's computer that attempted to download the message from which the file was removed.
%%TIMEOUT%%
    Configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.
%%URL%%
    The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%VIRUS%%
    The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
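Two practical points follow from Table 38: a customized message must keep the tags its feature depends on (%%OVRD_FORM%% in the override form, %%LINK%% in the endpoint control portal), and several tags (%%URL%%, %%FILE%%, %%VIRUS%%, %%EMAIL_FROM%% and others) expand to data taken from the blocked traffic, so a page that displays them is showing content an outside party chose. The Python renderer below is an added example, not code from this guide or from Fortinet, that expands %%TAG%% markers in a template and reports tags left unresolved or required tags missing. Its escaping policy (text values are HTML-escaped, values for the logo and form tags are inserted as markup) is this example's own choice and is not a statement of how the FortiGate unit fills the tags; the template and values are constructed.

```python
"""Expand %%TAG%% markers in a FortiGate-style replacement message template.

Added example, not Fortinet code. Template and values below are constructed.
"""
import html
import re

TAG_RE = re.compile(r"%%([A-Z_]+)%%")

# Tags that Table 38 describes as a logo or a form rather than plain text.
# This renderer inserts their values verbatim; everything else is escaped.
MARKUP_TAGS = {"FORTINET", "FORTIGUARD_WF", "OVRD_FORM"}


def render_replacement_message(template, values, required_tags=()):
    """Return (rendered_page, unresolved_tags, missing_required_tags).

    values maps tag names (without the %% delimiters) to their content.
    Tags with no value are left in place and reported as unresolved;
    required tags that do not occur in the template are reported as missing.
    """
    present = set(TAG_RE.findall(template))
    missing = [t for t in required_tags if t not in present]
    unresolved = sorted(t for t in present if t not in values)

    def expand(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        if name in MARKUP_TAGS:
            return values[name]
        # Traffic-derived text (URL, file name, virus name, ...) is shown literally.
        return html.escape(values[name], quote=True)

    return TAG_RE.sub(expand, template), unresolved, missing


# Constructed template modelled on the FortiGuard URL block / override page.
URL_BLOCK_TEMPLATE = """<HTML><BODY>
%%FORTIGUARD_WF%%
<H2>Web Page Blocked</H2>
<P>The page <B>%%URL%%</B> is in the category <B>%%CATEGORY%%</B>.</P>
%%OVRD_FORM%%
</BODY></HTML>"""

# Constructed values; the URL deliberately contains markup characters.
SAMPLE_VALUES = {
    "FORTIGUARD_WF": '<IMG SRC="/fgd_logo.gif" ALT="FortiGuard Web Filtering">',
    "URL": 'http://example.test/<b>watch</b>?q="1"',
    "CATEGORY": "Malicious Websites",
}


def render_sample(template=URL_BLOCK_TEMPLATE):
    """Render the sample with %%OVRD_FORM%% declared as a required tag."""
    return render_replacement_message(template, SAMPLE_VALUES,
                                      required_tags=("OVRD_FORM",))


if __name__ == "__main__":
    page, unresolved, missing = render_sample()
    print(page)
    print("unresolved:", unresolved, "missing:", missing)
```

Running it leaves %%OVRD_FORM%% in the output and lists it as unresolved (the unit, not this script, supplies the form), while the angle brackets and quotes in the constructed URL arrive on the page as entity references. Removing the %%OVRD_FORM%% line from the template makes the same call report it as missing, which is the check to run on an edited override form before saving it.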

Operation mode and VDOM management access


You can change the operation mode of each VDOM independently of other VDOMs. This allows any combination of NAT/Route and Transparent operating modes on the FortiGate unit VDOMs. Management access to a VDOM can be restricted based on which interfaces and protocols can be used to connect to the FortiGate unit.

Changing operation mode


You can set the operating mode for your VDOM and perform sufficient network configuration to ensure that you can connect to the web-based manager in the new mode.

To switch from NAT/Route to Transparent mode
1 Go to System > Config > Operation Mode or select Change beside Operation Mode on the System Status page for the virtual domain.
2 From the Operation Mode list, select Transparent.
3 Enter the following information and select Apply.
    Management IP/Netmask
        Enter the management IP address and netmask. This must be a valid IP address for the network from which you want to manage the FortiGate unit.
    Default Gateway
        Enter the default gateway required to reach other networks from the FortiGate unit.

To switch from Transparent to NAT/Route mode
1 Go to System > Config > Operation Mode or select Change beside Operation Mode on the System Status page for the virtual domain.
2 From the Operation Mode list, select NAT.
3 Enter the following information and select Apply.
    Interface IP/Netmask
        Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.
    Device
        Select the interface to which the Interface IP/Netmask settings apply.
    Default Gateway
        Enter the default gateway required to reach other networks from the FortiGate unit.
    Gateway Device
        Select the interface to which the default gateway is connected.

Management access
You can configure management access on any interface in your VDOM. See Administrative access to an interface on page 135. In NAT/Route mode, the interface IP address is used for management access. In Transparent mode, you configure a single management IP address that applies to all interfaces in your VDOM that permit management access. The FortiGate also uses this IP address to connect to the FDN for virus and attack updates (see Configuring FortiGuard Services on page 264).


The system administrator (admin) can access all VDOMs, and create regular administrator accounts. A regular administrator account can access only the VDOM to which it belongs. The management computer must connect to an interface in that VDOM. It does not matter to which VDOM the interface belongs. In both cases, the management computer must connect to an interface that permits management access and its IP address must be on the same network. Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH are preferred as they are more secure.

You can allow remote administration of the FortiGate unit. However, allowing remote administration from the Internet could compromise the security of the FortiGate unit. You should avoid this unless it is required for your configuration. To improve the security of a FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Use Trusted Hosts to limit where the remote access can originate from.
• Do not change the system idle timeout from the default value of 5 minutes (see Settings on page 228).


System Admin
This section describes how to configure administrator accounts on your FortiGate unit. Administrators access the FortiGate unit to configure its operation. The factory default configuration has one administrator, admin. After connecting to the web-based manager or the CLI, you can configure additional administrators with various levels of access to different parts of the FortiGate unit configuration. If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are configured globally for the entire FortiGate unit. For details, see Using virtual domains on page 103.
Note: Always end your FortiGate session by logging out, in the CLI or the web-based manager. If you do not, the session remains open.

This section describes:
• Administrators
• Admin profiles
• Central Management
• Settings
• Monitoring administrators
• FortiGate IPv6 support
• Customizable web-based manager

Administrators
There are two levels of administrator accounts:

Regular administrators
    An administrator with any admin profile other than super_admin. A regular administrator account has access to configuration options as determined by its Admin Profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which options are global and which are per VDOM, see VDOM configuration settings on page 104 and Global configuration settings on page 107.
System administrators
    Includes the factory default system administrator admin, any other administrators assigned to the super_admin profile, and any administrator that is assigned to the super_admin_readonly profile. Any administrator assigned to the super_admin admin profile, including the default administrator account admin, has full access to the FortiGate unit configuration and general system settings, which includes the ability to:
    • enable VDOM configuration
    • create VDOMs
    • configure VDOMs
    • assign regular administrators to VDOMs
    • configure global options
    • customize the FortiGate web-based manager.
    The super_admin admin profile cannot be changed; it does not appear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in the System > Admin New/Edit Administrator dialog box.


Figure 105: New Administrator dialog box displaying super_admin readonly option

Users assigned to the super_admin profile:
• cannot delete logged-in users who are also assigned the super_admin profile
• can delete other users assigned the super_admin profile and/or change the configured authentication method, password, or admin profile, only if the other users are not logged in
• can delete the default admin account only if the default admin user is not logged in.

By default, admin has no password. The password should be 32 characters or less.


Note: The password of users with the super_admin admin profile can be reset in the CLI. If the password of a user who is logged in is changed, the user will be logged out and prompted to re-authenticate with the new password.

Example: For a user ITAdmin with the admin profile super_admin, to set the password to 123456:
config sys admin
    edit ITAdmin
        set password 123456
end

Example: For a user ITAdmin with the admin profile super_admin, to reset the password from 123456 to the default empty:
config sys admin
    edit ITAdmin
        unset password 123456
end

There is also an admin profile that allows read-only super admin privileges, super_admin_readonly. This profile cannot be deleted or changed, similar to the super_admin. The read-only super_admin profile is suitable in a situation where it is necessary for a system administrator to troubleshoot a customer configuration without being able to make changes. Other than being read-only, the super_admin_readonly profile can view all the FortiGate configuration tools.


You can authenticate an administrator by using a password stored on the FortiGate unit, an LDAP, RADIUS, or TACACS+ server, or by using PKI certificate-based authentication. To authenticate an administrator with an LDAP or TACACS+ server, you must add the server to an authentication list, include the server in a user group, and associate the administrator with the user group. The RADIUS server authenticates users and authorizes access to internal network resources based on the admin profile of the user. Users authenticated with a PKI certificate are permitted access to internal network resources based on the user group they belong to and the associated admin profile.

A VDOM/admin profile override feature supports authentication of administrators via RADIUS. The admin user will have access depending on which VDOM and associated admin profile he or she is restricted to. This feature is available only to wildcard administrators, and can be set only through the FortiGate CLI. There can only be one VDOM override user per system. For more information, see the FortiGate CLI Reference.

Viewing the administrators list


You need to use the default admin account, an account with the super_admin admin profile, or an administrator with read-write access control to add new administrator accounts and control their permission levels. If you log in with an administrator account that does not have the super_admin admin profile, the administrators list will show only the administrators for the current virtual domain. To view the list of administrators, go to System > Admin > Administrators.
Figure 106: Administrators list

Create New: Add an administrator account.
Name: The login name for an administrator account.
Trusted Hosts: The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see Using trusted hosts on page 221.
Profile: The admin profile for the administrator.
Type: The type of authentication for this administrator, one of:
    Local: Authentication of an account with a local password stored on the FortiGate unit.
    Remote: Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server.
    Remote + Wildcard: Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
    PKI: PKI-based certificate authentication of an account.


Delete icon: Delete the administrator account. You cannot delete the original admin account until you create another user with the super_admin profile, log out of the admin account, and log in with the alternate user that has the super_admin profile.
Edit or View icon: Edit or view the administrator account.
Change Password icon: Change the password for the administrator account.

To change an administrator password, go to System > Admin > Administrators, and select the Change Password icon next to the administrator account you want to change the password for. Enter and confirm the new password, and select OK to save the changes.

Configuring an administrator account


You need to use the default admin account, an account with the super_admin admin profile, or an administrator with read-write access control to create a new administrator. To create a new administrator, go to System > Admin > Administrators and select Create New. To configure the settings for an existing administrator, select the Edit icon beside the administrator.
Figure 107: Administrator account configuration - Regular (local) authentication

Figure 108: Administrator account configuration - Remote authentication


Figure 109: Administrator account configuration - PKI authentication

Administrator: Enter the login name for the administrator account. The name of the administrator should not contain the characters <>()#"'. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability.
Type: Select the type of administrator account:
    Regular: Select to create a Local administrator account. For more information, see Configuring regular (password) authentication for administrators on page 214.
    Remote: Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first. For more information, see Configuring remote authentication for administrators on page 214.
    PKI: Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled. For more information, see Configuring PKI certificate authentication for administrators on page 220.
User Group: Select the administrator user group that includes the Remote server/PKI (peer) users as members of the User Group. The administrator user group cannot be deleted once the group is selected for authentication. This is available only if Type is Remote or PKI.
Wildcard: Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators. This is available only if Type is Remote. Only one wildcard user is permitted per VDOM.
Password: Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI. See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.
Confirm Password: Type the password for the administrator account a second time to confirm that you have typed it correctly. This is not available if Wildcard is selected or when PKI authentication is selected.
Trusted Host #1, Trusted Host #2, Trusted Host #3: Enter the trusted host IP address and netmask that administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0. For more information, see Using trusted hosts on page 221.
Admin Profile: Select the admin profile for the administrator. You can also select Create New to create a new admin profile. For more information on admin profiles, see Configuring an admin profile on page 225.


Configuring regular (password) authentication for administrators


You can use a password stored on the local FortiGate unit to authenticate an administrator.

To configure an administrator to authenticate with a password stored on the FortiGate unit
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
    Administrator: A name for the administrator.
    Type: Regular.
    Password: A password for the administrator to use to authenticate.
    Confirm Password: The password entered in Password.
    Admin Profile: The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an administrator account on page 212.
5 Select OK.

When you select Type > Regular, you will see Local as the entry in the Type column when you view the list of administrators. For more information, see Viewing the administrators list on page 211.
Note: If you forget or lose an administrator account password and cannot log in to your FortiGate unit, see the Fortinet Knowledge Center article Recovering lost administrator account passwords.

Configuring remote authentication for administrators


You can authenticate administrators using RADIUS, LDAP, or TACACS+ servers. In order to do this, you must configure the server, include the server as a user in a user group, and create the administrator account to include in the user group.

Configuring RADIUS authentication for administrators


Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions. FortiGate units use the authentication and authorization functions of the RADIUS server. To use the RADIUS server for authentication, you must configure the server before you configure the FortiGate users or user groups that will need it.

If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user's credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the FortiGate unit refuses the connection.

If you want to use a RADIUS server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the FortiGate unit to access the RADIUS server
• create a user group with the RADIUS server as its only member.


Note: Access to the FortiGate unit depends on the VDOM associated with the administrator account.

The following instructions assume that there is a RADIUS server on your network populated with the names and passwords of your administrators. For information on how to set up a RADIUS server, see the documentation for your RADIUS server. To view the RADIUS server list, go to User > Remote > RADIUS.
Figure 110: Example RADIUS server list

Create New: Add a new RADIUS server.
Name: The name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP: The domain name or IP address of the RADIUS server.
Delete icon: Delete a RADIUS server configuration. You cannot delete a RADIUS server that has been added to a user group.
Edit icon: Edit a RADIUS server configuration.

To configure the FortiGate unit to access the RADIUS server
1 Go to User > Remote > RADIUS.
2 Select Create New, or select the Edit icon beside an existing RADIUS server.
3 Enter a name that identifies the RADIUS server. Use this name when you create the user group.
4 For Primary Server Name/IP, enter the domain name or IP address of the RADIUS server.
5 For Primary Server Secret, enter the RADIUS server secret. The RADIUS server administrator can provide this information.
6 Optionally, provide information regarding a secondary RADIUS server, custom authentication scheme, and a NAS IP/Called Station ID.
7 Optionally, configure the RADIUS server to be included in every user group in the associated VDOM.
8 Select OK.
For further information about RADIUS authentication, see Configuring a RADIUS server on page 572.

To create the user group (RADIUS)
1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing RADIUS group.
3 Enter the name that identifies the user group.

4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the RADIUS server name and move it to the Members list.
6 Select OK.

To configure an administrator to authenticate with a RADIUS server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
    Name: A name that identifies the administrator.
    Type: Remote.
    User Group: The user group that includes the RADIUS server as a member.
    Password: The password the administrator uses to authenticate.
    Confirm Password: The re-entered password that confirms the original entry in Password.
    Admin Profile: The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an administrator account on page 212.
5 Select OK.

For more information about using a RADIUS server to authenticate system administrators, see Fortinet Knowledge Centre article #3849 Using RADIUS for Admin Access and Authorization.

See also: Admin profiles; Configuring a RADIUS server; Configuring a user group.
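The exchange described in this section (the FortiGate unit forwarding the administrator's credentials to the RADIUS server, protected by the Primary Server Secret entered in step 5 above) is shown here as an added Python example; it is not FortiGate code or any RADIUS server's code. It follows RFC 2865: the client hides the PAP password using the shared secret and the request authenticator, and the server's reply carries a Response Authenticator computed with the same secret, so a reply that was not produced by the configured server can be discarded. The user database, shared secret, NAS address and packet identifier are constructed sample values.

```python
"""Added example (not FortiGate or RADIUS-server code): the Access-Request /
Access-Accept exchange of RFC 2865.  The client (NAS) side hides the PAP
password with the shared secret and checks the Response Authenticator; the
server side recovers the password and answers.  All values are constructed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

SHARED_SECRET = b"constructed-secret"            # the "Primary Server Secret"
USER_DB = {"ITAdmin": "correct-horse-battery"}    # constructed RADIUS user store


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR with chained MD5 values."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher            # next block is keyed on this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does with User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs: list) -> bytes:
    """Attribute = Type (1 byte), Length (1 byte, includes header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos < len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        attrs[t] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header = Code, Identifier, Length (20 + attributes), 16-byte Authenticator."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request(username: str, password: str, ident: int = 7) -> tuple:
    """Client side: build an Access-Request; returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)                      # fresh random Request Authenticator
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, req_auth)),
        (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),   # constructed NAS address
    ])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def radius_server(packet: bytes) -> bytes:
    """Server side: check the credentials and sign the reply with the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
    user = attrs[USER_NAME].decode()
    pw = reveal_password(attrs[USER_PASSWORD], SHARED_SECRET, req_auth).decode()
    reply_code = ACCESS_ACCEPT if USER_DB.get(user) == pw else ACCESS_REJECT
    reply_attrs = b""
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(head + req_auth + reply_attrs + SHARED_SECRET).digest()
    return head + resp_auth + reply_attrs


def verify_response(reply: bytes, req_auth: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Client side: a reply whose authenticator does not verify must be discarded."""
    head, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    return hashlib.md5(head + req_auth + attrs + secret).digest() == resp_auth


def exchange(username: str, password: str) -> tuple:
    """One request/response round trip; returns (reply, request_authenticator)."""
    packet, req_auth = access_request(username, password)
    return radius_server(packet), req_auth


def authenticate(username: str, password: str) -> bool:
    """The full decision the FortiGate unit makes: verified reply and Access-Accept."""
    reply, req_auth = exchange(username, password)
    return verify_response(reply, req_auth) and reply[0] == ACCESS_ACCEPT
```

The password hiding is reversible by anyone holding the shared secret, which is why the secret should be long and unique per NAS, and why the same secret also authenticates the reply: without the Response Authenticator check, an Access-Accept from any host able to answer on the RADIUS port would be trusted.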

Configuring LDAP authentication for administrators


Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, printers, etc. If you have configured LDAP support and an administrator is required to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. If the LDAP server cannot authenticate the administrator, the FortiGate unit refuses the connection.

If you want to use an LDAP server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the LDAP server
• configure the FortiGate unit to access the LDAP server
• create a user group with the LDAP server as a member.

To view the LDAP server list, go to User > Remote > LDAP.


Figure 111: Example LDAP server list

Create New: Add a new LDAP server.
Name: The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP: The domain name or IP address of the LDAP server.
Port: The TCP port used to communicate with the LDAP server.
Common Name Identifier: The common name identifier for the LDAP server.
Distinguished Name: The distinguished name used to look up entries on the LDAP server.
Delete icon: Delete the LDAP server configuration.
Edit icon: Edit the LDAP server configuration.

To configure an LDAP server
1 Go to User > Remote > LDAP.
2 Select Create New or select the Edit icon beside an existing LDAP server.
3 Enter or select the following and select OK.
    Name: The name that identifies the LDAP server on the FortiGate unit.
    Server Name/IP: The domain name or IP address of the LDAP server.
    Server Port: The TCP port used to communicate with the LDAP server.
    Common Name Identifier: The common name identifier for the LDAP server.
    Distinguished Name: The base distinguished name for the server in the correct X.500 or LDAP format.
    Query icon: View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see Using Query on page 577.
    Bind Type: The type of binding for LDAP authentication.
        Anonymous: Bind using anonymous user search.
        Regular: Bind using a user name/password and then search.
        Simple: Bind using a simple password authentication without a search.
    Filter: Filter used for group searching. Available only if Bind Type is Anonymous or Regular.
    User DN: Distinguished name of user to be authenticated. Available only if Bind Type is Regular.
    Password: Password of user to be authenticated. Available only if Bind Type is Regular.
    Secure Connection: A check box that enables a secure LDAP server connection for authentication.


    Protocol: The secure LDAP protocol to use for authentication. Available only if Secure Connection is selected.
    Certificate: The certificate to use for authentication. Available only if Secure Connection is selected.

For further information about LDAP authentication, see Configuring an LDAP server on page 575.

To create the user group (LDAP)
1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the LDAP server name and move it to the Members list.
6 Select OK.

To configure an administrator to authenticate with an LDAP server
1 Go to System > Admin.
2 Select Create New or select the Edit icon beside an existing administrator account.
3 Enter or select the following:
    Administrator: A name that identifies the administrator.
    Type: Remote.
    User Group: The user group that includes the LDAP server as a member.
    Wildcard: A check box that allows all accounts on the LDAP server to be administrators.
    Password: The password the administrator uses to authenticate. Not available if Wildcard is enabled.
    Confirm Password: The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
    Admin Profile: The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an administrator account on page 212.
5 Select OK.

Configuring TACACS+ authentication for administrators


Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiGate unit contacts the TACACS+ server for authentication. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiGate unit.

If you want to use a TACACS+ server to authenticate administrators in your VDOM, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure the TACACS+ server
• configure the FortiGate unit to access the TACACS+ server

• create a user group with the TACACS+ server as a member.

To view the TACACS+ server list, go to User > Remote > TACACS+.
Figure 112: Example TACACS+ server list

Create New: Add a new TACACS+ server.
Server: The server domain name or IP address of the TACACS+ server.
Authentication Type: The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon: Delete this TACACS+ server.
Edit icon: Edit this TACACS+ server.

To configure the FortiGate unit to access the TACACS+ server
1 Go to User > Remote > TACACS+.
2 Select Create New, or select the Edit icon beside an existing TACACS+ server.
3 Enter the Name that identifies the TACACS+ server.
4 For Server Name/IP, enter the server domain name or IP address of the TACACS+ server.
5 For Server Key, enter the key to access the TACACS+ server. The key can be a maximum of 16 characters.
6 For Authentication Type, enter one of Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order).
7 Select OK.
For further information about TACACS+ authentication, see Configuring TACACS+ servers on page 578.

To create the user group (TACACS+)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the TACACS+ server name and move it to the Members list.
6 Select OK.

To configure an administrator to authenticate with a TACACS+ server
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.

3 Enter or select the following:
    Administrator: A name that identifies the administrator.
    Type: Remote.
    User Group: The user group that includes the TACACS+ server as a member.
    Wildcard: Select to allow all accounts on the TACACS+ server to be administrators.
    Password: The password the administrator uses to authenticate. Not available if Wildcard is enabled.
    Confirm Password: The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
    Admin Profile: The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an administrator account on page 212.
5 Select OK.

Configuring PKI certificate authentication for administrators


Public Key Infrastructure (PKI) authentication uses a certificate authentication library that takes a list of peers, peer groups, and user groups and returns authentication successful or denied notifications. Users only need a valid certificate for successful authentication; no username or password is necessary.

If you want to use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. To do this you need to:
• configure a PKI administrator to be included in the user group
• create a user group.

To view the PKI user list, go to User > PKI.


Figure 113: Example PKI user list

Create New: Add a new PKI user.
Name: The name of the PKI user.
Subject: The text string that appears in the subject field of the certificate of the authenticating user.
CA: The CA certificate that is used to authenticate this user.
Delete icon: Delete this PKI user.
Edit icon: Edit this PKI user.

To configure a PKI user
1 Go to User > PKI.
2 Select Create New, or select the Edit icon beside an existing PKI user.


3 Enter the Name of the PKI user.
4 For Subject, enter the text string that appears in the subject field of the certificate of the authenticating user.
5 Select the CA certificate used to authenticate this user.
6 Select OK.

To create the user group (PKI)
1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter the Name that identifies the user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the PKI user name and move it to the Members list.
6 Select OK.

To configure an administrator to authenticate with a PKI certificate
1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:
    Administrator: A name that identifies the administrator.
    Type: PKI.
    User Group: The user group that includes the PKI user as a member.
    Admin Profile: The admin profile to apply to the administrator.
4 Configure additional features as required. For more information, see Configuring an administrator account on page 212.
5 Select OK.

Using trusted hosts


Setting trusted hosts for all of your administrators increases the security of your network by further restricting administrative access. In addition to knowing the password, an administrator must connect only through the subnet or subnets you specify. You can even restrict an administrator to a single IP address if you define only one trusted host IP address with a netmask of 255.255.255.255.

When you set trusted hosts for all administrators, the FortiGate unit does not respond to administrative access attempts from any other hosts. This provides the highest security. If you leave even one administrator unrestricted, the unit accepts administrative access attempts on any interface that has administrative access enabled, potentially exposing the unit to attempts to gain unauthorized access.

The trusted hosts you define apply both to the web-based manager and to the CLI when accessed through Telnet or SSH. CLI access through the console connector is not affected.

The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the 0.0.0.0/0.0.0.0 addresses to a non-zero address, the other 0.0.0.0/0.0.0.0 entries will be ignored. The only way to use a wildcard entry is to leave all the trusted hosts at 0.0.0.0/0.0.0.0. However, this configuration is less secure.
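The trusted-host rule described above (a 0.0.0.0/0.0.0.0 entry acts as a wildcard only while every entry is left at the default) and the account constraints from Configuring an administrator account (no <>()#"' characters in the name, a password of at least 6 characters, and no password at all for Wildcard or PKI accounts) are modelled here in an added Python example. It is not FortiGate code; the function names, the sample account dictionary and the IP addresses are constructed for illustration, so it can be run offline to check an account definition before it is entered into the unit.

```python
"""Added example (not FortiGate code): a checker for the administrator-account
rules on this page.  Everything below, including the sample account and the
source addresses, is constructed for illustration."""
import ipaddress

# Characters the page says must not appear in an administrator name (XSS risk).
FORBIDDEN_NAME_CHARS = set('<>()#"\'')
DEFAULT_TRUSTED_HOST = "0.0.0.0/0.0.0.0"
MIN_PASSWORD_LEN = 6


def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Accept 'a.b.c.d/prefix' or 'a.b.c.d/m.m.m.m', as the GUI fields do."""
    return ipaddress.IPv4Network(entry, strict=False)


def is_default_host(entry: str) -> bool:
    """True for the factory value 0.0.0.0/0.0.0.0 (or its /0 spelling)."""
    return parse_trusted_host(entry).prefixlen == 0


def admin_name_problems(name: str) -> list:
    """Return the forbidden characters found in an administrator name, sorted."""
    return sorted(c for c in set(name) if c in FORBIDDEN_NAME_CHARS)


def source_allowed(trusted_hosts: list, source_ip: str) -> bool:
    """Trusted-host rule from the page: once any entry is non-default, the
    remaining 0.0.0.0/0.0.0.0 entries are ignored; only all-default is a wildcard."""
    nets = [parse_trusted_host(h) for h in trusted_hosts]
    if all(n.prefixlen == 0 for n in nets):
        return True                               # no restriction configured
    src = ipaddress.IPv4Address(source_ip)
    return any(src in n for n in nets if n.prefixlen != 0)


def validate_account(account: dict) -> list:
    """Collect every rule the account definition breaks (empty list = clean)."""
    problems = []
    bad = admin_name_problems(account["name"])
    if bad:
        problems.append(f"name contains forbidden characters {''.join(bad)}")
    if account.get("wildcard") or account.get("type") == "PKI":
        if account.get("password"):
            problems.append("Wildcard and PKI accounts do not take a password")
    elif len(account.get("password", "")) < MIN_PASSWORD_LEN:
        problems.append("password must be at least 6 characters")
    hosts = account.get("trusted_hosts", [DEFAULT_TRUSTED_HOST] * 3)
    if all(is_default_host(h) for h in hosts):
        problems.append("no trusted host set: logins accepted from any address")
    return problems


# Constructed sample: a local administrator restricted to a management subnet
# and one jump host; the third trusted-host slot is left at its default.
SAMPLE_ACCOUNT = {
    "name": "ITAdmin",
    "type": "Regular",
    "password": "correct-horse",
    "trusted_hosts": ["10.1.1.0/255.255.255.0", "192.168.5.7/32", DEFAULT_TRUSTED_HOST],
}

if __name__ == "__main__":
    print("problems:", validate_account(SAMPLE_ACCOUNT))
    for src in ("10.1.1.44", "192.168.5.7", "192.168.5.8", "203.0.113.9"):
        print(src, "allowed" if source_allowed(SAMPLE_ACCOUNT["trusted_hosts"], src) else "blocked")
```

The last address in the sample run is the instructive one: with two real entries configured, the untouched 0.0.0.0/0.0.0.0 slot no longer admits 203.0.113.9, exactly as the text states.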


Admin profiles
Each administrator account belongs to an admin profile. The admin profile separates FortiGate features into access control categories for which an administrator with read/write access can enable none (deny), read only, or read/write access. The following table lists the web-based manager pages to which each category provides access:
Table 39: Admin profile control of access to Web-based manager pages

Access control: Affected web-based manager pages
Admin Users: System > Admin; System > Admin > Central Management; System > Admin > Settings
Antivirus Configuration: UTM > AntiVirus
Auth Users: User
Firewall Configuration: Firewall
FortiGuard Update: System > Maintenance > FortiGuard
IM, P2P & VoIP Configuration: IM, P2P & VoIP > Statistics; IM, P2P & VoIP > User > Current Users; IM, P2P & VoIP > User > User List; IM, P2P & VoIP > User > Config
IPS Configuration: UTM > Intrusion Protection
Log&Report: Log&Report
Maintenance: System > Maintenance
Network Configuration: System > Network > Interface; System > Network > Zone; System > DHCP
Router Configuration: Router
Spamfilter Configuration: UTM > AntiSpam
System Configuration: System > Status, including Session info; System > Config; System > Hostname; System > Network > Options; System > Admin > Central Management; System > Admin > Settings; System > Status > System Time
VPN Configuration: VPN
Webfilter Configuration: UTM > Web Filter

Read-only access enables the administrator to view the web-based manager page. The administrator needs write access to change the settings on the page. You can expand the firewall configuration access control to enable more granular control of access to the firewall functionality. You can control administrator access to policy, address, service, schedule, profile, and other virtual IP (VIP) configurations.
Note: When Virtual Domain Configuration is enabled (see Settings on page 228), only the administrators with the admin profile super_admin have access to global settings. Other administrator accounts are assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which settings are global, see VDOM configuration settings on page 104.


The admin profile has a similar effect on administrator access to CLI commands. The following table shows which command types are available in each Access Control category. You can access get and show commands with Read Only access. Access to config commands requires Read-Write access.
Table 40: Admin profile control of access to CLI commands

Access control: Available CLI commands
Admin Users (admingrp): system admin; system accprofile
Antivirus Configuration (avgrp): antivirus
Auth Users (authgrp): user
Firewall Configuration (fwgrp): firewall. Use the set fwgrp custom and config fwgrp-permission commands to set some firewall permissions individually. You can make selections for policy, address, service, schedule, profile, and other (VIP) configurations. For more information, see the FortiGate CLI Reference.
FortiProtect Update (updategrp): system autoupdate; execute update-av; execute update-ips; execute update-now
IPS Configuration (ipsgrp): ips
Log & Report (loggrp): alertemail; log; system fortianalyzer; execute log
Maintenance (mntgrp): execute formatlogdisk; execute restore; execute backup; execute batch; execute usb-disk
Network Configuration (netgrp): system arp-table; system dhcp; system interface; system zone; execute dhcp lease-clear; execute dhcp lease-list; execute clear system arp table; execute interface


Table 40: Admin profile control of access to CLI commands (Continued)

Router Configuration (routegrp): router; execute router; execute mrouter
Spamfilter Configuration (spamgrp): spamfilter
System Configuration (sysgrp): system, except accprofile, admin, arp-table, autoupdate, fortianalyzer, interface, and zone; execute date; execute ha; execute ping; execute ping-options; execute ping6; execute time; execute traceroute; execute cfg; execute factoryreset; execute reboot; execute shutdown; execute deploy; execute set-next-reboot; execute ssh; execute telnet; execute disconnect-admin-session; execute usb
VPN Configuration (vpngrp): vpn; execute vpn
Webfilter Configuration (webgrp): webfilter

To add admin profiles for FortiGate administrators, go to System > Admin > Admin Profile. Each administrator account belongs to an admin profile. An administrator with read/write access can create admin profiles that deny access to, allow read-only access to, or allow both read and write access to FortiGate features. When an administrator has read-only access to a feature, the administrator can access the web-based manager page for that feature but cannot make changes to the configuration. There are no Create or Apply buttons, and lists display only the View icon instead of icons for Edit, Delete or other modification commands.
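How an admin profile gates CLI commands, according to Table 40 above, as an added Python example; this is not FortiOS code. The two lookup tables are transcribed from Table 40. The longest-prefix lookup (so that "system interface" belongs to netgrp while the rest of "system" is sysgrp), the treatment of execute commands as requiring Read-Write access, and the two sample profiles are assumptions of the example, not statements from the guide.

```python
"""Added example (not FortiOS code): a model of admin-profile control over CLI
commands, built from Table 40.  get/show need Read Only on the command's
access group and config needs Read-Write, as the text states; treating
execute commands as Read-Write is an assumption of this example."""

NONE, READ, READ_WRITE = "none", "read", "read-write"

# Access group by configuration path; the longest (most specific) prefix wins,
# which reproduces the "system except ..." rule for sysgrp.
COMMAND_GROUPS = {
    "system admin": "admingrp", "system accprofile": "admingrp",
    "antivirus": "avgrp",
    "user": "authgrp",
    "firewall": "fwgrp",
    "system autoupdate": "updategrp",
    "ips": "ipsgrp",
    "alertemail": "loggrp", "log": "loggrp", "system fortianalyzer": "loggrp",
    "system arp-table": "netgrp", "system dhcp": "netgrp",
    "system interface": "netgrp", "system zone": "netgrp",
    "router": "routegrp",
    "spamfilter": "spamgrp",
    "system": "sysgrp",
    "vpn": "vpngrp",
    "webfilter": "webgrp",
}

# Access group for execute commands, keyed on the word after "execute".
EXECUTE_GROUPS = {
    "update-av": "updategrp", "update-ips": "updategrp", "update-now": "updategrp",
    "log": "loggrp",
    "formatlogdisk": "mntgrp", "restore": "mntgrp", "backup": "mntgrp",
    "batch": "mntgrp", "usb-disk": "mntgrp",
    "dhcp": "netgrp", "clear": "netgrp", "interface": "netgrp",
    "router": "routegrp", "mrouter": "routegrp",
    "date": "sysgrp", "ha": "sysgrp", "ping": "sysgrp", "ping-options": "sysgrp",
    "ping6": "sysgrp", "time": "sysgrp", "traceroute": "sysgrp", "cfg": "sysgrp",
    "factoryreset": "sysgrp", "reboot": "sysgrp", "shutdown": "sysgrp",
    "deploy": "sysgrp", "set-next-reboot": "sysgrp", "ssh": "sysgrp",
    "telnet": "sysgrp", "disconnect-admin-session": "sysgrp", "usb": "sysgrp",
    "vpn": "vpngrp",
}


def group_for(command: str) -> str:
    """Map a CLI command line to its access-control group, or '' if unknown."""
    words = command.split()
    if not words:
        return ""
    if words[0] == "execute":
        return EXECUTE_GROUPS.get(words[1], "") if len(words) > 1 else ""
    path = words[1:] if words[0] in ("get", "show", "config") else words
    for n in range(len(path), 0, -1):          # longest prefix first
        group = COMMAND_GROUPS.get(" ".join(path[:n]))
        if group:
            return group
    return ""


def required_level(command: str) -> str:
    """get/show are read operations; config (and, by assumption, execute) change state."""
    verb = command.split()[0]
    return READ if verb in ("get", "show") else READ_WRITE


def permitted(profile: dict, command: str) -> bool:
    """True when the profile grants at least the level the command needs.
    A profile is a dict of access group -> NONE / READ / READ_WRITE; groups
    not listed are treated as NONE, and unknown commands are denied."""
    group = group_for(command)
    if not group:
        return False
    granted = profile.get(group, NONE)
    if granted == READ_WRITE:
        return True
    return granted == READ and required_level(command) == READ


# Constructed sample profiles: a read-only NOC profile and a network operator
# who may change interfaces and zones but not administrator accounts.
NOC_READONLY = {g: READ for g in ("sysgrp", "netgrp", "loggrp", "routegrp")}
NET_OPERATOR = {"netgrp": READ_WRITE, "sysgrp": READ, "loggrp": READ}

if __name__ == "__main__":
    for cmd in ("show system interface", "config system interface",
                "config system admin", "config system global", "execute ping"):
        print(f"{cmd:28} noc={permitted(NOC_READONLY, cmd)!s:5} netops={permitted(NET_OPERATOR, cmd)}")
```

The check worth noticing is "config system admin": netgrp Read-Write does not reach it, because administrator accounts sit in admingrp, so a network operator cannot create a new administrator for himself or herself without a profile that grants Admin Users write access.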

Viewing the admin profiles list


You need to use the admin account or an account with Admin Users read/write access to create or edit admin profiles. To view the admin profiles list, go to System > Admin > Admin Profile.
Figure 114: Admin profile list


Create New: Add a new admin profile.
Profile Name: The name of the admin profile.
Delete icon: Select to delete the admin profile. You cannot delete an admin profile that has administrators assigned to it.
Edit icon: Select to modify the admin profile.

Configuring an admin profile


You need to use the admin account or an account with Admin Users read/write access to edit an admin profile. To configure an admin profile, go to System > Admin > Admin Profile. Select Create New or select the Edit icon beside an existing profile. Enter or select the following, and select OK.
Figure 115: Admin profile options

Profile Name: Enter the name of the admin profile.
Access Control: List of the items that can customize access control settings if configured.


    None: Deny access to all Access Control categories.
    Read Only: Enable Read access in all Access Control categories.
    Read-Write: Select to allow read/write access in all Access Control categories.
    Access Control (categories): Make specific control selections as required. For detailed information about the Access Control categories, see Admin profiles on page 222.
GUI Control: Select Standard to use the default FortiGate web-based manager. Select Customize to create a custom web-based manager configuration for the administrators who log in with this admin profile. For more information, see Customizable web-based manager on page 231.

Central Management
The Central Management tab provides the option of remotely managing your FortiGate unit by either a FortiManager unit or the FortiGuard Analysis and Management Service. From System > Admin > Central Management, you can configure your FortiGate unit to back up or restore configuration settings automatically to the specified central management server. The central management server is the type of service you enable, either a FortiManager unit or the FortiGuard Analysis and Management Service. If you have a subscription for FortiGuard Analysis and Management Service, you can also remotely upgrade the firmware on the FortiGate unit.
Figure 116: Central Management using FortiManager

Figure 117: Central Management using the FortiGuard Analysis and Management Service


Enable Central Management: Enables the Central Management feature on the FortiGate unit.
Type: Select the type of central management for this FortiGate unit. You can select FortiManager or the FortiGuard Analysis and Management Service.
FortiManager: Select to use FortiManager as the central management service for the FortiGate unit. Enter the IP address or name of the FortiManager unit in the IP/Name field. If your organization is operating a FortiManager cluster, add the IP address or name of the primary FortiManager unit to the IP/Name field and add the IP address or name of the backup FortiManager units to the Trusted FortiManager list. Status indicates whether or not the FortiGate unit can communicate with the FortiManager unit added to the IP/Name field. Select Register to include the FortiManager unit in the Trusted FortiManager List. A red arrow-down indicates that there is no connection enabled; a green arrow-up indicates that there is a connection. A yellow caution symbol appears when your FortiGate unit is considered an unregistered device by the FortiManager unit.
FortiGuard Analysis and Management Service: Select to use the FortiGuard Analysis and Management Service as the central management service for the FortiGate unit. Enter the Account ID in the Account ID field. If you do not have an account ID, register for the FortiGuard Analysis and Management Service on the FortiGuard Analysis and Management Service website. Select Change to go directly to System > Maintenance > FortiGuard. Under Analysis and Management Service Options, enter the account ID in the Account ID field.

When you configure your FortiGate unit to connect to and communicate with a FortiManager unit, the steps depend on which of two deployment scenarios applies.

FortiGate is directly reachable from FortiManager:
1 In the FortiManager GUI, add the FortiGate unit to the FortiManager database in the Device Manager module.
2 Change the FortiManager IP address.
3 Change the FortiGate IP address.

FortiGate behind NAT:
1 In System > Admin > Central Management, choose FortiManager.
2 Add the FortiManager unit to the Trusted FortiManager List, if applicable.
3 Change the FortiManager IP address.
4 Change the FortiGate IP address.
5 Contact the FortiManager administrator to verify that the FortiGate unit displays in the Device list in the Device Manager module.

Revision control
The Revision Control tab displays a list of the backed up configuration files. The list displays only when your FortiGate unit is managed by a central management server. For more information, see Managing configuration revisions on page 261.

Settings
The Settings tab includes the following features that you can configure:
- ports for HTTP/HTTPS administrative access and SSL VPN login
- the idle timeout setting
- settings for the language of the web-based manager and the number of lines displayed in generated reports
- PIN protection for LCD and control buttons (LCD-equipped models only)
- SCP capability for users logged in via SSH
- IPv6 support on the web-based manager.

To configure settings, go to System > Admin > Settings, enter or select the following and select OK.
Figure 118: Administrators Settings

Web Administration Ports

HTTP: TCP port to be used for administrative HTTP access. The default is 80.

HTTPS: TCP port to be used for administrative HTTPS access. The default is 443.

SSLVPN Login Port: An alternative HTTPS port number for remote client web browsers to connect to the FortiGate unit. The default port number is 10443.

Telnet Port: TCP port to be used for administrative telnet access. The default is 23.

SSH Port: TCP port to be used for administrative SSH access. The default is 22.

Enable SSH v1 compatibility: Enable compatibility with SSH v1 in addition to v2. (Optional)

Timeout Settings

Idle Timeout: The number of minutes that an administrative connection can be idle before the administrator must log in again. The maximum is 480 minutes (8 hours). To improve security, keep the idle timeout at the default value of 5 minutes.

Display Settings

Language: The language the web-based manager uses. Choose from English, Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese or French. You should select the language that the management computer operating system uses.

Lines per Page: Number of lines per page to display in table lists. The default is 50. Range is from 20 to 1000.

IPv6 Support on GUI: Enable to configure IPv6 options from the GUI (Firewall policy, route, address and address group). Default allows configuration from CLI only. Note: IPv6 is not supported in Transparent mode.

LCD Panel (LCD-equipped models only)

PIN Protection: Select and enter a 6-digit PIN. Administrators must enter the PIN to use the control buttons and LCD.

Enable SCP: Enable users logged in through SSH to use SCP to copy the configuration file.

Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that the port number is unique.

Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under System Information, you will see Current Administrators. Select Details to view information about the administrators currently logged in to the FortiGate unit.
Figure 119: System Information displaying current administrators

Figure 120: Detailed view of Administrators logged in monitor window

Disconnect: Select to disconnect the selected administrators. This is available only if your admin profile gives you System Configuration write permission.

Refresh: Select to update the list.

Close: Select to close the window.

To log off an individual administrator, select that administrator and then select Disconnect. This is available only if your admin profile gives you System Configuration write access. You cannot log off the default admin user.

User Name: The administrator account name.

Type: The type of access: http, https, jsconsole, sshv2.

From: If Type is jsconsole, the value in From is N/A. Otherwise, From contains the administrator's IP address.

Time: The date and time that the administrator logged on.

FortiGate IPv6 support


IPv6 is version 6 of the Internet Protocol. It can provide billions more unique IP addresses than the previous standard, IPv4. The internet is currently in transition from IPv4 to IPv6 addressing. IPv6 hosts and routers maintain interoperability with the existing IPv4 infrastructure in two ways:
- implementing dual IP layers to support both IPv6 and IPv4
- using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers to carry them over IPv4 infrastructure.

FortiGate units are dual IP layer IPv6/IPv4 nodes. They support IPv6 over IPv4 tunneling, routing, firewall policies and IPSec VPN. You can assign both an IPv4 and an IPv6 address to any interface on a FortiGate unit; the interface then functions as two interfaces, one for IPv4-addressed packets and another for IPv6-addressed packets. For more information, see the FortiGate IPv6 Support Technical Note available from the Fortinet Knowledge Center. Before you can work with IPv6 on the web-based manager, you must enable IPv6 support.

Note: IPv6 is not supported in Transparent mode.

To enable IPv6 support, go to System > Admin > Settings, then under Display Settings, select IPv6 Support on GUI. After you enable IPv6 support in the web-based manager, you can:
- create IPv6 static routes (see Router Static)
- monitor IPv6 routes (see Router Monitor)
- create IPv6 firewall addresses (see Firewall Address)
- create IPv6 firewall address groups (see Firewall Address)
- create IPv6 firewall policies (see Firewall Policy)
- create VPNs that use IPv6 addressing (see IPSec VPN)

Once IPv6 support is enabled, you can configure the IPv6 options using the web-based manager or the CLI. See the FortiGate CLI Reference for information on configuring IPv6 support using the CLI.

Customizable web-based manager


In addition to configuring administrators with varying levels of access to different parts of the FortiGate unit configuration, you can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. In standard operation mode, the display is static. Customizing the display allows you to vary or limit the GUI layout to fulfill different administrator roles. There are also several configuration widgets which you can enable for CLI-only options that are not displayed by default. Only administrators with the super_admin admin profile may create and edit GUI layouts. The customized GUI layouts are stored as part of the administrator admin profile. New admin profiles are based on the default layout. The FortiGate default layout cannot be modified.

Terms used in this section include:
- Dialog box: HTML-layer pop-up window. Displayed via HTML with grayed-out background (see Figure 124).
- GUI layout: web-based manager layout configured for a specific Admin Profile (see Figure 135).
- Page layout: arrangement of widgets on a screen of the web-based manager (see Figure 132).
- Tier 1 menu item: top-level menu item in web-based manager layout (see To create Tier-1 and Tier-2 menu items on page 235).
- Tier 2 menu item: submenu item in web-based manager layout (see To create Tier-1 and Tier-2 menu items on page 235).
Tip: Increase the timeout settings before creating or editing a GUI layout. See Settings on page 228.

GUI layout customization example


The following example illustrates the basic steps to customize the display. The example assumes that you are an administrator with a super_admin profile performing the customization. The super_admin will create a profile called Report Profile for a regular admin user. This admin profile will allow the regular admin user read-only access to logs and reports produced by the FortiGate unit, and also prevent him or her from viewing other FortiGate features. Before customizing the GUI layout, you need to configure the admin profile. To configure the profile, go to System > Admin > Admin Profile and select Create New.

Figure 121: Admin profile dialog box (default settings)

Note: The current administrator Access Control settings apply only to the fixed components of the layout (default), not to the customized items. If you want to create a completely customized layout profile, you must set access for all fixed components to None and also set all the standard menu items to Hide from within the GUI layout dialog box (see Figure 124).

The following configuration will set up read-only administrative access to Log&Report items for the Report Profile profile, and prevent access to the default layout.

Figure 122: Admin Profile dialog box - Log & Report access (callouts: Access denied to other layout items; Read-only access selected for Log & Report; Standard GUI Control Menu Layout selection)

To configure the admin profile
1 Enter the name Report Profile (see Figure 122).
2 To prevent access to the default layout items, set Access Control to None for all items except Log & Report.
3 Under GUI Control > Menu Layout, select Standard.
4 Select OK to save the settings. The admin profiles list reappears.
5 From the list, select the Edit icon beside Report Profile.
6 Under GUI Control > Menu Layout, select Customize, and then select OK (see Figure 123 and Figure 124).

Figure 123: Selection of Customize GUI Control option for Report Profile (callout: Select Customize to access the layout dialog box)

Figure 124: Customize GUI layout dialog box for Report Profile (callouts: Customization drop-down menu icon; Edit Layout; Add Content; Show Preview; Customization drop-down menu; Save layout; Cancel layout changes; Layout preview icon; Create new Tier-1 menu item; Reset menu to default layout configuration)

In the GUI layout dialog box, select the customization drop-down menu icon beside System and select hide (see Figure 124). Repeat for each menu item except Log&Report.

To start the configuration of customized menu items, select the Create New (Tier-1 menu item) icon in the FortiGate menu. You will need to:
- configure Tier-1 and Tier-2 menu items
- add tabs to each of these items as required
- add content to the page layout.

To create Tier-1 and Tier-2 menu items
1 Select the Create New Tier-1 icon. The first Tier-1 menu item with the default name custom menu will appear, with an additional Create New Tier-1 icon below it (1).
2 Select and rename the default name to Custom Log Report (2).
3 Press Enter to save your change. The Create New Tier-2 icon will appear, with the default name custom menu.
4 Select the Create New Tier-2 icon (3).
5 The first Tier-2 menu item with the default name custom menu will appear, with an additional Create New Tier-2 icon below it (4).
6 Select and rename the default name to Custom Log Menu1 (5).
7 Press Enter to save your change.
8 Repeat steps 4 to 7 to create a second Tier-2 menu item called Custom Log Menu2 (5) and (6).

Figure 125: Creating Tier-1 and Tier-2 menu items in FortiGate menu (callouts: 1, 2 Creation of new Tier-1 menu item Custom Log Report; 3 Creation of new Tier-2 menu item Custom Log Menu1; 5 Creation of new Tier-2 menu item Custom Log Menu2)

After you create Tier-1 and Tier-2 menu items, you need to create the subset of tab items across the page layout. The Create New tab icon is not available until you have created the Tier-1 and Tier-2 menu items.

To create a new tab
1 Select the Create New tab item icon (see Figure 5). A tab is created with the default name custom menu, and an additional Create New icon appears beside it.
2 Select and rename the default name to Custom Log Report Tab1 (see Figure 127).
3 Press Enter to save your change.
4 Repeat steps 1 to 3 to create a second tab called Custom Log Report Tab2.
5 To save your customized layout, select Save in the GUI layout dialog box (see Figure 124).
Figure 126: Create New tab (callout: Create New tab item icon)

Figure 127: Creating tabs in page layout (callouts: Creation of tab Custom Log Report Tab1; Creation of tab Custom Log Report Tab2)

To modify the configuration of the current page
1 Select the required tab, then select Edit Layout. The Edit this tab dialog box appears (see Figure 128). You may configure the page layout to display only one widget (Full page), a page layout with one column that displays up to 8 widgets (1 column), or a page layout with two columns (2 columns) that displays up to 8 widgets.
2 For the Custom Log Report Tab1, select 2 columns.
3 To save your modified configuration, select Save in the Edit this tab dialog box.

Figure 128: Edit this tab dialog box

To add content to the page layout, select Add Content (see Figure 124). The Add content to the Custom Log Report Tab1 dialog box appears (see Figure 129).
Figure 129: Add content dialog box (callout: Search text box)

The Add content dialog box includes a search feature that you can use to find widgets. This search employs a real-time filtering mechanism with a "contains" type search on the widget names. For example, if you search on "use", you will be shown User Group, IM User Monitor, Firewall User Monitor, Banned User, and Top Viruses (see Figure 130).

Figure 130: Search mechanism - results for "use" (callouts: Search on "use"; Search results)

For Custom Log Report Tab1, select the Log&Report category. All the items related to the Log&Report menu item are listed (see Figure 131). Select Add next to an item that you want to include in the tab. The item is placed in the page layout behind the Custom Log Report Tab1 dialog box. You will see the configured layout when you close the Add content to the Custom Log Report Tab1 dialog box. The maximum number of items that can be placed in a page layout is 8. For the Custom Log Report Tab1, select the following items for inclusion in the layout:
- Alert E-mail
- Schedule

Close the Edit Layout dialog box.


Figure 131: Log&Report category selection for Custom Log Report Tab1

Figure 132: Custom Log Report Tab1 page layout preview

For the Custom Log Report Tab2, select the following items for inclusion in the layout:
- Event Log
- Log Setting

Figure 133: Log&Report category selection for Custom Log Report Tab2

Figure 134: Custom Log Report Tab2 page layout preview

To preview a customized layout in the custom GUI layout dialog box, select Show Preview (see Figure 135). When you have completed the configuration selections for the page layout, select Save to close the custom GUI layout dialog box (see Figure 135). To abandon the configuration, select Reset menus (see Figure 135). To exit the GUI layout dialog box without saving your changes, select Cancel (see Figure 135).

Figure 135: Report Profile customized GUI layout dialog box - complete (callouts: Cancel; Show Preview; Save; Reset menus)

When you complete the customization, close the dialog box to return to the Admin Profile dialog box in which you configured the custom GUI. To save the configuration, select OK to close the Admin Profile dialog box (see Figure 121). To view the web-based manager configuration created in Report Profile, you must log out of the FortiGate unit, then log back in using the name and password of an administrator assigned the Report Profile administrative profile. The FortiGate web-based manager reflects the customized configuration of Report Profile (see Figure 136).
Figure 136: Customized FortiGate web-based manager page

System Certificates
This section explains how to manage X.509 security certificates using the FortiGate web-based manager. Certificate authentication allows administrators to generate certificate requests, install signed certificates, import CA root certificates and certificate revocation lists, and back up and restore installed certificates and private keys. Authentication is the process of determining if a remote host can be trusted with access to network resources. To establish its trustworthiness, the remote host must provide an acceptable authentication certificate by obtaining a certificate from a certification authority (CA). The FortiGate unit can then use certificate authentication to reject or allow administrative access via HTTPS, and to authenticate IPSec VPN peers or clients, as well as SSL VPN user groups or clients. If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are configured globally for the entire FortiGate unit. For details, see Using virtual domains on page 103. There are several certificates on the FortiGate unit that have been automatically generated:

Table 41: Automatically generated FortiGate certificates

Fortinet_Firmware: Embedded inside the firmware. Signed by Fortinet_CA. Same on all FortiGate units. Used so FortiGate units without Fortinet_Factory2 certificates have a built-in certificate signed by a FortiGate CA. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local.

Fortinet_Factory: Embedded inside BIOS. Signed by Fortinet_CA. Unique to each FortiGate unit. Used for FortiGate/FortiManager tunnel, HTTPS administrative access if Fortinet_Factory2 is not available. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local.

Fortinet_Factory2: Embedded inside BIOS. Signed by Fortinet_CA2. Unique to each FortiGate unit. Used for FortiGate/FortiManager tunnel and HTTPS administrative access. Listed under Certificates > Local, or in FortiGate CLI under vpn certificate local. Found only on units shipped at the end of 2008 onward.

Fortinet_CA: Embedded inside firmware and BIOS. Fortinet's CA certificate. Used to verify certificates that claim to be signed by Fortinet, for example with a FortiGate/FortiManager tunnel or an SSL connection to a FortiGuard server. Listed under Certificates > CA, or in FortiGate CLI under vpn certificate ca or vpn certificate ocsp.

Fortinet_CA2: Embedded inside BIOS. Fortinet's CA certificate. Will eventually replace Fortinet_CA, as Fortinet_CA will expire in 2020. Listed under Certificates > CA, or in FortiGate CLI under vpn certificate ca or vpn certificate ocsp. Found only on units shipped at the end of 2008 onward.

System administrators can use these certificates wherever they may be required, for example, with SSL VPN, IPSec, LDAP, and PKI. For additional background information on certificates, see the FortiGate Certificate Management User Guide.

This section describes:
- Local Certificates
- Remote Certificates
- CA Certificates
- CRL

Local Certificates
Certificate requests and installed server certificates are displayed in the Local Certificates list. After you submit the request to a CA, the CA will verify the information and register the contact information on a digital certificate that contains a serial number, an expiration date, and the public key of the CA. The CA will then sign the certificate and send it to you to install on the FortiGate unit. To view certificate requests and/or import signed server certificates, go to System > Certificates > Local Certificates. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.
Figure 137: Local Certificates list (callouts: Download; View Certificate Detail; Delete)

Generate: Generate a local certificate request. For more information, see Generating a certificate request on page 245.

Import: Import a signed local certificate. For more information, see Importing a signed server certificate on page 247.

Name: The names of existing local certificates and pending certificate requests.

Subject: The Distinguished Names (DNs) of local signed certificates.

Comments: A description of the certificate.

Status: The status of the local certificate. PENDING designates a certificate request that needs to be downloaded and signed.

View Certificate Detail icon: Display certificate details such as the certificate name, issuer, subject, and valid certificate dates.

Delete icon: Delete the selected certificate request or installed server certificate from the FortiGate configuration.

Download icon: Save a copy of the certificate request to a local computer. You can send the request to your CA to obtain a signed server certificate for the FortiGate unit (SCEP-based certificates only). This is available only if the certificate has PENDING status.

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Generating a certificate request


The FortiGate unit generates a certificate request based on the information you enter to identify the FortiGate unit. Generated requests are displayed in the Local Certificates list with a status of PENDING. After you generate a certificate request, you can download the request to a computer that has management access to the FortiGate unit and then forward the request to a CA. To fill out a certificate request, go to System > Certificates > Local Certificates, select Generate, and complete the fields in the table below. To download and send the certificate request to a CA, see Downloading and submitting a certificate request on page 246.
Figure 138: Generate Certificate Signing Request (callout: Remove/Add OU)

Certification Name: Enter a certificate name. Typically, this would be the name of the FortiGate unit. To enable the export of a signed certificate as a PKCS12 file later on if required, do not include spaces in the name.

Subject Information: Enter the information needed to identify the FortiGate unit.

Host IP: If the FortiGate unit has a static IP address, select Host IP and enter the public IP address of the FortiGate unit. If the FortiGate unit does not have a public IP address, use an email address (or domain name if available) instead. If the FortiGate unit has a static IP address and subscribes to a dynamic DNS service, use a domain name if available to identify the FortiGate unit.

Domain Name: If you select Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not include the protocol specification (http://) or any port number or path names. If a domain name is not available and the FortiGate unit subscribes to a dynamic DNS service, an "unable to verify certificate" message may be displayed in the user's browser whenever the public IP address of the FortiGate unit changes.

E-Mail: If you select E-mail, enter the email address of the owner of the FortiGate unit.

Optional Information: Complete as described or leave blank.

Organization Unit: Enter the name of your department or departments. You can enter a maximum of 5 Organization Units. To add or remove a unit, use the plus (+) or minus (-) icon.

Organization: Enter the legal name of your company or organization.

Locality (City): Enter the name of the city or town where the FortiGate unit is installed.

State/Province: Enter the name of the state or province where the FortiGate unit is installed.

Country: Select the country where the FortiGate unit is installed.

e-mail: Enter the contact email address.

Key Type: Only RSA is supported.

Key Size: Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate but they provide better security.

Enrollment Method: Select one of the following methods:

File Based: Select to generate the certificate request.

Online SCEP: Select to obtain a signed SCEP-based certificate automatically over the network. CA Server URL: Enter the URL of the SCEP server from which to retrieve the CA certificate. Challenge Password: Enter the CA server challenge password.
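The Generate Certificate Signing Request form takes the same subject fields that OpenSSL accepts on the command line. As an added example, not taken from this guide and not FortiGate code, the following POSIX shell functions build an equivalent RSA 2048 request on the management computer, report the key size and common name recorded in the request, verify the request's own signature before it is uploaded to the CA, and apply the page's rule that a Domain Name must be a bare FQDN with no protocol specification, port number or path. It assumes the openssl command is installed; fgt.example.com, the organization fields, the Ottawa/Ontario/CA locality values and admin@example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the FortiGate guide: build a certificate request on the
# management computer with OpenSSL, using the subject fields the Generate Certificate
# Signing Request form asks for. Requires the openssl command. All names, addresses
# and organization values below are constructed placeholders.
set -eu

# check_fqdn NAME
# Succeeds only when NAME is a bare host name: no scheme (http://), port, path or
# spaces, which is what the Domain Name field requires.
check_fqdn() {
    case "$1" in
        ''|*://*|*/*|*:*|*' '*) return 1 ;;
    esac
    return 0
}

# gen_csr DIR FQDN
# Writes DIR/fgt.key (RSA 2048; the private key stays on the management computer)
# and DIR/fgt.csr (PEM), then prints the CSR path. The subject mirrors the form:
# CN, up to five OU values, O, L, ST, C and the contact email address.
gen_csr() {
    dir=$1
    fqdn=$2
    check_fqdn "$fqdn" || { echo "refusing CN '$fqdn': use a bare FQDN" >&2; return 1; }
    subj="/CN=$fqdn/OU=Network/OU=Security/O=Example Corp/L=Ottawa/ST=Ontario/C=CA"
    subj="$subj/emailAddress=admin@example.com"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$dir/fgt.key" -out "$dir/fgt.csr" 2>/dev/null
    chmod 600 "$dir/fgt.key"
    printf '%s\n' "$dir/fgt.csr"
}

# csr_key_bits CSR: prints the RSA modulus size recorded in the request (e.g. 2048).
csr_key_bits() {
    openssl req -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_cn CSR: prints the common name from the request subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_selfsig CSR: prints "ok" when the request's own signature verifies, i.e. the
# file was not altered between generation and submission to the CA, else "bad".
csr_selfsig() {
    if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
}

# csr_to_der CSR OUT: converts the PEM request to DER, the other encoding CAs accept.
csr_to_der() {
    openssl req -in "$1" -outform DER -out "$2"
}

# Demonstration run in a scratch directory.
work=$(mktemp -d)
req=$(gen_csr "$work" fgt.example.com)
echo "request: $req"
echo "key bits: $(csr_key_bits "$req"), CN: $(csr_cn "$req"), signature: $(csr_selfsig "$req")"
csr_to_der "$req" "$work/fgt.der"
```

The key file is created with mode 600 and is never part of what is sent to the CA; only the .csr (PEM or DER) is uploaded, which matches the guide's download-and-submit procedure.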

Downloading and submitting a certificate request


You have to fill out a certificate request and generate the request before you can submit the results to a CA. For more information, see Generating a certificate request on page 245.

To download and submit a certificate request
1 Go to System > Certificates > Local Certificates.
2 In the Local Certificates list, select the Download icon in the row that corresponds to the generated certificate request.
3 In the File Download dialog box, select Save to Disk.
4 Name the file and save it to the local file system.
5 Submit the request to your CA as follows: Using the web browser on the management computer, browse to the CA web site. Follow the CA instructions to place a base-64 encoded PKCS#12 certificate request and upload your certificate request. Follow the CA instructions to download their root certificate and Certificate Revocation List (CRL), and then install the root certificate and CRL on each remote client (refer to the browser documentation).
6 When you receive the signed certificate from the CA, install the certificate on the FortiGate unit. See Importing a signed server certificate on page 247.

Importing a signed server certificate


Your CA will provide you with a signed server certificate to install on the FortiGate unit. When you receive the signed certificate from the CA, save the certificate on a computer that has management access to the FortiGate unit. To install the signed server certificate, go to System > Certificates > Local Certificates and select Import. The certificate file can be in either PEM or DER format. The other dialog boxes are for importing previously exported certificates and private keys.
Figure 139: Upload Local Certificate

Certificate File: Enter the full path to and file name of the signed server certificate.

Browse: Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

Importing an exported server certificate and private key


The file is associated with a password, which you will need to know in order to import the file. Before you begin, save a copy of the file on a computer that has management access to the FortiGate unit. For more information, see the FortiGate Certificate Management User Guide. To import the PKCS12 file, go to System > Certificates > Local Certificates and select Import.
Figure 140: Upload PKCS12 Certificate

Certificate with key file: Enter the full path to and file name of the previously exported PKCS12 file.

Browse: Alternatively, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.

Password: Type the password needed to upload the PKCS12 file.
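A PKCS12 file bundles the server certificate and its private key under one password, and the note that closes the local certificate import procedures says the certificate file must not use 40-bit RC2-CBC encryption. As an added example, not taken from this guide and not FortiGate code, the following POSIX shell functions build such a bundle with OpenSSL on the management computer using PBES2 with AES-256-CBC for both the certificate bag and the key bag and an SHA-256 integrity MAC, then inspect a bundle to report the algorithms it actually uses, so that a legacy RC2-40 export can be rejected before it is uploaded. It assumes the openssl command is installed; the self-signed test certificate, its subject and the password are constructed placeholders standing in for the CA-signed certificate and a real export password.

```shell
#!/bin/sh
# Added example, not part of the FortiGate guide: export a certificate and key as a
# PKCS12 bundle with modern encryption, and inspect a bundle before importing it.
# Requires the openssl command. The certificate, subject and password are constructed.
set -eu

# make_test_cert DIR: constructed self-signed server certificate and key standing in
# for the CA-signed certificate. Creates DIR/cert.pem and DIR/key.pem.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=fgt.example.com/O=Example Corp" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    chmod 600 "$1/key.pem"
}

# export_p12 DIR PASSWORD: writes DIR/fgt.p12. Both the certificate bag and the
# shrouded key bag use PBES2/AES-256-CBC and the integrity MAC uses SHA-256, instead
# of the pbeWithSHA1And40BitRC2-CBC certificate encryption older OpenSSL defaults to.
export_p12() {
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" -name fgt-server \
        -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
        -out "$1/fgt.p12" -passout "pass:$2"
}

# p12_algorithms FILE PASSWORD: prints one line per encrypted bag with its algorithm,
# plus the MAC line, as reported by openssl pkcs12 -info (written to stderr).
p12_algorithms() {
    openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout 2>&1 \
        | grep -E 'Encrypted data|Keybag|^MAC'
}

# p12_is_acceptable FILE PASSWORD: succeeds when no bag uses RC2 or RC4 and at least
# one AES-encrypted bag is present; fails for legacy 40-bit RC2 bundles.
p12_is_acceptable() {
    algs=$(p12_algorithms "$1" "$2")
    if printf '%s\n' "$algs" | grep -qE 'RC2|RC4'; then
        return 1
    fi
    printf '%s\n' "$algs" | grep -q 'AES'
}

# cert_fingerprint PEM: SHA-256 fingerprint of a certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# p12_cert_fingerprint FILE PASSWORD: fingerprint of the certificate inside the
# bundle, so the administrator can confirm it carries the expected certificate.
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Demonstration run in a scratch directory.
work=$(mktemp -d)
pw='constructed-example-password'
make_test_cert "$work"
export_p12 "$work" "$pw"
p12_algorithms "$work/fgt.p12" "$pw"
if p12_is_acceptable "$work/fgt.p12" "$pw"; then
    echo "bundle uses acceptable encryption"
fi
echo "certificate in bundle: $(p12_cert_fingerprint "$work/fgt.p12" "$pw")"
echo "certificate on disk:   $(cert_fingerprint "$work/cert.pem")"
```

Running p12_algorithms against a bundle produced by an older tool shows pbeWithSHA1And40BitRC2-CBC on the "PKCS7 Encrypted data" line; p12_is_acceptable returns non-zero for such a file, which is the check to run before uploading it through Upload PKCS12 Certificate.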

Importing separate server certificate and private key files


You need to use the Upload Certificate dialog box to import a server certificate and the associated private key file when the server certificate request and private key were not generated by the FortiGate unit. The two files to import must be available on the management computer.
Figure 141: Upload Certificate

Certificate file: Enter the full path to and file name of the previously exported certificate file.

Browse: Alternatively, browse to the location of the previously exported certificate file, select the file, and then select OK.

Key file: Enter the full path to and file name of the previously exported key file.

Browse: Alternatively, browse to the location of the previously exported key file, select the file, and then select OK.

Password: If a password is required to upload and open the files, type the password.

Note: The certificate file must not use 40-bit RC2-CBC encryption.

Remote Certificates

For dynamic certificate revocation, you need to use an Online Certificate Status Protocol (OCSP) server. Remote certificates are public certificates without a private key. The OCSP is configured in the CLI only. For more information, see the FortiGate CLI Reference. Installed Remote (OCSP) certificates are displayed in the Remote Certificates list. To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to System > Certificates > Remote. To view certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Note: There is one OCSP per VDOM.

Figure 142: Remote certificate list

Import: Import a public OCSP certificate. See Importing CA certificates on page 250.

Name: The names of existing Remote (OCSP) certificates. The FortiGate unit assigns unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on) to the Remote (OCSP) certificates when they are imported.

Subject: Information about the Remote (OCSP) certificate.

Delete icon: Delete a Remote (OCSP) certificate from the FortiGate configuration.

View Certificate Detail icon: Display certificate details.

Download icon: Save a copy of the Remote (OCSP) certificate to a local computer.

Importing Remote (OCSP) certificates

To import a Remote (OCSP) certificate, go to System > Certificates > Remote and select Import.

Figure 143: Upload Remote Certificate

Local PC: Enter the location on the management PC of the public certificate to upload.
Browse: Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

The system assigns a unique name to each Remote (OCSP) certificate. The names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so on).

CA Certificates
When you apply for a signed personal or group certificate to install on remote clients, you must obtain the corresponding root certificate and CRL from the issuing CA. When you receive the certificate, install it on the remote clients according to the browser documentation. Install the corresponding root certificate and CRL from the issuing CA on the FortiGate unit. Installed CA certificates are displayed in the CA Certificates list. You cannot delete the Fortinet_CA certificate. To view installed CA root certificates or import a CA root certificate, go to System > Certificates > CA Certificates. To view root certificate details, select the View Certificate Detail icon in the row that corresponds to the certificate.

Figure 144: CA Certificates list

Import: Import a CA root certificate. See Importing CA certificates on page 250.
Name: The names of existing CA root certificates. The FortiGate unit assigns unique names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA certificates when they are imported.
Subject: Information about the issuing CA.
Delete icon: Delete a CA root certificate from the FortiGate configuration.
View Certificate Detail icon: Display certificate details.
Download icon: Save a copy of the CA root certificate to a local computer.

For detailed information and step-by-step procedures related to obtaining and installing digital certificates, see the FortiGate Certificate Management User Guide.

Importing CA certificates

After you download the root certificate of the CA, save the certificate on a PC that has management access to the FortiGate unit. To import a CA root certificate, go to System > Certificates > CA Certificates and select Import.

Figure 145: Import CA Certificate

SCEP: Select to use an SCEP server to access the CA certificate for user authentication. Enter the URL of the SCEP server from which to retrieve the CA certificate. Optionally, enter identifying information about the CA, such as the file name. Select OK.
Local PC: Select to use a local administrator's PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

If you choose SCEP, the system starts the retrieval process as soon as you select OK. The system assigns a unique name to each CA certificate. The names are numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

CRL
A Certificate Revocation List (CRL) is a list of CA certificate subscribers paired with certificate status information. Installed CRLs are displayed in the CRL list. The FortiGate unit uses CRLs to ensure that the certificates belonging to CAs and remote clients are valid. To view installed CRLs, go to System > Certificates > CRL.
Figure 146: Certificate revocation list

Import: Import a CRL. For more information, see Importing a certificate revocation list on page 251.
Name: The names of existing certificate revocation lists. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.
Subject: Information about the certificate revocation lists.
Delete icon: Delete the selected CRL from the FortiGate configuration.
View Certificate Detail icon: Display CRL details such as the issuer name and CRL update dates.
Download icon: Save a copy of the CRL to a local computer.

Importing a certificate revocation list


Certificate revocation lists from CA web sites must be kept updated on a regular basis to ensure that clients having revoked certificates cannot establish a connection with the FortiGate unit. After you download a CRL from the CA web site, save the CRL on a computer that has management access to the FortiGate unit.
Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest version of the CRL is retrieved automatically from the server when the FortiGate unit does not have a copy of it or when the current copy expires.

To import a certificate revocation list, go to System > Certificates > CRL and select Import.

Figure 147: Import CRL

HTTP: Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.
LDAP: Select to use an LDAP server to retrieve the CRL, then select the LDAP server from the list.
SCEP: Select to use an SCEP server to retrieve the CRL, then select the Local Certificate from the list. Enter the URL of the SCEP server from which the CRL can be retrieved.
Local PC: Select to use a local administrator's PC to upload a public certificate. Enter the location, or browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.

The system assigns a unique name to each CRL. The names are numbered consecutively (CRL_1, CRL_2, CRL_3, and so on).
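The FortiGate unit can only reject a revoked client certificate if the installed CRL is still within its thisUpdate/nextUpdate window and lists that certificate's serial number, which is why the section above stresses keeping CRLs updated. The following Python script is an example added to this guide (it is not FortiOS code and not the unit's own validation logic); it shows what those two checks look like on a CRL file such as one saved with the Download icon: it reads the DER structure of the CertificateList directly, reports whether the list has gone stale, and looks up a serial number. The issuer name "Example CA", the serial numbers and the dates are constructed test data, and the script deliberately does not verify the CRL signature, which a real consumer must do against the issuing CA certificate before trusting the list.

```python
"""Added example (not FortiGate code): check an X.509 CRL for freshness and revocation.

A minimal DER reader pulls thisUpdate, nextUpdate and the revoked serial numbers
out of a CertificateList (RFC 5280). The sample CRL below is constructed in-line
with a placeholder signature; signature verification is out of scope here.
"""
import base64
from datetime import datetime, timezone

# ---- tiny DER helpers (the encoder is only used to build the constructed sample) ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    # minimal two's-complement encoding, so 0x80 becomes 00 80 (leading zero keeps it positive)
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def read_tlv(buf, pos):
    """Return (tag, value, position after this element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def read_seq(body):
    """Split a SEQUENCE/SET body into a list of (tag, value) children."""
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    return items

def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                      # UTCTime YYMMDDHHMMSSZ, two-digit year pivots at 50
        yy = int(s[:2]); s = ("20" if yy < 50 else "19") + s
    elif tag != 0x18:                    # otherwise GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def load_crl_bytes(data):
    """Accept PEM ('-----BEGIN X509 CRL-----') or raw DER and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        b64 = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        return base64.b64decode(b64)
    return data

def parse_crl(data):
    """Return {'this_update', 'next_update', 'revoked': {serial: revocation datetime}}."""
    _, cert_list, _ = read_tlv(load_crl_bytes(data), 0)
    _, tbs, _ = read_tlv(cert_list, 0)   # tbsCertList is the first child of CertificateList
    fields = read_seq(tbs)
    i = 1 if fields[0][0] == 0x02 else 0 # optional version INTEGER
    i += 2                               # skip signature AlgorithmIdentifier and issuer Name
    this_update = parse_time(*fields[i]); i += 1
    next_update = None
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        next_update = parse_time(*fields[i]); i += 1
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:   # revokedCertificates, present only if non-empty
        for _, entry in read_seq(fields[i][1]):
            (_, serial), (ttag, tval) = read_seq(entry)[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = parse_time(ttag, tval)
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def crl_is_fresh(crl, now):
    """A CRL may be relied on only between thisUpdate and nextUpdate (when nextUpdate is present)."""
    return crl["this_update"] <= now and (crl["next_update"] is None or now < crl["next_update"])

def check_serial(crl, serial, now):
    """'stale' when the CRL can no longer vouch for anything, otherwise 'revoked' or 'good'."""
    if not crl_is_fresh(crl, now):
        return "stale"
    return "revoked" if serial in crl["revoked"] else "good"

# ---- constructed sample: a v2 CRL for a dummy CA with a placeholder signature ----
def build_sample_crl(this_update, next_update, revoked_serials):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    cn = tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x13, b"Example CA"))    # CN=Example CA
    issuer = tlv(0x30, tlv(0x31, cn))
    utc = lambda dt: tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    entries = b"".join(tlv(0x30, der_int(s) + utc(this_update)) for s in revoked_serials)
    tbs = der_int(1) + alg + issuer + utc(this_update) + utc(next_update)
    if entries:
        tbs += tlv(0x30, entries)
    sig = tlv(0x03, b"\x00" * 33)        # placeholder BIT STRING, not a real signature
    return tlv(0x30, tlv(0x30, tbs) + alg + sig)

def to_pem(der):
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"

def demo():
    """Constructed scenario: CRL issued 2009-04-01, next update 2009-05-01, two serials revoked."""
    issued = datetime(2009, 4, 1, tzinfo=timezone.utc)
    expires = datetime(2009, 5, 1, tzinfo=timezone.utc)
    crl = parse_crl(to_pem(build_sample_crl(issued, expires, [0x1234, 0x80])))
    during = datetime(2009, 4, 15, tzinfo=timezone.utc)
    after = datetime(2009, 6, 1, tzinfo=timezone.utc)
    return {
        "next_update": crl["next_update"].isoformat(),
        "revoked_serials": sorted(crl["revoked"]),
        "status_revoked": check_serial(crl, 0x1234, during),
        "status_good": check_serial(crl, 0x99, during),
        "status_stale": check_serial(crl, 0x99, after),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "stale" result is the case the Note above is meant to prevent: once nextUpdate has passed, a CRL says nothing about certificates revoked since, so a consumer that keeps answering "good" from an expired list silently stops enforcing revocation. Replace `demo()` with `parse_crl(open("CRL_1.crl", "rb").read())` to run the same checks on a downloaded file.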

System Maintenance
This section describes how to maintain your system configuration as well as how to enable and update FDN services. This section also explains the types of FDN services that are available for your FortiGate unit. If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is configured globally for the entire FortiGate unit. For more information, see Using virtual domains on page 103.

This section includes the following topics:
About the Maintenance menu
Managing configuration revisions
Using script files
Configuring FortiGuard Services
Troubleshooting FDN connectivity
Updating antivirus and attack definitions
Enabling push updates
Adding VDOM Licenses

About the Maintenance menu

The maintenance menu provides help with maintaining and managing firmware, configuration revisions, script files, and FortiGuard subscription-based services. From this menu, you can upgrade or downgrade the firmware, view historical backups of configuration files, or update FortiGuard services. The maintenance menu has the following tabs:
Backup & Restore: allows you to back up and restore your system configuration file, remotely upgrade firmware, and import CLI commands.
Revision Control: displays all system configuration backups with the date and time of when they were backed up. Before you can use revision control, a Central Management server must be configured and enabled.
Scripts: displays the script execution history and provides a way to upload script files to the FortiGuard Analysis and Management Service portal web site.
FortiGuard: displays all FDN subscription services, such as antivirus and IPS definitions, as well as the FortiGuard Analysis and Management Service. This tab also provides configuration options for antivirus, IPS, web filtering, and antispam services.
License: allows you to increase the maximum number of VDOMs (on some FortiGate models).

When backing up the system configuration, web content files and spam filtering files are also included. You can save the configuration to the management computer or to a USB disk if your FortiGate unit includes a USB port (see Formatting USB Disks on page 261). You can also restore the system configuration from previously downloaded backup files in the Backup & Restore menu.

When virtual domain configuration is enabled, the content of the backup file depends on the administrator account that created it. A backup of the system configuration from the super_admin account contains global settings and the settings included in each VDOM. Only the super_admin can restore the configuration from this file. When you back up the system configuration from a regular administrator account, the backup file contains the global settings and the settings for the VDOM that the regular administrator belongs to. A regular administrator is the only user account that can restore the configuration from this file. Some FortiGate models support FortiClient by storing a FortiClient image that users can download. The FortiClient section of Backup & Restore is available if your FortiGate model supports FortiClient. This feature is currently available on FortiGate-1000A, 3600A, and 5005FA2 models.
Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see Managing firmware versions on page 91.

Note: The Firmware section is available only on FortiGate-100A units and higher. If you have a FortiGate-60B unit or lower, you can upgrade or downgrade the firmware by going to System > Status and selecting the Update link that appears beside Firmware Version.

Backing up and restoring


The Backup & Restore tab allows you to back up and restore your FortiGate configuration to your management PC, a central management server, or a USB disk. You can back up and restore your configuration to a USB disk if the FortiGate unit includes a USB port and if you have connected a USB disk to the USB port. FortiGate units support most USB disks including USB keys and external USB hard disks (see Formatting USB Disks on page 261). The central management server is whatever remote management service the FortiGate unit is connected to. For example, if the current configuration on a FortiGate-60 is backed up to a FortiManager unit, the central management server is the FortiManager unit. You must configure central management in System > Admin > Central Management before these options are available in the Backup & Restore section. For more information, see Central Management on page 226. To view the backup and restore options, go to System > Maintenance > Backup and Restore.

Figure 148: Backup and restore page on a FortiGate-1000A unit

Basic backup and restore options

This section of the Backup & Restore page provides the option of backing up the current configuration file to several different locations, including encryption for added security. You can also restore a backed-up configuration file. To view the backup and restore options, go to System > Maintenance > Backup & Restore.

Figure 149: Backup & Restore options with FortiGuard services option enabled

Backup
Backup configuration to: The options available for backing up your current configuration. Select one of the displayed options:
Local PC: Back up the configuration to the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available, FortiGuard Analysis and Management Service is enabled, or the FortiGate unit is connected to a FortiManager unit.
FortiGuard | Management Station: Back up the configuration to the FortiGuard Analysis and Management Service. If the service is not enabled, Management Station is displayed.
USB Disk: Back up the configuration file to the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. For more information, see Formatting USB Disks on page 261.
FortiManager: Back up the configuration to the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.
Encrypt configuration file: Select to encrypt the backup file. Encryption must be enabled to save VPN certificates with the configuration. This option is not available for configurations backed up to a FortiManager unit.
Password: Enter a password to encrypt the configuration file. You will need this password to restore the configuration file.
Confirm: Enter the password again to confirm the password.
Filename: Enter the name of the backup file or select Browse to locate the file. The Filename field is available only when you choose to back up the configuration to a USB disk.
Backup: Select to back up the configuration. If you are backing up to a FortiManager device, a confirmation message is displayed after successful completion of the backup.

Restore
Restore configuration from: The options available for restoring the configuration from a specific file. Select one of the displayed options:
Local PC: Restore a configuration file from the management computer the FortiGate unit is connected to. Local PC is always displayed regardless of whether a USB disk is available, FortiGuard Analysis and Management Service is enabled, or the FortiGate unit is connected to a FortiManager unit.
USB disk: Restore a configuration file from the USB disk connected to the FortiGate unit. USB Disk is displayed only if the FortiGate unit includes a USB port. If you do not connect a USB disk, this option is grayed out. See Formatting USB Disks on page 261.
FortiGuard: Restore a configuration from the FortiGuard Analysis and Management Service. If the FortiGuard Analysis and Management Service is not enabled, this option is not displayed and Management Station is displayed instead.
FortiManager: Restore a configuration from the configured FortiManager unit. If the FortiGate unit is not connected to a FortiManager unit, this option is not displayed.
Filename: Select the configuration file name from the Browse list if you are restoring the configuration from a USB disk. Enter the configuration file name or select Browse if you are restoring the configuration from a file on the management computer.
Password: Enter the password you entered when backing up the configuration file.
Restore: Select to restore the configuration.

Note: When central management is disabled, Management Station appears. FortiGuard appears when the FortiGuard Analysis and Management Service is enabled.

Remote FortiManager backup and restore options


Your FortiGate unit can be remotely managed by a FortiManager unit. The FortiGate unit connects using the FortiGuard-FortiManager protocol. This protocol provides communication between a FortiGate unit and a FortiManager unit, and runs over SSL using IPv4/TCP port 541. For detailed instructions on how to install a FortiManager unit, see the FortiManager Install Guide.
After successfully connecting to the FortiManager unit from your FortiGate unit, you can back up your configuration to the FortiManager unit. You can also restore your configuration. The automatic configuration backup is available only in local mode on the FortiManager unit. A list of revisions is displayed when restoring the configuration from a remote location. The list allows you to choose the configuration to restore. To view the basic backup and restore options, go to System > Maintenance > Backup & Restore.
Figure 150: Backup & Restore options with FortiManager option enabled

Backup: The options available for backing up your current configuration to a FortiManager unit.
Backup configuration to: Select FortiManager to upload the configuration to the FortiManager unit. The Local PC option is always available.
Comments: Enter a description or information about the file in the Comments field. This is optional.
Backup: Select to back up the configuration file to the FortiManager unit. A confirmation message appears after successful completion of the backup.

Restore: The options for restoring a configuration file.
Restore configuration from: Select the FortiManager option to download and restore the configuration from the FortiManager unit.
Please Select: Select the configuration file you want to restore from the list. This list includes the comments you entered in the Comments field before the file was uploaded to the FortiManager unit. The list is in numerical order, with the most recently uploaded configuration first.
Restore: Select to restore the configuration from the FortiManager unit.

Remote FortiGuard backup and restore options


Your FortiGate unit can be remotely managed by a central management server, which is available when you register for the FortiGuard Analysis and Management Service. The FortiGuard Analysis and Management Service is a subscription-based service and is purchased by contacting support. Additional information, including how to register your FortiGate unit for the FortiGuard Analysis and Management Service, is available in the FortiGuard Analysis and Management Service Users Guide.

After registering, you can back up or restore your configuration. The FortiGuard Analysis and Management Service is useful when administering multiple FortiGate units without having a FortiManager unit. You can also upgrade the firmware on your FortiGate unit using the FortiGuard Analysis and Management Service. Upgrading the firmware is available in the Firmware Upgrade section of the backup and restore menu. See Upgrading and downgrading firmware through FortiGuard on page 259 for more information about upgrading firmware from the backup and restore menu.
Tip: For simplified procedures on managing firmware, including backup and restore options, and on uploading and downloading firmware for your FortiGate unit, see Managing firmware versions on page 91.

When restoring the configuration from a remote location, a list of revisions is displayed so that you can choose the configuration file to restore. To view the basic backup and restore options, go to System > Maintenance > Backup & Restore.
Figure 151: Backup & Restore Central Management options

Backup: The options available for backing up your current configuration to the FortiGuard Analysis and Management Service.
Backup configuration to: Select the FortiGuard option to upload the configuration to the FortiGuard Analysis and Management Service. The Local PC option is always available.
Comments: Enter a description or information about the file in the Comments field. This is optional.
Backup: Select to back up the configuration file to the FortiGuard Analysis and Management Service. A confirmation message appears after successful completion of the backup.

Restore: The options for restoring a configuration file.
Restore configuration from: Select the FortiGuard option to download the configuration file from the FortiGuard Analysis and Management Service.
Please Select: Select the configuration file you want to restore from the list. This list includes the comments you entered in the Comments field before the file was uploaded to the FortiGuard Analysis and Management Service. The list is in numerical order, with the most recently uploaded configuration first.
Restore: Select to restore the configuration from the FortiGuard Analysis and Management Service.

Note: The FortiGuard-FortiManager protocol is used when connecting to the FortiGuard Analysis and Management Service. This protocol runs over SSL using IPv4/TCP port 541 and includes the following functions:
detects FortiGate unit dead or alive status
detects management service dead or alive status
notifies the FortiGate units about configuration changes, AV/IPS database updates and firewall changes.

Upgrading and downgrading firmware


The firmware section displays the current version of firmware installed on your FortiGate unit, as well as the firmware version currently in use if there is more than one firmware image saved on the FortiGate unit. To view the firmware options, go to System > Maintenance > Backup & Restore.
Figure 152: Two firmware images displayed on a FortiGate-1000A unit

Partition: A partition can contain one version of the firmware and the system configuration. FortiGate-100A units and higher have two partitions. One partition is active and the other is used as a backup.
Active: A green check mark indicates the partition currently in use.
Last upgrade: The date and time of the last update to this partition.
Firmware Version: The version and build number of the FortiGate firmware. If your FortiGate model has a backup partition, you can select Upload to replace the firmware with firmware from the management computer or a USB disk (the USB disk must be connected to the FortiGate unit USB port; see Formatting USB Disks on page 261), or select Upload and Reboot to replace the existing firmware and make this the active partition.
Boot alternate firmware: Restart the FortiGate unit using the backup firmware. This is available only for FortiGate-100 units or higher.

Upgrading and downgrading firmware through FortiGuard


The Firmware Upgrade section of the backup and restore page displays options for upgrading to a new version using the FortiGuard Analysis and Management Service if that option is available to you. Using the FortiGuard Analysis and Management Service to upgrade the firmware on your FortiGate unit is only available on certain FortiGate units. You must register for the service by contacting customer support. Detailed firmware version information is provided if you have subscribed for the FortiGuard Analysis and Management Service. To view the firmware options, go to System > Maintenance > Backup & Restore.

Figure 153: Firmware Upgrade section of the Backup & Restore page

Upgrade from FortiGuard network to firmware version: [Please Select]: Select one of the available firmware versions. The list contains the following information for each available firmware release: continent (for example, North America), maintenance release number, patch release number, and build number. For example, if you are upgrading to FortiOS 3.0 MR6 and the FortiGate unit is located in North America, the firmware version available is v3.0 MR6-NA (build 0700).
Allow firmware downgrade: Select to allow installation of older versions than the one currently installed. This is useful if the current version changed functionality you need and you have to revert to an older firmware image.
Upgrade by File: Select Browse to locate a file on your local PC to upload to the FortiGate unit.
OK: Select OK to enable your selection.

Configuring advanced options


The Advanced section on the backup and restore page includes the USB Auto Install feature and the debug log. The USB settings are available only if the FortiGate unit includes a USB port. You must connect a USB disk to the FortiGate unit USB port to use the USB auto-install feature. See Formatting USB Disks on page 261. To view the advanced options, go to System > Maintenance > Backup & Restore.
Figure 154: Options available in the Advanced section

On system restart, automatically update FortiGate configuration...: Automatically update the configuration on restart. Ensure that the default configuration file name matches the configuration file name on the USB disk. If the configuration file on the disk matches the currently installed configuration, the FortiGate unit skips the configuration update process.
On system restart, automatically update FortiGate firmware...: Automatically update the firmware on restart. Ensure that the default image name matches the firmware file name on the USB disk. If the firmware image on the disk matches the currently installed firmware, the FortiGate unit skips the firmware update process.
Apply: Select to apply the selected settings.
Download Debug Log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.

Formatting USB Disks


FortiGate units with USB ports support USB disks for backing up and restoring configurations. FortiUSB and generic USB disks are supported, but the generic USB disk must be formatted as a FAT16 disk. No other partition type is supported.
Caution: Formatting the USB disk deletes all information on the disk. Back up the information on the USB disk before formatting to ensure all information on the disk is recoverable.

There are two ways to format the USB disk: using the CLI or using a Windows system. In the CLI, format the USB disk with the command:

exe usb-disk format

On a Windows system, at the command prompt type:

format <drive_letter>: /FS:FAT /V:<drive_label>

where <drive_letter> is the letter of the connected USB drive you want to format, and <drive_label> is the name you want to give the USB drive for identification.

Managing configuration revisions


The Revision Control tab enables you to manage multiple versions of configuration files. Revision control requires a configured central management server. This server can either be a FortiManager unit or the FortiGuard Analysis and Management Service. If central management is not configured on your FortiGate unit, a message appears to tell you to do one of the following:
enable central management (see Central Management on page 226)
obtain a valid license.

When revision control is enabled on your FortiGate unit, and configurations have been backed up, a list of saved revisions of those backed-up configurations appears. To view the configuration revisions, go to System > Maintenance > Revision Control.
Figure 155: Revision Control page displaying system configuration backups

Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of system configuration backups. For more information, see Using page controls on web-based manager lists on page 57.
Revision: An incremental number indicating the order in which the configurations were saved. These may not be consecutive numbers if configurations are deleted. The most recent, and highest, number is first in the list.
Date/Time: The date and time this configuration was saved on the FortiGate unit.
Administrator: The administrator account that was used to back up this revision.
Comments: Any relevant information saved with the revision, such as why the revision was saved, who saved it, and if there is a date when it can be deleted to free up space.
Diff icon: Select to compare two revisions. A window appears, from which you can view and compare the selected revision to one of: the current configuration; a selected revision from the displayed list, including revision history and templates; a specified revision number.
Download icon: Download this revision to your local PC.
Revert icon: Restore the previously selected revision. You will be prompted to confirm this action.

Using script files


Scripts are text files containing CLI command sequences. These can be uploaded and executed to run complex command sequences easily. Scripts can be used to deploy identical configurations to many devices. For example, if all of your devices use identical administrator admin profiles, you can enter the commands required to create the admin profiles in a script, and then deploy the script to all the devices which should use those same settings. If you are using a FortiGate unit without a FortiManager unit or the FortiGuard Analysis and Management Service, the scripts you upload are executed and discarded. If you want to execute a script more than once, you must keep a copy on your management PC. If your FortiGate unit is configured to use a FortiManager unit, you can upload your scripts to the FortiManager unit, and run them from any FortiGate unit configured to use the FortiManager unit. If you upload a script directly to a FortiGate unit, it is executed and discarded. If your FortiGate unit is configured to use the FortiGuard Analysis and Management Service, scripts you upload are executed and stored. You can run uploaded scripts from any FortiGate unit configured with your FortiGuard Analysis and Management Service account. The uploaded script files appear on the FortiGuard Analysis and Management Service portal web site. After executing scripts, you can view the script execution history on the script page. The list displays the last 10 executed scripts. To view the script options, go to System > Maintenance > Scripts.

Figure 156: Script execution history

Execute Script from: Scripts can be uploaded directly to the FortiGate unit from the management PC. If you have configured either a FortiManager unit or the FortiGuard Analysis and Management Service, scripts that have been stored remotely can also be run on the FortiGate unit.
Upload Bulk CLI Command File: Select Browse to locate the script file and then select Apply to upload and execute the file. If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, the script will be saved on the server for later use.
From remote management station: Select to execute a script from the FortiManager unit or the FortiGuard Analysis and Management Service. Choose the script you want to run from the list of all scripts stored remotely.
Script Execution History (past 10 scripts): A list of the 10 most recently executed scripts.
Name: The name of the script file.
Type: The source of the script file. A local file is uploaded directly to the FortiGate unit from the management PC and executed. A remote file is executed on the FortiGate unit after being sent from a FortiManager unit or the FortiGuard Analysis and Management Service.
Time: The date and time the script file was executed.
Status: The status of the script file, whether its execution succeeded or failed.
Delete icon: Delete the script entry from the list.

Creating script files


Script files are text files with CLI command sequences. When a script file is uploaded to a FortiGate unit, the commands are executed in sequence. To create a script file 1 Open a text editor application. Notepad on Windows, GEdit on Linux, Textedit on the Mac, or any editor that will save plain text can create a script file. 2 Enter the CLI commands you want to run. The commands must be entered in sequence, with one command per line. 3 Save the file to your maintenance PC.
Tip: An unencrypted configuration file uses the same structure and syntax as a script file. You can save a configuration file and copy the required parts to a new file, making any edits you require. You can generate script files more quickly this way.
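As an added example (not a script shipped with the guide), here is a script file in the form this section describes: plain text, one CLI command per line, executed in order when the file is uploaded. It uses the system fortiguard command and its hostname keyword, which the FortiGuard services section of this chapter names as the only way to change the service point host name, and switches the service point port to 8888 as described there. The host name value is a placeholder, the set port keyword and the treatment of # lines as comments are assumptions from the FortiOS 4.0 CLI Reference and should be checked there for your firmware build.

```text
# Constructed example script (assumption: lines starting with # are ignored).
# Sets the FortiGuard service point host name and switches the query port
# from the default UDP 53 to the alternate UDP 8888.
config system fortiguard
    set hostname fortiguard.example.invalid
    set port 8888
end
```

Upload the file through System > Maintenance > Scripts; per the caution in the next section, keep commands that force a reboot out of scripts unless a reboot is intended, because the script runs immediately on upload.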


Uploading script files


After you have created a script file, you can then upload it through System > Maintenance > Scripts. When a script is uploaded, it is automatically executed.
Caution: Commands that require the FortiGate unit to reboot when entered on the command line will also force a reboot if included in a script.

To execute a script
1 Go to System > Maintenance > Scripts.
2 Verify that Upload Bulk CLI Command File is selected.
3 Select Browse to locate the script file.
4 Select Apply.

If the FortiGate unit is not configured for remote management, or if it is configured to use a FortiManager unit, uploaded scripts are discarded after execution. Save script files to your management PC if you want to execute them again later. If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, the script file is saved to the remote server for later reuse. You can view the script or run it from the FortiGuard Analysis and Management Service portal web site. For more information about viewing or running an uploaded script on the portal web site, see the FortiGuard Analysis and Management Service User's Guide.

Configuring FortiGuard Services


Go to System > Maintenance > FortiGuard to configure your FortiGate unit to use the FortiGuard Distribution Network (FDN) and FortiGuard Services. The FDN provides updates to antivirus definitions, IPS definitions, and the Antispam rule set. FortiGuard Services include FortiGuard web filtering and the FortiGuard Analysis and Management Service.

FortiGuard Distribution Network


The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). The FDN provides updates to antivirus (including grayware) definitions, IPS definitions, and the antispam rule set. When the FortiGate unit contacts the FDN, it connects to the nearest FDS based on the current time zone setting. The FortiGate unit supports the following update options:
- user-initiated updates from the FDN
- hourly, daily, or weekly scheduled antivirus definition, IPS definition, and antispam rule set updates from the FDN
- push updates from the FDN
- update status including version numbers, expiry dates, and update dates and times
- push updates through a NAT device

Registering your FortiGate unit on the Fortinet Support web page provides a valid license contract and connection to the FDN. On the Fortinet Support web page, go to Product Registration and follow the instructions.


The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to receive scheduled updates. For more information, see To enable scheduled updates on page 272. You can also configure the FortiGate unit to receive push updates. When the FortiGate unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit using UDP port 9443. For more information, see Enabling push updates on page 273. If the FortiGate unit is behind a NAT device, see Enabling push updates through a NAT device on page 274.

FortiGuard services
Worldwide coverage of FortiGuard services is provided by FortiGuard service points. When the FortiGate unit connects to the FDN, it connects to the closest FortiGuard service point. Fortinet adds new service points as required. If the closest service point becomes unreachable for any reason, the FortiGate unit contacts another service point and information is available within seconds. By default, the FortiGate unit communicates with the service point via UDP on port 53. Alternatively, you can switch the UDP port used for service point communication to port 8888 by going to System > Maintenance > FortiGuard. If you need to change the default FortiGuard service point host name, use the hostname keyword in the system fortiguard CLI command. You cannot change the FortiGuard service point name using the web-based manager. For more information about FortiGuard services, see the FortiGuard Center web page.

FortiGuard Antispam service


FortiGuard Antispam is an antispam system from Fortinet that includes an IP address black list, a URL black list, and spam filtering tools, contained in an antispam rule set that is downloaded to the FortiGate unit. The IP address black list contains IP addresses of email servers known to generate spam. The URL black list contains URLs that are found in spam email. FortiGuard Antispam processes are completely automated and configured by Fortinet. With constant monitoring and dynamic updates, FortiGuard Antispam is always current. You can either enable or disable FortiGuard Antispam in the Firewall menu in a protection profile. For more information, see Spam Filtering options on page 416. Every FortiGate unit comes with a free 30-day FortiGuard Antispam trial license. FortiGuard Antispam license management is performed by Fortinet servers; there is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard Antispam service point when enabling FortiGuard Antispam. Contact Fortinet Technical Support to renew the FortiGuard Antispam license after the free trial expires. You can globally enable FortiGuard Antispam in System > Maintenance > FortiGuard and then configure Spam Filtering options in each firewall protection profile in Firewall > Protection Profile. For more information, see Spam Filtering options on page 416.

FortiGuard Web Filtering service


FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Web Filtering service point to determine the category of a requested web page, then follows the firewall policy configured for that user or interface.


Every FortiGate unit comes with a free 30-day FortiGuard Web Filtering trial license. FortiGuard license management is performed by Fortinet servers. There is no need to enter a license number. The FortiGate unit automatically contacts a FortiGuard service point when enabling FortiGuard category blocking. Contact Fortinet Technical Support to renew a FortiGuard license after the free trial. You can globally enable FortiGuard Web Filtering in System > Maintenance > FortiGuard and then configure FortiGuard Web Filtering options for each profile in Firewall > Protection Profiles. For more information, see FortiGuard Web Filtering options on page 413.

FortiGuard Analysis and Management Service


FortiGuard Analysis and Management Service is a subscription-based service that provides remote management services, including logging and reporting capabilities for all FortiGate units. These services were previously available only on FortiAnalyzer and FortiManager units. The subscription-based service is available from the FortiGuard Analysis and Management Service portal web site, which provides a central location for configuring logging and reporting and remote management, and for viewing subscription contract information, such as daily quota and the expiry date of the service.

Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System > Maintenance > FortiGuard. The FDN page contains four sections of FortiGuard services:
- Support Contract and FortiGuard Subscription Services
- Downloading antivirus and IPS updates
- Configuring Web Filtering and AntiSpam Options
- Configuring Analysis and Management Service Options

Support Contract and FortiGuard Subscription Services


The Support Contract and FortiGuard Subscription Services sections are displayed in abbreviated form on the System Status page. See Viewing system status on page 63. To view the FortiGuard options, go to System > Maintenance > FortiGuard.


Figure 157: Support Contract and FortiGuard Subscription Services section (callouts: License status icon, License expiry, Valid license)

Support Contract: The availability or status of your FortiGate unit support contract. The status displayed can be one of the following: Unreachable, Not Registered or Valid Contract. If Valid Contract is shown, the FortiOS firmware version and contract expiry date appear. A green checkmark also appears.

Register: Select to register your FortiGate unit support contract. This option is available only when the support contract is not registered.

FortiGuard Subscription Services: Availability and status information for each of the FortiGuard subscription services, including AntiVirus, Intrusion Protection, Web Filtering, AntiSpam, and Analysis and Management Service.

Availability: The availability of this service on this FortiGate unit, dependent on your service subscription. The status can be Unreachable, Not Registered, Valid License, or Valid Contract. The option Subscribe appears if Availability is Not Registered. The option Renew appears if Availability has expired.

Update: Select to manually update this service on your FortiGate unit. This will prompt you to download the update file from your local computer. Select Update Now to immediately download current updates from the FDN directly.

Register: Select to register the service. This is displayed in Analysis and Management Service.

Status Icon: Indicates the status of the subscription service. The icon corresponds to the availability description.
- Gray (Unreachable): the FortiGate unit is not able to connect to the service.
- Orange (Not Registered): the FortiGate unit can connect, but is not subscribed to this service.
- Yellow (Expired): the FortiGate unit had a valid license that has expired.
- Green (Valid license): the FortiGate unit can connect to the FDN and has a registered support contract.
If the Status icon is green, the expiry date is displayed.

Version: The version number of the definition file currently installed on the FortiGate unit for this service.

Last update date and method: The date of the last update and the method used for the last attempt to download definition updates for this service.

Date: Local system date when the FortiGate unit last checked for updates for this service.

Downloading antivirus and IPS updates


In the Antivirus and IPS Options section, you can schedule antivirus and IPS updates, configure an override server, or allow push updates. You can access these options by selecting the expand arrow.

The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. Use the Use override push IP option when your FortiGate unit is behind a NAT device. The FortiGate unit then sends the IP address and port number of the NAT device to the FDS. The NAT device must also be configured to forward the FDS traffic to the FortiGate unit on port 9443. For more information, see Enabling push updates through a NAT device on page 274.

Figure 158: AntiVirus and IPS Options section (callouts: Expand arrow, Allow Push Update Status)

Use override server address: Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using its own FortiGuard server. When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see Troubleshooting FDN connectivity on page 271.

Allow Push Update: Select to allow push updates. Updates are then sent automatically to your FortiGate unit when they are available, eliminating any need for you to check if they are available.

Allow Push Update status icon: The status of the FortiGate unit for receiving push updates:
- Gray (Unreachable): the FortiGate unit is not able to connect to the push update service.
- Yellow (Not Available): the push update service is not available with the current support license.
- Green (Available): the push update service is allowed. See Enabling push updates on page 273.
If the icon is gray or yellow, see Troubleshooting FDN connectivity on page 271.

Use override push IP: Available only if both Use override server address and Allow Push Update are enabled. Select to allow you to create a forwarding policy that redirects incoming FDS push updates to your FortiGate unit. Enter the IP address of the NAT device in front of your FortiGate unit. The FDS will connect to this device when attempting to reach the FortiGate unit. The NAT device must be configured to forward the FDS traffic to the FortiGate unit on UDP port 9443. See Enabling push updates through a NAT device on page 274.

Port: Select the port on the NAT device that will receive the FDS push updates. This port must be forwarded to UDP port 9443 on the FortiGate unit. Available only if Use override push IP is enabled.

Schedule Updates: Select this check box to enable scheduled updates.

Every: Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.

Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Update Now: Select to manually initiate an FDN update.

Submit attack characteristics (recommended): Fortinet recommends that you select this check box. It helps to improve the quality of IPS signatures.

Configuring Web Filtering and AntiSpam Options


You can access this section by selecting the expand arrow to view Web Filtering and AntiSpam Options.

Figure 159: Web Filtering and AntiSpam Options section

Enable Web Filter: Select to enable the FortiGuard Web Filter service.

Enable Cache: Select to enable caching of web filter queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available if Enable Web Filter is selected.

TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds. Available only if both Enable Web Filter and Enable Cache are selected.

Enable AntiSpam: Select to enable the FortiGuard AntiSpam service.

Enable Cache: Select to enable caching of antispam queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available only if Enable AntiSpam is selected.

TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds.

Port Section: Select one of the following ports for your web filtering and antispam requirements:

Use Default Port (53): Select to use port 53 for communication with FortiGuard Antispam servers.

Use Alternate Port (8888): Select to use port 8888 for communication with FortiGuard Antispam servers.

Test Availability: Select to test the connection to the servers. Results are shown below the button and on the Status indicators.

To have a URL's category rating re-evaluated, please click here: Select to re-evaluate a URL's category rating on the FortiGuard Web Filter service.

Account ID: Enter your FortiGuard Analysis and Management Service account ID.

To launch the service portal, please click here: Select to log into the FortiGuard Analysis and Management Service web portal.

Configuring Analysis and Management Service Options


The Analysis and Management Service Options section contains the Account ID and other options regarding the FortiGuard Analysis and Management Service. You can access this section by selecting the expand arrow.

Figure 160: FortiGuard Analysis and Management Service options

Account ID: Enter the name for the Analysis and Management Service that identifies the account. The account ID that you entered in the Account ID field when registering is used in this field.

To launch the service portal, please click here: Select to go directly to the FortiGuard Analysis and Management Service portal web site to view logs or configuration. You can also select this to register your FortiGate unit with the FortiGuard Analysis and Management Service.

To configure FortiGuard Analysis Service options, please click here: Select the link please click here to configure and enable logging to the FortiGuard Analysis & Management server. The link redirects you to Log&Report > Log Config > Log Setting. This appears only after registering for the service.

To purge logs older than n months, please click here: Select the number of months from the list that will remove those logs from the FortiGuard Analysis & Management server and select the link please click here. For example, if you select 2 months, the logs from the past two months will be removed from the server. You can also use this option to remove logs that may appear on a current report. This appears only after logging is enabled and log messages are sent to the FortiGuard Analysis server.

Troubleshooting FDN connectivity


If your FortiGate unit is unable to connect to the FDN, check your configuration. For example, you may need to add routes to the FortiGate routing table or configure your network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet. You might have to connect to an override FortiGuard server to receive updates. For more information, see To add an override server on page 272. If this is not successful, check your configuration to make sure you can connect to the override FortiGuard server from the FortiGate unit.

Push updates might be unavailable if:
- you have not registered the FortiGate unit (go to Product Registration and follow the instructions on the web site if you have not already registered your FortiGate unit)
- there is a NAT device installed between the FortiGate unit and the FDN (see Enabling push updates through a NAT device on page 274)
- your FortiGate unit connects to the Internet using a proxy server (see To enable scheduled updates through a proxy server on page 273).

Updating antivirus and attack definitions


Use the following procedures to configure the FortiGate unit to connect to the FDN to update the antivirus (including grayware) definitions and IPS attack definitions.

Note: Updating antivirus and IPS attack definitions can cause a very short disruption in traffic scanning while the FortiGate unit applies the new signature definitions. Fortinet recommends scheduling updates when traffic is light to minimize disruption.

To make sure the FortiGate unit can connect to the FDN
1 Go to System > Status and select Change on the System Time line in the System Information section. Verify that the time zone is set correctly, corresponding to the region where your FortiGate unit is located.
2 Go to System > Maintenance > FortiGuard.
3 Select the expand arrow beside Web Filtering and AntiSpam Options to reveal the available options.
4 Select Test Availability. The FortiGate unit tests its connection to the FDN. The test results display at the top of the FortiGuard page.

To update antivirus and attack definitions
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside Antivirus and IPS Options to reveal the available options.
3 Select Update Now to update the antivirus and attack definitions. If the connection to the FDN or override server is successful, the web-based manager displays a message similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update.
After a few minutes, if an update is available, the FortiGuard page lists new version information for antivirus definitions and IPS attack definitions. The page also displays new dates and version numbers for the updated definitions and engines. Messages are recorded to the event log, indicating whether the update was successful or not.

To enable scheduled updates
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Scheduled Update check box.
4 Select one of the following:
Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
5 Select Apply. The FortiGate unit starts the next scheduled update according to the new update schedule. Whenever the FortiGate unit runs a scheduled update, the event is recorded in the FortiGate event log.

If you cannot connect to the FDN, or if your organization provides antivirus and IPS attack updates using its own FortiGuard server, you can use the following procedure to add the IP address of an override FortiGuard server.

To add an override server
1 Go to System > Maintenance > FortiGuard.
2 Select the Use override server address check box.
3 Type the fully qualified domain name or IP address of the FortiGuard server.
4 Select Apply. The FortiGate unit tests the connection to the override server. If the FortiGuard Distribution Network availability icon changes from gray to green, the FortiGate unit has successfully connected to the override server. If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit cannot connect to the override server. Check the FortiGate configuration and network configuration for settings that may prevent the FortiGate unit from connecting to the override FortiGuard server.

To enable scheduled updates through a proxy server
If your FortiGate unit must connect to the Internet through a proxy server, you can use the config system autoupdate tunneling command syntax to allow the FortiGate unit to connect (or tunnel) to the FDN using the proxy server. For more information, see the FortiGate CLI Reference.
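The three procedures above (scheduled updates, an override server, and tunneling through a proxy) as CLI commands, given here as an added example that is not from the guide; it could be uploaded as a script file as described under Using script files. The config system autoupdate tunneling path is the one this section names; the schedule and override branches and every keyword below are recalled from the FortiOS 4.0 CLI Reference and are assumptions to verify against that reference, and the server address, proxy address, port and credentials are placeholders.

```text
# Constructed example: FDN update settings as CLI commands (keyword names are
# assumptions from the FortiOS 4.0 CLI Reference; values are placeholders).

# Scheduled update once a day; the unit picks a random minute in the 02:00 hour
# (the guide: "at a randomly determined time within the selected hour").
config system autoupdate schedule
    set status enable
    set frequency daily
    set time 02:00
end

# Override server: only needed if the FDN is unreachable or your
# organization runs its own FortiGuard server. Leave status disabled
# otherwise, so the unit keeps using the nearest FDS.
config system autoupdate override
    set status enable
    set address fds.example.invalid
end

# Tunnel update requests through an HTTP proxy. Push updates are not
# supported through a proxy (see the Note under Enabling push updates
# through a NAT device), so pair this with the schedule above.
config system autoupdate tunneling
    set status enable
    set address 192.0.2.10
    set port 3128
    set username fdsproxy
    set password proxy-password-placeholder
end
```

After applying, confirm the result the same way the web-based manager procedure does: the FortiGuard Distribution Network availability icon under System > Maintenance > FortiGuard should turn green, and each scheduled run is recorded in the event log, which is the place to look when updates silently stop.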

Enabling push updates


The FDN can push updates to FortiGate units to provide the fastest possible response to critical situations. You must register the FortiGate unit before it can receive push updates. Register your FortiGate unit by going to the Fortinet Support web site, Product Registration, and following the instructions. When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a SETUP message to the FDN. The next time new antivirus or IPS attack definitions are released, the FDN notifies all FortiGate units that are configured for push updates that a new update is available. Within 60 seconds of receiving a push notification, the FortiGate unit requests the update from the FDN. When the network configuration permits, configuring push updates is recommended in addition to scheduled updates. Scheduled updates ensure that the FortiGate unit receives current updates, but if push updates are also enabled, the FortiGate unit will usually receive new updates sooner. Fortinet does not recommend enabling push updates as the only method for obtaining updates. The FortiGate unit might not receive the push notification. When the FortiGate unit receives a push notification, it makes only one attempt to connect to the FDN and download updates.

Enabling push updates when a FortiGate unit IP address changes


The SETUP message that the FortiGate unit sends when you enable push updates includes the IP address of the FortiGate interface that the FDN connects to. The interface used for push updates is the interface configured in the default route of the static routing table. The FortiGate unit sends the SETUP message if you:
- change the IP address of this interface manually
- have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE server changes the IP address.

The FDN must be able to connect to this IP address so that your FortiGate unit can receive push update messages. If your FortiGate unit is behind a NAT device, see Enabling push updates through a NAT device on page 274.


If you have redundant connections to the Internet, the FortiGate unit also sends the SETUP message when one Internet connection goes down and the FortiGate unit fails over to another Internet connection. In transparent mode, if you change the management IP address, the FortiGate unit also sends the SETUP message to notify the FDN of the address change.

Enabling push updates through a NAT device


If the FDN connects to the FortiGate unit only through a NAT device, you must configure port forwarding on the NAT device and add the port forwarding information to the push update configuration. Port forwarding enables the FDN to connect to the FortiGate unit using UDP on either port 9443 or an override push port that you specify. If the external IP address of the NAT device is dynamic (PPPoE or DHCP), the FortiGate unit is unable to receive push updates through the NAT device. The following procedures configure the FortiGate unit to receive push updates through a NAT device. These procedures also include adding a port forwarding virtual IP and a firewall policy to the NAT device.

Figure 161: Example network: Push updates through a NAT device (figure labels: Internal network; 172.16.35.144 (external interface); Virtual IP 10.20.6.135 (external interface); Internet; NAT Device; FDN Server)

The overall process is:
1 Register the FortiGate unit on the internal network so that it has a current support license and can receive push updates. For more information, see Registering your Fortinet product on page 25.
2 Configure the following FortiGuard options on the FortiGate unit on the internal network:
- Enable Allow push updates.
- Enable Use override push IP and enter the IP address. Usually this is the IP address of the external interface of the NAT device.
- If required, change the override push update port.
3 Add a port forwarding virtual IP to the NAT device. Set the external IP address of the virtual IP to match the override push update IP. Usually this is the IP address of the external interface of the NAT device. Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual IP.
Note: Push updates are not supported if the FortiGate unit must use a proxy server to connect to the FDN. See To enable scheduled updates through a proxy server on page 273 for more information.


To configure FortiGuard options on the FortiGate unit on the internal network
1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available options.
3 Select the Allow Push Update check box.
4 Select the Use override push IP check box.
5 Enter the IP address of the external interface of the NAT device. Change UDP port 9943 only if it is blocked or in use.
6 Select Apply.

You can change the push override configuration if the external IP address of the external service port changes; select Apply to have the FortiGate unit send the updated push information to the FDN. When the FortiGate unit sends the override push IP address and port to the FDN, the FDN uses this IP address and port for push updates to the FortiGate unit. However, push updates will not actually work until a virtual IP is added to the NAT device so that the NAT device accepts push update packets and forwards them to the FortiGate unit on the internal network. If the NAT device is also a FortiGate unit, the following procedure, To add a port forwarding virtual IP to the FortiGate NAT device, allows you to configure the NAT device to use port forwarding to pass push update connections from the FDN to the FortiGate unit on the internal network.

To add a port forwarding virtual IP to the FortiGate NAT device
1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Enter the appropriate information for the following:
Name: Enter a name for the virtual IP.
External Interface: Select an external interface from the list. This is the interface that connects to the Internet.
External IP Address/Range: Enter the IP address and/or range. This is the IP address to which the FDN sends the push updates. This is usually the IP address of the external interface of the NAT device. This IP address must be the same as the IP address in Use override push IP for the FortiGate unit on the internal network.
Mapped IP Address/Range: Enter the IP address and/or range of the FortiGate unit on the internal network.
Port Forwarding: Select Port Forwarding. When you select Port Forwarding, the options Protocol, External Service Port and Map to Port appear.
Protocol: Select UDP.
External Service Port: Enter the external service port. The external service port is the port that the FDN connects to. The external service port for push updates is usually 9443. If you changed the push update port in the FortiGuard configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.
Map to Port: Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP. FortiGate units expect push update notifications on port 9443.
4 Select OK.


To add a firewall policy to the FortiGate NAT device
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the external to internal firewall policy.
Source Interface/Zone: Select the name of the interface that connects to the Internet.
Source Address: Select All.
Destination Interface/Zone: Select the name of the interface of the NAT device that connects to the internal network.
Destination Address: Select the virtual IP added to the NAT device.
Schedule: Select Always.
Service: Select ANY.
Action: Select Accept.
NAT: Select NAT.

4 Select OK. Verify that push updates to the FortiGate unit on the internal network are working by going to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering and AntiSpam Options. The Push Update indicator should change to green.

Adding VDOM Licenses


To increase the maximum number of VDOMs on your FortiGate unit, you can purchase a license key from Fortinet that raises the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate units support a maximum of 10 VDOMs. The license key is a 32-character string supplied by Fortinet. Fortinet requires the serial number of the FortiGate unit to generate the license key. The license key is entered in System > Maintenance > License in the Input License Key field. This appears only on high-end FortiGate models.
Figure 162: License key for additional VDOMs

Current License: The current maximum number of virtual domains.
Input License key: Enter the license key supplied by Fortinet and select Apply.

Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer unit and they contain a total of four VDOMs, the total number of registered FortiGate units on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer Administration Guide.


Router Static
This section explains some general routing concepts, and how to define static routes and route policies.

A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination on the network. A static route causes packets to be forwarded to a destination other than the factory configured default gateway. The factory configured static default route provides you with a starting point to configure the default gateway. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit. For more information, see Default route and default gateway on page 281.

You define static routes manually. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed.

As an option, you can define route policies. Route policies specify additional criteria for examining the properties of incoming packets. Using route policies, you can configure the FortiGate unit to route packets based on the IP source and destination addresses in packet headers and other criteria such as on which interface the packet was received and which protocol (service) and port are being used to transport the packet.

If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured separately for each virtual domain. For more information, see Using virtual domains on page 103.

This section describes:
Routing concepts
Static Route
Policy Route

Routing concepts
The FortiGate unit works as a security device on a network and packets must pass through it. You need to understand a number of basic routing concepts in order to configure the FortiGate unit appropriately. Whether you administer a small or large network, this module will help you understand how the FortiGate unit performs routing functions.

The following topics are covered in this section:
How the routing table is built
How routing decisions are made
Multipath routing and determining the best route
Route priority
Blackhole Route


How the routing table is built


In the factory default configuration, the FortiGate routing table contains a single static default route. You can add routing information to the routing table by defining additional static routes. The table may include several different routes to the same destination; the IP addresses of the next-hop router specified in those routes or the FortiGate interfaces associated with those routes may vary. The FortiGate unit selects the best route for a packet by evaluating the information in the routing table. The best route to a destination is typically associated with the shortest distance between the FortiGate unit and the closest next-hop router. In some cases, the next best route may be selected if the best route is unavailable. The FortiGate unit installs the best available routes in the unit's forwarding table, which is a subset of the unit's routing table. Packets are forwarded according to the information in the forwarding table.

How routing decisions are made


Whenever a packet arrives at one of the FortiGate unit's interfaces, the unit determines whether the packet was received on a legitimate interface by doing a reverse lookup using the source IP address in the packet header. If the FortiGate unit cannot communicate with the computer at the source IP address through the interface on which the packet was received, the FortiGate unit drops the packet, as it is likely a spoofing or hacking attempt. If the destination address can be matched to a local address (and the local configuration permits delivery), the FortiGate unit delivers the packet to the local network. If the packet is destined for another network, the FortiGate unit forwards the packet to a next-hop router according to a policy route and the information stored in the FortiGate forwarding table. For more information, see Policy Route on page 285.

Multipath routing and determining the best route


Multipath routing occurs when more than one entry to the same destination is present in the routing table. When multipath routing happens, the FortiGate unit may have several possible destinations for an incoming packet, forcing the FortiGate unit to decide which next-hop is the best one. Two methods to manually resolve multiple routes to the same destination are to lower the administrative distance of one route or to set the priority of both routes. For the FortiGate unit to select a primary (preferred) route, manually lower the administrative distance associated with one of the possible routes. Administrative distance is based on the expected reliability of a given route. It is determined through a combination of the number of hops from the source and the protocol used. More hops from the source means more possible points of failure. The administrative distance can be from 1 to 255, with lower numbers being preferred. A distance of 255 is seen as infinite and will not be installed in the routing table. Here is an example to illustrate how administrative distance works: if there are two possible routes traffic can take between two destinations with administrative distances of 5 (always up) and 31 (sometimes not available), the traffic will use the route with an administrative distance of 5. Different routing protocols have different default administrative distances. The default administrative distances for any of these routing protocols are configurable.


Table 42: Default administrative distances for routing protocols

Routing protocol: Default administrative distance
Direct physical connection: 1
Static: 10
EBGP: 20
OSPF: 110
RIP: 120
IBGP: 200

Another method is to manually change the priority of both of the routes. If the next-hop administrative distances of two routes on the FortiGate unit are equal, it may not be clear which route the packet will take. Configuring the priority for each of those routes will make it clear which next-hop will be used in the case of a tie. You can set the priority for a route only from the CLI. Lower priorities are preferred. For more information, see the FortiGate CLI Reference. All entries in the routing table are associated with an administrative distance. If the routing table contains several entries that point to the same destination (the entries may have different gateways or interface associations), the FortiGate unit compares the administrative distances of those entries, selects the entries having the lowest distances, and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate forwarding table contains only those routes having the lowest distances to every possible destination. For information about how to change the administrative distance associated with a static route, see Adding a static route to the routing table on page 284.

Route priority
After the FortiGate unit selects static routes for the forwarding table based on their administrative distances, the priority field of those routes determines routing preference. You configure the priority field through the CLI. The route with the lowest value in the priority field is considered the best route, and it is also the primary route. The command to set the priority field is set priority <integer> under the config router static command. For more information, see the FortiGate CLI Reference. In summary, because you can use the CLI to specify which sequence numbers or priority field settings to use when defining static routes, you can prioritize routes to the same destination according to their priority field settings. For a static route to be the preferred route, you must create the route using the config router static CLI command and specify a low priority for the route. If two routes have the same administrative distance and the same priority, then they are equal cost multipath (ECMP) routes. Since this means there is more than one route to the same destination, it can be confusing which route or routes to install and use. However, if you have enabled load balancing with ECMP routes, then different sessions will resolve this problem by using different routes to the same address. For more information, see load balancing in Configuring virtual IPs on page 370.

Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in Linux programming. Blackhole routes are used to dispose of packets instead of responding to suspicious inquiries. This provides added security since the originator will not discover any information from the target network.


Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in use, traffic to those addresses (traffic which may be valid or malicious) can be directed to a blackhole for added security and to reduce traffic on the subnet. The loopback interface, a virtual interface that does not forward traffic, was added to enable easier configuration of blackhole routing. It is similar to a normal interface but has fewer parameters to configure, and all traffic sent to it stops there. Since it cannot have hardware connection or link status problems, it is always available, making it useful for other dynamic routing roles. Once configured, you can use a loopback interface in firewall policies, routing, and other places that refer to interfaces. You configure this feature only from the CLI. For more information, see the system chapter of the FortiGate CLI Reference.
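The route selection rules above (lowest administrative distance per destination, then longest prefix, then lowest priority, with equal-priority routes forming an ECMP set), the reverse path check from How routing decisions are made, and the blackhole route can be followed in this added Python model, which is not FortiOS code. The Table 42 distances and the Figure 165 networks are the page's; the 203.0.113.0/24 uplink, the wan2 interface, the loopback0 name and the 10.0.0.0/8 routes are constructed sample values, and the reverse path check is simplified to a strict comparison of the ingress interface with the route back to the source.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances from Table 42 of the guide.
DEFAULT_DISTANCE = {"connected": 1, "static": 10, "ebgp": 20,
                    "ospf": 110, "rip": 120, "ibgp": 200}


@dataclass(frozen=True)
class Route:
    dst: str                        # destination prefix; "0.0.0.0/0" is the default route
    device: str                     # FortiGate interface the packet leaves through
    gateway: str = ""               # next-hop router; empty for connected or blackhole routes
    source: str = "static"          # protocol that supplied the route (key of DEFAULT_DISTANCE)
    distance: Optional[int] = None  # None means the protocol default from Table 42
    priority: int = 0               # CLI "set priority"; lower wins among equal distances
    blackhole: bool = False         # traffic matching this route is silently dropped

    @property
    def network(self):
        return ipaddress.ip_network(self.dst, strict=False)

    @property
    def effective_distance(self):
        return DEFAULT_DISTANCE[self.source] if self.distance is None else self.distance


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route):
        # A distance of 255 is treated as infinite and is never installed.
        if route.effective_distance >= 255:
            return False
        self.routes.append(route)
        return True

    def forwarding_table(self):
        """Per destination prefix, keep only the route(s) with the lowest distance."""
        best = {}
        for r in self.routes:
            current = best.get(r.network)
            if current is None or r.effective_distance < current[0].effective_distance:
                best[r.network] = [r]
            elif r.effective_distance == current[0].effective_distance:
                current.append(r)
        return best

    def lookup(self, ip):
        """Longest prefix match, then lowest priority; ties are the ECMP set."""
        addr = ipaddress.ip_address(ip)
        hits = [(net, rs) for net, rs in self.forwarding_table().items() if addr in net]
        if not hits:
            return []
        _, routes = max(hits, key=lambda h: h[0].prefixlen)
        lowest = min(r.priority for r in routes)
        return [r for r in routes if r.priority == lowest]

    def rpf_ok(self, src_ip, ingress):
        """Reverse path check: the source must be reachable back out the ingress interface."""
        return any(r.device == ingress for r in self.lookup(src_ip))

    def decide(self, src_ip, dst_ip, ingress):
        if not self.rpf_ok(src_ip, ingress):
            return "drop: reverse path check failed"
        routes = self.lookup(dst_ip)
        if not routes:
            return "drop: no route"
        if any(r.blackhole for r in routes):
            return "blackhole"
        return "forward via " + ",".join(f"{r.device}/{r.gateway}" for r in routes)


def build_example_table():
    """Topology of Figure 165 plus a constructed Internet uplink (203.0.113.0/24 on external)."""
    t = RoutingTable()
    for dst, dev in (("192.168.10.0/24", "internal"), ("192.168.11.0/24", "dmz"),
                     ("203.0.113.0/24", "external")):
        t.add(Route(dst, dev, source="connected"))
    t.add(Route("192.168.20.0/24", "internal", "192.168.10.1"))   # Network_1 via Router_1
    t.add(Route("192.168.30.0/24", "dmz", "192.168.11.1"))        # Network_2 via Router_2
    t.add(Route("192.168.30.0/24", "internal", "192.168.10.1", source="rip"))  # loses: 120 > 10
    t.add(Route("0.0.0.0/0", "external", "203.0.113.1"))          # primary default route
    t.add(Route("0.0.0.0/0", "wan2", "198.51.100.1", priority=10))  # backup: same distance
    t.add(Route("10.0.0.0/8", "external", "203.0.113.1"))         # two equal routes: ECMP
    t.add(Route("10.0.0.0/8", "wan2", "198.51.100.1"))
    t.add(Route("192.168.20.128/25", "loopback0", blackhole=True))  # unused half of Network_1
    return t
```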

Static Route
You configure static routes by defining the destination IP address and netmask of packets that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address for those packets. The gateway address specifies the next-hop router to which traffic will be routed.
Note: You can use the config router static6 CLI command to add, edit, or delete static routes for IPv6 traffic. For more information, see the router chapter of the FortiGate CLI Reference.

Working with static routes


The Static Route list displays information that the FortiGate unit compares to packet headers in order to route packets. Initially, the list contains the factory configured static default route. For more information, see Default route and default gateway on page 281. You can add new entries manually. When you add a static route to the Static Route list, the FortiGate unit performs a check to determine whether a matching route and destination already exist in the FortiGate routing table. If no match is found, the FortiGate unit adds the route to the routing table. When IPv6 is enabled in the GUI, IPv6 routes are visible on the Static Route list. Otherwise, IPv6 routes are not displayed. For more information on IPv6, see FortiGate IPv6 support on page 230.
Note: Unless otherwise specified, static route examples and procedures are for IPv4 static routes.

To view the static route list, go to Router > Static > Static Route. Figure 163 shows the static route list belonging to a FortiGate unit that has interfaces named port1 and port2. The names of the interfaces on your FortiGate unit may be different.


Figure 163: Static Route list when IPv6 is enabled in the GUI

Create New: Add a static route to the Static Route list. For more information, see Adding a static route to the routing table on page 284. Select the down arrow to create an IPv6 static route.
Route (Expand Arrow): Select the Expand Arrow to display or hide the IPv4 static routes. By default these routes are displayed. This is displayed only when IPv6 is enabled in the GUI.
IPv6 Route (Expand Arrow): Select the Expand Arrow to display or hide the IPv6 static routes. By default these routes are hidden. This is displayed only when IPv6 is enabled in the GUI.
IP/Mask: The destination IP addresses and network masks of packets that the FortiGate unit intercepts.
Gateway: The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device: The names of the FortiGate interfaces through which intercepted packets are received and sent.
Distance: The administrative distances associated with each route. The values represent distances to next-hop routers.
Delete and Edit icons: Delete or edit an entry in the list.

Default route and default gateway


In the factory default configuration, entry number 1 in the Static Route list is associated with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route is called the static default route. If no other routes are present in the routing table and a packet needs to be forwarded beyond the FortiGate unit, the factory configured static default route causes the FortiGate unit to forward the packet to the default gateway. You must either edit the factory configured static default route to specify a different default gateway for the FortiGate unit, or delete the factory configured route and specify your own static default route that points to the default gateway for the FortiGate unit.
Note: For network traffic to pass, even with the correct routes configured, you must have the appropriate firewall policies. For details, see Configuring firewall policies on page 323.

For example, Figure 164 shows a FortiGate unit connected to a router. To ensure that all outbound packets destined to any network beyond the router are routed to the correct destination, you must edit the factory default configuration and make the router the default gateway for the FortiGate unit.


Figure 164: Making a router the default gateway
(Topology shown in the figure: the Internet; a Gateway Router at 192.168.10.1 connected to the FortiGate_1 external interface; the FortiGate_1 internal interface connected to the Internal network 192.168.20.0/24.)

To route outbound packets from the internal network to destinations that are not on network 192.168.20.0/24, you would edit the default route and include the following settings:
Destination IP/mask: 0.0.0.0/0.0.0.0
Gateway: 192.168.10.1
Device: Name of the interface connected to network 192.168.10.0/24 (for example external).
Distance: 10

The Gateway setting specifies the IP address of the next-hop router interface to the FortiGate external interface. The interface behind the router (192.168.10.1) is the default gateway for FortiGate_1. In some cases, there may be routers behind the FortiGate unit. If the destination IP address of a packet is not on the local network but is on a network behind one of those routers, the FortiGate routing table must include a static route to that network. For example, in Figure 165, the FortiGate unit must be configured with static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and Network_2 respectively.


Figure 165: Destinations on networks behind internal routers
(Topology shown in the figure: the Internet above FortiGate_1; the FortiGate_1 internal interface connects to Gateway Router_1 at 192.168.10.1, behind which is Network_1 192.168.20.0/24; the dmz interface connects to Gateway Router_2 at 192.168.11.1, behind which is Network_2 192.168.30.0/24.)

To route packets from Network_1 to Network_2, Router_1 must be configured to use the FortiGate internal interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask: 192.168.30.0/24
Gateway: 192.168.11.1
Device: dmz
Distance: 10

To route packets from Network_2 to Network_1, Router_2 must be configured to use the FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a new static route with these settings:
Destination IP/mask: 192.168.20.0/24
Gateway: 192.168.10.1
Device: internal
Distance: 10

Changing the gateway for the default route


The default gateway determines where packets matching the default route will be forwarded.
Note: If you are using DHCP or PPPoE over a modem interface on your FortiGate unit, you may have problems configuring a static route. After trying to either Renew your DHCP lease or Reconnect the PPPoE connection, go to the CLI and enable dynamic-gateway under config system interface for the modem interface. Doing this will remove the need to specify a gateway for this interface's route. For more information, see the FortiGate CLI Reference.

To change the gateway for the default route
1 Go to Router > Static > Static Route.

2 Select the Edit icon in row 1.
3 If the FortiGate unit reaches the next-hop router through an interface other than the interface that is currently selected in the Device field, select the name of the interface from the Device field.
4 In the Gateway field, type the IP address of the next-hop router to which outbound traffic may be directed.
5 In the Distance field, optionally adjust the administrative distance value.
6 Select OK.

Adding a static route to the routing table


A route provides the FortiGate unit with the information it needs to forward a packet to a particular destination. A static route causes packets to be forwarded to a destination other than the default gateway. You define static routes manually. Static routes control traffic exiting the FortiGate unit: you can specify through which interface the packet will leave and to which device the packet should be routed.

To add a static route entry
1 Go to Router > Static > Static Route.
2 Select Create New.
3 Enter the IP address and netmask. For example, 172.1.2.0/255.255.255.0 would be a route for all addresses on the subnet 172.1.2.x.
4 Enter the FortiGate unit interface closest to this subnet, or connected to it.
5 Enter the gateway IP address. Continuing with the example, 172.1.2.3 would be a valid address.
6 Enter the administrative distance of this route. The administrative distance allows you to weight one route to be preferred over another. This is useful when one route is unreliable. For example, if route A has an administrative distance of 10 and route B has an administrative distance of 30, the preferred route is route A with the smaller administrative distance of 10. If you discover that route A is unreliable, you can change the administrative distance for route A from 10 to 40, which will make route B the preferred route.
7 Select OK to confirm and save your new static route.

When you add a static route through the web-based manager, the FortiGate unit assigns the next unassigned sequence number to the route automatically and adds the entry to the Static Route list. Figure 166 shows the Edit Static Route dialog box belonging to a FortiGate unit that has an interface named internal. The names of the interfaces on your FortiGate unit may be different.


Figure 166: Edit Static Route

Destination IP/Mask: Type the destination IP address and network mask of packets that the FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Gateway: Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.
Device: Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.
Distance: Type an administrative distance from 1 to 255 for the route. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route.

Policy Route
A routing policy allows you to redirect traffic away from a static route. This can be useful if you want to route certain types of network traffic differently. You can use the incoming traffic's protocol, source address or interface, destination address, or port number to determine where to send the traffic. For example, generally network traffic would go to the router of a subnet, but you might want to direct SMTP or POP3 traffic addressed to that subnet directly to the mail server. If you have configured the FortiGate unit with routing policies and a packet arrives at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to match the packet with a policy. If a match is found and the policy contains enough information to route the packet (a minimum of the IP address of the next-hop router and the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet using the information in the policy. If no policy route matches the packet, the FortiGate unit routes the packet using the routing table.
Note: Most policy settings are optional, so a matching policy alone might not provide enough information for forwarding the packet. The FortiGate unit may refer to the routing table in an attempt to match the information in the packet header with a route in the routing table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit looks up the IP address of the next-hop router in the routing table. This situation could happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want or are unable to specify the IP address of the next-hop router.

Policy route options define which attributes of an incoming packet cause policy routing to occur. If the attributes of a packet match all the specified conditions, the FortiGate unit routes the packet through the specified interface to the specified gateway. Figure 167 shows the policy route list belonging to a FortiGate unit that has interfaces named external and internal. The names of the interfaces on your FortiGate unit may be different. To edit an existing policy route, see Adding a policy route on page 286.


Figure 167: Policy Route list

Create New: Add a policy route. See Adding a policy route on page 286.
#: The ID numbers of configured route policies. These numbers are sequential unless policies have been moved within the table.
Incoming: The interfaces on which packets subjected to route policies are received.
Outgoing: The interfaces through which policy routed packets are routed.
Source: The IP source addresses and network masks that cause policy routing to occur.
Destination: The IP destination addresses and network masks that cause policy routing to occur.
Delete icon: Delete a policy route.
Edit icon: Edit a policy route.
Move To icon: After selecting this icon, enter the destination position in the window that appears, and select OK. For more information, see Moving a policy route on page 287.

Adding a policy route


To add a policy route, go to Router > Static > Policy Route and select Create New. Figure 168 shows the New Routing Policy dialog box belonging to a FortiGate unit that has interfaces named external and internal. The names of the interfaces on your FortiGate unit may be different.
Figure 168: New Routing Policy

Protocol: To perform policy routing based on the value in the protocol field of the packet, enter the protocol number to match. The Internet Protocol Number is found in the IP packet header, and RFC 5237 includes a list of the assigned protocol numbers. The range is from 0 to 255. A value of 0 disables the feature.
Incoming Interface: Select the name of the interface through which incoming packets subjected to the policy are received.


Source Address / Mask: To perform policy routing based on the IP source address of the packet, type the source address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Address / Mask: To perform policy routing based on the IP destination address of the packet, type the destination address and network mask to match. A value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Ports: To perform policy routing based on the port on which the packet is received, type the same port number in the From and To fields. To apply policy routing to a range of ports, type the starting port number in the From field and the ending port number in the To field. A value of 0 disables this feature. The Destination Ports fields are only used for TCP and UDP protocols. The ports are skipped over for all other protocols.
Type of Service: Use a two digit hexadecimal bit pattern to match to define the service, or use a two digit hexadecimal bit mask to mask out. For example, if you want the policy to apply to service 14 you would use a bit pattern of 0E. If you wanted to ignore all odd numbered services you would use a bit mask of 01.
Outgoing Interface: Select the name of the interface through which packets affected by the policy will be routed.
Gateway Address: Type the IP address of the next-hop router that the FortiGate unit can access through the specified interface. A value of 0.0.0.0 is not valid.

Moving a policy route


A routing policy is added to the bottom of the routing table when it is created. If you prefer to use one policy over another, you may want to move it to a different location in the routing policy table. The option to use one of two routes happens when both routes are a match, for example 172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these routes are in the policy table, both can match a route to 172.20.120.112 but you consider the second one as a better match. In that case the best match route should be positioned before the other route in the policy table. In the case of two matches in the routing table, alternating sessions will use both routes in a load balancing configuration. You can also manually assign priorities to routes. For two matches in the routing table, the priority will determine which route is used. This feature is available only through the CLI. For details, see FortiGate CLI Reference. To change the position of a policy route in the table, go to Router > Static > Policy Route and select Move To for the policy route you want to move.
Figure 169: Moving a policy route

Before/After: Select Before to place the selected Policy Route before the indicated route. Select After to place it following the indicated route.
Policy route ID: Enter the Policy route ID of the route in the Policy route table to move the selected route before or after.
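As an added illustration (not FortiOS code) of the policy route matching and ordering described in this section, the following Python model walks the list from the top, skips disabled fields, evaluates destination ports only for TCP and UDP, and implements the Move To dialog of Figure 169. The overlapping 172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0 policies and the 0E bit pattern are the page's; the gateway addresses, the mail server subnet 10.9.9.0/24 and the masked-compare reading of the Type of Service pattern and mask are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17          # IP protocol numbers; destination ports are checked only for these
ANY = "0.0.0.0/0.0.0.0"   # the value that disables an address match


@dataclass
class PolicyRoute:
    id: int
    incoming: str
    outgoing: str
    gateway: Optional[str] = None  # None: next hop is looked up in the routing table (see the Note)
    protocol: int = 0              # 0 disables the protocol check
    src: str = ANY
    dst: str = ANY
    port_from: int = 0             # 0 disables the destination port check
    port_to: int = 0
    tos: str = "00"                # two-digit hex bit pattern
    tos_mask: str = "00"           # two-digit hex bit mask; 00 evaluates no bits


@dataclass
class Packet:
    ingress: str
    protocol: int
    src: str
    dst: str
    dport: int = 0
    tos: int = 0


def in_net(ip, cidr):
    # ipaddress accepts the guide's dotted-mask notation, e.g. 172.20.0.0/255.255.0.0
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(p, pkt):
    if p.incoming != pkt.ingress:
        return False
    if p.protocol and p.protocol != pkt.protocol:
        return False
    if not (in_net(pkt.src, p.src) and in_net(pkt.dst, p.dst)):
        return False
    if p.port_from and pkt.protocol in (TCP, UDP):
        if not (p.port_from <= pkt.dport <= p.port_to):
            return False
    mask = int(p.tos_mask, 16)   # assumed semantics: compare only the masked bits
    if mask and (pkt.tos & mask) != (int(p.tos, 16) & mask):
        return False
    return True


class PolicyRouteTable:
    def __init__(self):
        self.policies = []

    def create(self, p):
        self.policies.append(p)   # Create New always adds at the bottom of the table

    def move(self, policy_id, where, ref_id):
        """The Move To dialog: place policy_id 'before' or 'after' the policy ref_id."""
        moving = next(p for p in self.policies if p.id == policy_id)
        self.policies.remove(moving)
        idx = next(i for i, p in enumerate(self.policies) if p.id == ref_id)
        self.policies.insert(idx if where == "before" else idx + 1, moving)

    def route(self, pkt):
        """First match from the top wins; None means fall back to the routing table."""
        for p in self.policies:
            if matches(p, pkt):
                return p
        return None


def ordering_example():
    """The overlapping 172.20.0.0/16 and 172.20.120.0/24 policies from the text."""
    t = PolicyRouteTable()
    t.create(PolicyRoute(1, "external", "internal", "172.20.0.1", dst="172.20.0.0/255.255.0.0"))
    t.create(PolicyRoute(2, "external", "dmz", "172.20.120.1", dst="172.20.120.0/255.255.255.0"))
    pkt = Packet("external", TCP, "198.51.100.9", "172.20.120.112", dport=443)
    before = t.route(pkt).id
    t.move(2, "before", 1)       # the more specific policy must sit above the broader one
    return before, t.route(pkt).id


def mail_example():
    """SMTP for a subnet goes straight to the mail server; other traffic falls through."""
    t = PolicyRouteTable()
    t.create(PolicyRoute(1, "internal", "dmz", "10.9.9.25",
                         dst="10.9.9.0/255.255.255.0", port_from=25, port_to=25))
    smtp = Packet("internal", TCP, "192.168.20.5", "10.9.9.80", dport=25)
    web = Packet("internal", TCP, "192.168.20.5", "10.9.9.80", dport=80)
    ping = Packet("internal", 1, "192.168.20.5", "10.9.9.80")   # ICMP: ports are skipped over
    return [t.route(p).id if t.route(p) else None for p in (smtp, web, ping)]


def tos_example():
    """Bit pattern 0E with mask FF matches only packets whose TOS byte is 14."""
    t = PolicyRouteTable()
    t.create(PolicyRoute(1, "internal", "wan2", "198.51.100.1", tos="0E", tos_mask="FF"))
    hits = [t.route(Packet("internal", UDP, "192.168.20.5", "8.8.8.8", 53, tos)) for tos in (14, 15)]
    return [h.id if h else None for h in hits]
```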


Router Dynamic
This section explains how to configure dynamic protocols to route traffic through large or complex networks. Dynamic routing protocols enable the FortiGate unit to automatically share information about routes with neighboring routers and learn about routes and networks advertised by them. The FortiGate unit supports these dynamic routing protocols:
Routing Information Protocol (RIP)
Open Shortest Path First (OSPF)
Border Gateway Protocol (BGP)

The FortiGate unit selects routes and updates its routing table dynamically based on the rules you specify. Given a set of rules, the unit can determine the best route or path for sending packets to a destination. You can also define rules to suppress the advertising of routes to neighboring routers and change FortiGate routing information before it is advertised. If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is configured separately for each virtual domain. For details, see Using virtual domains on page 103.
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast packets to their destinations.

Bi-directional Forwarding Detection (BFD) is a protocol that works with BGP and OSPF to quickly discover routers on the network that cannot be contacted, and to re-route traffic accordingly until those routers can be contacted.

A useful part of the FortiOS web-based management interface is the customizable menus and widgets. These widgets include the following routing widgets: access list, distribute list, key chain, offset list, prefix list, and route map. For more information on these routing widgets, see Customizable routing widgets on page 309.

This section describes:
RIP
OSPF
BGP
Multicast
Bi-directional Forwarding Detection (BFD)
Customizable routing widgets

RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small, relatively homogeneous networks. The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).

How RIP works


When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each of its RIP-enabled interfaces. Neighboring routers respond with information from their routing tables. The FortiGate unit adds routes from neighbors to its own routing table only if those routes are not already recorded in the routing table. When a route already exists in the routing table, the unit compares the advertised route to the recorded route and chooses the shortest route for the routing table. RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents a network that is connected directly to the unit, while a hop count of 16 represents a network that the FortiGate unit cannot reach. Each network that a packet travels through to reach its destination usually counts as one hop. When the FortiGate unit compares two routes to the same destination, it adds the route having the lowest hop count to the routing table. Similarly, when RIP is enabled on an interface, the FortiGate unit sends RIP responses to neighboring routers on a regular basis. The updates provide information about the routes in the FortiGate routing table, subject to the rules that you specify for advertising those routes. You can specify how often the FortiGate unit sends updates, how long a route can be kept in the routing table without being updated, and, for routes that are not updated regularly, how long the unit advertises the route as unreachable before it is removed from the routing table.
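The RIP behaviour described above (hop count as the metric, adoption of a shorter advertised route, 16 as unreachable, and the timeout after which a stale route is advertised as unreachable before being removed) as an added Python model that is not FortiOS code. The neighbours R1 and R2, the advertised networks, and the 30/180/120 second update, timeout and garbage-collection timers (the RFC 2453 defaults) are constructed assumptions.

```python
from dataclasses import dataclass

RIP_INFINITY = 16                          # a hop count of 16 means "unreachable"
UPDATE, TIMEOUT, GARBAGE = 30, 180, 120    # RFC 2453 default timers, in seconds


@dataclass
class RipRoute:
    dst: str
    next_hop: str
    metric: int
    age: int = 0    # seconds since the last update that confirmed this route


class RipTable:
    """Routes learned from neighbours; directly connected networks have hop count 1."""

    def __init__(self, connected):
        self.routes = {dst: RipRoute(dst, "connected", 1) for dst in connected}

    def receive(self, neighbor, advertised):
        """Process one RIP response: advertised is a list of (destination, metric) pairs."""
        for dst, metric in advertised:
            metric = min(metric + 1, RIP_INFINITY)   # one more hop to reach the neighbour
            cur = self.routes.get(dst)
            if cur is None:
                if metric < RIP_INFINITY:            # never learn an unreachable route
                    self.routes[dst] = RipRoute(dst, neighbor, metric)
            elif metric < cur.metric:                # shorter path replaces the recorded one
                self.routes[dst] = RipRoute(dst, neighbor, metric)
            elif cur.next_hop == neighbor:           # same neighbour: refresh, or accept a worse metric
                cur.metric = metric
                cur.age = 0 if metric < RIP_INFINITY else TIMEOUT
            # otherwise a longer route via another neighbour is ignored

    def tick(self, seconds):
        """Advance the timers: expired routes are advertised as unreachable, then dropped."""
        for r in list(self.routes.values()):
            if r.next_hop == "connected":
                continue
            r.age += seconds
            if r.age >= TIMEOUT:
                r.metric = RIP_INFINITY
            if r.age >= TIMEOUT + GARBAGE:
                del self.routes[r.dst]

    def advertise(self):
        """Contents of the periodic update sent every UPDATE seconds."""
        return sorted((r.dst, r.metric) for r in self.routes.values())

    def metric(self, dst):
        r = self.routes.get(dst)
        return r.metric if r else None


def scenario():
    """Constructed exchange between the FortiGate unit and two neighbours, R1 and R2."""
    t = RipTable(connected=["192.168.10.0/24"])
    t.receive("R1", [("10.1.0.0/24", 1), ("10.2.0.0/24", 3)])   # learned as 2 and 4 hops
    t.receive("R2", [("10.2.0.0/24", 1), ("10.1.0.0/24", 5)])   # 10.2 moves to R2 (2 hops); 10.1 stays
    t.receive("R2", [("10.9.0.0/24", 15)])                      # would be 16 hops: not learned
    t.tick(100)
    t.receive("R1", [("10.1.0.0/24", 1)])                        # refresh keeps 10.1 current
    t.tick(80)                                                   # 10.2 via R2 is now 180 s stale
    stale = t.advertise()                                        # 10.2 advertised as unreachable
    t.receive("R1", [("10.1.0.0/24", 1)])
    t.tick(GARBAGE)                                              # 10.2 removed from the table
    return stale, t.advertise()
```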

Viewing and editing basic RIP settings


When you configure RIP settings, you have to specify the networks that are running RIP and specify any additional settings needed to adjust RIP operation on the FortiGate interfaces that are connected to the RIP-enabled network. To view and edit RIP settings go to Router > Dynamic > RIP. Figure 170 shows the basic RIP settings on a FortiGate unit that has interfaces named dmz and external. The names of the interfaces on your FortiGate unit may be different.


Figure 170: Basic RIP settings (figure callouts: Expand Arrow, Delete, Edit)

RIP Version: Select the level of RIP compatibility needed at the FortiGate unit. You can enable global RIP settings on all FortiGate interfaces connected to RIP-enabled networks: 1 sends and receives RIP version 1 packets; 2 sends and receives RIP version 2 packets. You can override the global settings for a specific FortiGate interface if required. For more information, see Configuring a RIP-enabled interface on page 293.

Advanced Options: Select the Expand Arrow to view or hide advanced RIP options. For more information, see Selecting advanced RIP options on page 292.

Networks: The IP addresses and network masks of the major networks (connected to the FortiGate unit) that run RIP. When you add a network to the Networks list, the FortiGate interfaces that are part of the network are advertised in RIP updates. You can enable RIP on all FortiGate interfaces whose IP addresses match the RIP network address space.

IP/Netmask: Enter the IP address and netmask that defines the RIP-enabled network.

Add: Select to add the network information to the Networks list.


Interfaces: Any additional settings needed to adjust RIP operation on a FortiGate interface.

Create New: Add new RIP operating parameters for an interface. These parameters override the global RIP settings for that interface. For more information, see Configuring a RIP-enabled interface on page 293.

Interface: The name of the FortiGate RIP interface.

Send Version: The version of RIP used to send updates through each interface: 1, 2, or both.

Receive Version: The version of RIP used to listen for updates on each interface: 1, 2, or both.

Authentication: The type of authentication used on this interface: None, Text or MD5.

Passive: Whether RIP advertisements are suppressed on this interface. A green checkmark means the interface is passive and RIP broadcasts are blocked.

Delete and Edit icons: Delete or edit a RIP network entry or a RIP interface definition.

Selecting advanced RIP options


With advanced RIP options, you can specify settings for RIP timers and define metrics for redistributing routes that the FortiGate unit learns through some means other than RIP updates. For example, if the unit is connected to an OSPF or BGP network or you add a static route to the FortiGate routing table manually, you can configure the unit to advertise those routes on RIP-enabled interfaces. To select advanced RIP options, go to Router > Dynamic > RIP and expand Advanced Options. After you select the options, select Apply.
Note: You can configure additional advanced options through customizable GUI widgets, and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on customizable GUI widgets, see Customizable routing widgets on page 309. For more information on CLI routing commands, see the router chapter of the FortiGate CLI Reference.

Figure 171: Advanced Options (RIP) (figure callout: Expand Arrow)

RIP Version: Select the version of RIP packets to send and receive.

Advanced Options: Select the Expand Arrow to view or hide advanced options.

Default Metric: Enter the default hop count that the FortiGate unit should assign to routes that are added to the FortiGate routing table. The range is from 1 to 16. This metric is the hop count, with 1 being best or shortest. This value also applies to Redistribute unless otherwise specified.

Default-information-originate: Select to generate and advertise a default route into the FortiGate unit's RIP-enabled networks. The generated route may be based on routes learned through a dynamic routing protocol, routes in the routing table, or both.

RIP Timers: Enter new values to override the default RIP timer settings. The default settings are effective in most configurations; if you change these settings, ensure that the new settings are compatible with local routers and access servers. The Update timer must be smaller than the Timeout and Garbage timers; otherwise the FortiGate unit reports an error.

Update: Enter the amount of time (in seconds) that the FortiGate unit waits between sending RIP updates.

Timeout: Enter the maximum amount of time (in seconds) that a route is considered reachable while no updates are received for the route. This is the maximum time the FortiGate unit keeps a reachable route in the routing table while no updates for that route are received. If the FortiGate unit receives an update for the route before the timeout period expires, the timer is restarted. The Timeout period should be at least three times longer than the Update period.

Garbage: Enter the amount of time (in seconds) that the FortiGate unit advertises a route as unreachable before deleting the route from the routing table. The value determines how long an unreachable route is kept in the routing table.

Redistribute: Select one or more of the options to redistribute, in RIP updates, routes that were not learned through RIP. The FortiGate unit can use RIP to redistribute routes learned from directly connected networks, static routes, OSPF, and BGP.

Connected: Select to redistribute routes learned from directly connected networks. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The valid hop count range is from 1 to 16.

Static: Select to redistribute static routes. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.

OSPF: Select to redistribute routes learned through OSPF. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.

BGP: Select to redistribute routes learned through BGP. To specify a hop count for those routes, select Metric, and enter the hop count in the Metric field. The range is from 1 to 16.

Configuring a RIP-enabled interface


You can use RIP interface options to override the global RIP settings that apply to all FortiGate unit interfaces connected to RIP-enabled networks. For example, if you want to suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled network, you can set the interface to operate passively. Passive interfaces listen for RIP updates but do not respond to RIP requests. If RIP version 2 is enabled on the interface, you can optionally choose password authentication to ensure that the FortiGate unit authenticates a neighboring router before accepting updates from that router. The unit and the neighboring router must both be configured with the same password. Authentication guarantees the authenticity of the update packet, not the confidentiality of the routing information in the packet. To set specific RIP operating parameters for a RIP-enabled interface, go to Router > Dynamic > RIP and select Create New.
Note: Additional options such as split-horizon and key-chains can be configured per interface through the CLI. For more information, see the router chapter of the FortiGate CLI Reference or the Fortinet Knowledge Center.


Figure 172 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that has an interface named internal. The names of the interfaces on your FortiGate unit may be different.
Figure 172: New/Edit RIP Interface

Interface: Select the name of the FortiGate interface to which these settings apply. The interface must be connected to a RIP-enabled network. The interface can be a virtual IPSec or GRE interface.

Send Version, Receive Version: Select to override the default RIP-compatibility setting for sending and receiving updates through the interface: RIP version 1, version 2 or Both.

Authentication: Select an authentication method for RIP exchanges on the specified interface:
None: Disable authentication.
Text: Select if the interface is connected to a network that runs RIP version 2. Type a password (up to 35 characters) in the Password field. The FortiGate unit and the RIP updates router must both be configured with the same password. The password is sent in clear text over the network.
MD5: Authenticate the exchange using MD5.

Passive Interface: Select to suppress the advertising of FortiGate unit routing information over the specified interface. Clear the check box to allow the interface to respond normally to RIP requests.
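The difference between the Text and MD5 choices above is easiest to see on the wire. The following Python is an added example written for this guide, not FortiOS code: it builds RIPv2 response packets with the plain-text password entry of RFC 2453 and with the keyed-MD5 trailer of RFC 2082 (which is what "MD5 authentication" means in RIPv2; it is keyed MD5, not HMAC), then verifies the MD5 form the way a receiving router would. The routes, key ID and key are constructed values; the verifier also applies the RFC 2082 sequence-number check.

```python
import hashlib
import hmac
import struct

# RIPv2 constants (RFC 2453 section 4, RFC 2082 section 3)
RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2        # plain-text password, RFC 2453
AUTH_MD5 = 3           # keyed MD5, RFC 2082
HEADER = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def route_entry(prefix, mask, next_hop, metric, tag=0):
    """One 20-byte RIPv2 route entry."""
    return struct.pack("!HH4s4s4sI", AFI_IP, tag, ip_bytes(prefix),
                       ip_bytes(mask), ip_bytes(next_hop), metric)


def _pad_key(key):
    """Passwords and keys occupy a fixed 16-octet field, zero padded."""
    k = key.encode()
    if len(k) > 16:
        raise ValueError("RIP keys and passwords are at most 16 octets")
    return k.ljust(16, b"\x00")


def build_simple_auth(password, routes):
    """Plain-text authentication: the password is the first entry of the
    packet and is readable by anyone who can capture traffic on the segment."""
    auth = struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE, _pad_key(password))
    return HEADER + auth + b"".join(routes)


def build_md5_auth(key, key_id, seq, routes):
    """RFC 2082: an MD5 digest over the packet plus the padded key is appended
    as a trailer; the key itself never appears on the wire."""
    body = b"".join(routes)
    rip2_len = len(HEADER) + 20 + len(body)           # offset of the trailer
    auth = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_MD5, rip2_len, key_id, 16, seq)
    trailer = struct.pack("!HH", AFI_AUTH, 0x0001)
    unsigned = HEADER + auth + body + trailer
    digest = hashlib.md5(unsigned + _pad_key(key)).digest()
    return unsigned + digest


def verify_md5_auth(packet, keys, last_seq=-1):
    """Recompute the digest with the key selected by key ID. Returns the
    sequence number on success, None on any failure (bad length, unknown key,
    digest mismatch, or a sequence number older than the last one accepted)."""
    if len(packet) < len(HEADER) + 20 + 4 + 16:
        return None
    afi, atype, rip2_len, key_id, auth_len, seq = struct.unpack("!HHHBBI", packet[4:16])
    if afi != AFI_AUTH or atype != AUTH_MD5 or auth_len != 16:
        return None
    if rip2_len + 4 + 16 != len(packet):
        return None
    key = keys.get(key_id)
    if key is None:
        return None
    unsigned, digest = packet[:rip2_len + 4], packet[rip2_len + 4:]
    expected = hashlib.md5(unsigned + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return None
    if seq < last_seq:                # RFC 2082 discards older sequence numbers
        return None
    return seq


def tamper_metric(packet, new_metric):
    """Attacker's view: rewrite the metric of the first route in place."""
    off = len(HEADER) + 20 + 16       # metric field of the first route entry
    return packet[:off] + struct.pack("!I", new_metric) + packet[off + 4:]


# Constructed sample: two routes and one key (ID 1) for this interface.
ROUTES = [route_entry("10.1.0.0", "255.255.0.0", "0.0.0.0", 1),
          route_entry("10.2.0.0", "255.255.0.0", "0.0.0.0", 3)]
KEYS = {1: "fortigate-rip-k1"}
```

Two things follow from running this: the simple-password packet contains the password verbatim, so "Text" only stops accidental neighbors, not an attacker who can sniff the segment; and a tampered metric or a packet signed with the wrong key fails verification, but RFC 2082 accepts a sequence number equal to the last one seen, so an exact replay of the most recent update still passes.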

OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in large heterogeneous networks to share routing information among routers in the same Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328). The main benefit of OSPF is that it advertises routes only when neighbors change state instead of at timed intervals, so routing overhead is reduced.

How OSPF works


An OSPF network consists of one or more Autonomous Systems (ASes). An OSPF AS is typically divided into logical areas linked by Area Border Routers. A group of contiguous networks forms an area. An Area Border Router (ABR) links one or more areas to the OSPF network backbone (area ID 0). For information on configuring an OSPF AS, see Defining an OSPF AS: Overview on page 295.

When a FortiGate unit interface is connected to an OSPF area, that unit can participate in OSPF communications. FortiGate units use the OSPF Hello protocol to acquire neighbors in an area. A neighbor is any router that is directly connected to the same area as the FortiGate unit. After initial contact, the FortiGate unit exchanges Hello packets with its OSPF neighbors regularly to confirm that the neighbors can be reached.


OSPF-enabled routers generate Link-State Advertisements (LSAs) and send them to their neighbors whenever the status of a neighbor changes or a new neighbor comes online. As long as the OSPF network is stable, LSA exchanges between OSPF neighbors do not occur (apart from the periodic LSA refresh). An LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides information that enables OSPF-enabled routers to select the shortest path to a destination. LSA exchanges between OSPF-enabled routers can be authenticated with a plain-text password or an MD5 key; see Authentication under Configuring basic OSPF settings.

The FortiGate unit maintains a database of link-state information based on the advertisements that it receives from OSPF-enabled routers. To calculate the best route (shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF) algorithm to the accumulated link-state information. OSPF uses a relative path cost metric for choosing the best route. The path cost can be any metric, but is typically derived from the speed of the path (how fast traffic will get from one point to another). The path cost, similar to distance for RIP, imposes a penalty on the outgoing direction of a FortiGate interface. The path cost of a route is calculated by adding together all of the costs associated with the outgoing interfaces along the path to a destination. The lowest overall path cost indicates the best route, and generally the fastest route.

Note: Inter-area routes may not be calculated when a Cisco-type ABR has no fully adjacent neighbor in the backbone area. In this situation, the router considers summary-LSAs from all actively attached areas (RFC 3509).

The FortiGate unit dynamically updates its routing table based on the results of the SPF calculation to ensure that an OSPF packet will be routed using the shortest path to its destination. Depending on the network topology, the entries in the FortiGate routing table may include:
- the addresses of networks in the local OSPF area (to which packets are sent directly)
- routes to OSPF area border routers (to which packets destined for another area are sent)
- if the network contains OSPF areas and non-OSPF domains, routes to AS boundary routers, which are configured to forward packets to destinations outside the OSPF AS.

The number of routes that a FortiGate unit can learn through OSPF depends on the network topology. A single unit can support tens of thousands of routes if the OSPF network is configured properly.
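The SPF calculation and the rule that cost is charged on the outgoing interface can be checked with a small model. The following Python is an added example written for this guide, not FortiOS code: it runs Dijkstra's algorithm over a constructed link-state database (router names, costs and prefixes are all invented) from the point of view of a FortiGate unit named fgt, derives the routing table as next hop plus total cost, and shows how editing one interface cost moves a prefix to a different path. Because each direction of a link carries its own cost, fgt and r2 do not necessarily agree on the best path between them.

```python
import copy
import heapq

# Constructed link-state database: for each router, the cost of its outgoing
# interface toward each neighbor. Costs belong to the advertising router's
# interface, so the two directions of one link can differ.
LSDB = {
    "fgt": {"r1": 10, "r2": 100},
    "r1":  {"fgt": 10, "r3": 10},
    "r2":  {"fgt": 100, "r3": 10},
    "r3":  {"r1": 10, "r2": 10, "r4": 10},
    "r4":  {"r3": 10},
}

# Stub networks each router advertises, with the cost of the attached interface.
NETWORKS = {
    "r2": {"10.0.2.0/24": 1},
    "r3": {"10.0.3.0/24": 1},
    "r4": {"10.0.4.0/24": 1},
}


def spf(lsdb, root):
    """Dijkstra's shortest path first from root.
    Returns {router: (cost, first_hop)}, first_hop being the neighbor of root
    that the shortest path leaves through (None for root itself)."""
    best = {root: (0, None)}
    heap = [(0, root, None)]
    done = set()
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in lsdb.get(node, {}).items():
            new_cost = cost + link_cost
            hop = nbr if node == root else first_hop
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return best


def routing_table(lsdb, networks, root):
    """Routing table as root would install it: prefix -> (total cost, next hop).
    Total cost is the cost to the advertising router plus that router's
    interface cost to the network."""
    tree = spf(lsdb, root)
    table = {}
    for router, nets in networks.items():
        if router not in tree:
            continue
        rcost, hop = tree[router]
        for prefix, ifcost in nets.items():
            total = rcost + ifcost
            if prefix not in table or total < table[prefix][0]:
                table[prefix] = (total, hop)
    return table


def with_cost(lsdb, router, neighbor, cost):
    """Copy of the LSDB with one outgoing interface cost changed, which is
    what an administrator does when editing an OSPF interface cost."""
    new = copy.deepcopy(lsdb)
    new[router][neighbor] = cost
    return new


if __name__ == "__main__":
    for lsdb, title in ((LSDB, "as advertised"),
                        (with_cost(LSDB, "fgt", "r2", 20), "fgt->r2 lowered to 20")):
        print(title)
        for prefix, (cost, hop) in sorted(routing_table(lsdb, NETWORKS, "fgt").items()):
            print(f"  {prefix:15} cost {cost:3} via {hop}")
```

With the costs as constructed, fgt reaches 10.0.2.0/24 through r1 and r3 at cost 31 rather than over its direct link to r2 at cost 101; lowering the cost of fgt's interface toward r2 to 20 makes the direct link win at cost 21 without changing anything r2 advertises.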

Defining an OSPF AS: Overview


Defining an OSPF Autonomous System (AS) involves:
- defining the characteristics of one or more OSPF areas
- creating associations between the OSPF areas that you defined and the local networks to include in the OSPF AS
- if required, adjusting the settings of OSPF-enabled interfaces.

If you are using the web-based manager to perform these tasks, follow the procedures summarized below.

To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See Defining OSPF areas on page 299.
4 Under Networks, select Create New.
5 Create associations between the OSPF areas that you defined and the local networks to include in the OSPF AS. See Specifying OSPF networks on page 300.
6 If you need to adjust the default settings of an OSPF-enabled interface, select Create New under Interfaces.
7 Select the OSPF operating parameters for the interface. See Selecting operating parameters for an OSPF interface on page 301. Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
8 Optionally select advanced OSPF options for the OSPF AS. See Selecting advanced OSPF options on page 298.
9 Select Apply.

Configuring basic OSPF settings


When you configure OSPF settings, you have to define the AS in which OSPF is enabled and specify which of the FortiGate interfaces participate in the AS. As part of the AS definition, you specify the AS areas and specify which networks to include in those areas. You may optionally adjust the settings associated with OSPF operation on the FortiGate interfaces. To view and edit OSPF settings, go to Router > Dynamic > OSPF. Figure 173 shows the basic OSPF settings on a FortiGate unit that has an interface named port1. The names of the interfaces on your FortiGate unit may be different.
Figure 173: Basic OSPF settings (figure callout: Expand Arrow)

Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers. By convention, the router ID is the numerically highest IP address assigned to any of the FortiGate interfaces in the OSPF AS. If you change the router ID while OSPF is configured on an interface, all connections to OSPF neighbors will be broken temporarily. The connections will re-establish themselves. If Router ID is not explicitly set, the highest IP address of the VDOM or unit will be used.

Advanced Options: Select the Expand Arrow to view or hide advanced OSPF settings. For more information, see Selecting advanced OSPF options on page 298.


Areas: Information about the areas making up an OSPF AS. The header of an OSPF packet contains an area ID, which helps to identify the origination of a packet inside the AS.

Create New: Define and add a new OSPF area to the Areas list. For more information, see Defining OSPF areas on page 299.

Area: The unique 32-bit identifiers of areas in the AS, in dotted-decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted.

Type: The types of areas in the AS: Regular (a normal OSPF area), NSSA (a not-so-stubby area), or Stub (a stub area). For more information, see Defining OSPF areas on page 299.

Authentication: The methods for authenticating OSPF packets sent and received through all FortiGate interfaces linked to each area: None (authentication is disabled), Text (text-based authentication is enabled), or MD5 (MD5 authentication is enabled). A different authentication setting may apply to some of the interfaces in an area, as displayed under Interfaces. For example, if an area employs simple passwords for authentication, you can configure a different password for one or more of the networks in that area.

Networks: The networks in the OSPF AS and their area IDs. When you add a network to the Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF link-state advertisements. You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space. For more information, see Specifying OSPF networks on page 300.

Create New: Add a network to the AS, specify its area ID, and add the definition to the Networks list.

Network: The IP addresses and network masks of networks in the AS on which OSPF runs. The FortiGate unit may have physical or VLAN interfaces connected to the network.

Area: The area IDs that have been assigned to the OSPF network address space.

Interfaces: Any additional settings needed to adjust OSPF operation on a FortiGate interface. For more information, see Selecting operating parameters for an OSPF interface on page 301.

Create New: Create additional/different OSPF operating parameters for a unit interface and add the configuration to the Interfaces list.

Name: The names of OSPF interface definitions.

Interface: The names of FortiGate physical or VLAN interfaces having OSPF settings that differ from the default values assigned to all other interfaces in the same area.

IP: The IP addresses of the OSPF-enabled interfaces having additional/different settings.

Authentication: The methods for authenticating LSA exchanges sent and received on specific OSPF-enabled interfaces. These settings override the area Authentication settings.

Delete and Edit icons: Delete or edit an OSPF area entry, network entry, or interface definition. Icons are visible only when there are entries in the Areas, Networks, and Interfaces sections.


Selecting advanced OSPF options


By selecting advanced OSPF options, you can specify metrics for redistributing routes that the FortiGate unit learns through some means other than OSPF link-state advertisements. For example, if the FortiGate unit is connected to a RIP or BGP network or you add a static route to the FortiGate routing table manually, you can configure the unit to advertise those routes on OSPF-enabled interfaces. To select advanced OSPF options, go to Router > Dynamic > OSPF and expand Advanced Options. After you select the options, select Apply.
Figure 174: Advanced Options (OSPF) (figure callout: Expand Arrow)

Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers.

Expand Arrow: Select to view or hide Advanced Options.

Default Information: Generate and advertise a default (external) route to the OSPF AS. You may base the generated route on routes learned through a dynamic routing protocol, routes in the routing table, or both.
None: Prevent the generation of a default route.
Regular: Generate a default route into the OSPF AS and advertise it to OSPF neighbors only if a default route is stored in the FortiGate routing table.
Always: Generate a default route into the OSPF AS and advertise it to OSPF neighbors unconditionally, even if no default route is stored in the FortiGate routing table.

Redistribute: Select one or more of the options listed to redistribute, in OSPF link-state advertisements, routes that were not learned through OSPF. The FortiGate unit can use OSPF to redistribute routes learned from directly connected networks, static routes, RIP, and BGP.

Connected: Select to redistribute routes learned from directly connected networks. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

Static: Select to redistribute static routes. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

RIP: Select to redistribute routes learned through RIP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

BGP: Select to redistribute routes learned through BGP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.


Note: You can configure additional advanced options through customizable GUI widgets, and the CLI. For example, you can filter incoming or outgoing updates by using a route map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add the specified offset to the metric of a route. For more information on customizable GUI widgets, see Customizable routing widgets on page 309. For more information on CLI routing commands, see the router chapter of the FortiGate CLI Reference.

Defining OSPF areas


An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID expressed in dotted-decimal notation, for example 192.168.0.1. Area ID 0.0.0.0 is reserved for the OSPF network backbone. You can classify the remaining areas of an AS as regular, stub, or NSSA.

A regular area contains more than one router, each having at least one OSPF-enabled interface to the area.

To reach the OSPF backbone, the routers in a stub area must send packets to an area border router. Routes leading to non-OSPF domains are not advertised to the routers in stub areas. Instead, the area border router advertises a single default route (destination 0.0.0.0) into the stub area, which ensures that any packet that cannot be matched to a specific route will match the default route. Any router connected to a stub area is considered part of the stub area.

In a Not-So-Stubby Area (NSSA), routes that lead out of the area into a non-OSPF domain are made known to the OSPF AS. However, the area itself continues to be treated like a stub area by the rest of the AS.

Regular areas and stub areas (including not-so-stubby areas) are connected to the OSPF backbone through area border routers.

To define an OSPF area, go to Router > Dynamic > OSPF, and then under Areas, select Create New. To edit the attributes of an OSPF area, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the area.

Note: If required, you can define a virtual link to an area that has lost its physical connection to the OSPF backbone. Virtual links can be set up only between two FortiGate units that act as area border routers. For more information on virtual links, see the FortiGate CLI Reference.

Figure 175: New/Edit OSPF Area


Area: Type a 32-bit identifier for the area. The value must resemble an IP address in dotted-decimal notation. Once you have created the OSPF area, the area ID value cannot be changed; you must delete the area and start again.

Type: Select an area type to classify the characteristics of the network that will be assigned to the area:
Regular: If the area contains more than one router, each having at least one OSPF-enabled interface to the area.
NSSA: If you want routes to external non-OSPF domains made known to the OSPF AS and you want the area to be treated like a stub area by the rest of the AS.
STUB: If the routers in the area must send packets to an area border router in order to reach the backbone and you do not want routes to non-OSPF domains to be advertised to the routers in the area.

Authentication: Select the method for authenticating OSPF packets sent and received through all interfaces in the area:
None: Disable authentication.
Text: Authenticate LSA exchanges using a plain-text password. The password is sent in clear text over the network.
MD5: Enable MD5-based authentication using an MD5 cryptographic hash (RFC 1321).
If required, you can override this setting for one or more of the interfaces in the area. For more information, see Selecting operating parameters for an OSPF interface on page 301.

Note: To assign a network to the area, see Specifying OSPF networks on page 300.

Specifying OSPF networks


OSPF areas group a number of contiguous networks together. When you assign an area ID to a network address space, the attributes of the area are associated with the network. To assign an OSPF area ID to a network, go to Router > Dynamic > OSPF, and then under Networks, select Create New. To change the OSPF area ID assigned to a network, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the network.
Figure 176: New/Edit OSPF Network

IP/Netmask: Enter the IP address and network mask of the local network that you want to assign to an OSPF area.

Area: Select an area ID for the network. The attributes of the area must match the characteristics and topology of the specified network. You must define the area before you can select the area ID. For more information, see Defining OSPF areas on page 299.


Selecting operating parameters for an OSPF interface


An OSPF interface definition contains specific operating parameters for a FortiGate OSPF-enabled interface. The definition includes the name of the interface (for example, external or VLAN_1), the IP address assigned to the interface, the method for authenticating LSA exchanges through the interface, and the Hello and Dead interval timers.

You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF-enabled network space. For example, define an area of 0.0.0.0 and the OSPF network as 10.0.0.0/16. Then define vlan1 as 10.0.1.1/24, vlan2 as 10.0.2.1/24 and vlan3 as 10.0.3.1/24. All three VLANs can run OSPF in area 0.0.0.0. To enable all interfaces, you would create an OSPF network of 0.0.0.0/0. Note that every interface matched in this way will accept Hello packets and form adjacencies, including interfaces facing untrusted networks, so keep the OSPF network definitions as narrow as the topology allows.

You can configure different OSPF parameters for the same FortiGate interface when more than one IP address has been assigned to the interface. For example, the same FortiGate interface could be connected to two neighbors through different subnets. You could configure an OSPF interface definition containing one set of Hello and dead-interval parameters for compatibility with one neighbor's settings, and a second OSPF interface definition for the same interface to ensure compatibility with the second neighbor's settings.

To select OSPF operating parameters for a FortiGate interface, go to Router > Dynamic > OSPF, and then under Interfaces, select Create New. To edit the operating parameters of an OSPF-enabled interface, go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to the OSPF-enabled interface. Figure 177 shows the New/Edit OSPF Interface dialog box belonging to a FortiGate unit that has an interface named port1. The interface names on your FortiGate unit may differ.
Figure 177: New/Edit OSPF Interface (figure callout: Add)

Name: Enter a name to identify the OSPF interface definition. For example, the name could indicate to which OSPF area the interface will be linked.

Interface: Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1). The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network.

IP: Enter the IP address that has been assigned to the OSPF-enabled interface. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140.

Authentication: Select an authentication method for LSA exchanges on the specified interface:
None: Disable authentication.
Text: Authenticate LSA exchanges using a plain-text password. The password is sent in clear text over the network, so anyone who can capture traffic on the segment can read it.
MD5: Use one or more keys to generate an MD5 cryptographic hash.

Password: Enter the plain-text password. Enter an alphanumeric value of up to 15 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical password. This field is available only if you selected plain-text authentication.

MD5 Keys: Enter the key identifier for the (first) key in the ID field (the range is from 1 to 255) and then type the associated secret key in the Key field. The key is an alphanumeric string of up to 16 characters; it is never sent on the wire, but is used to compute the 128-bit MD5 hash appended to each OSPF packet. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical MD5 key and key ID. If the OSPF neighbor uses more than one key to generate MD5 hashes, select the Add icon to add additional MD5 keys to the list. This field is available only if you selected MD5 authentication.

Hello Interval: Optionally, set the Hello Interval to be compatible with Hello Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits between sending Hello packets through this interface.

Dead Interval: Optionally, set the Dead Interval to be compatible with Dead Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits to receive a Hello packet from an OSPF neighbor through the interface. If the FortiGate unit does not receive a Hello packet within the specified amount of time, the FortiGate unit declares the neighbor inaccessible. By convention, the Dead Interval value is usually four times greater than the Hello Interval value.
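Several of the fields above (area, network mask, Hello Interval, Dead Interval and authentication type) are carried in every OSPF Hello packet, and a neighbor whose values differ from the local interface's never becomes a neighbor at all, which is why "compatible with all OSPF neighbors" matters. The following Python is an added example written for this guide, not FortiOS code: it builds and parses an OSPFv2 Hello packet (RFC 2328, Appendix A), then lists the fields that would block adjacency on a broadcast network (RFC 2328 section 10.5). The router IDs, addresses and timers are constructed; the sample leaves the OSPF checksum and the 64-bit authentication field empty and the parser does not validate them, because the point here is the parameter comparison, not packet integrity.

```python
import struct
from dataclasses import dataclass

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTH_NAMES = {0: "none", 1: "text", 2: "md5"}      # AuType values, RFC 2328 A.3.1


@dataclass
class HelloParams:
    """Per-interface settings that appear in a Hello packet."""
    area: str
    mask: str
    hello: int
    dead: int
    auth: str = "none"          # none | text | md5


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_hello(router_id, params, priority=1, neighbors=()):
    """Constructed OSPFv2 Hello: 24-byte header followed by the Hello body.
    Checksum and authentication field are left at zero in this sample."""
    au_type = {v: k for k, v in AUTH_NAMES.items()}[params.auth]
    body = struct.pack("!4sHBBI4s4s", ip_bytes(params.mask), params.hello, 0x02,
                       priority, params.dead, b"\0" * 4, b"\0" * 4)
    body += b"".join(ip_bytes(n) for n in neighbors)
    header = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO, 24 + len(body),
                         ip_bytes(router_id), ip_bytes(params.area), 0, au_type, b"\0" * 8)
    return header + body


def parse_hello(packet):
    """Return (router_id, HelloParams, neighbor list); raise ValueError on malformed input."""
    if len(packet) < 44:
        raise ValueError("truncated OSPF Hello")
    ver, ptype, length, rid, area, _csum, au_type, _auth = struct.unpack("!BBH4s4sHH8s", packet[:24])
    if ver != OSPF_VERSION or ptype != OSPF_HELLO or length != len(packet):
        raise ValueError("not an OSPFv2 Hello of the stated length")
    mask, hello, _opts, _prio, dead, _dr, _bdr = struct.unpack("!4sHBBI4s4s", packet[24:44])
    rest = packet[44:]
    if len(rest) % 4:
        raise ValueError("neighbor list is not a multiple of 4 octets")
    neighbors = [ip_str(rest[i:i + 4]) for i in range(0, len(rest), 4)]
    params = HelloParams(ip_str(area), ip_str(mask), hello, dead, AUTH_NAMES.get(au_type, "unknown"))
    return ip_str(rid), params, neighbors


def adjacency_blockers(local, remote):
    """Fields that must match on a broadcast network before two routers become
    neighbors. Returns human-readable reasons; an empty list means compatible."""
    reasons = []
    if local.area != remote.area:
        reasons.append(f"area {local.area} != {remote.area}")
    if local.mask != remote.mask:
        reasons.append(f"network mask {local.mask} != {remote.mask}")
    if local.hello != remote.hello:
        reasons.append(f"hello interval {local.hello} != {remote.hello}")
    if local.dead != remote.dead:
        reasons.append(f"dead interval {local.dead} != {remote.dead}")
    if local.auth != remote.auth:
        reasons.append(f"authentication type {local.auth} != {remote.auth}")
    return reasons
```

The authentication check is deliberately the last one: a neighbor that advertises AuType "none" while the local interface expects MD5 is rejected before any key comparison takes place, so a Hello with the wrong timers and no authentication is reported on all counts rather than silently dropped.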

BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to exchange routing information between different ISP networks. For example, BGP enables the sharing of network paths between the ISP network and an autonomous system (AS) that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385.

How BGP works


When BGP is enabled on an interface, the FortiGate unit sends routing table updates to the BGP peers reachable through that interface whenever any part of the FortiGate routing table changes. Each AS to which the unit belongs is identified by an AS number. BGP updates advertise the best path to a destination network. When the FortiGate unit receives a BGP update, it compares the attributes of the candidate paths, including the Multi-Exit Discriminator (MED), to determine the best path to a destination network before recording the path in the FortiGate routing table.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

BGP has the capability to gracefully restart. With graceful restart, a router whose BGP process restarts keeps forwarding traffic on its existing routes while the control plane recovers, and its neighbors retain the routes learned from it for the restart period instead of withdrawing them. This limits the effects of software problems and reduces routing flaps, which stabilizes the network.
Note: You can configure graceful restarting and other advanced settings only through CLI commands. For more information on advanced BGP settings, see the router chapter of the FortiGate CLI Reference.

Viewing and editing BGP settings


When you configure BGP settings, you need to specify the AS to which the FortiGate unit belongs and enter a router ID to identify this unit to other BGP routers. You must also identify the FortiGate unit's BGP neighbors and specify which of the networks local to the FortiGate unit should be advertised to BGP neighbors. To view and edit BGP settings, go to Router > Dynamic > BGP. The web-based manager offers a simplified user interface to configure basic BGP options. You can also configure many advanced BGP options through the CLI. For more information, see the router chapter of the FortiGate CLI Reference.
Figure 178: Basic BGP options

Local AS
    Enter the number of the local AS to which the FortiGate unit belongs.
Router ID
    Enter a unique router ID to identify the FortiGate unit to other BGP routers. The router ID is an IP address written in dotted-decimal format, for example 192.168.0.1. If you change the router ID while BGP is configured on an interface, all connections to BGP peers will be broken temporarily. The connections will reestablish themselves. If Router ID is not explicitly set, the highest IP address of the VDOM will be used.
Neighbors
    The IP addresses and AS numbers of BGP peers in neighboring autonomous systems.
    IP            Enter the IP address of the neighbor interface to the BGP-enabled network.
    Remote AS     Enter the number of the AS that the neighbor belongs to.
    Add/Edit      Add the neighbor information to the Neighbors list, or edit an entry in the list.
    Neighbor      The IP addresses of BGP peers.
    Remote AS     The numbers of the autonomous systems associated with the BGP peers.
    Delete icon   Delete a BGP neighbor entry.


Networks
    The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks.
    IP/Netmask    Enter the IP address and netmask of the network to be advertised.
    Add Network   Add the network information to the Networks list.
    IP/Netmask    The IP addresses and network masks of major networks that are advertised to BGP peers.
    Delete icon   Delete a BGP network definition.

Note: The get router info bgp CLI command provides detailed information about configured BGP settings. For a complete list of the command options, see the router chapter of the FortiGate CLI Reference.

Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM dense mode (RFC 3973) and can service multicast servers or receivers on the network segment to which a FortiGate interface is connected.

How multicast works


Multicast server applications use a (Class D) multicast address to send one copy of a packet to a group of receivers. The PIM routers throughout the network ensure that only one copy of the packet is forwarded through the network until it reaches an end-point destination. At the end-point destination, copies of the packet are made only when required to deliver the information to multicast client applications that request traffic destined for the multicast address.
Note: To support PIM communications, the sending/receiving applications and all connecting PIM routers in between must be enabled with PIM version 2. PIM does not build its own unicast topology: it relies on the unicast routing table, learned from static routes, RIP, OSPF, or BGP, both for its Reverse Path Forwarding (RPF) checks and for forwarding multicast packets toward their destinations. To support source-to-destination packet delivery, either sparse mode or dense mode must be enabled on all the PIM-router interfaces. Sparse mode routers cannot send multicast messages to dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM router, or between two PIM routers, or is connected directly to a receiver, you must create a firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP traffic) between the source and destination.

A PIM domain is a logical area comprising a number of contiguous networks. The domain contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs). When you enable PIM on a FortiGate unit, the FortiGate unit can perform any of these functions at any time as configured. If required for sparse mode operation, you can define static RPs.
Note: You can configure basic options through the web-based manager. Many additional options are available, but only through the CLI. For complete descriptions and examples of how to use CLI commands to configure PIM settings, see multicast in the router chapter of the FortiGate CLI Reference.

Note: For more information about FortiGate multicast support, see the FortiGate Multicast Technical Note.


Viewing and editing multicast settings


When multicast (PIM) routing is enabled, you can configure sparse mode or dense mode operation on any FortiGate interface. To view and edit PIM settings, go to Router > Dynamic > Multicast. The web-based manager offers a simplified user interface to configure basic PIM options. You can also configure advanced PIM options through the CLI. For more information, see the router chapter of the FortiGate CLI Reference.
Figure 179: Basic Multicast options

Enable Multicast Routing
    Select to enable PIM version 2 routing. A firewall policy must be created on PIM-enabled interfaces to pass encapsulated packets and decapsulated data between the source and destination.
Add Static RP
    If required for sparse mode operation, enter the IP address of a Rendezvous Point (RP) that may be used as the root of a packet distribution tree for a multicast group. Join messages from the multicast group are sent to the RP, and data from the source is sent to the RP. If an RP for the specified IP's multicast group is already known to the Boot Strap Router (BSR), the RP known to the BSR is used and the static RP address that you specify is ignored.
Apply
    Save the specified static RP addresses.
Create New
    Create a new multicast entry for an interface. You can use the new entry to fine-tune PIM operation on a specific FortiGate interface or override the global PIM settings on a particular interface. For more information, see Overriding the multicast settings on an interface on page 306.
Interface
    The names of FortiGate interfaces having specific PIM settings.
Mode
    The mode of PIM operation (Sparse or Dense) on that interface.
Status
    The status of sparse-mode RP candidacy on the interface. To change the status of RP candidacy on an interface, select the Edit icon in the row that corresponds to the interface.
Priority
    The priority number assigned to RP candidacy on that interface. Available only when RP candidacy is enabled.
DR Priority
    The priority number assigned to Designated Router (DR) candidacy on the interface. Available only when sparse mode is enabled.
Delete and Edit icons
    Delete or edit the PIM settings on the interface.


Overriding the multicast settings on an interface


You use multicast (PIM) interface options to set operating parameters for FortiGate interfaces connected to PIM domains. For example, you can enable dense mode on an interface that is connected to a PIM-enabled network segment. When sparse mode is enabled, you can adjust the priority number that is used to advertise Rendezvous Point (RP) and/or Designated Router (DR) candidacy on the interface.
Figure 180: Multicast interface settings

Interface
    Select the name of the root VDOM FortiGate interface to which these settings apply. The interface must be connected to a PIM version 2 enabled network segment.
PIM Mode
    Select the mode of operation: Sparse Mode or Dense Mode. All PIM routers connected to the same network segment must be running the same mode of operation. If you select Sparse Mode, adjust the remaining options as described below.
DR Priority
    Enter the priority number for advertising DR candidacy on the FortiGate unit's interface. The range is from 1 to 4 294 967 295. The unit compares this value to the DR priorities of all other PIM routers on the same network segment, and the router having the highest DR priority becomes the DR.
RP Candidate
    Enable RP candidacy on the interface.
RP Candidate Priority
    Enter the priority number for advertising RP candidacy on the FortiGate interface. The range is from 1 to 255.

Multicast destination NAT


Multicast destination NAT (DNAT) allows you to translate externally received multicast destination addresses to addresses that conform to an organization's internal addressing policy. This feature is available only in the CLI. Using it, you can avoid redistributing routes at the translation boundary into the internal network infrastructure in order for Reverse Path Forwarding (RPF) to work properly, and you can receive identical feeds from two ingress points in the network and route them independently. Configure multicast DNAT in the CLI by using the following command:

config firewall multicast-policy
    edit p1
        set dnat <dnatted-multicast-group>
        set ...
    next
end

For more information, see the firewall chapter of the FortiGate CLI Reference.


Bi-directional Forwarding Detection (BFD)


The Bi-directional Forwarding Detection (BFD) protocol addresses the coarse failure detection of dynamic routing protocols, whose hello and dead timers work in seconds, and the slow re-routing around failures that results. BFD exchanges its own small control packets on a millisecond timer, so a failed link or neighbor is detected, and routed around, much more quickly. Your unit supports BFD as part of OSPF and BGP dynamic routing.

Note: You can configure BFD only from the CLI.

How BFD works


When you enable BFD on your FortiGate unit, BFD starts establishing sessions with other BFD-capable routers on the network. You can limit where BFD looks for routers by enabling it on one interface only, or by enabling BFD for specific neighboring routers. Once a session is established, BFD keeps sending small control packets to the neighbor at the negotiated interval to confirm that it is still operational. If no packet arrives from the neighboring router within the detection time, BFD on your unit reports that router down and the routing protocol withdraws the routes through it. BFD continues trying to re-establish the session with the non-responsive router; once the session is back up, routes through that router are reinstated.

Configuring BFD
BFD is intended for networks that use the BGP or OSPF routing protocols, which generally excludes smaller networks. BFD configuration on your FortiGate unit is flexible: you can enable BFD for the whole unit and turn it off for one or two interfaces, or you can enable BFD specifically for each neighbor router or interface. Which method you choose will be determined by the amount of configuration required for your network.

The timeout period determines how long the unit waits before labeling a connection as down. The length of the timeout period is important: if it is too short, connections will be labeled down prematurely, and if it is too long, time will be wasted waiting for a reply from a connection that is down. There is no easy number, as it varies for each network and unit. High-end FortiGate models will respond very quickly unless loaded down with traffic. The size of the network also slows down the response time: packets need to make more hops than on a smaller network. Those two factors (CPU load and network traversal time) affect how long the timeout you select should be.

With too short a timeout period, BFD will not connect to the network device but it will keep trying. This state generates unnecessary network traffic, and leaves the device unmonitored. If this happens, you should try setting a longer timeout period to allow BFD more time to discover the device on the network.

Configuring BFD on your FortiGate unit

For this example, BFD is enabled on the FortiGate unit using the default values. This means that once a session is established, your unit will wait up to 150 milliseconds without a control packet from a BFD neighbor before declaring that neighbor down and rerouting traffic: a 50 millisecond interval multiplied by a detection multiplier of 3. The UDP source port of received BFD control packets is checked for security purposes because bfd-dont-enforce-src-port is set to disable; RFC 5881 requires BFD control packets to be sent from a source port in the range 49152 to 65535, so enforcing the check rejects packets that do not come from a conforming BFD peer.

config system settings
    set bfd enable
    set bfd-desired-min-tx 50
    set bfd-required-min-rx 50
    set bfd-detect-mult 3
    set bfd-dont-enforce-src-port disable
end


Note: The minimum receive interval (bfd-required-min-rx) and the detection multiplier (bfd-detect-mult) combine to determine how long your unit waits for a reply before declaring the neighbor down. More precisely, per RFC 5880 the detection time is the neighbor's detection multiplier times the interval at which the neighbor actually transmits, which is the larger of your bfd-required-min-rx and the neighbor's bfd-desired-min-tx; with both sides at the values above it is 3 × 50 = 150 ms. The correct value for your situation will vary based on the size of your network and the speed of your unit's CPU. The numbers used in this example may not work for your network.

Disabling BFD for a specific interface

The previous example enables BFD for your entire FortiGate unit. If an interface is not connected to any BFD-enabled routers, you can reduce network traffic by disabling BFD for that interface. For this example, BFD is disabled for the internal interface using CLI commands.

config system interface
    edit <interface>
        set bfd disable
    end

Configuring BFD on BGP

Configuring BFD on a BGP network involves enabling BFD globally and then disabling it for each neighbor that does not run BFD.

config system settings
    set bfd enable
end
config router bgp
    config neighbor
        edit <ip_address>
            set bfd disable
    end
end

Configuring BFD on OSPF

Configuring BFD on an OSPF network is very much like enabling BFD on your unit: you can enable it globally for OSPF, and you can override the global setting at the interface level.

To enable BFD on OSPF:

config router ospf
    set bfd enable
end

To override BFD on an interface:

config router ospf
    config ospf-interface
        edit <interface_name>
            set bfd disable
    end
end
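The following added example (not FortiGate code) models the timer negotiation and failure detection described in this section, using RFC 5880 semantics: each side transmits no faster than the peer is willing to receive, and the detection time is the peer's multiplier times the interval the peer actually transmits at. It also shows the effect of the source-port check that bfd-dont-enforce-src-port disable turns on. The parameter names mirror the CLI settings above, all times are in milliseconds, and the packet timeline in the usage note is constructed.

```python
"""BFD timer negotiation, detection time (RFC 5880 section 6.8) and a minimal
session monitor.  Added example, not FortiGate code; times are milliseconds."""

BFD_SRC_PORT_MIN, BFD_SRC_PORT_MAX = 49152, 65535   # RFC 5881 section 4


def negotiated_tx_interval(local_desired_min_tx: int, peer_required_min_rx: int) -> int:
    """How often the local system actually transmits: never faster than the
    peer said it is willing to receive."""
    return max(local_desired_min_tx, peer_required_min_rx)


def detection_time(local_required_min_rx: int, peer_desired_min_tx: int,
                   peer_detect_mult: int) -> int:
    """RFC 5880 6.8.4: the peer's Detect Mult times the interval the peer
    transmits at, i.e. the larger of what we require and what it wants."""
    return peer_detect_mult * max(local_required_min_rx, peer_desired_min_tx)


class BfdSession:
    """Tracks the last accepted control packet from one peer and decides Up/Down."""

    def __init__(self, local_required_min_rx: int, peer_desired_min_tx: int,
                 peer_detect_mult: int, enforce_src_port: bool = True):
        self.detect_time = detection_time(local_required_min_rx, peer_desired_min_tx,
                                          peer_detect_mult)
        self.enforce_src_port = enforce_src_port   # bfd-dont-enforce-src-port disable
        self.last_rx = None
        self.up = False

    def receive(self, now_ms: int, src_port: int) -> bool:
        """Accept one control packet.  With enforcement on, a packet from a
        source port outside the RFC 5881 range is dropped, so it can neither
        keep a session alive nor be mistaken for the peer while Down."""
        if self.enforce_src_port and not (BFD_SRC_PORT_MIN <= src_port <= BFD_SRC_PORT_MAX):
            return False
        self.last_rx = now_ms
        self.up = True
        return True

    def poll(self, now_ms: int) -> bool:
        """Run from a timer: declares Down once detect_time has elapsed with no
        accepted packet.  Returns the current state."""
        if self.up and now_ms - self.last_rx >= self.detect_time:
            self.up = False
        return self.up


if __name__ == "__main__":
    # Both sides at the guide's defaults: 50 ms intervals, multiplier 3.
    print(detection_time(50, 50, 3))          # 150
    # A peer that can only send every 100 ms stretches our detection time.
    print(detection_time(50, 100, 3))         # 300
```

Note the asymmetry: raising your own bfd-required-min-rx slows down how fast you can detect the peer, because it lowers the rate the peer is allowed to send to you, while your bfd-desired-min-tx only affects how quickly the peer can detect you.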


Customizable routing widgets


You can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange widgets/menus/items according to your specific requirements. Customizing the display allows you to vary or limit the GUI layout to address different administrator needs such as advanced routing. Only administrators with the super_admin admin profile may create and edit GUI layouts. For more information on GUI layouts, see Customizable web-based manager on page 231. Each of the customizable GUI widgets can be minimized or maximized using the arrow next to the widget title. Customizable routing widgets include:
    Access List
    Distribute List
    Key Chain
    Offset List
    Prefix List
    Route Map

Access List
Access lists are filters used by FortiGate unit routing processes to limit which routes (prefixes) are accepted or advertised, based on IP addresses. For an access list to take effect, it must be called by a FortiGate unit routing process (for example, a process that supports RIP or OSPF). For more information about RIP, see RIP on page 289. For more information about OSPF, see OSPF on page 294. Each rule in an access list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and whether to match the prefix exactly or to match the prefix and any more specific prefix.
Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route, 0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this purpose. For more information, see Prefix List on page 312.

The FortiGate unit attempts to match a route against the rules in an access list starting at the top of the list. If it finds a match for the prefix, it takes the action specified for that prefix. If no match is found, the default action is deny: a route that no rule explicitly permits is filtered.
Figure 181: Access List GUI widget

Name
    Enter the name of a new access list. Select Add to save the new access list.
Access-list
    The name of the access list.
Action
    The action to take when the prefix of this access list is matched. Actions can be either permit or deny.
Prefix
    The IP address prefix for this access-list. When this prefix is matched, the action is taken. The prefix can match any address, or a specific address.
Delete Icon
    Select to remove this access-list.
Add Icon
    Select to add a rule to this access-list. Rules include actions and prefixes. Rules are processed in ascending order of rule number.

For more information on access list, see the router chapter of the FortiGate CLI Reference.

Distribute List
The distribute list is a subcommand of OSPF. It filters the networks in routing updates using an access or prefix list. Routes not matched by any of the distribution lists will not be advertised. The offset list is part of the RIP and OSPF routing protocols. For more information about OSPF, see OSPF on page 294.
Note: You must configure the access list that you want the distribution list to use before you configure the distribution list. To configure an access list, see Access List on page 309. Figure 182: Distribute List GUI widget

Create New Direction Filter Interface Enable Delete Icon Edit Icon

Select to create a new distribute list. This includes setting the direction, selecting either the prefix-list or access-list, and interface. The name of the access list. The prefix-list or access-list to apply to this interface. The interface to apply the filter on. A green check indicates this distribute list is enabled. Select to remove a distribution list rule. Select to change the direction, filter, or interface of the distribute list.

For more information on the distribute list, see the router chapter of the FortiGate CLI Reference.

Key Chain
A key chain is a list of one or more keys and the send and receive lifetimes for each key. Keys are used for authenticating routing packets only during the specified lifetimes. The FortiGate unit migrates from one key to the next according to the scheduled send and receive lifetimes. The sending and receiving routers should have their system dates and times synchronized, but overlapping the key lifetimes ensures that a key is always available even if there is some difference in the system times. RIP version 2 uses authentication keys to ensure that routing information is accepted only from routers that hold the shared key; without authentication, any host on the segment can inject routes. For authentication to work both the sending and receiving routers must be set to use authentication, and must be configured with the same keys. Key chains are used by RIP. For more information about RIP, see RIP on page 289.


Figure 183: Key Chain GUI widget

Name
    Enter the name for a new key-chain. Select Add to save the new key-chain.
Key-chain
    The name of the key-chain, or the number of the key on that chain.
Accept Lifetime
    The start and end time during which this key is accepted on received routing packets.
    Start    The start time for this key. The format is H:M:S M/D/YYYY.
    End      The end time for this key. The end can be infinite, a set duration in seconds, or a set time in the same format as the start time.
Send Lifetime
    The start and end time during which this key is used to send routing packets.
    Start    The start time for this key. The format is H:M:S M/D/YYYY.
    End      The end time for this key. The end can be infinite, a set duration in seconds, or a set time in the same format as the start time.
Delete Icon
    Select to remove a key or key-chain.
Add Icon
    Select to add keys to the key-chain.
Edit Icon
    Select to edit an existing key.

For more information on key-chains, see the router chapter of the FortiGate CLI Reference.
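The following added example (not FortiGate code) shows how the accept and send lifetimes above behave during a key rollover: which key a router signs outgoing updates with, which keys it will still accept, why overlapping accept lifetimes absorb clock differences between routers, and how to check a schedule for periods in which no key is sendable before deploying it. Key names, secrets and times are constructed; the choice of the lowest-numbered sendable key when several are valid is an assumption, since implementations differ on that point.

```python
"""Key-chain lifetime handling for routing-protocol authentication (RIPv2 on
the FortiGate unit).  Added example, not FortiGate code; times are constructed."""
from datetime import datetime
from typing import List, Optional

INFINITE = datetime.max      # an "infinite" lifetime end


def parse_time(text: str) -> datetime:
    """ISO 8601 helper for the examples, e.g. '2009-04-02T12:00:00'."""
    return datetime.fromisoformat(text)


class ChainKey:
    def __init__(self, key_id: int, secret: str,
                 accept_start: datetime, accept_end: Optional[datetime],
                 send_start: datetime, send_end: Optional[datetime]):
        self.key_id, self.secret = key_id, secret
        self.accept = (accept_start, accept_end or INFINITE)
        self.send = (send_start, send_end or INFINITE)


def _covers(window, now: datetime) -> bool:
    start, end = window
    return start <= now < end


def send_key(chain: List[ChainKey], now: datetime) -> Optional[ChainKey]:
    """Key used to sign outgoing updates.  Assumption: when several keys are
    sendable the lowest key ID is used."""
    for key in sorted(chain, key=lambda k: k.key_id):
        if _covers(key.send, now):
            return key
    return None


def accept_keys(chain: List[ChainKey], now: datetime) -> List[ChainKey]:
    """Every key whose accept lifetime covers now; an incoming update that
    names any of these key IDs is verified with that key."""
    return [k for k in chain if _covers(k.accept, now)]


def accepts(chain: List[ChainKey], key_id: int, now: datetime) -> bool:
    """Would an update carrying key_id be accepted at time now?"""
    return any(k.key_id == key_id for k in accept_keys(chain, now))


def send_gaps(chain: List[ChainKey]):
    """[(start, end)] periods, between the first and last send lifetimes, in
    which no key is sendable.  Anything here means updates go out unsigned
    (or not at all) and neighbors start dropping them."""
    windows = sorted(k.send for k in chain)
    gaps, covered_until = [], windows[0][1]
    for start, end in windows[1:]:
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps


def sample_chain() -> List[ChainKey]:
    """Constructed rollover: key 1 stops being sent at noon on April 2 but is
    accepted for another hour; key 2 is accepted an hour before it is sent."""
    t = parse_time
    return [
        ChainKey(1, "old-secret", t("2009-04-01T00:00:00"), t("2009-04-02T13:00:00"),
                 t("2009-04-01T00:00:00"), t("2009-04-02T12:00:00")),
        ChainKey(2, "new-secret", t("2009-04-02T11:00:00"), None,
                 t("2009-04-02T12:00:00"), None),
    ]


if __name__ == "__main__":
    chain = sample_chain()
    now = parse_time("2009-04-02T11:30:00")
    print(send_key(chain, now).key_id, [k.key_id for k in accept_keys(chain, now)])   # 1 [1, 2]
    print(send_gaps(chain))                                                            # []
```

With this schedule a neighbor whose clock runs 30 minutes fast already signs with key 2 at local 11:30 and is still accepted, and one running 30 minutes slow still signs with key 1 at 12:30 and is accepted too; an hour of overlap on each side is the clock-skew budget.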

Offset List
Use the offset list to add an offset to the metric (hop count) of routes matched by an access list, in the inbound or outbound direction, which makes those routes less preferred. The offset list is part of the RIP and OSPF routing protocols. For more information about RIP, see RIP on page 289. For more information about OSPF, see OSPF on page 294.

Figure 184: Offset List GUI widget

Create New
    Select to add a new offset to the list.
Direction
    The direction can be In or Out.
Access-list
    The access-list used to select the routes to adjust.
Offset
    The adjustment added to the hop count metric.
Interface
    The interface this offset list applies to.
Delete Icon
    Select to remove an offset entry.
Edit Icon
    Select to edit an existing offset entry.

For more information on the offset list, see the router chapter of the FortiGate CLI Reference.


Prefix List
A prefix list is an enhanced version of an access list that allows you to control the length of the prefix netmask. Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take for this prefix (permit or deny), and maximum and minimum prefix length settings. The FortiGate unit attempts to match a route against the rules in a prefix list starting at the top of the list. If it finds a match for the prefix it takes the action specified for that prefix. If no match is found the default action is deny, so a prefix list is effectively an allow-list of the routes a routing process may accept or advertise. A prefix-list should be used to match the default route 0.0.0.0/0. For a prefix list to take effect, it must be called by another FortiGate unit routing feature such as RIP or OSPF. For more information about RIP, see RIP on page 289. For more information about OSPF, see OSPF on page 294.

Figure 185: Prefix List GUI widget

Name
    Enter the name of a new prefix-list. Select Add to save the new prefix list.
Prefix-list
    The name of the prefix list, or the number of the prefix entry.
Action
    The action of the prefix entry. Actions can be permit or deny.
Prefix
    The IP address and netmask associated with this prefix. Optionally this can be set to match any address.
GE
    The minimum prefix length, in bits, a route must have to match this entry: routes whose prefix length is this number or greater match.
LE
    The maximum prefix length, in bits, a route may have to match this entry: routes whose prefix length is this number or less match.
Delete Icon
    Select to remove a prefix entry or list.
Add Icon
    Select to add a prefix entry to a list.
Edit Icon
    Select to edit an existing prefix entry.

For more information on the prefix list, see the router chapter of the FortiGate CLI Reference.

Route Map
Route maps provide a way for the FortiGate unit to select the best routes for forwarding packets, or to suppress routes to particular destinations, when exchanging routes with the BGP routing protocol. Compared to access lists, route maps support richer matching criteria. In addition, route maps can be configured to permit or deny the addition of routes to the FortiGate unit routing table and to change routing information dynamically as defined through route-map rules. The FortiGate unit compares the rules in a route map to the attributes of a route. The rules are examined in ascending order until a rule is found whose match-* settings match the attributes of the route:
    When a rule with a single match-* setting matches, changes to the routing information are made as defined through the rule's set-ip-nexthop, set-metric, set-metric-type, and/or set-tag settings.
    If no matching rule is found, no changes are made to the routing information.
    When a rule defines more than one match-* setting, all of the defined match-* settings must evaluate to TRUE or the routing information is not changed.
    If a rule defines no match-* settings, the FortiGate unit makes changes to the routing information only when the default match-* settings happen to match the attributes of the route.

The default rule in the route map (which the FortiGate unit applies last) denies all routes. For a route map to take effect, it must be called by a FortiGate unit routing process.
Figure 186: Route Map GUI widget

Name
    Enter the name of a new route-map. Select Add to save the new route-map.
Route-map
    The name of the route map, or the number of the route-map rule.
Action
    The action of the route-map rule. Actions can be permit or deny.
Rules
    The rules include the criteria to match and a value to set. The criteria to match can be an interface, a route address from an access or prefix list, a next-hop from an access or prefix list, a metric, or other information. The value to set can be the next-hop IP address, the metric, the metric type, and a tag number.
Delete Icon
    Select to remove a route map or entry.
Add Icon
    Select to add a route map entry to a route map.
Edit Icon
    Select to edit an existing route map entry.

For more information on the route map, see the router chapter of the FortiGate CLI Reference.
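The following added example (not FortiGate code) implements the matching rules described for access lists and prefix lists above and then uses them inside a route map, so one block serves all three widgets: rules are tried in order, the first match decides, a route that matches nothing is denied, a route-map rule fires only when every one of its match clauses is true, and its set values are applied on permit. List names, route-map rules and the sample routes are constructed; treating a rule with no match clauses as matching every route is an assumption (the conventional route-map behaviour).

```python
"""Access-list, prefix-list and route-map evaluation for route filtering.
Added example, not FortiGate code; sample lists and routes are constructed."""
import ipaddress


def access_list_permits(rules, prefix: str) -> bool:
    """rules: [(prefix, action, exact_match)].  With exact_match False the
    rule also matches any more specific prefix inside it."""
    net = ipaddress.ip_network(prefix)
    for rule_prefix, action, exact in rules:
        rule_net = ipaddress.ip_network(rule_prefix)
        if net == rule_net or (not exact and net.subnet_of(rule_net)):
            return action == "permit"
    return False                                   # implicit deny


def prefix_list_permits(rules, prefix: str) -> bool:
    """rules: [(prefix, action, ge, le)].  ge/le bound the route's mask length;
    with neither set only the rule's own mask length matches, and
    0.0.0.0/0 le 32 is the idiom for 'any IPv4 route'."""
    net = ipaddress.ip_network(prefix)
    for rule_prefix, action, ge, le in rules:
        rule_net = ipaddress.ip_network(rule_prefix)
        if not net.subnet_of(rule_net):
            continue
        low = ge if ge is not None else rule_net.prefixlen
        if le is not None:
            high = le
        else:
            high = net.max_prefixlen if ge is not None else rule_net.prefixlen
        if low <= net.prefixlen <= high:
            return action == "permit"
    return False                                   # implicit deny


def apply_route_map(route_map, route: dict, lists: dict):
    """route_map: rules in ascending number, each {'action', 'match', 'set'}.
    match keys: ip_address / ip_nexthop (prefix-list names in `lists`),
    interface, metric, tag.  Returns the route with set-* applied, or None
    when denied.  Assumption: an empty match block matches every route."""
    for rule in route_map:
        m = rule.get("match", {})
        checks = []
        if "ip_address" in m:
            checks.append(prefix_list_permits(lists[m["ip_address"]], route["prefix"]))
        if "ip_nexthop" in m:
            checks.append(prefix_list_permits(lists[m["ip_nexthop"]], route["next_hop"] + "/32"))
        for attr in ("interface", "metric", "tag"):
            if attr in m:
                checks.append(route.get(attr) == m[attr])
        if all(checks):                            # every match clause must hold
            if rule["action"] != "permit":
                return None
            out = dict(route)
            out.update(rule.get("set", {}))
            return out
    return None                                    # implicit deny at the end of the map


# Constructed sample data: a customer's assigned blocks and helper lists.
SAMPLE_LISTS = {
    "customer":     [("203.0.113.0/24", "permit", None, None),
                     ("198.51.100.0/24", "permit", None, None)],
    "too-specific": [("0.0.0.0/0", "permit", 25, None)],   # anything longer than /24
    "any":          [("0.0.0.0/0", "permit", None, 32)],
    "default-only": [("0.0.0.0/0", "permit", None, None)],
}
SAMPLE_ROUTE_MAP = [
    {"action": "permit", "match": {"ip_address": "customer", "metric": 5},
     "set": {"metric": 50, "tag": 100}},
    {"action": "deny", "match": {"ip_address": "too-specific"}},
    {"action": "permit", "match": {}, "set": {"tag": 200}},
]


if __name__ == "__main__":
    route = {"prefix": "203.0.113.0/24", "next_hop": "192.0.2.1", "metric": 5}
    print(apply_route_map(SAMPLE_ROUTE_MAP, route, SAMPLE_LISTS))   # metric 50, tag 100
    print(apply_route_map(SAMPLE_ROUTE_MAP, {"prefix": "10.0.0.0/25", "next_hop": "192.0.2.1"},
                          SAMPLE_LISTS))                             # None
```

The "customer" list permits the two /24s exactly, so a /25 carved out of one of them is not permitted by it; whether that /25 is then dropped depends on the later rules, which is why a deny for over-specific prefixes belongs before any catch-all permit.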

Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the entries in the FortiGate routing table. If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available separately for each virtual domain. For more information, see Using virtual domains on page 103. This section describes:
    Viewing routing information
    Searching the FortiGate routing table

Viewing routing information


By default, all routes are displayed in the Routing Monitor list. The default static route is defined as 0.0.0.0/0, which matches the destination IP address of any/all packets. To display the routes in the routing table, go to Router > Monitor. Figure 187 shows the Routing Monitor list belonging to a FortiGate unit that has interfaces named port1, port4, and lan. The names of the interfaces on your FortiGate unit may be different.
Figure 187: Routing Monitor list


IP version
    Select IPv4 or IPv6 routes.
Type
    Select one of the following route types to search the routing table and display routes of the selected type only:
    All         All routes recorded in the routing table.
    Connected   All routes associated with direct connections to FortiGate interfaces.
    Static      The static routes that have been added to the routing table manually. For more information see Static Route on page 280.
    RIP         All routes learned through RIP. For more information see RIP on page 289.
    OSPF        All routes learned through OSPF. For more information see OSPF on page 294.
    BGP         All routes learned through BGP. For more information see BGP on page 302.
    HA          RIP, OSPF, and BGP routes synchronized between the primary unit and the subordinate units of a high availability (HA) cluster. HA routes are maintained on subordinate units and are visible only if you are viewing the router monitor from a virtual domain that is configured as a subordinate virtual domain in a virtual cluster. For details about HA routing synchronization, see the FortiGate High Availability User Guide.
Network
    Enter an IP address and netmask (for example, 172.16.14.0/24) to search the routing table and display routes that match the specified network.
Gateway
    Enter an IP address and netmask (for example, 192.168.12.1/32) to search the routing table and display routes that match the specified gateway.
Apply Filter
    Select to search the entries in the routing table based on the specified search criteria and display any matching routes.
Type
    The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or BGP).
Subtype
    If applicable, the subtype classification assigned to OSPF routes:
    (empty)           An intra-area route. The destination is in an area to which the FortiGate unit is connected.
    OSPF inter area   The destination is in the OSPF AS, but the FortiGate unit is not connected to that area.
    External 1        The destination is outside the OSPF AS. The metric of a redistributed route is calculated by adding the external cost and the OSPF cost together.
    External 2        The destination is outside the OSPF AS. In this case, the metric of the redistributed route is equivalent to the external cost only, expressed as an OSPF cost.
    OSPF NSSA 1       Same as External 1, but the route was received through a not-so-stubby area (NSSA).
    OSPF NSSA 2       Same as External 2, but the route was received through a not-so-stubby area.
Network
    The IP addresses and network masks of destination networks that the FortiGate unit can reach.
Distance
    The administrative distance associated with the route. When more than one route to the same destination is available, the route with the lowest distance is installed; a value of 0 marks the most preferred routes. To modify the administrative distance assigned to static routes, see Adding a static route to the routing table on page 284. To modify this distance for dynamic routes, see the FortiGate CLI Reference.
Metric
    The metric associated with the route type. The metric of a route influences how the FortiGate unit dynamically adds it to the routing table. The following are the types of metrics and when they are applied:
    Hop count                        Routes learned through RIP.
    Relative cost                    Routes learned through OSPF.
    Multi-Exit Discriminator (MED)   Routes learned through BGP. However, several attributes in addition to MED determine the best path to a destination network.
Gateway
    The IP addresses of gateways to the destination networks.
Interface
    The interface through which packets are forwarded to the gateway of the destination network.
Up Time
    The total accumulated amount of time that a route learned through RIP, OSPF, or BGP has been reachable.

Searching the FortiGate routing table


You can apply a filter to search the routing table and display certain routes only. For example, you can display one or more static routes, connected routes, routes learned through RIP, OSPF, or BGP, and routes associated with the network or gateway that you specify. If you want to search the routing table by route type and further limit the display according to network or gateway, all of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed (an implicit AND condition is applied to all of the search parameters you specify). For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to display all directly connected routes to network 172.16.14.0/24, you must select Connected from the Type list, type 172.16.14.0/24 in the Network field, and then select Apply Filter to display the associated routing table entry or entries. Only entries that contain the word Connected in the Type field and the specified value in the Network field will be displayed.

To search the FortiGate routing table
1 Go to Router > Monitor > Routing Monitor.
2 From the Type list, select the type of route to display. For example, select Connected to display all connected routes, or select RIP to display all routes learned through RIP.
3 If you want to display routes to a specific network, type the IP address and netmask of the network in the Network field.
4 If you want to display routes to a specific gateway, type the IP address of the gateway in the Gateway field.
5 Select Apply Filter.
Note: All of the values that you specify as search criteria must match corresponding values in the same routing table entry in order for that entry to be displayed.


Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit, between FortiGate interfaces, zones, and VLAN subinterfaces. Firewall policies are instructions the FortiGate unit uses to decide connection acceptance and packet processing for traffic attempting to pass through. When the firewall receives a connection packet, it analyzes the packet's source address, destination address, and service (by port number), and attempts to locate a firewall policy matching the packet.

Firewall policies can contain many instructions for the FortiGate unit to follow when it receives matching packets. Some instructions are required, such as whether to drop or accept and process the packets, while other instructions, such as logging and authentication, are optional.

Policy instructions may include network address translation (NAT), or port address translation (PAT), by using virtual IPs or IP pools to translate source and destination IP addresses and port numbers. For details on using virtual IPs and IP pools, see Firewall Virtual IP on page 365. Policy instructions may also include protection profiles, which can specify application-layer inspection and other protocol-specific protection and logging. For details on using protection profiles, see Firewall Protection Profile on page 397.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall policies. For details, see Using virtual domains on page 103.

This section describes:
• How list order affects policy matching
• Multicast policies
• Viewing the firewall policy list
• Configuring firewall policies
• Firewall policy examples

How list order affects policy matching


Each time a FortiGate unit receives a connection attempting to pass through one of its interfaces, the unit searches its firewall policy list for a matching firewall policy. The search begins at the top of the policy list and progresses in order towards the bottom. The FortiGate unit evaluates each policy in the firewall policy list for a match until a match is found. When the FortiGate unit finds the first matching policy, it applies the matching policy's specified actions to the packet, and disregards subsequent firewall policies. Matching firewall policies are determined by comparing the firewall policy and the packet's:
• source and destination interfaces
• source and destination firewall addresses
• services
• time/schedule.


If no policy matches, the connection is dropped. As a general rule, you should order the firewall policy list from most specific to most general because of the order in which policies are evaluated for a match, and because only the first matching firewall policy is applied to a connection. Subsequent possible matches are not considered or applied. Ordering policies from most specific to most general prevents policies that match a wide range of traffic from superseding and effectively masking policies that match exceptions. For example, you might have a general policy that allows all connections from the internal network to the Internet, but want to make an exception that blocks FTP. In this case, you would add a policy that denies FTP connections above the general policy.
Figure 188: Example: Blocking FTP, correct policy order (Exception policy listed above General policy)

FTP connections would immediately match the deny policy, blocking the connection. Other kinds of services do not match the FTP policy, and so policy evaluation would continue until reaching the matching general policy. This policy order has the intended effect. But if you reversed the order of the two policies, positioning the general policy before the policy to block FTP, all connections, including FTP, would immediately match the general policy, and the policy to block FTP would never be applied. This policy order would not have the intended effect.

Figure 189: Example: Blocking FTP, incorrect policy order (General policy listed above Exception policy)

Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would position those policies above other potential matches in the policy list. Otherwise, the other matching policies could always take precedence, and the required authentication, IPSec VPN, or SSL VPN might never occur.
Note: A default firewall policy may exist which accepts all connections. You can move, disable or delete it. If you move the default policy to the bottom of the firewall policy list and no other policy matches the packet, the connection will be accepted. If you disable or delete the default policy and no other policy matches the packet, the connection will be dropped.
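The first-match search described above, as an added example that is not FortiOS code or part of the guide: a small Python model of a policy list, with constructed policies and packets, showing the FTP exception in both orders, the drop when nothing matches, the effect of a default accept-all policy at the bottom of the list, a scheduled policy, and that moving a policy keeps its ID. The interface names (internal, wan1, dmz), addresses, policy IDs and the schedule representation are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """One row of the firewall policy list (constructed model, not FortiOS data)."""
    policy_id: int                        # set at creation time; never changes when moved
    src_intf: str                         # "any" matches every source interface
    dst_intf: str                         # "any" matches every destination interface
    src_addr: str                         # CIDR network, or "all"
    dst_addr: str                         # CIDR network, or "all"
    service: str                          # "ALL", or "<proto>/<port>" such as "tcp/21"
    action: str                           # "ACCEPT" or "DENY"
    schedule: Optional[tuple] = None      # (start_hour, end_hour) when active; None = always
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        """Every criterion must match the same packet: interfaces, addresses, service, schedule."""
        if self.src_intf != "any" and self.src_intf != pkt["src_intf"]:
            return False
        if self.dst_intf != "any" and self.dst_intf != pkt["dst_intf"]:
            return False
        if self.src_addr != "all" and ip_address(pkt["src"]) not in ip_network(self.src_addr):
            return False
        if self.dst_addr != "all" and ip_address(pkt["dst"]) not in ip_network(self.dst_addr):
            return False
        if self.service != "ALL" and self.service != f'{pkt["proto"]}/{pkt["dport"]}':
            return False
        if self.schedule is not None:
            start, end = self.schedule
            if not start <= pkt["hour"] < end:
                return False
        return True


def evaluate(policies: list, pkt: dict) -> tuple:
    """Search top to bottom; the first match decides and later policies are ignored.
    Returns (action, policy_id); (DENY, None) is the drop applied when nothing matches."""
    for policy in policies:
        if policy.matches(pkt):
            return policy.action, policy.policy_id
    return "DENY", None


def move_policy(policies: list, moving_id: int, anchor_id: int, before: bool = True) -> list:
    """Model the Move To dialog: place moving_id before (or after) anchor_id.
    Only the position changes; the policy keeps its ID."""
    moving = next(p for p in policies if p.policy_id == moving_id)
    rest = [p for p in policies if p.policy_id != moving_id]
    idx = next(i for i, p in enumerate(rest) if p.policy_id == anchor_id)
    rest.insert(idx if before else idx + 1, moving)
    return rest


# Constructed sample policies; interface names and IDs are assumptions.
GENERAL = Policy(1, "internal", "wan1", "all", "all", "ALL", "ACCEPT", comment="internal to Internet")
BLOCK_FTP = Policy(2, "internal", "wan1", "all", "all", "tcp/21", "DENY", comment="exception: no FTP")
AFTER_HOURS = Policy(3, "internal", "wan1", "all", "all", "ALL", "DENY", schedule=(18, 24))
DEFAULT_ALL = Policy(0, "any", "any", "all", "all", "ALL", "ACCEPT", comment="default accept-all")

# Constructed sample packets (hour = local hour at which the session starts).
FTP = {"src_intf": "internal", "dst_intf": "wan1", "src": "192.168.1.10",
       "dst": "203.0.113.5", "proto": "tcp", "dport": 21, "hour": 10}
HTTP = dict(FTP, dport=80)
FROM_DMZ = dict(HTTP, src_intf="dmz")
HTTP_AT_20H = dict(HTTP, hour=20)


def correct_order() -> dict:
    """Exception above general: FTP hits the deny, other services fall through to general."""
    policies = [BLOCK_FTP, GENERAL]
    return {"ftp": evaluate(policies, FTP), "http": evaluate(policies, HTTP),
            "dmz": evaluate(policies, FROM_DMZ)}


def incorrect_order() -> dict:
    """General above exception: the FTP deny is masked and never applied."""
    policies = [GENERAL, BLOCK_FTP]
    return {"ftp": evaluate(policies, FTP), "http": evaluate(policies, HTTP)}


def schedule_effect() -> dict:
    """A scheduled deny above the general policy only matches during its hours."""
    policies = [AFTER_HOURS, GENERAL]
    return {"10h": evaluate(policies, HTTP), "20h": evaluate(policies, HTTP_AT_20H)}


def default_policy_effect() -> dict:
    """Default accept-all at the bottom accepts unmatched traffic; deleting it drops it."""
    return {"with_default": evaluate([BLOCK_FTP, GENERAL, DEFAULT_ALL], FROM_DMZ),
            "without_default": evaluate([BLOCK_FTP, GENERAL], FROM_DMZ)}


if __name__ == "__main__":
    for name, result in (("correct", correct_order()), ("incorrect", incorrect_order()),
                         ("schedule", schedule_effect()), ("default", default_policy_effect())):
        print(name, result)
    print([p.policy_id for p in move_policy([GENERAL, BLOCK_FTP], moving_id=2, anchor_id=1)])
```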

Moving a policy to a different position in the policy list


You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with incoming traffic. When more than one policy has been defined for the same interface pair, the first matching firewall policy will be applied to the traffic session. For more information, see How list order affects policy matching on page 319. Moving a policy in the firewall policy list does not change its ID, which only indicates the order in which the policy was created.
Figure 190: Move Policy


To move a firewall policy in the firewall policy list
1 Go to Firewall > Policy.
2 In the firewall policy list, note the ID of a firewall policy that is before or after your intended destination.
3 In the row corresponding to the firewall policy that you want to move, select the Move To icon.
4 Select Before or After, and enter the ID of the firewall policy that is before or after your intended destination. This specifies the policy's new position in the firewall policy list.
5 Select OK.

Multicast policies
FortiGate units support multicast policies. You can configure and create multicast policies using the following CLI command:

    config firewall multicast-policy

For more information, see the FortiOS CLI Reference and the FortiGate Multicast Technical Note.

Viewing the firewall policy list


The firewall policy list displays firewall policies in their order of matching precedence for each source and destination interface pair. If virtual domains are enabled on the FortiGate unit, firewall policies are configured separately for each virtual domain; you must access the VDOM before you can configure its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to the VDOM whose policies you want to configure, select Enter. You can add, delete, edit, and re-order policies in the policy list. Firewall policy order affects policy matching. For details about arranging policies in a policy list, see How list order affects policy matching on page 319 and Moving a policy to a different position in the policy list on page 320. To view the policy list, go to Firewall > Policy.
Figure 191: Firewall policy list (callouts: Filter, Delete, Edit, Insert Policy before, Move To)


Create New: Add a firewall policy. Select the down arrow beside Create New to add a firewall policy or firewall policy section. A firewall policy section visually groups firewall policies. For more information, see Configuring firewall policies on page 323.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. For more information, see Using column settings to control the columns displayed on page 58 and Web-based manager icons on page 60.
Section View: Select to display firewall policies organized by source and destination interfaces. Note: Section View is not available if any policy selects Any as the source or destination interface.
Global View: Select to list all firewall policies in order according to a sequence number.
Filter icons: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 53.
ID: The policy identifier. Policies are numbered in the order they are added to the policy list.
From: The source interface of the policy. Global view only.
To: The destination interface of the policy. Global view only.
Source: The source address or address group to which the policy applies. For more information, see Firewall Address on page 345.
Destination: The destination address or address group to which the policy applies. For more information, see Firewall Address on page 345.
Schedule: The schedule that controls when the policy should be active. For more information, see Firewall Schedule on page 361.
Service: The service to which the policy applies. For more information, see Firewall Service on page 351.
Profile: The protection profile that is associated with the policy.
Action: The response to make when the policy matches a connection attempt.
Status: Select the checkbox to enable a policy or deselect it to disable a policy.
From: The source interface.
To: The destination interface.
VPN Tunnel: The VPN tunnel the VPN policy uses.
Authentication: The user authentication method the policy uses.
Comments: Comments entered when creating or editing the policy.
Log: A green check mark indicates traffic logging is enabled for the policy; a grey cross mark indicates traffic logging is disabled for the policy.
Count: The FortiGate unit counts the number of packets and bytes that hit the firewall policy. For example, 5/50B means that five packets and 50 bytes in total have hit the policy. The counter is reset when the FortiGate unit is restarted or the policy is deleted and re-configured.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy in the list. For more information, see Moving a policy to a different position in the policy list on page 320.


Configuring firewall policies


You can configure firewall policies to define which sessions will match the policy and what actions the FortiGate unit will perform with packets from matching sessions. Sessions are matched to a firewall policy by considering these features of both the packet and policy:
• Source Interface/Zone
• Source Address
• Destination Interface/Zone
• Destination Address
• schedule and time of the session's initiation
• service and the packet's port numbers.

If the initial packet matches the firewall policy, the FortiGate unit performs the configured Action and any other configured options on all packets in the session. Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.

ACCEPT policy actions permit communication sessions, and may optionally include other packet processing instructions, such as requiring authentication to use the policy, or specifying a protection profile to apply features such as virus scanning to packets in the session. An ACCEPT policy can also apply interface-mode IPSec VPN traffic if either the selected source or destination interface is an IPSec virtual interface. For more information, see Overview of IPSec VPN configuration on page 531.

DENY policy actions block communication sessions, and may optionally log the denied traffic.

IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN tunnel, respectively, and may optionally apply NAT and allow traffic for one or both directions. If permitted by the firewall encryption policy, a tunnel may be initiated automatically whenever a packet matching the policy arrives on the specified network interface, destined for the local private network. For more information, see IPSec firewall policy options on page 330 and Configuring SSL VPN identity-based firewall policies on page 331.

To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add a policy or select the edit icon beside an existing firewall policy. Configure the settings as described in the following table and in the references to specific features for IPSec, SSL VPN and other specialized settings, and then select OK. If you want to create a DoS policy, go to Firewall > Policy > DoS Policy, and configure the settings according to the following table. For more information, see DoS policies on page 337. If you want to use IPv6 firewall addresses in your firewall policy, first go to System > Admin > Settings. Select IPv6 Support on GUI. Then go to Firewall > Policy > IPv6 Policy, and configure the settings according to the following table. Firewall policy order affects policy matching. Each time that you create or edit a policy, make sure that you position it in the correct location in the list. You can create a new policy and position it right away before an existing one in the firewall policy list, by selecting Insert Policy before (see Viewing the firewall policy list on page 321).
Note: You can configure differentiated services (DSCP) firewall policy options through the CLI. See the firewall chapter of the FortiGate CLI Reference.


Figure 192: Firewall Policy options

Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received. Interfaces and zones are configured on the System Network page. For more information, see Interfaces on page 119 and Configuring zones on page 138. If you select Any as the source interface, the policy matches all interfaces as source. If Action is set to IPSEC, the interface is associated with the local private network. If Action is set to SSL-VPN, the interface is associated with connections from remote SSL VPN clients.

Source Address: Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see Configuring addresses on page 347. If you want to associate multiple firewall addresses or address groups with the Source Interface/Zone, from Source Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If Action is set to IPSEC, the address is the private IP address of the host, server, or network behind the FortiGate unit. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.


Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. Interfaces and zones are configured on the System Network page. For more information, see Interfaces on page 119 and Configuring zones on page 138. If you select Any as the destination interface, the policy matches all interfaces as destination. If Action is set to IPSEC, the interface is associated with the entrance to the VPN tunnel. If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address: Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see Configuring addresses on page 347. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see Firewall Virtual IP on page 365. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Schedule: Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see Firewall Schedule on page 361.

Service: Select the name of a firewall service or service group that packets must match to trigger this policy. You can select from a wide range of predefined firewall services, or you can create a custom service or service group by selecting Create New from this list. For more information, see Configuring custom services on page 357 and Configuring service groups on page 359. By selecting the Multiple button beside Service, you can select multiple services or service groups.

Action: Select how you want the firewall to respond when a packet matches the conditions of the policy. The options available will vary widely depending on this selection.
ACCEPT: Accept traffic matched by the policy. You can configure NAT, protection profiles, log traffic, shape traffic, set authentication options, or add a comment to the policy.
DENY: Reject traffic matched by the policy. The only other configurable policy options are Log Violation Traffic to log the connections denied by this policy and adding a Comment.
IPSEC: You can configure an IPSec firewall encryption policy to process IPSec VPN packets, as well as configure protection profiles, log traffic, shape traffic or add a comment to the policy. See IPSec firewall policy options on page 330.
SSL-VPN: You can configure an SSL-VPN firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added a SSL-VPN user group. You can also configure NAT and protection profiles, log traffic, shape traffic or add a comment to the policy. See Configuring SSL VPN identity-based firewall policies on page 331.


NAT: Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.
Dynamic IP Pool: Select the check box, then select an IP pool to translate the source address to an IP address randomly selected from addresses in the IP Pool. IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE, or if you have selected a Destination Interface to which no IP Pools are bound. You cannot use IP pools when using zones. An IP pool can only be associated with an interface. For details, see IP pools on page 381.
Fixed Port: Select Fixed Port to prevent NAT from translating the source port. Some applications do not function correctly if the source port is translated. In most cases, if Fixed Port is selected, Dynamic IP pool is also selected. If Dynamic IP pool is not selected, a policy with Fixed Port selected can allow only one connection to that service at a time.

Enable Identity Based Policy: Select to configure firewall policies that require authentication. For more information, see Adding authentication to firewall policies on page 327.

Enable Endpoint Compliance Check: Firewall policies can deny access for hosts that do not have FortiClient Endpoint Security software installed and operating. For more information, see Endpoint Compliance Check options on page 336. You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.

User Authentication Disclaimer: Available only on some models and only if Action is set to ACCEPT. Select this option to display the Authentication Disclaimer page (a replacement message) to the user. The user must accept the disclaimer to connect to the destination. You can use the disclaimer together with authentication or a protection profile.

Redirect URL: Available only on some models and only if Action is set to ACCEPT. If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer.

Protection Profile: Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see Firewall Protection Profile on page 397. If you intend to apply authentication to this policy, do not make a Protection Profile selection. The user group you choose for authentication is already linked to a protection profile. For more information, see Adding authentication to firewall policies on page 327.

Traffic Shaping: Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about traffic shaping, see Traffic Shaping on page 423. Note: To ensure that traffic shaping is working at its best, make sure that the interface ethernet statistics show no errors, collisions, or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting. Also, do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the policy will not allow any traffic.
Guaranteed Bandwidth: Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.
Maximum Bandwidth: Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.


Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.
Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.

Log Allowed Traffic: Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information see Log&Report on page 647.

Log Violation Traffic: Available only if Action is set to DENY. Select Log Violation Traffic, for Deny policies, to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see Log&Report on page 647.

Comments: Add information about the policy. The maximum length is 63 characters.

Adding authentication to firewall policies


If you enable Enable Identity Based Policy in a firewall policy, network users must send traffic involving a supported firewall authentication protocol to trigger the firewall authentication challenge, and successfully authenticate, before the FortiGate unit will allow any other traffic matching the firewall policy. User authentication can occur through any of the following supported protocols:
• HTTP
• HTTPS
• FTP
• Telnet

The authentication style depends on which of these supported protocols you have included in the selected firewall services group and which of those enabled protocols the network user applies to trigger the authentication challenge. The authentication style will be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only) authentication, you must install customized certificates on the FortiGate unit and on the browsers of network users, which the FortiGate unit matches. For user name and password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts network users to input their firewall user name and password.

For example, if you want to require HTTPS certificate-based authentication before allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall policy) that includes SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the network user would send traffic using the HTTPS service, which the FortiGate unit would use to verify the network user's certificate; upon successful certificate-based authentication, the network user would then be able to access his or her email.


In most cases, you should ensure that users can use DNS through the FortiGate unit without authentication. If DNS is not available, users will not be able to use a domain name when using a supported authentication protocol to trigger the FortiGate unit's authentication challenge.
Note: If you do not install certificates on the network user's web browser, the network users may see an SSL certificate warning message and have to manually accept the default FortiGate certificate, which the network users' web browsers may then deem as invalid. For information on installing certificates, see System Certificates on page 243.

Note: When you use certificate authentication, if you do not specify any certificate when you create a firewall policy, the FortiGate unit will use the default certificate from the global settings. If you specify a certificate, the per-policy setting will override the global setting. For information on global authentication settings, see Options on page 590.

Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create users, assign them to a firewall user group, and assign a protection profile to that user group. For information on configuring user groups, see User Group on page 583. For information on configuring authentication settings, see Identity-based firewall policy options (non-SSL-VPN) on page 328 and Configuring SSL VPN identity-based firewall policies on page 331.

Identity-based firewall policy options (non-SSL-VPN)


For network users to use non-SSL-VPN identity-based policies, you need to add user groups to the policy. For information about configuring user groups, see User Group on page 583. To configure identity-based policies, go to Firewall > Policy, select Create New to add a firewall policy, or, in the row corresponding to an existing firewall policy, select Edit. Make sure that Action is set to ACCEPT. Select Enable Identity Based Policy.
Figure 193: Selecting user groups for authentication (callouts: Edit, Delete)

Enable Identity Based Policy: Select to enable identity-based policy authentication. When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user's credentials.
Add: Select to create an identity-based firewall policy. For more information, see To create an identity-based firewall policy (non-SSL-VPN) on page 329.
User Group: The selected user groups that must authenticate to be allowed to use this policy.
Schedule: The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see Firewall Schedule on page 361.


Service: The firewall service or service group that packets must match to trigger this policy.
Profile: The protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see Firewall Protection Profile on page 397.
Traffic Shaping: The traffic shaping configuration for this policy. For more information, see Firewall Policy on page 319.
Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.
Log Traffic: If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.
Delete icon: Select to remove this policy.
Edit icon: Select to modify this policy.
Firewall: Include firewall user groups defined locally on the FortiGate unit, as well as on any connected LDAP and RADIUS servers. This option is selected by default.
Directory Service (FSAE): Include Directory Service groups defined in User > User Group. The groups are authenticated through a domain controller using Fortinet Server Authentication Extensions (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller. For information about FSAE, see the FSAE Technical Note. For information about configuring user groups, see User Group on page 583.
NTLM Authentication: Include Directory Service groups defined in User > User Group. If you select this option, you must use Directory Service groups as the members of the authentication group for NTLM. For information about configuring user groups, see User Group on page 583.
Certificate: Certificate-based authentication only. Select the protection profile that guest accounts will use. Note: In order to implement certificate-based authentication, you must select a firewall service group that includes one of the supported authentication protocols that use certificate-based authentication. You should also install the certificate on the network user's web browser. For more information, see Adding authentication to firewall policies on page 327.

To create an identity-based firewall policy (non-SSL-VPN)

1 Go to Firewall > Policy > Policy and select Create New.
2 Configure Source Interface/Zone, Source Address, Destination Interface/Zone, Destination Address, Schedule, and Service. For more information, see Configuring firewall policies on page 323.
3 In the Action field, select ACCEPT.
4 Select the Enable Identity Based Policy check box. A table opens below the check box.
5 Select Add.

Figure 194: Creating identity-based firewall policies

6 From the Available User Groups list, select one or more user groups that must authenticate to be allowed to use this policy. Select the right arrow to move the selected user groups to the Selected User Groups list.
7 Select services in the Available Services list and then select the right arrow to move them to the Selected Services list.
8 Select a schedule from the Schedule drop-down list. There is no default.
9 Optionally, select a Protection Profile, enable User Authentication Disclaimer or Log Allowed Traffic.
10 Optionally, select Traffic Shaping and choose a traffic shaper.
11 Select OK.

IPSec firewall policy options


In a firewall policy (see Configuring firewall policies on page 323), the following encryption options are available for IPSec. To configure these options, go to Firewall > Policy, select Create New to add a firewall policy, or in the row corresponding to an existing firewall policy, select Edit. Make sure that Action is set to IPSEC. Enter the information in the following table and select OK.
Figure 195: IPSEC encryption policy

VPN Tunnel: Select the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.

Allow Inbound: Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel.

Allow Outbound: Select to enable traffic from computers on the local private network to initiate the tunnel.

Inbound NAT: Select to translate the source IP addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.

Outbound NAT: Select only in combination with a natip CLI value to translate the source addresses of outbound cleartext packets into the IP address that you specify. When a natip value is specified, the source addresses of outbound IP packets are replaced before the packets are sent through the tunnel. For more information, see the firewall chapter of the FortiGate CLI Reference.

Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction of communication, with the IPSec virtual interface as the source or destination interface as appropriate.

For more information, see the Defining firewall policies chapter of the FortiGate IPSec VPN User Guide.

Configuring SSL VPN identity-based firewall policies


For network users to use SSL-VPN identity-based policies, you must configure users, add them to user groups, and then configure the policy. To create an identity-based firewall policy (SSL-VPN), go to Firewall > Policy > Policy and select Create New and enter the information in the following table. Select Action > SSL VPN.
Note: The SSL-VPN option is only available from the Action list after you have added SSL VPN user groups. To add SSL VPN user groups, see SSL VPN user groups on page 585.

For more information, see Configuring firewall policies on page 323.


Figure 196: Configuring a new SSL VPN firewall policy

Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received.

Source Address: Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see Configuring addresses on page 347. If Action is set to SSL-VPN and the policy is for web-only mode clients, select all. If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address: Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy. You can also create firewall addresses by selecting Create New from this list. For more information, see Configuring addresses on page 347. If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK. If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see Firewall Virtual IP on page 365. If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel. If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Action: Select SSL-VPN to configure the firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group.

SSL Client Certificate Restrictive: Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.

Cipher Strength: Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High >= 164, or Medium >= 128.

User Authentication Method: Select the authentication server type by which the user will be authenticated:
Any: For any of the listed authentication methods. Local is attempted first, then RADIUS, then LDAP.
Local: For a local user group that will be bound to this firewall policy.
RADIUS: For remote clients that will be authenticated by an external RADIUS server.
LDAP: For remote clients that will be authenticated by an external LDAP server.
TACACS+: For remote clients that will be authenticated by an external TACACS+ server.

NAT: Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port. If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.

Fixed Port: Select Fixed Port to prevent NAT from translating the source port.

Enable Identity Based Policy: Select to configure an SSL-VPN firewall policy that requires authentication.

Add: Select to configure the valid authentication methods, user group names, and services. For more information, see User Group on page 583.

Comments: Add information about the policy. The maximum length is 63 characters.

To create an identity based firewall policy, select the Enable Identity Based Policy check box. A table opens below the check box. Select Add. The New Authentication Rule dialog opens (see Figure 197).


Figure 197: New Authentication Rule

User Group
Available User Groups: List of user groups available for inclusion in the firewall policy. To add a user group to the list, select the name and then select the Right Arrow.
Selected User Groups: List of user groups that are included in the firewall policy. To remove a user group from the list, select the name and then select the Left Arrow.

Service
Available Services: List of available services to include in the firewall policy. To add a service to the list, select the name and then select the Right Arrow.
Selected Services: List of services that are included in the firewall policy. To remove a service from the list, select the name and then select the Left Arrow.

Schedule: Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see Firewall Schedule on page 361.

Protection Profile: Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see Firewall Protection Profile on page 397.

Traffic Shaping: Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about traffic shaping, see Traffic Shaping on page 423.

Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy's shaping configuration to traffic from port2 to port1.

Log Allowed Traffic: Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information see Log&Report on page 647.

For information about how to create a firewall encryption policy for SSL VPN users, see the SSL VPN administration tasks chapter of the FortiGate SSL VPN User Guide.
Figure 198: Selecting user groups for authentication

Enable Identity Based Policy: Select to enable identity-based policy authentication.

Add: Select to create an identity-based firewall policy.

Rule ID: The ID number of the policy.

User Group: The selected user groups that must authenticate to be allowed to use this policy.

Schedule: The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see Firewall Schedule on page 361.

Service: The firewall service or service group that packets must match to trigger this policy.

Profile: The protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see Firewall Protection Profile on page 397.

Traffic Shaping: The traffic shaping configuration for this policy. For more information, see Traffic Shaping on page 423.

Log Traffic: If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.

Delete icon: Select to delete this policy.

Edit icon: Select to edit this policy.

Move Up or Move Down: Select to move the policy in the list. Firewall policy order affects policy matching. You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with user groups.

Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used as the source address for new sessions started by SSL VPN.

Note: The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN traffic, but has no effect on web-mode SSL VPN traffic.

Endpoint Compliance Check options


You can require users of a firewall policy to have FortiClient Endpoint Security software installed. Optionally, you can also require that the antivirus signatures are up-to-date and check for the presence of specific applications on the computer. You can quarantine noncompliant users to a web portal, from which they can download the FortiClient installer or update their antivirus signatures. For more information about configuring the Endpoint Control feature and monitoring endpoints, see Endpoint control on page 641. In a new or existing firewall policy, the following options configure the Endpoint Compliance Check:
Figure 199: Endpoint Compliance firewall policy options

Enable Endpoint Compliance Check: Check that the source hosts of this firewall policy have FortiClient Endpoint Security software installed. Make sure that all of these hosts are capable of installing the software. You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.

Enforce FortiClient AV Up-to-date: Check that the FortiClient Endpoint Security application has the antivirus (real-time protection) feature enabled and is using the latest version of the antivirus signatures available from FortiGuard Services.

Collect System Information from the Endpoints: Collect information about the host computer, its operating system and specific installed applications. This information is displayed in the Endpoints list. See Monitoring endpoints on page 644.

Redirect Non-conforming Clients to Download Portal: The non-compliant user sees a web page that explains why they are non-compliant. The page also provides links to download a FortiClient application installer. To edit this web page go to System > Config > Replacement Messages and edit the Endpoint Control Download Portal replacement message. If the redirect is not enabled, the non-compliant user simply has no network access.


Note: If the firewall policy involves a load balancing virtual IP, the endpoint compliance check is not performed.

DoS policies
DoS policies are primarily used to apply DoS sensors to network traffic based on the FortiGate interface it is leaving or entering as well as the source and destination addresses. DoS sensors are a traffic anomaly detection feature that identifies network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it.

DoS policies examine network traffic very early in the sequence of protective measures the FortiGate unit deploys to protect your network. Because of this, DoS policies are a very efficient defence, using few resources. The previously mentioned denial of service would be detected and its packets dropped before requiring firewall policy look-ups, antivirus scans, and other protective but resource-intensive operations.

Viewing the DoS policy list


The DoS policy list displays the DoS policies in their order of matching precedence for each interface, source/destination address pair, and service. If virtual domains are enabled on the FortiGate unit, DoS policies are configured separately for each virtual domain; you must access the VDOM before you can configure its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to the VDOM whose policies you want to configure, select Enter. You can add, delete, edit, and re-order policies in the DoS policy list. DoS policy order affects policy matching. As with firewall policies, DoS policies are checked against traffic in the order in which they appear in the DoS policy list, one at a time, from top to bottom. When a matching policy is discovered, it is used and further checking for DoS policy matches are stopped. To view the DoS policy list, go to Firewall > Policy > DoS Policy.
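The session-counting behaviour that the DoS sensor description above relies on, shown as an added Python example that is not FortiGate code: a source that starts more than a threshold of new sessions inside a sliding time window is flagged, and its further sessions are dropped before anything more expensive (policy look-up, antivirus, IPS) would run. The flow records, the threshold of 10 sessions per second and the addresses are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample flow records: (start time in seconds, source IP, destination IP, destination port).
# One internal host opens a session every three seconds; one external host opens 20 sessions
# to the web server within half a second.
SAMPLE_FLOWS = sorted(
    [(3.0 * i, "192.168.100.10", "10.10.10.3", 80) for i in range(4)]
    + [(5.0 + 0.025 * i, "203.0.113.7", "10.10.10.3", 80) for i in range(20)]
)


class SessionRateSensor:
    """Flags a source that starts more than `threshold` new sessions within any `window` seconds."""

    def __init__(self, threshold=10, window=1.0):
        self.threshold = threshold
        self.window = window
        self._recent = defaultdict(deque)  # source IP -> start times of its recent sessions

    def observe(self, start, src):
        """Record one new session; return True if the source now exceeds the threshold."""
        recent = self._recent[src]
        recent.append(start)
        while recent and start - recent[0] > self.window:  # forget sessions outside the window
            recent.popleft()
        return len(recent) > self.threshold


def run_sensor(flows, threshold=10, window=1.0):
    """Return (flagged session count per source, flows that pass on to the rest of the pipeline)."""
    sensor = SessionRateSensor(threshold, window)
    flagged = defaultdict(int)
    passed = []
    for start, src, dst, port in sorted(flows):
        if sensor.observe(start, src):
            flagged[src] += 1  # dropped here, before policy look-up, antivirus or other scanning
        else:
            passed.append((start, src, dst, port))
    return dict(flagged), passed


if __name__ == "__main__":
    counts, remaining = run_sensor(SAMPLE_FLOWS)
    print("flagged sessions per source:", counts)
    print("sessions handed to firewall policy look-up:", len(remaining))
```

With the sample data the internal host is never flagged, while the external host's eleventh and later sessions (10 of its 20) are flagged; only 14 of the 24 flows reach the stage where a firewall policy would be looked up. Raising the threshold above the burst size flags nothing, which is the trade-off a sensor threshold always carries.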
Figure 200: The DoS policy list

Create New: Add a firewall policy. Select the down arrow beside Create New to add a firewall policy or firewall policy section. A firewall policy section visually groups firewall policies. For more information, see Configuring DoS policies on page 338.

Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table.

Section View: Select to display firewall policies organized by interface.

Global View: Select to list all firewall policies in order according to a sequence number.

Filter icon: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 53.

Status: When selected, the DoS policy is enabled. Clear the checkbox to disable the policy.

ID: A unique identifier for each policy. Policies are numbered in the order they are created.

Source: The source address or address group to which the policy applies. For more information, see Firewall Address on page 345.

Destination: The destination address or address group to which the policy applies. For more information, see Firewall Address on page 345.

Service: The service to which the policy applies. For more information, see Firewall Service on page 351.

DoS: The DoS sensor selected in this policy.

Interface: The interface to which this policy applies.

Delete icon: Delete the policy from the list.

Edit icon: Edit the policy.

Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).

Move To icon: Move the corresponding policy before or after another policy in the list.

Configuring DoS policies


The DoS policy configuration allows you to specify the interface, a source address, a destination address, and a service. All of the specified attributes must match network traffic to trigger the policy. You can also use the config firewall interface-policy CLI command to specify an IPS sensor to function as part of a DoS policy. For more information, see the FortiGate CLI Reference. For IPv6 operation, DoS sensors are not supported. Further, you must specify IPS sensors with the config firewall interface-policy CLI command. For more information on FortiGate IPv6 support, see FortiGate IPv6 support on page 230.
Figure 201: Editing a DoS policy

Source Interface/Zone: The interface or zone to be monitored.

Source Address: Select an address or address range to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges.

Destination Address: Select an address or address range to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges.

Service: Select a service to limit traffic monitoring to only the selected type.

DoS Sensor: Select and specify a DoS sensor to have the FortiGate apply the sensor to matching network traffic.

Firewall policy examples


FortiGate units are capable of meeting various network requirements from home use to SOHO, large enterprises and ISPs. The following two scenarios demonstrate practical applications of firewall policies in the SOHO and large enterprise environments.

This section describes:
Scenario one: SOHO-sized business
Scenario two: enterprise-sized business
Viewing the firewall policy list
Configuring firewall policies

Scenario one: SOHO-sized business


Company A is a small software company performing development and providing customer support. In addition to their internal network of 15 computers, they also have several employees who work from home all or some of the time. With their current network topology, all 15 of the internal computers are behind a router and must go to an external source to access the ISP mail and web servers. All home-based employees access the router through open/non-secured connections.

Figure 202: Example SOHO network before FortiGate installation (diagram labels: Internet; ISP Mail Server; ISP Web Server; 172.16.10.3; Home-based Workers (no secure connection); 192.168.100.1; Finance Department; Internal Network; Help Desk; Engineering Department)

Company A requires secure connections for home-based workers. Like many companies, they rely heavily on email and Internet access to conduct business. They want a comprehensive security solution to detect and prevent network attacks, block viruses, and decrease spam. They want to apply different protection settings for different departments. They also want to integrate web and email servers into the security solution. To deal with their first requirement, Company A configures specific policies for each home-based worker to ensure secure communication between the home-based worker and the internal network.

1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:

Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_Network; Destination: Home_User_1
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home1
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile: Select the check mark and select standard_profile

3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:

Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_network; Destination: All
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home2_Tunnel
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile: Select the check mark and select standard_profile

5 Select OK.
Figure 203: SOHO network topology with FortiGate-100 (diagram labels: Internet; VPN tunnels to Home User 1 at 172.20.100.6 and Home User 2 at 172.25.106.99; FortiGate 100A with External 172.30.120.8, DMZ 10.10.10.1 and Internal 192.168.100.1; Email Server 10.10.10.2 and Web Server 10.10.10.3 in the DMZ; Finance Users 192.168.100.10-192.168.100.20, Help Desk Users 192.168.100.21-192.168.100.50 and Engineering Users 192.168.100.51-192.168.100.100 on the internal network)

The proposed network is based around a FortiGate 100A unit. The 15 internal computers are behind the FortiGate unit. They now access the email and web servers in a DMZ, which is also behind the FortiGate unit. All home-based employees now access the office network through the FortiGate unit via VPN tunnels.


Scenario two: enterprise-sized business


Located in a large city, the library system is anchored by a main downtown location serving most of the population, with more than a dozen branches spread throughout the city. Each branch is wired to the Internet but none are linked with each other by dedicated connections. The current network topology at the main location consists of three user groups. The main branch staff and public terminals access the servers in the DMZ behind the firewall. The catalog access terminals directly access the catalog server without first going through the firewall. The topology at the branch office has all three user groups accessing the servers at the main branch through non-secured Internet connections.
Figure 204: The library system's current network topology

The library must be able to set different access levels for patrons and staff members. The first firewall policy for main office staff members allows full access to the Internet at all times. A second policy will allow direct access to the DMZ for staff members. A second pair of policies is required to allow branch staff members the same access. The staff firewall policies will all use a protection profile configured specifically for staff access. Enabled features include virus scanning, spam filtering, IPS, and blocking of all P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and spyware sites.


A few users may need special web and catalog server access to update information on those servers, depending on how they are configured. Special access can be allowed based on IP address or user. The proposed topology has the main branch staff and the catalog access terminals going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals first go through a FortiWiFi unit, where additional policies can be applied, to the HA cluster and finally to the servers. The branch office has all three user groups routed through a FortiWiFi unit to the main branch via VPN tunnels.
Figure 205: Proposed library system network topology

Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall > Protection Profile.

Main office staff to Internet policy:
Source Interface: Internal
Source Address: All
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept


Main office staff to DMZ policy:
Source Interface: Internal
Source Address: All
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept

Branches staff to Internet policy:
Source Interface: Branches
Source Address: Branch Staff
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept

Branches staff to DMZ policy:
Source Interface: Branches
Source Address: Branch Staff
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept
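First-match evaluation of the four library policies above, as an added Python example that is not FortiGate code. It models each policy as the interface, address and action columns from the tables and checks them top to bottom, stopping at the first match, with an implicit deny when nothing matches. The address values behind All, Branch Staff and Servers, and the extra deny policy for branch public terminals used to show why policy order matters, are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address objects: the guide names them but gives no values for this scenario.
ADDRESSES = {
    "All": ipaddress.ip_network("0.0.0.0/0"),
    "Branch Staff": ipaddress.ip_network("10.20.0.0/24"),
    "Servers": ipaddress.ip_network("10.10.10.0/24"),
}


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    srcaddr: str
    dstintf: str
    dstaddr: str
    action: str  # "Accept" or "Deny"; every example policy uses the Always schedule

    def matches(self, srcintf, src_ip, dstintf, dst_ip):
        """All four attributes must match for the policy to apply."""
        return (self.srcintf == srcintf
                and self.dstintf == dstintf
                and ipaddress.ip_address(src_ip) in ADDRESSES[self.srcaddr]
                and ipaddress.ip_address(dst_ip) in ADDRESSES[self.dstaddr])


# The four policies from the library scenario, in the order the guide lists them.
LIBRARY_POLICIES = [
    Policy("Main office staff to Internet", "Internal", "All", "External", "All", "Accept"),
    Policy("Main office staff to DMZ", "Internal", "All", "DMZ", "Servers", "Accept"),
    Policy("Branches staff to Internet", "Branches", "Branch Staff", "External", "All", "Accept"),
    Policy("Branches staff to DMZ", "Branches", "Branch Staff", "DMZ", "Servers", "Accept"),
]


def evaluate(policies, srcintf, src_ip, dstintf, dst_ip):
    """Check policies top to bottom and stop at the first match; no match means the implicit deny."""
    for policy in policies:
        if policy.matches(srcintf, src_ip, dstintf, dst_ip):
            return policy.action, policy.name
    return "Deny", "implicit deny"


# Hypothetical broader policy for the branch public terminals, used only to show ordering effects.
PUBLIC_TERMINALS_DENY = Policy("Branches public terminals to DMZ",
                               "Branches", "All", "DMZ", "Servers", "Deny")


def ordering_comparison():
    """Same branch-staff session, evaluated with the broad deny placed above and then below the staff policy."""
    staff_session = ("Branches", "10.20.0.5", "DMZ", "10.10.10.2")
    shadowed = evaluate([PUBLIC_TERMINALS_DENY] + LIBRARY_POLICIES, *staff_session)
    intended = evaluate(LIBRARY_POLICIES + [PUBLIC_TERMINALS_DENY], *staff_session)
    return shadowed, intended


if __name__ == "__main__":
    print(evaluate(LIBRARY_POLICIES, "Branches", "10.20.0.5", "DMZ", "10.10.10.2"))
    print(evaluate(LIBRARY_POLICIES, "Branches", "10.20.1.5", "DMZ", "10.10.10.2"))
    print(ordering_comparison())
```

A branch host outside the Branch Staff address gets the implicit deny with the four policies as listed. Placing the broader public-terminals deny above "Branches staff to DMZ" shadows the staff policy and denies staff as well; placing it below keeps staff access and still denies everyone else on the Branches interface, which is the ordering rule the guide states for both firewall and DoS policy lists.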

For more information about these examples, see:
SOHO and SMB Configuration Example Guide
FortiGate Enterprise Configuration Example


Firewall Address
Firewall addresses and address groups define network addresses that you can use in the source and destination address fields when configuring firewall policies. The FortiGate unit compares the IP addresses contained in packet headers with firewall policy source and destination addresses to determine if the firewall policy matches the traffic. You can organize related addresses into address groups to simplify your firewall policy list. If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are configured separately for each virtual domain, and you must first enter the virtual domain to configure its firewall addresses. For details, see Using virtual domains on page 103.

This section describes:
About firewall addresses
Viewing the firewall address list
Configuring addresses
Viewing the address group list
Configuring address groups

About firewall addresses


A firewall address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask, an IP address range, or a fully qualified domain name (FQDN). When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a firewall address can be:
a single computer, such as 192.45.46.45
a subnetwork, such as 192.168.1.0 for a class C subnet
0.0.0.0, which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
netmask for a single computer: 255.255.255.255, or /32
netmask for a class A subnet: 255.0.0.0, or /8
netmask for a class B subnet: 255.255.0.0, or /16
netmask for a class C subnet: 255.255.255.0, or /24
netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:
x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
x.x.x.x/x, such as 192.168.1.0/24

Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address.


When representing hosts by an IP Range, the range indicates hosts with continuous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. Valid IP Range formats include: x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120 x.x.x.[x-x], such as 192.168.110.[100-120] x.x.x.*, such as 192.168.110.*

When representing hosts by a FQDN, the domain name can be a subdomain, such as mail.example.com. A single FQDN firewall address may be used to apply a firewall policy to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate units automatically resolve and maintain a record of all addresses to which the FQDN resolves. Valid FQDN formats include:
<host_name>.<second_level_domain_name>.<top_level_domain_name>, such as mail.example.com
<host_name>.<top_level_domain_name>
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks, because policy matching then relies on a trusted DNS server. Should the DNS server be compromised, firewall policies requiring domain name resolution may no longer function properly.

Note: By default, IPv6 firewall addresses can be configured only in the CLI. For information on enabling configuration of IPv6 firewall addresses in the web-based manager, see Settings on page 228.

Viewing the firewall address list


Firewall addresses in the list are grouped by type: IP/Netmask, FQDN, or IPv6. FortiGate unit default configurations include the all address, which represents any IP address on any network. To view the address list, go to Firewall > Address.
Figure 206: Firewall address list

Create New | Add a firewall address. If IPv6 Support on GUI is enabled, you can alternatively select Create Options (the down arrow) located in the Create New button, then select IPv6 Address, to configure an IPv6 firewall address. For more information on enabling IPv6 support, see Settings on page 228.
Name | The name of the firewall address.
Address / FQDN | The IP address and mask, IP address range, or fully qualified domain name.
Interface | The interface, zone, or virtual domain (VDOM) to which you bind the IP address.
Delete icon | Select to remove the address. The Delete icon appears only if a firewall policy or address group is not currently using the address.
Edit icon | Select to edit the address.

Configuring addresses
You can use one of the following methods to represent hosts in firewall addresses: IP/Netmask, FQDN, or IPv6.
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain name in a firewall policy, while convenient, does present some security risks, because policy matching then relies on a trusted DNS server. Should the DNS server be compromised, firewall policies requiring domain name resolution may no longer function properly.

Note: By default, IPv6 firewall addresses can be configured only in the CLI. For information on enabling configuration of IPv6 firewall addresses in the web-based manager, see Settings on page 228.

To add a firewall address
1 Go to Firewall > Address.
2 Select Create New. If IPv6 Support on GUI is enabled, you can alternatively select the down arrow located in the Create New button, then select IPv6 Address to configure an IPv6 firewall address. For information on enabling configuration of IPv6 firewall addresses in the web-based manager, see Settings on page 228.
3 Complete the following:

Figure 207: New address or IP range options

Address Name | Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names.
Type | Select the type of address: Subnet/IP Range or FQDN.
Subnet / IP Range | You can enter either an IP range or an IP address with subnet mask. Enter the firewall IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen.
Interface | Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface/zone when you create a firewall policy.

4 Select OK.
Tip: You can also create firewall addresses when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address > Create New.

Viewing the address group list


You can organize multiple firewall addresses into an address group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall addresses, you might combine the five addresses into a single address group, which is used by a single firewall policy. To view the address group list, go to Firewall > Address > Group.
Figure 208: Firewall address group list

Create New | Add an address group. If IPv6 Support on GUI is enabled, you can alternatively select Create Options (the down arrow) located in the Create New button, then select IPv6 Address Group, to configure an IPv6 firewall address group. For more information on enabling IPv6 Support on GUI, see Settings on page 228.
Group Name | The name of the address group.
Members | The addresses in the address group.
Delete icon | Select to remove the address group. The Delete icon appears only if the address group is not currently being used by a firewall policy.
Edit icon | Select to edit the address group.

Configuring address groups


Because firewall policies require addresses with homogeneous network interfaces, address groups should contain only addresses bound to the same network interface, or to Any. Addresses whose selected interface is Any are bound to a network interface during creation of a firewall policy, rather than during creation of the firewall address. For example, if address A1 is associated with port1, and address A2 is associated with port2, they cannot be grouped. However, if A1 and A2 have an interface of Any, they can be grouped, even if the addresses involve different networks.

To organize addresses into an address group
1 Go to Firewall > Address > Group.
2 Select Create New.
3 Complete the following:

Figure 209: Address group options

Group Name | Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.
Available Addresses | The list of all configured and default firewall addresses. Use the arrows to move selected addresses between the lists of available and member addresses.
Members | The list of addresses included in the address group. Use the arrows to move selected addresses between the lists of available and member addresses.

4 Select OK.
Tip: You can also create firewall address groups when configuring a firewall policy: Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Source Address list, select Address Group > Create New.
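The address formats listed under About firewall addresses and the same-interface rule for address groups, as an added Python example that is not Fortinet code: parse_address accepts the IP/netmask, IP range and FQDN forms and matches packet addresses against them, and can_group applies the interface rule. Because the unit's own DNS record is not available offline, the addresses an FQDN resolves to are passed in by the caller as a constructed stand-in.

```python
"""Firewall address parser/matcher for the formats listed in this chapter.

Added example, not Fortinet code. Accepts x.x.x.x/x.x.x.x, x.x.x.x/x
(CIDR, stored as dotted decimal like the unit does), x.x.x.x-x.x.x.x,
x.x.x.[x-x], x.x.x.* and FQDN. The unit resolves FQDNs itself; offline,
the caller passes the resolved set (a constructed stand-in for that record).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

_OCTET_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")
_OCTET_WILD = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\*$")
_FQDN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


@dataclass
class FirewallAddress:
    name: str
    interface: str = "any"   # interface, zone or VDOM link; Any = bound at policy time
    network: Optional[ipaddress.IPv4Network] = None   # IP/Netmask form
    ip_range: Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = None  # inclusive
    fqdn: Optional[str] = None
    resolved: FrozenSet[ipaddress.IPv4Address] = frozenset()  # what the FQDN resolves to

    @property
    def netmask(self) -> Optional[str]:
        """Dotted-decimal netmask, which is how the unit stores CIDR input."""
        return str(self.network.netmask) if self.network is not None else None

    def matches(self, ip: str) -> bool:
        """True when a packet address falls inside this firewall address."""
        addr = ipaddress.IPv4Address(ip)
        if self.network is not None:
            return addr in self.network
        if self.ip_range is not None:
            return self.ip_range[0] <= addr <= self.ip_range[1]
        return addr in self.resolved   # FQDN: only currently resolved hosts match


def parse_address(name, spec, interface="any", resolved=()):
    """Build a FirewallAddress from one of the guide's textual forms."""
    spec = spec.strip()
    if "/" in spec:   # IP/netmask, dotted decimal or CIDR
        net = ipaddress.IPv4Network(spec, strict=False)
        if net.prefixlen == 32 and int(net.network_address) == 0:
            raise ValueError("0.0.0.0/255.255.255.255 is not a valid firewall address")
        return FirewallAddress(name, interface, network=net)
    m = _OCTET_RANGE.match(spec)
    if m:   # x.x.x.[x-x]
        first = ipaddress.IPv4Address(f"{m.group(1)}.{int(m.group(2))}")
        last = ipaddress.IPv4Address(f"{m.group(1)}.{int(m.group(3))}")
    elif _OCTET_WILD.match(spec):   # x.x.x.*: the whole last octet
        stem = _OCTET_WILD.match(spec).group(1)
        first, last = ipaddress.IPv4Address(f"{stem}.0"), ipaddress.IPv4Address(f"{stem}.255")
    elif _FQDN.match(spec):   # checked before the hyphen form: hostnames may contain '-'
        hosts = frozenset(ipaddress.IPv4Address(a) for a in resolved)
        return FirewallAddress(name, interface, fqdn=spec.lower(), resolved=hosts)
    elif "-" in spec:   # x.x.x.x-x.x.x.x
        lo, hi = spec.split("-", 1)
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    else:
        raise ValueError(f"unrecognised firewall address format: {spec!r}")
    if first > last:
        raise ValueError(f"range start exceeds range end: {spec!r}")
    return FirewallAddress(name, interface, ip_range=(first, last))


def can_group(addresses) -> bool:
    """Address-group rule from the guide: members must all be bound to the same
    interface, or all be Any. Mixing Any with a named interface is not covered
    by the text, so it is rejected here (conservative assumption)."""
    return len({a.interface.lower() for a in addresses}) <= 1
```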

Firewall Service
Firewall services define one or more protocols and port numbers associated with each service. Firewall policies use service definitions to match session types. You can organize related services into service groups to simplify your firewall policy list. If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall services separately for each virtual domain. For more information, see Using virtual domains on page 103.

This section describes:
Viewing the predefined service list
Viewing the custom service list
Configuring custom services
Viewing the service group list
Configuring service groups

Viewing the predefined service list


Many well-known traffic types have been predefined in firewall services. These predefined services are defaults, and cannot be edited or removed. However, if you require different services, you can create custom services. For more information, see Configuring custom services on page 357. To view the predefined service list, go to Firewall > Service > Predefined.
Figure 210: Predefined service list

Name | The name of the predefined service.
Detail | The protocol and port number of the predefined service.

Table 43: Predefined services

Service name | Description | IP Protocol | Port
AFS3 | Advanced File Security Encrypted File, version 3, of the AFS distributed file system protocol. | TCP, UDP | 7000-7009
AH | Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode. | 51 | -
ANY | Matches connections using any protocol over IP. | all | all
AOL | America Online Instant Message protocol. | TCP | 5190-5194
BGP | Border Gateway Protocol. BGP is an interior/exterior routing protocol. | TCP | 179
CVSPSERVER | Concurrent Versions System Proxy Server. CVSPSERVER is very good for providing anonymous CVS access to a repository. | TCP, UDP | 2401
DCE-RPC | Distributed Computing Environment / Remote Procedure Calls. Applications using DCE-RPC can call procedures from another application without having to know on which host the other application is running. | TCP, UDP | 135
DHCP | Dynamic Host Configuration Protocol. DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts. | UDP | 67, 68
DHCP6 | Dynamic Host Configuration Protocol for IPv6. | UDP | 546, 547
DNS | Domain Name Service. DNS resolves domain names into IP addresses. | TCP, UDP | 53
ESP | Encapsulating Security Payload. ESP is used by manual key and AutoIKE IPSec VPN tunnels for communicating encrypted data. AutoIKE VPN tunnels use ESP after establishing the tunnel by IKE. | 50 | -
FINGER | A network service providing information about users. | TCP | 79
FTP | File Transfer Protocol. | TCP | 21
FTP_GET | File Transfer Protocol. FTP-GET is used for FTP connections which upload files. | TCP | 21
FTP_PUT | File Transfer Protocol. FTP-PUT is used for FTP connections which download files. | TCP | 21
GOPHER | Gopher organizes and displays Internet server contents as a hierarchically structured list of files. | TCP | 70
GRE | Generic Routing Encapsulation. GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets. | 47 | -
H323 | H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data can be transmitted across networks. For more information, see the FortiGate Support for H.323 Technical Note. | TCP, UDP | 1720, 1503 (TCP); 1719 (UDP)
HTTP | Hypertext Transfer Protocol. HTTP is used to browse web pages on the World Wide Web. | TCP | 80
HTTPS | HTTP with secure socket layer (SSL). HTTPS is used for secure communication with web servers. | TCP | 443
ICMP_ANY | Internet Control Message Protocol. ICMP allows control messages and error reporting between a host and gateway (Internet). | ICMP | Any
IKE | Internet Key Exchange. IKE obtains authenticated keying material for use with the Internet Security Association and Key Management Protocol (ISAKMP) for IPSEC. | UDP | 500, 4500
IMAP | Internet Message Access Protocol. IMAP is used by email clients to retrieve email messages from email servers. | TCP | 143
IMAPS | IMAP with SSL. IMAPS is used for secure IMAP communication between email clients and servers. IMAPS is only available on FortiGate units that support SSL content scanning and inspection. | TCP | 993
INFO_ADDRESS | ICMP address mask request messages. | ICMP | 17
INFO_REQUEST | ICMP information request messages. | ICMP | 15
IRC | Internet Relay Chat. IRC allows users to join chat channels. | TCP | 6660-6669
Internet-Locator-Service | Internet Locator Service. ILS includes LDAP, User Locator Service, and LDAP over TLS/SSL. | TCP | 389
L2TP | Layer 2 Tunneling Protocol. L2TP is a PPP-based tunnel protocol for remote access. | TCP, UDP | 1701
LDAP | Lightweight Directory Access Protocol. LDAP is used to access information directories. | TCP | 389
MGCP | Media Gateway Control Protocol. MGCP is used by call agents and media gateways in distributed Voice over IP (VoIP) systems. | UDP | 2427, 2727
MS-SQL | Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL. | TCP | 1433, 1434
MYSQL | MySQL is a relational database management system (RDBMS) which runs as a server providing multi-user access to a number of databases. | TCP | 3306
NFS | Network File System. NFS allows network users to mount shared files. | TCP, UDP | 111, 2049
NNTP | Network News Transport Protocol. NNTP is used to post, distribute, and retrieve Usenet messages. | TCP | 119
NTP | Network Time Protocol. NTP synchronizes a host's time with a time server. | TCP, UDP | 123
NetMeeting | NetMeeting allows users to teleconference using the Internet as the transmission medium. | TCP | 1720
ONC-RPC | Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system. | TCP, UDP | 111
OSPF | Open Shortest Path First. OSPF is a common link state routing protocol. | 89 | -
PC-Anywhere | PC-Anywhere is a remote control and file transfer protocol. | TCP, UDP | 5631 (TCP); 5632 (UDP)
PING | Ping sends ICMP echo request/replies to test connectivity to other hosts. | ICMP | 8
PING6 | Ping6 sends ICMPv6 echo request/replies to network hosts to test IPv6 connectivity to other hosts. | 58 | -
POP3 | Post Office Protocol v3. POP retrieves email messages. | TCP | 110
POP3S | Post Office Protocol v3 with secure socket layer (SSL). POP3S is used for secure retrieval of email messages. POP3S is only available on FortiGate units that support SSL content scanning and inspection. | TCP | 995
PPTP | Point-to-Point Tunneling Protocol. PPTP is used to tunnel connections between private network hosts over the Internet. Note: Also requires IP protocol 47. | TCP | 1723
QUAKE | Quake multi-player computer game traffic. | UDP | 26000, 27000, 27910, 27960
RADIUS | Remote Authentication Dial In User Service. RADIUS is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service. | TCP | 1812, 1813
RAUDIO | RealAudio multimedia traffic. | UDP | 7070
RDP | Remote Desktop Protocol is a multi-channel protocol that allows a user to connect to a networked computer. | TCP | 3389
REXEC | Rexec traffic allows specified commands to be executed on a remote host running the rexecd service (daemon). | TCP | 512
RIP | Routing Information Protocol. RIP is a common distance vector routing protocol. This service matches RIP v1. | UDP | 520
RLOGIN | Remote login traffic. | TCP | 513
RSH | Remote Shell traffic allows specified commands to be executed on a remote host running the rshd service (daemon). | TCP | 514
RTSP | Real Time Streaming Protocol is a protocol for use in streaming media systems which allows a client to remotely control a streaming media server, issuing VCR-like commands such as play and pause, and allowing time-based access to files on a server. | TCP, UDP | 554, 7070, 8554 (TCP); 554 (UDP)
SAMBA | Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon. | TCP | 139
SCCP | Skinny Client Control Protocol. SCCP is a Cisco proprietary standard for terminal control for use with voice over IP (VoIP). | TCP | 2000
SIP | Session Initiation Protocol. SIP allows audiovisual conferencing data to be transmitted across networks. For more information, see the FortiGate SIP Support Technical Note. | UDP | 5060
SIP-MSNmessenger | Session Initiation Protocol used by Microsoft Messenger to initiate an interactive, possibly multimedia session. | TCP | 1863
SMTP | Simple Mail Transfer Protocol. SMTP is used for sending email messages between email clients and email servers, and between email servers. | TCP | 25
SMTPS | SMTP with SSL. Used for sending email messages between email clients and email servers, and between email servers securely. SMTPS is only available on FortiGate units that support SSL content scanning and inspection. | TCP | 465
SNMP | Simple Network Management Protocol. SNMP can be used to monitor and manage complex networks. | TCP, UDP | 161-162
SOCKS | SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall. | TCP, UDP | 1080
SQUID | A proxy server and web cache daemon that has a wide variety of uses, including speeding up a web server by caching repeated requests; caching web, DNS and other computer network lookups for a group of people sharing network resources; and aiding security by filtering traffic. | TCP | 3128
SSH | Secure Shell. SSH allows secure remote management and tunneling. | TCP, UDP | 22
SYSLOG | Syslog service for remote logging. | UDP | 514
TALK | Talk allows conversations between two or more users. | UDP | 517-518
TCP | Matches connections using any TCP port. | TCP | 0-65535
TELNET | Allows plain text remote management. | TCP | 23
TFTP | Trivial File Transfer Protocol. TFTP is similar to FTP, but without security features such as authentication. | UDP | 69
TIMESTAMP | ICMP timestamp request messages. | ICMP | 13
TRACEROUTE | A computer network tool used to determine the route taken by packets across an IP network. | TCP, UDP | 33434
UDP | Matches connections using any UDP port. | UDP | 0-65535
UUCP | Unix to Unix Copy Protocol. UUCP provides simple file copying. | UDP | 540
VDOLIVE | VDO Live streaming multimedia traffic. | TCP | 7000-7010
VNC | Virtual Network Computing. VNC is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer. | TCP | 5900
WAIS | Wide Area Information Server. WAIS is an Internet search protocol which may be used in conjunction with Gopher. | TCP | 210
WINFRAME | WinFrame provides communications between computers running Windows NT, or Citrix WinFrame/MetaFrame. | TCP | 1494
WINS | Windows Internet Name Service is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names. | TCP, UDP | 1512
X-WINDOWS | X Window System (also known as X11) can forward the graphical shell from an X Window server to X Window client. | TCP | 6000-6063

Viewing the custom service list


If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service. To view the custom service list, go to Firewall > Service > Custom.


Figure 211: Custom service list

Create New | Add a custom service.
Service Name | The name of the custom service.
Detail | The protocol and port numbers for each custom service.
Delete icon | Remove the custom service. The Delete icon appears only if the service is not currently being used by a firewall policy.
Edit icon | Edit the custom service.

Configuring custom services


If you need to create a firewall policy for a service that is not in the predefined service list, you can add a custom service.
Tip: You can also create custom services when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service > Create New.

To add a custom TCP or UDP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to TCP/UDP.
4 Complete the fields in the following table and select OK.

Figure 212: New Custom Service - TCP/UDP

Name | Enter a name for the custom service.
Protocol Type | Select TCP/UDP.
Protocol | Select TCP or UDP as the protocol of the port range being added.
Source Port | Specify the source port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields. The default values allow the use of any source port.
Destination Port | Specify the destination port number range for the service by entering the low and high port numbers. If the service uses one port number, enter this number in both the Low and High fields.
Add | If your custom service requires more than one port range, select Add to allow more source and destination ranges.
Delete icon | Remove the entry from the list.

To add a custom ICMP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to ICMP.
4 Complete the fields in the following table and select OK.

Figure 213: New Custom Service - ICMP

Name | Enter a name for the ICMP custom service.
Protocol Type | Select ICMP.
Type | Enter the ICMP type number for the service.
Code | If required, enter the ICMP code number for the service.

To add a custom IP service
1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to IP.
4 Complete the fields in the following table and select OK.

Figure 214: New Custom Service - IP

Name | Enter a name for the IP custom service.
Protocol Type | Select IP.
Protocol Number | Enter the IP protocol number for the service.

Viewing the service group list


You can organize multiple firewall services into a service group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall services, you might combine the five services into a single service group that is used by a single firewall policy. Service groups can contain both predefined and custom services. Service groups cannot contain other service groups. To view the service group list, go to Firewall > Service > Group.
Figure 215: Sample service group list

Create New | Add a service group.
Group Name | The name to identify the service group.
Members | The services added to the service group.
Delete icon | Remove the entry from the list. The Delete icon appears only if the service group is not selected in a firewall policy.
Edit icon | Select to edit the Group Name and Members.

Configuring service groups


You can organize multiple firewall services into a service group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related firewall services, you might combine the five services into a single service group, which is used by a single firewall policy. Service groups can contain both predefined and custom services. Service groups cannot contain other service groups. To organize services into a service group, go to Firewall > Service > Group.
Tip: You can also create custom service groups when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Service list, select Service Group > Create New.


Figure 216: Service Group

Group Name | Enter a name to identify the service group.
Available Services | The list of configured and predefined services available for your group, with custom services at the bottom. Use the arrows to move selected services between this list and Members.
Members | The list of services in the group. Use the arrows to move selected services between this list and Available Services.
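The three custom service types (TCP/UDP port ranges, ICMP type and optional code, IP protocol number) and service groups, as an added Python example that is not Fortinet code: it matches constructed packet summaries against services and groups, enforces the rule that groups cannot contain other groups, and transcribes a few predefined entries from Table 43 so that a PPTP group can be paired with GRE (IP protocol 47) as the table's note requires.

```python
"""Service and service-group matcher for the custom service types above.

Added example, not Fortinet code. Predefined entries are copied from
Table 43; Packet values are constructed. Port ranges are inclusive, and a
source range of 0-65535 stands for "any source port" (the default the
guide mentions for the Source Port fields).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Union

IPPROTO = {"ICMP": 1, "TCP": 6, "UDP": 17}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: protocol number plus the fields a service can test."""
    protocol: int
    src_port: int = 0        # TCP/UDP only
    dst_port: int = 0
    icmp_type: int = -1      # ICMP only
    icmp_code: int = -1


@dataclass(frozen=True)
class PortEntry:
    proto: str               # "TCP" or "UDP", as selected in the Protocol field
    dst_low: int
    dst_high: int
    src_low: int = 0         # default: any source port
    src_high: int = 65535

    def __post_init__(self):
        if self.proto not in ("TCP", "UDP"):
            raise ValueError(f"protocol must be TCP or UDP, got {self.proto!r}")
        for low, high in ((self.src_low, self.src_high), (self.dst_low, self.dst_high)):
            if not 0 <= low <= high <= 65535:
                raise ValueError(f"bad port range {low}-{high}")


@dataclass
class Service:
    name: str
    protocol_type: str       # "TCP/UDP", "ICMP" or "IP"
    ports: List[PortEntry] = field(default_factory=list)   # TCP/UDP rows (Add creates more)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None   # None = code not specified, any code matches
    ip_protocol: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol_type == "TCP/UDP":
            return any(pkt.protocol == IPPROTO[e.proto]
                       and e.src_low <= pkt.src_port <= e.src_high
                       and e.dst_low <= pkt.dst_port <= e.dst_high
                       for e in self.ports)
        if self.protocol_type == "ICMP":
            return (pkt.protocol == IPPROTO["ICMP"] and pkt.icmp_type == self.icmp_type
                    and (self.icmp_code is None or pkt.icmp_code == self.icmp_code))
        if self.protocol_type == "IP":
            return pkt.protocol == self.ip_protocol
        raise ValueError(f"unknown protocol type {self.protocol_type!r}")


@dataclass
class ServiceGroup:
    """Group of predefined and/or custom services; groups cannot nest."""
    name: str
    members: List[Service] = field(default_factory=list)

    def __post_init__(self):
        if any(isinstance(m, ServiceGroup) for m in self.members):
            raise ValueError("service groups cannot contain other service groups")

    def matches(self, pkt: Packet) -> bool:
        return any(m.matches(pkt) for m in self.members)


def first_match(pkt: Packet, services: List[Union[Service, ServiceGroup]]) -> Optional[str]:
    """Name of the first service or group matching the packet, in list order."""
    for svc in services:
        if svc.matches(pkt):
            return svc.name
    return None


# A few predefined services transcribed from Table 43.
SSH = Service("SSH", "TCP/UDP", [PortEntry("TCP", 22, 22), PortEntry("UDP", 22, 22)])
PPTP = Service("PPTP", "TCP/UDP", [PortEntry("TCP", 1723, 1723)])
GRE = Service("GRE", "IP", ip_protocol=47)   # PPTP also requires IP protocol 47
PING = Service("PING", "ICMP", icmp_type=8)
TIMESTAMP = Service("TIMESTAMP", "ICMP", icmp_type=13)

# A custom service with a restricted source range, and a group pairing PPTP with GRE.
MYAPP = Service("MYAPP", "TCP/UDP", [PortEntry("TCP", 8443, 8443, src_low=1024, src_high=65535)])
VPN_GROUP = ServiceGroup("VPN", [PPTP, GRE])
```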

Firewall Schedule
Firewall schedules control when policies are in effect. You can create one-time schedules or recurring schedules. One-time schedules are in effect only once for the period of time specified in the schedule. Recurring schedules are in effect repeatedly at specified times of specified days of the week. If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall schedules separately for each virtual domain. For more information, see Using virtual domains on page 103.

This section describes:
Viewing the recurring schedule list
Configuring recurring schedules
Viewing the one-time schedule list
Configuring one-time schedules

Viewing the recurring schedule list


You can create a recurring schedule that activates a policy during a specified period of time. For example, you might prevent game playing during office hours by creating a recurring schedule that covers office hours.
Note: If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect at the start time but end at the stop time on the next day. You can use this technique to create recurring schedules that run from one day to the next. For example, to prevent game playing except at lunchtime, you might set the start time for a recurring schedule at 1:00 p.m. and the stop time at 12:00 noon. To create a recurring schedule that runs for 24 hours, set the start and stop times to 00.

To view the recurring schedule list, go to Firewall > Schedule > Recurring.
Figure 217: Recurring schedule list

Create New | Add a recurring schedule.
Name | The name of the recurring schedule.
Day | The initials of the days of the week on which the schedule is active.
Start | The start time of the recurring schedule.
Stop | The stop time of the recurring schedule.
Delete icon | Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.
Edit icon | Edit the schedule.

Configuring recurring schedules


To add a recurring schedule, go to Firewall > Schedule > Recurring. Complete the fields as described in the following table and select OK. To put a policy into effect for an entire day, set schedule start and stop times to 00.
Figure 218: New Recurring Schedule

Name | Enter a name to identify the recurring schedule.
Select | Select the days of the week for the schedule to be active.
Start | Select the start time for the recurring schedule.
Stop | Select the stop time for the recurring schedule.

Tip: You can also create recurring schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select Recurring > Create New.

Viewing the one-time schedule list


You can create a one-time schedule that activates a policy during a specified period of time. For example, a firewall might be configured with a default policy that allows access to all services on the Internet at all times, but you could add a one-time schedule to block access to the Internet during a holiday. To view the one-time schedule list, go to Firewall > Schedule > One-time.
Figure 219: One-time schedule list

Create New | Add a one-time schedule.
Name | The name of the one-time schedule.
Start | The start date and time for the schedule.
Stop | The stop date and time for the schedule.
Delete icon | Remove the schedule from the list. The Delete icon appears only if the schedule is not being used in a firewall policy.
Edit icon | Edit the schedule.

Configuring one-time schedules


To add a one-time schedule, go to Firewall > Schedule > One-time. Complete the fields as described in the following table and select OK. To put a policy into effect for an entire day, set schedule start and stop times to 00.
Figure 220: New One-time Schedule

Name | Enter a name to identify the one-time schedule.
Start | Select the start date and time for the schedule.
Stop | Select the stop date and time for the schedule.

Tip: You can also create one-time schedules when you configure a firewall policy. Go to Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule list, select One-time > Create New.
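Recurring and one-time schedule evaluation, as an added Python example that is not Fortinet code: it implements the rule that a recurring stop time earlier than the start time ends on the next day (the guide's lunchtime case) and the rule that start and stop both set to 00 cover the whole day. Treating the window as half-open (active at the start time, no longer active at the stop time) is an assumption, as are the constructed dates.

```python
"""Schedule evaluation for the recurring and one-time schedules described above.

Added example, not Fortinet code. Implements the two rules the guide gives:
a recurring stop time earlier than the start time ends on the next day, and
start and stop both 00 put the policy in effect for the whole day. The window
is treated as half-open (assumption); all dates below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")   # datetime.weekday() order
MIDNIGHT = time(0, 0)


def at(year, month, day, hour=0, minute=0) -> datetime:
    """Small constructor so callers need only this module's names."""
    return datetime(year, month, day, hour, minute)


@dataclass(frozen=True)
class RecurringSchedule:
    name: str
    days: FrozenSet[str]     # selected days, e.g. frozenset({"mon", "tue"})
    start: time
    stop: time

    def is_active(self, when: datetime) -> bool:
        today = DAYS[when.weekday()]
        now = when.time()
        if self.start == MIDNIGHT and self.stop == MIDNIGHT:
            return today in self.days              # 00/00: the entire selected day
        if self.start < self.stop:                 # window lies within one day
            return today in self.days and self.start <= now < self.stop
        # Stop earlier than start: the window that began today runs into tomorrow,
        # and the window that began yesterday (if yesterday is selected) is still open.
        if today in self.days and now >= self.start:
            return True
        yesterday = DAYS[(when.weekday() - 1) % 7]
        return yesterday in self.days and now < self.stop


@dataclass(frozen=True)
class OneTimeSchedule:
    name: str
    start: datetime
    stop: datetime

    def is_active(self, when: datetime) -> bool:
        return self.start <= when < self.stop


def policy_in_effect(schedule, when: datetime) -> bool:
    """A policy is in effect only while its schedule is active."""
    return schedule.is_active(when)


# The guide's lunchtime case: block games except between noon and 1 p.m. on workdays.
WORKDAYS = frozenset({"mon", "tue", "wed", "thu", "fri"})
NO_GAMES = RecurringSchedule("no_games", WORKDAYS, time(13, 0), time(12, 0))
# 00/00 on every day: the policy is always in effect.
ALL_DAY = RecurringSchedule("always", frozenset(DAYS), MIDNIGHT, MIDNIGHT)
# One-time holiday block (constructed date).
HOLIDAY = OneTimeSchedule("holiday", at(2009, 5, 1), at(2009, 5, 2))
```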

Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP addresses and ports of packets received by a network interface, including a modem interface. When the FortiGate unit receives inbound packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packets' IP addresses with the virtual IP's mapped IP address. IP pools, similarly to virtual IPs, can be used to configure aspects of NAT; however, IP pools configure dynamic translation of packets' IP addresses based on the Destination Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packet's IP addresses based upon the Source Interface/Zone. To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT firewall policy. For details, see Configuring virtual IPs on page 370.
Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies that include Virtual IPs and IP pools. See Adding NAT firewall policies in transparent mode on page 386.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are configured separately for each virtual domain. For details, see Using virtual domains on page 103.

This section describes:
How virtual IPs map connections through FortiGate units
Viewing the virtual IP list
Configuring virtual IPs
Virtual IP Groups
Viewing the VIP group list
Configuring VIP groups
IP pools
Viewing the IP pool list
Configuring IP Pools
Double NAT: combining IP pool with virtual IP
Adding NAT firewall policies in transparent mode

How virtual IPs map connections through FortiGate units


Virtual IPs can specify translations of packets port numbers and/or IP addresses for both inbound and outbound connections. In Transparent mode, virtual IPs are available from the FortiGate CLI.

Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to apply bidirectional NAT, also known as inbound NAT.

When comparing packets with the firewall policy list to locate a matching policy, if a firewall policy's Destination Address is a virtual IP, the FortiGate unit compares the packet's destination address to the virtual IP's external IP address. If they match, the FortiGate unit applies the virtual IP's inbound NAT mapping, which specifies how the FortiGate unit translates network addresses and/or port numbers of packets from the receiving (external) network interface to the network interface connected to the destination (mapped) IP address or IP address range. In addition to specifying IP address and port mappings between interfaces, virtual IP configurations can optionally bind an additional IP address or IP address range to the receiving network interface. By binding an additional IP address, you can configure a separate set of mappings that the FortiGate unit applies to packets whose destination matches that bound IP address, rather than the IP address already configured for the network interface. Depending on your configuration of the virtual IP, its mapping may involve port address translation (PAT), also known as port forwarding or network address port translation (NAPT), and/or network address translation (NAT) of IP addresses. If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your selection of:
static vs. dynamic NAT mapping
the dynamic NAT's load balancing style, if using dynamic NAT mapping
full NAT vs. destination NAT (DNAT)

The following table describes combinations of PAT and/or NAT that are possible when configuring a firewall policy with a virtual IP.
Static NAT: Static, one-to-one NAT mapping: an external IP address is always translated to the same mapped IP address. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range.

Static NAT with Port Forwarding: Static, one-to-one NAT mapping with port forwarding: an external IP address is always translated to the same mapped IP address, and an external port number is always translated to the same mapped port number. If using IP address ranges, the external IP address range corresponds to a mapped IP address range containing an equal number of IP addresses, and each IP address in the external range is always translated to the same IP address in the mapped range. If using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.

Server Load Balancing: Dynamic, one-to-many NAT mapping: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one real server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.

Server Load Balancing with Port Forwarding: Dynamic, one-to-many NAT mapping with port forwarding: an external IP address is translated to one of the mapped IP addresses, as determined by the selected load balancing algorithm for more even traffic distribution. The external IP address is not always translated to the same mapped IP address. Server load balancing requires that you configure at least one real server, but can use up to eight. Real servers can be configured with health check monitors. Health check monitors can be used to gauge server responsiveness before forwarding packets.


Note: If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full (source and destination) NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates the packets' destination address to the mapped private IP address, but does not translate the source address. The private network is aware of the source's public IP address. For reply traffic, the FortiGate unit translates the packets' private-network source IP address to match the destination address of the originating packets, which is maintained in the session table.

A typical example of static NAT is to allow client access from a public network to a web server on a private network that is protected by a FortiGate unit. Reduced to its essence, this example involves only three hosts, as shown in Figure 221: the web server on a private network, the client computer on another network, such as the Internet, and the FortiGate unit connecting the two networks. When a client computer attempts to contact the web server, it uses the virtual IP on the FortiGate unit's external interface. The FortiGate unit receives the packets. The addresses in the packets are translated to private network IP addresses, and the packet is forwarded to the web server on the private network.
Figure 221: A simple static NAT virtual IP example

The packets sent from the client computer have a source IP of 192.168.37.55 and a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets' addresses. The source address is changed to 10.10.10.2 and the destination is changed to 10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session table it maintains internally. The packets are then sent on to the web server.
Figure 222: Example of packet address remapping during NAT from client to server

Note that the client computer's address does not appear in the packets the server receives. After the FortiGate unit translates the network addresses, there is no reference to the client computer's IP address, except in the session table. The web server has no indication that another network exists. As far as the server can tell, all packets are sent by the FortiGate unit.


When the web server replies to the client computer, address translation works similarly, but in the opposite direction. The web server sends its response packets with a source IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit receives these packets on its internal interface. This time, however, the session table is used to recall the client computer's IP address as the destination address for the address translation. In the reply packets, the source address is changed to 192.168.37.4 and the destination is changed to 192.168.37.55. The packets are then sent on to the client computer. The web server's private IP address does not appear in the packets the client receives. After the FortiGate unit translates the network addresses, there is no reference to the web server's network. The client has no indication that the web server's IP address is not the virtual IP. As far as the client is concerned, the FortiGate unit's virtual IP is the web server.
Figure 223: Example of packet address remapping during NAT from server to client

In the previous example, the NAT check box is selected when configuring the firewall policy. If the NAT check box is not selected when building the firewall policy, the resulting policy does not perform full NAT; instead, it performs destination network address translation (DNAT). For inbound traffic, DNAT translates the packets' destination address to the mapped private IP address, but does not translate the source address. The web server would then be aware of the client's IP address. For reply traffic, the FortiGate unit translates the packets' private-network source IP address to match the destination address of the originating packets, which is maintained in the session table.
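The inbound and reply translation described above, as an added Python example that is not part of this guide or of FortiOS: it models a virtual IP (single address, equal-sized address ranges, port ranges, or a 0.0.0.0 dynamic VIP), the session table used to undo the translation for replies, the difference between full NAT and DNAT, and the checks listed under VIP requirements. The 10.10.10.2 internal interface address is the one used in the figures; the class and method names, and the sample packets, are constructed for this example.

```python
"""Model of a FortiGate virtual IP (added example, not Fortinet code).

Reproduces the translation the guide describes: match on the VIP's external IP,
rewrite to the mapped IP (single address, address range or port range), keep a
session table for the reply, and honour the policy NAT check box (full NAT vs
DNAT). Names here are this example's own, not FortiOS identifiers.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class VirtualIP:
    """Static NAT VIP; port fields stay None when port forwarding is off."""
    ext_first: str
    ext_last: str
    map_first: str
    map_last: str
    ext_port_first: Optional[int] = None
    ext_port_last: Optional[int] = None
    map_port_first: Optional[int] = None
    map_port_last: Optional[int] = None

    def problems(self) -> List[str]:
        """Apply the VIP requirements from the guide; an empty list means OK."""
        found = []
        ext_n = int(IPv4Address(self.ext_last)) - int(IPv4Address(self.ext_first)) + 1
        map_n = int(IPv4Address(self.map_last)) - int(IPv4Address(self.map_first)) + 1
        if {self.map_first, self.map_last} & {"0.0.0.0", "255.255.255.255"}:
            found.append("mapped range cannot include 0.0.0.0 or 255.255.255.255")
        if self.ext_first == "0.0.0.0" and map_n > 1:
            found.append("static NAT with a mapped range cannot use external 0.0.0.0")
        elif ext_n != map_n:
            found.append("external and mapped ranges must hold the same count")
        if self.ext_port_first is not None:
            if (self.ext_port_last - self.ext_port_first
                    != self.map_port_last - self.map_port_first):
                found.append("external and mapped port ranges must hold the same count")
            if max(self.ext_port_last, self.map_port_last) > 65535:
                found.append("last port in a range must not exceed 65535")
        return found

    def translate_dst(self, ip: str, port: int) -> Optional[Tuple[str, int]]:
        """Mapped (ip, port) for a packet destination, or None if the VIP does not match."""
        addr = IPv4Address(ip)
        if self.ext_first == "0.0.0.0":           # dynamic VIP: any destination matches
            mapped_ip = self.map_first
        elif IPv4Address(self.ext_first) <= addr <= IPv4Address(self.ext_last):
            offset = int(addr) - int(IPv4Address(self.ext_first))
            mapped_ip = str(IPv4Address(self.map_first) + offset)   # same position in range
        else:
            return None
        if self.ext_port_first is None:           # no port forwarding: port is unchanged
            return mapped_ip, port
        if not self.ext_port_first <= port <= self.ext_port_last:
            return None
        return mapped_ip, self.map_port_first + (port - self.ext_port_first)


class FortiGateNAT:
    """One VIP, one policy NAT flag, one session table."""

    def __init__(self, vip: VirtualIP, internal_if_ip: str, policy_nat: bool):
        self.vip = vip
        self.internal_if_ip = internal_if_ip    # 10.10.10.2 in the guide's figures
        self.policy_nat = policy_nat            # True = NAT check box selected
        # (server ip, server port, translated client ip, port) -> original packet
        self.sessions: Dict[Tuple[str, int, str, int], Packet] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Client -> server direction; returns the rewritten packet or None (no match)."""
        mapped = self.vip.translate_dst(pkt.dst_ip, pkt.dst_port)
        if mapped is None:
            return None
        dst_ip, dst_port = mapped
        # Full NAT hides the client behind the internal interface; DNAT keeps the
        # client's source so the server sees the public address. (Real full NAT
        # may also pick a new source port; this model keeps the original one.)
        src_ip = self.internal_if_ip if self.policy_nat else pkt.src_ip
        out = Packet(src_ip, pkt.src_port, dst_ip, dst_port)
        self.sessions[(dst_ip, dst_port, src_ip, pkt.src_port)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Server -> client direction, undone from the session table entry."""
        orig = self.sessions.get((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        if orig is None:
            return None
        return Packet(orig.dst_ip, orig.dst_port, orig.src_ip, orig.src_port)
```

With policy_nat=True the web server only ever sees 10.10.10.2 as the source, exactly as in Figures 222 and 223; with policy_nat=False the reply is still rewritten back to the VIP address, but the server's logs show the real client address.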

Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional outbound NAT to connections outbound from private network IP addresses to public network IP addresses. However, if virtual IP configurations exist, FortiGate units use the virtual IPs' inbound NAT mappings in reverse to apply outbound NAT, so that the IP address mappings for inbound and outbound traffic are symmetric. For example, if a network interface's IP address is 10.10.10.1, and its bound virtual IP's external IP is 10.10.10.2, mapping inbound traffic to the private network IP address 192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not 10.10.10.1.


VIP requirements
Virtual IPs have the following requirements.
The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
The Mapped IP Address/Range must not include any interface IP addresses.
If the virtual IP is mapped to a range of IP addresses and its type is Static NAT, the External IP Address/Range cannot be 0.0.0.0.
When port forwarding, the External IP Address/Range cannot include any other interface IP addresses.
When port forwarding, the count of mapped port numbers and external port numbers must be the same, and the last port number in the range must not exceed 65535.
Virtual IP names must be different from address or address group names.
A physical external IP address can be used as the external VIP IP address.
Duplicate entries or overlapping ranges are not permitted.

Viewing the virtual IP list


To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP.
Figure 224: Virtual IP list

Create New: Select to add a virtual IP.
Name: The name of the virtual IP.
IP: The bound network interface and external IP address or IP address range, separated by a slash (/).
Service Port: The external port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Map to IP/IP Range: The mapped-to IP address or address range on the destination network.
Map to Port: The mapped-to port number or port number range. This field is empty if the virtual IP does not specify port forwarding.
Delete icon: Remove the virtual IP from the list. The Delete icon only appears if the virtual IP is not selected in a firewall policy.
Edit icon: Edit the virtual IP to change any virtual IP option, including the virtual IP name.


Configuring virtual IPs


A virtual IP's external IP address can be a single IP address or an IP address range, and is bound to a FortiGate unit interface. When you bind the virtual IP's external IP address to a FortiGate unit interface, by default the network interface responds to ARP requests for the bound IP address or IP address range. Virtual IPs use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a server that is actually installed on another network. To disable ARP replies, see the FortiGate CLI Reference. A virtual IP's mapped IP address can be a single IP address or an IP address range. When the FortiGate unit receives packets matching a firewall policy whose Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packets' destination IP address with the virtual IP's mapped IP address. To implement the translation configured in the virtual IP or IP pool, you must add it to a NAT firewall policy. For example, to add a firewall policy that maps public network addresses to a private network, add an external to internal firewall policy whose Destination Address field is a virtual IP.
Figure 225: Creating a Virtual IP

Name: Enter or change the name to identify the virtual IP. To avoid confusion, addresses, address groups, and virtual IPs cannot have the same names.

External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any FortiGate interface, VLAN subinterface, VPN interface, or modem interface.

Type: VIP type is Static NAT, read only.

External IP Address/Range: Enter the external IP address that you want to map to an address on the destination network. To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range.

Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field.

Port Forwarding: Select to perform port address translation (PAT). This option appears only if Type is Static NAT.


Protocol: Select the protocol of the forwarded packets. This option appears only if Port Forwarding is enabled.

External Service Port: Enter the external interface port number for which you want to configure port forwarding. This option appears only if Port Forwarding is enabled.

Map to Port: Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a virtual IP with static NAT, if you add a map to port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service Port field. This option appears only if Port Forwarding is enabled.

SSL Offloading: Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading.
Client <-> FortiGate: Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in the best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
Client <-> FortiGate <-> Server: Select to apply hardware accelerated SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported. This option appears only if Port Forwarding is selected, and only on FortiGate models whose hardware supports SSL acceleration, such as the FortiGate-3600A.
Note: Additional SSL Offloading options are available in the CLI. For details, see the FortiGate CLI Reference.

Certificate: Select which SSL certificate to use with SSL Offloading. This option appears only if Port Forwarding is selected, and is available only if SSL Offloading is selected.

To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to the network interface, and selecting the mapping type and mapped IP address(es) and/or port(s). For configuration examples of each type, see:
Adding a static NAT virtual IP for a single IP address on page 372
Adding a static NAT virtual IP for an IP address range on page 373
Adding static NAT port forwarding for a single IP address and a single port on page 375
Adding static NAT port forwarding for an IP address range and a port range on page 377
Adding dynamic virtual IPs on page 378
Adding a virtual IP with port translation only on page 379


4 Select OK. The virtual IP appears in the virtual IP list.
5 To implement the virtual IP, select the virtual IP in a firewall policy. For example, to add a firewall policy that maps public network addresses to a private network, you might add an external to internal firewall policy and select the Source Interface/Zone to which a virtual IP is bound, then select the virtual IP in the Destination Address field of the policy. For details, see Configuring firewall policies on page 323.

Adding a static NAT virtual IP for a single IP address


The IP address 192.168.37.4 on the Internet is mapped to 10.10.10.42 on a private network. Attempts to communicate with 192.168.37.4 from the Internet are translated and sent to 10.10.10.42 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit with a private network behind it.
Figure 226: Static NAT virtual IP for a single IP address example

To add a static NAT virtual IP for a single IP address
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 227: Virtual IP options: static NAT virtual IP for a single IP address

Name: static_NAT
Type: Static NAT
External Interface: wan1


External IP Address/Range: The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.

Mapped IP Address/Range: The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.

4 Select OK.

To add a static NAT virtual IP for a single IP address to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination address of these packets from the external IP to the DMZ network IP address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: external
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: simple_static_nat
Schedule: always
Service: HTTP
Action: ACCEPT

3 Select NAT.
4 Select OK.

Adding a static NAT virtual IP for an IP address range


The IP address range 192.168.37.4-192.168.37.6 on the Internet is mapped to 10.10.10.42-10.10.10.44 on a private network. Packets from Internet computers communicating with 192.168.37.4 are translated and sent to 10.10.10.42 by the FortiGate unit. Similarly, packets destined for 192.168.37.5 are translated and sent to 10.10.10.43, and packets destined for 192.168.37.6 are translated and sent to 10.10.10.44. The computers on the Internet are unaware of this translation and see three computers with individual IP addresses rather than a FortiGate unit with a private network behind it.


Figure 228: Static NAT virtual IP for an IP address range example

To add a static NAT virtual IP for an IP address range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to three individual web servers on the DMZ network. In this example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 229: Virtual IP options: static NAT virtual IP with an IP address range

Name: static_NAT_range
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address range of the web servers. The external IP addresses are usually static IP addresses obtained from your ISP for your web servers. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP addresses of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Mapped IP Address/Range: The IP address range of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.

4 Select OK.


To add a static NAT virtual IP with an IP address range to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the server IP addresses, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination addresses of these packets from the wan1 IP to the DMZ network IP addresses of the servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: static_NAT_range
Schedule: always
Service: HTTP
Action: ACCEPT

3 Select NAT.
4 Select OK.

Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000 on a private network. Attempts to communicate with 192.168.37.4, port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.
Figure 230: Static NAT virtual IP port forwarding for a single IP address and a single port example

To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.


3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to a web server on the DMZ network. In our example, the wan1 interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Figure 231: Virtual IP options: Static NAT port forwarding virtual IP for a single IP address and a single port

Name: Port_fwd_NAT_VIP
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Mapped IP Address/Range: The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The port traffic from the Internet will use. For a web server, this will typically be port 80.
Map to Port: The port on which the server expects traffic. Since there is only one port, leave the second field blank.

4 Select OK.

To add static NAT virtual IP port forwarding for a single IP address and a single port to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP address, packets pass through the FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the destination address and port of these packets from the external IP to the DMZ network IP address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:


Source Interface/Zone: wan1
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP
Schedule: always
Service: HTTP
Action: ACCEPT

3 Select NAT.
4 Select OK.

Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network. Attempts to communicate with 192.168.37.5, port 82 from the Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The computers on the Internet are unaware of this translation and see a single computer at 192.168.37.5 rather than a FortiGate unit with a private network behind it.
Figure 232: Static NAT virtual IP port forwarding for an IP address range and a port range example

To add static NAT virtual IP port forwarding for an IP address range and a port range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to connect to web servers on the DMZ network. In this example, the external interface of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to the DMZ network.
Name: Port_fwd_NAT_VIP_port_range
External Interface: external
Type: Static NAT


External IP Address/Range: The external IP addresses are usually static IP addresses obtained from your ISP. These addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Mapped IP Address/Range: The IP addresses of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
Map to Port: The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.

4 Select OK.

To add static NAT virtual IP port forwarding for an IP address range and a port range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the Internet attempt to connect to the web server IP addresses, packets pass through the FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates the destination addresses and ports of these packets from the external IPs to the DMZ network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
Source Interface/Zone: external
Source Address: All (or a more specific address)
Destination Interface/Zone: dmz1
Destination Address: Port_fwd_NAT_VIP_port_range
Schedule: always
Service: HTTP
Action: ACCEPT

3 Select NAT.
4 Select OK.

Adding dynamic virtual IPs


Adding a dynamic virtual IP is similar to adding a virtual IP. The difference is that the External IP address must be set to 0.0.0.0 so that the External IP address matches any IP address.

To add a dynamic virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic virtual IP.

4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address to 0.0.0.0. The 0.0.0.0 External IP Address matches any IP address.
6 Enter the Mapped IP Address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure dynamic port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).
10 Enter the Map to Port number to be added to packets when they are forwarded. Enter the same number as the External Service Port if the port is not to be translated.
11 Select OK.

Adding a virtual IP with port translation only


When adding a virtual IP, if you enter a virtual IP address that is the same as the mapped IP address and apply port forwarding, the destination IP address will be unchanged, but the port number will be translated.
Note: To apply port forwarding to the external interface without binding a virtual IP address to it, enter the IP address of the network interface instead of a virtual IP address, then configure port forwarding as usual.

To add a virtual IP with port translation only
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the virtual IP.
4 Select the virtual IP External Interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address to the same value as the mapped IP address.
6 Enter the Mapped IP Address to which to map the external IP address. For example, the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides PPTP passthrough access from the Internet to a PPTP server, the external service port number should be 1723 (the PPTP port).

10 Enter the Map to Port number to be added to packets when they are forwarded.
11 Select OK.

Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy list. For example, instead of having five identical policies for five different but related virtual IPs located on the same network interface, you might combine the five virtual IPs into a single virtual IP group, which is used by a single firewall policy. Firewall policies using VIP Groups are matched by comparing both the member VIP IP address(es) and port number(s).

Viewing the VIP group list


To view the virtual IP group list, go to Firewall > Virtual IP > VIP Group.
Figure 233: VIP Group list

Create New: Select to add a new VIP group. See Configuring VIP groups on page 380.
Group Name: The name of the virtual IP group.
Members: Lists the group members.
Interface: Displays the interface that the VIP group belongs to.
Delete icon: Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.
Edit icon: Edit the VIP group information, including the group name and membership.

Configuring VIP groups


To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create New. To edit a VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP group to edit. Enter the information as described below, and select OK.


Figure 234: Editing a VIP group

Group Name: Enter or modify the group name.
Interface: Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Available VIPs and Members: Select the up or down arrow to move virtual IPs between Available VIPs and Members. Members contains virtual IPs that are a part of this virtual IP group.

IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly selected from the IP pool, rather than the IP address assigned to that FortiGate unit interface. In Transparent mode, IP pools are available from the FortiGate CLI.
An IP pool defines an address or a range of IP addresses, all of which respond to ARP requests on the interface to which the IP pool is added.
Select Enable Dynamic IP Pool in a firewall policy to translate the source address of outgoing packets to an address randomly selected from the IP pool. An IP pool list appears when the policy destination interface is the same as the IP pool interface. With an IP pool added to the internal interface, you can select Dynamic IP pool for policies with the internal interface as the destination. Add multiple IP pools to any interface and select the IP pool to use when configuring a firewall policy.
A single IP address is entered normally. For example, 192.168.110.100 is a valid IP pool address. If an IP address range is required, use either of the following formats:
x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
x.x.x.[x-x], for example 192.168.110.[100-120]


IP pools and dynamic NAT


Use IP pools for dynamic NAT. For example, an organization might have purchased a range of Internet addresses but has only one Internet connection on the external interface of the FortiGate unit. Assign one of the organization's Internet IP addresses to the external interface of the FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from the network to the Internet appear to come from this IP address.
For connections to originate from all the Internet IP addresses, add this address range to an IP pool for the external interface. Then select Dynamic IP Pool for all policies with the external interface as the destination. For each connection, the firewall dynamically selects an IP address from the IP pool to be the source address for the connection. As a result, connections to the Internet appear to be originating from any of the IP addresses in the IP pool.

IP Pools for firewall policies that use fixed ports


Some network configurations do not operate correctly if a NAT policy translates the source port of packets used by the connection. NAT translates source ports to keep track of connections for a particular service. Select fixed port for NAT policies to prevent source port translation. However, selecting fixed port means that only one connection can be supported through the firewall for this service. To be able to support multiple connections, add an IP pool to the destination interface, and then select dynamic IP pool in the policy. The firewall randomly selects an IP address from the IP pool and assigns it to each connection. In this case the number of connections that the firewall can support is limited by the number of IP addresses in the IP pool.

Source IP address and IP pool address matching


When the source addresses are translated to the IP pool addresses, one of the following three cases may occur:

Scenario 1: The number of source addresses equals that of IP pool addresses
In this case, the FortiGate unit will always match the IP addresses one to one. If you use fixed port in such a case, the FortiGate unit will preserve the original source port. However, this may cause conflicts if more than one firewall policy uses the same IP pool, or the same IP addresses are used in more than one IP pool.

Original address    Change to
192.168.1.1         172.16.30.1
192.168.1.2         172.16.30.2
......              ......
192.168.1.254       172.16.30.254

Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism. If you use fixed port in such a case, the FortiGate unit preserves the original source port. But conflicts may occur since users may have different sessions using the same TCP 5-tuples.

Original address    Change to
192.168.1.1         172.16.30.10
192.168.1.2         172.16.30.11
......              ......
192.168.1.10        172.16.30.19
192.168.1.11        172.16.30.10
192.168.1.12        172.16.30.11
192.168.1.13        172.16.30.12
......              ......

Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses will be used and the rest of them will not be used.

Original address          Change to
192.168.1.1               172.16.30.10
192.168.1.2               172.16.30.11
192.168.1.3               172.16.30.12
No more source addresses  172.16.30.13 and other addresses will not be used

Viewing the IP pool list


If virtual domains are enabled on the FortiGate unit, IP pools are created separately for each virtual domain. To access IP pools, select a virtual domain from the list on the main menu. To view the IP pool list go to Firewall > Virtual IP > IP Pool.
Figure 235: IP pool list

Create New: Select to add an IP pool.
Name: The name of the IP pool.
Start IP: The start of the IP pool address range.
End IP: The end of the IP pool address range.
Delete icon: Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Edit icon: Select to edit the following information: Name, Interface, IP Range/Subnet.

Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.


Figure 236: New Dynamic IP Pool

Name: Enter the name of the IP pool.
Interface: Select the interface to which to add an IP pool.
IP Range/Subnet: Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the IP range do not have to be on the same subnet as the IP address of the interface to which you are adding the IP pool.

Double NAT: combining IP pool with virtual IP


When creating a firewall policy, you can use both IP pool and virtual IP for double IP and/or port translation. For example, in the following network topology:
Users in the 10.1.1.0/24 subnet use port 8080 to access server 172.16.1.1.
The server's listening port is 80.
Fixed ports must be used.

Figure 237: Double NAT

To allow the local users to access the server, you can use fixed port and IP pool to allow more than one user connection while using virtual IP to translate the destination port from 8080 to 80.

To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.


2 Select Create New.
3 Enter the following information and select OK.

Name: pool-1
Interface: DMZ
IP Range/Subnet: 10.1.3.1-10.1.3.254

To create a Virtual IP with port translation only
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information and select OK.

Name: server-1
External Interface: Internal
Type: Static NAT
External IP Address/Range: 172.16.1.1 (note this address is the same as the server address)
Mapped IP Address/Range: 172.16.1.1
Port Forwarding: Enable
Protocol: TCP
External Service Port: 8080
Map to Port: 80

To create a firewall policy
Add an internal to dmz firewall policy that uses the virtual IP to translate the destination port number and the IP pool to translate the source addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:

Source Interface/Zone: internal
Source Address: 10.1.1.0/24
Destination Interface/Zone: dmz
Destination Address: server-1
Schedule: always
Service: HTTP
Action: ACCEPT

4 Select NAT.
5 Select OK.
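The following Python model, added here and not part of the guide or of FortiOS, reproduces the three IP pool matching scenarios from Source IP address and IP pool address matching and the double NAT example just configured (pool-1 for the source address, the port-only virtual IP server-1 for the destination, fixed port). The order in which pool addresses are handed out is a constructed model that matches the guide's tables; the unit's own selection logic is not described on this page.

```python
"""Model of FortiGate IP pool source translation and double NAT.

Added illustration, not FortiOS code. It reproduces the guide's three
IP pool matching scenarios (one to one, wrap-around, unused pool
addresses) and the double NAT example (IP pool pool-1 for the source,
port-only virtual IP server-1 for the destination, fixed port).
The hand-out order is a constructed model that matches the guide's
tables; the unit's real selection logic is not documented here.
"""
from collections import defaultdict
from ipaddress import IPv4Address


def ip_range(start, end):
    """Expand a start/end pair (the GUI's IP Range form) into a list of addresses."""
    first, last = IPv4Address(start), IPv4Address(end)
    if first > last:
        raise ValueError("start of the range must be lower than its end")
    return [str(IPv4Address(int(first) + i)) for i in range(int(last) - int(first) + 1)]


def map_sources_to_pool(sources, pool):
    """Scenario model: the i-th source address takes the i-th pool address,
    wrapping around to the start of the pool when sources outnumber it."""
    return {src: pool[i % len(pool)] for i, src in enumerate(sources)}


def fixed_port_conflicts(mapping):
    """With fixed port the original source port is preserved, so two sources
    that share a pool address can produce identical TCP 5-tuples.
    Return the pool addresses that more than one source was mapped to."""
    by_pool_addr = defaultdict(list)
    for src, translated in mapping.items():
        by_pool_addr[translated].append(src)
    return {addr: srcs for addr, srcs in by_pool_addr.items() if len(srcs) > 1}


def unused_pool_addresses(mapping, pool):
    """Scenario 3: pool addresses that no source address was mapped to."""
    used = set(mapping.values())
    return [addr for addr in pool if addr not in used]


# Double NAT example from the guide: virtual IP server-1 keeps the server
# address and only rewrites the port (External IP == Mapped IP).
SERVER_1_VIP = {
    "external_ip": "172.16.1.1", "external_port": 8080,
    "mapped_ip": "172.16.1.1", "mapped_port": 80,
}


def double_nat(packet, pool_mapping, vip=SERVER_1_VIP):
    """Translate one (src_ip, src_port, dst_ip, dst_port) packet under the
    internal-to-dmz policy: the virtual IP rewrites the destination port, the
    IP pool rewrites the source address, and fixed port keeps the source port.
    Returns None when the packet does not match the virtual IP."""
    src_ip, src_port, dst_ip, dst_port = packet
    if dst_ip != vip["external_ip"] or dst_port != vip["external_port"]:
        return None
    return (pool_mapping[src_ip], src_port, vip["mapped_ip"], vip["mapped_port"])


def demo():
    """Run the guide's scenarios; the inputs are constructed examples."""
    # Scenario 2: 254 users share 10 pool addresses (172.16.30.10-172.16.30.19)
    wrap = map_sources_to_pool(ip_range("192.168.1.1", "192.168.1.254"),
                               ip_range("172.16.30.10", "172.16.30.19"))
    # Double NAT: users 10.1.1.0/24, pool-1 10.1.3.1-10.1.3.254, server-1 VIP
    pool_1 = map_sources_to_pool(ip_range("10.1.1.1", "10.1.1.254"),
                                 ip_range("10.1.3.1", "10.1.3.254"))
    translated = double_nat(("10.1.1.5", 40000, "172.16.1.1", 8080), pool_1)
    return wrap, translated


if __name__ == "__main__":
    wrap, translated = demo()
    print("192.168.1.11 ->", wrap["192.168.1.11"])   # 172.16.30.10 (wrapped around)
    print("pool addresses shared by several sources:", len(fixed_port_conflicts(wrap)))
    print("double NAT result:", translated)           # ('10.1.3.5', 40000, '172.16.1.1', 80)
```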


Adding NAT firewall policies in transparent mode


Similar to operating in NAT/Route mode, when operating a FortiGate unit in Transparent mode you can add firewall policies and:
Enable NAT to translate the source addresses of packets as they pass through the FortiGate unit.
Add virtual IPs to translate destination addresses of packets as they pass through the FortiGate unit.
Add IP pools as required for source address translation.

For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two different networks with two different subnet addresses. Then you can create firewall policies to translate source or destination addresses for packets as they are relayed by the FortiGate unit from one interface to the other.
A FortiGate unit operating in Transparent mode normally has only one IP address, the management IP. To support NAT in Transparent mode you can add a second management IP. These two management IPs must be on different subnets. When you add two management IP addresses, all FortiGate unit network interfaces will respond to connections to both of these IP addresses.
In the example shown in Figure 238, all of the PCs on the internal network (subnet address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results in a typical NAT mode firewall. When a PC on the internal network attempts to connect to the Internet, the PC's default route sends packets destined for the Internet to the FortiGate unit internal interface. Similarly on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default route of 10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these packets from the internal interface out the wan1 interface to the Internet. Because the wan1 interface does not have an IP address of its own, you must add an IP pool to the wan1 interface that translates the source addresses of the outgoing packets to an IP address on the network connected to the wan1 interface. The example describes adding an IP pool with a single IP address of 10.1.1.201. So all packets sent by a PC on the internal network that are accepted by the internal to wan1 policy leave the wan1 interface with their source address translated to 10.1.1.201. These packets can now travel across the Internet to their destination.
Reply packets return to the wan1 interface because they have a destination address of 10.1.1.201. The internal to wan1 NAT policy translates the destination address of these return packets to the IP address of the originating PC and sends them out the internal interface to the originating PC.
Use the following steps to configure NAT in Transparent mode:
Adding two management IPs
Adding an IP pool to the wan1 interface
Adding an internal to wan1 firewall policy


Figure 238: Example NAT in Transparent mode configuration (Internet; router on 10.1.1.0/24; FortiGate unit in Transparent mode with management IPs 10.1.1.99 and 192.168.1.99 and interfaces WAN 1, DMZ and Internal; internal network 192.168.1.0/24; DMZ network 10.1.1.0/24)

To add a source address translation NAT policy in Transparent mode
1 Enter the following command to add two management IPs. The second management IP is the default gateway for the internal network.

    config system settings
        set manageip 10.1.1.99/24 192.168.1.99/24
    end

2 Enter the following command to add an IP pool to the wan1 interface:

    config firewall ippool
        edit nat-out
            set interface "wan1"
            set startip 10.1.1.201
            set endip 10.1.1.201
    end

3 Enter the following command to add an internal to wan1 firewall policy with NAT enabled that also includes an IP pool:

    config firewall policy
        edit 1
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ANY"
            set nat enable
            set ippool enable
            set poolname nat-out
    end


Note: You can add the firewall policy from the web-based manager and then use the CLI to enable NAT and add the IP Pool.


Firewall Load Balance


Use the FortiGate load balancing function to intercept the incoming traffic and share it across the available servers. By doing so, the FortiGate unit enables multiple servers to respond as if they were a single device or server. This in turn means that more simultaneous requests can be handled.
There are additional benefits to server load balancing. Firstly, because the load is distributed across multiple servers, the service being provided can be highly available. If one of the servers breaks down, the load can still be handled by the other servers. Secondly, this increases scalability. If the load increases substantially, more servers can be added behind the FortiGate unit in order to cope with the increased load.
This section describes:
How load balancer works
Configuring virtual servers
Configuring real servers
Configuring health check monitors
Monitoring the servers

How load balancer works


You can configure virtual servers on the FortiGate unit (load balancer) and bind them to a cluster of real servers. Up to 8 real servers can be bound to 1 virtual server. The topology of the cluster is transparent to end users, and the users interact with the system as if it were only a single virtual server. The real servers may be interconnected by high-speed LAN or by geographically dispersed WAN. The FortiGate unit schedules requests to the different servers and makes the parallel services of the cluster appear as a virtual service on a single IP address.
Figure 239: Virtual server and real servers setup (Internet/Intranet user; FortiGate unit as virtual server/load balancer; real servers connected over LAN/WAN)


Configuring virtual servers


Configure a virtual server's external IP address and bind it to a FortiGate unit interface. When you bind the virtual server's external IP address to a FortiGate unit interface, by default, the network interface responds to ARP requests for the bound IP address. Virtual servers use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to ARP requests on a network for a real server that is actually installed on another network. To disable ARP replies, see the FortiGate CLI Reference.
To view the virtual server list, go to Firewall > Load Balance > Virtual Server.
Figure 240: Virtual server list

Create New: Select to add virtual servers. For more information, see To create a virtual server on page 391.
Name: Name of the virtual server. This name is not the hostname for the FortiGate unit.
Type: The communication protocol used by the virtual server.
Comments: Comments on the virtual server.
Virtual Server IP: The IP address of the virtual server.
Virtual Server Port: The port number to which the virtual server communicates.
Load Balance Method: Load balancing methods include:
    Static: The traffic load is spread evenly across all servers, no additional server is required.
    Round Robin: Directs requests to the next server, and treats all servers as equals regardless of response time or number of connections. Dead servers or non responsive servers are avoided. A separate server is required.
    Weighted: Servers with a higher weight value will receive a larger percentage of connections. Set the server weight when adding a server.
    First Alive: Always directs requests to the first alive real server.
    Least RTT: Directs requests to the server with the least round trip time. The round trip time is determined by a Ping monitor and is defaulted to 0 if no Ping monitors are defined.
    Least Session: Directs requests to the server that has the least number of current connections. This method works best in environments where the servers or other equipment you are load balancing have similar capabilities.
Health Check: The health check monitor selected for this virtual server. For more information, see Health Check on page 392.
Persistence: Persistence is the process of ensuring that a user is connected to the same server every time they make a request within the boundaries of a single session. Depending on the type of protocol selected for the virtual server, the following persistence options are available:
    None: No persistence option is selected.
    HTTP Cookie: Persistence time is equal to the cookie age. Cookie ages are set in CLI under config firewall vip.
    SSL Session ID: Persistence time is equal to the SSL sessions. SSL session states are set in CLI under config firewall vip.
Delete icon: Remove the virtual server from the list. The Delete icon only appears if the virtual server is not bound to a real server.
Edit icon: Edit the virtual server to change any virtual server option including the virtual server name.

To create a virtual server
1 Go to Firewall > Load Balance > Virtual Server > Create New.
Figure 241: Creating a virtual server

2 Complete the following:

Name: Enter the name for the virtual server. This name is not the hostname for the FortiGate unit.
Type: Enter the communication protocol used by the virtual server.
Interface: Select the virtual server external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network.
Virtual Server IP: Enter the IP address of the virtual server.
Virtual Server Port: The port number to which the virtual server communicates.
Load Balance Method: Select a load balancing method. For more information, see Load Balance Method on page 390.
Persistence: Select a persistence for the virtual server. For more information, see Persistence on page 390.
HTTP Multiplexing: Select to use the FortiGate unit's HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. This option appears only if HTTP or HTTPS are selected for Type. Note: Additional HTTP Multiplexing options are available in the CLI. For more information, see the FortiGate CLI Reference.
Preserve Client IP: Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you require logging on the server of the client's original IP address. If this option is not selected, the header will contain the IP address of the FortiGate unit. This option appears only if HTTP or HTTPS are selected for Type, and is available only if HTTP Multiplexing is selected.
SSL Offloading: Select to accelerate clients' SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading.
    Client <-> FortiGate: Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
    Client <-> FortiGate <-> Server: Select to apply hardware accelerated SSL to both parts of the connection: the segment between client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server's configuration.
    SSL 3.0, TLS 1.0, and TLS 1.1 are supported. SSL Offloading appears only if HTTPS or SSL are selected for Type, and only on FortiGate models with hardware that supports SSL acceleration. Note: Additional SSL Offloading options are available in the CLI. For more information, see the FortiGate CLI Reference.
Certificate: Select the certificate to use with SSL Offloading. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported. This option appears only if HTTPS or SSL are selected for Type, and is available only if SSL Offloading is selected.
Health Check: Select which health check monitor configuration will be used to determine a server's connectivity status. For information on configuring health check monitors, see Configuring health check monitors on page 393.
Comments: Any comments or notes about this virtual server.

3 Select OK.

Configuring real servers


Configure a real server to bind it to a virtual server. To view the real server list, go to Firewall > Load Balance > Real Server.
Figure 242: Real server list

Create New: Select to add real servers. For more information, see To create a real server on page 393.
IP Address: Select the blue arrow beside a virtual server name to view the IP addresses of the real servers that are bound to it.
Port: The port number on the destination network to which the external port number is mapped.
Weight: The weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle.
Max Connection: The limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.
Delete icon: Remove the real server from the list.
Edit icon: Edit the real server to change any virtual server option.

To create a real server
1 Go to Firewall > Load Balance > Real Server > Create New.
Figure 243: Creating a real server

2 Complete the following:

Virtual Server: Select the virtual server to which you want to bind this real server.
IP: Enter the IP address of the real server.
Port: Enter the port number on the destination network to which the external port number is mapped.
Weight: Enter the weight value of the real server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used. This option is available only if the associated virtual server's load balance method is Weighted.
Max Connection: Enter the limit on the number of active connections directed to a real server. A range of 1-99999 can be used. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.

3 Select OK.

Configuring health check monitors


You can specify which health check monitor configuration to use when polling to determine a virtual server's connectivity status. Health check monitor configurations can specify TCP, HTTP or ICMP PING. A health check occurs every number of seconds indicated by the interval. If a reply is not received within the timeout period, and you have configured the health check to retry, it will attempt a health check again; otherwise, the virtual server is deemed unresponsive, and load balancing will compensate by disabling traffic to that server until it becomes responsive again.


Figure 244: Health check monitor

Create New: Select to add a health check monitor configuration. For more information, see To create a health check monitor configuration on page 394.
Name: The name of the health check monitor configuration. The names are grouped by the health check monitor types.
Details: The details of the health check monitor configuration, which vary by the type of the health check monitor, and do not include the interval, timeout, or retry, which are settings common to all types. This field is empty if the type of the health check monitor is PING.
Delete: Select to remove the health check monitor configuration. This option appears only if the health check monitor configuration is not currently being used by a virtual server configuration.
Edit: Select to change the health check monitor configuration.

To create a health check monitor configuration
1 Go to Firewall > Virtual IP > Health Check Monitor > Create New.
Figure 245: Creating a health check monitor

2 Complete the following:

Name: Enter the name of the health check monitor configuration.
Type: Select the protocol used to perform the health check: TCP, HTTP or PING.
Port: Enter the port number used to perform the health check. This option does not appear if the Type is PING.
URL: Enter the URL that will receive the HTTP request. This option appears only if Type is HTTP.
Matched Content: Enter the HTTP reply content that must be present to indicate proper server connectivity. This option appears only if Type is HTTP.
Interval: Enter the number of seconds between each server health check.
Timeout: Enter the number of seconds which must pass after the server health check to indicate a failed health check.
Retry: Enter the number of times, if any, a failed health check will be retried before the server is determined to be inaccessible.

3 Select OK.
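The interval/timeout/retry rules above, together with the load balance methods listed under Configuring virtual servers (Round Robin, Weighted, Least Session, First Alive) and the Max Connection limit of a real server, can be made concrete with the following Python model. It is an added illustration, not FortiOS code: the probe results it consumes are constructed sample data rather than real network checks, and the unit's internal scheduling details are not documented on this page.

```python
"""Model of FortiGate server load balancing: health check monitors and
load balance methods. Added illustration, not FortiOS code. Probe
results are constructed sample data rather than real network checks,
and the unit's internal scheduling details are not documented here.
"""
from dataclasses import dataclass


@dataclass
class RealServer:
    ip: str
    port: int
    weight: int = 1              # 1-255, used only by the Weighted method
    max_connection: int = 99999  # Max Connection limit (1-99999)
    active_sessions: int = 0
    up: bool = True
    failures: int = 0            # consecutive failed health checks


@dataclass
class HealthCheck:
    interval: int  # seconds between probes of each real server
    timeout: int   # a reply later than this is a failed probe
    retry: int     # a failed probe is retried this many times before giving up


def record_probe(server, check, reply_seconds):
    """Apply one health check result to a real server and return its status.
    reply_seconds is None when no reply arrived at all."""
    failed = reply_seconds is None or reply_seconds > check.timeout
    if failed:
        server.failures += 1
        # the first failure plus `retry` retried checks must all fail
        # before the server is declared unresponsive
        if server.failures > check.retry:
            server.up = False
    else:
        server.failures = 0
        server.up = True  # a responsive server goes back into rotation
    return server.up


def run_monitor(server, check, replies):
    """Feed a sequence of probe results (one per interval) and return the
    server status after each probe."""
    return [record_probe(server, check, r) for r in replies]


def eligible(servers):
    """Servers that are up and still below their Max Connection limit."""
    return [s for s in servers if s.up and s.active_sessions < s.max_connection]


class Scheduler:
    METHODS = ("round_robin", "weighted", "least_session", "first_alive")

    def __init__(self, servers, method):
        if method not in self.METHODS:
            raise ValueError(f"unsupported load balance method: {method}")
        self.servers, self.method, self._turn = servers, method, 0

    def pick(self):
        """Choose the real server for a new connection (None if no eligible
        server is left) and count the session against it."""
        candidates = eligible(self.servers)
        if not candidates:
            return None
        if self.method == "first_alive":
            chosen = candidates[0]
        elif self.method == "least_session":
            chosen = min(candidates, key=lambda s: s.active_sessions)
        else:
            # Weighted: a server appears `weight` times in the rotation, so a
            # higher weight receives a larger share; Round Robin: once each.
            rotation = ([s for s in candidates for _ in range(s.weight)]
                        if self.method == "weighted" else candidates)
            chosen = rotation[self._turn % len(rotation)]
            self._turn += 1
        chosen.active_sessions += 1
        return chosen


def release(server):
    """A session on the server has finished."""
    server.active_sessions = max(0, server.active_sessions - 1)


if __name__ == "__main__":
    check = HealthCheck(interval=10, timeout=2, retry=2)
    web1 = RealServer("10.1.1.10", 80, weight=3)
    # constructed probe results: one slow reply, two missing, then recovery
    print(run_monitor(web1, check, [1, 3, None, None, 1]))  # [True, True, True, False, True]
    web2 = RealServer("10.1.1.11", 80, weight=1)
    sched = Scheduler([web1, web2], "weighted")
    print([sched.pick().ip for _ in range(4)])  # three picks of web1, then web2
```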

Monitoring the servers


You can monitor the status of each virtual server and real server and start or stop the real servers.
Figure 246: Server monitor

Virtual Server: The IP addresses of the existing virtual servers.
Real Server: The IP addresses of the existing real servers.
Health Status: Display the health status according to the health check results for each real server. A green arrow means the server is up. A red arrow means the server is down.
Monitor Events: Display each real server's up and down times.
Active Sessions: Display each real server's active sessions.
RTT (ms): Display the Round Trip Time of each real server. By default, the RTT is <1. This value will change only when ping monitoring is enabled on a real server.
Bytes Processed: Display the traffic processed by each real server.
Graceful Stop/Start: Select to start or stop real servers. When stopping a server, the FortiGate unit will not accept new sessions but will wait for the active sessions to finish.


Firewall Protection Profile


Protection profiles contain settings for many application layer and other types of protection, such as antivirus, web filtering, and logging, that you can apply to a firewall policy. For information on applying a protection profile to a firewall policy, see Configuring firewall policies on page 323.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall protection profiles are configured separately for each virtual domain. For more information, see Using virtual domains on page 103.
This section contains the following topics:
What is a protection profile?
Adding a protection profile to a firewall policy
Default protection profiles
Viewing the protection profile list
SSL content scanning and inspection
Configuring a protection profile

What is a protection profile?


A protection profile is a group of settings that you can apply to one or more firewall policies. Because protection profiles can be used by more than one firewall policy, you can configure one protection profile for the traffic types handled by a set of firewall policies requiring identical protection levels and types, rather than repeatedly configuring those same protection profile settings for each individual firewall policy. For example, while traffic between trusted and untrusted networks might need strict protection, traffic between trusted internal addresses might need moderate protection. To provide the different levels of protection, you might configure two separate protection profiles: one for traffic between trusted networks, and one for traffic between trusted and untrusted networks.
Note: If the firewall policy requires authentication, do not select the protection profile in the firewall policy. The protection profile is specific to the authenticating user group. For details on configuring the protection profile associated with the user group, see Configuring a user group on page 586.

You can use protection profiles to configure:
antivirus protection
web filtering
FortiGuard Web Filtering
spam filtering
IPS
data leak prevention sensor
dashboard statistics
application control
logging for traffic which violates the protection profile.

Adding a protection profile to a firewall policy


Protection profiles are used when specified in one or more firewall policies whose Action is set to ACCEPT, IPSEC, or SSL VPN. For example, if you create a protection profile containing SMTP antivirus settings that you want to apply to all incoming SMTP connections, you might select that protection profile in all external-to-internal firewall policies whose service group contains the SMTP service. Protection profiles can contain settings relevant to many different services. Each firewall policy uses the subset of the protection profile settings which apply to its specified Service. In this way, you might define one protection profile that can be used by many firewall policies, each policy using a different or overlapping subset of the protection profile.
To add a protection profile to a firewall policy
1 Go to Firewall > Policy. If virtual domains are enabled on the FortiGate unit, protection profiles are applied separately in firewall policies for each virtual domain (VDOM). To access firewall policies, first select a virtual domain from the main menu.
2 Select Create New to add a policy, or select Edit for the policy to which you want to apply the protection profile.
3 Enable Protection Profile in the firewall policy.
4 Select the protection profile that you want to apply to the firewall policy. The firewall policy will use settings from the protection profile that apply to its Services.
5 If you are creating a new firewall policy, configure other required policy options. For more information, see Configuring firewall policies on page 323.
6 Select OK.

Default protection profiles


FortiGate units have four default protection profiles. You can use these default protection profiles as bases for creating your own.
Strict: Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The strict protection profile may not be useful under normal circumstances, but it is available when maximum protection is required.
Scan: Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic. Quarantine is also selected for all content services. On FortiGate models with a hard drive, if antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate hard disk. If a FortiAnalyzer unit is configured, files are quarantined remotely. Quarantine permits system administrators to inspect, recover, or submit quarantined files to Fortinet for analysis.
Web: Apply virus scanning and web content blocking to HTTP traffic. Add this protection profile to firewall policies that control HTTP traffic.
Unfiltered: Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content protection for content traffic is required. Add this protection profile to firewall policies for connections between highly trusted or highly secure networks where content does not need to be protected. Note: Content archiving is disabled by default with the unfiltered protection profile.


Viewing the protection profile list


Both default and customized protection profiles appear in the protection profile list. To view the protection profile list, go to Firewall > Protection Profile.
Figure 247: Default protection profiles

Create New: Add a protection profile.
Name: The name of the protection profile.
Delete icon: Delete a protection profile from the list. The Delete icon appears only if the protection profile is not currently selected in a firewall policy or user group.
Edit icon: Modify a protection profile.

SSL content scanning and inspection


Using SSL content scanning and inspection you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic. To perform SSL content scanning and inspection, the FortiGate unit does the following:
intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
applies content inspection to decrypted content, including:
    HTTPS, IMAPS, POP3S, and SMTPS antivirus, DLP, and content archiving
    HTTPS web filtering and FortiGuard web filtering
    IMAPS, POP3S, and SMTPS spam filtering
re-encrypts the sessions and forwards them to their destinations.


Figure 248: FortiGate SSL content scanning and inspection packet flow
[Figure: packet flow diagram. 1: the client starts an HTTPS, IMAPS, POP3S or SMTPS session and the encrypted packets are accepted by a firewall policy whose protection profile includes SSL content scanning and inspection. 2 and 3: the encrypted packets pass between the firewall and the SSL decrypt/encrypt process, which decrypts the SSL session using the session certificate and key. 4: protection profile content scanning and inspection (antivirus, web filtering, spam filtering, DLP, content archiving) is applied to the decrypted packets. 5: the session is encrypted again using the SSL session certificate and key. 6: the firewall forwards the encrypted packets to the destination HTTPS, IMAPS, POP3S, or SMTPS server.]

Supported FortiGate models


FortiGate models that support SSL acceleration also support SSL content scanning and inspection. The following FortiGate models support SSL content scanning and inspection: 110C, 111C, 310B, 602B, 3016B, 3600A, 3810A, 5005FA2, and 5001A.

Setting up certificates to avoid client warnings


FortiGate SSL content scanning and inspection intercepts the SSL keys that are passed between clients and servers during SSL session handshakes and substitutes spoofed keys. Two encrypted SSL sessions are set up, one between the client and the FortiGate unit, and a second one between the FortiGate unit and the server. Inside the FortiGate unit the packets are decrypted.


While the SSL sessions are being set up, the client and server communicate in clear text to exchange SSL session keys. The session keys are based on the client and server certificates. The FortiGate SSL decrypt/encrypt process intercepts these keys and uses a built-in signing CA certificate named Fortinet_CA_SSLProxy to create keys to send to the client and the server. This signing CA certificate is used only by the SSL decrypt/encrypt process. The SSL decrypt/encrypt process then sets up encrypted SSL sessions with the client and server and uses these keys to decrypt the SSL traffic to apply content scanning and inspection. Some client programs (for example, web browsers) can detect this key replacement and will display a security warning message. The traffic is still encrypted and secure, but the security warning indicates that a key substitution has occurred. You can stop these security warnings by importing the signing CA certificate used by the server into the FortiGate unit SSL content scanning and inspection configuration. Then the FortiGate unit creates keys that appear to come from the server and not the FortiGate unit.
Note: You can add one signing CA certificate for SSL content scanning and inspection. The CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL content scanning and inspection.

You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another signing CA certificate. To do this you need the signing CA certificate file, the CA certificate key file, and the CA certificate password. All SSL content scanning and inspection uses the same signing CA certificate. If your FortiGate unit is operating with virtual domains enabled, the same signing CA certificate is used by all virtual domains.
To add a signing CA certificate for SSL content scanning and inspection
1 Obtain a copy of the signing CA certificate file, the CA certificate key file, and the password for the CA certificate.
2 Go to System > Certificates > Local Certificates and select Import.
3 Set Type to Certificate.
4 For Certificate file use the Browse button to select the signing CA certificate file.
5 For Key file use the Browse button to select the CA certificate key file.
6 Enter the CA certificate Password.
Figure 249: Importing a signing CA certificate for SSL content scanning and inspection

7 Select OK. The CA certificate is added to the Local Certificates list. In this example the signing CA certificate name is Example_CA. This name comes from the certificate file and key file name. If you want the certificate to have a different name, change these file names.
8 Add the imported signing CA certificate to the SSL content scanning and inspection configuration. Use the following CLI command if the certificate name is Example_CA.
    config firewall ssl setting
        set caname Example_CA
    end
The Example_CA signing CA certificate will now be used by SSL content scanning and inspection for establishing encrypted SSL sessions.

Configuring SSL content scanning and inspection


If SSL content scanning and inspection is available on your FortiGate unit, you can configure the following SSL content scanning and inspection settings:
Predefined firewall services: The IMAPS, POP3S and SMTPS predefined services. You can select these services in a firewall policy and a DoS policy. For more information, see Table 43, Predefined services, on page 352.
Protocol Recognition: The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS, POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Protocol Recognition for HTTPS, IMAPS, POP3S, and SMTPS. Using protocol recognition you can also configure the FortiGate unit to just perform URL filtering of HTTPS or to use SSL content scanning and inspection to decrypt HTTPS so that the FortiGate unit can also apply Antivirus and DLP content inspection and content archiving to HTTPS. Using SSL content scanning and inspection to decrypt HTTPS also allows you to apply more web filtering and FortiGuard Web Filtering options to HTTPS. For more information, see Protocol recognition options on page 405.
Antivirus: Antivirus options including virus scanning, file filtering, and client comforting for HTTPS, IMAPS, POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Anti-Virus for HTTPS, IMAPS, POP3S, and SMTPS. For more information, see Anti-Virus options on page 407.
Antivirus quarantine: Antivirus quarantine options to quarantine files in HTTPS, IMAPS, POP3S, and SMTPS sessions. Go to UTM > AntiVirus > Config. You can quarantine infected files, suspicious files, and blocked files found in IMAPS, POP3S, and SMTPS sessions. You can also quarantine infected files and suspicious files found in HTTPS sessions. For more information, see Configuring quarantine options on page 449.
Web Filtering: Web filtering options for HTTPS: Web Content Block, Web Content Exempt, Web URL Filter, ActiveX Filter, Cookie Filter, Java Applet Filter, Web Resume Download Block, Block invalid URLs, and HTTP POST Action. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Web Filtering for HTTPS. For more information, see Web Filtering options on page 411.


FortiGuard Web Filtering: FortiGuard Web Filtering options for HTTPS: Enable FortiGuard Web Filtering, Enable FortiGuard Web Filtering Overrides, Provide details for blocked HTTP 4xx and 5xx errors, Rate images by URL (blocked images will be replaced with blanks), Allow websites when a rating error occurs, Strict Blocking, and Rate URLs by domain and IP address. Go to Firewall > Profile. Add or edit a protection profile and configure Web Filtering > FortiGuard Web Filtering for HTTPS. For more information, see FortiGuard Web Filtering options on page 413.
Spam Filtering: Spam filtering options for IMAPS, POP3S, and SMTPS: FortiGuard AntiSpam (IP address check, URL check, E-mail checksum check, and Spam submission), IP address BWL check, HELO DNS lookup, E-mail address BWL check, Return e-mail DNS check, Banned word check, Spam Action, Tag Location, and Tag Format. Go to Firewall > Protection Profile. Add or edit a protection profile and configure Spam Filtering for IMAPS, POP3S, and SMTPS. For more information, see Spam Filtering options on page 416.
Data Leak Prevention: DLP for HTTPS, IMAPS, POP3S, and SMTPS. To apply DLP, follow the steps below:
    Go to UTM > Data Leak Prevention > Rule to add DLP rules. For HTTPS, add an HTTP rule and select HTTPS POST and HTTPS GET. For IMAPS, POP3S, and SMTPS, add an Email rule and select IMAPS, POP3S, and SMTPS. See Adding or configuring DLP rules on page 516.
    Go to UTM > Data Leak Prevention > Sensor and add the DLP rules to a DLP sensor. See Adding or editing a rule in a DLP sensor on page 513.
    Go to Firewall > Protection Profile. Add or edit a protection profile and use Data Leak Prevention Sensor to add the DLP sensor to a protection profile. Note: In a protection profile, if you set Protocol Recognition > HTTPS Content Filtering Mode to URL Filtering, DLP rules cannot inspect HTTPS. Set this option to Deep Scan.
    Go to Firewall > Policy and add the protection profile to a firewall policy. See Data Leak Prevention Sensor options on page 419.
Content summary content archiving: Content summary content archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP rules to the protocol. All DLP rules perform content summary content archiving for the content that they match. For summary content archiving, you must configure the FortiGate unit to send log messages to a FortiAnalyzer unit or to the FortiGuard Analysis and Management Service (FAMS). To view content summary information go to Log&Report > Content Archive. Select Web to view HTTPS content summary information. Select E-mail to view IMAPS, POP3S, and SMTPS content summary information. For more information, see Content Archive on page 667.
Full content archiving: Full content archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP rules for the protocol to a DLP sensor and select Archive for full content archiving. DLP rules with Archive selected in a DLP sensor perform full content archiving for the content that they match. For full content archiving, you must also configure the FortiGate unit to send log messages to a FortiAnalyzer unit. To view archived content go to Log&Report > Content Archive. Select Web to view HTTPS content. Select E-mail to view IMAPS, POP3S, and SMTPS content. For more information, see Content Archive on page 667.


Displaying content meta-information on the system dashboard: Displaying content meta-information on the system dashboard for HTTPS, IMAPS, POP3S, and SMTPS. Go to Firewall > Protection Profile. Add or edit a protection profile and open Data Leak Prevention Sensor. For Displaying content meta-information on the system dashboard select HTTPS, IMAPS, POP3S, and SMTPS as required. These options display meta-information on the Statistics dashboard widget. For more information, see Statistics on page 71.
Content archiving SPAM email: Content archiving of email tagged as spam by FortiGate Spam Filtering in IMAPS, POP3S, and SMTPS sessions. Content archiving SPAM email is available only if you have configured logging to a FortiAnalyzer unit or to the FortiGuard Analysis and Management Service. Go to Firewall > Protection Profile. Add or edit a protection profile and select the Expand Arrow to view Data Leak Prevention Sensor. For Archive SPAMed emails to FortiAnalyzer/FortiGuard, select IMAPS, POP3S, and SMTPS as required. For more information, see Data Leak Prevention Sensor options on page 419 and Content Archive on page 667.

Configuring a protection profile


If the default protection profiles do not provide the settings required, you can create custom protection profiles. To add a protection profile, go to Firewall > Protection Profile and select Create New.
Figure 250: New Protection Profile

Profile Name: Enter a name for the protection profile.
Comments: Enter a description of the profile. The maximum length is 63 characters.
Protocol Recognition: See Protocol recognition options on page 405.
Anti-Virus: See Anti-Virus options on page 407.
IPS: See IPS options on page 411.
Web Filtering: See Web Filtering options on page 411.
FortiGuard Web Filtering: See FortiGuard Web Filtering options on page 413.
Spam Filtering: See Spam Filtering options on page 416.
Data Leak Prevention Sensor: See Data Leak Prevention Sensor options on page 419.
Application Control: See Application Control options on page 420.
Logging: See Logging options on page 421.

Protocol recognition options


You configure protocol recognition options to set the HTTPS content filtering mode and to select the TCP port numbers that the protection profile monitors for the HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, and FTP content protocols. If your FortiGate unit supports SSL content scanning and inspection, you can also select the TCP port numbers for SMTPS, POP3S, and IMAPS and configure the HTTPS content filtering mode. For more information, see SSL content scanning and inspection on page 399. By default the protection profile monitors the default content protocol port numbers (for example, port 80 for HTTP). You can edit the settings for each content protocol and select inspection for all port numbers for that protocol, or select one or more port numbers to monitor for that protocol.


To configure protocol recognition options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Protocol Recognition, enter the information as described below, and select OK.
Figure 251: Protection profile Protocol Recognition options (SSL content scanning and inspection)

Figure 252: Protection profile Protocol Recognition options

Note: If your FortiGate unit supports SSL content scanning and inspection, you must set HTTPS Content Filtering Mode to Deep Scan before you can configure additional HTTPS content scanning protection profile options.


HTTPS Content Filtering Mode: If your FortiGate unit supports SSL content scanning and inspection, you can select the content filtering mode used for HTTPS traffic. The mode can be:
    URL Filtering: This option limits HTTPS content filtering to URL filtering only. If you select this option the FortiGate unit does not perform SSL content scanning and inspection of HTTPS traffic. Instead the FortiGate unit just applies web filtering to HTTPS URLs. Also, if you select URL Filtering, you cannot select any Anti-Virus options for HTTPS. Under Web Filtering you can select only Web URL Filter and Block invalid URLs for HTTPS. Selecting URL Filtering also limits the FortiGuard Web Filtering options that you can select for HTTPS.
    Deep Scan (Decryption on SSL Traffic): Select this option to apply full SSL content scanning and inspection of HTTPS traffic.
Protocol: The names of the content protocols that you can configure recognition for: HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, and FTP. If your FortiGate unit supports SSL content scanning and inspection the content protocols also include SMTPS, POP3S, and IMAPS.
Monitored Ports: The port numbers that the protection profile monitors for each content protocol. You can select multiple port numbers to monitor for each content protocol. For HTTP, SMTP, POP3, IMAP, NNTP, and FTP you can also select Inspect All Ports to monitor all ports for these content protocols. Monitoring all ports means the protection profile uses protocol recognition techniques to determine the protocol of a communication session independent of the port number that the session uses.
Edit icon: Select Edit for a content protocol to configure how the protection profile monitors traffic for that content protocol. Select one of the following options:
    Inspect All Ports: Select to monitor all ports for the content protocol. This option is available for HTTP, SMTP, POP3, IMAP, NNTP, and FTP.
    Specify Ports: Select this option and then enter the port numbers to monitor for the content protocol. You can specify up to 20 ports for each content protocol.

Anti-Virus options
You can apply antivirus options through a protection profile for the HTTP, SMTP, POP3, IMAP, NNTP, and FTP content protocols. If your FortiGate unit includes SSL content scanning and inspection, you can also apply antivirus scanning options through a protection profile for the HTTPS, IMAPS, POP3S, and SMTPS content protocols. For more information, see SSL content scanning and inspection on page 399.
Note: You cannot select Anti-Virus options for HTTPS if under protocol recognition HTTPS Content Filtering Mode is set to URL Filtering. For more information, see Protocol recognition options on page 405.

To configure antivirus options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Anti-Virus, enter the information as described below, and select OK. For more antivirus configuration options, see AntiVirus on page 439.


Figure 253: Protection Profile Anti-Virus options

Figure 254: Protection Profile Anti-Virus options (SSL content scanning and inspection)

Virus Scan: Select virus scanning for each protocol. Virus Scan includes grayware, as well as heuristic scanning. However, by default neither is enabled. To enable specific grayware, go to UTM > AntiVirus > Grayware. To enable heuristic scanning, see the config antivirus heuristic command in the FortiGate CLI Reference. Note: When you enable virus scanning, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For details on splicing behavior for each protocol, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note.
Extended AV Database: Select to scan for viruses that have not been recently observed in the wild. In addition to the FortiGuard Antivirus wild list database, which contains viruses currently being detected in the wild, some FortiGate models are also equipped with an extended antivirus database that contains viruses not recently observed in the wild. This option appears only on some FortiGate models.
File Filter: Select to filter files, then under Option, specify a file filter, which can consist of file name patterns and file types. For more information, see File Filter on page 443.


Quarantine: Select for each protocol to quarantine suspect files for later inspection or submission to Fortinet for analysis. This option appears only if the FortiGate unit has a hard drive or a configured FortiAnalyzer unit, and will take effect only if you have first enabled and configured the quarantine. For more information, see File Quarantine on page 446.
Pass Fragmented Emails: Select to allow fragmented email for mail protocols (IMAP, POP3, and SMTP as well as IMAPS, POP3S, and SMTPS if SSL content scanning and inspection is supported). Fragmented email messages cannot be scanned for viruses.
Comfort Clients: Select client comforting for the HTTP, FTP, and HTTPS protocols. See HTTP and FTP client comforting on page 410.
Interval: The time in seconds before client comforting starts sending data after the download has begun, and also the time interval between sending subsequent data.
Amount: The number of bytes sent at each interval.
Oversized File/Email: Select Block or Pass for files and email messages exceeding configured thresholds for each protocol. For email scanning, the oversize threshold refers to the final size of the email, including attachments, after encoding by the email client. Email clients can use a variety of encoding types; some result in larger file sizes than the original attachment. The most common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the configured oversize threshold.
Threshold: If the file is larger than the threshold value in megabytes, the file is passed or blocked. The maximum threshold for scanning in memory is 10% of the FortiGate unit's RAM.
Allow Invalid Server Certificate: If your FortiGate unit supports SSL content scanning and inspection, you can allow HTTPS, IMAPS, POP3S, and SMTPS sessions that include an invalid server certificate. If these options are not selected, HTTPS, IMAPS, POP3S, and SMTPS sessions with invalid server certificates are blocked. Use this feature to validate server certificates.
Quarantine Virus Sender (to Banned Users List): Select Enabled to quarantine or ban either the IP address of the sender of the virus or the FortiGate interface that received the virus. The sender's IP address or the interface that received the virus is added to the banned users list. For more information about the banned user list, including how to manage the duration of items and how to remove them manually, see NAC quarantine and the Banned User list on page 595.
Method: If a virus is found, select the method used to quarantine the virus sender. You can select Source IP Address to add the sender's source IP address to the banned users list, or you can select Virus's Incoming Interface to add the interface that received the virus to the banned user list.
Expires: Select Indefinite to permanently quarantine virus senders. Only a FortiGate administrator can remove them from the banned users list. Or, configure how long the virus sender remains on the banned user list in minutes, hours, or days. A FortiGate administrator can manually remove a virus sender from the banned user list before the expiry time.
Add signature to outgoing email messages: Create and enable a signature to append to outgoing SMTP email messages. The signature will also be appended to outgoing SMTPS email messages if your FortiGate unit supports SSL content scanning and inspection.


HTTP and FTP client comforting


In general, client comforting provides a visual display of progress for web page loading or HTTP or FTP file downloads. Client comforting does this by sending the first few packets of the file or web page being downloaded to the client at configured time intervals so that the client is not aware that the download has been delayed. The client is the web browser or FTP client. Without client comforting, clients and their users have no indication that the download has started until the FortiGate unit has completely buffered and scanned the download. During this delay users may cancel or repeatedly retry the transfer, thinking it has failed. The appearance of a client comforting message (for example, a progress bar) is client-dependent. In some instances, there will be no visual client comforting cue. During client comforting, if the file being downloaded is found to be infected, then the FortiGate unit caches the URL and drops the connection. The client does not receive any notification of what happened because the download to the client had already started. Instead the download stops, and the user is left with a partially downloaded file. If the user tries to download the same file again within a short period of time, then the cached URL is matched and the download is blocked. The client receives the Infection cache replacement message as a notification that the download has been blocked. The number of URLs in the cache is limited by the size of the cache.
Caution: Client comforting can send unscanned and therefore potentially infected content to the client. You should only enable client comforting if you are prepared to accept this risk. Keeping the client comforting interval high and the amount low will reduce the amount of potentially infected data that is downloaded.

FTP and HTTP client comforting steps
The following steps show how client comforting works for an FTP or HTTP download of a 10 Mbyte file with the client comforting interval set to 20 seconds and the client comforting amount set to 512 bytes.
1 The FTP or HTTP client requests the file.
2 The FortiGate unit buffers the file from the server. The connection is slow, so after 20 seconds about one half of the file has been buffered.
3 The FortiGate unit continues buffering the file from the server, and also sends 512 bytes to the client.
4 After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file to the client.
5 When the file has been completely buffered, the client has received the following amount of data: ca * (T/ci) bytes == 512 * (40/20) == 512 * 2 == 1024 bytes, where ca is the client comforting amount, T is the buffering time and ci is the client comforting interval.
6 FTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate unit closes the data connection and sends the FTP Virus replacement message to the client.
HTTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate unit closes the data connection but cannot send a message to the client.
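The six steps above as a small simulation, added here as an example and not Fortinet code: it computes how many unscanned bytes reach the client while the FortiGate unit buffers a download (the ca * (T/ci) figure from step 5, with integer division), models the infection cache from the description above, and returns the per-protocol outcome of step 6. The cache size, its eviction order, the URLs and the exposure comparison function are assumptions made for this example.

```python
"""Simulation of FortiGate HTTP/FTP client comforting as described in the
guide. Added illustration, not Fortinet code; assumptions are marked inline."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DownloadResult:
    protocol: str
    unscanned_bytes_sent: int         # comfort data delivered before scanning finished
    outcome: str                      # "delivered", "virus_blocked" or "infection_cache_blocked"
    replacement_message: Optional[str]


class ClientComfortingProxy:
    """Models one protection profile's Comfort Clients settings.

    interval: Comfort Clients Interval in seconds (time before the first comfort
              packet and between subsequent ones).
    amount:   Comfort Clients Amount, bytes sent at each interval.
    """

    def __init__(self, interval: int, amount: int, cache_size: int = 256):
        if interval <= 0 or amount <= 0:
            raise ValueError("interval and amount must be positive")
        self.interval = interval
        self.amount = amount
        self.cache_size = cache_size      # assumption: the guide only says the cache is size-limited
        self.infection_cache: list = []   # URLs of downloads found infected, oldest first

    def unscanned_bytes(self, buffer_time: int, file_size: int) -> int:
        """Bytes the client receives while the whole file is buffered:
        ca * (T / ci) with ca = amount, ci = interval, T = buffering time in
        seconds (integer division: only completed intervals send data).
        Never more than the file itself."""
        return min(self.amount * (buffer_time // self.interval), file_size)

    def download(self, protocol: str, url: str, file_size: int,
                 buffer_time: int, infected: bool) -> DownloadResult:
        """Run one comforted download through the proxy. buffer_time is how
        long the FortiGate unit needs to buffer the whole file from the
        server; scanning starts only once buffering completes."""
        protocol = protocol.upper()
        if protocol not in ("HTTP", "FTP"):
            raise ValueError("client comforting applies to HTTP and FTP only")
        if url in self.infection_cache:
            # Repeat request for a URL recently found infected: blocked before
            # any data flows, and the client gets the Infection cache message.
            return DownloadResult(protocol, 0, "infection_cache_blocked", "Infection cache")
        sent = self.unscanned_bytes(buffer_time, file_size)
        if not infected:
            # Clean scan: the remainder of the file follows the comfort bytes.
            return DownloadResult(protocol, sent, "delivered", None)
        self._cache_url(url)
        if protocol == "FTP":
            # Data connection closed; the FTP Virus message goes to the client.
            return DownloadResult(protocol, sent, "virus_blocked", "FTP Virus")
        # HTTP: the response already started, so the connection is dropped
        # with no message and the user is left with a partial file.
        return DownloadResult(protocol, sent, "virus_blocked", None)

    def _cache_url(self, url: str) -> None:
        if url in self.infection_cache:
            return
        self.infection_cache.append(url)
        if len(self.infection_cache) > self.cache_size:
            self.infection_cache.pop(0)   # assumption: oldest entry evicted first


def exposure_for_settings(buffer_time: int, file_size: int, settings: list) -> dict:
    """Unscanned bytes reaching the client for each (interval, amount) pair,
    to compare candidate Comfort Clients settings for one slow download.
    Higher interval and lower amount reduce the exposure, as the Caution notes."""
    return {s: ClientComfortingProxy(*s).unscanned_bytes(buffer_time, file_size)
            for s in settings}


if __name__ == "__main__":
    # Constructed walk-through matching the guide's figures: 10 Mbyte file,
    # interval 20 s, amount 512 bytes, fully buffered after 40 s.
    proxy = ClientComfortingProxy(interval=20, amount=512)
    ten_mb = 10 * 1024 * 1024
    url = "http://files.example.test/tool.exe"   # constructed URL
    print(proxy.download("HTTP", url, ten_mb, 40, infected=True))   # 1024 bytes, virus_blocked
    print(proxy.download("HTTP", url, ten_mb, 40, infected=True))   # 0 bytes, infection_cache_blocked
    print(exposure_for_settings(600, ten_mb, [(20, 512), (60, 256), (120, 64)]))
```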

410

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

Firewall Protection Profile

Configuring a protection profile

IPS options
You can use the IPS options in a protection profile to enable IPS for the protection profile and add an IPS sensor. To add an IPS sensor, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside IPS, select the check box to enable IPS, select an IPS Sensor, and select OK. For more information on IPS, see Intrusion Protection on page 455.
Figure 255: Protection Profile IPS options

IPS: Select to enable and use the specified IPS sensor. You cannot select denial of service (DoS) sensors through this option. For information on configuring DoS sensors, see DoS sensors on page 469.

Web Filtering options


Web filtering sorts millions of web pages into a wide range of categories that you can allow, block or monitor. Content block uses words and patterns to block web pages containing the words or patterns, URL filtering uses URLs and URL patterns to exempt or block web pages from specific sources, and FortiGuard web filter provides many additional categories by which to filter web traffic. In some instances, users may require access to web sites that are blocked by a policy. An administrator can give the user the ability to override the block for a specified period of time. For more information about overrides, see Web Filter on page 475.
Note: Protection profile web filtering also includes FortiGuard Web Filtering. For information about FortiGuard Web Filtering, see FortiGuard Web Filtering options on page 413.

You can configure web filtering for HTTP and HTTPS traffic. If your FortiGate unit supports SSL content scanning and inspection and if you have set HTTPS Content Filtering Mode in the Protocol Recognition part of this protection profile to Deep Scan, you can select the same web filtering options for HTTPS and HTTP. For more information, see SSL content scanning and inspection on page 399 and Protocol recognition options on page 405. Filters defined in the web filtering settings are turned on through a protection profile. To configure web filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Web Filtering, enter the information as described below, and select OK.
Note: If your FortiGate unit does not support SSL content scanning and inspection, or if you have set HTTPS Content Filtering Mode to URL Filtering, you can only select URL filtering and blocking invalid URLs for HTTPS.


Figure 256: Protection Profile Web Filtering options

Figure 257: Protection Profile Web Filtering options (SSL content scanning and inspection)

Web Content Block: Select to block HTTP and HTTPS web pages based on matching the content of the web page with the words or patterns in the selected web content block list. For more information, see Web content block on page 478.

Web content block list: Select the web content block list to add to the protection profile. For more information, see Creating a new web content block list on page 479.

Threshold: Enter a web content block threshold. Each entry in the web content block list added to the protection profile includes a score. When a web page is matched with an entry in the content block list, the score is recorded. If a web page matches more than one entry, the score for the web page increases. When the total score for a web page equals or exceeds the threshold, the page is blocked. The default score for a content block list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages are only blocked if there are multiple matches.

Web Content Exempt: Select to exempt HTTP and HTTPS web pages from web filtering and virus scanning based on matching the content of the web page with the words or patterns in the selected web content exempt list. For more information, see Web content block on page 478.

Web content exempt list: Select the web content exempt list to add to the protection profile. For more information, see Creating a new web content exempt list on page 482.

Web URL Filter: Select to block HTTP and HTTPS web pages based on matching the URL of the web page with a URL in the selected URL filter list. For more information, see URL filter on page 483.

Web URL filter list: Select the URL filter list to add to this protection profile. For more information, see Creating a new URL filter list on page 484.


ActiveX Filter: Select to block ActiveX controls.

Cookie Filter: Select to block cookies.

Java Applet Filter: Select to block Java applets.

Web Resume Download Block: Select to block downloading parts of a file that have already been downloaded. Enabling this option will prevent the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed, and that selecting this option can cause download interruptions with these types.

Block invalid URLs: Select to block web sites whose SSL certificate CN field does not contain a valid domain name. FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs: If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name. If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.

HTTP POST Action: Select the action to take with HTTP POST traffic.
  Normal: Do not affect HTTP POST traffic.
  Block: Block HTTP POST requests. When the POST request is blocked, the FortiGate unit sends a web page to the user's web browser instead of the requested POST page. You can configure the content of this web page by going to System > Config > Replacement Messages and customizing the HTTP > POST message.
  Comfort: Use the comfort amount and interval settings to send comfort bytes to the server in case the client connection is too slow. Select this option to prevent a server timeout when scanning or another filtering tool is turned on.

Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy. To configure replacement messages, go to System > Config > Replacement Messages. For more information on web filter configuration options, see Web Filter on page 475. For details on how web URL filter lists are used with HTTP and HTTPS URLs, see URL formats on page 486.

FortiGuard Web Filtering options


You can enable and apply FortiGuard Web Filtering options using a protection profile. If you have blocked a pattern using the FortiGuard Web Filtering, but want certain users to have access to URLs within the pattern, you can use the FortiGate web filtering override feature. For more information about FortiGuard web filtering, see FortiGuard - Web Filter on page 487. You can configure FortiGuard Web Filtering for HTTP and HTTPS traffic. If your FortiGate unit supports SSL content scanning and inspection and if you have set HTTPS Content Filtering Mode in the Protocol Recognition part of this protection profile to Deep Scan you can select all but one of the same web filtering options for HTTPS and HTTP. If your FortiGate unit does not support SSL content scanning and inspection or if you have set HTTPS Content Filtering Mode to URL Filtering you can have fewer options for HTTPS. See the field descriptions below for details.


For more information, see SSL content scanning and inspection on page 399 and Protocol recognition options on page 405. To configure FortiGuard Web Filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Web Filtering and scroll down to FortiGuard Web Filtering. Enter the information as described below, and select OK.
Figure 258: Protection Profile FortiGuard Web Filtering options


Figure 259: Protection Profile FortiGuard Web Filtering options (SSL content scanning and inspection)

Enable FortiGuard Web Filtering: Select to enable FortiGuard Web Filtering for this protection profile.

Enable FortiGuard Web Filtering Overrides: Select to enable category overrides. For more information, see Viewing the override list on page 488 and Configuring administrative override rules on page 489.

Provide details for blocked HTTP 4xx and 5xx errors: Display a replacement message for 400 and 500-series HTTP errors. If the error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.

Rate images by URL (blocked images will be replaced with blanks): Block images that have been rated by FortiGuard. Blocked images are replaced on the originating web pages with blanks. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF. Only supported for HTTPS if your FortiGate unit supports SSL content scanning and inspection.

Allow websites when a rating error occurs: Allow web pages that return a rating error from the web filtering service.


Strict Blocking: This option is enabled by default. Strict Blocking only has an effect when either a URL fits into a protection profile category and classification or Rate URLs by domain and IP address is enabled. With Rate URLs by domain and IP address enabled, all URLs have two categories and up to two classifications (one set for the domain and one set for the IP address). All URLs belong to at least one category (including the Unrated category) and may also belong to a classification. If you enable Strict Blocking, a site is blocked if it is in at least one blocked category or classification and only allowed if all categories or classifications it falls under are allowed. If you do not enable Strict Blocking, a site is allowed if it belongs to at least one allowed category or classification and only blocked if all categories or classifications it falls under are blocked. For example, suppose that a protection profile blocks Search Engines but allows Image Search, and that the URL images.example.com falls into the General Interest / Search Engines category and the Image Search classification. With Strict Blocking enabled, this URL is blocked because it belongs to the Search Engines category, which is blocked. With Strict Blocking disabled, the URL is allowed because it is classified as Image Search, which the profile allows. It would be blocked only if both the Search Engines category and the Image Search classification were blocked.

Rate URLs by domain and IP address: Select to send both the URL and the IP address of the requested site for checking, and thus provide additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur.

Block HTTP redirects by rating: Enable to block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect. Not supported for HTTPS.

Category: FortiGuard Web Filtering provides many content categories for filtering web traffic. Categories reflect the subject matter of the content. For each category, select to Allow or Block and, if the category is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the category.

Classification: In addition to content categories, FortiGuard Web Filtering provides functional classifications that block whole classes of web sites based upon their functionality, media type, or source, rather than the web site's subject matter. Using classifications, you can block web sites that host cached content or that facilitate image, audio, or video searches, or web sites from spam URLs. Classification is in addition to, and can be configured separately from, the category. For each class, select to Allow or Block and, if the class is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the class.
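The Strict Blocking rule above is easy to misread, so here is the decision written out in Python as an added example (this is not Fortinet code and does not reproduce the FortiOS implementation). A URL arrives with every category and classification FortiGuard rated it with; the profile maps each name to Allow or Block. Names missing from the profile are treated as allowed here, which is an assumption of the example; the guide's own images.example.com case is used as the constructed input.

```python
BLOCK = "Block"
ALLOW = "Allow"


def strict_blocking_decision(ratings, profile, strict_blocking=True):
    """Decide whether a URL is blocked from the ratings FortiGuard returned.

    ratings  - every category and classification the URL falls under. With
               Rate URLs by domain and IP address enabled there are two
               categories (domain and IP) and up to two classifications.
    profile  - mapping of category or classification name to "Allow" or
               "Block", as set in the protection profile. Names absent from
               the mapping count as allowed (assumption of this example).
    Returns True when the URL is blocked.
    """
    if not ratings:
        raise ValueError("every URL belongs to at least one category")
    actions = [profile.get(name, ALLOW) for name in ratings]
    if strict_blocking:
        # Blocked if at least one rating is blocked; allowed only when all are allowed.
        return any(action == BLOCK for action in actions)
    # Not strict: allowed if at least one rating is allowed; blocked only when all are blocked.
    return all(action == BLOCK for action in actions)


# The guide's example as constructed data: Search Engines blocked, Image Search
# allowed, and images.example.com carrying both ratings.
EXAMPLE_PROFILE = {"Search Engines": BLOCK, "Image Search": ALLOW, "Unrated": ALLOW}
EXAMPLE_RATINGS = ["Search Engines", "Image Search"]

if __name__ == "__main__":
    print(strict_blocking_decision(EXAMPLE_RATINGS, EXAMPLE_PROFILE, strict_blocking=True))   # True
    print(strict_blocking_decision(EXAMPLE_RATINGS, EXAMPLE_PROFILE, strict_blocking=False))  # False
```

The second branch is the one to watch when Rate URLs by domain and IP address is on: with Strict Blocking disabled, an Unrated domain rating is enough to let a site through even if its IP address rating is blocked, which is the kind of gap the Rate URLs option is meant to close.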

Spam Filtering options


Several spam filters can be configured in the protection profile. With the IP address filter, FortiGuard AntiSpam extracts the email server source address and sends the IP address to a FortiGuard Antispam server to check if this IP address matches the list of known spammers. If the IP address is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. With the URL filter, FortiGuard Antispam checks the body of email messages to extract any URL links. These URL links are sent to a FortiGuard Antispam server to determine if any are listed. Spam messages often contain URL links to advertisements (also called spamvertizing). If a URL match is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient. The email checksum filter calculates the checksum of an email message and sends this checksum to the FortiGuard servers to determine if the checksum is in the blacklist. The FortiGate unit then passes or marks/blocks the email message according to the server response.

To configure spam filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Spam Filtering, enter the information as described below, and select OK.

You can configure spam filtering for IMAP, POP3, and SMTP email. If your FortiGate unit supports SSL content scanning and inspection you can also configure spam filtering for IMAPS, POP3S, and SMTPS email. For information about SSL content scanning and inspection, see SSL content scanning and inspection on page 399. For more information about this service, see FortiGuard Antispam service on page 265 and Configuring the FortiGate unit for FDN and FortiGuard subscription services on page 266. For more spam filter configuration options, see Antispam on page 495.
Note: Some popular email clients cannot filter messages based on the MIME header. For these clients, select to tag email message subject lines instead.

Figure 260: Protection Profile Spam Filtering options


Figure 261: Protection Profile Spam Filtering options (SSL content scanning and inspection)

FortiGuard AntiSpam: Select one or more check boxes to enable protocols (IMAP, POP3, SMTP), then apply the options that you need. If your FortiGate unit supports SSL content scanning and inspection you can also enable FortiGuard Antispam for IMAPS, POP3S, and SMTPS.

IP address check: Select to enable the FortiGuard AntiSpam filtering IP address blacklist.

URL check: Select to enable the FortiGuard AntiSpam spam filtering URL blacklist.

E-mail checksum check: Select to enable the FortiGuard Antispam email message checksum blacklist.

Spam submission: Select to add a spam submission message and a link to the message body of all email messages marked as spam by FortiGuard Antispam. If the receiver considers that the email message is not spam, he or she can use the link in the message to inform FortiGuard Antispam. You can change the content of this message by going to System > Config > Replacement Messages and customizing the Spam > Spam submission message. For more information, see Spam replacement messages on page 200.

IP address BWL check: Select to compare the IP address of email message senders to the selected IP address black/white list and, if a match is found, to take the action configured in the list for the IP address. For more information, see IP address and email address black/white lists on page 501.

IP address BWL check list: Select the IP address black/white list to add to the protection profile. For more information, see Creating a new antispam IP address list on page 501.

HELO DNS lookup: Select to look up the source domain name (from the SMTP HELO command) for SMTP email messages.

E-mail address BWL check: Select to compare the email address of message senders to the selected email address black/white list and, if a match is found, to take the action configured in the list for the email address. For more information, see IP address and email address black/white lists on page 501.

E-mail address BWL list: Select the email address black/white list to add to the protection profile. For more information, see Creating a new antispam email address list on page 504.

Return e-mail DNS check: Select to enable checking that the domain specified in the reply-to or from address has an A or MX record.


Banned word check: Select to block email messages based on matching the content of the message with the words or patterns in the selected spam filter banned word list. For more information, see Banned word on page 498.

Banned word list: Select the banned word list to add to the protection profile. For more information, see Creating a new banned word list on page 499.

Threshold: Enter a spam filter banned word block threshold. Each entry in the banned word list added to the protection profile includes a score. When an email message is matched with an entry in the banned word list, the score is recorded. If an email message matches more than one entry, the score for the email message increases. When the total score for an email message equals or exceeds the threshold, the message is tagged as spam. The default score for a banned word list entry is 10 and the default threshold is 10. This means that by default an email message is tagged as spam by a single match. You can change the scores and threshold so email messages are only tagged as spam if there are multiple matches.

Spam Action: Select to either tag or discard email that the FortiGate unit determines to be spam. Tagging adds the text in the Tag Format field to the subject line or header of email identified as spam.
Note: When you enable virus scanning for SMTP and SMTPS in the Anti-virus section of the protection profile, scanning by splice, also called streaming mode, is enabled automatically. When scanning by splice, the FortiGate unit simultaneously scans and streams traffic to the destination, terminating the stream to the destination if a virus is detected. For details on configuring splicing, see the splice option for each protocol in the config firewall profile command in the FortiGate CLI Reference. For details on splicing behavior for SMTP, see the Knowledge Center article FortiGate Proxy Splice and Client Comforting Technical Note. When virus scanning is enabled for SMTP, the FortiGate unit can only discard spam email if a virus is detected. Discarding immediately drops the connection. If virus scanning is not enabled, you can choose to either tag or discard SMTP spam.

Tag Location: Select to add the tag to the subject or MIME header of email identified as spam. If you select to add the tag to the subject line, the FortiGate unit converts the entire subject line, including the tag, to UTF-8 format. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on preventing conversion of the subject line to UTF-8, see the System Settings chapter of the FortiGate CLI Reference. To add the tag to the MIME header, you must enable spamhdrcheck in the CLI for each protocol (IMAP, SMTP, and POP3). For more information see profile in the FortiGate CLI Reference.

Tag Format: Enter a word or phrase with which to tag email identified as spam. When typing a tag, use the same language as the FortiGate unit's current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see Settings on page 228. Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
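The Threshold fields of both the Web Content Block table and the Banned word table above describe the same scoring rule: each matching list entry contributes its score, and the page is blocked (or the message tagged as spam) once the total reaches the threshold. The Python below is an added example of that rule, not Fortinet code and not the FortiOS matching engine. The list, the message and the split into "word" (whole-word) and "regex" entries are constructed for the demonstration, and the choice to count each entry once however often it occurs is an assumption the guide does not state.

```python
import re

# Default score per list entry and default threshold, as the Threshold
# descriptions in the protection profile tables state.
DEFAULT_SCORE = 10
DEFAULT_THRESHOLD = 10


def entry_matches(text, pattern, kind):
    """True if one list entry matches the text.

    kind is "word" (whole-word, case-insensitive) or "regex" (Python regular
    expression). The words-or-patterns split mirrors the guide's wording;
    the exact matching rules are this example's own.
    """
    if kind == "word":
        return re.search(r"\b" + re.escape(pattern) + r"\b", text, re.IGNORECASE) is not None
    if kind == "regex":
        return re.search(pattern, text, re.IGNORECASE) is not None
    raise ValueError(f"unknown entry kind: {kind}")


def score_text(text, entries, threshold=DEFAULT_THRESHOLD):
    """Return (total_score, over_threshold, matched_patterns).

    entries: list of (pattern, kind, score). Each entry adds its score once
    when it matches, however many times it occurs (assumption of this example).
    over_threshold is True when total_score >= threshold: the guide's block
    condition for web content and tag-as-spam condition for banned words.
    """
    total = 0
    matched = []
    for pattern, kind, score in entries:
        if entry_matches(text, pattern, kind):
            total += score
            matched.append(pattern)
    return total, total >= threshold, matched


# Constructed list: two default-score words and one lower-scored pattern.
SAMPLE_LIST = [
    ("casino", "word", DEFAULT_SCORE),
    ("free money", "word", DEFAULT_SCORE),
    (r"\bwin+\b", "regex", 5),
]

# Constructed message body used for the demonstration.
SAMPLE_MESSAGE = "You win! Claim your free money at our online casino today."

if __name__ == "__main__":
    print(score_text(SAMPLE_MESSAGE, SAMPLE_LIST))                 # (25, True, [...])
    print(score_text("Our team will win the match", SAMPLE_LIST))  # (5, False, [...])
    print(score_text(SAMPLE_MESSAGE, SAMPLE_LIST, threshold=30))   # (25, False, [...])
```

With the defaults a single 10-point match is enough, exactly as the tables say. Giving weak indicators a score below the threshold (the 5-point pattern here) means they only count in combination, and raising the threshold above the per-entry score is how you require multiple matches before blocking or tagging.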

Data Leak Prevention Sensor options


You apply data leak prevention (DLP) to traffic by selecting a data leak prevention sensor. You can use DLP to prevent sensitive data from leaving your network and to provide content archiving.

You can also use protection profile DLP settings to:
  display content meta-information on the system dashboard
  content archive spam email (requires a FortiAnalyzer unit or the FortiGuard Analysis and Management Service).

To configure DLP sensor options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Data Leak Prevention Sensor, enter the information as described below, and select OK. For more information, see Data Leak Prevention on page 511 and Content Archive on page 667.
Figure 262: Data Leak Prevention Sensor options

Figure 263: Data Leak Prevention Sensor options (SSL content scanning inspection and FortiAnalyzer unit configured)

Data Leak Prevention Sensor: Select the check box and then specify the DLP sensor to add to the protection profile. For more information, see Adding and configuring a DLP sensor on page 512.

Display content meta-information on the system dashboard: For each protocol, select whether or not to display the content summary in the Dashboard Statistics widget. You can select HTTP, FTP, IMAP, POP3, and SMTP. If your FortiGate unit supports SSL content scanning and inspection you can also select HTTPS, IMAPS, POP3S, and SMTPS. For more information about the statistics widget, see Statistics on page 71.

Archive SPAMed emails to FortiAnalyzer/FortiGuard: For each email protocol, select to content archive email messages identified as spam by the FortiGate spam filtering or by FortiGuard Antispam. You must configure the FortiGate unit to log to a FortiAnalyzer unit to configure this option. For information about content archiving spam, see Configuring spam email message content archiving on page 668.

Application Control options


You can apply application control options through a protection profile. For more information about application control, see Application Control on page 523. To configure application control options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Application Control and select the application control list to add to the protection profile.


Figure 264: Protection Profile Application Control options

Application Control List: Select the check box and then specify the application control list to add to the protection profile. For more information, see Creating a new application control list on page 524.

Figure 265: Protection Profile Replacement Message options

Figure 266: Adding an MMS protection profile to a protection profile

Logging options
You can enable logging options in a protection profile to write event log messages when the options that you have enabled in this protection profile perform an action. For example, if you enable antivirus protection you could also enable the antivirus protection profile logging options to write an event log message every time a virus is detected by this protection profile. For more information about enabling and configuring event logs, see Event log on page 659. To configure Logging options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Logging, enter the information as described below, and select OK.


Figure 267: Protection Profile Logging options

Antivirus
  Viruses: Select to log detected viruses.
  Blocked Files: Select to log blocked files.
  Oversized Files / E-mails: Select to log oversize files and email messages.

Web Filtering
  Content Block: Select to log content blocking events.
  URL Filter: Select to log blocked and exempted URLs.
  ActiveX Filter: Select to log blocked ActiveX plugins.
  Cookie Filter: Select to log blocked cookies.
  Java Applet Filter: Select to log blocked Java applets.

FortiGuard Web Filtering (HTTP only)
  Rating Errors: Select to log rating errors.

Spam Filtering
  Log Spam: Select to log detected spam.

IPS
  Log Intrusions: Select to log IPS signature and anomaly events.

Application Control
  Log Application Control: Select to log Application Control events.

Data Leak Prevention Sensor
  Log DLP: Select to log DLP events.


Traffic Shaping
Traffic shaping, once included in a firewall policy, controls the bandwidth available to, and sets the priority of, the traffic processed by the policy. Traffic shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the FortiGate unit. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs extra high speed Internet access could have a special outgoing policy set up with higher bandwidth. Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or SSLVPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and ESP. Guaranteed and maximum bandwidth in combination with queuing ensures that minimum and maximum bandwidth is available for traffic. Traffic shaping cannot increase the total amount of bandwidth available, but you can use it to improve the quality of bandwidth-intensive and sensitive traffic. For more information about firewall policy, see Firewall Policy on page 319.
Note: For more information about traffic shaping you can also see the FortiGate Traffic Shaping Technical Note.

This section describes:
  Guaranteed bandwidth and maximum bandwidth
  Traffic priority
  Traffic shaping considerations
  Configuring traffic shaping

Guaranteed bandwidth and maximum bandwidth


When you enter a value in the Guaranteed Bandwidth field when adding a traffic shaper, you guarantee the amount of bandwidth available for selected network traffic (in Kbytes/sec). For example, you may want to give a higher guaranteed bandwidth to your e-commerce traffic. When you enter a value in the Maximum Bandwidth field when adding a traffic shaper, you limit the amount of bandwidth available for selected network traffic (in Kbytes/sec). For example, you may want to limit the bandwidth of IM traffic usage, to save some bandwidth for the more important e-commerce traffic.

The bandwidth available for traffic set in a traffic shaper is used for both the control and data sessions and for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal and an external FTP policy, and a user on an internal network uses FTP to put and get files, both the put and get sessions share the bandwidth available to the traffic controlled by the policy. Once included in a firewall policy, the guaranteed and maximum bandwidth is the total bandwidth available to all traffic controlled by the policy. If multiple users start multiple communication sessions using the same policy, all of these sessions must share the bandwidth available for the policy.


However, bandwidth availability is not shared between multiple instances of using the same service if these multiple instances are controlled by different policies. For example, you can create one FTP policy to limit the amount of bandwidth available for FTP for one network address and create another FTP policy with a different bandwidth availability for another network address.
Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy does not allow any traffic.

Traffic priority
When adding a traffic shaper, you can set traffic priority to manage the relative priorities of different types of traffic. Important and latency-sensitive traffic should be assigned a high priority. Less important and less sensitive traffic should be assigned a low priority. The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. For example, you can add policies to guarantee bandwidth for voice and e-commerce traffic. Then you can assign a high priority to the policy that controls voice traffic and a medium priority to the policy that controls e-commerce traffic. During a busy time, if both voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic will be transmitted before the e-commerce traffic.

Traffic shaping considerations


Traffic shaping attempts to normalize traffic peaks/bursts to prioritize certain flows over others. But there is a physical limitation to the amount of data which can be buffered and to the length of time. Once these thresholds have been surpassed, frames and packets will be dropped, and sessions will be affected in other ways. For example, incorrect traffic shaping configurations may actually further degrade certain network flows, since the excessive discarding of packets can create additional overhead at the upper layers that may be attempting to recover from these errors.

A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose potential discarding is less advantageous. This would mean that you accept sacrificing certain performance and stability on low-priority traffic, in order to increase or guarantee performance and stability to high-priority traffic. If, for example, you are applying bandwidth limitations to certain flows, you must accept the fact that these sessions can be limited and therefore negatively impacted.

Traffic shaping applied to a firewall policy is enforced for traffic which may flow in either direction. Therefore a session which may be set up by an internal host to an external one, through an Internal-to-External policy, will have traffic shaping applied even if the data stream flows external to internal. One example may be an FTP get, or an SMTP server connecting to an external one in order to retrieve email.

Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic shaping is not effective during periods when traffic exceeds the capacity of the FortiGate unit. Since packets must be received by the FortiGate unit before they are subject to traffic shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped packets, delays, and latency are likely to occur.


FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback


To ensure that traffic shaping is working at its best, make sure that the interface ethernet statistics show no errors, collisions or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting. For more information, see the FortiGate Traffic Shaping Technical Note.

Configuring traffic shaping


Configure traffic shapers to be included in firewall policies. To view the traffic shaper list, go to Firewall > Traffic Shaping > Traffic Shaping.
Figure 268: Traffic shaper list

Create New     Add a traffic shaper. For more information, see To create a traffic shaper on page 425.
Name           The name of a traffic shaper.
Delete icon    Select to remove a traffic shaper.
Edit icon      Select to modify a traffic shaper.

To create a traffic shaper
1 Go to Firewall > Traffic Shaping > Traffic Shaping.
2 Select Create New.
Figure 269: Creating traffic shapers

Name                   Type a name for this traffic shaper.
Apply Shaping          Select Per Policy to apply this traffic shaper to a single firewall policy that uses it. Select For all policies using this shaper to apply this traffic shaper to all firewall policies that use it.
Guaranteed Bandwidth   Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.


Maximum Bandwidth      Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.
Traffic Priority       Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections. Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.

3 Select OK.


SIP support
The Session Initiation Protocol (SIP) is a signaling protocol used for establishing and conducting multiuser calls over TCP/IP networks using any media. Due to the complexity of the call setup, not every firewall can handle SIP calls correctly, even if the firewall is stateful. The FortiGate unit has a pre-defined SIP firewall service that tracks and scans SIP calls and makes adjustments, to both the firewall state and call data, to ensure a seamless call is established through the FortiGate unit regardless of its operation mode, NAT, route, or transparent. You can use protection profiles to control the SIP protocol and SIP call activity. A statistical summary of SIP protocol activity is also available for managing SIP use.

This section includes some information about VoIP and SIP. It also describes how FortiOS SIP support works and how to configure the key SIP features. For more configuration information, see the FortiGate CLI Reference.

The FortiGate unit supports the following SIP features:
stateful SIP tracking
RTP pinholing
request control
rate limiting
events logging
communication archiving
NAT IP preservation
client connection control
register response acceptance
Application Layer Gateway (ALG) control
SIP stateful HA

This section describes:
VoIP and SIP
The FortiGate unit and VoIP security
How SIP support works
Configuring SIP

VoIP and SIP


SIP is an IETF protocol for establishing Voice over IP (VoIP) connections. Many VoIP networks choose SIP to handle multimedia sessions between endpoints. This lightweight text-based signaling protocol is transported over either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). SIP uses invitations to create Session Description Protocol (SDP) messages that allow participants to agree on a set of compatible media types. SIP applications are based on a client-server structure and support user mobility with two operating modes: proxy and redirect.


In proxy mode (shown in Figure 270), SIP clients send requests to the proxy server. The proxy server either handles the requests or forwards them to other SIP servers. Proxy servers can insulate and hide SIP users by proxying the signaling messages. To the other users on the VoIP network, the signaling invitations look as if they come from the SIP proxy server.
Figure 270: SIP in proxy mode (labels shown: SIP Proxy Server, IP Network, RTP Session, SIP Client A (a@example.com), SIP Client B (b@example.com))
1 SIP clients register with the SIP server.
2 Client A dials Client B and a request is sent to the SIP proxy server.
3 The proxy server looks up the phone number or URL of the destination client (Client B) and sends an invite to Client B.
4 Client B is notified of the incoming call by the proxy server; the phone rings.
5 The RTP session opens when Client B answers.

When the SIP server operates in redirect mode (shown in Figure 271), the SIP client sends its signaling request to a SIP server, which then looks up the destination address. The SIP server returns the destination address to the originator of the call, who uses it to signal the destination SIP client.
Figure 271: SIP in redirect mode (labels shown: SIP Redirect Server, IP Network, RTP Session, SIP Client A (a@example.com), SIP Client B (b@example.com))
1 SIP clients register with the SIP server.
2 Client A dials Client B and a request is sent to the SIP redirect server.
3 The redirect server looks up the phone number or URL of the destination client (Client B) and sends the address back to the caller (Client A).
4 Client A sends an invitation to Client B.
5 Client B is notified of the incoming call by the redirect server; the phone rings.
6 The RTP session opens when Client B answers.


The FortiGate unit and VoIP security


Like data networks, VoIP networks are vulnerable to many of the same security risks, including denial of service (DoS) attacks, service theft, tampering, and fraud. Many conventional firewalls cannot protect VoIP networks from attacks because VoIP is implemented at both the signaling and media layers. VoIP calls cannot go through these firewalls unless a range of ports is opened, which exposes the network to unauthorized access. The FortiGate unit can effectively secure VoIP solutions since it supports VoIP protocols such as SIP, MGCP, and H.323, and associates state at the signaling layer with packet flows at the media layer. Using SIP ALG controls, the FortiGate unit can interpret the VoIP signaling protocols used in the network and dynamically open and close ports (pinholes) for each specific VoIP call to maintain security. The FortiGate intrusion prevention system (IPS) provides another strategic line of defense, particularly against VoIP network predators. The IPS has deep-packet inspection capabilities to provide continuous surveillance across multiple network sectors simultaneously, recognizing the network traffic expected within each and alerting network managers to malicious packets and other protocol anomalies.

SIP NAT
The FortiGate unit supports network address translation (NAT) of SIP because the FortiGate ALG can modify the SIP headers correctly. This section uses scenarios to explain the FortiGate SIP NAT support.

Source NAT (SIP and RTP)


In the source NAT scenario shown in Figure 272, a SIP phone connects to the Internet through a FortiGate unit with PPPoE. The FortiGate ALG translates all private IPs in the SIP contact header into public IPs. You need to configure an internal to external UDP firewall policy with NAT checked and a SIP-enabled protection profile. For more information about firewall policies, see Firewall Policy on page 319.
Figure 272: SIP source NAT (labels shown: SIP Server 217.10.79.9 and RTP Server 217.10.69.11, with the note that the SIP service provider has a SIP server and a separate RTP server; Internet; 217.233.122.132; 10.72.0.57)


Destination NAT (SIP and RTP)


In the destination NAT scenario, a SIP phone can connect to a local IP using a FortiOS VIP. The FortiGate unit translates the SIP contact header to the IP of the real SIP server located outside.
Figure 273: SIP destination NAT (labels shown: SIP Server 217.10.79.9 and RTP Server 217.10.69.11, with the note that the SIP service provider has a SIP server and a separate RTP server; 10.72.0.60; 217.233.122.132; Internet; 10.72.0.57)

In the scenario shown in Figure 273, the SIP phone connects to a VIP (10.72.0.60). The FortiGate SIP ALG translates the SIP contact header to 217.10.79.9. The FortiGate ALG will open the Real-time Transport Protocol (RTP) pinholes and manage NAT. The FortiGate unit also supports a variation of this scenario: the RTP server hides its real address.
Figure 274: SIP destination NAT, RTP server hidden (labels shown: 192.168.200.99; 219.29.81.21; RTP Server; 10.0.0.60; 217.233.90.60; Internet; SIP Server)

In this scenario, shown in Figure 274, a SIP phone connects to the Internet. The VoIP service provider only publishes a single public IP (a VIP). The SIP phone connects to the FortiGate unit (217.233.90.60) and the FortiGate unit then translates the SIP contact header to the SIP server (10.0.0.60). The SIP server also sets the SIP/SDP connection information (which tells the SIP phone which RTP IP address to contact) to 217.233.90.60.


Source NAT with IP pool


You can choose NAT with the Dynamic IP Pool option when configuring a firewall policy if the source IP of the SIP packets is different from the interface IP. The FortiGate ALG interprets this configuration and translates the SIP header accordingly. This configuration also applies to destination NAT.

Different source and destination NAT for SIP and RTP


This is a more complex scenario that a SIP service provider may use. It can also be deployed in large-scale SIP environments where RTP has to be processed by the FortiGate unit and the RTP server IP has to be translated differently than the SIP server IP.
Figure 275: Different source and destination NAT for SIP and RTP (labels shown: RTP Servers 192.168.0.21 - 192.168.0.23; 219.29.81.10; 219.29.81.20; RTP Server; 10.0.0.60; RTP-1: 217.233.90.65; RTP-2: 217.233.90.70; Internet; SIP Server; SIP: 217.233.90.60)

In this scenario, shown in Figure 275, assume there is a SIP server and a separate media gateway. The SIP server is configured so that the SIP phone (219.29.81.20) will connect to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will connect to 217.233.90.65. What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2 The SIP server carries out RTP to 217.233.90.65.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4 RTP is sent to the RTP-VIP (217.233.90.65). The FortiGate ALG translates the SIP contact header to 192.168.0.21.

How SIP support works


The FortiGate unit uses firewall policies to protect communications between servers and VoIP end devices. These policies restrict VoIP communication based on authorized end devices or traffic sourced or destined for a particular IP address or interface. The FortiGate unit segments the VoIP network, separating the voice traffic from other traffic to ensure that appropriate priority and policies are applied.

You need to configure the FortiOS SIP support in the following order:
1 Create a firewall protection profile that enables SIP (see Enabling SIP support and setting rate limiting from the web-based manager on page 432). Once the profile is included in a policy, the ALG will parse the SIP traffic and open the RTP ports for each specific VoIP call. When creating a protection profile, you configure SIP features using the web-based manager and CLI. You then apply the profile to a firewall policy. You can apply a profile to multiple policies.
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile. Specifically, select the SIP or Any pre-defined service for the policy. When the FortiGate unit receives a SIP packet, it checks the packet against the firewall policies. If the packet matches a policy, the FortiGate firewall inspects and processes the packet according to the SIP profile applied to the policy. For more information about firewall policies, see Firewall Policy on page 319.
3 Configure advanced SIP features as required (see Configuring SIP on page 432).

Configuring SIP
You can enable SIP support, set two rate limits, enable SIP logging, and view SIP statistics using the web-based manager. You need to configure most features, however, through the CLI.

Enabling SIP support and setting rate limiting from the web-based manager
To enable SIP support you need to:
enable SIP in an application control list
select this application control list in a protection profile
add this protection profile to a firewall policy that accepts SIP traffic.

From the web-based manager, you can also configure some SIP rate limiting settings. Rate limiting for SIP also limits SIMPLE traffic. SIP rate limiting is useful for protecting a SIP server within a company. Most SIP servers do not have integrated controls and it is very easy to flood SIP servers with INVITE or REGISTER requests.

To enable SIP and set rate limiting from the web-based manager
1 Go to UTM > Application Control.
2 If you want to enable SIP for an existing application control list, select the Edit icon for an application control list. Otherwise, select Create New to add a new application list.
3 Then, select Create New in the application list to add a new application to the application control list.
4 Set Application to SIP.
5 Select OK.
6 Make sure the application control list is selected in a protection profile and that the protection profile is added to a firewall policy. For more information about application control, see Application Control on page 523.


Enabling SIP support from the CLI


From the FortiGate CLI, you can enable rate limiting for a more extensive range of SIP requests, including ACK, INFO, NOTIFY, OPTIONS, PRACK, REFER, SUBSCRIBE, and UPDATE. For more information, see the FortiGate CLI Reference.

From the CLI, you enable SIP support using the config application list command to add SIP to an application list. The config application list command uses application list numbers to identify applications. SIP is application number 12. Use the following command to enable SIP support in an application list:
config application list
  edit <list_name>
    config entries
      edit 12
    end
  end
Entering this command enables SIP support with all SIP settings set to defaults. See the FortiGate CLI Reference for information about all of the SIP settings and their defaults.

Setting SIP rate limiting from the CLI


Use the following command to enable SIP support in an application list and configure SIP rate limiting:
config application list
  edit <list_name>
    config entries
      edit 12
        set register-rate 100
        set invite-rate 30
    end
  end

More about rate limiting


FortiGate units support rate limiting for the following types of VoIP traffic:
Session Initiation Protocol (SIP)
Skinny Call Control Protocol (SCCP)
Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions (SIMPLE)

You can use rate limiting of these VoIP protocols to protect the FortiGate unit and your network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects against SIP DoS attacks by limiting the number of SIP REGISTER and INVITE requests that the FortiGate unit receives per second. Rate limiting protects against SCCP DoS attacks by limiting the number of SCCP call setup messages that the FortiGate unit receives per minute. When VoIP rate limiting is enabled, if the FortiGate unit receives more messages per second (or minute) than the configured rate, the extra messages are dropped. If you are experiencing denial of service attacks from traffic using these VoIP protocols, you can enable VoIP rate limiting and limit the rates for your network. Limit the rates depending on the amount of SIP and SCCP traffic that you expect the FortiGate unit to be handling. You can adjust the settings if some calls are lost or if the amount of SIP or SCCP traffic is affecting FortiGate unit performance.
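The drop-above-rate behaviour described above, as an added example that is not FortiOS code: a fixed-window limiter keyed by request type, using the register-rate 100 and invite-rate 30 values from the CLI section for SIP and a 60-second window for the SCCP case. The flood traffic at the end is constructed for the demonstration.

```python
"""Added example, not FortiOS code: a model of VoIP request rate limiting.
Each limited request type has its own fixed window (one second for SIP
REGISTER/INVITE, sixty seconds for SCCP call setup). Requests beyond the
configured rate inside a window are dropped; request types without a
configured limit are never dropped."""
from collections import defaultdict


class VoipRateLimiter:
    def __init__(self, limits, window_seconds=1.0):
        # limits mirrors the CLI settings, e.g. {"REGISTER": 100, "INVITE": 30}
        self.limits = limits
        self.window = window_seconds
        self.window_start = {}          # request type -> start of its window
        self.count = defaultdict(int)   # request type -> seen in this window

    def accept(self, method, now):
        """Return True if this request is forwarded, False if it is dropped."""
        limit = self.limits.get(method)
        if limit is None:
            return True
        start = self.window_start.get(method)
        if start is None or now - start >= self.window:
            # a new window for this request type: reset the counter
            self.window_start[method] = now
            self.count[method] = 0
        self.count[method] += 1
        return self.count[method] <= limit


def sip_method(start_line):
    """Request method from a SIP start line such as 'INVITE sip:b@x SIP/2.0'."""
    return start_line.split(maxsplit=1)[0] if start_line else ""


def run(limiter, packets):
    """packets: iterable of (timestamp_seconds, SIP start line).
    Returns (forwarded, dropped) counts."""
    forwarded = dropped = 0
    for ts, line in packets:
        if limiter.accept(sip_method(line), ts):
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


def constructed_flood():
    """Constructed traffic: 45 INVITEs and 10 REGISTERs in the first second,
    then 5 INVITEs and one OPTIONS in the next second."""
    packets = [(i * 0.02, "INVITE sip:b@example.com SIP/2.0") for i in range(45)]
    packets += [(0.5 + i * 0.01, "REGISTER sip:example.com SIP/2.0") for i in range(10)]
    packets += [(1.0 + i * 0.1, "INVITE sip:b@example.com SIP/2.0") for i in range(5)]
    packets.append((1.6, "OPTIONS sip:example.com SIP/2.0"))
    packets.sort(key=lambda p: p[0])
    return packets


def demo():
    """With invite-rate 30 and register-rate 100: 46 forwarded, 15 dropped
    (the 15 INVITEs above 30 in the first second)."""
    limiter = VoipRateLimiter({"REGISTER": 100, "INVITE": 30})
    return run(limiter, constructed_flood())


if __name__ == "__main__":
    print(demo())  # (46, 15)
```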


From the CLI you can configure additional SIP, SCCP, as well as SIMPLE extensions. For more information, see the description of the config sip, config sccp, and config simple subcommands of the application command in the FortiGate CLI Reference. You can also block SIMPLE sessions by enabling block login for the SIMPLE application. For more information, see Application Control on page 523.

Enabling SIP logging


You can log SIP events in a protection profile. Go to Firewall > Protection Profile. Open an existing profile or select Create New to create a new profile. Expand Logging. Select Log VoIP Activity to log VoIP events. For more information about enabling and configuring logging, see Log&Report on page 647.

Enabling advanced SIP features in an application list


You can configure advanced SIP features for an application list. For more information, see the FortiGate CLI Reference.

Turning on SIP tracking


The FortiGate SIP ALG (Application Level Gateway) tracks the SIP session over its life span. A SIP session (or SIP dialog) is normally established after the SIP INVITE procedure. The ALG then tracks this call as a SIP session. A session can end by regular BYE procedure, such as callers hanging up the phone, or by an unexpected signalling or transport error. You can continue tracking a SIP session for a specified period of time even when RTP (Real-time Transport Protocol) is lost. From the CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set call-keepalive <integer>
    end
  end

Managing RTP pinholing


Once you create a firewall policy that allows SIP, the FortiGate ALG will automatically open the respective RTP ports as long as the SIP session is alive. You can also manually close RTP ports. This may be useful in cases where the FortiGate unit only acts as a signalling firewall while RTP is bypassed. Therefore, no pinholes need to be created. From the CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set rtp disable
    end
  end


Blocking SIP requests


Since SIP requests can be transmitted via UDP, broadcast attacks are possible. To prevent your site from being used as an intermediary in an attack, you can block various SIP requests including ACK, INVITE, INFO, PRACK, and so on directed to broadcast addresses at your router. For example, you can type the following commands to block INVITE requests:
config application list
  edit <list_name>
    config entries
      edit 12
        set block-invite enable
    end
  end

Archiving SIP communication


You can content archive SIP call metadata. Depending on your log configuration, you can view the archived information. For more information, see Log&Report on page 647. From the CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set sip-archive-summary enable
    end
  end

Preserving NAT IP
In NAT operation mode, you can preserve the original source IP address in the SDP i line. This allows the SIP server to parse this IP for billing purposes. From the CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set nat-trace enable
    end
  end
In addition, you can overwrite or append the SDP i line:
config application list
  edit <list_name>
    config entries
      edit 12
        set preserve-override {enable | disable}
    end
  end
where selecting enable removes the original source IP address from the SDP i line and disable appends the address.


Controlling SIP client connection


You can control the SIP client to only connect to the registrar itself. This can avoid VoIP spoofing. From the CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set strict-register enable
    end
  end

Accepting SIP register response


You can enable reg-diff-port to accept a SIP register response from a SIP server even if the source port of the register response is different from the destination port of the register request. Most SIP servers use 5060 as the source port in the SIP register response. Some SIP servers, however, may use a different source port. If your SIP server uses a different source port, you can enable reg-diff-port and the FortiGate SIP ALG will create a temporary pinhole when receiving a register request from a SIP client. As a result, the FortiGate unit will accept a register response with any source port number from the SIP server. From the CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set reg-diff-port enable
    end
  end

Controlling the SIP ALG


You can enable contact-fixup so that the FortiGate ALG performs normal SIP NAT translation to SIP contact headers as SIP sessions pass through the FortiGate unit. Disable contact-fixup if you do not want the FortiGate ALG to perform normal SIP NAT translation of the SIP contact header if a Record-Route header is also available. If contact-fixup is disabled, the FortiGate ALG does the following with contact headers:
For Contact in Requests, if a Record-Route header is present and the request comes from the external network, the SIP Contact header is not translated.
For Contact in Responses, if a Record-Route header is present and the response comes from the external network, the SIP Contact header is not translated.

If contact-fixup is disabled, the FortiGate ALG must be able to identify the external network. To identify the external network, you must use the config system interface command to set the external keyword to enable for the interface that is connected to the external network. From the CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set contact-fixup {enable | disable}
    end
  end
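The address rewriting, RTP pinhole and contact-fixup behaviour described in Source NAT (SIP and RTP), Managing RTP pinholing and Controlling the SIP ALG, as an added example that is not FortiOS code. The INVITE text, the addresses (taken from Figure 272) and the assumption that the RTP port survives NAT unchanged are constructed for the demonstration.

```python
"""Added example, not FortiOS code: a small model of the SIP ALG behaviour
described in this section. It rewrites one address in the Contact header and
the SDP c= line (source NAT: private -> public; destination NAT: VIP -> real
server), derives the RTP pinhole from the SDP m=audio line, and applies the
contact-fixup / Record-Route rule."""

CRLF = "\r\n"


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value), ...], SDP body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def rtp_pinhole(body, rtp_enabled=True):
    """Pinhole (ip, rtp_port, rtcp_port) for the SDP audio stream.

    Returns None when no audio stream is offered or when 'set rtp disable'
    is modelled (signalling-only firewall, no pinholes). RTCP on the next
    port is the RFC 3550 default pairing."""
    if not rtp_enabled:
        return None
    ip = port = None
    for line in body.split(CRLF):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        return None
    return ip, port, port + 1


def alg_rewrite(raw, old_ip, new_ip, from_external=False, contact_fixup=True):
    """Translate old_ip to new_ip in the Contact header and the SDP c= line.

    Source NAT: old_ip is the phone's private address, new_ip the public one.
    Destination NAT: old_ip is the VIP, new_ip the real server behind it.
    With contact-fixup disabled, a message carrying a Record-Route header
    that arrives from the external network keeps its Contact untouched.
    Returns (rewritten message, pinhole derived from the rewritten SDP)."""
    start, headers, body = parse_sip(raw)
    has_record_route = any(n.lower() == "record-route" for n, _ in headers)
    skip_contact = (not contact_fixup) and has_record_route and from_external
    out = [start]
    for name, value in headers:
        if name.lower() == "contact" and not skip_contact:
            value = value.replace(old_ip, new_ip)
        out.append(f"{name}: {value}")
    # The SDP c= line tells the peer where to send RTP, so it is rewritten
    # too; the port is assumed to survive NAT unchanged (a simplification).
    new_body = body.replace(f"c=IN IP4 {old_ip}", f"c=IN IP4 {new_ip}")
    return CRLF.join(out) + CRLF + CRLF + new_body, rtp_pinhole(new_body)


def contact_of(message):
    """Contact header value of a SIP message (inspection helper)."""
    return next(v for n, v in parse_sip(message)[1] if n.lower() == "contact")


# Constructed outbound INVITE from a phone at 10.72.0.57 behind a FortiGate
# unit whose public address is 217.233.122.132 (the Figure 272 addresses).
INVITE = CRLF.join([
    "INVITE sip:b@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 10.72.0.57:5060;branch=z9hG4bK776",
    "From: <sip:a@example.com>;tag=1928",
    "To: <sip:b@example.com>",
    "Contact: <sip:a@10.72.0.57:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=a 1 1 IN IP4 10.72.0.57",
    "c=IN IP4 10.72.0.57",
    "m=audio 49170 RTP/AVP 0",
])


def source_nat_demo():
    """Source NAT of the constructed INVITE: private -> public."""
    return alg_rewrite(INVITE, "10.72.0.57", "217.233.122.132")


if __name__ == "__main__":
    message, pinhole = source_nat_demo()
    print(contact_of(message))  # <sip:a@217.233.122.132:5060>
    print(pinhole)              # ('217.233.122.132', 49170, 49171)
```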


AntiVirus
This section describes how to configure the antivirus options associated with firewall protection profiles. From a protection profile you can configure the FortiGate unit to apply antivirus protection to HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP sessions. If your FortiGate unit supports SSL content scanning and inspection you can also configure antivirus protection for HTTPS, IMAPS, POP3S, and SMTPS sessions. For more information, see SSL content scanning and inspection on page 399.

If you enable virtual domains (VDOMs) on the FortiGate unit, most antivirus options are configured separately for each virtual domain. However, the file quarantine, the virus list and the grayware list are part of the global configuration. Only administrators with global access can configure and manage the file quarantine, view the virus list, and configure the grayware list. For details, see Using virtual domains on page 103.

This section describes:
Order of operations
Antivirus tasks
Antivirus settings and controls
File Filter
File Quarantine
Viewing the virus database information
Viewing and configuring the grayware list
Antivirus CLI configuration

Order of operations
The antivirus scanning function includes various modules and engines that perform separate tasks. The FortiGate unit performs antivirus processing in the following order:
File size
File pattern
File type
Virus scan
Grayware
Heuristics

If a file fails any of the tasks of the antivirus scan, no further scans are performed. For example, if the file fakefile.EXE is recognized as a blocked pattern, the FortiGate unit will send the end user a replacement message and the file will be deleted or quarantined. The virus scan, grayware, heuristics, and file type scans will not be performed, as the file has already been determined to be a threat and has been dealt with.
Note: File filter includes file pattern and file type scans which are applied at different stages in the antivirus process.


Figure 276: Order of operation (flowchart). Start: FTP, NNTP, SMTP, POP3, or IMAP traffic, after web filter and spam checking, is buffered as a file or message. Then, in order: if the file/email exceeds the oversized threshold, the oversized file/email action (Block or Pass) applies; if a file pattern matches, the matching file pattern action (Block or Allow) applies; if the AV scan detects an infection, the file/email is blocked; if a file type matches, the matching file type action (Block or Allow) applies. A file/email that is not blocked at any step is passed.

Antivirus tasks
The antivirus tasks work in sequence to efficiently scan incoming files and offer your network unparalleled antivirus protection. The first four tasks have specific functions, the fifth, the heuristics, is to cover any new, previously unknown, virus threats. To ensure that your system is providing the most protection available, all virus definitions and signatures are updated regularly through the FortiGuard antivirus services. The tasks will be discussed in the order that they are applied followed by FortiGuard antivirus.

File size
This task checks if files and email messages exceed configured thresholds. It is enabled by setting the Oversized File/Email option under Firewall > Protection Profile > Antivirus to Pass. For more information, see Anti-Virus options on page 407.


File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The FortiGate unit will check the file against the file pattern setting you have configured. If the file is a blocked pattern, .EXE for example, then it is stopped and a replacement message is sent to the end user. No other levels of protection are applied. If the file is not a blocked pattern, the next level of protection is applied.

Virus scan
If the file passes the file pattern scan, it will have a virus scan applied to it. The virus definitions are kept up to date through the Fortinet Distribution Network. The list is updated on a regular basis so you do not have to wait for a firmware upgrade. For more information on updating virus definitions, see FortiGuard antivirus on page 441.

Grayware
Once past the virus scan, the incoming file will be checked for grayware. Grayware configurations can be turned on and off as required and are kept up to date in the same manner as the antivirus definitions. For more information on configuring grayware please see Viewing and configuring the grayware list on page 452.

Heuristics
After an incoming file has passed the grayware scan, it is subjected to the heuristics scan. The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect virus-like behavior or known virus indicators. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results.
Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.

File type
Once a file passes the heuristic scan, the FortiGate unit applies the file type recognition filter. The FortiGate unit will check the file against the file type setting you have configured. If the file is a blocked type, then it is stopped and a replacement message is sent to the end user. No other levels of protection are applied. If the file is not a blocked type, the next level of protection is applied.

FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic updates of virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The connection between the FortiGate unit and FortiGuard Center is configured in System > Maintenance > FortiGuard. See Configuring the FortiGate unit for FDN and FortiGuard subscription services on page 266 for more information.

Antivirus settings and controls


While antivirus settings are configured for system-wide use, specific settings can be implemented on a per profile basis. Table 44 compares antivirus options in protection profiles and the antivirus menu.


Note: If virtual domains are enabled, you configure antivirus file filtering and antivirus settings in protection profiles separately for each virtual domain. Antivirus file quarantine and grayware settings are part of the global configuration.

Table 44: Antivirus and Protection Profile antivirus configuration

Protection Profile antivirus options
Virus Scan                                 Enable or disable virus scanning for each supported protocol: HTTP, FTP, IMAP, POP3, SMTP, IM. If your FortiGate unit supports SSL content scanning and inspection you can also enable virus scanning for HTTPS, IMAPS, POP3S, and SMTPS.
File Filter                                Enable or disable file pattern and file type handling for each protocol.
Quarantine                                 Enable or disable quarantining for each protocol. File Quarantine is only available on units with a local disk, or with a configured FortiAnalyzer unit.
Pass fragmented email messages             Enable or disable passing fragmented email messages. Fragmented email messages cannot be scanned for viruses.
Comfort Clients                            Enable or disable for HTTP and FTP traffic (and HTTPS traffic if your FortiGate unit supports SSL content scanning and inspection and HTTPS content filtering mode is set to Deep Scan in the protocol recognition part of the protection profile). Set the interval and byte amount to trigger client comforting.
Oversized file/email                       Configure the FortiGate unit to block or pass oversized files and email messages for each protocol. Set the size thresholds for files and email messages for each protocol in AntiVirus.
Add signature to outgoing email messages   Create and enable a signature to append to outgoing email messages (SMTP only).

Antivirus settings
UTM > AntiVirus > Virus Database           View a read-only list of current viruses.
UTM > AntiVirus > Grayware                 Enable or disable blocking of Grayware by category.
UTM > AntiVirus > File Filter              Configure file patterns and types to block or allow files. Patterns and types can also be individually enabled or disabled.
UTM > AntiVirus > Quarantined Files        View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus.

442

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback


File Filter
Configure the FortiGate file filter to block files by:

File pattern: Files can be blocked by name, extension, or any other pattern. File pattern blocking provides the flexibility to block potentially harmful content. File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending in .EXE. In addition to the built-in patterns, you can specify more file patterns to block. For details, see Configuring the file filter list on page 445.

File type: Files can be blocked by type, without relying on the file name to indicate what type of files they are. When blocking by file type, the FortiGate unit analyzes the file and determines the file type regardless of the file name. For details about supported file types, see Built-in patterns and supported file types on page 443.

For standard operation, you can choose to disable file filter in the protection profile, and enable it temporarily to block specific threats as they occur. The FortiGate unit can take any of the following three actions towards the files that match a configured file pattern or type:

Allow: the file will be allowed to pass.

Block: the file will be blocked and a replacement message will be sent to the user. If both file filter and virus scan are enabled, the FortiGate unit blocks files that match the enabled file filter and does not scan these files for viruses.

The FortiGate unit also writes a message to the virus log and sends an alert email message if configured to do so. Files are compared to the enabled file patterns and then the file types from top to bottom. If a file does not match any specified patterns or types, it is passed along to antivirus scanning (if enabled). In effect, files are passed if not explicitly blocked. Using the allow action, this behavior can be reversed with all files being blocked unless explicitly passed. Simply enter all the file patterns or types to be passed with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action. Allowed files continue to antivirus scanning (if enabled) while files not matching any allowed patterns are blocked by the wildcard at the end.
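The evaluation order described above (enabled patterns, then types, top to bottom; unmatched files pass on to virus scanning; the allow-list reversal with a trailing *.* block), as an added Python model. This is example code written for this section, not FortiGate code: the content sniffing in detect_type is a constructed stand-in for the unit's file type analysis and recognises only a handful of the supported types, and the two rule lists are constructed samples.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Content-based type detection: a constructed stand-in for the unit's file
# type analysis, covering only a few of the supported types by magic bytes.
MAGIC = [
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\x7fELF", "elf"),
]


def detect_type(data: bytes) -> str:
    """Determine the file type from content, ignoring the file name."""
    for magic, ftype in MAGIC:
        if data.startswith(magic):
            return ftype
    return "unknown"  # the guide's 'unknown' type: anything not recognised


@dataclass
class Rule:
    kind: str            # "pattern" (file name pattern) or "type" (supported type name)
    value: str
    action: str          # "allow" or "block"
    enabled: bool = True

    def matches(self, name: str, ftype: str) -> bool:
        if self.kind == "pattern":
            # File patterns are not case sensitive: *.exe also matches .EXE
            return fnmatchcase(name.lower(), self.value.lower())
        return ftype == self.value


def evaluate(rules: List[Rule], name: str, data: bytes) -> Tuple[str, Optional[Rule]]:
    """First enabled match wins and returns ("block"|"allow", rule).

    Enabled patterns are compared first, then types, each top to bottom.
    A file matching no rule returns ("scan", None): it is not blocked and is
    passed along to antivirus scanning. An "allow" match also continues to
    antivirus scanning; a "block" match is not scanned at all.
    """
    ftype = detect_type(data)
    for kind in ("pattern", "type"):
        for rule in rules:
            if rule.enabled and rule.kind == kind and rule.matches(name, ftype):
                return rule.action, rule
    return "scan", None


# Constructed sample lists.
# Default behaviour: only explicitly listed patterns/types are blocked.
BLOCK_LIST = [
    Rule("pattern", "*.exe", "block"),
    Rule("pattern", "*.zip", "block", enabled=False),  # disabled entries are skipped
    Rule("type", "exe", "block"),                      # catches renamed executables
]

# Reversed behaviour: allow listed patterns, block everything else with *.*
ALLOW_LIST = [
    Rule("pattern", "*.pdf", "allow"),
    Rule("pattern", "*.docx", "allow"),
    Rule("pattern", "*.*", "block"),
]

if __name__ == "__main__":
    for rules, name, data in [
        (BLOCK_LIST, "Setup.EXE", b"MZ\x90\x00"),
        (BLOCK_LIST, "report.txt", b"MZ\x90\x00"),
        (BLOCK_LIST, "archive.zip", b"PK\x03\x04"),
        (ALLOW_LIST, "Invoice.PDF", b"%PDF-1.4"),
        (ALLOW_LIST, "tool.exe", b"MZ\x90\x00"),
    ]:
        action, rule = evaluate(rules, name, data)
        hit = f"{rule.kind} {rule.value}" if rule else "no match"
        print(f"{name:12} -> {action:5} ({hit})")
```

The second BLOCK_LIST case is the reason the guide offers type rules beside pattern rules: report.txt carries an executable header, escapes every name pattern, and is still blocked by the type rule. The third case shows that a disabled entry is ignored rather than treated as a match.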

Built-in patterns and supported file types


The FortiGate unit is preconfigured with a default list of file patterns:
executable files (*.bat, *.com, and *.exe)
compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
dynamic link libraries (*.dll)
HTML application (*.hta)
Microsoft Office files (*.doc, *.ppt, *.xl?)
Microsoft Works files (*.wps)
Visual Basic files (*.vb?)
screen saver files (*.scr)
program information files (*.pif)
control panel files (*.cpl)

The FortiGate unit can take actions against the following file types:

Table 45: Supported file types
activemime, arj, aspack, base64, bat, binhex, bzip, bzip2, cab, class, cod, elf, exe, fsg, gzip, hlp, hta, html, ignored, jad, javascript, lzh, mime, msc, msoffice, petite, prc, rar, sis, tar, unknown, upx, uue, zip

Note: The unknown type is any file type that is not listed in the table. The ignored type is the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio and video.

Viewing the file filter list catalog


You can add multiple file filter lists and then select the best file filter list for each protection profile. To view the file filter list catalog, go to UTM > AntiVirus > File Filter. To view any individual file filter list, select the edit icon for the list you want to see.
Figure 277: Sample file pattern list catalog

Note: The default file pattern list catalog is called builtin-patterns.

Create New: Select Create New to add a new file filter list to the catalog.
Name: The available file filter lists.
# Entries: The number of file patterns or file types in each file filter list.
Profiles: The protection profiles each file filter list has been applied to.
DLP Rule: The DLP rules in which each filter is used.
Comments: Optional description of each file filter list.
Delete icon: Select to remove the file filter list from the catalog. The delete icon is only available if the file filter list is not selected in any protection profiles.
Edit icon: Select to edit the file filter, its name and comment.

The file filter list will be used in protection profiles. For more information, see Anti-Virus options on page 407.

Creating a new file filter list


To add a file pattern list to the file pattern list catalog, go to UTM > AntiVirus > File Filter and select Create New.


Figure 278: New File Filter List dialog box

Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.

Viewing the file filter list


To view the file filter list, go to UTM > AntiVirus > File Filter and select the edit icon of the file filter list you want to view.
Figure 279: Sample file filter list

The file filter list has the following icons and features:
Name: File filter list name. To change the name, edit the text in the name field and select OK.
Comment: Optional comment. To add or edit the comment, enter text in the comment field and select OK.
OK: If you make changes to the list name or comments, select OK to save the changes.
Create New: Select Create New to add a new file pattern or type to the file filter list.
Filter: The current list of file patterns and types.
Action: Files matching the file patterns and types can be set to block, allow, or intercept. For information about actions, see File Filter on page 443.
Enable: Clear the checkbox to disable the file pattern or type.
Delete icon: Select to remove the file pattern or type from the list.
Edit icon: Select to edit the file pattern/type and action.
Move To icon: Select to move the file pattern or type to any position in the list.

Configuring the file filter list


For file patterns, you can add a maximum of 5000 patterns to a list. For file types, you can only select from the supported types.


Figure 280: New file filter

To add a file pattern or type, go to UTM > AntiVirus > File Filter. Select the Edit icon for a file filter list, then select Create New.

Filter Type: Select File Name Pattern if you want to add a file pattern; select File Type and then select a file type from the supported file type list.
Pattern: Enter the file pattern. The file pattern can be an exact file name or can include wildcards. The file pattern can be up to 80 characters long.
File Type: Select a file type from the list. For information about supported file types, see Built-in patterns and supported file types on page 443.
Action: Select an action from the drop-down list: Block, Allow, or Intercept. For more information about actions, see File Filter on page 443.
Enable: Select to enable the pattern.

File Quarantine
FortiGate units with a local disk, or with a single-width AMC slot containing a FortiGate-ASM-S08 module or a FortiGate-ASM-SAS module, can quarantine blocked and infected files. View the file name and status information about the file in the Quarantined Files list. Submit specific files and add file patterns to the AutoSubmit list so they will automatically be uploaded to Fortinet for analysis.

FortiGate units can also quarantine blocked and infected files to a FortiAnalyzer unit. Files stored on the FortiAnalyzer unit can also be viewed from the Quarantined Files list. To configure quarantine to a FortiAnalyzer unit, go to Log & Report > Log Config > Log Setting.

To configure and enable file quarantine
1 Go to UTM > AntiVirus > Config to configure the quarantine service and destination. For details, see Configuring quarantine options on page 449.
2 Go to Firewall > Protection Profile > Antivirus to enable quarantine for the required protocols in the protection profiles. For details, see Configuring a protection profile on page 404.
  You can configure a protection profile to quarantine blocked and infected files from HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also quarantine blocked and infected files from HTTPS, IMAPS, POP3S, and SMTPS traffic. To enable HTTPS quarantine you must set HTTPS Content Filtering Mode to Deep Scan in the Protocol Recognition part of the protection profile. For more information, see SSL content scanning and inspection on page 399.
3 Go to Firewall > Policy and add the protection profile to a firewall policy.


Viewing the File Quarantine list


The Quarantined Files list displays information about each file quarantined because of virus infection or file blocking. Sort the files by file name, date, service, status, duplicate count (DC), or time to live (TTL). Filter the list to view only quarantined files with a specific status or from a specific service. To view the Quarantined Files list, go to UTM > AntiVirus > Quarantined Files.
Figure 281: File Quarantine list

The file quarantine list displays the following information about each quarantined file:
Source: Either FortiAnalyzer or Local disk, depending on where you have configured quarantined files to be stored.
Sort by: Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate Count. Select Apply to complete the sort.
Filter: Filter the list. Choose either Status (infected, blocked, or heuristics) or Service (IMAP, POP3, SMTP, FTP, HTTP, IM, or NNTP). Select Apply to complete the filtering. Heuristics mode is configurable through the CLI only. See Antivirus CLI configuration on page 453. If your FortiGate unit supports SSL content scanning and inspection, Service can also be IMAPS, POP3S, SMTPS, or HTTPS.
Apply: Select to apply the sorting and filtering selections to the list of quarantined files.
Delete: Select to delete the selected files.
Page Controls: Use the controls to page through the list. For details, see Using page controls on web-based manager lists on page 57.
Remove All Entries: Removes all quarantined files from the local hard disk. This icon only appears when the files are quarantined to the hard disk.
File Name: The processed file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. The file is stored on the FortiGate hard disk with the following naming convention: <32bit_CRC>.<processed_filename> For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date: The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if the duplicate count increases.
Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, IM, NNTP, IMAPS, POP3S, SMTPS, or HTTPS).
Status: The reason the file was quarantined: infected, heuristics, or blocked.
Status Description: Specific information related to the status, for example, File is infected with W32/Klez.h or File was stopped by file block pattern.
DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL: Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status: Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
Download icon: Select to download the corresponding file in its original format. This option is available only if the FortiGate unit has a local hard disk.
Submit icon: Select to upload a suspicious file to Fortinet for analysis. This option is available only if the FortiGate unit has a local hard disk.

Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL value and the duplicate count are updated each time a duplicate of a file is found.

Viewing the AutoSubmit list


If the FortiGate unit has a local hard disk, you can configure the FortiGate unit to upload suspicious files automatically to Fortinet for analysis. You can add file patterns to the AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit regardless of file blocking settings. Upload files to Fortinet based on status (blocked or heuristics), or submit individual files directly from the file quarantine. The FortiGate unit uses encrypted email to autosubmit files to an SMTP server through port 25. To view the AutoSubmit list, go to UTM > AntiVirus > AutoSubmit. The autosubmit feature is not available on the FortiGate models without a local hard disk.
Figure 282: Sample AutoSubmit list

AutoSubmit list has the following icons and features:

Create New: Select to add a new file pattern to the AutoSubmit list.
File Pattern: The current list of file patterns that will be automatically uploaded. Create a pattern by using ? or * wildcard characters.
Enable: Enable the check box to enable all file patterns in the list.
Delete icon: Select to remove the entry from the list.
Edit icon: Select to edit the following information: File Pattern and Enable.


Configuring the AutoSubmit list


To add a file pattern to the AutoSubmit list, go to UTM > AntiVirus > AutoSubmit. Note that the autosubmit feature is available only if your FortiGate unit has a local hard disk.
Figure 283: New File Pattern dialog box

File Pattern: Enter the file pattern or file name to be uploaded automatically to Fortinet.
Enable: Select to enable the file pattern.

Note: To enable automatic uploading of the configured file patterns, go to AntiVirus > File Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern.

Configuring quarantine options


Go to UTM > AntiVirus > Config to set quarantine configuration options, such as whether to quarantine blocked or infected files and from which service. You can configure quarantine options for HTTP, FTP, IMAP, POP3, SMTP, IM, and NNTP Traffic. If your FortiGate unit supports SSL content scanning and inspection you can also quarantine blocked and infected files from HTTPS, IMAPS, POP3S, and SMTPS traffic. To enable HTTPS quarantine you must set HTTPS Content Filtering Mode to Deep Scan in the Protocol Recognition part of the protection profile. For more information, see SSL content scanning and inspection on page 399.
Figure 284: Quarantine Configuration (quarantine to FortiAnalyzer unit)


Figure 285: Quarantine Configuration (SSL content scanning and inspection and quarantine to disk)

Quarantine configuration has the following options:

Options
  Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
  Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious files identified by heuristic scanning.
  Quarantine Blocked Files: Select the protocols from which to quarantine blocked files identified by antivirus file filtering. The Quarantine Blocked Files option is not available for IM and HTTPS because a file name is blocked before downloading and cannot be quarantined.
Age limit: The time limit in hours for which to keep files in quarantine. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached, the TTL column displays EXP and the file is deleted (although the entry in the quarantined files list is maintained). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on the low disk space action.
Max filesize to quarantine: The maximum size of quarantined files in MB. Setting the maximum file size too large may affect performance.
Low disk space: Select the action to take when the local disk is full: overwrite the oldest file or drop the newest file.
FortiAnalyzer: Select to enable storage of blocked and quarantined files on a FortiAnalyzer unit. See Log&Report on page 647 for more information about configuring a FortiAnalyzer unit.
Enable AutoSubmit: Enables the automatic submission feature. Select one or both of the options below.
  Use file pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list.
  Use file status: Enables the automatic upload of quarantined files based on their status. Select either Heuristics or Block Pattern. Heuristics is configurable through the CLI only. See Antivirus CLI configuration on page 453.
Apply: Select to save the configuration.
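The quarantine list behaviour described under Viewing the File Quarantine list (processed file name with a 32-bit checksum prefix, duplicates counted rather than stored, TTL refreshed by each duplicate, Date kept at the first copy) together with the Age limit option above, as an added Python model. This is example code for this section, not FortiGate code: using CRC-32 for the 32-bit checksum is an assumption (the guide only says "32-bit checksum"), the lower-casing follows the guide's Over Size.exe example, the clock is injected so the TTL arithmetic is deterministic, and all file contents are constructed.

```python
import zlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def checksum(data: bytes) -> int:
    """32-bit checksum of the file content (CRC-32 is an assumption here)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def processed_name(original: str, crc: int) -> str:
    """<32bit_CRC>.<processed_filename>: spaces removed and lower-cased,
    as in the guide's 'Over Size.exe' -> '3fc155d2.oversize.exe' example."""
    return f"{crc:08x}.{original.replace(' ', '').lower()}"


@dataclass
class Entry:
    file_name: str      # processed name, as shown in the File Name column
    service: str        # HTTP, SMTP, ... as shown in the Service column
    status: str         # infected, heuristics, or blocked
    date: int           # when the first copy was quarantined (epoch seconds)
    last_seen: int      # refreshed by every duplicate; drives the TTL
    dc: int = 1         # duplicate count
    on_disk: bool = True


class Quarantine:
    def __init__(self, age_limit_hours: int, now: Callable[[], int]):
        self.age_limit = age_limit_hours * 3600   # 0 = keep indefinitely
        self.now = now
        self.entries: Dict[int, Entry] = {}       # keyed by checksum

    def add(self, original_name: str, data: bytes, service: str, status: str) -> Entry:
        crc = checksum(data)
        t = self.now()
        entry = self.entries.get(crc)
        if entry is None:
            entry = Entry(processed_name(original_name, crc), service, status, t, t)
            self.entries[crc] = entry
        else:
            # Duplicates (by checksum) are counted, not stored again; the TTL is
            # refreshed and the Date column keeps the time of the first copy.
            entry.dc += 1
            entry.last_seen = t
        return entry

    def ttl(self, entry: Entry) -> Optional[str]:
        """TTL column: hh:mm remaining, EXP once the age limit has elapsed,
        or None when the age limit is 0 (no expiry)."""
        if self.age_limit == 0:
            return None
        remaining = entry.last_seen + self.age_limit - self.now()
        if remaining <= 0:
            entry.on_disk = False   # file deleted; the list entry is maintained
            return "EXP"
        hours, minutes = divmod(remaining // 60, 60)
        return f"{hours:02d}:{minutes:02d}"


if __name__ == "__main__":
    clock = [1_000_000]                       # constructed, controllable clock
    q = Quarantine(age_limit_hours=2, now=lambda: clock[0])
    e = q.add("Over Size.exe", b"MZ constructed payload", "HTTP", "blocked")
    print(e.file_name, q.ttl(e))              # <crc>.oversize.exe 02:00
    clock[0] += 3600
    q.add("Over Size.exe", b"MZ constructed payload", "SMTP", "blocked")
    print("DC", e.dc, "TTL", q.ttl(e))        # DC 2 TTL 02:00 (refreshed)
    clock[0] += 2 * 3600
    print("TTL", q.ttl(e), "on disk:", e.on_disk)
```

A rapidly growing dc on one checksum is the outbreak indicator the DC column description refers to; because the key is the content checksum, renamed copies of the same file are still counted against a single entry.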

Figure 286: Notification lists


Figure 287: A new notification list

Figure 288: A new notification list entry

Viewing the virus database information


The FortiGate unit contains the wildlist antivirus database. It is used to detect viruses in network traffic. In addition to the wildlist antivirus database, which contains actively spreading viruses, some newer FortiGate models are also equipped with an extended antivirus database, which contains viruses that are not considered to be actively spreading. If required, you can enable this feature to allow the FortiGate unit to scan for non-active viruses. For details, see Anti-Virus options on page 407.

To view information about the virus databases, go to UTM > AntiVirus > Virus Database. This information is updated every time the FortiGate unit receives a new version of the FortiGuard antivirus definitions. The FortiGuard Center Virus Encyclopedia contains detailed descriptions of the viruses, worms, trojans, and other threats that can be detected and removed by your FortiGate unit using the information in the FortiGuard virus definitions.
Figure 289: Virus database information

Usually the FortiGuard AV definitions are updated automatically from the FortiGuard Distribution Network (FDN). Go to System > Maintenance > FortiGuard to configure automatic antivirus definition updates from the FDN.


You can also update the antivirus definitions manually from the system dashboard (go to System > Status).

Viewing and configuring the grayware list


Grayware programs are unsolicited commercial software programs that get installed on computers, often without the user's consent or knowledge. Grayware programs are generally considered an annoyance, but these programs can cause system performance problems or be used for malicious ends.

The FortiGate unit scans for known grayware executable programs in each enabled category. The category list and contents are added or updated whenever the FortiGate unit receives a virus and attack definitions update. New categories may be added at any time and will be loaded with the virus updates. By default, all new categories are disabled. Grayware is enabled in a protection profile when Virus Scan is enabled.

To view the grayware list, go to UTM > AntiVirus > Grayware.
Figure 290: Sample grayware options

Enabling a grayware category blocks all files listed in the category. The categories may change or expand when the FortiGate unit receives updates. You can choose to enable the following grayware categories:
Adware: Block adware programs. Adware is usually embedded in freeware programs and causes ads to pop up whenever the program is opened or used.
BHO: Block browser helper objects. BHOs are DLL files that are often installed as part of a software package so the software can control the behavior of Internet Explorer 4.x and later. Not all BHOs are malicious, but the potential exists to track surfing habits and gather other information.
Dial: Block dialer programs. Dialers allow others to use the PC modem to call premium numbers or make long distance calls.
Download: Block download programs. Download components are usually run at Windows startup and are designed to install or download other software, especially advertising and dial software.
Game: Block games. Games are usually joke or nuisance games that you may want to block from network users.
HackerTool: Block hacker tools.
Hijacker: Block browser hijacking programs. Browser hijacking occurs when a spyware-type program changes web browser settings, including favorites or bookmarks, start pages, and menu options.
Joke: Block joke programs. Joke programs can include custom cursors and programs that appear to affect the system.
Keylog: Block keylogger programs. Keylogger programs can record every keystroke made on a keyboard including passwords, chat, and instant messages.
Misc: Block any programs included in the miscellaneous grayware category.
NMT: Block network management tools. Network management tools can be installed and used maliciously to change settings and disrupt network security.
P2P: Block peer to peer communications programs. P2P, while a legitimate protocol, is synonymous with file sharing programs that are used to swap music, movies, and other files, often illegally.
Plugin: Block browser plugins. Browser plugins can often be harmless Internet browsing tools that are installed and operate directly from the browser window. Some toolbars and plugins can attempt to control or record and send browsing preferences.
RAT: Block remote administration tools. Remote administration tools allow outside users to remotely change and monitor a computer on a network.
Spy: Block spyware programs. Spyware, like adware, is often included with freeware. Spyware is a tracking and analysis program that can report your activities, such as web browsing habits, to the advertiser's web site where it may be recorded and analyzed.
Toolbar: Block custom toolbars. While some toolbars are harmless, spyware developers can use these toolbars to monitor web habits and send information back to the developer.

Antivirus CLI configuration


This section describes the CLI commands that extend features available through the web-based manager. For complete descriptions and examples of how to enable additional features through CLI commands, see the FortiGate CLI Reference.

system global optimize


The optimize feature configures CPU settings to ensure efficient operation of the FortiGate unit for either antivirus scanning or straight throughput traffic. When optimize is set to antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks to several CPUs, making scanning faster. This feature is available on models numbered 1000 and higher. For more information, see the Antivirus failopen and optimization Fortinet Knowledge Center article.

config antivirus heuristic


The FortiGate heuristic antivirus engine performs tests on files to detect virus-like behavior or known virus indicators. Heuristic scanning is performed last, after file blocking and virus scanning have found no matches. In this way, heuristic scanning may detect new viruses, but may also produce some false positive results. The heuristic engine is disabled by default. You need to enable it to pass suspected files to the recipient and send a copy to the file quarantine. Once enabled in the CLI, heuristic scanning is enabled in a protection profile when Virus Scan is enabled.


Use the heuristic command to change the heuristic scanning mode.

config antivirus quarantine


The quarantine command also allows configuration of heuristic related settings. This feature is available on models numbered 200 and higher.

config antivirus service <service_name>


Use this command to configure how the FortiGate unit handles antivirus scanning of large files, and what ports the FortiGate unit scans for the service.


Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly detection and prevention with low latency and excellent reliability. With Intrusion Protection, you can create multiple IPS sensors, each containing a complete configuration based on signatures. Then, you can apply any IPS sensor to each protection profile. You can also create DoS sensors to examine traffic for anomaly-based attacks.

This section describes how to configure the FortiGate Intrusion Protection settings. For more information about Intrusion Protection, see the FortiGate Intrusion Protection System (IPS) Guide.

If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is configured separately for each virtual domain. For details, see Using virtual domains on page 103.

This section describes:
About intrusion protection
Signatures
Custom signatures
Protocol decoders
IPS sensors
DoS sensors
Intrusion protection CLI configuration

About intrusion protection


The FortiGate unit can log suspicious traffic, send alert email messages to system administrators, and log, pass, or block suspicious packets or sessions. You can adjust the DoS sensor anomaly thresholds to work best with the normal traffic on the protected networks. You can also create custom signatures to tailor the FortiGate Intrusion Protection system to your network environment.

The FortiGate Intrusion Protection system matches network traffic against patterns contained in attack signatures. Attack signatures reliably protect your network from known attacks. Fortinet's FortiGuard infrastructure ensures the rapid identification of new threats and the development of new attack signatures.

FortiGuard services provide automatic updates of virus and intrusion protection (attack) engines and definitions to FortiGate customers through the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the FortiGuard virus and attack encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. For more information about configuring the connection between the FortiGate unit and FortiGuard, see Configuring the FortiGate unit for FDN and FortiGuard subscription services on page 266.


Using Intrusion Protection, you can configure the FortiGate unit to check for and automatically download updated attack definition files containing the latest signatures, or download the updated attack definition file manually. Alternately, you can configure the FortiGate unit to allow push updates of the latest attack definition files as soon as they are available from the FortiGuard Distribution Network. You can also create custom attack signatures for the FortiGate unit to use in addition to an extensive list of predefined attack signatures.

Whenever the Intrusion Protection system detects or prevents an attack, it generates an attack log message. You can configure the FortiGate unit to add the message to the attack log and send an alert email to administrators, as well as schedule how often it should send this alert email. You can also reduce the number of log messages and alerts by disabling signatures for attacks that will not affect your network. For example, you do not need to enable signatures to detect web attacks when there is no web server to protect. You can also use the packet logging feature to analyze packets for false positive detection.

For more information about FortiGate logging and alert email, see Log&Report on page 647.

Intrusion Protection settings and controls


You can configure the Intrusion Protection system and then select IPS sensors in individual firewall protection profiles. For information about creating IPS sensors, see Configuring IPS sensors on page 462. For information about accessing and modifying the protection profile IPS sensor selection, see IPS options on page 411. For information about creating DoS Sensors, see DoS sensors on page 469.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings are configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

When to use Intrusion Protection


Intrusion Protection is best for large networks or for networks protecting highly sensitive information. Using IPS effectively requires monitoring and analysis of the attack logs to determine the nature and threat level of an attack. An administrator can adjust the threshold levels to ensure a balance between performance and intrusion prevention. Small businesses and home offices without network administrators may be overrun with attack log messages and not have the networking background required to configure the thresholds and other IPS settings. However, the other protection features in the FortiGate unit, such as antivirus (including grayware), spam filters, and web filters offer excellent protection for all networks.

Signatures
The FortiGate Intrusion Protection system can use signatures once you have grouped the required signatures in an IPS sensor, and then selected the IPS sensor in the protection profile. If required, you can override the default settings of the signatures specified in an IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should check their settings before using them, to ensure they meet your network requirements.


By using only the signatures you require, you can improve system performance and reduce the number of log messages and alert email messages the IPS sensor generates. For example, if the FortiGate unit is not protecting a web server, do not include any web server signatures.
Note: Some default protection profiles include IPS Sensors that use all the available signatures. By using these default settings, you may be slowing down the overall performance of the FortiGate unit. By creating IPS sensors with only the signatures your network requires, you can ensure maximum performance as well as maximum protection.

Viewing the predefined signature list


The predefined signature list includes all of the predefined signatures currently in the FortiGuard Center Vulnerability Encyclopedia. Each signature name is a link to the vulnerability encyclopedia entry for the signature. For each signature the vulnerability encyclopedia describes the attack detected by the signature and provides recommended actions and links for more information.

The predefined signature list also includes characteristics such as severity of the attack, protocol, and applications affected for each signature. These characteristics give you a quick reference to what the signature is for. You can also use these characteristics to sort the signature list, grouping signatures by common characteristics. The signature list also displays the default action, the default logging status, and whether the signature is enabled by default.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings are configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

To view the predefined signature list, go to UTM > Intrusion Protection > Predefined. You can also use filters and column settings to display the signatures you want to view. For more information, see Using display filters on page 458.
Figure 291: Predefined signature list

By default, the signatures are sorted by name. To sort the table by another column, select the header of the column to sort by.

Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of signatures.
Column Settings: Select to customize the signature information displayed in the table. You can also readjust the column order. For more information, see Using column settings to control the columns displayed on page 58 and Web-based manager icons on page 60.


Clear All Filters: If you have applied filtering to the predefined signature list display, select this option to clear all filters and display all the signatures.
Filter icons: Edit the column filters to filter or sort the predefined signature list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 53.
Name: The name of the signature. Each name is also a link to the description of the signature in the FortiGuard Center Vulnerability Encyclopedia.
Severity: The severity rating of the signature. The severity levels, from lowest to highest, are Information, Low, Medium, High, and Critical.
Target: The target of the signature: servers, clients, or both.
Protocols: The protocol the signature applies to.
OS: The operating system the signature applies to.
Applications: The applications the signature applies to.
Enable: The default status of the signature. A green circle indicates the signature is enabled. A gray circle indicates the signature is not enabled.
Action: The default action for the signature. Pass allows the traffic to continue without any modification. Drop prevents the traffic with detected signatures from reaching its destination. If Logging is enabled, the action appears in the status field of the log message generated by the signature.
ID: A unique numeric identifier for the signature.
Logging: The default logging behavior of the signature. A green circle indicates logging is enabled. A gray circle indicates logging is disabled.
Group: A functional group that is assigned to that signature. This group is only for reference and cannot be used to define filters.
Packet Log: The default packet log status of the signature. A green circle indicates that the packet log is enabled. A gray circle indicates that the packet log is not enabled.
Revision: The revision level of the signature. If the signature is updated, the revision number is incremented.

Tip: To determine what effect IPS protection would have on your network traffic, you can enable the required signatures, set the action to pass, and enable logging. Traffic will not be interrupted, but you will be able to examine in detail which signatures were detected.

Using display filters


By default, all the predefined signatures are displayed. You can apply filters to display only the signatures you want to view. For example, if you want to view only the Windows signatures, you can use the OS status filter. For more information, see Adding filters to web-based manager lists on page 53.

To apply filters to the predefined signature list
1 Go to UTM > Intrusion Protection > Predefined.
2 Select the filter icon beside any column name in the signature table.
3 In Edit Filters, specify the filtering criteria. The criteria will vary depending on the column name.
4 Select the Enable check box.
5 Select OK.


Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate Intrusion Protection system for diverse network environments. The FortiGate predefined signatures represent common attacks. If you use an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors. You can also create custom signatures to help you block P2P protocols. After creation, you need to specify custom signatures in IPS sensors created to scan traffic. For more information about creating IPS sensors, see Adding an IPS sensor on page 462. For more information about custom signatures, see the FortiGate Intrusion Protection System (IPS) Guide.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings are configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

Viewing the custom signature list


To view the custom signature list, go to UTM > Intrusion Protection > Custom.
Figure 292: The custom signature list

Create New: Select to create a new custom signature.
Name: The custom signature name.
Signature: The signature syntax.
Delete and Edit icons: Delete or edit the custom signature.

Creating custom signatures


Use custom signatures to block or allow specific traffic. For example, to block traffic containing profanity, add custom signatures similar to the following:

set signature 'F-SBID (--protocol tcp; --flow bi_direction; --pattern "bad words"; --no_case)'

For more information on custom signature syntax, see the FortiGate Intrusion Protection System (IPS) Guide.
Note: Custom signatures are an advanced feature. This document assumes the user has previous experience creating intrusion detection signatures.


Note: Custom signatures must be added to a signature override in an IPS filter to have any effect. Creating a custom signature is a necessary step, but a custom signature does not affect traffic simply by being created.

To create a custom signature, go to UTM > Intrusion Protection > Custom.


Figure 293: Edit Custom Signature

Name: Enter a name for the custom signature.
Signature: Enter the custom signature, using the appropriate syntax. For more information, see Custom signature syntax in the FortiGate Intrusion Protection System (IPS) Guide.

Protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the HTTP protocol standards.

Viewing the protocol decoder list


To view the decoders and the port numbers that the protocol decoders monitor, go to UTM > Intrusion Protection > Protocol Decoder. The decoder list is provided for your reference and can be configured using the CLI. For more information, see the FortiGate CLI Reference.
Figure 294: The protocol decoder list


Protocols: The protocol decoder name.
Ports: The port number or numbers that the decoder monitors.

Upgrading the IPS protocol decoder list


The Intrusion Protection system protocol decoders are upgraded automatically through the FortiGuard Distribution Network (FDN) if existing decoders are modified or new decoders are added. The FDN keeps the protocol decoder list up to date with protection against new threats, such as the latest versions of existing IM/P2P applications, as well as against new applications.

IPS sensors
You can group signatures into IPS sensors for easy selection in protection profiles. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic. For example, you can specify all of the web-server related signatures in an IPS sensor, and the sensor can then be used by a protection profile in a policy that controls all of the traffic to and from a web server protected by the FortiGate unit. The FortiGuard Service periodically updates the pre-defined signatures, with signatures added to counter new threats. Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Viewing the IPS sensor list


To view the IPS sensors, go to UTM > Intrusion Protection > IPS Sensor.
Figure 295: IPS Sensor list showing the default sensors

Create New: Add a new IPS sensor. For more information, see Adding an IPS sensor on page 462.
Name: The name of each IPS sensor.
Comments: An optional description of the IPS sensor.
Delete and Edit icons: Delete or edit an IPS sensor.

Five default IPS sensors are provided with the default configuration.


all_default: Includes all signatures. The sensor is set to use the default enable status and action of each signature.
all_default_pass: Includes all signatures. The sensor is set to use the default enable status of each signature, but the action is set to pass.
protect_client: Includes only the signatures designed to detect attacks against clients; uses the default enable status and action of each signature.
protect_email_server: Includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols; uses the default enable status and action of each signature.
protect_http_server: Includes only the signatures designed to detect attacks against servers and the HTTP protocol; uses the default enable status and action of each signature.

Adding an IPS sensor


An IPS sensor must be created before it can be configured by adding filters and overrides. To create an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select Create New.
Figure 296: New IPS sensor

Name: Enter the name of the new IPS sensor.
Comment: Enter an optional comment to display in the IPS sensor list.

Configuring IPS sensors


Each IPS sensor consists of two parts: filters and overrides. Overrides are always checked before filters.

Each filter consists of a number of signature attributes. All of the signatures with those attributes, and only those, are checked against traffic when the filter is run. If multiple filters are defined in an IPS sensor, they are checked against the traffic one at a time, from top to bottom. If a match is found, the FortiGate unit takes the appropriate action and stops further checking.

A signature override can modify the behavior of a signature specified in a filter. A signature override can also add a signature not specified in the sensor's filters. Custom signatures are included in an IPS sensor using overrides.

The signatures in the overrides are compared to network traffic first. If the IPS sensor does not find any matches, it then compares the signatures in each filter to network traffic, one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor allows the network traffic.

To view an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select the Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor attributes, Filters, and Overrides.


Figure 297: Edit IPS sensor

IPS sensor attributes:
Name: The name of the IPS sensor. You can change it at any time.
Comments: An optional comment describing the IPS sensor. You can change it at any time.
OK: Select to save changes to Name or Comments.

IPS sensor filters:
Add Filter: Add a new filter to the end of the filter list. For more information, see Configuring filters on page 464.
#: Current position of each filter in the list.
Name: The name of the filter.
Signature attributes: Signature attributes specify the type of network traffic the signature applies to.
Severity: The severity of the included signatures.
Target: The type of system targeted by the attack. The targets are client and server.
Protocol: The protocols to which the signatures apply. Examples include HTTP, POP3, H323, and DNS.
OS: The operating systems to which the signatures apply.
Application: The applications to which the signatures apply.
Enable: The status of the signatures included in the filter. The signatures can be set to enabled, disabled, or default. The default setting uses the default status of each individual signature as displayed in the signature list.
Logging: The logging status of the signatures included in the filter. Logging can be set to enabled, disabled, or default. The default setting uses the default status of each individual signature as displayed in the signature list.
Action: The action of the signatures included in the filter. The action can be set to pass all, block all, reset all, or default. The default setting uses the action of each individual signature as displayed in the signature list.
Count: The number of signatures included in the filter. Overrides are not included in this total.
Delete icon: Delete the filter.
Edit icon: Edit the filter.
Insert icon: Create a new filter and insert it above the current filter.
Move to icon: Move the filter to another position in the list. After selecting this icon, enter the destination position in the window that appears, and select OK.


View Rules icon: Open a window listing all of the signatures included in the filter.

IPS sensor overrides:
Add Pre-defined Override: Select to create an override based on a pre-defined signature.
Add Custom Override: Select to create an override based on a custom signature.
#: Current position of each override in the list.
Name: The name of the signature.
Enable: The status of the override. A green circle indicates the override is enabled. A gray circle indicates the override is not enabled.
Logging: The logging status of the override. A green circle indicates logging is enabled. A gray circle indicates logging is not enabled.
Action: The action set for the override. The action can be set to pass, block, or reset.
Delete and Edit icons: Delete or edit the override.

Configuring filters
To configure a filter, go to UTM > Intrusion Protection > IPS Sensor. Select the Edit icon of the IPS sensor containing the filter you want to edit. When the sensor window opens, select the Edit icon of the filter you want to change, or select Add Filter to create a new filter. Enter the information as described below and select OK.
Figure 298: Edit IPS Filter

Name: Enter or change the name of the IPS filter.
Severity: Select All, or select Specify and then one or more severity ratings. Severity defines the relative importance of each signature. Signatures rated critical detect the most dangerous attacks, while those rated as info pose a much smaller threat.


Target: Select All, or select Specify and then the type of systems targeted by the attack. The choices are server or client.
OS: Select All, or select Specify and then select one or more operating systems that are vulnerable to the attack. Signatures with an OS attribute of All affect all operating systems. These signatures will be automatically included in any filter regardless of whether a single, multiple, or all operating systems are specified.
Protocol: Select All, or select Specify to list what network protocols are used by the attack. Use the Right Arrow to move the ones you want to include in the filter from the Available to the Selected list, or the Left Arrow to remove previously selected protocols from the filter.
Application: Select All, or select Specify to list the applications or application suites vulnerable to the attack. Use the Right Arrow to move the ones you want to include in the filter from the Available to the Selected list, or the Left Arrow to remove previously selected applications from the filter.
Quarantine Attackers (to Banned Users List): Select to enable NAC quarantine for this filter. For more information about NAC quarantine, see NAC quarantine and the Banned User list on page 595. The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting.
Method: Select Attacker's IP Address to block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected. Select Attacker and Victim IP Addresses to block all traffic sent from the attacker's IP address to the target (victim's) IP address. Traffic from the attacker's IP address to addresses other than the victim's IP address is allowed. The attacker's and target's IP addresses are added to the banned user list as one entry. Select Attack's Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list.
Expires: You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Signature Settings: Configure whether the filter overrides the following signature settings or accepts the settings in the signatures.
Enable: Select from the options to specify what the FortiGate unit will do with the signatures included in the filter: enable all, disable all, or enable or disable each according to the individual default values shown in the signature list.
Logging: Select from the options to specify whether the FortiGate unit will create log entries for the signatures included in the filter: enable all, disable all, or enable or disable logging for each according to the individual default values shown in the signature list.
Action: Select from the options to specify what the FortiGate unit will do with traffic containing a signature match: pass all, block all, reset all, or block or pass traffic according to the individual default values shown in the signature list.

The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to All, which causes every signature to be included in the filter. If the severity is changed to High and the target is changed to server, the filter includes only signatures checking for high-severity attacks targeted at servers.

Configuring pre-defined and custom overrides


Pre-defined and custom overrides are configured and work mainly in the same way as filters. Unlike filters, each override defines the behavior of one signature. Overrides can be used in two ways: To change the behavior of a signature already included in a filter. For example, to protect a web server, you could create a filter that includes and enables all signatures related to servers. If you wanted to disable one of those signatures, the simplest way would be to create an override and mark the signature as disabled.


To add an individual signature, not included in any filters, to an IPS sensor. This is the only way to add custom signatures to IPS sensors.

When a pre-defined signature is specified in an override, the default status and action attributes have no effect. These settings must be explicitly set when creating the override.
Note: Before an override can affect network traffic, you must add it to a filter, and you must select the filter in a protection profile applied to a policy. An override does not have the ability to affect network traffic until these steps are taken.

To edit a pre-defined or custom override, go to UTM > Intrusion Protection > IPS Sensor and select the Edit icon of the IPS sensor containing the override you want to edit. When the sensor window opens, select the Edit icon of the override you want to change.
Figure 299: Configure IPS override

Signature: Select the browse icon to view the list of available signatures. From this list, select a signature the override will apply to and then select OK.
Enable: Select to enable the signature override.
Action: Select Pass, Block or Reset. When the override is enabled, the action determines what the FortiGate will do with traffic containing the specified signature.
Logging: Select to enable creation of a log entry if the signature is discovered in network traffic.
Packet Log: Select to save packets that trigger the override to the FortiGate hard drive for later examination.
Quarantine Attackers (to Banned Users List): Select to enable NAC quarantine for this override. For more information about NAC quarantine, see NAC quarantine and the Banned User list on page 595. The FortiGate unit deals with the attack according to the IPS sensor or DoS sensor configuration regardless of this setting.


Method: Select Attacker's IP Address to block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected. Select Attacker and Victim IP Addresses to block all traffic sent from the attacker's IP address to the target (victim's) IP address. Traffic from the attacker's IP address to addresses other than the victim's IP address is allowed. The attacker's and target's IP addresses are added to the banned user list as one entry. Select Attack's Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list.
Expires: You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Exempt IP: Enter IP addresses to exclude from the override. The override will then apply to all IP addresses except those defined as exempt. The exempt IP addresses are defined in pairs, with a source and destination, and traffic moving from the source to the destination is exempt from the override.
Source: The exempt source IP address. Enter 0.0.0.0/0 to include all source IP addresses.
Destination: The exempt destination IP address. Enter 0.0.0.0/0 to include all destination IP addresses.

Packet logging
Packet logging is a way to debug custom signatures, or to see how any signature is functioning in your network environment. If a signature is selected in a custom override, and packet logging is enabled, the FortiGate unit saves any network packet triggering the signature to memory, the internal hard drive (if so equipped), a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service. These saved packets can later be viewed and saved in PCAP format for closer examination.

Configuring packet logging


Packet logging saves the network packets containing an IPS signature to the attack log. The FortiGate unit saves the logged packets to wherever the logs are configured to be stored, whether memory, the internal hard drive, a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service.

You can enable packet logging only in signature overrides. It is not an available option in IPS sensors or filters, because enabling packet logging on a large number of signatures could produce an unusably large amount of data. Packet logging is designed as a focused diagnostic tool.

There are a number of CLI commands available to further configure packet logging. When logging to memory, the packet-log-memory command defines the maximum amount of memory that is used to store logged packets. This command only takes effect when logging to memory.

Since the packet containing the signature alone is sometimes not sufficient to troubleshoot a problem, the packet-log-history command allows you to specify how many packets are captured when an IPS signature is found in a packet. If the value is set larger than 1, the packet containing the signature is saved in the packet log, as well as those preceding it, with the total number of logged packets equalling the value. For example, if packet-log-history is set to 7, the FortiGate unit saves the packet containing the IPS signature and the six before it.


Note: Setting packet-log-history to a value larger than 1 can affect the maximum performance of the FortiGate unit because network traffic must be buffered. The performance penalty depends on the model, the setting, and the traffic load.
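The evaluation order described under Configuring IPS sensors (overrides first, then filters top to bottom, first match wins, a filter including only signatures that match every attribute, custom signatures entering only through overrides) together with the packet-log-history behaviour above, as an added Python model that is not FortiOS code. The class names, the byte-pattern stand-in for signature matching, and the sample signatures are assumptions constructed for the illustration.

```python
"""Model of IPS sensor evaluation and packet-log-history (added illustration, not FortiOS code)."""
from collections import deque
from dataclasses import dataclass, field

ALL = "All"  # attribute value meaning "include every value"

@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: str     # Information, Low, Medium, High or Critical
    target: str       # "server", "client" or "both"
    protocol: str
    os: str           # "All" affects every OS and is included in any OS filter
    application: str
    enabled: bool     # default enable status shown in the signature list
    action: str       # default action shown in the list: "pass" or "drop"
    pattern: bytes    # constructed stand-in for the real detection logic
    custom: bool = False

@dataclass
class Filter:
    name: str
    severity: set = field(default_factory=lambda: {ALL})
    target: set = field(default_factory=lambda: {ALL})
    protocol: set = field(default_factory=lambda: {ALL})
    os: set = field(default_factory=lambda: {ALL})
    application: set = field(default_factory=lambda: {ALL})
    enable: str = "default"   # "enable", "disable" or "default"
    action: str = "default"   # "pass", "block", "reset" or "default"

    def includes(self, sig):
        """A signature is included only when it matches every attribute."""
        if sig.custom:   # custom signatures enter a sensor only through overrides
            return False
        chosen = lambda wanted, value: ALL in wanted or value in wanted
        return (chosen(self.severity, sig.severity)
                and (sig.target == "both" or chosen(self.target, sig.target))
                and chosen(self.protocol, sig.protocol)
                and (sig.os == ALL or chosen(self.os, sig.os))
                and chosen(self.application, sig.application))

@dataclass
class Override:
    sig_id: int
    enable: bool
    action: str               # "pass", "block" or "reset"; no "default" for overrides
    packet_log: bool = False  # packet logging is available only in overrides

class IPSSensor:
    def __init__(self, sigs, filters, overrides, packet_log_history=1):
        self.sigs = {s.sig_id: s for s in sigs}
        self.filters, self.overrides = filters, overrides
        # packet-log-history N keeps the trigger packet plus the N-1 packets before it
        self.history = deque(maxlen=max(1, packet_log_history))

    def inspect(self, packet):
        """Return (action, signature name, matched by, captured packets)."""
        self.history.append(packet)
        # 1. Overrides are always checked first; the first match stops evaluation.
        for ov in self.overrides:
            sig = self.sigs[ov.sig_id]
            if ov.enable and sig.pattern in packet:
                captured = list(self.history) if ov.packet_log else []
                return ov.action, sig.name, "override", captured
        # A signature disabled by an override is skipped even if a filter includes it.
        disabled = {ov.sig_id for ov in self.overrides if not ov.enable}
        # 2. Filters top to bottom; the first matching signature decides.
        for flt in self.filters:
            for sig in self.sigs.values():
                if sig.sig_id in disabled or not flt.includes(sig):
                    continue
                on = sig.enabled if flt.enable == "default" else flt.enable == "enable"
                if on and sig.pattern in packet:
                    action = sig.action if flt.action == "default" else flt.action
                    return action, sig.name, "filter", []
        return "pass", "", "none", []   # 3. No signature matched: traffic is allowed

def build_sensor():
    """Constructed sample: two filters, a custom override and a disabling override."""
    sigs = [
        Signature(1001, "Web.Server.Sample", "High", "server", "HTTP", ALL, "Apache",
                  True, "drop", b"sample-high-server"),
        Signature(1002, "Web.Client.Sample", "Medium", "client", "HTTP", "Windows", "IE",
                  False, "pass", b"sample-medium-client"),
        Signature(1003, "Windows.Sample", "Low", "both", "SMB", "Windows", ALL,
                  True, "pass", b"sample-low-windows"),
        # The guide's custom signature example; reaches the sensor only via an override
        Signature(2001, "Profanity.Block", "Low", "both", "TCP", ALL, ALL,
                  True, "pass", b"bad words", custom=True),
    ]
    filters = [
        Filter("web_servers", severity={"High", "Critical"}, target={"server"}),
        Filter("windows_all", os={"Windows"}, enable="enable", action="reset"),
    ]
    overrides = [
        Override(2001, enable=True, action="block", packet_log=True),
        Override(1003, enable=False, action="pass"),  # disables 1003 despite windows_all
    ]
    return IPSSensor(sigs, filters, overrides, packet_log_history=3)
```

Feeding packets to `build_sensor().inspect()` in sequence shows the override match returning the trigger packet plus the two before it (history 3), the disabled signature never matching, and the second filter's enable and reset settings applying to a signature that is disabled by default.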

To enable packet logging for a signature
1 Create either a pre-defined override or a custom override in an IPS sensor. For more information, see Configuring pre-defined and custom overrides on page 465.
2 Enable Packet Log in the override.
3 Select the IPS sensor in the protection profile applied to the firewall policy that allows the network traffic the FortiGate unit will examine for the signature.

Viewing and saving logged packets


Once the FortiGate unit logs packets, you can view or save them.

To view and save logged packets
1 Go to Log & Report > Log Access.
2 Depending on where the logs are configured to be stored, select the appropriate tab:
Memory: Select Memory if logs are stored in the FortiGate unit memory.
Disk: Select Disk if the FortiGate unit has an internal hard disk and logs are stored there.
Remote: Select Remote if logs are sent to a FortiAnalyzer unit or to the FortiGuard Analysis and Management Service.
3 Select the Attack Log log type.
4 Select the Packet Log icon of the log entry you want to view. The IPS Packet Log Viewer window appears.
Figure 300: Log entry with packet log icon


Figure 301: IPS Packet Log Viewer

5 Select the packet to view the packet in binary and ASCII. Each table row represents a captured packet.
6 Select Save to save the packet data in a PCAP formatted file. PCAP files can be opened and examined in network analysis software such as Wireshark.

DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. For example, one type of flooding is the denial of service (DoS) attack that occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system so legitimate users can no longer use it. This type of attack gives the DoS sensor its name, although it is capable of detecting and protecting against a number of anomaly attacks.

You can enable or disable logging for each traffic anomaly, and configure the detection threshold and action to take when the detection threshold is exceeded.

You can create multiple DoS sensors. Each sensor consists of 12 anomaly types that you can configure. Each sensor examines the network traffic in sequence, from top to bottom. When a sensor detects an anomaly, it applies the configured action. Multiple sensors allow great granularity in detecting anomalies because each sensor can be configured to examine traffic from a specific address, to a specific address, on a specific port, in any combination.

When arranging the DoS sensors, place the most specific sensors at the top and the most general at the bottom. For example, a sensor with one protected address table entry that includes all source addresses, all destination addresses, and all ports will match all traffic. If this sensor is at the top of the list, no subsequent sensors will ever execute.

The traffic anomaly detection list can be updated only when the FortiGate firmware image is upgraded.


Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings must be configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

Viewing the DoS sensor list


To view the anomaly list, go to UTM > Intrusion Protection > DoS Sensor.
Figure 302: The DoS sensor list

Create New: Add a new DoS sensor to the bottom of the list.
ID: A unique identifier for each DoS sensor. The ID does not indicate the sequence in which the sensors examine network traffic.
Status: Select to enable the DoS sensor.
Name: The DoS sensor name.
Comments: An optional description of the DoS sensor.
Delete icon: Delete the DoS sensor.
Edit icon: Edit the following information: Action, Severity, and Threshold.
Insert DoS Sensor before icon: Create a new DoS sensor before the current sensor.
Move To icon: Move the current DoS sensor to another position in the list. After selecting this icon, enter the destination position in the window that appears, and select OK.

Configuring DoS sensors


Because an improperly configured DoS sensor can interfere with network traffic, no DoS sensors are present on a factory default FortiGate unit. You must create your own and then enable them before they will take effect. Thresholds for newly created sensors are preset with recommended values that you can adjust to meet the needs of your network.
Note: It is important to know normal and expected network traffic before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could allow otherwise avoidable attacks.

To configure DoS sensors, go to UTM > Intrusion Protection > DoS Sensor. Select the Edit icon of an existing DoS sensor, or select Create New to create a new DoS sensor.
Note: You can configure NAC quarantine for DoS sensors from the FortiGate CLI. For more information, see Configuring NAC quarantine on page 596.


Figure 303: Edit DoS Sensor

DoS sensor attributes:
Name: Enter or change the DoS sensor name.
Comments: Enter or change an optional description of the DoS sensor. This description will appear in the DoS sensor list.

Anomalies Configuration:
Name: The name of the anomaly.
Enable: Select the check box to enable the DoS sensor to detect when the specified anomaly occurs. Selecting the check box in the header row will enable sensing of all anomalies.
Logging: Select the check box to enable the DoS sensor to log when the anomaly occurs. Selecting the check box in the header row will enable logging for all anomalies. Anomalies that are not enabled are not logged.
Action: Select Pass to allow anomalous traffic to pass when the FortiGate unit detects it, or set Block to prevent the traffic from passing.
Threshold: Displays the number of sessions/packets that must show the anomalous behavior before the FortiGate unit triggers the anomaly action (pass or block). If required, change the number. For more information about how these settings affect specific anomalies, see Table 46 on page 472.

Protected Addresses: Each entry in the protected address table includes a source and destination IP address as well as a destination port. The DoS sensor will be applied to traffic matching the three attributes in any table entry. A new DoS sensor has no protected address table entries. If no addresses are entered, the DoS sensor cannot match any traffic and will not function.
Destination: The IP address of the traffic destination. 0.0.0.0/0 matches all addresses. If the FortiGate unit is running in transparent mode, 0.0.0.0/0 also includes the management IP address.
Destination Port: The destination port of the traffic. 0 matches any port.

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

471

Intrusion protection CLI configuration

Intrusion Protection

Source Add

The IP address of the traffic source. 0.0.0.0/0 matches all addresses. After entering the required destination address, destination port, and source address, select Add to add protected address to the Protected Addresses list. The DoS sensor will be invoked only on traffic matching all three of the entered values. If no addresses appear in the list, the sensor will not be applied to any traffic.

Understanding the anomalies


For each of the TCP, UDP, and ICMP protocols, DoS sensors offer four statistical anomaly types. The result is twelve configurable anomalies.
Table 46: The twelve individually configurable anomalies

tcp_syn_flood: If the SYN packet rate, including retransmission, to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
tcp_port_scan: If the SYN packet rate, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
tcp_src_session: If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed.
tcp_dst_session: If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
udp_flood: If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_scan: If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_src_session: If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed.
udp_dst_session: If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed.
icmp_flood: If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_sweep: If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_src_session: If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed.
icmp_dst_session: If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed.
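The following is an added example, not FortiGate code: a small model of how a DoS sensor applies the Table 46 anomaly thresholds (packets per second for flood/scan/sweep anomalies, concurrent sessions for the session anomalies) only to traffic that matches a protected address entry, and executes the configured action. The one-second rate window, the packet fields and the addresses are assumptions made for the illustration.

```python
"""Added example, not FortiGate code: a model of how a DoS sensor applies the
twelve anomaly thresholds of Table 46 to a stream of constructed packets."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Rate anomalies: threshold in packets per second, counted per source or per
# destination address. Session anomalies: threshold in concurrent sessions.
RATE_ANOMALIES = {
    "tcp_syn_flood": ("tcp", "dst"), "tcp_port_scan": ("tcp", "src"),
    "udp_flood": ("udp", "dst"), "udp_scan": ("udp", "src"),
    "icmp_flood": ("icmp", "dst"), "icmp_sweep": ("icmp", "src"),
}
SESSION_ANOMALIES = {
    "tcp_src_session": ("tcp", "src"), "tcp_dst_session": ("tcp", "dst"),
    "udp_src_session": ("udp", "src"), "udp_dst_session": ("udp", "dst"),
    "icmp_src_session": ("icmp", "src"), "icmp_dst_session": ("icmp", "dst"),
}

@dataclass
class Packet:
    ts: float           # arrival time in seconds
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for ICMP
    syn: bool = False   # TCP SYN flag, retransmissions included

@dataclass
class AnomalyRule:
    enable: bool
    log: bool
    action: str         # "pass" or "block"
    threshold: int

@dataclass
class ProtectedAddress:
    src: str            # CIDR; 0.0.0.0/0 matches all addresses
    dst: str
    dport: int          # 0 matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (0, pkt.dport))

class DoSSensor:
    def __init__(self, anomalies, protected):
        self.anomalies = anomalies    # anomaly name -> AnomalyRule
        self.protected = protected    # list of ProtectedAddress entries
        self.windows = defaultdict(lambda: defaultdict(list))   # name -> key -> timestamps
        self.sessions = defaultdict(lambda: defaultdict(set))   # name -> key -> sessions
        self.log = []

    def inspect(self, pkt):
        """Return "pass" or "block" for one packet. A packet that matches no
        protected address entry is not examined at all."""
        if not any(p.matches(pkt) for p in self.protected):
            return "pass"
        verdict = "pass"
        for name, rule in self.anomalies.items():
            if not rule.enable:
                continue
            proto, side = RATE_ANOMALIES.get(name) or SESSION_ANOMALIES[name]
            if pkt.proto != proto:
                continue
            key = pkt.src if side == "src" else pkt.dst
            if name in RATE_ANOMALIES:
                if proto == "tcp" and not pkt.syn:
                    continue    # tcp_syn_flood and tcp_port_scan count SYNs only
                window = self.windows[name][key]
                window.append(pkt.ts)
                window[:] = [t for t in window if pkt.ts - t < 1.0]   # trailing 1 s
                count = len(window)
            else:
                sess = self.sessions[name][key]
                sess.add((pkt.src, pkt.dst, pkt.dport))   # distinct concurrent sessions
                count = len(sess)
            if count > rule.threshold:
                if rule.log:
                    self.log.append((name, key, count, rule.action))
                if rule.action == "block":
                    verdict = "block"
        return verdict

def demo():
    """Constructed traffic: 60 SYNs within half a second to one web server,
    against a tcp_syn_flood threshold of 50 packets per second. The same
    flood aimed at a host outside the protected address table is ignored."""
    rules = {"tcp_syn_flood": AnomalyRule(True, True, "block", 50)}
    protected = [ProtectedAddress("0.0.0.0/0", "192.0.2.10/32", 80)]
    results = {}
    for label, victim in (("protected", "192.0.2.10"), ("unprotected", "192.0.2.99")):
        sensor = DoSSensor(rules, protected)
        verdicts = [sensor.inspect(Packet(i * 0.008, "tcp", "198.51.100.%d" % (i % 20 + 1),
                                          victim, 80, syn=True)) for i in range(60)]
        results[label] = (verdicts.count("block"), len(sensor.log))
    return results
```

Only the packets beyond the fiftieth in the window are blocked and logged; the same flood against an address not in the protected address table produces no verdict and no log entry, which is the behaviour the Protected Addresses note above warns about.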

Intrusion protection CLI configuration


This section describes the CLI commands that extend features available through the web-based manager. For complete descriptions and examples of how to enable additional features through CLI commands, see the FortiGate CLI Reference.

ips global fail-open


If for any reason the IPS should cease to function, it will fail open by default. This means crucial network traffic will not be blocked, and the FortiGate unit will continue to operate while the problem is being resolved.
ips global socket-size


Set the size of the IPS buffer.


Web Filter
This chapter describes how to configure FortiGate web filtering for HTTP traffic. If your FortiGate unit supports SSL content scanning and inspection, you can also configure web filtering for HTTPS traffic. For information about SSL content scanning and inspection, see SSL content scanning and inspection on page 399. If your FortiGate unit does not support HTTPS content scanning and inspection, you can configure URL filtering for HTTPS traffic.

The three main sections of the web filtering function, the Web Filter Content Block, the URL Filter, and the FortiGuard Web Filter, interact with each other to provide maximum control and protection for Internet users.

If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is configured separately for each virtual domain. For details, see Using virtual domains on page 103.

This section describes:
Order of web filtering
How web filtering works
Web filter controls
Web content block
URL filter
FortiGuard - Web Filter

Order of web filtering


Web filters are applied in a specific order:
1 URL Exempt (Web Content Exempt List)
2 URL Block (Web URL Block)
3 URL Block (Web Pattern Block)
4 FortiGuard Web Filtering (Also called Category Block)
5 Content Block (Web Content Block)
6 Script Filter (Web Script Filter)
7 Antivirus scanning

The URL filter list is processed in order from top to bottom. An exempt match stops all further checking including AV scanning. An allow match exits the URL filter list and checks the other web filters. Local ratings are checked prior to other FortiGuard Web Filtering categories. The FortiGate unit applies the rules in this order, and failure to comply with a rule will automatically block a site regardless of what the settings for later filters might be.

How web filtering works


The following information shows how the filters interact with each other and how to use them to your advantage.

The first section, the URL exempt and block filters, lets you decide what action to take for specific addresses. For example, if you want to exempt www.google.com from being scanned, you can add it to the URL exempt list. Then no web filtering or virus scanning will be applied to this web site.

If you have blocked a pattern but want certain users to have access to URLs within that pattern, you can use the Override within the FortiGuard Web Filter. This allows you to specify which users have access to which blocked URLs and how long they have that access. For example, you want user1 to be able to access www.example.com for 1 hour. You can use this section to set up the exemption. Any user listed in an override must fill out an online authentication form before the FortiGate unit will grant access to the blocked URL.

FortiGuard Web Filter also lets you create local categories to block groups of URLs. Once you have created the category, you can use the local rating to add specific sites to the local category you have created. You then use Firewall > Protection Profile to tell the FortiGate unit what action to take with the local category. The local ratings override the FortiGuard ratings.

Finally, the FortiGate unit applies script filtering for ActiveX, Cookie, and Java applet, which can be configured in Firewall > Protection Profile > Web Filtering.

Once you have finished configuring all of these settings, you still have to turn them all on in Firewall > Protection Profile > Web Filtering and Firewall > Protection Profile > FortiGuard Web Filtering. By enabling them here, you are telling the FortiGate unit to start using the filters as you have configured them.

This section describes how to configure web filtering options. Web filtering functions must be enabled in the active protection profile for the corresponding settings in this section to have any effect.

Web filter controls


As a general rule you go to Web Filter to configure the web filtering settings and to enable the filters for use in a protection profile. To actually activate the enabled filters you go to Firewall > Protection Profile.
Note: Enabled means that the filter will be used when you turn on web filtering. It does not mean that the filter is turned on. To turn on all enabled filters you must go to Firewall > Protection Profile.

FortiGuard - Web Filter is described in detail in FortiGuard Web Filtering options on page 413. Rating corrections, as well as suggested ratings for new pages, can be submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for details and a link to the FortiGuard Center. The following tables compare web filtering options in protection profiles and the web filter menu.


Table 47: Web filter and Protection Profile protocol recognition configuration

Protection Profile web filtering options:
HTTPS Content Filtering Mode: On FortiGate units that support SSL content scanning and inspection you can select URL filtering to only apply URL filtering and FortiGuard URL filtering to encrypted HTTPS traffic. Or you can select Deep Scan to decrypt HTTPS traffic and apply all web filtering and FortiGuard web filtering options to HTTPS traffic.
Web Filter setting: n/a

Table 48: Web filter and Protection Profile web content block configuration

Protection Profile web filtering options:
Web Content Block: Enable or disable web page blocking based on the banned words and patterns in the content block list for HTTP or HTTPS traffic.
Web Filter setting: UTM > Web Filter > Content Block. Add words and patterns to block web pages containing those words or patterns.

Table 49: Web filter and Protection Profile web URL filtering configuration

Protection Profile web filtering options:
Web URL Filter: Enable or disable web page filtering for HTTP traffic based on the URL filter list.
Web Filter setting: UTM > Web Filter > URL Filter. Add URLs and URL patterns to exempt or block web pages from specific sources.

Table 50: Web filter and Protection Profile web script filtering and download configuration

Protection Profile web filtering options:
Active X Filter, Cookie Filter, Java Applet Filter: Enable or disable blocking scripts from web pages for HTTP traffic.
Web Filter setting: n/a
Web resume Download Block: Enable to block downloading the remainder of a file that has already been partially downloaded. Enabling this option prevents the unintentional download of virus files, but can cause download interruptions.
Web Filter setting: n/a


Table 51: Web filter and Protection Profile FortiGuard web filtering configuration

Protection Profile web filtering options:
Enable FortiGuard Web Filtering (HTTP only).
Enable FortiGuard Web Filtering Overrides (HTTP only). Web Filter setting: UTM > Web Filter > Overrides
Provide details for blocked HTTP 4xx and 5xx errors (HTTP only).
Rate images by URL (Blocked images will be replaced with blanks) (HTTP only).
Allow web sites when a rating error occurs (HTTP only).
Strict Blocking (HTTP only).
Category / Action: The FortiGuard Web Filtering service provides many categories by which to filter web traffic. Set the action to take on web pages for each category. Choose from allow, block, log, or allow override. Local Categories can be configured to best suit local requirements. Web Filter setting: UTM > Web Filter > Local Categories | Local Ratings
Classification / Action: When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files. Choose from allow, block, log, or allow override.

To access protection profile web filter options
1 Go to Firewall > Protection Profile.
2 Select Edit or Create New.
3 Select Web Filtering or Web Category Filtering.
Note: If virtual domains are enabled on the FortiGate unit, web filtering features are configured globally. To access these features, select Global Configuration on the main menu.

Web content block


Control web content by blocking access to web pages containing specific words or patterns. You can add words, phrases, wild cards and Perl regular expressions to match content on web pages. For information about wild cards and Perl regular expressions, see Using wildcards and Perl regular expressions on page 506.
Note: Perl regular expression patterns are case sensitive for Web Filter content block. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i blocks all instances of bad language regardless of case. Wildcard patterns are not case sensitive.


Viewing the web content block list catalog


You can add multiple web content block lists and then select the best web content block list for each protection profile. To view the web content block list catalog, go to UTM > Web Filter > Web Content Block. To view any individual web content block list, select the edit icon for the list you want to see.
Figure 304: Sample web content block list catalog

Create New: Select to add a new web content block list to the catalog.
Name: The available web content block lists.
# Entries: The number of content patterns in each web content block list.
Profiles: The protection profiles each web content block list has been applied to.
Comment: Optional description of each web content block list. The comment text must be less than 63 characters long. Otherwise, it will be truncated. Spaces will also be replaced by the plus sign ( + ).
Delete icon: Select to remove the web content block list from the catalog. The delete icon is only available if the web content block list is not selected in any protection profiles.
Edit icon: Select to edit the web content block list, list name, or list comment.

Select web content block lists in protection profiles. For more information, see Web Filtering options on page 411.

Creating a new web content block list


To add a web content block list to the web content block list catalog go to UTM > Web Filter > Web Content Block. Select Create New.
Figure 305: New Web Content Block list dialog box

Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.

Viewing the web content block list


With web content block enabled, every requested web page is checked against the content block list. The score value of each pattern appearing on the page is added, and if the total is greater than the threshold value set in the protection profile, the page is blocked. The score for a pattern is applied only once even if it appears on the page multiple times.


To view the web content block list go to UTM > Web Filter > Web Content Block and select the Edit icon of the web content block list you want to view.
Figure 306: Sample web content block list

Note: Enable UTM > Web Filtering > Web Content Block in a firewall Protection Profile to activate the content block settings.

The web content block list has the following icons and features:
Name: Web content block list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create new: Select to add a pattern to the web content block list.
Total: The number of patterns in the web content block list.
Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
Remove All Entries icon: Select to clear the table.
Banned word: The current list of patterns. Select the check box to enable all the patterns in the list.
Pattern type: The pattern type used in the pattern list entry. Choose from wildcard or regular expression. See Using wildcards and Perl regular expressions on page 506.
Language: The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Score: A numerical weighting applied to the pattern. The score values of all the matching patterns appearing on a page are added, and if the total is greater than the threshold value set in the protection profile, the page is blocked.
Delete icon: Select to delete an entry from the list.
Edit icon: Select to edit the following information: Banned Word, Pattern Type, Language, and Enable.

Configuring the web content block list


Web content patterns can be one word or a text string up to 80 characters long. The maximum number of banned words in the list is 5000. To add or edit a content block pattern go to UTM > Web Filter > Web Content Block and select Create New or select the Edit icon of the web content block list you want to view.


Figure 307: New content block pattern

Banned Word: Enter the content block pattern. For a single word, the FortiGate unit checks all web pages for that word. For a phrase, the FortiGate unit checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Pattern Type: Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language: Select a language from the dropdown list.
Score: Enter a score for the pattern. Each entry in the web content block list includes a score. When you add a web content block list to a protection profile you configure a web content block threshold for the protection profile. When a web page is matched with an entry in the content block list the score is recorded. If a web page matches more than one entry the score for the web page increases. When the total score for a web page equals or exceeds the threshold the page is blocked. The default score for a content block list entry is 10 and the default threshold is 10. This means that by default a web page is blocked by a single match. You can change the scores and threshold so that web pages can only be blocked if there are multiple matches. For more information, see Web Filtering options on page 411.
Enable: Select to enable the pattern.

Viewing the web content exempt list catalog


You can add multiple web content exempt lists and then select the best web content exempt list for each protection profile. To view the web content exempt list catalog go to UTM > Web Filter > Web Content Exempt. To view any individual web content exempt list, select the Edit icon for the list you want to see.
Figure 308: Sample web content exempt list catalog

The web content exempt list catalogue has the following icons and features:
Create New: Select to add a new web content exempt list to the catalog.
Name: The available web content exempt lists.
# Entries: The number of content patterns in each web content exempt list.
Profiles: The protection profiles each web content exempt list has been applied to.
Comment: Optional description of each web content exempt list.
Delete icon: Select to remove the web content exempt list from the catalog. The delete icon is only available if the web content exempt list is not selected in any protection profiles.
Edit icon: Select to edit the web content exempt list, list name, or list comment.

Select web content exempt lists in protection profiles. For more information, see Web Filtering options on page 411.

Creating a new web content exempt list


To add a web content exempt list to the web content exempt list catalog go to UTM > Web Filter > Web Content Exempt. Select Create New.
Figure 309: New Web Content Exempt list dialog box

Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.

Viewing the web content exempt list


Web content exempt allows overriding of the web content block feature. If any patterns defined in the web content exempt list appear on a web page, the page will not be blocked even if the web content block feature would otherwise block it. To view the web content exempt list go to UTM > Web Filter > Web Content Exempt. Select the Edit icon of the web content exempt list you want to view.
Figure 310: Sample web content exempt list

Note: Enable Web Filtering > Web Content Exempt in a firewall Protection Profile to activate the content exempt settings.

The web content exempt list has the following icons and features:
Name: Web content exempt list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create new: Select to add a pattern to the web content exempt list.
Total: The number of patterns in the web content exempt list.
Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
Remove All Entries icon: Select to clear the table.
Pattern: The current list of patterns. Select the check box to enable all the patterns in the list.
Pattern type: The pattern type used in the pattern list entry. Choose from wildcard or regular expression. See Using wildcards and Perl regular expressions on page 506.
Language: The character set to which the pattern belongs: Simplified Chinese, Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Delete icon: Select to delete an entry from the list.
Edit icon: Select to edit the following information: Pattern, Pattern Type, Language, and Enable.

Configuring the web content exempt list


Web content patterns can be one word or a text string up to 80 characters long. The maximum number of patterns in the list is 5000. To add or edit a content exempt pattern go to UTM > Web Filter > Web Content Exempt. Select Create New or select the Edit icon of the web content exempt pattern you want to edit.
Figure 311: New content exempt pattern

Pattern: Enter the content exempt pattern. For a single word, the FortiGate unit checks all web pages for that word. For a phrase, the FortiGate unit checks all web pages for any word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all web pages for the entire phrase.
Pattern Type: Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language: Select a language from the dropdown list.
Enable: Select to enable the pattern.
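The following is an added example, not FortiGate code, covering both the web content block scoring rules (score counted once per pattern, page blocked when the total reaches the protection profile threshold, /i for a case-insensitive regular expression, wildcard patterns never case sensitive, quoted versus unquoted phrases) and the web content exempt override described above. Treating "*" as the only wildcard character, and the block, exempt and page texts, are constructed for the illustration.

```python
"""Added example, not FortiGate code: a model of web content block scoring and
the web content exempt override."""
import re
from dataclasses import dataclass


@dataclass
class Pattern:
    text: str             # banned word, phrase, "quoted phrase", wildcard or /regex/
    ptype: str            # "wildcard" or "regex"
    score: int = 10       # default score for a list entry
    enable: bool = True


def compile_pattern(p):
    """Turn one list entry into a compiled regular expression. Regex patterns
    are case sensitive unless written /.../i; wildcard patterns are not."""
    if p.ptype == "regex":
        m = re.fullmatch(r"/(.*)/(i?)", p.text, re.S)
        if m:
            return re.compile(m.group(1), re.I if m.group(2) else 0)
        return re.compile(p.text)
    text = p.text.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        words = [text[1:-1]]            # quoted phrase: the whole phrase must appear
    else:
        words = text.split()            # single word, or any word of a phrase
    # '*' is the only wildcard character modelled here (assumption)
    alts = [re.escape(w).replace(r"\*", ".*") for w in words]
    return re.compile(r"\b(?:%s)\b" % "|".join(alts), re.I)


def content_block_score(page_text, block_list):
    """Add the scores of all matching enabled patterns. A pattern's score is
    counted once however many times it appears on the page."""
    total, matched = 0, []
    for p in block_list:
        if p.enable and compile_pattern(p).search(page_text):
            total += p.score
            matched.append(p.text)
    return total, matched


def web_filter_decision(page_text, block_list, exempt_list, threshold=10):
    """Block when the total score reaches the protection profile threshold,
    unless any enabled exempt pattern appears on the page."""
    for p in exempt_list:
        if p.enable and compile_pattern(p).search(page_text):
            return "allow"
    total, _ = content_block_score(page_text, block_list)
    return "block" if total >= threshold else "allow"


# Constructed block and exempt lists.
BLOCK_LIST = [
    Pattern("casino", "wildcard", 10),
    Pattern("poker", "wildcard", 5),           # appears twice on the page, scored once
    Pattern("/Casino/", "regex", 20),          # case sensitive: does not match below
    Pattern("/bonus/i", "regex", 5),           # case insensitive regular expression
    Pattern('"poker tables"', "wildcard", 5),  # quoted phrase
    Pattern("lottery", "wildcard", 10, enable=False),
]
EXEMPT_LIST = [Pattern("responsible gaming", "wildcard")]


def demo():
    """Constructed page text scored against the lists above."""
    page = ("Online casino bonus: play POKER tonight. "
            "The casino poker tables open at nine.")
    score, matched = content_block_score(page, BLOCK_LIST)
    return {
        "score": score,
        "matched": matched,
        "default_threshold": web_filter_decision(page, BLOCK_LIST, EXEMPT_LIST),
        "threshold_30": web_filter_decision(page, BLOCK_LIST, EXEMPT_LIST, threshold=30),
        "exempted": web_filter_decision(page + " Read our responsible gaming policy.",
                                        BLOCK_LIST, EXEMPT_LIST),
    }
```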

URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add patterns using text and regular expressions (or wildcard characters) to allow or block URLs. The FortiGate unit allows or blocks web pages matching any specified URLs or patterns and displays a replacement message instead.
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the URL filter settings.


Note: URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.

Viewing the URL filter list catalog


You can add multiple URL filter lists and then select the best URL filter list for each protection profile. To view the URL filter list catalog go to UTM > Web Filter > URL Filter. To view any individual URL filter list, select the Edit icon for the list you want to see.
Figure 312: Sample URL filter list catalog

The URL filter list catalogue has the following icons and features:
Create New: Select to add a new URL filter list to the catalog.
Name: The available URL filter lists.
# Entries: The number of URL patterns in each URL filter list.
Profiles: The protection profiles each URL filter list has been applied to.
Comment: Optional description of each URL filter list.
Delete icon: Select to remove the URL filter list from the catalog. The delete icon is only available if the URL filter list is not selected in any protection profiles.
Edit icon: Select to edit the URL filter list, list name, or list comment.

Select URL filter lists in protection profiles. For more information, see Web Filtering options on page 411.

Creating a new URL filter list


Different FortiGate models support different maximum numbers of URL filter lists. For details, see the FortiGate Maximum Values Matrix on Fortinet's Knowledge Center web site http://kc.forticare.com. To add a URL filter list to the URL filter list catalog go to UTM > Web Filter > URL Filter. Select Create New.
Figure 313: New URL Filter list dialog box

Name: Enter the name of the new list.
Comment: Enter a comment to describe the list, if required.


Viewing the URL filter list


Add specific URLs to block or exempt. Add the following items to the URL filter list:
complete URLs
IP addresses
partial URLs to allow or block all sub-domains

To view the URL filter list go to UTM > Web Filter > URL Filter. Select the Edit icon of the URL filter list you want to view.
Figure 314: URL filter list

The URL filter list has the following icons and features:
Name: URL filter list name. To change the name, edit text in the name field and select OK.
Comment: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New: Select to add a URL to the URL filter list.
Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
Clear All URL Filters icon: Select to clear the table.
URL: The current list of blocked/exempt URLs. Select the check box to enable all the URLs in the list.
Type: The type of URL: Simple or Regex (regular expression).
Action: The action taken when the URL matches: Allow, Block, or Exempt. An allow match exits the URL filter list and checks the other web filters. An exempt match stops all further checking including AV scanning. A block match blocks the URL and no further checking will be done.
Delete icon: Select to remove an entry from the list.
Edit icon: Select to edit the following information: URL, Type, Action, and Enable.
Move icon: Select to open the Move URL Filter dialog box.

Configuring the URL filter list


Each URL filter list can have up to 5000 entries.
Note: Type a top-level domain suffix (for example, com without the leading period) to block access to all URLs with this suffix.

To add a URL to the URL filter list go to UTM > Web Filter > URL Filter. Select Create New or edit an existing list.


Figure 315: New URL Filter

URL: Enter the URL. Do not include http://. For details about URL formats, see URL formats on page 486.
Type: Select a type from the dropdown list: Simple or Regex (regular expression).
Action: Select an action from the dropdown list: Allow, Block, or Exempt. An allow match exits the URL filter list and checks the other web filters. An exempt match stops all further checking including AV scanning. A block match blocks the URL and no further checking will be done.
Enable: Select to enable the URL.

URL formats
When adding a URL to the URL filter list (see Configuring the URL filter list on page 485), follow these rules:

HTTPS URL formats


If your FortiGate unit does not support SSL content scanning and inspection or if you have selected the URL filtering option in a protection profile for HTTPS content filtering mode under Protocol Recognition, filter HTTPS traffic by entering a top level domain name, for example, www.example.com. HTTPS URL filtering of encrypted sessions works by extracting the CN from the server certificate during the SSL negotiation. Because the CN only contains the domain name of the site being accessed, web filtering of encrypted HTTPS sessions can only filter by domain names. If your FortiGate unit supports SSL content scanning and inspection and if you have selected Deep Scan, you can filter HTTPS traffic in the same way as HTTP traffic. For information about SSL content scanning and inspection, see SSL content scanning and inspection on page 399.

HTTP URL formats


Type a top-level URL or IP address to control access to all pages on a web site. For example, www.example.com or 192.168.144.155 controls access to all pages at this web site. Enter a top-level URL followed by the path and filename to control access to a single page on a web site. For example, www.example.com/news.html or 192.168.144.155/news.html controls the news page on this web site. To control access to all pages with a URL that ends with example.com, add example.com to the filter list. For example, adding example.com controls access to www.example.com, mail.example.com, www.finance.example.com, and so on.


Control access to all URLs that match patterns created using text and regular expressions (or wildcard characters). For example, example.* matches example.com, example.org, example.net and so on. FortiGate web pattern blocking supports standard regular expressions.
Note: URLs with an action set to exempt are not scanned for viruses. If users on the network download files through the FortiGate unit from a trusted website, add the URL of this website to the URL filter list with an action set to exempt so the FortiGate unit does not virus scan files downloaded from this URL.

Note: Enable Web Filtering > Web URL Filter > HTTP or HTTPS in a firewall Protection Profile to activate the web URL filter settings for HTTP and/or HTTPS traffic.
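The following is an added example, not FortiGate code: a model of URL filter list evaluation that walks the list top to bottom, applies the Simple matching rules from URL formats (a host or host suffix covers the whole site and its sub-domains, a host plus path covers one page, a bare suffix such as com covers every host with that suffix) or a regular expression, and returns the Allow, Block or Exempt outcome with the next processing step it implies. It also models the HTTPS rule that, without Deep Scan, only the domain name from the certificate CN is available for matching. The list entries and request URLs are constructed.

```python
"""Added example, not FortiGate code: a model of URL filter list evaluation
with Simple and Regex entries and the Allow/Block/Exempt actions."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class UrlEntry:
    url: str        # as typed in the list, without http://
    utype: str      # "simple" or "regex"
    action: str     # "allow", "block" or "exempt"
    enable: bool = True


def simple_match(entry_url, host, path):
    """Simple entries: a host (or host suffix) matches the whole site and every
    sub-domain; a host followed by a path matches that single page only."""
    e_host, _, e_path = entry_url.lower().partition("/")
    if e_path:
        return host == e_host and path == "/" + e_path
    # 'example.com' also matches www.example.com; 'com' matches every .com host
    return host == e_host or host.endswith("." + e_host)


NEXT_STEP = {
    "allow": "leave URL list, check the other web filters",
    "block": "blocked, no further checking",
    "exempt": "no further checking, antivirus scanning included",
    "none": "no entry matched, check the other web filters",
}


def url_filter(request_url, url_list, deep_scan=False):
    """Walk the list top to bottom; return (action, next_step) for the first
    enabled entry that matches, or ("none", ...) when nothing matches."""
    parts = urlsplit(request_url)
    host = parts.hostname or ""
    path = parts.path or "/"
    if parts.scheme == "https" and not deep_scan:
        # Only the certificate CN (the domain name) is visible in an encrypted
        # session, so entries that name a path cannot match HTTPS traffic.
        path = None
    for e in url_list:
        if not e.enable:
            continue
        if e.utype == "regex":
            target = host if path is None else host + path
            hit = re.search(e.url, target) is not None
        elif path is None and "/" in e.url:
            hit = False
        else:
            hit = simple_match(e.url, host, path or "/")
        if hit:
            return e.action, NEXT_STEP[e.action]
    return "none", NEXT_STEP["none"]


# Constructed URL filter list, evaluated in this order.
URL_LIST = [
    UrlEntry("www.example.com/news.html", "simple", "allow"),
    UrlEntry("downloads.example.com", "simple", "exempt"),
    UrlEntry("example.com", "simple", "block"),
    UrlEntry(r"^[^/]*\.example\.(org|net)", "regex", "block"),
]


def demo():
    """Outcomes for a set of constructed requests against URL_LIST."""
    cases = {
        "news_page": "http://www.example.com/news.html",
        "home_page": "http://www.example.com/",
        "sub_domain": "http://mail.example.com/inbox",
        "exempt_dl": "https://downloads.example.com/x.zip",
        "regex_org": "http://www.example.org/",
        "unlisted": "http://www.example.test/",
        "https_news_page": "https://www.example.com/news.html",
    }
    return {name: url_filter(url, URL_LIST)[0] for name, url in cases.items()}
```

The last case shows why the page-level allow entry does not help an encrypted session without Deep Scan: only www.example.com is visible, so the site-wide block entry wins.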

Moving URLs in the URL filter list


To make the URL filter list easier to use, the entries can be moved to different positions in the list.

To move a URL in the URL filter list
1 Go to UTM > Web Filter > URL Filter.
2 Select the Edit icon for the URL list.
3 Drag and drop a URL or select the Move icon to the right of the URL to be moved.
4 Specify the location for the URL.
5 Select OK.
Figure 316: Move URL Filter

Move to: Select the location in the list to place the URL.
(URL): Enter the URL before or after which the moved URL is to be located in the list.

FortiGuard - Web Filter


FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet. FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of categories users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Web Filtering Service Point to determine the category of a requested web page then follows the firewall policy configured for that user or interface. FortiGuard Web Filtering includes over 60 million individual ratings of web sites applying to hundreds of millions of pages. Pages are sorted and rated into 56 categories users can allow, block, or monitor. Categories may be added to, or updated, as the Internet evolves. To make configuration simpler, users can also choose to allow, block, or monitor entire groups of categories. Blocked pages are replaced with a message indicating that the page is not accessible according to the Internet usage policy.


FortiGuard Web Filtering ratings are performed by a combination of proprietary methods including text analysis, exploitation of the Web structure, and human raters. Users can notify the FortiGuard Web Filtering Service Points if they feel a web page is not categorized correctly, and new sites are quickly rated as required. Use the procedure FortiGuard Web Filtering options on page 413 to configure FortiGuard category blocking in a protection profile. To configure the FortiGuard Web service, see Configuring the FortiGate unit for FDN and FortiGuard subscription services on page 266.

Configuring FortiGuard Web Filtering


To configure the FortiGuard Web Filtering service go to System > Maintenance > FortiGuard. See Configuring the FortiGate unit for FDN and FortiGuard subscription services on page 266.

Viewing the override list


Users may require access to web sites that are blocked by a policy. In this case, an administrator can give the user the ability to override the block for a specified period of time. When a user attempts to access a blocked site, if override is enabled, a link appears on the block page directing the user to an authentication form. The user must provide a correct user name and password or the web site remains blocked. Authentication is based on user groups and can be performed for local, RADIUS, and LDAP users. For more information about authentication and configuring user groups, see User Group on page 583.

Administrative overrides vs. user overrides


The administrative overrides are backed up with the main configuration and managed by the FortiManager system. The administrative overrides are not cleaned up when they expire and you can reuse these override entries by extending their expiry dates. You can create administrative overrides using both the CLI and the web-based manager. The user overrides are not backed up as part of the main configuration and are not managed by the FortiManager system. These overrides are also purged when they expire. You can only view and delete the user overrides entries. Users create user overrides using the authentication form opened from the block page when they attempt to access a blocked site, if override is enabled. To view the override list go to UTM > Web Filter > Override. Select the Edit icon for Administrative Overrides or User Overrides.
Figure 317: Override list

The override list has the following icons and features:


Create New: Select to add a new override rule to the list. This button is not available under User Overrides.
Return: Select to return to the override category page.
Clear All icon: Select to clear the table.
URL/Category: The URL or category to which the override applies.
Scope: The user or user group who may use the override.
Off-site URLs: A green check mark indicates that the off-site URL option is set to Allow, which means that the override web page will display the contents from off-site domains. A gray cross indicates that the off-site URL option is set to Block, which means that the override web page will not display the contents from off-site domains. For details, see Configuring administrative override rules on page 489.
Initiator: The creator of the override rule.
Expiry Date: The expiry date of the override rule.
Delete icon: Select to remove the entry from the list.
Edit icon: Select to edit the following information: Type, URL, Scope, User, Off-site URLs, and Override Duration.

Configuring administrative override rules


Administrative override rules can be configured to allow access to blocked web sites based on directory, domain name, or category. To create an override rule for a directory or domain go to UTM > Web Filter > Override. Select the Edit icon for Administrative Overrides.
Figure 318: New Override Rule - Directory or Domain

Type: Select Directory or Domain.
URL: Enter the URL or the domain name of the website.
Scope: Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User: Enter the name of the user selected in Scope.
User Group: Select a user group from the dropdown list. User groups must be configured before FortiGuard Web Filtering configuration. For more information, see User Group on page 583.
Off-site URLs: This option defines whether the override web page will display the images and other contents from the blocked off-site URLs. For example, all FortiGuard categories are blocked, and you want to visit a site whose images are served from a different domain. You can create a directory override for the site and view the page. If the off-site feature is set to deny, all the images on the page will appear broken because they come from a different domain to which the existing override rule does not apply. If you set the off-site feature to allow, the images on the page will show up. Only users that fall under the scope of the page override can see the images from the temporary overrides. The users will not be able to view any pages on the sites where the images come from (unless the pages are served from the same directory as the images themselves) without creating a new override rule.
Override End Time: Specify when the override rule will end.

To create an override for categories, go to UTM > Web Filter > Override.
Figure 319: New Override Rule - Categories

Type: Select Categories.
Categories: Select the categories to which the override applies. A category group or a subcategory can be selected. Local categories are also displayed.
Classifications: Select the classifications to which the override applies. When selected, users can access web sites that provide content cache, and provide searches for image, audio, and video files.
Scope: Select one of the following: User, User Group, IP, or Profile. Depending on the option selected, a different option appears below Scope.
User: Enter the name of the user selected in Scope.
User Group: Select a user group from the dropdown list.
IP: Enter the IP address of the computer initiating the override.
Profile: Select a protection profile from the dropdown list.
Off-site URLs: Select Allow or Block. See the previous table for details about off-site URLs.
Override End Time: Specify when the override rule will end.

Creating local categories


User-defined categories can be created to allow users to block groups of URLs on a per-profile basis. The categories defined here appear in the global URL category list when configuring a protection profile. Users can rate URLs based on the local categories. To create or view local categories, go to UTM > Web Filter > Local Categories.
Figure 320: Local categories list

Add: Enter the name of the category then select Add.
Delete icon: Select to remove the entry from the list.

Viewing the local ratings list


To view the local ratings list go to UTM > Web Filter > Local Ratings.
Figure 321: Local ratings list

The local ratings list has the following icons and features:
Create New: Select to add a rating to the list.
Search: Enter search criteria to filter the list.
1 - 3 of 3: The total number of local ratings in the list.
Page up icon: Select to view the previous page.
Page down icon: Select to view the next page.
Clear All icon: Select to clear the table.
URL: The rated URL. Select the green arrow to sort the list by URL.
Category: The category or classification in which the URL has been placed. If the URL is rated in more than one category or classification, trailing dots appear. Select the gray funnel to open the Category Filter dialog box. When the list has been filtered, the funnel changes to green.
Delete icon: Select to remove the entry from the list.
Edit icon: Select to edit the following information: URL, Category Rating, and Classification Rating.

Figure 322: Category Filter

Clear Filter: Select to remove all filters.
Category Name: Select the blue arrow to expand the category.
Enable Filter: Select to enable the filter for the category or the individual sub-category.
Classification Name: The classifications that can be filtered.
Enable Filter: Select to enable the classification filter.

Configuring local ratings


Users can create user-defined categories then specify the URLs that belong to the category. This allows users to block groups of web sites on a per-profile basis. The ratings are included in the global URL list with associated categories and compared in the same way the URL block list is processed. The local ratings override the FortiGuard server ratings and appear in reports as Local Category. To create a local rating go to UTM > Web Filter > Local Ratings.


Figure 323: New Local Rating

URL: Enter the URL to be rated.
Category Name: Select the blue arrow to expand the category.
Enable Filter: Select to enable the filter for the category or the individual sub-category.
Classification Name: The classifications that can be filtered.
Enable Filter: Select to enable the classification filter.

Category block CLI configuration


Use the hostname keyword for the webfilter fortiguard command to change the default host name (URL) for the FortiGuard Web Filtering Service Point. The FortiGuard Web Filtering Service Point name cannot be changed using the web-based manager. Configure all FortiGuard Web Filtering settings using the CLI. For more information, see the FortiGate CLI Reference for descriptions of the webfilter fortiguard keywords.


Antispam

This chapter describes how to configure FortiGate spam filtering for IMAP, POP3, and SMTP email. If your FortiGate unit supports SSL content scanning and inspection you can also configure spam filtering for IMAPS, POP3S, and SMTPS email traffic. For information about SSL content scanning and inspection, see SSL content scanning and inspection on page 399. If you enable virtual domains (VDOMs) on the FortiGate unit, Antispam is configured separately for each virtual domain. For details, see Using virtual domains on page 103.

This section describes:
Antispam
Banned word
IP address and email address black/white lists
Advanced antispam configuration
Using wildcards and Perl regular expressions

Antispam
You can configure the FortiGate unit to manage unsolicited commercial email by detecting and identifying spam messages from known or suspected spam servers. The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools, to detect and block a wide range of spam messages. Using FortiGuard Antispam protection profile settings you can enable IP address checking, URL checking, E-mail checksum check, and Spam submission. Updates to the IP reputation and spam signature databases are provided continuously via the global FortiGuard distribution network. From the FortiGuard Antispam Service page in the FortiGuard center you can use IP and signature lookup to check whether an IP address is blacklisted in the FortiGuard antispam IP reputation database, or whether a URL or email address is in the signature database.

Order of spam filtering


The FortiGate unit checks for spam using various filtering techniques. The order in which the FortiGate unit uses these filters depends on the mail protocol used. Filters requiring a query to a server and a reply (FortiGuard Antispam Service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received. Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate unit tags the email as spam according to the settings in the protection profile. For SMTP and SMTPS, if the action is Discard, the email message is discarded (dropped). If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or SMTPS email messages are substituted with a configurable replacement message.


Order of SMTP and SMTPS spam filtering


SMTPS spam filtering is available on FortiGate units that support SSL content scanning and inspection.
1 IP address BWL check on last hop IP.
2 DNSBL & ORDBL check on last hop IP, FortiGuard Antispam IP check on last hop IP, HELO DNS lookup.
3 MIME headers check, E-mail address BWL check.
4 Banned word check on email subject.
5 IP address BWL check (for IPs extracted from Received headers).
6 Banned word check on email body.
7 Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard Antispam URL check, DNSBL & ORDBL check on public IP extracted from header.

Order of IMAP, POP3, IMAPS and POP3S spam filtering


IMAPS and POP3S spam filtering is available on FortiGate units that support SSL content scanning and inspection.
1 MIME headers check, E-mail address BWL check.
2 Banned word check on email subject.
3 IP BWL check.
4 Banned word check on email body.
5 Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard Antispam URL check, DNSBL & ORDBL check.

Anti-spam filter controls


Spam filters are configured for system-wide use, but enabled on a per profile basis. Table 52 describes the Antispam settings and where to configure and access them. To access protection profile Antispam options, go to Firewall > Protection Profile, select the Edit icon beside an existing profile, or select Create New. Select Spam Filtering.
Table 52: AntiSpam and Protection Profile spam filtering configuration

FortiGuard Antispam check
  Protection Profile option: Configure the FortiGuard Antispam service. Fortinet has its own DNSBL server for FortiGuard Antispam that provides spam IP address and URL blacklists. Fortinet keeps the FortiGuard Antispam IP addresses and URLs up-to-date as new spam sources are found.
  AntiSpam setting: System > Maintenance > FortiGuard. Enable FortiGuard Antispam, check the status of the FortiGuard Antispam server, view the license type and expiry date, and configure the cache. For more information, see Configuring the FortiGate unit for FDN and FortiGuard subscription services on page 266.

IP address BWL check
  Protection Profile option: Black/white list check. Configure the checking of incoming IP addresses against the configured spam filter IP address list.
  AntiSpam setting: UTM > AntiSpam > IP Address. Add to and edit IP addresses in the list. You can configure the action to take as spam, clear, or reject for each IP address. You can place an IP address anywhere in the list. The filter checks each IP address in sequence.

DNSBL & ORDBL check
  Protection Profile option: Enable or disable checking email traffic against configured DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers (SMTP and SMTPS).
  AntiSpam setting: Command line only. Add or remove DNSBL and ORDBL servers to and from the list. You can configure the action to take as spam or reject for email identified as spam from each server (SMTP and SMTPS). DNSBL and ORDBL configuration can only be changed using the command line interface. For more information, see the FortiGate CLI Reference.

HELO DNS lookup
  Protection Profile option: Enable or disable checking the source domain name against the registered IP address in the Domain Name Server. If the source domain name does not match the IP address, the email is marked as spam and the action selected in the protection profile is taken.
  AntiSpam setting: n/a

E-mail address BWL check
  Protection Profile option: Enable or disable checking incoming email addresses against the configured spam filter email address list.
  AntiSpam setting: UTM > AntiSpam > E-mail Address. Add to and edit email addresses in the list, with the option of using wildcards and regular expressions. You can configure the action as spam or clear for each email address. You can place an email address anywhere in the list. The filter checks each email address in sequence.

Return e-mail DNS check
  Protection Profile option: Enable or disable checking the incoming email return address domain against the registered IP address in the Domain Name Server. If the return address domain name does not match the IP address, the email is marked as spam and the action selected in the protection profile is taken.
  AntiSpam setting: n/a

MIME headers check
  Protection Profile option: Enable or disable checking source MIME headers against the configured spam filter MIME header list.
  AntiSpam setting: Command line only. Add to and edit MIME headers, with the option of using wildcards and regular expressions. You can configure the action for each MIME header as spam or clear. This configuration can only be changed using the command line interface. For more information, see the FortiGate CLI Reference.

Banned word check
  Protection Profile option: Enable or disable checking source email against the configured spam filter banned word list.
  AntiSpam setting: UTM > AntiSpam > Banned Word. Add to and edit banned words in the list, with the option of using wildcards and regular expressions. You can configure the language and whether to search the email body, subject, or both. You can configure the action to take as spam or clear for each word.

Spam Action
  Protection Profile option: The action to take on email identified as spam. POP3 and IMAP messages are tagged. Choose Tagged or Discard for SMTP or SMTPS messages. You can append a custom word or phrase to the subject or MIME header of tagged email. You can choose to log any spam action in the event log. For IMAP, spam email may be tagged only after the user downloads the entire message by opening the email, since some IMAP email clients download only the envelope portion of the email message initially. For details, see Spam Filtering options on page 416.
  AntiSpam setting: Tag location: Affix the tag to the subject or MIME header of the email identified as spam. Tag format: Enter a word or phrase (tag) to affix to email identified as spam. Add event into the system log: Enable or disable logging of spam actions to the event log.

Banned word
Control spam by blocking email messages containing specific words or patterns. You can add words, phrases, wild cards and Perl regular expressions to match content in email messages. For information about wild cards and Perl regular expressions, see Using wildcards and Perl regular expressions on page 506.
Note: Perl regular expression patterns are case sensitive for antispam banned words. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of bad language regardless of case. Wildcard patterns are not case sensitive.

Viewing the banned word list catalog


You can add a maximum of two antispam banned word lists and then select the best antispam banned word list for each protection profile. To view the antispam banned word list catalog, go to UTM > AntiSpam > Banned Word. To view any individual antispam banned word list, select the Edit icon for the list you want to see.
Figure 324: Sample antispam banned word list catalog

Create New: Add a new list to the catalog. For more information, see Creating a new banned word list on page 499.
Name: The available antispam banned word lists.
# Entries: The number of entries in each antispam banned word list.
Profiles: The protection profiles each antispam banned word list has been applied to.
Comments: Optional description of each antispam banned word list.
Delete icon: Remove the antispam banned word list from the catalog. The delete icon is available only if the antispam banned word list is not selected in any protection profiles.
Edit icon: Modify the antispam banned word list, list name, or list comment.

To use the banned word list, select antispam banned word lists in protection profiles. For more information, see Spam Filtering options on page 416.

Creating a new banned word list


To add an antispam banned word list to the antispam banned word list catalog, go to UTM > AntiSpam > Banned Word and select Create New.
Figure 325: New AntiSpam Banned Word list dialog box

Name: Enter the name of the new list.
Comments: Enter a comment to describe the list, if required.

Viewing the antispam banned word list


The FortiGate unit checks each email message against the antispam banned word list. The FortiGate unit can sort email messages containing those banned words in the subject, body, or both. The score value of each banned word appearing in the message is added, and if the total is greater than the threshold value set in the protection profile, the FortiGate unit processes the message according to the Spam Action setting in the protection profile. The score for a pattern is applied only once even if the word appears in the message multiple times. To view the banned word list, go to UTM > AntiSpam > Banned Word and select the Edit icon of the banned word list you want to view.
Figure 326: Sample banned word list

Name: Banned word list name. To change the name, edit the text in the name field and select OK.
Comments: Optional comment. To add or edit a comment, enter text in the comment field and select OK.
Create New: Select to add a word or phrase to the banned word list.
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the banned word list.
Remove All Entries icon: Clear the table.
Pattern: The list of banned words. Select the check box to enable all the banned words in the list.
Pattern Type: The pattern type used in the banned word list entry. Choose from wildcard or regular expression. For more information, see Using wildcards and Perl regular expressions on page 506.
Language: The character set to which the banned word belongs.
Where: The location where the FortiGate unit searches for the banned word: Subject, Body, or All.
Score: A numerical weighting applied to the banned word. The score values of all the matching words appearing in an email message are added, and if the total is greater than the Banned word check value set in the protection profile, the email is processed according to whether the spam action is set to Discard or Tagged in the protection profile. The score for a banned word is counted once even if the word appears multiple times in the email message. For more information, see Configuring a protection profile on page 404.
Delete and Edit icons: Delete or edit the banned word.

Adding words to the banned word list


For a single word, the FortiGate unit blocks all email containing the word. For a phrase, the FortiGate unit blocks all email containing the exact phrase. To block any word in a phrase, use Perl regular expressions.

To add a banned word list name
1 Go to UTM > AntiSpam > Banned Word.
2 Select Create New.
3 Enter the banned word list name.
4 Optionally, enter any comments about the name.
5 Select OK.

To add a banned word
1 Go to UTM > AntiSpam > Banned Word.
2 For the banned word list name to which you want to add a banned word, select Edit.
3 Select Create New.

Pattern: Enter the word or phrase you want to include in the banned word list.
Pattern Type: Select the pattern type for the banned word. Choose from wildcard or regular expression. For more information, see Using wildcards and Perl regular expressions on page 506.
Language: Select the character set for the banned word.
Where: Select where the FortiGate unit should search for the banned word: Subject, Body, or All.
Score: Enter a score for the pattern. Each entry in the banned word list added to the protection profile includes a score. When an email message is matched with an entry in the banned word list, the score is recorded. If an email message matches more than one entry, the score for the email message increases. When the total score for an email message equals or exceeds the threshold, the message is tagged as spam. The default score for a banned word list entry is 10 and the default threshold is 10. This means that by default an email message is tagged as spam by a single match. You can change the scores and threshold so email messages are only tagged as spam if there are multiple matches. For more information, see Spam Filtering options on page 416.
Enable: Select to enable scanning for the banned word.

4 Select OK.
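The banned-word scoring rules above, modelled in Python as an added example (not FortiOS code): wildcard patterns are case insensitive, Perl-style /pattern/i regular expressions honour the i flag and are otherwise case sensitive, each matching entry adds its score once no matter how often the word occurs, and the message is tagged once the total reaches the profile threshold. The class and function names are this example's own, and the list and message are constructed sample data.

```python
"""Model of the antispam banned-word scoring described in the FortiGate guide.
Added example, not FortiOS code: the matching and scoring rules follow the
guide's text; the data classes and function names are this example's own."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Perl-style regular expression as the guide writes it: /pattern/flags
_PERL_RE = re.compile(r"^/(.*)/([a-z]*)$", re.DOTALL)


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    # Wildcard patterns: * matches any run of characters, ? a single one.
    # They are case insensitive and may match anywhere in the text.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.IGNORECASE | re.DOTALL)


def _perl_to_regex(pattern: str) -> "re.Pattern[str]":
    # Regular expressions are case sensitive unless written as /.../i;
    # a bare expression without slashes is accepted as-is.
    m = _PERL_RE.match(pattern)
    body, flags = (m.group(1), m.group(2)) if m else (pattern, "")
    return re.compile(body, re.IGNORECASE if "i" in flags else 0)


@dataclass(frozen=True)
class BannedWord:
    pattern: str
    pattern_type: str = "wildcard"   # "wildcard" or "regexp"
    where: str = "all"               # "subject", "body" or "all"
    score: int = 10                  # guide default: 10 per entry
    enabled: bool = True

    def matches(self, subject: str, body: str) -> bool:
        rx = (_perl_to_regex if self.pattern_type == "regexp"
              else _wildcard_to_regex)(self.pattern)
        targets = []
        if self.where in ("subject", "all"):
            targets.append(subject)
        if self.where in ("body", "all"):
            targets.append(body)
        return any(rx.search(t) for t in targets)


def score_message(entries: Iterable[BannedWord], subject: str, body: str,
                  threshold: int = 10) -> Tuple[int, List[str], bool]:
    """Return (total score, matched patterns, tagged as spam).

    Each enabled entry that matches adds its score exactly once, however
    often the word occurs. The guide's defaults (score 10, threshold 10)
    mean a single match tags the message, so the comparison is >=.
    """
    total, hits = 0, []
    for entry in entries:
        if entry.enabled and entry.matches(subject, body):
            total += entry.score
            hits.append(entry.pattern)
    return total, hits, total >= threshold


# Constructed sample list and message (not from the guide).
SAMPLE_LIST = [
    BannedWord("free money", score=5),                             # wildcard, anywhere
    BannedWord("/viagra/i", "regexp", where="subject", score=5),   # case-insensitive regexp
    BannedWord("/Lottery/", "regexp", score=10),                   # case-sensitive regexp
    BannedWord("click here", where="body", score=10, enabled=False),
]
SAMPLE_SUBJECT = "FREE MONEY - cheap VIAGRA"
SAMPLE_BODY = "free money! free money! lottery winner, click here"

if __name__ == "__main__":
    total, hits, tagged = score_message(SAMPLE_LIST, SAMPLE_SUBJECT, SAMPLE_BODY)
    print(f"score={total} matched={hits} tagged={tagged}")
```

Raising the threshold in the profile to 20 while keeping these scores means the same message is no longer tagged, which is the "multiple matches" tuning the guide describes.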

IP address and email address black/white lists


You can add IP address black/white lists and email address black/white lists to filter email. When performing an IP address list check, the FortiGate unit compares the IP address of the message sender to the IP address list in sequence. When performing an email list check, the FortiGate unit compares the email address of the message sender to the email address list in sequence. If a match is found, the action associated with the IP address or email address is taken. If no match is found, the message is passed to the next enabled spam filter.

Viewing the antispam IP address list catalog


You can add a maximum of two antispam IP address lists and then select the best one for each protection profile. To view the antispam IP address list catalog, go to UTM > AntiSpam > IP Address. To view any individual antispam IP address list, select the Edit icon for the list you want to see.
Figure 327: Sample antispam IP address list catalog

Create New: Add a new IP address list to the catalog.
Name: The names of the available antispam IP address lists.
# Entries: The number of entries in each antispam IP address list.
Profiles: The protection profiles each antispam IP address list has been applied to.
Comments: Optional description of each antispam IP address list.
Delete icon: Remove the antispam IP address list from the catalog. The delete icon is available only if the antispam IP address list is not selected in any protection profiles.
Edit icon: Edit the antispam IP address list, list name, or list comment.

Creating a new antispam IP address list


To add an antispam IP address list to the antispam IP address list catalog, go to UTM > AntiSpam > IP Address and select Create New.

Figure 328: New AntiSpam IP Address list dialog box

Name: Enter the name of the new list.
Comments: Enter a comment to describe the list, if required.

Viewing the antispam IP address list


Configure the FortiGate unit to filter email from specific IP addresses. The FortiGate unit compares the IP address of the sender to the check list in sequence. Mark each IP address as clear, spam, or reject. Filter single IP addresses or a range of addresses at the network level by configuring an address and mask. To view the antispam IP address list, go to UTM > AntiSpam > IP Address and select the Edit icon of the antispam IP address list you want to view.
Figure 329: Sample IP address list

Name: Antispam IP address list name. To change the name, edit the text in the name field and select OK.
Comments: Optional comment. To add or edit a comment, enter text in the comments field and select OK.
Create New: Add an IP address to the antispam IP address list.
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the IP address list.
Remove All Entries icon: Clear the table.
IP address/Mask: The list of IP addresses.
Action: The action to take on email from the configured IP address. Actions are: Spam to apply the configured spam action, Clear to bypass this and remaining spam filters, or Reject (SMTP or SMTPS) to drop the session. If an IP address is set to reject but mail is delivered from that IP address via POP3 or IMAP, the email messages will be marked as spam.
Delete icon: Remove the address from the list.
Edit icon: Edit address information.
Move To icon: Select to move the entry to a different position in the list. The firewall policy executes the list from top to bottom. For example, if you have IP address 192.168.100.1 listed as spam and 192.168.100.2 listed as clear, you must put 192.168.100.1 above 192.168.100.2 for 192.168.100.1 to take effect.

Adding an antispam IP address


After creating an IP address list, you can add IP addresses to the list. Enter an IP address or a pair of IP address and mask in the following formats:
x.x.x.x, for example, 192.168.69.100
x.x.x.x/x.x.x.x, for example, 192.168.69.100/255.255.255.0
x.x.x.x/x, for example, 192.168.69.100/24

To add an IP address go to UTM > AntiSpam > IP Address. For the IP address list name to which you want to add an IP address, select Edit. Then select Create New.
Figure 330: Adding an antispam IP address

IP Address/Mask: Enter the IP address or the IP address/mask pair.
Action: Select Mark as Spam to apply the spam action configured in the protection profile, Mark as Clear to bypass this and remaining spam filters, or Mark as Reject (SMTP or SMTPS) to drop the session.
Enable: Select to enable the address.

Viewing the antispam email address list catalog


You can add a maximum of two antispam email address lists and then select the best one for each protection profile. To view the antispam email address list catalog, go to UTM > AntiSpam > E-mail Address. To view any individual antispam email address list, select the Edit icon for the list you want to see.
Figure 331: Sample antispam email address list catalog

Create New: Create a new antispam address list.
Name: Antispam email address lists.
# Entries: The number of entries in each antispam email address list.
Profiles: The protection profiles each antispam email address list has been applied to.
Comments: Optional description of each antispam email address list.
Delete icon: Remove the antispam email address list from the catalog. The delete icon is only available if the antispam email address list is not selected in any protection profiles.
Edit icon: Edit the antispam email address list, list name, or list comment.

You enable antispam email addresses in protection profiles. For more information, see Spam Filtering options on page 416.

Creating a new antispam email address list


To add an antispam email address list to the antispam email address list catalog, go to UTM > AntiSpam > E-mail Address and select Create New.
Figure 332: New AntiSpam E-mail Address list dialog box

Name     Enter the name of the new list.
Comment  Enter a comment to describe the list, if required.

Viewing the antispam email address list


The FortiGate unit can filter email from specific senders or all email from a domain (such as example.net). To view the antispam email address list, go to UTM > AntiSpam > E-mail Address and select the Edit icon of the antispam email address list you want to view.
Figure 333: Sample email address list

Name        Antispam email address list name. To change the name, edit the text in the Name field and select OK.
Comments    Optional comment. To add or edit a comment, enter text in the Comments field and select OK.
Create New  Add an email address to the email address list.

Current Page        The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of the email address list.
Remove All Entries  Clear the table.
Email address       The list of email addresses.
Pattern Type        The pattern type used in the email address entry.
Action              The action to take on email from the configured address. Actions are: Spam to apply the spam action configured in the protection profile, or Clear to let the email message bypass this and remaining spam filters.
Delete icon         Remove the email address from the list.
Edit icon           Edit the address information.
Move To icon        Move the entry to a different position in the list. The list is evaluated from top to bottom and the first matching entry decides the action. For example, if you have abc@example.com listed as clear and *@example.com as spam, you must put abc@example.com above *@example.com for abc@example.com to take effect.

Configuring the antispam email address list


To add an email address or domain to a list, go to UTM > AntiSpam > E-mail Address. Select the Edit icon beside the list you want to add the address to. Select Create New, enter the information below and select OK.
Figure 334: Add E-mail Address

E-Mail Address  Enter the email address.
Pattern Type    Select a pattern type: Wildcard or Regular Expression. For more information, see Using wildcards and Perl regular expressions on page 506.
Action          Select: Mark as Spam to apply the spam action configured in the protection profile, or Mark as Clear to bypass this and remaining spam filters.
Enable          Select to enable the email address for spam checking.

Advanced antispam configuration


Advanced antispam configuration covers only command line interface (CLI) commands not represented in the web-based manager. For complete descriptions and examples of how to use CLI commands, see the FortiGate CLI Reference.

config spamfilter mheader


Use this command to configure email filtering based on the MIME (Multipurpose Internet Mail Extensions) header. MIME header filtering is enabled within each protection profile. The FortiGate unit compares the MIME header key-value pair of incoming email to the list pair in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

MIME headers are added to email to describe content type and content encoding, such as the type of text in the email body or the program that generated the email. Some examples of MIME headers include:
  X-mailer: outgluck
  X-Distribution: bulk
  Content-Type: text/html
  Content-Type: image/jpg

The first part of the MIME header is called the header or header key. The second part is called the value. Spammers often insert comments into header values or leave them blank. These malformed headers can fool some spam and virus filters. Use the MIME headers list to mark email from certain bulk mail programs or with certain types of content that are common in spam messages. Mark the email as spam or clear for each header configured.
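The IP address list, the email address list and the MIME header list above are all evaluated the same way: top to bottom, first enabled match wins, no match hands the message to the next spam filter. The following Python is an added example (not FortiGate code) that models that evaluation so the ordering rule can be checked against sample entries. The list contents, the header samples, the case-insensitive treatment of wildcard entries and the use of wildcards for MIME header values are assumptions made for the example.

```python
import ipaddress
import re

# Actions as the web-based manager names them. "Reject" is offered only for
# IP address entries (SMTP or SMTPS sessions).
SPAM, CLEAR, REJECT = "spam", "clear", "reject"


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern (* = zero or more characters, ? = any one
    character) into an anchored regular expression. Case-insensitive matching
    of wildcard entries is an assumption of this example."""
    body = "".join({"*": ".*", "?": "."}.get(ch, re.escape(ch)) for ch in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def first_match(entries, predicate):
    """Walk an ordered list top to bottom and return the action of the first
    enabled entry that matches. None means nothing matched and the message
    passes on to the next spam filter."""
    for entry in entries:
        if entry.get("enabled", True) and predicate(entry):
            return entry["action"]
    return None


def check_ip(ip_list, sender_ip):
    """IP address list: entries are x.x.x.x, x.x.x.x/x.x.x.x or x.x.x.x/x."""
    addr = ipaddress.ip_address(sender_ip)
    return first_match(
        ip_list,
        lambda e: addr in ipaddress.ip_network(e["address"], strict=False))


def check_email(email_list, sender):
    """Email address list: each entry is a wildcard or a regular expression.
    A regular expression entry has no implicit anchors or word boundary."""
    def matches(e):
        if e["pattern_type"] == "wildcard":
            return wildcard_to_regex(e["pattern"]).search(sender) is not None
        return re.search(e["pattern"], sender) is not None
    return first_match(email_list, matches)


def check_mime_headers(header_list, headers):
    """MIME header list: compare the message's header key-value pairs with
    each list entry in sequence. Header names are compared case-insensitively;
    treating the value as a wildcard is an assumption of this example."""
    def matches(e):
        return any(key.lower() == e["field"].lower()
                   and wildcard_to_regex(e["value"]).search(value) is not None
                   for key, value in headers)
    return first_match(header_list, matches)


# Constructed sample lists (not from the page). Order matters: with the host
# entry above the /24 entry, 192.168.100.1 is spam while 192.168.100.2 is clear.
IP_LIST = [
    {"address": "192.168.100.1", "action": SPAM},
    {"address": "192.168.100.0/24", "action": CLEAR},
    {"address": "203.0.113.0/255.255.255.0", "action": REJECT},
]
EMAIL_LIST = [
    {"pattern": "abc@example.com", "pattern_type": "wildcard", "action": CLEAR},
    {"pattern": "*@example.com", "pattern_type": "wildcard", "action": SPAM},
    {"pattern": r"^[a-z0-9]{12,}@", "pattern_type": "regexp", "action": SPAM},
]
MIME_LIST = [
    {"field": "X-Distribution", "value": "bulk", "action": SPAM},
    {"field": "X-Mailer", "value": "outgluck*", "action": SPAM},
]
# Constructed headers of one sample message.
SAMPLE_HEADERS = [("Content-Type", "text/html"), ("X-Mailer", "outgluck 1.2")]

if __name__ == "__main__":
    print(check_ip(IP_LIST, "192.168.100.1"), check_ip(IP_LIST, "192.168.100.2"))
    print(check_email(EMAIL_LIST, "abc@example.com"), check_email(EMAIL_LIST, "xyz@example.com"))
    print(check_mime_headers(MIME_LIST, SAMPLE_HEADERS))
```

Reversing the first two entries of either list flips the result for the more specific address, which is the behaviour the Move To icon exists to control.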

config spamfilter dnsbl


Use this command to configure email filtering using DNS-based Blackhole List (DNSBL) and Open Relay Database List (ORDBL) servers. DNSBL and ORDBL filtering is enabled within each protection profile. The FortiGate unit compares the IP address or domain name of the sender to any database lists configured, in sequence. If a match is found, the corresponding action is taken. If no match is found, the email is passed on to the next spam filter.

Some spammers use unsecured third party SMTP or SMTPS servers to send unsolicited bulk email. Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the network. These lists act as domain name servers that match the domain of incoming email to a list of IP addresses known to send spam or allow spam to pass through. There are several free and subscription servers available that provide reliable access to continually updated DNSBLs and ORDBLs. Check with the service you are using to confirm the correct domain name for connecting to the server.
Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL or ORDBL server, it must be able to look up this name on the DNS server. For information on configuring DNS, see Configuring Networking Options on page 145.
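The lookup a DNSBL client performs, as an added Python example that is not FortiGate code: it builds the reversed-octet query name for the sender address, consults the configured zones in sequence, accepts only an answer inside 127.0.0.0/8 as a listing, and skips private source addresses that no public list carries. A constructed stand-in zone replaces the DNS server so the example runs offline; the zone names, actions and listed addresses are made up.

```python
import ipaddress

# Constructed stand-in for DNSBL zones (no real DNS is queried). A real zone
# answers an A query for the reversed-octet name with an address in 127.0.0.0/8
# when the IP is listed, and returns no answer (NXDOMAIN) when it is not.
# Zone names and listed addresses below are made up for this example.
FAKE_ZONES = {
    "10.113.0.203.dnsbl.example": "127.0.0.2",   # 203.0.113.10 listed as spam source
    "25.113.0.203.relay.example": "127.0.0.4",   # 203.0.113.25 listed as open relay
}


def stub_resolve(name):
    """Stand-in for a DNS A lookup: the answer string, or None for NXDOMAIN."""
    return FAKE_ZONES.get(name)


# Addresses that no public DNSBL lists; querying them only leaks internal
# topology to the list operator and wastes a lookup.
SKIP_RANGES = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def dnsbl_query_name(ip, zone):
    """1.2.3.4 queried against zone Z becomes 4.3.2.1.Z."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(answer):
    """A listing is an answer inside 127.0.0.0/8. Anything else is not a
    listing: a wildcarded or defunct zone, or a resolver that rewrites NXDOMAIN
    into a real address."""
    if answer is None:
        return "not-listed"
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    return "bogus"


def dnsbl_lookup(ip, zone, resolve=stub_resolve):
    """Return the 127.0.0.x answer when ip is listed in zone, else None."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in SKIP_RANGES):
        return None
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer if classify_answer(answer) == "listed" else None


def check_sender(ip, servers, resolve=stub_resolve):
    """Consult the configured servers in sequence; the first listing decides.
    None means no list matched and the email passes to the next spam filter."""
    for server in servers:
        if dnsbl_lookup(ip, server["zone"], resolve) is not None:
            return server["action"]
    return None


# Constructed server list in evaluation order.
SERVERS = [
    {"zone": "dnsbl.example", "action": "reject"},
    {"zone": "relay.example", "action": "spam"},
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.25", "198.51.100.7", "192.168.1.20"):
        print(ip, dnsbl_query_name(ip, "dnsbl.example"), check_sender(ip, SERVERS))
```

The answer check matters in practice: a retired zone that starts answering every query, or a resolver that substitutes an address for NXDOMAIN, would otherwise mark all inbound mail as spam.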

Using wildcards and Perl regular expressions


Email address list, MIME headers list, and banned word list entries can include wildcards or Perl regular expressions. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.

Regular expression vs. wildcard match pattern


A wildcard character is a special character that represents one or more other characters. The most commonly used wildcard characters are the asterisk (*), which typically represents zero or more characters in a string of characters, and the question mark (?), which typically represents any one character. In Perl regular expressions, the . character refers to any single character. It is similar to the ? character in wildcard match pattern. As a result:


fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom, fortinetccom, and so on.
Note: To add a question mark (?) character to a regular expression from the FortiGate CLI, enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression from the CLI, you must precede it with another backslash character. For example, fortinet\\.com.

To match a special character such as '.' or '*', use the escape character \. For example, to match fortinet.com, the regular expression should be:
  fortinet\.com
In Perl regular expressions, * means match the character before it zero or more times, not zero or more of any character. For example:
  forti*.com matches fortiiii.com but does not match fortinet.com
To match any character zero or more times, use .*, where . means any character and * means zero or more times. The wildcard match pattern forti*.com should therefore be written as the regular expression forti.*\.com.

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For example, the regular expression test not only matches the word test but also any word that contains test such as atest, mytest, testimony, atestb. The notation \b specifies the word boundary. To match exactly the word test, the expression should be \btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the web and antispam filters. To make a word or phrase case insensitive, use the regular expression /i. For example, /bad language/i will block all instances of bad language, regardless of case.

Perl regular expression formats


Table 53 lists and describes some example Perl regular expression formats.


Table 53: Perl regular expression formats

Expression   Matches
abc          abc (the exact character sequence, but anywhere in the string)
^abc         abc at the beginning of the string
abc$         abc at the end of the string
a|b          Either a or b
^abc|abc$    The string abc at the beginning or at the end of the string
ab{2,4}c     a followed by two, three or four bs followed by a c
ab{2,}c      a followed by at least two bs followed by a c
ab*c         a followed by any number (zero or more) of bs followed by a c
ab+c         a followed by one or more bs followed by a c
ab?c         a followed by an optional b followed by a c; that is, either abc or ac
a.c          a followed by any single character (not newline) followed by a c
a\.c         a.c exactly
[abc]        Any one of a, b and c
[Aa]bc       Either of Abc and abc
[abc]+       Any (nonempty) string of as, bs and cs (such as a, abba, acbabcacaa)
[^abc]+      Any (nonempty) string which does not contain any of a, b, and c (such as defg)
\d\d         Any two decimal digits, such as 42; same as \d{2}
/i           Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
\w+          A word: a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk     The strings 100 and mk optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b        abc when followed by a word boundary (for example, in abc! but not in abcd)
perl\B       perl when not followed by a word boundary (for example, in perlert but not in perl stuff)
/x           Tells the regular expression parser to ignore white space that is neither preceded by a backslash character nor within a character class. Use this to break up a regular expression into (slightly) more readable parts.
/            Used to add regular expressions within other text. If the first character in a pattern is a forward slash '/', the '/' is treated as the delimiter. The pattern must contain a second '/'. The pattern between the two '/' characters is taken as a regular expression, and anything after the second '/' is parsed as a list of regular expression options ('i', 'x', etc). An error occurs if the second '/' is missing. Leading and trailing spaces are treated as part of the regular expression.

Example regular expressions

Block any word in a phrase

  /block|any|word/


Block purposely misspelled words


Spammers often insert other characters between the letters of a word to fool spam blocking software.
  /^.*v.*i.*a.*g.*r.*o.*$/i
  /cr[e][\+\-\*=<>\.\,;!\?%&@\^\$\{\}()\[\]\|\\_01]dit/i

Block common spam phrases


The following phrases are some examples of common phrases found in spam messages.
  /try it for free/i
  /student loans/i
  /youre already approved/i
  /special[\+\-\*=<>\.\,;!\?%&~#@\^\$\{\}()\[\]\|\\_1]offer/i
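The pattern rules in this section (the /.../ delimiter with i and x options, escaping of '.', the forti*.com pitfall, word boundaries, case sensitivity) and the example entries above, exercised in Python as an added example that is not FortiGate code. Python's re module is close enough to Perl for every construct used here. Treating the last '/' in an entry as the closing delimiter, and the sample texts, are assumptions of the example; the six entries in SPAM_PHRASES are the page's own.

```python
import re

OPTIONS = {"i": re.IGNORECASE, "x": re.VERBOSE}


def parse_pattern(entry):
    """Compile a regular expression entry as the page describes it: if the
    entry starts with '/', the text up to the second '/' is the expression and
    what follows it is a list of options ('i', 'x'); a missing second '/' is
    an error. Otherwise the whole entry, including any leading or trailing
    spaces, is the expression. Taking the last '/' as the closing delimiter is
    an assumption of this example."""
    if not entry.startswith("/"):
        return re.compile(entry)
    end = entry.rfind("/")
    if end == 0:
        raise ValueError("second '/' delimiter missing: " + entry)
    flags = 0
    for opt in entry[end + 1:]:
        if opt not in OPTIONS:
            raise ValueError("unknown option '%s' in %s" % (opt, entry))
        flags |= OPTIONS[opt]
    return re.compile(entry[1:end], flags)


def matches(entry, text):
    """True if the entry matches anywhere in text (no implicit anchors)."""
    return parse_pattern(entry).search(text) is not None


# The page's example entries, in list order (first match wins).
SPAM_PHRASES = [
    "/try it for free/i",
    "/student loans/i",
    "/youre already approved/i",
    r"/special[\+\-\*=<>\.\,;!\?%&~#@\^\$\{\}()\[\]\|\\_1]offer/i",
    r"/^.*v.*i.*a.*g.*r.*o.*$/i",
    r"/cr[e][\+\-\*=<>\.\,;!\?%&@\^\$\{\}()\[\]\|\\_01]dit/i",
]


def classify(text):
    """Return the first entry in SPAM_PHRASES that matches text, else None."""
    for entry in SPAM_PHRASES:
        if matches(entry, text):
            return entry
    return None


def wildcard_versus_regex():
    """The forti*.com pitfall: read as a regular expression, '*' repeats the
    preceding 'i' and an unescaped '.' matches any character."""
    return {
        "forti*.com vs fortiiii.com": matches("forti*.com", "fortiiii.com"),
        "forti*.com vs fortinet.com": matches("forti*.com", "fortinet.com"),
        r"forti.*\.com vs fortinet.com": matches(r"forti.*\.com", "fortinet.com"),
        "fortinet.com vs fortinetacom": matches("fortinet.com", "fortinetacom"),
        r"fortinet\.com vs fortinetacom": matches(r"fortinet\.com", "fortinetacom"),
    }


def word_boundary_and_case():
    """Word boundaries, case sensitivity, and the /x option on constructed text."""
    return {
        "test in testimony": matches("test", "testimony"),
        r"\btest\b in testimony": matches(r"\btest\b", "testimony"),
        r"\btest\b in 'a test here'": matches(r"\btest\b", "a test here"),
        "bad language vs BAD LANGUAGE": matches("bad language", "BAD LANGUAGE"),
        "/bad language/i vs BAD LANGUAGE": matches("/bad language/i", "BAD LANGUAGE"),
        r"/100 \s* mk/x vs 100mk": matches(r"/100 \s* mk/x", "100mk"),
        r"100 \s* mk vs 100mk": matches(r"100 \s* mk", "100mk"),
    }


if __name__ == "__main__":
    for text in ("Try It For FREE today", "SPECIAL-OFFER inside", "special offer",
                 "video lag report online", "cre-dit card", "hello world"):
        print(repr(text), "->", classify(text))
    print(wildcard_versus_regex())
    print(word_boundary_and_case())
```

Two results are worth noting when reusing the page's entries. The obfuscation pattern /special[...]offer/i matches SPECIAL-OFFER but not the plain phrase "special offer", so a separate entry is needed for the unobfuscated spelling. The /^.*v.*i.*a.*g.*r.*o.*$/i entry matches any text containing those six letters in order, including the harmless "video lag report online", so expect false positives from patterns of that shape. The backslashes above are written as they would be typed in the web-based manager; from the CLI each one must be doubled, as the note above describes.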
Figure 335: MMS Message Flood

Figure 336: MMS Duplicate Message

Data Leak Prevention


The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data from leaving your network. You can define sensitive data patterns, and data matching these patterns will be blocked and/or logged or archived when passing through the FortiGate unit. The DLP system is configured by creating individual rules, combining the rules into DLP sensors, and then assigning a sensor to a protection profile. Although the primary use of the DLP feature is to stop sensitive data from leaving your network, it can also be used to prevent unwanted data from entering your network and to archive some or all of the content passing through the FortiGate unit.

This section describes how to configure the DLP settings. If you enable virtual domains (VDOMs) on the FortiGate unit, data leak prevention is configured separately for each virtual domain. For details, see Using virtual domains on page 103.

The section describes:
  DLP Sensors
  DLP Rules
  DLP Compound Rules

DLP Sensors
DLP sensors are simply collections of DLP rules and DLP compound rules. Once a DLP sensor is configured, it can be specified in a protection profile. Any traffic handled by the policy in which the protection profile is specified will enforce the DLP sensor configuration.

Viewing the DLP sensor list


To view the available DLP sensors, go to UTM > Data Leak Prevention > Sensor.
Figure 337: DLP sensor list

Create New             Select to create a new DLP sensor.
Name                   The DLP sensor name.
Comment                The optional description of the DLP sensor.
Protection Profiles    The names of the protection profiles in which the DLP sensor is specified are listed.
Delete and Edit icons  Delete or edit the DLP sensor.


Default DLP sensors


A number of default DLP sensors are provided with your FortiGate unit. You can use these as provided, or modify them as required.
Caution: Before use, examine the sensors and rules in the sensors closely to ensure you understand how they will affect the traffic on your network.

Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some content, DLP will not create more than one content archive entry, quarantine item, or ban entry from the same content.

Content_Archive  All non-encrypted email, FTP, HTTP, IM, and NNTP traffic is archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service. Traffic is only archived. No blocking or quarantine is performed. If you have a FortiGate unit that supports SSL content scanning and inspection, you can modify this sensor to archive encrypted traffic as well.
Content_Summary  A summary of all non-encrypted email, FTP, HTTP, IM, and NNTP traffic is saved to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service. No blocking or quarantine is performed. If you have a FortiGate unit that supports SSL content scanning and inspection, you can modify this sensor to archive a summary of encrypted traffic as well.
Credit-Card      The number formats used by American Express, Visa, and Mastercard credit cards are detected in HTTP and email traffic. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.
Large-File       Files larger than 5MB are detected if attached to email messages or if sent using HTTP or FTP. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.
SSN-Sensor       The number formats used by U.S. Social Security and Canadian Social Insurance numbers are detected in email and HTTP traffic. As provided, the sensor is configured not to archive matching traffic and an action of None is set. Configure the action and archive options as required.

Adding and configuring a DLP sensor


You can create a new DLP sensor and configure it to include the DLP rules and DLP compound rules required to protect the traffic leaving your network. A DLP sensor must be created before it can be configured by adding rules and compound rules. To create a DLP sensor, go to UTM > Data Leak Prevention > Sensor and select Create New. Enter the DLP sensor name and optional comment, and select OK. You can then add the required rules and compound rules. To configure a DLP sensor, go to UTM > Data Leak Prevention > Sensor and select the Edit icon of the sensor to be configured. A list of the DLP rules and DLP compound rules included in the DLP sensor is displayed. A newly created sensor will include no rules.


Figure 338: List of rules in a DLP sensor

Name                   The DLP sensor name.
Comment                The optional description of the DLP sensor.
Create New             Select Create New to add a new rule or compound rule to the sensor.
Enable                 You can disable a rule or compound rule by clearing this check box. The item will be listed as part of the sensor, but it will not be used.
Rule name              The names of the rules and compound rules included in the sensor.
Action                 The action configured for each rule. If the selected action is None, no action will be listed. Although archiving is enabled independent of the action, the Archive designation will appear with the selected action. For example, if you select the Block action and enable Archive for a rule, the action displayed in the sensor rule list is Block, Archive.
Comment                The optional description of the rule or compound rule.
Delete and Edit icons  Delete or edit a rule or compound rule.

Adding or editing a rule in a DLP sensor


To add or edit a rule in a DLP sensor, go to UTM > Data Leak Prevention > Sensor and select the Edit icon of the sensor to be configured. To add a DLP rule to a sensor, select Create New. To edit a rule already included in the sensor, select the Edit icon of the rule you want to edit.
Figure 339: Adding a DLP rule to a DLP sensor


Action
  Select the action to be taken against traffic matching the configured DLP rule or DLP compound rule. The actions are:
  None: Prevents the DLP rule from taking any action on network traffic. Other matching rules in the same sensor and other sensors may still operate on matching traffic.
  Block: Prevents the traffic matching the rule from being delivered. The matching message or download is replaced with the Data leak prevention replacement message.
  Exempt: Prevents any DLP sensors from taking action on matching traffic. This action overrides any other action from any matching sensors.
  Ban: If the user is authenticated, blocks all traffic to or from the user using the protocol that triggered the rule, and adds the user to the Banned User list. If the user is not authenticated, all traffic of the protocol that triggered the rule from the user's IP address is blocked. If the banned user is using HTTP, FTP, NNTP (or HTTPS if the FortiGate unit supports SSL content scanning and inspection), the FortiGate unit displays the Banned by data leak prevention replacement message for the protocol. If the user is using IM, the IM and P2P Banned by data leak prevention message replaces the banned IM message and this message is forwarded to the recipient. If the user is using IMAP, POP3, SMTP (or IMAPS, POP3S, SMTPS if your FortiGate unit supports SSL content scanning and inspection), the Mail Banned by data leak prevention message replaces the banned email message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list.
  Ban Sender: Blocks email or IM traffic from the sender of matching email or IM messages and adds the sender to the Banned User list. This action is available only for email and IM protocols. For email, the sender is determined by the From: address in the email header. Because the From: header is supplied by the sending client, it can be forged, and a forged From: address causes the wrong sender to be banned. For IM, all members of an IM session are senders, and the senders are determined by finding the IM user IDs in the session. As with Ban, the IM or Mail Banned by data leak prevention message replaces the banned message and this message is forwarded to the recipient. These replacement messages also replace all subsequent communication attempts until the user is removed from the banned user list.
  Quarantine IP address: Blocks access through the FortiGate unit for any IP address that sends traffic matching a sensor with this action. The IP address is added to the Banned User list. The FortiGate unit displays the NAC Quarantine DLP Message replacement message for all connection attempts from this IP address until the IP address is removed from the banned user list.
  Quarantine Interface: Blocks access to the network for all users connecting to the interface that received traffic matching a sensor with this action. The FortiGate unit displays the NAC Quarantine DLP Message replacement message for all connection attempts to the interface until the interface is removed from the banned user list.
  Ban, Ban Sender, Quarantine IP, and Quarantine Interface provide functionality similar to NAC quarantine. However, these DLP options cause DLP to block users and IP addresses at the application layer, while NAC quarantine blocks IP addresses and interfaces at the network layer. For more information, see NAC quarantine and the Banned User list on page 595. For more information about configuring DLP replacement messages, see Replacement messages on page 194.
  If you have configured DLP to block IP addresses and the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device could be blocked, not just individual users. You can avoid this problem by implementing authentication or, where possible, by selecting Ban Sender.

Archive      Content archive all traffic matching the DLP rule or compound rule. For more information about content archiving, see Content Archive on page 667.
Expires      When the action is set to Ban, Ban Sender, or Quarantine IP address, you can specify how long the ban will last. Select Indefinite for a ban ending only if the offender is manually removed from the banned user list, or select After and enter the required number of minutes, hours or days the ban will last. When the specified duration expires, the offender is automatically removed from the banned user list.
Member Type  Select Rule or Compound Rule. The rules of the selected type are displayed in the table below.
Name         The names of all available rules or compound rules.
Description  The optional description entered for each rule or compound rule.


Tip: The None action can be extremely useful when used with the Archive function. Together, these two settings make a rule log matching traffic but allow it to pass. This is useful when adding a new rule to a FortiGate unit handling live traffic: the effect of the new rule can be checked before it has any effect on network traffic.

DLP Rules
DLP rules are the core element of the data leak prevention feature. These rules define the data to be protected so the FortiGate unit can recognize it. For example, an included rule uses a regular expression to describe a U.S. Social Security number:
  ([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}
Rather than having to list every possible Social Security number, this regular expression describes the structure of a Social Security number. The pattern is easily recognizable by the FortiGate unit. For more information about regular expressions, see Using wildcards and Perl regular expressions on page 506.

DLP rules can be combined into compound rules and they can be included in sensors. If rules are specified directly in a sensor, traffic matching any single rule will trigger the configured action. If the rules are first combined into a compound rule and then specified in a sensor, every rule in the compound rule must match the traffic to trigger the configured action. Individual rules in a sensor are linked with an implicit OR condition, while rules within a compound rule are linked with an implicit AND condition.
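The OR-within-a-sensor and AND-within-a-compound-rule semantics, the Exempt override, the independent Archive flag and the size comparison operators, modelled in Python as an added example that is not FortiGate code. The Social Security number expression is the one given above; the rule helpers, the sensor, the sample messages, the message field names and the precedence used when several non-exempt entries match are constructed for the example.

```python
import re

# Regular expression the page gives for a U.S. Social Security number.
US_SSN = re.compile(r"([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}")

# Messages are dicts as a scanner would see them after protocol decoding.
# Field names and all sample values are constructed for this example.


def rule_body(pattern):
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg.get("body", "")) is not None


def rule_protocol(*protocols):
    return lambda msg: msg.get("protocol") in protocols


def rule_sender(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda msg: rx.search(msg.get("sender", "")) is not None


# The size operators the rule editor offers.
SIZE_OPS = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b,
            "<=": lambda a, b: a <= b, "!=": lambda a, b: a != b}


def rule_attachment_size(op, limit):
    return lambda msg: SIZE_OPS[op](msg.get("attachment_size", 0), limit)


def compound(*rules):
    """Rules inside a compound rule are linked with an implicit AND."""
    return lambda msg: all(rule(msg) for rule in rules)


# Precedence when several sensor entries match: Exempt overrides everything;
# the rest are ordered here by how much traffic they block. This ordering is
# an assumption of the example, not something the page specifies.
SEVERITY = ["none", "block", "ban-sender", "ban", "quarantine-ip", "quarantine-interface"]


def evaluate_sensor(sensor, msg):
    """Entries in a sensor are linked with an implicit OR: any enabled entry
    that matches triggers. Archive is decided independently of the action and
    is recorded once, however many entries matched."""
    matched = [e for e in sensor if e.get("enabled", True) and e["match"](msg)]
    if not matched:
        return {"matched": [], "action": None, "archive": False}
    names = [e["name"] for e in matched]
    archive = any(e.get("archive", False) for e in matched)
    if any(e["action"] == "exempt" for e in matched):
        return {"matched": names, "action": "exempt", "archive": archive}
    action = max((e["action"] for e in matched), key=SEVERITY.index)
    return {"matched": names, "action": action, "archive": archive}


EMAIL = ("smtp", "pop3", "imap")
# Constructed sensor: two compound rules and one plain rule.
SENSOR = [
    {"name": "SSN-over-Email", "action": "block", "archive": True,
     "match": compound(rule_body(US_SSN.pattern), rule_protocol(*EMAIL))},
    {"name": "HR-Payroll-Exempt", "action": "exempt",
     "match": compound(rule_sender(r"@hr\.example\.com$"), rule_protocol(*EMAIL))},
    {"name": "Large-Attachment", "action": "none", "archive": True,
     "match": rule_attachment_size(">=", 5 * 1024 * 1024)},
]

# Constructed sample messages.
SSN_FROM_STAFF = {"protocol": "smtp", "sender": "bob@example.com",
                  "body": "SSN on file: 123-45-6789", "attachment_size": 0}
SSN_FROM_HR = dict(SSN_FROM_STAFF, sender="payroll@hr.example.com")
SSN_OVER_HTTP = dict(SSN_FROM_STAFF, protocol="http-post", sender="")
BIG_ATTACHMENT = {"protocol": "imap", "sender": "bob@example.com",
                  "body": "see attached", "attachment_size": 6 * 1024 * 1024}

if __name__ == "__main__":
    for label, msg in (("staff", SSN_FROM_STAFF), ("hr", SSN_FROM_HR),
                       ("http", SSN_OVER_HTTP), ("big", BIG_ATTACHMENT)):
        print(label, evaluate_sensor(SENSOR, msg))
```

Note that the expression as written requires the second separator, so 123456789 with no separators does not match it, and that the first three digits are restricted to 001 through 772; the messages above exercise both.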

Viewing the DLP rule list


To view the DLP rule list, go to UTM > Data Leak Prevention > Rule.
Figure 340: The DLP rule list

Create New             Select Create New to add a new rule.
Name                   The rule name.
Comments               The optional description of the rule.
Compound Rules         If the rule is included in any compound rules, the compound rule names are listed here.
DLP Sensors            If the rule is used in any sensors, the sensor names are listed here.
Delete and Edit icons  Delete or edit a rule. If a rule is used in a compound rule or a sensor, the delete icon will not be available. Remove the rule from the compound rule or sensor and then delete it.


Default DLP rules


A number of default DLP rules are provided with your FortiGate unit. You can use these as provided, or modify them as required.
Note: These rules affect only unencrypted traffic types. If you are using a FortiGate unit able to decrypt and examine encrypted traffic, you can enable those traffic types in these rules to extend their functionality if required.

Caution: Before use, examine the rules closely to ensure you understand how they will affect the traffic on your network.

All-Email, All-FTP, All-HTTP, All-IM, All-NNTP
  These rules detect all traffic of the specified type.
Email-AmEx, Email-Canada-SIN, Email-US-SSN, Email-Visa-Mastercard
  These four rules detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social Security Numbers, or Visa and Mastercard numbers within the message bodies of SMTP, POP3, and IMAP email traffic.
HTTP-AmEx, HTTP-Canada-SIN, HTTP-US-SSN, HTTP-Visa-Mastercard
  These four rules detect American Express numbers, Canadian Social Insurance Numbers, U.S. Social Security Numbers, or Visa and Mastercard numbers within the POST command in HTTP traffic. The HTTP POST is used to send information to a web server. As written, these rules are designed to detect data the user is sending to web servers. They do not detect data retrieved with the HTTP GET command, which is used to load web pages.
Large-Attachment
  This rule detects files larger than 5MB attached to SMTP, POP3, and IMAP email messages.
Large-FTP-Put
  This rule detects files larger than 5MB sent using the FTP PUT command. Files received using FTP GET are not examined.
Large-HTTP-Post
  This rule detects files larger than 5MB sent using HTTP POST. Files received using HTTP GET are not examined.

Adding or configuring DLP rules


Go to UTM > Data Leak Prevention > Rule. To add a new rule, select Create New. To edit an existing rule, select the edit icon of the rule to be changed.


Figure 341: DLP rule for HTTP traffic

Name                  The name of the rule.
Comments              An optional comment describing the rule.
Protocol              Select the type of content traffic that the DLP rule applies to. The available rule options vary depending on the protocol that you select. You can select the following protocols: Email, HTTP, FTP, NNTP, and Instant Messaging.
AIM, ICQ, MSN, Yahoo! When you select the Instant Messaging protocol, you can configure the rule to apply to file transfers using any or all of the supported IM protocols (AIM, ICQ, MSN, and Yahoo!). Only file transfers using the IM protocols are subject to DLP rules. IM messages are not scanned.
HTTP POST, HTTP GET   When you select the HTTP protocol, you can configure the rule to apply to HTTP POST or HTTP GET traffic or both.
HTTPS POST, HTTPS GET When you select the HTTP protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also configure the HTTP rule to apply to HTTPS GET or HTTPS POST traffic or both. For more information about SSL content scanning and inspection, see Configuring SSL content scanning and inspection on page 402. To scan these encrypted traffic types, you must set HTTPS Content Filtering Mode to Deep Scan (Decrypt on SSL Traffic) in the Protocol Recognition section of the protection profile. If URL Filtering is selected instead, the DLP sensors will not scan HTTPS content.
FTP PUT, FTP GET      When you select the FTP protocol, you can configure the rule to apply to FTP PUT or FTP GET traffic or both.
SMTP, IMAP, POP3      When you select the Email protocol, you can configure the rule to apply to any or all of the supported email protocols (SMTP, IMAP, and POP3).
SMTPS, IMAPS, POP3S   When you select the Email protocol, if your FortiGate unit supports SSL content scanning and inspection, you can also configure the rule to apply to SMTPS, IMAPS, POP3S or any combination of these protocols. For more information about SSL content scanning and inspection, see Configuring SSL content scanning and inspection on page 402.


File Options

You can select file options for any protocol to configure how the DLP rule handles archive files, MS-Word files, and PDF files found in content traffic.

Scan archive contents     When selected, files within archives are extracted and scanned in the same way as files that are not archived.
Scan archive files whole  When selected, archives are scanned as a whole. The files within the archive are not extracted and scanned individually.
Scan MS-Word text         When selected, the text contents of MS Word DOC documents are extracted and scanned for a match. All metadata and binary information is ignored. Note: Office 2007/2008 DOCX files are not recognized as MS-Word by the DLP scanner. To scan the contents of DOCX files, select the Scan archive contents option.
Scan MS-Word file whole   When selected, MS Word DOC files are scanned. All binary and metadata information is included. If you are scanning for text entered in a DOC file, use the Scan MS-Word text option. Binary formatting codes and file information may appear within the text, causing text matches to fail. Note: Office 2007/2008 DOCX files are not recognized as MS-Word by the DLP scanner. To scan the contents of DOCX files, select the Scan archive contents option.
Scan PDF text             When selected, the text contents of PDF documents are extracted and scanned for a match. All metadata and binary information is ignored.
Scan PDF file whole       When selected, PDF files are scanned. All binary and metadata information is included. If you are scanning for text in PDF files, use the Scan PDF text option. Binary formatting codes and file information may appear within the text, causing text matches to fail.

Rule

Use the Rule settings to configure the content that the DLP rule matches.

Attachment size        Check the attachment file size. This option is available for Email.
Attachment type        Search email messages for file types or file patterns as specified in the selected file filter. This option is available for Email.
Authenticated User     Search for traffic from the specified authenticated user.
Binary file pattern    Search for the specified binary string in network traffic.
Body                   Search for the specified string in the message or page body. This option is available for Email, HTTP, and NNTP.
CGI parameters         Search for the specified CGI parameters in any web page with CGI code. This option is available for HTTP.
Cookie                 Search the contents of cookies for the specified text. This option is available for HTTP.
File is/not encrypted  Check whether the file is or is not encrypted. Encrypted files are archives and MS Word files protected with passwords. Because they are password protected, the FortiGate unit cannot scan the contents of encrypted files.
File text              Search for the specified text in transferred text files. This option is available for FTP, IM, and NNTP.
File type              Search for the specified file patterns and file types. The patterns and types are configured in file filter lists, and a list is selected in the DLP rule. For more information about file filter lists, see File Filter on page 443. This option is available for FTP, HTTP, IM, and NNTP.
Hostname               Search for the specified host name when contacting an HTTP server.
HTTP header            Search for the specified string in HTTP headers.

518

Data Leak Prevention

DLP Compound Rules

Receiver Sender

Search for the specified string in the message recipient email address. This option is available for Email. Search for the specified string in the message sender user ID or email address. This option is available for Email and IM. For email, the sender is determined by the From: address in the email header. For IM, all members of an IM session are senders and the senders are determined by finding the IM user IDs in the session. Search for the servers IP address in a specified address range. This option is available for FTP, NNTP. Search for the specified string in the message subject. This option is available for Email. Check the total size of the information transfer. In the case of email traffic for example, the transfer size includes the message header, body, and any encoded attachment. Search for the specified URL in HTTP traffic. Search for traffic from any user in the specified user group.

Server Subject Transfer size

URL User group

Rule operators:
matches/does not match This operator specifies whether the FortiGate unit is searching for the presence of specified string, or for the absence of the specified string. Matches: The rule will be triggered if the specified string is found in network traffic. Does not match: The rule will be triggered if the specified string is not found in network traffic. Select the encoding used for text files and messages. Select the means by which patterns are defined. For more information about wildcards and regular expressions, see Using wildcards and Perl regular expressions on page 506 This operator specifies if the rule is triggered when a condition is true or not true. Is: The rule will be triggered if the rule is true. Is not: The rule will be triggered if the rule is not true. For example, if a rule specifies that a file type is found within a specified file type list, all matching files will trigger the rule. Conversely, if the rule specifies that a file type is not found in a file type list, only the file types not in the list would trigger the rule. These operators allow you to compare the size of a transfer or attached file to an entered value. == is equal to the entered value. >= is greater than or equal to the entered value. <= is less than or equal to the entered value. != is not equal to the entered value.

ASCII/UTF-8 Regular Expression/Wildcard is/is not

==/>=/<=/!=

DLP Compound Rules


DLP compound rules are groupings of DLP rules that also change the way the rules behave when added to a DLP sensor. An individual rule can be configured with only a single attribute; when that attribute is found in network traffic, the rule is activated. Compound rules allow you to group individual rules to specify far more detailed activation conditions: each included rule is still configured with a single attribute, but every attribute must be present before the compound rule is activated. For example, create two rules and add them to a sensor:
Rule 1 checks SMTP traffic for a sender address of spammer@example.com
Rule 2 checks SMTP traffic for the word sale in the message body

When the sensor is used, either rule is activated if its configured condition is true. If only one condition is true, only the corresponding rule is activated. Depending on the contents of the SMTP traffic, neither, either, or both could be activated. If you remove these rules from the sensor, add them to a compound rule, and add the compound rule to the sensor, the conditions in both rules have to be present in network traffic to activate the compound rule. If only one condition is present, the message passes without any rule or compound rule being activated. By combining the individually configurable attributes of multiple rules, compound rules allow you to specify far more detailed and specific conditions to trigger an action.
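The following Python script is an added example, not FortiOS code and not part of this guide. It models the rule operators listed in the DLP rule table above (matches/does not match, Regular Expression/Wildcard, and the size comparison operators) together with the compound-rule behaviour just described, so the OR-versus-AND difference between separate rules and a compound rule can be seen on concrete input. The rule names, the message fields used as stand-ins for DLP attributes, and the three sample SMTP messages are constructed for illustration.

```python
"""Model of FortiGate DLP rule and compound-rule evaluation.

Added example: this is not FortiOS code. Messages are plain dictionaries whose
keys stand in for DLP rule attributes (sender, body, attachment size); all
sample data below is constructed for illustration.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Union

Message = Dict[str, Union[str, int]]

# Size comparison operators offered for Attachment size / Transfer size rules.
SIZE_OPS = {
    "==": lambda a, b: a == b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b,
}


@dataclass
class Rule:
    """One DLP rule: a single attribute, one operator and one pattern."""
    name: str
    attribute: str           # message field the rule inspects, e.g. "sender"
    operator: str            # "matches", "does not match", or a SIZE_OPS key
    pattern: str             # wildcard/regex text, or a number for size operators
    style: str = "wildcard"  # "wildcard" or "regex" (Regular Expression/Wildcard)

    def triggered(self, msg: Message) -> bool:
        value = msg.get(self.attribute, "")
        if self.operator in SIZE_OPS:
            return SIZE_OPS[self.operator](int(value or 0), int(self.pattern))
        text = str(value)
        if self.style == "regex":
            found = re.search(self.pattern, text, re.IGNORECASE) is not None
        else:
            # Wildcard patterns use * and ?; compare case-insensitively against
            # the whole field, so "*sale*" finds the word anywhere in a body.
            found = fnmatch.fnmatchcase(text.lower(), self.pattern.lower())
        if self.operator == "matches":
            return found
        if self.operator == "does not match":
            return not found
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class CompoundRule:
    """A compound rule fires only when every member rule fires (logical AND)."""
    name: str
    rules: List[Rule]

    def triggered(self, msg: Message) -> bool:
        return all(rule.triggered(msg) for rule in self.rules)


def sensor_hits(members, msg: Message) -> List[str]:
    """Names of the sensor members (rules or compound rules) activated by msg.

    Separate rules in a sensor are evaluated independently, so any one of them
    can fire on its own; a compound rule is one member with an AND inside it.
    """
    return [m.name for m in members if m.triggered(msg)]


# Constructed sample SMTP messages (not captured traffic).
SPAM_SALE = {"sender": "spammer@example.com", "body": "Big sale today, act now", "attachment_size": 12_000}
SPAM_ONLY = {"sender": "spammer@example.com", "body": "Quarterly report attached", "attachment_size": 2_500_000}
SALE_ONLY = {"sender": "alice@example.org", "body": "Our yard sale is Saturday", "attachment_size": 0}

# Rule 1 and Rule 2 from the text, plus a size rule to show the comparison operators.
RULE1 = Rule("sender_is_spammer", "sender", "matches", "spammer@example.com")
RULE2 = Rule("body_mentions_sale", "body", "matches", "*sale*")
BIG_ATTACHMENT = Rule("attachment_over_1mb", "attachment_size", ">=", "1000000")
COMPOUND = CompoundRule("spammer_and_sale", [RULE1, RULE2])


def separate_rules(msg: Message) -> List[str]:
    """Sensor containing Rule 1 and Rule 2 as separate members."""
    return sensor_hits([RULE1, RULE2], msg)


def compound_rule(msg: Message) -> List[str]:
    """Sensor containing only the compound rule built from Rule 1 and Rule 2."""
    return sensor_hits([COMPOUND], msg)


if __name__ == "__main__":
    for label, msg in (("spam+sale", SPAM_SALE), ("spam only", SPAM_ONLY), ("sale only", SALE_ONLY)):
        print(f"{label:10} separate={separate_rules(msg)} compound={compound_rule(msg)}")
```

Run as a script, the output shows the separate rules firing on all three messages (one or both of them) while the compound rule fires only on the message that is both from spammer@example.com and mentions a sale; the size rule fires only on the 2.5 MB attachment.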

Viewing the DLP compound rule list


To view the DLP compound rule list, go to UTM > Data Leak Prevention > Compound.
Figure 342: DLP compound rule list

Create New: Select Create New to add a new compound rule.
Name: The compound rule name.
Comments: The optional description of the compound rule.
DLP sensors: If the compound rule is used in any sensors, the sensor names are listed here.
Delete and Edit icons: Delete or edit a compound rule. If a compound rule is used in a sensor, the delete icon is not available. Remove the compound rule from the sensor and then delete it.

Adding and configuring DLP compound rules


Go to UTM > Data Leak Prevention > Compound. To add a new compound rule, select Create New. To edit an existing compound rule, select the edit icon of the compound rule to be changed.
Figure 343: DLP compound rule

Name: The compound rule name.
Comments: An optional description of the compound rule.
Protocol: The network protocol to which the compound rule applies.
HTTP POST/GET: When the protocol is set to HTTP, select whether to have the compound rule apply to POST, GET, or both types of HTTP transactions.
FTP PUT/GET: When the protocol is set to FTP, select whether to have the compound rule apply to PUT, GET, or both types of FTP transactions.
Rules: Select the rule to include in the compound rule.
Add Rule: Select the Add Rule icon to have another rule selection appear. This way, multiple rules may be added to the compound rule.

Application Control
This section describes how to configure the application control options associated with firewall protection profiles. If you enable virtual domains (VDOMs) on the FortiGate unit, the application control configuration of each VDOM is entirely separate. For example, application lists created in one VDOM will not be visible in other VDOMs. For details, see Using virtual domains on page 103.
This section describes:
What is application control?
FortiGuard application control database
Viewing the application control lists
Creating a new application control list
Configuring an application control list
Adding or configuring an application control list entry
Application control statistics

What is application control?


Using the application control UTM feature, your FortiGate unit can detect and take action against network traffic depending on the application generating the traffic. Based on FortiGate Intrusion Protection protocol decoders, application control is a more user-friendly and powerful way to use Intrusion Protection features to log and manage the behavior of application traffic passing through the FortiGate unit. Application control uses IPS protocol decoders that analyze network traffic to detect application traffic even if the traffic uses non-standard ports or protocols. The FortiGate unit can recognize the network traffic generated by a large number of applications. You can create application control lists that specify the action to take with the traffic of the applications you need to manage and the network on which they are active. Add application control lists to protection profiles applied to the network traffic you need to monitor.

FortiGuard application control database


Fortinet is constantly increasing the list of applications that application control can detect by adding applications to the FortiGuard Application Control Database. Because intrusion protection protocol decoders are used for application control, the application control database is part of the FortiGuard Intrusion Protection System Database and both of these databases have the same version number. To view the version of the application control database installed on your FortiGate unit, go to the License Information dashboard widget and find IPS Definitions version. To see the complete list of applications supported by FortiGuard Application Control go to the FortiGuard Application Control List. This web page lists all of the supported applications. You can select any application name to see details about the application.

Figure 344: ISIS.Over.IPv4 application page

Viewing the application control lists


Each application control list contains details about the application traffic to be monitored and the actions to be taken when it is detected. To take effect, an application control list must be selected in a protection profile. No default lists are provided. To view the application control lists, go to UTM > Application Control.
Figure 345: The application control lists

Create New: Select Create New to add a new application control list.
Name: The available application control lists.
# of Entries: The number of application rules in each application control list.
Profiles: The protection profile each application control list has been applied to. If the list has not been applied to a protection profile, this field is blank.
Comment: An optional description of each application control list.
Delete icon: Select to remove the application control list. The delete icon is only available if the application control list is not selected in any protection profiles.
Edit icon: Select to edit the application control list.

Creating a new application control list


To create a new application control list, go to UTM > Application Control > Control List and select Create New. Enter a name and, optionally, a comment or description. Select OK. Since a new application control list is blank, the list edit window appears. For information on creating application control list entries, see Configuring an application control list on page 525.

Figure 346: The create a new application control list dialog window

Name: Enter the name of the application control list.
Comments: Optionally, enter a comment or description.

Configuring an application control list


To configure an application control list, go to UTM > Application Control > Control List and select the Edit icon of the list you want to configure. The FortiGate unit examines network traffic for the application entries in the listed order, one at a time, from top to bottom. Whenever a match is detected, the action specified in the matching rule is applied to the traffic and further checks for application entry matches are stopped. Because of this, you can use both actions to create a complex rule with fewer entries. For example, if your organization has standardized on AIM for instant messaging, you can allow AIM and block all other IM clients with just two entries. First, create an entry in which AIM is the specified application. Set the action to Pass. Then create an entry in which the Category is im, the Application is all, and the action is Block. Since the entries are checked from top to bottom, AIM traffic will trigger the first rule, and be passed. All other detected IM traffic will trigger the second rule, and the FortiGate unit will block it.
Figure 347: Editing an application control list

Name: The name of the application control list.
Comments: Enter or edit a comment about the list. The comment is optional.
Other Applications: Other applications are those the FortiGate unit does not recognize, or applications that are recognized but not configured in the application control list. You can select whether to block or allow other application traffic, and also whether to log it.
Action: Select the action the FortiGate unit takes with other application traffic.
Log: Select whether the FortiGate unit will log other application traffic.
Create New: Select to create a new application entry.
ID: A unique number used primarily when re-ordering application entries.
Category: The category indicates the scope of the applications included in the application entry if Application is set to all. For example, if Application is all and Category is toolbar, then all the toolbar applications are included in the application entry even though they are not specified individually. If Application is a single application, the value in Category has no effect on the operation of the application entry.
Application: The FortiGate unit will examine network traffic for the listed application. If Application is all, every application in the selected category is included.
Action: If the FortiGate unit detects traffic from the specified application, the selected action will be taken.
Logging: If traffic from the specified application is detected, the FortiGate unit will log the occurrence and the action taken.
Delete icon: Select to delete the application entry.
Edit icon: Select to edit the application entry.
Insert Application Before icon: Select to create a new application entry above the entry in which you selected the icon.
Move To icon: Select to move the application entry to a different position in the list.
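The following Python script is an added example, not FortiOS code and not part of this guide. It models the top-to-bottom, first-match evaluation described above, including the Other Applications default, and uses the AIM example to show why entry order matters: the same two entries in the opposite order silently block AIM. It also includes a small check for entries that can never fire because an earlier entry covers them. The category and application names and the detected flows are constructed; the check assumes, as the web-based manager's category filter encourages, that a single-application entry is created under that application's own category.

```python
"""Model of the ordered, first-match evaluation of an application control list.

Added example, not FortiOS code. Application and category names below are
constructed; on a FortiGate unit the list is evaluated by the IPS decoders.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    category: str     # only consulted when application is "all"
    application: str  # a single application name, or "all" for the whole category
    action: str       # "pass" or "block"

    def covers(self, category: str, application: str) -> bool:
        if self.application == "all":
            return self.category == category
        # For a single application the Category field has no effect on matching.
        return self.application == application


@dataclass
class AppControlList:
    entries: List[Entry]
    other_action: str = "pass"  # Other Applications action for unmatched traffic

    def decide(self, category: str, application: str) -> Tuple[str, Optional[int]]:
        """Action for a detected application, plus the index of the entry that
        decided it (None when the Other Applications default applied).

        Entries are checked top to bottom; the first match wins and no further
        entries are consulted.
        """
        for index, entry in enumerate(self.entries):
            if entry.covers(category, application):
                return entry.action, index
        return self.other_action, None


def shadowed_entries(entries: List[Entry]) -> List[int]:
    """Indexes of entries that can never fire because an earlier entry already
    matches everything they would match. Assumes single-application entries
    sit under their own category. A shadowed entry usually means the list is
    in the wrong order, e.g. a category-wide block placed above a specific pass.
    """
    shadowed = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            whole_category = earlier.application == "all" and later.category == earlier.category
            same_app = earlier.application != "all" and earlier.application == later.application
            if whole_category or same_app:
                shadowed.append(j)
                break
    return shadowed


# Constructed detections: (category, application) as the decoders would report them.
DETECTED = [("im", "AIM"), ("im", "MSN"), ("im", "Yahoo"), ("p2p", "BitTorrent")]

# The two-entry list from the text: pass AIM, block every other IM application.
STANDARD_ON_AIM = AppControlList(
    [Entry("im", "AIM", "pass"), Entry("im", "all", "block")],
    other_action="pass",
)

# The same two entries in the wrong order: the category-wide block hides the AIM pass.
WRONG_ORDER = AppControlList(
    [Entry("im", "all", "block"), Entry("im", "AIM", "pass")],
    other_action="pass",
)


def decisions(acl: AppControlList) -> dict:
    """Map each detected application to the action the list takes on it."""
    return {app: acl.decide(cat, app)[0] for cat, app in DETECTED}


if __name__ == "__main__":
    print("correct order:", decisions(STANDARD_ON_AIM), "shadowed:", shadowed_entries(STANDARD_ON_AIM.entries))
    print("wrong order:  ", decisions(WRONG_ORDER), "shadowed:", shadowed_entries(WRONG_ORDER.entries))
```

With the entries in the order the text recommends, AIM is passed and MSN and Yahoo are blocked; BitTorrent matches no entry and falls through to the Other Applications action. With the order reversed the first entry blocks all IM traffic, including AIM, and the AIM entry is reported as shadowed.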

Adding or configuring an application control list entry


To add a new application control list entry or edit an existing one, go to UTM > Application Control > Control List, and select the Edit icon for the list you want to modify. To add a new entry, select Create New. To edit an existing entry, select the Edit icon of the entry you want to modify.
Figure 348: The application control list entry for FTP.

Category: The applications are categorized by type. If you want to choose an IM application, for example, select the im category, and the application list will show only the im applications. The Category selection can also be used to specify an entire category of applications. To select all IM applications, for example, select the im category, and select all as the application. This specifies all the IM applications with a single application control list entry.
Application: The FortiGate unit will examine network traffic for the listed application. If Application is all, every application in the selected category is included.
Action: If the FortiGate unit detects traffic from the specified application, the selected action will be taken.
Options:
Session TTL: The application's session TTL. If this option is not enabled, the TTL defaults to the setting of the config system session-ttl CLI command.
Enable Logging: When enabled, the FortiGate unit will log the occurrence and the action taken if traffic from the specified application is detected.

In addition to these options, some IM applications and VoIP protocols have additional options:
IM options
Block Login: Select to prevent users from logging in to the selected IM system.
Block File Transfers: Select to prevent the sending and receiving of files using the selected IM system.
Block Audio: Select to prevent audio communication using the selected IM system.
Inspect Non-standard Port: Select to allow the FortiGate unit to examine non-standard ports for the IM client traffic.
Display content meta-information on the system dashboard: Select to include meta-information detected for the IM system on the FortiGate unit dashboard.
VoIP options
Limit Call Setup: Enter the maximum number of calls each client can set up per minute.
Limit REGISTER request: Enter the maximum number of REGISTER requests per second allowed for the firewall policy.
Limit INVITE request: Enter the maximum number of INVITE requests per second allowed for the firewall policy.
Enable Logging of Violations: Select to enable logging of violations.
Other options
Command: Some traffic types include a command option. Specify a command that appears in the traffic that you want to block or pass. For example, enter GET as a command in the FTP.Command application to have the FortiGate unit examine FTP traffic for the GET command. Multiple commands can be entered.
Method: A method option is available for the HTTP, RTSP, and SIP protocols. Specify a method that appears in the traffic that you want to block or pass. For example, enter POST as a method in the HTTP.Method application to have the FortiGate unit examine HTTP traffic for the POST method. Multiple methods can be entered.
Program Number: Enter the program number appearing in Sun Remote Procedure Calls (RPC) that you want to block or pass. Multiple program numbers can be entered.
UUID: Enter the UUID appearing in Microsoft Remote Procedure Calls (MSRPC) that you want to block or pass. Multiple UUIDs can be entered.

Application control statistics


The FortiGate unit maintains statistics on selected IM and P2P applications, and VoIP protocols. You can use these statistics to gain insight into how the protocols are being used within your network. To view these statistics, go to UTM > Application Control > Statistics.

Figure 349: Application control statistics

Automatic Refresh Interval: Select the automatic refresh interval for statistics. Set the interval from none to 30 seconds.
Refresh: Click to refresh the page with the latest statistics.
Reset Stats: Click to reset the statistics to zero.
Users: For each IM protocol, the following user information is listed: Current Users, (Users) Since Last Reset, (Users) Blocked.
Chat: For each IM protocol, the following chat information is listed: Total Chat Sessions, Server-based Chat (Sessions), Group Chat (Sessions), Direct/Private Chat (Sessions).
Messages: For each IM protocol, the following message information is listed: Total Messages, Sent, Received.
File Transfers: For each IM protocol, the following file transfer information is listed: (Files transferred) Since Last Reset, (Files) Sent, (Files) Received, (Files) Blocked.
Voice Chat: For each IM protocol, the following voice chat information is listed: (Voice chats) Since Last Reset, (Voice chats) Blocked.
P2P Usage: For each P2P protocol, the following usage information is listed: Total Bytes (transferred), Average Bandwidth. If the action for a P2P application is set to Pass, the statistics display the total usage of the P2P application. Applications set to Block do not affect the statistics. Note that the same application can have different actions set in different application control lists. In this case, the traffic handled by the lists with the Pass action is reflected in the statistics; the traffic handled by the lists with the Block action is not.
VoIP Usage: For the SIP and SCCP protocols, the following information is listed: Active Sessions (phones connected, etc.), Total Calls (since last reset), Calls Failed/Dropped, Calls Succeeded.

IPSec VPN
This section provides information about Internet Protocol Security (IPSec) VPN configuration options available through the web-based manager. FortiGate units support both policy-based (tunnel-mode) and route-based (interface mode) VPNs.
Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN User Guide.

If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is configured separately for each virtual domain. For details, see Using virtual domains on page 103.
This section describes:
Overview of IPSec VPN configuration
Policy-based versus route-based VPNs
Auto Key
Manual Key
Internet browsing configuration
Concentrator
Monitoring VPNs

Overview of IPSec VPN configuration


FortiGate units implement the Encapsulated Security Payload (ESP) protocol. The encrypted packets look like ordinary packets that can be routed through any IP network. Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates. As an option, you can specify manual keys. Interface mode, supported in NAT/Route mode only, creates a virtual interface for the local end of a VPN tunnel. Use the following configuration procedure for all IPSec VPNs:
1 Define the phase 1 parameters that the FortiGate unit needs to authenticate remote peers or clients and establish a secure connection. See Creating a new phase 1 configuration on page 534.
2 Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with a remote peer or dialup client. See Creating a new phase 2 configuration on page 538.
Note: You must use steps 1 and 2 if you want the FortiGate unit to generate unique IPSec encryption and authentication keys automatically. If a remote VPN peer or client requires a specific IPSec encryption or authentication key, you must configure the FortiGate unit to use manual keys instead. For more information, see Manual Key on page 541.

3 Create a firewall policy to permit communication between your private network and the VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-based VPN, the firewall policy action is ACCEPT. See Configuring firewall policies on page 323.
For more information about configuring IPSec VPNs, see the FortiGate IPSec VPN User Guide.

Policy-based versus route-based VPNs


FortiGate units support both policy-based and route-based VPNs. Generally, you can configure route-based VPNs more easily than policy-based VPNs. However, the two types have different requirements that limit where you can use them, as shown in Table 54.
Table 54: Comparison of policy-based and route-based VPNs
Policy-based: Available in NAT/Route or Transparent mode. Requires a firewall policy with IPSEC action that specifies the VPN tunnel. One policy controls connections in both directions.
Route-based: Available only in NAT/Route mode. Requires only a simple firewall policy with ACCEPT action. A separate policy is required for connections in each direction.

You create a policy-based VPN by defining an IPSEC firewall policy between two network interfaces and associating it with the VPN tunnel (phase 1 or manual key) configuration. You need only one firewall policy, even if either end of the VPN can initiate a connection. You create a route-based VPN by enabling IPSec interface mode when you create the VPN phase 1 or manual key configuration. This creates a virtual IPSec interface that is bound to the local interface you selected. You then define an ACCEPT firewall policy to permit traffic to flow between the virtual IPSec interface and another network interface. If either end of the VPN can initiate the connection, you need two firewall policies, one for each direction. Virtual IPSec interface bindings are shown on the network interfaces page. (Go to System > Network > Interface.) The names of all tunnels bound to physical, aggregate, VLAN, inter-VDOM link or wireless interfaces are displayed under their associated interface names in the Name column. For more information, see Interfaces on page 119. As with other interfaces, you can include a virtual IPSec interface in a zone.

Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a concentrator function. This is available only for policy-based VPNs, but you can create the equivalent function for a route-based VPN in any of the following ways:
Define a firewall policy between each pair of IPSec interfaces that you want to concentrate. This can be time-consuming to maintain if you have many site-to-site connections, since the number of policies required increases rapidly as the number of spokes increases.
Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more than one IPSec interface in the zone.

For more information and an example, see the FortiGate IPSec VPN User Guide.

Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy. You can configure several routes for the same IP traffic with different route metrics. You can also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through VPN tunnels. If the primary VPN connection fails, or the priority of a route changes through dynamic routing, an alternative route is selected to forward traffic through the redundant connection. A simple way to provide failover redundancy is to create a backup IPSec interface. You can do this in the CLI. For more information, including an example configuration, see the monitor-phase1 keyword for the vpn ipsec phase1-interface command in the FortiGate CLI Reference.

Routing
Optionally, through the CLI, you can define a specific default route for a virtual IPSec interface. For more information, see the default-gw keyword for the vpn ipsec phase1-interface command in the FortiGate CLI Reference.

Auto Key
You can configure two VPN peers (or a FortiGate dialup server and a VPN client) to generate unique Internet Key Exchange (IKE) keys automatically during the IPSec phase 1 and phase 2 exchanges. When you define phase 2 parameters, you can choose any set of phase 1 parameters to set up a secure connection for the tunnel and authenticate the remote peer. Auto Key configuration applies to both tunnel-mode and interface-mode VPNs. To configure an Auto Key VPN, go to VPN > IPSEC > Auto Key (IKE).
Figure 350: Auto Key list

Create Phase 1: Create a new phase 1 tunnel configuration. For more information, see Creating a new phase 1 configuration on page 534.
Create Phase 2: Create a new phase 2 configuration. For more information, see Creating a new phase 2 configuration on page 538.
Phase 1: The names of existing phase 1 tunnel configurations.
Phase 2: The names of existing phase 2 configurations.
Interface Binding: The names of the local interfaces to which IPSec tunnels are bound. These can be physical, aggregate, VLAN, inter-VDOM link or wireless interfaces.
Delete and Edit icons: Delete or edit a phase 1 configuration.

Creating a new phase 1 configuration


In phase 1, two VPN peers (or a FortiGate dialup server and a VPN client) authenticate each other and exchange keys to establish a secure communication channel between them. The basic phase 1 settings associate IPSec phase 1 parameters with a remote gateway and determine:
whether the various phase 1 parameters will be exchanged in multiple rounds with encrypted authentication information (Main mode) or in a single message with authentication information that is not encrypted (Aggressive mode)
whether a pre-shared key or digital certificates will be used to authenticate the identities of the two VPN peers (or a VPN server and its client)
whether a special identifier, certificate distinguished name, or group name will be used to identify the remote VPN peer or client when a connection attempt is made.

To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 1. For information about how to choose the correct phase 1 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 351: New Phase 1

Name: Type a name to represent the phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, by 4 for up to 999 tunnels, and so on. For a tunnel mode VPN, the name should reflect where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPSec interface that it creates automatically.
Remote Gateway: Select the category of the remote connection:
Static IP Address: if the remote peer has a static IP address.
Dialup User: if one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.
Dynamic DNS: if a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.
IP Address: If you selected Static IP Address, type the IP address of the remote peer.
Dynamic DNS: If you selected Dynamic DNS, type the domain name of the remote peer.

534

FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

IPSec VPN

Auto Key

Local Interface: This option is available in NAT/Route mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit. By default, the local VPN gateway IP address is the IP address of the interface that you selected. Optionally, you can specify a unique IP address for the VPN gateway in the Advanced settings. For more information, see Local Gateway IP on page 537.

Mode: Select Main or Aggressive. In Main mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information. In Aggressive mode, the phase 1 parameters are exchanged in a single message with authentication information that is not encrypted. When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup phase 1 configuration for the interface IP address. When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one phase 1 configuration for the interface IP address and these phase 1 configurations use different proposals. Peer Options settings may require a particular mode. See Peer Options, below.

Authentication Method: Select Pre-shared Key or RSA Signature.

Pre-shared Key: If you selected Pre-shared Key, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

Certificate Name: If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during phase 1 negotiations. For information about obtaining and loading the required server certificate, see the FortiGate Certificate Management User Guide.

Peer Options: One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.

Accept any peer ID: Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main. You can use this option with RSA Signature authentication, but for highest security you should configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.

Accept this peer ID: This option is available only if the remote peer has a dynamic IP address. Enter the identifier that is used to authenticate the remote peer. This identifier must match the identifier that the remote peer's administrator has configured. If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the phase 1 configuration. If the remote peer is a FortiClient dialup client, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection's Advanced Settings.


Accept peer ID in dialup group: Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared group keys only) through the same VPN tunnel. You must create a dialup user group for authentication purposes. (For more information, see User Group on page 583.) Select the group from the list next to the Accept peer ID in dialup group option. For more information about configuring FortiGate dialup clients, see the FortiGate IPSec VPN User Guide. For more information about configuring FortiClient dialup clients, see the Authenticating FortiClient Dialup Clients Technical Note. You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup phase 1 configuration for this interface IP address.

Accept this peer certificate only: This option is available when Authentication Method is set to RSA Signature. Authenticate remote peers or dialup clients that use a security certificate. Select the certificate from the list next to the option. You must add peer certificates to the FortiGate configuration before you can select them here. For more information, see PKI on page 581.

Accept this peer certificate group only: This option is available when Authentication Method is set to RSA Signature and Remote Gateway is set to Dialup User. Use a certificate group to authenticate dialup clients that have dynamic IP addresses and use unique certificates. Select the name of the peer group from the list. You must first create the group through the config user peergrp CLI command before you can select it. For more information, see the user chapter of the FortiGate CLI Reference. Members of the peer group must be certificates added by using the config user peer CLI command. You can also add peer certificates using the web-based manager. For more information, see PKI on page 581.

Advanced: Define advanced phase 1 parameters. For more information, see Defining phase 1 advanced settings on page 536.

Defining phase 1 advanced settings


You use the advanced P1 Proposal parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also select these advanced settings to ensure the smooth operation of phase 1 negotiations. To modify IPSec phase 1 advanced parameters, go to VPN > IPSEC > Auto Key (IKE), select Create Phase 1, and then select Advanced. For information about how to choose the correct advanced phase 1 settings for your particular situation, see the FortiGate IPSec VPN User Guide.


Figure 352: Phase 1 advanced settings


Enable IPSec Interface Mode: This is available in NAT/Route mode only. Create a virtual interface for the local end of the VPN tunnel. Select this option to create a route-based VPN, clear it to create a policy-based VPN.

IPv6 Version: Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses. This is available only when Enable IPSec Interface Mode is enabled.

Local Gateway IP: If you selected Enable IPSec Interface Mode, specify an IP address for the local end of the VPN tunnel. Select one of the following:
  Main Interface IP: The FortiGate unit obtains the IP address of the interface from the network interface settings. For more information, see Interfaces on page 119.
  Specify: You can specify a secondary address of the interface selected in the phase 1 Local Interface field. For more information, see Local Interface on page 535.
You cannot configure Interface mode in a Transparent mode VDOM.

P1 Proposal: Select the encryption and authentication algorithms used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.
Select one of the following symmetric-key algorithms:
  DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
  3DES: Triple-DES, in which plain text is encrypted three times by three keys.
  AES128: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
  AES192: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
  AES256: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
Select either of the following message digests to check the authenticity of messages during phase 1 negotiations:
  MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
  SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
To specify a third combination, use the Add button beside the fields for the second combination.


DH Group: Select one or more Diffie-Hellman groups from DH group 1, 2, and 5. At least one of the DH Group settings on the remote peer or client must match one of the selections on the FortiGate unit.

Keylife: Type the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172 800 seconds.

Local ID: If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the phase 1 exchange. If the FortiGate unit will act as a VPN client and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes. If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this FortiGate dialup client), set Mode to Aggressive.

XAuth: This option supports the authentication of dialup clients.
  Disable: Select if you do not use XAuth.
  Enable as Client: If the FortiGate unit is a dialup client, type the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
  Enable as Server: This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit. For more information, see Configuring a user group on page 586. You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server. For information about these topics, see Configuring a RADIUS server on page 572 or Configuring an LDAP server on page 575. Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Nat-traversal: Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

Keepalive Frequency: If you enabled NAT-traversal, enter a keepalive frequency setting. The value represents an interval ranging from 10 to 900 seconds.

Dead Peer Detection: Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. (For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.) With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval. For more information, see the FortiGate CLI Reference.
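As an added example (not code from this guide), the following Python models the phase 1 matching rules stated in this table and in the Mode row of the basic phase 1 settings: one P1 proposal and one DH group in common, the same NAT traversal setting on both peers, the keylife and keepalive ranges, and the Aggressive-mode requirement when more than one dialup pre-shared-key phase 1 shares an interface. The Phase1 class, its field names and the sample configurations are constructed for illustration; the weak_choices helper applies a present-day view of the algorithms and is not a rule from the guide.

```python
from collections import defaultdict
from dataclasses import dataclass

# Algorithm names and numeric limits as listed in the P1 Proposal, DH Group,
# Keylife and Keepalive Frequency rows of this guide.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
AUTHENTICATION = {"MD5", "SHA1"}
DH_GROUPS = {1, 2, 5}
KEYLIFE_RANGE = (120, 172_800)   # seconds
KEEPALIVE_RANGE = (10, 900)      # seconds, only used with NAT traversal


@dataclass
class Phase1:
    """Constructed model of one phase 1 configuration (field names are illustrative)."""
    name: str
    interface: str          # Local Interface
    remote_gateway: str     # "static" or "dialup"
    auth_method: str        # "psk" or "rsa"
    mode: str               # "main" or "aggressive"
    proposals: list         # [(encryption, authentication), ...], one to three
    dh_groups: set
    keylife: int = 28800
    nat_traversal: bool = False
    keepalive: int = 10


def validate(p: Phase1) -> list:
    """Check one configuration against the limits the guide states."""
    problems = []
    if not 1 <= len(p.proposals) <= 3:
        problems.append(f"{p.name}: select between one and three P1 proposals")
    for enc, auth in p.proposals:
        if enc not in ENCRYPTION or auth not in AUTHENTICATION:
            problems.append(f"{p.name}: unknown algorithm in proposal {enc}/{auth}")
    if not p.dh_groups or not p.dh_groups <= DH_GROUPS:
        problems.append(f"{p.name}: DH groups must be one or more of 1, 2, 5")
    if not KEYLIFE_RANGE[0] <= p.keylife <= KEYLIFE_RANGE[1]:
        problems.append(f"{p.name}: keylife {p.keylife}s outside 120-172800")
    if p.nat_traversal and not KEEPALIVE_RANGE[0] <= p.keepalive <= KEEPALIVE_RANGE[1]:
        problems.append(f"{p.name}: keepalive {p.keepalive}s outside 10-900")
    return problems


def dialup_mode_problems(configs: list) -> list:
    """Mode rule: with more than one dialup, pre-shared-key phase 1 on the same
    interface, every one of them must use Aggressive mode."""
    by_interface = defaultdict(list)
    for p in configs:
        if p.remote_gateway == "dialup" and p.auth_method == "psk":
            by_interface[p.interface].append(p)
    problems = []
    for iface, group in by_interface.items():
        if len(group) < 2:
            continue
        for p in group:
            if p.mode != "aggressive":
                problems.append(f"{p.name}: {len(group)} dialup PSK phase 1s on "
                                f"{iface}; Mode must be Aggressive")
    return problems


def negotiate(local: Phase1, remote: Phase1) -> dict:
    """Peer-matching checks: a proposal in common (taken in local preference order),
    a DH group in common, and the same NAT traversal setting on both sides."""
    result = {"ok": True, "reasons": [], "proposal": None, "dh_group": None}
    common = [prop for prop in local.proposals if prop in remote.proposals]
    if common:
        result["proposal"] = common[0]
    else:
        result["ok"] = False
        result["reasons"].append("no P1 proposal in common")
    common_dh = sorted(local.dh_groups & remote.dh_groups)
    if common_dh:
        result["dh_group"] = common_dh[-1]   # the largest shared group (5 > 2 > 1)
    else:
        result["ok"] = False
        result["reasons"].append("no DH group in common")
    if local.nat_traversal != remote.nat_traversal:
        result["ok"] = False
        result["reasons"].append("NAT traversal differs between peers")
    return result


def weak_choices(p: Phase1) -> list:
    """Defender's caveat, not a rule from the guide: DES, 3DES, MD5 and DH group 1 are
    obsolete; of the options offered here prefer AES, SHA1 and DH group 5."""
    weak = set()
    for enc, auth in p.proposals:
        if enc in {"DES", "3DES"}:
            weak.add(enc)
        if auth == "MD5":
            weak.add(auth)
    if 1 in p.dh_groups:
        weak.add("DH group 1")
    return sorted(weak)
```

The same proposal-intersection logic is what the P2 Proposal and phase 2 DH Group rows later require of the phase 2 settings.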

Creating a new phase 2 configuration


After IPSec phase 1 negotiations end successfully, you begin phase 2. You configure the phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During phase 2, you select specific IPSec security associations needed to implement security services and establish a tunnel. The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic phase 2 settings.

To configure phase 2 settings, go to VPN > IPSEC > Auto Key (IKE) and select Create Phase 2. For information about how to choose the correct phase 2 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 353: New Phase 2

Name: Type a name to identify the phase 2 configuration.

Phase 1: Select the phase 1 tunnel configuration. For more information, see Creating a new phase 1 configuration on page 534. The phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.

Advanced: Define advanced phase 2 parameters. For more information, see Defining phase 2 advanced settings on page 539.

Defining phase 2 advanced settings


In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called P2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm. You can use a number of additional advanced phase 2 settings to enhance the operation of the tunnel. To modify IPSec phase 2 advanced parameters, go to VPN > IPSEC > Auto Key (IKE), select Create Phase 2, and then select Advanced. For information about how to choose the correct advanced phase 2 settings for your particular situation, see the FortiGate IPSec VPN User Guide.
Figure 354: Phase 2 advanced settings



P2 Proposal: Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer. Initially there are two proposals. Add and Delete icons are next to the second Authentication field. To specify only one proposal, select Delete to remove the second proposal. To specify a third proposal, select Add. It is invalid to set both Encryption and Authentication to NULL.

Encryption: Select one of the following symmetric-key algorithms:
  NULL: Do not use an encryption algorithm.
  DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
  3DES: Triple-DES, in which plain text is encrypted three times by three keys.
  AES128: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
  AES192: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
  AES256: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.

Authentication: Select one of the following message digests to check the authenticity of messages during an encrypted session:
  NULL: Do not use a message digest.
  MD5: Message Digest 5, the hash algorithm developed by RSA Data Security.
  SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.

Enable replay detection: Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPSec packets and replays them back into the tunnel.

Enable perfect forward secrecy (PFS): Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

DH Group: Select one Diffie-Hellman group (1, 2, or 5). This must match the DH Group that the remote peer or dialup client uses.

Keylife: Select the method for determining when the phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB has been processed. The range is from 120 to 172 800 seconds, or from 5120 to 2 147 483 648 KB.

Autokey Keep Alive: Select the check box if you want the tunnel to remain active when no data is being processed.

DHCP-IPSec: Provide IP addresses dynamically to VPN clients. This is available for phase 2 configurations associated with a dialup phase 1 configuration. You also need to configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately. For more information, see System DHCP on page 171. If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Accept peer ID in dialup group and select the appropriate user group. See Creating a new phase 1 configuration on page 534. If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.

Note: You can configure settings so that VPN users can browse the Internet through the FortiGate unit. For more information, see Internet browsing configuration on page 544.


Quick Mode Selector: Optionally specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, you should keep the default value 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number. If you are editing an existing phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI. For more information, see the dst-addr-type, dst-name, src-addr-type and src-name keywords for the vpn ipsec phase2 command in the FortiGate CLI Reference.

Source address: If the FortiGate unit is a dialup server, type the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer. If the FortiGate unit is a dialup client, the source address must refer to the private network behind the FortiGate dialup client.

Source port: Type the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Destination address: Type the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.

Destination port: Type the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Protocol: Type the IP protocol number of the service. The range is from 0 to 255. To specify all services, type 0.
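The selector address forms listed above, and the "ambiguous IP addresses" problem the Quick Mode Selector row warns about, as an added Python example that is not part of the guide: it parses each form into IPv4 networks, applies the "0 means all" rule for ports and protocols, and reports spokes whose private networks overlap. The spoke names and addresses are constructed sample data.

```python
import ipaddress
import re

# Selector address forms quoted in this table: a.b.c.d/prefix, a.b.c.d/dotted-mask,
# a.b.c.[lo-hi] and a.b.c.d-e.f.g.h; 0.0.0.0/0 means every address behind the peer.
_BRACKET_RANGE = re.compile(r"^(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]$")
_DASH_RANGE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")


def parse_selector(text: str) -> list:
    """Turn one Source/Destination address string into a list of IPv4Network objects."""
    text = text.strip()
    m = _BRACKET_RANGE.match(text)
    if m:
        prefix, lo, hi = m.groups()
        first = ipaddress.IPv4Address(f"{prefix}.{lo}")
        last = ipaddress.IPv4Address(f"{prefix}.{hi}")
    else:
        m = _DASH_RANGE.match(text)
        if m is None:
            # Prefix-length and dotted-mask forms; strict=False tolerates host bits set.
            return [ipaddress.IPv4Network(text, strict=False)]
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
    if last < first:
        raise ValueError(f"range end precedes start: {text}")
    # A range that is not CIDR-aligned becomes the minimal list of covering networks.
    return list(ipaddress.summarize_address_range(first, last))


def is_wildcard(nets: list) -> bool:
    """True for the 0.0.0.0/0 default, which stands for all addresses behind a peer."""
    return any(n.prefixlen == 0 for n in nets)


def port_or_proto_matches(local: int, remote: int) -> bool:
    """Port and protocol selectors: 0 means all; otherwise the two sides must agree."""
    return local == 0 or remote == 0 or local == remote


def ambiguous_networks(spokes: dict) -> list:
    """Report pairs of spokes whose private networks overlap, the 'ambiguous IP
    addresses' case this table says may force a dialup server off the 0.0.0.0/0 default.
    spokes maps a spoke name to its source-address selector string."""
    parsed = {name: parse_selector(sel) for name, sel in spokes.items()}
    names = sorted(parsed)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if is_wildcard(parsed[a]) or is_wildcard(parsed[b]):
                continue   # the wildcard overlaps everything by design, so skip it
            for na in parsed[a]:
                for nb in parsed[b]:
                    if na.overlaps(nb):
                        clashes.append((a, b, str(na), str(nb)))
    return clashes
```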

Manual Key

If required, you can manually define cryptographic keys for establishing an IPSec VPN tunnel. You would define manual keys in situations where:
  You require prior knowledge of the encryption or authentication key (that is, one of the VPN peers requires a specific IPSec encryption or authentication key).
  You need to disable encryption and authentication.

In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define manual keys by going to VPN > IPSEC > Manual Key instead.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in keeping keys confidential and in propagating changed keys to remote VPN peers securely.

For general information about how to configure an IPSec VPN, see the FortiGate IPSec VPN User Guide.


Figure 355: Manual Key list

Create New: Create a new manual key configuration. See Creating a new manual key configuration on page 542.
Tunnel Name: The names of existing manual key configurations.
Remote Gateway: The IP addresses of remote peers or dialup clients.
Encryption Algorithm: The names of the encryption algorithms specified in the manual key configurations.
Authentication Algorithm: The names of the authentication algorithms specified in the manual key configurations.
Delete and Edit icons: Delete or edit a manual key configuration.

Creating a new manual key configuration


If one of the VPN devices is manually keyed, the other VPN device must also be manually keyed with the identical authentication and encryption keys. In addition, it is essential that both VPN devices be configured with complementary Security Parameter Index (SPI) settings. The administrators of the devices need to cooperate to achieve this. Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to link the datagrams to the SA. When an ESP datagram is received, the recipient refers to the SPI to determine which SA applies to the datagram. You must manually specify an SPI for each SA. There is an SA for each direction, so for each VPN you must specify two SPIs, a local SPI and a remote SPI, to cover bidirectional communications between two VPN devices.
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases for your particular installation, do not attempt the following procedure without qualified assistance.

To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and select Create New.
Figure 356: New Manual Key


Name: Type a name for the VPN tunnel. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN.

Local SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles outbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI value in the manual key configuration at the remote peer.

Remote SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the SA that handles inbound traffic on the local FortiGate unit. The valid range is from 0x100 to 0xffffffff. This value must match the Local SPI value in the manual key configuration at the remote peer.

Remote Gateway: Type the IP address of the public interface to the remote peer. The address identifies the recipient of ESP datagrams.

Local Interface: This option is available in NAT/Route mode only. Select the name of the interface to which the IPSec tunnel will be bound. The FortiGate unit obtains the IP address of the interface from the network interface settings. For more information, see Interfaces on page 119.

Encryption Algorithm: Select one of the following symmetric-key encryption algorithms:
  DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
  3DES: Triple-DES, in which plain text is encrypted three times by three keys.
  AES128: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 128-bit key.
  AES192: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 192-bit key.
  AES256: a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a 256-bit key.
Note: The algorithms for encryption and authentication cannot both be NULL.

Encryption Key: Enter an encryption key appropriate to the encryption algorithm:
  for DES, type a 16-character hexadecimal number (0-9, a-f).
  for 3DES, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
  for AES128, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
  for AES192, type a 48-character hexadecimal number (0-9, a-f) separated into three segments of 16 characters.
  for AES256, type a 64-character hexadecimal number (0-9, a-f) separated into four segments of 16 characters.

Authentication Algorithm: Select one of the following message digests:
  MD5: Message Digest 5 algorithm, which produces a 128-bit message digest.
  SHA1: Secure Hash Algorithm 1, which produces a 160-bit message digest.
Note: The algorithms for encryption and authentication cannot both be NULL.

Authentication Key: Enter an authentication key appropriate to the authentication algorithm:
  for MD5, type a 32-character hexadecimal number (0-9, a-f) separated into two segments of 16 characters.
  for SHA1, type a 40-character hexadecimal number (0-9, a-f) separated into one segment of 16 characters and a second segment of 24 characters.

IPSec Interface Mode: Create a virtual interface for the local end of the VPN tunnel. Select this check box to create a route-based VPN, clear it to create a policy-based VPN. This is available only in NAT/Route mode.
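An added example (not from the guide) that checks a Manual Key configuration against the field rules above: SPI format and range, the rule that encryption and authentication cannot both be NULL, the per-algorithm key segment layout, and that two peers hold complementary SPIs and identical keys. The dictionary layout and the sample key material are constructed placeholders; real keys must be generated randomly and never reused.

```python
import re

# Field rules stated on the New Manual Key screen: hex digits 0-9 and a-f, the SPI
# range, and the number and length of key segments per algorithm.
HEX = re.compile(r"^[0-9a-f]+$")
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
ENCRYPTION_KEYS = {
    "NULL": [],
    "DES": [16],                 # 16 hex characters
    "3DES": [16, 16, 16],        # 48, in three segments
    "AES128": [16, 16],          # 32, in two segments
    "AES192": [16, 16, 16],      # 48, in three segments
    "AES256": [16, 16, 16, 16],  # 64, in four segments
}
AUTHENTICATION_KEYS = {"NULL": [], "MD5": [16, 16], "SHA1": [16, 24]}


def check_key(segments: list, layout: list, label: str) -> list:
    """Compare the entered key segments with the layout the algorithm requires."""
    problems = []
    lengths = [len(s) for s in segments]
    if lengths != layout:
        problems.append(f"{label}: expected segment lengths {layout}, got {lengths}")
    for s in segments:
        if not HEX.match(s):
            problems.append(f"{label}: segment {s!r} is not hexadecimal (0-9, a-f)")
    return problems


def check_spi(value: str, label: str) -> list:
    """An SPI is up to 8 hex characters in the range 0x100 to 0xffffffff."""
    if not HEX.match(value) or len(value) > 8:
        return [f"{label}: SPI must be 1 to 8 hex characters"]
    if not SPI_MIN <= int(value, 16) <= SPI_MAX:
        return [f"{label}: SPI 0x{value} outside 0x100-0xffffffff"]
    return []


def validate_manual_key(cfg: dict) -> list:
    """Check one side's manual key configuration (a constructed dict layout)."""
    problems = []
    name_limit = 15 if cfg.get("interface_mode") else 35   # interface vs policy-based
    if not 1 <= len(cfg["name"]) <= name_limit:
        problems.append(f"name: length must be 1 to {name_limit} characters")
    problems += check_spi(cfg["local_spi"], "local_spi")
    problems += check_spi(cfg["remote_spi"], "remote_spi")
    enc, auth = cfg["encryption"], cfg["authentication"]
    if enc == "NULL" and auth == "NULL":
        problems.append("encryption and authentication cannot both be NULL")
    if enc not in ENCRYPTION_KEYS or auth not in AUTHENTICATION_KEYS:
        problems.append(f"unknown algorithm {enc}/{auth}")
        return problems
    problems += check_key(cfg["encryption_key"], ENCRYPTION_KEYS[enc], "encryption_key")
    problems += check_key(cfg["authentication_key"], AUTHENTICATION_KEYS[auth],
                          "authentication_key")
    return problems


def peers_complementary(local: dict, remote: dict) -> list:
    """Both ends must hold the same algorithms and keys, and each side's Local SPI must
    equal the other side's Remote SPI: one SA, and so one SPI, per direction."""
    problems = []
    if local["local_spi"] != remote["remote_spi"]:
        problems.append("local Local SPI does not match remote Remote SPI")
    if local["remote_spi"] != remote["local_spi"]:
        problems.append("local Remote SPI does not match remote Local SPI")
    for field in ("encryption", "authentication", "encryption_key", "authentication_key"):
        if local[field] != remote[field]:
            problems.append(f"{field} differs between peers")
    return problems
```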


Internet browsing configuration


By using appropriate firewall policies, you can enable VPN users to browse the Internet through the FortiGate unit. The required policies are different for policy-based and route-based VPNs. For more information, see Configuring firewall policies on page 323.

To create a policy-based VPN Internet browsing configuration
1 Go to Firewall > Policy.
2 Select Create New and enter the following information:
  Source Interface/Zone: Select the FortiGate unit public interface.
  Source Address Name: Select All.
  Destination Interface/Zone: Select the FortiGate unit public interface.
  Destination Address Name: Select the remote network address name.
  Action: Select IPSEC.
  VPN Tunnel: Select the tunnel that provides access to the private network behind the FortiGate unit.
  Inbound NAT: Select the check box.
3 Configure other settings as required.
4 Select OK.

To configure a route-based VPN Internet browsing configuration
1 Go to Firewall > Policy.
2 Select Create New and enter the following information:
  Source Interface/Zone: Select the IPSec interface.
  Source Address Name: Select All.
  Destination Interface/Zone: Select the FortiGate unit public interface.
  Destination Address Name: Select All.
  Action: Select ACCEPT.
  NAT: Select the check box.
3 Configure other settings as required.
4 Select OK.

Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, you can establish VPN tunnels between any two of the remote peers through the FortiGate unit hub. In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub. You define a concentrator to include spokes in the hub-and-spoke configuration.


To define a concentrator, go to VPN > IPSEC > Concentrator. For detailed information and step-by-step procedures about how to set up a hub-and-spoke configuration, see the FortiGate IPSec VPN User Guide.
Figure 357: Concentrator list

Create New: Define a new concentrator for an IPSec hub-and-spoke configuration. For more information, see Defining concentrator options on page 545.
Concentrator Name: The names of existing IPSec VPN concentrators.
Members: The tunnels that are associated with the concentrators.
Delete and Edit icons: Delete or edit a concentrator.

Defining concentrator options


A concentrator configuration specifies which spokes to include in an IPSec hub-and-spoke configuration. To specify the spokes of an IPSec hub-and-spoke configuration, go to VPN > IPSEC > Concentrator and select Create New.
Figure 358: New VPN Concentrator

Concentrator Name: Type a name for the concentrator.
Available Tunnels: A list of defined IPSec VPN tunnels. Select a tunnel from the list and then select the right arrow. Repeat these steps until all of the tunnels associated with the spokes are included in the concentrator.
Members: A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the left arrow.

Monitoring VPNs
To view active VPN tunnels, go to User > Monitor > IPSEC. For more information, see IPSEC monitor list on page 592.


PPTP VPN
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit to forward PPTP packets to a PPTP server on the network behind the FortiGate unit. PPTP VPN is available only in NAT/Route mode. The current maximum number of PPTP sessions is 254. If you enable virtual domains (VDOMs) on the FortiGate unit, you need to configure VPN PPTP separately for each virtual domain. For more information, see Using virtual domains on page 103. When you intend to use the FortiGate unit as a PPTP gateway, you can select a PPTP client IP from a local address range or use the server defined in the PPTP user group. You select which method to use for IP address retrieval and, in the case of the user group server, provide the IP address and the user group. This section explains how to specify a range of IP addresses for PPTP clients or configure the PPTP client-side IP address to be used in the tunnel setup. For information about how to perform other related PPTP VPN setup tasks, see the FortiGate PPTP VPN User Guide.
Note: The PPTP feature is disabled by default in the FortiGate web-based manager. You configure the PPTP tunnel configuration by creating a customized FortiGate screen.

This section describes:
  PPTP configuration using FortiGate web-based manager
  PPTP configuration using CLI commands

PPTP configuration using FortiGate web-based manager


To configure the PPTP tunnel, create a customized screen in the web-based manager. The PPTP Range tab is found under the Categories heading as a selection in the Additional category:


Figure 359: Categories > Additional > PPTP Range

For information about creating customized screens in the FortiGate web-based manager, see Customizable web-based manager on page 231. PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address range is the range of addresses reserved for remote PPTP clients. When the remote PPTP client establishes a connection, the FortiGate unit assigns an IP address from the reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP address from the PPTP user group. If you use the PPTP user group, you must also define the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its source address for the duration of the connection. To enable PPTP and specify the PPTP address range, or to specify the IP address for the peer's remote IP on the PPTP client side, go to the customized screen in the web-based manager, select the required options, and then select Apply.
Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet, e.g. 192.168.1.1 - 192.168.1.254.


Figure 360: Edit PPTP range options, showing both Range and User Group

Enable PPTP: Enable PPTP. You must add a user group before you can select the option. See User Group on page 583.
IP Mode: Select a method of determining the IP address for the PPTP connection:
  Range: Enable to specify a local address range to reserve for remote PPTP clients.
  User Group: Select to specify that the PPTP client IP address is determined by the PPTP user group server.
Starting IP: Type the starting address in the range of reserved IP addresses.
Ending IP: Type the ending address in the range of reserved IP addresses.
Local IP: Type the IP address to be used for the peer's remote IP on the PPTP client side.
User Group: Select the PPTP user group from the list.
Disable PPTP: Select to disable PPTP support.

PPTP configuration using CLI commands


If you prefer not to set up a customized screen in the FortiGate web-based manager, you can configure the PPTP tunnel using the CLI.

Syntax
config vpn pptp
    set eip <address_ipv4>
    set ip-mode {range | usrgrp}
    set local-ip <address_localip>
    set sip <address_ipv4>
    set status {disable | enable}
    set usrgrp <group_name>
end

Variables:
eip <address_ipv4>: The ending address of the PPTP address range. Default: 0.0.0.0.
ip-mode {range | usrgrp}: Select whether the PPTP client IP address is taken from the pre-configured IP address range (range) or retrieved from the PPTP user group (usrgrp).
local-ip <address_localip>: The PPTP server IP address, that is, the FortiGate end of the tunnel, used when ip-mode is usrgrp.
sip <address_ipv4>: The starting address of the PPTP address range. Default: 0.0.0.0.
status {disable | enable}: Enable or disable PPTP VPN. Default: disable.
usrgrp <group_name>: Enter the name of the user group for authenticating PPTP clients. The user group must be added to the FortiGate configuration before it can be specified here. Default: Null.

The keywords other than status are available only when status is set to enable.
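The following is an added example written for this guide, not Fortinet code. It checks a PPTP setting against the rules stated in this section (a user group is always required, local-ip is required in usrgrp mode, and in range mode the start and end addresses must both be set and lie in the same 24-bit subnet) and then renders it with the CLI keywords from the Syntax block above. The user group name used in the demonstration is made up.

```python
"""Added example, not Fortinet code: check a 'config vpn pptp' setting for the
constraints this section states, then render it as CLI text.

Assumptions: the keywords are the ones listed in the Syntax block; the
same-24-bit-subnet rule comes from the note on the PPTP address range; the
user group name in the demo is made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PptpConfig:
    status: str = "disable"         # set status {disable | enable}
    ip_mode: str = "range"          # set ip-mode {range | usrgrp}
    sip: str = "0.0.0.0"            # set sip: start of the PPTP address range
    eip: str = "0.0.0.0"            # set eip: end of the PPTP address range
    local_ip: Optional[str] = None  # set local-ip: FortiGate end of the tunnel (usrgrp mode)
    usrgrp: Optional[str] = None    # set usrgrp: group that authenticates PPTP clients


def validate(cfg: PptpConfig) -> List[str]:
    """Return the problems found; an empty list means the setting is consistent."""
    problems: List[str] = []
    if cfg.status not in ("disable", "enable"):
        return ["status must be disable or enable"]
    if cfg.status == "disable":
        return problems                     # nothing else is checked while PPTP is off
    if not cfg.usrgrp:
        problems.append("usrgrp is required: PPTP clients authenticate against a user group")
    if cfg.ip_mode == "range":
        unset = ipaddress.IPv4Address("0.0.0.0")
        sip, eip = ipaddress.IPv4Address(cfg.sip), ipaddress.IPv4Address(cfg.eip)
        if sip == unset or eip == unset:
            problems.append("sip and eip must both be set when ip-mode is range")
        elif sip > eip:
            problems.append("sip must not be greater than eip")
        elif (ipaddress.ip_network(f"{sip}/24", strict=False)
              != ipaddress.ip_network(f"{eip}/24", strict=False)):
            # The note above: both ends of the range must share one 24-bit subnet.
            problems.append("sip and eip must be in the same 24-bit subnet")
    elif cfg.ip_mode == "usrgrp":
        if not cfg.local_ip:
            problems.append("local-ip is required when ip-mode is usrgrp")
    else:
        problems.append("ip-mode must be range or usrgrp")
    return problems


def render(cfg: PptpConfig) -> str:
    """Render the setting as FortiGate CLI text; refuse to render an inconsistent one."""
    problems = validate(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config vpn pptp", f"    set status {cfg.status}"]
    if cfg.status == "enable":
        lines.append(f"    set ip-mode {cfg.ip_mode}")
        if cfg.ip_mode == "range":
            lines += [f"    set sip {cfg.sip}", f"    set eip {cfg.eip}"]
        else:
            lines.append(f"    set local-ip {cfg.local_ip}")
        lines.append(f"    set usrgrp {cfg.usrgrp}")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # The range from the note above; "pptp_users" is a made-up group name.
    print(render(PptpConfig("enable", "range", "192.168.1.1", "192.168.1.254",
                            usrgrp="pptp_users")))
```

Run the script to see the CLI text for a range-mode setting; change the ending address to 192.168.2.254 and render() raises because the two ends no longer share a 24-bit subnet.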

SSL VPN
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard web browser. SSL VPN does not require the installation of specialized client software on end users' computers, and is suited to applications including web-based email, business and government directories, file sharing, remote backup, remote system management, and consumer-level electronic commerce.

The two modes of SSL VPN operation (supported in NAT/Route mode only) are:
- web-only mode, for thin remote clients equipped with a web browser only.
- tunnel mode, for remote computers that run a variety of client and server applications.

When the FortiGate unit provides services in web-only mode, a secure connection between the remote client and the FortiGate unit is established through the SSL VPN security in the FortiGate unit and the SSL security in the web browser. After the connection has been established, the FortiGate unit provides access to selected services and network resources through a web portal. The FortiGate SSL VPN web portal has a widget-based layout with customizable themes. Each widget is displayed in a one- or two-column format, and depending on the type of content within the widget you can modify its settings, minimize its window, or perform other functions.

When users have complete administrative rights over their computers and use a variety of applications, tunnel mode allows remote clients to access the local internal network as if they were connected to the network directly.

This section provides information about the features of SSL VPN available for configuration in the web-based manager. Only FortiGate units that run in NAT/Route mode support the SSL VPN feature. If you enable virtual domains (VDOMs) on the FortiGate unit, SSL VPN is configured separately for each virtual domain. For details, see Using virtual domains on page 103.
Note: For detailed instructions about how to configure web-only mode or tunnel-mode operation, see the FortiGate SSL VPN User Guide.

This section describes:
- ssl.root
- Configuring SSL VPN
- Monitoring SSL VPN sessions
- SSL VPN web portal

ssl.root
The FortiGate unit has a virtual SSL VPN interface called ssl.<vdomname>. The interface for the root VDOM, called ssl.root, appears in the firewall policy interface lists and static route interface lists. You can use the ssl.root interface to allow access to additional networks and to give connected users the ability to browse the Internet through the FortiGate unit.

SSL VPN tunnel-mode access requires the following firewall policies:
- External > Internal, with the action set to SSL, with an SSL user group
- ssl.root > Internal, with the action set to Accept
- Internal > ssl.root, with the action set to Accept.

Access also requires a new static route: destination network <ssl tunnel mode assigned range>, interface ssl.root.

If you are configuring Internet access through an SSL VPN tunnel, you must also add the following policy:
- ssl.root > External, with the action set to Accept, NAT enabled.
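The following is an added example written for this guide, not Fortinet code. It lays out the policy set and the static route listed above for one VDOM, adds the Internet-access policy only when asked, and refuses a tunnel range whose covering prefix overlaps the internal network, because the ssl.<vdomname> static route would then shadow real internal hosts. The interface names, internal subnet, tunnel range and group name are made up; the CLI spelling "ssl-vpn" for the action that the web-based manager shows as SSL is an assumption; the policy records are a planning format, not FortiGate syntax.

```python
"""Added example, not Fortinet code: lay out the firewall policies and the
static route that SSL VPN tunnel mode needs, as the list above describes, and
check that the tunnel range does not collide with the internal network.

Assumptions: interface names, the internal subnet, the tunnel range and the
group name in the demo are made up; the CLI spelling "ssl-vpn" for the action
the web-based manager shows as SSL is an assumption; the policy dicts are a
planning record, not FortiGate syntax.
"""
import ipaddress
from typing import Dict, List, Tuple


def covering_prefix(start: str, end: str) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains the whole start..end range."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError("tunnel range start is after its end")
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()          # widen one bit at a time until the end fits
    return net


def tunnel_range_overlaps(internal_net: str, tunnel_range: Tuple[str, str]) -> bool:
    """True if the prefix the static route will carry overlaps the internal network."""
    lan = ipaddress.ip_network(internal_net)
    return covering_prefix(*tunnel_range).overlaps(lan)


def plan_tunnel_mode(external_if: str, internal_if: str, internal_net: str,
                     tunnel_range: Tuple[str, str], ssl_group: str,
                     vdom: str = "root", internet_access: bool = False) -> Dict[str, object]:
    """Return the policies and static route for SSL VPN tunnel mode on one VDOM."""
    if tunnel_range_overlaps(internal_net, tunnel_range):
        raise ValueError(f"tunnel range {tunnel_range} overlaps internal network {internal_net}")
    ssl_if = f"ssl.{vdom}"            # the virtual SSL VPN interface, ssl.root for the root VDOM
    policies: List[Dict[str, object]] = [
        # External > Internal, action SSL: accepts the connection and authenticates the group.
        {"srcintf": external_if, "dstintf": internal_if, "action": "ssl-vpn",
         "groups": [ssl_group], "nat": False},
        # ssl.<vdom> > Internal, action Accept: tunnel clients reach internal hosts.
        {"srcintf": ssl_if, "dstintf": internal_if, "action": "accept", "nat": False},
        # Internal > ssl.<vdom>, action Accept: internal hosts reach tunnel clients.
        {"srcintf": internal_if, "dstintf": ssl_if, "action": "accept", "nat": False},
    ]
    if internet_access:
        # ssl.<vdom> > External, Accept with NAT: clients browse the Internet via the FortiGate.
        policies.append({"srcintf": ssl_if, "dstintf": external_if,
                         "action": "accept", "nat": True})
    # Static route: destination = the tunnel-mode assigned range, device = ssl.<vdom>.
    route = {"dst": str(covering_prefix(*tunnel_range)), "device": ssl_if}
    return {"policies": policies, "static_route": route}


if __name__ == "__main__":
    plan = plan_tunnel_mode("wan1", "internal", "10.0.0.0/24",
                            ("10.0.10.1", "10.0.10.254"), "sslvpn_users",
                            internet_access=True)
    for policy in plan["policies"]:
        print(policy)
    print(plan["static_route"])
```

The overlap check is deliberately run on the covering prefix rather than on the bare range, because that prefix is what the static route advertises; a range that fits inside the internal subnet would otherwise pass the check and still break routing.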

Configuring SSL VPN


You can configure basic SSL VPN settings including timeout values and SSL encryption preferences. If required, you can also enable the use of digital certificates for authenticating remote clients.
Note: If required, you can enable SSL version 2 encryption (for compatibility with older browsers) through a FortiGate CLI command. For more information, see the ssl settings command in the FortiGate CLI Reference. SSL version 2 has known protocol weaknesses, so leave it disabled unless a client that cannot be upgraded requires it.

To enable SSL VPN connections and configure SSL VPN settings, go to VPN > SSL > Config and select Enable SSL-VPN. When you have completed configuring the settings, select Apply.
Figure 361: SSL-VPN Settings

Enable SSL VPN: Select to enable SSL VPN connections.
Tunnel IP Range: Specify the range of IP addresses reserved for tunnel-mode SSL VPN clients. Type the starting and ending address that defines the range of reserved IP addresses.
Server Certificate: Select the signed server certificate to use for authentication purposes. If you leave the default setting (Self-Signed), the FortiGate unit offers its factory-installed (self-signed) certificate from Fortinet to remote clients when they connect. Remote browsers cannot verify a self-signed certificate, so users see a certificate warning on every connection; install a certificate issued by a CA that the clients trust before putting the portal into production.
Require Client Certificate: If you want to enable the use of group certificates for authenticating remote clients, select the check box. Afterward, when the remote client initiates a connection, the FortiGate unit prompts the client for its client-side certificate as part of the authentication process.
Encryption Key Algorithm: Select the algorithm for creating a secure SSL connection between the remote client web browser and the FortiGate unit.
    Default - RC4(128 bits) and higher: If the web browser on the remote client can match a cipher suite of 128 bits or more, select this option.
    High - AES(128/256 bits) and 3DES: If the web browser on the remote client can match a high level of SSL encryption, select this option to enable only the AES and 3DES cipher suites.
    Low - RC4(64 bits), DES and higher: If you are not sure which level of SSL encryption the remote client web browser supports, select this option to enable cipher suites of 64 bits or more. RC4 with a 64-bit key and single DES are weak by current standards; use this setting only for clients that cannot negotiate anything stronger.
Idle Timeout: Type the period of time (in seconds) to control how long the connection can remain idle before the system forces the user to log in again. The range is from 10 to 28800 seconds. You can also set the value to 0 to have no idle connection timeout. This setting applies to the SSL VPN session. The interface does not time out when web application sessions or tunnels are up.
Apply: Select to save and apply settings.

Monitoring SSL VPN sessions


You can view a list of all active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit. To view the list of active SSL VPN sessions, go to User > Monitor > SSL.
Figure 362: Monitor list

Delete: Delete the selected session.
No.: The connection identifiers.
User: The user names of all connected remote users.
Source IP: The IP addresses of the host devices connected to the FortiGate unit.
Begin Time: The starting time of each connection.
Description: Information about the services provided by an SSL VPN tunnel session.
Subsession: Tunnel IP: the IP address that the FortiGate unit assigned to the remote client.
Action: Select the action to apply to the current SSL VPN tunnel session or subsession.
Delete icon: Delete the current session or subsession.

SSL VPN web portal


The SSL VPN Service portal allows you to access network resources through a secure channel using a web browser. FortiGate administrators can configure log in privileges for system users and which network resources are available to the users, such as HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH. The portal configuration determines what the system user sees when they log in to the FortiGate. Both the system administrator and the system user have the ability to customize the SSL VPN portal.

This section describes:
- General tab
- Advanced tab
- Adding and editing widgets
- Session Information widget
- Bookmarks widget
- Connection Tool widget
- Tunnel Mode widget

Default web portal configurations


There are three pre-defined default web portal configurations available:
- full-access: Includes all widgets available to the user: Session Information, Connection Tool, Bookmarks, and Tunnel Mode.
- tunnel-access: Includes the Session Information and Tunnel Mode widgets.
- web-access: Includes the Session Information and Bookmarks widgets.

To use a default SSL VPN web portal configuration, select the Edit icon next to the web portal in the Portal list. The SSL VPN web portal you select will appear.

Figure 363: Default web portals (Edit button; default full-access, tunnel-access and web-access web portals)

General tab
To configure the SSL VPN web portal General tab, go to VPN > SSL > Portal and select Create New. The SSL VPN web portal General tab is displayed. Use the General tab to configure basic settings required for the SSL VPN web portal. To edit settings for an existing web portal configuration, select Settings to open the General tab.
Figure 364: SSL VPN web portal - Create New/Settings, General tab

OK/Cancel: Select OK to save the configuration, or Cancel to exit the configuration window without saving any changes. If you select OK, the main portal configuration window appears.
Name: Name of the web portal configuration.
Applications: Select the abbreviated name of the server application or network service.
Portal Message: Enter the caption that appears at the top of the web portal home page.
Theme: Select the color scheme for the web portal home page from the list.
Page Layout: Select the one- or two-column page format for the web portal home page.

Advanced tab
To configure the SSL VPN web portal Advanced tab, go to VPN > SSL > Portal and select Create New then select Advanced. The SSL VPN web portal Advanced tab is displayed. Use the Advanced tab to configure advanced settings that monitor the SSL VPN clients and apply other advanced settings. To edit settings for an existing web portal configuration, select Settings > Advanced to open the Advanced tab.

Figure 365: SSL VPN web portal - Create New/Settings, Advanced tab

OK/Cancel: Select OK to save the configuration, or Cancel to exit the configuration window without saving any changes. If you select OK, the main portal configuration window appears.
Client Check Type: Select the method used to determine whether a client is permitted to connect to the network.
    None - Select to let a client connect to the SSL VPN session without determining whether any antivirus or firewall applications are installed.
    FortiClient - Select to allow a client to connect to the SSL VPN session only if it is running FortiClient.
    Third Party - Select to allow a client to connect to the SSL VPN session only if it is running a third party antivirus or firewall application.
Client Check:
    AV - Select to have the FortiGate unit check for a running antivirus application.
    FW - Select to have the FortiGate unit check for a running firewall application.
Clean Cache: Select to enable the FortiGate unit to remove residual information from the remote client computer just before the SSL VPN session ends.
Virtual Desktop: Select to have the SSL VPN Virtual Desktop application automatically downloaded and started on the client machine. This option is available only to clients using Microsoft 32-bit XP or Vista.
Redirect URLs: Enter the URL of the web page which will enable the FortiGate unit to display a second HTML page in a popup window when the web portal home page is displayed.
OS Check (Windows 2000, Windows XP):
    Action - Select the action for the FortiGate unit to take if the client operating system is Windows 2000 or XP: Allow, Deny, or Check Latest Version.
    Latest Patch Level - If you set Action to Check Latest Version, enter the latest acceptable patch number.
    Tolerance - If you set Action to Check Latest Version, set Tolerance to 0 if clients must have the latest patch. Set Tolerance to a number to control how close clients must be to the latest patch. For example, if the latest patch level is 4 and tolerance is 2, clients will be accepted with patch 2, 3, 4, 5, or 6.

The client check and OS check rely on what the client-side check reports about the remote computer; they complement user authentication and do not replace it.
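The following is an added example written for this guide, not Fortinet code. It writes out the admission decision the Advanced tab settings describe: the Client Check Type (None, FortiClient, Third Party), the AV and FW checks, and the per-OS check with Allow, Deny, or Check Latest Version plus Tolerance, using the example above (latest patch level 4, tolerance 2 accepts patch 2 through 6). The field names and the client report format are this example's; so is the choice to run the AV/FW checks for both the FortiClient and Third Party check types.

```python
"""Added example, not Fortinet code: the admission decision that the Advanced
tab settings above describe, written out so the rules can be read and tested.

Assumptions: the field names, the client report format, and the choice to run
the AV/FW checks for both the FortiClient and Third Party check types are this
example's; the OS check rule is the one the Tolerance description gives.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class OsCheck:
    action: str = "Allow"        # Allow | Deny | Check Latest Version
    latest_patch_level: int = 0
    tolerance: int = 0           # 0 means the client must have the latest patch


@dataclass
class PortalAdvanced:
    client_check_type: str = "None"   # None | FortiClient | Third Party
    check_av: bool = False            # Client Check: AV
    check_fw: bool = False            # Client Check: FW
    os_checks: Dict[str, OsCheck] = field(default_factory=dict)  # keyed by OS name


@dataclass
class ClientReport:
    """What the client-side check reports back; a constructed format for this example."""
    os_name: str
    patch_level: int
    forticlient_running: bool = False
    av_running: bool = False
    fw_running: bool = False


def os_check_allows(check: OsCheck, patch_level: int) -> bool:
    """Apply one OS check row: Allow, Deny, or Check Latest Version with tolerance."""
    if check.action == "Allow":
        return True
    if check.action == "Deny":
        return False
    if check.action == "Check Latest Version":
        # Latest 4 with tolerance 2 accepts 2, 3, 4, 5 or 6; tolerance 0 accepts only 4.
        return abs(patch_level - check.latest_patch_level) <= check.tolerance
    raise ValueError(f"unknown OS check action {check.action!r}")


def refusal_reasons(settings: PortalAdvanced, client: ClientReport) -> List[str]:
    """Return why the client is refused; an empty list means it may connect."""
    reasons: List[str] = []
    ctype = settings.client_check_type
    if ctype == "FortiClient" and not client.forticlient_running:
        reasons.append("FortiClient is not running")
    if ctype in ("FortiClient", "Third Party"):
        # AV/FW checks apply under either check type (this example's assumption).
        if settings.check_av and not client.av_running:
            reasons.append("no running antivirus application")
        if settings.check_fw and not client.fw_running:
            reasons.append("no running firewall application")
    elif ctype != "None":
        raise ValueError(f"unknown client check type {ctype!r}")
    # OS check only applies to operating systems that have a row configured.
    check = settings.os_checks.get(client.os_name)
    if check is not None and not os_check_allows(check, client.patch_level):
        reasons.append(f"{client.os_name} patch level {client.patch_level} fails the OS check")
    return reasons


if __name__ == "__main__":
    settings = PortalAdvanced("Third Party", check_av=True, check_fw=False,
                              os_checks={"Windows XP": OsCheck("Check Latest Version", 4, 2)})
    for patch in (1, 3, 7):
        client = ClientReport("Windows XP", patch, av_running=True)
        print(patch, refusal_reasons(settings, client))
```

Note that the tolerance is symmetric: a client that is ahead of the configured latest patch level by more than the tolerance is refused just like one that is behind, which is the behaviour the worked example in the Tolerance description implies.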

Adding and editing widgets


To add or edit SSL VPN web portal widgets, go to VPN > SSL > Portal and select Create New, then select OK. The SSL VPN web portal is displayed. You can also edit an existing SSL VPN web portal. You can add, remove, and edit the widgets that appear on the web portal.
Figure 366: SSL VPN web portal - full-access default configuration window

OK: Select to save the configuration. If you select OK, you exit the SSL VPN web portal configuration window.
Cancel: Select to exit the configuration window without saving any changes.
Apply: Select to apply any changes made in the web portal configuration. If you select Apply, you do not leave the portal configuration window.
Settings: Select to edit the General or Advanced settings for the SSL VPN web portal. See SSL VPN web portal on page 554.
Help icon: Indicates the location of the SSL VPN web portal online help icon. You cannot change or move this icon. Active when the SSL VPN web portal is activated by a user.
Log out icon: Indicates the location of the SSL VPN web portal log out icon. You cannot change or move this icon. Active when the SSL VPN web portal is activated by a user.
Add Widget list: Select to add a widget to the SSL VPN web portal configuration.
    Session Information: Displays the login name of the user, the amount of time the user has been logged in, and the inbound and outbound traffic of HTTP and HTTPS.
    Bookmarks: Displays configured bookmarks, and allows the addition of new bookmarks and editing of existing bookmarks.
    Connection Tool: Enter the URL or IP address for a connection tool application/server (selected when configuring the Connection Tool). You can also check connectivity to a host or server on the network behind the FortiGate unit by selecting the type Ping.
    Tunnel Mode: Displays tunnel information and actions in user mode. The administrator can configure a split-tunneling option.

Session Information widget


The Session Information widget displays the login name of the user, along with the amount of time the user has been logged in and the inbound and outbound traffic statistics of HTTP and HTTPS. To edit the session information, in the Session Information widget select Edit.
Figure 367: Session Information widget - Edit

Edit: Select to edit the information in the widget.
Remove widget: Select to close the widget and remove it from the web portal home page.
OK: Select to save the Session Information configuration.
Cancel: Select to exit the Session Information widget without saving any changes.
Name: Enter a customized name for the Session Information widget.

Bookmarks widget
Bookmarks are used as links to specific resources on the network. When a bookmark is selected from a bookmark list, a pop-up window appears with the requested web page. Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and Samba replace the bookmarks page with an HTML file-browser.

Adding bookmarks
To add bookmarks, in the Bookmarks widget title bar select Edit, then select Add. The Add bookmark window opens. When you finish creating the bookmark, select OK in the Add bookmark window and then in the Bookmarks widget.
Figure 368: Bookmarks widget - Edit (Add bookmark window; select OK; bookmark added)

Edit: Select to edit the general configuration information in the Bookmarks widget.
Remove widget: Select to close the Bookmarks widget and remove it from the web portal home page.
OK: Select to save the configuration. Select OK before creating any bookmarks in order for the selected applications to appear in the Add or Edit bookmark window.
Cancel: Select to exit the Bookmarks widget without saving any changes.
Name: Enter a customized name for the Bookmarks widget.
Applications: Select the server application or network service the FortiGate unit will use to set up web-portal applications.
Add: Select to create a bookmark hyperlink.
Edit: Select to edit an existing bookmark hyperlink. When you select Edit, a list of existing bookmarks appears.
Add bookmark window:
    Name: Enter a name for the bookmark.
    Type: Select the type of application that the FortiGate unit will use to connect to the server application or network service. Only application types that are selected in the top window of the Bookmarks widget are in the list.
    Location: Enter the information the FortiGate unit needs to forward client requests to the correct server application or network service.
    Description: Enter an optional description of the bookmark.
    OK: Select to save the bookmark configuration. The bookmark appears in the list of bookmarks in the Bookmarks widget.
    Cancel: Select to exit the Add bookmark window without saving the new bookmark configuration.

Editing bookmarks
To edit bookmarks, in the Bookmarks widget title bar, select Edit.

Figure 369: Bookmarks widget - Edit (delete bookmark; select bookmark to edit; bookmark detail window; select OK; select Done; Bookmarks widget with list of bookmarks)

Edit: Select to edit the general configuration information in the Bookmarks widget.
Remove widget: Select to close the Bookmarks widget and remove it from the web portal home page.
Done: Select to save the bookmark configuration and close the bookmark detail window. The bookmark appears in the list of bookmarks in the Bookmarks widget.
Add: Select to create a bookmark hyperlink.
Edit: Select to edit an existing bookmark hyperlink. When you select Edit, a list of existing bookmarks appears. Select the bookmark you want to edit.
Bookmark detail window:
    Name: The name of the bookmark.
    Type: The type of application that the FortiGate unit uses to connect to the server application or network service. Only application types that are selected in the top window of the Bookmarks widget are in the list.
    Location: The information the FortiGate unit needs to forward client requests to the correct server application or network service.
    Description: An optional description of the bookmark.
    OK: Select to save the bookmark configuration.
    Cancel: Select to exit the Bookmarks Edit window without saving the changed bookmark configuration.

Connection Tool widget


Settings in the Connection Tool allow a user to connect to a pre-selected connection application without adding a bookmark to the bookmark list. You specify the URL or IP address of the host computer and, if required, you can ping a host computer behind the FortiGate unit to verify connectivity to that host. To edit the Connection Tool information, in the Connection Tool widget select Edit.
Figure 370: Connection Tool widget - Edit

Edit: Select to edit the information in the Connection Tool widget.
Remove widget: Select to close the Connection Tool widget and remove it from the web portal home page.
Name: Enter a customized name for the Connection Tool widget.
Applications: Select the server application or network service the FortiGate unit can use to set up the connection.
Type: Select the server/application that the FortiGate unit will use to establish a connection.
Host: Enter the information that the FortiGate unit needs to forward client requests to the correct server/application. The value depends on the value in Type.
Go: Select to connect to the server/application specified in Type and Host.

Tunnel Mode widget


The Tunnel Mode settings display tunnel information and actions in user mode. As an administrator, you can also configure a split-tunneling option. The presence of this widget implies that the user group will have tunnel mode enabled. If IP Range is selected, the IP range of the tunnel must be specified in the user group.
Figure 371: Tunnel Mode widget

Edit: Select to edit the information in the Tunnel Mode widget. Opens the Tunnel Mode configuration window.
Remove widget: Select to close the Tunnel Mode widget and remove it from the web portal home page.
OK: Select OK to save the configuration. If you select OK, the Tunnel Mode configuration window closes.
Cancel: Select to exit the Tunnel Mode configuration window without saving any changes.
Name: Enter a name for the Tunnel Mode widget.
IP Mode: Select the mode by which the IP address is assigned to the user.
    Range: The user IP is allocated from a configured range of IP addresses.
    User Group: The user IP is assigned on a per-user basis using a RADIUS attribute received from the RADIUS server of the user group used to authenticate the user. See Dynamically assigning VPN client IP addresses from a RADIUS record on page 573.
Split tunneling: Select to enable split tunneling.
Start IP: Enter the starting IP address for the split tunnel range.
End IP: Enter the ending IP address for the split tunnel range.
Connect: Initiate a session and establish an SSL VPN tunnel with the FortiGate unit.
Disconnect: End the session and close the tunnel to the FortiGate unit.
Refresh now: Refresh the Fortinet SSL VPN Client page (web portal).
Link status: Indicates the state of the SSL VPN tunnel. Up is displayed when an SSL VPN tunnel with the FortiGate unit has been established. Down is displayed when a tunnel connection has not been initiated.
Bytes sent: Displays the number of bytes of data transmitted from the client to the FortiGate unit since the tunnel was established.
Bytes received: The number of bytes of data received by the client from the FortiGate unit since the tunnel was established.
<status information>: Displays detailed information about the tunnel connection (for example, Fortinet SSL VPN client connected to server).

User
This section explains how to set up user accounts, user groups, and external authentication servers. You can use these components of user authentication to control access to network resources. If you enable virtual domains (VDOMs) on the FortiGate unit, user authentication is configured separately for each virtual domain. For details, see Using virtual domains on page 103.

This section describes:
- Getting started - User authentication
- Local user accounts
- Remote
- RADIUS
- LDAP
- TACACS+
- PKI
- Directory Service
- User Group
- Options
- Monitor
- NAC quarantine and the Banned User list

Getting started - User authentication


FortiGate authentication controls access by user group, but you need to complete one or more of the following tasks prior to configuring the user groups.
- Configure local user accounts. For each user, you can choose whether the password is verified by the FortiGate unit, by a RADIUS server, by an LDAP server, or by a TACACS+ server. For more information, see Local user accounts on page 568.
- Configure IM user profiles. For IM users, you can configure user lists that either allow or block use of network resources. For more information, see IM user monitor list on page 594.
- Configure your FortiGate unit to authenticate users by using your RADIUS, LDAP, or TACACS+ servers. For more information, see RADIUS on page 571, LDAP on page 575, and TACACS+ on page 578.
- Configure access to the FortiGate unit if you use a Directory Service server for authentication. For more information, see Configuring a Directory Service server on page 581.
- Configure certificate-based authentication for administrative access (HTTPS web-based manager), IPSec, SSL VPN, and web-based firewall authentication. For more information, see PKI on page 581.

You can configure your FortiGate unit to authenticate system administrators with your FortiGate unit, using RADIUS, LDAP and TACACS+ servers, and with certificate-based authentication using PKI. For more information, see System Admin on page 209.

You can change the authentication timeout value or select the protocol supported for firewall authentication. For more information, see Options on page 590.

You can view lists of currently authenticated users, active SSL VPN sessions, activity on IPSec VPN tunnels, authenticated IM users, and banned users. For more information, see Monitor on page 591.

For each network resource that requires authentication, you specify which user groups are permitted access to the network. There are three types of user groups: Firewall, Directory Service, and SSL VPN. For more information, see Firewall user groups on page 584, Directory Service user groups on page 585, and SSL VPN user groups on page 585.

Local user accounts


A local user is a user configured on a FortiGate unit. The user can be authenticated with a password stored on the FortiGate unit (the user name and password must match a user account stored on the FortiGate unit) or with a password stored on an authentication server (the user name must match a user account stored on the FortiGate unit, and the user name and password must match a user account stored on the authentication server associated with the user).

Instant Messenger (IM) protocols are gaining in popularity as an essential way to communicate between two or more individuals in real time. Some companies even rely on IM protocols for critical business applications such as customer and technical support. The most common IM protocols in use today include AOL Instant Messenger, Yahoo Instant Messenger, MSN Messenger, and ICQ. FortiGate units allow you to set up IM user policies that either allow or block each user's use of an IM protocol.

Configuring Local user accounts


You can block a user with a valid local user account from authenticating at all, or configure the FortiGate unit to allow a user to authenticate with a user name and password stored on the FortiGate unit, or with an account stored on a specific server (LDAP, RADIUS, or TACACS+). To view the list of existing local users, go to User > Local.
Figure 372: Example Local user list

Create New: Add a new local user account.
User Name: The local user name.
Type: The authentication type to use for this user. The authentication types are Local (user and password stored on the FortiGate unit), LDAP, RADIUS, and TACACS+ (user and password match a user account stored on the authentication server).
Delete icon: Delete the user. The delete icon is not available if the user belongs to a user group.
Edit icon: Edit the user account.

Note: Deleting the user name deletes the authentication configured for the user.

To add a Local user, go to User > Local, select Create New, and enter or select the following:
Figure 373: Local user

User Name: A name that identifies the user.
Disable: Select to prevent this user from authenticating.
Password: Select to authenticate this user using a password stored on the FortiGate unit and then enter the password. The password should be at least six characters; treat six characters as a floor rather than a target, particularly for accounts that can reach VPN or administrative access.
LDAP: Select to authenticate this user using a password stored on an LDAP server. Select the LDAP server from the list. You can select only an LDAP server that has been added to the FortiGate LDAP configuration. For more information, see LDAP on page 575.
RADIUS: Select to authenticate this user using a password stored on a RADIUS server. Select the RADIUS server from the list. You can select only a RADIUS server that has been added to the FortiGate RADIUS configuration. For more information, see RADIUS on page 571.
TACACS+: Select to authenticate this user using a password stored on a TACACS+ server. Select the TACACS+ server from the list. You can select only a TACACS+ server that has been added to the FortiGate TACACS+ configuration. For more information, see TACACS+ on page 578.

Configuring IM user policies


IM user policies determine whether individual IM users are permitted to access instant messaging services or are blocked from them. If you enable virtual domains (VDOMs) on the FortiGate unit, IM is available separately for each virtual domain. For more information, see Using virtual domains on page 103.

Note: If virtual domains are enabled on the FortiGate unit, IM features are configured globally. To access these features, select Global Configuration on the main menu.

The IM user list displays information about configured instant messaging user policies. The list can be filtered by protocol and policy. To view the list of IM users, go to User > Local > IM.
Figure 374: IM user list

Create New: Add a new user to the list.
Protocol (filter): Filter the list by selecting a protocol: AIM, ICQ, MSN, Yahoo, or All.
Policy (filter): Filter the list by selecting a policy: Allow, Block, or All.
Protocol: The protocol associated with the user.
Username: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Policy: The policy applied to the user when attempting to use the protocol: Allow or Block.
Edit icon: Change the following user information: Protocol, Username, and Policy.
Delete icon: Permanently remove the user from the list.

To add an IM user, go to User > Local > IM, select Create New, and enter or select the following:
Figure 375: Edit User dialog

Protocol: Select a protocol from the dropdown list: AIM, ICQ, MSN, or Yahoo!.
Username: Enter a name for the user.
Policy: Select a policy from the dropdown list: Allow or Block.

The IM user monitor list displays information about instant messaging users who are currently connected. For more information, see IM user monitor list on page 594.

Configuring older versions of IM applications


Some older versions of IM protocols are able to bypass file blocking because the message types are not recognized.

Supported IM protocols include:

MSN 6.0 and above
ICQ 4.0 and above
AIM 5.0 and above
Yahoo 6.0 and above

If you want to block a protocol version that is older than the ones listed above, use the CLI command:

    config imp2p old-version

For more information, see the FortiGate CLI Reference.

Remote
Remote authentication is generally used to ensure that employees working offsite can remotely access their corporate network with appropriate security measures in place. In general terms, authentication is the process of attempting to verify the (digital) identity of the sender of a communication such as a login request. The sender may be someone using a computer, the computer itself, or a computer program. Since a computer system should be used only by those who are authorized to do so, there must be a measure in place to detect and exclude any unauthorized access.

On a FortiGate unit, you can control access to network resources by defining lists of authorized users, called user groups. To use a particular resource, such as a network or VPN tunnel, the user must:

belong to one of the user groups that is allowed access
correctly enter a user name and password to prove his or her identity, if asked to do so.

RADIUS
Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication, authorization, and accounting functions. FortiGate units use the authentication function of the RADIUS server. To use the RADIUS server for authentication, you must configure the server before you configure the FortiGate users or user groups that will need it.

If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the FortiGate unit sends the user's credentials to the RADIUS server for authentication. If the RADIUS server can authenticate the user, the user is successfully authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user, the FortiGate unit refuses the connection. You can override the default authentication scheme by selecting a specific authentication protocol or changing the default port for RADIUS traffic.
Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645, use the CLI to change the default RADIUS port. For more information, see the config system global command in the FortiGate CLI Reference.

To view the list of RADIUS servers, go to User > Remote > RADIUS.


Figure 376: Example RADIUS server list

Create New: Add a new RADIUS server. The maximum number is 10.
Name: Name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP: Domain name or IP address of the RADIUS server.
Delete icon: Delete a RADIUS server configuration. You cannot delete a RADIUS server that has been added to a user group.
Edit icon: Edit a RADIUS server configuration.

Configuring a RADIUS server


The RADIUS server uses a shared secret key to encrypt information passed between it and clients such as the FortiGate unit. When you configure a RADIUS server, you can also configure a secondary RADIUS server. The FortiGate unit attempts authentication with the primary server first, and if there is no response, uses the secondary server. You can include the RADIUS server in every user group without including it specifically in user group configurations.

Note: The server secret key should be a maximum of 16 characters in length.

The RADIUS server can use several different authentication protocols during the authentication process:

MS-CHAP-V2 is the Microsoft challenge-handshake authentication protocol v2.
MS-CHAP is the Microsoft challenge-handshake authentication protocol v1.
CHAP (challenge-handshake authentication protocol) provides the same functionality as PAP, but does not send the password and other user information over the network to a security server.
PAP (password authentication protocol) is used to authenticate PPP connections. PAP transmits passwords and other user information in clear text (unencrypted).

If you have not selected a protocol, the default protocol configuration uses PAP, MSCHAPv2, and CHAP, in that order. To add a new RADIUS server, go to User > Remote > RADIUS, select Create New, and enter or select the following:


Figure 377: RADIUS server configuration

Name: Enter the name that is used to identify the RADIUS server on the FortiGate unit.
Primary Server Name/IP: Enter the domain name or IP address of the primary RADIUS server.
Primary Server Secret: Enter the RADIUS server secret key for the primary RADIUS server. The primary server secret key should be a maximum of 16 characters in length.
Secondary Server Name/IP: Enter the domain name or IP address of the secondary RADIUS server, if you have one.
Secondary Server Secret: Enter the RADIUS server secret key for the secondary RADIUS server. The secondary server secret key should be a maximum of 16 characters in length.
Authentication Scheme: Select Use Default Authentication Scheme to authenticate with the default method. The default authentication scheme uses PAP, MSCHAP-V2, and CHAP, in that order. Select Specify Authentication Protocol to override the default authentication method, and choose the protocol from the list: MSCHAP-V2, MS-CHAP, CHAP, or PAP, depending on what your RADIUS server needs.
NAS IP/Called Station ID: Enter the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP address that the FortiGate interface uses to communicate with the RADIUS server will be applied.
Include in every User Group: Select to have the RADIUS server automatically included in all user groups.

Dynamically assigning VPN client IP addresses from a RADIUS record


SSL VPN tunnel mode, IPSec, and PPTP VPN sessions can assign IP addresses to remote users by getting the IP address to assign to the user from the Framed-IP-Address field in the RADIUS record received when the RADIUS server confirms that the user has authenticated successfully. See RFC 2865 and RFC 2866 for more information about RADIUS.


For the FortiGate unit to dynamically assign an IP address, the VPN users must be configured for RADIUS authentication and you must include the IP address to assign to the user in the Framed-IP-Address RADIUS field. You configure each type of VPN differently. In each case you are associating the VPN configuration that assigns IP addresses to users with a user group. Assigning IP addresses in this way does not replace assigning IP addresses from a configured IP address range. In fact, you can configure an IP address range as well as enable assigning IP addresses from a RADIUS server. If you use both methods, the FortiGate unit attempts to assign the IP address from the RADIUS record first.

SSL VPN tunnel mode


For SSL VPN, you implement this feature by adding the Tunnel Mode widget to the SSL VPN portal configuration. Go to VPN > SSL > Portal to configure SSL VPN portals. In the Tunnel Mode configuration, set IP Mode to User Group.
Figure 378: Using RADIUS records to assign IP addresses for SSL VPN Tunnel Mode

For more information, see Tunnel Mode widget on page 564.

IPSec VPN DHCP server


You can dynamically assign IP addresses to IPSec VPN clients using RADIUS records by configuring the IPSec DHCP server. In the IPSec DHCP server configuration you set ip-mode to usrgrp:

    config system dhcp server
        edit dhcp_server
            set server-type ipsec
            set ip-mode usrgrp
            ...
    end

PPTP VPN
You can dynamically assign IP addresses to PPTP VPN clients using RADIUS records by configuring the PPTP VPN to use the user group for getting IP addresses:

    config vpn pptp
        set status enable
        set ip-mode usrgrp
        ...
    end
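As an added example that is not Fortinet code, the following Python models the NAS side of the assignment described in this section: it checks the Response Authenticator of a RADIUS Access-Accept against the shared secret (RFC 2865), takes the client address from the Framed-IP-Address attribute, and falls back to a locally configured address range only when the record carries no usable address, which is the order of precedence stated above. The shared secret, request authenticator and packets are constructed sample values.

```python
"""Added example (not Fortinet code): NAS-side handling of a RADIUS Access-Accept.

Verifies the Response Authenticator (RFC 2865 section 3) with the shared secret,
then extracts Framed-IP-Address (attribute 8) to assign to the VPN client, falling
back to a locally configured address range only when the record has no usable
address. All secrets, authenticators and packets below are constructed samples.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS = 1, 8
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)

# RFC 2865 section 5.8: these two values tell the NAS not to use the attribute literally.
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")
USER_NEGOTIATES = ipaddress.IPv4Address("255.255.255.255")


def encode_attrs(attrs):
    """Serialize (type, value) pairs as Type-Length-Value triples."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attrs(data):
    """Parse TLV attributes, rejecting truncated or zero-length entries."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, attrs, secret):
    """Build a server reply; ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_response(packet, request_auth, secret):
    """Check length and Response Authenticator; return (code, identifier, attributes)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet")
    body = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    # Constant-time compare: a forged or tampered reply must never be trusted.
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Response Authenticator mismatch: reply rejected")
    return code, ident, decode_attrs(body)


def assign_client_ip(packet, request_auth, secret, pool):
    """Return the address to give the VPN client, or None if access was not granted.

    The RADIUS record is tried first; `pool` is an iterator over the configured
    fallback range and is consumed only when the record yields no usable address.
    """
    code, _, attrs = parse_response(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return None
    for attr_type, value in attrs:
        if attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            addr = ipaddress.IPv4Address(value)
            if addr not in (NAS_SELECTS, USER_NEGOTIATES):
                return str(addr)
    return next(pool, None)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample
    request_auth = bytes(range(16))       # constructed; normally random per request
    accept = build_response(
        ACCESS_ACCEPT, 7, request_auth,
        [(ATTR_USER_NAME, b"alice"),
         (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.10.10.5").packed)],
        secret)
    print(assign_client_ip(accept, request_auth, secret, iter(["192.168.50.1"])))
```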


LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain authentication data that may include departments, people, groups of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of defined operations, and a request/response network protocol.

If you have configured LDAP support and require a user to authenticate using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. To authenticate with the FortiGate unit, the user enters a user name and password. The FortiGate unit sends this user name and password to the LDAP server. If the LDAP server can authenticate the user, the FortiGate unit successfully authenticates the user. If the LDAP server cannot authenticate the user, the FortiGate unit refuses the connection.

The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight Directory Access Protocol v3, for looking up and validating user names and passwords. FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the FortiGate CLI Reference.

FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. Nor does FortiGate LDAP supply information to the user about why authentication failed.

To view the list of LDAP servers, go to User > Remote > LDAP.
Figure 379: Example LDAP server list

Create New: Add a new LDAP server. The maximum number is 10.
Name: The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP: The domain name or IP address of the LDAP server.
Port: The TCP port used to communicate with the LDAP server.
Common Name Identifier: The common name identifier for the LDAP server. Most LDAP servers use cn. However, some servers use other common name identifiers such as uid.
Distinguished Name: The distinguished name used to look up entries on the LDAP server. The distinguished name reflects the hierarchy of LDAP database object classes above the common name identifier.
Delete icon: Delete the LDAP server configuration.
Edit icon: Edit the LDAP server configuration.

Configuring an LDAP server


A directory is a set of objects with similar attributes organized in a logical and hierarchical way. Generally, an LDAP directory tree reflects geographic or organizational boundaries, with the Domain Name System (DNS) names at the top level of the hierarchy. The common name identifier for most LDAP servers is cn; however, some servers use other common name identifiers such as uid.

For example, you could use the following base distinguished name:

    ou=marketing,dc=fortinet,dc=com

where ou is organization unit and dc is a domain component. You can also specify multiple instances of the same field in the distinguished name, for example, to specify multiple organization units:

    ou=accounts,ou=marketing,dc=fortinet,dc=com

Binding is said to occur when the LDAP server successfully authenticates the user and allows the user access to the LDAP server based on his or her permissions. You can configure the FortiGate unit to use one of three types of binding:

anonymous - bind using anonymous user search
regular - bind using user name/password and then search
simple - bind using a simple password authentication without a search.

You can use simple authentication if the user records all fall under one dn. If the users are under more than one dn, use the anonymous or regular type, which can search the entire LDAP database for the required user name. If your LDAP server requires authentication to perform searches, use the regular type and provide values for user name and password.

To add an LDAP server, go to User > Remote > LDAP and select Create New. Enter the information below and select OK.
Figure 380: LDAP server configuration

Name: Enter the name that identifies the LDAP server on the FortiGate unit.
Server Name/IP: Enter the domain name or IP address of the LDAP server.
Server Port: Enter the TCP port used to communicate with the LDAP server. By default, LDAP uses port 389. If you use a secure LDAP server, the default port changes when you select Secure Connection.
Common Name Identifier: Enter the common name identifier for the LDAP server. The maximum number of characters is 20.
Distinguished Name: Enter the base distinguished name for the server using the correct X.500 or LDAP format. The FortiGate unit passes this distinguished name unchanged to the server. The maximum number of characters is 512.
Query icon: View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see Using Query.
Bind Type: Select the type of binding for LDAP authentication.
    Regular: Connect to the LDAP server directly with user name/password, then receive accept or reject based on search of given values.
    Anonymous: Connect as an anonymous user on the LDAP server, then retrieve the user name/password and compare them to given values.
    Simple: Connect directly to the LDAP server with user name/password authentication.
Filter: Enter the filter to use for group searching. Available if Bind Type is Regular or Anonymous.
User DN: Enter the Distinguished Name of the user to be authenticated. Available if Bind Type is Regular.
Password: Enter the password of the user to be authenticated. Available if Bind Type is Regular.
Secure Connection: Select to use a secure LDAP server connection for authentication.
Protocol: Select a secure LDAP protocol to use for authentication. Depending on your selection, the value in Server Port will change to the default port for the selected protocol. Available only if Secure Connection is selected.
    LDAPS: port 636
    STARTTLS: port 389
Certificate: Select a certificate to use for authentication from the list. The certificate list comes from CA certificates at System > Certificates > CA Certificates.
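The three bind types described above (simple, anonymous, regular) and the Bind Type field, as an added example that is not part of the original guide: a small Python model of each flow run against a constructed in-memory directory, which makes visible why the simple type works only when every user record sits directly under the configured Distinguished Name. The directory entries, account names and passwords are constructed samples, and the model assumes the server refuses unauthenticated searches.

```python
"""Added example (not Fortinet code): an in-memory model of the three LDAP bind
types a FortiGate unit can use (simple, anonymous, regular), showing why the
simple type works only when every user record sits directly under the configured
Distinguished Name. Directory entries, names and passwords are constructed samples.
"""
import hmac

# Constructed sample directory: DN -> attributes. Two users under different OUs,
# plus a service account the unit would bind with for the regular type.
DIRECTORY = {
    "cn=alice,ou=marketing,dc=example,dc=com": {"cn": "alice", "userPassword": "alice-pw"},
    "cn=bob,ou=accounts,ou=marketing,dc=example,dc=com": {"cn": "bob", "userPassword": "bob-pw"},
    "cn=fgt-bind,ou=services,dc=example,dc=com": {"cn": "fgt-bind", "userPassword": "bind-pw"},
}
ALLOW_ANONYMOUS_SEARCH = False  # assumption: this server refuses unauthenticated searches

BASE_DN = "ou=marketing,dc=example,dc=com"
SIMPLE_CFG = {"bind_type": "simple", "dn": BASE_DN, "cnid": "cn"}
ANON_CFG = {"bind_type": "anonymous", "dn": BASE_DN, "cnid": "cn"}
REGULAR_CFG = {"bind_type": "regular", "dn": BASE_DN, "cnid": "cn",
               "user_dn": "cn=fgt-bind,ou=services,dc=example,dc=com", "password": "bind-pw"}


def ldap_bind(dn, password):
    """Simulate an LDAP bind; an empty DN with an empty password is an anonymous bind."""
    if dn == "" and password == "":
        return True
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry["userPassword"], password)


def ldap_search(base_dn, cn_id, username, authenticated):
    """Subtree search for cn_id=username below base_dn; returns the matching DNs."""
    if not authenticated and not ALLOW_ANONYMOUS_SEARCH:
        raise PermissionError("server requires authentication to search")
    suffix = "," + base_dn
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(suffix) and attrs.get(cn_id) == username]


def authenticate(config, username, password):
    """Authenticate a user the way each bind type does; True on success."""
    bind_type = config["bind_type"]
    if bind_type == "simple":
        # No search: the user DN is built from the CN identifier and the base DN,
        # so a user who lives one OU deeper is never found.
        return ldap_bind(f"{config['cnid']}={username},{config['dn']}", password)
    if bind_type == "anonymous":
        ldap_bind("", "")
        matches = ldap_search(config["dn"], config["cnid"], username, authenticated=False)
    elif bind_type == "regular":
        # Bind with the configured User DN / Password first, then search.
        if not ldap_bind(config["user_dn"], config["password"]):
            return False
        matches = ldap_search(config["dn"], config["cnid"], username, authenticated=True)
    else:
        raise ValueError(f"unknown bind type {bind_type!r}")
    # The search located the record; the password is proven by binding as that user.
    return any(ldap_bind(dn, password) for dn in matches)


if __name__ == "__main__":
    print("simple/alice:", authenticate(SIMPLE_CFG, "alice", "alice-pw"))
    print("simple/bob:", authenticate(SIMPLE_CFG, "bob", "bob-pw"))
    print("regular/bob:", authenticate(REGULAR_CFG, "bob", "bob-pw"))
```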

Using Query
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all the distinguished names associated with the Common Name Identifier for the LDAP server. The tree helps you to determine the appropriate entry for the DN field. To see the distinguished name associated with the Common Name identifier, select the Expand Arrow beside the CN identifier and then select the DN from the list. The DN you select is displayed in the Distinguished Name field. Select OK to save your selection in the Distinguished Name field of the LDAP Server configuration. To see the users within the LDAP Server user group for the selected Distinguished Name, select the Expand arrow beside the Distinguished Name in the LDAP Distinguished Name Query tree.


Figure 381: Example LDAP server Distinguished Name Query tree (callouts: Common Name Identifier (CN), Distinguished Name (DN), Expand Arrow)

TACACS+
In recent years, remote network access has shifted from terminal access to LAN access. Users connect to their corporate network (using notebooks or home PCs) with computers that use complete network connections and have the same level of access to the corporate network resources as if they were physically in the office. These connections are made through a remote access server. As remote access technology has evolved, the need for network access security has become increasingly important.

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers. TACACS+ allows a client to accept a user name and password and send a query to a TACACS+ authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49.

To view the list of TACACS+ servers, go to User > Remote > TACACS+.
Figure 382: Example TACACS+ server list

Create New: Add a new TACACS+ server. The maximum number is 10.
Server: The server domain name or IP address of the TACACS+ server.
Authentication Type: The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon: Delete this TACACS+ server.
Edit icon: Edit this TACACS+ server.

Configuring TACACS+ servers


There are several different authentication protocols that TACACS+ can use during the authentication process:

ASCII Machine-independent technique that uses representations of English characters. Requires user to type a user name and password that are sent in clear text (unencrypted) and matched with an entry in the user database stored in ASCII format.

PAP (password authentication protocol) Used to authenticate PPP connections. Transmits passwords and other user information in clear text.

CHAP (challenge-handshake authentication protocol) Provides the same functionality as PAP, but more secure as it does not send the password and other user information over the network to the security server.

MS-CHAP (Microsoft challenge-handshake authentication protocol v1) Microsoft-specific version of CHAP.

The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order. To add a new TACACS+ server, go to User > Remote > TACACS+, select Create New, and enter or select the following:
Figure 383: TACACS+ server configuration

Name: Enter the name of the TACACS+ server.
Server Name/IP: Enter the server domain name or IP address of the TACACS+ server.
Server Key: Enter the key to access the TACACS+ server. The server key should be a maximum of 16 characters in length.
Authentication Type: Select the authentication type to use for the TACACS+ server. Selection includes: Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using PAP, MSCHAP, and CHAP (in that order).

Directory Service
Windows Active Directory (AD) and Novell eDirectory provide central authentication services by storing information about network resources across a domain (a logical group of computers running versions of an operating system) in a central directory database. Each person who uses computers within a domain receives his or her own unique account/user name. This account can be assigned access to resources within the domain. In a domain, the directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related features that affect the user/domain interactions, security centralization, and administrative functions.


FortiGate units use firewall policies to control access to resources based on user groups configured in the policies. Each FortiGate user group is associated with one or more Directory Service user groups. When a user logs in to the Windows or Novell domain, a Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user's IP address and the names of the Directory Service user groups to which the user belongs.

The FSAE has two components that you must install on your network:

The domain controller (DC) agent must be installed on every domain controller to monitor user logins and send information about them to the collector agent.
The collector agent must be installed on at least one domain controller to send the information received from the DC agents to the FortiGate unit.

The FortiGate unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the FortiGate unit does not perform authentication. It recognizes group members by their IP address. You must install the Fortinet Server Authentication Extensions (FSAE) on the network and configure the FortiGate unit to retrieve information from the Directory Service server. For more information about FSAE, see the FSAE Technical Note. To view the list of Directory Service servers, go to User > Directory Service.
Figure 384: Example Directory Service server list

Expand Arrow: Select the Expand arrow beside the server/domain/group name to display Directory Service domain and group information.
Create New: Add a new Directory Service server.
Name: The name defined for the Directory Service server.
Domain: The domain name imported from the Directory Service server.
Groups: The group names imported from the Directory Service server.
FSAE Collector IP: The IP addresses and TCP ports of up to five FSAE collector agents that send Directory Service server login information to the FortiGate unit.
Delete icon: Delete this Directory Service server.
Edit icon: Edit this Directory Service server.
Add User/Group: Add a user or group to the list. You must know the distinguished name for the user or group.
Edit Users/Group: Select users and groups to add to the list.

Configuring a Directory Service server


You need to configure the FortiGate unit to access at least one FSAE collector agent. You can specify up to five Directory Service servers on which you have installed a collector agent. If your FSAE collector agent requires authenticated access, you enter a password for the server. The server name appears in the list of Directory Service servers when you create user groups. You can also retrieve Directory Service information directly through an LDAP server instead of through the FSAE agent.
Note: You can create a redundant configuration on your FortiGate unit if you install a collector agent on two or more domain controllers. If the current (or first) collector agent fails, the FortiGate unit switches to the next one in its list of up to five collector agents.

You can enter information for up to five collector agents. To add a new Directory Service server, go to User > Directory Service, select Create New, and enter or select the following:
Figure 385: Directory Service server configuration

Name: Enter the name of the Directory Service server. This name appears in the list of Directory Service servers when you create user groups.
FSAE Collector IP/Name: Enter the IP address or name of the Directory Service server where this collector agent is installed. The maximum number of characters is 63.
Port: Enter the TCP port used for Directory Service. This must be the same as the FortiGate listening port specified in the FSAE collector agent configuration.
Password: Enter the password for the collector agent. This is required only if you configured your FSAE collector agent to require authenticated access.
LDAP Server: Select the check box and select an LDAP server to access the Directory Service.

PKI
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication library that takes a list of peers, peer groups, and/or user groups and returns authentication successful or denied notifications. Users only need a valid certificate for successful authentication; no user name or password is necessary. Firewall and SSL VPN are the only user group types that can use PKI authentication.


For more information about certificate authentication, see the FortiGate Certificate Management User Guide. For information about the detailed PKI configuration settings available only through the CLI, see the FortiGate CLI Reference. To view the list of PKI users, go to User > PKI.
Figure 386: Example PKI User list

Name: The name of the PKI user.
Subject: The text string that appears in the subject field of the certificate of the authenticating user.
CA: The CA certificate that is used to authenticate this user.
Delete icon: Delete this PKI user. The delete icon is not available if the peer user belongs to a user group. Remove it from the user group first.
Edit icon: Edit this PKI user.

Configuring peer users and peer groups


You can define peer users and peer groups used for authentication in some VPN configurations and for PKI certificate authentication in firewall policies. A peer user is a digital certificate holder that can use PKI authentication. Before using PKI authentication, you must define peer users to include in the user group that is incorporated into the firewall authentication policy.

To define a peer user, you need:

a peer user name
the text from the subject field of the certificate of the authenticating peer user, or the CA certificate used to authenticate the peer user.

You can add or modify other configuration settings for PKI authentication. For more information, see the FortiGate CLI Reference.

Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a value for either subject or ca. If you do not do so, and then open the user record in the web-based manager, you will be prompted to enter a subject or ca value before you can continue.

To create a peer user for PKI authentication, go to User > PKI, select Create New, and enter the following:

Figure 387: PKI user

Name: Enter the name of the PKI user.
Subject: Enter the text string that appears in the subject field of the certificate of the authenticating user. This field is optional.
CA: Enter the CA certificate that must be used to authenticate this user. This field is optional.

Note: You must enter a value for at least one of Subject or CA.

You can configure peer user groups only through the CLI. For more information, see the FortiGate CLI Reference.

User Group
A user group is a list of user identities. An identity can be:

a local user account (user name and password) stored on the FortiGate unit
a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
a user or user group defined on a Directory Service server.

Each user group belongs to one of three types: Firewall, Directory Service or SSL VPN. For information about each type, see Firewall user groups on page 584, Directory Service user groups on page 585, and SSL VPN user groups on page 585. For information on configuring each type of user group, see Configuring a user group on page 586.

In most cases, the FortiGate unit authenticates users by requesting each user name and password. The FortiGate unit checks local user accounts first. If the unit does not find a match, it checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group. Authentication succeeds when the FortiGate unit finds a matching user name and password.

For a Directory Service user group, the Directory Service server authenticates users when they log in to the network. The FortiGate unit receives the user's name and IP address from the FSAE collector agent. For more information about FSAE, see the FSAE Technical Note.

You can configure user groups to provide authenticated access to:

Firewall policies that require authentication. See Adding authentication to firewall policies on page 327. You can choose the user groups that are allowed to authenticate with these policies.

SSL VPNs on the FortiGate unit. See Configuring SSL VPN identity-based firewall policies on page 331.

IPSec VPN Phase 1 configurations for dialup users. See Creating a new phase 1 configuration on page 534. Only users in the selected user group can authenticate to use the VPN tunnel.

XAuth for IPSec VPN Phase 1 configurations. See XAUTH in Defining phase 1 advanced settings on page 536. Only users in the selected user group can be authenticated using XAuth.

FortiGate PPTP configuration. See PPTP configuration using FortiGate web-based manager on page 547. Only users in the selected user group can use PPTP.

FortiGate L2TP configuration. You can configure this only by using the config vpn l2tp CLI command. See the FortiGate CLI Reference. Only users in the selected user group can use L2TP.

Administrator login with RADIUS authentication. See Configuring RADIUS authentication for administrators on page 214. Only administrators with an account on the RADIUS server can log in.

FortiGuard Web Filtering override groups. See FortiGuard - Web Filter on page 487. When FortiGuard Web Filtering blocks a web page, authorized users can authenticate to access the web page or to allow members of another group to access it.

For each resource that requires authentication, you specify which user groups are permitted access. You need to determine the number and membership of user groups appropriate to your authentication needs.

Firewall user groups


A firewall user group provides access to a firewall policy that requires authentication and lists the user group as one of the allowed groups. The FortiGate unit requests the group member's user name and password when the user attempts to access the resource that the policy protects. You can also authenticate a user by certificate if you have selected this method. For more information, see Adding authentication to firewall policies on page 327.

A firewall user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. The user's VPN client is configured with the user name as peer ID and the password as pre-shared key. The user can connect successfully to the IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit.
Note: A user group cannot be a dialup group if any member is authenticated using a RADIUS or LDAP server.

For more information, see Creating a new phase 1 configuration on page 534.


For information about configuring a Firewall user group, see Configuring a user group on page 586. You can also use a firewall user group to provide override privileges for FortiGuard web filtering. For more information, see Configuring FortiGuard Web filtering override options on page 589. For detailed information about FortiGuard Web Filter, including the override feature, see FortiGuard - Web Filter on page 487.

Directory Service user groups


On a network, you can configure the FortiGate unit to allow access to members of Directory Service server user groups who have been authenticated on the network. The Fortinet Server Authentication Extensions (FSAE) must be installed on the network domain controllers.
Note: You cannot use Directory Service user groups directly in FortiGate firewall policies. You must add Directory Service groups to FortiGate user groups. A Directory Service group should belong to only one FortiGate user group. If you assign it to multiple FortiGate user groups, the FortiGate unit recognizes only the last user group assignment.

A Directory Service user group provides access to a firewall policy that requires Directory Service type authentication and lists the user group as one of the allowed groups. The members of the user group are Directory Service users or groups that you select from a list that the FortiGate unit receives from the Directory Service servers that you have configured. See Directory Service on page 579.

Note: A Directory Service user group cannot have SSL VPN access.

You can also use a Directory Service user group to provide override privileges for FortiGuard web filtering. For more information, see Configuring FortiGuard Web filtering override options on page 589. For detailed information about FortiGuard Web Filter, including the override feature, see FortiGuard - Web Filter on page 487. For information on configuring user groups, see Configuring a user group on page 586.

SSL VPN user groups


An SSL VPN user group provides access to a firewall policy that requires SSL VPN type authentication and lists the user group as one of the allowed groups. Local user accounts, LDAP, and RADIUS servers can be members of an SSL VPN user group. The FortiGate unit requests the user's user name and password when the user accesses the SSL VPN web portal. The user group settings include options for SSL VPN features.

An SSL VPN user group can also provide access to an IPSec VPN for dialup users. In this case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer option. You configure the user's VPN client with the user name as peer ID and the password as pre-shared key. The user can connect successfully to the IPSec VPN only if the user name is a member of the allowed user group and the password matches the one stored on the FortiGate unit. For more information about configuring user groups for IPSec VPN, see Creating a new phase 1 configuration on page 534.
Note: A user group cannot be an IPSec dialup group if any member is authenticated using a RADIUS or LDAP server.


For information on configuring user groups, see Configuring a user group on page 586. For information on configuring SSL VPN user group options, see Configuring SSL VPN identity-based firewall policies on page 331.
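The dialup IPSec arrangement described for Firewall user groups and SSL VPN user groups above, written out as an added CLI example that is not part of this guide: a local user, a user group that contains only local users (so it remains eligible to be a dialup group), and a dialup phase 1 that accepts a group member's user name as the peer ID and that user's password as the pre-shared key. The object names (alice, dialup_users, remote_dialup, wan1) are placeholders chosen for the example, and the command and keyword names are written from memory of the FortiOS 4.0 CLI, so confirm them against the FortiGate CLI Reference for your firmware before use. Lines beginning with # are explanatory comments. Other phase 1 settings (proposals, DPD, NAT traversal) are left at their defaults.

```text
# Added example, not taken from this guide. Keywords are written from memory
# of the FortiOS 4.0 CLI; verify them against the FortiGate CLI Reference.
# Object names (alice, dialup_users, remote_dialup, wan1) are placeholders.

# 1. A local user. The password stored here is also the pre-shared key the
#    user's VPN client must present, so treat it with the care of a PSK.
config user local
    edit "alice"
        set type password
        set passwd "Qs7!vTj2-example-passphrase"
    next
end

# 2. A Firewall user group. Only local users are members: a group that
#    contains a RADIUS or LDAP server cannot be used as a dialup group.
config user group
    edit "dialup_users"
        set group-type firewall
        set member "alice"
    next
end

# 3. A dialup phase 1 (dynamic remote gateway) that accepts the peer ID only
#    if it is a user name in dialup_users, and uses that user's stored
#    password as the pre-shared key for the IKE exchange. The client sets its
#    local ID to "alice" and its pre-shared key to alice's password.
config vpn ipsec phase1
    edit "remote_dialup"
        set type dynamic
        set interface "wan1"
        set peertype dialup
        set usrgrp "dialup_users"
    next
end
```

The pre-shared key has to be available to the FortiGate unit itself at IKE time, which is why a password held only on a RADIUS or LDAP server cannot serve this purpose and why the note above excludes such groups. It also means the user's password now lives in every VPN client configuration that uses it, so a group used this way is best dedicated to dialup clients rather than shared with web-based firewall authentication.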

Viewing the User group list


To view the User group list, go to User > User Group.
Figure 388: Example User group list (callouts: Expand Arrow, Edit, Delete)

Create New: Add a new user group.
Group Name: The name of the user group. User group names are listed by type of user group: Firewall, Directory Service and SSL VPN. For more information, see Firewall user groups on page 584, Directory Service user groups on page 585, and SSL VPN user groups on page 585.
Members: The Local users, RADIUS servers, LDAP servers, TACACS+ servers, Directory Service users/user groups or PKI users found in the user group.
Delete icon: Delete the user group. You cannot delete a user group that is included in a firewall policy, a dialup user phase 1 configuration, or a PPTP or L2TP configuration.
Edit icon: Edit the membership and options of the group.

Configuring a user group


To add a new user group, go to User > User Group, select Create New, and enter or select the following according to user group type:
Note: By default, the FortiGate web-based manager displays Firewall options. The following figures show the variations that display for each of the user group types: Firewall, Directory Service, and SSL VPN.

Note: If you try to add LDAP servers or local users to a group configured for administrator authentication, an Entry not found error occurs.


Figure 389: User group configuration - Firewall (callouts: Right Arrow, Left Arrow, Expand Arrow)

Figure 390: User group configuration - Directory Service (callouts: Right Arrow, Left Arrow, Expand Arrow)

Figure 391: User group configuration - SSL VPN (callouts: Right Arrow, Left Arrow)

Name: Enter the name of the user group.
Type: Select the user group type.
  Firewall: Select this group in any firewall policy that requires Firewall authentication. See Adding authentication to firewall policies on page 327 and Configuring FortiGuard Web filtering override options on page 589.
  Directory Service: Select this group in any firewall policy that requires Directory Service authentication. See Adding authentication to firewall policies on page 327.
  SSL VPN: Select this group in any firewall policy with Action set to SSL VPN. Not available in Transparent mode. See Configuring SSL VPN identity-based firewall policies on page 331.
Portal: Select the SSL VPN web portal configuration to use with the User Group. For more information, see SSL VPN web portal on page 554.
Available Users/Groups (Available Members if the user group type is Directory Service): The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, Directory Service users/user groups, or PKI users that can be added to the user group. To add a member to this list, select the name and then select the Right Arrow.
Members: The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, Directory Service users/user groups, or PKI users that belong to the user group. To remove a member, select the name and then select the Left Arrow.
FortiGuard Web Filtering Override: Available only if Type is Firewall or Directory Service. Configure Web Filtering override capabilities for this group. See Configuring FortiGuard Web filtering override options on page 589.


Configuring FortiGuard Web filtering override options


FortiGuard Web Filtering is a managed web filtering solution that sorts hundreds of millions of web pages into a wide range of categories that users can allow, block, or monitor. The FortiGate unit accesses the nearest FortiGuard Web Filtering Service Point to determine the category of a requested web page and then follows the firewall policy configured for the user or interface. The FortiGuard Web Filtering Override option is available only if the user group is Firewall or Directory Service. To configure FortiGuard Web Filtering Override, go to User > User Group and select the Edit icon for a Firewall or Directory Service user group. Select the Expand Arrow beside FortiGuard Web Filtering Override, and enter or select the following information:
Figure 392: FortiGuard Web Filtering Override configuration (callout: Expand Arrow)

Allow to create FortiGuard Web Filtering overrides: Select to allow members of this group to request an override on the FortiGuard Web Filtering Block page. The firewall protection profile governing the connection must have FortiGuard overrides enabled. The protection profile may have more than one user group as an override group. Members of an override group can authenticate on the FortiGuard Web Filter Block Override page to access the blocked site. For more information, see FortiGuard - Web Filter on page 487.
Override Scope: The override can apply to just the user who requested the override, or include others. Select one of the following from the list:
  User: Only the user.
  User Group: The user group to which the user belongs.
  IP: Any user at the user's IP address.
  Profile: Any user with the specified protection profile of the user group.
  Ask: Authenticating user, who chooses the override scope.
Override Type: Select from the list to allow access to:
  Directory: Only the lowest level directory in the URL.
  Domain: The entire website domain.
  Categories: The FortiGuard category.
  Ask: Authenticating user, who chooses the override type.
Override Time: Select to set the duration of the override:
  Constant: Select to set the duration of the override in days, hours, minutes.
  Ask: Authenticating user, who determines the duration of the override. The duration set is the maximum.
Protection Profiles Available: One protection profile can have several user groups with override permissions. Verification of the user group occurs once the user name and password are entered. The overrides can still be enabled or not enabled on a profile-wide basis regardless of the user groups that have permissions to override the profile.
Permission Granted For: The list of defined protection profiles applied to user groups that have override privileges.

Options
You can define setting options for user authentication, including authentication timeout, supported protocols, and authentication certificates. Authentication timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. When user authentication is enabled on a firewall policy, the authentication challenge is normally issued for any of the four protocols (depending on the connection protocol):
- HTTP (can also be set to redirect to HTTPS)
- HTTPS
- FTP
- Telnet

The selections made in the Protocol Support list of the Authentication Settings screen control which protocols support the authentication challenge. Users must connect with a supported protocol first so they can subsequently connect with other protocols. If HTTPS is selected as a method of protocol support, it allows the user to authenticate with a customized Local certificate. When you enable user authentication on a firewall policy, the firewall policy user will be challenged to authenticate. For user ID and password authentication, users must provide their user names and passwords. For certificate authentication (HTTPS or HTTP redirected to HTTPS only), you can install customized certificates on the FortiGate unit and the users can also have customized certificates installed on their browsers. Otherwise, users will see a warning message and have to accept a default FortiGate certificate.
Note: When you use certificate authentication, if you do not specify any certificate when you create the firewall policy, the global settings will be used. If you specify a certificate, the per-policy setting will overwrite the global setting. For information about how to use certificate authentication, see FortiGate Certificate Management User Guide.

To configure authentication setting options, go to User > Options.
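The same settings from the CLI, as an added example that is not part of this guide: a 30-minute idle timeout, challenges on all four protocols, HTTP challenges redirected to HTTPS, and a named local certificate presented by the HTTPS challenge page. The certificate name corp-auth-cert is a placeholder for a local certificate you have already installed, and the command and keyword names are written from memory of the FortiOS 4.0 CLI (config user setting), so verify them against the FortiGate CLI Reference. Lines beginning with # are explanatory comments.

```text
# Added example, not from this guide. Keywords from memory of the
# FortiOS 4.0 CLI; verify against the FortiGate CLI Reference.
config user setting
    # idle time in minutes before the user must authenticate again (1-480)
    set auth-timeout 30
    # protocols on which the authentication challenge is issued
    set auth-type http https ftp telnet
    # send HTTP users to an HTTPS challenge page instead of a cleartext form
    set auth-secure-http enable
    # local certificate presented by the HTTPS challenge page (placeholder name)
    set auth-cert "corp-auth-cert"
end
```

Without the redirect, the HTTP challenge form carries the user name and password in cleartext between the client and the FortiGate unit, which matters wherever authenticating users share a network segment with hosts you do not trust; with it, the only cleartext exchange is the redirect itself. Choose a certificate that chains to a CA the users' browsers already trust: if they are trained to click through the warning the guide mentions, they will click through a forged challenge page just as readily.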


Figure 393: Authentication Settings

Authentication Timeout: Enter a length of time in minutes, from 1 to 480. Authentication Timeout controls how long an authenticated firewall connection can be idle before the user must authenticate again. The default value is 30.
Protocol Support: Select the protocols to challenge during firewall user authentication.
Certificate: If using HTTPS protocol support, select the Local certificate to use for authentication. Available only if HTTPS protocol support is selected.
Apply: Apply selections for user Authentication Settings.

Monitor
You can go to User > Monitor to view lists of currently authenticated users, active SSL VPN sessions, activity on VPN IPSec tunnels, authenticated IM users, and banned users. For each authenticated user, the list includes the user name, user group, how long the user has been authenticated (Duration), how long until the user's session times out (Time left), and the method of authentication used. VPN tunnel information includes user name, IP address of the remote client, connection type (IPSec), Proxy ID source/destination (IPSec), and start time of the sessions (SSL). The list of IM users includes the source IP address, protocol, and last time the protocol was used. The Banned User list includes users configured by administrators in addition to those quarantined based on AV, IPS, or DLP rules. The following lists are available:
- Firewall user monitor list
- IPSEC monitor list
- SSL VPN monitor list
- IM user monitor list
- NAC quarantine and the Banned User list

Firewall user monitor list


In some environments, it is useful to determine which users are authenticated by the FortiGate unit and to allow the system administrator to de-authenticate (stop the current session of) users. With the Firewall monitor, you can de-authenticate all currently authenticated users, or select single users to de-authenticate. To permanently stop a user from reauthenticating, change the FortiGate configuration (disable the user account) and then use the User monitor to immediately end the user's current session. To view the list of authenticated users (Firewall), go to User > Monitor > Firewall.


Figure 394: Firewall user monitor list (callouts: Refresh, Current Page, Stop individual authentication session)

Refresh: Refresh the Firewall user monitor list.
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of logged in users.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. For more information, see Using column settings to control the columns displayed on page 58 and Web-based manager icons on page 60.
Clear All Filters: Remove all filters applied to the Firewall user monitor list.
De-authenticate All Users: Stop authenticated sessions for all users in the Firewall user monitor list. User(s) must re-authenticate with the firewall to resume their communication session.
Filter icons: Edit the column filters to filter or sort the firewall user monitor list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 53.
User Name: The user names of all connected remote users.
User Group: The user group that the remote user is part of.
Duration: Length of time since the user was authenticated.
Time-left: Length of time remaining until the user session times out. Only available if the authentication time of the session will be automatically extended (authentication keepalive is enabled). If authentication keepalive is not enabled, the value in Time-left will be N/A. For more information, see the FortiGate CLI Reference.
IP Address: The user's source IP address.
Traffic Volume: The amount of traffic through the FortiGate unit generated by the user.
Method: Authentication method used for the user by the FortiGate unit (authentication methods can be FSAE, firewall authentication, or NTLM).

IPSEC monitor list


You can use the IPSEC monitor to view activity on IPSec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels, including tunnel mode and route-based (interface mode) tunnels. You can use filters to control the information displayed in the list. For more information, see Adding filters to web-based manager lists on page 53. To view active tunnels, go to User > Monitor > IPSEC.


Figure 395: IPSec Monitor list (callout: Current Page)

Type: Select the types of VPN to display: All, Dialup, or Static IP or Dynamic DNS.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column displaying order in the table. For more information, see Using column settings to control the columns displayed on page 58 and Web-based manager icons on page 60.
Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of monitored VPNs.
Clear All Filters: Select to clear any column display filters you might have applied.
Filter icons: Edit the column filters to filter or sort the IPSec monitor list according to the criteria you specify. For more information, see Adding filters to web-based manager lists on page 53.
Name: The name of the phase 1 configuration for the VPN.
Remote Gateway: The public IP address of the remote host device, or if a NAT device exists in front of the remote host, the public IP address of the NAT device.
Remote Port: The UDP port of the remote host device, or if a NAT device exists in front of the remote host, the UDP port of the NAT device. Zero (0) indicates that any port can be used.
Proxy ID Source: The IP addresses of the hosts, servers, or private networks behind the FortiGate unit. The page may display a network range if the source address in the firewall encryption policy was expressed as a range of IP addresses.
Proxy ID Destination: When a FortiClient dialup client establishes a tunnel: If VIP addresses are not used, the Proxy ID Destination field displays the public IP address of the remote host Network Interface Card (NIC). If VIP addresses were configured (manually or through FortiGate DHCP relay), the Proxy ID Destination field displays either the VIP address belonging to the FortiClient dialup client, or the subnet address from which VIP addresses were assigned. When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field displays the IP address of the remote private network.
Tunnel up or tunnel down icon: A green arrow means the tunnel is currently processing traffic. Select to bring down the tunnel. A red arrow means the tunnel is not processing traffic. Select to bring up the tunnel.

For Dialup VPNs, the list provides status information about the VPN tunnels established by dialup clients, including their IP addresses. The number of tunnels shown in the list can change as dialup clients connect and disconnect. For Static IP or dynamic DNS VPNs, the list provides status and IP addressing information about VPN tunnels, active or not, to remote peers that have static IP addresses or domain names. You can also start and stop individual tunnels from the list.

SSL VPN monitor list


You can view a list of all active SSL VPN sessions. The list displays the user name of the remote user, the IP address of the remote client, and the time the connection was made. You can also see which services are being provided, and delete an active web session from the FortiGate unit. For more information, see SSL VPN on page 551.


To view the list of active SSL VPN sessions, go to User > Monitor > SSL.
Figure 396: SSL VPN monitor list (callout: Delete)

No.: The connection identifiers.
User: The user names of all connected remote users.
Source IP: The IP addresses of the host devices connected to the FortiGate unit.
Begin Time: The starting time of each connection.
Description: Information about the services provided by an SSL VPN tunnel session. Subsession Tunnel IP: IP address that the FortiGate unit assigned to the remote client. Delete icon: Delete the current subsession.
Action (Delete icon): Delete a web session.

IM user monitor list


User lists can be managed to allow or block certain users. Each user can be assigned a policy to allow or block activity for each IM protocol. Each IM function can be individually allowed or blocked providing the administrator the granularity to block the more bandwidth consuming features such as voice chat while still allowing text messaging. The IM user monitor list displays information about instant messaging users who are currently connected. The list can be filtered by protocol. After IM users connect through the firewall, the FortiGate unit displays which users are connected. You can analyze the list and decide which users to allow or block. To view the list of active IM users, go to User > Monitor > IM.
Figure 397: IM user monitor list

Protocol (filter): Filter the list by selecting the protocol for which to display current users: AIM, ICQ, MSN, or Yahoo. All current users can also be displayed.
#: The position number of the IM user in the list.
Protocol: The protocol being used.
User Name: The name selected by the user when registering with an IM protocol. The same user name can be used for multiple IM protocols. Each user name/protocol pair appears separately in the list.
Source IP: The address from which the user initiated the IM session.
Last Login: The last time the current user used the protocol.
Block: Select to add the user name to the permanent black list. Each user name/protocol pair must be explicitly blocked by the administrator.

NAC quarantine and the Banned User list


You can use Network Access Control (NAC) quarantine to block access through the FortiGate unit when virus scanning detects a virus, or when an IPS sensor or a DoS sensor detects an attack. You can configure NAC quarantine for IPS sensor filters and overrides. NAC quarantine blocks access for the IP address that sent the virus or attack or blocks all traffic from connecting to the FortiGate interface that received the virus or attack. You can also configure IPS sensors and DoS sensors to block communication between the IP address that sent the attack and the target or receiver (victim) of the attack. NAC quarantine blocking drops blocked packets at the network layer before the packets are accepted by firewall policies.
Caution: If you have configured NAC quarantine to block IP addresses and the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device, not just the traffic of individual users behind it, could be blocked.

NAC quarantine adds blocked IP addresses or interfaces to the Banned User list. To view the Banned User list, go to User > Monitor > Banned User. When you configure NAC quarantine settings, you can specify how long to block the IP addresses or interfaces. FortiGate administrators can manually enable access again by removing IP addresses or interfaces from the Banned User list. Removing an IP address from the Banned User list means the user can start accessing network services through the FortiGate unit again. Removing an interface from the list means the interface can resume normal receiving and processing of communication sessions. For more information, see The Banned User list on page 596.

NAC quarantine and DLP


You can also use Data Leak Prevention (DLP) sensors to block access and to add users to the Banned User list. However, unlike NAC quarantine, which drops packets at the network layer, DLP blocks packets at the application layer, after the packets have been accepted by firewall policies. Because of this difference, with DLP you have more control over what is blocked and what is not. For example, if a DLP sensor matches content in an SMTP email message, you can configure DLP to block all SMTP email from a sender identified in the From: field of the email messages, without blocking the user from web browsing. DLP will also add the sender's name to the Banned User list. For more information about using actions in DLP sensors, see Adding or editing a rule in a DLP sensor on page 513.

NAC quarantine and DLP replacement messages


A user who is blocked by NAC quarantine or a DLP sensor with action set to Quarantine IP address will typically attempt to start an HTTP session through the FortiGate unit using TCP port 80. When this happens, the FortiGate unit connects the user to one of four NAC quarantine web pages displaying messages that access has been blocked. You can customize these web pages by going to System > Config > Replacement Messages and editing the NAC Quarantine replacement messages. For more information, see NAC quarantine replacement messages on page 204.


When an interface is blocked by NAC quarantine or a DLP sensor with action set to Quarantine Interface, any user attempting to start an HTTP session through this interface using TCP port 80 will also be connected by the FortiGate unit to one of the four NAC quarantine web pages. The DLP Ban and Ban Sender options also send messages to blocked users. For more information, see Adding or editing a rule in a DLP sensor on page 513.

Configuring NAC quarantine


You can configure NAC quarantine for antivirus protection in a protection profile and for IPS sensors and DoS sensors:
- To configure NAC quarantine for antivirus protection, go to Firewall > Protection Profile. Add or edit a protection profile and configure Anti-Virus. Enable Quarantine Virus Sender (to Banned Users List), select a Method, and configure Expires. For more information, see Anti-Virus options on page 407.
- To configure NAC quarantine for an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor. Add or edit an IPS sensor. To add NAC quarantine to a filter, select Add Filter, enable Quarantine Attackers (to Banned Users List), select a Method, and configure Expires. You can also add NAC quarantine to pre-defined and custom overrides in an IPS sensor. For more information, see Configuring filters on page 464 and Configuring pre-defined and custom overrides on page 465.
- To configure NAC quarantine for a DoS sensor, you create or edit a DoS sensor and from the CLI configure NAC quarantine for one or more of the 12 anomaly types. To configure NAC quarantine for an anomaly, you set quarantine to attacker to block the attacker, both to block both the attacker and the target, or interface to block the interface that received the attack. You can add the DoS sensor from the web-based manager or the CLI but you can only configure NAC quarantine from the CLI.

The following example shows how to edit a DoS sensor named QDoS_sensor, set quarantine to attacker for the udp_dst_session anomaly and set the quarantine expiry time to 30 minutes. The example also shows how to set quarantine to both for the icmp_flood anomaly:

    config ips DoS
        edit QDoS_sensor
            config anomaly
                edit udp_dst_session
                    set quarantine attacker
                    set quarantine-expiry 30
                next
                edit icmp_flood
                    set quarantine both
                next
            end
        next
    end

For more information, see the FortiGate CLI Reference.

The Banned User list


The Banned User list shows all IP addresses and interfaces blocked by NAC quarantine. The list also shows all IP addresses, authenticated users, senders, and interfaces blocked by Data Leak Prevention (DLP). The system administrator can selectively release users or interfaces from quarantine or configure quarantine to expire after a selected time period.


All sessions started by users or IP addresses on the Banned User list are blocked until the user or IP address is removed from the list. All sessions to an interface on the list are blocked until the interface is removed from the list. You can configure NAC quarantine to add users or IP addresses to the Banned User list under the following conditions:
- Users or IP addresses that originate attacks detected by IPS: To quarantine users or IP addresses that originate attacks, enable and configure Quarantine Attackers in an IPS Sensor Filter. For more information, see Configuring filters on page 464.
- IP addresses or interfaces that send viruses detected by virus scanning: To quarantine IP addresses that send viruses or interfaces that accept traffic containing a virus, enable Quarantine Virus Sender in a protection profile. For more information, see Anti-Virus options on page 407.
- Users or IP addresses that are banned or quarantined by Data Leak Prevention: Set various options in a DLP sensor to add users or IP addresses to the Banned User list. For more information, see Adding or editing a rule in a DLP sensor on page 513.

To view the Banned User list, go to User > Monitor > Banned User.
Figure 398: Banned User list (callouts: Clear, Current Page, Delete)

Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of banned users or IP addresses.
Clear icon: Remove all users and IP addresses from the Banned User list.
#: The position number of the user or IP address in the list.
Application Protocol: The protocol that was used by the user or IP address added to the Banned User list.
Cause or rule: The FortiGate function that caused the user or IP address to be added to the Banned User list. Cause or rule can be IPS, Antivirus, or Data Leak Prevention.
Created: The date and time the user or IP address was added to the Banned User list.
Expires: The date and time the user or IP address will be automatically removed from the Banned User list. If Expires is Indefinite you must manually remove the user or host from the list.
Delete icon: Delete the selected user or IP address from the Banned User list.


WAN optimization and web caching


You can use FortiGate WAN optimization and web caching to improve performance and security of traffic passing between locations on your wide area network (WAN) or from the Internet to your web servers. This section describes how FortiGate WAN optimization and web caching work and also describes how to configure WAN optimization and web caching. If you enable virtual domains (VDOMs) on the FortiGate unit, WAN optimization is available separately for each virtual domain. For details, see Using virtual domains on page 103. This section describes:
- Frequently asked questions about FortiGate WAN optimization
- Overview of FortiGate WAN optimization
- Configuring WAN optimization
- Configuring a WAN optimization rule
- Web caching
- Client/server or active passive WAN optimization
- Peer to peer WAN optimization
- Protocol optimization
- Byte caching
- SSL offloading for WAN optimization and web caching
- Secure tunnelling
- WAN optimization with FortiClient
- Configuring WAN optimization storage
- WAN optimization and HA
- Configuring peers
- Configuring authentication groups
- Monitoring WAN optimization
- Changing web cache settings

Frequently asked questions about FortiGate WAN optimization


Q: Which FortiGate models support WAN optimization?
A: WAN optimization is supported on the following models:
- FortiGate-51B and 111C
- FortiGate-310B
- FortiGate-620B
- FortiGate-3016B
- FortiGate-3600A
- FortiGate-3810A
- FortiGate-5001A-SW

The 310B, 620B, 3600A, 3016B, 3810A and 5001A-SW must include a FortiGate-ASM-S08 module or FortiGate-ASM-SAS module, or you must configure iSCSI, to support web caching and byte caching.

Q: What happens if my FortiGate unit doesn't include the FortiGate-ASM-S08 module or FortiGate-ASM-SAS module?
A: You can still configure and use WAN optimization even if the FortiGate unit does not have a hard disk. If the hard disk is not available, WAN optimization can still apply all features except web caching and byte caching. If you have an iSCSI device on your network, you can use the CLI to configure WAN optimization to use iSCSI for web caching and byte caching.

Q: How does WAN optimization accept sessions?
A: WAN optimization uses rules to select traffic to be optimized. But, before WAN optimization rules can accept traffic, the traffic must be accepted by a FortiGate firewall policy. All sessions accepted by a firewall policy that also match a WAN optimization rule are processed by WAN optimization.

Q: Can you apply protection profiles to WAN optimization traffic?
A: Within the same VDOM, you cannot apply a protection profile and WAN optimization to the same communication session. As of FortiOS 4.0, in a single VDOM if a firewall policy includes a protection profile, all sessions accepted by the policy are processed by the protection profile and are not processed by WAN optimization. To apply a protection profile to WAN optimization traffic you can use two VDOMs and an inter-VDOM link (or two FortiGate units). On the client end of a WAN optimization link, sessions leaving a LAN should be processed by a protection profile first. Then, using the inter-VDOM link, you can apply WAN optimization in a second VDOM before sending the session over the WAN optimization tunnel. If you want to apply a protection profile to WAN optimized traffic on the server end of a WAN optimization tunnel before the traffic enters the destination LAN, you also require two VDOMs. The first VDOM should terminate the WAN optimization tunnel. Then an inter-VDOM link is required to a second VDOM that applies a protection profile to the sessions before the sessions are sent to the receiving LAN. This may be changed in later FortiOS versions.

Q: Does FortiGate WAN optimization work with other vendors' WAN optimization or acceleration features?
A: No, FortiGate WAN optimization is proprietary to Fortinet. FortiGate WAN optimization is compatible with FortiClient WAN optimization.

Q: Can the web cache feature be used for caching HTTPS sessions?
A: Yes, if you import the correct certificates.

Q: To use FortiGate WAN optimization or web caching, do end users need to configure their web browsers to use the FortiGate unit as a proxy server?
A: No. WAN optimization is transparent to users.


FortiGate Version 4.0 Administration Guide 01-400-89802-20090424 http://docs.fortinet.com/ Feedback

Overview of FortiGate WAN optimization


Using FortiGate WAN optimization you can apply a number of techniques to improve the efficiency of communication across your WAN. These techniques include protocol optimization, byte caching, web caching, and SSL offloading. Protocol optimization can improve the efficiency of traffic that uses the CIFS, FTP, HTTP, or MAPI protocol as well as any other TCP protocol. Byte caching caches files and other data on FortiGate units to reduce the number of times that the same data is transmitted across the WAN. Web caching stores web pages on FortiGate units so that they do not have to be transmitted across the WAN. SSL offloading offloads SSL decryption and encryption from web servers onto FortiGate SSL acceleration hardware. You can also configure FortiGate WAN optimization to send traffic through a secure SSL tunnel to keep the traffic crossing your WAN private.

The basic topology of FortiGate WAN optimization consists of two WAN optimization peers that can communicate across a WAN. The peers can be two FortiGate units or a PC running FortiClient host security and a FortiGate unit. Traffic passing from clients on one part of the WAN to servers on another part of the WAN is intercepted by a WAN optimization peer. This client side WAN optimization peer sets up a WAN optimization tunnel with a server side WAN optimization peer. Together these WAN optimization peers apply WAN optimization features such as protocol optimization, byte caching, web caching, SSL offloading, and secure tunneling to optimize the traffic flow over the WAN between the clients and servers. WAN optimization reduces bandwidth requirements, increases throughput, reduces latency, offloads SSL encryption/decryption and improves privacy for traffic on the WAN.

Figure 399 shows a basic WAN optimization topology that includes two FortiGate units and a PC running FortiClient communicating across a WAN.
Figure 399: Basic WAN optimization topology (a client side peer on the client network and a FortiClient peer, each connected by a WAN optimization tunnel across the WAN to the server side peer on the server network)

Note: The FortiGate units can be operating in NAT/Route or Transparent mode and do not have to be operating in the same mode. WAN optimization is configured for each VDOM and one or both of the units can be operating with multiple VDOMs enabled. If a FortiGate unit or VDOM is operating in Transparent mode with WAN optimization enabled, WAN optimization uses the management IP address as the address of the FortiGate unit instead of the address of an interface.

FortiGate WAN optimization includes the following features:
• Web caching (a type of object caching)
• Client/server or active-passive WAN optimization (also known as automated WAN optimization mode)
• Peer to peer WAN optimization
• Protocol optimization (increases the efficiency of data transmission of traffic based on the communication protocol)
• Byte caching (reduces the amount of duplicate data transmission by caching data for future re-transmission)
• SSL offloading for WAN optimization and web caching (using FortiGate CP6 FortiASIC acceleration to accelerate encryption/decryption of SSL traffic)
• Secure tunnelling (employs SSL encryption to encrypt the WAN optimization tunnel)
• WAN optimization with FortiClient

You can apply different combinations of these WAN optimization techniques to a single traffic stream depending on the traffic type. For example, you can apply byte caching and secure tunneling to any TCP traffic. For HTTP traffic you can also apply protocol optimization and web caching.

WAN optimization tunnels


All optimized traffic passes between the FortiGate units or between a PC running FortiClient and a FortiGate unit over a WAN optimization tunnel. Traffic in the tunnel can be sent in plain text or encrypted using SSL. Both the plain text and the encrypted tunnels use TCP port 7810.
Figure 400: WAN optimization flow (packets from the client enter the WAN optimization client, cross the WAN inside the WAN optimization tunnel on port 7810 to the WAN optimization server, and are delivered to the server; the client connects to the server and the server receives the connection from the client)

A tunnel is started when a client side WAN optimization peer attempts to start a WAN optimization tunnel with a server side WAN optimization peer. Before the tunnel can be started the peers must authenticate with each other and then agree on the tunnel configuration. Then the peers bring up the tunnel and WAN optimization communication over the tunnel starts.

WAN optimization peer authentication


All communication between WAN optimization peers begins with one WAN optimization peer sending a WAN optimization tunnel request to another peer. The tunnel request starts with the WAN optimization peers identifying and authenticating with each other.
Note: Once a tunnel has been established multiple WAN optimization sessions can start and stop between peers without restarting the tunnel.

Peer authentication requires the following configuration on each peer.

All peers must have a unique host ID that identifies each peer. You can add the host ID to a peer from the web-based manager by going to WAN Opt. & Cache > Peer, entering a host ID in the Local Host ID field and selecting Apply. The host ID can be up to 25 characters long and can include spaces.

All peers must know the host IDs and IP addresses of all of the other peers that they can start WAN optimization tunnels with. You can add these host IDs and IP addresses from the web-based manager by going to WAN Opt. & Cache > Peer and selecting Create New. Enter the other peer's host ID in the Peer Host ID field, enter the other peer's IP address in the IP Address field and select OK. The IP address will be the source IP address of tunnel requests sent by the peer. Usually this would be the IP address of the peer's interface that is connected to the WAN, that is, the IP address of the interface from which tunnel requests are sent.

Some WAN optimization rules require you to include a peer and others do not. Even if you are not required to add a peer to a WAN optimization rule, WAN optimization requires local and peer IDs to be added as described above.

Authentication Groups
Adding peers is not strictly a requirement. Instead you can configure authentication groups that accept any peer. However, for this to work both peers must have the same authentication group (with the same name) and both peers must have the same certificate or pre-shared key. This configuration is useful if you have many peers or if peer IP addresses change. For example, you could have many travelling users running FortiClient and participating in WAN optimization using PCs with IP addresses that are always changing as the users travel to different customer sites. This configuration is also useful if you have FortiGate units that get external IP addresses using DHCP or PPPoE. For more information, see Configuring authentication groups on page 635.

WAN optimization rules and firewall policies


To configure WAN optimization you add WAN optimization rules. Similar to firewall policies, when a FortiGate unit receives a connection packet, it analyzes the packet's source address, destination address, and service (by destination port number), and attempts to locate a matching WAN optimization rule that decides how to optimize the traffic over the WAN. See How list order affects rule matching on page 606.

The FortiGate unit applies firewall policies to communication sessions before WAN optimization rules. A WAN optimization rule can be applied to a packet only after the packet is accepted by a firewall policy. If the firewall policy includes a protection profile, communication sessions accepted by the policy are processed by the protection profile and not by WAN optimization. To apply WAN optimization to traffic that is accepted by a firewall policy containing a protection profile you can use multiple FortiGate units or multiple VDOMs. Apply the protection profile in the first FortiGate unit or VDOM and apply WAN optimization in the second FortiGate unit or VDOM.

WAN optimization does not apply source and destination NAT settings included in firewall policies. This means that selecting NAT or adding virtual IPs in a firewall policy does not affect WAN optimized traffic. WAN optimization is also not compatible with firewall load balancing. However, traffic accepted by these policies that is not WAN optimized is processed as expected.

WAN optimization is compatible with identity-based firewall policies. If a session is allowed after authentication and if the identity-based policy that allows the session does not include a protection profile, the session can be processed by matching WAN optimization rules.

Firewall traffic shaping is compatible with client/server (active-passive) transparent mode WAN optimization rules. Traffic shaping is ignored for peer to peer WAN optimization and for client/server WAN optimization not operating in transparent mode.

WAN optimization Transparent mode


WAN optimization is transparent to users. With WAN optimization in place clients connect to servers in the same way as they would without WAN optimization. However, servers receiving packets after WAN optimization see different source addresses depending on whether transparent mode is enabled for WAN optimization or not. If transparent mode is enabled, WAN optimization keeps the original source address of the packets, so servers appear to receive traffic directly from clients. Routing on the server network should be able to route traffic with client source IP addresses from the FortiGate unit to the server and back to the FortiGate unit.
Note: Some protocols, for example CIFS, may not function as expected if transparent mode is not selected. In most cases you should select transparent mode and make sure routing on the server network is configured as required to support transparent mode.

If transparent mode is not enabled, the source address of the packets received by servers is changed to the address of the FortiGate unit interface that sends the packets to the servers. So servers appear to receive packets from the FortiGate unit. Routing on the server network is simpler in this case because client addresses are not involved, but the server sees all traffic as coming from the FortiGate unit and not from individual clients.
Note: Do not confuse WAN optimization transparent mode with FortiGate unit transparent mode. WAN optimization transparent mode is configured in individual WAN optimization rules. FortiGate transparent mode is a system setting that controls how the FortiGate unit (or a VDOM) processes traffic.

FortiGate models that support WAN optimization


WAN optimization is available on newer FortiGate models that also support SSL acceleration, high-capacity internal hard disks, the FortiGate-ASM-S08 module, or the FortiGate-ASM-SAS module. This includes the following models:
• FortiGate-51B and 111C
• FortiGate-310B
• FortiGate-620B
• FortiGate-3000A
• FortiGate-3016B
• FortiGate-3600A
• FortiGate-3810A
• FortiGate-5001A-SW

FortiGate models 51B and 111C use an internal hard disk for web caching and byte caching. FortiGate models 310B, 620B, 3000A, 3016B, 3600A, 3810A, and 5001A-SW use the hard disk in the FortiGate-ASM-S08 module or the SAS system connected to the FortiGate-ASM-SAS module for web caching and byte caching. All FortiGate models that support WAN optimization except for the 51B and 111C models can also be configured to use iSCSI for web caching and byte caching.


WAN optimization uses these various data storage devices for web caching and byte caching. All of these options can provide similar web caching and byte caching performance. If you add more than one storage location (for example, by adding iSCSI to a FortiGate that already has a FortiGate-ASM-S08 module) you can configure different storage locations for web caching and byte caching. If you have not installed a FortiGate-ASM-S08 or ASM-SAS module in a FortiGate unit with a single-width AMC slot you can still configure and use iSCSI for full WAN optimization. A hard disk, the ASM-SAS module, or iSCSI is only required for web caching and byte caching. All other WAN optimization features, including SSL acceleration, are supported if the hard disk, SAS, or iSCSI is not available. You configure iSCSI support from the FortiGate CLI. See the FortiGate CLI Reference for more information.

Configuring WAN optimization


The WAN optimization rule list displays WAN optimization rules in their order of matching precedence. If virtual domains are enabled on the FortiGate unit, WAN optimization rules are configured separately for each virtual domain; you must access the VDOM before you can configure its rules. To access a VDOM, go to System > VDOM, and in the row corresponding to the VDOM whose rules you want to configure, select Enter.

You can add, delete, edit, and re-order rules in the rule list. WAN optimization rule order affects rule matching. For details about arranging rules in the rule list, see How list order affects rule matching on page 606 and Moving a rule to a different position in the rule list on page 607. To view the WAN optimization rule list, go to WAN Opt. & Cache > Rule.

Before you add WAN optimization rules you must add firewall policies to accept the traffic to be optimized. Then you add WAN optimization rules that:
• Match WAN traffic to be optimized that is accepted by a firewall policy, according to the source and destination addresses and destination port of the traffic
• Add the WAN optimization techniques to be applied to the traffic

Figure 401: WAN optimization rule list (the rule list page with its Edit, Delete, Enable/Disable Rules, Insert Before and Move To controls)

Create New: Add a new WAN optimization rule. New rules are added to the bottom of the list.
Status: Select to enable a rule or deselect to disable a rule. A disabled rule is out of service.
ID: The rule identifier. Rules are numbered in the order they are added to the rule list.
Source: The source address or address range that the rule matches.
Destination: The destination address or address range that the rule matches.
Port: The destination port number or port number range that the rule matches.
Method: Indicates whether you have selected byte caching in the WAN optimization rule.
Auto-Detect: Indicates whether the rule is an active (client) rule, a passive (server) rule, or whether auto-detect is off. If auto-detect is off the rule can be a peer to peer rule or a web cache only rule.
Protocol: The protocol optimization WAN optimization technique applied by the rule. See Protocol optimization on page 623.
Peer: For a peer to peer rule, the name of the peer WAN optimizer at the other end of the link.
Mode: Indicates whether the rule applies full optimization or web cache only.
SSL: Indicates whether the rule is configured for SSL offloading.
Secure Tunnel: Indicates whether the rule is configured to use a WAN optimization tunnel.
Delete icon: Delete a rule from the list.
Edit icon: Edit a rule.
Insert WAN Optimization Rule Before icon: Add a new rule above the corresponding rule (the New rule screen appears).
Move To icon: Move the corresponding rule before or after another rule in the list. See How list order affects rule matching on page 606 and Moving a rule to a different position in the rule list on page 607.

How list order affects rule matching


Similar to firewall policies, you add WAN optimization rules to the WAN optimization rule list. The FortiGate unit uses the first matching technique to select the WAN optimization rule to apply to a communication session. When WAN optimization rules have been added, each time the FortiGate firewall accepts a communication session, it then searches the WAN optimization rule list for a matching rule. The search begins at the top of the rule list and progresses in order towards the bottom. Each rule in the rule list is compared with the communication session until a match is found. When the FortiGate unit finds the first matching rule, it applies the matching rule's specified WAN optimization features to the session, and disregards subsequent rules. Matching rules are determined by comparing the rule and the session source and destination addresses and destination port. If no WAN optimization rule matches, the session is processed according to the firewall policy that originally accepted the session.

As a general rule, you should order the WAN optimization rule list from most specific to most general because of the order in which rules are evaluated for a match, and because only the first matching rule is applied to a session. Subsequent possible matches are not considered or applied. Ordering rules from most specific to most general prevents rules that match a wide range of traffic from superseding and effectively masking rules that match exceptions.


For example, you might have a general WAN optimization rule that applies WAN optimization features but does not apply secure tunneling to most WAN traffic, but you want to apply secure tunneling to FTP traffic (FTP traffic uses port 21). In this case, you would add the rule that creates a secure tunnel for FTP sessions above the general rule.

Figure 402: Example: secure tunneling for FTP, correct rule order (the FTP exception rule listed above the general rule)

FTP sessions (using port 21) would immediately match the secure tunnel rule. Other kinds of services would not match the FTP rule, and so rule evaluation would continue until reaching the matching general rule. This rule order has the intended effect. But if you reversed the order of the two rules, positioning the general rule before the FTP rule, all sessions, including FTP, would immediately match the general rule, and the rule to secure FTP would never be applied. This rule order would not have the intended effect.

Figure 403: Example: secure tunneling for FTP, incorrect rule order (the general rule listed above the FTP exception rule)

Similarly, if specific traffic requires exceptional WAN optimization rule settings, you would position those rules above other potential matches in the rule list. Otherwise, the other matching rules will take precedence, and the required authentication, IPSec VPN, or SSL VPN might never occur.

Moving a rule to a different position in the rule list


You can arrange the WAN optimization rule list to influence the order in which rules are evaluated for matches with incoming traffic. Moving a rule in the rule list does not change its ID, which only indicates the order in which the rule was created.
Figure 404: Move rule

To move a rule in the WAN optimization rule list
1 Go to WAN Opt. & Cache > Rule.
2 In the rule list, note the ID of a rule that is before or after your intended destination.
3 In the row corresponding to the rule that you want to move, select the Move To icon.
4 Select Before or After, and enter the ID of the rule that is before or after your intended destination. This specifies the rule's new position in the WAN optimization rule list.
5 Select OK.
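The first-match search and the Move To procedure above are easy to get wrong when a general rule sits above an exception. The following Python script is an added illustration, not FortiGate code: it models a rule list using the address and port formats described in Configuring a WAN optimization rule (IP/mask or hyphenated range; single port or port range), first-match selection, and a Before/After move that preserves rule IDs. It replays the FTP secure-tunnel example with the rules created in the wrong order and then moved, and the web cache only rule from the web caching section. The 0.0.0.0/0 "any" addresses, the /24 masks on 172.20.120.0 and 192.168.10.0, and the 10.x.x.x sample session addresses are assumptions, not values from the guide.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_address(text: str) -> Tuple[int, int]:
    """Parse an address as typed into a rule: 'a.b.c.d/mask' (dotted mask or
    prefix length) or a hyphenated range 'a.b.c.d-e.f.g.h'. A bare address is
    treated as a single host. Returns an inclusive (low, high) integer pair."""
    text = text.strip()
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {text}")
        return lo, hi
    net = ipaddress.IPv4Network(text, strict=False)  # bare host -> /32
    return int(net.network_address), int(net.broadcast_address)


def parse_ports(text: str) -> Tuple[int, int]:
    """Parse a single destination port ('80') or a range ('8000-8080')."""
    parts = [int(p) for p in text.split("-", 1)]
    lo, hi = parts[0], parts[-1]
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port specification: {text}")
    return lo, hi


@dataclass
class Rule:
    id: int                      # assigned when created; a move never changes it
    source: str
    destination: str
    port: str
    secure_tunnel: bool = False  # stands in for the rule's WAN optimization options
    enabled: bool = True         # Status column: a disabled rule is out of service

    def matches(self, src: str, dst: str, dport: int) -> bool:
        s_lo, s_hi = parse_address(self.source)
        d_lo, d_hi = parse_address(self.destination)
        p_lo, p_hi = parse_ports(self.port)
        return (self.enabled
                and s_lo <= int(ipaddress.IPv4Address(src)) <= s_hi
                and d_lo <= int(ipaddress.IPv4Address(dst)) <= d_hi
                and p_lo <= dport <= p_hi)


class RuleList:
    """Ordered rule list: first match wins, Move To (Before/After) by rule ID."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self._next_id = 1

    def add(self, source: str, destination: str, port: str, **opts) -> Rule:
        # Create New: the rule takes the next ID and goes to the bottom of the list.
        rule = Rule(self._next_id, source, destination, port, **opts)
        self._next_id += 1
        self.rules.append(rule)
        return rule

    def move(self, rule_id: int, position: str, ref_id: int) -> None:
        """Move rule_id 'before' or 'after' ref_id. Only the order changes."""
        moving = self._take(rule_id)
        idx = next(i for i, r in enumerate(self.rules) if r.id == ref_id)
        self.rules.insert(idx if position == "before" else idx + 1, moving)

    def _take(self, rule_id: int) -> Rule:
        for i, r in enumerate(self.rules):
            if r.id == rule_id:
                return self.rules.pop(i)
        raise KeyError(f"no rule with ID {rule_id}")

    def first_match(self, src: str, dst: str, dport: int) -> Optional[Rule]:
        # Search top to bottom; later rules are ignored once one matches.
        for rule in self.rules:
            if rule.matches(src, dst, dport):
                return rule
        return None  # no rule: the session keeps only its firewall-policy treatment


def build_ftp_example() -> RuleList:
    """The FTP example with rules created in the wrong order: general rule first."""
    rules = RuleList()
    rules.add("0.0.0.0/0", "0.0.0.0/0", "1-65535")                 # ID 1: general
    rules.add("0.0.0.0/0", "0.0.0.0/0", "21", secure_tunnel=True)  # ID 2: FTP exception
    return rules


def build_web_cache_example() -> RuleList:
    """The web cache only rule from the text (the /24 masks are assumed)."""
    rules = RuleList()
    rules.add("172.20.120.0/24", "192.168.10.0/24", "80")
    return rules


if __name__ == "__main__":
    rules = build_ftp_example()
    hit = rules.first_match("10.0.0.5", "10.1.0.9", 21)
    print("created order", [r.id for r in rules.rules], "FTP matched ID", hit.id, "secure", hit.secure_tunnel)
    rules.move(2, "before", 1)  # the Move To fix: put the exception above the general rule
    hit = rules.first_match("10.0.0.5", "10.1.0.9", 21)
    print("after move   ", [r.id for r in rules.rules], "FTP matched ID", hit.id, "secure", hit.secure_tunnel)
```

Run as a script, the first line shows the FTP session landing on the general rule (ID 1, no secure tunnel) and the second shows it landing on the exception (ID 2) after the move, with both IDs unchanged. Disabling a rule (the Status checkbox) is modelled by `enabled=False`, which makes the search fall through to the next rule rather than stopping.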


Configuring a WAN optimization rule


This section describes the WAN optimization rule options. The options that appear in WAN optimization rules change depending on how you configure the rule. This section describes all of the options. To add a WAN optimization rule, go to WAN Opt. & Cache > Rule and select Create New. See the following sections for information about configuring WAN optimization rules for different types of WAN optimization configurations:
• Configuring web cache only WAN optimization on page 611
• Configuring client/server (active-passive) web caching on page 612
• Configuring peer to peer web caching on page 614
• Configuring client/server (active-passive) WAN optimization on page 617
• Configuring peer to peer WAN optimization on page 620

To add a WAN optimization rule, go to WAN Opt. & Cache > Rule and select Create New.
Mode: Select Full Optimization to add a rule that can apply all WAN optimization features. Select Web Cache Only to add a rule that just applies web caching. If you select Web Cache Only you can configure the source and destination address and port for the rule. You can also select Transparent Mode and Enable SSL.

Source: Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See About WAN optimization addresses on page 622. Only packets whose source address header contains an IP address matching this IP address or address range will be accepted by and subject to this rule. For a passive rule, the server (passive) source address range should be compatible with the source addresses of the matching client (active) rule. To match one passive rule with many active rules the passive rule source address range should include the source addresses of all of the active rules.

Destination: Enter an IP address, followed by a forward slash (/), then subnet mask, or enter an IP address range separated by a hyphen. See About WAN optimization addresses on page 622. Only packets whose destination address header contains an IP address matching this IP address or address range will be accepted by and subject to this rule. For a web-cache only rule, if you set Destination to 0.0.0.0 the rule caches web pages on the Internet or any network. For a passive rule, the server (passive) destination address range should be compatible with the destination addresses of the matching client (active) rule. To match one passive rule with many active rules the passive rule destination address range should include the destination addresses of all of the active rules.

Port: Enter a single port number or port number range. Only packets whose destination port number matches this port number or port number range will be accepted by and subject to this rule. For a passive rule the server (passive) port range should be the same as or a subset of the matching client (active) rule port range. For a passive rule, the server (passive) port range should be compatible with the port range of the matching client (active) rule. To match one passive rule with many active rules the passive rule port range should include the port ranges of all of the active rules.


Auto-Detect: Specify whether the rule is an Active (client) rule, a Passive (server) rule, or whether Auto-Detect is Off. If Auto-Detect is Off the rule is a peer to peer rule. For an Active (client) rule you must select all of the WAN optimization features to be applied by the rule. You can select the protocol to optimize, transparent mode, byte caching, SSL offloading, secure tunneling, and an authentication group. A Passive (server) rule uses the settings in the active rule on the client FortiGate unit to apply WAN optimization settings. You can also select web caching for a passive rule. If Auto-Detect is Off, the rule must include all required WAN optimization features and you must select a Peer for the rule. Select this option to configure peer to peer WAN optimization where this rule can start a WAN optimization tunnel with this peer only. Auto-Detect is not available if you set Mode to Web Cache Only.

Protocol: Select CIFS, FTP, HTTP, or MAPI to apply protocol optimization for one of these protocols. For information about protocol optimization, see Protocol optimization on page 623. Select TCP if the WAN optimization tunnel accepts sessions that use more than one protocol or that do not use the CIFS, FTP, HTTP, or MAPI protocol. You can select a protocol if Auto-Detect is set to Off or Active.

Peer: Select the peer host ID of the peer that this peer to peer WAN optimization rule will start a WAN optimization tunnel with. You can also select Create New to add a new peer. You can select a peer if Auto-Detect is set to Off.

Transparent Mode: Servers receiving packets after WAN optimization see different source addresses depending on whether you select transparent mode or not. You can select Transparent Mode if Auto-Detect is set to Active or Off. You can also select transparent mode for web cache only rules. Select transparent mode to keep the original source address of the packets when they are sent to servers. The servers appear to receive traffic directly from clients. Routing on the server network should be able to route traffic with client source IP addresses from the FortiGate unit to the server and back to the FortiGate unit. If transparent mode is not selected, the source address of the packets received by servers is changed to the address of the FortiGate unit interface that sends the packets to the servers. So servers appear to receive packets from the FortiGate unit. Routing on the server network is usually simpler in this case because client addresses are not involved, but the server sees all traffic as coming from the FortiGate unit and not from individual clients. Some protocols, for example CIFS, may not function as expected if transparent mode is not selected. In most cases you should select transparent mode and make sure routing on the server network is configured as required to support transparent mode.

Enable Byte Caching: Select to apply WAN optimization byte caching to the sessions accepted by this rule. For more information, see Byte caching on page 624.

Enable SSL: Select to apply SSL offloading for HTTPS traffic. You can use SSL offloading to offload SSL encryption and decryption from one or more HTTP servers to the FortiGate unit. If you enable SSL offloading you should configure the rule to accept SSL-encrypted traffic, for example, by configuring the rule to accept HTTPS traffic by setting Port to 443. If you enable SSL offloading, from the FortiGate CLI you must also use the config wanopt ssl-server command to add an SSL server for each HTTP server that you want to offload SSL encryption/decryption for. For more information, see SSL offloading for WAN optimization and web caching on page 624. You can select SSL offloading if Auto-Detect is set to Active or Off. You can also select SSL offloading for web cache only rules.


Enable Secure Tunnel: If you select Enable Secure Tunnel the WAN optimization tunnel is encrypted using SSL encryption. If you enable the secure tunnel you must also add an authentication group to the rule. For more information, see Secure tunnelling on page 630. You can enable secure tunnelling if Auto-Detect is set to Active or Off.

Authentication Group: Select Authentication Group and select an authentication group from the list if you want the FortiGate units to authenticate with each other before starting the WAN optimization tunnel. You must also select an authentication group if you select Enable Secure Tunnel. You must add identical authentication groups to both of the FortiGate units that will participate in the WAN optimization tunnel started by the rule. For more information, see Configuring authentication groups on page 635.

Web caching

FortiGate WAN optimization web caching is a form of object caching that accelerates web applications and web servers by reducing bandwidth usage, server load, and perceived latency. Web caching supports explicit and transparent proxy caching of HTTP 1.0 and HTTP 1.1 web sites. See RFC 2616 for information about web caching for HTTP 1.1.

Web caching involves storing HTML pages, images, servlet responses and other web based objects for later retrieval. FortiGate units cache these objects on a hard disk installed in the FortiGate unit or on a remote iSCSI or SAS device.

There are three significant advantages to using web caching to improve WAN performance:
• Reduced WAN bandwidth consumption because fewer requests and responses go over the WAN
• Reduced web server load because there are fewer requests for web servers to handle
• Reduced latency because responses for cached requests are available from a local FortiGate unit instead of from across the WAN or Internet.

You can use web caching to cache any web traffic that passes through the FortiGate unit, including web pages from web servers on a LAN, WAN or on the Internet. The FortiGate unit caches web objects for all HTTP traffic processed by WAN optimization rules that include web caching. You can add WAN optimization rules for web caching only. You can also add web caching to WAN optimization rules for HTTP traffic that also include byte caching, protocol optimization, and other WAN optimization features.
Note: You can also enable web caching for the FortiGate explicit web proxy. For more information, see To enable web caching for the explicit web proxy on page 149.

Web caching cannot determine whether a file is compressed (for example a zip file) or not and caches compressed (for example, zipped) and non-compressed versions of the same file separately. If the HTTP protocol considers the compressed and uncompressed versions of a file the same object only the compressed or uncompressed file will be cached.


Web cache only topology


A web cache only WAN optimization topology includes one FortiGate unit that acts as a proxy server and web cache server. Web page requests sent by users from the source address in the web cache only rule are intercepted by the FortiGate unit. The FortiGate unit requests web pages from the web servers, caches the web page contents, and returns the web page contents to the users. When the FortiGate unit intercepts requests for cached web pages, it returns the cached pages and does not contact the destination web server except to check for changes. You can configure web cache settings to control how the web cache operates. See Changing web cache settings on page 638.
Figure 405: Example web cache only topology (diagram: clients on the Client Network 172.20.120.0 connect through the FortiGate unit, which performs WAN optimization web caching, to the Web Server Network 192.168.10.0 across the WAN, LAN, or Internet)

Configuring web cache only WAN optimization


You add WAN optimization rules that enable web caching only by going to WAN Opt. & Cache > Rule and selecting Create New to add a WAN optimization rule. To add a rule that enables web caching only, set the Mode to Web Cache Only. If you select Web Cache only, the WAN optimization rule does not perform byte caching or protocol optimization. For example, to configure web caching for users in a network with subnet address 172.20.120.0 connecting to web servers on a network with subnet address 192.168.10.0 you can add a web cache only WAN optimization rule with Source address 172.20.120.0, Destination address 192.168.10.0, and Port 80 (see Figure 406). This rule caches web pages requested by users on the 172.20.120.0 network who are using TCP port 80 to request web pages on the 192.168.10.0 network.
Note: Since only one FortiGate unit is involved in the web cache configuration, you do not need to change the WAN optimization peer configuration for this scenario.

Figure 406: Adding a web cache only WAN optimization rule


To configure web cache only WAN optimization
1 Go to Firewall > Policy and add a firewall policy that accepts traffic to be web cached.
2 Go to WAN Opt. & Cache > Rule and select Create New.
3 Select Web Cache Only.
4 Configure the web cache only rule.

Mode              Web Cache Only
Source            172.20.120.0
Destination       192.168.10.0
Port              80
Transparent Mode  Enable
Enable SSL        Disable

More information about these settings:

Port        Usually you would set the port to 80 to cache normal HTTP traffic. But you can change the Port to a different number (for example 8080) or to a port number range so that the FortiGate unit provides web caching for HTTP traffic using other ports.
Enable SSL  In this example SSL offloading is disabled. For an example of a reverse proxy web cache configuration that also includes only one FortiGate unit and enables SSL offloading, see SSL offloading and reverse proxy web caching for an internet web server on page 627.

5 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.
6 If required, move the rule to a different position in the list. See Moving a rule to a different position in the rule list on page 607.

Configuring client/server (active-passive) web caching


You add web caching support to the passive or server side of an active-passive WAN optimization configuration. Web pages are cached on the server side FortiGate unit so you should also Enable Byte Caching for optimum WAN optimization performance.
Figure 407: Example client/server (active-passive) web cache topology (diagram: User Network 172.20.120.0; WAN Optimization Client with the active rule, Protocol=HTTP, WAN IP address 172.10.10.1; WAN Optimization Server with the passive rule and Enable Web Cache, IP address 172.20.20.1, holding the web cache; Web Server Network 192.168.10.0)


For web caching to work, the WAN optimization tunnel must accept HTTP (and optionally HTTPS) traffic. To do this, the active rule on the client side must include the ports used for HTTP (and HTTPS) traffic. Set Protocol to HTTP to perform protocol optimization of the HTTP traffic. You can also enable SSL offloading, secure tunneling, and add an authentication group.
Figure 408: Adding an active WAN optimization rule compatible with web caching

To configure the client (active) FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client FortiGate unit.

Local Host ID    Client_Side

2 Select Create New and add a Peer Host ID and the IP address for the server side FortiGate unit.

Peer Host ID     Server_Side
IP Address       172.20.20.1

3 Go to Firewall > Policy and add a firewall policy that accepts traffic to be web cached.
4 Go to WAN Opt. & Cache > Rule and select Create New.
5 Configure the rule.

Mode                 Full Optimization
Source               172.20.120.0
Destination          192.168.10.0
Port                 1-65535
Auto-Detect          Active
Protocol             HTTP
Transparent Mode     Enable
Enable Byte Caching  Enable

6 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.
7 If required, move the rule to a different position in the list. See Moving a rule to a different position in the rule list on page 607.


Figure 409: Adding web caching to a passive WAN optimization rule

To configure the server (passive) FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server FortiGate unit.

Local Host ID    Server_Side

2 Select Create New and add a Peer Host ID and the IP address for the client side FortiGate unit.

Peer Host ID     Client_Side
IP Address       172.10.10.1

3 Go to WAN Opt. & Cache > Rule and select Create New.
4 Configure the rule.

Mode              Full Optimization
Source            172.20.120.0
Destination       192.168.10.0
Port              1-65535
Auto-Detect       Passive
Enable Web Cache  Enable

5 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.
6 If required, move the rule to a different position in the list. See Moving a rule to a different position in the rule list on page 607.

Configuring peer to peer web caching


In a peer to peer web caching configuration you create a peer-to-peer WAN optimization rule on the client side FortiGate unit and include the peer host ID of the server side FortiGate unit. In the rule you set Auto-Detect to Off and select Enable Web Cache. Using this rule, the client side FortiGate unit can create a WAN optimization tunnel only with the peer that is added to the rule. In a peer-to-peer configuration you do not have to add a rule to the server side FortiGate unit. If the server side FortiGate unit peer list contains the client FortiGate unit, the server FortiGate unit accepts WAN optimization tunnel connections from the client FortiGate unit and the two units can form a WAN optimization tunnel. The server side FortiGate unit uses the settings in the rule added to the client side FortiGate unit.


For web caching to work the WAN optimization tunnel must allow HTTP (and optionally HTTPS) traffic. To do this, the WAN optimization rule must include the ports used for HTTP (and HTTPS) traffic. Set Protocol to HTTP to perform protocol optimization of the HTTP traffic. You can also enable transparent mode, byte caching, SSL offloading, secure tunneling, and add an authentication group.
Figure 410: Example peer to peer web cache topology (diagram: Client Network 172.20.120.0; WAN Optimization Client, Local Host ID Client_Side, WAN IP address 172.20.34.12; WAN Optimization Server, Local Host ID Server_Side, IP address 192.168.30.12, holding the web cache; Web Server Network 192.168.10.0)

Figure 411: Adding the server side Peer Host ID to the client side peer list

Figure 412: Adding web caching to a peer to peer WAN optimization rule

To configure the client side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client FortiGate unit.

Local Host ID    Client_Side


2 Select Create New and add a Peer Host ID and the IP address for the server side FortiGate unit.

Peer Host ID     Server_Side
IP Address       192.168.30.12

3 Select OK to save the peer.
4 Go to Firewall > Policy and add a firewall policy that accepts traffic to be web cached.
5 Go to WAN Opt. & Cache > Rule and select Create New.
6 Configure the rule.

Mode                 Full Optimization
Source               172.20.120.0
Destination          192.168.10.0
Port                 80
Auto-Detect          Off
Protocol             HTTP
Peer                 Server_Side
Enable Web Cache     Enable
Transparent Mode     Enable
Enable Byte Caching  Enable

7 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.
8 If required, move the rule to a different position in the list. See Moving a rule to a different position in the rule list on page 607.

Figure 413: Adding the client side Peer Host ID to the server side peer list

To configure the server side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server FortiGate unit.

Local Host ID    Server_Side

2 Select Create New and add a Peer Host ID and the IP address for the client side FortiGate unit.

Peer Host ID     Client_Side
IP Address       172.20.34.12

3 Select OK to save the peer.


Client/server or active passive WAN optimization


In a typical client/server or active-passive WAN optimization configuration, a pair of WAN optimizing FortiGate units optimize traffic between a client and a server that are communicating across a WAN. When the client communicates with the server, the WAN Optimization client FortiGate unit applies WAN optimization techniques to the traffic sent from the client. The optimized traffic is sent through the WAN Optimization tunnel over the WAN. The tunnel is intercepted by the WAN Optimization server, which reverses the WAN optimization techniques before sending the data stream to the server. In this configuration, the WAN Optimization client operates in active mode and the server operates in passive mode. You configure an active WAN optimization rule on the client by setting WAN optimization Auto-Detect to Active. You configure a passive WAN optimization rule on the server by setting WAN optimization Auto-Detect to Passive.

Figure 414: Example complementary passive (server) WAN optimization rule

Configuring client/server (active-passive) WAN optimization


You configure client/server (active-passive) WAN optimization by adding an active WAN optimization rule to the client side FortiGate unit and a passive rule to the server side FortiGate unit. You can add multiple active rules for one passive rule. You might want to do this to add multiple active rules to optimize different protocols. Since you don't configure the protocol in the passive rule, one passive rule can be used for each of the active rules. Adding fewer passive rules simplifies the WAN optimization configuration.
Figure 415: Example client/server (active-passive) WAN optimization topology
(diagram: User Network 172.20.120.100 to 172.20.120.200; client side with the active rules, Local Host ID User_net, WAN IP address 172.30.120.1; server side with the passive rule, Local Host ID Web_servers, IP address 192.168.20.1; Web Server Network 192.168.10.0)

This example configuration includes three active rules on the client side FortiGate unit and one passive rule in the server side FortiGate unit. The active rules do the following:
• Optimize HTTP traffic from IP addresses 172.20.120.100 to 172.20.120.150
• Optimize FTP traffic from IP addresses 172.20.120.151 to 172.20.120.200


• Optimize CIFS traffic from IP addresses 172.20.120.100 to 172.20.120.200

You can do this by adding three active WAN optimization rules to the client side FortiGate unit, one for each protocol, with Port set to 80 for the HTTP rule, 21 for the FTP rule and 1-65535 for the CIFS rule. The rules must then be arranged in the WAN optimization rule list with the HTTP and FTP rules above the CIFS rule, because the HTTP and FTP rules include single port numbers while the CIFS rule accepts every port and would otherwise match the HTTP and FTP traffic first.
Figure 416: Example active rule to optimize HTTP traffic

To configure peers on the client side FortiGate unit and add a firewall policy
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client side FortiGate unit.

Local Host ID    User_net

2 Select Create New and add a Peer Host ID and the IP address for the server side FortiGate unit.

Peer Host ID     Web_servers
IP Address       192.168.20.1

3 Go to Firewall > Policy and add a firewall policy that accepts traffic to be optimized.

To add the active rules to the client side FortiGate unit
1 Go to WAN Opt. & Cache > Rule.
2 Select Create New to add the active rule to optimize CIFS traffic from IP addresses 172.20.120.100 to 172.20.120.200.

Mode                 Full Optimization
Source               172.20.120.[100-200]
Destination          192.168.10.0
Port                 1 - 65535
Auto-Detect          Active
Protocol             CIFS
Transparent Mode     Enable
Enable Byte Caching  Enable

3 Select OK to save the rule.


4 Select Create New to add the active rule to optimize HTTP traffic for IP addresses 172.20.120.100 to 172.20.120.150.

Mode                 Full Optimization
Source               172.20.120.[100-150]
Destination          192.168.10.0
Port                 80
Auto-Detect          Active
Protocol             HTTP
Transparent Mode     Enable
Enable Byte Caching  Enable

5 Select OK to save the rule.
6 Select Create New to add the active rule to optimize FTP traffic from IP addresses 172.20.120.151 to 172.20.120.200.

Mode                 Full Optimization
Source               172.20.120.[151-200]
Destination          192.168.10.0
Port                 21
Auto-Detect          Active
Protocol             FTP
Transparent Mode     Enable
Enable Byte Caching  Enable

7 Select OK to save the rule.
8 If required, use the Move To icon to change the order of the rules in the list so that the HTTP and FTP rules are above the CIFS rule in the list. See Moving a rule to a different position in the rule list on page 607.
Figure 417: HTTP, FTP, and CIFS rules in the rule list

To configure the server side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server side FortiGate unit.

Local Host ID    Web_servers

2 Select Create New and add a Peer Host ID and the IP address for the client side FortiGate unit.

Peer Host ID     User_net
IP Address       172.30.120.1


3 Go to WAN Opt. & Cache > Rule and select Create New.
4 Add the passive rule. The source address matches the 172.20.120.100 to 172.20.120.200 IP address range and the 1-65535 port range. You can also enable web caching for the HTTP traffic.

Mode              Full Optimization
Source            172.20.120.[100-200]
Destination       192.168.10.0
Port              1-65535
Auto-Detect       Passive
Enable Web Cache  Enable

5 Select OK to save the rule. The rule is added to the bottom of the rule list.
6 If required, move the rule to a different position in the list.

Peer to peer WAN optimization


Peer-to-peer WAN optimization is very similar to active-passive WAN optimization. The difference is that the peer-to-peer tunnel can only be set up between the client FortiGate unit and the server FortiGate unit named in the WAN optimization rule added to the client FortiGate unit. When the client side FortiGate unit initiates a tunnel with the server side FortiGate unit the packets that initiate the tunnel include extra information so that this server side FortiGate unit can determine that it is a peer-to-peer tunnel request. This extra information is required because the server side FortiGate unit does not require a WAN optimization rule. All that is required on the server side FortiGate unit is that the client Peer Host ID and IP address be added to the server side FortiGate unit peer list. The extra information in the communication session plus the peer list entry allow the server side FortiGate unit to set up the WAN optimization tunnel with the client side FortiGate unit using only the settings on the client side WAN optimization rule.

Configuring peer to peer WAN optimization


In a peer to peer WAN optimization configuration you create a peer-to-peer WAN optimization rule on the client side FortiGate unit with Auto-Detect set to Off and include the peer host ID of the server side FortiGate unit. Using this rule, the client side FortiGate unit can create a WAN optimization tunnel only with the peer that is added to the rule. You do not have to add a rule to the server side FortiGate unit. But the server side FortiGate unit peer list must include the client FortiGate unit. The server side FortiGate unit uses the WAN optimization settings in the client side rule.


Figure 418: Example peer to peer topology (diagram: Client Network 172.20.120.0; WAN Optimization Client, Local Host ID Peer_Fgt_1, WAN IP address 172.20.34.12; WAN Optimization Server, Local Host ID Peer_Fgt_2, IP address 192.168.30.12; Web Server Network 192.168.10.0)

Figure 419: Adding a peer to peer WAN optimization rule

To configure the client side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client side FortiGate unit.

Local Host ID    Peer_Fgt_1

2 Select Create New and add a Peer Host ID and the IP address for the server side FortiGate unit.

Peer Host ID     Peer_Fgt_2
IP Address       192.168.30.12

3 Select OK to save the peer.
4 Go to Firewall > Policy and add a firewall policy that accepts traffic to be optimized.
5 Go to WAN Opt. & Cache > Rule and select Create New.
6 Configure the rule.

Mode                 Full Optimization
Source               172.20.120.0
Destination          192.168.10.0
Port                 1-65535
Auto-Detect          Off


Protocol             MAPI
Peer                 Peer_Fgt_2
Transparent Mode     Enable
Enable Byte Caching  Enable

7 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.
8 If required, move the rule to a different position in the list. See Moving a rule to a different position in the rule list on page 607.

To configure the server side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server side FortiGate unit.

Local Host ID    Peer_Fgt_2

2 Select Create New and add a Peer Host ID and the IP address for the peer side FortiGate unit.

Peer Host ID     Peer_Fgt_1
IP Address       172.20.34.12

3 Select OK to save the peer.

About WAN optimization addresses


A WAN optimization source or destination address can contain one or more network addresses. Network addresses can be represented by an IP address with a netmask or an IP address range. When representing hosts by an IP address with a netmask, the IP address can represent one or more hosts. For example, a source or destination address can be:
• a single computer, such as 192.45.46.45
• a subnetwork, such as 192.168.1.0 for a class C subnet
• 0.0.0.0, which matches any IP address

The netmask corresponds to the subnet class of the address being added, and can be represented in either dotted decimal or CIDR format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted decimal format. Example formats:
• netmask for a single computer: 255.255.255.255, or /32
• netmask for a class A subnet: 255.0.0.0, or /8
• netmask for a class B subnet: 255.255.0.0, or /16
• netmask for a class C subnet: 255.255.255.0, or /24
• netmask including all IP addresses: 0.0.0.0

Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24

Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid source or destination address.


When representing hosts by an IP Range, the range indicates hosts with contiguous IP addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the complete range of hosts on that subnet. Valid IP Range formats include:
• x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
• x.x.x.[x-x], such as 192.168.110.[100-120]
• x.x.x.*, such as 192.168.110.*
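An added example (not Fortinet code) that parses the address and port formats listed above and walks a rule list top to bottom, using the HTTP, FTP and CIFS rules from Configuring client/server (active-passive) WAN optimization to show why the single-port rules must sit above the CIFS rule. First-match evaluation, the explicit /24 mask on the destination, and all function names are assumptions made for this illustration.

```python
import ipaddress
import re

ANY_ADDRESS = (0, 2 ** 32 - 1)  # 0.0.0.0 matches any IP address


def _to_int(text):
    return int(ipaddress.IPv4Address(text.strip()))


def parse_wanopt_address(text):
    """Return [(low, high)] integer intervals for one address field.

    Accepts the formats the guide lists: x.x.x.x/x.x.x.x, x.x.x.x/x,
    x.x.x.x-x.x.x.x, x.x.x.[x-x], x.x.x.* and the bare 0.0.0.0 wildcard.
    """
    text = text.strip()
    if text == "0.0.0.0":
        return [ANY_ADDRESS]
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\*", text)
    if m:  # every host in the last octet
        base = _to_int(m.group(1) + ".0")
        return [(base, base + 255)]
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]", text)
    if m:  # range within the last octet
        base = _to_int(m.group(1) + ".0")
        low, high = int(m.group(2)), int(m.group(3))
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad host range: {text}")
        return [(base + low, base + high)]
    if "-" in text:  # full start-end range
        low, high = (_to_int(part) for part in text.split("-", 1))
        if low > high:
            raise ValueError(f"range end precedes start: {text}")
        return [(low, high)]
    if "/" in text:  # address with a dotted-decimal or CIDR netmask
        addr, mask = text.split("/", 1)
        if addr == "0.0.0.0" and mask in ("32", "255.255.255.255"):
            raise ValueError("0.0.0.0/255.255.255.255 is not a valid address")
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        return [(int(net.network_address), int(net.broadcast_address))]
    raise ValueError(f"unsupported address format: {text}")


def dotted_form(text):
    """Normalize CIDR input the way the unit does: 192.168.1.0/24 -> 192.168.1.0/255.255.255.0."""
    net = ipaddress.IPv4Network(text.strip(), strict=False)
    return f"{net.network_address}/{net.netmask}"


def parse_port(text):
    """Port field: a single port such as 80 or a range such as 1 - 65535."""
    ends = [int(p) for p in text.replace(" ", "").split("-", 1)]
    low, high = ends[0], ends[-1]
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port specification: {text}")
    return (low, high)


def make_rule(protocol, source, destination, port):
    return {"protocol": protocol, "src": parse_wanopt_address(source),
            "dst": parse_wanopt_address(destination), "port": parse_port(port)}


def _covers(intervals, value):
    return any(low <= value <= high for low, high in intervals)


def first_match(rules, src_ip, dst_ip, dst_port):
    """Protocol of the first rule (top to bottom) whose source, destination
    and port all cover the session, or None when no rule applies.
    Assumption: the list is evaluated top to bottom and the first match wins,
    which is why the guide places the single-port rules above the CIFS rule."""
    src, dst = _to_int(src_ip), _to_int(dst_ip)
    for rule in rules:
        if (_covers(rule["src"], src) and _covers(rule["dst"], dst)
                and rule["port"][0] <= dst_port <= rule["port"][1]):
            return rule["protocol"]
    return None


# The three active rules from the client/server example. The destination is
# written with an explicit /24 mask (assumption); the guide shows 192.168.10.0.
HTTP_RULE = make_rule("HTTP", "172.20.120.[100-150]", "192.168.10.0/24", "80")
FTP_RULE = make_rule("FTP", "172.20.120.[151-200]", "192.168.10.0/24", "21")
CIFS_RULE = make_rule("CIFS", "172.20.120.[100-200]", "192.168.10.0/24", "1 - 65535")
RECOMMENDED_ORDER = [HTTP_RULE, FTP_RULE, CIFS_RULE]
CIFS_FIRST = [CIFS_RULE, HTTP_RULE, FTP_RULE]

if __name__ == "__main__":
    session = ("172.20.120.120", "192.168.10.5", 80)  # constructed HTTP session
    print("HTTP/FTP above CIFS:", first_match(RECOMMENDED_ORDER, *session))
    print("CIFS on top:        ", first_match(CIFS_FIRST, *session))
```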

Protocol optimization
FortiGate WAN optimization applies protocol optimization techniques to optimize bandwidth use across the WAN. These techniques can improve the efficiency of communication across the WAN optimization tunnel by reducing the amount of traffic required by communication protocols. Protocol optimization can be applied to specific protocols such as CIFS, FTP, HTTP, and MAPI to apply specific techniques based on the protocol.

For example, Common Internet File System (CIFS) provides file access, record locking, read/write privileges, change notification, server name resolution, request batching, and server authentication. CIFS is a fairly chatty protocol, requiring many background transactions to successfully transfer a single file. This is usually not a problem across a LAN. However, across a WAN, latency and reduced bandwidth can slow down CIFS performance. When you set Protocol to CIFS in a WAN optimization rule, the FortiGate units at either end of the WAN optimization tunnel use a number of techniques to reduce the number of background transactions that occur over the WAN for CIFS traffic.

You can only select one protocol in a WAN optimization rule. For best performance you should separate the traffic by protocol by creating different WAN optimization rules for each protocol. For example, to optimize HTTP traffic you should set Port to 80 so that only HTTP traffic is accepted by this WAN optimization rule. For an example configuration that uses multiple rules for different protocols, see Configuring client/server (active-passive) WAN optimization on page 617.
Figure 420: WAN optimization rule to optimize HTTP traffic

If the WAN optimization rule accepts a range of different types of traffic, you can set Protocol to TCP to employ TCP optimization. This technique applies general optimization techniques to TCP traffic. Applying TCP optimization to a range of different types of traffic is not as effective as applying more protocol-specific optimization to specific types of traffic. TCP protocol optimization uses techniques such as TCP SACK support, TCP window scaling and window size adjustment, and TCP connection pooling to remove TCP bottlenecks.

Byte caching
FortiGate WAN optimization Byte Caching breaks large units of application data (for example, a file being downloaded from a web page) into small chunks of data, labels each chunk of data with a hash of the chunk, and stores those chunks and their hashes in a database. The database is stored on a storage device such as a hard disk or an iSCSI device. Then, instead of sending the actual data over the WAN tunnel, the FortiGate unit sends the hashes. The FortiGate unit at the other end of the tunnel receives the hashes and compares them with the hashes in its local byte caching database. If any hashes match, that data does not have to be transmitted over the WAN optimization tunnel. The data for any hashes that do not match is transferred over the tunnel and added to that byte caching database. Then the unit of application data (the file being downloaded) is reassembled and sent to its destination.

Byte caching is not application specific. Bytes cached from a file in an email can be used to optimize downloading that same file, or a similar file, from a web page. The result is that less data is transmitted over the WAN. Initially, byte caching may reduce performance until a large enough byte caching database is built up.

Select Byte Caching in a WAN optimization rule to enable byte caching. The Protocol setting does not affect byte caching. Data is byte cached when it is processed by a WAN optimization rule that includes byte caching. Byte caching cannot determine whether a file is compressed (for example a zip file) or not, and caches compressed (for example, zipped) and non-compressed versions of the same file separately.
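The exchange described above, as an added example written for this page and not Fortinet code: two simulated byte caching databases, one per FortiGate unit, label fixed-size chunks with a hash and send chunk data across the tunnel only for hashes the far side does not hold. The 64-byte chunk size, the SHA-256 label, the sample file and all function names are assumptions made for the illustration; the guide does not state how the unit chooses chunk boundaries.

```python
import hashlib
import zlib

# Constructed values for this demo; the guide does not state the real chunking.
CHUNK_SIZE = 64
HASH_BYTES = 32  # SHA-256 digest length, the "label" sent in place of data


def split_chunks(data, size=CHUNK_SIZE):
    """Break a unit of application data into small chunks."""
    return [data[i:i + size] for i in range(0, len(data), size)]


class ByteCacheDB:
    """The byte caching database of one FortiGate unit: hash -> chunk bytes."""

    def __init__(self):
        self.chunks = {}

    def label(self, data):
        """Sending side: store every chunk locally and return its hash list."""
        hashes = []
        for piece in split_chunks(data):
            digest = hashlib.sha256(piece).digest()
            self.chunks[digest] = piece
            hashes.append(digest)
        return hashes

    def missing(self, hashes):
        """Receiving side: the hashes not found in the local database."""
        return [h for h in hashes if h not in self.chunks]

    def learn(self, new_chunks):
        """Receiving side: add the chunks that had to cross the tunnel."""
        self.chunks.update(new_chunks)

    def reassemble(self, hashes):
        """Receiving side: rebuild the application data from its hash list."""
        return b"".join(self.chunks[h] for h in hashes)


def send_over_tunnel(sender, receiver, data):
    """Move one unit of application data across the simulated WAN tunnel.

    Returns (data as rebuilt by the receiver, bytes that crossed the WAN).
    The hash list always crosses; chunk data crosses only for hashes the
    receiver does not already hold.
    """
    hashes = sender.label(data)
    wan_bytes = len(hashes) * HASH_BYTES
    needed = receiver.missing(hashes)
    payload = {h: sender.chunks[h] for h in needed}
    wan_bytes += sum(len(piece) for piece in payload.values())
    receiver.learn(payload)
    return receiver.reassemble(hashes), wan_bytes


def demo():
    """Four transfers that show the behaviour the guide describes."""
    client, server = ByteCacheDB(), ByteCacheDB()
    # Constructed sample file: 1024 bytes of repetitive report text.
    report = (b"quarterly sales figures, region north; " * 30)[:1024]
    results = {}
    # 1. First transfer: every chunk is new, so hashes AND data cross the WAN
    #    (more than the raw file: the initial cost before the database fills).
    rebuilt, sent = send_over_tunnel(client, server, report)
    results["first"] = (rebuilt == report, sent)
    # 2. Same file again, e.g. fetched from a web page after arriving by
    #    email: byte caching is not application specific, only hashes cross.
    rebuilt, sent = send_over_tunnel(client, server, report)
    results["repeat"] = (rebuilt == report, sent)
    # 3. A similar file with one byte edited: one chunk crosses, the rest hit.
    edited = report[:200] + b"X" + report[201:]
    rebuilt, sent = send_over_tunnel(client, server, edited)
    results["edited"] = (rebuilt == edited, sent)
    # 4. A zipped copy of the same file: its chunks hash differently, so it is
    #    cached separately and gains nothing from the earlier transfers.
    zipped = zlib.compress(report)
    rebuilt, sent = send_over_tunnel(client, server, zipped)
    results["zipped"] = (rebuilt == zipped, sent, len(zipped))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```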

SSL offloading for WAN optimization and web caching


WAN optimization SSL offloading uses the FortiGate unit to encrypt and decrypt SSL sessions. WAN optimization supports SSL offloading for HTTP and HTTPS sessions to and from web servers. The FortiGate unit intercepts HTTPS traffic from clients and decrypts it before sending it as HTTP clear text to the web server. The HTTP clear text response from the web server is encrypted by the FortiGate unit and returned to the client as an HTTPS session. The result should be a performance improvement because SSL encryption and decryption is off-loaded from the server to the FortiGate unit FortiASIC SSL encryption/decryption engine. You can also combine SSL offloading with other WAN optimization techniques such as HTTP protocol optimization, byte caching, and web caching to further enhance web server performance.

You enable SSL offloading by selecting Enable SSL in a WAN optimization rule. You must also add SSL servers to support SSL offloading using the CLI command config wanopt ssl-server. You must add one WAN optimization SSL server configuration to a FortiGate unit for each HTTP server that you are configuring SSL offloading for. This SSL server configuration must also include the HTTP server CA. You load this certificate into the FortiGate unit as a local certificate and then add the certificate to the SSL server configuration using the ssl-cert keyword. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.

You can configure one WAN optimization rule to offload SSL encryption/decryption for multiple HTTP servers. To do this, the WAN optimization rule source and destination addresses must be configured so that the rule accepts packets destined for all of the HTTP servers that you want offloading for. Then you must add one SSL server configuration for each of the HTTP servers.


A number of SSL offloading configurations are possible. This section includes two.

Example configuration: SSL offloading for a WAN optimization tunnel


In this example, clients on a client network use https://192.168.10.20 to browse to a web server. A WAN optimization rule with Auto-Detect set to Off on the client side FortiGate unit accepts sessions from the clients with source addresses on the 172.20.120.0 network, a destination address of 192.168.10.0 and a destination port of 443. In this rule Enable Secure Tunnel is selected so that the tunnel is encrypted. The server side FortiGate unit includes an SSL server configuration with ip set to 192.168.10.20 and port set to 443. The server side FortiGate unit also includes the web server CA.
Figure 421: SSL offloading WAN optimization configuration (diagram: the Client Network 172.20.120.0 sends encrypted traffic to the client side FortiGate unit, which has a rule with Auto-Detect off, Local Host ID User_net and WAN IP address 172.20.120.1; the decrypted traffic crosses the WAN protected by the encrypted tunnel to the server side FortiGate unit, Local Host ID Web_servers, IP address 192.168.10.1, which holds the SSL server configuration and the web server CA; decrypted traffic is then forwarded to the web server at 192.168.10.20 on port 80)

When the client side FortiGate unit accepts an HTTPS connection for 192.168.10.20 the SSL server configuration provides the information that the client side FortiGate unit needs to decrypt the traffic and send it in clear text across a WAN optimization tunnel to the server side FortiGate unit. The server side FortiGate unit then forwards the clear text packets to the web server. The web server CA is not downloaded from the server side to the client side FortiGate unit. Instead the client side FortiGate unit proxies the SSL parameters from the client side to the server side which returns an SSL key and other required information to the client side FortiGate unit so that the client FortiGate unit can decrypt and encrypt HTTPS traffic.
Note: In this peer-to-peer configuration you do not need to add a WAN optimization rule to the server side FortiGate unit as long as the server side FortiGate unit includes the Peer Host ID of the client FortiGate unit in its peer list. However, you could set Auto-Detect to Active on the client side FortiGate unit and then add a passive rule to the server side FortiGate unit.

Note: In this example the secure tunnel and the authentication group configurations are not required, but are added to protect the privacy of the WAN optimization tunnel. Instead of the secure tunnel configuration, you could configure a route-based IPSec VPN between the FortiGate units and use IPSec to protect the privacy of the WAN optimization tunnel.

To configure the client side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the client side FortiGate unit.


Local Host ID    User_net

2 Select Create New and add a Peer Host ID and the IP address for the peer side FortiGate unit.

Peer Host ID     Web_servers
IP Address       192.168.10.1

3 Select OK to save the peer.
4 Go to WAN Opt. & Cache > Peer > Authentication Group and select Create New to add an authentication group named SSL_auth_grp to the client side FortiGate unit. The authentication group includes a pre-shared key and the peer added in step 2. An authentication group with the same name and the same pre-shared key must also be added to the server side FortiGate unit. This authentication group is required for the secure tunnel.

Name                   SSL_auth_grp
Password               <pre-shared_key>
Authentication Method  Pre-shared key
Peer Acceptance        Specify Peer: Web_servers

5 Go to WAN Opt. & Cache > Rule and select Create New to add the WAN optimization rule:

Mode                  Full Optimization
Source                172.20.120.0
Destination           192.168.10.0
Port                  443
Auto-Detect           Off
Protocol              HTTP
Peer                  Web_servers
Transparent Mode      Enable
Enable SSL            Enable
Enable Byte Caching   Enable
Enable Secure Tunnel  Enable
Authentication Group  SSL_auth_grp

6 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.
7 If required, move the rule to a different position in the list. See Moving a rule to a different position in the rule list on page 607.

To configure the server side FortiGate unit
1 Go to WAN Opt. & Cache > Peer and enter a Local Host ID for the server side FortiGate unit.
Local Host ID    Web_servers

2 Select Create New and add a Peer Host ID and the IP address for the peer side FortiGate unit.


Peer Host ID     User_net
IP Address       172.20.120.1

3 Select OK to save the peer.
4 Go to WAN Opt. & Cache > Peer > Authentication Group and select Create New to add an authentication group named SSL_auth_grp to the server side FortiGate unit. The authentication group includes a pre-shared key and the peer added to the server side FortiGate unit in step 2.

Name                   SSL_auth_grp
Password               <pre-shared_key>
Authentication Method  Pre-shared key
Peer Acceptance        Specify Peer: User_net

5 Go to System > Certificates > Local Certificates and select Import to import the web server's CA. Set the name of the local certificate to Web_Server_Cert_1. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
6 Enter the following command to add the SSL server to the server side FortiGate unit.

config wanopt ssl-server
    edit example_server
        set ip 192.168.10.20
        set port 443
        set ssl-cert Web_Server_Cert_1
end

Configure other ssl-server settings as required for your configuration.

SSL offloading and reverse proxy web caching for an internet web server
This example shows how to configure SSL offloading for a web cache only WAN optimization configuration that operates as a reverse proxy. In this configuration, clients on the Internet use HTTPS to browse to a web server. The FortiGate unit intercepts the HTTPS traffic and a web cache only WAN optimization rule with SSL offloading enabled decrypts the traffic before sending it to the web server. The FortiGate unit also caches pages from the web server. Replies from the web server are encrypted by the FortiGate unit before returning to the web browsing clients.

The web cache only rule enables transparent mode because the FortiGate unit is performing NAT between the Internet and the HTTP server, and the web server network is not configured to route Internet traffic between the FortiGate unit and the web server.

In this configuration the FortiGate unit is operating in reverse proxy mode. Reverse proxy caches can be placed directly in front of a particular server. Web caching on the FortiGate unit reduces the number of requests that the web server must handle, leaving it free to process new requests that it has not serviced before. Some benefits of a reverse proxy configuration:
• Avoid the capital expense of purchasing additional web servers by instead increasing the capacity of existing servers.
• Serve more requests for static content from web servers.
• Serve more requests for dynamic content from web servers.
• Reduce operating expenses, including the cost of bandwidth required to serve content.
• Accelerate the response time of the web server and accelerate page download times to end users, delivering a faster and better experience to site visitors.

When planning a reverse proxy implementation, the web server's content should be written so that it is cache aware to take full advantage of the reverse proxy cache. In Reverse Proxy mode, the FortiGate unit functions more like a web server with respect to the clients it services. Unlike internal clients, external clients are not reconfigured to access the proxy server. Instead, the site URL routes the client to the FortiGate unit as if it were a web server. Replicated content is delivered from the proxy cache to the external client without exposing the web server or the private network residing safely behind the firewall.

In this example, the site URL translates to IP address 192.168.10.1, which is the port2 IP address of the FortiGate unit. The port2 interface is connected to the Internet. You could also use a different IP address and route traffic for this IP address to the FortiGate unit port2 interface.

This example also includes two web cache only rules: one that accepts the HTTP traffic for web caching and one that accepts the HTTPS traffic for SSL offloading and web caching. You could also add only one rule for both the HTTP and HTTPS traffic. This example assumes all HTTP traffic uses port 80 and all HTTPS traffic uses port 443. The FortiGate unit includes the web server CA and an SSL server configuration for IP address 172.10.20.30 and port 443.
Figure 422: SSL offloading for web caching
[Figure: a Web Cache Only rule that includes SSL offloading. Encrypted traffic from the Internet arrives at port2 (IP address 192.168.10.1); decrypted traffic leaves port1 (IP address 172.10.20.2) to the HTTP web server (port 80) at IP address 172.10.20.30.]

To configure the FortiGate unit as a reverse proxy web cache server
1 Go to Firewall > Virtual IP and select Create New to add a virtual IP that translates the destination IP address from 192.168.10.1 to 172.10.20.30.

Name                        Reverse_proxy_VIP
External Interface          port2
Type                        Static NAT
External IP Address/Range   192.168.10.1
Mapped IP Address/Range / Destination Address   port1 172.10.20.30


2 Go to Firewall > Policy and select Create New to add a port2 to port1 firewall policy that accepts HTTP and HTTPS traffic from the Internet. Do not select a protection profile. Set the destination address to the virtual IP. You do not have to enable NAT.
Source Interface/Zone        port2
Source Address               all
Destination Interface/Zone   port1
Destination Address          Reverse_proxy_VIP
Service                      HTTP and HTTPS
Action                       ACCEPT

3 Go to WAN Opt. & Cache > Rule and select Create New to add a web cache only WAN optimization rule that accepts the HTTP traffic accepted by the firewall policy. Set destination to the IP address that is translated by the virtual IP (192.168.10.1) and not to the server IP (172.10.20.30). Enable transparent mode.
Mode               Web Cache Only
Source             0.0.0.0
Destination        192.168.10.1
Port               80
Transparent Mode   Enable
Enable SSL         Disable

4 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.
5 If required, move the rule to a different position in the list. See Moving a rule to a different position in the rule list on page 607.

To configure the FortiGate unit for SSL offloading of HTTPS traffic
The firewall policy added in the first procedure accepts HTTPS traffic, so you don't have to add another one.
1 Go to WAN Opt. & Cache > Rule and select Create New to add a web cache only WAN optimization rule that accepts the HTTPS traffic accepted by the firewall policy. Set destination to the IP address that is translated by the virtual IP (192.168.10.1) and not to the server IP (172.10.20.30). Enable transparent mode and SSL offloading.
Mode               Web Cache Only
Source             0.0.0.0
Destination        192.168.10.1
Port               443
Transparent Mode   Enable
Enable SSL         Enable

2 Select OK to save the rule. The rule is added to the bottom of the WAN optimization list.


3 If required, move the rule to a different position in the list. The HTTPS rule can be above or below the HTTP rule. See Moving a rule to a different position in the rule list on page 607.
4 Add an SSL server to offload SSL encryption and decryption for the web server.
5 Go to System > Certificates > Local Certificates and select Import to import the web server's CA. Set the name of the local certificate to Rev_Proxy_Cert_1. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
6 Connect to the CLI and enter the following command to add the SSL server.

    config wanopt ssl-server
        edit rev_proxy_server
            set ip 172.10.20.30
            set port 443
            set ssl-cert Rev_Proxy_Cert_1
        end

Configure other ssl-server settings as required for your configuration.

Secure tunnelling
Select Enable Secure Tunnel in WAN optimization rules to use SSL to encrypt the traffic in the WAN optimization tunnel. The FortiGate units use FortiASIC acceleration to accelerate SSL decryption and encryption of the secure tunnel. The secure tunnel uses the same TCP port as a non-secure tunnel (TCP port 7810). You must configure and add an authentication group to the WAN optimization rule to use secure tunneling. The authentication group configures the certificate or pre-shared key parameters required by the secure tunnel. The WAN optimization rules at both ends of the tunnel should have compatible authentication group configurations. For example, they should have the same certificates or the same pre-shared key.

WAN optimization over IPSec VPN


Another way to encrypt WAN optimization traffic is to configure a route-based IPSec VPN between the client and server FortiGate units. Then configure WAN optimization to use the IPSec interfaces on the FortiGate units for the WAN optimization tunnel. No special configuration is required except making sure the routing configuration sends the WAN optimization packets through the IPSec interfaces.

WAN optimization with FortiClient


FortiClient 4.0 WAN optimization can work together with WAN optimization on a FortiGate unit to accelerate network access. FortiClient will automatically detect if WAN optimization is enabled on the optimizing FortiGate unit it is connected to and transparently make use of the byte caching and protocol optimization features available.

To enable FortiClient WAN Optimization from FortiClient
1 Go to Status > WAN Optimization.
2 Select Enable WAN Optimization.
3 Enable the protocols to be optimized: HTTP (web browsing), CIFS (Windows file sharing), MAPI (Microsoft Exchange) and FTP (file transfers).


4 Set Maximum Disk Cache to 512, 1024, or 2048 MB. The default is 512 MB. If your hard disk can accommodate a larger cache, better optimization performance is possible.
5 Select Apply.

To enable FortiClient WAN Optimization on a FortiGate unit
Because PCs running FortiClient have IP addresses that change often, you cannot use peers to authenticate FortiClient. Instead, you can add an authentication group set to accept any peer. You must also add a passive rule that includes source and destination addresses that will accept connections from the IP addresses of PCs running FortiClient. For example, if the PCs running FortiClient are on the Internet, the source address could be 0.0.0.0. You do not need to add firewall policies to allow FortiClient to participate in WAN optimization because the FortiGate unit accepts and authenticates WAN optimization connection attempts depending on configured WAN optimization rules.
1 Go to WAN Opt. & Cache > Peer > Authentication Group and select Create New.
2 Configure the authentication group.

Name                    auth-fc
Authentication Method   Certificate
Certificate             Fortinet_Firmware
Peer Acceptance         Accept Any Peer

3 Select OK to save the authentication group.
4 Go to WAN Opt. & Cache > Rule and select Create New.
5 Configure a rule to accept FortiClient WAN optimization sessions.

Mode          Full Optimization
Source        0.0.0.0
Destination   0.0.0.0
Port          1-65535
Auto-Detect   Passive

Configuring WAN optimization storage


WAN optimization storage is used for storing the web cache and byte cache databases. In most cases you can accept the default storage configuration for FortiGate units that support WAN optimization and include internal storage, such as the FortiGate-111C and FortiGate units with a single-width AMC slot in which you have installed an AMC hard disk or SAS module. You only have to configure WAN optimization storage if you have more than one possible storage location. This can happen on FortiGate models with multiple single-width AMC slots or if you add one or two iSCSI servers to your WAN optimization configuration. When you add a second storage location you must configure the FortiGate unit to use this storage location for web caching, byte caching or both. You configure WAN optimization storage from the FortiGate CLI.


Example WAN optimization iSCSI configuration


This example shows how to configure FortiGate WAN optimization to use iSCSI for the topology shown in Figure 423. The example describes adding the iSCSI server, creating a 40-Gbyte partition on the iSCSI server, adding 15 Gbyte and 25 Gbyte WAN optimization storages to the partition, and using the 15 Gbyte storage for web caching and the 25 Gbyte storage for byte caching.
Figure 423: FortiGate unit and iSCSI server topology
[Figure: the FortiGate unit connected to the network and to an iSCSI server at 192.168.20.100.]

To configure WAN optimization to use an iSCSI server
1 Enter the following command to add the iSCSI server to the FortiGate configuration.

    config wanopt iscsi
        set first_target 192.168.20.100
    end

If required you can also change the TCP port used for iSCSI. The default iSCSI port is TCP 3260. It's also common for some iSCSI servers to use TCP 860. If required, use the following command to change the iSCSI port to 860:

    config wanopt iscsi
        set iscsi-port 860
    end

2 Enter the following command to view the SCSI devices that the FortiGate unit can save data to (example output shown, actual output should be similar):

    # execute scsi-dev list
    Device 1    74.5 GB    ref: 0    (Vendor: ATA  Model: FUJITSU MHW2080B?  Rev: 000)
      partition 1    74.5 GB    ref: 1    label: <none>
    Device 2    60.3 GB    ref: 16   (Vendor: IET  Model: VIRTUAL-DISK  Rev: 0)

In the example output, Device 1 is a FortiGate-ASM-S08 and Device 2 is the iSCSI device added in step 1.
3 Enter the following command to create the 40 Gbyte partition on the iSCSI device.

    execute scsi-dev partition create 16 40000
    Partition is created on /dev/sdc with file system; size: 40000MB

4 Enter the following command to display the new partition:

    # execute scsi-dev list
    Device 1    74.5 GB    ref: 0    (Vendor: ATA  Model: FUJITSU MHW2080B?  Rev: 000)
      partition 1    74.5 GB    ref: 1    label: <none>
    Device 2    60.3 GB    ref: 16   (Vendor: IET  Model: VIRTUAL-DISK  Rev: 0)
      partition 1    39.1 GB    ref: 17   label: <none>

The command adds partition ref 17 to the device ref 16. The actual size of the partition is 39.1 GBytes.
5 Enter the following command to add a WAN optimization storage named web_cache_sto to be used for web caching. The command adds the WAN optimization storage to partition reference 17.

    execute scsi-dev storage 17 15000 web_cache_sto
    Relabeling partition 17 (sdb2), current label: <none>
    Partition labeled as 77A2A1AB1D0EF8B7
    Storage created; size: 15000MB signature: web_cache_sto77A2A1AB1D0EF8B7

See About partition labels on page 633 for more information about adding storages to a partition.
6 Enter the following command to add a WAN optimization storage named byte_cache_sto to be used for byte caching. The command adds the WAN optimization storage to partition reference 17.

    execute scsi-dev storage 17 24999 byte_cache_sto
    Storage created; size: 24999MB signature: byte_cache_sto77A2A1AB1D0EF8B7

Note: If you set the storage to 25000 the following error message appears:
    The space left to define more storages on this partition: 24999MB
    Command fail. Return code -39

You cannot list these WAN optimization storages using the execute scsi-dev command. Instead, you can use the following command to list the WAN optimization storages that you have added:

    get wanopt storage
    == [ web_cache_sto ]
    name: web_cache_sto    partition-label: 77A2A1AB1D0EF8B7    partition-size: 39999    storage-size: 15000
    == [ byte_cache_sto ]
    name: byte_cache_sto   partition-label: 77A2A1AB1D0EF8B7    partition-size: 39999    storage-size: 24999

7 Enter the following commands to configure web caching to use the web_cache_sto storage and byte caching to use the byte_cache_sto storage.

    config wanopt cache-storage
        set web-cache-storage web_cache_sto
        set byte-cache-storage byte_cache_sto
    end

About partition labels


The first time you add a storage to a partition using the execute scsi-dev storage command, the partition is labelled with a random string (in the above example 77A2A1AB1D0EF8B7). This label is used for all storages added to a given partition. A different label is created for each partition. The labels appear when you use the execute scsi-dev list command to list the partitions. In the following example, a label has been added to partition reference 17.
    execute scsi-dev list
    Partition is created on /dev/sdb with file system; size: 40000MB
    Device 1    74.5 GB    ref: 0    (Vendor: ATA  Model: FUJITSU MHW2080B?  Rev: 000)
      partition 1    74.5 GB    ref: 1    label: <none>
    Device 2    60.3 GB    ref: 16   (Vendor: IET  Model: VIRTUAL-DISK  Rev: 0)
      partition 1    39.1 GB    ref: 17   label: 77A2A1AB1D0EF8B7

WAN optimization and HA


You can configure WAN optimization on a FortiGate HA cluster. The recommended HA configuration for WAN optimization is active-passive mode. When the cluster is operating, all WAN optimization sessions are processed by the primary unit only. Even if the cluster is operating in active-active mode, HA does not load-balance WAN optimization sessions. You can also form a WAN optimization tunnel between a cluster and a standalone FortiGate unit or between two clusters.

In a cluster, the web cache and byte cache databases are only stored by the primary unit. These databases are not synchronized to the subordinate units. So after a failover the new primary unit must rebuild its web and byte caches. As well, the new primary unit cannot connect to an iSCSI or SAS partition that was used by the failed primary unit. Rebuilding the byte caches can happen relatively quickly because the new primary unit can get byte cache data from the other FortiGate units that it is participating in WAN optimization tunnels with.

Configuring peers
Go to WAN Opt. & Cache > Peer to configure WAN optimization peers. From here you can add the Local Host ID that identifies the FortiGate unit for WAN optimization, and add the Peer Host ID and IP address of each FortiGate unit that this FortiGate unit can create WAN optimization tunnels with.
Figure 424: WAN optimization peer list
[Figure: the peer list, with Delete and Edit icons beside each peer.]

Viewing basic information
Create New      Add a new peer.
Local Host ID   Enter the local host ID of this FortiGate unit and select Apply. If you add this FortiGate unit as a peer to another FortiGate unit, use this as the Peer Host ID.
Apply           Add a change to the Local Host ID to the FortiGate configuration.

Adding or modifying a peer
Select Create New to add a new peer or select Edit beside an existing peer to modify it.

Peer Host ID    The Peer Host ID of the peer FortiGate unit. This is the Local Host ID added to the peer FortiGate unit.
IP Address      The IP address of the peer FortiGate unit. Usually this would be the IP address of the FortiGate interface connected to the WAN.

Configuring authentication groups


Add authentication groups to support authentication and secure tunneling between WAN optimization peers. Go to WAN Opt. & Cache > Peer > Authentication Group to add authentication groups.
Figure 425: WAN optimization Authentication Group list
[Figure: the authentication group list, with Delete and Edit icons beside each group.]

Viewing basic information
Create New   Add a new authentication group.
Name         The name of the authentication group. Select this name when adding the authentication group to a rule.
Peer(s)      The Host IDs of the peers added to the authentication group. When you add the authentication group to a WAN optimization rule, only these FortiGate units can authenticate to use this WAN optimization rule. Peer(s) can be any peer, a peer added to the FortiGate unit peer list (defined peers), or a selected peer.

Adding or modifying an authentication group
Select Create New to add a new authentication group or select Edit beside an existing authentication group to modify it.

Name
    Add or change the name of the authentication group.
Authentication Method
    Select the authentication method to use. If you select Certificate, all peers that use this authentication group must have an authentication group with the same name and certificate. If you select Pre-shared key, all peers that use this authentication group must have the same authentication group with the same name and pre-shared key.
Certificate
    If you select Certificate, all peers that use this authentication group must have the same certificate. Go to System > Certificate and add a local certificate. Then select this certificate in the Certificate field.

Pre-shared key
    If you select Pre-shared key, add a pre-shared key. All peers that use this authentication group must have the same authentication group with the same pre-shared key. If you selected Pre-shared Key, type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer. The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
Peer Acceptance
    Accept any peer        Authenticate with any peer. Use this setting if you don't know the peer host IDs or IP addresses of the peers that will use this authentication group. This setting is most often used for WAN optimization with FortiClient.
    Accept defined peers   Authenticate with any peer in the FortiGate unit peer list.
    Specify Peer           Authenticate with the selected peer only. Select the peer to add to this authentication group.
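The pre-shared key rules in the table above (at least 6 printable characters, and ideally 16 or more randomly chosen alphanumeric characters) are easy to get wrong when keys are typed by hand for each peer. The following Python block is an added example for this page and not Fortinet code: it generates a key from the operating system's cryptographic random source and checks a candidate key against exactly the two rules the table states. The function names and the entropy estimate are the example's own.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits   # 62 symbols

MIN_LENGTH = 6            # hard minimum from the table: 6 printable characters
RECOMMENDED_LENGTH = 16   # recommended: 16 randomly chosen alphanumeric characters


def generate_psk(length: int = RECOMMENDED_LENGTH) -> str:
    """Return a random alphanumeric key drawn with secrets (a CSPRNG), never random.random()."""
    if length < RECOMMENDED_LENGTH:
        raise ValueError(f"pre-shared keys should be at least {RECOMMENDED_LENGTH} characters")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def psk_entropy_bits(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Entropy of a uniformly random key of this length: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def check_psk(key: str) -> list:
    """Return the list of problems with a candidate key; an empty list means it passes.

    Only the rules stated in the guide are checked. The function cannot tell
    whether a 16-character key was really chosen at random, so keys should be
    produced with generate_psk() rather than typed.
    """
    problems = []
    if len(key) < MIN_LENGTH:
        problems.append("shorter than the 6-character minimum")
    if not key.isprintable():
        problems.append("contains non-printable characters")
    if len(key) < RECOMMENDED_LENGTH:
        problems.append("shorter than the recommended 16 random alphanumeric characters")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(key, f"{psk_entropy_bits(len(key)):.1f} bits of entropy", check_psk(key))
```

A 16-character key from a 62-symbol alphabet carries about 95 bits of entropy, which is why the table's recommended length is a sensible floor; the same key string must then be entered into the matching authentication group on every peer.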

Details about WAN optimization peer authentication


When a client side FortiGate unit attempts to start a WAN optimization tunnel with a server side FortiGate unit, the tunnel request includes the following information:
• The client side Local Host ID
• The name of an authentication group, if one is included in the rule that initiates the tunnel
• The authentication method defined in the authentication group: pre-shared key or certificate
• Whether the tunnel should be a secure tunnel or not
The authentication group is optional unless the tunnel should be a secure tunnel.

If the tunnel request includes an authentication group, authentication is based on the settings of this group as follows:
• The server side FortiGate unit searches its own configuration for the name of the authentication group in the tunnel request. If no match is found, the authentication fails.
• If a match is found, the server side FortiGate unit compares the authentication method in the client and server authentication groups. If the methods do not match, the authentication fails.
• If the authentication methods match, the server side FortiGate unit tests the peer acceptance setting in its copy of the authentication group. If the setting is accept any peer, the authentication is successful. If the setting is specify peer, the server side FortiGate unit compares the client side Local Host ID in the tunnel request with the peer name in the server side authentication group. If the names match, authentication is successful. If a match is not found, authentication fails. If the setting is accept defined peers, the server side FortiGate unit compares the client side Local Host ID in the tunnel request with the server side peer list. If a match is found, authentication is successful. If a match is not found, authentication fails.


If the tunnel request does not include an authentication group authentication will be based on the client side Local Host ID in the tunnel request. The server side FortiGate unit searches its peer list to match the client side Local Host ID in the tunnel request. If a match is found, authentication is successful. If a match is not found authentication fails. If the server side FortiGate unit successfully authenticates the tunnel request, the server side FortiGate unit sends back a tunnel setup response message. This message includes the server side Local Host ID and the authentication group that matches the one in the tunnel request. The client side FortiGate unit then performs the same authentication procedure as the server side FortiGate unit did. If both sides succeed tunnel setup continues.
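The matching procedure described above, including the client side repeating it on the server's setup response, can be written out as a small model. The following Python block is an added example for this page, not FortiOS code: it represents the objects this section names (Local Host ID, peer list, authentication group with method and peer acceptance) and applies the rules in the order the text gives them. The sample server mirrors the SSL_auth_grp configuration earlier in this section; the client side peer list, the 203.0.113.1 address and the auth-fc FortiClient-style gateway are constructed for the example, and the pre-shared key or certificate comparison that follows a successful name match is not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthGroup:
    name: str
    method: str                  # "pre-shared key" or "certificate"
    peer_acceptance: str         # "any", "defined" (peer list) or "specify"
    peer: Optional[str] = None   # Peer Host ID; only used with "specify"


@dataclass
class FortiGate:
    local_host_id: str
    peers: dict          # peer list: Peer Host ID -> IP address
    auth_groups: dict    # authentication group name -> AuthGroup


@dataclass
class TunnelMessage:
    """Fields carried by a tunnel request, and by the server's setup response."""
    local_host_id: str                  # sender's Local Host ID
    auth_group: Optional[AuthGroup]     # sender's copy of the group, if the rule names one
    secure: bool                        # whether a secure (SSL) tunnel was asked for


def authenticate(unit: FortiGate, msg: TunnelMessage) -> Tuple[bool, str]:
    """Apply the receiving unit's acceptance rules to a tunnel message."""
    if msg.secure and msg.auth_group is None:
        return False, "secure tunnel requires an authentication group"
    if msg.auth_group is None:
        # No group in the request: authenticate on the sender's Local Host ID alone
        if msg.local_host_id in unit.peers:
            return True, "Local Host ID found in peer list"
        return False, "Local Host ID not in peer list"
    local = unit.auth_groups.get(msg.auth_group.name)
    if local is None:
        return False, f"no authentication group named {msg.auth_group.name}"
    if local.method != msg.auth_group.method:
        return False, "authentication method mismatch"
    if local.peer_acceptance == "any":
        return True, "accept any peer"
    if local.peer_acceptance == "specify":
        if local.peer == msg.local_host_id:
            return True, "Local Host ID matches the specified peer"
        return False, "Local Host ID is not the specified peer"
    if local.peer_acceptance == "defined":
        if msg.local_host_id in unit.peers:
            return True, "Local Host ID found in peer list"
        return False, "Local Host ID not in peer list"
    return False, f"unknown peer acceptance setting {local.peer_acceptance}"


def tunnel_setup(client: FortiGate, server: FortiGate,
                 group_name: Optional[str], secure: bool) -> Tuple[bool, str]:
    """Full exchange: the server checks the request, then the client checks the response the same way."""
    request = TunnelMessage(client.local_host_id,
                            client.auth_groups.get(group_name) if group_name else None, secure)
    ok, why = authenticate(server, request)
    if not ok:
        return False, "server side: " + why
    # The response carries the server's Local Host ID and its matching copy of the group
    response = TunnelMessage(server.local_host_id,
                             server.auth_groups.get(group_name) if group_name else None, secure)
    ok, why = authenticate(client, response)
    if not ok:
        return False, "client side: " + why
    return True, "tunnel setup continues"


# Constructed sample configuration mirroring the SSL_auth_grp example in this section
SERVER = FortiGate(
    local_host_id="Web_servers",
    peers={"User_net": "172.20.120.1"},
    auth_groups={"SSL_auth_grp": AuthGroup("SSL_auth_grp", "pre-shared key", "specify", "User_net")},
)
CLIENT = FortiGate(
    local_host_id="User_net",
    peers={"Web_servers": "203.0.113.1"},   # constructed address for the server side WAN interface
    auth_groups={"SSL_auth_grp": AuthGroup("SSL_auth_grp", "pre-shared key", "specify", "Web_servers")},
)
# FortiClient-style gateway: certificate group that accepts any peer, so no peer list is needed
FC_SERVER = FortiGate("fc_gateway", {}, {"auth-fc": AuthGroup("auth-fc", "certificate", "any")})

if __name__ == "__main__":
    print(tunnel_setup(CLIENT, SERVER, "SSL_auth_grp", secure=True))
    print(tunnel_setup(CLIENT, SERVER, None, secure=True))
```

Running the two calls at the bottom shows the difference the authentication group makes: the first succeeds on both sides, while the second is refused by the server because a secure tunnel was requested without a group. The model also makes the symmetry requirement visible: the client's copy of SSL_auth_grp must name the server's Local Host ID as its specified peer, or the client side check of the response fails even though the server accepted the request.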

Monitoring WAN optimization


Using WAN optimization monitoring you can view and improve WAN optimization performance. The monitoring tools help isolate performance problems, aid in troubleshooting, and enable network optimization and capacity planning. Go to WAN Opt. & Cache > Monitor to view the WAN optimization monitor. The monitor uses collected log information and presents it in graphical format to show a network traffic summary and bandwidth optimization information.
Figure 426: WAN optimization monitor
[Figure: the monitor page with its Traffic Summary and Bandwidth Optimization panels, each with a Refresh control.]


Traffic Summary
    Provides traffic optimization information. The pie chart illustrates the percentage of traffic for supported applications processed during the selected Period. The table displays how much traffic has been reduced by WAN optimization by comparing the amount of LAN and WAN traffic for each protocol.
    Refresh icon     Refresh the Traffic Summary.
    Period           Select a time period to show the traffic summary for. You can select: Last 10 Minutes, Last 1 Hour, Last 1 Day, Last 1 Week, Last 1 Month.
    Reduction Rate   Displays each application's optimization rate. For example, a rate of 80% means the amount of data processed by that application has been reduced by 20%.
    LAN              The amount of data in Mbytes received from the LAN for each application.
    WAN              The amount of data in Mbytes sent across the WAN for each application. The greater the difference between the LAN and WAN data, the greater the amount of data reduced by WAN optimization byte caching, web caching, and protocol optimization.
Bandwidth Optimization
    Shows network bandwidth optimization per time Period. A line or column chart compares an application's pre-optimized (LAN data) size with its optimized size (WAN data).
    Refresh icon     Select to refresh the Bandwidth Optimization display.
    Period           Select a time frame to show bandwidth optimization for. You can select: Last 10 Minutes, Last 1 Hour, Last 1 Day, Last 1 Week, Last 1 Month.
    Protocol         Select All to display bandwidth optimization for all applications. Select an individual protocol to display bandwidth optimization for that protocol only.
    Chart Type       Select to display bandwidth optimization with a line chart or a column chart.

Changing web cache settings


Go to WAN Opt. & Cache > Cache to change the settings for the WAN optimization web cache. In most cases the default settings are acceptable. However you may want to change these settings to improve performance or optimize the cache for your configuration.
Always revalidate
    Select to always revalidate the requested cached object with content on the server before serving it to the client.
Max Cache Object Size
    Set the maximum object size to cache. The default size is 512000 kbytes (512 Mbytes). This object size determines the maximum object size to store in the web cache. All objects retrieved that are larger than the maximum size are delivered to the client but are not stored in the web cache.
Negative Response Duration
    Set how long in minutes to cache negative responses. The default is 0, meaning negative responses are not cached. The content server might send a client error code (4xx HTTP response) or a server error code (5xx HTTP response) as a response to some requests. If the web cache is configured to cache these negative responses, it returns that response to subsequent requests for that page or image for the specified number of minutes.


Fresh Factor
    Set the fresh factor as a percentage. The default is 100, and the range is 1 to 100. For cached objects that don't have an expiry time, the web cache periodically checks the server to see if the object has expired. The higher the fresh factor, the less often the checks occur.
Max TTL
    The maximum amount of time an object can stay in the web cache without checking to see if it has expired on the server. The default is 7200 minutes (120 hours or 5 days).
Min TTL
    The minimum amount of time an object can stay in the web cache before checking to see if it has expired on the server. The default is 5 minutes.
Default TTL
    The default expiry time for objects that do not have an expiry time set by the web server. The default expiry time is 1440 minutes (24 hours).
Explicit Proxy
    Indicates whether the explicit proxy has been enabled for the FortiGate unit. See Web Proxy on page 147.
Enable Explicit Proxy
    Select to enable using the WAN optimization web cache to cache for the explicit proxy.
Ignore If-modified-since
    By default, if the time specified by the if-modified-since (IMS) header in the client's conditional request is greater than the last modified time of the object in the cache, it is a strong indication that the copy in the cache is stale. If so, HTTP does a conditional GET to the Overlay Caching Scheme (OCS), based on the last modified time of the cached object. Enable ignoring If-modified-since to override this behavior.
HTTP 1.1 Conditionals
    HTTP 1.1 provides additional controls to the client over the behavior of caches concerning the staleness of the object. Depending on various Cache-Control headers, the FortiGate unit can be forced to consult the OCS before serving the object from the cache. For more information about the behavior of cache-control header values, see RFC 2616.
Pragma-no-cache
    Typically, if a client sends an HTTP GET request with a pragma no-cache (PNC) or cache-control no-cache header, a cache must consult the OCS before serving the content. This means that the FortiGate unit always refetches the entire object from the OCS, even if the cached copy of the object is fresh. Because of this, PNC requests can degrade performance and increase server-side bandwidth utilization. However, if ignore Pragma-no-cache is enabled, then the PNC header from the client request is ignored. The FortiGate unit treats the request as if the PNC header is not present at all.
IE Reload
    Some versions of Internet Explorer issue an Accept: */* header instead of a Pragma: no-cache header when you select Refresh. When an Accept header has only the */* value, the FortiGate unit treats it as a PNC header if it is a type-N object. When ignore IE Reload is enabled, the FortiGate unit ignores the PNC interpretation of the Accept: */* header.


Cache Expired Objects
    Applies only to type-1 objects. When Cache Expired Objects is enabled, type-1 objects that are already expired at the time of acquisition are cached (if all other conditions make the object cacheable). When this setting is disabled, already expired type-1 objects become non-cacheable at the time of acquisition.
Revalidated Pragma-no-cache
    The pragma-no-cache (PNC) header in a client's request can affect the efficiency of the FortiGate unit from a bandwidth gain perspective. If you do not want to completely ignore PNC in client requests (which you can do by using the ignore PNC option configuration), you can lower the impact of the PNC by enabling the revalidate-pragma-no-cache setting. When the revalidate-pragma-no-cache setting is enabled, a client's non-conditional PNC-GET request results in a conditional GET request sent to the OCS if the object is already in the cache. This gives the OCS a chance to return the 304 Not Modified response, consuming less server-side bandwidth, because it has not been forced to return full content even though the contents have not actually changed. By default, the revalidate PNC configuration is disabled and is not affected by changes in the top-level profile. When the Substitute Get for PNC configuration is enabled, the revalidate PNC configuration has no effect. Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, the revalidate pragma-no-cache option should be configured along with byte-range support.
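The settings in the web cache tables above interact: whether a request is treated as pragma-no-cache depends on Ignore Pragma-no-cache and Ignore IE Reload, what the cache then does depends on Revalidated Pragma-no-cache and Ignore If-modified-since, and whether a fetched response is stored at all depends on Max Cache Object Size, Negative Response Duration and Cache Expired Objects. The following Python block is an added example for this page, not FortiOS code, that models those decisions as two functions so the combinations can be checked one at a time. The setting and function names are the example's own, the cached object and header values are constructed, and the TTL/fresh factor arithmetic and the Substitute Get for PNC option are not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class CacheSettings:
    """Settings from the web cache tables, named after the GUI labels (defaults as stated there)."""
    ignore_pragma_no_cache: bool = False
    ignore_ie_reload: bool = False
    revalidate_pragma_no_cache: bool = False   # "Revalidated Pragma-no-cache", disabled by default
    ignore_if_modified_since: bool = False
    cache_expired_objects: bool = False
    max_cache_object_size_kb: int = 512000     # 512 Mbytes
    negative_response_duration_min: int = 0    # 0 means 4xx/5xx responses are not cached


@dataclass
class CachedObject:
    last_modified: datetime
    fresh: bool            # still within its TTL (the TTL/fresh factor arithmetic is not modelled)
    type_n: bool = False   # object class for which "Accept: */*" alone is read as PNC


def sample_object(fresh: bool = True, type_n: bool = False) -> CachedObject:
    """Constructed cached copy, last modified on 20 Oct 2015 (a date chosen for the example)."""
    return CachedObject(datetime(2015, 10, 20, tzinfo=timezone.utc), fresh, type_n)


# Constructed If-Modified-Since values, one newer and one older than the sample object
IMS_NEWER = "Wed, 21 Oct 2015 07:28:00 GMT"
IMS_OLDER = "Mon, 19 Oct 2015 07:28:00 GMT"


def _lower(headers: dict) -> dict:
    return {k.lower(): v.strip() for k, v in headers.items()}


def request_is_pnc(headers: dict, cached: Optional[CachedObject], s: CacheSettings) -> bool:
    """Decide whether the request counts as pragma-no-cache once the ignore options are applied."""
    h = _lower(headers)
    pnc = h.get("pragma", "").lower() == "no-cache" or "no-cache" in h.get("cache-control", "").lower()
    # Some Internet Explorer versions send only "Accept: */*" on Refresh; for type-N objects that is read as PNC
    ie_reload = h.get("accept") == "*/*" and cached is not None and cached.type_n
    if ie_reload and not s.ignore_ie_reload:
        pnc = True
    if s.ignore_pragma_no_cache:
        return False   # request handled as if no PNC header were present at all
    return pnc


def decide_request(headers: dict, cached: Optional[CachedObject], s: CacheSettings) -> str:
    """Return the cache's action: 'serve_from_cache', 'conditional_get' or 'full_fetch'."""
    if cached is None:
        return "full_fetch"                      # nothing cached: fetch from the OCS
    if request_is_pnc(headers, cached, s):
        if s.revalidate_pragma_no_cache:
            return "conditional_get"             # gives the OCS the chance to answer 304 Not Modified
        return "full_fetch"                      # PNC forces a complete refetch even when the copy is fresh
    ims = _lower(headers).get("if-modified-since")
    if ims and not s.ignore_if_modified_since:
        if parsedate_to_datetime(ims) > cached.last_modified:
            return "conditional_get"             # client's IMS is newer than our copy: likely stale
    return "serve_from_cache" if cached.fresh else "conditional_get"


def should_store(status: int, size_kb: int, already_expired: bool, s: CacheSettings,
                 type_1: bool = True) -> bool:
    """Decide whether a response fetched from the OCS is written into the web cache."""
    if size_kb > s.max_cache_object_size_kb:
        return False                             # delivered to the client but not stored
    if 400 <= status < 600:
        return s.negative_response_duration_min > 0
    if type_1 and already_expired and not s.cache_expired_objects:
        return False                             # expired at acquisition: non-cacheable unless enabled
    return True
```

With the defaults, a request carrying Pragma: no-cache always results in a full refetch from the origin, which is the bandwidth cost the Revalidated Pragma-no-cache setting trades for a conditional GET; enabling Ignore Pragma-no-cache instead serves a fresh cached copy and never consults the origin, so it should be switched on only where stale content is acceptable.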


Endpoint control
Endpoint control enforces the use of the FortiClient End Point Security (Enterprise Edition) application on your network. The compliance check ensures that the endpoint is running the most recent version of the FortiClient application and, optionally, checks that the FortiClient antivirus signatures are up-to-date on the endpoint. An endpoint is most often a single PC with a single IP address being used to access network services through a FortiGate unit. You enable endpoint control in a firewall policy. When traffic attempts to pass through the firewall policy, the FortiGate unit runs compliance checks on the originating host on the source interface. Non-compliant endpoints are blocked. If web browsing, the endpoints receive a message telling them that they are non-compliant, or they are redirected to a web portal where they can download the FortiClient application installer. You can monitor the endpoints that are subject to endpoint control, by viewing information about the computer and its operating system. If you configure software detection, you can also see the applications that are installed on endpoints.

This section describes:
Configuring endpoint control
Monitoring endpoints

Configuring endpoint control


Endpoint control requires that all hosts using the firewall policy have the FortiClient Endpoint Security application installed. Make sure that all hosts affected by this policy are able to install this application. Currently, FortiClient Endpoint Security is available for Microsoft Windows 2000 and later only.

To set up endpoint control, you need to
• Enable Central Management by the FortiGuard Analysis and Management Service if you will use FortiGuard Services to update the FortiClient application or antivirus signatures. You do not need to enter account information. See Central Management on page 226.
• Configure the minimum required version of FortiClient and the source of FortiClient installer downloads for non-compliant endpoints. See Configuring FortiClient required version and installer download on page 642.
• Enable endpoint control in firewall policies. See Endpoint Compliance Check options on page 336.
Note: You cannot enable Endpoint Compliance Check in firewall policies if Redirect HTTP Challenge to a Secure Channel (HTTPS) is enabled in User > Options > Authentication.
• Configure software detection if you want to monitor the applications installed on endpoints. See Viewing and configuring the software detection list on page 643.


You can also modify the appearance of the FortiClient Download Portal. Go to System > Config > Replacement Messages > Endpoint Control and edit the Endpoint Control Download Portal. This is an HTML page. Be sure to retain the %%LINK%% tag which provides the download URL for the FortiClient installer. For more information about modifying replacement messages, see Endpoint control replacement message on page 204.

Viewing FortiClient required version information


Go to Endpoint Control > FortiClient to view the following information:
• minimum required version of the FortiClient application
• latest available FortiClient version
• latest available antivirus signature package version
• the number of times the FortiClient application has been downloaded from the FortiGuard network since the last reboot of the FortiGate unit.

Select Customize to set the minimum FortiClient version that endpoints are required to run and to configure the download source for the FortiClient installer. See Configuring FortiClient required version and installer download on page 642.

Configuring FortiClient required version and installer download


Go to Endpoint Control > FortiClient and select Customize to set the minimum FortiClient version that endpoints are required to run and to configure the download source for the FortiClient installer.
Figure 427: Configuring FortiClient version requirements and installer source


FortiClient Installer Download Location
Select one of the following options to determine the link that the FortiClient Download Portal provides to non-compliant users to download the FortiClient installer.

FortiGuard Distribution Network
The FortiClient application is provided by the FortiGuard Distribution Network. The FortiGate unit must be able to access the FortiGuard Distribution Network. See Configuring FortiGuard Services on page 264. If the FortiGate unit contains a hard disk drive, the files from FortiGuard Services are cached to more efficiently serve downloads to multiple endpoints.

This FortiGate
Users download a FortiClient installer file from this FortiGate unit. This option is available only on FortiGate models that support upload of FortiClient installer files. Upload your FortiClient installer file using the execute restore forticlient CLI command. For more information, refer to the FortiGate CLI Reference.

Custom URL
Specify a URL from which users can download the FortiClient installer. You can use this option to provide custom installer files even if your FortiGate unit does not have storage space for them.

Minimum FortiClient Version Required
Select the minimum requirement for the FortiClient version that must be installed on the endpoints:

Latest Available
Endpoints must have the latest FortiClient version available from the download location installed.

FortiClient Enterprise Edition 4.0.0
Endpoints must have FortiClient Enterprise Edition 4.0.0 installed.

FortiClient Enterprise Edition 4.0.1
Endpoints must have FortiClient Enterprise Edition 4.0.1 installed.

Specify
Enter the FortiClient version that endpoints must have installed. Fortinet recommends that administrators deploy a FortiClient version update to their users or ask users to install the update and then wait a reasonable period of time for the updates to be installed before updating the minimum version required to the most recent version.

Note: Select This FortiGate or Custom URL if you want to provide a customized FortiClient application. This is required if a FortiManager unit will centrally manage FortiClient applications. For information about customizing the FortiClient application, see the FortiClient Administration Guide.

Viewing and configuring the software detection list


You can use Endpoint Control software detection to find out what applications are installed on endpoints. The list of applications installed on endpoints is displayed in the Detected Software column of the Endpoints list. To detect an application on an endpoint, the endpoint must be running FortiClient 4.0.0 or a more recent version that supports searching the Windows Registry for the names of the applications installed on the endpoint. You must also add entries to the Software Detection list that will match application names in the endpoint's Windows Registry. You can add up to 10 entries to the application list. Each entry consists of a name and a pattern. The name is any wording you need to describe the entry. The pattern is matched against names in the endpoint's Windows Registry. The pattern can be an application name, can include wildcards, or can be a Perl regular expression.

To view the list of applications that endpoint control checks for, go to Endpoint Control > Software Detection and view the Detected Software column. By default the software detection list includes applications such as BitTorrent, Microsoft Office, and Skype. Then, to configure software detection for an application, select Create New. Enter the Name and Pattern information and select OK. You can also edit the items already added to the list or delete entries on the list and add new ones.

Figure 428: Software Detection list for Endpoint Control

Create New
Add an application to detect. See Viewing and configuring the software detection list on page 643.

Name
A descriptive name for the application.

Pattern
A pattern to match the application name as it appears in the endpoint's Windows Registry. FortiClient matches the pattern against the endpoint's Windows Registry. If FortiClient finds a match, an entry is added to the Detected Software list for the endpoint. Go to Endpoint Control > Endpoints to view all detected endpoints and the Detected Software on each endpoint. The pattern can consist of complete application names (for example, AppName) or partial names (for example, App). Patterns are not case sensitive. The Detected Software list shows the complete application name found in the registry by FortiClient. Patterns can be wildcards or Perl regular expressions. For example, you can use regular expressions in a search to distinguish between product names with the same base name, such as My App and My App Reader. To detect My App only, enter the pattern My App$. For more information about using wildcards and Perl regular expressions, see Using wildcards and Perl regular expressions on page 506.

Delete icon
Remove this item from the list.

Edit icon
Modify this item. See Viewing and configuring the software detection list on page 643.
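The matching rules above (partial names, case-insensitive matching, wildcards, and an anchored regular expression such as My App$ to separate My App from My App Reader) are shown below in an added Python example. This is not FortiClient's code: the registry names are constructed sample data, the 10-entry limit is taken from the text, and the rule that a pattern built only from letters, digits, spaces, dots, hyphens, * and ? is a wildcard pattern while anything else is a Perl-style regular expression is an assumption of this example.

```python
"""Added example (not FortiClient code): matching a Software Detection list
against application names as they might appear in an endpoint's registry."""
import re

MAX_ENTRIES = 10   # the Software Detection list holds up to 10 entries

# Constructed sample application names; not real registry data.
SAMPLE_REGISTRY_NAMES = [
    "My App",
    "My App Reader",
    "Skype 4.0",
    "BitTorrent",
    "Microsoft Office Professional 2007",
    "myapp",
]

# Assumed rule: only these characters means "wildcard pattern", anything
# else (e.g. $, ^, parentheses) is treated as a Perl-style regex.
_WILDCARD_CHARS = re.compile(r"[\w .*?-]+")


def pattern_to_regex(pattern):
    """Compile a list entry's pattern; matching is always case-insensitive."""
    if _WILDCARD_CHARS.fullmatch(pattern):
        # Escape everything, then turn the two wildcards back into regex.
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    else:
        regex = pattern
    return re.compile(regex, re.IGNORECASE)


def detect_software(detection_list, registry_names):
    """detection_list: list of (name, pattern) entries as created in the GUI.

    Returns {entry name: [matching registry names]}, i.e. what would populate
    the Detected Software column for this endpoint. Partial names match
    anywhere in the registry name (search, not full match).
    """
    if len(detection_list) > MAX_ENTRIES:
        raise ValueError("software detection list holds at most %d entries" % MAX_ENTRIES)
    detected = {}
    for name, pattern in detection_list:
        rx = pattern_to_regex(pattern)
        hits = [n for n in registry_names if rx.search(n)]
        if hits:
            detected[name] = hits
    return detected


if __name__ == "__main__":
    entries = [("My App only", "My App$"), ("Any My App", "My App"),
               ("Skype", "skype*"), ("Office", "Microsoft Office"),
               ("Torrent", "bittorrent")]
    for entry, names in detect_software(entries, SAMPLE_REGISTRY_NAMES).items():
        print(entry, "->", names)
```

Note that "My App" with no anchor also matches "My App Reader", and that neither pattern matches "myapp" because the space is part of the pattern; a detection list that is meant to flag a product family should use the partial name, and one meant to flag one product should anchor it.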

Monitoring endpoints
To view the list of known endpoints, go to Endpoint Control > Endpoints. An endpoint is added to the list when it uses a firewall policy that has Endpoint Compliance Check enabled. Once an endpoint is added to the list it remains there until you manually delete it or until the FortiGate unit restarts. Every time an endpoint accesses network services through the FortiGate unit (or attempts to access services) the entry for the endpoint is updated. The endpoints list can provide an inventory of the endpoints on your network. Entries for endpoints not running the FortiClient application include the IP address, last update time, and traffic volume/attempts. The non-compliant status indicates the endpoint is not running the FortiClient application.


Entries for endpoints running the FortiClient application show much more information, depending on what is available for the FortiClient application to gather. Detailed information you can view includes endpoint hardware (CPU and model name) and the software running on the endpoints. You can adjust column settings and filters to display this information in many different forms. From the endpoints list, you can view information for each endpoint, temporarily exempt endpoints from endpoint control, and restore exempted endpoints to their blocked state.
Figure 429: Endpoints list (showing one endpoint that does not have FortiClient software installed)

Refresh
Update the list.

Status
Display Compliant or Non-compliant endpoints or Both. Compliant endpoints are running the minimum required version of FortiClient or a more recent version. To configure the minimum required version of FortiClient, see Configuring FortiClient required version and installer download on page 642. The Status column displays a gray icon if the endpoint is non-compliant and a green icon if the endpoint is compliant. The Status column displays a green icon with an hourglass if the endpoint is non-compliant but has been temporarily exempted.

Page
Shows the current page number in the list. Select the left and right arrows to display the first, previous, next or last page of known endpoints.

Column Settings
Select the columns to display in the list. You can also determine the order in which they appear. For more information, see Using column settings to control the columns displayed on page 58 and Web-based manager icons on page 60.

Clear All Filters
Clear any column display filters you might have applied.

Filter icons
Edit the column filters to filter or sort the endpoints list according to the criteria you specify. For example, you could add a filter to the Detected Software column to display all endpoints running BitTorrent software. For more information, see Adding filters to web-based manager lists on page 53.

View icon
View details about a selected endpoint. Select this icon to display the information about the endpoint found by the FortiClient application.

Exempt Temporarily icon
Exempt the selected endpoint from endpoint control. This means an endpoint that is blocked and added to the endpoint list can temporarily access network services through the FortiGate unit. When you select this icon you can specify how long the endpoint is exempted from endpoint control. The default exempt duration is 600 seconds.

Restore to Blocked State icon
Re-enable blocking access to a temporarily exempted endpoint.

Information columns
Select Column Settings to determine which of the following columns to display. All information that appears in the columns is reported by the FortiClient application running on the endpoint, unless otherwise noted.

AV signature
The version of the FortiClient antivirus signatures installed on the endpoint.

Computer Manufacturer
The name of the manufacturer of the endpoint.

Computer Model
The model name of the endpoint.

CPU Model
The CPU running on the endpoint.

Description
The description of the endpoint.

Detected Software
The software applications detected on this endpoint. See Viewing and configuring the software detection list on page 643. You can control the applications that appear in the Detected Software column by editing the Detected Software filter. See Adding filters to web-based manager lists on page 53.

FortiClient Version
The version of the FortiClient application running on the endpoint.

Host Name
The host name of the endpoint.

Installed FCT Features
The FortiClient features enabled on the endpoint.

IP Address
The IP address of the endpoint as found from the communication session. The FortiClient application is not required to obtain this information.

Last User
The last user to log in to the endpoint.

Last Update
The time that the status of the endpoint was last verified by the FortiGate unit. The FortiClient application is not required to obtain this information.

Memory Size
The amount of memory installed on the endpoint.

OS Version
The version of the operating system running on the endpoint.

System Uptime
The system up time of the endpoint.

Traffic Volume/Attempts
If the endpoint is compliant, this column displays the amount of data passed through the FortiGate unit by communication sessions originating from the endpoint. If the endpoint is non-compliant, this column displays the number of times the endpoint has attempted to connect through the FortiGate unit. The FortiClient application is not required to obtain this information.


Log&Report
FortiGate units provide extensive logging capabilities for traffic, system and network protection functions. They also allow you to compile reports from the detailed log information gathered. Reports provide historical and current analysis of network activity to help identify security issues, reducing and preventing network misuse and abuse. This section provides information about how to enable logging, view log messages, and configure reports. If you have VDOMs enabled, see Using virtual domains on page 103 for more information.

The following topics are included in this section:
FortiGate logging
FortiGuard Analysis and Management Service
Log severity levels
High Availability cluster logging
Storing logs
Log types
Accessing Logs
Viewing log information
Customizing the display of log messages
Content Archive
Alert Email
Reports
Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging may not be available because certain features do not support logging, or are not available in Transparent mode. For example, SSL VPN events are not available in Transparent mode.

FortiGate logging
A FortiGate unit can log many different network activities and traffic including:
• overall network traffic
• system-related events including system restarts, HA and VPN activity
• anti-virus infection and blocking
• web filtering, URL and HTTP content blocking
• signature and anomaly attack and prevention
• spam filtering
• Instant Messaging and Peer-to-Peer traffic
• VoIP telephone calls.

When customizing the logging location, you can also customize what minimum log severity level the FortiGate unit should log these events at. There are six severity levels to choose from. For more information, see Log severity levels on page 649.

For better log storage and retrieval, the FortiGate unit can send log messages to a FortiAnalyzer unit. FortiAnalyzer units provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network activity. Detailed log reports also help identify security issues, reducing network misuse and abuse. The FortiGate unit can send all log message types, including quarantine files and content archives, to a FortiAnalyzer unit for storage. The FortiAnalyzer unit can upload log files to an FTP server for archival purposes. For more information about configuring the FortiGate unit to send log messages to a FortiAnalyzer unit, see Logging to a FortiAnalyzer unit on page 650. If you have a subscription for the FortiGuard Analysis and Management Service, your FortiGate unit can send logs to a FortiGuard Analysis server. This service provides another way to store and view logs, as well as archiving email messages. For more information, see FortiGuard Analysis and Management Service on page 648. Fortinet recommends reviewing the FortiGuard Analysis and Management Service Administration Guide to learn more about the logging, reporting, and remote management features from the FortiGuard Analysis and Management Service portal web site. The FortiGate unit can also send log messages to either a Syslog server or WebTrends server for storage and archival purposes. If your FortiGate unit has a hard disk, you can also send logs to it by using the CLI. For more information about configuring logging to the hard disk, see the FortiGate CLI Reference. In the FortiGate web-based manager, you can view log messages available in system memory, on a FortiAnalyzer unit running firmware version 3.0 or higher, or, if available, the hard disk. You can use customizable filters to easily locate specific information within the log files. 
For details and descriptions of log messages and formats, see the FortiGate Log Message Reference.

FortiGuard Analysis and Management Service


FortiGuard Analysis and Management Service is a subscription-based service that provides logging and reporting solutions, as well as remote management service, for all FortiGate units. The FortiGuard Analysis and Management Service is available on all FortiGate units running FortiOS 3.0 MR6 and higher. The logging and reporting side of FortiGuard Analysis and Management Service is made up of two types of servers, the primary analysis server and the secondary analysis server. The primary analysis server stores logs generated from the FortiGate unit. The secondary analysis server provides redundancy, ensuring log data is available at all times. There are several secondary analysis servers available for redundancy for each FortiGate unit. The network also includes the main analysis server, which is responsible for monitoring and maintaining the primary and secondary analysis servers. When the FortiGate unit connects to the logging and reporting network for the first time, it retrieves its assigned primary analysis server, contract term, and storage space quota from the main analysis server. The main analysis server contains this information so it can maintain and monitor the status of each of the servers. After configuring logging to the assigned primary analysis server, the FortiGate unit begins sending encrypted logs to the primary analysis server through TCP port 514. The connection between the main analysis server and the FortiGate unit is secured using FCP over HTTPS, through port 443.


Fortinet recommends reviewing the FortiGuard Analysis and Management Service Administration Guide because it contains very detailed information about this FortiGuard service. This administration guide contains information about:
• registering your FortiGate unit, or multiple FortiGate units, for this FortiGuard service
• enabling this FortiGuard service on your FortiGate unit
• configuring remote management and logging and reporting.
Note: After upgrading your FortiGate firmware, you need to re-enter your account ID and then update the service to re-connect to the servers that support logging and reporting. You may need to update the service from the portal web site as well.

FortiGuard Analysis and Management Service portal web site


The portal web site provides a central location for managing your information about the FortiGate units and service account. The portal web site also allows you to view logs and reports, including remote management services such as configuration backups. You need a service account ID, username and password before entering the portal web site. You receive this information when you register for the FortiGuard Analysis and Management Service on the Fortinet support web site. After entering all appropriate information on the Fortinet support web site, you can then log into the FortiGuard Analysis and Management Service portal web site. For information about registering, enabling and configuring the FortiGuard Analysis and Management Service, see the FortiGuard Analysis and Management Service Administration Guide.
Note: The portal also includes remote management features. For more information about remotely managing your FortiGate unit using the FortiGuard Analysis and Management Service, see System Maintenance on page 253.

Log severity levels


You can define what severity level the FortiGate unit records logs at when you configure the logging location. The FortiGate unit logs all messages at and above the logging severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert and Emergency level messages.
Table 55: Log severity levels

Levels            Description
0 - Emergency     The system has become unstable.
1 - Alert         Immediate action is required.
2 - Critical      Functionality is affected.
3 - Error         An error condition exists and functionality could be affected.
4 - Warning       Functionality could be affected.
5 - Notification  Information about normal events.
6 - Information   General information about system operations.

The Debug severity level, not shown in Table 55, is rarely used. It is the lowest log severity level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly. Debug log messages are generated only if the log severity level is set to Debug. Debug log messages are generated by all types of FortiGate features.
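The threshold rule ("at and above the selected level") is easy to get backwards because the more severe levels carry the lower numbers. The following Python example, added here and not FortiOS code, encodes Table 55 plus Debug and applies the threshold to a handful of constructed key=value log lines; the filter_logs and levels_logged functions and the sample lines are assumptions of this example, not real FortiGate output.

```python
"""Added example (not FortiOS code): applying a minimum log severity level."""
import re

# Table 55 plus Debug: lower number means more severe.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}

# Constructed sample lines in a key=value style; not real FortiGate output.
SAMPLE_LOGS = [
    'date=2009-04-24 time=10:00:00 level=emergency msg="constructed: system unstable"',
    'date=2009-04-24 time=10:00:01 level=alert msg="constructed: immediate action required"',
    'date=2009-04-24 time=10:00:02 level=critical msg="constructed: functionality affected"',
    'date=2009-04-24 time=10:00:03 level=error msg="constructed: error condition"',
    'date=2009-04-24 time=10:00:04 level=warning msg="constructed: possible impact"',
    'date=2009-04-24 time=10:00:05 level=notification msg="constructed: normal event"',
    'date=2009-04-24 time=10:00:06 level=information msg="constructed: general info"',
    'date=2009-04-24 time=10:00:07 level=debug msg="constructed: firmware status"',
]

_LEVEL_FIELD = re.compile(r"\blevel=(\w+)")


def is_logged(level_name, minimum_level):
    """True when a message at level_name is recorded under minimum_level.

    The unit logs everything at and above the selected severity, which in
    numeric terms means a level number less than or equal to the threshold.
    """
    return SEVERITY[level_name.lower()] <= SEVERITY[minimum_level.lower()]


def levels_logged(minimum_level):
    """List the level names recorded for a given setting, most severe first."""
    return [name for name, num in sorted(SEVERITY.items(), key=lambda kv: kv[1])
            if is_logged(name, minimum_level)]


def filter_logs(lines, minimum_level):
    """Keep only the lines whose level= field passes the threshold.

    Lines without a level= field are dropped rather than guessed at.
    """
    kept = []
    for line in lines:
        match = _LEVEL_FIELD.search(line)
        if match and is_logged(match.group(1), minimum_level):
            kept.append(line)
    return kept


if __name__ == "__main__":
    print(levels_logged("Error"))
    for line in filter_logs(SAMPLE_LOGS, "Error"):
        print(line)
```

Selecting Error therefore keeps exactly the Emergency, Alert, Critical and Error lines, as the text states, and selecting Debug is the only setting under which the debug line survives.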


High Availability cluster logging


When configuring logging with a High Availability (HA) cluster, you configure the primary unit to send logs to a FortiAnalyzer unit or a Syslog server. The settings are applied to the subordinate units, which send the log messages to the primary unit. The primary unit then sends all logs to the FortiAnalyzer unit or Syslog server. If you configured a secure connection via an IPSec VPN tunnel between a FortiAnalyzer unit and an HA cluster, the connection is between the FortiAnalyzer unit and the HA cluster primary unit. For more information, see the FortiGate High Availability User Guide.

Storing logs
The type and frequency of log messages you intend to save determines the type of log storage to use. For example, if you want to log traffic and content logs, you need to configure the FortiGate unit to log to a FortiAnalyzer unit or Syslog server. The FortiGate system memory is unable to log traffic and content logs because of their frequency and large file size. Storing log messages to one or more locations, such as a FortiAnalyzer unit or Syslog server, may be a better solution for your logging requirements than the FortiGate system memory. Configuring your FortiGate unit to log to a FortiGuard Analysis server may also be a better log storage solution if you do not have a FortiAnalyzer unit and want to create reports. This particular log storage solution is available to all FortiGate units running FortiOS 3.0 MR6 or higher, through a subscription to the FortiGuard Analysis and Management Service. For more information, see FortiGuard Analysis and Management Service on page 648. If your FortiGate unit has a hard disk, you can also enable logging to the hard disk from the CLI. See the FortiGate CLI Reference for more information before enabling logging to the hard disk. If you require logging to multiple FortiAnalyzer units or Syslog servers, see the FortiGate CLI Reference.
Note: Daylight Saving Time (DST) is now extended by four weeks in the United States and Canada and may affect your location. It is recommended to verify if your location observes this change, since it affects the scope of the report. Fortinet has released supporting firmware. See the Fortinet Knowledge Center article, New Daylight Saving Time support, for more information.

Logging to a FortiAnalyzer unit


FortiAnalyzer units are network devices that provide integrated log collection, analysis tools and data storage. Detailed log reports provide historical as well as current analysis of network activity to help identify security issues and reduce network misuse and abuse. You can configure the FortiGate unit to log up to three FortiAnalyzer units. The FortiGate unit sends logs to all three FortiAnalyzer units. Each FortiAnalyzer unit stores the same information. Logging to multiple FortiAnalyzer units provides real-time backup protection in the event one of the FortiAnalyzer units fails. You can configure logging to multiple FortiAnalyzer units only in the CLI. For more information, see the FortiGate CLI Reference.


Figure 430: Configuring a connection to the FortiAnalyzer unit

To configure the FortiGate unit to send logs to the FortiAnalyzer unit
1 Go to Log&Report > Log Config > Log Setting.
2 Select the Expand Arrow beside Remote Logging to reveal the available options.
3 Select FortiAnalyzer.
4 From the Minimum log level list, select one of the following:

Emergency      The system is unusable.
Alert          Immediate action is required.
Critical       Functionality is affected.
Error          An erroneous condition exists and functionality is probably affected.
Warning        Functionality might be affected.
Notification   Information about normal events.
Information    General information about system operations.
Debug          Information used for diagnosing or debugging the FortiGate unit.

5 Select Static IP Address.
6 Enter the static IP address of the FortiAnalyzer unit in the Static IP Address field.
7 Select Apply.
The FortiAnalyzer unit needs to be configured to receive logs from the FortiGate unit after you have configured log settings on the FortiGate unit. Contact a FortiAnalyzer administrator to complete the configuration.
Note: You cannot configure a FortiAnalyzer unit to be a backup solution for the FortiGuard Analysis server, and vice versa. If you require a backup solution for one of these logging devices, using a Syslog server or WebTrends server is preferred.

Connecting to FortiAnalyzer using Automatic Discovery


You can connect to a FortiAnalyzer unit by using the Automatic Discovery feature. This feature allows the FortiGate unit to find a FortiAnalyzer unit that is on the network within the same subnet. When you select Automatic Discovery, the FortiGate unit uses HELLO packets to locate any FortiAnalyzer units available on the network within the same subnet. When the FortiGate unit discovers the FortiAnalyzer unit, the FortiGate unit automatically begins sending log data, if logging is configured for traffic and other events, to the FortiAnalyzer unit.


The Automatic Discovery feature must be enabled on the FortiAnalyzer side to work properly. The FortiAnalyzer unit requires firmware version 3.0 or higher to use this feature. Fortinet recommends contacting a FortiAnalyzer administrator to verify Automatic Discovery is enabled on the FortiAnalyzer unit before using this feature.

To enable automatic discovery
1 Go to Log&Report > Log Config > Log Setting.
2 Select the Expand Arrow beside Remote Logging to reveal the available options.
3 Select FortiAnalyzer.
4 Select Automatic Discovery.
5 Select a FortiAnalyzer unit from the Connect To list, if available. If no FortiAnalyzer unit is available, contact a FortiAnalyzer administrator to verify if there is one on the network.
6 Select Discover. The FortiGate unit searches within the same subnet for a response from any available FortiAnalyzer units.
7 Select Apply.
Note: If your FortiGate unit is in Transparent mode, you must modify the interface in the CLI before Automatic Discovery can carry traffic. Use the procedure in the Fortinet Knowledge Center article, Fortinet Discovery Protocol in Transparent mode, to enable the interface to also carry traffic when using the Automatic Discovery feature.

Testing the FortiAnalyzer configuration


After configuring FortiAnalyzer settings, test the connection between the FortiGate unit and FortiAnalyzer unit to verify both devices are communicating properly. During testing, the FortiGate unit displays information about specific settings for transmitting and receiving logs, reports, content archive and quarantine files. The FortiGate unit must learn the IP address of the FortiAnalyzer unit before testing the connection. A false test report failure may result if testing the connection occurs before the FortiGate unit learns the IP address of the FortiAnalyzer unit. To test the connection, go to Log&Report > Log Config > Log Setting, expand Remote Logging options, and then select Test Connectivity.
Figure 431: Test Connectivity with FortiAnalyzer


FortiAnalyzer (Hostname)
The name of the FortiAnalyzer unit. The default name of a FortiAnalyzer unit is its product name, for example, FortiAnalyzer-400.

FortiGate (Device ID)
The serial number of the FortiGate unit.

Registration Status
The status of whether or not the FortiGate unit is registered with the FortiAnalyzer unit. If the FortiGate unit is unregistered, it may not have full privileges. For more information, see the FortiAnalyzer Administration Guide.

Connection Status
The connection status between FortiGate and FortiAnalyzer units. A green check mark indicates there is a connection and a gray X indicates there is no connection.

Disk Space (MB)
The amount of disk space, in MB, on the FortiAnalyzer unit for logs.
Allocated Space: The amount of space designated for logs, including quarantine files and content archives.
Used Space: The amount of used space.
Total Free Space: The amount of unused space.

Privileges
The permissions of the device for sending and viewing logs, reports, content archives, and quarantined logs. Tx indicates the FortiGate unit is allowed to transmit log packets to the FortiAnalyzer unit. Rx indicates the FortiGate unit is allowed to display reports and logs stored on the FortiAnalyzer unit. A check mark indicates the FortiGate unit has permissions to send or view log information and reports. An X indicates the FortiGate unit is not allowed to send or view log information.

You can also test the connection status between the FortiGate unit and the FortiAnalyzer unit by using the following CLI command:

    execute log fortianalyzer test-connectivity

The command displays the connection status and the amount of disk usage in percent. For more information, see the FortiGate CLI Reference.
Note: The test connectivity feature also provides a warning when a FortiGate unit requires a higher-end FortiAnalyzer unit or when the maximum number of VDOMs/FortiGate units has been reached on the FortiAnalyzer unit.

Logging to a FortiGuard Analysis server


You can configure logging to a FortiGuard Analysis server after registering for the FortiGuard Analysis and Management Service on the Fortinet support web site. Fortinet recommends verifying that the connection is working properly before configuring logging to a FortiGuard Analysis server. You can enable FortiGate features from the FortiGate web-based manager. For more information, see Log types on page 657. Logging traffic, as well as summary and email content archiving, is also available.

To log to a FortiGuard Analysis server
1 Go to Log&Report > Log Config.
2 Select the Expand Arrow beside Remote Logging to reveal the available options.
3 Select FortiGuard Analysis Service.
4 Enter the account ID in the Account ID field.


5 Select one of the following:
Overwrite oldest logs: Deletes the oldest log entry and continues logging when the maximum log disk space is reached.
Do not log: Stops log messages going to the FortiGuard Analysis server when the maximum log disk space is reached.
6 Select a severity level.
7 Select Apply.

Logging to memory
The FortiGate system memory has a limited capacity for log messages. The FortiGate system memory displays only the most recent log entries. It does not store traffic and content logs in system memory due to their size and the frequency of log entries. When the system memory is full, the FortiGate unit overwrites the oldest messages. All log entries are cleared when the FortiGate unit restarts. If your FortiGate unit has a hard disk, use the CLI to enable logging to it. You can also upload logs stored on the hard disk to a FortiAnalyzer unit. For more information, see the FortiGate CLI Reference.

To configure the FortiGate unit to save logs in memory
1 Go to Log&Report > Log Config > Log Setting.
2 Select the check box beside Memory.
3 Select the Expand Arrow beside the check box to reveal the available Memory options.
4 Select a severity level. The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Table 55, Log severity levels, on page 649.
Note: You can configure logging to an AMC disk and schedule when to upload logs to a FortiAnalyzer unit. The AMC disk is available on FortiGate models with a single-width AMC slot such as the 310B, 620B, 3600A, 3016B, 3810A and 5001A-SW.

Logging to a Syslog server


A Syslog server is a remote computer running Syslog software; Syslog is an industry standard for logging and is used to capture log information provided by network devices. The Syslog server is both a convenient and flexible logging device, since any computer system, such as Linux, Unix, and Intel-based Windows, can run syslog software. When configuring logging to a Syslog server, you need to configure the facility and the log file format, normal or Comma Separated Values (CSV). The CSV format separates fields with commas whereas the normal format separates them with spaces. Logs saved in the CSV file format can be viewed in a spreadsheet application, while logs saved in normal format are viewed in a text editor (such as Notepad) because they are saved as plain text files. Configuring a facility makes it easy to identify the device that recorded the log file.


Figure 432: Logging to a Syslog server

Name/IP: The domain name or IP address of the syslog server.
Port: The port number for communication with the syslog server, typically port 514.
Minimum log level: The FortiGate unit logs all messages at and above the logging severity level you select. For more information about the logging levels, see Log severity levels on page 649.
Facility: Facility indicates to the syslog server the source of a log message. By default, FortiGate reports Facility as local7. You may want to change Facility to distinguish log messages from different FortiGate units.
Enable CSV Format: If you enable CSV format, the FortiGate unit produces the log in Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate unit produces plain text files.

To configure the FortiGate unit to send logs to a syslog server
1 Go to Log&Report > Log Config > Log Setting.
2 Select the check box beside Syslog.
3 Select the Expand Arrow beside the check box to reveal the Syslog options.
4 Enter the appropriate information for the Syslog server.
5 Select Apply.
Note: If more than one Syslog server is configured, the Syslog servers and their settings appear on the Log Settings page. You can configure multiple Syslog servers in the CLI. For more information, see the FortiGate CLI Reference.
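A syslog receiver's view of the settings above, as an added example that is not from this guide or from Fortinet: it decodes the facility and severity carried in each message's PRI value (local7 is the default facility named above), splits the plain or CSV key=value body, and applies the Minimum log level rule. The sample messages are constructed and their field names are illustrative; the key=value body layout is assumed from FortiGate log output and is not shown on this page.

```python
"""Added example (not from the FortiGate guide or from Fortinet): decode the
syslog PRI value that prefixes each forwarded message, split the body in
either the plain (space-separated) or CSV (comma-separated) FortiGate log
format, and apply the Minimum log level rule, which keeps every message at or
above the selected severity. Sample messages are constructed; field names are
illustrative."""
import re

# RFC 3164 numeric codes. The FortiGate default facility is local7 (23).
FACILITIES = {"local%d" % i: 16 + i for i in range(8)}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
# FortiGate severity names, in syslog numeric order 0 (most severe) .. 7.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# key=value pairs; a quoted value may contain the separator character.
PLAIN_PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CSV_PAIR_RE = re.compile(r'(\w+)=("[^"]*"|[^,]*)')
# CSV format is recognised when the first pair is followed directly by a comma.
CSV_HINT_RE = re.compile(r'^\w+=("[^"]*"|[^,\s]*),')


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, the value a syslog sender emits."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Reverse of encode_pri. Facilities outside local0-local7 are reported
    by number, since the FortiGate unit only offers the local facilities."""
    facility, severity = divmod(pri, 8)
    if facility > 23:
        raise ValueError("PRI %d out of range" % pri)
    return FACILITY_NAMES.get(facility, "facility%d" % facility), SEVERITIES[severity]


def parse_message(raw):
    """Return the facility, severity, detected format and body fields of one
    syslog line sent by a FortiGate unit."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("message has no <PRI> prefix: %r" % raw[:30])
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2).strip()
    is_csv = CSV_HINT_RE.match(body) is not None
    pair_re = CSV_PAIR_RE if is_csv else PLAIN_PAIR_RE
    fields = {key: value.strip('"') for key, value in pair_re.findall(body)}
    return {"facility": facility, "severity": severity,
            "format": "csv" if is_csv else "plain", "fields": fields}


def at_or_above(severity, minimum):
    """Minimum log level rule: a lower syslog number is a higher severity,
    so 'at and above' means numerically less than or equal."""
    return SEVERITIES.index(severity) <= SEVERITIES.index(minimum)


def filter_messages(raw_lines, minimum):
    """Keep only the messages a FortiGate unit with Minimum log level set to
    `minimum` would forward to the syslog server."""
    kept = []
    for line in raw_lines:
        message = parse_message(line)
        if at_or_above(message["severity"], minimum):
            kept.append(message)
    return kept


# Constructed sample messages in the key=value style of FortiGate logs.
SAMPLES = [
    # local7 + notification: 23 * 8 + 5 = 189, plain format, a traffic log
    "<189>date=2009-04-24 time=12:30:54 devname=FortiGate-400 type=traffic "
    "subtype=allowed src=10.0.0.5 dst=192.0.2.10 service=HTTP status=accept",
    # local7 + alert: 185, plain format, quoted value containing spaces
    "<185>date=2009-04-24 time=12:31:02 devname=FortiGate-400 type=event "
    'subtype=admin msg="User admin login failed from 10.0.0.9"',
    # local7 + information: 190, CSV format
    "<190>date=2009-04-24,time=12:31:10,devname=FortiGate-400,type=event,"
    'subtype=system,msg="Interface port1 link up"',
]

if __name__ == "__main__":
    # A Minimum log level of warning silently drops the traffic log (severity
    # notification); that is why the guide says to select Notification when
    # traffic log messages must reach the logging device.
    for level in ("warning", "notification"):
        kept = filter_messages(SAMPLES, level)
        print(level, "->", [(m["severity"], m["fields"]["type"]) for m in kept])
```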

Logging to WebTrends
WebTrends is a remote computer running a NetIQ WebTrends firewall reporting server. FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are compatible with NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1. Use the CLI to configure the FortiGate unit to send log messages to WebTrends. After logging into the CLI, enter the following commands:

    config log webtrends setting
        set server <address_ipv4>
        set status {disable | enable}
    end


Keywords and variables, description, and default:
server <address_ipv4>: Enter the IP address of the WebTrends server that stores the logs. Default: no default.
status {disable | enable}: Enter enable to enable logging to a WebTrends server. Default: disable.

Example
This example shows how to enable logging to a WebTrends server and to set an IP address for the server.

    config log webtrends setting
        set status enable
        set server 172.16.125.99
    end

For more information about setting the options for the types of logs sent to WebTrends, see the Log chapter in the FortiGate CLI Reference.


Log types
The FortiGate unit provides a wide range of features to log, enabling you to better monitor activity that is occurring on your network. For example, you can enable logging of IM/P2P features, to obtain detailed information on the activity occurring on your network where IM/P2P programs are used. Before enabling FortiGate features, you need to configure what type of logging device will store the logs. For more information, see Storing logs on page 650. This topic also provides details on each log type and explains how to enable logging of the log type.
Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging may not be available because they do not support logging, or are not available in Transparent mode. For example, SSL VPN events are not available in Transparent mode.

Traffic log
The Traffic log records all the traffic to and through the FortiGate interfaces. You can configure logging of traffic controlled by firewall policies and for traffic between any source and destination addresses. You can also filter to customize the traffic logged:
Allowed traffic: The FortiGate unit logs all traffic that is allowed according to the firewall policy settings.
Violation traffic: The FortiGate unit logs all traffic that violates the firewall policy settings.

If you are logging other-traffic, the FortiGate unit will incur a higher system load because other-traffic logs record individual traffic packets. Fortinet recommends logging firewall policy traffic since it minimizes the load. Logging other-traffic is disabled by default. Firewall policy traffic logging records the traffic that is both permitted and denied by the firewall policy, based on the protection profile. Firewall policy traffic logging records packets that match the policy.

To enable firewall policy traffic logging
1 Go to Firewall > Policy.
2 Select the Expand Arrow to view the policy list for a policy.
3 Select Edit beside the policy that you want. If required, create a new firewall policy by selecting Create New. For more information, see Firewall Policy on page 319.
4 Select Log Allowed Traffic.
5 Select OK.
Note: You need to set the logging severity level to Notification when configuring a logging location to record traffic log messages. Traffic log messages generally have a severity level no higher than Notification. If VDOMs are in Transparent mode, make sure that VDOM allows access for enabling traffic logs.


Example configuration: logging all FortiGate traffic


You can use the following procedure to configure your FortiGate unit to record traffic log messages for all traffic. This procedure enables traffic logging for all FortiGate interfaces that receive traffic. However, traffic logging may not log traffic that would otherwise be dropped by the FortiGate unit. To record log messages for this traffic, you can add an IPS Sensor that includes predefined IPS signatures that can detect and log traffic that would otherwise be dropped by the FortiGate unit.

To log all traffic received by a FortiGate unit
1 Enter the following CLI command to enable logging of failed connection attempts to the FortiGate unit that use TCP/IP ports other than the TCP/IP ports configured for management access:

    config system global
        set localdeny enable
    end

2 Enter the following CLI command to set global header checking to strict:

    config system global
        set check-protocol-header strict
    end

Strict header checking detects invalid raw IP packets by validating packet checksums and also checks IP headers to make sure they adhere to current standards. The default setting is loose, which is usually appropriate for most environments. Loose header checking improves performance while meeting most organizations' requirements.
3 Enter the following CLI commands to enable traffic logging for all of the FortiGate interfaces that receive traffic. The following commands enable traffic logging on port1 and port2. Repeat these commands for all other FortiGate unit interfaces that receive traffic.

    config system interface
        edit port1
            set log enable
        next
        edit port2
            set log enable
    end

4 Use the following command to enable logging of other traffic. This option is only available when logging to an external syslog server.

    config log syslogd filter
        set other-traffic enable
    end

5 Go to UTM > Intrusion Protection > IPS Sensor and select Create New to add an IPS Sensor. Edit the IPS Sensor and select Add Pre-defined Override to add the following predefined IPS signatures to the sensor:
    Invalid.Protocol.Header
    TCP.Bad.Flags
    TCP.Invalid.Packet.Size
Enable each of these signatures, set Action to Block and enable Logging.


6 Enter the following CLI commands to add a DoS policy (called an interface policy in the CLI) that includes the IPS Sensor:

    config firewall interface-policy
        edit 1
            set interface <interface_name>
            set srcaddr all
            set dstaddr all
            set service ANY
            set ips-sensor-status enable
            set ips-sensor <sensor_name>
    end

Where <sensor_name> is the name of the IPS sensor added above.

Event log
The Event Log records management and activity events, such as when a configuration has changed, or VPN and High Availability (HA) events occur. When you are logged into VDOMs that are in Transparent mode, or if all VDOMs are in Transparent mode, certain options may not be available, such as VIP ssl event or CPU and memory usage event. You can enable event logs only when you are logged in to a VDOM; you cannot enable event logs in the root VDOM.

To enable the event logs
1 Go to Log&Report > Log Config > Event Log.
2 Select the Enable check box.
3 Select one or more of the following logs:
System Activity event: All system-related events, such as ping server failure and gateway status.
IPSec negotiation event: All IPSec negotiation events, such as progress and error reports.
DHCP service event: All DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event: All protocol-related events, such as manager and socket creation processes.
Admin event: All administrative events, such as user logins, resets, and configuration updates.
HA activity event: All high availability events, such as link, member, and state information.
Firewall authentication event: All firewall-related events, such as user authentication.
Pattern update event: All pattern update events, such as antivirus and IPS pattern updates and update failures.
SSL VPN user authentication event: All user authentication events for an SSL VPN connection, such as logging in, logging out and timeout due to inactivity.
SSL VPN administration event: All administration events related to SSL VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event: All session activity such as application launches and blocks, timeouts, and verifications.
VIP ssl event: All server load balancing events happening during an SSL session, especially details about handshaking.


VIP server health monitor event: All VIP server health monitor events that occur when the VIP health monitor is configured, such as an interface failure.
CPU & memory usage (every 5 min): All real-time CPU and memory events, at 5-minute intervals.

4 Select Apply.

Data Leak Prevention log


Data Leak Prevention (DLP) provides additional information that helps administrators analyze and detect data leaks. You can enable logging of your configured settings for Data Leak Prevention in a protection profile. Before enabling logging of DLP events, verify that the correct DLP sensor is available for what you want to log. A DLP sensor is required for both logging and content archiving of DLP events. You cannot apply multiple DLP sensors for logging or content archiving of DLP events.

To enable logging of Data Leak Prevention settings
1 Go to Firewall > Protection Profile.
2 Select the Expand Arrow to view the policy list for a policy.
3 Select Edit beside the policy that you want.
4 Select the Expand Arrow to view the Data Leak Prevention options.
5 Select the check box next to the sensor list.
6 Select a sensor from the list.
7 Select the Expand Arrow to view the Logging options.
8 Select the Data Leak Prevention Log DLP check box.

Application Control log


This log file includes IPS, IM/P2P and VoIP events that the FortiGate unit records. The application control log also includes some IPS activities. Before enabling logging of Application Control events, verify that the correct application control list is available for what you want to log. An application control list is required for logging application control events.

To enable logging of Application Control settings
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow to expand Application Control.
4 Select the check box beside the application control list.
5 Select a list from the application control list.
6 Select the Expand Arrow to expand the Logging options.
7 Select the Log Application Control check box.

Antivirus log
The Antivirus log records virus incidents in Web, FTP, and email traffic. For example, when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized file or email, it records an antivirus log entry. You can also apply filters to customize what the FortiGate unit logs, which are:


Viruses: The FortiGate unit logs all virus infections.
Blocked Files: The FortiGate unit logs all instances of blocked files.
Oversized Files/Emails: The FortiGate unit logs all instances of files and email messages exceeding defined thresholds.
AV Monitor: The FortiGate unit logs all instances of viruses, blocked files, and oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP, and IM traffic.

To enable antivirus logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow beside Logging to reveal the available options.
4 Select the antivirus events you want logged.
5 Select OK.

Web filter log


The Web Filter log records web content blocking actions and HTTP FortiGuard Web Filtering rating errors.

To enable web filter logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow beside Logging to reveal the available options.
4 Select the web filtering events to log.
5 Select the FortiGuard Web Filtering Rating Errors (HTTP only) check box to log FortiGuard filtering.
6 Select OK.

Spam filter log


The Spam Filter log records blocking of email address patterns and content in SMTP, IMAP and POP3 traffic.

To enable the Spam log
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow beside Logging to reveal the available options.
4 Select Log Spam.
5 Select OK.

Attack log (IPS)


The Attack (IPS) log records attacks detected and prevented by the FortiGate unit. The FortiGate unit logs the following:
Attack Signature: The FortiGate unit logs all detected and prevented attacks based on the attack signature, and the action taken by the FortiGate unit.
Attack Anomaly: The FortiGate unit logs all detected and prevented attacks based on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.


You can view attack log messages from either the Memory or Remote tab.

To enable the attack logs
1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow beside Logging to reveal the available options.
4 Select Log Intrusions under IPS.
5 Select OK.
Note: Make sure attack signature and attack anomaly DoS sensor settings are enabled to log the attack. The logging options for the signatures included with the FortiGate unit are set by default. Ensure any custom signatures also have the logging option enabled. For more information, see Intrusion Protection on page 455.

Accessing Logs
You can use the Log Access feature in the FortiGate web-based manager to view logs stored in memory, on a hard disk, or stored on a FortiAnalyzer unit running FortiAnalyzer 3.0, or on the FortiGuard Analysis server. Log Access provides tabs for viewing logs according to these locations. Each tab provides options for viewing log messages, such as search and filtering options, and choice of log type. The Remote tab displays logs stored on either the FortiGuard Analysis server or FortiAnalyzer unit, whichever one is configured for logging. For the FortiGate unit to access logs on a FortiAnalyzer unit, the FortiAnalyzer unit must run firmware version 3.0 or higher.

Accessing logs stored in memory


You can access logs stored in the FortiGate system memory from the Memory tab. The traffic log type is not available in the Log Type list because the FortiGate system memory is unable to store them; however, you can view attack logs. To view log messages in the FortiGate memory buffer, go to Log&Report > Log Access, select the Memory tab, and then select a log type from the Log Type list.

Accessing logs stored on the hard disk


You can access logs stored on the hard disk if your FortiGate unit has a hard disk. Logs stored on the hard disk are available for viewing in the Disk tab. You can view, navigate, and download logs stored on the hard disk. To access log files on the hard disk, go to Log&Report > Log Access, select the Disk tab, and then select a log type from the Log Type list. The FortiGate unit displays a list of rolled log files. You can view log messages when you select the View icon.


Figure 433: Viewing log files stored on the FortiGate hard disk

Log Type: Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
File name: The names of the log files of the displayed Log Type stored on the FortiGate hard disk. When a log file reaches its maximum size, the FortiGate unit saves the log file with an incremental number, and starts a new log file with the same name. For example, if the current attack log is alog.log, any subsequent saved logs appear as alog.n, where n is the number of rolled logs.
Size (bytes): The size of the log file in bytes.
Last access time: The time a log message was recorded on the FortiGate unit. The time is in the format name of day month date hh:mm:ss yyyy, for example Fri Feb 16 12:30:54 2007.
Clear log icon: Clear the current log file. Clearing deletes only the current log messages of that log file. The log file is not deleted.
Download icon: Download the log file or rolled log file. Select either Download file in Normal format or Download file in CSV format. Select Return to return to the Disk tab page. Downloading the current log file includes only current log messages.
View icon: View a log file's log messages.
Delete icon: Delete rolled logs. Fortinet recommends downloading the rolled log file before deleting it because the rolled log file cannot be retrieved after deleting it.

Accessing logs stored on the FortiAnalyzer unit


You can view and navigate through logs saved to the FortiAnalyzer unit. For information about configuring the FortiGate unit to send log files to the FortiAnalyzer unit, see Logging to a FortiAnalyzer unit on page 650. Logs accessed on a remote logging device such as the FortiAnalyzer unit, automatically appear in the Remote tab. To access log files on the FortiAnalyzer unit, go to Log&Report > Log Access, select the Remote tab, and select a log type from the Log Type list.
Figure 434: Viewing log files stored on the FortiAnalyzer unit


Log Type: Select the type of log you want to view.
Current Page: By default, the first page of the list of items is displayed. The total number of pages appears after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see Using page controls on web-based manager lists on page 57.
Column Settings: Select to add or remove columns. This changes what log information appears in Log Access. For more information, see Column settings on page 666.
Raw or Formatted: By default, log messages are displayed in Formatted mode. Select Formatted to view log messages in Raw mode, without columns. When in Raw mode, select Formatted to switch back to viewing log messages organized in columns. When log messages are displayed in Formatted view, you can customize the columns, or filter log messages.
Clear All Filters: Clear all filter settings. For more information, see Filtering log messages on page 667.

Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs from the FortiGate unit.

Accessing logs stored on the FortiGuard Analysis server


You can access log files stored on the FortiGuard Analysis server from the FortiGate web-based manager, if you have subscribed to the FortiGuard Analysis and Management Service. After enabling logging to the FortiGuard Analysis server, a Remote tab appears in the Log Access menu. For more information about viewing real-time and historical log files, see the FortiGuard Analysis and Management Service Guide. To access log files on the FortiGuard Analysis server, go to Log&Report > Log Access, select the Remote tab, and then select a log type from the Log Type list.

Viewing log information


Log information is displayed in the Log Access menu. The tabs in Log Access display log information stored on the FortiAnalyzer unit or FortiGuard Analysis server, in FortiGate system memory, and on the hard disk if one is available. The columns that appear reflect the content found in the log file. The top portion of the Log Access page includes navigational features to help you move through the log messages and locate specific information. To view log messages, go to Log&Report > Log Access and then select the tab that corresponds to the log storage device used: Remote, Memory or Disk. If you are logging to the FortiGate unit's hard disk, select Edit beside a rolled log file to view log messages.


Figure 435: Viewing log messages

Log Type: Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
Current Page: By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see Using page controls on web-based manager lists on page 57.
Column Settings: Select to add or remove columns. This changes what log information appears in Log Access. For more information, see Column settings on page 666.
Raw or Formatted: By default, log messages are displayed in Formatted mode. Select Formatted to view log messages in Raw mode, without columns. When in Raw mode, select Formatted to switch back to viewing log messages organized in columns. When log messages are displayed in Formatted view, you can customize the columns, or filter log messages.
Clear All Filters: Clear all filter settings. For more information, see Filtering log messages on page 667.

Customizing the display of log messages


By customizing the display of log messages, you can view certain parts or different formats of log messages. For example, log messages can be viewed in Formatted or Raw view. In Formatted view, you can customize the columns, or filter log messages. In Raw view, the log message appears as it would in the log file.


Filtering is another way to customize the display of log messages. By using the filter icon, you can display only specific log messages. For example, you may want to display only event log messages that have a severity level of alert.
Note: For more information about filtering log messages, see Adding filters to web-based manager lists on page 53.

Column settings
By using Column Settings, you can customize the view of log messages in Formatted view. By adding columns, changing their order, or removing them, you can view only the log information you want. The Column Settings feature is available only in Formatted view.
Figure 436: Column settings for viewing log messages

To customize the columns
1 Go to Log&Report > Log Access.
2 Select the tab to view logs from: Memory, Disk or Remote.
3 Select a log type from the Log Type list.
4 Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
5 Select the Column Settings icon.
6 Select a column name in the Available fields list and then select one of the following to change the views of the log information:
-> (right arrow): Move the selected fields from the Available fields list to the Show these fields in this order list.
<- (left arrow): Move the selected fields from the Show these fields in this order list to the Available fields list.
Move up: Move the selected field up one position in the Show these fields in this order list.
Move down: Move the selected field down one position in the Show these fields in this order list.

7 Select OK.


Note: The Detailed Information column provides the entire raw log entry and is needed only if the log contains information not available in any of the other columns. The VDOM column displays which VDOM the log was recorded in. You can view the device ID and device name when customizing columns. The device ID provides the identification name of the device. The device name is the host name that you configured for the FortiGate unit, for example Headquarters.

Filtering log messages


You can filter log messages by selecting the Filter icon to display specific information about log messages. The filter settings that are applied remain until you log out of the web-based manager. Log filters automatically reset to default settings when you log into the web-based manager.
Figure 437: Log filters


To filter log messages
1 Go to Log&Report > Log Access.
2 Select the tab to view logs from: Memory, Remote or Disk.
3 Select a log type from the Log Type list.
4 Select the Filter icon in the column to view logs.
5 Select Enable to enable filtering for the column.
6 Enter the information as appropriate. Fields vary by log type. For more information about using the filter icons to filter log messages, see Adding filters to web-based manager lists on page 53.
7 Select OK.
8 Select the columns to filter in the Filter list. You can also select the columns that appear in the Filter list instead of selecting the actual column.
You can view log messages in Raw format only after configuring the filters. If you want to delete all filter settings, select Clear All Filters, which is located under the Filters list.

Content Archive
The Content Archive menu allows users to view historical logs that have been archived to a FortiAnalyzer unit or FortiGuard Analysis server. A FortiGuard Analysis server becomes available when you subscribe to the FortiGuard Analysis and Management Service. For more information, see FortiGuard Analysis and Management Service on page 648.


You can configure full content archiving and summary content archiving. Full content archiving includes all content; for example, full content archiving of email includes complete email messages and attachments. Summary content archiving includes just the metadata about the content; for example, email message summary records include only the email header.

You can content archive Email, Web, FTP, IM, and VoIP content. Email content includes IMAP, POP3, and SMTP sessions. Email content can also include email messages tagged as spam by FortiGate spam filtering. Web content includes HTTP sessions. IM content includes AIM, ICQ, MSN, and Yahoo! sessions. VoIP content includes SIP, SIMPLE and SCCP sessions. Only summary content archiving is available for SIP and SCCP. Full and summary content archiving is available for SIMPLE.

If your FortiGate unit supports SSL content scanning and inspection, Web content can also include HTTPS sessions and Email content can also include IMAPS, POP3S, and SMTPS sessions. For more information about SSL content scanning and inspection, see SSL content scanning and inspection on page 399.

You use data leak prevention (DLP) sensors to content archive Email, Web, FTP, and IM content. VoIP content archiving is configured using application control CLI commands. Content archiving of spam email messages is configured in protection profiles.

Content archiving and data leak prevention


You enable Email, Web, FTP, and IM content archiving in data leak prevention (DLP) sensors. Then you add the DLP sensors to protection profiles and add the protection profiles to firewall policies. All sessions accepted by firewall policies that are matched by rules in DLP sensors are content archived.

DLP includes the Content_Archive and Content_Summary pre-defined DLP sensors. The Content_Archive sensor includes pre-defined DLP rules that provide full content archiving for HTTP, Email, FTP, and IM protocols. The Content_Summary sensor also includes pre-defined DLP rules and provides summary content archiving for HTTP, Email, FTP, and IM protocols.

If your FortiGate unit supports SSL content scanning and inspection, you can also configure DLP to content archive HTTPS, IMAPS, POP3S, and SMTPS content. By default the SSL protocols are not enabled in the All-Email and All-HTTP pre-defined DLP rules. To content archive the SSL protocols, you must edit these pre-defined rules and select the SSL protocols.

In addition to these pre-defined DLP rules and sensors, you can add your own DLP rules and sensors and use them for full and summary content archiving. See DLP Sensors on page 511 for more information about configuring DLP sensors.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some content, DLP will not create more than one content archive entry from the same content.

Configuring spam email message content archiving


DLP sensors configured to content archive email will archive legitimate email as well as email identified as spam by FortiGate spam filtering and by FortiGuard Antispam. By default, however, the protection profile options under Archive SPAMed email to FortiAnalyzer/FortiGuard are disabled, so email identified as spam is not content archived.


In most cases you would probably not want to content archive email identified as spam, so you can leave these options disabled. However, if you do want to content archive email identified as spam, use the following procedure.

To enable content archiving of email messages identified as spam by the FortiGate unit or by FortiGuard Antispam
1 Go to Firewall > Protection Profile.
2 Create or edit a protection profile.
3 Select the Expand Arrow to view the Data Leak Prevention Sensor option.
4 Select the DLP sensor for content archiving from the list.
5 Beside Archive SPAMed email to FortiAnalyzer/FortiGuard, select the check boxes for the email protocols for which to content archive spam.
6 Select OK.
Note: Infected files are clearly indicated in the Content Archive message list so that you know which content archives are infected and which are not.

Configuring VoIP content archiving


You can use the application control CLI commands described in this section to content archive the SIP, SIMPLE and SCCP protocols. You can enable summary content archiving for SIP, SIMPLE and SCCP, and full content archiving for SIMPLE.

To save time, you can add application control lists containing the VoIP category options from the web-based manager before using the CLI to enable content archiving for the VoIP protocols. For more information about configuring application lists, see Configuring an application control list on page 525. Then you add the application control lists to protection profiles and add the protection profiles to firewall policies. The application control list settings then content archive sessions for the configured VoIP protocols. For more information about VoIP content archiving commands, see the FortiGate CLI Reference.

The following procedure assumes that you have already configured an application control list for VoIP content archiving.

To configure VoIP content archiving
1 Verify that you have the correct application control list for VoIP content archiving.
2 Verify that logging is enabled for that application control VoIP list.
3 Log in to the CLI.
4 Enter the following to access the application control VoIP list and its entries:
    config application list
        edit <name>
            config entries
                edit <entry_identification>
5 Enter one of the following to enable summary content archiving for the entry you chose in step 4:
    set sip-archive-summary enable
    set sccp-archive-summary enable
    set simple-archive-summary enable
6 If you want to enable full content archiving of SIMPLE, enter the following:
    set simple-archive-full enable

Viewing content archives


From the Content Archive menu, you can view all archived logs in the web-based manager. You can view content archive logs stored on either a FortiAnalyzer unit or a FortiGuard Analysis server. If you need to view logs in Raw format, select Raw beside the Column Settings icon. For more information, see Column settings on page 666.

Content archives are displayed only if either the FortiAnalyzer unit or the FortiGuard Analysis server is enabled in the protection profile for that remote logging device. For example, if the FortiAnalyzer unit is configured to receive content archives, then only content archives from the FortiAnalyzer unit appear in the Content Archive menu.

To view content archives from a remote logging location (such as a FortiAnalyzer unit or FortiGuard Analysis server), go to Log&Report > Content Archive, and select the tab for the archived log type to view: Email, Web, FTP, IM, or VoIP.

Alert Email
You can use the Alert Email feature to monitor the logs and send email notification about a specific activity or event that is logged. For example, if you require notification about administrators logging in and out, you can configure an alert email that is sent whenever an administrator logs in or out. You can also base alert email messages on the severity levels of the logs.


Figure 438: Alert Email options

SMTP Server: The name or address of the SMTP email server.
Email from: The SMTP user name.
Email to: Enter up to three email address recipients for the alert email message.
Authentication: Select the Enable check box to enable SMTP authentication.
SMTP user: Enter the user name for logging on to the SMTP server to send alert email messages. You need to do this only if you have enabled SMTP authentication.
Password: Enter the password for logging on to the SMTP server to send alert email. You need to do this only if you have enabled SMTP authentication.
Send alert email for the following: Select to have an alert email sent for one or more of the following events, such as an administrator logging in or out.
Interval Time (1-9999 minutes): Enter the minimum time interval between consecutive alert emails. Use this to rate-limit the volume of alert emails.
Intrusion detected: Select if you require an alert email message when an attempted intrusion is detected.
Virus detected: Select if you require an alert email message when a virus is detected.
Web access blocked: Select if you require an alert email message when access to a blocked web site is attempted.
HA status changes: Select if you require an alert email message when the HA status changes.
Violation traffic detected: Select if you require an alert email message when the FortiGate unit detects violation traffic.
Firewall authentication failure: Select if you require an alert email message on firewall authentication failures.
SSL VPN login failure: Select if you require an alert email message on failed SSL VPN logins.
Administrator login/logout: Select if you require an alert email message when administrators log in or out.
IPSec tunnel errors: Select if you require an alert email message when there is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors: Select if you require an alert email message on errors that occur in L2TP, PPTP, or PPPoE.
Configuration changes: Select if you require an alert email message on any change made to the FortiGate configuration.
FortiGuard license expiry time (1-100 days): Enter the number of days before the FortiGuard license expires at which the expiry notification is sent.
FortiGuard log quota usage: Select if you require an alert email message when the FortiGuard Analysis server log disk quota is getting full.
Send alert email for logs based on severity: Select if you want to send an alert email based on a specified log severity, such as warning.
Minimum log level: Select a log severity from the list. For more information about log severity levels, see Log severity levels on page 649.

Configuring Alert Email


Before configuring alert email, you must configure at least one DNS server if you identify the SMTP server by a fully qualified domain name (FQDN). The FortiGate unit uses the SMTP server name to connect to the mail server, and must look up this name on your DNS server. You can also specify an IP address instead.

To configure alert email
1 Go to Log&Report > Log Config > Alert E-mail.
2 Enter the information for the SMTP server and select Apply.
3 Select Test Connectivity to send a test email message to the email account you configured in the previous step.
4 Select Send alert email for the following if you want alert email based on specific events, and then select the events you want.
5 Select Send an alert based on severity if you want alert email based on log severity level.
6 Select the minimum severity level in the Minimum severity level list if you are sending an alert based on severity.
7 Select Apply.
Note: The default minimum log severity level is Alert. If the FortiGate unit collects more than one log message before an interval is reached, the FortiGate unit combines the messages and sends out one alert email.
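The following Python example is added to this guide to illustrate the logic behind two of the features above; it is not FortiGate or FortiOS code. It parses raw key=value log entries (what the Detailed Information column shows) into columns, filters them the way a column filter in Log Access does, and then applies an alert policy: messages at or above a minimum severity are collected, and every qualifying message that arrives before the interval elapses is combined into one alert, as the note above describes. The sample log lines, the device ID placeholder, and the field names are constructed for illustration and only follow the general layout of a raw FortiGate entry; the field names a given FortiOS build emits may differ, and the batching is a simplified model of the Interval Time setting.

```python
"""Parse raw FortiGate-style log entries, filter them by column, and batch
messages into alert e-mails by minimum severity and interval.

Added example for this guide; it is not FortiGate or FortiOS code. The
sample log lines, device ID placeholder and field names are constructed to
follow the key=value layout of a raw FortiGate log entry.
"""
from datetime import datetime, timedelta
import shlex

# FortiGate log severity levels, from most to least severe.
SEVERITY_ORDER = ["emergency", "alert", "critical", "error", "warning",
                  "notification", "information", "debug"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed sample raw log entries (the Detailed Information column).
RAW_LOGS = """\
date=2009-04-24 time=08:00:05 devname=Headquarters device_id=FG100A-PLACEHOLDER log_id=0100032001 type=event subtype=admin pri=information vd=root user=admin ui=https(192.0.2.10) action=login status=success msg="Administrator admin logged in successfully from https(192.0.2.10)"
date=2009-04-24 time=08:00:09 devname=Headquarters device_id=FG100A-PLACEHOLDER log_id=0100032002 type=event subtype=admin pri=warning vd=root user=admin ui=https(192.0.2.10) action=login status=failed msg="Administrator admin login failed from https(192.0.2.10)"
date=2009-04-24 time=08:02:30 devname=Headquarters device_id=FG100A-PLACEHOLDER log_id=0211008192 type=virus subtype=infected pri=alert vd=root src=10.0.0.5 dst=198.51.100.7 file="invoice.exe" virus="EICAR_TEST_FILE" msg="File is infected."
date=2009-04-24 time=08:03:00 devname=Headquarters device_id=FG100A-PLACEHOLDER log_id=0419016384 type=ips subtype=signature pri=critical vd=root src=203.0.113.9 dst=10.0.0.5 attack_name="Test.Signature" action=dropped msg="Attack detected."
date=2009-04-24 time=08:20:00 devname=Headquarters device_id=FG100A-PLACEHOLDER log_id=0100032002 type=event subtype=admin pri=warning vd=vdom1 user=ops ui=ssh(192.0.2.11) action=login status=failed msg="Administrator ops login failed from ssh(192.0.2.11)"
"""


def parse_log_line(line):
    """Split one raw key=value entry into a dict; one key per log column.
    shlex handles quoted values that contain spaces (msg="...")."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_logs(raw):
    """Parse every non-empty line of a raw log dump."""
    return [parse_log_line(l) for l in raw.splitlines() if l.strip()]


def filter_logs(entries, **criteria):
    """Keep entries whose columns equal every criterion (case-insensitive),
    like enabling a column filter in Log Access, e.g. vd="root"."""
    def matches(e):
        return all(e.get(k, "").lower() == v.lower() for k, v in criteria.items())
    return [e for e in entries if matches(e)]


def entry_time(e):
    """Timestamp of an entry from its date and time columns."""
    return datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")


def at_least(severity, minimum):
    """True if severity is as severe as, or more severe than, minimum."""
    return RANK[severity] <= RANK[minimum]


def batch_alerts(entries, minimum_level="alert", interval_minutes=5):
    """Return the alert e-mails a severity-based policy would send, each as a
    list of log entries. Qualifying messages that arrive within
    interval_minutes of the first message of a batch are combined into that
    batch (simplified model of the Interval Time setting; an assumption)."""
    qualifying = sorted(
        (e for e in entries if at_least(e.get("pri", "debug"), minimum_level)),
        key=entry_time)
    batches = []
    for e in qualifying:
        if batches and entry_time(e) - entry_time(batches[-1][0]) < timedelta(minutes=interval_minutes):
            batches[-1].append(e)
        else:
            batches.append([e])
    return batches


def format_alert(batch):
    """Render one combined alert e-mail body."""
    lines = [f"{len(batch)} log message(s) from {batch[0].get('devname', '?')}:"]
    for e in batch:
        lines.append(f"  {e['date']} {e['time']} [{e['pri']}] vd={e.get('vd', '-')} {e.get('msg', '')}")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_logs(RAW_LOGS)
    # Column filter: failed administrator logins in any VDOM.
    for e in filter_logs(entries, subtype="admin", status="failed"):
        print(e["time"], e["vd"], e["msg"])
    # Alert policy: minimum level warning, one e-mail per 5-minute interval.
    for batch in batch_alerts(entries, minimum_level="warning", interval_minutes=5):
        print(format_alert(batch))
        print()
```

With the default minimum level of Alert only the virus entry produces an e-mail; lowering the level to Warning with a 5-minute interval yields two e-mails, the first combining the three messages logged between 08:00 and 08:03. Tightening the interval to 1 minute splits those into separate e-mails, which is the trade-off the Interval Time setting controls.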


Reports
You can use the Log&Report menu to configure FortiAnalyzer report schedules and to view generated FortiAnalyzer reports. You can also configure basic traffic reports, which use the log information stored in your FortiGate system memory to present basic traffic information in a graphical format.

Viewing basic traffic reports


The FortiGate unit uses collected log information and presents it in a graphical format to show network usage for a number of services. The charts show the bytes used for the service traffic. To view basic traffic reports, go to Log&Report > Report Access > Memory.
Figure 439: Viewing the basic traffic report from a FortiGate-60 unit

Time Period: Select a time range to view for the graphical analysis. You can choose from one day, three days, one week or one month. The default is one day. When you refresh your browser or go to a different menu, the settings revert to the default.
Services: By default all services are selected. When you refresh your browser or go to a different menu, all services revert to the default settings. Clear the check boxes beside the services you do not want to include in the graphical analysis.


Bandwidth Per Service: This bar graph is based on the services you select, and is updated when you select Apply. The graph is based on the current date and time. The services are Browsing, DNS, Email, FTP, Gaming, Instant Messaging, Newsgroups, P2P, Streaming, TFTP, VoIP, Generic TCP, Generic UDP, Generic ICMP and Generic IP.
Top Protocols Ordered by Total Volume: This bar graph displays the traffic volume for various protocols, in decreasing order of volume. The bar graph does not update when you select different Services and then select Apply.

The report is not updated in real-time. You can refresh the report by selecting the Memory tab.
Note: The data used to present the graphs is stored in the FortiGate system memory. When the FortiGate unit is reset or rebooted, the data is erased.

Configuring the graphical view


The FortiGate basic traffic report includes a wide range of services you can monitor. For example, you can choose to view only email services for the last three days.

To change the graphical information
1 Go to Log&Report > Report Access > Memory.
2 Select the time period to include in the graph from the Time Period list.
3 Clear the check boxes of the services to exclude them from the graph. All services are selected by default.
4 Select Apply.

The graph refreshes and displays the content you specified. The Top Protocols Ordered by Total Volume graph does not change.
Note: If you require a more specific and detailed report, you can configure a simple report from the FortiAnalyzer web-based manager or CLI. The FortiAnalyzer unit can generate over 140 different reports providing you with more options than the FortiGate unit provides. If you need to configure a FortiAnalyzer report schedule, see FortiAnalyzer report schedules on page 674.

FortiAnalyzer report schedules


You can configure a FortiAnalyzer report schedule from FortiGate logs in the web-based manager or CLI. You need to configure a report layout before configuring a report schedule. Contact a FortiAnalyzer administrator before configuring report schedules from the FortiGate unit to verify that the appropriate report layout is configured. Report layouts can only be configured from the FortiAnalyzer unit.

For information about how to configure a report layout, see the FortiAnalyzer Administration Guide. The following procedure describes how to clone a report schedule. When you clone a report schedule, a duplicate of the original is used as a basis for a new one. To view the list of report schedules, go to Log&Report > Report Config. To configure a report schedule, go to Log&Report > Report Config, select Create New, enter the appropriate information and then select OK.
Figure 440: Report schedules in Report Config

General report schedule settings
Create New: Create a new report schedule.
Name: The name of the report schedule.
Description: The comment made when the report schedule was created.
Report Layout: The name of the report layout used for the report schedule.
Schedule: When the report will be generated. The time depends on the time period selected when the report schedule was created: once, daily, or specified days of the week. For example, if you select monthly, the days of the month and time (hh:mm) appear in the format Monthly 2, 10, 21, 12:00.
Delete and Edit icons: Delete or edit a report schedule in the list.
Clone icon: Create a duplicate of the report schedule and use it as a basis for a new report schedule.

Report schedule configuration settings

Name: Enter a name for the schedule.
Description: Enter a description for the schedule. This is optional.
Report Layout: Select a configured report layout from the list. You must apply a report layout to a report schedule. For more information, see the FortiAnalyzer Administration Guide.
Language: Select the language you want used in the report from the list.
Schedule: Select one of the following to have the report generated once only, daily, weekly, or monthly at a specified date or time.
Once: Select to have the report generated only once.
Daily: Select to generate the report every day at the same time, and then enter the hour and minute for the report. The format is hh:mm.
These Days: Select to generate the report on specified days of the week, and then select the days of the week check boxes.
These Dates: Select to generate the report on a specific day or days of the month, and then enter the days separated by commas. For example, to generate the report on the first, 21st and 30th day, enter: 1, 21, 30.
Log Data Filtering: You can specify the following variables for the report:
Virtual Domain: Select to create a report based on virtual domains. Enter a specific virtual domain to include in the report.
User: Select to create a report based on a network user. Enter the user or users in the field, separated by spaces. If a name or group name contains a space, it should be specified between quotes, for example, "user 1".
Group: Select to create a report based on a group of network users, defined locally. Enter the name of the group or groups in the field.
LDAP Query: Select the LDAP Query check box and then select an LDAP directory or Windows Active Directory group from the list.
Time Period: Select to specify the time period of the logs to include in the report.
Relative to Report Runtime: Select a time period from the list. For example, this year.
Specify: Select to specify the date, day, year and time for the report to run. From: Select the beginning date and time of the log time range. To: Select the ending date and time of the log time range.
Output: Select the format you want the report to be in and whether to apply an output template.
Output Types: Select the file format for the generated report. You can choose from PDF, MS Word, Text, and MHT.
Email/Upload: Select the check box if you want to apply a report output template from the list. This list is empty if no report output template exists. For more information, see the FortiAnalyzer Administration Guide.

Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.

To clone a report schedule
1 Go to Log&Report > Report Config.
2 Select Clone in the row of the report schedule that will be the basis of the new report schedule.
3 Rename the report schedule. The cloned schedule is named, for example, CloneOfFGT_100A.
4 Enter the appropriate information and select OK.

Viewing FortiAnalyzer reports


After the FortiAnalyzer unit generates the report, it appears on the Report Access page. All reports are listed on the page, including the rolled reports. A list displays the generated report schedules as well as other reports that the FortiAnalyzer unit generated. To view reports, go to Log&Report > Report Access and select a report name in the Report Files column. You can also select the Expand Arrow to view the rolled report and view the entire report. After viewing the report, select Historical Reports to return to the list.
Figure 441: Generated reports displayed in Report Access

Report Files: The name of the generated report. Select the name to view the report. You can also select the Expand Arrow and then select the rolled report to view it.
Date: The date the report was generated on.
Size(bytes): The size of the report in bytes.
Other Formats: Displays the formats PDF, RTF or MHT, or all of these if they were chosen in the report schedule.

Printing your FortiAnalyzer report


After the FortiAnalyzer unit generates the report, you may want to print the report to have as a hardcopy reference or for a presentation. To print a FortiAnalyzer report, go to Log&Report > Report Access, select the report you want printed from the list and then select Print.


Index
Symbols
, 461

Numerics
802.3ad aggregate interface creating, 127

A
accept action firewall policy, 638 access profile, See admin profile, 224 accessing logs stored in hard disk, 662 action firewall policy, 322 spam filter banned word, 500 spam filter IP address, 502 action type spam filter email address, 505 active sessions HA statistics, 183 ActiveX filter protection profile, 413 add signature to outgoing email protection profile, 409 adding, configuring or defining admin profile, 225 administrative access to interface, 135 administrator account, 212 administrator password, 212 administrator settings, 228 alert email, 672 antispam advanced options, 505 antispam email address list, 504, 505 antispam IP address, 503 antispam IP address list, 501 antivirus file filter list, 444, 446 antivirus file patterns, 446 antivirus file quarantine, 446 antivirus log, 660 antivirus quarantine options, 449 antivirus scanning options, 407 application control options, 420 attack log (IPS), 661 authentication settings, 590 authentication, firewall policy, 327 automatic discovery, 651 autosubmit list, 449 banned word list, 499, 500 basic traffic report, graphical view, 674 BFD, 307 BFD on BGP, 308 BFD on OSPF, 308 BGP settings, 303 CA certificates, 249 Certificate Revocation List (CRL), 251 cipher suite, 553 combined IP pool and virtual IP, 384

content archive, 668 custom firewall service, 357 custom service, firewall, 357 custom signatures, 459 customized CLI console, 64 DHCP interface settings, 130 DHCP relay agent, 173 DHCP server, 173 Directory Service server, 579, 581 Directory Service user groups, 585 DoS sensors, 470 Dynamic DNS on an interface, 132 dynamic virtual IP, 378 event logs, 659 fail-open, IPS, 472 firewall address, 347 firewall address group, 348 firewall policy, 322, 323, 425 firewall policy traffic logging, 657 firewall policy, adding to VLAN subinterface, 156 firewall policy, modem connections, 144 firewall protection profile, 404 firewall schedule, 361 firewall service group, 359 firewall user groups, 584 firewall virtual IP, 365 firmware upgrade, 259 firmware version, 79 FortiAnalyzer report schedules, 674 FortiGuard override options for a user group, 589 FortiGuard Web Filtering options, 413 FortiWiFi-50B settings, 162, 163 FortiWiFi-60B settings, 162, 163 gateway for default route, 283 grayware list, 452 HA, 177 HA device priority, 183 HA subordinate unit host name, 183 health check monitor, 393 IM/P2P/VoIP applications, older versions, 570 interface settings, 123 inter-VDOM links, 113 IP pool, 383 IPS log (attack), 661 IPS options, 411 IPS sensor filters, 464 IPS sensors, 461 IPSec encryption policy, 330 IPSec VPN concentrator, 545 IPSec VPN phase 1, 534 IPSec VPN phase 1 advanced options, 536 IPSec VPN phase 2, 538 IPSec VPN phase 2 advanced options, 539 IPv6 support, 230 LDAP authentication, 216 LDAP server, 575 license key, 276 local ratings, 492 local URL block categories, 491 local user account, 568

log message display, 665 logging options, 421 logging to a FortiAnalyzer unit, 650 logging to a FortiGuard Analysis server, 653 logging to a Syslog server, 654 logging to memory, 654 logging to WebTrends, 655 MAC filter list, 166 modem connections, firewall policy, 144 modem interface, 139 MTU size, 136 multicast settings, 305 NAT virtual IP, 372 OCSP certificates, 249 one-time schedule, 363 OSPF areas, 299 OSPF AS, 295 OSPF basic settings, 296 OSPF interface, operating parameters, 301 OSPF networks, 300 OSPF settings, advanced, 298 override server, 272 password, 214 password, administrator, 212 peer users and peer groups, 582 ping server, 146 PKI authentication, 220 policy, 323, 327 policy route, 286 PPPoE or PPPoA interface settings, 131 PPTP range, 547, 549 PPTP VPN, 547, 549 protection profile, 398 push updates, 274 RADIUS authentication, 214 RADIUS server, 572 recurring schedule, 362 redundant interface, 128 redundant mode, 142 remote authentication, 214 RIP settings, advanced, 292 RIP settings, basic, 290 RIP-enabled interface, 293 scripts, 263 secondary IP address, 136 SIP advanced features, 434 SNMP community, 186 socket-size, IPS, 473 spam filter log, 661 spam filtering options, 416 SSL VPN options, firewall policy, 331 SSL VPN settings, 552 SSL VPN user groups, 585 standalone mode, 143 static NAT port forwarding, IP address and port range, 377 static NAT port forwarding, single address and port, 375 static NAT virtual IP, IP address range, 373 static route (transparent mode), 149 static route, adding to routing table, 284 subnet object, 89 system administrators, 209 system certificates, 247 system configuration backup and restore, 254

system configuration backup and restore, FortiManager, 256 system configuration, central management options, 258 system status widgets, 64 system time, 78 TACACS+ authentication, 218 TACACS+ server, 578 topology diagram, 89, 90 updates for FDN and FortiGuard services, 266 URL filter list, 484, 485 URL overrides, 489 user authentication settings, 590 user group, 586 user groups, 583 VDOM configuration settings, 105, 111 VDOM configuration settings, advanced, 109 VDOM configuration settings, global, 107 VDOM interface, 113 VDOM, new, 110 VIP group, 380 virtual IP, 370 virtual IP group, 380 virtual IP, port translation only, 379 virtual IPSec interface, 133 VLAN subinterface, 153 VPN firewall policy-based internet browsing, 544 VPN route-based internet browsing, 544 web content block list, 479, 480 web content exempt list, 482, 483 web filtering options, 411 wireless interface, 163 zone, 138 address firewall address group, 348 list, 346 address group, 348 adding, 348 creating new, 348 list, 348 Address Name firewall address, 347 admin administrator account, 45 admin profile administrator account, 222 CLI commands list, 223 configuring, 225 viewing list, 224 administrative access changing, 46 interface settings, 126, 134, 137 monitoring logins, 229 administrative distance, 278 administrative interface. See web-based manager administrator assigning to VDOM, 115 administrator account admin, 45 admin profile, 222 configuring, 212 netmask, 213 administrator login disclaimer, 200

administrator password changing, 45 administrator settings, 228 administrators viewing list, 211 administrators, monitoring, 229 Advanced Mezzanine Card (AMC), 69 adware grayware category, 452 AFS3, advanced file security encrypted file AFS3, 352 age limit quarantine, 450 aggregate interface creating, 127 AH, predefined service, 352 alert email options, 670 SMTP user, 671 Alert Message Console clearing messages, 71 alert message console viewing, 70 ALG controlling the SIP ALG, 436 SIP, 429 allow inbound IPSec firewall policy, 330 allow outbound IPSec firewall policy, 330 allow web sites when a rating error occurs protection profile, 415 AMC module, 121 antispam port 53, 270 port 8888, 270 antispam email address list adding, 504 viewing, 504 antispam IP address list viewing, 502 antispam. See also spam filter, 495

antivirus adware grayware, 452 av_failopen, 453 BHO grayware, 452 CLI configuration, 453 configure antivirus heuristic, 453 configuring grayware list, 452 dial grayware, 452 download grayware, 452 file block, 443 file block list, 445 game grayware, 453 heuristics, 453 hijacker grayware, 453 joke grayware, 453 keylog grayware, 453 misc grayware, 453 NMT grayware, 453 optimize, 453 P2P grayware, 453 plugin grayware, 453 quarantine, 446 quarantine files list, 447 RAT grayware, 453 scanning large files, 454 splice, 408, 419 spy grayware, 453 streaming mode, 408, 419 system global av_failopen, 453 system global optimize, 453 toolbar grayware, 453 virus list, 451 antivirus and attack definitions, 271 antivirus options protection profile, 407 antivirus updates, 272 manual, 82 through a proxy server, 273 ANY service, 352 AOL service, 352 append tag format protection profile, 419 append tag to location protection profile, 419 application control, 523 statistics, 527 application level gateway SIP, 429 application list SIP, 434 area border router (ABR), 294, 299 ARP, 370, 390 proxy ARP, 370, 390 AS OSPF, 294 attack updates manual, 82 scheduling, 272 through a proxy server, 273 Authentication IPSec VPN, phase 2, 540

authentication client certificates and SSL VPN, 552 configuring remote authentication, 214 defining settings, 590 firewall policy, 327, 333 MD5, 300 RIP, 294 server certificate and SSL VPN, 552 WAN optimization, 603 WAN optimization peer authentication, 602 Authentication Algorithm IPSec VPN, manual key, 542, 543 Authentication Key IPSec VPN, manual key, 543 Authentication Method IPSec VPN, phase 1, 535 Auto Key IPSec VPN, 533 Autokey Keep Alive IPSec VPN, phase 2, 540 automatic discovery, 651 autonomous system (AS), 294, 302 AutoSubmit quarantine, 450 autosubmit list configuring, 449 enabling uploading, 449 quarantine files, 448 av_failopen antivirus, 453

B
back to HA monitor HA statistics, 183 backing up 3.0 config to FortiUSB, 93 3.0 configuration, 92 config using web-based manager, 3.0, 92 FortiGate configuration, 48 backup (redundant) mode modem, 139 backup and restore, system maintenance, 254 backup mode modem, 142 band wireless setting, 163 bandwidth guaranteed, 326, 425 maximum, 326, 426, 606, 635 banned word web content block, 480, 483 banned word (spam filter) action, 500 adding words to the banned word list, 500 catalog, 498 language, 500 list, 499 pattern, 500 pattern type, 500 banned word check protection profile, 419

banned word list creating new, 499 banned word list catalog viewing, 498 beacon interval wireless setting, 163 BFD configuring on BGP, 308 configuring on OSPF, 308 disabling, 308 BGP AS, 302 flap, 303 graceful restart, 303 MED, 302 RFC 1771, 302 service, 352 settings, viewing, 303 stabilizing the network, 303 BHO grayware category, 452 black/white list, 501 blackhole route, 279 block, 435 block login (IM) protection profile, 421 Boot Strap Router (BSR), 304 BOOTP, 175 browsing log information, 664 button bar features, 47 byte cache, 601

C
CA certificates importing, 249 viewing, 249 cache WAN optimization web caching, 610 web, 610 catalog banned word, 498 content block, 479 content exempt, 481 email address black/white list, 503 IP address black/white list, 501 URL filter, 484 viewing file pattern, 444 category protection profile, 416 category block configuration options, 488 central management, 226 revision control, 227 Certificate Name IPSec VPN, phase 1, 535 certificate, security. See system certificate certificate, server, 552 certificate. See system certificates channel wireless setting, 163

CIDR, 345, 622 cipher suite SSL VPN, 553 CLI, 44 admin profile, 223 connecting to from the web-based manager, 47 CLI command PPTP tunnel setup, 549 CLI configuration antivirus, 453 customizing CLI console, 64 system network, 134 using in web-based manager, 73 web category block, 493 CLI console, 73 client certificates SSL VPN, 552 client comforting, 410 cluster member, 180 cluster members list, 182 priority, 182 role, 182 cluster unit disconnecting from a cluster, 184 code, 358 column settings, 666 configuring, 58 system network, 122 using with filters, 59 comfort clients protection profile, 409 comforting client, 410 comments firewall policy, 327, 333 comments, documentation, 26 concentrator adding, 545 equivalent for route-based VPN, 532 IPSec tunnel mode, 544 IPSec VPN, policy-based, 544 Concentrator Name IPSec VPN, concentrator, 545 config antivirus heuristic CLI command, 453 configuration backing up FortiGate configuration, 48 configuring WAN optimization peer, 634 WAN optimization rule, 605 connecting modem, dialup account, 144 web-based manager, 44 conservation mode, 191 contact information SNMP, 186 contacting customer support, 48 content archive viewing, 84 content block catalog, 479 web filter, 478

content exempt catalog, 481 content filtering mode HTTPS, 407 content scanning SSL, 399 content streams replacement messages, 195 cookie filter protection profile, 413 CPU load, 110 CPU usage HA statistics, 183 CRL (Certificate Revocation List) importing, 251 viewing, 251 custom service adding, 357 adding a TCP or UDP custom service, 357 list, 356 custom signatures intrusion protection, 459 viewing, 459 customer service, 25, 109 customer support contacting, 48 customized GUI PPTP tunnel setup, 547 CVSPSERVER, concurrent versions system proxy server, 352

D
dashboard, 44, 63 dashboard statistics protection profile, 420 data encryption wireless setting, 165 data leak prevention sensor, 419 data leak protection, 511 compound rule, 519 rule, 515 sensor, 511 date quarantine files list, 447 DC quarantine files list, 448 DCE-RPC firewall service, 352 Dead Peer Detection IPSec VPN, phase 1, 538 default gateway, 281 default route, 281 Designated Routers (DR), 304 destination firewall policy, 322, 325, 329, 332 destination IP address system status, 83 destination NAT SIP, 430 destination network address translation (DNAT) virtual IPs, 367, 368

destination port, custom services, 358 device priority HA, 179 subordinate unit, 183 DH Group IPSec VPN, phase 1, 538 IPSec VPN, phase 2, 540 DHCP and IP Pools, 326 configuring relay agent, 173 configuring server, 173 servers and relays, 171 service, 172 system, 171 transparent mode, 171 viewing address leases, 175 DHCP (Dynamic Host Configuration Protocol) configuring on an interface, 130 service, 352 DHCP6 service, 352 DHCP-IPSec IPSec VPN, phase 2, 540 diagnose commands, 47 diagram topology viewer, 87 dial grayware category, 452 dialup VPN monitor, 545 differentiated services firewall policy, 339 differentiated services code point (DSCP), 339 DiffServ firewall policy, 339 Directory Service configuring server, 579, 581 FSAE, 581 disclaimer administrator login, 200 disconnecting modem, dialup account, 144 disk space quarantine, 450 display content meta-information on dashboard protection profile option, 420 display content meta-information on the system dashboard protection profile, 420 Distinguished Name query, 577 DLP. See data leak protection DNAT virtual IPs, 367, 368 DNS service, 352 documentation commenting on, 26 Fortinet, 26 domain name, 346

DoS policy, 337 configuring, 338 viewing, 337 DoS sensor, 469 IPS, 411 list, 470 SCCP, 433 SIP, 433 dotted-decimal notation, 299 double NAT, 384 downgrading. See also reverting 3.0 using the CLI, 99 3.0 using web-based manager, 98 download grayware category, 452 quarantine files list, 448 DSCP, 339 duplicates quarantine files list, 448 Dynamic DNS IPSec VPN, phase 1, 534 monitor, 545 network interface, 132 VPN IPSec monitor, 545 dynamic IP pool SIP, 431 dynamic routing, 289 OSPF, 294 PIM, 304 dynamic virtual IP adding, 378

E
ECMP, 279 eip vpn pptp, 549, 550 email oversize threshold, 409 email address action type, 505 adding to the email address list, 505 black/white list catalog, 503 BWL check, protection profile, 418 list, spam filter, 504 pattern type, 505 enable FortiGuard Web Filtering protection profile, 415 enable FortiGuard Web Filtering overrides protection profile, 415 Enable perfect forward secrecy (PFS) IPSec VPN, phase 2, 540 Enable replay detection IPSec VPN, phase 2, 540 enable session pickup HA, 180 Encryption IPSec VPN, phase 2, 540 Encryption Algorithm IPSec VPN, manual key, 542, 543 Encryption Key IPSec VPN, manual key, 543

end IP IP pool, 383 Endpoint compliance firewall policy options, 336 Equal Cost Multipath (ECMP), 279 ESP service, 352 example firewall policy, 339 source IP address and IP pool address matching, 382 exclude range adding to DHCP server, 175 expire system status, 84 expired subscription, 267 explicit mode WAN optimization, 604, 609 exported server certificates importing, 247 external interface virtual IP, 370 external IP address virtual IP, 370 external service port virtual IP, 371

F
fail-open, CLI command for IPS, 472 FDN attack updates, 207 HTTPS, 271 override server, 268 port 443, 271 port 53, 270 port 8888, 270 port forwarding connection, 274 proxy server, 273 push update, 268 troubleshooting connectivity, 271 updating antivirus and attack definitions, 271 FDS, 264 file block antivirus, 443 default list of patterns, 443 list, antivirus, 445 protection profile, 408

file name quarantine files list, 447 file pattern catalog, 444 quarantine autosubmit list, 448 filter filtering information on web-based manager lists, 53 IPS sensor, 464 quarantine files list, 447 using with column settings, 59 web-based manager lists, 53 FINGER service, 352 firewall, 319, 345, 351, 361, 365, 397 address list, 346 configuring, 319, 345, 397 configuring firewall service, 351 configuring service group, 359 configuring virtual IP, 365 configuring, schedule, 361 custom service list, 356 one-time schedule, 362 overview, 319, 345, 351, 397 overview, firewall schedule, 361 overview, virtual IP, 365 policy list, 321 policy matching, 319, 606 predefined services, 351 recurring schedule, 361 virtual IP list, 369 firewall address adding, 347 address group, 348 address name, 347 create new, 346 IP range/subnet, 347 list, 346 name, 346 subnet, 347 firewall address group adding, 348 available addresses, 349 group name, 349 members, 349 firewall IP pool list, 383 firewall IP pool options, 383 firewall load balancing WAN optimization, 603

firewall policy accept action, 638 action, 322 adding, 323 adding a protection profile, 398 allow inbound, 330 allow outbound, 330 authentication, 327, 333 changing the position in the policy list, 320, 607 comments, 327, 333 configuring, 323 creating new, 322, 425 deleting, 320, 607 destination, 322, 325, 329, 332 differentiated services, 339 DiffServ, 339 Endpoint compliance, 336 example, 339 guaranteed bandwidth, 326, 425 ID, 322 identity-based, 328 inbound NAT, 331 insert policy before, 322, 606 list, 321 log traffic, 327, 329, 335 matching, 319, 606 maximum bandwidth, 326, 426, 606, 635 modem, 144 moving, 320, 607 multicast, 321 outbound NAT, 331 protection profile, 326, 334 schedule, 322, 325 service, 322, 325 source, 322, 324, 332 SSL VPN options, 331 traffic priority, 606, 635 traffic shaping, 326, 329, 335 user groups, 584 firewall protection profile default protection profiles, 398 list, 399 options, 404 firewall service AFS3, 352 AH, 352 ANY, 352 AOL, 352 BGP, 352 CVSPSERVER, 352 DCE-RPC, 352 DHCP, 352 DHCP6, 352 DNS, 352 ESP, 352 FINGER, 352 FTP, 352 FTP_GET, 352 FTP_PUT, 352 GOPHER, 352 GRE, 352 group list, 359 H323, 352

HTTP, 353 HTTPS, 353 ICMP_ANY, 353 IKE, 353 IMAP, 353 INFO_ADDRESS, 353 INFO_REQUEST, 353 Internet-Locator-Service, 353 IRC, 353 L2TP, 353 LDAP, 353 MGCP, 353 MS-SQL, 353 MYSQL, 353 NetMeeting, 353 NFS, 353 NNTP, 353 NTP, 353 ONC-RPC, 353 OSPF, 353 PC-Anywhere, 354 PING, 354 PING6, 354 POP3, 354 PPTP, 354 QUAKE, 354 RAUDIO, 354 REXEC, 354 RIP, 354 RLOGIN, 354 RSH, 354 RTSP, 354 SAMBA, 354 SCCP, 354 SIP, 355 SIP-MSNmessenger, 355 SMTP, 355 SNMP, 355 SOCKS, 355 SQUID, 356 SSH, 356 SYSLOG, 356 TALK, 356 TCP, 356 TELNET, 356 TFTP, 356 TIMESTAMP, 356 UDP, 356 UUCP, 356 VDOLIVE, 356 viewing custom service list, 356 viewing list, 351 VNC, 356 WAIS, 356 WINFRAME, 356 WINS, 356 X-WINDOWS, 356 firmware reverting to previous version, 80 upgrading to a new version, 80 viewing, 259 fixed port IP pool, 382

FortiAnalyzer, 21, 651 accessing logs, 663 configuring report schedules, 674 logging to, 650 printing reports, 677 VDOM, 104 FortiBridge, 21 FortiClient, 21 system maintenance, 254 FortiGate 4000, 121 FortiGate documentation commenting on, 26 FortiGate logging, 647 FortiGate SNMP event, 188 FortiGate unit registering, 48 FortiGate-ASM-FB4, 121 FortiGuard, 21 changing the host name, 493 CLI configuration, 493 configuration options, 488 configuring FortiGuard Web filtering options, 413 manually configuring definition updates, 82 override options for user group, 589 web filter, 487 FortiGuard Analysis and Management Services remote management options, 257 FortiGuard Analysis Service, 648 accessing logs on FortiGuard Analysis server, 664 portal web site, 649 FortiGuard Antispam email checksum check, 418 IP address check, 418 FortiGuard Distribution Network. See FDN FortiGuard Distribution Server. See FDS FortiGuard Services, 265 antispam service, 265 configuring antispam service, 265 configuring updates for FDN and services, 266 configuring web filter service, 266 FortiGuard Analysis and Management Services, 266 licenses, 66, 265 management and analysis service options, 270 support contract, 266 web filtering, 265 web filtering and antispam options, 269 FortiMail, 21 FortiManager, 21 FortiManager Management Services revision control, 261 Fortinet customer service, 109 Fortinet customer service, 25 Fortinet documentation, 26 Fortinet Family Products, 21 Fortinet Knowledge Center, 26 Fortinet MIB, 189, 192 FortiWiFi-50B wireless settings, 162

FortiWiFi-60B wireless settings, 162 fragmentation threshold wireless setting, 165 FSAE Directory Service server, 581 FTP service, 352 FTP_GET service, 352 FTP_PUT service, 352 fully qualified domain name (FQDN), 346

G
game grayware category, 453 geography wireless setting, 163 GOPHER service, 352 graceful restart, 303 graphical user interface. See web-based manager grayware adware, 452 antivirus, 452 BHO, 452 dial, 452 download, 452 game, 453 hijacker, 453 joke, 453 keylog, 453 misc, 453 NMT, 453 P2P, 453 plugin, 453 RAT, 453 spy, 453 toolbar, 453 updating antivirus and attack definitions, 271 GRE, 294 service, 352 group name HA, 179 grouping services, 359 groups user, 583 guaranteed bandwidth firewall policy, 326, 425 traffic shaping, 326, 425 GUI. See web-based manager

H
H323 service, 352

HA, 177, 182 changing cluster unit host names, 182 cluster logging, 650 cluster member, 182 cluster members list, 180 configuring, 177 device priority, 179 disconnecting a cluster unit, 184 enable session pickup, 180 group name, 179 heartbeat interface, 180 host name, 182 interface monitoring, 180 mode, 179 out of band management, 121 password, 180 port monitor, 180 router monitor, 316 routes, 316 session pickup, 180 subordinate unit device priority, 183 subordinate unit host name, 183 VDOM partitioning, 180 viewing HA statistics, 182 HA statistics active sessions, 183 back to HA monitor, 183 CPU usage, 183 intrusion detected, 183 memory usage, 183 monitor, 183 network utilization, 183 refresh every, 183 status, 183 total bytes, 183 total packets, 183 unit, 183 up time, 183 virus detected, 183 health check monitor configuring, 393 heartbeat, HA interface, 180 HELO DNS lookup protection profile, 418 help navigating using keyboard shortcuts, 51 searching the online help, 50 using FortiGate online help, 49 heuristics antivirus, 453 quarantine, 454 high availability See HA, 177 hijacker grayware category, 453 host name changing, 78 changing for a cluster, 182 viewing, 78 hostname cluster members list, 182

HTTP, 393 service, 353 virus scanning large files, 454 HTTPS, 43, 208 service, 353 HTTPS content filtering mode, 407 hub-and-spoke IPSec VPN (see also concentrator), 532

I
ICMP custom service, 358 code, 358 protocol type, 358 type, 358 ICMP echo request, 393 ICMP_ANY service, 353 ID firewall policy, 322 identity-based firewall policy, 328 identity-based firewall policy WAN optimization, 603 idle timeout changing for the web-based manager, 47 IEEE 802.11a, channels, 160 IEEE 802.11b, channels, 161 IEEE 802.11g, channels, 161 IEEE 802.3ad, 127 IKE service, 353 IMAP service, 353 inbound NAT IPSec firewall policy, 331 INFO_ADDRESS service, 353 INFO_REQUEST service, 353 insert policy before firewall policy, 322, 606 inspection SSL, 399 interface adding system settings, 123 administrative access, 126, 134, 137 administrative status, 121 configuring administrative access, 135 GRE, 294 IP pool, 384 loopback, 121, 280 modem, configuring, 139 MTU, 127 proxy ARP, 370, 390 software switch, 125 wireless, 159 WLAN, 159 Interface Mode, 123 interface monitoring HA, 180

internet browsing IPSec VPN configuration, 544 Internet-Locator-Service service, 353 inter-VDOM links, 113 introduction Fortinet documentation, 26 intrusion detected HA statistics, 183 intrusion protection custom signature list, 459 DoS sensor list, 470 DoS sensor, protection profile, 411 fail-open, CLI command for IPS, 472 filter, 464 IPS sensor list, 461 IPS sensor, protection profile, 411 predefined signature list, 457 protection profile options, 411 protocol decoder, 460 protocol decoder list, 460 signatures, 456 socket-size, CLI command for IPS, 473 IP virtual IP, 369 IP address action, antispam, 502 antispam black/white list catalog, 501 BWL check, protection profile, 418 defining PPTP range, 547, 549 IPSec VPN, phase 1, 534 list, spam filter, 502 PPTP user group, 547, 549 spam filter, 501 WAN optimization, 603 IP address, configuring secondary, 136 IP custom service, 358 protocol number, 358 protocol type, 358 IP pool adding, 383 configuring, 383 creating new, 383 DHCP, 326 end IP, 383 fixed port, 382 interface, 384 IP range/subnet, 384, 385 list, 383 name, 384, 385 options, 383 PPPoE, 326 proxy ARP, 370, 390 SIP, 431 start IP, 383 transparent mode, 386 IP range/subnet firewall address, 347 IP pool, 384, 385 IPS see intrusion protection

IPS sensor filter, 464 options, protection profile, 411 IPSec, 294 IPSec firewall policy allow inbound, 330 allow outbound, 330 inbound NAT, 331 outbound NAT, 331 IPSec Interface Mode IPSec VPN, manual key, 543 IPSec VPN, phase 1, 537 IPSec VPN adding manual key, 542 authentication for user group, 584 Auto Key list, 533 concentrator list, 544 configuring phase 1, 534 configuring phase 1 advanced options, 536 configuring phase 2, 538 configuring phase 2 advanced options, 539 configuring policy-, route-based Internet browsing, 544 Manual Key list, 541 monitor list, 545 remote gateway, 584 route-based vs policy-based, 532 IPv6, 230, 280 IPv6 support settings, 229 IRC service, 353 iSCSI, 604

J
java applet filter protection profile, 413 joke grayware category, 453

K
Keepalive Frequency IPSec VPN, phase 1, 538 key license, 276 wireless setting, 165 keyboard shortcut online help, 51 Keylife IPSec VPN, phase 1, 538 IPSec VPN, phase 2, 540 keylog grayware category, 453

L
L2TP, 584 service, 353 language changing the web-based manager language, 46 spam filter banned word, 500 web content block, 480, 483 web-based manager, 46, 229

LDAP configuring server, 575 service, 353 user authentication, 568 LDAP Distinguished Name query, 577 LDAP server authentication, 214 configuring authentication, 216 license key, 276 licenses viewing, 66 lists using web-based manager, 53 load balancer, 389 load balancing WAN optimization, 603 local certificates options, 245 viewing, 244 Local Gateway IP IPSec VPN, phase 1, 537 local host ID WAN optimization, 603 Local ID IPSec VPN, phase 1, 538 Local Interface IPSec VPN, manual key, 543 IPSec VPN, phase 1, 535 local ratings configuring, 492 local ratings list viewing, 491 Local SPI IPSec VPN, manual key, 543 local user, 568 local user account configuring, 568 log attack anomaly, 661 attack signature, 661 column settings, 666 messages, 664 raw or formatted, 665 to FortiAnalyzer, 651 traffic, firewall policy, 327, 329, 335 log messages viewing, 664 log traffic firewall policy, 327, 329 log types, 657 antivirus, 660 attack, 661 event, 659 spam filter, 661 traffic, 657 web filter, 661

logging, 662 accessing logs in memory, 662 accessing logs on FortiAnalyzer unit, 663 accessing logs on FortiGuard Analysis server, 664 ActiveX filter, 422 alert email, configuring, 670 applying through protection profile, 421 basic traffic reports, 673 blocked files, 422 browsing log messages, 664 cluster, HA, 650 configuring content archive, 668 configuring FortiAnalyzer report schedules, 674 configuring graphical system memory report, 674 connecting using automatic discovery, 651 content archive, 667 content block, 422 cookie filter, 422 customizing display of log messages, 665 FortiGuard Analysis server, 653 intrusions, 422 java applet filter, 422 log severity levels, 649 log types, 657 oversized files/emails, 422 printing FortiAnalyzer reports, 677 rating errors, 422 reports, 673 searching, filtering logs, 667 SIP, 434 spam, 422 storing logs, 650 testing FortiAnalyzer configuration, 652 to a FortiAnalyzer unit, 650 to memory, 654 to syslog server, 654 to WebTrends, 655 URL block, 422 viewing content archives, 670 viewing raw or formatted logs, 665 viruses, 422 web site, FortiGuard Analysis Service, 649 logging out web-based manager, 52 loopback interface, 121, 280 lost password recovering, 45, 213, 214 low disk space quarantine, 450

M
MAC address filtering, 165 MAC filter wireless, 165 MAC filter list configuring, 166 viewing, 166 major version, 80 Management Information Base (MIB), 185 management VDOM, 112, 116 Manual Key IPSec VPN, 541

map to IP virtual IP, 369 map to port virtual IP, 369, 371 matched content, 394 matching firewall policy, 319, 606 max filesize to quarantine quarantine, 450 maximum bandwidth, 326, 426, 606, 635 firewall policy, 326, 426, 606, 635 traffic shaping, 326, 426, 606, 635 MD5 OSPF authentication, 300, 302 Members IPSec VPN, concentrator, 545 memory, 110 memory usage HA statistics, 183 menu web-based manager menu, 52 messages, log, 664 MGCP service, 353 mheader, 505 MIB, 192 FortiGate, 188 RFC 1213, 188 RFC 2665, 188 minor version, 80 misc grayware category, 453 Mode IPSec VPN, phase 1, 535 mode HA, 179 modem adding firewall policies, 144 backup mode, 142 connecting and disconnecting to dialup account, 144 redundant (backup) mode, 139 standalone mode, 139, 143 viewing status, 144 modem interface configuring, 139 monitor administrator logins, 229 HA statistics, 183 IPSec VPN, 545 routing, 315 monitored ports, 407 monitoring WAN optimization, 637 moving a firewall policy, 320, 607 MS-CHAP, 572 MS-CHAP-V2, 572 MS-SQL service, 353 MTU size, 127, 135 multicast, 304

multicast destination NAT, 306 multicast policy, 321 multicast settings overriding, 306 viewing, 305 Multi-Exit Discriminator (MED), 302 MYSQL service, 353

N
Name IP pool, 384, 385 IPSec VPN, manual key, 543 IPSec VPN, phase 1, 534 IPSec VPN, phase 2, 539 NAT in transparent mode, 386 inbound, IPSec firewall policy, 331 multicast, 306 outbound, IPSec firewall policy, 331 preserving SIP NAT IP, 435 push update, 274 SIP, 429 symmetric, 368 WAN optimization, 603 NAT virtual IP adding for single IP address, 372 adding static NAT virtual IP for IP address range, 373 Nat-traversal IPSec VPN, phase 1, 538 netmask administrator account, 213 NetMeeting service, 353 network topology viewer, 87 network address translation (NAT), 366 network utilization HA statistics, 183 NFS service, 353 NMT grayware category, 453 NNTP service, 353 not registered subscription, 267 Not-so-stubby Area (NSSA), 299 not-so-stubby area (NSSA), 316 Novell eDirectory, 579 NTP service, 353

O
object cache WAN optimization web caching, 610 OCSP certificates importing, 249 ONC-RPC service, 353

one-time schedule adding, 363 configuring, 363 creating new, 362 list, 362 start, 363 stop, 363 online help content pane, 49 keyboard shortcuts, 51 navigation pane, 50 search, 50 using FortiGate online help, 49 operation mode, 207 wireless setting, 163 operational history viewing, 81 optimize antivirus, 453 OSPF area ID, 300 AS, 297 authentication, 300, 302 Dead Interval, 302 dead packets, 302 GRE, 301 Hello Interval, 302 Hello protocol, 294 interface definition, 301 IPSec, 301 link-state, 294 LSA, 302 multiple interface parameter sets, 301 neighbor, 294 network, 297 network address space, 302 NSSA, 299, 316 path cost, 295 regular area, 299 service, 353 settings, 296 stub, 299 virtual LAN, 301 virtual link, 299 VLAN, 301 OSPF AS, 294 defining, 295 out of band, 121 outbound NAT IPSec firewall policy, 331 override server adding, 272 oversize threshold, 409 oversized file/email protection profile, 409

P
P1 Proposal IPSec phase 1, 537 P2 Proposal IPSec VPN, phase 2, 540

P2P grayware category, 453 packets VDOM, 104 page controls web-based manager, 57 PAP, 572 pass fragmented email protection profile, 409 password configuring authentication password, 214 HA, 180 recovering lost password, 45, 213, 214 PAT virtual IPs, 366 patch number, 80 pattern default list of file block patterns, 443 spam filter banned word, 500 pattern type spam filter banned word, 500 spam filter email address, 505 web content block, 480, 483 PC-Anywhere service, 354 peer WAN optimization, 602 peer authentication WAN optimization, 602 peer group configuring, 582 peer host ID WAN optimization, 603 peer IP address WAN optimization, 603 Peer option IPSec VPN, phase 1, 535 peer user configuring, 582 Perl regular expressions spam filter, 506 Phase, 539 phase 1 IPSec VPN, 534, 539 phase 1 advanced options IPSec VPN, 536 phase 2 IPSec VPN, 538 phase 2 advanced options IPSec VPN, 539 PIM BSR, 304 dense mode, 304 DR, 304 RFC 2362, 304 RFC 3973, 304 RP, 304 sparse mode, 304 PING, 393 service, 354 ping server adding to an interface, 146

PING6 firewall service, 354 pinholing RTP, 434 SIP, 434 PKI, 581 authentication, 220 plugin grayware category, 453 policy accept action, 638 action, 322 adding, 323 allow inbound, 330 allow outbound, 330 authentication, 327, 333 changing the position in the policy list, 320, 607 comments, 327, 333 configuring, 323 creating new, 322, 425 deleting, 320, 607 destination, 322 differentiated services, 339 DiffServ, 339 DoS, 337 example, 339 guaranteed bandwidth, 326, 425 ID, 322 identity-based, 328 inbound NAT, 331 insert policy before, 322, 606 list, 321 log traffic, 327, 329, 335 matching, 319, 606 maximum bandwidth, 326, 426, 606, 635 move, 320, 607 multicast, 321 outbound NAT, 331 protection profile, 326, 334 schedule, 322, 325 service, 322, 325 source, 322 SSL VPN options, 331 traffic priority, 606, 635 traffic shaping, 326, 329, 335 policy route moving in list, 287 policy-based routing, 285 POP3 service, 354 port 53, 270 port 8888, 270 port 9443, 274 port address translation virtual IPs, 366 port forwarding, 366 port monitor HA, 180 PPPoE and IP Pools, 326 PPPoE (Point-to-Point Protocol over Ethernet) RFC 2516, 131

PPTP, 547, 584 service, 354 PPTP IP address user group, 547, 549 PPTP range defining addresses, 547, 549 PPTP tunnel setup CLI command, 549 customized GUI, 547 predefined services, 351 predefined signature default action, 458 list, 457 Pre-shared Key IPSec VPN, phase 1, 535 pre-shared key wireless setting, 165 priority cluster members, 182 private key importing, 247, 248 product registration, 48 products, family, 21 proposal IPSec phase 1, 537 IPSec VPN, phase 2, 540 protection profile ActiveX, 413 add signature to outgoing email, 409 adding to a firewall policy, 398 allow web sites when a rating error occurs, 415 antivirus options, 407 append tag format, 419 append tag to location, 419 banned word check, 419 block login (IM), 421 category, 416 comfort clients, 409 cookie filter, 413 dashboard statistics, 420 default protection profiles, 398 display content meta-information on dashboard, 420 display content meta-information on the system dashboard options, 420 DoS sensor, 411 email address BWL check, 418 enable FortiGuard Web Filtering, 415 enable FortiGuard Web Filtering overrides, 415 file block, 408 firewall policy, 326, 334 FortiGuard Antispam IP address check, 418 FortiGuard email checksum check, 418 HELO DNS lookup, 418 IP address BWL check, 418 IPS sensor, 411 IPS sensor options, 411 java applet filter, 413 list, 399 logging, ActiveX filter, 422 logging, blocked files, 422 logging, content block, 422 logging, cookie filter, 422 logging, intrusions, 422

logging, java applet filter, 422 logging, oversized files/emails, 422 logging, rating errors, 422 logging, spam, 422 logging, URL block, 422 logging, viruses, 422 options, 404 oversized file/email, 409 pass fragmented email, 409 provide details for blocked HTTP errors, 415 quarantine, 409 rate images by URL, 415 rate URLs by domain and IP address, 416 return email DNS check, 418 scan (default protection profile), 398 spam action, 419 spam filtering options, 416 strict (default protection profile), 398 strict blocking (HTTP only), 416 tag format, 419 tag location, 419 unfiltered (default protection profile), 398 virus scan, 408 web (default protection profile), 398 web content block, 412 web content exempt, 412 web filtering options, 411, 476 web resume download block, 413 web URL block, 412 protocol number, custom service, 358 OSPF Hello, 294 service, 352 system status, 83 type, custom service, 357, 358 virtual IP, 371 protocol decoder, 460 list, 460 Protocol Independent Multicast (PIM), 304 protocol optimization, 601 protocol recognition, 407 protocol type, 358 provide details for blocked HTTP errors protection profile, 415 proxy SIP, 427 proxy ARP, 370, 390 FortiGate interface, 370, 390 IP pool, 370, 390 virtual IP, 370, 390 proxy server, 273 push updates, 273 push update, 268 configuring, 273 external IP address changes, 273 IP address changes, 273 management IP address changes, 274 through a proxy server, 273

Q

QoS, 339 QUAKE service, 354 quality of service, 339 quarantine age limit, 450 antivirus, 446 autosubmit list, 448 autosubmit list file pattern, 448 configuring, 449 configuring the autosubmit list, 449 enable AutoSubmit, 450 enabling uploading autosubmit file patterns, 449 heuristics, 454 low disk space, 450 max filesize to quarantine, 450 options, 450 protection profile, 409 quarantine files list antivirus, 447 apply, 447 date, 447 DC, 448 download, 448 duplicates, 448 file name, 447 filter, 447 service, 447 sorting, 447 status, 448 status description, 448 TTL, 448 upload status, 448 query, 577 Quick Mode Selector IPSec VPN, phase 2, 541

R

RADIUS configuring server, 572 servers, 571 user authentication, 568 viewing server list, 571 WPA Radius, 165 RADIUS authentication VDOM, 116 RADIUS server authentication, 214 wireless setting, 165 RAT grayware category, 453 rate images by URL protection profile, 415 rate limiting SCCP, 433 SIMPLE, 433 SIP, 432, 433 rate URLs by domain and IP address protection profile, 416 RAUDIO service, 354 read & write access level administrator account, 78, 79, 211

read only access level administrator account, 78, 79, 211, 213 reading log messages, 664 real servers configuring, 392 monitoring, 395 recurring schedule adding, 362 configuring, 362 creating new, 361 list, 361 select, 362 start, 362 stop, 362 redirect SIP, 427 redundant interface adding system settings, 128 redundant mode configuring, 142 refresh every HA statistics, 183 registering FortiGate unit, 48 regular administrator, 209 relay DHCP, 171, 173 remote administration, 135, 208 remote certificates options, 248 viewing, 248 Remote Gateway IPSec manual key setting, 543 IPSec VPN, manual key, 542 IPSec VPN, phase 1, 534 remote peer manual key configuration, 542 Remote SPI IPSec VPN, manual key, 543 remote user authentication, 571 Rendezvous Point (RP), 304 replacement messages, 195 report basic traffic, 673 configuring report schedules, 674 FortiAnalyzer, printing, 677 viewing FortiAnalyzer reports, 677 restoring 3.0 configuration, 101 using the CLI, 101 using web-based manager, 101 return email DNS check protection profile, 418 Reverse Path Forwarding (RPF), 306 reverse proxy web cache, 627 revision control, 227 REXEC firewall service, 354 RFC, 304 RFC 1058, 289

RFC 1213, 185, 188 RFC 1215, 190 RFC 1321, 300 RFC 1771, 302 RFC 2132, 175 RFC 2362, 304 RFC 2385, 302 RFC 2453, 289 RFC 2474, 339 RFC 2475, 339 RFC 2516, 131 RFC 2665, 185, 188 RFC 3509, 295 RFC 3973, 304 RFC 5237, 286 RIP authentication, 294 hop count, 290 RFC 1058, 289 RFC 2453, 289 service, 354 settings, viewing, 290 split horizon, 293 version 1, 289 version 2, 289 RLOGIN service, 354 role cluster members, 182 route HA, 316 router monitor HA, 316 routing administrative distance, 278 blackhole, 279 configuring, 147 ECMP, 279 loopback interface, 280 monitor, 315 static, 280 routing policy protocol number, 286 routing table, 315 searching, 317 RSH firewall service, 354 RTP, 429 pinholing, 434 RTS threshold wireless setting, 165 RTSP firewall service, 354

S
SAMBA service, 354 scan default protection profile, 398

SCCP DoS sensor, 433 firewall service, 354 protection profile, 433 rate limiting, 433 schedule antivirus and attack definition updates, 272 firewall policy, 322, 325 one-time schedule list, 362 recurring schedule list, 361 scheduled updates through a proxy server, 273 screen resolution minimum recommended, 43 search online help, 50 online help wildcard, 51 searching routing table, 317 security MAC address filtering, 165 security certificates. See system certificates security mode wireless setting, 165 select recurring schedule, 362 sensor DoS, 469 IPS, 461 separate server certificates importing, 248 server DHCP, 171 log WebTrends setting, 656 server certificate, 552 server certificates importing, 247, 248 server health, 394 service AH, 352 ANY, 352 AOL, 352 BGP, 352 custom service list, 356 CVSPSERVER, 352 DCE-RPC, 352 DHCP, 172, 352 DHCP6, 352 DNS, 352 ESP, 352 FINGER, 352 firewall policy, 322, 325 FTP, 352 FTP_GET, 352 FTP_PUT, 352 GOPHER, 352 GRE, 352 group, 359 H323, 352 HTTPS, 353 ICMP_ANY, 353 IKE, 353 IMAP, 353

  INFO_ADDRESS, 353
  INFO_REQUEST, 353
  Internet-Locator-Service, 353
  IRC, 353
  L2TP, 353
  LDAP, 353
  MGCP, 353
  MS-SQL, 353
  MYSQL, 353
  NetMeeting, 353
  NFS, 353
  NNTP, 353
  NTP, 353
  ONC-RPC, 353
  organizing services into groups, 359
  OSPF, 353
  PC-Anywhere, 354
  PING, 354
  PING6, 354
  POP3, 354
  PPTP, 354
  predefined, 351
  QUAKE, 354
  quarantine files list, 447
  RAUDIO, 354
  REXEC, 354
  RIP, 354
  RLOGIN, 354
  RSH, 354
  RTSP, 354
  SAMBA, 354
  SCCP, 354
  service name, 352
  SIP, 355
  SIP-MSNmessenger, 355
  SMTP, 355
  SNMP, 355
  SOCKS, 355
  SQUID, 356
  SSH, 356
  SYSLOG, 356
  TALK, 356
  TCP, 356
  TELNET, 356
  TFTP, 356
  TIMESTAMP, 356
  UDP, 356
  UUCP, 356
  VDOLIVE, 356
  VNC, 356
  WAIS, 356
  WINFRAME, 356
  WINS, 356
  X-WINDOWS, 356
service group, 359
  adding, 359
  create new, 359
  list, 359
service port
  virtual IP, 369
service set identifier (SSID), 119
Session Initiation Protocol. See SIP
session list
  viewing, 83


session pickup
  HA, 180
settings, 163
  administrators, 228
  IPv6 support, 229
  timeout, 229
Shortest Path First (SPF), 295
signatures
  custom, intrusion protection signatures, 459
SIMPLE
  protection profile, 433
  rate limiting, 433
SIP, 427
  accepting register response, 436
  ALG, 429
  application level gateway, 429
  application list, 434
  archiving communication, 435
  blocking requests, 435
  configuring advanced features, 434
  controlling client connection, 436
  controlling the SIP ALG, 436
  destination NAT, 430
  different source and destination NAT for SIP and RTP, 431
  DoS sensor, 433
  enabling, 432
  logging, 434
  NAT, 429
  NAT with dynamic IP pool, 431
  operating modes, 427
  preserving NAT IP, 435
  protection profile, 433
  proxy, 427
  rate limiting, 432, 433
  redirect, 427
  RTP pinholing, 434
  service, 355
  source NAT, 429
  support workflow, 432
  turning on tracking, 434
  VoIP, 427
sip
  vpn pptp, 550
SIP requests, 435
SIP support workflow, 432
SIP-MSNmessenger
  service, 355
Skinny Call Control Protocol. See SCCP
SMTP
  service, 355
  user, 671
SNAT
  virtual IPs, 367

SNMP
  configuring community, 186
  contact information, 186
  event, 188
  manager, 185, 186
  MIB, 192
  MIBs, 188
  queries, 188
  RFC 1213, 188
  RFC 1215, 190
  RFC 2665, 188
  service, 355
  traps, 188, 189
SNMP Agent, 186
SNMP communities, 186
socket-size, CLI command for IPS, 473
SOCKS
  service, 355
software switch, 125
sorting
  quarantine files list, 447
  URL filter list, 487
source
  firewall policy, 322, 324, 332
source IP address
  system status, 83
source IP port
  system status, 83
source NAT
  SIP, 429
source port, 357
spam action
  protection profile, 419
spam filter, 495
  adding an email address or domain to the email address list, 505
  adding words to the banned word list, 500
  banned word list, 499
  email address list, 504
  IP address, 501
  IP address list, 502
  Perl regular expressions, 506
spam filtering options
  protection profile, 416
splice, 408, 419
spy
  grayware category, 453
SQUID
  service, 356
SSH, 208
  service, 356
SSID
  wireless setting, 164
SSID broadcast
  wireless setting, 164
SSL
  content inspection, 399
  content scanning, 399
  inspection, 399
  service definition, 353, 354
SSL offloading, 601


SSL VPN
  checking client certificates, 552
  configuring settings, 552
  default web portal, 554
  firewall policy, 331
  monitoring sessions, 553
  setting the cipher suite, 553
  specifying server certificate, 552
  specifying timeout values, 553
  tunnel IP range, 552
  web-only mode, 551
SSL VPN Client Certificate, 331
SSL VPN login message, 205
SSL VPN web portal, 554
  default, 554
standalone mode
  modem, 139, 143
start
  IP pool, 383
  one-time schedule, 363
  recurring schedule, 362
static IP
  monitor, 545
static NAT port forwarding
  adding for IP address and port range, 377
  adding for single address and port, 375
static route
  adding, 149, 284
  adding policy, 286
  administrative distance, 278
  concepts, 277
  creating, 280
  default gateway, 281
  default route, 281
  editing, 280
  moving in list, 287
  overview, 277
  policy, 285
  policy list, 285
  selecting, 278
  table building, 278
  table priority, 279
  table sequence, 279
  viewing, 280
  viewing in transparent mode, 149
statistics
  viewing, 83
  viewing HA statistics, 182
status
  HA statistics, 183
  interface, 121
  quarantine files list, 448
  vpn pptp, 550
status description
  quarantine files list, 448
stop
  one-time schedule, 363
  recurring schedule, 362
streaming mode, 408, 419
strict default
  protection profile, 398
strict blocking (HTTP only)
  protection profile, 416

stub OSPF area, 299
subnet
  adding object, 89
  firewall address, 347
subscription
  expired, 267
  not registered, 267
  valid license, 267
super administrator, 209
switch mode, 123
sync interval, 78
SYSLOG
  service, 356
system administrators, 209
system certificate
  FortiGate unit self-signed security certificate, 45
system certificates
  CA, 249
  CRL, 251
  importing, 247
  OCSP, 249
  requesting, 245, 246
  viewing, 244
system configuration, 177
system DHCP
  see also DHCP, 171
system global av_failopen
  antivirus, 453
system global optimize
  antivirus, 453
system idle timeout, 208
system information
  viewing, 65
system maintenance
  advanced, 260
  backup and restore, 254
  creating scripts, 263
  enabling push updates, 273
  firmware, 259
  firmware upgrade, 259
  managing configuration, 253
  push update through a NAT device, 274
  remote FortiManager options, 256
  remote management options, 257
  revision control, 261
  scripts, 262
  updating antivirus and attack definitions, 271
  uploading scripts, 264
  USB disks, 261
  VDOM, 254
system resources
  viewing, 70
system status
  viewing, 63
system status widgets
  customizing, 64
system time
  configuring, 78
system wireless. See wireless


T
TACACS+
  configuring server, 578
  user authentication, 568
TACACS+ server
  authentication, 214, 218
tag format
  protection profile, 419
tag location
  protection profile, 419
TALK
  service, 356
TCP, 393
  service, 356
TCP custom service, 357, 358
  adding, 357
  destination port, 358
  protocol type, 357
  source port, 357
technical support, 25, 109
TELNET
  service, 356
TFTP
  service, 356
threshold
  oversize, 409
time
  configuring, 78
timeout
  settings, 229
timeout values
  specifying for SSL VPN, 553
TIMESTAMP
  service, 356
toolbar
  grayware category, 453
top attacks
  viewing, 77
top sessions
  viewing, 74
top viruses
  viewing, 76
topology viewer, 87
total bytes
  HA statistics, 183
total packets
  HA statistics, 183
tracking
  SIP, 434
traffic history
  viewing, 77
Traffic Priority, 606, 635
traffic priority
  firewall policy, 606, 635
  traffic shaping, 606, 635
traffic reports
  viewing, 673

traffic shaping
  configuring, 425
  firewall policy, 326, 329, 335
  guaranteed bandwidth, 326, 425
  guaranteed bandwidth and maximum bandwidth, 423
  maximum bandwidth, 326, 426, 606, 635
  priority, 424
  traffic priority, 606, 635
  WAN optimization, 604
transparent mode
  IP pools, 386
  NAT, 386
  VDOMs, 104
  VIP, 386
  virtual IP, 386
  VLAN, 154
  WAN optimization, 604, 609
traps
  SNMP, 189
troubleshooting
  FDN connectivity, 271
trusted host
  administrators options, 213
  security issues, 221
TTL
  quarantine files list, 448
tunnel
  WAN optimization, 602
tunnel IP range
  SSL VPN, 552
tunnel mode
  SSL VPN tunnel mode, 551
Tunnel Name
  IPSec VPN, manual key, 542
Tx Power
  wireless setting, 163
type, 358
  virtual IP, 370

U
UDP custom service, 357, 358
  adding, 357
  destination port, 358
  protocol type, 357
  source port, 357
UDP
  service, 356
unfiltered default
  protection profile, 398
unit
  HA statistics, 183
unit operation
  viewing, 68
up time
  HA statistics, 183
update
  push, 273


upgrading
  3.0 using web-based manager, 95
  4.0 using the CLI, 96
  backing up using the CLI, 3.0, 92
  firmware, 80
  FortiGate unit to 3.0, 95
  using the web-based manager, 95
  using web-based manager, 3.0, 92
upload status
  quarantine files list, 448
URL block
  adding a URL to the web filter block list, 485
  configuring overrides, 489
  local categories, 491
  web filter, 483
URL filter
  adding new list, 484
  catalog, 484
  sorting in list, 487
  viewing list, 485
URL formats, 486
USB disk, 254
  auto-install, 260
  backup and restore configuration, 253
  formatting, 261
  system maintenance, 261
user authentication
  overview, 567
  PKI, 581
  remote, 571
user group
  configuring, 586
  PPTP source IP address, 547, 549
user groups
  configuring, 583
  Directory Service, 585
  firewall, 584
  SSL VPN, 585
  viewing, 586
usrgrp
  vpn pptp, 550
UUCP
  service, 356

V
valid license, 267
VDOLIVE
  service, 356

VDOM
  adding interface, 113
  assigning administrator, 115
  assigning interface, 114
  configuration settings, 105
  enabling multiple VDOMs, 108
  FortiAnalyzer, 104
  inter-VDOM links, 113
  license key, 276
  limited resources, 110
  management VDOM, 112
  maximum number, 110
  NAT/Route, 104
  packets, 104
  RADIUS authentication, 116
  system maintenance, 254
  transparent mode, 104
VDOM partitioning
  HA, 180
verifying
  downgrade to 2.80 MR11, 99
  upgrade to 4.0, 97
viewing
  address group list, 348
  admin profiles list, 224
  administrators, 229
  administrators list, 211
  Alert Message Console, 70
  antispam email address list catalog, 503
  antispam IP address list, 502
  antispam IP address list catalog, 501
  antivirus file filter list, 445
  antivirus file pattern list catalog, 444
  antivirus list, 451
  antivirus quarantined files list, 447
  autosubmit list, 448
  banned word list, 499
  banned word list catalog, 498
  BGP settings, 303
  CA certificates, 249
  certificates, 244
  cluster members list, 180
  content archive, 84
  content archives, 670
  CRL (Certificate Revocation List), 251
  custom service list, firewall service, 356
  custom signatures, 459
  DHCP address leases, 175
  DoS sensor list, 470
  firewall policy list, 321
  firewall service group list, 359
  firewall service list, 351
  firmware, 259
  FortiAnalyzer reports, 677
  FortiGuard support contract, 266
  grayware list, 452
  HA statistics, 182
  hostname, 78
  IP pool list, 383
  IPS sensor list, 461
  IPS sensor options, 411
  IPSec VPN auto key list, 533
  IPSec VPN concentrator list, 544
  IPSec VPN manual key list, 541


  IPSec VPN monitor list, 545
  LDAP server list, 575
  licenses, 66
  local ratings list, 491
  log messages, 664
  modem status, 144
  multicast settings, 305
  one-time schedule list, 362
  operational history, 81
  protection profile list, 399
  protocol decoder list, 460
  RADIUS server list, 571
  recurring schedule list, 361
  remote certificates, 248
  revision control, 261
  RIP settings, 290
  routing information, 315
  session list, 83
  SSL VPN sessions, 553
  static route, 280
  static route (transparent mode), 149
  statistics, 83
  system information, 65
  system resources, 70
  system status, 63
  system topology, 87
  TACACS+ server, 578
  top attacks, 77
  top sessions, 74
  top viruses, 76
  traffic history, 77
  traffic reports, 673
  unit operation, 68
  URL filter list, 485
  URL filter list catalog, 484
  URL override list, 488
  user group list, 586
  VIP group list, 380
  virtual IP group list, 380
  virtual IP list, 369
  virtual IP pool list, 383
  web content block list, 479
  web content block list catalog, 479
  web content exempt list, 482
  web content exempt list catalog, 481
  wireless monitor, 167
viewport, 87
VIP
  transparent mode, 386
VIP group
  configuring, 380
Virtual IP
  transparent mode, 386

virtual IP, 370, 390
  configuring, 370
  create new, 369, 380
  destination network address translation (DNAT), 367, 368
  external interface, 370
  external IP address, 370
  external service port, 371
  IP, 369
  list, 369
  map to IP, 369
  map to port, 369, 371
  NAT, 366
  PAT, 366
  port address translation, 366
  protocol, 371
  server down, 394
  service port, 369
  SNAT, 367
  source network address translation, 367
  type, 370
  WAN optimization, 603
virtual IP group
  configuring, 380
virtual IP group list
  viewing, 380
virtual IP, port translation only
  adding, 379
virtual IPSec
  configuring interface, 133
virtual servers
  configuring, 390
virus detected
  HA statistics, 183
virus list, 451
virus name, 206
virus protection. See antivirus
virus scan
  protection profile, 408
VLAN
  adding firewall policy to subinterface, 156
  adding subinterface, 153
  jumbo frames, 136
  OSPF, 301
  overview, 150
VNC
  service, 356
VoIP
  SIP, 427
VoIP security, 429
VPN
  IPSec (see also IPSec VPN), 531
VPN PPTP, 547
VPN SSL. See SSL VPN
VPN tunnel
  IPSec VPN, firewall policy, 330
VPN, IPSec
  firewall policy, 330
VPNs, 547

W
WAIS
  service, 356


WAN optimization
  and virtual IPs, 603
  authentication, 603
  explicit mode, 604, 609
  firewall load balancing, 603
  FortiGate models supported, 604
  identity-based firewall policies, 603
  IP address, 603
  local host ID, 603
  monitoring, 637
  NAT, 603
  object caching, 610
  peer authentication, 602
  peer host ID, 603
  peer IP address, 603
  peers, 602
  traffic shaping, 604
  transparent mode, 604, 609
  tunnel, 602
  web cache, 610
WAN optimization peer
  configuring, 634
WAN optimization rule
  configuring, 605
web default
  protection profile, 398
web cache, 601, 610
  active-passive WAN optimization, 612
  adding to passive WAN optimization rule, 612
  client/server WAN optimization, 612
  non-standard ports, 612
  peer to peer WAN optimization, 614
  reverse proxy, 627
web category block
  changing the host name, 493
  CLI configuration, 493
  configuration options, 488
web content block
  banned word, 480, 483
  language, 480, 483
  pattern type, 480, 483
  protection profile, 412
  web filter, 480
web content block list
  web filter, 479
web content exempt
  protection profile, 412
web content exempt list
  adding, 482
web filter, 475
  adding a URL to the web URL block list, 485
  configuring the web content block list, 480
  configuring the web URL block list, 485
  content block, 478
  filter interaction, 475
  FortiGuard, 487
  protection profile options, 476
  URL block, 483
  URL category, 270
  web content block list, 479
  web URL block list, 485
web filtering options
  protection profile, 411
web filtering service, 206
web portal
  SSL VPN web portal, customize, 554
web resume download block
  protection profile, 413
web site, content category, 205
Web UI. See web-based manager
web URL block
  configuring the web URL block list, 485
  list, 485
  list, web filter, 485
  protection profile, 412
web-based manager, 43, 44
  changing the language, 46
  connecting to the CLI, 47
  idle timeout, 47
  IPv6 support, 229
  language, 46, 229
  logging out, 52
  online help, 49
  pages, 52
  screen resolution, 43
  using the menu, 52
  using web-based manager lists, 53
web-only mode
  SSL VPN, 551
WebTrends, 655
WEP, 164
WEP128, 159, 165
WEP64, 159, 165
WiFi protected access, 165
wildcard
  online help search, 51
Windows Active Directory, 579
WINFRAME
  service, 356
WINS
  service, 356
Wired Equivalent Privacy (WEP), 165


wireless
  band, 163
  beacon interval, 163
  channel, 163
  configuration, 159
  data encryption, 165
  fragmentation threshold, 165
  geography, 163
  interface, 159
  key, 165
  MAC filter, 165
  operation mode, 163
  pre-shared key, 165
  RADIUS server, 165
  RTS threshold, 165
  security, 164
  security mode, 165
  settings FortiWiFi-50B, 162
  settings FortiWiFi-60A, 162
  settings FortiWiFi-60AM, 162
  settings FortiWiFi-60B, 162
  SSID, 164
  SSID broadcast, 164
  Tx power, 163
  viewing monitor, 167
  WLAN interface, 159

WLAN interface
  adding to a FortiWiFi-50B, 163
  adding to a FortiWiFi-60A, 163
  adding to a FortiWiFi-60AM, 163
  adding to a FortiWiFi-60B, 163
WPA, 159, 164, 165
WPA Radius
  wireless security, 165
WPA2, 159, 165
WPA2 Auto, 159, 165
WPA2 Radius
  wireless security, 165

X
X.509 security certificates. See system certificates
XAuth
  IPSec VPN, phase 1, 538
X-Forwarded-For (XFF), 148
X-WINDOWS
  service, 356

Z
zones
  configuring, 138


www.fortinet.com
