Fortigate Cookbook

The FortiGate Cookbook
FortiOS 4.0 MR3

A P r a c t i c a l G u i d e t o G e t t i n g t h e B e s t f r o m Yo u r F o r t i G a t e
Fortinet Publishing
FortiGate Cookbook A Practical Guide to Getting the best from Your FortiGate FortiOS 4.0 MR3 21 October 2011 01-432-153797-20111021 Copyright 2011 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet without prior notice.
Trademarks
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Visit these links for more information and documentation for your Fortinet products: Fortinet Knowledge Base - http://kb.fortinet.com Technical Documentation - http://docs.fortinet.com Training Services - http://campus.training.fortinet.com Technical Support - http://support.fortinet.com You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
Contents
Introduction 7
About FortiGate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Administrative interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Registering your Fortinet product. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 For more information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
The basics of installing and initial setup of a new FortiGate unit
11
Connecting a private network to the Internet with a FortiGate unit in NAT/Route mode. . . . . . . 12 Connecting a private network to the Internet with one configuration step . . . . . . . . . . . . . . . . . 15 Changing the address of an internal network in one step using the FortiGate setup wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Troubleshooting NAT/Route mode installations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Inserting a FortiGate unit into a network without changing the network configuration (Transparent mode). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Troubleshooting Transparent mode installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Verifying the current firmware version and upgrading the FortiOS firmware . . . . . . . . . . . . . . . . 27 Setting up and troubleshooting FortiGuard services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Setting up an administrator account on the FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Advanced FortiGate installation and setup
37
Connecting a FortiGate unit to two ISPs for redundant Internet connections . . . . . . . . . . . . . . . 38 Using a modem for a redundant Internet connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Distributing sessions between dual redundant Internet connections with usage-based ECMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Protecting a web server on a DMZ network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Protecting an email server with a FortiGate unit without changing the network (Transparent Mode). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 Using port pairing to simplify a Transparent mode installation . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Connecting networks without translating addresses (FortiGate unit in Route mode) . . . . . . . . . 66 Employing high availability (HA) to improve network reliability . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Upgrading the firmware installed on a FortiGate HA cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Connecting multiple networks to a FortiGate interface using virtual LANs (VLANs) . . . . . . . . . . 75 Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit. . . . . 78 Setting up an administrator account for monitoring firewall activity and basic maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Creating a local DNS server listing for internal web sites and servers . . . . . . . . . . . . . . . . . . . . . 85
FortiOS 4.0 MR3 http://docs.fortinet.com/
Contents
Assigning IP addresses according to a MAC address using DHCP . . . . . . . . . . . . . . . . . . . . . . 86 Setting up the FortiGate unit to send SNMP traps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Troubleshooting by sniffing packets (packet capture) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Advanced troubleshooting by sniffing packets (packet capture) . . . . . . . . . . . . . . . . . . . . . . . . . 94 Creating, saving, and using packet capture filters (sniffing packets from the web-based manager) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98 Debugging FortiGate configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 Quick reference to common diagnose commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
WiFi Networking
107
Setting up secure WiFi access on your FortiWiFi unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 Setting up secure WiFi on your FortiGate unit using a FortiAP unit . . . . . . . . . . . . . . . . . . . . . . 110 Improving WiFi security with WPA-Enterprise security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 Setting up secure WiFi with a captive portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Sharing the same subnet for WiFi and wired clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Setting up a WiFi network with an external DHCP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Authenticating WiFi users with Windows AD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Using security policies and firewall objects to control traffic
132
Restricting employees Internet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Restricting Internet access per IP address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 Verifying that traffic is accepted a security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 Ordering security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 Allowing DNS queries to only one approved DNS server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Ensuring sufficient and consistent bandwidth for VoIP traffic . . . . . . . . . . . . . . . . . . . . . . . . . . 154 Using geographic addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158 Providing Internet access for your private network users (static source NAT). . . . . . . . . . . . . . 160 Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 Dynamic source NAT without changing the source port (one-to-one source NAT) . . . . . . . . . . 164 Dynamic source NAT using the central NAT table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Allowing access to a web server on an internal network when you only have one Internet IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 Allowing Internet access to a web server on a protected network when you only have one Internet IP address, using port translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Allowing Internet access to a web server on a protected network when you have an IP address for the web server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Configuring port forwarding to open ports on a FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . 176 Dynamic destination NAT for a range of IP addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
UTM Profiles
181
Protecting your network against greyware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Protecting your network against legacy viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 Changing the maximum file size that the AV scanner examines . . . . . . . . . . . . . . . . . . . . . . . . 185 Blocking files that are too large to scan for viruses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Improving FortiGate performance with flow-based UTM scanning . . . . . . . . . . . . . . . . . . . . . . 187
4 FortiGate Cookbook http://docs.fortinet.com/
Contents
Limiting the types of web sites your users can visit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 Overriding FortiGuard web filtering for selected users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 Prevent offensive search results in Google, Bing and Yahoo search engines . . . . . . . . . . . . . . 191 Finding the FortiGuard web filter category of a URL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Listing the web sites your users have visited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Using FortiGuard web filtering to block access to web proxies. . . . . . . . . . . . . . . . . . . . . . . . . 194 Blocking access to streaming media using web filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 Blocking access to specific web sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Blocking all web sites except those you specify using a whitelist . . . . . . . . . . . . . . . . . . . . . . . 197 Configuring FortiGuard web filtering to check IP addresses as well as URLs . . . . . . . . . . . . . . 199 Configuring FortiGuard web filtering to check images as well as URLs . . . . . . . . . . . . . . . . . . 200 Applying ratings to HTTP redirects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 Visualizing the applications on your network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Preventing the use of instant messaging clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Blocking access to social media web sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204 Blocking peer-to-peer file sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 Configuring IPS to stop traffic if the scanner fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 Protecting against denial of service attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Filtering incoming spam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 Blocking outgoing email containing sensitive information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Using the FortiGate vulnerability scanner to check your network for vulnerabilities . . . . . . . . . 210
SSL VPN
213
Setting up remote web browsing for internal sites through SSL VPN . . . . . . . . . . . . . . . . . . . . 214 Using SSL VPN to provide protected Internet access for remote users . . . . . . . . . . . . . . . . . . 218 SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
IPSec VPN
227
Protecting communication between offices across the Internet using IPsec VPN . . . . . . . . . . 228 Using FortiClient VPN for secure remote access to an office network . . . . . . . . . . . . . . . . . . . 231 Using IPsec VPN to secure iPhone communication with a network protected by a FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Using IPsec VPN to secure Android mobile device communication with a network protected by a FortiGate unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 Using the FortiGate FortiClient VPN Wizard to set up a VPN between a remote users and a private network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 My IPsec VPN tunnel isnt working. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Contents
Authentication
259
Creating a security policy to identify users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 Creating a security policy to identify users and restrict access to websites by category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Creating a security policy to identify users, restrict access to certain websites, and control use of applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 Adding FortiToken two-factor authentication to a user account . . . . . . . . . . . . . . . . . . . . . . . . 266 Adding SMS token code delivery two-factor authentication to a FortiGate administrators account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 Stopping the Connection is untrusted message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Logging and Reporting
271
Understanding log messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 Creating a backup log solution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Logging to remote Syslog servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278 Alert email notification of SSL VPN login failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 Modifying a default report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282 Testing the log configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Index
285
FortiGate Cookbook http://docs.fortinet.com/
Introduction
The FortiGate Cookbook provides administrative users who are new to FortiGate appliances with examples of how to implement many basic and advanced FortiGate configurations. FortiGate products offer administrators a wealth of features and functions for securing their networks, but to cover the entire scope of configuration possibilities would easily surpass the limits set forth for this book. Fortunately, much more information can be obtained in the FortiOS Handbook. The latest version is available from the Fortinet Technical Documentation website (http://docs.fortinet.com) and is also accessible as FortiGate online help This cookbook contains a series of sections (or recipes) that describe how to solve a problems. Each section begins with a description of the problem and is followed by a step-by-step solution. Most sections conclude with results that describe how to verify that the problem was successfully resolved. Many sections also contain troubleshooting information, best practices and additional details about the FortiGate features used to solve the problem. Scattered throughout this document you will also find dedicated troubleshooting sections and sections that describe FortiGate troubleshooting features such as the packet sniffer and diagnose debug command. This FortiGate Cookbook was written using FortiOS 4.0 MR3 patch 2 (FortiOS 4.3.2). The solutions in this document should also work with more recent FortiOS 4.0 MR3 firmware versions, possibly with minor adjustments. A PDF copy of this document is available from the Fortinet Technical Documentation website (http://docs.fortinet.com) as well as a list of errata (if any are found). You can send comments about this document and ideas for new recipes to techdoc@fortinet.com. New recipes may be published on the Fortinet Technical Documentation website and added to future versions of the cookbook.
About the IP addresses used in this document

To avoid publication of public IP addresses that belong to Fortinet or any other organization, the IP addresses used in Fortinet technical documentation are fictional and follow the documentation guidelines specific to Fortinet. The addresses used are from the private IP address ranges defined in RFC 1918: Address Allocation for Private Internets, available at http://ietf.org/rfc/rfc1918.txt?number-1918.
rk o .0 w 55 et 2 n 5. al 25 r n 5. te 5 in 0/2 te 1. va 8. ri 6 P .1 2 9 1 19 2. in 16 te 8. r n 1. al 99
FortiGate Unit e in NAT/Route mode
NA T in b and ternaetwee the l ne n pr Inte two ivat rne rk e t
Most of the examples in this document use 192, 172, or 10 - the non-public addresses covered in RFC 1918. In most of the examples in this cookbook, the 172.20.120.0 network is equivalent to the Internet.
2. 20 17 .1 w 2. Ga 20 an1 20 te .1 .1 wa 4 20 y .2
17
About FortiGate
Introduction
About FortiGate
A FortiGate appliance represents the latest response to the ever changing Internet security threat landscape. You already know quite well how Internet security covers a wide range of disciplines across a broad set of services, protocols and network topologies. The FortiGate appliance is designed specifically to cover a wide range of solutions for your networking requirements, from the smallest office to the largest Internet service provider. Comprising custom designed silicon and a dedicated operating system this combination of FortiGate, FortiASIC and FortiOS provides a wide range of solutions that scale from the smallest office to the largest internet service provider. The FortiOS feature set is constantly evolving and today provides both IPv6 as well as IPv4 protection, high availability, a full suite of dynamic routing protocols, traffic shaping, IPsec and SSL VPN, user authentication, WAN Internal network optimization, and secure WiFi. UTM has been extended beyond virus scanning and web filtering to include intrusion protection, FortiGate Unit application control, endpoint security, and data leak prevention. Application control combined with a whole host of monitoring functions and network vulnerability scanning provides a complete and detailed picture of the traffic on your networks allowing you to detect and isolate threats before they happen and take action to control traffic as it passes through your network.
APPLICATION CONTROL
The advanced capabilities of your FortiGate appliance require an equally advanced and global presence for ensuring as complete a defence as possible. Updated many times a day, the FortiGuard network provides a series of databases which are either installed directly or queried on demand to realize the goal of complete content protection. Whether you are scanning for hundreds of thousands of viruses, checking millions of URLs or looking for that next SPAM outbreak FortiGuard is the place to turn. To ease the introduction of your new FortiGate units they have been designed to operate in what we call NAT/Route mode or Transparent mode. In NAT/Route mode the FortiGate unit functions as a router connecting two or more different networks together. Using static and advanced dynamic routing, in NAT/Route mode the FortiGate unit routes packets between its attached networks. You can also use security policies and firewall objects to apply network address translation (NAT) to traffic as it passes back and forth between different networks. NAT hides addresses on private networks to improve security and also simplifies routing between networks. In Transparent mode the FortiGate unit is installed in a network transparently to layer 3, without changing the IP addressing of the network in any way. Its presence on the network restricted to a single management IP address. In transparent mode, traffic can pass through the FortiGate unit without any address translation or routing taking place.
Administrative interfaces
A full set of options is available to configure and manage FortiGate units including the web-based manager for visual management, the CLI for command-line-based management, and FortiExplorer which allows management over a USB connection.
Introduction
Registering your Fortinet product
Web-based Manager
Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point and click, drag and drop interface that provides quick access to most FortiGate configuration settings and includes a configuration wizard and complementary visual monitoring and management tools. Using the web-based manager you can for example, add a security policy to monitor application activity on a network, view the results of this application monitoring policy, and then add additional policies or change the existing policy to block or limit the traffic produced by some applications. The web-based manager also provides a wide range of monitoring and reporting tools that provide detailed information about traffic and events on the FortiGate unit. All aspects of FortiGate operation can be monitored from the web-based manager. Specialized monitoring pages are available for most features. You access the web-based manager using HTTP or a secure HTTPS connection from any web browser. By default you can access the web-based manager by connecting to the FortiGate interface usually attached to a protected network. Configuration changes made from the web-based manager take effect immediately, without resetting the unit or interrupting service.
CLI
As its name implies the command line interface (CLI) provides a text-based command line configuration interface to the FortiGate unit. You can configure all FortiGate configuration options from the CLI using config commands. The CLI also includes get commands for viewing the configuration and getting status information, execute commands for performing immediate operations including setting the date and time, backing up and restoring the configuration, testing network connections, and so on, and diagnose commands for advanced FortiGate monitoring and troubleshooting. You can connect to the CLI using an, RS-232 serial console connection, over a TCP/IP network using Telnet or SSH. Configuration changes made within the CLI also take effect immediately, without resetting the unit or interrupting service.
FortiExplorer
FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate unit over a standard USB connection. Once you have installed FortiExplorer software on a PC running Windows or Mac OS X and established a USB connection between the PC and your FortiGate unit you can use FortiExplorer to register your FortiGate unit, check for and perform FortiOS firmware updates, use the FortiExplorer configuration wizard to quickly set up the FortiGate unit and connect to the web-based manager or CLI.
Registering your Fortinet product

Before you begin configuring and customizing features, take a moment to register your Fortinet product at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard services, require product registration. For more information, see the Fortinet Knowledge Center article Registration Frequently Asked Questions.
For more information
Introduction
For more information

Fortinet products End User License Agreement See the Fortinet products End User License Agreement. Training Fortinet Training Services provides courses that orient you quickly to your new equipment, and certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve the needs of our customers and partners world-wide. To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site at http://campus.training.fortinet.com, or email training@fortinet.com. Documentation The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date versions of Fortinet publications, as well as additional technical documentation such as technical notes. In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base. Please send information about any errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com. Fortinet Tools and Documentation CD Many Fortinet publications are available on the Fortinet Tools and Documentation CD shipped with your Fortinet product. The documents on this CD are current at shipping time. For current versions of Fortinet documentation, visit the Fortinet Technical Documentation web site, http://docs.fortinet.com. Fortinet Knowledge Base The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and more. Visit the Fortinet Knowledge Base at http://kb.fortinet.com. Customer service and technical support Fortinet Technical Support provides services designed to make sure that your Fortinet products install quickly, configure easily, and operate reliably in your network. To learn about the technical support services that Fortinet provides, visit the Fortinet Technical Support web site at https://support.fortinet.com. You can dramatically improve the time that it takes to resolve your technical support ticket by providing your configuration file, a network diagram, and other specific information. For a list of required information, see the Fortinet Knowledge Base article FortiGate Troubleshooting Guide - Technical Support Requirements.
10
The basics of installing and initial setup of a new FortiGate unit

Most people purchased a FortiGate unit with the intention of creating a secure connection between a protected private network and the Internet. And in most cases they want the FortiGate unit to hide the IP addresses of the private network from the Internet. This chapter describes how to install a new FortiGate appliance with this configuration, called NAT/Route mode and describes how to troubleshoot NAT/Route mode installations. In addition this chapter describes a basic Transparent mode FortiGate installation in which a FortiGate unit provides security services to a network without requiring any changes to the network. This chapter also describes some basic procedures often required after installing a FortiGate unit, including checking the firmware version and upgrading the firmware, and troubleshooting FortiGuard services. This chapter includes the following basic installation and setup examples: Connecting a private network to the Internet with a FortiGate unit in NAT/Route mode Connecting a private network to the Internet with one configuration step Changing the address of an internal network in one step using the FortiGate setup wizard Troubleshooting NAT/Route mode installations Inserting a FortiGate unit into a network without changing the network configuration (Transparent mode) Troubleshooting Transparent mode installations Verifying the current firmware version and upgrading the FortiOS firmware Setting up and troubleshooting FortiGuard services Setting up an administrator account on the FortiGate unit
11
Connecting a private network to the Internet with a FortiGate unit in NAT/Route mode
Problem How to connect and configure a new FortiGate
unit to securely connect a private network to the Internet.
19 2. in 16 te 8. rn 1. al 99
FortiGate Unit e
in NAT/Route mode The Internet connection uses a static IP address and the private network uses private network addressing. The FortiGate unit should perform source NAT. The FortiGate unit should also protect the private network from Internet threats but still allow anyone on the private network to freely connect to the Internet.
Solution Most commonly, FortiGate units are installed as a gateway or router between a private network
and the Internet. The FortiGate unit operates in what is called NAT/Route mode to hide the addresses of the private network from prying eyes on the Internet. 1 Connect the FortiGate wan1 interface to your ISP-supplied equipment. 2 Connect the internal network to the FortiGate internal interface. 3 Power on the ISP's equipment, the FortiGate unit, and the PCs in the Internal network. 4 From a PC on the Internal network, connect to the FortiGate web-based manager. You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet. Login using admin and no password. 5 Go to System > Network > Interface and Edit the wan1 interface and change the following settings: Addressing mode IP/Netmask Manual 172.20.120.14/255.255.255.0
Internal Network
6 Edit the internal interface and change the following settings: Addressing mode IP/Netmask Manual 192.168.1.99/255.255.255.0
7 Go to Router > Static > Static Route and select Create New to add the following default route. Destination IP/Mask Device Gateway 0.0.0.0/0.0.0.0 wan1 172.20.120.2
12
17 2. 20 17 .1 w 2. Ga 20 an1 20 te .1 .1 wa 4 20 y .2
rk o .0 w 55 et 2 n 5. al 25 r n 5. te 5 in 0/2 te 1. va 8. ri 6 P .1 2 9 1
e at iv pr k n or t ee tw ne tw ne er be nal Int AT er e N int d th an
A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally you would have only one default route. If the static route list already contains a default route, you can edit it or delete it and add a new one. 8 Go to System > Network > DNS and add Primary and Secondary DNS servers. 9 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal All wan1 All always ANY ACCEPT
10 Select Enable NAT and Use Destination Interface Address. 11 Select OK to save the security policy. Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you and as soon as your FortiGate unit is connected and the computers on your internal network are configured, they should be able to access the Internet.
Results On the PC that you used to connect to the FortiGate internal interface, open a web browser
and browse to any Internet website. You should also be able to connect to the Internet using FTP or any other protocol or connection method. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit.
The source address of most sessions should be an address on the 192.168.1.0 network. The source NAT IP for most sessions should be 172.20.120.14 (or the IP address added to the wan1 interface). The policy ID should be 1, which is the ID of the default security policy that allows users in the internal network to connect to the Internet.
13
You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active session for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for policy 1 to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage. If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem.
14
Connecting a private network to the Internet with one configuration step
S er ve r In 19 ter 2. na 16 l 8. 1. 99

Problem To use as few steps as possible to
get a FortiGate unit up and running and providing internet connectivity for a private network.
Internal network address 192.168.1.0/255.255.255. 0
Computers on a private network configured to get IP addresses automatically using DHCP
FortiGate Unit in NAT/Route mode
Solution If your Internet service provider
configuration uses DHCP to automatically provide using DHCP Internet connectivity, only one FortiGate configuration step is required to get a FortiGate unit up and running and allowing connections from a private network to the Internet.
The solution involves connecting FortiGate unit to your ISP and your Internal network, configuring the computers on your internal network to get their IP configuration automatically (using DHCP), and then powering on the FortiGate unit and configuring it to get network settings from your ISP using DHCP. To use this one-step configuration solution, the default configuration of your FortiGate unit must include a DHCP server for the internal interface and a default security policy that allows all sessions from the internal network to the Internet. This default configuration is available on many SMB/SOHO FortiGate and FortiWifi models. 1 Connect the FortiGate wan1 interface to your ISP-supplied equipment. 2 Connect the internal network to the FortiGate internal interface. 3 Power on the ISP's equipment, the FortiGate unit, and the PCs in the Internal network. 4 If required, configure the PCs to get their IP network configuration automatically using DHCP. All of the PCs should acquire an IP address on the 192.168.1.0/255.255.255.0 network. 5 On one of the PCs, start a web browser and browse to https://192.168.1.99.
Internal Network
6 Log in to the FortiGate web-based manager by entering admin as the Name and leaving the password blank. 7 Go to System > Network > Interface and Edit the wan1 interface. 8 Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server, and Override internal DNS. 9 Select OK to save the changes. If your ISP uses PPPoE or manual addressing you can configure the wan1 interface for these options instead of DHCP.
Results On any of the PCs connected to the FortiGate internal interface, open a web browser and
browse to any Internet website. You should also be able to connect to the Internet using FTP or any other protocol or connection method.
FortiOS 4.0 MR3 http://docs.fortinet.com/ 15
W D AN H 1 C P ad d re ss
H C P
ISP provides IP
m od e
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit.
The source address of most sessions should be an address on the 192.168.1.0 network. The source NAT IP for most sessions should be the IP address acquired by the wan1 interface. The policy ID should be 1, which is the ID of the default security policy that allows users in the internal network to connect to the Internet. You can also see results by going to Policy > Policy > Policy Monitor to view a graph of active session for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down to get more info about the current sessions. Other dashboard widgets display session history, traffic history and per-IP bandwidth usage.
What if it Use the following steps: didnt 1 Verify that the wan1 interface is getting IP configuration settings from the ISP. Log in to the work? web-based manager and go to System > Network > Interface > wan1. Confirm that the
Addressing Mode is set to DHCP and information similar to the following appears showing that the wan1 interface has acquired an IP address, one or more DNS server IP addresses, and a default gateway from the ISP.
If the IP address seems incorrect or is missing, select Renew to renew the lease and get new IP configuration information from the ISP. If you cannot get a valid IP address in this manner, the FortiGate unit cannot communicate with the ISPs DNS server. Make sure the options to retrieve a default gateway and override the internal DNS are selected. If your ISP does not supply a DNS server through DHCP, you can go to System > Network > DNS and manually add one or more DNS server IP addresses for the FortiGate unit to use. These DNS server IP addresses are also used by the FortiGate DHCP server to provide the IP configuration for PCs on the internal network. If your ISP does not supply a default gateway through DHCP you can go to Router > Static > Static Route and manually add a default route that points from the wan1 interface to the ISPs default gateway. 2 If the internal network is configured to get IP addresses from the FortiGate DHCP server, go to System > Network > DHCP Server and Edit the DHCP server for the internal interface. Verify that the DHCP server configuration uses the system DNS setting. Go to System > Monitor > DHCP Monitor to view information about the PCs that have been configured by
16
the FortiGate unit DHCP server. There should be one entry here for each PC on the network that should have gotten its address using DHCP. Check the network configuration of the PCs on the internal network to make sure they are getting the correct IP configuration from the FortiGate DHCP server. If they are not, they may not be able to communicate with the FortiGate internal interface. Attempt to renew their DHCP lease, check other network configuration settings on the PC, and verify the physical connections are OK. The Use System DNS Setting DHCP server option causes the FortiGate DHCP server to supply the DNS IP addresses in the System > Network > DNS page of the web-based manager. If Override internal DNS is selected for a FortiGate interface that gets its configuration from a DHCP server, the DNS server IP addresses acquired from the ISP are supplied by the FortiGate DHCP server instead. If a PC on the internal network sends a DHCP request to the FortiGate unit before it has acquired DNS IP addresses from the ISP, then the FortiGate unit sends the DNS IP addresses DNS web-based manager page. To make sure the PCs receive the correct DNS server IP addresses, you can update the PCs DHCP leases. If this does not solve the problem, use the steps described in Troubleshooting NAT/Route mode installations on page 20 to find and fix the problem.
17
Changing the address of an internal network in one step using the FortiGate setup wizard
Problem To use as few steps as possible to
quickly change the subnet address of an internal network and all of the devices connected to it.
Internal network address changes from 192.168.1.0/255.255.255.0 to 192.168.50.0/255.255.255.0

In ch ter 19 an na 19 2. ge l IP 2. 16 d a 16 8. fro dd 8. 1.9 m re ss 50 9 .1 to 0
er
S er v
Solution Use the FortiGate setup wizard to
FortiGate Unit in NAT/Route mode
change the IP address of the FortiGate ISP provides IP internal interface and change the configuration network addresses that the FortiGate using DHCP DHCP server provides for devices on the Internal network. Renew the DHCP leases of the devices on the internal network so that they acquire new IP addresses. You may need to change the address of an internal network if you have two different internal networks and you want to allow communication between them. The FortiGate setup wizard deletes all security policies and adds a single security policy configured by the wizard to allow Internet access from the Internal network. You might not want to use this solution if you have added custom security policies. However, this solution can be convenient if you have not added very many security policies. A more cumbersome solution would be to manually change the IP address of the FortiGate internal interface and then manually change the IP address of a PC on the internal network. Then you would need to re-log into the web-based manager and change the configuration of the DHCP server. This process involves a number of tedious steps; using the wizard simplifies the process to a few simple steps. 1 From a PC on the internal network, log in to the FortiGate web-based manager. 2 Select the Wizard icon. 3 Page through the wizard without making any changes until you get to the Local Area Network (LAN) Settings page. 4 Change the settings as follows: IP Address Netmask 192.168.50.10 255.255.255.0
5 Enable DHCP should be selected. Change the following settings: Start Address End Address 192.168.50.20 192.168.50.60
6 Continue to step through the wizard without making any other changes. Most wizard pages display the current configuration and allow you to change it. If you dont make any changes, the wizard does not change that configuration element. One exception to this is the Internet Access Policy wizard page. The settings on this page are applied to the security policy configuration of the FortiGate unit. All existing security policies are removed and replaced with a single security policy using the settings selected on this wizard page. 7 Renew the DHCP lease for the devices on the internal network. You may have to restart them, or bring there interfaces down and back up to do this.
W D AN H 1 C P ad
re ss
od
Results All devices on the internal network (including the FortiGate internal interface) are now on the
192.168.50.0/255.255.255.0 subnet. From any device on the internal network, try connecting to the Internet. Log in to the FortiGate web-based manager by browsing to https://192.168.50.10. Go to System > Network > Interface and verify that the IP address of the internal interface has been changed to 192.168.50.10. Also verify that the configuration of other interfaces has not been changed. Go to System > Network > DHCP Server and Edit the DHCP server for the internal interface. The IP range should be changed to the range specified in the wizard, and the default gateway should be changed to the new internal interface IP address. Go to System > Monitor > DHCP Monitor and verify that devices on the internal network have acquired a new address from the FortiGate DHCP server.
Go to Policy > Policy > Policy and verify that the policy list includes one security policy that allows users on the internal network to access the Internet. Attempt to connect to the Internet from any device on the Internal network. If you cant connect from a device on the internal network to the Internet, see Troubleshooting NAT/Route mode installations on page 20.
19
Troubleshooting NAT/Route mode installations

Problem You have set up a FortiGate NAT/Route
configuration, and devices on the private network cannot connect to the Internet.
19 2. in 16 te 8. rn 1. al 99
Solution Use the following steps to find and fix the

problem that is preventing users from connecting to the Internet.
FortiGate Unit e in NAT/Route mode
1 Check the physical network connections between the PC and the FortiGate unit, as well as between the FortiGate unit and your ISPs equipment. The Unit Operation dashboard widget indicates the connection status of FortiGate network interfaces (System > Dashboard > Status). 2 Check the ISP-supplied equipment to make sure it is operating correctly. 3 Verify that you can connect to the internal IP address of the FortiGate unit. For example, use a web browser to connect to the web-based manager from the FortiGate internal interface by browsing to its IP address (for example, https://192.168.1.99). From the PC, ping the internal interface IP address. For example: ping 192.168.1.99 If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure cables are connected and all network equipment, such as switches, is powered on and operating. Go to the next step when you can connect to the internal interface. 4 Check the configuration of the FortiGate interface connected to the Internal network. 5 Check the configuration of the FortiGate interface that connects to the Internet to make sure it includes the proper addressing mode. If the addressing mode is manual, make sure the IP address and netmask is correct. If the addressing mode is DHCP, see What if it didnt work? on page 16. 6 To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address or domain name on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet. 7 Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to connect to a domain name. If the name cannot be resolved the FortiGate unit or PC cannot connect to a DNS server and you should confirm the DNS server IP addresses are present and correct. For example: ping www.fortinet.com ping: cannot resolve www.fre.com: Unknown host 8 Verify the security policy configuration. Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Check the Count column to see if the policy has been processing traffic. Check the configuration of the policy to make sure it is similar to the following and that Enable NAT and Use Destination Interface Address is selected: Source Interface/Zone Source Address Destination Interface/Zone internal all wan1
20
17 2. 20 17 .1 w 2. Ga 20 an1 20 te .1 .1 wa 4 20 y .2
rk o .0 w 55 et 2 n 5. al 25 r n 5. te 5 in 0/2 te 1. va 8. ri 6 P .1 2 9 1
e at iv pr k n or t ee tw ne tw ne er be nal Int AT er e N int d th an
Destination Address Schedule Service Action
all always ANY ACCEPT
9 Verify the static routing configuration. Go to Router > Static > Static Route and verify that the default route is correct. Go to Router > Monitor > Router Monitor and take a look at the routing monitor and verify that the default route appears in the list as a static route. Along with the default route, you should see at least two connected routes, one for each connected FortiGate interface. 10 Disable web filtering. If you have enabled web filtering in a security policy it may be blocking access to the web site that you are attempting to connect to. This can happen for a number of reasons. If disabling web filtering allows you to connect to the Internet with a web browser, then the web filter profile selected in the policy was blocking access to the site you were attempting to connect to. This could happen because the configuration of the default web filter profile is blocking access to your site. Its also possible that FortiGuard Web Filtering produced a rating error for the web site and the default web filter profile is configured to block access to sites when a rating error occurs. A rating error could occur for a number of reasons, including not being able to access FortiGuard web filter ratings. To fix this problem, you can go to UTM Profiles > Web Filter > Profile, and in the default profile, select Advanced Filter and enable the Allow Websites When a Rating Error Occurs option. Other things you can try: Verify that you can connect to the wan1 IP address of the FortiGate unit. Once you have established that the internal network is operating, you could try pinging the FortiGate wan1 interface IP address (for example, ping 172.20.120.12). (The wan1 interface responds to pings if ping administrative access is selected for that interface (go to System > Network > Interface and edit the wan1 interface to enable ping administrative access)). If you cannot connect to the wan1 interface, the FortiGate unit is not allowing internal to wan1 sessions. Verify that you can connect to the gateway provided by your ISP.
21
Inserting a FortiGate unit into a network without changing the network configuration (Transparent mode)
Problem How to connect and configure a new
FortiGate unit to protect a private network without changing the configuration of the network. The network is connected to the Internet using a router that performs NAT.
Se be allocurit twe w y p seg en tra olic me net ffic ies nts wo rk 01 .10 0
Internal network 5.0 10.31.101.0/255.255.255.0 FortiGate Unit tiG t U it in Transparent mode Management IP 10.31.101.40
10
.1 .31
Router
This solution requires adding network security without replacing the router. The FortiGate unit should block access from the Internet to the private network but allow users on the private network to connect to the Internet. The FortiGate unit should also monitor application usage and find and remove viruses.
Solution Install a FortiGate unit in Transparent mode between the internal network and the router. Add a
security policy to the FortiGate unit that allows users on the internal network to connect to the Internet and add virus scanning and application control to this security policy. No network changes are required, except to provide the FortiGate unit with a management IP address. Changing to Transparent mode removes most configuration changes made in NAT/Route mode. If you want to keep your current NAT/Mode configuration you should backup your FortiGate NAT/Route mode configuration from the System Information dashboard widget. 1 Connect a PC to the FortiGate internal interface. 2 Power on the FortiGate unit and PC. 3 Connect to the FortiGate web-based manager. You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet. Log in using admin and no password. 4 Go to System > Dashboard > Status > System Information and beside Operation Mode select Change and configure the following: Operation Mode Management IP/Netmask Default Gateway Transparent 10.31.101.40/255.255.255.0 10.31.101.100
5 Select OK to switch to Transparent mode. 6 Log in to the web-based manager by browsing to https://10.31.101.40. You will need to change the IP address of the PC to an address on the 10.31.101.0/255.255.255.0 subnet. 7 Go to System > Network > DNS and add Primary and Secondary DNS servers. 8 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet. Source Interface/Zone Source Address internal All
22
Destination Interface/Zone Destination Address Schedule Service Action
wan1 All always ANY ACCEPT
9 Select UTM. Select Enable Antivirus and select Enable Application Control. 10 Select OK to save the security policy. 11 Power off the FortiGate unit. 12 Connect the FortiGate unit between the network and the router. Connect the wan1 interface to the router internal interface. Connect the internal network to the FortiGate-60C internal interface switch. If the Internal network consists of only five devices, they can all be connected to the internal interface switch. 13 Power on the FortiGate unit.
Internal Network Router
Results From a PC on the internal network, open a web browser and browse to any Internet website.
You should also be able to connect to the Internet using FTP or any other protocol or connection method. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit.
The source address of most sessions should be an address on the 10.31.10.0 network. The Src NAT IP and Src NAT port columns are blank because no NAT it taking place. The policy ID should usually be 1, which is usually the ID of first security policy that you added. You can also see results by going to Policy > Monitor > Policy Monitor, to view a graph of active session for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for policy 1 to view the top sessions by source address, destination address, or destination port/service.
23
The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage. If a FortiGate unit operating in Transparent mode is installed between a DHCP server and PCs that get their address by DHCP, you must add a security policy to allow the DHCP servers response to get back through the FortiGate unit from the DHCP server to the DHCP client. The internal to wan1 policy allows the DHCP request to get from the client to the server, but the response from the server is a new session, not a typical response to the originating request, so the FortiGate unit will not accept this new session unless you add a wan1 to internal policy with the service set to DHCP. If you can browse the Internet from the internal network, your configuration is successful. If you cannot, try the steps described in Troubleshooting Transparent mode installations on page 25 to find the problem.
24
Troubleshooting Transparent mode installations

Problem You set up a basic FortiGate Transparent
mode configuration, and traffic will not pass through the FortiGate unit.
Internal network 5.0 10.31.101.0/255.255.255.0 FortiGate Unit tiG t U it in Transparent mode Management IP 10.31.101.40
Se be allocurit twe w y p seg en tra olic me net ffic ies nts wo rk .10 1.1 00
1 0.3
Solution Use the following steps to find and fix the

problem that is preventing users from connecting through the FortiGate unit.
Router
1 Check the physical network connections between the network and the FortiGate unit, and between the FortiGate unit and the Internet. The Unit Operation dashboard widget indicates the connection status of FortiGate network interfaces. 2 Check the router and ISP-supplied equipment to make sure it is operating correctly. 3 Verify that you can connect to the internal interface by connecting to the management IP address of the FortiGate unit from the Internal network. From the internal network, attempt to ping the management IP address. If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure the cables are connected and all switches and other devices on the network are powered on and operating. Go to the next step when you can connect to the internal interface. 4 To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate CLI and use the execute ping command to ping an address on the Internet. You can also use the execute traceroute command to troubleshoot connectivity to the Internet. 5 Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can check for DNS errors by pinging or using traceroute to connect to a domain name. If the name cannot be resolved the FortiGate unit or PC cannot connect to a DNS server and you should confirm the DNS server IP addresses are present and correct. For example: ping www.fortinet.com ping: cannot resolve www.fre.com: Unknown host 6 Verify the security policy configuration. Go to Policy > Policy > Policy and verify that an internal -> wan1 security policy has been added. Check the Count column to see if the policy has been processing traffic. Check the configuration of the policy to make sure it is similar to the following: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal all wan1 all always ANY ACCEPT
7 Verify the static routing configuration. Go to System > Network > Routing Table and verify that the default route is correct.
25
8 Disable web filtering. If you have enabled web filtering in a security policy it may be blocking access to the web site that you are attempting to connect to. If disabling web filtering allows you to connect to the Internet with a web browser, then the web filter profile selected in the policy was blocking access to the site you were attempting to connect to. This could happen because the configuration of the default web filter profile is blocking access to your site. Its also possible that FortiGuard Web Filtering produced a rating error for the web site and the default web filter profile is configured to block access to sites when a rating error occurs. A rating error could occur for a number of reasons, including not being able to access FortiGuard web filter ratings. To fix this problem, you can go to UTM Profiles > Web Filter > Profile, and in the default profile, select Advanced Filter and enable the Allow Websites When a Rating Error Occurs option. 9 Verify that you can connect to the gateway provided by your ISP. Try pinging the default gateway IP address from a PC on the internal network. 10 Confirm that the FortiGate unit can connect to the FortiGuard network. Once registered, the FortiGate unit obtains antivirus and application control and other updates from the FortiGuard network. Once the FortiGate unit is on your network, you should confirm that it can reach the FortiGuard network. The FortiGate unit must be able to connect to the network from its management IP address. If the following tests provide incorrect results, the FortiGate unit cannot connect to the Internet from its management IP address. Check the FortiGate units default route to make sure it is correct. Check your Internet firewall to make sure it allows connections from the FortiGate management IP address to the Internet. First, check the License Information dashboard widget to make sure the status of all FortiGuard services matches the services that you have purchased. The FortiGate unit connects to the FortiGuard network to obtain this information. Go to System > Config > FortiGuard. Open web filtering and email options and select Test Availability. After a minute the web-based manager should indicate that the connection was successful. 11 Check the FortiGate bridge table. The bridge table is a list of MAC addresses of devices on the same network as the FortiGate unit and the FortiGate interfaces from which each MAC address was found. The FortiGate unit uses this table to determine where to forward a packet. If a the MAC address of a specific device is getting added to in the bridge table, then packets to that MAC address will be blocked. This may appear as traffic going to a MAC address, but no reply traffic coming back. In this situation, check the bridge table to ensure the correct MAC addresses have been added to the bridge table. Use the following CLI command to check the bridge table associated with the root VDOM.
diagnose netlink brctl name host root.b show bridge control interface root.b host. fdb: size=2048, used=25, num=25, depth=1 Bridge root.b host table port no device devname mac addr ttl 3 4 wan1 00:09:0f:cb:c2:77 88 3 4 wan1 00:26:2d:24:b7:d3 0 3 4 wan1 00:13:72:38:72:21 98 4 3 internal 00:1a:a0:2f:bc:c6 1 6 dmz 00:09:0f:dc:90:69 0 3 4 wan1 c4:2c:03:0d:3a:38 81 3 4 wan1 00:09:0f:15:05:46 89 3 4 wan1 c4:2c:03:1d:1b:10 0 2 5 wan2 00:09:0f:dc:90:68 0
attributes
6 Local Static
Local Static
If your devices MAC address is not listed, the FortiGate unit cannot find the device on the network. This could indicate that the device is not connected or not operating. Check the devices network connections and make sure it is operating correctly.
Verifying the current firmware version and upgrading the FortiOS firmware
Problem Fortinet has released a new version of
FortiOS. You want to know what firmware version is currently running on your FortiGate unit and how to upgrade to the latest version.
Solution View the current firmware version from the web-based manager and CLI. Download a new
version of FortiOS from the Fortinet Customer Support web site and install it from the webbased manager. Firmware images for all FortiGate units are available on the Fortinet Customer Support web site. You must register your FortiGate unit to access firmware images. Register the FortiGate unit by visiting http://support.fortinet.com and select Product Registration. Always review the Release Notes before installing a new firmware version. They provide the recommended upgrade path for the firmware release as well as additional information not available in other documentation. Only perform a firmware upgrade during a maintenance window. 1 Log in to the web-based manager and view the dashboard System Information widget to see the Firmware Version currently installed on your FortiGate unit. From the FortiGate CLI you can also enter the following command. The first output line indicates FortiOS firmware version installed on your FortiGate unit: get system status Version: Fortigate-60C v4.0,build0458,110627 (MR3 Patch 1) Virus-DB: 11.00773(2010-05-04 13:32) Extended DB: 0.00000(2010-03-16 10:31) IPS-DB: 3.00000(2011-05-18 15:09) FortiClient application signature package: 1.421(2011-09-08 10:19) Serial-Number: FGT60C3G10002814 BIOS version: 04000010 Log hard disk: Need format Internal Switch mode: switch Hostname: FGT60C3G10002814 Operation Mode: NAT Current virtual domain: root Max number of virtual domains: 10 Virtual domains status: 1 in NAT mode, 0 in TP mode Virtual domain configuration: disable FIPS-CC mode: disable Current HA mode: standalone Distribution: International Branch point: 458 Release Version Information: MR3 Patch 1 System time: Wed Sep 14 13:07:27 2011 2 To download a newer firmware version, browse to http://support.fortinet.com and select a Download Firmware Images link. 3 Log in using your Fortinet account user name and password. 4 Go to Download Firmware Images > FortiGate. 5 Select FortiGate firmware images and browse to the FortiOS firmware version that you want to install (for example, browse to FortiGate/v4.00/4.0MR3/MR3_Patch_1).
6 Locate and download the firmware for your FortiGate unit. 7 Download and read the Release Notes for this firmware version. Always review the Release Notes before installing a new firmware version in case you cannot update to the new firmware release from the one that you are currently running. 8 Backup your configuration from the System Information dashboard widget. Always remember to back up your configuration before doing any firmware upgrades.
9 Go to System > Dashboard > Status. 10 Under System Information > Firmware Version, select Update. 11 Find the firmware image file that you downloaded and select OK to upload and install the firmware build on the FortiGate unit.
Results The FortiGate unit uploads the firmware image file, upgrades to the new firmware version,
restarts, and displays the FortiGate login. This process takes a few minutes. From the FortiGate web-based manager, go to System > Dashboard > Status. In the System Information widget, the Firmware Version will show the updated version of FortiOS (or from the CLI enter get system status).
What if it There is a possibility that the firmware upgrade from the web-based manager does not load doesnt properly. If this occurs, you may find that the FortiGate will not boot, or continuously reboots. work? It is best to perform a fresh install of the firmware from a reboot using the CLI. This procedure
installs a firmware image and resets the FortiGate unit to default settings. For this procedure, you must connect to the CLI using the FortiGate console port and a RJ-45 to DB-9, or null modem cable. Installing FortiGate firmware from a TFTP server This procedure requires a TFTP server that you can connect to from the FortiGate unit. The TFTP server should be on the same subnet as the management interface. 1 Connect to the CLI using the RJ-45 to DB-9 or null modem cable. 2 Make sure the TFTP server is running and copy the firmware image file to the TFTP server. 3 Enter the following command to restart the FortiGate unit. execute reboot 4 When prompted by the FortiGate unit to reboot, type y. 5 As the FortiGate unit starts, a series of system startup messages appears. When the following messages appears: Press any key to display configuration menu.......... Immediately press any key to interrupt the system startup. You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate unit reboots and you must log in and repeat the execute reboot command. If you successfully interrupt the startup process, the messages similar to the following appear (depending on the FortiGate BIOS version): [G]: [F]: [B[: [C]: [Q]:
28
Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default Configuration and information Quit menu and continue to boot with default firmware.
[H]: Display this list of options. Enter G, F, Q, or H: 6 Type G to get to the new firmware image form the TFTP server. 7 When prompted, enter the TFTP server IP address, and local FortiGate IP address. The IP address can be any IP address that is valid for the network the interface is connected to. Make sure you do not enter the IP address of another device on this network. 8 Enter the firmware image filename and press Enter. The TFTP server uploads the firmware image file. 9 When prompted how to save the default firmware, type D to load it as the default. The FortiGate unit installs the new firmware image and restarts. When loading the firmware using this method, the existing configuration is reset to defaults. You will need to reconfigure the IP addresses and load the configuration file from the System Information widget on the Dashboard.
29
Setting up and troubleshooting FortiGuard services

Problem You want to confirm that your FortiGate
unit is receiving FortiGuard services. You also want to be able to troubleshoot issues that arise if antivirus or IPS updates or web filtering or email filtering lookups are not available.
FortiGuard Network
Solution If you have purchased FortiGuard services and registered your FortiGate unit it should
automatically connect to the FortiGuard Distribution Network (FDN) and display license information about your FortiGuard services. Verify whether the FortiGate unit is communicating with the FDN by checking the License Information dashboard widget. The FortiGate unit automatically connects with the FortiGuard network to verify the FortiGuard Services status for the FortiGate unit.
Any subscribed services should have a green check mark beside them, indicating that connections are successful. A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered. A red X indicates that the FortiGate unit was able to connect but that a subscription has expired, or has not been activated. Use the following steps to troubleshoot FortiGuard services. 1 Verify that you have registered your FortiGate unit, purchased FortiGuard services, and that the services have not expired. You can verify the support status for your FortiGate unit at the Fortinet Support website (https://support.fortinet.com/). 2 Verify the status of the FortiGuard services on the FortiGate unit. You can view the status of FortiGuard services from the License Information dashboard widget or from the System > Config > FortiGuard page. The status information displayed here should match the information on the support site. If the information doesnt match there may be a problem with communication between the FortiGate unit and the FortiGuard network.
You can also view the FortiGuard connection status by going to System > Config > FortiGuard.
3 Verify that the FortiGate unit can communicate with the Internet. The FortiGate unit should be able to communicate with the FortiGuard network if it can communicate with the Internet. 4 Go to Router > Monitor > Routing Monitor (NAT/Route mode) or System > Network > Routing Table and verify that a default route is available and configured correctly. 5 Go to System > Network > DNS and make sure the primary and secondary DNS servers are correct, as provided by your ISP. The FortiGate unit connects to the FortiGuard network using a domain name, not a numerical IP address. If the FortiGate interface connected to the Internet gets its IP address using DHCP, you should make sure Override internal DNS is selected so that the FortiGate unit gets its DNS server IP addresses from the ISP using DHCP. 6 Verify that the FortiGate unit can connect to the DNS servers using the execute ping command to ping them. 7 You can also attempt a traceroute from FortiGate CLI to an external network using a domain name for a location, for example, enter the command: execute traceroute www.fortiguard.com If the command cannot find the numeric IP address of www.fortiguard.com, then the FortiGate unit cannot connect to the configured DNS servers. 8 Make sure that at least one security policy includes antivirus. If no security policies include antivirus, the antivirus database may not be updated. 9 Verify that the FortiGate unit can communicate with the FortiGuard network. At System > Config > FortiGuard > Antivirus and IPS Options, you can select Update now to force an immediate update of the antivirus and IPS databases. After a few minutes, you can verify if the updates were successful. 10 Test the availability of web filtering and email filtering lookups from System > Config > FortiGuard > Web Filtering and Email Filtering options by selecting the Test Availability button.
31
If the test is not successful, try changing the port that is used for web filtering and email filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network and some ISPs may block one of these ports. 11 Determine if there is anything upstream that might be blocking FortiGuard traffic, either on the network or on the ISPs network. Many firewalls block all ports by default, and often ISPs block low-numbered ports (such as 53). FortiGuard uses port 53 by default, so if it is being blocked, you need to either open the port or change the port used by the FortiGate unit. 12 Change the FortiGuard source port. It is possible ports that are used to contact the FortiGuard network are being changed before reaching FortiGuard, or on the return trip, before reaching your FortiGate unit. A possible solution for this is to use a fixed-port at the NAT firewall to ensure the port number remains the same. FortiGate units contact the FortiGuard Network by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would then have a destination port of 1027 or 1031. If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. You can select a different source port range for the FortiGate unit to use. If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports such as 2048-20000, using the following CLI command: config system global set ip-src-port-range 2048-20000 end Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use. 13 Display the FortiGuard server list The get webfilter status CLI command shows the list of FortiGuard servers that the FortiGate unit can connect to. The command should show more than one server.
get webfilter status Locale : english License : Contract Expiration : Thu Oct 9 02:00:00 2012 Hostname : service.fortiguard.net -=- Server List (Wed Sep 14 14:39:46 2011) -=IP 69.20.236.179 174.137.33.92 208.91.112.196 69.20.236.180 209.222.147.36 66.117.56.42 66.117.56.37 69.20.236.182 69.195.205.101 80.85.69.37 80.85.69.41 80.85.69.40 62.209.40.72 208.91.112.194 116.58.208.39 Weight 30 0 0 30 30 30 30 30 30 80 80 80 90 118 160 RTT Flags 3 91 62 4 22 24 24 4 32 85 85 88 109 128 DI 276 TZ -5 -8 -8 -5 -5 -5 -5 -5 -5 0 0 0 1 -8 8 Packets 30491 8794 146 11620 8799 8792 8793 11332 8810 8800 8804 8808 8791 12713 8805 Curr Lost Total Lost 0 9 0 7 0 2 0 9 0 11 0 9 0 10 0 7 0 27 0 17 0 21 0 25 0 8 0 3912 0 22
32
Hostname is the name of the FortiGuard server the FortiGate unit will attempt to contact. The Server List includes the IP addresses of alternate servers if the first entry cannot be reached. In this example, the IP addresses are not public addresses. The following flags in get webfilter status indicate the server status: D - the server was found through the DNS lookup of the hostname. If the hostname returns more than one IP address, all of them will be flagged with D and will be used first for INIT requests before falling back to the other servers. I - the server to which the last INIT request was sent. F - the server has not responded to requests and is considered to have failed. T - the server is currently being timed.
33
Setting up an administrator account on the FortiGate unit

Problem You want to add a new FortiGate administrator
login that has super administrator access to all FortiGate features. You also want to be able to identify individual administrators instead of allowing multiple uses of the admin administrator account.
Int er n al N etw a ad dmin min _p istr rofi ato le rs ork F DH ortiG CP ate Se Un rve it r
Solution Create a new administrator with the super_admin profile, to enable full access to all FortiGate
features. 1 Go to System > Admin > Administrators and select Create New to add the following administrator: Administrator Type Password Confirm Password Admin Profile Terry_White Regular password password super_admin
2 Select OK to save the administrator. Administrator names and passwords are case-sensitive. You cannot include the < > ( ) # characters in an administrator name or password. Spaces are allowed, but not as the first or last character. Spaces in a name or password can be confusing and require the use of quotes to enter the name in the CLI. The admin profile dictates what parts of the FortiGate configuration the administrator can see and configure from web-based manager and CLI. You can add multiple profiles and assign users and administrators different profiles, depending on what they are tasked to do with the FortiGate unit.
Results Log in to the FortiGate using the user name of Terry_White and the password of password. As
this administrator, you can view all web-based manager pages and change all FortiGate configuration settings. From the FortiGate web-based manager,go to Log&Report > Event Log to verify that the login activity occurred.
34
Select the log entry to view detailed information, which indicates the admin user connected. The Message row indicates that Terry White connected successfully from 192.168.1.1.
Go to System > Dashboard > Status, and view the System Information widget. In the Current Administrator row, it will indicate the number of administrators logged in.
Selecting Details shows Terry White logged in as an administrator.
35
36
Advanced FortiGate installation and setup

FortiGate units can be deployed in many ways to meet a wide range of advanced requirements. This chapter samples some of advanced configurations that include advanced NAT and Transparent mode configurations, high availability, VLANs and Virtual Domains (VDOMs). This chapter also includes two sections that describe how to use the FortiGate packet sniffer and one that describes using the diagnose debug tools. This chapter includes the following advanced installation and setup examples: Connecting a FortiGate unit to two ISPs for redundant Internet connections Using a modem for a redundant Internet connection Distributing sessions between dual redundant Internet connections with usage-based ECMP Protecting a web server on a DMZ network Protecting an email server with a FortiGate unit without changing the network (Transparent Mode) Using port pairing to simplify a Transparent mode installation Connecting networks without translating addresses (FortiGate unit in Route mode) Employing high availability (HA) to improve network reliability Upgrading the firmware installed on a FortiGate HA cluster Connecting multiple networks to a FortiGate interface using virtual LANs (VLANs) Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit Setting up an administrator account for monitoring firewall activity and basic maintenance Creating a local DNS server listing for internal web sites and servers Assigning IP addresses according to a MAC address using DHCP Setting up the FortiGate unit to send SNMP traps Troubleshooting by sniffing packets (packet capture) Advanced troubleshooting by sniffing packets (packet capture) Creating, saving, and using packet capture filters (sniffing packets from the web-based manager) Debugging FortiGate configurations Quick reference to common diagnose commands
37
Connecting a FortiGate unit to two ISPs for redundant Internet connections

Problem Create a backup Internet connection
with your FortiGate unit, so that if the primary internet connection fails, some or all traffic automatically switches to the backup Internet connection and when the primary Internet connection is restored, traffic automatically switches back to it.
Internal Network 192.168.1.0/255.255.255.0
In 19 ter 2. na 16 l 8. 1.
99 W 17 AN G 2. 1 17 ate 20 2. w .12 20 ay 0 .1 .1 4 20 .2 W D AN H 2 C P
Backup ISP
Primary ISP
Solution This solution describes how to improve the reliability of a networks connection to the Internet
by using two Internet connections to two different ISPs. In this solution, the primary ISP is connected to wan1 with a static IP and the backup ISP is connected to wan2 using DHCP. To allow the internal network to use wan1 to connect to the Internet add internal to wan1 security policies. Add duplicate internal to wan2 security policies to use wan2 to connect to the Internet. You can choose to reduce the amount of traffic when the wan2 interface is operating by adding fewer security polices for connections to the wan2 interface. You could also use techniques such as traffic shaping to limit the amount of traffic processed by the wan2 interface. You could also add security policies that include FortiGuard web filtering or other web filtering techniques to block popular but less important websites. Application control could also be used to limit the applications that can be used when traffic is using the wan2 interface. Configuring the primary Internet connection to use wan1 1 Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the internal network to the internal interface. 2 From a PC on the Internal network, log in to the FortiGate web-based manager using admin and no password. 3 Go to System > Network > Interface and Edit the wan1 interface and change the following settings: Addressing mode IP/Netmask Manual 172.20.120.14/255.255.255.0
Internal Network
Primary ISP
38
6 Go to System > Network > DNS and add Primary and Secondary DNS servers. 7 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet through the wan1 interface. Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you.
Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action
internal All wan1 All always ANY ACCEPT
8 Select Enable NAT and Use Destination Interface Address. 9 Select OK to save the security policy. Adding the backup Internet connection using wan2 1 Connect the wan2 interface to your backup ISP-supplied equipment. 2 Log in to the web-based manager. 3 Go to System > Network > Interface and Edit the wan2 interface. 4 Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server. Clear the checkbox for Override internal DNS. 5 Select OK to save the changes.
Primary ISP Internal Network
If everything is connected correctly, the wan2 interface should acquire an IP address from the IPSs DHCP server. Backup ISP This can take a few minutes, you can select the Status link to refresh the display. Eventually, an Obtained IP/Netmask should appear. If the IPSs
39
DHCP server supplies DNS server IP addresses and a default gateway, they should also appear. Make sure Retrieve Default Gateway from server is selected so that a default route is added to the routing table. Normally in a dual Internet configuration, you would not select Override internal DNS because you would not want the FortiGate unit to use the backup ISPs DNS servers. 6 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet through the wan2 interface. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal All wan2 All always ANY ACCEPT
7 Select Enable NAT and Use Destination Interface Address. 8 Select OK to save the security policy. Set the default route to wan1 to be the primary default route and add a ping server for wan1 and a ping server for wan2 As a result of this configuration, the FortiGate unit will have two default routes, one that directs traffic to wan1 and one that directs traffic to wan2. The default route to wan2 is obtained from the backup ISPs DHCP server. The ping servers verify the ability of the wan1 and wan2 interfaces to connect to the Internet. 1 Go to Router > Static > Static Route and Edit the wan1 default route, select Advanced and set the Distance to 10. The distance may already be set to 10 so you may not actually have to change it. 2 Go to System > Network > Interface list. Edit the wan2 interface and set the distance to 20 (or any number higher than 10). 3 To confirm which default route is now actually being used by the FortiGate unit, go to Router > Monitor > Routing Monitor to view the current FortiGate routing table. Routes that are not active do not appear on the routing monitor. In this example, only the one static route should appear: the wan1 default route. Its distance should be 10. Connected routes for the connected interfaces should also appear.
40
If you edit the wan2 interface and set the distance to a lower value (say 5), the wan1 default route is removed from the router monitor and is replaced with the wan2 default route (because the wan2 route has the lower distance). You can also have both default routes appear in the router monitor by setting their distances to the same value (say 10). When both routes have the same distance, this is known as equal cost multi path (ECMP) routing and both default routes are used. Sessions are load balanced between them. For an example, see Distributing sessions between dual redundant Internet connections with usage-based ECMP on page 48. 4 Go to Router > Static > Settings and select Create New and add the wan1 ping server: Interface Ping Server Detect Protocol Ping Interval (seconds) Failover Threshold wan1 172.20.120.2 ICMP Ping 5 5
5 Select Create New and add the wan2 ping server. The wan2 ping server is optional for this configuration. However adding the wan2 ping server means the FortiGate unit will record even log messages when the wan2 ping server cant reach its destination. Interface Ping Server Detect Protocol Ping Interval (seconds) Failover Threshold wan2 10.41.101.100 ICMP Ping 5 5
Results If the wan1 ping server can connect to its ping server IP address the routing monitor appears
as shown above with a default route to the wan1 interface. All traffic to the Internet uses the wan1 interface and the internal to wan1 security policy. You can verify this by viewing the routing monitor and by going to Policy > Policy > Policy and viewing the Count column for the internal to wan1 and internal to wan2 policies while connecting to the Internet. The internal to wan1 policy count should increase, while the internal to wan2 count should not. If you change the network so that the wan1 ping server cannot connect to its ping server IP address, (for example, by physically disconnecting the cable from the wan1 interface), the default route should change to the wan2 interface (called default route failover):
An event log message similar to the following should also be recorded. 2011-08-24 10:16:39 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="wan1" status=down msg="Ping peer: (172.20.120.14->172.20.120.2 ping-down)"
41
With the wan2 link active, attempt to connect to the Internet from the Internal network. If you can connect, this confirms that the dual Internet connection configuration is correct. View the security policy count column for the internal to wan2 policy. The count should be increasing, indicating that this policy is accepting traffic. When you restore the wan1 interfaces connection, the ping server should detect that network traffic is restored and the routing table should revert to including the wan1 default route. All new sessions will use the internal to wan1 security policy. Sessions that were established using the internal to wan2 security policy will continue to use this policy and the wan2 interface until they are terminated. However, all new sessions will use the internal to wan1 security policy. Outgoing sessions and their responses that are in progress during a failover will have to be restarted after the failover, since responses to traffic sent out on one interface will not come back on another. During a failover, incoming sessions received by a firewall VIP security policy from the wan1 interface before the failover may be sent out the wan2 interface after the failover. Outbound sessions initiated by the server and sent out the VIP security policy will have their source IP address modified according to the interface that sends the session to the Internet. If the wan1 link fails, outgoing VIP sessions automatically fail over to wan2. The source address of these sessions depends on the address defined in the firewall VIP. If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem. Changing this redundant Internet configuration to use ECMP The basic redundant Internet connection scenario described in this section should be successful for many networks. However, to potentially improve default route failover performance and to reduce the number of fail overs for incoming connections when the primary ISP fails and re-connects you could implement Equal Cost Multipath (ECMP) routing. You could implement a basic ECMP configuration of this redundant Internet connection scenario by setting the distances for both default routes to the same value and setting the priority of the default route to the primary ISP to a lower value than the priority of the default route to the backup ISP. The route with the lowest priority value is considered the best route. Use the following steps to modify the configuration. Because the wan2 default route is acquired from the ISP using DHCP, the priority of the wan2 default route must be changed by editing the wan2 interface from the CLI.
1 Go to Router > Static > Static Route and Edit the wan1 default route. 2 Select Advanced and set the Distance to 10 and the Priority to 5 3 Enter the following CLI command to edit the distance and priority of the wan2 default route. config system interface edit wan2 set distance 10 set priority 20 end Since the wan1 default route has the lowest priority it is considered the best route and all traffic heading from the private network for the Internet uses the wan1 interface.
42
When two different distances are used on the wan1 and wan2 default routes, traffic originating from the Internet can only be responded to by the interface with the default route with the lowest distance metric (wan1). If a user from the Internet has established a connection to the Internal network through the wan1 interface, the user would lose their connection if the wan1 connection to the Internet fails. After a brief interruption the user would automatically re-connect through the wan2 interface. When the wan1 Internet connection comes back, the users connection would be interrupted a second time because it would have to switch back to the wan1 interface since the wan2 interface would no longer be able to process traffic. When ECMP is implemented, both interfaces are able to respond to traffic initiated from the Internet as the routing is based on the session tables. The user would still lose their connection when the wan1 Internet connection fails, but after connecting through the wan2 interface the users connection would be able to continue on the wan2 interface after the wan1 connection was restored resulting in only a single interruption. A number of ECMP scenarios are available. For another, see Distributing sessions between dual redundant Internet connections with usage-based ECMP on page 48.
43
Using a modem for a redundant Internet connection
In 19 ter 2. na 16 l 8. 1. 99

Problem Create a backup Internet connection
using a modem so that if the primary internet connection fails, some or all traffic automatically switches to the backup Internet connection which is a dialup connection using the modem interface. When the primary Internet connection is restored, traffic automatically switches back to it.
od em
Backup ISP
Solution This solution describes how to improve the reliability of a networks connection to the Internet
by using two Internet connections. The primary internet connection is to the wan1 interface and the backup internet connection is a dial-up connection using a modem and the FortiGate modem interface. The modem interface is configured to be redundant for the wan1 interface and a ping server is added for the wan1 interface. When the ping server determines that the wan1 interface cannot connect to the Internet, the FortiGate unit dials the modem and the modem becomes the active Internet connection. You can choose to reduce the amount of traffic when the modem interface is operating, by adding fewer security polices for connections to the modem interface. You could also use techniques such as traffic shaping to limit the amount of traffic processed by the modem interface. You could also add security policies that include FortiGuard web filtering or other web filtering techniques to block popular, but less important websites. Application control could also be used to limit the applications that can be used when traffic is using the modem interface. Configuring the primary Internet connection to use wan1 1 Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the internal network to the internal interface. 2 From a PC on the Internal network, log in to the FortiGate web-based manager using admin and no password. 3 Go to System > Network > Interface and Edit the wan1 interface and change the following settings: Addressing mode IP/Netmask Manual 172.20.120.14/255.255.255.0
Primary ISP
Internal Network
44
W 17 AN G 2. 1 17 ate 20 2. w .12 20 ay 0 .1 .1 4 20 .2
Primary ISP
6 Go to Router > Static > Settings, select Create New, and add the following ping server: Interface Ping Server Detect Protocol Ping Interval (seconds) Failover Threshold wan1 172.20.120.2 ICMP Ping 5 5
7 Go to System > Network > DNS and add Primary and Secondary DNS servers. 8 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet through the wan1 interface. Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you.
Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action
internal all wan1 all always ANY ACCEPT
9 Select Enable NAT and Use Destination Interface Address. 10 Select OK to save the security policy.
45
Configuring the modem interface as the backup Internet connection 1 Connect the modem interface to a phone line. You can also connect a USB modem to the USB port, or insert an express card modem into the express card slot of the FortiGate unit. You may have to restart the FortiGate unit after connecting an external modem. 2 Log in to the web-based manager. 3 Go to System > Network > Modem and Edit the modem settings, then select Enable Modem, and select Apply. 4 Configure the following modem settings: Primary Modem Mode Redundant for Dial Mode Idle Timeout Redial Limit Internal Modem (or External modem if you are using one) Redundant wan1 Dial on demand 5 minutes None
Primary ISP Backup ISP Internal Network
5 Configure the External Modem or Internal Modem settings. Phone Number User Name Password 555 555 1212 ISP_user Passw0rd
6 Select Apply to save the changes. 7 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet through the modem interface. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal all modem all always ANY ACCEPT
8 Select Enable NAT and Use Destination Interface Address. 9 Select OK to save the security policy. With this configuration, if the wan1 interface becomes disconnected, the modem will automatically dial up and attempt to connect to an ISP. If the connection is successful, the modem interface will be configured via PPPoE from the ISP and a default route pointing to the modem interface will be added to the routing table. All traffic destined for the Internet will then use the modem interface as long as it is accepted by an internal to modem security policy.
Results You can test default route failover by blocking access from the wan1 interface to the ping
server target (for example, by physically disconnecting the wan1 interface cable). The modem should dial in, and when connected, the routing monitor should show the modem default route replacing the wan1 default route. You can also try connecting to the Internet and verifying that the connection works and that traffic is accepted by an internal to modem security policy. You can then restore the wan1 connection, see the wan1 default route being added back to the routing monitor, and verify connectivity. With the modem dialed in, if you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem.
47
Distributing sessions between dual redundant Internet connections with usage-based ECMP

30 . W 2. Ga 12 AN 30 te 0. 2 .1 w 10 20 ay .2
Problem Your organization uses two different

ISPs for reliability and you want to make efficient use of these two Internet connections by distributing sessions to both, without allowing either one to become overloaded.
17
17
2.
Backup ISP
Solution Use spillover (also known as usage-based) Equal Cost Multipath (ECMP) routing route. When
one Internet connection reaches a defined traffic level, sessions spill over to the other connection. 1 Go to Router > Static > Static Route, select Create New to add default routes for the wan1 and wan2 interfaces For the wan1 interface: Destination IP/Mask Device Gateway 0.0.0.0/0.0.0.0 wan1 172.20.120.2
Select Advanced and set the Distance to 10. For the wan2 interface: Destination IP/Mask Device Gateway 0.0.0.0/0.0.0.0 wan2 172.30.120.2
Select Advanced and set the Distance to 10. For ECMP to work, both default routes must have the same Distance and Priority.
2 Go to Router > Static > Settings and select Spillover as the ECMP Load Balance Method. 3 Under Dead Gateway Detection, select Create New to add dead gateway detection for the wan1 and wan2 interfaces. For the wan1 interface: Interface Ping Server Detect Protocol wan1 172.20.120.2 ICMP Ping
48
W 1 A G 72 N1 17 at .20 2. ew .1 20 ay 20 .1 .1 20 4 .2
In 19 te 2. rna 16 l 8. 1. 99
Primary ISP
Ping Interval Failover Threshold For the wan2 interface: Interface Ping Server Detect Protocol Ping Interval Failover Threshold
5 5
wan2 172.30.120.2 ICMP Ping 5 5
4 Go to System > Network > Interface and Edit the wan1 interface and set the Spillover Threshold to 10000 kbits/s. 5 Go to System > Network > Interface and Edit the wan2 interface and set the Spillover Threshold to 20000 kbits/s. You must add spillover thresholds to both interfaces, since the default spillover threshold of 0 means no bandwidth limiting. If one of the interfaces had a spillover threshold of 0, it would process all sessions.
Results Most sessions from the internal network to the Internet should use the wan1 interface. When
traffic on the wan1 interface reaches the spillover threshold, new sessions should begin using the wan2 interface. When usage on the wan1 interface reduces below the spillover threshold new sessions should will again use the wan1 interface. Usage-based ECMP routing is not actually load balancing, since routes are not distributed evenly among the interfaces. A spillover threshold of 10000 kbits (10 Mbps) means that when the wan1 interface usage reaches 10 Mbps new sessions are spilled over to the wan2 interface. So during low traffic times, wan1 would be processing all sessions. The spillover threshold does not strictly limit the bandwidth processed by the interface because new sessions with destination IP addresses that are already in the routing cache will use the cached routes. This means, that even if wan1 is exceeding its bandwidth limit, new sessions can continue to be sent out on wan1 if their destination addresses are already in the routing cache. You can adjust the spillover thresholds to change how sessions are distributed between the ISPs as you become familiar with your traffic patterns. You can use the Traffic History dashboard widget to view bandwidth usage for the wan1 and wan2 interfaces. You can see whether an interface is exceeding its Spillover Threshold by using this CLI command: diagnose netlink dstmac list The output is like this: dev=wan2 mac=00:00:00:00:00:00 threshold=0 bytes=0 over_bps=0 dev=wan1 mac=00:00:00:00:00:00 threshold=0 bytes=0 over_bps=0 rx_tcp_mss=0 tx_tcp_mss=0 overspillsampler_rate=0 rx_tcp_mss=0 tx_tcp_mss=0 overspillsampler_rate=0
In the output, over_bps=1 means that the interface is exceeding its threshold, over_bps=0 means that the interface has not exceeded its threshold.
49
Protecting a web server on a DMZ network

Problem You need to keep a web server
secure and available from the Internet and from an internal private network.
Web Server DMZ network address 10.10.10.123
in 19 ter 2. na 16 l 8. 1. 9
9 10.dmz 10. 10.
Solution This solution protects and provides

access to the web server by: Installing the web server on a DMZ (demilitarized zone) network separate from your internal network that exposes the web server to the Internet and the internal network.
Web Server Internet address 172.20.120.123
Connecting the DMZ network to a FortiGate interface (the DMZ interface or any other available interface). Creating a destination NAT (DNAT) security policy that includes UTM protection and that allows users on the Internet to access the web server. Creating a route mode security policy that allows users on the internal network to access the web server. When you connect multiple networks to your FortiGate unit, you might want to add interface aliases that describe the function of the interface or the network connected to it. Aliases are easy to add: go to System > Network > Interface, edit an interface and then add descriptive text to the Alias field. The alias appears with the interface name in most places on the web-based manager. Connecting the networks to the FortiGate unit and configuring IP settings 1 Connect the DMZ network to the FortiGate DMZ interface the internal network to the internal interface and the Internet to the wan1 interface (or any available interfaces). 2 Go to System > Network > Interface. 3 Edit the dmz interface: Alias Addressing mode IP/Netmask DMZ server network Manual 10.10.10.10/255.255.255.0
DMZ Network Internal Network
4 Edit the internal interface: Alias Addressing mode IP/Netmask Private internal network Manual 192.168.1.99/255.255.255.0
50
17 2 D .2 17 efa 0.1 w 2. ul 20 an1 20 t r .1 . 1 ou 4 20 te .2
Private internal network 192.168.1.0/255.255.255.0 User Address range 192.168.1.100 to 192.168.1.150
DMZ network 10 10.10.10.0/255.255.255.0
5 Edit the wan1 interface: Alias Addressing mode IP/Netmask Internet Manual 172.20.120.14/255.255.255.0
6 Go to Router > Static > Static Route and Edit the default route as follows. Destination IP/Mask Device Gateway 0.0.0.0/0.0.0.0 wan1(Internet) 172.20.120.2
7 Go to System > Network > DNS and add Primary and Secondary DNS servers. 8 Configure the web servers IP network settings. IP address Netmask Default Gateway DNS Servers 10.10.10.123 255.255.255.0 10.10.10.10 IP addresses of available DNS servers.
If the web server does not have the correct default gateway, its response packets will not reach the DMZ interface, so the web server will appear to not be responding.
Create a DNAT security policy to allow sessions from the Internet to the web server Configure DNAT (port forwarding) by creating a firewall virtual IP (VIP) that maps the Internet address of the web server (172.20.120.123) to the actual IP address of the web server on the DMZ network (10.10.10.123). Then, add this VIP to a security policy that allows users on the Internet to browse to the Internet address of the web server (in this example, 172.20.120.123) to connect through the FortiGate unit to the web server on the DMZ network. 1 Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a new virtual IP with the following settings: Name External Interface Type External IP Address/Range Mapped IP Address/Range Web-server-DNAT wan1(Internet) Static NAT 172.20.120.123 10.10.10.123
2 Go to Policy > Policy > Policy and select Create New to add a security policy to allow users on the Internet to connect to the web server on the DMZ network. Source Interface/Zone Source Address wan1(Internet) all
51
Destination Interface/Zone Destination Address Schedule
dmz(DMZ server network) Web-server-DNAT always
3 Beside Service, select Multiple and add HTTP and HTTPS to the Members list. 4 Set Action to ACCEPT. 5 Select UTM and select Enable AntiVirus, Enable Application Control, and Enable IPS. 6 Select OK to save the security policy. Create a route mode security policy to allow users on the internal network to connect to the web server on the DMZ network By using a route mode policy, users on the internal network can connect to the web server using its real DMZ IP address (by browsing to http://10.10.10.123 or https://10.10.10.123). Since users on the internal network know the real address of the web server, you do not have to enable NAT in the security policy that allows this access. 1 Go to Firewall Objects > Address > Address and select Create New to add a firewall address for the user address range on the internal network. Address Name Type Subnet / IP Range Interface Internal-user-addresses Subnet / IP Range 192.168.1.100 -192.168.1.150 (can also be entered as 192.168.1.[100-150]) Internal(Private internal network)
2 Select Create New to add a firewall address for the web server on the DMZ network. Address Name Type Subnet / IP Range Interface DMZ-web-server-address Subnet / IP Range 10.10.10.123/255.255.255.255 dmz(DMZ server network)
3 Go to Policy > Policy > Policy and select Create New to add a security policy that allows users on the internal network to connect to the DMZ network. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Internal(Private internal network) Internal-user-addresses dmz(DMZ server network) DMZ-web-server-address Always
4 Beside Service, select Multiple and add HTTP and HTTPS to the Members list. 5 Set Action to ACCEPT. 6 Select UTM and select Enable AntiVirus, Enable Application Control, and Enable IPS.
7 Select OK to save the security policy. For this policy, you could have selected Enable NAT to enable source NAT. However, doing this would mean that all packets from the internal network connecting to the web server would have the same source address (the IP address of the DMZ interface). If you do not select Enable NAT you can record web server usage according to the actual source address of sessions from the internal network. Add a security policy to allow users on the internal network to connect to the Internet 1 Go to Policy > Policy > Policy and select Create New to add the following security policy. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Internal(Private internal network) Internal-user-addresses wan1(Internet) all Always ANY ACCEPT
2 Select UTM and select Enable AntiVirus and Enable Application Control. 3 Select OK to save the security policy.
Results Test the configuration by connecting to the web server from the internal network and from the
Internet. If any of the following tests fail, re-check your FortiGate configuration. Also, make sure the web server has the correct default route. This is especially important for connections from the internal network because the security policies do not perform source NAT, so the web server needs the correct default route to be able to send return packets correctly. You can also try the steps described in Troubleshooting NAT/Route mode installations on page 20. Testing the connection from the internal network to the web server From the internal network, browse to the web servers actual IP address (http://10.10.10.123 or https://10.10.10.123). The connection should be successful. This communication uses the internal to dmz policy. Go to Policy > Monitor > Policy Monitor to view sessions accepted by the internal to dmz policy (in the example, policy 3). Sessions for other policies may also be visible.
53
Drill down to view details about the sessions accepted by the policy. They should all be HTTP (port 80) or HTTPS (port 443) sessions. The source address should be an address on the internal network and the destination address should be the real address of the web server (10.10.10.123). The NAT columns should be blank because no address translation is taking place.
You can also view similar session information using the FortiGate packet sniffer. The following sniffer output shows HTTP traffic (port 80) between a PC with IP address 192.168.1.110 and the web server (IP address 10.10.10.123). You can see the HTTP sessions between the PC and the internal interface and between the dmz interface and the web server. Note that the source and destination addresses and ports are not translated:
diagnose sniffer packet any 'port 80' 4 10 interfaces=[any] filters=[port 80] 5.360359 internal in 192.168.1.110.4359 -> 10.10.10.123.80: syn 2514178891 5.361982 internal out 10.10.10.123.80 -> 192.168.1.110.4359: syn 656842736 ack 2514178892 5.362165 internal in 192.168.1.110.4359 -> 10.10.10.123.80: ack 656842737 5.362463 internal in 192.168.1.110.4359 -> 10.10.10.123.80: psh 2514178892 ack 656842737 5.366684 internal out 10.10.10.123.80 -> 192.168.1.110.4359: ack 2514179678 5.370189 dmz out 192.168.1.110.4359 -> 10.10.10.123.80: syn 1168283220 5.370411 dmz in 10.10.10.123.80 -> 192.168.1.110.4359: syn 1433097504 ack 1168283221 5.370606 dmz out 192.168.1.110.4359 -> 10.10.10.123.80: ack 1433097505 5.375160 dmz out 192.168.1.110.4359 -> 10.10.10.123.80: psh 1168283221 ack 1433097505 5.375417 dmz in 10.10.10.123.80 -> 192.168.1.110.4359: ack 1168284007
54
The following FortiGate sniffer output shows HTTPS traffic (port 443) between IP address 192.168.1.110 and the web server (IP address 10.10.10.123). You can see the HTTPS sessions between the PC and the internal interface and between the dmz interface and the web server. Note that the source and destination addresses and ports are not translated:
diagnose sniffer packet any 'port 443' 4 10 interfaces=[any] filters=[port 443] 5.124564 internal in 192.168.1.110.4366 -> 10.10.10.123.443: syn 3141078769 5.128308 dmz out 192.168.1.110.4366 -> 10.10.10.123.443: syn 3141078769 5.128538 dmz in 10.10.10.123.443 -> 192.168.1.110.4366: syn 2403170564 ack 3141078770 5.130991 internal out 10.10.10.123.443 -> 192.168.1.110.4366: syn 2403170564 ack 3141078770 5.131151 internal in 192.168.1.110.4366 -> 10.10.10.123.443: ack 2403170565 5.131414 dmz out 192.168.1.110.4366 -> 10.10.10.123.443: ack 2403170565 5.131702 internal in 192.168.1.110.4366 -> 10.10.10.123.443: psh 3141078770 ack 2403170565 5.138192 dmz out 192.168.1.110.4366 -> 10.10.10.123.443: psh 3141078770 ack 2403170565 5.138361 dmz in 10.10.10.123.443 -> 192.168.1.110.4366: ack 3141078914 5.138632 internal out 10.10.10.123.443 -> 192.168.1.110.4366: ack 3141078914
You could also use the following sniffer command to get similar results: diagnose sniffer packet any 'host 192.168.1.110 or 10.10.10.123' 4 10 Testing the connection from the Internet to the web server From any location on the Internet, (or any location on the 172.20.120.0 network), browse to the web servers Internet IP address (http://172.20.120.123 or https://172.20.120.123). The connection should be successful. This communication uses the wan1 to dmz policy. Go to Policy > Monitor > Policy Monitor to view the sessions accepted by security policies. The policy monitor should show sessions accepted by the internal to dmz policy. Drill down to view details about the sessions accepted by the policy. They should all be HTTP (port 80) or HTTPS (port 443) sessions. The source address should be an address on the Internet (or the 172.20.120.0 network) and the destination address should be the Internet address of the web server (172.20.120.123). The wan1 to DMZ policy performs DNAT on incoming packets, translating the destination IP address of the packets from 172.20.120.123 to 10.10.10.123. The destination NAT IP address is shown in the Src NAT IP column when destination NAT is taking place. The destination ports are not translated so the Src NAT Port column and Dst Port column both show port 80.
You can also view similar information using the packet sniffer. The following sniffer output shows HTTP traffic (destination port 80) from 172.20.120.12 to 172.20.120.123. All packets received by the wan1 interface have a source address of 172.20.120.12 and a destination address of 172.20.120.123. All packets exiting from the dmz interface have a source address of 172.20.120.12 and a destination address of 10.10.10.123:
55
Protecting a web server on a DMZ network diagnose sniffer packet any 'port 80' 4 10 interfaces=[any] filters=[port 80] 5.384633 wan1 in 172.20.120.12.59485 -> 172.20.120.123.80: syn 3310195461 5.390855 wan1 out 172.20.120.123.80 -> 172.20.120.12.59485: syn 1257313456 ack 3310195462 5.392429 wan1 in 172.20.120.12.59485 -> 172.20.120.123.80: ack 1257313457 5.392970 wan1 in 172.20.120.12.59485 -> 172.20.120.123.80: psh 3310195462 ack 1257313457 5.402474 wan1 out 172.20.120.123.80 -> 172.20.120.12.59485: ack 3310196396 5.404772 dmz out 172.20.120.12.59485 -> 10.10.10.123.80: syn 3794602648 5.405014 dmz in 10.10.10.123.80 -> 172.20.120.12.59485: syn 4209798675 ack 3794602649 5.405236 dmz out 172.20.120.12.59485 -> 10.10.10.123.80: ack 4209798676 5.406434 dmz out 172.20.120.12.59485 -> 10.10.10.123.80: psh 3794602649 ack 4209798676 5.406689 dmz in 10.10.10.123.80 -> 172.20.120.12.59485: ack 3794603583
The following sniffer output shows HTTPS traffic (destination port 443) from 172.20.120.12 172.20.120.123. You can see the HTTPS sessions between the PC and the wan1 interface and between the dmz interface and the web server. Note that the source and destination addresses and ports are not translated:
diagnose sniffer packet any 'port 443' 4 10 interfaces=[any] filters=[port 443] 4.557201 wan1 in 172.20.120.12.59666 -> 172.20.120.123.443: syn 2276259104 4.561331 dmz out 172.20.120.12.59666 -> 10.10.10.123.443: syn 2276259104 4.561577 dmz in 10.10.10.123.443 -> 172.20.120.12.59666: syn 3539944843 ack 2276259105 4.562214 wan1 out 172.20.120.123.443 -> 172.20.120.12.59666: syn 3539944843 ack 2276259105 4.562974 wan1 in 172.20.120.12.59666 -> 172.20.120.123.443: ack 3539944844 4.563323 dmz out 172.20.120.12.59666 -> 10.10.10.123.443: ack 3539944844 4.563540 wan1 in 172.20.120.12.59666 -> 172.20.120.123.443: psh 2276259105 ack 3539944844 4.570165 dmz out 172.20.120.12.59666 -> 10.10.10.123.443: psh 2276259105 ack 3539944844 4.570270 dmz in 10.10.10.123.443 -> 172.20.120.12.59666: ack 2276259473 4.570566 wan1 out 172.20.120.123.443 -> 172.20.120.12.59666: ack 2276259473
You could also use the following sniffer command to get similar results: diagnose sniffer packet any 'host 172.20.120.12 or 172.20.120.123' 4 10
56
Protecting an email server with a FortiGate unit without changing the network (Transparent Mode)
S ec u be al rit tw low y p o e se en tra lic gm n ffi ies e c en tw or k
Problem You need to keep an email server free from
viruses without changing the server and without changing the network. For example, you cannot install virus scanning software on the email server or change the email servers IP address or change the addressing of the network.
ts
IP ent 40 em 1. ag 31.10 n Ma 10. FortiGate Unit FortiG
al rn te in
Protected Email Server 10.31.101.200
User network 10.31.101.0/255.255.255.0 User Address Range 10.31.101.[1-30]
10
.3
1.
10
Solution Insert a FortiGate unit in Transparent mode

between the email server and the network. Configure the FortiGate unit to allow sessions from the network to the email server and apply antivirus protection to these sessions to keep viruses from reaching the email server. Users on the Internal network connect to the email server to get their mail using IMAP, IMAPS, POP3, POP3S, or HTTPS (for webmail) and to send outgoing email using SMTP or SMTPS. The email server sends outgoing email by connecting to the Internet using SMTP or SMTPS and receives incoming email from the Internet using SMTP or SMTPS. Switching to Transparent mode and configuring IP settings 1 Connect a PC to the FortiGate internal interface. 2 Power on the FortiGate unit and PC. 3 Connect to the FortiGate web-based manager. You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet. Login using admin and no password. 4 Go to System > Dashboard > Status > System Information and beside Operation Mode select Change and configure the following: Operation Mode Management IP/Netmask Default Gateway Transparent 10.31.101.40/255.255.255.0 10.31.101.100
5 Select OK to switch to Transparent mode. 6 Log in to the web-based manager by browsing to https://10.31.101.40. You will need to change the IP address of the PC to an address on the 10.31.101.0/255.255.255.0 subnet. 7 Go to System > Network > Interface and Edit the wan1 interface. 8 For Administrative Access select HTTPS and SSH and select OK. Once the FortiGate unit is connected to the network, you will be managing it by connecting to the wan1 interface 9 Go to System > Network > DNS and add Primary and Secondary DNS servers.
1.
Router
10
1 an w
in Transparent mode
57
Configure the security policies 1 Go to Firewall Objects > Address > Address and select Create New to add the following firewall addresses: For the email server: Address Name Type Subnet/IP Range Interface For the user network: Address Name Type Subnet/IP Range Interface Email_User_Network Subnet/IP Range 10.31.101.[1-30] wan1 Email_Server_Address Subnet/IP Range 10.31.101.200/255.255.255.255 internal
2 Go to Policy > Policy > Policy and select Create New to add a security policy that allows the user network to access the email server using IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, and HTTPS: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule wan1 Email_User_Network internal Email_Server_Address Always
3 Beside Service, select Multiple and add IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, and HTTPS to the Members list. 4 Set Action to ACCEPT. 5 Select UTM and select Enable AntiVirus. 6 Select OK to save the security policy. 7 Go to Policy > Policy > Policy and select Create New to add a security policy that allows the email server to send outgoing email to the Internet using SMTP and SMTPS: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule internal Email_Server_Address wan1 all Always
8 Beside Service, select Multiple and add SMTP, and SMTPS to the Members list.
58
9 Set Action to ACCEPT. 10 Select UTM and select Enable AntiVirus. 11 Select OK to save the security policy. 12 Go to Policy > Policy > Policy and select Create New to add a security policy that allows the email server to receive incoming email from the Internet using SMTP and SMTPS: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule wan1 all internal Email_Server_Address Always
13 Beside Service, select Multiple and add SMTP, and SMTPS to the Members list. 14 Set Action to ACCEPT. 15 Select UTM and select Enable AntiVirus. 16 Select OK to save the security policy. 17 Go to Policy > Policy > Policy and select Create New to add a security policy that allows the email server to connect to any DNS server: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal Email_Server_Address wan1 all Always DNS ACCEPT
18 Select OK to save the security policy. 19 Connect the FortiGate unit between the email server and the user network. Connect the wan1 interface to a switch connected to the user network. Connect the internal interface to email server.
Email Server
User Network
59
Results The functionality of the email server should not be changed after the FortiGate unit is inserted.
To confirm this, you should access the email server from the user network using all the email protocols that users on the network normally use. As you test email services, on the web-based manager, you can go to Policy > Monitor > Policy Monitor to view the FortiGate security policy activity. The Policy Monitor displays bar graphs that show the sessions for each policy. The bar graphs are labelled with the policy ID. If no other security policies have been added to the FortiGate unit, and if you followed the steps in the order listed, the FortiGate will have 4 security policies.
Policy 1 allows users to connect to the email server using any email protocol and HTTPS. Policy 2 allows the email server to connect to the Internet to send outgoing email. Policy 3 allows the email server to receive incoming email from the Internet. Policy 4 allows the email server to send DNS queries. When you connect from the user network to the email server using one of the email protocols (POP3, IMAP, or HTTPS) the sessions are accepted by policy 1 and the policy monitor could look similar to this:
The policy monitor shows sessions accepted by policy 1. You can display information about the sessions by selecting the bar graph. For example, you can display the source and destination addresses and services used by sessions accepted by policy 1 as well as a listing of all active sessions.
60
When you send an outgoing email to the server using SMTP, the policy monitor could look similar to this:
The policy monitor shows sessions accepted by three policies. Drilling down into the policy 1 graph shows SMTP sessions and possibly POP3 and HTTPS sessions between an address on the user network and the email server. Drilling down into the policy 2 graph shows SMTP sessions between the email server and an Internet address caused by the email server sending outgoing email. Drilling down into the policy 4 graph shows DNS sessions between the email server and a DNS server. You can test virus scanning by attaching a virus test file to an email message. You can get the EICAR test file from http://www.eicar.org. You can verify the virus scanning results by going to UTM Profiles > Monitor > AV Monitor. The following shows the EICAR test file detected three times.
You can drill down to display the FortiGuard Center page for the virus that was detected. The Log and Archive Statistics dashboard widget also displays information about viruses caught including details about the date an time on which the virus was detected, the source and destination address of the session in which the virus was caught, and the service.
61
Finally, when the file is removed from the email its replaced with a message similar to the following: Dangerous Attachment has been Removed. The file "eicar.com" has been removed because of a virus. It was infected with the "EICAR_TEST_FILE" virus. File quarantined as: ""."http://www.fortinet.com/ve?vid=2172" You can customize this message by going to System > Config > Replacement Message > Mail > Virus Message. The default message specifies that the file is quarantined. If you have not configured quarantine, you can remove this part of the message.
If you can send and receive email, your configuration is successful. If you cannot, try the steps described in Troubleshooting Transparent mode installations on page 25 to find the problem.
62
Using port pairing to simplify a Transparent mode installation

Problem You want to simplify configuring a FortiGate
unit operating in transparent mode.
an1 o w air al t t p er n por Int inte rna
wa
n1
Solution You can enable port pairing in Transparent
IP nt 0 me .4 ge 1.101 na Ma 10.3 FortiGate Unit FortiG
Protected Web Server 10.31.101.210
in Transparent
mode mode to so that all traffic accepted by one FortiGate interface can only exit out of one 00 User network 1.1 other FortiGate interface. Restricting traffic in 10.31.101.0/255.255.255.0 0.31.10 1 User Address Range this way simplifies your FortiGate 10.31.101.[1-30] Router configuration because security policies between these interfaces are pre-configured. All you have to do is make the physical configurations and then add a port pair. Then, when you create a new security policy for sessions accepted by one of the interfaces in the pair, the second interface is automatically added to the security policy.
Switching to Transparent mode and configuring IP settings 1 Connect a PC to the FortiGate internal interface. 2 Power on the FortiGate unit and PC. 3 Connect to the FortiGate web-based manager. You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet. Login using admin and no password. 4 Go to System > Dashboard > Status > System Information and beside Operation Mode select Change and configure the following: Operation Mode Management IP/Netmask Default Gateway Transparent 10.31.101.40/255.255.255.0 10.31.101.100
5 Select OK to switch to Transparent mode. 6 Log in to the web-based manager by browsing to https://10.31.101.40. You will need to change the IP address of the PC to an address on the 10.31.101.0/255.255.255.0 subnet. 7 Go to System > Network > DNS and add Primary and Secondary DNS servers. Creating the internal and wan1 port pair and adding firewall addresses and security policies for it 1 Go to System > Network > Interface and select Create New > Port Pair to configure the following port pair: Name Selected Members internal-wan1-port-pair internal wan1
63
You can only add interfaces to a port pair if no other configuration objects have been added for the interfaces. For example, you can not add an interface to a port pair if you have added security policies or firewall addresses for it. 2 Select OK to add the port pair. 3 Go to Firewall Objects > Address > Address and add select Create New to add the following firewall addresses For the web server: Address Name Type Subnet/IP Range Interface For the user network: Address Name Type Subnet/IP Range Interface Web-Server-User-Network Subnet/IP Range 10.31.101.[1-30] any Web-Server-Address Subnet/IP Range 10.31.101.210/255.255.255.255 any
4 Go to Policy > Policy > Policy and select Create New to add a security policy that allows the user network to access the email server using HTTP and HTTPS: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule internal Web-Server-User-Network wan1 Web-Server-Address Always
5 Beside Service, select Multiple and add HTTP and HTTPS to the Members list. 6 Set Action to ACCEPT. 7 Select UTM and select Enable AntiVirus and Enable Application Control. 8 Select OK to save the security policy. 9 Go to Policy > Policy > Policy and select Create New to add a security policy that allows connections from the web server to the user network and the Internet using any service: Source Interface/Zone Source Address Destination Interface/Zone Destination Address wan1 Web-Server-Address internal all
64
Schedule Service Action
Always ANY ACCEPT
10 Select UTM and select Enable AntiVirus and Enable Application Control. 11 Select OK to save the security policy. 12Connect the web server to the FortiGate wan1 interface and the user network to the FortiGate internal interface.
Web Server
User Network
Results Connect to the web server from the internal network. Go to Policy > Policy > Policy and verify
that the count for the internal to wan1 policy has increased indicating that this policy is accepting traffic from the user network to the web server. Go to Policy > Monitor > Policy Monitor to drill down for more information about the sessions accepted by the internal to wan1 policy. If you can connect to the web server, and if the web server can connect to the Internet, your configuration is successful. If you cannot, try the steps described in Troubleshooting Transparent mode installations on page 25 to find the problem.
65
Connecting networks without translating addresses (FortiGate unit in Route mode)
in 19 ter 2. na 16 l 8. 1. 9

Problem You want to control and apply UTM
features to traffic between two subnets but you want full visibility between the networks (no address translation between the subnets).
Private internal network 192.168.1.0/255.255.255.0
9 10.dmz 10. 10.
DMZ network 10 10.10.10.0/255.255.255.0
Solution Install the FortiGate unit in NAT/Route mode between the subnets and create route mode
security policies that allow sessions between the networks without performing address translation. Connecting the networks to the FortiGate unit and configuring IP settings 1 Connect the DMZ network to the FortiGate DMZ interface the internal network to the internal interface and the Internet to the wan1 interface (or any available interfaces). 2 Go to System > Network > Interface and Edit and configure the dmz, internal, and wan1 interfaces: Name Addressing mode IP/Netmask Name Addressing mode IP/Netmask Name Addressing mode IP/Netmask dmz Manual 10.10.10.10/255.255.255.0 internal Manual 192.168.1.99/255.255.255.0 wan1 Manual 172.20.120.14/255.255.255.0
17 2 D .2 17 efa 0.1 w 2. ul 20 an1 20 t r .1 . 1 ou 4 20 te .2

DMZ Network
Internal Network
3 Go to Router > Static > Static Route and Edit the default route as follows. Destination IP/Mask Device Gateway 0.0.0.0/0.0.0.0 wan1(Internet) 172.20.120.2
4 Go to System > Network > DNS and add Primary and Secondary DNS servers.
66
5 Configure the following IP network settings for the devices on the internal network. IP address Netmask Default Gateway DNS Servers 192.168.1.x 255.255.255.0 192.168.1.99 IP addresses of available DNS servers.
6 Configure the IP following IP network settings for the devices on the DMZ network. IP address Netmask Default Gateway DNS Servers 10.10.10.x 255.255.255.0 10.10.10.10 IP addresses of available DNS servers.
If the devices on both networks do not have the correct default route, their response packets will not be returned to the source network.
Create route mode security policies to allow connections between the internal and DMZ networks 1 Go to Firewall Objects > Address > Address and select Create New to add a firewall address for the internal network. Address Name Type Subnet / IP Range Interface Internal-network Subnet / IP Range 192.168.1.1 -192.168.1.255 (can also be entered as 192.168.1.[1-255]) Internal
2 Select Create New to a firewall address for the DMZ network. Address Name Type Subnet / IP Range Interface DMZ-network Subnet / IP Range 10.10.10.1 -10.10.10.255 (can also be entered as 10.10.10.[1-255]) dmz
3 Go to Policy > Policy > Policy and select Create New to add a security policy that allows users on the internal network to connect to the DMZ network. Source Interface/Zone Source Address Destination Interface/Zone Internal Internal-network dmz
67
DMZ-network Always ANY ACCEPT
4 Select UTM and select Enable AntiVirus and Enable Application Control. 5 Select OK to save the security policy. 6 Go to Policy > Policy > Policy and select Create New to add a security policy that allows users on the DMZ network to connect to the internal network. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action dmz DMZ-network internal Internal-network Always ANY ACCEPT
7 Select UTM and select Enable AntiVirus and Enable Application Control. 8 Select OK to save the security policy. To make these NAT policies, you could have selected Enable NAT to enable source NAT. However, doing this would mean that all packets from the one network connecting to the other network would have the same source address as the FortiGate unit interface connected to that network.
Results Test the configuration by connecting from one network to the other, for example by pinging an
address on the internal network from the DMZ network. You can use the FortiGate sniffer to show the ping packets going from one network to the other and the replies coming back without any NAT. The following example shows a device at 10.10.10.20 pinging 192.168.1.120.
diagnose sniffer packet any 'icmp' 4 8 interfaces=[any] filters=[icmp] 6.916578 dmz in 10.10.10.20 -> 192.168.1.120: icmp: echo request 6.916794 internal out 10.10.10.20 -> 192.168.1.120: icmp: echo request 6.917459 internal in 192.168.1.120 -> 10.10.10.20: icmp: echo reply 6.917595 dmz out 192.168.1.120 -> 10.10.10.20: icmp: echo reply 7.918637 dmz in 10.10.10.20 -> 192.168.1.120: icmp: echo request 7.918723 internal out 10.10.10.20 -> 192.168.1.120: icmp: echo request 7.919303 internal in 192.168.1.120 -> 10.10.10.20: icmp: echo reply 7.919391 dmz out 192.168.1.120 -> 10.13.10.20: icmp: echo reply
If any of the connections fail, re-check your FortiGate configuration and make sure the devices on each network have the correct default route. You can also try the steps described in Troubleshooting NAT/Route mode installations on page 20.
68
Employing high availability (HA) to improve network reliability

S w itc h z
in
te
rn
al
FortiGate HA cluster. Configure basic settings on the cluster to allow users on the internal network to access the Internet.
an
Solution Configure two FortiGate units to form a
FortiGate For Cluster
The FortiGate units to be clustered must have the same hardware configuration, including the following: The same hard disk configuration. The same AMC or FMC cards installed in the same slots. The same interface/hub/switch mode if the FortiGate units contain a switch interface. The same soft switch configuration. Also you should make sure that: No FortiGate interfaces are configured for DHCP or PPPoE addressing. Both FortiGate units have the same firmware build. Both FortiGate units are set to the same operating mode (NAT or Transparent). Both FortiGate units are set to the same VDOM mode. Setting up HA 1 Power on a FortiGate unit and log into the web-based manager. 2 On the System Information Dashboard widget, beside Host Name select Change. 3 Enter a New Name and select OK. Changing the host name makes it easier to identify individual cluster units when the cluster is operating. 4 Go to System > Config > HA and change the following settings to enable HA mode: Mode Device Priority Group Name Password Active-Passive 128 My-Cluster HAPassw0RD
5 Set dmz and wan2 to be the Heartbeat Interfaces and set the Priority of both to 50. FortiGate units cannot form a cluster if a FortiGate interface is configured to get its IP address using DHCP or PPPoE. If the FortiGate unit reverts back standalone mode after you select OK, check the FortiGate interfaces and if required change the addressing mode of all of the interfaces to Manual.
x R te ou r n te al r
al
te
rn
an
your Internet gateway by implementing a high availability (HA) solution.
Problem You want to improve the reliability of
S w itc E
in
d m
Internal Network 192.168.1.0/ 255.255.255.0
d m
an
an
69
The best practice is to configure and connect two or more heartbeat interfaces. If heartbeat communication is interrupted, the cluster will form a so-called split-brain configuration where both cluster units operate like standalone FortiGate units, but with the same network configuration, resulting in a service interruption. Redundant heartbeat links avoids this problem. 6 Select OK to save the HA configuration. The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily lose connectivity with the FortiGate unit because HA changes the MAC addresses of the FortiGate interfaces. To be able to reconnect sooner, you can update the ARP table of your PC by deleting the ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to delete the ARP table of your PC from a command prompt using a command similar to arp -d. 7 Power off the FortiGate unit. 8 Repeat these steps with the second FortiGate unit to configure it for HA operation. You can optionally configure one of the FortiGate units with a higher Device Priority so that this unit always becomes the primary unit.
9 Connect FortiGate units to each other to form a cluster and connect the cluster to the network. Connect the wan1 interfaces of each cluster unit to a switch connected to the Internet. Connect the internal interfaces of each cluster unit to a switch connected to the internal network. Connect the dmz interfaces of the cluster units together using a crossover or regular Ethernet cable. Connect the wan2 interfaces of the cluster units together using a crossover or regular Ethernet cable. 10 Power on the FortiGate units. As they start, they negotiate to choose the primary unit and to form a cluster. This negotiation occurs with no user intervention and normally just takes a few seconds. The FortiGate units must be connected together by at least one heartbeat interface for to negotiation to take place.
Configure basic settings for the cluster You can now configure the cluster if it is a single FortiGate unit. HA synchronizes the configuration to all cluster units. This includes configuring addressing, operation mode (NAT or Transparent) enabling or disabling multiple VDOM mode, add security policies and so on. 1 From a PC on the Internal network, connect to the FortiGate web-based manager. You can configure the PC to get its IP address using DHCP and then browse to https://192.168.1.99. You could also give the PC a static IP address on the 192.168.1.0/255.255.255.0 subnet. Login using admin and no password. 2 Go to System > Network > Interface and Edit the wan1 interface and change the following settings: Addressing mode IP/Netmask
70
Manual 172.20.120.14/255.255.255.0
5 Go to System > Network > DNS and add Primary and Secondary DNS servers. 6 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet. Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you and as soon as your FortiGate unit is connected, and the computers on your internal network are configured, they should be able to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal All wan1 All always ANY ACCEPT
Results Just like a standard FortiGate NAT/Route mode configuration, users on the Internal network
should be able to connect to the Internet. Check the System Information Widget on the dashboard to confirm the HA status.
71
When a cluster first starts up, do the following to make sure that it is configured and operating correctly. 1 Set ping to continuously ping the cluster, and then start a large download, or, in some other way, establish ongoing traffic through the cluster. 2 While traffic is going through the cluster, disconnect the power from one of the cluster units. Traffic should continue with minimal interruption. 3 Start up the cluster unit that you powered off. The unit should re-join the cluster with little or no affect on traffic. 4 Disconnect a cable for one of the HA heartbeat interfaces. The cluster should keep functioning, using the other HA heartbeat interface. 5 Log in to the web-based manager and from the Dashboard, verify that the System Information widget displays both cluster units. 6 Verify that the Unit Operation graphic shows that the correct cluster unit interfaces are connected. 7 Go to System > Config > HA and verify that all of the cluster units are displayed on the cluster members list. 8 From the cluster members list, edit the primary unit (master), and verify the cluster configuration is as expected. 9 Go to System > Config > HA > View HA Statistics and view information about the cluster and the traffic it is processing.
72
Upgrading the firmware installed on a FortiGate HA cluster

Problem Fortinet has released a new version of
FortiOS. You want to know what firmware version is currently running on your FortiGate HA cluster and how to upgrade to the latest version.
Solution You can upgrade the FortiOS firmware

running on an HA cluster in the same manner as upgrading the firmware running on a standalone FortiGate unit. During a normal firmware upgrade, the cluster upgrades the primary unit and all subordinate units to run the new firmware image. The firmware upgrade takes place without interrupting communication through the cluster. Upgrading cluster firmware to a new major release (for example upgrading from 3.0 MRx to 4.0 MRx) is supported for clusters. Make sure you are taking an upgrade path described in the Release Notes. Even so you should back up your configuration. Only perform a firmware upgrade during a maintenance window. View the current firmware version from the web-based manager and CLI. Download a new version of FortiOS from the Fortinet Customer Support web site and install it from the webbased manager. Firmware images for all FortiGate units are available on the Fortinet Customer Support web site. You must register your FortiGate unit to access firmware images. Register the FortiGate unit by visiting http://support.fortinet.com and select Product Registration. 1 Log in to the web-based manager and view the dashboard System Information widget to see the Firmware Version currently installed on your FortiGate unit. From the FortiGate CLI, you can also enter the following command. The first output line indicates FortiOS firmware version installed on your FortiGate unit: get system status Version: Fortigate-5001B v4.0,build0458,110627 (MR3 Patch 1) Virus-DB: 11.00679(2010-04-09 13:44) Extended DB: 1.00234(2010-04-09 16:38) Extreme DB: 1.00234(2010-04-09 16:37) IPS-DB: 3.00000(2011-05-18 15:09) FortiClient application signature package: 1.421(2011-09-14 20:27) Serial-Number: FG-5KB3E10700037 BIOS version: 04000004 Log hard disk: Available Hostname: FG-5KB3E10700037 Operation Mode: NAT Current virtual domain: root Max number of virtual domains: 10 Virtual domains status: 1 in NAT mode, 0 in TP mode Virtual domain configuration: disable FIPS-CC mode: disable Current HA mode: a-p, master Distribution: International Branch point: 458 Release Version Information: MR3 Patch 1 FortiOS x86-64: Yes System time: Wed Sep 14 20:53:41 2011
73
2 To download a newer firmware version, browse to http://support.fortinet.com and select a Download Firmware Images link. 3 Log in using your Fortinet account user name and password. 4 Go to Download Firmware Images > FortiGate. 5 Select FortiGate firmware images and browse to the FortiOS firmware version that you want to install (for example, browse to FortiGate/v4.00/4.0MR3/MR3_Patch_1). 6 Locate and download the firmware for the FortiGate units in your HA cluster. 7 Download and read the Release Notes for this firmware version. Always review the Release Notes before installing a new firmware version in case you cannot update to the new firmware release from the one that you are currently running. 8 Backup your configuration from the System Information dashboard widget. Always remember to back up your configuration before doing any firmware upgrades.
9 Go to System > Dashboard > Status. 10 Under System Information > Firmware Version, select Update. 11 Find the firmware image file that you downloaded and select OK to upload and install the firmware build on the FortiGate unit.
Results To upgrade the firmware without interrupting communication through the cluster, the cluster
goes through a series of steps that involve first upgrading the firmware running on the subordinate units, then making one of the subordinate units the primary unit, and finally upgrading the firmware on the former primary unit. These steps are transparent to the user and the network, but depending upon your HA configuration may result in the cluster selecting a new primary unit. From the FortiGate web-based manager go to System > Dashboard > Status. In the System Information widget, the Firmware Version will show the updated version of FortiOS (or from the CLI enter get system status). There is a possibility that the firmware upgrade from the web-based manager does not load properly. If this occurs, you may find that some of the FortiGate units in the cluster will not boot, or continuously reboot. It is best to perform a fresh install of the firmware from a reboot using the CLI. This procedure installs a firmware image and resets each FortiGate unit to default settings. Once the new firmware versions is installed you can restore the configuration of the FortiGate units in the cluster and the cluster should reform. For more information, see Installing FortiGate firmware from a TFTP server on page 28.
74
Connecting multiple networks to a FortiGate interface using virtual LANs (VLANs)

Problem Connecting three internal networks to the
FortiGate internal interface using VLANs to keep the three networks separate.
Engineering network 192.168.10.0 VLAN ID 10
N VLAN ch h Switch
in te rn al
Sales network 192.168.30.0 V VLAN ID 30
Solution This solution uses VLANs to connect three

networks to the FortiGate internal interface in the following way:
FortiGate Unit FortiGate Unit a Marketing in NAT/Route mode network 192.168.20.0 VLAN ID 20
Packets from each network pass through a VLAN switch before reaching the FortiGate unit. The VLAN switch adds different VLAN tags to packets from each network. To handle VLANs on the FortiGate unit, add VLAN interfaces to the internal interface for each network Add a DHCP server to each VLAN interface. Create security policies to allow each network to access the Internet. This solution assumes you have configured a VLAN switch to tag packets from the three networks. Add VLAN interfaces 1 Go to System > Network > Interface and select Create New to add a VLAN interface for the engineering network: Name Type Interface VLAN ID Addressing mode IP/Netmask Engineering-net VLAN internal 10 Manual 192.168.10.1
2 Select Create New to add a VLAN interface for the marketing network: Name Type Interface VLAN ID Addressing mode IP/Netmask Marketing-net VLAN internal 20 Manual 192.168.20.1
3 Select Create New to add a VLAN interface for the sales network: Name Type Interface
Sales-net VLAN internal

75
an
VLAN ID Addressing mode IP/Netmask
30 Manual 192.168.30.1
Add DHCP servers to each VLAN interface 1 Go to System > Network > DHCP Server and select Create New to add a DHCP server for the marketing network: Interface Name Mode Type IP Network Mask Default Gateway DNS Service Marketing-net Server Regular 192.168.10.100 - 192.168.10.200 255.255.255.0 192.168.10.1 Use System DNS Setting
2 Select Create New to add a DHCP server for the engineering network: Interface Name Mode Type IP Network Mask Default Gateway DNS Service Engineering-net Server Regular 192.168.20.100 - 192.168.20.200 255.255.255.0 192.168.20.1 Use System DNS Setting
3 Select Create New to add a DHCP server for the sales network: Interface Name Mode Type IP Network Mask Default Gateway DNS Service Sales-net Server Regular 192.168.30.100 - 192.168.30.200 255.255.255.0 192.168.30.1 Use System DNS Setting
4 Configure the devices on the networks to get their addresses using DHCP. 5 For devices with manual IP configurations, make sure their default routes point to the correct FortiGate VLAN interface.
Add security policies to allow each network to access the Internet 1 Go to Policy > Policy > Policy and select Create New to add a security policy that allows users on the engineering network to connect to the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Engineering-net all wan1 all Always ANY ACCEPT
2 Select Create New to add a security policy that allows users on the marketing network to connect to the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Marketing-net all wan1 all Always ANY ACCEPT
3 Select Create New to add a security policy that allows users on the sales network to connect to the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Sales-net all wan1 all Always ANY ACCEPT
Results Users from any of the networks should be able to connect to the Internet. Go to Policy >
Monitor > Policy Monitor to view information about sessions through the FortiGate unit. If users on the networks cannot connect to the Internet, re-check your FortiGate configuration. You can also try the steps described in Troubleshooting NAT/Route mode installations on page 20.
77
Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit
rt3 po .20 20 .1 20 2. 17
Problem Providing Internet connectivity and

security for two private networks with a single FortiGate unit.
Gateway Router 172.20.120.2
rt1 po .10 20 .1 20 2. 17
VD -B M O VD -A M O 1 0. .2 rt4 68 po 2.1 19
Solution Use Virtual domains (VDOMs) to divide

the FortiGate unit into two or more virtual instances of FortiOS that function similar to two independent FortiGate units. Each VDOM has its own physical interfaces, routing configuration, and security policies.
1 0. .1 rt2 68 po 2.1 19
Company A 192.168.10.0 Company B 192.168.20.0
FortiGate Unit with two Virtual Domains
This example simulates an ISP that provides Company A and Company B with Internet services. Each company would have its own Internet IP address and internal network. This configuration requires: Two VDOMs: VDOM-A and VDOM-B each operating in NAT/Route mode with two interfaces, one for a connection to the Internet and one for a connection to the internal network. The routing configuration of the example is simplified to only require a default static route from each VDOM to an Internet gateway router. Create VDOM-A and VDOM-B Enable multiple VDOM mode, create the VDOMS, configure interfaces and add them to their VDOMs. 1 Connect to the FortiGate web-based manager and from the Dashboard System Information widget select Enable beside Virtual Domain. 2 Go to System > VDOM > VDOM and select Create New to create two VDOMs with the following configuration: For company A: Name Enable Operation Mode For company B: Name Enable Operation Mode VDOM-B Select NAT VDOM-A Select NAT
78
3 Go to System > Network > Interface and Edit port1 and add it to VDOM-A. Name Virtual Domain Addressing Mode IP/Netmask port1 VDOM-A Manual 172.20.120.10/255.255.255.0
Edit port2 and add it to VDOM-A: Name Virtual Domain Addressing Mode IP/Netmask Administrative Access port2 VDOM-A Manual 192.168.10.1/255.255.255.0 HTTPS, PING, SSH
Edit port3 and add it to VDOM-B: Name Virtual Domain Addressing Mode IP/Netmask port3 VDOM-B Manual 172.20.120.20/255.255.255.0
Edit port4 and add it to VDOM-B: Name Virtual Domain Addressing Mode IP/Netmask Administrative Access port4 VDOM-B Manual 192.168.20.1/255.255.255.0 HTTPS, PING, SSH
4 Go to System > Admin > Administrators and select Create New to add an administrator for VDOM-A. Administrator Type Password Confirm Password Admin Profile Virtual Domain a-admin Regular passw0rda passw0rda prof_admin VDOM-A
79
5 Go to System > Admin > Administrators and select Create New to add an administrator for VDOM-B. Administrator Type Password Confirm Password Admin Profile Virtual Domain b-admin Regular passw0rdb passw0rdb prof_admin VDOM-B
Create a basic configuration for VDOM-A Add a default route, a DHCP server, and security policy to allow company-A users to get their IP configuration from the FortiGate unit, and connect to the Internet. 1 Beside Current VDOM select VDOM-A. 2 Go to Router > Static > Static Route and select Create New to add the default route for VDOM_A. Destination IP/Mask Device Gateway 0.0.0.0/0.0.0.0 port1 172.20.120.2
3 Go to System > Network > DHCP Server and select Create New to add a DHCP server. Interface Name Mode Type IP Network Mask Default Gateway port2 Server Regular 192.168.10.100-192.168.10.200 255.255.255.0 192.168.10.1
4 Configure the DNS Service as required for the network. 5 Select OK to save the port2 DHCP server. 6 Connect a PC to the port2 interface and configure it to get an IP address automatically using DHCP. 7 Log in to VDOM-A by browsing to https://192.168.10.1 and entering a-admin as the Name and passw0rda as the Password. 8 Go to Policy > Policy > Policy and select Create New to create a security policy that allows users on the company A internal network to connect to the Internet. Source Interface/Zone Source Address Destination Interface/Zone
80
port2 all port1

9 Select Enable NAT and Use Destination Interface Address. 10 Select OK to save the security policy. 11 Test the configuration by connecting to the Internet from the PC. You should be able to connect to the Internet, if not check the configuration or use the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem.
12 Configure the computers on the company A network to get their IP configuration automatically using DHCP. Create a basic configuration for VDOM-B Add a default route, a DHCP server, and security policy to allow company-B users to get their IP configuration from the FortiGate unit, and connect to the Internet. 1 Log in to the FortiGate unit as the admin administrator (or any administrator with the super_admin profile). 1 Beside Current VDOM select VDOM-B. 2 Go to Router > Static > Static Route and select Create New to add the default route for VDOM_A. Destination IP/Mask Device Gateway 0.0.0.0/0.0.0.0 port3 172.20.120.2
3 Go to System > Network > DHCP Server and select Create New to add a DHCP server. Interface Name Mode Type IP Network Mask Default Gateway port4 Server Regular 192.168.20.100-192.168.20.200 255.255.255.0 192.168.20.1
4 Configure the DNS Service as required for the network. 5 Select OK to save the port4 DHCP server. 6 Connect a PC to the port4 interface and configure it to get an IP address automatically using DHCP. 7 Log in to VDOM-B by browsing to https://192.168.20.1 and entering b-admin as the Name and passw0rdb as the Password.
8 Go to Policy > Policy > Policy and select Create New to create a security policy that allows users on the company B internal network to connect to the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action port4 all port3 all always ANY ACCEPT
9 Select Enable NAT and Use Destination Interface Address. 10 Select OK to save the security policy. 11 Test the configuration by connecting to the Internet from the PC. You should be able to connect to the Internet, if not check the configuration or use the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem.
12 Configure the computers on the company B network to get their IP configuration automatically using DHCP.
Results Connect to the Internet from the company A and company B networks. From either VDOM, go
to Policy > Monitor > Policy Monitor and confirm that the policies that you added are allowing traffic through the individual VDOMs. You can use the packet sniffer to verify that traffic is staying in a VDOM. For example, enter the following command from the FortiGate CLI and then ping from one of the internal networks to an address on the Internet. diagnose sniffer packet any 'icmp' 4 10 interfaces=[any] filters=[icmp] 10.728968 port4 in 192.168.20.100 -> 66.171.121.34: icmp: echo request 10.729158 port3 out 172.20.120.20 -> 66.171.121.34: icmp: echo request 10.821152 port3 in 66.171.121.34 -> 172.20.120.20: icmp: echo reply 10.821288 port4 out 66.171.121.34 -> 192.168.20.100: icmp: echo reply 11.729230 port4 in 192.168.20.100 -> 66.171.121.34: icmp: echo request 11.729431 port3 out 172.20.120.20 -> 66.171.121.34: icmp: echo request 11.821349 port3 in 66.171.121.34 -> 172.20.120.20: icmp: echo reply 11.821481 port4 out 66.171.121.34 -> 192.168.20.100: icmp: echo reply The command output shows sessions only uses the port4 and port3 interfaces, both of which are in VDOM-B. If you log in as an administrator with the super_admin profile, you can sniff any interface. If you log in as a-admin or b-admin (an administrator for a single VDOM), you can only sniff interfaces in the administrators VDOM. To access the packet sniffer, you must log in to a VDOM, you cannot access the packet sniffer from the global configuration.
82
Setting up an administrator account for monitoring firewall activity and basic maintenance
In te rn
e fil ro o r s _p at in tr m nis ad mi ad
r ito r on to _m tra nt is ai in m dm a
Problem You want to add a login for an administrator to be

responsible for system maintenance, firmware updates and general monitoring and logging of the FortiGate unit for reporting purposes, but dont want them to have full configuration access.
Solution Create a new admin profile that only allows the administrator to view and maintain
configuration options, and viewing and configuring log information and reports. Create an administrative user, Terry White, with the monitoring profile. 1 Go to System > Admin > Admin Profile and select Create New. 2 Enter the Profile Name of maint_monitor and set the following settings to Read-Write: FortiGuard Update Maintenance Log & Report 3 Go to System > Admin > Administrators and select Create New to add the following administrator: Administrator Type Password Confirm Password Admin Profile Terry_White Regular password password maint_monitor
The admin profile dictates what of the FortiGate configuration the administrator can see and configure from web-based manager and CLI. You can add multiple profiles and assign users and administrators different profiles depending on what they are tasked to do with the FortiGate unit.
Results Log in to the FortiGate using the user name of Terry_White and the password of password.
When logged in, the web-based manager menus and sub-menus related to the access control you configured appear. The OK or Apply buttons will not appear in settings that may be editable on a Read-Write page.
al N et w or k t ni U r e ve at er iG S rt P Fo HC D
83
To confirm that Terry White has logged in successfully, from the FortiGate web-based manager go to Log&Report > Event Log to see the login message in the Action column.
Select the log entry to view the detailed information, which indicates the admin user connected. The Message row indicates that Terry White connected successfully from 192.168.1.1. The Profile Name row also indicates the admin profile in use.
Go to System > Dashboard > Status, and look at the System Information widget. In the Current Administrator row, it will indicate the number of administrators logged in.
Selecting Details shows the information of Terry White logged in as an administrator.
84
Creating a local DNS server listing for internal web sites and servers
Creating a local DNS server listing for internal web sites and servers
Problem Keeping DNS traffic for company server
lookups off of the Internet and on the internal network.
Int er n al N etw ork
Internal server name: info.company.com IP: 192.168.1.2 Internal DNS Queries FortiGate DN DNS Database
Solution On a FortiGate unit, enable DNS databases,
Fo
rtiG
nit create an internal DNS database with the IPs/names/URLs of internal sites, and enable the DNS server on the FortiGate internal interface. Configure the internal network to use the FortiGate internal interface as the authoritative DNS server. This way, when internal users request a URL, the FortiGate unit will look to its internal DNS. To lookup external names, the FortiGate unit forwards DNS requests to external DNS servers.
ate
The DNS server setting on the devices on the internal network must use the FortiGate internal interface as their DNS server. 1 Go to System > Admin > Settings, select DNS Database and select Apply. 2 Go to System > Network > DNS Server and select Create New to add a new DNS Database: Type View DNS Zone Domain Name Master Shadow Internal company.com
3 Select OK to save this DNS database. 4 To add DNS Entries, select Create New and enter the name and IP address of an internal site: Type Hostname IP Address Address (A) info 192.168.1.2
5 Select OK to save this DNS database. 6 Go to System > Network > DNS Server and select Create New under DNS Service on Interface to configure the mode for queries to the DNS database received at the Internal interface. Interface Mode Internal Recursive
Results
7 Select OK to save the DNS service mode for the internal interface. To verify that the DNS database is being used, go to System > Network > DNS and temporarily remove the primary and secondary DNS server settings. That is, leave them empty, and browse to the http://info.company.com web site. The web site will appear, while surfing to any other site will not work. This shows that the FortiGate unit is using its internal DNS database to resolve the configured web site.
85
Assigning IP addresses according to a MAC address using DHCP
Assigning IP addresses according to a MAC address using DHCP

Problem Ensure that certain users or PCs always have the
same IP address when the FortiGate unit assigns addresses using DHCP. This feature can be used to ensure that certain users can always connect to the network, or to track Internet usage by IP address even if IP addresses are assigned automatically by the FortiGate DHCP server.
In te rn al N et w or k
F DH ortiG CP ate Se Un rve it r
RE
E RV SE
Reserved IP: 10.10.10.18 MAC: 00:13:72:38:6a:39
Solution If you have an existing DHCP server enabled on the FortiGate unit, enable IP reservation within
the DHCP service settings and then add the MAC addresses of PCs that you want to always get the same IP address. 1 Go to System > Network > DHCP Server and Edit the DHCP server. 2 Select IP Reservation and select Create New and add a MAC IP address pair: IP MAC Address 10.10.10.18 00:13:72:38:6a:39
The IP address must be within the range defined by the DHCP server.
If the PC is already connected and has acquired an IP address from the DHCP server, you can set get its MAC address and IP address by selecting Add from DHCP Client List. When the list appears, select the PC from the list and select Add To Reserved.
Results The PC will always acquire the reserved IP address from the FortiGate DHCP server.
Verify that the PC has acquired the correct IP address by viewing its IP configuration or status. For example, from a command prompt, you may be able to enter the command ipconfig/all. From the FortiGate web-based manager, go to System > Monitor > DHCP Monitor to view the list of PCs that are using the DHCP server to acquire IP addresses. The PC with the reserved address will appear with an R next to the address.
If you do not see the PC in the DHCP Monitor or if the R icon is not visible, you may need to either restart the PC, or renew its IP configuration.
86
Setting up the FortiGate unit to send SNMP traps

Problem You want to receive SNMP traps (or event
notifications) when a FortiGate unit experiences system events, like high CPU usage, low log disk space, or UTM events such as a virus being detected, IPS detecting an attack and so on.
Int er n al N etw ork Fo rtiG ate Un
SNMP Manager IP: 192.168.1.10 SNMP Traps
FortiGate SN SNMP Agent
it
Solution Enable SNMP to collect SNMP v1/2c traps for the

status of the FortiGate unit. 1 Go to System > Config > SNMP and select Enable to enable the FortiGate SNMP agent. 2 Configure the agent as follows: Description Location Contact Company FortiGate unit Head Office, server room admin@company.com
3 Select Apply to save the configuration and start the FortiGate SNMP agent. 4 Select Create New for SNMP v1/c2c. 5 Enter the Community Name of Example Company. 6 Add the IP address of a Host that can receive SNMP traps by selecting Add under Hosts. 7 Set the IP Address/Netmask to 192.168.1.10/255.255.255.0 and the Interface to internal. You can also set the IP address/Netmask to 0.0.0.0/0.0.0.0 and the Interface to ANY so that any SNMP manager at any network connected to the FortiGate unit can use this SNMP community and receive traps from the FortiGate unit. How do I get FortiGate MIBs? There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units. The two FortiGate MIB files are available on the Fortinet Customer Support web site. The Fortinet MIB contains information for Fortinet products in general. the Fortinet FortiGate MIB includes the system information for FortiGate unit and version of FortiOS. Both files are required for proper SNMP data collection. 1 Login to the Customer Support web site at https://support.fortinet.com. 2 Go to Download >Firmware Images. 3 Log in using your Fortinet account. 4 Select FortiGate > v4.00 > Core MIB. 5 Select and download the FORTINET-CORE-MIB.mib file. 6 Move up one directory level. 7 Select the firmware version, revision and patch (if applicable). 8 Select the MIB directory. 9 Select and download the FORTINET-FORTIGATE-MIB.mib file.
87
Local-in policies You can also use local-in policies to provide further access control for all management traffic, including SNMP traffic. For example, you could use the following local-in policy to allow SNMP access to the internal interface from the address range 172.20.120.100 - 172.20.120.110: config firewall address edit local-address-range set associated-interface internal set type iprange set start-ip 172.20.120.100 set end-ip 172.20.120.110 end config firewall local-in-policy edit 0 set intf internal set srcaddr local-address-range set dstaddr all set action accept set service SNMP set schedule always end
Results Configure the SNMP manager at 192.168.1.10 to receive traps from the FortiGate unit. The do
something to trigger a trap, for example, change the IP address of a FortiGate interface. Verify that the SNMP manager receives the trap. You can also send a trap by enabling antivirus in a security policy and try downloading an eicar test file from http://eicar.org. This will trigger a Virus detected event, sending a trap. You can also view the UTM log by going to Log&Report > Log & Archive Access > UTM Log.
88
Troubleshooting by sniffing packets (packet capture)

Problem I hear packet sniffing is used for troubleshooting network
problems, but I dont know how.
Solution When troubleshooting networks, it helps to look inside the

header of the packets. This helps to determine if the packets, route, and destination are all what you expect. Packet sniffing can also be called a network tap, packet capture, or logic analyzing. When to use packet sniffing Packet sniffing tells you what is happening on the network at a low level. This can be very useful for troubleshooting problems, such as: finding missing traffic seeing if sessions are setting up properly locating ARP problems such as broadcast storm sources and causes confirming which address a computer is using on the network if they have multiple addresses or are on multiple networks confirming routing is working as you expect wireless client connection problems intermittent missing PING packets a particular type of packet is having problems, such as UDP, which is commonly used for streaming video What sniffing packets can tell you If you are running a constant traffic application such as ping, packet sniffing can tell you if the traffic is reaching the destination, how the port enters and exits the FortiGate unit, if the ARP resolution is correct, and if the traffic is returning to the source as expected. You can also use packet switching to verify that NAT or other configuration is translating addresses or routing traffic the way that you want it to. Before you start sniffing packets, you need to have a good idea of what you are looking for. Sniffing is used to confirm or deny your ideas about what is happening on the network. If you try sniffing without a plan to narrow your search, you could end up with too much data to effectively analyze. On the other hand, you need to sniff enough packets to really understand all of the patterns and behavior that you are looking for. You can find more examples of packet sniffing throughout this document. How to sniff packets The sniffer command is CLI-only. and the syntax is: diag sniffer packet {<interface> | any} {filter_str| none } {1 | 2 | 3 | 4 | 5 | 6} <pkt_count> Interface and filter arguments are required. To stop the sniffer, press Ctrl+C. The name of the FortiGate unit interface to sniff, such as port1 or internal or VLAN18. Alternatively use any to sniff all interfaces.
{ <interface> | any }
89
Only packets that include the text in the filter will be displayed. The filter can include logical statements such as and or or. { filter_str | none } none indicates no filtering, and all packets will be displayed as the other arguments indicate. The filter must be inside single quotes (). The level of verbosity. 1 - header of packets 2 - header and data from IP of packets {1 | 2 | 3 | 4 | 5 | 6} 3 - header and data from Ethernet of packets 4 - header packets with interface name 5 - header and data from IP of packets with interface name 6 - header and data from Ethernet packets with interface name. The default level of verbosity is 1. The number of packets the sniffer displays before stopping. < pkt_count > If you do not put a number here, the sniffer will run forever until you stop it by pressing Ctrl+C.
Sniffer output description for TCP packets A simple example: # diag sniffer packet internal none 4 3 This command looks for all packets on the internal interface and returns the packet headers with interface names attached for first three packets. Three packets was selected for this example so the output would not overwhelm you. During normal troubleshooting, you will want to capture a larger number of packets to get a better picture of the network. Also note that if you run this command you will not see the same three packets listed here, but they will have similar information displayed.
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261 internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918816 ack 1949135261 internal out 192.168.0.30.1144 -> 192.168.0.1.22: ack 2859918884
From the look of these packets they are part of a TCP SSH exchange. Lets look at the first packet sniffed:
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261
The sniffer displayed the following info about the first packet: internal the FortiGate interface where the packet was found. in the direction of the packet at the interface for inbound. 192.168.0.1.22 the IP address with port number of the packet source (a source IP of 192.168.0.1 with the source port number 22, which is generally associated with SSH). 192.168.0.30.1144 the IP address with port number of the packet destination (a destination IP of 192.168.0.30 with the destination port number 1144). psh one of the nine flags from TCP headers (ns, cwr, ece, urg, ack, psh, rst, syn, fin). psh stands for push function, which asks to push the buffered data to the receiving application. 2859918764 the TCP sequence number. The sequence number, which starts with 285, is incrementing by small amounts over the three sniffed packets. ack the acknowledgement flag is set.
90
1949135261 the acknowledgement number. If ACK is set, this is the next sequence number the receiver is expecting, in effect acknowledging all prior bytes. You will notice from this description that, after the IP and port information, all the information is TCP specific. This information will change, depending on the type of packet (tcp, arp, udp, ip, gre, etc.). Regardless of how in-depth you need the information to give you, you need to be familiar with the packet header structure for your type of packets. The TCP flag and sequence information is displayed because verbosity level 4 was selected. This information can be useful to ensure that all the traffic for a session is reaching its destination, and that the session was properly established. Sniffing icmp (ping) packets This example sets up a computer to ping the internal interface of the FortiGate unit non-stop and sniff for icmp packets on the internal interface. Ensure that ping administrative access is enabled on the internal interface; otherwise, you will not be able to see the output shown below.
From any computer run a continuous ping to IP address 172.20.120.136 and on the FortiGate CLI enter the following command:
# diag sniffer packet internal 'icmp' 4 5 interfaces=[any] filters=[icmp] 16.776272 internal in 172.20.120.17 -> 172.20.120.136: icmp: echo request 16.776462 internal out 172.20.120.136 -> 172.20.120.17: icmp: echo reply 17.777280 internal in 172.20.120.17 -> 172.20.120.136: icmp: echo request 17.777360 internal out 172.20.120.136 -> 172.20.120.17: icmp: echo reply 18.778176 internal in 172.20.120.17 -> 172.20.120.136: icmp: echo request
This output captured the 16th, 17th, and 18th ping echo requests that were sent out from 172.20.120.17, and the 16th and 17th replies from the FortiGate unit. You can tell this from the number at the start of each line the 16, 17, or 18, which indicates the packet number and sequence. It is useful to check this number to see if you are dropping packets. The echo or echo reply tells you which direction the packet is travelling without the IP address. Note that there is no other information displayed because icmp packets carry very little information. If you have icmp packets from other sources showing up in your sniffing, you can add a basic filter to select only packets to or from 172.20.120.17. To do this, the sniffer command would become: diag sniffer packet any icmp and host 172.20.120.17 4 5. Filtering is described in more detail in Advanced troubleshooting by sniffing packets (packet capture) on page 94. Verbosity level on a random UDP packet So far, the verbosity level has only determined if interface information is shown or not. However, it can also be used to display the content or payload of the packets. This is useful if you have packets with headers inside packets, or other specific plain text information you can read from the packets.
91
This example shows how to sniff one udp packet on any network of the FortiGate unit at verbosity level 6 to show the packet contents and interface. # diag sniffer packet any 'udp' 6 1 interfaces=[any] filters=[udp] 1.865746 wan1 out 172.20.120.136.60718 -> 0x0000 0000 0000 0000 0009 0f30 ca51 0800 0x0010 003f cee2 0000 4011 771f ac14 7888 0x0020 0808 ed2e 0035 002b c997 db37 0100 0x0030 0000 0000 0000 0361 7273 056f 7363 0x0040 0361 6f6c 0363 6f6d 0000 0100 01
8.8.8.8.53: udp 35 4500.........0.Q..E. 0808.?....@.w...x... 0001.....5.+...7.... 6172.......ars.exmpl .aol.com.....
This packet is going out on the wan1 interface, using port 60718. Its destination is 8.8.8.8 using port 53. All six lines of output are for a single packet, and this is a small packet. TCP packets are much larger. The IP address 8.8.8.8 is Googles public DNS address. UDP port 53 is used for DNS lookups, and FortiGuard communications. In this case, it seems safe to say its a DNS lookup. If we look at the payload for the packet, we can see the address ars.exmpl.aol.com, which appears to be a domain name to be resolved. Examining DNAT HTTP packets Here is a practical example to show how this all comes together. Sniffing can show you what NAT is taking place instead of you guessing. Test destination NAT by browsing to http://172.20.120.14 from the Internet. The session passes through the FortiGate unit to the web server which sends a response. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 4 interfaces=[any] filters=[port 80] 6.150356 wan1 in 172.20.120.12.51439 -> 172.20.120.14.80: syn 15893888 6.150637 internal out 172.20.120.12.51439 -> 192.168.1.110.80: syn 15893888 6.150803 internal in 192.168.1.110.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889 6.150974 wan1 out 172.20.120.14.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
The first output line shows a packet from a client device with IP address 172.20.120.12 was received by the wan1 interface with destination address 172.20.120.14 and destination port 80. The second output line shows that when the packet exits the internal interface the destination address is changed to 192.168.1.110 and the destination port is still 80. The third output line shows the response from the web server. The fourth output line shows the response from the web server being returned to the client device. The source address has been changed back to 172.20.120.14. In this example, the source port is not changed.
Best Here are some tips that will improve your troubleshooting when using the sniffer. Practices Always log output to a file that you can search, sort, and process later. You can also send
the output log to Fortinet support to assist them in solving your issue. Visualize the path you expect the packets in question are using. It will help you write your sniffer command more accurately and reduce your troubleshooting. If you are not getting the results you expect, broaden your search parameters. Its possible things are behaving differently than you expect.
92
You need to know the details about the packet type you are sniffing to maximize the benefits. Otherwise there will be useful information you do not understand in the sniffing results. Keep your connection method in mind when sniffing packets. If you are web browsing to the FortiGate unit, web protocol packets may be affected. If you are using Telnet to connect, those packets will affect the sniffing results. If you are sniffing VLAN packets, any configured filter will stop VLAN tags from being displayed.
93
Advanced troubleshooting by sniffing packets (packet capture)

Problem How do I use filters for sniffing? They are really confusing. Solution You can perform some basic packet sniffing and network
troubleshooting without using packet sniffing filters. However, with filters, you can fine tune your troubleshooting to the point of being able to find a specific ping packet on a busy network. When packet sniffing, the filter field is very flexible. By using the filter option, you can: match the source hostname or IP address match the type of packet (arp, ip, gre, esp, udp, tcp, icmp) match the port number logically AND or OR parts of the filter with each other specify a certain byte in a packet The default format of the filter syntax is: [[src|dst] host <host_name_or_IP1>] [[arp|ip|gre|esp|udp|tcp|icmp] [port_no]] [and | or] [..] Lets look at each of the different parts to the filter. Keep in mind that in addition to these formats, you can also search for individual words using the filter. The following are examples. IP matching with filters Lets look at the hostname and IP matching [[src|dst] host <host_name_or_IP1>]. It allows you to specify either the source or destination host. For example if you want to sniff packets coming from IP address 192.168.1.27 you would set the filter to src host 192.168.1.27. If you want to sniff packets going to a computer called my_laptop, the filter would be dst host my_laptop. This host name is resolved using DNS. In each case, when the sniffer finds packets from that computer, the packets will match the filter and be displayed. You can enter two or more different computers using this format and join them with logical ANDs or ORs. For example, you could specify one source and two destinations. In the following example, lets assume a computer on the network is pinging the FortiGate unit. We will only be looking for ping packets with a source of 172.20.120.136 which is the FortiGate unit. diag sniffer packet any 'icmp and src host 172.20.120.136' interfaces=[any] filters=[icmp and src host 172.20.120.136] 0.319302 172.20.120.136 -> 172.20.120.17: icmp: echo reply 1.348780 172.20.120.136 -> 172.20.120.17: icmp: echo reply 2.355177 172.20.120.136 -> 172.20.120.17: icmp: echo reply 3.356008 172.20.120.136 -> 172.20.120.17: icmp: echo reply 4 packets received by filter 0 packets dropped by kernel
94
The result displays four packets, all ping (icmp) packets, originating from the FortiGate unit and going to 172.20.120.17. This time there was no verbosity level indicated or number of packets. A default verbosity level 1 is used, and the sniffing continues until you press Ctrl-C to stop it. Note that the last two lines tell you how many packets were sniffed and if the FortiGate kernel dropped any packets during this time. When the sniffing has ended, if you see anything but zero packets dropped, you may have a problem. Packets dropped indicates the FortiGate unit was not able to sniff and display all the packets that were coming in. If you were looking for all the packets in a sequence, there may well be packets missing. For this reason, you should consider possible reasons for those dropped packets, attempt to fix the problem so all packets are captured, and run the sniffer again. Keep in mind that the sniffer can take up to 25% of the CPU resources on smaller FortiGate units. Sniffing a port and specifying multiple hosts using AND and OR operators When a TCP session is created, the destination port is set to a known port number for example, port 80 is commonly used for HTTP sessions. But the source port is randomly assigned. The unknown source port can make troubleshooting difficult. However, the FortiGate packet sniffer can match the known port if it is the source or destination port you do not need to know which port. Lets check HTTP packets going between IP 172.20.120.18 (the FortiGate) and on either 10.10.80.110 (wifi interface called Star) or 10.10.10.100 (internal LAN interface).
diag sniffer packet any "port 80 and host 172.20.120.18 and (host 10.10.80.110 or host 10.10.10.100)" 4 interfaces=[any] filters=[port 80 and host 172.20.120.18 and (host 10.10.10.100 or host 10.10.80.110)] 5.036340 internal in 10.10.10.100.58753 -> 172.20.120.18.80: syn 4189154 5.036664 internal out 172.20.120.18.80 -> 10.10.10.100.58753: syn 1354149395 ack 4189155 6.464015 Star out 172.20.120.18.80 -> 10.10.80.110.56791: syn 2000204115 ack 571678006 6.471966 Star in 10.10.80.110.56791 -> 172.20.120.18.80: ack 2000204116 6.474720 Star in 10.10.80.110.56791 -> 172.20.120.18.80: psh 571678006 ack 2000204116 5.036837 internal in 10.10.10.100.58753 -> 172.20.120.18.80: ack 1354149396 5.037023 internal in 10.10.10.100.58753 -> 172.20.120.18.80: psh 4189155 ack 1354149396 6.463686 Star in 10.10.80.110.56791 -> 172.20.120.18.80: syn 571678005
Since either the source or destination will be using port 80, all HTML traffic between those two computers will match the filter and be displayed. SSH and HTTPS traffic uses different ports, so that traffic will not be displayed. The first number of each line of output will vary between sources and is a good way to quickly determine which IP addresses are in that session. Packet type filters Lets look at the packet type [arp|ip|gre|esp|udp|tcp]. This determines what type of packets to look for. In addition to the common ICMP, IP, TCP, and UDP you can look for ARP (address resolution protocol), GRE (generic routing encapsulation), and ESP (encapsulating security payload) packets. If the protocol you want isnt listed here you can specify it if you know the ethernet protocol number for it. For example to specify ARP packets on the internal interface with this method: diag packet sniffer internal ether proto 0x0806 Lets sniff some ARP packets from a gateway on the network at IP address 172.20.120.2. For this we dont care about the interface, and five packets will be enough to see what is happening.
95
# diag sniffer packet any 'arp' 1 5 interfaces=[any] filters=[arp] 1.187291 arp who-has 192.168.100.1 tell 192.168.100.99 2.187125 arp who-has 192.168.100.1 tell 192.168.100.99 2.858334 arp who-has 172.20.120.228 tell 172.20.120.224 2.889542 arp who-has 172.20.120.224 tell 172.20.120.228 4.187019 arp who-has 192.168.100.1 tell 192.168.100.99 From this output, we can see ARP requests from a computer with IP address 192.168.100.99 that is looking for the MAC address of a computer with the IP address 192.168.100.1. In the ARP protocol, the who-has request is broadcast and includes the link layer address of where to send the reply. The expected response, when a computer has the 192.168.100.1 IP address, will be in the format arp reply 192.168.100.1 is at 00:26:b9:00:0f:9c. Since there is no such reply in the sniffed packets, we can either sniff more packets or assume there is no computer on the network with the IP address 192.168.100.1. This may be important if a computer is supposed to be using that IP address and is not. It could imply DHCP problems, or that the computer was physically moved to a different part of the network. ARP packets can be the source of problems if there is a network loop. As mentioned above, ARP tries to match a single MAC address to a single IP address. If the request results in two or more replies with the same IP address, or different IP addresses have the same MAC address, as may happen with virtual networking solutions, the loop or asymmetric routing is created. Essentially, all traffic will go to and from both computers. This will appear as a network slowdown or halt. You can see this happening if you are sniffing ARP packets and seeing the double replies or double MAC addresses. To confirm that this is the issue, enter the CLI command config system settings, set asymroute enable, end. This will turn on asymmetric routing, stop these ARP problems, and disable stateful inspection. Disabling stateful inspection will compromise security, so in most cases you should only use this command to confirm a problem. Once the problem is confirmed, use the sniffer output to find and fix the source and then disable asymmetric routing. Miscellaneous advanced filters There are some non-standard filters you can use to match traffic with the packet sniffer. These advanced filters use logical symbols to match specific bits within packet headers. Some examples are: If you want to match TTL = 1 in the packet headers on port2: # diagnose sniffer packet port2 ip[8:1] = 0x01 If you want to match packets with a source IP address of 192.168.1.2 in the header: # diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)" The source and destination information are stored in different places in the packet headers. If you want to match packets with a source MAC address of 00:09:0f:89:10:ea on the internal interface # diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)" where matching packets with the same MAC address as a destination MAC on the internal interface is # diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)" You can also target specific types of packets, such as addressing the TCP or UDP flags. If you want to match packets with RST flag set:
96
# diagnose sniffer packet internal "tcp[13] & 4 != 0" If you want to match packets with the SYN flag set: # diagnose sniffer packet internal "tcp[13] & 2 != 0" If you want to match packets with the SYN-ACK flag set: # diagnose sniffer packet internal "tcp[13] = 18" If your FortiGate unit has NP2 interfaces that are offloading traffic, this will change the sniffer trace. Before performing a trace on any NP2 interfaces, you should disable offloading on those interfaces.
Best Here are some tips that will improve your troubleshooting using the packet sniffer. practices Enabling the sniffer will consume additional CPU resources. This can be as high as an
additional 25 percent of CPU usage on low-end models. Therefore, enabling this on a unit that is experiencing excessively high CPU usage, can only render the situation worse. If you must perform a sniff, keep the sniffing sessions short and keep the filter specific. Try to always include ICMP in the sniffer filter. You may capture an ICMP error message that can help identify the cause of the problem. For example: diag sniff packet interface wan1 'tcp port 3389 or icmp' 3 Use the any interface to sniff all FortiGate unit interfaces. You can use the "any" interface if you want to confirm that a specific packet is sent and received by different FortiGate interfaces. The any interface is also useful if you are not sure which interface will send or receive the packet. An example using the any interface: diag sniff packet any 'tcp port 3389' 3 The FortiGate unit may not display all packets if too much information is requested. When this occurs, the FortiGate unit will log the following message once the trace is terminated: 12151 packets received by filter 3264 packets dropped by kernel When this occurs, it is possible that what you were attempting to capture, was not actually captured. In order to avoid this, try to make the filters more specific, reduce the verbosity level, or run the sniffer during a lower traffic period. The packet timestamps, as displayed by the sniffer, may become skewed or delayed under high load conditions. This may occur even if no packets were dropped. Therefore, it is not recommended that you rely on these values in order to troubleshoot or measure performance issues that require absolute precise timing. Short Ethernet frames sent by the FortiGate unit may appear to be under the minimum length of 64 bytes (also known as runts) and will not be displayed by the sniffer. This is because the sniffer does not display any Ethernet Trailer/Padding information, although it is sent over the network. The Ethernet source and/or destination MAC addresses may be incorrect when using the "any" interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01. Try to always include ICMP in the sniffer filter. You may capture an ICMP error message that can help identify the cause of the problem. For example, diag sniff packet interface wan1 'tcp port 3389 or icmp' 3 If you are sniffing VLAN packets, you cannot have any filter configured if you want to see the VLAN tags. For example diag sniffer packet wan1 icmp will not show the tags where diag sniffer packet wan1 will.
97
Creating, saving, and using packet capture filters (sniffing packets from the web-based manager)
Problem To capture, download, and analyze packets received or sent by
a FortiGate unit.
1 01 00 0111 01 11 0100 011 1 1 01 0110 10
Solution Packet capturing or packet sniffing through the web-based

manager is a new feature for FortiOS 4.0 MR3 Patch 2. From the web-based manager you can go to System > Configure > Advanced and under Packet Capture select Create New to create and save packet capture filters. Packet capture filters contain saved packet sniffer settings that define the packets to capture.
You can start a packet capture filter any time when you want to capture the packets defined in the filter. Results of running a packet capture filter can be download to your computer for viewing and analysis as a pcap file. The pcap file contains complete details about the packets captured, including packet content. To read a pcap file, open it with an application that can read pcap files, for example, tcpdump or Wireshark. Capturing HTTP packets on the Internal interface The following filter captures 100 HTTP packets (destination port 80) received at the FortiGate internal interface with destination address 66.171.121.34, from any source address on the 192.168.1.0/24 network, and with any source port. 1 Go to System > Config > Advanced > Packet Capture, select Create New and create a packet capture filter to capture HTTP packets sent and received by the internal interface from and IP address on the 192.168.1.0 network to IP address 66.171.121.34: Interface Max Packets to Capture Source Address Source Port(s) Destination Address Destination Port Protocol Include IPv6 Packets Capture Non-IP Packets 2 Select OK. 3 Start capturing packets by selecting the packet capture filter and selecting Start. You can also Edit the packet capture filter and select Start Capture. 4 From a PC with an IP address on the 192.168.1.0/24 network browse to 66.171.121.34. You can view the packet capture progress, which stops when 100 packets are captured. You can also Stop capturing packets at any time. If you select Start to restart capturing packets, the packet count is reset, so packets previously saved are lost. 5 To download captured packets, stop packet capture if its still running, select the packet capture filter, select Download, and open or save the downloaded sniffer-internal.pcap file. (The filename includes the interface name specified in the filter.)
internal 100 192.168.1.0/24
66.171.121.34/24 80 TCP Disable Disable
6 View the downloaded pcap file with a pcap file viewer. The output below shows packets with source address 192.168.1.120 and destination address 66.101.121.34 and destination port 80 received by the FortiGate internal interface. The packets in the pcap file do not include the FortiGate interface name. In this example all of the packets are received and sent by the internal interface. If you set the Interface to ANY; however, the pcap file will contain packets from any FortiGate interface. You can use the hardware address to determine which FortiGate interface received or sent the packet.
Capturing packets to show static source NAT As described in Providing Internet access for your private network users (static source NAT) on page 160 you can use the packet sniffer to verify your NAT configuration. This example shows how to create a packet capture filter to verify basic source NAT in the same way as entering the command diagnose sniffer packet any 'port 80' 4 4. 1 Go to System > Config > Advanced.
19
2. in 16 te 8. rn 1. al 99
2 Under Packet Capture, select Create New and create a packet capture filter to capture all HTTP packets sent or received by any interface: Interface Max Packets to Capture any 100
17
1
2.
20
.1 wa 20 n .1 1 4
1 9 2 ] 1 55 3 -2 2 .[1 .1 01 .1 68 .1 ] 20 92 ny 0.1 : 1 : [a .2 IP rt 2 c o 17 0 sr p : 8 c P t: sr t I or s d tp s d rk 5 o .2 w 5 et 5 N 5.2 al 5 r n /2 te .0 In 8.1 6 5 .0 .1 Sta tic s in be and terna twee ource the l ne n the NAT Inte two rne rk t 14 3 0. 2 01 12 .1 0. .2 ] 20 72 ny 0.1 : 1 : [a .2 IP rt 2 c o 17 0 sr c p P: t: 8 sr I r st o d tp s d
99
Source Address Source Port(s) Destination Address Destination Port Protocol Include IPv6 Packets Capture Non-IP Packets 3 Select OK.
0.0.0.0/0.0.0.0
0.0.0.0/0.0.0.0 23 ALL Disable Disable
4 Start capturing packets by selecting the packet capture filter and selecting Start. You can also Edit the packet capture filter and select Start Capture. 5 From a PC with on the internal network browse to any Internet address. You can view the packet capture progress, which stops when 100 packets are captured. 6 To download captured packets, stop packet capture if its still running, select the packet capture filter, select Download, and open or save the downloaded sniffer-any.pcap file. 7 View the downloaded pcap file with a pcap file viewer such as Wireshark. The first line below shows a packets with source address 192.168.1.110 and destination address 172.20.120.101 sent by a PC. The second line shows the same packet with source address changed to 172.20.120.14 exiting the FortiGate wan1 interface.
This packet capture filter may capture many more packets than the ones you are looking for. You reduce the number of packets captured by specifying the source and destination addresses of the packets that you are interested in.
100
Debugging FortiGate configurations

Problem Im having problems configuring my FortiGate unit.
Ive heard of debug commands, how do I use them?
Solution FortiGate units have built-in diagnose debug

commands that can be used to debug the operation of any FortiGate software system by displaying debug messages on the CLI console as the system operates. When you find the problem you can correct the configuration and run the diagnose debug command again to verify that the system now operates correctly.
3 2
Before performing any debugging, you should connect to the FortiGate CLI with a terminal program that supports storing the output to a file for later reference. If you do not save the output to a file, you will miss valuable debugging information. Keep in mind that debugging consumes system resources and may affect performance. In most cases this will not be a problem, but if your FortiGate unit is running at 100 percent resource usage already, it is likely that running the debug application will cause the FortiGate unit to drop more packets or sessions, and generally increase its overloaded behavior. The worst is when you are sniffing packets, which can use 10 percent or more of the system resources. To use the diagnose debug commands you must check the current debug configuration, enable debugging, select a software system for which to display debugging information, collect and analyze the results, and stop displaying debugging information. In general you can follow this command sequence: diagnose debug info diagnose debug <software-system> <debug-level> diagnose debug enable diagnose debug disable The following debug commands are also useful: diagnose debug reset to reset the debug configuration to a default state. diagnose debug report Fortinet support may ask you to run this command and send them the output. This is an exhaustive report that runs many different diagnose commands to gather a large amount of information. It may take up to 20 minutes to run on a FortiGate unit with a complex configuration and may temporarily affect system performance. Example diagnose debug procedure for an SSL VPN portal This procedure describes typical steps for displaying debug information for the SSL VPN configuration described in Setting up remote web browsing for internal sites through SSL VPN on page 214. You can use similar steps to display debug info for many other software systems. 1 Verify the current debug configuration by entering the following command: diagnose debug info debug output: disable console timestamp: disable console no user log message: disable CLI debug level: 3
This is a good command to run first, so you know what filters are in place and so on; otherwise, you may start debugging and wonder why the output is not what you expected. This output above indicates that debug output is disabled so debug messages are not displayed. The output also indicates that debugging has not been enabled for any software systems. 2 Enter the following command to display debug messages for SSL VPN. diagnose debug application sslvpn -1 This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level produces detailed results. You can view all the debug options by entering diagnose debug ? or diagnose debug application ?
3 Enter the following command to verify the debug configuration: diagnose debug info debug output: disable console timestamp: disable console no user log message: disable sslvpn debug level: -1 (0xffffffff) CLI debug level: 3 This output verifies that SSL VPN debugging is enabled with a debug level of -1. 4 Enable displaying debug messages by entering the following command: diagnose debug enable 5 Log into the SSL VPN portal. The CLI displays debug messages similar to the following.
diagnose debug enable FGT60C3G10002814 # [282:root]SSL state:before/accept initialization (172.20.120.12) [282:root]SSL state:SSLv3 read client hello A (172.20.120.12) [282:root]SSL state:SSLv3 write server hello A (172.20.120.12) [282:root]SSL state:SSLv3 write change cipher spec A (172.20.120.12) [282:root]SSL state:SSLv3 write finished B (172.20.120.12) [282:root]SSL state:SSLv3 flush data (172.20.120.12) [282:root]SSL state:SSLv3 read finished A:system lib(172.20.120.12) [282:root]SSL state:SSLv3 read finished A (172.20.120.12) [282:root]SSL state:SSL negotiation finished successfully (172.20.120.12) [282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
Just the first few messages are shown for an SSL VPN user connecting to the portal from IP address 172.20.120.12. The messages show the connection being accepted and SSL VPN negotiation taking place. You can view and analyze the debug messages or save them to a text file using your terminal program. 6 Enter the following command to stop displaying debug messages: diagnose debug disable If there is a lot of output scrolling by quickly, you may not be able to see the command as you enter it. Debugging authentication Any time a FortiGate unit authenticates a user, the authd daemon is responsible. This is true if the user is logging in through SSL VPN, connecting over IPsec VPN from FortiClient, and even if certificates are involved. You can use the following command to debug authentication: diagnose debug application authd -1 diagnose debug enable
authd_http.c:1910 authd_http_connect: called authd_http.c:3071 authd_http_change_state: called change state to: 3 authd_http.c:1112 authd_http_read: called authd_http.c:2383 authd_http_wait_req: called authd_http.c:2443 authd_http_read_req: called authd_http_common.c:276 authd_http_read_http_message: called authd_http_common.c:229 authd_http_is_full_http_message: called authd_http.c:4899 authd_http_on_method_get: called authd_http.c:2098 authd_http_check_auth_action: called authd_http.c:3071 authd_http_change_state: called change state to: 2 The output shows the messages the authentication daemon is receiving and the resulting state changes. This authentication session was between a FortiGate unit and FortiClient during an IPsec VPN session setup. Debugging IPsec VPN You can use the diag debug application ike -1 command to display all the VPN related traffic, especially for initial negotiations. By doing this, it will give you the information to find and fix errors that you would only be guessing at, otherwise. You can find more details about this command and its output in My IPsec VPN tunnel isnt working on page 249. Debugging URL filtering Have you tried to set up URL filters only to have the URLs still come through? The diag debug information can help you determine what is going on under the hood, such as Blocking all web sites except those you specify using a whitelist on page 197. For example, if one user at 172.20.120.18 is complaining the URL filter is not working for them you can enter the command: #diag debug disable #diag debug application urlfilter -1 #diag debug enable This is very useful if you want to test some new URL filter patterns. The following sample output from this set of commands for a group of URLs that you have included in the UTM Web Filtering Advanced Filtering list, such as *.ro, would appear as: msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.example.ro:80, id=22, vfid=0, type=0, client=10.10.80.110, url=/favicon.ico" Checking urlfilter list 4 Url filter deny action This output shows one attempt to browse to http://www.example.ro, which is a match to the blocked *.ro sites. From this output, we can see the URL, who was going there (the client IP address of 10.10.80.110), and the action - URL filter deny action. It is good to note that the ID number will increment by one for each message matched like this. From this information, we now know the *.ro URL filter is working properly for a client on the 10.10.80.0 subnet. Debugging packet flow You can use the diag debug flow command to show packet flow through the FortiGate unit. As packets are received, you can view debug messages to show how the FortiGate unit processes them. For more information, see Verifying that traffic is accepted a security policy on page 144.
Quick reference to common diagnose commands

FortiOS diagnose commands, commonly called diag commands, are powerful CLI commands that allow you to see what is happening at a low level. You can find more information about diag and get commands in the Troubleshooting chapter of the FortiOS Handbook. To find out more information about diagnose command options, enter the command followed by a ?, for example, diagnose debug application ? debug application Display detailed debugging information for FortiGate software systems. For example:
diagnose debug application ike -1
3 2
For debugging IPsec VPN, see My IPsec VPN tunnel isnt working on page 249.
diagnose debug application sslvpn -1
For debugging IPsec VPN, see Debugging FortiGate configurations on page 101.
diagnose debug application urlfilter -1
For debugging URL filtering, see Debugging FortiGate configurations on page 101. debug flow Show packet flow through the FortiGate unit. As packets are received you can view debug messages to show how the FortiGate unit processes them. The following commands will send 100 packets of output to the console of the packet flow including the IP address.
diagnose diagnose diagnose diagnose debug debug debug debug enable flow show console enable flow filter add 10.10.20.30 flow trace start 100
See Verifying that traffic is accepted a security policy on page 144. debug info Display information about how debug is currently configured on your FortiGate unit. Run this before doing a series of diag debug commands, so you know what filters are in place. Otherwise, your output may not what you expected. See Debugging FortiGate configurations on page 101. Display throughput information for the firewall broken down by both packets and bytes. Categories include common applications such as DNS, FTP, IM, P2P, and VoIP and also includes the lower level protocols TCP, UDP, ICMP, and IP. Display the drift for each configured FortiToken registered on the FortiGate unit. Verify all FortiGate unit certificates. For each certificate the name, test performed and the results are listed.
firewall statistic show
fortitoken drift hardware certificate
104
hardware Display all disks in the FortiGate unit. This includes hard disks, and deviceinfo disk SSD disks. The information includes partitions, size, type, and available space. hardware deviceinfo nic eth0 Display information about the network card attached to the interface. The information displayed varies by the type of NIC. It will include the VLAN id, state, link, speed, counts for received and transmitted packets and bytes. The MAC for this NIC is Current_HWaddr and Permant_HWaddr, and this is only place you can see both the old and new MAC when it is changed. Display statistics for URL filters. This includes number of requests, responses, pending responses, errors, timeouts, blocked, and allowed. Display the information from the bridging table in the FortiGate unit. This is useful when troubleshooting transparent mode. Once you have the bridge names, you can check their forwarding domain using diag netlink brctl domain <bridge_name>.
ips urlfilter status netlink brctl list
sniffer packet Capture packets on any FortiGate interface that are on port 80, any port 80 4 commonly used by HTTP. Verbosity level 4 displays packet header information and interface names. You can use this information to test security policies, network connections, or find where missing packets are going. See Troubleshooting by sniffing packets (packet capture) on page 89. sys session full-stat test log Display details about the session table including its size, the sessions in each state, errors, and other statistics. Generate default log messages. This allows you to test logging features such as remote log server connections. See Creating a backup log solution on page 275 Display information about the update daemon including the last set of messages from the update daemon, the current object versions, the next scheduled updates, and counters for various updates for pass, fail, and retry.
test update info
vpn tunnel list Display all configured IPsec VPN tunnels in the current VDOM. This is useful to compare settings on both ends of a tunnel that is having problems.
105
106
WiFi Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into your organizations network architecture. Each WiFi network or SSID is represented by a virtual network interface to which you apply security policies, UTM features, traffic shaping, and so on, in the same way as for physical wired networks. You can create multiple WiFi networks to serve different groups of users. For example, you might want one network for your employees and another for guests or customers. Also, with the increase in use of smartphones, tablets and other mobile devices that use WiFi technology, wireless networks are becoming busier than ever and have to accommodate a broad range of wireless client devices each with their own strengths and limitations. You may also want to accommodate these devices and technologies on multiple overlapping wireless networks. These networks could differ greatly in the access they provide to other networks, as well as the authentication, access control, and UTM features they apply. A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as a single thick AP. A thick AP such as a FortiWiFi unit contains the WiFi radio facility as well as access control and authentication functionality. A thin AP, such as a FortiAP unit contains only the radio facility and a microcontroller that receives commands and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding a FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost-effective solution for adding WiFi to your network. The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi units WiFi controller also controls the units internal (Local WiFi) radio facility, treating it much like a built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more complex to manage. This chapter includes the following WiFi networking examples: Setting up secure WiFi access on your FortiWiFi unit Setting up secure WiFi on your FortiGate unit using a FortiAP unit Improving WiFi security with WPA-Enterprise security Setting up secure WiFi with a captive portal Sharing the same subnet for WiFi and wired clients Setting up a WiFi network with an external DHCP server Authenticating WiFi users with Windows AD
107
Setting up secure WiFi access on your FortiWiFi unit

Problem Your small office wired network is configured
using a FortiWiFi unit, but employees also use laptops, and other mobile devices. These devices need secure WiFi access to both the office network and the Internet.
Inte
Wireless network
rna
l ne
two
rk
FortiWiFi Unit Unit i
Solution Configure a WiFi network on your FortiWiFi unit.
Use DHCP to assign up to 10 IP addresses to office WiFi users, as most mobile devices are preconfigured to use DHCP. Use WPA2 security. As there is no authentication in place for the wired network and this is a small team in one place, WPA2-Personal security is appropriate. There will be one preshared key that users must know to access the WiFi network. Create security policies to enable the WiFi network to access both the office network and the Internet. This solution assumes an area that can be covered by a single FortiWiFi. You can extend the coverage area by connecting FortiAP units and adding the our_wifi SSID to them.
Create the SSID and enable the WiFi radio 1 Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network: Interface Name IP/Netmask SSID wifi 10.10.10.1/255.255.255.0 our_wifi
2 Enable DHCP with the following settings: Address Range Netmask Default Gateway DNS Server 10.10.10.10-10.10.10.19 255.255.255.0 Same as Interface IP Same as System DNS
3 Configure the security settings as follows: Security Mode Data Encryption Pre-shared Key 4 Select OK. 5 Go to WiFi Controller > Managed Access_Points > Local WiFi Radio and select Enable WiFi Radio. WPA/WPA2-Personal AES justforus
108
Create firewall addresses and security policies 1 Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network security policy that allows WiFi users to access to the office network. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all port1 all always ANY ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each other. 2 Select Create New to add a WiFi-to-Internet security policy that allows WiFi users to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all wan1 all always ANY ACCEPT
3 Select Enable NAT and Use Destination Interface Address. 4 Select OK.
Results On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Enter the
justforus preshared key when prompted. Verify that you can connect to servers on your office network. Verify that you can connect to the Internet. You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that are connected to your WiFi network.
If you want a more secure authentication method, see Improving WiFi security with WPAEnterprise security on page 114 that requires users to logon instead of using the preshared key.
109
Setting up secure WiFi on your FortiGate unit using a FortiAP unit

Problem A FortiGate unit provides your office with wired
networking, but employees also use laptops and mobile devices. These devices need secure WiFi access to both the office network and the Internet. What is a good solution for a small number of users with no access to Windows Active Directory?
Wireless network
in te rn al
F tiG t U it FortiGate Unit
Solution Set up a WiFi network with WPA-Personal

authentication. Using the WiFi Controller feature on your FortiGate unit, configure a WiFi network. Then connect a FortiAP unit and authorize it to carry your WiFi network. On your WiFi network, use DHCP to assign IP addresses to WiFi users, as most mobile devices are preconfigured to use DHCP. Use WPA2 security. As there is no authentication in place for the wired network and this is a small team in one place, WPA2-Personal security is appropriate. There will be one preshared key that users must know to access the WiFi network. Create security policies to enable the WiFi network to access both the office network and the Internet. Configure port3, an unused network interface on the FortiGate unit, to connect to the FortiAP unit. Connect the FortiAP unit to the port3 interface and wait for it to be discovered. Authorize the FortiAP unit. Create the SSID 1 Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network: Interface Name IP/Netmask SSID wifi 10.10.10.1/255.255.255.0 our_wifi
3 Configure the security settings as follows: Security Mode Data Encryption Pre-shared Key 4 Select OK. WPA/WPA2-Personal AES justforus
110
Fo t3 or po
rti A
un it
k or tw ne al rn te In
Create firewall and security policy settings 1 Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network policy that allows WiFi users to access to the office network. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all port1 all always ANY ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each other. 2 Select Create New to add a WiFi-to-Internet policy that allows WiFi users to access the Interne. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all wan1 all always ANY ACCEPT
3 Select Enable NAT and Use Destination Interface Address. 4 Select OK. Configure a FortiGate interface to connect to the FortiAP unit and connect the devices 1 Go to System > Network > Interface and Edit the port3 interface: Addressing Mode IP/Netmask Manual 192.168.8.1/255.255.255.0
2 Select Dedicate this interface to FortiAP connection. Reserve IP addresses for FortiAP connection 192.168.8.2 - 192.168.8.9
The Reserve IP for FortiAP connection setting automatically configures a DHCP server to assign an IP address to the FortiAP unit. The FortiGate unit uses these IP addresses to communicate with the FortiAP unit. 3 Use an Ethernet cable to connect port0 (also the ETH port) on the FortiAP unit to port3 on the FortiGate unit and power up the FortiAP unit.
4 On the FortiGate web-based manager, go to WiFi Controller > Managed Access_Points > Managed FortiAP. Select Refresh every ten seconds or so until the FortiAP unit is listed. Discovery of the FortiAP unit can take up to two minutes.
If the FortiAP is not listed under Managed FortiAP after two minutes: Check that port0 (ETH) on the FortiAP unit is connected to port3 on the FortiGate unit. Power cycle the FortiAP unit. On the FortiGate unit, go to System > Monitor > DHCP Monitor to see whether the FortiAP unit is assigned an IP address lease. See also Using the FortiGate packet sniffer to view the FortiAP discovery process in the Results section. 5 When the FortiAP unit appears, select it and select Edit. 6 Enter the Name FortiAP1. 7 Select Authorize. 8 Ensure that Enable WiFi Radio is selected and then select OK. This solution assumes an area that can be covered by a single FortiAP. You can extend the coverage area by connecting and authorizing additional FortiAP units and adding the our_wifi SSID to them.
Results On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Enter the
justforus preshared key when prompted. Verify that you can connect to servers on your office network. Verify that you can connect to the Internet. You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that are connected to your WiFi network.
Using the FortiGate packet sniffer to view the FortiAP discovery process The FortiGate units built-in packet sniffer can help you to view the discovery process if you experience difficulty in getting the FortiGate unit to recognize the FortiAP unit. Use the CLI command diagnose sniffer packet port3 none 4 to capture packets entering or leaving the FortiGate port3 interface to which the FortiAP unit is connected. Packet headers will be shown. For more information about using the sniffer, see Troubleshooting by sniffing packets (packet capture) on page 89. The FortiAP unit uses several methods to find a WiFi controller. Here are some examples of the request packets you should see, possibly repeated several times before a response is received and processed: Broadcast DHCP request: port3 -- 0.0.0.0.68 -> 255.255.255.255.67: udp This DCHP client request should reach the DHCP server configured on port3. The server response looks like this: port3 -- 192.168.8.1.67 -> 192.168.8.2.68: udp The FortiAP unit is assigned the IP address 192.168.8.2. It will then communicate with the WiFi controller on 192.168.8.1 using the CAPWAP control port 5246.
112
Multicast WiFi controller discovery request: port3 -- 192.168.8.2.5246 -> 224.0.1.140.5246: udp Note that this request is on the CAPWAP control port, 5246. The multicast IP address on the FortiAP unit and the WiFi controller is reconfigurable and must agree. The WiFi controller responds directly to the FortiAP unit in unicast on port 5246. Broadcast WiFi controller discovery request: port3 -- 192.168.8.2.5246 -> 255.255.255.255.5246: udp This request on the CAPWAP control port 5246 should get a response from the WiFi controller at 192.168.8.1 on port 5246. ARP request packet and response packets: port3 -- arp who-has 192.168.8.2 tell 192.168.8.1 port3 -- arp reply 192.168.8.2 is-at 0:9:f:d6:b9:71 ARP who-has packets occur frequently. The ARP reply packet containing your FortiAP units wired MAC address confirms that the unit has successfully obtained an IP address. Ongoing communication between FortiAP unit and WiFi controller: The discovery process should be complete now, with the FortiAP unit listed in the Managed FortiAP list, ready for you to authorize. Routine control channel communications back and forth look like this: port3 -- 192.168.8.2.5246 -> 192.168.8.1.5246: udp port3 -- 192.168.8.1.5246 -> 192.168.8.2.5246: udp
113
Improving WiFi security with WPA-Enterprise security

Problem You set up a WiFi network with WPAPersonal security, but now you want better security with individual authentication for your users.
Internal network
Solution Create user accounts and a wifi_users
FortiWiFi Unit
user group on the FortiWiFi unit. Modify your SSID to use WPA/WPA2Enterprise security and authenticate users who belong to the wifi_users group. There is no longer a pre-shared key that could fall into the wrong hands or would need to be changed if someone left the group. Each user has an individual user name and password. Accounts can be added or removed as needed. Create WiFi network user accounts 1 Go to User > User > User and select Create New to create a user account: User Name Password wloman my_secure_pwd
2 Create additional user accounts as needed, one for each employee. If your employees already have user accounts on the FortiWiFi or FortiGate unit, you can skip this step and use the existing accounts.
3 Go to User > User Group > User Group and select Create New to create a user group: Name Type Members 4 Select OK. Create the SSID and enable the WiFi radio 1 Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network: Interface Name IP/Netmask SSID wifi 10.10.10.1/255.255.255.0 our_wifi wifi_users Firewall Add wloman and the other employee accounts to the Members list.
114
3 Configure the security settings as follows: Security Mode Data Encryption Authentication Usergroup 4 Select OK. 5 Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select Enable WiFi Radio. Create firewall addresses and security policies 1 Go to Policy > Policy > Policy to and select Create New to add a WiFi-to-Office network security policy that allows WiFi users to access to the office network. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all port1 all always ANY ACCEPT WPA/WPA2-Enterprise AES Usergroup wifi_users
Source NAT is not required for this policy since the WiFi and internal networks are visible to each other. 2 Select Create New to add a WiFi-to-Internet security policy that allows WiFi users to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule wifi all wan1 all always
115
Service Action
ANY ACCEPT
Results On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Unlike
WPA/WPA2-Personal you will be prompted to enter your user name and password. Enter wloman as the user name and my_secure_pwd as the password. Once you have been authenticated, verify that you can connect to servers and other resources on your office network. Also verify that you can connect to the Internet. You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that are connected to your WiFi network.
116
Setting up secure WiFi with a captive portal

Problem A FortiGate unit provides your office with wired
networking, but employees also use laptops and mobile devices. These devices need secure WiFi access to both the office network and the Internet. The employees use web applications and are most comfortable authenticating through the web browser.
k or tw ne al rn te In
F tiG t Unit FortiGate U it Wireless network
in te rn al
Solution Set up a captive portal configuration that intercepts

connections to the wireless network and displays a portal on wireless clients devices. Users must authenticate with the portal to get access to the wireless network. To configure the portal you must Create a user group with a user account for each employee. Create a WiFi network with captive portal authentication. A captive portal appears to be an open WiFi access point, allowing any WiFi device to connect. On the first attempt to connect to a web site, the captive portal presents a web page that requests the users logon credentials which must match credentials in the user group. Create WiFi network user accounts 1 Go to User > User > User and select Create New to create a user account: User Name Password wloman my_secure_pwd
2 Create additional user accounts as needed, one for each employee. If your employees already have user accounts on the FortiWiFi or FortiGate unit, you can skip this step and use the existing accounts.
3 Go to User > User Group > User Group and select Create New to create a user group: Name Type Members 4 Select OK. Create the SSID and enable the WiFi radio 1 Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network: Interface Name IP/Netmask SSID wifi 10.10.10.1/255.255.255.0 our_wifi wifi_users Firewall Add wloman and the other employee accounts to the Members list.
Fo tt3 or po
rti A
un it
117
3 Configure the security settings as follows: Security Mode User Groups 4 Select OK. 5 Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select Enable WiFi Radio. Create firewall and security policy settings 1 Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network policy that allows WiFi users to access to the office network. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all port1 all always ANY ACCEPT Captive Portal wifi_users
Source NAT is not required for this policy since the WiFi and internal networks are visible to each other. 2 Select Create New to add a WiFi-to-Internet policy that allows WiFi users to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all wan1 all always ANY ACCEPT
3 Select Enable NAT and Use Destination Interface Address.

4 Select OK.
Results On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Your
device should connect quickly because no password is required at this stage. Some mobile devices display the Fortinet Terms and Disclaimer Agreement portal as soon as you connect to the SSID. Some devices only display the portal when you open a web browser and attempt to connect to an Internet destination. Select the I accept... check box below the Agreement text to indicate that you agree. Enter wloman as Username and my_secure_pwd as Password, then select Continue. Your requested web site should then be displayed and you can otherwise use the WiFi network. You can continue browsing until your authentication times out. Then, you will have to accept the disclaimer and re-enter your logon credentials again. You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that are connected to your WiFi network.
In User > Monitor > Firewall, you can see the authenticated captive portal user:
119
Sharing the same subnet for WiFi and wired clients

Problem You want to put your WiFi users on the same
network segment (or subnet) as your wired LAN users, but the FortiGate unit requires each network interface to have a single unique network segment.
Software switch network 1010.10.0 255.255.255.0 Software switch interface combo_lan 1010.10.1
wifi
Internal network FortiWiFi Unit
Solution Create a software switch interface with the internal

LAN interface and WiFi network virtual interfaces as members.
A software switch interface can only include physical and WiFi interfaces. Before adding an interface to a software switch interface you must delete all configuration objects that use that interface. This includes factory default security policies and DHCP server configurations. Create the SSID and enable the WiFi radio 1 Go to WiFi Controller > WiFi Network > SSID and select Create New to add the SSID to be added to the software switch: Interface Name SSID wifi our_wifi
2 Clear the Enable DHCP checkbox. There is no need to specify an IP address for the SSID because the IP address of the software switch interface will be used. Also, you should disable the DHCP server for the SSID since you will add one later for the software switch interface. 3 Configure the security settings as follows: Security Mode Data Encryption Pre-shared Key 4 Select OK to save the SSID. 5 Go to WiFi Controller > Managed Access_Points > Local WiFi Radio and select Enable WiFi Radio. You can extend the coverage area by connecting FortiAP units and adding the our_wifi SSID to them. WPA/WPA2-Personal AES justforus
Create the software switch 1 Go to System > Network > Interface and select Create New to add the software switch: Name Type Physical Interface Members
120
combo_lan Software Switch wifi port1

or t
Addressing Mode IP/Netmask
Manual 10.10.10.1/255.255.255.0
2 Go to System > Network > DHCP Server and select Create New to add a DHCP server for the devices on the wired and wireless networks connected to the software switch: Interface Name Mode Enable Type IP Network Mask Default Gateway DNS Service 3 Select OK. Create firewall addresses and security policies 1 Go to Policy > Policy > Policy to create the security policy that enables users connected to the software switch to connect to the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action combo_lan all wan1 all always ANY ACCEPT combo_lan Server Selected Regular 10.10.10.2-10.10.10.199 255.255.255.0 10.10.10.1 Use System DNS Setting
Results Configure the devices on the internal network to get their IP addresses using DHCP and renew
their leases if required. They should all have IP addresses on the 10.10.10.0/255.255.255.0 network. On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Enter the justforus preshared key when prompted. Wireless devices should also acquire IP addresses in the 10.10.10.0/255.255.255.0 network. Verify that you can connect to servers on your office network from mobile devices and verify that you can connect to the Internet.
121
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that are connected to your WiFi network.
You can also go to System > Monitor > DHCP Monitor to view information about all the address leases for both wired and wireless clients.
122
Setting up a WiFi network with an external DHCP server

Problem You want to set up a small WiFi network for
your teams laptops and mobile devices and use the companys DHCP server instead of a DHCP server configured on the WiFi interface.
192 DHCP .16 se 8.1 rve .10 r 1
Wireless network
Inte
rna
l ne
two
rk
FortiWiFi Unit
Solution When you configure the SSID (WiFi

network) dont configure a DHCP server. On the WiFi interface, specify a DHCP relay to the companys DCHP server. Check your security policies to ensure that DHCP packets can pass through the FortiGate unit from the WiFi network to the LAN where the DHCP server resides. This example shows a FortiWiFi-based network with WPA/WPA2-Personal security. You can also apply this DHCP configuration to WiFi networks with other security settings and to WiFi networks based on FortiAP units. Create the SSID and enable the WiFi radio 1 Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network: Interface Name IP/Netmask SSID wifi 10.10.10.1/255.255.255.0 our_wifi
2 Clear the Enable DHCP checkbox to disable DHCP. 3 Configure the security settings as follows: Security Mode Data Encryption Pre-shared Key 4 Select OK. 5 Go to WiFi Controller > Managed Access_Points > Local WiFi Radio and select Enable WiFi Radio. Configure the WiFi interface to support DHCP relay 1 Go to System > Network > DHCP Server, select Create New and enter the following settings to configure the WiFi interface to support DHCP relay: Interface Name Mode Type DHCP Server IP wifi Relay Regular 192.168.1.101 WPA/WPA2-Personal AES justforus
123
Create firewall addresses and security policies 1 Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network security policy that allows WiFi users to access to the office network: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all port1 all always ANY ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each other. The default ANY service accepts DHCP sessions. If you make a more restrictive policy, make sure that DHCP sessions are allowed.
If the DHCP server that you will use is not on the office network, you will also need a policy to allow DHCP traffic to pass from the DHCP servers network to the WiFi network. 2 Select Create New to add a WiFi-to-Internet security policy that allows WiFi users to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wifi all wan1 all always ANY ACCEPT
Results On your mobile device, look for the our_wifi SSID and attempt to connect. Enter the justforus
preshared key when prompted. Once you are connected, verify that you can connect to servers on your office network, and to the Internet. You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that are connected to your WiFi network.
124
If the Auth column shows Pass, but the IP column shows 0.0.0.0, the DHCP Relay configuration isnt working. Check the following: Is the mobile device configured to obtain an IP address automatically using DHCP? Does the wifi-to-wan1 policy allow DHCP service to pass? (ANY service includes DHCP.) Does the DHCP server have a route to the WiFi network? To check this, add a temporary wan1-to-wifi policy and ping the WiFi network gateway from the DHCP server. Is the DHCP server configured to provide IP addresses for your WiFi networks subnet? A complete configuration includes the default route and DNS server addresses. The normal DHCP sequence as seen in the servers log messages looks like this: dhcpd: DHCPDISCOVER from 00:23:4e:52:fd:6f via 10.10.10.1 dhcpd: DHCPOFFER on 10.10.10.10 to 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1 dhcpd: DHCPREQUEST for 10.10.10.10 (192.168.1.101) from 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1 dhcpd: DHCPACK on 10.10.10.10 to 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1 Repeated DHCPDISCOVER and DHCPOFFER messages with no DHCPACK response suggest that these messages are not reaching the client. It is also normal to see a DCHCPREQUEST message for an IP address that was not offered in a prior DHCPOFFER message. Many clients automatically request the IP address that they used previously. If this IP address is acceptable to the server, it will issue a DHCPACK message immediately.
125
Authenticating WiFi users with Windows AD

Problem You want WiFi users to authenticate
using their Windows Active Directory credentials. You are using Windows Active Directory (Windows AD) running on Windows Server 2008.
do WIn 172 main dows .20 con AD .12 tro 0.3 ller 2 Inte
Wireless network
port1
wifi
rna
l ne
two
rk
wan1
Solution Configure a RADIUS server (Network
FortiWiFi Unit
Policy Server) in Windows Active Directory (AD). Configure the your WiFi network with WPA-Enterprise to authenticate users with this Windows RADIUS (NPS) server. This example assumes that You have a Windows AD network which currently uses a RADIUS (NPS) server for authentication. The server to which the FortiWiFi unit connects is a domain controller with a DNS server, NPS server (same domain), and a CA Authority installed. WiFi users have been added to a group called WiFi_users. Determine the IP address of the RADIUS server before you begin. Configuring the Windows AD domain controller You need to: Configure the Network Policy Server. Install a certificate for PEAP authentication. Install the CA certificate. Add the FortiWiFi unit as a RADIUS client. Configure a connection request policy for the FortiWiFi unit. Configure the Security Health Validator. Configure health policies. Configure network policies. Configure the Network Policy Server 1 In Windows AD, go to Start > Administrative Tools > Network Policy Server. 2 In the left pane expand Policies right-click Network Policies and select New. 3 On the Specify Network Policy Name and Connection Type screen, for Policy name enter FortinetWiFi. Leave the Type of network access server as Unspecified and select Next. 4 On the Specify Conditions screen, select Add. Select Windows Groups and select Add. 5 In the Windows Groups dialog, select Add Groups. 6 In the Select Group dialog, enter WiFi_users. Select Check Names to verify your entry, then select OK. 7 In the Windows Groups dialog, select OK. 8 In the Specify Conditions window, select Next. 9 In the Specify Access Permission window, select Access Granted, then select Next.
126
10 In the Configure Authentication Methods window, use the Add button to add PEAP and EAP-MSCHAP v2 to the EAP Types list. Select MS-CHAP-v2 and PAP methods, then select Next. 11 Select Next until you reach the Completing New Network Policy page, then select Finish. Install a certificate for PEAP authentication 1 Go to Start >Run. In Open, type mmc, and then select OK. If there is no Certificates item in the left pane, you need to install the Certificates snap-in. 2 In the mmc left pane, expand Certificates, right-click Personal, select All Tasks > Request New Certificate. 3 In the Certificate Enrollment window, select Next. 4 Select Computer, then select Enroll. 5 Verify that Succeeded is displayed and then select Finish. 6 Close the Console1 window. Do not save the console settings. Install the Root CA 1 Open the Server Manager. 2 In the left pane, select Roles. 3 Select Action > Add Roles. 4 If the Before you Begin wizard appears, select Next. 5 In the list of available server roles, select the Active Directory Certificate Services and select Next twice. 6 Make sure that Certification Authority is selected, and select Next. 7 Select Enterprise and select Next. 8 Specify Root CA and select Next. (Selection must match type of CA you are changing from.) 9 On the Set Up Private Key page, select Next. Keep selecting Next until the Install button is available, then select Install. 10 When installation completes, select Close. Add the FortiWiFi unit to Windows AD as a RADIUS client 1 Open the Network Policy Server. 2 In the left pane, expand RADIUS Clients and Servers. Right-click RADIUS Clients and select New. Enter the following information: Enable this RADIUS client Selected Friendly name Address (IP or DNS) Shared secret 3 Select the Advanced tab. 4 Select Access-Request must contain the Message Authenticator attribute. 5 Make sure that RADIUS client is NAP-capable is not selected. 6 Select OK. FortiWiFi_1 172.20.120.32 secure_value
127
Configure a connection request policy for the FortiWiFi unit 1 Open the Network Policy Server. 2 In the left pane, expand Policies. 3 Select Connection Request Policies. Right-click the default policy and select Delete. 4 In the left pane, right-click Connection Request Policies and select New. Enter the following information: Policy name Type of network access server 5 Select Next. Select Add. 6 Double-click NAS IPv4 Address and add the FortiWiFi units IP Address: 172.20.120.32. 7 Select Next. Make sure that Authenticate Requests on this server is selected and then select Next. 8 Select Override network policy authentication settings. 9 Select Add, Select Microsoft: Protected EAP (PEAP), and then select OK. 10 Select the PEAP option in EAP Types and then select Edit. 11 Check that Certificate Issued has the appropriate CA certificate selected. 12 Ensure that Enforce Network Access Protection is selected. Select OK. 13 Select Next. Select Next again. Select Finish. Configure Windows Security Health Validator 1 In the Server Manager left pane, go to Roles > Network Policy and Access > NPS (Local) > Network Access Protection > System Health Validators. 2 In the right pane, select Windows Security Health Validator. Select Settings. Double-click Default Configuration. 3 Ensure that only A firewall is enabled for all network connections is enabled. Select OK. To configure health policies 1 In the Network Policy Server, expand Policies, right-click Health Policies, and select New. 2 Enter the following information and select OK: Policy name Client SHV checks SHVs used in this health policy WiFi_compliant Client passes all SHV checks Select Windows Security Health Validator FortiWiFi_1_policy Unspecified
3 In the left pane, right-click Health Policies, and select New. 4 Enter the following information and select OK: Policy name Client SHV checks SHVs used in this health policy WiFi_noncompliant Client fails one or more SHV checks Select Windows Security Health Validator
128
Configure network policies 1 In the Network Policy Server, expand Policies, right-click Network Policies, and select New. 2 In Policy name, enter NAP_WiFi_compliant and then select Next. 3 Select Add. Double-click Windows Groups. Add the WiFi_users group and select OK. 4 Select Add. Double-click NAS IPv4 Address. Add the FortiWiFi unit IP address and select OK. 5 Select Add. Double-click Health Policy. Add the WiFi_compliant policy and select OK. 6 Select Next. Ensure that Access Granted is selected. Select Next three times. 7 On the Configure Settings page, select Vendor Specific. 8 In the Attributes list, select Vendor-Specific and then select Add. 9 Select Add. Select Enter Vendor Code. Enter the Fortinet vendor code 12356. 10 Select Yes. It conforms. 11 Select Configure Attribute, enter the following information, and then select OK: Vendor-assigned attribute number Attribute format Attribute value 1 String WiFi_users
12 Select OK. Select Close. Select Next. Select Finish. Configure the FortiWiFi unit You need to: Add the NPS server. Configure the WiFi SSID, including security settings. Configure firewall addresses for the networks. Configure security policies. Enable the WiFi hardware. Add the RADIUS (NPS) server to the FortiWiFi unit configuration 1 Go to User > Remote > RADIUS. Select Create New, enter the following information and then select OK: Name Type Primary Server Name/IP Primary Server Secret Authentication Scheme Win_NPS Query 172.20.120.2 secure_value Use Default Authentication Scheme
129
Configure your WiFi network SSID 1 Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless network like this: Interface Name IP/Netmask SSID wifi 10.10.10.1/255.255.255.0 our_wifi
3 Configure the security settings as follows: Security Mode Data Encryption Authentication WPA/WPA2-Enterprise AES RADIUS Server, select Win_NPS
4 Go to Policy > Policy > Policy to create the security policies that enable WiFi users to connect to the office network and to the Internet. WiFi-to-Office network policy Source Interface/Zone Source Address Destination Interface/Zone Destination Address Enable NAT WiFi-to-Internet policy Source Interface/Zone Source Address Destination Interface/Zone Destination Address Enable NAT wifi all wan1 all Selected wifi all port1 all Selected
130
5 Go to WiFi Controller > Managed Access_Points > Local WiFi Radio and select Enable WiFi Radio. This solution assumes an area that can be covered by a single FortiWiFi. You can extend the coverage area by connecting FortiAP units and adding the our_wifi SSID to them.
Results Verify that WiFi users can authenticate and have access to both the office LAN and the
Internet.
131

Most commonly, FortiGate units are used to control access between the Internet and a network, typically allowing users on the network (such as an office network) to connect to the Internet while protecting the network from unwanted access from the Internet. So a FortiGate unit has to know what access should be allowed and what should be blocked. This is what security policies are for, controlling all network traffic attempting to pass through a FortiGate unit. No traffic can pass through a FortiGate unit unless specifically allowed to by a security policy. Once traffic is allowed, virtually all FortiGate features are applied to allowed traffic through security policies. From a security policy, you can control address translation, control the addresses and services used by the traffic, and apply features such as UTM, authentication, and VPNs. Most of the examples in this cookbook at some point involve the creation of security policies to allow traffic and then apply a feature to it. This chapter focuses more on firewall features and how to configure policies to apply them. Topics include using security policies to restrict access, how to order policies correctly, using geographic addresses, applying traffic shaping and configuring some common forms or source network address translation (S-NAT) and destination address translation (DNAT).
Security It is simple to set up a FortiGate unit to policies allow users on a network to access the
Internet while blocking traffic from the Internet from accessing the protected network. All that is required is a single security policy that allows traffic from the Internal network to connect to the Internet. As long as you do not add a security policy to allow traffic from the Internet onto your internal network, your network is protected.
19
2. in 16 te 8. rn 1. al 99
When a user connects to the Internet, they expect a reply (for example, when you connect to a web site you expect to see a web page). The same security policy that allows you to connect to the Internet also allows servers you contact to respond to you. In effect, a single policy allows two-way traffic, but the incoming traffic is only allowed in response to requests sent by you.
17
2. 20
.1 wa 20 n .1 1 4
1 9 2 ] 1 55 3 2 -2 .[1 .1 01 .1 68 .1 ] 20 92 ny 0.1 : 1 : [a .2 IP rt 2 c o 17 0 sr c p P: t: 8 sr I r st o d tp s d 5 rk 5 o .2 w 5 et 5 N 5.2 al 5 r n /2 te .0 In 8.1 6 .0 .1 Sta tic s in be and terna twee ource the l ne n the NAT two Inte rne rk t
1 14 3 2 0. 01 12 .1 0. .2 ] 20 72 ny 0.1 : 1 : [a .2 IP rt 2 c o 17 0 sr c p P: t: 8 sr t I or s d tp s d
132
Even though there is no risk of unwanted traffic originating from the Internet getting onto your internal network, users are connecting to the Internet and downloading data. These downloads can sometimes include unwanted items, such as viruses. that make their way through to FortiGate unit to your network. To protect your network from this problem, security policies are also the way to turn on all FortiGate UTM features. For example, users may download a virus when browsing the web or retrieving email. You can protect your network from this danger by adding virus scanning to security polices that allow users to connect to the Internet. All traffic in either direction that is controlled by a security policy that includes virus scanning will be scanned for viruses. The benefit of this approach is that you can apply security features directly to allowed traffic. This also means that you can apply custom security features to each security policy and to each type of traffic allowed through the FortiGate unit. Security features are applied using UTM objects and profiles. You can create as many profiles as you need and mix and match them in a security policy as required. For example, it might be acceptable to you to apply only web filtering to the security policy that allows users on the protected internal network to access web sites on the Internet. If you have a separate security policy that allows users on the internal network to download and send email, you could apply virus scanning to this traffic to make sure users cannot download email attachments containing viruses. In addition you could apply data leak protection to the email traffic to prevent users from sending confidential email to the Internet. All of these security features can be added to security policies as you create them. Or once you have security policies that control traffic patterns you can edit them to add or change security features as you build up your security requirements or as those requirements change.
Defining Firewall objects include addresses, services, and schedules that are used in security policies to Firewall control the traffic accepted or blocked by a security policy. Addresses are matched with the objects source and destination address of packets received by the FortiGate unit. Firewall addresses
can be IPv4 or IPv6 addresses that define a single device or a network. You can also add domain names instead of numeric addresses and use geographic addressing to specify all of the IP addresses of traffic originating from a specific country. These powerful address tools allow you to customize addresses for any security policy requirement. The all address matches a security policy with traffic to or from any IP address. FortiGate units include a wide range of pre-defined network services that can be added to security policies. For example, you can add a security policy that intercepts all HTTP traffic just by adding the HTTP service to a security policy. Pre-defined services include basic network services such as HTTP, FTP, TCP, SMTP and more specialized services such as H323 (used for VoIP and media), MMS (the multimedia messaging service used by mobile phones) and so on. You can also easily create custom services if your network uses network services that are not in the FortiGate pre-defined services list. You must add at least one service to a security policy. You can also add multiple services to a single security policy if you want to policy to multiple traffic types. The ANY pre-defined service accepts traffic using any network service. Firewall schedules control when security policies are active. The default always schedule does not restrict when a policy is active. You can limit when a policy is active by adding schedules defining the time for which the policy is active. You can create recurring schedules that take effect repeatedly at specified times of specified days of the week (for example, a schedule that is active during office hours: weekdays between 9am and 5 pm). You can also create one-time schedules that take effect only once for the period of time (for example, for a week in September 2020). Firewall objects also include traffic shapers, used to normalize traffic peaks and bursts to prioritize certain flows over others. A wide variety of traffic shaping options are available, allowing you to customize traffic shaping according to your networks requirements and apply custom traffic shaping to any security policy. The Virtual IP firewall objects are added to security policies to perform various forms of destination network address translation (D-NAT) including destination IP address and destination port translation and port forwarding.
The final firewall object is load balancing, which is an extension of virtual IPs to load balance traffic passing through the FortiGate unit to multiple servers. FortiGate load balancing supports various load balancing schedules, real server health monitoring, persistence, and SSL acceleration. This chapter includes the following security policy and firewall object examples: Restricting employees Internet access Restricting Internet access per IP address Verifying that traffic is accepted a security policy Ordering security policies Allowing DNS queries to only one approved DNS server Ensuring sufficient and consistent bandwidth for VoIP traffic Using geographic addresses Providing Internet access for your private network users (static source NAT) Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT) Dynamic source NAT without changing the source port (one-to-one source NAT) Dynamic source NAT using the central NAT table Allowing access to a web server on an internal network when you only have one Internet IP address Allowing Internet access to a web server on a protected network when you only have one Internet IP address, using port translation Allowing Internet access to a web server on a protected network when you have an IP address for the web server Configuring port forwarding to open ports on a FortiGate unit Dynamic destination NAT for a range of IP addresses
134
Restricting employees Internet access

Problem You want to limit general Internet
access to between 12 noon and 2 pm. You also want to allow unlimited access to a select few Internet web sites at all times.
in te rn al w an 1 In te rn al n et w o rk s es d cc ke A oc l B
Access allowed
Solution Create a firewall schedule that restricts access to between 12 and 2. Add this schedule to a
security policy that allows access to the Internet. Add FQDN and subnet/IP range firewall addresses for Internet web sites that should be allowed unlimited access (wiki.example.net, svn.example.com, 172.20.120.101, and 172.16.100.154). Add these firewall addresses to a second security policy that allows unlimited access to these addresses. Depending on the network configuration, users on the internal network may always need access to a DNS server on the Internet. There are a number of ways you can allow access to such a DNS server. This example adds the DNS server to the address group. You could also add another security policy that only allows access to the DNS servers on the Internet. Creating the security policy that limits Internet access to between 12 noon and 2 pm 1 Go to Firewall Objects > Schedule > Recurring and select Create New to add a schedule to allow access between 12 and 2 on weekdays: Name Day of the Week Start Time lunch break Monday, Tuesday, Wednesday, Thursday, Friday Hour 12 Minute 00 Hour 14 Minute 00
m o .c m le o p .c m ple 01 xa m 0.1 54 i.e a 2 .1 ik ex .1 0 w n. 20 .10 sv 2. 16 7 1 2. 7 1
Stop Time
2 Select OK. 3 Go to Policy > Policy > Policy and select Create New to add the security policy that restricts Internet access to between 12 and 2: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal all wan1 all lunch break ANY ACCEPT
Creating the security policy to allow unlimited access to selected Internet sites 1 Go to Firewall Objects > Address > Address and select Create New to add the wiki.example.net FQDN firewall address: Address Name Type FQDN Interface wiki FQDN wiki.example.net wan1
2 Select Create New to add the svn.example.com FQDN firewall address: Address Name Type FQDN Interface svn FQDN svn.example.com wan1
3 Select Create New to add the 172.20.120.101 firewall address: Address Name Type Subnet / IP Range Interface 101 server Subnet / IP Range 172.20.120.101/255.255.255.255 wan1
4 Select Create New to add the 172.16.100.154 firewall address: Address Name Type Subnet / IP Range Interface 154 server Subnet / IP Range 172.16.100.154/255.255.255.255 wan1
5 Select Create New to add the firewall address of a DNS server on the Internet. This example uses the Google DNS server 8.8.8.8: Address Name Type Subnet / IP Range Interface dns server Subnet / IP Range 8.8.8.8/255.255.255.255 wan1
136
6 Go to Firewall Objects > Address > Group and select Create New to add a firewall address group: Group Name Allowed addresses wiki svn Members 101 server 154 server dns server You can add and remove addresses from this address group at any time to change the Internet addresses with unlimited access.
7 Select OK. 8 Go to Policy > Policy > Policy and select Create New and add a security policy that allows unlimited access to selected addresses on the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal all wan1 Allowed addresses always ANY ACCEPT
Results If you have followed steps in order, your internal to wan1 policy list could look similar to the
following:
Policy 1 (the default policy available on many FortiGate units) to allow all traffic to access the Internet is at the top of the list. Policy 2 to allow access to the Internet between 12 and 2 is second. Policy 3 to allow access to a selected Internet addresses is third. Use the following steps to test this configuration. 1 Disable or delete policy 1. Otherwise all traffic will be accepted by this policy. 2 If possible, temporarily disable other policies.
137
To test a new security policy configuration it can be useful to temporarily disable other policies, attempt to connect through the FortiGate unit as users would, and verify the results. Once you get a configuration working with other policies disabled you can enable the other policies and re-test the configuration. Note that disabling policies will interrupt traffic through the FortiGate unit. 3 Before 12 or after 2, attempt to access any site on the Internet (other than the allowed sites). Access should be blocked because policy 2 only allows access to the Internet between 12 and 2. Firewall schedules reference the FortiGate units system time. Make sure the FortiGate system time is correct or schedules will produce unexpected results. You can check and adjust the FortiGate system time from the System Information dashboard widget. 4 Before 12 or after 2, attempt to access any of the addresses added to the Allowed addresses address group. Access should be allowed. The Count column for policy 3 should show that this policy has been accepting sessions.
Sessions accepted by policy 3 should also appear when you go to Policy > Monitor > Policy Monitor to view active sessions by policy.
5 Between 12 or after 2, attempt to access any site on the Internet (including the sites added to the Allowed addresses address group). All Internet traffic is allowed by policy 2, so the Count for policy 2 should increase. No sessions are accepted by policy 3 so its count should not increase.
As well, Policy > Monitor > Policy Monitor should only show sessions for policy 2.
Using diagnose debug flow to show traffic hitting the policies before 12 You can use the diagnose debug flow command to show packet flow through the FortiGate unit. As packets are received you can view debug messages to show how the FortiGate unit processes them. The following command sequence displays packet flow for packets from IP address 192.168.1.110 before 12 when policy 2 is not active.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 192.168.1.110 diagnose debug flow trace start 100
The first six output lines show a packet received at the Internal interface with destination address 172.16.100.148. This matches the IP address of wiki.example.net so the packet is routed, SNATed and allowed by security policy 3.
id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 192.168.1.110:3152>172.16.100.148:80) from internal." id=36871 trace_id=1 msg="allocate a new session-0000724b" id=36871 trace_id=1 msg="find a route: gw-172.20.120.2 via wan1" id=36871 trace_id=1 msg="find SNAT: IP-172.20.120.11, port-40156" id=36871 trace_id=1 msg="Allowed by Policy-3: SNAT" id=36871 trace_id=1 msg="SNAT 192.168.1.110->172.20.120.11:40156"
The next three output lines show another packet that is part of the same session.
id=36871 trace_id=2 msg="vd-root received a packet(proto=6, 192.168.1.110:3152>172.16.100.148:80) from internal." id=36871 trace_id=2 msg="Find an existing session, id-0000724b, original direction" id=36871 trace_id=2 msg="SNAT 192.168.1.110->172.20.120.11:40156"
The next seven output lines show DNS packet accepted by policy number 3 and show the DNS session helper being used.
id=36871 trace_id=7 from internal." id=36871 trace_id=7 id=36871 trace_id=7 id=36871 trace_id=7 id=36871 trace_id=7 id=36871 trace_id=7 id=36871 trace_id=7 msg="vd-root received a packet(proto=17, 192.168.1.110:3884->8.8.8.8:53) msg="allocate a new session-00007262" msg="find a route: gw-172.20.120.2 via wan1" msg="find SNAT: IP-172.20.120.11, port-40864" msg="Allowed by Policy-3: SNAT" msg="SNAT 192.168.1.110->172.20.120.11:40864" msg="run helper-dns-udp(dir=original)"
The next four output lines show a packet destined for another Internet address being denied.
id=36871 trace_id=9 msg="vd-root received a packet(proto=6, 192.168.1.110:3155>72.32.40.232:80) from internal." id=36871 trace_id=9 msg="allocate a new session-00007272" id=36871 trace_id=9 msg="find a route: gw-172.20.120.2 via wan1" id=36871 trace_id=9 msg="Denied by forward policy check"
139
Using diagnose debug flow to show traffic hitting the policies between 12 and 2 The following command sequence displays packet flow for packets from IP address 192.168.1.110 between 12 and 2 when policy 2 is active.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 192.168.1.110 diagnose debug flow trace start 100
The following output lines show a packet received at the Internal interface with destination address 172.16.100.148. This matches the IP address of wiki.example.net but because security policy 2 is active it is accepted by this policy instead of security policy 3.
id=36871 trace_id=201 msg="vd-root received a packet(proto=6, 192.168.1.110:3518>172.16.100.148:80) from internal." id=36871 trace_id=201 msg="allocate a new session-00007adc" id=36871 trace_id=201 msg="find a route: gw-172.20.120.2 via wan1" id=36871 trace_id=201 msg="find SNAT: IP-172.20.120.11, port-48434" id=36871 trace_id=201 msg="Allowed by Policy-2: SNAT" id=36871 trace_id=201 msg="SNAT 192.168.1.110->172.20.120.11:48434"
140
Restricting Internet access per IP address

Problem How do I use security policies to restrict
access to the Internet based on IP addresses of users on an internal network?
10. E 10. ngine 20. eri 100 ng -15 0 Re tra stric ffic ting g etin -50 ark .20.3 M 0 1 10.
Solution Identify groups of users according to

their IP addresses and add firewall addresses for these groups. Two user groups are identified:
Engineering users with IP addresses in the range 10.10.20.100 - 10.10.20.150 Marketing users with IP addresses in the range 10.10.20.30 - 10.10.20.50 The solution shows how to allow marketing access to the Internet during office hours (between 8:00 am and 6:00 pm) but restricting engineering to only being able to access the Internet between 12:00 noon and 2:00 pm. Creating the firewall addresses for each user group 1 Go to Firewall Objects > Address > Address and select Create New to add the engineering address range: Address Name Type Subnet / IP Range Interface engineering Subnet / IP Range 10.10.20.[100-150] internal
2 Select Create New to add the marketing address range: Address Name Type Subnet / IP Range Interface Creating the firewall schedules 1 Go to Firewall Objects > Schedule > Recurring and select Create New to add a schedule for engineering: Name Day of Week Start Time Stop Time engineering-restrict Monday, Tuesday, Wednesday, Thursday, Friday 12:00 14:00 marketing Subnet / IP Range 10.10.20.[30-50] internal
141
2 Select Create New to configure the schedule for marketing: Name Day of Week Start Time Stop Time 3 Select OK. Configuring security policies Disable or delete any existing security policies before proceeding. This allows the FortiGate unit to skip the other policies and concentrate on the following two policies, eliminating any sequencing conflicts. Once you have the following scenario working you can reorder any other policies that you have, enable them, and then test the firewall configuration to make sure it works as expected. 1 Go to Policy > Policy > Policy and select Create New to create the security policy for marketing: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal marketing wan1 all marketing-all ANY ACCEPT marketing-all Monday, Tuesday, Wednesday, Thursday, Friday 08:00 18:00
2 Select Enable NAT and Use Destination Interface Address. 3 Select Create New to create the security policy for engineering: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal engineering wan1 all engineering-restrict ANY ACCEPT
142
Results The marketing department should be able to connect to the Internet immediately and the
engineering department should not be able to connect to the Internet until the specified time in the schedule. You should also see packets in the Count column in the marketing policy, but nothing in the engineering policy.
To test that things are correct, try accessing web sites on the Internet from the engineering department. All access should be denied. Try accessing web sites from the marketing department. All access should be allowed. To test that the engineering department policy is correct, change the time frame in the engineering-restrict firewall schedule to the current time, and then try accessing web sites from the engineering department. You should be seeing packets in the Count column in the engineering policy as well as in the marketing policy.
Change the time range back to the original time in the engineering-restrict firewall schedule, and all packets should stop and the Count for this policy should not increase.
143
Verifying that traffic is accepted a security policy

Problem How can I verify that traffic is being
accepted by (or hitting) a security policy?
10. E 10. ngine 20. eri 100 ng -15 0 Re tra stric ffic ting g etin -50 ark .20.3 M 0 1 10.
Solution Use the security policy list Count

column and the policy monitors. The Count column and the policy monitors provide a visual verification that packets are hitting a policy.
This solution uses the security policies created in Restricting Internet access per IP address on page 141. 1 Go to Policy > Policy > Policy and locate the engineering-restrict and marketing-all policies. The Count column in the following example shows that there are currently no packets hitting the engineering-restrict policy, but packets are hitting the marketing-all policy.
2 Go to Policy > Monitor > Policy Monitor to view the marketing-all policy sessions. In the list, you should be seeing that the policy ID, in this case ID number 5, is the marketing-all policy that is accepting these sessions. You can verify this by selecting Refresh to see the byte and packet count increase.
144
3 You can drill down to see a graph of the individual sessions accepted by the policy by source or destination address or destination port.
4 You can drill down one more level to see a detailed list of the sessions currently accepted by the policy.
5 Go to the engineering-restrict schedule and change the original time to current time so that you can verify that traffic is hitting that policy. 6 On both the policy list and Policy Monitor, you can verify that traffic is now hitting both policies.
Results You can use these web-based manager tools to verify that traffic is hitting the expected
security policies. More advanced tools for verifying that traffic is hitting the expected policy are available from the CLI.
145
Using diagnose debug flow to show traffic hitting a policy You can use the diagnose debug flow command to show packet flow through the FortiGate unit. As packets are received you can view debug messages to show how the FortiGate unit processes them. The following command sequence displays packet flow for packets with IP address 10.10.20.30. The command output is extracted from actual command output and shows what happens after one packet is received: a new session is allocated, a route is found for the packet, its source NAT IP and port number are selected, It is matched with a policy (in this case policy ID 5), Source is performed and the packet is forwarded.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 10.10.20.30 diagnose debug flow trace start 100 id=36871 trace_id=1132 >192.168.110.11:161) from internal." id=36871 trace_id=1132 id=36871 trace_id=1132 id=36871 trace_id=1132 id=36871 trace_id=1132 id=36871 trace_id=1132 msg="vd-root received a packet(proto=17, 10.10.20.30:1029-
msg="allocate a new session-00012042" msg="find a route: gw-172.20.120.2 via wan1" msg="find SNAT: IP-172.20.120.230, port-54409" msg="Allowed by Policy-5: SNAT" msg="SNAT 10.10.20.30->172.20.120.230:54409"
The following command sequence and output shows what happens when you do a debug trace for packets that contain IP address 172.20.120.2 and then ping from 10.10.20.30 to 172.20.120.2 through the FortiGate unit. The first six output lines shows the ping packet received from 10.10.20.30 and being accepted by the security policy ID 5. The final four lines show how the reply from 172.20.120.2 is received by an existing session and passed through the FortiGate unit to the source.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 172.20.120.2 diagnose debug flow trace start 100 id=36871 trace_id=1147 >172.20.120.2:8) from internal." id=36871 trace_id=1147 id=36871 trace_id=1147 id=36871 trace_id=1147 id=36871 trace_id=1147 id=36871 trace_id=1147 id=36871 trace_id=1148 >172.20.120.230:0) from wan1." id=36871 trace_id=1148 id=36871 trace_id=1148 id=36871 trace_id=1148 146 msg="vd-root received a packet(proto=1, 10.10.20.30:512-
msg="allocate a new session-00012259" msg="find a route: gw-172.20.120.2 via wan1" msg="find SNAT: IP-172.20.120.230, port-59532" msg="Allowed by Policy-5: SNAT" msg="SNAT 10.10.20.30->172.20.120.230:59532" msg="vd-root received a packet(proto=1, 172.20.120.2:59532-
msg="Find an existing session, id-00012259, reply direction" msg="DNAT 172.20.120.230:0->10.10.20.30:512" msg="find a route: gw-10.10.20.30 via internal" FortiGate Cookbook http://docs.fortinet.com/
Using diagnose debug flow to show traffic hitting a DENY policy Change a policy that accepts traffic to one that denies traffic and use the diagnose debug flow commands to view the results. For example, change the policy ID 5 to a DENY, enter the debug flow commands and then ping from 10.10.20.30 to 172.20.120.2 through the FortiGate unit. The output lines show a ping packet being received, a session allocated, a route found and then the packet being denied. Note that the output does not indicate which security policy denied the packet. Note also that traffic hitting a DENY policy does not appear on the Policy Monitor.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 172.20.120.2 diagnose debug flow trace start 100 id=36871 trace_id=126 from internal." id=36871 trace_id=126 id=36871 trace_id=126 id=36871 trace_id=126 msg="vd-root received a packet(proto=1, 10.10.20.30:512->172.20.120.2:8)
msg="allocate a new session-00000d37" msg="find a route: gw-172.20.120.2 via wan1" msg="Denied by forward policy check"
147
Ordering security policies

0 11 1. 8. 16 2. 19 ss ce d Ac nie de
Problem I want to add a security policy that blocks

access to the Internet for one source address. Should I arrange it above or below a general policy that allows access to the Internet from any source address?
k or tw 0 ne .1. .0 al 8 55 rn 16 .2 te 2. 5 In 19 .25 5 25 ss ce ed Ac low al
Solution More specific security policies should be
placed in the security policy list above more general policies. In this case the specific policy that blocks one source address should be placed above the general policy that allows access from any source address. 1 Go to Policy > Policy > Policy and select Create New to add a security policy to allow all users on the internal network to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal All wan1 All always ANY ACCEPT
2 Select Enable NAT and Use Destination Interface Address. 3 Select OK. Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you.
4 Go to Firewall Objects > Address > Address and select Create New to add the specific address to be blocked: Address Name Type Subnet / IP Range Interface 5 Select OK. 6 Go Policy > Policy > Policy and select Create New to add a security policy to deny access for sessions from the source address 192.161.1.110: Source Interface/Zone Source Address internal Blocked address Blocked address Subnet / IP Range 192.168.1.110/255.255.255.255 internal
148
Destination Interface/Zone Destination Address Schedule Service Action
wan1 all always ANY DENY
7 Select OK to save the security policy.
Results New security policies are always added to the bottom of the policy list so this specific policy is
added below the general policy that allows access. 1 Test the configuration by attempting to connect to the Internet from a PC with IP address 192.168.1.110. Access should be allowed. If you go to Policy > Policy > Policy, the Count column should show that the general policy is accepting packets. 2 Select the specific policy and select Move to and move this policy Before policy 1. 3 Test this new configuration by attempting to connect to the Internet from a PC with IP address 192.168.1.110. Access should be denied. If you go to Policy > Policy > Policy the Count column should show that the deny policy is blocking packets.
149
Packet The following command sequence displays packet flow for packets from IP address flow 192.168.1.110 that are blocked by the deny policy.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 192.168.1.110 diagnose debug flow trace start 100 id=36871 trace_id=301 msg="vd-root received a packet(proto=6, 192.168.1.110:3858>172.16.100.148:80) from internal." id=36871 trace_id=301 msg="allocate a new session-0000876e" id=36871 trace_id=301 msg="find a route: gw-172.20.120.2 via wan1" id=36871 trace_id=301 msg="Denied by forward policy check"
The following command sequence displays packet flow for packets from IP address 192.168.1.120 that are allowed by policy 1.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 192.168.1.120 diagnose debug flow trace start 100 id=36871 trace_id=310 msg="vd-root received a packet(proto=6, 192.168.1.120:3907>172.16.100.148:80) from internal." id=36871 trace_id=310 msg="allocate a new session-000088a8" id=36871 trace_id=310 msg="find a route: gw-172.20.120.2 via wan1" id=36871 trace_id=310 msg="find SNAT: IP-172.20.120.11, port-53199" id=36871 trace_id=310 msg="Allowed by Policy-1: SNAT"
150
Allowing DNS queries to only one approved DNS server

Inte
Problem How do I restrict all DNS queries to

an approved DNS server on the Internet?
rna
l ne
two
rk
S DN vedver .53 o pre Ser .112 Ap .91 208
Solution Block all DNS sessions except for

sessions to the approved DNS server. To do this, create a firewall address for the approved DNS server and then add it to a security policy that uses the DNS service and allows access to the Internet. Create another security policy that blocks all DNS sessions. Arrange the allow DNS policy above the more general deny DNS policy. Arrange both of these policies above any general policies that allow access to the Internet. Make sure the devices on the internal network are configured to use the approved DNS server. 1 Go to Policy > Policy > Policy and select Create New to add a security policy to allow all users on the internal network to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal All wan1 All always ANY ACCEPT
2 Select Enable NAT and Use Destination Interface Address. 3 Select OK. Some FortiGate models include this security policy in the default configuration. If you have one of these models, this step has already been done for you.
4 Go to Firewall Objects > Address > Address and select Create New and add a firewall address for the approved DNS server: Address Name Type Subnet/IP Range Interface 5 Select OK. Approved dns server Subnet / IP Range 208.91.112.53/255.255.255.255 wan1
151
6 Go to Policy > Policy > Policy and select Create New to add a policy that allows DNS sessions to access the approved DNS server: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Service Action internal all wan1 Approved dns server DNS ACCEPT
7 Select Enable NAT and Use Destination Interface Address. 8 Select OK. 9 Select Create New to add a policy to block all DNS sessions to the Internet: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Service Action internal all wan1 all DNS DENY
If you completed the steps in order the internal to wan1 policy list should look similar to the following:
10 Select policy 2 and select Move To. 11 Move policy 2 Before policy 1. 12 Select policy 3 and select Move To. 13 Move policy 3 After policy 2.
152
Results Use the following steps to test the configuration.

1 Configure a PC on the internal network to use the 208.91.112.53 DNS server. 2 Attempt to browse the web from this PC. You should be able to browse the web. 3 Go to Policy > Policy > Policy view the Count column for the security policies. The policy 2 Count column should show that it is processing traffic. The policy monitor (at Policy > Monitor > Policy Monitor) should show that all sessions accepted by policy 2 are DNS sessions with a destination address of 208.91.112.53. 4 Enter the following command to verify DNS sessions from a PC with IP address 192.168.1.110 to IP address 208.91.112.53 are accepted by policy 2.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 192.168.1.110 diagnose debug flow trace start 100 id=36871 trace_id=459 >208.91.112.53:53) id=36871 trace_id=459 id=36871 trace_id=459 id=36871 trace_id=459 id=36871 trace_id=459 id=36871 trace_id=459 id=36871 trace_id=459 msg="vd-root received a packet(proto=17, 192.168.1.120:1207from internal." msg="allocate a new session-00009c6f" msg="find a route: gw-172.20.120.2 via wan1" msg="find SNAT: IP-172.20.120.11, port-42043" msg="Allowed by Policy-2: SNAT" msg="SNAT 192.168.1.120->172.20.120.11:42043" msg="run helper-dns-udp(dir=original)"
5 Change the PC to use a different but still valid DNS server on the Internet. 6 Attempt to browse the web. Web browsing will not work because DNS lookups are blocked. The policy 3 Count column should show that it is denying traffic. 7 Enter the following command to verify that DNS sessions from a PC with IP address 192.168.1.110 to a different DNS server are blocked.
diagnose debug enable diagnose debug flow show console enable show trace messages on console diagnose debug flow filter add 192.168.1.110 diagnose debug flow trace start 100 id=36871 trace_id=409 from internal." id=36871 trace_id=409 id=36871 trace_id=409 id=36871 trace_id=409 msg="vd-root received a packet(proto=17, 192.168.1.120:1051->8.8.8.8:53) msg="allocate a new session-00009c09" msg="find a route: gw-172.20.120.2 via wan1" msg="Denied by forward policy check"
153
Ensuring sufficient and consistent bandwidth for VoIP traffic

Problem You want to make sure that enough
bandwidth is reserved through the FortiGate unit to adequately support the use of IP phones in the office.
Inte rn net al IP wo ph rk one l rna k Inte twor ne
Solution Using traffic shaping, you can configure

shared shapers that ensure a consistent amount of bandwidth is reserved for VoIP/SIP communications and still maintain bandwidth for other Internet traffic such as email and web browsing. For this solution, 200000 kbits/s is guaranteed to be available for VoIP and VoIP traffic is given higher priority than other traffic. Other traffic is limited to a maximum bandwidth of 100000 kbits/s. In this configuration, the internal IP phone network and internal network both connect to the FortiGate internal interface. Create traffic shapers for VoIP traffic and for other traffic When creating a traffic shaper, you must include a data value for the Maximum Bandwidth and/or the Guaranteed Bandwidth as well as selecting the Traffic Priority. 1 Go to Firewall Objects > Traffic Shaper > Shared and select Create New to add a shared shaper for IP phone traffic: Name Apply Shaper Traffic Priority Maximum Bandwidth Guaranteed Bandwidth 2 Select OK. 3 Select Create New and add a shared shaper for other traffic: Name Apply Shaper Traffic Priority Maximum Bandwidth Daily_Traffic Per Policy Medium 1000000 VoIP Per Policy High 16776000 2000000
Creating the firewall addresses for the IP phone and internal networks 1 Go to Firewall Objects > Address > Address and select Create New to add the engineering address range: Address Name Type IP Phone net Subnet / IP Range
154
Subnet / IP Range Interface
10.10.10.[10-50] internal
2 Select Create New to add the marketing address range: Address Name Type Subnet / IP Range Interface Internal net Subnet / IP Range 10.10.10.[100-200] internal
Create the security policies that include the traffic shapers 1 Go to Policy > Policy > Policy and select Create New and add a security policy for VoIP/SIP traffic: Source Interface/Zone Source address Destination Interface/Zone Destination Address Schedule Service Action internal IP Phone net wan1 all always SIP ACCEPT
2 Select Enable NAT and Use Destination Interface Address. 3 Select Traffic Shaping and select the VoIP shaper for both directions: Shared Traffic Shaper Shared Traffic Shaper Reverse Direction 4 Select OK. 5 Select Create New and add a security policy for other traffic from the Internal network to the Internet: Source Interface/Zone Source address Destination Interface/Zone Destination Address Schedule Service Action internal Internal net wan1 all always ANY ACCEPT VoIP VoIP
155
6 Select Enable NAT and Use Destination Interface Address. 7 Select Traffic Shaping and select the daily traffic shaper for both directions: Shared Traffic Shaper Shared Traffic Shaper Reverse Direction Daily_Traffic Daily_Traffic
To monitor the data passing through the FortiGate unit for troubleshooting, remember to enable Log Allowed Traffic in both policies.
Results Phone usage has a guaranteed bandwidth and a higher priority than other standard Internet
usage. As such, telephony use will not be degraded by other traffic between the internal network and the Internet. Go to Firewall Objects > Monitor > Traffic Shaper Monitor and select Current Bandwidth to view the current bandwidth being used by active traffic shapers. If standard traffic volume is high enough, it will top out at the maximum bandwidth defined in each shaper,
To ensure that the shaper is in use, go to Log&Report > Log & Archive Access > Traffic Log. Filter the Service by SIP to see the telephony traffic.
156
Viewing the detailed information for a SIP log messages, the shaper name appears in the Sent Shaper Name field.
157
Using geographic addresses

Problem You need to restrict employee access
to the subversion servers at branch offices, located in Ireland, Brazil and Egypt, so that scheduled backups at these locations are uninterrupted.
B 19 ran 2. ch 16 o 8. ffi 11 ce 0. 2 1- 12 Br 2 az il
na hi C 3 e fic 25 of h 0 .1 n c .2 ra 0 B 0 .1 1
office, as well as addresses with the geographic-based address feature.
The geographic-based addresses allow you to indicate the country, and the traffic originating or going to this country is logged, blocked or specific filtering is applied. The schedules, in this case, will block employee access to the servers at specified times. For this solution, we are using Eastern Time zone (GMT -5:00) as the time zone for the location of the schedules and addresses. Creating the geographic addresses 1 Go to Firewall Objects > Address > Address and create a new address. 2 Enter the name, branch_office_1 for the Address Name. 3 Select Geography from the Type list. 4 From the Country list, select Ireland. 5 Select wan1 from the Interface list. 6 Select OK. 7 Create the other two addresses using steps 2 to 6; use the names branch_office_2 for Brazil, and branch_office_3 for Egypt. 8 Go to Firewall Objects > Address > Group and create a group of the three addresses. Creating the firewall schedules 1 Go to Firewall Objects > Schedule > Recurring. 2 Create a new schedule for the Ireland branch, and enter branch_office1 for the Name of the schedule. 3 Select Monday, Wednesday and Friday for the Day of Week. 4 Select 11:00 as the Start Time and 13:00 as the Stop Time. 5 Select OK to save the schedule. 6 Create a new schedule for Brazil and enter branch_office1 for the Name of the schedule. 7 For Day of Week, select Monday and Friday. 8 Select 16:00 as the Start Time and 18:00 as the Stop Time. 9 Select OK to save the schedule. 10 Create a new schedule for Egypt and enter branch_office3 for the Name of the schedule. 11 For Day of Week, select Tuesday and Saturday. 12 Select 11:00 as the Start Time and 13:00 as the Stop Time. 13 Select OK to save the schedule. 14 Go to Firewall Objects > Schedule > Group and group these three schedules.
rs -15 rte .1 ua 20 d q 6 .1 ea 2 H 72. 1 5
B 17 ran 2. ch 16 o .1 ffi 44 ce .1 1 5- 15 Ire 5 la
nd
Solution Create schedules for each branch
Applying the addresses and schedules to a policy Go to Policy > Policy > Policy, and apply both groups to a security policy.
Results Employee access to these servers should be blocked during the times specified in the firewall
schedules. You can test this by trying to access a server in Ireland at 11:00 am your time; you should not be able to access the server.
159
Providing Internet access for your private network users (static source NAT)
Problem How to configure static source address
translation (or static SNAT) to allow users on a private internal network to connect to the Internet.
19 2. in 16 te 8. rn 1. al 99
The NAT requirement is to translate the source address of packets from the private network. Packets from the private network have a private source address. For communication with an Internet site the private source address must be translated to a public source address so that response packets can be routed on the Internet.
Solution Static source address translation (or static SNAT) is most often used to allow users on an
internal network to connect to the Internet. Static SNAT translates the source addresses of all outgoing packets to the IP address of the external interface. To keep track of individual sessions, the FortiGate unit also translates the source port of all packets. This type of NAT is also called port address translation (PAT), network address and port translation (NAPT), IP masquerading, NAT overload, and many-to-one NAT. 1 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal all wan1 all always ANY ACCEPT
Results All packets accepted by this security policy have their source IP addresses translated from a
private IP address on the 192.168.1.0 network to the IP address of the wan1 interface (172.20.120.14). As well, the source port is translated to a random source port. The destination IP address and destination port are not changed. Test source NAT by browsing a website on the Internet from a device on the internal network. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 4 interfaces=[any] filters=[port 80] 7.863458 internal in 192.168.1.110.3444 -> 172.20.120.101.80: syn 2322143869 7.872937 wan1 out 172.20.120.14.36344 -> 172.20.120.101.80: syn 2322143869 7.873146 wan1 in 172.20.120.101.80 -> 172.20.120.14.36344: syn 593799196 ack 2322143870 7.873325 internal out 172.20.120.101.80 -> 192.168.1.110.3444: syn 593799196 ack 2322143870 160 FortiGate Cookbook http://docs.fortinet.com/
17 2. 20 .1 wa 20 n .1 1 4
1 9 2 ] 1 55 3 2 -2 . [1 .1 01 .1 68 .1 ] 20 92 ny 0.1 : 1 : [a . 2 IP rt 2 c o 17 0 sr c p P: t: 8 sr I r st o d tp s d 5 rk 5 o .2 w 5 et 5 N 5.2 al 5 r n /2 te .0 In 8.1 6 .0 .1 Sta tic s in be and terna twee ource the l ne n the NAT two Inte rne rk t
1 14 3 2 0. 01 12 .1 0. .2 ] 20 72 ny 0.1 : 1 : [a . 2 IP rt 2 c o 17 0 sr p : 8 c P t: sr t I or s d tp s d
The first output line shows a packet was received by the Internal interface with source address 192.168.110. The second output line shows that when the packet exits the wan1 interface the source address is changed to 172.20.120.14. The third output line shows that when the response packet is received by the wan1 interface the destination address is still 172.20.120.14. The fourth output line shows that when the response packet exits the internal interface to return to the source, its destination address has changed to 192.168.1.110. Notice also in this example, the source port is translated from 3444 to 36344 and then back to 3444. The source IP of all packets from any source IP is always translated to 172.20.120.14. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage. If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem.
161
Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT)
Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT)
Problem How to configure dynamic source
address translation NAT to allow users on a private internal network connect to the Internet when you have more than one external IP address and you want outgoing packets to use some or all of these addresses.
2. in 1 6 te 8. r n 1. al 99
Solution Use dynamic source address

translation when you have more than one external IP address and you want outgoing packets to use some or all of these addresses. To get the FortiGate unit to use more than one IP address for source NAT, you add the addresses to an IP pool. This example uses an IP pool containing only 3 IP addresses: 172.20.120.[13-15]. Then you add a security policy and select Use Dynamic IP Pool. 1 Go to Firewall Objects > Virtual IP > IP Pool and select Create New to add the following IP pool. Name IP Range/Subnet Dynamic-Source 172.20.120.13-172.20.120.15
2 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal all wan1 all always ANY ACCEPT
3 Select Enable NAT and Use Dynamic IP Pool and select the Dynamic-Source IP Pool. 4 Select OK to save the security policy.
private IP address on the 192.168.1.0 network to one of the IP addresses in the IP pool. (172.20.120.[13-15]). As well, the source port is translated to a random source port. The destination IP address and destination port are not changed. Test dynamic source NAT by browsing a website on the Internet from multiple IP addresses on the internal network. Use the following packet sniffer command to see the results.
162
17
2.
20
.1 wa 20 n .1 1 E 4 x 17 te 17 2. r na 17 2. 20 l I 2. 20 .12 Ps 2 0 .1 0 .1 2 0 .1 3 2 0 .1 .1 4 5
19
1 9 2 ] 1 55 3 2 -2 .[ 1 .1 01 .1 68 .1 ] 2 0 9 2 n y 0 .1 : 1 : [ a .2 I P rt 2 c o 17 0 sr c p P: t: 8 sr t I or s d tp s d 5 rk 5 o .2 w 5 et 5 N 5.2 al 5 r n /2 te .0 In 8.1 6 .0 .1 AT N ce ur he k so t or ic een tw net e am tw l n ter yn e a n D b rn e I te h in d t an ] 15 31 [1 0. 3 2 01 12 .1 0. .2 ] 2 0 7 2 n y 0 .1 : 1 : [ a .2 I P rt 2 c o 17 0 sr p : 8 c P t: sr t I or s d tp s d
Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT) diagnose sniffer packet any 'port 80' 4 8 interfaces=[any] filters=[port 80] 4.893372 internal in 192.168.1.120.4806 -> 172.20.120.101.80: syn 1222685135 4.893644 wan1 out 172.20.120.14.45642 -> 172.20.120.101.80: syn 1222685135 4.893855 wan1 in 172.20.120.101.80 -> 172.20.120.14.45642: syn 3955257209 ack 4.894016 internal out 172.20.120.101.80 -> 192.168.1.120.4806: syn 3955257209 4.559945 internal in 192.168.1.110.4834 -> 172.20.120.101.80: syn 2817814036 4.560189 wan1 out 172.20.120.13.49774 -> 172.20.120.101.80: syn 2817814036 4.562207 wan1 in 172.20.120.101.80 -> 172.20.120.13.49774: syn 1591702338 ack 4.562383 internal out 172.20.120.101.80 -> 192.168.1.110.4834: syn 1591702338
1222685136 ack 1222685136
2817814037 ack 2817814037
The first four output lines show a session from IP address 192.168.1.120 where the source IP address has been translated to 172.20.120.14. The next four output lines show a session from IP address 192.168.1.110 where the source IP address has been translated to 172.20.120.13. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage. If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem.
163
Dynamic source NAT without changing the source port (one-to-one source NAT)
Dynamic source NAT without changing the source port (one-toone source NAT)
Problem Some protocols or services will only
function if they use a specific source port, or a source port that does not change. Normally source NAT changes the source port to allow multiple simultaneous sessions.
2. in 16 te 8. r n 1. al 99
Solution You can select the fixed port option to
restrict the FortiGate unit to not translate the source port. This results in a one-to-one NAT configuration. Oneto-one NAT limits the number of simultaneous sessions that are supported because one variable for tracking sessions (the source port number) is no longer available. To allow more sessions, one-to-one NAT is normally used with multiple external IPs added to an IP pool. In this example, you enable one-to-one NAT by enabling the fixed port option in a security policy and adding an IP pool containing three IP addresses: 172.20.120.[13-15]. The fixed port option is enabled from the CLI so this entire example is configured from the CLI. 1 Enter the following command to add the IP pool: config firewall ippool edit Dynamic-Source set startip 172.20.120.13 set endip 172.20.120.15 end 2 Enter the following command to add a security policy that allows users on the private network to access the Internet. config firewall policy edit 0 set srcintf internal set srcaddr all set dstintf wan1 set dstaddr all set schedule always set service ANY set action accept set nat enable set fixedport enable set ippool enable set poolname Dynamic-Source end If you edit this policy from the web-based manager, you will notice that the Fixed Port option is visible and is selected.
private IP address on the 192.168.1.0 network to one of the IP addresses in the IP pool. (172.20.120.[13-15]). The source port, destination IP address, and destination port are not changed. Test dynamic source NAT by browsing to a website on the Internet from multiple IP addresses on the internal network. Use the following packet sniffer command to see the results.
164
17
2.
20
.1 wa 20 n .1 1 4 E x 17 te 17 2. r na 17 2. 20 l I 2. 20 .12 Ps 2 0 .1 0 .1 2 0 .1 3 2 0 .1 .1 4 5
19
1 9 2 ] 1 55 3 2 -2 .[ 1 .1 01 .1 68 .1 5 2 0 9 2 4 1 0 .1 : 1 : 2 .2 I P rt 2 c o 17 0 sr c p P: t: 8 sr t I or s d tp s d 5 rk 5 o .2 w 5 et 5 N 5.2 al 5 r n /2 te .0 In 8.1 6 .1 AT N ce ur he k so t or d ic een tw net ge e am tw l n ter an yn e a n ch D b ern e I ot t h n in d t r t an po e rc u so .0 ] 15 31 [1 0. 3 2 01 12 .1 0. .2 5 2 0 7 2 4 1 0 .1 : 1 : 2 .2 I P rt 2 c o 17 0 sr p : 8 c P t: sr t I or s d tp s d
Dynamic source NAT without changing the source port (one-to-one source NAT) diagnose sniffer packet any 'port 80' 4 18 interfaces=[any] filters=[port 80] 17.388234 internal in 192.168.1.110.2415 -> 172.20.120.101.80: syn 1350596827 17.392883 wan1 out 172.20.120.13.2415 -> 172.20.120.101.80: syn 1350596827 17.395249 wan1 in 172.20.120.101.80 -> 172.20.120.13.2415: syn 927139461 ack 1350596828 17.395425 internal out 172.20.120.101.80 -> 192.168.1.110.2415: syn 927139461 ack 1350596828 17.395537 internal in 192.168.1.110.2415 -> 172.20.120.101.80: ack 927139462 17.395626 wan1 out 172.20.120.13.2415 -> 172.20.120.101.80: ack 927139462 17.406820 internal in 192.168.1.110.2416 -> 172.20.120.101.80: syn 1206067881 17.407038 wan1 out 172.20.120.13.2416 -> 172.20.120.101.80: syn 1206067881 17.407246 wan1 in 172.20.120.101.80 -> 172.20.120.13.2416: syn 921167482 ack 1206067882 17.407383 internal out 172.20.120.101.80 -> 192.168.1.110.2416: syn 921167482 ack 1206067882 17.407493 internal in 192.168.1.110.2416 -> 172.20.120.101.80: ack 921167483 17.407582 wan1 out 172.20.120.13.2416 -> 172.20.120.101.80: ack 921167483 2.872214 internal in 192.168.1.120.2483 -> 172.20.120.101.80: syn 543091999 2.872890 wan1 out 172.20.120.14.2483 -> 172.20.120.101.80: syn 543091999 2.873090 wan1 in 172.20.120.101.80 -> 172.20.120.14.2483: syn 868936759 ack 543092000 2.873263 internal out 172.20.120.101.80 -> 192.168.1.120.2483: syn 868936759 ack 543092000 2.873413 internal in 192.168.1.120.2483 -> 172.20.120.101.80: ack 868936760 2.873513 wan1 out 172.20.120.14.2483 -> 172.20.120.101.80: ack 868936760
The first six output lines show a session from IP address 192.168.1.110 where the source IP address has been translated to 172.20.120.13. The source port remains unchanged at 2415. The next six output lines also show a session from IP address 192.168.1.110 where the source IP address has been translated to 172.20.120.13. The source port for this session was 2416 and was also not changed. The final six output lines show a session from IP address 192.168.1.120 where the source IP address has been translated to 172.20.120.14. The source port for this session was 2483 and was also not changed. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage. If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem.
165
Dynamic source NAT using the central NAT table

Problems How to use the central NAT table to
cause packets with a specific range of source ports (3380 to 3400) to have their source ports and source IP addresses translated differently than packets with other source ports.
2. in 1 6 te 8. r n 1. al 99
Solution The central NAT table provides full
control over how source addresses and source ports are translated and is the only solution when you want to control how source ports are translated. By using the central NAT table, you can specify an incoming source address range and source port range and specify how the source address and source ports are translated. This can be useful for protocols that require a fixed source port or that require the source port be translated in a controlled and predictable way. In this example: Packets with a source IP on the internal network and a source port in the range 3380 to 3400 will have their source address translated to an address in the range 172.20.120.[13-15] and their source ports translated to a port number in the range 30000 to 30020. Packets with a source IP on the internal network and a source port in the range 1 to 3379 and 3401 to 65,535 will have their source address translated to the IP address of the FortiGate wan1 interface (172.20.120.11). This is the default source NAT behavior. 1 Go to Firewall Objects > Virtual IP > IP Pool and select Create New to add the following IP pool. Name IP Range/Subnet Dynamic-Source 172.20.120.13-172.20.120.15
2 Go to Firewall Objects > Address> Address and select Create New to add the following firewall address. Name Type Subnet / IP Range Interface Internal Network Subnet / IP Range 192.168.1.1 - 192.168.1.255 internal
3 Go to System > Admin > Settings and under Display Options on GUI, make sure the Central NAT Table option is selected. 4 Select Apply if you made a change. 5 Go to Policy > Policy > Central NAT Table and select Create New to add a central NAT table entry. Source Address Translated Address
166
Internal Network Dynamic-Source

17
2.
20
.1 wa 20 n .1 1 1 Ex 17 te 17 2. r na 17 2. 20 l I 2. 20 .12 Ps 2 0 .1 0 .1 2 0 .1 3 2 0 .1 .1 4 5
19
1 9 2 ] 1 55 3 -2 ] 2 .[ 1 0 0 .1 3 4 0 1 6 8 - .1 .1 0 2 0 9 2 3 8 0 .1 : 1 : [ 3 .2 I P rt 2 c o 17 0 sr c p P: t: 8 sr t I or s d tp s d rk 5 o .2 w 5 et 5 N 5.2 al 5 r n /2 te .0 In 8.1 6 5 .0 .1 e bl ta rce AT ou n l N g s tio tra llin sla en o n C ntr tra t co or p ] 15 3- 0] 1 [1 2 0. 00 1 3 2 12 3 0 0 . - .1 .2 0 0 2 0 7 2 0 0 0 .1 : 1 : [ 3 .2 I P rt 2 c o 17 0 sr c p P: t: 8 sr t I or s d tp s d
Original Source Port Translated Port
3380 - 3400 30000 - 30020
6 Go to Policy > Policy > Policy and select Create New to add the following security policy that allows users on the private network to access the Internet. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action internal all wan1 all always ANY ACCEPT
7 Select Enable NAT and Use Central NAT Table. 8 Select OK to save the security policy.
Results All packets accepted by this security policy from the internal network with source ports in the
range 3380 to 3400 have their source IP addresses translated to one of the IP addresses in the IP pool. (172.20.120.[13-15]) and their source ports translated to a number in the range 30000 to 30020. Packets with any other source port are handled according to the default source NAT behavior (if you selected Use Destination Interface Address). Test the configuration by browsing a website on the Internet from any IP address on the internal network. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 8 interfaces=[any] filters=[port 80] 5.117683 internal in 192.168.1.110.3364 -> 172.16.100.148.80: syn 3821216192 5.117980 wan1 out 172.20.120.11.40360 -> 172.16.100.148.80: syn 3821216192 5.177848 wan1 in 172.16.100.148.80 -> 172.20.120.11.40360: syn 1388291811 ack 3821216193 5.178020 internal out 172.16.100.148.80 -> 192.168.1.110.3364: syn 1388291811 ack 3821216193 5.178181 internal in 192.168.1.110.3364 -> 172.16.100.148.80: ack 1388291812 5.178297 wan1 out 172.20.120.11.40360 -> 172.16.100.148.80: ack 1388291812 6.950657 wan1 in 172.16.100.148.80 -> 172.20.120.11.40360: fin 1388326799 ack 3821216763 129.595427 internal in 192.168.1.110.3385 -> 172.20.120.101.80: syn 2385736674 129.595715 wan1 out 172.20.120.13.30005 -> 172.20.120.101.80: syn 2385736674 129.598782 wan1 in 172.20.120.101.80 -> 172.20.120.13.30005: syn 2238273308 ack 2385736675 129.598923 internal out 172.20.120.101.80 -> 192.168.1.110.3385: syn 2238273308 ack 2385736675 129.599054 internal in 192.168.1.110.3385 -> 172.20.120.101.80: ack 2238273309 129.599164 wan1 out 172.20.120.13.30005 -> 172.20.120.101.80: ack 2238273309 144.656912 wan1 in 172.20.120.101.80 -> 172.20.120.13.30005: fin 2238273938 ack 2385737098 144.657027 internal out 172.20.120.101.80 -> 192.168.1.110.3385: fin 2238273938 ack 2385737098 145.982513 internal in 192.168.1.110.3385 -> 172.20.120.101.80: fin 2385737098 ack 2238273939 145.982631 wan1 out 172.20.120.13.30005 -> 172.20.120.101.80: fin 2385737098 ack 2238273939
The first seven output lines show a session from IP address 192.168.1.110 with a source port of 3364. Since this source port is outside the range specified in the central NAT table entry (3380 to 3400) the source port has been translated to any source port (in this case 40360) and the source address has been translated to 172.20.120.11 (the IP address of the wan1 interface).
167
The next ten output lines show sessions from IP address 192.168.1.110 with a source port of 3385. Since this source port is in the range specified in the central NAT table entry the source port has been translated to 30005, which is in the range specified in the central NAT table entry (30000 to 30020) and the source address has been translated to 172.20.120.13, one of the addresses in the IP pool. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage. If you can browse the web from the internal network, your configuration is successful. If you cannot, try the steps described in Troubleshooting NAT/Route mode installations on page 20 to find the problem.
168
Allowing access to a web server on an internal network when you only have one Internet IP address
Problem You want to allow users on the Internet to
access a web server on your internal network. You have only one Internet address (172.20.120.14), which is the address of the FortiGate wan1 interface.
12 0. 0 12 0. 11 .2 ] .1. 72 ny 68 : 1 : [a .1 IP rt 2 c o 19 0 sr c p P: t: 8 sr I r st o d tp s d
3 2
19 2. in 16 te 8. rn 1. al 99
Solution In this basic DNAT example, to allow
connections to the web server, you must configure the FortiGate unit to accept HTTP sessions with a destination address of 172.20.120.14 and translate this destination IP address to the IP address of the web server (192.168.1.110) before forwarding the session to the internal network. 1 Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that maps the wan1 interface IP address to the web server IP address. Name External Interface Type External IP Address/Range Mapped IP Address/Range 2 Select OK to save the VIP. 3 Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the Internet to access the web server. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wan1 all internal Web Server VIP always HTTP ACCEPT Web Server VIP wan1 Static NAT 172.20.120.14-172.20.120.14 192.168.1.110-192.168.1.110
4 Select OK to save the security policy. If you select NAT, the source address is changed to the internal interface address. Normally, you would not want to perform source NAT since this has the affect of hiding the actual source address of the sessions.
17 2. 20 .1 wa 20 n .1 1 4
3 2 1
n o r rk ve o w 0 er t 1 S Ne .1 .1 eb te 8 W iva .16 r P 92 ses De si sti to ons f natio the rom n N we th AT b s e In for erv ter er net
12 0. 4 12 .1 0. .2 ] 20 72 ny 0.1 : 1 : [a .2 IP rt 2 c o 17 80 sr p c P: t: sr t I or s d tp s d
169
Results All HTTP packets accepted by this security policy have their destination IP addresses
translated from 172.20.120.14 to 192.168.1.110 before being forwarded to the Internal network where they are received by the web server. The source IP address and source port are not changed. As a result of this configuration, you cannot establish an administrative connection to the wan1 interface because all sessions with a destination address of the wan1 interface (172.20.120.14) are accepted or denied by the security policy. This configuration is not recommended, especially if you want to remotely administer your FortiGate unit from the wan1 interface. Instead, you should get another Internet IP address for the web server and change the VIP to forward this address to the web server. Test destination NAT by browsing to http://172.20.120.14 from the Internet. The session passes through the FortiGate unit to the web server which sends a response. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 4 interfaces=[any] filters=[port 80] 6.150356 wan1 in 172.20.120.12.51439 -> 172.20.120.14.80: syn 15893888 6.150637 internal out 172.20.120.12.51439 -> 192.168.1.110.80: syn 15893888 6.150803 internal in 192.168.1.110.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889 6.150974 wan1 out 172.20.120.14.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
The first output line shows a packet from a client device with IP address 172.20.120.12 was received by the wan1 interface with destination address 172.20.120.14 and destination port 80. The second output line shows that when the packet exits the internal interface the destination address is changed to 192.168.1.110 and the destination port is still 80. The third output line shows the response from the web server. The fourth output line shows the response from the web server being returned to the client device. The source address has been changed back to 172.20.120.14. In this example, the source port is not changed. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.
170
Allowing Internet access to a web server on a protected network when you only have one Internet IP address, using port translation
Problem You want to allow users on the Internet to
access a web server on your internal network. You only have one Internet address (172.20.120.14), which is being used by the FortiGate wan1 interface.
12 0. 0 12 0. 11 .2 ] .1. 72 ny 68 : 1 : [a .1 IP rt 2 c o 19 0 sr p : 8 c P t: sr t I or s d tp s d
3 2
19
2. in 16 te 8. rn 1. al 99
17
3 2 1
Solution In this DNAT example, to allow connections
to the web server you must configure the FortiGate unit to accept HTTP sessions with a destination address of 172.20.120.14 and translate this destination IP address to the IP address of the web server (192.168.1.110) before forwarding the session to the internal network. In addition, the web server accepts connections on the standard HTTP port (port 80), but you want sessions from the Internet to the web server to use port 8080. The FortiGate unit must also translate the destination port from 8080 to 80. 1 Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that maps the wan1 interface IP address to the web server IP address and maps connections from port 8080 to port 80. Name External Interface Type External IP Address/Range Mapped IP Address/Range Web Server VIP wan1 Static NAT 172.20.120.14-172.20.120.14 192.168.1.110-192.168.1.110
2 Select Port Forwarding and configure the following port forwarding settings: Protocol External Service Port Map to Port 3 Select OK to save the VIP. 4 Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the Internet to access the web server. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule
TCP 8080 - 8080 80 - 80
wan1 all internal Web Server VIP always

171
2.
20
.1 wa 20 n .1 1 4
n o r rk ve wo 0 er t 1 S Ne .1 .1 eb te 8 W iva .16 r P 92 1 i th w r et AT fo n N n er n io nt io at I er at nsl the rv tin ra m se es t o b D rt fr e po ns e w io h ss o t se t 12 0. 4 12 .1 0. .2 ] 20 72 ny 0.1 : 1 : [a .2 IP rt 2 80 c o 17 0 sr c p P: t: 8 sr t I or s d tp s d
Service Action
HTTP ACCEPT
translated from 172.20.120.14 to 192.168.1.110 and their destination port translated from 8080 to 80 before being forwarded to the Internal network where they are received by the web server. The source IP address and source port are not changed. Even though in the security policy, the Service is set to the HTTP predefined service, which would normally only receive packets on port 80, this configuration still accepts HTTP packets on port 8080. Test destination NAT by browsing to http://172.20.120.14:8080. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80 or port 8080' 4 4 interfaces=[any] filters=[port 80 or port 8080] 8.823058 wan1 in 172.20.120.12.52568 -> 172.20.120.14.8080: syn 2855697809 8.829146 internal out 172.20.120.12.52568 -> 192.168.1.110.80: syn 2855697809 8.829287 internal in 192.168.1.110.80 -> 172.20.120.12.52568: syn 2151198672 ack 2855697810 8.838931 wan1 out 172.20.120.14.8080 -> 172.20.120.12.52568: syn 2151198672 ack 2855697810
The first output line shows a packet from a client device with IP address 172.20.120.12 was received by the wan1 interface with destination address 172.20.120.14 and destination port 8080. The second output line shows that when the packet exits the internal interface the destination address is changed to 192.168.1.110 and the destination port has been changed to 80. The third output line shows the response from the web server. The fourth output line shows the response from the web server being returned to the client device. The source address has been changed back to 172.20.120.14 and the source port to 8080. The original source port is not changed. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more information about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.
172
Allowing Internet access to a web server on a protected network when you have an IP address for the web server
Problem You want to allow users on the
Internet to access a web server on your internal network. You have an Internet address for the web server (172.20.120.11) that is different than the Internet address of the FortiGate wan1 interface (172.20.120.14).
12 0. 0 12 0. 11 .2 ] .1. 72 ny 68 : 1 : [a .1 IP rt 2 c o 19 0 sr p : 8 c P t: sr t I or s d tp s d
3 2
19
2. in 16 te 8. rn 1. al 99
17
3 2 1
Solution In this DNAT example, to allow
connections to the web server, you must configure the FortiGate unit to accept HTTP sessions with a destination address 172.20.120.11 and translate this destination IP address to 192.168.1.110 before forwarding the session to the web server. 1 Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that maps the wan1 interface IP address to the web server IP address. Name External Interface Type External IP Address/Range Mapped IP Address/Range 2 Select OK to save the VIP. 3 Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the Internet to access the web server. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wan1 all internal Web Server VIP always HTTP ACCEPT Web Server VIP wan1 Static NAT 172.20.120.11-172.20.120.11 192.168.1.110-192.168.1.110
2.
20
.1 wa 20 n .1 1 4
n o r rk ve wo 0 er t 1 S Ne .1 .1 eb te 8 W iva .16 r P 92 1 r ss v e re er d 1 S ad .1 0 eb t IP 12 . r t W ne 20 r . fo rne te 2 AT te In 17 N In n e er io th rv at m se tin ro b es f e D ons e w i h ss o t se t 12 0. 1 12 .1 0. .2 ] 20 72 ny 0.1 : 1 : [a .2 IP rt 2 c o 17 0 sr c p P: t: 8 sr t I or s d tp s d
173
translated from 172.20.120.11 to 192.168.1.110 before being forwarded to the Internal network where they are received by the web server. The source IP address and source port are not changed. Test destination NAT by browsing to http://172.20.120.11 from the Internet. The session passes through the FortiGate unit to the web server which sends a response. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 interfaces=[any] filters=[port 80] 3.454327 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: syn 3420016827 3.458908 internal out 172.20.120.12.51526 -> 192.168.1.110.80: syn 3420016827 3.459044 internal in 192.168.1.110.80 -> 172.20.120.12.51526: syn 3323826862 ack 3420016828 3.468915 wan1 out 172.20.120.11.80 -> 172.20.120.12.51526: syn 3323826862 ack 3420016828 3.469133 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: ack 3323826863 3.469260 internal out 172.20.120.12.51526 -> 192.168.1.110.80: ack 3323826863 3.470322 internal in 192.168.1.110.80 -> 172.20.120.12.51526: psh 3323826863 ack 3420017308 3.470453 wan1 out 172.20.120.11.80 -> 172.20.120.12.51526: psh 3323826863 ack 3420017308
The first output line shows a packet from a client device with IP address 172.20.120.12 was received by the wan1 interface with destination address 172.20.120.11 and destination port 80. The second output line shows that when the packet exits the internal interface the destination address is changed to 192.168.1.110 and the destination port is still 80. The third output line shows the response from the web server. The fourth output line shows the response from the web server being returned to the client device. The source address has been changed back to 172.20.120.11. The source port is not changed. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active session for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph form the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage. Allowing the web server to connect to the Internet You can add the following security policy to allow sessions from the web server to connect to the Internet. (The web server might need to contact servers on the Internet for software updates, etc.) Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule internal all wan1 all always
174
Service Action
ANY ACCEPT
Select Enable NAT and Use Destination Interface Address. All sessions from the web server to the Internet that are accepted by this security policy have their source addresses translated to 172.20.120.14, the wan1 interface IP address. Start a connection from the web server to the Internet and use the following packet sniffer command to see the results:
diagnose sniffer packet any 'port 80' 4 6 interfaces=[any] filters=[port 80] 16.796304 internal in 192.168.1.110.2703 -> 172.20.120.101.80: syn 2181076939 16.798962 wan1 out 172.20.120.14.55811 -> 172.20.120.101.80: syn 2181076939 16.799160 wan1 in 172.20.120.101.80 -> 172.20.120.14.55811: syn 1829260053 ack 2181076940 16.799335 internal out 172.20.120.101.80 -> 192.168.1.110.2703: syn 1829260053 ack 2181076940 16.799493 internal in 192.168.1.110.2703 -> 172.20.120.101.80: ack 1829260054 16.799594 wan1 out 172.20.120.14.55811 -> 172.20.120.101.80: ack 1829260054
175
Configuring port forwarding to open ports on a FortiGate unit

Problem You want to allow incoming connections
from the Internet to a PC on the internal network so that the PC can access an Internet service that requires open ports. The service requires opening TCP ports in the range 7882 to 7999, as well as opening UDP ports 2119 and 2995.
19 2. in 16 te 8. rn 1. al 99
Solution This DNAT example describes how to

configure firewall VIPs to map the following sessions to the PC on the internal network:
TCP sessions to the wan1 IP address with destination port in the range 7882 to 7999. UDP sessions to the wan1 IP address with destination port 2119 or 2995. The solution involves creating multiple VIPs that map sessions from the wan1 IP address to the PC IP address and adding the VIPs to a VIP group and adding that VIP group to a wan1 to internal security policy. 1 Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that maps connections to the wan1 interface on ports 7882 to 7999 to the server. Name External Interface Type External IP Address/Range Mapped IP Address/Range Port Range VIP wan1 Static NAT 172.20.120.14-172.20.120.14 192.168.1.110-192.168.1.110
2 Select Port Forwarding and configure the following port forwarding settings: Protocol External Service Port Map to Port 3 Select OK to save the VIP. 4 Select Create New to add a virtual IP that maps connections to the wan1 interface on UDP port 2119 to the server. Name External Interface Type External IP Address/Range Mapped IP Address/Range
176
TCP 7882 - 7999 7882 - 7999
First UDP Port VIP wan1 Static NAT 172.20.120.14-172.20.120.14 192.168.1.110-192.168.1.110

17 2. 20 .1 wa 20 n .1 1 4
1
rk n o o tw 0 C e 11 P N .1. te 8 va 6 ri .1 P 92 1 en T 2 CP Inte for tr 119, ports affi and 78 rne t to c fro 299 82the m t 5 7999 , ser he ver Op o 12 3 0. 9, 2 1 11 12 .1 2 0. .2 ] 20 9, 72 ny 0.1 99 : 1 : [a .2 -7 IP rt 2 82 c o 17 8 sr c p P: t: 7 sr I r st o 1 d tp s d 3 12 2 0. 9, 0 11 12 0. 11 2 .2 ] .1. 9, 72 ny 68 99 : 1 : [a .1 -7 5 IP rt 2 82 9 c o 19 8 9 sr c p P: t: 7 r 2 sr I r o st o d tp s d r 95 29
5 Select Port Forwarding and configure the following port forwarding settings: Protocol External Service Port Map to Port 6 Select OK to save the VIP. 7 Select Create New to add a virtual IP that maps connections to the wan1 interface on UDP port 2995 to the server. Name External Interface Type External IP Address/Range Mapped IP Address/Range Second UDP Port VIP wan1 Static NAT 172.20.120.14-172.20.120.14 192.168.1.110-192.168.1.110 UDP 2119 2119
8 Select Port Forwarding and configure the following port forwarding settings: Protocol External Service Port Map to Port 9 Select OK to save the VIP. 10 Go to Firewall Objects > Virtual IP > VIP Group and select Create New to add a VIP Group that includes all three VIPs. Group Name Interface Server VIP Group wan1 UDP 2995 2995
11 Add Server Port Range, First UDP Port VIP, and Second UDP Port VIP to the Members list. 12 Go to Policy > Policy > Policy and select Create New to add a policy that accepts includes the VIP Group. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wan1 all internal Server VIP Group always ANY ACCEPT
177
Results All packets accepted by this security policy have to have a destination port defined in the VIPs.
The VIPs also translate the destination IP address 172.20.120.14 to 192.168.1.110 before being forwarded to the Internal network where they are received by the server. The destination ports, source IP address and source port are not changed. Test the configuration by operating the service and using the packet sniffer to see the results. For example, you could try the following command:
diagnose sniffer packet any 'port 7882' 4 interfaces=[any] filters=[port 7882] 4.150689 wan1 in 172.20.120.12.56825 -> 172.20.120.14.7882: syn 2904689044 4.150936 internal out 172.20.120.12.56825 -> 192.168.1.110.7882: syn 2904689044 4.151102 internal in 192.168.1.110.7882 -> 172.20.120.12.56825: syn 1081214414 ack 2904689045 4.151258 wan1 out 172.20.120.14.7882 -> 172.20.120.12.56825: syn 1081214414 ack 2904689045
Other commands could include: diagnose sniffer packet any 'port 7882 or port 7883' 4 diagnose sniffer packet any 'udp and port 2119 or port 2995' 4 Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active session for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph form the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more info about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.
178
Dynamic destination NAT for a range of IP addresses

Problem In this DNAT example, you want to
allow users on the Internet to access four different web servers on your internal network. You have three Internet addresses for the web servers (172.20.120.100-103) and each server has a different IP address on the Internal network (192.168.20.120-123).
17
3 2 1
Solution To allow connections to the web
server, you must configure the FortiGate unit to accept HTTP sessions with a destination address in the range 172.20.120.100-103 and translate this destination IP address to 192.168.1.120-123 before forwarding the session to a web server. In addition, the port used by each web server to accept HTTP connections is the standard HTTP port 80. But you want connections from the Internet to the web servers to use port 8000. 1 Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that maps the internet IP addresses of the web server to its actual internal network IPs. Name External Interface Type External IP Address/Range Mapped IP Address/Range Web Server Range VIP wan1 Static NAT 172.20.120.100-172.20.120.103 192.168.1.120-192.168.1.123
2 Select Port Forwarding and configure the following port forwarding settings: Protocol External Service Port Map to Port 3 Select OK to save the VIP. 4 Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the Internet to access the web server. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action wan1 all internal Web Server Range VIP always HTTP ACCEPT TCP 8000 - 8000 80 - 80
2.
20
.1 wa 20 n .1 1 4
3 2
19
2. in 16 te 8. rn 1. al 99
n o k rs or 23 ve tw 1 er e 0S N 12 . eb te .1 W va 8 ri 6 P .1 2 9 1 s r se ve es 03 er r 1 S dd 0a 0 eb P .1 W t I 20 e .1 r t fo rne ern 20 t . AT te N In s In 72 n e r 1 i o th ve at m ser tin ro b es f e D ons e w i h ss t se to
3 12 0. 12 012 0. 12 .2 ] .1. 72 ny 68 : 1 : [a .1 IP rt 2 c o 19 0 sr c p P: t: 8 sr t I or s d tp s d
03 12 -1 0. 00 12 .1 0. .2 ] 20 72 ny 0.1 : 1 : [a .2 IP rt 2 80 c o 17 0 sr p : 8 c P t: sr t I or s d tp s d
179
Results HTTP packets accepted by this security policy have their destination IP addresses translated
as follows: 172.20.120.100 to 192.168.1.120 172.20.120.101 to 192.168.1.121 172.20.120.102 to 192.168.1.122 172.20.120.103 to 192.168.1.123 In all cases the destination port is translated from 8080 to 80. The source IP address and source port are not changed. Test destination NAT by browsing to http://172.20.120.100 - 103:8000 from the Internet. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80 or port 8000' 4 interfaces=[any] filters=[port 80 or port 8000] 10.603074 wan1 in 172.20.120.12.57053 -> 172.20.120.100.8000: syn 3591312927 10.603312 internal out 172.20.120.12.57053 -> 192.168.1.120.80: syn 3591312927 10.603479 internal in 192.168.1.120.80 -> 172.20.120.12.57053: syn 3848795067 ack 10.603635 wan1 out 172.20.120.100.8000 -> 172.20.120.12.57053: syn 3848795067 ack 16.422671 wan1 in 172.20.120.12.57070 -> 172.20.120.102.8000: syn 1145994219 16.422927 internal out 172.20.120.12.57070 -> 192.168.1.122.80: syn 1145994219 16.423096 internal in 192.168.1.122.80 -> 172.20.120.12.57070: syn 3958945838 ack 16.423264 wan1 out 172.20.120.102.8000 -> 172.20.120.12.57070: syn 3958945838 ack
3591312928 3591312928
1145994220 1145994220
The first output line shows a packet from a client device with IP address 172.20.120.12 was received by the wan1 interface with destination address 172.20.120.100 and destination port 8000. The second output line shows that when the packet exits the internal interface the destination address is changed to 192.168.1.120 and the destination port has been changed to 80. The third output line shows the response from the web server. The fourth output line shows the response from the web server being returned to the client device. The source address has been changed back to 172.20.120.100 and the source port back to 8000. The original source port is not changed. Go to Policy > Policy > Policy and check the Count column for the security policy you added to verify that it is processing traffic. Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active sessions for each policy. Since there is only one policy, that graph contains only one entry. You can select the bar graph for the policy to view the top sessions by source address, destination address, or destination port/service. The Top Sessions dashboard widget presents another view of sessions that you can also drill down into to get more information about current sessions. Other dashboard widgets display session history, traffic history, and per-IP bandwidth usage.
180
UTM Profiles
UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS), email filtering, and data leak prevention (DLP) apply core UTM security functions to traffic accepted by security policies. The FortiGate unit comes pre-configured with default UTM profiles for all of these security features, and you can apply UTM features to traffic accepted by a security policy by selecting the default profiles for the UTM features that you want to apply. You can also create UTM profile groups to group together sets of UTM profiles to further simplify adding UTM features to security policies. The default profiles are designed to provide basic protection. You can modify the default profiles for you needs or create new ones. Creating multiple profiles means you can apply different levels of protection to different traffic types according to the security policies that accept the traffic. In addition to the basic set of UTM profiles, the FortiGate unit includes specialized profiles for protecting SIP and SCCP VoIP traffic and offloading additional security functions using ICAP. Endpoint control profiles are created to ensure that workstation computers (also known as endpoints) on your network, meet the networks security requirements; otherwise, they are not permitted access. Enhanced by Fortinets FortiClient Endpoint Security software, FortiGate endpoint control can block or control access through the FortiGate unit for workstation computers depending on the security functions enabled on the computers and the applications running on them. After creating endpoint control profiles, you can add endpoint security profiles to security policies. The final UTM profile feature, vulnerability scanning is independent of security policies. By using vulnerability scanning, you can scan computers on your network for multiple vulnerabilities, and take action to remove those vulnerabilities. This chapter includes the following UTM examples: Protecting your network against greyware Protecting your network against legacy viruses Changing the maximum file size that the AV scanner examines Blocking files that are too large to scan for viruses Improving FortiGate performance with flow-based UTM scanning Limiting the types of web sites your users can visit Prevent offensive search results in Google, Bing and Yahoo search engines Finding the FortiGuard web filter category of a URL Listing the web sites your users have visited Using FortiGuard web filtering to block access to web proxies Blocking access to streaming media using web filtering Blocking access to specific web sites Blocking all web sites except those you specify using a whitelist Configuring FortiGuard web filtering to check IP addresses as well as URLs
UTM Profiles
Configuring FortiGuard web filtering to check images as well as URLs Applying ratings to HTTP redirects Visualizing the applications on your network Preventing the use of instant messaging clients Blocking access to social media web sites Blocking peer-to-peer file sharing Configuring IPS to stop traffic if the scanner fails Protecting against denial of service attacks Filtering incoming spam Blocking outgoing email containing sensitive information Using the FortiGate vulnerability scanner to check your network for vulnerabilities
182
Protecting your network against greyware
Protecting your network against greyware

Problem You need to stop users from downloading
and installing software that could potentially be greyware. Users can unintentionally install software designed to display ads, allow remote access, or even transmit information. The best way to deal with greyware is to prevent it from entering your network before it can cause problems.
Internal network Greyware FortiGate Unit
Greyware
Solution Enable greyware scanning.

1 Go to UTM Profiles > AntiVirus > Virus Database. 2 Select Enable Grayware Detection. By enabling grayware detection, all security policies with antivirus protection will also detect greyware. If you have configured your FortiGate unit to protect your network against viruses, enabling greyware protection allows your FortiGate unit to scan for greyware threats as well.
Results With greyware detection enabled, all traffic scanned for viruses is also scanned for greyware.
Greyware scanning works in parallel with antivirus scanning. To protect against greyware, ensure the security policy allowing the traffic to be protected has an antivirus profile active in which antivirus scanning is enabled. If traffic is not scanned for viruses, it is not scanned for greyware, even if greyware detection is enabled.
183
Protecting your network against legacy viruses
Protecting your network against legacy viruses

Problem Protecting a network from viruses that are nolonger common on the Internet.
Internal network Attacks FortiGate Unit
Solution Configure your FortiGate unit to use the

Extreme Virus Database. 1 Go to UTM Profiles > AntiVirus > Virus Database. 2 Select the Extreme Virus database. 3 Select OK.
Attacks
In addition to the signatures of current common viruses, the Extreme Virus Database contains signatures of all the viruses detected by the FortiGuard Antivirus Service. If your FortiGate unit does not offer the Extreme Virus Database, select the Extended Virus Database. The extended database contains the signatures of current common viruses and a large library of older viruses that are no longer common. While larger AV databases can detect more viruses, they also require more resources. For regular virus protection, use the normal virus database. If you choose a more capable database for all AV scanning, and your FortiGate unit frequently enters conserve mode, you may need to consider measures to save system memory. Only the some FortiGate units support all the AV databases. Other FortiGate units offer a subset from which you may choose. All FortiGate units have the Regular Virus Database, which includes all the currently detected viruses on the Internet.
Results Manually force a virus database update to ensure the database is current.
1 Go to System > Config > FortiGuard. 2 Expand AntiVirus and IPS Options. 3 Select Update Now. Confirm that the update has occurred. 1 Go to Log&Report > Log & Archive Access > Event Log. 2 Check the recent log entries for one that begins with Fortigate update now. This indicates a manually triggered update. If the log entry timestamp matches when you triggered the manual update, the virus database was updated successfully. If the update does not occur, ensure that you have an antivirus profile in which antivirus scanning is enabled and selected in a security policy. If no antivirus scanning is enabled, no antivirus databases are updated.
184
Changing the maximum file size that the AV scanner examines
Changing the maximum file size that the AV scanner examines

Problem How to scan larger downloaded files for viruses.
Internal network
ANTIVIRUS/ ANTISPYWARE
Solution Use the uncompsizelimit CLI command to

change the maximum uncompressed file size that the antivirus service will scan. In this example, the antivirus service is configured to scan uncompressed files up to 15 MB in size. config antivirus service http set uncompsizelimit 15 end The size limit can be set for FTP, HTTP, IM, IMAP, NNTP, POP3, and SMTP traffic. If your FortiGate unit supports encrypted content inspection, you can also set the size limit for FTPS, HTTPS, IMAPS, POP3S, and SMTPS traffic. Archive files, such as ZIP and RAR, are extracted and the contents are scanned for viruses. The total size of all the contents of an archive must be smaller than the uncompsizelimit for the archive contents to be scanned for viruses. The default value is 10 MB. The maximum size varies by FortiGate model. To determine the limit for your model, enter: config antivirus service http set uncompsizelimit ? The result is a brief description of the command and the acceptable range. For example: <value> max uncompressed size to scan (1-547MB or use 0 for unlimited) Entering an uncompsizelimit of 0 indicates no maximum size restriction. This setting is not recommended.
FortiGate Unit
Results The FortiGate antivirus scanner will examine any file smaller than the size limit you set. For
archives, the extracted contents must total a size smaller than the limit to be scanned. If you increase the size limit, you may be more likely to push the FortiGate unit into conserve mode because each simultaneous download has the potential to make a greater demand on the available memory.
185
Blocking files that are too large to scan for viruses
Blocking files that are too large to scan for viruses

Problem You need to make sure that files too large to be
scanned for viruses are not passed to your internal network.
Internal network
ANTIVIRUS/ ANTISPYWARE
FortiGate Unit
Solution Configure the protocol options to block files

larger than the FortiGate is configured to cache. This procedure applies only to proxy-based scanning. Flow-based scanning has no maximum file size limits. 1 Go to Policy > Policy > Protocol Options and expand HTTP. 2 Set Oversized File/Email to Block. 3 If you have used the uncompsizelimit CLI command to change the maximum scan size, change the Threshold value to match the setting you used. The default value for all FortiGate models is 10 MB. 4 All the protocols have default values of Pass and 10 MB. Change the settings for each protocol as required.
Results If you leave the Threshold setting at 10 MB and set the Oversized File/Email action to Block,
any attempt to download a file larger than 10 MB is blocked. The FortiGate unit displays a replacement message explaining why the attempt failed. Each supported content protocol can be configured separately. You can set some to Block and others Pass, and each can have a different threshold.
186
Improving FortiGate performance with flow-based UTM scanning

Problem You need faster UTM scanning or you need
UTM scanning to use fewer FortiGate resources.
Solution Enable flow-based antivirus scanning, web

filtering, and DLP.
Attacks
In addition to faster scanning, flow-based scanning can save considerable resources. Flowbased scans involves examination of the files as they pass through while proxy-based scans require that files are cached as they come in and examined once complete. This takes more memory. Flow-based scanning is an ideal solution to ease the memory requirements of some UTM scans, but it can be difficult to achieve. The problem is that if any proxy-based scan is active, files are cached. For example, if you configure antivirus and DLP to use flow-based scanning, and leave web filtering as a proxybased scan, no memory is saved. This is especially true for features that dont support flowbased scanning, such as web content filtering. Even if your FortiGate unit is configured so that flow-based scanning does not save memory, there is an advantage to using it. Should your FortiGate unit approach its memory or session limits, it will enter conserve mode. Conserve mode stops all proxy-based scans on new connections until the FortiGate unit leaves conserve mode. UTM features using flow-based scans will continue to protect network traffic without interruption. Enable flow-based antivirus scanning 1 Go to UTM Profiles > AntiVirus > Virus Database. 2 Select Flow-based Virus Database. Note that flow-based scanning is not available on all FortiGate units. 3 Select Apply. Flow-based antivirus scanning is used to examine network traffic instead of the default proxybased scan. Files will be checked as they flow through the FortiGate unit, rather than being buffered and examined whole. Advantages of flow-based antivirus scanning include faster scanning, lower memory requirements, and no file size limitation. Clients also begin receiving download file data immediately. Disadvantages include no detection of polymorphic and self-cloaking viruses, support for fewer file archive formats, and no replacement messages. Enable flow-based web filtering 1 Go to UTM Profiles > Web Filter > Profile. 2 Select Proxy from the Inspection Mode setting. 3 Select Apply. Flow-based scanning does not support web content filtering. If you use flow-based web filtering and enable web content filtering, the FortiGate will use proxy-based scanning for web content filtering and flow-based scanning for other web filtering. Flow-based web filtering is used to filter web traffic instead of the default proxy-based scan. Files will be checked as they flow through the FortiGate unit, rather than being buffered and examined whole.
187
Advantages of flow-based antivirus scanning include faster scanning, lower memory requirements, and no file size limitation. Clients also begin receiving download file data immediately. Disadvantages include support for fewer file archive formats and no support for web content filtering, meaning that both flow-based and proxy-based scanning operates when web filtering is configured for flow-based scanning and web content filtering is enabled. Enable flow-based DLP 1 Go to UTM Profiles > Data Leak Prevention > Profile. 2 Select Proxy-based Detection from the Inspection Method setting. 3 Select Apply. Advantages of flow-based antivirus scanning include faster scanning, lower memory requirements, and no file size limitation. Clients also begin receiving download file data immediately. Disadvantages include no detection of polymorphic and self-cloaking viruses and support for fewer file archive formats.
188
Limiting the types of web sites your users can visit
Limiting the types of web sites your users can visit

Problem You need to control the web sites your users can
visit, but you dont have the resources to create and maintain a URL list of web sites.
Internal network
WEB FILTERING
FortiGate Unit
Solution FortiGuard web filtering assigns web sites into

nearly 100 categories. The categories are organized into six major groups. You can configure web filter profiles to allow, block, monitor, warn, or require authentication for categories and category groups as required by your network. In this example, configure a web filter to block the Security Risk and Bandwidth Consuming category groups and the Proxy Avoidance category. 1 Go to UTM Profiles > Web Filter > Profile and select the Security Risk and Bandwidth Consuming category groups. 2 Expand the Potentially Liable category group and select the Proxy Avoidance category. 3 Select the Block action for Change Action for Selected Categories to and select Apply. Enable FortiGuard web filtering Select the web filter profile in a security policy to enable it. 1 Go to Policy > Policy > Policy. 2 Edit the security policy that allows Internet access. 3 Select UTM. Select Enable Web Filter. If you have multiple security policies that allow Internet access, make these same changes to each of them.
Results Users will not be able to visit web sites categorized as Proxy Avoidance or those categories
within the Security Risk and Bandwidth Consuming category groups. When attempting to visit these web sites, users will be presented with a replacement message explaining that visiting the site violates the Internet usage policy. You can customize replacement messages by going to System > Config > Replacement Message, selecting the feature, the replacement message to be customized, and selecting Edit.
189
Overriding FortiGuard web filtering for selected users
Overriding FortiGuard web filtering for selected users

Problem You need to allow some users to override
FortiGuard web filter blocking when required.
Internal network
WEB FILTERING
Solution Configure FortiGuard web filtering to use the
FortiGate Unit
Authenticate action rather than Block. Put the users who need to override the restriction into a user group and specify it in the web filter profile. When a user attempts to visit a restricted site, they will be asked for their username and password. Those in the user group will be allowed access after providing their credentials while the others will be blocked. This example, allows the users Sally and Roger to override the restriction on the Potentially Liable category group. Create the users and the user group 1 2 3 4 5 6 7 Go to User > User > User and select Create New. Enter the username Sally, password abcxyz, and select OK. Select Create New again. Enter the username Roger, password abc123, and select OK. Go to User > User Group > User Group and select Create New. Enter Web filter override users for the user group name. Select Sally from the Available Users window and select the right arrow icon to move them to the Members window. 8 Repeat the procedure for Roger and select OK.
Configure the web filter profile 1 Go to UTM Profiles > Web Filter > Profile. 2 Select the Potentially Liable category group. 3 Select the Authenticate action for Change Action for Selected Categories to. 4 Select the Web filter override users group and select the right arrow icon to move the group to the Selected User Groups window. 5 Select OK. Enable the FortiGuard web filter Select the web filter profile in a security policy to enable it. 1 Go to Policy > Policy > Policy. 2 Edit the security policy that allows Internet access. 3 Select UTM. Select Enable Web Filter. If you have multiple security policies that allow Internet access, make these same changes to each of them.
Results Browse to a proxy web site such as proxy.org. Before being allowed access, you are asked for
a username and password. If you provide credentials for a user in the user group applied to the web filter profile, you are allowed access to the site. Further, once you provide a valid username and password, you will be able to browse any sites in the category group before having to authenticate again. If you do not have a valid username and password, you are denied access to any web site in the category group. This test involves proxy.org because it is classified as Proxy Avoidance, part of the Potentially Liable category group. Any site in a classification that is part of the Potentially Liable category group will function in exactly the same way with this configuration.
190 FortiGate http://docs.fortinet.com/
Prevent offensive search results in Google, Bing and Yahoo search engines
Prevent offensive search results in Google, Bing and Yahoo search engines
Problem You need to ensure that search results contain no
offensive site by forcing the safe searching of Google, Bing, and Yahoo.
Internal network
WEB FILTERING
FortiGate Unit
Solution Configure the default web filter to block offensive

search results. 1 Go to UTM Profiles > Web Filter > Profile. 2 Select Enable Safe Search. 3 Select Apply. Select the default web filter in the security policy that allows Internet access. 1 Go to Policy > Policy > Policy. 2 Edit the security policy that allows Internet access. 3 Enable UTM and Web Filter, and select the profile named default. If you have multiple security policies that allow Internet access, make these same changes to each of them.
Results Google, Yahoo, and Bing search results will no longer contain offensive sites.
191
Finding the FortiGuard web filter category of a URL
Finding the FortiGuard web filter category of a URL

Problem You need to find the FortiGuard web filter
category of a particular web page to properly configure web filtering.
Internal network
WEB FILTERING
FortiGate Unit
Solution The FortiGuard Centre web site offers a webbased URL lookup. 1 Go to http://www.fortiguard.com/tools/url_lookup.html 2 Enter the URL in the first field. enter the displayed code in the second field and select Search.
Results The page is refreshed, listing the category of the URL you entered.
The lookup may also show a classification. The classification is not used by FortiOS 4.0 MR3 firmware and is included for those still using older firmware versions in which it is supported.
If a URL hasnt been categorized, or if you feel the categorization is incorrect, you can submit the URL to the FortiGuard team and suggest a category. To suggest or correct a URL category 1 Perform a URL look up as described above. 2 Select the Check to submit the URL check box. 3 Enter your name, Company, and email address. 4 Choose the category you feel best represents the URL and select Submit. When a web site contains elements in different categories, web pages on the site are categorized according to their contents. A web page will be assigned to only one category, but the web pages at a single URL may not all share the same category.
192
Listing the web sites your users have visited
Listing the web sites your users have visited

Problem You need a list of the web sites your users have
visited.
Internal network
WEB FILTERING
Solution Use web filtering to log every site that anyone on

your network visits. 1 Go to UTM Profiles > Web Filter > Profile to configure the default web filter profile. 2 Select the Monitor option from the Show drop-down menu. 3 Select all of the visible FortiGuard categories.
FortiGate Unit
4 Select Monitor from the Change Action for Selected Categories to drop-down menu. 5 Select Apply. With these changes, all allowed categories are monitored. Access to the categories is allowed, but the monitor action also logs visits to the sites. To use this profile, you must select it in the security policies that allow users on your network to visit web sites. 1 Go to Policy > Policy > Policy and select the security policy that allows your used to visit web sites. 2 Select Edit. 3 Enable UTM. 4 Select Enable Web Filter. 5 Select the default web filter policy. 6 Select OK. If you have multiple security policies that allow users to visit web sites, follow these steps for each of them.
Results The web sites your users visit will be recorded in the UTM log. The default settings of the UTM
log page do not display the URLs. Configure the log settings to display URLs. 1 Go to Log&Report > Log & Archive Access > UTM Log. 2 Select Column Settings. 3 Choose Hostname in the left column and select the right arrow button to move it to the right column. 4 Choose URL in the left column and select the right arrow button to move it to the right column. 5 Select OK. When you view the UTM log, the hostname column will display the domain name of site, and the URL will display the path of the file accessed on the host.
193
Using FortiGuard web filtering to block access to web proxies
Using FortiGuard web filtering to block access to web proxies

Problem You need to ensure that users dont bypass web
filtering entirely by using an external web proxy.
Internal network
WEB FILTERING
Solution Use FortiGuard web filtering to block web

proxies. 1 Go to UTM Profiles > Web Filter > Profile.
FortiGate Unit
2 In the FortiGuard Categories window, expand the Potentially Liable category group and select Proxy Avoidance. 3 For the Change Action for Selected Categories to setting, select the Block action and choose Apply. 4 Go to Policy > Policy > Policy and in the policies that allow access to the Internet, enable UTM and Web Filter, and then select the web filter profile named default. 5 Select OK.
Results After configuring the web filter to block the Proxy Avoidance category, go to the proxy.org web
site. If the web filter is configured correctly, any attempt to visit proxy.org will be blocked. Although the web site itself is not a proxy, it maintains a large list of proxies and is, therefore, categorized as a proxy avoidance cite. Reporting proxy sites If you discover a proxy that isnt correctly categorized, go to http://www.fortiguard.com/tools/url_lookup.html and use the URL lookup to check the assigned category. If it is incorrect, or not categorized, submit the URL with a suggested category. The FortiGuard web filter team will review the site categorization, usually within 24 hours.
194
Blocking access to streaming media using web filtering
Blocking access to streaming media using web filtering

Problem You need to prevent your users from accessing
any streaming audio and video.
Internal network
WEB FILTERING
Solution Configure FortiGuard web filter to block sites that

offer streaming media. 1 Go to UTM Profiles > Web Filter> Profile.
FortiGate Unit
2 Expand the Bandwidth Consuming FortiGuard Category and select the Streaming Media and Download and Internet Radio and TV categories. 3 Select Apply. 4 Verify that UTM and Web Filtering are enabled in the security policies that allow access to the Internet.
Results After making these configuration changes, visit http://www.youtube.com. The FortiGate unit
prevents you from visiting the site so you can not view any streaming video.
195
Blocking access to specific web sites
Blocking access to specific web sites

Problem You need prevent users from visiting specific web
sites.
Internal network
WEB FILTERING
Solution Create a web filter profile that blocks access to

those web sites you specify. In this example, users will be blocked from visiting fortinet.com. Create the web filter profile 1 Go to UTM Profiles > Web Filter > URL Filter and select Create New. 2 Name the new URL filter list Block List and select OK. 3 Select Create New to create a list entry that blocks access to any web site with a domain name ending in fortinet.com. URL Type Action Enable 4 Select OK. Enable the URL filter list 1 Go to UTM Profiles > Web Filter > Profile. 2 Expand the Advanced Filter heading. 3 Enable Web Filter URL and select Block List. 4 Select Apply. 5 Go to Policy > Policy > Policy. 6 Edit the security policy that allows Internet access. 7 Select UTM. Select Enable Web Filter. If you have multiple security policies that allow Internet access, make these same changes to each of them. *fortinet.com Wildcard Block Checked
FortiGate Unit
Results In this example configuration, you can visit web sites normally but all web access to any
domain ending in fortinet.com is blocked. Visit http://fortinet.com after completing the configuration above to see the result. Add more list entries to Block List to block access to other web sites as required.
196
Blocking all web sites except those you specify using a whitelist
Problem You need to allow users to access only a small
number of web sites. They must not have access to any others.
Internal network
WEB FILTERING
FortiGate Unit
Solution Create a web filter profile that blocks all sites

except those you explicitly allow. In this example, users will be blocked from all sites except fortinet.com. You can do this by making a URL filter that has an entry that blocks all sites, and entries that allow individual sites. Ensure the entry that blocks all sites is the last entry in the URL filter list. 1 Go to UTM Profiles > Web Filter > URL Filter and select Create New. 2 Name the new URL filter list White List and select OK. 3 Select Create New to create a new list entry that blocks all web access. URL Type Action Enable 4 Select OK. 5 Select Create New to create another new list entry that allows access to any web site with a domain name ending in fortinet.com. URL Type Action Enable *fortinet.com Wildcard Allow Checked * Wildcard Block Checked
The list entries are processed from top to bottom. Since the block entry is first, all sites will be blocked regardless of any following items that allow sites. To fix this problem, move the entries allowing access above the block entry. The entry blocking all sites should always be last. 6 Select the check box in the first column of the *fortinet.com entry. 7 Select Move To and enter these items: Move to URL 8 Select OK. Before *
197
Enable the URL filter list Select it in a web filter profile in a security policy to enable it. 1 Go to UTM Profiles > Web Filter > Profile. 2 Expand the Advanced Filter heading. 3 Enable Web Filter URL and select White List from the list. 4 Select Apply. 5 Go to Policy > Policy > Policy. 6 Edit the security policy that allows Internet access. 7 Select UTM. Select Enable Web Filter. If you have multiple security policies that allow Internet access, make these same changes to each of them.
Results In this example configuration, you can view fortinet.com and go anywhere on the site, but all
other web sites are blocked. URL filtering uses a black list approach. That is, all sites are allowed, except those that are blocked. Adding an entry that blocks all sites reverses this behavior. All sites are blocked except those that you add to the top of the list and allow access to.
198
Configuring FortiGuard web filtering to check IP addresses as well as URLs
Configuring FortiGuard web filtering to check IP addresses as well as URLs

Problem How do I prevent users from using IP addresses
to access web sites that are suppose to be blocked? Users accessing web sites using IP addresses can bypass FortiGuard web filtering.
Internal network
WEB FILTERING
FortiGate Unit
Solution Configure FortiGuard web filtering to check IP

addresses as well as domain names. This will prevent users from bypassing FortiGuard web filtering by using IP addresses to access web sites. 1 Go to UTM Profiles > Web Filter > Profile and expand Advanced Filter. 2 Enable Rate URLs by Domain and IP Address and select Apply.
Results The FortiGate unit submits IP addresses to the FortiGuard service just as it submits domain
names when FortiGuard web filtering is enabled. If a site is part of a blocked category, the users will get the same result whether they use the site domain name or IP address when they visit. FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This can sometimes temporarily cause the FortiGate unit to allow access to sites that should be blocked, or to block sites that should be allowed. Test the configuration by blocking access to fortinet.com and then attempt to access it using the sites IP address. Configure FortiGuard web filtering to block access to the Information Technology category which is part of the General Interest - Business category group. Browse to http://www.fortinet.com/ and confirm that you are not allowed access. Find the web site IP address by executing this CLI command: FG600B3908600705 # execute ping fortinet.com The result reveals the IP address in the first line: PING fortinet.com (66.171.121.34): 56 data bytes 64 bytes from 66.171.121.34: icmp_seq=0 ttl=45 time=92.8 64 bytes from 66.171.121.34: icmp_seq=1 ttl=45 time=92.7 64 bytes from 66.171.121.34: icmp_seq=2 ttl=45 time=94.7 64 bytes from 66.171.121.34: icmp_seq=3 ttl=45 time=93.3 64 bytes from 66.171.121.34: icmp_seq=4 ttl=45 time=93.4 --- fortinet.com ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 92.7/93.3/94.7 ms Browse to http://66.171.121.34/ and if your attempt is blocked, you have verified that FortiGuard web filtering is checking IP addresses in addition to domain names. ms ms ms ms ms
199
Configuring FortiGuard web filtering to check images as well as URLs
Configuring FortiGuard web filtering to check images as well as URLs

Problem How do I prevent users from accessing images
directly, bypassing FortiGuard web filtering.
Internal network
WEB FILTERING
Solution Configure FortiGuard web filtering to check

images themselves as well as domain names.
FortiGate Unit
This will prevent users from bypassing FortiGuard web filtering by loading images directly. Since images are checked on their own, an image in a blocked category will not be blocked even if part of an allowed web site. 1 Go to UTM Profiles > Web Filter > Profile and expand Advanced Filter. 2 Enable Rate Images by URL (Blocked images will be replaced with blanks) and select Apply.
Results With this feature active, the FortiGate unit submits image addresses to the FortiGuard service
just as it submits site addresses when FortiGuard web filtering is enabled. If an image is part of a blocked category, users will not be permitted to view it whether they access it directly, or as part of a site in an allowed category. If a blocked image is part of an allowed web site, the user is able to visit the web site, but the image is replaced by a placeholder.
200
Applying ratings to HTTP redirects
Applying ratings to HTTP redirects

Problem How do I make sure that your users are not
automatically redirected to other web pages that have different ratings.
Internal network
WEB FILTERING
Solution Configure your FortiGate unit to consider the

FortiGuard web filter category of the redirect destination, and act accordingly.
FortiGate Unit
Web sites can use HTTP redirects to seamlessly move users to other web pages or web sites. By default, the FortiGate unit does not check the FortiGuard web filter rating of the destination. 1 Go to UTM Profiles > Web Filter > Profile. 2 Expand Advanced Filter enable Block HTTP Redirects by Rating.
Results When a user is redirected, the FortiGate unit checks the category of the destination before
allowing access to the web page. If the category is blocked, the user is denied access to the web page and presented with a replacement message.
201
Visualizing the applications on your network
Visualizing the applications on your network

Problem You need to find the applications that are using
the most network bandwidth.
Internal network
APPLICATION CONTROL
Solution Find the security policies that process the most

data and add the application control sensor named default to them. Use the application monitor to view a graph of the 10 applications using the most bandwidth.
FortiGate Unit
1 Go to Policy > Policy > Policy and check the Count column to find security policies that process large amounts of data. 2 Edit each of these policies, enable UTM and Application Control, and select the application control sensor named default. If the application monitor does not show any information, verify that the security policies are processing traffic by viewing the Count column in the policy list. If the count is increasing the policy is processing traffic. You can also view policy usage from Policy > Monitor > Policy Monitor.
Results Go to UTM Profiles > Monitor > Application Monitor to view a graph that shows the 10
applications that are currently using the most data. The graph displays date and time on which data collection started. You can reset the graph to restart data collection. You can select Refresh to update the data displayed by the graph.
You can drill down into any bar on the graph to display the source and destination addresses or names of the hosts that used the application. If the user authenticated you can also display the name of the user that used the application. The application monitor shows the results for all traffic being monitored by application control. You can monitor selected traffic by only adding application control monitoring to selected security policies. You can monitor all traffic by adding application control monitoring to all security policies.
202
Preventing the use of instant messaging clients
Preventing the use of instant messaging clients

Problem You need to prevent users on your network from
using instant messaging applications.
Internal network
APPLICATION CONTROL
Solution Configure application control to block instant

messaging: 1 Go to UTM Profiles > Application Control > Application Sensor. 2 Select Create New. 3 Under Filters in the Category list, choose im. 4 Confirm that the Action is set to Block, and then select OK.
FortiGate Unit
5 Ensure that UTM and Application Control are enabled in the security policies that allow access to the Internet.
Results Open any recognized instant messaging client and attempt to log in to the IM service. Your
attempt is blocked. Users can run any instant messaging clients they may have installed, but the FortiGate unit will not allow them to log in to IM services. Users already logged in when you make this change may continue their IM session uninterrupted because only logging in to instant messaging services is blocked. You can view the instant messaging clients the FortiGate unit recognizes by filtering the application list to display only IM category applications: 1 Go to UTM Profiles > Application Control > Application List. 2 Select the funnel icon in the Category column header. 3 Choose im in the left window and select the -> button to move it to the right window. 4 Select OK.
203
Blocking access to social media web sites
Blocking access to social media web sites

Problem You need to stop social media web site use on
your network.
Internal network
APPLICATION CONTROL
Solution Configure the default application control sensor

to block access to social media web sites. 1 Go to UTM > Application Control > Application Sensor and select Create New. 2 For the Category filter, select web.
FortiGate Unit
3 For the Subcategory filter, select social-network and facebook-apps. 4 Confirm that the Action is set to Block, then select OK. 5 Ensure that UTM and Application Control are enabled in the security policies that allow access to the Internet.
Results Users will not be able to access social media web sites. To confirm this, open a web browser
and visit facebook.com. Instead of the Facebook web site, you are presented with a replacement message explaining that the site is blocked. There are many subcategories in the web category. Other combinations of selections may better suit your needs. Choose other subcategories and view the resulting sites in the Applications/Settings window.
204
Blocking peer-to-peer file sharing
Blocking peer-to-peer file sharing

Problem You need to stop peer-to-peer sharing on your
network.
Internal network
APPLICATION CONTROL
Solution Configure the default application control sensor

to block peer-to-peer sharing. 1 Go to UTM > Application Control > Application Sensor and select Create New. 2 For Category, select Specify. 3 Choose p2p from the category drop down menu. 4 For the Action, select Block. 5 Select OK. Select the default application control sensor in the security policy that allows Internet access. 1 Go to Policy > Policy > Policy. 2 Enable UTM and Application Control, and select the application sensor named default. If you have multiple security policies that allow Internet access, make these same changes to each of them.
FortiGate Unit
Results Users will not be taking advantage of P2P transfers to share files in traffic controlled by the
security policies incorporating the default application sensor. You can view which P2P protocols are blocked from the Application List. 1 Go to UTM > Application Control > Application List. 2 Select Filter Settings and choose Add new filter. 3 Select the Category field. 4 Select the p2p value. 5 Select OK. The application list displays only the items in the P2P category. These are the blocked items. Note that the Category heading filter is highlighted to indicate an active filter.
As applications are added to the application list by FortiGuard updates, new items in the P2P category will be automatically included in your sensor.
205
Configuring IPS to stop traffic if the scanner fails
Configuring IPS to stop traffic if the scanner fails

Problem By default, traffic is allowed to flow without
IPS protection if the IPS scanner fails. In particularly sensitive networks, the FortiGate unit be configured to block traffic while the problem is corrected.
Attacks
Solution Disable the IPS fail-open behavior by entering

this CLI command: config ips global set fail-open disable end
Results Under normal circumstances, changing the IPS failover setting will not change how your
FortiGate unit behaves. In the unlikely event that the IPS scanner fails, however, all traffic controlled by security policies with IPS scanning will be blocked until the IPS scanner is working again. Traffic controlled by security policies without IPS scanning will continue to flow, regardless of the IPS fail-over setting and the state of the IPS scanner. Before making this change, consider whether a period without IPS protection is worse than your users having no Internet access. Even more important is whether your web server should continue to be accessible without IPS protection or inaccessible while the problem is fixed.
206
Protecting against denial of service attacks
Protecting against denial of service attacks

Problem You need to ensure that your web server is
available even when subjected to a denial of service attack.
Solution Create a DoS sensor, enable it in a DoS policy

and adjust the threshold for your network. Create a new DoS sensor 1 Go to UTM Profiles > Intrusion Protection > DoS Sensor and select Create New. 2 Name the profile General Protection and select OK. 3 Select Enable and Logging for the tcp_syn_flood anomaly. Create a DoS policy and select the DoS sensor 1 Go to Policy > Policy > DoS Policy and select Create New. 2 For the Source Interface/Zone, select the interface connected to the Internet that visitors use to connect to your web site. Leave the source and destination addresses set to all and the Service set to ANY. 3 Enable DoS Sensor and select General Protection from the list. 4 Select OK. The DoS policy will scan incoming traffic and take no action when the number of SYN packets exceed the threshold, but it will log these occurrences. Run the DoS policy for a period to check the suitability of the default threshold of 2000 SYN packets per second to your network traffic. If a traffic peak triggers the DoS policy, increase the threshold. The idea is to set the threshold high enough that legitimate traffic will not trigger any action, but not so high that attacks are permitted. When you have found a threshold that fits these criteria for your network, change the tcp_syn_flood action to Block.
Attacks
Results Once you have determined the ideal threshold for your network, normal traffic will not exceed
the threshold and it will be allowed. When an attack occurs, the attack will be blocked but legitimate traffic is permitted. This is because a communication session is initiated by a client sending a SYN packet. Legitimate clients send a second SYN packet when they do not receive the expected ACK acknowledgement and are allowed. Attackers attempt to open as many sessions as possible and will not retry a connection attempt by sending a second SYN packet. In this way, the FortiGate unit can distinguish between an attack and legitimate traffic, and act accordingly. Periodically monitor the UTM log for traffic exceeding the threshold. Over time, your web site traffic may increase, requiring a higher threshold. Temporary traffic changes may also require a threshold adjustment, for example, increased traffic for a commerce web site during the holiday season.
207
Filtering incoming spam
Filtering incoming spam

Problem You need to filter incoming spam to stop wasting
peoples time and your mail servers resources.
Internal network
EMAIL FILTER
Solution Configure the default email filter profile to detect

and filter spam. 1 Go to UTM Profiles > Email Filter > Profile and select Enable Spam Detection and Filtering. 2 Verify that the email protocols (POP3, SMTP, IMAP) are all enabled. 3 Set the Spam Action for SMTP to Tagged. The SMTP spam action can be set to Discard, but always set the action to Tagged when creating or editing a spam filter profile. This will allow you to see the messages that the FortiGate unit determines are spam and ensures that no important messages are discarded if the profile doesnt function as expected. 4 Expand FortiGuard Spam Filtering and enable IP Address Check, E-mail Checksum Check, and URL Check. 5 Find the security policies that process incoming email and add the email filter profile named default to them.
FortiGate Unit
Results Incoming email messages are scanned and those that the FortiGate unit determines are spam,
are tagged with the word Spam at beginning of the email messages subject. Go to Log&Report > Log & Archive Access > UTM Log periodically to review the email filter activity. Users can configure their email client software to move spam messages to their email clients spam or junk folder automatically, if required.
208
Blocking outgoing email containing sensitive information
Blocking outgoing email containing sensitive information

Problem You need to prevent users from sending sensitive
information out of your network using email.
Internal network
DLP
Solution Configure Data Leak Prevention (DLP) to examine

outgoing email for sensitive data. In this example, configure Visa and Mastercard credit card numbers as the information to protect.
FortiGate Unit
1 Go to UTM Profiles > Data Leak Prevention > Sensor and select Create New to create a new DLP sensor: Filter Name Filter By Advanced Rule Action Archive credit cards by email Advanced Rule Email-Visa-Mastercard Log Only Disable
2 Go to Policy > Policy > Policy and edit the security policy that allows Internet access. 3 Enter credit cards by email as the Filter Name. 4 Select Advanced. 5 Edit each of these policies, enable UTM and DLP Sensor, and select the DLP sensor named default.
Results To test, create an email message with a credit card number and send it. Your email client will
return an error indicating that the message is blocked because it contains sensitive information.
209
Using the FortiGate vulnerability scanner to check your network for vulnerabilities
Problem You need to discover if any of the computers on
your network are vulnerable to attack.
Internal network
Solution Configure your FortiGate unit to scan your

network for vulnerable hosts.
FortiGate Unit
In this example, the local network uses the 172.20.120.0/24 subnet. The FortiGate unit internal interface is a part on this subnet. Configure a vulnerability scan to run at midnight on the first day of every month. Create the asset definition 1 Go to UTM > Profiles > Vulnerability Scan > Asset Definition and select Create New to create a new asset. Name Type Range 2 Select OK. Configure the scan schedule 1 Go to UTM > Profiles > Vulnerability Scan > Scan Schedule and configure the following settings: Recurrence Day of Month Hour Minutes Vulnerability Scan Mode 2 Select Apply. Vulnerability scans should always be schedule for periods of off-peak traffic. These scans can use significant network and FortiGate resources and may impact network performance. Monthly 1 00 00 Quick 172.20.120 subnet Range 172.20.120.1-172.20.120.255
Run a manual scan immediately 1 Go to UTM > Profiles > Vulnerability Scan > Asset Definition and specify the 172.20.120 subnet by selecting the check box at the beginning of the row. 2 Select Start Scan. The scan will take a few moments.
210
FortiGate http://docs.fortinet.com/
Results When the scan is complete, go to UTM > Profiles > Vulnerability Scan >
Vulnerability Result. The results are broken down into four sections:
Summary Vulnerability by Severity Vulnerability by Category
The scan start and stop time, the current scan status, and number of hosts scanned. A chart displaying the number of vulnerabilities sorted by high, low, and info severity. A chart displaying the number of vulnerabilities by category. The table listing all of the scanned hosts. The Asset Definition used to target the scan is listed as well as the host IP address, the OS Version, the Vulnerability Severity, and the number of vulnerabilities for the host. You may select the host to view further details, including a list of the vulnerabilities.
Results by host
211
212
SSL VPN
SSL is an easy to use application-level network independent method of ensuring private communication over the Internet. Commonly used to protect the privacy of online shopping payments, customers web browsers can almost transparently switch to using SSL for secure communication without customers being required to do any SSL-related configuration or have any extra SSL-related software. SSL protection can also be applied to secure communication over the Internet between client PCs and a remote network using SSL VPN. For basic SSL VPN functionality all a user needs to do to access an SSL VPN is to browse to the IP address of a FortiGate unit configured for SSL VPN. The users do not require any special SSL VPN software or configuration since SSL in the form of HTTPS is automatically enabled by most web browsers. The FortiGate SSL VPN configuration requires an SSL VPN web portal for SSL VPN users to log into, the addition of a user authentication configuration to allow SSL VPN users to login and then the creation of SSL VPN security policies that control the source and destination access of SSL VPN users. SSL VPN security policies can also apply UTM and other security features to all SSL VPN traffic. FortiASIC processors can accelerate SSL VPN encryption, optimizing SSL VPN performance for a large user base. Additional SSL VPN features are available including tunnel mode, virtual desktop for enhanced endpoint protection, and endpoint security checks. These features are supported for SSL VPN clients that can be downloaded automatically by SSL VPN users after logging into the SSL VPN portal. Users can also download Fortinet SSL VPN clients to access these additional SSL VPN features without logging into and SSL VPN portal. Fortinet supports SSL VPN clients for many PC and mobile platforms. This chapter includes the following SSL VPN examples: Setting up remote web browsing for internal sites through SSL VPN Using SSL VPN to provide protected Internet access for remote users SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN
213
Setting up remote web browsing for internal sites through SSL VPN
Problem You want to provide remote users the ability to access the
corporate internal sites and specific company-related external sites.
Fo
er Us 0 ote ogin 4.20 em User L212.13 R

10.
.12 n1 wa 72.20 1
0.1
36
Solution Using SSL VPN you can create a web portal, which, when
the remote user connects they can view a list of links for internal servers and web sites. Before you begin, you need to make sure SSL VPN is enabled using the CLI command: config vpn ssl settings set sslvpn-enable enable end Creating a firewall address for the email server Create a firewall address for the email server.
1 To add the email server address, go to Firewall Objects > Address > Address, select Create New and enter the email server address: Address Name Type Subnet / IP Range Interface 2 Select OK. Creating the web portal Create the SSL VPN portal and a bookmark for the email server that the user connects to after logging in. 1 Go to VPN > SSL > Config and for IP Pools select Edit and add twhite to the Selected table. 2 Go to VPN > SSL > Portal and select Create New to create the portal: Name Applications Portal Message Internal_company_sites_portal HTTP/HTTPS Internal Company sites Email Server Subnet / IP Range 192.168.1.12 Internal
rt iG at e U ni t
er erv 1 il S .1. ma 2.168 E 9 1
3 Select OK to close the Edit Settings window. 4 On the default web portal delete the Bookmarks widget by selecting its Remove icon (looks like an X). 5 On the Add Widget on the right of the default portal select Bookmarks. 6 In the new Bookmarks widget select the Edit icon (looks like a pencil). 7 Optionally edit the Name and make sure Applications is set to HTTP/HTTPS. 8 Select OK in the Bookmarks widget.
9 In the Bookmarks widget select Add and create a bookmark to link the email server web page: Name Type Location Description Email HTTP/HTTPS https://mail.company.com Corporate email system
10 Select OK at the bottom of the Bookmarks widget. 11 Select Apply at the top of web portal page to save the web portal configuration. Adding and working with web portal widgets can be confusing and produce unexpected results. Always select Apply at the top of the web portal page after making a change. When you have completed making changes, navigate to another web-based manager page and then navigate back to the web portal to make sure you changes were saved. Creating an SSL VPN user and user group Create the SSL VPN user and add the user to a user group configured for SSL VPN use. 1 Go to User > User > User and select Create New to add the user: User Name Password twhite password
2 Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group:. Name Type Allow SSL-VPN Access Sales Firewall Internal_company_sites_portal
Make sure you select the Allow SSL-VPN Access option and that you also select the SSL VPN web portal that the members of this user group connect to. If not selected, the Sales user group will not appear in the group list when configuring the SSL VPN authentication security policy. 3 Move twhite to the Members list. 4 Select OK. Creating an SSL VPN security policy Create an SSL VPN security policy with SSL VPN user authentication. 1 Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy: Source Interface/Zone Source Address Destination Interface/Zone wan1 all internal
215
Destination Address Action
Email SSL-VPN
2 Select Configure SSL-VPN Users and select Add to add an authentication rule for remote SSL VPN users: Selected User Groups Selected Services Schedule Sales HTTP HTTPS always
If the Sales user group does not appear in the User Group list, ensure you selected the SSL PVN Access option when creating the user group. If that option is not selected, the Sales user group will not appear in the group list when configuring the authentication security policy. 3 Select OK.
Results To verify the setup works:

1 From the Internet, browse to https://172.20.120.136:10443/remote/login. 2 Login to the web portal: Name Password twhite password
After logging in, the SSL VPN portal appears.
3 Select the Email link in the Bookmarks widget. The portal launches a new window that displays the email server website. From the FortiGate web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN.
216
From the FortiGate web-based manager, go to Policy > Monitor > Session Monitor to view the session information for the SSL connection. Because of the internal nature of the SSL connection, the source address appears as 0.0.0.0 and the destination is the internal home address of 224.0.0.1
You can also use the diagnose debug application sslvpn -1 command to debug this configuration as described in Debugging FortiGate configurations on page 101.
217
Using SSL VPN to provide protected Internet access for remote users
Problem You want to provide remote users the ability to

access the Internet while travelling, and ensure that they are not subjected to malware and other dangers by using the corporate firewall to filter all of their Internet traffic.
00 n ogi 34.2 er L .1 Us 0.212 1
em
ot e
SS L
VP N
U se
172
n1 wa .136 120 20.
ot .ro ing ssl rows b
Fo
rtiG
Solution Using SSL VPN and FortiClient SSL VPN software,

you create a means to use the corporate FortiGate to browse the web safely. Before you begin, you need to enable SSL VPN using the CLI command: config vpn ssl settings set sslvpn-enable enable end Creating an SSL VPN IP pool and SSL VPN web portal 1 Go to VPN > SSL > Config and for IP Pools select Edit and add SSLVPN_TUNNEL_ADDR1 to the Selected table. 2 Create the SSL VPN portal to by going to VPN > SSL > Portal and selecting tunnel-access. 3 Select the Edit pencil icon for the Tunnel Mode widget and enter the following: Name IP Mode IP Pools 4 Select OK. Creating the SSL VPN user and user group Browsing User Group SSLVPN_TUNNEL_ADDR1
ate
Un
it
Create the SSL VPN user and add the user to a user group configured for SSL VPN use. 1 Go to User > User > User and select Create New to add the user: User Name Password 2 Select OK. 3 Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group: Name Type Allow SSL-VPN Access Tunnel Firewall tunnel-access twhite password
Make sure you select the Allow SSL VPN Access option. If not selected, the Tunnel user group will not appear in the group list when configuring the authentication security policy.
218
4 Move twhite to the Members list. 5 Select OK. Creating a static route for the remote SSL VPN user Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel. 1 Go to Router > Static > Static and select Create New to add the static route: Destination IP/Mask Device 10.212.134.0/255.255.255.0 ssl.root
The Destination IP/Mask matches the network address of the remote SSL VPN user.
2 Select OK. Creating security policies Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet. 1 Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Action wan1 all ssl.root all SSL-VPN
2 Select Configure SSL-VPN Users and select Add to add an authentication rule for the remote user: Selected User Groups Selected Services Schedule Tunnel ANY always
If the Tunnel user group does not appear in the User Group list, ensure you select the SSL VPN Access option when creating the user group. If that option is not selected, the Tunnel user group will not appear in the user group list when configuring the authentication security policy. 3 Select OK. 4 Select Create New to add a security policy that allows remote SSL VPN users to connect to the Internet: Source Interface/Zone Source Address
ssl.root all
219
Destination Interface/Zone Destination Address Schedule Service Action 5 Select OK.
wan1 all always ANY ACCEPT
Results Using FortiClient SSLVPN application, log into the VPN using the address
https://172.20.120.136:10443/ and log in as twhite. Once connected, you can browse the Internet. From the FortiGate web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to the Internet.
From the FortiGate web-based manager, go to Policy > Monitor > Session Monitor to view the session information for the SSL connection. For any web traffic, the source interface becomes ssl.root.
Go to Log&Report > Log & Archive Access > Traffic Log to view the log information, and the logs will also show the source interface for outbound traffic from the SSL connection through the ssl.root interface.
220
SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users
U U SS 10 ser se L .2 Lo r V 12 g PN .1 in 34 .2 00
R em
Problem You want remote users to be able to securely
access head office internal network servers and browse the Internet through the head office firewall.
17
ot
2. 20
Fo Head rtiG o ate ffice Un it
.1 w 20 an .1 1 36
ss br l.ro ow o si t ng
Solution This solution describes how to configure FortiGate SSL VPN split tunnelling using the
FortiClient SSL VPN software, available from the Fortinet Support site. Using split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the users PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user. Before you begin, you need to enable SSL VPN using the CLI command: config vpn ssl settings set sslvpn-enable enable end Creating a firewall address for the head office server 1 Go to Firewall Objects > Address > Address and select Create New and add the head office server address: Address Name Type Subnet / IP Range Interface 2 Select OK. Creating an SSL VPN IP pool and SSL VPN web portal 1 Go to VPN > SSL > Config and for IP Pools select Edit and add SSLVPN_TUNNEL_ADDR1 to the Selected table. 2 Create the SSL VPN portal to by going to VPN > SSL > Portal and selecting tunnel-access. 3 Select the Edit pencil icon for the Tunnel Mode widget and enter the following: Name IP Mode IP Pools Split Tunneling 4 Select OK. Connect to head office server User Group SSLVPN_TUNNEL_ADDR1 Enable Head office server Subnet / IP Range 192.168.1.12 Internal
ea d 19 Se Of 2. rv fic 16 er e 8. 1. 1
221
Creating the SSL VPN user and user group Create the SSL VPN user and add the user to a user group configured for SSL VPN use. 1 Go to User > User > User, select Create New and add the user: User Name Password 2 Select OK. 3 Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN user group: Name Type Allow SSL-VPN Access Tunnel Firewall tunnel-access twhite password
Make sure you select the Allow SSL-VPN Access option. If not selected, the Tunnel user group will not appear in the group list when configuring the authentication security policy. 4 Move twhite to the Members list. 5 Select OK. Creating a static route for the remote SSL VPN user Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel. 1 Go to Router > Static > Static and select Create New to add the static route: Destination IP/Mask Device 10.212.134.0/255.255.255.0 ssl.root
The Destination IP/Mask matches the network address of the remote SSL VPN user.
2 Select OK. Creating security policies Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet. 1 Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy: Source Interface/Zone Source Address Destination Interface/Zone wan1 all internal
222
Destination Address Action
Head office server SSL-VPN
2 Select Configure SSL-VPN Users and select Add to add an authentication rule for the remote user: Selected User Groups Selected Services Schedule Tunnel ANY always
If the Tunnel user group does not appear in the User Group list, ensure you select the SSL VPN Access option when creating the user group. If that option is not selected, the Tunnel user group will not appear in the user group list when configuring the authentication security policy. 3 Select OK. 4 Select Create New to add a security policy that allows remote SSL VPN users to connect to the Internet: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action 5 Select OK. ssl.root all wan1 all always ANY ACCEPT
Results Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the
address https://172.20.120.136:10443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet. From the web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.
From the web-based manager, go to Policy > Monitor > Session Monitor to view the session information for the SSL connection. For any web traffic, the source interface becomes ssl.root.
223
Go to Log&Report > Log & Archive Access > Traffic Log to view the log information, and the logs will also show the source interface for outbound traffic from the SSL connection through the ssl.root interface.
224
Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN
ot e U SS se L r VP N
Problem Before a remote SSL VPN user logs into the network,
you want to be sure that they have approved antivirus software installed on their computers. Only clients that meet the requirements are permitted to log on.
Fo
R em
Solution Use SSL VPN host checking. When the remote client attempts to log in to the VPN network,
the FortiGate unit uses the host check information to verify that the approved antivirus software is installed on the client computer. 1 Go to VPN > SSL > Portal, Edit a portal and select Settings. 2 Select Security Control and select the following: Host Check Policy Custom Select the names of one or more antivirus software packages from the FortiGate AV software database. You can select multiple options.
If your company does not require a standard AV software on remote computers, you can set Custom to AV option, in which case, the FortiGate unit will check for any AV software from its SSL VPN antivirus software database. 3 Select OK twice to save the portal configuration changes.
Results When a remote user connects to the SSL VPN tunnel, the FortiGate unit verifies that the
approved antivirus software is installed on the remote users device. If it is, the user can log in. If the approved antivirus software is not installed, the remote user sees the following error message:
From the FortiGate web-based manager go to Log&Report > Event Log to see the tunnel message in the Action column.
Se rv
er
rt iG at e U ni t
225
Select the log entry to view the detailed information, which indicates the user attempting to connect. The Reason row indicates that the host check failed.
To make sure that SSL logs appear in the event log, go to Log&Report > Log Config > Log Setting. Enable Event Logging and select SSL VPN user authentication event and SSL VPN session event.
226
IPSec VPN
IPsec VPN is a common method for enabling private communication over the Internet. IPsec supports a similar client server architecture as SSL VPN. However, to support a client server architecture, IPsec clients must install and configure an IPsec VPN client (such as Fortinets FortiClient Endpoint Security) on their PCs or mobile devices. IPsec client configurations can be cryptic and complex, usually making SSL VPN more convenient for users with little networking knowledge. However IPsec VPN supports more configurations than SSL VPN. A common application of IPsec VPN is for a gateway to gateway configuration that allows users to transparently communicate between remote networks over the Internet. When a user on one network starts a communication session with a server on the other network, a security policy configured for IPsec VPN intercepts the communication session and uses an associated IPsec configuration to both encrypt the session for privacy but also transparently route the session over the Internet to the remote network. At the remote network the encrypted communication session is intercepted and decrypted by the IPsec gateway at the remote network and the unencrypted traffic is forwarded to the server. Responses from the server than pass back over the encrypted tunnel to the client. Many variations of the gateway to gateway configuration are available depending on the requirements. In addition to gateway to gateway IPsec VPNs, FortiGate units also support various mesh IPsec VPN configurations that can allow transparent communication between networks at multiple locations around the world. FortiGate units also support automated IPsec configuration of FortiClient software running on client PCs. All communication over IPsec VPNs is controlled by security policies. Security policies allow for full access control and can be used to apply UTM and other features to IPsec VPN traffic. Fortinet IPsec VPNs employs industry standard features to ensure the best security and interoperability with industry standard VPN solutions provided by other vendors. This chapter includes the following IPsec VPN examples: Protecting communication between offices across the Internet using IPsec VPN Using FortiClient VPN for secure remote access to an office network Using IPsec VPN to secure iPhone communication with a network protected by a FortiGate unit Using IPsec VPN to secure Android mobile device communication with a network protected by a FortiGate unit Using the FortiGate FortiClient VPN Wizard to set up a VPN between a remote users and a private network My IPsec VPN tunnel isnt working
227
Protecting communication between offices across the Internet using IPsec VPN
Problem You need to provide secure
transparent communication between company headquarters (HQ) and a branch office.
) (HQ nal .0/24 r Inte 0.10 0.1 1
rna
HQ
B to_
ran
ch Br
20 .1 w 20 a .2 n1 00
w 17 an 2. 1 20 .1 2
Inte
0.
12
Solution Create a gateway-to-gateway

IPsec VPN between headquarters and the branch office.
h_ anc
to_
HQ
2.
17
Br This basic gateway-toal ( /24 ern 8.1.0 Int .16 gateway IPsec VPN assumes 192 that both office have connections to the Internet with static IP addresses. This configure uses a simple policy-based IPsec VPN configuration.
c se IP N VP
Inte
rna
anc
h)
Configure the HQ FortiGate 1 Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and configure the IPsec VPN phase 1 configuration. Name Remote Gateway IP Address Local Interface Mode Authentication Method Pre-shared Key 2 Select OK. 3 Select Create Phase 2 and enter the following information. Name Phase 1 4 Select OK. 5 Go to Firewall Objects > Address > Address and select Create New to add a firewall address for the HQ network. Name Type Subnet / IP Range Interface HQ_net Subnet / IP Range 10.10.10.0/255.255.255.0 internal HQ_to_Branch_p2 HQ_to_Branch_p1 HQ_to_Branch_p1 Static IP Address 172.20.120.122 wan1 Main (ID protection) Preshared Key fortinet123
228
6 Select Create New to add a firewall address for the branch office network. Name Type Subnet / IP Range Interface 7 Select OK. 8 Go to Policy > Policy > Policy and select Create New to add a security policy for the IPsec VPN. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action VPN Tunnel internal HQ_net wan1 Branch_net always ANY IPSEC HQ_to_Branch_p1 Branch_net Subnet / IP Range 192.168.1.0/255.255.255.0 wan1
9 Select Allow inbound and Allow outbound. 10 Select OK. Configure the Branch office The branch office settings are almost identical to the HQ settings. 1 Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and configure the IPsec VPN phase 1 configuration. Name Remote Gateway IP Address Local Interface Mode Authentication Method Pre-shared Key 2 Select OK. 3 Select Create Phase 2. Branch_to_HQ_p1 Static IP Address 172.20.120.200 wan1 Main (ID protection) Preshared Key fortinet123
229
4 Enter the following information, and select OK. Name Phase 1 5 Select OK. 6 Go to Firewall Objects > Address > Address and select Create New to add a firewall address for the HQ network. Name Type Subnet / IP Range Interface Branch_net Subnet / IP Range 192.168.1.0/255.255.255.0 internal Branch_to_HQ_p2 Branch_to_HQ_p1
7 Select Create New to add a firewall address for the branch office network. Name Type Subnet / IP Range Interface 8 Select OK. 9 Go to Policy > Policy > Policy and select Create New to add a security policy for the IPsec VPN. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action VPN Tunnel internal Branch_net wan1 HQ_net always ANY IPSEC Branch_to_HQ_p1 HQ_net Subnet / IP Range 10.10.10.0/255.55.255.0 wan1
10 Select Allow inbound and Allow outbound. 11 Select OK.
Results A user on either of the office networks should be able to connect to any address on the other
office network transparently. For example, from a PC on the branch office with IP address 192.168.1.100 you should be able to ping a device on the HQ network with PIP address 10.10.10.100. When the VPN is operating you should be able to go to VPN > Monitor > IPsec Monitor and verify that its status is up.
Using FortiClient VPN for secure remote access to an office network

Problem You need a secure communication channel
between FortiClient on a remote user and the office so that the user can access work network resources. You also want to require individual IPsec VPN uses to authenticate to get access.
Offi ce uni FortiG t a 0 n1 .12 wa 72.20 1 te I wit Psec h X VP Au N th .14 6
l rna k Inte twor ne
Solution Create an IPSec VPN between FortiClient on
the remote users PC and the office FortiGate unit that uses XAuth to authenticate the remote user. The remote users IP address changes so you need to configure a dialup IPsec VPN on the FortiGate unit. As well the remote user must start the VPN because the office FortiGate unit doesnt know the users IP address. Creating a user and user group to support XAuth 1 Go to User > User > User and select Create New to add the user: User Name Password fsmith passw0rd
ser t U ress lien dd tiC IP a or ic te F am mo yn Re ith D w
2 Go to User > User Group > User Group and select Create New to add fsmith to the user group:. Name Type FortiClient_group Firewall
3 Move fsmith to the Members list. 4 Select OK. Creating the IPsec VPN phase 1 and phase 2 and a DHCP server for the IPsec VPN 1 Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and configure Phase 1. Name Remote Gateway Local Interface Mode Authentication Method Pre-shared Key Peer Options FortiClient_VPN Dialup User wan1 Main (ID protection) Preshared Key fortinet123 Accept any peer ID
2 Select Advanced to configure advanced settings.
231
3 Select Enable IPsec Interface Mode and configure the following: IKE Version IPv6 Version Local Gateway IP DNS Server P1 Proposal DH Group Keylife Local ID XAuth Server Type User Group NAT Traversal Keepalive Frequency Dead Peer Detection 4 Select OK. Go to System > Network > Interface and verify that a tunnel interface named FortiClient_VPN has been added under the wan1 interface. Edit the FortiClient_VPN tunnel interface and verify that the IP and Remote IP are both 0.0.0.0. These IPs must be set to 0.0.0.0 for the DHCP server to supply IP addresses to the remote users. 5 Go to System > Interface > DHCP server and elect Create New to add a DHCP server for the IPsec VPN Interface Name Mode Enable Type IP Network Mask Default Gateway DNS Service 6 Select OK. FortiClient_VPN Server Select IPsec 10.254.254.1 - 10.254.254.254 255.255.255.0 172.20.120.146 Use System DNS Setting 1 Clear check box. Main Interface IP Use System DNS 1 - Encryption 3DES Authentication SHA1 2 - Encryption AES128 Authentication SHA1 5 28800 Leave blank. Enable as Server PAP FortiClient_group Enable 10 Enable
232
7 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 2 to configure the phase 2 for the IPsec VPN. Name Phase 1 FortiClient_VPN2 FortiClient_VPN
8 Select Advanced to configure advanced settings. P1 Proposal Enable Replay Detection Enable perfect forward secrecy (PFS) DH Group Keylife Autokey Keep Alive DHCP-IPsec 1 - Encryption 3DES Authentication SHA1 2 - Encryption AES128 Authentication SHA1 Select Select 5 1800 Seconds Do not select Enable
If DHCP-IPsec is grey, there is no valid DHCP server attached to the FortiClient _VPN tunnel interface. If there are static IP addresses assigned to the FortiClient_VPN tunnel interface IP and Remote IP, you must delete the Phase1 entry and start again. The DHCP server will not work if static IPs are assigned to the FortiClient_VPN tunnel interface. Creating a static route and security policies for the IPsec VPN configuration There is one policy each for inbound and outbound traffic. Network services such as DNS require policies in both directions.
1 Go to Router > Static > Static Route and select Create New to add a static route for the IPsec VPN. Destination IP/Mask Device 10.254.254.0/255.255.255.0 FortiClient_VPN
The static route ensures that traffic for the VPN doesnt leave the FortiGate for the default gateway. When you select the VPN interface as the Device, there is no requirement for a gateway, as shown by it being greyed out. 2 Select OK. 3 Go to Policy > Policy > Policy and select Create New to configure a policy to allow incoming IPsec VPN traffic on the FortiClient_VPN interface. Source Interface/Zone Source Address Destination Interface/Zone FortiClient_VPN all wan1
233
4 Select Enable Identity Based Policy. 5 Select Add to add an authentication rule with the following settings: Selected User Groups Selected Services Schedule Log Allowed Traffic Schedule 6 Select OK. 7 Select OK to save the security policy. 8 Select Create New to configure a policy to allow outgoing IPsec VPN traffic on the FortiClient_VPN interface: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action 9 Select Enable Identity Based Policy. 10 Select Add to add an authentication rule with the following settings: Selected User Groups Selected Services Schedule Log Allowed Traffic Schedule 11 Select OK. 12 Select OK to save the security policy. FortiClient_group ANY always Enable always wan1 all FortiClient_VPN all always ANY ACCEPT FortiClient_group ANY always Enable always
234
Configure FortiClient These instructions were tested on FortiClient 4.2.1, and FortiClient 4.3.2. 1 On the remote computer, start the FortiClient console. 2 Go to VPN > Connections. 3 Select Advanced > Add. 4 Enter the following information. Connection Name VPN Type Remote Gateway Remote Network Authentication Method Pre-Shared Key Work_VPN Manual IPsec 172.20.120.146 10.254.254.0 / 255.255.255.0 Preshared Key fortinet123
5 Select Advanced to open a new window. 6 Enter the following information. Acquire virtual IP address Enable and select Config to ensure DHCP is set. eXtended Authentication Remote Network Enable and select Config to ensure Prompt to login is set. If you dont see 172.20.120.0 / 255.255.255.0 here, now is your chance to fix it.
7 Under Policy, select Config to open a new window. 8 For both IKE and IPsec Proposals, remove the MD5 authentication entries. 9 Under IKE, select Main Mode. 10 Under Advanced Options, make sure that NAT Traversal is enabled. 11 Select OK three times to close the Connection Detailed Settings, the Advanced Settings, and the New Connection windows.
Results You know your VPN is successful when you select the VPN on FortiClient, select Connection,
and receive a Connection Successful! message. In FortiClient the status next to the VPN connection will read Up with the number of seconds it has been up, in brackets. To ensure your new VPN works, from FortiClient select the Work_VPN entry, and then select Advanced > Test. This will open a window and show each step of the attempted connection. If there are any problems they will be visible here and easy to troubleshoot. For additional information, check the event log of the FortiGate unit (Log&Report > Log & Archive Access > Event Log) where you especially want to read the Message, Action, and Error Reason parts of the log messages to help you troubleshoot. Some useful troubleshooting checks include: Ensure both pre-shared keys match exactly. Ensure both ends use the same P1 Proposal settings. Ensure both ends are using main mode, unless there are connection problems and you want to try aggressive mode on both ends which is easier to connect but less secure.
235
Ensure XAuth settings are the same for both ends, with the FortiGate unit being the Server if its enabled. Ensure P2 Proposal details on the FortiGate unit match those on FortiClient (under Advanced > Policy Config, IKE is Phase1 and IPsec is Phase 2) DH group, pfs, dpd, replay detection, keylife, and auto keep alive. When working with policy routing, ensure you have allowed inbound and outbound, especially if network services such as DNS or DHCP are having problems. Check your NAT settings - for best results NAT traversal is enabled in the Phase 1 configuration, and NAT is not enabled in the security policy. If the negotiation is OK but there is no traffic, check the route. Only the FortiClient end can initiate the VPN tunnel because the FortiGate doesnt know the FortiClient IP address.
Best There are CLI only options that can help with FortiClient VPNs in certain situations. Practices
Phase1 set forticlient-enforcement {enable | disable} set add-route {enable | disable} set encapsulation {tunnelmode | transport-mode}
When enabled, only FortiClient users can connect. Enable to propagate VPN routes when using dynamic routing. Set to transport-mode when using L2TP or other encapsulation with IPsec.
Phase2
236
Using IPsec VPN to secure iPhone communication with a network protected by a FortiGate unit
Problem You need to configure an iPhone for a user, F. Smith, to
access a web server at work over a secure connection.
Apple iPhone
exa mp le. wa com n1 inte rn
ec IPs
VP
N rne t
Inte
al
Solution The easiest way to connect to the office from a remote

location is by a IPsec VPN. It is secure and it appears as if you are physically on the network at work. The iPhone IPsec client is a Cisco UNITY client.
ce rk Offi etwo n
In this example, user fsmith is part of the iPhone_Users usergroup. fsmiths iPhone will be assigned an IP address in the range 172.16.1.1 - 172.16.1.254. The VPN is interface based. You already have three security policies to allow traffic to flow on your networkInternal to Wan1, Internal to dmz, and dmz to Internal. For this example an Apple iPhone 4 running iOS 4.3.5 was used. Menu options may vary for different models and iOS versions. The steps involved include: Configure the user fsmith, and the user group iPhoneVPN. Configure the firewall address ranges called DMZ_WebServers and iPhoneVPNUsers. Configure IPsec VPN Phase1. Configure IPsec VPN Phase2 in the CLI. Configure iPhone VPN Phase 1 access to the DMZ subnet. Configure an IPsec security policy between the iPhoneVPNUsers and DMZ_Servers. Configure the iPhone VPN settings. Create fsmith user account, and iPhoneVPN group 1 Go to User > User > User and select Create New and add a user account for and iPhone user. User Name Password 2 Select OK. 3 Go to User > User Group > User Group and select Create New to create a user group for iPhone users. Name Type Available USers 4 Select OK. iPhoneVPN Firewall Move fsmith to Members list. fsmith my1pwd
237
Create a firewall addresses for the web server on DMZ and iPhone Users 1 Go to Firewall Objects > Address > Address and select Create New to enter the following information. Address Name Type Subnet / IP Range Interface 2 Select OK. 3 Select Create New and enter the following information. Address Name Type Subnet / IP Range Interface 4 Select OK. Configure IPsec Phase1 settings 1 Go to VPN > IPsec Auto Key (IKE) and select Create Phase 1 to enter the following information. Name Remote Gateway Local Interface Mode Authentication Method Preshared Key Peer Options iPhone Dialup User wan1 Main Preshared Key mykey123 Accept any peer ID iPhoneVPNUsers Subnet / IP Range 172.16.1.0/255.255.255.0 Any DMZ_WebServer Subnet / IP Range 10.0.0.0/255.255.255.0 dmz
2 Select Advanced and enter the following information. Enable IPsec Interface Mode IKE Version Local Gateway IP DNS Server 1 - Encryption 1 - Authentication 2 - Encryption Enable 1 Main Interface IP Use System DNS AES256 MD5 AES256
238
2 - Authentication DH Group Key life (sec) XAUTH Server Type User Group NAT Traversal Keepalive Frequency Dead Peer Detection 3 Select OK. Configure IPsec Phase2
SHA1 2 28800 Enable as Server AUTO iPhoneVPNUsers enable 10 Enable
1 Go to VPN > IPSec > Auto Key and select Create Phase 2 to enter the following information. Name Phase1 iPhone_P2 iPhone
2 Select Advanced and enter the following information. 1 Encryption 1 Authentication 2 Encryption 2 Authentication Enable replay detection Enable perfect forward secrecy (PFS) DH Group Keylife Auto-key keep alive Quick Mode Selector AES256 MD5 AES256 SHA1 Enable Enable 2 Seconds 1800 Enable Source Address: 0.0.0.0/0 Source port: 0 Destination Address: 0.0.0.0/0 Destination port: 0 Protocol: 0 3 Select OK.
239
Configure iPhone VPN Phase 1 access to the DMZ subnet 1 Enter the following CLI commands. config vpn ipsec phase1-interface edit iPhone set mode-cfg enable set unity-support enable set assign-ip enable set assign-ip-from range set mode-cfg-ip-version 4 set ipv4-start-ip 172.16.1.1 set ipv4-end-ip 172.16.1.254 set ipv4-netmask 255.255.255.0 set ipv4-split-include DMZ_WebServer end Create a new security policy for the VPN 1 Go to Policy > Policy and select Create new to enter the following information Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Enable NAT 2 Select OK. 3 Move this policy to the top of the policy list, to ensure it will be matched first. Configure the iPhone 1 On the iPhone, go to Settings > General > Network > VPN. 2 Select Add VPN Configuration > L2TP. 3 Enter the following information, and select Save. Description Server Account RSA SecurID Password Secret Send All Traffic Office_VPN 210.0.0.1 fsmith OFF my1pwd mykey123 ON
iPhone iPhoneVPNUsers DMZ DMZ_WebServer Always ANY Accept Disable
240
The Send all traffic option will send everything on the iPhone through the VPN. If this option is turned off, only traffic addressed to the VPN will use the tunnel. If the iPhone is used for work, this option should be turned on to force all iPhone data to be encrypted and forced through the office FortiGate firewall.
Results To test the configuration:

1 Ensure the iPhone has access to a data network. 2 Select the Office_VPN, and turn VPN ON. The iPhone will attempt to connect for a while. During this time, on the FortiGate unit you can: monitor the VPN connection with the VPN monitor refresh the event log entries to see the entry for each step of the VPN connection if you are logging VPN events run diag debug on the CLI for full details of the connection attempt. When the VPN connects, you will see event log entries and have access to the internal web server as expected. If there are problems, check the logs for messages to tell you what happened. Also consider running the CLI commands: diag debug disable diag debug application ike -1 diag debug enable When your VPN connection is established on your iPhone there will be a small VPN tag tat the top of the screen. However, this is easily missed. If you want a clear message that your VPN connection is up and working on the iPhone, then enter the following CLI command: config vpn ipsec phase1-interface edit iPhone set banner YOU ARE NOW CONNECTED next end This creates a pop-up banner message that is displayed on your iPhone when the VPN connection is successful. The configuration here allows access to an internal web server. If you want to access additional internal subnets you can create firewall addresses for each one, and then add them to a firewall address group, called my_addr_grp for example. Then you will need to enter the following CLI commands config vpn ipsec phase1-interface edit iPhone set ipv4-split-include my_addr_grp next end
241
Using IPsec VPN to secure Android mobile device communication with a network protected by a FortiGate unit
Problem A user on your network, W. Loman, has an Android device

and needs access to the office servers over a secure connection.
dm z
location is by VPN. It is secure and it appears as if you are physically on the network at the office. A common type of VPN is L2TP.
In this example, user wloman is part of the Android_Users usergroup. The Android mobile device will be assigned an IP address in the range 192.168.1.[90-99]. This is a VPN policy it is not interface based. For this example an LG P999 mobile phone running Android 2.2.2 was used. Menu options may vary for different models or versions of the Android OS. The steps involved include: Configure the user wloman, and the user group Android_Users. Configure the firewall address ranges called Android_Range, and DMZ_Servers. Configure the FortiGate as anL2TP server in the CLI. Configure IPsec VPN Phase1. Configure IPsec VPN Phase2 in the CLI, also known as the Security Association (SA). Configure an IPsec security policy between the Android_Users and DMZ_Servers. Configure the Android device VPN settings. Create the user account for wloman 1 Go to User > User > User, select Create New and create the following user account.: Name Password 2 Select OK. 3 Go to User > User Group > User Group select Create New to create a user group for Android users. Name Type Available Users 4 Select OK. Android_users Firewall Select wloman and move to Members list wloman my1pass
242
ffi c
se
rv e
Solution The easiest way to connect to the office from a remote
rs
In te r
exa mp le. wa com n1
IP se c
Android device
ne t
VP
Configure the firewall address for Android_Range and DMZ_Servers 1 Go to Firewall Objects > Address > Address and select Create New to add and a firewall address for Android users. Address Name Type Subnet / IP Range Interface 2 Select OK. 3 Select Create New to add a firewall address for the DMZ network. Address Name Type Subnet / IP Range Interface 4 Select OK. Configure the FortiGate as an LT2P server. 1 Enter the following CLI commands: config vpn l2tp set sip 192.168.1.90 set eip 192.168.1.99 set status enable set usrgrp Android_Users end Configure IPsec tunnel Phase1 1 Go to VPN > IPsec > Auto Key (IKE), and select Create Phase 1 and configure following Phase 1 settings. Name Remote Gateway Local Interface Mode Authentication Method Preshared Key Peer Options AndroidVPN Dialup User wan1 Main Preshared Key fortinet123 Accept any peer ID DMZ_Servers Subnet / IP Range 10.10.10.0/255.255.255.0 dmz Android_Users Subnet / IP Range 192.168.1.[90-99] wan1
If you are entering the Phase1 settings in the CLI, remember that the CLI type dynamic is equivalent to the dialup type in the web-based manager.
243
2 Select Advanced to configure the following advanced settings. Enable IPsec Interface Mode IKE Version Local Gateway IP DNS Server 1 - Encryption 1 - Authentication 2 - Encryption 2 - Authentication DH Group Key life (sec) XAUTH Server Type User Group NAT Traversal Keepalive Frequency Dead Peer Detection 3 Select OK. 4 Configure IPsec tunnel Phase2 in the CLI. config vpn ipsec phase2 edit AndroidVPN2 set phase1name AndroidVPN set proposal aes256-md5 3des-sha1 set replay enable set pfs disable set keylifeseconds 3600 set encapsulation transport-mode end Create a new security policy to establish the VPN connection 1 Go to Policy > Policy > Policy select Create New and enter the following information. Source Interface/Zone Source Address Destination Interface/Zone Destination Address dmz DMZ_Servers wan1 Android_Users AES256 MD5 3DES SHA1 2 28800 Enable as Server AUTO Android_Users enable 10 Enable Grayed out Disable
244
Action Log Allowed Traffic VPN Tunnel Inbound Outbound 2 Select OK.
IPSEC enable AndroidVPN enable enable
3 Move the policy to the top of your policy list to ensure it is matched first. Configure the Android device. 1 On the Android device, go to Settings > Wireless & Networks > VPN Settings. 2 Select Add VPN. 3 Select Add L2TP/IPsec PSK VPN. 4 Enter the following information, and select the Menu Key > Save. VPN Name VPN Server Office_DMZ_servers 210.0.0.1
Set IPsec Pre-Shared Key fortinet123
Results To test the configuration:

1 Ensure the Android device has access to a data network. 2 Select the Office_DMZ_servers VPN. It will attempt to connect for a while. During this time you can: monitor the VPN connection with the VPN monitor refresh the log entries to see the entry for each step of the connection run diag debug on the CLI for full details of the connection attempt. When the VPN connects, you will have access to the office servers as expected. If there are problems check the logs for messages to tell you what happened. Also consider running the CLI commands: diag debug disable diag debug application ike -1 diag debug enable To ensure your new VPN works, bring up the VPN tunnel. For information about this attempt to bring up the tunnel, check the event log of the FortiGate unit (Log&Report > Log & Archive Access > Event Log) where you especially want to read the Message, Action, and Error Reason parts of the log messages to help you troubleshoot.
245
Using the FortiGate FortiClient VPN Wizard to set up a VPN between a remote users and a private network
Problem You want to setup a VPN between FortiClient
Endpoint Security users and a FortiGate unit quickly and easily.
Solution There is a new feature in FortiOS 4.3.1 called the

FortiClient VPN Wizard. It is an easier way to setup a VPN with your FortiClient Connect with less options to configure. The wizard and FortiClient connect take care of encryption, authentication and related options for you. In this example, user sgreen is part of the Wizard_Users usergroup. Once the VPN tunnel is up, sgreens FortiClient Connect will be assigned an IP address in the range 192.168.1.[90-99]. If there are multiple devices sharing the VPN tunnel they will use that same range of IP addresses to share the tunnel. The VPN is a VPN route it is interface based. The FortiClient VPN Wizard configuration here was tested with FortiClient 4.2.1, FortiClient Connect (4.3), and FortiClient 4.3.2. On the FortiGate unit, the VPN is on the wan1 interface, the public facing interface with a domain of example.com. The office network is on the FortiGate internal interface. The FortiGate units public facing interface, wan1 here, must have a public IP address, a public domain name, or a domain name resolved by dynamic DNS. This example uses the domain name example.com for the FortiGate unit gateway information. 1 If the user account sgreen does not exist, go to User > User > User and create the account including a password. 2 If the user group Wizard_users does not exist, go to User > User Group > User Group and create it as a Firewall group and add sgreen to the group. 3 Configure the firewall address for Wizard_Range as 192.168.1.[80-89] 4 Go to VPN > IPsec > Auto Key, select Create FortiClient VPN and enter the following:. Name Local Outgoing Interface Authentication Method Pre-shared Key User Group Address Range Start IP Address Range End IP Subnet Mask DNS Server Wiz wan1 Pre-shared key fortinet123 Wizard_users 192.168.1.80 192.168.1.89 255.255.255.0 Use system DNS
5 Create a Phase2 called Wiz2 that uses the wiz Phase1. Use default settings for Phase2 otherwise. The wizard part only configures Phase1.
6 Create a new security policy to establish the VPN connection using the following information, and select OK. Source Interface/Zone Source Address Destination Interface/Zone Destination Address Action Log Allowed Traffic Enable NAT Wiz all Wan1 all ACCEPT enable disable
7 Move the policy to the proper location in the policy list. 8 Create another policy to allow the FortiClient IP addresses access to the rest of the office network: Source Interface/Zone Source Address Destination Interface/Zone Destination Address Action Log Allowed Traffic Enable NAT Wan1 Wizard_Range Wiz all ACCEPT enable disable
9 Move the policy to the proper location in the policy list. Configure FortiClient Connect 1 Go to IPsec VPN. 2 Select + at the bottom of the IPsec VPN connections list. 3 Enter the following information. Connection name Description Remote gateway Authentication Method Pre-shared Key Authentication (XAuth) 4 Select OK. Wizard VPN connection with office. Used Wizard to set it up. example.com Pre-shared Key fortinet123 Prompt on Login
247
Results To test the configuration, select the Wizard VPN configuration in FortiClient Connect and select
Connect. If you connect, status will say UP, Duration will increase, and bytes sent and received will increase as well. If you need information about the connection process, such as for troubleshooting, use the following methods: monitor the VPN connection with the VPN monitor refresh the log entries to see the entry for each step of the connection run diag debug on the CLI for full details of the connection attempt. If the VPN connects, you will have access to the office network as expected. If there are problems check the logs for messages to tell you what happened. Also consider running the CLI commands: diag debug disable diag debug application ike -1 diag debug enable Remember that only the Android can open the tunnel because this is a dialup VPN the FortiGate unit doesnt know the Androids IP or location until the Android tries to open the tunnel.
248
My IPsec VPN tunnel isnt working

Problem You have an IPsec VPN tunnel
configuration that wont come up or pass traffic.
Q) l (H 4 rna 0.0/2 Inte 0.1 1 10. h)
Solution IPsec VPN tunnels have

multiple layers of protocols that need to all connect properly for the tunnel to come up and pass traffic.
r n1 o_B wa HQ_t ( m .co ffice ple _O xam HQ I q.e al ID: h c VP Psec N Lo
anc
To make things a bit simpler, this information assumes a site-to-site VPN connection, not a hub-and-spoke VPN connection. Local will refer to a FortiGate unit at the main office. Remote or client will refer to the FortiClient PC or FortiGate unit at a home or branch office. 1 Turn on logging everywhere possible.
to n1 h_ wa Branc ( m .co ffice ple _O xam nch h.e : Bra nc bra cal ID Lo
_H
Q)
ch) ran l (B /24 rna .0 Inte.168.1 192
When you are troubleshooting VPN, information is your friend. Whenever possible turn on logging on both ends. If you enable logging in the security policy on the FortiGate, you should be able to tell at what point the connection is failing phase1, phase2, or IP address and routing. 2 For FortiClient, test the connection. FortiClient allows you to select a VPN configuration, and test it before actually using it. This test goes through all the set up steps to ensure they work. It outputs messages during the test so you know what passed and what failed. 3 Ensure both ends have the same Phase 1 and Phase 2 settings. For a VPN to work, both ends must have the same settings. For both Phase 1 and 2 this includes matching encryption and authentication pairs, and DH group. Additionally for Phase one check the IKE version, and if XAUTH is used or not. If you have multiple VPNs, ensure you are using the correct Phase1 configuration. 4 If the Phase 1 VPN type is dialup, the remote end must initiate the connection. If you have a dialup VPN, that means the local FortiGate does not know the IP address of the remote end to start the connection. This is common with home networks connecting to the office as they do not have public IP addresses. In this situation, the remote end must initiate the VPN tunnel. Once the tunnel is up, it is two-way communication as normal. 5 Check routing. If you are getting successful connection messages during the setting up of the VPN tunnel but no traffic is flowing, there is a good chance you have a routing problem. 6 Count the interfaces used. If you are using policy VPNs, this is not an issue. However, if you are configuring many VPN interfaces, you may run into the interface limit of 256 interfaces. This applies to physical and virtual interfaces. There are some situations, such as Transparent mode in a VDOM, where extra interfaces are created by default so you may not be able to create all 256 interfaces. In the TP mode example, only 254 interfaces are available. 7 Remote end cannot resolve domain names, or is not assigned an IP address. If the local FortiGate assigns the remote end an IP address via DHCP and it is not working, the two most likely reasons are either that the DHCP server is not configured properly or
you have problems with your outbound VPN security policy. The same security policy solution is true for DNS resolution problems as well. Security policies vary for VPN depending if you are using an interface VPN (route mode) or a tunnel VPN (policy mode). With route mode, the VPN is treated just like another interface. This means you have to specify everything as you would with another interface ensure the policy action is ACCEPT, connects the correct two interfaces, the correct policy addresses are selected (if any), and logging is enabled. Ensure there are policies for each direction; otherwise, protocols that the local side initiates will not be able to reach the remote end of the tunnel. With policy mode, the policy is IPsec VPN specific ensure the policy action is IPSEC, correct VPN tunnel is selected, allow inbound and outbound are enabled, and logging is enabled. 8 Ensure the Phase 1 Peer Options to Accept peer ID in dialup group is properly set. If you are serving IP addresses via a DHCP server, and you are using RADIUS user group attributes to assign those addresses, the Phase 1 field Peer Options to Accept peer ID must be set to the correct group. For example if your RADIUS is configured to authenticate users in the sales group (the group name sales is sent in the RADIUS start record), the Phase 1 field must also be set to sales. If it is not, no user will be assigned an IP address. 9 If using interface mode, recreate VPN Phase1 using policy mode. There may be configuration details that you are missing in your current setup and not realize it. Many people find policy VPNs easier to configure. If you are using interface mode (set in Advanced section of Phase1 settings), try creating a new Phase1 with the same settings but using policy VPN instead of interface. You will need to create a new IPSEC security policy for the VPN to match the new Phase1. 10 Restart the IKE daemon. If you have problems with changes not being visible or unpredictable results, you may want to re-start the IKE daemon and start fresh. The down side is that any VPN tunnels will be disconnected, so you need to give anyone using VPN warning before restarting the daemon. The CLI command to restart the daemon is: diag vpn ike restart. You may want to turn on IKE debugging before restarting the daemon so you will see all the shutdown and start up messages will it is rebuilding its tables. The restart reloads all the IPsec configuration so this will remove any lingering issues that may have been cached. 11 Debug the VPN handshake for detailed information. When the VPN is being established, there is a lot of information being passed back and forth between the local and remote ends of the tunnel. To see all this information, start a telnet session on the local end and log the output to a file. Enter the CLI commands: diagnose debug application ike -1 diagnose debug enable These commands tell debug to print all the IKE related information, and the enable command starts it. From this point you should see all IPsec related information that is being passed between the two ends of the tunnel as it is being set up. Here is a sample output. After each major section of output there will be comments to explain what is going on.
diagnose debug enable ike 0: comes 10.10.80.110:500->10.10.80.3:500,ifindex=17.... ike 0: IKEv1 exchange=Identity Protection id=df1ade8dd5613b41/0000000000000000 len=296
250
ike 0: in DF1ADE8DD5613B4100000000000000000110020000000000000001280D00009C 000000010000000100000090010100040300002001010000800B0001800C7080 800100058003000180020001800400050300002002010000800B0001800C7080 800100058003000180020002800400050300002403010000800B0001800C7080 80010007800E00808003000180020001800400050000002404010000800B0001 800C708080010007800E00808003000180020002800400050D0000144A131C81 070358455C5728F20E95452F0D000014CD60464335DF21F87CFDB2FC68B6A448 0D00001490CB80913EBB696E086381B5EC427B1F0D00001435DB6C9CDDE4F023 1DF692E1DC77D1E80D00000C09002689DFD6B71200000014AFCAD71368A1F1C9 6B8696FC77570100 ike 0: cache rebuild start ike 0:AndroidVPN: cached as dynamic ike 0:FCL: cached as dynamic ike 0:iPhone: cached as dynamic ike 0: cache rebuild done The cache contains all VPN configurations on the FortiGate server. In this case there were three AndroidVPN, FCL (the one we want), and iPhone. ike 0:FCL:0: responder: main mode get 1st message... ike 0:FCL:0: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:FCL:0: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448 ike 0:FCL:0: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F ike 0:FCL:0: VID unknown (16): 35DB6C9CDDE4F0231DF692E1DC77D1E8 ike 0:FCL:0: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:FCL:0: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:FCL:0: DPD negotiated Note that FCL has been selected at this point, and some basic things have been negotiated IKE version and DPD. If you are going to debug VPN output like this its better to use shorter VPN tunnel names to help with readability of the output. ike ike ike ike ike ike ike ike ike ike ike 0:FCL:0: 0:FCL:0: 0:FCL:0: 0:FCL:0: 0:FCL:0: 0:FCL:0: 0:FCL:0: 0:FCL:0: 0:FCL:0: 0:FCL:0: 0:FCL:0: negotiation result proposal id = 1: protocol id = ISAKMP: trans_id = KEY_IKE. encapsulation = IKE/none type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC. type=OAKLEY_HASH_ALG, val=SHA. type=AUTH_METHOD, val=PRESHARED_KEY. type=OAKLEY_GROUP, val=1536. ISKAMP SA lifetime=28800 selected NAT-T version: RFC 3947
This section lists the proposals tried. If there is only one, then the first one tried was a match. You can see the settings here if you know what to look for encryption is 3des-sha1, authentication is pre-shared key, the key lifetime is 28,800 seconds, and nat traversal is enabled. ike 0:FCL:0: cookie df1ade8dd5613b41/4bb2750030bc8a06 ike 0:FCL:0: out DF1ADE8DD5613B414BB2750030BC8A0601100200000000000000008C0D000034 000000010000000100000028010100010000002002010000800B0001800C7080 800100058003000180020002800400050D0000144A131C81070358455C5728F2 0E95452F0D000014AFCAD71368A1F1C96B8696FC775701000000001482990317 57A36082C6A621DE000401CA
ike 0:FCL:0: sent IKE msg (ident_r1send): 10.10.80.3:500>10.10.80.110:500, len=140, id=df1ade8dd5613b41/4bb2750030bc8a06 ike 0: comes 10.10.80.110:500->10.10.80.3:500,ifindex=17.... ike 0: IKEv1 exchange=Identity Protection id=df1ade8dd5613b41/4bb2750030bc8a06 len=292 ike 0: in DF1ADE8DD5613B414BB2750030BC8A060410020000000000000001240A0000C4 B1BB998514C7F6F595C9F1ACA1DEE16026576E2644878024079EE1EAF1F29A85 383973DB1CC9D51A7DD40F93FBD57AF8ADACD63A9408EDFD40F9B304F1A0626C 202891119B362CAA45CA1853120BA2E42A64629FCA09A042276E25FF1044AF86 150C17CE9EFA7FC6CB4C029B85B74DD86B45E68E51FC7218E2887B444498AAEA A8B4962A2FD11BFA7F9C2AB84613ED3EDA5FFA57C13EA95070971B3D1BFC5616 26CCB67B4919E278A7E155A195E58D658C7AB124F9C311052C220887D64B9B36 14000014AC80EB704C90E1D4CEFC75B7CA1CCA0B1400001866DCE39FA4DB9B93 D3AC45665952B5E45F32859A00000018255171E5AA6979B9974D6A5D7422BEAB B8756493 ike 0:FCL:0: responder:main mode get 2nd message... ike 0:FCL:0: NAT not detected Here is the main mode and NAT is not used. Responder means the FortiGate unit is responding to a remote attempt to initiate the VPN tunnel. The remote end is the initiator and the FortiGate is the responder. Knowing this can help you locate errors in the negotiation. ike 0:FCL:0: out DF1ADE8DD5613B414BB2750030BC8A060410020000000000000001240A0000C4 B92ECABF7B52E1B67F2FC2B40BAEA5FDBB2D8B71F1F576E0F4B97E7E37B1BDE4 CA41CA19D7798D1EA37976902543BA1401C9964CE7AA94765EC6E059AE56E9B3 081BA9619691C5683AE79561E0F9B3013A449FDCF1826C69EFE1DFB3E4E3621D 8CDA5969F665E0891F423F3D4FD3F5B92B5815C4CCCED44125711F2B80D143CD B40FD9AFA1827CFC6D96AA199B99B686CA381918751F45C7F9774FD0423D8FAF 3F50B0496911FA01EADE98C1DC2A6D22E1EF8CE106980BD402D0F675398B6526 14000014180187A2D9803178C54C7295CE2E574A14000018255171E5AA6979B9 974D6A5D7422BEABB87564930000001866DCE39FA4DB9B93D3AC45665952B5E4 5F32859A ike 0:FCL:0: sent IKE msg (ident_r2send): 10.10.80.3:500>10.10.80.110:500, len=292, id=df1ade8dd5613b41/4bb2750030bc8a06 ike 0:FCL:0: ISAKMP SA df1ade8dd5613b41/4bb2750030bc8a06 key 24:549399B9FF81AE7DE8E57886538F3767B818D71A555C89B1 ike 0: comes 10.10.80.110:500->10.10.80.3:500,ifindex=17.... ike 0: IKEv1 exchange=Identity Protection id=df1ade8dd5613b41/4bb2750030bc8a06 len=100 ike 0: in DF1ADE8DD5613B414BB2750030BC8A06051002010000000000000064EEA47E9F E00EBC19A7B01185C1A004A6236B1897E48C8D7B88DDB9F6D6951D532A03F6C7 57E5084B854F9817315D0236A70FA01B0E28CB35A1FE2762DBCA25508AFB5C9C 1BB99D49 ike 0:FCL:0: responder: main mode get 3rd message... ike 0:FCL:0: dec DF1ADE8DD5613B414BB2750030BC8A060510020100000000000000640800000C 010000000A0A506E0B000018E916BDEF7FEFC5A4733726EA91BC9649A9962494 0000001C0000000101106002DF1ADE8DD5613B414BB2750030BC8A06B2FAB197 A0DE9A07 ike 0:FCL:0: received notify type 24578 ike 0:FCL:0: PSK authentication succeeded ike 0:FCL:0: authentication OK
252
By this point nearly all the configuration information from Phase1 has shown up in the negotiations. Phase2 hasnt come yet or we would see FCL2 in the lines. Things are going well because we have seen the 2nd and 3rd messages come up. At this point things are going well. Notice the last two lines are the pre-shared secret is OK, and the authentication is good. ike 0:FCL:0: enc DF1ADE8DD5613B414BB2750030BC8A060510020100000000000000400800000C 010000000A0A500300000018848220ADB0CAB1135DB7126C6C52B90D958B089C ike 0:FCL:0: out DF1ADE8DD5613B414BB2750030BC8A06051002010000000000000044A31F756C 988507EFBE1134612CD5FFEC074168D1F5D57FCD49FC0E5970008413BEF5E138 7CF441CB ike 0:FCL:0: sent IKE msg (ident_r3send): 10.10.80.3:500>10.10.80.110:500, len=68, id=df1ade8dd5613b41/4bb2750030bc8a06 ike 0:FCL:0: established IKE SA df1ade8dd5613b41/4bb2750030bc8a06 ike 0:FCL: adding new dynamic tunnel for 10.10.80.110:500 ike 0:FCL_0: added new dynamic tunnel for 10.10.80.110:500 ike 0:FCL_0:0: processing INITIAL-CONTACT ike 0:FCL_0: flushing ike 0:FCL_0: flushed ike 0:FCL_0:0: processed INITIAL-CONTACT ike 0:FCL_0:0: no pending Quick-Mode negotiations ike 0: comes 10.10.80.110:500->10.10.80.3:500,ifindex=17.... ike 0: IKEv1 exchange=Informational id=df1ade8dd5613b41/4bb2750030bc8a06:82044f57 len=84 ike 0: in DF1ADE8DD5613B414BB2750030BC8A060810050182044F57000000541FC01E53 9233B368C7434635E718CD80D73A4CD897D2AC5972D69EFFA6CC37B3D83F1424 35C6CF4A5E103BC72B1F543C31AEBAFD3732AC40 ike 0:FCL_0:0: dec DF1ADE8DD5613B414BB2750030BC8A060810050182044F57000000540B000018 6628AE8F6FAB58F68F08744B01CE18FDF7673D210000001C0000000101106002 DF1ADE8DD5613B414BB2750030BC8A06D39EE503 ike 0:FCL_0:0: notify msg received: INITIAL-CONTACT ike 0:FCL_0:0: processing INITIAL-CONTACT ike 0:FCL_0: flushing ike 0:FCL_0: flushed ike 0:FCL_0:0: processed INITIAL-CONTACT ike 0: comes 10.10.80.110:500->10.10.80.3:500,ifindex=17.... ike 0: IKEv1 exchange=Quick id=df1ade8dd5613b41/4bb2750030bc8a06:c378b320 len=548
253
ike 0: in DF1ADE8DD5613B414BB2750030BC8A0608102001C378B3200000022443EB6862 1324B61C15F3BB0BAED0B31C0C42EC769978AECA6EC422F03E7F5B7B433FBC5A 07E7C4BB69C7BE0F9D9E06A82B6B8C6BE30D4CB64AA68C1ACE7C1D16F22FC350 8FDA9DB7098C833569D002031735C9C18353CCD85BBC5E7103D1878F3A90DF36 37E2126CE51937C68DC47C0C1CB054739E83A8C94D053475067C216452B03DFF 568B5098095EC17632963E2B73886601FBFC4818FF6A1AD553A2CC14618A4815 9E3C8EFC1DF035E744D98F3762C72A467E9292720CC2894619266D0807FA6DC0 9CB51A9DB19284F373381CFDCE49334A1C2EF6402594B01C82016F4D8D589B69 B9A922778455F820F3A08127DBCA63B731BBA6775013A7873C303E04EAF4841E 0288CD431D35A953D3D163AAC67335D804C2368016912246A2BF7F1695B91FAC 0E93FEA8BF383AF18BE22600117544D276A69FB42D29F8A8655EA9DFAFAFD038 A572244E47B9A86B78B1BD685A15208331C9497480917EDE2BD46989F31E858A B59C4149B9CAEEEBCE0D8776A944E70B104633F1464BEE3E5ECBD382512C17E6 E51C6541FC47721C2F6C8D52E988964B269645BFF038251467A1FD51A407FF45 6C37718F254868672918FE307100C3C18523FDF9EAAD522101383F2C251305C0 C1CA2D55C38F96A2ED036DA04D6170F4ED381358101377A7A2CB1B4417801D93 D6AD3C91A834B13CAEE54EA855FB6852396BF2D7D43F4B00166461DA62A4BB23 40F946FF ike 0:FCL_0:0:0: responder received first quick-mode message ike 0:FCL_0:0: dec DF1ADE8DD5613B414BB2750030BC8A0608102001C378B3200000022401000018 4511292B0824C46F6FF1112C20B74A9496A6DAA10A0001B80000000100000001 000001AC010304105EF744C50300001801030000800100018002070880040001 8005000103000018020300008001000180020708800400018005000203000018 0303000080010001800207088004000180050001030000180403000080010001 8002070880040001800500020300001805030000800100018002070880040001 8005000103000018060300008001000180020708800400018005000203000018 0703000080010001800207088004000180050001030000180803000080010001 8002070880040001800500020300001C090C0000800100018002070880040001 80060080800500010300001C0A0C000080010001800207088004000180060080 800500020300001C0B0C00008001000180020708800400018006008080050001 0300001C0C0C000080010001800207088004000180060080800500020300001C 0D0C000080010001800207088004000180060080800500010300001C0E0C0000 80010001800207088004000180060080800500020300001C0F0C000080010001 800207088004000180060080800500010000001C100C00008001000180020708 80040001800600808005000205000014C3437F1E4BB42AF14C259397E4CC40AE 0500000C010000000A0A506E00000010040000000A0A5000FFFFFF00D7DA99FD C2A5E807 ike 0:FCL_0:0:0: peer proposal is: peer:0:10.10.80.11010.10.80.110:0, me:0:10.10.80.0-10.10.80.255:0 ike 0:FCL_0:0:FCL2:0: trying ike 0:FCL_0:0:FCL2:0: matched phase2 ike 0:FCL_0:0:FCL2:0: dynamic client ike 0:FCL_0:0:FCL2:0: my proposal: ike 0:FCL_0:0:FCL2:0: proposal id = 1: ike 0:FCL_0:0:FCL2:0: protocol id = IPSEC_ESP: ike 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES ike 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 ike 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128) ike 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 ike 0:FCL_0:0:FCL2:0: incoming proposal: This section has both FCL and FLC2 which indicates we are into Phase2 negotiations.
254
When you see my proposal and incoming proposal, it means there was a proposal mismatch. If everything goes well, you will just see the successful proposal match. This output shows the proposals from both sides my proposal (the FortiGate unit), and incoming proposal (the remote end). Note there are 2 entries for my proposal (3des-sha1 and aes-sha1). If there were more than two entries configured in Phase2 they would be listed here. There are many more incoming proposals 20 or more. This means the remote end is trying to cover all possible encryption and authentication possible. The problem with this approach is the output here gets very long, and you will be connecting with the same information in most cases which lets you remove the unused proposals here. At the end of all the proposals it lists the proposal result, which is the one that is being used. ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike ike
0:FCL_0:0:FCL2:0: proposal id = 1: 0:FCL_0:0:FCL2:0: protocol id = IPSEC_ESP: 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=MD5 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=MD5 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=MD5 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=MD5 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128) 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=MD5 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128) 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128) 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=MD5 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128) 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128) 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=MD5 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128) 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128)
255
ike ike ike ike ike ike ike ike ike ike ike ike ike
0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=MD5 0:FCL_0:0:FCL2:0: trans_id = ESP_AES (key_len = 128) 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: negotiation result 0:FCL_0:0:FCL2:0: proposal id = 1: 0:FCL_0:0:FCL2:0: protocol id = IPSEC_ESP: 0:FCL_0:0:FCL2:0: trans_id = ESP_3DES 0:FCL_0:0:FCL2:0: encapsulation = ENCAPSULATION_MODE_TUNNEL 0:FCL_0:0:FCL2:0: type = AUTH_ALG, val=SHA1 0:FCL_0:0:FCL2:0: using tunnel mode. 0:FCL_0:0: enc DF1ADE8DD5613B414BB2750030BC8A0608102001C378B3200000009401000018 0A105570023A0518E9C3517A26C22386549727D10A0000300000000100000001 0000002401030401D1B360400000001802030000800100018002070880040001 80050002050000143FAB0878D6189B658C96A4E4E854F1640500000C01000000 0A0A506E00000010040000000A0A5000FFFFFF00 ike 0:FCL_0:0: out DF1ADE8DD5613B414BB2750030BC8A0608102001C378B3200000009C180D9E06 9E53579921C35ACC514AB63548D04BED6319E4E9B1B9461A09D7D885E166469A 6DAB9C921F2EAD6F6F5A7168ED612324D1E6B996A3DE264D58B9034047379C88 C58C201AE9155281FFEAE72E8C542F9EF10F9AEAE68594014E334B37DA368E9A C1470694B3E5987EEE7654420C19E1E88A2AAC642A6AC7CB3437B222 ike 0:FCL_0:0: sent IKE msg (quick_r1send): 10.10.80.3:500>10.10.80.110:500, len=156, id=df1ade8dd5613b41/4bb2750030bc8a06:c378b320 ike 0: comes 10.10.80.110:500->10.10.80.3:500,ifindex=17.... ike 0: IKEv1 exchange=Quick id=df1ade8dd5613b41/4bb2750030bc8a06:c378b320 len=60 ike 0: in DF1ADE8DD5613B414BB2750030BC8A0608102001C378B3200000003C8B15588C DC1EE2B5C33869C64C7C806CE9915049DD6554FC3122CEA1AA9DFEA6 ike 0:FCL_0:0: dec DF1ADE8DD5613B414BB2750030BC8A0608102001C378B3200000003C00000018 EB68D687570B875ECBC6C55B3E1AFCBEB900D2A29BA7B1C8C1D0B807 ike 0:FCL_0:0:FCL2:0: replay protection enabled ike 0:FCL_0:0:FCL2:0: SA life soft seconds=1786. ike 0:FCL_0:0:FCL2:0: SA life hard seconds=1800. ike 0:FCL_0:0:FCL2:0: IPsec SA selectors #src=1 #dst=1 ike 0:FCL_0:0:FCL2:0: src 0 7 0:10.10.80.0-10.10.80.255:0 ike 0:FCL_0:0:FCL2:0: dst 0 7 0:10.10.80.110-10.10.80.110:0 ike 0:FCL_0:0:FCL2:0: add dynamic IPsec SA selectors ike 0:FCL_0:0:FCL2:0: tunnel 1 of VDOM limit 0/0 ike 0:FCL_0:0:FCL2:0: add IPsec SA: SPIs=d1b36040/5ef744c5 ike 0:FCL_0:0:FCL2:0: IPsec SA dec spi d1b36040 key 24:7F0F504EA42ED86512A2C4808A56B1F353C3CC3D805FF3A9 auth 20:294209EDB682FBD01430801BE482BECFA166D06C ike 0:FCL_0:0:FCL2:0: IPsec SA enc spi 5ef744c5 key 24:593E6734ED63ADC48524693D2F9CBD419A62B56A5E1A18E1 auth 20:6D8E9CDA2D560A7DC8F0A54A846590048F8155CC ike 0:FCL_0:0:FCL2:0: added IPsec SA: SPIs=d1b36040/5ef744c5 ike 0:FCL_0:0:FCL2:0: sending SNMP tunnel UP trap These last few lines are finishing up the Security Association (SA) negotiation. The important part here is the last line sending SNMP tunnel UP trap. This is saying the tunnel is up and ready to go. If you see this in the diag output the VPN came up successfully.
Another line you can look for is the R-U-THERE and R-U-THERE ack messages. Its the keep alive message sent between the ends of the VPN to make sure both ends are still functional. Its easy to see in the output, and it only happens after the tunnel is up. ike shrank heap by 65536 bytes ike 0:FCL_0: link is idle 17 10.10.80.3->10.10.80.110:500 dpd=1 seqno=1 ike 0:FCL_0: link is idle 17 10.10.80.3->10.10.80.110:500 dpd=1 seqno=2 ike 0:FCL_0:0: send IKEv1 DPD probe, seqno 2 ike 0:FCL_0:0: enc DF1ADE8DD5613B414BB2750030BC8A0608100501147397C2000000540B000018 ADC2E9DF61F03F2980D6CE15C4128DE8A7E6AB7A000000200000000101108D28 DF1ADE8DD5613B414BB2750030BC8A0600000002 ike 0:FCL_0:0: out DF1ADE8DD5613B414BB2750030BC8A0608100501147397C20000005C5BB65CCC 42DC2B33B485B0FB2657521B521BD0DA65D1E10E4B331CC03C9212010034C334 ADD290457E8C2B02891D7AE0E0149D1D5DB78EF649B7548B659B0D45 ike 0:FCL_0:0: sent IKE msg (R-U-THERE): 10.10.80.3:500>10.10.80.110:500, len=92, id=df1ade8dd5613b41/4bb2750030bc8a06:147397c2 ike 0: comes 10.10.80.110:500->10.10.80.3:500,ifindex=17.... ike 0: IKEv1 exchange=Informational id=df1ade8dd5613b41/4bb2750030bc8a06:b620421b len=92 ike 0: in DF1ADE8DD5613B414BB2750030BC8A0608100501B620421B0000005CFBA22BA2 A8E4EA89C46B8AE1C9D5B639669EA5E50C3225D98CB3BCD2A3786D59B384FE7D 96A6560499088D0AF6D28BDEE03968C31BA58F7158B156C59D1B9EF7 ike 0:FCL_0:0: dec DF1ADE8DD5613B414BB2750030BC8A0608100501B620421B0000005C0B000018 FBE51A0B7132BA625A1F6F25D6741968E337EBAA000000200000000101108D29 DF1ADE8DD5613B414BB2750030BC8A0600000002F5D890FBF0C1B607 ike 0:FCL_0:0: notify msg received: R-U-THERE-ACK ike shrank heap by 4096 bytes
Results These steps configure ends of an IPsec VPN tunnel on the office FortiGate unit, and the home
computer FortiClient. To ensure your new VPN works, select the Work_VPN entry, and then select Advanced > Test. This will open a window and show each step of the attempted connection. If there are any problems they will be visible here and easy to troubleshoot. For additional information, check the event log of the FortiGate unit (Log&Report > Log & Archive Access > Event Log) where you especially want to read the Message, Action, and Error Reason parts of the log messages to help you troubleshoot.
257
258
Authentication
Identifying users and other computers (authentication) is a key part of network security. This chapter describes some basic elements and concepts of authentication. Businesses need to authenticate people who have access to company resources. In the physical world this may be a swipe card to enter the building, or a code to enter a locked door. If a person has this swipe card or code, they have been authenticated as someone allowed in that building or room. Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security policies and VPN clients. This chapter includes the following authentication examples: Creating a security policy to identify users Creating a security policy to identify users and restrict access to websites by category Creating a security policy to identify users, restrict access to certain websites, and control use of applications Adding FortiToken two-factor authentication to a user account Adding SMS token code delivery two-factor authentication to a FortiGate administrators account Stopping the Connection is untrusted message
259
Creating a security policy to identify users

Problem How do you identify the users who are
accessing Internet services through your FortiGate unit. This is the first step towards controlling users access to resources through the FortiGate unit.
Solution Enable FortiGate user authentication by

creating a user group named Sales and adding a user named wloman to this group. Then add an identity based policy to a security policy that accepts connections from the internal network to the Internet. Add the Sales user group to the identity based policy. Test the configuration by authenticating with the FortiGate unit and viewing the information displayed in the user monitor. This solution describes adding a user to the FortiGate local user database. FortiOS user authentication can also integrate with LDAP, RADIUS, or TACAS+ servers, Windows NTLM, Fortinet single sign on (FSSO), and PKI solutions. 1 Go to User > User Group > User Group and select Create New to add a user group with the following settings: Name Type 2 Select OK. 3 Go to User > User > User and select Create New to a user with the following settings: Name Password Add this user to Groups 4 Select OK. 5 Go to Policy > Policy > Policy and Edit a policy that allows users to access the Internet. 6 Select Enable Identity Based Policy and Add an identity-based policy with the following settings: Selected User Groups Selected Services Schedule Sales ANY always wloman password Sales Sales Firewall
7 Select OK to save the security policy.
Results From a web browser on the internal network, attempt to access the Internet. If the session is
accepted by the policy that you added the identity based policy to you should be prompted for a user name and password. Enter wloman and password. If authentication is successful you should be able to browse anywhere on the Internet.
260
Form the FortiGate web-based manager go to User > Monitor > Firewall to view the list of authenticated firewall users. An entry similar to the following should appear,
If you select De-authenticate All Users or if you select the De-authenticate user icon for Example_user you will have to authenticate with the firewall again to continue browsing the Internet. You can also go to Log&Report > Log & Archive Access > Event Log to view log messages recorded when the users authenticated. (more info to be provided about reports and so on that include authenticated users user names in them.) If you do not see an authentication page, verify that the identity based policy has been added to the correct security policy by viewing the Count column in the policy list. If the count is increasing the policy is processing traffic. You can also view policy usage from Policy > Monitor > Policy Monitor.
You can customize the authentication page that users see by going to System > Config > Replacement Message > Authentication > Login page.
261
Creating a security policy to identify users and restrict access to websites by category
Problem How to allow only authorized users to access
the Internet and block these users from accessing online shopping and auction websites.
WEB FILTERING
Solution Block access to shopping and auction

websites by adding a web filter profile named Sales_web_filter that blocks shopping and auction websites. Enable web filtering for the identity based policy created in Creating a security policy to identify users on page 260 and add the Sales_web_filter profile to it. Test the configuration by authenticating and then attempting to browse to an online shopping web site. This example requires the FortiGate unit to have a valid FortiGuard Web Filtering license. 1 Go to UTM Profiles > Web Filter > Profile and select Create New to add a new web filter profile group named Sales_web_filter. 2 Select the FortiGuard Categories > General Interest - Personal > Shopping and Auction category, then select Block as the action for selected categories. 3 Select OK to save the web filter profile. 4 Go to Policy > Policy > Policy and Edit the policy that allows users to access the Internet and contains the identity based policy. 5 Edit the identity based policy that includes the Sales user group. 6 Select UTM. 7 Select Enable Web Filter and select the Sales_web_filter profile. 8 Save the changes to the identity based policy and the security policy.
Results Go to User > Monitor > Firewall and deauthenticate the wloman user. From a web browser on
the internal network, attempt to access the Internet. If the session is accepted by the identity based policy you should be prompted for a user name and password. Enter wloman and password. If authentication is successful you should be able to browse the Internet. Attempt to access an online shopping or auction website. FortiGuard Web Filtering web page blocked message appears, blocking access to the website. If you attempt to access an online shopping page before authenticating, the FortiGate unit would ask you to authenticate. After authenticating the FortiGuard web page blocked message appears. You can customize the FortiGuard web filtering page that appears by going to System > Config > Replacement Message > FortiGuard Web Filtering > URL block message. Form the FortiGate web-based manager go to UTM Profiles > Monitor > Web Monitor to view graphs of FortiGuard Web Filtering activity. The graphs should show the Shopping and Auction category has been blocked,
262
If you can access the online shopping site it may not be in the FortiGuard web filtering database. Try another online shopping site to see if it is blocked. You can browse to http://www.fortiguard.com/webfiltering/webfiltering.html and look up the URL to see what category it has been added to. You can also request to have the category changed. All sites will be blocked if the FortiGate unit cannot access the FortiGuard network to get web site ratings. This happens because the Allow Websites When a Rating Error Occurs option under Advanced Filter in the web filter profile is disabled by default.
263
Creating a security policy to identify users, restrict access to certain websites, and control use of applications
Problem How to allow only authorized users to access
the Internet and block these users from accessing online shopping and auction websites, and block them from using any excessive bandwidth consuming applications, including Skype.
WEB FILTERING
Solution Blocking nuisance applications is common on corporate networks to control bandwidth usage,
illegal file sharing, and employee time wasting. Enable web filtering and block access to shopping and auction websites for the identity based policy as described in Creating a security policy to identify users and restrict access to websites by category on page 262. Then add the Sales_app_sensor profile to it to block excessive bandwidth applications. Test the configuration by authenticating and then attempting to use a blocked application such as bitTorrent, KaZaa, or eDonkey. This example requires the FortiGate unit to have a valid FortiGuard Web Filtering license. 1 Go to UTM Profiles > Application Control > Application Sensor and select Create New to add a new detection list named Sales_app_sensor. 2 Select Create New above the list to create a new application detection entry that blocks all running applications in the instant messaging category. 3 Select OK to save the IM blocking application detection entry. 4 Select Create New to create a new application detection entry that allows Skype. Select Instant Messaging category, and specify the application. Select Filter by Vendor and find Skype Technologies in the list, and select Allow for the action. 5 Select OK to save the application detection entry. 6 Move the Skype entry above the block all instant messaging. Otherwise, Skype will be blocked with all the other IM applications. 7 Select OK to save the web filter profile. 8 Go to Policy > Policy > Policy and Edit the policy that allows users to access the Internet and contains the identity based policy. 9 Edit the identity based policy that includes the Sales user group. 10 Select UTM. 11 Select Enable Web Filter and select the Sales_web_filter profile. 12 Save the changes to the identity based policy and the security policy.
Results Go to User > Monitor > Firewall and deauthenticate wloman. From a web browser on the
internal network, attempt to access the Internet. If the session is accepted by the policy that you added the identity based policy to, you should be prompted for a user name and password. Enter wloman and password. If authentication is successful you should be able to browse the Internet. Attempt to access an online shopping or auction website. FortiGuard Web Filtering web page blocked message appears, blocking access to the website. Attempt to use one of the blocked high bandwidth applications. It should be blocked through the Application Sensor.
264
If you attempt to access an online shopping page before authenticating, the FortiGate unit would ask you to authenticate. After authenticating the FortiGuard web page blocked message appears. You can customize the FortiGuard web filtering page that appears by going to System > Config > Replacement Message > FortiGuard Web Filtering > URL block message. Form the FortiGate web-based manager go to UTM Profiles > Monitor > Web Monitor to view graphs of FortiGuard Web Filtering activity. The graphs should show the Shopping and Auction category has been blocked,
If you can access the online shopping site it may not be in the FortiGuard web filtering database. Try another online shopping site to see if it is blocked. You can browse to http://www.fortiguard.com/webfiltering/webfiltering.html and look up the URL to see what category it has been added to. You can also request to have the category changed. All sites will be blocked if the FortiGate unit cannot access the FortiGuard network to get web site ratings. This happens because the Allow Websites When a Rating Error Occurs option under Advanced Filter in the web filter profile is disabled by default.
If the behavior is not what you expect, check the logs. Turning on logging leaves a trail whenever you authenticate or access is blocked. For Authentication entries look in the Event Log, for blocked websites look in Web Filter Log, and for blocked applications look in Application Control log. You can use these log messages or lack of them to find details that will help fix the problem.
If you use the Application Sensor to block games if you are not logged in, the games will not be able to connect and because of that some just will not start up. For example World of Warcraft launcher never appears after you start it when it is blocked like this. Where other games, such as World of Tanks, load their loading application before attempting to connect so you will get an error message with those games.
265
Adding FortiToken two-factor authentication to a user account

Problem How do you add a FortiToken to a user account. Solution Two-factor authentication is fast becoming an
FortiToken User
industry requirement. FortiToken is a cost FortiGate Unit effective solution. With its combination of information you know (your username and password) and something you have (the FortiToken device), it improves your network security with little extra work for administrators. FortiToken is a one-time password generator that users must carry with them. It generates a six-digit token that the user enters in addition to username and password at logon as an extra factor of security. It serves a similar purpose to RSAs SecureID tokens. To add a new FortiToken to a user, the FortiToken must first be added to the FortiGate unit, verified by the FortiGuard system, and FortiGate and FortiToken time must be synchronized. Then the FortiToken can be applied to the user account. Test the configuration by the user logging in and being prompted for the FortiToken generated code. This solution assumes you have a FortiToken, the user account wloman is already created, and is part of a user group that is used in an identity-based security policy. FortiTokens and other two-factor authentication can be added to local or remote users or administrators. This applies to FortiToken-200, with other models having minor variations.
1 Get your FortiToken and make sure it is working. Press the button. It should display a sixdigit number and to the left a stack of up to six bars. These represent the time until the code changes, one bar for each 10 seconds. After a few seconds the display should turn off to save power. Turn the FortiToken over and verify there is a serial number. It is 16-digits long and starts with FTK. For this example the token serial number is FTK2000BHV1KRZCC. 1 Go to User > FortiToken > FortiToken and select Create New. 2 Enter the serial number and select OK. Serial Number #1 Automatically Send Activate Request to FortiGuard FTK2000BHV1KRZCC Select
You may have problems entering the serial number. If any of the characters are wrong it will be invalid. If you already entered this serial number, it will be invalid. If it is the wrong length, it will be invalid. For security reasons there is no hint of what is wrong you must determine that by yourself. 3 Wait for the FortiGuard system to validate your FortiTokens serial number. When you first enter the serial number its status is listed as New. Once FortiGuard validates the serial number, the status will change to Active.
266
4 Go to User > FortiToken > FortiToken, select the FortiToken serial number you just added, and select Synchronization. The FortiToken Synchronization window appears.
5 Press the button on your FortiToken, and enter the resulting six-digit number in the First Code field. The bars displayed on the left size of the FortiToken display are a count down to when the code changes. When the displayed code changes, press the FortiToken button again, and enter that code in the Second Code field. 6 Go to User > User > User and edit the user account. Select Enable Two-factor Authentication, under Deliver Token Code by ensure FortiToken is selected, and choose your serial number from the drop-down list. If there are no FortiTokens listed in the drop-down list on the user edit page, go to User > FortiToken > FortiToken and verify the status of the entry. If it does not say Active, it is not available to be associated with a users account. Generally the FortiGuard system will verify the FortiToken serial number after a short period of time. If this does not happen, ensure you have a valid connection to the FortiGuard network. See (FortiGuard Troubleshooting section). 7 Select OK to save the user.
Results To verify the user has two-factor authentication configured, go to User > User > User. On the
list of users that is displayed wloman will have a green check under two-factor authentication. This verifies that some form of two-factor authentication is associated with this account.
To verify the user has FortiToken two-factor authentication properly configured, go to User > FortiToken > FortiToken. On the list of FortiToken serial numbers, the one associated with the wloman account will have wloman displayed in the User column.
You can also go to Log&Report > Log & Archive Access > Event Log to view log messages recorded while registering the FortiToken, and changing the user account:
Best If you are assigning an administrator a FortiToken, ensure there is another administrator Practices account configured as a backdoor in if there are problems authenticating. Otherwise you will
be unable to logon. On a regular basis, check all FortiTokens for drift. To do this take the token in your hand, go to User > FortiToken > FortiToken, and select Synchronize. When you enter the 2 codes, you are updating the FortiGate unit clock with any drift in the FortiToken clock that might have happened. This prevents logon issues due to drift.
Adding SMS token code delivery two-factor authentication to a FortiGate administrators account
Adding SMS token code delivery twofactor authentication to a FortiGate administrators account
Problem I need an alternative to FortiToken devices
users dont want to carry them around.
User
SMS text
FortiGate Unit
Solution An alternative to FortiToken for 2-factor

authentication is using SMS text messaging to send users their token code. Using this method, users only need to carry their mobile phone with them which they likely do already. SMS token code delivery generates a six-digit token on the FortiGate unit. The token code is then delivered to a mobile phone via SMS text messaging, so you can enter it when you logon. This solution assumes the FortiGate administrator account admin2 is already created, and is part of a user group that is used in an identity-based security policy. To deliver the token code by SMS text message, you must first configure the SMTP email address for your FortiGate unit, configure the Mobile Provider, and then add the two-factor SMS information to the user account. For this example, the user is in Canada and uses the mobile provider mproexample. The company is example.com. The administrators email address is admin2@example.com and their password is 123456, a very bad password. Their mobile phone number is 613-555-5555. 1 Go to the email server at Log&Report > Log Config > Alert E-mail. 2 Enter the following information and select Apply when done. SMTP Server Email from Authentication SMTP user Password mail.example.com my_fortigate@example.com enable admin2@example.com 123456
You should test your settings at this point to ensure the email can be delivered as expected. This is done by selecting the Test Connectivity button shown in the image above. If the settings are correct, email will be sent to admin1 and admin2. If they do not receive email, something is wrong. Check the spelling of each entry, ensure the SMTP server uses authentication, ensure there is a default route to the mail server, and that SMTP traffic is allowed by security policies on the FortiGate unit. 3 In the CLI, enter the following information to add mproexample as an SMS provider: config user sms-provider edit mproexample set mail-server mproexample.ca next end
268
Adding SMS token code delivery two-factor authentication to a FortiGate administrators account
You will need to contact your mobile provider for their mail server address. This is the mail server that you can email and it will forward your message as an SMS text message to the customers mobile phone. At that time you should verify that your mobile phone service includes SMS text messaging. 4 Go to System > Admin > Administrators, select admin2, and select Edit. 5 Select Enable Two-factor Authentication, under Deliver Token Code by ensure SMS is selected, and choose mproexample as the mobile provider. 6 Enter your mobile phones telephone number including area code and/or country code as required by your mobile provider. 7 Select OK.
Results When the token code is sent via SMS text messaging the message will appear similar to:
fortigate@example.com(AuthCode: 039130) Your authentication token code is 039130. To verify the administrator has two-factor authentication configured, go to System > Admin > Administrators. On the list of administrators that is displayed admin2 will have a green check in the two-factor authentication column. This verifies that some form of two-factor authentication is associated with this account.
You can also go to Log&Report > Log & Archive Access > Event Log to view log messages recorded while registering the FortiToken, and changing the user account:
When admin2 attempts to logon to the FortiGate unit GUI or access network resources through an identity-based security policy, they will be presented with a two-factor authentication logon prompt. This prompt includes the normal username and password, but after wloman has entered and verified their username and password, a third field appears where the token code is entered by admin2 once it has been received on their mobile phone. On validation, wloman is allowed access. If any of the username, password, or token code are not valid admin2 is not authenticated and is not granted access.
269
Stopping the Connection is untrusted message
Stopping the Connection is untrusted message

CERTIFICATE
Problem When you first connect to a FortiGate unit with your web
browser, a message may appear questioning the connections security. How do you prevent this?
Solution When you see a Connection is untrusted type message,

it means there is a problem with the certificate for the website you are connecting to. Anytime you browse a website, you are using either HTTP or HTTPS. The difference between them is that HTTPS has security. This security is in the form of certificates that identify the source as being legitimate. Without a valid certificate, the customer does not know if it is really the true website, or if a hacker hijacked their connection with malicious intent. With FortiGate units, this message occurs for two reasons because the default certificate used by the FortiGate unit is a self-signed certificate, and because the certificate is valid only for the FortiGate unit. To be trusted, a certificate must be signed by a known certificate authority (CA) that the web browser can verify. For example if Freds certificate is signed by Bob, and Bobs certificate is signed by Peter, then anytime someone checks Freds certificate they must be able to trace it back to Peter and verify that Peter is trustworthy. Any break in that chain, and Freds certificate is seen as untrustworthy. Contact your ISP or other online services provider to get a trusted intermediate CA certificate for your FortiGate unit. When you are giving them the information, make sure it is clear where you will be using this certificate: on an internal network, a public facing website, or across your enterprise. Ensure it is a CA certificate as this allows you to sign certificates for local users for applications such as VPN. Generally online services providers include a form for you to fill out to create your certificate when you are paying for it on their website. However another common method is to generate a certificate signing request (CSR) with an application like openssl. This is a request that is sent to the certificate authority providing you with your certificate. They process the request, usually automatically, and return a certificate to the email address provided based on the information in the CSR. The certificate from the CA is a text file that contains the information you included in the CSR as well as details about the CA who issued the certificate, when it was issued and when it expires, and the fingerprints or encryption associated with it. To install a CA certificate from your computer to the FortiGate unit you go to System > Certificates > CA Certificates and select Import. After you browse to the certificate file, which is usually a .cer or .p12 format text file, and select it will be installed on your FortiGate unit. You can verify this by refreshing the display to see the new certificate. It will be displayed by name and subject, and you can select it for more in-depth details if you need to verify it. Now when you are using HTTPS or other SSL connection, your FortiGate unit will not generate untrusted certificate-based error messages.
270
Logging and Reporting

You can use FortiGate logging to record all traffic passing through the FortiGate unit and record all events such as when application activity, virus events, attacks and so on. In security policies you can also enable traffic logging to record log messages for all of the traffic accepted by security policies. On FortiGate units with hard disks, all of the information captured by logging is compiled into the weekly activity report. You can view this report at any time to see details of the activity captured by FortiGate logging. Included in the report is bandwidth and application data, web usage data, email usage data, threats intercepted, and VPN usage. In addition to real time viewing you can view historical versions of the report which is recorded each week. You can also view the actual log messages recorded by the FortiGate unit. Viewing log messages supplies more details about specific events recorded by the FortiGate unit and can be used to trace activity and diagnose problems. FortiGate units without hard disks support a port of these logging and reporting features. On any FortiGate unit you can send log messages to a FortiAnalyzer unit or remote syslog server and use these devices to report on FortiGate activity recorded by log messages. Throughout the web-based manager you can find monitor pages that display real time information about that part of the product. For example, in the policy section of the web-based manager you can view the list of active sessions being processed by the FortiGate unit and view a graph of the most active security policies. In the UTM profiles section of the web-based manager monitoring pages are available for most UTM functions, including application usage, intrusion monitoring, and endpoint monitoring. Many of the reporting and monitoring functions include drill down options to view more details or different views of the information on the monitor or report page. This chapter includes the following logging and reporting examples: Understanding log messages Creating a backup log solution Logging to remote Syslog servers Alert email notification of SSL VPN login failures Modifying a default report Testing the log configuration
271
Understanding log messages

Problem There are several application
control log messages with the message web: HTTP.BROWSER. What does this mean?
I 172ntern .16 al ne .12 tw 0.1 ork 0-1 00
nit 1 te u .20 Ga 6.120 ti For 72.1 1
Solution Find out what these log

messages mean by understanding each part of the log message.
F 172 ortiA .16 naly .12 zer 0.1 un 54 it
The parts of the log message, called log fields, contain specific information. For example, the date log field contains information about the day, month and year of when the log message was recorded. You can look at log messages as puzzles each piece of the log message is a piece of a puzzle, and when those pieces are put together, they show the whole picture. Log messages provide valuable insight into how to better protect the network traffic against attacks, misuse and abuse. 1 Go to Log&Report > Log & Archive Access > UTM Log. The application control log messages appear on the page. Even though you can view the individual fields from the log viewer table, not all log fields are visible. You should always download a log file so that you can clearly see all log fields. A text editor, such as jEdit, can help to better display the log messages when viewing them from your computer. 2 Download the UTM log file by selecting Download Raw Log.
The log messages saved to your computer are in a format called Raw. This format is how the log messages appear in the log file on the FortiGate unit. When viewing the log messages in the web-based manager, you are viewing them in the format called Format. This view allows you to customize what information you see on the page, where in Raw format you cannot.
272
3 On your computer, open the file up and scroll down to locate the application control log messages with the message web: HTTP.BROWSER.
4 Since these log messages are the same, pick one and break it into the two groups that make up a log message: the log header and log body. The first group is what will be looked at first, the log header. 2011-08-17 13:40:20 log_id=28704 type=app-ctrl subtype=app-ctrl-all pri=information vd=root
date=2011-08-17 time=13:40:20 The year, month and day of when the event occurred in yyyy-mm-dd format. The hour, minute and second of when the event occurred in the format hh:mm:ss. A five-digit unique identification number. The number represents that log message and is unique to that log message. This five-digit number helps to identify the log message. The section of system where the event occurred. The subtype category of the log message. The severity level of the event. In this log message, this means that there is general system information. The name of the virtual domain where the action/event occurred in. If no virtual domains exist, this field is always root.
log_id=28704 type=app-crtl subtype=app-crtl-all pri=information vd=root
Now we know the first part of the what the log message is saying an application control event occurred on August 17, 2011 at 1:40 pm and this is just general system information. Next, understanding the rest of the log message from the log body. 5 The log body contains the following information: attack_id=15893 src="10.10.20.3" src_port=52315 src_int="internal" dst="67.69.176.57" dst_port=80 dst_int="wan1" src_name="10.10.20.3" dst_name="67.69.176.57" proto=6 service="http" policyid=1 serial=20596 app_list="default" app_type="web" app="HTTP.BROWSER" action="pass" count=1 msg="web: HTTP.BROWSER"
attack_id=15893 src=10.10.20.3 src_port=52315 src_int= internal dst=67.69.176.57 dst_port=80 dst_int=wan1 src_name=10.10.20.3 The identification number of the IM (IPS) log message. The source IP address. In this case, it is the internal interface that is used with the IP address of 10.10.20.3 The source port number. Usually a random number that keeps track of sessions. The source interface is the internal interface. The destination IP address. The destination port number. Port 80 is typically HTTP. The destination interface is wan1. The source name. The source name is usually the source IP address.
273
dst_name=67.69.176.57
The destination name. This is usually the same as the destination IP address. The protocol number that applies to the session or packet. This is the protocol number in the packet header that identifies the next level protocol. Protocol numbers are assigned by the Internet Assigned Number Authority (IANA). Protocol 6 is TCP. Another common protocol is UDP (proto=17). For more information on protocol numbers see RFC 1700. The IP network service that applies to the session or packet. The services displayed correspond to the services configured in the security policy. Since the firewall configuration for the FortiGate unit includes the service ANY, this also means all services to the FortiGate unit so it chooses the service that applies to the session or packet, which in this case, is HTTP. The ID number of the security policy that applies to the session or packet. Any policy that is automatically added by the FortiGate will have an index number of zero. The serial number of the firewall session where the event happened. The application control list applied to the security policy and used during the scanning process.
proto=6
service=http
policyid=1 serial=20596 app_list=default
The log information. This is usually a sentence and explains the activity msg=web:HTTP.BROW and/or action taken. In this message it states that access to a page on the SER Internet occurred (web) and that the application that was used was HTTP.BROWSER.
From the log body, we now know the traffic that was flowing through wan1 (the external interface on the FortiGate unit) was scanned by the FortiGate unit using the security policy 1, which had the default application control profile applied to it. From those rules, the FortiGate unit matched the traffic. The user (internal=10.10.20.3) was accessing the Internet and was using the application HTTP.BROWSER. Knowing the application was HTTP.BROWSER, we can lookup exactly what this application is by going to the FortiGuard Center. 6 In the web-based manager, go to UTM Profiles > Application Control > Application List. 7 In the search field, enter HTTP.BROWSER; when it appears in the list on the page, select its name. You are automatically redirected to the FortiGuard Center page that contains all the information you need to know about the application, HTTP.BROWSER. 8 The description for this log message on the FortiGuard Center page says this application only has a medium risk, and indicates that an HTTP client request attempted to contact with a HTTP server, which usually listens on port 80. This is not an attack or an exploit. You can use the FortiGate Log Message Reference to understand log messages. It contains an explanation of each log field for each log message.
274
Creating a backup log solution

Problem You have recently setup a
FortiAnalyzer unit and need a backup solution. Before integrating the FortiGate unit into your network, you were using a Syslog server, which you would like to use again.
Lo th gs th e F be e or in Sy tiG g sl a se og te nt se un fro rv it t m er o
Solution Configure the FortiAnayzer and Syslog

rti Fo al An yz er it un
server first, and then configure the FortiGate unit to send logs to both log devices.
The FortiAnalyzer unit, a Fortinet log device, can help you provide another storage location for storing logs. The FortiAnalyzer unit can log all FortiGate activity that is available for logging, including archival of log files. The FortiAnalyzer unit has many features, for example managing multiple FortiGate units logging requirements, as well as creating FortiAnalyzer customized reports that organize and monitor FortiAnalyzer unit information. The following steps begin immediately after you have set up the FortiAnalyzer unit on your network. Before configuring the FortiGate unit, ensure both the FortiGate unit and the FortiAnalyzer unit have the same firmware version and maintenance release. If both do not have the same firmware version and maintenance release, issues may arise, such as being unable to send logs to the FortiAnalyzer unit. 1 Update your third party Syslog server software, and verify that it is up and running properly. 2 On the FortiGate unit, use the CLI command execute ping to ping the FortiAnalyzer unit and then do the same for your Syslog server. If there is 100 percent packet loss, troubleshoot the networking problem before proceeding. 3 On the FortiGate unit, go to Log&Report > Log Config > Log Setting and verify that you are currently logging to the FortiGate units local disk. 4 Enter the following CLI commands: config log fortianalyzer setting set status enable set address-mode static set server 172.20.120.138 set upload-option realtime end config log syslogd setting set status enable set server 10.10.20.4 set facility local1 end 5 Test the connection between the FortiGate unit and FortiAnalyzer unit. On your FortiGate unit go to Log&Report > Log Config > Log Setting, select Upload logs remotely, and then select Test Connectivity. By selecting Test Connectivity, you can see if there are any issues with the settings. For example, Connection Status in the FortiAnalyzer Connection Summary window has Logs not received. This means that there is an issue about sending the logs to the FortiAnalyzer
Lo th gs Fo e F be rti ort ing An iG s al at en yz e t er un fro un it t m it o t he
Sy sl k or w
og et N
Se te In al rn
rv
er
275
unit. You must troubleshoot the problem. If the Connection Status has a green checkmark, you are able to successfully log to the first FortiAnalyzer.
6 On the same page, select Apply to enable uploading of logs to the FortiAnalyzer units. 7 To upload the logs to the FortiAnalyzer unit at a scheduled time, select Change beside FortiAnalyzer (Daily at 00:60), to change the daily upload time to 22:00. 8 Verify that the log options you require are enabled. If there are no log options enabled, then there will be no logs recorded. By default, the FortiGate unit enables all SQL logs. You must enable UTM as well if you want to log UTM features.
Results On the FortiAnalyzer unit, you should now see logs appearing on each unit, in Log & Archive >
Log Access. You should also be seeing logs appear on the Syslog server.
If you are not seeing any logs on the FortiAnalyzer unit, verify that the device has been included in the Devices menu list. Check with the FortiAnalyzer documentation to help troubleshoot any FortiAnalyzer problems that appear. There is no command to verify the FortiGate units connection with the Syslog server. If you are having issues between the Syslog server and FortiGate unit, you should verify that you can ping to the Syslog server through your FortiGate unit. You should test that logs can be sent to the FortiAnalyzer units to ensure log messages are being sent. By testing the connection, you can easily and quickly resolve any issues that may occur, such as logs not being sent or an issue that is on the FortiAnalyzer side, such as the device is not appearing on the FortiAnalyzer units Devices list.
276
To test that the FortiGate unit can send logs to the FortiAnalyzer unit, use the diag log test to generate logs and view them from the FortiAnalyzer unit to verify that they were sent. diag log test generating a system event message with level warning generating an infected virus message with level warning generating a blocked virus message with level warning generating a URL block message with level warning generating a DLP message with level warning generating an attack detection message with level warning generating an application control IM message with level information generating an antispam message with level notification generating an allowed traffic message with level notice generating a wanopt traffic log message with level notification generating a HA event message with level warning generating netscan log messages with level notice generating a VOIP event message with level information generating authentication event messages
277
Logging to remote Syslog servers

Problem You want to configure the FortiGate
unit to send logs to three Syslog servers and ensure the reliability that the logs were sent to the servers.
Inte rna lN etw
ork uni t
Solution Use the reliable Syslog feature,

available when configuring the Syslog servers. When configuring logging to three Syslog servers, it is best to configure all three using the CLI instead of going to the web-based manager and configuring one there, and then the other two in the CLI.
Fo
ate rtiG
Sys
s log
erv
ers
This type of logging configuration is called a log redundancy configuration. A redundancy logging configuration sends the same logs to each of the log devices, so that there is always a copy of the same log file on each device. In FortiOS, this configuration is supported only with FortiAnalyzer units and Syslog servers. 1 Log in to the CLI. 2 Enter the following command syntax to configure the three Syslog servers, as well as enabling reliable logging to Syslog servers: config log syslogd setting set status enable set server 10.10.20.4 set reliable enable set csv enable set facility local1 end config log syslogd setting set status enable set server 10.10.20.5 set reliable enable set csv enable set facility local2 end config log syslogd3 setting set status enable set server 10.10.20.6 set reliable enable set csv enable set facility local3 end
278
3 Test the configuration by using the diag log test command syntax.
The FortiGate unit generates log messages and then sends them to the Syslog servers. 4 View the Syslog server log entries to verify that the logs were successfully sent.
Results The log messages should be going directly to all three Syslog servers. You can verify this by
going directly to each Syslog server and viewing the logs that are displayed in the servers window.
279
Alert email notification of SSL VPN login failures

e at G rti Fo
immediately notified when an SSL VPN login failure occurs so that you can quickly fix the problem, regardless of where you are.
ad m k
in
Solution Create an alert email to notify you that an SSL VPN login failure occurred.
The following assumes that you have already set up logging and that event logging has been enabled. For this example, turn off all event logging before you start to prevent other possible non-SSL VPN log messages from confusing things. Event logging must be enabled (in Log&Report > Log Config > Log Setting) so that this alert email can be sent. SSL VPN events are one of the event types logged to the event log and therefore must be enabled in Event Logging. When entering the email addresses for the alert email configuration, you need to enter two email addresses. The first email address is for the sender of the alert email and the second is for receiver of the alert email. The sender can be any email address that helps to identify that the email has been sent from the FortiGate unit. In this solution, we use fortigate@example.com to help identify that the alert email is sent by the FortiGate unit. The email that you receive is your email address, and in this solution it is referred to as myemail@example.com 1 Go to Log&Report > Log Config > Log Setting. 2 Under Event Logging, select SSL VPN user authentication so that all SSL VPN authentication events are logged. 3 Go to Log&Report > Log Config > Alert E-mail and configure the following: SMTP server Email from Email to mail.example.com fortigate@example.com myemail@example.com
4 Select Authentication and provide the following authentication log in credentials for the SMTP server. SMTP user Password myemail !eMa1L9
5 Verify that all information is correct and then select Test Connectivity. When you select Test Connectivity, the FortiGate unit generates a test alert email message and sends it to your email address. If you do not receive an email, you need to troubleshoot the problem. An email log message is only recorded if the SMTP server name is misspelled.
280
et w or
SS L
VP N
us er
Problem You need to be
it un
If you accidently have a typo is in the SMTP server field it appears as follows: 2010-04-05 13:34:31 log_id=01000200003 type=event subtype=system vd=root pri=notice user=system ui=system action=alert-email status=failure count=5 msg=Failed to send alert email from mail.exmpl.com to myemailaddress@example.com In the above log message, highlighted in bold, you can see that mail.example.com has been misspelled. To fix the problem, make the spelling correction and select Test Connectivity again. 6 Select SSL VPN login failure in Send alert email for the following. 7 Select Apply to save the alert email configuration.
Results When an SSL VPN user attempts to authenticate using the SSL VPN tunnel, and they are
unsuccessful, this event is logged by the FortiGate unit and you receive an alert email in your inbox. The body of the email contains the event log message. To test that you can receive an alert email notification, on the Alert E-Mail page, select Administrator login/logout and then select Apply. Log out of the web-based manager and then log back in again. Check your inbox; an alert email message should be there, with the subject line Message meets Alert condition and appears as follows:
Alert email can be sent for any configured event logging events such as DHCP event, IPsec event, or quarantine event. The complete list of available events can be found at Log&Report > Log Config > Log Setting. Select only specific alert email notification options that you require. Otherwise your inbox could be flooded with unwanted email messages.
281
Modifying a default report

Problem You want to create a
report from the information you found after viewing a list of the web sites your users have visited.
Solution Modify the default

FortiOS UTM report so that it has exactly what you need. Modifying this report is easy and less time consuming than creating a custom report. However, you can create a custom report for this but it is entirely done in the CLI. After creating your modified version of the default FortiOS UTM report, you can restore the report back to its default settings which includes all pages and charts. 1 Go to Log&Report > Report Access > Cover Page and select Edit to change the cover page information. 2 Change the following information: FortiGate UTM Weekly Activity Report Top Web Sites Employees Visit Report of August 30, 2011
3 Remove the FortiGate Host Name and FortiGate Serial Number text boxes. 4 Remove the The FortiGate Advantage text box. 5 Select Save to save the changes to the cover page. The page automatically goes back to its unedited view when you save the page, regardless of which page you are modifying. 6 Select Edit and then select Options. 7 Under Sections, select VPN Usage, Threats, Emails, and Bandwidth and Application Usage and then select Delete. 8 Under Report Schedule, select Demand from the Schedule Type list. When you select Demand, you are creating an on-demand report which is available for generating whenever you want. 9 Select OK. 10 Select Save to save the changes. 11 Go to Log&Report > Report Access > Web Usage and then select Edit. 12 Scroll down until you locate the chart Top Search Phrases; remove the chart and its text boxes. 13 Select Save to save the changes. If you have been logging web usage for a while, you may see information in some of the charts. 14 Select Run to immediately generate the report. The report may take a while, depending on how much information has been gathered from the logs.
282
Results A generated report should appear in the list on the Historical Reports page. The following
shows a page of the report in a PDF.
You can view the generated report either as a HTML report, by select the reports name in the Report File column, or as a PDF, by selecting PDF in the Other Formats column. The PDF can be easily downloaded to your computer and then distributed in an email to others.
283
Testing the log configuration
Testing the log configuration

Problem How do I test my log configuration? Solution Test the configuration by using Test
Connectivity, as well as the diag log test command.
I 172ntern .16 al ne .12 tw 0.1 ork 0-1 00 t uni 01 ate 20.2 rtiG .16.1 Fo 72 1
Testing connections between a FortiGate unit and a WebTrends server or Syslog server are not available. Testing between the FortiGuard Analysis server and the FortiGate unit is also supported. The test involves using both the CLI and web-based manager. 1 In the web-based manager, go to Log&Report > Log Config > Log Setting. 2 Under Logging and Archiving, select Test Connectivity. The FortiAnalyzer Connection Summary window appears. You should have all green check marks for the Privileges and Connection Status. If there is a caution icon with the words Logs not received in Connection Status, you will need to troubleshoot the issue. You may have to troubleshoot both the FortiGate unit and the FortiAnalyzer unit. 3 To test the connection other than using the web-based manager, in the CLI use diag log test command. This command sends logs to the FortiAnalyzer unit.
F 172 ortiA .16 naly .12 zer 0.1 un 54 it
4 To verify the number of logs sent, failed, dropped or buffered to the FortiAnalyzer unit, use the diag fortianalyzer-log mgstats show command. 5 Go to the FortiAnalyzer unit, and under Log & Archive, view the logs that you just sent from your FortiGate device. 6 To check the connectivity between your FortiGate and the FortiGuard Analysis server, in Log&Report > Log Config > Log Setting, under Logging and Archiving, select Test Connectivity for the FortiGuard Analysis & Management Service. The FortiGuard Connection Summary window appears, showing the expiry date, disk quota and daily volume, and whether or not you are sending DLP archives to the server.
Results You should be seeing successful results, where logging is being sent to the log device, either a
FortiGuard Analysis server or a FortiAnalyzer unit.
284
Index
A
access point, 107 Active Directory, 126 address FQDN firewall address, 135 admin profile custom, 83 super_admin, 34 administrator creating, 34, 83 administrator profile custom, 83 alert email, 280 alert notification email for SSL VPN login failures, 280 antivirus changing the maximum file size, 185 flow-based, 187 software, 225 application control, 202, 264 adding a sensor to a policy, 202 blocking access to social media, 204 blocking instant messaging, 203 blocking peer to peer file sharing, 205 troubleshooting, 202 application monitor, 202 drill down, 202 applications bandwidth use, 189, 202, 204, 205, 228, 231, 237, 242, 246, 249, 270, 272, 275, 278 blocking, 264 debugging, 104 visualizing, 202 ARP packet sniffer, 95 assigning IP addresses, 86 authenticate web filtering, 190 authentication debugging, 102 two-factor, 266, 268 authoritative dns, 85 Bing safe search, 191 bridge table, 26
C
CA Authority, 126 captive portal WiFi, 117 capture packet, 89 central NAT table, 166 certification, 10 Cisco UNITY client, 237 cluster, 69 connecting an HA cluster, 70 configuration backup, 28, 74 connecting a FortiGate HA cluster, 70 count, 144 policy, 144 security policy, 202 customer service, 10
D
Data Leak Prevention, 209 DCHP server, 123 debug application, 104 authentication, 102 diagnose command, 101 flow, 104, 139, 140, 146 info, 104 IPsec VPN, 103 packet flow, 103 SSL VPN, 101 URL filtering, 103 debug flow, 139, 140 debugging FortiGate configurations, 101 default route failover, 41, 47 demilitarized zone network, 50 denial of service protection, 207 deny policy count column, 149 verifying, 147 destination NAT, 169, 171, 173, 176, 179 DHCP, 15 IP reservation, 86 DHCP relay WiFi, 123 diag debug flow, 139, 140, 146 285
B
backup configuration, 28, 74 backup Internet connection, 38, 44 backup log solution, 275 bandwidth application use, 189, 202, 204, 205, 228, 231, 237, 242, 246, 249, 270, 272, 275, 278 bandwidth consuming web filtering, 189
Index diag log test, 277 diagnose quick reference, 104 diagnose debug, 101 diagnose debug flow, 139, 140 DLP, 209 flow-based, 188 DMZ network, 50 DNAT, 169, 171, 173, 176, 179 web server, 51 DNS creating a local DNS server, 85 verifying the configuration, 20, 25 dns authoritative, 85 database, 85 documentation, 10 Fortinet, 10 domain name service, 85 DoS policy, 207 protection, 207 sensor, 207 drift FortiToken, 104 dual internet connections, 48 dynamic SNAT, 162 dynamic source address translation, 162 central NAT table, 166 firewall ordering policies, 148 restricting all DNS queries to a selected DNS server, 151 restricting employees Internet access, 135 restricting Internet access per IP address, 141 schedule, 135 using geographic addresses, 158 verifying that traffic is hitting a security policy, 144 firewall address FQDN, 135 firewall statistics diag, 104 firmware download from Fortinet support, 27 TFTP upgrade, 28 upgrading, 27, 73 version, 27, 73 flow debug, 104 diag debug, 139, 140, 146 diagnose debug flow, 139, 140 flow-based antivirus, 187 DLP, 187 UTM, 187 web filtering, 187 FortiAnalyzer, 275 FortiAnalyzer unit, 275 testing sending logs, 277 FortiAP, 107, 110, 123 FortiAP, troubleshooting, 112 FortiASIC, 213 FortiClient SSL VPN, 221 FortiClient SSL VPN, 218 FortiGuard Antivirus, 9 email filtering lookups, 32 overriding web filtering, 190 ports used, 32 server list, 32 services, 9 setup, 30 transparent mode, 26 troubleshooting, 30 web filtering category, 192 web filtering lookups, 32 FortiGuard Centre, 192 FortiGuard web filtering, 189 check IP addresses, 199 images, 200 Fortinet customer service, 10 Knowledge Base, 10 Knowledge Center, 10 MIB, 87 SSL VPN clients, 213 Technical Documentation, 10 Technical Support, 10 Technical Support, registering with, 9 Technical Support, web site, 9 Training Services, 10 Fortinet documentation, 10 Fortitoken drift, 104
E
ECMP route priority, 42 routing, 42, 48 spillover, 48 usage-based, 48 email filtering, 208 FortiGuard, 32 enterprise security wireless, 114 equal cost multipath routing, 42, 48 ESP packet sniffer, 95 event log, 280 extended virus database, 184 extreme virus database, 184
F
failover default route, 41, 47 FAQ, 10 file size antivirus maximum, 185 filter packet capture, 98 packet sniffer, 94
286
Index FortiToken device SMS message as alternative, 268 using with FortiOS, 266 FortiWiFi, 107, 108, 114, 117, 126 FQDN firewall address, 135
L
legacy viruses protecting your network from, 184 license information dashboard widget, 30 local disk, 275 local DNS server, 85 local server, 85 local-in policy, 88 log messages, 125, 272 DCHCPREQUEST, 125 DHCPACK, 125 DHCPDISCOVER, 125 DHCPOFFER, 125 log to disk, 275 logging alert notification email for SSL VPN login failures, 280 backup log solution, 275 FortiAnalyzer unit, 275 log message body, 273 log message header, 273 Log Message Reference, 274 multiple Syslog servers, 278 testing log configuration, 284 testing sending logs to a FortiAnalyzer unit, 277 testing sending logs to Syslog servers, 279 understanding log messages, 272
G
geographic addresses, firewall, 158 get system status, 27, 73 glossary, 10 Google safe search, 191 GRE packet sniffer, 95 greyware, 183 guest network, 107
H
HA, 69 firmware upgrade, 73 hardware configuration, 69 split brain, 70 hardware certificate diagnose, 104 hardware deviceinfo disk diagnose, 105 hardware deviceinfo nic eth0 diagnose, 105 high availability, 69 host checking, 225 how-to, 10
M
mac address IP reservation, 86 Managed FortiAP, 112 management local-in policy, 88 many-to-one NAT, 160 MIB Fortinet, 87 mobile devices, 107 mode-cfg, 240 modem interface, 44, 46 MS-CHAP-v2, 127
I
images web filtering, 200 info debug, 104 instant messaging blocking, 203 introduction Fortinet documentation, 10 IP address private network, 7 IP addresses assigning, 86 web filtering, 199 IP masquerading, 160 IP Phone traffic shaping, 154 IP reservation, 86 IPS fail closed, 206 failover, 206 ips urlfilter status diagnose, 105 IPsec VPN debugging, 103
N
NAPT, 160 NAT destination NAT, 169, 171, 173, 176, 179 dynamic SNAT, 162 IP masquerading, 160 many-to-one, 160 NAPT, 160 one-to-one, 164 PAT, 160 SNAT, 160 NAT overload, 160 netlink brctl list diagnose, 105 network visualizing applications on, 202 network address and port translation, 160 Network Policy Server., 126 networking WiFi, 108, 110, 114, 123
K
Knowledge Center, 10 FortiOS 4.0 MR3 http://docs.fortinet.com/
287
Index
O
one-to-one NAT, 164 override web filtering, 190 override internal DNS DHCP, 17 oversized email, 186 oversized file, 186
P
packet sniffer, 89 packet capture, 94, 98 filters, 98 packet flow debugging, 103 packet sniffer filters, 94 protocols, 95 packet sniffing, 89, 98 PAT, 160 pcap packet capture file, 98 PEAP, 128 PEAP authentication, 126 peer-to-peer file sharing blocking, 205 ping server, 41 policy adding an application control sensor, 202 count, 144 DoS, 207 local-in, 88 policy monitor, 144 port address translation, 160 port forwarding, 169, 171, 173, 176, 179 web server, 51 port mapping, 169, 171, 173, 176, 179 port pairing transparent mode, 63 portal WiFi, 117 preshared key, 121, 124 Primary Internet connection, 44 primary Internet connection, 38 priority route, 42 product registration, 9 protocol options, 186 proxy avoidance web filtering, 189
release notes, 27 remote Internet access, 218 replacement message virus message, 62 reporting FortiOS UTM report, 282 modifying default report, 282 RFC 1918, 7 route priority, 42 route failover, 41, 47 route mode, 66 security policy, 52 routing ECMP, 42, 48 equal cost multipath, 42, 48
S
safe search web filtering, 191 schedule firewall, 135 security policies ordering, 148 restricting all DNS queries to a selected DNS server, 151 restricting employees Internet access, 135 using geographic addresses, 158 security policy, 144 adding an application control sensor, 202 count column, 202 limit Internet access, 135 restricting Internet access per IP address, 141 verifying traffic, 144 security risk web filtering, 189 sensitive information blocking, 209 sensor DoS, 207 service multiple, 52 shared shapers, 154 SMS used in two-factor authentication, 268 SNAT, 160, 162, 166 sniffer packet diagnose, 105 sniffing packet, 89 social media blocking, 204 software switch WiFi, 120 source address translation, 160 spam filtering, 208 spillover ECMP, 48 split tunnel, 220 split tunneling SSL VPN, 221 split-brain HA, 70 SSID, 120, 123 FortiGate Cookbook http://docs.fortinet.com/
R
RADIUS (NPS), 126 rating error, 21, 26 web filtering, 21, 26 recursive DNS server mode, 85 recursive dns, 85 redundant Internet connections, 38 registering with Fortinet Technical Support, 9 288
Index SSL VPN, 214 access email server, 214 debugging, 101 endpoint security, 213 FortiClient, 221 portal, 214 remote user, 225 split tunneling, 221 Subsession, 220 tunnel mode, 213 virtual desktop, 213 ssl.root, 219, 222 ssl.root interface, 220 static SNAT, 160 storage location, 275 streaming media blocking, 195 suggest a URL category web filtering, 192 super_admin administrator profile, 34 sys session full-stat diagnose, 105 Syslog server, 275 Syslog servers, log device, 278
U
unity-support, 240 upgrade firmware, 27 HA cluster firmware, 73 uploading logs, 276 URL FortiGuard web filtering category, 192 URL filtering debugging, 103 usage-based ECMP, 48 USB modem, 46 users identifying, 260 monitoring, 260
V
VDOM, 78 VIP web server firewall VIP, 51 virtual domain, 78 virtual FortiOS instances, 78 virtual interface, 120 virtual LANs, 75 virus legacy, 184 virus database extended, 184 extreme, 184 visual applications, 202 VLANs, 75 configuring, 75 VoIP traffic shaping, 154 VPN Cisco UNITY client, 237 Dialup, 231 L2TP, 236 SSL, 214 vpn tunnel list diagnose, 105 VPN, IPsec from Android device, 242 from FortiClient PC, 231 from iPhone, 237, 242 overview, 227 vulnerability scanner, 210
T
technical documentation, 10 notes, 10 support, 10 technical support, 10 test log diagnose, 105 test update info diagnose, 105 TFTP, 28 thin AP, 107 threshold oversized file/email, 186 traceroute, 31 traffic shaping shared shapers, 154 VoIP, 154 Training Services, 10 Transparent mode, 26 transparent mode port pairing, 63 protecting a server, 57 troubleshooting, 25 transport-mode, 236 troubleshooting DHCP, 16 FortiGuard, 30 ISP connection, 16 NAT configuration, 16 packet sniffing, 89, 94 transparent mode, 25 verifying that traffic is hitting a security policy, 144 VPNs, 249 Tunnel Mode, 218
W
web browsing blocking web sites by category, 262 web filter blocking streaming media, 195 record websites, 193 safe search, 191 whitelist, 197 Web filtering correct a URL category, 192
289
Index web filtering, 21, 26, 189 authenticate, 190 errors, 21 flow-based, 187 FortiGuard, 32, 189, 262 suggest a URL category, 192 web monitoring, 262 web portal, 214 web server port forwarding, 51 web sites users have visited, 193 websites blocking, 262 whitelist web filter, 197 WiFi captive portal, 117 DHCP relay, 123 software switch, 120 WiFi access, 108, 110, 114, 123 WiFi access point, 107 WiFi Controller, 109 WiFi controller feature, 107 Windows AD, 126 Windows Security Health Validator, 128 Windows Server 2008, 126 wireless WPA/WPA2 enterprise security, 114 WPA2 security, 108 WPA/WPA2 enterprise security wireless security, 114 WPA2 wireless security, 108 WPA2-Personal, 110, 123 WPA-Enterprise, 126
Y
Yahoo safe search, 191
290
FortiGate Network Protection
The FortiGate Cookbook is designed to help new FortiGate users solve problems on their networks by implementing FortiGate features such as UTM, WiFi, and VPN. The cookbook contains sections (recipes) that describe step-by-step solutions for solving problems and verifying the results of the solution. Many recipes also contain troubleshooting information, best practices and additional details. Scattered throughout this document you will also nd dedicated troubleshooting sections and details about using the FortiGate packet sniffer and diagnose debug commands. The FortiGate Cookbook was written for FortiOS 4.0 MR3 patch 2 (FortiOS 4.3.2) and is compatible with most FortiOS 4.0 MR3 rmware versions. Fortinet Knowledge Base - http://kb.fortinet.com Technical Documentation - http://docs.fortinet.com Training Services - http://campus.training.fortinet.com Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.
2011 Fortinet, Inc. All Rights Reserved. Fortinet and the Fortinet logo are trademarks of Fortinet, Inc.
01-432-153797-20111021

Fortigate Cookbook

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Fortigate Cookbook

Transféré par

Droits d'auteur :

Formats disponibles

The FortiGate Cookbook

FortiOS 4.0 MR3

The basics of installing and initial setup of a new FortiGate unit

Advanced FortiGate installation and setup

FortiOS 4.0 MR3 http://docs.fortinet.com/

Using security policies and firewall objects to control traffic

FortiOS 4.0 MR3 http://docs.fortinet.com/

Logging and Reporting