
The FortiGate Cookbook

Essential Recipes for Success with your FortiGate


15 May 2013
Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are registered
trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All
other product or company names may be trademarks of their respective owners. Performance metrics
contained herein were attained in internal lab tests under ideal conditions, and performance may vary.
Network variables, different network environments and other conditions may affect performance results.
Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties,
whether express or implied, except to the extent Fortinet enters a binding written contract, signed by
Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will
perform according to the performance metrics herein. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims
in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable.

Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to techdoc@fortinet.com.

Contents

Introduction

Installing and Setup
  Setting up a limited access administrator account
  Setting up and troubleshooting FortiGuard services ... 13
  Logging FortiGate system events to gather network traffic information ... 17
  Using SNMP to monitor the FortiGate unit ... 21
  Using FortiCloud to view log data and reports ... 27
  Using two ISPs for redundant Internet connections with distributed sessions ... 31
  Protect a web server on the DMZ network ... 35
  Adding a second FortiGate unit to improve reliability ... 39
  Setting up an explicit proxy for users on a private network ... 45
  Using port pairing to simplify transparent mode ... 49
  Adding packet capture to help troubleshooting ... 55

Wireless Networking ... 58
  Providing remote users access to the internet and corporate network using FortiAP ... 59
  Setting up a FortiGate and FortiAP to provide wired and wireless Internet access ... 65
  Setting up guest wifi users with a captive portal ... 71

Security Policies and Firewall Objects ... 78
  Controlling when BYOD users can access the Internet ... 79
  Using AirPrint with iOS and OS X and a FortiGate unit ... 83
  Using AirPlay with iOS, AppleTV, FortiAP and a FortiGate unit ... 93
  Using port forwarding on a FortiGate unit ... 101

UTM Profiles ... 106
  Visualizing and controlling the applications on your network using application control ... 107
  Configuring web filter overrides and local ratings ... 113
  Protecting a web server from vulnerabilities and DoS attacks using IPS ... 119
  Blocking email/web traffic or files containing sensitive information ... 125
  Monitoring your network for undesirable behavior using client reputation ... 131
  Inspecting content on the network using flow-based UTM instead of proxy-based UTM ... 135
  Blocking large files from entering the network ... 141
  Blocking access to specific web sites ... 145
  Blocking HTTPS traffic with web filtering ... 149

SSL and IPsec VPN ... 153
  Protecting traffic between company headquarters and branch offices using IPsec VPN ... 155
  Providing remote users with access to a corporate network and Internet using SSL VPN ... 161
  Securing remote access to the office network using FortiClient IPsec VPN ... 169
  Securing remote access to the office network for an iOS device over IPsec VPN ... 175
  Redundant OSPF routing between two remote networks over IPsec VPN ... 183

Authentication ... 198
  Providing single sign-on on a Windows AD network by adding a FortiGate ... 199

Introduction
This FortiGate Cookbook provides administrators who are new to FortiGate appliances with
examples of how to implement many basic and advanced FortiGate configurations. FortiGate
products offer administrators a wealth of features and functions for securing their networks, but
covering the entire scope of configuration possibilities would easily surpass this book. Fortunately,
much more information can be obtained in the FortiOS Handbook. The latest version is available
from the Fortinet Technical Documentation website at http://docs.fortinet.com.
This cookbook contains a series of recipes that describe how to solve a problem. Each recipe
begins with a description of the configuration requirements, followed by a step-by-step solution, and
concludes with results that show what should occur to verify the steps were completed successfully.
This FortiGate Cookbook was written for FortiOS 5.0 patch 2 (FortiOS 5.0.2).
A PDF copy of this document is available from the FortiGate Technical Documentation website at
http://docs.fortinet.com/cookbook.html. You can also find earlier editions of the FortiGate
Cookbook, which contain additional recipes, troubleshooting tips, and video demonstrations of
some of the content in this book.
You can send comments about this document and ideas for new recipes to techdoc@fortinet.com.
New recipes may be published on the FortiGate Cookbook website and added to future versions.

Web-based Manager
Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point
and click, drag and drop interface that provides quick access to most FortiGate configuration
settings and includes visual monitoring and management tools.
Using the web-based manager you can add a security policy to monitor application activity on a
network, view the results of this application monitoring policy, and then create additional policies or
change the existing policy to block or limit the traffic produced by some applications.
The web-based manager also provides a wide range of monitoring and reporting tools that provide
detailed information about traffic and events occurring on the FortiGate unit.
You access the web-based manager using HTTP or a secure HTTPS connection from any web
browser. By default you can access the web-based manager by connecting to the FortiGate interface
usually attached to a protected network. Configuration changes made from the web-based manager
take effect immediately, without resetting the unit or interrupting service.

FortiExplorer
FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate
unit over a standard USB connection. You can install FortiExplorer software on a PC running Windows
or Mac OS X and use a USB connection between the PC and your FortiGate unit. Use FortiExplorer
to register your FortiGate unit, check for and perform FortiOS firmware updates, use the FortiExplorer
configuration wizard to quickly set up the FortiGate unit and connect to the
web-based manager or CLI.

Registering your Fortinet product


Before you begin configuring and customizing features, take a moment to register your Fortinet product
at the Fortinet Technical Support web site, https://support.fortinet.com. Many Fortinet customer
services, such as firmware updates, technical support, and FortiGuard Antivirus and other FortiGuard
services, require product registration.

For more information


Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most up-to-date
versions of Fortinet publications.

Fortinet Knowledge Base


The Fortinet Knowledge Base provides additional Fortinet technical documentation, such as
troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary, and more. Visit the
Fortinet Knowledge Base at http://kb.fortinet.com.

Training
Fortinet Training Services provides a variety of training programs world-wide that orient you to your new
equipment, and provides certifications to verify your knowledge level. For more on training services, visit
the Fortinet Training Services web site at http://campus.training.fortinet.com.

Installing and Setup


Most people purchase a FortiGate unit with the intention of creating a secure connection between a
protected private network and the Internet. In most cases they also want the FortiGate unit to hide
the IP addresses of the private network from the Internet. This chapter describes how to set up a
number of common configurations with the FortiGate unit.
In addition, this chapter describes a common transparent mode FortiGate installation in which a
FortiGate unit provides security services to a network without requiring any changes to the network.

Setting up a limited access administrator account


This example adds a new FortiGate administrator login that uses an administrator
profile that has limited access only to firewall features, and read-only access to
administrator information. It also shows how to identify the administrators using the
admin administrator account.

1. Create a new administrative profile
2. Add a new administrator and assign the profile
3. Results

[Network diagram: Internet - wan1 (172.20.120.22) - FortiGate - LAN (192.168.1.99/24) - Internal Network]

Step One: Create a new administrative profile
Go to System > Admin > Admin Profile.
Create a new administrator profile that allows the administrator with this profile to view and edit firewall objects and security policies, and only to view administrator information.

Step Two: Add a new administrator and assign a profile
Go to System > Admin > Administrators.
Create a new administrator with the Firewall_Admin_Access profile, to enable full access to all FortiOS features.

The admin profile controls what features of the FortiGate configuration the administrator can see and configure from the web-based manager and CLI. You can add multiple profiles and assign users and administrators different profiles, depending on what they are tasked to do with the FortiGate unit.


Results
Log in to the FortiGate unit using the user name Terry_White.
As this administrator, you can view and edit any element of the FortiGate unit pertaining to the firewall objects and security policies. You can also view the other administrator information. Note that menu items for other features do not appear.

Go to Log & Report > Event Log > System.
Verify that the login activity occurred.
Select the entry for more information on the administrator log in.


Go to System > Dashboard > Status, and view the System Information widget.
The Current Administrator row indicates the current administrators and the number of administrators logged in.
Select Details for the Current Administrator to view all administrators logged in.


Setting up and troubleshooting FortiGuard services


If you have purchased FortiGuard services and registered your FortiGate unit,
the FortiGate unit should automatically connect to the FortiGuard Distribution
Network (FDN) and display license information about your FortiGuard services.
In this example, you will verify whether the FortiGate unit is communicating with
the FDN by checking the License Information dashboard widget. The FortiGate
unit automatically connects with the FortiGuard network to verify the FortiGuard
Services status for the FortiGate unit.

[Network diagram: Internet / FortiGuard - WAN 1 - FortiGate - port 1 - Internal Network]

Verifying the connection
Any subscribed services should have a green check mark, indicating that connections are successful.
A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network, or that the FortiGate unit is not registered.
A red X indicates that the FortiGate unit was able to connect but that a subscription has expired, or has not been activated.
You can also view the FortiGuard connection status by going to System > Config > FortiGuard.


Troubleshooting connection issues
Use these steps to troubleshoot FortiGuard services should connection issues arise.
Verify that you have registered your FortiGate
unit, purchased FortiGuard services, and that
the services have not expired. You can verify
the support status for your FortiGate unit at
the Fortinet Support website (https://support.
fortinet.com/).
Verify that the FortiGate unit can communicate
with the Internet. The FortiGate unit should
be able to communicate with the FortiGuard
network if it can communicate with the Internet.
Go to Router > Monitor > Routing Monitor
and verify that a default route is available and
configured correctly.
Go to System > Network > DNS and make
sure the primary and secondary DNS servers
are correct. The FortiGate unit connects to the
FortiGuard network using a domain name, not a
numerical IP address. If the FortiGate interface
connected to the Internet gets its IP address
using DHCP, you should make sure Override
internal DNS is selected so that the FortiGate
unit gets its DNS server IP addresses from the
ISP using DHCP.
Verify that the FortiGate unit can connect to
the DNS servers using the execute ping
command to ping them.
You can also attempt a traceroute from the FortiGate CLI to an external network using a domain name for a location, for example, enter the command:

    execute traceroute www.fortiguard.com

If the command cannot find the numeric IP address of www.fortiguard.com, then the FortiGate unit cannot connect to the configured DNS servers.
Make sure that at least one security policy includes antivirus. If no security policies include antivirus, the antivirus database may not be updated.
Verify that the FortiGate unit can communicate with the FortiGuard network. Go to System > Config > FortiGuard > Antivirus and IPS Options and select Update now to force an immediate update of the antivirus and IPS databases. After a few minutes, you can verify whether the updates were successful.
Test the availability of web filtering and email filtering lookups from System > Config > FortiGuard > Web Filtering and Email Filtering options by selecting Test Availability. If the test is not successful, try changing the port that is used for web filtering and email filtering lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network, and some ISPs may block one of these ports.
Determine if there is anything upstream that might be blocking FortiGuard traffic, either on your network or on the ISP's network. Many firewalls block all ports by default, and ISPs often block low-numbered ports (such as 53). FortiGuard uses port 53 by default, so if it is being blocked, you need to either open the port or change the port used by the FortiGate unit.

Change the FortiGuard source port. It is possible that the ports used to contact the FortiGuard network are being changed before reaching FortiGuard, or on the return trip, before reaching your FortiGate unit. A possible solution for this is to use a fixed port at the NAT firewall to ensure the port number remains the same.
FortiGate units contact the FortiGuard Network by sending UDP packets with typical source ports of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would then have a destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply packets. You can select a different source port range for the FortiGate unit to use.


If your ISP blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use higher-numbered ports such as 2048-20000, using the following CLI command:

    config system global
        set ip-src-port-range 2048-20000
    end

Trial and error may be required to select the best source port range. You can also contact your ISP to determine the best range to use.
Display the FortiGuard server list. The diagnose debug rating CLI command shows the list of FortiGuard servers that the FortiGate unit can connect to. The command should show more than one server.

Logging FortiGate system events to gather network traffic information

This example shows how to enable logging to capture the details of network traffic
processed by the FortiGate unit.

1. Configure logging and event logging
2. Enable logging in the security policy
3. Results

[Network diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network]

Step One: Configure logging and event logging
Go to Log & Report > Log Config > Log Setting.
Enable and configure logging.
Note that logging to disk is only available on FortiGate units with a hard disk or flash drive.
Logging to disk is enabled in the CLI using the config log disk setting commands.

Step Two: Enable logging in the security policy
Go to Policy > Policy > Policy.
For any security policy, in the Logging Options section, select Log all Sessions.


Results
To see information about network traffic
processed by the FortiGate unit, go to Log
& Report > Traffic Log > Forward Traffic.

Select an entry for more information.
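Once sessions are logged, the same Forward Traffic entries can be exported and worked through in bulk. The script below is an added example and is not part of the FortiGate Cookbook: it parses FortiOS-style key=value traffic log lines and summarizes accepted and denied sessions per source address and bytes per policy ID, the kind of first pass a defender makes to find a host whose sessions keep being denied. The four sample lines are constructed, and the field names used (srcip, dstip, action, policyid, sentbyte, rcvdbyte) are assumptions about the format, so check them against a log line exported from your own unit.

```python
"""Parse FortiOS-style forward-traffic log lines and summarize them.

Added example, not from the FortiGate Cookbook. The sample lines are
constructed to resemble FortiOS key=value traffic logs; the field names
(srcip, dstip, action, policyid, sentbyte, rcvdbyte, ...) are assumptions
about the format, so verify them against your own exported log."""
import re
from collections import Counter

# Constructed sample: two accepted web sessions from one internal host, and
# two denied sessions from another host trying ports 22 and 23 on a server.
SAMPLE_LOG = """\
date=2013-05-15 time=10:01:02 type="traffic" subtype="forward" srcip=192.168.1.110 srcport=51234 dstip=172.20.120.5 dstport=80 proto=6 action="accept" policyid=1 sentbyte=1200 rcvdbyte=53000
date=2013-05-15 time=10:01:05 type="traffic" subtype="forward" srcip=192.168.1.110 srcport=51235 dstip=172.20.120.5 dstport=443 proto=6 action="accept" policyid=1 sentbyte=800 rcvdbyte=9000
date=2013-05-15 time=10:01:09 type="traffic" subtype="forward" srcip=192.168.1.120 srcport=40000 dstip=10.10.10.22 dstport=22 proto=6 action="deny" policyid=0 sentbyte=0 rcvdbyte=0
date=2013-05-15 time=10:01:11 type="traffic" subtype="forward" srcip=192.168.1.120 srcport=40001 dstip=10.10.10.22 dstport=23 proto=6 action="deny" policyid=0 sentbyte=0 rcvdbyte=0
"""

# key=value or key="quoted value with spaces"
_PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """One log line -> dict of fields, with surrounding quotes removed."""
    fields = {}
    for key, raw in _PAIR_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_log(text):
    """All non-empty lines of a log export -> list of field dicts."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(records):
    """Return ((srcip, action) -> session count, policyid -> total bytes)."""
    sessions, bytes_by_policy = Counter(), Counter()
    for r in records:
        sessions[(r["srcip"], r["action"])] += 1
        bytes_by_policy[r["policyid"]] += int(r.get("sentbyte", 0)) + int(r.get("rcvdbyte", 0))
    return sessions, bytes_by_policy


def denied_sources(records, min_denies=2):
    """Sources with at least min_denies denied sessions: the entries worth
    opening first in Log & Report > Traffic Log > Forward Traffic."""
    sessions, _ = summarize(records)
    return sorted(src for (src, action), n in sessions.items()
                  if action == "deny" and n >= min_denies)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sessions per (source, action):", dict(summarize(recs)[0]))
    print("repeatedly denied sources:", denied_sources(recs))
```

The regex accepts both bare and quoted values, so it also copes with fields such as msg="..." that contain spaces; anything the parser does not recognise is simply carried along as a string, which keeps the summary step independent of the exact field set your firmware emits.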


Using SNMP to monitor the FortiGate unit


Simple Network Management Protocol (SNMP) enables you to monitor hardware
on your network. You configure the hardware, such as the FortiGate SNMP agent,
to report system information and send traps (alarms or event messages) to SNMP
managers. An SNMP manager, or host, is typically a computer running an
application that reads the traps from the agent and sends out SNMP queries to the
SNMP agents.
In this example, you configure the SNMP agent and FortiGate interface to send
SNMP traps to the SNMP server for review.
1. Configure the SNMP agent and community
2. Enable SNMP on a FortiGate interface
3. Download the MIB files and configure the SNMP manager
4. Results

[Network diagram: Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network with SNMP Manager (192.168.1.114)]

Step One: Configure the SNMP agent and community
Go to System > Config > SNMP.
Configure the agent.
Under the SNMP version, create a new community.
You need to add a host IP address where the SNMP manager is installed, 192.168.1.114/32, and select the port to receive SNMP requests and send SNMP traps.
You can also set the IP address/Netmask to 0.0.0.0/0.0.0.0 and the Interface to ANY so that any SNMP manager on any network connected to the FortiGate unit can use this SNMP community and receive traps from the FortiGate unit.


Step Two: Enable SNMP on a FortiGate interface
Go to System > Network > Interface.
Enable SNMP on port 1.

Step Three: Download the MIB files and configure the SNMP manager
Go to System > Config > SNMP to download the FortiGate SNMP MIB.
There are two MIB files for FortiGate units: the Fortinet MIB, and the FortiGate MIB. The Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The FortiGate MIB contains traps, fields and information that is specific to FortiGate units.
Configure the SNMP manager at 192.168.1.114 to receive traps from the FortiGate unit.


Results
This example uses the SolarWinds SNMP trap viewer.
In SolarWinds Toolset Launch Pad, go to SNMP > MIB Viewer and select Launch.
Select Select Device and enter the IP address of the FortiGate unit and the community string.
Open the SNMP Trap Receiver and select Launch.


Perform an action to trigger a trap, for example, change the IP address of the DMZ interface in the FortiGate.
Verify that the SNMP manager receives the trap.
View the UTM log by going to Log & Report > Event Log > System.
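The recipe restricts which manager may use the community (192.168.1.114/32 rather than 0.0.0.0/0.0.0.0); the receiving side should be just as strict about which agent it accepts traps from, because an SNMPv2c community string travels in clear text and only identifies, never authenticates. The following Python is an added example, not FortiOS or SolarWinds code: it contains a minimal BER encoder used only to construct a sample SNMPv2c trap, a decoder that a trap receiver would use to read the version, community and varbinds, and an accept_trap() check that takes traps only from the FortiGate's address (192.168.1.99 from the diagram) with the expected community. The community string and the trap OID are placeholders; real FortiGate trap OIDs come from the FortiGate MIB file downloaded in Step Three.

```python
"""Receiver-side checks for SNMPv2c traps like those the FortiGate sends.

Added example, not FortiOS or SolarWinds code. A tiny BER encoder builds a
sample trap so the decoder and the accept check can be exercised offline."""
import hmac

# Constructed values. The trap OID is a placeholder under Fortinet's enterprise
# arc (1.3.6.1.4.1.12356); take real trap OIDs from the FortiGate MIB file.
FORTIGATE_IP = "192.168.1.99"                   # port 1 address in the recipe
COMMUNITY = "cookbook-community"                # placeholder community string
SAMPLE_TRAP_OID = "1.3.6.1.4.1.12356.999.0.1"   # placeholder, not a real trap
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"                # sysUpTime.0
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"         # snmpTrapOID.0


# ---- BER encoding: just enough to build an SNMPv2c trap ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def enc_uint(value, tag=0x02):
    """Non-negative INTEGER (or TimeTicks with tag 0x43); pad so the sign bit is clear."""
    return tlv(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def enc_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:            # base-128 with continuation bit on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))


def build_sample_trap(community=COMMUNITY, uptime_ticks=123456, trap_oid=SAMPLE_TRAP_OID):
    """Constructed SNMPv2c trap: version 1 (= v2c), community, SNMPv2-Trap PDU (tag 0xA7)."""
    varbinds = [
        tlv(0x30, enc_oid(SYS_UPTIME) + enc_uint(uptime_ticks, tag=0x43)),   # TimeTicks
        tlv(0x30, enc_oid(SNMP_TRAP_OID) + enc_oid(trap_oid)),
    ]
    pdu = tlv(0xA7, enc_uint(42) + enc_uint(0) + enc_uint(0) + tlv(0x30, b"".join(varbinds)))
    return tlv(0x30, enc_uint(1) + tlv(0x04, community.encode()) + pdu)


# ---- BER decoding ----
def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def read_seq(payload):
    """All (tag, value) children of a constructed element."""
    items, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        items.append((tag, value))
    return items


def dec_int(b):
    return int.from_bytes(b, "big", signed=True)


def dec_oid(b):
    arcs, value = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_trap(packet):
    tag, message, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_tag, pdu) = read_seq(message)
    if pdu_tag != 0xA7:
        raise ValueError("not an SNMPv2-Trap PDU")
    (_, request_id), _, _, (_, varbind_list) = read_seq(pdu)
    varbinds = {}
    for _, vb in read_seq(varbind_list):
        (_, oid), (vtag, vval) = read_seq(vb)
        if vtag == 0x06:
            value = dec_oid(vval)
        elif vtag in (0x02, 0x41, 0x42, 0x43):   # INTEGER, Counter32, Gauge32, TimeTicks
            value = dec_int(vval)
        else:
            value = vval.decode("latin-1")        # OCTET STRING and anything else
        varbinds[dec_oid(oid)] = value
    return {"version": dec_int(version), "community": community.decode("latin-1"),
            "request_id": dec_int(request_id), "varbinds": varbinds}


def accept_trap(source_ip, packet, community=COMMUNITY, allowed_sources=(FORTIGATE_IP,)):
    """Reject traps from unexpected senders or with the wrong community string."""
    if source_ip not in allowed_sources:
        return False, "source %s is not an allowed SNMP agent" % source_ip
    trap = decode_trap(packet)
    if not hmac.compare_digest(trap["community"].encode(), community.encode()):
        return False, "community string mismatch"
    return True, trap
```

In a real receiver the source address comes from the UDP socket (recvfrom on port 162) and the community from the manager's configuration; the decoder above is deliberately tolerant of varbind types it does not know so that a trap with an unexpected payload is still logged rather than dropped silently.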


Using FortiCloud to view log data and reports


FortiCloud is an online hosted security management and log retention service. It
provides a centralized reporting, traffic analysis, configuration and log retention tool
without the need for additional hardware and software.
This example describes setting up and accessing logs and reports in FortiCloud.
1. Activate FortiCloud
2. Configure logging and event logging
3. Enable logging in the security policy
4. Results

[Network diagram: FortiCloud / Internet - WAN 1 (172.20.120.123) - FortiGate - port 1 (192.168.1.99) - Internal Network]

Step One: Activate FortiCloud
Go to System > Dashboard > Status.
On the License Information widget, in the FortiCloud section, select Activate.
Once the account is created, you can launch the FortiCloud portal from the License Information widget.

Step Two: Configure logging
Go to Log & Report > Log Config > Log Setting.
Enable and configure logging to FortiCloud.


Step Three: Enable logging in the security policy
Go to Policy > Policy > Policy.
For any security policy, in the Logging Options section, select Log all Sessions.

Results
Go to System > Dashboard > Status.
On the License Information widget, in the
FortiCloud section, select Launch Portal.
From the portal, you can see the log data
and reports.


Using two ISPs for redundant Internet connections with distributed sessions

This example describes how to improve the reliability of a network's connection
to the Internet by using two Internet connections. It also includes configuration of
equal cost multi-path load balancing to make efficient use of these two Internet
connections by distributing sessions to both, without allowing either one to become
overloaded.

1. Configure connections to the two ISPs
2. Add security policies
3. Configure fail over detection and spillover load balancing
4. Results

[Network diagram: Internet - ISP 1 via WAN1 and ISP 2 via WAN 2 - FortiGate - LAN - Internal Network]

Step One: Configure connections to the two ISPs
Go to System > Network > Interface.

Step Two: Add security policies
Go to Policy > Policy > Policy.
Create a security policy for the primary interface connecting to its ISP and the internal network.


Create a security policy for each interface connecting to its ISP and the internal network.

Step Three: Configure fail over detection and spillover load balancing
Go to Router > Static > Settings.
Create two new Dead Gateway Detection entries.
Set the Ping Interval and Failover Threshold to a smaller value for a more immediate reaction to a connection going down.


Go to Router > Static > Settings and set the ECMP Load Balancing Method to Spillover.
The Spillover Threshold value is entered in kbps (kilobits per second). However, the bandwidth on interfaces is measured in kBps (kilobytes per second).
For the wan1 interface, Spillover Threshold = 100 kbps = 100000 bps (decimal kilo) or 102400 bps (binary kilo); 102400 / 8 Bps = 12800 Bps.
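The two settings in this step interact: Ping Interval times Failover Threshold is the worst-case time before a dead ISP link stops receiving new sessions, and the Spillover Threshold decides when new sessions start using the second link. The following Python is an added example, a model written for this page rather than FortiOS code: it converts the threshold the way the recipe does (100 kbps to 12800 Bps), declares a gateway dead after the configured number of consecutive missed pings, and places new sessions on the first live interface until its load reaches the threshold, then on the next. The session sizes and ping results are constructed, and the rule that a gateway is considered up again after a single successful ping is an assumption of the model, not a documented FortiOS behaviour.

```python
"""Model of dead gateway detection and ECMP spillover as configured in this recipe.

Added example, not FortiOS code. Session sizes and ping results are
constructed; "recover after one reply" is an assumption of the model."""


def spillover_threshold_bps(threshold_kbps):
    """kbps -> bytes per second as the recipe works it out (100 kbps -> 12800 Bps)."""
    return threshold_kbps * 1024 // 8


class Gateway:
    def __init__(self, name, ping_interval, failover_threshold):
        self.name = name
        self.ping_interval = ping_interval            # seconds between probes
        self.failover_threshold = failover_threshold  # misses before "dead"
        self.consecutive_failures = 0
        self.up = True

    def observe_ping(self, replied):
        """Feed one probe result; returns the gateway's state afterwards."""
        if replied:
            self.consecutive_failures, self.up = 0, True   # assumption: one reply restores it
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failover_threshold:
                self.up = False
        return self.up

    def worst_case_detection_seconds(self):
        """Smaller interval or threshold means a faster reaction, as the recipe says."""
        return self.ping_interval * self.failover_threshold


def pick_interface(gateways, usage_bps, thresholds_bps):
    """Spillover: fill the first live interface up to its threshold, then the next.
    If every live interface is over threshold, keep the first (assumption)."""
    live = [g for g in gateways if g.up]
    for g in live:
        if usage_bps[g.name] < thresholds_bps[g.name]:
            return g.name
    return live[0].name if live else None


def distribute_sessions(gateways, session_bps, thresholds_bps):
    """Place each new session; returns (interface per session, load per interface)."""
    usage = {g.name: 0 for g in gateways}
    placement = []
    for bps in session_bps:
        iface = pick_interface(gateways, usage, thresholds_bps)
        placement.append(iface)
        if iface is not None:
            usage[iface] += bps
    return placement, usage


def demo():
    wan1 = Gateway("wan1", ping_interval=5, failover_threshold=5)
    wan2 = Gateway("wan2", ping_interval=5, failover_threshold=5)
    thresholds = {"wan1": spillover_threshold_bps(100), "wan2": spillover_threshold_bps(100)}
    # Constructed load: five sessions of 5000 Bps each while both links are up.
    placement, usage = distribute_sessions([wan1, wan2], [5000] * 5, thresholds)
    # wan1 stops answering: after five misses it is dead and new sessions go to wan2.
    for _ in range(5):
        wan1.observe_ping(False)
    placement_after, _ = distribute_sessions([wan1, wan2], [5000] * 2, thresholds)
    return placement, usage, placement_after, wan1.up


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the third 5000 Bps session still landing on wan1 (the check is made before the session is added, so wan1 ends at 15000 Bps, above the 12800 Bps threshold) and the fourth spilling to wan2; this is why the recipe's Results step expects traffic through both interfaces rather than a strict split.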

Results
Go to Log & Report > Traffic Log >
Forward Traffic to see network traffic
from different source IP addresses flowing
through both wan1 and wan2.

Disconnect the wan1 port on the FortiGate unit to see that all traffic automatically flows through the wan2 port until wan1 is available again.


Protect a web server on the DMZ network


In this example, a web server is on the DMZ network. An internal to DMZ security
policy allows internal users to access the web server using its internal IP address
(10.10.10.22). A WAN to DMZ security policy hides the internal address, allowing
external users to access the web server with a public IP address (172.20.120.22).
1. Configure the FortiGate unit DMZ interface
2. Add virtual IPs
3. Create security policies
4. Results

[Network diagram: Internet - WAN 1 (172.20.120.22) - FortiGate - DMZ interface to DMZ Network with Web Server (10.10.10.22); LAN interface to Internal Network]

Step One: Configure the FortiGate unit DMZ interface
Go to System > Network > Interface.
Edit the DMZ interface settings.
Your FortiGate unit may have an interface named DMZ. Using the DMZ interface is recommended but not required.

Step Two: Add virtual IPs
Go to Firewall Objects > Virtual IP > Virtual IP.
Create two virtual IPs; one for HTTP access and one for HTTPS access.
Each virtual IP will have the same address mapping from the public-facing interface to the DMZ interface. The difference is the port for each traffic type (port 80 for HTTP and port 443 for HTTPS).


Step Three: Create security policies
Go to Policy > Policy > Policy.
Create a security policy to allow HTTP and HTTPS traffic from the Internet to the DMZ interface and web server.
Create a security policy to allow HTTP and HTTPS traffic from the internal network to the DMZ interface and web server.
Adding this policy reduces traffic on the wan1 interface by allowing traffic to pass directly from the Internal interface to the DMZ interface, rather than from the Internal interface to the wan1 interface, then back in through the wan1 interface to the DMZ interface.


Results
External users can access the web
server on the DMZ network from the
internet using http://172.20.120.22 and
https://172.20.120.22.
Internal users can access the web
server using http://10.10.10.22 and
https://10.10.10.22.

Go to Policy > Monitor > Policy Monitor.
Use the policy monitor to verify that traffic from the Internet and from the internal network is allowed to access the web server. This verifies that the policies are configured correctly.
Go to Log & Report > Traffic Log > Forward Traffic.
The traffic log should show sessions from the internal network and from the Internet accessing the web server on the DMZ network.


Adding a second FortiGate unit to improve reliability


This example adds a second FortiGate unit to a currently installed FortiGate unit to
provide redundancy in the event one FortiGate unit fails. This example also steps
through upgrading the HA cluster to a new firmware version.
1. Add and connect the second FortiGate and configure HA
2. Test the failover functionality
3. Upgrade the firmware for the HA cluster

[Network diagram: Internet - Switch - WAN 1 of each FortiGate; two FortiGate units joined by dual HA links; Internal interface of each FortiGate - Switch - Internal Network]

Step One: Add and connect the second FortiGate and configure HA
Go to System > Dashboard > Status.
Change the host name of the primary FortiGate unit.
Go to System > Config > HA.
Configure the HA settings for the primary FortiGate unit.
Go to System > Dashboard > Status.
Change the host name of the backup FortiGate unit.


Go to System > Config > HA.
Configure the HA settings for the backup FortiGate unit.
Ensure that the Group Name and Password are the same as on the primary FortiGate unit.
Go to System > Config > HA to view the cluster information.
Select View HA Statistics for more information on the cluster.


Go to System > Dashboard > Status to see the cluster information.

Step Two: Test the failover functionality
Unplug the ethernet cable from the wan 1 interface of the primary FortiGate unit. Traffic will divert to the backup FortiGate unit.
Use the ping command to view the results.
Shut down the primary FortiGate unit, and see that traffic fails over to the backup FortiGate unit using a ping command.


Step Three: Upgrading the firmware for the HA cluster
When a new version of the FortiOS firmware becomes available, upgrade the firmware on the primary FortiGate unit, and the backup FortiGate unit will upgrade automatically.
Go to System > Dashboard > Status to upgrade the firmware.
The firmware will load on the primary FortiGate unit, and then on the backup unit.
Go to Log & Report > Event Log > System.
Go to System > Dashboard > Status.
Both FortiGate units have the new firmware installed.


Setting up an explicit proxy for users on a private network

This example sets up the explicit web proxy to accommodate faster web browsing.
Internal users will connect to an explicit web proxy using port 8080 rather than
surfing the Internet directly using port 80.

1. Enable explicit web proxy on the internal interface
2. Configure the explicit web proxy for HTTP/HTTPS traffic
3. Add a security policy for proxy traffic
4. Results

[Network diagram: Internet - port 3 - FortiGate - port 4 (explicit web proxy) - Internal Network]

Step One: Enable explicit web proxy on the internal interface
Go to System > Network > Interface and enable web proxy on port 4.
You may need to enable Explicit Proxy and WAN Opt. & Cache on the System Information widget before you proceed. Go to System > Dashboard > Status and select Enable for these options.

Step Two: Configure the explicit web proxy for HTTP/HTTPS traffic
Go to System > Network > Explicit Proxy and enable the HTTP/HTTPS explicit web proxy.
Be sure to set the Default Firewall Policy Action to Deny.
Later you will create a security policy for web proxy traffic with web cache enabled.


Step Three: Add a security policy for proxy traffic
Go to Policy > Policy > Policy.
Create a security policy for web proxy traffic, and enable web cache.

Results
Configure web browsers on the private
network to connect using a proxy server.
The IP address of the HTTP proxy server is
10.10.1.99 (the IP address of the FortiGate
internal interface) and the port is 8080 (the
default explicit web proxy port).
Web browsers configured to use the proxy
server are able to connect to the Internet.
Go to Policy > Policy > Policy to see
the ID of the policy (3) allowing webproxy
traffic. Web proxy traffic is not counted by
firewall policy.


Using port pairing to simplify transparent mode


This example simplifies configuring a FortiGate unit operating in transparent mode
by using port pairing. When you create a port pair, all traffic accepted by one of the
ports of the pair can only exit out the other port. You add security policies to control
the traffic that can pass between these two ports and to apply UTM protection to the
traffic.
1. Switch the FortiGate unit to transparent mode and add a static route
2. Create an internal and wan 1 port pair
3. Create firewall addresses
4. Create a security policy
5. Results

[Network diagram: Internet - Router - wan 1 - FortiGate (Management IP 192.168.1.100) - Internal - Internal Network 192.168.1.99/24 with clients 192.168.1.[110-150] and Protected web server 192.168.1.200]

Step One: Switch the FortiGate unit to transparent mode and add a static route
Go to System > Dashboard > Status.
In the System Information widget, select Change beside the Operation mode.
Log into the FortiGate unit using the management IP 192.168.1.100.
Go to System > Network > Routing Table and set a static route.

Step Two: Create an internal and wan 1 port pair
Go to System > Network > Interface.
Create an internal/wan 1 pair.


Step Three: Create firewall addresses
Go to Firewall Objects > Address > Address.
Create addresses for the web server and an address range for internal users.

Step Four: Create security policies
Go to Policy > Policy > Policy.
Create a security policy that allows internal users to access the web server using HTTP and HTTPS.


Go to Policy > Policy > Policy.
Create a security policy that allows connections from the web server to the internal users network and to the internet using any service.

Results
Connect to the web server from the
internal network and surf the Internet from
the server itself.
Go to Log & Report > Traffic Log >
Forward Traffic to verify that there is
traffic from the internal to wan 1 interface.


Select an entry for details.
Go to Policy > Monitor > Policy Monitor to see the active sessions.


Adding packet capture to help troubleshooting


Packet capture is a means of logging traffic and its details to troubleshoot any
issues you may have with traffic flow or connectivity. This example shows the
basics of setting up packet capture on the FortiGate unit and analyzing the results.

1. Create a packet capture filter
2. Start the packet capture
3. Stop the packet capture
4. Results

[Network diagram: Internet - WAN 1 (172.20.120.23) - FortiGate - Internal (192.168.1.99/24) - Internal network]

Step One: Create a packet capture filter
Go to System > Network > Packet Capture and create a new filter.
For this example, the FortiGate unit will capture 100 HTTP packets on the internal interface from/to host 192.168.1.200.
Host(s) can be a single IP or multiple IPs separated by commas, an IP range, or a subnet.
Port(s) can be a single port or multiple ports separated by commas, or a range.
Protocol can be a single protocol number or multiple numbers separated by commas, or a range. Use 6 for TCP, 17 for UDP, 1 for ICMP.

Step Two: Start the packet capture
Select Start to begin the packet capture, and from an internal computer or device set to IP address 192.168.1.200, surf the Internet to generate traffic.

Step Three: Stop the packet capture
Once the maximum number of packets to save is reached (in this example 100), capturing stops and you can download the saved pcap file. You can also stop capturing at any time before the maximum is reached.

Results
Open the pcap file with a pcap file viewer such as tcpdump or Wireshark. Depending on the kind of traffic you need to capture, you may adjust the settings in the filter to meet your needs.
Go to Log & Report > Event Log > System to verify that the packet capture file was successfully downloaded.

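As an added example (not part of the cookbook), the following Python script applies a filter written with the same host, port and protocol syntax as the FortiGate packet capture filter to a downloaded pcap file, so you can check offline whether the capture holds the packets you expected. The sample capture and its addresses are constructed; for real use, feed it the bytes of the downloaded file.

```python
"""Apply a FortiGate-style packet capture filter to a pcap file offline.

Re-implements the filter syntax from the recipe: hosts as a single IP,
comma-separated IPs, an IP range (a-b) or a subnet; ports as single values,
comma lists or ranges; protocol numbers (6 TCP, 17 UDP, 1 ICMP).
The sample capture below is constructed; read a real one with open(path, "rb").
"""
import ipaddress
import struct

def parse_hosts(spec):
    """'192.168.1.200,10.0.0.0/24,10.1.1.5-10.1.1.9' -> list of match functions."""
    matchers = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "/" in item:                       # subnet
            net = ipaddress.ip_network(item, strict=False)
            matchers.append(lambda ip, n=net: ipaddress.ip_address(ip) in n)
        elif "-" in item:                     # inclusive address range
            lo, hi = (int(ipaddress.ip_address(p)) for p in item.split("-"))
            matchers.append(
                lambda ip, lo=lo, hi=hi: lo <= int(ipaddress.ip_address(ip)) <= hi)
        else:                                 # single address
            matchers.append(lambda ip, one=item: ip == one)
    return matchers

def parse_numbers(spec):
    """'80,443,8000-8080' -> set of ints; used for both ports and protocols."""
    values = set()
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-"))
            values.update(range(lo, hi + 1))
        else:
            values.add(int(item))
    return values

def read_pcap(data):
    """Yield (src, dst, proto, sport, dport) for each IPv4-over-Ethernet packet."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # classic pcap magic, either byte order
    offset = 24                                    # skip the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        l4 = frame[14 + ihl:]
        sport = dport = None
        if proto in (6, 17) and len(l4) >= 4:      # TCP/UDP ports are the first 4 bytes
            sport, dport = struct.unpack("!HH", l4[:4])
        yield src, dst, proto, sport, dport

def matches(packet, hosts, ports, protos):
    """A packet matches when every non-empty filter field matches (either direction)."""
    src, dst, proto, sport, dport = packet
    if hosts and not any(m(src) or m(dst) for m in hosts):
        return False
    if protos and proto not in protos:
        return False
    if ports and sport not in ports and dport not in ports:
        return False
    return True

def count_matching(data, host_spec="", port_spec="", proto_spec=""):
    """Count packets in a pcap byte string that a filter with these fields keeps."""
    hosts = parse_hosts(host_spec)
    ports, protos = parse_numbers(port_spec), parse_numbers(proto_spec)
    return sum(1 for p in read_pcap(data) if matches(p, hosts, ports, protos))

def _frame(src, dst, proto, sport, dport):
    """Minimal Ethernet + IPv4 + 4 bytes of L4 header (no checksums, enough to parse)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + struct.pack("!HH", sport, dport)

def sample_pcap():
    """Constructed capture: 192.168.1.200 doing HTTP, HTTPS, DNS and ping, plus one other host."""
    frames = [
        _frame("192.168.1.200", "198.51.100.10", 6, 51000, 80),
        _frame("198.51.100.10", "192.168.1.200", 6, 80, 51000),
        _frame("192.168.1.200", "198.51.100.10", 6, 51001, 443),
        _frame("192.168.1.200", "192.168.1.99", 17, 40000, 53),
        _frame("192.168.1.200", "192.168.1.99", 1, 0, 0),    # ICMP, L4 bytes left zeroed
        _frame("192.168.1.50", "198.51.100.10", 6, 52000, 80),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records

if __name__ == "__main__":
    # The recipe's filter: HTTP (TCP port 80) to or from host 192.168.1.200
    print(count_matching(sample_pcap(), "192.168.1.200", "80", "6"))
```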

Wireless Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into your organization's network architecture. Each WiFi network, or SSID, is represented by a virtual network interface to which you apply security policies, UTM features, traffic shaping, and so on, in the same way as for physical wired networks.
You can create multiple WiFi networks to serve different groups of users. For example, you might have one network for your employees and another for guests or customers. Also, with the increase in use of Bring Your Own Devices (BYOD), such as smartphones, tablets and other mobile devices that use WiFi technology, wireless networks are becoming busier than ever and have to be monitored and accommodated accordingly.
A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as a single thick Access Point (AP). A thick AP such as a FortiWiFi unit contains the WiFi radio facility as well as access control and authentication functionality.
A thin AP, such as a FortiAP unit, contains only the radio facility and a microcontroller that receives commands and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding a FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost-effective solution for adding WiFi to your network.
The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi unit's WiFi controller also controls the unit's internal (Local WiFi) radio facility, treating it much like a built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more complex to manage.

Providing remote users access to the internet and corporate network using FortiAP
In this example, users in a remote location such as a hotel use FortiAP to securely connect to a corporate network and browse the Internet from behind the corporate firewall.

1. Configure the corporate SSID and security policies
2. Configure the FortiGate unit to connect and configure FortiAP
3. Authorize the remote FortiAP connection
4. Results

[Network diagram: Wireless network - FortiAP (WLAN_1) - Internet - FortiGate (WLAN 1, Internal) - Internal network]

Step One: Configure the FortiGate for remote user connections
Go to WiFi Controller > WiFi Network > SSID and create a new SSID for the FortiAP.
Configure the WiFi Settings and DHCP Server so wireless users can connect directly to the FortiAP.

Go to Firewall Objects > Address > Address.
Create addresses for the remote users and the corporate network.

Go to Policy > Policy > Policy and create two security policies.
Create a policy for remote wireless users to access the Internet.

Create a policy for remote wireless users to access the corporate network.

Step Two: Configure FortiAP to connect to the corporate FortiGate unit
In the System Information tab, enter the AC IP Address of the public facing interface of the FortiGate unit.
The remote user will plug an Ethernet cable into the FortiAP and into the network connection to the Internet at the hotel. FortiAP searches for the FortiGate interface you configure here.

Step Three: Configure the FortiGate unit to connect, and configure FortiAP
Go to WiFi Controller > Managed Devices > Managed FortiAP.
Right-click the FortiAP in the list and select Authorize.

With the FortiAP authorized with the FortiGate unit, you can use the FortiGate to configure the wireless settings for the FortiAP remotely.

Results
The remote user connects the FortiAP to the network connection at the hotel. They then connect to the RemoteWiFi wireless network. They will be able to access the corporate network and surf the Internet securely.

Go to WiFi Controller > Monitor > Client Monitor to see remote wireless users connected to the FortiAP unit.

When the remote wireless user connects to the corporate network, traffic appears in the log messages.
Go to Log & Report > Traffic Log > Forward Traffic.

Selecting an entry for the WLAN_1 interface and internal destination interface shows traffic using RDP to connect to the corporate network.

Selecting an entry for the WLAN_1 interface and wan1 destination interface shows internet traffic.

Setting up a FortiGate and FortiAP to provide wired and wireless Internet access
This example sets up FortiAP to connect to the Internet using the FortiGate unit. Wireless and wired users will be on the same subnet and thus can share network resources.

1. Configure the FortiGate WAN 1 and LAN ports
2. Create an internal address range and security policy
3. Set up a wireless network with the FortiAP
4. Results

[Network diagram: Internet - WAN 1 (172.20.120.226) - FortiGate - LAN (192.168.1.99/24) - FortiAP (wireless network) and Internal network]

Step One: Configure the FortiGate WAN 1 and LAN ports
Go to System > Network > Interface.
Configure the WAN 1 interface to use DHCP.

Configure the LAN interface to use a static IP with a DHCP server enabled.

Step Two: Create an internal address range and security policy
Go to Firewall Objects > Address > Address.
Create a new address range for the internal network users.

Go to Policy > Policy > Policy.
Create a security policy allowing users on the wired network to access the Internet.

Step Three: Set up a wireless network with the FortiAP
Connect the FortiAP to the LAN interface.
Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Go to WiFi Controller > WiFi Network > SSID and create a new SSID.
Ensure the Traffic Mode is set to Local bridge with FortiAP's Interface.

Go to WiFi Controller > WiFi Network > Custom AP Profile.
Select Create New and select My_SSID for Radio 1 and Radio 2.

Go to WiFi Controller > Managed Access Points > Managed FortiAP.
Edit the FortiAP in the Wireless Settings and select MyProfile for the AP Profile.

Results
Have the wifi users connect to My_SSID and they should be able to surf the internet. The wireless devices will be in the same subnet as the internal wired network.
Go to WiFi Controller > Monitor > Client Monitor to see wifi users and their IP addresses.
Go to Log & Report > Traffic Log > Forward Traffic and verify that wifi users are accessing the internet with the same security policy as the wired network users.

Setting up guest wifi users with a captive portal
In this example, a FortiGate unit provides your office with wired networking, but guest users use laptops and mobile devices. These devices need secure WiFi access to both the office network and the Internet. Guest users use web applications and authenticate through a portal using a web browser. The receptionist for the company is provided a limited access admin account to distribute temporary password access to the wireless network.
1. Authorize the FortiAP over the DMZ interface
2. Add wifi guest users
3. Create an SSID using a captive portal
4. Add firewall addresses
5. Add security policies
6. Add a limited administrative role for the receptionist
7. Results

[Network diagram: Internet - WAN 1 (172.20.120.23) - FortiGate, with Internal (192.168.1.99/24) to the internal network and DMZ (10.10.80.99/24) to the FortiAP - Wireless network (10.10.10.1/24)]

Step One: Authorize the FortiAP over the DMZ interface
Go to System > Network > Interface.
Set the DMZ interface to be dedicated to FortiAP connections.

Connect the FortiAP to the DMZ interface and go to WiFi Controller > Managed Access Points > Managed FortiAP to authorize the FortiAP.

Step Two: Add wifi guest users
Go to User & Device > User > User Group.
Create a guest wifi users group.

Step Three: Create an SSID using a captive portal
Go to WiFi Controller > WiFi Network > SSID.
Create a new SSID using a captive portal.

Step Four: Add firewall addresses
Go to Firewall Objects > Address > Address.
Create addresses for the internal wired network and the guest wifi users.

Step Five: Add security policies
Go to Policy > Policy > Policy.
Create a security policy allowing wifi guest users to access the internal network.

Create a security policy allowing wifi guest users to access the Internet.

Step Six: Add a limited administrative role for the receptionist
Go to System > Admin > Admin Profile.
Create a limited admin profile allowing the receptionist to create new guest users.

Go to System > Admin > Administrators.
Create a new admin account for the receptionist using the new limited profile.

Results
When a guest requires access to the wireless network, the company receptionist logs into the FortiGate unit with their account. The receptionist creates guest user names on the FortiGate unit.
Once logged in, they go to User & Device > User > Guest Management and create a new user ID.

The FortiGate unit generates a password for the user. This password is only valid for four hours.

Once this information is provided to the guest user, they can log in through the captive portal on the authentication page.

To verify that the guest user logged in successfully, go to WiFi Controller > Monitor > Client Monitor.

Once authenticated, guest users can surf the internet and can also access resources in the internal wired network.
Go to Policy > Monitor > Policy Monitor and verify the active sessions.

Select one of the bars for more information.

Security Policies and Firewall Objects
FortiGate units are used to control access between the Internet and a network, typically allowing users on the network to connect to the Internet while protecting the network from unwanted access from the Internet. The FortiGate unit has to know what access should be allowed and what should be blocked. This is what security policies are for: controlling all network traffic attempting to pass through a FortiGate unit. No traffic can pass through a FortiGate unit unless specifically allowed to by a security policy. With a security policy, you can control address translation, control the addresses and services used by the traffic, and apply features such as UTM, authentication, and VPNs. Most of the examples in this cookbook at some point involve the creation of security policies to allow traffic and then apply a feature to it. This chapter focuses more on firewall features and how to configure policies to apply them.
It is simple to set up a FortiGate unit to allow users on a network to access the Internet while blocking traffic from the Internet from accessing the protected network. All that is required is a single security policy that allows traffic from the Internal network to connect to the Internet. As long as you do not add a security policy to allow traffic from the Internet onto your internal network, your network is protected. The same security policy that allows you to connect to the Internet also allows servers you contact to respond to you. In effect, a single policy allows two-way traffic, but the incoming traffic is only allowed in response to requests sent by you.
Firewall objects are those elements within the security policy that further dictate how and when network traffic is routed and controlled. This includes addresses, services, and schedules that are used in security policies to control the traffic accepted or blocked by a security policy. Addresses are matched with the source and destination address of packets received by the FortiGate unit.
The examples in this chapter use a number of these elements and policies to build a secure network.

Controlling when BYOD users can access the Internet
This example uses FortiOS device identity and security policy scheduling to limit Internet use by Bring Your Own Device (BYOD) users during company time.

1. Add BYODs to the FortiGate unit
2. Add schedules for time allowed for use of a BYOD
3. Add a device identity security policy
4. Results

[Network diagram: Internet - wan 1 - FortiWiFi (wifi, Internal) - wireless mobile devices and internal network]

Step One: Add BYODs to the FortiGate unit
Go to User & Device > Device > Device Definition.

Alternatively, go to System > Network > Interface, and for the wireless interface, select Detect and Identify Devices. Devices not yet added may appear in the list. Double-click on the entry and enter an Alias to add it.

The BYOD information may not initially fill in on the table until the user connects with their device. Select Refresh if needed.

Step Two: Add schedules for time allowed for use of a BYOD
Go to Firewall Objects > Schedule > Recurring.

The schedule, when included with a security policy, will allow users to access the Internet with their personal wireless devices over lunch time hours.
This schedule can also be used in other security policies as well as this application.

Step Three: Add a device identity security policy
Go to Policy > Policy > Policy and create a Device Identity policy.

Create a new authentication rule that includes the wireless devices and the new schedule.

Results
Go to Log & Report > Traffic Log > Forward Traffic. When a mobile user connects during the lunch break, they can surf the Internet, as shown in the logs.

When the time in the schedule is reached, further surfing cannot continue. This does not appear in the logs, as only allowed traffic is logged.
Evidence that the schedule and policy are working appears when attempting to connect to a web site, and possibly a few questions from the BYOD users.

Using AirPrint with iOS and OS X and a FortiGate unit
This example sets up AirPrint services for use with an iOS device and OS X computers using Bonjour and multicast security policies.

1. Configure the FortiAP and SSIDs
2. Add addresses for the wireless networks and printer
3. Add service objects for printing
4. Add multicast security policies
5. Add inter-subnet security policies
6. Results

[Network diagram: iPad 10.10.10.3 on SSID 1 (WLAN 1, 10.10.10.1/24) and AirPrint printer 20.20.20.2 on SSID 2 (WLAN 2, 20.20.20.1/24), both via the FortiAP on the FortiGate DMZ (10.10.100.1/24); Internal network with OS X computers on the LAN (192.168.1.99/24)]

Step One: Configure the FortiAP and SSIDs
Go to System > Network > Interface.
Set the DMZ interface as dedicated for the FortiAP unit.

Connect FortiAP to the DMZ interface.
Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Once authorized, it will appear in the authorized list.

Go to WiFi Controller > WiFi Network > SSID.
Create an SSID for the network for wireless users.

Create an SSID for the network for the AirPrint printer.

Step Two: Add addresses for the wireless networks and printer
Go to Firewall Objects > Address > Address.
Create addresses for the SSID 1, SSID 2 and AirPrint printer.

Create an address for the internal network with the OS X computers.

Step Three: Add service objects for printing
Go to Firewall Objects > Service > Service.
Create a new service for Internet Printing Protocol (IPP) for iOS devices.

Create a new service for PDL Data Stream for OS X computers.

Step Four: Add multicast security policies
Go to Policy > Policy > Multicast Policy.
Create two policies to allow multicast traffic from WLAN 1 and WLAN 2 for iOS devices.

Create two policies to allow multicast traffic from the LAN and WLAN 2 for OS X computers.

Step Five: Add inter-subnet security policies
Go to Policy > Policy > Policy.
Create a policy allowing the IPP service from WLAN1 to WLAN2.

Create a policy allowing printing from an OS X computer to the AirPrint printer.

Results
Print a document from an iOS device.
Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log > Forward Traffic and verify the entry with the IPP service.

Print a document from an OS X computer.
Go to Log & Report > Traffic Log > Multicast Traffic to see the printing traffic passing through the FortiGate unit.

Select an entry to see more information.

Go to Log & Report > Traffic Log > Forward Traffic and filter the destination interface for WLAN 2 traffic.

Select an entry to see more information.

Using AirPlay with iOS, Apple TV, FortiAP and a FortiGate unit
This example sets up AirPlay services for use with an iOS device using Bonjour and multicast security policies.
Apple TV can also be connected to the internet wirelessly; from any iOS device connected to the same SSID as the Apple TV, AirPlay will function. No configuration is required on the FortiGate unit for that.

1. Configure the FortiAP and SSIDs
2. Add addresses for the wireless network
3. Add service objects for multicasting
4. Add multicast security policies
5. Add inter-subnet security policies
6. Results

[Network diagram: iPad 10.10.10.3 on SSID1 (WLAN 1, 10.10.10.1/24) via the FortiAP on the FortiGate DMZ (10.10.100.1/24); Internal network with OS X computers and the Apple TV on the LAN (192.168.1.99/24)]

Step One: Configure the FortiAP and SSIDs
Go to System > Network > Interface.
Set the DMZ interface as dedicated for the FortiAP unit.

Connect FortiAP to the DMZ interface.
Go to WiFi Controller > Managed Access Points > Managed FortiAP and authorize the FortiAP.

Once authorized, it will appear in the authorized list.

Go to WiFi Controller > WiFi Network > SSID.
Create an SSID for the network for wireless users.

Step Two: Add addresses for the wireless network
Go to Firewall Objects > Address > Address.
Create addresses for SSID 1.

Step Three: Add two service objects for AirPlay
Go to Firewall Objects > Service > Service.

Step Four: Add multicast security policies
Go to Policy > Policy > Multicast Policy.
Create a policy to allow multicast traffic from the LAN and WLAN 1 for AppleTV to iOS devices.

Go to Policy > Policy > Multicast Policy.
Create a policy to allow multicast traffic from the WLAN 1 and LAN for iOS devices to AppleTV.

Step Five: Add inter-subnet security policies
Go to Policy > Policy > Policy.
Create a policy allowing traffic from the Apple TV to the iOS device.

Create a policy allowing traffic from the iOS device to the Apple TV.

Results
Use AirPlay from the iPad to stream video to the Apple TV.
Go to Log & Report > Traffic Log > Multicast Traffic to see the multicast traffic between the WLAN 1 and LAN interfaces.
Select an entry for more information.

Go to Log & Report > Traffic Log > Forward Traffic and filter on the policy IDs 6 and 7, which allow the AirPlay traffic.

Select an entry for more information.

Using port forwarding on a FortiGate unit
This example illustrates how to allow incoming connections from the Internet to a server on the internal network so that the server can access a service that requires open ports. The service requires opening TCP ports in the range 7882 to 7999, as well as opening UDP ports 2119 and 2995. This involves creating multiple VIPs that map sessions from the wan 1 IP address to the server IP address.

1. Create three virtual IPs
2. Add the virtual IPs to a group
3. Create a security policy to allow inbound traffic to the server
4. Results

[Network diagram: Internet - WAN 1 (172.20.120.226) - FortiGate - LAN (192.168.1.99/24) - Server (192.168.1.200); TCP ports 7882-7999 and UDP ports 2119 and 2995 are opened for traffic from the Internet to the server]

Step One: Create three virtual IPs
Go to Firewall Objects > Virtual IP > Virtual IP.

Add a virtual IP for the TCP port range 7882 to 7999.

Add a virtual IP for the UDP port 2119.

Add a virtual IP for the UDP port 2995.

Step Two: Add virtual IPs to a group
Go to Firewall Objects > Virtual IP > VIP Group.
Create a VIP group that includes all three virtual IPs.

Step Three: Create a security policy to allow inbound traffic to the server
Go to Policy > Policy > Policy.
Create a security policy allowing inbound connections to the server from the Internet.

Results
Go to Policy > Monitor > Policy Monitor to see the active sessions.

Select the blue bar for more information.

Go to Log & Report > Traffic Log > Forward Traffic to see the logged activity.

Select an entry for more information.

UTM Profiles
UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS), email filtering, and data leak prevention (DLP), apply core UTM security functions to traffic accepted by security policies. The FortiGate unit includes default UTM profiles for all of these security features. You can apply UTM features to traffic accepted by a security policy by selecting the default profiles for the UTM features that you want to apply.
The default profiles are designed to provide basic protection. You can modify the default profiles, and group them, for your needs or create new ones. Creating multiple profiles means you can apply different levels of protection to different traffic types according to the security policies that accept the traffic.
Endpoint control profiles are created to ensure that workstation computers, also known as endpoints, on your network meet the network's security requirements; otherwise, they are not permitted access. Enhanced by Fortinet's FortiClient Endpoint Security software, FortiGate endpoint control can block or control access through the FortiGate unit for workstation computers depending on the security functions enabled on the computers and the applications running on them. After creating endpoint control profiles, you can add endpoint security profiles to security policies.
The final UTM profile feature, vulnerability scanning, is independent of security policies. By using vulnerability scanning, you can scan computers on your network for multiple vulnerabilities, and take action to remove those vulnerabilities.

Visualizing and controlling the applications on your network using application control
This example sets up application monitors in security policies to determine what applications are contributing to high bandwidth usage on the network or to distractions for employees, and then blocks access to those applications.
1. Add an application control sensor
2. Add a security policy to use the application control sensor
3. Review the data from the application control monitor
4. Block high bandwidth applications
5. Add a security policy to use the block application control sensor
6. Results

[Network diagram: Internet - WAN 1 - FortiGate - Internal - Internal Network]

Step One: Add an application control sensor
Go to UTM Security Profiles > Application Control > Application Sensor.
Select the plus icon in the upper right corner of the window to create a new sensor list for monitoring application traffic.

Select Create New to add a new application filter. Ensure you set the Action to Monitor.
At this stage in the process, you want to watch the application traffic to determine where problems, if any, are occurring.

Step Two: Add a security policy to use the application control sensor
Go to Policy > Policy > Policy.
Edit the security policy allowing internal users to access the Internet and apply the application control sensor in the UTM Security Profiles section.

Step Three: Review the data from the application control monitor
Go to UTM > Monitor > Application Monitor.

Select each blue bar to see further details on the usage statistics.

Go to Log & Report > Traffic Log > Forward Traffic.
You can see the sensor is working and picking up on various application traffic.

Step Four: Block high-bandwidth applications
Go to UTM Security Profiles > Application Control > Application Sensor.
Select the plus icon in the upper right corner of the window to create a new sensor list for blocking application traffic.

Select Create New to add a new application filter.
Select the options for streaming media, instant messaging clients, social media and peer-to-peer file sharing.
Ensure you set the Action to Block.

Step Five: Add a security policy to use the block application control sensor
Go to Policy > Policy > Policy.
Edit the security policy allowing internal users to access the Internet and apply the block application control sensor in the UTM Security Profiles section.

Results
Go to Log & Report > Traffic Log > Forward Traffic.
You can see the sensor is working and blocking the selected application traffic.

Select an entry to see more details.

Configuring web filter overrides and local ratings
This example sets up web site overrides for blocked sites. It will add web profiles that prohibit viewing a web site until the user authenticates an override. Once authenticated, they will still only have a limited amount of time to visit the site.

1. Configure users and user groups
2. Configure rating overrides and web filter profiles
3. Edit security profile to include the web filter UTM profile
4. Results

[Network diagram: Internet (with FortiGuard) - WAN 1 - FortiGate - LAN - Internal Network]

Step One: Configure users and user groups
Go to User & Device > User > User Definition.
Add users. These users will be allowed to override the web filter blocking.

Go to User & Device > User > User Group and add users to a group.

Step Two: Configure rating overrides and web filter profiles
Go to UTM Security Profiles > Web Filter > Rating Overrides.
Select Lookup Rating to see the FortiGuard rating for a URL.
Select Custom Categories and Create New and add the new category name for the URL.

Go to UTM Security Profiles > Web Filter > Profile.
Create a web filter profile to allow the Web News, Streaming Media and Download categories.

Create a new profile to block the new Web news category, as well as the Streaming Media and Download categories.
Select the blue arrow to expand the Advanced Filter section.
Enable Allow Blocked Override and Assign to the Overrided_URLs profile.

Step Three: Edit the security profile to include the web filter UTM profile
Go to Policy > Policy > Policy.
Edit the policy allowing outbound traffic from the internal network and add the web filter profile.

Results
In a web browser, go to cnn.com. The FortiGate unit blocks the web site with an override option.

Select Override. You are prompted to authenticate to view the page.

Once successfully authenticated, you are guaranteed access for 15 minutes from your IP address only. This access will be for all allowed categories according to the Overrided_URLs web filter profile.
Go to Log & Report > Traffic Log > Forward Traffic and filter the destination to the IP address of cnn.com (157.166.255.19).

Select an entry for more information.

Protecting a web server from vulnerabilities and DoS attacks using IPS
This example uses IPS to protect a web server by placing the web server on the internal network with a virtual IP, and creating a security policy that allows web access from the Internet to the server. IPS is added to the policy to protect the server from attacks.

1. Configure IPS to detect and protect against common attacks
2. Add a security profile that includes the IPS UTM profile
3. Add a DoS security policy using IPS
4. Results

[Network diagram: Attacks from the Internet - FortiGate WAN 1 (172.20.120.24) - LAN (192.168.1.99/24) - Internal network - Web server (VIP: 172.20.120.24 --> 192.168.1.200)]

Step One: Configure IPS to detect and protect against common attacks
Go to UTM Security Profiles > Intrusion Protection > IPS Sensor.
Create a new sensor.

Select Create New and add a new IPS filter.

Step Two: Add a security profile that includes the IPS UTM profile
Go to Policy > Policy > Policy.
Edit the security policy allowing traffic to the web server from the Internet and add the new IPS sensor.

Step Three: Add a DoS security policy using I PS
Go to Policy > Policy > DoS Policy.
Create a new policy. The Incoming Interface is the one connected to the Internet.

Results
Perform a DoS tcp_syn_flood attack on the web server IP address. The TCP SYN session should be blocked when the threshold of 20 is reached.
Note: Ensure you have the proper IP address of your web server. Otherwise you may unwillingly cause a DoS attack on another server!

Go to Log & Report > UTM Security Log > Intrusion Protection.

Select an entry for more information.

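The threshold behaviour described above, modelled in Python as an added example (not Fortinet code): it counts SYN packets per destination over a sliding one-second window and reports when the count first reaches the DoS policy threshold of 20. The exact FortiOS counting method is not stated here and is an assumption, and all SYN events are constructed.

```python
"""Model the per-destination SYN threshold of a DoS policy (added example).

A tcp_syn_flood anomaly counts TCP SYN packets per second towards each
destination and starts blocking once the configured threshold (20 in this
recipe) is reached. The exact FortiOS counting method is not stated on the
page, so a sliding one-second window is assumed. All event data is constructed.
"""
from collections import defaultdict, deque

SYN_THRESHOLD = 20     # threshold set in the recipe's DoS policy
WINDOW_SECONDS = 1.0   # the threshold is a per-second rate

def detect_syn_flood(events, threshold=SYN_THRESHOLD, window=WINDOW_SECONDS):
    """events: (time_s, src_ip, dst_ip) tuples, one per TCP SYN, in time order.

    Returns {dst_ip: time at which the SYN rate first reached the threshold},
    i.e. the moment from which the DoS policy would start blocking SYNs to it.
    """
    recent = defaultdict(deque)   # dst -> timestamps of SYNs inside the window
    triggered = {}
    for ts, _src, dst in events:
        window_syns = recent[dst]
        window_syns.append(ts)
        while ts - window_syns[0] > window:   # discard SYNs older than the window
            window_syns.popleft()
        if len(window_syns) >= threshold and dst not in triggered:
            triggered[dst] = ts
    return triggered

def top_sources(events, dst):
    """SYN count per source towards dst, busiest first (what to look for in the IPS log)."""
    counts = defaultdict(int)
    for _ts, src, d in events:
        if d == dst:
            counts[src] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)

def sample_events():
    """Constructed: a normal client opening a page every 2 s, then a burst of
    30 SYNs within 0.6 s from one address against the web server VIP."""
    normal = [(i * 2.0, "192.168.1.200", "198.51.100.10") for i in range(5)]
    burst = [(10.0 + i * 0.02, "203.0.113.7", "172.20.120.24") for i in range(30)]
    return sorted(normal + burst)

if __name__ == "__main__":
    flooded = detect_syn_flood(sample_events())
    for dst, when in flooded.items():
        print(dst, "reached the threshold at", when, "s; sources:", top_sources(sample_events(), dst))
```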

Blocking email/web traffic or files containing sensitive information
This example sets up data leak prevention (DLP) for the network by analyzing data using sensors for credit card numbers, watermarked files and file pattern matching. With these filters, the FortiGate unit will scan outgoing data for potential sensitive data breaches.

1. Create a DLP file matching pattern filter
2. Set up a DLP sensor with sensor criteria
3. Create an address range for the internal network
4. Add a security profile that includes the DLP sensor
5. Results

[Network diagram: Internet - WAN 1 - FortiGate - LAN - Internal network (source of the data leak)]

Step One: Create a DLP file matching pattern filter
To create a file matching pattern, you need to create a DLP file filter.
Go to UTM Security Profiles > Data Leak Prevention > File Filter.
Create a new file filter table and add the file filter.

Step Two: Set up a DLP sensor with sensor criteria
Go to UTM Security Profiles > Data Leak Prevention > Sensor.
Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to scan outgoing data.

Select Create New to add a filter to look for the file patterns.

Select Create New to add a filter to look for credit card number patterns.

Select Create New to add a filter to look for a corporate identifier, or watermark, in outgoing files.

Step Three: Create an address range for the internal network
Go to Firewall Objects > Address > Address.
Create an address range for the internal network. The FortiGate unit will scan any traffic for data loss from this range.

Step Four: Add a security profile that includes the DLP sensor
Go to Policy > Policy > Policy.
Create a security policy and enable the DLP sensor using the filters created.

Results
Upload a file containing a credit card number to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.
Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.

Upload a watermarked file to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.
Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.

Upload an exe file to a server on the Internet such as a local FTP server or web server. The FortiGate unit will block the file and prevent it from leaving the internal network.
Go to Log & Report > Traffic Log > Forward Traffic and locate the blocked log entry.

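An added Python example (not from the cookbook or Fortinet) that reproduces the three DLP checks of this recipe offline against constructed files: a Luhn-validated credit card number, a watermark string (the CORP-WATERMARK-2013 marker is an assumed stand-in for the corporate identifier) and the *.exe file pattern, extended here to also catch a renamed executable by its MZ header.

```python
"""Offline check of the three DLP filters in this recipe (added example).

Mirrors what the sensor looks for in outgoing files: credit card numbers
(validated with the Luhn checksum to cut false positives), a corporate
watermark string, and a file pattern (*.exe, plus the MZ magic so a renamed
executable is still caught). The watermark and all sample files are constructed.
"""
import fnmatch
import re

WATERMARK = b"CORP-WATERMARK-2013"   # stand-in for the corporate identifier (assumption)
FILE_PATTERNS = ("*.exe",)           # the file filter table from Step One
# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer number
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(data):
    """Return Luhn-valid card numbers (digits only) found in a byte string."""
    hits = []
    for m in CARD_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def matches_file_pattern(name, data):
    """File filter: match on the name pattern, or on the MZ header of a PE executable."""
    if any(fnmatch.fnmatch(name.lower(), p) for p in FILE_PATTERNS):
        return True
    return data[:2] == b"MZ"

def scan(name, data):
    """Names of the DLP filters that would fire for one outgoing file."""
    fired = []
    if find_card_numbers(data):
        fired.append("credit-card")
    if WATERMARK in data:
        fired.append("watermark")
    if matches_file_pattern(name, data):
        fired.append("file-pattern")
    return fired

SAMPLES = {   # constructed uploads
    "expenses.txt": b"Paid with card 4111 1111 1111 1111 on 2013-05-15",
    "design.doc": b"Internal design notes " + WATERMARK + b" - do not distribute",
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "tool.dat": b"MZ\x90\x00" + b"\x00" * 60,          # executable renamed to dodge *.exe
    "notes.txt": b"Order 1234 5678 9012 3456 ref",     # 16 digits but fails Luhn
    "report.pdf": b"%PDF-1.4 quarterly figures",
}

def scan_all(samples=SAMPLES):
    """Map each file name to the filters it triggers."""
    return {name: scan(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, fired in scan_all().items():
        print(name, "->", "blocked by " + ", ".join(fired) if fired else "allowed")
```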

Monitoring your network for undesirable behavior using client reputation
Client reputation enables you to monitor traffic from internal sources based on UTM profiles and risk ratings. Client reputation tracks client behavior and reports on the activities you determine are risky or otherwise noteworthy. This example enables client reputation on web filtering to monitor traffic from various sources to web sites.

1. Add client reputation to the network
2. Create a security policy
3. Results

[Network diagram: Internet - WAN 1 - FortiGate - Internal - Internal Network]

Step One: Add client reputation on the


network
Go to User & Device > Client Reputation
> Reputation Definition.
Enable Client Reputation Tracking by
selecting the Off button to turn the feature
on.
To configure the profile, decide how risky
or dangerous each of the types of behavior
are to your network and rate them
accordingly. The higher you rate a type of
behavior the more visible clients engaging
in this behavior will become in the client
reputation monitor and the more easily you
can detect this behavior.

Step Two: Create a security policy

Go to Policy > Policy > Policy. In the


UTM Security Profiles section, enable the
web filter profile. You can use the default
profiles for data gathering purposes.

132

Results
Allow traffic to pass through the FortiGate
unit for a day. Then go to User & Device >
Client Reputation > Reputation Score to
view the results.
Each user by device that met the threshold
set appears in the chart. With this
information, you can see where potential
problems may occur or potential security
breaches are imminent.

Select the blue bar for a device to see


more information.

Client reputation only highlights risky


activity. It does not include tools to stop
the behavior. Rather, client reputation is
a tool that exposes risky behavior. When
you uncover risky behavior that you are
concerned about you can take additional
action to stop it. That action could include
adding more restrictive security policies
to block the activity or increase UTM
protection. You can also taking other
measures outside your FortiGate unit to
stop the activity.

133

134
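The scoring behind the chart described above, as an added example that is not code from the cookbook or from FortiOS: each behavior type carries the risk rating an administrator assigned, events are summed per client (source IP and device) over the observation window, only clients at or above a threshold are listed, highest first, and a per-behavior breakdown gives the drill-down seen when a bar is selected. The behavior names, weights, threshold and event records are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Risk rating per behavior type, 1 (low) to 5 (high), as an administrator would
# set it in the reputation definition.  Names and values are constructed.
RISK_WEIGHTS: Dict[str, int] = {
    "webfilter-blocked": 4,
    "virus-detected": 5,
    "ips-attack": 5,
    "app-p2p": 3,
    "failed-connection": 1,
}

Client = Tuple[str, str]   # (source IP, device name)


@dataclass(frozen=True)
class Event:
    """One UTM log event attributed to a client (constructed record)."""
    src_ip: str
    device: str
    behavior: str          # a key of RISK_WEIGHTS; unknown types score 0


def score_clients(events: Iterable[Event], weights: Dict[str, int] = RISK_WEIGHTS) -> Dict[Client, int]:
    """Sum the weighted risk of every event per (source IP, device)."""
    scores: Dict[Client, int] = defaultdict(int)
    for e in events:
        scores[(e.src_ip, e.device)] += weights.get(e.behavior, 0)
    return dict(scores)


def above_threshold(scores: Dict[Client, int], threshold: int) -> List[Tuple[Client, int]]:
    """Clients that met the threshold, highest score first (the order of the chart)."""
    hits = [(client, s) for client, s in scores.items() if s >= threshold]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


def breakdown(events: Iterable[Event], client: Client,
              weights: Dict[str, int] = RISK_WEIGHTS) -> Dict[str, int]:
    """Contribution of each behavior type to one client's score (the drill-down view)."""
    out: Dict[str, int] = defaultdict(int)
    for e in events:
        if (e.src_ip, e.device) == client:
            out[e.behavior] += weights.get(e.behavior, 0)
    return dict(out)


# Constructed day of events from three internal clients.
SAMPLE_EVENTS = [
    Event("192.168.1.20", "laptop-a", "webfilter-blocked"),
    Event("192.168.1.20", "laptop-a", "webfilter-blocked"),
    Event("192.168.1.20", "laptop-a", "app-p2p"),
    Event("192.168.1.21", "desktop-b", "failed-connection"),
    Event("192.168.1.22", "phone-c", "virus-detected"),
    Event("192.168.1.22", "phone-c", "ips-attack"),
    Event("192.168.1.22", "phone-c", "unrated-behavior"),   # no rating: contributes 0
]

if __name__ == "__main__":
    scores = score_clients(SAMPLE_EVENTS)
    for client, score in above_threshold(scores, threshold=10):
        print(client, score, breakdown(SAMPLE_EVENTS, client))
```

Raising a weight makes every client exhibiting that behavior climb the list, which is exactly why the recipe says higher ratings make such clients more visible; a behavior with no rating is invisible to the monitor regardless of how often it occurs.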

Inspecting content on the network using flow-based UTM instead of proxy-based UTM

Flow-based scans examine files as they pass through, while proxy-based scans require that files are cached as they come in and examined once completely cached. Caching files takes more memory and system resources. UTM features using flow-based scans will continue to protect network traffic without interruption. Flow-based scanning is an ideal solution to ease the memory requirements of some UTM scans.
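To make the memory trade-off concrete, here is an added example (not code from the cookbook or from FortiOS) that models both scan styles over the same stream of chunks. The proxy model buffers the whole object before matching, so its peak memory equals the file size; the flow model matches each chunk as it arrives and keeps only a signature-length tail, so a pattern split across two chunks is still detected while memory stays bounded by the chunk size. The signature bytes, chunk size and sample stream are constructed.

```python
from typing import Iterable, Iterator, Optional, Tuple

# Constructed stand-in for an antivirus pattern; not a real signature.
SIGNATURE = b"CONSTRUCTED-AV-TEST-SIGNATURE"

ScanResult = Tuple[Optional[int], int]   # (offset of first match or None, peak bytes held)


def proxy_scan(chunks: Iterable[bytes], signature: bytes = SIGNATURE) -> ScanResult:
    """Proxy-based model: cache the whole object, then scan it once.

    The peak buffer equals the object size, and nothing is released to the
    client until the whole object has arrived and been scanned.
    """
    buffered = b"".join(chunks)
    pos = buffered.find(signature)
    return (pos if pos >= 0 else None), len(buffered)


def flow_scan(chunks: Iterable[bytes], signature: bytes = SIGNATURE) -> ScanResult:
    """Flow-based model: scan each chunk as it passes, keeping only the last
    len(signature)-1 bytes so that a pattern straddling a chunk boundary is
    still found.  Memory is bounded by chunk size + signature size.
    """
    keep = max(len(signature) - 1, 0)
    tail = b""
    offset = 0          # absolute stream offset of tail[0]
    peak = 0
    for chunk in chunks:
        window = tail + chunk
        peak = max(peak, len(window))
        pos = window.find(signature)
        if pos >= 0:
            return offset + pos, peak
        tail = window[-keep:] if keep else b""
        offset += len(window) - len(tail)
    return None, peak


def chunked(data: bytes, size: int) -> Iterator[bytes]:
    """Split a byte string into transfer-sized chunks (a constructed stream)."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def compare(data: bytes, chunk_size: int = 64) -> dict:
    """Run both models over the same stream and report match offsets and memory peaks."""
    proxy_pos, proxy_peak = proxy_scan(chunked(data, chunk_size))
    flow_pos, flow_peak = flow_scan(chunked(data, chunk_size))
    return {
        "proxy": {"match": proxy_pos, "peak_bytes": proxy_peak},
        "flow": {"match": flow_pos, "peak_bytes": flow_peak},
    }


# Constructed sample: the signature starts at offset 1000, which is not a
# multiple of 64, so with 64-byte chunks it straddles a chunk boundary.
SAMPLE = b"A" * 1000 + SIGNATURE + b"B" * 1000

if __name__ == "__main__":
    print(compare(SAMPLE))
```

Both models find the same match, but the flow model never holds more than one chunk plus a 28-byte tail, which is the memory saving the paragraph above refers to. The price is that a flow scanner can only act on what has already passed; content released before the match cannot be recalled, which is why proxy mode remains the choice when the whole object must be withheld until the verdict.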

1. Enable flow-based antivirus
2. Enable flow-based web filtering
3. Add a firewall policy to include the new UTM security profiles
4. Results

Network diagram: Internal Network, FortiGate (Internal and WAN 1 interfaces), Internet; viruses and filtered web traffic shown as blocked at the FortiGate.

Step One: Enable flow-based antivirus

Go to UTM Security Profiles > Antivirus > Profile.
Select the plus icon in the upper right corner and add a new AV profile.

Step Two: Enable flow-based web filtering

Go to UTM Security Profiles > Web Filter > Profile.
Select the plus icon in the upper right corner and add a new profile to block search engines and portals.

Step Three: Add a firewall policy to include the new UTM security profiles

Go to Policy > Policy > Policy.
Edit the policy allowing users to access the Internet and apply the flow-based profiles.

Results

To test the AV scanning, from a PC in the internal network, go to http://www.eicar.org and try to download a test file.
The browser will time out and display a message similar to what is shown here from Google Chrome.

Go to Log & Report > Traffic Log > Forward Traffic to see that the UTM profile is activated when attempting to download the file.

To test the web filtering, from a PC in the internal network, go to google.com. The FortiGate unit displays a block message.

Go to UTM Security Profiles > Monitor > Web Monitor.

Select the blue bar in the chart to see further details by user.


Blocking large files from entering the network

If a file is too large to be properly scanned by the FortiGate unit, you need to make sure it still does not enter the network. This example configures data leak prevention (DLP) options to block large files from entering the network.

1. Set up a DLP sensor with a file matching pattern filter
2. Add a security profile that includes the DLP sensor
3. Results

Network diagram: Internal network, FortiGate (LAN and WAN 1 interfaces), Internet; viruses/spyware shown as blocked at the FortiGate.

Step One: Set up a DLP sensor with a file matching pattern filter

Go to UTM Security Profiles > Data Leak Prevention > Sensor.
Create a new sensor. To this sensor you will add the filters the FortiGate unit uses to check incoming files.

Select Create New to add a filter to look for a file size threshold.

Step Two: Add a security profile that includes the DLP sensor

Go to Policy > Policy > Policy.
Create a security policy and enable the DLP sensor using the filters created.

Results

Any attempt to download a file larger than 10 MB is blocked.
The FortiGate unit displays a replacement message explaining why the attempt failed.

Go to Log & Report > Traffic Log > Forward Traffic.
Select an entry to see information on the blocked file.

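As an added example covering both this recipe and the earlier data-leak recipe (not code from the cookbook or from FortiOS), the sensor below evaluates an ordered list of filters against a transfer: a file-name pattern (*.exe), a credit-card-number pattern validated with the Luhn checksum so that arbitrary 16-digit strings do not trigger it, a constructed watermark string, and a size threshold of 10 MB for incoming files. The file names, contents, watermark tag and the test card number (a widely published Luhn-valid test value, not a real account) are constructed; the filter and sensor class names are assumptions.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class FileTransfer:
    """A file crossing the FortiGate: name, size in bytes and content (constructed)."""
    name: str
    size: int
    content: bytes


@dataclass
class DlpFilter:
    """One sensor filter: a name, a predicate over the transfer, and an action."""
    name: str
    matches: Callable[[FileTransfer], bool]
    action: str = "block"


@dataclass
class DlpSensor:
    filters: List[DlpFilter] = field(default_factory=list)

    def scan(self, transfer: FileTransfer) -> Optional[str]:
        """Return the name of the first filter that matches, or None to let it pass."""
        for f in self.filters:
            if f.matches(transfer):
                return f.name
        return None


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")


def contains_credit_card(t: FileTransfer) -> bool:
    for m in CARD_RE.finditer(t.content):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def file_pattern(pattern: str) -> Callable[[FileTransfer], bool]:
    return lambda t: fnmatch(t.name.lower(), pattern.lower())


def watermark(tag: bytes) -> Callable[[FileTransfer], bool]:
    return lambda t: tag in t.content


def larger_than(limit_bytes: int) -> Callable[[FileTransfer], bool]:
    return lambda t: t.size > limit_bytes


# Outgoing sensor: the three filters of the data-leak recipe, in order.
OUTGOING = DlpSensor([
    DlpFilter("file-pattern-exe", file_pattern("*.exe")),
    DlpFilter("credit-card", contains_credit_card),
    DlpFilter("watermark", watermark(b"CONFIDENTIAL-CORP-WATERMARK")),  # constructed tag
])

# Incoming sensor: the single size-threshold filter of this recipe (10 MB).
INCOMING = DlpSensor([DlpFilter("oversize", larger_than(10 * 1024 * 1024))])


def demo() -> Dict[str, Optional[str]]:
    """Scan four constructed outgoing transfers and report which filter caught each."""
    samples = [
        FileTransfer("report.txt", 40, b"card 4111 1111 1111 1111 on file"),   # Luhn-valid test number
        FileTransfer("setup.exe", 1024, b"MZ..."),
        FileTransfer("plan.docx", 200, b"...CONFIDENTIAL-CORP-WATERMARK..."),
        FileTransfer("notes.txt", 30, b"ticket 1234567890123456"),            # 16 digits, fails Luhn
    ]
    return {s.name: OUTGOING.scan(s) for s in samples}
```

The Luhn step is the part worth noticing: a bare "16 digits" pattern would also block ticket numbers, order IDs and timestamps, so pattern filters of this kind pair a regular expression with a checksum to keep the false-positive rate workable.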

Blocking access to specific web sites

This example sets up the FortiGate unit to block users from viewing specific web sites using web filtering.

1. Create a new web filter block list
2. Add the block list to a web filter profile
3. Add a security profile that includes the web filter UTM profile
4. Results

Network diagram: Internet (blocked site), FortiGate (WAN 1 and LAN interfaces), Internal network.

Step One: Create a new web filter block list

Go to UTM Security Profiles > Web Filter > URL Filter.
Create a new filter list for blocked URLs.

Select Create New to enter a list of URLs you want to prevent users from accessing. Using the asterisk (*) as a wildcard in the URL ensures that any sub-domain of the site is also blocked.
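An added example (not code from the cookbook or from FortiOS) of ordered URL-filter matching on the request host, showing why the Results below test both fortinet.com and docs.fortinet.com: *.fortinet.com covers every sub-domain but not the bare domain, so the apex is listed separately, while a dot-less *fortinet.com would also catch unrelated names such as notfortinet.com. The entry kinds, list contents and helper names are assumptions of this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class UrlEntry:
    pattern: str            # host pattern, e.g. "fortinet.com" or "*.fortinet.com"
    kind: str = "wildcard"  # "wildcard": * matches any run of characters; "exact": whole host
    action: str = "block"


def host_of(url: str) -> str:
    """Lower-cased host from a full URL or a bare host name (port and path dropped)."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def host_matches(host: str, entry: UrlEntry) -> bool:
    pat = entry.pattern.lower()
    if entry.kind == "exact":
        return host == pat
    return fnmatchcase(host, pat)


def lookup(url: str, entries: List[UrlEntry]) -> Optional[UrlEntry]:
    """Walk the list top-down and return the first entry whose pattern matches the host."""
    host = host_of(url)
    for e in entries:
        if host_matches(host, e):
            return e
    return None


def decide(url: str, entries: List[UrlEntry]) -> str:
    """Action for a request: the matching entry's action, or "allow" when nothing matches."""
    hit = lookup(url, entries)
    return hit.action if hit else "allow"


def overmatch_check(pattern: str, hosts: List[str]) -> List[str]:
    """Hosts a wildcard pattern would catch; run it on a new pattern before deploying it."""
    return [h for h in hosts if fnmatchcase(h.lower(), pattern.lower())]


# Constructed block list for the recipe's two test sites.  "*.fortinet.com"
# alone does not match the bare "fortinet.com" (no dot precedes the domain),
# so the apex is entered as an exact match as well.
BLOCK_LIST = [
    UrlEntry("fortinet.com", kind="exact"),
    UrlEntry("*.fortinet.com"),
]

if __name__ == "__main__":
    for u in ["fortinet.com", "https://docs.fortinet.com/", "http://notfortinet.com/"]:
        print(u, decide(u, BLOCK_LIST))
    print(overmatch_check("*fortinet.com", ["fortinet.com", "docs.fortinet.com", "notfortinet.com"]))
```

Matching on the host rather than the raw URL string is what makes a scheme change, a port suffix or an upper-case host name irrelevant to the verdict; a filter that compared the literal URL would be bypassed by any of them.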

Step Two: Add the block list to a web filter profile

Go to UTM Security Profiles > Web Filter > Profile.
Create a new profile and expand the Advanced Filter. Select the new block list in the Web URL Filter.

Step Three: Add a security profile that includes the web filter UTM profile

Go to Policy > Policy > Policy.
Edit the policy allowing outbound traffic from the internal network to include UTM security profiles and select the new profile.

Results

In a web browser, attempt to visit fortinet.com and docs.fortinet.com. In both cases, the FortiGate unit displays a message.

Go to Log & Report > Traffic Log > Forward Traffic.

Select an entry for more information.


Blocking HTTPS traffic with web filtering

Some websites are accessible using both the HTTP and HTTPS protocols, such as YouTube and Facebook. This example steps through how to block HTTPS access to these websites using either proxy-based or flow-based web filtering profiles. You will need to have your FortiGate licensed for FortiGuard services.

1. Verify FortiGuard services are enabled
2. Create a web filter profile
3. Create an SSL inspection profile
4. Create a security profile with the web filter and SSL profiles
5. Results

Network diagram: Internal Network, FortiGate (Internal and WAN 1 interfaces), Internet and FortiGuard; HTTPS connections to YouTube and Facebook.

Step One: Verify FortiGuard services are enabled

Go to System > Dashboard > Status.

In the Licence Information widget, verify that the FortiGate unit is connected to the FortiGuard servers. A green check mark should appear next to the services you are subscribed to.

Step Two: Create a web filter profile

Go to UTM Security Profiles > Web Filter > Profile. Select the plus icon in the upper-right corner to create a new profile.
Ensure the inspection mode is set to Proxy. You can also set the Inspection Mode to Flow-based or DNS.

Step Three: Create an SSL inspection profile

Go to Policy > Policy > SSL/SSH Inspection.
Select the plus icon in the upper-right corner to create a new profile and enable only the HTTPS option.

Step Four: Create a security profile

Go to Policy > Policy > Policy.
Create a new security policy that uses the new SSL/SSH inspection profile and the HTTPS web filter profile.

Results

In a web browser, go to https://youtube.com. The web page is blocked and a FortiGate replacement message is put up in its place.

Go to System > Admin > Settings.

Enable UTM Monitoring in the Display Options on GUI area.

Go to UTM Security Profiles > Monitor > Web Monitor.

If you chose DNS block or redirect, when you visit https://youtube.com the browser will time out. FortiGuard will not display a message.


SSL and IPsec VPN

SSL is an easy to use, application-level, network-independent method of ensuring private communication over the Internet. Commonly used to protect the privacy of online shopping payments, customers' web browsers can almost transparently switch to using SSL for secure communication without customers being required to do any SSL-related configuration or have any extra SSL-related software.
The FortiGate SSL VPN configuration requires an SSL VPN web portal for users to log into, a user authentication configuration to allow SSL VPN users to log in, and the creation of SSL VPN security policies that control the source and destination access of SSL VPN users. SSL VPN security policies can also apply UTM and other security features to all SSL VPN traffic.
IPsec VPN is a common method for enabling private, secure communication over the Internet. IPsec supports a similar client-server architecture to SSL VPN. However, to support a client-server architecture, IPsec clients must install and configure an IPsec VPN client (such as Fortinet's FortiClient Endpoint Security) on their PCs or mobile devices.
IPsec VPN supports more configuration options than SSL VPN. A common application of IPsec VPN is a gateway-to-gateway configuration that allows users to transparently communicate between remote networks over the Internet. When a user on one network starts a communication session with a server on the other network, a security policy configured for IPsec VPN intercepts the communication session and uses an associated IPsec configuration both to encrypt the session for privacy and to transparently route the session over the Internet to the remote network. At the remote network the encrypted communication session is intercepted and decrypted by the IPsec gateway, and the unencrypted traffic is forwarded to the server.
Many variations of the gateway-to-gateway configuration are available depending on the requirements.
All communication over IPsec VPNs is controlled by security policies. Security policies allow for full access control and can be used to apply UTM and other features to IPsec VPN traffic. Fortinet IPsec VPNs employ industry standard features to ensure the best security and interoperability with industry standard VPN solutions provided by other vendors.


Protecting traffic between company headquarters and branch offices using IPsec VPN

This example uses a gateway-to-gateway IPsec VPN, and assumes that both offices have connections to the Internet with static IP addresses. This configuration uses a policy-based IPsec VPN.

1. Configure the HQ IPsec VPN Phase 1 and Phase 2 settings
2. Add HQ addresses for the local and remote LAN on the HQ FortiGate unit
3. Create an HQ IPsec security policy
4. Configure the Branch IPsec VPN Phase 1 and Phase 2 settings
5. Add Branch addresses for the local and remote LAN on the HQ FortiGate unit
6. Create a Branch IPsec security policy
7. Results

Network diagram: HQ FortiGate with wan1 172.20.120.123 and port1 192.168.1.99/24 (Internal Network, HQ); IPsec tunnel across the Internet; Branch FortiGate with port3 172.20.120.141 and port4 10.10.1.99/24 (Internal Network, Branch).

Step One: Configure the HQ IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPsec > Auto Key (IKE).
Select Create New Phase 1.

Go to VPN > IPsec > Auto Key (IKE).
Select Create New Phase 2.

Step Two: Add HQ addresses for the local and remote LAN on the HQ FortiGate unit

Go to Firewall Objects > Address > Address.
Create a local address and a remote LAN address.

Step Three: Create an HQ IPsec security policy

Go to Policy > Policy > Policy.
When complete, make sure the policy is at the top of the policy list by clicking on the policy sequence number and dragging the row to the top of the policy table.

Step Four: Configure the Branch IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPsec > Auto Key (IKE).
Select Create New Phase 1.

Go to VPN > IPsec > Auto Key (IKE).
Select Create New Phase 2.

Step Five: Add Branch addresses for the local and remote LAN on the HQ FortiGate unit

Go to Firewall Objects > Address > Address.
Create a local address and a remote LAN address.

Step Six: Create a Branch IPsec security policy

Go to Policy > Policy > Policy.
When complete, make sure the policy is at the top of the policy list by clicking on the policy sequence number and dragging the row to the top of the policy table.

Results

Go to VPN > Monitor > IPsec Monitor to verify the status of the VPN tunnel. It should be up.

A user on either of the office networks should be able to connect to any address on the other office network transparently. For example, from a PC on the Branch office network with IP address 10.10.1.100 you should be able to ping a device on the Headquarters network with the IP address 192.168.1.114, and vice versa.

From the Headquarters FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic.

From the Branch FortiGate unit, go to Log & Report > Traffic Log > Forward Traffic.

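Why Step Three and Step Six insist on dragging the IPsec policy to the top of the list, as an added example that is not code from the cookbook or from FortiOS: security policies are evaluated top-down and the first match wins, so a general Internet policy sitting above the IPsec policy would claim HQ-to-Branch sessions and forward them out wan1 unencrypted. The policy objects, interface names and address ranges follow the recipe's diagram; the policy names and the 203.0.113.10 test destination are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """Simplified security policy: interface pair, address objects and action."""
    name: str
    src_intf: str
    dst_intf: str
    src_addr: str   # CIDR of the source address object
    dst_addr: str   # CIDR of the destination address object
    action: str     # "accept" (plain forwarding) or "ipsec" (encrypt into the tunnel)


def first_match(policies: List[Policy], src_intf: str, dst_intf: str,
                src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Top-down, first-match evaluation: the first policy whose interfaces and
    address objects contain the session wins; later policies are never consulted."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p.src_intf == src_intf and p.dst_intf == dst_intf
                and src in ipaddress.ip_network(p.src_addr)
                and dst in ipaddress.ip_network(p.dst_addr)):
            return p
    return None


# HQ FortiGate: port1 is the HQ LAN 192.168.1.0/24, wan1 faces the Internet,
# and the Branch LAN 10.10.1.0/24 is the remote address object.
HQ_IPSEC = Policy("HQ-to-Branch-IPsec", "port1", "wan1",
                  "192.168.1.0/24", "10.10.1.0/24", "ipsec")
HQ_INTERNET = Policy("HQ-Internet", "port1", "wan1",
                     "192.168.1.0/24", "0.0.0.0/0", "accept")


def egress_action(policies: List[Policy], src_ip: str, dst_ip: str) -> str:
    """Fate of a packet leaving the HQ LAN towards wan1 under the given policy order."""
    hit = first_match(policies, "port1", "wan1", src_ip, dst_ip)
    return f"{hit.action} via {hit.name}" if hit else "deny (implicit)"


if __name__ == "__main__":
    correct_order = [HQ_IPSEC, HQ_INTERNET]
    wrong_order = [HQ_INTERNET, HQ_IPSEC]
    print("correct:", egress_action(correct_order, "192.168.1.114", "10.10.1.100"))
    print("wrong:  ", egress_action(wrong_order, "192.168.1.114", "10.10.1.100"))
```

The failure mode is silent: with the Internet policy first, pings from 192.168.1.114 to 10.10.1.100 simply get no reply, because the packets were forwarded to the Internet with a private destination instead of into the tunnel. Checking the matched policy ID in Log & Report > Traffic Log > Forward Traffic, as the Results suggest, is the quickest way to tell the two cases apart.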

Providing remote users with access to a corporate network and Internet using SSL VPN

This example sets up remote users to connect to the corporate network using SSL VPN, and to use the FortiGate UTM for surfing the Internet. During the connecting phase, the FortiGate unit will also verify that the remote user's antivirus software is installed and current.

1. Create an SSL VPN tunnel for remote users
2. Create user definitions and add them to a group
3. Add an address for the local network
4. Add security profiles for access to the Internet and internal network
5. Set the FortiGate unit to verify users have current antivirus software
6. Results

Network diagram: Remote sslvpn user reaching the FortiGate over the Internet (sslroot, browsing); FortiGate WAN 1 172.20.120.123 and Port 1 192.168.1.99/24 to the Internal Network; Windows Server 192.168.1.114.

Step One: Create an SSL VPN tunnel for remote users

Go to VPN > SSL > Portal.
Edit the full-access portal.

The full-access portal allows the use of tunnel mode and/or web mode. In this scenario we are using both modes.

Enable Split Tunneling is left disabled so that all Internet traffic will go through the FortiGate unit and be subject to the corporate UTM profiles.

Select Create New in the Include Bookmarks area to add a bookmark for a remote desktop link/connection.

Step Two: Create user definitions and add them to a group

Go to User & Device > User > User Definition.
Add a remote user.

Go to User & Device > User > User Group.
Add the user to a user group for SSL VPN connections.

Step Three: Add an address for the local network

Go to Firewall Objects > Address > Address.
Add the address for the local network.

Step Four: Add security profiles for access to the Internet and internal network

Go to Policy > Policy > Policy.
Add a security policy allowing access to the internal network.

Add a security policy allowing access to the Internet.
For this policy, the Incoming Interface is the sslvpn tunnel interface and the Outgoing Interface is wan1. This way, remote SSL VPN users access the Internet through the FortiGate unit.

Step Five: Set the FortiGate unit to verify users have current antivirus software

Go to System > Status > Dashboard.
In the CLI Console widget, enter the commands on the right to enable the host check for compliant antivirus software on the remote user's computer.

Results

Log into the portal as twhite.

The FortiGate unit performs the host check.

After the check is complete, the portal appears.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users. The Web Application description indicates that the user is using web mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

In the Tunnel Mode widget, select Connect to enable the tunnel.

Select the bookmark Remote Desktop link to begin an RDP session.

Go to VPN > Monitor > SSL-VPN to verify the list of SSL users.
The Tunnel description indicates that the user is using tunnel mode.

Go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

Go to Log & Report > Traffic Log > Forward Traffic.
Internet access occurs simultaneously through the FortiGate unit.

Select an entry to see more information.


Securing remote access to the office network using FortiClient IPsec VPN

This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use the FortiClient Endpoint Protection software to connect to the VPN tunnel. This example sets up the user to access the internal network as well as the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features.

1. Create a new FortiClient user and add to a user group
2. Create an IPsec FortiClient VPN tunnel
3. Add addresses for the local LAN and remote FortiClient users
4. Create security policies for access to the internal network and Internet
5. Results

Network diagram: Remote user (FortiClient) connecting over the Internet by IPsec to FortiGate wan 1 172.20.120.123; port 1 192.168.1.99/24 to the Internal Network.

Step One: Create a new FortiClient user and add to a user group

Go to User & Device > User > User Definition.
Create a new user.

Go to User & Device > User > User Group.
Create a user group for FortiClient users and add user twhite.

Step Two: Create an IPsec FortiClient VPN tunnel

Go to VPN > IPsec > Auto Key (IKE).
Select Create FortiClient VPN.

Step Three: Add addresses for the local LAN and remote FortiClient users

Go to Firewall Objects > Address > Address.

Step Four: Create security policies for access to the internal network and Internet

Go to Policy > Policy > Policy.
Create a security policy allowing remote FortiClient users to access the internal network.

Go to Policy > Policy > Policy.
Create a security policy allowing remote FortiClient users to access the Internet securely through the FortiGate unit.

Results

Launch FortiClient, go to Remote Access and add a new connection.

Connect using the user name twhite.

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor to see the status of the tunnel.

Verify the IP address assigned to the remote user by the FortiGate unit, which is 10.10.1.100.
All hosts in the internal network should be accessible using the FortiClient VPN. To test this, ping an internal server set to IP address 192.168.1.114 and log on to it using RDP.

Go to Log & Report > Traffic Log > Forward Traffic and filter by the policy ID controlling the FortiClient VPN traffic.


Securing remote access to the office network for an iOS device over IPsec VPN

This example sets up a remote user and user group to provide protected access to the corporate network. The remote users use their iPad to connect to the VPN tunnel. This example sets up the user to access the internal network as well as the Internet through the FortiGate unit, to provide a secure surfing experience using the FortiGate UTM features. This example uses an iPad 2 running iOS 6.1.2. Menu options may vary for different iOS versions and devices.

1. Create a new user and add to a user group
2. Add addresses for the local LAN and remote users
3. Configure the IPsec VPN Phase 1 and Phase 2 settings
4. Create security policies for access to the internal network and Internet
5. Results

Network diagram: Remote user (iPad) connecting over the Internet by IPsec to FortiGate wan 1 172.20.120.123; Port 1 192.168.1.99/24 to the Internal Network.

Step One: Create a new user and add to a user group

Go to User & Device > User > User Definition.
Create a new user.

Go to User & Device > User > User Group.
Create a user group for iOS users and add user twhite.

Step Two: Add addresses for the local LAN and remote users

Go to Firewall Objects > Address > Address.
Add the address for the local LAN.

Go to Firewall Objects > Address > Address.
Add the address for the remote users.

Step Three: Configure the IPsec VPN Phase 1 and Phase 2 settings

Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1.

For the Mode, select Main.

In the Advanced section, select Enable IPsec Interface Mode and select 2 for the DH Group.
Enable XAUTH and select the user group ios_group.

Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 2.

In the Advanced section, select 2 for the DH Group.

Once you complete the tunnel configuration, go to System > Dashboard > Status and enter the commands shown here in the CLI widget.

Step Four: Create security policies for access to the internal network and Internet

Go to Policy > Policy > Policy.
Create a security policy allowing remote iOS users to access the internal network.

Go to Policy > Policy > Policy.
Create a security policy allowing remote iOS users to access the Internet securely through the FortiGate unit.

Results

On the iPad, go to Settings > General > VPN and select Add VPN Configuration.

On the FortiGate unit, go to VPN > Monitor > IPsec Monitor and see the status of the tunnel.

Hosts on the internal network will be accessible from the iPad.
Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.

Select an entry to view more information.

Remote iOS users can also access the Internet securely via the FortiGate unit.
Go to Log & Report > Traffic Log > Forward Traffic to see the traffic.

Select an entry to view more information.


Redundant OSPF routing between two remote networks over IPsec VPN

This example sets up secure communication between two remote networks using redundant OSPF routes.

1. Create redundant IPsec tunnels on FortiGate 1
2. Create IP addresses for the IPsec interfaces on FortiGate 1
3. Configure OSPF on FortiGate 1
4. Configure firewall addresses on FortiGate 1
5. Configure security policies on FortiGate 1
6. Create redundant IPsec tunnels for FortiGate 2
7. Create IP addresses for the IPsec interfaces on FortiGate 2
8. Configure OSPF on FortiGate 2
9. Configure firewall addresses on FortiGate 2
10. Configure security policies on FortiGate 2
11. Results

Network diagram: FortiGate 1 with WAN 1 172.20.120.24, WAN 2 172.20.120.23 and Internal 10.20.1.1/24 (Internal Network, HQ); two IPsec tunnels across the Internet carrying OSPF; FortiGate 2 with WAN 1 172.20.120.123, WAN 2 172.20.120.127 and Internal 10.21.1.1/24 (Internal Network, Branch).

Step One: Create redundant IPsec tunnels on FortiGate 1

Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1 and create the primary tunnel.
Select Advanced and select Enable IPsec Interface Mode.

Select Create Phase 2.

Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1 and create the secondary tunnel.
Select Advanced and select Enable IPsec Interface Mode.

Select Create Phase 2.

Step Two: Create IP addresses for the IPsec interfaces on FortiGate 1

Go to System > Network > Interface.
Select the arrow for wan1 to expand the list. Edit the primary tunnel interface.

Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.

Step Three: Configure OSPF on FortiGate 1

Go to Router > Dynamic > OSPF.
Enter the Router ID for FortiGate 1.

Select Create New in the Area section.
Add the backbone area of 0.0.0.0.

Select Create New in the Networks section.
Create the networks and select Area 0.0.0.0 for each one.

Select Create New in the Interfaces section.
Create the primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Step Four: Configure firewall addresses on FortiGate 1

Go to Firewall Objects > Address > Address.
Edit the addresses for the subnets behind FortiGate 1 and FortiGate 2.

Edit the addresses for the primary and secondary tunnel interfaces of FortiGate 2.

Step Five: Configure security policies on FortiGate 1

Go to Policy > Policy > Policy.
Create security policies from each primary and secondary interface to the FortiGate 2 primary and secondary interfaces.

Step Six: Create redundant IPsec tunnels on FortiGate 2

Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1 and create the primary tunnel.
Select Advanced and select Enable IPsec Interface Mode.

Select Create Phase 2.

Go to VPN > IPsec > Auto Key (IKE).
Select Create Phase 1 and create the secondary tunnel.
Select Advanced and select Enable IPsec Interface Mode.

Select Create Phase 2.

Step Seven: Create IP addresses for the IPsec interfaces on FortiGate 2

Go to System > Network > Interface.
Select the arrow for wan1 to expand the list. Edit the primary tunnel interface.

Select the arrow for wan2 to expand the list. Edit the secondary tunnel interface.

Step Eight: Configure OSPF on FortiGate 2

Go to Router > Dynamic > OSPF.
Enter the Router ID for FortiGate 2.

Select Create New in the Area section.
Add the backbone area of 0.0.0.0.

Select Create New in the Networks section.
Create the networks and select Area 0.0.0.0 for each one.

Select Create New in the Interfaces section.
Create the primary and secondary tunnel interfaces. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Step Nine: Configure firewall addresses on FortiGate 2

Go to Firewall Objects > Address > Address.
Edit the addresses for the subnets behind FortiGate 1 and FortiGate 2.

Edit the addresses for the primary and secondary tunnel interfaces of FortiGate 1.

Step Ten: Configure security policies on FortiGate 2

Go to Policy > Policy > Policy.
Create security policies from each primary and secondary interface to the FortiGate 1 primary and secondary interfaces.

Results

Verify the primary and secondary IPsec VPN tunnel status on FortiGate 1 and FortiGate 2. Tunnels on both FortiGates should be UP.
Go to VPN > Monitor > IPsec Monitor to verify the status.

Verify the routing table on FortiGate 1 and FortiGate 2. The primary OSPF route (the one with cost 10) appears on both FortiGates.
Go to Router > Monitor > Routing Monitor. Enter OSPF for the Type and select Apply Filter to verify the OSPF route.

Verify that traffic flows via the primary tunnel.
From PC1, set to IP address 10.20.1.100 behind FortiGate 1, run a tracert to PC2, set to IP address 10.21.1.100 behind FortiGate 2, and vice versa.
From PC1, you should see the traffic going through 10.1.1.2, which is the primary tunnel interface IP set on FortiGate 2.
From PC2, you should see the traffic going through 10.1.1.1, which is the primary tunnel interface IP set on FortiGate 1.

The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel is used automatically to maintain a secure connection.
Verify the IPsec VPN tunnel status on FortiGate 1 and FortiGate 2. Both FortiGates should show that the primary tunnel is DOWN and the secondary tunnel is UP.
Go to VPN > Monitor > IPsec Monitor to verify the status.

Verify the routing table on FortiGate 1 and FortiGate 2.
The secondary OSPF route (the one with cost 100) appears on both FortiGate units.
Go to Router > Monitor > Routing Monitor. Enter OSPF for the Type and select Apply Filter to verify the OSPF route.

Verify that traffic flows via the secondary tunnel.
From PC1, set to IP address 10.20.1.100 behind FortiGate 1, run a tracert to PC2, set to IP address 10.21.1.100 behind FortiGate 2, and vice versa. From PC1, you should see the traffic going through 10.2.1.2, which is the secondary tunnel interface IP set on FortiGate 2.
From PC2, you should see the traffic going through 10.2.1.1, which is the secondary tunnel interface IP set on FortiGate 1.

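How the cost 10 and cost 100 settings produce the failover seen in the Results, as an added example that is not code from the cookbook or from FortiOS: a shortest-path computation over the two tunnel links installs only the lowest-cost route to each advertised network, and withdrawing the primary link (what happens when wan1 is disconnected and that tunnel goes DOWN) makes the cost-100 route through the secondary tunnel take its place. The tunnel interface IPs are those the recipe's tracert output refers to; the router names, link names and helper functions are assumptions of this example.

```python
import heapq
import itertools
from typing import Dict, FrozenSet, List, Tuple

# Topology from the recipe.  Each link: (neighbor, OSPF cost, link name, neighbor's tunnel IP).
LINKS: Dict[str, List[Tuple[str, int, str, str]]] = {
    "FortiGate 1": [("FortiGate 2", 10, "primary", "10.1.1.2"),
                    ("FortiGate 2", 100, "secondary", "10.2.1.2")],
    "FortiGate 2": [("FortiGate 1", 10, "primary", "10.1.1.1"),
                    ("FortiGate 1", 100, "secondary", "10.2.1.1")],
}

# Networks each router advertises into area 0.0.0.0.
NETWORKS: Dict[str, List[str]] = {
    "FortiGate 1": ["10.20.1.0/24"],
    "FortiGate 2": ["10.21.1.0/24"],
}

Route = Tuple[int, str, str]   # (total cost, first-hop link, next-hop IP)


def shortest_paths(src: str, links: Dict[str, List[Tuple[str, int, str, str]]] = LINKS,
                   down: FrozenSet[str] = frozenset()) -> Dict[str, Route]:
    """Dijkstra over link costs.  Links named in `down` are skipped: a tunnel that is
    DOWN is withdrawn from the link-state database, so for routing it does not exist."""
    order = itertools.count()           # tie-breaker so heap entries never compare beyond it
    best: Dict[str, Route] = {src: (0, "", "")}
    heap = [(0, next(order), src, "", "")]
    while heap:
        cost, _, node, first_link, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                    # stale entry
        for nbr, link_cost, link_name, nbr_ip in links.get(node, []):
            if link_name in down:
                continue
            new_cost = cost + link_cost
            # The first hop is decided when leaving the source and carried along the path.
            hop_link = first_link or link_name
            hop_ip = first_hop or nbr_ip
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop_link, hop_ip)
                heapq.heappush(heap, (new_cost, next(order), nbr, hop_link, hop_ip))
    return best


def routing_table(src: str, links=LINKS, networks=NETWORKS,
                  down: FrozenSet[str] = frozenset()) -> Dict[str, Route]:
    """OSPF routes installed on `src`: prefix -> (cost, link, next hop), lowest cost only."""
    paths = shortest_paths(src, links, down)
    table: Dict[str, Route] = {}
    for router, prefixes in networks.items():
        if router == src or router not in paths:
            continue
        for prefix in prefixes:
            table[prefix] = paths[router]
    return table


if __name__ == "__main__":
    print("both tunnels up:   ", routing_table("FortiGate 1"))
    print("primary tunnel down:", routing_table("FortiGate 1", down=frozenset({"primary"})))
```

Because only the best path is installed, the routing monitor never shows both routes at once, which is why the Results describe the cost-10 route "appearing" and then the cost-100 route replacing it. A cost tie would leave OSPF free to use both tunnels, so the 10 versus 100 gap is what makes the primary deterministic.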

Authentication

Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. The FortiGate unit enables controlled network access and applies authentication to users of security policies and VPN clients.
Identifying users and other computers (authentication) is a key part of network security. This chapter describes some basic configurations.


Providing single sign-on on a Windows AD network by adding a FortiGate

This example uses the Fortinet Single Sign-On (FSSO) Collector Agent to integrate a FortiGate unit into the Windows AD domain.

1. Install the FSSO Collector Agent
2. Configure the Single Sign-on Agent
3. Configure the FortiGate unit to connect to the FSSO agent
4. Add an FSSO user group
5. Add an address for the internal network
6. Add a security profile that includes an authentication rule
7. Results

Network diagram: Internet to FortiGate WAN 1 172.20.120.123; Port 1 192.168.1.99/24 to the Internal Network; Windows AD server 192.168.1.114.

Step One: Install the FSSO Collector Agent

Run the setup for the Fortinet SSO Collector Agent. After logging in, configure the agent settings.

Add the Collector Agent address information.

Select the domains to monitor, and any users whose activity you do not wish to monitor.

Set the working mode and complete the installation.

Step Two: Configure the Single Sign-on Agent

If required, select Require authenticated connection from FortiGate, and add a password.
You will also enter this password when configuring the FSSO on the FortiGate unit.

Step Three: Configure the FortiGate unit to connect to the FSSO agent

On the FortiGate unit, go to User & Device > Authentication > Single Sign-On.
Enter the password set on the Collector Agent in the previous step.

Step Four: Add an FSSO user group

On the FortiGate unit, go to User & Device > User > User Group.

Step Five: Add an address for the internal network

Go to Firewall Objects > Address > Address.

Step Six: Add a security profile that includes an authentication rule

Go to Policy > Policy > Policy.
Add an accept user identity security policy and add the new FSSO group.

Results

Go to Log & Report > Traffic Log > Forward Traffic.
As users log into the Windows AD system, the FortiGate collects their connection information.

Select an entry for more information.

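How the Collector Agent's logon data turns into a policy decision, as an added example that is not code from the cookbook or from the FSSO agent: the agent maintains an IP-to-user table from domain logon and logoff events, skipping the users you chose not to monitor, and an identity-based policy accepts a session only when its source address currently maps to a user in one of the policy's FSSO groups; anything else falls to the implicit deny, which this model reproduces. All user names, groups, addresses and events are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class LogonEvent:
    """A domain-controller security-log event as the Collector Agent sees it (constructed)."""
    kind: str                         # "logon" or "logoff"
    ip: str                           # workstation address the event came from
    user: str                         # account name
    groups: frozenset = frozenset()   # AD group memberships resolved for the user


class CollectorTable:
    """IP -> (user, groups) mapping that the Collector Agent keeps and pushes to the FortiGate.

    Accounts in `ignore_users` correspond to the recipe's "users whose activity you do
    not wish to monitor" (service accounts and the like) and never create entries.
    """

    def __init__(self, ignore_users: Iterable[str] = ()):
        self.ignore = {u.lower() for u in ignore_users}
        self.by_ip: Dict[str, Tuple[str, frozenset]] = {}

    def apply(self, ev: LogonEvent) -> None:
        if ev.user.lower() in self.ignore:
            return
        if ev.kind == "logon":
            # A newer logon from the same workstation replaces the earlier identity.
            self.by_ip[ev.ip] = (ev.user, ev.groups)
        elif ev.kind == "logoff":
            self.by_ip.pop(ev.ip, None)

    def lookup(self, ip: str) -> Optional[Tuple[str, frozenset]]:
        return self.by_ip.get(ip)


@dataclass(frozen=True)
class IdentityPolicy:
    """Simplified identity policy: accept when the source IP's user is in one of the FSSO groups."""
    fsso_groups: frozenset
    action: str = "accept"


def decide(table: CollectorTable, policy: IdentityPolicy, src_ip: str) -> str:
    """Verdict for a new session from src_ip.  Addresses with no logon seen, or users
    outside the policy's groups, fall through to the implicit deny."""
    entry = table.lookup(src_ip)
    if entry is None:
        return "deny: no logon seen for " + src_ip
    user, groups = entry
    if groups & policy.fsso_groups:
        return f"{policy.action}: {user}"
    return f"deny: {user} not in an allowed group"


def build_sample_table() -> CollectorTable:
    """Replay a constructed sequence of events for a small domain."""
    table = CollectorTable(ignore_users=["svc-backup"])
    for ev in [
        LogonEvent("logon", "192.168.1.50", "twhite", frozenset({"Domain Users", "Sales"})),
        LogonEvent("logon", "192.168.1.51", "jdoe", frozenset({"Domain Users"})),
        LogonEvent("logon", "192.168.1.114", "svc-backup", frozenset({"Domain Admins"})),
        LogonEvent("logon", "192.168.1.52", "mlee", frozenset({"Domain Users", "Sales"})),
        LogonEvent("logoff", "192.168.1.52", "mlee"),
    ]:
        table.apply(ev)
    return table


if __name__ == "__main__":
    t = build_sample_table()
    sales_policy = IdentityPolicy(frozenset({"Sales"}))
    for ip in ["192.168.1.50", "192.168.1.51", "192.168.1.114", "192.168.1.52"]:
        print(ip, decide(t, sales_policy, ip))
```

The table is keyed by address, not by user, which is the property to keep in mind when reading the Forward Traffic log: a workstation that another person uses after the first user walks away without logging off still carries the first identity until a new logon or logoff event arrives.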
