FortiGate™
Version 3.0 MR7
Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates,
technical support, and FortiGuard services.
www.fortinet.com
FortiGate™ Administration Guide
Version 3.0 MR7
12 January 2009
01-30007-0203-20090112
Trademarks
Fortinet, FortiGate and FortiGuard are registered trademarks and
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC,
FortiBIOS, FortiBridge, FortiClient, FortiDB, FortiGate, FortiGate Unified
Threat Management System, FortiGuard-Antispam, FortiGuard-Antivirus,
FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer,
FortiManager, FortiOS, FortiPartner, FortiProtect, FortiReporter,
FortiResponse, FortiShield, and FortiVoIP, are trademarks of Fortinet, Inc.
in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of
their respective owners.
Contents
What’s new in 3.0 MR7..................................................................... 19
3.0 MR7 new features and changes ............................................................... 21
FSAE........................................................................................................... 21
AMC support ............................................................................................... 21
Dashboard................................................................................................... 22
FortiGuard Analysis and Management Service........................................... 22
Virtual domains ........................................................................................... 22
VDOM and Global icons in documentation ................................................. 23
Modem support ........................................................................................... 23
SNMP.......................................................................................................... 23
Router ......................................................................................................... 23
Authentication ............................................................................................. 24
SSL VPN client tunnel mode for Mac OS and Linux ................................... 24
Standalone SSL VPN client ........................................................................ 24
SSL VPN Virtual Desktop application ......................................................... 24
SSL VPN URL obscuration ......................................................................... 24
Intrusion Protection ..................................................................................... 24
Log messages............................................................................................. 25
Content archiving ........................................................................................ 25
Alert email ................................................................................................... 25
Email archiving ............................................................................................ 26
HA primary unit acts as a router for subordinate unit management traffic .. 26
HA heartbeat IP addresses ......................................................................... 27
Interface display order................................................................................. 28
Introduction ...................................................................................... 29
Introducing the FortiGate units ...................................................................... 29
FortiGate-5000 series chassis .................................................................... 30
About the FortiGate-5000 series boards ..................................................... 31
FortiGate-AMC modules ............................................................................. 32
FortiGate-3810A.......................................................................................... 32
FortiGate-3600A.......................................................................................... 32
FortiGate-3016B.......................................................................................... 33
FortiGate-3600 ............................................................................................ 33
FortiGate-3000 ............................................................................................ 33
FortiGate-1000A/AFA2................................................................................ 34
FortiGate-1000 ............................................................................................ 34
FortiGate-800/800F..................................................................................... 34
FortiGate-500A............................................................................................ 35
FortiGate-500 .............................................................................................. 35
FortiGate-400A............................................................................................ 35
FortiGate-400 .............................................................................................. 35
FortiGate-310B............................................................................................ 36
FortiGate-300A............................................................................................ 36
FortiGate-300 .............................................................................................. 36
FortiGate-224B ........................................................................................... 36
FortiGate-200A ........................................................................................... 37
FortiGate-200 .............................................................................................. 37
FortiGate-100A ........................................................................................... 37
FortiGate-100 .............................................................................................. 37
FortiGate-60B ............................................................................................. 38
FortiWiFi-60B .............................................................................................. 38
FortiGate-60/60M/ADSL ............................................................................. 38
FortiWiFi-60/60A/60AM............................................................................... 39
FortiWiFi-50B .............................................................................................. 39
FortiGate-50B ............................................................................................. 39
FortiGate-50A ............................................................................................. 39
Fortinet family of products ............................................................................. 40
FortiGuard Subscription Services ............................................................... 40
FortiAnalyzer............................................................................................... 40
FortiClient.................................................................................................... 40
FortiManager............................................................................................... 41
FortiBridge .................................................................................................. 41
FortiMail ...................................................................................................... 41
About this document....................................................................................... 41
Document conventions ............................................................................... 43
FortiGate documentation ............................................................................... 44
Fortinet Tools and Documentation CD........................................................ 45
Fortinet Knowledge Center ........................................................................ 46
Comments on Fortinet technical documentation ........................................ 46
Customer service and technical support ...................................................... 46
Register your Fortinet product....................................................................... 46
Web-based manager........................................................................ 47
Common web-based manager tasks ............................................................. 48
Connecting to the web-based manager ...................................................... 48
Changing your FortiGate administrator password ...................................... 49
Changing the web-based manager language ............................................. 50
Changing administrative access to your FortiGate unit .............................. 50
Changing the web-based manager idle timeout ......................................... 51
Connecting to the FortiGate CLI from the web-based manager ................. 51
Button bar features ......................................................................................... 52
Contacting Customer Support ....................................................................... 52
Backing up your FortiGate configuration ..................................................... 52
Using FortiGate Online Help........................................................................... 53
Searching the online help ........................................................................... 54
Logging out...................................................................................................... 56
Antispam......................................................................................... 499
Antispam ........................................................................................................ 499
Order of spam filtering............................................................................... 499
Anti-spam filter controls............................................................................. 500
Banned word .................................................................................................. 502
Viewing the banned word list catalog ........................................................ 502
Creating a new banned word list ............................................................... 503
Viewing the antispam banned word list ..................................................... 503
Adding words to the banned word list ....................................................... 504
Index................................................................................................ 577
• Modem – You can connect a USB modem to any FortiGate unit USB port. You
can also disable PPP echo requests for modem interfaces. See “Modem
support” on page 23.
• SNMP – See “SNMP” on page 23.
• IPv6 – IPv6 Phase II has been implemented. This includes more IPv6
functions on the web-based manager and more IPv6 commands in the CLI.
See “FortiGate IPv6 support” on page 217.
• Chassis monitoring removed – System Chassis monitoring has been
removed from both the web-based manager and CLI (get chassis
status). The high temperature and voltage SNMP events are also no longer
available.
• Routing – See “Router” on page 23.
• Authentication – FortiOS 3.0 MR7 now supports more remote authentication
servers and local certificates as well as longer LDAP DNs. See
“Authentication” on page 24.
• Firewall addresses – FortiOS 3.0 MR7 now supports firewall addresses with
wildcard netmasks. See “Firewall Address” on page 315.
• “Child Abuse” FortiGuard Web Filtering category – The Child Abuse
category has been added to the FortiGuard Web Filtering group “Potential
Liable”. You can enable this filter in protection profiles by going to Firewall >
Protection Profile and configuring FortiGuard Web Filtering. See “FortiGuard
Web Filtering options” on page 370 and the FortiGuard Center Web Filtering
Database Categories.
• SIP servers – While most SIP servers use 5060 as the source port in the
register response, some do not follow this rule. You can now configure the
FortiGate unit, through the CLI, to accept a SIP register response with any
source port number, by enabling the config firewall profile config
sip reg-diff-port keyword.
• IPSec interfaces – You can now use an IPSec interface as the source
interface for an IPSec firewall policy, making it possible to allow traffic between
an interface-based VPN and a policy-based VPN. See “Configuring firewall
policies” on page 297 and “IPSec firewall policy options” on page 306.
• SSL VPN – See “SSL VPN client tunnel mode for Mac OS and Linux” on
page 24, “Standalone SSL VPN client” on page 24, “SSL VPN Virtual Desktop
application” on page 24, and “SSL VPN URL obscuration” on page 24.
• IPS filters – IPS filters now display more information about IPS signatures.
See “Intrusion Protection” on page 24.
• Log messages – There are several new log messages as well as changes to
existing ones. See “Log messages” on page 25.
• Content archiving – You can now enable content archiving of HTTP, FTP,
SMTP, POP3, HTTPS, and IMAP content without having to enable other
features as well. See “Content archiving” on page 25.
• Alert email – You can now define an alternate port for outgoing alert email.
Alert email categories that display in the Log Config menu may not all display
when in VDOMs or Transparent mode. See “Alert email” on page 25.
• Reports – See “Reports” on page 25.
• Email archiving – See “Email archiving” on page 26.
• HA – See “HA primary unit acts as a router for subordinate unit management
traffic” on page 26, “HA heartbeat IP addresses” on page 27 and “Interface
display order” on page 28.
FSAE
Using the Fortinet Server Authentication Extension (FSAE), FortiGate units
provide transparent user authentication on Windows networks with an Active
Directory server. In FortiOS 3.0 MR7, FSAE is now also available for Novell
eDirectory networks. Note the following changes in the web-based manager
menu:
• User > Windows AD is now User > Directory Service.
• In User > User Group, the Windows AD user group type is now
Directory Service.
Configuration on the FortiGate unit is the same for Windows AD and Novell
eDirectory.
Using FSAE, FortiGate units can now keep better track of frequently changing
user IP addresses on Windows AD networks.
For information about installing and configuring FSAE on Windows AD and Novell
eDirectory, see the FSAE Administration Guide.
AMC support
AMC module interfaces are now named with upper case letters. For example, a
single width AMC card in slot 2 with four network interfaces would have interfaces
named AMC-SW2/1, AMC-SW2/2, AMC-SW2/3, and AMC-SW2/4.
You can use the new CLI command config system amc to make it easier to
manage your AMC module configuration. You use this command to specify the
type of module inserted into your FortiGate AMC slots. If you have to temporarily
remove the module from the slot, the FortiGate unit keeps the configuration
settings for the module. And when you re-install the module, the FortiGate unit will
recognize it and resume operating with the configuration settings that were in
place before the module was removed.
For example, if you have a FortiGate-ASM-FB4 module installed in AMC slot
SW1, you can enter the following command:
config system amc
set sw1 asm-fb4
end
You can then add configuration settings for the AMC-SW2/1, AMC-SW2/2, AMC-
SW2/3, and AMC-SW2/4 interfaces.
If you shut down your FortiGate unit, remove the FortiGate-ASM-FB4 module, and
re-start the FortiGate unit, the AMC-SW2/1, AMC-SW2/2, AMC-SW2/3, and
AMC-SW2/4 interfaces still appear in web-based manager interface lists, but with
link status down. All configuration settings for these interfaces are also still
available. If you had not entered the above command, the interfaces would have
disappeared from the interface list and the configuration settings would have been
lost.
Similarly, if you shut down your FortiGate unit again, reinstall the FortiGate-ASM-
FB4 module (or install a new FortiGate-ASM-FB4 module), and restart the
FortiGate unit the AMC-SW2/1, AMC-SW2/2, AMC-SW2/3, and AMC-SW2/4
interfaces appear in web-based manager interface lists with link status up.
Other options for the config system amc command are described in the
FortiGate CLI Reference.
Dashboard
If you have installed an AMC hard drive, an icon for the drive that displays the
model name appears on the Unit Operation dashboard widget and a disk usage
graph appears on the System Resources widget.
From the System Information widget you can now update firmware from multiple
sources including:
• the system administrator’s local hard drive
• a USB drive connected to the FortiGate unit
• the FortiGuard network (requires a subscription).
For more information see “Upgrading to a new firmware version” on page 82.
The session list available from the Statistics widget now displays the total number
of sessions being processed by the FortiGate unit.
The Top Attacks widget now displays the names of detected attacks, not just the
attack signature number.
Virtual domains
FortiOS MR7 includes the following enhancements to Virtual Domains:
• The “Override DNS” feature has been disabled on non-management VDOMs.
• The root domain may not be disabled even if it is not the management VDOM.
• Modems can now be assigned to VDOMs other than the root VDOM, similar to
other interfaces; this means that modems are no longer global.
• FortiAnalyzer report configuration and access is now per-VDOM when VDOMs
are enabled.
• When VDOMs are in both NAT and TP operation modes, some interface fields
will be displayed as “-”. Only the super admin can view all the VDOMs.
• Packets that pass through inter-VDOM links have their inter-VDOM link
counter reset when they are encrypted or decrypted. Previously packets were
limited to a maximum of three passes through inter-VDOM links.
For more information, see “Using virtual domains” on page 95.
Modem support
You can now connect a supported USB modem to the USB port of any FortiGate
model that includes a USB port. Previously only models with internal modems
supported USB modems. For more information, see “Configuring the modem
interface” on page 129.
Because PPP echo requests are not supported by all ISPs, a flag has been added
to the modem configuration to disable PPP echo requests if required.
You must use the config system modem CLI command to enable a modem
before it will display in the web-based manager interface list.
SNMP
The following commands were added to the CLI to reflect the new events added
to SNMP communities:
• av-bypass
• av-conserve
• av-oversize-blocked
• av-oversize-pass
• ips-pkg-update
• power-supply-failure (FortiGate-3810A and 3016B models support
managed power supplies).
Previously, a trap could be triggered by a transient high CPU spike. This problem
has now been fixed.
You can now view a complete list of SNMP MIBs that FortiOS supports from the
support web site. If you have a subscription to central management services, this
service allows you to generate an HTML file of the complete, current list of MIBs.
Router
The web-based manager checks RIP timer values and displays an error
message if the timers are inconsistent. For example, the update timer must be
smaller than the timeout and garbage timers. For more information see “Selecting
advanced RIP options” on page 270.
For the config router bgp command, the router-id field now has a default
value. If the router-id is not set, the highest IP address in this VDOM will be
used.
The maximum number of configurable BGP neighbors is now 1,000.
Authentication
The maximum number of remote authentication servers (LDAP, RADIUS, and
TACACS+) has been increased from 6 to 10.
The Distinguished Name (DN) for LDAP has been increased to 512 characters.
For the following FortiGate models, the maximum number of local certificates has
been increased as follows:
• FortiGate-50/60B/100/200 - 200
• FortiGate-300 through FG1000 - 500
• FortiGate-3000 and up - 1,000.
Intrusion Protection
Intrusion protection filters contain more information about the type and number of
signatures that are included in the filter. See “Configuring IPS sensors” on
page 470.
A new “Count” column has been added to the filters list. This column displays the
number of signatures that are included in the filter.
Each filter also has a View Rules icon that, when selected, displays a complete list
of the included signatures.
Log messages
FortiOS 3.0 MR7 includes the following changes to log messages:
• There are three new sub-types for the event log: vip ssl, ldb-monitor and
his-performance.
• Log messages now contain the fields device_id and devname to help identify
HA members.
• The new event log sub-type, his-performance, provides information about
FortiGate system performance.
• A log message about adding/deleting a zone is included in the event log.
• Quote marks are now included in the log message where a field in the
message does not contain any information.
• The severity level of IPSec negotiation logs is now Notification; alert email now
sends any IPSec tunnel error message with a severity of Error or higher.
• When an administrator disables one or more VDOMs, an event log message is
recorded.
• The count field has been added to attack logs to indicate the number of attack
reports on the FortiGate side.
• An event log message is recorded when the connection between the
FortiGuard Analysis server and the FortiGate unit goes up or down.
See the FortiGate Logging Technical Note and the FortiGate Log Message
Reference for more information.
Content archiving
Previously, to content archive HTTP, FTP, SMTP, POP3, and IMAP data, you had
to enable virus scanning. To content archive HTTPS data you had to enable Web
URL filtering.
In FortiOS 3.0 MR7, you can now content archive all of these protocols without
enabling these additional features.
Alert email
Depending on your configuration, in FortiOS 3.0 MR7 not all alert email categories
are displayed in Log&Report > Log Config. If you have VDOMs enabled, you will
not see FortiGuard options.
The following alert email categories are also not available:
• Disk usage warning (if your FortiGate unit does not contain a hard disk)
• SSL VPN login failure (if you are using Transparent mode)
• L2TP/PPTP/PPPoE errors (if you are using Transparent mode).
You can now change the port to use for sending alert email messages by using
the port keyword of the config system global CLI command.
Reports
Because of changes to FortiAnalyzer reports brought about by FortiAnalyzer 3.0
MR7, the FortiGate Report Access and Report Config settings and pages have
changed as well.
In Log&Report > Report Config, there is a new tab called Schedule. The
Schedule tab displays all report schedules that have been configured for your
FortiGate unit, both from the FortiGate web-based manager and the FortiAnalyzer
web-based manager. This tab also allows you to configure report schedules,
provided there is a report profile.
After upgrading to FortiOS 3.0 MR7, all previously configured reports are
converted to their equivalent in FortiOS 3.0 MR7. This conversion process splits
previously configured reports into two: one report layout and one schedule. This
split may not contain all the settings previously configured because of the new
settings in FortiOS 3.0 MR7. We recommend that you review all reports carried
forward from FortiOS 3.0 MR6 and familiarize yourself with how reports are now
configured, from both the FortiGate and FortiAnalyzer web-based managers.
For more information about configuring report schedules in FortiOS 3.0 MR7, see
“FortiAnalyzer report schedules” on page 551. For additional information, see the
FortiAnalyzer Administration Guide.
Email archiving
Using the FortiGate internal or AMC hard disk, FortiOS 3.0 MR7 provides
failure-proof email archiving by first storing email archive data on the internal or
AMC hard disk.
If you are using the FortiGuard Analysis and Management Service, the FortiGate
unit uploads and verifies content archived data to the FortiGuard Analysis and
Management Service in small batches to reduce overhead. The data is not
deleted from the internal or AMC hard disk until it has been successfully uploaded
to and verified on the FortiGuard Analysis and Management Service.
A similar approach is taken with archiving to a FortiAnalyzer unit, except that only
the AMC hard disk can be used to store archived data on the FortiGate unit and
archived data is uploaded in batches according to a specified schedule.
HA primary unit acts as a router for subordinate unit management traffic
Now the primary unit acts like a router for most subordinate unit management
traffic. Instead of sending management traffic to the HA proxy, the subordinate
unit sends traffic to its destination over the HA heartbeat link. The primary unit
uses simple routing to send the traffic through the primary unit and on to its
destination. The primary unit also routes replies back to the subordinate unit in the
same way.
HA uses a hidden VDOM called vsys_ha for HA operations. The vsys_ha VDOM
includes the HA heartbeat interfaces, and all communication over the HA
heartbeat link goes through the vsys_ha VDOM. To provide communication from a
subordinate unit to the network, HA adds hidden inter-VDOM links between the
primary unit management VDOM and the primary unit vsys_ha VDOM. By default,
root is the management VDOM.
Management traffic from the subordinate unit originates in the subordinate unit
vsys_ha VDOM. The vsys_ha VDOM routes the management traffic over the HA
heartbeat link to the primary unit vsys_ha VDOM. This management traffic is then
routed to the primary unit management VDOM and from there out onto the
network.
Note: DNS queries and FortiGuard Web Filtering rating requests are still handled by the HA
proxy so that the primary unit and subordinate units share the same DNS query cache and
the same FortiGuard Web Filtering cache.
[Figure: HA inter-VDOM link between the primary unit management VDOM and vsys_ha VDOM (169.254.0.65)]
HA heartbeat IP addresses
Previously, HA heartbeat interfaces were assigned IP addresses in the 10.0.0.x
range. FortiOS 3.0 MR7 uses link-local IPv4 addresses (RFC 3927) in the
169.254.0.x range for HA heartbeat interface IP addresses and for inter-VDOM
link interface IP addresses. When a cluster initially starts up, the primary unit
heartbeat interface IP address is 169.254.0.1. Subordinate units are assigned
heartbeat interface IP addresses in the range 169.254.0.2 to 169.254.0.63. HA
inter-VDOM link interfaces on the primary unit are assigned IP addresses
169.254.0.65 and 169.254.0.66.
The ninth line of the following CLI command output shows the HA heartbeat
interface IP address of the primary unit.
You can also use the execute traceroute command from the subordinate unit
CLI to display HA heartbeat IP addresses and the HA inter-VDOM link IP
addresses. For example, use execute ha manage 1 to connect to the
subordinate unit CLI and then enter the following command to trace the route to
an IP address on your network:
execute traceroute 172.20.20.10
traceroute to 172.20.20.10 (172.20.20.10), 32 hops max, 72 byte packets
1 169.254.0.1 0 ms 0 ms 0 ms
2 169.254.0.66 0 ms 0 ms 0 ms
3 172.20.20.10 0 ms 0 ms 0 ms
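As an added example that is not part of this guide, the following Python script parses traceroute output of the kind shown above and checks each hop against the heartbeat and inter-VDOM link address roles listed in this section, so an administrator can confirm that a subordinate unit's management traffic really is routed through the primary unit. The embedded sample is a constructed copy of the traceroute above, and the function names are assumptions of this example.

```python
import ipaddress
import re
from typing import List, Tuple

# Address roles that FortiOS 3.0 MR7 assigns inside 169.254.0.0/24 (from the
# section above): primary heartbeat .1, subordinate heartbeats .2-.63, primary
# inter-VDOM link interfaces .65 and .66. Any other address is ordinary network.
HA_BLOCK = ipaddress.ip_network("169.254.0.0/24")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 IPv4 link-local

# One traceroute hop: "<n> <ip> ..." or "<n> <name> (<ip>) ...". Lines that do not
# match (the header line, or "* * *" hops with no reply) are skipped.
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:[\w.-]+\s+\()?(\d{1,3}(?:\.\d{1,3}){3})\)?")

# Constructed sample: a copy of the subordinate-unit traceroute shown above.
SAMPLE_OUTPUT = """\
traceroute to 172.20.20.10 (172.20.20.10), 32 hops max, 72 byte packets
1 169.254.0.1 0 ms 0 ms 0 ms
2 169.254.0.66 0 ms 0 ms 0 ms
3 172.20.20.10 0 ms 0 ms 0 ms
"""

Hop = Tuple[int, str, str]  # (hop number, address, role)


def classify_hop(ip_text: str) -> str:
    """Map an address to its HA role according to the MR7 allocation."""
    ip = ipaddress.ip_address(ip_text)
    if ip in HA_BLOCK:
        host = int(ip) & 0xFF
        if host == 1:
            return "ha-heartbeat-primary"
        if 2 <= host <= 63:
            return "ha-heartbeat-subordinate"
        if host in (65, 66):
            return "ha-intervdom-link"
        return "ha-block-unassigned"  # inside the block but with no documented role
    if ip in LINK_LOCAL:
        return "link-local-other"
    return "network"


def parse_traceroute(output: str) -> List[Hop]:
    """Extract (hop number, address, role) for every replying hop."""
    hops: List[Hop] = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            ip = m.group(2)
            hops.append((int(m.group(1)), ip, classify_hop(ip)))
    return hops


def check_subordinate_path(hops: List[Hop]) -> List[str]:
    """Return findings when the path does not match the 'primary acts as router'
    pattern: primary heartbeat first, an inter-VDOM link hop, then the network."""
    findings: List[str] = []
    if not hops:
        return ["no hops parsed"]
    roles = [role for _, _, role in hops]
    if roles[0] != "ha-heartbeat-primary":
        findings.append(f"first hop {hops[0][1]} is {roles[0]}, expected 169.254.0.1")
    if "ha-intervdom-link" not in roles:
        findings.append("no inter-VDOM link hop (169.254.0.65/66) seen")
    if roles[-1] != "network":
        findings.append(f"last hop {hops[-1][1]} is {roles[-1]}, expected a network address")
    for n, ip, role in hops:
        if role == "ha-block-unassigned":
            findings.append(f"hop {n} ({ip}) is in 169.254.0.0/24 but has no documented HA role")
    return findings


if __name__ == "__main__":
    parsed = parse_traceroute(SAMPLE_OUTPUT)
    for n, ip, role in parsed:
        print(f"{n:>2} {ip:<15} {role}")
    print("findings:", check_subordinate_path(parsed) or "none")
```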
Note: This change does not interfere with HA heartbeat interface failover. In FortiOS 3.0
MR7 as well as previous FortiOS versions, HA heartbeat interface failover uses the same
hash map order to select the HA heartbeat interface to use. If more than one HA heartbeat
interface has the highest priority, the interface with the highest priority that is also highest in
the interface hash map order is used for all HA heartbeat communication. If this interface
fails or becomes disconnected, the heartbeat interface with the highest priority that is next
highest in hash map order handles all heartbeat communication. For information about HA
heartbeat interfaces, see “HA options” on page 167.
Introduction
Welcome and thank you for selecting Fortinet products for your real-time network
protection.
FortiGate™ ASIC-accelerated multi-threat security systems improve network
security, reduce network misuse and abuse, and help you use communications
resources more efficiently without compromising the performance of your
network. FortiGate Systems are ICSA-certified for Antivirus, Firewall, IPSec,
SSL-TLS, IPS, Intrusion detection, and AntiSpyware services.
FortiGate Systems are dedicated, easily managed security devices that deliver a
full suite of capabilities including:
• Application-level services such as virus protection, intrusion protection, spam
filtering, web content filtering, IM, P2P, and VoIP filtering
• Network-level services such as firewall, intrusion detection, IPSec and SSL
VPN, and traffic shaping
• Management services such as user authentication, logging, reporting with
FortiAnalyzer, administration profiles, secure web and CLI administrative
access, and SNMP.
The FortiGate security system uses Fortinet’s Dynamic Threat Prevention System
(DTPS™) technology, which leverages breakthroughs in chip design, networking,
security and content analysis. The unique ASIC-accelerated architecture analyzes
content and behavior in real-time, enabling key applications to be deployed right
at the network edge where they are most effective at protecting your networks.
This chapter contains the following sections:
• Introducing the FortiGate units
• Fortinet family of products
• About this document
• FortiGate documentation
• Customer service and technical support
• Register your Fortinet product
[Figure: FortiGate-5140 chassis front panel with installed FortiGate-5000 series boards, power supplies (PSU A, PSU B) and fan trays 0 to 2]
FortiGate-5140 chassis
You can install up to 14 FortiGate-5000 series boards in the 14 slots of the
FortiGate-5140 ATCA chassis. The FortiGate-5140 is a 12U chassis that contains
two redundant hot swappable DC power entry boards that connect to -48 VDC
Data Center DC power. The FortiGate-5140 chassis also includes three hot
swappable cooling fan trays.
FortiGate-5050 chassis
You can install up to five FortiGate-5000 series boards in the five slots of the
FortiGate-5050 ATCA chassis. The FortiGate-5050 is a 5U chassis that contains
two redundant DC power connections that connect to -48 VDC Data Center DC
power. The FortiGate-5050 chassis also includes a hot swappable cooling fan
tray.
FortiGate-5020 chassis
You can install one or two FortiGate-5000 series boards in the two slots of the
FortiGate-5020 ATCA chassis. The FortiGate-5020 is a 4U chassis that contains
two redundant AC to DC power supplies that connect to AC power. The
FortiGate-5020 chassis also includes an internal cooling fan tray.
FortiGate-5001A board
The FortiGate-5001A board is a high-performance ATCA-compliant security
system that contains two front panel gigabit Ethernet interfaces, two base
backplane gigabit interfaces, and two fabric backplane gigabit interfaces. The
fabric interfaces are reserved for future 10-gigabit operation but can be used now
for board to board 1-gigabit operation. The FortiGate-5001A-DW front panel also
includes a double-width Advanced Mezzanine Card (AMC) opening. You can
install a supported FortiGate ADM module such as the FortiGate-ADM-XB2 or the
FortiGate-ADM-FB8 in the AMC opening. The FortiGate-ADM-XB2 adds two
accelerated 10-gigabit interfaces to the FortiGate-5001A board and the
FortiGate-ADM-FB8 adds 8 accelerated 1 gigabit interfaces.
The FortiGate-5001A board supports high-end features including 802.1Q VLANs
and multiple virtual domains and FortiOS Carrier MMS content processing, GTP
protection, and SIP extensions.
FortiGate-5005FA2 board
The FortiGate-5001SX board is an independent high-performance
ATCA-compliant security system with eight Gigabit Ethernet interfaces; two of
which include Fortinet technology to accelerate small packet performance. The
FortiGate-5005FA2 board also supports high-end features including 802.1Q
VLANs, multiple virtual domains and specialized FortiGate-5000 series features
such as base and fabric backplane switching and FortiOS Carrier MMS content
processing, GTP protection, and SIP extensions.
FortiGate-5001SX board
The FortiGate-5001SX board is an independent high-performance
ATCA-compliant security system with eight Gigabit Ethernet interfaces. The
FortiGate-5001SX board supports high-end features including 802.1Q VLANs and
multiple virtual domains and specialized FortiGate-5000 series features such as
base and fabric backplane switching and FortiOS Carrier MMS content
processing, GTP protection, and SIP extensions.
FortiGate-5001FA2 board
The FortiGate-5001FA2 board is an independent high-performance
ATCA-compliant security system with six Gigabit Ethernet interfaces. The
FortiGate-5001FA2 board is similar to the FortiGate-5001SX board except that
two of the FortiGate-5001FA2 interfaces include Fortinet technology to accelerate
small packet performance.
FortiGate-5002FB2 board
The FortiGate-5002FB2 board is an independent high-performance
ATCA-compliant FortiGate security system with a total of 6 Gigabit Ethernet interfaces.
Two of the FortiGate-5002FB2 interfaces include Fortinet technology to accelerate
small packet performance.
FortiGate-AMC modules
The FortiGate-AMC modules (including the HS …
FortiGate-3810A
The FortiGate-3810A multi-threat security appliance offers optional 10-Gigabit
Ethernet interfaces. Four AMC expansion slots allow the FortiGate-3810A to be
customized for your exact performance needs. Up to 26 Gbps firewall
performance can be achieved in a full configuration with just a single 2U
rack-mount appliance.
The FortiGate-3810A includes:
• Base unit provides eight 10/100/1000 interfaces plus two SFP (fiber) interfaces
• Supports two dual-width and two single-width AMC expansion modules
• Dual-width AMC slots support up to four 10-Gigabit Ethernet XFP interfaces
• Single-width AMC slots support up to eight additional Gigabit Ethernet SFP
interfaces
FortiGate-3600A
The FortiGate-3600A multi-threat security appliance establishes a new level of
price-… gigabit capacity network security systems. With ten gigabit Ethernet
interfaces and up to six Gbps throughput, the FortiGate-3600A enables a new
generation of high performance protection against blended threats.
The FortiGate-3600A includes:
• Multi-Gigabit performance for large enterprises and Managed Security Service
Providers (MSSPs) ensures security and throughput
• Provides eight gigabit copper (10/100/1000) interfaces and two gigabit fiber
(SFP) interfaces for greater flexibility and to meet the needs of large enterprise
and service provider networks
• Advanced Mezzanine Card (AMC) slot provides future upgrade possibilities
with either the four interface hardware accelerated SFP expansion module or
the storage expansion module.
FortiGate-3016B
The FortiGate-3016B multi-threat security appliance is a carrier-… sixteen
gigabit Ethernet interfaces and a full complement of network protection
features. Each interface of the FortiGate-3016B provides wire-speed firewall
performance using Fortinet's advanced FortiASIC network processor technology.
Multiple FortiGate-3016Bs can be deployed in redundant clusters to ensure
failsafe operation.
The FortiGate-3016B is the ideal solution for large enterprises and Managed
Security Service Providers (MSSPs) looking to add new security services.
The highly available architecture and redundant hot-swappable power supplies
ensure failsafe operation, and AMC expansion provides additional connectivity,
performance and storage capacity.
FortiGate-3600
The FortiGate-3600 unit provides carrier-class levels of performance and
reliability demanded by large enterprises and service providers. The unit uses
multiple CPUs and FortiASIC chips to deliver throughput of 4Gbps, meeting the
needs of the most demanding applications. The FortiGate-3600 unit includes
redundant power supplies, which minimize single-point failures, and supports
load-balanced operation. The high capacity, reliability and easy management
make the FortiGate-3600 a natural choice for managed service offerings.
FortiGate-3000
The FortiGate-3000 unit provides carrier-class levels of performance and
reliability demanded by large enterprises and service providers. The unit uses
multiple CPUs and FortiASIC chips to deliver a throughput of 3Gbps, meeting the
needs of the most demanding applications. The FortiGate-3000 unit includes
redundant power supplies to minimize single-point failures, including
load-balanced operation and redundant failover with no interruption in service.
The high capacity, reliability, and easy management of the FortiGate-3000 make
it a natural choice for managed service offerings.
FortiGate-1000A/AFA2
The FortiGate-1000A/AFA2 Security System is a high performance solution that
delivers gigabit throughput with exceptional reliability for the most demanding
large enterprise. The FortiGate-1000AFA2 optionally provides 2 additional fiber
interfaces featuring FortiAccel ASIC technology enhancing small packet
performance. The FortiGate-1000A/AFA2 deploys easily in existing networks and
can be used for antivirus and content filtering only or can be deployed as a
complete network protection solution. High Availability (HA) operation and
redundant hot-swappable power supplies ensure non-stop operation in mission-
critical applications.
The FortiGate-1000A offers 10 tri-speed 10/100/1000 Base-TX interfaces.
The FortiGate-1000AFA2 offers 10 tri-speed interfaces + … Pluggable (SFP)
FortiAccel ASIC accelerated interfaces for line rate performance of all packet
sizes, ideal for applications such as VoIP.
FortiGate-1000
The FortiGate-1000 unit is designed for larger …
FortiGate-800/800F
The FortiGate-800/800F Multi-Threat Security …
FortiGate-500A
The FortiGate-500A Multi-… provides higher performance, flexibility, and
security necessary to protect today's growing enterprise networks. The
FortiGate-500A platform features two 10/100/1000 tri-speed Ethernet interfaces
providing flexibility for networks running at or upgrading to gigabit speeds,
four user-definable 10/100 interfaces for redundant WAN links, high
availability, and multi-zone capabilities that allow administrators a high
degree of flexibility to segment their network into zones for granular control
of network traffic, and an internal 4-port switch for direct connectivity with
the FortiGate-500A.
The FortiGate-500A is ideally suited for enterprise networks; it is unmatched
in capabilities, speed, and price/performance.
FortiGate-500
The FortiGate-500 unit is …
FortiGate-400A
The FortiGate-400A Multi-… provides higher performance, flexibility, and
security necessary to protect today's growing enterprise networks. The
FortiGate-400A platform features two 10/100/1000 tri-speed Ethernet interfaces
for networks running at or upgrading to gigabit speeds and 4 user-definable
10/100 interfaces that provide redundant WAN links, high availability, and
multi-zone capabilities, allowing administrators a high degree of flexibility
to segment their network into zones and create policies to control network
traffic between zones.
You can deploy the FortiGate-400A as a high performance antivirus and web
content filtering gateway, or as a complete network protection solution
leveraging firewall, intrusion detection and prevention, spam filtering and VPN
capabilities.
FortiGate-400
The FortiGate-400 unit is …
FortiGate-310B
The FortiGate-310B is … expectations of mid-range security devices.
Incorporating FortiASIC network processors for firewall/VPN acceleration and
the FortiASIC Content Processor for content inspection acceleration, the
FortiGate-310B yields unmatched multi-threat performance metrics. AMC module
options offer both flexibility and the highest port density of any product in
its class. The FortiGate-310B's accelerated security throughput and high port
density relieve medium sized organizations of the restraints that have
historically prevented internal network security segmentation.
The FortiGate-310B includes:
• 8 Gbps firewall, 6 Gbps VPN as a base model
• 12 Gbps firewall, 9 Gbps VPN with optional AMC module
• SSL hardware acceleration
• Link aggregation
• Customizable expansion options
• Facilitates LAN security segmentation.
FortiGate-300A
The FortiGate-300A Multi-… provides performance, flexibility, and security
necessary to protect today's growing small and medium sized enterprise
networks. The FortiGate-300A platform features two 10/100/1000 tri-speed
Ethernet interfaces for networks running at or upgrading to gigabit speeds and
4 user-definable 10/100 interfaces.
FortiGate-300
The FortiGate-300 unit is designed for larger …
FortiGate-224B
The FortiGate-224B converges …
FortiGate-200A
The FortiGate-200A Multi-…
FortiGate-200
The FortiGate-200 unit is designed for small businesses, home offices or …
FortiGate-100A
The FortiGate-100A system is an ideal solution for small offices. The …
FortiGate-100
The FortiGate-100 unit is designed for SOHO, SMB and branch office
applications.
FortiGate-60B
The FortiGate-60B multi-threat security solution offers Small and …
FortiWiFi-60B
The FortiWiFi-60B multi-threat security solution offers Small and Medium
Business and SOHO/ROBO users enterprise-class protection against blended
threats targeting 3G broadband, wireless LAN and wired infrastructure. The
FortiWiFi-60B supports a wide array of wireless broadband PC Cards and optional
built-in 802.11 a/b/g wireless support.
The FortiWiFi-60B offers enterprise-class security for the SOHO/ROBO users and
the flexibility needed for quick Point of Sales deployment.
The FortiWiFi-60B is the only dual wireless enabled platform with support for
both WiFi and 3G wireless simultaneously. An integrated 802.11a/b/g wireless
LAN access point with a DMZ, dual WAN and 6 switch interfaces provides ample
connectivity options for the remote office or small size business.
The FortiWiFi-60B supports a wide range of 3G wireless PC Cards to provide an
ideal wireless broadband and wireless LAN gateway.
FortiGate-60/60M/ADSL
The FortiGate-60ADSL offers an integrated ADSL modem for Internet
connectivity. It supports multiple …
FortiWiFi-60/60A/60AM
The FortiWiFi-60 model provides a secure, wireless LAN solution for wireless
connections. It combines mobility and flexibility with FortiWiFi Antivirus
Firewall features, and can be upgraded to future radio technologies. The
FortiWiFi-60 serves as the connection point between wireless and wired
networks …
FortiWiFi-50B
The FortiWiFi-50B adds wireless connectivity by providing standard 802.11 b/g
support. The FortiWiFi-50B can be powered by standards-based Power over
Ethernet (PoE) devices to ease installation and deployment.
FortiGate-50B
The FortiGate-50B offers dual WAN interfaces for load …
FortiGate-50A
The FortiGate-50A unit is designed for telecommuters and small remote …
FortiAnalyzer
FortiAnalyzer™ provides network administrators with the information they need to
enable the best protection and security for their networks against attacks and
vulnerabilities. FortiAnalyzer features include:
• collects logs from FortiGate units and syslog devices and FortiClient
• creates hundreds of reports using collected log data
• scans and reports vulnerabilities
• stores files quarantined from a FortiGate unit
The FortiAnalyzer unit can also be configured as a network analyzer to capture
real-time traffic on areas of your network where firewalls are not employed. You
can also use the unit as a storage device where users can access and share files,
including the reports and logs that are saved on the FortiAnalyzer hard disk.
FortiClient
FortiClient™ Host Security software provides a secure computing environment for
both desktop and laptop users running the most popular Microsoft Windows
operating systems. FortiClient offers many features including:
• creating VPN connections to remote networks
• configuring real-time protection against viruses
• guarding against modification of the Windows registry
• virus scanning.
FortiClient also offers a silent installation feature, enabling an administrator to
efficiently distribute FortiClient to several users’ computers with preconfigured
settings.
FortiManager
FortiManager™ meets the needs of large enterprises (including managed security
service providers) responsible for establishing and maintaining security policies
across many dispersed FortiGate installations. With FortiManager you can
configure multiple FortiGate units and monitor their status. You can also view real-
time and historical logs for FortiGate units. FortiManager emphasizes ease of use,
including easy integration with third party systems.
FortiBridge
FortiBridge™ products are designed to provide enterprise organizations operating
FortiGate units in Transparent mode with continuous network traffic flow in the
event of a power outage or a FortiGate system failure. The FortiBridge unit
bypasses the FortiGate unit to make sure that the network can continue
processing traffic. FortiBridge products are easy to use and deploy, including
providing customizable actions a FortiBridge unit takes in the event of a power
outage or FortiGate system failure.
FortiMail
FortiMail™ provides powerful, flexible heuristic scanning and reporting
capabilities to incoming and outgoing email traffic. The FortiMail unit has reliable,
high performance features for detecting and blocking malicious attachments and
spam, such as FortiGuard Antispam/Antivirus support, heuristic scanning,
greylisting, and Bayesian scanning. Built on Fortinet’s award winning FortiOS and
FortiASIC technology, FortiMail antivirus technology extends full content
inspection capabilities to detect the most advanced email threats.
The most recent version of this document is available from the FortiGate page of
the Fortinet Technical Documentation web site. The information in this document
is also available in a slightly different form as FortiGate web-based manager
online help.
You can find more information about FortiOS v3.0 from the FortiGate page of the
Fortinet Technical Documentation web site as well as from the Fortinet Knowledge
Center.
This administration guide contains the following chapters:
• Web-based manager provides an introduction to the features of the FortiGate
web-based manager, the button bar, and includes information about how to
use the web-based manager online help.
• System Status describes the System Status page, the dashboard of your
FortiGate unit. At a glance you can view the current system status of the
FortiGate unit including serial number, uptime, FortiGuard license information,
system resource usage, alert messages and network statistics. This section
also describes status changes that you can make, including changing the unit
firmware, host name, and system time. Finally this section also describes the
topology viewer that is available on all FortiGate models except those with
model numbers 50 and 60.
• Using virtual domains describes how to use virtual domains to operate your
FortiGate unit as multiple virtual FortiGate units, providing separate firewall
and routing services to multiple networks.
• System Network explains how to configure physical and virtual interfaces and
DNS settings on the FortiGate unit.
• System Wireless describes how to configure the Wireless LAN interface on a
FortiWiFi-60 unit.
• System DHCP provides information about how to configure a FortiGate
interface as a DHCP server or DHCP relay agent.
• System Config contains procedures for configuring HA and virtual clustering,
configuring SNMP and replacement messages, and changing the operation
mode.
• System Certificates explains how to manage X.509 security certificates used
by various FortiGate features such as IPSec VPN and administrator
authentication.
• System Administrators guides you through adding and editing administrator
accounts, defining access profiles for administrators, configuring central
management using the FortiGuard Management Service or FortiManager,
defining general administrative settings such as language, timeouts, and web
administration ports.
• System Maintenance details how to back up and restore the system
configuration using a management computer or a USB disk, use revision
control, enable FortiGuard services and FortiGuard Distribution Network (FDN)
updates, and enter a license key to increase the maximum number of virtual
domains.
• Router Static explains how to define static routes and create route policies. A
static route causes packets to be forwarded to a destination other than the
factory configured default gateway.
• Router Dynamic contains information about how to configure dynamic
protocols to route traffic through large or complex networks.
• Router Monitor explains how to interpret the Routing Monitor list. The list
displays the entries in the FortiGate routing table.
• Firewall Policy describes how to add firewall policies to control connections
and traffic between FortiGate interfaces, zones, and VLAN subinterfaces.
• Firewall Address describes how to configure addresses and address groups
for firewall policies.
• Firewall Service describes available services and how to configure service
groups for firewall policies.
• Firewall Schedule describes how to configure one-time and recurring
schedules for firewall policies.
• Firewall Virtual IP describes how to configure and use virtual IP addresses and
IP pools.
• Firewall Protection Profile describes how to configure protection profiles for
firewall policies.
• SIP support includes some high-level information about VoIP and SIP and
describes how FortiOS SIP support works and how to configure the key SIP
features.
• VPN IPSEC provides information about the tunnel-mode and route-based
(interface mode) Internet Protocol Security (IPSec) VPN options available
through the web-based manager.
• VPN PPTP explains how to use the web-based manager to specify a range of
IP addresses for PPTP clients.
• VPN SSL provides information about basic SSL VPN settings.
• User Authentication details how to control access to network resources
through user authentication.
• AntiVirus explains how to enable antivirus options when you create a firewall
protection profile.
• Intrusion Protection explains how to configure IPS options when a firewall
protection profile is created.
• Web Filter explains how to configure web filter options when a firewall
protection profile is created.
• Antispam explains how to configure spam filter options when a firewall
protection profile is created.
• IM, P2P & VoIP explains how to configure IM, P2P, and VoIP options when a
firewall protection profile is created. You can view IM, P2P, and VoIP statistics
to gain insight into how the protocols are being used within the network.
• Log&Report describes how to enable logging, view log files, and view the basic
reports available through the web-based manager.
Document conventions
The following document conventions are used in this guide:
• To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are
fictional and follow the documentation guidelines specific to Fortinet. The
addresses used are from the private IP address ranges defined in RFC 1918:
Address Allocation for Private Internets, available at
http://ietf.org/rfc/rfc1918.txt?number-1918.
• Notes and Cautions are used to provide important information:
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Typographic conventions
Fortinet documentation uses the following typographical conventions:
Convention Example
Menu commands Go to VPN > IPSEC > Phase 1 and select Create New.
Keyboard input In the Gateway Name field, type a name for the remote VPN
peer or client (for example, Central_Office_1).
Code examples config sys global
set ips-open enable
end
CLI command syntax config firewall policy
edit id_integer
set http_retry_count <retry_integer>
set natip <address_ipv4mask>
end
Document names FortiGate Administration Guide
File content <HTML><HEAD><TITLE>Firewall
Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this
service.</H4>
Program output Welcome!
Variables <address_ipv4>
The chapter or section contains VDOM configuration settings,
see “VDOM configuration settings” on page 97.
The chapter or section contains Global configuration settings,
see “Global configuration settings” on page 98.
FortiGate documentation
The most up-to-date publications and previous releases of Fortinet product
documentation are available from the Fortinet Technical Documentation web site
at http://docs.forticare.com.
The following FortiGate product documentation is available:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference,
default configuration information, installation procedures, connection
procedures, and basic configuration procedures. Choose the guide for your
product model number.
Web-based manager
This section describes the features of the user-friendly web-based manager
administrative interface (sometimes referred to as a graphical user interface, or
GUI) of your FortiGate unit.
Using HTTP or a secure HTTPS connection from any management computer
running a web browser, you can connect to the FortiGate web-based manager to
configure and manage the FortiGate unit. The recommended minimum screen
resolution for the management computer is 1280 by 1024.
You can configure the FortiGate unit for HTTP and HTTPS web-based
administration from any FortiGate interface. To connect to the web-based
manager you require a FortiGate administrator account and password. The
web-based manager supports multiple languages, but by default appears in
English on first use.
You can go to System > Status to view detailed information about the status of
your FortiGate unit on the system dashboard. The dashboard displays information
such as the current FortiOS firmware version, antivirus and IPS definition
versions, operation mode, connected interfaces, and system resources. It also
shows whether the FortiGate unit is connected to a FortiAnalyzer unit and a
FortiManager unit or other central management services.
You can use the web-based manager menus, lists, and configuration pages to
configure most FortiGate settings. Configuration changes made using the
web-based manager take effect immediately without resetting the FortiGate unit or
interrupting service. You can back up your configuration at any time using the
Backup Configuration button on the button bar. The button bar is located in the
upper right corner of the web-based manager. The saved configuration can be
restored at any time.
The web-based manager also includes detailed context-sensitive online help.
Selecting Online Help on the button bar displays help for the current web-based
manager page.
You can use the FortiGate command line interface (CLI) to configure the same
FortiGate settings that you can configure from the web-based manager, as well as
additional CLI-only settings. The system dashboard provides an easy entry point
to the CLI console that you can use without exiting the web-based manager.
This section describes:
• Common web-based manager tasks
• Button bar features
• Contacting Customer Support
• Backing up your FortiGate configuration
• Using FortiGate Online Help
• Logging out
• Web-based manager pages
Note: See the Fortinet Knowledge Center article Recovering lost administrator account
passwords if you forget or lose an administrator account password and cannot log into your
FortiGate unit.
Note: You can also add new administrator accounts by selecting Create New. For more
information about adding administrators, changing administrator account passwords and
related configuration settings, see “System Administrators” on page 195.
[Figure callouts: Contact Customer Support, Online Help, Logout, Back up your FortiGate Configuration]
Show Navigation Open the online help navigation pane. From the navigation pane
you can use the online help table of contents, index, and search to access all
of the information in the online help. The online help is organized in the
same way as the FortiGate web-based manager and the FortiGate
Administration Guide.
Previous Display the previous page in the online help.
Next Display the next page in the online help.
Email Send an email to Fortinet Technical Documentation at
techdoc@fortinet.com if you have comments on or corrections for the
online help or any other Fortinet technical documentation product.
Print Print the current online help page.
Bookmark Add an entry for this online help page to your browser bookmarks or
favorites list to make it easier to find useful online help pages. You
cannot use the Bookmark icon to add an entry to your favorites list if you
are viewing online help from Internet Explorer running on a management
PC with Windows XP and service pack 2 installed.
When you select help for a VDOM configuration settings web-based
manager page the help display includes the VDOM icon. For information
about VDOM configuration settings, see “VDOM configuration settings”
on page 97.
When you select help for a Global configuration settings web-based
manager page the help display includes the Global icon. For information
about Global configuration settings, see “Global configuration settings”
on page 98.
To view the online help table of contents or index, and to use the search feature,
select Online Help in the button bar in the upper right corner of the web-based
manager. From the online help, select Show Navigation.
Figure 7: Online help page with navigation pane and content pane
Contents Display the online help table of contents. You can navigate through the
table of contents to find information in the online help. The online help is
organized in the same way as the FortiGate web-based manager and the
FortiGate Administration Guide.
Index Display the online help index. You can use the index to find information in
the online help.
Search Display the online help search. For more information, see “Searching the
online help” on page 54.
Show in Contents If you have used the index, search, or hyperlinks to find
information in the online help, the table of contents may not be visible or the
table of contents may be out of sync with the current help page. You can select
Show in Contents to display the location of the current help page within
the table of contents.
• You can use the asterisk (*) as a search wildcard character that is replaced by
any number of characters. For example, if you search for auth* the search
finds help pages containing auth, authenticate, authentication,
authenticates, and so on.
• In some cases the search finds only exact matches. For example, if you
search for windows the search may not find pages containing the word
window. You can work around this using the * wildcard (for example by
searching for window*).
[Figure callouts: Go, Search Field, Search Results]
Logging out
The Logout button immediately logs you out of the web-based manager. Log out
before you close the browser window. If you simply close the browser or leave the
web-based manager, you remain logged in until the idle timeout (default 5
minutes) expires. To change the timeout, see “Changing the web-based manager
idle timeout” on page 51.
[Figure callouts: Tabs, Page, Button bar, Menu, Delete, Edit]
If you log in as an administrator with an access profile that allows Read Only
access to a list, you will only be able to view the items on the list (see Figure 11).
Figure 12: An intrusion protection predefined signatures list filtered to display all
signatures containing “apache” with logging enabled, action set to drop,
and severity set to high
[Figure callouts: Filter added to display names that include “apache”; No filter added]
The filter configuration is retained after leaving the web-based manager page and
even after logging out of the web-based manager or rebooting the FortiGate unit.
Different filter styles are available depending on the type of information displayed
in individual columns. In all cases, you configure filters by specifying what to filter
on and whether to display information that matches the filter, or by selecting NOT
to display information that does not match the filter.
Note: Filter settings are stored in the FortiGate configuration and will be maintained the
next time that you access any list for which you have added filters.
On firewall policy, IPv6 policy, predefined signature and log and report log access
lists, you can combine filters with column settings to provide even more control of
the information displayed by the list. See “Using filters with column settings” on
page 63 for more information.
Figure 13: A session list with a numeric filter set to display sessions with source IP
address in the range of 1.1.1.1-1.1.1.2
The text string can be blank and it can also be very long. The text string can also
contain special characters such as <, &, > and so on. However, filtering ignores
characters following a < unless the < is followed by a space (for example, filtering
ignores <string but not < string). Filtering also ignores matched opening and
closing < and > characters and any characters inside them (for example, filtering
ignores <string> but does not ignore >string>).
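The rules above can be written down as a small normalizer, which makes it easy to check why a filter string containing < or > matches more or less than expected. This is an added illustration written for this page, modelling the documented behaviour; it is not FortiGate's own filter code. The function names are this example's, and it assumes that a bare < (not followed by a space) discards the < and everything after it, and that <...> pairs do not nest.

```python
import re

# Added illustration of the documented filter-string rules; not FortiGate code.
def normalize_filter_text(text: str) -> str:
    """Return the part of a filter string that is actually matched.

    Rules modelled:
      1. A matched '<...>' pair, and everything inside it, is ignored.
      2. A '<' that is not followed by a space discards that '<' and every
         character after it (assumption); '< ' with a space is kept.
    A '>' on its own is matched literally.
    """
    # Rule 1: drop matched <...> pairs (no nesting assumed).
    text = re.sub(r"<[^<>]*>", "", text)
    # Rule 2: cut at the first '<' that is not followed by a space.
    cut = re.search(r"<(?! )", text)
    if cut:
        text = text[: cut.start()]
    return text


def filter_matches(filter_text: str, value: str) -> bool:
    """Case-insensitive substring match on the normalized filter text.

    A blank filter, or one that the rules reduce to nothing, matches every
    entry, which is how a blank filter behaves in the list.
    """
    needle = normalize_filter_text(filter_text).lower()
    return needle in value.lower()


if __name__ == "__main__":
    # The examples from the text: constructed inputs, not real signature names.
    for sample in ["<string", "< string", "<string>", ">string>", "apache<b>x"]:
        print(repr(sample), "->", repr(normalize_filter_text(sample)))
```

Note that `filter_matches("<script", value)` is true for every value: the whole filter is discarded, so the list is effectively unfiltered rather than empty.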
Figure 14: A firewall policy list filter set to display all policies that do not include a
source address with a name that contains “My_Address”
Figure 15: An intrusion protection predefined signature list filter set to display all
signatures with Action set to block
Custom filters
Other custom filters are also available. You can filter log messages according to
date range and time range. You can also set the level filter to display log
messages with multiple severity levels.
Figure 16: A log access filter set to display all log messages with level of alert,
critical, error, or warning
Note: Any changes that you make to the column settings of a list are stored in the FortiGate
configuration and will display the next time that you access the list.
To change column settings on a list that supports it, select Column Settings. From
“Available Fields”, select the column headings to be displayed and then select the
Right Arrow to move them to the “Show these fields in this order” list. Similarly, to
hide column headings, use the Left Arrow to move them back to the “Available
fields” list. Use Move up and Move down to change the order in which to display
the columns.
For example, you can change interface list column headings to display only the
IP/Netmask, MAC address, MTU, and interface Type for each interface.
Figure 20: A pre-defined signatures list displaying pre-defined signatures for the
Veritas and Winamp applications
For more information, see “Adding filters to web-based manager lists” on page 58.
Insert before Add a new item to a list so that it precedes the current item.
Used in lists when the order of items in the list is significant,
for example firewall policies, IPS Sensors, and DoS Sensors.
Last page View the last page of a list.
Move to Change the position of an item in a list. Used in lists when the
order of items in the list is significant, for example firewall
policies, IPS Sensors, and DoS Sensors.
Next page View the next page of a list.
System Status
This section describes the System Status page, the dashboard of your FortiGate
unit. At a glance you can view the current system status of the FortiGate unit
including serial number, uptime, FortiGuard™ license information, system
resource usage, alert messages and network statistics.
Note: Your browser must support Javascript to view the System Status page.
If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is
available globally and system status settings are configured globally for the entire
FortiGate unit. The Topology viewer is not available when VDOMs are enabled.
For details, see “Using virtual domains” on page 95.
This section describes:
• Status page
• Changing system information
• Changing the FortiGate firmware
• Viewing operational history
• Manually updating FortiGuard definitions
• Viewing Statistics
• Topology
Status page
View the System Status page, also known as the system dashboard, for a
snapshot of the current operating status of the FortiGate unit. FortiGate
administrators whose access profiles permit read access to System Configuration
can view system status information.
When the FortiGate unit is part of an HA cluster, the System Status page includes
basic high availability (HA) cluster status, such as the name of the cluster and
the cluster members with their host names. To view more complete status
information for the cluster, go to System > Config > HA. For more information,
see “HA” on page 167. HA is not available on FortiGate-50A and 50AM models.
FortiGate administrators whose access profiles permit write access to system
configuration can change or update FortiGate unit information. For information on
access profiles, see “Access profiles” on page 208.
To view this page, your access profile must permit read access to system
configuration. If you also have system configuration write access, you can modify
system information and update FortiGuard - AV and FortiGuard - IPS definitions.
For information on access profiles, see “Access profiles” on page 208.
The System Status page is customizable. You can select which widgets to display,
where they are located on the page, and whether they are minimized or maximized.
Each display has an icon associated with it for easy recognition when minimized.
Select Add Content to add any of the widgets not currently shown on the System
Status page. Any widgets currently on the System Status page will be greyed out
in the Add Content menu, as you can only have one of each display on the
System Status page. Optionally select Back to Default to restore the historic
System Status page configuration.
Position your mouse over a display’s titlebar to see your available options for that
display. The options vary slightly from display to display.
System Information
Go to System > Status to find System Information.
Serial Number The serial number of the FortiGate unit. The serial number is specific
to the FortiGate unit and does not change with firmware upgrades.
Uptime The time in days, hours, and minutes since the FortiGate unit was
started.
System Time The current date and time according to the FortiGate unit’s internal
clock.
Select Change to change the time or configure the FortiGate unit to
get the time from an NTP server. See “Configuring system time” on
page 80.
HA Status The status of high availability for this unit.
Standalone indicates the unit is not operating in HA mode.
Active-Passive or Active-Active indicate the unit is operating in HA
mode.
Select Configure to configure the HA status for this unit. See “HA” on
page 167.
Current Administrators The number of administrators currently logged into the
FortiGate unit. Select Details to view more information about each
administrator that is currently logged in. The additional information
includes user name, type of connection, IP address from which they are
connecting, and when they logged in.
License Information
License Information displays the status of your technical support contract and
FortiGuard subscriptions. The FortiGate unit updates the license information
status indicators automatically when attempting to connect to the FortiGuard
Distribution Network (FDN). FortiGuard Subscriptions status indicators are green
if the FDN was reachable and the license was valid during the last connection
attempt, grey if the FortiGate unit cannot connect to the FDN, and orange if the
FDN is reachable but the license has expired.
Selecting any of the Configure options will take you to the Maintenance page. For
more information, see “System Maintenance” on page 229.
Support Contract The Fortinet technical support contract number and expiry
date, or registration status.
If Not Registered appears, select Register to register the
unit.
If Expired appears, select Renew for information on
renewing your technical support contract. Contact your local
reseller.
FortiGuard Subscriptions
AntiVirus The FortiGuard Antivirus version, license issue date and
service status. If your license has expired, you can select
Renew to renew the license.
AV Definitions The currently installed version of the FortiGuard Antivirus
definitions. To update the definitions manually, select
Update. For more information, see “To update FortiGuard AV
Definitions manually” on page 84.
Intrusion Protection The FortiGuard Intrusion Prevention System (IPS) license
version, license issue date and service status. If your license
has expired, you can select Renew to renew the license.
IPS Definitions The currently installed version of the IPS attack definitions.
To update the definitions manually, select Update. For more
information, see “To update FortiGuard IPS Definitions
manually” on page 85.
Web Filtering The FortiGuard Web Filtering license, license expiry date
and service status. If your license has expired, you can
select Renew to renew the license.
Antispam The FortiGuard Antispam license type, license expiry date
and service status. If your license has expired, you can
select Renew to renew the license.
Analysis & Management Services The FortiGuard Analysis Service and Management
Service license, license expiry date and reachability status.
Services Account ID Select “change” to enter a different Service Account ID. This
ID is used to validate your license for subscription services
such as FortiGuard Management Service and FortiGuard
Analysis Service.
Virtual Domain
VDOMs Allowed The maximum number of virtual domains the unit supports
with the current license.
For FortiGate 3000 models or higher, you can select the
Purchase More link to purchase a license key through
Fortinet technical support to increase the maximum number
of VDOMs. See “License” on page 254.
Unit Operation
In the Unit Operation area, an illustration of the FortiGate unit’s front panel shows
the status of the unit’s Ethernet network interfaces. If a network interface is green,
that interface is connected. Pause the mouse pointer over the interface to view the
name, IP address, netmask and current up/down status of the interface.
If you select Reboot or ShutDown, a pop-up window opens allowing you to enter
the reason for the system event.
You can only have one management and one logging/analyzing method displayed
for your FortiGate unit. The graphic for each will change based on which method
you choose. If none are selected, no graphic is shown.
Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and
admin events are enabled. For more information on Event Logging, see “Event log” on
page 536.
INT / EXT / DMZ / HA / 1/2/3/4 The network interfaces on the FortiGate unit. The
names and number of these interfaces vary by model.
The icon below the interface name indicates its up/down status by
color. Green indicates the interface is connected. Grey indicates
there is no connection.
For more information about the configuration and status of an
interface, pause the mouse over the icon for that interface. A
tooltip displays the full name of the interface, its alias if one is
configured, the IP address and netmask, the status of the link, the
speed of the interface, and the number of sent and received
packets.
AMC-SW1/1, ... AMC-DW1/1, ... If your FortiGate unit supports Advanced Mezzanine
Card (AMC) modules and if you have installed an AMC module containing
network interfaces (for example, the FortiGate-ASM-FB4 contains
4 interfaces) these interfaces are added to the interface status
display. The interfaces are named for the module, and the
interface. For example AMC-SW1/3 is the third network interface
on the SW1 module, and AMC-DW2/1 is the first network interface
on the DW2 module.
AMC modules support hard disks as well, such as the ASM-S08
module. When a hard disk is installed, ASM-S08 is visible as well
as a horizontal bar and percentage indicating how full the hard
disk is.
FortiAnalyzer The icon on the link between the FortiGate unit graphic and the
FortiAnalyzer graphic indicates the status of their OFTP
connection. An ‘X’ on a red icon indicates there is no connection.
A check mark on a green icon indicates there is OFTP
communication.
Select the FortiAnalyzer graphic to configure remote logging to the
FortiAnalyzer unit on your FortiGate unit. See “Logging to a
FortiAnalyzer unit” on page 529.
FortiGuard Analysis Service The icon on the link between the FortiGate unit
graphic and the FortiGuard Analysis Service graphic indicates the status of
their OFTP connection. An ‘X’ on a red icon indicates there is no
connection. A check mark on a green icon indicates there is OFTP
communication.
Select the FortiGuard Analysis Service graphic to configure
remote logging to the FortiGuard Analysis Service. See
“FortiGuard Analysis and Management Service” on page 526.
FortiManager The icon on the link between the FortiGate unit graphic and the
FortiManager graphic indicates the status of the connection. An ‘X’
on a red icon indicates there is no connection. A check mark on a
green icon indicates there is communication between the two
units.
Select the FortiManager graphic to configure central management
on your FortiGate unit. See “Central Management” on page 212.
FortiGuard Management Service The icon on the link between the FortiGate unit
graphic and the FortiGuard Management Service graphic indicates the status of
the connection. An ‘X’ on a red icon indicates there is no
connection. A check mark on a green icon indicates there is
communication.
Select the FortiGuard Management Service graphic to configure
central management on your FortiGate unit. See “Central
Management” on page 212.
Reboot Select to shut down and restart the FortiGate unit. You will be
prompted to enter a reason for the reboot that will be entered into
the logs.
Shutdown Select to shut down the FortiGate unit. You will be prompted for
confirmation, and also prompted to enter a reason for the
shutdown that will be entered into the logs.
Reset Select to reset the FortiGate unit to factory default settings. You
will be prompted for confirmation.
System Resources
The System Resources widget displays basic FortiGate unit resource usage, such
as CPU and memory (RAM) usage. Any System Resources that are not displayed
on the status page can be viewed as a graph by selecting the History icon.
The following types of messages can appear in the Alert Message Console:
Statistics
The Statistics widget is designed to allow you to see at a glance what is
happening on your FortiGate unit with regards to network traffic and attack
attempts.
You can quickly see the amount and type of traffic as well as any attack attempts
on your system. To investigate an area that draws your attention, select Details for
a detailed list of the most recent activity.
The information displayed in the statistics widget is derived from log messages
that can be saved to a FortiAnalyzer unit, saved locally, or backed up to an
external source such as a syslog server. You can use this data to see trends in
network activity or attacks over time.
Note: The Email statistics are based on email protocols. POP3 traffic is registered as
incoming email, and SMTP is outgoing email. If incoming or outgoing email does not use
these protocols, these statistics will not be accurate.
For detailed procedures involving the Statistics list, see “Viewing Statistics” on
page 85.
Since The date and time when the counts were last reset.
Counts are reset when the FortiGate unit reboots, or when you
select Reset.
Reset Reset the Content Archive and Attack Log statistic counts to zero.
Sessions The number of communications sessions being handled by the
FortiGate unit. Select Details for detailed information. See “Viewing
the session list” on page 85.
Content Archive A summary of the HTTP, HTTPS, e-mail, VoIP, and IM/P2P traffic
that has passed through the FortiGate unit, and whose metadata
and/or files or traffic have been content archived.
The Details pages list the last 64 items of the selected type and
provide links to the FortiAnalyzer unit where the archived traffic is
stored. If logging to a FortiAnalyzer unit is not configured, the
Details pages provide a link to Log & Report > Log Config >
Log Settings.
Attack Log A summary of viruses, attacks, spam email messages and blocked
URLs that the FortiGate unit has intercepted. The Details pages list
the most recent 10 items, providing the time, source, destination
and other information.
CLI Console
The System Status page can include a CLI. To use the console, select it to
automatically log in to the admin account you are currently using in the web-based
manager. You can copy (CTRL-C) and paste (CTRL-V) text from or to the CLI
Console.
Customize
The two controls located on the CLI Console widget’s title bar are Customize, and
Detach.
Detach moves the CLI Console widget into a pop-up window that you can resize
and reposition. The two controls on the detached CLI Console are Customize and
Attach. Attach moves the CLI console widget back onto the System Status page.
Customize allows you to change the appearance of the console by defining fonts
and colors for the text and background.
Top Sessions
Top Sessions displays a bar graph representing the IP addresses that have the
most sessions open on the FortiGate unit. The sessions are sorted by either their
source or destination IP address. The sort criterion in use is displayed in the
top right corner.
The Top Sessions display polls the kernel for session information, and this slightly
impacts the FortiGate unit performance. For this reason when this display is not
shown on the dashboard, it is not collecting data, and not impacting system
performance. When the display is shown, information is only stored in memory
and a reboot will reset the statistics to zero.
The Top Sessions display is not part of the default dashboard display. It can be
displayed by selecting Add Content, and selecting Top Sessions from the drop
down menu.
Selecting edit for Top Sessions allows changes to the:
• refresh interval
• sort criteria to change between source and destination addresses of the
sessions
• number of top sessions to show
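The two list features described on this page, the numeric range filter on the session list (Figure 13, source address in the range 1.1.1.1-1.1.1.2, with the NOT option) and the Top Sessions ranking by source or destination address, come down to the same few operations on session records. The following is an added example written for this page, not FortiGate code: it parses constructed session rows laid out in the session list's column order, applies a range filter with optional negation, and ranks addresses by open session count. The row format, function names and sample addresses are this example's assumptions.

```python
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample rows (not a real capture) in the session list's column
# order: Protocol, Source Address, Source Port, Destination Address,
# Destination Port, Policy ID, Expiry (sec). Invented addresses throughout.
SAMPLE_SESSIONS = """\
tcp 1.1.1.1 50231 198.51.100.10 443 3 3599
tcp 1.1.1.1 50232 198.51.100.10 443 3 3598
tcp 1.1.1.2 40011 198.51.100.20 80 3 120
udp 192.0.2.7 5353 198.51.100.30 53 5 60
tcp 192.0.2.7 33000 198.51.100.10 443 3 3500
icmp 1.1.1.9 0 198.51.100.40 0 7 10
"""


@dataclass(frozen=True)
class Session:
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    policy_id: int
    expiry: int


def parse_sessions(text: str) -> list[Session]:
    """Parse whitespace-separated rows in the column order above."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, policy_id, expiry = line.split()
        sessions.append(Session(proto, ipaddress.IPv4Address(src), int(sport),
                                ipaddress.IPv4Address(dst), int(dport),
                                int(policy_id), int(expiry)))
    return sessions


def in_range(addr: ipaddress.IPv4Address, low: str, high: str) -> bool:
    """Inclusive numeric comparison, as a 'low-high' range filter implies."""
    return ipaddress.IPv4Address(low) <= addr <= ipaddress.IPv4Address(high)


def filter_by_source_range(sessions: list[Session], low: str, high: str,
                           negate: bool = False) -> list[Session]:
    """Keep sessions whose source is in [low, high]; negate models NOT."""
    return [s for s in sessions if in_range(s.src, low, high) != negate]


def top_sessions(sessions: list[Session], by: str = "source",
                 n: int = 5) -> list[tuple[str, int]]:
    """Rank addresses by open session count, sorted by source or destination."""
    if by not in ("source", "destination"):
        raise ValueError("by must be 'source' or 'destination'")
    pick = (lambda s: s.src) if by == "source" else (lambda s: s.dst)
    return Counter(str(pick(s)) for s in sessions).most_common(n)


if __name__ == "__main__":
    rows = parse_sessions(SAMPLE_SESSIONS)
    print("in 1.1.1.1-1.1.1.2:", len(filter_by_source_range(rows, "1.1.1.1", "1.1.1.2")))
    print("top destinations:", top_sessions(rows, by="destination", n=3))
```

Ranking by destination is usually the quicker read when looking for a host that is drawing many connections, while the source ranking is the one that surfaces a single internal address opening far more sessions than its peers.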
Top Viruses
Top Viruses displays a bar graph representing the virus threats that have been
detected most frequently by the FortiGate unit.
The Top Viruses display is not part of the default dashboard display. It can be
displayed by selecting Add Content, and selecting Top Viruses from the drop
down menu.
Selecting the history icon opens a window that displays up to the 20 most recent
viruses that have been detected with information including the virus name, when it
was last detected, and how many times it was detected. The system stores up to
1024 entries, but only displays up to 20 in the GUI.
Selecting the edit icon for Top Viruses allows changes to the:
• refresh interval
• top viruses to show
Top Attacks
Top Attacks displays a bar graph representing the most numerous attacks
detected by the FortiGate unit.
The Top Attacks display is not part of the default dashboard display. It can be
displayed by selecting Add Content > Top Attacks from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent
attacks that have been detected with information including the attack name, when
it was last detected, and how many times it was detected. The FortiGate unit
stores up to 1024 entries, but only displays up to 20 in the web-based manager.
Selecting the Edit icon for Top Attacks allows changes to the:
• refresh interval
• top attacks to show
Traffic History
The traffic history display shows the traffic on one selected interface over the last
hour, day, and month. This feature can help you locate peaks in traffic that you
need to address as well as their frequency, duration, and other information.
Only one interface at a time can be monitored. You can change the interface
being monitored by selecting Edit, choosing the interface from the drop down
menu, and selecting Apply. Doing this will clear all the traffic history data.
Set Time Select to set the FortiGate system date and time to the values you
set in the Hour, Minute, Second, Year, Month and Day fields.
Synchronize with NTP Server Select to use an NTP server to automatically set the
system date and time. You must specify the server and synchronization interval.
Server Enter the IP address or domain name of an NTP server. To find an
NTP server that you can use, see http://www.ntp.org.
Sync Interval Specify how often the FortiGate unit should synchronize its time
with the NTP server. For example, a setting of 1440 minutes causes
the FortiGate unit to synchronize its time once a day.
Note: If the FortiGate unit is part of an HA cluster, you should use a unique host name to
distinguish the unit from others in the cluster.
Note: To access firmware updates for your FortiGate model, you will need to register your
FortiGate unit with Customer Support. For more information go to
http://support.fortinet.com or contact Customer Support.
For more information about using the USB disk, and the FortiGuard Network see
“System Maintenance” on page 229.
Upgrade From Select the firmware source from the drop down list of available
sources.
Possible sources include Local Hard Disk, USB, and FortiGuard
Network.
Upgrade File Browse to the location of the firmware image on your local hard
disk.
This field is available for local hard disk and USB only.
Note: Installing firmware replaces the current antivirus and attack definitions with the
definitions included with the firmware release that you are installing. After you install new
firmware, use the procedure “To update antivirus and attack definitions” on page 249 to
make sure that antivirus and attack definitions are up to date.
Time Interval Select the time interval that the graphs show.
CPU Usage History CPU usage for the preceding interval.
Memory Usage History Memory usage for the preceding interval.
Session History Number of sessions over the preceding interval.
Network Utilization History Network utilization for the preceding interval.
Virus History Number of Viruses detected over the preceding interval.
Intrusion History Number of intrusion attempts detected over the preceding
interval.
Note: For information about configuring the FortiGate unit for automatic AV and automatic
IPS (attack) definitions updates, see “FortiGuard” on page 241.
Viewing Statistics
The System Status Statistics provide information about sessions, content
archiving and network protection activity.
Virtual Domain Select a virtual domain to list the sessions being processed by that
virtual domain. Select All to view sessions being processed by all virtual
domains.
This is only available if virtual domains are enabled. For more
information see “Using virtual domains” on page 95.
Refresh Icon Update the session list.
First Page Select to go to the first displayed page of current sessions.
Previous Page Select to go to the page of sessions immediately before the current page.
Page Enter the number of the page at which the displayed session list should start.
For example if there are 5 pages of sessions and you enter 3, page 3 of
the sessions will be displayed.
The number following the ‘/’ is the number of pages of sessions.
Next Page Select to go to the next page of sessions.
Last Page Select to go to the last displayed page of current sessions.
Total The total number of sessions.
Clear All Filters Select to reset any display filters that may have been set.
Filter Icon The icon at the top of all columns except #, and Expiry. When selected it
brings up the Edit Filter dialog allowing you to set the display filters by
column. See “Adding filters to web-based manager lists” on page 58.
Protocol The service protocol of the connection, for example, udp, tcp, or icmp.
Source Address The source IP address of the connection.
Source Port The source port of the connection.
Destination Address The destination IP address of the connection.
Destination Port The destination port of the connection.
Policy ID The number of the firewall policy allowing this session or blank if the
session involves only one FortiGate interface (admin session, for
example).
Expiry (sec) The time, in seconds, before the connection expires.
Delete icon Stop an active communication session. Your access profile must include
read and write access to System Configuration.
Date and Time The time when the URL was accessed.
From The IP address from which the URL was accessed.
URL The URL that was accessed.
Date and Time The time that the email passed through the FortiGate unit.
From The sender’s email address.
To The recipient’s email address.
Subject The subject line of the email.
Date and Time The time when the virus was detected.
From The sender’s email address or IP address.
Date and Time The time that the attack was detected.
From The source of the attack.
To The target host of the attack.
Service The service type.
Attack The type of attack that was detected and prevented.
Date and Time The time that the spam was detected.
From->To IP The sender and intended recipient IP addresses.
From->To Email Accounts The sender and intended recipient email addresses.
Service The service type, such as SMTP, POP or IMAP.
SPAM Type The type of spam that was detected.
Date and Time The time that the attempt to access the URL was detected.
From The host that attempted to view the URL.
URL Blocked The URL that was blocked.
Topology
The Topology page provides a way to diagram and document the networks
connected to your FortiGate unit. It is available on all FortiGate models except
FortiGate-50 and FortiGate-60. The Topology viewer is not available if Virtual
Domains (VDOMs) are enabled.
Go to System > Status > Topology to view the system topology. The Topology
page consists of a large canvas upon which you can draw a network topology
diagram of your FortiGate installation.
Zoom out. Select to display a larger portion of the drawing area in the
viewport, making objects appear smaller.
Scroll. Select this control and then drag the drawing area
background to move the viewport within the drawing area. This has
the same effect as moving the viewport rectangle within the viewport
control.
Select. Select this control and then drag to create a selection
rectangle. Objects within the rectangle are selected when you
release the mouse button.
Exit. Select to finish editing the diagram. Save changes first.
The toolbar contracts to show only the Refresh and Zoom controls.
The FortiGate unit object shows the link status of the unit’s interfaces. Green
indicates the interface is up. Grey indicates the interface is down. Select the
interface to view its IP address and netmask, if assigned.
Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or
more virtual units that function as multiple independent units. A single FortiGate
unit is then flexible enough to serve multiple departments of an organization,
separate organizations, or be the basis for a service provider’s managed security
service.
Some benefits of VDOMs are:
• Easier administration
• Maintain Security
• Easy to increase or decrease number of VDOMs
Easier administration
VDOMs provide separate security domains that allow separate zones, user
authentication, firewall policies, routing, and VPN configurations. Using VDOMs
can also simplify administration of complex configurations because you do not
have to manage as many routes or firewall policies at one time. See “VDOM
configuration settings” on page 97.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all
of the FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall
policies, routing settings, and VPN settings.
Also you can optionally assign an administrator account restricted to that VDOM.
If the VDOM is created to serve an organization, this feature enables the
organization to manage its own configuration.
Management systems such as SNMP, logging, alert email, FDN-based updates
and NTP-based time setting use addresses and routing in the management
VDOM to communicate with the network. They can connect only to network
resources that communicate with the management virtual domain. The
management VDOM is set to root by default, but can be changed. For more
information see “Changing the Management VDOM” on page 106.
Maintain Security
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can
create firewall policies for connections between VLAN subinterfaces or zones in
the VDOM. Packets do not cross the virtual domain border internally. To travel
between VDOMs a packet must pass through a firewall on a physical interface.
The packet then arrives at another VDOM on a different interface where it must
pass through another firewall before entering. Both VDOMs are on the same
FortiGate unit. Inter-VDOMs change this in that they are internal interfaces,
however their packets go through all the same security measures as on physical
interfaces.
Without VDOMs, administrators can easily access settings across the FortiGate.
This can lead to security issues or far-reaching configuration errors. However,
administrator permissions are specific to one VDOM. An admin on one VDOM
can't change information on another VDOM. Any configuration changes, and
potential errors, will apply only to that VDOM and limit any potential down time.
The remainder of FortiGate functionality is global - it applies to all VDOMs. This
means there is one intrusion prevention configuration, one antivirus configuration,
one web filter configuration, one protection profile configuration, and so on. As
well, VDOMs share firmware versions, antivirus and attack databases. The
operating mode, NAT/Route or Transparent, is independently selectable for each
VDOM. For a complete list of shared configuration settings, see “Global
configuration settings” on page 98.
Note: When configuring a FortiAnalyzer unit, VDOMs count toward the maximum number
of FortiGate units allowed by the FortiAnalyzer unit’s license. The total number of devices
registered can be seen on the FortiAnalyzer unit’s System Status page under License
Information.
If virtual domain configuration is enabled and you log in as the default super
admin, you can go to System > Status and look at Virtual Domain in the License
Information section to see the maximum number of virtual domains supported on
your FortiGate unit.
For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.
Enabling VDOMs
Using the default admin administration account, you can enable multiple VDOM
operation on the FortiGate unit.
Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If
you attempt to name a new VDOM vsys_ha or vsys_fgfm it will generate an error.
Create New Select to add a new VDOM. Enter the new VDOM name and
select OK.
The VDOM must not have the same name as an existing VDOM,
VLAN or zone. The VDOM name can be a maximum of 11
characters long without spaces.
Management Virtual Domain Change the management VDOM to the selected VDOM in
the drop down list. The management VDOM is indicated in the list of
VDOMs as being greyed out in the Enable column. The default
management VDOM is root.
For more information see “Changing the Management VDOM” on
page 106.
Apply Select Apply to save your changes to the Management VDOM.
Enable There are three states this column can be in.
A green check mark indicates this VDOM is enabled, and you can
select the Enter icon to change to that VDOM.
An empty check box indicates this VDOM is disabled. When
disabled, the configuration of that VDOM is preserved. The Enter
icon is not available.
A greyed out checkbox indicates this VDOM is the management
VDOM. It cannot be deleted or changed to disabled - it is always
active.
Name The name of the VDOM.
Operation Mode The VDOM operation mode, either NAT or Transparent.
Interfaces The interfaces associated with this VDOM, including virtual
interfaces.
Every VDOM includes an SSL VPN virtual interface named for
that VDOM. For the root VDOM this interface is ssl.root.
Comments When you are creating a VDOM you can add comments to
provide custom information about this VDOM.
Delete icon Select to delete the VDOM.
The delete icon appears only when there are no configuration
objects associated with that VDOM. For example you must
remove all referring interfaces, profiles, and so on before you can
delete the VDOM.
If the delete icon does not appear and you do not want to delete
all the referring configuration, you can disable the VDOM instead.
Edit icon Select to change the description of the VDOM. The name of the
VDOM can not be changed.
Enter icon Select to enter the selected VDOM.
After entering a VDOM you will only be able to view and change
settings specific to that VDOM.
Inter-VDOM links
An inter-VDOM link is a pair of interfaces that enable you to communicate
between 2 VDOMs internally without using a physical interface. Inter-VDOM links
have the same security as physical interfaces, but allow more flexible
configurations that are not limited by the number of physical interfaces on your
FortiGate unit. As with all virtual interfaces, the speed of the link depends on the
CPU load but generally it is faster than physical interfaces. There are no MTU
settings for inter-VDOM links. DHCP support includes inter-VDOM links.
A packet can pass through an inter-VDOM link a maximum of three times. This is
to prevent a loop. When traffic is encrypted or decrypted it changes the content of
the packets and this resets the inter-VDOM counter. However, using IPIP or GRE
tunnels does not reset the counter.
In HA mode, inter-VDOM links must have both ends of the link within the same
virtual cluster. DHCP over IPSec is supported for inter-VDOM links, however
regular DHCP services are not available.
On the interface screen, an inter-VDOM link has an entry for the link. This can be
expanded to show the 2 virtual interfaces in that link. The type of interface for the
link is “VDOM link” and each of the virtual interfaces is “pair” type. Each of the
virtual interfaces is named using the inter-VDOM link name with an added “0” or
“1”. So if the inter-VDOM link is called “vlink” the interfaces would be “vlink0” and
“vlink1”.
Note: Inter-VDOM links cannot refer to a domain that is in transparent mode.
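The naming and loop-protection rules above, as an added Python model that is not FortiOS code and not from this guide: make_vdom_link builds the “0”/“1” pair interfaces for a link name, and trace_packet applies the three-pass limit, resetting it on IPSec encryption or decryption but not on IPIP or GRE encapsulation. The event vocabulary and the VDOM names root, dmz and guest are constructed for the example.

```python
# Added illustration of the inter-VDOM link rules described in this guide.
# This is not FortiOS code; the event names used below are a constructed
# vocabulary for the model.
from typing import Dict, List, Tuple

# A packet may cross an inter-VDOM link at most three times (loop protection).
MAX_VDOM_LINK_PASSES = 3


class VdomLinkError(ValueError):
    """Raised when a link name or topology breaks the documented rules."""


def make_vdom_link(name: str, vdom0: str, vdom1: str) -> Dict[str, str]:
    """Return the two 'pair' interfaces of an inter-VDOM link mapped to their VDOMs.

    Rules from the guide: the link name has at most 11 characters, no spaces
    and no special characters other than '-' and '_', and the real interfaces
    are the name with '0' and '1' appended.  The two ends sit in different VDOMs.
    """
    if not 0 < len(name) <= 11:
        raise VdomLinkError("link name must be 1 to 11 characters long")
    if not all(ch.isalnum() or ch in "-_" for ch in name):
        raise VdomLinkError("only letters, digits, '-' and '_' are allowed")
    if vdom0 == vdom1:
        raise VdomLinkError("both ends of a link must be in different VDOMs")
    return {name + "0": vdom0, name + "1": vdom1}


def partner(interface: str) -> str:
    """The other end of a pair interface: vlink0 <-> vlink1."""
    return interface[:-1] + ("1" if interface.endswith("0") else "0")


def trace_packet(start_vdom: str, hops: List[Tuple[str, str]],
                 links: Dict[str, str]) -> Tuple[bool, str, List[str]]:
    """Walk a packet through a list of (event, detail) hops.

    Events (constructed vocabulary):
      ("vdom-link", "vlink0")           leave the current VDOM through that interface
      ("ipsec", "encrypt" | "decrypt")  packet content changes: counter resets
      ("tunnel", "gre" | "ipip")        encapsulation only: counter is not reset
    Returns (delivered, final_vdom, log).
    """
    vdom, passes, log = start_vdom, 0, []
    for event, detail in hops:
        if event == "vdom-link":
            if links.get(detail) != vdom:
                raise VdomLinkError(f"{detail} is not an interface of VDOM {vdom}")
            passes += 1
            vdom = links[partner(detail)]
            log.append(f"{detail} -> {vdom}: pass {passes} of {MAX_VDOM_LINK_PASSES}")
            if passes > MAX_VDOM_LINK_PASSES:
                log.append("dropped: inter-VDOM pass limit exceeded (loop protection)")
                return False, vdom, log
        elif event == "ipsec":
            passes = 0
            log.append(f"IPSec {detail}: pass counter reset")
        elif event == "tunnel":
            log.append(f"{detail.upper()} encapsulation: counter stays at {passes}")
        else:
            raise ValueError(f"unknown event {event!r}")
    return True, vdom, log


# Constructed topology: root <-vlink-> dmz <-vl-dmz-> guest
LINKS: Dict[str, str] = {}
LINKS.update(make_vdom_link("vlink", "root", "dmz"))
LINKS.update(make_vdom_link("vl-dmz", "dmz", "guest"))

# A packet bouncing between root and dmz is dropped on its fourth pass.
BOUNCE = [("vdom-link", "vlink0"), ("vdom-link", "vlink1")] * 2

if __name__ == "__main__":
    cases = [("bounce", BOUNCE),
             ("bounce+ipsec", BOUNCE[:3] + [("ipsec", "decrypt")] + BOUNCE[3:]),
             ("bounce+gre", BOUNCE[:3] + [("tunnel", "gre")] + BOUNCE[3:])]
    for label, hops in cases:
        delivered, vdom, log = trace_packet("root", hops, LINKS)
        print(label, "delivered" if delivered else "dropped", "in", vdom)
        for line in log:
            print("   ", line)
```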
4 Enter the name for the new VDOM link, up to a maximum of 11 characters.
The name must not contain any spaces, or special characters. Hyphens (“-”) and
underlines (“_”) are allowed. Remember that the name will have a “0” or “1”
attached to the end for the actual interfaces.
5 Configure VDOM link “0”.
6 Select the VDOM from the menu. This is the VDOM this interface will connect to,
and is different from the VDOM for the other interface in the VDOM link.
7 Enter the IP address and netmask for this interface.
8 Select the administrative access method or methods. Keep in mind that PING,
TELNET, and HTTP are less secure methods.
9 Optionally enter a description for this interface.
10 Repeat steps 6 through 9 for VDOM link “1”.
11 Select OK to save your configuration and return to the System > Interface
screen.
• routing
• firewall policy
• IP pool
• proxy arp (only accessible through the CLI)
Before removing these configurations, it is recommended that you backup your
configuration, so you can restore it if you want to create this VDOM at a later date.
Delete the items in this list or modify them to remove the interface before
proceeding.
Note: An interface or subinterface is available for reassigning or removing once the delete
icon is displayed. Until then, the interface is used in a configuration somewhere.
Instead of deleting a VDOM, you can disable a VDOM. This has the benefit of
preserving your configuration and saving the time to remove and re-configure it
later.
Note: If an admin account is assigned to a VDOM, that VDOM cannot be deleted until that
account is removed, or assigned to another VDOM.
Note: You cannot change the management VDOM if any administrators are using RADIUS
authentication.
System Network
This section describes how to configure your FortiGate unit to operate in your
network. Basic network settings include configuring FortiGate interfaces and DNS
settings. More advanced configuration includes adding VLAN subinterfaces and
zones to the FortiGate network configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, you configure most
system network settings globally for the entire FortiGate unit. For example, all
interface settings, including adding interfaces to VDOMs, are part of the global
configuration. However, zones, the modem interface, and the Transparent mode
routing table are configured separately for each virtual domain. For details, see
“Using virtual domains” on page 95.
This section describes:
• Interfaces
• Configuring zones
• Configuring the modem interface
• Configuring Networking Options
• Routing table (Transparent Mode)
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode
Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate
interface or to a virtual FortiGate VLAN subinterface.
Note: If you can enter both an IP address and a netmask in the same field, you can use the
short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered
as 192.168.1.100/24.
Interfaces
In NAT/Route mode, go to System > Network > Interface to configure FortiGate
interfaces. You can:
• modify the configuration of a physical interface
• add and configure VLAN subinterfaces
• configure an ADSL interface
• aggregate several physical interfaces into an IEEE 802.3ad interface (models
300A, 310B, 400A, 500A, 620B, and 800 or higher)
• combine physical interfaces into a redundant interface
• add wireless interfaces (FortiWiFi models 50B, 60A, 60AM, and 60B) and
service set identifiers (SSIDs) (see “Adding a wireless interface” on page 152)
• add and configure VDOM links (see “Inter-VDOM links” on page 103)
For information about VLANs, see “FortiGate units and VLANs” on page 139.
Figure 48: Interface list - admin view with virtual domains enabled
Description icon The tooltip for this icon displays the Description field for this interface.
For more information see “Interface settings” on page 112.
Name The names of the physical interfaces on your FortiGate unit. This
includes any alias names that have been configured.
The name, including number, of a physical interface depends on the
model. Some names indicate the default function of the interface such
as Internal, External and DMZ. Other names are generic such as port1.
FortiGate models numbered 50 and 60 provide a modem interface. Also
models with a USB port support a connected modem. See “Configuring
the modem interface” on page 129.
The oob/ha interface is the FortiGate-4000 out of band management
interface. You can connect to this interface to manage the FortiGate
unit. This interface is also available as an HA heartbeat interface.
On FortiGate-60ADSL units, you can configure the ADSL interface. See
“Configuring an ADSL interface” on page 115.
On FortiGate models 300A, 400A, 500A, and 800 or higher, if you
combine several interfaces into an aggregate interface, only the
aggregate interface is listed, not the component interfaces. The same is
true for redundant interfaces. See “Creating an 802.3ad aggregate
interface” on page 116 or “Creating a redundant interface” on page 117.
If you have added VLAN subinterfaces, they also appear in the name
list, below the physical or aggregated interface to which they have been
added. See “VLAN overview” on page 138.
If you have loopback virtual interfaces configured you will be able to
view them. You can only edit these interfaces in the CLI. For more
information on these interfaces see “Configuring interfaces with CLI
commands” on page 123 or the config system interface
command in the FortiGate CLI Reference.
If you have software switch interfaces configured, you will be able to
view them. You can only edit these interfaces in the CLI. For more
information on these interfaces see “Configuring interfaces with CLI
commands” on page 123 or the config system switch-interface
command in the FortiGate CLI Reference.
If virtual domain configuration is enabled, you can view information only
for the interfaces that are in your current virtual domain, unless you are
using the super admin account.
If VDOMs are enabled, you will be able to create, edit, and view inter-
VDOM links. For more information see “Inter-VDOM links” on page 103.
If you have interface mode enabled on a FortiGate model 100A or 200A
Rev2.0 or higher or on the FortiGate-60B and FortiWiFi-60B models,
you will see multiple internal interfaces. If switch mode is enabled, there
will only be one internal interface. For more information see “Switch
Mode” on page 111.
If your FortiGate unit supports AMC modules and if you have installed
an AMC module containing interfaces (for example, the
FortiGate-ASM-FB4 contains 4 interfaces) these interfaces are added
to the interface status display. The interfaces are named AMC-SW1/1,
AMC-DW1/2, and so on. SW1 or DW1 indicates a single width or double
width card respectively in slot 1. The last number (“/1”) indicates the
interface number on that card; for the ASM-FB4 card there would be
“/1” through “/4”.
IP/Netmask The current IP address/netmask of the interface.
In VDOM mode, when VDOMs are not all in NAT or Transparent mode
some values may not be available for display and will be displayed as
“-” instead.
When IPv6 Support on GUI is enabled, IPv6 addresses may be
displayed in this column.
Access The administrative access configuration for the interface.
See “Additional configuration for interfaces” on page 125.
Administrative Status The administrative status for the interface.
If the administrative status is a green arrow, the interface is up and can
accept network traffic. If the administrative status is a red arrow, the
interface is administratively down and cannot accept traffic. To change
the administrative status, select Bring Down or Bring Up.
Column Settings
Go to System > Network > Column Settings to change which information about
the interfaces is displayed.
The VDOM field is only available for display when VDOMs are enabled.
Available fields The list of fields (columns) not currently being displayed.
Show these fields in this order The list of fields (columns) currently being displayed.
They are displayed in order. Top to bottom of the list will be
displayed left to right on screen respectively.
Right arrow Move selected fields to the Show these fields in this order list.
Left arrow Move selected fields to the Available fields list.
Move up Move selected item up in the Show these fields in this order list.
The corresponding column is moved to the left on the network
interface display.
Move down Move selected item down in the Show these fields in this order list.
The corresponding column is moved to the right on the network
interface display.
Switch Mode
The internal interface is a switch with either four or six physical interface
connections, depending on the FortiGate unit model. Normally the internal
interface is configured as a single interface shared by all physical interface
connections - a switch.
The switch mode feature has two states - switch mode and interface mode.
Switch mode is the default mode with only one interface and one address for the
entire internal switch. Interface mode allows you to configure each of the internal
switch physical interface connections separately. This allows you to assign
different subnets and netmasks to each of the internal physical interface
connections.
Note: Interfaces that are part of the switch can not be used for VLANs.
FortiGate unit models 100A and 200A Rev2.0 and higher have four internal
interface connections. The FortiGate-60B and FortiWifi-60B have six internal
interface connections. Consult your release notes for the most current list of
supported models for this feature.
Selecting Switch Mode on the System > Network > Interface screen takes you to
the Switch Mode Management screen.
Caution: Before you are able to change between switch mode and interface mode all
references to ‘internal’ interfaces must be removed. This includes references such as
firewall policies, routing, DNS forwarding, DHCP services, and VDOM interface
assignments. If they are not removed, you will not be able to switch modes, and you will
see an error message.
Switch Mode Select Switch Mode. Only one internal interface is displayed. This
is the default mode.
Interface Mode Select Interface Mode. All internal interfaces on the switch are
displayed as individually configurable interfaces.
Switch Mode can also be configured using CLI commands. For more information
see the FortiGate CLI Reference.
Interface settings
Go to System > Network > Interface and select Create New. Selecting the
Create New arrow enables you to create Inter-VDOM links. For more information
on Inter-VDOM links, see “Inter-VDOM links” on page 103.
Some types of interfaces such as loopback interfaces can only be configured
using CLI commands. For more information see “Configuring interfaces with CLI
commands” on page 123. To be able to configure a DHCP server on an interface,
that interface must have a static IP address.
You cannot create a virtual IPSec interface on this screen, but you can specify its
endpoint addresses, enable administrative access and provide a description if you
are editing an existing interface. For more information, see “Configuring a virtual
IPSec interface” on page 122.
Addressing mode Select the type of addressing mode as static or one of the available
dynamic modes.
To configure a static IP address for the interface, select Manual.
You can also configure the interface for dynamic IP address assignment.
See “Configuring DHCP on an interface” on page 118 or “Configuring an
interface for PPPoE or PPPoA” on page 120.
IP/Netmask Enter the IP address/subnet mask in the IP/Netmask field. The IP
address must be on the same subnet as the network to which the
interface connects.
Two interfaces cannot have IP addresses on the same subnet.
This field is only available when Manual addressing mode is selected.
DDNS Select DDNS to configure a Dynamic DNS service for this interface. See
“Configuring Dynamic DNS on an interface” on page 122.
Ping Server To enable dead gateway detection, enter the IP address of the next hop
router on the network connected to the interface and select Enable. See
“Dead gateway detection” on page 137.
Administrative Access Select the types of administrative access permitted on this interface.
HTTPS Allow secure HTTPS connections to the web-based manager through
this interface.
PING Interface responds to pings. Use this setting to verify your installation
and for testing.
HTTP Allow HTTP connections to the web-based manager through this
interface. HTTP connections are not secure and can be intercepted by a
third party.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by
connecting to this interface. See “Configuring SNMP” on page 176.
TELNET Allow Telnet connections to the CLI through this interface. Telnet
connections are not secure and can be intercepted by a third party.
MTU To change the MTU, select Override default MTU value (1 500) and
enter the MTU size based on the addressing mode of the interface
• 68 to 1 500 bytes for static mode
• 576 to 1 500 bytes for DHCP mode
• 576 to 1 492 bytes for PPPoE mode
• up to 16 110 bytes for jumbo frames (FortiGate models numbered
3000 and higher)
• NP2-accelerated interfaces support a jumbo frame limit of 16 000
bytes
• FA2-accelerated interfaces do not support jumbo frames
This field is available only on physical interfaces. VLANs inherit the
parent interface MTU size by default.
For more information on MTU and jumbo frames, see “Interface MTU
packet size” on page 125.
Secondary IP Address Add additional IP addresses to this interface. Select the blue arrow to
expand or hide the section. See “Secondary IP Addresses” on
page 126.
Description Enter a description up to 63 characters long.
Administrative Status Select either up (green arrow) or down (red arrow) as the status of this
interface.
Up indicates the interface is active and can accept network traffic.
Down indicates the interface is not active and cannot accept traffic.
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
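The interface rules in the table above (the less secure access methods, the MTU range for each addressing mode, and the rule that two interfaces cannot share a subnet), applied as an added Python audit over a constructed config system interface snippet written in the CLI form this guide uses. This is not Fortinet code: the allowaccess, mode and mtu keywords are assumed CLI names for the Administrative Access, Addressing mode and MTU fields, and the subnet check generalizes “same subnet” to any overlap.

```python
# Added audit of 'config system interface' text against the interface rules in
# this guide.  Not Fortinet code: the 'allowaccess', 'mode' and 'mtu' keywords
# are assumed CLI names for the Administrative Access, Addressing mode and MTU
# fields, and the sample configuration below is constructed.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Access methods the guide calls less secure.
INSECURE_ACCESS = {"ping", "telnet", "http"}

# Allowed MTU range by addressing mode ("static" is the Manual mode of the GUI).
MTU_RANGES: Dict[str, Tuple[int, int]] = {
    "static": (68, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}
JUMBO_MAX = 16110  # models numbered 3000 and higher; applied to static mode here


@dataclass
class Interface:
    name: str
    mode: str = "static"
    ip: Optional[str] = None                  # "address netmask" as typed in the CLI
    allowaccess: Set[str] = field(default_factory=set)
    mtu: Optional[int] = None


def parse_interfaces(text: str) -> List[Interface]:
    """Minimal parser for config system interface / edit NAME / set KEY VALUE blocks."""
    interfaces: List[Interface] = []
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"\s]+)"?', line)
        if m:
            current = Interface(name=m.group(1))
            interfaces.append(current)
            continue
        if current is None or not line.startswith("set "):
            continue
        key, _, value = line[4:].partition(" ")
        if key == "mode":
            current.mode = value
        elif key == "ip":
            current.ip = value
        elif key == "allowaccess":
            current.allowaccess = set(value.split())
        elif key == "mtu":
            current.mtu = int(value)
    return interfaces


def audit_config(text: str, jumbo_capable: bool = False) -> List[str]:
    """Return one finding per rule violation found in the configuration text."""
    findings: List[str] = []
    networks: List[Tuple[ipaddress.IPv4Network, str]] = []
    for itf in parse_interfaces(text):
        insecure = sorted(itf.allowaccess & INSECURE_ACCESS)
        if insecure:
            findings.append(f"{itf.name}: insecure admin access {insecure}")
        if itf.mtu is not None:
            lo, hi = MTU_RANGES.get(itf.mode, MTU_RANGES["static"])
            if jumbo_capable and itf.mode == "static":
                hi = JUMBO_MAX
            if not lo <= itf.mtu <= hi:
                findings.append(f"{itf.name}: MTU {itf.mtu} outside {lo}-{hi} for {itf.mode} mode")
        if itf.ip and itf.mode == "static":
            addr, _, mask = itf.ip.partition(" ")
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for other, owner in networks:
                if net.overlaps(other):
                    findings.append(f"{itf.name}: subnet {net} overlaps {other} on {owner}")
            networks.append((net, itf.name))
    return findings


# Constructed sample configuration in the CLI form used by this guide.
SAMPLE_CONFIG = """
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "dmz"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess https
        set mtu 9000
    next
    edit "wan1"
        set mode pppoe
        set allowaccess http telnet
        set mtu 1500
    next
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```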
Addressing mode Select the addressing mode that your ISP specifies.
IPoA Enter the IP address and netmask that your ISP provides.
EoA Enter the IP address and netmask that your ISP provides.
DHCP See “Configuring DHCP on an interface” on
page 118.
PPPoE See “Configuring an interface for PPPoE or PPPoA”
on page 120.
PPPoA See “Configuring an interface for PPPoE or PPPoA”
on page 120.
IP/Netmask The IP address and netmask of this interface.
Gateway Enter the default gateway.
Connect to Server Enable Connect to Server so the interface will attempt to
connect automatically. Do not enable this option if you are
configuring the interface offline.
Virtual Circuit Identification Enter the VPI and VCI values your ISP provides.
MUX Type Select the MUX type: LLC Encap or VC Encap.
Your ISP must provide this information.
Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you
will lose the acceleration. For example, if you aggregate two accelerated interfaces you will
get slower throughput than if the two interfaces were separate.
Note: FortiGate-5000 backplane interfaces have to be made visible before they can be
added to an aggregate or a redundant interface.
Retrieve default gateway from server Enable Retrieve default gateway from server to retrieve a default
gateway IP address from the DHCP server. The default gateway is
added to the static routing table.
Override internal DNS Enable Override internal DNS to use the DNS addresses retrieved
from the DHCP server instead of the DNS server IP addresses on
the DNS page.
On FortiGate models numbered 100 and lower, you should also
enable Obtain DNS server address automatically in System >
Network > Options. See “DNS Servers” on page 136.
When VDOMs are enabled, you can override the internal DNS
only on the management VDOM.
Connect to Server Enable Connect to Server so that the interface automatically
attempts to connect to a DHCP server. Disable this option if you
are configuring the interface offline.
initializing No activity.
connecting The interface is attempting to connect to the PPPoE or PPPoA server.
connected The interface retrieves an IP address, netmask, and other settings
from the PPPoE server.
When the status is connected, PPPoE or PPPoA connection
information is displayed.
failed The interface was unable to retrieve an IP address and other
information from the PPPoE or PPPoA server.
Reconnect Select to reconnect to the PPPoE or PPPoA server.
Only displayed if Status is connected.
User Name The PPPoE or PPPoA account user name.
Password The PPPoE or PPPoA account password.
Unnumbered IP Specify the IP address for the interface. If your ISP has assigned you a
block of IP addresses, use one of them. Otherwise, this IP address can
be the same as the IP address of another interface or can be any IP
address.
Initial Disc Timeout Enter Initial discovery timeout. Enter the time to wait before starting to
retry a PPPoE or PPPoA discovery.
Initial PADT timeout Enter Initial PPPoE Active Discovery Terminate (PADT) timeout in
seconds. Use this timeout to shut down the PPPoE or PPPoA session
if it is idle for this number of seconds. PADT must be supported by your
ISP. Set initial PADT timeout to 0 to disable.
Distance Enter the administrative distance for the default gateway retrieved from
the PPPoE or PPPoA server. The administrative distance, an integer
from 1-255, specifies the relative priority of a route when there are
multiple routes to the same destination. A lower administrative
distance indicates a more preferred route. The default distance for the
default gateway is 1.
Retrieve default gateway from server Enable Retrieve default gateway from server to retrieve a default
gateway IP address from a PPPoE server. The default gateway is
added to the static routing table.
Override internal DNS Enable Override internal DNS to replace the DNS server IP addresses
on the System DNS page with the DNS addresses retrieved from the
PPPoE or PPPoA server.
When VDOMs are enabled, you can override the internal DNS only on
the management VDOM.
Connect to server Enable Connect to Server so that the interface automatically attempts
to connect to a PPPoE or PPPoA server when you select OK or Apply.
Disable this option if you are configuring the interface offline.
Server Select a DDNS server to use. The client software for these services is built
into the FortiGate firmware. The FortiGate unit can connect only to one of
these services.
Domain Enter the fully qualified domain name of the DDNS service.
Username Enter the user name to use when connecting to the DDNS server.
Password Enter the password to use when connecting to the DDNS server.
• configure IP addresses for the local and remote endpoints of the IPSec
interface so that you can run dynamic routing over the interface or use ping to
test the tunnel
• enable administrative access through the IPSec interface
• enter a description for the interface
• Loopback interface
• Software switch interface
Loopback interface
A loopback interface is an ‘always up’ virtual interface that is not connected to any
other interfaces. Loopback interfaces connect to a FortiGate unit’s interface IP
address without depending on a specific external port.
A loopback interface is not connected to hardware, so it is not affected by
hardware problems. As long as the FortiGate unit is functioning, the loopback
interface is active. This ‘always up’ feature is useful in dynamic routing where the
FortiGate unit relies on remote routers and local firewall policies to reach the
loopback interface.
The CLI command to configure a loopback interface called loop1 with an IP
address of 10.0.0.10 is:
config system interface
    edit loop1
        set type loopback
        set ip 10.0.0.10 255.255.255.0
end
For more information, see config system interface in the FortiGate CLI Reference.
FortiGate models numbered 3 000 and higher support jumbo frames - frames
larger than the traditional 1 500 bytes. Some models support a jumbo frame limit
of 9 000 bytes while others support 16 110 bytes. NP2-accelerated interfaces
support a jumbo frame limit of 16 000 bytes. FA2-accelerated interfaces do not
support jumbo frames. Jumbo frames are much larger than the maximum
standard Ethernet frames (packets) size of 1 500 bytes. As new Ethernet
standards have been implemented (such as Gigabit Ethernet), 1 500 byte frames
remain in the standard for backward compatibility.
To be able to send jumbo frames over a route, all Ethernet devices on that route
must support jumbo frames, otherwise your jumbo frames are not recognized and
are dropped.
If you have standard Ethernet and jumbo frame traffic on the same interface,
routing alone cannot send them over different routes based only on frame size.
However, you can use VLANs to make sure the jumbo frame traffic is routed over
network devices that support jumbo frames. VLANs inherit the MTU size from
the parent interface. You will need to configure the VLAN to include both ends of
the route as well as all switches and routers along the route. For more information
on VLAN configurations, see the VLAN and VDOM guide.
Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU
value of VLAN subinterfaces on the modified interface.
Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
Secondary IP Addresses
An interface can be assigned more than one IP address. You can create and apply
separate firewall policies for each IP address on an interface. You can also
forward traffic and use RIP or OSPF routing with secondary IP addresses.
There can be up to 32 secondary IP addresses per interface including primary,
secondary, and any other IP addresses assigned to the interface. Primary and
secondary IP addresses can share the same ping generator.
The following restrictions must be in place before you are able to assign a
secondary IP address:
• A primary IP address must be assigned to the interface.
• The interface must use manual addressing mode.
• By default, IP addresses cannot be part of the same subnet. To allow interface
subnet overlap use the CLI command:
Note: It is recommended that after adding a secondary IP, you refresh the secondary IP
table and verify your new address is listed. If not, one of the restrictions (no primary IP
address, an addressing mode other than manual, more than one IP on the same subnet,
more than 32 IP addresses assigned to the interface, and so on) prevented the address
from being added.
Configuring zones
Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation.
You can configure policies for connections to and from a zone, but not between
interfaces in a zone.
You can add zones, rename and edit zones, and delete zones from the zone list.
When you add a zone, you select the names of the interfaces and VLAN
subinterfaces to add to the zone.
Zones are configured from virtual domains. If you have added multiple virtual
domains to your FortiGate configuration, make sure you are configuring the
correct virtual domain before adding or editing zones.
Note: The modem interface is not the AUX port. While the modem and AUX port may
appear similar, the AUX port has no associated interface and is used for remote console
connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and
3000A. For more information, see the config system aux command in the FortiGate
CLI Reference.
Note: You cannot configure and use the modem in Transparent mode.
Figure 65 shows only the settings specific to standalone mode. The remaining
settings are common to both standalone and redundant modes and are shown in
Figure 66.
Redial Limit The maximum number of times (1-10) that the FortiGate unit
modem attempts to reconnect to the ISP if the connection fails. The
default redial limit is 1. Select None to have no limit on redial
attempts.
Wireless Modem Display a connected wireless modem if available.
Supported Modems Select to view a list of supported modems.
Usage History Display connections made on the modem interface. Information
displayed about connections includes:
• date and time
• duration of the connection in hours, minutes, and
seconds
• IP address connected to
• traffic statistics including received, sent, and total
• current status of the connection
Dialup Account Configure up to three dialup accounts. The FortiGate unit tries
connecting to each account in order until a connection can be
established.
The active dialup account is indicated with a green check mark.
Phone Number The phone number required to connect to the dialup account. Do
not add spaces to the phone number. Make sure to include
standard special characters for pauses, country codes, and other
functions as required by your modem to connect to your dialup
account.
User Name The user name (maximum 63 characters) sent to the ISP.
Password The password sent to the ISP.
To configure the modem in Redundant mode, see “Redundant mode
configuration” on page 132.
To configure the modem in Standalone mode, see “Standalone mode
configuration” on page 133.
Note: Do not add policies for connections between the modem interface and the ethernet
interface that the modem is backing up.
Redundant for From the list, select the interface to back up.
Holddown timer Enter the number of seconds to continue using the modem after the
network connectivity is restored.
Redial Limit Enter the maximum number of times to retry if the ISP does not
answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3 Enter the ISP phone number,
user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure a ping server for the ethernet interface the modem backs up.
See “To add a ping server to an interface” on page 137.
6 Configure firewall policies for network connectivity through the modem interface.
See “Adding firewall policies for modem connections” on page 134.
Auto-dial Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand Select if you want the modem to connect to its ISP whenever there
are unrouted packets.
Idle timeout Enter the timeout duration in minutes. After this period of inactivity,
the modem disconnects.
Redial Limit Enter the maximum number of times to retry if the ISP does not
answer.
Dialup Account 1, Dialup Account 2, Dialup Account 3 Enter the ISP phone number,
user name and password for up to three dialup accounts.
4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface.
See “Adding firewall policies for modem connections” on page 134.
6 Go to Router > Static and set device to modem to configure static routes to route
traffic to the modem interface.
See “Adding a static route to the routing table” on page 262.
Note: The modem must be in Standalone mode before connecting or disconnecting from a
dialup account.
Figure 67: Configuring Networking Options - FortiGate models 200 and higher
Figure 68: Configuring Networking Options - FortiGate models 100 and lower
Obtain DNS server address automatically This option applies only to FortiGate models 100 and
lower.
Select to also obtain the DNS server IP address when DHCP is
used on an interface. Available only in NAT/Route mode. You should
also enable Override internal DNS in the DHCP settings of
the interface. See “Configuring DHCP on an interface” on
page 118.
Use the following DNS server addresses This option applies only to FortiGate models 100 and
lower.
Use the specified Primary and Secondary DNS server
addresses.
Primary DNS Server Enter the primary DNS server IP address.
Secondary DNS Server Enter the secondary DNS server IP address.
Local Domain Name Enter the domain name to append to addresses with no
domain portion when performing DNS lookups.
Enable DNS forwarding from This option applies only to FortiGate models 100 and
lower operating in NAT/Route mode.
Select the interfaces that forward DNS requests they
receive to the DNS servers that you configured.
Dead Gateway Detection Dead gateway detection confirms connectivity using a
ping server added to an interface configuration. For
information about adding a ping server to an interface, see
“Dead gateway detection” on page 137.
Detection Interval Enter a number in seconds to specify how often the
FortiGate unit pings the target.
Fail-over Detection Enter the number of times that the ping test fails before
the FortiGate unit assumes that the gateway is no longer
functioning.
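Dead gateway detection as described above (a ping server on the interface, probed every Detection Interval seconds, with the gateway declared dead after Fail-over Detection consecutive failures), together with the Holddown timer of a modem in Redundant mode, as an added Python model that is not Fortinet code. The interface name, ping server address, timings and the outage window are constructed for the example.

```python
# Added illustration of dead gateway detection and the redundant-modem
# holddown timer as described in this guide.  Not Fortinet code; the timing
# and outage values below are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class DeadGatewayDetector:
    """Pings the interface's ping server every detection_interval seconds and
    declares the gateway dead after failover_detection consecutive failures."""
    interface: str
    ping_server: str            # next-hop router configured as Ping Server
    detection_interval: int     # Detection Interval (seconds)
    failover_detection: int     # Fail-over Detection (failed pings)
    consecutive_failures: int = 0
    gateway_up: bool = True
    events: List[str] = field(default_factory=list)

    def record(self, t: int, replied: bool) -> bool:
        """Record one ping result at time t (seconds) and return the gateway state."""
        if replied:
            if not self.gateway_up:
                self.events.append(
                    f"t={t}s: {self.ping_server} via {self.interface} reachable again")
            self.consecutive_failures = 0
            self.gateway_up = True
        else:
            self.consecutive_failures += 1
            if self.gateway_up and self.consecutive_failures >= self.failover_detection:
                self.gateway_up = False
                self.events.append(
                    f"t={t}s: {self.ping_server} via {self.interface} declared dead "
                    f"after {self.consecutive_failures} failed pings")
        return self.gateway_up


def run_detection(detector: DeadGatewayDetector, probe: Callable[[int], bool],
                  duration: int) -> List[Tuple[int, bool]]:
    """Probe once per detection interval from t=0 to duration; return (t, gateway_up)."""
    return [(t, detector.record(t, probe(t)))
            for t in range(0, duration + 1, detector.detection_interval)]


def modem_in_use(timeline: List[Tuple[int, bool]], holddown: int) -> List[int]:
    """Probe times at which a modem in Redundant mode carries the traffic:
    while the backed-up interface's gateway is dead, and for holddown more
    seconds after connectivity is restored (the Holddown timer)."""
    in_use: List[int] = []
    hold_until = None
    prev_up = True
    for t, up in timeline:
        if not up:
            in_use.append(t)
        else:
            if not prev_up:
                hold_until = t + holddown
            if hold_until is not None and t < hold_until:
                in_use.append(t)
        prev_up = up
    return in_use


def sample_probe(t: int) -> bool:
    """Constructed outage: the next-hop router stops answering from t=20s to t=50s."""
    return not 20 <= t < 50


if __name__ == "__main__":
    det = DeadGatewayDetector("wan1", "192.0.2.1", detection_interval=5, failover_detection=3)
    timeline = run_detection(det, sample_probe, duration=70)
    for event in det.events:
        print(event)
    print("modem in use at:", modem_in_use(timeline, holddown=10))
```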
DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You
can specify the IP addresses of the DNS servers to which your FortiGate unit
connects. DNS server IP addresses are usually supplied by your ISP.
You can configure FortiGate models numbered 100 and lower to obtain DNS
server addresses automatically. To obtain these addresses automatically, at least
one FortiGate unit interface must use the DHCP or PPPoE addressing mode. See
“Configuring DHCP on an interface” on page 118 or “Configuring an interface for
PPPoE or PPPoA” on page 120.
FortiGate models 100 and lower can provide DNS Forwarding on their interfaces.
Hosts on the attached network use the interface IP address as their DNS server.
DNS requests sent to the interface are forwarded to the DNS server addresses
that you configured or that the FortiGate unit obtained automatically.
Destination IP/Mask   Enter the destination IP address and netmask for the route.
To create a default route, set the Destination IP and Mask to 0.0.0.0.
Gateway Enter the IP address of the next hop router to which the route directs
traffic. For an Internet connection, the next hop routing gateway routes
traffic to the Internet.
Distance   The administrative distance, or relative preference, of the route. An
administrative distance of 1 is most preferred.
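The following Python example is added here and is not part of the FortiGate guide. It models how the three route fields above are used when a packet is forwarded: the most specific matching destination wins, and among routes with the same prefix the lowest distance wins, with 0.0.0.0/0 acting as the default route. The route entries and gateway addresses in sample_table() are constructed for illustration.

```python
# Added example (not from the FortiGate guide): longest-prefix-match route
# selection with administrative distance as the tie-breaker, using the
# Destination IP/Mask, Gateway and Distance fields described above.
import ipaddress
from typing import List, NamedTuple, Optional


class StaticRoute(NamedTuple):
    destination: ipaddress.IPv4Network  # 0.0.0.0/0 is the default route
    gateway: ipaddress.IPv4Address      # next-hop router
    distance: int                       # administrative distance, 1 = most preferred


def make_route(dest: str, mask: str, gateway: str, distance: int = 10) -> StaticRoute:
    """Build a route from the form fields. Destination 0.0.0.0 with mask 0.0.0.0 is the default route."""
    if distance < 1:
        raise ValueError("administrative distance must be at least 1")
    # strict=True rejects a destination with host bits set (e.g. 10.0.0.5/24)
    net = ipaddress.IPv4Network((dest, mask), strict=True)
    return StaticRoute(net, ipaddress.IPv4Address(gateway), distance)


def select_route(table: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Return the route used for dst: most specific prefix first, then lowest distance."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.destination]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.destination.prefixlen, r.distance))


def sample_table() -> List[StaticRoute]:
    """Constructed sample table: a default route plus two routes to the same LAN with different distances."""
    return [
        make_route("0.0.0.0", "0.0.0.0", "172.16.21.1", 10),
        make_route("192.168.110.0", "255.255.255.0", "192.168.110.1", 10),
        make_route("192.168.110.0", "255.255.255.0", "192.168.110.2", 5),
    ]


if __name__ == "__main__":
    table = sample_table()
    for dst in ("192.168.110.50", "8.8.8.8"):
        route = select_route(table, dst)
        print(dst, "->", route.gateway if route else "no route")
```

With the sample table, traffic to 192.168.110.50 uses the gateway 192.168.110.2 (same prefix, lower distance) and everything else falls through to the default route.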
VLAN overview
A VLAN is group of PCs, servers, and other network devices that communicate as
if they were on the same LAN segment, regardless of their location. For example,
the workstations and servers for an accounting department could be scattered
throughout an office or city and connected to numerous network segments, but
still belong to the same VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated
as a broadcast domain. Devices in VLAN 1 can connect with other devices in
VLAN 1, but cannot connect with devices in other VLANs. The communication
among devices on a VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets
sent and received by the devices in the VLAN. VLAN tags are 4-byte frame
extensions that contain a VLAN identifier as well as other information.
For more information on VLANs, see the FortiGate VLANs and VDOMs Guide.
[Figure: untagged packets from the Internet reach a router; the router connects VLAN 1 and VLAN 2 through a VLAN switch to the VLAN 1 and VLAN 2 networks]
FortiGate units in NAT/Route mode can use VLANs for constructing VLAN trunks
between an IEEE 802.1Q-compliant switch (or router) and the FortiGate units.
Normally the FortiGate unit internal interface connects to a VLAN trunk on an
internal switch, and the external interface connects to an upstream Internet router.
The FortiGate unit can then apply different policies for traffic on each VLAN that
connects to the internal interface.
When constructing VLAN trunks, you add VLAN subinterfaces that have VLAN
IDs that match the VLAN IDs of packets in the VLAN trunk to the FortiGate internal
interface. If the IDs do not match, traffic is not delivered. The FortiGate unit
directs packets with VLAN IDs to subinterfaces with matching VLAN IDs. For
example, packets from the sending system with VLAN ID#101 are delivered to the
recipient system’s VLAN ID#101.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate
unit can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN
tags from incoming packets and add different VLAN tags to outgoing packets.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set allow-interface-subnet-overlap enable
to allow IP address overlap. If you enter this command, multiple VLAN interfaces can have
an IP address that is part of a subnet used by another interface. This command is
recommended for advanced users only.
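The following Python example is added here and is not part of the FortiGate guide. It shows the two mechanisms the preceding paragraphs describe: parsing the 4-byte 802.1Q tag to find the VLAN identifier and delivering the frame only to a subinterface with a matching VLAN ID (adding or removing tags as a subinterface would), and checking a set of VLAN subinterface addresses for the subnet overlap that FortiOS rejects unless allow-interface-subnet-overlap is enabled. The MAC addresses, payload and subinterface names are constructed sample data.

```python
# Added example (not from the FortiGate guide): 802.1Q tag parsing, delivery to
# the matching VLAN subinterface, tag insertion/removal, and a subnet-overlap
# check for subinterface addresses.
import ipaddress
import struct
from itertools import combinations
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks a tagged frame


def parse_8021q(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id, ethertype, payload). vlan_id is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    vlan_id = tci & 0x0FFF  # low 12 bits of the TCI; PCP and DEI occupy the top 4 bits
    return vlan_id, inner_type, frame[18:]


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the MAC addresses, as a tagging subinterface does on egress."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag, as a subinterface does before handing the frame on untagged."""
    vlan_id, _, _ = parse_8021q(frame)
    if vlan_id is None:
        return frame
    return frame[:12] + frame[16:]


def deliver(frame: bytes, subinterfaces: Dict[int, str]) -> Optional[str]:
    """Name of the subinterface that receives the frame, or None if no VLAN ID matches."""
    vlan_id, _, _ = parse_8021q(frame)
    if vlan_id is None:
        return None  # untagged frames are not delivered to any VLAN subinterface
    return subinterfaces.get(vlan_id)


def overlapping_subnets(addresses: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of interfaces (by name) whose IP/netmask subnets overlap."""
    nets = {name: ipaddress.ip_interface(a).network for name, a in addresses.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def build_frame(vlan_id: Optional[int]) -> bytes:
    """Constructed sample frame: locally administered MACs, IPv4 ethertype, 4-byte payload."""
    frame = bytes.fromhex("020000000001" "020000000002" "0800") + b"\xde\xad\xbe\xef"
    return frame if vlan_id is None else add_tag(frame, vlan_id)


if __name__ == "__main__":
    subs = {100: "internal.100", 200: "internal.200"}  # constructed subinterface names
    for vid in (100, 101, None):
        print(vid, "->", deliver(build_frame(vid), subs))
    print(overlapping_subnets({"vlan100": "10.1.0.1/24", "vlan200": "10.1.0.129/25"}))
```

A frame tagged 101 arriving on an interface that only has subinterfaces for 100 and 200 is dropped, which is the mismatch case the text warns about; the overlap check reports the (vlan100, vlan200) pair because 10.1.0.128/25 lies inside 10.1.0.0/24.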
[Figure: untagged packets from the Internet reach the FortiGate unit External interface (172.16.21.2); the Internal interface (192.168.110.126) connects over an 802.1Q trunk to port Fa 0/24 of a VLAN switch, with VLAN 100 on Fa 0/3 and VLAN 200 on Fa 0/9]
Note: A VLAN must not have the same name as a virtual domain or zone. A VLAN can not
be added to a switch interface. See “Switch Mode” on page 111.
8 Select OK.
The FortiGate unit adds the new VLAN subinterface to the interface that you
selected in step 4.
Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode.
This includes VLANs. If no other interfaces are configured for a VDOM, you can configure
up to 255 VLANs in that VDOM.
Figure 73: FortiGate unit with two virtual domains in Transparent mode
[Figure: a FortiGate unit in Transparent mode with a root virtual domain and a new virtual domain; VLAN trunks carrying VLAN1, VLAN2 and VLAN3 enter the Internal interface from a VLAN switch or router and leave the External interface to a VLAN switch or router connected to the Internet]
[Figure: untagged packets from the Internet reach a router and VLAN switch; a VLAN trunk carrying VLAN 1, VLAN 2 and VLAN 3 passes through the FortiGate unit in Transparent mode to a second VLAN switch serving the VLAN 1, VLAN 2 and VLAN 3 networks]
Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.
Note: A VLAN must not have the same name as a virtual domain or zone.
ARP Forwarding
One solution to the duplicate ARP packet problem is to enable ARP forwarding.
When ARP forwarding is enabled, the FortiGate unit allows duplicate ARP packets,
which resolves the delivery problems caused by duplicate ARP packets. However,
this also opens up your network to potential hacking attempts that spoof packets.
For more secure solutions, see the FortiGate VLANs and VDOMs Guide.
System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi
units. The majority of this section is applicable to all FortiWiFi units. Where
indicated, some features may not be available on the FortiWiFi-60.
If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and
wireless monitor are configured separately for each virtual domain. System
wireless settings are configured globally. For details, see “Using virtual domains”
on page 95.
This section describes:
• FortiWiFi wireless interfaces
• Channel assignments
• System wireless settings
• FortiWiFi-60 system wireless settings
• Wireless MAC Filter
• Wireless Monitor
Channel assignments
The channels available to you depend on the wireless protocol selected and on
the region of the world you are in. Set the channel for the wireless network by
going to System > Wireless > Settings. For more information see “System wireless
settings” on page 150.
The following tables list the channel assignments for wireless networks for each
supported wireless protocol.
• IEEE 802.11a channel numbers
• IEEE 802.11b channel numbers
• IEEE 802.11g channel numbers
Regulatory Areas
Note: For a FortiWiFi-60 unit, see “FortiWiFi-60 system wireless settings” on page 154.
By default the FortiWiFi unit includes one wireless interface, called wlan. If you are
operating your FortiWiFi unit in access point mode, you can add up to three more
wireless interfaces. All wireless interfaces use the same wireless parameters.
That is, you configure the wireless settings once, and all wireless interfaces use
those settings. For details on adding more wireless interfaces, see “Adding a
wireless interface” on page 152.
When operating the FortiWiFi in Client mode, wireless settings are not
configurable.
SSID Broadcast Green checkmark icon indicates that the wireless interface broadcasts
its SSID. Broadcasting the SSID makes it possible for clients to connect
to your wireless network without first knowing the SSID.
Security Mode Displays information about the security mode for the wireless interface.
Note: You cannot add additional wireless interfaces on the FortiGate-60, or when the
FortiWiFi is in Client mode.
Name Enter a name for the wireless interface. The name cannot be the
same as an existing interface, zone or VDOM.
Type Select Wireless.
Address Mode The wireless interface can only be set as a manual address. Enter
a valid IP address and netmask.
If the FortiWiFi is running in Transparent mode, this field does not
appear. The interface will be on the same subnet as the other
interfaces.
Administrative Access   Set the administrative access for the interface.
4 In the Wireless Settings section, complete the following and select OK:
SSID Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must
configure their computers to connect to the network that broadcasts this
network name.
SSID Broadcast   Select to broadcast the SSID. Broadcasting the SSID enables clients to
connect to your wireless network without first knowing the SSID. For
better security, do not broadcast the SSID. If the interface is not
broadcast, there is less chance of an unwanted user connecting to your
wireless network. If you choose not to broadcast the SSID, you need to
inform users of the SSID so they can configure their wireless devices.
Security mode Select the security mode for the wireless interface. Wireless users must
use the same security mode to be able to connect to this wireless
interface.
• None has no security. Any wireless user can connect to the wireless
network.
• WEP64 - 64-bit wired equivalent privacy (WEP). To use WEP64 you
must enter a Key containing 10 hexadecimal digits (0-9 a-f) and
inform wireless users of the key.
• WEP128 - 128-bit WEP. To use WEP128 you must enter a Key
containing 26 hexadecimal digits (0-9 a-f) and inform wireless users of
the key.
• Wi-Fi protected access (WPA) security. To use WPA you must select
a data encryption method. You must also enter a pre-shared key
containing at least eight characters or select a RADIUS server. If you
select a RADIUS server the wireless clients must have accounts on
the RADIUS server.
• WPA2 provides more security features and is more secure than WPA.
To use WPA2 you must select a data encryption method and enter a
pre-shared key containing at least eight characters or select a
RADIUS server. If you select a RADIUS server the wireless clients
must have accounts on the RADIUS server.
• WPA2 Auto provides the same security features as WPA2. However,
WPA2 Auto also accepts wireless clients using WPA security. To use
WPA2 Auto you must select a data encryption method. You must also
enter a pre-shared key containing at least eight characters or select a
RADIUS server. If you select a RADIUS server the wireless clients
must have accounts on the RADIUS server.
Key Enter the security key. This field appears when selecting WEP64 or
WEP128 security.
Data Encryption   Select a data encryption method to be used by WPA, WPA2, or WPA2
Auto. Select TKIP to use the Temporal Key Integrity Protocol (TKIP).
Select AES to use advanced encryption standard (AES) encryption. AES
is considered more secure than TKIP. Some implementations of WPA
may not support AES.
Pre-shared Key Enter the pre-shared key. This field appears when selecting WPA,
WPA2, or WPA2 Auto security.
RADIUS Server Select to use a RADIUS server when selecting WPA or WPA2 security.
You can use WPA or WPA2 Radius security to integrate your wireless
network configuration with a RADIUS or Windows AD server. Select a
RADIUS server name from the list. You must configure the Radius server
by going to User > RADIUS. For more information, see “RADIUS
servers” on page 424.
SSID Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must
configure their computers to connect to the network that broadcasts this
network name.
SSID Broadcast Select to broadcast the SSID. Broadcasting the SSID enables clients to
connect to your wireless network without first knowing the SSID. For
better security, do not broadcast the SSID. If the interface is not
broadcast, there is less chance of an unwanted user connecting to your
wireless network. If you choose not to broadcast the SSID, you need to
inform users of the SSID so they can configure their wireless devices.
Security mode Select the security mode for the wireless interface. Wireless users must
use the same security mode to be able to connect to this wireless
interface.
• None has no security. Any wireless user can connect to the wireless
network.
• WEP64 - 64-bit wired equivalent privacy (WEP). To use WEP64
you must enter a Key containing 10 hexadecimal digits (0-9 a-f) and
inform wireless users of the key.
• WEP128 - 128-bit WEP. To use WEP128 you must enter a Key
containing 26 hexadecimal digits (0-9 a-f) and inform wireless users
of the key.
• Wi-Fi protected access (WPA) security. To use WPA you must select
a data encryption method. You must also enter a pre-shared key
containing at least eight characters or select a RADIUS server. If you
select a RADIUS server the wireless clients must have accounts on
the RADIUS server.
Key Enter the security key. This field appears when selecting WEP64 or
WEP128 security.
Pre-shared Key Enter the pre-shared key. This field appears when selecting WPA
security.
Radius Server Name   Select to use a RADIUS server when selecting WPA security. You can
use WPA Radius security to integrate your wireless network
configuration with a RADIUS or Windows AD server. Select a RADIUS
server name from the list. You must configure the Radius server by
going to User > RADIUS. For more information, see “RADIUS servers”
on page 424.
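The following Python example is added here and is not part of the FortiGate guide. It checks a set of wireless settings against the key rules stated in the two security mode tables above (WEP64: 10 hexadecimal digits; WEP128: 26 hexadecimal digits; WPA, WPA2 and WPA2 Auto: a pre-shared key of at least eight characters or a configured RADIUS server, plus a TKIP or AES data encryption choice) and rates each mode from a defender's point of view, following the guide's own remarks that WPA2 is more secure than WPA and AES more secure than TKIP. The SSID length limit of 32 octets and the 63-character passphrase maximum come from the 802.11 standards, not from the guide; the SSIDs and keys are constructed.

```python
# Added example (not from the FortiGate guide): validate wireless security
# settings per mode and rate the mode's strength.
import re
from dataclasses import dataclass
from typing import List, Optional

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
WEP_KEY_LENGTHS = {"WEP64": 10, "WEP128": 26}   # hexadecimal digits required
WPA_MODES = {"WPA", "WPA2", "WPA2 Auto"}
# Defender's ranking: None and WEP give no meaningful protection; WPA (TKIP) is
# legacy; WPA2 Auto still admits WPA clients; WPA2 with AES is the best listed.
MODE_RATING = {"None": "open", "WEP64": "broken", "WEP128": "broken",
               "WPA": "legacy", "WPA2 Auto": "mixed", "WPA2": "ok"}


@dataclass
class WirelessSettings:
    ssid: str
    security_mode: str
    key: Optional[str] = None              # WEP key (hex digits)
    preshared_key: Optional[str] = None    # WPA/WPA2 passphrase
    radius_server: Optional[str] = None    # name of a server configured under User > RADIUS
    data_encryption: Optional[str] = None  # "TKIP" or "AES"


def validate_wireless(cfg: WirelessSettings) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []
    if not 1 <= len(cfg.ssid) <= 32:   # 802.11 limits an SSID to 32 octets (standard, not the guide)
        problems.append("SSID must be 1-32 characters")
    mode = cfg.security_mode
    if mode in WEP_KEY_LENGTHS:
        need = WEP_KEY_LENGTHS[mode]
        if cfg.key is None or len(cfg.key) != need or not HEX_RE.match(cfg.key):
            problems.append(f"{mode} key must be exactly {need} hexadecimal digits")
    elif mode in WPA_MODES:
        if cfg.data_encryption not in ("TKIP", "AES"):
            problems.append("select TKIP or AES data encryption")
        if cfg.radius_server is None:
            psk = cfg.preshared_key or ""
            # 8-63 ASCII characters is the 802.11i passphrase range; the guide states only the minimum.
            if not 8 <= len(psk) <= 63:
                problems.append("pre-shared key must be 8-63 characters, or select a RADIUS server")
    elif mode != "None":
        problems.append(f"unknown security mode {mode!r}")
    return problems


def rate_mode(cfg: WirelessSettings) -> str:
    """Strength label for the configured mode and encryption choice."""
    rating = MODE_RATING.get(cfg.security_mode, "unknown")
    if rating == "ok" and cfg.data_encryption == "TKIP":
        rating = "legacy"   # WPA2 with TKIP gives up the AES advantage the guide notes
    return rating


if __name__ == "__main__":
    for cfg in (
        WirelessSettings("corp-wifi", "WPA2", preshared_key="c0rrect-horse-battery", data_encryption="AES"),
        WirelessSettings("legacy", "WEP64", key="0123456789"),
        WirelessSettings("guest", "WPA", preshared_key="short", data_encryption="TKIP"),
    ):
        print(cfg.ssid, rate_mode(cfg), validate_wireless(cfg))
```

The validator accepts a correctly formed WEP key because the guide permits the mode, but rate_mode() still reports it as broken, which is the distinction a practitioner wants: a setting can be syntactically valid and still be a poor choice.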
Advanced Open or close the Advanced settings section of the Wireless
Parameters. Change settings if needed to address performance issues.
Default values should work well for most situations. Advanced settings
are available in Access Point mode only.
Tx Power Set the transmitter power level. The higher the number, the larger the
area the FortiWiFi will broadcast. If you want to keep the wireless signal
to a small area, enter a smaller number.
Beacon Interval Set the interval between beacon packets. Access Points broadcast
Beacons or Traffic Indication Messages (TIM) to synchronize wireless
networks.
A higher value decreases the number of beacons sent, but may delay some
wireless clients from connecting if they miss a beacon packet.
A lower value increases the number of beacons sent. Clients find and
connect to the wireless network more quickly, but the additional overhead
slows throughput.
Note: For the FortiWiFi-60, see “FortiWiFi-60 Wireless MAC Filter” on page 157.
MAC Filter Enable Select to enable the MAC filtering for the wireless interface. When
not selected MAC filtering options are not applied to the interface.
Access for PCs not listed below   Select whether to allow or deny access to unlisted MAC addresses.
MAC Address Enter the MAC address to filter.
Allow or Deny Select whether to allow or deny the MAC Address.
Add Add the MAC address to the Allow or Deny list, as selected.
Allow List List of MAC addresses allowed access to the wireless network.
Deny List List of MAC addresses denied access to the wireless network.
Arrow buttons Move MAC addresses between lists.
Remove (below Allow list)   Remove selected MAC addresses from Allow list.
Remove (below Deny list)   Remove selected MAC addresses from Deny list.
Wireless Monitor
Go to System > Wireless > Monitor to see who is connected to your wireless
LAN.
System DHCP
This section describes how to use DHCP to provide convenient automatic network
configuration for your clients.
DHCP is not available in Transparent mode. DHCP requests are passed through
the FortiGate unit when it is in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured
separately for each virtual domain. For details, see “Using virtual domains” on
page 95.
This section describes:
• FortiGate DHCP servers and relays
• Configuring DHCP services
• Viewing address leases
Note: You can configure a Regular DHCP server on an interface only if the interface has a
static IP address. You can configure an IPSec DHCP server on an interface that has either
a static or a dynamic IP address.
You can configure one or more DHCP servers on any FortiGate interface. A
DHCP server dynamically assigns IP addresses to hosts on the network
connected to the interface. The host computers must be configured to obtain their
IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP
server for each network. The IP range of each DHCP server must match the
network address range. The routers must be configured for DHCP relay.
To configure a DHCP server, see “Configuring a DHCP server” on page 163.
You can configure a FortiGate interface as a DHCP relay. The interface forwards
DHCP requests from DHCP clients to an external DHCP server and returns the
responses to the DHCP clients. The DHCP server must have appropriate routing
so that its response packets to the DHCP clients arrive at the FortiGate unit.
Note: You can not configure DHCP in Transparent mode. In Transparent mode DHCP
requests pass through the FortiGate unit.
Note: An interface must have a static IP before you configure a DHCP server on it.
These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to
change the DHCP server settings to match.
Edit
Delete
Interface List of FortiGate interfaces. Expand each listed interface to view the
Relay and Servers.
Server Name/Relay IP   Name of FortiGate DHCP server or IP address of DHCP server
accessed by relay.
Type Type of DHCP relay or server: Regular or IPSec.
Enable Green check mark icon indicates that server or relay is enabled.
Add DHCP Server icon   Select to configure and add a DHCP server for this interface.
Edit icon Select to edit the DHCP relay or server configuration.
Delete icon Select to delete the DHCP server.
Exclude Ranges
Add Add a range of IP addresses to exclude.
You can add up to 16 exclude ranges of IP addresses that the
DHCP server cannot assign to DHCP clients. No range can exceed
65536 IP addresses.
Starting IP Enter the first IP address of the exclude range.
End IP Enter the last IP address of the exclude range.
Delete icon Delete the exclude range.
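The following Python example is added here and is not part of the FortiGate guide. It checks a DHCP server definition against the rules stated in this section: the server's address range must lie within the network of the interface it is attached to, at most 16 exclude ranges may be configured, and no exclude range may exceed 65536 addresses. It also counts how many addresses remain assignable once the exclusions are applied. The check that the pool does not contain the interface's own address is an added sanity check, not a rule from the guide; the interface address 192.168.1.99 is the default from the guide and the pool and exclude ranges are constructed.

```python
# Added example (not from the FortiGate guide): validate a DHCP server's pool
# and exclude ranges and count the assignable addresses.
import ipaddress
from typing import List, Tuple

MAX_EXCLUDE_RANGES = 16      # limit stated in the guide
MAX_EXCLUDE_SIZE = 65536     # addresses per exclude range, stated in the guide

Range = Tuple[str, str]      # (Starting IP, End IP), inclusive


def _as_ints(r: Range) -> Tuple[int, int]:
    """Convert a dotted-quad range to integer bounds, rejecting reversed ranges."""
    start, end = (int(ipaddress.IPv4Address(x)) for x in r)
    if start > end:
        raise ValueError(f"range {r[0]}-{r[1]} has its start after its end")
    return start, end


def validate_dhcp_server(interface_ip: str, pool: Range, excludes: List[Range]) -> List[str]:
    """interface_ip is the interface address in CIDR form, e.g. 192.168.1.99/24.

    Returns a list of problems; an empty list means the definition is acceptable.
    """
    problems: List[str] = []
    iface = ipaddress.ip_interface(interface_ip)
    net = iface.network
    p_start, p_end = _as_ints(pool)
    for ip in pool:
        if ipaddress.IPv4Address(ip) not in net:
            problems.append(f"pool address {ip} is outside {net}")
    if p_start <= int(iface.ip) <= p_end:   # added sanity check, not a guide rule
        problems.append("pool includes the interface's own address")
    if len(excludes) > MAX_EXCLUDE_RANGES:
        problems.append(f"{len(excludes)} exclude ranges configured; maximum is {MAX_EXCLUDE_RANGES}")
    for r in excludes:
        s, e = _as_ints(r)
        if e - s + 1 > MAX_EXCLUDE_SIZE:
            problems.append(f"exclude range {r[0]}-{r[1]} exceeds {MAX_EXCLUDE_SIZE} addresses")
    return problems


def assignable_addresses(pool: Range, excludes: List[Range]) -> int:
    """Number of pool addresses not covered by any exclude range."""
    p_start, p_end = _as_ints(pool)
    excluded = set()
    for r in excludes:
        s, e = _as_ints(r)
        excluded.update(range(max(s, p_start), min(e, p_end) + 1))
    return (p_end - p_start + 1) - len(excluded)


if __name__ == "__main__":
    pool = ("192.168.1.110", "192.168.1.210")          # constructed
    excludes = [("192.168.1.150", "192.168.1.159")]    # constructed
    print(validate_dhcp_server("192.168.1.99/24", pool, excludes))
    print(assignable_addresses(pool, excludes))
```

Overlapping exclude ranges are handled by collecting excluded addresses in a set, so an address excluded twice is only subtracted once.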
System Config
This section describes the configuration of several non-network features, such as
HA, SNMP, custom replacement messages, and Operation mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and
replacement messages are configured globally for the entire FortiGate unit.
Changing operation mode is configured for each individual VDOM. For details,
see “Using virtual domains” on page 95.
This section describes:
• HA
• SNMP
• Replacement messages
• Operation mode and VDOM management access
HA
FortiGate high availability (HA) provides a solution for two key requirements of
critical enterprise networking components: enhanced reliability and increased
performance. This section contains a brief description of HA web-based manager
configuration options, the HA cluster members list, HA statistics, and
disconnecting cluster members.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured
globally for the entire FortiGate unit. For details, see “Using virtual domains” on
page 95.
For complete information about how to configure and operate FortiGate HA
clusters see the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet
Knowledge Center.
HA is not available on FortiGate models 50A and 50AM. HA is available on all
other FortiGate models, including the FortiGate-50B.
The following topics are included in this section:
• HA options
• Cluster members list
• Viewing HA statistics
• Changing subordinate unit host name and device priority
• Disconnecting a cluster unit from a cluster
HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the
configuration of an operating cluster or cluster member.
To configure HA options so that a FortiGate unit can join an HA cluster, go to
System > Config > HA.
You can configure HA options for a FortiGate unit with virtual domains (VDOMs)
enabled by logging into the web-based manager as the global admin administrator
and then going to System > Config > HA.
Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual
clustering. Most virtual cluster HA options are the same as normal HA options. However,
virtual clusters include VDOM partitioning options. Other differences between configuration
options for regular HA and for virtual clustering HA are described below and in the
FortiGate HA Overview and the FortiGate HA Guide.
Mode Select an HA mode for the cluster or return the FortiGate units in the
cluster to standalone mode. When configuring a cluster, you must set all
members of the HA cluster to the same HA mode. You can select
Standalone (to disable HA), Active-Passive, or Active-Active. If virtual
domains are enabled you can select Active-Passive or Standalone.
Device Priority Optionally set the device priority of the cluster unit. Each cluster unit can
have a different device priority. During HA negotiation, the unit with the
highest device priority usually becomes the primary unit.
In a virtual cluster configuration, each cluster unit can have two device
priorities, one for each virtual cluster. During HA negotiation, the unit
with the highest device priority in a virtual cluster becomes the primary
unit for that virtual cluster.
Changes to the device priority are not synchronized. You can accept the
default device priority when first configuring a cluster. When the cluster
is operating you can change the device priority for different cluster units
as required.
Group Name Enter a name to identify the cluster. The maximum length of the group
name is 32 characters. The group name must be the same for all cluster
units before the cluster units can form a cluster. After a cluster is
operating, you can change the group name. The group name change is
synchronized to all cluster units.
The default group name is FGT-HA. You can accept the default group
name when first configuring a cluster. When the cluster is operating you
can change the group name, if required. Two clusters on the same
network cannot have the same group name.
Password Enter a password to identify the cluster. The maximum password length
is 15 characters. The password must be the same for all cluster units
before the cluster units can form a cluster.
The default is no password. You can accept the default password when
first configuring a cluster. When the cluster is operating, you can add a
password, if required. Two clusters on the same network must have
different passwords.
Enable Session pickup   Select to enable session pickup so that if the primary unit fails, all
sessions are picked up by the cluster unit that becomes the new primary
unit.
Session pickup is disabled by default. You can accept the default setting
for session pickup and then choose to enable session pickup after the
cluster is operating.
Port Monitor Select to enable or disable monitoring FortiGate interfaces to verify that
the monitored interfaces are functioning properly and connected to their
networks.
If a monitored interface fails or is disconnected from its network, the
interface leaves the cluster and a link failover occurs. The link failover
causes the cluster to reroute the traffic being processed by that interface
to the same interface of another cluster unit that still has a connection to
the network. This other cluster unit becomes the new primary unit.
Port monitoring (also called interface monitoring) is disabled by default.
Leave port monitoring disabled until the cluster is operating and then
only enable port monitoring for connected interfaces.
You can monitor up to 16 interfaces. This limit only applies to FortiGate
units with more than 16 physical interfaces.
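The following Python example is added here and is not part of the FortiGate guide. It models the cluster-forming rules and the primary-unit election described in the HA options above: units form a cluster only when their HA mode, group name (at most 32 characters) and password (at most 15 characters) all match, and during negotiation the unit with the highest device priority (0 to 255, default 128) becomes the primary unit, shown as MASTER in the cluster members list. The serial numbers and host names are constructed placeholders, and breaking a priority tie by serial number is an assumption made so the election is deterministic.

```python
# Added example (not from the FortiGate guide): HA option validation, cluster
# formation and primary-unit election by device priority.
from dataclasses import dataclass
from typing import Dict, List, Tuple

HA_MODES = ("Standalone", "Active-Passive", "Active-Active")


@dataclass
class HAUnit:
    serial: str                   # constructed placeholder, not a real serial number
    hostname: str
    mode: str                     # one of HA_MODES
    group_name: str = "FGT-HA"    # default group name from the guide
    password: str = ""            # default is no password
    device_priority: int = 128    # default device priority from the guide


def validate_ha_options(unit: HAUnit) -> List[str]:
    """Check the limits the guide states for the HA options form."""
    problems: List[str] = []
    if unit.mode not in HA_MODES:
        problems.append(f"{unit.hostname}: unknown HA mode {unit.mode!r}")
    if not 1 <= len(unit.group_name) <= 32:
        problems.append(f"{unit.hostname}: group name must be 1-32 characters")
    if len(unit.password) > 15:
        problems.append(f"{unit.hostname}: password longer than 15 characters")
    if not 0 <= unit.device_priority <= 255:
        problems.append(f"{unit.hostname}: device priority must be 0-255")
    return problems


def form_clusters(units: List[HAUnit]) -> Dict[Tuple[str, str, str], List[HAUnit]]:
    """Group units that would form a cluster together (same mode, group name and password)."""
    clusters: Dict[Tuple[str, str, str], List[HAUnit]] = {}
    for u in units:
        if u.mode == "Standalone":
            continue  # HA disabled: the unit joins no cluster
        clusters.setdefault((u.mode, u.group_name, u.password), []).append(u)
    return clusters


def negotiate_roles(members: List[HAUnit]) -> Dict[str, str]:
    """Map each member's host name to MASTER or SLAVE after HA negotiation."""
    # Highest device priority wins; the serial-number tie-break is an assumption.
    ranked = sorted(members, key=lambda u: (-u.device_priority, u.serial))
    return {u.hostname: ("MASTER" if i == 0 else "SLAVE") for i, u in enumerate(ranked)}


def sample_units() -> List[HAUnit]:
    """Constructed sample: two units that match, one with a different password, one standalone."""
    return [
        HAUnit("SERIAL-0001", "fgt-a", "Active-Passive", password="s3cret", device_priority=200),
        HAUnit("SERIAL-0002", "fgt-b", "Active-Passive", password="s3cret"),
        HAUnit("SERIAL-0003", "fgt-c", "Active-Passive", password="other"),
        HAUnit("SERIAL-0004", "fgt-d", "Standalone"),
    ]


if __name__ == "__main__":
    for key, members in form_clusters(sample_units()).items():
        print(key, negotiate_roles(members))
```

Two clusters on the same network must differ in group name or password, which is exactly why fgt-c ends up alone in a second cluster rather than joining fgt-a and fgt-b.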
If virtual domains are enabled, you can display the cluster members list to view the
status of the operating virtual clusters. The virtual cluster members list shows the
status of both virtual clusters including the virtual domains added to each virtual
cluster.
To display the virtual cluster members list for an operating cluster log in as the
global admin administrator and go to System > Config > HA.
View HA Statistics Displays the serial number, status, and monitor information for
each cluster unit. See “Viewing HA statistics” on page 173.
Up and down arrows Changes the order of cluster members in the list. The operation of
the cluster and of the units in the cluster is not affected. All that
changes is the order of the units on the cluster members list.
Cluster member Illustrations of the front panels of the cluster units. If the network
jack for an interface is shaded green, the interface is connected.
Pause the mouse pointer over each illustration to view the cluster
unit host name, serial number, how long the unit has been
operating (up time), and the interfaces that are configured for port
monitoring.
Hostname The host name of the FortiGate unit. The default host name of the
FortiGate unit is the FortiGate unit serial number.
• To change the primary unit host name, go to System > Status
and select Change beside the current host name.
• To change a subordinate unit host name, from the cluster
members list select the edit icon for a subordinate unit.
Role The status or role of the cluster unit in the cluster.
• Role is MASTER for the primary (or master) unit
• Role is SLAVE for all subordinate (or backup) cluster units
Priority The device priority of the cluster unit. Each cluster unit can have a
different device priority. During HA negotiation, the unit with the
highest device priority becomes the primary unit.
The device priority range is 0 to 255.
Disconnect from cluster   Select to disconnect a selected cluster unit from the cluster. See
“Disconnecting a cluster unit from a cluster” on page 175.
Edit Select to change a cluster unit HA configuration.
• For a primary unit, select Edit to change the cluster HA
configuration (including the device priority) of the primary unit.
• For a primary unit in a virtual cluster, select Edit to change the
virtual cluster HA configuration; including the virtual cluster 1
and virtual cluster 2 device priority of this cluster unit.
• For a subordinate unit, select Edit to change the subordinate
unit host name and device priority. See “Changing subordinate
unit host name and device priority” on page 174.
• For a subordinate unit in a virtual cluster, select Edit to change
the subordinate unit host name and the device priority of the
subordinate unit for the selected virtual cluster. See “Changing
subordinate unit host name and device priority” on page 174.
Download debug log Select to download an encrypted debug log to a file. You can send
this debug log file to Fortinet Technical Support
(http://support.fortinet.com) to help diagnose problems with the
cluster or with individual cluster units.
Viewing HA statistics
From the cluster members list, you can select View HA statistics to display the
serial number, status, and monitor information for each cluster unit. To view HA
statistics, go to System > Config > HA and select View HA Statistics.
Refresh every Select to control how often the web-based manager updates the HA
statistics display.
Back to HA monitor Select to close the HA statistics list and return to the cluster members
list.
Unit The host name and serial number of the cluster unit.
Status Indicates the status of each cluster unit. A green check mark
indicates that the cluster unit is operating normally. A red X indicates
that the cluster unit cannot communicate with the primary unit.
Up Time The time in days, hours, minutes, and seconds since the cluster unit
was last started.
Monitor Displays system status information for each cluster unit.
CPU Usage The current CPU status of each cluster unit. The web-based
manager displays CPU usage for core processes only. CPU usage
for management processes (for example, for HTTPS connections to
the web-based manager) is excluded.
Memory Usage The current memory status of each cluster unit. The web-based
manager displays memory usage for core processes only. Memory
usage for management processes (for example, for HTTPS
connections to the web-based manager) is excluded.
Active Sessions The number of communications sessions being processed by the
cluster unit.
Total Packets The number of packets that have been processed by the cluster unit
since it last started up.
Virus Detected The number of viruses detected by the cluster unit.
Network Utilization The total network bandwidth being used by all of the cluster unit
interfaces.
Total Bytes The number of bytes that have been processed by the cluster unit
since it last started up.
Intrusion Detected The number of intrusions or attacks detected by Intrusion Protection
running on the cluster unit.
To change the host name and device priority of a subordinate unit in an operating
cluster with virtual domains enabled, log in as the global admin administrator and
go to System > Config > HA to display the cluster members list. Select Edit for
any slave (subordinate) unit in the cluster members list.
You can change the host name (Peer) and device priority (Priority) of this
subordinate unit. These changes only affect the configuration of the subordinate
unit.
Figure 93: Changing the subordinate unit host name and device priority
Peer View and optionally change the subordinate unit host name.
Priority View and optionally change the subordinate unit device priority.
The device priority is not synchronized among cluster members. In a functioning
cluster you can change device priority to change the priority of any unit in the
cluster. The next time the cluster negotiates, the cluster unit with the highest
device priority becomes the primary unit.
The device priority range is 0 to 255. The default device priority is 128.
Serial Number Displays the serial number of the cluster unit to be disconnected from the
cluster.
Interface Select the interface that you want to configure. You also specify the IP
address and netmask for this interface. When the FortiGate unit is
disconnected, all management access options are enabled for this
interface.
IP/Netmask Specify an IP address and netmask for the interface. You can use this IP
address to connect to this interface to configure the disconnected
FortiGate unit.
SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware
on your network. You can configure the hardware, or FortiGate SNMP agent, to
report system information and send traps (alarms or event messages) to SNMP
managers. An SNMP manager is a computer running an application that can read
the incoming traps from the agent and track the information.
Using an SNMP manager, you can access SNMP traps and data from any
FortiGate interface or VLAN subinterface configured for SNMP management
access.
Note: Part of configuring an SNMP manager is to list it as a host in a community on the
FortiGate unit it will be monitoring. Otherwise the SNMP monitor will not receive any traps
from that FortiGate unit, or be able to query it.
Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.
Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on
interfaces in the management virtual domain. Traps cannot be sent over other interfaces.
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard
RFC 1213 and RFC 2665 MIBs. RFC support includes support for the parts of
RFC 2665 (Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to
FortiGate unit configuration.
The FortiGate MIB is listed in Table 10 along with the two RFC MIBs. You can
obtain these MIB files from Fortinet technical support. To be able to communicate
with the SNMP agent, you must compile all of these MIBs into your SNMP
manager.
Your SNMP manager may already include standard and private MIBs in a
compiled database that is ready to use. You must add the Fortinet proprietary MIB
to this database. If the standard MIBs used by the Fortinet SNMP agent are
already compiled into your SNMP manager you do not have to compile them
again.
FortiGate traps
The FortiGate agent can send traps to SNMP managers that you have added to
SNMP communities. To receive traps, you must load and compile the Fortinet 3.0
MIB into the SNMP manager.
FortiManager related traps are only sent if a FortiManager unit is configured to
manage this FortiGate unit.
All traps sent include the trap message as well as the FortiGate unit serial number
and hostname.
Replacement messages
Go to System > Config > Replacement Messages to change replacement
messages and customize alert email and information that the FortiGate unit adds
to content streams such as email messages, web pages, and FTP sessions.
The FortiGate unit adds replacement messages to a variety of content streams.
For example, if a virus is found in an email message, the file is removed from the
email and replaced with a replacement message. The same applies to pages
blocked by web filtering and email blocked by spam filtering.
Name: The type of replacement message. Select the blue triangle to expand or collapse the category. You can change messages added to:
• email with virus-infected attachments
• web pages (http)
• ftp sessions
• alert mail messages
• smtp email blocked as spam
• web pages blocked by web filter category blocking
• instant messaging and peer-to-peer sessions
Also, you can modify:
• the login page and rejected login page for user authentication
• disclaimer messages for user and administrator authentication (some models)
• keep alive page for authentication
• the FortiGuard web filtering block override page
• the login page for the SSL-VPN
Description: Description of the replacement message type. The web-based manager describes where each replacement message is used by the FortiGate unit.
Edit or view icon: Select to edit or view a replacement message.
Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept before the firewall policy takes effect. Therefore, the user must first initiate HTTP traffic (for example, open a web page) to trigger the Authentication Disclaimer page; traffic that is not HTTP does not trigger it. Once the Disclaimer is accepted, the user can send whatever traffic is allowed by the firewall policy.
Replacement messages can be text or HTML messages. You can add HTML code to HTML messages. Allowed Formats shows you which format to use in the replacement message. Each replacement message is limited to 8192 characters. The following fields and options are available when editing a replacement message; different replacement messages have different sets of fields and options.
Tag: Description
%%AUTH_LOGOUT%%: The URL that will immediately delete the current policy and close the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%%: The auth-keepalive page can prompt the user to open a new window which links to this tag.
%%CATEGORY%%: The name of the content category of the web site.
%%DEST_IP%%: The IP address of the request destination from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web server that sent the virus.
%%EMAIL_FROM%%: The email address of the sender of the message from which the file was removed.
%%EMAIL_TO%%: The email address of the intended receiver of the message from which the file was removed.
%%FAILED_MESSAGE%%: The failed-to-login message displayed on the auth-login-failed page.
%%FILE%%: The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%%: The FortiGuard - Web Filtering logo.
%%FORTINET%%: The Fortinet logo.
%%HTTP_ERR_CODE%%: The HTTP error code, “404” for example.
%%HTTP_ERR_DESC%%: The HTTP error description.
%%NIDSEVENT%%: The IPS attack message. %%NIDSEVENT%% is added to alert email intrusion messages.
%%OVERRIDE%%: The link to the FortiGuard Web Filtering override form. This is visible only if the user belongs to a group that is permitted to create FortiGuard web filtering overrides.
%%OVRD_FORM%%: The FortiGuard web filter block override form. This tag must be present in the FortiGuard Web Filtering override form and should not be used in other replacement messages.
%%PROTOCOL%%: The protocol (http, ftp, pop3, imap, or smtp) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%QUARFILENAME%%: The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%QUESTION%%: Authentication challenge question on the auth-challenge page. Prompt to enter username and password on the auth-login page.
%%SERVICE%%: The name of the web filtering service.
%%SOURCE_IP%%: The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.
%%TIMEOUT%%: Configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.
%%URL%%: The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%VIRUS%%: The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
Example
The following is an example of a simple authentication page. The hidden fields (%%MAGICID%%, %%STATEID%% and %%REDIRID%%, with the values the FortiGate unit supplies) and the %%USERNAMEID%% and %%PASSWORDID%% inputs are what the FortiGate unit expects the form to post back, so keep them in any customized page.
<HTML>
<HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY>
<H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" METHOD="post">
  <!-- session token supplied by the FortiGate unit; leave unchanged -->
  <INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
  <TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0" CELLPADDING="15" CELLSPACING="0" WIDTH="320">
  <TBODY>
    <TR><TH>Username:</TH>
        <TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"></TD></TR>
    <TR><TH>Password:</TH>
        <TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password"></TD></TR>
    <TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
        <!-- login state and the URL to redirect to after a successful login -->
        <INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
        <INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
        <INPUT VALUE="Continue" TYPE="submit"></TD></TR>
  </TBODY>
  </TABLE>
</FORM>
</BODY>
</HTML>
Interface IP/Netmask: Enter a valid IP address and netmask for the network from which you want to manage the FortiGate unit.
Device: Select the interface to which the Interface IP/Netmask settings apply.
Default Gateway: Enter the default gateway required to reach other networks from the FortiGate unit.
Gateway Device: Select the interface to which the default gateway is connected.
Management access
You can configure management access on any interface in your VDOM. See
“Administrative access to an interface” on page 125. In NAT/Route mode, the
interface IP address is used for management access. In Transparent mode, you
configure a single management IP address that applies to all interfaces in your
VDOM that permit management access. The FortiGate also uses this IP address
to connect to the FDN for virus and attack updates (see “FortiGuard” on
page 241).
The system administrator (admin) can access all VDOMs, and create regular administrator accounts. A regular administrator account can access only the VDOM to which it belongs, and the management computer must connect to an interface in that VDOM. For the admin account, it does not matter to which VDOM the interface belongs. In both cases, the management computer must connect to an interface that permits management access, and its IP address must be on the same network as that interface.
Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are enabled on the interface. HTTPS and SSH are preferred because HTTP and telnet send administrator credentials and session data in cleartext.
You can allow remote administration of the FortiGate unit. However, allowing
remote administration from the Internet could compromise the security of the
FortiGate unit. You should avoid this unless it is required for your configuration. To
improve the security of a FortiGate unit that allows remote administration from the
Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or
SSH.
• Use Trusted Hosts to limit where the remote access can originate from.
• Do not change the system idle timeout from the default value of 5 minutes (see
“Settings” on page 215).
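Added example (not from the original guide) showing the CLI form of the hardening steps listed above: administrative access on the Internet-facing interface limited to HTTPS and SSH, the internal interface also answering ping, and the idle timeout left at the 5-minute default. The interface names wan1 and internal are assumptions; lines starting with # are annotations, not commands.

```text
config system interface
    edit "wan1"
        # no http or telnet: both carry the administrator password in cleartext
        set allowaccess https ssh
    next
    edit "internal"
        set allowaccess https ssh ping
    next
end
config system global
    # idle timeout in minutes; 5 is the default the guide recommends keeping
    set admintimeout 5
end
```

Verify with `show system interface wan1`: the allowaccess line must not list http or telnet. Trusted hosts, the remaining item in the list, are set per administrator account rather than per interface; see the trusted host example under Configuring an administrator account.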
System Administrators
This section describes how to configure administrator accounts on your FortiGate
unit. Administrators access the FortiGate unit to configure its operation. In its
factory default configuration, the unit has one administrator, admin. After
connecting to the web-based manager or the CLI, you can configure additional
administrators with various levels of access to different parts of the FortiGate unit
configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, system
administrators are configured globally for the entire FortiGate unit. For details, see
“Using virtual domains” on page 95.
Note: Always end your FortiGate session by logging out, in the CLI or the web-based
manager. If you do not, the session remains open.
Administrators
There are two levels of administrator accounts:
Note: The password of users with the super_admin access profile can be reset in the CLI.
If the password of a user who is logged in is changed, they will be logged out and made to
re-authenticate with the new password.
For a user ITAdmin with the access profile super_admin, to set the password to 123456:
    config sys admin
        edit ITAdmin
            set password 123456
    end
For a user ITAdmin with the access profile super_admin, to reset the password from 123456 to the default ‘empty’:
    config sys admin
        edit ITAdmin
            unset password 123456
    end
There is also an access profile that allows read-only super admin privileges,
super_admin_readonly. The super_admin_readonly profile cannot be deleted or
changed, similar to the super_admin profile. This read-only super-admin profile is
suitable in a situation where it is necessary for a system administrator to
troubleshoot a customer configuration without being able to make changes. Other
than being read-only, the super_admin_readonly profile has full access to the
FortiGate unit configuration.
When you select Type > Regular, you will see Local as the entry in the Type
column when you view the list of administrators. For more details, see “Viewing
the administrators list” on page 204.
You may also configure additional features. For more information, see
“Configuring an administrator account” on page 205.
Note: See the Fortinet Knowledge Center article Recovering lost administrator account
passwords if you forget or lose an administrator account password and cannot log into your
FortiGate unit.
Note: Access to the FortiGate is according to the VDOM associated with the administrator
account.
The following procedures assume that there is a RADIUS server on your network
populated with the names and passwords of your administrators. For information
on how to set up a RADIUS server, see the documentation for your RADIUS
server.
Name: A name that identifies the RADIUS server. Use this name when you create the user group.
Primary Server Name/IP: The domain name or IP address of the RADIUS server.
Primary Server Secret: The RADIUS server secret. The RADIUS server administrator can provide this information.
4 Select OK.
You may also provide information regarding a secondary RADIUS server, custom
authentication scheme, and a NAS IP/Called Station ID. In addition, you can
configure the RADIUS server to be included in every user group in the associated
VDOM. For more information, see “Configuring a RADIUS server” on page 425.
You may also configure additional features. For more information, see
“Configuring an administrator account” on page 205.
Name: The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP: The domain name or IP address of the LDAP server.
Server Port: The TCP port used to communicate with the LDAP server.
Common Name Identifier: The common name identifier for the LDAP server.
Distinguished Name: The base distinguished name for the server in the correct X.500 or LDAP format.
Query icon: View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see “Using Query” on page 429.
Bind Type: The type of binding for LDAP authentication.
Filter: Filter used for group searching.
User DN: Distinguished name of the user to be authenticated.
Password: Password of the user to be authenticated.
Secure Connection: Use a secure LDAP server connection for authentication.
Protocol: A secure LDAP protocol to use for authentication.
Certificate: A certificate to use for authentication.
4 Select OK.
For further information about LDAP authentication, see “Configuring an LDAP
server” on page 427.
You may also configure additional features. For more information, see
“Configuring an administrator account” on page 205.
Note: The following fields in the PKI User List correspond to the noted fields in the PKI
User dialog:
User Name: Name
Subject: Subject
CA: Issuer (CA certificate)
You may also configure additional features. For more information, see
“Configuring an administrator account” on page 205
Note: See the Fortinet Knowledge Center article Recovering lost administrator account
passwords if you forget or lose an administrator account password and cannot log into your
FortiGate unit.
If you are using remote authentication for this administrator (RADIUS, LDAP, or
TACACS+):
• Select Remote.
• Select Wildcard if you want all accounts on the RADIUS, LDAP, or TACACS+
server to be administrators of this FortiGate unit.
• Type and confirm the password for the administrator account. This step does
not apply if you are using Remote Wildcard or PKI certificate-based
authentication.
• Select the administrators user group from the User Group list.
If you are using PKI certificate-based authentication for this administrator:
• Select PKI.
• Select the administrators user group from the User Group list.
5 If required, type Trusted Host IP address(es) and netmask(s) from which the
administrator can log into the web-based manager.
6 Select the access profile for the administrator.
7 Select OK.
The trusted host addresses all default to 0.0.0.0/0, which matches any source. If you set one of them to a non-zero address, the remaining 0.0.0.0/0 entries are ignored, so logins for that account are accepted only from the addresses you list. The only way to keep a wildcard (any-source) entry is to leave all of the trusted hosts at 0.0.0.0/0. However, this configuration is less secure.
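Added example (not from the original guide) of an administrator account whose logins are limited to a management subnet and one jump host, as the trusted host rule above describes. The account name, addresses and profile are assumptions, <new-password> is a placeholder, and lines starting with # are annotations, not commands.

```text
config system admin
    edit "ITAdmin"
        set accprofile "super_admin"
        # management subnet, given as address and netmask
        set trusthost1 10.1.1.0 255.255.255.0
        # a single jump host
        set trusthost2 192.168.50.7 255.255.255.255
        # trusthost3 is left at 0.0.0.0 0.0.0.0; because trusthost1 is
        # non-zero it is ignored and does not admit every source
        set password <new-password>
    next
end
```

After saving, test from a host outside both ranges: the login must fail before the password is even checked. If an administrator is locked out after a change, `show system admin ITAdmin` from a session on a permitted host shows which trusted hosts are actually set.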
Access profiles
Each administrator account belongs to an access profile. The access profile
separates FortiGate features into access control categories for which you can
enable none (deny), read only, or read/write access. The following table lists the
web-based manager pages to which each category provides access:
You can now expand the firewall configuration access control to enable more
granular control of access to the firewall functionality. You can control
administrator access to policy, address, service, schedule, profile, and other (VIP)
configurations.
Note: When Virtual Domain Configuration is enabled (see “Settings” on page 215), only the
administrators with the access profile super_admin have access to global settings. When
Virtual Domain Configuration is enabled, other administrator accounts are assigned to one
VDOM and cannot access global configuration options or the configuration for any other
VDOM.
For information about which settings are global, see “VDOM configuration settings” on
page 97.
The access profile has a similar effect on administrator access to CLI commands.
The following table shows which command types are available in each access
control category. You can access “get” and “show” commands with read access.
Access to “config” commands requires write access.
Go to System > Admin > Access Profile to add access profiles for FortiGate
administrators. Each administrator account belongs to an access profile. You can
create access profiles that deny access to, allow read-only, or allow both read-
and write-access to FortiGate features.
When an administrator has read-only access to a feature, the administrator can
access the web-based manager page for that feature but cannot make changes to
the configuration. There are no Create or Apply buttons and lists display only the
View ( ) icon instead of icons for Edit, Delete or other modification commands.
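Added example (not from the original guide): an access profile for a firewall operator who can edit policies but only view the objects those policies reference and the logs, with all other categories denied. The profile name is an assumption, and the keyword names (fwgrp custom, the fwgrp-permission sub-table and the group names) are assumed to match this firmware; compare with the options `config system accprofile` offers on your unit. Lines starting with # are annotations, not commands.

```text
config system accprofile
    edit "fw_policy_ops"
        # granular firewall control: policy is writable, the objects it
        # references are read-only, VIPs and other firewall objects denied
        set fwgrp custom
        config fwgrp-permission
            set policy read-write
            set address read
            set service read
            set schedule read
            set profile read
            set others none
        end
        # logs can be inspected but not cleared or reconfigured
        set loggrp read
        # everything else denied; set every remaining group to none as well
        set sysgrp none
        set netgrp none
        set routegrp none
        set vpngrp none
        set admingrp none
    next
end
```

An administrator assigned this profile can run `get` and `show` in the categories marked read and `config` only under firewall policy, which matches the CLI rule stated above. Keep the profile to one job: if the operator also needs system or network write access, create a second profile rather than widening this one.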
Central Management
The Central Management tab provides the option of remotely managing your
FortiGate unit by either a FortiManager unit or the FortiGuard Analysis and
Management Service.
From System > Admin > Central Management, you can configure your
FortiGate unit to back up or restore configuration settings automatically to the
specified central management server. The central management server is the type
of service you enable, either a FortiManager unit or the FortiGuard Analysis and
Management Service. If you have a subscription for FortiGuard Analysis and
Management Service, you can also remotely upgrade the firmware on the
FortiGate unit.
The Revision Control tab, which is part of Central Management, displays a list of
the backed up configuration files. The list displays only when your FortiGate unit is
managed by a central management server.
From the Revision Control tab, you can download a backed up configuration file,
revert to a selected revision, or compare two revisions.
Current Page: By default, the first page of the list of items is displayed. The total number of pages appears after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see “Using page controls on web-based manager lists” on page 61.
Revision: An incremental number indicating the order in which the configurations were saved. These may not be consecutive numbers if one or more configurations have been deleted. The most recent, which is also the largest number, is first in the list.
Date/Time: Displays the date and time when this configuration was saved on the FortiGate unit.
Administrator: Displays the administrator account that was used to back up this revision.
Comments: Any relevant description or notes that were saved with the revision. This is a good place to include information about why the revision was saved, who saved it, and if there is a date when it can be deleted to free up space.
Diff icon: Select the diff icon to compare two revisions. This displays a window that lets you compare the selected revision to one of:
• the current configuration
• a selected revision from the displayed list, including revision history and templates
• a specified revision number
Download icon: Select the download icon to download this revision to your local PC.
Revert icon: Select to go back to the selected revision. You will be prompted to confirm this action.
Settings
Go to System > Admin > Settings to set the following options:
• Ports for HTTP/HTTPS administrative access and SSL VPN login
• The idle timeout setting
• Display settings that include the language of the web-based manager and the
number of lines displayed in generated reports
• PIN protection for LCD and control buttons (LCD-equipped models only)
• Enable SCP capability for users logged in via SSH
• Configure Gi Gatekeeper settings for GTP traffic inspection
• Enable IPv6 support on GUI (default configuration only available in CLI)
Note: If you make a change to the default port number for HTTP, HTTPS, telnet, or SSH,
ensure that the port number is unique.
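Added example (not from the original guide) of the port and SCP settings above in CLI form, with HTTPS administration moved off port 443 so that it and an SSL VPN login on the same interface each have a unique port, as the note requires. The port numbers are assumptions and the option names are assumed to match this firmware; lines starting with # are annotations, not commands.

```text
config system global
    # HTTP administration port (better still, omit http from allowaccess)
    set admin-port 80
    # HTTPS administration moved to a dedicated port
    set admin-sport 8443
    set admin-ssh-port 22
    # allow scp of the configuration over an authenticated SSH session
    set admin-scp enable
end
```

After changing admin-sport, reconnect to https://<unit-address>:8443/ and update any trusted-host firewall rules that referenced port 443; a mistyped port here locks the web-based manager out until it is corrected from the CLI.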
Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under
System Information, you will see Current Administrators. Click on Details to view
information about the administrators currently logged in to the FortiGate unit.
System Certificates
This section explains how to manage X.509 security certificates using the
FortiGate web-based manager. Certificate authentication allows administrators to
generate certificate requests, install signed certificates, import CA root certificates
and certificate revocation lists, and back up and restore installed certificates and
private keys.
Authentication is the process of determining whether a remote host can be trusted, which ultimately controls remote access to network resources. To establish its trustworthiness, the remote host presents a certificate issued to it by a certification authority (CA); the application verifies the CA’s signature on that certificate and can accept or reject it. The FortiGate unit can use certificate authentication to allow administrative access via HTTPS, and to authenticate IPSec VPN peers or clients and SSL VPN user groups or clients.
If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates
are configured globally for the entire FortiGate unit. For details, see “Using virtual
domains” on page 95.
For additional background information on certificates, see the FortiGate
Certificate Management User Guide.
This section describes:
• Local Certificates
• Remote Certificates
• CA Certificates
• CRL
Local Certificates
Certificate requests and installed server certificates are displayed in the Local Certificates list. After you submit the request to a CA, the CA verifies the information and issues a digital certificate that binds the contact information to the public key from the request and carries a serial number and an expiration date. The CA signs the certificate and sends it to you to install on the FortiGate unit, where it is paired with the private key that was generated with the request.
To view certificate requests and/or import signed server certificates, go to System
> Certificates > Local Certificates. To view certificate details, select the View
Certificate Detail icon in the row that corresponds to the certificate.
Icons in the Local Certificates list: Download, View Certificate Detail, Delete, Remove/Add OU.
To import a signed certificate only:
Certificate File: Enter the full path to and file name of the signed server certificate.
Browse: Alternatively, browse to the location on the management computer where the certificate has been saved, select the certificate, and then select OK.
To import a certificate and its private key from a PKCS12 file:
Certificate with key file: Enter the full path to and file name of the previously exported PKCS12 file.
Browse: Alternatively, browse to the location on the management computer where the PKCS12 file has been saved, select the file, and then select OK.
Password: Type the password needed to open the PKCS12 file.
To import a certificate and its private key from separate files:
Certificate file: Enter the full path to and file name of the previously exported certificate file.
Key file: Enter the full path to and file name of the previously exported key file.
Browse: Browse to the location of the previously exported certificate file/key file, select the file, and then select OK.
Password: If a password is required to open the files, type the password.
Note: The certificate file must not use 40-bit RC2-CBC encryption. OpenSSL’s default PKCS12 export, for example, protects the certificate with 40-bit RC2; export the file with a 3DES certificate cipher instead before importing it.
Remote Certificates
Installed Remote (OCSP) certificates are displayed in the Remote Certificates list.
To view installed Remote (OCSP) certificates or import a Remote (OCSP)
certificate, go to System > Certificates > Remote. To view certificate details,
select the View Certificate Detail icon in the row that corresponds to the certificate.
The system assigns a unique name to each Remote (OCSP) certificate. The
names are numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2,
REMOTE_Cert_3, and so on).
CA Certificates
When you apply for a signed personal or group certificate to install on remote
clients, you must obtain the corresponding root certificate and CRL from the
issuing CA.
When you receive the signed personal or group certificate, install the signed
certificate on the remote client(s) according to the browser documentation. Install
the corresponding root certificate and CRL from the issuing CA on the FortiGate
unit.
Installed CA certificates are displayed in the CA Certificates list. You cannot delete
the Fortinet_CA certificate. To view installed CA root certificates or import a CA
root certificate, go to System > Certificates > CA Certificates. To view root
certificate details, select the View Certificate Detail icon in the row that
corresponds to the certificate.
Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that
has management access to the FortiGate unit.
To import a CA root certificate, go to System > Certificates > CA Certificates
and select Import.
When you select OK and you have elected to import a certificate via the SCEP
server, the system starts the retrieval process immediately.
The system assigns a unique name to each CA certificate. The names are
numbered consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).
CRL
A Certificate Revocation List (CRL) is a CA-signed list of the serial numbers of certificates that the CA has revoked before their expiry date, with the date of each revocation. Installed CRLs are displayed in the CRL list. The FortiGate unit checks CRLs to ensure that the certificates presented by CAs and remote clients have not been revoked; a missing or expired CRL leaves revoked certificates undetected, which is why automatic retrieval of the current CRL matters.
To view installed CRLs, go to System > Certificates > CRL.
Import: Import a CRL. See “Importing a certificate revocation list” on page 228.
Name: The names of existing certificate revocation lists. The FortiGate unit assigns unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists when they are imported.
Subject: Information about the certificate revocation list.
Delete icon: Delete the selected CRL from the FortiGate configuration.
View Certificate Detail icon: Display CRL details such as the issuer name and CRL update dates. See example Figure 128.
Download icon: Save a copy of the CRL to a local computer.
Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest
version of the CRL is retrieved automatically from the server when the FortiGate unit does
not have a copy of it or when the current copy expires.
To import a certificate revocation list, go to System > Certificates > CRL and
select Import.
HTTP: Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP server.
LDAP: Select to use an LDAP server to retrieve the CRL. Select the LDAP server from the drop-down list.
SCEP: Select to use an SCEP server to retrieve the CRL. Select the Local Certificate from the drop-down list. Enter the URL of the SCEP server from which the CRL can be retrieved.
Local PC: Select to upload a CRL file from the administrator’s PC. Enter the location, or browse to the location on the management computer where the CRL file has been saved, select the file, and then select OK.
The system assigns a unique name to each CRL. The names are numbered
consecutively (CRL_1, CRL_2, CRL_3, and so on).
System Maintenance
This section describes how to maintain your system configuration as well as
information about enabling and updating FDN services. This section also explains
the types of FDN services that are available for your FortiGate unit.
If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance
is configured globally for the entire FortiGate unit. For more information, see
“Using virtual domains” on page 95.
This section includes the following topics:
• Maintenance System Configuration
• Revision Control
• Scripts
• FortiGuard
• Troubleshooting FDN connectivity
• Updating antivirus and attack definitions
• Enabling push updates
• License
When virtual domain configuration is enabled, the content of the backup file
depends on the administrator account that created it. A backup of the system
configuration from the super admin account contains global settings and the
settings included in each VDOM. Only the super admin can restore the
configuration from this file. When you back up the system configuration from a
regular administrator account, the backup file contains the global settings and the
settings for the VDOM that the regular administrator belongs to. A regular
administrator is the only user account that can restore the configuration from this
file.
Some FortiGate models support FortiClient by storing a FortiClient image that
users can download. The FortiClient section of Backup and Restore is available if
your FortiGate model supports FortiClient. This feature is currently available on
FortiGate-1000A, 3600A, and 5005FA2 models.
The following sections each explain the corresponding part of the Backup & Restore page. For example, “Backup and Restore” on page 231 describes that part of the page in detail, such as the locations to which you can back up a configuration file and from which you can restore one.
These sections are:
• Backup and Restore
• Firmware
• FortiClient
• Advanced
Note: The Firmware Section is available only on FortiGate-100A units and higher. If you
have a FortiGate-100 unit or lower, you can upgrade or downgrade the firmware by going to
System > Status and selecting Update for Firmware Version.
Figure 131:Backup and Restore local options with FortiGuard Analysis and
Management Service enabled
System Configuration (Last Backup:): Displays the date and time of the last local or remote backup. If you backed up the configuration file using a USB disk, only the date displays; the time is not saved when backing up to a USB disk.
Backup: Displays the options available for backing up your current configuration.
USB Disk: Displays only if the FortiGate unit includes a USB port. You must connect a USB disk to the FortiGate unit USB port to back up your configuration to a USB disk. If you do not connect a USB disk, this option is grayed out. See “USB Disks” on page 238.
Restore: Displays the options available for restoring a configuration.
USB Disk: Displays only if the FortiGate unit includes a USB port. You must connect a USB disk to the FortiGate unit USB port to restore your configuration from a USB disk. If you do not connect a USB disk, this option is grayed out. See “USB Disks” on page 238.
Filename: Select the configuration file name from the Browse list if you are restoring the configuration from a USB disk. Enter the configuration file name or use the Browse button if you are restoring the configuration from a file on the management computer.
Note: The radio button, Management Station, appears when the FortiGuard Analysis and
Management Service is disabled. The FortiGuard radio button appears when FortiGuard
Analysis and Management Service is enabled.
Backup (FortiManager): Displays the options available for backing up your current configuration to a FortiManager unit.
Backup configuration to: Select the FortiManager option to upload the configuration to the FortiManager unit. The Local PC option is always available.
Comments: Enter a description or information about the file in the Comments field. This is optional.
Backup: Select to back up the configuration file to the FortiManager unit. A confirmation message displays after the backup completes successfully.
Restore (FortiManager): Displays the options for restoring a configuration file.
Restore configuration from: Select the FortiManager option to download the configuration file from the FortiManager unit.
Please Select: Select the configuration file you want to restore from the list. This list includes the comments you entered in the Comments field before the file was uploaded to the FortiManager unit. The list is in numerical order, with the most recently uploaded configuration first.
Restore: Select to restore the configuration from the FortiManager unit.
Backup (FortiGuard Analysis and Management Service): Displays the options available for backing up your current configuration to the FortiGuard Analysis and Management Service server.
Backup configuration to: Select the FortiGuard option to upload the configuration to the FortiGuard Analysis and Management Service server. The Local PC option is always available.
Comments: Enter a description or note in the Comments field.
Backup: Select to back up the configuration file to the FortiGuard Analysis and Management Service. A confirmation message displays after the backup completes successfully.
Restore (FortiGuard Analysis and Management Service): Displays the options for restoring a configuration file.
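Added example (not from the original guide) of the same configuration backup and restore from the CLI, which is the fallback when the web-based manager is unreachable. The file names and the TFTP server address are assumptions; lines starting with # are annotations, not commands.

```text
# back up the running configuration to a USB disk connected to the unit
execute backup config usb fgt-edge-2009-01-12.conf
# back up to a TFTP server on the management network
execute backup config tftp fgt-edge-2009-01-12.conf 10.1.1.20
# restore from that TFTP server; the unit reboots to apply the restored configuration
execute restore config tftp fgt-edge-2009-01-12.conf 10.1.1.20
```

TFTP has no authentication or encryption, so run these only across a management network you trust and move the file off the TFTP server afterwards: the backup contains every administrator hash, shared secret and pre-shared key on the unit. As described above, what the backup contains depends on the account that takes it: a backup taken as the super admin includes the global settings and every VDOM, while a regular administrator’s backup covers only that administrator’s VDOM.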
Firmware
The Firmware section displays the current version of firmware installed on your
FortiGate unit, and also displays the firmware version currently in use if there is
more than one firmware image saved on the FortiGate unit.
Partition: A partition can contain one version of the firmware and the system configuration. FortiGate-100A units and higher have two partitions. One partition is active and the other is used as a backup.
Active: A green check mark indicates the partition currently in use.
Last Upgrade: The date and time of the last update to this partition.
Firmware Version: The version and build number of the FortiGate firmware. If your FortiGate model has a backup partition, you can:
• Select Upload to replace this partition’s firmware with firmware from the management computer or a USB disk. The USB disk must be connected to the FortiGate unit USB port. See “USB Disks” on page 238.
• Select Upload and Reboot to replace the firmware and make this the active partition.
Boot alternate firmware: Restart the FortiGate unit using the backup firmware. This is only available for FortiGate-100A units and higher.
Firmware Upgrade
The Firmware Upgrade section of the Backup and Restore page displays options
for upgrading to a new version using the FortiGuard Analysis and Management
Service if that option is available to you. Using the FortiGuard Analysis and
Management Service to upgrade the firmware on your FortiGate unit is only
available on certain FortiGate units. You must register for the service by
contacting customer support.
Detailed firmware version information is provided if you have subscribed for the
FortiGuard Analysis and Management Service.
Upgrade method: Select to upgrade from the FortiGuard Analysis and Management Service. You can also choose to upgrade by file if a current firmware version is stored on your management computer.
[Please Select]: Select one of the available firmware versions. The list contains the following information for each available firmware release:
• continent (for example, North America)
• maintenance release number
• patch release number
• build number
For example, if you are upgrading to FortiOS 3.0 MR6 and the FortiGate unit is located in North America, the firmware version available is v3.0 MR6-NA (build 0700).
Allow firmware downgrade: Select to be able to install older versions than the one currently installed. This is useful if the current version changed functionality you need and you have to revert to the previous image.
Upgrade by File: Select Browse to select a file on your local PC to upload to the FortiGate unit.
OK: Select OK to enable your selection.
FortiClient
If your FortiGate unit supports the host check function, you can view version
information for the FortiClient application stored on the unit, including uploading a
current firmware version of the FortiClient application.
Some FortiGate units provide a host check function that can determine whether
users’ computers have FortiClient Host Security software installed. Users who fail
the host check are redirected to a web portal where they can download the
FortiClient application. For more information, see “Options to detect FortiClient on
hosts” on page 308.
Advanced
The Advanced section on the Backup and Restore page includes the USB Auto
Install feature and the debug log.
Advanced (USB Auto-Install, Download Debug Log): This section is only available if the FortiGate unit includes a USB port. You must connect a USB disk to the FortiGate unit USB port to use the USB auto-install feature. See “USB Disks” on page 238. Select the options as required and restart the FortiGate unit. If you select both configuration and firmware update, both occur on the same reboot. The FortiGate unit will not reload a firmware or configuration file that is already loaded.
Download Debug Log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.
USB Disks
FortiGate units with USB port(s) support USB disks for backing up and restoring
configurations.
FortiUSB and generic USB disks are supported, but the generic USB disk must be
formatted as a FAT16 disk. No other partition type is supported.
There are two ways to format the USB disk: from the FortiGate CLI or from a Windows system. In the CLI, use the command:
exe usb-disk format
On a Windows system, at the DOS command prompt or a similar prompt, type:
format <drive_letter>: /FS:FAT /V:<drive_label>
where <drive_letter> is the letter of the connected USB drive you want to format, and <drive_label> is the name you want to give the USB drive for identification.
Note: Formatting the USB disk deletes all information on the disk. Back up the information
on the USB disk before formatting to ensure all information on the disk is recoverable.
Revision Control
The Revision Control tab enables you to manage multiple versions of
configuration files and appears only after registering and configuring the
FortiGuard Analysis and Management Service. Revision Control requires a
configured central management server. This server can either be a FortiManager
unit or the FortiGuard Analysis and Management Service.
Figure: Revision Control list (icons: Diff, Download, Revert)
Current Page: By default, the first page of the list of items is displayed. The total number of pages appears after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see “Using page controls on web-based manager lists” on page 61.
Revision: An incremental number indicating the order in which the configurations were saved. These may not be consecutive numbers if one or more configurations are deleted. The most recent revision, which is also the largest number, is first in the list.
Date/Time: Displays the date and time when this configuration was saved on the FortiGate unit.
Administrator: Displays the administrator account that was used to back up this revision.
Comments: Any relevant information saved with the revision. A description provides information about why the revision was saved, who saved it, and if there is a date when it can be deleted to free up space.
Diff icon: Select to compare two revisions. A window appears after selecting the diff icon, enabling you to view and compare the selected revision to one of:
• the current configuration
• a selected revision from the displayed list, including revision history and templates
• a specified revision number
Download icon: Select to download this revision to your local PC.
Revert icon: Select to revert the configuration to the selected revision. You will be prompted to confirm this action.
Scripts
If you have FortiGuard Analysis and Management Service enabled, you can
configure and manage scripts. Scripts are files that are comprised of command
text and are usually composed in a plain text editor.
From the Script tab, you can upload bulk CLI command files and view which files
were uploaded to or executed on the FortiGate unit. The uploaded script files appear
on the FortiGuard Analysis and Management Service portal web site.
After executing scripts, you can view script execution history on the Script page.
The past ten executed scripts display.
Execute Script from [Upload Bulk CLI Command File]: Select Browse to locate the script file and then select Apply to upload the file to the FortiGuard Analysis and Management Service portal web site.
Script Execution History (past 10 scripts): Displays the past 10 scripts that were uploaded to the FortiGuard Analysis and Management Service portal web site, including their status, name, type, and the time when they were uploaded.
  Name: The name of the script file that was uploaded to the FortiGuard Analysis and Management Service web site.
  Type: The type of upload that occurred, either from the management computer or from the FortiGuard Analysis and Management Service portal web site.
  Time: The time when the file was uploaded, in the format yyyy-mm-dd hh:mm:ss.
  Status: The status of the uploaded script file: whether it succeeded or failed.
  Delete icon: Select to delete the script file entry.
Uploading scripts
After you have created a script file, you can upload it in System >
Maintenance > Script. After the script uploads, you can view the script, or configure
it to run, on the FortiGuard Analysis and Management portal web site.
All script files that are uploaded in System > Maintenance > Script are uploaded
to the FortiGuard Analysis and Management Service portal web site.
To execute a script
1 Go to System > Maintenance > Scripts.
2 Verify that the radio button is selected for Upload Bulk CLI Command File.
3 Select Browse to locate the script file.
4 Select Apply.
The following message appears:
Settings successfully uploaded. Please wait while the system restarts.
5 The FortiGate unit restarts. This may take a few minutes.
You can view the script or run the script from the FortiGuard Analysis and
Management Service portal web site. For more information about viewing or
running an uploaded script on the portal web site, see the FortiGuard Analysis
and Management Service Administration Guide.
FortiGuard
The FortiGuard tab enables you to configure your FortiGate unit to use the
FortiGuard Distribution Network (FDN) and FortiGuard Services. The FDN
provides updates to antivirus and IPS attack definitions. FortiGuard Services
provide an online IP address black list, a URL black list, and other spam filtering tools.
FortiGuard Services
Worldwide coverage of FortiGuard services is provided by FortiGuard Service
Points. When the FortiGate unit connects to the FDN, it connects to the
closest FortiGuard Service Point. Fortinet adds new Service Points as required.
By default, the FortiGate unit communicates with the closest Service Point. If the
Service Point becomes unreachable for any reason, the FortiGate unit contacts
another Service Point and information is available within seconds. By default, the
FortiGate unit communicates with the Service Point via UDP on port 53.
Alternately, the UDP port used for Service Point communication can be switched
to port 8888 by going to System > Maintenance > FortiGuard.
If you need to change the default FortiGuard Service Point host name, use the
hostname keyword in the system fortiguard CLI command. You cannot
change the FortiGuard Service Point name using the web-based manager.
For more information about FortiGuard services, see the FortiGuard Center web
page.
Every FortiGate unit comes with a free 30-day FortiGuard Antispam trial license.
FortiGuard Antispam license management is performed by Fortinet servers; there
is no need to enter a license number. The FortiGate unit automatically contacts a
FortiGuard Antispam Service Point when enabling FortiGuard Antispam. Contact
Fortinet Technical support to renew the FortiGuard Antispam license after the free
trial expires.
You can globally enable FortiGuard Antispam in System > Maintenance >
FortiGuard and then configure Spam Filtering options in each firewall protection
profile in Firewall > Protection Profile. For more information, see “Spam Filtering
options” on page 373.
Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System >
Maintenance > FortiGuard. The FDN page contains four sections of FortiGuard
services.
The four sections are:
• Support Contract and FortiGuard Subscription Services
• AntiVirus and IPS Downloads
• Web Filtering and AntiSpam Options
• Management and Analysis Service Options
Support Contract: The availability or status of your FortiGate unit support contract. The status displayed can be one of the following: Unreachable, Not Registered or Valid Contract. If Valid Contract is shown, the FortiOS firmware version and contract expiry date display. A green checkmark also displays.
  [Register]: Select to register your FortiGate unit support contract. This displays only when the support contract is not registered.
FortiGuard Subscription Services: Availability and status information for each of the FortiGuard subscription services, including:
• AntiVirus (AV Definitions)
• Intrusion Protection (IPS Definitions)
• Web Filtering
• AntiSpam
• Management Service
• Analysis Service
  [Availability]: The availability of this service on this FortiGate unit, dependent on your service subscription. The status can be one of the following:
  • Unreachable
  • Not Registered
  • Valid License
  • Valid Contract
  The option Subscribe displays if Availability is Not Registered. The option Renew displays if Availability has expired.
  [Update]: Select to manually update this service on your FortiGate unit. This will prompt you to download the update file from your local computer. Select Update Now to immediately download current updates from the FDN directly.
  [Register]: Select to register the service. This displays in Management Service and Analysis Service.
Use override server address: Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using their own FortiGuard server. When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see “Troubleshooting FDN connectivity” on page 248.
Allow Push Update: Select to allow push updates. Updates are sent to your FortiGate unit when they are available, without the unit having to check whether they are available.
  Push Update Status: Icon that shows the status of the push update service.
  Allow Push Update status icon: The status of the FortiGate unit for receiving push updates:
  • Grey (Unreachable) - the FortiGate unit is not able to connect to the push update service
  • Yellow (Not Available) - the push update service is not available with the current support license
  • Green (Available) - the push update service is allowed. See “” on page 251.
  If the icon is either grey or yellow, see “Troubleshooting FDN connectivity” on page 248.
  Use override push IP: Available only if both “Use override server address” and “Allow Push Update” are enabled. Select to allow you to create a forwarding policy that redirects incoming FDS push updates to your FortiGate unit. Enter the IP address of the NAT device in front of your FortiGate unit. FDS will connect to this device when attempting to reach the FortiGate unit. The NAT device must be configured to forward the FDS traffic to the FortiGate unit on UDP port 9443. See “Enabling push updates through a NAT device” on page 251.
    Port: Select the port on the NAT device that will receive the FDS push updates. This port must be forwarded to UDP port 9443 on the FortiGate unit. Available only if “Use override push” is enabled.
Schedule Updates: Select this check box to enable scheduled updates.
  Every: Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.
  Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
  Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.
Update Now: Select Update Now to manually initiate an FDN update.
Submit attack characteristics … (recommended): Fortinet recommends that you select this check box. It helps to improve the quality of IPS signatures.
Account ID: Enter the name for the Management and Analysis Services that identifies the account. The account ID that you entered in the Account ID field when registering is used in this field.
To launch the service portal, please click here: Select to go directly to the FortiGuard Analysis and Management Service portal web site to view logs or configuration. You can also select this to register your FortiGate unit with the FortiGuard Analysis and Management Service.
To configure...please click here.: Select the link, please click here, to configure and enable logging to the FortiGuard Analysis server. The link redirects you to Log&Report > Log Config > Log Setting. This displays only after registering for the service.
To purge...please click here.: Select the number of months from the list for which logs will be removed from the FortiGuard Analysis server, and select the link, please click here. For example, if you select 2 months, the logs from the past two months will be removed from the server. You can also use this option to remove logs that may appear on a current report. This displays only after logging is enabled and log messages are sent to the FortiGuard Analysis server.
Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.
5 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the
FortiGate event log.
If you cannot connect to the FDN, or if your organization provides antivirus and
IPS attack updates using their own FortiGuard server, you can use the following
procedure to add the IP address of an override FortiGuard server.
Figure: Push updates through a NAT device. The FortiGate unit (external interface 172.16.35.144) on the Internal Network sits behind a NAT Device (external interface 10.20.6.135) that faces the Internet and the FDN Server; a Virtual IP on the NAT device forwards push updates to the FortiGate unit.
The following general procedure configures both the FortiGate unit and the NAT
device so that the FortiGate unit can receive push updates.
General procedure
1 Register the FortiGate unit on the internal network so that it has a current support
license and can receive push updates.
2 Configure the following FortiGuard options on the FortiGate unit on the internal
network.
• Allow push updates
• Add an override push update IP. Usually this would be the IP address of the
external interface of the NAT device
• If required, change the override push update port
3 Add a port forwarding virtual IP to the NAT device.
• Set the external IP address of the virtual IP to match the override push update
IP. Usually this would be the IP address of the external interface of the NAT
device.
4 Add a firewall policy to the FortiGate NAT device that includes the port forwarding
virtual IP.
Note: Push updates are not supported if the FortiGate unit must use a proxy server to
connect to the FDN. See “To enable scheduled updates through a proxy server” on
page 250 for more information.
4 Select OK.
License
If you have a FortiGate-3000 unit or higher, you can purchase a license key from
Fortinet to increase the maximum number of VDOMs to 25, 50, 100 or 250. By
default, FortiGate units support a maximum of 10 VDOMs.
The license key is a 32-character string supplied by Fortinet. Fortinet requires the
serial number of the FortiGate unit to generate the license key.
The license key is entered in System > Maintenance > License in the Input
License Key field. This field appears only on FortiGate-3000 units and higher; it
does not appear on any other FortiGate unit.
Note: VDOMs created on a registered FortiGate unit are considered real devices by the
FortiAnalyzer unit and it includes VDOMs in the total number of registered devices. For
example, three FortiGate units are registered on the FortiAnalyzer unit and contain four
VDOMs: the total number of registered FortiGate units on the FortiAnalyzer unit is seven.
For more information, see the FortiAnalyzer Administration Guide.
Router Static
This section explains some general routing concepts, and how to define static
routes and route policies.
A route provides the FortiGate unit with the information it needs to forward a
packet to a particular destination on the network. A static route causes packets to
be forwarded to a destination other than the factory configured default gateway.
The factory configured static default route provides you with a starting point to
configure the default gateway. You must either edit the factory configured static
default route to specify a different default gateway for the FortiGate unit, or delete
the factory configured route and specify your own static default route that points to
the default gateway for the FortiGate unit. See “Default route and default gateway”
on page 259.
You define static routes manually. Static routes control traffic exiting the FortiGate
unit—you can specify through which interface the packet will leave and to which
device the packet should be routed.
As an option, you can define route policies. Route policies specify additional
criteria for examining the properties of incoming packets. Using route policies, you
can configure the FortiGate unit to route packets based on the IP source and
destination addresses in packet headers and other criteria such as on which
interface the packet was received and which protocol (service) and port are being
used to transport the packet.
If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is
configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• Routing concepts
• Static Route
• Policy Route
Routing concepts
The FortiGate unit works as a security device on a network and packets must
pass through it. You need to understand a number of basic routing concepts in
order to configure the FortiGate unit appropriately.
Whether you administer a small or large network, this module will help you
understand how the FortiGate unit performs routing functions.
The following topics are covered in this section:
• How the routing table is built
• How routing decisions are made
• Multipath routing and determining the best route
• Route priority
• Blackhole Route
Another method is to manually change the priority of both of the routes. If the
next-hop administrative distances of two routes on the FortiGate unit are equal, it
may not be clear which route the packet will take. Configuring the priority for each
of those routes will make it clear which next-hop will be used in the case of a tie.
You can set the priority for a route only from the CLI. Lower priorities are
preferred. For more information see the FortiGate CLI Reference.
All entries in the routing table are associated with an administrative distance. If the
routing table contains several entries that point to the same destination (the
entries may have different gateways or interface associations), the FortiGate unit
compares the administrative distances of those entries, selects the entries having
the lowest distances, and installs them as routes in the FortiGate forwarding table.
As a result, the FortiGate forwarding table contains only those routes having the
lowest distances to every possible destination. For information about how to
change the administrative distance associated with a static route, see “Adding a
static route to the routing table” on page 262.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing
preference.
You configure the priority field through the CLI. The route with the lowest value in
the priority field is considered the best route, and it is also the primary route. The
command to set the priority field is: set priority <integer> under the
config route static command. For more information, see the FortiGate CLI
Reference.
In summary, because you can use the CLI to specify which sequence numbers or
priority field settings to use when defining static routes, you can prioritize routes to
the same destination according to their priority field settings. For a static route to
be the preferred route, you must create the route using the config router
static CLI command and specify a low priority for the route. If two routes have
the same administrative distance and the same priority, then they are equal cost
multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be
confusing which route or routes to install and use. However, if you have enabled
load balancing with ECMP routes, then different sessions will resolve this problem
by using different routes to the same address. For more information, see load
balancing in “Configuring virtual IPs” on page 338.
Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like
/dev/null in Linux programming.
Blackhole routes are used to dispose of packets instead of responding to
suspicious inquiries. This provides added security since the originator will not
discover any information from the target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are
not in use, traffic to those addresses (traffic which may be valid or malicious) can
be directed to a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, was added
to enable easier configuration of blackhole routing. It is configured like a normal
interface but has fewer parameters, and all traffic sent to it stops there. Since it
cannot have hardware connection or link status problems, it is always available,
making it useful for other dynamic routing roles as well. Once configured, you can
use a loopback interface in firewall policies, routing, and other places that refer to
interfaces. You configure this feature only from the CLI. For more information, see
the system chapter of the FortiGate CLI Reference.
Static Route
You configure static routes by defining the destination IP address and netmask of
packets that you intend the FortiGate unit to intercept, and by specifying a
(gateway) IP address for those packets. The gateway address specifies the next-
hop router to which traffic will be routed.
Note: You can use the config router static6 CLI command to add, edit, or delete
static routes for IPv6 traffic. For more information, see the “router” chapter of the FortiGate
CLI Reference.
Note: Unless otherwise specified, static route examples and procedures are for IPv4 static
routes.
To view the static route list, go to Router > Static > Static Route.
Figure 146 shows the static route list belonging to a FortiGate unit that has
interfaces named “port1” and “port2”. The names of the interfaces on your
FortiGate unit may be different.
Figure 146: Static route list (callouts: Expand Arrow, Delete, Edit)
Create New: Add a static route to the Static Route list. For more information, see “Adding a static route to the routing table” on page 262. Select the down arrow to create an IPv6 static route.
Route: Select the Expand Arrow to display or hide the IPv4 static routes. By default these routes are displayed. This is displayed only when IPv6 is enabled in the GUI.
IPv6 Route: Select the Expand Arrow to display or hide the IPv6 static routes. By default these routes are hidden. This is displayed only when IPv6 is enabled in the GUI.
IP/Mask: The destination IP addresses and network masks of packets that the FortiGate unit intercepts.
Gateway: The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device: The names of the FortiGate interfaces through which intercepted packets are received and sent.
Distance: The administrative distances associated with each route. The values represent distances to next-hop routers.
Delete and Edit icons: Delete or edit an entry in the list.
Note: For network traffic to pass, even with the correct routes configured, you must have
the appropriate firewall policies. For details, see “Configuring firewall policies” on page 297.
For example, Figure 147 shows a FortiGate unit connected to a router. To ensure
that all outbound packets destined to any network beyond the router are routed to
the correct destination, you must edit the factory default configuration and make
the router the default gateway for the FortiGate unit.
Figure 147: FortiGate_1 with its external interface connected to the gateway router (192.168.10.1) toward the Internet, and its internal interface connected to the Internal network 192.168.20.0/24.
To route outbound packets from the internal network to destinations that are not
on network 192.168.20.0/24, you would edit the default route and include the
following settings:
• Destination IP/mask: 0.0.0.0/0.0.0.0
• Gateway: 192.168.10.1
• Device: Name of the interface connected to network 192.168.10.0/24
(for example “external”).
• Distance: 10
The Gateway setting specifies the IP address of the next-hop router interface to
the FortiGate external interface. The interface behind the router (192.168.10.1) is
the default gateway for FortiGate_1.
In some cases, there may be routers behind the FortiGate unit. If the destination
IP address of a packet is not on the local network but is on a network behind one
of those routers, the FortiGate routing table must include a static route to that
network. For example, in Figure 148, the FortiGate unit must be configured with
static routes to interfaces 192.168.10.1 and 192.168.11.1 in order to forward
packets to Network_1 and Network_2 respectively.
Figure 148: FortiGate_1 connected to the Internet, with Gateway / Router_1 (192.168.10.1) on the internal interface leading to Network_1 (192.168.20.0/24) and Gateway / Router_2 (192.168.11.1) on the dmz interface leading to Network_2 (192.168.30.0/24).
Note: If you are using DHCP or PPPoE over a modem interface on your FortiGate unit,
you may have problems configuring a static route. After trying to either Renew your
DHCP lease or Reconnect the PPPoE connection, go to the CLI and enable
dynamic-gateway under config system interface for the modem interface. Doing
this removes the need to specify a gateway for this interface’s route. For more
information, see the FortiGate CLI Reference.
Destination IP/Mask: Type the destination IP address and network mask of packets that the FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the default route.
Gateway: Type the IP address of the next-hop router to which the FortiGate unit will forward intercepted packets.
Device: Select the name of the FortiGate interface through which the intercepted packets may be routed to the next-hop router.
Distance: Type an administrative distance from 1 to 255 for the route. The distance value is arbitrary and should reflect the distance to the next-hop router. A lower value indicates a more preferred route.
Policy Route
A routing policy allows you to redirect traffic away from a static route. This can be
useful if you want to route certain types of network traffic differently. You can use
incoming traffic’s protocol, source address or interface, destination address, or
port number to determine where to send the traffic. For example, generally
network traffic would go to the router of a subnet, but you might want to direct
SMTP or POP3 traffic addressed to that subnet directly to the mail server.
If you have configured the FortiGate unit with routing policies and a packet arrives
at the FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and
attempts to match the packet with a policy. If a match is found and the policy
contains enough information to route the packet (a minimum of the IP address of
the next-hop router and the FortiGate interface for forwarding packets to it), the
FortiGate unit routes the packet using the information in the policy. If no policy
route matches the packet, the FortiGate unit routes the packet using the routing
table.
Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.
Policy route options define which attributes of an incoming packet cause policy
routing to occur. If the attributes of a packet match all the specified conditions, the
FortiGate unit routes the packet through the specified interface to the specified
gateway.
Figure 150 shows the policy route list belonging to a FortiGate unit that has
interfaces named “external” and “internal”. The names of the interfaces on your
FortiGate unit may be different.
To edit an existing policy route, see “Adding a policy route” on page 264.
Create New Add a policy route. See “Adding a policy route” on page 264.
# The ID numbers of configured route policies. These numbers are sequential
unless policies have been moved within the table.
Incoming The interfaces on which packets subjected to route policies are received.
Outgoing The interfaces through which policy routed packets are routed.
Source The IP source addresses and network masks that cause policy routing to
occur.
Destination The IP destination addresses and network masks that cause policy routing to
occur.
Delete icon Delete a policy route.
Edit icon Edit a policy route.
Move To icon After selecting this icon, enter the destination position in the window that
appears, and select OK. For more information, see “Moving a policy route” on page 265.
Protocol To perform policy routing based on the value in the protocol field of
the packet, enter the protocol number to match. The Internet
Protocol Number is found in the IP packet header, and RFC 5237
includes a list of the assigned protocol numbers. The range is from 0
to 255. A value of 0 disables the feature.
Incoming Interface Select the name of the interface through which incoming packets
subjected to the policy are received.
Source Address / Mask To perform policy routing based on the IP source address of the
packet, type the source address and network mask to match. A value
of 0.0.0.0/0.0.0.0 disables the feature.
Destination Address / Mask To perform policy routing based on the IP destination address of the
packet, type the destination address and network mask to match. A
value of 0.0.0.0/0.0.0.0 disables the feature.
Destination Ports To perform policy routing based on the port on which the packet is
received, type the same port number in the From and To fields. To
apply policy routing to a range of ports, type the starting port number
in the From field and the ending port number in the To field. A value
of 0 disables this feature.
The Destination Ports fields are only used for TCP and UDP
protocols. The ports are skipped over for all other protocols.
Type of Service Enter a two-digit hexadecimal bit pattern to match against the Type of
Service field, or a two-digit hexadecimal bit mask to mask out bits.
For example, if you want the policy to apply to service 14, use a bit
pattern of 0E. If you want to ignore all odd-numbered services, use a
bit mask of 01.
Outgoing Interface Select the name of the interface through which packets affected by
the policy will be routed.
Gateway Address Type the IP address of the next-hop router that the FortiGate unit can
access through the specified interface. A value of 0.0.0.0 is not
valid.
Before/After Select Before to place the selected Policy Route before the
indicated route. Select After to place it following the indicated
route.
Policy route ID Enter the Policy route ID of the route in the Policy route table to
move the selected route before or after.
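The following is an added illustration of how the Policy Route list described above is evaluated; it is not FortiOS code. It scans the list top to bottom, treats the zero values (protocol 0, port 0, 0.0.0.0/0.0.0.0) as "not used", skips the Destination Ports check for protocols other than TCP and UDP, and compares the Type of Service field only on the bits selected by the mask. When a matching policy names only an outgoing interface, the next hop is taken from the routing table, and when no policy matches, the packet is routed by longest prefix and then lowest administrative distance. The interface names "external" and "internal" come from the text; "external2", the addresses, the ToS mask semantics (mask 00 disables the check, FF compares every bit) and the interface-only fallback are assumptions made for the example.

```python
# Added illustration of FortiGate policy-route evaluation; not FortiOS code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP, UDP = 6, 17
ANY_NET = "0.0.0.0/0.0.0.0"   # the "disabled" value of the address/mask fields


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    protocol: int
    dport: int = 0
    tos: int = 0


@dataclass
class PolicyRoute:
    id: int
    in_iface: str
    out_iface: str
    gateway: Optional[str] = None   # None: policy names only the interface (e.g. DHCP/PPPoE link)
    protocol: int = 0               # 0 disables protocol matching
    src: str = ANY_NET
    dst: str = ANY_NET
    port_from: int = 0              # 0 disables destination-port matching
    port_to: int = 0
    tos_pattern: int = 0x00         # two-digit hex bit pattern
    tos_mask: int = 0x00            # bits compared; 0x00 = ToS not used (assumed), 0xFF = exact match


@dataclass
class Route:
    dst: str
    gateway: str
    iface: str
    distance: int = 10              # administrative distance, lower is preferred


def in_network(cidr: str, addr: str) -> bool:
    # ipaddress accepts both "/24" and dotted-netmask notation ("/255.255.255.0")
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def policy_matches(p: PolicyRoute, pkt: Packet) -> bool:
    """All configured conditions must match; disabled (zero) fields are skipped."""
    if p.in_iface != pkt.in_iface:
        return False
    if p.protocol and p.protocol != pkt.protocol:
        return False
    if not in_network(p.src, pkt.src) or not in_network(p.dst, pkt.dst):
        return False
    # Destination ports are only used for TCP and UDP; skipped for other protocols.
    if p.port_from and pkt.protocol in (TCP, UDP):
        if not p.port_from <= pkt.dport <= p.port_to:
            return False
    # Type of Service: compare only the bits selected by the mask.
    if (pkt.tos & p.tos_mask) != (p.tos_pattern & p.tos_mask):
        return False
    return True


def lookup_route(table: List[Route], dst: str) -> Optional[Route]:
    """Routing-table lookup: longest prefix wins, then the lowest distance."""
    candidates = [r for r in table if in_network(r.dst, dst)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dst, strict=False).prefixlen, r.distance))


def route_packet(policies: List[PolicyRoute], table: List[Route], pkt: Packet):
    """Scan the Policy Route list top to bottom; fall back to the routing table.
    Returns (source, policy id, outgoing interface, next hop) or None (no route)."""
    for p in policies:
        if not policy_matches(p, pkt):
            continue
        if p.gateway:
            return ("policy", p.id, p.out_iface, p.gateway)
        # Interface-only policy: the next hop is taken from the routing table (assumed).
        r = lookup_route(table, pkt.dst)
        if r:
            return ("policy", p.id, p.out_iface, r.gateway)
    r = lookup_route(table, pkt.dst)
    return ("table", None, r.iface, r.gateway) if r else None


# Constructed sample configuration: send SMTP for the internal subnet straight
# to the mail server, and steer ToS 0x0E traffic from "internal" out a second link.
POLICIES = [
    PolicyRoute(1, "external", "internal", gateway="192.168.10.25", protocol=TCP,
                dst="192.168.10.0/255.255.255.0", port_from=25, port_to=25),
    PolicyRoute(2, "internal", "external2", gateway="198.51.100.1",
                tos_pattern=0x0E, tos_mask=0xFF),
]
TABLE = [
    Route("0.0.0.0/0", "203.0.113.1", "external"),
    Route("192.168.10.0/24", "192.168.1.1", "internal", distance=10),
    Route("192.168.10.0/24", "192.168.1.2", "internal", distance=20),  # backup path
]

if __name__ == "__main__":
    for pkt in (Packet("external", "203.0.113.50", "192.168.10.7", TCP, 25),
                Packet("external", "203.0.113.50", "192.168.10.7", TCP, 80),
                Packet("internal", "192.168.1.9", "8.8.8.8", UDP, 53, tos=0x0E),
                Packet("internal", "192.168.1.9", "8.8.8.8", UDP, 53)):
        print(pkt.dst, pkt.protocol, pkt.dport, "->", route_packet(POLICIES, TABLE, pkt))
```

Running the sample shows the four outcomes the text describes: SMTP to the subnet goes to the mail server through policy 1, HTTP to the same subnet falls through to the routing table and takes the distance-10 path, ToS 0x0E traffic leaves by policy 2, and everything else follows the default route.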
Router Dynamic
This section explains how to configure dynamic protocols to route traffic through
large or complex networks. Dynamic routing protocols enable the FortiGate unit to
automatically share information about routes with neighboring routers and learn
about routes and networks advertised by them. The FortiGate unit supports these
dynamic routing protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP).
Note: You can configure basic RIP, OSPF, and BGP routing options through the web-based
manager. Many additional options are available but only through the CLI. For complete
descriptions and examples of how to use CLI commands to configure RIP, OSPF, and BGP
settings, see the “config router” chapter of FortiGate CLI Reference.
The FortiGate unit selects routes and updates its routing table dynamically based
on the rules you specify. Given a set of rules, the unit can determine the best route
or path for sending packets to a destination. You can also define rules to suppress
the advertising of routes to neighboring routers and change FortiGate routing
information before it is advertised.
If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is
configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2
router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode
and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations.
Bidirectional Forwarding Detection (BFD) is a protocol that works with BGP and OSPF to
quickly discover routers on the network that cannot be contacted, and to re-route
traffic accordingly until those routers can be contacted.
This section describes:
• RIP
• OSPF
• BGP
• Multicast
• Bi-directional Forwarding Detection (BFD)
RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended
for small, relatively homogeneous networks. The FortiGate implementation of RIP
supports RIP version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).
RIP Version Select the level of RIP compatibility needed at the FortiGate unit. You can
enable global RIP settings on all FortiGate interfaces connected to RIP-
enabled networks:
• Select 1 to send and receive RIP version 1 packets.
• Select 2 to send and receive RIP version 2 packets.
You can override the global settings for a specific FortiGate interface if
required. For more information, see “Configuring a RIP-enabled interface”
on page 272.
Advanced Options Select the Expand Arrow to view or hide advanced RIP options. For more
information, see “Selecting advanced RIP options” on page 270.
Networks The IP addresses and network masks of the major networks (connected to
the FortiGate unit) that run RIP. When you add a network to the Networks
list, the FortiGate interfaces that are part of the network are advertised in
RIP updates. You can enable RIP on all FortiGate interfaces whose IP
addresses match the RIP network address space.
IP/Netmask Enter the IP address and netmask that defines the RIP-
enabled network.
Add Select to add the network information to the Networks
list.
Note: You can configure additional advanced options through the CLI. For example, you
can filter incoming or outgoing updates by using a route map, an access list, or a prefix list.
The FortiGate unit also supports offset lists, which add the specified offset to the metric of a
route. For more information, see the “router” chapter of the FortiGate CLI Reference.
RIP Version Select the version of RIP packets to send and receive.
Advanced Options Select the Expand Arrow to view or hide advanced options.
Default Metric Enter the default hop count that the FortiGate unit should assign
to routes that are added to the FortiGate routing table. The range
is from 1 to 16. This metric is the hop count, with 1 being best or
shortest.
This value also applies to Redistribute unless otherwise specified.
Default-information-originate Select to generate and advertise a default route into the FortiGate
unit’s RIP-enabled networks. The generated route may be based
on routes learned through a dynamic routing protocol, routes in
the routing table, or both.
RIP Timers Enter new values to override the default RIP timer settings. The
default settings are effective in most configurations — if you
change these settings, ensure that the new settings are
compatible with local routers and access servers.
If the Update timer is smaller than Timeout or Garbage timers,
you will get an error.
Update Enter the amount of time (in seconds) that the
FortiGate unit will wait between sending RIP
updates.
Timeout Enter the maximum amount of time (in seconds)
that a route is considered reachable while no
updates are received for the route. This is the
maximum time the FortiGate unit will keep a
reachable route in the routing table while no
updates for that route are received. If the FortiGate
unit receives an update for the route before the
timeout period expires, the timer is restarted.
The Timeout period should be at least three times
longer than the Update period.
Garbage Enter the amount of time (in seconds) that the
FortiGate unit will advertise a route as being
unreachable before deleting the route from the
routing table. The value determines how long an
unreachable route is kept in the routing table.
Redistribute Select one or more of the options to redistribute RIP updates
about routes that were not learned through RIP. The FortiGate
unit can use RIP to redistribute routes learned from directly
connected networks, static routes, OSPF, and BGP.
Connected Select to redistribute routes learned from directly
connected networks. To specify a hop count for
those routes, select Metric, and enter the hop count
in the Metric field. The valid hop count range is from
1 to 16.
Static Select to redistribute routes learned from static
routes. To specify a hop count for those routes,
select Metric, and enter the hop count in the Metric
field. The range is from 1 to 16.
OSPF Select to redistribute routes learned through OSPF.
To specify a hop count for those routes, select
Metric, and enter the hop count in the Metric field.
The range is from 1 to 16.
BGP Select to redistribute routes learned through BGP.
To specify a hop count for those routes, select
Metric, and enter the hop count in the Metric field.
The range is from 1 to 16.
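The following is an added illustration of how the Update, Timeout and Garbage timers described above govern the life of a RIP route; it is not FortiOS code. A route stays reachable while updates keep arriving (each update restarts its Timeout timer), is advertised with metric 16 (RIP's "unreachable") once Timeout expires, and is deleted once the Garbage timer also expires. The default values 30, 180 and 120 seconds are the RFC 2453 defaults, assumed here; the check that Timeout is at least three times Update is the recommendation from the text.

```python
# Added illustration of RIP route timers; not FortiOS code.
from dataclasses import dataclass
from typing import Dict, List, Optional

INFINITY = 16                    # RIP metric meaning "unreachable"


@dataclass
class RipTimers:
    update: int = 30             # seconds between RIP updates (RFC 2453 default, assumed)
    timeout: int = 180           # route reachable this long without updates
    garbage: int = 120           # advertised as unreachable this long before deletion


def timer_warnings(t: RipTimers) -> List[str]:
    """Configuration checks for the RIP Timers dialog."""
    w = []
    for name, value in (("Update", t.update), ("Timeout", t.timeout), ("Garbage", t.garbage)):
        if value <= 0:
            w.append(f"{name} timer must be positive")
    if t.timeout < 3 * t.update:
        w.append("Timeout should be at least three times the Update period")
    return w


@dataclass
class RipRoute:
    prefix: str
    next_hop: str
    metric: int
    last_update: float                      # when the last update for the route arrived
    unreachable_since: Optional[float] = None  # set when the Timeout timer expires


class RipTable:
    def __init__(self, timers: RipTimers):
        self.timers = timers
        self.routes: Dict[str, RipRoute] = {}

    def receive_update(self, now: float, prefix: str, next_hop: str, metric: int) -> None:
        """Install or refresh a route; an update before Timeout restarts the timer.
        A metric of 16 from the neighbour starts garbage collection at once."""
        if not 1 <= metric <= INFINITY:
            raise ValueError("RIP metric (hop count) must be between 1 and 16")
        if metric == INFINITY:
            r = self.routes.get(prefix)
            if r is not None and r.unreachable_since is None:
                r.metric = INFINITY
                r.unreachable_since = now
            return
        self.routes[prefix] = RipRoute(prefix, next_hop, metric, last_update=now)

    def tick(self, now: float) -> None:
        """Run the timers: Timeout -> advertise as unreachable; Garbage -> delete."""
        for prefix, r in list(self.routes.items()):
            if r.unreachable_since is None:
                if now - r.last_update >= self.timers.timeout:
                    r.metric = INFINITY
                    r.unreachable_since = now
            elif now - r.unreachable_since >= self.timers.garbage:
                del self.routes[prefix]

    def state(self, prefix: str) -> Optional[str]:
        r = self.routes.get(prefix)
        if r is None:
            return None
        return "unreachable" if r.unreachable_since is not None else "reachable"

    def advertisement(self) -> Dict[str, int]:
        """What the next RIP update would carry (unreachable routes are sent with metric 16)."""
        return {p: r.metric for p, r in self.routes.items()}


if __name__ == "__main__":
    # Constructed scenario: one route learned at t=0 whose neighbour then goes silent.
    table = RipTable(RipTimers())
    table.receive_update(0, "10.0.0.0/8", "192.168.1.2", metric=2)
    for t in (100, 180, 299, 300):
        table.tick(t)
        print(t, table.state("10.0.0.0/8"), table.advertisement())
```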
Note: Additional options such as split-horizon and key-chains can be configured per
interface through the CLI. For more information, see the “router” chapter of the FortiGate
CLI Reference or the Fortinet Knowledge Center.
Figure 155 shows the New/Edit RIP Interface dialog box belonging to a FortiGate
unit that has an interface named “internal”. The names of the interfaces on your
FortiGate unit may be different.
Interface Select the name of the FortiGate interface to which these settings
apply. The interface must be connected to a RIP-enabled network.
The interface can be a virtual IPSec or GRE interface.
Send Version, Receive Version Select to override the default RIP-compatibility setting for sending
and receiving updates through the interface: RIP version 1, version 2,
or Both.
Authentication Select an authentication method for RIP exchanges on the specified
interface:
• Select None to disable authentication.
• If the interface is connected to a network that runs RIP version 2,
optionally select Text and type a password (up to 35 characters)
in the Password field. The FortiGate unit and the router it
exchanges RIP updates with must both be configured with the same
password. The password is sent in clear text over the network.
• Select MD5 to authenticate the exchange using MD5.
Passive Interface Select to suppress the advertising of FortiGate unit routing
information over the specified interface. Clear the check box to allow
the interface to respond normally to RIP requests.
OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often
used in large heterogeneous networks to share routing information among routers
in the same Autonomous System (AS). FortiGate units support OSPF version 2
(see RFC 2328).
The main benefit of OSPF is that it advertises routes only when neighbors change
state instead of at timed intervals, so routing overhead is reduced.
Note: The inter-area routes may not be calculated when a Cisco type ABR has no fully
adjacent neighbor in the backbone area. In this situation, the router considers summary-
LSAs from all Actively Attached areas (RFC 3509).
The FortiGate unit dynamically updates its routing table based on the results of
the SPF calculation to ensure that an OSPF packet will be routed using the
shortest path to its destination. Depending on the network topology, the entries in
the FortiGate routing table may include:
• the addresses of networks in the local OSPF area (to which packets are sent
directly)
• routes to OSPF area border routers (to which packets destined for another
area are sent)
• if the network contains OSPF areas and non-OSPF domains, routes to AS
boundary routers, which reside on the OSPF network backbone and are
configured to forward packets to destinations outside the OSPF AS.
The number of routes that a FortiGate unit can learn through OSPF depends on
the network topology. A single unit can support tens of thousands of routes if the
OSPF network is configured properly.
To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See “Defining OSPF
areas” on page 278.
4 Under Networks, select Create New.
5 Create associations between the OSPF areas that you defined and the local
networks to include in the OSPF AS. See “Specifying OSPF networks” on
page 279.
6 If you need to adjust the default settings of an OSPF-enabled interface, select
Create New under Interfaces.
7 Select the OSPF operating parameters for the interface. See “Selecting operating
parameters for an OSPF interface” on page 279.
Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
8 Optionally select advanced OSPF options for the OSPF AS. See “Selecting
advanced OSPF options” on page 277.
9 Select Apply.
Router ID Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
By convention, the router ID is the numerically highest IP address assigned
to any of the FortiGate interfaces in the OSPF AS.
If you change the router ID while OSPF is configured on an interface, all
connections to OSPF neighbors will be broken temporarily. The connections
will re-establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM or unit
will be used.
Advanced Options Select the Expand Arrow to view or hide advanced OSPF settings. For more
information, see “Selecting advanced OSPF options” on page 277.
Areas Information about the areas making up an OSPF AS. The header of an
OSPF packet contains an area ID, which helps to identify the origination of a
packet inside the AS.
Create New Define and add a new OSPF area to the Areas list. For
more information, see “Defining OSPF areas” on page 278.
Area The unique 32-bit identifiers of areas in the AS, in dotted-
decimal notation. Area ID 0.0.0.0 references the backbone
of the AS and cannot be changed or deleted.
Type The types of areas in the AS:
• Regular - a normal OSPF area
• NSSA - a not so stubby area
• Stub - a stub area.
For more information, see “Defining OSPF areas” on
page 278.
Authentication The methods for authenticating OSPF packets sent and
received through all FortiGate interfaces linked to each
area:
• None - authentication is disabled
• Text - text-based authentication is enabled
• MD5 - MD5 authentication is enabled.
A different authentication setting may apply to some of the
interfaces in an area, as displayed under Interfaces. For
example, if an area employs simple passwords for
authentication, you can configure a different password for
one or more of the networks in that area.
Networks The networks in the OSPF AS and their area IDs. When you add a network
to the Networks list, all FortiGate interfaces that are part of the network are
advertised in OSPF link-state advertisements. You can enable OSPF on all
FortiGate interfaces whose IP addresses match the OSPF network address
space. For more information, see “Specifying OSPF networks” on page 279.
Create New Add a network to the AS, specify its area ID, and add the
definition to the Networks list.
Network The IP addresses and network masks of networks in the AS
on which OSPF runs. The FortiGate unit may have physical
or VLAN interfaces connected to the network.
Area The area IDs that have been assigned to the OSPF network
address space.
Interfaces Any additional settings needed to adjust OSPF operation on a FortiGate
interface. For more information, see “Selecting operating parameters for an
OSPF interface” on page 279.
Create New Create additional/different OSPF operating parameters for a
unit interface and add the configuration to the Interfaces list.
Name The names of OSPF interface definitions.
Interface The names of FortiGate physical or VLAN interfaces having
OSPF settings that differ from the default values assigned to
all other interfaces in the same area.
IP The IP addresses of the OSPF-enabled interfaces having
additional/different settings.
Authentication The methods for authenticating LSA exchanges sent and
received on specific OSPF-enabled interfaces. These
settings override the area Authentication settings.
Delete and Edit icons Delete or edit an OSPF area entry, network entry, or interface definition.
Icons are visible only when there are entries in the Areas, Networks, and
Interfaces sections.
Router ID Enter a unique router ID to identify the FortiGate unit to other OSPF
routers.
Expand Arrow Select to view or hide Advanced Options.
Default Information Generate and advertise a default (external) route to the OSPF AS. You
may base the generated route on routes learned through a dynamic
routing protocol, routes in the routing table, or both.
None Prevent the generation of a default route.
Regular Generate a default route into the OSPF AS and advertise the
route to neighboring autonomous systems only if the route is
stored in the FortiGate routing table.
Always Generate a default route into the OSPF AS and advertise the
route to neighboring autonomous systems unconditionally,
even if the route is not stored in the FortiGate routing table.
Redistribute Select one or more of the options listed to redistribute OSPF link-state
advertisements about routes that were not learned through OSPF. The
FortiGate unit can use OSPF to redistribute routes learned from directly
connected networks, static routes, RIP, and BGP.
Connected Select to redistribute routes learned from directly connected
networks.
Enter a cost for those routes in the Metric field. The range is
from 1 to 16 777 214.
Static Select to redistribute routes learned from static routes.
Enter a cost for those routes in the Metric field. The range is
from 1 to 16 777 214.
RIP Select to redistribute routes learned through RIP.
Enter a cost for those routes in the Metric field. The range is
from 1 to 16 777 214.
BGP Select to redistribute routes learned through BGP.
Enter a cost for those routes in the Metric field. The range is
from 1 to 16 777 214.
Note: You can configure many additional advanced OSPF options through the CLI. For
details, see the “router” chapter of the FortiGate CLI Reference.
Note: If required, you can define a virtual link to an area that has lost its physical
connection to the OSPF backbone. Virtual links can be set up only between two FortiGate
units that act as area border routers. For more information on virtual links, see the
FortiGate CLI Reference.
Area Type a 32-bit identifier for the area. The value must resemble an IP
address in dotted-decimal notation. Once you have created the OSPF
area, the area IP value cannot be changed; you must delete the area
and restart.
Type Select an area type to classify the characteristics of the network that will
be assigned to the area:
• Regular - If the area contains more than one router, each having at
least one OSPF-enabled interface to the area.
• NSSA - If you want routes to external non-OSPF domains made
known to OSPF AS and you want the area to be treated like a stub
area by the rest of the AS.
• STUB - If the routers in the area must send packets to an area border
router in order to reach the backbone and you do not want routes to
non-OSPF domains to be advertised to the routers in the area.
Authentication Select the method for authenticating OSPF packets sent and received
through all interfaces in the area:
• None - Disable authentication.
• Text - Enable text-based password authentication to authenticate
LSA exchanges using a plain-text password. The password is sent in
clear text over the network.
• MD5 - Enable MD5-based authentication using an MD5
cryptographic hash (RFC 1321).
If required, you can override this setting for one or more of the interfaces
in the area. For more information, see “Selecting operating parameters
for an OSPF interface” on page 279.
Note: To assign a network to the area, see “Specifying OSPF networks” on page 279.
IP/Netmask Enter the IP address and network mask of the local network that you want
to assign to an OSPF area.
Area Select an area ID for the network. The attributes of the area must match
the characteristics and topology of the specified network. You must define
the area before you can select the area ID. For more information, see
“Defining OSPF areas” on page 278.
You can configure different OSPF parameters for the same FortiGate interface
when more than one IP address has been assigned to the interface. For example,
the same FortiGate interface could be connected to two neighbors through
different subnets. You could configure an OSPF interface definition containing one
set of Hello and dead-interval parameters for compatibility with one neighbor’s
settings, and a second OSPF interface definition for the same interface to ensure
compatibility with the second neighbor’s settings.
To select OSPF operating parameters for a FortiGate interface, go to Router >
Dynamic > OSPF, and then under Interfaces, select Create New. To edit the
operating parameters of an OSPF-enabled interface, go to Router > Dynamic >
OSPF and select the Edit icon in the row that corresponds to the OSPF-enabled
interface.
Figure 160 shows the New/Edit OSPF Interface dialog box belonging to a
FortiGate unit that has an interface named “port1”. The interface names on your
FortiGate unit may differ.
Name Enter a name to identify the OSPF interface definition. For example, the
name could indicate to which OSPF area the interface will be linked.
Interface Select the name of the FortiGate interface to associate with this OSPF
interface definition (for example, port1, external, or VLAN_1). The
FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces
connected to the OSPF-enabled network.
IP Enter the IP address that has been assigned to the OSPF-enabled
interface. The interface becomes OSPF-enabled because its IP address
matches the OSPF network address space.
For example, if you defined an OSPF network of 172.20.120.0/24 and
port1 has been assigned the IP address 172.20.120.140, type
172.20.120.140.
Authentication Select an authentication method for LSA exchanges on the specified
interface:
• None - Disable authentication.
• Text - Authenticate LSA exchanges using a plain-text password. The
password can be up to 35 characters, and is sent in clear text over the
network.
• MD5 - Use one or more keys to generate an MD5 cryptographic hash.
Password Enter the plain-text password. Enter an alphanumeric value of up to 15
characters. The OSPF neighbors that send link-state advertisements to
this FortiGate interface must be configured with an identical password.
This field is available only if you selected plain-text authentication.
MD5 Keys Enter the key identifier for the (first) password in the ID field (the range is
from 1 to 255) and then type the associated password in the Key field.
The password is a 128-bit hash, represented by an alphanumeric string of
up to 16 characters.
The OSPF neighbors that send link-state advertisements to this FortiGate
interface must be configured with an identical MD5 key. If the OSPF
neighbor uses more than one password to generate MD5 hash, select the
Add icon to add additional MD5 keys to the list.
This field is available only if you selected MD5 authentication.
Hello Interval Optionally, set the Hello Interval to be compatible with Hello Interval
settings on all OSPF neighbors.
This setting defines the period of time (in seconds) that the FortiGate unit
waits between sending Hello packets through this interface.
Dead Interval Optionally, set the Dead Interval to be compatible with Dead Interval
settings on all OSPF neighbors.
This setting defines the period of time (in seconds) that the FortiGate unit
waits to receive a Hello packet from an OSPF neighbor through the
interface. If the FortiGate unit does not receive a Hello packet within the
specified amount of time, the FortiGate unit declares the neighbor
inaccessible.
By convention, the Dead Interval value is usually four times greater than
the Hello Interval value.
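The following is an added illustration of the New/Edit OSPF Interface settings above; it is not FortiOS code. It checks one interface definition against the constraints the dialog describes (Dead Interval longer than, and conventionally four times, the Hello Interval; MD5 key IDs in the range 1 to 255 and keys of at most 16 characters), lists the parameters two neighbours must agree on before they can form an adjacency, and shows why MD5 authentication is preferable to a clear-text password: the receiver recomputes the digest, which RFC 2328 Appendix D defines as MD5 over the packet with the 16-byte (zero-padded) key appended, and rejects a tampered packet, an unknown key ID, or a cryptographic sequence number that goes backwards. The interface name port1 and address 172.20.120.140 come from the text; the neighbour definitions, keys and the sample packet bytes are constructed, and the key ID and sequence number are passed as plain arguments rather than parsed out of an OSPF header.

```python
# Added illustration of OSPF interface checks and keyed-MD5 authentication; not FortiOS code.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class OspfInterface:
    name: str
    interface: str
    ip: str
    area: str = "0.0.0.0"
    auth: str = "none"                  # none | text | md5
    password: str = ""                  # text authentication: sent in the clear
    md5_keys: Dict[int, str] = field(default_factory=dict)  # key ID (1..255) -> key (<= 16 chars)
    hello: int = 10                     # seconds between Hello packets
    dead: int = 40                      # seconds without a Hello before the neighbour is declared dead


def interface_warnings(i: OspfInterface) -> List[str]:
    """Sanity checks mirroring the constraints of the OSPF Interface dialog."""
    w = []
    if i.dead <= i.hello:
        w.append("Dead Interval must be longer than Hello Interval")
    elif i.dead != 4 * i.hello:
        w.append("Dead Interval is conventionally four times Hello Interval")
    if i.auth == "text" and not i.password:
        w.append("Text authentication selected but no password set")
    if i.auth == "md5":
        if not i.md5_keys:
            w.append("MD5 authentication selected but no keys configured")
        for kid, key in i.md5_keys.items():
            if not 1 <= kid <= 255:
                w.append(f"MD5 key ID {kid} outside 1..255")
            if len(key.encode()) > 16:
                w.append(f"MD5 key {kid} longer than 16 characters")
    return w


def adjacency_mismatches(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Parameters that must agree before two neighbours can form an adjacency."""
    m = []
    if a.area != b.area:
        m.append("area")
    if a.hello != b.hello:
        m.append("hello")
    if a.dead != b.dead:
        m.append("dead")
    if a.auth != b.auth:
        m.append("auth type")
    elif a.auth == "text" and a.password != b.password:
        m.append("password")
    elif a.auth == "md5" and not any(a.md5_keys.get(k) == v for k, v in b.md5_keys.items()):
        m.append("md5 key")   # no key ID with an identical key on both sides
    return m


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """RFC 2328 Appendix D: MD5 over the OSPF packet with the key, zero-padded
    to 16 bytes, appended. The digest travels after the packet on the wire."""
    k = key.encode()
    if len(k) > 16:
        raise ValueError("OSPF MD5 key is at most 16 bytes")
    return hashlib.md5(packet + k.ljust(16, b"\0")).digest()


def verify_ospf_packet(packet: bytes, digest: bytes, key_id: int, seq: int,
                       keys: Dict[int, str], last_seq: int = 0) -> bool:
    """Receiver side: the key ID must be configured locally, the cryptographic
    sequence number must not decrease (replay check), and the recomputed digest
    must match, compared in constant time."""
    key = keys.get(key_id)
    if key is None or seq < last_seq:
        return False
    return hmac.compare_digest(ospf_md5_digest(packet, key), digest)


# Constructed sample definitions.
LOCAL = OspfInterface("ospf-port1", "port1", "172.20.120.140", auth="md5", md5_keys={1: "s3cr3t-k3y"})
PEER = OspfInterface("neighbour", "eth0", "172.20.120.1", auth="md5",
                     md5_keys={1: "s3cr3t-k3y", 2: "next-key"})   # peer already holds the next key

if __name__ == "__main__":
    print("warnings:", interface_warnings(LOCAL))
    print("mismatches with peer:", adjacency_mismatches(LOCAL, PEER))
    hello = b"constructed OSPF hello packet"          # stand-in for real header + body bytes
    d = ospf_md5_digest(hello, PEER.md5_keys[1])
    print("genuine:", verify_ospf_packet(hello, d, 1, 5, LOCAL.md5_keys))
    print("tampered:", verify_ospf_packet(hello + b"!", d, 1, 5, LOCAL.md5_keys))
```

Key rollover is the reason the dialog lets you add more than one MD5 key: as long as the neighbour still holds a key ID that this interface also holds, `adjacency_mismatches` reports nothing, so a new key can be added on both sides before the old one is removed.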
BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by
ISPs to exchange routing information between different ISP networks. For
example, BGP enables the sharing of network paths between the ISP network
and an autonomous system (AS) that uses RIP, OSPF, or both to route packets
within the AS. The FortiGate implementation of BGP supports BGP-4 and
complies with RFC 1771.
Note: You can configure graceful restarting and other advanced settings only through CLI
commands. For more information on advanced BGP settings, see the “router” chapter of
the FortiGate CLI Reference.
Local AS Enter the number of the local AS to which the FortiGate unit belongs.
Router ID Enter a unique router ID to identify the FortiGate unit to other BGP
routers. The router ID is an IP address written in dotted-decimal format,
for example 192.168.0.1.
If you change the router ID while BGP is configured on an interface, all
connections to BGP peers will be broken temporarily. The connections
will re-establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM will
be used.
Neighbors The IP addresses and AS numbers of BGP peers in neighboring
autonomous systems.
IP Enter the IP address of the neighbor interface to the BGP-
enabled network.
Remote AS Enter the number of the AS that the neighbor belongs to.
Add/Edit Add the neighbor information to the Neighbors list, or edit
an entry in the list.
Neighbor The IP addresses of BGP peers.
Remote AS The numbers of the autonomous systems associated with
the BGP peers.
Delete icon Delete a BGP neighbor entry.
Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2
router in the root virtual domain. FortiGate units support PIM sparse mode (RFC
2362) and PIM dense mode (RFC 3973) and can service multicast servers or
receivers on the network segment to which a FortiGate interface is connected.
Note: You can configure basic options through the web-based manager. Many additional
options are available, but only through the CLI. For complete descriptions and examples of
how to use CLI commands to configure PIM settings, see multicast in the “router”
chapter of the FortiGate CLI Reference.
Note: For more information about FortiGate multicast support, see the FortiGate Multicast
Technical Note.
Enable Multicast Routing Select to enable PIM version 2 routing. A firewall policy must be
created on PIM-enabled interfaces to pass encapsulated packets
and decapsulated data between the source and destination.
Add Static RP If required for sparse mode operation, enter the IP address of a
Rendezvous Point (RP) that may be used as the root of a packet
distribution tree for a multicast group. Join messages from the
multicast group are sent to the RP, and data from the source is
sent to the RP.
If an RP for the specified IP’s multicast group is already known to
the Boot Strap Router (BSR), the RP known to the BSR is used
and the static RP address that you specify is ignored.
Apply Save the specified static RP addresses.
Create New Create a new multicast entry for an interface.
You can use the new entry to fine-tune PIM operation on a specific
FortiGate interface or override the global PIM settings on a
particular interface. For more information, see “Overriding the
multicast settings on an interface” on page 285.
Interface The names of FortiGate interfaces having specific PIM settings.
Mode The mode of PIM operation (Sparse or Dense) on that interface.
Status The status of sparse-mode RP candidacy on the interface.
To change the status of RP candidacy on an interface, select the
Edit icon in the row that corresponds to the interface.
Priority The priority number assigned to RP candidacy on that interface.
Available only when RP candidacy is enabled.
DR Priority The priority number assigned to Designated Router (DR)
candidacy on the interface. Available only when sparse mode is
enabled.
Delete and Edit icons Delete or edit the PIM settings on the interface.
Interface Select the name of the root VDOM FortiGate interface to which
these settings apply. The interface must be connected to a PIM
version 2 enabled network segment.
PIM Mode Select the mode of operation: Sparse Mode or Dense Mode. All
PIM routers connected to the same network segment must be
running the same mode of operation. If you select Sparse Mode,
adjust the remaining options as described below.
DR Priority Enter the priority number for advertising DR candidacy on the
FortiGate unit’s interface. The range is from 1 to 4 294 967 295.
The unit compares this value to the DR interfaces of all other PIM
routers on the same network segment, and selects the router
having the highest DR priority to be the DR.
RP Candidate Enable RP candidacy on the interface.
RP Candidate Priority Enter the priority number for advertising RP candidacy on the
FortiGate interface. The range is from 1 to 255.
Configuring BFD
BFD is intended for networks that use BGP or OSPF routing protocols. This
generally excludes smaller networks.
BFD configuration on your FortiGate unit is very flexible. You can enable BFD for
the whole unit, and turn it off for one or two interfaces. Alternatively, you can
specifically enable BFD for each neighbor router or interface. Which method you
choose will be determined by the amount of configuration required for your network.
The timeout period determines how long the unit waits before labeling a
connection as down. The length of the timeout period is important—if it is too short,
connections will be labeled down prematurely, and if it is too long, time will be
wasted waiting for a reply from a connection that is down. There is no easy
number, as it varies for each network and unit. High-end FortiGate models will
respond very quickly unless loaded down with traffic. The size of the network
also slows down the response time—packets need to make more hops than on a
smaller network. Those two factors (CPU load and network traversal time) affect
how long the timeout you select should be. With too short a timeout period, BFD
will not connect to the network device but it will keep trying. This state generates
unnecessary network traffic and leaves the device unmonitored. If this happens,
try setting a longer timeout period to allow BFD more time to discover
the device on the network.
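The following is an added illustration of the timeout trade-off described above; it is not FortiOS code and does not speak BFD. It replays a constructed series of BFD control-packet arrival times (nominally one per second, with the jitter that CPU load and extra hops introduce) against a detection time, reports every moment a session would be declared down, and then finds the smallest detect multiplier that produces no false alarm over a window in which the peer was actually up. Expressing the timeout as multiplier times transmit interval follows the BFD convention (RFC 5880); the arrival samples are constructed, with the peer going silent after 7 seconds.

```python
# Added illustration of BFD-style failure-detection timing; not FortiOS code.
from typing import List, Optional


def down_events(arrivals: List[float], detect_time: float, until: float) -> List[float]:
    """Times at which the session is declared down: the detection timer expires
    when no control packet has arrived for detect_time seconds since the last one.
    `until` closes the observation window, so a peer that stops sending is
    detected once the final silence exceeds detect_time."""
    events = []
    last = arrivals[0]
    for t in list(arrivals[1:]) + [until]:
        if t - last > detect_time:
            events.append(last + detect_time)   # timer expiry, not the next arrival
        last = t
    return events


def min_detect_multiplier(arrivals: List[float], interval: float,
                          healthy_until: float, max_mult: int = 10) -> Optional[int]:
    """Smallest multiplier whose detection time (multiplier * interval) raises no
    false 'down' during a window in which the peer is known to have been up."""
    for m in range(1, max_mult + 1):
        if not down_events(arrivals, m * interval, healthy_until):
            return m
    return None


# Constructed sample: control packets sent every 1.0 s, arriving with up to
# 0.4 s of delay; the peer falls silent after the packet at t = 7.0.
INTERVAL = 1.0
ARRIVALS = [0.0, 1.0, 2.1, 3.0, 4.4, 5.0, 6.2, 7.0]
OBSERVED_UNTIL = 20.0
PEER_UP_UNTIL = 7.0

if __name__ == "__main__":
    for mult in (1, 2, 3):
        print(f"detect {mult * INTERVAL:.1f}s ->", down_events(ARRIVALS, mult * INTERVAL, OBSERVED_UNTIL))
    print("smallest multiplier without false alarms:",
          min_detect_multiplier(ARRIVALS, INTERVAL, PEER_UP_UNTIL))
```

With a one-second detection time the session is declared down three times while the peer is still up (at 2.0, 4.0 and 6.0 s) before the real failure is caught at 8.0 s; a three-second detection time avoids the false alarms but reports the real failure only at 10.0 s. The multiplier search picks 2 for this sample, which is the shortest setting that tolerates the observed jitter.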
Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the
entries in the FortiGate routing table.
If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is
available separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• Viewing routing information
• Searching the FortiGate routing table
Metric: The metric associated with the route type. The metric of a route influences
how the FortiGate unit dynamically adds it to the routing table. The following
are types of metrics and when they are applied.
• Hop count - routes learned through RIP.
• Relative cost - routes learned through OSPF.
• Multi-Exit Discriminator (MED) - routes learned through BGP. However,
several attributes in addition to MED determine the best path to a
destination network.
Gateway: The IP addresses of gateways to the destination networks.
Interface: The interface through which packets are forwarded to the gateway of the
destination network.
Up Time: The total accumulated amount of time that a route learned through RIP,
OSPF, or BGP has been reachable.
Note: All of the values that you specify as search criteria must match corresponding values
in the same routing table entry in order for that entry to be displayed.
Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit,
between FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection
acceptance and packet processing for traffic attempting to pass through. When
the firewall receives a connection packet, it analyzes the packet’s source address,
destination address, and service (by port number), and attempts to locate a
firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow
when it receives matching packets. Some instructions are required, such as
whether to drop or accept and process the packets, while other instructions, such
as logging and authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), by using virtual IPs or IP pools to translate source and
destination IP addresses and port numbers. For details on using virtual IPs and IP
pools, see “Firewall Virtual IP” on page 333.
Policy instructions may also include protection profiles, which can specify
application-layer inspection and other protocol-specific protection and logging. For
details on using protection profiles, see “Firewall Protection Profile” on page 365.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are
configured separately for each virtual domain, and you must first enter the virtual
domain to configure its firewall policies. For details, see “Using virtual domains” on
page 95.
This section describes:
• How list order affects policy matching
• Multicast policies
• Viewing the firewall policy list
• Configuring firewall policies
• Firewall policy examples
Figure: Policy list with the Exception policy (block FTP) positioned above the General policy.
FTP connections would immediately match the deny policy, blocking the
connection. Other kinds of services do not match the FTP policy, and so policy
evaluation would continue until reaching the matching general policy. This policy
order has the intended effect. But if you reversed the order of the two policies,
positioning the general policy before the policy to block FTP, all connections,
including FTP, would immediately match the general policy, and the policy to block
FTP would never be applied. This policy order would not have the intended effect.
Figure: Policy list with the General policy positioned above the Exception policy.
Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you
would position those policies above other potential matches in the policy list.
Otherwise, the other matching policies could always take precedence, and the
required authentication, IPSec VPN, or SSL VPN might never occur.
Note: A default firewall policy may exist which accepts all connections. You can move,
disable or delete it. If you move the default policy to the bottom of the firewall policy list and
no other policy matches the packet, the connection will be accepted. If you disable or delete
the default policy and no other policy matches the packet, the connection will be dropped.
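The first-match rule described above, as an added example that is not from the FortiGate guide: a small Python evaluator that walks a policy list top to bottom on source interface, destination interface, source address, destination address and service, and returns the first match. All policy names, interfaces and addresses are constructed; the IP/Mask and IP Range address forms follow the address types this guide describes, and a packet matching no policy is dropped (implicit deny).

```python
"""Added example (not Fortinet's code): first-match firewall policy evaluation,
showing why the Exception (deny FTP) policy must sit above the General policy."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ACCEPT, DENY = "ACCEPT", "DENY"
ANY_SERVICE = ("any", None)  # any protocol, any port


def address_matches(addr_spec: str, ip: str) -> bool:
    """Match one IP against a firewall address given as IP/Mask
    ("192.168.1.0/24") or IP Range ("10.0.0.5-10.0.0.9"); "all" matches all."""
    if addr_spec == "all":
        return True
    host = ip_address(ip)
    if "-" in addr_spec:
        lo, hi = (ip_address(part.strip()) for part in addr_spec.split("-", 1))
        return lo <= host <= hi
    return host in ip_network(addr_spec, strict=False)


@dataclass(frozen=True)
class Policy:
    name: str
    src_if: str
    dst_if: str
    src_addr: str
    dst_addr: str
    service: tuple  # (protocol, destination port); port None means any port
    action: str


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def service_matches(service: tuple, packet: Packet) -> bool:
    proto, port = service
    if proto != "any" and proto != packet.proto:
        return False
    return port is None or port == packet.dport


def first_match(policies, packet: Packet):
    """Return (policy name, action) for the first policy the packet matches.
    With no match the unit drops the connection, so (None, DENY) is returned."""
    for p in policies:
        if (p.src_if == packet.src_if and p.dst_if == packet.dst_if
                and address_matches(p.src_addr, packet.src_ip)
                and address_matches(p.dst_addr, packet.dst_ip)
                and service_matches(p.service, packet)):
            return p.name, p.action
    return None, DENY


# Constructed policies: block FTP from the internal LAN, accept everything else.
BLOCK_FTP = Policy("Exception", "internal", "wan1", "192.168.1.0/24", "all",
                   ("tcp", 21), DENY)
GENERAL = Policy("General", "internal", "wan1", "192.168.1.0/24", "all",
                 ANY_SERVICE, ACCEPT)

# Constructed packets from an internal host to an external server.
FTP_PKT = Packet("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp", 21)
HTTP_PKT = Packet("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp", 80)


def intended_order():
    """Exception above General: FTP hits the deny policy first."""
    return first_match([BLOCK_FTP, GENERAL], FTP_PKT)


def reversed_order():
    """General above Exception: FTP is accepted and the deny policy never applies."""
    return first_match([GENERAL, BLOCK_FTP], FTP_PKT)


if __name__ == "__main__":
    print("intended order:", intended_order())
    print("reversed order:", reversed_order())
    print("HTTP, intended order:", first_match([BLOCK_FTP, GENERAL], HTTP_PKT))
```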
Multicast policies
FortiGate units support multicast policies. You can configure and create multicast
policies using the following CLI command:
config firewall multicast-policy
For more information, see the FortiOS CLI Reference and the FortiGate Multicast
Technical Note.
Create New: Add a firewall policy. Select the down arrow beside Create
New to add a firewall policy or firewall policy section. A
firewall policy section visually groups firewall policies. For
more information, see “Configuring firewall policies” on
page 297.
Column Settings: Customize the table view. You can select the columns to hide
or display and specify the column displaying order in the
table.
Filter icon: Edit the column filters to filter or sort the policy list according
to the criteria you specify. For more information, see “Adding
filters to web-based manager lists” on page 58.
ID: The policy identifier. Policies are numbered in the order they
are added to the policy list.
Source: The source address or address group to which the policy
applies. For more information, see “Firewall Address” on
page 315.
Destination: The destination address or address group to which the policy
applies. For more information, see “Firewall Address” on
page 315.
Schedule: The schedule that controls when the policy should be active.
For more information, see “Firewall Schedule” on page 329.
Service: The service to which the policy applies. For more information,
see “Firewall Service” on page 321.
Profile: The protection profile that is associated with the policy.
Action: The response to make when the policy matches a connection
attempt.
Status: Either enabled or disabled.
From: The source interface.
To: The destination interface.
VPN Tunnel: The VPN tunnel the VPN policy uses.
Authentication: The user authentication method the policy uses.
Comments: Comments entered when creating or editing the policy.
Log: A green check mark indicates traffic logging is enabled for the
policy; a grey cross mark indicates traffic logging is disabled
for the policy.
Count: The FortiGate unit counts the number of packets and bytes
that hit the firewall policy.
For example, 5/50B means that five packets and 50 bytes in
total have hit the policy.
The counter is reset when the FortiGate unit is restarted or
the policy is deleted and re-configured.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New
Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy
in the list. For more information, see “Moving a policy to a
different position in the policy list” on page 294.
To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add
a policy or select the edit icon beside an existing firewall policy. Configure the
settings as described in the following table and in the references to specific
features for IPSec, SSL VPN and other specialized settings, and then select OK.
Alternatively, if you want to use IPv6 firewall addresses in your firewall policy, first
go to System > Admin > Settings. Select “IPv6 Support on GUI”. Then go to
Firewall > Policy > IPv6 Policy, and configure the settings according to the
following table.
Firewall policy order affects policy matching. Each time that you create or edit a
policy, make sure that you position it in the correct location in the list. You can
create a new policy and position it right away before an existing one in the firewall
policy list, by selecting Insert Policy before (see “Viewing the firewall policy list” on
page 295).
Note: You can configure differentiated services (DSCP) firewall policy options through the
CLI. See the “firewall” chapter of the FortiGate CLI Reference.
Source Interface/Zone: Select the name of the FortiGate network interface, virtual domain
(VDOM) link, or zone on which IP packets are received. Interfaces and
zones are configured on the System Network page. For more
information, see “Interfaces” on page 107 and “Configuring zones” on
page 128.
If Action is set to IPSEC, the interface is associated with the local
private network.
If Action is set to SSL-VPN, the interface is associated with connections
from remote SSL VPN clients.
Source Address: Select the name of a firewall address to associate with the Source
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from
this list. For more information, see “Configuring addresses” on
page 317.
If you want to associate multiple firewall addresses or address groups
with the Source Interface/Zone, from Source Address, select Multiple. In
the dialog box, move the firewall addresses or address groups from the
Available Addresses section to the Members section, then select OK.
If Action is set to IPSEC, the address is the private IP address of the
host, server, or network behind the FortiGate unit.
If Action is set to SSL-VPN and the policy is for web-only mode clients,
select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients,
select the name of the address that you reserved for tunnel mode
clients.
Destination Interface/Zone: Select the name of the FortiGate network interface, virtual domain
(VDOM) link, or zone to which IP packets are forwarded. Interfaces and
zones are configured on the System Network page. For more
information, see “Interfaces” on page 107 and “Configuring zones” on
page 128.
If Action is set to IPSEC, the interface is associated with the entrance to
the VPN tunnel.
If Action is set to SSL-VPN, the interface is associated with the local
private network.
Destination Address: Select the name of a firewall address to associate with the Destination
Interface/Zone. Only packets whose header contains an IP address
matching the selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from
this list. For more information, see “Configuring addresses” on
page 317.
If you want to associate multiple firewall addresses or address groups
with the Destination Interface/Zone, from Destination Address, select
Multiple. In the dialog box, move the firewall addresses or address
groups from the Available Addresses section to the Members section,
then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The
applied translation varies by the settings specified in the virtual IP, and
whether you select NAT (below). For more information on using virtual
IPs, see “Firewall Virtual IP” on page 333.
If Action is set to IPSEC, the address is the private IP address to which
packets may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that
corresponds to the host, server, or network that remote clients need to
access behind the FortiGate unit.
Schedule: Select a one-time or recurring schedule that controls when the policy is
in effect.
You can also create schedules by selecting Create New from this list.
For more information, see “Firewall Schedule” on page 329.
Service: Select the name of a firewall service or service group that packets must
match to trigger this policy.
You can select from a wide range of predefined firewall services, or you
can create a custom service or service group by selecting Create New
from this list. For more information, see “Configuring custom services”
on page 325 and “Configuring service groups” on page 327.
By selecting the Multiple button beside Service, you can select multiple
services or service groups.
Action: Select how you want the firewall to respond when a packet matches the
conditions of the policy. The options available will vary widely depending
on this selection.
ACCEPT: Accept traffic matched by the policy. You can configure NAT, protection
profiles, log traffic, shape traffic, set authentication options, or add a
comment to the policy.
DENY: Reject traffic matched by the policy. The only other configurable policy
options are Log Violation Traffic to log the connections denied by this
policy and adding a Comment.
IPSEC: You can configure an IPSec firewall encryption policy to process IPSec
VPN packets, as well as configure protection profiles, log traffic, shape
traffic or add a comment to the policy. See “IPSec firewall policy options”
on page 306.
SSL-VPN: You can configure an SSL-VPN firewall encryption policy to accept SSL
VPN traffic. This option is available only after you have added an SSL-VPN
user group. You can also configure NAT and protection profiles,
log traffic, shape traffic or add a comment to the policy. See “SSL-VPN
firewall policy options” on page 307.
NAT: Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable
Network Address Translation (NAT) of the source address and port of
packets accepted by the policy. When NAT is enabled, you can also
configure Dynamic IP Pool and Fixed Port.
If you select a virtual IP as the Destination Address, but do not select the
NAT option, the FortiGate unit performs destination NAT (DNAT) rather
than full NAT. Source NAT (SNAT) is not performed.
Dynamic IP Pool: Select the check box, then select an IP pool to translate the source
address to an IP address randomly selected from addresses in the IP
Pool.
IP Pool cannot be selected if the destination interface, VLAN
subinterface, or one of the interfaces or VLAN subinterfaces in the
destination zone is configured using DHCP or PPPoE, or if you have
selected a Destination Interface to which no IP Pools are bound.
You cannot use IP pools when using zones. An IP pool can only be
associated with an interface.
For details, see “IP pools” on page 356.
Fixed Port: Select Fixed Port to prevent NAT from translating the source port.
Some applications do not function correctly if the source port is
translated. In most cases, if Fixed Port is selected, Dynamic IP pool is
also selected. If Dynamic IP pool is not selected, a policy with Fixed Port
selected can allow only one connection to that service at a time.
Protection Profile: Select a protection profile to apply antivirus, web filtering, web category
filtering, spam filtering, IPS, content archiving, and logging to a firewall
policy. You can also create a protection profile by selecting Create New
from this list. For more information, see “Firewall Protection Profile” on
page 365.
If you intend to apply authentication to this policy, do not make a
Protection Profile selection. The user group you choose for
authentication is already linked to a protection profile. For more
information, see “Adding authentication to firewall policies” on page 302.
Log Allowed Traffic: Select to record messages to the traffic log whenever the policy
processes a connection. You must also enable traffic log for a logging
location (syslog, WebTrends, local disk if available, memory, or
FortiAnalyzer) and set the logging severity level to Notification or lower
using the Log and Report screen. For more information see
“Log&Report” on page 525.
Log Violation Traffic: Available only if Action is set to DENY. Select Log Violation Traffic, for
Deny policies, to record messages to the traffic log whenever the policy
processes a connection. You must also enable traffic log for a logging
location (syslog, WebTrends, local disk if available, memory, or
FortiAnalyzer) and set the logging severity level to Notification or lower
using the Log and Report screen. For more information, see
“Log&Report” on page 525.
Authentication: Available only if Action is set to ACCEPT or SSL-VPN. Select to require
authentication for using this firewall policy, then specify the valid
authentication methods, group names, and certificate. If FSAE
authentication is selected, also specify a protection profile for Guest
accounts.
Before using this option, you need to add users and a firewall protection
profile to a user group. For more information, see “User groups” on
page 435. For detailed information about configuring authentication
settings, see “Authentication firewall policy options (non-SSL-VPN)” on
page 303 and “SSL-VPN firewall policy options” on page 307.
Check FortiClient is Installed and Running: Firewall policies can deny access for hosts that do not have FortiClient
Host Security software installed and operating. For more information,
see “Options to detect FortiClient on hosts” on page 308.
This option appears only on FortiGate-1000A, FortiGate-3600A, and
FortiGate-5005FA2 models.
Traffic Shaping: Traffic Shaping controls the bandwidth available to, and sets the priority
of the traffic processed by, the policy.
Note: To ensure that traffic shaping is working at its best, make sure that
the interface ethernet statistics show no errors, collisions, or buffer
overruns. If any of these problems do appear, then FortiGate and switch
settings may require adjusting.
Also, do not set both Guaranteed Bandwidth and Maximum Bandwidth
to 0 (zero), or the policy will not allow any traffic.
For information about traffic shaping, see “Adding traffic shaping to
firewall policies” on page 304 and “Traffic shaping considerations” on
page 305.
Guaranteed Bandwidth: Select a value to ensure there is enough bandwidth available for a high-
priority service. Be sure that the sum of all Guaranteed Bandwidth in all
firewall policies is significantly less than the bandwidth capacity of the
interface.
Maximum Bandwidth: Select to limit bandwidth in order to keep less important services from
using bandwidth needed for more important ones.
Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit
manages the relative priorities of different types of traffic. For example, a
policy for connecting to a secure web server needed to support
e-commerce traffic should be assigned a high traffic priority. Less
important services should be assigned a low priority. The firewall
provides bandwidth to low-priority connections only when bandwidth is
not needed for high-priority connections.
Be sure to enable traffic shaping on all firewall policies. If you do not
apply any traffic shaping rule to a policy, the policy is set to high priority
by default.
Distribute firewall policies over all three priority queues.
User Authentication Disclaimer: Available only on some models and only if Action is set to ACCEPT.
Select this option to display the Authentication Disclaimer page (a
replacement message) to the user. The user must accept the disclaimer
to connect to the destination. You can use the disclaimer together with
authentication or a protection profile.
Redirect URL: Available only on some models and only if Action is set to ACCEPT. If
you enter a URL, the user is redirected to the URL after authenticating
and/or accepting the user authentication disclaimer.
Comments: Add information about the policy. The maximum length is 63 characters.
Note: If you do not install certificates on the network users’ web browsers, the network
users may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate, which their web browsers may deem invalid. For information on
installing certificates, see “System Certificates” on page 219.
Note: When you use certificate authentication, if you do not specify a certificate when
you create a firewall policy, the FortiGate unit uses the default certificate from the global
settings. If you specify a certificate, the per-policy setting overrides the global setting.
For information on global authentication settings, see “Authentication settings” on
page 445.
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first
create users, assign them to a firewall user group, and assign a protection profile
to that user group. For information on configuring user groups, see “User groups”
on page 435. For information on configuring authentication settings, see
“Authentication firewall policy options (non-SSL-VPN)” on page 303 and “SSL-
VPN firewall policy options” on page 307.
Authentication: Select the check box then one or more authentication server
types. When a network user attempts to authenticate, options
selected in the Authentication screen indicate which local or
remote authentication servers the FortiGate unit will consult to
verify the user’s credentials. Available only if Action is set to
ACCEPT or SSL-VPN.
Firewall: Include firewall user groups defined locally on the FortiGate unit,
as well as on any connected LDAP and RADIUS servers.
Directory Service (FSAE): Include Directory Service groups defined in User > User Group.
The groups are authenticated through a domain controller using
Fortinet Server Authentication Extensions (FSAE). If you select
this option, you must install the FSAE on the Directory Service
domain controller. For information about FSAE, see the FSAE
Technical Note. For information about configuring user groups,
see “User groups” on page 435.
NTLM Authentication: Include Directory Service groups defined in User > User Group.
If you select this option, you must use Directory Service groups
as the members of the authentication group for NTLM. For
information about configuring user groups, see “User groups” on
page 435.
Available Groups: From Available Groups, select one or more user groups that
must authenticate to be allowed to use this policy. Select the
Right Arrow to move the selected user groups to Allowed.
Allowed: To prioritize the allowed user group definitions, select an Allowed
group, then select Move Up or Move Down. User groups located
at the top of the Allowed list have higher priority. If a user is a
member of more than one group, group priority determines which
user group, and therefore which protection profile, will be applied
to the authenticating user’s traffic. Select the Left Arrow to
remove allowed user groups.
Guest Profile: Directory Service (FSAE) only. Select the protection profile that
guest accounts will use.
Certificate: Certificate-based authentication only. Select the protection profile
that guest accounts will use. Note: In order to implement
certificate-based authentication, you must select a firewall
service group that includes one of the supported authentication
protocols that use certificate-based authentication. You should
also install the certificate on the network user’s web browser. For
more information, see “Adding authentication to firewall policies”
on page 302.
Note: For more information about traffic shaping you can also see the FortiGate Traffic
Shaping Technical Note.
The bandwidth available for traffic controlled by a policy is used for both the
control and data sessions and for traffic in both directions. For example, if
guaranteed bandwidth is applied to an internal and an external FTP policy, and a
user on an internal network uses FTP to put and get files, both the put and get
sessions share the bandwidth available to the traffic controlled by the policy.
The guaranteed and maximum bandwidth available for a policy is the total
bandwidth available to all traffic controlled by the policy. If multiple users start
multiple communication sessions using the same policy, all of these
sessions must share the bandwidth available for the policy.
However, bandwidth availability is not shared between multiple instances of using
the same service if these multiple instances are controlled by different policies.
For example, you can create one FTP policy to limit the amount of bandwidth
available for FTP for one network address and create another FTP policy with a
different bandwidth availability for another network address.
Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero),
the policy does not allow any traffic.
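A configuration check for the two bandwidth rules this section states, as an added example that is not Fortinet's code: it flags any policy with both Guaranteed and Maximum Bandwidth set to 0 (which passes no traffic) and any interface whose summed guaranteed bandwidth is not well below the interface capacity. The policy values are constructed, the units (kbps) and the 80% threshold for "significantly less" are assumptions, and the guaranteed-exceeds-maximum check is an added sanity check.

```python
"""Added example (not Fortinet's code): lint traffic shaping settings against
the rules stated in this section of the guide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ShapedPolicy:
    policy_id: int
    dst_if: str            # interface the policy sends traffic out of
    guaranteed_kbps: int   # Guaranteed Bandwidth (units assumed: kbps)
    maximum_kbps: int      # Maximum Bandwidth (units assumed: kbps)


def shaping_findings(policies, interface_capacity_kbps, headroom=0.8):
    """Return a list of (policy id or interface name, message) findings.

    Checks, in order:
    1. guaranteed == 0 and maximum == 0: the policy allows no traffic (guide).
    2. guaranteed > maximum (assumed sanity check, only when maximum is set).
    3. Sum of guaranteed bandwidth per interface must stay below
       headroom * capacity (the guide says "significantly less"; 80% is an
       assumed threshold).
    """
    findings = []
    guaranteed_per_if = {}
    for p in policies:
        if p.guaranteed_kbps == 0 and p.maximum_kbps == 0:
            findings.append((p.policy_id,
                             "guaranteed and maximum both 0: policy allows no traffic"))
        elif p.maximum_kbps and p.guaranteed_kbps > p.maximum_kbps:
            findings.append((p.policy_id, "guaranteed bandwidth exceeds maximum"))
        guaranteed_per_if[p.dst_if] = (
            guaranteed_per_if.get(p.dst_if, 0) + p.guaranteed_kbps)

    for name, total in guaranteed_per_if.items():
        capacity = interface_capacity_kbps.get(name)
        if capacity is None:
            findings.append((name, "interface capacity unknown; cannot check sum"))
        elif total > headroom * capacity:
            findings.append((name, f"guaranteed total {total} kbps is above "
                                   f"{headroom:.0%} of the {capacity} kbps capacity"))
    return findings


# Constructed sample: four policies on a 1 Mbps wan1 link and a 10 Mbps dmz link.
SAMPLE_POLICIES = [
    ShapedPolicy(1, "wan1", 0, 0),       # blocks all traffic
    ShapedPolicy(2, "wan1", 600, 1000),  # fine on its own
    ShapedPolicy(3, "wan1", 300, 200),   # guaranteed above maximum
    ShapedPolicy(4, "dmz", 100, 500),    # fine
]
SAMPLE_CAPACITY = {"wan1": 1000, "dmz": 10000}


def sample_findings():
    return shaping_findings(SAMPLE_POLICIES, SAMPLE_CAPACITY)


if __name__ == "__main__":
    for target, message in sample_findings():
        print(f"{target}: {message}")
```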
Traffic Priority
You can set traffic priority to manage the relative priorities of different types of
traffic. Important and latency-sensitive traffic should be assigned a high priority.
Less important and less sensitive traffic should be assigned a low priority.
The FortiGate unit provides bandwidth to low-priority connections only when
bandwidth is not needed for high-priority connections.
For example, you can add policies to guarantee bandwidth for voice and
e-commerce traffic. Then you can assign a high priority to the policy that controls
voice traffic and a medium priority to the policy that controls e-commerce traffic.
During a busy time, if both voice and e-commerce traffic are competing for
bandwidth, the higher priority voice traffic will be transmitted before the
e-commerce traffic.
Traffic shaping applied to a firewall policy is enforced for traffic flowing in
either direction. Therefore a session set up by an internal host to an
external one, through an Internal-to-External policy, will have traffic shaping
applied even if the data stream flows from external to internal. Examples are an
FTP “get”, or an SMTP server connecting to an external one in order to retrieve
email.
Note that traffic shaping is effective for normal IP traffic at normal traffic rates.
Traffic shaping is not effective during periods when traffic exceeds the capacity of
the FortiGate unit. Since packets must be received by the FortiGate unit before
they are subject to traffic shaping, if the FortiGate unit cannot process all of the
traffic it receives, then dropped packets, delays, and latency are likely to occur.
To ensure that traffic shaping is working at its best, make sure that the interface
ethernet statistics show no errors, collisions or buffer overruns. If any of these
problems do appear, then FortiGate and switch settings may require adjusting.
For more information, see the FortiGate Traffic Shaping Technical Note.
VPN Tunnel: Select the VPN tunnel name defined in the phase 1 configuration. The
specified tunnel will be subject to this firewall encryption policy.
Allow Inbound: Select to enable traffic from a dialup client or computers on the remote
private network to initiate the tunnel.
Allow Outbound: Select to enable traffic from computers on the local private network to
initiate the tunnel.
Inbound NAT: Select to translate the source IP addresses of inbound decrypted
packets into the IP address of the FortiGate interface to the local
private network.
Outbound NAT: Select only in combination with a natip CLI value to translate the
source addresses of outbound cleartext packets into the IP address
that you specify. When a natip value is specified, the source
addresses of outbound IP packets are replaced before the packets
are sent through the tunnel. For more information, see the “firewall”
chapter of the FortiGate CLI Reference.
Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall
policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction
of communication, with the IPSec virtual interface as the source or destination interface as
appropriate.
For more information, see the “Defining firewall policies” chapter of the FortiGate
IPSec VPN User Guide.
Note: The SSL-VPN option is available from the Action list after one or more SSL VPN user
groups have been created. For more information, see “Configuring additional SSL VPN
user group options” on page 442.
For information about how to create a firewall encryption policy for SSL VPN
users, see the “SSL VPN administration tasks” chapter of the FortiGate SSL VPN
User Guide.
If you select NAT (above, in the same dialog box), the IP address of the outgoing
interface of the FortiGate unit is used as the source address for new sessions
started by SSL VPN.
The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN
traffic, but has no effect on web-mode SSL VPN traffic.
Check FortiClient Installed and Running: Select to check that the source host is running FortiClient
Host Security software. Select the following reasons to
deny access as needed:
• FortiClient is Not Installed
• FortiClient is Not Licensed
• AV/IPS Database Out-of-Date
• AV Disabled
• Firewall Disabled
• Web Filter Disabled
To use AV/IPS Database Out-of-Date you must also select
AV Disabled.
Redirect Restricted Users to FortiGate Download Portal: Select to redirect denied users to the internal web portal
which displays to the user the reason for denial. From the
web portal, the user can download FortiClient Host
Security software.
To upload FortiClient software to your FortiGate unit, go to
System > Status or go to System > Maintenance >
Backup & Restore. For more information, see
“FortiClient” on page 236.
Figure labels: Internet, 192.168.100.1, Internal Network.
3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:
5 Select OK.
Figure labels: Email Server, Internal, 10.10.10.2, 192.168.100.1.
The proposed network is based around a FortiGate 100A unit. The 15 internal
computers are behind the FortiGate unit. They now access the email and web
servers in a DMZ, which is also behind the FortiGate unit. All home-based
employees now access the office network through the FortiGate unit via VPN
tunnels.
The library must be able to set different access levels for patrons and staff
members.
The first firewall policy for main office staff members allows full access to the
Internet at all times. A second policy will allow direct access to the DMZ for staff
members. A second pair of policies is required to allow branch staff members the
same access.
The staff firewall policies will all use a protection profile configured specifically for
staff access. Enabled features include virus scanning, spam filtering, IPS, and
blocking of all P2P traffic. FortiGuard web filtering is also used to block
advertising, malware, and spyware sites.
A few users may need special web and catalog server access to update
information on those servers, depending on how they are configured. Special
access can be allowed based on IP address or user.
The proposed topology has the main branch staff and the catalog access
terminals going through a FortiGate HA cluster to the servers in a DMZ. The public
access terminals first go through a FortiWiFi unit, where additional policies can be
applied, to the HA cluster and finally to the servers.
The branch office has all three users routed through a FortiWiFi unit to the main
branch via VPN tunnels.
Policies are configured in Firewall > Policy. Protection Profiles are configured in
Firewall > Protection Profile.
Main office “staff to Internet” policy:
Firewall Address
Firewall addresses and address groups define network addresses that you can
use when configuring firewall policies’ source and destination address fields. The
FortiGate unit compares the IP addresses contained in packet headers with
firewall policy source and destination addresses to determine if the firewall policy
matches the traffic.
You can organize related addresses into address groups to simplify your firewall
policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses
are configured separately for each virtual domain, and you must first enter the
virtual domain to configure its firewall addresses. For details, see “Using virtual
domains” on page 95.
This section describes:
• About firewall addresses
• Viewing the firewall address list
• Configuring addresses
• Viewing the address group list
• Configuring address groups
Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
Note: By default, IPv6 firewall addresses are configurable only in the CLI. For information
on enabling configuration of IPv6 firewall addresses in the web-based manager, see
“Settings” on page 215.
Configuring addresses
You can use one of three methods to represent hosts in firewall addresses:
IP/Mask, IP Range, or FQDN.
Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names.
Type: Select the type of address: Subnet/IP Range or FQDN. The Subnet/IP Range type allows you to enter either an IP Range or an IP address with subnet mask.
Subnet/IP Range: Enter the firewall IP address, followed by a forward slash (/), then the subnet mask, or enter an IP address range separated by a hyphen.
Interface: Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface/zone when you create a firewall policy.
4 Select OK.
Group Name: Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.
Available Addresses: The list of all configured and default firewall addresses. Use the arrows to move selected addresses between the lists of available and member addresses.
Members: The list of addresses included in the address group. Use the arrows to move selected addresses between the lists of available and member addresses.
4 Select OK.
Firewall Service
Firewall services define one or more protocols and port numbers associated with
each service. Service definitions are used by firewall policies to match session
types.
You can organize related services into service groups to simplify your firewall
policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall services are
configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• Viewing the predefined service list
• Viewing the custom service list
• Configuring custom services
• Viewing the service group list
• Configuring service groups
Service groups can contain both predefined and custom services. Service groups
cannot contain other service groups.
To organize services into a service group, go to Firewall > Service > Group.
Service groups can also be created during firewall policy configuration by
selecting Create New from the Service drop-down menu.
Firewall Schedule
Firewall schedules control when policies are in effect. You can create one-time
schedules or recurring schedules. One-time schedules are in effect only once for
the period of time specified in the schedule. Recurring schedules are in effect
repeatedly at specified times of the day on specified days of the week.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall schedules
are configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• Viewing the recurring schedule list
• Configuring recurring schedules
• Viewing the one-time schedule list
• Configuring one-time schedules
Note: A recurring schedule with a stop time that occurs before the start time starts at the
start time and finishes at the stop time on the next day. You can use this technique to
create recurring schedules that run from one day to the next. To create a recurring
schedule that runs for 24 hours, set the start and stop times to the same time.
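The recurring-schedule semantics in the note above (a stop time earlier than the start time runs into the next day; equal start and stop times mean 24 hours), modelled in Python as an added example that is not Fortinet's code. It assumes the day initials follow datetime.weekday() order (Monday first) and that the window includes the start minute and excludes the stop minute.

```python
"""Recurring firewall schedule matching with the semantics the guide gives
(added example, not FortiOS code): a window runs from Start to Stop on each
listed day; a Stop earlier than Start runs into the next day; Start equal to
Stop means the schedule is active for 24 hours.
Assumptions: day initials use datetime.weekday() order (Monday = 0) and the
window includes Start and excludes Stop.
"""
from datetime import datetime, time

# Day initials as the recurring schedule list shows them (assumed order).
DAY_INITIALS = ("M", "T", "W", "Th", "F", "S", "Su")


def recurring_schedule_active(days, start, stop, at):
    """True if the schedule is in effect at `at`.

    days  : set of day initials on which the window opens, e.g. {"M", "F"}
    start : Start column, "HH:MM"
    stop  : Stop column, "HH:MM"
    at    : ISO 8601 datetime string, e.g. "2009-01-16T23:00"
    """
    start_t, stop_t = time.fromisoformat(start), time.fromisoformat(stop)
    now = datetime.fromisoformat(at)
    today = DAY_INITIALS[now.weekday()]
    previous_day = DAY_INITIALS[(now.weekday() - 1) % 7]
    t = now.time()

    if start_t == stop_t:
        # Same start and stop time: the schedule runs the whole day.
        return today in days

    if start_t < stop_t:
        # Ordinary window that opens and closes on the same day.
        return today in days and start_t <= t < stop_t

    # Stop before start: the window opens on a listed day and closes on the
    # following day. Before Stop today it matches only if the window opened
    # on the previous day; after Start today it matches if today is listed.
    if today in days and t >= start_t:
        return True
    return previous_day in days and t < stop_t
```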
To view the recurring schedule list, go to Firewall > Schedule > Recurring.
Create New: Select to add a recurring schedule.
Name: The name of the recurring schedule.
Day: The initials of the days of the week on which the schedule is active.
Start: The start time of the recurring schedule.
Stop: The stop time of the recurring schedule.
Delete icon: Select to remove the schedule from the list. The Delete icon only appears if the schedule is not being used in a firewall policy.
Edit icon: Select to edit the schedule.
Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to
translate IP addresses and ports of packets received by a network interface,
including a modem interface.
When the FortiGate unit receives inbound packets matching a firewall policy
whose Destination Address field is a virtual IP, the FortiGate unit applies NAT,
replacing packets’ IP addresses with the virtual IP’s mapped IP address.
IP pools, similarly to virtual IPs, can be used to configure aspects of NAT;
however, IP pools configure dynamic translation of packets’ IP addresses based
on the Destination Interface/Zone, whereas virtual IPs configure dynamic or static
translation of packets’ IP addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it
to a NAT firewall policy. For details, see “Configuring virtual IPs” on page 338.
Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies
that include Virtual IPs and IP pools. See “Adding NAT firewall policies in transparent mode”
on page 361.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs
are configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• How virtual IPs map connections through FortiGate units
• Viewing the virtual IP list
• Configuring virtual IPs
• Virtual IP Groups
• Viewing the VIP group list
• Configuring VIP groups
• Health Check Monitor
• IP pools
• Viewing the IP pool list
• Configuring IP Pools
• Double NAT: combining IP pools with virtual IPs
• Adding NAT firewall policies in transparent mode
Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not
DENY to apply bidirectional NAT, also known as inbound NAT.
When comparing packets with the firewall policy list to locate a matching policy, if
a firewall policy’s Destination Address is a virtual IP, the FortiGate unit compares
the packets’ destination address to the virtual IP’s external IP address. If they match,
the FortiGate unit applies the virtual IP’s inbound NAT mapping, which specifies
how the FortiGate unit translates network addresses and/or port numbers of
packets from the receiving (external) network interface to the network interface
connected to the destination (mapped) IP address or IP address range.
In addition to specifying IP address and port mappings between interfaces, virtual
IP configurations can optionally bind an additional IP address or IP address range
to the receiving network interface. By binding an additional IP address, you can
configure a separate set of mappings that the FortiGate unit can apply to packets
whose destination matches that bound IP address, rather than the IP address
already configured for the network interface.
Depending on your configuration of the virtual IP, its mapping may involve port
address translation (PAT), also known as port forwarding or network address port
translation (NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies
by your selection of:
• static vs. dynamic NAT mapping
• the dynamic NAT’s load balancing style, if using dynamic NAT mapping
• full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible
when configuring a firewall policy with a virtual IP.
Note: If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full (source and destination) NAT; instead, it performs destination
network address translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP
address, but does not translate the source address. The private network is aware of the
source’s public IP address. For reply traffic, the FortiGate unit translates packets’ private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.
A typical example of static NAT is to allow client access from a public network to a
web server on a private network that is protected by a FortiGate unit. Reduced to
its essence, this example involves only three hosts, as shown in Figure 193: the
web server on a private network, the client computer on another network, such as
the Internet, and the FortiGate unit connecting the two networks.
When a client computer attempts to contact the web server, it uses the virtual IP
on the FortiGate unit’s external interface. The FortiGate unit receives the packets.
The addresses in the packets are translated to private network IP addresses, and
the packet is forwarded to the web server on the private network.
The packets sent from the client computer have a source IP of 192.168.37.55 and
a destination IP of 192.168.37.4. The FortiGate unit receives these packets at its
external interface, and matches them to a firewall policy for the virtual IP. The
virtual IP settings map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes
the packets’ addresses. The source address is changed to 10.10.10.2 and the
destination is changed to 10.10.10.42. The FortiGate unit makes a note of this
translation in the firewall session table it maintains internally. The packets are then
sent on to the web server.
Figure 194: Example of packet address remapping during NAT from client to server
Note that the client computer’s address does not appear in the packets the server
receives. After the FortiGate unit translates the network addresses, there is no
reference to the client computer’s IP address, except in its session table. The web
server has no indication that another network exists. As far as the server can tell,
all packets are sent by the FortiGate unit.
When the web server replies to the client computer, address translation works
similarly, but in the opposite direction. The web server sends its response packets
having a source IP address of 10.10.10.42 and a destination IP address of
10.10.10.2. The FortiGate unit receives these packets on its internal interface.
This time, however, the session table is used to recall the client computer’s IP
address as the destination address for the address translation. In the reply
packets, the source address is changed to 192.168.37.4 and the destination is
changed to 192.168.37.55. The packets are then sent on to the client computer.
The web server’s private IP address does not appear in the packets the client
receives. After the FortiGate unit translates the network addresses, there is no
reference to the web server’s network. The client has no indication that the web
server’s IP address is not the virtual IP. As far as the client is concerned, the
FortiGate unit’s virtual IP is the web server.
Figure 195: Example of packet address remapping during NAT from server to client
In the previous example, the NAT check box is checked when configuring the
firewall policy. If the NAT check box is not selected when building the firewall
policy, the resulting policy does not perform full NAT; instead, it performs
destination network address translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped
private IP address, but does not translate the source address. The web server
would be aware of the client’s IP address. For reply traffic, the FortiGate unit
translates packets’ private network source IP address to match the destination
address of the originating packets, which is maintained in the session table.
Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an
outbound firewall policy. If no virtual IPs are configured, FortiGate units apply
traditional outbound NAT to connections outbound from private network IP
addresses to public network IP addresses. However, if virtual IP configurations
exist, FortiGate units use virtual IPs’ inbound NAT mappings in reverse to apply
outbound NAT, causing IP address mappings for both inbound and outbound
traffic to be symmetric.
VIP requirements
Virtual IPs have the following requirements.
• The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
• The Mapped IP Address/Range must not include any interface IP
addresses.
• If the virtual IP is mapped to a range of IP addresses and its type is Static
NAT, the External IP Address/Range cannot be 0.0.0.0.
• When port forwarding, the External IP Address/Range cannot include any
other interface IP addresses.
• When port forwarding, the count of mapped port numbers and external port
numbers must be the same, and the last port number in the range must not
exceed 65535.
• Virtual IP names must be different from address or address group names.
• A physical external IP address can be used as the external VIP IP address.
• Duplicate entries or overlapping ranges are not permitted.
Name: Enter or change the name to identify the virtual IP. To avoid confusion, addresses, address groups, and virtual IPs cannot have the same names.
External Interface: Select the virtual IP external interface from the list. The external interface is connected to the source network and receives the packets to be forwarded to the destination network. You can select any FortiGate interface, VLAN subinterface, VPN interface, or modem interface.
Type: Select Static NAT or Server Load Balance. For details about VIP types, see “How virtual IPs map connections through FortiGate units” on page 333.
External IP Address/Range: Enter the external IP address that you want to map to an address on the destination network. To configure a dynamic virtual IP that accepts connections for any IP address, set the external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped address or a mapped address range.
Mapped IP Address/Range: Enter the real IP address on the destination network to which the external IP address is mapped. You can also enter an address range to forward packets to multiple IP addresses on the destination network. For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit calculates the external IP address range and adds the IP address range to the External IP Address/Range field. This option appears only if Type is Static NAT.
Method: If you select Server Load Balance, you can select one of the following load balancing methods.
• Static: The traffic load is spread evenly across all servers; no additional server is required.
• Round Robin: Directs requests to the next server, and treats all servers as equals regardless of response time or number of connections. Dead or non-responsive servers are avoided. A separate server is required.
• Weighted: Servers with a higher weight value receive a larger percentage of connections. Set the server weight when adding a server.
This option appears only if Type is Server Load Balance.
Port Forwarding: Select to perform port address translation (PAT).
Protocol: Select the protocol of the forwarded packets. This option appears only if Port Forwarding is enabled.
External Service Port: Enter the external interface port number for which you want to configure port forwarding. This option appears only if Port Forwarding is enabled.
Map to Port: Enter the port number on the destination network to which the external port number is mapped. You can also enter a port number range to forward packets to multiple ports on the destination network. For a virtual IP with static NAT, if you add a map to port range the FortiGate unit calculates the external port number range and adds the port number range to the External Service Port field. This option appears only if Port Forwarding is enabled.
Real Servers: If you select Server Load Balancing for the Type, enter the real server IP addresses. At least one IP address is required, but you can enter up to eight (8) real server IP addresses per virtual IP (VIP). To enter a server IP address, select Add under Real Servers and enter the following information:
• IP: Enter the IP address of the server.
• Port: If you enable port forwarding, enter the port number on the destination network to which the external port number is mapped.
• Weight: Determines the weight value of a specific server. The higher the weight value, the higher the percentage of connections the server will handle. A range of 1-255 can be used. This option is available only if Method is Weighted.
• Health Check: Enable this option to use ping detection to check the status of the server before forwarding the session.
• Monitors: If Health Check is selected, select which health check monitor method will be used to perform the health check. For details on configuring a health check monitor, see “Health Check Monitor” on page 355.
This option appears only if Type is Server Load Balance.
HTTP Multiplexing: Select to use the FortiGate unit’s HTTP proxy to multiplex multiple client connections destined for the web server into a few connections between the FortiGate unit and the web server. This can improve performance by reducing the server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. This option appears only if Port Forwarding is selected.
Note: Additional HTTP Multiplexing options are available in the CLI. For details, see the FortiGate CLI Reference.
Preserve Client IP: Select to preserve the IP address of the client in the X-Forwarded-For HTTP header. This can be useful if you require logging of the client’s original IP address on the server. If this option is not selected, the header will contain the IP address of the FortiGate unit. This option appears only if Port Forwarding is selected, and is available only if HTTP Multiplexing is selected.
SSL Offloading: Select to accelerate clients’ SSL connections to the server by using the FortiGate unit to perform SSL operations, then select which segments of the connection will receive SSL offloading.
• Client <-> FortiGate: Select to apply hardware accelerated SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in the best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
• Client <-> FortiGate <-> Server: Select to apply hardware accelerated SSL to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the other option, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
This option appears only if Port Forwarding is selected, and only on FortiGate models whose hardware supports SSL acceleration, such as the FortiGate-3600A.
Note: Additional SSL Offloading options are available in the CLI. For details, see the FortiGate CLI Reference.
Certificate: Select which SSL certificate to use with SSL Offloading. This option appears only if Port Forwarding is selected, and is available only if SSL Offloading is selected.
To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound
to the network interface, and selecting the mapping type and mapped IP
address(es) and/or port(s). For configuration examples of each type, see:
• “Adding a static NAT virtual IP for a single IP address” on page 341
• “Adding a static NAT virtual IP for an IP address range” on page 343
• “Adding static NAT port forwarding for a single IP address and a single port” on
page 344
• “Adding static NAT port forwarding for an IP address range and a port range”
on page 346
• “Adding a server load balance virtual IP” on page 348
• “Adding a server load balance port forwarding virtual IP” on page 350
• “Adding dynamic virtual IPs” on page 352
• “Adding a virtual IP with port translation only” on page 353
4 Select OK.
The virtual IP appears in the virtual IP list.
5 To implement the virtual IP, select the virtual IP in a firewall policy.
For example, to add a firewall policy that maps public network addresses to a
private network, you might add an external to internal firewall policy and select the
Source Interface/Zone to which a virtual IP is bound, then select the virtual IP in
the Destination Address field of the policy. For details, see “Configuring firewall
policies” on page 297.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In our example, the wan1 interface
of the FortiGate unit is connected to the Internet and the dmz1 interface is
connected to the DMZ network.
Name: static_NAT
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range: The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
4 Select OK.
3 Select NAT.
4 Select OK.
Name: static_NAT_range
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address range of the web servers. The external IP addresses are usually static IP addresses obtained from your ISP for your web servers. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP addresses of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP addresses can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Map to IP/IP Range: The IP address range of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
4 Select OK.
3 Select NAT.
4 Select OK.
Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42,
port 8000 on a private network. Attempts to communicate with 192.168.37.4,
port 80 from the Internet are translated and sent to 10.10.10.42, port 8000 by the
FortiGate unit. The computers on the Internet are unaware of this translation and
see a single computer at 192.168.37.4, port 80 rather than a FortiGate unit with a
private network behind it.
Figure 202: Static NAT virtual IP port forwarding for a single IP address and a single port example
To add static NAT virtual IP port forwarding for a single IP address and a
single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In our example, the wan1 interface
of the FortiGate unit is connected to the Internet and the dmz1 interface is
connected to the DMZ network.
Figure 203: Virtual IP options: Static NAT port forwarding virtual IP for a single IP address and a single port
Name: Port_fwd_NAT_VIP
External Interface: wan1
Type: Static NAT
External IP Address/Range: The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Map to IP/IP Range: The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The port traffic from the Internet will use. For a web server, this will typically be port 80.
Map Port: The port on which the server expects traffic. Since there is only one port, leave the second field blank.
4 Select OK.
To add static NAT virtual IP port forwarding for a single IP address and a
single port to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on
the Internet attempt to connect to the web server IP addresses, packets pass
through the FortiGate unit from the wan1 interface to the dmz1 interface. The
virtual IP translates the destination addresses and ports of these packets from the
external IP to the dmz network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
3 Select NAT.
4 Select OK.
Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are
mapped to ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a
private network. Attempts to communicate with 192.168.37.5, port 82 from the
Internet, for example, are translated and sent to 10.10.10.43, port 8002 by the
FortiGate unit. The computers on the Internet are unaware of this translation and
see a single computer at 192.168.37.5 rather than a FortiGate unit with a private
network behind it.
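The address rewriting walked through in the static NAT example earlier in this section (client 192.168.37.55 to 192.168.37.4, forwarded to 10.10.10.42 with source 10.10.10.2, and the reply undone from the session table; DNAT only when the policy’s NAT check box is cleared) together with the port-forwarding range mapping just described, modelled in Python as an added example that is not Fortinet’s code. It assumes full NAT leaves the client’s source port unchanged and, as the VIP requirements need, uses external and mapped ranges of equal size.

```python
"""Model of static NAT virtual IP translation on a FortiGate unit.

Added example, not FortiOS code. It follows the guide: an inbound packet
whose destination matches the VIP's external IP (and, with port forwarding,
its external port) is mapped by offset into the mapped IP and port ranges;
the translation is recorded in a session table so the server's reply is
rewritten back; with the policy's NAT check box cleared only the destination
is rewritten (DNAT), with it selected the source becomes the FortiGate unit's
internal interface address as well (full NAT).
Assumption: full NAT leaves the client's source port unchanged.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def packet(src: str, sport: int, dst: str, dport: int) -> Packet:
    return Packet(IPv4Address(src), sport, IPv4Address(dst), dport)


@dataclass(frozen=True)
class StaticNatVIP:
    """External IP/port range mapped one-to-one onto a mapped IP/port range.
    Only the start of each mapped range is stored: the guide says the unit
    calculates the matching range size itself."""
    ext_start: IPv4Address
    ext_end: IPv4Address
    map_start: IPv4Address
    ext_port_start: Optional[int] = None   # None: no port forwarding
    ext_port_end: Optional[int] = None
    map_port_start: Optional[int] = None

    def __post_init__(self) -> None:
        if self.ext_end < self.ext_start:
            raise ValueError("external IP range end precedes its start")
        if self.ext_port_start is not None:
            span = self.ext_port_end - self.ext_port_start
            # VIP requirement: the last mapped port must not exceed 65535.
            if span < 0 or self.map_port_start + span > 65535:
                raise ValueError("invalid port range")

    def translate(self, dst: IPv4Address, dport: int) -> Optional[Tuple[IPv4Address, int]]:
        """Mapped (ip, port) for a destination, or None when it does not match."""
        if not (self.ext_start <= dst <= self.ext_end):
            return None
        mapped_ip = self.map_start + (int(dst) - int(self.ext_start))
        if self.ext_port_start is None:
            return mapped_ip, dport            # NAT only: port unchanged
        if not (self.ext_port_start <= dport <= self.ext_port_end):
            return None
        return mapped_ip, self.map_port_start + (dport - self.ext_port_start)


def make_vip(ext: str, map_start: str, ext_ports: Optional[Tuple[int, int]] = None,
             map_port_start: Optional[int] = None) -> StaticNatVIP:
    """ext is 'a.b.c.d' or 'a.b.c.d-e.f.g.h', as typed into External IP Address/Range."""
    first, _, last = ext.partition("-")
    ext_start, ext_end = IPv4Address(first), IPv4Address(last or first)
    if ext_ports is None:
        return StaticNatVIP(ext_start, ext_end, IPv4Address(map_start))
    return StaticNatVIP(ext_start, ext_end, IPv4Address(map_start),
                        ext_ports[0], ext_ports[1], map_port_start)


class InboundVipPolicy:
    """A firewall policy whose Destination Address is the VIP."""

    def __init__(self, vip: StaticNatVIP, internal_if_ip: str, nat: bool) -> None:
        self.vip = vip
        self.internal_if_ip = IPv4Address(internal_if_ip)
        self.nat = nat                          # the policy's NAT check box
        # Session table, keyed by the 4-tuple the server's reply will carry.
        self.sessions: Dict[Tuple[IPv4Address, int, IPv4Address, int], Packet] = {}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a client packet; None means the policy does not match."""
        mapped = self.vip.translate(pkt.dst, pkt.dport)
        if mapped is None:
            return None
        mapped_ip, mapped_port = mapped
        src = self.internal_if_ip if self.nat else pkt.src   # full NAT vs DNAT
        out = Packet(src, pkt.sport, mapped_ip, mapped_port)
        self.sessions[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Undo the translation for a server reply using the session table."""
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None                         # no session: not forwarded
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)
```

A reply that matches no session entry is dropped, which is what keeps the web server’s private address from reaching the Internet outside an established session.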
Figure 204: Static NAT virtual IP port forwarding for an IP address range and a port range example
To add static NAT virtual IP port forwarding for an IP address range and a
port range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In this example, the external
interface of the FortiGate unit is connected to the Internet and the dmz1 interface
is connected to the DMZ network.
Name: Port_fwd_NAT_VIP_port_range
External Interface: external
Type: Static NAT
External IP Address/Range: The external IP addresses are usually static IP addresses obtained from your ISP. These addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP addresses can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Map to IP/IP Range: The IP addresses of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
Map Port: The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.
4 Select OK.
To add static NAT virtual IP port forwarding for an IP address range and a
port range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users
on the Internet attempt to connect to the web server IP addresses, packets pass
through the FortiGate unit from the external interface to the dmz1 interface. The
virtual IP translates the destination addresses and ports of these packets from the
external IP addresses to the dmz network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:
3 Select NAT.
4 Select OK.
Note: Server load balancing maps a single IP on one network to up to eight real server IPs
on another network. At least one real address must be added to use this feature.
Name: Load_Bal_VIP
External Interface: wan1
Type: Server Load Balance
External IP Address/Range: The public IP addresses of the web servers. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Method: Select one of the load balance methods. For details, see “Configuring virtual IPs” on page 338.
Real Servers: If you select Server Load Balancing for the VIP type, enter the real server IP addresses. For details about real server settings, see “Configuring virtual IPs” on page 338.
4 Select OK.
3 Select NAT.
4 Select OK.
Name: Load_Bal_VIP_port_forward
External Interface: wan1
Type: Server Load Balance
External IP Address/Range: The public IP addresses of the web servers. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the wan1 interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Method: Select one of the load balance methods. For details, see “Configuring virtual IPs” on page 338.
Real Servers: If you select Server Load Balancing for the VIP type, enter the real server IP addresses. For details about real server settings, see “Configuring virtual IPs” on page 338.
Port Forwarding: Selected
Protocol: TCP
External Service Port: The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
4 Select OK.
3 Select NAT.
4 Select OK.
10 Enter the Map to Port number to be added to packets when they are forwarded.
Enter the same number as the External Service Port if the port is not to be
translated.
11 Select OK.
Note: To apply port forwarding to the external interface without binding a virtual IP address
to it, enter the IP address of the network interface instead of a virtual IP address, then
configure port forwarding as usual.
Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall
policy list. For example, instead of having five identical policies for five different
but related virtual IPs located on the same network interface, you might combine
the five virtual IPs into a single virtual IP group, which is used by a single firewall
policy.
Firewall policies using VIP Groups are matched by comparing both the member
VIP IP address(es) and port number(s).
Create New Select to add a new VIP group. See “Configuring VIP groups” on
page 354.
Group Name The name of the virtual IP group.
Members Lists the group members.
Interface Displays the interface that the VIP group belongs to.
Delete icon Remove the VIP group from the list. The Delete icon only appears if the
VIP group is not being used in a firewall policy.
Edit icon Edit the VIP group information, including the group name and
membership.
4 Select OK.
IP pools
Use IP pools to add NAT policies that translate source addresses to addresses
randomly selected from the IP pool, rather than the IP address assigned to that
FortiGate unit interface. In Transparent mode, IP pools are available from the
FortiGate CLI.
An IP pool defines an address or a range of IP addresses, all of which respond to
ARP requests on the interface to which the IP pool is added.
Select Enable Dynamic IP Pool in a firewall policy to translate the source address
of outgoing packets to an address randomly selected from the IP pool. An IP pool
list appears when the policy destination interface is the same as the IP pool
interface.
With an IP pool added to the internal interface, you can select Dynamic IP pool for
policies with the internal interface as the destination.
Add multiple IP pools to any interface and select the IP pool to use when
configuring a firewall policy.
A single IP address is entered normally. For example, 192.168.110.100 is a
valid IP pool address. If an IP address range is required, use either of the
following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]
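The two range notations above are easy to get wrong by hand (a reversed range or an octet above 255 is a common slip). The following parser, an added example that is not part of the guide or of FortiOS, expands any of the three accepted forms (single address, x.x.x.x-x.x.x.x, x.x.x.[x-x]) into the list of addresses the pool would answer ARP for, and rejects malformed or reversed ranges; the sample strings are constructed from the guide's own examples.

```python
import ipaddress
import re

# x.x.x.x-x.x.x.x form
_DASH_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
# x.x.x.[x-x] form: a fixed three-octet prefix and a bracketed last-octet range
_BRACKET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_ip_pool(spec):
    """Return the IPv4Address objects described by an IP pool string.

    Accepts a single address, x.x.x.x-x.x.x.x, or x.x.x.[x-x].
    Raises ValueError for malformed addresses and for reversed ranges.
    """
    spec = spec.strip()
    m = _DASH_RANGE.match(spec)
    if m:
        start = ipaddress.IPv4Address(m.group(1))
        end = ipaddress.IPv4Address(m.group(2))
    else:
        m = _BRACKET_RANGE.match(spec)
        if m:
            prefix, low, high = m.group(1), m.group(2), m.group(3)
            # IPv4Address raises ValueError if an octet is out of range (e.g. .300)
            start = ipaddress.IPv4Address(f"{prefix}.{low}")
            end = ipaddress.IPv4Address(f"{prefix}.{high}")
        else:
            start = end = ipaddress.IPv4Address(spec)  # single address
    if end < start:
        raise ValueError(f"range end precedes range start: {spec}")
    return [ipaddress.IPv4Address(int(start) + i) for i in range(int(end) - int(start) + 1)]


def is_valid_pool(spec):
    """True if the string is an IP pool specification this parser accepts."""
    try:
        parse_ip_pool(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("192.168.110.100", "192.168.110.100-192.168.110.120", "192.168.110.[100-120]"):
        print(sample, "->", len(parse_ip_pool(sample)), "address(es)")
```

Both range forms in the guide expand to the same 21 addresses; the parser treats them identically.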
Create New Select to add an IP pool.
Name Enter the name of the IP pool.
Start IP Enter the IP address that defines the start of the address range.
End IP Enter the IP address that defines the end of the address range.
Delete icon Select to remove the entry from the list. The Delete icon only appears if
the IP pool is not being used in a firewall policy.
Edit icon Select to edit the following information: Name, Interface, IP
Range/Subnet.
Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.
To allow local users to access the server, use fixed port together with an IP pool
so that more than one user can connect at the same time, while a virtual IP
translates the destination port from 8080 to 80.
To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.
2 Select Create New.
3 Enter the following information and select OK.
Name pool-1
Interface DMZ
IP Range/Subnet 10.1.3.1-10.1.3.254
Name server-1
External Interface Internal
Type Static NAT
External IP Address/Range 172.16.1.1 (note that this address is the same as the server address)
Mapped IP Address/Range 172.16.1.1
Port Forwarding Enable
Protocol TCP
4 Select NAT.
5 Select OK.
Similarly on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a
default route of 10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these
packets from the internal interface out the wan1 interface to the Internet. Because
the wan1 interface does not have an IP address of its own, you must add an IP
pool to the wan1 interface that translates the source addresses of the outgoing
packets to an IP address on the network connected to the wan1 interface.
The example describes adding an IP pool with a single IP address of 10.1.1.201.
So all packets sent by a PC on the internal network that are accepted by the
internal to wan1 policy leave the wan1 interface with their source address
translated to 10.1.1.201. These packets can now travel across the Internet to their
destination. Reply packets return to the wan1 interface because they have a
destination address of 10.1.1.201. The internal to wan1 NAT policy translates the
destination address of these return packets to the IP address of the originating PC
and sends them out the internal interface to the originating PC.
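The translation just described (source rewritten to the pool address on the way out, reply mapped back to the originating PC on the way in) is a session table keyed on the translated 4-tuple. The following model is an added example, not FortiGate code: it uses the single pool address 10.1.1.201 from this example, picks a pool address at random as the guide describes, allocates a distinct source port per session (or keeps the original port when the constructed fixed_port flag is set, modelling the fixed port option mentioned under Configuring IP Pools), and returns None for a reply that matches no session, which is the case the firewall drops. The client and server addresses in the test are constructed.

```python
import random
from collections import namedtuple

# A flow is identified by its 4-tuple; the protocol is omitted to keep the model small.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")


class IpPoolSourceNat:
    """Model of dynamic IP pool source NAT on an outgoing policy (constructed example).

    pool:       list of pool addresses, e.g. ["10.1.1.201"] as in the guide's example
    fixed_port: keep the original source port (the guide's "fixed port" option);
                otherwise a free port is allocated on the chosen pool address
    """

    def __init__(self, pool, fixed_port=False, first_port=1024, last_port=65535):
        self.pool = list(pool)
        self.fixed_port = fixed_port
        self.port_range = range(first_port, last_port + 1)
        self.outbound = {}  # original Flow -> (pool_ip, pool_port)
        self.inbound = {}   # (pool_ip, pool_port, dst_ip, dst_port) -> original Flow

    def _allocate(self, flow):
        # The pool address is chosen at random, as the guide describes; the port is
        # then chosen so that replies from the same server stay distinguishable.
        for ip in random.sample(self.pool, len(self.pool)):
            ports = [flow.src_port] if self.fixed_port else self.port_range
            for port in ports:
                if (ip, port, flow.dst_ip, flow.dst_port) not in self.inbound:
                    return ip, port
        raise RuntimeError("no free pool address/port for this destination")

    def translate_outbound(self, flow):
        """Rewrite the source of a packet from the internal network; creates the session."""
        if flow not in self.outbound:
            pool_ip, pool_port = self._allocate(flow)
            self.outbound[flow] = (pool_ip, pool_port)
            self.inbound[(pool_ip, pool_port, flow.dst_ip, flow.dst_port)] = flow
        pool_ip, pool_port = self.outbound[flow]
        return Flow(pool_ip, pool_port, flow.dst_ip, flow.dst_port)

    def translate_reply(self, reply):
        """Rewrite the destination of a reply that arrived at a pool address.

        Returns the flow as delivered to the originating PC, or None when no
        session matches (nothing to map the packet to, so it is dropped).
        """
        key = (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        original = self.inbound.get(key)
        if original is None:
            return None
        return Flow(reply.src_ip, reply.src_port, original.src_ip, original.src_port)


if __name__ == "__main__":
    nat = IpPoolSourceNat(["10.1.1.201"])
    out = nat.translate_outbound(Flow("192.168.1.10", 40000, "203.0.113.5", 80))
    print("outbound:", out)
    print("reply:", nat.translate_reply(Flow("203.0.113.5", 80, "10.1.1.201", out.src_port)))
```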
Use the following steps to configure NAT in Transparent mode
• Adding two management IPs
• Adding an IP pool to the wan1 interface
• Adding an internal to wan1 firewall policy
Figure: NAT in Transparent mode (Internal network 192.168.1.0/24, DMZ network 10.1.1.0/24, management IPs 192.168.1.99 and 10.1.1.99, router 10.1.1.99, Internet)
Note: If the firewall policy requires authentication, do not select the protection profile in the
firewall policy. The protection profile is specific to the authenticating user group. For details
on configuring the protection profile associated with the user group, see “Configuring a user
group” on page 438.
Strict Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP
traffic. The strict protection profile may not be useful under normal
circumstances, but it is available when maximum protection is required.
Scan Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic.
Quarantine is also selected for all content services. On FortiGate models
with a hard drive, if antivirus scanning finds a virus in a file, the file is
quarantined on the FortiGate hard disk. If a FortiAnalyzer unit is
configured, files are quarantined remotely. Quarantine permits system
administrators to inspect, recover, or submit quarantined files to Fortinet
for analysis.
Web Apply virus scanning and web content blocking to HTTP traffic. Add this
protection profile to firewall policies that control HTTP traffic.
Unfiltered Apply no scanning, blocking or IPS. Use the unfiltered content profile if
no content protection for content traffic is required. Add this protection
profile to firewall policies for connections between highly trusted or highly
secure networks where content does not need to be protected.
Note: Content archiving is disabled by default with the unfiltered
protection profile.
Note: If both Virus Scan and File Block are enabled, the FortiGate unit blocks files
matching enabled file patterns before scanning files for viruses.
Anti-Virus options
You can apply antivirus scanning options through a protection profile.
In general, client comforting provides a visual display of progress for web page
loading or file downloads. Without client comforting, users have no indication that
the download has started until the FortiGate unit has completely buffered and
scanned the download, and they may cancel or repeatedly retry the transfer,
thinking it has failed. The appearance of a client comforting message (for
example, a progress bar) is browser-dependent. In some instances, there will be
no visual client comforting cue.
For email scanning, the oversize threshold refers to the final size of the email after
encoding by the email client, including attachments. Email clients can use a
variety of encoding types; some result in larger file sizes than the original
attachment. The most common encoding, base64, translates 3 bytes of binary
data into 4 bytes of base64 data. As a result, a file may be blocked or logged as
oversized even if the attachment is several megabytes smaller than the configured
oversize threshold.
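The 3-to-4 expansion, plus the line breaks MIME inserts every 76 encoded characters, is why an attachment well under the threshold can still be blocked. The following is an added example, not the guide's own logic: it computes the MIME base64 size of an attachment analytically, checks that figure against Python's encoder, and applies it to a constructed 10 MB threshold. The threshold is taken as 1024*1024-byte megabytes, which is an assumption; the guide does not state which unit it uses.

```python
import base64
import math

MIB = 1024 * 1024  # assumption: the guide's "megabytes" taken as 1024 * 1024 bytes


def mime_base64_size(raw_bytes, line_ending_len=2):
    """Size in bytes of `raw_bytes` bytes after MIME base64 encoding.

    Every 3 input bytes become 4 output characters (padded up at the end), and
    RFC 2045 wraps the output into 76-character lines, each ending in CRLF.
    """
    encoded = 4 * math.ceil(raw_bytes / 3)
    lines = math.ceil(encoded / 76)
    return encoded + lines * line_ending_len


def matches_python_encoder(raw_bytes):
    """Cross-check the formula against base64.encodebytes (which uses LF endings)."""
    return mime_base64_size(raw_bytes, line_ending_len=1) == len(base64.encodebytes(bytes(raw_bytes)))


def is_oversized(attachment_bytes, threshold_mb, header_bytes=0):
    """True if the encoded message would exceed the protection profile threshold.

    header_bytes covers the rest of the message (headers, body text); the
    attachment is what base64 encoding inflates.
    """
    return header_bytes + mime_base64_size(attachment_bytes) > threshold_mb * MIB


if __name__ == "__main__":
    for size in (7_500_000, 7_700_000):
        verdict = "blocked/logged" if is_oversized(size, 10) else "passed"
        print(f"{size:,}-byte attachment, 10 MB threshold: {mime_base64_size(size):,} bytes encoded -> {verdict}")
```

With a 10 MB threshold, a 7.5 MB attachment passes but a 7.7 MB one is treated as oversized, even though both are more than two megabytes below the configured value.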
To configure antivirus options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside Anti-Virus, enter the information as
described below, and select OK. For more antivirus configuration options, see
“AntiVirus” on page 447.
Virus Scan Select virus scanning for each protocol (HTTP, FTP, IMAP, POP3,
SMTP, IM). Virus Scan includes grayware, as well as heuristic
scanning. However, by default neither is enabled. To enable
specific grayware, go to AntiVirus > Config > Grayware. To
enable heuristic scanning, see the config antivirus
heuristic command in the FortiGate CLI Reference.
Note: When you enable virus scanning, scanning by splice, also
called streaming mode, is enabled automatically. When scanning
by splice, the FortiGate unit simultaneously scans and streams
traffic to the destination, terminating the stream to the destination
if a virus is detected. For details on configuring splicing, see the
splice option for each protocol in the config firewall
profile command in the FortiGate CLI Reference. For details on
splicing behavior for each protocol, see the Knowledge Center
article FortiGate Proxy Splice and Client Comforting Technical
Note.
Extended AV Database Select to scan for viruses that have not been recently observed in
the wild.
In addition to the FortiGuard Antivirus wild list database, which
contains viruses currently being detected in the wild, some
FortiGate models are also equipped with an extended antivirus
database that contains viruses not recently observed in the wild.
This option appears only on models with more than one partition,
such as the FortiGate-3810A.
File Filter Select to filter files, then under Options, specify a file filter, which
can consist of file name patterns and file types. For more
information, see “File Filter” on page 450.
Quarantine Select for each protocol to quarantine suspect files for later
inspection or submission to Fortinet for analysis.
This option appears only if the FortiGate unit has a hard drive or a
configured FortiAnalyzer unit, and will take effect only if you have
first enabled and configured the quarantine. For more information,
see “Quarantine” on page 454.
Pass Fragmented Emails Select to allow fragmented email for mail protocols (IMAP, POP3,
and SMTP). Fragmented email cannot be scanned for viruses.
Comfort Clients Select client comforting for each protocol.
Interval The time in seconds before client comforting starts after the
download has begun, and the time between subsequent intervals.
Amount The number of bytes sent at each interval.
Oversized File/Email Select Block or Pass for files and email messages exceeding
configured thresholds for each protocol.
Threshold If the file is larger than the threshold value in megabytes, the file is
passed or blocked. The maximum threshold for scanning in
memory is 10% of the FortiGate unit’s RAM.
Add signature to outgoing emails Create and enable a signature to append to outgoing email (SMTP
only).
Web Content Block Select the checkbox to block HTTP traffic based on the
words or patterns in the content block filter.
Web content block list Select which content block filter will be used with this
protection profile.
Threshold Enter a score threshold.
Web Content Exempt Select the check box to enable the override of web content
block based on the content exempt patterns in the content
exempt list.
Web content exempt list Select which content exemptions will be used with this
protection profile.
Web URL Filter Select the check box to block HTTP and HTTPS traffic
based on the URL list.
Web URL filter list Select which web URL filter list will be used with this
protection profile.
ActiveX Filter Select to block ActiveX controls.
Cookie Filter Select to block cookies.
Java Applet Filter Select to block Java applets.
Web Resume Download Block Select to block downloading parts of a file that have already
been downloaded. Enabling this option will prevent the
unintentional download of virus files hidden in fragmented
files. Note that some types of files, such as PDFs, are
fragmented to increase download speed, and that selecting
this option can cause download interruptions with these
types.
Block Invalid URLs Select to block web sites whose SSL certificate’s CN field
does not contain a valid domain name.
FortiGate units always validate the CN field, regardless of
whether this option is enabled. However, if this option is not
selected, the following behavior occurs:
• If the request is made directly to the web server, rather
than a web server proxy, the FortiGate unit queries for
FortiGuard Web Filtering category or class ratings using
the IP address only, not the domain name.
• If the request is to a web server proxy, the real IP
address of the web server is not known. Therefore, rating
queries by either or both the IP address and the domain
name is not reliable. In this case, the FortiGate unit does
not perform FortiGuard Web Filtering.
Blocked pages are replaced with a message indicating that the page is not
accessible according to the Internet usage policy.
If the combined scores of the content block patterns appearing on a web page
exceed the threshold value, the page will be blocked. For details, see “Viewing the
web content block list” on page 483.
For more information on web filter configuration options, see “Web Filter” on
page 479. For details on how web URL filter lists are used with HTTP and HTTPS
URLs, see “URL formats” on page 490.
Strict Blocking This option is enabled by default. Strict Blocking only has
an effect when either a URL fits into a protection profile
Category and Classification or “Rate URLs by domain
and IP address” is enabled. With “Rate URLs by domain
and IP address” enabled, all URLs have two categories
and up to two classifications (one set for the domain and
one set for the IP address). All URLs belong to at least
one category (Unrated is a category) and may also
belong to a classification.
If you enable Strict Blocking, a site is blocked if it is in at
least one blocked category or classification and only
allowed if all categories or classifications it falls under are
allowed.
If you do not enable Strict Blocking, a site is allowed if it
belongs to at least one allowed category or classification
and only blocked if all categories or classifications it falls
under are blocked.
For example, suppose a protection profile blocks “Search
Engines” but allows “Image Search” and the URL
“images.example.com” falls into the General Interests
Search Engines category and the Image Search
classification.
With Strict Blocking enabled, this URL is blocked
because it belongs to the Search Engines category,
which is blocked.
With Strict Blocking disabled, the URL is allowed because
it is classified as Image Search, which is allowed. It would
only be blocked if both the Search Engines category and
Image Search classification were blocked.
Rate URLs by domain and IP address Select to send both the URL and the IP address of the
requested site for checking, and thus provide additional
security against attempts to bypass the FortiGuard
system.
However, because IP rating is not updated as quickly as
URL rating, some false ratings may occur.
Block HTTP redirects by rating Enable to block HTTP redirects.
Many web sites use HTTP redirects legitimately;
however, in some cases, redirects may be designed
specifically to circumvent web filtering, as the initial web
page could have a different rating than the destination
web page of the redirect.
Category FortiGuard Web Filtering provides many content
categories by which to filter web traffic. Categories reflect
the subject matter of the content.
For each category, select to Allow or Block, and, if the
category is blocked, whether or not to Allow Override to
permit users to override the filter if they successfully
authenticate. You can also select to log each traffic
occurrence of the category.
Classification In addition to content categories, FortiGuard Web
Filtering provides functional classifications that block
whole classes of web sites based upon their functionality,
media type, or source, rather than the web site’s subject
matter.
Using classifications, you can block web sites that host
cached content or that facilitate image, audio, or video
searches, or web sites from spam URLs. Classification is
in addition to, and can be configured separately from, the
category.
For each class, select to Allow or Block, and, if the class
is blocked, whether or not to Allow Override to permit
users to override the filter if they successfully
authenticate. You can also select to log each traffic
occurrence of the class.
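The Strict Blocking rule in the table above is a small piece of set logic, and the difference between the two modes only shows when a URL carries more than one rating. The function below is an added example, not FortiOS code: it takes the categories and classifications a URL is rated with, the set of names the protection profile blocks, and the Strict Blocking setting, and returns the decision. The tests replay the guide's images.example.com example and add a constructed case where "Rate URLs by domain and IP address" gives a URL an Unrated domain category alongside a blocked IP category.

```python
def web_filter_decision(categories, classifications, blocked, strict_blocking=True):
    """Return "block" or "allow" for one URL under a FortiGuard Web Filtering profile.

    categories:      the URL's categories (at least one; two when "Rate URLs by
                     domain and IP address" is enabled, one per domain and IP)
    classifications: zero or more functional classifications of the URL
    blocked:         names of the categories and classifications the profile blocks
    """
    if not categories:
        raise ValueError("a URL always has at least one category (Unrated is a category)")
    ratings = set(categories) | set(classifications)
    blocked_hits = ratings & set(blocked)
    if strict_blocking:
        # Blocked if any rating is blocked; allowed only when every rating is allowed.
        return "block" if blocked_hits else "allow"
    # Allowed if any rating is allowed; blocked only when every rating is blocked.
    return "block" if blocked_hits == ratings else "allow"


# Constructed profile matching the guide's example: block Search Engines, allow Image Search.
EXAMPLE_PROFILE = {"Search Engines"}


if __name__ == "__main__":
    for strict in (True, False):
        print("Strict Blocking", "on " if strict else "off",
              "-> images.example.com:",
              web_filter_decision(["Search Engines"], ["Image Search"], EXAMPLE_PROFILE, strict))
```

With strict blocking off, a single allowed rating is enough to let a site through, which is why the guide leaves the option on by default.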
Note: Some popular email clients cannot filter messages based on the MIME header. For
these clients, select to tag email message subject lines instead.
FortiGuard AntiSpam Select one or more check boxes to enable protocols (IMAP,
POP3, SMTP), then apply the options that you need:
IP address check Select to enable the FortiGuard AntiSpam filtering IP address
blacklist.
URL check Select to enable the FortiGuard AntiSpam spam filtering URL
blacklist.
E-mail checksum check Select to enable the FortiGuard Antispam email message
checksum blacklist.
Tag Location Select to affix the tag to the subject or MIME header of the
email identified as spam.
If you select to affix the tag to the subject line, the FortiGate
unit will convert the entire subject line, including tag, to
UTF-8 by default. This improves display for some email
clients that cannot properly display subject lines that use
more than one encoding. For details on preventing
conversion of subject line to UTF-8, see the “System
Settings” chapter of the FortiGate CLI Reference.
To affix the tag to the MIME header, you must enable
spamhdrcheck in the CLI for each protocol (IMAP, SMTP,
and POP3). For more information see “profile” in the
FortiGate CLI Reference.
IPS options
You can apply IPS sensor options through a protection profile.
To configure IPS options, go to Firewall > Protection Profile. Select Create New
to add a protection profile, or the Edit icon beside an existing protection profile.
Then select the Expand Arrow beside IPS, enter the information as described
below, and select OK.
For more information on IPS, see “Intrusion Protection” on page 463.
The FortiGate unit only allows one sixteenth of its memory for transferring content
archive files. For example, on a FortiGate unit with 128 MB of RAM, only 8 MB of
memory is used when transferring content archive files. Because of these memory
constraints, it is recommended not to enable full content archiving if antivirus
scanning is also configured.
You can store content archives locally, if your FortiGate unit has a hard drive, or
remotely, on a FortiAnalyzer unit or FortiGuard Analysis and Management
Service, provided that the FortiAnalyzer unit or FortiGuard Analysis and
Management Service is first configured. For instructions on configuring and
viewing remotely stored content archives, see “Logging to a FortiAnalyzer unit” on
page 529 and “Content Archive” on page 545.
To configure Content Archive options, go to Firewall > Protection Profile. Select
Create New to add a protection profile, or the Edit icon beside an existing
protection profile. Then select the Expand Arrow beside Content Archive, enter
the information as described below, and select OK.
Email Protocols
IM Protocols
Display content meta-information on the system dashboard (Email) For each protocol, select whether or not to display the
content archive summary in the Statistics section of the
dashboard.
For details on the dashboard display, see “Statistics” on
page 75.
Archive SPAMed emails to FortiAnalyzer/FortiGuard For each email protocol, select to include spam email
messages in content archives sent to the FortiAnalyzer unit
or FortiGuard Analysis and Management Service.
By default, the FortiGate unit sends content archives of
non-spam email messages only, omitting spam.
Display content meta-information on the system dashboard (IM protocols) For each protocol, select whether or not to display the
content archive summary in the Statistics section of the
dashboard. Note that you need to enable inspection of the
IM protocols by selecting them in the IM/P2P options before
selecting them in the content archive options.
Archive to FortiAnalyzer/FortiGuard For each protocol, select to send a full or partial content
archive to the FortiAnalyzer unit or FortiGuard Analysis and
Management Service, or to not send content archives.
In some cases, the FortiGate unit may not archive content,
or may not make a full content archive, regardless of your
selected option. This behavior varies by prerequisites for
each protocol. For more information, see “Content archiving
requirements and behavior” on page 377.
You can select this option only if a FortiAnalyzer unit or
FortiGuard Analysis and Management Service is
configured. For more information, see “Logging to a
FortiAnalyzer unit” on page 529.
None Do not send content archives.
Summary Content archive metadata only. Content metadata includes
information such as date and time, source and destination,
request and response size, and scan result.
Full Content archive both metadata and copies of files or
messages.
Archive IM to FortiAnalyzer/FortiGuard For each IM protocol, select to include IM messages in
content archives sent to the FortiAnalyzer unit or
FortiGuard Analysis and Management Service.
IM/P2P options
You can apply IM and P2P options through a protection profile.
Any changes to IM protection profile options made while IM users are logged in
will take effect only upon their next login. For example, you cannot use Block
Login to disconnect currently logged-in users.
For more IM configuration options, see “IM, P2P & VoIP” on page 515.
To configure IM/P2P options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside IM / P2P, enter the information as
described below, and select OK.
VoIP options
You can apply VoIP options through a protection profile. FortiGate units support
rate limiting for the following types of VoIP traffic:
• Session Initiation Protocol (SIP)
• Skinny Call Control Protocol (SCCP)
• Session Initiation Protocol for Instant Messaging and Presence Leveraging
Extensions (SIMPLE)
Rate limiting of these VoIP protocols can be used to protect the FortiGate unit and
your network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting
protects against SIP DoS attacks by limiting the number of SIP register and invite
requests that the FortiGate unit receives per second. Rate limiting protects
against SCCP DoS attacks by limiting the number of SCCP call setup messages
that the FortiGate unit receives per minute.
When VoIP rate limiting is enabled, if the FortiGate unit receives more messages
per second (or minute) than the configured rate, the extra messages are dropped.
If you are experiencing denial of service attacks from traffic using these VoIP
protocols you can enable VoIP rate limiting and limit the rates for your network.
Set the limits according to the amount of SIP and SCCP traffic that you expect
the FortiGate unit to be handling. You can adjust the settings if some calls are lost
or if the amount of SIP or SCCP traffic is affecting FortiGate unit performance.
From the CLI you can configure additional SIP, SCCP, as well as SIMPLE
extensions. For more information, see the description of the config sip,
config sccp, and config simple subcommands of the firewall profile
command in the FortiGate CLI Reference. You can also block SIMPLE sessions
by enabling block login for the SIMPLE IM/P2P protection profile option. See
“IM/P2P options” on page 378.
For more information about FortiGate SIP support see “SIP support” on page 383.
To configure VoIP options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside VoIP, enter the information as
described below, and select OK.
SIP Select to rate limit SIP traffic. Use SIP rate limiting to
prevent SIP DoS attacks by limiting the number of SIP
events accepted by the FortiGate unit.
SCCP Select to enable rate limiting for SCCP traffic.
Limit REGISTER Request (SIP only) Enter a rate limit for SIP REGISTER requests (per second,
per policy). If this option is set to zero (0), requests are not
limited.
Limit INVITE Request (SIP only) Enter a rate limit for SIP INVITE requests (per second, per
policy). If this option is set to zero (0), requests are not
limited.
Limit Call Setup (SCCP only) Enter a rate limit for SCCP call setup (calls per minute, per
client) between call clients and the call manager. If this
option is set to zero (0), setups are not limited.
Logging options
You can enable Logging options in a protection profile to write event log messages
when the options that you have enabled in this protection profile perform an
action. For example, if you enable Antivirus protection you could also enable the
Anti-virus > Viruses protection profile logging options to write an event log
message every time a virus is detected by this protection profile.
For more information about enabling and configuring event logs, see “Event log”
on page 536.
To configure Logging options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside Logging, enter the information as
described below, and select OK.
SIP support
The Session Initiation Protocol (SIP) is a signaling protocol used for establishing
and conducting multiuser calls over TCP/IP networks using any media. Due to the
complexity of the call setup, not every firewall can handle SIP calls correctly, even
if the firewall is stateful. The FortiGate unit SIP pre-defined service tracks and
scans SIP calls. The FortiGate unit can make all necessary adjustments, to both
the firewall state and call data, to ensure a seamless call is established through
the FortiGate unit regardless of its operation mode (NAT/Route or Transparent).
You can use protection profiles to control the SIP protocol and SIP call activity.
A statistical summary of SIP protocol activity is also available and makes
managing SIP use easy.
This section includes some high-level information about VoIP and SIP. It also
describes how FortiOS SIP support works and how to configure the key SIP
features. For more configuration information, see FortiGate CLI Reference.
The FortiGate unit supports the following SIP features:
• Stateful SIP tracking
• RTP Pinholing
• Request control
• Rate limiting
• Events logging
• Communication archiving
• NAT IP preservation
• Client connection control
• Register response acceptance
• Application Layer Gateway (ALG) control
Note: Some of the features described in this chapter are available for FortiOS Carrier only.
Figure: SIP call through a proxy server (step 4: Client B is notified of the incoming call by the proxy server and its phone rings; the RTP session then flows directly over the IP network)
When the SIP server operates in redirect mode (shown in Figure 228), the SIP
client sends its signaling request to a SIP server, which then looks up the
destination address. The SIP server returns the destination address to the
originator of the call, who uses it to signal the destination SIP client.
Figure 228: SIP call through a redirect server (step 5: Client B is notified of the incoming call by the redirect server and its phone rings; the RTP session then flows directly over the IP network)
The FortiGate unit can effectively secure VoIP solutions since it supports VoIP
protocols such as SIP, MGCP, and H.323, and associates state at the signaling
layer with packet flows at the media layer. Using SIP ALG controls, the FortiGate
unit understands the VoIP signaling protocols used in the network and can
dynamically open and close ports (pinholes) for each specific VoIP call to maintain
security.
The FortiGate Intrusion-prevention system (IPS) provides another strategic line of
defense, particularly against VoIP network predators. With its deep-packet
inspection capabilities, the FortiGate IPS can provide continuous surveillance
across multiple network sectors simultaneously, recognizing network traffic
expected within each and alerting network managers to malicious packets and
other protocol anomalies.
SIP NAT
The FortiGate unit supports network address translation (NAT) of SIP because the
FortiGate ALG can modify the SIP headers correctly.
Because of its complexity, this section uses scenarios to explain the FortiGate SIP
NAT support.
Figure: SIP phone connecting to a VIP across the Internet (addresses shown: 10.72.0.60, 10.72.0.57 and 217.233.122.132)
In this scenario, the SIP phone connects to a VIP (10.72.0.60). The FortiGate SIP
ALG translates the SIP contact header to 217.10.79.9. The FortiGate ALG will
open the RTP pinholes and manage NAT.
The FortiGate unit also supports a variation of this scenario - the RTP server hides
its real address.
Figure: RTP server hiding its real address (SIP server and RTP server 10.0.0.60 behind the public address 217.233.90.60, reached across the Internet)
In this scenario, a SIP phone connects to the Internet. The VoIP service provider
only publishes a single public IP (a VIP). The SIP phone would connect to the
FortiGate unit (217.233.90.60) and the FortiGate unit would translate the SIP
contact header to the SIP server (10.0.0.60). The SIP server would change the
SIP/SDP connection information (which tells the SIP phone which RTP IP it
should contact) also to 217.233.90.60.
Figure 232: Different source and destination NAT for SIP and RTP (RTP servers 192.168.0.21 - 192.168.0.23 and SIP server 10.0.0.60 behind the FortiGate unit; VIPs RTP-1 217.233.90.65, RTP-2 217.233.90.70 and SIP 217.233.90.60; across the Internet, the SIP phone 219.29.81.20 and the media gateway RTP server 219.29.81.10)
This scenario assumes there is a SIP server and a separate media gateway.
The SIP server is configured in such a way that the SIP phone (219.29.81.20) will
connect to 217.233.90.60. The media gateway (RTP server: 219.29.81.10) will
connect to 217.233.90.65.
What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP
contact header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2 The SIP server agrees to carry out RTP to 217.233.90.65.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be
opened.
You need to create a SIP triggering firewall policy (also called a ‘dummy’ policy)
for RTP so that the FortiGate ALG knows the ports to be opened. This requires
that RTP VIPs must be created, and firewall policies need to be created using
those VIPs.
4 RTP is sent to the RTP-VIP (217.233.90.65). The FortiGate ALG translates the
SIP contact header to 192.168.0.21.
Configuring SIP
You configure most SIP features through the CLI. You can also enable SIP
support, set two rate limits, enable SIP logging, and view SIP statistics using the
web-based manager.
SIP Select to enable SIP support and set rate limiting for SIP and SIMPLE
traffic.
Rate limiting SIP and SIMPLE traffic is useful for protecting a SIP server
inside a company. Most SIP servers have no integrated rate controls, so a
flood of INVITE or REGISTER requests can easily exhaust their resources.
Limit REGISTER Request Enter a rate limit for SIP REGISTER requests (per second, per policy).
If this option is set to zero (0), requests are not limited.
Limit INVITE Request Enter a rate limit for SIP INVITE requests (per second, per policy). If this
option is set to zero (0), requests are not limited.
In CLI, you can enable rate limiting for a more extensive range of SIP requests,
including ACK, INFO, NOTIFY, OPTIONS, PRACK, REFER, SUBSCRIBE, and
UPDATE. For more information, see FortiGate CLI Reference.
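The per-second, per-policy limits described here and under VoIP options (and the per-minute, per-client SCCP call setup limit) all follow the same pattern: count events in a sliding window and drop anything past the limit, with zero meaning unlimited. The following model is an added example, not FortiOS code, that illustrates that behaviour for both the REGISTER/INVITE limits and the SCCP limit. The policy name, client addresses and request trace in the tests are constructed; timestamps are passed in explicitly so the behaviour is reproducible.

```python
from collections import defaultdict, deque


class WindowRateLimiter:
    """Allow at most `limit` events per `window` seconds for each key.

    A limit of 0 disables limiting, matching the guide's "set to zero (0)" rule.
    """

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, now):
        if self.limit == 0:
            return True
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                    # forget events that have left the window
        if len(q) >= self.limit:
            return False                   # the extra message is dropped
        q.append(now)
        return True


class SipPolicyLimiter:
    """REGISTER and INVITE limits per second, per policy; other methods pass through."""

    def __init__(self, policy_name, register_limit, invite_limit):
        self.policy_name = policy_name
        self._limiters = {
            "REGISTER": WindowRateLimiter(register_limit, 1.0),
            "INVITE": WindowRateLimiter(invite_limit, 1.0),
        }

    def accept(self, request_line, now):
        method = request_line.split(" ", 1)[0].upper()
        limiter = self._limiters.get(method)
        if limiter is None:
            return True                    # not a limited method
        return limiter.allow(self.policy_name, now)


class SccpCallSetupLimiter:
    """SCCP call setup limit in calls per minute, per client address."""

    def __init__(self, calls_per_minute):
        self._limiter = WindowRateLimiter(calls_per_minute, 60.0)

    def accept(self, client_ip, now):
        return self._limiter.allow(client_ip, now)


def run_sip_trace(limiter, trace):
    """Feed (timestamp, request_line) pairs; return (accepted, dropped) counts."""
    accepted = dropped = 0
    for t, line in trace:
        if limiter.accept(line, t):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


# Constructed trace: eight REGISTERs inside one second, plus three INVITEs.
SAMPLE_TRACE = [(i / 10, "REGISTER sip:pbx.example.com SIP/2.0") for i in range(8)]
SAMPLE_TRACE += [(0.15, "INVITE sip:bob@pbx.example.com SIP/2.0") for _ in range(3)]


if __name__ == "__main__":
    limiter = SipPolicyLimiter("internal-to-dmz", register_limit=5, invite_limit=0)
    print("accepted, dropped:", run_sip_trace(limiter, sorted(SAMPLE_TRACE)))
```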
4 Select OK.
config firewall profile
edit <profile_name>
config sip
set status enable
set call-keepalive <integer>
end
end
Preserving NAT IP
In NAT operation mode, you can preserve the original source IP address in the
SDP i line. This allows the SIP server to parse this IP for billing purposes.
In CLI, type the following commands:
config firewall profile
edit <profile_name>
config sip
set status enable
set nat-trace enable
end
end
In addition, you can overwrite or append the SDP i line:
config firewall profile
edit <profile_name>
config sip
set status enable
set preserve-override {enable | disable}
end
end
where selecting enable removes the original source IP address from the SDP i
line and disable appends the address.
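The SIP NAT scenarios above and the nat-trace option on this page both come down to the ALG rewriting specific SIP headers and SDP lines while noting which RTP ports it must open. The function below is an added example, not the FortiGate ALG: it rewrites the Via and Contact headers and the SDP o= and c= lines from the phone's private address to the public address, records the RTP and RTCP pinholes from the m=audio line (assuming a one-to-one port mapping), recomputes Content-Length, and, when the constructed nat_trace flag is set, inserts an SDP i= line carrying the original source address, modelled on the nat-trace option. The INVITE and the addresses in it are constructed, reusing the guide's 192.168.0.21 and 217.233.90.65.

```python
import re


def _exact_ip(ip):
    # Match the address only as a whole token, so 192.168.0.21 does not hit 192.168.0.210.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def sip_alg_translate(message, private_ip, public_ip, nat_trace=False):
    """Rewrite a SIP request for source NAT and report the RTP pinholes to open.

    Returns (translated_message, pinholes); pinholes is a list of (public_ip, port)
    for the RTP port announced in the SDP m=audio line and its RTCP port (port + 1).
    """
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("SIP message has no header/body separator")
    pattern = _exact_ip(private_ip)

    head_lines = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = pattern.sub(public_ip, line)
        head_lines.append(line)

    pinholes = []
    body_lines = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = pattern.sub(public_ip, line)
        elif line.startswith("m=audio "):
            rtp_port = int(line.split()[1])
            pinholes += [(public_ip, rtp_port), (public_ip, rtp_port + 1)]
        body_lines.append(line)
        if nat_trace and line.startswith("s="):
            # Modelled on nat-trace: keep the original source IP in the SDP i line
            # (the i line follows s= in SDP ordering).
            body_lines.append(f"i={private_ip}")
    new_body = "\r\n".join(body_lines)

    # Content-Length must describe the rewritten body.
    head_lines = [
        f"Content-Length: {len(new_body.encode())}" if l.lower().startswith("content-length:") else l
        for l in head_lines
    ]
    return "\r\n".join(head_lines) + "\r\n\r\n" + new_body, pinholes


def content_length_matches(message):
    """True if the Content-Length header equals the actual body length."""
    head, _, body = message.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        if line.lower().startswith("content-length:"):
            return int(line.split(":", 1)[1]) == len(body.encode())
    return False


def build_sample_invite():
    """Constructed INVITE from a phone behind NAT (192.168.0.21) to the SIP VIP."""
    body = "\r\n".join([
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.168.0.21",
        "s=VoIP call",
        "c=IN IP4 192.168.0.21",
        "t=0 0",
        "m=audio 16384 RTP/AVP 0",
        "a=rtpmap:0 PCMU/8000",
    ]) + "\r\n"
    head = "\r\n".join([
        "INVITE sip:bob@217.233.90.60 SIP/2.0",
        "Via: SIP/2.0/UDP 192.168.0.21:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@192.168.0.21>;tag=1928301774",
        "To: <sip:bob@217.233.90.60>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@192.168.0.21:5060>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ])
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    translated, holes = sip_alg_translate(build_sample_invite(), "192.168.0.21", "217.233.90.65", nat_trace=True)
    print(translated)
    print("pinholes to open:", holes)
```

Only the Via and Contact headers and the SDP addresses are rewritten here; the From header keeps the private address, which is one of the reasons SIP behind NAT needs an ALG rather than plain packet-level translation.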
VPN IPSEC
This section provides information about Internet Protocol Security (IPSec) VPN
configuration options available through the web-based manager. FortiGate units
support both policy-based (tunnel-mode) and route-based (interface mode) VPNs.
Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN
User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is
configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• Overview of IPSec VPN configuration
• Policy-based versus route-based VPNs
• Auto Key
• Manual Key
• Internet browsing configuration
• Concentrator
• Monitor
Policy-based:
• Available in NAT/Route or Transparent mode.
• Requires a firewall policy with IPSEC action that specifies the VPN tunnel.
One policy controls connections in both directions.
• Supports DHCP over IPSec.
Route-based:
• Available only in NAT/Route mode.
• Requires only a simple firewall policy with ACCEPT action. A separate policy
is required for connections in each direction.
• Does not support DHCP over IPSec.
You create a policy-based VPN by defining an IPSEC firewall policy between two
network interfaces and associating it with the VPN tunnel (phase 1 or manual key)
configuration. You need only one firewall policy, even if either end of the VPN can
initiate a connection.
You create a route-based VPN by enabling IPSec interface mode when you create
the VPN phase 1 or manual key configuration. This creates a virtual IPSec
interface that is bound to the local interface you selected. You then define an
ACCEPT firewall policy to permit traffic to flow between the virtual IPSec interface
and another network interface. If either end of the VPN can initiate the connection,
you need two firewall policies, one for each direction.
Virtual IPSec interface bindings are shown on the network interfaces page. (Go to
System > Network > Interface.) The names of all tunnels bound to physical,
aggregate, VLAN, inter-VDOM link or wireless interfaces are displayed under their
associated interface names in the Name column. For more information, see
“Interfaces” on page 107. As with other interfaces, you can include a virtual IPSec
interface in a zone.
Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a
concentrator function. This is available only for policy-based VPNs, but you can
create the equivalent function for a route-based VPN in any of the following ways:
• Define a firewall policy between each pair of IPSec interfaces that you want to
concentrate. This can be time-consuming to maintain if you have many site-to-
site connections, since the number of policies required increases rapidly as the
number of spokes increases.
• Put all the IPSec interfaces into a zone and then define a single zone-to-zone
policy.
• Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must
be more than one IPSec interface in the zone.
For more information and an example, see the FortiGate IPSec VPN User Guide.
Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel
redundancy. You can configure several routes for the same IP traffic with different
route metrics. You can also configure the exchange of dynamic (RIP, OSPF, or
BGP) routing information through VPN tunnels. If the primary VPN connection
fails or the priority of a route changes through dynamic routing, an alternative
route will be selected to forward traffic through the redundant connection.
A simple way to provide failover redundancy is to create a backup IPSec
interface. You can do this in the CLI. For more information, including an example
configuration, see the monitor-phase1 keyword for the vpn ipsec phase1-interface
command in the FortiGate CLI Reference.
Routing
Optionally, through the CLI, you can define a specific default route for a virtual
IPSec interface. For more information, see the default-gw keyword for the
vpn ipsec phase1-interface command in the FortiGate CLI Reference.
Auto Key
You can configure two VPN peers (or a FortiGate dialup server and a VPN client)
to generate unique Internet Key Exchange (IKE) keys automatically during the
IPSec phase 1 and phase 2 exchanges.
When you define phase 2 parameters, you can choose any set of phase 1
parameters to set up a secure connection for the tunnel and authenticate the
remote peer.
Auto Key configuration applies to both tunnel-mode and interface-mode VPNs.
To configure an Auto Key VPN, go to VPN > IPSEC > Auto Key (IKE).
Create Phase 1: Create a new phase 1 tunnel configuration. For more information,
see “Creating a new phase 1 configuration” on page 396.
Create Phase 2: Create a new phase 2 configuration. For more information, see
“Creating a new phase 2 configuration” on page 401.
Peer Options: One or more of the following options are available to authenticate
VPN peers or clients, depending on the Remote Gateway and Authentication Method
settings.
Accept any peer ID: Accept the local ID of any remote VPN peer or client. The
FortiGate unit does not check identifiers (local IDs). You can set Mode to
Aggressive or Main.
You can use this option with RSA Signature authentication. But, for highest
security, you should configure a PKI user/group for the peer and set Peer
Options to Accept this peer certificate only.
Accept this peer ID: This option is available only if the remote peer has a
dynamic IP address. Enter the identifier that is used to authenticate the remote
peer. This identifier must match the identifier that the remote peer’s
administrator has configured.
If the remote peer is a FortiGate unit, the identifier is specified in the Local
ID field of the phase 1 configuration.
If the remote peer is a FortiClient dialup client, the identifier is specified in
the Local ID field, accessed by selecting Config in the Policy section of the
VPN connection’s Advanced Settings.
Accept peer ID in dialup group: Authenticate multiple FortiGate or FortiClient
dialup clients that use unique identifiers and unique pre-shared keys (or unique
pre-shared keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes. (For more
information, see “User groups” on page 435.) Select the group from the list next
to the Accept peer ID in dialup group option.
For more information about configuring FortiGate dialup clients, see the
FortiGate IPSec VPN User Guide. For more information about configuring
FortiClient dialup clients, see the Authenticating FortiClient Dialup Clients
Technical Note.
You must set Mode to Aggressive when the dialup clients use unique identifiers
and unique pre-shared keys. If the dialup clients use unique pre-shared keys
only, you can set Mode to Main if there is only one dialup phase 1 configuration
for this interface IP address.
Accept this peer certificate only: This option is available when Authentication
Method is set to RSA Signature.
Authenticate remote peers or dialup clients that use a security certificate.
Select the certificate from the list next to the option.
You must add peer certificates to the FortiGate configuration before you can
select them here. For more information, see “PKI authentication” on page 431.
Accept this peer certificate group only: This option is available when
Authentication Method is set to RSA Signature and Remote Gateway is set to
Dialup User.
Use a certificate group to authenticate dialup clients that have dynamic IP
addresses and use unique certificates.
Select the name of the peer group from the list. You must first create the group
through the config user peergrp CLI command before you can select it. For more
information, see the “user” chapter of the FortiGate CLI Reference. Members of
the peer group must be certificates added by using the config user peer CLI
command. You can also add peer certificates using the web-based manager. For
more information, see “PKI authentication” on page 431.
Advanced: Define advanced phase 1 parameters. For more information, see
“Defining phase 1 advanced settings” on page 399.
You can use a number of additional advanced phase 2 settings to enhance the
operation of the tunnel. To modify IPSec phase 2 advanced parameters, go to
VPN > IPSEC > Auto Key (IKE), select Create Phase 2, and then select Advanced.
For information about how to choose the correct advanced phase 2 settings for
your particular situation, see the FortiGate IPSec VPN User Guide.
Enable replay detection: Optionally enable or disable replay detection. Replay
attacks occur when an unauthorized party intercepts a series of IPSec packets
and replays them back into the tunnel.
Enable perfect forward secrecy (PFS): Enable or disable PFS. Perfect forward
secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange
whenever keylife expires.
DH Group: Select one Diffie-Hellman group (1, 2, or 5). This must match the DH
Group that the remote peer or dialup client uses.
Keylife: Select the method for determining when the phase 2 key expires:
Seconds, KBytes, or Both. If you select Both, the key expires when either the
time has passed or the number of KB has been processed. The range is from 120
to 172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Alive: Select the check box if you want the tunnel to remain active
when no data is being processed.
DHCP-IPSec: This is available only for tunnel mode phase 2 configurations
associated with a dialup phase 1 configuration.
Select the check box if the FortiGate unit acts as a dialup server and will use
FortiGate DHCP relay to assign VIP addresses to FortiClient dialup clients. You
must configure the DHCP relay parameters separately. For more information, see
“System DHCP” on page 161.
If the FortiGate unit acts as a dialup server and you manually assigned
FortiClient dialup clients VIP addresses that match the network behind the
dialup server, selecting the check box will cause the FortiGate unit to act as a
proxy for the dialup clients.
Note: You can configure settings so that VPN users can browse the Internet through the
FortiGate unit. For more information, see “Internet browsing configuration” on page 407.
Quick Mode Optionally specify the source and destination IP addresses to be used as
Selector selectors for IKE negotiations. If the FortiGate unit is a dialup server, you
should keep the default value 0.0.0.0/0 unless you need to circumvent
problems caused by ambiguous IP addresses between one or more of
the private networks making up the VPN. You can specify a single host IP
address, an IP address range, or a network address. You may optionally
specify source and destination port numbers and a protocol number.
If you are editing an existing phase 2 configuration, the Source address
and Destination address fields are unavailable if the tunnel has been
configured to use firewall addresses as selectors. This option exists only
in the CLI. For more information, see the dst-addr-type, dst-name,
src-addr-type and src-name keywords for the vpn ipsec
phase2 command in the FortiGate CLI Reference.
Source address If the FortiGate unit is a dialup server, type the
source IP address that corresponds to the local
senders or network behind the local VPN peer (for
example, 172.16.5.0/24 or
172.16.5.0/255.255.255.0 for a subnet, or
172.16.5.1/32 or
172.16.5.1/255.255.255.255 for a server or
host, or 192.168.10.[80-100] or
192.168.10.80-192.168.10.100 for an
address range). A value of 0.0.0.0/0 means all IP
addresses behind the local VPN peer.
If the FortiGate unit is a dialup client, source address
must refer to the private network behind the
FortiGate dialup client.
Source port Type the port number that the local VPN peer uses to
transport traffic related to the specified service
(protocol number). The range is from 0 to 65535. To
specify all ports, type 0.
Manual Key
If required, you can manually define cryptographic keys for establishing an IPSec
VPN tunnel. You would define manual keys in situations where:
• You require prior knowledge of the encryption or authentication key (that is,
one of the VPN peers requires a specific IPSec encryption or authentication
key).
• You need to disable encryption and authentication.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you
define manual keys by going to VPN > IPSEC > Manual Key instead.
Note: You should use manual keys only if it is unavoidable. There are potential difficulties in
keeping keys confidential and in propagating changed keys to remote VPN peers in a
secure manner.
For general information about how to configure an IPSec VPN, see the FortiGate
IPSec VPN User Guide.
Create New: Create a new manual key configuration. See “Creating a new manual
key configuration” on page 405.
Tunnel Name: The names of existing manual key configurations.
Remote Gateway: The IP addresses of remote peers or dialup clients.
Encryption Algorithm: The names of the encryption algorithms specified in the
manual key configurations.
Authentication Algorithm: The names of the authentication algorithms specified
in the manual key configurations.
Delete and Edit icons: Delete or edit a manual key configuration.
Caution: If you are not familiar with the security policies, SAs, selectors, and
SA databases for your particular installation, do not attempt the following
procedure without qualified assistance.
To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key
and select Create New.
Name: Type a name for the VPN tunnel. The maximum name length is 15 characters
for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that
represents the SA that handles outbound traffic on the local FortiGate unit. The
valid range is from 0x100 to 0xffffffff. This value must match the Remote SPI
value in the manual key configuration at the remote peer.
Remote SPI: Type a hexadecimal number (up to 8 characters, 0-9, a-f) that
represents the SA that handles inbound traffic on the local FortiGate unit. The
valid range is from 0x100 to 0xffffffff. This value must match the Local SPI
value in the manual key configuration at the remote peer.
Remote Gateway: Type the IP address of the public interface to the remote peer.
The address identifies the recipient of ESP datagrams.
Local Interface: This option is available in NAT/Route mode only. Select the
name of the interface to which the IPSec tunnel will be bound. The FortiGate
unit obtains the IP address of the interface from the network interface
settings. For more information, see “Interfaces” on page 107.
Encryption Algorithm: Select one of the following symmetric-key encryption
algorithms:
• DES - Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit
key.
• 3DES - Triple-DES, in which plain text is encrypted three times by three keys.
• AES128 - a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a
128-bit key.
• AES192 - a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a
192-bit key.
• AES256 - a 128-bit block Cipher Block Chaining (CBC) algorithm that uses a
256-bit key.
Note: The algorithms for encryption and authentication cannot both be NULL.
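Because manual keys are typed independently at both ends, most failures are transposed SPIs or mismatched keys rather than anything cryptographic. The Python below is an added example, not FortiGate code, that checks a pair of configurations against the rules stated above: SPI syntax and range, each peer's Local SPI equal to the other's Remote SPI, encryption and authentication not both NULL, and a hex key of the length the chosen cipher requires. The key lengths used (DES 8 bytes, 3DES 24, AES128 16, AES192 24, AES256 32) are the standard key sizes for those ciphers; that the key is typed as hex digits of the full key, and that a 0x prefix on an SPI is accepted, are assumptions of this example. Gateway addresses and keys are constructed sample values.

```python
"""Consistency checks for a pair of IPsec manual-key configurations.

Added example, not FortiGate code. Encodes the rules the Manual Key table
states: an SPI is up to 8 hex digits in 0x100..0xffffffff, each peer's
Local SPI must equal the other peer's Remote SPI, and encryption and
authentication cannot both be NULL. Key lengths are the standard sizes for the
listed ciphers; treating the typed key as hex digits of the whole key, and
accepting an optional 0x prefix on SPIs, are assumptions of this example.
"""
import re

KEY_BYTES = {"null": 0, "des": 8, "3des": 24, "aes128": 16, "aes192": 24, "aes256": 32}
SPI_RE = re.compile(r"^(?:0x)?([0-9a-f]{1,8})$", re.IGNORECASE)
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF

# Constructed sample: the two ends of one tunnel, as an administrator would type them.
PEER_A = {"name": "hq", "local_spi": "0x1001", "remote_spi": "0x1002",
          "remote_gateway": "203.0.113.2", "encryption": "AES128",
          "encryption_key": "00112233445566778899aabbccddeeff", "authentication": "SHA1"}
PEER_B = {"name": "branch", "local_spi": "1002", "remote_spi": "1001",
          "remote_gateway": "203.0.113.1", "encryption": "aes128",
          "encryption_key": "00112233445566778899aabbccddeeff", "authentication": "sha1"}


def parse_spi(text):
    """Return the SPI as an int; raise ValueError when malformed or out of range."""
    m = SPI_RE.match(text.strip())
    if not m:
        raise ValueError(f"SPI {text!r} is not 1-8 hex digits")
    value = int(m.group(1), 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {text!r} is outside 0x100..0xffffffff")
    return value


def spi_is_valid(text):
    """Boolean form of parse_spi for quick checks."""
    try:
        parse_spi(text)
        return True
    except ValueError:
        return False


def validate_peer(cfg):
    """Return the list of problems in one peer's manual key settings (empty = OK)."""
    problems = []
    for field in ("local_spi", "remote_spi"):
        try:
            parse_spi(cfg[field])
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
    enc, auth = cfg["encryption"].lower(), cfg["authentication"].lower()
    if enc == "null" and auth == "null":
        problems.append("encryption and authentication cannot both be NULL")
    key = cfg.get("encryption_key", "")
    expected = KEY_BYTES.get(enc)
    if expected is None:
        problems.append(f"unknown encryption algorithm {cfg['encryption']!r}")
    elif len(key) != expected * 2:
        problems.append(f"{enc} needs {expected * 2} hex digits of key")
    elif not re.fullmatch(r"[0-9a-fA-F]*", key):
        problems.append("encryption key must be hex digits")
    return problems


def validate_pair(a, b):
    """Per-peer problems plus the cross-checks between the two ends of the tunnel."""
    problems = [f"{a['name']}: {p}" for p in validate_peer(a)]
    problems += [f"{b['name']}: {p}" for p in validate_peer(b)]
    if problems:
        return problems                    # cross-checks need two well-formed configs
    if parse_spi(a["local_spi"]) != parse_spi(b["remote_spi"]):
        problems.append(f"{a['name']} Local SPI must equal {b['name']} Remote SPI")
    if parse_spi(a["remote_spi"]) != parse_spi(b["local_spi"]):
        problems.append(f"{a['name']} Remote SPI must equal {b['name']} Local SPI")
    if a["encryption"].lower() != b["encryption"].lower():
        problems.append("encryption algorithms differ between the peers")
    if a["encryption_key"].lower() != b["encryption_key"].lower():
        problems.append("encryption keys differ between the peers")
    return problems


if __name__ == "__main__":
    print(validate_pair(PEER_A, PEER_B) or "both ends consistent")
```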
Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of
remote peers radiate from a single, central FortiGate unit. Site-to-site connections
between the remote peers do not exist; however, you can establish VPN tunnels
between any two of the remote peers through the FortiGate unit “hub”.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that
connect to the hub are known as “spokes”. The hub functions as a concentrator
on the network, managing all VPN connections between the spokes. VPN traffic
passes from one tunnel to the other through the hub.
You define a concentrator to include spokes in the hub-and-spoke configuration.
Monitor
You can use the monitor to view activity on IPSec VPN tunnels and start or stop
those tunnels. The display provides a list of addresses, proxy IDs, and timeout
information for all active tunnels, including tunnel mode and route-based
(interface mode) tunnels.
You can use filters to control the information displayed in the list. For more
information, see “Adding filters to web-based manager lists” on page 58.
To view active tunnels, go to VPN > IPSEC > Monitor.
For Dialup VPNs, the list provides status information about the VPN tunnels
established by dialup clients, including their IP addresses. The number of tunnels
shown in the list can change as dialup clients connect and disconnect.
For Static IP or dynamic DNS VPNs, the list provides status and IP addressing
information about VPN tunnels, active or not, to remote peers that have static IP
addresses or domain names. You can also start and stop individual tunnels from
the list.
VPN PPTP
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers.
Windows or Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit
that has been configured to act as a PPTP server. As an alternative, you can
configure the FortiGate unit to forward PPTP packets to a PPTP server on the
network behind the FortiGate unit.
PPTP VPN is available only in NAT/Route mode. The current maximum number of
PPTP sessions is 254.
This section explains how to use the web-based manager to specify a range of IP
addresses for PPTP clients. For information about how to perform other related
PPTP VPN setup tasks, see the FortiGate PPTP VPN User Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN PPTP is
configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
PPTP Range
The PPTP address range is the range of addresses reserved for remote PPTP
clients. When the remote PPTP client establishes a connection, the FortiGate unit
assigns an IP address from a reserved range of IP addresses to the client PPTP
interface. The PPTP client uses the assigned IP address as its source address for
the duration of the connection.
To enable PPTP and specify the PPTP address range, go to VPN > PPTP >
PPTP Range, select the required options, and then select Apply.
Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet,
e.g. 192.168.1.1 - 192.168.1.254.
Enable PPTP: Select to enable PPTP. You must add a user group before you can
select the option. See “User groups” on page 435.
Starting IP: Type the starting address in the range of reserved IP addresses.
Ending IP: Type the ending address in the range of reserved IP addresses.
User Group: Select the name of the PPTP user group that you defined.
Disable PPTP: Select the option to disable PPTP support.
VPN SSL
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that
can be used with a standard Web browser. SSL VPN does not require the
installation of specialized client software on end users’ computers, and is ideal for
applications including web-based email, business and government directories, file
sharing, remote backup, remote system management, and consumer-level
electronic commerce.
The two modes of SSL VPN operation (supported in NAT/Route mode only) are:
• web-only mode, for thin remote clients equipped with a web-browser only.
• tunnel mode, for remote computers that run a variety of client and server
applications.
When the FortiGate unit provides services in web-only mode, a secure connection
between the remote client and the FortiGate unit is established through the SSL
VPN security in the FortiGate unit and the SSL security in the web browser. After
the connection has been established, the FortiGate unit provides access to
selected services and network resources through a web portal.
When users have complete administrative rights over their computers and use a
variety of applications, tunnel mode allows remote clients to access the local
internal network as if they were connected to the network directly.
This section provides information about the features of SSL VPN available for
configuration in the web-based manager. Only FortiGate units that run in
NAT/Route mode support the SSL VPN feature.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN SSL is
configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
Note: For detailed instructions about how to configure web-only mode or tunnel-mode
operation, see the FortiGate SSL VPN User Guide.
ssl.root
The FortiGate unit has a virtual SSL VPN interface called ssl.<vdom_name>. The
root VDOM, called ssl.root, appears in the firewall policy interface lists and static
route interface lists. You can use the ssl.root interface to allow access to
additional networks and facilitate a connected user’s ability to browse the Internet
through the FortiGate unit.
The SSL VPN tunnel-mode access requires the following firewall policies:
• External > Internal, with the action set to SSL, with an SSL user group
• ssl.root > Internal, with the action set to Accept
• Internal > ssl.root, with the action set to Accept.
Access also requires a new static route: Destination network - <ssl tunnel mode
assigned range> interface ssl.root.
If you are configuring Internet access through an SSL VPN tunnel, you must add
the following configuration: ssl.root > External, with the action set to Accept, NAT
enabled.
Note: If required, you can enable SSL version 2 encryption (for compatibility with older
browsers) through a FortiGate CLI command. For more information, see the ssl
settings command in the “vpn” chapter of the FortiGate CLI Reference.
To enable and configure SSL VPN, go to VPN > SSL > Config.
Bookmark Name: The types and names of links to remote server applications and
network services.
Link: The URL, host, or folder of the bookmark link.
Delete and Edit icons: Delete or edit an entry in the list.
Bookmark Name: Type the text to display in the hyperlink. The name is displayed
in the Bookmarks list.
Application Type: Select the abbreviated name of the server application or
network service from the drop-down list:
• Web
• Telnet
• FTP
• SMB/CIFS
• VNC
• RDP
• SSH
URL/Host/Folder: Type the information that the FortiGate unit needs to forward
client requests to the correct server application or network service:
• If the application type is Web, type the URL of the web server (for example,
www.example.com).
• If the application type is Telnet, type the IP address of the telnet host (for
example, 10.10.10.10).
• If the application type is FTP, type the IP address of the FTP host as a root
directory/folder (for example, //server/folder/).
• If the application type is SMB/CIFS, type the IP address of the SMB host and
the root directory/folder associated with your account (for example,
//server/folder/).
• If the application type is VNC, type the IP address of the VNC host (for
example, 10.10.10.10).
• If the application type is RDP, type the IP address of the RDP host (for
example, 10.10.10.10).
• If the application type is SSH, type the IP address of the SSH host (for
example, 10.10.10.10).
Name: Type the name of the bookmark group. The name will be displayed in the
Bookmark Group list.
Available Bookmarks: The list of bookmarks available for inclusion in the
bookmark group. Lists bookmarks under the appropriate category (FTP, RDP, SMB,
Telnet, VNC, Web, or SSH).
Used Bookmarks: The list of bookmarks that belong to the bookmark group.
Right Arrow: Add a bookmark to the Used Bookmarks list. Select a bookmark in the
Available Bookmarks list and then select the Right Arrow to move it to the Used
Bookmarks list.
Left Arrow: Remove a bookmark from the Used Bookmarks list. Select a bookmark in
the Used Bookmarks list and then select the Left Arrow to move it to the
Available Bookmarks list.
Create New: Select to create a new bookmark for inclusion in the Available
Bookmarks list.
User Authentication
This section explains how to set up user accounts, user groups, and external
authentication servers. You can use these components of user authentication to
control access to network resources.
If you enable virtual domains (VDOMs) on the FortiGate unit, user authentication
is configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• Configuring user authentication
• Local user accounts
• Remote authentication
• RADIUS servers
• LDAP servers
• TACACS+ servers
• PKI authentication
• Directory Service servers
• User groups
• Authentication settings
For each network resource that requires authentication, you specify which user
groups are permitted access to the network. There are three types of user groups:
Firewall, Directory Service, and SSL VPN. See “Firewall user groups” on
page 436, “Directory Service user groups” on page 437, and “SSL VPN user
groups” on page 437.
Note: Deleting the user name deletes the authentication configured for the user.
Remote authentication
Remote authentication is generally used to ensure that employees working offsite
can remotely access their corporate network with appropriate security measures
in place. In general terms, authentication is the process of attempting to verify the
(digital) identity of the sender of a communication such as a login request. The
sender may be someone using a computer, the computer itself, or a computer
program. Since a computer system should be used only by those who are
authorized to do so, there must be a measure in place to detect and exclude any
unauthorized access.
On a FortiGate unit, you can control access to network resources by defining lists
of authorized users, called user groups. To use a particular resource, such as a
network or VPN tunnel, the user must:
• belong to one of the user groups that is allowed access
• correctly enter a user name and password to prove his or her identity, if asked
to do so.
RADIUS servers
Remote Authentication and Dial-in User Service (RADIUS) servers provide
authentication, authorization, and accounting functions. FortiGate units use the
authentication function of the RADIUS server. To use the RADIUS server for
authentication, you must configure the server before you configure the FortiGate
users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate
using a RADIUS server, the FortiGate unit sends the user’s credentials to the
RADIUS server for authentication. If the RADIUS server can authenticate the
user, the user is successfully authenticated with the FortiGate unit. If the RADIUS
server cannot authenticate the user, the FortiGate unit refuses the connection.
You can override the default authentication scheme by selecting a specific
authentication protocol or changing the default port for RADIUS traffic.
Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645,
use the CLI to change the default RADIUS port. For more information, see the config
system global command in the FortiGate CLI Reference.
To view the list of RADIUS servers, go to User > Remote > RADIUS.
Create New: Add a new RADIUS server. The maximum number is 10.
Name: The name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP: The domain name or IP address of the RADIUS server.
Delete icon: Delete a RADIUS server configuration. You cannot delete a RADIUS
server that has been added to a user group.
Edit icon: Edit a RADIUS server configuration.
Name: Enter the name that is used to identify the RADIUS server on the FortiGate
unit.
Primary Server Name/IP: Enter the domain name or IP address of the primary
RADIUS server.
Primary Server Secret: Enter the RADIUS server secret key for the primary RADIUS
server. The primary server secret key should be a maximum of 16 characters in
length.
Secondary Server Name/IP: Enter the domain name or IP address of the secondary
RADIUS server, if you have one.
Secondary Server Secret: Enter the RADIUS server secret key for the secondary
RADIUS server. The secondary server secret key should be a maximum of 16
characters in length.
Authentication Scheme: Select Use Default Authentication Scheme to authenticate
with the default method. The default authentication scheme uses PAP,
MS-CHAP-V2, and CHAP, in that order.
Select Specify Authentication Protocol to override the default authentication
method, and choose the protocol from the list: MS-CHAP-V2, MS-CHAP, CHAP, or
PAP, depending on what your RADIUS server needs.
NAS IP/Called Station ID: Enter the NAS IP address and Called Station ID (for
more information about RADIUS Attribute 31, see RFC 2548 Microsoft
Vendor-specific RADIUS Attributes). If you do not enter an IP address, the IP
address that the FortiGate interface uses to communicate with the RADIUS server
will be applied.
Include in every User Group: Select to have the RADIUS server automatically
included in all user groups.
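The server secret above is the only thing protecting a user's password on the wire when the scheme falls back to PAP. The Python below is an added example, not FortiGate code, that builds an Access-Request exactly as RFC 2865 defines it: the User-Password attribute is the password XORed, 16 bytes at a time, with MD5(secret || Request Authenticator), so the same secret decodes it. The user name, password, secret and NAS address are constructed sample values; the 16-character limit on the secret and port 1812 are taken from the text above. Decoding the same capture with a wrong secret shows why each RADIUS client should have its own long secret and why the Request Authenticator must be unpredictable.

```python
"""RADIUS Access-Request with a PAP User-Password, as RFC 2865 defines it.

Added example, not FortiGate code. It shows what the Primary Server Secret
protects: the password is hidden only by XOR with MD5(secret || Request
Authenticator), so anyone who knows (or guesses) the secret recovers it from a
capture. User, password, secret and NAS address are constructed sample values.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
RADIUS_AUTH_PORT = 1812        # default named on the page; 1645 is the legacy port


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encode_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: c1 = p1 XOR MD5(S+RA), c_i = p_i XOR MD5(S + c_{i-1})."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password is 1..128 bytes")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")  # pad to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decode_pap_password(blob, secret, authenticator):
    """Inverse of encode_pap_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += xor_bytes(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One Type-Length-Value triple; Length counts the two header bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). secret is the shared secret as str."""
    if not 1 <= len(secret) <= 16:
        raise ValueError("this unit expects a secret of at most 16 characters")
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    secret_b = secret.encode()
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         encode_pap_password(password.encode(), secret_b, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def parse_attributes(packet):
    """Return {type: value} from a RADIUS packet, checking the framing as a server would."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("Length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 3 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    pkt, ra = build_access_request(7, "alice", "s3cret!", "testing123", "192.0.2.1")
    got = parse_attributes(pkt)
    print("right secret :", decode_pap_password(got[ATTR_USER_PASSWORD], b"testing123", ra))
    print("wrong secret :", decode_pap_password(got[ATTR_USER_PASSWORD], b"guess", ra))
```

Nothing in the Access-Request itself authenticates the client to the server; only the Access-Accept/Reject carries a Response Authenticator keyed with the secret. That is why the secret length and uniqueness per client matter more than the PAP/CHAP choice, and why RADIUS traffic belongs on a management network rather than a shared segment.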
LDAP servers
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to
maintain authentication data that may include departments, people, groups of
people, passwords, email addresses, and printers. LDAP consists of a
data-representation scheme, a set of defined operations, and a request/response
network.
If you have configured LDAP support and require a user to authenticate using an
LDAP server, the FortiGate unit contacts the LDAP server for authentication. To
authenticate with the FortiGate unit, the user enters a user name and password.
The FortiGate unit sends this user name and password to the LDAP server. If the
LDAP server can authenticate the user, the FortiGate unit successfully
authenticates the user. If the LDAP server cannot authenticate the user, the
FortiGate unit refuses the connection.
The FortiGate unit supports LDAP protocol functionality defined in
RFC 2251: Lightweight Directory Access Protocol v3, for looking up and validating
user names and passwords. FortiGate LDAP supports all LDAP servers compliant
with LDAP v3. In addition, FortiGate LDAP supports LDAP over SSL/TLS. To
configure SSL/TLS authentication, refer to the FortiGate CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as
notification of password expiration, that is available from some LDAP servers. Nor
does the FortiGate LDAP supply information to the user about why authentication
failed.
To view the list of LDAP servers, go to User > Remote > LDAP.
Create New: Add a new LDAP server. The maximum number is 10.
Name: The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP: The domain name or IP address of the LDAP server.
Port: The TCP port used to communicate with the LDAP server.
Common Name Identifier: The common name identifier for the LDAP server. Most
LDAP servers use cn. However, some servers use other common name identifiers
such as uid.
Distinguished Name: The distinguished name used to look up entries on the LDAP
servers. The distinguished name reflects the hierarchy of LDAP database object
classes above the common name identifier.
Delete icon: Delete the LDAP server configuration.
Edit icon: Edit the LDAP server configuration.
To add an LDAP server, go to User > Remote > LDAP and select Create New.
Enter the information below and select OK.
Name Enter the name that identifies the LDAP server on the FortiGate
unit.
Server Name/IP Enter the domain name or IP address of the LDAP server.
Server Port Enter the TCP port used to communicate with the LDAP server.
By default, LDAP uses port 389.
If you use a secure LDAP server, the default port changes when
you select Secure Connection.
Common Name Enter the common name identifier for the LDAP server. The
Identifier maximum number of characters is 20.
Distinguished Name Enter the base distinguished name for the server using the
correct X.500 or LDAP format. The FortiGate unit passes this
distinguished name unchanged to the server. The maximum
number of characters is 512.
Query icon View the LDAP server Distinguished Name Query tree for the
LDAP server that you are configuring so that you can cross-
reference to the Distinguished Name.
For more information, see “Using Query”.
Bind Type Select the type of binding for LDAP authentication.
Regular Connect to the LDAP server directly with user name/password,
then receive accept or reject based on search of given values.
Anonymous Connect as an anonymous user on the LDAP server, then
retrieve the user name/password and compare them to given
values.
Simple Connect directly to the LDAP server with user name/password
authentication.
Filter Enter the filter to use for group searching. Available if Bind Type
is Regular or Anonymous.
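The difference between the three bind types is easier to see in code. The following is an added example, not FortiGate code and not a real LDAP client: an in-memory model in which Simple composes the user's DN from the Common Name Identifier, the user name and the base DN and binds as that user; Regular binds with a configured service account and then searches for the user; and Anonymous searches without any bind. The directory entries, DNs, passwords and the service account (cn=fortigate-svc) are constructed, and the group filter is reduced to a single group DN that the user must belong to, where a real filter is an LDAP filter expression. The model also shows why the Common Name Identifier matters: with cn configured against a directory that names its users with uid, the Simple bind looks for a DN that does not exist.

```python
# Added example, not FortiGate code: an in-memory model of the Simple, Regular
# and Anonymous LDAP bind types. The directory, DNs and passwords are constructed.
from dataclasses import dataclass

# Constructed directory: DN -> attributes. Passwords sit here in clear only
# because this is a toy; a real server verifies binds and never returns them.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice", "userPassword": "alice-pw",
        "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": "bob", "userPassword": "bob-pw", "memberOf": []},
    "cn=fortigate-svc,ou=services,dc=example,dc=com": {
        "cn": "fortigate-svc", "userPassword": "svc-pw", "memberOf": []},
}


class ToyLdapServer:
    """Just enough of an LDAP server for the three bind types."""

    def bind(self, dn, password):
        # A bind succeeds only for an existing DN with the right password.
        entry = DIRECTORY.get(dn)
        return entry is not None and entry["userPassword"] == password

    def search(self, base_dn, attr, value):
        # Subtree search below base_dn for attr=value; returns the matching DNs.
        return [dn for dn, e in DIRECTORY.items()
                if dn.endswith("," + base_dn) and e.get(attr) == value]


@dataclass
class LdapServerConfig:
    cnid: str               # Common Name Identifier: cn on most servers, uid on some
    dn: str                 # base Distinguished Name, passed to the server unchanged
    bind_type: str          # "simple", "regular" or "anonymous"
    bind_dn: str = ""       # service account DN, used by Regular bind only
    bind_password: str = ""
    group_filter: str = ""  # simplified filter: a group DN the user must belong to


def authenticate(server, cfg, username, password):
    """Return True if username/password are accepted under cfg's bind type."""
    if cfg.bind_type == "simple":
        # Simple: compose the user's DN and bind as that user directly.
        # There is no search, so cnid must be the attribute the server actually uses.
        return server.bind(f"{cfg.cnid}={username},{cfg.dn}", password)

    if cfg.bind_type == "regular":
        # Regular: bind with the configured service account first...
        if not server.bind(cfg.bind_dn, cfg.bind_password):
            return False
    # ...then (Regular and Anonymous alike) search for the user under the base DN.
    # Anonymous skips the service bind and searches without credentials.
    matches = server.search(cfg.dn, cfg.cnid, username)
    if len(matches) != 1:
        return False  # unknown user, or an ambiguous entry: reject
    user_dn = matches[0]
    # Group filter (Regular/Anonymous only): the entry must be in the group.
    if cfg.group_filter and cfg.group_filter not in DIRECTORY[user_dn]["memberOf"]:
        return False
    # Finally verify the password by binding as the user that was found.
    return server.bind(user_dn, password)


BASE_DN = "dc=example,dc=com"
SIMPLE_UID = LdapServerConfig(cnid="uid", dn="ou=people," + BASE_DN, bind_type="simple")
SIMPLE_CN = LdapServerConfig(cnid="cn", dn="ou=people," + BASE_DN, bind_type="simple")
REGULAR = LdapServerConfig(cnid="uid", dn=BASE_DN, bind_type="regular",
                           bind_dn="cn=fortigate-svc,ou=services," + BASE_DN,
                           bind_password="svc-pw",
                           group_filter="cn=vpn-users,ou=groups," + BASE_DN)
ANONYMOUS = LdapServerConfig(cnid="uid", dn=BASE_DN, bind_type="anonymous")

if __name__ == "__main__":
    srv = ToyLdapServer()
    print("simple/uid alice:", authenticate(srv, SIMPLE_UID, "alice", "alice-pw"))  # True
    print("simple/cn  alice:", authenticate(srv, SIMPLE_CN, "alice", "alice-pw"))   # False: wrong cnid
    print("regular    alice:", authenticate(srv, REGULAR, "alice", "alice-pw"))     # True
    print("regular    bob  :", authenticate(srv, REGULAR, "bob", "bob-pw"))         # False: not in group
    print("anonymous  bob  :", authenticate(srv, ANONYMOUS, "bob", "bob-pw"))       # True
```

Run it directly to print the five outcomes. Note that Regular rejects bob even with the right password because the group filter is not satisfied, and that Simple never consults the group filter at all, which is why the Filter field is offered only for Regular and Anonymous.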
Using Query
The LDAP Distinguished Name Query list displays the LDAP Server IP address,
and all the distinguished names associated with the Common Name Identifier for
the LDAP server. The tree helps you to determine the appropriate entry for the DN
field. To see the distinguished name associated with the Common Name identifier,
select the Expand Arrow beside the CN identifier and then select the DN from the
list. The DN you select is displayed in the Distinguished Name field. Select OK to
save your selection in the Distinguished Name field of the LDAP Server
configuration.
To see the users within the LDAP Server user group for the selected
Distinguished Name, select the Expand arrow beside the Distinguished Name in
the LDAP Distinguished Name Query tree.
TACACS+ servers
In recent years, remote network access has shifted from terminal access to LAN
access. Users connect to their corporate network (using notebooks or home PCs)
with computers that use complete network connections and have the same level
of access to the corporate network resources as if they were physically in the
office. These connections are made through a remote access server. As remote
access technology has evolved, the need for network access security has
become increasingly important.
Create New: Add a new TACACS+ server. The maximum number is 10.
Server: The server domain name or IP address of the TACACS+ server.
Authentication Type: The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon: Delete this TACACS+ server.
Edit icon: Edit this TACACS+ server.
PKI authentication
Public Key Infrastructure (PKI) authentication utilizes a certificate authentication
library that takes a list of peers, peer groups, and/or user groups and returns
authentication successful or denied notifications. Users need only a valid
certificate for successful authentication; no user name or password is
necessary. Firewall and SSL VPN are the only user groups that can use PKI
authentication.
For more information about certificate authentication, see the FortiGate Certificate
Management User Guide. For information about the detailed PKI configuration
settings available only through the CLI, see the FortiGate CLI Reference.
To view the list of PKI users, go to User > PKI.
Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a
value for either subject or ca. If you do not do so, and then open the user record in the web-
based manager, you will be prompted to enter a subject or ca value before you can
continue.
To create a peer user for PKI authentication, go to User > PKI and select Create
New.
Note: You must enter a value for at least one of Subject or CA.
You can configure peer user groups only through the CLI. For more information,
see the FortiGate CLI Reference.
Directory Service servers
To view the list of Directory Service servers, go to User > Directory Service.
Note: You can create a redundant configuration on your FortiGate unit if you install a
collector agent on two or more domain controllers. If the current (or first) collector agent
fails, the FortiGate unit switches to the next one in its list of up to five collector agents.
To add a new Directory Service server, go to User > Directory Service and select
Create New. You can enter information for up to five collector agents.
Name: Enter the name of the Directory Service server. This name appears in the list of Directory Service servers when you create user groups.
FSAE Collector IP/Name: Enter the IP address or name of the Directory Service server where this collector agent is installed. The maximum number of characters is 63.
Port: Enter the TCP port used for Directory Service. This must be the same as the FortiGate listening port specified in the FSAE collector agent configuration.
Password: Enter the password for the collector agent. This is required only if you configured your FSAE collector agent to require authenticated access.
LDAP Server: Select the check box and select an LDAP server to access the Directory Service.
User groups
A user group is a list of user identities. An identity can be:
• a local user account (user name and password) stored on the FortiGate unit
• a local user account with a password stored on a RADIUS, LDAP, or
TACACS+ server
• a RADIUS, LDAP, or TACACS+ server (all identities on the server can
authenticate)
• a user or user group defined on a Directory Service server.
Each user group belongs to one of three types: Firewall, Directory Service or
SSL VPN. For information about each type, see “Firewall user groups” on
page 436, “Directory Service user groups” on page 437, and “SSL VPN user
groups” on page 437. For information on configuring each type of user group, see
“Configuring a user group” on page 438.
In most cases, the FortiGate unit authenticates users by requesting each user
name and password. The FortiGate unit checks local user accounts first. If the unit
does not find a match, it checks the RADIUS, LDAP, or TACACS+ servers that
belong to the user group. Authentication succeeds when the FortiGate unit finds a
matching user name and password.
For a Directory Service user group, the Directory Service server authenticates users
when they log in to the network. The FortiGate unit receives the user’s name and
IP address from the FSAE collector agent. For more information about FSAE, see
the FSAE Technical Note.
You can configure user groups to provide authenticated access to:
• Firewall policies that require authentication
See “Adding authentication to firewall policies” on page 302.
• SSL VPNs on the FortiGate unit
See “SSL-VPN firewall policy options” on page 307.
• IPSec VPN Phase 1 configurations for dialup users
See “Creating a new phase 1 configuration” on page 396.
• XAuth for IPSec VPN Phase 1 configurations
See XAUTH in “Defining phase 1 advanced settings” on page 399.
• FortiGate PPTP configuration
See “PPTP Range” on page 411.
• FortiGate L2TP configuration
You can configure this only by using the config vpn l2tp CLI command.
See the FortiGate CLI Reference.
• Administrator login with RADIUS authentication
See “Configuring RADIUS authentication for administrators” on page 198.
• FortiGuard Web Filtering override groups
See “FortiGuard - Web Filter” on page 491.
For each resource that requires authentication, you specify which user groups are
permitted access. You need to determine the number and membership of user
groups appropriate to your authentication needs.
Note: A user group cannot be a dialup group if any member is authenticated using a
RADIUS or LDAP server.
For more information, see “Creating a new phase 1 configuration” on page 396.
For information about configuring a Firewall user group, see “Configuring a user
group” on page 438.
You can also use a firewall user group to provide override privileges for
FortiGuard web filtering. For more information, see “Configuring FortiGuard
override options for a user group (Firewall or Directory Service)” on page 441. For
detailed information about FortiGuard Web Filter, including the override feature,
see “FortiGuard - Web Filter” on page 491.
Note: You cannot use Directory Service user groups directly in FortiGate firewall policies.
You must add Directory Service groups to FortiGate user groups. A Directory Service group
should belong to only one FortiGate user group. If you assign it to multiple FortiGate user
groups, the FortiGate unit recognizes only the last user group assignment.
A Directory Service user group provides access to a firewall policy that requires
Directory Service type authentication and lists the user group as one of the
allowed groups. The members of the user group are Directory Service users or
groups that you select from a list that the FortiGate unit receives from the
Directory Service servers that you have configured. See “Directory Service
servers” on page 433.
Note: A Directory Service user group cannot have SSL VPN access.
You can also use a Directory Service user group to provide override privileges for
FortiGuard web filtering. For more information, see “Configuring FortiGuard
override options for a user group (Firewall or Directory Service)” on page 441. For
detailed information about FortiGuard Web Filter, including the override feature,
see “FortiGuard - Web Filter” on page 491.
For information on configuring user groups, see “Configuring a user group” on
page 438.
Note: A user group cannot be an IPSec dialup group if any member is authenticated using
a RADIUS or LDAP server.
Note: By default, the FortiGate web-based manager displays Firewall options. The
following figures show the variations that display for each of the user group types: Firewall,
Directory Service, and SSL VPN.
Note: If you try to add LDAP servers or local users to a group configured for administrator
authentication, an “Entry not found” error occurs.
Allow to create FortiGuard Web Filtering overrides: Select to allow members of this group to request an override on the FortiGuard Web Filtering Block page. The firewall protection profile governing the connection must have FortiGuard overrides enabled. The protection profile may have more than one user group as an override group. Members of an override group can authenticate on the FortiGuard Web Filter Block Override page to access the blocked site. For more information, see “FortiGuard - Web Filter” on page 491.
Override Scope: The override can apply to just the user who requested the override, or include others. Select one of the following from the list:
  User: Only the user.
  User Group: The user group to which the user belongs.
  IP: Any user at the user’s IP address.
  Profile: Any user with the specified protection profile of the user group.
  Ask: Authenticating user, who chooses the override scope.
Enable SSL-VPN Tunnel Service: Select to allow users in this group to connect to the network behind the FortiGate unit using the SSL VPN tunnel.
Allow Split Tunneling: Select to allow split tunneling for this group. Split tunneling ensures that only the traffic for the private network is sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route. Not selected by default.
Restrict tunnel IP range for this group: Type the starting and ending IP address range for this group if you want to override a previously defined Tunnel IP range. For more information, see the FortiGate SSL VPN User Guide.
Enable Web Application: Select the check box to enable the web portal to provide access to web applications and then select each of the applications that users in this group are permitted to access.
Host Check
Check FortiClient AV Installed and Running: Select to allow the client to connect only if it is running FortiClient with virus scanning enabled. For more information about this software, see the Fortinet Technical Documentation web site.
Check FortiClient FW Installed and Running: Select to allow the client to connect only if it is running FortiClient Host Security FW software. For more information about this software, see the Fortinet Technical Documentation web site.
Check for Third Party AV Software: Select to allow the client to connect only if it is running FortiClient with firewall enabled. For information about supported products for Windows XP SP2, see Table 39 on page 444. For all other Microsoft Windows versions, Norton (Symantec) AntiVirus or McAfee VirusScan software is supported.
Check for Third Party Firewall Software: Select to allow the client to connect only if it has supported firewall software installed. The software must be installed and enabled (running). See Table 39 on page 444 for supported products for Windows XP SP2. For all other Microsoft Windows versions, Norton (Symantec) AntiVirus or McAfee VirusScan software is supported.
Require Virtual Desktop Connection: Select to allow the user to set up an SSL VPN tunnel-mode session using the Virtual Desktop client only. If the user attempts to use another method, the connection is refused.
Enable Cache Clean: Select to remove all temporary Internet files created on the client computer between user login and logout. This is executed with a downloaded ActiveX control for Internet Explorer, and a plugin for Firefox with Windows 2000/Windows XP. If the client’s browser cannot install and run the cache cleaner, the user is denied access to the SSL VPN portal.
Bookmarks: Select to allow the SSL VPN user group to use the pre-configured bookmark group that you select from the list. For more information, see the FortiGate SSL VPN User Guide.
Redirect URL: Select to open a second browser window at this URL when the SSL VPN web portal page opens. The web server for this URL must reside on the private network behind the FortiGate unit. You can modify the SSL VPN web portal login page. For more information, see “Changing the SSL-VPN login message” on page 192.
Customize portal message for this group: Type or edit a custom web portal home page caption for this group.
Table 39 (partial): Supported third-party software on Windows XP SP2
McAfee: Y, Y
Sophos Anti-Virus: Y, N
F-Secure: Y, Y
Secure Resolutions: Y, Y
AhnLab: Y, Y
Kaspersky: Y, Y
ZoneAlarm: Y, Y
Authentication settings
You can define settings for user authentication, including authentication timeout,
supported protocols, and authentication certificates.
Authentication timeout controls how long an authenticated firewall connection can
be idle before the user must authenticate again.
When user authentication is enabled on a firewall policy, the authentication
challenge is normally issued for any of the four protocols (depending on the
connection protocol):
• HTTP (can also be set to redirect to HTTPS)
• HTTPS
• FTP
• Telnet.
The selections made in the Protocol Support list of the Authentication Settings
screen control which protocols support the authentication challenge. Users must
connect with a supported protocol first so they can subsequently connect with
other protocols. If HTTPS is selected as a method of protocol support, it allows the
user to authenticate with a customized Local certificate.
When you enable user authentication on a firewall policy, the firewall policy user
will be challenged to authenticate. For user ID and password authentication, users
must provide their user names and passwords. For certificate authentication
(HTTPS or HTTP redirected to HTTPS only), you can install customized
certificates on the FortiGate unit and the users can also have customized
certificates installed on their browsers. Otherwise, users will see a warning
message and have to accept a default FortiGate certificate.
Note: When you use certificate authentication, if you do not specify any certificate when
you create the firewall policy, the global settings will be used. If you specify a certificate, the
per-policy setting will overwrite the global setting. For information about how to use
certificate authentication, see FortiGate Certificate Management User Guide.
AntiVirus
This section describes how to configure the antivirus options associated with
firewall protection profiles.
If you enable virtual domains (VDOMs) on the FortiGate unit, most antivirus
options are configured separately for each virtual domain. However, the
quarantine, the virus list and the grayware list are part of the global configuration.
Only administrators with global access can configure and manage the quarantine,
view the virus list, and configure the grayware list. For details, see “Using virtual
domains” on page 95.
This section describes:
• Order of operations
• Antivirus tasks
• Antivirus settings and controls
• File Filter
• Quarantine
• Viewing the virus list
• Viewing and configuring the grayware list
• Antivirus CLI configuration
Order of operations
The antivirus scanning function includes various modules and engines that
perform separate tasks. The FortiGate unit performs antivirus processing in the
following order:
• File size
• File filter
• Virus scan
• Grayware
• Heuristics
If a file fails any of the tasks of the antivirus scan, no further scans are performed.
For example, if the file “fakefile.EXE” is recognized as a blocked pattern, the
FortiGate unit sends the end user a replacement message and the file is
deleted or quarantined. The virus scan, grayware, heuristics, and file type scans
are not performed, as the file has already been determined to be a threat and has
been dealt with.
Note: File filter includes file pattern and file type scans which are applied at different stages
in the antivirus process.
Figure: Antivirus processing order for FTP/NNTP/SMTP/POP3/IMAP traffic (after web filter spam checking). Each stage either passes the file to the next stage or blocks it: Oversize (is the buffered content bigger than the threshold?), File Pattern (is it a blocked file?), Virus Scan (is it infected?), Grayware (is it grayware?).
Antivirus tasks
The antivirus tasks work in sequence to efficiently scan incoming files and offer
your network unparalleled antivirus protection. The first four tasks have specific
functions; the last, heuristics, covers new, previously unknown virus threats. To
ensure that your system provides the most protection available, all virus
definitions and signatures are updated regularly through the FortiGuard antivirus
services. The tasks are discussed in the order in which they are applied, followed
by FortiGuard antivirus.
File size
This task checks if files and email messages exceed configured thresholds. It is
enabled by setting the Oversized File/Email option under Firewall > Protection
Profile > Antivirus to Pass.
For more information, see “Anti-Virus options” on page 367.
File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter.
The FortiGate unit will check the file against the file pattern setting you have
configured. If the file is a blocked pattern, “.EXE” for example, then it is stopped
and a replacement message is sent to the end user. No other levels of protections
are applied. If the file is not a blocked pattern the next level of protection is
applied.
Virus scan
If the file passes the file pattern scan, a virus scan is applied to it. The virus
definitions are kept up to date through the Fortinet Distribution Network. The list
is updated on a regular basis so you do not have to wait for a firmware upgrade.
For more information on updating virus definitions, see “FortiGuard antivirus” on
page 449.
Grayware
Once past the virus scan, the incoming file will be checked for grayware.
Grayware configurations can be turned on and off as required and are kept up to
date in the same manner as the antivirus definitions. For more information on
configuring grayware please see “Viewing and configuring the grayware list” on
page 459.
Heuristics
After an incoming file has passed the grayware scan, it is subjected to the
heuristics scan. The FortiGate heuristic antivirus engine, if enabled, performs
tests on the file to detect virus-like behavior or known virus indicators. In this way,
heuristic scanning may detect new viruses, but may also produce some false
positive results.
Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.
File type
Once a file passes the heuristic scan, the FortiGate unit applies the file type
recognition filter. The FortiGate unit will check the file against the file type setting
you have configured. If the file is a blocked type, then it is stopped and a
replacement message is sent to the end user. No other levels of protections are
applied. If the file is not a blocked type, the next level of protection is applied.
FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic
updates of virus and IPS (attack) engines and definitions, as well as the local
spam DNSBL, through the FortiGuard Distribution Network (FDN). The
FortiGuard Center also provides the FortiGuard antivirus virus and attack
encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for
details and a link to the FortiGuard Center.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard Center. See “Configuring the FortiGate
unit for FDN and FortiGuard subscription services” on page 243 for more
information.
Note: If virtual domains are enabled, you configure antivirus file filtering and antivirus
settings in protection profiles separately for each virtual domain. Antivirus quarantine and
grayware settings are part of the global configuration.
File Filter
Configure the FortiGate file filter to block files by:
• File pattern: Files can be blocked by name, extension, or any other pattern.
File pattern blocking provides the flexibility to block potentially harmful content.
File pattern entries are not case sensitive. For example, adding *.exe to the
file pattern list also blocks any files ending in .EXE.
In addition to the built-in patterns, you can specify more file patterns to block.
For details, see “Configuring the file filter list” on page 454.
• File type: In addition to file pattern (file name) checking, you can also configure
the FortiGate unit to analyze the file and determine the file type of the files,
regardless of the file name. For details about supported file types, see “Built-in
patterns and supported file types” on page 451.
For standard operation, you can choose to disable File Filter in the Protection
Profile, and enable it temporarily to block specific threats as they occur.
The FortiGate unit can take any of the following three actions towards the files that
match a configured file pattern or type:
• Allow: the file will be allowed to pass.
• Block: the file will be blocked and a replacement message will be sent to the
user. If both File Filter and Virus Scan are enabled, the FortiGate unit blocks
files that match an enabled file filter entry and does not scan these files for viruses.
The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.
Files are compared to the enabled file patterns and then the file types from top to
bottom. If a file does not match any specified patterns or types, it is passed along
to antivirus scanning (if enabled). In effect, files are passed if not explicitly
blocked.
Using the allow action, this behavior can be reversed with all files being blocked
unless explicitly passed. Simply enter all the file patterns or types to be passed
with the allow attribute. At the end of the list, add an all-inclusive wildcard (*.*) with
a block action. Allowed files continue to antivirus scanning (if enabled) while files
not matching any allowed patterns are blocked by the wildcard at the end.
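The order of operations above and the file filter rules (case-insensitive patterns, top-to-bottom evaluation, Allow and Block actions, and the trailing *.* Block entry that turns the list into a default-deny list) can be modelled together. The following is an added example, not FortiOS code: it runs a file through the stages in the documented order (file size, file pattern, virus scan, grayware, heuristics, file type) and stops at the first stage that fails it. The size threshold, the magic-byte table that stands in for built-in file type detection, the byte strings that stand in for virus and grayware definitions, the heuristic rule and the sample files are all constructed, and the choice to pass an oversized file without running the remaining stages is this model's assumption.

```python
# Added example, not FortiOS code: a model of the antivirus order of operations
# and of the ordered file filter list. Thresholds, filter entries, the magic-byte
# table, the "virus" and "grayware" byte signatures and the heuristic rule are all
# constructed stand-ins for the real definitions.
import fnmatch
from dataclasses import dataclass


@dataclass
class FilterEntry:
    kind: str     # "pattern": match the file name; "type": match the detected content type
    value: str    # wildcard such as "*.exe" or "*.*", or a type name such as "exe"
    action: str   # "allow" or "block"
    enabled: bool = True


@dataclass
class Policy:
    entries: list                    # file filter list, evaluated top to bottom
    oversize_threshold: int = 1024   # bytes (constructed)
    oversize_action: str = "pass"    # Oversized File/Email option: "pass" or "block"
    heuristics: bool = True          # the CLI-only heuristics setting, as a flag


MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}             # constructed
VIRUS_SIGNATURES = {b"CONSTRUCTED-VIRUS-SIGNATURE": "Test_Virus"}       # constructed
GRAYWARE_SIGNATURES = {b"CONSTRUCTED-ADWARE-MARKER": "Adware/Toolbar"}  # constructed


def detect_type(data):
    """Content-based file type, independent of the file name."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "unknown"


def file_filter(name, ftype, entries, kind):
    """Apply the enabled entries of one kind in list order; the first match decides.
    Returns "allow", "block", or None when nothing matched (files pass by default)."""
    for e in entries:
        if not e.enabled or e.kind != kind:
            continue
        # Patterns are not case sensitive: *.exe also catches SETUP.EXE.
        if kind == "pattern" and fnmatch.fnmatchcase(name.lower(), e.value.lower()):
            return e.action
        if kind == "type" and e.value == ftype:
            return e.action
    return None


def scan(name, data, policy):
    """Run the stages in the documented order; stop at the first one the file fails.
    Returns (verdict, stage, detail)."""
    # 1. File size
    if len(data) > policy.oversize_threshold:
        if policy.oversize_action == "block":
            return ("block", "file size", "oversized")
        # Model assumption: a passed oversized file is not buffered, so no further stage runs.
        return ("pass", "file size", "oversized, passed unscanned")
    ftype = detect_type(data)
    # 2. File pattern (the name-based entries of the file filter list)
    if file_filter(name, ftype, policy.entries, "pattern") == "block":
        return ("block", "file pattern", name)
    # 3. Virus scan
    for sig, label in VIRUS_SIGNATURES.items():
        if sig in data:
            return ("block", "virus scan", label)
    # 4. Grayware
    for sig, label in GRAYWARE_SIGNATURES.items():
        if sig in data:
            return ("block", "grayware", label)
    # 5. Heuristics (constructed rule: executable content behind a non-executable name)
    if policy.heuristics and ftype == "exe" and not name.lower().endswith(".exe"):
        return ("block", "heuristics", "executable content in " + name)
    # 6. File type (the content-based entries of the file filter list)
    if file_filter(name, ftype, policy.entries, "type") == "block":
        return ("block", "file type", ftype)
    return ("pass", "clean", ftype)


# Default-allow list: block .exe by name and executables by content; all else passes.
DEFAULT_ALLOW = Policy(entries=[FilterEntry("pattern", "*.exe", "block"),
                                FilterEntry("type", "exe", "block")])
NO_HEURISTICS = Policy(entries=DEFAULT_ALLOW.entries, heuristics=False)
# Default-deny list: the Allow entries first, then *.* with Block at the end.
DEFAULT_DENY = Policy(entries=[FilterEntry("pattern", "*.pdf", "allow"),
                               FilterEntry("pattern", "*.txt", "allow"),
                               FilterEntry("pattern", "*.*", "block")])

if __name__ == "__main__":
    samples = [  # constructed files: (name, content)
        ("report.PDF", b"%PDF-1.4 quarterly figures"),
        ("Setup.EXE", b"MZ" + b"CONSTRUCTED-VIRUS-SIGNATURE"),  # stopped by name, never scanned
        ("notes.txt", b"plain text CONSTRUCTED-VIRUS-SIGNATURE"),
        ("invoice.doc", b"MZ\x90\x00 not really a document"),
        ("archive.bin", b"A" * 2000),
    ]
    for name, data in samples:
        print(name, scan(name, data, DEFAULT_ALLOW))
    print("photo.jpg", scan("photo.jpg", b"\xff\xd8 jpeg", DEFAULT_DENY))
```

DEFAULT_ALLOW reproduces the default behaviour (files pass unless explicitly blocked); DEFAULT_DENY is the reversal described above, where photo.jpg is stopped by the trailing *.* entry while report.pdf continues to the virus scan. Setup.EXE is stopped by the pattern entry before the virus scan ever sees its content, which is the short-circuit the text describes, and invoice.doc shows that a blocked content type still catches an executable that has been renamed.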
The FortiGate unit can take actions against the following file types:
Table 41: Supported file types
Note: The “unknown” type is any file type that is not listed in the table. The “ignored” type is
the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio
and video.
Create New: Select Create New to add a new file filter list to the catalog.
Name: The available file filter lists.
# Entries: The number of file patterns or file types in each file filter list.
Profiles: The protection profiles each file filter list has been applied to.
Comments: Optional description of each file filter list.
Delete icon: Select to remove the file filter list from the catalog. The delete icon is only available if the file filter list is not selected in any protection profiles.
Edit icon: Select to edit the file filter, its name and comment.
The file filter list will be used in protection profiles. For more information, see “Anti-
Virus options” on page 367.
The file filter list has the following icons and features:
Name: File filter list name. To change the name, edit the text in the name field and select OK.
Comment: Optional comment. To add or edit the comment, enter text in the comment field and select OK.
OK: If you make changes to the list name or comments, select OK to save the changes.
Create New: Select Create New to add a new file pattern or type to the file filter list.
Filter: The current list of file patterns and types.
Action: Files matching the file patterns and types can be set to block, allow, or intercept. For information about actions, see “File Filter” on page 450.
Enable: Clear the checkbox to disable the file pattern or type.
Delete icon: Select to remove the file pattern or type from the list.
Edit icon: Select to edit the file pattern/type and action.
Move To icon: Select to move the file pattern or type to any position in the list.
To add a file pattern or type go to AntiVirus > File Filter. Select the Edit icon for a
file filter catalog. Select Create New.
Filter Type: Select File Name Pattern if you want to add a file pattern; select File Type and then select a file type from the supported file type list.
Pattern: Enter the file pattern. The file pattern can be an exact file name or can include wildcards. The file pattern can be 80 characters long.
File Type: Select a file type from the list. For information about supported file types, see “Built-in patterns and supported file types” on page 451.
Action: Select an action from the drop down list: Block, Allow, or Intercept. For more information about actions, see “File Filter” on page 450.
Enable: Select to enable the pattern.
Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. View
the file name and status information about the file in the quarantined file list.
Submit specific files and add file patterns to the AutoSubmit list so they will
automatically be uploaded to Fortinet for analysis.
FortiGate units without a local disk can quarantine blocked and infected files to a
FortiAnalyzer unit. Files stored on the FortiAnalyzer can be retrieved for viewing.
To configure the FortiAnalyzer unit, go to Log & Report > Log Config > Log
Setting.
File quarantine configuration involves several steps.
The quarantined files list has the following features and displays the following
information about each quarantined file:
File Name: The processed file name of the quarantined file. When a file is quarantined, all spaces are removed from the file name, and a 32-bit checksum is performed on the file. The checksum appears in the replacement message but not in the quarantined file. The file is stored on the FortiGate hard disk with the following naming convention:
<32bit_CRC>.<processed_filename>
For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date: The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm. This value indicates the time that the first file was quarantined if the duplicate count increases.
Service: The service from which the file was quarantined (HTTP, FTP, IMAP, POP3, SMTP, IM, or NNTP).
Status: The reason the file was quarantined: infected, heuristics, or blocked.
Status Description: Specific information related to the status, for example, “File is infected with “W32/Klez.h”” or “File was stopped by file block pattern.”
DC: Duplicate count. A count of how many duplicates of the same file were quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL: Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit labels the file as EXP under the TTL heading. In the case of duplicate files, each duplicate found refreshes the TTL. The TTL information is not available if the files are quarantined on a FortiAnalyzer unit.
Upload status: Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file has not been uploaded. This option is available only if the FortiGate unit has a local hard disk.
Download icon: Select to download the corresponding file in its original format. This option is available only if the FortiGate unit has a local hard disk.
Submit icon: Select to upload a suspicious file to Fortinet for analysis. This option is available only if the FortiGate unit has a local hard disk.
Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL
value and the duplicate count are updated each time a duplicate of a file is found.
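As an added example (not FortiOS code) of the naming convention, duplicate counting and TTL handling described above: the model below stores a file under <32bit_CRC>.<processed_filename>, counts rather than stores duplicates that share a checksum, refreshes the TTL on each duplicate, and reports EXP once the age limit has elapsed. CRC-32 as the 32-bit checksum, lower-casing of the processed name (as in the Over Size.exe example) and a minute-based model clock are this example's assumptions; the file contents are constructed.

```python
# Added example, not FortiOS code: a model of quarantine file naming, duplicate
# counting and TTL handling. CRC-32 over the content, lower-casing of the name
# and the minute-based clock are this example's assumptions.
import zlib
from dataclasses import dataclass


def processed_name(original):
    """Remove spaces from the file name; the text's example also shows lower case."""
    return original.replace(" ", "").lower()


def checksum(data):
    """32-bit checksum of the file content (CRC-32 here, as an assumption)."""
    return zlib.crc32(data) & 0xFFFFFFFF


def quarantine_name(original, data):
    """<32bit_CRC>.<processed_filename>, e.g. Over Size.exe -> xxxxxxxx.oversize.exe"""
    return f"{checksum(data):08x}.{processed_name(original)}"


@dataclass
class QuarantineEntry:
    file_name: str
    service: str
    status: str
    first_seen: int   # model clock, minutes: the time the first copy was quarantined
    dc: int           # duplicate count
    expires_at: int   # model clock, minutes; None when the age limit is 0


class Quarantine:
    def __init__(self, age_limit_hours):
        # Age limit 0 keeps files indefinitely (subject to the low disk space action).
        self.age_limit = age_limit_hours * 60
        self.entries = {}   # checksum -> QuarantineEntry

    def _expiry(self, now):
        return None if self.age_limit == 0 else now + self.age_limit

    def add(self, original, data, service, status, now):
        crc = checksum(data)
        entry = self.entries.get(crc)
        if entry is not None:
            # Duplicates (same checksum) are counted, not stored; each refreshes the TTL.
            entry.dc += 1
            entry.expires_at = self._expiry(now)
            return entry
        entry = QuarantineEntry(quarantine_name(original, data), service, status,
                                now, 1, self._expiry(now))
        self.entries[crc] = entry
        return entry

    def ttl(self, crc, now):
        """TTL column: hh:mm remaining, or EXP once the age limit has elapsed."""
        entry = self.entries[crc]
        if entry.expires_at is None:
            return "(no limit)"   # this model's own marker for age limit 0
        remaining = entry.expires_at - now
        if remaining <= 0:
            return "EXP"
        return f"{remaining // 60:02d}:{remaining % 60:02d}"

    def outbreak_candidates(self, min_dc):
        """Files whose duplicate count has reached min_dc; a rapidly growing DC
        is the outbreak indicator the text mentions."""
        return [e.file_name for e in self.entries.values() if e.dc >= min_dc]


def demo(age_limit_hours=2):
    """Quarantine one file at minute 0 and a duplicate at minute 60; return what the list shows."""
    q = Quarantine(age_limit_hours)
    data = b"constructed file content"          # constructed
    first = q.add("Over Size.exe", data, "HTTP", "infected", now=0)
    crc = checksum(data)
    ttl_before = q.ttl(crc, now=30)            # 01:30 left of the 2-hour limit
    q.add("over size.EXE", data, "SMTP", "infected", now=60)  # same checksum: duplicate
    # Without the refresh the file would already read EXP at minute 120.
    return (first.file_name, len(q.entries), first.dc,
            ttl_before, q.ttl(crc, now=120), q.ttl(crc, now=180))


if __name__ == "__main__":
    print(quarantine_name("Over Size.exe", b"hello"))   # 3610a686.oversize.exe
    print(demo())
```

The second add() in demo() arrives from a different service with a differently-cased name, but the checksum is the same, so the list keeps one entry with DC 2 and the refreshed TTL; only at minute 180, two hours after the last duplicate, does the TTL column read EXP.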
Create New: Select to add a new file pattern to the AutoSubmit list.
File Pattern: The current list of file patterns that will be automatically uploaded. Create a pattern by using ? or * wildcard characters. Enable the check box to enable all file patterns in the list.
Delete icon: Select to remove the entry from the list.
Edit icon: Select to edit the following information: File Pattern and Enable.
File Pattern: Enter the file pattern or file name to be uploaded automatically to Fortinet.
Enable: Select to enable the file pattern.
Note: To enable automatic uploading of the configured file patterns, go to AntiVirus >
Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern.
Options:
  Quarantine Infected Files: Select the protocols from which to quarantine infected files identified by antivirus scanning.
  Quarantine Suspicious Files: Select the protocols from which to quarantine suspicious files identified by heuristics.
  Quarantine Blocked Files: Select the protocols from which to quarantine blocked files identified by antivirus file filtering. The Quarantine Blocked Files option is not available for IM because a file name is blocked before downloading and cannot be quarantined.
Age limit: The time limit in hours for which to keep files in quarantine. The age limit is used to formulate the value in the TTL column of the quarantined files list. When the limit is reached, the TTL column displays EXP and the file is deleted (although a record is maintained in the quarantined files list). Entering an age limit of 0 (zero) means files are stored on disk indefinitely, depending on the low disk space action.
Max filesize to quarantine: The maximum size of quarantined files in MB. Setting the maximum file size too large may affect performance.
Low disk space: Select the action to take when the local disk is full: overwrite the oldest file or drop the newest file.
FortiAnalyzer: Select to enable storage of blocked and quarantined files on a FortiAnalyzer unit. See “Log&Report” on page 525 for more information about configuring a FortiAnalyzer unit.
Enable AutoSubmit: Enables the AutoSubmit feature. Select one or both of the options below.
  Use file pattern: Enables the automatic upload of files matching the file patterns in the AutoSubmit list.
  Use file status: Enables the automatic upload of quarantined files based on their status. Select either Heuristics or Block Pattern. Heuristics is configurable through the CLI only. See “Antivirus CLI configuration” on page 461.
Apply: Select to save the configuration.
Enabling a grayware category blocks all files listed in the category. The categories
may change or expand when the FortiGate unit receives updates. You can choose
to enable the following grayware categories:
Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly
detection and prevention with low latency and excellent reliability. With Intrusion
Protection, you can create multiple IPS sensors, each containing a complete
configuration based on signatures. Then, you can apply any IPS sensor to each
protection profile. You can also create DoS sensors to examine traffic for
anomaly-based attacks.
This section describes how to configure the FortiGate Intrusion Protection
settings. For more information about Intrusion Protection, see the FortiGate
Intrusion Protection System (IPS) Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection
is configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• About intrusion protection
• Signatures
• Custom signatures
• Protocol decoders
• IPS sensors
• DoS sensors
• Intrusion protection CLI configuration
Using Intrusion Protection, you can configure the FortiGate unit to check for and
automatically download updated attack definition files containing the latest
signatures, or download the updated attack definition file manually. Alternately,
you can configure the FortiGate unit to allow push updates of the latest attack
definition files as soon as they are available from the FortiGuard Distribution
Network.
You can also create custom attack signatures for the FortiGate unit to use in
addition to an extensive list of predefined attack signatures.
Whenever the Intrusion Protection system detects or prevents an attack, it
generates an attack log message. You can configure the FortiGate unit to add the
message to the attack log and send an alert email to administrators, as well as
schedule how often it should send this alert email. You can also reduce the
number of log messages and alerts by disabling signatures for attacks that will not
affect your network. For example, you do not need to enable signatures to detect
web attacks when there is no web server to protect.
You can also use the packet logging feature to analyze packets for forensics and
false positive detection.
For more information about FortiGate logging and alert email, see “Log&Report”
on page 525.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
Signatures
The FortiGate Intrusion Protection system can use signatures once you have
grouped the required ones in an IPS sensor, and then selected the IPS sensor in
the protection profile. If required, you can override the default settings of the
signatures specified in an IPS sensor. The FortiGate unit provides a number of
pre-built IPS sensors, but you should check their settings before using them, to
ensure they meet your network requirements.
By using only the signatures you require, you can improve system performance
and reduce the number of log messages and alert email messages the IPS
sensor generates. For example, if the FortiGate unit is not protecting a web
server, do not include any web server signatures.
Note: Some default protection profiles include IPS Sensors that use all the available
signatures. By using these default settings, you may be slowing down the overall
performance of the FortiGate unit. By creating IPS sensors with only the signatures your
network requires, you can ensure maximum performance as well as maximum protection.
To view the predefined signature list, go to Intrusion Protection > Signature >
Predefined. You can also use filters to display the signatures you want to view.
For more information, see “Using display filters” on page 466.
By default, the signatures are sorted by name. To sort the table by another
column, select the header of the column to sort by.
Current Page The current page number of list items that are displayed. Select the left
and right arrows to display the first, previous, next or last page of
signatures.
Column Settings Select to customize the signature information displayed in the
table. You can also readjust the column order.
Clear All Filters If you have applied filtering to the predefined signature list display, select
this option to clear all filters and display all the signatures.
Name The name of the signature, linked to the FortiGuard Center web page
about the signature.
Severity The severity rating of the signature. The severity levels, from lowest to
highest, are Information, Low, Medium, High, and Critical.
Target The target of the signature: servers, clients, or both.
Protocols The protocol the signature applies to.
OS The operating system the signature applies to.
Applications The applications the signature applies to.
Enable The default status of the signature. A green circle indicates the signature
is enabled. A gray circle indicates the signature is not enabled.
Action The default action for the signature:
• Pass allows the traffic to continue without any modification.
• Drop prevents the traffic with detected signatures from reaching its
destination.
If Logging is enabled, the action appears in the status field of the log
message generated by the signature.
ID A unique numeric identifier for the signature.
Logging The default logging behavior of the signature. A green circle indicates
logging is enabled. A gray circle indicates logging is disabled.
Group A functional group that is assigned to that signature. This group is only
for reference and cannot be used to define filters.
Packet Log The default packet log status of the signature. A green circle indicates
that the packet log is enabled. A gray circle indicates that the packet log
is not enabled.
Revision The revision level of the signature. If the signature is updated, the
revision number will be incremented.
Note: To determine what effect IPS protection would have on your network traffic, you can
enable the required signatures, set the action to pass, and enable logging. Traffic will not be
interrupted, but you will be able to examine in detail which signatures were detected.
Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate
Intrusion Protection system for diverse network environments. The FortiGate
predefined signatures represent common attacks. If you use an unusual or
specialized application or an uncommon platform, you can add custom signatures
based on the security alerts released by the application and platform vendors.
You can also create custom signatures to help you block P2P protocols.
After creation, you need to specify custom signatures in IPS sensors created to
scan traffic. For more information about creating IPS sensors, see “Adding an IPS
sensor” on page 470.
For more information about custom signatures, see the FortiGate Intrusion
Protection System (IPS) Guide.
Note: Custom signatures are an advanced feature. This document assumes the user has
previous experience creating intrusion detection signatures.
Note: A custom signature does not affect traffic simply by being created. It must be
added as a signature override in an IPS sensor, and that sensor must be selected in a
protection profile applied to a firewall policy, before it has any effect.
Protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify
abnormal traffic patterns that do not meet the protocol requirements and
standards. For example, the HTTP decoder monitors traffic to identify any HTTP
packets that do not meet the HTTP protocol standards.
IPS sensors
You can group signatures into IPS sensors for easy selection in protection
profiles. You can define signatures for specific types of traffic in separate IPS
sensors, and then select those sensors in profiles designed to handle that type of
traffic. For example, you can specify all of the web-server related signatures in an
IPS sensor, and the sensor can then be used by a protection profile in a policy
that controls all of the traffic to and from a web server protected by the FortiGate
unit.
The FortiGuard Service periodically updates the pre-defined signatures, with
signatures added to counter new threats. Because the signatures included in
filters are defined by specifying signature attributes, new signatures matching
existing filter specifications will automatically be included in those filters. For
example, if you have a filter that includes all signatures for the Windows operating
system, your filter will automatically incorporate new Windows signatures as they
are added.
Create New Add a new IPS sensor. For more information, see “Adding an
IPS sensor” on page 470.
Name The name of each IPS sensor.
Comments An optional description of the IPS sensor.
Delete and Edit icons Delete or edit an IPS sensor.
Five default IPS sensors are provided with the default configuration.
all_default Includes all signatures. The sensor is set to use the default
enable status and action of each signature.
all_default_pass Includes all signatures. The sensor is set to use the default
enable status of each signature, but the action is set to pass.
To view an IPS sensor, go to Intrusion Protection > IPS Sensor and select the
Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three
parts: the sensor attributes, the filters, and the overrides.
Name The name of the IPS sensor. You can change it at any time.
Comments An optional comment describing the IPS sensor. You can change it at
any time.
OK Select to save changes to Name or Comments
Add Filter Add a new filter to the end of the filter list. For more information, see
“Configuring filters” on page 472.
# Current position of each filter in the list.
Name The name of the filter.
Signature attributes Signature attributes specify the type of network traffic the
signature applies to.
Severity The severity of the included signatures.
Target The type of system targeted by the attack. The targets
are client and server.
Protocol The protocols to which the signatures apply. Examples
include HTTP, POP3, H323, and DNS.
OS The operating systems to which the signatures apply.
Application The applications to which the signatures apply.
Enable The status of the signatures included in the filter. The signatures can be
set to enabled, disabled, or default. The default setting uses the default
status of each individual signature as displayed in the signature list.
Logging The logging status of the signatures included in the filter. Logging can
be set to enabled, disabled, or default. The default setting uses the
default status of each individual signature as displayed in the signature
list.
Action The action of the signatures included in the filter. The action can be set
to pass all, block all, reset all, or default. The default setting uses the
action of each individual signature as displayed in the signature list.
Count The number of signatures included in the filter. Overrides are not
included in this total.
Delete icon Delete the filter.
Configuring filters
To configure a filter, go to Intrusion Protection > IPS Sensor. Select the Edit icon
of the IPS sensor containing the filter you want to edit. When the sensor window
opens, select the Edit icon of the filter you want to change, or select Add Filter to
create a new filter. Enter the information as described below and select OK.
The signatures included in the filter are only those matching every attribute specified.
When created, a new filter has every attribute set to “all” which causes every signature
to be included in the filter. If the severity is changed to high, and the target is changed
to server, the filter includes only signatures checking for high priority attacks targeted
at servers.
Note: Before an override can affect network traffic, you must add it to an IPS sensor,
and you must select that sensor in a protection profile applied to a firewall policy.
Until both steps are taken, the override has no effect on traffic.
Signature Select the browse icon to view the list of available signatures. From this
list, select a signature the override will apply to and then select OK.
Enable Select to enable the signature override.
Action Select one of Pass, Block or Reset. When the override is enabled, the
action determines what the FortiGate will do with traffic containing the
specified signature.
Logging Select to enable creation of a log entry if the signature is discovered in
network traffic.
Packet Log Select to save packets that trigger the override to the FortiGate hard
drive for later examination. This option is only valid on FortiGate units
with an internal hard drive.
Exempt IP Enter IP addresses to exclude from the override. The override then
applies to all IP addresses except those defined as exempt. Exempt IP
addresses are defined in pairs, a source and a destination, and traffic
moving from the source to the destination is exempt from the override.
Source The exempt source IP address. Enter 0.0.0.0/0 to include all
source IP addresses.
Destination The exempt destination IP address. Enter 0.0.0.0/0 to include all
destination IP addresses.
DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network
traffic that does not fit known or common traffic patterns and behavior. For
example, one type of flooding is the denial of service (DoS) attack that occurs
when an attacking system starts an abnormally large number of sessions with a
target system. The large number of sessions slows down or disables the target
system so legitimate users can no longer use it. This type of attack gives the DoS
sensor its name, although it is capable of detecting and protecting against a
number of anomaly attacks.
You can enable or disable logging for each traffic anomaly, and configure the
detection threshold and action to take when the detection threshold is exceeded.
You can create multiple DoS sensors. Each sensor consists of 12 anomaly types
that you can configure. Each sensor examines the network traffic in sequence,
from top to bottom. When a sensor detects an anomaly, it applies the configured
action. Multiple sensors allow great granularity in detecting anomalies because
each sensor can be configured to examine traffic from a specific address, to a
specific address, on a specific port, in any combination.
When arranging the DoS sensors, place the most specific sensors at the top and
the most general at the bottom. For example, a sensor with one protected address
table entry that includes all source addresses, all destination addresses, and all
ports will match all traffic. If this sensor is at the top of the list, no subsequent
sensors will ever execute.
The traffic anomaly detection list can be updated only when the FortiGate
firmware image is upgraded.
Create New Add a new DoS sensor to the bottom of the list.
ID A unique identifier for each DoS sensor. The ID does not indicate the
sequence in which the sensors examine network traffic.
Status Select to enable the DoS sensor.
Name The DoS sensor name.
Comments An optional description of the DoS sensor.
Note: It is important to know normal and expected network traffic before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and
setting the thresholds too high could allow otherwise avoidable attacks.
To configure DoS sensors, go to Intrusion Protection > DoS Sensor. Select the
Edit icon of an existing DoS sensor, or select Create New to create a new DoS
sensor.
Anomaly configuration
Name The name of the anomaly.
Enable Select the check box to enable the DoS sensor to detect when the
specified anomaly occurs. Selecting the check box in the header row will
enable sensing of all anomalies.
Logging Select the check box to enable the DoS sensor to log when the anomaly
occurs. Selecting the check box in the header row will enable logging for all
anomalies. Anomalies that are not enabled are not logged.
Action Select Pass to allow anomalous traffic to pass when the FortiGate unit
detects it, or set Block to prevent the traffic from passing.
Threshold Displays the number of sessions/packets that must show the anomalous
behavior before the FortiGate unit triggers the anomaly action (pass or
block). If required, change the number. For more information about how
these settings affect specific anomalies, see Table 42 on page 477.
Protected addresses
Each entry in the protected address table includes a source and destination IP
address as well as a destination port. The DoS sensor will be applied to traffic
matching the three attributes in any table entry.
Note: A new DoS sensor has no protected address table entries. If no addresses are
entered, the DoS sensor cannot match any traffic and will not function.
Destination The IP address of the traffic destination. 0.0.0.0/0 matches all addresses. If
the FortiGate unit is running in transparent mode, 0.0.0.0/0 also includes
the management IP address.
Destination Port The destination port of the traffic. 0 matches any port.
Source The IP address of the traffic source. 0.0.0.0/0 matches all addresses.
Add After entering the required destination address, destination port, and
source address, select Add to add protected address to the Protected
Addresses list. The DoS sensor will be invoked only on traffic matching all
three of the entered values. If no addresses appear in the list, the sensor
will not be applied to any traffic.
Anomaly Description
tcp_syn_flood If the SYN packet rate, including retransmission, to one destination
IP address exceeds the configured threshold value, the action is
executed. The threshold is expressed in packets per second.
tcp_port_scan If the SYN packets rate, including retransmission, from one source
IP address exceeds the configured threshold value, the action is
executed. The threshold is expressed in packets per second.
tcp_src_session If the number of concurrent TCP connections from one source IP
address exceeds the configured threshold value, the action is
executed.
tcp_dst_session If the number of concurrent TCP connections to one destination IP
address exceeds the configured threshold value, the action is
executed.
udp_flood If the UDP traffic to one destination IP address exceeds the
configured threshold value, the action is executed. The threshold is
expressed in packets per second.
udp_scan If the number of UDP sessions originating from one source IP
address exceeds the configured threshold value, the action is
executed. The threshold is expressed in packets per second.
udp_src_session If the number of concurrent UDP connections from one source IP
address exceeds the configured threshold value, the action is
executed.
udp_dst_session If the number of concurrent UDP connections to one destination IP
address exceeds the configured threshold value, the action is
executed.
icmp_flood If the number of ICMP packets sent to one destination IP address
exceeds the configured threshold value, the action is executed.
The threshold is expressed in packets per second.
icmp_sweep If the number of ICMP packets originating from one source IP
address exceeds the configured threshold value, the action is
executed. The threshold is expressed in packets per second.
icmp_src_session If the number of concurrent ICMP connections from one source IP
address exceeds the configured threshold value, the action is
executed.
icmp_dst_session If the number of concurrent ICMP connections to one destination
IP address exceeds the configured threshold value, the action is
executed.
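The two points a practitioner most often gets wrong with DoS sensors are the order of evaluation (a catch-all protected address entry at the top of the list shadows every sensor below it) and the meaning of the per-second thresholds (floods are counted per destination, scans and sweeps per source). The following is an added example written for this page, not FortiGate code: the packet records, sensor names, address ranges and thresholds are constructed, and the assumption that only the first covering sensor is applied to a packet is stated in the code.

```python
"""Model of DoS sensor ordering, protected-address matching and the
per-second flood and scan thresholds described above.

Added illustration, not FortiGate code: the packet records, sensor names,
address ranges and thresholds below are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Anomaly:
    enabled: bool
    threshold: int          # packets per second for the flood/scan anomalies
    action: str = "block"   # pass | block
    logging: bool = True


@dataclass
class DoSSensor:
    name: str
    anomalies: dict                                  # anomaly name -> Anomaly
    protected: list = field(default_factory=list)    # (dst_net, dst_port, src_net)

    def covers(self, src, dst, dport):
        """Traffic matches when all three attributes of any table entry match;
        0.0.0.0/0 matches any address and port 0 matches any port. A sensor
        with an empty table matches nothing."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(d in ipaddress.ip_network(dn) and s in ipaddress.ip_network(sn)
                   and port in (0, dport)
                   for dn, port, sn in self.protected)


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds
    proto: str      # tcp | udp | icmp
    src: str
    dst: str
    dport: int = 0
    syn: bool = False


# Rate anomalies from the table above: which packets count, and whether the
# count is kept per destination (flood) or per source (scan/sweep).
RATE_ANOMALIES = {
    "tcp_syn_flood": (lambda p: p.proto == "tcp" and p.syn, "dst"),
    "tcp_port_scan": (lambda p: p.proto == "tcp" and p.syn, "src"),
    "udp_flood":     (lambda p: p.proto == "udp", "dst"),
    "udp_scan":      (lambda p: p.proto == "udp", "src"),
    "icmp_flood":    (lambda p: p.proto == "icmp", "dst"),
    "icmp_sweep":    (lambda p: p.proto == "icmp", "src"),
}


def first_sensor(sensors, pkt):
    """Sensors are consulted top to bottom; the first one whose protected
    address table covers the packet is applied (assumed: later sensors are
    not consulted for that packet, which is why a catch-all sensor at the
    top shadows every sensor below it)."""
    for sensor in sensors:
        if sensor.covers(pkt.src, pkt.dst, pkt.dport):
            return sensor
    return None


def detect(sensors, packets):
    """Count matching packets per (sensor, anomaly, address, whole second) and
    report each count that exceeds the configured threshold."""
    counts = defaultdict(int)
    by_name = {s.name: s for s in sensors}
    for pkt in packets:
        sensor = first_sensor(sensors, pkt)
        if sensor is None:
            continue
        for aname, (pred, key) in RATE_ANOMALIES.items():
            conf = sensor.anomalies.get(aname)
            if conf is None or not conf.enabled or not pred(pkt):
                continue
            addr = pkt.dst if key == "dst" else pkt.src
            counts[(sensor.name, aname, addr, int(pkt.ts))] += 1
    events = []
    for (sname, aname, addr, sec), n in sorted(counts.items()):
        conf = by_name[sname].anomalies[aname]
        if n > conf.threshold:
            events.append((sname, aname, addr, sec, n, conf.action))
    return events


# Constructed sensors: a specific one for a web server and a general one.
WEB_SERVER = DoSSensor("web_server",
                       {"tcp_syn_flood": Anomaly(True, 20), "tcp_port_scan": Anomaly(True, 10)},
                       [("192.0.2.10/32", 80, "0.0.0.0/0")])
GENERAL = DoSSensor("general",
                    {"tcp_syn_flood": Anomaly(True, 2000), "tcp_port_scan": Anomaly(True, 10)},
                    [("0.0.0.0/0", 0, "0.0.0.0/0")])

# Constructed traffic, all inside the same one-second window: 25 SYNs from
# distinct sources to the web server, and one host probing 15 ports elsewhere.
TRAFFIC = [Packet(0.03 * i, "tcp", f"10.0.0.{i + 1}", "192.0.2.10", 80, syn=True) for i in range(25)]
TRAFFIC += [Packet(0.5 + 0.01 * i, "tcp", "203.0.113.5", "192.0.2.20", 1 + i, syn=True) for i in range(15)]
```

Running detect() with the sensors ordered [WEB_SERVER, GENERAL] reports both the SYN flood against the web server and the port scan; with [GENERAL, WEB_SERVER] the catch-all sensor absorbs every packet and its high tcp_syn_flood threshold hides the flood, which is exactly the ordering mistake the text warns about.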
Web Filter
The three main sections of the web filtering function, the Web Filter Content
Block, the URL Filter, and the FortiGuard Web filter, interact with each other in
such a way as to provide maximum control and protection for the Internet users.
If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is
configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• Order of web filtering
• How web filtering works
• Web filter controls
• Content block
• URL filter
• FortiGuard - Web Filter
Note: Enabled means that the filter will be used when you turn on web filtering. It does not
mean that the filter is turned on. To turn on all enabled filters you must go to Firewall>
Protection Profile.
Table 43: Web filter and Protection Profile web content block configuration
Table 44: Web filter and Protection Profile web URL filtering configuration
Table 45: Web filter and Protection Profile web script filtering and download
configuration
Table 46: Web filter and Protection Profile web category filtering configuration
Note: If virtual domains are enabled on the FortiGate unit, web filtering features are
configured globally. To access these features, select Global Configuration on the main
menu.
Content block
Control web content by blocking specific words or patterns. If enabled in the
protection profile, the FortiGate unit searches for words or patterns on requested
web pages. If matches are found, values assigned to the words are totalled. If a
user-defined threshold value is exceeded, the web page is blocked.
Use Perl regular expressions or wildcards to add banned word patterns to the list.
See “Using wildcards and Perl regular expressions” on page 511.
Note: Perl regular expression patterns are case sensitive for Web Filter content block. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i blocks all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.
The web content block list catalogue has the following icons and features:
Create New Select Create New to add a new web content block list to the catalog.
Name The available web content block lists.
# Entries The number of content patterns in each web content block list.
Profiles The protection profiles each web content block list has been applied
to.
Comment Optional description of each web content block list. The comment text
must be less than 63 characters long. Otherwise, it will be truncated.
Spaces will also be replaced by the plus sign ( + ).
Delete icon Select to remove the web content block list from the catalog. The
delete icon is only available if the web content block list is not
selected in any protection profiles.
Edit icon Select to edit the web content block list, list name, or list comment.
Select web content block lists in protection profiles. For more information, see
“Web Filtering options” on page 369.
Note: Enable Web Filtering > Web Content Block in a firewall Protection Profile to activate
the content block settings.
The web content block list has the following icons and features:
Name Web content block list name. To change the name, edit text in the name
field and select OK.
Comment Optional comment. To add or edit comment, enter text in comment field
and select OK.
Create new Select to add a pattern to the web content block list.
Total The number of patterns in the web content block list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Remove All Entries icon Select to clear the table.
Banned word The current list of patterns. Select the check box to enable all the
patterns in the list.
Pattern type The pattern type used in the pattern list entry. Choose from wildcard or
regular expression. See “Using wildcards and Perl regular expressions”
on page 511.
Language The character set to which the pattern belongs: Simplified Chinese,
Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Score A numerical weighting applied to the pattern. The score values of all the
matching patterns appearing on a page are added, and if the total is
greater than the threshold value set in the protection profile, the page is
blocked.
Delete icon Select to delete an entry from the list.
Edit icon Select to edit the following information: Banned Word, Pattern Type,
Language, and Enable.
Banned Word Enter the content block pattern. For a single word, the FortiGate
checks all web pages for that word. For a phrase, the FortiGate
checks all web pages for any word in the phrase. For a phrase in
quotation marks, the FortiGate unit checks all web pages for the
entire phrase.
Pattern Type Select a pattern type from the dropdown list: Wildcard or regular
Expression.
Language Select a language from the dropdown list.
Score Enter a score for the pattern.
Enable Select to enable the pattern.
The web content exempt list catalogue has the following icons and features:
Create New Select Create New to add a new web content exempt list to the catalog.
Name The available web content exempt lists.
# Entries The number of content patterns in each web content exempt list.
Profiles The protection profiles each web content exempt list has been applied to.
Comment Optional description of each web content exempt list.
Delete icon Select to remove the web content exempt list from the catalog. The
delete icon is only available if the web content exempt list is not selected
in any protection profiles.
Edit icon Select to edit the web content exempt list, list name, or list comment.
Select web content exempt lists in protection profiles. For more information, see
“Web Filtering options” on page 369.
Note: Enable Web Filtering > Web Content Exempt in a firewall Protection Profile to
activate the content exempt settings.
The web content exempt list has the following icons and features:
Name Web content exempt list name. To change the name, edit text in the
name field and select OK.
Comment Optional comment. To add or edit comment, enter text in comment field
and select OK.
Create new Select to add a pattern to the web content exempt list.
Total The number of patterns in the web content exempt list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Remove All Entries icon Select to clear the table.
Pattern The current list of patterns. Select the check box to enable all the
patterns in the list.
Pattern type The pattern type used in the pattern list entry. Choose from wildcard or
regular expression. See “Using wildcards and Perl regular expressions”
on page 511.
Language The character set to which the pattern belongs: Simplified Chinese,
Traditional Chinese, French, Japanese, Korean, Thai, or Western.
Delete icon Select to delete an entry from the list.
Edit icon Select to edit the following information: Pattern, Pattern Type, Language,
and Enable.
Pattern Enter the content exempt pattern. For a single word, the FortiGate
checks all web pages for that word. For a phrase, the FortiGate
checks all web pages for any word in the phrase. For a phrase in
quotation marks, the FortiGate unit checks all web pages for the
entire phrase.
Pattern Type Select a pattern type from the dropdown list: Wildcard or regular
Expression.
Language Select a language from the dropdown list.
Enable Select to enable the pattern.
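The scoring rules above (each matching banned-word pattern contributes its score once, the page is blocked when the total exceeds the protection profile threshold, wildcard patterns are case-insensitive while Perl regular expressions are case-sensitive unless written /pattern/i, and single words, unquoted phrases and quoted phrases match differently) can be exercised on sample text. The following is an added example written for this page, not FortiGate code: the banned words, scores, threshold and page text are constructed, the wildcard syntax (* and ?) and the rule that a matching exempt-list pattern stops the page from being blocked are assumptions stated in the code.

```python
"""Model of web content block scoring with wildcard and Perl-style regular
expression patterns, plus the web content exempt list.

Added illustration, not FortiGate code: the banned words, scores, threshold
and page text are constructed; how the exempt list interacts with scoring
is an assumption stated in evaluate_page().
"""
import re
from dataclasses import dataclass


def wildcard_regex(text):
    """Wildcard patterns are case-insensitive: '*' matches any run of
    characters and '?' any single character (assumed wildcard syntax)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in text)
    return re.compile(r"\b" + body + r"\b", re.IGNORECASE)


def compile_pattern(text, pattern_type):
    """Return the regexes that make up one list entry.

    Wildcard entries follow the banned-word rules above: a single word matches
    that word, an unquoted phrase matches any one of its words, and a phrase in
    quotation marks matches the whole phrase. Regular expression entries are
    case-sensitive unless written /pattern/i, as in /bad language/i."""
    if pattern_type == "regexp":
        m = re.fullmatch(r"/(.*)/([a-z]*)", text)
        if m:
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            return [re.compile(m.group(1), flags)]
        return [re.compile(text)]
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return [wildcard_regex(text[1:-1])]
    return [wildcard_regex(word) for word in text.split()]


@dataclass
class Entry:
    text: str
    pattern_type: str        # wildcard | regexp
    score: int = 0           # exempt-list entries carry no score
    enabled: bool = True

    def matches(self, page):
        return self.enabled and any(rx.search(page) for rx in compile_pattern(self.text, self.pattern_type))


def evaluate_page(page, banned, threshold, exempt=()):
    """Sum the score of every matching banned pattern once per pattern; the
    page is blocked when the total exceeds the protection profile threshold.
    Assumption: a page matching any enabled exempt-list pattern is never
    blocked by content block, whatever its score."""
    matched = [e for e in banned if e.matches(page)]
    score = sum(e.score for e in matched)
    is_exempt = any(e.matches(page) for e in exempt)
    return {
        "score": score,
        "matched": [e.text for e in matched],
        "exempt": is_exempt,
        "blocked": score > threshold and not is_exempt,
    }


# Constructed lists and pages.
BANNED = [
    Entry("casino", "wildcard", 40),
    Entry("free money", "wildcard", 30),       # matches "free" or "money"
    Entry('"buy now"', "wildcard", 20),        # matches the whole phrase only
    Entry("/jackpot/i", "regexp", 30),         # case-insensitive regex
    Entry("lottery", "regexp", 15),            # case-sensitive regex
]
EXEMPT = [Entry("research", "wildcard")]
THRESHOLD = 100

SPAM_PAGE = "Win a JACKPOT at our online casino. Buy now, free spins!"
NEWS_PAGE = "Company lottery results and Lottery winners announced"
STUDY_PAGE = "Casino gambling research report, free download"
```

SPAM_PAGE accumulates 120 points and is blocked; NEWS_PAGE scores only 15 because the case-sensitive "lottery" regex counts once however many times it appears; STUDY_PAGE scores 70 but is passed because the exempt pattern matches.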
URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add
patterns using text and regular expressions (or wildcard characters) to allow or
block URLs. The FortiGate unit allows or blocks web pages matching any
specified URLs or patterns and displays a replacement message instead.
Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the
URL filter settings.
Note: URL blocking does not block access to other services that users can access with a
web browser. For example, URL blocking does not block access to
ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.
The URL filter list catalogue has the following icons and features:
Create New Select Create New to add a new URL filter list to the catalog.
Name The available URL filter lists.
# Entries The number of URL patterns in each URL filter list.
Profiles The protection profiles each URL filter list has been applied to.
Comment Optional description of each URL filter list.
Delete icon Select to remove the URL filter list from the catalog. The delete icon
is only available if the URL filter list is not selected in any protection
profiles.
Edit icon Select to edit the URL filter list, list name, or list comment.
Select URL filter lists in protection profiles. For more information, see “Web
Filtering options” on page 369.
The URL filter list has the following icons and features:
Name URL filter list name. To change the name, edit text in the name field
and select OK.
Comment Optional comment. To add or edit comment, enter text in comment
field and select OK.
Create New Select to add a URL to the URL filter list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Clear All URL Filters icon Select to clear the table.
URL The current list of blocked/exempt URLs. Select the check box to
enable all the URLs in the list.
Type The type of URL: Simple or Regex (regular expression).
Action The action taken when the URL matches: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other
web filters.
An exempt match stops all further checking including AV
scanning.
A block match blocks the URL and no further checking will be
done.
Delete icon Select to remove an entry from the list.
Edit icon Select to edit the following information: URL, Type, Action, and
Enable.
Move icon Select to open the Move URL Filter dialog box.
Note: Type a top-level domain suffix (for example, “com” without the leading period) to
block access to all URLs with this suffix.
To add a URL to the URL filter list go to Web Filter > URL Filter. Select Create
New or edit an existing list.
URL Enter the URL. Do not include http://. For details about URL
formats, see “URL formats” on page 490.
Type Select a type from the dropdown list: Simple or Regex (regular
expression).
Action Select an action from the dropdown list: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web
filters.
An exempt match stops all further checking including AV
scanning.
A block match blocks the URL and no further checking will be
done.
Enable Select to enable the URL.
URL formats
When adding a URL to the URL filter list (see “Configuring the URL filter list” on
page 489), follow these rules:
Note: URLs with an action set to exempt are not scanned for viruses. If users on
the network download files through the FortiGate unit from a trusted website, add
the URL of that website to the URL filter list with the action set to exempt so
that the FortiGate unit does not virus scan files downloaded from it.
Note: Enable Web Filtering > Web URL Filter > HTTP or HTTPS in a firewall Protection
Profile to activate the web URL filter settings for HTTP and/or HTTPS traffic.
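The URL filter semantics above (entries checked in list order, Simple versus Regex types, a bare top-level domain suffix such as "com" blocking every host under it, and the three actions with their different effects on later checks, including the exempt action skipping antivirus scanning) are shown in the following added example written for this page. It is not FortiGate code: the list entries and URLs are constructed, and because the "URL formats" rules are not reproduced on this page, the Simple matching rule used here (host equal to or ending in the entry's host, path starting with the entry's path) is an assumption.

```python
"""Model of URL filter list evaluation: Simple and Regex entries, the
Allow / Block / Exempt actions and their effect on later checks.

Added illustration, not FortiGate code: the list entries and URLs are
constructed, and the Simple matching rule (host equal to or ending in the
entry's host, path starting with the entry's path) is an assumption.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class UrlEntry:
    url: str            # entered without http://
    kind: str           # Simple | Regex
    action: str         # Allow | Block | Exempt
    enabled: bool = True

    def matches(self, host, path):
        if not self.enabled:
            return False
        if self.kind == "Regex":
            return re.search(self.url, host + path) is not None
        e_host, _, e_path = self.url.lower().partition("/")
        # A bare suffix such as "com" covers every host under that top-level domain.
        host_ok = host == e_host or host.endswith("." + e_host)
        path_ok = path.startswith("/" + e_path) if e_path else True
        return host_ok and path_ok


def split_url(url):
    """Normalise a requested URL to (lower-case host, path)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def url_filter(url, entries):
    """Walk the list in order and stop at the first match.

    Allow: leave the URL filter and continue with the other web filters.
    Exempt: stop all further checking, including antivirus scanning.
    Block: block the URL; nothing else is checked.
    No match: continue with the other web filters."""
    host, path = split_url(url)
    for entry in entries:
        if entry.matches(host, path):
            if entry.action == "Allow":
                return {"action": "Allow", "matched": entry.url, "web_filters": True, "av_scan": True}
            if entry.action == "Exempt":
                return {"action": "Exempt", "matched": entry.url, "web_filters": False, "av_scan": False}
            return {"action": "Block", "matched": entry.url, "web_filters": False, "av_scan": False}
    return {"action": None, "matched": None, "web_filters": True, "av_scan": True}


# Constructed list. Order matters: the Exempt entry for the download
# directory sits above the broader Allow entry for the same domain, and the
# Allow entry sits above the casino regex, so casino.example.com is allowed.
URL_LIST = [
    UrlEntry("www.example.com/downloads", "Simple", "Exempt"),
    UrlEntry("example.com", "Simple", "Allow"),
    UrlEntry(r".*casino.*", "Regex", "Block"),
    UrlEntry("info", "Simple", "Block"),   # top-level domain suffix, no leading period
]
```

Note the security consequence of the first entry: anything fetched from www.example.com/downloads leaves the filter with av_scan set to False, which is why exempt entries should be limited to sites whose downloads you genuinely trust.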
Off-site URLs This option defines whether the override web page will display
images and other content from blocked off-site URLs.
For example, if all FortiGuard categories are blocked and you want to
visit a site whose images are served from a different domain, you can
create a directory override for the site and view the page. If the
off-site option is set to deny, all the images on the page appear broken
because they come from a different domain that the existing override rule
does not cover. If you set the off-site option to allow, the images on the
page are displayed.
Only users within the scope of the page override can see the images from
the temporary override. Those users still cannot view any pages on the
sites the images come from (unless the pages are served from the same
directory as the images) without creating a new override rule.
Override End Time Specify when the override rule will end.
To create an override for categories, go to Web Filter > FortiGuard - Web Filter >
Override.
Scope Select one of the following: User, User Group, IP, or Profile.
Depending on the option selected, a different option appears
below Scope.
User Enter the name of the user selected in Scope.
User Group Select a user group from the dropdown list.
IP Enter the IP address of the computer initiating the override.
Profile Select a protection profile from the dropdown list.
Off-site URLs Select Allow or Block. See the previous table for details about off-
site URLs.
Override End Time Specify when the override rule will end.
The local ratings list has the following icons and features:
Category The category or classification in which the URL has been placed.
If the URL is rated in more than one category or classification,
trailing dots appear. Select the gray funnel to open the Category
Filter dialog box. When the list has been filtered, the funnel
changes to green.
Delete icon Select to remove the entry from the list.
Edit icon Select to edit the following information: URL, Category Rating, and
Classification Rating.
Note: FortiGuard Web Filtering reports are only available on FortiGate units with a hard
disk.
Generate a text and pie chart format report on FortiGuard Web Filtering for any
protection profile. The FortiGate unit maintains statistics for allowed, blocked, and
monitored web pages for each category. View reports for a range of hours or days,
or view a complete report of all activity.
To create a web filter report go to Web Filter > FortiGuard - Web Filter >
Reports.
Antispam
This section explains how to configure the spam filtering options associated with a
firewall protection profile.
If you enable virtual domains (VDOMs) on the FortiGate unit, Antispam is
configured separately for each virtual domain. For details, see “Using virtual
domains” on page 95.
This section describes:
• Antispam
• Banned word
• Black/White List
• Advanced antispam configuration
• Using wildcards and Perl regular expressions
Antispam
You can configure the FortiGate unit to manage unsolicited commercial email by
detecting and identifying spam transmissions from known or suspected spam
servers.
The FortiGuard Antispam service from Fortinet is designed to manage spam. This
service includes an IP address black list, a URL black list, and spam filtering tools.
The FortiGuard Center accepts submission of spam email messages as well as
reports of false positives. For more information on the FortiGuard Center, visit the
FortiGuard Center website at www.fortiguardcenter.com.
Table 47: AntiSpam and Protection Profile spam filtering configuration (Continued)
Banned word
Control spam by blocking email messages containing specific words or patterns. If
enabled in the protection profile, the FortiGate unit searches for words or patterns
in email messages. If matches are found, values assigned to the words are
totalled. If a user-defined threshold value is exceeded, the message is marked as
spam. If no match is found, the email message is passed along to the next filter.
Use Perl regular expressions or wildcards to add banned word patterns to the list.
Note: Perl regular expression patterns are case sensitive for antispam banned words. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.
Create New Add a new list to the catalog. For more information, see “Creating a
new banned word list” on page 503.
Name The available antispam banned word lists.
# Entries The number of entries in each antispam banned word list.
Profiles The protection profiles each antispam banned word list has been
applied to.
Comments Optional description of each antispam banned word list.
Delete icon Remove the antispam banned word list from the catalog. The delete
icon is available only if the antispam banned word list is not selected
in any protection profiles.
Edit icon Modify the antispam banned word list, list name, or list comment.
To use the banned word list, select antispam banned word lists in protection
profiles. For more information, see “Spam Filtering options” on page 373.
To view the banned word list, go to AntiSpam > Banned Word and select the edit
icon of the banned word list you want to view.
Name Banned word list name. To change the name, edit text in the name field
and select OK.
Comments Optional comment. To add or edit comment, enter text in comment field
and select OK.
Create New Select to add a word or phrase to the banned word list.
Current Page The current page number of list items that are displayed. Select the left
and right arrows to display the first, previous, next or last page of the
banned word list.
Remove All Entries icon Clear the table.
Pattern The list of banned words. Select the check box to enable all the banned
words in the list.
Pattern Type The pattern type used in the banned word list entry. Choose from
wildcard or regular expression. For more information, see “Using
wildcards and Perl regular expressions” on page 511.
Language The character set to which the banned word belongs.
Where The location where the FortiGate unit searches for the banned word:
Subject, Body, or All.
Score A numerical weighting applied to the banned word. The score values of
all the matching words appearing in an email message are added, and if
the total is greater than the Banned word check value set in the
protection profile, the email is processed according to whether the spam
action is set to Discard or Tagged in the protection profile. The score for
a banned word is counted once even if the word appears multiple times
in the email message. For more information, see “Configuring a
protection profile” on page 367.
Delete and Edit icons Delete or edit the banned word.
Pattern Enter the word or phrase you want to include in the banned word list.
Pattern Type Select the pattern type for the banned word. Choose from wildcard or
regular expression. For more information, see “Using wildcards and Perl
regular expressions” on page 511.
Language Select the character set for the banned word.
Where Select where the FortiGate unit should search for the banned word:
Subject, Body, or All.
Score A numerical weighting applied to the banned word. The score values of
all the matching words appearing in an email message are added, and if
the total is greater than the Banned word check value set in the
protection profile, the email is processed according to whether the spam
action is set to Discard or Tagged in the protection profile. The score for
a banned word is counted once even if the word appears multiple times
in the email message. For more information, see “Configuring a
protection profile” on page 367.
Enable Select to enable scanning for the banned word.
4 Select OK.
Black/White List
The FortiGate unit uses both an IP address list and an email address list to filter
incoming email, if enabled in the protection profile.
When performing an IP address list check, the FortiGate unit compares the IP
address of the message sender to the IP address list in sequence. When
performing an email list check, the FortiGate unit compares the email address of
the message sender to the email address list in sequence. If a match is found, the
action associated with the IP address or email address is taken. If no match is
found, the message is passed to the next enabled spam filter.
To view the antispam IP address list, go to AntiSpam > Black/White List > IP
Address and select the edit icon of the antispam IP address list you want to view.
Name Antispam IP address list name. To change the name, edit text in the
name field and select OK.
Comments Optional comment. To add or edit a comment, enter text in the
comments field and select OK.
Create New Add an IP address to the antispam IP address list.
Current Page The current page number of list items that are displayed. Select the
left and right arrows to display the first, previous, next or last page of
the IP address list.
Remove All Entries icon Clear the table.
IP address/Mask The list of IP addresses.
Action The action to take on email from the configured IP address. Actions
are: Spam to apply the configured spam action, Clear to bypass this
and remaining spam filters, or Reject (SMTP only) to drop the
session.
If an IP address is set to reject but mail is delivered from that IP
address via POP3 or IMAP, the email messages will be marked
as spam.
Delete icon Remove the address from the list.
Edit icon Edit address information.
Move To icon Select to move the entry to a different position in the list.
The firewall policy executes the list from top to bottom. For example, if
you have IP address 192.168.100.1 listed as spam and
192.168.100.2 listed as clear, you must put 192.168.100.1 above
192.168.100.2 for 192.168.100.1 to take effect.
To add an IP address go to AntiSpam > Black/White List > IP Address. For the IP
address list name to which you want to add an IP address, select Edit. Then select
Create New.
You enable antispam email addresses in protection profiles. For more information, see
“Spam Filtering options” on page 373.
Name Antispam email address list name. To change the name, edit text in
the name field and select OK.
Comments Optional comment. To add or edit comment, enter text in comment
field and select OK.
Create New Add an email address to the email address list.
Current Page The current page number of list items that are displayed. Select the
left and right arrows to display the first, previous, next or last page of
the email address list.
Remove All Entries icon Clear the table.
Email address The list of email addresses.
Pattern Type The pattern type used in the email address entry.
Action The action to take on email from the configured address. Actions are:
Spam to apply the spam action configured in the protection profile, or
Clear to let the email message bypass this and remaining spam
filters.
Delete icon Remove the email address from the list.
Edit icon Edit the address information.
Move To icon Move the entry to a different position in the list.
The firewall policy executes the list from top to bottom. For example,
if you have abc@example.com listed as clear and *@example.com
as spam, you must put abc@example.com above *@example.com
for abc@example.com to take effect.
Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL
or ORDBL server, it must be able to look up this name on the DNS server. For information
on configuring DNS, see “Configuring Networking Options” on page 135.
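The sequential, first-match evaluation of the IP address and email address lists described above, as an added example that is not Fortinet code. The entry classes, the whole-address matching rule for wildcard email patterns, and all list values are constructed assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IPEntry:
    """One antispam IP address list entry (constructed stand-in for the FortiOS entry)."""
    network: str   # IP address with mask, e.g. "192.168.100.1/32" or "203.0.113.0/24"
    action: str    # "spam", "clear" or "reject"


@dataclass
class EmailEntry:
    """One antispam email address list entry (constructed stand-in)."""
    pattern: str        # e.g. "abc@example.com" or "*@example.com"
    pattern_type: str   # "wildcard" or "regexp"
    action: str         # "spam" or "clear"


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard pattern ('*' = any run, '?' = one character) into a regex."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def check_ip_list(sender_ip: str, entries: List[IPEntry], protocol: str) -> Optional[str]:
    """Compare the sender IP with the list in sequence; the first match decides.
    Returns "spam", "clear" or "reject", or None when nothing matched (next filter)."""
    ip = ipaddress.ip_address(sender_ip)
    for entry in entries:
        if ip in ipaddress.ip_network(entry.network, strict=False):
            # Reject drops the session for SMTP only; mail delivered over
            # POP3 or IMAP from a rejected address is marked as spam instead.
            if entry.action == "reject" and protocol.lower() != "smtp":
                return "spam"
            return entry.action
    return None


def check_email_list(sender: str, entries: List[EmailEntry]) -> Optional[str]:
    """Compare the sender address with the list in sequence; the first match decides."""
    for entry in entries:
        if entry.pattern_type == "wildcard":
            # Assumed: a wildcard pattern must cover the whole address; wildcards ignore case.
            rx = re.compile(wildcard_to_regex(entry.pattern), re.IGNORECASE)
            matched = rx.fullmatch(sender) is not None
        else:
            # Regular expressions are case sensitive in the antispam filters.
            matched = re.search(entry.pattern, sender) is not None
        if matched:
            return entry.action
    return None


# Constructed lists. The overlapping entries show why position in the list matters:
# 192.168.100.1 is listed as spam above the /24 that clears the rest of the subnet.
IP_LIST = [
    IPEntry("192.168.100.1/32", "spam"),
    IPEntry("192.168.100.0/24", "clear"),
    IPEntry("203.0.113.0/24", "reject"),
]
EMAIL_LIST = [
    EmailEntry("abc@example.com", "wildcard", "clear"),   # must sit above *@example.com
    EmailEntry("*@example.com", "wildcard", "spam"),
    EmailEntry(r"@mail-[0-9]+\.example\.net$", "regexp", "spam"),
]

if __name__ == "__main__":
    print(check_ip_list("192.168.100.1", IP_LIST, "smtp"))    # spam
    print(check_ip_list("192.168.100.2", IP_LIST, "smtp"))    # clear
    print(check_ip_list("203.0.113.7", IP_LIST, "pop3"))      # spam (reject is SMTP only)
    print(check_email_list("abc@example.com", EMAIL_LIST))    # clear
    print(check_email_list("xyz@example.com", EMAIL_LIST))    # spam
    # Swapping the first two entries makes the more specific entry ineffective.
    print(check_ip_list("192.168.100.1", IP_LIST[1::-1] + IP_LIST[2:], "smtp"))  # clear
```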
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary.
For example, the regular expression “test” not only matches the word “test” but
also any word that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”.
The notation “\b” specifies the word boundary. To match exactly the word “test”,
the expression should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web and antispam
filters. To make a word or phrase case insensitive, use the regular expression /i.
For example, /bad language/i will block all instances of “bad language”,
regardless of case.
Expression Matches
abc “abc” (the exact character sequence, but anywhere in the string)
^abc “abc” at the beginning of the string
abc$ “abc” at the end of the string
a|b Either of “a” and “b”
^abc|abc$ The string “abc” at the beginning or at the end of the string
ab{2,4}c “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c “a” followed by at least two “b”s followed by a “c”
ab*c “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c “a” followed by one or more “b”s followed by a “c”
ab?c “a” followed by an optional “b” followed by a “c”; that is, either “abc” or “ac”
a.c “a” followed by any single character (not newline) followed by a “c”
a\.c “a.c” exactly
[abc] Any one of “a”, “b” and “c”
[Aa]bc Either of “Abc” and “abc”
[abc]+ Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”)
[^abc]+ Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”)
\d\d Any two decimal digits, such as 42; same as \d{2}
/i Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
\w+ A “word”: a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
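The banned-word scoring described under “Banned word” (scores of matching entries totalled, each entry counted once, spam only when the total is greater than the threshold) together with the word-boundary and /i case-sensitivity rules from this section, as an added example that is not Fortinet code. The entry class, the wildcard translation, and the sample list and messages are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class BannedWord:
    """One antispam banned-word entry (a constructed stand-in for the FortiOS list entry)."""
    pattern: str
    pattern_type: str  # "wildcard" or "regexp"
    where: str         # "subject", "body" or "all"
    score: int
    enabled: bool = True


def wildcard_to_regex(pattern: str) -> str:
    """Translate a wildcard pattern ('*' = any run, '?' = one character) into a regex."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def compile_entry(entry: BannedWord) -> "re.Pattern[str]":
    """Build the matcher for one entry with the case-sensitivity rules the guide states."""
    if entry.pattern_type == "wildcard":
        # Wildcard patterns are not case sensitive.
        return re.compile(wildcard_to_regex(entry.pattern), re.IGNORECASE | re.DOTALL)
    pattern, flags = entry.pattern, 0
    # Perl regular expressions are case sensitive unless written as /.../i.
    if pattern.startswith("/") and pattern.endswith("/i"):
        pattern, flags = pattern[1:-2], re.IGNORECASE
    return re.compile(pattern, flags)


def banned_word_score(subject: str, body: str, entries: List[BannedWord]) -> Tuple[int, List[str]]:
    """Total the scores of every enabled entry that matches, counting each entry once
    no matter how many times its word appears; return (total, matched patterns)."""
    fields: Dict[str, List[str]] = {"subject": [subject], "body": [body], "all": [subject, body]}
    total, hits = 0, []
    for entry in entries:
        if not entry.enabled:
            continue
        rx = compile_entry(entry)
        if any(rx.search(text) for text in fields[entry.where]):
            total += entry.score
            hits.append(entry.pattern)
    return total, hits


def classify(subject: str, body: str, entries: List[BannedWord], threshold: int,
             spam_action: str = "tagged") -> str:
    """Return the spam action ("tagged" or "discard") when the total is greater than the
    Banned word check value, otherwise "pass" (the message goes on to the next filter)."""
    total, _ = banned_word_score(subject, body, entries)
    return spam_action if total > threshold else "pass"


# Constructed banned-word list; patterns and scores are sample values, not product defaults.
BANNED_WORDS = [
    BannedWord("/bad language/i", "regexp", "all", 10),   # case insensitive via /i
    BannedWord(r"\bfree\b", "regexp", "subject", 5),      # whole word only, case sensitive
    BannedWord("*viagra*", "wildcard", "body", 20),       # wildcards ignore case
    BannedWord("cheap", "regexp", "body", 5),             # counted once even if repeated
    BannedWord("lottery", "regexp", "all", 50, enabled=False),  # disabled entries are skipped
]

if __name__ == "__main__":
    subject = "Get it free today"
    body = "Buy VIAGRA cheap cheap cheap. Bad Language here. You won the lottery!"
    print(banned_word_score(subject, body, BANNED_WORDS))          # total score 40
    print(classify(subject, body, BANNED_WORDS, threshold=30))      # tagged
    print(classify("Freedom of speech", "A nice note.", BANNED_WORDS, 30))  # pass
```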
Overview
Instant Messenger (IM), Peer to Peer (P2P), and Voice over Internet Protocol
(VoIP) protocols are gaining in popularity as an essential way to communicate
between two or more individuals in real time. Some companies even rely on IM
protocols for critical business applications such as Customer/Technical Support.
The most common IM protocols in use today include AOL Instant Messenger,
Yahoo Instant Messenger, MSN messenger, and ICQ. Although these are the
most popular ones, there are always new protocols being developed as well as
newer versions of older ones.
P2P protocols are most commonly used to transfer files from one user to another
and can use large amounts of bandwidth.
VoIP is increasingly being used by businesses to cut down on the cost of long
distance voice communications.
Some organizations need to control or limit the use of IM/P2P and VoIP protocols
in order to more effectively manage bandwidth use.
With FortiOS firmware, you can control and monitor the usage of IM/P2P
applications and VoIP protocols.
FortiOS supports two VoIP protocols: Session Initiation Protocol (SIP) and Skinny
Client Control Protocol (SCCP).
Fortinet Inc. recognizes that IM/P2P applications are becoming part of doing
business but also, if abused, can seriously decrease productivity and network
performance.
FortiGate units allow you to set up user lists that either allow or block the use of
applications, to determine which applications are allowed and how much
bandwidth can be used by the applications.
By combining comprehensive protection policies and easy-to-view statistical
reports, you can see which applications are being used and for what purpose,
making it easy to control IM/P2P applications and to maximize productivity.
The FortiOS system comes with an impressive list of supported IM/P2P protocols
and can be kept up-to-date with upgrades available for download from the Fortinet
Distribution Network. There is no need to wait for a firmware upgrade to stay ahead
of the latest protocols.
FortiOS also provides ways for you to deal with unknown protocols even before
upgrades are available. For details, see “Configuring IPS signatures for
unsupported IM/P2P protocols” on page 518.
FortiOS uses IPS signatures to detect IM/P2P/VoIP sessions. Table 49 on
page 516 lists the IM/P2P/VoIP applications that are currently recognized by
FortiOS. The table includes the IPS signatures, the applications associated with
the signatures, and the locations of the signatures.
Note: Applications in Table 49 on page 516 marked as bold can connect to multiple P2P
networks. Turning on IM and P2P signatures will help improve IPS performance. For
example, if you want to use IPS, but you do not want to block IM or P2P applications, you
should leave IM/P2P signatures enabled. Normally, if you turn off other signatures, the
performance will be better, but for IM/P2P, it is the opposite.
IPS (location) Applications
Instant Messaging
AIM (Firewall > Protection Profile > IM/P2P) AIM, AIM Triton
ICQ (Firewall > Protection Profile > IM/P2P) ICQ
MSN (Firewall > Protection Profile > IM/P2P) MSN Messenger
SIMPLE (Firewall > Protection Profile > IM/P2P) SIMPLE
qq (Intrusion Protection > Signature > Predefined > qq) QQ
Yahoo! (Firewall > Protection Profile > IM/P2P) Yahoo Messenger
msn_web_messenger (Intrusion Protection > Signature > Predefined > msn_web_messenger) MSN web Messenger
google_talk (Intrusion Protection > Signature > Predefined > google_talk) Google Instant Messenger
rediff (Intrusion Protection > Signature > Predefined > rediff) Rediff Instant Messenger
P2P
BitTorrent (Firewall > Protection Profile > IM/P2P) BitComet, Bitspirit, BitTorrent, Azureus, Shareaza
eDonkey (Firewall > Protection Profile > IM/P2P) eMule, Overnet, Edonkey2K, Shareaza, BearShare, MLdonkey, iMesh
Statistics
You can view the IM, P2P and VoIP statistics to gain insight into how the protocols
are being used within the network. Overview statistics are provided for all
supported IM, P2P and VoIP protocols. Detailed individual statistics are provided
for each IM protocol.
Automatic Refresh Interval Select the automatic refresh interval for statistics. Set the interval
from none to 30 seconds.
Refresh Click to refresh the page with the latest statistics.
Reset Stats Click to reset the statistics to zero.
Users For each IM protocol, the following user information is listed:
• Current Users
• (Users) Since Last Reset
• (Users) Blocked.
Chat For each IM protocol, the following chat information is listed:
• Total Chat Sessions
• Total Messages.
File Transfers For each IM protocol, the following file transfer information is
listed:
• (File transfers) Since Last Reset
• (File transfers) Blocked.
Voice Chat For each IM protocol, the following voice chat information is listed:
• (Voice chats) Since Last Reset
• (Voice chats) Blocked.
P2P Usage For each P2P protocol, the following usage information is listed:
• Total Bytes transferred
• Average Bandwidth.
When configuring the IM/P2P settings in a protection profile (see
“IM/P2P options” on page 378), you can select Block, Pass, or
Rate limit for the P2P protocols.
If the action for a protocol is set to Block, the statistics will be zero.
If the action for a protocol is set to pass, the statistics will display
the total usage of the P2P application by all the firewall policies.
If the action for a protocol is set to Rate Limit, the statistics will
display the total P2P usage either by all policies or a protection
profile, depending on whether your P2P rate limit settings are per
policy or per profile.
The bandwidth limit can be applied separately for each firewall
policy that uses the protection profile, or shared by all firewall
policies that use the protection profile. By default, the limit is
applied separately to each firewall policy. For information on
configuring per policy or per protection profile P2P bandwidth
limiting, see P2P rate limiting option in the FortiGate CLI
Reference.
VoIP Usage For the SIP and SCCP protocols, the following information is listed:
• Active Sessions (phones connected)
• Total calls (since last reset)
• Calls failed/Dropped
• Calls Succeeded
The IM/P2P Protocol tab has the following icons and features:
Automatic Refresh Interval Select the automatic refresh interval for statistics. Set the interval
from none to 30 seconds.
Protocol Select the protocol for which statistics are to be displayed: AIM,
ICQ, MSN, or Yahoo.
Users For the selected protocol, the following user information is
displayed: Current Users, (Users) Since Last Reset, and (Users)
Blocked.
Chat For the selected protocol, the following chat information is
displayed: Total Chat Sessions, Server-based Chat, Group Chat,
and Direct/Private Chat.
Messages For the selected protocol, the following message information is
displayed: Total Messages, (Messages) Sent, and (Messages)
Received.
File Transfers For the selected protocol, the following file transfer information is
displayed: (File transfers) Since Last Reset, (File transfers) Sent,
(File transfers) Received, and (File transfers) Blocked.
Voice Chat For the selected protocol, the following voice chat information is
displayed: (Voice chats) Since Last Reset and (Voice chats)
Blocked.
User
After IM users connect through the firewall, the FortiGate unit displays which
users are connected in the Current Users list. You can analyze the list and decide
which users to allow or block. A policy can be configured to deal with unknown
users.
Note: If virtual domains are enabled on the FortiGate unit, IM features are configured
globally. To access these features, select Global Configuration on the main menu.
Protocol Filter the list by selecting the protocol for which to display current
users: AIM, ICQ, MSN, or Yahoo. All current users can also be
displayed.
Protocol The protocol being used.
User Name The name selected by the user when registering with an IM
protocol. The same user name can be used for multiple IM
protocols. Each user name/protocol pair appears separately in the
list.
Source IP The Address from which the user initiated the IM session.
Last Login The last time the current user used the protocol.
Block Select to add the user name to the permanent black list. Each
user name/protocol pair must be explicitly blocked by the
administrator.
Protocol Select a protocol from the dropdown list: AIM, ICQ, MSN, or
Yahoo!
Username Enter a name for the user.
Policy Select a policy from the dropdown list: Allow or Block.
Automatically Allow Select the protocols that unknown users are allowed to use. The
unknown users are added to a temporary white list.
Automatically Block Select the protocols to which unknown users are denied access.
The unknown users are added to a temporary black list.
List of Temporary Users New users who have been added to the temporary white or black
lists. User information includes Protocol, Username, and the
Policy applied to the user.
Note: If the FortiGate unit is rebooted, the list is cleared.
Protocol Select a protocol by which to filter the list of temporary users.
Username The name selected by the user when registering with an IM
protocol. The same user name can be used for multiple IM
protocols. Each user name/protocol pair appears separately in the
list.
Policy The policy applied to the user when attempting to use the protocol:
Block or Deny.
Permanently Allow Select to add the user to the permanent white list. The user
remains online and is listed in IM, P2P & VoIP > Users > User List.
Permanently Block Select to add the user to the permanent black list. The user is
listed in IM, P2P & VoIP > Users > User List.
Apply Click to apply the global user policy.
Log&Report
FortiGate units provide extensive logging capabilities for traffic, system and
network protection functions. They also allow you to compile reports from the
detailed log information gathered. Reports provide historical and current analysis
of network activity to help identify security issues, reducing and preventing
network misuse and abuse.
This section provides information about how to enable logging, view log
messages, and configure reports. If you have VDOMs enabled, see “Using virtual
domains” on page 95 for more information.
The following topics are included in this section:
• FortiGate logging
• FortiGuard Analysis and Management Service
• Log severity levels
• High Availability cluster logging
• Storing logs
• Log types
• Accessing Logs
• Viewing log information
• Customizing the display of log messages
• Content Archive
• Alert Email
• Reports
Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging
may not be available because certain features do not support logging, or are not available
in Transparent mode. For example, SSL VPN events are not available in Transparent
mode.
FortiGate logging
A FortiGate unit can log many different network activities and traffic including:
• overall network traffic
• system-related events including system restarts, HA and VPN activity
• anti-virus infection and blocking
• web filtering, URL and HTTP content blocking
• signature and anomaly attack and prevention
• spam filtering
• Instant Messaging and Peer-to-Peer traffic
• VoIP telephone calls.
When customizing the logging location, you can also customize what minimum log
severity level the FortiGate unit should log these events at. There are six severity
levels to choose from. For more information, see “Log severity levels” on
page 527.
For better log storage and retrieval, the FortiGate unit can send log messages to a
FortiAnalyzer™ unit. FortiAnalyzer units provide integrated log collection, analysis
tools and data storage. Detailed log reports provide historical as well as current
analysis of network activity. Detailed log reports also help identify security issues,
reducing network misuse and abuse. The FortiGate unit can send all log message
types, including quarantine files and content archives, to a FortiAnalyzer unit for
storage. The FortiAnalyzer unit can upload log files to an FTP server for archival
purposes. For more information about configuring the FortiGate unit to send log
messages to a FortiAnalyzer unit, see “Logging to a FortiAnalyzer unit” on
page 529.
If you have a subscription for the FortiGuard Analysis and Management Service,
your FortiGate unit can send logs to a FortiGuard Analysis server. This service
provides another way to store and view logs, as well as archiving email
messages. For more information, see “FortiGuard Analysis and Management
Service” on page 526. Fortinet recommends reviewing the FortiGuard Analysis
and Management Service Administration Guide to learn more about the logging,
reporting, and remote management features from the FortiGuard Analysis and
Management Service portal web site.
The FortiGate unit can also send log messages to either a Syslog server or
WebTrends server for storage and archival purposes. If your FortiGate unit has a
hard disk, you can also send logs to it by using the CLI. For more information
about configuring logging to the hard disk, see the FortiGate CLI Reference.
In the FortiGate web-based manager, you can view log messages available in
system memory, on a FortiAnalyzer unit running firmware version 3.0 or higher, or,
if available, the hard disk. You can use customizable filters to easily locate specific
information within the log files.
For details and descriptions of log messages and formats, see the FortiGate Log
Message Reference.
When the FortiGate unit connects to the logging and reporting network for the first
time, it retrieves its assigned primary analysis server, contract term, and storage
space quota from the main analysis server. The main analysis server contains this
information so it can maintain and monitor the status of each of the servers.
After configuring logging to the assigned primary analysis server, the FortiGate
unit begins sending encrypted logs to the primary analysis server through TCP
port 514. The connection between the main analysis server and the FortiGate unit
is secured using FCP over HTTPS, through port 443.
Fortinet recommends reviewing the FortiGuard Analysis and Management
Service Administration Guide because it contains very detailed information about
this FortiGuard service. This administration guide contains information about:
• registering your FortiGate unit, or multiple FortiGate units, for this FortiGuard
service
• enabling this FortiGuard service on your FortiGate unit
• configuring remote management and logging and reporting.
Note: After upgrading your FortiGate firmware, you need to re-enter your account ID and
then update the service to re-connect to the servers that support logging and reporting. You
may need to update the service from the portal web site as well.
Levels Description
0 - Emergency The system has become unstable.
1 - Alert Immediate action is required.
2 - Critical Functionality is affected.
3 - Error An error condition exists and functionality could be affected.
4 - Warning Functionality could be affected.
5 - Notification Information about normal events.
6 - Information General information about system operations.
The Debug severity level, not shown in Table 50, is rarely used. It is the lowest log
severity level and usually contains some firmware status information that is useful
when the FortiGate unit is not functioning properly. Debug log messages are
generated only if the log severity level is set to Debug. Debug log messages are
generated by all types of FortiGate features.
Storing logs
The type and frequency of log messages you intend to save determines the type
of log storage to use. For example, if you want to log traffic and content logs, you
need to configure the FortiGate unit to log to a FortiAnalyzer unit or Syslog server.
The FortiGate system memory is unable to log traffic and content logs because of
their frequency and large file size.
Storing log messages to one or more locations, such as a FortiAnalyzer unit or
Syslog server, may be a better solution for your logging requirements than the
FortiGate system memory. Configuring your FortiGate unit to log to a FortiGuard
Analysis server may also be a better log storage solution if you do not have a
FortiAnalyzer unit and want to create reports. This particular log storage solution
is available to all FortiGate units running FortiOS 3.0 MR6 or higher, through a
subscription to the FortiGuard Analysis and Management Service. For more
information, see “FortiGuard Analysis and Management Service” on page 526.
If your FortiGate unit has a hard disk, you can also enable logging to the hard disk
from the CLI. See the FortiGate CLI Reference for more information before
enabling logging to the hard disk.
If you require logging to multiple FortiAnalyzer units or Syslog servers, see the
FortiGate CLI Reference.
Note: Daylight Saving Time (DST) is now extended by four weeks in the United States and
Canada and may affect your location. It is recommended to verify if your location observes
this change, since it affects the scope of the report. Fortinet has released supporting
firmware. See the Fortinet Knowledge Center article, New Daylight Saving Time support,
for more information.
Note: You cannot configure a FortiAnalyzer unit to be a backup solution for the FortiGuard
Analysis server, and vice versa. If you require a backup solution for one of these logging
devices, using a Syslog server or WebTrends server is preferred.
Note: If your FortiGate unit is in Transparent mode, you must modify the interface in the CLI
before Automatic Discovery can carry traffic. Use the procedure in the Fortinet Knowledge
Center article, Fortinet Discovery Protocol in Transparent mode, to enable the interface to
also carry traffic when using the Automatic Discovery feature.
You can also test the connection status between the FortiGate unit and the
FortiAnalyzer unit by using the following CLI command:
execute log fortianalyzer test-connectivity
The command displays the connection status and the amount of disk usage in
percent. For more information, see the FortiGate CLI Reference.
Note: The test connectivity feature also provides a warning when a FortiGate unit requires
a higher-end FortiAnalyzer unit or when the maximum number of VDOMs/FortiGate units
has been reached on the FortiAnalyzer unit.
Overwrite oldest logs Deletes the oldest log entry and continues logging when the
maximum log disk space is reached.
Do not log Stops log messages going to the FortiGuard Analysis server when
the maximum log disk space is reached.
Logging to memory
The FortiGate system memory has a limited capacity for log messages. The
FortiGate system memory displays only the most recent log entries. It does not
store traffic and content logs in system memory due to their size and the
frequency of log entries. When the system memory is full, the FortiGate unit
overwrites the oldest messages. All log entries are cleared when the FortiGate
unit restarts.
If your FortiGate unit has a hard disk, use the CLI to enable logging to it. You can
also upload logs stored on the hard disk to a FortiAnalyzer unit. For more
information, see the FortiGate CLI Reference.
Note: You can configure logging to an AMC disk and schedule when to upload logs to a
FortiAnalyzer unit.
The AMC disk is available on FortiGate-3600A, FortiGate-3016B and FortiGate-3810A
units.
5 Select Apply.
Note: If more than one Syslog server is configured, the Syslog servers and their settings
appear on the Log Settings page. You can configure multiple Syslog servers in the CLI. For
more information, see the FortiGate CLI Reference.
Logging to WebTrends
WebTrends is a remote computer running a NetIQ WebTrends firewall reporting
server. FortiGate log formats comply with WebTrends Enhanced Log Format
(WELF) and are compatible with NetIQ WebTrends Security Reporting Center and
Firewall Suite 4.1.
Use the CLI to configure the FortiGate unit to send log messages to WebTrends.
After logging into the CLI, enter the following commands:
config log webtrends setting
set server <address_ipv4>
set status {disable | enable}
end
Example
This example shows how to enable logging to a WebTrends server and to set an
IP address for the server.
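As an added example (not code from the FortiGate Administration Guide or from Fortinet), the following Python parser reads WELF records of the kind a WELF-compatible reporting server consumes: whitespace-separated key=value pairs, with a double-quoted value wherever the value contains spaces, and the four fields the WELF specification makes mandatory (id, time, fw, pri). The sample records, the firewall name FG-HQ and the field names beyond the mandatory four are constructed for this example and do not claim to reproduce the FortiGate unit's exact WELF output. A record missing a mandatory field is rejected instead of being ingested with blanks, which is the check a collector should make before any report is built on the data.

```python
"""Parse WebTrends Enhanced Log Format (WELF) records.

Added example, not from the FortiGate Administration Guide or Fortinet. WELF
records are whitespace-separated key=value pairs; values containing spaces are
double-quoted. The sample records below are constructed for this example and do
not reproduce FortiGate's exact field set.
"""
import re
from datetime import datetime

# One key=value pair; the value is either a double-quoted string (which may
# contain spaces and escaped quotes) or a run of non-space characters.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# WELF mandates these four fields on every record.
REQUIRED_FIELDS = ("id", "time", "fw", "pri")

# Constructed sample: two firewall-style WELF records and one malformed record.
SAMPLE_RECORDS = [
    'id=firewall time="2007-02-16 12:30:54" fw=FG-HQ pri=5 rule=3 proto=http '
    'src=10.1.1.5 dst=203.0.113.7 dstport=80 sent=1200 rcvd=48000 msg="policy accept"',
    'id=firewall time="2007-02-16 12:31:02" fw=FG-HQ pri=4 rule=0 proto=tcp '
    'src=10.1.1.9 dst=203.0.113.9 dstport=23 sent=60 rcvd=0 msg="policy deny"',
    'id=firewall fw=FG-HQ pri=6 msg="missing time field"',
]


def parse_welf(line):
    """Return a dict of fields from one WELF line.

    Raises ValueError if a mandatory WELF field is absent, so a malformed
    record is rejected rather than silently ingested with blank fields.
    """
    fields = {}
    for key, raw in _PAIR.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError("record lacks mandatory WELF field(s): %s" % ", ".join(missing))
    # WELF time is "YYYY-MM-DD HH:MM:SS"; pri is the syslog-style 0-7 level.
    fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
    fields["pri"] = int(fields["pri"])
    for numeric in ("sent", "rcvd", "dstport"):
        if numeric in fields:
            fields[numeric] = int(fields[numeric])
    return fields


def parse_all(lines):
    """Parse many lines; return (records, rejected) so bad input stays visible."""
    records, rejected = [], []
    for line in lines:
        try:
            records.append(parse_welf(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return records, rejected


if __name__ == "__main__":
    ok, bad = parse_all(SAMPLE_RECORDS)
    for rec in ok:
        print(rec["time"], rec["fw"], rec["pri"], rec["msg"])
    for line, reason in bad:
        print("rejected:", reason)
```

The parser keeps rejected lines with the reason, so a gap between what the FortiGate unit sent and what the reporting server accepted can be accounted for rather than going unnoticed.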
Log types
The FortiGate unit provides a wide range of features to log, enabling you to better
monitor activity that is occurring on your network. For example, you can enable
logging of IM/P2P features, to obtain detailed information on the activity occurring
on your network where IM/P2P programs are used.
This topic also provides details on each log type and explains how to enable
logging of the log type.
Before enabling FortiGate features, you need to configure what type of logging
device will store the logs. For more information, see “Storing logs” on page 528.
Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging
may not be available because they do not support logging, or are not available in
Transparent mode. For example, SSL VPN events are not available in Transparent mode.
Traffic log
The Traffic log records all the traffic to and through the FortiGate interfaces. You
can configure logging of traffic controlled by firewall policies and for traffic
between any source and destination addresses. You can also filter to customize
the traffic logged:
• Allowed traffic – The FortiGate unit logs all traffic that is allowed according to
the firewall policy settings.
• Violation traffic – The FortiGate unit logs all traffic that violates the firewall
policy settings.
If you are logging “other-traffic”, the FortiGate unit will incur a higher system load
because “other-traffic” logs log individual traffic packets. Fortinet recommends
logging firewall policy traffic since it minimizes the load. Logging “other-traffic” is
disabled by default.
Note: You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages. Traffic log messages generally have a severity level
no higher than Notification. If VDOMs are in Transparent mode, make sure that VDOM
allows access for enabling traffic logs.
Event log
The Event Log records management and activity events, such as when a
configuration has changed, or VPN and High Availability (HA) events occur.
When you are logged into VDOMs that are in Transparent mode, or if all VDOMs
are in Transparent mode, certain options may not be available such as VIP ssl
event or CPU and memory usage event. You can enable event logs only when you
are logged in to a VDOM; you cannot enable event logs in the root VDOM.
System Activity event – All system-related events, such as ping server failure and gateway status.
IPSec negotiation event – All IPSec negotiation events, such as progress and error reports.
DHCP service event – All DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event – All protocol-related events, such as manager and socket creation processes.
Admin event – All administrative events, such as user logins, resets, and configuration updates.
HA activity event – All high availability events, such as link, member, and state information.
Firewall authentication event – All firewall-related events, such as user authentication.
Pattern update event – All pattern update events, such as antivirus and IPS pattern updates and update failures.
SSL VPN user authentication event – All user authentication events for an SSL VPN connection, such as logging in, logging out and timeout due to inactivity.
SSL VPN administration event – All administration events related to SSL VPN, such as SSL configuration and CA certificate loading and removal.
SSL VPN session event – All session activity, such as application launches and blocks, timeouts, and verifications.
VIP ssl event – All server load balancing events happening during an SSL session, especially details about handshaking.
VIP server health monitor event – All VIP server health monitor events that occur when the VIP health monitor is configured, such as an interface failure.
CPU & memory usage (every 5 min) – All real-time CPU and memory events, at 5-minute intervals.
4 Select Apply.
Antivirus log
The Antivirus log records virus incidents in Web, FTP, and email traffic. For
example, when the FortiGate unit detects an infected file, blocks a file type, or
blocks an oversized file or email, it records an antivirus log message. You can
also apply filters to customize what the FortiGate unit logs, which are:
• Viruses – The FortiGate unit logs all virus infections.
• Blocked Files – The FortiGate unit logs all instances of blocked files.
• Oversized Files/Emails – The FortiGate unit logs all instances of files and
email messages exceeding defined thresholds.
• AV Monitor – The FortiGate unit logs all instances of viruses, blocked files,
and oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP,
and IM traffic.
Note: Make sure attack signature and attack anomaly DoS sensor settings are enabled to
log the attack. The logging options for the signatures included with the FortiGate unit are
set by default. Ensure any custom signatures also have the logging option enabled. For
more information, see “Intrusion Protection” on page 463.
VoIP log
You can log Voice over Internet Protocol (VoIP) calls. You can also configure VoIP
rate limiting for Session Initiation Protocol (SIP) and Skinny Client Control Protocol
(SCCP, also called Skinny). SIP and SCCP are two types of VoIP protocols.
Rate limiting is generally different between SCCP and SIP. For SIP, rate limiting is
for that SIP traffic flowing through the FortiGate unit. For SCCP, the call setup rate
is between the FortiGate unit and the clients because the call manager normally
resides on the opposite side of the FortiGate unit from the clients.
Accessing Logs
You can use the Log Access feature in the FortiGate web-based manager to view
logs stored in memory, on a hard disk, or stored on a FortiAnalyzer unit running
FortiAnalyzer 3.0, or on the FortiGuard Analysis server.
Log Access provides tabs for viewing logs according to these locations. Each tab
provides options for viewing log messages, such as search and filtering options,
and choice of log type. The Remote tab displays logs stored on either the
FortiGuard Analysis server or FortiAnalyzer unit.
For the FortiGate unit to access logs on a FortiAnalyzer unit, the FortiAnalyzer
unit must run firmware version 3.0 or higher.
Log Type – Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
File name – The names of the log files of the displayed Log Type stored on the FortiGate hard disk. When a log file reaches its maximum size, the FortiGate unit saves the log file with an incremental number and starts a new log file with the same name. For example, if the current attack log is alog.log, any subsequent saved logs appear as alog.n, where n is the number of rolled logs.
Size (bytes) – The size of the log file in bytes.
Last access time – The time a log message was recorded on the FortiGate unit. The time is in the format name of day month date hh:mm:ss yyyy, for example Fri Feb 16 12:30:54 2007.
Clear log icon – Clear the current log file. Clearing deletes only the current log messages of that log file. The log file is not deleted.
Download icon – Download the log file or rolled log file. Select either the Download file in Normal format link or the Download file in CSV format link. Select the Return link to return to the Disk tab page. Downloading the current log file includes only current log messages.
View icon – Display the log file in the Log Access menu.
Delete icon – Delete rolled logs. It is recommended to download the rolled log file before deleting it because the rolled log file cannot be retrieved after deleting it.
Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs
from the FortiGate unit.
Log Type – Select the type of log you want to view. Some log files, such as the traffic log, cannot be stored to memory due to the volume of information logged.
Current Page – By default, the first page of the list of items is displayed. The total number of pages displays after the current page number. For example, if 3/54 appears, you are currently viewing page 3 of 54 pages. To view pages, select the left and right arrows to display the first, previous, next, or last page. To view a specific page, enter the page number in the field and then press Enter. For more information, see “Using page controls on web-based manager lists” on page 61.
Column Settings – Select to add or remove columns. This changes what log information appears in Log Access. For more information, see “Column settings” on page 543.
Raw or Formatted – By default, log messages are displayed in Formatted mode. Select Raw to view log messages in Raw mode, without columns. When in Raw mode, select Formatted to switch back to viewing log messages organized in columns. When log messages are displayed in Formatted view, you can customize the columns or filter log messages.
Clear All Filters – Clear all filter settings. For more information, see “Filtering log messages” on page 545.
Note: For more information about filtering log messages, see “Adding filters to web-based
manager lists” on page 58.
Column settings
By using Column Settings, you can customize the view of log messages in
Formatted view. By adding columns, changing their order, or removing them, you
can view only the log information you want.
The Column Settings feature is available only in Formatted view.
Right arrow (->) – Select to move the selected fields from the “Available fields” list to the “Show these fields in this order” list.
Left arrow (<-) – Select to move the selected fields from the “Show these fields in this order” list to the “Available fields” list.
Move up – Move the selected field up one position in the “Show these fields in this order” list.
Move down – Move the selected field down one position in the “Show these fields in this order” list.
7 Select OK.
Note: The Detailed Information column provides the entire raw log entry and is needed only
if the log contains information not available in any of the other columns. The VDOM column
displays which VDOM the log was recorded in.
You can view the device ID and device name when customizing columns. The device ID
provides the identification name of the device. The device name is the Host name that you
configured for the FortiGate unit, for example Headquarters.
The filter settings that are applied remain until you log out of the web-based
manager. Log filters automatically reset to default settings when you log into the
web-based manager.
Content Archive
You can use Content Archive to view archived logs stored on the FortiAnalyzer
unit from the FortiGate web-based manager and the content archives of HTTP,
FTP, Email, IM, and VoIP that are stored on the FortiAnalyzer unit. You can also
view content summaries of HTTP, FTP, Email, IM, and VoIP if you have
subscribed to the FortiGuard Analysis and Management Service.
Before viewing content archives, you need to enable this feature on your
FortiGate unit, within a protection profile. For more information, see “Firewall
Protection Profile” on page 365.
The FortiGate unit allocates only one sixteenth of its memory for transferring
content archive files. For example, FortiGate units with 128 MB of RAM use only 8 MB
of memory when transferring content archive files. It is recommended not to enable
full content archiving if antivirus scanning is also configured because of these
memory constraints.
Note: Infected files are clearly indicated in the Content Archive menu so that you know
which content archives are infected and which are not.
Note: Email content archiving is also supported on the FortiGuard Analysis server.
Alert Email
You can use the Alert Email feature to monitor logs for log messages, and to send
email notification about a specific activity or event logged. For example, if you
require notification about administrators logging in and out, you can configure an
alert email that is sent whenever an administrator logs in and out.
You can also base alert email messages on the severity levels of the logs.
Interval Time (1-9999 minutes) – Enter the minimum time interval between consecutive alert emails. Use this to rate-limit the volume of alert emails.
Intrusion detected – Select if you require an alert email message based on attempted intrusion detection.
Virus detected – Select if you require an alert email message based on virus detection.
Web access blocked – Select if you require an alert email message based on blocked web sites that were accessed.
HA status changes – Select if you require an alert email message based on HA status changes.
Violation traffic detected – Select if you require an alert email message based on violation traffic detected by the FortiGate unit.
Firewall authentication failure – Select if you require an alert email message based on firewall authentication failures.
SSL VPN login failure – Select if you require an alert email message based on any SSL VPN logins that failed.
Administrator login/logout – Select if you require an alert email message based on whether administrators log in or out.
IPSec tunnel errors – Select if you require an alert email message based on whether there is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors – Select if you require an alert email message based on errors that occurred in L2TP, PPTP, or PPPoE.
Configuration changes – Select if you require an alert email message based on any changes made to the FortiGate configuration.
FortiGuard license expiry time (1-9999 days) – Enter the number of days before the FortiGuard license expiry time at which the notification is sent.
FortiGuard log quota usage – Select if you require an alert email message based on the FortiGuard Analysis server log disk quota getting full.
5 Select “Send an alert based on severity” if you require sending an alert email
based on log severity level.
6 Select the minimum severity level in the Minimum severity level list if you are
sending an alert based on severity.
7 Select Apply.
Note: The default minimum log severity level is Alert. If the FortiGate unit collects more
than one log message before an interval is reached, the FortiGate unit combines the
messages and sends out one alert email.
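The two rules in this section and in the Traffic log note above (a logging location set to Alert never records Notification-level traffic messages; alert emails are rate-limited by the interval and messages collected in the meantime are combined into one email) are modelled below in Python. This is an added example, not Fortinet's implementation: the severity names and their order are the FortiGate log levels, while the event categories, the sample events and the class and function names are assumptions made for the example.

```python
"""Model the Alert Email behaviour described above.

Added example, not Fortinet's implementation. It reproduces the documented
rules: a message triggers an alert if its category is selected or if its
severity is at or above the configured minimum; the first alert is sent at
once, and messages collected before the interval elapses are combined into a
single email. The log events below are constructed for this example.
"""
from datetime import datetime, timedelta

# FortiGate log severity levels; a lower number is more severe.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}


def severity_at_least(level, minimum):
    """True if `level` is as severe as `minimum` or more so.

    A logging location set to Alert therefore never records traffic log
    messages, whose level is Notification or lower.
    """
    return SEVERITY[level] <= SEVERITY[minimum]


class AlertEmailer:
    def __init__(self, interval_minutes, categories=(), min_severity=None):
        if not 1 <= interval_minutes <= 9999:
            raise ValueError("interval must be 1-9999 minutes")
        self.interval = timedelta(minutes=interval_minutes)
        self.categories = set(categories)
        self.min_severity = min_severity  # None: severity-based alerts off
        self.pending = []
        self.last_sent = None
        self.sent = []

    def matches(self, event):
        if event["category"] in self.categories:
            return True
        return (self.min_severity is not None
                and severity_at_least(event["level"], self.min_severity))

    def process(self, event):
        """Feed one event in time order; return the email sent, if any."""
        if self.matches(event):
            self.pending.append(event)
        return self.flush(event["time"])

    def flush(self, now):
        """Send the pending messages as one email once the interval has passed."""
        if not self.pending:
            return None
        if self.last_sent is not None and now - self.last_sent < self.interval:
            return None
        email = {"sent_at": now, "messages": list(self.pending)}
        self.pending.clear()
        self.last_sent = now
        self.sent.append(email)
        return email


def run_sample():
    """Constructed events fed to a mailer that alerts on administrator and
    configuration activity, with the default minimum severity of Alert and a
    5-minute interval."""
    t0 = datetime(2009, 1, 12, 12, 0, 0)
    raw = [  # (minutes after t0, category, level, message)
        (0, "admin_login", "information", "admin login from 10.1.1.5"),
        (3, "config_change", "notification", "firewall policy 3 edited"),
        (4, "admin_logout", "information", "admin logout"),
        (4, "traffic", "notification", "policy accept 10.1.1.9 -> 203.0.113.7"),
        (6, "ipsec", "critical", "phase 1 negotiation failed"),
    ]
    mailer = AlertEmailer(interval_minutes=5,
                          categories={"admin_login", "admin_logout", "config_change"},
                          min_severity="alert")
    for minutes, category, level, msg in raw:
        mailer.process({"time": t0 + timedelta(minutes=minutes),
                        "category": category, "level": level, "msg": msg})
    return mailer.sent


if __name__ == "__main__":
    for email in run_sample():
        print(email["sent_at"].time(), [m["msg"] for m in email["messages"]])
```

With these settings the first login is mailed immediately, the configuration change and the logout three and four minutes later are held and go out together once the interval has passed, and the Critical IPsec failure is never mailed: Critical is less severe than the default minimum of Alert, and IPsec tunnel errors were not selected as a category. Lowering the minimum severity or selecting the category is what makes that event visible.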
Reports
You can use the Log&Report menu to configure FortiAnalyzer report schedules
and to view generated FortiAnalyzer reports. You can also configure basic traffic
reports, which use the log information stored in your FortiGate system memory to
present basic traffic information in a graphical format.
Time Period – Select a time range to view for the graphical analysis. You can choose from one day, three days, one week or one month. The default is one day. When you refresh your browser or go to a different menu, the settings revert to default.
Services – By default all services are selected. When you refresh your browser or go to a different menu, all services revert to default settings. Clear the check boxes beside the services you do not want to include in the graphical analysis:
• Browsing
• DNS
• Email
• FTP
• Gaming
• Instant Messaging
• Newsgroups
• P2P
• Streaming
• TFTP
• VoIP
• Generic TCP
• Generic UDP
• Generic ICMP
• Generic IP
Bandwidth Per Service – This bar graph is based on the services you select, and is updated when you select Apply. The graph is based on the current date and time.
Top Protocols Ordered by Total Volume – This bar graph displays the traffic volume for various protocols, in decreasing order of volume. The bar graph does not update when you select different Services and then select Apply.
The report is not updated in real-time. You can refresh the report by selecting the
Memory tab.
Note: The data used to present the graphs is stored in the FortiGate system memory.
When the FortiGate unit is reset or rebooted, the data is erased.
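To show how the two bar graphs above are derived from traffic log records held in memory, here is an added Python example (not Fortinet's code). It filters records to the selected time period, maps each record to one of the service categories listed above, sums sent and received bytes per service, and orders the result by decreasing volume. The port-to-service mapping, the fallback of unmatched traffic into the Generic TCP/UDP/ICMP/IP buckets, the function names and the sample records are all assumptions constructed for the example, not the FortiGate unit's own definitions.

```python
"""Aggregate in-memory traffic log records into per-service bar graph data.

Added example, not Fortinet's code. Records are constructed traffic log
entries; the service categories and port mapping are assumptions for the
example, as is the bucketing of unmatched traffic into Generic TCP/UDP/ICMP/IP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed port/protocol to service mapping (not Fortinet's definition).
SERVICE_PORTS = {
    ("tcp", 80): "Browsing", ("tcp", 443): "Browsing",
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("tcp", 25): "Email", ("tcp", 110): "Email", ("tcp", 143): "Email",
    ("tcp", 21): "FTP", ("udp", 69): "TFTP", ("tcp", 119): "Newsgroups",
    ("udp", 5060): "VoIP", ("tcp", 5060): "VoIP",
}

# The four selectable time ranges of the basic traffic report, in days.
TIME_PERIODS = {"1 day": 1, "3 days": 3, "1 week": 7, "1 month": 30}

# Constructed sample records: one day of mixed traffic plus an older email flow.
NOW = datetime(2009, 1, 12, 12, 0, 0)
SAMPLE_RECORDS = [
    {"time": NOW - timedelta(hours=1), "proto": "tcp", "dport": 80, "sent": 1000, "rcvd": 50000},
    {"time": NOW - timedelta(hours=2), "proto": "tcp", "dport": 443, "sent": 2000, "rcvd": 30000},
    {"time": NOW - timedelta(hours=3), "proto": "udp", "dport": 53, "sent": 300, "rcvd": 700},
    {"time": NOW - timedelta(hours=4), "proto": "tcp", "dport": 8443, "sent": 500, "rcvd": 500},
    {"time": NOW - timedelta(hours=5), "proto": "icmp", "dport": 0, "sent": 64, "rcvd": 64},
    {"time": NOW - timedelta(days=2), "proto": "tcp", "dport": 25, "sent": 9000, "rcvd": 1000},
]


def classify(proto, dport):
    """Map a flow to a service category; unmatched flows fall into a Generic bucket."""
    svc = SERVICE_PORTS.get((proto, dport))
    if svc:
        return svc
    return {"tcp": "Generic TCP", "udp": "Generic UDP",
            "icmp": "Generic ICMP"}.get(proto, "Generic IP")


def bandwidth_per_service(records, now, period="1 day", services=None):
    """Total bytes per service for records inside the period.

    `services` mirrors the check boxes: when given, only those services count.
    """
    since = now - timedelta(days=TIME_PERIODS[period])
    totals = defaultdict(int)
    for r in records:
        if r["time"] < since or r["time"] > now:
            continue
        svc = classify(r["proto"], r["dport"])
        if services is not None and svc not in services:
            continue
        totals[svc] += r["sent"] + r["rcvd"]
    return dict(totals)


def top_protocols(records, now, period="1 day"):
    """Services ordered by decreasing total volume, ignoring the service selection."""
    totals = bandwidth_per_service(records, now, period)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for svc, volume in top_protocols(SAMPLE_RECORDS, NOW):
        print("%-14s %8d bytes" % (svc, volume))
```

Because the data lives only in memory, the result is exactly as transient as the note above says: the same aggregation run after a reboot would see an empty record list.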
Note: If you require a more specific and detailed report, you can configure a simple report
from the FortiAnalyzer web-based manager or CLI. The FortiAnalyzer unit can generate
over 140 different reports providing you with more options than the FortiGate unit provides.
If you need to configure a FortiAnalyzer report schedule, see “FortiAnalyzer report
schedules” on page 551.
Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a
FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.
Report Layout – Select a configured report layout from the list. You must apply a report layout to a report schedule. For more information, see the FortiAnalyzer Administration Guide.
Language – Select the language you want used in the report schedule from the list.
Schedule – Select one of the following to have the report generated once only, daily, weekly, or monthly at a specified date or time period.
    Once – Select to have the report generated only once.
    Daily – Select to generate the report every day at the same time, and then enter the hour and minute for the report. The format is hh:mm.
    These Days – Select to generate the report on specified days of the week, and then select the days of the week check boxes.
    These Dates – Select to generate the report on a specific day or days of the month, and then enter the days separated by commas. For example, if you want to generate the report on the first day, the 21st day and the 30th day, enter: 1, 21, 30.
Log Data Filtering – You can specify the following variables for the report:
    Virtual Domain – Select to create a report based on virtual domains. Enter a specific virtual domain to include in the report.
    User – Select to create a report based on a network user. Enter the user or users in the field, separated by spaces. If a name or group name contains a space, it should be enclosed in quotes, for example, “user 1”.
    Group – Select to create a report based on a group of network users, defined locally. Enter the name of the group or groups in the field.
    LDAP Query – Select the LDAP Query check box and then select an LDAP directory or Windows Active Directory group from the list.
Time Period – Select the time period of the logs to include in the report.
    Relative to Report Runtime – Select a time period from the list. For example, this year.
    Specify – Select to specify the date, day, year and time for the report to run.
        From – Select the beginning date and time of the log time range.
        To – Select the ending date and time of the log time range.
Output – Select the format you want the report to be in and whether to apply an output template.
    Output Types – Select the file format for the generated report. You can choose from PDF, MS Word, Text, and MHT.
    Email/Upload – Select the check box if you want to apply a report output template from the list. This list is empty if a report output template does not exist. For more information, see the FortiAnalyzer Administration Guide.
4 Select OK.
Report Files – The name of the generated report. Select the name to view the report. You can also select the Expand Arrow to list the rolled reports and then select a rolled report to view it.
Date – The date the report was generated on.
Size (bytes) – The size of the report in bytes.
Other Formats – Displays the formats PDF, RTF or MHT, or all of them if those formats were chosen in the report schedule.
Note: Fortinet does not support upgrading from FortiOS 3.0 MR4 or earlier to FortiOS
3.0 MR7. You must upgrade to FortiOS 3.0 MR5 or MR6 before upgrading to FortiOS
3.0 MR7. Fortinet supports upgrading from the most recent patch release of FortiOS
3.0 MR5 and MR6 to FortiOS 3.0 MR7.
Note: You can enter a password to encrypt the configuration file when backing up.
Note: Before upgrading to FortiOS 3.0, ensure FortiOS 2.80 MR11 is installed.
Note: After upgrading to FortiOS 3.0, perform an “Update Now” to retrieve the latest
AV/NIDS signatures from the FortiGuard Distribution Network (FDN) as these signatures
included in the firmware may be older than those currently available on the FDN. See the
FortiGate Administration Guide for more information about updating AV/NIDS signatures.
See the Fortinet Knowledge Center article, Loading FortiGate firmware using
TFTP for CLI procedure, for additional information about upgrading firmware using
the CLI.
Note: The FortiGate-1000A-FA2 does not support downgrading to FortiOS 2.80 because
with the introduction of the FortiClient Check feature, the flash card has a different partition
layout than it did in FortiOS 2.80.
Note: If FortiOS 3.0 MR1 is installed on your FortiGate unit, ensure that the FortiGate unit
is shut down and powered off whenever you insert the FortiUSB key into the USB port on
the FortiGate unit.
3 Select Apply.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file checkbox and enter a password, then enter it again to
confirm.
Note: Installing FortiOS 2.80 firmware on a partition in FortiOS 3.0 MR5 will not overwrite
the other partition.
5 Enter the following command to copy the backed up configuration file to restore
the file on the FortiGate unit:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed up configuration file and
<tftp_ipv4> is the IP address of the TFTP server and <passwrd> is the
password you entered when you backed up your configuration settings. For
example, if the backed up configuration file is confall and the IP address of the
TFTP server is 192.168.1.168 and the password is ghrffdt123:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the
system will reboot!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the backed up configuration file. After the file uploads,
a message, similar to the following, is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
All done. Rebooting...
This may take a few minutes.
Use the show shell command to verify your settings are restored, or log into the
web-based manager.
6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 Update antivirus and attack definitions (see the FortiGate Administration Guide),
or from the CLI enter:
execute update-now
To restore configuration settings using the FortiUSB key from the CLI
1 Log into the CLI.
2 Enter the following commands:
execute restore config usb <config_name>
3 A message similar to the following displays:
This operation will overwrite current settings!
Do you want to continue? (y/n)
4 Type y.
This may take a few minutes.
5 Restoring lists using Import Bulk CLI command feature
IPSec-related settings
The following parameters for both phase 1 and phase 2 policy-based IPSec
tunnels are not carried forward.
• phase 1:
config vpn ipsec phase1
FortiGate-3016B upgrade
The interface names on the FortiGate-3016B unit changed in FortiOS 3.0 MR7 to
match the port names on the face plate of the unit. The following table explains the
new naming scheme:
NTP configuration
The following NTP-related configuration commands are now under config
system ntp in the CLI:
config ntpserver
set ntpsync
set syncinterval
System interface
Previously, the command dns-server-override was available only for
interfaces configured in the management VDOM. In FortiOS 3.0 MR7, VLAN
interfaces cannot be created under a FortiGate switch interface, and therefore,
any VLANs under the switch interfaces are not carried forward to FortiOS
3.0 MR7.
Configuring reports
Configuring reports in FortiOS 3.0 MR7 has drastically changed. All reports
configured under the command config log report are not carried forward.
Reports that do carry forward are placed as correctly as possible in their FortiOS
3.0 MR7 configuration. You may need to reconfigure some settings – if so, contact
a FortiAnalyzer administrator before reconfiguring settings because you will need
to know if report layouts are available for your report schedules.
FortiGuard configuration
The default setting for the command, central-mgmt-auto-backup, was
changed to enable.
Firewall policy
The auth-path, auth-cert and auth-redirect-addr settings may not carry
forward if the authentication group is not selected in the firewall policy.
System IPv6
The command, config system ipv6-tunnel is carried forward, now under
config system sit-tunnel in FortiOS 3.0 MR7.
Global setting
The command, allow-interface-subnet-overlap, previously under
global settings, is carried forward into every VDOM and found under
config system setting.
Index
Symbols
, 469
Numerics
802.3ad aggregate interface
    creating, 116
A
access profile
    administrator account, 208
    CLI commands list, 209
    configuring, 211
    viewing list, 210
accessing logs stored in hard disk, 540
action
    firewall policy, 296
    protection profile P2P option, 378
    spam filter banned word, 504
    spam filter IP address, 507
action type
    spam filter email address, 509
active sessions
    HA statistics, 174
ActiveX filter
    protection profile, 370
add signature to outgoing email
    protection profile, 369
adding, configuring or defining
    access profile, 211
    administrative access to interface, 125
    administrator account, 205
    administrator password, 205
    administrator settings, 215
    ADSL interface settings, 115
    advanced SSL VPN user group options, 442
    alert email, 547
    antispam advanced options, 510
    antispam email address list, 508, 510
    antispam IP address, 507
    antispam IP address list, 506
    antivirus file filter list, 453, 454
    antivirus file patterns, 454
    antivirus file quarantine, 454
    antivirus log, 537
    antivirus quarantine options, 457
    antivirus scanning options, 367
    attack log (IPS), 538
    authentication settings, 445
    authentication, firewall policy, 302
    automatic discovery, 530
    autosubmit list, 457
    banned word list, 503, 504
    basic traffic report, graphical view, 550
    BFD, 286
    BFD on BGP, 287
    BFD on OSPF, 288
    BGP settings, 282
    CA certificates, 226
    Certificate Revocation List (CRL), 228
    cipher suite, 415
    combined IP pool and virtual IP, 359
    content archive, 546
    content archive options, 375
    custom firewall service, 325
    custom IM/P2P/VoIP protocols, 518
    custom service, firewall, 325
    custom signatures, 467
    customized CLI console, 68
    DHCP interface settings, 118
    DHCP relay agent, 163
    DHCP server, 163
    Directory Service server, 433, 434
    Directory Service user groups, 437
    DoS sensors, 475
    Dynamic DNS on an interface, 122
    dynamic virtual IP, 352
    event logs, 536
    fail-open, IPS, 478
    firewall address, 317
    firewall address group, 318
    firewall policy, 296, 297
    firewall policy traffic logging, 535
    firewall policy, adding to VLAN subinterface, 145
    firewall policy, modem connections, 134
    firewall protection profile, 367
    firewall schedule, 329
    firewall service group, 327
    firewall user groups, 436
    firewall virtual IP, 333
    firmware upgrade, 236
    firmware version, 81
    FortiAnalyzer report schedules, 551
    FortiClient checking, 308
    FortiGuard override options for a user group, 441
    FortiGuard Web Filtering options, 370
    FortiWiFi-50B settings, 150, 152
    FortiWiFi-60 MAC filter list, 157
    FortiWiFi-60 settings, 154
    FortiWiFi-60A settings, 150, 152
    FortiWiFi-60AM, 152
    FortiWiFi-60AM settings, 150
    FortiWiFi-60B settings, 150, 152
    gateway for default route, 261
    grayware list, 459
    HA, 167
    HA device priority, 174
    HA subordinate unit host name, 174
    health check monitor, 355
    IM user, 522
K
Keepalive Frequency
    IPSec VPN, phase 1, 401
key
    license, 254
    wireless setting, 153, 155
keyboard shortcut
    online help, 55
Keylife
    IPSec VPN, phase 1, 400
    IPSec VPN, phase 2, 403
keylog
    grayware category, 460
Knowledge Center, 46
L
L2TP, 436
    service, 323
language
    changing the web-based manager language, 50
    spam filter banned word, 504, 505
    web content block, 484, 486
    web-based manager, 50, 216
LDAP
    configuring server, 426, 427
    service, 323
    SSL VPN, 307
    user authentication, 423
LDAP Distinguished Name query, 429
LDAP server
    authentication, 197
    configuring authentication, 199
license key, 254
licenses
    viewing, 70
limit (P2P)
    protection profile, 378
lists
    using web-based manager, 57
local certificates
    options, 221
    viewing, 219
Local Gateway IP
    IPSec VPN, phase 1, 399
Local ID
    IPSec VPN, phase 1, 400
Local Interface
    IPSec VPN, manual key, 406
    IPSec VPN, phase 1, 397
local PC
    backup configuration, 231
    restore configuration, 232
local ratings
    configuring, 496
local ratings list
    viewing, 495
Local SPI
    IPSec VPN, manual key, 405
local user, 422
local user account
    configuring, 423
log
    attack anomaly, 538
    attack signature, 538
    column settings, 543
    messages, 542
    raw or formatted, 543
    to FortiAnalyzer, 529
    traffic, firewall policy, 301, 304
log messages
    viewing, 542
log traffic
    firewall policy, 301, 304
log types, 535
    antivirus, 537
    attack, 538
    event, 536
    IM, P2P, 538
    spam filter, 538
    traffic, 535
    VOIP, 539
    web filter, 537
N
Name
    IP pool, 359, 360
    IPSec VPN, manual key, 405
    IPSec VPN, phase 1, 397
    IPSec VPN, phase 2, 401
NAT
    in transparent mode, 361
    inbound, IPSec firewall policy, 306
    multicast, 285
    outbound, IPSec firewall policy, 306
    preserving SIP NAT IP, 391
    push update, 251
    SIP, 385
    symmetric, 336
NAT virtual IP
    adding for single IP address, 341
    adding static NAT virtual IP for IP address range, 343
Nat-traversal
    IPSec VPN, phase 1, 400
netmask
    administrator account, 206, 207
NetMeeting
    service, 323
network
    topology viewer, 90
network address translation (NAT), 334
network utilization
    HA statistics, 174
next
    online help icon, 53
NFS
    service, 323
NMT
    grayware category, 460
NNTP
    service, 323
not registered
    subscription, 245
Not-so-stubby Area (NSSA), 278
not-so-stubby area (NSSA), 290
Novell eDirectory, 433
NTP
    service, 323
O
object identifier (OID), 182
OCSP certificates
    importing, 225
one-time schedule
    adding, 331
    configuring, 331
    creating new, 330
    list, 330
    start, 331
    stop, 331
online help
    content pane, 53
    keyboard shortcuts, 55
    navigation pane, 54
    search, 54
    using FortiGate online help, 53
operation mode, 193
    wireless setting, 151, 154
operational history
    viewing, 84
optimize
    antivirus, 461
OSPF
    area ID, 279
    AS, 276
    authentication, 279, 280
    Dead Interval, 281
    dead packets, 281
    GRE, 280
    Hello Interval, 281
    Hello protocol, 273
    interface definition, 279
    IPSec, 280
    link-state, 273
    LSA, 280
    multiple interface parameter sets, 280
    neighbor, 273
    network, 276
    network address space, 280
    NSSA, 278, 290
    path cost, 273
    regular area, 278
    service, 323
    settings, 274
    stub, 278
    virtual lan, 279
    virtual link, 278
    VLAN, 280
OSPF AS, 273
    defining, 274
out of band, 109
outbound NAT
    IPSec firewall policy, 306
override server
    adding, 250
oversized file/email
    protection profile, 369
P
P1 Proposal
    IPSec phase 1, 399
P2 Proposal
    IPSec VPN, phase 2, 402
P2P, 378
    grayware category, 460
    supported protocols list, 516
packets
    VDOM, 96
page controls
    web-based manager, 61
PAP, 425
X
X.509 security certificates. See system certificates
XAuth
IPSec VPN, phase 1, 400
X-WINDOWS
service, 325
Z
zones
configuring, 128