FortiGate Administration Guide 01-400-89802-20090219

FortiGate ™

Version 4.0
Administration Guide

Preliminary version: This version of the FortiGate Administration Guide was completed shortly before the FortiOS 4.0 GA release. Consult the most recent FortiOS 4.0 GA release notes for up-to-date information about new 4.0 features. Fortinet Tech Docs will publish an updated version of the FortiGate Administration Guide before the end of March 2009. Contact [email protected] if you have any questions or comments about this preliminary version of the FortiGate Administration Guide.

Visit http://support.fortinet.com to register your FortiGate product. By registering you can receive product updates, technical support, and FortiGuard services.
FortiGate Administration Guide
Version 4.0
19 February 2009
01-400-89802-20090219

© Copyright 2009 Fortinet, Inc. All rights reserved. No part of this publication including text, examples,
diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of
Fortinet, Inc.

Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Contents

What’s new in FortiOS 4.0 ..................................................................... 21
UTM features grouped under new UTM menu............................................................ 22
IPS extensions............................................................................................................... 22
DoS policies for applying IPS sensors...................................................................... 22
NAC quarantine in DoS Sensors .............................................................................. 23
Adding IPS sensors to a DoS policy from the CLI .................................................... 23
One-arm IDS (sniffer mode) ..................................................................................... 23
IPS interface policies for IPv6 ............................................................................... 24
IPS Packet Logging .................................................................................................. 24
Data Leak Prevention.................................................................................................... 25
Application control ....................................................................................................... 25
WAN Optimization......................................................................................................... 25
WCCP v2 support.......................................................................................................... 25
Endpoint control ........................................................................................................... 27
“Any” interface for firewall policies ............................................................................ 27
Global view of firewall policies .................................................................................... 27
Identity-based firewall policies .................................................................................... 28
Web filtering HTTP upload enhancements ................................................................. 28
Traffic shaping enhancements..................................................................................... 28
Firewall load balancing VIP changes .......................................................................... 28
User session persistence.......................................................................................... 29
Health Check Monitor ............................................................................................... 29
Load balancing server monitor ................................................................................. 29
Per-firewall policy session TTL ................................................................................... 29
Gratuitous ARP for virtual IPs ..................................................................................... 29
SSL content scanning and inspection ........................................................................ 29
Customizable web-based manager pages .................................................................. 30
Administration over modem ........................................................................................ 30
Auto-bypass and recovery for AMC bridge module .................................................. 30
Rogue Wireless Access Point detection..................................................................... 31
Configurable VDOM and global resource limits......................................................... 31
User authentication monitor ........................................................................................ 31
OCSP and SCEP certificate using HTTPS .................................................................. 31
Adding non-standard ports for firewall authentication ............................................. 31
VPN client IP addresses can be dynamically assigned from a RADIUS record...... 33
IPSec VPN DHCP server.......................................................................................... 33
PPTP VPN ................................................................................................................ 34

FortiGate Version 4.0 Administration Guide


01-400-89802-20090219 3
http://docs.fortinet.com/ • Feedback
Contents

DHCP over Route-based IPSec VPNs ......................................................... 34
SNMP upgraded to v3.0 ................................................................................................ 34
File Quarantine .............................................................................................................. 34
Enhanced Antispam engine (ASE) .............................................................................. 34
Network Access Control (NAC) quarantine ................................................................ 35
Viewing and releasing quarantined users................................................................. 35
Customizing the quarantine portal ............................................................................ 35
Customizable SSL VPN web portal.............................................................................. 35
Logging improvements................................................................................................. 35
Web Filtering HTTP Post Action .................................................................................. 36

Introduction ............................................................................................ 37
Fortinet family of products........................................................................................... 37
FortiGuard Subscription Services ............................................................................. 37
FortiAnalyzer............................................................................................................. 38
FortiClient ................................................................................................................. 38
FortiManager ............................................................................................................ 38
FortiMail .................................................................................................................... 38
About this document .................................................................................................... 39
Conventions .................................................................................................................. 41
IP addresses............................................................................................................. 41
CLI constraints.......................................................................................................... 41
Notes, Tips and Cautions ......................................................................................... 41
Typographical conventions ....................................................................................... 42
Registering your Fortinet product............................................................................... 42
Customer service and technical support.................................................................... 42
Fortinet documentation ............................................................................................... 43
Fortinet Tools and Documentation CD ..................................................................... 43
Fortinet Knowledge Center ...................................................................................... 43
Comments on Fortinet technical documentation ..................................................... 43

Web-based manager .............................................................................. 45


Common web-based manager tasks........................................................................... 46
Connecting to the web-based manager.................................................................... 46
Changing your FortiGate administrator password .................................................... 47
Changing the web-based manager language........................................................... 48
Changing administrative access to your FortiGate unit ............................................ 48
Changing the web-based manager idle timeout ....................................................... 49
Connecting to the FortiGate CLI from the web-based manager ............................... 49
Button bar features ....................................................................................................... 50
Contacting Customer Support..................................................................................... 50
Backing up your FortiGate configuration ................................................................... 50
Using FortiGate Online Help ........................................................................................ 51
Searching the online help ......................................................................................... 52
Logging out ................................................................................................................... 54
Web-based manager pages.......................................................................................... 54
Using the web-based manager menu....................................................................... 54
Using web-based manager lists................................................................................ 55
Adding filters to web-based manager lists ................................................................ 56
Using page controls on web-based manager lists .................................................... 59
Using column settings to control the columns displayed .......................................... 60
Using web-based manager icons ............................................................................. 62

System Status ........................................................................................ 65


Status page.................................................................................................................... 65
Viewing system status .............................................................................................. 65
Changing system information ..................................................................................... 79
Configuring system time ........................................................................................... 79
Changing the FortiGate unit host name.................................................................... 80
Changing the FortiGate firmware ................................................................................ 80
Upgrading to a new firmware version ....................................................................... 81
Reverting to a previous firmware version ................................................................. 82
Viewing operational history ......................................................................................... 83
Manually updating FortiGuard definitions.................................................................. 84
Viewing Statistics.......................................................................................................... 84
Viewing the session list............................................................................................. 84
Viewing the Content Archive information.................................................................. 86
Viewing the Attack Log ............................................................................................. 87
Topology ........................................................................................................................ 88
Adding a subnet object ............................................................................................. 91
Customizing the topology diagram ........................................................................... 92

Managing firmware versions................................................................. 93


Backing up your configuration .................................................................................... 94
Backing up your configuration through the web-based manager ............................. 94
Backing up your configuration through the CLI......................................................... 94
Backing up your configuration to a USB key ............................................................ 95
Testing firmware before upgrading............................................................................. 95
Upgrading your FortiGate unit..................................................................................... 97
Upgrading to FortiOS 4.0 in the web-based manager .............................................. 97
Upgrading to FortiOS 4.0 in the CLI ......................................................................... 98
Verifying the upgrade................................................................................................ 99
Reverting to a previous firmware image..................................................................... 99
Downgrading to a previous firmware in the web-based manager............................. 99
Verifying the downgrade ......................................................................................... 100
Downgrading to a previous firmware in the CLI...................................................... 100
Restoring your configuration..................................................................................... 101
Restoring your configuration settings in the web-based manager.......................... 101
Restoring your configuration settings in the CLI ..................................................... 102

Using virtual domains.......................................................................... 103


Virtual domains ........................................................................................................... 103
Benefits of VDOMs ................................................................................................. 103
VDOM configuration settings .................................................................................. 105
Global configuration settings .................................................................................. 106
Enabling VDOMs ......................................................................................................... 107
Configuring VDOMs and global settings .................................................................. 108
VDOM licenses ....................................................................................................... 109
Creating a new VDOM............................................................................................ 110
Working with VDOMs and global settings............................................................... 110
Adding interfaces to a VDOM ................................................................................. 112
Inter-VDOM links .................................................................................................... 112
Assigning an interface to a VDOM.......................................................................... 113
Assigning an administrator to a VDOM................................................................... 114
Changing the management VDOM......................................................................... 115
Configuring global and VDOM resource limits ........................................................ 115
VDOM resource limits............................................................................................. 116
Global resource limits ............................................................................................. 117

System Network ................................................................................... 119


Interfaces ..................................................................................................................... 119
Switch Mode ........................................................................................................... 123
Interface settings .................................................................................................... 123
Configuring an ADSL interface ............................................................................... 127
Creating an 802.3ad aggregate interface ............................................................... 128
Creating a redundant interface ............................................................................... 129
Configuring DHCP on an interface ......................................................................... 130
Configuring an interface for PPPoE or PPPoA ....................................................... 132
Configuring Dynamic DNS on an interface ............................................................. 133
Configuring a virtual IPSec interface ...................................................................... 134
Configuring interfaces with CLI commands ............................................................ 135
Additional configuration for interfaces..................................................................... 136
Configuring zones....................................................................................................... 139
Configuring the modem interface.............................................................................. 140
Configuring modem settings ................................................................................... 141
Redundant mode configuration............................................................................... 143
Standalone mode configuration .............................................................................. 144
Adding firewall policies for modem connections ..................................................... 145
Connecting and disconnecting the modem............................................................. 145
Checking modem status ......................................................................................... 145
Configuring Networking Options............................................................................... 146
DNS Servers........................................................................................................... 147
Dead gateway detection ......................................................................................... 147
Web Proxy.................................................................................................................... 148
Routing table (Transparent Mode)............................................................................. 149
Transparent mode route settings............................................................................ 150
VLAN overview ............................................................................................................ 151
FortiGate units and VLANs ..................................................................................... 151
VLANs in NAT/Route mode ........................................................................................ 152
Rules for VLAN IDs................................................................................................. 152
Rules for VLAN IP addresses ................................................................................. 152
Adding VLAN subinterfaces.................................................................................... 153
VLANs in Transparent mode...................................................................................... 154
Rules for VLAN IDs................................................................................................. 156
Transparent mode virtual domains and VLANs ...................................................... 156
Troubleshooting ARP Issues .................................................................................. 157

System Wireless................................................................................... 159


FortiWiFi wireless interfaces ..................................................................................... 159
Channel assignments ................................................................................................. 160
IEEE 802.11a channel numbers ............................................................................. 160
IEEE 802.11b channel numbers ............................................................................. 160
IEEE 802.11g channel numbers ............................................................................. 161
Wireless settings......................................................................................................... 162
Adding a wireless interface..................................................................................... 164
Wireless MAC Filter .................................................................................................... 166
Managing the MAC Filter list................................................................................... 166
Wireless Monitor ......................................................................................................... 167
Rogue AP detection .................................................................................................... 169
Viewing wireless access points .............................................................................. 169

System DHCP ....................................................................................... 171


FortiGate DHCP servers and relays .......................................................................... 171
Configuring DHCP services ....................................................................................... 172
Configuring an interface as a DHCP relay agent.................................................... 173
Configuring a DHCP server .................................................................................... 173
Viewing address leases.............................................................................................. 175
Reserving IP addresses for specific clients ............................................................ 175

System Config ...................................................................................... 177


HA ................................................................................................................................. 177
HA options .............................................................................................................. 177
Cluster members list ............................................................................................... 180
Viewing HA statistics .............................................................................................. 182
Changing subordinate unit host name and device priority...................................... 184
Disconnecting a cluster unit from a cluster ............................................................. 184
SNMP............................................................................................................................ 185
Configuring SNMP .................................................................................................. 185
Configuring an SNMP community........................................................................... 186
Fortinet MIBs .......................................................................................................... 188
Fortinet and FortiGate traps.................................................................................... 189
Fortinet and FortiGate MIB fields............................................................................ 192
Replacement messages ............................................................................................. 195
Replacement messages list.................................................................................... 195
Changing replacement messages .......................................................................... 196
Changing the authentication login page ................................................................. 198
Changing the FortiGuard web filtering block override page.................................... 199
Changing the SSL-VPN login message.................................................................. 199
Changing the authentication disclaimer page......................................................... 199
Operation mode and VDOM management access ................................................... 199
Changing operation mode ...................................................................................... 199
Management access............................................................................................... 201

System Admin ...................................................................................... 203


Administrators............................................................................................................. 203
Viewing the administrators list ................................................................................ 205
Configuring an administrator account ..................................................................... 206
Configuring regular (password) authentication for administrators .......................... 208
Configuring remote authentication for administrators ............................................. 208
Configuring PKI certificate authentication for administrators .................................. 214
Admin profiles ............................................................................................................. 216
Viewing the admin profiles list ................................................................................ 218
Configuring an admin profile................................................................................... 219
Central Management................................................................................................... 220
Settings ........................................................................................................................ 222
Monitoring administrators.......................................................................................... 223
FortiGate IPv6 support ............................................................................................... 224
Customizable web-based manager ........................................................................... 225

System Certificates.............................................................................. 237


Local Certificates ....................................................................................................... 237
Generating a certificate request.............................................................................. 238
Downloading and submitting a certificate request .................................................. 240
Importing a signed server certificate....................................................................... 240
Importing an exported server certificate and private key ........................................ 241
Importing separate server certificate and private key files...................................... 241
Remote Certificates .................................................................................................... 242
Importing Remote (OCSP) certificates ................................................................... 243
CA Certificates ............................................................................................................ 243
Importing CA certificates......................................................................................... 244
CRL............................................................................................................................... 244
Importing a certificate revocation list ...................................................................... 245

System Maintenance............................................................................ 247


About the Maintenance menu .................................................................................... 247
Backing up and restoring........................................................................................... 248
Basic backup and restore options........................................................................... 249
Upgrading and downgrading firmware.................................................................... 253
Upgrading and downgrading firmware through FortiGuard .................................... 253
Configuring advanced options ................................................................................ 254
Managing configuration revisions............................................................................. 255
Using script files ......................................................................................................... 256
Creating script files ................................................................................................. 257
Uploading script files............................................................................................... 258
Configuring FortiGuard Services .............................................................................. 258
FortiGuard Distribution Network ............................................................................. 258
FortiGuard services ................................................................................................ 259
Configuring the FortiGate unit for FDN and FortiGuard subscription services ....... 260
Troubleshooting FDN connectivity ........................................................................... 264
Updating antivirus and attack definitions................................................................. 265
Enabling push updates............................................................................................... 266
Enabling push updates when a FortiGate unit IP address changes ....................... 267
Enabling push updates through a NAT device ....................................................... 267
Adding VDOM Licenses.............................................................................................. 269

FortiGate Version 4.0 Administration Guide


01-400-89802-20090219 9
http://docs.fortinet.com/ • Feedback
Contents

Router Static ........................................................................................ 271


Routing concepts ....................................................................................................... 271
How the routing table is built .................................................................................. 272
How routing decisions are made ........................................................................... 272
Multipath routing and determining the best route ................................................... 272
Route priority ......................................................................................................... 273
Blackhole Route...................................................................................................... 273
Static Route ................................................................................................................ 274
Working with static routes ...................................................................................... 274
Default route and default gateway ......................................................................... 275
Adding a static route to the routing table ............................................................... 278
Policy Route ............................................................................................................... 279
Adding a policy route .............................................................................................. 280
Moving a policy route.............................................................................................. 281

Router Dynamic.................................................................................... 283


RIP ................................................................................................................................ 284
Viewing and editing basic RIP settings................................................................... 284
Selecting advanced RIP options............................................................................. 286
Configuring a RIP-enabled interface....................................................................... 287
OSPF ............................................................................................................................ 288
Defining an OSPF AS—Overview .......................................................................... 289
Configuring basic OSPF settings............................................................................ 290
Selecting advanced OSPF options ......................................................................... 291
Defining OSPF areas.............................................................................................. 292
Specifying OSPF networks ..................................................................................... 294
Selecting operating parameters for an OSPF interface .......................................... 294
BGP .............................................................................................................................. 296
Viewing and editing BGP settings........................................................................... 296
Multicast....................................................................................................................... 297
Viewing and editing multicast settings .................................................................... 298
Overriding the multicast settings on an interface.................................................... 299
Multicast destination NAT ....................................................................................... 300
Bi-directional Forwarding Detection (BFD) .............................................................. 300
Configuring BFD ..................................................................................................... 301
Customizable routing widgets ................................................................................... 303
Access List.............................................................................................................. 303
Distribute List .......................................................................................................... 304
Key Chain ............................................................................................................... 304
Offset List................................................................................................................ 305
Prefix List ................................................................................................................ 306
Route Map .............................................................................................................. 306


Router Monitor ..................................................................................... 309


Viewing routing information ...................................................................................... 309
Searching the FortiGate routing table....................................................................... 311

Firewall Policy ...................................................................................... 313


How list order affects policy matching ..................................................................... 313
Moving a policy to a different position in the policy list ........................................... 314
Multicast policies ........................................................................................................ 315
Viewing the firewall policy list ................................................................................... 315
Configuring firewall policies ...................................................................................... 316
Adding authentication to firewall policies ................................................................ 321
Identity-based firewall policy options (non-SSL-VPN) ............................................ 322
IPSec firewall policy options ................................................................................... 324
Configuring SSL VPN identity-based firewall policies............................................. 325
Endpoint Compliance Check options...................................................................... 329
DoS policies................................................................................................................. 330
Viewing the DoS policy list...................................................................................... 330
Configuring DoS policies ........................................................................................ 331
Firewall policy examples ............................................................................................ 332
Scenario one: SOHO-sized business ..................................................................... 332
Scenario two: enterprise-sized business ................................................................ 335

Firewall Address .................................................................................. 339


About firewall addresses............................................................................................ 339
Viewing the firewall address list................................................................................ 340
Configuring addresses ............................................................................................... 341
Viewing the address group list .................................................................................. 342
Configuring address groups...................................................................................... 342

Firewall Service .................................................................................... 345


Viewing the predefined service list ........................................................................... 345
Viewing the custom service list................................................................................. 350
Configuring custom services..................................................................................... 350
Viewing the service group list ................................................................................... 352
Configuring service groups ....................................................................................... 352

Firewall Schedule................................................................................. 355


Viewing the recurring schedule list........................................................................... 355
Configuring recurring schedules .............................................................................. 356
Viewing the one-time schedule list ........................................................................... 356
Configuring one-time schedules ............................................................................... 357


Firewall Virtual IP ................................................................................. 359


How virtual IPs map connections through FortiGate units..................................... 359
Inbound connections............................................................................................... 359
Outbound connections............................................................................................ 362
VIP requirements .................................................................................................... 363
Viewing the virtual IP list............................................................................................ 363
Configuring virtual IPs................................................................................................ 364
Adding a static NAT virtual IP for a single IP address ............................................ 366
Adding a static NAT virtual IP for an IP address range .......................................... 367
Adding static NAT port forwarding for a single IP address and a single port.......... 369
Adding static NAT port forwarding for an IP address range and a port range ........ 371
Adding dynamic virtual IPs ..................................................................................... 372
Adding a virtual IP with port translation only........................................................... 373
Virtual IP Groups......................................................................................................... 374
Viewing the VIP group list .......................................................................................... 374
Configuring VIP groups.............................................................................................. 374
IP pools ........................................................................................................................ 375
IP pools and dynamic NAT ..................................................................................... 376
IP Pools for firewall policies that use fixed ports..................................................... 376
Source IP address and IP pool address matching.................................................. 376
Viewing the IP pool list ............................................................................................... 377
Configuring IP Pools................................................................................................... 378
Double NAT: combining IP pool with virtual IP........................................................ 378
Adding NAT firewall policies in transparent mode .................................................. 380

Firewall Load Balance ......................................................................... 383


How load balancer works ........................................................................................... 383
Configuring virtual servers ........................................................................................ 384
Configuring real servers............................................................................................. 386
Configuring health check monitors........................................................................... 387
Monitoring the servers ............................................................................................... 389

Firewall Protection Profile................................................................... 391


What is a protection profile?...................................................................................... 391
Adding a protection profile to a firewall policy ........................................................ 392
Default protection profiles ......................................................................................... 392
Viewing the protection profile list ............................................................................. 393


Configuring a protection profile ................................................................................ 393


Protocol recognition options ................................................................................... 394
Anti-Virus options.................................................................................................... 396
IPS options ............................................................................................................. 398
Web Filtering options .............................................................................................. 398
FortiGuard Web Filtering options............................................................................ 400
Spam Filtering options ............................................................................................ 402
Data Leak Prevention Sensor options .................................................................... 404
Display content meta-information on the system dashboard options ..................... 404
Application Control options ..................................................................................... 405
Logging options ...................................................................................................... 405

Traffic Shaping ..................................................................................... 409


Guaranteed bandwidth and maximum bandwidth ................................................... 409
Traffic priority.............................................................................................................. 410
Traffic shaping considerations.................................................................................. 410
Configuring traffic shaping ........................................................................................ 411

SIP support ........................................................................................... 413


VoIP and SIP ................................................................................................................ 413
FortiOS and VoIP security.......................................................................................... 415
SIP NAT.................................................................................................................. 415
How SIP support works .............................................................................................. 418
Configuring SIP ........................................................................................................... 418
Enabling SIP support and setting rate limiting from the web-based manager ........ 418
Enabling SIP support from the CLI ......................................................................... 419
Enabling SIP logging .............................................................................................. 420
Viewing SIP statistics.............................................................................................. 420
Enabling advanced SIP features in an application list ............................................ 420

AntiVirus ............................................................................................... 425


Order of operations..................................................................................................... 425
Antivirus tasks ............................................................................................................ 426
FortiGuard antivirus ................................................................................................ 427
Antivirus settings and controls ................................................................................. 428
File Filter ...................................................................................................................... 429
Built-in patterns and supported file types................................................................ 429
Viewing the file filter list catalog.............................................................................. 430
Creating a new file filter list..................................................................................... 431
Viewing the file filter list .......................................................................................... 431
Configuring the file filter list..................................................................................... 432


File Quarantine ............................................................................................................ 432


Viewing the File Quarantine list .............................................................................. 433
Viewing the AutoSubmit list .................................................................................... 434
Configuring the AutoSubmit list .............................................................................. 435
Configuring quarantine options............................................................................... 435
Viewing the virus database information ................................................................... 436
Viewing and configuring the grayware list ............................................................... 437
Antivirus CLI configuration........................................................................................ 438

Intrusion Protection ............................................................................. 441


About intrusion protection......................................................................................... 441
Intrusion Protection settings and controls............................................................... 442
When to use Intrusion Protection............................................................................ 442
Signatures.................................................................................................................... 443
Viewing the predefined signature list ...................................................................... 443
Using display filters................................................................................................. 444
Custom signatures...................................................................................................... 445
Viewing the custom signature list ........................................................................... 445
Creating custom signatures .................................................................................... 445
Protocol decoders....................................................................................................... 446
Viewing the protocol decoder list ............................................................................ 446
Upgrading the IPS protocol decoder list ................................................................. 447
IPS sensors.................................................................................................................. 447
Viewing the IPS sensor list ..................................................................................... 447
Adding an IPS sensor ............................................................................................. 448
Configuring IPS sensors ......................................................................................... 448
Configuring filters.................................................................................................... 450
Configuring pre-defined and custom overrides....................................................... 451
Packet logging ........................................................................................................ 453
DoS sensors ................................................................................................................ 455
Viewing the DoS sensor list .................................................................................... 455
Configuring DoS sensors........................................................................................ 456
Understanding the anomalies ................................................................................. 457
Intrusion protection CLI configuration ..................................................................... 458

Web Filter.............................................................................................. 459


Order of web filtering.................................................................................................. 459
How web filtering works ............................................................................................. 459
Web filter controls....................................................................................................... 460


Content block .............................................................................................................. 462


Viewing the web content block list catalog ............................................................. 462
Creating a new web content block list .................................................................... 463
Viewing the web content block list .......................................................................... 463
Configuring the web content block list .................................................................... 464
Viewing the web content exempt list catalog .......................................................... 464
Creating a new web content exempt list ................................................................. 465
Viewing the web content exempt list....................................................................... 465
Configuring the web content exempt list................................................................. 466
URL filter ...................................................................................................................... 467
Viewing the URL filter list catalog ........................................................................... 467
Creating a new URL filter list .................................................................................. 467
Viewing the URL filter list........................................................................................ 468
Configuring the URL filter list .................................................................................. 469
URL formats............................................................................................................ 469
Moving URLs in the URL filter list ........................................................................... 470
FortiGuard - Web Filter ............................................................................................... 470
Configuring FortiGuard Web Filtering ..................................................................... 471
Viewing the override list.......................................................................................... 471
Configuring administrative override rules ............................................................... 472
Creating local categories ........................................................................................ 474
Viewing the local ratings list.................................................................................... 474
Configuring local ratings ......................................................................................... 475
Category block CLI configuration............................................................................ 476

Antispam............................................................................................... 477
Antispam...................................................................................................................... 477
Order of spam filtering ............................................................................................ 477
Anti-spam filter controls .......................................................................................... 478
Banned word ............................................................................................................... 480
Viewing the banned word list catalog ..................................................................... 480
Creating a new banned word list ............................................................................ 480
Viewing the antispam banned word list .................................................................. 481
Adding words to the banned word list..................................................................... 482
Black/White List .......................................................................................................... 483
Viewing the antispam IP address list catalog ......................................................... 483
Creating a new antispam IP address list ................................................................ 483
Viewing the antispam IP address list ...................................................................... 484
Adding an antispam IP address.............................................................................. 485
Viewing the antispam email address list catalog .................................................... 485
Creating a new antispam email address list ........................................................... 486
Viewing the antispam email address list................................................................. 486
Configuring the antispam email address list ........................................................... 487


Advanced antispam configuration ............................................................................ 487


config spamfilter mheader ...................................................................................... 487
config spamfilter dnsbl ............................................................................................ 488
Using wildcards and Perl regular expressions ........................................................ 488
Perl regular expression formats.............................................................................. 489
Example regular expressions ................................................................................. 490

Data Leak Prevention........................................................................... 491


DLP Sensors................................................................................................................ 491
Viewing the DLP sensor list .................................................................................... 491
Adding and configuring a DLP sensor .................................................................... 492
Adding or editing a rule in a DLP sensor ................................................................ 492
DLP Rules .................................................................................................................... 494
Viewing the DLP rule list......................................................................................... 494
Adding or configuring DLP rules ............................................................................. 495
DLP Compound Rules ................................................................................................ 497
Viewing the DLP compound rule list ....................................................................... 497
Adding and configuring DLP compound rules ........................................................ 498

Application control .............................................................................. 499


What is application control? ...................................................................................... 499
Viewing the application control lists ........................................................................ 499
Creating a new application control list .................................................................... 500
Configuring an application control list ..................................................................... 500
Adding or configuring an application control list entry ............................................ 501
Application control statistics..................................................................................... 503

VPN IPSEC ............................................................................................ 505


Overview of IPSec VPN configuration....................................................................... 505
Policy-based versus route-based VPNs ................................................................... 506
Auto Key ...................................................................................................................... 507
Creating a new phase 1 configuration .................................................................... 508
Defining phase 1 advanced settings....................................................................... 510
Creating a new phase 2 configuration .................................................................... 512
Defining phase 2 advanced settings....................................................................... 513
Manual Key .................................................................................................................. 515
Creating a new manual key configuration .............................................................. 516
Internet browsing configuration ................................................................................ 518
Concentrator ............................................................................................................... 518
Defining concentrator options ................................................................................. 519
Monitoring VPNs ......................................................................................................... 519


VPN PPTP ............................................................................................. 521


PPTP configuration using FortiGate web-based manager...................................... 521
PPTP configuration using CLI commands ............................................................... 523

VPN SSL................................................................................................ 525


ssl.root ......................................................................................................................... 525
Configuring SSL VPN ................................................................................................. 526
Monitoring SSL VPN sessions................................................................................... 527
SSL VPN web portal.................................................................................................... 528
The General tab...................................................................................................... 529
The Advanced tab................................................................................................... 529
Adding and editing widgets..................................................................................... 531
The session Information widget .............................................................................. 532
The Bookmarks widget ........................................................................................... 533
The Connections Tool widget ................................................................................. 536
The Tunnel Mode widget ........................................................................................ 537

User ....................................................................................................... 539


Getting started - User authentication ........................................................................ 539
Local user accounts ................................................................................................... 540
Configuring Local user accounts ............................................................................ 540
Remote ......................................................................................................................... 543
RADIUS ........................................................................................................................ 543
Configuring a RADIUS server................................................................................. 544
LDAP ............................................................................................................................ 546
Configuring an LDAP server ................................................................................... 547
TACACS+ ..................................................................................................................... 549
Configuring TACACS+ servers............................................................................... 550
Directory Service......................................................................................................... 551
Configuring a Directory Service server ................................................................... 552
PKI ............................................................................................................................... 553
Configuring peer users and peer groups ................................................................ 553
User Group .................................................................................................................. 554
Firewall user groups ............................................................................................... 555
Directory Service user groups ................................................................................ 556
SSL VPN user groups............................................................................................. 557
Viewing the User group list ..................................................................................... 557
Configuring a user group ........................................................................................ 558
Configuring FortiGuard Web filtering override options............................................ 560
Options......................................................................................................................... 561


Monitor ......................................................................................................................... 562


Firewall user monitor list ......................................................................................... 562
IPSEC monitor list................................................................................................... 563
SSL VPN monitor list .............................................................................................. 564
IM user monitor list ................................................................................................. 565
Banned user list ...................................................................................................... 566

WAN optimization ................................................................................ 567


Frequently asked questions about FortiGate WAN optimization ........................... 567
Overview of FortiGate WAN optimization ................................................................. 569
FortiGate models that support WAN optimization................................................... 571
Configuring WAN optimization and web cache rules .............................................. 572
How list order affects rule matching........................................................................ 574
Moving a rule to a different position in the rule list.................................................. 575
Web caching ................................................................................................................ 575
Web cache only topology........................................................................................ 576
Configuring web cache only WAN optimization ...................................................... 576
Configuring client/server (active-passive) web caching.......................................... 578
Configuring peer to peer web caching .................................................................... 581
Client/server or active passive WAN optimization................................................... 584
Configuring client/server (active-passive) WAN optimization ................................. 585
Peer to peer WAN optimization.................................................................................. 587
Configuring peer to peer WAN optimization ........................................................... 587
About WAN optimization addresses ....................................................................... 590
Protocol optimization ................................................................................................. 591
Transparent mode....................................................................................................... 592
Byte caching................................................................................................................ 592
SSL WAN optimization ............................................................................................... 593
Secure tunnelling ........................................................................................................ 593
WAN optimization with FortiClient ............................................................................ 594
Configuring peers ....................................................................................................... 594
Configuring authentication groups ........................................................................... 595
Monitoring WAN optimization.................................................................................... 596
Changing web cache settings.................................................................................... 597

Endpoint control .................................................................................. 599


Configuring endpoint control .................................................................................... 599
Viewing FortiClient required version information .................................................... 600
Configuring FortiClient required version and installer download ............................ 600
Viewing the software detection list.......................................................................... 601
Configuring software detection ............................................................................... 601


Monitoring endpoints ................................................................................................. 602

Log&Report .......................................................................................... 603


FortiGate logging ........................................................................................................ 603
FortiGuard Analysis and Management Service........................................................ 604
FortiGuard Analysis and Management Service portal web site .............................. 605
Log severity levels ...................................................................................................... 605
High Availability cluster logging ............................................................................... 606
Storing logs ................................................................................................................. 606
Logging to a FortiAnalyzer unit ............................................................................... 606
Connecting to FortiAnalyzer using Automatic Discovery ........................................ 608
Testing the FortiAnalyzer configuration .................................................................. 608
Logging to a FortiGuard Analysis server ................................................................ 610
Logging to memory ................................................................................................. 610
Logging to a Syslog server ..................................................................................... 611
Logging to WebTrends ........................................................................................... 612
Log types ..................................................................................................................... 612
Traffic log ................................................................................................................ 612
Event log................................................................................................................. 613
Data Leak Prevention log ....................................................................................... 614
Application Control log............................................................................................ 614
Antivirus log ............................................................................................................ 615
Web filter log........................................................................................................... 615
Spam filter log......................................................................................................... 615
Attack log (IPS)....................................................................................................... 616
Accessing Logs........................................................................................................... 616
Accessing logs stored in memory ........................................................................... 616
Accessing logs stored on the hard disk .................................................................. 616
Accessing logs stored on the FortiAnalyzer unit..................................................... 617
Accessing logs stored on the FortiGuard Analysis server ...................................... 618
Viewing log information ............................................................................................. 618
Customizing the display of log messages................................................................ 620
Column settings ...................................................................................................... 620
Filtering log messages............................................................................................ 621
Content Archive .......................................................................................................... 622
Configuring content archiving ................................................................................. 622
Viewing content archives ........................................................................................ 623
Alert Email ................................................................................................................... 623
Configuring Alert Email ........................................................................................... 623


Reports......................................................................................................................... 625
Viewing basic traffic reports.................................................................................... 625
FortiAnalyzer report schedules ............................................................................... 627
Viewing FortiAnalyzer reports................................................................................. 630
Printing your FortiAnalyzer report ........................................................................... 630

Index...................................................................................................... 631

What’s new in FortiOS 4.0


This section lists and describes some of the new features and changes in FortiOS Version
4.0. It covers the following:
• UTM features grouped under new UTM menu
• IPS extensions
• DoS policies for applying IPS sensors
• NAC quarantine in DoS Sensors
• Adding IPS sensors to a DoS policy from the CLI
• One-arm IDS (sniffer mode)
• IPS interface policies for IPv6
• IPS Packet Logging
• Data Leak Prevention
• Application control
• WAN Optimization
• WCCP v2 support
• Endpoint control
• “Any” interface for firewall policies
• Global view of firewall policies
• Identity-based firewall policies
• Web filtering HTTP upload enhancements
• Traffic shaping enhancements
• Firewall load balancing VIP changes
• Gratuitous ARP for virtual IPs
• SSL content scanning and inspection
• Customizable web-based manager pages
• Administration over modem
• Auto-bypass and recovery for AMC bridge module
• Rogue Wireless Access Point detection
• Configurable VDOM and global resource limits
• User authentication monitor
• OCSP and SCEP certificate using HTTPS
• Adding non-standard ports for firewall authentication
• VPN client IP addresses can be dynamically assigned from a RADIUS record
• DHCP over Route-based IPSec VPNs
• SNMP upgraded to v3.0
• File Quarantine

• Enhanced Antispam engine (ASE)
• Network Access Control (NAC) quarantine
• Customizable SSL VPN web portal
• Logging improvements
• Web Filtering HTTP Post Action

UTM features grouped under new UTM menu


Antivirus, Intrusion Protection, Web Filter, and AntiSpam as well as the new Data Leak
Prevention and Application Control features are grouped under a new UTM menu. All the
familiar Antivirus, Intrusion Protection, Web Filter, and AntiSpam features are available
here. Most IM, P2P, and VoIP functionality has been integrated into application control. IM
user control has moved to User > Local > IM. IM user monitoring has moved to User >
Monitor > IM User Monitor.
If you enable virtual domains, you configure all UTM features separately for each VDOM
except for the Antivirus quarantine and grayware configuration.

IPS extensions
FortiOS 4.0 includes the following new IPS features:
• DoS policies for applying IPS sensors
• NAC quarantine in DoS Sensors
• Adding IPS sensors to a DoS policy from the CLI
• One-arm IDS (sniffer mode)
• IPS interface policies for IPv6
• IPS Packet Logging

DoS policies for applying IPS sensors


In FortiOS v4.0, you can apply IPS Denial of Service (DoS) sensors to traffic on interfaces
by creating DoS policies. DoS policies are independent of firewall policies and are used
to associate DoS sensors with traffic that reaches a FortiGate interface.
DoS policies deliver packets to the IPS before they are accepted by firewall policies. This
arrangement has the following benefits:
• More effective protection from denial of service attacks, because these attacks can be
detected and blocked before the firewall sees the packets, so system resources are
not consumed by denial of service traffic.
• All attacking traffic can be filtered out before it is accepted by firewall policies.
• IPS can inspect traffic that is not normally processed by the firewall, including traffic
that is:
• Normally dropped by the firewall (for example, packets with invalid headers are
dropped by the firewall)
• Using a protocol not normally processed by firewall policies (for example, flood,
broadcast, and multicast traffic)
• Matched by a deny policy (deny policies do not include protection profiles)
• Not matched by any firewall policy.
For more information, see “DoS policies” on page 330.

NAC quarantine in DoS Sensors


From the FortiGate CLI you can configure NAC quarantine for each anomaly in a DoS
sensor. You can configure the anomaly to quarantine the source address of the attack
(attacker) or both the source and destination address of the attack (both).
config ips DoS
    edit new_DoS-sensor
        config anomaly
            edit "tcp_dst_session"
                set status enable
                set quarantine {attacker | both | none}
                set quarantine-expiry 600
                set threshold 5000
            next
        end
    next
end

Adding IPS sensors to a DoS policy from the CLI


You can add an IPS Sensor to a DoS policy from the CLI. The CLI command for
configuring DoS policies is config firewall interface-policy. The following
command syntax shows how to add the all_default_pass IPS sensor to a DoS
policy with policy ID 5 that was previously added from the web-based manager.
config firewall interface-policy
    edit 5
        set ips-sensor-status enable
        set ips-sensor all_default_pass
end

One-arm IDS (sniffer mode)


Using the one-arm IDS you can configure a FortiGate unit to operate as an intrusion
detection system (IDS) appliance by sniffing packets for attacks without actually receiving
and otherwise processing the packets.
To configure one-arm IDS you enable sniffer mode on a FortiGate interface and connect
that interface to a hub or to the SPAN port of a switch that is processing network traffic.
Then you can add DoS policies for that FortiGate interface that include DoS sensors and
optionally IPS sensors to detect attacks in the traffic that the FortiGate interface receives
from the hub or switch SPAN port.
In sniffer mode the interface receives packets accepted by DoS policies only. All packets
not received by DoS policies are dropped. All packets received by DoS policies are
dropped after IPS inspection.
One-arm IDS cannot block traffic. However, if you enable logging in the DoS and IPS
sensors, the FortiGate unit records log messages for all detected attacks.

Figure 1: One-arm IDS topology (diagram: Internet, hub or switch with SPAN port, internal network)

To enable sniffer mode on a FortiGate unit port5 interface:
config system interface
    edit port5
        set ips-sniffer-mode enable
end
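The following is an added example that assembles the one-arm IDS procedure above into one complete CLI configuration; it is not taken from the guide. The interface name port5 and the predefined sensor name all_default come from the guide's own snippets, and the policy ID is arbitrary. The srcaddr, dstaddr and service keys of config firewall interface-policy are assumed by analogy with the interface-policy6 syntax the guide shows for IPv6.

```fortios
# Added example (not from the guide): one-arm IDS on port5.
# Assumed by analogy with interface-policy6: srcaddr, dstaddr, service.

# 1. Put port5 into sniffer mode and connect it to the hub or switch SPAN
#    port. In this mode the interface receives packets only for DoS
#    policies and drops every packet after IPS inspection, so nothing is
#    forwarded and nothing can be blocked: this is detection only.
config system interface
    edit port5
        set ips-sniffer-mode enable
    next
end

# 2. Add an interface-based (DoS) policy on port5 that hands all traffic
#    copied from the SPAN port to the predefined "all_default" IPS sensor.
#    Logging must be enabled in the sensor itself for detections to be
#    recorded; the sensor's block/pass actions have no effect here.
config firewall interface-policy
    edit 10
        set interface "port5"
        set srcaddr "all"
        set dstaddr "all"
        set service "ANY"
        set ips-sensor-status enable
        set ips-sensor "all_default"
    next
end
```

Because the sniffer interface discards every packet after inspection, the only output of this setup is the log messages the sensors generate, so verify that logging is turned on in the sensor before relying on it.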

IPS interface policies for IPv6


Similar to interface-based DoS policies for IPv4, from the FortiGate CLI you can use the
config firewall interface-policy6 command to add IPv6 interface-based
policies. In FortiOS version 4.0 you can add IPS Sensors to IPv6 interface-based policies.
config firewall interface-policy6
    edit 1
        set interface "port1"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service6 "ANY"
        set ips-sensor-status enable
        set ips-sensor "all_default"
end

IPS Packet Logging


Packet logging lets you debug custom signatures, or check how any signature behaves in
your network environment.
If a signature is selected in a custom override and packet logging is enabled, the
FortiGate unit saves any network packet that triggers the signature to memory, the internal
hard drive (if so equipped), a FortiAnalyzer unit, or the FortiGuard Analysis and Management
Service. You can later view these saved packets and save them in PCAP format for closer
examination.
For more information, see “Packet logging” on page 453.

Data Leak Prevention


Data Leak Prevention (DLP) protects sensitive information from being transmitted via web,
email or file transfer protocols. You define rules and compound rules to detect possible
data leaks and specify the action to take in response. Rules and compound rules are
combined into DLP Sensors, which you can enable in firewall protection profiles.
For more information, see “Data Leak Prevention” on page 491.

Application control
Application control is a UTM feature that allows your FortiGate unit to detect and take
action against network traffic depending on the application generating the traffic. Based on
FortiGate Intrusion Protection protocol decoders, application control is a more user-
friendly and powerful way to use Intrusion Protection features to log and manage the
behavior of application traffic passing through the FortiGate unit. Application control uses
IPS protocol decoders that can analyze network traffic to detect application traffic even if
the traffic uses non-standard ports or protocols.
The FortiGate unit can recognize the network traffic generated by more than 70
applications. You can create application control lists that specify what action is taken
with the traffic of the applications you need to manage. Specify the application control list
in the protection profile applied to the network traffic you need to monitor. You can create
multiple application control lists, each tailored to a particular network, for example.
For more information, see “Application control” on page 499.

WAN Optimization
FortiGate WAN optimization can be used to improve performance and security across a
WAN by applying a number of related techniques, including protocol and application-based
data compression and optimization, data deduplication (a technique that reduces how often
the same data is transmitted across the WAN), web caching, secure tunneling and SSL
acceleration.
For more information about WAN optimization, see “WAN optimization” on page 567.

WCCP v2 support
Using WCCP v2 you can configure a FortiGate unit to optimize web traffic, reducing
transmission costs and downloading time. This traffic includes user requests to view
pages on Web servers and the replies to those requests. When a user requests a page
from a web server, the FortiGate unit sends that request to a cache server (also called a
web-cache server). If the cache server has a copy of the requested page in storage, the
cache server sends the user that page. Otherwise, the cache server retrieves the
requested page, caches a copy of the page, and forwards the page to the user.
The FortiGate unit supports WCCP v2 by transparently redirecting selected types of traffic
to a group of cache servers. When WCCP is enabled, the FortiGate unit maintains a web
cache server list in the WCCP database.
To configure WCCP support, use the config system wccp command to enable
WCCP. Then enable WCCP for firewall policies using the wccp keyword.
When a WCCP-enabled firewall policy accepts traffic, the traffic is redirected to a
cache server. The FortiGate unit uses the information in the WCCP database to determine
which cache server to redirect the traffic to.

Finally, you must configure the interfaces connected to WCCP cache servers to accept WCCP
messages.
If virtual domains are enabled, you configure WCCP separately for each virtual domain.

To configure WCCP
You configure WCCP from the CLI.
1 Start WCCP and configure WCCP database settings:
config system wccp
    edit <service-id>
        set router-id <interface_ipv4>
        set server-list <server_ipv4mask>
        set group-address <ip_multicast_ipv4>
        set password <password>
        set forward-method {GRE | L2 | any}
        set return-method {GRE | L2 | any}
        set assignment-method {HASH | MASK | any}
    next
end
Variables (defaults in parentheses) and their descriptions:

authentication {disable | enable}
    Enable or disable MD5 authentication for the WCCP configuration.

<service-id> (default: 1)
    0-255. 0 for HTTP.

router-id <interface_ipv4> (default: 0.0.0.0)
    An IP address known to all cache servers. This IP address identifies a FortiGate
    interface IP address to the cache servers. If all cache servers connect to the same
    FortiGate interface, <interface_ipv4> can be 0.0.0.0, and the FortiGate unit uses the
    IP address of that interface as the router-id.
    If the cache servers can connect to different FortiGate interfaces, you must set
    router-id to a single IP address, and this IP address must be added to the
    configuration of the cache servers.

server-list <server_ipv4mask> (default: 0.0.0.0 0.0.0.0)
    The IP addresses of the cache servers.

group-address <ip_multicast_ipv4> (default: 0.0.0.0)
    The IP multicast address used by the cache servers. 0.0.0.0 means the FortiGate unit
    ignores multicast WCCP traffic. Otherwise, group-address must be from 224.0.0.0 to
    239.255.255.255.

password <password_str>
    The MD5 authentication password. Maximum length is 8 characters.

forward-method {GRE | L2 | any} (default: GRE)
    Specifies how the FortiGate unit forwards traffic to cache servers. If forward-method
    is any, the cache server determines the forward method.

return-method {GRE | L2 | any} (default: GRE)
    Specifies how a cache server declines a redirected packet and returns it to the
    firewall. If return-method is any, the cache server determines the return method.

assignment-method {HASH | MASK | any} (default: HASH)
    Specifies which assignment method the FortiGate unit prefers. If assignment-method
    is any, the cache server determines the assignment method.

2 Add a firewall policy to enable WCCP for traffic accepted by the firewall policy.
config firewall policy
    edit <policy_id>
        (configure the firewall policy)
        set wccp {enable | disable}
    next
end
3 Configure the interfaces that are connected to cache servers to accept WCCP traffic.
config system interface
    edit <interface_name>
        (configure the interface)
        set wccp {enable | disable}
    next
    edit <interface_name>
        (configure the interface)
        set wccp {enable | disable}
    next
end
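The three steps above, carried through as one complete configuration. This is an added example and not from the guide; all addresses, interface names, the policy ID and the shared secret are constructed for illustration. It assumes the cache servers sit on 192.168.10.0/24 behind an interface named dmz, clients on internal, and the Internet on wan1. The policy keys filled in where the guide writes "(configure the firewall policy)" are the standard FortiOS policy settings (srcintf, dstintf, srcaddr, dstaddr, action, schedule, service). The authentication keyword is the one listed in the variable table above, not in the step 1 syntax.

```fortios
# Added example (not from the guide): complete WCCP v2 setup for HTTP.
# Constructed values: caches on 192.168.10.0/24 behind dmz, clients on
# internal, Internet on wan1, placeholder secret "wccpkey1" (8 characters,
# the maximum the guide allows; replace it).

# 1. Start WCCP service 0 (HTTP) and describe the cache servers.
#    All caches reach the FortiGate unit through the same interface, so
#    router-id stays 0.0.0.0 and the unit advertises that interface address.
#    MD5 authentication prevents an unauthenticated host from joining the
#    service group and being handed redirected user traffic.
config system wccp
    edit 0
        set router-id 0.0.0.0
        set server-list 192.168.10.0 255.255.255.0
        set group-address 0.0.0.0
        set authentication enable
        set password wccpkey1
        set forward-method GRE
        set return-method GRE
        set assignment-method HASH
    next
end

# 2. Enable WCCP on the policy that accepts the traffic to be cached.
#    Restricting the service to HTTP keeps other traffic off the caches.
config firewall policy
    edit 20
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP"
        set wccp enable
    next
end

# 3. Accept WCCP protocol messages only on the interface facing the caches,
#    so that hosts on other interfaces cannot register as cache servers.
config system interface
    edit "dmz"
        set wccp enable
    next
end
```

If the cache servers were reachable through more than one FortiGate interface, router-id would instead have to be a single fixed address that is also configured on every cache server, as the variable table notes.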

Endpoint control
The new Endpoint Compliance feature (also called endpoint control) replaces the v3.0
Check FortiClient Installed and Running firewall options. You can enforce the use of
FortiClient End Point Security (Enterprise Edition) in your network and ensure that clients
have both the most recent version of the FortiClient software and the most up-to-date
antivirus signatures.
The FortiGate unit retrieves FortiClient software and antivirus updates from FortiGuard. If
the FortiGate unit contains a hard disk drive, these files are cached to more efficiently
serve downloads to multiple end points. Go to Endpoint Control > FortiClient to see the
software and antivirus signature versions that the Endpoint Control feature enforces.
The Endpoint Compliance feature also provides monitoring. The FortiGate unit gathers
information from client PCs when they use a firewall policy with the Enable Endpoint
Compliance Check option enabled.
For more information, see “Endpoint control” on page 599 and “Endpoint Compliance
Check options” on page 329.

“Any” interface for firewall policies


You can define a firewall policy where the source or destination interface is any. If you add
a firewall policy with the source or destination interface set to any, the firewall will match
the policy with packets to or from any interface.
For more information, see “Viewing the firewall policy list” on page 315.

Global view of firewall policies


In FortiOS 3.0 you can display firewall policies organized by source and destination
interfaces. In FortiOS 4.0 this is called Section view. You can also switch to Global view to
list all firewall policies in order according to a sequence number. The sequence number
indicates the order of the policies in the policy list. When you re-arrange the policy order,
the sequence number changes. The Policy ID is independent of the sequence number.

If you have firewall policies with Any as source or destination, only the Global View is
available.
For more information, see “Viewing the firewall policy list” on page 315.

Figure 2: Example global view including an “any” firewall policy

Identity-based firewall policies


FortiOS 4.0 supports firewall policy authentication in a more flexible way than earlier
releases. Any firewall policy that requires authentication is now known as an identity-
based policy. Optionally, within a single identity-based policy you can permit different
schedules or services and apply different protection profiles to different user groups.
For more information, see “Identity-based firewall policy options (non-SSL-VPN)” on
page 322.

Web filtering HTTP upload enhancements


Web filtering can block HTTP uploads or, optionally, apply client comforting to them: the
FortiGate unit sends cached file data slowly to the server so that the connection does not
time out while the uploaded file is scanned. This is a new option in the Web Filter part of
the protection profile. For more information, see “Web Filtering options” on page 398.

Traffic shaping enhancements


Traffic shaping settings are now configured outside of the firewall policy as Traffic Shapers.
You can configure multiple traffic shapers and add them to different firewall policies.
P2P traffic shaping is configured in the protection profile with separate settings for each
direction.
For more information, see “Traffic Shaping” on page 409.

Firewall load balancing VIP changes


In FortiOS 4.0, server load balance Virtual IPs (VIPs) are configured separately from other
VIPs. To configure load balance VIPs, go to Firewall > Load Balance.
In previous releases of FortiOS, you created VIP mappings between one or more real
servers and an external IP address. In FortiOS v4.0, you define virtual servers, then you
define real servers and associate them with the virtual servers.
For more information, see “Firewall Load Balance” on page 383.


User session persistence


When you create a virtual server, you can enable user session persistence using an HTTP
cookie or the SSL session ID. In the CLI configuration for a VIP, config firewall vip,
you can set the duration, domain and other properties of the cookie.

Health Check Monitor


As in v3.0, you can define health check monitors. The Health Check Monitor tab has
moved to the Load Balance page from the Virtual IP page, but is otherwise unchanged.
You select the health check monitors in the virtual server configuration. For more
information, see “Configuring health check monitors” on page 387.

Load balancing server monitor


A new monitor page (go to Firewall > Load Balance > Monitor) shows the status of each
virtual server and real server. For more information, see “Monitoring the servers” on
page 389.

Per-firewall policy session TTL


If required by your network or by the services the FortiGate unit provides, you can use the
session-ttl keyword of the config firewall policy command to set the session time to
live (TTL) for sessions accepted by a firewall policy.
The default session-ttl in a firewall policy is 0, which means use the default session TTL
set by the config system session-ttl command (3600 seconds by default). The range
for a firewall policy session TTL is 300 to 604800 seconds. Raising the TTL keeps idle
sessions in the session table longer, so apply a longer TTL in the policies for the specific
services that need it rather than raising the global default.

Gratuitous ARP for virtual IPs


You can configure a virtual IP to send gratuitous ARP packets periodically so that the
virtual IP remains reachable where neighbouring routers clear their ARP tables periodically.
Use the following command syntax to configure the sending of ARP packets by a virtual IP.
You can set the time interval between ARP packets. Set the interval to 0 to disable sending
ARP packets.
config firewall vip
edit new_vip
(configure the virtual IP)
set gratuitous-arp-interval <interval_seconds>
end
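Gratuitous ARP is a standard mechanism, so the announcement can be checked independently of the FortiGate unit. The following Python script is an added example, not code from this guide or from FortiOS: it builds the kind of frame a virtual IP announces (a broadcast ARP in which the target IP equals the sender IP, encoded here as an ARP reply; the request form with a zeroed target MAC is also used for announcements and passes the same check) and decides whether a captured frame is such an announcement. The MAC and IP addresses are constructed sample values.

```python
"""Build and recognise gratuitous ARP frames such as a virtual IP announces.

Added example, not FortiOS code. The MAC and IP addresses used in __main__
are constructed sample values.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
BROADCAST_MAC = b"\xff" * 6


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_gratuitous_arp(sender_mac: str, vip: str) -> bytes:
    """Ethernet frame carrying a gratuitous ARP reply for vip.

    The frame is broadcast and the target IP equals the sender IP, which is
    what makes every host on the segment refresh its ARP cache entry for vip.
    """
    ip = ipaddress.IPv4Address(vip).packed
    mac = _mac_bytes(sender_mac)
    ethernet = BROADCAST_MAC + mac + struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4), hlen 6, plen 4
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac + ip            # sender hardware / protocol address
    arp += BROADCAST_MAC + ip  # target hardware / protocol address (same IP)
    return ethernet + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields (trailing padding is ignored)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {
        "dst_mac": _mac_str(dst),
        "src_mac": _mac_str(src),
        "opcode": opcode,
        "sender_mac": _mac_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": _mac_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def is_gratuitous(frame: bytes) -> bool:
    """True when the frame is a broadcast ARP announcement for the sender's own IP.

    Both the request (opcode 1) and reply (opcode 2) forms qualify, so the
    opcode is deliberately not checked.
    """
    try:
        a = parse_arp(frame)
    except ValueError:
        return False
    return a["sender_ip"] == a["target_ip"] and a["dst_mac"] == "ff:ff:ff:ff:ff:ff"


if __name__ == "__main__":
    frame = build_gratuitous_arp("00:09:0f:aa:bb:cc", "192.168.100.50")
    print(parse_arp(frame))
    print("gratuitous:", is_gratuitous(frame))
```

To confirm that the setting is working, capture ARP traffic on the router side of the virtual IP for longer than the configured interval and run is_gratuitous over each ARP frame in the capture; an announcement for the virtual IP should appear once per interval.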

SSL content scanning and inspection


You can now apply antivirus scanning and web filtering to HTTPS, SMTPS, POP3S and
IMAPS traffic. This was not possible in earlier releases of FortiOS. Simply select these
protocols in the protection profile. For more information, see “Configuring a protection
profile” on page 393.


Customizable web-based manager pages


In addition to the ability to configure administrators with varying levels of access to
different parts of the FortiGate unit configuration, you can customize the FortiGate GUI to
show, hide, and arrange widgets/menus/items according to your specific requirements
using the web-based manager. In standard operation mode, the GUI is static. The
customizable GUI feature allows you to present varying GUI configurations to fulfill
different administrator roles. There are also several configuration widgets that you can
enable for CLI-only options which are not displayed by default. Only administrators of the
super-admin admin profile may edit GUI layouts. The customized GUI layouts are stored
as part of the administrator admin profile.
For more information, see “Customizable web-based manager” on page 225.

Administration over modem


You can use the following CLI command to configure a FortiGate modem interface so that
you can dial in to the modem and administer the FortiGate unit. The allowaccess setting
lists the administrative protocols permitted on the dial-in connection. HTTP and Telnet
send administrator credentials in clear text, so limit allowaccess to https and ssh (and ping,
if you need it) unless you have a specific reason to allow the others.
config system dialinsvr
set status enable
set server-ip <ip_address>
set client-ip <ip_address>
set usrgrp "grp1"
set allowaccess ping https ssh http telnet
set modem-dev external
end

Auto-bypass and recovery for AMC bridge module


If you have installed one of the FortiGate-ASM-FX2 or FortiGate-ASM-CX4 AMC bridge
modules, you can use the following CLI command to configure how the bridge module
recovers from switching to bridge mode because of a failure with the FortiGate unit
hardware or software process.

Note: AMC bridge mode is only supported in Transparent mode.

In this example the FortiGate-ASM-CX4 module is installed in slot 1:


config system amc
set sw1 asm-cx4
set watchdog-recovery {enable | disable}
set watchdog-recovery-period <holddown_time>
end
The watchdog-recovery-period determines the length of the hold down period during
which the software watchdog monitors critical software processes before concluding they
have stabilized.


Rogue Wireless Access Point detection


FortiWifi-50B and FortiWifi-60B units can use rogue access point detection to scan for
wireless access points.
For more information, see “Rogue AP detection” on page 169.

Configurable VDOM and global resource limits


FortiGate units have upper limits for resources such as firewall policies, protection profiles
and VPN tunnels. These limits vary by model. In previous releases of FortiOS, maximum
values for resources belonging to virtual domains (VDOMs) applied equally to each
VDOM. Maximums for system-wide (global) resources applied globally and the resources
were equally accessible to each VDOM.
In FortiOS 4.0, you can control resource allocation to each VDOM. This limits the impact
of each VDOM on other VDOMs due to resource contention and enables you to provide
tiered services to your customers. Also, you can set global resource limits to control the
impact of various features on system performance.
For more information, see “Configuring global and VDOM resource limits” on page 115.

User authentication monitor


You can go to User > Authentication > User Authentication Monitor to view a list of
currently authenticated users. For each authenticated user the list includes the user name,
user group, how long the user has been authenticated (duration), how long until the user’s
session times out (time-left), the user’s source IP Address, the amount of traffic through
the FortiGate unit caused by the user (traffic volume) and the authentication method used
by the FortiGate unit for the user (the authentication methods can be FSAE, firewall
authentication (FW-auth), or NTLM). You can sort and filter the information on the
authentication monitor according to any of the columns in the monitor.
For more information, see “Monitor” on page 562.

OCSP and SCEP certificate using HTTPS


FortiGate units support SCEP and OCSP communication with SCEP and OCSP servers over
HTTPS. The SCEP URLs that you add to the FortiGate System Certificate configuration
can be HTTPS URLs if required or supported by your SCEP server.
For more information, see “System Certificates” on page 237.

Adding non-standard ports for firewall authentication


By default, when a communication session is accepted by an identity-based firewall policy,
the user must authenticate with the firewall using the FTP, HTTP, HTTPS, or Telnet
protocol to enter a user name and password before being able to communicate through
the FortiGate unit. By default, users can only authenticate with a communication session
that uses the standard FTP, HTTP, HTTPS, or Telnet TCP ports (21, 80, 443, and 23
respectively).


You can use the following command if your firewall users need to authenticate with the
FortiGate unit and if they use a non-standard port for FTP, HTTP, HTTPS, or Telnet
sessions.
config user setting
config auth-ports
edit <auth_port_table_id_int>
set port <port_integer>
set type {ftp | http | https | telnet}
next
end
end
Where <auth_port_table_id_int> is any integer. You can add multiple non-standard
port table entries. <port_integer> is the non-standard TCP authentication port number.
For each protocol, adding non-standard authentication ports does not change the
standard authentication port. Instead you use this command to add additional non-
standard authentication ports. The standard authentication port is still valid and cannot be
changed. To verify the configuration, enter show user setting to display the resulting
auth-ports table.
For example, if some users on your network web browse using HTTP on ports 8080 and
8008 and use telnet on port 4523 you could use the following commands to add HTTP
authentication on ports 8080 and 8008 and telnet authentication on port 4523:
config user setting
config auth-ports
edit 1
set port 8080
set type http
next
edit 2
set port 8008
set type http
next
edit 3
set port 4523
set type telnet
end
end
If your FortiGate unit is operating with virtual domains enabled, each VDOM has a
different non-standard authentication port configuration.


VPN client IP addresses can be dynamically assigned from a RADIUS record


SSL VPN tunnel mode, IPSec, and PPTP VPN sessions can now assign IP addresses to
remote users from the Framed-IP-Address attribute of the RADIUS Access-Accept that
the RADIUS server returns when it confirms that the user has authenticated successfully.
See RFC 2865 and RFC 2866 for more information about RADIUS.
For the FortiGate unit to assign an IP address this way, the VPN users must be configured
for RADIUS authentication and the RADIUS server must return the address to assign in
the Framed-IP-Address attribute of the user's record. You configure each type of VPN
differently. In each case you associate the VPN configuration that assigns IP addresses to
users with a user group.
Assigning IP addresses in this way does not replace assigning IP addresses from a
configured IP address range. You can configure both an IP address range and IP address
assignment from the RADIUS server. If you configure both, the FortiGate unit assigns the
address from the RADIUS record when one is present, and assigns an address from the
configured range when the RADIUS record contains no Framed-IP-Address or when the
user does not authenticate with a RADIUS server.
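The exchange described above, as an added Python example that is not part of this guide or of FortiOS: the server side builds an Access-Accept carrying Framed-IP-Address (attribute type 8) with the Response Authenticator defined in RFC 2865, and the NAS side (the role the FortiGate unit plays) verifies the authenticator, extracts the attribute, and falls back to the configured address range when the attribute is absent or carries one of the RFC 2865 special values (255.255.255.255, user selects; 255.255.255.254, NAS selects). The shared secret, request authenticator and addresses are constructed sample values, and assign_vpn_address is a simplified stand-in for the FortiGate unit's own allocation logic, not a description of it.

```python
"""Extract Framed-IP-Address from a RADIUS Access-Accept and choose a VPN address.

Added example, not FortiOS code. Packet layout and the Response Authenticator
follow RFC 2865; the secret, request authenticator and addresses below are
constructed sample values.
"""
import hashlib
import ipaddress
import os
import struct
from typing import Iterable, Iterator, Optional, Set, Tuple

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
# RFC 2865 section 5.8: these values mean "user selects" / "NAS selects"
FRAMED_IP_SPECIAL = (b"\xff\xff\xff\xff", b"\xff\xff\xff\xfe")


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: bytes) -> bytes:
    """RADIUS server side: Access-Accept with a valid Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs; a malformed length raises instead of looping."""
    pos = 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def framed_ip_from_reply(reply: bytes, request_auth: bytes,
                         secret: bytes) -> Optional[str]:
    """NAS side: verify the reply, then return Framed-IP-Address or None.

    Raises ValueError for anything that is not an authentic Access-Accept, so
    a forged or corrupted reply can never supply an address.
    """
    if len(reply) < 20:
        raise ValueError("reply too short")
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        raise ValueError("length field does not match packet")
    attrs = reply[20:]
    expected = hashlib.md5(reply[:4] + request_auth + attrs + secret).digest()
    if expected != reply[4:20]:
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    for atype, value in parse_attributes(attrs):
        if atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            if value in FRAMED_IP_SPECIAL:
                return None  # server leaves the choice to the NAS or the user
            return str(ipaddress.IPv4Address(value))
    return None


def assign_vpn_address(radius_ip: Optional[str], pool: Iterable[str],
                       in_use: Set[str]) -> Optional[str]:
    """Prefer the RADIUS-supplied address; otherwise take a free pool address."""
    if radius_ip is not None:
        return radius_ip
    for candidate in pool:
        if candidate not in in_use:
            return candidate
    return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req_auth = os.urandom(16)  # sent in the Access-Request, kept by the NAS
    attrs = _attr(ATTR_USER_NAME, b"vpnuser") + _attr(
        ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.11.12.13").packed)
    reply = build_access_accept(7, req_auth, secret, attrs)
    ip = framed_ip_from_reply(reply, req_auth, secret)
    print(assign_vpn_address(ip, ["10.11.12.100", "10.11.12.101"], {"10.11.12.100"}))
```

The authenticator check runs before any attribute is read; with a shared secret that is not known to the server, or with a reply altered in transit, the function raises and no address is assigned, which is the behaviour to confirm when testing a new RADIUS server against the FortiGate unit.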

SSL VPN tunnel mode


For SSL VPN you implement this feature by adding the Tunnel Mode widget to the SSL
VPN portal configuration. Go to VPN > SSL > Portal to configure SSL VPN portals. In the
Tunnel Mode configuration, set IP Mode to User Group.

Figure 3: Using RADIUS records to assign IP addresses for SSL VPN tunnel mode

For more information, see “The Tunnel Mode widget” on page 537.
IPSec VPN DHCP server
You can assign IP addresses to IPSec VPN clients using RADIUS records by configuring
the IPSec DHCP server. In the IPSec DHCP server configuration you set ip-mode to
usrgrp:
config system dhcp server
edit dhcp_server
set server-type ipsec
set ip-mode usrgrp
...
end


PPTP VPN
You can assign IP addresses to PPTP VPN clients using RADIUS records by configuring
the PPTP VPN to use the user group for getting IP addresses:
config vpn pptp
set status enable
set ip-mode usrgrp
...
end

DHCP over Route-based IPSec VPNs


In previous releases of FortiOS, you could use DHCP to assign IP addresses to dialup
clients only on policy-based IPSec VPNs. In FortiOS 4.0, DHCP is also available to dialup
clients on route-based IPSec VPNs.
The configuration has only a few differences from that of a route-based dialup VPN with
static IP addresses.
1 Configure Phase 1 settings.
Remote Gateway must be set to Dialup User.
2 Configure Phase 2 settings.
Set Phase 1 to the dialup Phase 1 configuration you created in step 1.
In the Advanced Settings, select DHCP-IPsec.
For more information, see “DHCP-IPSec” on page 514.
3 Configure a DHCP server on the virtual IPSec interface.
Set the server Type to DHCP. Enter the IP Range and Netmask that dialup clients will
use and the Default Gateway that dialup clients should use.
4 Configure an ACCEPT firewall policy with the virtual IPSec interface as source and the
local private network as destination.

SNMP upgraded to v3.0


FortiOS 4.0 supports SNMP v3, which adds user-based authentication and optional
encryption of SNMP traffic to the status and monitoring information available through
earlier SNMP versions.
For more information, see “SNMP” on page 185.

File Quarantine
The Quarantine tab is renamed to File Quarantine to distinguish it from the NAC
Quarantine feature that quarantines traffic. For more information, see “Viewing the File
Quarantine list” on page 433.

Enhanced Antispam engine (ASE)


FortiOS 4.0 includes a new Antispam Engine (ASE) that can be updated from the
FortiGuard distribution network to add new antispam techniques without requiring a
FortiOS firmware update. You can also update the ASE manually using the following CLI
command:
execute restore fase {ftp | sftp} <filename> <server> <userid>


Network Access Control (NAC) quarantine


The FortiGate unit can quarantine clients that:
• Originate attacks detected by IPS. Configure NAC quarantine for IPS by enabling
Quarantine Attackers in an IPS Sensor filter. For more information, see “Configuring
filters” on page 450.
• Send viruses detected by the Antivirus feature. Configure NAC quarantine for antivirus
by enabling Quarantine Virus Sender in a protection profile. For more information,
see “Anti-Virus options” on page 396.
• Use applications blocked by Data Leak Prevention (DLP). Configure NAC quarantine
for DLP by configuring the action in a DLP sensor rule. For more information, see
“Adding or editing a rule in a DLP sensor” on page 492.
Quarantined users can only access a web portal that explains the reason for the
quarantine and instructs them to contact the system administrator.
The Banned User list shows all quarantined users and you, as administrator, can
selectively release users from quarantine. Optionally, you can configure quarantine to
expire after a selected time period.
Depending on the quarantine settings, the user’s quarantine might apply only to
particular traffic, such as traffic to the victim of an IPS attack.

Viewing and releasing quarantined users


Go to User > Banned User to view the list of quarantined users. For more information, see
“Banned user list” on page 566.

Customizing the quarantine portal


The quarantine portal provides a different message depending on the reason for
quarantine: virus, DoS attack, IPS attack, Data Leak Prevention (DLP). You can modify
these messages. See the NAC Quarantine section in the Replacement Messages. (Go to
System > Config > Replacement Messages). For more information, see “Replacement
messages” on page 195.

Customizable SSL VPN web portal


You can create multiple SSL VPN web portal configurations, each with a different web
portal look and feel and with different types of web portal functionality enabled.
For more information, see “SSL VPN web portal” on page 528.

Logging improvements
Logs provide more information about the FortiGate unit operation, including:
• Event log for VPN tunnel up/down (IPSec, SSL, PPTP VPNs), including authenticated
user name, local and remote IP addresses
• Event log for VPN tunnel re-key
• Event log for VPN tunnel periodic statistics (configurable period)
• Logs for new Data Leak Prevention feature
• Attacks detected by IPS


• Log lists Admin Profile in Administrator login event log
• Memory log entries increased to 1024 bytes from 512 bytes to reduce the number of
truncated logs. Because the memory log buffer has a fixed size, this reduces the number
of logs that can be stored in it.
For more information, see “Log&Report” on page 603.

Web Filtering HTTP Post Action


You can block or provide client comforting for HTTP-POST activity by selecting the HTTP
POST Action in a protection profile. For more information, see “Web Filtering options” on
page 398.


Introduction
Welcome and thank you for selecting Fortinet products for your real-time network
protection.
FortiGate™ ASIC-accelerated multi-threat security systems improve network security,
reduce network misuse and abuse, and help you use communications resources more
efficiently without compromising the performance of your network. FortiGate Systems are
ICSA-certified for Antivirus, Firewall, IPSec, SSL-TLS, IPS, Intrusion detection, and
AntiSpyware services.
FortiGate Systems are dedicated, easily managed security devices that deliver a full suite
of capabilities including:
• Application-level services such as virus protection, intrusion protection, spam filtering,
web content filtering, IM, P2P, and VoIP filtering
• Network-level services such as firewall, intrusion detection, IPSec and SSL VPN, and
traffic shaping
• Management services such as user authentication, logging, reporting with
FortiAnalyzer, administration profiles, secure web and CLI administrative access, and
SNMP.
The FortiGate security system uses Fortinet’s Dynamic Threat Prevention System
(DTPS™) technology, which leverages breakthroughs in chip design, networking, security
and content analysis. The unique ASIC-accelerated architecture analyzes content and
behavior in real-time, enabling key applications to be deployed right at the network edge
where they are most effective at protecting your networks.
This chapter contains the following sections:
• Fortinet family of products
• About this document
• Conventions
• Registering your Fortinet product
• Customer service and technical support
• Fortinet documentation

Fortinet family of products


Fortinet offers a family of products that includes both software and hardware appliances
for a complete network security solution including mail, logging, reporting, network
management, and security along with FortiGate Unified Threat Manager Systems. For
more information on the Fortinet product family, go to www.fortinet.com/products.

FortiGuard Subscription Services


FortiGuard Subscription Services are security services created, updated and managed by
a global team of Fortinet security professionals. They ensure the latest attacks are
detected and blocked before harming your corporate resources or infecting your end-user
computing devices. These services are created with the latest security technology and
designed to operate with the lowest possible operational costs. For more information
about FortiGuard services, go to the FortiGuard Center at www.fortiguard.com.


FortiAnalyzer
FortiAnalyzer™ provides network administrators with the information they need to enable
the best protection and security for their networks against attacks and vulnerabilities.
FortiAnalyzer features include:
• collects logs from FortiGate units and syslog devices and FortiClient
• creates hundreds of reports using collected log data
• scans and reports vulnerabilities
• stores files quarantined from a FortiGate unit
The FortiAnalyzer unit can also be configured as a network analyzer to capture real-time
traffic on areas of your network where firewalls are not employed. You can also use the
unit as a storage device where users can access and share files, including the reports and
logs that are saved on the FortiAnalyzer hard disk.

FortiClient
FortiClient™ Host Security software provides a secure computing environment for both
desktop and laptop users running the most popular Microsoft Windows operating systems.
FortiClient offers many features including:
• creating VPN connections to remote networks
• configuring real-time protection against viruses
• guarding against modification of the Windows registry
• virus scanning.
FortiClient also offers a silent installation feature, enabling an administrator to efficiently
distribute FortiClient to several users’ computers with preconfigured settings.

FortiManager
FortiManager™ meets the needs of large enterprises (including managed security service
providers) responsible for establishing and maintaining security policies across many
dispersed FortiGate installations. With FortiManager you can configure multiple FortiGate
units and monitor their status. You can also view real-time and historical logs for FortiGate
units. FortiManager emphasizes ease of use, including easy integration with third party
systems.

FortiMail
FortiMail™ provides powerful, flexible heuristic scanning and reporting capabilities to
incoming and outgoing email traffic. The FortiMail unit has reliable, high performance
features for detecting and blocking malicious attachments and spam, such as FortiGuard
Antispam/Antivirus support, heuristic scanning, greylisting, and Bayesian scanning. Built
on Fortinet’s award winning FortiOS and FortiASIC technology, FortiMail antivirus
technology extends full content inspection capabilities to detect the most advanced email
threats.


About this document


This FortiGate Version 4.0 Administration Guide provides detailed information about
FortiGate™ web-based manager options and how to use them. This guide also contains
some information about the FortiGate CLI.
This administration guide describes web-based manager functions in the same order as
the web-based manager menu. The document begins with a general description of the
FortiGate web-based manager and a description of FortiGate virtual domains. Following
these chapters, each item in the System menu, Router menu, Firewall menu, and VPN
menu gets a separate chapter. Then User, AntiVirus, Intrusion Protection, Web Filter,
AntiSpam, IM/P2P, and Log & Report are all described in single chapters. The document
concludes with a detailed index.
VDOM and Global icons appear in this administration guide to indicate whether a chapter or
the section of a chapter is part of the VDOM configuration or part of the Global configuration.
VDOM and Global configuration settings only apply to a FortiGate unit operating with
virtual domains enabled. No distinction is made between VDOM and Global configuration
settings when virtual domains are not enabled.
The most recent version of this document is available from the FortiGate page of the
Fortinet Technical Documentation web site. The information in this document is also
available in a slightly different form as FortiGate web-based manager online help.
You can find more information about FortiOS v3.0 from the FortiGate page of the Fortinet
Technical Documentation web site as well as from the Fortinet Knowledge Center.
This administration guide contains the following chapters:
• What’s new in FortiOS 4.0 lists and describes some of the new features and changes
in FortiOS Version 4.0.
• Web-based manager provides an introduction to the features of the FortiGate
web-based manager, the button bar, and includes information about how to use the
web-based manager online help.
• System Status describes the System Status page, the dashboard of your FortiGate
unit. At a glance you can view the current system status of the FortiGate unit including
serial number, uptime, FortiGuard license information, system resource usage, alert
messages and network statistics. This section also describes status changes that you
can make, including changing the unit firmware, host name, and system time. Finally
this section also describes the topology viewer that is available on all FortiGate models
except those with model numbers 50 and 60.
• Managing firmware versions describes upgrading and managing firmware versions.
You should review this section before upgrading your FortiGate firmware because it
contains important information about how to properly back up your current
configuration settings and what to do if the upgrade is unsuccessful.
• Using virtual domains describes how to use virtual domains to operate your FortiGate
unit as multiple virtual FortiGate units, providing separate firewall and routing services
to multiple networks.
• System Network explains how to configure physical and virtual interfaces and DNS
settings on the FortiGate unit.
• System Wireless describes how to configure the Wireless LAN interface on a
FortiWiFi-60 unit.
• System DHCP provides information about how to configure a FortiGate interface as a
DHCP server or DHCP relay agent.


• System Config contains procedures for configuring HA and virtual clustering,
configuring SNMP and replacement messages, and changing the operation mode.
• System Admin guides you through adding and editing administrator accounts, defining
admin profiles for administrators, configuring central management using the
FortiGuard Management Service or FortiManager, defining general administrative
settings such as language, timeouts, and web administration ports.
• System Certificates explains how to manage X.509 security certificates used by
various FortiGate features such as IPSec VPN and administrator authentication.
• System Maintenance details how to back up and restore the system configuration
using a management computer or a USB disk, use revision control, enable FortiGuard
services and FortiGuard Distribution Network (FDN) updates, and enter a license key
to increase the maximum number of virtual domains.
• Router Static explains how to define static routes and create route policies. A static
route causes packets to be forwarded to a destination other than the factory configured
default gateway.
• Router Dynamic contains information about how to configure dynamic protocols to
route traffic through large or complex networks.
• Router Monitor explains how to interpret the Routing Monitor list. The list displays the
entries in the FortiGate routing table.
• Firewall Policy describes how to add firewall policies to control connections and traffic
between FortiGate interfaces, zones, and VLAN subinterfaces.
• Firewall Address describes how to configure addresses and address groups for firewall
policies.
• Firewall Service describes available services and how to configure service groups for
firewall policies.
• Firewall Schedule describes how to configure one-time and recurring schedules for
firewall policies.
• Traffic Shaping describes how to create traffic shaping instances and add them to firewall
policies.
• Firewall Virtual IP describes how to configure and use virtual IP addresses and IP
pools.
• Firewall Load Balance describes how to use FortiGate load balancing to intercept
incoming traffic and balance it across available servers.
• Firewall Protection Profile describes how to configure protection profiles for firewall
policies.
• SIP support includes some high-level information about VoIP and SIP and describes
how FortiOS SIP support works and how to configure the key SIP features.
• AntiVirus explains how to enable antivirus options when you create a firewall protection
profile.
• Intrusion Protection explains how to configure IPS options when a firewall protection
profile is created.
• Web Filter explains how to configure web filter options when a firewall protection profile
is created.
• Antispam explains how to configure spam filter options when a firewall protection
profile is created.
• Data Leak Prevention explains how to use FortiGate data leak prevention to prevent
sensitive data from leaving your network.


• Application control describes how to configure the application control options
associated with firewall protection profiles.
• VPN IPSEC provides information about the tunnel-mode and route-based (interface
mode) Internet Protocol Security (IPSec) VPN options available through the web-
based manager.
• VPN PPTP explains how to use the web-based manager to specify a range of IP
addresses for PPTP clients.
• VPN SSL provides information about basic SSL VPN settings.
• User details how to control access to network resources through user authentication.
• WAN optimization describes how to use FortiGate WAN optimization to improve
performance and security of traffic passing between locations on your wide area
network (WAN).
• Endpoint control describes how to use FortiGate end point control to enforce the use of
FortiClient End Point Security (Enterprise Edition) in your network.
• Log&Report describes how to enable logging, view log files, and view the basic reports
available through the web-based manager.

Conventions
Fortinet technical documentation uses the conventions described below.

IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.

CLI constraints
CLI constraints, such as <address_ipv4>, indicate which data types or string patterns
are acceptable input for a given parameter or variable value. CLI constraint conventions
are described in the CLI Reference document for each product.

Notes, Tips and Cautions


Fortinet technical documentation uses the following guidance and styles for notes, tips
and cautions.

Tip: Highlights useful additional information, often tailored to your workplace activity.

Note: Also presents useful information, but usually focused on an alternative, optional
method, such as a shortcut, to perform a step.

Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.

FortiGate Version 4.0 Administration Guide


01-400-89802-20090219 41
http://docs.fortinet.com/ • Feedback

Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 1: Typographical conventions in Fortinet technical documentation

Button, menu, text box, field, or check box label
    Example: From Minimum log level, select Notification.
CLI input
    Example:
    config system dns
        set primary <address_ipv4>
    end
CLI output
    Example:
    FGT-602803030703 # get system settings
    comments : (null)
    opmode : nat
Emphasis
    Example: HTTP connections are not secure and can be intercepted by a third party.
File content
    Example:
    <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
    <BODY><H4>You must authenticate to use this service.</H4>
Hyperlink
    Example: Visit the Fortinet Technical Support web site, https://support.fortinet.com.
Keyboard entry
    Example: Type a name for the remote VPN peer or client, such as Central_Office_1.
Navigation
    Example: Go to VPN > IPSEC > Auto Key (IKE).
Publication
    Example: For details, see the FortiGate Administration Guide.
VDOM icon
    Example: The chapter or section contains VDOM configuration settings, see
    “VDOM configuration settings” on page 105.
Global icon
    Example: The chapter or section contains Global configuration settings, see
    “Global configuration settings” on page 106.

Registering your Fortinet product


Before you begin, take a moment to register your Fortinet product at the Fortinet Technical
Support web site, https://support.fortinet.com.
Many Fortinet customer services, such as firmware updates, technical support, and
FortiGuard Antivirus and other FortiGuard services, require product registration.
For more information, see the Fortinet Knowledge Center article Registration Frequently
Asked Questions.

Customer service and technical support


Fortinet Technical Support provides services designed to make sure that your Fortinet
products install quickly, configure easily, and operate reliably in your network.
To learn about the technical support services that Fortinet provides, visit the Fortinet
Technical Support web site at https://support.fortinet.com.
You can dramatically improve the time that it takes to resolve your technical support ticket
by providing your configuration file, a network diagram, and other specific information. For
a list of required information, see the Fortinet Knowledge Center article What does
Fortinet Technical Support require in order to best assist the customer?

Fortinet documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.

Fortinet Tools and Documentation CD


Many Fortinet publications are available on the Fortinet Tools and Documentation CD
shipped with your Fortinet product. The documents on this CD are current at shipping
time. For current versions of Fortinet documentation, visit the Fortinet Technical
Documentation web site, http://docs.fortinet.com.

Fortinet Knowledge Center


The Fortinet Knowledge Center provides additional Fortinet technical documentation,
such as troubleshooting and how-to-articles, examples, FAQs, technical notes, a glossary,
and more. Visit the Fortinet Knowledge Center at http://kc.fortinet.com.

Comments on Fortinet technical documentation


Please send information about any errors or omissions in this or any Fortinet technical
document to [email protected].

Web-based manager
This section describes the features of the user-friendly web-based manager administrative
interface (sometimes referred to as a graphical user interface, or GUI) of your FortiGate
unit.
Using a secure HTTPS connection (recommended) or plain HTTP from any management
computer running a web browser, you can connect to the FortiGate web-based manager to
configure and manage the FortiGate unit. HTTP sends administrator credentials and session
data in clear text, so enable it only on networks you trust. The recommended minimum
screen resolution for the management computer is 1280 by 1024.
You can enable HTTP and HTTPS web-based administration on any FortiGate interface. To
connect to the web-based manager you require a FortiGate administrator account and
password. The web-based manager supports multiple languages, but by default appears in
English on first use.

Figure 4: Example FortiGate-3600 Web-based manager dashboard (default configuration)

You can go to System > Status to view detailed information about the status of your
FortiGate unit on the system dashboard. The dashboard displays information such as the
current FortiOS firmware version, antivirus and IPS definition versions, operation mode,
connected interfaces, and system resources. It also shows whether the FortiGate unit is
connected to a FortiAnalyzer unit and a FortiManager unit or other central management
services.
You can use the web-based manager menus, lists, and configuration pages to configure
most FortiGate settings. Configuration changes made using the web-based manager take
effect immediately without resetting the FortiGate unit or interrupting service. You can
back up your configuration at any time using the Backup Configuration button on the
button bar. The button bar is located in the upper right corner of the web-based manager.
The saved configuration can be restored at any time.
The web-based manager also includes detailed context-sensitive online help. Selecting
Online Help on the button bar displays help for the current web-based manager page.
You can use the FortiGate command line interface (CLI) to configure the same FortiGate
settings that you can configure from the web-based manager, as well as additional CLI-
only settings. The system dashboard provides an easy entry point to the CLI console that
you can use without exiting the web-based manager.
This section describes:
• Common web-based manager tasks
• Button bar features
• Contacting Customer Support
• Backing up your FortiGate configuration
• Using FortiGate Online Help
• Logging out
• Web-based manager pages

Common web-based manager tasks


This section describes the following common web-based manager tasks:
• Connecting to the web-based manager
• Changing your FortiGate administrator password
• Changing the web-based manager language
• Changing administrative access to your FortiGate unit
• Changing the web-based manager idle timeout
• Connecting to the FortiGate CLI from the web-based manager

Connecting to the web-based manager


To connect to the web-based manager, you require:
• a FortiGate unit connected to your network according to the instructions in the
QuickStart Guide and Install Guide for your FortiGate unit
• the IP address of a FortiGate interface that you can connect to
• a computer with an Ethernet connection to a network that can connect to the FortiGate
unit
• a supported web browser. See the Knowledge Center articles Supported Windows web
browsers and Using a Macintosh and the web-based manager.

To connect to the web-based manager


1 Start your web browser and browse to https:// followed by the IP address of the
FortiGate unit interface that you can connect to.
For example, if the IP address is 192.168.1.99, browse to https://192.168.1.99
(remember to include the “s” in https://).
To support secure HTTPS authentication, the FortiGate unit ships with a self-signed
security certificate, which is offered to remote clients whenever they initiate an
HTTPS connection to the FortiGate unit. Because this certificate is not signed by a
certificate authority that your browser trusts, the browser displays two security
warnings when you connect.
The first warning prompts you to accept and optionally install the FortiGate unit’s self-
signed security certificate. If you do not accept the certificate, the connection is not
completed. If you accept the certificate, the FortiGate login page appears, and the
credentials you enter are encrypted before they are sent to the FortiGate unit. If you
choose to accept the certificate permanently, the warning is not displayed again. Before
accepting a certificate permanently, confirm that it is the one presented by your own
FortiGate unit (for example, by comparing its fingerprint through a channel you already
trust); a certificate accepted over an untrusted network could belong to a host interposed
between you and the FortiGate unit.
Just before the FortiGate login page is displayed, a second warning informs you that
the FortiGate certificate distinguished name differs from the original request. This
warning occurs because the FortiGate unit redirects the connection. This is an
informational message. Select OK to continue logging in.
2 Type admin or the name of a configured administrator in the Name field.
3 Type the password for the administrator account in the Password field.
4 Select Login.

Changing your FortiGate administrator password


By default you can log into the web-based manager using the admin administrator
account with no password. Set a password on the admin administrator account as soon as
the unit is reachable from your network, to prevent anyone who can reach a management
interface from logging into the FortiGate unit and changing its configuration.
For improved security, regularly change the admin administrator account password and
the passwords of any other administrator accounts that you add.

Note: See the Fortinet Knowledge Center article Recovering lost administrator account
passwords if you forget or lose an administrator account password and cannot log into your
FortiGate unit.

To change an administrator account password


1 Go to System > Admin > Administrators.
This web-based manager page lists the administrator accounts that can log into the
FortiGate unit. The default configuration includes the admin administrator account.
2 Select the Change Password icon and enter a new password.
3 Select OK.

Note: You can also add new administrator accounts by selecting Create New. For more
information about adding administrators, changing administrator account passwords and
related configuration settings, see “System Admin” on page 203.

Changing the web-based manager language


You can change the web-based manager display language to English, Simplified
Chinese, Japanese, Korean, Spanish, Traditional Chinese, or French. For best results,
select the language that the management computer operating system uses.

To change the web-based manager language


1 Go to System > Admin > Settings.
2 Under display settings, select the web-based manager display language.
3 Select Apply.
The web-based manager displays the dashboard in the selected language. All
web-based manager pages are displayed with the selected language.

Figure 5: System > Admin > Settings displayed in Simplified Chinese

Changing administrative access to your FortiGate unit


Through administrative access an administrator can connect to the FortiGate unit to view
and change configuration settings. The default configuration of your FortiGate unit allows
administrative access to one or more of the interfaces of the unit as described in your
FortiGate unit QuickStart Guide and Install Guide.
You can change administrative access by:
• enabling or disabling administrative access from any FortiGate interface
• enabling or disabling secure HTTPS administrative access to the web-based manager
(recommended)
• enabling or disabling HTTP administrative access to the web-based manager (not
recommended, because credentials are sent in clear text)
• enabling or disabling secure SSH administrative access to the CLI (recommended)
• enabling or disabling Telnet administrative access to the CLI (not recommended,
because credentials are sent in clear text).

To change administrative access to your FortiGate unit


1 Go to System > Network > Interface.
2 Choose an interface for which to change administrative access and select Edit.
3 Select one or more Administrative Access types for the interface.
4 Select OK.
For more information about changing administrative access see “Administrative access to
an interface” on page 136.

Changing the web-based manager idle timeout


By default, the web-based manager disconnects administrative sessions if no activity
takes place for 5 minutes. This idle timeout is recommended to prevent someone from
using the web-based manager from a PC that is logged into the web-based manager and
then left unattended. However, you can use the following steps to change this idle timeout.

To change the web-based manager idle timeout


1 Go to System > Admin > Settings.
2 Change the Idle Timeout minutes as required.
3 Select Apply.
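The procedures above (setting the admin administrator password, restricting administrative access per interface, choosing the display language, and shortening the idle timeout) can also be carried out from the CLI, in the CLI Console widget or an SSH session. The following is an added example, not taken from this guide or from Fortinet's own documentation. The interface name port1, the management subnet 192.168.1.0/24 and the placeholder <new_password> are assumed values to replace with your own; the trusted-host restriction goes slightly beyond the web-based manager procedures on this page.

```fortios
# Added example (not from the guide): CLI equivalents of the web-based manager
# hardening steps described on this page.
# Assumptions: interface "port1" is the management interface and
# 192.168.1.0/24 is the management subnet; both are example values.

# 1. Give the default admin account a password and, in addition to the
#    procedures on this page, limit the addresses it may log in from.
config system admin
    edit "admin"
        set password <new_password>
        set trusthost1 192.168.1.0 255.255.255.0
    next
end

# 2. Permit only encrypted management protocols on the management interface.
#    Leaving http and telnet out of allowaccess disables them on port1.
config system interface
    edit "port1"
        set allowaccess https ssh ping
    next
end

# 3. Keep the idle timeout short (minutes) and set the display language.
config system global
    set admintimeout 5
    set language english
end

# 4. Review the result before closing the session.
show system interface port1
show system admin
```

Apply the allowaccess change from an interface other than the one you are editing, or from the CLI Console widget, so that removing a protocol does not cut off the session you are using to make the change.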

Connecting to the FortiGate CLI from the web-based manager


You can connect to the FortiGate CLI from the web-based manager dashboard by using
the CLI console widget. You can use the CLI to configure all configuration options
available from the web-based manager. Some configuration options are available only
from the CLI. As well, you can use the CLI to enter diagnose commands and perform
other advanced operations that are not available from the web-based manager. For more
information about the FortiGate CLI see the FortiGate CLI Reference.

To connect to the FortiGate CLI from the web-based manager


1 Go to System > Status.
2 Locate and select the CLI Console.
Selecting the CLI console logs you into the CLI. For more information, see “CLI
Console” on page 75.

Button bar features


The button bar in the upper right corner of the web-based manager provides access to
several important FortiGate features.

Figure 6: Web-based manager button bar (buttons: Contact Customer Support, Online Help,
Back up your FortiGate Configuration, Logout)

Contacting Customer Support


The Contact Customer Support button opens the Fortinet Support web page in a new
browser window. From this page you can:
• visit the Fortinet Knowledge Center
• log into Customer Support (Support Login)
• register your Fortinet product (Product Registration)
• view Fortinet Product End of Life information
• find out about Fortinet Training and Certification
• visit the FortiGuard Center.
You must register your Fortinet product to receive product updates, technical support, and
FortiGuard services. To register a Fortinet product, go to Product Registration and follow
the instructions.

Backing up your FortiGate configuration


The Backup Configuration button opens a dialog box for backing up your FortiGate
configuration to:
• the local PC that you are using to manage the FortiGate unit.
• a management station. This can be a FortiManager unit or the FortiGuard
Management Service. This option changes depending on your central management
configuration (see “Central Management” on page 220).
• a USB disk, if your FortiGate unit has a USB port and you have connected a USB disk
to it (see “Formatting USB Disks” on page 255).
For more information, see “Backing up and restoring” on page 248.

Figure 7: Backing up your FortiGate configuration

Using FortiGate Online Help


The Online Help button displays context-sensitive online help for the current web-based
manager page. The online help page that is displayed is called a content pane and
contains information and procedures related to the current web-based manager page.
Most help pages also contain hyperlinks to related topics. The online help system also
includes a number of links that you can use to find additional information.
FortiGate context-sensitive online help topics also include a VDOM or Global icon to
indicate whether the web-based manager page is for VDOM-specific or global
configuration settings. VDOM and Global configuration settings apply only to a FortiGate
unit operating with virtual domains enabled. If you are not operating your FortiGate unit
with virtual domains enabled, you can ignore the VDOM and Global icons. For more
information about virtual domains, see “Using virtual domains” on page 103.

Figure 8: A context-sensitive online help page (content pane only), showing the Show
Navigation, Previous, Next, Email, Print, and Bookmark icons

Show Navigation Open the online help navigation pane. From the navigation pane you
can use the online help table of contents, index, and search to access
all of the information in the online help. The online help is organized in
the same way as the FortiGate web-based manager and the FortiGate
Administration Guide.
Previous Display the previous page in the online help.
Next Display the next page in the online help.
Email Send an email to Fortinet Technical Documentation at
[email protected] if you have comments on or corrections for the
online help or any other Fortinet technical documentation product.
Print Print the current online help page.

Bookmark Add an entry for this online help page to your browser bookmarks or
favorites list to make it easier to find useful online help pages. You
cannot use the Bookmark icon to add an entry to your favorites list if
you are viewing online help from Internet Explorer running on a
management PC with Windows XP and service pack 2 installed.
VDOM icon When you select help for a VDOM configuration settings web-based
manager page the help display includes the VDOM icon. For
information about VDOM configuration settings, see “VDOM
configuration settings” on page 105.
Global icon When you select help for a Global configuration settings web-based
manager page the help display includes the Global icon. For
information about Global configuration settings, see “Global
configuration settings” on page 106.
To view the online help table of contents or index, and to use the search feature, select
Online Help in the button bar in the upper right corner of the web-based manager. From
the online help, select Show Navigation.

Figure 9: Online help page with navigation pane and content pane (Contents, Index, Search,
and Show in Contents controls)

Contents Display the online help table of contents. You can navigate through the
table of contents to find information in the online help. The online help
is organized in the same way as the FortiGate web-based manager
and the FortiGate Administration Guide.
Index Display the online help index. You can use the index to find
information in the online help.
Search Display the online help search. For more information, see “Searching
the online help” on page 52.
Show in Contents If you have used the index, search, or hyperlinks to find information in
the online help, the table of contents may not be visible or the table of
contents may be out of sync with the current help page. You can select
Show in Contents to display the location of the current help page
within the table of contents.

Searching the online help


Using the online help search, you can search for one word or multiple words in the full text
of the FortiGate online help system. Please note the following:
• If you search for multiple words, the search finds only those help pages that contain all
of the words that you entered. The search does not find help pages that only contain
one of the words that you entered.
• The help pages found by the search are ranked in order of relevance. The higher the
ranking, the more likely the help page includes useful or detailed information about the
word or words that you are searching for. Help pages with the search words in the help
page title are ranked highest.

• You can use the asterisk (*) as a search wildcard character that is replaced by any
number of characters. For example, if you search for auth* the search finds help pages
containing auth, authenticate, authentication, authenticates, and so on.
• In some cases the search finds only exact matches. For example, if you search for
windows the search may not find pages containing the word window. You can work
around this using the * wildcard (for example by searching for window*).

To search in the online help system


1 From any web-based manager page, select the online help button.
2 Select Show Navigation.
3 Select Search.
4 In the search field, enter one or more words to search for and then press the Enter key
on your keyboard or select Go.
The search results pane lists the names of all the online help pages that contain all the
words that you entered. Select a name from the list to display that help page.

Figure 10: Searching the online help system (search field, Go button, and search results
pane)

Using the keyboard to navigate in the online help


You can use the keyboard shortcuts listed in Table 2 to display and find information in the
online help.
Table 2: Online help navigation keys

Key Function
Alt+1 Display the table of contents.
Alt+2 Display the index.
Alt+3 Display the Search tab.
Alt+4 Go to the previous page.
Alt+5 Go to the next page.
Alt+7 Send an email to Fortinet Technical Documentation at
[email protected] if you have comments on or corrections for the
online help or any other Fortinet technical documentation product.
Alt+8 Print the current online help page.
Alt+9 Add an entry for this online help page to your browser bookmarks or
favorites list, to make it easier to find useful online help pages.

Logging out
The Logout button immediately logs you out of the web-based manager. Log out before
you close the browser window. If you simply close the browser or leave the web-based
manager, you remain logged in until the idle timeout (default 5 minutes) expires. To
change the timeout, see “Changing the web-based manager idle timeout” on page 49.

Web-based manager pages


The web-based manager interface consists of a menu and pages. Many of the pages
have multiple tabs. When you select a menu item, such as System, the web-based
manager expands to reveal a submenu. When you select one of the submenu items, the
associated page opens at its first tab. To view a different tab, select the tab.
The procedures in this manual direct you to a page by specifying the menu item, the
submenu item and the tab, for example:
1 Go to System > Network > Interface.

Figure 11: Parts of the web-based manager (shown for the FortiGate-50B): menu, page, tabs,
and button bar

Using the web-based manager menu


The web-based manager menu provides access to configuration options for all major
FortiGate features (see Figure 11 on page 54).

System Configure system settings, such as network interfaces, virtual
domains, DHCP services, administrators, certificates, High Availability
(HA), system time and set system options.
Router Configure FortiGate static and dynamic routing and view the router
monitor.
Firewall Configure firewall policies and protection profiles that apply network
protection features. Also configure virtual IP addresses and IP pools.
UTM Configure antivirus and antispam protection, web filtering, intrusion
protection, data leak prevention, and application control.

VPN Configure IPSec and SSL virtual private networking. PPTP is
configured in the CLI.
User Configure user accounts for use with firewall policies that require user
authentication. Also configure external authentication servers such as
RADIUS, LDAP, TACACS+, and Windows AD. Configure monitoring of
Firewall, IPSec, SSL, IM, and Banned Users.
Endpoint control Configure end points, view FortiClient configuration information, and
configure software detection patterns.
Log&Report Configure logging and alert email. View log messages and reports.

Using web-based manager lists


Many of the web-based manager pages contain lists. There are lists of network interfaces,
firewall policies, administrators, users, and others.
If you log in as an administrator with an admin profile that allows Read-Write access to a
list, depending on the list you will usually be able to:
• select Create New to add a new item to the list
• select the Edit icon for a list item to view and change the settings of the item
• select the Delete icon for a list item to delete the item. The delete icon will not be
available if the item cannot be deleted. Usually items cannot be deleted if they have
been added to another configuration; you must first find the configuration settings that
the item has been added to and remove the item from them. For example, to delete a
user that has been added to a user group you must first remove the user from the user
group (see Figure 12).

Figure 12: A web-based manager list (read-write access), with Edit and Delete icons

If you log in as an administrator with an admin profile that allows Read Only access to a
list, you will only be able to view the items on the list (see Figure 13).

Figure 13: A web-based manager list (read only access), with View icon

For more information, see “Admin profiles” on page 216.

Adding filters to web-based manager lists


You can add filters to control the information that is displayed by the following complex
lists:
• Session list (see “Viewing the session list” on page 84)
• Firewall policy and IPv6 policy list (see “Viewing the firewall policy list” on page 315)
• IPSec VPN monitor list (see “IPSEC monitor list” on page 563)
• Firewall user monitor list (see “Firewall user monitor list” on page 562)
• Intrusion protection predefined signatures list (see “Viewing the predefined signature
list” on page 443)
• Log and report log access list (see “Accessing Logs” on page 616).
Filters are useful for reducing the number of entries that are displayed on a list so that you
can focus on the information that is important to you.
For example, you can go to System > Status, and, in the Statistics section, select Details
on the Sessions line to view the communications sessions that the FortiGate unit is
currently processing. A busy FortiGate unit may be processing hundreds or thousands of
communications sessions. You can add filters to make it easier to find specific sessions.
For example, you might be looking for all communications sessions being accepted by a
specific firewall policy. You can add a Policy ID filter to display only the sessions for a
particular Policy ID or range of Policy IDs.
You add filters to a web-based manager list by selecting any filter icon to display the Edit
Filters window. From the Edit Filters window you can select any column name to filter, and
configure the filter for that column. You can also add filters for one or more columns at a
time. The filter icon remains gray for unfiltered columns and changes to green for filtered
columns.

Figure 14: An intrusion protection predefined signatures list filtered to display all signatures
containing “apache” with logging enabled, action set to drop, and severity set to
high (a filter is added to display names that include “apache”; the other columns
have no filter added)

The filter configuration is retained after leaving the web-based manager page and even
after logging out of the web-based manager or rebooting the FortiGate unit.
Different filter styles are available depending on the type of information displayed in
individual columns. In all cases, you configure filters by specifying what to filter on and
whether to display information that matches the filter, or by selecting NOT to display
information that does not match the filter.

Note: Filter settings are stored in the FortiGate configuration and will be maintained the
next time that you access any list for which you have added filters.

On firewall policy, IPv6 policy, predefined signature and log and report log access lists,
you can combine filters with column settings to provide even more control of the
information displayed by the list. See “Using filters with column settings” on page 61 for
more information.

Filters for columns that contain numbers


If the column includes numbers (for example, IP addresses, firewall policy IDs, or port
numbers) you can filter by a single number or a range of numbers. For example, you could
configure a source address column to display only entries for a single IP address or for all
addresses in a range of addresses. To specify a range, separate the top and bottom
values of the range with a hyphen, for example 25-50.
Figure 15 shows a numeric filter configured to control the source addresses that are
displayed on the session list. In this example, a filter is enabled for the Source Address
column. The filter is configured to display only source addresses in the range of 1.1.1.1-
1.1.1.2. To view the session list, go to System > Status. In the Statistics section, beside
Sessions, select Details.

Figure 15: A session list with a numeric filter set to display sessions with source IP address in the range of 1.1.1.1-1.1.1.2
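The same narrowing of the session list can be done from the CLI (CLI Console widget or SSH session), which is quicker on a busy unit than paging through the web-based manager list. This is an added example, not taken from this guide; the source address range and the policy ID are constructed values, and it goes slightly beyond the figure above by also showing the Policy ID filter described earlier in this section.

```fortios
# Added example (not from the guide): session-list filtering from the CLI.
# The address range and policy ID below are constructed values.

# Show only sessions whose source address is in 192.168.1.1-192.168.1.2
# (the CLI counterpart of the Source Address range filter in Figure 15).
diagnose sys session filter clear
diagnose sys session filter src 192.168.1.1 192.168.1.2
diagnose sys session list

# Show only sessions accepted by firewall policy ID 3
# (the CLI counterpart of the Policy ID filter).
diagnose sys session filter clear
diagnose sys session filter policy 3
diagnose sys session list

# Filters stay in effect for the rest of the CLI session; clear them when
# done so that later "diagnose sys session list" output is not silently narrowed.
diagnose sys session filter clear
```

Unlike the web-based manager filters described below, which are stored in the configuration, the CLI filter is per session and is lost when you log out.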

Filters for columns containing text strings


If the column includes text strings (for example, names and log messages) you can filter
by a text string. You can also filter information that is an exact match for the text string
(equals), that contains the text string, or that does not equal or does not contain the text
string. You can also specify whether to match the capitalization (case) of the text string.
The text string can be blank and it can also be very long. The text string can also contain
special characters such as <, &, > and so on. However, filtering ignores characters
following a < unless the < is followed by a space (for example, filtering ignores <string
but not < string). Filtering also ignores matched opening and closing < and >
characters and any characters inside them (for example, filtering ignores <string> but
does not ignore >string>).

Figure 16: A firewall policy list filter set to display all policies that do not include a source address with a name that contains “My_Address”

Filters for columns that can contain only specific items


For columns that can contain only specific items (for example, a log message severity or a
pre-defined signature action) you can select a single item from a list. In this case, you can
only filter on a single selected item.

Figure 17: An intrusion protection predefined signature list filter set to display all signatures with Action set to block

Custom filters
Other custom filters are also available. You can filter log messages according to date
range and time range. You can also set the level filter to display log messages with
multiple severity levels.

Figure 18: A log access filter set to display all log messages with level of alert, critical, error,
or warning

Using page controls on web-based manager lists


The web-based manager includes page controls to make it easier to view lists that contain
more items than you can display on a typical browser window. These page controls are
available for the following lists:
• session list (see “Viewing the session list” on page 84)
• Router Monitor (see “Router Monitor” on page 309)
• IPSec VPN monitor list (see “IPSEC monitor list” on page 563)
• Firewall user monitor list (see “Firewall user monitor list” on page 562)
• Banned User list (see “Banned user list” on page 566)
• intrusion protection predefined signatures list (see “Viewing the predefined signature
list” on page 443)
• web filtering lists (see “Web Filter” on page 459)
• antispam lists (see “Antispam” on page 477)
• log and report log access lists (see “Accessing Logs” on page 616).

Figure 19: Page controls (callouts: First Page, Previous Page, Current Page, Next Page,
Last Page, Total Number of Pages; enter a page number in Current Page to display that page)


First Page Display the first page of items in the list.
Previous Page Display the previous page of items in the list.
Current Page The number of the page of list items currently displayed. Enter a page
number and press Enter to display the items on that page. For example, if there are
5 pages of items and you enter 3, page 3 of the list is displayed.
Total Number of Pages The number of pages of list items that you can view.
Next Page Display the next page of items in the list.
Last Page Display the last page of items in the list.

Using column settings to control the columns displayed


Using column settings, you can format some web-based manager lists so that information
that is important to you is easy to find and less important information is hidden or less
distracting.
On the following web-based manager pages that contain complex lists, you can change
column settings to control the information columns that are displayed for the list and to
control the order in which they are displayed.
• Network interface list (see “Interfaces” on page 119)
• Firewall policy and IPv6 policy (see “Viewing the firewall policy list” on page 315)
• Intrusion protection predefined signatures list (see “Viewing the predefined signature
list” on page 443)
• Log and report log access lists (see “Accessing Logs” on page 616).

Note: Any changes that you make to the column settings of a list are stored in the FortiGate
configuration and will display the next time that you access the list.

To change column settings on a list that supports it, select Column Settings. From
Available fields, select the column headings to be displayed and then select the Right
Arrow to move them to the “Show these fields in this order” list. Similarly, to hide column
headings, use the Left Arrow to move them back to the Available fields list. Use Move Up
and Move Down to change the order in which to display the columns.
For example, you can change interface list column headings to display only the
IP/Netmask, MAC address, MTU, and interface Type for each interface.

Figure 20: Example of interface list column settings (callouts: Left Arrow, Right Arrow)


Figure 21: A FortiGate-5001SX interface list with column settings changed

Using filters with column settings


On firewall policy, IPv6 policy, predefined signature and log and report log access lists you
can combine filters with column settings to provide even more control of the information
displayed by the list.
For example, you can go to Intrusion Protection > Signature > Predefined and configure
the Intrusion Protection predefined signatures list to show only the names of signatures
that protect against vulnerabilities for a selected application. To do this, set Column
Settings to only display Applications and Name. Then apply a filter to Applications so that
only selected applications are listed. In the pre-defined signatures list you can also sort
the list by different columns; you might want to sort the list by application so that all
signatures for each application are grouped together.

Figure 22: A pre-defined signatures list displaying pre-defined signatures for the Veritas and
Winamp applications

For more information, see “Adding filters to web-based manager lists” on page 56.


Using web-based manager icons


The web-based manager has icons in addition to buttons to help you to interact with your
FortiGate unit. There are tooltips to assist you in understanding the function of most icons.
Pause the mouse pointer over the icon to view the tooltip. Table 3 describes the icons that
are available in the web-based manager.
Table 3: web-based manager icons

Icon Name Description

Administrative status down The administrative status of a FortiGate interface is down
and the interface will not accept traffic.
Administrative status up The administrative status of a FortiGate interface is up and
the interface accepts traffic.
Change Password Change the administrator password. This icon appears in the
Administrators list if your admin profile grants write permission for administrators.
Clear Clear all or remove all entries from the current list. For example, on a URL filter
list you can use this icon to remove all URLs from the current URL filter list.
Delete Delete an item. This icon appears in lists where the item can be deleted and you
have edit permission for the item.
Description The tooltip for this icon displays the Description or Comments field for this
table entry.
Disconnect from cluster Disconnect a FortiGate unit from a functioning HA cluster.
Download Download information from a FortiGate unit. For example, you can download
certificates and debug logs.
Edit Edit a configuration. This icon appears in lists where you have write permission for
the item.
Enter a VDOM Enter a virtual domain and use the web-based manager to configure
settings for the virtual domain.
Expand Arrow (closed) Expand this section to reveal more fields. This icon is used in
some dialog boxes and lists.
Expand Arrow (open) Close this section to hide some fields. This icon is used in some
dialog boxes and lists.
Filter Set a filter on one or more columns in this table. See “Adding filters to web-based
manager lists” on page 56.
First page View the first page of a list.
Insert before Add a new item to a list so that it precedes the current item. Used in lists
where the order of items is significant, for example firewall policies, IPS Sensors, and
DoS Sensors.
Last page View the last page of a list.
Move to Change the position of an item in a list. Used in lists where the order of items is
significant, for example firewall policies, IPS Sensors, and DoS Sensors.

Next page View the next page of a list.
Previous page View the previous page of a list.
Refresh Update the information on this page.
View View a configuration. This icon appears in lists instead of the Edit icon when you
have read-only access to a web-based manager list.
View details View detailed information about an item. For example, you can use this icon
to view details about certificates.


System Status
This section describes the System Status page, the dashboard of your FortiGate unit. At a
glance you can view the current system status of the FortiGate unit including serial
number, uptime, FortiGuard™ license information, system resource usage, alert
messages and network statistics.

Note: Your browser must support Javascript to view the System Status page.

If you enable virtual domains (VDOMs) on the FortiGate unit, the status page is available
globally and system status settings are configured globally for the entire FortiGate unit.
The Topology viewer is not available when VDOMs are enabled. For details, see “Using
virtual domains” on page 103.
This section describes:
• Status page
• Changing system information
• Changing the FortiGate firmware
• Viewing operational history
• Manually updating FortiGuard definitions
• Viewing Statistics
• Topology

Status page
View the System Status page, also known as the system dashboard, for a snapshot of the
current operating status of the FortiGate unit. FortiGate administrators whose admin
profiles permit write access to system configuration can change or update FortiGate unit
information. For more information on admin profiles, see “Admin profiles” on page 216.
When the FortiGate unit is part of an HA cluster, the System Status page includes basic
high availability (HA) cluster status, such as the name of the cluster and the host names of
the cluster members. To view more specialized HA status information for the cluster, go to
System > Config > HA. For more information, see “HA” on page 177. HA is not available on
FortiGate 50A, 50AM, and 224B models.

Note: The information on the System Status page applies to the whole HA cluster, not just
the Master unit. This includes information such as URLs visited, emails sent and received,
and viruses caught.


Viewing system status


The System Status page displays by default when you log in to the web-based manager.
Go to System > Status to view the System Status page.


To view this page, your admin profile must permit read access to system configuration. If
you also have system configuration write access, you can modify system information and
update FortiGuard - AV and FortiGuard - IPS definitions. For information on admin
profiles, see “Admin profiles” on page 216.
The System Status page is customizable. You can select which widgets to display, where
they are located on the page, and if they are minimized or maximized. Each display has
an icon associated with it for easy recognition when minimized.

Figure 23: System Status page

Select Add Content to add any of the widgets not currently shown on the System Status
page. Any widgets currently on the System Status page will be greyed out in the Add
Content menu, as you can only have one of each display on the System Status page.
Optionally select Back to Default to restore the historic System Status page configuration.
Position your mouse over a display’s titlebar to see your available options for that display.
The options vary slightly from display to display.

Figure 24: A minimized display (callouts: Widget title, Disclosure arrow, History, Edit,
Refresh, Close)

Widget Title Shows the name of the display.
Disclosure arrow Select to maximize or minimize the display.
History Select to show an expanded set of data. Not available for all widgets.
Edit Select to change settings for the display.
Refresh Select to update the displayed information.
Close Select to close the display. You will be prompted to confirm the action.


The available dashboard widgets are:


• System Information
• License Information
• Unit Operation
• System Resources
• Alert Message Console
• Statistics
• CLI Console
• Top Sessions
• Top Viruses
• Top Attacks
• Traffic History

System Information
Go to System > Status to find System Information.

Figure 25: System Information

Serial Number The serial number of the FortiGate unit. The serial number is specific
to the FortiGate unit and does not change with firmware upgrades.
Uptime The time in days, hours, and minutes since the FortiGate unit was
started.
System Time The current date and time according to the FortiGate unit’s internal
clock.
Select Change to change the time or configure the FortiGate unit to
get the time from an NTP server. For more information, see
“Configuring system time” on page 79.
HA Status The status of high availability for this unit.
Standalone indicates the unit is not operating in HA mode.
Active-Passive or Active-Active indicate the unit is operating in HA
mode.
Select Configure to configure the HA status for this unit. For more
information, see “HA” on page 177.
Host Name The host name of the current FortiGate unit.
Select Change to change the host name.
For more information, see “Changing the FortiGate unit host name”
on page 80.
If the FortiGate unit is in HA mode, this field is not displayed.
Cluster Name The name of the HA cluster for this FortiGate unit. For more
information, see “HA” on page 177.
The FortiGate unit must be operating in HA mode to display this field.


Cluster Members The FortiGate units in the HA cluster. Information displayed about
each member includes host name, serial number, and whether the
unit is a primary (master) or subordinate (slave) unit in the cluster. For
more information, see “HA” on page 177.
The FortiGate unit must be operating in HA mode with virtual
domains disabled to display this field.
Virtual Cluster 1 / Virtual Cluster 2 The role of each FortiGate unit in virtual cluster 1 and
virtual cluster 2. For more information, see “HA” on page 177.
The FortiGate unit must be operating in HA mode with virtual domains enabled to display
these fields.
Firmware Version The version of the current firmware installed on the FortiGate unit.
The format for the firmware version is
Select Update to change the firmware.
For more information, see “Upgrading to a new firmware version” on
page 81.
FortiClient Version The currently stored version of FortiClient. Select Update to upload a
FortiClient software image to this FortiGate unit from your
management computer.
This option is available only on FortiGate models that provide a portal
from which hosts can download FortiClient software, such as
FortiGate-3600 and 5005 models.
Operation Mode The operating mode of the current FortiGate unit. Except for model
224B in switch view, a FortiGate unit can operate in NAT mode or
Transparent mode. Select Change to switch between NAT and
Transparent mode. For more information, see “Changing operation
mode” on page 199
If virtual domains are enabled, this field shows the operating mode of
the current virtual domain. Each virtual domain can be operating in
either NAT mode or Transparent mode.

Virtual Domain Status of virtual domains on your FortiGate unit. Select enable or
disable to change the status of virtual domains feature. Multiple
VDOM operation is not available on a FortiGate-224B unit in switch
view.
If you enable or disable virtual domains, your session will be
terminated and you will need to log in again. For more information,
see “Using virtual domains” on page 103.

Current Administrators The number of administrators currently logged into the FortiGate
unit. Select Details to view more information about each administrator that is currently
logged in. The additional information includes user name, type of connection, IP address
from which they are connecting, and when they logged in.

License Information
License Information displays the status of your technical support contract and FortiGuard
subscriptions. The FortiGate unit updates the license information status indicators
automatically when attempting to connect to the FortiGuard Distribution Network (FDN).
FortiGuard Subscriptions status indicators are green if the FDN was reachable and the
license was valid during the last connection attempt, grey if the FortiGate unit cannot
connect to the FDN, and orange if the FDN is reachable but the license has expired.
Selecting any of the Configure options will take you to the Maintenance page. For more
information, see “System Maintenance” on page 247.


Figure 26: License Information

Support Contract The Fortinet technical support contract number and expiry
date, or registration status.
If Not Registered appears, select Register to register the
unit.
If Expired appears, select Renew for information on
renewing your technical support contract. Contact your local
reseller.
FortiGuard Subscriptions
AntiVirus The FortiGuard Antivirus version, license issue date and service status. If your
license has expired, you can select Renew to renew the license.
AV Definitions The currently installed version of the FortiGuard Antivirus definitions. To
update the definitions manually, select Update. For more information, see “To update
FortiGuard AV Definitions manually” on page 84.
Intrusion Protection The FortiGuard Intrusion Prevention System (IPS) license version,
license issue date and service status. If your license has expired, you can select Renew to
renew the license.
IPS Definitions The currently installed version of the IPS attack definitions. To update the
definitions manually, select Update. For more information, see “To update FortiGuard IPS
Definitions manually” on page 84.
Web Filtering The FortiGuard Web Filtering license, license expiry date and service status.
If your license has expired, you can select Renew to renew the license.
Antispam The FortiGuard Antispam license type, license expiry date and service status. If
your license has expired, you can select Renew to renew the license.
Analysis & Management Services The FortiGuard Analysis Service and Management
Service license, license expiry date and reachability status.
Services Account ID Select “change” to enter a different Service Account ID. This ID is
used to validate your license for subscription services such as FortiGuard Management
Service and FortiGuard Analysis Service.
Virtual Domain
VDOMs Allowed The maximum number of virtual domains the unit supports
with the current license.
For FortiGate 3000 models or higher, you can select the
Purchase More link to purchase a license key through
Fortinet technical support to increase the maximum number
of VDOMs. See “Adding VDOM Licenses” on page 269.


Unit Operation
In the Unit Operation area, an illustration of the FortiGate unit’s front panel shows the
status of the unit’s Ethernet network interfaces. If a network interface is green, that
interface is connected. Pause the mouse pointer over the interface to view the name, IP
address, netmask and current status of the interface.
If you select Reboot or ShutDown, a pop-up window opens allowing you to enter the
reason for the system event.
You can only have one management and one logging/analyzing method displayed for
your FortiGate unit. The graphic for each will change based on which method you choose.
If none are selected, no graphic is shown.

Note: Your reason will be added to the Disk Event Log if disk logging, event logging, and
admin events are enabled. For more information on Event Logging, see “Event log” on
page 613.

Figure 27: Unit Operation (FortiGate-800)

Figure 28: Unit Operation (FortiGate 30B with FGAMS)

Figure 29: Unit Operation (FortiGate 3810A)


INT / EXT / DMZ / HA / WAN1 / WAN2 / 1 / 2 / 3 / 4 The network interfaces on the FortiGate
unit. The names and number of these interfaces vary by model.
The icon below the interface name indicates its up/down status by color. Green indicates
the interface is connected. Grey indicates there is no connection.
For more information about the configuration and status of an interface, pause the mouse
over the icon for that interface. A tooltip displays the full name of the interface, its alias if
one is configured, the IP address and netmask, the status of the link, the speed of the
interface, and the number of sent and received packets.
AMC-SW1/1, ... / AMC-DW1/1, ... If your FortiGate unit supports Advanced Mezzanine
Card (AMC) modules and you have installed an AMC module containing network
interfaces (for example, the FortiGate-ASM-FB4 contains 4 interfaces), these interfaces
are added to the interface status display. The interfaces are named for the module and
the interface. For example, AMC-SW1/3 is the third network interface on the SW1 module,
and AMC-DW2/1 is the first network interface on the DW2 module.
AMC modules can also carry hard disks, such as the ASM-S08 module. When a hard disk
is installed, ASM-S08 is shown along with a horizontal bar and percentage indicating how
full the hard disk is.
FortiAnalyzer The icon on the link between the FortiGate unit graphic and the
FortiAnalyzer graphic indicates the status of their OFTP connection. An ‘X’ on a red icon
indicates there is no connection. A check mark on a green icon indicates there is OFTP
communication.
Select the FortiAnalyzer graphic to configure remote logging to the FortiAnalyzer unit on
your FortiGate unit. See “Logging to a FortiAnalyzer unit” on page 606.
FortiGuard Analysis Service The icon on the link between the FortiGate unit graphic and
the FortiGuard Analysis Service graphic indicates the status of their OFTP connection. An
‘X’ on a red icon indicates there is no connection. A check mark on a green icon indicates
there is OFTP communication.
Select the FortiGuard Analysis Service graphic to configure remote logging to the
FortiGuard Analysis Service. See “FortiGuard Analysis and Management Service” on
page 604.
FortiManager The icon on the link between the FortiGate unit graphic and the
FortiManager graphic indicates the status of the connection. An ‘X’ on a red icon indicates
there is no connection. A check mark on a green icon indicates there is communication
between the two units.
Select the FortiManager graphic to configure central management on your FortiGate unit.
See “Central Management” on page 220.
FortiGuard Management Service The icon on the link between the FortiGate unit graphic
and the FortiGuard Management Service graphic indicates the status of the connection.
An ‘X’ on a red icon indicates there is no connection. A check mark on a green icon
indicates there is communication.
Select the FortiGuard Management Service graphic to configure central management on
your FortiGate unit. See “Central Management” on page 220.
Reboot Select to shut down and restart the FortiGate unit. You will be prompted to enter a
reason for the reboot, which is recorded in the logs.
Shutdown Select to shut down the FortiGate unit. You will be prompted for confirmation,
and also prompted to enter a reason for the shutdown, which is recorded in the logs.


System Resources
The System Resources widget displays basic FortiGate unit resource usage, such as
CPU and memory (RAM) usage. Any System Resources that are not displayed on the
status page can be viewed as a graph by selecting the History icon.
To see the most recent CPU and memory usage, select the Refresh icon.

Figure 30: System Resources

History A graphical representation of the last minute of CPU, memory, sessions, and
network usage. This page also shows the virus and intrusion detections over the last
20 hours. For more information, see “Viewing operational history” on page 83.
CPU Usage The current CPU status displayed as a dial gauge and as a
percentage.
The web-based manager displays CPU usage for core processes
only. CPU usage for management processes (for example, for
HTTPS connections to the web-based manager) is excluded.
Memory Usage The current memory (RAM) status displayed as a dial gauge and as
a percentage.
The web-based manager displays memory usage for core
processes only. Memory usage for management processes (for
example, for HTTPS connections to the web-based manager) is
excluded.
FortiAnalyzer Usage The current status of the FortiAnalyzer disk space used by this
FortiGate unit’s quota, displayed as a pie chart and a percentage.
You can use the System Resources edit menu to select not to
display this information.
This is available only if you have configured logging to a
FortiAnalyzer unit.
Disk Usage The current status of the FortiGate unit disk space used, displayed
as a pie chart and a percentage.
This is available only if you have a hard disk on your FortiGate unit.


Alert Message Console


Alert messages help you track system events on your FortiGate unit such as firmware
changes, network security events, or virus detection events.
Each message shows the date and time that the event occurred.

Figure 31: Alert Message Console

The following types of messages can appear in the Alert Message Console:

System restart The system restarted. The restart could be due to operator action or
power off/on cycling.
Firmware upgraded by <admin_name> The named administrator upgraded the firmware
to a more recent version on either the active or non-active partition.
Firmware downgraded by <admin_name> The named administrator downgraded the
firmware to an older version on either the active or non-active partition.
FortiGate has reached connection limit for <n> seconds The antivirus engine was low on
memory for the duration of time shown. Depending on model and configuration, content
can be blocked or can pass unscanned under these conditions.
Found a new FortiAnalyzer / Lost the connection to FortiAnalyzer Shows that the
FortiGate unit has either found or lost the connection to a FortiAnalyzer unit. See “Logging
to a FortiAnalyzer unit” on page 606.
New firmware is available from FortiGuard An updated firmware image is available to be
downloaded to this FortiGate unit.

If there is insufficient space for all of the messages within the Alert Message Console
widget, select History to view the list of alerts in a new window.
To clear alert messages, select the History icon and then select Clear Alert Messages,
which is located at the top of the pop-up window. This will acknowledge and hide all
current alert messages from your FortiGate unit.
Select Edit to display Custom Alert Display options, which let you suppress the following
kinds of message in the alert message display:
• Do not display system shutdown and restart.
• Do not display firmware upgrade and downgrade.
• Do not display conserve mode messages.
Conserve mode messages are the ones that report the antivirus engine running low on
memory, the condition under which content can pass unscanned; suppressing them
removes that warning from the dashboard.

Statistics
The Statistics widget is designed to allow you to see at a glance what is happening on
your FortiGate unit with regards to network traffic and attack attempts.
You can quickly see the amount and type of traffic as well as any attack attempts on your
system. To investigate an area that draws your attention, select Details for a detailed list of
the most recent activity.
The information displayed in the statistics widget is derived from log messages that can be
saved to a FortiAnalyzer unit, saved locally, or backed up to an external source such as a
syslog server. You can use this data to see trends in network activity or attacks over time.


Note: The Email statistics are based on email protocols. POP3 traffic is registered as
incoming email, and SMTP is outgoing email. If incoming or outgoing email does not use
these protocols, these statistics will not be accurate.

For detailed procedures involving the Statistics list, see “Viewing Statistics” on page 84.

Figure 32: Statistics (callout: Reset)

Since The date and time when the counts were last reset.
Counts are reset when the FortiGate unit reboots, or when you
select Reset.
Reset Reset the Content Archive and Attack Log statistic counts to zero.
Sessions The number of communications sessions being handled by the
FortiGate unit. Select Details for detailed information. See “Viewing
the session list” on page 84.
Content Archive A summary of the HTTP, HTTPS, e-mail, VoIP, and IM/P2P traffic
that has passed through the FortiGate unit, and whose metadata
and/or files or traffic have been content archived.
The Details pages list the last 64 items of the selected type and
provide links to the FortiAnalyzer unit where the archived traffic is
stored. If logging to a FortiAnalyzer unit is not configured, the
Details pages provide a link to Log & Report > Log Config >
Log Settings.
Attack Log A summary of viruses, attacks, spam email messages and blocked
URLs that the FortiGate unit has intercepted. The Details pages list
the most recent 10 items, providing the time, source, destination
and other information.


CLI Console
The System Status page can include a CLI. To use the console, select it to automatically
log in to the admin account you are currently using in the web-based manager. You can
copy (CTRL-C) and paste (CTRL-V) text from or to the CLI Console.

Figure 33: CLI Console (callout: Customize)

The two controls located on the CLI Console widget’s title bar are Customize, and Detach.
Detach moves the CLI Console widget into a pop-up window that you can resize and
reposition. The two controls on the detached CLI Console are Customize and Attach.
Attach moves the CLI console widget back onto the System Status page.
Customize allows you to change the appearance of the console by defining fonts and
colors for the text and background.

Figure 34: Customize CLI Console window

Preview A preview of your changes to the CLI Console’s appearance.
Text Select the current color swatch next to this label, then select a color from the color
palette to the right to change the color of the text in the CLI Console.
Background Select the current color swatch next to this label, then select a color from the
color palette to the right to change the color of the background in the CLI Console.
Use external command input box Select to display a command input field below the
normal console emulation area. When this option is enabled, you can enter commands by
typing them into either the console emulation area or the external command input field.


Console buffer length Enter the number of lines the console buffer keeps in memory.
Valid numbers range from 20 to 9999.
Font Select a font from the list to change the display font of the CLI
Console.
Size Select the size of the font. The default size is 10 points.

Top Sessions
Top Sessions displays either a bar graph or a table showing the IP addresses that have
the most sessions open on the FortiGate unit. The sessions are sorted by their source or
destination IP address, or the port address. The sort criteria being used is displayed in the
top right corner.
The Top Sessions display polls the kernel for session information, which slightly affects FortiGate unit performance. For this reason the display collects data only while it is shown on the dashboard, and the information is stored only in memory.

Note: Rebooting the FortiGate unit will reset the Top Session statistics to zero.

Figure 35: Top sessions bar graph showing destination IP addresses (callouts: Last updated; Sort Criteria; Number of active sessions; Change to a detailed table view; Criteria of Top Sessions (Source IP Address); Number of sessions displayed)

The Top Sessions display is not part of the default dashboard display. It can be displayed
by selecting Add Content > Top Sessions.
To view detailed information about all displayed sessions at once, select Details. This
changes the Top Sessions display to a table format, without opening a new window. To
return to the chart display, select Return. The table displays more detailed information
about sessions than the chart display, including:
• the session protocol such as tcp or udp
• source address and port
• destination address and port
• the ID of the policy, if any, that applies to the session
• how long until the session expires
• which virtual domain the session belongs to


To view detailed information about a single session bar in the chart, click on the bar. The
display will change to the table format, with the filters set to only show the selected
information.
Selecting edit for Top Sessions allows changes to the:
• refresh interval
• sort criteria to change between source and destination addresses of the sessions
• number of top sessions to show

Figure 36: Edit menu for Top Sessions

Sort Criteria: Select the method used to sort the Top Sessions on the System Status display. Choose one of Source Address, Destination Address, or Port Address.
Display UserName: Select to include the username associated with the source IP address, if available. In the table display format this is a separate column. Display UserName is available only when the sort criteria is Source Address.
Resolve Host Name: Select to resolve the IP address to its host name. Resolve Host Name is not available when the sort criteria is Port Address.
Resolve Service: Select to resolve port addresses to their commonly associated service names; for example, port 443 resolves to HTTPS. A port with no associated service continues to be displayed as the port number. Resolve Service is available only when the sort criteria is Port Address.
Display Format: Select how the Top Sessions information is displayed: Chart or Table.
Top Sessions to Show: Select the number of sessions to display: 5, 10, 15, or 20.
Refresh Interval: Select how often the display is updated. The refresh interval range is from 10 to 240 seconds. Selecting 0 disables the automatic refresh of the display; you can still use the manual refresh option on the Top Sessions title bar. Shorter refresh intervals may impact the performance of your FortiGate unit. If this occurs, increase the refresh interval or disable the automatic refresh.
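The aggregation behind the Top Sessions widget and its drill-down into the session table, as an added example; this is not FortiOS code. The session records are constructed sample data shaped like the columns of the session list (protocol, source address and port, destination address and port, policy ID, expiry, VDOM), and the port-to-service table is an assumption standing in for the unit’s own service definitions.

```python
"""Top Sessions aggregation over a session table (added example, not FortiOS code).

The records are constructed sample data shaped like the columns of the
FortiGate session list: protocol, source address and port, destination
address and port, policy ID, expiry and VDOM.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed port-to-service table (an assumption; FortiOS uses its own
# service definitions). Ports not listed are displayed as the port number.
SERVICE_NAMES = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS"}


@dataclass(frozen=True)
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    policy_id: Optional[int]  # None when the session involves only one FortiGate interface
    expiry: int               # seconds until the session expires
    vdom: str = "root"


def resolve_service(port: int) -> str:
    """Port 443 resolves to HTTPS; an unknown port stays as its number."""
    return SERVICE_NAMES.get(port, str(port))


def session_key(s: Session, criteria: str) -> str:
    """The value a session is grouped by for a given sort criteria."""
    if criteria == "source":
        return s.src
    if criteria == "destination":
        return s.dst
    if criteria == "port":
        return resolve_service(s.dport)
    raise ValueError(f"unknown sort criteria: {criteria!r}")


def top_sessions(sessions: List[Session], criteria: str = "source",
                 limit: int = 10) -> List[Tuple[str, int]]:
    """Rank keys by open session count, highest first; ties are ordered by key."""
    counts = Counter(session_key(s, criteria) for s in sessions)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]


def drill_down(sessions: List[Session], criteria: str, value: str) -> List[Session]:
    """Clicking a bar switches to the table view filtered to that bar's sessions."""
    return [s for s in sessions if session_key(s, criteria) == value]


def admin_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions with no policy ID terminate on the FortiGate itself (admin HTTPS, for example)."""
    return [s for s in sessions if s.policy_id is None]


# Constructed sample session table.
SAMPLE_SESSIONS = [
    Session("tcp", "192.0.2.10", 50001, "203.0.113.5", 443, 1, 3600),
    Session("tcp", "192.0.2.10", 50002, "203.0.113.5", 443, 1, 3590),
    Session("tcp", "192.0.2.10", 50003, "203.0.113.9", 80, 1, 120),
    Session("udp", "192.0.2.11", 40001, "203.0.113.53", 53, 2, 60),
    Session("tcp", "192.0.2.12", 50004, "203.0.113.5", 443, 1, 3000),
    Session("tcp", "192.0.2.12", 50005, "203.0.113.7", 8443, 1, 3000),
    Session("tcp", "198.51.100.4", 51000, "192.0.2.1", 443, None, 300),
]

if __name__ == "__main__":
    for criteria in ("source", "destination", "port"):
        print(criteria, top_sessions(SAMPLE_SESSIONS, criteria, limit=5))
    for s in drill_down(SAMPLE_SESSIONS, "source", "192.0.2.10"):
        print(s.proto, s.src, s.sport, s.dst, s.dport, s.policy_id, s.expiry, s.vdom)
    print("sessions to the unit itself:", len(admin_sessions(SAMPLE_SESSIONS)))
```

Ties are broken by key so the ranking is stable whatever order the kernel returned the sessions in; the sessions with an empty policy ID are the ones that terminate on the unit, which is what you look at first when checking who is talking to the management interface.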


Top Viruses
Top Viruses displays a bar graph representing the virus threats that have been detected
most frequently by the FortiGate unit.
The Top Viruses display is not part of the default dashboard display. It can be displayed by
selecting Add Content, and selecting Top Viruses from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent viruses
that have been detected with information including the virus name, when it was last
detected, and how many times it was detected. The system stores up to 1024 entries, but
only displays up to 20 in the GUI.
Selecting the edit icon for Top Viruses allows changes to the:
• refresh interval
• top viruses to show

Top Attacks
Top Attacks displays a bar graph representing the most numerous attacks detected by the
FortiGate unit.
The Top Attacks display is not part of the default dashboard display. It can be displayed by
selecting Add Content > Top Attacks from the drop down menu.
Selecting the history icon opens a window that displays up to the 20 most recent attacks
that have been detected with information including the attack name, when it was last
detected, and how many times it was detected. The FortiGate unit stores up to 1024
entries, but only displays up to 20 in the web-based manager.
Selecting the Edit icon for Top Attacks allows changes to the:
• refresh interval
• top attacks to show

Traffic History
The traffic history display shows the traffic on one selected interface over the last hour,
day, and month. This feature can help you locate peaks in traffic that you need to address
as well as their frequency, duration, and other information.
Only one interface at a time can be monitored. You can change the interface being
monitored by selecting Edit, choosing the interface from the drop down menu, and
selecting Apply. Doing this will clear all the traffic history data.


Figure 37: Traffic History (callout: Interface being monitored)

Interface: The interface that is being monitored.
kbit/s: The units of the traffic graph. The scale varies with traffic levels so that the graph remains readable no matter how little or how much traffic there is.
Last 60 Minutes, Last 24 Hours, Last 30 Days: Three graphs showing the traffic monitored on this interface of the FortiGate unit over different periods of time. Certain trends may be easier to spot in one graph than in the others.
Traffic In: The traffic entering the FortiGate unit on this interface, indicated with a thin red line.
Traffic Out: The traffic leaving the FortiGate unit on this interface, indicated with a dark green line filled in with light green.

Changing system information


FortiGate administrators whose admin profiles permit write access to system configuration
can change the system time, host name and the operation mode for the VDOM.

Configuring system time


1 Go to System > Status.
2 In the System Information section, select Change on the System Time line.
3 Select the time zone and then either set the date and time manually or configure
synchronization with an NTP server.

Figure 38: Time Settings


System Time: The current FortiGate system date and time.
Refresh: Update the display of the current FortiGate system date and time.
Time Zone: Select the current FortiGate system time zone.
Automatically adjust clock for daylight saving changes: Select to automatically adjust the FortiGate system clock when your time zone changes between daylight saving time and standard time.
Set Time: Select to set the FortiGate system date and time to the values you set in the Hour, Minute, Second, Year, Month and Day fields.
Synchronize with NTP Server: Select to use an NTP server to automatically set the system date and time. You must specify the server and synchronization interval.
Server: Enter the IP address or domain name of an NTP server. To find an NTP server that you can use, see http://www.ntp.org.
Sync Interval: Specify how often the FortiGate unit should synchronize its time with the NTP server. For example, a setting of 1440 minutes causes the FortiGate unit to synchronize its time once a day.

Changing the FortiGate unit host name


The FortiGate host name appears on the Status page and in the FortiGate CLI prompt.
The host name is also used as the SNMP system name. For information about SNMP, see
“SNMP” on page 185.
The default host name is the FortiGate unit serial number. For example
FGT8002805030003 would be a FortiGate-800 unit.
Administrators whose admin profiles permit system configuration write access can change
the FortiGate unit host name.

Note: If the FortiGate unit is part of an HA cluster, you should use a unique host name to
distinguish the unit from others in the cluster.

To change the FortiGate unit host name


If the host name is longer than 16 characters, it is displayed truncated, ending with a “~”. The full host name is displayed under System > Status, but the truncated host name is displayed in the CLI prompt and the other places it is used.
1 Go to System > Status.
2 In the Host Name field of the System Information section, select Change.
3 In the New Name field, type a new host name.
4 Select OK.
The new host name is displayed in the Host Name field, and in the CLI prompt, and is
added to the SNMP System Name.

Changing the FortiGate firmware


FortiGate administrators whose admin profiles permit maintenance read and write access
can change the FortiGate firmware. Firmware images can be transferred from a number of
sources including a local hard disk, a local USB disk, or the FortiGuard Network.

Note: To access firmware updates for your FortiGate model, you will need to register your
FortiGate unit with Customer Support. For more information go to
http://support.fortinet.com or contact Customer Support.


For more information about using the USB disk, and the FortiGuard Network see “System
Maintenance” on page 247.

Figure 39: Firmware Upgrade/Downgrade

Upgrade From: Select the firmware source from the drop down list of available sources. Possible sources include Local Hard Disk, USB, and FortiGuard Network.
Upgrade File: Browse to the location of the firmware image on your local hard disk. This field is available for local hard disk and USB only.
Upgrade Partition: The number of the partition being updated. This field is available only if your FortiGate unit has more than one firmware partition.
more info: Select to go to the FortiGuard Center to learn more about firmware updates through the FortiGuard network.

Firmware changes either upgrade to a newer version or revert to an earlier version. Follow
the appropriate procedure to change your firmware.
For more information about managing firmware, see “Managing firmware versions” on
page 93.

Upgrading to a new firmware version


When an update for your FortiGate unit is available, you can update your unit with the new
firmware version.
To determine which firmware version you have, refer to Firmware Version on System > Status > System Information. The version is in the format “X.Y.Z”, where X is the major version number, Y is the minor version number, and Z is the patch number. For example, firmware version 4.0.1 is major version 4, minor version 0, patch 1.
Use the following procedure to upgrade the FortiGate unit to a newer firmware version.

Note: Installing firmware replaces the current antivirus and attack definitions with the
definitions included with the firmware release that you are installing. After you install new
firmware, use the procedure “To update antivirus and attack definitions” on page 265 to
make sure that antivirus and attack definitions are up to date.
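A planning helper for the two procedures that follow, as an added example; it is not Fortinet code. It parses the X.Y.Z version string, decides whether the target image is an upgrade or a revert, and refuses a revert unless a configuration backup path is supplied, because a revert returns the unit to its factory default configuration. The step text and the backup file name are illustrative; the "reinstall" outcome for an identical version is an assumption the guide does not discuss.

```python
"""Firmware change planning for a FortiGate unit (added example, not Fortinet code).

Parses the X.Y.Z version shown on System > Status > System Information,
decides whether a target image is an upgrade or a revert, and refuses a revert
unless a configuration backup exists, because a revert returns the unit to its
factory default configuration.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Version:
    """'4.0.1' -> Version(major=4, minor=0, patch=1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"firmware version not in X.Y.Z form: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def classify_change(current: str, target: str) -> str:
    """Tuple comparison orders by major, then minor, then patch."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt > cur:
        return "upgrade"
    if tgt < cur:
        return "revert"
    return "reinstall"  # same version; an assumption, not a case the guide discusses


def plan_firmware_change(current: str, target: str,
                         backup_path: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return the change kind and the ordered steps the operator must carry out."""
    kind = classify_change(current, target)
    steps: List[str] = []
    if kind == "revert":
        if not backup_path:
            raise RuntimeError("a revert resets the configuration to factory defaults; "
                               "back up the configuration before reverting")
        steps.append(f"back up configuration to {backup_path}")
    steps.append(f"install firmware image {target} (all sessions close and the unit restarts)")
    steps.append("log in and confirm Firmware Version on System > Status")
    if kind == "revert":
        steps.append(f"restore configuration from {backup_path}")
        if parse_version(target).major < parse_version(current).major:
            steps.append("check release notes: a backup from a newer major version may not restore")
    # The image ships its own AV and attack definitions, which replace the current ones.
    steps.append("update antivirus and attack definitions")
    return kind, steps


if __name__ == "__main__":
    for cur, tgt, backup in (("4.0.0", "4.0.1", None), ("4.0.1", "3.0.12", "fgt-4.0.1.conf")):
        kind, steps = plan_firmware_change(cur, tgt, backup)
        print(f"{cur} -> {tgt}: {kind}")
        for n, step in enumerate(steps, 1):
            print(f"  {n}. {step}")
```

The release-notes warning is emitted only when the major version goes down, which is the case the revert procedure calls out (for example v3.0 back to v2.8) where the backup file may not restore.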

To upgrade the firmware using the web-based manager


1 Copy the new firmware image file to your management computer.
The firmware images for FortiGate units are available at the Fortinet Technical Support
web site. Log in to the site and go to Firmware Images > FortiGate.
2 Log into the web-based manager as the super admin, or an administrator account that
has system configuration read and write privileges.
3 Go to System > Status.


4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, closes all sessions, restarts, and displays the FortiGate login. This process
takes a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware
upgrade is successfully installed.
9 Update antivirus and attack definitions. For information about updating antivirus and
attack definitions, see “Configuring FortiGuard Services” on page 258.

Reverting to a previous firmware version


Use the following procedure to revert your FortiGate unit to a previous firmware version.
This also reverts the FortiGate unit to its factory default configuration and deletes IPS
custom signatures, web content lists, email filtering lists, and changes to replacement
messages. Back up your FortiGate unit configuration to preserve this information. For
information, see “About the Maintenance menu” on page 247.
If you are reverting to a previous FortiOS™ version (for example, reverting from FortiOS
v3.0 to FortiOS v2.8), you might not be able to restore the previous configuration from the
backup configuration file.

Note: Installing firmware replaces the current antivirus and attack definitions with the
definitions included with the firmware release that you are installing. After you install new
firmware, use the procedure “To update antivirus and attack definitions” on page 265 to
make sure that antivirus and attack definitions are up to date.

To revert to a previous firmware version using the web-based manager


1 Copy the firmware image file to your management computer.
The firmware images for FortiGate units are available at the Fortinet Technical Support
web site. Log in to the site and go to Firmware Images > FortiGate.
2 Log into the web-based manager as the super admin, or an administrator account that
has system configuration read and write privileges.
3 Go to System > Status.
4 In the System Information section, select Update on the Firmware Version line.
5 Type the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,
resets the configuration, restarts, and displays the FortiGate login. This process takes
a few minutes.
7 Log into the web-based manager.
8 Go to System > Status and check the Firmware Version to confirm that the firmware is
successfully installed.


9 Restore your configuration.
For information about restoring your configuration, see “About the Maintenance menu” on page 247.
10 Update antivirus and attack definitions.
For information about antivirus and attack definitions, see “To update antivirus and attack definitions” on page 265.

Viewing operational history


The System Resource History page displays six graphs representing different system resources and protection activity over time. The graphs refresh every 3 seconds.

To view the operational history


1 Go to System > Status.
2 Select History in the upper right corner of the System Resources section.

Figure 40: Sample system resources history

Time Interval: Select the time interval for the graphs to display.
CPU Usage History: CPU usage for the preceding interval.
Memory Usage History: Memory usage for the preceding interval.
Session History: Number of sessions over the preceding interval.
Network Utilization History: Network utilization for the preceding interval.
Virus History: Number of viruses detected over the preceding interval.
Intrusion History: Number of intrusion attempts detected over the preceding interval.


Manually updating FortiGuard definitions


You can update your FortiGuard - AV and FortiGuard - Intrusion Protection definitions at
any time from the License Information section of the System Status page.

Note: For information about configuring the FortiGate unit for automatic AV and automatic
IPS (attack) definitions updates, see “Configuring FortiGuard Services” on page 258.

To update FortiGuard AV Definitions manually


1 Download the latest AV definitions update file from Fortinet and copy it to the computer
that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 In the License Information section, in the AV Definitions field of the FortiGuard
Subscriptions, select Update.
The Anti-Virus Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the AV definitions update file, or
select Browse and locate the AV definitions update file.
5 Select OK to copy the AV definitions update file to the FortiGate unit.
The FortiGate unit updates the AV definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the FortiGuard - AV Definitions version
information has updated.

To update FortiGuard IPS Definitions manually


1 Download the latest attack definitions update file from Fortinet and copy it to the
computer that you use to connect to the web-based manager.
2 Start the web-based manager and go to System > Status.
3 In the License Information section, in the IPS Definitions field of the FortiGuard
Subscriptions, select Update.
The Intrusion Prevention System Definitions Update dialog box appears.
4 In the Update File field, type the path and filename for the attack definitions update file,
or select Browse and locate the attack definitions update file.
5 Select OK to copy the attack definitions update file to the FortiGate unit.
The FortiGate unit updates the attack definitions. This takes about 1 minute.
6 Go to System > Status to confirm that the IPS Definitions version information has
updated.

Viewing Statistics
The System Status Statistics provide information about sessions, content archiving and
network protection activity.

Viewing the session list


The Statistics section of the System Status page shows the number of active sessions through the FortiGate unit, together with counters for content archiving and attack activity. Select the Details link beside Sessions to open the session list.


To view the session list


1 Go to System > Status.
2 In the Statistics section, select Details on the Sessions line.

Figure 41: Session list

Virtual Domain: Select a virtual domain to list the sessions being processed by that virtual domain. Select All to view sessions being processed by all virtual domains. This is only available if virtual domains are enabled. For more information see “Using virtual domains” on page 103.
Refresh Icon: Update the session list.
First Page: Select to go to the first displayed page of current sessions.
Previous Page: Select to go to the page of sessions immediately before the current page.
Page: Enter the page number at which to start the displayed session list. For example, if there are 5 pages of sessions and you enter 3, page 3 of the sessions is displayed. The number following the ‘/’ is the number of pages of sessions.
Next Page: Select to go to the next page of sessions.
Last Page: Select to go to the last displayed page of current sessions.
Total: The total number of sessions.
Clear All Filters: Select to reset any display filters that may have been set.
Filter Icon: The icon at the top of all columns except # and Expiry. When selected it opens the Edit Filter dialog, allowing you to set the display filters by column. See “Adding filters to web-based manager lists” on page 56.
Protocol: The service protocol of the connection, for example udp, tcp, or icmp.
Source Address: The source IP address of the connection.
Source Port: The source port of the connection.
Destination Address: The destination IP address of the connection.
Destination Port: The destination port of the connection.
Policy ID: The number of the firewall policy allowing this session, or blank if the session involves only one FortiGate interface (an admin session, for example).
Expiry (sec): The time, in seconds, before the connection expires.
Delete icon: Stop an active communication session. Your admin profile must include read and write access to System Configuration.


Viewing the Content Archive information


From the Statistics section of the System Status page, you can view statistics about
HTTP, email, FTP and IM traffic through the FortiGate unit. You can select the Details link
beside each traffic type to view more information.
You can select Reset on the header of the Statistics section to clear the content archive
and attack log information and reset the counts to zero.

Viewing archived HTTP content information


1 Go to System > Status.
2 In the Content Archive section, select Details for HTTP.

Date and Time: The time when the URL was accessed.
From: The IP address from which the URL was accessed.
URL: The URL that was accessed.

Viewing archived Email content information


1 Go to System > Status.
2 In the Content Archive section, select Details for Email.

Date and Time: The time that the email passed through the FortiGate unit.
From: The sender’s email address.
To: The recipient’s email address.
Subject: The subject line of the email.


Viewing archived FTP content information


1 Go to System > Status.
2 In the Content Archive section, select Details for FTP.

Date and Time: The time of access.
Destination: The IP address of the FTP server that was accessed.
User: The user ID that logged into the FTP server.
Downloads: The names of files that were downloaded.
Uploads: The names of files that were uploaded.

Viewing archived IM content information


1 Go to System > Status.
2 In the Content Archive section, select Details for IM.

Date / Time: The time of access.
Protocol: The protocol used in this IM session.
Kind: The kind of IM traffic this transaction is.
Local: The local address for this transaction.
Remote: The remote address for this transaction.
Direction: Whether the file was sent or received.

Viewing the Attack Log


From the Statistics section of the System Status page, you can view statistics about the
network attacks that the FortiGate unit has stopped. You can select the Details link beside
each attack type to view more information.
You can select Reset on the header of the Statistics section to clear the content archive
and attack log information and reset the counts to zero.

Viewing viruses caught


1 Go to System > Status.
2 In the Attack Log section, select Details for AV.


Date and Time: The time when the virus was detected.
From: The sender’s email address or IP address.
To: The intended recipient’s email address or IP address.
Service: The service type, such as POP or HTTP.
Virus: The name of the virus that was detected.

Viewing attacks blocked


1 Go to System > Status.
2 In the Attack Log section, select Details for IPS.

Date and Time: The time that the attack was detected.
From: The source of the attack.
To: The target host of the attack.
Service: The service type.
Attack: The type of attack that was detected and prevented.

Viewing spam email detected


1 Go to System > Status.
2 In the Attack Log section, select Details for Spam.

Date and Time: The time that the spam was detected.
From->To IP: The sender and intended recipient IP addresses.
From->To Email Accounts: The sender and intended recipient email addresses.
Service: The service type, such as SMTP, POP or IMAP.
SPAM Type: The type of spam that was detected.

Viewing URLs blocked


1 Go to System > Status.
2 In the Attack Log section, select Details for Web.

Date and Time: The time that the attempt to access the URL was detected.
From: The host that attempted to view the URL.
URL Blocked: The URL that was blocked.

Topology
The Topology page provides a way to diagram and document the networks connected to your FortiGate unit. The Topology viewer is not available if Virtual Domains (VDOMs) are enabled.
Go to System > Status > Topology to view the system topology. The Topology page
consists of a large canvas upon which you can draw a network topology diagram of your
FortiGate installation.


Figure 42: Topology page (callouts: Zoom/Edit controls; Text object; Subnet object; FortiGate unit object; Viewport; Viewport control)

Viewport and viewport control


The viewport displays only a portion of the drawing area. The viewport control, at the
bottom right of the topology page, represents the entire drawing area. The darker
rectangle represents the viewport. Drag the viewport rectangle within the viewport control
to determine which part of the drawing area the viewport displays.
The “+” and “-” buttons in the viewport control have the same function as the Zoom in and
Zoom out controls.

FortiGate unit object


The FortiGate unit is a permanent part of the topology diagram. You can move it, but not
delete it.
The FortiGate unit object shows the link status of the unit’s interfaces. Green indicates the
interface is up. Gray indicates the interface is down. Select the interface to view its IP
address and netmask, if assigned.


Zoom and Edit controls


The toolbar at the top left of the Topology page shows controls for viewing and editing the
topology diagram.
Table 4: Zoom and Edit controls for Topology

Refresh: Refresh the displayed diagram.
Zoom in: Select to display a smaller portion of the drawing area in the viewport, making objects appear larger.
Zoom out: Select to display a larger portion of the drawing area in the viewport, making objects appear smaller.
Edit: Select to begin editing the diagram. This button expands the toolbar to show the editing controls described below.
Save: Save changes made to the diagram. Note: If you switch to any other page in the web-based manager without saving your changes, your changes are lost.
Add Subnet: Add a subnet object to the diagram. The subnet object is based on the firewall address that you select, and is connected by a line to the interface associated with that address. See “Adding a subnet object” on page 91.
Insert Text: Select this control and then click on the diagram where you want to place the text object. Type the text and then click outside the text box.
Delete: Select the object(s) to delete and then select this control or press the Delete key.
Customize: Select to change the colors and the thickness of lines used in the drawing. See “Customizing the topology diagram” on page 92.
Drag: Select this control and then drag objects in the diagram to arrange them.
Scroll: Select this control and then drag the drawing area background to move the viewport within the drawing area. This has the same effect as moving the viewport rectangle within the viewport control.
Select: Select this control and then drag to create a selection rectangle. Objects within the rectangle are selected when you release the mouse button.
Exit: Select to finish editing the diagram. Save changes first. The toolbar contracts to show only the Refresh and Zoom controls.


Adding a subnet object


While editing the topology diagram, you can select the Add Subnet control to define a
subnet object. The object is drawn and connected by a line to the interface associated with
the address.

Figure 43: Adding an existing subnet to the topology diagram

Figure 44: Adding a new subnet to the topology diagram

Select from existing address/group: Create a subnet object based on an existing firewall address. The object has the name of the firewall address and is connected by a line to the interface associated with that address. For more information about firewall addresses, see “Firewall Address” on page 339.
Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.
Connect to interface: Select the interface or zone to associate with this address. If the field already displays a name, changing the setting changes the interface or zone associated with this existing address. If the address is currently used in a firewall policy, you can choose only the interface selected in the policy.
New addresses: Create a new firewall address and add a subnet object based on that address to the topology diagram. The address is associated with the interface you choose.
Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names to avoid confusion in firewall policies.
Type: Select the type of address: Subnet/IP Range or FQDN.
Subnet / IP Range: If Type is Subnet / IP Range, enter the IP address, followed by a forward slash and then the subnet mask. Alternatively, enter the IP range start address, followed by a hyphen (-) and the IP range end address.
FQDN: If Type is FQDN, enter the fully qualified domain name.
Connect to interface: Select the interface or zone to associate with this address.
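A parser for the address forms the New addresses fields accept, as an added example; it is not FortiOS code. It accepts Subnet/IP Range written as address/mask (prefix length or dotted mask) or as start-end, and FQDN, enforces the rule that addresses, address groups and virtual IPs share one namespace, and checks whether an IP falls inside an address. The address names, interface names and the AddressBook class are illustrative assumptions, as is treating the name check as case-sensitive.

```python
"""Firewall address objects behind the topology subnet object (added example, not FortiOS code).

Parses the address forms the guide describes for a new address: Subnet/IP Range
written as address/mask or as start-end, and FQDN. Enforces the rule that
addresses, address groups and virtual IPs must have unique names, and checks
whether an IP falls inside an address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Tuple, Union

_RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})$")
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$")

AddressValue = Union[ipaddress.IPv4Network,
                     Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address], str]


@dataclass(frozen=True)
class FirewallAddress:
    name: str
    kind: str            # "subnet", "range" or "fqdn"
    value: AddressValue
    interface: str       # interface or zone the address is connected to


def parse_firewall_address(name: str, text: str, interface: str = "internal") -> FirewallAddress:
    """Parse one address in the forms the web-based manager accepts."""
    text = text.strip()
    if "/" in text:
        # strict=False accepts both 192.168.1.0/24 and 192.168.1.0/255.255.255.0,
        # and masks off any host bits set in the address part.
        net = ipaddress.IPv4Network(text, strict=False)
        return FirewallAddress(name, "subnet", net, interface)
    m = _RANGE_RE.match(text)
    if m:
        start, end = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        if end < start:
            raise ValueError(f"IP range end precedes start: {text!r}")
        return FirewallAddress(name, "range", (start, end), interface)
    if _FQDN_RE.match(text):
        return FirewallAddress(name, "fqdn", text.lower(), interface)
    raise ValueError(f"not a subnet, IP range or FQDN: {text!r}")


def address_contains(addr: FirewallAddress, ip: str) -> bool:
    """Static membership test; an FQDN address resolves at runtime, so it never matches here."""
    host = ipaddress.IPv4Address(ip)
    if addr.kind == "subnet":
        return host in addr.value
    if addr.kind == "range":
        start, end = addr.value
        return start <= host <= end
    return False


class AddressBook:
    """Addresses, address groups and virtual IPs share one namespace (assumed case-sensitive)."""

    def __init__(self) -> None:
        self._objects: Dict[str, Tuple[str, object]] = {}

    def add(self, obj_type: str, name: str, obj: object) -> None:
        if name in self._objects:
            existing_type = self._objects[name][0]
            raise ValueError(f"name {name!r} already used by a {existing_type}")
        self._objects[name] = (obj_type, obj)

    def __len__(self) -> int:
        return len(self._objects)


if __name__ == "__main__":
    book = AddressBook()
    for name, text, intf in (("lan", "192.168.1.0/255.255.255.0", "internal"),
                             ("dhcp-pool", "10.0.0.50-10.0.0.99", "dmz"),
                             ("mail", "mail-server.example.com", "wan1")):
        addr = parse_firewall_address(name, text, intf)
        book.add("address", name, addr)
        print(f"{addr.name}: {addr.kind} {addr.value} on {addr.interface}")
```

The range check runs before the FQDN check because a host name may legitimately contain a hyphen; only two dotted quads joined by a hyphen are treated as a range, and a reversed range is rejected rather than silently matching nothing.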


Customizing the topology diagram


In System > Status > Topology, select the Customize button to open the Topology
Customization window. Modify the settings as needed and select OK when you are
finished.

Figure 45: Topology Customization window

Preview: A simulated topology diagram showing the effect of the selected appearance options.
Canvas Size: The size of the drawing in pixels.
Resize to Image: If you selected an image as Background, resize the diagram to fit within the image.
Background: One of Solid (a solid color selected in Background Color), U.S. Map (a map of the United States), World Map (a map of the world), or Upload My Image (upload the image from Image Path).
Background Color: Select the color of the diagram background.
Image path: If you selected Upload My Image for Background, enter the path to your image, or use the Browse button to find it.
Exterior Color: Select the color of the border region outside your diagram.
Line Color: Select the color of connecting lines between subnet objects and interfaces.
Line Width: Select the thickness of connecting lines.
Reset to Default: Reset all topology diagram settings to default.


Managing firmware versions


Fortinet recommends reviewing this section before upgrading because it contains
important information about how to properly back up your current configuration settings
and what to do if the upgrade is unsuccessful.
You should also review the FortiGate Upgrade Guide when a new firmware version is
released, or the What’s New chapter of this guide when a new firmware maintenance
release is released. Both contain valuable information about the changes and new
features that may cause issues with the current configuration.
In addition to firmware images, Fortinet releases patch releases—maintenance release
builds that resolve important issues. Fortinet strongly recommends reviewing the release
notes for the patch release before upgrading the firmware. Follow the steps below:
• Download and review the release notes for the patch release.
• Download the patch release.
• Back up the current configuration.
• Install the patch release using the procedure “Testing firmware before upgrading” on
page 95.
• Test the patch release until you are satisfied that it applies to your configuration.
Installing a patch release without reviewing release notes or testing the firmware may
result in changes to settings or unexpected issues.
With FortiOS 4.0, you can also configure your FortiGate unit to use NAT while in
transparent mode. For more information, see the Fortinet Knowledge Center article,
Configuring NAT in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, system firmware versions
are configured globally. For more information, see “Using virtual domains” on page 103.
This section describes:
• Backing up your configuration
• Testing firmware before upgrading
• Upgrading your FortiGate unit
• Reverting to a previous firmware image
• Restoring your configuration

Note: For more information about the settings that are available on the Backup and
Restore page, (such as remotely backing up to a FortiManager unit), see “System
Maintenance” on page 247.


Backing up your configuration


Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.

You can back up configuration settings to a local PC, a FortiManager unit, FortiGuard
Management server, or to a USB key. You can also back up to a FortiGuard Management
server if you have FortiGuard Analysis and Management Service enabled.
Fortinet recommends backing up all configuration settings from your FortiGate unit before
upgrading to FortiOS 4.0. This ensures all configuration settings are still available if you
require downgrading to FortiOS 3.0 MR7 and want to restore those configuration settings.

Backing up your configuration through the web-based manager


You can back up your configuration to a variety of locations, such as a FortiManager unit
or a FortiGuard Management server. The following procedure describes how to properly
back up your current configuration in the web-based manager.

To back up your configuration file through the web-based manager


1 Go to System > Maintenance > Backup & Restore.
2 Select to back up the configuration to either a Local PC, FortiManager, or FortiGuard (if
your FortiGate unit is configured for FortiGuard Analysis and Management Service).
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file check box, enter a password, and then enter it again to
confirm.
3 Select Backup.
4 Save the file.
Backing up your configuration through the CLI
You can back up your configuration file using a TFTP or FTP server, or the USB key. If you
have the FortiGuard Analysis and Management Service configured, you can also back up
your configuration to the FortiGuard Management server.
When backing up your configuration in the CLI, you can choose to back up the entire
configuration (execute backup full-config) or part of the configuration (execute
backup config). If you have virtual domains, there are limitations to what certain
administrators are allowed to back up. For more information, see the FortiGate CLI
Reference.
The following procedure describes how to back up your current configuration in the CLI
and assumes that you are familiar with the following commands. For more information
about the individual commands used in the following procedure, see the FortiGate CLI
Reference.

To back up your configuration file through the CLI


1 Enter the following to back up the configuration file to a USB key:
execute backup config usb <backup_filename> <encrypt_passwd>
2 Enter the following to back up the configuration file to a TFTP or FTP server:
execute backup config {tftp | ftp} <backup_filename>
<tftp_server_ipaddress | ftp_server[:ftp_port]> <ftp_username>
<ftp_passwd> <encrypt_passwd>


3 Enter the following to back up the configuration to a FortiGuard Management server:


execute backup config management-station <comment>

To back up the entire configuration file through the CLI


Enter the following to back up the entire configuration file:
execute backup full-config {tftp | ftp | usb} <backup_filename>
<tftp_server_ipaddress | ftp_server[:ftp_port]> <ftp_username>
<ftp_passwd> <encrypt_passwd>

Backing up your configuration to a USB key


If your FortiGate unit has a USB port, you can back up your current configuration to a USB
key. When backing up a configuration file to a USB key, verify that the USB key is
formatted as a FAT16 disk. The FAT16 format is the only supported partition type. For
more information, see “Formatting USB Disks” on page 255.
Before proceeding, ensure that the USB key is inserted in the FortiGate unit’s USB port.

To back up your configuration to the USB key


1 Go to System > Maintenance > Backup & Restore.
2 Select USB Disk from Backup configuration to list.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file check box, enter a password, and then enter it again to
confirm.
3 Select Backup.
After successfully backing up your configuration file, either from the CLI or the web-
based manager, proceed with upgrading to FortiOS 4.0.

Testing firmware before upgrading


You may want to test the firmware that you need to install before upgrading to a new
firmware version, or to a maintenance or patch release. By testing the firmware, you can
familiarize yourself with the new features and changes to existing features, as well as
understand how your configuration works with the firmware. A firmware image is tested by
installing it from a system reboot, and then saving it to system memory. After the firmware
is saved to system memory, the FortiGate unit operates using the firmware with the
current configuration.
The following procedure does not permanently install the firmware; the next time the
FortiGate unit restarts, it operates using the firmware originally installed on the FortiGate
unit. You can install the firmware permanently by using the procedures in “Upgrading your
FortiGate unit” on page 97.
You can use the following procedure for either a regular firmware image or a patch
release.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.

To test the firmware image before upgrading


1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.


4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following to restart the FortiGate unit.
execute reboot
6 As the FortiGate unit reboots, a series of system startup messages appears. When the
following message appears, immediately press any key to interrupt the system startup:
Press any key to display configuration menu…
You have only three seconds to press any key. If you do not press a key soon enough,
the FortiGate unit reboots and you must log in and repeat steps 5 to 6 again.
If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
7 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.188]:
9 Type the internal IP address of the FortiGate unit.
This IP address connects the FortiGate unit to the TFTP server. This IP address must
be on the same network as the TFTP server, but make sure you do not use an IP
address of another device on the network.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the
following appears:
Save as Default firmware/Backup firmware/Run image without saving: [D/B/R]
11 Type R.
The FortiGate firmware image installs and saves to system memory. The FortiGate unit
starts running the new firmware image with the current configuration.
When you have completed testing the firmware, you can reboot the FortiGate unit and
resume using the original firmware.


Upgrading your FortiGate unit


If your upgrade is successful, and your FortiGate unit has a hard drive, you can use the
Boot alternate firmware option located in System > Maintenance > Backup and Restore.
This option enables you to have two firmware images, such as FortiOS 3.0 MR7 and
FortiOS 4.0, available for downgrading or upgrading.
If the upgrade was not successful, go to “Reverting to a previous firmware image” on
page 99.
For additional information about upgrading issues, see the FortiGate Upgrade Guide
for 4.0.
You can also use the following procedure when installing a patch release. A patch release
is a firmware image that resolves specific issues, but does not contain new features or
changes to existing features. You can install a patch release whether or not you upgraded
to the current firmware version.

Upgrading to FortiOS 4.0 in the web-based manager


Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.

The following procedure describes how to upgrade to FortiOS 4.0 in the web-based
manager. Fortinet recommends using the CLI to upgrade to FortiOS 4.0. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings.

To upgrade to FortiOS 4.0 in the web-based manager


1 Download the firmware image file to your management computer.
2 Log in to the web-based manager.
3 Go to System > Status and locate the System Information widget.
4 Beside Firmware Version, select Update.
5 Enter the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process may take a few
minutes.
When the upgrade is successfully installed:
• ping to your FortiGate unit to verify there is still a connection.
• clear the browser’s cache and log in to the web-based manager.
After logging back in to the web-based manager, you should save the configuration
settings that carried forward. Some settings may have carried forward from FortiOS
3.0 MR7, while others may not have, such as certain IPS group settings. Go to System >
Maintenance > Backup and Restore to save the configuration settings that carried
forward.

Note: After upgrading to FortiOS 4.0, perform an “Update Now” to retrieve the latest
AV/NIDS signatures from the FortiGuard Distribution Network (FDN) as these signatures
included in the firmware may be older than those currently available on the FDN. See the
FortiGate Administration Guide for more information about updating AV/NIDS signatures.


Upgrading to FortiOS 4.0 in the CLI


Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading firmware, or resetting configuration to factory defaults.

The following procedure uses a TFTP server to upgrade the firmware. The CLI upgrade
procedure reverts all current firewall configurations to factory default settings.
See the Fortinet Knowledge Center article, Loading FortiGate firmware using TFTP for
CLI procedure, for additional information about upgrading firmware in the CLI.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.

To upgrade to FortiOS 4.0 in the CLI


1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image image.out 192.168.1.168
The FortiGate unit responds with a message similar to the following:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, and restarts. This process takes a few minutes.
7 Reconnect to the CLI.
8 Enter the following command to confirm the firmware image installed successfully:
get system status
9 To update antivirus and attack definitions from the CLI, enter the following:
execute update-now
If you want to update antivirus and attack definitions from the web-based manager
instead, log in to the web-based manager and go to System > Maintenance >
FortiGuard.


Verifying the upgrade


After logging back in to the web-based manager, most of your FortiOS 3.0 MR7
configuration settings have been carried forward. For example, if you go to System >
Network > Options you can see your DNS settings carried forward from your FortiOS
3.0 MR7 configuration settings.
You should verify what configuration settings carried forward. You should also verify that
administrative access settings carried forward as well. Verifying your configuration
settings allows you to familiarize yourself with the new features and changes in FortiOS
4.0.
You can verify your configuration settings by:
• going through each menu and tab in the web-based manager
• using the show shell command in the CLI.

Reverting to a previous firmware image


You may need to revert to a previous firmware image (or version, for example, FortiOS
3.0) if the upgrade was not successfully installed. The following procedures describe how
to properly downgrade to a previous firmware image using either the web-based manager
or CLI, and include steps on how to restore your previous configuration.
The following are included in this topic:
• Downgrading to a previous firmware in the web-based manager
• Downgrading to a previous firmware in the CLI
• Restoring your configuration

Downgrading to a previous firmware in the web-based manager


Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading, or when resetting to factory defaults.

When downgrading to a previous firmware, only the following settings are retained:
• operation mode
• Interface IP/Management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system accprofiles.
If you created additional settings in FortiOS 4.0, make sure to back up the current
configuration before downgrading. For more information, see “Backing up your
configuration” on page 94.
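A way to check what carried forward after an upgrade (the verification described under “Verifying the upgrade”) and which sections of a backup fall outside the list of settings retained on downgrade, as an added example that is not part of this guide or of Fortinet's software. It assumes backup files in the plain-text config/edit/set/next/end layout of an unencrypted backup; the sample configurations are constructed, and the mapping from the guide's retained-settings list to config section names is an assumption.

```python
"""Compare FortiOS CLI-format configuration backups section by section.
Added example, not from the FortiGate guide or Fortinet. Assumes the plain-text
config/edit/set/next/end layout of an unencrypted backup; the mapping below
from the guide's downgrade list to config section names is an assumption."""
from collections import defaultdict

RETAINED_ON_DOWNGRADE = {
    "system settings",        # operation mode
    "system interface",       # interface IP / management IP
    "router static",          # static route table
    "system dns",             # DNS settings
    "system vdom",            # VDOM parameters
    "system admin",           # admin user accounts
    "system session-helper",  # session helpers
    "system accprofile",      # access profiles
}


def parse_config(text):
    """Return {section: {entry: {setting: value}}}. Entries without `edit`
    (e.g. system global) use "-"; settings in nested config blocks get keys
    like "entries[1]/severity" so two parses compare directly."""
    sections = defaultdict(dict)
    path, entries = [], []  # one element per currently open config level
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            path.append(rest)
            entries.append(None)
        elif word == "edit":
            entries[-1] = rest.strip('"')
        elif word == "set":
            key, _, value = rest.partition(" ")
            nested = [p + (f"[{e}]" if e else "") for p, e in zip(path[1:], entries[1:])]
            entry = sections[path[0]].setdefault(entries[0] or "-", {})
            entry["/".join(nested + [key])] = value
        elif word == "next":
            entries[-1] = None
        elif word == "end":
            path.pop()
            entries.pop()
    return dict(sections)


def diff_configs(before_text, after_text):
    """Return (missing, changed): section -> entry names that are absent after
    the upgrade, and section -> entry names whose settings differ."""
    before, after = parse_config(before_text), parse_config(after_text)
    missing, changed = {}, {}
    for section, entries in before.items():
        for name, settings in entries.items():
            if name not in after.get(section, {}):
                missing.setdefault(section, []).append(name)
            elif after[section][name] != settings:
                changed.setdefault(section, []).append(name)
    return missing, changed


def downgrade_loss_report(config_text):
    """Sections in a backup that the guide does not list as retained on
    downgrade; they come back only from the saved configuration file."""
    return sorted(s for s in parse_config(config_text) if s not in RETAINED_ON_DOWNGRADE)


# Constructed sample: BEFORE is the pre-upgrade backup; AFTER is a backup taken
# after upgrading, where the IPS sensor did not carry forward and SSH was
# dropped from the internal interface's administrative access.
BEFORE = """\
#config-version=CONSTRUCTED-SAMPLE-BEFORE
config system global
    set hostname "FGT-edge"
end
config system interface
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
config router static
    edit 1
        set gateway 192.168.1.1
    next
end
config ips sensor
    edit "protect_servers"
        config entries
            edit 1
                set severity high
            next
        end
    next
end"""
AFTER = BEFORE.replace("ping https ssh", "ping https").split("config ips sensor")[0]

if __name__ == "__main__":
    missing, changed = diff_configs(BEFORE, AFTER)
    print("did not carry forward:", missing)
    print("settings changed:", changed)
    print("restore from backup after downgrade:", downgrade_loss_report(BEFORE))
```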

To downgrade in the web-based manager


1 Go to System > Status and locate the System Information widget.
2 Beside Firmware Version, select Update.


3 Enter the path and filename of the firmware image file, or select Browse and locate the
file.
4 Select OK.
The following message appears:
This version will downgrade the current firmware version. Are
you sure you want to continue?
5 Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version,
resets the configuration, restarts, and displays the FortiGate login. This process takes
a few minutes.
6 Log in to the web-based manager.
Go to System > Status to verify that the firmware version under System Information
has changed to the correct firmware.

Verifying the downgrade


After successfully downgrading to a previous firmware, verify your connections and
settings. If you are unable to connect to the web-based manager, make sure your
administration access settings and internal network IP address are correct. The
downgrade may change your configuration settings to default settings.

Downgrading to a previous firmware in the CLI


Caution: Always back up your configuration before installing a patch release,
upgrading/downgrading, or when resetting to factory defaults.

When downgrading to a previous firmware, only the following settings are retained:
• operation mode
• Interface IP/Management IP
• route static table
• DNS settings
• VDOM parameters/settings
• admin user account
• session helpers
• system accprofiles.
If you have created additional settings in FortiOS 4.0, make sure you back up your
configuration before downgrading. For more information, see “Backing up your
configuration” on page 94.
The following procedure assumes that you have already downloaded the firmware image
to your management computer.

To downgrade in the CLI


1 Copy the new firmware image file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.


4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ipv4> is the
IP address of the TFTP server. For example, if the firmware image file name is
image.out and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version! Do you
want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message
similar to the following is displayed:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
After the FortiGate unit uploads the firmware, you need to reconfigure your IP address
since the FortiGate unit reverts to default settings, including its default IP address. See
your install guide for configuring IP addresses.
8 Reconnect to the CLI.
9 Enter the following command to confirm the firmware image installed successfully:
get system status
See “Restoring your configuration” on page 101 to restore your previous configuration
settings.

Restoring your configuration


Your configuration settings may not carry forward after downgrading to a previous
firmware. You can restore your configuration settings for a previous firmware with the
configuration file you saved before upgrading to FortiOS 4.0.
You can also use the following procedures for restoring your configuration after installing a
current patch release or maintenance release.

Restoring your configuration settings in the web-based manager


The following procedure restores your previous firmware configuration settings in the
web-based manager.


To restore configuration settings in the web-based manager


1 Log in to the web-based manager.
2 Go to System > Maintenance > Backup & Restore.
3 Select to restore the configuration from either a Local PC, FortiManager or FortiGuard
(if your FortiGate unit is configured for FortiGuard Analysis and Management Service).
4 If required, enter your password for the configuration file.
5 Enter the location of the file or select Browse to locate the file.
6 Select Restore.
The FortiGate unit restores the configuration settings. This may take a few minutes since
the FortiGate unit will reboot.
You can verify that the configuration settings are restored by logging in to the web-based
manager and going through the various menus and tabs.
Restoring your configuration settings in the CLI
The following procedure restores your previous firmware configuration settings in the CLI.

To restore configuration settings in the CLI


1 Copy the backed-up configuration file to the root directory of the TFTP server.
2 Start the TFTP server.
3 Log in to the CLI.
4 Enter the following command to ping the computer running the TFTP server:
execute ping <server_ipaddress>
Pinging the computer running the TFTP server verifies that the FortiGate unit and
TFTP server are successfully connected.
5 Enter the following command to copy the backed-up configuration file to restore the
file on the FortiGate unit:
execute restore allconfig <name_str> <tftp_ipv4> <passwrd>
Where <name_str> is the name of the backed up configuration file and
<tftp_ipv4> is the IP address of the TFTP server and <passwrd> is the password
you entered when you backed up your configuration settings. For example, if the
backed up configuration file is confall and the IP address of the TFTP server is
192.168.1.168 and the password is ghrffdt123:
execute restore allconfig confall 192.168.1.168 ghrffdt123
The FortiGate unit responds with the message:
This operation will overwrite the current settings and the
system will reboot!
Do you want to continue? (y/n)
6 Type y.
The FortiGate unit uploads the backed up configuration file. After the file uploads, a
message, similar to the following, is displayed:
Getting file confall from tftp server 192.168.1.168
##
Restoring files...
All done. Rebooting...
This may take a few minutes.
Use the CLI show shell command to verify your settings are restored, or log in to the
web-based manager.


Using virtual domains


This section describes virtual domains (VDOMs) along with some of their benefits, and
how to use VDOMs to operate your FortiGate unit as multiple virtual units.
If you enable VDOMs on the FortiGate unit, you configure virtual domains globally for the
FortiGate unit.
To get started working with virtual domains, see “Enabling VDOMs” on page 107.
This section describes:
• Virtual domains
• Enabling VDOMs
• Configuring global and VDOM resource limits
• Configuring VDOMs and global settings

Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual
units that function as multiple independent units. A single FortiGate unit is then flexible
enough to serve multiple departments of an organization, separate organizations, or to act
as the basis for a service provider’s managed security service.

Benefits of VDOMs
Some benefits of VDOMs are:
• Easier administration
• Continued security maintenance
• Savings in physical space and power

Easier administration
VDOMs provide separate security domains that allow separate zones, user authentication,
firewall policies, routing, and VPN configurations. Using VDOMs can also simplify
administration of complex configurations because you do not have to manage as many
routes or firewall policies at one time. For more information, see “VDOM configuration
settings” on page 105.
By default, each FortiGate unit has a VDOM named root. This VDOM includes all of the
FortiGate physical interfaces, modem, VLAN subinterfaces, zones, firewall policies,
routing settings, and VPN settings.
Also you can assign an administrator account restricted to that VDOM. If the VDOM is
created to serve an organization, this feature enables the organization to manage its own
configuration.
Management systems such as SNMP, logging, alert email, FDN-based updates and NTP-
based time setting use addresses and routing in the management VDOM to communicate
with the network. They can connect only to network resources that communicate with the
management virtual domain. The management VDOM is set to root by default, but you
can change it. For more information, see “Changing the management VDOM” on
page 115.


Continued security maintenance


When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create
firewall policies for connections between VLAN subinterfaces or zones in the VDOM.
Packets do not cross the virtual domain border internally. To travel between VDOMs, a
packet must pass through a firewall on a physical interface. The packet then arrives at
another VDOM on a different interface, but it must pass through another firewall before
entering the VDOM. Both VDOMs are on the same FortiGate unit. Inter-VDOMs change
this behavior in that they are internal interfaces; however their packets go through all the
same security measures as on physical interfaces.
Without VDOMs, administrators can easily access settings across the FortiGate unit. This
can lead to security issues or far-reaching configuration errors. However, administrator
permissions are specific to one VDOM. An admin on one VDOM cannot change
information on another VDOM. Any configuration changes, and potential errors, will apply
only to that VDOM and limit potential down time.
The remainder of the FortiGate unit’s functionality is global—it applies to all VDOMs on
the unit. This means there is one intrusion prevention configuration, one antivirus
configuration, one web filter configuration, one protection profile configuration, and so on.
VDOMs also share firmware versions, as well as antivirus and attack databases. The
operating mode, NAT/Route or Transparent, can be selected independently for each
VDOM. For a complete list of shared configuration settings, see “Global configuration
settings” on page 106.

Savings in physical space and power


Increasing VDOMs involves no extra hardware, no shipping, and very few changes to
existing networking. They take no extra physical space—you are limited only by the size of
the license you buy for your VDOMs.
By default, your FortiGate unit supports a maximum of 10 VDOMs in any combination of
NAT/Route and Transparent modes. For FortiGate models numbered 3000 and higher,
you can purchase a license key to increase the maximum number of VDOMs to 25, 50,
100 or 250. For more information see “Adding VDOM Licenses” on page 269.

Note: There is no support for VDOMs in the FortiGate-30B. Starting with FortiOS 4.0, all
FortiGate models 50 to 110 support only 5 VDOMs.

Note: During configuration on a FortiAnalyzer unit, VDOMs count toward the maximum
number of FortiGate units allowed by the FortiAnalyzer unit’s license. The total number of
devices registered can be seen on the FortiAnalyzer unit’s System Status page under
License Information.

If virtual domain configuration is enabled and you log in as the default super_admin, you
can go to System > Status and look at Virtual Domain in the License Information section to
see the maximum number of virtual domains supported on your FortiGate unit.
For more information on VDOMs, see the FortiGate VLANs and VDOMs Guide.


VDOM configuration settings


To configure and use VDOMs, you must enable virtual domain configuration. For more
information, see “Enabling VDOMs” on page 107.
You can configure a VDOM by adding VLAN subinterfaces, zones, firewall policies,
routing settings, and VPN settings. You can also move physical interfaces from the root
VDOM to other VDOMs and move VLAN subinterfaces from one VDOM to another. For
more information on VLANs, see “VLAN overview” on page 151.
The following configuration settings are exclusively part of a virtual domain and are not
shared between virtual domains. A regular VDOM administrator sees only these settings.
The default super_admin can also access these settings, but must first select which
VDOM to configure.
Table 5: VDOM configuration settings

Configuration Object  For more information, see

System
Network Zone  “Configuring zones” on page 139
Network Web Proxy  “Web Proxy” on page 148
Network Routing Table (Transparent mode)  “Routing table (Transparent Mode)” on page 149
Network Modem  “Configuring the modem interface” on page 140
Wireless Settings  “Wireless settings” on page 162
Wireless MAC Filter  “Wireless MAC Filter” on page 166
Wireless Monitor  “Wireless Monitor” on page 167
Wireless Rogue AP  “Rogue AP detection” on page 169
DHCP Service  “Configuring DHCP services” on page 172
DHCP Address Leases  “Viewing address leases” on page 175
Config Operation mode (NAT/Route or Transparent)  “Changing operation mode” on page 199
Config Management IP (Transparent mode)  “Changing operation mode” on page 199
Router
Static  “Router Static” on page 271
Dynamic  “Router Dynamic” on page 283
Monitor  “Router Monitor” on page 309
Firewall
Policy  “Firewall Policy” on page 313
Address  “Firewall Address” on page 339
Service  “Firewall Service” on page 345
Schedule  “Firewall Schedule” on page 355
Virtual IP  “Firewall Virtual IP” on page 359
Virtual IP Group  “Virtual IP Groups” on page 374
Virtual IP, IP pool  “IP pools” on page 375
Load Balance  “Firewall Load Balance” on page 383
Protection Profile  “Firewall Protection Profile” on page 391
UTM
AntiVirus File Filter  “File Filter” on page 429
Intrusion Protection  “Intrusion Protection” on page 441
Web Filter  “Web Filter” on page 459
AntiSpam  “Antispam” on page 477
Data Leak Prevention  “Data Leak Prevention” on page 491
Application Control  “Application control” on page 499
VPN
IPSec  “VPN IPSEC” on page 505
PPTP  “VPN PPTP” on page 521
SSL  “VPN SSL” on page 525
User
Local  “Local user accounts” on page 540
Remote  “Remote” on page 543
Directory Service  “Directory Service” on page 551
PKI  “PKI” on page 553
User Group  “User Group” on page 554
Options  “Settings” on page 222
Monitor  “Monitoring administrators” on page 223
Log&Report
Logging configuration (Memory only)  “FortiGate logging” on page 603
Alert E-mail (Send alert email for the following)  “Configuring Alert Email” on page 623
Event Log  “Event log” on page 613
Log access (Memory only)  “Accessing Logs” on page 616
Content Archive  “Content Archive” on page 622
Report Access  “Reports” on page 625

Global configuration settings


The following configuration settings affect all virtual domains. When virtual domains are
enabled, only accounts with the default super_admin profile can access global settings.
Table 6: Global configuration settings

Configuration Object                          For more information, see

System
  Status System Time                          “Configuring system time” on page 79
  Status Host name                            “Changing the FortiGate unit host name” on page 80
  Status Firmware version                     “Upgrading to a new firmware version” on page 81 (System
                                              Status page) or “Managing firmware versions” on page 93.
  Network Interfaces and VLAN subinterfaces   “Interfaces” on page 119 and “VLAN overview” on page 151
                                              (You configure interfaces as part of the global
                                              configuration but each interface and VLAN subinterface
                                              belongs to a VDOM. You add interfaces to VDOMs as part of
                                              the global configuration.)
  Network Options DNS                         “DNS Servers” on page 147
  Network Options Dead gateway detection      “Dead gateway detection” on page 147
  Admin Settings Idle and authentication      “Settings” on page 222 and “Getting started - User
  time-out                                    authentication” on page 539
  Admin Settings Web-based manager language   “Settings” on page 222
  Admin Settings LCD panel PIN, where         “Settings” on page 222
  applicable
  Wireless Settings                           “Wireless settings” on page 162
  Wireless MAC Filter                         “Wireless MAC Filter” on page 166
  Wireless Monitor                            “Wireless Monitor” on page 167
  Wireless Rogue AP                           “Rogue AP detection” on page 169
  Config HA                                   “HA” on page 177
  Config SNMP                                 “SNMP” on page 185
  Config Replacement messages                 “Replacement messages” on page 195
  Admin Administrators                        “Administrators” on page 203 (You can add global
                                              administrators. You can also add administrators to
                                              VDOMs. VDOM administrators cannot add or configure
                                              administrator accounts.)
  Admin profiles                              “Admin profiles” on page 216
  Admin Central Management configuration      “Central Management” on page 220
  Certificates                                “System Certificates” on page 237
  Configuration backup and restore            “Backing up and restoring” on page 248
  Scripts                                     “Using script files” on page 256
  FDN update configuration                    “FortiGuard Distribution Network” on page 258
UTM
  AntiVirus                                   “AntiVirus” on page 425
Log&Report
  Log Configuration (Remote and Syslog)       “FortiGate logging” on page 603
  Alert E-mail (Alert email account settings) “Configuring Alert Email” on page 623
  Report Config                               “Reports” on page 625
  Report Access                               “Reports” on page 625

Enabling VDOMs
Using the default admin administration account, you can enable multiple VDOM operation
on the FortiGate unit.


To enable virtual domains


1 Log in to the web-based manager on a super_admin profile account.
2 Go to System > Status.
3 In System Information, next to Virtual Domain select Enable.
The FortiGate unit logs you off. You can now log in again as admin.
Alternatively, through the CLI, enter:
    config system global
        set vdom-admin enable
    end
When virtual domains are enabled, the web-based manager and the CLI are changed as
follows:
• Global and per-VDOM configurations are separated.
• A new VDOM entry appears under the System option.
• Within a VDOM, reduced dashboard menu options are available, and a new Global
option appears. Selecting Global exits the current VDOM.
• There is no operation mode selection at the Global level.
• Only super_admin profile accounts can view or configure global options.
• Super_admin profile accounts can configure all VDOM configurations.
• One or more administrators can be set up for each VDOM; however, these admin
accounts cannot edit settings for any VDOMs for which they are not set up.
When virtual domains are enabled, the current virtual domain is displayed at the bottom
left of the screen, in the format Current VDOM: <name of the virtual domain>.

Configuring VDOMs and global settings


A VDOM is not useful unless it contains at least two physical interfaces or virtual
subinterfaces for incoming and outgoing traffic. Availability of the associated tasks
depends on the permissions of the admin. If you are using a super_admin profile account,
you can perform all tasks. If you are using a regular admin account, the tasks available to
you depend on whether you have read only or read/write permissions. Table 7 shows which
roles can perform which tasks.
Table 7: Admin VDOM permissions

Tasks                                Regular administrator account         Super_admin profile
                                     Read only        Read/write           administrator account
                                     permission       permission
View global settings                 yes              yes                  yes
Configure global settings            no               no                   yes
Create or delete VDOMs               no               no                   yes
Configure multiple VDOMs             no               no                   yes
Assign interfaces to a VDOM          no               no                   yes
Create VLANs                         no               yes - for 1 VDOM     yes - for all VDOMs
Assign an administrator to a VDOM    no               no                   yes
Create additional admin accounts     no               yes - for 1 VDOM     yes - for all VDOMs
Create and edit protection profiles  no               yes - for 1 VDOM     yes - for all VDOMs


VDOM licenses
All FortiGate units, except the 30B, support VDOMs by default. Low-end models, including
FortiGate models 50 through 110, support 5 VDOMs. The remaining FortiGate models
below 3000 support 10 VDOMs. This capacity is due to limited hardware resources.
FortiGate models numbered 3000 and higher support the purchase of a VDOM license
key from customer service to increase their maximum allowed VDOMs to 25, 50, 100,
250, or 500. Configuring 250 or more VDOMs will result in reduced system performance.
Table 8: VDOM support by FortiGate model

FortiGate model              Support VDOMs   Default VDOM maximum   Maximum VDOM license
30B                          no              0                      0
50 - 110                     yes             5                      5
models between 110 - 3000    yes             10                     10
3000 and above               yes             10                     500

Note: Your FortiGate unit has limited resources that are divided amongst all configured
VDOMs. These resources include system memory and CPU. When running 250 or more
VDOMs, you cannot run Unified Threat Management (UTM) features such as proxies, web
filtering, or antivirus—your FortiGate unit can only provide basic firewall functionality.

Tip: If you do not have a System > Maintenance > License tab, your FortiGate model does
not support more than 10 VDOMs.

To obtain a VDOM license key


1 Log in to your FortiGate unit using the admin account.
Other accounts such as other super_admin profile accounts may also have sufficient
privileges to install VDOM licenses.
2 Go to System > Status.
3 Record your FortiGate unit serial number as shown in “System Information” on
page 67.
4 Under License Information > Virtual Domains, select Purchase More.
5 You will be taken to the Fortinet customer support web site where you can log in and
purchase a license key for 25, 50, 100, 250, or 500 VDOMs.
6 When you receive your license key, go to System > Maintenance > License.
7 In the License Key field, enter the 32-character license key you received from Fortinet
customer support.
8 Select Apply.
To verify the new VDOM license, go to System > Status under Global Configuration. In the
License Information area, under Virtual Domains, VDOMs Allowed shows the maximum
number of VDOMs allowed.

Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any
connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of
registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer
Administration Guide.


Creating a new VDOM


By default, every FortiGate unit has a root VDOM that is visible when VDOMs are
enabled. To use additional VDOMs, you must first create them.
When using multiple VDOMs, it can be useful to assign fewer resources to some VDOMs
and more resources to others. This VDOM resource management will result in better
FortiGate unit performance. For more information, see “VDOM resource limits” on
page 116.
VDOM names have the following restrictions:
• Only letters, numbers, “-”, and “_” are allowed.
• A name can have no more than 11 characters.
• A name cannot contain spaces.
• VDOMs cannot have the same names as interfaces, zones, switch interfaces, or other
VDOMs.

Note: The VDOM names vsys_ha and vsys_fgfm are in use by the FortiGate unit. If
you attempt to name a new VDOM vsys_ha or vsys_fgfm, the FortiGate unit will
generate an error.

Note: When creating 250 or more VDOMs, you cannot enable UTM features such as
proxies, web filtering, and antivirus due to limited resources. Also when creating large
numbers of VDOMs, you may experience reduced performance. To improve performance
with multiple VDOMs, see “VDOM resource limits” on page 116.

Figure 46: New Virtual Domain

To create a new VDOM


1 Log in as a super_admin profile admin.
2 Ensure VDOMs are enabled. For more information, see “Enabling VDOMs” on
page 107.
3 Go to System > VDOM.
4 Select Create New.
5 Enter a name for the new VDOM, up to a maximum of 11 characters. This name cannot
be changed.
6 Optionally enter a comment for the VDOM, up to a maximum of 63 characters.
7 Select OK.

Working with VDOMs and global settings


When you log in as admin and virtual domains are enabled, the FortiGate unit is
automatically in global configuration, as demonstrated by the appearance of the VDOM
option under System.
To work with virtual domains, select System > VDOM.


Figure 47: VDOM list (callouts: Disabled VDOM, Management VDOM)

Create New          Select to add a new VDOM. Enter the new VDOM name and select OK. The VDOM
                    must not have the same name as an existing VDOM, VLAN or zone. The VDOM name
                    can have a maximum of 11 characters and must not contain spaces.
Management Virtual  Change the management VDOM to the selected VDOM in the list. The management
Domain              VDOM is then grayed out in the Enable column. The default management VDOM is
                    root. For more information, see “Changing the management VDOM” on page 115.
Apply               Select to save your changes to the Management VDOM.
Enable              There are three states this column can be in.
                    • A green check mark indicates this VDOM is enabled, and that you can select
                      the Enter icon to change to that VDOM.
                    • An empty check box indicates this VDOM is disabled. When disabled, the
                      configuration of that VDOM is preserved. The Enter icon is not available.
                    • A grayed-out check box indicates this VDOM is the management VDOM. It
                      cannot be deleted or changed to disabled; it is always active.
Name                The name of the VDOM.
Operation Mode      The VDOM operation mode, either NAT or Transparent. When a VDOM is in
                    Transparent mode, SNMP can display the management address, address type and
                    subnet mask for that VDOM. For more information, see “SNMP” on page 185.
Interfaces          The interfaces associated with this VDOM, including virtual interfaces. Every
                    VDOM includes an SSL VPN virtual interface named for that VDOM. For the root
                    VDOM this interface is ssl.root.
Comments            Comments added by an admin when this VDOM was created.
Delete icon         Delete the VDOM. The Delete icon appears only when there are no configuration
                    objects associated with that VDOM. For example, you must remove all referring
                    interfaces, profiles, and so on before you can delete the VDOM. If the icon
                    does not appear and you do not want to delete all the referring configuration,
                    you can disable the VDOM instead. The disabled VDOM configuration remains in
                    memory, but the VDOM is not usable until it is enabled.
Edit icon           Change the description of the VDOM. The name of the VDOM cannot be changed.
Enter icon          Enter the selected VDOM. After entering a VDOM you will only be able to view
                    and change settings specific to that VDOM.


Adding interfaces to a VDOM


A VDOM must contain at least two interfaces to be useful. These can be physical or virtual
interfaces such as VLAN subinterfaces. By default, all physical interfaces are in the root
virtual domain.
VLAN subinterfaces often need to be in a different VDOM than their physical interface. To
do this, the super administrator must first create the VDOM, create the VLAN subinterface,
and then assign the VLAN to the correct VDOM.
VDOMs can only be added in global settings, and not within VDOMs. For information on
creating VLAN subinterfaces, see “Adding VLAN subinterfaces” on page 153.

Inter-VDOM links
An inter-VDOM link is a pair of interfaces that enable you to communicate between two
VDOMs internally without using a physical interface. Inter-VDOM links have the same
security as physical interfaces, but allow more flexible configurations that are not limited
by the number of physical interfaces on your FortiGate unit. As with all virtual interfaces,
the speed of the link depends on the CPU load, but generally it is faster than physical
interfaces. There are no MTU settings for inter-VDOM links. DHCP support includes inter-
VDOM links.
A packet can pass through an inter-VDOM link a maximum of three times. This is to
prevent a loop. When traffic is encrypted or decrypted, it changes the content of the
packets and this resets the inter-VDOM counter. However, using IPIP or GRE tunnels
does not reset the counter.
In HA mode, inter-VDOM links must have both ends of the link within the same virtual
cluster. DHCP over IPSec is supported for inter-VDOM links, however regular DHCP
services are not available.
To view inter-VDOM links, go to System > Network > Interface. When an inter-VDOM link
is created, it automatically creates a pair of virtual interfaces that correspond to the two
internal VDOMs. Each of the virtual interfaces is named using the inter-VDOM link name
with an added “0” or “1”. So if the inter-VDOM link is called “vlink” the interfaces are
“vlink0” and “vlink1”. Select the Expand Arrow beside the VDOM link to display the virtual
interfaces.

Note: Inter-VDOM links cannot refer to a domain that is in transparent mode.

Figure 48: VDOM link interfaces

To create an inter-VDOM link


1 Log in as admin.
2 Go to System > Network > Interface.


3 Select the arrow on the Create New button.
4 Select VDOM link.
You will see the New VDOM Link screen.

Figure 49: New VDOM link

5 Enter the name for the new VDOM link, up to a maximum of 11 characters.
The name must not contain any spaces or special characters. Hyphens (“-”) and
underscores (“_”) are allowed. Remember that the name will have a “0” or “1” attached to
the end for the actual interfaces.
6 Configure VDOM link “0”.
7 Select the VDOM from the menu that this interface will connect to.
8 Enter the IP address and netmask for this interface.
9 Select the administrative access method or methods. Keep in mind that PING,
TELNET, and HTTP are less secure methods.
10 Optionally enter a description for this interface.
11 Repeat steps 7 through 10 for VDOM link “1”.
12 Select OK to save your configuration and return to the System > Interface screen.
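The naming rules from “Creating a new VDOM” and from the inter-VDOM link procedure above, as an added pre-check script that is not Fortinet code: it validates planned VDOM and VDOM link names against a constructed inventory of existing names. The Inventory layout, and the check that the generated “0”/“1” interface names do not collide with existing interfaces, are this example's own assumptions.

```python
"""Pre-check VDOM and inter-VDOM link names against the FortiOS 4.0 naming rules.

Added example, not Fortinet code. Rules encoded: letters, digits, "-" and "_"
only; at most 11 characters; no spaces; no clash with interfaces, zones, switch
interfaces or other VDOMs; vsys_ha and vsys_fgfm are reserved; a link named
<name> yields interfaces <name>0 and <name>1; a link cannot refer to a VDOM in
Transparent mode. The Inventory layout and the uniqueness check on the
generated link interface names are this example's assumptions.
"""
import re
from dataclasses import dataclass, field

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_NAME_LEN = 11
RESERVED_VDOM_NAMES = {"vsys_ha", "vsys_fgfm"}   # in use by the FortiGate unit itself


@dataclass
class Inventory:
    """Names already configured on the unit (constructed sample data in the test)."""
    vdoms: dict = field(default_factory=dict)          # VDOM name -> "nat" or "transparent"
    interfaces: set = field(default_factory=set)
    zones: set = field(default_factory=set)
    switch_interfaces: set = field(default_factory=set)


def _check_syntax(name: str, what: str) -> list:
    """Character set and length rules shared by VDOM names and VDOM link names."""
    if not name:
        return [f"{what} name is empty"]
    errors = []
    if len(name) > MAX_NAME_LEN:
        errors.append(f"{what} name {name!r} is longer than {MAX_NAME_LEN} characters")
    if " " in name:
        errors.append(f"{what} name {name!r} contains spaces")
    elif not NAME_RE.match(name):
        errors.append(f"{what} name {name!r} may only contain letters, digits, '-' and '_'")
    return errors


def validate_vdom_name(name: str, inv: Inventory) -> list:
    """Return the reasons the unit would reject this VDOM name (empty list = acceptable)."""
    errors = _check_syntax(name, "VDOM")
    if name in RESERVED_VDOM_NAMES:
        errors.append(f"{name!r} is reserved by the FortiGate unit")
    namespaces = (("VDOM", inv.vdoms), ("interface", inv.interfaces),
                  ("zone", inv.zones), ("switch interface", inv.switch_interfaces))
    for kind, names in namespaces:
        if name in names:
            errors.append(f"{name!r} is already the name of a {kind}")
    return errors


def link_interface_names(link_name: str) -> tuple:
    """The two interfaces the unit creates for a VDOM link: <name>0 and <name>1."""
    return (link_name + "0", link_name + "1")


def validate_vdom_link(link_name: str, vdom0: str, vdom1: str, inv: Inventory) -> list:
    """Check a planned inter-VDOM link between vdom0 (link "0") and vdom1 (link "1")."""
    errors = _check_syntax(link_name, "VDOM link")
    for member in link_interface_names(link_name):
        if member in inv.interfaces:      # assumption: interface names must be unique
            errors.append(f"link interface {member!r} already exists")
    for end in (vdom0, vdom1):
        mode = inv.vdoms.get(end)
        if mode is None:
            errors.append(f"VDOM {end!r} does not exist")
        elif mode == "transparent":
            errors.append(f"VDOM {end!r} is in Transparent mode; a VDOM link cannot refer to it")
    return errors


if __name__ == "__main__":
    # Constructed sample inventory for a quick run from the command line.
    inv = Inventory(vdoms={"root": "nat", "tenant_a": "nat", "tp_vdom": "transparent"},
                    interfaces={"port1", "port2", "ssl.root", "vlink0", "vlink1"},
                    zones={"dmz_zone"})
    for candidate in ("tenant-b", "vsys_ha", "my vdom", "port1", "this_is_too_long"):
        print(candidate, validate_vdom_name(candidate, inv) or "ok")
    print("vlink", validate_vdom_link("vlink", "root", "tenant_a", inv) or "ok")
    print("link2", validate_vdom_link("link2", "root", "tp_vdom", inv) or "ok")
```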

Assigning an interface to a VDOM


The following procedure describes how to reassign an existing interface from one virtual
domain to another. It assumes VDOMs are enabled and more than one VDOM exists.
You cannot delete a VDOM if it is used in any configurations. For example, if an interface
is assigned to that VDOM, you cannot delete the VDOM. You cannot remove an interface
from a VDOM if the interface is included in any of the following configurations:
• DHCP server
• zone
• routing
• firewall policy
• IP pool
• proxy arp (only accessible through the CLI).


Before removing these configurations, it is recommended that you back up your
configuration, so you can restore it if you want to create this VDOM at a later date.
Delete the items in this list or modify them to remove the interface before proceeding.

Note: You can reassign or remove an interface or subinterface once the Delete icon is
displayed. Absence of the icon means that the interface is being used in a configuration
somewhere.

Tip: You can disable a VDOM instead of deleting it. Your configuration will be preserved,
saving time you would otherwise need to remove and reconfigure it.

To assign an interface to a VDOM


1 Log in as admin.
2 Go to System > Network > Interface.
3 Select Edit for the interface that you want to reassign.
4 Select the new virtual domain for the interface.
5 Configure other settings as required and select OK. For more information, see
“Interface settings” on page 123.
The interface is assigned to the VDOM. Existing firewall IP pools and virtual IP
addresses for this interface are deleted. You should manually delete any routes that
include this interface, and create new routes for this interface in the new VDOM.
Otherwise your network traffic will not be properly routed. For more information on
creating static routes, see “Router Static” on page 271.

Assigning an administrator to a VDOM


If you are creating a VDOM to serve an organization that will be administering its own
resources, you need to create an administrator account for that VDOM.
A VDOM admin can change configuration settings within that VDOM but cannot make
changes that affect other VDOMs on the FortiGate unit.
A regular administrator assigned to a VDOM can log in to the web-based manager or the
CLI only on interfaces that belong to that VDOM. The super administrator can connect to
the web-based manager or CLI through any interface on the FortiGate unit that permits
management access. Only the super administrator or a regular administrator of the root
domain can log in by connecting to the console interface.

Note: If an admin account is assigned to a VDOM, that VDOM cannot be deleted until that
account is assigned to another VDOM or removed.

To assign an administrator to a VDOM


1 Log in as the super_admin.
2 Ensure that virtual domains are enabled. For more information, see “Enabling VDOMs”
on page 107.
3 Go to System > Admin >Administrators.
4 Create a new administrator account or select the Edit icon of an existing administrator
account.
5 Go to the Virtual Domain list.


6 Select the VDOM that this administrator manages.
Administrators are assigned to a specific VDOM when the account is created unless
they are super_admin administrators. For more information, see “Configuring an
administrator account” on page 206.
7 Configure other settings as required.
For detailed information, see “Configuring an administrator account” on page 206.
8 Select OK.

Changing the management VDOM


The management VDOM on your FortiGate unit is where some default types of traffic
originate, including:
• SNMP
• logging
• alert email
• FDN-based updates
• NTP-based time setting.
Before you change the management VDOM, ensure that virtual domains are enabled on
the system dashboard screen. For more information, see “Enabling VDOMs” on page 107.
Only one VDOM can be the management VDOM at any given time.
Global events are logged with the VDOM set to the management VDOM.

Note: You cannot change the management VDOM if any administrators are using RADIUS
authentication.

To change the management VDOM


1 Go to System > VDOM.
2 From the list of VDOMs, select the VDOM to be the new management VDOM.
This list is located to the immediate left of the Apply button.
3 Select Apply to make the change.
At the prompt, confirm the change.
Management traffic will now originate from the new management VDOM.

Configuring global and VDOM resource limits


FortiGate units have upper limits for resources such as firewall policies, protection profiles
and VPN tunnels. These limits vary by model. In general, the more VDOMs the FortiGate
unit supports, the greater the impact on resource limits. In previous releases of FortiOS,
maximum values for resources belonging to virtual domains (VDOMs) applied equally to
each VDOM. Maximums for system-wide (global) resources applied globally and the
resources were equally accessible to each VDOM.
If you are a super administrator, you can control resource allocation to each VDOM. This
limits the impact of each VDOM on other VDOMs due to resource competition. Also, you
can set global resource limits to control the impact of various features on system
performance.


Note: The resource limits vary for different FortiGate models. The resource limits are
increased when two or more FortiGates are in HA mode due to the increased resources
that are available to the HA cluster.

VDOM resource limits


You can configure VDOM resource limits when you create a new VDOM or edit an existing
VDOM. These resource limits are restricted by the FortiGate global limits in that the total
of each resource across all VDOMs cannot exceed the global limit.
You can optionally set a guaranteed minimum level of resources that will be available to
the VDOM. This will ensure that other VDOMs do not use all of an available resource.

To configure VDOM resource limits


1 Go to System > VDOM.
2 Select Create New, enter a name and then select OK, or select the Edit icon of an
existing VDOM.
3 Modify the values described in the table below as required.
4 Select OK.

Figure 50: Configuring VDOM resource limits

Resource            Description of the resource.
Maximum             Enter the maximum amount of the resource allowed for this VDOM. This amount
                    might not be available due to usage of this resource type by other VDOMs.
Guaranteed          Enter the minimum amount of the resource available to this VDOM regardless of
                    usage by other VDOMs.
Current             The amount of the resource that this VDOM currently uses.


If you enter a value that is not valid, the web-based manager displays the range of valid
values.

Global resource limits


To ensure system performance, you can set global resource limits that are less than the
maximums set by your unit’s hardware. Your configured maximum value for any resource
must be greater than the amount of the resource already in use and greater than the sum
of all VDOM guaranteed resource values.
To view or set global resource limits, go to System > VDOM > Global Resources. Select
the Edit icon to change any settings.

Figure 51: Configuring global resource limits

Resource            Description of the resource.
Configured Maximum  The maximum amount of the resource allowed. This amount matches the default
                    maximum until you change it.
Default Maximum     The default maximum value for this resource. This value depends on the unit
                    hardware limitations.
Current Usage       The amount of the resource currently in use.
Edit icon           Change the configured maximum for this resource. The Edit Global Resource
                    Limits dialog box lists the valid range of values for the configured maximum.
                    For some resources, you can set the maximum to zero to set no limit.
Reset icon          Reset the configured maximum to the default maximum value.
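The constraints stated under “VDOM resource limits” and “Global resource limits”, as an added checker that is not Fortinet code: it tests a planned global maximum and per-VDOM Maximum/Guaranteed values for one resource type and decides whether a VDOM can allocate one more object. The resource names and numbers are constructed, and can_allocate() is this example's own interpretation of how a guarantee has to be enforced (holding back every other VDOM's unused guarantee).

```python
"""Check FortiGate global and per-VDOM resource limits before applying them.

Added example, not Fortinet code. It encodes the constraints the guide states
for one resource type: a configured global maximum must be greater than the
amount already in use and greater than the sum of all VDOM guaranteed values
(0 meaning "no limit" for some resources), and VDOM limits are bounded by the
global limit. can_allocate() is this example's own interpretation of how a
guarantee has to be enforced: free capacity is what remains after holding back
every other VDOM's unused guarantee. Resource names and numbers are constructed.
"""
from dataclasses import dataclass

UNLIMITED = 0   # a maximum of 0 means "no limit" (the guide says so for some global resources;
                # treating a VDOM maximum of 0 the same way is an assumption)


@dataclass
class VdomLimit:
    name: str
    maximum: int      # "Maximum" field of the VDOM resource dialog
    guaranteed: int   # "Guaranteed" field
    current: int      # "Current" field


@dataclass
class GlobalResource:
    name: str
    default_maximum: int      # "Default Maximum": hardware-dependent
    configured_maximum: int   # "Configured Maximum": what the administrator set
    vdoms: list               # one VdomLimit per VDOM


def total_usage(res: GlobalResource) -> int:
    return sum(v.current for v in res.vdoms)


def total_guaranteed(res: GlobalResource) -> int:
    return sum(v.guaranteed for v in res.vdoms)


def check_global_maximum(res: GlobalResource) -> list:
    """Reasons the configured global maximum would be rejected (empty list = valid)."""
    cfg = res.configured_maximum
    if cfg == UNLIMITED:
        return []
    errors = []
    if cfg > res.default_maximum:
        errors.append(f"{res.name}: {cfg} exceeds the hardware default {res.default_maximum}")
    if cfg <= total_usage(res):
        errors.append(f"{res.name}: {cfg} is not greater than current usage {total_usage(res)}")
    if cfg <= total_guaranteed(res):
        errors.append(f"{res.name}: {cfg} is not greater than the guaranteed total "
                      f"{total_guaranteed(res)}")
    return errors


def check_vdom_limit(res: GlobalResource, v: VdomLimit) -> list:
    """Reasons a VDOM's Maximum/Guaranteed pair would be rejected under the global limit."""
    errors = []
    if v.maximum != UNLIMITED and v.guaranteed > v.maximum:   # assumption: guarantee <= maximum
        errors.append(f"{v.name}: guaranteed {v.guaranteed} exceeds its maximum {v.maximum}")
    if res.configured_maximum == UNLIMITED:
        return errors
    if v.maximum > res.configured_maximum:
        errors.append(f"{v.name}: maximum {v.maximum} exceeds the global limit "
                      f"{res.configured_maximum}")
    others = sum(o.guaranteed for o in res.vdoms if o.name != v.name)
    if others + v.guaranteed >= res.configured_maximum:
        errors.append(f"{v.name}: guarantees would total {others + v.guaranteed}, which is "
                      f"not below the global limit {res.configured_maximum}")
    return errors


def can_allocate(res: GlobalResource, vdom_name: str) -> bool:
    """Can the named VDOM create one more object of this resource right now?"""
    v = next(x for x in res.vdoms if x.name == vdom_name)
    if v.maximum != UNLIMITED and v.current >= v.maximum:
        return False                                # the VDOM's own maximum is reached
    if res.configured_maximum == UNLIMITED:
        return True
    # Hold back what every other VDOM is still guaranteed but has not used yet.
    reserved = sum(max(0, o.guaranteed - o.current) for o in res.vdoms if o.name != vdom_name)
    return res.configured_maximum - total_usage(res) - reserved > 0


if __name__ == "__main__":
    # Constructed sample: three VDOMs sharing a global limit of 41 firewall policies.
    policies = GlobalResource("firewall policies", default_maximum=2000, configured_maximum=41,
                              vdoms=[VdomLimit("root", 30, 5, 10),
                                     VdomLimit("tenant_a", 30, 20, 5),
                                     VdomLimit("tenant_b", 30, 15, 0)])
    print(check_global_maximum(policies) or "global limit ok")
    for name in ("root", "tenant_a", "tenant_b"):
        print(name, "can add a policy:", can_allocate(policies, name))
```

In the sample, root is blocked although only 15 of 41 policies exist, because the other two VDOMs' unused guarantees (15 + 15) must stay available to them.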


System Network
This section describes how to configure your FortiGate unit to operate in your network.
Basic network settings include configuring FortiGate interfaces and DNS settings. More
advanced configuration includes adding VLAN subinterfaces and zones to the FortiGate
network configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, you configure most system
network settings globally for the entire FortiGate unit. For example, all interface settings,
including adding interfaces to VDOMs, are part of the global configuration. However,
zones, the modem interface, and the Transparent mode routing table are configured
separately for each virtual domain. For details, see “Using virtual domains” on page 103.
This section describes:
• Interfaces
• Configuring zones
• Configuring the modem interface
• Configuring Networking Options
• Web Proxy
• Routing table (Transparent Mode)
• VLAN overview
• VLANs in NAT/Route mode
• VLANs in Transparent mode

Note: Unless stated otherwise, the term interface can refer to either a physical FortiGate
interface or to a virtual FortiGate VLAN subinterface.

Note: If you can enter both an IP address and a netmask in the same field, you can use the
short form of the netmask. For example, 192.168.1.100/255.255.255.0 can also be entered
as 192.168.1.100/24.

Interfaces
In NAT/Route mode, go to System > Network > Interface to configure FortiGate interfaces.
You can:
• modify the configuration of a physical interface
• add and configure VLAN subinterfaces
• configure an ADSL interface
• aggregate several physical interfaces into an IEEE 802.3ad interface (models 300A,
400A, 500A, and 800 or higher)
• combine physical interfaces into a redundant interface
• add wireless interfaces (FortiWiFi models) and service set identifiers (SSIDs) (see
“Adding a wireless interface” on page 164)
• add and configure VDOM links (see “Inter-VDOM links” on page 112)


• view loopback interfaces
• configure the modem (see “Configuring the modem interface” on page 140)
• change which information about the interfaces is displayed

For information about VLANs, see “FortiGate units and VLANs” on page 151.

Figure 52: Interface list - regular admin view

Figure 53: Interface list - admin view with virtual domains enabled

Create New          Select Create New to create a VLAN subinterface. On models 800 and higher,
                    you can also create an IEEE 802.3ad aggregated interface. When VDOMs are
                    enabled, selecting the Create New arrow enables you to create new Inter-VDOM
                    links. For more information see “Inter-VDOM links” on page 112.
Switch Mode         Select to change between switch mode and interface mode. Switch mode
                    combines the internal interfaces into one switch with one address. Interface
                    mode gives each internal interface its own address. Before switching modes,
                    all configuration settings that point to ‘internal’ interfaces must be
                    removed. This option is visible on models 100A and 200A for Rev2.0 and
                    higher. Switch mode is also visible on the FortiGate-60B and FortiWiFi-60B.
                    For more information see “Switch Mode” on page 123.
show backplane      Select to make the two backplane interfaces visible as port9 and port10.
interfaces          Once visible, these interfaces can be treated as regular physical interfaces.
                    This option is available only on 5000 models.
Column Settings     Select to change which columns of information about the network interfaces
                    are displayed. For more information, see “Column Settings” on page 122.


Description icon The tooltip for this icon displays the Description field for this interface. For more
information see “Interface settings” on page 123.
Name The names of the physical interfaces on your FortiGate unit. This includes any
alias names that have been configured.
The name, including number, of a physical interface depends on the model.
Some names indicate the default function of the interface such as Internal,
External and DMZ. Other names are generic such as port1.
FortiGate models numbered 50 and 60 provide a modem interface. Also
models with a USB port support a connected modem. See “Configuring the
modem interface” on page 140.
The oob/ha interface is the FortiGate-4000 out of band management interface.
You can connect to this interface to manage the FortiGate unit. This interface is
also available as an HA heartbeat interface.
On FortiGate-60ADSL units, you can configure the ADSL interface. See
“Configuring an ADSL interface” on page 127.
On FortiGate models 300A, 310B, 400A, 500A, 620B, and 800 or higher, if you
combine several interfaces into an aggregate interface, only the aggregate
interface is listed, not the component interfaces. The same is true for
redundant interfaces. See “Creating an 802.3ad aggregate interface” on
page 128 or “Creating a redundant interface” on page 129.
If you have added VLAN subinterfaces, they also appear in the name list,
below the physical or aggregated interface to which they have been added.
See “VLAN overview” on page 151.
If you have loopback virtual interfaces configured you will be able to view them.
You can only edit these interfaces in the CLI. For more information on these
interfaces see “Configuring interfaces with CLI commands” on page 135 or the
config system interface command in the FortiGate CLI Reference.
If you have software switch interfaces configured, you will be able to view
them. You can only edit these interfaces in the CLI. for more information on
these interfaces see “Configuring interfaces with CLI commands” on page 135
or the config system switch-interface command in the
FortiGate CLI Reference.
If virtual domain configuration is enabled, you can view information only for the
interfaces that are in your current virtual domain, unless you are using the
super admin account.
If VDOMs are enabled, you will be able to create, edit, and view inter-VDOM
links. For more information see “Inter-VDOM links” on page 112.
If you have interface mode enabled on a FortiGate model 100A or 200A
Rev2.0 or higher or on the FortiGate-60B and FortiWiFi-60B models, you will
see multiple internal interfaces. If switch mode is enabled, there will only be
one internal interface. For more information see “Switch Mode” on page 123.
If your FortiGate unit supports AMC modules and you have installed an AMC
module containing interfaces (for example, the FortiGate-ASM-FB4 contains 4
interfaces), these interfaces are added to the interface status display. The
interfaces are named AMC-SW1/1, AMC-DW1/2, and so on. SW1 or DW1 indicates a
single-width or double-width card respectively in slot 1. The last number (“/1”)
indicates the interface number on that card; for the ASM-FB4 card there would
be “/1” through “/4”.
IP/Netmask The current IP address/netmask of the interface.
In VDOM mode, when VDOMs are not all in NAT or Transparent mode some
values may not be available for display and will be displayed as “-” instead.
When IPv6 Support on GUI is enabled, IPv6 addresses may be displayed in
this column.
Access The administrative access configuration for the interface.
See “Additional configuration for interfaces” on page 136.
Administrative Status The administrative status for the interface.
If the administrative status is a green arrow, the interface is up and can accept
network traffic. If the administrative status is a red arrow, the interface is
administratively down and cannot accept traffic. To change the administrative
status, select Bring Down or Bring Up.
Link Status The status of physical connection.
The status of a non-physical interface will always be down.
MAC The MAC address of the interface.

FortiGate Version 4.0 Administration Guide


01-400-89802-20090219 121
http://docs.fortinet.com/ • Feedback
Interfaces System Network

Mode Shows the addressing mode of this interface such as manual, DHCP, or
PPPoE.
MTU The maximum number of bytes per transmission unit. Anything over 1500 bytes is a
jumbo frame. See “Interface MTU packet size” on page 137.
Secondary IP Any secondary IPs for this interface.
Type The type of the interface. Valid types include:
• Physical - a physical network interface, including modem
• VLAN - a virtual network interface
• Aggregate - a group of interfaces
• Redundant - a group of interfaces
• VDOM Link - a pair of virtual interfaces that join two VDOMs
• Pair - one of two interfaces that are joined together, such as the two interfaces of a VDOM link
Virtual Domain The virtual domain to which the interface belongs. This column is visible only to
the super admin and only when virtual domain configuration is enabled.
VLAN ID The identification number of the VLAN.
Non-VLAN interface entries will be blank.
Delete, edit, and view icons Delete, edit, or view an entry.

Column Settings
Go to System > Network > Column Settings to change which information about the
interfaces is displayed.
The VDOM field is only available for display when VDOMs are enabled.

Figure 54: Column Settings

Available fields The list of fields (columns) not currently being displayed.
Show these fields in this order The list of fields (columns) currently being displayed.
They are displayed in order. Top to bottom of the list will be displayed left to
right on screen respectively.
Right arrow Move selected fields to the Show these fields in this order list.
Left arrow Move selected fields to the Available fields list.
Move up Move selected item up in the Show these fields in this order list. The
corresponding column is moved to the left on the network interface display.
Move down Move selected item down in the Show these fields in this order list. The
corresponding column is moved to the right on the network interface
display.


Switch Mode
The internal interface is a switch with either four or six physical interface connections,
depending on the FortiGate model. Normally the internal interface is configured as a
single interface shared by all physical interface connections - a switch.
The switch mode feature has two states - switch mode and interface mode. Switch mode
is the default mode with only one interface and one address for the entire internal switch.
Interface mode allows you to configure each of the internal switch physical interface
connections separately. This allows you to assign different subnets and netmasks to each
of the internal physical interface connections.
FortiGate models 100A and 200A Rev2.0 and higher have four internal interface
connections. The FortiGate-60B and FortiWiFi-60B have six internal interface connections.
Consult your release notes for the most current list of supported models for this feature.
Selecting Switch Mode on the System > Network > Interface screen displays the Switch
Mode Management screen.

Caution: Before you are able to change between switch mode and interface mode, all
references to ‘internal’ interfaces must be removed. This includes references such as
firewall policies, routing, DNS forwarding, DHCP services, and VDOM interface
assignments. If they are not removed, you will not be able to switch modes, and you will
see an error message.

Figure 55: Switch Mode Management

Switch Mode Select Switch Mode. Only one internal interface is displayed. This is the default
mode.
Interface Mode Select Interface Mode. All internal interfaces on the switch are displayed as
individually configurable interfaces.

Switch Mode can also be configured using CLI commands. For more information see the
FortiGate CLI Reference.

Interface settings
Go to System > Network > Interface and select Create New.
Selecting the Create New arrow enables you to create Inter-VDOM links. For more
information on Inter-VDOM links, see “Inter-VDOM links” on page 112.
Some types of interfaces such as loopback interfaces can only be configured using CLI
commands. For more information, see “Configuring interfaces with CLI commands” on
page 135.
To be able to configure a DHCP server on an interface, that interface must have a static IP
address.
You cannot create a virtual IPSec interface on this screen, but you can specify its endpoint
addresses, enable administrative access and provide a description if you are editing an
existing interface. For more information, see “Configuring a virtual IPSec interface” on
page 134.


Figure 56: Create New Interface settings

Figure 57: Edit Interface settings

Name Enter a name for the interface.
You cannot change the name of an existing interface.
Alias Enter another name for the interface that will easily distinguish this interface from
another. This is available only for physical interfaces, where you cannot
configure the name. The alias can be a maximum of 15 characters.
The alias name is not part of the interface name, but it will appear in brackets
beside the interface name. It does not appear in logs.


Type The type of the interface. When creating a new interface, this is VLAN by default.
On models 300A, 400A, 500A, 800 and higher, you can create VLAN, 802.3ad
Aggregate, and Redundant interfaces.
• On FortiGate 100A and 200A models of Rev2.0 and higher and on all 60B
models, software switch is a valid type. You cannot edit this type in the GUI.
• FortiWiFi models support up to four SSIDs by adding up to three wireless
interfaces (for a total of four wireless interfaces).
• On the 60ADSL model, you can configure an ADSL interface.
Other models support creation of VLAN interfaces only and have no Type field.
You cannot change the type of an existing interface.
Interface Select the name of the physical interface on which to create the VLAN. Once
created, the VLAN subinterface is listed below its physical interface in the
Interface list.
You cannot change the interface of an existing VLAN subinterface.
This field is only displayed when Type is set to VLAN.
VLAN ID Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface. You cannot change the VLAN ID of an existing VLAN
subinterface.
The VLAN ID can be any number between 1 and 4094 and must match the VLAN
ID added by the IEEE 802.1Q-compliant router or switch connected to the VLAN
subinterface. For more information, see “VLAN overview” on page 151.
This field is only displayed when Type is set to VLAN.
Virtual Domain Select the virtual domain to which this VLAN subinterface belongs.
Admin accounts with super-admin profile can change the VDOM for a VLAN when
VDOM configuration is enabled. For more information, see “Using virtual
domains” on page 103.
Physical Interface Members This section has two different forms depending on the interface type:
• Software switch interface - this section is a display-only field showing the
interfaces that belong to the software switch virtual interface
• 802.3ad aggregate or Redundant interface - this section includes available
interface and selected interface lists to enable adding or removing interfaces
from the interface.
Available Interfaces Select interfaces from this list to include in the grouped interface - either
redundant or aggregate interface. Select the right arrow to add an interface to the
grouped interface.
Selected interfaces These interfaces are included in the aggregate or redundant interface.
Select the left arrow to remove an interface from the grouped interface.
For redundant interfaces, the interfaces will be activated during failover from the
top of the list to the bottom.
Addressing mode Select the type of addressing mode as Manual, DHCP, or PPPoE.
To configure a static IP address for the interface, select Manual.
By default, low-end models are configured to DHCP addressing mode with
Override Internal DNS and Retrieve default Gateway from DHCP server both
enabled. These settings allow for easy out-of-the-box configuration.
You can also configure the interface for dynamic IP address assignment. For
more information, see “Configuring DHCP on an interface” on page 130 or
“Configuring an interface for PPPoE or PPPoA” on page 132.
IP/Netmask Enter the IP address/subnet mask in the IP/Netmask field. The IP address must
be on the same subnet as the network to which the interface connects.
Two interfaces cannot have IP addresses on the same subnet.
This field is only available when Manual addressing mode is selected.
DDNS Select DDNS to configure a Dynamic DNS service for this interface. For more
information, see “Configuring Dynamic DNS on an interface” on page 133.
Ping Server To enable dead gateway detection, enter the IP address of the next hop router on
the network connected to the interface and select Enable. For more information,
see “Dead gateway detection” on page 147.


Explicit Web Proxy Select to enable explicit web proxying on this interface. When enabled, this
interface will be displayed on System > Network > Web Proxy under Listen on
Interfaces and web traffic on this interface will be proxied according to the Web
Proxy settings. For more information, see “Web Proxy” on page 148.
Administrative Access Select the types of administrative access permitted on this interface.
HTTPS Allow secure HTTPS connections to the web-based manager through this
interface.
PING Interface responds to pings. Use this setting to verify your installation and for
testing.
HTTP Allow HTTP connections to the web-based manager through this interface. HTTP
connections are not secure and can be intercepted by a third party.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to
this interface. See “Configuring SNMP” on page 185.
TELNET Allow Telnet connections to the CLI through this interface. Telnet connections are
not secure and can be intercepted by a third party.
MTU To change the MTU, select Override default MTU value (1 500) and enter the
MTU size based on the addressing mode of the interface:
• 68 to 1 500 bytes for static mode
• 576 to 1 500 bytes for DHCP mode
• 576 to 1 492 bytes for PPPoE mode
• up to 16 110 bytes for jumbo frames (FortiGate models numbered 3000 and
higher)
• NP2-accelerated interfaces support a jumbo frame limit of 16 000 bytes
• FA2-accelerated interfaces do not support jumbo frames
This field is available only on physical interfaces. VLANs inherit the parent
interface MTU size by default.
For more information on MTU and jumbo frames, see “Interface MTU packet size”
on page 137.
Secondary IP Address Add additional IP addresses to this interface. Select the blue arrow to expand or
hide the section. See “Secondary IP Addresses” on page 137.
Description Enter a description up to 63 characters.
Administrative Status Select either Up (green arrow) or Down (red arrow) as the status of this interface.
Up indicates the interface is active and can accept network traffic.
Down indicates the interface is not active and cannot accept traffic.

Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.
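The following Python script is an added example; it is not code from this guide or from Fortinet. It parses a constructed 'config system interface' excerpt (the interface names, addresses and settings are made up for the example, written in the standard FortiOS CLI form with the allowaccess, mode, mtu-override and mtu keywords) and reports two points the table above makes: interfaces on which HTTP or Telnet administrative access is enabled, which the guide describes as unencrypted, and an overridden MTU that falls outside the range the guide lists for the interface's addressing mode. It is meant as a review of a saved configuration before or after a change.

```python
"""Audit FortiGate interface settings from a 'config system interface' excerpt.

Added example, not a Fortinet tool: the sample configuration below is constructed.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed sample in FortiOS CLI config format (not from any real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "port2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping https http telnet
        set type physical
    next
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set allowaccess ping https
        set mtu-override enable
        set mtu 1500
        set type physical
    next
end
"""

# Administrative access protocols the guide describes as unencrypted.
INSECURE_ACCESS = {"http", "telnet"}

# Permitted MTU range per addressing mode, from the Interface settings table.
# The larger jumbo-frame limits of models 3000 and higher are not modelled here.
MTU_RANGES = {"static": (68, 1500), "dhcp": (576, 1500), "pppoe": (576, 1492)}


@dataclass
class Interface:
    name: str
    settings: dict[str, list[str]] = field(default_factory=dict)


def parse_interfaces(text: str) -> list[Interface]:
    """Turn 'edit <name> ... set <key> <values> ... next' blocks into records."""
    interfaces: list[Interface] = []
    current: Interface | None = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted names FortiOS emits
        if not tokens:
            continue
        if tokens[0] == "edit" and len(tokens) > 1:
            current = Interface(tokens[1])
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            current.settings[tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end") and current is not None:
            interfaces.append(current)
            current = None
    return interfaces


def audit_interface(iface: Interface) -> list[str]:
    """Return findings for one interface; an empty list means nothing to report."""
    findings: list[str] = []
    access = set(iface.settings.get("allowaccess", []))
    insecure = sorted(access & INSECURE_ACCESS)
    if insecure:
        findings.append(f"{iface.name}: cleartext admin access enabled: {', '.join(insecure)}")
    # The MTU is only checked when the override is on; otherwise the default 1500 applies.
    if iface.settings.get("mtu-override", ["disable"])[0] == "enable":
        mode = iface.settings.get("mode", ["static"])[0]  # static is the CLI default
        mtu = int(iface.settings.get("mtu", ["1500"])[0])
        low, high = MTU_RANGES.get(mode, MTU_RANGES["static"])
        if not low <= mtu <= high:
            findings.append(f"{iface.name}: MTU {mtu} outside {low}-{high} allowed for {mode} mode")
    return findings


def audit_config(text: str) -> list[str]:
    """Audit every interface in a config excerpt and return all findings in order."""
    return [f for iface in parse_interfaces(text) for f in audit_interface(iface)]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Feed the script the output of 'show system interface' from a configuration backup; the mode check relies on the fact that an interface without a 'set mode' line is in static (Manual) addressing mode, which is the CLI default.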

To configure a specific type of interface, refer to the appropriate section. To configure:
• an ADSL interface, see “Configuring an ADSL interface” on page 127.
• an aggregate interface, see “Creating an 802.3ad aggregate interface” on page 128.
• a redundant interface, see “Creating a redundant interface” on page 129.
• a VLAN subinterface, see “FortiGate units and VLANs” on page 151.
• a wireless interface, see “Adding a wireless interface” on page 164.


Configuring an ADSL interface


The information that you need to provide for the ADSL interface depends on the
addressing mode your ISP requires you to use. To use dynamic addressing see
“Configuring DHCP on an interface” on page 130 or “Configuring an interface for PPPoE
or PPPoA” on page 132.
To configure an ADSL interface, your FortiGate unit cannot be in Transparent mode.
ADSL interface addressing mode can be one of:
• IP over ATM (IPoA)
• Ethernet over ATM (EoA) (also known as Bridged mode)
• Dynamic Host Configuration Protocol (DHCP)
• Point-to-Point Protocol over Ethernet (PPPoE)
• Point-to-Point Protocol over ATM (PPPoA).

To configure an ADSL interface


1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select IPoA or EoA.

Figure 58: Settings for an ADSL interface

Addressing mode Select the addressing mode that your ISP specifies.
IPoA Enter the IP address and netmask that your ISP provides.
EoA Enter the IP address and netmask that your ISP provides.
DHCP See “Configuring DHCP on an interface” on page 130.
PPPoE See “Configuring an interface for PPPoE or PPPoA” on page 132.
PPPoA See “Configuring an interface for PPPoE or PPPoA” on page 132.
IP/Netmask The IP address and netmask of this interface.
Gateway Enter the default gateway.
Connect to Server Enable Connect to Server so the interface will attempt to connect
automatically. Do not enable this option if you are configuring the interface
offline.
Virtual Circuit Identification Enter the VPI and VCI values your ISP provides.
MUX Type Select the MUX type: LLC Encap or VC Encap.
Your ISP must provide this information.


Creating an 802.3ad aggregate interface


You can aggregate (combine) two or more physical interfaces to increase bandwidth and
provide some link redundancy. An aggregate interface provides more bandwidth but also
creates more points of failure than redundant interfaces. The interfaces must connect to
the same next-hop routing destination.
Support of the IEEE standard 802.3ad for link aggregation is part of FortiGate firmware on
models 300A, 310B, 400A, 500A, 620B, and models 800 and higher.
An interface is available to be an aggregate interface if:
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregate or redundant interface
• it is in the same VDOM as the aggregated interface
• it does not have an IP address and is not configured for DHCP or PPPoE
• it does not have a DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not an HA heartbeat interface
• it is not one of the FortiGate 5000 series backplane interfaces

Note: You can add an accelerated interface (FA2 interfaces) to an aggregate link, but you
will lose the acceleration. For example, if you aggregate two accelerated interfaces you will
get slower throughput than if the two interfaces were separate.

Note: FortiGate-5000 backplane interfaces have to be made visible before they can be
added to an aggregate or a redundant interface.

When an interface is included in an aggregate interface, it is not listed on the System >
Network > Interface screen. You cannot configure the interface individually and it is not
available for inclusion in firewall policies, VIPs, IP pools, or routing.

Figure 59: Settings for an 802.3ad aggregate interface

To create an 802.3ad Aggregate interface


1 Go to System > Network > Interface.
2 Select Create New.


3 In the Name field, enter a name for the aggregated interface.
The interface name must be different from the name of any other interface, zone or VDOM.
4 From the Type list, select 802.3ad Aggregate.
5 In the Available Interfaces list, select each interface that you want to include in the
aggregate interface and move it to the Selected Interfaces list.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it.
For information about dynamic addressing, see:
• “Configuring DHCP on an interface” on page 130
• “Configuring an interface for PPPoE or PPPoA” on page 132
7 Configure other interface options as required.
8 Select OK.

Creating a redundant interface


You can combine two or more physical interfaces to provide link redundancy. This feature
allows you to connect to two or more switches to ensure connectivity in the event one
physical interface or the equipment on that interface fails.
In a redundant interface, traffic is only going over one interface at any time. This differs
from an aggregated interface where traffic is going over all interfaces for increased
bandwidth. This difference means redundant interfaces can have more robust
configurations with fewer possible points of failure. This is important in a fully-meshed HA
configuration.
FortiGate firmware on models 800 and higher implements redundant interfaces.
An interface is available to be in a redundant interface if:
• it is a physical interface, not a VLAN interface
• it is not already part of an aggregated or redundant interface
• it is in the same VDOM as the redundant interface
• it has no defined IP address and is not configured for DHCP or PPPoE
• it has no DHCP server or relay configured on it
• it does not have any VLAN subinterfaces
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not monitored by HA
• it is not one of the FortiGate 5000 series backplane interfaces

Note: FortiGate-5000 backplane interfaces have to be made visible before they can be
added to an aggregate or a redundant interface.

When an interface is included in a redundant interface, it is not listed on the System >
Network > Interface page. You cannot configure the interface individually and it is not
available for inclusion in firewall policies, VIPs, IP pools, or routing.
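The eligibility lists for aggregate and redundant interfaces above differ only in the HA condition (heartbeat interface versus HA-monitored interface). The following Python pre-check is an added example, not part of this guide and not a Fortinet tool: it turns both lists into one function so that each candidate member can be checked before the group is created. The Iface record, its field names and the sample candidate interfaces are constructed for the example; in practice the values would be filled in from the unit's configuration.

```python
"""Pre-check candidate members for an 802.3ad aggregate or a redundant interface.

Added example: the rules are transcribed from the two eligibility lists in this
section; the Iface record and the sample interfaces are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Iface:
    """State of one interface as a config reviewer would collect it (constructed model)."""
    name: str
    vdom: str = "root"
    kind: str = "physical"            # physical, vlan, or backplane (FortiGate-5000)
    visible: bool = True              # backplane interfaces must be made visible first
    parent_group: str | None = None   # aggregate or redundant interface it already belongs to
    mode: str = "static"              # static, dhcp, or pppoe
    ip: str | None = None             # configured address, None when unset
    dhcp_server: bool = False         # DHCP server or relay configured on it
    vlan_children: list[str] = field(default_factory=list)
    referenced_by: list[str] = field(default_factory=list)  # policies, VIPs, IP pools, multicast
    ha_heartbeat: bool = False
    ha_monitored: bool = False


def membership_blockers(iface: Iface, group_vdom: str, group_kind: str) -> list[str]:
    """Return every condition that blocks adding iface to a group of group_kind
    ('aggregate' or 'redundant') in group_vdom; an empty list means eligible."""
    if group_kind not in ("aggregate", "redundant"):
        raise ValueError(f"unknown group kind: {group_kind}")
    reasons: list[str] = []
    if iface.kind == "vlan":
        reasons.append("is a VLAN interface, not a physical interface")
    if iface.kind == "backplane" and not iface.visible:
        reasons.append("is a FortiGate-5000 backplane interface that is not yet visible")
    if iface.parent_group:
        reasons.append(f"already belongs to {iface.parent_group}")
    if iface.vdom != group_vdom:
        reasons.append(f"is in VDOM {iface.vdom}, group is in {group_vdom}")
    if iface.ip or iface.mode in ("dhcp", "pppoe"):
        reasons.append("has an IP address or dynamic addressing configured")
    if iface.dhcp_server:
        reasons.append("has a DHCP server or relay configured")
    if iface.vlan_children:
        reasons.append("has VLAN subinterfaces: " + ", ".join(iface.vlan_children))
    if iface.referenced_by:
        reasons.append("is referenced by: " + ", ".join(iface.referenced_by))
    # The two lists differ only here: heartbeat for aggregates, HA monitoring for redundant.
    if group_kind == "aggregate" and iface.ha_heartbeat:
        reasons.append("is an HA heartbeat interface")
    if group_kind == "redundant" and iface.ha_monitored:
        reasons.append("is monitored by HA")
    return reasons


def check_group(members: list[Iface], group_vdom: str, group_kind: str) -> dict[str, list[str]]:
    """Map each candidate's name to its blockers; all lists empty means the group can be created."""
    return {m.name: membership_blockers(m, group_vdom, group_kind) for m in members}


# Constructed candidates: one clean port, one still referenced by a policy and
# carrying a VLAN, and one used for the HA heartbeat.
CANDIDATES = [
    Iface("port3"),
    Iface("port4", referenced_by=["policy 7"], vlan_children=["port4_vlan10"]),
    Iface("port5", ha_heartbeat=True),
]

if __name__ == "__main__":
    for kind in ("aggregate", "redundant"):
        for name, blockers in check_group(CANDIDATES, "root", kind).items():
            print(f"{kind} {name}: {'eligible' if not blockers else '; '.join(blockers)}")
```

Because the HA condition is the one difference, the same port5 is rejected as an aggregate member but accepted as a redundant member in the sample, which is exactly the distinction the two lists draw.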


Figure 60: Settings for a redundant interface

To create a redundant interface


1 Go to System > Network > Interface.
2 Select Create New.
3 In the Name field, enter a name for the redundant interface.
The interface name must be different from the name of any other interface, zone or VDOM.
4 From the Type list, select Redundant Interface.
5 In the Available Interfaces list, select each interface that you want to include in the
redundant interface and move it to the Selected Interfaces list.
In a failover situation, the interface activated will be the next interface down the
Selected Interfaces list.
6 If this interface operates in NAT/Route mode, you need to configure addressing for it.
For information about dynamic addressing, see:
• “Configuring DHCP on an interface” on page 130
• “Configuring an interface for PPPoE or PPPoA” on page 132
7 Configure other interface options as required.
8 Select OK.

Configuring DHCP on an interface


If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a
DHCP request. The interface is configured with the IP address and any DNS server
addresses and default gateway address that the DHCP server provides.
By default, low-end models are configured to DHCP addressing mode with Override
Internal DNS and Retrieve default Gateway from DHCP server both enabled. These
settings allow for easy out-of-the-box configuration.

To configure DHCP on an interface


1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select DHCP.


Figure 61: Interface DHCP settings

Figure 62: ADSL interface DHCP settings

Status Displays DHCP status messages as the FortiGate unit connects to the
DHCP server and gets addressing information. Select Status to refresh
the addressing mode status message.
Only displayed if you selected Edit.
Status can be one of:
• initializing - No activity.
• connecting - interface attempts to connect to the DHCP server.
• connected - interface retrieves an IP address, netmask, and other
settings from the DHCP server.
• failed - interface was unable to retrieve an IP address and other
settings from the DHCP server.
Obtained IP/Netmask The IP address and netmask leased from the DHCP server.
Only displayed if Status is connected.
Renew Select to renew the DHCP lease for this interface.
Only displayed if Status is connected.
Expiry Date The time and date when the leased IP address and netmask is no longer
valid.
Only displayed if Status is connected.
Default Gateway The IP address of the gateway defined by the DHCP server.
Only displayed if Status is connected and Retrieve default gateway
from server is selected.
Distance Enter the administrative distance for the default gateway retrieved from
the DHCP server. The administrative distance, an integer from 1-255,
specifies the relative priority of a route when there are multiple routes to
the same destination. A lower administrative distance indicates a more
preferred route. The default distance for the default gateway is 1.
Retrieve default gateway from server Enable to retrieve a default gateway IP address from the DHCP server.
The default gateway is added to the static routing table.
Enabled by default on low-end models.
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP server
instead of the DNS server IP addresses on the DNS page.
On low end models, this is enabled by default.
When VDOMs are enabled, you can override the internal DNS only on
the management VDOM.
Connect to Server Enable so that the interface automatically attempts to connect to a DHCP
server. Disable this option if you are configuring the interface offline.


Configuring an interface for PPPoE or PPPoA


If you configure the interface to use PPPoE or PPPoA, the FortiGate unit automatically
broadcasts a PPPoE or PPPoA request. When configuring the FortiGate unit offline and
you do not want the FortiGate unit to send the PPPoE or PPPoA request, do not enable
Connect to Server.
FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered
IPs, initial discovery timeout and PPPoE Active Discovery Terminate (PADT).
PPPoA is only available on FortiGate models that support ADSL.

To configure an interface for PPPoE or PPPoA


1 Go to System > Network > Interface.
2 Select Create New or select the Edit icon of an existing interface.
3 In the Addressing mode section, select PPPoE or PPPoA.

Figure 63: Interface PPPoE settings

Figure 64: ADSL interface PPPoE or PPPoA settings

Status Displays PPPoE or PPPoA status messages as the FortiGate unit connects
to the PPPoE or PPPoA server and gets addressing information. Select
Status to refresh the addressing mode status message.
Only displayed if you selected Edit.
Status can be one of the following four messages:
initializing No activity.
connecting The interface is attempting to connect to the PPPoE or PPPoA server.


connected The interface retrieves an IP address, netmask, and other settings from the
PPPoE server.
When the status is connected, PPPoE or PPPoA connection information is
displayed.
failed The interface was unable to retrieve an IP address and other information from
the PPPoE or PPPoA server.
Reconnect Select to reconnect to the PPPoE or PPPoA server.
Only displayed if Status is connected.
User Name The PPPoE or PPPoA account user name.
Password The PPPoE or PPPoA account password.
Unnumbered IP Specify the IP address for the interface. If your ISP has assigned you a block
of IP addresses, use one of them. Otherwise, this IP address can be the
same as the IP address of another interface or can be any IP address.
Initial Disc Timeout Enter the initial discovery timeout: the time to wait before starting to retry a
PPPoE or PPPoA discovery.
Initial PADT timeout Enter Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds.
Use this timeout to shut down the PPPoE or PPPoA session if it is idle for this
number of seconds. PADT must be supported by your ISP. Set initial PADT
timeout to 0 to disable.
Distance Enter the administrative distance for the default gateway retrieved from the
PPPoE or PPPoA server. The administrative distance, an integer from 1-255,
specifies the relative priority of a route when there are multiple routes to the
same destination. A lower administrative distance indicates a more preferred
route. The default distance for the default gateway is 1.
Retrieve default gateway from server Enable to retrieve a default gateway IP address from a PPPoE server. The
default gateway is added to the static routing table.
Override internal DNS Enable to replace the DNS server IP addresses on the System DNS page
with the DNS addresses retrieved from the PPPoE or PPPoA server.
When VDOMs are enabled, you can override the internal DNS only on the
management VDOM.
Connect to server Enable Connect to Server so that the interface automatically attempts to
connect to a PPPoE or PPPoA server when you select OK or Apply. Disable
this option if you are configuring the interface offline.

Configuring Dynamic DNS on an interface


When the FortiGate unit has a static domain name and a dynamic public IP address, you
can use a DDNS service to update Internet DNS servers when the IP address for the
domain changes.
Dynamic DNS is available only in NAT/Route mode.

To configure DDNS on an interface


1 Get the DDNS configuration information from your DDNS service.
2 Go to System > Network > Interface.
3 Select Create New.
4 Enable DDNS.
5 Enter DDNS configuration information.
If at any time your FortiGate unit cannot contact the DDNS server, it will retry three times at
one minute intervals and then change to retrying at three minute intervals. This is to
prevent flooding the DDNS server.


Figure 65: DDNS service configuration

Server Select a DDNS server to use. The client software for these services is built into the
FortiGate firmware. The FortiGate unit can connect only to one of these services.
Domain Enter the fully qualified domain name of the DDNS service.
Username Enter the user name to use when connecting to the DDNS server.
Password Enter the password to use when connecting to the DDNS server.

Configuring a virtual IPSec interface


You create a virtual IPSec interface by selecting IPSec Interface Mode in
VPN > IPSec > Auto Key or VPN > IPSec > Manual Key when you create a VPN. You
also select a physical or VLAN interface from the Local Interface list. The virtual IPSec
interface is listed as a subinterface of that interface in
System > Network > Interface. For more information, see:
• “Overview of IPSec VPN configuration” on page 505
• “Auto Key” on page 507 or “Manual Key” on page 515
Go to System > Network > Interface and select Edit on an IPSec interface to:
• configure IP addresses for the local and remote endpoints of the IPSec interface so
that you can run dynamic routing over the interface or use ping to test the tunnel
• enable administrative access through the IPSec interface
• enter a description for the interface

Figure 66: Virtual IPSec interface settings

Name The name of the IPSec interface.
Virtual Domain Select the VDOM of the IPSec interface.
IP and Remote IP If you want to use dynamic routing with the tunnel or be able to ping the tunnel
interface, enter IP addresses for the local and remote ends of the tunnel. These
two addresses must not be used anywhere else in the network.


Administrative Access Select the types of administrative access permitted on this interface.
HTTPS Allow secure HTTPS connections to the web-based manager through this
interface.
PING Allow the interface to respond to pings. Use this setting to verify your
installation and for testing.
HTTP Allow HTTP connections to the web-based manager through this interface.
HTTP connections are not secure and can be intercepted by a third party.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by connecting to
this interface. See “Configuring SNMP” on page 185.
TELNET Allow Telnet connections to the CLI through this interface. Telnet connections
are not secure and can be intercepted by a third party.
Description Enter a description of the interface. It can be up to 63 characters.

Configuring interfaces with CLI commands


While nearly all types of interfaces can be configured from the GUI, a few, such
as loopback and software switch interfaces, can only be configured using CLI commands.
Virtual interfaces are not connected to any physical devices or cables outside the
FortiGate unit. They allow additional connections inside the FortiGate unit, which allow for
more complex configurations. Virtual interfaces also have the added benefit of speed:
depending on the CPU load, virtual interfaces are consistently faster than physical
interfaces.

Loopback interface
A loopback interface is an ‘always up’ virtual interface that is not connected to any other
interfaces. Loopback interfaces connect to a FortiGate unit’s interface IP address without
depending on a specific external port.
A loopback interface is not connected to hardware, so it is not affected by hardware
problems. As long as the FortiGate unit is functioning, the loopback interface is active.
This ‘always up’ feature is useful in dynamic routing, where the FortiGate unit relies on
remote routers and local firewall policies to reach the loopback interface.
The CLI command to configure a loopback interface called loop1 with an IP address of
10.0.0.10 is:
config system interface
edit loop1
set type loopback
set ip 10.0.0.10 255.255.255.0
end
For more information, see config system interface in the FortiGate CLI Reference.

Software switch interface


A software switch interface forms a simple bridge between two or more physical or
wireless FortiGate interfaces. The interfaces added to a soft switch interface are called
members. The members of a switch interface cannot be accessed as an individual
interface after being added to a soft switch interface. They are removed from the system
interface table.


Similar to aggregate interfaces, a soft switch interface functions like a normal interface. A
soft switch interface has one IP address. You create firewall policies to and from soft
switch interfaces and soft switch interfaces can be added to zones. There are some
limitations; soft switch interfaces cannot be monitored by HA or used as HA heartbeat
interfaces.
To add interfaces to a software switch group, no configuration settings can refer to those
interfaces. This includes default routes, VLANs, inter-VDOM links, and policies. You can
view available interfaces on the CLI when entering the ‘set member ’ command by using
‘?’ or <TAB> to scroll through the available list.
The CLI command to configure a software switch interface called soft_switch with port1,
external and dmz interfaces is:
config system switch-interface
edit soft_switch
set member port1 external dmz
end
For more information, see config system switch-interface in the FortiGate CLI Reference.

Additional configuration for interfaces


Additional configuration for an interface consists of setting:
• Administrative access to an interface
• Interface MTU packet size
• Secondary IP Addresses

Administrative access to an interface


Administrative access is how an administrator connects to the FortiGate unit to view
and change configuration settings. The secure methods are HTTPS (web-based manager) and
SSH (CLI); HTTP and Telnet carry credentials and sessions in cleartext.
You can allow remote administration of the FortiGate unit running in NAT/Route mode, but
allowing remote administration from the Internet could compromise the security of the
FortiGate unit. You should avoid this unless it is required for your configuration.
To improve the security of a FortiGate unit that allows remote administration from the
Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Do not change the system idle timeout from the default value of 5 minutes (see
“Settings” on page 222).
For more information on configuring administrative access in Transparent mode, see
“Operation mode and VDOM management access” on page 199.

To control administrative access to an interface


1 Go to System > Network > Interface.
2 Choose an interface and select Edit.
3 Select the Administrative Access methods for the interface.
4 Select OK.
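The checklist above can be applied mechanically to a configuration backup rather than by reading each interface by hand. The following Python script is an added example written for this section; it is not Fortinet code, and the sample configuration it parses is constructed. It reads the `config system global` and `config system interface` blocks of a FortiOS CLI dump (the keywords `allowaccess` and `admintimeout` are the CLI forms of the Administrative Access and idle timeout settings described above) and reports cleartext admin protocols on any interface, anything other than HTTPS and SSH on interfaces you name as Internet-facing, and an idle timeout above the default 5 minutes. Because FortiOS 4.0 has no interface role setting, the set of Internet-facing interfaces is supplied by the caller.

```python
"""Audit a FortiOS CLI configuration dump for risky administrative access.

Added example for this guide; not Fortinet code. The sample configuration below is
constructed. 'allowaccess' and 'admintimeout' are the CLI forms of the Administrative
Access and idle timeout settings described in this section.
"""

# Constructed sample configuration: wan1 is the Internet-facing interface.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 30
end
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh http telnet
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "dmz"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping snmp
    next
end
"""

CLEARTEXT_PROTOCOLS = {"http", "telnet"}    # can be intercepted by a third party
INTERNET_SAFE_PROTOCOLS = {"https", "ssh"}  # the only access the guide recommends on Internet-facing ports
DEFAULT_ADMIN_TIMEOUT = 5                   # minutes; the guide says to leave this at the default


def parse_config(text):
    """Parse 'config / edit / set / next / end' blocks.

    Returns (global_settings, interfaces): global_settings maps a key to its list of
    values, interfaces maps an interface name to its own key -> values dict. Enclosing
    'config' sections are kept on a stack so that nested blocks (for example
    'config secondaryip' inside an interface) do not pollute the interface's settings.
    """
    global_settings = {}
    interfaces = {}
    stack = []            # enclosing 'config' section names, innermost last
    current_iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = stack[-1] if stack else None
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif line.startswith("edit ") and section == "system interface":
            current_iface = line[len("edit "):].strip().strip('"')
            interfaces.setdefault(current_iface, {})
        elif line == "next" and section == "system interface":
            current_iface = None
        elif line.startswith("set "):
            key, _, rest = line[len("set "):].partition(" ")
            values = [v.strip('"') for v in rest.split()]
            if section == "system global":
                global_settings[key] = values
            elif section == "system interface" and current_iface is not None:
                interfaces[current_iface][key] = values
    return global_settings, interfaces


def audit(text, internet_facing):
    """Return a sorted list of (severity, scope, message) findings.

    internet_facing: names of interfaces reachable from the Internet (assumption of the
    example: FortiOS 4.0 has no interface role, so the caller must say which these are).
    """
    findings = []
    global_settings, interfaces = parse_config(text)

    timeout = int(global_settings.get("admintimeout", [str(DEFAULT_ADMIN_TIMEOUT)])[0])
    if timeout > DEFAULT_ADMIN_TIMEOUT:
        findings.append(("medium", "global",
                         f"admintimeout is {timeout} minutes; keep the default of {DEFAULT_ADMIN_TIMEOUT}"))

    for name, settings in interfaces.items():
        access = set(settings.get("allowaccess", []))
        for proto in sorted(access & CLEARTEXT_PROTOCOLS):
            findings.append(("high", name, f"{proto} admin access is cleartext and can be intercepted"))
        if name in internet_facing:
            extra = sorted(access - INTERNET_SAFE_PROTOCOLS)
            if extra:
                findings.append(("high", name,
                                 f"Internet-facing interface allows {' '.join(extra)}; permit only https and ssh"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, scope, message in audit(SAMPLE_CONFIG, {"wan1"}):
        print(f"[{severity:6}] {scope}: {message}")
```

Run it against a `show full-configuration` capture instead of the constructed sample to get the same report for a real unit; the parser ignores sections it does not know about.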


Interface MTU packet size


To improve network performance, you can change the maximum transmission unit (MTU)
of the packets that the FortiGate unit transmits. Ideally, the MTU should be the same as
the smallest MTU of all the networks between the FortiGate unit and the destination of the
packets. If the packets that the FortiGate unit sends are larger than the smallest MTU,
they are broken up or fragmented, which slows down transmission. Experiment by
lowering the MTU to find an MTU size for optimum network performance.
FortiGate models numbered 3000 and higher support jumbo frames, that is, frames larger than
the traditional 1500 bytes. Some models support a jumbo frame limit of 9000 bytes while
others support 16110 bytes. NP2-accelerated interfaces support a jumbo frame limit of
16000 bytes. FA2-accelerated interfaces do not support jumbo frames. Jumbo frames are
much larger than the maximum standard Ethernet frame size of 1500 bytes. As new Ethernet
standards have been implemented (such as Gigabit Ethernet), 1500 byte frames remain in
the standard for backward compatibility.
To be able to send jumbo frames over a route, all Ethernet devices on that route must
support jumbo frames, otherwise your jumbo frames are not recognized and are dropped.
If you have standard ethernet and jumbo frame traffic on the same interface, routing alone
cannot route them to different routes based only on frame size. However you can use
VLANs to make sure the jumbo frame traffic is routed over network devices that support
jumbo frames. VLANs will inherit the MTU size from the parent interface. You will need to
configure the VLAN to include both ends of the route as well as all switches and routers
along the route. For more information on VLAN configurations, see the VLAN and VDOM
guide.

To change the MTU size of the packets leaving an interface


1 Go to System > Network > Interface.
2 Choose a physical interface and select Edit.
3 Below Administrative Access, select Override default MTU value (1500).
4 Set the MTU size.
If you select an MTU size larger than your FortiGate unit supports, an error message
will indicate this. In this situation, try a smaller MTU size until the value is supported.
Supported maximums are 16110, 9000, and 1500 bytes, depending on the model.

Note: If you change the MTU, you need to reboot the FortiGate unit to update the MTU
value of VLAN subinterfaces on the modified interface.

Note: In Transparent mode, if you change the MTU of an interface, you must change the
MTU of all interfaces to match the new MTU.

Secondary IP Addresses
An interface can be assigned more than one IP address. You can create and apply
separate firewall policies for each IP address on an interface. You can also forward traffic
and use RIP or OSPF routing with secondary IP addresses.
An interface can have up to 32 IP addresses in total, counting the primary address, the
secondary addresses, and any other IP addresses assigned to it. Primary and secondary IP
addresses can share the same ping server.


The following conditions must be met before you can assign a secondary IP address:
• A primary IP address must be assigned to the interface.
• The interface must use manual addressing mode.
• By default, the secondary address cannot be in the same subnet as the primary address or
as any other interface address on the unit. To allow interface subnets to overlap, use the
CLI command:
config system global
set allow-interface-subnet-overlap enable
end
Overlapping subnets make it ambiguous which interface should carry traffic for the shared
range, so enable this only when you have a specific reason to.
You can also use the CLI command config system interface to add a secondary IP
address to an interface. For more information, see config secondaryip under
system interface in the FortiGate CLI Reference.
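The conditions above are easy to check before a change is pushed, and the check is cheaper than discovering that the address silently failed to appear in the secondary IP table. The following Python is an added example written for this section, not Fortinet code. `validate_secondary_ips()` applies the restrictions (primary present, manual addressing, no subnet overlap unless `allow-interface-subnet-overlap` is enabled, at most 32 addresses); `render_cli()` emits the `config secondaryip` commands the guide refers to. The addresses are constructed, and the `set secondary-IP enable` line is an assumption taken from later FortiOS releases: confirm it against the CLI Reference for your version.

```python
"""Check the secondary IP restrictions described above before pushing them to a FortiGate.

Added example for this guide, not Fortinet code. The 'set secondary-IP enable' line in
render_cli() is assumed from later FortiOS releases; verify it in your CLI Reference.
"""
import ipaddress

MAX_ADDRESSES_PER_INTERFACE = 32   # primary plus secondaries, per the guide


def validate_secondary_ips(mode, primary, secondaries,
                           other_interface_subnets=(), allow_subnet_overlap=False):
    """Return the reasons FortiOS would refuse the secondary addresses (empty list = OK).

    mode: addressing mode as given to 'set mode' ('static' is manual addressing)
    primary: the primary address as 'a.b.c.d/prefix', or None if none is assigned yet
    secondaries: candidate secondary addresses in the same form
    other_interface_subnets: subnets already used by other interfaces on the unit
    allow_subnet_overlap: value of 'set allow-interface-subnet-overlap' in config system global
    """
    problems = []
    secondaries = list(secondaries)
    if mode != "static":
        problems.append(f"interface uses {mode} addressing; secondary IPs need manual (static) addressing")
    if primary is None:
        problems.append("no primary IP address assigned")
        return problems

    if 1 + len(secondaries) > MAX_ADDRESSES_PER_INTERFACE:
        problems.append(f"{1 + len(secondaries)} addresses exceeds the limit of "
                        f"{MAX_ADDRESSES_PER_INTERFACE} per interface")

    # Subnets a new secondary must not overlap unless overlap is explicitly allowed.
    taken = [("primary", ipaddress.ip_interface(primary).network)]
    taken += [("other-interface", ipaddress.ip_network(s, strict=False))
              for s in other_interface_subnets]
    for addr in secondaries:
        net = ipaddress.ip_interface(addr).network
        if not allow_subnet_overlap:
            for label, existing in taken:
                if net.overlaps(existing):
                    problems.append(f"{addr} overlaps {label} subnet {existing}")
                    break
        taken.append((f"secondary {addr}", net))   # later secondaries must not overlap this one
    return problems


def render_cli(interface, secondaries, allowaccess=("ping", "https")):
    """Emit the CLI commands that add the secondary addresses to an interface."""
    lines = ["config system interface",
             f"    edit {interface}",
             "        set secondary-IP enable",      # assumed keyword; see module docstring
             "        config secondaryip"]
    for n, addr in enumerate(secondaries, start=1):
        iface = ipaddress.ip_interface(addr)
        lines += [f"            edit {n}",
                  f"                set ip {iface.ip} {iface.netmask}",
                  f"                set allowaccess {' '.join(allowaccess)}",
                  "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example: port1 has 10.0.0.1/24 and we want to add two secondaries.
    wanted = ["10.1.0.1/24", "10.0.0.50/24"]
    for problem in validate_secondary_ips("static", "10.0.0.1/24", wanted):
        print("refused:", problem)
    print(render_cli("port1", ["10.1.0.1/24"]))
```

The validator reports only the first overlap per candidate address, which mirrors the single refusal you would see on the unit; the rendered CLI deliberately restricts administrative access on the new address to PING and HTTPS, as the secondary IP carries its own access list independent of the primary.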

Figure 67: Adding Secondary IP Addresses

IP/Netmask       Enter the IP address/subnet mask in the IP/Netmask field.
                 The secondary IP address must be on a different subnet than the primary
                 IP address.
                 This field is only available in Manual addressing mode.
Ping Server      To enable dead gateway detection, enter the IP address of the next hop
                 router on the network connected to the interface and select Enable. See
                 “Dead gateway detection” on page 147.
                 Multiple addresses can share the same ping server.
Administrative Access   Select the types of administrative access permitted on the
                 secondary IP. These can be different from the primary address.
  HTTPS          Allow secure HTTPS connections to the web-based manager through this
                 secondary IP.
  PING           Allow the secondary IP to respond to pings. Use this setting to verify
                 your installation and for testing.
  HTTP           Allow HTTP connections to the web-based manager through this secondary
                 IP. HTTP connections are not secure and can be intercepted by a third
                 party.
  SSH            Allow SSH connections to the CLI through this secondary IP.
  SNMP           Allow a remote SNMP manager to request SNMP information by connecting
                 to this secondary IP. See “Configuring SNMP” on page 185.
  TELNET         Allow Telnet connections to the CLI through this secondary IP. Telnet
                 connections are not secure and can be intercepted by a third party.
Add              Select Add to add the configured secondary IP address to the secondary
                 IP table. Addresses in this table are not added to the interface until
                 you select OK or Apply.
Secondary IP table   A table that displays all the secondary IP addresses that have
                 been added to this interface. These addresses are not permanently added
                 to the interface until you select OK or Apply.


# The identifying number of the secondary IP address.


IP/Netmask The IP address and netmask for the secondary IP.
Ping Server The IP address of the ping server for the address. The ping server can be
shared by multiple addresses.
Enable Indicates if the ping server option is selected.
Access The administrative access methods for this address. They can be different
from the primary IP address.
Delete Icon Select to remove this secondary IP entry.

Note: After adding a secondary IP, refresh the secondary IP table and verify that the new
address is listed. If it is not, one of the restrictions prevented the address from being
added: the interface has no primary IP address, it does not use manual addressing mode,
the new address is in the same subnet as an existing address, or the interface already
has 32 IP addresses.

Configuring zones
Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can
configure policies for connections to and from a zone, but not between interfaces in a
zone.
You can add zones, rename and edit zones, and delete zones from the zone list. When
you add a zone, you select the names of the interfaces and VLAN subinterfaces to add to
the zone.
Zones are configured from virtual domains. If you have added multiple virtual domains to
your FortiGate configuration, make sure you are configuring the correct virtual domain
before adding or editing zones.

Figure 68: Zone list

Create New Select to create a new zone.


Name                 Names of the zones.
Block intra-zone traffic   Displays Yes if traffic between interfaces in the same zone is
                     blocked and No if it is not blocked.
Interface Members    Names of the interfaces added to the zone. Interface names depend on
                     the FortiGate model.
Edit/View icons      Edit or view a zone.
Delete icon          Delete a zone.

To configure zone settings


1 Go to System > Network > Zone.
2 Select Create New or select the Edit icon for a zone.
3 Select name, and interfaces.
4 Select OK.


Figure 69: Zone settings

Zone Name Enter the name to identify the zone.


Block intra-zone traffic Select to block traffic between interfaces or VLAN subinterfaces in the
same zone.
Interface members Select the interfaces that are part of this zone. This list includes
configured VLANs.

Configuring the modem interface


All FortiGate models with a USB interface support USB modems, and FortiGate-50 series
and FortiGate-60 series models include a serial modem port. In NAT/Route mode the
modem can be in one of two modes:
• In redundant (backup) mode, the modem interface automatically takes over from a
selected ethernet interface when that ethernet interface is unavailable.
• In standalone mode, the modem interface is the connection from the FortiGate unit to
the Internet.
In either mode, when connecting to the ISP you can configure the FortiGate unit to have
the modem dial up to three dialup accounts in turn until it connects to an ISP.
FortiGate-50AM and FortiGate-60M models have a built-in modem. For these models, you can
configure modem operation in the web-based manager. For more information, see
“Configuring modem settings”.
Other models can connect to an external modem through a USB-to-serial converter. For
these models, you must configure modem operation using the CLI.
Initially modem interfaces are disabled, and must be enabled in the CLI to be visible in the
web-based manager. See the system modem command in the FortiGate CLI Reference.

Note: The modem interface is not the AUX port. While the modem and AUX port may
appear similar, the AUX port has no associated interface and is used for remote console
connection. The AUX port is only available on FortiGate models 1000A, 1000AFA2, and
3000A. For more information, see the config system aux command in the
FortiGate CLI Reference.

This section describes:


• Configuring modem settings
• Redundant mode configuration
• Standalone mode configuration
• Adding firewall policies for modem connections
• Connecting and disconnecting the modem
• Checking modem status


Configuring modem settings


Configure modem settings so that the FortiGate unit uses the modem to connect to your
ISP dialup accounts. You can configure up to three dialup accounts, select standalone or
redundant operation, and configure how the modem dials and disconnects.
For FortiGate-60B and FortiWiFi-60B models with modems, the modem can be a
management interface. When enabled, a user can dial into the unit’s modem and perform
administration actions as if logged in over one of the standard interfaces. This feature
is enabled in the CLI using config system dialinsvr. A dial-in management path is
reachable by anyone who knows the phone number, so protect it with the same care as
remote administration from the Internet.
If VDOMs are enabled, the modem can be assigned to one of the VDOMs just like the
other interfaces.
If the modem is disabled it will not appear in the interface list, and must be enabled from
the CLI using:
config system modem
set status enable
end

Note: You cannot configure and use the modem in Transparent mode.

Figure 70 shows only the settings specific to standalone mode. The remaining settings
are common to both standalone and redundant modes and are shown in Figure 71.

Figure 70: Modem settings (Standalone)


Figure 71: Modem settings (Redundant)

Enable Modem     Select to enable the FortiGate modem.
Modem status     Modem status can be: not active, connecting, connected, disconnecting,
                 or hung up.
Dial Now/Hang Up   (Standalone mode only) Select Dial Now to manually connect to a dialup
                 account. If the modem is connected, you can select Hang Up to manually
                 disconnect the modem.
Mode             Select Standalone or Redundant mode.
Auto-dial        (Standalone mode) Select to dial the modem automatically if the
                 connection is lost or the FortiGate unit is restarted.
                 You cannot select Auto-dial if Dial on demand is selected.
Dial on demand   (Standalone mode) Select to dial the modem when packets are routed to
                 the modem interface. The modem disconnects after the idle timeout period
                 if there is no network activity.
                 You cannot select Dial on demand if Auto-dial is selected.
Idle timeout     (Standalone mode) Enter the timeout duration in minutes. After this
                 period of inactivity, the modem disconnects.
Redundant for    (Redundant mode) Select the ethernet interface for which the modem
                 provides backup service.
Holddown Timer   (Redundant mode only) Enter the time (1-60 seconds) that the FortiGate
                 unit waits before switching back to the primary interface from the modem
                 interface, after the primary interface has been restored. The default is
                 1 second. Configure a higher value if you find the FortiGate unit
                 switching repeatedly between the primary interface and the modem
                 interface.
Redial Limit     The maximum number of times (1-10) that the FortiGate unit modem
                 attempts to reconnect to the ISP if the connection fails. The default
                 redial limit is 1. Select None to have no limit on redial attempts.


Wireless Modem Display a connected wireless modem if available.


Supported Modems Select to view a list of supported modems.
Usage History Display connections made on the modem interface. Information
displayed about connections includes:
• date and time
• duration of the connection in hours, minutes, and seconds
• IP address connected to
• traffic statistics including received, sent, and total
• current status of the connection
Dialup Account Configure up to three dialup accounts. The FortiGate unit tries
connecting to each account in order until a connection can be
established.
The active dialup account is indicated with a green check mark.
Phone Number The phone number required to connect to the dialup account. Do not add
spaces to the phone number. Make sure to include standard special
characters for pauses, country codes, and other functions as required by
your modem to connect to your dialup account.
User Name The user name (maximum 63 characters) sent to the ISP.
Password The password sent to the ISP.
To configure the modem in Redundant mode, see “Redundant mode configuration” on
page 143.
To configure the modem in Standalone mode, see “Standalone mode configuration” on
page 144.

Redundant mode configuration


In redundant mode the modem interface backs up a selected ethernet interface. If that
ethernet interface disconnects from its network, the modem automatically dials the
configured dialup accounts. When the modem connects to a dialup account, the FortiGate
unit routes IP packets normally destined for the selected ethernet interface to the modem
interface.
The FortiGate unit disconnects the modem interface and switches back to the ethernet
interface when the ethernet interface is able to connect to its network. You can set a
holddown timer that delays the switch back to the ethernet interface to ensure it is stable
and fully active before switching the traffic.
The modem will disconnect after a period of network inactivity set by the value in idle
timeout. This saves money on dialup connection charges.
For the FortiGate unit to be able to switch from an ethernet interface to the modem, you
must select the name of the interface in the modem configuration and configure a ping
server for that interface. You must also configure firewall policies for connections between
the modem interface and other FortiGate interfaces.

Note: Do not add policies for connections between the modem interface and the ethernet
interface that the modem is backing up.

To configure redundant mode


1 Go to System > Network > Modem.
2 Select Redundant mode.
3 Enter the following information:


Redundant for    From the list, select the interface to back up.
Holddown timer   Enter the number of seconds to continue using the modem after the
                 network connectivity is restored.
Redial Limit     Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, 2, 3   Enter the ISP phone number, user name and password for up to
                 three dialup accounts.

4 Select Apply.
5 Configure a ping server for the ethernet interface the modem backs up.
See “To add a ping server to an interface” on page 147.
6 Configure firewall policies for network connectivity through the modem interface.
See “Adding firewall policies for modem connections” on page 145.

Standalone mode configuration


In standalone mode, the modem connects to a dialup account to provide a connection to
the Internet. You can configure the modem to dial when the FortiGate unit restarts or when
there are unrouted packets. You can also hang up or redial the modem manually.
If the connection to the dialup account fails, the FortiGate unit will redial the modem. The
modem redials the number of times specified by the redial limit, or until it connects to a
dialup account.
The modem will disconnect after a period of network inactivity set by the value in idle
timeout. This saves money on dialup connection charges.
You must configure firewall policies for connections between the modem interface and
other FortiGate interfaces.
You must also go to Router > Static to configure static routes to route traffic to the modem
interface. For example, if the modem interface is acting as the FortiGate unit external
interface you must set the device setting of the FortiGate unit default route to modem.

To configure standalone mode


1 Go to System > Network > Modem.
2 Select Standalone mode.
3 Enter the following information:

Auto-dial        Select if you want the modem to dial when the FortiGate unit restarts.
Dial on demand   Select if you want the modem to connect to its ISP whenever there are
                 unrouted packets.
Idle timeout     Enter the timeout duration in minutes. After this period of inactivity,
                 the modem disconnects.
Redial Limit     Enter the maximum number of times to retry if the ISP does not answer.
Dialup Account 1, 2, 3   Enter the ISP phone number, user name and password for up to
                 three dialup accounts.

4 Select Apply.
5 Configure firewall policies for network connectivity through the modem interface.
See “Adding firewall policies for modem connections” on page 145.


6 Go to Router > Static and set device to modem to configure static routes to route
traffic to the modem interface.
See “Adding a static route to the routing table” on page 278.

Adding firewall policies for modem connections


The modem interface requires firewall addresses and policies. You can add one or more
addresses to the modem interface. For information about adding addresses, see
“Configuring addresses” on page 341.
You can configure firewall policies to control the flow of packets between the modem
interface and the other interfaces on the FortiGate unit. For information on configuring
firewall policies, see “Configuring firewall policies” on page 316.

Connecting and disconnecting the modem

Note: The modem must be in Standalone mode before connecting or disconnecting from a
dialup account.

To connect to a dialup account


1 Go to System > Network > Modem.
2 Select Enable USB Modem.
3 Verify the information in Dialup Accounts.
4 Select Apply.
5 Select Dial Now.
The FortiGate unit dials into each dialup account in turn until the modem connects to
an ISP.

To disconnect from a dialup account


1 Go to System > Network > Modem.
2 Select Hang Up to disconnect the modem.

Checking modem status


You can determine the connection status of your modem and which dialup account is
active. If the modem is connected to the ISP, you can see the IP address and netmask.
To check the modem status, go to System > Network > Modem.
Modem status is one of the following:

not active The modem is not connected to the ISP.


connecting The modem is attempting to connect to the ISP.
connected The modem is connected to the ISP.
disconnecting The modem is disconnecting from the ISP.
hung up The modem has disconnected from the ISP. (Standalone mode only)
The modem will not redial unless you select Dial Now.

A green check mark indicates the active dialup account.


The IP address and netmask assigned to the modem interface appear at System > Network >
Interface in the web-based manager.


Configuring Networking Options


Network options include DNS server and dead gateway detection settings.

To configure network options


1 Go to System > Network > Options.
2 Enter primary and secondary DNS servers.
3 Enter local domain name.
4 Enter Dead Gateway Detection settings.
5 Select OK.

Figure 72: Configuring Networking Options - FortiGate models 200 and higher

Figure 73: Configuring Networking Options - FortiGate models 100 and lower


Obtain DNS server address automatically   This option applies only to FortiGate models
                 100 and lower. Select to have the FortiGate unit obtain its DNS server
                 addresses from the DHCP or PPPoE server of an interface that uses DHCP or
                 PPPoE addressing. Available only in NAT/Route mode. You should also
                 enable Override internal DNS in the DHCP settings of the interface. See
                 “Configuring DHCP on an interface” on page 130.
Use the following DNS server addresses   This option applies only to FortiGate models
                 100 and lower. Use the specified Primary DNS Server and Secondary DNS
                 Server addresses.
Primary DNS Server     Enter the primary DNS server IP address.
Secondary DNS Server   Enter the secondary DNS server IP address.
Local Domain Name      Enter the domain name to append to addresses with no domain
                 portion when performing DNS lookups.
Enable DNS forwarding from   This option applies only to FortiGate models 100 and lower
                 operating in NAT/Route mode. Select the interfaces that forward DNS
                 requests they receive to the configured DNS servers.
Dead Gateway Detection   Dead gateway detection confirms connectivity using a ping server
                 added to an interface configuration. For information about adding a
                 ping server to an interface, see “Dead gateway detection” on page 147.
Detection Interval     Enter a number in seconds to specify how often the FortiGate unit
                 pings the target.
Fail-over Detection    Enter the number of times that the ping test fails before the
                 FortiGate unit assumes that the gateway is no longer functioning.

DNS Servers
Several FortiGate functions use DNS, including alert email and URL blocking. You can
specify the IP addresses of the DNS servers to which your FortiGate unit connects. DNS
server IP addresses are usually supplied by your ISP.
You can configure FortiGate models numbered 100 and lower to obtain DNS server
addresses automatically. To obtain these addresses automatically, at least one FortiGate
unit interface must use the DHCP or PPPoE addressing mode. See “Configuring DHCP
on an interface” on page 130 or “Configuring an interface for PPPoE or PPPoA” on
page 132.
FortiGate models 100 and lower can provide DNS Forwarding on their interfaces. Hosts
on the attached network use the interface IP address as their DNS server. DNS requests
sent to the interface are forwarded to the DNS server addresses that you configured or
that the FortiGate unit obtained automatically.

Dead gateway detection


Dead gateway detection periodically pings a ping server to confirm network connectivity.
Typically, the ping server is the next-hop router that leads to an external network or the
Internet. The ping period (Detection Interval) and the number of failed pings that is
considered to indicate a loss of connectivity (Fail-over Detection) are set in System >
Network > Options.
To apply dead gateway detection to an interface, you must configure a ping server for that
interface.

To add a ping server to an interface


1 Go to System > Network > Interface.
2 Choose an interface and select Edit.


3 Set Ping Server to the IP address of the next hop router on the network.
4 Select Enable.
5 Select OK.
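How Detection Interval, Fail-over Detection and the redundant-mode Holddown Timer interact is easier to see in a small model than in prose. The following Python is an added example written for this section; it is not Fortinet code and is a simplification of the behaviour this guide describes, not the FortiOS implementation. Pings fire every Detection Interval seconds, Fail-over Detection consecutive failures mark the primary interface dead and move traffic to the backup, and once the primary answers again it must stay up for the holddown period before traffic moves back. The sequence of ping outcomes is constructed to show a gateway that briefly recovers and fails again, which is exactly the case the Holddown Timer exists for.

```python
"""Model dead gateway detection driving a redundant (modem) interface.

Added example for this guide, not Fortinet code, and a simplification of the behaviour
the guide describes rather than the FortiOS implementation.
"""


class RedundantLink:
    def __init__(self, interval=5, failover_count=5, holddown=1):
        self.interval = interval              # Detection Interval (seconds)
        self.failover_count = failover_count  # Fail-over Detection (failed pings)
        self.holddown = holddown              # Holddown Timer (seconds, redundant mode)
        self.active = "primary"
        self.failures = 0                     # consecutive failed pings on the primary
        self.primary_up_since = None          # time the primary first answered after an outage
        self.transitions = []                 # (time, interface that became active)

    def _switch(self, t, target):
        self.active = target
        self.primary_up_since = None
        self.transitions.append((t, target))

    def ping_result(self, t, ok):
        """Feed one ping outcome observed at time t (seconds)."""
        if ok:
            self.failures = 0
            if self.active == "backup":
                if self.primary_up_since is None:
                    self.primary_up_since = t            # primary restored: start the holddown
                elif t - self.primary_up_since >= self.holddown:
                    self._switch(t, "primary")           # stable for the whole holddown period
        else:
            self.failures += 1
            self.primary_up_since = None                  # any failure restarts the holddown
            if self.active == "primary" and self.failures >= self.failover_count:
                self._switch(t, "backup")


def simulate(outcomes, interval=5, failover_count=2, holddown=1):
    """Run a sequence of ping outcomes (True = reply received) and return the transitions."""
    link = RedundantLink(interval, failover_count, holddown)
    for i, ok in enumerate(outcomes):
        link.ping_result(i * interval, ok)
    return link.transitions


# Constructed outage pattern: two short outages a few pings apart, then a stable gateway.
FLAPPING_GATEWAY = [False, False, True, True, False, False] + [True] * 8

if __name__ == "__main__":
    for holddown in (1, 30):
        print(f"holddown={holddown:2}s:", simulate(FLAPPING_GATEWAY, holddown=holddown))
```

With the default 1 second holddown the model switches four times in 35 seconds; with a 30 second holddown the second outage happens while the unit is still waiting, so traffic stays on the modem and moves back once, when the primary has been up for the full period. That is the "switching repeatedly" symptom the Holddown Timer description refers to, and the cost of a longer holddown is only the extra time spent on the slower link.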

Web Proxy
FortiGate models 3000 and up allow you to enable and configure web proxies. When
enabled, the FortiGate unit becomes a web proxy server: all HTTP and HTTPS traffic
on monitored interfaces passes through the FortiGate unit and is relayed to its
destination. This allows the FortiGate unit to apply protection profiles, web content
filtering, WAN optimization, and antivirus scanning to web traffic.
To enable explicit web proxy on an interface, go to System > Network > Interface, select
the interface, and enable explicit web proxy. If VDOMs are enabled, only interfaces that
belong to the current VDOM and have explicit web proxy enabled will be displayed. If you
enable the web proxy on an interface that has VLANs on it, the VLANs will only be
enabled for web proxy if you manually enable each of them.
You can cache explicit web proxy using cache settings under Wan optimization. For web
proxy cache settings go to WAN Opt. & Cache > Cache. For more information, see “WAN
optimization” on page 567.

Note: To enable AV on web proxy traffic, you must configure 2 VDOMs and use inter-
VDOM routing to pass the web traffic between them.

Web proxies are configured for each VDOM when VDOMs are enabled.
To configure web proxies go to System > Network > Web Proxy.

Figure 74: Configuring Web Proxy settings

Proxy FQDN Enter the fully qualified domain name (FQDN) for the proxy server.
This is the domain name to enter into browsers to access the proxy
server.
Max HTTP request length Enter the maximum length of an HTTP request. Larger requests
will be rejected.
Max HTTP message length Enter the maximum length of an HTTP message. Larger messages
will be rejected.


Add headers to Forwarded Requests   The web proxy server forwards HTTP requests toward
                 their destination. You can include the following headers in those
                 requests:
  Client IP Header   Enable to include the Client IP header from the original HTTP
                 request.
  Via Header     Enable to include the Via header from the original HTTP request.
  X-forwarded-for Header   Enable to include the X-Forwarded-For (XFF) HTTP header.
                 The XFF header lists the originating IP address of a web client or
                 browser that is connecting through an HTTP proxy, followed by the
                 addresses of the proxies the request passed through to reach this point.
  Front-end HTTPS Header   Enable to include the Front-End-Https header, which tells the
                 destination server that the client’s original request arrived over HTTPS.
Explicit Web Proxy Options   Web proxies can be transparent or explicit. A transparent
                 web proxy does not modify the web traffic in any way, but just forwards
                 it to the destination. An explicit web proxy can modify web traffic to
                 provide extra services and administration. Explicit web proxy is
                 configured with the following options.
  Enable Explicit Web Proxy   Enable the explicit web proxy server.
  Port           Enter the port on which the web proxy server listens. This field cannot
                 be left blank.
  Listen on Interfaces   Displays the interfaces on which the web proxy server is
                 listening.
  Unknown HTTP version   Select the action to take when the proxy server must handle a
                 request or message with an unknown HTTP version. Choose either Reject
                 or Best Effort. Reject is the more secure option.
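The forwarded-request headers above are what the servers behind the proxy see, and X-Forwarded-For in particular is often misread: a client can send its own XFF header, and a proxy that follows the header's accumulating semantics only appends its client's address to it. The following Python is an added example written for this section, not Fortinet code. `proxy_forward()` models a proxy applying the Via, XFF and Front-End-Https options; `originating_client()` shows how a server behind the proxy should read XFF, trusting only entries added by proxies it knows. Whether the FortiGate preserves a client-supplied XFF value is not stated on this page, so the receiving side should not depend on it either way. The addresses, the proxy name `proxy.example.com` and the trusted range `10.0.0.0/8` are constructed.

```python
"""Build and read the forwarded-request headers an explicit web proxy adds.

Added example for this guide, not Fortinet code. The proxy name, addresses and trusted
proxy range are constructed; the header spellings follow common proxy practice.
"""
import ipaddress

# Assumed: the address range the web proxy forwards from, as seen by internal servers.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def proxy_forward(headers, client_ip, proxy_fqdn="proxy.example.com",
                  add_xff=True, add_via=True, client_used_https=False):
    """Return the request headers as the proxy forwards them toward the destination."""
    out = dict(headers)
    if add_xff:
        prev = out.get("X-Forwarded-For")
        out["X-Forwarded-For"] = f"{prev}, {client_ip}" if prev else client_ip
    if add_via:
        hop = f"1.1 {proxy_fqdn}"
        out["Via"] = f"{out['Via']}, {hop}" if "Via" in out else hop
    if client_used_https:
        out["Front-End-Https"] = "on"
    return out


def _is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def originating_client(xff, peer_ip):
    """Return the client address, trusting only X-Forwarded-For entries added by known proxies.

    Walk the list from the right: the peer that delivered the request is known, and each
    trusted hop vouches for the entry to its left. The first address that is not a trusted
    proxy is the real client; anything further left was supplied by the client itself.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    client = peer_ip
    for hop in reversed(hops):
        if not _is_trusted(client):
            break
        client = hop
    return client


def naive_client(xff, peer_ip):
    """The common mistake: take the left-most entry as the client."""
    return xff.split(",")[0].strip() if xff else peer_ip


if __name__ == "__main__":
    # A client at 198.51.100.7 forges an XFF header claiming an internal address.
    spoofed = {"Host": "intranet.example.com", "X-Forwarded-For": "192.168.1.5"}
    forwarded = proxy_forward(spoofed, "198.51.100.7", client_used_https=True)
    print(forwarded)
    print("naive:      ", naive_client(forwarded["X-Forwarded-For"], "10.1.1.1"))
    print("trusted-hop:", originating_client(forwarded["X-Forwarded-For"], "10.1.1.1"))
```

Any access control or logging on the destination server that keys on the client address should use the trusted-hop walk, and the trusted range should be exactly the proxy's source addresses rather than a whole private block.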

To enable explicit web proxy on an interface


1 Go to System > Network > Interface.
2 Select the interface to edit.
3 Select Enable explicit web proxy, and save the changes.
When you go to System > Network > Web Proxy, under Explicit web proxy you will see
the interface that you enabled.

Note: Only interfaces that have explicit web proxy enabled and are in the current VDOM
are displayed. If an interface has a VLAN subinterface, the VLAN subinterface must be
enabled separately for explicit web proxy. An interface that has been enabled is listed
on the Web Proxy screen whether or not the explicit web proxy itself is currently enabled
there.

Routing table (Transparent Mode)


In NAT/Route mode the static routing table is located at System > Routing > Static, but in
Transparent Mode that static routing table is located at System > Network > Routing
Table.

Adding a static route in Transparent Mode


1 Ensure your FortiGate unit is in Transparent mode. For more details see “Changing
operation mode” on page 199.
2 Go to System > Network > Routing Table.
3 Select Create New.


Figure 75: Static routing table - Transparent Mode

Create New Add a new static route.


# Position of the route in the routing table.
IP The destination IP address for the route.
Mask The netmask for the route.
Gateway The IP address of the next hop router to which the route directs traffic.
Distance The administrative distance, or relative preferability, of the route. An
administrative distance of 1 is most preferred.
Delete icon Remove a route.
View/edit icon Edit or view a route.
Move To icon Change the position of a route in the list.

Transparent mode route settings


Configuring a static route in Transparent mode
1 Go to System > Network > Routing Table.
2 Select Create New.
You can also select the Edit icon of an existing route to modify it.
3 Enter the Destination IP and netmask.
4 Enter the Gateway IP address.
5 Enter the administrative distance.
6 Select OK.

Figure 76: Transparent mode route settings

Destination IP /Mask Enter the destination IP address and netmask for the route.
To create a default route, set the IP and netmask to 0.0.0.0.
Gateway Enter the IP address of the next hop router to which the route directs traffic.
For an Internet connection, the next hop routing gateway routes traffic to
the Internet.
Distance The administrative distance, or relative preferability, of the route. An
administrative distance of 1 is most preferred.
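To make the two selection rules concrete, the Python example below resolves a destination against a small static routing table: the most specific matching prefix wins, and among routes with the same prefix the lowest administrative distance wins, with the 0.0.0.0/0.0.0.0 entry acting as the default route. This is an added illustration, not code from the guide; the gateway addresses and distances are constructed.

```python
import ipaddress


def select_route(routes, destination):
    """Return the gateway used for destination, or None if no route matches.

    routes: list of dicts with the fields of the Transparent-mode routing
    table: "ip", "mask", "gateway", "distance" (1 is most preferred).
    Longest prefix match is applied first; administrative distance only
    breaks ties between routes with the same prefix length.
    """
    dst = ipaddress.ip_address(destination)
    best_key, best_gateway = None, None
    for route in routes:
        net = ipaddress.ip_network(f"{route['ip']}/{route['mask']}", strict=False)
        if dst not in net:
            continue
        # Higher tuple wins: longer prefix, then lower distance.
        key = (net.prefixlen, -int(route["distance"]))
        if best_key is None or key > best_key:
            best_key, best_gateway = key, route["gateway"]
    return best_gateway


# Constructed sample table (gateways and distances are illustrative only).
ROUTES = [
    {"ip": "0.0.0.0", "mask": "0.0.0.0", "gateway": "172.16.21.1", "distance": 10},
    {"ip": "10.1.0.0", "mask": "255.255.0.0", "gateway": "192.168.110.1", "distance": 10},
    {"ip": "10.1.2.0", "mask": "255.255.255.0", "gateway": "192.168.110.2", "distance": 20},
    {"ip": "10.1.2.0", "mask": "255.255.255.0", "gateway": "192.168.110.3", "distance": 5},
]
```

Note that the /24 route with distance 20 is still more specific than the /16 with distance 10, so distance never overrides prefix length; it only decides between the two /24 entries.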


VLAN overview
A VLAN is a group of PCs, servers, and other network devices that communicate as if they
were on the same LAN segment, regardless of their location. For example, the
workstations and servers for an accounting department could be scattered throughout an
office or city and connected to numerous network segments, but still belong to the same
VLAN.
A VLAN segregates devices logically instead of physically. Each VLAN is treated as a
broadcast domain. Devices in VLAN 1 can connect with other devices in VLAN 1, but
cannot connect with devices in other VLANs. The communication among devices on a
VLAN is independent of the physical network.
A VLAN segregates devices by adding 802.1Q VLAN tags to all of the packets sent and
received by the devices in the VLAN. VLAN tags are 4-byte frame extensions that contain
a VLAN identifier as well as other information.
For more information on VLANs, see the FortiGate VLANs and VDOMs Guide.
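The 4-byte tag mentioned above sits between the source MAC and the EtherType: a 2-byte tag protocol identifier (0x8100) followed by 2 bytes holding the priority, the drop-eligible bit and the 12-bit VLAN identifier, of which 0 and 4095 are reserved. The following Python example, added here and not taken from the guide, builds and parses such frames so the layout can be checked byte by byte; the MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def _mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_vlan_frame(dst_mac, src_mac, vlan_id, ethertype, payload, priority=0):
    """Return an Ethernet frame carrying an 802.1Q tag (what a VLAN switch adds)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094; 0 and 4095 are reserved")
    if not 0 <= priority <= 7:
        raise ValueError("priority (PCP) is a 3-bit field")
    tci = (priority << 13) | vlan_id  # PCP:3, DEI:1 (left 0), VID:12
    return (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!HHH", TPID_8021Q, tci, ethertype)
            + payload)


def parse_vlan_frame(frame):
    """Parse an Ethernet frame; returns (dst, src, vlan_id, priority, ethertype, payload).

    vlan_id and priority are None for untagged frames. A tag carrying a
    reserved VLAN ID is rejected rather than silently mapped to a subinterface.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != TPID_8021Q:
        return _mac_to_str(dst), _mac_to_str(src), None, None, etype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_etype = struct.unpack("!HH", frame[14:18])
    priority = tci >> 13
    vid = tci & 0x0FFF
    if vid in (0, 4095):
        raise ValueError(f"reserved VLAN ID {vid} in tag")
    return _mac_to_str(dst), _mac_to_str(src), vid, priority, inner_etype, frame[18:]
```

A FortiGate subinterface only ever sees frames whose VID matches its own; the parser shows where that VID lives and why the two reserved values can never name a subinterface.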

Figure 77: Basic VLAN topology. A router passes untagged packets to and from the Internet
and connects to a VLAN switch that carries VLAN 1 and VLAN 2, each leading to its own
network (VLAN 1 network and VLAN 2 network).

FortiGate units and VLANs


In a typical VLAN configuration, 802.1Q-compliant VLAN layer-2 switches or layer-3
routers or firewalls add VLAN tags to packets. Packets passing between devices in the
same VLAN are normally handled by layer-2 switches but can be handled by layer-3
devices. Packets passing between devices in different VLANs must be handled by a
layer-3 device such as a router, firewall, or layer-3 switch.
Using VLANs, a single FortiGate unit can provide security services and control
connections between multiple security domains. Traffic from each security domain is given
a different VLAN ID. The FortiGate unit can recognize VLAN IDs and apply security
policies to secure network and IPSec VPN traffic between security domains. The
FortiGate unit can also apply policies, protection profiles, and other firewall features for
network and VPN traffic that is allowed to pass between security domains.


VLANs in NAT/Route mode


Operating in NAT/Route mode, the FortiGate unit functions as a layer-3 device to control
the flow of packets between VLANs. The FortiGate unit can also remove VLAN tags from
incoming VLAN packets and forward untagged packets to other networks, such as the
Internet.
FortiGate units in NAT/Route mode can use VLANs for constructing VLAN trunks between
an IEEE 802.1Q-compliant switch (or router) and the FortiGate units. Normally the
FortiGate unit internal interface connects to a VLAN trunk on an internal switch, and the
external interface connects to an upstream Internet router. The FortiGate unit can then
apply different policies for traffic on each VLAN that connects to the internal interface.
When constructing VLAN trunks, you add VLAN subinterfaces that have VLAN IDs that
match the VLAN IDs of packets in the VLAN trunk to the FortiGate internal interface. If the
IDs don’t match, traffic will not be delivered. The FortiGate unit directs packets with VLAN
IDs to subinterfaces with matching VLAN IDs. For example, packets from the sending
system tagged with VLAN ID 101 are delivered to the recipient system’s VLAN ID 101.
You can also define VLAN subinterfaces on all FortiGate interfaces. The FortiGate unit
can add VLAN tags to packets leaving a VLAN subinterface or remove VLAN tags from
incoming packets and add different VLAN tags to outgoing packets.

Rules for VLAN IDs


In NAT/Route mode, two VLAN subinterfaces added to the same physical interface cannot
have the same VLAN ID. However, you can add two or more VLAN subinterfaces with the
same VLAN IDs to different physical interfaces. There is no internal connection or link
between two VLAN subinterfaces with same VLAN ID. Their relationship is the same as
the relationship between any two FortiGate network interfaces.

Rules for VLAN IP addresses


IP addresses of all FortiGate interfaces cannot overlap. That is, the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces and to
VLAN subinterfaces.

Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set allow-interface-subnet-overlap enable to
allow IP address overlap. If you enter this command, multiple VLAN interfaces can have an
IP address that is part of a subnet used by another interface. This command is
recommended for advanced users only.
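The two rules above (no repeated VLAN ID on one physical interface, no overlapping subnets across any interfaces) are easy to violate when a configuration grows by hand. The Python example below checks a planned interface list against them before it is typed into the unit, together with the 1 to 4094 VLAN ID range; it is an added illustration, not a FortiOS feature or code from the guide. The interface list is constructed from the addresses in the NAT/Route figure that follows, with /24 prefix lengths assumed.

```python
import ipaddress
from collections import Counter


def validate_vlan_config(interfaces, allow_subnet_overlap=False):
    """Return a list of rule violations (empty list means the plan is consistent).

    interfaces: dicts with "name", "physical" (parent port, None for a physical
    interface), "vlan_id" (None for a physical interface) and "ip" in CIDR form.
    allow_subnet_overlap mirrors the allow-interface-subnet-overlap setting:
    when True the subnet check is skipped.
    """
    problems = []

    names = Counter(i["name"] for i in interfaces)
    problems += [f"duplicate interface name {n}" for n, c in names.items() if c > 1]

    # Rule: one VLAN ID per physical interface (the same ID on another port is fine).
    per_port = Counter((i["physical"], i["vlan_id"])
                       for i in interfaces if i.get("vlan_id") is not None)
    for (port, vid), count in per_port.items():
        if count > 1:
            problems.append(f"VLAN ID {vid} is used {count} times on {port}")

    # Rule: VLAN IDs 0 and 4095 are reserved.
    for i in interfaces:
        vid = i.get("vlan_id")
        if vid is not None and not 1 <= vid <= 4094:
            problems.append(f"{i['name']}: VLAN ID {vid} outside 1-4094")

    # Rule: every interface, physical or VLAN, must sit on its own subnet.
    if not allow_subnet_overlap:
        nets = [(i["name"], ipaddress.ip_interface(i["ip"]).network) for i in interfaces]
        for a in range(len(nets)):
            for b in range(a + 1, len(nets)):
                if nets[a][1].overlaps(nets[b][1]):
                    problems.append(f"{nets[a][0]} ({nets[a][1]}) overlaps "
                                    f"{nets[b][0]} ({nets[b][1]})")
    return problems


# Constructed plan: external and internal ports plus two VLAN subinterfaces
# on the internal trunk (prefix lengths assumed for the example).
PLAN = [
    {"name": "external", "physical": None, "vlan_id": None, "ip": "172.16.21.2/24"},
    {"name": "internal", "physical": None, "vlan_id": None, "ip": "192.168.110.126/24"},
    {"name": "VLAN_100", "physical": "internal", "vlan_id": 100, "ip": "10.1.1.1/24"},
    {"name": "VLAN_200", "physical": "internal", "vlan_id": 200, "ip": "10.1.2.1/24"},
]

# A second subinterface that reuses VLAN ID 100 on the same port and carves a
# /25 out of VLAN_100's subnet: it breaks both rules at once.
BAD_PLAN = PLAN + [
    {"name": "VLAN_dup", "physical": "internal", "vlan_id": 100, "ip": "10.1.1.129/25"},
]
```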

Figure 66 shows a simplified NAT/Route mode VLAN configuration. In this configuration,
the FortiGate internal interface connects to a VLAN switch using an 802.1Q trunk and is
configured with two VLAN subinterfaces (VLAN 100 and VLAN 200). The external
interface connects to the Internet. The external interface is not configured with VLAN
subinterfaces.
When the VLAN switch receives packets from VLAN 100 and VLAN 200, it applies VLAN
tags and forwards the packets to local ports and across the trunk to the FortiGate unit. The
FortiGate unit is configured with policies that allow traffic to flow between VLANs and from
the VLANs to the external network.


Figure 78: FortiGate unit in NAT/Route mode. The external interface (172.16.21.2) passes
untagged packets to and from the Internet. The internal interface (192.168.110.126)
connects over an 802.1Q trunk to port Fa 0/24 of a VLAN switch; switch port Fa 0/3 carries
VLAN 100 (VLAN 100 network, 10.1.1.0) and port Fa 0/9 carries VLAN 200 (VLAN 200
network, 10.1.2.0).

Adding VLAN subinterfaces


The VLAN ID of each VLAN subinterface must match the VLAN ID added by the IEEE
802.1Q-compliant router. The VLAN ID can be any number between 1 and 4094, as 0 and
4095 are reserved. Each VLAN subinterface must also be configured with its own IP
address and netmask.
You add VLAN subinterfaces to the physical interface that receives VLAN-tagged packets.

Note: A VLAN must not have the same name as a virtual domain or zone.

To add a VLAN subinterface in NAT/Route mode


1 Go to System > Network > Interface.
2 Select Create New.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN
subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
6 If you are an administrator with a super-admin profile, you can create VLAN
subinterfaces for any virtual domain. If not, you can only create VLAN subinterfaces in
your own VDOM.
See “Using virtual domains” on page 103 for information about virtual domains.
7 Configure the VLAN subinterface settings.
See “Interface settings” on page 123.


8 Select OK.
The FortiGate unit adds the new VLAN subinterface to the interface that you selected
in step 4.

To add firewall policies for a VLAN subinterface


After you add a VLAN subinterface you can add firewall policies for connections between
a VLAN subinterface or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP
addresses of VLAN packets.
See “About firewall addresses” on page 339.
3 Go to Firewall > Policy.
4 Configure firewall policies as required.

VLANs in Transparent mode


In Transparent mode, the FortiGate unit can apply firewall policies and services, such as
authentication, protection profiles, and other firewall features, to traffic on an IEEE 802.1Q
VLAN trunk. You can insert the FortiGate unit into the trunk without making changes to the
network. In a typical configuration, the FortiGate internal interface accepts VLAN packets
on a VLAN trunk from a VLAN switch or router connected to internal VLANs. The
FortiGate external interface forwards tagged packets through the trunk to an external
VLAN switch or router that can be connected to the Internet. The FortiGate unit can be
configured to apply different policies for traffic on each VLAN in the trunk.
For VLAN traffic to be able to pass between the FortiGate internal and external interface
you add a VLAN subinterface to the internal interface and another VLAN subinterface to
the external interface. If these VLAN subinterfaces have the same VLAN IDs, the
FortiGate unit applies firewall policies to the traffic on this VLAN. If these VLAN
subinterfaces have different VLAN IDs, or if you add more than two VLAN subinterfaces,
you can also use firewall policies to control connections between VLANs.
If the network uses IEEE 802.1Q VLAN tags to segment your network traffic, you can
configure a FortiGate unit to provide security for network traffic passing between different
VLANs. To support VLAN traffic in Transparent mode, you add virtual domains to the
FortiGate unit configuration. A virtual domain consists of two or more VLAN subinterfaces
or zones. In a virtual domain, a zone can contain one or more VLAN subinterfaces.
When the FortiGate unit receives a VLAN tagged packet at an interface, the packet is
directed to the VLAN subinterface with the matching VLAN ID. The VLAN subinterface
removes the VLAN tag and assigns a destination interface to the packet based on its
destination MAC address. The firewall policies for the source and destination VLAN
subinterface pair are applied to the packet. If the packet is accepted by the firewall, the
FortiGate unit forwards the packet to the destination VLAN subinterface. The destination
VLAN ID is added to the packet by the FortiGate unit and the packet is sent to the VLAN
trunk.

Note: There is a maximum of 255 interfaces total allowed per VDOM in Transparent mode.
This includes VLANs. If no other interfaces are configured for a VDOM, you can configure
up to 255 VLANs in that VDOM.

Figure 79 shows a FortiGate unit operating in Transparent mode with 2 virtual domains
and configured with three VLAN subinterfaces.


Figure 79: FortiGate unit with two virtual domains in Transparent mode. The root virtual
domain carries VLAN1 and a new virtual domain carries VLAN2 and VLAN3. Each VLAN
enters from a VLAN switch or router on the internal side over a VLAN trunk, passes through
its virtual domain, and leaves over a VLAN trunk to a VLAN switch or router on the external
side, which connects to the Internet.

Figure 80 shows a FortiGate unit operating in Transparent mode and configured with
three VLAN subinterfaces. In this configuration, the FortiGate unit would provide virus
scanning, web content filtering, and other services to each VLAN.

Figure 80: FortiGate unit in Transparent mode. A router exchanges untagged packets with
the Internet and connects to a VLAN switch. A VLAN trunk carrying VLAN 1, VLAN 2 and
VLAN 3 runs from that switch through the FortiGate unit in Transparent mode to a second
VLAN switch, which connects the VLAN 1, VLAN 2 and VLAN 3 networks.


Rules for VLAN IDs


In Transparent mode, two VLAN subinterfaces added to the same physical interface
cannot have the same VLAN ID. However, you can add two or more VLAN subinterfaces
with the same VLAN IDs to different physical interfaces. There is no internal connection or
link between two VLAN subinterfaces with the same VLAN ID. Their relationship is the
same as the relationship between any two FortiGate network interfaces.

Note: There is a maximum of 255 VLANs allowed per interface in Transparent mode.

Transparent mode virtual domains and VLANs


VLAN subinterfaces are added to and associated with virtual domains. By default the
FortiGate configuration includes one virtual domain, named root, and you can add as
many VLAN subinterfaces as you require to this virtual domain.
You can add more virtual domains if you want to separate groups of VLAN subinterfaces
into virtual domains. For information on adding and configuring virtual domains, see
“Using virtual domains” on page 103.

Adding a VLAN subinterface in Transparent mode

Note: A VLAN must not have the same name as a virtual domain or zone.

To add a VLAN subinterface


1 Go to System > Network > Interface.
2 Select Create New.
3 Enter a Name to identify the VLAN subinterface.
4 Select the physical interface that receives the VLAN packets intended for this VLAN
subinterface.
5 Enter the VLAN ID that matches the VLAN ID of the packets to be received by this
VLAN subinterface.
6 Select which virtual domain to add this VLAN subinterface to.
See “Using virtual domains” on page 103 for information about virtual domains.
7 Configure the administrative access, and log settings.
See “Interface settings” on page 123 for more descriptions of these settings.
8 Select OK.
The FortiGate unit adds the new subinterface to the interface that you selected in
step 4.
9 Select Bring up to activate the VLAN subinterface.


To add firewall policies for a VLAN subinterface


After you add a VLAN subinterface, you can add firewall policies for connections between
VLAN subinterfaces or from a VLAN subinterface to a physical interface.
1 Go to Firewall > Address.
2 Select Create New to add firewall addresses that match the source and destination IP
addresses of VLAN packets.
See “About firewall addresses” on page 339.
3 Go to Firewall > Policy.
4 Add firewall policies as required.

Troubleshooting ARP Issues


Address Resolution Protocol (ARP) traffic is vital to communication on a network and is
enabled on FortiGate interfaces by default. Normally, ARP packets pass through the
FortiGate unit, especially when it sits between a client and a server or between a client
and a router.

Duplicate ARP packets


ARP traffic can cause problems. For example, duplicate ARP packets can make the
recipient device think the packets originated from two different devices, which is generally
a sign of an attempt to hack into the network.
This is true especially in Transparent mode where ARP packets arriving on one interface
are sent to all other interfaces, including VLAN subinterfaces. Some Layer 2 switches
become unstable when they detect the same MAC address originating on more than one
switch interface or from more than one VLAN. This instability can occur if the Layer 2
switch does not maintain separate MAC address tables for each VLAN. Unstable switches
may reset causing network traffic to slow down.

ARP Forwarding
One solution to the duplicate ARP packet problem is to enable ARP forwarding.
When ARP forwarding is enabled, the FortiGate unit allows duplicate ARP packets, which
resolves the delivery problems that duplicate ARP packets cause. However, this also
opens up your network to potential hacking attempts that use spoofed packets.
For more secure solutions, see the FortiGate VLANs and VDOMs Guide.
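Whichever option is chosen, it helps to see the two symptoms described above in a trace: one IP address answered by more than one MAC address, and one MAC address appearing on more than one interface or VLAN, which is what destabilizes switches that keep a single MAC table. The Python example below is an added illustration, not a FortiGate feature; it audits a constructed list of observed ARP replies and reports both conditions.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the unit: (interface, sender MAC, sender IP).
SAMPLE_ARP = [
    ("internal", "00:0c:29:aa:bb:01", "10.1.1.10"),
    ("internal", "00:0c:29:aa:bb:01", "10.1.1.10"),   # same claim repeated: harmless
    ("internal", "00:0c:29:aa:bb:02", "10.1.1.11"),
    ("VLAN_100", "00:0c:29:aa:bb:02", "10.1.1.11"),   # same MAC now seen on a second interface
    ("internal", "00:0c:29:dd:ee:ff", "10.1.1.10"),   # 10.1.1.10 claimed by a second MAC
]


def audit_arp(replies):
    """Return findings as (kind, subject, details) tuples.

    "ip-conflict": one IP answered by several MACs (duplicate/conflicting ARP).
    "mac-flap":    one MAC observed on several interfaces or VLANs, the pattern
                   that confuses a Layer 2 switch without per-VLAN MAC tables.
    Plain repeats of the same (MAC, IP) claim are not reported.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ifaces = defaultdict(set)
    for iface, mac, ip in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ifaces[mac].add(iface)

    findings = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            findings.append(("ip-conflict", ip, sorted(macs)))
    for mac, ifaces in sorted(mac_to_ifaces.items()):
        if len(ifaces) > 1:
            findings.append(("mac-flap", mac, sorted(ifaces)))
    return findings
```

An "ip-conflict" finding may be a misconfigured host or a spoofing attempt; a "mac-flap" finding in a Transparent-mode deployment is usually the ARP replication across VLAN subinterfaces that this section describes, and is the case to examine before enabling ARP forwarding.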


System Wireless
This section describes how to configure the Wireless LAN interfaces on FortiWiFi units.
The majority of this section is applicable to all FortiWiFi units. Where indicated, some
features may not be available on the FortiWiFi-60.
If you enable virtual domains (VDOMs) on the FortiGate unit, MAC filters and wireless
monitor are configured separately for each virtual domain. System wireless settings are
configured globally. For details, see “Using virtual domains” on page 103.
This section describes:
• FortiWiFi wireless interfaces
• Channel assignments
• Wireless settings
• Wireless MAC Filter
• Wireless Monitor
• Rogue AP detection

FortiWiFi wireless interfaces


FortiWiFi units (except the FortiWiFi-60) support up to four wireless interfaces and four
different SSIDs. Each wireless interface should have a different SSID and each wireless
interface can have different security settings. For details on adding wireless interfaces,
see “Adding a wireless interface” on page 164.
You can configure the FortiWiFi unit to:
• Provide an access point that clients with wireless network cards can connect to. This is
called Access Point mode, which is the default mode. All FortiWiFi units except the
FortiWiFi-60 can have up to 4 wireless interfaces; or
• Connect the FortiWiFi unit to another wireless network. This is called Client mode. A
FortiWiFi unit operating in Client mode can have only one wireless interface; or
• Monitor access points within radio range. This is called Monitoring mode. You can
designate the detected access points as Accepted or Rogue for tracking purposes. No
access point or client operation is possible in this mode. However, you can enable
monitoring as a background activity while the unit is in Access Point mode.
FortiWiFi units support the following wireless network standards:
• IEEE 802.11a (5-GHz Band) (FortiWiFi-60A and FortiWiFi-60B)
• IEEE 802.11b (2.4-GHz Band)
• IEEE 802.11g (2.4-GHz Band)
• WEP64 and WEP128 Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA), WPA2 and WPA2 Auto using pre-shared keys or
RADIUS servers


Channel assignments
The channels available to you depend on the wireless protocol selected and on the region
of the world you are in. Set the channel for the wireless network by going to
System > Wireless > Settings. For more information see “Wireless settings” on
page 162.
The following tables list the channel assignments for wireless networks for each supported
wireless protocol.
• IEEE 802.11a channel numbers
• IEEE 802.11b channel numbers
• IEEE 802.11g channel numbers

IEEE 802.11a channel numbers


Table 9 lists IEEE 802.11a channels supported for FortiWiFi products that support the
IEEE 802.11a wireless standard. 802.11a is only available on the FortiWiFi-60A and
FortiWiFi-60B units.
All channels are restricted to indoor usage except in the Americas, where both indoor and
outdoor use is permitted on channels 52 through 64 in the United States.
Table 9: IEEE 802.11a (5-GHz Band) channel numbers

Channel number, Frequency (MHz), Regulatory areas: Americas, Europe, Taiwan, Singapore, Japan
34 5170 • •
36 5180 • • •
38 5190 • •
40 5200 • • •
42 5210 • •
44 5220 • • •
46 5230 • •
48 5240 • • •
52 5260 • • •
56 5280 • • •
60 5300 • • •
64 5320 • • •
149 5745
153 5765
157 5785
161 5805

IEEE 802.11b channel numbers


Table 10 lists IEEE 802.11b channels. All FortiWiFi units support 802.11b.
Mexico is included in the Americas regulatory domain. Channels 1 through 8 are for indoor
use only. Channels 9 through 11 can be used indoors and outdoors. You must make sure
that the channel number complies with the regulatory standards of Mexico.


Table 10: IEEE 802.11b (2.4-GHz Band) channel numbers

Channel number, Frequency (MHz), Regulatory areas: Americas, EMEA, Israel, Japan
1 2412 • • •
2 2417 • • •
3 2422 • • •
4 2427 • • • •
5 2432 • • • •
6 2437 • • • •
7 2442 • • • •
8 2447 • • • •
9 2452 • • • •
10 2457 • • • •
11 2462 • • •
12 2467 • •
13 2472 • •
14 2484 •

IEEE 802.11g channel numbers


Table 11 lists IEEE 802.11g channels. All FortiWiFi products support 802.11g.
Table 11: IEEE 802.11g (2.4-GHz Band) channel numbers

Channel number, Frequency (MHz), Regulatory areas: Americas, EMEA, Israel, Japan
(each area has a CCK column and an OFDM column)
1 2412 • • • • • •
2 2417 • • • • • •
3 2422 • • • • • •
4 2427 • • • • • •
5 2432 • • • • • • • •
6 2437 • • • • • • • •
7 2442 • • • • • • • •
8 2447 • • • • • • • •
9 2452 • • • • • •
10 2457 • • • • • •
11 2462 • • • • • •
12 2467 • • • •
13 2472 • • • •
14 2484 •
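The frequency column in the three tables follows a fixed rule (2407 MHz plus 5 MHz per channel in the 2.4-GHz band, with channel 14 at 2484 MHz; 5000 MHz plus 5 MHz per channel in the 5-GHz band), and that rule also explains why 2.4-GHz channels closer than five apart overlap. The Python example below is added here, not part of the guide; it encodes the rule, checks it against the channel and frequency pairs listed above, and tests two channels for overlap using the 22 MHz channel width of 802.11b.

```python
# Channel/frequency pairs copied from Table 9 (802.11a) and Table 10 (802.11b).
TABLE_9 = [(34, 5170), (36, 5180), (38, 5190), (40, 5200), (42, 5210), (44, 5220),
           (46, 5230), (48, 5240), (52, 5260), (56, 5280), (60, 5300), (64, 5320),
           (149, 5745), (153, 5765), (157, 5785), (161, 5805)]
TABLE_10 = [(1, 2412), (2, 2417), (3, 2422), (4, 2427), (5, 2432), (6, 2437),
            (7, 2442), (8, 2447), (9, 2452), (10, 2457), (11, 2462), (12, 2467),
            (13, 2472), (14, 2484)]


def channel_to_mhz(band, channel):
    """Centre frequency in MHz of an IEEE 802.11 channel.

    band: "2.4" for 802.11b/g, "5" for 802.11a. Channels outside the
    numbering used by the tables raise ValueError.
    """
    if band == "2.4":
        if 1 <= channel <= 13:
            return 2407 + 5 * channel
        if channel == 14:
            return 2484  # Japan-only channel, 12 MHz above channel 13
    elif band == "5":
        if channel in range(34, 65, 2) or channel in range(149, 166, 4):
            return 5000 + 5 * channel
    raise ValueError(f"channel {channel} is not defined for the {band} GHz band")


def channels_overlap(a, b, width_mhz=22):
    """True when two 2.4-GHz channels share spectrum (22 MHz wide for 802.11b)."""
    return abs(channel_to_mhz("2.4", a) - channel_to_mhz("2.4", b)) < width_mhz


def rows_disagreeing_with_formula(rows, band):
    """Return the (channel, MHz) rows whose listed frequency differs from the rule."""
    return [(ch, mhz) for ch, mhz in rows if channel_to_mhz(band, ch) != mhz]
```

Channels 1, 6 and 11 are 25 MHz apart and therefore do not overlap, which is why neighbouring access points are usually placed on those three when Auto channel selection is not used.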


Wireless settings
To configure the wireless settings, go to System > Wireless > Settings.
By default the FortiWiFi unit includes one wireless interface, called wlan. If you are
operating your FortiWiFi unit in access point mode, you can add up to three virtual
wireless interfaces. All wireless interfaces use the same wireless parameters. That is, you
configure the wireless settings once, and all wireless interfaces use those settings. For
details on adding more wireless interfaces, see “Adding a wireless interface” on page 164.
When operating the FortiWiFi unit in Client mode, radio settings are not configurable.

Figure 81: FortiWiFi wireless parameters - Access Point mode

Figure 82: FortiWiFi wireless parameters - Client mode

Figure 83: FortiWiFi wireless parameters - Monitoring mode


Operation Mode Select Change to switch operation modes.


Access Point — The FortiWiFi unit acts as an access point for wireless users
to connect to send and receive information over a wireless network. It enables
multiple wireless network users access to the network without the need to
connect to it physically. The FortiWiFi unit can connect to the internal network
and act as a firewall to the Internet.
Client — The FortiWiFi unit is set to receive transmissions from another
access point. This enables you to connect remote users to an existing network
using wireless protocols.
Monitoring — Scan for other access points. These are listed in the Rogue AP
list. See “Rogue AP detection” on page 169.
Note: You cannot switch to Client mode or Monitoring mode if you have added
virtual wireless interfaces. For these modes, there must be only one wireless
interface, wlan.
Radio settings — Access Point mode only
Band Select the wireless frequency band. Be aware what wireless cards or devices
your users have as it may limit their use of the wireless network. For example,
if you configure the FortiWiFi unit for 802.11g and users have 802.11b devices,
they may not be able to use the wireless network.
Geography Select your country or region. This determines which channels are available.
See “Channel assignments” on page 160 for channel information.
Channel Select a channel for your wireless network or select Auto. The channels that
you can select depend on the Geography setting. See “Channel assignments”
on page 160 for channel information.
Tx Power Set the transmitter power level. The higher the number, the larger the area the
FortiWiFi will broadcast. If you want to keep the wireless signal to a small area,
enter a smaller number.
Beacon Interval Set the interval between beacon packets. Access Points broadcast Beacons
or Traffic Indication Messages (TIM) to synchronize wireless networks.
A higher value decreases the number of beacons sent; however, it may delay
some wireless clients from connecting if they miss a beacon packet.
Decreasing the value increases the number of beacons sent. This makes it
quicker to find and connect to the wireless network, but it requires more
overhead, slowing throughput.
Background Perform the Monitoring mode scanning function while the unit is in Access
Rogue AP Scan Point mode. Scanning occurs while the access point is idle. The scan covers
all wireless channels. Background scanning can reduce performance if the
access point is busy. See “Rogue AP detection” on page 169.
Wireless interface list — Access Point and Client modes
Interface The name of the wireless interface. To modify wireless interface settings,
select the interface name. To add more wireless interfaces in Access Point
mode, see “Adding a wireless interface” on page 164.
MAC Address The MAC address of the Wireless interface.
SSID The wireless service set identifier (SSID) or network name for the wireless
interface. To communicate, an Access Point and its clients must use the same
SSID.
SSID Broadcast Green checkmark icon indicates that the wireless interface broadcasts its
SSID. Broadcasting the SSID makes it possible for clients to connect to your
wireless network without first knowing the SSID.
This column is visible only in Access Point mode.
Security Mode The wireless interface security mode: WEP64, WEP128, WPA, WPA2,
WPA2 Auto or None.


Adding a wireless interface


You can add up to three virtual wireless interfaces to your access point. These additional
interfaces share the same wireless parameters configured for the WLAN interface for
Band, Geography, Channel, Tx Power, and Beacon Interval. Ensure each wireless
interface has a unique SSID.

Note: You cannot add additional wireless interfaces when the FortiWiFi unit is in Client
mode or Monitoring mode.

To add a wireless interface


1 Go to System > Network > Interface.
2 Select Create New.
3 Complete the following:

Name Enter a name for the wireless interface. The name cannot be the same
as an existing interface, zone or VDOM.
Type Select Wireless.
Address Mode The wireless interface can only be set as a manual address. Enter a
valid IP address and netmask.
If the FortiWiFi is running in Transparent mode, this field does not
appear. The interface will be on the same subnet as the other interfaces.
Administrative Set the administrative access for the interface.
Access

4 In the Wireless Settings section, complete the following and select OK:

Figure 84: Wireless interface settings (WEP)

Figure 85: Wireless interface settings (WPA)


SSID Enter the wireless service set identifier (SSID) or network name for this
wireless interface. Users who want to use the wireless network must configure
their computers with this network name.
SSID Broadcast Select to broadcast the SSID. Broadcasting the SSID enables clients to
connect to your wireless network without first knowing the SSID. For better
security, do not broadcast the SSID. If the interface is not broadcast, there is
less chance of an unwanted user connecting to your wireless network. If you
choose not to broadcast the SSID, you need to inform users of the SSID so
they can configure their wireless devices.
Security mode Select the security mode for the wireless interface. Wireless users must use
the same security mode to be able to connect to this wireless interface.
None — has no security. Any wireless user can connect to the wireless
network.
WEP64 — 64-bit wired equivalent privacy (WEP). To use WEP64 you must
enter a Key containing 10 hexadecimal digits (0-9 a-f) and inform wireless
users of the key.
WEP128 — 128-bit WEP. To use WEP128 you must enter a Key containing 26
hexadecimal digits (0-9 a-f) and inform wireless users of the key.
WPA — Wi-Fi protected access (WPA) security. To use WPA you must select
a data encryption method. You must also enter a pre-shared key containing at
least eight characters or select a RADIUS server. If you select a RADIUS
server the wireless clients must have accounts on the RADIUS server.
WPA2 — WPA with more security features. To use WPA2 you must select a
data encryption method and enter a pre-shared key containing at least eight
characters or select a RADIUS server. If you select a RADIUS server the
wireless clients must have accounts on the RADIUS server.
WPA2 Auto — the same security features as WPA2, but also accepts wireless
clients using WPA security. To use WPA2 Auto you must select a data
encryption method. You must also enter a pre-shared key containing at least 8
characters or select a RADIUS server. If you select a RADIUS server the
wireless clients must have accounts on the RADIUS server.
Key Enter the security key. This field appears when selecting WEP64 or WEP128
security.
Data Encryption Select a data encryption method to be used by WPA, WPA2, or WPA2 Auto.
Select TKIP to use the Temporal Key Integrity Protocol (TKIP). Select AES to
use Advanced Encryption Standard (AES) encryption. AES is considered
more secure than TKIP. Some implementations of WPA may not support AES.
Pre-shared Key Enter the pre-shared key. This field appears when selecting WPA, WPA2, or
WPA2 Auto security.
RADIUS Server Select to use a RADIUS server when selecting WPA or WPA2 security. You
can use WPA or WPA2 Radius security to integrate your wireless network
configuration with a RADIUS or Windows AD server. Select a RADIUS server
name from the list. You must configure the Radius server by going to User >
RADIUS. For more information, see “RADIUS” on page 543.
RTS Threshold Set the Request to Send (RTS) threshold.
The RTS threshold is the maximum size, in bytes, of a packet that the
FortiWiFi will accept without sending RTS/CTS packets to the sending
wireless device. In some cases, larger packets being sent may cause
collisions, slowing data transmissions. By changing this value from the default
of 2346, you can configure the FortiWiFi unit to, in effect, have the sending
wireless device ask for clearance before sending larger transmissions. There
can still be risk of smaller packet collisions, however this is less likely.
A setting of 2346 bytes effectively disables this option.
Fragmentation Threshold Set the maximum size of a data packet before it is broken into smaller
packets, reducing the chance of packet collisions. If the packet is larger than
the threshold, the FortiWiFi unit will fragment the transmission. If the packet
size is less than the threshold, the FortiWiFi unit will not fragment the
transmission.
A setting of 2346 bytes effectively disables this option.

FortiGate Version 4.0 Administration Guide


01-400-89802-20090219 165
http://docs.fortinet.com/ • Feedback

Wireless MAC Filter


To improve the security of your wireless network, you can enable MAC address filtering on
the FortiWiFi unit. By enabling MAC address filtering, you define the wireless devices that
can access the network based on their system MAC address. When a user attempts to
access the wireless network, the FortiWiFi unit checks the MAC address of the user against
the list you created. If the MAC address is on the approved list, the user gains access to the
network. If the MAC address is not in the list, the user is rejected.
Alternatively, you can create a deny list. Similar to the allow list, you can configure the
wireless interface to allow all connections except those in the MAC address list.
Using MAC address filtering makes it more difficult for a hacker using random MAC
addresses or spoofing a MAC address to gain access to your network. Note you can
configure one list per WLAN interface.
To allow or deny wireless access to wireless clients based on the MAC address of the
client wireless cards, go to System > Wireless > MAC Filter.

Managing the MAC Filter list


The MAC Filter list enables you to view the MAC addresses you have added to a wireless
interface and their status; either allow or deny. It also enables you to edit and manage
MAC Filter lists.

Figure 86: Wireless MAC filter list

Interface The name of the wireless interface.
MAC address The list of MAC addresses in the MAC filter list for the wireless interface.
List Access Allow or deny access to the listed MAC addresses for the wireless interface.
Enable Select to enable MAC filtering for the wireless interface.
Edit icon Edit the MAC address list for an interface.

To edit a MAC filter list


1 Go to System > Wireless > MAC Filter.
2 Select Edit for the wireless interface.


Figure 87: Wireless interface MAC filter

3 Complete the following and select OK:

List Access Select to allow or deny the addresses in the MAC Address list from
accessing the wireless network.
MAC Address Enter the MAC address to add to the list.
Add Add the entered MAC address to the list.
Remove Select one or more MAC addresses in the list and select Remove to
delete the MAC addresses from the list.

Wireless Monitor
Go to System > Wireless > Monitor to view information about your wireless network. In
Access Point mode, you can see who is connected to your wireless LAN. In Client mode,
you can see which access points are within radio range.

Figure 88: Wireless monitor - AP mode


Figure 89: Wireless monitor - Client mode

Statistics Statistical information about wireless performance for each
wireless interface.
AP Name / Name The name of the wireless interface.
Frequency The frequency that the wireless interface is operating with.
Should be around 5 GHz for 802.11a interfaces and around 2.4 GHz
for 802.11b and 802.11g networks.
Signal Strength (dBm) The strength of the signal from the client.
Noise (dBm) The received noise level.
S/N (dB) The signal-to-noise ratio in decibels calculated from signal
strength and noise level.
Rx (KBytes) The amount of data in kilobytes received this session.
Tx (KBytes) The amount of data in kilobytes sent this session.
Clients list (AP mode) Real-time details about the client wireless devices that can
reach this FortiWiFi unit access point. Only devices on the
same radio band are listed.
MAC Address The MAC address of the connected wireless client.
IP Address The IP address assigned to the connected wireless client.
AP Name The name of the wireless interface that the client is connected
to.
Neighbor AP list (Client mode) Real-time details about the access points that the client can
receive.
MAC Address The MAC address of the connected wireless client.
SSID The wireless service set identifier (SSID) that this access point
broadcasts.
Channel The wireless radio channel that the access point uses.
Rate (M) The data rate of the access point in Mbits/s.
RSSI The received signal strength indication, a relative value
between 0 (minimum) and 255 (maximum).


Rogue AP detection
Rogue Access Point Detection scans for wireless access points in Monitoring mode. You
can also enable scanning in the background while the unit is in Access Point mode.

To enable the monitoring mode


1 Go to System > Wireless > Settings.
2 Select Change beside the current operation mode.
3 Select Monitoring and then select OK.
4 Select OK to confirm the mode change.
5 Select Apply.

To enable background scanning


1 While in Access Point mode, go to System > Wireless > Settings.
2 Enable Background Rogue AP Scan and then select Apply.

Viewing wireless access points


Go to System > Wireless > Rogue AP to view detected access points. This is available in
Monitoring mode, or in Access Point mode with Background Rogue AP Scan enabled.
Access points are listed in the Unknown Access Points list until you mark them as either
Accepted or Rogue access points. This designation helps you to track access points. It
does not affect anyone’s ability to use these access points.

Figure 90: Rogue Access Point list

Refresh Interval Set time between information updates. none means no updates.
Refresh Updates displayed information now.
Inactive Access Points Select which inactive access points to show: all, none, those detected
less than one hour ago, or those detected less than one day ago.
Online A green checkmark indicates an active access point. A grey X indicates
that the access point is inactive.
SSID The wireless service set identifier (SSID) or network name for the
wireless interface.
MAC Address The MAC address of the Wireless interface.
Signal Strength /Noise The signal strength and noise level.


Channel The wireless radio channel that the access point uses.
Rate The data rate of the access point.
First Seen The date and time when the FortiWiFi unit first detected the access point.
Last Seen The date and time when the FortiWiFi unit last detected the access point.
Mark as ‘Accepted AP’ Select the icon to move this entry to the Accepted Access Points list.
Mark as ‘Rogue AP’ Select the icon to move this entry to the Rogue Access Points list.
Forget AP Return item to Unknown Access Points list from Accepted Access Points
list or Rogue Access Points list.
You can also enter information about accepted and rogue APs in the CLI without having to
detect them first. See the system wireless ap-status command in the FortiGate
CLI Reference.


System DHCP
This section describes how to use DHCP to provide convenient automatic network
configuration for your clients.
DHCP is not available in Transparent mode. DHCP requests are passed through the
FortiGate unit when it is in Transparent mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, DHCP is configured
separately for each virtual domain. For details, see “Using virtual domains” on page 103.
This section describes:
• FortiGate DHCP servers and relays
• Configuring DHCP services
• Viewing address leases

FortiGate DHCP servers and relays


The DHCP protocol enables hosts to automatically obtain an IP address from a DHCP
server. Optionally, they can also obtain default gateway and DNS server settings. A
FortiGate interface or VLAN subinterface can provide the following DHCP services:
• Basic DHCP servers for non-IPSec IP networks
• IPSec DHCP servers for IPSec (VPN) connections
• DHCP relay for regular Ethernet or IPSec (VPN) connections
An interface cannot provide both a server and a relay for connections of the same type
(regular or IPSec).

Note: You can configure a Regular DHCP server on an interface only if the interface has a
static IP address. You can configure an IPSec DHCP server on an interface that has either
a static or a dynamic IP address.

You can configure one or more DHCP servers on any FortiGate interface. A DHCP server
dynamically assigns IP addresses to hosts on the network connected to the interface. The
host computers must be configured to obtain their IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP server
for each network. The IP range of each DHCP server must match the network address
range. The routers must be configured for DHCP relay.
To configure a DHCP server, see “Configuring a DHCP server” on page 173.
You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP
requests from DHCP clients to an external DHCP server and returns the responses to the
DHCP clients. The DHCP server must have appropriate routing so that its response
packets to the DHCP clients arrive at the FortiGate unit.
To configure a DHCP relay see “Configuring an interface as a DHCP relay agent” on
page 173.
DHCP services can also be configured through the Command Line Interface (CLI). See
the FortiGate CLI Reference for more information.


Configuring DHCP services


Go to System > DHCP > Service to configure DHCP services. On each FortiGate
interface, you can configure a DHCP relay or add DHCP servers as needed.
On FortiGate 50 and 60 series units, a DHCP server is configured, by default, on the
Internal interface, as follows:

IP Range 192.168.1.110 to 192.168.1.210
Netmask 255.255.255.0
Default gateway 192.168.1.99
Lease time 7 days
DNS Server 1 192.168.1.99

You can disable or change this default DHCP Server configuration.

Note: You cannot configure DHCP in Transparent mode. In Transparent mode DHCP
requests pass through the FortiGate unit.

Note: An interface must have a static IP before you configure a DHCP server on it.

These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to change the
DHCP server settings to match.

Figure 91: DHCP service list - FortiGate-200A shown

Interface List of FortiGate interfaces. Expand each listed interface to view the Relay and
Servers.
Server Name/Relay IP Name of FortiGate DHCP server or IP address of DHCP server accessed by
relay.
Type Type of DHCP relay or server: Regular or IPSec.
Enable Green check mark icon indicates that server or relay is enabled.
Add DHCP Server icon Select to configure and add a DHCP server for this interface.
Edit icon Select to edit the DHCP relay or server configuration.
Delete icon Select to delete the DHCP server.


Configuring an interface as a DHCP relay agent


Go to System > DHCP > Service and select an edit icon to view or modify the DHCP relay
configuration for an interface.

Figure 92: Edit DHCP relay settings for an interface

Interface Name The name of the interface.
DHCP Relay Agent Select to enable the DHCP relay agent on this interface.
Type Select the type of DHCP service required as either Regular or IPSEC.
DHCP Server IP Enter the IP address of the DHCP server that will answer DHCP requests from
computers on the network connected to the interface.

Configuring a DHCP server


The System > DHCP > Service screen gives you access to existing DHCP servers. It is
also where you configure new DHCP servers.

To Configure a DHCP server


1 Go to System > DHCP > Service.
2 Select blue arrow for the interface.
3 Select the Add DHCP Server icon to create a new DHCP server, or select the Edit icon
beside an existing DHCP server to change its settings.
4 Configure the DHCP server.
5 Select OK.


Figure 93: DHCP Server options

Name Enter a name for the DHCP server.
Enable Enable the DHCP server.
Type Select Regular or IPSEC DHCP server.
You cannot configure a Regular DHCP server on an interface that has a
dynamic IP address.
IP Range Enter the start and end for the range of IP addresses that this DHCP server
assigns to DHCP clients.
These fields are greyed out when IP Assignment Mode is set to User-group
defined method.
Network Mask Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway Enter the IP address of the default gateway that the DHCP server assigns to
DHCP clients.
Domain Enter the domain that the DHCP server assigns to DHCP clients.
Lease Time Select Unlimited for an unlimited lease time or enter the interval in days,
hours, and minutes after which a DHCP client must ask the DHCP server for
new settings. The lease time can range from 5 minutes to 100 days.
Advanced Select to configure advanced options. The remaining options in this table are
advanced options.
IP Assignment Mode Determines how the IP addresses for DHCP are assigned. Select:
• Server IP Range - The server will assign the IP addresses as specified in
IP Range, and Exclude Ranges.
• User-group defined method - The IP addresses will be assigned via
RADIUS through the group users belong to.
When User-group defined method is selected, the IP Range fields are greyed
out, and the Exclude Ranges table and controls are not visible.


DNS Server 1, DNS Server 2, DNS Server 3 Enter the IP addresses of up to 3 DNS servers that the DHCP server assigns
to DHCP clients.
WINS Server 1, WINS Server 2 Add the IP addresses of one or two WINS servers that the DHCP server
assigns to DHCP clients.
Option 1, Option 2, Option 3 Enter up to three custom DHCP options that can be sent by the DHCP server.
Code is the DHCP option code in the range 1 to 255. Option is an even
number of hexadecimal characters and is not required for some option codes.
For detailed information about DHCP options, see RFC 2132, DHCP Options
and BOOTP Vendor Extensions.
Exclude Ranges
Add Add a range of IP addresses to exclude.
You can add up to 16 exclude ranges of IP addresses that the DHCP server
cannot assign to DHCP clients. No range can exceed 65536 IP addresses.
Starting IP Enter the first IP address of the exclude range.
End IP Enter the last IP address of the exclude range.
Delete icon Delete the exclude range.
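As an added example (not FortiGate code), the following Python checks a DHCP server definition against the limits in the table above (IP range inside the interface network, lease between 5 minutes and 100 days, at most 16 exclude ranges of at most 65536 addresses each, at most three custom options with even-length hexadecimal values) and counts how many addresses remain assignable once exclusions are applied. The DhcpServer class, its field names, and the option 66 sample payload are constructed for illustration and are not the unit's own data model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Limits quoted in the DHCP server options table.
MAX_EXCLUDE_RANGES = 16
MAX_EXCLUDE_SIZE = 65536
MAX_CUSTOM_OPTIONS = 3
MIN_LEASE_SECONDS = 5 * 60              # 5 minutes
MAX_LEASE_SECONDS = 100 * 24 * 60 * 60  # 100 days


@dataclass
class DhcpServer:  # hypothetical stand-in for the web-based manager's DHCP server form
    name: str
    ip_range: Tuple[str, str]
    netmask: str
    default_gateway: str
    lease_seconds: Optional[int] = None  # None means Unlimited
    exclude_ranges: List[Tuple[str, str]] = field(default_factory=list)
    options: List[Tuple[int, str]] = field(default_factory=list)  # (code, hex value)


def encode_option(raw: bytes) -> str:
    """Render an option payload as the even-length hex string the Option field expects."""
    return raw.hex()


def check_custom_option(code: int, value: str) -> List[str]:
    """Problems with one custom option; an empty list means it is acceptable."""
    errors = []
    if not 1 <= code <= 255:
        errors.append(f"option code {code} outside 1-255")
    if len(value) % 2:
        errors.append(f"option {code}: value must be an even number of hex characters")
    try:
        bytes.fromhex(value)
    except ValueError:
        errors.append(f"option {code}: value is not hexadecimal")
    return errors


def _span(first: str, last: str) -> Tuple[int, int]:
    """Inclusive IPv4 range as integers, rejecting a reversed pair."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi


def validate_server(cfg: DhcpServer) -> List[str]:
    """Collect every rule violation; an empty list means the definition is consistent."""
    errors = []
    network = ipaddress.IPv4Network(f"{cfg.default_gateway}/{cfg.netmask}", strict=False)
    try:
        start, end = _span(*cfg.ip_range)
        if not (int(network[0]) <= start and end <= int(network[-1])):
            errors.append(f"IP range {cfg.ip_range[0]}-{cfg.ip_range[1]} is outside {network}")
    except ValueError as exc:
        errors.append(str(exc))
    if cfg.lease_seconds is not None and not MIN_LEASE_SECONDS <= cfg.lease_seconds <= MAX_LEASE_SECONDS:
        errors.append("lease time must be between 5 minutes and 100 days")
    if len(cfg.exclude_ranges) > MAX_EXCLUDE_RANGES:
        errors.append(f"more than {MAX_EXCLUDE_RANGES} exclude ranges")
    for first, last in cfg.exclude_ranges:
        try:
            lo, hi = _span(first, last)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if hi - lo + 1 > MAX_EXCLUDE_SIZE:
            errors.append(f"exclude range {first}-{last} exceeds {MAX_EXCLUDE_SIZE} addresses")
    if len(cfg.options) > MAX_CUSTOM_OPTIONS:
        errors.append(f"more than {MAX_CUSTOM_OPTIONS} custom options")
    for code, value in cfg.options:
        errors.extend(check_custom_option(code, value))
    return errors


def assignable_addresses(cfg: DhcpServer) -> int:
    """Addresses the server can hand out: the IP range minus excluded addresses, each counted once."""
    start, end = _span(*cfg.ip_range)
    removed, reach = 0, start - 1  # reach: highest address already counted as excluded
    for lo, hi in sorted(_span(first, last) for first, last in cfg.exclude_ranges):
        lo, hi = max(lo, start, reach + 1), min(hi, end)  # clip to the range and skip overlap
        if lo <= hi:
            removed += hi - lo + 1
            reach = hi
    return end - start + 1 - removed


# Constructed sample: the guide's default Internal-interface server plus one exclusion
# and a custom option 66 (TFTP server name) payload.
DEFAULT_INTERNAL = DhcpServer(
    name="internal_dhcp",
    ip_range=("192.168.1.110", "192.168.1.210"),
    netmask="255.255.255.0",
    default_gateway="192.168.1.99",
    lease_seconds=7 * 24 * 60 * 60,
    exclude_ranges=[("192.168.1.150", "192.168.1.159")],
    options=[(66, encode_option(b"tftp.example.com"))],
)
```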

Viewing address leases


Go to System > DHCP > Address Leases to view the IP addresses that the DHCP servers
have assigned and the corresponding client MAC addresses.

Figure 94: Address leases list

Interface Select interface for which to list leases.
Refresh Select Refresh to update Address leases list.
IP The assigned IP address.
MAC The MAC address of the device to which the IP address is assigned.
Expire Expiry date and time of the DHCP lease.

Reserving IP addresses for specific clients


You can reserve an IP address for a specific client identified by the client device MAC
address and the connection type, regular Ethernet or IPSec. The DHCP server always
assigns the reserved address to that client. You can assign up to 200 IP addresses as
reserved. For more information see the FortiGate Maximum Values for FortiOS 3.0 article
on the Fortinet Knowledge Center.
Use the CLI config system dhcp reserved-address command. For more
information, see the FortiGate CLI Reference.


System Config
This section describes the configuration of several non-network features, such as HA,
SNMP, custom replacement messages, and Operation mode.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA, SNMP, and replacement
messages are configured globally for the entire FortiGate unit. Changing operation mode
is configured for each individual VDOM. For details, see “Using virtual domains” on
page 103.
This section describes:
• HA
• SNMP
• Replacement messages
• Operation mode and VDOM management access

HA
FortiGate high availability (HA) provides a solution for two key requirements of critical
enterprise networking components: enhanced reliability and increased performance. This
section contains a brief description of HA web-based manager configuration options, the
HA cluster members list, HA statistics, and disconnecting cluster members.
If you enable virtual domains (VDOMs) on the FortiGate unit, HA is configured globally for
the entire FortiGate unit. For details, see “Using virtual domains” on page 103.
For complete information about how to configure and operate FortiGate HA clusters see
the FortiGate HA Overview, the FortiGate HA Guide, and the Fortinet Knowledge Center.
HA is not available on FortiGate models 50A and 50AM. HA is available on all other
FortiGate models, including the FortiGate-50B.
The following topics are included in this section:
• HA options
• Cluster members list
• Viewing HA statistics
• Changing subordinate unit host name and device priority
• Disconnecting a cluster unit from a cluster

HA options
Configure HA options so that a FortiGate unit can join a cluster or to change the
configuration of an operating cluster or cluster member.
To configure HA options so that a FortiGate unit can join an HA cluster, go to System >
Config > HA.


Note: FortiGate HA is not compatible with PPP protocols such as PPPoE. FortiGate HA is
also not compatible with DHCP. If one or more FortiGate unit interfaces is dynamically
configured using DHCP or PPPoE you cannot switch to operate in HA mode. Also, you
cannot switch to operate in HA mode if one or more FortiGate unit interfaces is configured
as a PPTP or L2TP client or if the FortiGate unit is configured for standalone session
synchronization.

If HA is already enabled, go to System > Config > HA to display the cluster members list.
Select Edit for the FortiGate unit with Role of master (also called the primary unit). When
you edit the HA configuration of the primary unit, all changes are synchronized to the other
cluster units.

Figure 95: FortiGate-3810A unit HA configuration

You can configure HA options for a FortiGate unit with virtual domains (VDOMs) enabled
by logging into the web-based manager as the global admin administrator and then going
to System > Config > HA.

Note: If your FortiGate cluster uses virtual domains, you are configuring HA virtual
clustering. Most virtual cluster HA options are the same as normal HA options. However,
virtual clusters include VDOM partitioning options. Other differences between configuration
options for regular HA and for virtual clustering HA are described below and in the
FortiGate HA Overview and the FortiGate HA Guide.


Figure 96: FortiGate-5001SX HA virtual cluster configuration

Mode Select an HA mode for the cluster or return the FortiGate units in the cluster to
standalone mode. When configuring a cluster, you must set all members of the
HA cluster to the same HA mode. You can select Standalone (to disable HA),
Active-Passive, or Active-Active. If virtual domains are enabled you can select
Active-Passive or Standalone.
Device Priority Optionally set the device priority of the cluster unit. Each cluster unit can have a
different device priority. During HA negotiation, the unit with the highest device
priority usually becomes the primary unit.
In a virtual cluster configuration, each cluster unit can have two device priorities,
one for each virtual cluster. During HA negotiation, the unit with the highest
device priority in a virtual cluster becomes the primary unit for that virtual cluster.
Changes to the device priority are not synchronized. You can accept the default
device priority when first configuring a cluster. When the cluster is operating you
can change the device priority for different cluster units as required.
Group Name Enter a name to identify the cluster. The maximum length of the group name is 32
characters. The group name must be the same for all cluster units before the
cluster units can form a cluster. After a cluster is operating, you can change the
group name. The group name change is synchronized to all cluster units.
The default group name is FGT-HA. You can accept the default group name
when first configuring a cluster. When the cluster is operating you can change the
group name, if required. Two clusters on the same network cannot have the
same group name.


Password Enter a password to identify the cluster. The maximum password length is 15
characters. The password must be the same for all cluster units before the cluster
units can form a cluster.
The default is no password. You can accept the default password when first
configuring a cluster. When the cluster is operating, you can add a password, if
required. Two clusters on the same network must have different passwords.
Enable Session pickup Select to enable session pickup so that if the primary unit fails, all sessions are
picked up by the cluster unit that becomes the new primary unit.
Session pickup is disabled by default. You can accept the default setting for
session pickup and then choose to enable session pickup after the cluster is
operating.
Port Monitor Select to enable or disable monitoring FortiGate interfaces to verify that the
monitored interfaces are functioning properly and connected to their networks.
If a monitored interface fails or is disconnected from its network, the interface
leaves the cluster and a link failover occurs. The link failover causes the cluster to
reroute the traffic being processed by that interface to the same interface of
another cluster unit that still has a connection to the network. This other cluster
unit becomes the new primary unit.
Port monitoring (also called interface monitoring) is disabled by default. Leave
port monitoring disabled until the cluster is operating and then only enable port
monitoring for connected interfaces.
You can monitor up to 16 interfaces. This limit only applies to FortiGate units with
more than 16 physical interfaces.
Heartbeat Interface Select to enable or disable HA heartbeat communication for each interface in the
cluster and set the heartbeat interface priority. The heartbeat interface with the
highest priority processes all heartbeat traffic. If two or more heartbeat interfaces
have the same priority, the heartbeat interface with the lowest hash map order
value processes all heartbeat traffic. The web-based manager lists interfaces in
alphanumeric order:
• port1
• port2 through 9
• port10
Hash map order sorts interfaces in the following order:
• port1
• port10
• port2 through port9
The default heartbeat interface configuration is different for each FortiGate unit.
This default configuration usually sets the priority of two heartbeat interfaces to
50. You can accept the default heartbeat interface configuration if you connect
one or both of the default heartbeat interfaces together.
The heartbeat interface priority range is 0 to 512. The default priority when you
select a new heartbeat interface is 0.
You must select at least one heartbeat interface. If heartbeat communication is
interrupted, the cluster stops processing traffic. For more information about
configuring heartbeat interfaces, see the FortiGate HA Overview.
You can select up to 8 heartbeat interfaces. This limit only applies to FortiGate
units with more than 8 physical interfaces.
VDOM partitioning If you are configuring virtual clustering, you can set the virtual domains to be in
virtual cluster 1 and the virtual domains to be in virtual cluster 2. The root virtual
domain must always be in virtual cluster 1. For more information about
configuring VDOM partitioning, see the FortiGate HA Overview.
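As an added example (not FortiGate code), this Python applies the heartbeat interface selection rules from the Heartbeat Interface row above: the highest-priority interface carries heartbeat traffic, ties go to the lowest hash map order value, and hash map order is plain string order (port10 before port2), which differs from the alphanumeric order the web-based manager displays. The function names and the sample priorities are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Limits quoted in the Heartbeat Interface row.
MAX_HEARTBEAT_INTERFACES = 8
PRIORITY_MIN, PRIORITY_MAX = 0, 512


def hash_map_order(names: List[str]) -> List[str]:
    """Order interface names the way the hash map does: plain string comparison,
    so port10 sorts between port1 and port2."""
    return sorted(names)


def gui_order(names: List[str]) -> List[str]:
    """Order interface names as the web-based manager lists them: port1, port2 ... port9, port10."""
    def key(name: str):
        # Split digit runs out so they compare numerically: "port10" -> ["port", 10, ""].
        return [int(part) if part.isdigit() else part for part in re.split(r"(\d+)", name)]
    return sorted(names, key=key)


def validate_heartbeat_config(priorities: Dict[str, int]) -> List[str]:
    """Rule violations for a heartbeat interface selection; an empty list means it is acceptable."""
    errors = []
    if not priorities:
        errors.append("at least one heartbeat interface must be selected")
    if len(priorities) > MAX_HEARTBEAT_INTERFACES:
        errors.append(f"more than {MAX_HEARTBEAT_INTERFACES} heartbeat interfaces selected")
    for name, prio in priorities.items():
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            errors.append(f"{name}: priority {prio} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
    return errors


def heartbeat_order(priorities: Dict[str, int]) -> List[str]:
    """All selected interfaces, first the one that processes heartbeat traffic, then each
    successor: highest priority first, equal priorities broken by hash map order."""
    return sorted(priorities, key=lambda name: (-priorities[name], name))


def active_heartbeat_interface(priorities: Dict[str, int]) -> Optional[str]:
    """Interface that processes all heartbeat traffic, or None for an invalid configuration."""
    if validate_heartbeat_config(priorities):
        return None
    return heartbeat_order(priorities)[0]


# Constructed sample: two interfaces share the default priority of 50 and port1 was added
# with the new-interface default of 0. The GUI lists port2 before port10, but the hash map
# order puts port10 first, so port10 carries the heartbeat.
SAMPLE_PRIORITIES = {"port1": 0, "port2": 50, "port10": 50}
```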

Cluster members list


You can display the cluster members list to view the status of an operating cluster and the
status of the FortiGate units in the cluster. The cluster members list shows the FortiGate
units in the cluster and for each FortiGate unit shows interface connections, the cluster
unit and the device priority of the cluster unit. From the cluster members list you can
disconnect a unit from the cluster, edit the HA configuration of primary unit, change the
device priority and host name of subordinate units, and download a debug log for any
cluster unit. You can also view HA statistics for the cluster.


To display the cluster members list, log into an operating cluster and go to System >
Config > HA.

Figure 97: Example FortiGate-5001SX cluster members list


If virtual domains are enabled, you can display the cluster members list to view the status
of the operating virtual clusters. The virtual cluster members list shows the status of both
virtual clusters including the virtual domains added to each virtual cluster.
To display the virtual cluster members list for an operating cluster log in as the global
admin administrator and go to System > Config > HA.

Figure 98: Example FortiGate-5001SX virtual cluster members list



View HA Statistics Displays the serial number, status, and monitor information for each cluster
unit. See “Viewing HA statistics” on page 182.
Up and down arrows Changes the order of cluster members in the list. The operation of the
cluster or of the units in the cluster are not affected. All that changes is the
order of the units on the cluster members list.


Cluster member Illustrations of the front panels of the cluster units. If the network jack for an
interface is shaded green, the interface is connected. Pause the mouse
pointer over each illustration to view the cluster unit host name, serial
number, how long the unit has been operating (up time), and the interfaces
that are configured for port monitoring.
Hostname The host name of the FortiGate unit. The default host name of the
FortiGate unit is the FortiGate unit serial number.
• To change the primary unit host name, go to System > Status and
select Change beside the current host name.
• To change a subordinate unit host name, from the cluster members list
select the Edit icon for a subordinate unit.
Role The status or role of the cluster unit in the cluster.
• Role is MASTER for the primary (or master) unit
• Role is SLAVE for all subordinate (or backup) cluster units
Priority The device priority of the cluster unit. Each cluster unit can have a different
device priority. During HA negotiation, the unit with the highest device
priority becomes the primary unit.
The device priority range is 0 to 255.
Disconnect from cluster Select to disconnect a selected cluster unit from the cluster. See
“Disconnecting a cluster unit from a cluster” on page 184.
Edit Select to change a cluster unit HA configuration.
• For a primary unit, select Edit to change the cluster HA configuration
(including the device priority) of the primary unit.
• For a primary unit in a virtual cluster, select Edit to change the virtual
cluster HA configuration; including the virtual cluster 1 and virtual
cluster 2 device priority of this cluster unit.
• For a subordinate unit, select Edit to change the subordinate unit host
name and device priority. See “Changing subordinate unit host name
and device priority” on page 184.
• For a subordinate unit in a virtual cluster, select Edit to change the
subordinate unit host name and the device priority of the subordinate
unit for the selected virtual cluster. See “Changing subordinate unit host
name and device priority” on page 184.
Download debug log Select to download an encrypted debug log to a file. You can send this
debug log file to Fortinet Technical Support (http://support.fortinet.com) to
help diagnose problems with the cluster or with individual cluster units.

Viewing HA statistics
From the cluster members list, you can select View HA Statistics to display the serial
number, status, and monitor information for each cluster unit. To view HA statistics, go to
System > Config > HA and select View HA Statistics.


Figure 99: Example HA statistics (active-passive cluster)

Refresh every Select to control how often the web-based manager updates the HA
statistics display.
Back to HA monitor Select to close the HA statistics list and return to the cluster members list.
Unit The host name and serial number of the cluster unit.
Status Indicates the status of each cluster unit. A green check mark indicates that
the cluster unit is operating normally. A red X indicates that the cluster unit
cannot communicate with the primary unit.
Up Time The time in days, hours, minutes, and seconds since the cluster unit was last
started.
Monitor Displays system status information for each cluster unit.
CPU Usage The current CPU status of each cluster unit. The web-based manager
displays CPU usage for core processes only. CPU usage for management
processes (for example, for HTTPS connections to the web-based manager)
is excluded.
Memory Usage The current memory status of each cluster unit. The web-based manager
displays memory usage for core processes only. Memory usage for
management processes (for example, for HTTPS connections to the
web-based manager) is excluded.
Active Sessions The number of communications sessions being processed by the cluster
unit.
Total Packets The number of packets that have been processed by the cluster unit since it
last started up.
Virus Detected The number of viruses detected by the cluster unit.
Network Utilization The total network bandwidth being used by all of the cluster unit interfaces.
Total Bytes The number of bytes that have been processed by the cluster unit since it
last started up.
Intrusion Detected The number of intrusions or attacks detected by Intrusion Protection running
on the cluster unit.


Changing subordinate unit host name and device priority

To change the host name and device priority of a subordinate unit in an operating cluster,
go to System > Config > HA to display the cluster members list. Select Edit for any slave
(subordinate) unit in the cluster members list.
To change the host name and device priority of a subordinate unit in an operating cluster
with virtual domains enabled, log in as the global admin administrator and go to System >
Config > HA to display the cluster members list. Select Edit for any slave (subordinate)
unit in the cluster members list.
You can change the host name (Peer) and device priority (Priority) of this subordinate unit.
These changes only affect the configuration of the subordinate unit.

Figure 100: Changing the subordinate unit host name and device priority

Peer View and optionally change the subordinate unit host name.
Priority View and optionally change the subordinate unit device priority.
The device priority is not synchronized among cluster members. In a functioning cluster
you can change device priority to change the priority of any unit in the cluster. The next
time the cluster negotiates, the cluster unit with the highest device priority becomes the
primary unit.
The device priority range is 0 to 255. The default device priority is 128.

Disconnecting a cluster unit from a cluster

You can disconnect a cluster unit if you need to use the disconnected FortiGate unit for
another purpose, such as to act as a standalone firewall. You can go to System > Config >
HA and select a Disconnect from cluster icon to disconnect a cluster unit from a
functioning cluster without disrupting the operation of the cluster.

Figure 101: Disconnect a cluster member

Serial Number Displays the serial number of the cluster unit to be disconnected from the cluster.
Interface Select the interface that you want to configure. You also specify the IP address
and netmask for this interface. When the FortiGate unit is disconnected, all
management access options are enabled for this interface.
IP/Netmask Specify an IP address and netmask for the interface. You can use this IP address
to connect to this interface to configure the disconnected FortiGate unit.


SNMP
Simple Network Management Protocol (SNMP) allows you to monitor hardware on your
network. You can configure the hardware, or FortiGate SNMP agent, to report system
information and send traps (alarms or event messages) to SNMP managers. An SNMP
manager is a computer running an application that can read the incoming traps from the
agent and track the information.
Using an SNMP manager, you can access SNMP traps and data from any FortiGate
interface or VLAN subinterface configured for SNMP management access.

Note: Part of configuring an SNMP manager is to list it as a host in a community on the
FortiGate unit it will be monitoring. Otherwise the SNMP manager will not receive any traps
from that FortiGate unit, or be able to query it.

The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP
managers have read-only access to FortiGate system information and can receive
FortiGate traps. To monitor FortiGate system information and receive FortiGate traps, you
must compile the proprietary Fortinet and FortiGate MIBs as well as Fortinet-supported
standard MIBs into your SNMP manager on your local computer.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like
MIB) and most of RFC 1213 (MIB II). For more information, see “Fortinet MIBs” on
page 188.
RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and
partial support of User-based Security Model (RFC 3414).
SNMP traps alert you to events that happen, such as a log disk being full or a virus
being detected. For more information about SNMP traps, see “Fortinet and FortiGate
traps” on page 189.
SNMP fields contain information about your FortiGate unit. This information is useful to
monitor the condition of the unit, both on an ongoing basis and to provide more
information when a trap occurs. For more information about SNMP fields, see “Fortinet
and FortiGate MIB fields” on page 192.

Configuring SNMP
Go to System > Config > SNMP v1/v2c to configure the SNMP agent.

Figure 102: Configuring SNMP

SNMP Agent Enable the FortiGate SNMP agent.
Description Enter descriptive information about the FortiGate unit. The description can be
up to 35 characters long.


Location Enter the physical location of the FortiGate unit. The system location
description can be up to 35 characters long.
Contact Enter the contact information for the person responsible for this FortiGate unit.
The contact information can be up to 35 characters.
Apply Save changes made to the description, location, and contact information.
Create New Select Create New to add a new SNMP community.
See “Configuring an SNMP community” on page 186.
Communities The list of SNMP communities added to the FortiGate configuration. You can
add up to 3 communities.
Name The name of the SNMP community.
Queries The status of SNMP queries for each SNMP community. The query status can
be enabled or disabled.
Traps The status of SNMP traps for each SNMP community. The trap status can be
enabled or disabled.
Enable Select Enable to activate an SNMP community.
Delete icon Select Delete to remove an SNMP community.
Edit/View icon Select to view or modify an SNMP community.

Configuring an SNMP community

An SNMP community is a grouping of devices for network administration purposes. Within
that SNMP community, devices can communicate by sending and receiving traps and
other information. One device can belong to multiple communities, such as one
administrator terminal monitoring both a firewall SNMP community and a printer SNMP
community.
Add SNMP communities to your FortiGate unit so that SNMP managers can connect to
view system information and receive SNMP traps.

Figure 103: SNMP community options (part 1)

You can add up to three SNMP communities. Each community can have a different
configuration for SNMP queries and traps. Each community can be configured to monitor
the FortiGate unit for a different set of events. You can also add the IP addresses of up to
8 SNMP managers to each community.


Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on
interfaces in the management virtual domain. Traps cannot be sent over other interfaces.

Figure 104: SNMP community options (part 2)

Community Name Enter a name to identify the SNMP community.
Hosts Identify the SNMP managers that can use the settings in this SNMP
community to monitor the FortiGate unit.
IP Address The IP address of an SNMP manager that can use the settings in
this SNMP community to monitor the FortiGate unit. You can also set
the IP address to 0.0.0.0 so that any SNMP manager can use this
SNMP community.
Interface Optionally select the name of the interface that this SNMP manager
uses to connect to the FortiGate unit. You only have to select the
interface if the SNMP manager is not on the same subnet as the
FortiGate unit. This can occur if the SNMP manager is on the
Internet or behind a router.
In virtual domain mode, the interface must belong to the
management VDOM to be able to pass SNMP traps.
Delete Select a Delete icon to remove an SNMP manager.
Add Add a blank line to the Hosts list. You can add up to 8 SNMP
managers to a single community.
Queries Enter the Port number (161 by default) that the SNMP managers in
this community use for SNMP v1 and SNMP v2c queries to receive
configuration information from the FortiGate unit. Select the Enable
check box to activate queries for each SNMP version.


Traps Enter the Local and Remote port numbers (port 162 for each by
default) that the FortiGate unit uses to send SNMP v1 and SNMP
v2c traps to the SNMP managers in this community. Select the
Enable check box to activate traps for each SNMP version.
SNMP Event Enable each SNMP event for which the FortiGate unit should send
traps to the SNMP managers in this community.
“CPU overusage” traps sensitivity is slightly reduced, by spreading
values out over 8 polling cycles. This prevents sharp spikes due to
CPU intensive short-term events such as changing a policy.
“Power Supply Failure” event trap is available only on FortiGate-3810A and
FortiGate-3016B units.
“AMC interfaces enter bypass mode” event trap is available only on
FortiGate models that support AMC modules.

To configure SNMP access (NAT/Route mode)

Before a remote SNMP manager can connect to the FortiGate agent, you must configure
one or more FortiGate interfaces to accept SNMP connections.
1 Go to System > Network > Interface.
2 Choose an interface that an SNMP manager connects to and select Edit.
3 In Administrative Access, select SNMP.
4 Select OK.

To configure SNMP access (Transparent mode)

1 Go to System > Config > Operation Mode.
2 Enter the IP address that you want to use for management access and the netmask in
the Management IP/Netmask field.
3 Select Apply.
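As an added example (not Fortinet code), the following standard-library Python hand-encodes the SNMPv2c GetRequest that a manager in a community sends to the agent on port 161, and decodes both the GetResponse and the v2c traps the agent sends to port 162. The community name "public", the host name "FGT-lab-01" and the sample trap are constructed; the sample trap OID assumes the diagnostic trap (index .999) sits under the system trap OID 1.3.6.1.4.1.12356.1.3.0 listed in the trap tables of this section.

```python
import socket

# MIB-II (RFC 1213) system group: Description, Location and Contact set under System > Config > SNMP are served as sysDescr, sysLocation and sysContact
SYS_DESCR, SYS_UPTIME, SYS_CONTACT, SYS_NAME, SYS_LOCATION = ("1.3.6.1.2.1.1.%d.0" % i for i in (1, 3, 4, 5, 6))
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"     # snmpTrapOID.0, second varbind of every v2c trap
FORTINET_ENTERPRISE = "1.3.6.1.4.1.12356."  # prefix of the trap OIDs in the tables of this section

def _tlv(tag, body):                         # BER tag-length-value, short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def enc_int(v):                              # minimal two's-complement INTEGER
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))
def enc_str(s):                              # OCTET STRING
    return _tlv(0x04, s.encode() if isinstance(s, str) else s)

def enc_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:                   # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def varbind(oid, value=b"\x05\x00"):         # default value is ASN.1 NULL, as in requests
    return _tlv(0x30, enc_oid(oid) + value)

def build_get_request(community, oids, request_id=1):
    # GetRequest-PDU is context tag 0xA0; message version field 1 means SNMPv2c
    pdu = _tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0)
               + _tlv(0x30, b"".join(varbind(o) for o in oids)))
    return _tlv(0x30, enc_int(1) + enc_str(community) + pdu)

def build_trap(community, trap_oid, uptime_ticks, string_varbinds):
    # SNMPv2-Trap-PDU (tag 0xA7): sysUpTime.0, snmpTrapOID.0, then OCTET STRING varbinds
    vbs = [varbind(SYS_UPTIME, _tlv(0x43, uptime_ticks.to_bytes(4, "big"))),
           varbind(SNMP_TRAP_OID, enc_oid(trap_oid))]
    vbs += [varbind(o, enc_str(v)) for o, v in string_varbinds]
    pdu = _tlv(0xA7, enc_int(1) + enc_int(0) + enc_int(0) + _tlv(0x30, b"".join(vbs)))
    return _tlv(0x30, enc_int(1) + enc_str(community) + pdu)

def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def dec_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):      # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x06:
        return dec_oid(body)
    if tag == 0x40:                          # IpAddress
        return ".".join(map(str, body))
    return body.decode(errors="replace") if tag == 0x04 else None  # OCTET STRING / NULL

def parse_message(data):                     # decodes a GetResponse (0xA2) or SNMPv2-Trap (0xA7)
    _, msg, _ = _read_tlv(data, 0)
    _, _, pos = _read_tlv(msg, 0)            # version
    _, comm, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, _, p = _read_tlv(pdu, 0)              # request-id
    _, err, p = _read_tlv(pdu, p)            # error-status
    _, _, p = _read_tlv(pdu, p)              # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, p = {}, 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid, q = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, q)
        varbinds[dec_oid(oid)] = dec_value(vtag, vbody)
    return {"community": comm.decode(errors="replace"), "error": int.from_bytes(err, "big"),
            "pdu": {0xA2: "response", 0xA7: "trap"}.get(pdu_tag, "other"), "varbinds": varbinds}

def is_fortinet_trap(parsed):                # is the trap's snmpTrapOID under the Fortinet subtree?
    oid = parsed["varbinds"].get(SNMP_TRAP_OID, "")
    return parsed["pdu"] == "trap" and oid.startswith(FORTINET_ENTERPRISE)

def snmp_get(host, community, oids, port=161, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oids), (host, port))
        return parse_message(s.recv(65535))["varbinds"]

# Constructed sample: the diagnostic trap (assumed OID: system trap OID + index .999) as a port-162 receiver sees it
SAMPLE_TRAP = build_trap("public", "1.3.6.1.4.1.12356.1.3.0.999", 123456, [(SYS_NAME, "FGT-lab-01")])
```

Call snmp_get("192.0.2.1", "public", [SYS_DESCR, SYS_LOCATION, SYS_CONTACT]) against an interface that has SNMP administrative access enabled (the constructed address and community name stand in for your own). A 0.0.0.0 host entry in the community lets any manager that knows the community name query the agent, so keep SNMP access limited to the interfaces that need it.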

Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC
1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665
(Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit
configuration.
There are two MIB files for FortiGate units: the Fortinet MIB and the FortiGate MIB. The
Fortinet MIB contains traps, fields and information that are common to all Fortinet products.
The FortiGate MIB contains traps, fields and information that are specific to FortiGate units.
The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in
this section. You can obtain these MIB files from Fortinet technical support. To be able to
communicate with the FortiGate SNMP agent, you must compile all of these MIBs into
your SNMP manager.
Your SNMP manager may already include standard and private MIBs in a compiled
database that is ready to use. You must obtain the two Fortinet proprietary MIBs for this
release and compile them into that database.


Table 12: Fortinet MIBs

MIB file name or RFC Description
FORTINET-CORE-MIB.mib The proprietary Fortinet MIB includes all system
configuration information and trap information that is
common to all Fortinet products.
Your SNMP manager requires this information to
monitor FortiGate unit configuration settings and
receive traps from the FortiGate SNMP agent. For more
information, see “Fortinet and FortiGate traps” on
page 189 and “Fortinet and FortiGate MIB fields” on
page 192.
FORTINET-FORTIGATE-MIB.mib The proprietary FortiGate MIB includes all system
configuration information and trap information that is
specific to FortiGate units.
Your SNMP manager requires this information to
monitor FortiGate configuration settings and receive
traps from the FortiGate SNMP agent. FortiManager
systems require this MIB to monitor FortiGate units.
For more information, see “Fortinet and FortiGate
traps” on page 189 and “Fortinet and FortiGate MIB
fields” on page 192.
RFC-1213 (MIB II) The FortiGate SNMP agent supports MIB II groups with
the following exceptions:
• No support for the EGP group from MIB II (RFC
1213, sections 3.11 and 6.10).
• Protocol statistics returned for MIB II groups
(IP/ICMP/TCP/UDP/etc.) do not accurately capture
all FortiGate traffic activity. More accurate
information can be obtained from the information
reported by the Fortinet MIB.
RFC-2665 (Ethernet-like MIB) The FortiGate SNMP agent supports Ethernet-like MIB
information with the following exception: no support
for the dot3Tests and dot3Errors groups.

Fortinet and FortiGate traps

An SNMP manager can request information from the Fortinet device’s SNMP agent, or
that agent can send traps when an event occurs. Traps are a method used to inform the
SNMP manager that something has happened or changed on the Fortinet device.
Traps sent include the trap message as well as the FortiGate unit serial number
(fnSysSerial) and hostname (sysName). FortiManager related traps are only sent if a
FortiManager unit is configured to manage this FortiGate unit.
To receive Fortinet device SNMP traps, you must load and compile the
FORTINET-CORE-MIB into your SNMP manager.
The name of the table indicates if it is found in the Fortinet MIB or the FortiGate MIB. The
Trap Message column includes the message included with the trap as well as the SNMP
MIB field name to help locate the information about the trap.
Table 13: Generic FortiGate traps (OID 1.3.6.1.4.1.12356.1.3.0)

Trap message Description
ColdStart Standard traps as described in RFC 1215.
WarmStart
LinkUp
LinkDown


Table 14: FortiGate system traps (OID 1.3.6.1.4.1.12356.1.3.0)

Trap message Description
CPU usage high CPU usage exceeds 80%. This threshold can be set in the CLI
(fnTrapCpuThreshold) using config system global.
Memory low Memory usage exceeds 90%. This threshold can be set in the CLI
(fnTrapMemThreshold) using config system global.
Log disk too full Log disk usage has exceeded the configured threshold. Only
(fnTrapLogDiskThreshold) available on devices with log disks.
Temperature too high A temperature sensor on the device has exceeded its threshold.
(fnTrapTempHigh) Not all devices have thermal sensors. See manual for
specifications.
Voltage outside acceptable Power levels have fluctuated outside of normal levels. Not all
range devices have voltage monitoring instrumentation.
(fnTrapVoltageOutOfRange)
Power supply failure Power supply failure detected. Not available on all models.
(fnTrapPowerSupplyFailure) Available on some devices which support redundant power
supplies.
Interface IP change The IP address for an interface has changed.
(fnTrapIpChange) The trap message includes the name of the interface, the new IP
address and the serial number of the Fortinet unit. You can use this
trap to track interface IP address changes for interfaces with
dynamic IP addresses set using DHCP or PPPoE.
Diagnostic trap This trap is sent for diagnostic purposes.
(fnTrapTest) It has an OID index of .999.

Table 15: FortiGate VPN traps

Trap message Description
VPN tunnel is up An IPSec VPN tunnel has started.
(fgTrapVpnTunUp)
VPN tunnel down An IPSec VPN tunnel has shut down.
(fgTrapVpnTunDown)
Local gateway address Address of the local side of the VPN tunnel.
(fnVpnTrapLocalGateway) This information is associated with both of the VPN tunnel traps.
Remote gateway address Address of remote side of the VPN tunnel.
(fnVpnTrapRemoteGateway) This information is associated with both of the VPN tunnel traps.

Table 16: FortiGate IPS traps

Trap message Description
IPS Signature IPS signature detected.
(fgTrapIpsSignature)
IPS Anomaly IPS anomaly detected.
(fgTrapIpsAnomaly)
IPS Package Update The IPS signature database has been updated.
(fgTrapIpsPkgUpdate)
(fgIpsTrapSigId) ID of IPS signature identified in trap.
(fgIpsTrapSrcIp) IP Address of the IPS signature trigger.
(fgIpsTrapSigMsg) Message associated with IPS event.


Table 17: FortiGate antivirus traps

Trap message Description
Virus detected The antivirus engine detected a virus in an infected file from an HTTP
(fgTrapAvVirus) or FTP download or from an email message.
Oversize file/email detected The FortiGate unit antivirus scanner detected an oversized file.
(fgTrapAvOversize)
Filename block detected The FortiGate unit antivirus scanner blocked a file that matched a
(fgTrapAvPattern) known virus pattern.
Fragmented file detected The FortiGate unit antivirus scanner detected a fragmented file or
(fgTrapAvFragmented) attachment.
(fgTrapAvEnterConserve) The AV engine entered conservation mode due to low memory
conditions.
(fgTrapAvBypass) The AV scanner has been bypassed due to conservation mode.
(fgTrapAvOversizePass) An oversized file has been detected, but has been passed due to
configuration.
(fgTrapAvOversizeBlock) An oversized file has been detected, and has been blocked.
(fgAvTrapVirName) The virus name that triggered the event.

Table 18: FortiGate HA traps

Trap message Description
HA switch The specified cluster member has transitioned from a slave role to a
(fgTrapHaSwitch) master role.
HA Heartbeat Failure The heartbeat failure count has exceeded the configured threshold.
(fgTrapHaHBFail)
(fgTrapHaMemberDown) An HA member becomes unavailable to the cluster.
(fgTrapHaMemberUp) An HA member becomes available to the cluster.
(fgTrapHaStateChange) The trap sent when the HA cluster member changes its state.
(fgHaTrapMemberSerial) Serial number of an HA cluster member. Used to identify the origin of a
trap when a cluster is configured.

Table 19: FortiGate MIB FortiManager related traps

Trap message Description
(fgFmTrapDeployComplete) Indicates when deployment of a new configuration has been
completed.
Used for verification by FortiManager.
(fgFmTrapDeployInProgress) Indicates that a configuration change was not immediate and that
the change is currently in progress.
Used for verification by FortiManager.
(fgFmTrapConfChange) The FortiGate unit configuration has been changed by something
other than the managing FortiManager device.
(fgFmTrapIfChange) No message. Sent to monitoring FortiManager when an interface
changes IP address.


Fortinet and FortiGate MIB fields

The FortiGate MIB contains fields reporting current FortiGate unit status information. The
tables below list the names of the MIB fields and describe the status information available
for each one. You can view more details about the information available from all Fortinet
and FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and
FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields
on your computer.
Table 20: FortiGate HA MIB fields

MIB field Description
fgHaGroupId HA cluster group ID.
fgHaPriority HA clustering priority (default - 127).
fgHaOverride Status of a master override flag.
fgHaAutoSync Status of an automatic configuration synchronization.
fgHaSchedule Load balancing schedule for cluster in Active-Active mode.
fgHaGroupName HA cluster group name.
fgHaTrapMemberSerial Serial number of an HA cluster member.
fgHaStatsTable Statistics for the individual FortiGate unit in the HA cluster.
fgHaStatsIndex The index number of the unit in the cluster.
fgHaStatsSerial The FortiGate unit serial number.
fgHaStatsCpuUsage The current FortiGate unit CPU usage (%).
fgHaStatsMemUsage The current unit memory usage (%).
fgHaStatsNetUsage The current unit network utilization (Kbps).
fgHaStatsSesCount The number of active sessions.
fgHaStatsPktCount The number of packets processed.
fgHaStatsByteCount The number of bytes processed by the FortiGate unit.
fgHaStatsIdsCount The number of attacks that the IPS detected in the last 20 hours.
fgHaStatsAvCount The number of viruses that the antivirus system detected in the last 20 hours.
fgHaStatsHostname Hostname of HA Cluster's unit.

Table 21: FortiGate Administrator accounts

MIB field Description
fgAdminIdleTimeout Idle period after which an administrator is automatically logged out of the
system.
fgAdminLcdProtection Status of the LCD protection, either enabled or disabled.
fgAdminTable Table of administrators on this FortiGate unit.
fgAdminVdom The virtual domain the administrator belongs to.


Table 22: FortiGate Virtual domains

MIB field Description
fgVdInfo FortiGate unit Virtual Domain related information.
fgVdNumber The number of virtual domains configured on this FortiGate
unit.
fgVdMaxVdoms The maximum number of virtual domains allowed on the
FortiGate unit as allowed by hardware or licensing.
fgVdEnabled Whether virtual domains are enabled on this FortiGate unit.
fgVdTable.fgVdEntry Table of information about each virtual domain; each virtual domain has an
fgVdEntry. Each entry has the following fields.
fgVdEntIndex Internal virtual domain index used to uniquely identify entries
in this table.
This index is also used by other tables referencing a virtual
domain.
fgVdEntName The name of the virtual domain.
fgVdEntOpMode Operation mode of this virtual domain - either NAT or
Transparent.

Table 23: FortiGate Active IP sessions table

MIB field Description
fgIpSessIndex The index number of the IP session within the table.
fgIpSessProto The IP protocol the session is using (IP, TCP, UDP, etc.).
fgIpSessFromAddr The source IPv4 address of the active IP session.
fgIpSessFromPort The source port of the active IP session (UDP and TCP only).
fgIpSessToAddr The destination IPv4 address of the active IP session.
fgIpSessToPort The destination port of the active IP session (UDP and TCP only).
fgIpSessExp The number of seconds remaining until the session expires (if idle).
fgIpSessVdom Virtual domain the session is part of. Corresponds to the index in fgVdTable.
fgIpSessStatsTable IP Session statistics table for the virtual domain.
fgIpSessNumber Total sessions on this virtual domain.

Table 24: FortiGate Firewall policy statistics table

MIB field Description
fgFwPolicyStatsVdomIndex Index that identifies the virtual domain. This is the same index used
by fgVdTable.
fgFwPolicyID Firewall policy ID.
Only enabled policies are available for querying.
Policy IDs are only unique within a virtual domain.
fgFwPolicyPktCount Number of packets matched to policy (passed or blocked,
depending on policy action). Count is from the time the policy
became active.
fgFwPolicyByteCount Number of bytes matched to policy (passed or blocked, depending
on policy action). Count is from the time the policy became active.


Table 25: FortiGate Dialup VPNs

MIB field Description
fgVpnDialupIndex An index value that uniquely identifies a VPN dial-up peer in the
table.
fgVpnDialupGateway The remote gateway IP address on the tunnel.
fgVpnDialupLifetime VPN tunnel lifetime in seconds.
fgVpnDialupTimeout Time remaining until the next key exchange (seconds) for this tunnel.
fgVpnDialupSrcBegin Remote subnet address of the tunnel.
fgVpnDialupSrcEnd Remote subnet mask of the tunnel.
fgVpnDialupDstAddr Local subnet address of the tunnel.
fgVpnDialupVdom The virtual domain this tunnel is part of. This index corresponds to the
index in fgVdTable.

Table 26: VPN Tunnel table

MIB field Description
fgVpnTunEntIndex An index value that uniquely identifies a VPN tunnel within
the VPN tunnel table.
fgVpnTunEntPhase1Name The descriptive name of the Phase1 configuration for the
tunnel.
fgVpnTunEntPhase2Name The descriptive name of the Phase2 configuration for the
tunnel.
fgVpnTunEntRemGwyIp The IP of the remote gateway used by the tunnel.
fgVpnTunEntRemGwyPort The port of the remote gateway used by the tunnel, if it is
UDP.
fgVpnTunEntLocGwyIp The IP of the local gateway used by the tunnel.
fgVpnTunEntLocGwyPort The port of the local gateway used by the tunnel, if it is UDP.
fgVpnTunEntSelectorSrcBeginIp Beginning of the address range of the source selector.
fgVpnTunEntSelectorSrcEndIp Ending of the address range of the source selector.
fgVpnTunEntSelectorSrcPort Source selector port.
fgVpnTunEntSelectorDstBeginIp Beginning of the address range of the destination selector.
fgVpnTunEntSelectorDstEndIp Ending of the address range of the destination selector.
fgVpnTunEntSelectorDstPort Destination selector port.
fgVpnTunEntSelectorProto Protocol number for the selector.
fgVpnTunEntLifeSecs Lifetime of the tunnel in seconds, if time based lifetime is
used.
fgVpnTunEntLifeBytes Lifetime of the tunnel in bytes, if byte transfer based lifetime
is used.
fgVpnTunEntTimeout Timeout of the tunnel in seconds.
fgVpnTunEntInOctets Number of bytes received on the tunnel.
fgVpnTunEntOutOctets Number of bytes sent out on the tunnel.
fgVpnTunEntStatus Current status of the tunnel - either up or down.
fgVpnTunEntVdom Virtual domain the tunnel belongs to. This index corresponds
to the index used in fgVdTable.


Replacement messages
Go to System > Config > Replacement Messages to change replacement messages and
customize alert email and information that the FortiGate unit adds to content streams such
as email messages, web pages, and FTP sessions.
The FortiGate unit adds replacement messages to a variety of content streams. For
example, if a virus is found in an email message, the file is removed from the email and
replaced with a replacement message. The same applies to pages blocked by web
filtering and email blocked by spam filtering.

Note: Disclaimer replacement messages provided by Fortinet are examples only.

Replacement messages list

To view the replacement messages list go to System > Config > Replacement Messages.
You use the replacement messages list to view and customize replacement messages to
your requirements. The list organizes replacement messages into a number of types (for
example, Mail, HTTP, and so on). Use the expand arrow beside each type to display the
replacement messages for that category. Select the Edit icon beside each replacement
message to customize that message for your requirements.

Figure 105: Replacement messages list


Name The type of replacement message. Select the blue triangle to expand or collapse
the category. You can change messages added to
• email with virus-infected attachments
• web pages (http)
• ftp sessions
• alert mail messages
• smtp email blocked as spam
• web pages blocked by web filter category blocking
• instant messaging and peer-to-peer sessions
Also, you can modify
• the login page and rejected login page for user authentication
• disclaimer messages for user and administrator authentication (some models)
• keep alive page for authentication
• the FortiGuard web filtering block override page
• the login page for the SSL-VPN
• the Endpoint Control Download Portal page
Description Description of the replacement message type. The web-based manager describes
where each replacement message is used by the FortiGate unit.
Edit or view icon Select to edit or view a replacement message.

Note: FortiOS uses HTTP to send the Authentication Disclaimer page for the user to accept
before the firewall policy is in effect. Therefore, the user must initiate HTTP traffic first in
order to trigger the Authentication Disclaimer page. Once the Disclaimer is accepted, the
user can send whatever traffic is allowed by the firewall policy.

Changing replacement messages

To change a replacement message, go to System > Config > Replacement Messages.
Use the expand arrows to view the replacement message that you want to change. You
can change the content of the replacement message by editing the text and HTML codes
and by working with replacement message tags. For descriptions of the replacement
message tags, see Table 27 on page 197.

Figure 106: Sample HTTP virus replacement message

Replacement messages can be text or HTML messages. You can add HTML code to
HTML messages. Allowed Formats shows you which format to use in the replacement
message. There is a limit of 8192 characters for each replacement message. The
following fields and options are available when editing a replacement message. Different
replacement messages have different sets of fields and options.


Message Setup The name of the replacement message.
Allowed Formats The type of content that can be included in the replacement message.
Allowed formats can be Text or HTML. You should not use HTML code in
Text messages. You can include replacement message tags in text and
HTML messages.
Size The number of characters allowed in the replacement message. Usually
size is 8192 characters.
Message Text The editable text of the replacement message. The message text can
include text, HTML codes (if HTML is the allowed format) and replacement
message tags.

Replacement messages can include replacement message tags. When users receive the
replacement message, the replacement message tag is replaced with content relevant to
the message. Table 27 lists the replacement message tags that you can add.
Table 27: Replacement message tags

Tag Description
%%AUTH_LOGOUT%% The URL that will immediately delete the current policy and close the
session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%% The auth-keepalive page can prompt the user to open a new window
which links to this tag.
%%CATEGORY%% The name of the content category of the web site.
%%DEST_IP%% The IP address of the request destination from which a virus was
received. For email this is the IP address of the email server that sent
the email containing the virus. For HTTP this is the IP address of web
page that sent the virus.
%%EMAIL_FROM%% The email address of the sender of the message from which the file was
removed.
%%EMAIL_TO%% The email address of the intended receiver of the message from which
the file was removed.
%%FAILED_MESSAGE%% The failed-to-login message displayed on the auth-login-failed page.
%%FILE%% The name of a file that has been removed from a content stream. This
could be a file that contained a virus or was blocked by antivirus file
blocking. %%FILE%% can be used in virus and file block messages.
%%FORTIGUARD_WF%% The FortiGuard - Web Filtering logo.
%%FORTINET%% The Fortinet logo.
%%LINK%% The link to the FortiClient Host Security installer download for the
Endpoint Control feature.
%%HTTP_ERR_CODE%% The HTTP error code. “404” for example.
%%HTTP_ERR_DESC%% The HTTP error description.
%%NIDSEVENT%% The IPS attack message. %%NIDSEVENT%% is added to alert email
intrusion messages.
%%OVERRIDE%% The link to the FortiGuard Web Filtering override form. This is visible
only if the user belongs to a group that is permitted to create FortiGuard
web filtering overrides.
%%OVRD_FORM%% The FortiGuard web filter block override form. This tag must be present
in the FortiGuard Web Filtering override form and should not be used in
other replacement messages.
%%PROTOCOL%% The protocol (http, ftp, pop3, imap, or smtp) in which a virus was
detected. %%PROTOCOL%% is added to alert email virus messages.


Table 27: Replacement message tags (Continued)

Tag Description
%%QUARFILENAME%%  The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%QUESTION%%  The authentication challenge question on the auth-challenge page, or the prompt to enter username and password on the auth-login page.
%%SERVICE%%  The name of the web filtering service.
%%SOURCE_IP%%  The IP address of the request originator who would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.
%%TIMEOUT%%  The configured number of seconds between authentication keepalive connections. Used on the auth-keepalive page.
%%URL%%  The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%VIRUS%%  The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

Changing the authentication login page


Users see the authentication login page when they use a VPN or a firewall policy that
requires authentication. You can customize this page in the same way as you modify other
replacement messages, but there are some unique requirements:
• The login page must be an HTML page containing a form with ACTION="/" and
METHOD="POST"
• The form must contain the following hidden controls:
• <INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
• <INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
• <INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
• The form must contain the following visible controls:
• <INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
• <INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>

Example
The following is an example of a simple authentication page that meets the requirements
listed above.
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0"
CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"> </TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password">
</TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"> </TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
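A custom login page that omits one of the hidden controls, or posts to the wrong action, silently breaks firewall authentication. The following script is an added example (not part of the guide or of FortiOS) that checks a replacement page against the requirements listed above before it is uploaded; it uses the guide's sample page as constructed test input, and the function name check_login_page is an assumption of this example.

```python
"""Check a custom FortiGate authentication login page against the documented
form requirements: one form with ACTION="/" and METHOD="POST", the three
hidden controls with their fixed tag values, and the two visible inputs."""
from html.parser import HTMLParser

# Constructed sample input: the simple login page from the guide.
SAMPLE_LOGIN_PAGE = """<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0"
CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"> </TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password">
</TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"> </TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
"""

# Hidden controls the FortiGate unit fills in; NAME and VALUE are fixed tags.
REQUIRED_HIDDEN = {
    "%%MAGICID%%": "%%MAGICVAL%%",
    "%%STATEID%%": "%%STATEVAL%%",
    "%%REDIRID%%": "%%PROTURI%%",
}
# Visible controls the user types into, keyed by NAME with the required TYPE.
REQUIRED_VISIBLE = {"%%USERNAMEID%%": "text", "%%PASSWORDID%%": "password"}


class _LoginFormParser(HTMLParser):
    """Collects every <form> and the <input> controls that sit inside one."""

    def __init__(self):
        super().__init__()
        self.forms = []      # (action, method) for each <form> seen
        self.inputs = []     # (type, name, value) for inputs inside a form
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms.append((a.get("action", ""), a.get("method", "").upper()))
            self._in_form = True
        elif tag == "input" and self._in_form:
            self.inputs.append((a.get("type", "text").lower(),
                                a.get("name", ""), a.get("value", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def check_login_page(html):
    """Return a list of problems; an empty list means the page is acceptable."""
    parser = _LoginFormParser()
    parser.feed(html)
    problems = []
    if len(parser.forms) != 1:
        return [f"expected exactly one <FORM>, found {len(parser.forms)}"]
    action, method = parser.forms[0]
    if action != "/":
        problems.append(f'form ACTION must be "/" (found {action!r})')
    if method != "POST":
        problems.append(f'form METHOD must be "POST" (found {method!r})')
    hidden = {name: value for typ, name, value in parser.inputs if typ == "hidden"}
    for name, value in REQUIRED_HIDDEN.items():
        if name not in hidden:
            problems.append(f"missing hidden control {name}")
        elif hidden[name] != value:
            problems.append(f"hidden control {name} must have VALUE={value}")
    visible = {name: typ for typ, name, _ in parser.inputs if typ != "hidden"}
    for name, typ in REQUIRED_VISIBLE.items():
        if visible.get(name) != typ:
            problems.append(f'missing <INPUT TYPE="{typ}" NAME="{name}">')
    return problems


if __name__ == "__main__":
    for problem in check_login_page(SAMPLE_LOGIN_PAGE) or ["login page OK"]:
        print(problem)
```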

Changing the FortiGuard web filtering block override page


The %%OVRD_FORM%% tag provides the form used to initiate an override if FortiGuard -
Web Filtering blocks access to a web page. Do not remove this tag from the replacement
message.

Changing the SSL-VPN login message


The SSL VPN login message presents a web page through which users log in to the SSL-
VPN web portal. The page is linked to FortiGate functionality and you must construct it
according to the following guidelines to ensure that it will work.
• The login page must be an HTML page containing a form with
ACTION="%%SSL_ACT%%" and METHOD="%%SSL_METHOD%%"
• The form must contain the %%SSL_LOGIN%% tag to provide the login form.
• The form must contain the %%SSL_HIDDEN%% tag.

Changing the authentication disclaimer page


The Authentication Disclaimer page, available on some models, makes a statement about
usage policy to which the user must agree before the FortiGate unit permits access. You
enable the disclaimer in the firewall policy. See User Authentication Disclaimer in
“Configuring firewall policies” on page 316. You should change only the disclaimer text
itself, not the HTML form code.

Operation mode and VDOM management access


You can change the operation mode of each VDOM independently of other VDOMs. This
allows any combination of NAT/Route and Transparent operating modes on the FortiGate
unit VDOMs.
Management access to a VDOM can be restricted based on which interfaces and
protocols can be used to connect to the FortiGate unit.

Changing operation mode


You can set the operating mode for your VDOM and perform sufficient network
configuration to ensure that you can connect to the web-based manager in the new mode.

To switch from NAT/Route to Transparent mode


1 Go to System > Config > Operation Mode or select Change beside Operation Mode on
the System Status page for the virtual domain.


2 From the Operation Mode list, select Transparent.

3 Enter the following information and select Apply.

Management IP/Netmask Enter the management IP address and netmask. This must be a
valid IP address for the network from which you want to
manage the FortiGate unit.
Default Gateway Enter the default gateway required to reach other networks from the
FortiGate unit.

To switch from Transparent to NAT/Route mode


1 Go to System > Config > Operation Mode or select Change beside Operation Mode on
the System Status page for the virtual domain.
2 From the Operation Mode list, select NAT.

3 Enter the following information and select Apply.

Interface IP/Netmask Enter a valid IP address and netmask for the network from which
you want to manage the FortiGate unit.
Device Select the interface to which the Interface IP/Netmask settings
apply.
Default Gateway Enter the default gateway required to reach other networks from the
FortiGate unit.
Gateway Device Select the interface to which the default gateway is connected.


Management access
You can configure management access on any interface in your VDOM. See
“Administrative access to an interface” on page 136. In NAT/Route mode, the interface IP
address is used for management access. In Transparent mode, you configure a single
management IP address that applies to all interfaces in your VDOM that permit
management access. The FortiGate also uses this IP address to connect to the FDN for
virus and attack updates (see “Configuring FortiGuard Services” on page 258).
The system administrator (admin) can access all VDOMs, and create regular
administrator accounts. A regular administrator account can access only the VDOM to
which it belongs, and the management computer must connect to an interface in that
VDOM. For the system administrator, it does not matter to which VDOM the interface
belongs. In both cases, the management computer must connect to an interface that
permits management access, and its IP address must be on the same network.
Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services
are enabled on the interface. HTTPS and SSH are preferred because they are more secure.
You can allow remote administration of the FortiGate unit. However, allowing remote
administration from the Internet could compromise the security of the FortiGate unit. You
should avoid this unless it is required for your configuration. To improve the security of a
FortiGate unit that allows remote administration from the Internet:
• Use secure administrative user passwords.
• Change these passwords regularly.
• Enable secure administrative access to this interface using only HTTPS or SSH.
• Use Trusted Hosts to limit where the remote access can originate from.
• Do not change the system idle timeout from the default value of 5 minutes (see
“Settings” on page 222).


System Admin
This section describes how to configure administrator accounts on your FortiGate unit.
Administrators access the FortiGate unit to configure its operation. The factory default
configuration has one administrator, admin. After connecting to the web-based manager
or the CLI, you can configure additional administrators with various levels of access to
different parts of the FortiGate unit configuration.
If you enable virtual domains (VDOMs) on the FortiGate unit, system administrators are
configured globally for the entire FortiGate unit. For details, see “Using virtual domains” on
page 103.

Note: Always end your FortiGate session by logging out, in the CLI or the web-based
manager. If you do not, the session remains open.

This section describes:


• Administrators
• Admin profiles
• Central Management
• Settings
• Monitoring administrators
• FortiGate IPv6 support
• Customizable web-based manager

Administrators
There are two levels of administrator accounts:

Regular administrators  An administrator with any admin profile other than super_admin. A regular administrator account has access to configuration options as determined by its Admin Profile. If virtual domains are enabled, the regular administrator is assigned to one VDOM and cannot access global configuration options or the configuration for any other VDOM. For information about which options are global and which are per VDOM, see “VDOM configuration settings” on page 105 and “Global configuration settings” on page 106.
System administrators  Includes the factory default system administrator admin, any other administrators assigned to the super_admin profile, and any administrator that is assigned to the super_admin_readonly profile. Any administrator assigned to the super_admin admin profile, including the default administrator account admin, has full access to the FortiGate unit configuration and general system settings, which includes the ability to:
• enable VDOM configuration
• create VDOMs
• configure VDOMs
• assign regular administrators to VDOMs
• configure global options
• customize the FortiGate web-based manager.
The super_admin admin profile cannot be changed; it does not appear in the list of profiles in System > Admin > Admin Profile, but it is one of the selections in the Admin Profile drop-down list in the System > Admin New/Edit Administrator dialog box.


Figure 107: New Administrator dialog box displaying super_admin readonly option

Users assigned to the super_admin profile:


• cannot delete logged-in users who are also assigned the super_admin profile
• can delete other users assigned the super_admin profile and/or change the configured
authentication method, password, or admin profile, only if the other users are not
logged in
• can delete the default “admin” account only if the default admin user is not logged in.
By default, admin has no password. The password should be 32 characters or less.

Note: The password of users with the super_admin admin profile can be reset in the CLI. If
the password of a user who is logged in is changed, the user will be logged out and
prompted to re-authenticate with the new password.
Example: For a user ITAdmin with the admin profile super_admin, to set the password to
123456:
config sys admin
edit ITAdmin
set password 123456
end
Example: For a user ITAdmin with the admin profile super_admin, to reset the password
from 123456 to the default ‘empty’:
config sys admin
edit ITAdmin
unset password 123456
end

There is also an admin profile that allows read-only super admin privileges,
super_admin_readonly. This profile cannot be deleted or changed, similar to the
super_admin. The read-only super_admin profile is suitable in a situation where it is
necessary for a system administrator to troubleshoot a customer configuration without
being able to make changes. Other than being read-only, the super_admin_readonly
profile can view all the FortiGate configuration tools.


You can authenticate an administrator by using a password stored on the FortiGate unit,
an LDAP, RADIUS, or TACACS+ server, or by using PKI certificate-based authentication.
To authenticate an administrator with an LDAP or TACACS+ server, you must add the
server to an authentication list, include the server in a user group, and associate the
administrator with the user group. The RADIUS server authenticates users and authorizes
access to internal network resources based on the admin profile of the user. Users
authenticated with a PKI certificate are permitted access to internal network
resources based on the user group they belong to and the associated admin profile.
A VDOM/admin profile override feature supports authentication of administrators via
RADIUS. The admin user will have access depending on which VDOM and associated
admin profile he or she is restricted to. This feature is available only to wildcard
administrators, and can be set only through the FortiGate CLI. There can only be one
VDOM override user per system. For more information, see the FortiGate CLI Reference.

Viewing the administrators list


You need to use the default “admin” account, an account with the super_admin admin
profile, or an administrator with read-write access control to add new administrator
accounts and control their permission levels. If you log in with an administrator account
that does not have the super_admin admin profile, the administrators list shows only
the administrators for the current virtual domain.
To view the list of administrators, go to System > Admin > Administrators.
Figure 108: Administrators list

Create New  Add an administrator account.
Name  The login name for an administrator account.
Trusted Hosts  The IP address and netmask of trusted hosts from which the administrator can log in. For more information, see “Using trusted hosts” on page 215.
Profile  The admin profile for the administrator.
Type  The type of authentication for this administrator, one of:
  Local  Authentication of an account with a local password stored on the FortiGate unit.
  Remote  Authentication of a specific account on a RADIUS, LDAP, or TACACS+ server.
  Remote+Wildcard  Authentication of any account on an LDAP, RADIUS, or TACACS+ server.
  PKI  PKI-based certificate authentication of an account.


Delete icon  Delete the administrator account. You cannot delete the original “admin” account until you create another user with the super_admin profile, log out of the “admin” account, and log in with the alternate user that has the super_admin profile.
Edit or View icon  Edit or view the administrator account.
Change Password icon  Change the password for the administrator account.
To change an administrator password, go to System > Admin > Administrators, and select
the Change Password icon next to the administrator account you want to change the
password for. Enter and confirm the new password, and select OK to save the changes.

Configuring an administrator account


You need to use the default “admin” account, an account with the super_admin admin
profile, or an administrator with read-write access control to create a new administrator.
To create a new administrator, go to System > Admin > Administrators and select Create
New. To configure the settings for an existing administrator, select the Edit icon beside the
administrator.

Figure 109: Administrator account configuration - Regular (local) authentication

Figure 110: Administrator account configuration - Remote authentication


Figure 111: Administrator account configuration - PKI authentication

Administrator  Enter the login name for the administrator account. The name of the administrator should not contain the characters <>()#"'. Using these characters in the administrator account name can result in a cross site scripting (XSS) vulnerability.
Type  Select the type of administrator account:
  Regular  Select to create a Local administrator account. For more information, see “Configuring regular (password) authentication for administrators” on page 208.
  Remote  Select to authenticate the administrator using a RADIUS, LDAP, or TACACS+ server. Server authentication for administrators must be configured first. For more information, see “Configuring remote authentication for administrators” on page 208.
  PKI  Select to enable certificate-based authentication for the administrator. Only one administrator can be logged in with PKI authentication enabled. For more information, see “Configuring PKI certificate authentication for administrators” on page 214.
User Group  Select the administrator user group that includes the Remote server/PKI (peer) users as members of the User Group. The administrator user group cannot be deleted once the group is selected for authentication. This is available only if Type is Remote or PKI.
Wildcard  Select to allow all accounts on the RADIUS, LDAP, or TACACS+ server to be administrators. This is available only if Type is Remote. Only one wildcard user is permitted per VDOM.
Password  Enter a password for the administrator account. For improved security, the password should be at least 6 characters long. This is not available if Wildcard is selected or when Type is PKI. See the Fortinet Knowledge Center article Recovering lost administrator account passwords if you forget or lose an administrator account password and cannot log in to your FortiGate unit.
Confirm Password  Type the password for the administrator account a second time to confirm that you have typed it correctly. This is not available if Wildcard is selected or when PKI authentication is selected.
Trusted Host #1, Trusted Host #2, Trusted Host #3  Enter the trusted host IP address and netmask that administrator login is restricted to on the FortiGate unit. You can specify up to three trusted hosts. These addresses all default to 0.0.0.0/0 or 0.0.0.0/0.0.0.0. For more information, see “Using trusted hosts” on page 215.
Admin Profile  Select the admin profile for the administrator. You can also select Create New to create a new admin profile. For more information on admin profiles, see “Configuring an admin profile” on page 219.


Configuring regular (password) authentication for administrators


You can use a password stored on the local FortiGate unit to authenticate an
administrator.

To configure an administrator to authenticate with a password stored on the FortiGate unit

1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
Administrator  A name for the administrator.
Type  Regular.
Password  A password for the administrator to use to authenticate.
Confirm Password  The password entered in Password.
Admin Profile  The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an
administrator account” on page 206.
5 Select OK.
When you select Type > Regular, you will see Local as the entry in the Type column when
you view the list of administrators. For more information, see “Viewing the administrators
list” on page 205.

Note: If you forget or lose an administrator account password and cannot log in to your
FortiGate unit, see the Fortinet Knowledge Center article Recovering lost administrator
account passwords.

Configuring remote authentication for administrators


You can authenticate administrators using RADIUS, LDAP, or TACACS+ servers. In order
to do this, you must configure the server, include the server as a user in a user group, and
create the administrator account to include in the user group.

Configuring RADIUS authentication for administrators


Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication and
authorization functions of the RADIUS server. To use the RADIUS server for
authentication, you must configure the server before you configure the FortiGate users or
user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a
RADIUS server, the FortiGate unit sends the user’s credentials to the RADIUS server for
authentication. If the RADIUS server can authenticate the user, the user is successfully
authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user,
the FortiGate unit refuses the connection.
If you want to use a RADIUS server to authenticate administrators in your VDOM, you
must configure the authentication before you create the administrator accounts. To do this
you need to:
• configure the FortiGate unit to access the RADIUS server
• create a user group with the RADIUS server as its only member.


Note: Access to the FortiGate unit depends on the VDOM associated with the administrator
account.

The following instructions assume that there is a RADIUS server on your network
populated with the names and passwords of your administrators. For information on how
to set up a RADIUS server, see the documentation for your RADIUS server.
To view the RADIUS server list, go to User > Remote > RADIUS.

Figure 112: Example RADIUS server list

Create New  Add a new RADIUS server.
Name  The name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP  The domain name or IP address of the RADIUS server.
Delete icon  Delete a RADIUS server configuration. You cannot delete a RADIUS server that has been added to a user group.
Edit icon  Edit a RADIUS server configuration.

To configure the FortiGate unit to access the RADIUS server


1 Go to User > Remote > RADIUS.
2 Select Create New, or select the Edit icon beside an existing RADIUS server.
3 Enter a name that identifies the RADIUS server. Use this name when you create the
user group.
4 For Primary Server Name/IP, enter the domain name or IP address of the RADIUS
server.
5 For Primary Server Secret, enter the RADIUS server secret. The RADIUS server
administrator can provide this information.
6 Optionally, provide information regarding a secondary RADIUS server, custom
authentication scheme, and a NAS IP/Called Station ID.
7 Optionally, configure the RADIUS server to be included in every user group in the
associated VDOM.
8 Select OK.
For further information about RADIUS authentication, see “Configuring a RADIUS server”
on page 544.

To create the user group (RADIUS)


1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing RADIUS group.
3 Enter the name that identifies the user group.


4 For Type, enter Firewall.


5 In the Available Users/Groups list, select the RADIUS server name and move it to the
Members list.
6 Select OK.

To configure an administrator to authenticate with a RADIUS server


1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter the following information:
Name  A name that identifies the administrator.
Type  Remote.
User Group  The user group that includes the RADIUS server as a member.
Password  The password the administrator uses to authenticate.
Confirm Password  The re-entered password that confirms the original entry in Password.
Admin Profile  The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an
administrator account” on page 206.
5 Select OK.
For more information about using a RADIUS server to authenticate system administrators,
see Fortinet Knowledge Centre article #3849 Using RADIUS for Admin Access and
Authorization.
• Admin profiles
• Configuring a RADIUS server
• Configuring a user group

Configuring LDAP authentication for administrators


Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords,
email addresses, printers, etc.
If you have configured LDAP support and an administrator is required to authenticate
using an LDAP server, the FortiGate unit contacts the LDAP server for authentication. If
the LDAP server cannot authenticate the administrator, the FortiGate unit refuses the
connection.
If you want to use an LDAP server to authenticate administrators in your VDOM, you must
configure the authentication before you create the administrator accounts. To do this you
need to:
• configure the LDAP server
• configure the FortiGate unit to access the LDAP server
• create a user group with the LDAP server as a member.
To view the LDAP server list, go to User > Remote > LDAP.


Figure 113: Example LDAP server list

Create New  Add a new LDAP server.
Name  The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP  The domain name or IP address of the LDAP server.
Port  The TCP port used to communicate with the LDAP server.
Common Name Identifier  The common name identifier for the LDAP server.
Distinguished Name  The distinguished name used to look up entries on the LDAP server.
Delete icon  Delete the LDAP server configuration.
Edit icon  Edit the LDAP server configuration.

To configure an LDAP server


1 Go to User > Remote > LDAP.
2 Select Create New or select the Edit icon beside an existing LDAP server.
3 Enter or select the following and select OK.

Name  The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP  The domain name or IP address of the LDAP server.
Server Port  The TCP port used to communicate with the LDAP server.
Common Name Identifier  The common name identifier for the LDAP server.
Distinguished Name  The base distinguished name for the server in the correct X.500 or LDAP format.
Query icon  View the LDAP server Distinguished Name Query tree for the LDAP server that you are configuring so that you can cross-reference to the Distinguished Name. For more information, see “Using Query” on page 548.
Bind Type  The type of binding for LDAP authentication:
  Anonymous  Bind using anonymous user search.
  Regular  Bind using a user name/password and then search.
  Simple  Bind using a simple password authentication without a search.
Filter  Filter used for group searching. Available only if Bind Type is Anonymous or Regular.
User DN  Distinguished name of the user to be authenticated. Available only if Bind Type is Regular.
Password  Password of the user to be authenticated. Available only if Bind Type is Regular.
Secure Connection  A check box that enables a secure LDAP server connection for authentication.
Protocol  The secure LDAP protocol to use for authentication. Available only if Secure Connection is selected.
Certificate  The certificate to use for authentication. Available only if Secure Connection is selected.
For further information about LDAP authentication, see “Configuring an LDAP server” on
page 547.

To create the user group (LDAP)


1 Go to User > User Group.
2 Select Create New or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the user group.
4 For Type, enter Firewall.
5 In the Available Users/Groups list, select the LDAP server name and move it to the
Members list.
6 Select OK.
To configure an administrator to authenticate with an LDAP server
1 Go to System > Admin.
2 Select Create New or select the Edit icon beside an existing administrator account.
3 Enter or select the following:

Administrator  A name that identifies the administrator.
Type  Remote.
User Group  The user group that includes the LDAP server as a member.
Wildcard  A check box that allows all accounts on the LDAP server to be administrators.
Password  The password the administrator uses to authenticate. Not available if Wildcard is enabled.
Confirm Password  The re-entered password that confirms the original entry in Password. Not available if Wildcard is enabled.
Admin Profile  The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an
administrator account” on page 206.
5 Select OK.
Configuring TACACS+ authentication for administrators
Terminal Access Controller Access-Control System (TACACS+) is a remote
authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers.
If you have configured TACACS+ support and an administrator is required to authenticate
using a TACACS+ server, the FortiGate unit contacts the TACACS+ server for
authentication. If the TACACS+ server cannot authenticate the administrator, the
connection is refused by the FortiGate unit.
If you want to use a TACACS+ server to authenticate administrators in your VDOM, you
must configure the authentication before you create the administrator accounts. To do this
you need to:
• configure the TACACS+ server
• configure the FortiGate unit to access the TACACS+ server
• create a user group with the TACACS+ server as a member.


To view the TACACS+ server list, go to User > Remote > TACACS+.

Figure 114: Example TACACS+ server list

Create New  Add a new TACACS+ server.
Server  The server domain name or IP address of the TACACS+ server.
Authentication Type  The supported authentication method. TACACS+ authentication methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon  Delete this TACACS+ server.
Edit icon  Edit this TACACS+ server.

To configure the FortiGate unit to access the TACACS+ server


1 Go to User > Remote > TACACS+.
2 Select Create New, or select the Edit icon beside an existing TACACS+ server.
3 Enter the Name that identifies the TACACS+ server.
4 For Server Name/IP, enter the server domain name or IP address of the TACACS+
server.
5 For Server Key, enter the key to access the TACACS+ server. The key can be at most
16 characters long.
6 For Authentication Type, enter one of Auto, ASCII, PAP, CHAP, and MSCHAP. Auto
authenticates using PAP, MSCHAP, and CHAP (in that order).
7 Select OK.

For further information about TACACS+ authentication, see “Configuring TACACS+
servers” on page 550.

To create the user group (TACACS+)


1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter a Name that identifies the user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the TACACS+ server name and move it to
the Members list.
6 Select OK.

To configure an administrator to authenticate with a TACACS+ server

1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:

Administrator      A name that identifies the administrator.
Type               Remote.
User Group         The user group that includes the TACACS+ server as a member.
Wildcard           Select to allow all accounts on the TACACS+ server to be administrators.
Password           The password the administrator uses to authenticate. Not available if
                   Wildcard is enabled.
Confirm Password   The re-entered password that confirms the original entry in Password.
                   Not available if Wildcard is enabled.
Admin Profile      The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an
administrator account” on page 206.
5 Select OK.

Configuring PKI certificate authentication for administrators

Public Key Infrastructure (PKI) authentication uses a certificate authentication library that
takes a list of peers, peer groups, and user groups and returns authentication successful
or denied notifications. Users only need a valid certificate for successful authentication; no
username or password is necessary.
If you want to use PKI authentication for an administrator, you must configure the
authentication before you create the administrator accounts. To do this you need to:
• configure a PKI administrator to be included in the user group
• create a user group.
To view the PKI user list, go to User > PKI.

Figure 115: Example PKI user list

Create New    Add a new PKI user.
Name          The name of the PKI user.
Subject       The text string that appears in the subject field of the certificate of the
              authenticating user.
CA            The CA certificate that is used to authenticate this user.
Delete icon   Delete this PKI user.
Edit icon     Edit this PKI user.

To configure a PKI user

1 Go to User > PKI.
2 Select Create New, or select the Edit icon beside an existing PKI user.
3 Enter the Name of the PKI user.
4 For Subject, enter the text string that appears in the subject field of the certificate of the
authenticating user.
5 Select the CA certificate used to authenticate this user.
6 Select OK.

To create the user group (PKI)

1 Go to User > User Group.
2 Select Create New, or select the Edit icon beside an existing user group.
3 Enter the Name that identifies the user group.
4 For Type, select Firewall.
5 In the Available Users/Groups list, select the PKI user name and move it to the
Members list.
6 Select OK.

To configure an administrator to authenticate with a PKI certificate

1 Go to System > Admin.
2 Select Create New, or select the Edit icon beside an existing administrator.
3 Enter or select the following:

Administrator   A name that identifies the administrator.
Type            PKI.
User Group      The user group that includes the PKI user as a member.
Admin Profile   The admin profile to apply to the administrator.

4 Configure additional features as required. For more information, see “Configuring an
administrator account” on page 206.
5 Select OK.

Using trusted hosts

Setting trusted hosts for all of your administrators increases the security of your network
by further restricting administrative access. In addition to knowing the password, an
administrator must connect only through the subnet or subnets you specify. You can even
restrict an administrator to a single IP address if you define only one trusted host IP
address with a netmask of 255.255.255.255.
When you set trusted hosts for all administrators, the FortiGate unit does not respond to
administrative access attempts from any other hosts. This provides the highest security. If
you leave even one administrator unrestricted, the unit accepts administrative access
attempts on any interface that has administrative access enabled, potentially exposing the
unit to attempts to gain unauthorized access.
The trusted hosts you define apply both to the web-based manager and to the CLI when
accessed through Telnet or SSH. CLI access through the console connector is not
affected.
The trusted host addresses all default to 0.0.0.0/0.0.0.0. If you set one of the
0.0.0.0/0.0.0.0 addresses to a non-zero address, the remaining 0.0.0.0/0.0.0.0 entries are
ignored. The only way to use a wildcard entry is to leave all of the trusted hosts at
0.0.0.0/0.0.0.0. However, this configuration is less secure.
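The following is an added example, not code from the FortiGate guide or from FortiOS. It models the trusted-host rules stated above so that the wildcard behaviour can be checked against sample inputs: all-wildcard entries allow any source, one non-zero entry silences the remaining wildcards, console access is never restricted, and a single unrestricted administrator leaves the unit answering on every interface with administrative access enabled. The administrator names, addresses and the three-entry limit are constructed for the example.

```python
"""Trusted-host matching for FortiGate administrator accounts.

Added example (not FortiOS code). It models the rules in "Using trusted
hosts": every entry defaults to 0.0.0.0/0.0.0.0, which is a wildcard only
while all entries are wildcards; once one entry is non-zero the remaining
wildcards are ignored; console access bypasses the check entirely.
"""
import ipaddress

WILDCARD = "0.0.0.0/0.0.0.0"                  # factory default for every entry
NETWORK_METHODS = {"gui", "telnet", "ssh"}    # access methods trusted hosts restrict


def effective_trusted_networks(entries):
    """Return the networks an administrator may connect from.

    entries: list of "ip/netmask" strings as shown in the web-based manager.
    """
    if all(e == WILDCARD for e in entries):
        # Nothing configured: the wildcard stands and any host is accepted.
        return [ipaddress.ip_network("0.0.0.0/0")]
    networks = []
    for entry in entries:
        if entry == WILDCARD:
            continue                          # ignored once a real subnet is present
        ip, mask = entry.split("/")
        # strict=False accepts a host address with a mask shorter than /32.
        networks.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return networks


def admin_access_allowed(entries, source_ip, method):
    """Decide whether a login attempt passes the trusted-host check.

    method is "gui", "telnet", "ssh" or "console". Trusted hosts apply to the
    web-based manager and to Telnet/SSH CLI access; the console connector is
    not affected, so it is always allowed here.
    """
    if method == "console":
        return True
    if method not in NETWORK_METHODS:
        raise ValueError(f"unknown access method: {method}")
    src = ipaddress.ip_address(source_ip)
    return any(src in net for net in effective_trusted_networks(entries))


def unit_exposed_to_any_host(admins):
    """True if at least one administrator account is left unrestricted.

    admins maps an administrator name to its trusted host entries. A single
    unrestricted account means the unit accepts administrative access attempts
    from any host on any interface that has administrative access enabled.
    """
    return any(all(e == WILDCARD for e in entries) for entries in admins.values())


# Constructed sample accounts (hypothetical names and addresses).
SAMPLE_ADMINS = {
    "netops": ["10.1.1.0/255.255.255.0", WILDCARD, WILDCARD],   # one subnet
    "auditor": ["192.0.2.7/255.255.255.255", WILDCARD, WILDCARD],  # single host
    "legacy": [WILDCARD, WILDCARD, WILDCARD],                   # unrestricted
}

if __name__ == "__main__":
    for name, entries in SAMPLE_ADMINS.items():
        print(name, [str(n) for n in effective_trusted_networks(entries)])
    print("unit exposed to any host:", unit_exposed_to_any_host(SAMPLE_ADMINS))
```

Running the module prints the effective networks per account and reports that the "legacy" account alone makes the unit reachable from anywhere; removing that account from the dictionary flips the result, which is the practical check to run over an exported administrator list before relying on trusted hosts.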


Admin profiles
Each administrator account belongs to an admin profile. The admin profile separates
FortiGate features into access control categories for which an administrator with
read/write access can enable none (deny), read only, or read/write access.
The following table lists the web-based manager pages to which each category provides
access:
Table 28: Admin profile control of access to Web-based manager pages

Access control                 Affected web-based manager pages
Admin Users                    System > Admin
                               System > Admin > Central Management
                               System > Admin > Settings
Antivirus Configuration        UTM > AntiVirus
Auth Users                     User
Firewall Configuration         Firewall
FortiGuard Update              System > Maintenance > FortiGuard
IM, P2P & VoIP Configuration   IM, P2P & VoIP > Statistics
                               IM, P2P & VoIP > User > Current Users
                               IM, P2P & VoIP > User > User List
                               IM, P2P & VoIP > User > Config
IPS Configuration              UTM > Intrusion Protection
Log&Report                     Log&Report
Maintenance                    System > Maintenance
Network Configuration          System > Network > Interface
                               System > Network > Zone
                               System > DHCP
Router Configuration           Router
Spamfilter Configuration       UTM > AntiSpam
System Configuration           System > Status, including Session info
                               System > Config
                               System > Hostname
                               System > Network > Options
                               System > Admin > Central Management
                               System > Admin > Settings
                               System > Status > System Time
VPN Configuration              VPN
Webfilter Configuration        UTM > Web Filter

Read-only access enables the administrator to view the web-based manager page. The
administrator needs write access to change the settings on the page.
You can expand the firewall configuration access control to enable more granular control
of access to the firewall functionality. You can control administrator access to policy,
address, service, schedule, profile, and other virtual IP (VIP) configurations.

Note: When Virtual Domain Configuration is enabled (see “Settings” on page 222), only the
administrators with the admin profile super_admin have access to global settings. Other
administrator accounts are assigned to one VDOM and cannot access global configuration
options or the configuration for any other VDOM.
For information about which settings are global, see “VDOM configuration settings” on
page 105.


The admin profile has a similar effect on administrator access to CLI commands. The
following table shows which command types are available in each Access Control
category. You can access “get” and “show” commands with Read Only access. Access to
“config” commands requires Read-Write access.
Table 29: Admin profile control of access to CLI commands

Access control                       Available CLI commands
Admin Users (admingrp)               system admin
                                     system accprofile
Antivirus Configuration (avgrp)      antivirus
Auth Users (authgrp)                 user
Firewall Configuration (fwgrp)       firewall
                                     Use the set fwgrp custom and config fwgrp-permission
                                     commands to set some firewall permissions individually.
                                     You can make selections for policy, address, service,
                                     schedule, profile, and other (VIP) configurations. For
                                     more information, see FortiGate CLI Reference.
FortiProtect Update (updategrp)      system autoupdate
                                     execute update-av
                                     execute update-ips
                                     execute update-now
IPS Configuration (ipsgrp)           ips
Log & Report (loggrp)                alertemail
                                     log
                                     system fortianalyzer
                                     execute log
Maintenance (mntgrp)                 execute formatlogdisk
                                     execute restore
                                     execute backup
                                     execute batch
                                     execute usb-disk
Network Configuration (netgrp)       system arp-table
                                     system dhcp
                                     system interface
                                     system zone
                                     execute dhcp lease-clear
                                     execute dhcp lease-list
                                     execute clear system arp table
                                     execute interface
Router Configuration (routegrp)      router
                                     execute router
                                     execute mrouter
Spamfilter Configuration (spamgrp)   spamfilter
System Configuration (sysgrp)        system except accprofile, admin, arp-table,
                                     autoupdate, fortianalyzer, interface, and zone.
                                     execute date
                                     execute ha
                                     execute ping
                                     execute ping-options
                                     execute ping6
                                     execute time
                                     execute traceroute
                                     execute cfg
                                     execute factoryreset
                                     execute reboot
                                     execute shutdown
                                     execute deploy
                                     execute set-next-reboot
                                     execute ssh
                                     execute telnet
                                     execute disconnect-admin-session
                                     execute usb
VPN Configuration (vpngrp)           vpn
                                     execute vpn
Webfilter Configuration (webgrp)     webfilter
To add admin profiles for FortiGate administrators, go to System > Admin > Admin Profile.
Each administrator account belongs to an admin profile. An administrator with read/write
access can create admin profiles that deny access to, allow read-only, or allow both read-
and write-access to FortiGate features.
When an administrator has read-only access to a feature, the administrator can access
the web-based manager page for that feature but cannot make changes to the
configuration. There are no Create or Apply buttons and lists display only the View
icon instead of icons for Edit, Delete or other modification commands.
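The following is an added example, not FortiOS code: a small model of how an admin profile's access control categories gate CLI commands, built from Table 29 and the rule that "get" and "show" need Read Only access while "config" needs Read-Write. The command-to-category mappings are taken from the table, including the "system except accprofile, admin, ..." rule for System Configuration; the guide does not state which level "execute" commands need, so the model assumes Read-Write for them, and anything not listed in the table is denied. The REPORT_PROFILE dictionary is a constructed sample profile.

```python
"""Admin-profile gating of FortiGate CLI commands (added example, not FortiOS code).

A profile maps each access control category, named by its CLI name from
Table 29 (admingrp, avgrp, ...), to "none", "read" or "read-write".
"""
NONE, READ, READ_WRITE = "none", "read", "read-write"
RANK = {NONE: 0, READ: 1, READ_WRITE: 2}

# Configuration trees (the tokens after config/get/show) and their category.
# Two-token prefixes are tried before one-token prefixes, so "system admin"
# resolves to admingrp while any other "system ..." tree falls to sysgrp,
# which is Table 29's "system except accprofile, admin, arp-table,
# autoupdate, fortianalyzer, interface, and zone".
CONFIG_TREES = {
    ("system", "admin"): "admingrp",
    ("system", "accprofile"): "admingrp",
    ("antivirus",): "avgrp",
    ("user",): "authgrp",
    ("firewall",): "fwgrp",
    ("system", "autoupdate"): "updategrp",
    ("ips",): "ipsgrp",
    ("alertemail",): "loggrp",
    ("log",): "loggrp",
    ("system", "fortianalyzer"): "loggrp",
    ("system", "arp-table"): "netgrp",
    ("system", "dhcp"): "netgrp",
    ("system", "interface"): "netgrp",
    ("system", "zone"): "netgrp",
    ("router",): "routegrp",
    ("spamfilter",): "spamgrp",
    ("vpn",): "vpngrp",
    ("webfilter",): "webgrp",
    ("system",): "sysgrp",
}

# First token after "execute" and its category, from Table 29.
EXECUTE_COMMANDS = {
    "update-av": "updategrp", "update-ips": "updategrp", "update-now": "updategrp",
    "log": "loggrp",
    "formatlogdisk": "mntgrp", "restore": "mntgrp", "backup": "mntgrp",
    "batch": "mntgrp", "usb-disk": "mntgrp",
    "dhcp": "netgrp", "clear": "netgrp", "interface": "netgrp",
    "router": "routegrp", "mrouter": "routegrp",
    "vpn": "vpngrp",
}
for _cmd in ("date", "ha", "ping", "ping-options", "ping6", "time", "traceroute",
             "cfg", "factoryreset", "reboot", "shutdown", "deploy", "set-next-reboot",
             "ssh", "telnet", "disconnect-admin-session", "usb"):
    EXECUTE_COMMANDS[_cmd] = "sysgrp"


def category_for(command):
    """Return the access control category a CLI command falls under, or None."""
    tokens = command.split()
    if len(tokens) < 2:
        return None
    verb, rest = tokens[0], tokens[1:]
    if verb == "execute":
        return EXECUTE_COMMANDS.get(rest[0])
    if verb in ("config", "get", "show"):
        for length in (2, 1):                  # most specific prefix first
            category = CONFIG_TREES.get(tuple(rest[:length]))
            if category:
                return category
    return None


def required_level(command):
    """Access level a command needs: get/show read, config read-write.
    Treating execute as read-write is an assumption (the guide does not say)."""
    verb = command.split()[0]
    if verb in ("get", "show"):
        return READ
    if verb in ("config", "execute"):
        return READ_WRITE
    return None


def command_allowed(profile, command):
    """True if the profile's level for the command's category is sufficient.
    Unknown commands are denied rather than guessed."""
    category = category_for(command)
    level = required_level(command)
    if category is None or level is None:
        return False
    return RANK[profile.get(category, NONE)] >= RANK[level]


# Constructed sample profile: read-only on logs, full network configuration.
REPORT_PROFILE = {"loggrp": READ, "netgrp": READ_WRITE}

if __name__ == "__main__":
    for cmd in ("get log setting", "config log setting", "config system interface",
                "config system admin", "execute reboot"):
        print(f"{cmd!r}: {command_allowed(REPORT_PROFILE, cmd)}")
```

The deny-by-default branch is the part worth keeping when adapting this to a real audit script: a command the table does not name should show up as a gap to investigate, not as silently permitted.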

Viewing the admin profiles list

You need to use the admin account or an account with Admin Users read/write access to
create or edit admin profiles. To view the admin profiles list, go to System > Admin >
Admin Profile.

Figure 116: Admin profile list

Create New     Add a new admin profile.
Profile Name   The name of the admin profile.
Delete icon    Select to delete the admin profile.
               You cannot delete an admin profile that has administrators assigned to it.
Edit icon      Select to modify the admin profile.

Configuring an admin profile

You need to use the admin account or an account with Admin Users read/write access to
edit an admin profile. To configure an admin profile, go to System > Admin > Admin
Profile. Select Create New or select the Edit icon beside an existing profile. Enter or select
the following, and select OK.

Figure 117: Admin profile options

Profile Name     Enter the name of the admin profile.
Access Control   The list of access control categories whose settings you can customize.
None             Deny access to all Access Control categories.
Read Only        Enable read access in all Access Control categories.
Read-Write       Select to allow read/write access in all Access Control categories.
Access Control   Make specific control selections as required. For detailed information
(categories)     about the Access Control categories, see “Admin profiles” on page 216.
GUI Control      Select Standard to use the default FortiGate web-based manager.
                 Select Customize to create a custom web-based manager
                 configuration for the administrators who log in with this admin profile.
                 For more information, see “Customizable web-based manager” on
                 page 225.

Central Management
The Central Management tab provides the option of remotely managing your FortiGate
unit by either a FortiManager unit or the FortiGuard Analysis and Management Service.
From System > Admin > Central Management, you can configure your FortiGate unit to
back up or restore configuration settings automatically to the specified central
management server. The central management server is the type of service you enable,
either a FortiManager unit or the FortiGuard Analysis and Management Service. If you
have a subscription for FortiGuard Analysis and Management Service, you can also
remotely upgrade the firmware on the FortiGate unit.

Figure 118: Central Management using FortiManager

Figure 119: Central Management using the FortiGuard Management Service

Enable Central Management       Enables the Central Management feature on the FortiGate unit.
Type                            Select the type of central management for this FortiGate unit.
                                You can select FortiManager or the FortiGuard Management
                                Service.
FortiManager                    Select to use FortiManager as the central management service
                                for the FortiGate unit.
                                Enter the IP address or name of the FortiManager unit in the
                                IP/Name field.
                                If your organization is operating a FortiManager cluster, add the
                                IP address or name of the primary FortiManager unit to the
                                IP/Name field and add the IP address or name of the backup
                                FortiManager units to the Trusted FortiManager list.
                                Status indicates whether or not the FortiGate unit can
                                communicate with the FortiManager unit added to the IP/Name
                                field.
                                Select Register to include the FortiManager unit in the Trusted
                                FortiManager List.
                                A red arrow-down indicates that there is no connection enabled;
                                a green arrow-up indicates that there is a connection.
                                A yellow caution symbol appears when your FortiGate unit is
                                considered an unregistered device by the FortiManager unit.
FortiGuard Management Service   Select to use the FortiGuard Management Service as the central
                                management service for the FortiGate unit.
                                Enter the Account ID in the Account ID field. If you do not have
                                an account ID, register for the FortiGuard Management Service
                                on the FortiGuard Management Service web site.
                                Select Change to go directly to System > Maintenance >
                                FortiGuard. Under Analysis & Management Service Options,
                                enter the account ID in the Account ID field.

When you configure your FortiGate unit to connect to and communicate with a
FortiManager unit, the steps to take depend on which of the following two deployment
scenarios applies.
• FortiGate is directly reachable from FortiManager:
  • In the FortiManager GUI, add the FortiGate unit to the FortiManager database in
    the Device Manager module
  • Change the FortiManager IP address
  • Change the FortiGate IP address
• FortiGate behind NAT:
  • In System > Admin > Central Management, choose FortiManager
  • Add the FortiManager unit to the Trusted FortiManager List, if applicable
  • Change the FortiManager IP address
  • Change the FortiGate IP address
  • Contact the FortiManager administrator to verify the FortiGate unit displays in the
    Device list in the Device Manager module

Revision control
The Revision Control tab displays a list of the backed up configuration files. The list
displays only when your FortiGate unit is managed by a central management server. For
more information, see “Managing configuration revisions” on page 255.


Settings
The Settings tab includes the following features that you can configure:
• ports for HTTP/HTTPS administrative access and SSL VPN login
• the idle timeout setting
• settings for the language of the web-based manager and the number of lines displayed
in generated reports
• PIN protection for LCD and control buttons (LCD-equipped models only)
• SCP capability for users logged in via SSH
• IPv6 support on the web-based manager.
To configure settings, go to System > Admin > Settings, enter or select the following and
select OK.

Figure 120: Administrators Settings

Web Administration Ports
HTTP                  TCP port to be used for administrative HTTP access. The default is 80.
HTTPS                 TCP port to be used for administrative HTTPS access. The default is
                      443.
SSLVPN Login Port     An alternative HTTPS port number for remote client web browsers to
                      connect to the FortiGate unit. The default port number is 10443.
Telnet Port           TCP port to be used for administrative telnet access. The default is 23.
SSH Port              TCP port to be used for administrative SSH access. The default is 22.
Enable SSH v1         Enable compatibility with SSH v1 in addition to v2. (Optional)
compatibility
Timeout Settings
Idle Timeout          The number of minutes that an administrative connection can be idle
                      before the administrator must log in again. The maximum is 480
                      minutes (8 hours). To improve security, keep the idle timeout at the
                      default value of 5 minutes.
Display Settings
Language              The language the web-based manager uses. Choose from English,
                      Simplified Chinese, Japanese, Korean, Spanish, Traditional Chinese
                      or French.
                      You should select the language that the management computer
                      operating system uses.
Lines per Page        Number of lines per page to display in table lists. The default is 50.
                      The range is 20 to 1000.
IPv6 Support on GUI   Enable to configure IPv6 options from the GUI (Firewall policy, route,
                      address and address group). By default these options can be
                      configured from the CLI only.
LCD Panel (LCD-equipped models only)
PIN Protection        Select and enter a 6-digit PIN.
                      Administrators must enter the PIN to use the control buttons and LCD.
Enable SCP            Enable users logged in through SSH to use SCP to copy the
                      configuration file.

Note: If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH,
ensure that the port number is unique.

Monitoring administrators
To see the number of logged-in administrators, go to System > Status. Under System
Information, you will see Current Administrators. Select Details to view information about
the administrators currently logged in to the FortiGate unit.

Figure 121: System Information displaying current administrators


Figure 122: Detailed view of Administrators logged in monitor window

Disconnect    Select to disconnect the selected administrators. This is available only
              if your admin profile gives you System Configuration write permission.
Refresh       Select to update the list.
Close         Select to close the window.
              Select and then select Disconnect to log off this administrator. This is
              available only if your admin profile gives you System Configuration
              write access. You cannot log off the default “admin” user.
User Name     The administrator account name.
Type          The type of access: http, https, jsconsole, sshv2.
From          If Type is jsconsole, the value in From is N/A.
              Otherwise, From contains the administrator’s IP address.
Time          The date and time that the administrator logged on.

FortiGate IPv6 support

IPv6 is version 6 of the Internet Protocol. It can provide billions more unique IP addresses
than the previous standard, IPv4. The internet is currently in transition from IPv4 to IPv6
addressing. IPv6 hosts and routers maintain interoperability with the existing IPv4
infrastructure in two ways:
• implementing dual IP layers to support both IPv6 and IPv4
• using IPv6 over IPv4 tunneling to encapsulate IPv6 packets within IPv4 headers to
carry them over IPv4 infrastructure.
FortiGate units are dual IP layer IPv6/IPv4 nodes. They support IPv6 over IPv4 tunneling,
routing, firewall policies and IPSec VPN. You can assign both an IPv4 and an IPv6
address to any interface on a FortiGate unit; the interface then functions as two interfaces,
one for IPv4-addressed packets and another for IPv6-addressed packets.
For more information, see the FortiGate IPv6 Support Technical Note available from the
Fortinet Knowledge Center.
Before you can work with IPv6 on the web-based manager, you must enable IPv6 support.
To enable IPv6 support, go to System > Admin > Settings, then under Display Settings,
select IPv6 Support on GUI.
After you enable IPv6 support in the web-based manager, you can:
• create IPv6 static routes (see Router Static)
• monitor IPv6 routes (see Router Monitor)
• create IPv6 firewall addresses (see Firewall Address)
• create IPv6 firewall address groups (see Firewall Address)
• create IPv6 firewall policies (see Firewall Policy)
• create VPNs that use IPv6 addressing (see VPN IPSEC)


Once IPv6 support is enabled, you can configure the IPv6 options using the web-based
manager or the CLI.
See the FortiGate CLI Reference for information on configuring IPv6 support using the
CLI.

Customizable web-based manager

In addition to configuring administrators with varying levels of access to different parts of
the FortiGate unit configuration, you can customize the FortiGate web-based manager (or
GUI) to show, hide, and arrange widgets/menus/items according to your specific
requirements. In standard operation mode, the display is static. Customizing the display
allows you to vary or limit the GUI layout—to fulfill different administrator roles. There are
also several configuration widgets which you can enable for CLI-only options that are not
displayed by default. Only administrators with the super_admin admin profile may create
and edit GUI layouts. The customized GUI layouts are stored as part of the administrator
admin profile.
New admin profiles are based on the default layout. The FortiGate default layout cannot
be modified.
Terms used in this section include:
• Dialog box - HTML-layer pop-up window. Displayed via HTML with grayed-out
background (see Figure 126).
• GUI layout - web-based manager layout configured for a specific Admin Profile (see
Figure 137).
• Page layout - arrangement of widgets on a screen of the web-based manager (see
Figure 134).
• Tier 1 menu item - top-level menu item in web-based manager layout (see “To create
Tier-1 and Tier-2 menu items” on page 229).
• Tier 2 menu item - submenu item in web-based manager layout (see “To create Tier-1
and Tier-2 menu items” on page 229).

Tip: Increase the timeout settings before creating or editing a GUI layout. See “Settings” on
page 222.

GUI layout customization example

The following example illustrates the basic steps to customize the display. The example
assumes that you are an administrator with a super_admin profile performing the
customization. The super_admin will create a profile called Report Profile for a regular
admin user. This admin profile will allow the regular admin user read-only access to
logs and reports produced by the FortiGate unit, and also prevent that user from viewing
additional FortiGate features.
Before customizing the GUI layout, you need to configure the administrative admin profile.
To configure the profile, go to System > Admin > Admin Profile and select Create New.


Figure 123: Admin profile dialog box (default settings)

Note: The current administrator Access Control settings apply only to the fixed components
of the layout (default), not to the customized items. If you want to create a completely
customized layout profile, you must set access for all fixed components to None and also
set all the standard menu items to Hide from within the GUI layout dialog box (see
Figure 126).

The following configuration will set up read-only administrative access to Log&Report
items for the Report Profile profile, and prevent access to the default layout.


Figure 124: Admin Profile dialog box - Log & Report access (callouts: Access denied to
other layout items; Read-only access selected for Log & Report; Standard GUI Control
Menu Layout selection)

To configure the admin profile

1 Enter the name Report Profile (see Figure 124).
2 To prevent access to the default layout items, set Access Control to None for all items
except Log & Report.
3 Under GUI Control > Menu Layout, select Standard.
4 Select OK to save the settings. The admin profiles list reappears.
5 From the list, select the Edit icon beside Report Profile.
6 Under GUI Control > Menu Layout, select Customize, and then select OK (see
Figure 125 and Figure 126).


Figure 125: Selection of Customize GUI Control option for Report Profile (callout: select
Customize to access the layout dialog box)

Figure 126: Customize GUI layout dialog box for Report Profile (callouts: Customization
drop-down menu icon; Customization drop-down menu; Edit Layout; Show Preview; Add
Content; Save layout; Cancel layout changes; Layout preview icon; Create new Tier-1
menu item; Reset menu to default layout configuration)

In the GUI layout dialog box, select the customization drop-down menu icon beside
System and select hide (see Figure 126). Repeat for each menu item except Log&Report.


To start the configuration of customized menu items, select the Create New (Tier-1 menu
item) icon in the FortiGate menu. You will need to:
• configure Tier-1 and Tier-2 menu items
• add tabs to each of these items as required
• add content to the page layout.

To create Tier-1 and Tier-2 menu items

1 Select the Create New Tier-1 icon.
The first Tier-1 menu item with the default name custom menu will appear, with an
additional Create New Tier-1 icon below it (1).
2 Select and rename the default name to Custom Log Report (2).
3 Press Enter to save your change.
The Create New Tier-2 icon will appear, with the default name custom menu.
4 Select the Create New Tier-2 icon (3).
5 The first Tier-2 menu item with the default name custom menu will appear, with an
additional Create New Tier-2 icon below it (4).
6 Select and rename the default name to Custom Log Menu1 (5).
7 Press Enter to save your change.
8 Repeat steps 4 to 7 to create a second Tier-2 menu item called Custom Log Menu2 (5)
and (6).

Figure 127: Creating Tier-1 and Tier-2 menu items in FortiGate menu (callouts 1 and 2:
creation of new Tier-1 menu item Custom Log Report; 3 and 4: creation of new Tier-2
menu item Custom Log Menu1; 5 and 6: creation of new Tier-2 menu item Custom Log
Menu2)

After you create Tier-1 and Tier-2 menu items, you need to create the subset of tab items
across the page layout. The Create New tab icon is not available until you have created
the Tier-1 and Tier-2 menu items.

To create a new tab

1 Select the Create New tab item icon (see Figure 5).
A tab is created with the default name custom menu, and an additional Create New
icon appears beside it.


2 Select and rename the default name to Custom Log Report Tab1 (see Figure 129).
3 Press Enter to save your change.
4 Repeat steps 1 to 3 to create a second tab called Custom Log Report Tab2.
5 To save your customized layout, select Save in the GUI layout dialog box (see
Figure 126).

Figure 128: Create New tab (callout: Create New tab item icon)

Figure 129: Creating tabs in page layout (callouts: creation of tab Custom Log Report
Tab1; creation of tab Custom Log Report Tab2)

To modify the configuration of the current page

1 Select the required tab, then select Edit Layout.
The Edit this tab dialog box appears (see Figure 130). You may configure the page
layout to display only one widget (Full page), a page layout with one column that
displays up to 8 widgets (1 column), or a page layout with two columns (2 columns)
that displays up to 8 widgets.
2 For the Custom Log Report Tab1, select 2 columns.
3 To save your modified configuration, select Save in the Edit this tab dialog box.


Figure 130: Edit this tab dialog box

To add content to the page layout, select Add Content (see Figure 126). The Add content
to the Custom Log Report Tab1 dialog box appears (see Figure 131).

Figure 131: Add content dialog box (callout: Search text box)

The Add content dialog box includes a search feature that you can use to find widgets.
This search employs a real-time filtering mechanism with a “contains” type search on the
widget names. For example, if you search on “use”, you will be shown User Group, IM
User Monitor, Firewall User Monitor, Banned User, and Top Viruses (see Figure 132).


Figure 132: Search mechanism - results for “use” (callouts: Search on “use”; Search
results)

For Custom Log Report Tab1, select the Log&Report category. All the items related to the
Log&Report menu item are listed (see Figure 133). Select Add next to an item that you
want to include in the tab. The item is placed in the page layout behind the Custom Log
Report Tab1 dialog box. You will see the configured layout when you close the Add
content to the Custom Log Report Tab1 dialog box. The maximum number of items that
can be placed in a page layout is 8.
For the Custom Log Report Tab1, select the following items for inclusion in the layout:
• Alert E-mail
• Schedule.
Close the Edit Layout dialog box.

Figure 133: Log&Report category selection for Custom Log Report Tab1


Figure 134: Custom Log Report Tab1 page layout preview

For the Custom Log Report Tab2, select the following items for inclusion in the layout:
• Event Log
• Log Setting.


Figure 135: Log&Report category selection for Custom Log Report Tab2

Figure 136: Custom Log Report Tab2 page layout preview

To preview a customized layout in the custom GUI layout dialog box, select Show Preview
(see Figure 137). When you have completed the configuration selections for the page
layout, select Save to close the custom GUI layout dialog box (see Figure 137). To
abandon the configuration, select Reset menus (see Figure 137). To exit the GUI layout
dialog box without saving your changes, select Cancel (see Figure 137).


Figure 137: Report Profile customized GUI layout dialog box - complete (callouts: Cancel;
Show Preview; Save; Reset menus)

When you complete the customization, close the dialog box to return to the Admin Profile
dialog box in which you configured the custom GUI. To save the configuration, select OK
to close the Admin Profile dialog box (see Figure 123).
To view the web-based manager configuration created in Report Profile, you must log out
of the FortiGate unit, then log back in using the name and password of an administrator
assigned the Report Profile administrative profile. The FortiGate web-based manager
reflects the customized configuration of Report Profile (see Figure 138).

Figure 138: Customized FortiGate web-based manager page


System Certificates
This section explains how to manage X.509 security certificates using the FortiGate web-
based manager. From the Certificates menu, administrators can generate certificate
requests, install signed certificates, import CA root certificates and certificate revocation
lists (CRLs), and back up and restore installed certificates and private keys.
Authentication is the process of determining whether a remote host can be trusted with
access to network resources. To establish its trustworthiness, the remote host must present
a certificate issued by a certification authority (CA) that the FortiGate unit trusts. The
FortiGate unit can then use certificate authentication to allow or reject administrative
access over HTTPS, and to authenticate IPSec VPN peers or clients as well as SSL VPN
user groups or clients.
If you enable virtual domains (VDOMs) on the FortiGate unit, system certificates are
configured globally for the entire FortiGate unit. For details, see “Using virtual domains” on
page 103.
For additional background information on certificates, see the FortiGate Certificate
Management User Guide.
This section describes:
• Local Certificates
• Remote Certificates
• CA Certificates
• CRL

Local Certificates
Certificate requests and installed server certificates are displayed in the Local Certificates
list. When you submit a request to a CA, the CA verifies the information in it and issues a
digital certificate that binds the FortiGate unit's public key to the subject information,
together with a serial number and an expiration date. The CA signs the certificate with its
own private key and returns it to you to install on the FortiGate unit. The request contains
only the public key; the matching private key, generated with the request, stays on the
FortiGate unit.
To view certificate requests and/or import signed server certificates, go to System >
Certificates > Local Certificates. To view certificate details, select the View Certificate
Detail icon in the row that corresponds to the certificate.


Figure 139: Local Certificates list (icons: Download, View Certificate Detail, Delete)

Generate Generate a local certificate request. For more information, see “Generating a
certificate request” on page 238.
Import Import a signed local certificate. For more information, see “Importing a signed
server certificate” on page 240.
Name The names of existing local certificates and pending certificate requests.
Subject The Distinguished Names (DNs) of local signed certificates.
Comments A description of the certificate.
Status The status of the local certificate. PENDING designates a certificate request
that needs to be downloaded and signed.
View Certificate Display certificate details such as the certificate name, issuer, subject, and
Detail icon valid certificate dates.
Delete icon Delete the selected certificate request or installed server certificate from the
FortiGate configuration. This is available only if the certificate has PENDING
status.
Download icon Save a copy of the certificate request to a local computer. You can send the
request to your CA to obtain a signed server certificate for the FortiGate unit
(file-based enrollment; requests made with Online SCEP are submitted to the
CA automatically).

For detailed information and step-by-step procedures related to obtaining and installing
digital certificates, see the FortiGate Certificate Management User Guide.

Generating a certificate request
The FortiGate unit generates a certificate request based on the information you enter to
identify the FortiGate unit. Generated requests are displayed in the Local Certificates list
with a status of PENDING. After you generate a certificate request, you can download the
request to a computer that has management access to the FortiGate unit and then forward
the request to a CA.


To fill out a certificate request, go to System > Certificates > Local Certificates, select
Generate, and complete the fields in the table below. To download and send the certificate
request to a CA, see “Downloading and submitting a certificate request” on page 240.

Figure 140: Generate Certificate Signing Request (icon: Remove/Add OU)

Certificate Name Enter a certificate name. Typically, this would be the name of the
FortiGate unit. To allow the signed certificate to be exported as a PKCS12
file later if required, do not include spaces in the name.
Subject Information Enter the information that identifies the FortiGate unit. Clients compare
this identity with the address they use to reach the unit, so choose the
form they will actually connect to:
Host IP If the FortiGate unit has a static public IP address, select Host IP and
enter that address. If the FortiGate unit does not have a static public IP
address, use a domain name (if available) or an email address instead.
Domain Name If the FortiGate unit has a dynamic IP address and subscribes to a
dynamic DNS service, use a domain name to identify the FortiGate unit.
If you select Domain Name, enter the fully qualified domain name of the
FortiGate unit. Do not include the protocol specification (http://) or any
port number or path names. If a domain name is not available and the
FortiGate unit has a dynamic IP address, an "unable to verify certificate"
message may be displayed in the user's browser whenever the public IP
address of the FortiGate unit changes.
E-Mail If you select E-mail, enter the email address of the owner of the FortiGate
unit.
Optional Information Complete as described or leave blank.
Organization Unit Enter the name of your department or departments. You can enter a
maximum of 5 Organization Units. To add or remove a unit, use the plus
(+) or minus (-) icon.
Organization Enter the legal name of your company or organization.


Locality (City) Enter the name of the city or town where the FortiGate unit is installed.
State/Province Enter the name of the state or province where the FortiGate unit is
installed.
Country Select the country where the FortiGate unit is installed.
e-mail Enter the contact email address.
Key Type Only RSA is supported.
Key Size Select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to generate
but they provide better security. Select 2048 Bit: 1024-bit RSA keys are
no longer considered adequate, and public CAs no longer sign requests
for them.
Enrollment Method Select one of the following methods:
File Based Select to generate a request that you download and submit to the CA
yourself. See "Downloading and submitting a certificate request" on
page 240.
Online SCEP Select to obtain a signed certificate automatically over the network using
the Simple Certificate Enrollment Protocol (SCEP).
CA Server URL: Enter the URL of the SCEP server from which to retrieve
the CA certificate and to which the request is submitted.
Challenge Password: Enter the challenge password issued by the CA. The
SCEP server uses it to authorize the enrollment, so treat it as a secret.

Downloading and submitting a certificate request
You have to fill out a certificate request and generate the request before you can submit
the results to a CA. For more information, see “Generating a certificate request” on
page 238.

To download and submit a certificate request
1 Go to System > Certificates > Local Certificates.
2 In the Local Certificates list, select the Download icon in the row that corresponds to
the generated certificate request.
3 In the File Download dialog box, select Save to Disk.
4 Name the file and save it to the local file system.
5 Submit the request to your CA as follows:
• Using the web browser on the management computer, browse to the CA web site.
• Follow the CA instructions to upload your base-64 (PEM) encoded PKCS#10 certificate
request. The request carries only the public key and the subject information; the
private key stays on the FortiGate unit and is never sent to the CA.
• Follow the CA instructions to download the CA's root certificate and Certificate
Revocation List (CRL), and then install the root certificate and CRL on each remote
client (refer to the browser documentation) and on the FortiGate unit (see "CA
Certificates" on page 243 and "CRL" on page 244).
6 When you receive the signed certificate from the CA, install the certificate on the
FortiGate unit. See "Importing a signed server certificate" on page 240.
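The same kind of request can be produced and inspected on the management computer with OpenSSL before it is handed to the CA. The script below is an added example written for this guide; it is not Fortinet code and does not show what the FortiGate unit does internally. It assumes openssl(1) 1.1.1 or later is installed, and the host name fgt.example.com, the organization names and the e-mail address are constructed sample values. It maps the fields of the Generate form onto a PKCS#10 request, keeps the private key on the generating machine (only the .csr file needs to travel), and checks the key size and the request's self-signature, which is the first thing a CA verifies on receipt.

```shell
#!/bin/sh
# Added example (not part of the FortiGate documentation): build and check a
# PKCS#10 certificate request with the same subject fields as the Generate
# form. All names and addresses below are constructed samples.
set -eu

FGT_FQDN="fgt.example.com"   # Subject Information: Domain Name
# Organization Unit may be repeated (the GUI allows up to 5 OU entries).
SUBJECT="/C=CA/ST=British Columbia/L=Burnaby/O=Example Corp/OU=IT/OU=Network Security/CN=${FGT_FQDN}/emailAddress=admin@example.com"

# write_req_cnf DIR: minimal openssl.cnf so the script does not depend on the
# system-wide configuration file (req(1) insists on a distinguished_name section).
write_req_cnf() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$1/req.cnf"
}

# make_csr DIR: writes DIR/fgt.key (2048-bit RSA, never sent to the CA) and
# DIR/fgt.csr (the base-64/PEM PKCS#10 request the CA needs).
make_csr() {
    write_req_cnf "$1"
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "$SUBJECT" -addext "subjectAltName=DNS:${FGT_FQDN}" \
        -keyout "$1/fgt.key" -out "$1/fgt.csr" 2>/dev/null
}

# csr_key_bits CSR: prints the RSA modulus size carried in the request.
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_key_ok CSR: 0 when the key meets the 2048-bit floor, 1 for 1024 or 1536.
csr_key_ok() {
    bits=$(csr_key_bits "$1")
    if [ "$bits" -ge 2048 ]; then return 0; else return 1; fi
}

# csr_subject CSR: the DN the CA will copy into the certificate.
csr_subject() { openssl req -in "$1" -noout -subject; }

# csr_self_sig_ok CSR: 0 if the request's signature verifies under the public
# key it carries, i.e. it was not corrupted or edited after generation.
csr_self_sig_ok() {
    if openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'; then return 0; else return 1; fi
}

# Stand-alone run: generate into a scratch directory and report.
WORK=$(mktemp -d)
make_csr "$WORK"
csr_subject "$WORK/fgt.csr"
echo "key bits: $(csr_key_bits "$WORK/fgt.csr")"
csr_key_ok "$WORK/fgt.csr" && csr_self_sig_ok "$WORK/fgt.csr" && echo "request ready to submit: $WORK/fgt.csr"
```

The file written to fgt.csr is what step 5 uploads to the CA; fgt.key corresponds to the key the FortiGate unit keeps when it generates the request itself and is only needed if the certificate is later imported with the Upload Certificate dialog box.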

Importing a signed server certificate
Your CA will provide you with a signed server certificate to install on the FortiGate unit.
When you receive the signed certificate from the CA, save the certificate on a computer
that has management access to the FortiGate unit.
To install the signed server certificate, go to System > Certificates > Local Certificates and
select Import. The certificate file can be in either PEM or DER format. The other dialog
boxes are for importing previously exported certificates and private keys.


Figure 141: Upload Local Certificate

Certificate File Enter the full path to and file name of the signed server certificate.
Browse Alternatively, browse to the location on the management computer where the
certificate has been saved, select the certificate, and then select OK.

Importing an exported server certificate and private key
A server certificate and its private key that were previously exported from a FortiGate unit
are contained in a single PKCS12 file. The file is protected by a password, which you will
need to know in order to import the file. Before you begin, save a copy of the file on a
computer that has management access to the FortiGate unit. For more information, see the
FortiGate Certificate Management User Guide.
To import the PKCS12 file, go to System > Certificates > Local Certificates and select
Import.

Figure 142: Upload PKCS12 Certificate

Certificate with key Enter the full path to and file name of the previously exported PKCS12 file.
file
Browse Alternatively, browse to the location on the management computer where the
PKCS12 file has been saved, select the file, and then select OK.
Password Type the password needed to upload the PKCS12 file.

Importing separate server certificate and private key files
You need to use the Upload Certificate dialog box to import a server certificate and the
associated private key file when the server certificate request and private key were not
generated by the FortiGate unit. The two files to import must be available on the
management computer.

Figure 143: Upload Certificate


Certificate file Enter the full path to and file name of the previously exported certificate file.
Browse Alternatively, browse to the location of the previously exported certificate file,
select the file, and then select OK.
Key file Enter the full path to and file name of the previously exported key file.
Browse Alternatively, browse to the location of the previously exported key file, select the
file, and then select OK.
Password If the key file is encrypted, type the password needed to open it.

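Before a certificate and key generated elsewhere are uploaded, it is worth confirming that they belong together and packaging them in a form the unit accepts. The script below is an added example for this guide, not Fortinet code; the self-signed certificate and keys it creates are constructed stand-ins for a CA-issued certificate, and it assumes openssl(1) 1.1.1 or later. It serves both the PKCS12 import ("Importing an exported server certificate and private key") and the separate certificate and key import above: it compares the public key in the certificate with the one derived from the private key, exports a PKCS12 bundle encrypted with AES-256-CBC rather than the 40-bit RC2-CBC that OpenSSL 1.x applies to the certificate bag by default, and reads the bundle back to check which algorithms it records.

```shell
#!/bin/sh
# Added example (not part of the FortiGate documentation): check that a server
# certificate and private key match, then bundle them as PKCS12 for upload.
set -eu

# write_req_cnf DIR: minimal config so req(1) does not need the system openssl.cnf.
write_req_cnf() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$1/req.cnf"
}

# make_sample_pair DIR: constructed stand-in for a CA-issued certificate and its
# key (fgt.crt/fgt.key), plus an unrelated key (other.key) for the negative case.
make_sample_pair() {
    write_req_cnf "$1"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=fgt.example.com" -keyout "$1/fgt.key" -out "$1/fgt.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}

# cert_key_match CERT KEY: 0 if KEY is the private half of the public key in CERT.
# Compares the SubjectPublicKeyInfo from both sides, so it works for any key type.
cert_key_match() {
    cert_spki=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_spki=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_spki" = "$key_spki" ]; then return 0; else return 1; fi
}

# export_p12 CERT KEY OUT PASSWORD: PKCS12 with AES-256-CBC for both the
# certificate and key bags and a SHA-256 MAC. Without -certpbe, OpenSSL 1.x
# encrypts the certificate bag with pbeWithSHA1And40BitRC2-CBC, which the
# FortiGate unit does not accept.
export_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4" \
        -name fortigate -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256
}

# p12_pbe_lines FILE PASSWORD: the encryption algorithms recorded in the bundle.
p12_pbe_lines() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 \
        | grep -i -e 'Encrypted data' -e 'Shrouded Keybag' || true
}

# p12_uses_rc2_40 FILE PASSWORD: 0 if any bag uses 40-bit RC2-CBC (reject it).
p12_uses_rc2_40() {
    if p12_pbe_lines "$1" "$2" | grep -q '40BitRC2'; then return 0; else return 1; fi
}

# p12_cert_subject FILE PASSWORD: subject of the certificate inside the bundle.
p12_cert_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# Stand-alone run with a constructed certificate/key pair and a throwaway password.
WORK=$(mktemp -d)
make_sample_pair "$WORK"
cert_key_match "$WORK/fgt.crt" "$WORK/fgt.key" && echo "fgt.key matches fgt.crt"
cert_key_match "$WORK/fgt.crt" "$WORK/other.key" || echo "other.key does NOT match fgt.crt (upload would fail)"
export_p12 "$WORK/fgt.crt" "$WORK/fgt.key" "$WORK/fgt.p12" 'Sample-P12-Password'
p12_pbe_lines "$WORK/fgt.p12" 'Sample-P12-Password'
p12_uses_rc2_40 "$WORK/fgt.p12" 'Sample-P12-Password' || echo "bundle OK: no 40-bit RC2-CBC"
```

The password given to export_p12 is the one the Upload PKCS12 Certificate dialog box asks for; the bundle and the password should travel separately, since together they are the server's identity.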
Note: The PKCS12 file, or the separately uploaded certificate and key files, must not use
40-bit RC2-CBC encryption.

Remote Certificates
Remote certificates are public certificates without a private key. They are the certificates
of Online Certificate Status Protocol (OCSP) responders, which the FortiGate unit queries
for dynamic certificate revocation status instead of relying only on periodically downloaded
CRLs. The OCSP server is configured in the CLI only. For more information, see the
FortiGate CLI Reference.
Installed Remote (OCSP) certificates are displayed in the Remote Certificates list.
To view installed Remote (OCSP) certificates or import a Remote (OCSP) certificate, go to
System > Certificates > Remote. To view certificate details, select the View Certificate
Detail icon in the row that corresponds to the certificate.

Note: Each VDOM has one OCSP server configuration.

Figure 144: Remote certificate list

Import Import a public OCSP certificate. See "Importing Remote (OCSP) certificates" on page 243.
Name The names of existing Remote (OCSP) certificates. The FortiGate unit assigns
unique names (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and so
on) to the Remote (OCSP) certificates when they are imported.
Subject Information about the Remote (OCSP) certificate.
Delete icon Delete a Remote (OCSP) certificate from the FortiGate configuration.
View Certificate Display certificate details.
Detail icon
Download icon Save a copy of the Remote (OCSP) certificate to a local computer.


Importing Remote (OCSP) certificates
To import a Remote (OCSP) certificate, go to System > Certificates > Remote and select
Import.

Figure 145: Upload Remote Certificate

Local PC Enter the path on the management computer to the public certificate file to
upload.
Browse Alternatively, browse to the location on the management computer where
the certificate has been saved, select the certificate, and then select OK.

The system assigns a unique name to each Remote (OCSP) certificate. The names are
numbered consecutively (REMOTE_Cert_1, REMOTE_Cert_2, REMOTE_Cert_3, and
so on).

CA Certificates
The FortiGate unit validates the certificates presented by remote clients against the root
certificate of the CA that issued them. When you apply for signed personal or group
certificates to install on remote clients, you must therefore also obtain the corresponding
root certificate and CRL from the issuing CA.
When you receive the client certificates, install them on the remote clients according to the
browser documentation. Install the corresponding root certificate and CRL from the issuing
CA on the FortiGate unit. Import only the CAs whose clients you intend to trust: any CA in
this list can issue certificates that authenticate to the FortiGate unit.
Installed CA certificates are displayed in the CA Certificates list. You cannot delete the
Fortinet_CA certificate. To view installed CA root certificates or import a CA root
certificate, go to System > Certificates > CA Certificates. To view root certificate details,
select the View Certificate Detail icon in the row that corresponds to the certificate.

Figure 146: CA Certificates list (icons: View Certificate Detail, Download)

Import Import a CA root certificate. See “Importing CA certificates” on page 244.


Name The names of existing CA root certificates. The FortiGate unit assigns unique
names (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on) to the CA
certificates when they are imported.
Subject Information about the issuing CA.
Delete icon Delete a CA root certificate from the FortiGate configuration.
View Certificate Display certificate details.
Detail icon
Download icon Save a copy of the CA root certificate to a local computer.


For detailed information and step-by-step procedures related to obtaining and installing
digital certificates, see the FortiGate Certificate Management User Guide.

Importing CA certificates
After you download the root certificate of the CA, save the certificate on a PC that has
management access to the FortiGate unit.
To import a CA root certificate, go to System > Certificates > CA Certificates and select
Import.

Figure 147: Import CA Certificate

SCEP Select to retrieve the CA certificate from an SCEP server for user
authentication. Enter the URL of the SCEP server from which to retrieve
the CA certificate. Optionally, enter an identifier for the CA, such as the
CA name or file name the SCEP server expects. Select OK.
Local PC Select to upload a public certificate from the administrator's PC. Enter
the location, or browse to the location on the management computer where
the certificate has been saved, select the certificate, and then select OK.

If you choose SCEP, the system starts the retrieval process as soon as you select OK.
The system assigns a unique name to each CA certificate. The names are numbered
consecutively (CA_Cert_1, CA_Cert_2, CA_Cert_3, and so on).

CRL
A Certificate Revocation List (CRL) is a CA-signed list of the serial numbers of certificates
that the CA has revoked before their expiry date, with the revocation date of each.
Installed CRLs are displayed in the CRL list. The FortiGate unit checks the CRLs it holds
to ensure that the certificates presented by remote clients, and those of CAs, are still
valid.
To view installed CRLs, go to System > Certificates > CRL.

Figure 148: Certificate revocation list (icons: View Certificate Detail, Download)


Import Import a CRL. For more information, see “Importing a certificate revocation list”
on page 245.
Name The names of existing certificate revocation lists. The FortiGate unit assigns
unique names (CRL_1, CRL_2, CRL_3, and so on) to certificate revocation lists
when they are imported.
Subject Information about the certificate revocation lists.
Delete icon Delete the selected CRL from the FortiGate configuration.
View Certificate Display CRL details such as the issuer name and CRL update dates.
Detail icon
Download icon Save a copy of the CRL to a local computer.

Importing a certificate revocation list
Certificate revocation lists from CA web sites must be kept updated on a regular basis to
ensure that clients having revoked certificates cannot establish a connection with the
FortiGate unit. After you download a CRL from the CA web site, save the CRL on a
computer that has management access to the FortiGate unit.

Note: When the CRL is configured with an LDAP, HTTP, and/or SCEP server, the latest
version of the CRL is retrieved automatically from the server when the FortiGate unit does
not have a copy of it or when the current copy expires.

To import a certificate revocation list, go to System > Certificates > CRL and select Import.

Figure 149: Import CRL

HTTP Select to use an HTTP server to retrieve the CRL. Enter the URL of the HTTP
server.
LDAP Select to use an LDAP server to retrieve the CRL, then select the LDAP
server from the list.
SCEP Select to use an SCEP server to retrieve the CRL, then select the Local
Certificate from the list. Enter the URL of the SCEP server from which the
CRL can be retrieved.
Local PC Select to upload a CRL file from the administrator's PC. Enter the location,
or browse to the location on the management computer where the CRL has
been saved, select the file, and then select OK.

The system assigns a unique name to each CRL. The names are numbered consecutively
(CRL_1, CRL_2, CRL_3, and so on).
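A CRL protects the unit only while it is fresh and only if it is actually consulted. The script below is an added example for this guide; it is not Fortinet code and does not describe FortiOS internals. It assumes openssl(1) 1.1.1 or later and uses constructed values for the CA name, host name and validity periods. It builds a throwaway CA with openssl ca(1), issues a server certificate, publishes a CRL, revokes the certificate, republishes, and shows how the verdict on the same certificate flips. The openssl crl command it uses to read nextUpdate works unchanged on a CRL downloaded from a real CA; that is the time after which a FortiGate unit configured with an HTTP, LDAP or SCEP source fetches a replacement, and after which a CRL imported from a local PC must be re-imported by hand.

```shell
#!/bin/sh
# Added example (not part of the FortiGate documentation): a throwaway CA that
# issues, revokes and lists a certificate in a CRL, with the checks a relying
# party such as a FortiGate unit performs when a client presents the
# certificate. All names and lifetimes are constructed sample values.
set -eu

# setup_ca DIR: CA key/cert, the openssl ca(1) database, and one server
# certificate (fgt.crt, serial 1000) issued to fgt.example.com.
setup_ca() {
    d="$1"
    mkdir -p "$d/newcerts"
    : > "$d/index.txt"
    echo 1000 > "$d/serial"
    echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
new_certs_dir = $d/newcerts
certificate = $d/ca.crt
private_key = $d/ca.key
serial = $d/serial
crlnumber = $d/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
x509_extensions = v3_leaf
[ demo_policy ]
commonName = supplied
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Issuing CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=fgt.example.com" -keyout "$d/fgt.key" -out "$d/fgt.csr" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -notext -in "$d/fgt.csr" -out "$d/fgt.crt" 2>/dev/null
}

# gen_crl DIR: signs a fresh CRL (valid for default_crl_days) from the CA database.
gen_crl() { openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }

# revoke_cert DIR: marks fgt.crt revoked; relying parties see nothing until gen_crl runs again.
revoke_cert() { openssl ca -config "$1/ca.cnf" -revoke "$1/fgt.crt" 2>/dev/null; }

# crl_next_update DIR: the time after which this CRL must be replaced.
crl_next_update() { openssl crl -in "$1/crl.pem" -noout -nextupdate; }

# crl_lists DIR SERIAL: 0 if the hex SERIAL appears among the CRL's revoked entries.
crl_lists() {
    if openssl crl -in "$1/crl.pem" -noout -text | grep -q "Serial Number: $2"; then return 0; else return 1; fi
}

# cert_accepted DIR: 0 if fgt.crt chains to the CA and is absent from the CRL,
# 1 if it is revoked, the CRL has expired, or the chain does not verify.
cert_accepted() {
    if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/fgt.crt" >/dev/null 2>&1
    then return 0; else return 1; fi
}

# Stand-alone run: issue, check, revoke, re-check.
WORK=$(mktemp -d)
setup_ca "$WORK"
gen_crl "$WORK"
echo "CRL $(crl_next_update "$WORK")"
cert_accepted "$WORK" && echo "before revocation: fgt.crt accepted"
revoke_cert "$WORK"
gen_crl "$WORK"
crl_lists "$WORK" 1000 && echo "serial 1000 now listed"
cert_accepted "$WORK" || echo "after revocation: fgt.crt rejected"
```

The gap between revoke_cert and the second gen_crl is the window in which a revoked client is still accepted by every relying party holding the old CRL; a short default_crl_days bounds that window at the cost of more frequent downloads.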


System Maintenance
This section describes how to maintain your system configuration as well as how to enable
and update FortiGuard Distribution Network (FDN) services. This section also explains the
types of FDN services that are available for your FortiGate unit.
If you enable virtual domains (VDOMs) on the FortiGate unit, system maintenance is
configured globally for the entire FortiGate unit. For more information, see “Using virtual
domains” on page 103.
This section includes the following topics:
• About the Maintenance menu
• Managing configuration revisions
• Using script files
• Configuring FortiGuard Services
• Troubleshooting FDN connectivity
• Updating antivirus and attack definitions
• Enabling push updates
• Adding VDOM Licenses

About the Maintenance menu
The maintenance menu provides help with maintaining and managing firmware,
configuration revisions, script files, and FortiGuard subscription-based services. From this
menu, you can upgrade or downgrade the firmware, view historical backups of
configuration files, or update FortiGuard services.
The maintenance menu has the following tabs:
• Backup & Restore - allows you to back up and restore your system configuration file,
remotely upgrade firmware, and import CLI commands.
• Revision Control - displays all system configuration backups with the date and time of
when they were backed up. Before you can use revision control, a Central
Management server must be configured and enabled.
• Scripts - displays script history execution and provides a way to upload script files to
the FortiGuard Analysis & Management Service portal web site
• FortiGuard - displays all FDN subscription services, such as antivirus and IPS
definitions as well as the FortiGuard Analysis & Management Service. This tab also
provides configuration options for antivirus, IPS, web filtering, and antispam services.
• License - allows you to increase the maximum number of VDOMs (FortiGate-3000
units and higher only).
When backing up the system configuration, web content files and spam filtering files are
also included. You can save the configuration to the management computer or to a USB
disk if your FortiGate unit includes a USB port (see “Formatting USB Disks” on page 255).
You can also restore the system configuration from previously downloaded backup files in
the Backup & Restore menu.


When virtual domain configuration is enabled, the content of the backup file depends on
the administrator account that created it. A backup of the system configuration from the
super_admin account contains global settings and the settings included in each VDOM.
Only the super_admin can restore the configuration from this file. When you back up the
system configuration from a regular administrator account, the backup file contains the
global settings and the settings for the VDOM that the regular administrator belongs to. A
regular administrator is the only user account that can restore the configuration from this
file.
Some FortiGate models support FortiClient by storing a FortiClient image that users can
download. The FortiClient section of Backup & Restore is available if your FortiGate model
supports FortiClient. This feature is currently available on FortiGate-1000A, 3600A, and
5005FA2 models.

Tip: For simplified procedures on managing firmware, including backup and restore
options, and on uploading and downloading firmware for your FortiGate unit, see
"Managing firmware versions" on page 93.

Note: The Firmware section is available only on FortiGate-100A units and higher. If you
have a FortiGate-60B unit or lower, you can upgrade or downgrade the firmware by going
to System > Status and selecting the Update link that appears beside Firmware Version.

Backing up and restoring
The Backup & Restore tab allows you to back up and restore your FortiGate configuration
to your management PC, a central management server, or a USB disk. You can back up
and restore your configuration to a USB disk if the FortiGate unit includes a USB port and
if you have connected a USB disk to the USB port. FortiGate units support most USB
disks including USB keys and external USB hard disks (see “Formatting USB Disks” on
page 255). The central management server is whatever remote management service the
FortiGate unit is connected to. For example, if the current configuration on a FortiGate-60
is backed up to a FortiManager unit, the central management server is the FortiManager
unit.
You must configure central management in System > Admin > Central Management
before these options are available in the Backup & Restore section. For more information,
see “Central Management” on page 220.
To view the backup and restore options, go to System > Maintenance > Backup and
Restore.


Figure 150: Backup and restore page on a FortiGate-1000A unit

Basic backup and restore options
This section of the Backup & Restore page provides the option of backing up the current
configuration file to several different locations, including encryption for added security. You
can also restore a backed-up configuration file.
To view the backup and restore options, go to System > Maintenance >
Backup & Restore.

Figure 151: Backup & Restore options with FortiGuard services option enabled

Backup
Backup configuration to: The options available for backing up your current configuration. Select
one of the displayed options:
Local PC Back up the configuration to the management computer the FortiGate
unit is connected to. Local PC is always displayed regardless of
whether a USB disk is available, FortiGuard Analysis & Management
Service is enabled, or the FortiGate unit is connected to a
FortiManager unit.
FortiGuard | Back up the configuration to the FortiGuard Analysis & Management
Management Station Service. If the service is not enabled, Management Station is
displayed.
USB Disk Back up the configuration file to the USB disk connected to the
FortiGate unit. USB Disk is displayed only if the FortiGate unit includes
a USB port. If you do not connect a USB disk, this option is grayed out.
For more information, see “Formatting USB Disks” on page 255.


FortiManager Back up the configuration to the configured FortiManager unit. If the
FortiGate unit is not connected to a FortiManager unit, this option is not
displayed.
Encrypt configuration Select to encrypt the backup file.
file Encryption must be enabled for the backup to include VPN certificates
and their private keys; an unencrypted backup does not contain them.
Keep the password where the people who will perform a restore can
recover it, because the file cannot be restored without it.
This option is not available for configurations backed up to a
FortiManager unit.
Password Enter a password to encrypt the configuration file. You will need this
password to restore the configuration file.
Confirm Enter the password again to confirm the password.
Filename Enter the name of the backup file or select Browse to locate the file.
The Filename field is available only when you choose to back up the
configuration to a USB disk.
Backup Select to back up the configuration.
If you are backing up to a FortiManager device, a confirmation
message is displayed after successfully completion of the backup.
Restore
Restore configuration The options available for restoring the configuration from a specific file.
from: Select one of the displayed options:
Local PC Restore a configuration file from the management computer the
FortiGate unit is connected to. Local PC is always displayed regardless
of whether a USB disk is available, FortiGuard Analysis &
Management Service is enabled, or the FortiGate unit is connected to
a FortiManager unit.
USB disk Restore a configuration file from the USB disk connected to the
FortiGate unit. USB Disk is displayed only if the FortiGate unit includes
a USB port. If you do not connect a USB disk, this option is grayed out.
See “Formatting USB Disks” on page 255.
FortiGuard Restore a configuration from the FortiGuard Analysis & Management
Service. If FortiGuard Management Services is not enabled, this option
is not displayed and instead displays Management Station.
FortiManager Restore a configuration from the configured FortiManager unit. If the
FortiGate unit is not connected to a FortiManager unit, this option is not
displayed.
Filename Select the configuration file name from the Browse list if you are
restoring the configuration from a USB disk.
Enter the configuration file name or select Browse if you are restoring
the configuration from a file on the management computer.
Password Enter the password you entered when backing up the configuration file.
Restore Select to restore the configuration.

Note: When central management is disabled, Management Station appears. FortiGuard
appears when the FortiGuard Analysis & Management Service is enabled.

Remote FortiManager backup and restore options
Your FortiGate unit can be remotely managed by a FortiManager unit. The FortiGate unit
connects using the FortiGuard-FortiManager protocol. This protocol provides
communication between a FortiGate unit and a FortiManager unit, and runs over SSL
using IPv4/TCP port 541, so any firewall between the two units must permit TCP port 541
from the FortiGate unit to the FortiManager unit.
For detailed instructions on how to install a FortiManager unit, see the FortiManager Install
Guide.


After successfully connecting to the FortiManager unit from your FortiGate unit, you can
back up your configuration to the FortiManager unit. You can also restore your
configuration.
The automatic configuration backup is available only in local mode on the FortiManager
unit.
A list of revisions is displayed when restoring the configuration from a remote location.
The list allows you to choose the configuration to restore.
To view the basic backup and restore options, go to System > Maintenance >
Backup & Restore.

Figure 152: Backup & Restore options with FortiManager option enabled

Backup The options available for backing up your current configuration to a
FortiManager unit.
Backup configuration Select FortiManager to upload the configuration to the FortiManager
to: unit.
The Local PC option is always available.
Comments: Enter a description or information about the file in the Comments field.
This is optional.
Backup Select to back up the configuration file to the FortiManager unit.
A confirmation message appears after successful completion of the
backup.
Restore The options for restoring a configuration file.
Restore configuration Select the FortiManager option to download and restore the
from: configuration from the FortiManager unit.
Please Select: Select the configuration file you want to restore from the list. This list
includes the comments you included in the Comment field before it
was uploaded to the FortiManager unit.
The list is in numerical order, with the recent uploaded configuration
first.
Restore Select to restore the configuration from the FortiManager unit.

Remote FortiGuard backup and restore options
Your FortiGate unit can be remotely managed by a central management server, which is
available when you register for the FortiGuard Analysis & Management Service. The
FortiGuard Analysis & Management Service is a subscription-based service and is
purchased by contacting support. Additional information, including how to register your
FortiGate unit for the FortiGuard Analysis & Management Service, is available in the
FortiGuard Analysis & Management Service User Guide.


After registering, you can back up or restore your configuration. The FortiGuard Analysis &
Management Service is useful when administering multiple FortiGate units without having
a FortiManager unit.
You can also upgrade the firmware on your FortiGate unit using the FortiGuard Analysis &
Management Service. Upgrading the firmware is available in the Firmware Upgrade
section of the backup and restore menu. See “Upgrading and downgrading firmware
through FortiGuard” on page 253 for more information about upgrading firmware from the
backup and restore menu.

Tip: For simplified procedures on managing firmware, including backup and restore
options, and on uploading and downloading firmware for your FortiGate unit, see
"Managing firmware versions" on page 93.

When restoring the configuration from a remote location, a list of revisions is displayed so
that you can choose the configuration file to restore.
To view the basic backup and restore options, go to System > Maintenance >
Backup & Restore.

Figure 153: Backup & Restore Central Management options

Backup: The options available for backing up your current configuration to the FortiGuard Analysis & Management Service.

Backup configuration to: Select the FortiGuard option to upload the configuration to the FortiGuard Analysis & Management Service. The Local PC option is always available.

Comments: Enter a description or information about the file in the Comments field. This is optional.

Backup: Select to back up the configuration file to the FortiGuard Analysis & Management Service. A confirmation message appears after successful completion of the backup.

Restore: The options for restoring a configuration file.

Restore configuration from: Select the FortiGuard option to download the configuration file from the FortiGuard Analysis & Management Service.

Please Select: Select the configuration file you want to restore from the list. This list includes the comments you entered in the Comments field before the file was uploaded to the FortiGuard Analysis & Management Service. The list is in numerical order, with the most recently uploaded configuration first.

Restore: Select to restore the configuration from the FortiGuard Analysis & Management Service.

Note: The FortiGuard-FortiManager protocol is used when connecting to the FortiGuard
Analysis & Management Service. This protocol runs over SSL using IPv4/TCP port 541 and
includes the following functions:
• detects FortiGate unit dead or alive status
• detects management service dead or alive status
• notifies the FortiGate units about configuration changes, AV/IPS database updates and
firewall changes.

Upgrading and downgrading firmware


The firmware section displays the current version of firmware installed on your FortiGate
unit, as well as the firmware version currently in use if there is more than one firmware
image saved on the FortiGate unit.
To view the firmware options, go to System > Maintenance > Backup & Restore.

Figure 154: Two firmware images displayed on a FortiGate-1000A unit

Partition: A partition can contain one version of the firmware and the system configuration. FortiGate-100A units and higher have two partitions. One partition is active and the other is used as a backup.

Active: A green check mark indicates the partition currently in use.

Last upgrade: The date and time of the last update to this partition.

Firmware Version: The version and build number of the FortiGate firmware. If your FortiGate model has a backup partition, you can:
• Select Upload to replace the firmware in this partition with firmware from the management computer or a USB disk. The USB disk must be connected to the FortiGate unit USB port. See “Formatting USB Disks” on page 255.
• Select Upload and Reboot to replace the existing firmware and make this the active partition.

Boot alternate firmware: Restart the FortiGate unit using the backup firmware. This is available only for FortiGate-100 units or higher.

Upgrading and downgrading firmware through FortiGuard


The Firmware Upgrade section of the backup and restore page displays options for
upgrading to a new version using the FortiGuard Analysis & Management Service if that
option is available to you. Using the FortiGuard Analysis & Management Service to
upgrade the firmware on your FortiGate unit is only available on certain FortiGate units.
You must register for the service by contacting customer support.
Detailed firmware version information is provided if you have subscribed for the
FortiGuard Analysis & Management Service.
To view the firmware options, go to System > Maintenance > Backup & Restore.

Figure 155: Firmware Upgrade section of the Backup & Restore page

Upgrade from FortiGuard network to firmware version: [Please Select]: Select one of the available firmware versions. The list contains the following information for each available firmware release:
• continent (for example, North America)
• maintenance release number
• patch release number
• build number.
For example, if you are upgrading to FortiOS 3.0 MR6 and the FortiGate unit is located in North America, the firmware version available is v3.0 MR6-NA (build 0700).

Allow firmware downgrade: Select to allow installation of older versions than the one currently installed. This is useful if the current version changed functionality you need and you have to revert to an older firmware image.

Upgrade by File: Select Browse to locate a file on your local PC to upload to the FortiGate unit.

OK: Select OK to enable your selection.

Configuring advanced options


The Advanced section on the backup and restore page includes the USB Auto Install
feature and the debug log. The USB settings are available only if the FortiGate unit
includes a USB port. You must connect a USB disk to the FortiGate unit USB port to use
the USB auto-install feature. See “Formatting USB Disks” on page 255.
To view the advanced options, go to System > Maintenance > Backup & Restore.

Figure 156: Options available in the Advanced section

On system restart, automatically update FortiGate configuration...: Automatically update the configuration on restart. Ensure that the default configuration file name matches the configuration file name on the USB disk. If the configuration file on the disk matches the currently installed configuration, the FortiGate unit skips the configuration update process.

On system restart, automatically update FortiGate firmware...: Automatically update the firmware on restart. Ensure that the default image name matches the firmware file name on the USB disk. If the firmware image on the disk matches the currently installed firmware, the FortiGate unit skips the firmware update process.

Apply: Select to apply the selected settings.

Download Debug Log: Download an encrypted debug log to a file. You can send this debug log to Fortinet Technical Support to help diagnose problems with your FortiGate unit.

Formatting USB Disks


FortiGate units with USB ports support USB disks for backing up and restoring
configurations.
FortiUSB and generic USB disks are supported, but the generic USB disk must be
formatted as a FAT16 disk. No other partition type is supported.

Caution: Formatting the USB disk deletes all information on the disk. Back up the
information on the USB disk before formatting to ensure all information on the disk is
recoverable.

You can format the USB disk either from the FortiGate CLI or from a Windows system. In
the CLI, use the command exe usb-disk format. On a Windows system, at the command
prompt type format <drive_letter>: /FS:FAT /V:<drive_label>, where <drive_letter> is
the letter of the connected USB drive you want to format, and <drive_label> is the name
you want to give the USB drive for identification.

Managing configuration revisions


The Revision Control tab enables you to manage multiple versions of configuration files.
Revision control requires a configured central management server. This server can either
be a FortiManager unit or the FortiGuard Analysis & Management Service.
If central management is not configured on your FortiGate unit, a message appears to tell
you to do one of the following:
• enable central management (see “Central Management” on page 220)
• obtain a valid license.
When revision control is enabled on your FortiGate unit, and configurations have been
backed up, a list of saved revisions of those backed-up configurations appears.
To view the configuration revisions, go to System > Maintenance > Revision Control.

Figure 157: Revision Control page displaying system configuration backups


Current Page: The current page number of list items that are displayed. Select the left and right arrows to display the first, previous, next or last page of system configuration backups. For more information, see “Using page controls on web-based manager lists” on page 59.

Revision: An incremental number indicating the order in which the configurations were saved. These may not be consecutive numbers if configurations are deleted. The most recent, and highest, number is first in the list.

Date/Time: The date and time this configuration was saved on the FortiGate unit.

Administrator: The administrator account that was used to back up this revision.

Comments: Any relevant information saved with the revision, such as why the revision was saved, who saved it, and whether there is a date when it can be deleted to free up space.

Diff icon: Select to compare two revisions. A window appears in which you can view and compare the selected revision to one of:
• the current configuration
• a selected revision from the displayed list, including revision history and templates
• a specified revision number.

Download icon: Download this revision to your local PC.

Revert icon: Restore the selected earlier revision. You are prompted to confirm this action.

Using script files


Scripts are text files containing CLI command sequences. These can be uploaded and
executed to run complex command sequences easily. Scripts can be used to deploy
identical configurations to many devices. For example, if all of your devices use identical
administrator admin profiles, you can enter the commands required to create the admin
profiles in a script, and then deploy the script to all the devices which should use those
same settings.
If you are using a FortiGate unit without a FortiManager unit or the FortiGuard Analysis &
Management Service, the scripts you upload are executed and discarded. If you want to
execute a script more than once, you must keep a copy on your management PC.
If your FortiGate unit is configured to use a FortiManager unit, you can upload your scripts
to the FortiManager unit, and run them from any FortiGate unit configured to use the
FortiManager unit. If you upload a script directly to a FortiGate unit, it is executed and
discarded.
If your FortiGate unit is configured to use the FortiGuard Analysis & Management Service,
scripts you upload are executed and stored. You can run uploaded scripts from any
FortiGate unit configured with your FortiGuard Analysis & Management Service account.
The uploaded script files appear on the FortiGuard Analysis & Management Service portal
web site.
After executing scripts, you can view the script execution history on the script page. The
list displays the last 10 executed scripts.
To view the script options, go to System > Maintenance > Scripts.

Figure 158: Script execution history

Execute Script from: Scripts can be uploaded directly to the FortiGate unit from the management PC. If you have configured either a FortiManager unit or the FortiGuard Analysis & Management Service, scripts that have been stored remotely can also be run on the FortiGate unit.

Upload Bulk CLI Command File: Select Browse to locate the script file and then select Apply to upload and execute the file. If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service, the script is saved on the server for later use.

Select From remote management station: Select to execute a script from the FortiManager unit or the FortiGuard Analysis & Management Service. Choose the script you want to run from the list of all scripts stored remotely.

Script Execution History (past 10 scripts): A list of the 10 most recently executed scripts.

Name: The name of the script file.

Type: The source of the script file. A local file is uploaded directly to the FortiGate unit from the management PC and executed. A remote file is executed on the FortiGate unit after being sent from a FortiManager unit or the FortiGuard Analysis & Management Service.

Time: The date and time the script file was executed.

Status: The status of the script file: whether its execution succeeded or failed.

Delete icon: Delete the script entry from the list.

Creating script files


Script files are text files with CLI command sequences. When a script file is uploaded to a
FortiGate unit, the commands are executed in sequence.

To create a script file


1 Open a text editor application. Notepad on Windows, gedit on Linux, TextEdit on the
Mac, or any editor that saves plain text can create a script file.
2 Enter the CLI commands you want to run.
The commands must be entered in sequence, with one command per line.
3 Save the file to your maintenance PC.

Tip: An unencrypted configuration file uses the same structure and syntax as a script file.
You can save a configuration file and copy the required parts to a new file, making any edits
you require. You can generate script files more quickly this way.

Uploading script files


After you have created a script file, you can then upload it through System >
Maintenance > Scripts. When a script is uploaded, it is automatically executed.

Caution: Commands that require the FortiGate unit to reboot when entered on the
command line will also force a reboot if included in a script.

To execute a script
1 Go to System > Maintenance > Scripts.
2 Verify that Upload Bulk CLI Command File is selected.
3 Select Browse to locate the script file.
4 Select Apply.
If the FortiGate unit is not configured for remote management, or if it is configured to use a
FortiManager unit, uploaded scripts are discarded after execution. Save script files to your
management PC if you want to execute them again later.
If the FortiGate unit is configured to use the FortiGuard Analysis & Management Service,
the script file is saved to the remote server for later reuse. You can view the script or run it
from the FortiGuard Analysis & Management Service portal web site. For more
information about viewing or running an uploaded script on the portal web site, see the
FortiGuard Analysis & Management Service Users Guide.
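Because an uploaded script runs immediately and in sequence, it is worth checking the file before uploading it. The following Python linter is an added example, not part of this guide or of FortiOS: it verifies that config/edit blocks are balanced (the structure a saved configuration file also uses) and flags commands that will reboot the unit when the script runs. The sample script, the list of reboot-triggering commands, and the treatment of abbreviations such as exe as equivalent to execute are assumptions made for the example.

```python
"""Pre-upload checks for a FortiGate bulk CLI script file.

Added example, not FortiOS code. A script is one CLI command per line and
executes in sequence, so an unbalanced block or a reboot command affects
every unit the script is deployed to.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample script (illustrative FortiOS-style CLI, not taken from the guide).
SAMPLE_SCRIPT = """\
#config-version=example
config system global
    set admintimeout 10
end
config system accprofile
    edit "audit_readonly"
        set sysgrp read
    next
end
execute reboot
"""

# Assumption: these commands force a reboot on the CLI and therefore also in a
# script; the guide warns about such commands but does not list them.
REBOOT_COMMANDS = ("execute reboot", "execute factoryreset", "execute restore image")

# Assumption: the CLI accepts abbreviated keywords (the guide itself writes
# "exe usb-disk format"), so expand them before matching.
ABBREVIATIONS = {"exe": "execute", "exec": "execute"}


@dataclass
class LintResult:
    commands: int = 0                                   # non-blank, non-comment lines
    errors: List[str] = field(default_factory=list)     # structural problems
    warnings: List[str] = field(default_factory=list)   # disruptive commands

    @property
    def ok(self) -> bool:
        return not self.errors


def normalize(line: str) -> str:
    """Collapse whitespace and expand an abbreviated leading keyword."""
    tokens = line.strip().split()
    if tokens and tokens[0] in ABBREVIATIONS:
        tokens[0] = ABBREVIATIONS[tokens[0]]
    return " ".join(tokens)


def lint_script(text: str) -> LintResult:
    """Check block balance and report commands that would reboot the unit."""
    result = LintResult()
    # Open blocks as (keyword, line number): "config" is closed by "end",
    # "edit" by "next"; "edit" is only valid directly inside "config".
    stack: List[Tuple[str, int]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and '#' comments (as in saved config files) are skipped
        cmd = normalize(raw)
        result.commands += 1
        keyword = cmd.split()[0]
        if keyword == "config":
            stack.append(("config", lineno))
        elif keyword == "edit":
            if not stack or stack[-1][0] != "config":
                result.errors.append(f"line {lineno}: 'edit' outside a config block")
            stack.append(("edit", lineno))
        elif keyword == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
            else:
                result.errors.append(f"line {lineno}: 'next' without a matching 'edit'")
        elif keyword == "end":
            if stack and stack[-1][0] == "config":
                stack.pop()
            else:
                result.errors.append(f"line {lineno}: 'end' without a matching 'config'")
        if any(cmd.startswith(r) for r in REBOOT_COMMANDS):
            result.warnings.append(
                f"line {lineno}: '{cmd}' will reboot the unit when the script runs")
    for keyword, lineno in stack:
        result.errors.append(f"line {lineno}: '{keyword}' block is never closed")
    return result


if __name__ == "__main__":
    report = lint_script(SAMPLE_SCRIPT)
    print(f"{report.commands} commands, ok={report.ok}")
    for msg in report.errors + report.warnings:
        print(msg)
```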

Configuring FortiGuard Services


The FortiGuard tab allows you to configure your FortiGate unit to use the FortiGuard
Distribution Network (FDN) and FortiGuard Services. The FDN provides updates to
antivirus and IPS attack definitions. FortiGuard Services provides an online IP address
black list, a URL black list, and other spam filtering tools.

FortiGuard Distribution Network


The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). The FDN
provides updates to antivirus (including grayware) and IPS attack definitions. When the
FortiGate unit contacts the FDN, it connects to the nearest FDS based on the current time
zone setting.
The FortiGate unit supports the following update options:
• user-initiated updates from the FDN
• hourly, daily, or weekly scheduled antivirus and attack definition updates from the FDN
• push updates from the FDN
• update status including version numbers, expiry dates, and update dates and times
• push updates through a NAT device.
Registering your FortiGate unit on the Fortinet Support web page provides a valid license
contract and connection to the FDN. On the Fortinet Support web page, go to Product
Registration and follow the instructions.
The FortiGate unit must be able to connect to the FDN using HTTPS on port 443 to
receive scheduled updates. For more information, see “To enable scheduled updates” on
page 265.

You can also configure the FortiGate unit to receive push updates. When the FortiGate
unit is receiving push updates, the FDN must be able to route packets to the FortiGate unit
using UDP port 9443. For more information, see “Enabling push updates” on page 266. If
the FortiGate unit is behind a NAT device, see “Enabling push updates through a NAT
device” on page 267.

FortiGuard services
Worldwide coverage of FortiGuard services is provided by FortiGuard service points.
When the FortiGate unit is connecting to the FDN, it is connecting to the closest
FortiGuard service point. Fortinet adds new service points as required.
By default, the FortiGate unit communicates with the closest service point. If the service
point becomes unreachable for any reason, the FortiGate unit contacts another service
point and information is available within seconds. By default, the FortiGate unit
communicates with the service point via UDP on port 53. Alternatively, you can switch the
UDP port used for service point communication to port 8888 by going to System >
Maintenance > FortiGuard.
If you need to change the default FortiGuard service point host name, use the hostname
keyword in the system fortiguard CLI command. You cannot change the FortiGuard
service point name using the web-based manager.
For more information about FortiGuard services, see the FortiGuard Center web page.

FortiGuard Antispam service


FortiGuard Antispam is an antispam system from Fortinet that includes an IP address
black list, a URL black list, and spam filtering tools. The IP address black list contains IP
addresses of email servers known to generate spam. The URL black list contains URLs
that are found in spam email.
FortiGuard Antispam processes are completely automated and configured by Fortinet.
With constant monitoring and dynamic updates, FortiGuard Antispam is always current.
You can either enable or disable FortiGuard Antispam in the Firewall menu in a protection
profile. For more information, see “Spam Filtering options” on page 402.
Every FortiGate unit comes with a free 30-day FortiGuard Antispam trial license.
FortiGuard Antispam license management is performed by Fortinet servers; there is no
need to enter a license number. The FortiGate unit automatically contacts a FortiGuard
Antispam service point when enabling FortiGuard Antispam. Contact Fortinet Technical
support to renew the FortiGuard Antispam license after the free trial expires.
You can globally enable FortiGuard Antispam in System > Maintenance > FortiGuard and
then configure Spam Filtering options in each firewall protection profile in Firewall >
Protection Profile. For more information, see “Spam Filtering options” on page 402.

FortiGuard Web Filtering service


FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet.
FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of
categories users can allow, block, or monitor. The FortiGate unit accesses the nearest
FortiGuard Web Filtering service point to determine the category of a requested web
page, then follows the firewall policy configured for that user or interface.
Every FortiGate unit comes with a free 30-day FortiGuard Web Filtering trial license.
FortiGuard license management is performed by Fortinet servers. There is no need to
enter a license number. The FortiGate unit automatically contacts a FortiGuard service
point when enabling FortiGuard category blocking. Contact Fortinet Technical Support to
renew a FortiGuard license after the free trial.

You can globally enable FortiGuard Web Filtering in System > Maintenance > FortiGuard
and then configure FortiGuard Web Filtering options for each profile in Firewall >
Protection Profiles. For more information, see “FortiGuard Web Filtering options” on
page 400.

FortiGuard Analysis & Management Service


FortiGuard Analysis & Management Service is a subscription-based service that provides
remote management services, including logging and reporting capabilities for all FortiGate
units. These services were previously available only on FortiAnalyzer and FortiManager
units.
The subscription-based service is available from the FortiGuard Analysis & Management
Service portal web site, which provides a central location for configuring logging and
reporting and remote management, and for viewing subscription contract information,
such as daily quota and the expiry date of the service.

Configuring the FortiGate unit for FDN and FortiGuard subscription services
FDN updates, as well as FortiGuard services, are configured in System > Maintenance >
FortiGuard. The FDN page contains four sections of FortiGuard services:
• Support Contract and FortiGuard Subscription Services
• Downloading antivirus and IPS updates
• Configuring Web Filtering and AntiSpam Options
• Configuring Analysis & Management Service Options

Support Contract and FortiGuard Subscription Services


The Support Contract and FortiGuard Subscription Services sections are displayed in
abbreviated form on the System Status page. See “Viewing system status” on page 65.
To view the FortiGuard options, go to System > Maintenance > FortiGuard.

Figure 159: Support Contract and FortiGuard Subscription Services section


Support Contract: The availability or status of your FortiGate unit support contract. The status displayed can be one of the following: Unreachable, Not Registered or Valid Contract. If Valid Contract is shown, the FortiOS firmware version and contract expiry date appear. A green checkmark also appears.

[Register]: Select to register your FortiGate unit support contract. This option is available only when the support contract is not registered.

FortiGuard Subscription Services: Availability and status information for each of the FortiGuard subscription services, including:
• AntiVirus
• Intrusion Protection
• Web Filtering
• AntiSpam
• Analysis & Management Service

[Availability]: The availability of this service on this FortiGate unit, dependent on your service subscription. The status can be Unreachable, Not Registered, Valid License, or Valid Contract. The option Subscribe appears if Availability is Not Registered. The option Renew appears if Availability has expired.

[Update]: Select to manually update this service on your FortiGate unit. This prompts you to download the update file from your local computer. Select Update Now to immediately download current updates from the FDN directly.

[Register]: Select to register the service. This is displayed for Analysis & Management Service.

Status Icon: Indicates the status of the subscription service. The icon corresponds to the availability description.
Gray (Unreachable) – the FortiGate unit is not able to connect to the service.
Orange (Not Registered) – the FortiGate unit can connect, but is not subscribed to this service.
Yellow (Expired) – the FortiGate unit had a valid license that has expired.
Green (Valid license) – the FortiGate unit can connect to the FDN and has a registered support contract.
If the Status icon is green, the expiry date is displayed.

[Version]: The version number of the definition file currently installed on the FortiGate unit for this service.

[Last update date and method]: The date of the last update and the method used for the last attempt to download definition updates for this service.

[Date]: Local system date when the FortiGate unit last checked for updates for this service.

Downloading antivirus and IPS updates


In the Antivirus and IPS Options section, you can schedule antivirus and IPS updates,
configure an override server, or allow push updates. You can access these options by
selecting the expand arrow.
The SETUP message that the FortiGate unit sends when you enable push updates
includes the IP address of the FortiGate interface that the FDN connects to. Use the Use
override push IP option when your FortiGate unit is behind a NAT device. The FortiGate
unit then sends the FDS the IP address and port number of the NAT device instead. The
NAT device must also be configured to forward the FDS traffic to the FortiGate unit on
port 9443.
For more information, see “Enabling push updates through a NAT device” on page 267.

Figure 160: AntiVirus and IPS Options section

Use override server address: Select to configure an override server if you cannot connect to the FDN or if your organization provides updates using its own FortiGuard server. When selected, enter the IP address or domain name of a FortiGuard server and select Apply. If the FDN Status still indicates no connection to the FDN, see “Troubleshooting FDN connectivity” on page 264.

Allow Push Update: Select to allow push updates. Updates are then sent automatically to your FortiGate unit when they are available, eliminating any need for you to check whether they are available.

Allow Push Update status icon: The status of the FortiGate unit for receiving push updates:
Gray (Unreachable) - the FortiGate unit is not able to connect to the push update service
Yellow (Not Available) - the push update service is not available with the current support license
Green (Available) - the push update service is allowed. See “Enabling push updates” on page 266.
If the icon is gray or yellow, see “Troubleshooting FDN connectivity” on page 264.

Use override push IP: Available only if both Use override server address and Allow Push Update are enabled. Select to allow you to create a forwarding policy that redirects incoming FDS push updates to your FortiGate unit. Enter the IP address of the NAT device in front of your FortiGate unit. The FDS connects to this device when attempting to reach the FortiGate unit. The NAT device must be configured to forward the FDS traffic to the FortiGate unit on UDP port 9443. See “Enabling push updates through a NAT device” on page 267.

Port: Select the port on the NAT device that will receive the FDS push updates. This port must be forwarded to UDP port 9443 on the FortiGate unit. Available only if Use override push IP is enabled.

Schedule Updates: Select this check box to enable scheduled updates.

Every: Attempt to update once every 1 to 23 hours. Select the number of hours between each update request.

Daily: Attempt to update once a day. You can specify the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Weekly: Attempt to update once a week. You can specify the day of the week and the hour of the day to check for updates. The update attempt occurs at a randomly determined time within the selected hour.

Update Now: Select to manually initiate an FDN update.

Submit attack characteristics… (recommended): Fortinet recommends that you select this check box. It helps to improve the quality of IPS signatures.

Configuring Web Filtering and AntiSpam Options


You can access this section by selecting the expand arrow to view Web Filtering and
AntiSpam Options.

Figure 161: Web Filtering and AntiSpam Options section

Enable Web Filter: Select to enable the FortiGuard Web Filter service.

Enable Cache: Select to enable caching of web filter queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available if Enable Web Filter is selected.

TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds. Available only if both Enable Web Filter and Enable Cache are selected.

Enable AntiSpam: Select to enable the FortiGuard AntiSpam service.

Enable Cache: Select to enable caching of antispam queries. This improves performance by reducing FortiGate unit requests to the FortiGuard server. The cache uses 6 percent of the FortiGate memory. When the cache is full, the least recently used IP address or URL is deleted. Available only if Enable AntiSpam is selected.

TTL: Time to live. The number of seconds to store blocked IP addresses and URLs in the cache before contacting the server again. TTL must be between 300 and 86400 seconds.

Port Section: Select one of the following ports for your web filtering and antispam requirements:

Use Default Port (53): Select to use port 53 for communicating with FortiGuard Antispam servers.

Use Alternate Port (8888): Select to use port 8888 for communicating with FortiGuard Antispam servers.

Test Availability: Select to test the connection to the servers. Results are shown below the button and on the Status indicators.

To have a URL's category rating re-evaluated, please click here.: Select to re-evaluate a URL’s category rating on the FortiGuard Web Filter service.

Account ID: Enter your FortiGuard Analysis & Management Service account ID.

To launch the service portal, please click here.: Select to log into the FortiGuard Analysis & Management Service web portal.

Configuring Analysis & Management Service Options


The Analysis & Management Service Options section contains the Account ID and other
options regarding the FortiGuard Analysis & Management Service.
You can access this section by selecting the expand arrow.

Figure 162: FortiGuard Analysis & Management Service options

Account ID: Enter the name for the Analysis & Management Service that identifies the account. The account ID that you entered in the Account ID field when registering is used in this field.

To launch the service portal, please click here: Select to go directly to the FortiGuard Analysis & Management Service portal web site to view logs or configuration. You can also select this to register your FortiGate unit with the FortiGuard Analysis & Management Service.

To configure FortiGuard Analysis Service options, please click here: Select the link please click here to configure and enable logging to the FortiGuard Analysis & Management server. The link redirects you to Log&Report > Log Config > Log Setting. This appears only after registering for the service.

To purge logs older than n months, please click here: Select the number of months from the list that will remove those logs from the FortiGuard Analysis & Management server and select the link please click here. For example, if you select 2 months, the logs from the past two months will be removed from the server. You can also use this option to remove logs that may appear on a current report. This appears only after logging is enabled and log messages are sent to the FortiGuard Analysis server.

Troubleshooting FDN connectivity


If your FortiGate unit is unable to connect to the FDN, check your configuration. For
example, you may need to add routes to the FortiGate routing table or configure your
network to allow the FortiGate unit to use HTTPS on port 443 to connect to the Internet.
You might have to connect to an override FortiGuard server to receive updates. For more
information, see “To add an override server” on page 266. If this is not successful, check
your configuration to make sure you can connect to the override FortiGuard server from
the FortiGate unit.
Push updates might be unavailable if:
• you have not registered the FortiGate unit (go to Product Registration and follow the
instructions on the web site if you have not already registered your FortiGate unit)
• there is a NAT device installed between the FortiGate unit and the FDN (see “Enabling
push updates through a NAT device” on page 267)
• your FortiGate unit connects to the Internet using a proxy server (see “To enable
scheduled updates through a proxy server” on page 266).


Updating antivirus and attack definitions


Use the following procedures to configure the FortiGate unit to connect to the FDN to
update the antivirus (including grayware) definitions and IPS attack definitions.

Note: Updating antivirus and IPS attack definitions can cause a very short
disruption in traffic scanning while the FortiGate unit applies the new signature
definitions. Fortinet recommends scheduling updates when traffic is light to
minimize disruption.

To make sure the FortiGate unit can connect to the FDN


1 Go to System > Status and select Change on the System Time line in the System
Information section.
Verify that the time zone is set correctly, corresponding to the region where your
FortiGate unit is located.
2 Go to System > Maintenance > FortiGuard.
3 Select the expand arrow beside Web Filtering and AntiSpam Options to reveal the
available options.
4 Select Test Availability.
The FortiGate unit tests its connection to the FDN. The test results display at the top
of the FortiGuard page.

To update antivirus and attack definitions


1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside Antivirus and IPS Options to reveal the available
options.
3 Select Update Now to update the antivirus and attack definitions.
If the connection to the FDN or override server is successful, the web-based manager
displays a message similar to the following:
Your update request has been sent. Your database will be updated in
a few minutes. Please check your update page for the status of the
update.
After a few minutes, if an update is available, the FortiGuard page lists new version
information for antivirus definitions and IPS attack definitions. The page also displays new
dates and version numbers for the updated definitions and engines. Messages are
recorded to the event log, indicating whether the update was successful or not.

To enable scheduled updates


1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available
options.
3 Select the Scheduled Update check box.
4 Select one of the following:

Every: Once every 1 to 23 hours. Select the number of hours and minutes between each update request.
Daily: Once a day. You can specify the time of day to check for updates.
Weekly: Once a week. You can specify the day of the week and the time of day to check for updates.


5 Select Apply.
The FortiGate unit starts the next scheduled update according to the new update
schedule.
Whenever the FortiGate unit runs a scheduled update, the event is recorded in the
FortiGate event log.
If you cannot connect to the FDN, or if your organization provides antivirus and IPS
attack updates using its own FortiGuard server, you can use the following procedure to
add the IP address of an override FortiGuard server.

To add an override server


1 Go to System > Maintenance > FortiGuard.
2 Select the Use override server address check box.
3 Type the fully qualified domain name or IP address of the FortiGuard server.
4 Select Apply.
The FortiGate unit tests the connection to the override server.
If the FortiGuard Distribution Network availability icon changes from gray to green, the
FortiGate unit has successfully connected to the override server.
If the FortiGuard Distribution Network availability icon stays gray, the FortiGate unit
cannot connect to the override server. Check the FortiGate configuration and network
configuration for settings that may prevent the FortiGate unit from connecting to the
override FortiGuard server.

To enable scheduled updates through a proxy server


If your FortiGate unit must connect to the Internet through a proxy server, you can use the
config system autoupdate tunneling command syntax to allow the FortiGate unit
to connect (or tunnel) to the FDN using the proxy server. For more information, see the
FortiGate CLI Reference.

Enabling push updates


The FDN can push updates to FortiGate units to provide the fastest possible response to
critical situations. You must register the FortiGate unit before it can receive push updates.
Register your FortiGate unit by going to the Fortinet Support web site, Product
Registration, and following the instructions.
When you configure a FortiGate unit to allow push updates, the FortiGate unit sends a
SETUP message to the FDN. The next time new antivirus or IPS attack definitions are
released, the FDN notifies all FortiGate units that are configured for push updates, that a
new update is available. Within 60 seconds of receiving a push notification, the FortiGate
unit requests the update from the FDN.
When the network configuration permits, configuring push updates is recommended in
addition to scheduled updates. Scheduled updates ensure that the FortiGate unit receives
current updates, but if push updates are also enabled, the FortiGate unit will usually
receive new updates sooner.
Fortinet does not recommend enabling push updates as the only method for obtaining
updates. The FortiGate unit might not receive the push notification. When the FortiGate
unit receives a push notification, it makes only one attempt to connect to the FDN and
download updates.


Enabling push updates when a FortiGate unit IP address changes


The SETUP message that the FortiGate unit sends when you enable push updates
includes the IP address of the FortiGate interface that the FDN connects to. The interface
used for push updates is the interface configured in the default route of the static routing
table.
The FortiGate unit sends the SETUP message if you:
• change the IP address of this interface manually
• have set the interface addressing mode to DHCP or PPPoE and your DHCP or PPPoE
server changes the IP address.
The FDN must be able to connect to this IP address so that your FortiGate unit can
receive push update messages. If your FortiGate unit is behind a NAT device, see
“Enabling push updates through a NAT device” on page 267.
If you have redundant connections to the Internet, the FortiGate unit also sends the
SETUP message when one Internet connection goes down and the FortiGate unit fails
over to another Internet connection.
In transparent mode, if you change the management IP address, the FortiGate unit also
sends the SETUP message to notify the FDN of the address change.

Enabling push updates through a NAT device


If the FDN connects only to the FortiGate unit through a NAT device, you must configure
port forwarding on the NAT device and add the port forwarding information to the push
update configuration. Port forwarding enables the FDN to connect to the FortiGate unit
using UDP on either port 9443 or an override push port that you specify.
If the external IP address of the NAT device is dynamic (PPPoE or DHCP), the FortiGate
unit is unable to receive push updates through a NAT device.
The following procedures configure the FortiGate unit to receive push updates through a
NAT device. They also include adding a port forwarding virtual IP and a firewall policy to
the NAT device.

Figure 163: Example network: Push updates through a NAT device
[Diagram: Internal network; NAT Device, external interface 172.16.35.144 (Virtual IP); Internet; FDN Server, external interface 10.20.6.135.]

The overall process is:


1 Register the FortiGate unit on the internal network so that it has a current support
license and can receive push updates. For more information, see “Registering your
Fortinet product” on page 42.


2 Configure the following FortiGuard options on the FortiGate unit on the internal
network.
• Enable Allow push updates.
• Enable Use override push IP and enter the IP address. Usually this is the IP
address of the external interface of the NAT device.
• If required, change the override push update port.
3 Add a port forwarding virtual IP to the NAT device.
• Set the external IP address of the virtual IP to match the override push update IP.
Usually this is the IP address of the external interface of the NAT device.
4 Add a firewall policy to the FortiGate NAT device that includes the port forwarding virtual
IP.

Note: Push updates are not supported if the FortiGate unit must use a proxy server to
connect to the FDN. See “To enable scheduled updates through a proxy server” on
page 266 for more information.

To configure FortiGuard options on the FortiGate unit on the internal network


1 Go to System > Maintenance > FortiGuard.
2 Select the expand arrow beside AntiVirus and IPS Options to reveal the available
options.
3 Select the Allow Push Update check box.
4 Select the Use override push IP check box.
5 Enter the IP address of the external interface of the NAT device.
Change the override push port from UDP port 9443 only if that port is blocked or already in use.
6 Select Apply.
You can change the push override configuration if the external IP address or the external
service port changes; select Apply to have the FortiGate unit send the updated push
information to the FDN.
When the FortiGate unit sends the override push IP address and port to the FDN, the FDN
uses this IP address and port for push updates to the FortiGate unit. However, push
updates will not actually work until a virtual IP is added to the NAT device so that the NAT
device accepts push update packets and forwards them to the FortiGate unit on the
internal network.
If the NAT device is also a FortiGate unit, the following procedure, To add a port
forwarding virtual IP to the FortiGate NAT device, configures the NAT device to use port
forwarding to pass push update connections from the FDN to the FortiGate unit on the
internal network.

To add a port forwarding virtual IP to the FortiGate NAT device


1 Go to Firewall > Virtual IP.
2 Select Create New.
3 Enter the appropriate information for the following:

Name: Enter a name for the Virtual IP.
External Interface: Select an external interface from the list. This is the interface that connects to the Internet.
External IP Address/Range: Enter the IP address and/or range. This is the IP address to which the FDN sends the push updates. This is usually the IP address of the external interface of the NAT device. This IP address must be the same as the IP address in Use override push IP for the FortiGate unit on the internal network.
Mapped IP Address/Range: Enter the IP address and/or range of the FortiGate unit on the internal network.
Port Forwarding: Select Port Forwarding. When you select Port Forwarding, the options Protocol, External Service Port and Map to Port appear.
Protocol: Select UDP.
External Service Port: Enter the external service port. The external service port is the port that the FDN connects to. The external service port for push updates is usually 9443. If you changed the push update port in the FortiGuard configuration of the FortiGate unit on the internal network, you must set the external service port to the changed push update port.
Map to Port: Enter 9443. This is the port number to which the NAT FortiGate unit will send the push update after it comes through the virtual IP. FortiGate units expect push update notifications on port 9443.
4 Select OK.

To add a firewall policy to the FortiGate NAT device


1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the external to internal firewall policy.

Source Interface/Zone: Select the name of the interface that connects to the Internet.
Source Address: Select All.
Destination Interface/Zone: Select the name of the interface of the NAT device that connects to the internal network.
Destination Address: Select the virtual IP added to the NAT device.
Schedule: Select Always.
Service: Select ANY.
Action: Select Accept.
NAT: Select NAT.

4 Select OK.
Verify that push updates to the FortiGate unit on the internal network are working by going
to System > Maintenance > FortiGuard and selecting Test Availability under Web Filtering
and AntiSpam Options. The Push Update indicator should change to green.

Adding VDOM Licenses


If you have a FortiGate-3000 unit or higher, you can purchase a license key from Fortinet
to increase the maximum number of VDOMs to 25, 50, 100 or 250. By default, FortiGate
units support a maximum of 10 VDOMs.
The license key is a 32-character string supplied by Fortinet. Fortinet requires the serial
number of the FortiGate unit to generate the license key.
The license key is entered in System > Maintenance > License in the Input License Key
field. This appears only on the FortiGate-3000 unit and higher.


Figure 164: License key for additional VDOMs

Current License: The current maximum number of virtual domains.
Input License key: Enter the license key supplied by Fortinet and select Apply.

Note: VDOMs created on a registered FortiGate unit are recognized as real devices by any
connected FortiAnalyzer unit. The FortiAnalyzer unit includes VDOMs in its total number of
registered devices. For example, if three FortiGate units are registered on the FortiAnalyzer
unit and they contain a total of four VDOMs, the total number of registered FortiGate units
on the FortiAnalyzer unit is seven. For more information, see the FortiAnalyzer
Administration Guide.


Router Static
This section explains some general routing concepts, and how to define static routes and
route policies.
A route provides the FortiGate unit with the information it needs to forward a packet to a
particular destination on the network. A static route causes packets to be forwarded to a
destination other than the factory configured default gateway.
The factory configured static default route provides you with a starting point to configure
the default gateway. You must either edit the factory configured static default route to
specify a different default gateway for the FortiGate unit, or delete the factory configured
route and specify your own static default route that points to the default gateway for the
FortiGate unit. For more information, see “Default route and default gateway” on
page 275.
You define static routes manually. Static routes control traffic exiting the FortiGate unit—
you can specify through which interface the packet will leave and to which device the
packet should be routed.
As an option, you can define route policies. Route policies specify additional criteria for
examining the properties of incoming packets. Using route policies, you can configure the
FortiGate unit to route packets based on the IP source and destination addresses in
packet headers and other criteria such as on which interface the packet was received and
which protocol (service) and port are being used to transport the packet.
If you enable virtual domains (VDOMs) on the FortiGate unit, static routing is configured
separately for each virtual domain. For more information, see “Using virtual domains” on
page 103.
This section describes:
• Routing concepts
• Static Route
• Policy Route

Routing concepts
The FortiGate unit works as a security device on a network and packets must pass
through it. You need to understand a number of basic routing concepts in order to
configure the FortiGate unit appropriately.
Whether you administer a small or large network, this module will help you understand
how the FortiGate unit performs routing functions.
The following topics are covered in this section:
• How the routing table is built
• How routing decisions are made
• Multipath routing and determining the best route
• Route priority
• Blackhole Route


How the routing table is built


In the factory default configuration, the FortiGate routing table contains a single static
default route. You can add routing information to the routing table by defining additional
static routes. The table may include several different routes to the same destination—the
IP addresses of the next-hop router specified in those routes or the FortiGate interfaces
associated with those routes may vary.
The FortiGate unit selects the “best” route for a packet by evaluating the information in the
routing table. The best route to a destination is typically associated with the shortest
distance between the FortiGate unit and the closest next-hop router. In some cases, the
next best route may be selected if the best route is unavailable. The FortiGate unit installs
the best available routes in the unit’s forwarding table, which is a subset of the unit’s
routing table. Packets are forwarded according to the information in the forwarding table.

How routing decisions are made


Whenever a packet arrives at one of the FortiGate unit’s interfaces, the unit determines
whether the packet was received on a legitimate interface by doing a reverse lookup using
the source IP address in the packet header. If the FortiGate unit cannot communicate with
the computer at the source IP address through the interface on which the packet was
received, the FortiGate unit drops the packet as it is likely a hacking attempt.
If the destination address can be matched to a local address (and the local configuration
permits delivery), the FortiGate unit delivers the packet to the local network. If the packet
is destined for another network, the FortiGate unit forwards the packet to a next-hop router
according to a policy route and the information stored in the FortiGate forwarding table.
For more information, see “Policy Route” on page 279.

Multipath routing and determining the best route


Multipath routing occurs when more than one entry to the same destination is present in
the routing table. When multipath routing happens, the FortiGate unit may have several
possible destinations for an incoming packet, forcing the FortiGate unit to decide which
next-hop is the best one.
Two methods to manually resolve multiple routes to the same destination are to lower the
administrative distance of one route or to set the priority of both routes. For the FortiGate
unit to select a primary (preferred) route, manually lower the administrative distance
associated with one of the possible routes.
Administrative distance is based on the expected reliability of a given route. It is
determined through a combination of the number of hops from the source and the protocol
used. More hops from the source means more possible points of failure. The
administrative distance can be from 1 to 255, with lower numbers being preferred. A
distance of 255 is seen as infinite and is not installed in the routing table. For example, if
there are two possible routes that traffic can take between two destinations, with
administrative distances of 5 (always up) and 31 (sometimes not available), the traffic uses
the route with an administrative distance of 5. Different routing protocols have different
default administrative distances. The default administrative distances for these routing
protocols are configurable.


Table 30: Default administrative distances for routing protocols

Routing protocol Default administrative distance


Direct physical connection 1
Static 10
EBGP 20
OSPF 110
RIP 120
IBGP 200

Another method is to manually change the priority of both of the routes. If the next-hop
administrative distances of two routes on the FortiGate unit are equal, it may not be clear
which route the packet will take. Configuring the priority for each of those routes will make
it clear which next-hop will be used in the case of a tie. You can set the priority for a route
only from the CLI. Lower priorities are preferred. For more information, see the FortiGate
CLI Reference.
All entries in the routing table are associated with an administrative distance. If the routing
table contains several entries that point to the same destination (the entries may have
different gateways or interface associations), the FortiGate unit compares the
administrative distances of those entries, selects the entries having the lowest distances,
and installs them as routes in the FortiGate forwarding table. As a result, the FortiGate
forwarding table contains only those routes having the lowest distances to every possible
destination. For information about how to change the administrative distance associated
with a static route, see “Adding a static route to the routing table” on page 278.

Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference.
You configure the priority field through the CLI. The route with the lowest value in the
priority field is considered the best route, and it is also the primary route. The command to
set the priority field is: set priority <integer> under the config route static
command. For more information, see the FortiGate CLI Reference.
In summary, because you can use the CLI to specify which sequence numbers or priority
field settings to use when defining static routes, you can prioritize routes to the same
destination according to their priority field settings. For a static route to be the preferred
route, you must create the route using the config router static CLI command and
specify a low priority for the route. If two routes have the same administrative distance and
the same priority, then they are equal cost multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be confusing
which route or routes to install and use. However, if you have enabled load balancing with
ECMP routes, then different sessions will resolve this problem by using different routes to
the same address. For more information, see load balancing in “Configuring virtual IPs” on
page 364.

Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in
Linux programming.
Blackhole routes are used to dispose of packets instead of responding to suspicious
inquiries. This provides added security since the originator will not discover any
information from the target network.


Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in
use, traffic to those addresses (traffic which may be valid or malicious) can be directed to
a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, was added to make
blackhole routing easier to configure. Compared to a normal interface, the loopback
interface has fewer parameters to configure, and all traffic sent to it stops there. Because
it cannot have hardware connection or link status problems, it is always available, which
also makes it useful in other dynamic routing roles. Once configured, you can use a
loopback interface in firewall policies, routing, and other places that refer to interfaces.
You configure this feature only from the CLI. For more information, see the system chapter
of the FortiGate CLI Reference.
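The selection rules described under Routing concepts (only the lowest administrative distance per destination is installed, distance 255 is never installed, the priority field breaks ties, a full tie is ECMP, a reverse lookup on the source address, and blackhole routes that drop traffic) can be modelled in a few lines. The Python below is an added example, not FortiOS code or Fortinet's; it assumes standard longest-prefix matching, and its route set is constructed from the addresses in Figures 166 and 167 plus made-up entries (interface wan2, the 10.10.0.0/16, 172.16.0.0/16 and 192.168.99.0/24 networks).

```python
"""Model of how a FortiGate unit selects among static routes (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

INFINITE_DISTANCE = 255  # a route with this distance is never installed


@dataclass(frozen=True)
class StaticRoute:
    dst: IPv4Network         # destination IP/mask
    gateway: str             # next-hop router address (unused for a blackhole)
    device: str              # FortiGate interface the packet leaves through
    distance: int = 10       # administrative distance; 10 is the static default
    priority: int = 0        # CLI 'set priority'; lower is preferred
    blackhole: bool = False  # drop everything sent to this destination


def route(dst: str, gateway: str = "", device: str = "", **kw) -> StaticRoute:
    """Build a route from the guide's IP/mask notation (dotted mask or prefix length)."""
    return StaticRoute(IPv4Network(dst), gateway, device, **kw)


def forwarding_table(routing_table: List[StaticRoute]) -> List[StaticRoute]:
    """Install, for every destination prefix, only the entries with the lowest
    administrative distance. A distance of 255 is infinite and is skipped."""
    best: Dict[IPv4Network, List[StaticRoute]] = {}
    for r in routing_table:
        if r.distance >= INFINITE_DISTANCE:
            continue
        group = best.get(r.dst)
        if group is None or r.distance < group[0].distance:
            best[r.dst] = [r]
        elif r.distance == group[0].distance:
            group.append(r)
    return [r for group in best.values() for r in group]


def lookup(fwd: List[StaticRoute], ip: str) -> List[StaticRoute]:
    """Routes a packet to ip may use: the most specific prefix (longest-prefix
    match, assumed here), then the lowest priority value. More than one result
    means the routes are equal cost multipath (ECMP)."""
    addr = IPv4Address(ip)
    matches = [r for r in fwd if addr in r.dst]
    if not matches:
        return []
    longest = max(r.dst.prefixlen for r in matches)
    matches = [r for r in matches if r.dst.prefixlen == longest]
    lowest = min(r.priority for r in matches)
    return [r for r in matches if r.priority == lowest]


def egress_device(fwd: List[StaticRoute], ip: str) -> Optional[str]:
    """Interface a packet to ip leaves through; None if it is dropped
    (blackhole route or no route at all)."""
    chosen = lookup(fwd, ip)
    if not chosen or chosen[0].blackhole:
        return None
    return chosen[0].device  # first ECMP member; sessions may spread over the set


def passes_reverse_lookup(fwd: List[StaticRoute], src_ip: str, ingress_device: str) -> bool:
    """The reverse lookup from 'How routing decisions are made': the source
    address must be reachable through the interface the packet arrived on."""
    return any(r.device == ingress_device and not r.blackhole
               for r in lookup(fwd, src_ip))


# Constructed routing table: Figure 166/167 addresses plus made-up entries.
ROUTING_TABLE = [
    route("0.0.0.0/0.0.0.0", "192.168.10.1", "external", distance=5),   # always-up link
    route("0.0.0.0/0.0.0.0", "192.168.12.1", "wan2", distance=31),      # backup, constructed
    route("192.168.20.0/255.255.255.0", "192.168.10.1", "internal"),    # Network_1
    route("192.168.30.0/255.255.255.0", "192.168.11.1", "dmz"),         # Network_2
    route("10.10.0.0/16", "192.168.11.2", "dmz", priority=5),           # ECMP member
    route("10.10.0.0/16", "192.168.12.2", "wan2", priority=5),          # ECMP member
    route("10.10.0.0/16", "192.168.10.2", "internal", priority=20),     # loses on priority
    route("172.16.0.0/16", "192.168.10.3", "internal", distance=255),   # never installed
    route("192.168.99.0/24", blackhole=True),                            # unused subnet, dropped
]
FORWARDING_TABLE = forwarding_table(ROUTING_TABLE)

if __name__ == "__main__":
    for dst in ("203.0.113.9", "192.168.30.7", "10.10.3.4", "172.16.5.5", "192.168.99.1"):
        print(dst, "->", egress_device(FORWARDING_TABLE, dst))
```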

Static Route
You configure static routes by defining the destination IP address and netmask of packets
that you intend the FortiGate unit to intercept, and by specifying a (gateway) IP address
for those packets. The gateway address specifies the next-hop router to which traffic will
be routed.

Note: You can use the config router static6 CLI command to add, edit, or delete
static routes for IPv6 traffic. For more information, see the “router” chapter of the FortiGate
CLI Reference.

Working with static routes


The Static Route list displays information that the FortiGate unit compares to packet
headers in order to route packets. Initially, the list contains the factory configured static
default route. For more information, see “Default route and default gateway” on page 275.
You can add new entries manually.
When you add a static route to the Static Route list, the FortiGate unit performs a check to
determine whether a matching route and destination already exist in the FortiGate routing
table. If no match is found, the FortiGate unit adds the route to the routing table.
When IPv6 is enabled in the GUI, IPv6 routes are visible on the Static Route list.
Otherwise, IPv6 routes are not displayed. For more information on IPv6, see “FortiGate
IPv6 support” on page 224.

Note: Unless otherwise specified, static route examples and procedures are for IPv4 static
routes.

To view the static route list, go to Router > Static > Static Route.
Figure 165 shows the static route list belonging to a FortiGate unit that has interfaces
named “port1” and “port2”. The names of the interfaces on your FortiGate unit may be
different.


Figure 165: Static Route list when IPv6 is enabled in the GUI
[Screenshot: the list with the Expand Arrow and the Delete and Edit icons called out.]

Create New: Add a static route to the Static Route list. For more information, see “Adding a static route to the routing table” on page 278. Select the down arrow to create an IPv6 static route.
Route: Select the Expand Arrow to display or hide the IPv4 static routes. By default these routes are displayed. This is displayed only when IPv6 is enabled in the GUI.
IPv6 Route: Select the Expand Arrow to display or hide the IPv6 static routes. By default these routes are hidden. This is displayed only when IPv6 is enabled in the GUI.
IP/Mask: The destination IP addresses and network masks of packets that the FortiGate unit intercepts.
Gateway: The IP addresses of the next-hop routers to which intercepted packets are forwarded.
Device: The names of the FortiGate interfaces through which intercepted packets are received and sent.
Distance: The administrative distances associated with each route. The values represent distances to next-hop routers.
Delete and Edit icons: Delete or edit an entry in the list.

Default route and default gateway


In the factory default configuration, entry number 1 in the Static Route list is associated
with a destination address of 0.0.0.0/0.0.0.0, which means any/all destinations. This route
is called the “static default route”. If no other routes are present in the routing table and a
packet needs to be forwarded beyond the FortiGate unit, the factory configured static
default route causes the FortiGate unit to forward the packet to the default gateway.
To have such packets forwarded to the gateway on your own network, you must either edit
the factory configured static default route to specify a different default gateway for the
FortiGate unit, or delete the factory configured route and specify your own static default
route that points to the default gateway for the FortiGate unit.

Note: For network traffic to pass, even with the correct routes configured, you must have
the appropriate firewall policies. For details, see “Configuring firewall policies” on page 316.

For example, Figure 166 shows a FortiGate unit connected to a router. To ensure that all
outbound packets destined to any network beyond the router are routed to the correct
destination, you must edit the factory default configuration and make the router the default
gateway for the FortiGate unit.


Figure 166: Making a router the default gateway
[Diagram: Internet; Gateway Router 192.168.10.1; FortiGate_1 with interfaces external and internal; Internal network 192.168.20.0/24.]

To route outbound packets from the internal network to destinations that are not on
network 192.168.20.0/24, you would edit the default route and include the following
settings:
• Destination IP/mask: 0.0.0.0/0.0.0.0
• Gateway: 192.168.10.1
• Device: Name of the interface connected to network 192.168.10.0/24 (for example
“external”).
• Distance: 10
The Gateway setting specifies the IP address of the next-hop router interface to the
FortiGate external interface. The interface behind the router (192.168.10.1) is the default
gateway for FortiGate_1.
In some cases, there may be routers behind the FortiGate unit. If the destination IP
address of a packet is not on the local network but is on a network behind one of those
routers, the FortiGate routing table must include a static route to that network. For
example, in Figure 167, the FortiGate unit must be configured with static routes to
interfaces 192.168.10.1 and 192.168.11.1 in order to forward packets to Network_1 and
Network_2 respectively.


Figure 167: Destinations on networks behind internal routers
[Diagram: Internet; FortiGate_1 with interfaces internal 192.168.10.1 and dmz 192.168.11.1; Gateway Router_1 to Network_1 192.168.20.0/24; Gateway Router_2 to Network_2 192.168.30.0/24.]

To route packets from Network_1 to Network_2, Router_1 must be configured to use the
FortiGate internal interface as its default gateway. On the FortiGate unit, you would create
a new static route with these settings:
• Destination IP/mask: 192.168.30.0/24
• Gateway: 192.168.11.1
• Device: dmz
• Distance: 10
To route packets from Network_2 to Network_1, Router_2 must be configured to use the
FortiGate dmz interface as its default gateway. On the FortiGate unit, you would create a
new static route with these settings:
• Destination IP/mask: 192.168.20.0/24
• Gateway: 192.168.10.1
• Device: internal
• Distance: 10

Changing the gateway for the default route


The default gateway determines where packets matching the default route will be
forwarded.

Note: If you are using DHCP or PPPoE over a modem interface on your FortiGate unit,
you may have problems configuring a static route. After trying to either Renew your DHCP
lease or Reconnect the PPPoE connection, go to the CLI and enable dynamic-gateway
under config system interface for the modem interface. Doing this removes the need
to specify a gateway for this interface’s route. For more information, see the FortiGate
CLI Reference.


To change the gateway for the default route


1 Go to Router > Static > Static Route.
2 Select the Edit icon in row 1.
3 If the FortiGate unit reaches the next-hop router through an interface other than the
interface that is currently selected in the Device field, select the name of the interface
from the Device field.
4 In the Gateway field, type the IP address of the next-hop router to which outbound
traffic may be directed.
5 In the Distance field, optionally adjust the administrative distance value.
6 Select OK.

Adding a static route to the routing table


A route provides the FortiGate unit with the information it needs to forward a packet to a
particular destination. A static route causes packets to be forwarded to a destination other
than the default gateway.
You define static routes manually. Static routes control traffic exiting the FortiGate unit—
you can specify through which interface the packet will leave and to which device the
packet should be routed.

To add a static route entry


1 Go to Router > Static > Static Route.
2 Select Create New.
3 Enter the IP address and netmask.
For example, 172.1.2.0/255.255.255.0 would be a route for all addresses on the
subnet 172.1.2.x.
4 Enter the FortiGate unit interface closest to this subnet, or connected to it.
5 Enter the gateway IP address. Continuing with the example, 172.1.2.3 would be a
valid address.
6 Enter the administrative distance of this route.
The administrative distance allows you to weight one route to be preferred over
another. This is useful when one route is unreliable. For example, if route A has an
administrative distance of 10 and route B has an administrative distance of 30, the
preferred route is route A, because it has the smaller administrative distance. If you
discover that route A is unreliable, you can change the administrative distance for route A
from 10 to 40, which makes route B the preferred route.
7 Select OK to confirm and save your new static route.
When you add a static route through the web-based manager, the FortiGate unit assigns
the next unassigned sequence number to the route automatically and adds the entry to
the Static Route list.
Figure 168 shows the Edit Static Route dialog box belonging to a FortiGate unit that has
an interface named “internal”. The names of the interfaces on your FortiGate unit may be
different.


Figure 168: Edit Static Route

Destination IP/Mask Type the destination IP address and network mask of packets that the
FortiGate unit has to intercept. The value 0.0.0.0/0.0.0.0 is reserved for the
default route.
Gateway Type the IP address of the next-hop router to which the FortiGate unit will forward
intercepted packets.
Device Select the name of the FortiGate interface through which the intercepted packets
may be routed to the next-hop router.
Distance Type an administrative distance from 1 to 255 for the route. The distance value is
arbitrary and should reflect the distance to the next-hop router. A lower value
indicates a more preferred route.

Policy Route
A routing policy allows you to redirect traffic away from a static route. This can be useful if
you want to route certain types of network traffic differently. You can use incoming traffic’s
protocol, source address or interface, destination address, or port number to determine
where to send the traffic. For example, generally network traffic would go to the router of a
subnet, but you might want to direct SMTP or POP3 traffic addressed to that subnet
directly to the mail server.
If you have configured the FortiGate unit with routing policies and a packet arrives at the
FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to
match the packet with a policy. If a match is found and the policy contains enough
information to route the packet (a minimum of the IP address of the next-hop router and
the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet
using the information in the policy. If no policy route matches the packet, the FortiGate unit
routes the packet using the routing table.

Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.

Policy route options define which attributes of an incoming packet cause policy routing to
occur. If the attributes of a packet match all the specified conditions, the FortiGate unit
routes the packet through the specified interface to the specified gateway.
Figure 169 shows the policy route list belonging to a FortiGate unit that has interfaces
named “external” and “internal”. The names of the interfaces on your FortiGate unit may
be different.
To edit an existing policy route, see “Adding a policy route” on page 280.


Figure 169: Policy Route list

Create New Add a policy route. See “Adding a policy route” on page 280.
# The ID numbers of configured route policies. These numbers are sequential
unless policies have been moved within the table.
Incoming The interfaces on which packets subjected to route policies are received.
Outgoing The interfaces through which policy routed packets are routed.
Source The IP source addresses and network masks that cause policy routing to occur.
Destination The IP destination addresses and network masks that cause policy routing to
occur.
Delete icon Delete a policy route.
Edit icon Edit a policy route.
Move To icon After selecting this icon, enter the destination position in the window that
appears, and select OK.
For more information, see “Moving a policy route” on page 281.

Adding a policy route


To add a policy route, go to Router > Static > Policy Route and select Create New.
Figure 170 shows the New Routing Policy dialog box belonging to a FortiGate unit that
has interfaces named “external” and “internal”. The names of the interfaces on your
FortiGate unit may be different.

Figure 170: New Routing Policy

Protocol To perform policy routing based on the value in the protocol field of the
packet, enter the protocol number to match. The Internet Protocol Number is
found in the IP packet header, and RFC 5237 includes a list of the assigned
protocol numbers. The range is from 0 to 255. A value of 0 disables the
feature.
Incoming Interface Select the name of the interface through which incoming packets subjected to
the policy are received.


Source Address / Mask To perform policy routing based on the IP source address of the
packet, type the source address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination Address / Mask To perform policy routing based on the IP destination address
of the packet, type the destination address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination Ports To perform policy routing based on the port on which the packet is received,
type the same port number in the From and To fields. To apply policy routing
to a range of ports, type the starting port number in the From field and the
ending port number in the To field. A value of 0 disables this feature.
The Destination Ports fields are only used for TCP and UDP protocols. The
ports are skipped over for all other protocols.
Type of Service Enter a two-digit hexadecimal bit pattern to match against the packet’s
Type of Service field, or a two-digit hexadecimal bit mask to select which bits
are compared.
For example, to apply the policy to service 14, use a bit pattern of 0E. To
ignore all odd-numbered services, use a bit mask of 01.
Outgoing Interface Select the name of the interface through which packets affected by the policy
will be routed.
Gateway Address Type the IP address of the next-hop router that the FortiGate unit can access
through the specified interface. A value of 0.0.0.0 is not valid.

Moving a policy route


A routing policy is added to the bottom of the policy route table when it is created. If you
prefer one policy over another, move it to a different position in the table, because
policies are matched from the top down.
A choice between two policies arises when both match the same destination, for example
172.20.0.0/255.255.0.0 and 172.20.120.0/255.255.255.0. If both of these
routes are in the policy table, both match a packet to 172.20.120.112, but the second,
more specific entry is the better match. In that case the best-match route should be
positioned before the other route in the policy table.
In the case of two matches in the routing table, alternating sessions will use both routes in
a load balancing configuration. You can also manually assign priorities to routes. For two
matches in the routing table, the priority will determine which route is used. This feature is
available only through the CLI. For details, see FortiGate CLI Reference.
To change the position of a policy route in the table, go to Router > Static > Policy Route
and select Move To for the policy route you want to move.

Figure 171: Moving a policy route

Before/After Select Before to place the selected Policy Route before the indicated route.
Select After to place it following the indicated route.
Policy route ID Enter the Policy route ID of the route in the Policy route table to move the
selected route before or after.
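As an added illustration of the two-stage lookup described in this chapter (the policy route list walked top-down with the first match winning, then the routing table with longest prefix and administrative distance), here is a small Python model. It is example code written for this page, not FortiOS source: the field names mirror the GUI labels, the default gateway 203.0.113.1 on wan1 is constructed, and the Type of Service comparison (packet ToS ANDed with the mask, compared with the pattern) is an assumption about the GUI's semantics. The same block covers the Router_1/Router_2 static route example, the administrative-distance rule from "Adding a static route", and the ordering point from "Moving a policy route".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the FortiGate lookup order described in this chapter:
# walk the policy route list top-down (first match wins); if nothing matches,
# use the routing table (longest prefix, then lowest administrative
# distance). Illustrative code for this page, not FortiOS source.

@dataclass
class StaticRoute:
    dst: str            # destination prefix; "0.0.0.0/0" is the default route
    gateway: str        # next-hop router
    device: str         # outgoing FortiGate interface
    distance: int = 10  # administrative distance 1-255; lower is preferred

@dataclass
class PolicyRoute:
    output_device: str
    gateway: str
    input_device: Optional[str] = None  # None: any incoming interface
    protocol: int = 0                   # 0 disables the protocol match
    src: str = "0.0.0.0/0"              # 0.0.0.0/0.0.0.0 disables the match
    dst: str = "0.0.0.0/0"
    port_from: int = 0                  # 0 disables the destination-port match
    port_to: int = 0
    tos: int = 0x00                     # ToS bit pattern (two hex digits)
    tos_mask: int = 0x00                # ToS bit mask; 0 means ToS is ignored

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int       # IP protocol number: 1 = ICMP, 6 = TCP, 17 = UDP
    input_device: str
    dport: int = 0
    tos: int = 0

def _in(addr: str, prefix: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def best_static_route(table, dst_ip):
    """Longest-prefix match; among equal prefix lengths the lowest
    administrative distance wins. Returns None when nothing matches."""
    hits = [r for r in table if _in(dst_ip, r.dst)]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r.dst, strict=False).prefixlen,
                                    -r.distance))

def policy_matches(p: PolicyRoute, pkt: Packet) -> bool:
    if p.input_device and p.input_device != pkt.input_device:
        return False
    if p.protocol and p.protocol != pkt.protocol:
        return False
    if not _in(pkt.src, p.src) or not _in(pkt.dst, p.dst):
        return False
    # Destination ports are consulted only for TCP and UDP; for any other
    # protocol the port fields are skipped, so a port-only policy still
    # matches ICMP.
    if p.port_from and pkt.protocol in (6, 17):
        if not p.port_from <= pkt.dport <= p.port_to:
            return False
    # Assumed ToS semantics: the packet's ToS byte ANDed with the mask must
    # equal the pattern's masked bits; a mask of 0 disables the check.
    if p.tos_mask and (pkt.tos & p.tos_mask) != (p.tos & p.tos_mask):
        return False
    return True

def route_packet(policies, table, pkt):
    """Returns (source, policy_number, device, gateway)."""
    for n, p in enumerate(policies, start=1):
        if policy_matches(p, pkt):
            return ("policy", n, p.output_device, p.gateway)
    r = best_static_route(table, pkt.dst)
    if r is None:
        return ("unroutable", None, None, None)
    return ("static", None, r.device, r.gateway)

# Static routes from the Router_1/Router_2 example plus a constructed default
# gateway (203.0.113.1 on wan1).
STATIC = [
    StaticRoute("0.0.0.0/0", "203.0.113.1", "wan1"),
    StaticRoute("192.168.30.0/24", "192.168.11.1", "dmz"),
    StaticRoute("192.168.20.0/24", "192.168.10.1", "internal"),
]

# Policy routes. The /24 sits above the /16 so the more specific entry wins
# for 172.20.120.112 (first match, not longest match). Policy 3 was meant
# for SMTP, but Protocol is 0 (any), so ICMP also matches it.
POLICIES = [
    PolicyRoute("dmz", "192.168.11.1", dst="172.20.120.0/24"),
    PolicyRoute("internal", "192.168.10.1", dst="172.20.0.0/16"),
    PolicyRoute("dmz", "192.168.11.25", dst="192.168.30.0/24",
                port_from=25, port_to=25),
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.1", "172.20.120.112", 6, "internal", 80),
                Packet("10.0.0.1", "192.168.30.10", 1, "internal")):
        print(pkt.dst, "->", route_packet(POLICIES, STATIC, pkt))
```

Two things worth noticing when running it. Swapping the first two policies makes the /16 entry catch 172.20.120.112, which is why the more specific policy has to sit first. And the third policy, intended for SMTP, also sends ICMP to the mail-server next hop because the port condition is skipped for non-TCP/UDP traffic; setting Protocol to 6 closes that gap.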



Router Dynamic
This section explains how to configure dynamic protocols to route traffic through large or
complex networks. Dynamic routing protocols enable the FortiGate unit to automatically
share information about routes with neighboring routers and learn about routes and
networks advertised by them. The FortiGate unit supports these dynamic routing
protocols:
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP).

The FortiGate unit selects routes and updates its routing table dynamically based on the
rules you specify. Given a set of rules, the unit can determine the best route or path for
sending packets to a destination. You can also define rules to suppress the advertising of
routes to neighboring routers and change FortiGate routing information before it is
advertised.
If you enable virtual domains (VDOMs) on the FortiGate unit, dynamic routing is
configured separately for each virtual domain. For details, see “Using virtual domains” on
page 103.

Note: A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2
router in the root virtual domain. FortiGate units support PIM sparse mode and dense mode
and can service multicast servers or receivers on the network segment to which a FortiGate
interface is connected. PIM can use static routes, RIP, OSPF, or BGP to forward multicast
packets to their destinations.

Bidirectional Forwarding Detection (BFD) is a protocol that works with BGP and OSPF to
quickly detect routers on the network that cannot be contacted, and to re-route traffic
accordingly until those routers can be contacted again.
A useful part of the FortiOS web-based management interface is the customizable menus
and widgets. These widgets include the following routing widgets: access list, distribute
list, key chain, offset list, prefix list, and route map. For more information on these routing
widgets, see “Customizable routing widgets” on page 303.
This section describes:
• RIP
• OSPF
• BGP
• Multicast
• Bi-directional Forwarding Detection (BFD)
• Customizable routing widgets


RIP
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small,
relatively homogeneous networks. The FortiGate implementation of RIP supports RIP
version 1 (see RFC 1058) and RIP version 2 (see RFC 2453).

How RIP works


When RIP is enabled, the FortiGate unit broadcasts requests for RIP updates from each
of its RIP-enabled interfaces. Neighboring routers respond with information from their
routing tables. The FortiGate unit adds routes from neighbors to its own routing table only
if those routes are not already recorded in the routing table. When a route already exists in
the routing table, the unit compares the advertised route to the recorded route and
chooses the shortest route for the routing table.
RIP uses hop count as the metric for choosing the best route. A hop count of 1 represents
a network that is connected directly to the unit, while a hop count of 16 represents a
network that the FortiGate unit cannot reach. Each network that a packet travels through
to reach its destination usually counts as one hop. When the FortiGate unit compares two
routes to the same destination, it adds the route having the lowest hop count to the routing
table.
Similarly, when RIP is enabled on an interface, the FortiGate unit sends RIP responses to
neighboring routers on a regular basis. The updates provide information about the routes
in the FortiGate routing table, subject to the rules that you specify for advertising those
routes. You can specify how often the FortiGate unit sends updates, how long a route can
be kept in the routing table without being updated, and, for routes that are not updated
regularly, how long the unit advertises the route as unreachable before it is removed from
the routing table.

Viewing and editing basic RIP settings


When you configure RIP settings, you have to specify the networks that are running RIP
and specify any additional settings needed to adjust RIP operation on the FortiGate
interfaces that are connected to the RIP-enabled network.
To view and edit RIP settings go to Router > Dynamic > RIP.
Figure 172 shows the basic RIP settings on a FortiGate unit that has interfaces named
“dmz” and “external”. The names of the interfaces on your FortiGate unit may be different.


Figure 172: Basic RIP settings

RIP Version Select the level of RIP compatibility needed at the FortiGate unit. You can
enable global RIP settings on all FortiGate interfaces connected to RIP-
enabled networks:
1 — send and receive RIP version 1 packets.
2 — send and receive RIP version 2 packets.
You can override the global settings for a specific FortiGate interface if
required. For more information, see “Configuring a RIP-enabled interface” on
page 287.
Advanced Options Select the Expand Arrow to view or hide advanced RIP options. For more
information, see “Selecting advanced RIP options” on page 286.
Networks The IP addresses and network masks of the major networks (connected to the
FortiGate unit) that run RIP. When you add a network to the Networks list, the
FortiGate interfaces that are part of the network are advertised in RIP updates.
You can enable RIP on all FortiGate interfaces whose IP addresses match the
RIP network address space.
IP/Netmask Enter the IP address and netmask that defines the RIP-enabled network.
Add Select to add the network information to the Networks list.
Interfaces Any additional settings needed to adjust RIP operation on a FortiGate
interface.
Create New Add new RIP operating parameters for an interface. These parameters will
override the global RIP settings for that interface. For more information, see
“Configuring a RIP-enabled interface” on page 287.
Interface The name of the unit RIP interface.
Send Version The version of RIP used to send updates through each interface: 1, 2, or both.
Receive Version The versions of RIP used to listen for updates on each interface: 1, 2, or both.
Authentication The type of authentication used on this interface: None, Text or MD5.
Passive Permissions for RIP broadcasts on this interface. A green checkmark means
the RIP broadcasts are blocked.


Delete and Edit icons Delete or edit a RIP network entry or a RIP interface definition.

Selecting advanced RIP options


With advanced RIP options, you can specify settings for RIP timers and define metrics for
redistributing routes that the FortiGate unit learns through some means other than RIP
updates. For example, if the unit is connected to an OSPF or BGP network or you add a
static route to the FortiGate routing table manually, you can configure the unit to advertise
those routes on RIP-enabled interfaces.
To select advanced RIP options, go to Router > Dynamic > RIP and expand Advanced
Options. After you select the options, select Apply.

Note: You can configure additional advanced options through customizable GUI widgets,
and the CLI. For example, you can filter incoming or outgoing updates by using a route
map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add
the specified offset to the metric of a route. For more information on customizable GUI
widgets, see “Customizable routing widgets” on page 303. For more information on CLI
routing commands, see the “router” chapter of the FortiGate CLI Reference.

Figure 173: Advanced Options (RIP)

RIP Version Select the version of RIP packets to send and receive.
Advanced Options Select the Expand Arrow to view or hide advanced options.
Default Metric Enter the default hop count that the FortiGate unit should assign to routes
that are added to the FortiGate routing table. The range is from 1 to 16. This
metric is the hop count, with 1 being best or shortest.
This value also applies to Redistribute unless otherwise specified.
Default-information-originate Select to generate and advertise a default route into the
FortiGate unit’s RIP-enabled networks. The generated route may be based on
routes learned through a dynamic routing protocol, routes in the routing table, or both.
RIP Timers Enter new values to override the default RIP timer settings. The default
settings are effective in most configurations — if you change these settings,
ensure that the new settings are compatible with local routers and access
servers.
If the Update timer is larger than the Timeout or Garbage timer, you will get an
error.
Update Enter the amount of time (in seconds) that the FortiGate unit will wait
between sending RIP updates.


Timeout Enter the maximum amount of time (in seconds) that a route is considered
reachable while no updates are received for the route. This is the maximum
time the FortiGate unit will keep a reachable route in the routing table while
no updates for that route are received. If the FortiGate unit receives an
update for the route before the timeout period expires, the timer is restarted.
The Timeout period should be at least three times longer than the Update
period.
Garbage Enter the amount of time (in seconds) that the FortiGate unit will advertise a
route as being unreachable before deleting the route from the routing table.
The value determines how long an unreachable route is kept in the routing
table.
Redistribute Select one or more of the options to redistribute RIP updates about routes
that were not learned through RIP. The FortiGate unit can use RIP to
redistribute routes learned from directly connected networks, static routes,
OSPF, and BGP.
Connected Select to redistribute routes learned from directly connected networks. To
specify a hop count for those routes, select Metric, and enter the hop count
in the Metric field. The valid hop count range is from 1 to 16.
Static Select to redistribute routes learned from static routes. To specify a hop
count for those routes, select Metric, and enter the hop count in the Metric
field. The range is from 1 to 16.
OSPF Select to redistribute routes learned through OSPF. To specify a hop count
for those routes, select Metric, and enter the hop count in the Metric field.
The range is from 1 to 16.
BGP Select to redistribute routes learned through BGP. To specify a hop count for
those routes, select Metric, and enter the hop count in the Metric field. The
range is from 1 to 16.
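To make the hop-count rule in "How RIP works" and the Update, Timeout and Garbage entries above concrete, here is an added Python model that is not part of the guide or of FortiOS. Routes learned from neighbors are installed only when shorter than what is already known, a route with no update within Timeout is advertised as unreachable (metric 16) for the Garbage period and then deleted, and timer combinations that contradict the guidance above (Update shorter than Timeout and Garbage, Timeout at least three times Update) are rejected. Neighbor names, prefixes and clock values are constructed.

```python
UNREACHABLE = 16  # RIP "infinity": a hop count of 16 means the network is unreachable

def validate_timers(update, timeout, garbage):
    """Reject timer combinations the guide warns against: Update must be
    shorter than both Timeout and Garbage, and Timeout should be at least
    three times the Update period (enforced strictly here)."""
    if min(update, timeout, garbage) <= 0:
        raise ValueError("RIP timers must be positive")
    if update >= timeout or update >= garbage:
        raise ValueError("Update timer must be smaller than Timeout and Garbage")
    if timeout < 3 * update:
        raise ValueError("Timeout should be at least three times Update")
    return update, timeout, garbage

def timers_are_valid(update, timeout, garbage):
    try:
        validate_timers(update, timeout, garbage)
        return True
    except ValueError:
        return False

class RipTable:
    """Constructed model of the RIP behaviour described above (not FortiOS
    code). `now` is a clock in seconds supplied by the caller."""

    def __init__(self, update=30, timeout=180, garbage=120):
        self.update, self.timeout, self.garbage = validate_timers(update, timeout, garbage)
        self.routes = {}  # prefix -> {"metric", "next_hop", "expires", "garbage_at"}

    def _install(self, prefix, neighbor, metric, now):
        self.routes[prefix] = {"metric": metric, "next_hop": neighbor,
                               "expires": now + self.timeout, "garbage_at": None}

    def _start_garbage(self, route, now):
        # Advertise the route as unreachable for Garbage seconds, then delete it.
        route["metric"] = UNREACHABLE
        route["expires"] = None
        route["garbage_at"] = now + self.garbage

    def learn(self, prefix, neighbor, advertised_metric, now):
        """Process one route from a neighbor's RIP response. Each network
        crossed counts as a hop, so the neighbor's metric is incremented."""
        metric = min(advertised_metric + 1, UNREACHABLE)
        cur = self.routes.get(prefix)
        if cur is None:
            if metric < UNREACHABLE:          # never install an unreachable route
                self._install(prefix, neighbor, metric, now)
        elif neighbor == cur["next_hop"]:
            # The current next hop re-advertised the route: accept its metric
            # and restart Timeout, or start Garbage if it now says unreachable.
            if metric < UNREACHABLE:
                cur["metric"] = metric
                cur["expires"] = now + self.timeout
                cur["garbage_at"] = None
            elif cur["garbage_at"] is None:
                self._start_garbage(cur, now)
        elif metric < cur["metric"]:
            # Another neighbor offers a shorter route: replace the entry.
            self._install(prefix, neighbor, metric, now)

    def tick(self, now):
        """Expire timers; returns the prefixes deleted at this tick."""
        deleted = []
        for prefix, route in list(self.routes.items()):
            if route["expires"] is not None and now >= route["expires"]:
                self._start_garbage(route, now)
            if route["garbage_at"] is not None and now >= route["garbage_at"]:
                del self.routes[prefix]
                deleted.append(prefix)
        return deleted

    def advertisement(self):
        """What goes into the next RIP response: every route, including those
        currently advertised as unreachable (metric 16)."""
        return {p: r["metric"] for p, r in self.routes.items()}

if __name__ == "__main__":
    table = RipTable()
    table.learn("10.1.0.0/16", "R1", 2, now=0)     # constructed neighbor R1
    table.learn("10.1.0.0/16", "R2", 1, now=10)    # R2 is one hop closer
    for now in (10, 190, 310):
        table.tick(now)
        print(now, table.advertisement())
```

With the default timers (30/180/120) the trace shows the route learned from R2 with metric 2, flipping to 16 once 180 seconds pass with no update, and disappearing 120 seconds later. Because a neighbor's metric is incremented on receipt, an advertised 15 arrives as 16 and is never installed.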

Configuring a RIP-enabled interface


You can use RIP interface options to override the global RIP settings that apply to all
FortiGate unit interfaces connected to RIP-enabled networks. For example, if you want to
suppress RIP advertising on an interface that is connected to a subnet of a RIP-enabled
network, you can set the interface to operate passively. Passive interfaces listen for RIP
updates but do not respond to RIP requests.
If RIP version 2 is enabled on the interface, you can optionally choose password
authentication to ensure that the FortiGate unit authenticates a neighboring router before
accepting updates from that router. The unit and the neighboring router must both be
configured with the same password. Authentication guarantees the authenticity of the
update packet, not the confidentiality of the routing information in the packet.
To set specific RIP operating parameters for a RIP-enabled interface, go to Router >
Dynamic > RIP and select Create New.

Note: Additional options such as split-horizon and key-chains can be configured per
interface through the CLI. For more information, see the “router” chapter of the FortiGate
CLI Reference or the Fortinet Knowledge Center.

Figure 174 shows the New/Edit RIP Interface dialog box belonging to a FortiGate unit that
has an interface named “internal”. The names of the interfaces on your FortiGate unit may
be different.


Figure 174: New/Edit RIP Interface

Interface Select the name of the FortiGate interface to which these settings apply. The
interface must be connected to a RIP-enabled network. The interface can be a
virtual IPSec or GRE interface.
Send Version, Receive Version Select to override the default RIP-compatibility setting for
sending and receiving updates through the interface: RIP version 1, version 2, or Both.
Authentication Select an authentication method for RIP exchanges on the specified interface:
None — Disable authentication.
Text — Select if the interface is connected to a network that runs RIP version
2. Type a password (up to 35 characters) in the Password field. The FortiGate
unit and the RIP updates router must both be configured with the same
password. The password is sent in clear text over the network.
MD5 — Authenticate the exchange using MD5.
Passive Interface Select to suppress the advertising of FortiGate unit routing information over
the specified interface. Clear the check box to allow the interface to respond
normally to RIP requests.

OSPF
Open Shortest Path First (OSPF) is a link-state routing protocol that is most often used in
large heterogeneous networks to share routing information among routers in the same
Autonomous System (AS). FortiGate units support OSPF version 2 (see RFC 2328).
The main benefit of OSPF is that it advertises routes only when neighbors change state
instead of at timed intervals, so routing overhead is reduced.

How OSPF works


An OSPF network consists of one or more Autonomous Systems (ASes). An OSPF AS is
typically divided into logical areas linked by Area Border Routers. A group of contiguous
networks forms an area. An Area Border Router (ABR) links one or more ASes to the
OSPF network backbone (area ID 0). For information on configuring an OSPF AS, see
“Defining an OSPF AS—Overview” on page 289.
When a FortiGate unit interface is connected to an OSPF area, that unit can participate in
OSPF communications. FortiGate units use the OSPF Hello protocol to acquire neighbors
in an area. A neighbor is any router that is directly connected to the same area as the
FortiGate unit. After initial contact, the FortiGate unit exchanges Hello packets with its
OSPF neighbors regularly to confirm that the neighbors can be reached.
OSPF-enabled routers generate Link-State Advertisements (LSAs) and send them to their
neighbors whenever the status of a neighbor changes or a new neighbor comes online. As
long as the OSPF network is stable, no LSAs are exchanged between OSPF neighbors. An
LSA identifies the interfaces of all OSPF-enabled routers in an area, and provides
information that enables OSPF-enabled routers to select the shortest path to a destination.
All LSA exchanges between OSPF-enabled routers are authenticated.


The FortiGate unit maintains a database of link-state information based on the
advertisements that it receives from OSPF-enabled routers. To calculate the best route
(shortest path) to a destination, the FortiGate unit applies the Shortest Path First (SPF)
algorithm to the accumulated link-state information. OSPF uses a relative path-cost metric
for choosing the best route. The path cost can be any metric, but is typically the speed of
the path, that is, how fast traffic will get from one point to another. The path cost, similar
to “distance” for RIP, imposes a penalty on the outgoing direction of a FortiGate interface.
The path cost of a route is calculated by adding together all of the costs associated with
the outgoing interfaces along the path to a destination. The lowest overall path cost
indicates the best route, and generally the fastest route.

Note: Inter-area routes may not be calculated when a Cisco-type ABR has no fully
adjacent neighbor in the backbone area. In this situation, the router considers
summary-LSAs from all actively attached areas (RFC 3509).

The FortiGate unit dynamically updates its routing table based on the results of the SPF
calculation to ensure that an OSPF packet will be routed using the shortest path to its
destination. Depending on the network topology, the entries in the FortiGate routing table
may include:
• the addresses of networks in the local OSPF area (to which packets are sent directly)
• routes to OSPF area border routers (to which packets destined for another area are
sent)
• if the network contains OSPF areas and non-OSPF domains, routes to AS boundary
routers, which reside on the OSPF network backbone and are configured to forward
packets to destinations outside the OSPF AS.
The number of routes that a FortiGate unit can learn through OSPF depends on the
network topology. A single unit can support tens of thousands of routes if the OSPF
network is configured properly.
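The SPF calculation described above, as an added Python example that is not FortiOS code: Dijkstra's algorithm over a constructed link-state graph in which each edge carries the cost of the outgoing interface, so the two directions of one link may carry different costs and the direct link to a neighbor is not always the cheapest path to it. The interface_cost helper uses the common reference-bandwidth convention (100 Mbps divided by the interface bandwidth), which is an assumption rather than a formula from the guide; router names and prefixes are constructed.

```python
import heapq
from itertools import count

def interface_cost(bandwidth_mbps, reference_mbps=100):
    """Common OSPF convention (assumed here, not the guide's own formula):
    cost = reference bandwidth / interface bandwidth, minimum 1, so a faster
    outgoing interface gets a lower cost."""
    return max(1, reference_mbps // bandwidth_mbps)

def shortest_paths(links, source):
    """Shortest Path First (Dijkstra) over a directed link-state graph.
    links[router] is a list of (neighbor, cost) pairs, cost being that of the
    outgoing interface toward the neighbor. Returns
    {router: (total_cost, next_hop)}; next_hop is the first router after
    `source` on the best path (None for `source` itself)."""
    best = {source: (0, None)}
    seq = count()  # tie-breaker so the heap never compares next-hop names
    heap = [(0, next(seq), source, None)]
    while heap:
        cost, _, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale entry superseded by a cheaper path
        for nbr, link_cost in links.get(node, []):
            new_cost = cost + link_cost
            hop = nbr if node == source else first_hop
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, next(seq), nbr, hop))
    return best

def routing_table(links, source, attached):
    """Derive routing-table entries from the SPF result. `attached` maps a
    network prefix to the router it hangs off; networks on `source` itself
    come out as directly connected (cost 0, no next hop)."""
    spf = shortest_paths(links, source)
    return {prefix: spf[router] for prefix, router in attached.items() if router in spf}

# Constructed topology; every cost is that of the outgoing interface:
#   FGT -1-> R1 -5-> R3,  FGT -10-> R2,  R2 <-1-> R3
LINKS = {
    "FGT": [("R1", interface_cost(100)), ("R2", interface_cost(10))],
    "R1":  [("FGT", 1), ("R3", 5)],
    "R2":  [("FGT", 10), ("R3", 1)],
    "R3":  [("R1", 5), ("R2", 1)],
}
ATTACHED = {"10.1.0.0/24": "R1", "10.2.0.0/24": "R2", "10.3.0.0/24": "R3"}

if __name__ == "__main__":
    for prefix, (cost, hop) in routing_table(LINKS, "FGT", ATTACHED).items():
        print(f"{prefix:14} cost {cost:2} via {hop}")
```

From FGT the path to R2 costs 7 through R1 and R3, cheaper than the direct 10-cost link, so the routing table sends 10.2.0.0/24 via R1. Run from R2, the best path back to FGT is likewise the three-hop route, which illustrates why per-interface costs matter in both directions.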

Defining an OSPF AS—Overview


Defining an OSPF Autonomous System (AS) involves:
• defining the characteristics of one or more OSPF areas
• creating associations between the OSPF areas that you defined and the local networks
to include in the OSPF AS
• if required, adjusting the settings of OSPF-enabled interfaces.
If you are using the web-based manager to perform these tasks, follow the procedures
summarized below.

To define an OSPF AS
1 Go to Router > Dynamic > OSPF.
2 Under Areas, select Create New.
3 Define the characteristics of one or more OSPF areas. See “Defining OSPF areas” on
page 292.
4 Under Networks, select Create New.
5 Create associations between the OSPF areas that you defined and the local networks
to include in the OSPF AS. See “Specifying OSPF networks” on page 294.
6 If you need to adjust the default settings of an OSPF-enabled interface, select Create
New under Interfaces.


7 Select the OSPF operating parameters for the interface. See “Selecting operating
parameters for an OSPF interface” on page 294.
Repeat steps 6 and 7 for any additional OSPF-enabled interfaces.
8 Optionally select advanced OSPF options for the OSPF AS. See “Selecting advanced
OSPF options” on page 291.
9 Select Apply.

Configuring basic OSPF settings


When you configure OSPF settings, you have to define the AS in which OSPF is enabled
and specify which of the FortiGate interfaces participate in the AS. As part of the AS
definition, you specify the AS areas and which networks to include in those areas.
You may optionally adjust the settings associated with OSPF operation on the FortiGate
interfaces.
To view and edit OSPF settings, go to Router > Dynamic > OSPF.
Figure 175 shows the basic OSPF settings on a FortiGate unit that has an interface
named “port1”. The names of the interfaces on your FortiGate unit may be different.

Figure 175: Basic OSPF settings

Router ID Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
By convention, the router ID is the numerically highest IP address assigned to
any of the FortiGate interfaces in the OSPF AS.
If you change the router ID while OSPF is configured on an interface, all
connections to OSPF neighbors will be broken temporarily. The connections
will re-establish themselves.
If Router ID is not explicitly set, the highest IP address of the VDOM or unit
will be used.
Advanced Options Select the Expand Arrow to view or hide advanced OSPF settings. For more
information, see “Selecting advanced OSPF options” on page 291.
Areas Information about the areas making up an OSPF AS. The header of an OSPF
packet contains an area ID, which helps to identify the origination of a packet
inside the AS.
Create New Define and add a new OSPF area to the Areas list. For more information, see
“Defining OSPF areas” on page 292.


Area: The unique 32-bit identifiers of areas in the AS, in dotted-decimal notation. Area ID 0.0.0.0 references the backbone of the AS and cannot be changed or deleted.
Type: The types of areas in the AS:
• Regular - a normal OSPF area
• NSSA - a not so stubby area
• Stub - a stub area.
For more information, see “Defining OSPF areas” on page 292.
Authentication: The methods for authenticating OSPF packets sent and received through all FortiGate interfaces linked to each area:
None — authentication is disabled
Text — text-based authentication is enabled
MD5 — MD5 authentication is enabled.
A different authentication setting may apply to some of the interfaces in an area, as displayed under Interfaces. For example, if an area employs simple passwords for authentication, you can configure a different password for one or more of the networks in that area.
Networks: The networks in the OSPF AS and their area IDs. When you add a network to the Networks list, all FortiGate interfaces that are part of the network are advertised in OSPF link-state advertisements. You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF network address space. For more information, see “Specifying OSPF networks” on page 294.
Create New: Add a network to the AS, specify its area ID, and add the definition to the Networks list.
Network: The IP addresses and network masks of networks in the AS on which OSPF runs. The FortiGate unit may have physical or VLAN interfaces connected to the network.
Area: The area IDs that have been assigned to the OSPF network address space.
Interfaces: Any additional settings needed to adjust OSPF operation on a FortiGate interface. For more information, see “Selecting operating parameters for an OSPF interface” on page 294.
Create New: Create additional or different OSPF operating parameters for a unit interface and add the configuration to the Interfaces list.
Name: The names of OSPF interface definitions.
Interface: The names of FortiGate physical or VLAN interfaces having OSPF settings that differ from the default values assigned to all other interfaces in the same area.
IP: The IP addresses of the OSPF-enabled interfaces having additional or different settings.
Authentication: The methods for authenticating LSA exchanges sent and received on specific OSPF-enabled interfaces. These settings override the area Authentication settings.
Delete and Edit icons: Delete or edit an OSPF area entry, network entry, or interface definition. The icons are visible only when there are entries in the Areas, Networks, and Interfaces sections.

Selecting advanced OSPF options


By selecting advanced OSPF options, you can specify metrics for redistributing routes that
the FortiGate unit learns through some means other than OSPF link-state advertisements.
For example, if the FortiGate unit is connected to a RIP or BGP network or you add a
static route to the FortiGate routing table manually, you can configure the unit to advertise
those routes on OSPF-enabled interfaces.
To select advanced OSPF options, go to Router > Dynamic > OSPF and expand Advanced
Options. After you select the options, select Apply.


Figure 176: Advanced Options (OSPF)


Router ID: Enter a unique router ID to identify the FortiGate unit to other OSPF routers.
Expand Arrow: Select to view or hide Advanced Options.
Default Information: Generate and advertise a default (external) route to the OSPF AS. You may base the generated route on routes learned through a dynamic routing protocol, routes in the routing table, or both.
None: Prevent the generation of a default route.
Regular: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems only if the route is stored in the FortiGate routing table.
Always: Generate a default route into the OSPF AS and advertise the route to neighboring autonomous systems unconditionally, even if the route is not stored in the FortiGate routing table.
Redistribute: Select one or more of the options listed to redistribute OSPF link-state advertisements about routes that were not learned through OSPF. The FortiGate unit can use OSPF to redistribute routes learned from directly connected networks, static routes, RIP, and BGP.
Connected: Select to redistribute routes learned from directly connected networks. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
Static: Select to redistribute routes learned from static routes. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
RIP: Select to redistribute routes learned through RIP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.
BGP: Select to redistribute routes learned through BGP. Enter a cost for those routes in the Metric field. The range is from 1 to 16 777 214.

Note: You can configure additional advanced options through customizable GUI widgets
and the CLI. For example, you can filter incoming or outgoing updates by using a route
map, an access list, or a prefix list. The FortiGate unit also supports offset lists, which add
the specified offset to the metric of a route. For more information on customizable GUI
widgets, see “Customizable routing widgets” on page 303. For more information on CLI
routing commands, see the “router” chapter of the FortiGate CLI Reference.

Defining OSPF areas


An area logically defines part of the OSPF AS. Each area is identified by a 32-bit area ID
expressed in dotted-decimal notation, for example 192.168.0.1. Area ID 0.0.0.0 is
reserved for the OSPF network backbone. You can classify the remaining areas of an AS
as regular, stub, or NSSA.
A regular area contains more than one router, each having at least one OSPF-enabled
interface to the area.


To reach the OSPF backbone, the routers in a stub area must send packets to an area
border router. Routes leading to non-OSPF domains are not advertised to the routers in
stub areas. The area border router advertises to the OSPF AS a single default route
(destination 0.0.0.0) into the stub area, which ensures that any OSPF packet that cannot
be matched to a specific route will match the default route. Any router connected to a stub
area is considered part of the stub area.
In a Not-So-Stubby Area (NSSA), routes that lead out of the area into a non-OSPF domain
are made known to the OSPF AS. However, the area itself continues to be treated like a stub
area by the rest of the AS.
Regular areas and stub areas (including not-so-stubby areas) are connected to the OSPF
backbone through area border routers.
To define an OSPF area, go to Router > Dynamic > OSPF, and then under Areas, select
Create New. To edit the attributes of an OSPF area, go to Router > Dynamic > OSPF and
select the Edit icon in the row that corresponds to the area.

Note: If required, you can define a virtual link to an area that has lost its physical
connection to the OSPF backbone. Virtual links can be set up only between two FortiGate
units that act as area border routers. For more information on virtual links, see the
FortiGate CLI Reference.

Figure 177: New/Edit OSPF Area

Area: Type a 32-bit identifier for the area. The value must resemble an IP address in dotted-decimal notation. Once you have created the OSPF area, the area ID value cannot be changed; you must delete the area and create it again.
Type: Select an area type to classify the characteristics of the network that will be assigned to the area:
Regular — If the area contains more than one router, each having at least one OSPF-enabled interface to the area.
NSSA — If you want routes to external non-OSPF domains made known to the OSPF AS and you want the area to be treated like a stub area by the rest of the AS.
STUB — If the routers in the area must send packets to an area border router in order to reach the backbone and you do not want routes to non-OSPF domains to be advertised to the routers in the area.
Authentication: Select the method for authenticating OSPF packets sent and received through all interfaces in the area:
None — Disable authentication.
Text — Authenticate LSA exchanges using a plain-text password. The password is sent in clear text over the network.
MD5 — Enable MD5-based authentication using an MD5 cryptographic hash (RFC 1321).
If required, you can override this setting for one or more of the interfaces in the area. For more information, see “Selecting operating parameters for an OSPF interface” on page 294.


Note: To assign a network to the area, see “Specifying OSPF networks” on page 294.

Specifying OSPF networks


OSPF areas group a number of contiguous networks together. When you assign an area
ID to a network address space, the attributes of the area are associated with the network.
To assign an OSPF area ID to a network, go to Router > Dynamic > OSPF, and then
under Networks, select Create New. To change the OSPF area ID assigned to a network,
go to Router > Dynamic > OSPF and select the Edit icon in the row that corresponds to
the network.

Figure 178: New/Edit OSPF Network

IP/Netmask: Enter the IP address and network mask of the local network that you want to assign to an OSPF area.
Area: Select an area ID for the network. The attributes of the area must match the characteristics and topology of the specified network. You must define the area before you can select the area ID. For more information, see “Defining OSPF areas” on page 292.

Selecting operating parameters for an OSPF interface


An OSPF interface definition contains specific operating parameters for a FortiGate
OSPF-enabled interface. The definition includes the name of the interface (for example,
external or VLAN_1), the IP address assigned to the interface, the method for
authenticating LSA exchanges through the interface, and timer settings for sending and
receiving OSPF Hello and dead-interval packets.
You can enable OSPF on all FortiGate interfaces whose IP addresses match the OSPF-
enabled network space. For example, define an area of 0.0.0.0 and the OSPF network as
10.0.0.0/16. Then define vlan1 as 10.0.1.1/24, vlan2 as 10.0.2.1/24 and vlan3 as
10.0.3.1/24. All three VLANs can run OSPF in area 0.0.0.0. To enable all interfaces, you
would create an OSPF network of 0.0.0.0/0.
You can configure different OSPF parameters for the same FortiGate interface when more
than one IP address has been assigned to the interface. For example, the same FortiGate
interface could be connected to two neighbors through different subnets. You could
configure an OSPF interface definition containing one set of Hello and dead-interval
parameters for compatibility with one neighbor’s settings, and a second OSPF interface
definition for the same interface to ensure compatibility with the second neighbor’s
settings.
To select OSPF operating parameters for a FortiGate interface, go to Router > Dynamic >
OSPF, and then under Interfaces, select Create New. To edit the operating parameters of
an OSPF-enabled interface, go to Router > Dynamic > OSPF and select the Edit icon in
the row that corresponds to the OSPF-enabled interface.


Figure 179 shows the New/Edit OSPF Interface dialog box belonging to a FortiGate unit
that has an interface named “port1”. The interface names on your FortiGate unit may
differ.

Figure 179: New/Edit OSPF Interface


Name: Enter a name to identify the OSPF interface definition. For example, the name could indicate to which OSPF area the interface will be linked.
Interface: Select the name of the FortiGate interface to associate with this OSPF interface definition (for example, port1, external, or VLAN_1). The FortiGate unit can have physical, VLAN, virtual IPSec or GRE interfaces connected to the OSPF-enabled network.
IP: Enter the IP address that has been assigned to the OSPF-enabled interface. The interface becomes OSPF-enabled because its IP address matches the OSPF network address space. For example, if you defined an OSPF network of 172.20.120.0/24 and port1 has been assigned the IP address 172.20.120.140, type 172.20.120.140.
Authentication: Select an authentication method for LSA exchanges on the specified interface:
None — Disable authentication.
Text — Authenticate LSA exchanges using a plain-text password. The password can be up to 35 characters, and is sent in clear text over the network.
MD5 — Use one or more keys to generate an MD5 cryptographic hash.
Password: Enter the plain-text password. Enter an alphanumeric value of up to 15 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical password. This field is available only if you selected plain-text authentication.
MD5 Keys: Enter the key identifier for the (first) password in the ID field (the range is from 1 to 255) and then type the associated password in the Key field. The password is a 128-bit hash, represented by an alphanumeric string of up to 16 characters. The OSPF neighbors that send link-state advertisements to this FortiGate interface must be configured with an identical MD5 key. If the OSPF neighbor uses more than one password to generate the MD5 hash, select the Add icon to add additional MD5 keys to the list. This field is available only if you selected MD5 authentication.


Hello Interval: Optionally, set the Hello Interval to be compatible with the Hello Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits between sending Hello packets through this interface.
Dead Interval: Optionally, set the Dead Interval to be compatible with the Dead Interval settings on all OSPF neighbors. This setting defines the period of time (in seconds) that the FortiGate unit waits to receive a Hello packet from an OSPF neighbor through the interface. If the FortiGate unit does not receive a Hello packet within the specified amount of time, the FortiGate unit declares the neighbor inaccessible. By convention, the Dead Interval value is usually four times the Hello Interval value.
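To show what the Text and MD5 authentication settings above actually put on the wire, here is an added Python illustration of OSPF simple-password and cryptographic (MD5) authentication as specified in RFC 2328, Appendix D; it is not FortiGate code. The router ID, area ID, key table and packet body are constructed sample values.

```python
"""OSPF packet authentication per RFC 2328 Appendix D: Text puts the password
itself in the header, MD5 appends a digest of (packet || key) so the key is
never transmitted. Added example; all values are constructed."""
import hashlib
import hmac
import struct

AUTH_TYPE_SIMPLE = 1            # "Text" in the web-based manager
AUTH_TYPE_MD5 = 2               # "MD5" in the web-based manager
MD5_DIGEST_LEN = 16
OSPF_HDR = "!BBH4s4sHH8s"       # ver, type, len, router ID, area ID, cksum, AuType, auth

# Constructed key table mirroring the MD5 Keys list: key ID (1-255) -> key.
KEY_TABLE = {1: b"fortigate-ospf-1", 2: b"rollover-key"}


def _ip4(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _padded_key(key_id: int) -> bytes:
    """Keys shorter than 16 bytes are zero-padded (a common implementation
    convention; the RFC itself specifies a 16-byte key)."""
    key = KEY_TABLE[key_id]
    if len(key) > MD5_DIGEST_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(MD5_DIGEST_LEN, b"\x00")


def _checksum(data: bytes) -> int:
    """Ones-complement checksum used by the OSPF header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_simple_packet(pkt_type: int, router_id: str, area_id: str,
                        body: bytes, password: bytes) -> bytes:
    """Text authentication (RFC 2328 D.2): the password is the 8-byte
    authentication field, readable by anyone on the segment. The checksum
    covers the whole packet except that field."""
    if len(password) > 8:
        raise ValueError("simple passwords are at most 8 bytes")
    length = 24 + len(body)
    pad = password.ljust(8, b"\x00")
    unchecked = struct.pack(OSPF_HDR, 2, pkt_type, length, _ip4(router_id),
                            _ip4(area_id), 0, AUTH_TYPE_SIMPLE, pad) + body
    cksum = _checksum(unchecked[:16] + unchecked[24:])
    return struct.pack(OSPF_HDR, 2, pkt_type, length, _ip4(router_id),
                       _ip4(area_id), cksum, AUTH_TYPE_SIMPLE, pad) + body


def build_md5_packet(pkt_type: int, router_id: str, area_id: str,
                     body: bytes, key_id: int, seq: int) -> bytes:
    """MD5 authentication (RFC 2328 D.4.3): checksum is 0; the auth field is
    0x0000 | key ID | auth data length (16) | cryptographic sequence number;
    the digest of (packet || key) is appended and not counted in Length."""
    length = 24 + len(body)
    auth = struct.pack("!HBBI", 0, key_id, MD5_DIGEST_LEN, seq)
    packet = struct.pack(OSPF_HDR, 2, pkt_type, length, _ip4(router_id),
                         _ip4(area_id), 0, AUTH_TYPE_MD5, auth) + body
    digest = hashlib.md5(packet + _padded_key(key_id)).digest()
    return packet + digest      # the key itself never appears on the wire


def verify_md5_packet(wire: bytes) -> bool:
    """Receiver side: select the key by key ID, recompute the digest over
    (packet || key) and compare in constant time. Malformed fields, an
    unknown key ID or a digest mismatch are all rejected."""
    if len(wire) < 24 + MD5_DIGEST_LEN:
        return False
    version, _, length, _, _, cksum, autype, auth = struct.unpack(OSPF_HDR, wire[:24])
    if version != 2 or autype != AUTH_TYPE_MD5 or cksum != 0:
        return False
    _, key_id, auth_len, _seq = struct.unpack("!HBBI", auth)
    if auth_len != MD5_DIGEST_LEN or key_id not in KEY_TABLE:
        return False
    if len(wire) != length + MD5_DIGEST_LEN:
        return False
    packet, received = wire[:length], wire[length:]
    expected = hashlib.md5(packet + _padded_key(key_id)).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    body = b"\x00" * 20                     # placeholder Hello body
    text_pkt = build_simple_packet(1, "192.168.0.1", "0.0.0.0", body, b"secret")
    print("password visible in Text packet:", b"secret" in text_pkt)
    md5_pkt = build_md5_packet(1, "192.168.0.1", "0.0.0.0", body, 1, 1000)
    print("key visible in MD5 packet:", KEY_TABLE[1] in md5_pkt)
    print("digest verifies:", verify_md5_packet(md5_pkt))
```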

BGP
Border Gateway Protocol (BGP) is an Internet routing protocol typically used by ISPs to
exchange routing information between different ISP networks. For example, BGP enables
the sharing of network paths between the ISP network and an autonomous system (AS)
that uses RIP, OSPF, or both to route packets within the AS. The FortiGate implementation
of BGP supports BGP-4 and complies with RFC 1771 and RFC 2385.

How BGP works


When BGP is enabled on an interface, the FortiGate unit sends routing table updates to
neighboring autonomous systems connected to that interface whenever any part of the
FortiGate routing table changes. Each AS to which the unit belongs is associated with an
AS number. The AS number references a particular destination network.
BGP updates advertise the best path to a destination network. When the FortiGate unit
receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED)
attributes of potential routes to determine the best path to a destination network before
recording the path in the FortiGate unit routing table.
BGP has the capability to gracefully restart. This capability limits the effects of software
problems by allowing forwarding to continue when the control plane of the router fails. It
also reduces routing flaps by stabilizing the network.

Note: You can configure graceful restarting and other advanced settings only through CLI
commands. For more information on advanced BGP settings, see the “router” chapter of
the FortiGate CLI Reference.

Viewing and editing BGP settings


When you configure BGP settings, you need to specify the AS to which the FortiGate unit
belongs and enter a router ID to identify this unit to other BGP routers. You must also
identify the FortiGate unit’s BGP neighbors and specify which of the networks local to the
FortiGate unit should be advertised to BGP neighbors.
To view and edit BGP settings, go to Router > Dynamic > BGP. The web-based manager
offers a simplified user interface to configure basic BGP options. You can also configure
many advanced BGP options through the CLI. For more information, see the “router”
chapter of the FortiGate CLI Reference.


Figure 180: Basic BGP options


Local AS: Enter the number of the local AS to which the FortiGate unit belongs.
Router ID: Enter a unique router ID to identify the FortiGate unit to other BGP routers. The router ID is an IP address written in dotted-decimal format, for example 192.168.0.1. If you change the router ID while BGP is configured on an interface, all connections to BGP peers will be broken temporarily. The connections will re-establish themselves. If Router ID is not explicitly set, the highest IP address of the VDOM will be used.
Neighbors: The IP addresses and AS numbers of BGP peers in neighboring autonomous systems.
IP: Enter the IP address of the neighbor interface to the BGP-enabled network.
Remote AS: Enter the number of the AS that the neighbor belongs to.
Add/Edit: Add the neighbor information to the Neighbors list, or edit an entry in the list.
Neighbor: The IP addresses of BGP peers.
Remote AS: The numbers of the autonomous systems associated with the BGP peers.
Delete icon: Delete a BGP neighbor entry.
Networks: The IP addresses and network masks of networks to advertise to BGP peers. The FortiGate unit may have a physical or VLAN interface connected to those networks.
IP/Netmask: Enter the IP address and netmask of the network to be advertised.
Add: Add the network information to the Networks list.
Network: The IP addresses and network masks of major networks that are advertised to BGP peers.
Delete icon: Delete a BGP network definition.

Note: The get router info bgp CLI command provides detailed information about
configured BGP settings. For a complete list of the command options, see the “router”
chapter of the FortiGate CLI Reference.

Multicast
A FortiGate unit can operate as a Protocol Independent Multicast (PIM) version 2 router in
the root virtual domain. FortiGate units support PIM sparse mode (RFC 2362) and PIM
dense mode (RFC 3973) and can service multicast servers or receivers on the network
segment to which a FortiGate interface is connected.


How multicast works


Multicast server applications use a (Class D) multicast address to send one copy of a
packet to a group of receivers. The PIM routers throughout the network ensure that only
one copy of the packet is forwarded through the network until it reaches an end-point
destination. At the end-point destination, copies of the packet are made only when
required to deliver the information to multicast client applications that request traffic
destined for the multicast address.

Note: To support PIM communications, the sending/receiving applications and all
connecting PIM routers in between must be enabled with PIM version 2. PIM can use static
routes, RIP, OSPF, or BGP to forward multicast packets to their destinations. To support
source-to-destination packet delivery, either sparse mode or dense mode must be enabled
on all the PIM-router interfaces. Sparse mode routers cannot send multicast messages to
dense mode routers. In addition, if a FortiGate unit is located between a source and a PIM
router, or between two PIM routers, or is connected directly to a receiver, you must create a
firewall policy manually to pass encapsulated (multicast) packets or decapsulated data (IP
traffic) between the source and destination.

A PIM domain is a logical area comprising a number of contiguous networks. The domain
contains at least one Boot Strap Router (BSR). If sparse mode is enabled, the domain
also contains a number of Rendezvous Points (RPs) and Designated Routers (DRs).
When you enable PIM on a FortiGate unit, the FortiGate unit can perform any of these
functions at any time as configured. If required for sparse mode operation, you can define
static RPs.

Note: You can configure basic options through the web-based manager. Many additional
options are available, but only through the CLI. For complete descriptions and examples of
how to use CLI commands to configure PIM settings, see multicast in the “router”
chapter of the FortiGate CLI Reference.

Note: For more information about FortiGate multicast support, see the FortiGate Multicast
Technical Note.

Viewing and editing multicast settings


When multicast (PIM) routing is enabled, you can configure sparse mode or dense mode
operation on any FortiGate interface.
To view and edit PIM settings, go to Router > Dynamic > Multicast. The web-based
manager offers a simplified user interface to configure basic PIM options. You can also
configure advanced PIM options through the CLI. For more information, see the “router”
chapter of the FortiGate CLI Reference.


Figure 181: Basic Multicast options


Enable Multicast Routing: Select to enable PIM version 2 routing. A firewall policy must be created on PIM-enabled interfaces to pass encapsulated packets and decapsulated data between the source and destination.
Add Static RP: If required for sparse mode operation, enter the IP address of a Rendezvous Point (RP) that may be used as the root of a packet distribution tree for a multicast group. Join messages from the multicast group are sent to the RP, and data from the source is sent to the RP. If an RP for the specified IP’s multicast group is already known to the Boot Strap Router (BSR), the RP known to the BSR is used and the static RP address that you specify is ignored.
Apply: Save the specified static RP addresses.
Create New: Create a new multicast entry for an interface. You can use the new entry to fine-tune PIM operation on a specific FortiGate interface or override the global PIM settings on a particular interface. For more information, see “Overriding the multicast settings on an interface” on page 299.
Interface: The names of FortiGate interfaces having specific PIM settings.
Mode: The mode of PIM operation (Sparse or Dense) on that interface.
Status: The status of sparse-mode RP candidacy on the interface. To change the status of RP candidacy on an interface, select the Edit icon in the row that corresponds to the interface.
Priority: The priority number assigned to RP candidacy on that interface. Available only when RP candidacy is enabled.
DR Priority: The priority number assigned to Designated Router (DR) candidacy on the interface. Available only when sparse mode is enabled.
Delete and Edit icons: Delete or edit the PIM settings on the interface.

Overriding the multicast settings on an interface


You use multicast (PIM) interface options to set operating parameters for FortiGate
interfaces connected to PIM domains. For example, you can enable dense mode on an
interface that is connected to a PIM-enabled network segment. When sparse mode is
enabled, you can adjust the priority number that is used to advertise Rendezvous Point
(RP) and/or Designated Router (DR) candidacy on the interface.


Figure 182: Multicast interface settings

Interface: Select the name of the root VDOM FortiGate interface to which these settings apply. The interface must be connected to a PIM version 2 enabled network segment.
PIM Mode: Select the mode of operation: Sparse Mode or Dense Mode. All PIM routers connected to the same network segment must be running the same mode of operation. If you select Sparse Mode, adjust the remaining options as described below.
DR Priority: Enter the priority number for advertising DR candidacy on the FortiGate unit’s interface. The range is from 1 to 4 294 967 295. The unit compares this value to the DR priorities of all other PIM routers on the same network segment, and selects the router having the highest DR priority to be the DR.
RP Candidate: Enable RP candidacy on the interface.
RP Candidate Priority: Enter the priority number for advertising RP candidacy on the FortiGate interface. The range is from 1 to 255.

Multicast destination NAT


Multicast destination NAT (DNAT) allows you to translate externally received multicast
destination addresses to addresses that conform to an organization's internal addressing
policy.
By using this feature, which is available only in the CLI, you can avoid redistributing routes at
the translation boundary into your network infrastructure for Reverse Path Forwarding
(RPF) to work properly. You can also receive identical feeds from two ingress points in
the network and route them independently.
Configure multicast DNAT in the CLI by using the following command:
config firewall multicast-policy
edit p1
set dnat <dnatted-multicast-group>
set ...
next
end
For more information, see the “firewall” chapter of the FortiGate CLI Reference.

Bi-directional Forwarding Detection (BFD)


The Bi-directional Forwarding Detection (BFD) protocol is designed to address dynamic
routing protocols' lack of fine granularity for detecting device failures on the network and
re-routing around those failures. BFD can react to these failures more quickly because it
detects them on a millisecond timer, whereas other dynamic routing protocols can detect
them only on a second timer.
Your unit supports BFD as part of OSPF and BGP dynamic routing.


Note: You can configure BFD only from the CLI.

How BFD works


When you enable BFD on your FortiGate unit, BFD starts trying to connect to other routers
on the network. You can limit where BFD looks for routers by enabling one interface only,
and by enabling BFD for specific neighboring routers on the network.
Once the connection has been made, BFD will continue to send periodic packets to the
router to make sure it is still operational. These small packets are sent frequently.
If there is no response from the neighboring router within the set period of time, BFD on
your unit reports that router down and changes routing accordingly. BFD continues to try
to reestablish a connection with the non-responsive router.
Once that connection is reestablished, routes are reset to include the router once again.

Configuring BFD
BFD is intended for networks that use the BGP or OSPF routing protocols. This generally
excludes smaller networks.
BFD configuration on your FortiGate unit is very flexible. You can enable BFD for the
whole unit and turn it off for one or two interfaces. Alternatively, you can specifically
enable BFD for each neighbor router or interface. Which method you choose will be
determined by the amount of configuration required for your network.
The timeout period determines how long the unit waits before labeling a connection as
down. The length of the timeout period is important—if it is too short, connections will be
labeled down prematurely, and if it is too long, time will be wasted waiting for a reply from a
connection that is down. There is no easy number, as it varies for each network and unit.
High-end FortiGate models will respond very quickly unless loaded down with traffic. The
size of the network also slows the response time—packets need to make more hops than
on a smaller network. Those two factors (CPU load and network traversal time) affect how
long the timeout you select should be. With too short a timeout period, BFD will not connect
to the network device but will keep trying. This state generates unnecessary network traffic
and leaves the device unmonitored. If this happens, try setting a longer timeout period to
allow BFD more time to discover the device on the network.

Configuring BFD on your FortiGate unit


For this example, BFD is enabled on the FortiGate unit using the default values. This
means that once a connection is established, your unit will wait for up to 150 milliseconds
for a reply from a BFD router before declaring that router down and rerouting traffic—a 50
millisecond minimum transmit interval multiplied by a detection multiplier of 3. The port
that BFD traffic originates from will be checked for security purposes as indicated by
disabling bfd-dont-enforce-src-port.
config system settings
set bfd enable
set bfd-desired-min-tx 50
set bfd-required-min-rx 50
set bfd-detect-mult 3
set bfd-dont-enforce-src-port disable
end


Note: The minimum receive interval (bfd-required-min-rx) and the detection
multiplier (bfd-detect-mult) combine to determine how long a period your unit will wait
for a reply before declaring the neighbor down. The correct value for your situation will vary
based on the size of your network and the speed of your unit’s CPU. The numbers used in
this example may not work for your network.
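The detection-time arithmetic from the example and the note above, as an added Python illustration (not FortiGate code): with the guide's values, 50 ms multiplied by a detection multiplier of 3 gives 150 ms. The functions go one step further than the guide and apply the RFC 5880 section 6.8.4 negotiation, in which the peer's settings also enter the calculation. Peer settings and packet arrival times are constructed sample values.

```python
"""BFD detection timing. Added example; peer settings and arrival times are
constructed. The detection-time rule follows RFC 5880 section 6.8.4 and
reduces to required-min-rx * detect-mult when both sides share one config."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BfdSettings:
    desired_min_tx_ms: int    # bfd-desired-min-tx
    required_min_rx_ms: int   # bfd-required-min-rx
    detect_mult: int          # bfd-detect-mult


# The guide's example configuration.
FORTIGATE_DEFAULTS = BfdSettings(desired_min_tx_ms=50, required_min_rx_ms=50, detect_mult=3)


def detection_time_ms(local: BfdSettings, peer: BfdSettings) -> int:
    """Milliseconds the local system waits without a BFD control packet
    before declaring the peer down: the peer's Detect Mult times the larger
    of the local Required Min RX and the peer's Desired Min TX (RFC 5880)."""
    return peer.detect_mult * max(local.required_min_rx_ms, peer.desired_min_tx_ms)


def transmit_interval_ms(local: BfdSettings, peer: BfdSettings) -> int:
    """Interval at which the local system actually transmits (RFC 5880
    6.8.2): it may not send faster than the peer is willing to receive."""
    return max(local.desired_min_tx_ms, peer.required_min_rx_ms)


def first_down_at_ms(rx_times_ms: List[int], detect_ms: int,
                     session_up_ms: int = 0) -> Optional[int]:
    """Replay constructed arrival times of the peer's control packets against
    a detection time. Returns the instant the detection timer expires (the
    neighbor is declared down), or None if every gap stayed within detect_ms."""
    last_seen = session_up_ms
    for t in sorted(rx_times_ms):
        if t - last_seen > detect_ms:
            return last_seen + detect_ms
        last_seen = t
    return None


if __name__ == "__main__":
    same = detection_time_ms(FORTIGATE_DEFAULTS, FORTIGATE_DEFAULTS)
    print("symmetric defaults: declare down after", same, "ms")
    slow_peer = BfdSettings(desired_min_tx_ms=300, required_min_rx_ms=300, detect_mult=3)
    print("slow peer: declare down after",
          detection_time_ms(FORTIGATE_DEFAULTS, slow_peer), "ms")
    print("we transmit every", transmit_interval_ms(FORTIGATE_DEFAULTS, slow_peer), "ms")
    # The failure mode the guide warns about: a detection time shorter than
    # the peer's real sending interval flags a healthy neighbor as down.
    steady_200ms = [200, 400, 600, 800]
    print("too short:", first_down_at_ms(steady_200ms, 150), "ms")
    print("adequate:", first_down_at_ms(steady_200ms, 900))
```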

Disabling BFD for a specific interface


The previous example enables BFD for your entire FortiGate unit. If an interface is not
connected to any BFD-enabled routers, you can reduce network traffic by disabling BFD
for that interface. For this example, BFD is disabled for the internal interface using CLI
commands.
config system interface
edit <interface>
set bfd disable
end

Configuring BFD on BGP


Configuring BFD on a BGP network involves only one step—enable BFD globally and
then disable it for each neighbor that is running the protocol.
config system settings
set bfd enable
end
config router bgp
config neighbor
edit <ip_address>
set bfd disable
next
end
end

Configuring BFD on OSPF


Configuring BFD on an OSPF network is very much like enabling BFD on your unit—you
can enable it globally for OSPF, and you can override the global settings at the interface
level.
To enable BFD on OSPF:
config router ospf
set bfd enable
end
To override BFD on an interface:
config router ospf
config ospf-interface
edit <interface_name>
set bfd disable
next
end
end


Customizable routing widgets


You can customize the FortiGate web-based manager (or GUI) to show, hide, and arrange
widgets/menus/items according to your specific requirements. Customizing the display
allows you to vary or limit the GUI layout to address different administrator needs such as
advanced routing.
Only administrators with the super_admin admin profile may create and edit GUI layouts.
For more information on GUI layouts, see “Customizable web-based manager” on
page 225.
Each of the customizable GUI widgets can be minimized or maximized using the arrow
next to the widget title.
Customizable routing widgets include:
• Access List
• Distribute List
• Key Chain
• Offset List
• Prefix List
• Route Map

Access List
Access lists are filters used by FortiGate unit routing processes to limit access to the
network based on IP addresses. For an access list to take effect, it must be called by a
FortiGate unit routing process (for example, a process that supports RIP or OSPF). Access
lists are part of the RIP and OSPF routing protocols. For more information about RIP,
see “RIP” on page 284. For more information about OSPF, see “OSPF” on page 288.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and whether to match the prefix exactly or to match the
prefix and any more specific prefix.

Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0, cannot be exactly matched with an access-list. A prefix-list must be used for this
purpose. For more information, see “Prefix List” on page 306.

The FortiGate unit attempts to match a packet against the rules in an access list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that
prefix. If no match is found the default action is deny.
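The evaluation order described above, as an added Python example (not FortiGate code): rules are tried from the top, the first rule whose prefix matches decides permit or deny, a rule matches either the exact prefix or the prefix and any more-specific prefix, and a route that matches no rule is denied. The rules and candidate routes are constructed.

```python
"""First-match evaluation of an access list with exact and prefix-or-longer
rules and an implicit final deny. Added example; SAMPLE_RULES and
SAMPLE_ROUTES are constructed, not taken from the guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AccessRule:
    prefix: str          # IP address and netmask, e.g. "10.0.0.0/8"
    action: str          # "permit" or "deny"
    exact_match: bool    # True: only this prefix; False: this prefix or any more specific one

    def matches(self, route: str) -> bool:
        rule_net = ipaddress.ip_network(self.prefix, strict=False)
        route_net = ipaddress.ip_network(route, strict=False)
        if rule_net.version != route_net.version:
            return False
        if self.exact_match:
            return route_net == rule_net
        return route_net.subnet_of(rule_net)   # equality counts as a subnet


def evaluate(rules: List[AccessRule], route: str) -> Tuple[str, int]:
    """Return (action, rule index) for the first matching rule, or
    ("deny", -1) for the implicit deny at the end of the list."""
    for index, rule in enumerate(rules):
        if rule.matches(route):
            return rule.action, index
    return "deny", -1


def permitted(rules: List[AccessRule], routes: List[str]) -> List[str]:
    """Routes a routing process would keep after applying the access list."""
    return [r for r in routes if evaluate(rules, r)[0] == "permit"]


# Constructed list: drop the 10.0.0.0/8 summary itself but pass its subnets,
# pass anything inside 172.16.0.0/12, and rely on the implicit deny for the rest.
# Rule order matters: the exact deny must precede the broader permit.
SAMPLE_RULES = [
    AccessRule("10.0.0.0/8", "deny", exact_match=True),
    AccessRule("10.0.0.0/8", "permit", exact_match=False),
    AccessRule("172.16.0.0/12", "permit", exact_match=False),
]

SAMPLE_ROUTES = ["10.0.0.0/8", "10.1.0.0/16", "172.16.5.0/24",
                 "192.168.1.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for route in SAMPLE_ROUTES:
        action, idx = evaluate(SAMPLE_RULES, route)
        where = f"rule {idx + 1}" if idx >= 0 else "implicit deny"
        print(f"{route:16} -> {action:6} ({where})")
```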

Figure 183: Access List GUI widget

Access-list: Enter the name of a new access list. Select Add to save the new access list.
Name: The name of the access list.
Action: The action to take when the prefix of this access list is matched. Actions can be either permit or deny.
Prefix: The IP address prefix for this access-list. When this prefix is matched, the action is taken. The prefix can match any address, or a specific address.


Delete Icon: Select to remove this access-list.
Add Icon: Select to add a rule to this access-list. Rules include actions and prefixes. Rules are processed from lowest to highest number.
For more information on access list, see the “router” chapter of the FortiGate CLI
Reference.

Distribute List
The distribute list is a subcommand of OSPF. It filters the networks in routing updates
using an access or prefix list. Routes not matched by any of the distribution lists will not be
advertised. Distribute lists are used by the OSPF routing protocol. For more information
about OSPF, see “OSPF” on page 288.

Note: You must configure the access list that you want the distribution list to use before you
configure the distribution list. To configure an access list, see “Access List” on page 303.

Figure 184: Distribute List GUI widget

Create New Select to create a new distribute list. This includes setting the
direction, selecting either the prefix-list or access-list, and
interface.
Direction The direction (In or Out) of the routing updates that the filter applies to.
Filter The prefix-list or access-list to apply to this interface.
Interface The interface to apply the filter on.
Enable A green check indicates this distribute list is enabled.
Delete Icon Select to remove a distribution list rule.
Edit Icon Select to change the direction, filter, or interface of the distribute
list.

For more information on the distribute list, see the “router” chapter of the FortiGate CLI
Reference.

Key Chain
A key chain is a list of one or more keys and the send and receive lifetimes for each key.
Keys are used for authenticating routing packets only during the specified lifetimes. The
FortiGate unit migrates from one key to the next according to the scheduled send and
receive lifetimes. The sending and receiving routers should have their system dates and
times synchronized, but overlapping the key lifetimes ensures that a key is always
available even if there is some difference in the system times.
RIP version 2 uses authentication keys to ensure that the routing information exchanged
between routers is reliable. For authentication to work both the sending and receiving
routers must be set to use authentication, and must be configured with the same keys.
Key chains are used for RIP version 2 authentication. For more information about RIP,
see “RIP” on page 284.

Figure 185: Key Chain GUI widget

Key-chain Enter the name for a new key-chain. Select Add to save the new key-
chain.
Name The name of the key-chain, or the number of the key on that chain.
Accept Lifetime The start and end time that this key can accept routing packets.
Start The start time for this key. The format is H:M:S M/D/YYYY.
End The end time for this key. The end can be infinite, a set duration in
seconds, or a set time as with the start time.
Send Lifetime The start and end time that this key can send routing packets.
Start The start time for this key. The format is H:M:S M/D/YYYY.
End The end time for this key. The end can be infinite, a set duration in
seconds, or a set time as with the start time.
Delete Icon Select to remove a key or key-chain.
Add Icon Select to add keys to the key-chain.
Edit Icon Select to edit an existing key.

For more information on key-chains, see the “router” chapter of the FortiGate CLI
Reference.
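The key rollover described above, as an added example that is not part of this guide or of FortiOS: given a key chain with overlapping accept lifetimes, it picks the key that signs outgoing RIP v2 packets and decides whether a received key is accepted, including for a peer whose clock is slightly off. Key numbers, secrets, dates and the lowest-number-wins rule are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed example, added here for illustration (not FortiOS code): which key
# of a key chain signs outgoing RIP v2 packets, and which received keys are
# accepted, at a given moment. Key numbers, secrets and times are hypothetical.


@dataclass
class Key:
    number: int
    secret: str
    accept_start: datetime
    accept_end: Optional[datetime]   # None means the lifetime is infinite
    send_start: datetime
    send_end: Optional[datetime]


def parse_time(text: str) -> datetime:
    """Parse the H:M:S M/D/YYYY format used by the Start and End fields."""
    return datetime.strptime(text, "%H:%M:%S %m/%d/%Y")


def _active(start: datetime, end: Optional[datetime], now: datetime) -> bool:
    return start <= now and (end is None or now <= end)


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Key used to authenticate packets sent at `now`: the lowest-numbered key whose
    send lifetime covers `now` (assumption: lowest number wins when lifetimes overlap)."""
    for key in sorted(chain, key=lambda k: k.number):
        if _active(key.send_start, key.send_end, now):
            return key
    return None


def accepts(chain: List[Key], now: datetime, number: int, secret: str) -> bool:
    """True if a packet signed with (number, secret) and received at `now` is accepted."""
    return any(k.number == number and k.secret == secret
               and _active(k.accept_start, k.accept_end, now) for k in chain)


# Constructed chain: key 1 is retired at the start of April and key 2 takes over.
# The accept lifetimes overlap by one hour on each side of the changeover, so a
# peer whose clock is off by less than that still authenticates.
CHAIN = [
    Key(1, "old-secret",
        parse_time("00:00:00 3/1/2009"), parse_time("01:00:00 4/1/2009"),
        parse_time("00:00:00 3/1/2009"), parse_time("00:00:00 4/1/2009")),
    Key(2, "new-secret",
        parse_time("23:00:00 3/31/2009"), None,
        parse_time("00:00:00 4/1/2009"), None),
]
```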

Offset List
Use an offset list to adjust the metric (hop count) of routes that match the access list
named in the offset list.
The offset list is part of the RIP and OSPF routing protocols. For more information about
RIP, see “RIP” on page 284. For more information about OSPF, see “OSPF” on page 288.

Figure 186: Offset List GUI widget

Create New Select to add a new offset to the list.
Direction The direction can be In or Out.
Access-list The access-list to use to match the traffic.
Offset The adjustment to the hop count metric.
Interface The interface this offset list applies to.
Delete Icon Select to remove an offset entry.
Edit Icon Select to edit an existing offset entry.

For more information on the offset list, see the “router” chapter of the FortiGate CLI
Reference.

Prefix List
A prefix list is an enhanced version of an access list that allows you to control the length of
the prefix netmask.
Each rule in a prefix list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and maximum and minimum prefix length settings.
The FortiGate unit attempts to match a packet against the rules in a prefix list starting at
the top of the list. If it finds a match for the prefix it takes the action specified for that prefix.
If no match is found the default action is deny. A prefix-list should be used to match the
default route 0.0.0.0/0.
For a prefix list to take effect, it must be called by another FortiGate unit routing feature
such as RIP or OSPF. For more information about RIP, see “RIP” on page 284. For more
information about OSPF, see “OSPF” on page 288.

Figure 187: Prefix List GUI widget

Prefix-list Enter the name of a new prefix-list. Select Add to save the new
prefix list entry.
Name The name of the prefix list, or the number of the prefix entry.
Action The action of the prefix entry. Actions can be permit or deny.
Prefix The IP address and netmask associated with this prefix. Optionally
this can be set to match any address.
GE The minimum prefix length (number of bits) a route must have to match this
entry. A route matches only if its prefix length is this number or greater.
LE The maximum prefix length (number of bits) a route may have to match this
entry. A route matches only if its prefix length is this number or less.
Delete Icon Select to remove a prefix entry or list.
Add Icon Select to add a prefix entry to a list.
Edit Icon Select to edit an existing prefix entry.

For more information on the prefix list, see the “router” chapter of the FortiGate CLI
Reference.

Route Map
Route maps provide a way for the FortiGate unit to evaluate optimum routes for
forwarding packets or suppressing the routing of packets to particular destinations using
the BGP routing protocol. Compared to access lists, route maps support enhanced
packet-matching criteria. In addition, route maps can be configured to permit or deny the
addition of routes to the FortiGate unit routing table and make changes to routing
information dynamically as defined through route-map rules.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules
are examined in ascending order until one or more of the rules in the route map are found
to match one or more of the route attributes:
• When a single matching match-* rule is found, changes to the routing information are
made as defined through the rule’s set-ip-nexthop, set-metric, set-metric-type, and/or
set-tag settings.

• If no matching rule is found, no changes are made to the routing information.


• When more than one match-* rule is defined, all of the defined match-* rules must
evaluate to TRUE or the routing information is not changed.
• If no match-* rules are defined, the FortiGate unit makes changes to the routing
information only when all of the default match-* rules happen to match the attributes of
the route.
The default rule in the route map (which the FortiGate unit applies last) denies all routes.
For a route map to take effect, it must be called by a FortiGate unit routing process.

Figure 188: Route Map GUI widget

Route-map Enter the name of a new route-map. Select Add to save the new
route-map.
Name The name of the route map, or the number of the route-map entry.
Action The action of the route map. Actions can be permit or deny.
Rules The rules include the criteria to match and a value to set. The criteria
to match can be an interface, an address from an access or prefix list, a
next-hop from an access or prefix list, a metric, or other
information. The value to set can be the next-hop IP address, the
metric, metric type, and a tag number.
Delete Icon Select to remove a route map or entry.
Add Icon Select to add a route map entry to a route map.
Edit Icon Select to edit an existing route map entry.

For more information on the route map, see the “router” chapter of the FortiGate CLI
Reference.
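The matching rules of the Access List, Prefix List and Route Map sections above, as one added example that is not part of this guide or of FortiOS: top-down first match with an implicit deny, the exact-versus-more-specific flag of an access list, the ge/le bounds of a prefix list (including why only a prefix list can match 0.0.0.0/0), and a route map whose match-* clauses must all hold before its set-* values are applied. Class and field names, and the handling of a rule with no match-* clause, are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example, added here for illustration: a small simulator of the
# access-list, prefix-list and route-map matching rules described above. It is
# not FortiOS code; rule classes and field names are hypothetical.

@dataclass
class AccessRule:
    prefix: str           # CIDR such as "10.0.0.0/8", or "any"
    action: str           # "permit" or "deny"
    exact: bool = False   # True: only this prefix; False: this prefix and any more specific one

@dataclass
class PrefixRule:
    prefix: str
    action: str
    ge: Optional[int] = None  # minimum prefix length that still matches
    le: Optional[int] = None  # maximum prefix length that still matches

def access_list_match(rules: List[AccessRule], route_str: str) -> str:
    """Top-down, first match wins; no match means the implicit deny."""
    route = ipaddress.ip_network(route_str)
    for r in rules:
        if r.prefix == "any":
            return r.action
        net = ipaddress.ip_network(r.prefix)
        if r.exact:
            # As the note above says, an access list cannot exactly match 0.0.0.0/0.
            if net.prefixlen == 0:
                continue
            if route == net:
                return r.action
        elif route.subnet_of(net):
            return r.action
    return "deny"

def prefix_list_match(rules: List[PrefixRule], route_str: str) -> str:
    """Like an access list, but the rule also bounds the prefix length with ge/le."""
    route = ipaddress.ip_network(route_str)
    for r in rules:
        if r.prefix == "any":
            return r.action
        net = ipaddress.ip_network(r.prefix)
        if not route.subnet_of(net):
            continue
        if r.ge is None and r.le is None:
            lo = hi = net.prefixlen             # no ge/le: exact length only
        else:
            lo = net.prefixlen if r.ge is None else r.ge
            hi = route.max_prefixlen if r.le is None else r.le
        if lo <= route.prefixlen <= hi:
            return r.action
    return "deny"

@dataclass
class Route:
    prefix: str
    metric: int
    tag: int = 0

@dataclass
class RouteMapRule:
    action: str                                           # "permit" or "deny"
    match_prefix_list: Optional[List[PrefixRule]] = None  # match-ip-address via a prefix list
    match_metric: Optional[int] = None
    set_metric: Optional[int] = None
    set_tag: Optional[int] = None

def apply_route_map(rules: List[RouteMapRule], route: Route) -> Tuple[bool, Route]:
    """Rules are tried in order; every match-* clause of a rule must hold. The first
    matching rule's action decides and its set-* values are applied. The implicit
    last rule denies the route. Assumption: a rule with no match-* clause matches
    every route."""
    for r in rules:
        checks = []
        if r.match_prefix_list is not None:
            checks.append(prefix_list_match(r.match_prefix_list, route.prefix) == "permit")
        if r.match_metric is not None:
            checks.append(route.metric == r.match_metric)
        if not all(checks):
            continue
        if r.action == "deny":
            return False, route
        metric = route.metric if r.set_metric is None else r.set_metric
        tag = route.tag if r.set_tag is None else r.set_tag
        return True, Route(route.prefix, metric, tag)
    return False, route

# Constructed sample data: permit /16 to /24 subnets of 10.0.0.0/8 and re-tag them.
INTERNAL = [PrefixRule("10.0.0.0/8", "permit", ge=16, le=24)]
ROUTE_MAP = [RouteMapRule("permit", match_prefix_list=INTERNAL, set_metric=5, set_tag=100)]
```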

Router Monitor
This section explains how to interpret the Routing Monitor list. The list displays the entries
in the FortiGate routing table.
If you enable virtual domains (VDOMs) on the FortiGate unit, router monitoring is available
separately for each virtual domain. For more information, see “Using virtual domains” on
page 103.
This section describes:
• Viewing routing information
• Searching the FortiGate routing table

Viewing routing information


By default, all routes are displayed in the Routing Monitor list. The default static route is
defined as 0.0.0.0/0, which matches the destination IP address of “any/all” packets.
To display the routes in the routing table, go to Router > Monitor.
Figure 189 shows the Routing Monitor list belonging to a FortiGate unit that has interfaces
named “port1”, “port4”, and “lan”. The names of the interfaces on your FortiGate unit may
be different.

Figure 189: Routing Monitor list

IP version Select IPv4 or IPv6 routes.


Type Select one of the following route types to search the routing table and display routes
of the selected type only:
All — all routes recorded in the routing table.
Connected — all routes associated with direct connections to FortiGate interfaces.
Static — the static routes that have been added to the routing table manually. For
more information see “Static Route” on page 274.
RIP — all routes learned through RIP. For more information see “RIP” on page 284.
OSPF — all routes learned through OSPF. For more information see “OSPF” on
page 288.
BGP — all routes learned through BGP. For more information see “BGP” on
page 296.
HA — RIP, OSPF, and BGP routes synchronized between the primary unit and the
subordinate units of a high availability (HA) cluster. HA routes are maintained on
subordinate units and are visible only if you are viewing the router monitor from a
virtual domain that is configured as a subordinate virtual domain in a virtual cluster.
For details about HA routing synchronization, see the FortiGate High Availability User
Guide.
Network Enter an IP address and netmask (for example, 172.16.14.0/24) to search the
routing table and display routes that match the specified network.
Gateway Enter an IP address and netmask (for example, 192.168.12.1/32) to search the
routing table and display routes that match the specified gateway.
Apply Filter Select to search the entries in the routing table based on the specified search criteria
and display any matching routes.
Type The type values assigned to FortiGate routes (Static, Connected, RIP, OSPF, or
BGP).
Subtype If applicable, the subtype classification assigned to OSPF routes.
• An empty string implies an intra-area route. The destination is in an area to which
the FortiGate unit is connected.
• OSPF inter area — the destination is in the OSPF AS, but the FortiGate unit is
not connected to that area.
• External 1 — the destination is outside the OSPF AS. The metric of a
redistributed route is calculated by adding the external cost and the OSPF cost
together.
• External 2 — the destination is outside the OSPF AS. In this case, the metric of
the redistributed route is equivalent to the external cost only, expressed as an
OSPF cost.
• OSPF NSSA 1 — same as External 1, but the route was received through a not-
so-stubby area (NSSA).
• OSPF NSSA 2 — same as External 2, but the route was received through a not-
so-stubby area.
Network The IP addresses and network masks of destination networks that the FortiGate unit
can reach.
Distance The administrative distance associated with the route. A value of 0 means the route
is preferable compared to routes to the same destination.
To modify the administrative distance assigned to static routes, see “Adding a static
route to the routing table” on page 278. To modify this distance for dynamic routes,
see FortiGate CLI Reference.
Metric The metric associated with the route type. The metric of a route influences how the
FortiGate unit dynamically adds it to the routing table. The following are types of
metrics and when they are applied.
• Hop count — routes learned through RIP.
• Relative cost — routes learned through OSPF.
• Multi-Exit Discriminator (MED) — routes learned through BGP. However, several
attributes in addition to MED determine the best path to a destination network.
Gateway The IP addresses of gateways to the destination networks.

Interface The interface through which packets are forwarded to the gateway of the destination
network.
Up Time The total accumulated amount of time that a route learned through RIP, OSPF, or
BGP has been reachable.

Searching the FortiGate routing table


You can apply a filter to search the routing table and display certain routes only. For
example, you can display one or more static routes, connected routes, routes learned
through RIP, OSPF, or BGP, and routes associated with the network or gateway that you
specify.
If you want to search the routing table by route type and further limit the display according
to network or gateway, all of the values that you specify as search criteria must match
corresponding values in the same routing table entry in order for that entry to be displayed
(an implicit AND condition is applied to all of the search parameters you specify).
For example, if the FortiGate unit is connected to network 172.16.14.0/24 and you want to
display all directly connected routes to network 172.16.14.0/24, you must select
Connected from the Type list, type 172.16.14.0/24 in the Network field, and then
select Apply Filter to display the associated routing table entry or entries. Any entry that
contains the word “Connected” in its Type field and the specified value in the Network
field will be displayed.

To search the FortiGate routing table


1 Go to Router > Monitor > Routing Monitor.
2 From the Type list, select the type of route to display. For example, select Connected
to display all connected routes, or select RIP to display all routes learned through RIP.
3 If you want to display routes to a specific network, type the IP address and netmask of
the network in the Network field.
4 If you want to display routes to a specific gateway, type the IP address of the gateway
in the Gateway field.
5 Select Apply Filter.

Note: All of the values that you specify as search criteria must match corresponding values
in the same routing table entry in order for that entry to be displayed.

Firewall Policy
Firewall policies control all traffic attempting to pass through the FortiGate unit, between
FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet’s source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), by using virtual IPs or IP pools to translate source and destination IP
addresses and port numbers. For details on using virtual IPs and IP pools, see “Firewall
Virtual IP” on page 359.
Policy instructions may also include protection profiles, which can specify application-layer
inspection and other protocol-specific protection and logging. For details on using
protection profiles, see “Firewall Protection Profile” on page 391.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall policies are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall policies. For details, see “Using virtual domains” on page 103.
This section describes:
• How list order affects policy matching
• Multicast policies
• Viewing the firewall policy list
• Configuring firewall policies
• Firewall policy examples

How list order affects policy matching


Each time a FortiGate unit receives a connection attempting to pass through one of its
interfaces, the unit searches its firewall policy list for a matching firewall policy.
The search begins at the top of the policy list and progresses in order towards the bottom.
The FortiGate unit evaluates each policy in the firewall policy list for a match until a match
is found. When the FortiGate unit finds the first matching policy, it applies the matching
policy’s specified actions to the packet, and disregards subsequent firewall policies.
Matching firewall policies are determined by comparing the firewall policy and the
packet’s:
• source and destination interfaces
• source and destination firewall addresses
• services
• time/schedule.

If no policy matches, the connection is dropped.


As a general rule, you should order the firewall policy list from most specific to most
general because of the order in which policies are evaluated for a match, and because
only the first matching firewall policy is applied to a connection. Subsequent possible
matches are not considered or applied. Ordering policies from most specific to most
general prevents policies that match a wide range of traffic from superseding and
effectively masking policies that match exceptions.
For example, you might have a general policy that allows all connections from the internal
network to the Internet, but want to make an exception that blocks FTP. In this case, you
would add a policy that denies FTP connections above the general policy.

Figure 190: Example: Blocking FTP — Correct policy order

Policy list order: Exception (deny FTP) above General (allow all).

FTP connections would immediately match the deny policy, blocking the connection.
Other kinds of services do not match the FTP policy, and so policy evaluation would
continue until reaching the matching general policy. This policy order has the intended
effect. But if you reversed the order of the two policies, positioning the general policy
before the policy to block FTP, all connections, including FTP, would immediately match
the general policy, and the policy to block FTP would never be applied. This policy order
would not have the intended effect.

Figure 191: Example: Blocking FTP — Incorrect policy order

Policy list order: General (allow all) above Exception (deny FTP).

Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would
position those policies above other potential matches in the policy list. Otherwise, the
other matching policies could always take precedence, and the required authentication,
IPSec VPN, or SSL VPN might never occur.

Note: A default firewall policy may exist which accepts all connections. You can move,
disable or delete it. If you move the default policy to the bottom of the firewall policy list and
no other policy matches the packet, the connection will be accepted. If you disable or delete
the default policy and no other policy matches the packet, the connection will be dropped.
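The first-match evaluation and the FTP exception described above, as an added example that is not part of this guide or of FortiOS: the same two policies are evaluated in both orders, and a small check flags any policy that a more general policy listed above it makes unreachable (the situation in the incorrect order). Interface names, addresses, the "tcp/21" service label and the omission of schedules are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed example, added here for illustration (not FortiOS code): first-match
# evaluation of a firewall policy list, plus a check that flags a policy that an
# earlier, more general policy hides. Interface and address names are hypothetical.

@dataclass
class Policy:
    id: int
    src_intf: str              # interface name, or "any"
    dst_intf: str
    src_addr: str              # CIDR, or "all"
    dst_addr: str
    services: FrozenSet[str]   # e.g. {"tcp/21"}, or {"ANY"}
    action: str                # "ACCEPT" or "DENY"

@dataclass
class Session:
    src_intf: str
    dst_intf: str
    src_ip: str
    dst_ip: str
    service: str               # "tcp/21" for the FTP control connection

def _intf_matches(pol_intf: str, intf: str) -> bool:
    return pol_intf == "any" or pol_intf == intf

def _addr_matches(addr: str, ip: str) -> bool:
    return addr == "all" or ipaddress.ip_address(ip) in ipaddress.ip_network(addr)

def _svc_matches(services: FrozenSet[str], service: str) -> bool:
    return "ANY" in services or service in services

def first_match(policies: List[Policy], s: Session) -> Tuple[str, Optional[int]]:
    """Walk the list top to bottom; the first matching policy decides.
    With no match the connection is dropped (schedules are not modelled)."""
    for p in policies:
        if (_intf_matches(p.src_intf, s.src_intf) and _intf_matches(p.dst_intf, s.dst_intf)
                and _addr_matches(p.src_addr, s.src_ip) and _addr_matches(p.dst_addr, s.dst_ip)
                and _svc_matches(p.services, s.service)):
            return p.action, p.id
    return "DROP", None

def _covers(general: Policy, specific: Policy) -> bool:
    """True if every session `specific` could match is also matched by `general`."""
    def intf(g: str, s: str) -> bool:
        return g == "any" or g == s

    def addr(g: str, s: str) -> bool:
        if g == "all":
            return True
        if s == "all":
            return False
        return ipaddress.ip_network(s).subnet_of(ipaddress.ip_network(g))

    def svc(g: FrozenSet[str], s: FrozenSet[str]) -> bool:
        return "ANY" in g or ("ANY" not in s and s <= g)

    return (intf(general.src_intf, specific.src_intf) and intf(general.dst_intf, specific.dst_intf)
            and addr(general.src_addr, specific.src_addr) and addr(general.dst_addr, specific.dst_addr)
            and svc(general.services, specific.services))

def shadowed_policies(policies: List[Policy]) -> List[int]:
    """IDs of policies that can never be reached because a policy above them
    already matches everything they would match."""
    return [p.id for i, p in enumerate(policies)
            if any(_covers(earlier, p) for earlier in policies[:i])]

# Constructed sample: the "block FTP" exception from the text. The general policy
# was created first (ID 1); the exception was added later (ID 2). Moving a policy
# does not change its ID.
GENERAL = Policy(1, "internal", "wan1", "192.168.1.0/24", "all", frozenset({"ANY"}), "ACCEPT")
EXCEPTION = Policy(2, "internal", "wan1", "192.168.1.0/24", "all", frozenset({"tcp/21"}), "DENY")
FTP = Session("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp/21")
HTTP = Session("internal", "wan1", "192.168.1.10", "203.0.113.5", "tcp/80")
```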

Moving a policy to a different position in the policy list


You can arrange the firewall policy list to influence the order in which policies are
evaluated for matches with incoming traffic. When more than one policy has been defined
for the same interface pair, the first matching firewall policy will be applied to the traffic
session. For more information, see “How list order affects policy matching” on page 313.
Moving a policy in the firewall policy list does not change its ID, which only indicates the
order in which the policy was created.

Figure 192: Move Policy

To move a firewall policy in the firewall policy list


1 Go to Firewall > Policy.
2 In the firewall policy list, note the ID of a firewall policy that is before or after your
intended destination.
3 In the row corresponding to the firewall policy that you want to move, select the
Move To icon.
4 Select Before or After, and enter the ID of the firewall policy that is before or after your
intended destination. This specifies the policy’s new position in the firewall policy list.
5 Select OK.

Multicast policies
FortiGate units support multicast policies. You can configure and create multicast policies
using the following CLI command:
config firewall multicast-policy
For more information, see the FortiOS CLI Reference and the FortiGate Multicast
Technical Note.

Viewing the firewall policy list


The firewall policy list displays firewall policies in their order of matching precedence for
each source and destination interface pair.
If virtual domains are enabled on the FortiGate unit, firewall policies are configured
separately for each virtual domain; you must access the VDOM before you can configure
its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to
the VDOM whose policies you want to configure, select Enter.
You can add, delete, edit, and re-order policies in the policy list. Firewall policy order
affects policy matching. For details about arranging policies in a policy list, see “How list
order affects policy matching” on page 313 and “Moving a policy to a different position in
the policy list” on page 314.
To view the policy list, go to Firewall > Policy.

Figure 193: Firewall policy list

Callouts: Filter, Delete, Edit, Insert Policy before, Move To

Create New Add a firewall policy. Select the down arrow beside Create New to add a firewall
policy or firewall policy section. A firewall policy section visually groups firewall
policies. For more information, see “Configuring firewall policies” on page 316.
Column Settings Customize the table view. You can select the columns to hide or display and
specify the column displaying order in the table.

Section View Select to display firewall policies organized by source and destination interfaces.
Note: Section View is not available if any policy selects Any as the source or
destination interface.
Global View Select to list all firewall policies in order according to a sequence number.
Filter icon Edit the column filters to filter or sort the policy list according to the criteria you
specify. For more information, see “Adding filters to web-based manager lists” on
page 56.
ID The policy identifier. Policies are numbered in the order they are added to the
policy list.
From The source interface of the policy. Global view only.
To The destination interface of the policy. Global view only.
Source The source address or address group to which the policy applies. For more
information, see “Firewall Address” on page 339.
Destination The destination address or address group to which the policy applies. For more
information, see “Firewall Address” on page 339.
Schedule The schedule that controls when the policy should be active. For more
information, see “Firewall Schedule” on page 355.
Service The service to which the policy applies. For more information, see “Firewall
Service” on page 345.
Profile The protection profile that is associated with the policy.
Action The response to make when the policy matches a connection attempt.
Status Select the checkbox to enable a policy or deselect it to disable a policy.
From The source interface.
To The destination interface.
VPN Tunnel The VPN tunnel the VPN policy uses.
Authentication The user authentication method the policy uses.
Comments Comments entered when creating or editing the policy.
Log A green check mark indicates traffic logging is enabled for the policy; a grey
cross mark indicates traffic logging is disabled for the policy.
Count The FortiGate unit counts the number of packets and bytes that hit the firewall
policy.
For example, 5/50B means that five packets and 50 bytes in total have hit the
policy.
The counter is reset when the FortiGate unit is restarted or the policy is deleted
and re-configured.
Delete icon Delete the policy from the list.
Edit icon Edit the policy.
Insert Policy Before icon Add a new policy above the corresponding policy (the New Policy screen
appears).
Move To icon Move the corresponding policy before or after another policy in the list. For more
information, see “Moving a policy to a different position in the policy list” on
page 314.

Configuring firewall policies


You can configure firewall policies to define which sessions will match the policy and what
actions the FortiGate unit will perform with packets from matching sessions.
Sessions are matched to a firewall policy by considering these features of both the packet
and policy:
• Source Interface/Zone

• Source Address
• Destination Interface/Zone
• Destination Address
• schedule and time of the session’s initiation
• service and the packet’s port numbers.
If the initial packet matches the firewall policy, the FortiGate unit performs the configured
Action and any other configured options on all packets in the session.
Packet handling actions can be ACCEPT, DENY, IPSEC or SSL-VPN.
• ACCEPT policy actions permit communication sessions, and may optionally include
other packet processing instructions, such as requiring authentication to use the policy,
or specifying a protection profile to apply features such as virus scanning to packets in
the session. An ACCEPT policy can also apply interface-mode IPSec VPN traffic if
either the selected source or destination interface is an IPSec virtual interface. For
more information, see “Overview of IPSec VPN configuration” on page 505.
• DENY policy actions block communication sessions, and may optionally log the denied
traffic.
• IPSEC and SSL-VPN policy actions apply a tunnel mode IPSec VPN or SSL VPN
tunnel, respectively, and may optionally apply NAT and allow traffic for one or both
directions. If permitted by the firewall encryption policy, a tunnel may be initiated
automatically whenever a packet matching the policy arrives on the specified network
interface, destined for the local private network. For more information, see “IPSec
firewall policy options” on page 324 and “Configuring SSL VPN identity-based firewall
policies” on page 325.
To add or edit a firewall policy, go to Firewall > Policy. Select Create New to add a policy
or select the edit icon beside an existing firewall policy. Configure the settings as
described in the following table and in the references to specific features for IPSec, SSL
VPN and other specialized settings, and then select OK.
If you want to create a DoS policy, go to Firewall > Policy > DoS Policy, and configure the
settings according to the following table. For more information, see “DoS policies” on
page 330.
If you want to use IPv6 firewall addresses in your firewall policy, first go to System > Admin
> Settings. Select “IPv6 Support on GUI”. Then go to Firewall > Policy > IPv6 Policy, and
configure the settings according to the following table.
Firewall policy order affects policy matching. Each time that you create or edit a policy,
make sure that you position it in the correct location in the list. You can create a new policy
and position it right away before an existing one in the firewall policy list, by selecting
Insert Policy before (see “Viewing the firewall policy list” on page 315).

Note: You can configure differentiated services (DSCP) firewall policy options through the
CLI. See the “firewall” chapter of the FortiGate CLI Reference.

Figure 194: Firewall Policy options

Source Interface/Zone Select the name of the FortiGate network interface, virtual domain (VDOM) link, or
zone on which IP packets are received. Interfaces and zones are configured on
the System Network page. For more information, see “Interfaces” on page 119
and “Configuring zones” on page 139.
If you select Any as the source interface, the policy matches all interfaces as
source.
If Action is set to IPSEC, the interface is associated with the local private network.
If Action is set to SSL-VPN, the interface is associated with connections from
remote SSL VPN clients.
Source Address Select the name of a firewall address to associate with the Source Interface/Zone.
Only packets whose header contains an IP address matching the selected firewall
address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list. For
more information, see “Configuring addresses” on page 341.
If you want to associate multiple firewall addresses or address groups with the
Source Interface/Zone, from Source Address, select Multiple. In the dialog box,
move the firewall addresses or address groups from the Available Addresses
section to the Members section, then select OK.
If Action is set to IPSEC, the address is the private IP address of the host, server,
or network behind the FortiGate unit.
If Action is set to SSL-VPN and the policy is for web-only mode clients, select all.
If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the
name of the address that you reserved for tunnel mode clients.

Destination Interface/Zone Select the name of the FortiGate network interface, virtual domain (VDOM) link, or
zone to which IP packets are forwarded. Interfaces and zones are configured on
the System Network page. For more information, see “Interfaces” on page 119
and “Configuring zones” on page 139.
If you select Any as the destination interface, the policy matches all interfaces as
destination.
If Action is set to IPSEC, the interface is associated with the entrance to the VPN
tunnel.
If Action is set to SSL-VPN, the interface is associated with the local private
network.
Destination Address Select the name of a firewall address to associate with the Destination
Interface/Zone. Only packets whose header contains an IP address matching the
selected firewall address will be subject to this policy.
You can also create firewall addresses by selecting Create New from this list. For
more information, see “Configuring addresses” on page 341.
If you want to associate multiple firewall addresses or address groups with the
Destination Interface/Zone, from Destination Address, select Multiple. In the
dialog box, move the firewall addresses or address groups from the Available
Addresses section to the Members section, then select OK.
If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied
translation varies by the settings specified in the virtual IP, and whether you select
NAT (below). For more information on using virtual IPs, see “Firewall Virtual IP”
on page 359.
If Action is set to IPSEC, the address is the private IP address to which packets
may be delivered at the remote end of the VPN tunnel.
If Action is set to SSL-VPN, select the name of the IP address that corresponds to
the host, server, or network that remote clients need to access behind the
FortiGate unit.
Schedule Select a one-time or recurring schedule that controls when the policy is in effect.
You can also create schedules by selecting Create New from this list. For more
information, see “Firewall Schedule” on page 355.
Service Select the name of a firewall service or service group that packets must match to
trigger this policy.
You can select from a wide range of predefined firewall services, or you can
create a custom service or service group by selecting Create New from this list.
For more information, see “Configuring custom services” on page 350 and
“Configuring service groups” on page 352.
By selecting the Multiple button beside Service, you can select multiple services
or service groups.
Action Select how you want the firewall to respond when a packet matches the
conditions of the policy. The options available will vary widely depending on this
selection.
ACCEPT Accept traffic matched by the policy. You can configure NAT, protection profiles,
log traffic, shape traffic, set authentication options, or add a comment to the
policy.
DENY Reject traffic matched by the policy. The only other configurable policy options are
Log Violation Traffic to log the connections denied by this policy and adding a
Comment.
IPSEC You can configure an IPSec firewall encryption policy to process IPSec VPN
packets, as well as configure protection profiles, log traffic, shape traffic or add a
comment to the policy. See “IPSec firewall policy options” on page 324.
SSL-VPN You can configure an SSL-VPN firewall encryption policy to accept SSL VPN
traffic. This option is available only after you have added a SSL-VPN user group.
You can also configure NAT and protection profiles, log traffic, shape traffic or add
a comment to the policy. See “Configuring SSL VPN identity-based firewall
policies” on page 325.


NAT
  Available only if Action is set to ACCEPT or SSL-VPN. Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port.
  If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.
  Dynamic IP Pool: Select the check box, then select an IP pool to translate the source address to an IP address randomly selected from addresses in the IP Pool.
    IP Pool cannot be selected if the destination interface, VLAN subinterface, or one of the interfaces or VLAN subinterfaces in the destination zone is configured using DHCP or PPPoE, or if you have selected a Destination Interface to which no IP Pools are bound.
    You cannot use IP pools when using zones. An IP pool can only be associated with an interface.
    For details, see “IP pools” on page 375.
  Fixed Port: Select Fixed Port to prevent NAT from translating the source port.
    Some applications do not function correctly if the source port is translated. In most cases, if Fixed Port is selected, Dynamic IP Pool is also selected. If Dynamic IP Pool is not selected, a policy with Fixed Port selected can allow only one connection to that service at a time.
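The interaction between Fixed Port and Dynamic IP Pool is easier to see with a small model of the translation table that source NAT has to keep unique. The following is an added example, not FortiOS code: it models SNAT as a table keyed on the translated source address, translated source port and destination, and shows what happens when two inside hosts open the same service from the same source port. The interface address, pool addresses and flows are constructed, and the pool address is chosen first-free rather than randomly, which is a simplification of the behaviour the guide describes.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One inside-to-outside session before translation (constructed sample data)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Minimal model of policy-level source NAT with optional IP pool and Fixed Port."""

    def __init__(self, interface_ip: str, ip_pool: Optional[Iterable[str]] = None,
                 fixed_port: bool = False, ephemeral: Tuple[int, int] = (1024, 65535)) -> None:
        # Without a Dynamic IP Pool the only usable source address is the outgoing interface IP.
        self.addresses: List[str] = list(ip_pool) if ip_pool else [interface_ip]
        self.fixed_port = fixed_port
        self.ephemeral = ephemeral
        # Translated (ip, port, dst_ip, dst_port) -> original flow. Keys must be unique,
        # otherwise reply packets could not be mapped back to exactly one inside host.
        self.table: Dict[Tuple[str, int, str, int], Flow] = {}

    def _candidate_ports(self, flow: Flow) -> Iterable[int]:
        if self.fixed_port:
            return (flow.src_port,)        # Fixed Port: the source port must survive translation
        lo, hi = self.ephemeral
        return range(lo, hi + 1)           # normal NAT: any free ephemeral port will do

    def translate(self, flow: Flow) -> Optional[Tuple[str, int]]:
        """Return (translated_ip, translated_port), or None when no unique translation exists."""
        for ip in self.addresses:          # simplification: first free address, not random
            for port in self._candidate_ports(flow):
                key = (ip, port, flow.dst_ip, flow.dst_port)
                if key not in self.table:
                    self.table[key] = flow
                    return ip, port
        return None                        # session cannot be created


def demo() -> Dict[str, tuple]:
    """Two inside hosts reach the same service from the same source port (constructed)."""
    a = Flow("10.0.0.11", 40000, "203.0.113.5", 5060)
    b = Flow("10.0.0.12", 40000, "203.0.113.5", 5060)
    results: Dict[str, tuple] = {}

    # Fixed Port without a pool: the second session has nowhere unique to go.
    nat = SourceNat("198.51.100.1", fixed_port=True)
    results["fixedport_no_pool"] = (nat.translate(a), nat.translate(b))

    # Normal NAT: the source port is rewritten, so both sessions fit.
    nat = SourceNat("198.51.100.1", fixed_port=False)
    results["no_fixedport"] = (nat.translate(a), nat.translate(b))

    # Fixed Port plus a Dynamic IP Pool: each session keeps its port on a different pool address.
    nat = SourceNat("198.51.100.1", ip_pool=["198.51.100.10", "198.51.100.11"], fixed_port=True)
    results["fixedport_pool"] = (nat.translate(a), nat.translate(b))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The model only captures the tuple collision; it does not reproduce every detail of how the FortiGate unit allocates sessions, but it shows why the guide recommends pairing Fixed Port with a Dynamic IP Pool.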
Enable Identity Based Policy
  Select to configure firewall policies that require authentication. For more information, see “Adding authentication to firewall policies” on page 321.

Enable Endpoint Compliance Check
  Firewall policies can deny access for hosts that do not have FortiClient Endpoint Security software installed and operating. For more information, see “Endpoint Compliance Check options” on page 329.

User Authentication Disclaimer
  Available only on some models and only if Action is set to ACCEPT. Select this option to display the Authentication Disclaimer page (a replacement message) to the user. The user must accept the disclaimer to connect to the destination. You can use the disclaimer together with authentication or a protection profile.

Redirect URL
  Available only on some models and only if Action is set to ACCEPT. If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer.

Protection Profile
  Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 391.
  If you intend to apply authentication to this policy, do not make a Protection Profile selection. The user group you choose for authentication is already linked to a protection profile. For more information, see “Adding authentication to firewall policies” on page 321.

Traffic Shaping
  Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy.
  For information about traffic shaping, see “Traffic Shaping” on page 409.
  Note: To ensure that traffic shaping is working at its best, make sure that the interface ethernet statistics show no errors, collisions, or buffer overruns. If any of these problems do appear, then FortiGate and switch settings may require adjusting.
  Also, do not set both Guaranteed Bandwidth and Maximum Bandwidth to 0 (zero), or the policy will not allow any traffic.
  Guaranteed Bandwidth: Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.
  Maximum Bandwidth: Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.


  Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
    Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.
  Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy shaping configuration to traffic from port2 to port1.

Log Allowed Traffic
  Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see “Log&Report” on page 603.

Log Violation Traffic
  Available only if Action is set to DENY. Select Log Violation Traffic, for Deny policies, to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see “Log&Report” on page 603.

Comments
  Add information about the policy. The maximum length is 63 characters.

Adding authentication to firewall policies


If you enable Enable Identity Based Policy in a firewall policy, network users must send
traffic involving a supported firewall authentication protocol to trigger the firewall
authentication challenge, and successfully authenticate, before the FortiGate unit will
allow any other traffic matching the firewall policy.
User authentication can occur through any of the following supported protocols:
• HTTP
• HTTPS
• FTP
• Telnet
The authentication style depends on which of these supported protocols you have
included in the selected firewall services group and which of those enabled protocols the
network user applies to trigger the authentication challenge. The authentication style will
be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only)
authentication, you must install customized certificates on the FortiGate unit and on the
browsers of network users, which the FortiGate unit matches. For user name and
password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts
network users to input their firewall user name and password.
For example, if you want to require HTTPS certificate-based authentication before
allowing SMTP and POP3 traffic, you must select a firewall service (in the firewall policy)
that includes SMTP, POP3 and HTTPS services. Prior to using either POP3 or SMTP, the
network user would send traffic using the HTTPS service, which the FortiGate unit would
use to verify the network user’s certificate; upon successful certificate-based
authentication, the network user would then be able to access his or her email.


In most cases, you should ensure that users can use DNS through the FortiGate unit
without authentication. If DNS is not available, users will not be able to use a domain
name when using a supported authentication protocol to trigger the FortiGate unit’s
authentication challenge.

Note: If you do not install certificates on the network user’s web browser, the network users
may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate, which the network users’ web browsers may then deem as invalid. For
information on installing certificates, see “System Certificates” on page 237.

Note: When you use certificate authentication, if you do not specify any certificate when
you create a firewall policy, the FortiGate unit uses the default certificate from the global
settings. If you specify a certificate, the per-policy setting overrides the global setting. For
information on global authentication settings, see “Options” on page 561.

Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create
users, assign them to a firewall user group, and assign a protection profile to that user
group. For information on configuring user groups, see “User Group” on page 554. For
information on configuring authentication settings, see “Identity-based firewall policy
options (non-SSL-VPN)” on page 322 and “Configuring SSL VPN identity-based firewall
policies” on page 325.
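The evaluation order described above (regular policies first-match top to bottom, an identity-based policy admitting only authenticated sources, and unauthenticated traffic able to proceed only far enough to trigger the challenge over HTTP, HTTPS, FTP or Telnet) can be modelled in a few lines. The following is an added example and not FortiOS code; the policy names, interfaces, user groups, client address and the session store are constructed, and the mail example reproduces the guide's SMTP/POP3/HTTPS scenario with a separate non-authenticated DNS policy placed above it, as the guide recommends.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Protocols over which the FortiGate authentication challenge can be delivered (from the guide).
AUTH_TRIGGER_SERVICES = frozenset({"HTTP", "HTTPS", "FTP", "TELNET"})


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    dstintf: str
    services: FrozenSet[str]
    action: str = "ACCEPT"                   # ACCEPT or DENY
    identity_based: bool = False
    groups: FrozenSet[str] = frozenset()     # user groups allowed once authenticated


@dataclass(frozen=True)
class Packet:
    srcintf: str
    dstintf: str
    src_ip: str
    service: str


class PolicyEngine:
    """First-match policy evaluation with identity-based policies (model, not FortiOS)."""

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies             # evaluated top to bottom, first match wins
        self.authenticated: Dict[str, str] = {}   # src_ip -> user group (hypothetical store)

    def authenticate(self, src_ip: str, group: str) -> None:
        """Record a successful firewall authentication for a source address."""
        self.authenticated[src_ip] = group

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        for p in self.policies:
            if (p.srcintf, p.dstintf) != (pkt.srcintf, pkt.dstintf) or pkt.service not in p.services:
                continue
            if p.action == "DENY":
                return "DENY", p.name
            if not p.identity_based:
                return "ACCEPT", p.name
            # Identity-based: the source must already be authenticated as an allowed group.
            if self.authenticated.get(pkt.src_ip) in p.groups:
                return "ACCEPT", p.name
            # Not authenticated: only the challenge-capable protocols get anywhere.
            if pkt.service in AUTH_TRIGGER_SERVICES:
                return "AUTH_CHALLENGE", p.name
            return "DROP_UNAUTHENTICATED", p.name
        return "DENY", "implicit"            # nothing matched: implicit deny


def demo() -> Dict[str, Tuple[str, str]]:
    """Walk the guide's mail scenario with a constructed client address."""
    policies = [
        Policy("dns-no-auth", "internal", "wan1", frozenset({"DNS"})),
        Policy("mail-auth", "internal", "wan1", frozenset({"SMTP", "POP3", "HTTPS"}),
               identity_based=True, groups=frozenset({"mail_users"})),
    ]
    fw = PolicyEngine(policies)
    client = "10.0.0.5"
    pkt = lambda svc: Packet("internal", "wan1", client, svc)
    out: Dict[str, Tuple[str, str]] = {}
    out["dns_before_auth"] = fw.evaluate(pkt("DNS"))        # resolves without authenticating
    out["smtp_before_auth"] = fw.evaluate(pkt("SMTP"))      # cannot carry a challenge
    out["https_before_auth"] = fw.evaluate(pkt("HTTPS"))    # triggers the challenge
    out["ssh_unmatched"] = fw.evaluate(pkt("SSH"))          # no policy, implicit deny
    fw.authenticate(client, "guests")                       # authenticated, wrong group
    out["smtp_wrong_group"] = fw.evaluate(pkt("SMTP"))
    fw.authenticate(client, "mail_users")                   # authenticated, allowed group
    out["smtp_after_auth"] = fw.evaluate(pkt("SMTP"))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The DNS policy sits above the identity-based policy deliberately: if it were placed below, or merged into the identity-based service group, name resolution would be blocked before the user could ever reach the challenge.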

Identity-based firewall policy options (non-SSL-VPN)


For network users to use non-SSL-VPN identity-based policies, you need to add user
groups to the policy. For information about configuring user groups, see “User Group” on
page 554.
To configure identity-based policies, go to Firewall > Policy, select Create New to add a
firewall policy, or, in the row corresponding to an existing firewall policy, select Edit. Make
sure that Action is set to ACCEPT. Select Enable Identity Based Policy.

Figure 195: Selecting user groups for authentication

Enable Identity Based Policy
  Select to enable identity-based policy authentication.
  When the Action is set to ACCEPT, you can select one or more authentication server types. When a network user attempts to authenticate, the server types selected indicate which local or remote authentication servers the FortiGate unit will consult to verify the user’s credentials.

Add
  Select to create an identity-based firewall policy. For more information, see “To create an identity-based firewall policy (non-SSL-VPN)” on page 323.

User Group
  The selected user groups that must authenticate to be allowed to use this policy.

Schedule
  The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 355.

Service
  The firewall service or service group that packets must match to trigger this policy.


Profile
  The protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 391.

Traffic Shaping
  The traffic shaping configuration for this policy. For more information, see “Firewall Policy” on page 313.
  Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy shaping configuration to traffic from port2 to port1.

Log Traffic
  If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.

Delete icon
  Select to remove this policy.

Edit icon
  Select to modify this policy.

Firewall
  Include firewall user groups defined locally on the FortiGate unit, as well as on any connected LDAP and RADIUS servers. This option is selected by default.

Directory Service (FSAE)
  Include Directory Service groups defined in User > User Group. The groups are authenticated through a domain controller using Fortinet Server Authentication Extensions (FSAE). If you select this option, you must install the FSAE on the Directory Service domain controller. For information about FSAE, see the FSAE Technical Note. For information about configuring user groups, see “User Group” on page 554.

NTLM Authentication
  Include Directory Service groups defined in User > User Group. If you select this option, you must use Directory Service groups as the members of the authentication group for NTLM. For information about configuring user groups, see “User Group” on page 554.

Certificate
  Certificate-based authentication only. Select the protection profile that guest accounts will use. Note: In order to implement certificate-based authentication, you must select a firewall service group that includes one of the supported authentication protocols that use certificate-based authentication. You should also install the certificate on the network user’s web browser. For more information, see “Adding authentication to firewall policies” on page 321.

To create an identity-based firewall policy (non-SSL-VPN)


1 Go to Firewall > Policy > Policy and select Create New.
2 Configure Source Interface/Zone, Source Address, Destination Interface/Zone,
Destination Address, Schedule, and Service. For more information, see “Configuring
firewall policies” on page 316.
3 In the Action field, select ACCEPT.
4 Select the Enable Identity Based Policy check box.
A table opens below the check box.
5 Select Add.


Figure 196: Creating identity-based firewall policies


6 From the Available User Groups list, select one or more user groups that must
authenticate to be allowed to use this policy. Select the right arrow to move the
selected user groups to the Selected User Groups list.
7 Select services in the Available Services list and then select the right arrow to move
them to the Selected Services list.
8 Select a schedule from the Schedule drop-down list. There is no default.
9 Optionally, select a Protection Profile, enable User Authentication Disclaimer or Log
Allowed Traffic.
10 Optionally, select Traffic Shaping and choose a traffic shaper.
11 Select OK.

IPSec firewall policy options


In a firewall policy (see “Configuring firewall policies” on page 316), the following
encryption options are available for IPSec. To configure these options, go to Firewall >
Policy, select Create New to add a firewall policy, or in the row corresponding to an
existing firewall policy, select Edit. Make sure that Action is set to IPSEC. Enter the
information in the following table and select OK.

Figure 197: IPSEC encryption policy

VPN Tunnel
  Select the VPN tunnel name defined in the phase 1 configuration. The specified tunnel will be subject to this firewall encryption policy.

Allow Inbound
  Select to enable traffic from a dialup client or computers on the remote private network to initiate the tunnel.

Allow Outbound
  Select to enable traffic from computers on the local private network to initiate the tunnel.


Inbound NAT
  Select to translate the source IP addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.

Outbound NAT
  Select only in combination with a natip CLI value to translate the source addresses of outbound cleartext packets into the IP address that you specify. When a natip value is specified, the source addresses of outbound IP packets are replaced before the packets are sent through the tunnel. For more information, see the “firewall” chapter of the FortiGate CLI Reference.

Note: For a route-based (interface mode) VPN, you do not configure an IPSec firewall
policy. Instead, you configure two regular ACCEPT firewall policies, one for each direction
of communication, with the IPSec virtual interface as the source or destination interface as
appropriate.

For more information, see the “Defining firewall policies” chapter of the FortiGate IPSec
VPN User Guide.

Configuring SSL VPN identity-based firewall policies


For network users to use SSL-VPN identity-based policies, you must configure users, add
them to user groups, and then configure the policy.
To create an identity-based firewall policy (SSL-VPN), go to Firewall > Policy > Policy and
select Create New and enter the information in the following table. Select Action > SSL
VPN.

Note: The SSL-VPN option is only available from the Action list after you have added SSL
VPN user groups. To add SSL VPN user groups, see “SSL VPN user groups” on page 557.

For more information, see “Configuring firewall policies” on page 316.

Figure 198: Configuring a new SSL VPN firewall policy


Source Interface/Zone
  Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone on which IP packets are received.

Source Address
  Select the name of a firewall address to associate with the Source Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy.
  You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 341.
  If Action is set to SSL-VPN and the policy is for web-only mode clients, select all.
  If Action is set to SSL-VPN and the policy is for tunnel mode clients, select the name of the address that you reserved for tunnel mode clients.

Destination Interface/Zone
  Select the name of the FortiGate network interface, virtual domain (VDOM) link, or zone to which IP packets are forwarded. If Action is set to SSL-VPN, the interface is associated with the local private network.

Destination Address
  Select the name of a firewall address to associate with the Destination Interface/Zone. Only packets whose header contains an IP address matching the selected firewall address will be subject to this policy.
  You can also create firewall addresses by selecting Create New from this list. For more information, see “Configuring addresses” on page 341.
  If you want to associate multiple firewall addresses or address groups with the Destination Interface/Zone, from Destination Address, select Multiple. In the dialog box, move the firewall addresses or address groups from the Available Addresses section to the Members section, then select OK.
  If you select a virtual IP, the FortiGate unit applies NAT or PAT. The applied translation varies by the settings specified in the virtual IP, and whether you select NAT (below). For more information on using virtual IPs, see “Firewall Virtual IP” on page 359.
  If Action is set to IPSEC, the address is the private IP address to which packets may be delivered at the remote end of the VPN tunnel.
  If Action is set to SSL-VPN, select the name of the IP address that corresponds to the host, server, or network that remote clients need to access behind the FortiGate unit.

Action
  Select SSL-VPN to configure the firewall encryption policy to accept SSL VPN traffic. This option is available only after you have added an SSL-VPN user group.

SSL Client Certificate Restrictive
  Allow traffic generated by holders of a (shared) group certificate. The holders of the group certificate must be members of an SSL VPN user group, and the name of that user group must be present in the Allowed field.

Cipher Strength
  Select the bit level of SSL encryption. The web browser on the remote client must be capable of matching the level that you select: Any, High >= 164, or Medium >= 128.

User Authentication Method
  Select the authentication server type by which the user will be authenticated:
  Any: For all of the above authentication methods. Local is attempted first, then RADIUS, then LDAP.
  Local: For a local user group that will be bound to this firewall policy.
  RADIUS: For remote clients that will be authenticated by an external RADIUS server.
  LDAP: For remote clients that will be authenticated by an external LDAP server.
  TACACS+: For remote clients that will be authenticated by an external TACACS+ server.

NAT
  Enable or disable Network Address Translation (NAT) of the source address and port of packets accepted by the policy. When NAT is enabled, you can also configure Dynamic IP Pool and Fixed Port.
  If you select a virtual IP as the Destination Address, but do not select the NAT option, the FortiGate unit performs destination NAT (DNAT) rather than full NAT. Source NAT (SNAT) is not performed.

Fixed Port
  Select Fixed Port to prevent NAT from translating the source port.


Enable Identity Based Policy
  Select to configure an SSL-VPN firewall policy that requires authentication.

Add
  Select to configure the valid authentication methods, user group names, and services. For more information, see “User Group” on page 554.

Comments
  Add information about the policy. The maximum length is 63 characters.

To create an identity-based firewall policy, select the Enable Identity Based Policy check box. A table opens below the check box. Select Add. The New Authentication Rule dialog opens (see Figure 199).

Figure 199: New Authentication Rule

User Group
  Available User Groups: List of user groups available for inclusion in the firewall policy. To add a user group to the list, select the name and then select the Right Arrow.
  Selected User Groups: List of user groups that are included in the firewall policy. To remove a user group from the list, select the name and then select the Left Arrow.

Service
  Available Services: List of available services to include in the firewall policy. To add a service to the list, select the name and then select the Right Arrow.


  Selected Services: List of services that are included in the firewall policy. To remove a service from the list, select the name and then select the Left Arrow.

Schedule
  Select a one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 355.

Protection Profile
  Select a protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to a firewall policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 391.

Traffic Shaping
  Select a traffic shaper for the policy. You can also select to create a new traffic shaper. Traffic Shaping controls the bandwidth available to, and sets the priority of the traffic processed by, the policy. For information about traffic shaping, see “Traffic Shaping” on page 409.
  Reverse Direction Traffic Shaping: Select to enable reverse traffic shaping. For example, if the traffic direction that a policy controls is from port1 to port2, selecting this option also applies the policy shaping configuration to traffic from port2 to port1.

Log Allowed Traffic
  Select to record messages to the traffic log whenever the policy processes a connection. You must also enable traffic log for a logging location (syslog, WebTrends, local disk if available, memory, or FortiAnalyzer) and set the logging severity level to Notification or lower using the Log and Report screen. For more information, see “Log&Report” on page 603.

For information about how to create a firewall encryption policy for SSL VPN users, see the “SSL VPN administration tasks” chapter of the FortiGate SSL VPN User Guide.

Figure 200: Selecting user groups for authentication

Enable Identity Based Policy
  Select to enable identity-based policy authentication.

Add
  Select to create an identity-based firewall policy.

Rule ID
  The ID number of the policy.

User Group
  The selected user groups that must authenticate to be allowed to use this policy.


Schedule
  The one-time or recurring schedule that controls when the policy is in effect. You can also create schedules by selecting Create New from this list. For more information, see “Firewall Schedule” on page 355.

Service
  The firewall service or service group that packets must match to trigger this policy.

Profile
  The protection profile to apply antivirus, web filtering, web category filtering, spam filtering, IPS, content archiving, and logging to this policy. You can also create a protection profile by selecting Create New from this list. For more information, see “Firewall Protection Profile” on page 391.

Traffic Shaping
  The traffic shaping configuration for this policy. For more information, see “Traffic Shaping” on page 409.

Log Traffic
  If the Log Allowed Traffic option is selected when adding an identity-based policy, a green check mark appears. Otherwise, a white cross mark appears.

Delete icon
  Select to delete this policy.

Edit icon
  Select to edit this policy.

Move Up or Move Down
  Select to move the policy in the list. Firewall policy order affects policy matching. You can arrange the firewall policy list to influence the order in which policies are evaluated for matches with user groups.

Tip: If you select NAT, the IP address of the outgoing interface of the FortiGate unit is used
as the source address for new sessions started by SSL VPN.

Note: The traffic shaping option can be used to traffic shape tunnel-mode SSL VPN traffic,
but has no effect on web-mode SSL VPN traffic.

Endpoint Compliance Check options


You can require users of a firewall policy to have FortiClient Endpoint Security software
installed. Optionally, you can also require that the antivirus signatures are up-to-date and
check for the presence of specific applications on the computer. You can quarantine non-
compliant users to a web portal, from which they can download the FortiClient installer or
update their antivirus signatures. For more information about configuring the Endpoint
Control feature and monitoring endpoints, see “Endpoint control” on page 599.
In a new or existing firewall policy, the following options configure the Endpoint
Compliance Check:

Figure 201: Endpoint Compliance firewall policy options

Enable Endpoint Compliance Check
  Check that the source hosts of this firewall policy have FortiClient Endpoint Security software installed. Make sure that all of these hosts are capable of installing the software.

Enforce FortiClient AV Up-to-date
  Check that the FortiClient Endpoint Security application has the antivirus (real-time protection) feature enabled and is using the latest version of the antivirus signatures available from FortiGuard Services.


Collect System Information from Endpoints
  Collect information about the host computer, its operating system and the specific installed applications. This information is displayed in the Endpoints list. See “Monitoring endpoints” on page 602.

Redirect Non-conforming Clients to Download Portal
  The non-compliant user sees a simple web page that explains why they are non-compliant. The portal provides links to download a FortiClient application installer or updated antivirus signatures, as needed.
  If the redirect is not enabled, the non-compliant user simply has no network access.

Note: If the firewall policy involves a load balancing virtual IP, the endpoint compliance
check is not performed.

DoS policies
DoS policies are primarily used to apply DoS sensors to network traffic based on the
FortiGate interface it is leaving or entering as well as the source and destination
addresses. DoS sensors are a traffic anomaly detection feature to identify network traffic
that does not fit known or common traffic patterns and behavior. A common example of
anomalous traffic is the denial of service attack. A denial of service occurs when an
attacking system starts an abnormally large number of sessions with a target system. The
large number of sessions slows down or disables the target system so legitimate users
can no longer use it.
DoS policies examine network traffic very early in the sequence of protective measures
the FortiGate unit deploys to protect your network. Because of this, DoS policies are a
very efficient defence, using few resources. The previously mentioned denial of service
attack would be detected and its packets dropped before requiring firewall policy look-ups,
antivirus scans, and other protective but resource-intensive operations.

Viewing the DoS policy list


The DoS policy list displays the DoS policies in their order of matching precedence for
each interface, source/destination address pair, and service.
If virtual domains are enabled on the FortiGate unit, DoS policies are configured
separately for each virtual domain; you must access the VDOM before you can configure
its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to
the VDOM whose policies you want to configure, select Enter.
You can add, delete, edit, and re-order policies in the DoS policy list. DoS policy order
affects policy matching. As with firewall policies, DoS policies are checked against traffic in
the order in which they appear in the DoS policy list, one at a time, from top to bottom.
When a matching policy is found, it is used and further checking for DoS policy
matches stops.
To view the DoS policy list, go to Firewall > Policy > DoS Policy.

Figure 202: The DoS policy list


Create New: Add a firewall policy. Select the down arrow beside Create New to add a firewall policy or firewall policy section. A firewall policy section visually groups firewall policies. For more information, see “Configuring DoS policies” on page 331.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column display order in the table.
Section View: Select to display firewall policies organized by interface.
Global View: Select to list all firewall policies in order according to a sequence number.
Filter icon: Edit the column filters to filter or sort the policy list according to the criteria you specify. For more information, see “Adding filters to web-based manager lists” on page 56.
Status: When selected, the DoS policy is enabled. Clear the checkbox to disable the policy.
ID: A unique identifier for each policy. Policies are numbered in the order they are created.
Source: The source address or address group to which the policy applies. For more information, see “Firewall Address” on page 339.
Destination: The destination address or address group to which the policy applies. For more information, see “Firewall Address” on page 339.
Service: The service to which the policy applies. For more information, see “Firewall Service” on page 345.
DoS: The DoS sensor selected in this policy.
Interface: The interface to which this policy applies.
Delete icon: Delete the policy from the list.
Edit icon: Edit the policy.
Insert Policy Before icon: Add a new policy above the corresponding policy (the New Policy screen appears).
Move To icon: Move the corresponding policy before or after another policy in the list.

Configuring DoS policies


The DoS policy configuration allows you to specify the interface, a source address, a
destination address, and a service. All of the specified attributes must match network
traffic to trigger the policy.
You can also use the config firewall interface-policy CLI command to specify
an IPS sensor to function as part of a DoS policy. For more information, see the FortiGate
CLI Reference.
For IPv6 operation, DoS sensors are not supported. Further, you must specify IPS
sensors with the config firewall interface-policy CLI command. For more
information on FortiGate IPv6 support, see “FortiGate IPv6 support” on page 224.
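The first-match rule and the all-attributes-must-match rule described above, as an added Python example that is not part of this guide or of FortiOS: it evaluates a DoS policy list top to bottom against a packet, and adds a simple audit that flags a policy shadowed by a broader one placed earlier in the list. The policy, sensor and packet values are constructed; the service definitions are a subset of the guide's predefined service table.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Dict, List, Optional, Tuple

# Service definitions as (protocol, low, high) triples; for ICMP the "port"
# is the message type. These entries are copied from the guide's predefined
# service table (Table 31) for illustration; the rest of the table is omitted.
ServiceDef = Tuple[str, int, int]
SERVICES: Dict[str, List[ServiceDef]] = {
    "ANY":  [("tcp", 0, 65535), ("udp", 0, 65535), ("icmp", 0, 255)],
    "HTTP": [("tcp", 80, 80)],
    "DNS":  [("tcp", 53, 53), ("udp", 53, 53)],
    "SNMP": [("tcp", 161, 162), ("udp", 161, 162)],
    "PING": [("icmp", 8, 8)],
}


@dataclass
class DosPolicy:
    """One row of the DoS policy list: interface, source, destination, service."""
    id: int
    interface: str          # interface name, or "any"
    srcaddr: IPv4Network
    dstaddr: IPv4Network
    service: str            # key into SERVICES
    sensor: str             # DoS sensor name (illustrative only)
    enabled: bool = True    # the Status checkbox


@dataclass
class Packet:
    interface: str          # interface the packet is entering
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    port: int               # destination port, or ICMP type


def service_matches(service: str, proto: str, port: int) -> bool:
    return any(p == proto and lo <= port <= hi for p, lo, hi in SERVICES[service])


def policy_matches(pol: DosPolicy, pkt: Packet) -> bool:
    """All four attributes must match; a disabled policy never matches."""
    return (pol.enabled
            and pol.interface in ("any", pkt.interface)
            and ip_address(pkt.src) in pol.srcaddr
            and ip_address(pkt.dst) in pol.dstaddr
            and service_matches(pol.service, pkt.proto, pkt.port))


def first_match(policies: List[DosPolicy], pkt: Packet) -> Optional[DosPolicy]:
    """Top-to-bottom evaluation: the first matching policy wins and checking stops."""
    for pol in policies:
        if policy_matches(pol, pkt):
            return pol
    return None


def service_covers(outer: str, inner: str) -> bool:
    """True if every protocol/port range of `inner` lies inside a range of `outer`."""
    return all(any(p == q and lo2 <= lo and hi <= hi2 for q, lo2, hi2 in SERVICES[outer])
               for p, lo, hi in SERVICES[inner])


def shadowed(policies: List[DosPolicy]) -> List[Tuple[int, int]]:
    """Audit check: (policy id, id of the earlier policy that fully covers it).

    A shadowed policy can never be the first match, so its sensor never runs;
    the usual fix is to move the specific policy above the broad one.
    """
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.enabled
                    and earlier.interface in ("any", later.interface)
                    and later.srcaddr.subnet_of(earlier.srcaddr)
                    and later.dstaddr.subnet_of(earlier.dstaddr)
                    and service_covers(earlier.service, later.service)):
                found.append((later.id, earlier.id))
                break
    return found


# Constructed policy list: a broad catch-all sensor on wan1 placed above a
# stricter sensor meant for the DMZ web server at 10.10.10.3 (address taken
# from the guide's SOHO example; the sensor names are made up).
EXAMPLE_POLICIES = [
    DosPolicy(1, "wan1", IPv4Network("0.0.0.0/0"), IPv4Network("0.0.0.0/0"), "ANY", "baseline_sensor"),
    DosPolicy(2, "wan1", IPv4Network("0.0.0.0/0"), IPv4Network("10.10.10.3/32"), "HTTP", "web_strict_sensor"),
]
# Constructed packet: an inbound HTTP request from a home user to the web server.
WEB_PKT = Packet("wan1", "172.20.100.6", "10.10.10.3", "tcp", 80)

if __name__ == "__main__":
    hit = first_match(EXAMPLE_POLICIES, WEB_PKT)
    print("first match:", hit.id, hit.sensor)           # 1 baseline_sensor
    print("shadowed:", shadowed(EXAMPLE_POLICIES))      # [(2, 1)]
    fixed = [EXAMPLE_POLICIES[1], EXAMPLE_POLICIES[0]]  # Move To: put policy 2 first
    print("after reorder:", first_match(fixed, WEB_PKT).id, shadowed(fixed))  # 2 []
```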


Figure 203: Editing a DoS policy

Source Interface/Zone: The interface or zone to be monitored.
Source Address: Select an address or address range to limit traffic monitoring to network traffic sent from the specified address or range. Select Multiple to include multiple addresses or ranges.
Destination Address: Select an address or address range to limit traffic monitoring to network traffic sent to the specified address or range. Select Multiple to include multiple addresses or ranges.
Service: Select a service to limit traffic monitoring to only the selected type.
DoS Sensor: Select and specify a DoS sensor to have the FortiGate apply the sensor to matching network traffic.

Firewall policy examples


FortiGate units are capable of meeting various network requirements from home use to
SOHO, large enterprises and ISPs. The following two scenarios demonstrate practical
applications of firewall policies in the SOHO and large enterprise environments.

Scenario one: SOHO-sized business


Company A is a small software company performing development and providing customer
support. In addition to their internal network of 15 computers, they also have several
employees who work from home all or some of the time.
With their current network topology, all 15 of the internal computers are behind a router
and must go to an external source to access the ISP mail and web servers. All home-
based employees access the router through open/non-secured connections.


Figure 204: Example SOHO network before FortiGate installation (Internet; ISP Mail Server and ISP Web Server at 172.16.10.3; Home-based Workers with no secure connection; router at 192.168.100.1; Internal Network: Finance Department, Help Desk, Engineering Department)

Company A requires secure connections for home-based workers. Like many companies,
they rely heavily on email and Internet access to conduct business. They want a
comprehensive security solution to detect and prevent network attacks, block viruses, and
decrease spam. They want to apply different protection settings for different departments.
They also want to integrate web and email servers into the security solution.
To deal with their first requirement, Company A configures specific policies for each
home-based worker to ensure secure communication between the home-based worker
and the internal network.
1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings for Home_User_1:

Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_Network; Destination: Home_User_1
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home1
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes

Outbound NAT: no
Protection Profile: Select the check mark and select standard_profile
3 Select OK.
4 Select Create New and enter or select the following settings for Home_User_2:

Interface / Zone: Source: internal; Destination: wan1
Address: Source: CompanyA_network; Destination: All
Schedule: Always
Service: ANY
Action: IPSEC
VPN Tunnel: Home2_Tunnel
Allow Inbound: yes
Allow outbound: yes
Inbound NAT: yes
Outbound NAT: no
Protection Profile: Select the check mark and select standard_profile

5 Select OK.

Figure 205: SOHO network topology with FortiGate-100 (a FortiGate-100A unit; Home User 1 at 172.20.100.6 and Home User 2 at 172.25.106.99 reach the External interface, 172.30.120.8, through VPN tunnels over the Internet; DMZ interface 10.10.10.1 with Email Server 10.10.10.2 and Web Server 10.10.10.3; Internal interface 192.168.100.1 with Finance Users 192.168.100.10-192.168.100.20, Help Desk Users 192.168.100.21-192.168.100.50 and Engineering Users 192.168.100.51-192.168.100.100)

The proposed network is based around a FortiGate-100A unit. The 15 internal computers
are behind the FortiGate unit. They now access the email and web servers in a DMZ,
which is also behind the FortiGate unit. All home-based employees now access the office
network through the FortiGate unit via VPN tunnels.


Scenario two: enterprise-sized business


Located in a large city, the library system is anchored by a main downtown location
serving most of the population, with more than a dozen branches spread throughout the
city. Each branch is wired to the Internet but none are linked with each other by dedicated
connections.
The current network topology at the main location consists of three user groups. The
main branch staff and public terminals access the servers in the DMZ behind the firewall.
The catalog access terminals directly access the catalog server without first going through
the firewall.
The topology at the branch office has all three user groups accessing the servers at the
main branch through non-secured Internet connections.

Figure 206: The library system’s current network topology

The library must be able to set different access levels for patrons and staff members.
The first firewall policy for main office staff members allows full access to the Internet at all
times. A second policy will allow direct access to the DMZ for staff members. A second
pair of policies is required to allow branch staff members the same access.
The staff firewall policies will all use a protection profile configured specifically for staff
access. Enabled features include virus scanning, spam filtering, IPS, and blocking of all
P2P traffic. FortiGuard web filtering is also used to block advertising, malware, and
spyware sites.


A few users may need special web and catalog server access to update information on
those servers, depending on how they are configured. Special access can be allowed
based on IP address or user.
The proposed topology has the main branch staff and the catalog access terminals
going through a FortiGate HA cluster to the servers in a DMZ. The public access terminals
first go through a FortiWiFi unit, where additional policies can be applied, to the HA
cluster and finally to the servers.
The branch office has all three user groups routed through a FortiWiFi unit to the main
branch via VPN tunnels.

Figure 207: Proposed library system network topology

Policies are configured in Firewall > Policy. Protection Profiles are configured in Firewall >
Protection Profile.
Main office “staff to Internet” policy:

Source Interface: Internal
Source Address: All
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept


Main office “staff to DMZ” policy:

Source Interface: Internal
Source Address: All
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept

Branches “staff to Internet” policy:

Source Interface: Branches
Source Address: Branch Staff
Destination Interface: External
Destination Address: All
Schedule: Always
Action: Accept

Branches “staff to DMZ” policy:

Source Interface: Branches
Source Address: Branch Staff
Destination Interface: DMZ
Destination Address: Servers
Schedule: Always
Action: Accept

For more information about these examples, see:


• SOHO and SMB Configuration Example Guide
• FortiGate Enterprise Configuration Example


Firewall Address
Firewall addresses and address groups define network addresses that you can use when
configuring firewall policies’ source and destination address fields. The FortiGate unit
compares the IP addresses contained in packet headers with firewall policy source and
destination addresses to determine if the firewall policy matches the traffic.
You can organize related addresses into address groups to simplify your firewall policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall addresses are
configured separately for each virtual domain, and you must first enter the virtual domain
to configure its firewall addresses. For details, see “Using virtual domains” on page 103.
This section describes:
• About firewall addresses
• Viewing the firewall address list
• Configuring addresses
• Viewing the address group list
• Configuring address groups

About firewall addresses


A firewall address can contain one or more network addresses. Network addresses can
be represented by an IP address with a netmask, an IP address range, or a fully qualified
domain name (FQDN).
When representing hosts by an IP address with a netmask, the IP address can represent
one or more hosts. For example, a firewall address can be:
• a single computer, such as 192.45.46.45
• a subnetwork, such as 192.168.1.0 for a class C subnet
• 0.0.0.0, which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be
represented in either dotted decimal or CIDR format. The FortiGate unit automatically
converts CIDR formatted netmasks to dotted decimal format. Example formats:
• netmask for a single computer: 255.255.255.255, or /32
• netmask for a class A subnet: 255.0.0.0, or /8
• netmask for a class B subnet: 255.255.0.0, or /16
• netmask for a class C subnet: 255.255.255.0, or /24
• netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24

Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid firewall
address.


When representing hosts by an IP Range, the range indicates hosts with continuous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. Valid IP Range formats include:
• x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
• x.x.x.[x-x], such as 192.168.110.[100-120]
• x.x.x.*, such as 192.168.110.*
When representing hosts by a FQDN, the domain name can be a subdomain, such as
mail.example.com. A single FQDN firewall address may be used to apply a firewall policy
to multiple hosts, as in load balancing and high availability (HA) configurations. FortiGate
units automatically resolve and maintain a record of all addresses to which the FQDN
resolves. Valid FQDN formats include:
• <host_name>.<second_level_domain_name>.<top_level_domain_name>, such as
mail.example.com
• <host_name>.<top_level_domain_name>

Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.

Note: By default, IPv6 firewall addresses can be configured only in the CLI. For information
on enabling configuration of IPv6 firewall addresses in the web-based manager, see
“Settings” on page 222.
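An added Python example, not taken from this guide or from FortiOS, that parses the three address representations listed above (IP/netmask in dotted-decimal or CIDR form, the three IP range forms, and an FQDN) and tests whether a given IP belongs to each. It rejects 0.0.0.0/255.255.255.255 as the Note requires, and for FQDN addresses takes a resolver callback so the dependence on DNS answers described in the Caution can be seen directly; the address names and DNS answers are constructed.

```python
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional, Tuple

# x.x.x.[x-x] and x.x.x.* forms of an IP range.
_BRACKET_RANGE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(?:\[(\d{1,3})-(\d{1,3})\]|\*)$")
# Hostname labels separated by dots, ending in an alphabetic top-level domain.
_FQDN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)

# A resolver answers a name with a list of addresses (None or [] if unknown).
Resolver = Callable[[str], Optional[List[str]]]


def _is_ipv4(text: str) -> bool:
    try:
        IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_subnet(spec: str) -> IPv4Network:
    """IP/netmask as x.x.x.x/x.x.x.x or x.x.x.x/x; a bare IP is a single host.

    A bare 0.0.0.0 means "any address". ipaddress accepts a dotted-decimal mask
    and normalises it to CIDR, as the FortiGate unit does.
    """
    if spec == "0.0.0.0":
        return IPv4Network("0.0.0.0/0")
    net = IPv4Network(spec, strict=False)  # host bits below the mask are ignored
    if net.prefixlen == 32 and net.network_address == IPv4Address("0.0.0.0"):
        raise ValueError("0.0.0.0 with netmask 255.255.255.255 is not a valid firewall address")
    return net


def parse_range(spec: str) -> Tuple[IPv4Address, IPv4Address]:
    """x.x.x.x-x.x.x.x, x.x.x.[x-x] or x.x.x.*; returns the inclusive (first, last) pair."""
    m = _BRACKET_RANGE.match(spec)
    if m:
        prefix = ".".join(m.group(1, 2, 3))
        lo, hi = (0, 255) if m.group(4) is None else (int(m.group(4)), int(m.group(5)))
        first, last = IPv4Address(f"{prefix}.{lo}"), IPv4Address(f"{prefix}.{hi}")
    else:
        a, _, b = spec.partition("-")
        first, last = IPv4Address(a), IPv4Address(b)  # ValueError if either side is not an IP
    if first > last:
        raise ValueError(f"range start is after range end: {spec}")
    return first, last


class FirewallAddress:
    """A named firewall address of kind 'subnet', 'iprange' or 'fqdn'."""

    def __init__(self, name: str, spec: str):
        self.name, self.spec = name, spec
        if _is_ipv4(spec) or "/" in spec:
            self.kind = "subnet"
            self.net = parse_subnet(spec)
        elif _BRACKET_RANGE.match(spec) or (spec.count("-") == 1 and all(map(_is_ipv4, spec.split("-")))):
            self.kind = "iprange"
            self.first, self.last = parse_range(spec)
        elif _FQDN.match(spec):
            self.kind = "fqdn"
            self.fqdn = spec.lower()
        else:
            raise ValueError(f"unrecognised firewall address format: {spec}")

    def contains(self, ip: str, resolver: Optional[Resolver] = None) -> bool:
        addr = IPv4Address(ip)
        if self.kind == "subnet":
            return addr in self.net
        if self.kind == "iprange":
            return self.first <= addr <= self.last
        # FQDN: the match is only as trustworthy as the DNS answer. A changed or
        # poisoned answer silently changes which hosts the policy applies to.
        answers = (resolver(self.fqdn) if resolver else None) or []
        return addr in {IPv4Address(a) for a in answers}


# Constructed DNS answers standing in for the FortiGate unit's own resolver.
CONSTRUCTED_DNS: Dict[str, List[str]] = {"mail.example.com": ["192.0.2.10", "192.0.2.11"]}

if __name__ == "__main__":
    # Address objects modelled on the guide's SOHO example (names constructed).
    for name, spec in [("CompanyA_Network", "192.168.100.0/255.255.255.0"),
                       ("Finance_Users", "192.168.100.[10-20]"),
                       ("HelpDesk_Users", "192.168.100.21-192.168.100.50"),
                       ("Mail_Server", "mail.example.com")]:
        fa = FirewallAddress(name, spec)
        print(name, fa.kind, fa.contains("192.168.100.15", CONSTRUCTED_DNS.get))
```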

Viewing the firewall address list


Firewall addresses in the list are grouped by type: IP/Netmask, FQDN, or IPv6.
FortiGate unit default configurations include the all address, which represents any IP
address on any network.
To view the address list, go to Firewall > Address.

Figure 208: Firewall address list


Create New: Add a firewall address. If IPv6 Support on GUI is enabled, you can alternatively select Create Options (the down arrow) located in the Create New button, then select IPv6 Address, to configure an IPv6 firewall address. For more information on enabling IPv6 support, see “Settings” on page 222.
Name: The name of the firewall address.


Address / FQDN: The IP address and mask, IP address range, or fully qualified domain name.
Interface: The interface, zone, or virtual domain (VDOM) to which you bind the IP address.
Delete icon: Select to remove the address. The Delete icon appears only if a firewall policy or address group is not currently using the address.
Edit icon: Select to edit the address.

Configuring addresses
You can use one of the following methods to represent hosts in firewall addresses:
IP/Netmask, FQDN, or IPv6.

Caution: Be cautious if employing FQDN firewall addresses. Using a fully qualified domain
name in a firewall policy, while convenient, does present some security risks, because
policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.

Note: By default, IPv6 firewall addresses can be configured only in the CLI. For information
on enabling configuration of IPv6 firewall addresses in the web-based manager, see
“Settings” on page 222.

To add a firewall address


1 Go to Firewall > Address.
2 Select Create New.
If IPv6 Support on GUI is enabled, you can alternatively select the down arrow located
in the Create New button, then select IPv6 Address to configure an IPv6 firewall
address. For information on enabling configuration of IPv6 firewall addresses in the
web-based manager, see “Settings” on page 222.
3 Complete the following:

Figure 209: New address or IP range options

Address Name: Enter a name to identify the firewall address. Addresses, address groups, and virtual IPs must have unique names.
Type: Select the type of address: Subnet/IP Range or FQDN. You can enter either an IP range or an IP address with subnet mask.
Subnet / IP Range: Enter the firewall IP address, followed by a forward slash (/), then the subnet mask, or enter an IP address range separated by a hyphen.
Interface: Select the interface, zone, or virtual domain (VDOM) link to which you want to bind the IP address. Select Any if you want to bind the IP address with the interface/zone when you create a firewall policy.


4 Select OK.
Tip: You can also create firewall addresses when configuring a firewall policy: Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Source
Address list, select Address > Create New.

Viewing the address group list


You can organize multiple firewall addresses into an address group to simplify your
firewall policy list. For example, instead of having five identical policies for five different but
related firewall addresses, you might combine the five addresses into a single address
group, which is used by a single firewall policy.
To view the address group list, go to Firewall > Address > Group.

Figure 210: Firewall address group list


Create New: Add an address group. If IPv6 Support on GUI is enabled, you can alternatively select Create Options (the down arrow) located in the Create New button, then select IPv6 Address Group, to configure an IPv6 firewall address group. For more information on enabling IPv6 Support on GUI, see “Settings” on page 222.
Group Name: The name of the address group.
Members: The addresses in the address group.
Delete icon: Select to remove the address group. The Delete icon appears only if the address group is not currently being used by a firewall policy.
Edit icon: Select to edit the address group.

Configuring address groups


Because firewall policies require addresses with homogenous network interfaces, address
groups should contain only addresses bound to the same network interface, or to Any —
addresses whose selected interface is Any are bound to a network interface during
creation of a firewall policy, rather than during creation of the firewall address. For
example, if address A1 is associated with port1, and address A2 is associated with port2,
they cannot be grouped. However, if A1 and A2 have an interface of Any, they can be
grouped, even if the addresses involve different networks.

To organize addresses into an address group


1 Go to Firewall > Address > Group.
2 Select Create New.
3 Complete the following:


Figure 211: Address group options

Group Name: Enter a name to identify the address group. Addresses, address groups, and virtual IPs must have unique names.
Available Addresses: The list of all configured and default firewall addresses. Use the arrows to move selected addresses between the lists of available and member addresses.
Members: The list of addresses included in the address group. Use the arrows to move selected addresses between the lists of available and member addresses.

4 Select OK.
Tip: You can also create firewall address groups when configuring a firewall policy: Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Source
Address list, select Address Group > Create New.


Firewall Service
Firewall services define one or more protocols and port numbers associated with each
service. Firewall policies use service definitions to match session types.
You can organize related services into service groups to simplify your firewall policy list.
If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall
services separately for each virtual domain. For more information, see “Using virtual
domains” on page 103.
This section describes:
• Viewing the predefined service list
• Viewing the custom service list
• Configuring custom services
• Viewing the service group list
• Configuring service groups

Viewing the predefined service list


Many well-known traffic types have been predefined in firewall services. These predefined
services are defaults, and cannot be edited or removed. However, if you require different
services, you can create custom services. For more information, see “Configuring custom
services” on page 350.
To view the predefined service list, go to Firewall > Service > Predefined.

Figure 212: Predefined service list


Name: The name of the predefined service.
Detail: The protocol and port number of the predefined service.

Table 31: Predefined services

Each entry gives the service name, the IP protocol and port (or ICMP type) it matches, and a description.

AFS3 (TCP 7000-7009; UDP 7000-7009): Advanced File Security Encrypted File, version 3, of the AFS distributed file system protocol.
AH (IP protocol 51): Authentication Header. AH provides source host authentication and data integrity, but not secrecy. This protocol is used for authentication by IPSec remote gateways set to aggressive mode.
ANY (all protocols, all ports): Matches connections using any protocol over IP.
AOL (TCP 5190-5194): America Online Instant Message protocol.
BGP (TCP 179): Border Gateway Protocol. BGP is an interior/exterior routing protocol.
CVSPSERVER (TCP 2401; UDP 2401): Concurrent Versions System Proxy Server. CVSPSERVER is well suited to providing anonymous CVS access to a repository.
DCE-RPC (TCP 135; UDP 135): Distributed Computing Environment / Remote Procedure Calls. Applications using DCE-RPC can call procedures from another application without having to know on which host the other application is running.
DHCP (UDP 67, 68): Dynamic Host Configuration Protocol. DHCP allocates network addresses and delivers configuration parameters from DHCP servers to hosts.
DHCP6 (UDP 546, 547): Dynamic Host Configuration Protocol for IPv6.
DNS (TCP 53; UDP 53): Domain Name Service. DNS resolves domain names into IP addresses.
ESP (IP protocol 50): Encapsulating Security Payload. ESP is used by manual key and AutoIKE IPSec VPN tunnels for communicating encrypted data. AutoIKE VPN tunnels use ESP after establishing the tunnel by IKE.
FINGER (TCP 79): A network service providing information about users.
FTP (TCP 21): File Transfer Protocol.
FTP_GET (TCP 21): File Transfer Protocol. FTP-GET is used for FTP connections which upload files.
FTP_PUT (TCP 21): File Transfer Protocol. FTP-PUT is used for FTP connections which download files.
GOPHER (TCP 70): Gopher organizes and displays Internet server contents as a hierarchically structured list of files.
GRE (IP protocol 47): Generic Routing Encapsulation. GRE allows an arbitrary network protocol to be transmitted over any other arbitrary network protocol, by encapsulating the packets of the protocol within GRE packets.
H323 (TCP 1720, 1503; UDP 1719): H.323 multimedia protocol. H.323 is a standard approved by the International Telecommunication Union (ITU) defining how audiovisual conferencing data can be transmitted across networks. For more information, see the FortiGate Support for H.323 Technical Note.

HTTP (TCP 80): Hypertext Transfer Protocol. HTTP is used to browse web pages on the World Wide Web.
HTTPS (TCP 443): HTTP with secure socket layer (SSL). HTTPS is used for secure communication with web servers.
ICMP_ANY (ICMP, any type): Internet Control Message Protocol. ICMP allows control messages and error reporting between a host and gateway (Internet).
IKE (UDP 500, 4500): Internet Key Exchange. IKE obtains authenticated keying material for use with the Internet Security Association and Key Management Protocol (ISAKMP) for IPSEC.
IMAP (TCP 143): Internet Message Access Protocol. IMAP is used by email clients to retrieve email messages from email servers.
IMAPS (TCP 993): IMAP with SSL. IMAPS is used for secure IMAP communication between email clients and servers.
INFO_ADDRESS (ICMP 17): ICMP information request messages.
INFO_REQUEST (ICMP 15): ICMP address mask request messages.
IRC (TCP 6660-6669): Internet Relay Chat. IRC allows users to join chat channels.
Internet-Locator-Service (TCP 389): Internet Locator Service. ILS includes LDAP, User Locator Service, and LDAP over TLS/SSL.
L2TP (TCP 1701; UDP 1701): Layer 2 Tunneling Protocol. L2TP is a PPP-based tunnel protocol for remote access.
LDAP (TCP 389): Lightweight Directory Access Protocol. LDAP is used to access information directories.
MGCP (UDP 2427, 2727): Media Gateway Control Protocol. MGCP is used by call agents and media gateways in distributed Voice over IP (VoIP) systems.
MS-SQL (TCP 1433, 1434): Microsoft SQL Server is a relational database management system (RDBMS) produced by Microsoft. Its primary query languages are MS-SQL and T-SQL.
MYSQL (TCP 3306): MySQL is a relational database management system (RDBMS) which runs as a server providing multi-user access to a number of databases.
NFS (TCP 111, 2049; UDP 111, 2049): Network File System. NFS allows network users to mount shared files.
NNTP (TCP 119): Network News Transport Protocol. NNTP is used to post, distribute, and retrieve Usenet messages.
NTP (TCP 123; UDP 123): Network Time Protocol. NTP synchronizes a host’s time with a time server.
NetMeeting (TCP 1720): NetMeeting allows users to teleconference using the Internet as the transmission medium.
ONC-RPC (TCP 111; UDP 111): Open Network Computing Remote Procedure Call. ONC-RPC is a widely deployed remote procedure call system.
OSPF (IP protocol 89): Open Shortest Path First. OSPF is a common link state routing protocol.
PC-Anywhere (TCP 5631; UDP 5632): PC-Anywhere is a remote control and file transfer protocol.

PING (ICMP 8): Ping sends ICMP echo request/replies to test connectivity to other hosts.
PING6 (IP protocol 58): Ping6 sends ICMPv6 echo request/replies to network hosts to test IPv6 connectivity to other hosts.
POP3 (TCP 110): Post Office Protocol v3. POP retrieves email messages.
PPTP (TCP 1723; also requires IP protocol 47): Point-to-Point Tunneling Protocol. PPTP is used to tunnel connections between private network hosts over the Internet.
QUAKE (UDP 26000, 27000, 27910, 27960): Quake multi-player computer game traffic.
RADIUS (TCP 1812, 1813): Remote Authentication Dial In User Service. RADIUS is a networking protocol that provides centralized access, authorization and accounting management for people or computers to connect and use a network service.
RAUDIO (UDP 7070): RealAudio multimedia traffic.
RDP (TCP 3389): Remote Desktop Protocol is a multi-channel protocol that allows a user to connect to a networked computer.
REXEC (TCP 512): Rexec traffic allows specified commands to be executed on a remote host running the rexecd service (daemon).
RIP (UDP 520): Routing Information Protocol. RIP is a common distance vector routing protocol. This service matches RIP v1.
RLOGIN (TCP 513): Remote login traffic.
RSH (TCP 514): Remote Shell traffic allows specified commands to be executed on a remote host running the rshd service (daemon).
RTSP (TCP 554, 7070, 8554; UDP 554): Real Time Streaming Protocol is a protocol for use in streaming media systems which allows a client to remotely control a streaming media server, issuing VCR-like commands such as play and pause, and allowing time-based access to files on a server.
SAMBA (TCP 139): Server Message Block. SMB allows clients to use file and print shares from enabled hosts. This is primarily used for Microsoft Windows hosts, but may be used with operating systems running the Samba daemon.
SCCP (TCP 2000): Skinny Client Control Protocol. SCCP is a Cisco proprietary standard for terminal control for use with voice over IP (VoIP).
SIP (UDP 5060): Session Initiation Protocol. SIP allows audiovisual conferencing data to be transmitted across networks. For more information, see the FortiGate SIP Support Technical Note.
SIP-MSNmessenger (TCP 1863): Session Initiation Protocol used by Microsoft Messenger to initiate an interactive, possibly multimedia session.

SMTP (TCP 25): Simple Mail Transfer Protocol. SMTP is used for sending email messages between email clients and email servers, and between email servers.
SMTPS (TCP 465): SMTP with SSL. Used for securely sending email messages between email clients and email servers, and between email servers.
SNMP (TCP 161-162; UDP 161-162): Simple Network Management Protocol. SNMP can be used to monitor and manage complex networks.
SOCKS (TCP 1080; UDP 1080): SOCKetS. SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall.
SQUID (TCP 3128): A proxy server and web cache daemon that has a wide variety of uses, including speeding up a web server by caching repeated requests; caching web, DNS and other computer network lookups for a group of people sharing network resources; and aiding security by filtering traffic.
SSH (TCP 22; UDP 22): Secure Shell. SSH allows secure remote management and tunneling.
SYSLOG (UDP 514): Syslog service for remote logging.
TALK (UDP 517-518): Talk allows conversations between two or more users.
TCP (TCP 0-65535): Matches connections using any TCP port.
TELNET (TCP 23): Allows plain text remote management.
TFTP (UDP 69): Trivial File Transfer Protocol. TFTP is similar to FTP, but without security features such as authentication.
TIMESTAMP (ICMP 13): ICMP timestamp request messages.
TRACEROUTE (TCP 33434; UDP 33434): A computer network tool used to determine the route taken by packets across an IP network.
UDP (UDP 0-65535): Matches connections using any UDP port.
UUCP (UDP 540): Unix to Unix Copy Protocol. UUCP provides simple file copying.
VDOLIVE (TCP 7000-7010): VDO Live streaming multimedia traffic.
VNC (TCP 5900): Virtual Network Computing. VNC is a graphical desktop sharing system which uses the RFB protocol to remotely control another computer.
WAIS (TCP 210): Wide Area Information Server. WAIS is an Internet search protocol which may be used in conjunction with Gopher.
WINFRAME (TCP 1494): WinFrame provides communications between computers running Windows NT, or Citrix WinFrame/MetaFrame.
WINS (TCP 1512; UDP 1512): Windows Internet Name Service is Microsoft's implementation of NetBIOS Name Service (NBNS), a name server and service for NetBIOS computer names.
X-WINDOWS (TCP 6000-6063): X Window System (also known as X11) can forward the graphical shell from an X Window server to an X Window client.


Viewing the custom service list


If you need to create a firewall policy for a service that is not in the predefined service list,
you can add a custom service.
To view the custom service list, go to Firewall > Service > Custom.

Figure 213: Custom service list

Create New Add a custom service.


Service Name The name of the custom service.
Detail The protocol and port numbers for each custom service.
Delete icon Remove the custom service. The Delete icon appears only if the service is not
currently being used by a firewall policy.
Edit icon Edit the custom service.

Configuring custom services


If you need to create a firewall policy for a service that is not in the predefined service list,
you can add a custom service.
Tip: You can also create custom services when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Service
list, select Service > Create New.

To add a custom TCP or UDP service


1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to TCP/UDP.
4 Complete the fields in the following table and select OK.

Figure 214: New Custom Service - TCP/UDP


Name Enter a name for the custom service.


Protocol Type Select TCP/UDP.
Protocol Select TCP or UDP as the protocol of the port range being added.
Source Port Specify the source port number range for the service by entering the low and
high port numbers. If the service uses one port number, enter this number in
both the Low and High fields. The default values allow the use of any source
port.
Destination Port Specify the destination port number range for the service by entering the low
and high port numbers. If the service uses one port number, enter this number
in both the Low and High fields.
Add If your custom service requires more than one port range, select Add to allow
more source and destination ranges.
Delete Icon Remove the entry from the list.

To add a custom ICMP service


1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to ICMP.
4 Complete the fields in the following table and select OK.

Figure 215: New Custom Service - ICMP

Name Enter a name for the ICMP custom service.


Protocol Type Select ICMP.
Type Enter the ICMP type number for the service.
Code If required, enter the ICMP code number for the service.

To add a custom IP service


1 Go to Firewall > Service > Custom.
2 Select Create New.
3 Set Protocol Type to IP.
4 Complete the fields in the following table and select OK.

Figure 216: New Custom Service - IP


Name Enter a name for the IP custom service.


Protocol Type Select IP.
Protocol Number Enter the IP protocol number for the service.

Viewing the service group list


You can organize multiple firewall services into a service group to simplify your firewall
policy list. For example, instead of having five identical policies for five different but related
firewall services, you might combine the five services into a single service group that is
used by a single firewall policy.
Service groups can contain both predefined and custom services. Service groups cannot
contain other service groups.
To view the service group list, go to Firewall > Service > Group.

Figure 217: Sample service group list

Create New Add a service group.


Group Name The name to identify the service group.
Members The services added to the service group.
Delete icon Remove the entry from the list. The Delete icon appears only if the service group
is not selected in a firewall policy.
Edit icon Select to edit the Group Name and Members.

Configuring service groups


You can organize multiple firewall services into a service group to simplify your firewall
policy list. For example, instead of having five identical policies for five different but related
firewall services, you might combine the five services into a single service group, which is
used by a single firewall policy.
Service groups can contain both predefined and custom services. Service groups cannot
contain other service groups.
To organize services into a service group, go to Firewall > Service > Group.
Tip: You can also create custom service groups when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Service
list, select Service Group > Create New.


Figure 218: Service Group

Group Name Enter a name to identify the service group.


Available Services The list of configured and predefined services available for your group,
with custom services at the bottom. Use the arrows to move selected services between this
list and Members.
Members The list of services in the group. Use the arrows to move selected services
between this list and Available Services.


Firewall Schedule
Firewall schedules control when policies are in effect. You can create one-time schedules
or recurring schedules. One-time schedules are in effect only once for the period of time
specified in the schedule. Recurring schedules are in effect repeatedly at specified times
of specified days of the week.
If you enable virtual domains (VDOMs) on the FortiGate unit, you must configure firewall
schedules separately for each virtual domain. For more information, see “Using virtual
domains” on page 103.
This section describes:
• Viewing the recurring schedule list
• Configuring recurring schedules
• Viewing the one-time schedule list
• Configuring one-time schedules

Viewing the recurring schedule list


You can create a recurring schedule that activates a policy during a specified period of
time. For example, you might prevent game playing during office hours by creating a
recurring schedule that covers office hours.

Note: If a recurring schedule has a stop time that is earlier than the start time, the schedule
will take effect at the start time but end at the stop time on the next day. You can use this
technique to create recurring schedules that run from one day to the next. For example, to
prevent game playing except at lunchtime, you might set the start time for a recurring
schedule at 1:00 p.m. and the stop time at 12:00 noon. To create a recurring schedule that
runs for 24 hours, set the start and stop times to 00.
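
The wrap-around rule in the Note above, worked as an added Python model (example code written for this description, not FortiOS code): it evaluates whether a recurring schedule is in effect at a given time, covering a stop time earlier than the start time and the 00/00 all-day case. The weekday numbering, the helper names and the two sample schedules are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, time

MIDNIGHT = time(0, 0)


@dataclass(frozen=True)
class RecurringSchedule:
    """Constructed model of one recurring schedule (added example, not FortiOS code).

    days holds weekday numbers in the datetime.weekday() convention (Monday == 0).
    """
    name: str
    days: frozenset
    start: time
    stop: time

    def is_active(self, when: datetime) -> bool:
        """True if a policy using this schedule is in effect at 'when'.

        Rules taken from the guide:
        * start and stop both 00:00 means the schedule runs for all 24 hours of each
          selected day;
        * a stop time earlier than the start time means the window starts on a selected
          day and ends at the stop time on the following day (the wrap the Note describes).
        """
        now = when.time()
        today = when.weekday()
        day_before = (today - 1) % 7
        if self.start == MIDNIGHT and self.stop == MIDNIGHT:
            return today in self.days
        if self.start < self.stop:
            # Ordinary same-day window: start inclusive, stop exclusive.
            return today in self.days and self.start <= now < self.stop
        # Wrapped window: the part after start belongs to a selected day, the part
        # before stop belongs to the day after a selected day.
        if today in self.days and now >= self.start:
            return True
        return day_before in self.days and now < self.stop


def schedule_active(schedule: RecurringSchedule, iso_datetime: str) -> bool:
    """Convenience wrapper taking an ISO 8601 string such as '2009-02-16T14:00'."""
    return schedule.is_active(datetime.fromisoformat(iso_datetime))


WEEKDAYS = frozenset(range(5))  # Monday to Friday

# The guide's example: block game playing except at lunchtime by starting the
# schedule at 1:00 p.m. and stopping it at 12:00 noon on the following day.
BLOCK_GAMES_EXCEPT_LUNCH = RecurringSchedule("no_games", WEEKDAYS, time(13, 0), time(12, 0))

# A 24-hour schedule for Saturday: start and stop both set to 00.
ALL_DAY_SATURDAY = RecurringSchedule("sat_all_day", frozenset({5}), MIDNIGHT, MIDNIGHT)
```

Note that with the wrapped schedule the block also covers Saturday morning until noon, because Friday is a selected day and its window ends at the stop time on the next day.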

To view the recurring schedule list, go to Firewall > Schedule > Recurring.

Figure 219: Recurring schedule list

Create New Add a recurring schedule.


Name The name of the recurring schedule.
Day The initials of the days of the week on which the schedule is active.
Start The start time of the recurring schedule.
Stop The stop time of the recurring schedule.


Delete icon Remove the schedule from the list. The Delete icon appears only if the schedule
is not being used in a firewall policy.
Edit icon Edit the schedule.

Configuring recurring schedules


To add a recurring schedule, go to Firewall > Schedule > Recurring. Complete the fields
as described in the following table and select OK.
To put a policy into effect for an entire day, set schedule start and stop times to 00.

Figure 220: New Recurring Schedule

Name Enter a name to identify the recurring schedule.


Select Select the days of the week for the schedule to be active.
Start Select the start time for the recurring schedule.
Stop Select the stop time for the recurring schedule.

Tip: You can also create recurring schedules when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule
list, select Recurring > Create New.

Viewing the one-time schedule list


You can create a one-time schedule that activates a policy during a specified period of
time. For example, a firewall might be configured with a default policy that allows access
to all services on the Internet at all times, but you could add a one-time schedule to block
access to the Internet during a holiday.
To view the one-time schedule list, go to Firewall > Schedule > One-time.

Figure 221: One-time schedule list

Create New Add a one-time schedule.


Name The name of the one-time schedule.
Start The start date and time for the schedule.
Stop The stop date and time for the schedule.


Delete icon Remove the schedule from the list. The Delete icon appears only if the schedule
is not being used in a firewall policy.
Edit icon Edit the schedule.

Configuring one-time schedules


To add a one-time schedule, go to Firewall > Schedule > One-time. Complete the fields as
described in the following table and select OK.
To put a policy into effect for an entire day, set schedule start and stop times to 00.

Figure 222: New One-time Schedule

Name Enter a name to identify the one-time schedule.


Start Select the start date and time for the schedule.
Stop Select the stop date and time for the schedule.

Tip: You can also create one-time schedules when you configure a firewall policy. Go to
Firewall > Policy, select the appropriate policy tab and then Create New. From the Schedule
list, select One-time > Create New.


Firewall Virtual IP
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP
addresses and ports of packets received by a network interface, including a modem
interface.
When the FortiGate unit receives inbound packets matching a firewall policy whose
Destination Address field is a virtual IP, the FortiGate unit applies NAT, replacing packets’
IP addresses with the virtual IP’s mapped IP address.
IP pools, like virtual IPs, can be used to configure aspects of NAT; however, IP pools
configure dynamic translation of packets’ IP addresses based on the Destination
Interface/Zone, whereas virtual IPs configure dynamic or static translation of packets’ IP
addresses based on the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For details, see “Configuring virtual IPs” on page 364.

Note: In Transparent mode from the FortiGate CLI you can configure NAT firewall policies
that include Virtual IPs and IP pools. See “Adding NAT firewall policies in transparent mode”
on page 380.

If you enable virtual domains (VDOMs) on the FortiGate unit, firewall virtual IPs are
configured separately for each virtual domain. For details, see “Using virtual domains” on
page 103.
This section describes:
• How virtual IPs map connections through FortiGate units
• Viewing the virtual IP list
• Configuring virtual IPs
• Virtual IP Groups
• Viewing the VIP group list
• Configuring VIP groups
• IP pools
• Viewing the IP pool list
• Configuring IP Pools
• Double NAT: combining IP pool with virtual IP
• Adding NAT firewall policies in transparent mode

How virtual IPs map connections through FortiGate units


Virtual IPs can specify translations of packets’ port numbers and/or IP addresses for both
inbound and outbound connections. In Transparent mode, virtual IPs are available from
the FortiGate CLI.

Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to
apply bidirectional NAT, also known as inbound NAT.


When comparing packets with the firewall policy list to locate a matching policy, if a firewall
policy’s Destination Address is a virtual IP, the FortiGate unit compares the packets’ destination
address to the virtual IP’s external IP address. If they match, the FortiGate unit applies the
virtual IP’s inbound NAT mapping, which specifies how the FortiGate unit translates
network addresses and/or port numbers of packets from the receiving (external) network
interface to the network interface connected to the destination (mapped) IP address or IP
address range.
In addition to specifying IP address and port mappings between interfaces, virtual IP
configurations can optionally bind an additional IP address or IP address range to the
receiving network interface. By binding an additional IP address, you can configure a
separate set of mappings that the FortiGate unit can apply to packets whose destination
matches that bound IP address, rather than the IP address already configured for the
network interface.
Depending on your configuration of the virtual IP, its mapping may involve port address
translation (PAT), also known as port forwarding or network address port translation
(NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your
selection of:
• static vs. dynamic NAT mapping
• the dynamic NAT’s load balancing style, if using dynamic NAT mapping
• full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when
configuring a firewall policy with a virtual IP.

Static NAT Static, one-to-one NAT mapping: an external IP address is always translated to
the same mapped IP address.
If using IP address ranges, the external IP address range corresponds to a mapped IP
address range containing an equal number of IP addresses, and each IP address in the
external range is always translated to the same IP address in the mapped range.
Static NAT with Port Forwarding Static, one-to-one NAT mapping with port forwarding: an
external IP address is always translated to the same mapped IP address, and an external
port number is always translated to the same mapped port number.
If using IP address ranges, the external IP address range corresponds to a mapped IP
address range containing an equal number of IP addresses, and each IP address in the
external range is always translated to the same IP address in the mapped range. If using
port number ranges, the external port number range corresponds to a mapped port number
range containing an equal number of port numbers, and each port number in the external
range is always translated to the same port number in the mapped range.
Server Load Balancing Dynamic, one-to-many NAT mapping: an external IP address is
translated to one of the mapped IP addresses, as determined by the selected load balancing
algorithm for more even traffic distribution. The external IP address is not always
translated to the same mapped IP address.
Server load balancing requires that you configure at least one “real” server, but can use up
to eight. Real servers can be configured with health check monitors. Health check monitors
can be used to gauge server responsiveness before forwarding packets.
Server Load Balancing with Port Forwarding Dynamic, one-to-many NAT mapping with port
forwarding: an external IP address is translated to one of the mapped IP addresses, as
determined by the selected load balancing algorithm for more even traffic distribution. The
external IP address is not always translated to the same mapped IP address.
Server load balancing requires that you configure at least one “real” server, but can use up
to eight. Real servers can be configured with health check monitors. Health check monitors
can be used to gauge server responsiveness before forwarding packets.


Note: If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full (source and destination) NAT; instead, it performs destination
network address translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP
address, but does not translate the source address. The private network is aware of the
source’s public IP address. For reply traffic, the FortiGate unit translates packets’ private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.

A typical example of static NAT is to allow client access from a public network to a web
server on a private network that is protected by a FortiGate unit. Reduced to its essence,
this example involves only three hosts, as shown in Figure 223: the web server on a
private network, the client computer on another network, such as the Internet, and the
FortiGate unit connecting the two networks.
When a client computer attempts to contact the web server, it uses the virtual IP on the
FortiGate unit’s external interface. The FortiGate unit receives the packets. The addresses
in the packets are translated to private network IP addresses, and the packet is forwarded
to the web server on the private network.

Figure 223: A simple static NAT virtual IP example

The packets sent from the client computer have a source IP of 192.168.37.55 and a
destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external
interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings
map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets’ addresses.
The source address is changed to 10.10.10.2 and the destination is changed to
10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session
table it maintains internally. The packets are then sent on to the web server.

Figure 224: Example of packet address remapping during NAT from client to server

Note that the client computer’s address does not appear in the packets the server
receives. After the FortiGate unit translates the network addresses, there is no reference
to the client computer’s IP address, except in its session table. The web server has no
indication that another network exists. As far as the server can tell, all packets are sent by
the FortiGate unit.


When the web server replies to the client computer, address translation works similarly,
but in the opposite direction. The web server sends its response packets having a source
IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit
receives these packets on its internal interface. This time, however, the session table is
used to recall the client computer’s IP address as the destination address for the address
translation. In the reply packets, the source address is changed to 192.168.37.4 and the
destination is changed to 192.168.37.55. The packets are then sent on to the client
computer.
The web server’s private IP address does not appear in the packets the client receives.
After the FortiGate unit translates the network addresses, there is no reference to the web
server’s network. The client has no indication that the web server’s IP address is not the
virtual IP. As far as the client is concerned, the FortiGate unit’s virtual IP is the web server.

Figure 225: Example of packet address remapping during NAT from server to client

In the previous example, the NAT check box is checked when configuring the firewall
policy. If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full NAT; instead, it performs destination network address
translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP
address, but does not translate the source address. The web server would be aware of
the client’s IP address. For reply traffic, the FortiGate unit translates packets’ private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.

Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an
outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional
outbound NAT to connections outbound from private network IP addresses to public
network IP addresses. However, if virtual IP configurations exist, FortiGate units use
virtual IPs’ inbound NAT mappings in reverse to apply outbound NAT, causing IP address
mappings for both inbound and outbound traffic to be symmetric.
For example, if a network interface’s IP address is 10.10.10.1 and its bound virtual IP’s
external IP is 10.10.10.2, mapping inbound traffic to the private network IP address
192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not
10.10.10.1.
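
The client-to-server and server-to-client translation walked through above, together with the symmetric outbound mapping, as an added Python model (example code, not FortiOS code). It reuses the addresses from Figures 223 to 225 and from the outbound example; the public-side interface address 192.168.37.1 and the private-side address 192.168.2.254 are constructed for the example, and the session-table layout is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str  # source IP address
    dst: str  # destination IP address


@dataclass(frozen=True)
class StaticNatVip:
    external_ip: str  # address that clients on the public network connect to
    mapped_ip: str    # real server address on the private network


class FortiGateNat:
    """Toy model of the address rewriting the guide describes (added example, not FortiOS code).

    full_nat=True models a policy with the NAT check box selected: source and destination
    are both rewritten. full_nat=False models DNAT only: the destination is rewritten, the
    client's source address is preserved and the server sees it.
    """

    def __init__(self, vip, external_if_ip, internal_if_ip, full_nat=True):
        self.vip = vip
        self.external_if_ip = external_if_ip  # interface IP on the public side
        self.internal_if_ip = internal_if_ip  # interface IP on the private side
        self.full_nat = full_nat
        # Session table, keyed by the (src, dst) pair a reply packet will carry and storing
        # the original client packet so that the reply can be translated back.
        self.sessions = {}

    def inbound(self, pkt):
        """Client -> server. Returns the translated packet, or None if no VIP policy matches."""
        if pkt.dst != self.vip.external_ip:
            return None
        new_src = self.internal_if_ip if self.full_nat else pkt.src
        translated = Packet(src=new_src, dst=self.vip.mapped_ip)
        self.sessions[(translated.dst, translated.src)] = pkt
        return translated

    def reply(self, pkt):
        """Server -> client. The session table restores the client's address; a reply with
        no matching session is not forwarded (None)."""
        original = self.sessions.get((pkt.src, pkt.dst))
        if original is None:
            return None
        return Packet(src=original.dst, dst=original.src)

    def outbound(self, pkt):
        """Server-originated traffic. The VIP's inbound mapping is applied in reverse, so
        the mapped host leaves as the VIP's external IP; any other private host gets
        traditional outbound NAT to the external interface IP."""
        if pkt.src == self.vip.mapped_ip:
            return Packet(src=self.vip.external_ip, dst=pkt.dst)
        return Packet(src=self.external_if_ip, dst=pkt.dst)
```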


VIP requirements
Virtual IPs have the following requirements.
• The Mapped IP Address/Range cannot be 0.0.0.0 or 255.255.255.255.
• The Mapped IP Address/Range must not include any interface IP addresses.
• If the virtual IP is mapped to a range of IP addresses and its type is Static NAT, the
External IP Address/Range cannot be 0.0.0.0.
• When port forwarding, the External IP Address/Range cannot include any other
interface IP addresses.
• When port forwarding, the count of mapped port numbers and external port
numbers must be the same, and the last port number in the range must not exceed
65535.
• Virtual IP names must be different from address or address group names.
• A physical external IP address can be used as the external VIP IP address.
• Duplicate entries or overlapping ranges are not permitted.
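
A checker for the requirements listed above, as an added example (not Fortinet code): it takes a VIP definition and reports which listed requirements it violates. The dictionary key names are assumptions of the example, the equal-range-size check comes from the static NAT description earlier in this section, and the interface addresses used in the test beyond those the guide gives are constructed.

```python
from ipaddress import IPv4Address


def _ip_range(spec):
    """Parse '10.10.10.42' or '10.10.10.42-10.10.10.44' into inclusive integer bounds."""
    lo, _, hi = spec.partition("-")
    return int(IPv4Address(lo)), int(IPv4Address(hi or lo))


def _port_range(spec):
    """Parse '80' or '8080-8090' into inclusive integer bounds."""
    lo, _, hi = str(spec).partition("-")
    return int(lo), int(hi or lo)


def _overlaps(a, b):
    """True if two inclusive integer ranges share at least one value."""
    return a[0] <= b[1] and b[0] <= a[1]


def validate_vip(vip, interfaces, address_names=(), existing_vips=()):
    """Check one VIP definition against the requirements listed in the guide.

    vip: dict with keys name, extintf, external, mapped and optionally type
         ('static-nat' by default, or 'load-balance'), portforward, extport, mappedport.
    interfaces: dict mapping interface name -> its IP address (constructed input).
    Returns the list of violated requirements; an empty list means the VIP passes.
    """
    problems = []
    ext = _ip_range(vip["external"])
    mapped = _ip_range(vip["mapped"])
    unroutable = {0, int(IPv4Address("255.255.255.255"))}
    iface_ips = {name: int(IPv4Address(ip)) for name, ip in interfaces.items()}

    if mapped[0] in unroutable or mapped[1] in unroutable:
        problems.append("mapped IP/range cannot be 0.0.0.0 or 255.255.255.255")
    if any(mapped[0] <= ip <= mapped[1] for ip in iface_ips.values()):
        problems.append("mapped IP/range must not include an interface IP address")

    is_static = vip.get("type", "static-nat") == "static-nat"
    mapped_count = mapped[1] - mapped[0] + 1
    if is_static and mapped_count > 1:
        if ext[0] == 0:
            problems.append("static NAT with a mapped range cannot use external 0.0.0.0")
        if ext[1] - ext[0] + 1 != mapped_count:
            problems.append("static NAT external range must hold as many addresses as the mapped range")

    if vip.get("portforward"):
        # The bound interface's own IP may serve as the external IP; other interfaces' may not.
        others = [ip for name, ip in iface_ips.items() if name != vip["extintf"]]
        if any(ext[0] <= ip <= ext[1] for ip in others):
            problems.append("port-forwarding external IP/range includes another interface's IP")
        ep, mp = _port_range(vip["extport"]), _port_range(vip["mappedport"])
        if ep[1] - ep[0] != mp[1] - mp[0]:
            problems.append("external and mapped port ranges must contain the same number of ports")
        if max(ep[1], mp[1]) > 65535:
            problems.append("port range must not exceed 65535")

    if vip["name"] in address_names:
        problems.append("VIP name must differ from address and address group names")

    for other in existing_vips:
        same_iface = other["extintf"] == vip["extintf"]
        clash = same_iface and _overlaps(ext, _ip_range(other["external"]))
        if clash and vip.get("portforward") and other.get("portforward"):
            # Two port-forwarding VIPs may share an external IP if their port ranges differ.
            clash = _overlaps(_port_range(vip["extport"]), _port_range(other["extport"]))
        if other["name"] == vip["name"] or clash:
            problems.append("duplicate or overlapping entry with VIP " + other["name"])
            break
    return problems
```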

Viewing the virtual IP list


To view the virtual IP list, go to Firewall > Virtual IP > Virtual IP.

Figure 226: Virtual IP list

Create New Select to add a virtual IP.


Name The name of the virtual IP.
IP The bound network interface and the external IP address or IP address range, separated
by a slash (/).
Service Port The external port number or port number range. This field is empty if the virtual
IP does not specify port forwarding.
Map to IP/IP Range The mapped IP address or IP address range on the destination network.
Map to Port The mapped port number or port number range. This field is empty if the
virtual IP does not specify port forwarding.
Delete icon Remove the virtual IP from the list. The Delete icon only appears if the virtual IP
is not selected in a firewall policy.
Edit icon Edit the virtual IP to change any virtual IP option including the virtual IP name.


Configuring virtual IPs


A virtual IP’s external IP address can be a single IP address or an IP address range, and
is bound to a FortiGate unit interface. When you bind the virtual IP’s external IP address to
a FortiGate unit interface, by default, the network interface responds to ARP requests for
the bound IP address or IP address range. Virtual IPs use proxy ARP, as defined in RFC
1027, so that the FortiGate unit can respond to ARP requests on a network for a server
that is actually installed on another network. To disable ARP replies, see the FortiGate CLI
Reference.
A virtual IP’s mapped IP address can be a single IP address, or an IP address range.
When the FortiGate unit receives packets matching a firewall policy whose Destination
Address field is a virtual IP, the FortiGate unit applies NAT, replacing the packet’s
destination IP address with the virtual IP’s mapped IP address.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy. For example, to add a firewall policy that maps public network
addresses to a private network, add an external to internal firewall policy whose
Destination Address field is a virtual IP.

Figure 227: Creating a Virtual IP

Name Enter or change the name to identify the virtual IP. To avoid confusion,
addresses, address groups, and virtual IPs cannot have the same names.
External Interface Select the virtual IP external interface from the list. The external interface is
connected to the source network and receives the packets to be forwarded to
the destination network. You can select any FortiGate interface, VLAN
subinterface, VPN interface, or modem interface.
Type VIP type is Static NAT, read only.
External IP Address/Range Enter the external IP address that you want to map to an address
on the destination network.
To configure a dynamic virtual IP that accepts connections for any IP address, set the
external IP address to 0.0.0.0. For a static NAT dynamic virtual IP you can only add one
mapped IP address. For a load balance dynamic virtual IP you can specify a single mapped
address or a mapped address range.
Mapped IP Address/Range Enter the real IP address on the destination network to which the
external IP address is mapped.
You can also enter an address range to forward packets to multiple IP addresses on the
destination network.
For a static NAT virtual IP, if you add a mapped IP address range the FortiGate unit
calculates the external IP address range and adds the IP address range to the External IP
Address/Range field.
This option appears only if Type is Static NAT.
Port Forwarding Select to perform port address translation (PAT).


Protocol Select the protocol of the forwarded packets.


This option appears only if Port Forwarding is enabled.
External Service Port Enter the external interface port number for which you want to
configure port forwarding.
This option appears only if Port Forwarding is enabled.
Map to Port Enter the port number on the destination network to which the external port
number is mapped.
You can also enter a port number range to forward packets to multiple ports on
the destination network.
For a virtual IP with static NAT, if you add a map to port range the FortiGate unit
calculates the external port number range and adds the port number range to
the External Service port field.
This option appears only if Port Forwarding is enabled.
SSL Offloading Select to accelerate clients’ SSL connections to the server by using the
FortiGate unit to perform SSL operations, then select which segments of the
connection will receive SSL offloading.
• Client <-> FortiGate
Select to apply hardware accelerated SSL only to the part of the connection
between the client and the FortiGate unit. The segment between the
FortiGate unit and the server will use clear text communications. This
results in best performance, but cannot be used in failover configurations
where the failover path does not have an SSL accelerator.
• Client <-> FortiGate <-> Server
Select to apply hardware accelerated SSL to both parts of the connection:
the segment between client and the FortiGate unit, and the segment
between the FortiGate unit and the server. The segment between the
FortiGate unit and the server will use encrypted communications, but the
handshakes will be abbreviated. This results in performance which is less
than the other option, but still improved over communications without SSL
acceleration, and can be used in failover configurations where the failover
path does not have an SSL accelerator. If the server is already configured
to use SSL, this also enables SSL acceleration without requiring changes to
the server’s configuration.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
This option appears only if Port Forwarding is selected, and only on FortiGate
models whose hardware supports SSL acceleration, such as the FortiGate-3600A.
Note: Additional SSL Offloading options are available in the CLI. For details,
see the FortiGate CLI Reference.
Certificate Select which SSL certificate to use with SSL Offloading.
This option appears only if Port Forwarding is selected, and is available only if
SSL Offloading is selected.

To configure a virtual IP
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Configure the virtual IP by entering the virtual IP address, if any, that will be bound to
the network interface, and selecting the mapping type and mapped IP address(es)
and/or port(s). For configuration examples of each type, see:
• “Adding a static NAT virtual IP for a single IP address” on page 366
• “Adding a static NAT virtual IP for an IP address range” on page 367
• “Adding static NAT port forwarding for a single IP address and a single port” on
page 369
• “Adding static NAT port forwarding for an IP address range and a port range” on
page 371
• “Adding dynamic virtual IPs” on page 372
• “Adding a virtual IP with port translation only” on page 373


4 Select OK.
The virtual IP appears in the virtual IP list.
5 To implement the virtual IP, select the virtual IP in a firewall policy.
For example, to add a firewall policy that maps public network addresses to a private
network, you might add an external to internal firewall policy and select the Source
Interface/Zone to which a virtual IP is bound, then select the virtual IP in the
Destination Address field of the policy. For details, see “Configuring firewall policies” on
page 316.

Adding a static NAT virtual IP for a single IP address


The IP address 192.168.37.4 on the Internet is mapped to 10.10.10.42 on a private
network. Attempts to communicate with 192.168.37.4 from the Internet are translated and
sent to 10.10.10.42 by the FortiGate unit. The computers on the Internet are unaware of
this translation and see a single computer at 192.168.37.4 rather than a FortiGate unit
with a private network behind it.

Figure 228: Static NAT virtual IP for a single IP address example

To add a static NAT virtual IP for a single IP address


1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In our example, the wan1 interface of the
FortiGate unit is connected to the Internet and the dmz1 interface is connected to the
DMZ network.

Figure 229: Virtual IP options: static NAT virtual IP for a single IP address

Name    static_NAT
External Interface    wan1
Type    Static NAT
External IP Address/Range    The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Mapped IP Address/Range    The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.

4 Select OK.

To add a static NAT virtual IP for a single IP address to a firewall policy


Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP address, packets pass through the
FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates
the destination address of these packets from the external IP to the DMZ network IP
address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:

Source Interface/Zone    external
Source Address    All (or a more specific address)
Destination Interface/Zone    dmz1
Destination Address    simple_static_nat
Schedule    always
Service    HTTP
Action    ACCEPT

3 Select NAT.
4 Select OK.

Adding a static NAT virtual IP for an IP address range


The IP address range 192.168.37.4-192.168.37.6 on the Internet is mapped to
10.10.10.42-10.10.10.44 on a private network. Packets from Internet computers
communicating with 192.168.37.4 are translated and sent to 10.10.10.42 by the FortiGate
unit. Similarly, packets destined for 192.168.37.5 are translated and sent to 10.10.10.43,
and packets destined for 192.168.37.6 are translated and sent to 10.10.10.44. The
computers on the Internet are unaware of this translation and see three computers with
individual IP addresses rather than a FortiGate unit with a private network behind it.


Figure 230: Static NAT virtual IP for an IP address range example

To add a static NAT virtual IP for an IP address range


1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to three individual web servers on the DMZ network. In this example, the wan1
interface of the FortiGate unit is connected to the Internet and the dmz1 interface is
connected to the DMZ network.

Figure 231: Virtual IP options: static NAT virtual IP with an IP address range

Name    static_NAT_range
External Interface    wan1
Type    Static NAT
External IP Address/Range    The Internet IP address range of the web servers. The external IP addresses are usually static IP addresses obtained from your ISP for your web server. These addresses must be unique IP addresses that are not used by another host and cannot be the same as the IP addresses of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Mapped IP Address/Range    The IP address range of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.

4 Select OK.


To add a static NAT virtual IP with an IP address range to a firewall policy


Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the server IP addresses, packets pass through the
FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the
destination addresses of these packets from the wan1 IP to the DMZ network IP
addresses of the servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:

Source Interface/Zone    wan1
Source Address    All (or a more specific address)
Destination Interface/Zone    dmz1
Destination Address    static_NAT_range
Schedule    always
Service    HTTP
Action    ACCEPT

3 Select NAT.
4 Select OK.

Adding static NAT port forwarding for a single IP address and a single port
The IP address 192.168.37.4, port 80 on the Internet is mapped to 10.10.10.42, port 8000
on a private network. Attempts to communicate with 192.168.37.4, port 80 from the
Internet are translated and sent to 10.10.10.42, port 8000 by the FortiGate unit. The
computers on the Internet are unaware of this translation and see a single computer at
192.168.37.4, port 80 rather than a FortiGate unit with a private network behind it.

Figure 232: Static NAT virtual IP port forwarding for a single IP address and a single port
example

To add static NAT virtual IP port forwarding for a single IP address and a single port
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.


3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In our example, the wan1 interface of the
FortiGate unit is connected to the Internet and the dmz1 interface is connected to the
DMZ network.

Figure 233: Virtual IP options: Static NAT port forwarding virtual IP for a single IP address
and a single port

Name    Port_fwd_NAT_VIP
External Interface    wan1
Type    Static NAT
External IP Address/Range    The Internet IP address of the web server. The external IP address is usually a static IP address obtained from your ISP for your web server. This address must be a unique IP address that is not used by another host and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP address must be routed to the selected interface. The virtual IP address and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP address.
Mapped IP Address/Range    The IP address of the server on the internal network. Since there is only one IP address, leave the second field blank.
Port Forwarding    Selected
Protocol    TCP
External Service Port    The port traffic from the Internet will use. For a web server, this will typically be port 80.
Map to Port    The port on which the server expects traffic. Since there is only one port, leave the second field blank.

4 Select OK.

To add static NAT virtual IP port forwarding for a single IP address and a single port
to a firewall policy
Add a wan1 to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP address, packets pass through the
FortiGate unit from the wan1 interface to the dmz1 interface. The virtual IP translates the
destination address and port of these packets from the external IP to the DMZ network
IP address of the web server.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:


Source Interface/Zone    wan1
Source Address    All (or a more specific address)
Destination Interface/Zone    dmz1
Destination Address    Port_fwd_NAT_VIP
Schedule    always
Service    HTTP
Action    ACCEPT

3 Select NAT.
4 Select OK.

Adding static NAT port forwarding for an IP address range and a port range
Ports 80 to 83 of addresses 192.168.37.4 to 192.168.37.7 on the Internet are mapped to
ports 8000 to 8003 of addresses 10.10.10.42 to 10.10.10.44 on a private network.
Attempts to communicate with 192.168.37.5, port 82 from the Internet, for example, are
translated and sent to 10.10.10.43, port 8002 by the FortiGate unit. The computers on the
Internet are unaware of this translation and see a single computer at 192.168.37.5 rather
than a FortiGate unit with a private network behind it.

Figure 234: Static NAT virtual IP port forwarding for an IP address range and a port range
example

To add static NAT virtual IP port forwarding for an IP address range and a port
range
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Use the following procedure to add a virtual IP that allows users on the Internet to
connect to a web server on the DMZ network. In this example, the external interface of
the FortiGate unit is connected to the Internet and the dmz1 interface is connected to
the DMZ network.

Name    Port_fwd_NAT_VIP_port_range
External Interface    external
Type    Static NAT
External IP Address/Range    The external IP addresses are usually static IP addresses obtained from your ISP. These addresses must be unique, not used by another host, and cannot be the same as the IP address of the external interface the virtual IP will be using. However, the external IP addresses must be routed to the selected interface. The virtual IP addresses and the external IP address can be on different subnets. When you add the virtual IP, the external interface responds to ARP requests for the external IP addresses.
Mapped IP Address/Range    The IP addresses of the servers on the internal network. Define the range by entering the first address of the range in the first field and the last address of the range in the second field.
Port Forwarding    Selected
Protocol    TCP
External Service Port    The ports that traffic from the Internet will use. For a web server, this will typically be port 80.
Map to Port    The ports on which the server expects traffic. Define the range by entering the first port of the range in the first field and the last port of the range in the second field. If there is only one port, leave the second field blank.
4 Select OK.

To add static NAT virtual IP port forwarding for an IP address range and a port
range to a firewall policy
Add an external to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP addresses, packets pass through the
FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates
the destination addresses and ports of these packets from the external IPs to the DMZ
network IP addresses of the web servers.
1 Go to Firewall > Policy and select Create New.
2 Configure the firewall policy:

Source Interface/Zone    external
Source Address    All (or a more specific address)
Destination Interface/Zone    dmz1
Destination Address    Port_fwd_NAT_VIP_port_range
Schedule    always
Service    HTTP
Action    ACCEPT

3 Select NAT.
4 Select OK.

Adding dynamic virtual IPs


Adding a dynamic virtual IP is similar to adding a virtual IP. The difference is that the
External IP address must be set to 0.0.0.0 so the External IP address matches any IP
address.

To add a dynamic virtual IP


1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the dynamic virtual IP.


4 Select the virtual IP External Interface from the list.


The external interface is connected to the source network and receives the packets to
be forwarded to the destination network.
Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address to 0.0.0.0.
The 0.0.0.0 External IP Address matches any IP address.
6 Enter the Mapped IP Address to which to map the external IP address. For example,
the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure dynamic port forwarding.
The external service port number must match the destination port of the packets to be
forwarded. For example, if the virtual IP provides PPTP passthrough access from the
Internet to a PPTP server, the external service port number should be 1723 (the PPTP
port).
10 Enter the Map to Port number to be added to packets when they are forwarded.
Enter the same number as the External Service Port if the port is not to be translated.
11 Select OK.

Adding a virtual IP with port translation only


When adding a virtual IP, if you enter a virtual IP address that is the same as the mapped
IP address and apply port forwarding, the destination IP address will be unchanged, but
the port number will be translated.

Note: To apply port forwarding to the external interface without binding a virtual IP address
to it, enter the IP address of the network interface instead of a virtual IP address, then
configure port forwarding as usual.

To add a virtual IP with port translation only


1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter a name for the virtual IP.
4 Select the virtual IP External Interface from the list.
The external interface is connected to the source network and receives the packets to
be forwarded to the destination network.
Select any firewall interface or a VLAN subinterface.
5 Set the External IP Address as the mapped IP address.
6 Enter the Mapped IP Address to which to map the external IP address. For example,
the IP address of a PPTP server on an internal network.
7 Select Port Forwarding.
8 For Protocol, select TCP.
9 Enter the External Service Port number for which to configure dynamic port forwarding.
The external service port number must match the destination port of the packets to be
forwarded. For example, if the virtual IP provides PPTP passthrough access from the
Internet to a PPTP server, the external service port number should be 1723 (the PPTP
port).


10 Enter the Map to Port number to be added to packets when they are forwarded.
11 Select OK.
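All of the virtual IP types described above apply one destination rewrite rule: the packet's destination address (and, when Port Forwarding is selected, its destination port) is checked against the External IP Address/Range and External Service Port, and its position within that range is carried over to the Mapped IP Address/Range and Map to Port. The Python model below is an added illustration, not Fortinet code, and it covers every case in this section: a single address, an address range, port forwarding for one port and for a port range, a dynamic virtual IP whose External IP is 0.0.0.0, and port translation only. The VirtualIP class, its field names, the first_match helper and the sample packets are assumptions of the example; the virtual IP names and addresses are taken from the examples above.

```python
"""Model of how a FortiGate static NAT virtual IP rewrites a packet's
destination.  Added example, not Fortinet code: the VirtualIP class, its
field names and the sample packets are my own; the names and addresses
come from the virtual IP examples in this section."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _int_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


@dataclass(frozen=True)
class VirtualIP:
    """One virtual IP as entered under Firewall > Virtual IP > Virtual IP.

    external_ip is the first (or only) External IP Address; 0.0.0.0 makes a
    dynamic virtual IP that matches any destination.  external_port is None
    when Port Forwarding is not selected."""
    name: str
    external_ip: str
    mapped_ip: str
    external_ip_end: Optional[str] = None    # last address of an external range
    protocol: str = "TCP"
    external_port: Optional[int] = None      # first External Service Port
    external_port_end: Optional[int] = None  # last port of an external port range
    map_to_port: Optional[int] = None        # first Map to Port

    def translate(self, proto: str, dst_ip: str,
                  dst_port: int) -> Optional[Tuple[str, int]]:
        """Return the (address, port) the packet is sent to, or None when this
        virtual IP does not match the packet."""
        if self.external_ip == "0.0.0.0":
            ip_offset = 0                     # dynamic VIP: every destination matches
        else:
            start = _ip_int(self.external_ip)
            end = _ip_int(self.external_ip_end) if self.external_ip_end else start
            dst = _ip_int(dst_ip)
            if not start <= dst <= end:
                return None
            # a range maps position for position: the n-th external address
            # goes to the n-th mapped address
            ip_offset = dst - start
        new_ip = _int_ip(_ip_int(self.mapped_ip) + ip_offset)

        if self.external_port is None:        # no port forwarding: port unchanged
            return new_ip, dst_port
        if proto.upper() != self.protocol.upper():
            return None
        port_end = self.external_port_end or self.external_port
        if not self.external_port <= dst_port <= port_end:
            return None
        first_mapped_port = (self.map_to_port if self.map_to_port is not None
                             else self.external_port)
        return new_ip, first_mapped_port + (dst_port - self.external_port)


# Virtual IPs constructed from the examples in this section.
STATIC_NAT = VirtualIP("static_NAT", "192.168.37.4", "10.10.10.42")
STATIC_NAT_RANGE = VirtualIP("static_NAT_range", "192.168.37.4", "10.10.10.42",
                             external_ip_end="192.168.37.6")
PORT_FWD = VirtualIP("Port_fwd_NAT_VIP", "192.168.37.4", "10.10.10.42",
                     external_port=80, map_to_port=8000)
PORT_FWD_RANGE = VirtualIP("Port_fwd_NAT_VIP_port_range", "192.168.37.4",
                           "10.10.10.42", external_ip_end="192.168.37.6",
                           external_port=80, external_port_end=83,
                           map_to_port=8000)
# Constructed dynamic VIP: PPTP passthrough to an assumed server 10.10.10.50.
DYNAMIC_PPTP = VirtualIP("pptp_passthrough", "0.0.0.0", "10.10.10.50",
                         external_port=1723, map_to_port=1723)
PORT_ONLY = VirtualIP("server-1", "172.16.1.1", "172.16.1.1",
                      external_port=8080, map_to_port=80)


def first_match(vips, proto, dst_ip, dst_port):
    """Apply the first matching virtual IP, as a policy lookup would, and
    return (vip name, mapped address, mapped port) or None."""
    for vip in vips:
        result = vip.translate(proto, dst_ip, dst_port)
        if result is not None:
            return (vip.name,) + result
    return None


if __name__ == "__main__":
    vips = [PORT_FWD_RANGE, STATIC_NAT, DYNAMIC_PPTP]
    for proto, ip, port in [("TCP", "192.168.37.5", 82), ("TCP", "192.168.37.4", 443),
                            ("TCP", "203.0.113.9", 1723), ("UDP", "203.0.113.9", 1723)]:
        print(proto, ip, port, "->", first_match(vips, proto, ip, port))
```

The order of the list passed to first_match matters in the same way that firewall policy order matters: a packet to 192.168.37.4 port 443 falls through the port-range virtual IP (port outside 80 to 83) and is caught by the plain static NAT entry, while the UDP packet to port 1723 matches nothing because the dynamic virtual IP was created with Protocol TCP.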

Virtual IP Groups
You can organize multiple virtual IPs into a virtual IP group to simplify your firewall policy
list. For example, instead of having five identical policies for five different but related virtual
IPs located on the same network interface, you might combine the five virtual IPs into a
single virtual IP group, which is used by a single firewall policy.
Firewall policies using VIP Groups are matched by comparing both the member VIP IP
address(es) and port number(s).

Viewing the VIP group list


To view the virtual IP group list, go to Firewall > Virtual IP > VIP Group.

Figure 235: VIP Group list

Create New    Select to add a new VIP group. See “Configuring VIP groups” on page 374.
Group Name    The name of the virtual IP group.
Members    Lists the group members.
Interface    Displays the interface that the VIP group belongs to.
Delete icon    Remove the VIP group from the list. The Delete icon only appears if the VIP group is not being used in a firewall policy.
Edit icon    Edit the VIP group information, including the group name and membership.

Configuring VIP groups


To add a VIP group, go to Firewall > Virtual IP > VIP Group and select Create New. To edit
a VIP group, go to Firewall > Virtual IP > VIP Group and select the Edit icon for the VIP
group to edit. Enter the information as described below, and select OK.


Figure 236: Editing a VIP group

Group Name    Enter or modify the group name.
Interface    Select the interface for which you want to create the VIP group. If you are editing the group, the Interface box is grayed out.
Available VIPs and Members    Select the up or down arrow to move virtual IPs between Available VIPs and Members. Members contains the virtual IPs that are part of this virtual IP group.

IP pools
Use IP pools to add NAT policies that translate source addresses to addresses randomly
selected from the IP pool, rather than the IP address assigned to that FortiGate unit
interface. In Transparent mode, IP pools are available from the FortiGate CLI.
An IP pool defines an address or a range of IP addresses, all of which respond to ARP
requests on the interface to which the IP pool is added.
Select Enable Dynamic IP Pool in a firewall policy to translate the source address of
outgoing packets to an address randomly selected from the IP pool. An IP pool list
appears when the policy destination interface is the same as the IP pool interface.
With an IP pool added to the internal interface, you can select Dynamic IP pool for policies
with the internal interface as the destination.
Add multiple IP pools to any interface and select the IP pool to use when configuring a
firewall policy.
A single IP address is entered normally. For example, 192.168.110.100 is a valid IP
pool address. If an IP address range is required, use either of the following formats.
• x.x.x.x-x.x.x.x, for example 192.168.110.100-192.168.110.120
• x.x.x.[x-x], for example 192.168.110.[100-120]


IP pools and dynamic NAT


Use IP pools for dynamic NAT. For example, an organization might have purchased a
range of Internet addresses but has only one Internet connection on the external interface
of the FortiGate unit.
Assign one of the organization’s Internet IP addresses to the external interface of the
FortiGate unit. If the FortiGate unit is operating in NAT/Route mode, all connections from
the network to the Internet appear to come from this IP address.
For connections to originate from all the Internet IP addresses, add this address range to
an IP pool for the external interface. Then select Dynamic IP Pool for all policies with the
external interface as the destination. For each connection, the firewall dynamically selects
an IP address from the IP pool to be the source address for the connection. As a result,
connections to the Internet appear to be originating from any of the IP addresses in the IP
pool.

IP Pools for firewall policies that use fixed ports


Some network configurations do not operate correctly if a NAT policy translates the source
port of packets used by the connection. NAT translates source ports to keep track of
connections for a particular service. Select fixed port for NAT policies to prevent source
port translation. However, selecting fixed port means that only one connection can be
supported through the firewall for this service. To be able to support multiple connections,
add an IP pool to the destination interface, and then select dynamic IP pool in the policy.
The firewall randomly selects an IP address from the IP pool and assigns it to each
connection. In this case the number of connections that the firewall can support is limited
by the number of IP addresses in the IP pool.

Source IP address and IP pool address matching


When the source addresses are translated to the IP pool addresses, one of the following
three cases may occur:

Scenario 1: The number of source addresses equals that of IP pool addresses


In this case, the FortiGate unit always matches the IP addresses one to one.
If you use fixed port in such a case, the FortiGate unit preserves the original source
port. However, this may cause conflicts if more than one firewall policy uses the same IP
pool, or the same IP addresses are used in more than one IP pool.

Original address    Change to
192.168.1.1    172.16.30.1
192.168.1.2    172.16.30.2
...    ...
192.168.1.254    172.16.30.254

Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism.
If you use fixed port in such a case, the FortiGate unit preserves the original source port,
but conflicts may occur because sessions of different users can end up with the same
TCP 5-tuple.

Original address    Change to
192.168.1.1    172.16.30.10
192.168.1.2    172.16.30.11
...    ...
192.168.1.10    172.16.30.19
192.168.1.11    172.16.30.10
192.168.1.12    172.16.30.11
192.168.1.13    172.16.30.12
...    ...

Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses are used and the rest are not used.

Original address    Change to
192.168.1.1    172.16.30.10
192.168.1.2    172.16.30.11
192.168.1.3    172.16.30.12
(no more source addresses)    172.16.30.13 and the remaining addresses are not used
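The two IP pool range formats listed under “IP pools” and the three matching scenarios above can be exercised with the following Python model, added here as an illustration and not Fortinet code. parse_ip_pool expands a pool entry written as a single address or in either range format (and rejects a range whose start is higher than its end, the error the Configuring IP Pools section warns about), match_sources_to_pool reproduces the one-to-one and wrap-around matching shown in the scenario tables, and the two helpers report the consequences the text warns about: pool addresses shared by several sources under fixed port (scenario 2) and pool addresses that go unused (scenario 3). The function names and the source address sets are my own; the pool addresses are those in the tables.

```python
"""Model of FortiGate IP pool source address matching.  Added example, not
Fortinet code: it parses the IP pool range formats from the "IP pools"
section and reproduces the three source-to-pool matching scenarios.  The
function names and the sample source address sets are my own."""
import ipaddress
import re
from typing import Dict, List

# x.x.x.[x-x] form, for example 192.168.110.[100-120]
_BRACKET_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_ip_pool(spec: str) -> List[str]:
    """Expand an IP pool entry into the list of addresses it covers.

    Accepts a single address (192.168.110.100), the x.x.x.x-x.x.x.x form
    and the x.x.x.[x-x] form.  Raises ValueError for a malformed entry or
    a range whose start is higher than its end."""
    spec = spec.strip()
    m = _BRACKET_RANGE.match(spec)
    if m:
        prefix, lo, hi = m.group(1), m.group(2), m.group(3)
        start, end = f"{prefix}.{lo}", f"{prefix}.{hi}"
    elif "-" in spec:                       # checked after the bracket form, which also contains "-"
        start, end = (part.strip() for part in spec.split("-", 1))
    else:
        start = end = spec
    first = ipaddress.IPv4Address(start)    # raises ValueError on a bad address
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError(f"start of IP pool range must be lower than its end: {spec}")
    return [str(ipaddress.IPv4Address(int(first) + i))
            for i in range(int(last) - int(first) + 1)]


def match_sources_to_pool(sources: List[str], pool: List[str]) -> Dict[str, str]:
    """One-to-one matching with wrap-around, as in the three scenarios: the
    n-th source address is translated to pool address n modulo the pool
    size.  (A dynamic IP pool policy without fixed port picks addresses at
    random; this deterministic matching is what the scenario tables show.)"""
    if not pool:
        raise ValueError("IP pool is empty")
    return {src: pool[i % len(pool)] for i, src in enumerate(sources)}


def fixed_port_conflicts(mapping: Dict[str, str]) -> Dict[str, List[str]]:
    """Pool addresses shared by more than one source.  With fixed port the
    source port is preserved, so two such sources can collide on the same
    TCP 5-tuple (scenario 2)."""
    by_pool: Dict[str, List[str]] = {}
    for src, pool_ip in mapping.items():
        by_pool.setdefault(pool_ip, []).append(src)
    return {ip: srcs for ip, srcs in by_pool.items() if len(srcs) > 1}


def unused_pool_addresses(mapping: Dict[str, str], pool: List[str]) -> List[str]:
    """Pool addresses that no source is translated to (scenario 3)."""
    used = set(mapping.values())
    return [ip for ip in pool if ip not in used]


if __name__ == "__main__":
    # Constructed source set: the 13 hosts 192.168.1.1 to 192.168.1.13.
    sources = parse_ip_pool("192.168.1.[1-13]")
    pool = parse_ip_pool("172.16.30.10-172.16.30.19")
    mapping = match_sources_to_pool(sources, pool)
    for src in ("192.168.1.1", "192.168.1.10", "192.168.1.11", "192.168.1.13"):
        print(f"{src} -> {mapping[src]}")
    print("fixed-port conflicts:", fixed_port_conflicts(mapping))
    small = match_sources_to_pool(sources[:3], pool)
    print("unused with 3 sources:", unused_pool_addresses(small, pool))
```

Run as a script, the block prints the scenario 2 mapping (192.168.1.11 wraps back to 172.16.30.10), the three pool addresses that would be shared under fixed port, and the seven pool addresses that stay idle when only three sources use the pool.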

Viewing the IP pool list


If virtual domains are enabled on the FortiGate unit, IP pools are created separately for
each virtual domain. To access IP pools, select a virtual domain from the list on the main
menu.
To view the IP pool list go to Firewall > Virtual IP > IP Pool.

Figure 237: IP pool list

Create New    Select to add an IP pool.
Name    The name of the IP pool.
Start IP    The start IP defines the start of an address range.
End IP    The end IP defines the end of an address range.
Delete icon    Select to remove the entry from the list. The Delete icon only appears if the IP pool is not being used in a firewall policy.
Edit icon    Select to edit the following information: Name, Interface, IP Range/Subnet.


Configuring IP Pools
To add an IP pool, go to Firewall > Virtual IP > IP Pool.

Figure 238: New Dynamic IP Pool

Name    Enter the name of the IP pool.
Interface    Select the interface to which to add an IP pool.
IP Range/Subnet    Enter the IP address range for the IP pool. The IP range defines the start and end of an address range. The start of the range must be lower than the end of the range. The start and end of the IP range do not have to be on the same subnet as the IP address of the interface to which you are adding the IP pool.

Double NAT: combining IP pool with virtual IP


When creating a firewall policy, you can use both IP pool and virtual IP for double IP
and/or port translation.
For example, in the following network topology:
• Users in the 10.1.1.0/24 subnet use port 8080 to access server 172.16.1.1.
• The server’s listening port is 80.
• Fixed ports must be used.

Figure 239: Double NAT


To allow the local users to access the server, you can use fixed port and IP pool to allow
more than one user connection while using virtual IP to translate the destination port from
8080 to 80.

To create an IP pool
1 Go to Firewall > Virtual IP > IP Pool.
2 Select Create New.
3 Enter the following information and select OK.

Name    pool-1
Interface    DMZ
IP Range/Subnet    10.1.3.1-10.1.3.254

To create a Virtual IP with port translation only


1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Enter the following information and select OK.

Name    server-1
External Interface    Internal
Type    Static NAT
External IP Address/Range    172.16.1.1 (note that this address is the same as the server address)
Mapped IP Address/Range    172.16.1.1
Port Forwarding    Enable
Protocol    TCP
External Service Port    8080
Map to Port    80

To create a firewall policy


Add an internal to dmz firewall policy that uses the virtual IP to translate the destination
port number and the IP pool to translate the source addresses.
1 Go to Firewall > Policy.
2 Select Create New.
3 Configure the firewall policy:

Source Interface/Zone    internal
Source Address    10.1.1.0/24
Destination Interface/Zone    dmz
Destination Address    server-1
Schedule    always
Service    HTTP
Action    ACCEPT
4 Select NAT.
5 Select OK.

Adding NAT firewall policies in transparent mode


Similar to operating in NAT/Route mode, when operating a FortiGate unit in Transparent
mode you can add firewall policies and:
• Enable NAT to translate the source addresses of packets as they pass through the
FortiGate unit.
• Add virtual IPs to translate destination addresses of packets as they pass through the
FortiGate unit.
• Add IP pools as required for source address translation
For NAT firewall policies to work in NAT/Route mode you must have two interfaces on two
different networks with two different subnet addresses. Then you can create firewall
policies to translate source or destination addresses for packets as they are relayed by the
FortiGate unit from one interface to the other.
A FortiGate unit operating in Transparent mode normally has only one IP address, the
management IP. To support NAT in Transparent mode you can add a second
management IP. These two management IPs must be on different subnets. When you add
two management IP addresses, all FortiGate unit network interfaces will respond to
connections to both of these IP addresses.
In the example shown in Figure 240, all of the PCs on the internal network (subnet
address 192.168.1.0/24) are configured with 192.168.1.99 as their default route. One of
the management IPs of the FortiGate unit is set to 192.168.1.99. This configuration results
in a typical NAT mode firewall. When a PC on the internal network attempts to connect to
the Internet, the PC's default route sends packets destined for the Internet to the FortiGate
unit internal interface.
Similarly on the DMZ network (subnet address 10.1.1.0/24) all of the PCs have a default
route of 10.1.1.99.
The example describes adding an internal to wan1 firewall policy to relay these packets
from the internal interface out the wan1 interface to the Internet. Because the wan1
interface does not have an IP address of its own, you must add an IP pool to the wan1
interface that translates the source addresses of the outgoing packets to an IP address on
the network connected to the wan1 interface.
The example describes adding an IP pool with a single IP address of 10.1.1.201. So all
packets sent by a PC on the internal network that are accepted by the internal to wan1
policy leave the wan1 interface with their source address translated to 10.1.1.201. These
packets can now travel across the Internet to their destination. Reply packets return to the
wan1 interface because they have a destination address of 10.1.1.201. The internal to
wan1 NAT policy translates the destination address of these return packets to the IP
address of the originating PC and sends them out the internal interface to the originating
PC.


Figure 240: Example NAT in Transparent mode configuration
(The figure shows the Internet reached through a router on the 10.1.1.0/24 network; the
FortiGate unit in Transparent mode with management IPs 10.1.1.99 and 192.168.1.99; its
WAN 1 and DMZ interfaces on the 10.1.1.0/24 DMZ network and its Internal interface on the
192.168.1.0/24 internal network.)

Use the following steps to configure NAT in Transparent mode


• Adding two management IPs
• Adding an IP pool to the wan1 interface
• Adding an internal to wan1 firewall policy

To add a source address translation NAT policy in Transparent mode


1 Enter the following command to add two management IPs.
The second management IP is the default gateway for the internal network.
config system settings
set manageip 10.1.1.99/24 192.168.1.99/24
end
2 Enter the following command to add an IP pool to the wan1 interface:
config firewall ippool
edit nat-out
set interface "wan1"
set startip 10.1.1.201
set endip 10.1.1.201
end


3 Enter the following command to add an internal to wan1 firewall policy with NAT
enabled that also includes an IP pool:
config firewall policy
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
set nat enable
set ippool enable
set poolname nat-out
end

Note: You can add the firewall policy from the web-based manager and then use the CLI to
enable NAT and add the IP Pool.


Firewall Load Balance


Use the FortiGate load balancing function to intercept the incoming traffic and share it
across the available servers. By doing so, the FortiGate unit enables multiple servers to
respond as if they were a single device or server. This in turn means that more
simultaneous requests can be handled.
There are additional benefits to server load balancing. Firstly, because the load is
distributed across multiple servers, the service being provided can be highly available. If
one of the servers breaks down, the load can still be handled by the other servers.
Secondly, this increases scalability. If the load increases substantially, more servers can
be added behind the FortiGate unit in order to cope with the increased load.
This section describes:
• How load balancer works
• Configuring virtual servers
• Configuring real servers
• Configuring health check monitors
• Monitoring the servers

How load balancer works


You can configure virtual servers on the FortiGate unit (load balancer) and bind them to a
cluster of real servers. Up to 8 real servers can be bound to 1 virtual server. The topology
of the cluster is transparent to end users, who interact with the system as if it were
only a single virtual server. The real servers may be interconnected by a high-speed LAN or
by a geographically dispersed WAN. The FortiGate unit schedules requests to the different
servers and makes the parallel services of the cluster appear as a virtual service on a single
IP address.

Figure 241: Virtual server and real servers setup (diagram: a user on the Internet/Intranet connects to the FortiGate virtual server/load balancer, which distributes requests over the LAN/WAN to the real servers)

Configuring virtual servers


Configure a virtual server’s external IP address and bind it to a FortiGate unit interface.
When you bind the virtual server’s external IP address to a FortiGate unit interface, by
default, the network interface responds to ARP requests for the bound IP address. Virtual
servers use proxy ARP, as defined in RFC 1027, so that the FortiGate unit can respond to
ARP requests on a network for a real server that is actually installed on another network.
To disable ARP replies, see the FortiGate CLI Reference.
To view the virtual server list, go to Firewall > Load Balance > Virtual Server.

Figure 242: Virtual server list
Create New Select to add virtual servers. For more information, see “To create a
virtual server” on page 385.
Name Name of the virtual server. This name is not the hostname for the
FortiGate unit.
Type The communication protocol used by the virtual server.
Comments Comments on the virtual server.
Virtual Server IP The IP address of the virtual server.
Virtual server Port The port number to which the virtual server communicates.
Load Balance Method Load balancing methods include:
• Static: The traffic load is spread evenly across all servers, no
additional server is required.
• Round Robin: Directs requests to the next server, and treats all
servers as equals regardless of response time or number of
connections. Dead or non-responsive servers are avoided. A
separate server is required.
• Weighted: Servers with a higher weight value will receive a larger
percentage of connections. Set the server weight when adding a
server.
• First Alive: Always directs requests to the first alive real server.
• Least RTT: Directs requests to the server with the least round trip
time. The round trip time is determined by a Ping monitor and is
defaulted to 0 if no Ping monitors are defined.
• Least Session: Directs requests to the server that has the least
number of current connections. This method works best in
environments where the servers or other equipment you are load
balancing have similar capabilities.
Health Check The health check monitor selected for this virtual server. For more
information, see “Health Check” on page 386.
Persistence Persistence is the process of ensuring that a user is connected to the
same server every time they make a request within the boundaries of a
single session.
Depending on the type of protocol selected for the virtual server, the
following persistence options are available:
• None: No persistence option is selected.
• HTTP Cookie: Persistence time is equal to the cookie age. Cookie
ages are set in CLI under config firewall vip.
• SSL Session ID: Persistence time is equal to the SSL sessions. SSL
session states are set in CLI under config firewall vip.

Delete icon Remove the virtual server from the list. The Delete icon only appears if
the virtual server is not bound to a real server.
Edit icon Edit the virtual server to change any virtual server option including the
virtual server name.

To create a virtual server


1 Go to Firewall > Load Balance > Virtual Server > Create New.

Figure 243: Creating a virtual server

2 Complete the following:

Name Enter the name for the virtual server. This name is not the hostname for
the FortiGate unit.
Type Enter the communication protocol used by the virtual server.
Interface Select the virtual server external interface from the list. The external
interface is connected to the source network and receives the packets to
be forwarded to the destination network.
Virtual Server IP Enter the IP address of the virtual server.
Virtual server Port The port number to which the virtual server communicates.
Load Balance Method Select a load balancing method. For more information, see “Load
Balance Method” on page 384.
Persistence Select a persistence for the virtual server. For more information, see
“Persistence” on page 384.
HTTP Multiplexing Select to use the FortiGate unit’s HTTP proxy to multiplex multiple client
connections destined for the web server into a few connections between
the FortiGate unit and the web server. This can improve performance by
reducing server overhead associated with establishing multiple
connections. The server must be HTTP/1.1 compliant.
This option appears only if HTTP or HTTPS are selected for Type.
Note: Additional HTTP Multiplexing options are available in the CLI. For
more information, see the FortiGate CLI Reference.
Preserve Client IP Select to preserve the IP address of the client in the X-Forwarded-For
HTTP header. This can be useful if you require logging on the server of
the client’s original IP address. If this option is not selected, the header
will contain the IP address of the FortiGate unit.
This option appears only if HTTP or HTTPS are selected for Type, and is
available only if HTTP Multiplexing is selected.

SSL Offloading Select to accelerate clients’ SSL connections to the server by using the
FortiGate unit to perform SSL operations, then select which segments of
the connection will receive SSL offloading.
• Client <-> FortiGate
Select to apply hardware accelerated SSL only to the part of the
connection between the client and the FortiGate unit. The segment
between the FortiGate unit and the server will use clear text
communications. This results in best performance, but cannot be
used in failover configurations where the failover path does not have
an SSL accelerator.
• Client <-> FortiGate <-> Server
Select to apply hardware accelerated SSL to both parts of the
connection: the segment between client and the FortiGate unit, and
the segment between the FortiGate unit and the server. The segment
between the FortiGate unit and the server will use encrypted
communications, but the handshakes will be abbreviated. This results
in performance which is less than the other option, but still improved
over communications without SSL acceleration, and can be used in
failover configurations where the failover path does not have an SSL
accelerator. If the server is already configured to use SSL, this also
enables SSL acceleration without requiring changes to the server’s
configuration.
SSL 3.0, TLS 1.0, and TLS 1.1 are supported.
This option appears only if HTTPS or SSL are selected for Type, and
only on FortiGate models whose hardware supports SSL acceleration,
such as the FortiGate-3600A.
Note: Additional SSL Offloading options are available in the CLI. For
more information, see the FortiGate CLI Reference.
Certificate Select the certificate to use with SSL Offloading. The certificate key size
must be 1024 or 2048 bits. 4096-bit keys are not supported.
This option appears only if HTTPS or SSL are selected for Type, and is
available only if SSL Offloading is selected.
Health Check Select which health check monitor configuration will be used to
determine a server’s connectivity status.
For information on configuring health check monitors, see “Configuring
health check monitors” on page 387.
Comments Any comments or notes about this virtual server.
3 Select OK.
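The Preserve Client IP option above places the client's address in the X-Forwarded-For header, while the real server sees the FortiGate unit as its TCP peer. The following is an added example of how a web server behind the virtual server should treat that header when logging; it is not FortiGate or Fortinet code, and the FortiGate interface address 10.1.1.254 and the request data are constructed assumptions.

```python
"""Logging the original client address behind a FortiGate virtual server.

Added example, not FortiGate code. With HTTP Multiplexing the real server
sees the FortiGate unit as its TCP peer; with Preserve Client IP enabled the
FortiGate unit carries the client's address in X-Forwarded-For. A server
that logs from that header should trust it only on connections that really
come from the FortiGate unit, because on a direct connection the header is
whatever the sender chose to put in it. Addresses here are constructed.
"""
import ipaddress
from typing import Dict

# Constructed: FortiGate interface address(es) that front the real servers.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.1.1.254")})


def client_ip(peer: str, headers: Dict[str, str]) -> str:
    """Return the client address a web server should log for one request.

    `peer` is the TCP peer address of the connection as the server sees it.
    X-Forwarded-For is consulted only when the peer is a trusted proxy, and
    the entries are read right to left: the right-most untrusted address is
    the one appended by the last trusted proxy (the FortiGate unit), whereas
    left-most entries may have been supplied by the client itself.
    """
    peer_addr = ipaddress.ip_address(peer)
    if peer_addr not in TRUSTED_PROXIES:
        return str(peer_addr)  # direct connection: any X-Forwarded-For is untrusted
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # empty or malformed entry (e.g. "unknown"); skip it
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer_addr)  # header absent or unusable: fall back to the peer
```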

Configuring real servers


Configure a real server to bind it to a virtual server.
To view the real server list, go to Firewall > Load Balance > Real Server.

Figure 244: Real server list
Create New Select to add real servers. For more information, see “To create a real
server” on page 387.
IP Address Select the blue arrow beside a virtual server name to view the IP
addresses of the real servers that are bound to it.

Port The port number on the destination network to which the external port
number is mapped.
Weight The weight value of the real server. The higher the weight value, the
higher the percentage of connections the server will handle.
Max Connection The limit on the number of active connections directed to a real server. If
the maximum number of connections is reached for the real server, the
FortiGate unit will automatically switch all further connection requests to
another server until the connection number drops below the specified
limit.
Delete icon Remove the real server from the list.
Edit icon Edit the real server to change any real server option.

To create a real server


1 Go to Firewall > Load Balance > Real Server > Create New.

Figure 245: Creating a real server

2 Complete the following:

Virtual Server Select the virtual server to which you want to bind this real server.
IP Enter the IP address of the real server.
Port Enter the port number on the destination network to which the external
port number is mapped.
Weight Enter the weight value of the real server. The higher the weight value,
the higher the percentage of connections the server will handle. A
range of 1-255 can be used. This option is available only if the
associated virtual server’s load balance method is Weighted.
Max Connection Enter the limit on the number of active connections directed to a real
server. A range of 1-99999 can be used. If the maximum number of
connections is reached for the real server, the FortiGate unit will
automatically switch all further connection requests to another server
until the connection number drops below the specified limit.

3 Select OK.

Configuring health check monitors


You can specify which health check monitor configuration to use when polling to
determine a virtual server’s connectivity status.
Health check monitor configurations can specify TCP, HTTP or ICMP PING. A health
check occurs once every interval, measured in seconds. If a reply is not received
within the timeout period and you have configured the health check to retry, the check
is attempted again; otherwise, the server is deemed unresponsive, and load balancing
compensates by disabling traffic to that server until it becomes responsive again.

Figure 246: Health check monitor
Create New Select to add a health check monitor configuration. For more information, see
“To create a health check monitor configuration” on page 388.
Name The name of the health check monitor configuration. The names are grouped
by the health check monitor types.
Details The details of the health check monitor configuration, which vary by the type of
the health check monitor, and do not include the interval, timeout, or retry,
which are settings common to all types.
This field is empty if the type of the health check monitor is PING.
Delete Select to remove the health check monitor configuration. This option appears
only if the health check monitor configuration is not currently being used by a
virtual server configuration.
Edit Select to change the health check monitor configuration.

To create a health check monitor configuration


1 Go to Firewall > Virtual IP > Health Check Monitor > Create New.

Figure 247: Creating a health check monitor

2 Complete the following:

Name Enter the name of the health check monitor configuration.
Type Select the protocol used to perform the health check.
• TCP
• HTTP
• PING
Port Enter the port number used to perform the health check.
This option does not appear if the Type is PING.
URL Enter the URL that will receive the HTTP request.
This option appears only if Type is HTTP.
Matched Content Enter the HTTP reply content that must be present to indicate proper server
connectivity.
This option appears only if Type is HTTP.
Interval Enter the number of seconds between each server health check.

Timeout Enter the number of seconds which must pass after the server health check
to indicate a failed health check.
Retry Enter the number of times, if any, a failed health check will be retried before
the server is determined to be inaccessible.
3 Select OK.
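The scheduling rules in the Load Balance Method table, the Max Connection fallback rule for real servers and the interval/timeout/retry semantics of the health check monitor, as an added simulation that is not FortiGate code; the class and method names and the scripted probe replies are assumptions constructed for the example.

```python
"""Health-check and scheduling rules from this chapter, as a simulation.

Added example, not FortiGate code. A virtual server bound to real servers
applies one Load Balance Method, skips servers the health check monitor has
marked down, and honours each real server's Max Connection limit. Probe
replies are constructed in-line so the code runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Probe = Callable[[], Optional[str]]  # returns the reply body, or None on timeout


@dataclass(eq=False)  # identity comparison: two servers are never "equal"
class RealServer:
    ip: str
    weight: int = 1              # 1-255; used only by the Weighted method
    max_connection: int = 99999  # 1-99999
    up: bool = True              # maintained by the health check monitor
    active_sessions: int = 0


@dataclass
class HealthCheck:
    """HTTP monitor with the Interval, Timeout and Retry settings of the guide."""
    url: str
    matched_content: str
    interval: int = 10   # seconds between checks (scheduling not simulated)
    timeout: int = 2     # seconds after which a probe counts as failed
    retry: int = 0       # extra attempts before the server is marked down

    def evaluate(self, probe: Probe) -> bool:
        """True if the server answered with the matched content; a timed-out
        probe (None) or a body lacking it fails. The check is retried `retry`
        times, so retry=0 means a single failure marks the server down."""
        for _ in range(self.retry + 1):
            body = probe()
            if body is not None and self.matched_content in body:
                return True
        return False


def make_probe(replies: List[Optional[str]]) -> Probe:
    """Constructed probe: hands out the scripted replies, then times out."""
    queue = list(replies)
    return lambda: queue.pop(0) if queue else None


class VirtualServer:
    METHODS = ("round-robin", "weighted", "first-alive", "least-session")

    def __init__(self, method: str, servers: List[RealServer]):
        if method not in self.METHODS:
            raise ValueError(f"unsupported load balance method {method!r}")
        self.method = method
        self.servers = servers
        self._rr = 0                       # round-robin cursor
        self._credit: Dict[str, int] = {}  # smooth weighted round-robin state

    def refresh_health(self, hc: HealthCheck, probes: Dict[str, Probe]) -> None:
        """Run the monitor against every bound real server and update its status."""
        for s in self.servers:
            s.up = hc.evaluate(probes[s.ip])

    def _eligible(self) -> List[RealServer]:
        # Down servers are avoided; a server at its Max Connection limit is
        # skipped until its session count drops below the limit again.
        return [s for s in self.servers
                if s.up and s.active_sessions < s.max_connection]

    def pick(self) -> Optional[RealServer]:
        """Choose the real server for a new session, or None if none is usable."""
        pool = self._eligible()
        if not pool:
            return None
        if self.method == "first-alive":
            chosen = pool[0]
        elif self.method == "least-session":
            chosen = min(pool, key=lambda s: s.active_sessions)
        elif self.method == "round-robin":
            n = len(self.servers)
            while True:  # advance the cursor until it lands on an eligible server
                chosen = self.servers[self._rr % n]
                self._rr += 1
                if chosen in pool:
                    break
        else:  # weighted: share of picks is proportional to each server's weight
            total = sum(s.weight for s in pool)
            for s in pool:
                self._credit[s.ip] = self._credit.get(s.ip, 0) + s.weight
            chosen = max(pool, key=lambda s: self._credit[s.ip])
            self._credit[chosen.ip] -= total
        chosen.active_sessions += 1
        return chosen

    def release(self, server: RealServer) -> None:
        """A session ended; the server may become eligible again."""
        server.active_sessions -= 1
```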

Monitoring the servers


You can monitor the status of each virtual server and real server and start or stop the real
servers.

Figure 248: Server monitor

Virtual Server The IP addresses of the existing virtual servers.
Real Server The IP addresses of the existing real servers.
Health Status Display the health status according to the health check results for each real
server. A green arrow means the server is up. A red arrow means the server is
down.
Monitor Events Display each real server's up and down times.
Active Sessions Display each real server's active sessions.
RTT (ms) Display the Round Trip Time of each real server. By default, the RTT is “<1”.
This value will change only when ping monitoring is enabled on a real server.
Bytes Processed Display the traffic processed by each real server.
Graceful Stop/Start Select to start or stop real servers. When stopping a server, the FortiGate unit
will not accept new sessions but will wait for the active sessions to finish.

Firewall Protection Profile


Protection profiles contain settings for many application layer and other types of
protection, such as antivirus, web filtering, and logging, that you can apply to a firewall
policy. For information on applying a protection profile to a firewall policy, see “Configuring
firewall policies” on page 316.
If you enable virtual domains (VDOMs) on the FortiGate unit, firewall protection profiles
are configured separately for each virtual domain. For more information, see “Using virtual
domains” on page 103.
This section describes:
• What is a protection profile?
• Adding a protection profile to a firewall policy
• Default protection profiles
• Viewing the protection profile list
• Configuring a protection profile

What is a protection profile?


A protection profile is a group of settings that you can apply to one or more firewall
policies.
Because protection profiles can be used by more than one firewall policy, you can
configure one protection profile for the traffic types handled by a set of firewall policies
requiring identical protection levels and types, rather than repeatedly configuring those
same protection profile settings for each individual firewall policy.
For example, while traffic between trusted and untrusted networks might need strict
protection, traffic between trusted internal addresses might need moderate protection. To
provide the different levels of protection, you might configure two separate protection
profiles: one for traffic between trusted networks, and one for traffic between trusted and
untrusted networks.

Note: If the firewall policy requires authentication, do not select the protection profile in the
firewall policy. The protection profile is specific to the authenticating user group. For details
on configuring the protection profile associated with the user group, see “Configuring a user
group” on page 558.

You can use protection profiles to configure:
• antivirus protection
• web filtering
• FortiGuard Web Filtering
• spam filtering
• IPS
• data leak prevention sensor
• dashboard statistics
• application control
• logging for traffic which violates the protection profile

Adding a protection profile to a firewall policy


Protection profiles are used when specified in one or more firewall policies whose Action
is set to ACCEPT, IPSEC, or SSL VPN.
For example, if you create a protection profile containing SMTP antivirus settings that you
want to apply to all incoming SMTP connections, you might select that protection profile in
all external-to-internal firewall policies whose service group contain the SMTP service.
Protection profiles can contain settings relevant to many different services. Each firewall
policy uses the subset of the protection profile settings which apply to its specified
Service. In this way, you might define one protection profile that can be used by many
firewall policies, each policy using a different or overlapping subset of the protection
profile.

To add a protection profile to a firewall policy


1 Go to Firewall > Policy.
If virtual domains are enabled on the FortiGate unit, protection profiles are applied
separately in firewall policies for each virtual domain (VDOM). To access firewall
policies, first select a virtual domain from the main menu.
2 Select Create New to add a policy, or select Edit for the policy to which you want to
apply the protection profile.
3 Enable Protection Profile in the firewall policy.
4 Select the Protection Profile that you want to apply to the firewall policy.
The firewall policy will use settings from the protection profile that apply to its Services.
5 If you are creating a new firewall policy, configure other required policy options. For
more information, see “Configuring firewall policies” on page 316.
6 Select OK.

Default protection profiles


FortiGate units have four default protection profiles. You can use these default protection
profiles as bases for creating your own.

Strict Apply maximum protection to HTTP, FTP, IMAP, POP3, and SMTP traffic. The
strict protection profile may not be useful under normal circumstances, but it is
available when maximum protection is required.
Scan Apply virus scanning to HTTP, FTP, IMAP, POP3, and SMTP traffic. Quarantine is
also selected for all content services. On FortiGate models with a hard drive, if
antivirus scanning finds a virus in a file, the file is quarantined on the FortiGate
hard disk. If a FortiAnalyzer unit is configured, files are quarantined remotely.
Quarantine permits system administrators to inspect, recover, or submit
quarantined files to Fortinet for analysis.
Web Apply virus scanning and web content blocking to HTTP traffic. Add this
protection profile to firewall policies that control HTTP traffic.
Unfiltered Apply no scanning, blocking or IPS. Use the unfiltered content profile if no content
protection for content traffic is required. Add this protection profile to firewall
policies for connections between highly trusted or highly secure networks where
content does not need to be protected.
Note: Content archiving is disabled by default with the unfiltered protection
profile.

Viewing the protection profile list


Both default and customized protection profiles appear in the protection profile list.
To view the protection profile list, go to Firewall > Protection Profile.

Figure 249: Default protection profiles

Create New Add a protection profile.
Name The name of the protection profile.
Delete icon Delete a protection profile from the list. The Delete icon appears only if the
protection profile is not currently selected in a firewall policy or user group.
Edit icon Modify a protection profile.

Configuring a protection profile


If the default protection profiles do not provide the settings required, you can create
custom protection profiles.
To add a protection profile, go to Firewall > Protection Profile and select Create New.

Note: If both Virus Scan and File Block are enabled, the FortiGate unit blocks files
matching enabled file patterns before scanning files for viruses.

Figure 250: New Protection Profile

Profile Name Enter a name for the protection profile.
Comments Enter a description of the profile. The maximum length is 63 characters.
Protocol Recognition See “Protocol recognition options” on page 394.
Anti-Virus See “Anti-Virus options” on page 396.
IPS See “IPS options” on page 398.
Web Filtering See “Web Filtering options” on page 398.
FortiGuard Web Filtering See “FortiGuard Web Filtering options” on page 400.
Spam Filtering See “Spam Filtering options” on page 402.
Data Leak Prevention Sensor See “Data Leak Prevention Sensor options” on page 404.
Display content meta-information on the system dashboard See “Display content meta-information on the system dashboard options” on page 404.
Application Control See “Application Control options” on page 405.
Logging See “Logging options” on page 405.

Protocol recognition options


You configure protocol recognition options to set the HTTPS content filtering mode and to
select the TCP port numbers that the protection profile monitors for the content protocols
HTTP, HTTPS, SMTP, POP3, IMAP, NNTP, FTP, SMTPS, POP3S, and IMAPS.
By default the protection profile monitors the default content protocol port numbers (for
example, port 80 for HTTP and so on). You can edit the settings for each content protocol
and select to inspect all port numbers for that protocol or select one or more port numbers
to monitor for that protocol.
To configure protocol recognition options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection profile. Then
select the Expand Arrow beside Protocol Recognition, enter the information as described
below, and select OK.

Figure 251: Protection Profile Protocol Recognition options

HTTPS Content Filtering Mode Set the mode the protection profile uses for HTTPS traffic. The
mode can be:
• URL Filtering to limit HTTPS content filtering to URL filtering
only. Select this option if all you want to do is apply URL web
filtering to HTTPS traffic. If you select this option you cannot
select any Anti-Virus options for HTTPS. Under Web Filtering
you can select only Web URL Filter and Block Invalid URLs
for HTTPS. Selecting this option also limits the FortiGuard
Web Filtering options that you can select for HTTPS.
• Deep Scan (Decryption on SSL Traffic) to decrypt HTTPS
traffic and perform additional scanning of the content of the
HTTPS traffic. Select this option if you want to apply all
applicable protection profile options to HTTPS traffic. Using
this option requires adding HTTPS server certificates to the
FortiGate unit so that HTTPS traffic can be unencrypted.
Protocol The names of the content protocols that you can configure
protocol recognition for. The content protocols are HTTP, HTTPS,
SMTP, POP3, IMAP, NNTP, FTP, SMTPS, POP3S, and IMAPS.
Monitored Ports The port numbers that the protection profile monitors for each
content protocol. You can select multiple port numbers to monitor
for each content protocol. For HTTP, SMTP, POP3, IMAP, NNTP,
and FTP you can select Inspect All Ports to monitor all ports for
these content protocols. Monitoring all ports means the protection
profile uses protocol recognition techniques to determine the
protocol of a communication session independent of the port
number that the session uses.
Edit Icon Select Edit for a content protocol to configure how the protection
profile monitors traffic for that content protocol.
Configure Protocol Configure how to monitor for the selected content protocol.
Inspect All Ports Select to monitor all ports for the content protocol. This option is
available for HTTP, SMTP, POP3, IMAP, NNTP, and FTP.
Specify Ports Select this option and then enter the port numbers to monitor for
the content protocol. You can specify up to 20 ports for each
content protocol.

Anti-Virus options
You can apply antivirus scanning options through a protection profile for the HTTP, HTTPS,
SMTP, POP3, IMAP, NNTP, FTP, SMTPS, POP3S, and IMAPS content protocols.

Note: You cannot select Anti-Virus options for HTTPS if HTTPS Content Filtering Mode is
set to URL Filtering. For more information, see “Protocol recognition options” on page 394.

In general, client comforting provides a visual display of progress for web page loading or
file downloads. Without client comforting, users have no indication that the download has
started until the FortiGate unit has completely buffered and scanned the download, and
they may cancel or repeatedly retry the transfer, thinking it has failed. The appearance of a
client comforting message (for example, a progress bar) is browser-dependent. In some
instances, there will be no visual client comforting cue.
For email scanning, the oversize threshold refers to the final size of the email after
encoding by the email client, including attachments. Email clients can use a variety of
encoding types; some result in larger file sizes than the original attachment. The most
common encoding, base64, translates 3 bytes of binary data into 4 bytes of base64 data.
As a result, a file may be blocked or logged as oversized even if the attachment is several
megabytes smaller than the configured oversize threshold.
To configure antivirus options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Anti-Virus, enter the information as described below, and select
OK. For more antivirus configuration options, see “AntiVirus” on page 425.

Figure 252: Protection Profile Anti-Virus options

Virus Scan Select virus scanning for each protocol. Virus Scan includes
grayware, as well as heuristic scanning. However, by default neither is
enabled. To enable specific grayware, go to UTM > AntiVirus >
Grayware. To enable heuristic scanning, see the config
antivirus heuristic command in the FortiGate CLI Reference.
Note: When you enable virus scanning, scanning by splice, also
called streaming mode, is enabled automatically. When scanning by
splice, the FortiGate unit simultaneously scans and streams traffic to
the destination, terminating the stream to the destination if a virus is
detected. For details on configuring splicing, see the splice option
for each protocol in the config firewall profile command in
the FortiGate CLI Reference. For details on splicing behavior for each
protocol, see the Knowledge Center article FortiGate Proxy Splice and
Client Comforting Technical Note.
Extended AV Database Select to scan for viruses that have not been recently observed in the
wild.
In addition to the FortiGuard Antivirus wild list database, which
contains viruses currently being detected in the wild, some FortiGate
models are also equipped with an extended antivirus database that
contains viruses not recently observed in the wild.
This option appears only on some FortiGate models.
File Filter Select to filter files, then under Option, specify a file filter, which can
consist of file name patterns and file types. For more information, see
“File Filter” on page 429.
Quarantine Select for each protocol to quarantine suspect files for later inspection
or submission to Fortinet for analysis.
This option appears only if the FortiGate unit has a hard drive or a
configured FortiAnalyzer unit, and will take effect only if you have first
enabled and configured the quarantine. For more information, see
“File Quarantine” on page 432.
Pass Fragmented Emails Select to allow fragmented email for mail protocols (IMAP, POP3, and
SMTP). Fragmented email cannot be scanned for viruses.
Comfort Clients Select client comforting for each protocol.
Interval The time in seconds before client comforting starts after the download
has begun, and the time between subsequent intervals.
Amount The number of bytes sent at each interval.
Oversized File/Email Select Block or Pass for files and email messages exceeding
configured thresholds for each protocol.
Threshold If the file is larger than the threshold value in megabytes, the file is
passed or blocked. The maximum threshold for scanning in memory is
10% of the FortiGate unit’s RAM.
Allow Invalid Server Certificate Allow HTTPS, IMAPS, POP3S, and SMTPS traffic with an invalid
server certificate.
Quarantine Virus Sender (to Banned Users List) Select Enabled to quarantine/ban the virus senders.
Method Select to quarantine the virus senders by their IP addresses or by the
incoming interfaces of the viruses.
Expires Select to permanently quarantine the virus senders or set a quarantine
expiry date.
Add signature to outgoing emails Create and enable a signature to append to outgoing email (SMTP
only).

IPS options
You can apply IPS sensor options through a protection profile.
To configure IPS options, go to Firewall > Protection Profile. Select Create New to add a
protection profile, or the Edit icon beside an existing protection profile. Then select the
Expand Arrow beside IPS, enter the information as described below, and select OK.
For more information on IPS, see “Intrusion Protection” on page 441.

Figure 253: Protection profile IPS options

IPS Select to enable and use the specified IPS sensor.

You cannot select denial of service (DoS) sensors through this option. For information on
configuring DoS sensors, see “DoS sensors” on page 455.

Web Filtering options


Web filtering sorts millions of web pages into a wide range of categories that you can
allow, block or monitor. Content block uses words and patterns to block web pages
containing the words or patterns, URL filtering uses URLs and URL patterns to exempt or
block web pages from specific sources, and FortiGuard web filter provides many
additional categories by which to filter web traffic. In some instances, users may require
access to web sites that are blocked by a policy. An administrator can give the user the
ability to override the block for a specified period of time. For more information about
overrides, see “Web Filter” on page 459.

Note: Protection profile web filtering also includes FortiGuard Web Filtering. For
information about FortiGuard Web Filtering, see “FortiGuard Web Filtering options” on
page 400.

Note: You cannot select some Web Filtering options for HTTPS if HTTPS Content Filtering
Mode is set to URL Filtering. For more information, see “Protocol recognition options” on
page 394.

Filters defined in the web filtering settings are turned on through a protection profile. To
configure web filtering options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Web Filtering, enter the information as described below, and
select OK.

Figure 254: Protection Profile Web Filtering options


Web Content Block: Select the check box to block HTTP traffic based on the words or patterns in the content block filter.
Web content block list: Select which content block filter will be used with this protection profile.
Threshold: Enter a score threshold.
Web Content Exempt: Select the check box to enable the override of web content block based on the content exempt patterns in the content exempt list.
Web content exempt list: Select which content exemptions will be used with this protection profile.
Web URL Filter: Select the check box to block HTTP and HTTPS traffic based on the URL list.
Web URL filter list: Select which web URL filter list will be used with this protection profile.
ActiveX Filter: Select to block ActiveX controls.
Cookie Filter: Select to block cookies.
Java Applet Filter: Select to block Java applets.
Web Resume Download Block: Select to block downloading parts of a file that have already been downloaded. Enabling this option prevents the unintentional download of virus files hidden in fragmented files. Note that some types of files, such as PDFs, are fragmented to increase download speed, and that selecting this option can cause download interruptions with these types.
Block Invalid URLs: Select to block web sites whose SSL certificate’s CN field does not contain a valid domain name.
FortiGate units always validate the CN field, regardless of whether this option is enabled. However, if this option is not selected, the following behavior occurs:
• If the request is made directly to the web server, rather than a web server proxy, the FortiGate unit queries for FortiGuard Web Filtering category or class ratings using the IP address only, not the domain name.
• If the request is to a web server proxy, the real IP address of the web server is not known. Therefore, rating queries by either or both the IP address and the domain name are not reliable. In this case, the FortiGate unit does not perform FortiGuard Web Filtering.
HTTP POST Action: Select the action to take against HTTP uploads.
  Normal: Allow the traffic to pass, subject to the results of FortiGate firewall screening.
  Block: Ban HTTP POST operations.
  Comfort: Use the comfort amount and interval settings to send “comfort” bytes to the server in case the client connection is too slow. This prevents a timeout when scanning or another filtering tool is turned on.

Blocked pages are replaced with a message indicating that the page is not accessible
according to the Internet usage policy.
If the combined scores of the content block patterns appearing on a web page exceed the
threshold value, the page will be blocked. For details, see “Viewing the web content block
list” on page 463.
For more information on web filter configuration options, see “Web Filter” on page 459.
For details on how web URL filter lists are used with HTTP and HTTPS URLs, see “URL
formats” on page 469.


FortiGuard Web Filtering options


You can enable and apply FortiGuard Web Filtering options by using a protection profile.
If you have blocked a pattern using the FortiGuard Web Filter, but want certain users to
have access to URLs within the pattern, you can use the override feature within the
FortiGuard Web Filter.

Note: You cannot select some FortiGuard Web Filtering options for HTTPS if HTTPS
Content Filtering Mode is set to URL Filtering. For more information, see “Protocol
recognition options” on page 394.

For more category blocking configuration options, see “FortiGuard - Web Filter” on
page 470.
To configure FortiGuard Web Filtering options, go to Firewall > Protection Profile. Select
Create New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside Web Filtering and scroll down to FortiGuard
Web Filtering. Enter the information as described below, and select OK.

Figure 255: Protection Profile FortiGuard Web Filtering options

Enable FortiGuard Web Filtering: Select to enable FortiGuard Web Filtering.
Enable FortiGuard Web Filtering Overrides: Select to enable category overrides. For more information, see “Viewing the override list” on page 471 and “Configuring administrative override rules” on page 472.


Provide details for blocked HTTP 4xx and 5xx errors: Display a replacement message for 400 and 500-series HTTP errors. If the error is allowed through, malicious or objectionable sites can use these common error pages to circumvent web filtering.
Rate images by URL (blocked images will be replaced with blanks): Block images that have been rated by FortiGuard. Blocked images are replaced on the originating web pages with blanks. Rated image file types include GIF, JPEG, PNG, BMP, and TIFF.
Allow websites when a rating error occurs: Allow web pages that return a rating error from the web filtering service.
Strict Blocking: This option is enabled by default. Strict Blocking only has an effect when either a URL fits into a protection profile Category and Classification or “Rate URLs by domain and IP address” is enabled. With “Rate URLs by domain and IP address” enabled, all URLs have two categories and up to two classifications (one set for the domain and one set for the IP address). All URLs belong to at least one category (Unrated is a category) and may also belong to a classification.
If you enable Strict Blocking, a site is blocked if it is in at least one blocked category or classification and only allowed if all categories or classifications it falls under are allowed.
If you do not enable Strict Blocking, a site is allowed if it belongs to at least one allowed category or classification and only blocked if all categories or classifications it falls under are blocked.
For example, suppose a protection profile blocks “Search Engines” but allows “Image Search”, and the URL “images.example.com” falls into the General Interests Search Engines category and the Image Search classification.
With Strict Blocking enabled, this URL is blocked because it belongs to the Search Engines category, which is blocked.
With Strict Blocking disabled, the URL is allowed because it is classified as Image Search, which is allowed. It would only be blocked if both the Search Engines category and the Image Search classification were blocked.
Rate URLs by domain and IP address: Select to send both the URL and the IP address of the requested site for checking, and thus provide additional security against attempts to bypass the FortiGuard system. However, because IP rating is not updated as quickly as URL rating, some false ratings may occur.
Block HTTP redirects by rating: Enable to block HTTP redirects. Many web sites use HTTP redirects legitimately; however, in some cases, redirects may be designed specifically to circumvent web filtering, as the initial web page could have a different rating than the destination web page of the redirect.
Category: FortiGuard Web Filtering provides many content categories by which to filter web traffic. Categories reflect the subject matter of the content. For each category, select Allow or Block, and, if the category is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the category.
Classification: In addition to content categories, FortiGuard Web Filtering provides functional classifications that block whole classes of web sites based upon their functionality, media type, or source, rather than the web site’s subject matter. Using classifications, you can block web sites that host cached content or that facilitate image, audio, or video searches, or web sites from spam URLs. Classification is in addition to, and can be configured separately from, the category. For each class, select Allow or Block, and, if the class is blocked, whether or not to Allow Override to permit users to override the filter if they successfully authenticate. You can also select to log each traffic occurrence of the class.
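The Strict Blocking rule above, written out as a decision function over a URL's categories and classifications. This is an added example, not FortiOS code; the `Rating` type, the policy dictionaries and the second (domain/IP) scenario are constructed for illustration, and a category missing from the profile is assumed to be allowed.

```python
from dataclasses import dataclass, field

ALLOW = "allow"
BLOCK = "block"


@dataclass
class Rating:
    """Ratings returned for one URL.

    With "Rate URLs by domain and IP address" enabled, a URL carries one
    category (and possibly one classification) for the domain and a second
    set for the IP address, so both fields are lists.
    """
    categories: list
    classifications: list = field(default_factory=list)


def decide(rating, category_policy, class_policy, strict_blocking=True):
    """Return ALLOW or BLOCK for a rated URL under a protection profile.

    category_policy / class_policy map a FortiGuard category or
    classification name to ALLOW or BLOCK. A name missing from the profile
    is treated as allowed (assumption of this example).

    Strict Blocking on:  blocked if at least one category/classification is
                         blocked; allowed only if all of them are allowed.
    Strict Blocking off: allowed if at least one is allowed; blocked only if
                         all of them are blocked.
    """
    actions = [category_policy.get(c, ALLOW) for c in rating.categories]
    actions += [class_policy.get(k, ALLOW) for k in rating.classifications]
    if strict_blocking:
        return BLOCK if BLOCK in actions else ALLOW
    return ALLOW if ALLOW in actions else BLOCK


# The guide's own example: "Search Engines" blocked, "Image Search" allowed.
GUIDE_CATEGORY_POLICY = {"Search Engines": BLOCK}
GUIDE_CLASS_POLICY = {"Image Search": ALLOW}
IMAGES_EXAMPLE_COM = Rating(categories=["Search Engines"],
                            classifications=["Image Search"])


def guide_example(strict_blocking):
    """Decision for images.example.com with the profile above."""
    return decide(IMAGES_EXAMPLE_COM, GUIDE_CATEGORY_POLICY,
                  GUIDE_CLASS_POLICY, strict_blocking)


def domain_ip_example(strict_blocking):
    """Constructed case for "Rate URLs by domain and IP address": the domain
    rates as Business (allowed) but the IP address comes back Unrated, and
    the profile blocks Unrated. Strict Blocking lets the IP rating block the
    site; with Strict Blocking off the allowed domain rating wins."""
    rating = Rating(categories=["Business", "Unrated"])
    policy = {"Business": ALLOW, "Unrated": BLOCK}
    return decide(rating, policy, {}, strict_blocking)


if __name__ == "__main__":
    for strict in (True, False):
        print(f"strict={strict}: images.example.com -> {guide_example(strict)}, "
              f"domain/IP case -> {domain_ip_example(strict)}")
```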


Spam Filtering options


Several spam filters can be configured in the protection profile.
With the IP address filter, FortiGuard AntiSpam extracts the email server source address and sends the IP address to a FortiGuard Antispam server to check if this IP address matches the list of known spammers. If the IP address is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient.
With the URL filter, FortiGuard Antispam checks the body of email messages to extract any URL links. These URL links are sent to a FortiGuard Antispam server to determine if any are listed. Spam messages often contain URL links to advertisements (also called spamvertizing). If a URL match is found, FortiGuard Antispam terminates the session. If FortiGuard Antispam does not find a match, the email server sends the email to the recipient.
The email checksum filter calculates the checksum of an email message and sends this checksum to the FortiGuard servers to determine if the checksum is in the blacklist. The FortiGate unit then passes or marks/blocks the email message according to the server response.
You can apply spam filtering options through a protection profile. To configure Spam Filtering options, go to Firewall > Protection Profile. Select Create New to add a protection profile, or the Edit icon beside an existing protection profile. Then select the Expand Arrow beside Spam Filtering, enter the information as described below, and select OK.
For more information about this service, see “FortiGuard Antispam service” on page 259. For more spam filter configuration options, see “Antispam” on page 477. To configure the FortiGuard Anti-spam service, see “Configuring the FortiGate unit for FDN and FortiGuard subscription services” on page 260.

Note: Some popular email clients cannot filter messages based on the MIME header. For
these clients, select to tag email message subject lines instead.

Figure 256: Protection Profile Spam Filtering options

FortiGuard AntiSpam: Select one or more check boxes to enable protocols (IMAP, POP3, SMTP), then apply the options that you need:
  IP address check: Select to enable the FortiGuard AntiSpam filtering IP address blacklist.
  URL check: Select to enable the FortiGuard AntiSpam spam filtering URL blacklist.


  E-mail checksum check: Select to enable the FortiGuard Antispam email message checksum blacklist.
  Spam submission: Select to enable all email messages marked as spam to have a link added to the message body. If an email message is not spam, simply select the link in the message to inform FortiGuard about the false positive.
IP address BWL check: Black/white list check. Select to check incoming IP addresses against the configured spam filter IP address list.
IP address BWL check list: Select which IP address black/white list will be used with this protection profile.
HELO DNS lookup: Select to enable the lookup of the source domain name (from the SMTP HELO command) in the Domain Name Server.
E-mail address BWL check: Select to enable the checking of incoming email addresses against the configured spam filter email address list.
E-mail address BWL list: Select which email address black/white list will be used with this protection profile.
Return e-mail DNS check: Select to enable checking that the domain specified in the reply-to or from address has an A or MX record.
Banned word check: Select to enable checking source email against the configured spam filter banned word list.
Banned word list: Select which banned word list will be used with this protection profile.
Threshold: If the combined scores of the banned word patterns appearing in an email message exceed the threshold value, the message will be processed according to the Spam Action setting. For details, see “Viewing the antispam banned word list” on page 481.
Spam Action: Select to either tag or discard email that the FortiGate unit determines to be spam. Tagging affixes custom text to the subject line or header of email identified as spam.
For SMTP, if you enable virus scanning in the Anti-Virus options section of the Protection Profile (which is automatically implemented as a spliced stream), you will only be able to discard spam email if a virus is detected. Discarding immediately drops the connection. If virus scanning is not enabled, you can choose to either tag or discard SMTP spam.
Tag Location: Select to affix the tag to the subject or MIME header of the email identified as spam.
If you select to affix the tag to the subject line, the FortiGate unit will convert the entire subject line, including the tag, to UTF-8 by default. This improves display for some email clients that cannot properly display subject lines that use more than one encoding. For details on preventing conversion of the subject line to UTF-8, see the “System Settings” chapter of the FortiGate CLI Reference.
To affix the tag to the MIME header, you must enable spamhdrcheck in the CLI for each protocol (IMAP, SMTP, and POP3). For more information see “profile” in the FortiGate CLI Reference.
Tag Format: Enter a word or phrase (tag) to affix to email identified as spam.
When typing a tag, use the same language as the FortiGate unit’s current administrator language setting. Tag text using other encodings may not be accepted. For example, when entering a spam tag that uses Japanese characters, first verify that the administrator language setting is Japanese; the FortiGate unit will not accept a spam tag written in Japanese characters while the administrator language setting is English. For details on changing the language setting, see “Settings” on page 222.
Tags must not exceed 64 bytes. The number of characters constituting 64 bytes of data varies by text encoding, which may vary by the FortiGate administrator language setting.
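The score-threshold rule shared by the Web Content Block option (combined pattern scores above the threshold block the page unless a Web Content Exempt pattern matches) and the Banned word check here, followed by the Spam Action, Tag Location and 64-byte Tag Format limit, as an added example that is not FortiOS code. The pattern lists, scores, thresholds, sample texts and the `X-Spam-Tag` header name are constructed; counting each matching pattern once per message is also an assumption of the example.

```python
import re

# Constructed pattern lists (score per pattern) and thresholds; on the
# FortiGate the lists are maintained elsewhere and only selected here.
WEB_BLOCK_PATTERNS = {r"\bcasino\b": 30, r"\bpoker\b": 20, r"\bbetting\b": 20}
WEB_EXEMPT_PATTERNS = [r"gambling addiction", r"responsible gaming"]
WEB_THRESHOLD = 40

BANNED_WORDS = {r"free money": 50, r"click here": 30, r"\bviagra\b": 60}
SPAM_THRESHOLD = 60


def score_text(text, patterns):
    """Sum the scores of the patterns found in text (case-insensitive regex).

    Returns (total, matched_patterns). Each pattern counts once no matter
    how often it occurs; whether FortiOS counts per occurrence is not stated
    in the guide, so this is an assumption of the example.
    """
    total, matched = 0, []
    for pattern, score in patterns.items():
        if re.search(pattern, text, re.IGNORECASE):
            total += score
            matched.append(pattern)
    return total, matched


def web_content_decision(page_text, block_patterns=WEB_BLOCK_PATTERNS,
                         exempt_patterns=WEB_EXEMPT_PATTERNS,
                         threshold=WEB_THRESHOLD):
    """Web Content Block with Web Content Exempt.

    An exempt pattern overrides the block entirely; otherwise the page is
    blocked when the combined score exceeds (is strictly greater than) the
    threshold. Returns (action, total_score).
    """
    if any(re.search(p, page_text, re.IGNORECASE) for p in exempt_patterns):
        return "exempt", 0
    total, _ = score_text(page_text, block_patterns)
    return ("block" if total > threshold else "pass"), total


def validate_tag(tag):
    """Tag Format rule: the tag must not exceed 64 bytes once encoded."""
    if len(tag.encode("utf-8")) > 64:
        raise ValueError("spam tag exceeds 64 bytes")
    return tag


def spam_decision(headers, body, banned_words=BANNED_WORDS,
                  threshold=SPAM_THRESHOLD, spam_action="tag",
                  tag="[SPAM]", tag_location="subject"):
    """Banned word check followed by the Spam Action.

    headers is a dict of message headers. Above the threshold the message
    is either discarded (returns ("discard", None)) or tagged: the tag is
    prefixed to the Subject, or placed in a MIME header. X-Spam-Tag is a
    placeholder name; the guide does not name the header. Returns
    (action, headers).
    """
    total, _ = score_text(body, banned_words)
    if total <= threshold:
        return "pass", headers
    if spam_action == "discard":
        return "discard", None
    tag = validate_tag(tag)
    tagged = dict(headers)
    if tag_location == "subject":
        tagged["Subject"] = f"{tag} {headers.get('Subject', '')}".strip()
    else:
        tagged["X-Spam-Tag"] = tag
    return "tag", tagged


if __name__ == "__main__":
    print(web_content_decision("Online casino and poker tonight"))
    print(web_content_decision("Online casino news"))
    print(web_content_decision("Help for gambling addiction: casino, poker"))
    print(spam_decision({"Subject": "Hello"}, "FREE MONEY - click here now"))
```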


Data Leak Prevention Sensor options


You apply data leak prevention to traffic by selecting a data leak prevention sensor.
To configure data leak prevention sensor options, go to Firewall > Protection Profile.
Select Create New to add a protection profile, or the Edit icon beside an existing
protection profile. Then select the Expand Arrow beside Data Leak Prevention Sensor,
enter the information as described below, and select OK.

Note: The Data Leak Prevention Sensor section of the protection profile also contains the
options for displaying content meta-information on the system dashboard. For information
about these options, see “Display content meta-information on the system dashboard
options” on page 404.

For more information on Data Leak Prevention Sensor, see “Data Leak Prevention” on
page 491.

Figure 257: Data Leak Prevention Sensor options

Data Leak Prevention Sensor: Select to add the specified data leak prevention sensor to the protection profile.

Display content meta-information on the system dashboard options


Under the data leak prevention sensor option you can apply dashboard statistics options
through a protection profile to display logged metadata on the FortiGate unit system
dashboard.
To configure dashboard statistics options, go to Firewall > Protection Profile. Select
Create New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside Data Leak Prevention Sensor, and select the
Display content meta-information on the system dashboard options as described below.

Figure 258: Protection Profile Display content meta-information on the system dashboard

Display content meta-information on the system dashboard: For each protocol, select whether or not to display the content summary in the Statistics section of the dashboard. You can select HTTP, HTTPS, FTP, IMAP, POP3, SMTP, IMAPS, POP3S, and SMTPS. For details on the dashboard display, see “Statistics” on page 73. NNTP cannot be selected, and is reserved for future use.


Application Control options


You can apply application control options through a protection profile.
For more information about application control, see “Application control” on page 499.
To configure application control options, go to Firewall > Protection Profile. Select Create
New to add a protection profile, or the Edit icon beside an existing protection profile. Then
select the Expand Arrow beside Application Control and select the application control list
to add to the protection profile.

Figure 259: Protection Profile Application Control options

Application Control List: Select to enable and use the specified application control list in the protection profile.

Logging options
You can enable Logging options in a protection profile to write event log messages when
the options that you have enabled in this protection profile perform an action. For
example, if you enable Antivirus protection you could also enable the Anti-virus > Viruses
protection profile logging options to write an event log message every time a virus is
detected by this protection profile.
For more information about enabling and configuring event logs, see “Event log” on
page 613.
To configure Logging options, go to Firewall > Protection Profile. Select Create New to
add a protection profile, or the Edit icon beside an existing protection profile. Then select
the Expand Arrow beside Logging, enter the information as described below, and select
OK.

Figure 260: Protection Profile Logging options


Antivirus
  Viruses: Select to log detected viruses.
  Blocked Files: Select to log blocked files.
  Oversized Files / E-mails: Select to log oversize files and email messages.
Web Filtering
  Content Block: Select to log content blocking events.
  URL Filter: Select to log blocked and exempted URLs.
  ActiveX Filter: Select to log blocked ActiveX plugins.
  Cookie Filter: Select to log blocked cookies.
  Java Applet Filter: Select to log blocked Java applets.
FortiGuard Web Filtering
  Rating Errors (HTTP only): Select to log rating errors.
Spam Filtering
  Log Spam: Select to log detected spam.
IPS
  Log Intrusions: Select to log IPS signature and anomaly events.
IM and P2P
  Log IM Activity: Select to log IM events.
  Log P2P Activity: Select to log P2P events.
VoIP
  Log VoIP Activity: Select to log VoIP events.
Data Leak Prevention Sensor
  Log DLP: Select to log DLP events.


Traffic Shaping
Traffic shaping, once included in a firewall policy, controls the bandwidth available to, and
sets the priority of the traffic processed by, the policy. Traffic shaping makes it possible to
control which policies have the highest priority when large amounts of data are moving
through the FortiGate unit. For example, the policy for the corporate web server might be
given higher priority than the policies for most employees’ computers. An employee who
needs extra high speed Internet access could have a special outgoing policy set up with
higher bandwidth.
Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or SSL-
VPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP, and
ESP.
Guaranteed and maximum bandwidth in combination with queuing ensures minimum and
maximum bandwidth is available for traffic.
Traffic shaping cannot increase the total amount of bandwidth available, but you can use it
to improve the quality of bandwidth-intensive and sensitive traffic.
For more information about firewall policy, see “Firewall Policy” on page 313.

Note: For more information about traffic shaping you can also see the FortiGate Traffic
Shaping Technical Note.

This section describes:


• Guaranteed bandwidth and maximum bandwidth
• Traffic priority
• Traffic shaping considerations
• Configuring traffic shaping

Guaranteed bandwidth and maximum bandwidth


When you enter a value in the Guaranteed Bandwidth field when adding a traffic shaper,
you guarantee the amount of bandwidth available for selected network traffic (in
Kbytes/sec). For example, you may want to give a higher guaranteed bandwidth to your e-commerce traffic.
When you enter a value in the Maximum Bandwidth field when adding a traffic shaper, you
limit the amount of bandwidth available for selected network traffic (in Kbytes/sec). For
example, you may want to limit the bandwidth of IM traffic usage, to save some bandwidth
for the more important e-commerce traffic.
The bandwidth available for traffic set in a traffic shaper is used for both the control and
data sessions and for traffic in both directions. For example, if guaranteed bandwidth is
applied to an internal and an external FTP policy, and a user on an internal network uses
FTP to put and get files, both the put and get sessions share the bandwidth available to
the traffic controlled by the policy.
Once included in a firewall policy, the guaranteed and maximum bandwidth is the total
bandwidth available to all traffic controlled by the policy. If multiple users start multiple
communications sessions using the same policy, all of these communications sessions
must share the bandwidth available for the policy.


However, bandwidth availability is not shared between multiple instances of using the
same service if these multiple instances are controlled by different policies. For example,
you can create one FTP policy to limit the amount of bandwidth available for FTP for one
network address and create another FTP policy with a different bandwidth availability for
another network address.

Note: If you set both guaranteed bandwidth and maximum bandwidth to 0 (zero), the policy
does not allow any traffic.

Traffic priority
When adding a traffic shaper, you can set traffic priority to manage the relative priorities of
different types of traffic. Important and latency-sensitive traffic should be assigned a high
priority. Less important and less sensitive traffic should be assigned a low priority.
The FortiGate unit provides bandwidth to low-priority connections only when bandwidth is
not needed for high-priority connections.
For example, you can add policies to guarantee bandwidth for voice and e-commerce
traffic. Then you can assign a high priority to the policy that controls voice traffic and a
medium priority to the policy that controls e-commerce traffic. During a busy time, if both
voice and e-commerce traffic are competing for bandwidth, the higher priority voice traffic
will be transmitted before the e-commerce traffic.

Traffic shaping considerations


Traffic shaping attempts to “normalize” traffic peaks/bursts to prioritize certain flows over
others. But there is a physical limitation to the amount of data which can be buffered and
to the length of time. Once these thresholds have been surpassed, frames and packets
will be dropped, and sessions will be affected in other ways. For example, incorrect traffic
shaping configurations may actually further degrade certain network flows, since the
excessive discarding of packets can create additional overhead at the upper layers that
may be attempting to recover from these errors.
A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose
potential discarding is less advantageous. This would mean that you accept sacrificing
certain performance and stability on low-priority traffic, in order to increase or guarantee
performance and stability to high-priority traffic.
If, for example, you are applying bandwidth limitations to certain flows, you must accept
the fact that these sessions can be limited and therefore negatively impacted.
Traffic shaping applied to a firewall policy is enforced for traffic flowing in either direction.
Therefore a session set up by an internal host to an external one, through an
Internal-to-External policy, will have traffic shaping applied even if the data stream flows
from external to internal. Examples are an FTP “get”, or an SMTP server connecting to an
external one in order to retrieve email.
Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic
shaping is not effective during periods when traffic exceeds the capacity of the FortiGate
unit. Since packets must be received by the FortiGate unit before they are subject to traffic
shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped
packets, delays, and latency are likely to occur.


To ensure that traffic shaping is working at its best, make sure that the interface ethernet
statistics show no errors, collisions or buffer overruns. If any of these problems do appear,
then FortiGate and switch settings may require adjusting. For more information, see the
FortiGate Traffic Shaping Technical Note.

Configuring traffic shaping


Configure traffic shapers to be included in firewall policies.
To view the traffic shaper list, go to Firewall > Traffic Shaping > Traffic Shaping.

Figure 261: Traffic shaper list

Create New: Add a traffic shaper. For more information, see “To create a traffic shaper” on page 411.
Name: The name of a traffic shaper.
Delete icon: Select to remove a traffic shaper.
Edit icon: Select to modify a traffic shaper.

To create a traffic shaper


1 Go to Firewall > Traffic Shaping > Traffic Shaping.
2 Select Create New.

Figure 262: Creating traffic shapers

Name: Type a name for this traffic shaper.
Apply Shaping: Select Per Policy to apply this traffic shaper to a single firewall policy that uses it. Select For all policies using this shaper to apply this traffic shaper to all firewall policies that use it.
Guaranteed Bandwidth: Select a value to ensure there is enough bandwidth available for a high-priority service. Be sure that the sum of all Guaranteed Bandwidth in all firewall policies is significantly less than the bandwidth capacity of the interface.


Maximum Bandwidth: Select to limit bandwidth in order to keep less important services from using bandwidth needed for more important ones.
Traffic Priority: Select High, Medium, or Low. Select Traffic Priority so the FortiGate unit manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority. Less important services should be assigned a low priority. The firewall provides bandwidth to low-priority connections only when bandwidth is not needed for high-priority connections.
Be sure to enable traffic shaping on all firewall policies. If you do not apply any traffic shaping rule to a policy, the policy is set to high priority by default. Distribute firewall policies over all three priority queues.
3 Select OK.
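A simplified model of the shaper rules described in this chapter (guarantees are served first, leftover capacity goes to higher priorities first, Maximum Bandwidth caps each policy, a 0/0 shaper passes nothing, and the sum of guarantees must stay well below interface capacity), as an added example rather than FortiGate code. The shaper names, values, interface capacity and offered loads are constructed; treating a maximum of 0 with a non-zero guarantee as uncapped, and the 80% figure in the configuration check, are assumptions of the example.

```python
from dataclasses import dataclass

PRIORITIES = ("high", "medium", "low")


@dataclass
class Shaper:
    """Traffic shaper settings as entered under Firewall > Traffic Shaping."""
    name: str
    guaranteed: int   # Guaranteed Bandwidth, Kbytes/sec reserved for the policy
    maximum: int      # Maximum Bandwidth, Kbytes/sec cap (0 = no cap, an assumption)
    priority: str     # Traffic Priority: "high", "medium" or "low"

    def passes_traffic(self):
        # Guide: guaranteed 0 and maximum 0 means the policy allows no traffic.
        return not (self.guaranteed == 0 and self.maximum == 0)

    def ceiling(self, demand):
        """Most the policy can use this interval: its offered load, capped by
        Maximum Bandwidth when one is set."""
        return min(demand, self.maximum) if self.maximum > 0 else demand


def guarantees_fit(shapers, capacity):
    """Configuration check from the guide: the sum of all Guaranteed Bandwidth
    must be significantly less than the interface capacity (80% here is an
    assumption)."""
    return sum(s.guaranteed for s in shapers) <= 0.8 * capacity


def allocate(shapers, demand, capacity):
    """Share one interface's capacity (Kbytes/sec) between shaped policies.

    demand maps shaper name -> offered load in Kbytes/sec. Pass 1 reserves
    each policy's guarantee; pass 2 hands the leftover to high priority
    first, then medium, then low, so low-priority policies only receive
    bandwidth the higher ones do not need. Both passes respect the policy's
    Maximum Bandwidth. This models the rules stated in the guide, not the
    FortiGate queuing implementation.
    """
    alloc = {s.name: 0 for s in shapers}
    remaining = capacity
    active = [s for s in shapers if s.passes_traffic()]

    for s in active:                                   # pass 1: guarantees
        give = min(s.guaranteed, s.ceiling(demand.get(s.name, 0)), remaining)
        alloc[s.name] += give
        remaining -= give

    for prio in PRIORITIES:                            # pass 2: by priority
        group = [s for s in active if s.priority == prio]
        while remaining > 0:
            hungry = [s for s in group
                      if alloc[s.name] < s.ceiling(demand.get(s.name, 0))]
            if not hungry:
                break
            share = max(remaining // len(hungry), 1)   # equal share in group
            for s in hungry:
                room = s.ceiling(demand.get(s.name, 0)) - alloc[s.name]
                give = min(share, room, remaining)
                alloc[s.name] += give
                remaining -= give
    return alloc


# Constructed scenario following the guide's example: voice and e-commerce
# get guarantees, IM is capped, and one policy is set to 0/0.
SHAPERS = [
    Shaper("voice", guaranteed=200, maximum=500, priority="high"),
    Shaper("ecommerce", guaranteed=300, maximum=1000, priority="medium"),
    Shaper("im", guaranteed=0, maximum=100, priority="low"),
    Shaper("blocked", guaranteed=0, maximum=0, priority="low"),
]
CAPACITY = 1000  # Kbytes/sec available on the interface


if __name__ == "__main__":
    busy = {"voice": 400, "ecommerce": 800, "im": 300, "blocked": 100}
    quiet = {"voice": 100, "ecommerce": 200, "im": 300, "blocked": 100}
    print("guarantees fit:", guarantees_fit(SHAPERS, CAPACITY))
    print("busy :", allocate(SHAPERS, busy, CAPACITY))
    print("quiet:", allocate(SHAPERS, quiet, CAPACITY))
```

In the busy case IM gets nothing because voice and e-commerce consume the whole link; in the quiet case IM is still held to its 100 Kbytes/sec maximum even though 600 Kbytes/sec are idle.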


SIP support
The Session Initiation Protocol (SIP) is a signaling protocol used for establishing and
conducting multiuser calls over TCP/IP networks using any media. Due to the complexity
of the call setup, not every firewall can handle SIP calls correctly, even if the firewall is
stateful. The FortiGate unit SIP pre-defined service tracks and scans SIP calls. The
FortiGate unit can make all necessary adjustments, to both the firewall state and call data,
to ensure a seamless call is established through the FortiGate unit regardless of its
operation mode (NAT, route, or transparent).
You can use protection profiles to control the SIP protocol and SIP call activity.
A statistical summary of SIP protocol activity is also available and makes managing SIP
use easy.
This section includes some high-level information about VoIP and SIP. It also describes
how FortiOS SIP support works and how to configure the key SIP features. For more
configuration information, see the FortiGate CLI Reference.
The FortiGate unit supports the following SIP features:
• Stateful SIP tracking
• RTP Pinholing
• Request control
• Rate limiting
• Events logging
• Communication archiving
• NAT IP preservation
• Client connection control
• Register response acceptance
• Application Layer Gateway (ALG) control
• SIP stateful HA
This section describes:
• VoIP and SIP
• FortiOS and VoIP security
• How SIP support works
• Configuring SIP

VoIP and SIP


SIP is an IETF protocol for establishing VoIP connections. Many VoIP networks choose
SIP to handle multimedia sessions between endpoints. This lightweight, text-based
signaling protocol is transported over either Transmission Control Protocol (TCP) or User
Datagram Protocol (UDP). SIP uses invitations to create Session Description Protocol
(SDP) messages that allow participants to agree on a set of compatible media types.
SIP applications are based on a client-server structure and support user mobility with two
operating modes: proxy and redirect.


In proxy mode (shown in Figure 263), SIP clients send requests to the proxy server. The
proxy server either handles the requests or forwards them to other SIP servers. Proxy
servers can insulate and hide SIP users by proxying the signaling messages. To the other
users on the VoIP network, the signaling invitations look as if they come from the SIP
proxy server.

Figure 263: SIP in proxy mode (diagram; steps recovered from the figure)
1. SIP clients register with the SIP server.
2. Client A dials Client B and a request is sent to the SIP proxy server.
3. The proxy server looks up the phone number or URL of the destination client (Client B) and sends an invite to Client B.
4. Client B is notified of the incoming call by the proxy server and the phone rings.
5. An RTP session opens across the IP network when Client B answers.

When the SIP server operates in redirect mode (shown in Figure 264), the SIP client
sends its signaling request to a SIP server, which then looks up the destination address.
The SIP server returns the destination address to the originator of the call, who uses it to
signal the destination SIP client.

Figure 264: SIP in redirect mode (diagram; steps recovered from the figure)
1. SIP clients register with the SIP server.
2. Client A dials Client B and a request is sent to the SIP redirect server.
3. The redirect server looks up the phone number or URL of the destination client (Client B) and sends the address back to the caller (Client A).
4. Client A sends an invitation to Client B.
5. Client B is notified of the incoming call by the redirect server and the phone rings.
6. An RTP session opens across the IP network when Client B answers.


FortiOS and VoIP security


Like data networks, VoIP networks are vulnerable to many of the same security risks,
including denial of service (DoS) attacks, service theft, tampering, and fraud. Many
conventional firewalls cannot protect VoIP networks from attacks because VoIP is
implemented at both the signaling and media layers. VoIP calls cannot go through these
firewalls unless a range of ports is opened, which exposes the network to
unauthorized access.
The FortiGate unit can effectively secure VoIP solutions since it supports VoIP protocols
such as SIP, MGCP, and H.323, and associates state at the signaling layer with packet
flows at the media layer. Using SIP ALG controls, the FortiGate unit understands the VoIP
signaling protocols used in the network and can dynamically open and close ports
(pinholes) for each specific VoIP call to maintain security.
The FortiGate Intrusion-prevention system (IPS) provides another strategic line of
defense, particularly against VoIP network predators. With its deep-packet inspection
capabilities, the FortiGate IPS can provide continuous surveillance across multiple
network sectors simultaneously, recognizing network traffic expected within each and
alerting network managers to malicious packets and other protocol anomalies.

SIP NAT
The FortiGate unit supports network address translation (NAT) of SIP because the
FortiGate ALG can modify the SIP headers correctly.
Because of its complexity, this section uses scenarios to explain the FortiGate SIP NAT
support.

Source NAT (SIP and RTP)


In the source NAT scenario, a SIP phone connects to the Internet through a FortiGate unit
with PPPoE. The FortiGate ALG translates all private IPs in the SIP contact header into
public IPs.
You need to configure an internal to external UDP firewall policy with NAT checked and a
SIP-enabled protection profile. For more information about firewall policies, see “Firewall
Policy” on page 313.

Figure 265: SIP source NAT (diagram; addresses recovered from the figure)
SIP phone (10.72.0.57) - FortiGate unit, public side 217.233.122.132 - Internet - SIP service provider, which has a SIP server (217.10.79.9) and a separate RTP server (217.10.69.11)


Destination NAT (SIP and RTP)


In the destination NAT scenario, a SIP phone can connect to a local IP using a FortiOS
VIP. The FortiGate unit translates the SIP contact header to the IP of the real SIP server
located outside.

Figure 266: SIP destination NAT (diagram; addresses recovered from the figure)
SIP phone (10.72.0.57) - FortiGate VIP (10.72.0.60), public side 217.233.122.132 - Internet - SIP service provider, which has a SIP server (217.10.79.9) and a separate RTP server (217.10.69.11)

In this scenario, the SIP phone connects to a VIP (10.72.0.60). The FortiGate SIP ALG
translates the SIP contact header to 217.10.79.9. The FortiGate ALG will open the RTP
pinholes and manage NAT.
The FortiGate unit also supports a variation of this scenario - the RTP server hides its real
address.

Figure 267: SIP destination NAT, RTP server hidden (diagram; addresses recovered from the figure)
SIP phone (219.29.81.21) - Internet - FortiGate VIP (217.233.90.60) - SIP server (10.0.0.60) and RTP server (192.168.200.99)

In this scenario, a SIP phone connects to the Internet. The VoIP service provider only
publishes a single public IP (a VIP). The SIP phone would connect to the FortiGate unit
(217.233.90.60) and the FortiGate unit would translate the SIP contact header to the SIP
server (10.0.0.60). The SIP server would change the SIP/SDP connection information
(which tells the SIP phone which RTP IP it should contact) also to 217.233.90.60.


Source NAT with IP pool


You can choose NAT with the Dynamic IP Pool option when configuring a firewall policy if
the source IP of the SIP packets is different from the interface IP. The FortiGate ALG
understands this configuration and translates the SIP header accordingly.
This configuration also applies to destination NAT.

Different source and destination NAT for SIP and RTP


This is a more complex scenario that a SIP service provider may use. It can also be
deployed in large scale SIP environments where RTP has to be processed by the
FortiGate unit and the RTP server IP has to be translated differently than the SIP server
IP.

Figure 268: Different source and destination NAT for SIP and RTP (diagram; addresses recovered from the figure)
SIP phone (219.29.81.20) and RTP server/media gateway (219.29.81.10) - Internet - FortiGate VIPs: SIP 217.233.90.60, RTP-1 217.233.90.65, RTP-2 217.233.90.70 - SIP server (10.0.0.60) and RTP servers (192.168.0.21 - 192.168.0.23)

This scenario assumes a SIP server and a separate media gateway. The SIP server is
configured so that the SIP phone (219.29.81.20) connects to 217.233.90.60. The media
gateway (RTP server: 219.29.81.10) connects to 217.233.90.65.
What happens is as follows:
1 The SIP phone connects to the SIP VIP. The FortiGate ALG translates the SIP contact
header to the SIP server: 219.29.81.20 > 217.233.90.60 (> 10.0.0.60).
2 The SIP server agrees to carry out RTP to 217.233.90.65.
3 The FortiGate ALG opens pinholes, assuming that it knows the ports to be opened.
4 RTP is sent to the RTP-VIP (217.233.90.65). The FortiGate ALG translates the SIP
contact header to 192.168.0.21.
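The header rewriting that the NAT scenarios above describe, as an added Python example that is not FortiOS code: it takes a constructed INVITE from the source NAT scenario (phone 10.72.0.57 behind the FortiGate public address 217.233.122.132, calling the SIP server 217.10.79.9), rewrites the Via and Contact headers and the SDP o=, c= and m= lines, recomputes Content-Length, and lists the RTP/RTCP pinholes the ALG would have to open for the returning media. The nat_port mapping, the sip.example.net domain and the sample message are assumptions made for the example.

```python
import re

# Constructed sample addresses taken from the source NAT scenario above.
PHONE_PRIVATE_IP = "10.72.0.57"
NAT_PUBLIC_IP = "217.233.122.132"
SIP_SERVER_IP = "217.10.79.9"


def build_message(start_line, headers, body):
    """Serialize a SIP message; Content-Length is always recomputed from the body."""
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    kept.append(("Content-Length", str(len(body.encode()))))
    head = "\r\n".join([start_line] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n" + body


def parse_message(message):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def nat_port(private_port):
    """Constructed port mapping; a real NAT device keeps a per-session table."""
    return 30000 + private_port % 10000


def translate_outbound(message, private_ip, public_ip):
    """Rewrite an outbound SIP request the way a SIP ALG must: signalling
    addresses in Via and Contact, media address and ports in the SDP body.
    Returns (rewritten message, pinholes); each pinhole is the UDP mapping
    that must be opened so the far end's RTP/RTCP can come back in."""
    start, headers, body = parse_message(message)

    new_headers = []
    for name, value in headers:
        if name.lower() in ("via", "contact"):
            value = value.replace(private_ip, public_ip)
        new_headers.append((name, value))

    pinholes = []
    sdp = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(private_ip, public_ip)
        media = re.match(r"m=(audio|video) (\d+) (.*)", line)
        if media:
            private_port = int(media.group(2))
            public_port = nat_port(private_port)
            # RTP uses the advertised port; RTCP uses the next port (RFC 3550).
            for offset in (0, 1):
                pinholes.append({
                    "proto": "udp",
                    "public": (public_ip, public_port + offset),
                    "private": (private_ip, private_port + offset),
                })
            line = f"m={media.group(1)} {public_port} {media.group(3)}"
        sdp.append(line)

    return build_message(start, new_headers, "\r\n".join(sdp)), pinholes


# Constructed INVITE as the phone would send it before translation.
SAMPLE_INVITE = build_message(
    f"INVITE sip:bob@{SIP_SERVER_IP} SIP/2.0",
    [
        ("Via", f"SIP/2.0/UDP {PHONE_PRIVATE_IP}:5060;branch=z9hG4bK776asdhds"),
        ("From", "<sip:alice@sip.example.net>;tag=1928301774"),
        ("To", f"<sip:bob@{SIP_SERVER_IP}>"),
        ("Call-ID", "a84b4c76e66710"),
        ("CSeq", "314159 INVITE"),
        ("Contact", f"<sip:alice@{PHONE_PRIVATE_IP}:5060>"),
        ("Content-Type", "application/sdp"),
    ],
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {PHONE_PRIVATE_IP}\r\n"
    "s=-\r\n"
    f"c=IN IP4 {PHONE_PRIVATE_IP}\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n",
)


if __name__ == "__main__":
    rewritten, holes = translate_outbound(SAMPLE_INVITE, PHONE_PRIVATE_IP, NAT_PUBLIC_IP)
    print(rewritten)
    for hole in holes:
        print("pinhole", hole)
```

The point the scenarios make is visible in the output: once the signalling has been rewritten, nothing in the message still names the private address, and the two pinholes are exactly the mappings the ALG must keep open for as long as the SIP session is alive.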


How SIP support works


The FortiGate unit uses firewall policies to protect communications between servers and
VoIP end devices. These policies restrict VoIP communication based on authorized end
devices or traffic sourced or destined for a particular IP address or interface. The
FortiGate unit segments the VoIP network, separating the voice traffic from other traffic to
ensure appropriate priority and policies are applied.
The workflow of the FortiOS SIP support is as follows:
1 Create a firewall protection profile that enables SIP (see “Enabling SIP support and
setting rate limiting from the web-based manager” on page 418).
Once the profile is included in a policy, the ALG will parse the SIP traffic and open the
RTP ports for each specific VoIP call.
When creating a protection profile, you configure SIP features using the web-based
manager and CLI. You then apply the profile to a firewall policy. You can apply a profile
to multiple policies.
2 Create a firewall policy that allows SIP and includes a SIP-enabled protection profile.
Specifically, select the “SIP” or “Any” pre-defined service for the policy.
When the FortiGate unit receives a SIP packet, it checks the packet against the firewall
policies. If the packet matches a policy, the FortiGate firewall inspects and processes
the packet according to the SIP profile applied to the policy.
For more information about firewall policies, see “Firewall Policy” on page 313.
3 Configure advanced SIP features as required (see “Configuring SIP” on page 418).

Configuring SIP
You configure most SIP features through the CLI. You can also enable SIP support, set
two rate limits, enable SIP logging, and view SIP statistics using the web-based manager.

Enabling SIP support and setting rate limiting from the web-based manager
To enable SIP support you need to:
• Enable SIP in an application control list.
• Select this application control list in a protection profile.
• Add this protection profile to a firewall policy that accepts SIP traffic.
From the web-based manager you can also configure some SIP rate limiting settings.
Rate limiting for SIP also limits SIMPLE traffic. SIP rate limiting is useful for protecting a
SIP server within a company. Most SIP servers do not have integrated controls and it is
very easy to flood SIP servers with INVITE or REGISTER requests.

To enable SIP and set rate limiting from the web-based manager
1 Go to UTM > Application Control.
2 If you want to enable SIP for an existing application control list, select the Edit icon for
that application control list. Otherwise, select Create New to add a new application list.
3 Select Create New in the application list to add a new application to the application
control list.
4 Set Application to SIP.
5 Select OK.


6 Make sure the application control list is selected in a protection profile and that the
protection profile is added to a firewall policy.
For more information about application control, see “Application control” on page 499.

Enabling SIP support from the CLI


From the FortiGate CLI, you can enable rate limiting for a more extensive range of SIP
requests, including ACK, INFO, NOTIFY, OPTIONS, PRACK, REFER, SUBSCRIBE, and
UPDATE. For more information, see FortiGate CLI Reference.
From the CLI, you enable SIP support using the config application list command
to add SIP to an application list. The config application list command uses
application list numbers to identify applications. SIP is application number 12.
Use the following command to enable SIP support in an application list:
config application list
  edit <list_name>
    config entries
      edit 12
      end
  end
Entering this command enables SIP support with all SIP settings set to defaults. See the
FortiGate CLI Reference for information about all of the SIP settings and their defaults.

Setting SIP rate limiting


Use the following command to enable SIP support in an application list and configure SIP
rate limiting:
config application list
  edit <list_name>
    config entries
      edit 12
        set register-rate 100
        set invite-rate 30
      end
  end

More about rate limiting


FortiGate units support rate limiting for the following types of VoIP traffic:
• Session Initiation Protocol (SIP)
• Skinny Call Control Protocol (SCCP)
• Session Initiation Protocol for Instant Messaging and Presence Leveraging Extensions
(SIMPLE)
Rate limiting of these VoIP protocols can be used to protect the FortiGate unit and your
network from SIP and SCCP Denial of Service (DoS) attacks. Rate limiting protects
against SIP DoS attacks by limiting the number of SIP register and invite requests that the
FortiGate unit receives per second. Rate limiting protects against SCCP DoS attacks by
limiting the number of SCCP call setup messages that the FortiGate unit receives per
minute.
When VoIP rate limiting is enabled, if the FortiGate unit receives more messages per
second (or minute) than the configured rate, the extra messages are dropped.


If you are experiencing denial of service attacks from traffic using these VoIP protocols,
you can enable VoIP rate limiting and limit the rates for your network. Set the limits
according to the amount of SIP and SCCP traffic that you expect the FortiGate unit to be
handling. You can adjust the settings if some calls are lost or if the amount of SIP or
SCCP traffic is affecting FortiGate unit performance.
From the CLI you can configure additional SIP and SCCP settings, as well as SIMPLE
extensions. For more information, see the description of the config sip, config sccp, and
config simple subcommands of the application command in the FortiGate CLI Reference.
You can also block SIMPLE sessions by enabling block login for the SIMPLE application.
For more information, see “Application control” on page 499.

Enabling SIP logging


You can log SIP events. For more information about enabling and configuring logging, see
“Log&Report” on page 603.
Go to Firewall > Protection Profile. Open an existing profile or select Create New to create
a new profile. Expand Logging.

Figure 269: Logging SIP events

Log VoIP Activity Select to log VoIP events.

Viewing SIP statistics


You can view VoIP statistics to gain insight into how the protocol is being used within the
network.
For more information, see “Monitor” on page 562.

Enabling advanced SIP features in an application list


You can configure advanced SIP features for an application list.
For more information, see the FortiGate CLI Reference.

Turning on SIP tracking


The FortiGate SIP ALG (Application Level Gateway) tracks the SIP session over its life
span. A SIP session (or SIP dialog) is normally established after the SIP INVITE
procedure. The ALG then tracks this call as a SIP session. A session can end by regular
BYE procedure, such as callers hanging up the phone, or by an unexpected signalling or
transport error.
With FortiOS, you can continue tracking a SIP session for a specified period of time even
when RTP (Real-time Transport Protocol) is lost.
In CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set call-keepalive <integer>
      end
  end


Managing RTP pinholing


Once you create a firewall policy that allows SIP, the FortiGate ALG will automatically
open the respective RTP ports as long as the SIP session is alive.
You can also manually close RTP ports. This may be useful in cases where the FortiGate
unit only acts as a signalling firewall while RTP is bypassed. Therefore, no pinholes need
to be created.
In CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set rtp disable
      end
  end

Blocking SIP requests


Since SIP requests can be transmitted via UDP, broadcast attacks are possible. To
prevent your site from being used as an intermediary in an attack, you can block various
SIP requests including ACK, INVITE, INFO, PRACK, and so on directed to broadcast
addresses at your router.
For example, you can type the following commands to block INVITE requests:
config application list
  edit <list_name>
    config entries
      edit 12
        set block-invite enable
      end
  end
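The rate limiting described under "More about rate limiting" and the request blocking described above, combined in one added Python example (not FortiOS code): a per-second counter per request method that drops messages beyond the configured register and invite rates, plus a set of blocked methods whose requests are dropped outright. The policy values, the constructed message stream and the helper names are assumptions for the example; the limits are set far lower than in the CLI example above so that the drop behaviour is visible on a short stream.

```python
from collections import Counter

# Policy modelled on the settings above. The numbers are constructed and much
# lower than the CLI example (register-rate 100, invite-rate 30) so that the
# drop behaviour shows up on a handful of messages.
POLICY = {
    "register_rate": 3,            # REGISTER requests accepted per second
    "invite_rate": 2,              # INVITE requests accepted per second
    "blocked_methods": {"INFO"},   # requests dropped outright, like block-invite above
}


def sip_method(datagram):
    """Return the method of a SIP request, or 'RESPONSE' for a status line."""
    first_line = datagram.split("\r\n", 1)[0]
    if first_line.startswith("SIP/2.0"):
        return "RESPONSE"
    return first_line.split(" ", 1)[0].upper()


class SipRequestPolicy:
    """Blocks configured methods and counts REGISTER/INVITE per one-second
    window; once a window's count exceeds the configured rate, the extra
    messages are dropped, as described under "More about rate limiting"."""

    def __init__(self, policy):
        self.blocked = policy["blocked_methods"]
        self.limits = {"REGISTER": policy["register_rate"],
                       "INVITE": policy["invite_rate"]}
        self.window = None
        self.counts = Counter()

    def decide(self, timestamp, datagram):
        method = sip_method(datagram)
        if method in self.blocked:
            return "blocked"
        limit = self.limits.get(method)
        if limit is None:
            return "pass"             # not rate limited (responses, ACK, BYE, ...)
        second = int(timestamp)
        if second != self.window:     # new one-second window: reset the counters
            self.window, self.counts = second, Counter()
        self.counts[method] += 1
        return "pass" if self.counts[method] <= limit else "dropped"


def request(method, uri="sip:pbx.example.net"):
    """Minimal constructed SIP request datagram."""
    return f"{method} {uri} SIP/2.0\r\nCSeq: 1 {method}\r\n\r\n"


# Constructed stream of (arrival time in seconds, datagram).
SAMPLE_STREAM = [
    (0.10, request("INVITE", "sip:bob@pbx.example.net")),
    (0.15, request("INVITE", "sip:bob@pbx.example.net")),
    (0.20, request("INVITE", "sip:bob@pbx.example.net")),   # third INVITE this second
    (0.25, request("INVITE", "sip:bob@pbx.example.net")),
    (0.30, request("INFO", "sip:bob@pbx.example.net")),     # blocked method
    (0.40, "SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\n\r\n"),      # responses are not limited
    (1.05, request("REGISTER")),
    (1.10, request("REGISTER")),
    (1.15, request("REGISTER")),
    (1.20, request("REGISTER")),                             # fourth REGISTER this second
    (1.30, request("INVITE", "sip:bob@pbx.example.net")),   # new window for INVITE
]


def run(stream, policy=POLICY):
    """Apply the policy to every datagram in arrival order; returns the decisions."""
    gate = SipRequestPolicy(policy)
    return [gate.decide(t, d) for t, d in stream]


if __name__ == "__main__":
    decisions = run(SAMPLE_STREAM)
    for (t, d), verdict in zip(SAMPLE_STREAM, decisions):
        print(f"{t:5.2f}s {sip_method(d):9} {verdict}")
    print(Counter(decisions))
```

The fixed one-second window is the simplest reading of "messages per second"; the consequence worth noting when tuning the limits is that a legitimate burst of registrations (for example many phones rebooting after a power cut) is throttled exactly like a flood, which is why the text above advises adjusting the rates when calls are lost.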

Archiving SIP communication


You can content archive SIP call metadata. Depending on your log configuration, you can
view the archived information. For more information, see “Log&Report” on page 603.
In CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set sip-archive-summary enable
      end
  end


Preserving NAT IP
In NAT operation mode, you can preserve the original source IP address in the SDP i line.
This allows the SIP server to parse this IP for billing purposes. In CLI, type the following
commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set nat-trace enable
      end
  end
In addition, you can overwrite or append the SDP i line:
config application list
  edit <list_name>
    config entries
      edit 12
        set preserve-override {enable | disable}
      end
  end
where selecting enable removes the original source IP address from the SDP i line and
disable appends the address.

Controlling SIP client connection


You can restrict SIP clients so that they connect only to the registrar itself. This can
prevent VoIP spoofing. In CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set strict-register enable
      end
  end

Accepting SIP register response


Enable reg-diff-port to accept a SIP register response from a SIP server even if the
source port of the register response is different from the destination port of the register
request.
Most SIP servers use 5060 as the source port in the SIP register response. Some SIP
servers, however, may use a different source port. If your SIP server uses a different
source port, you can enable reg-diff-port and the FortiGate SIP ALG will create a
temporary pinhole when receiving a register request from a SIP client. As a result, the
FortiGate unit will accept a register response with any source port number from the SIP
server. In CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set reg-diff-port enable
      end
  end


Controlling the SIP ALG


Enable contact-fixup so that the FortiGate ALG performs normal SIP NAT translation
to SIP contact headers as SIP sessions pass through the FortiGate unit.
Disable contact-fixup if you do not want the FortiGate ALG to perform normal SIP
NAT translation of the SIP contact header if a Record-Route header is also available. If
contact-fixup is disabled, the FortiGate ALG does the following with contact headers:
• For Contact in Requests, if a Record-Route header is present and the request comes
from the external network, the SIP Contact header is not translated.
• For Contact in Responses, if a Record-Route header is present and the response
comes from the external network, the SIP Contact header is not translated.
If contact-fixup is disabled, the FortiGate ALG must be able to identify the external
network. To identify the external network, you must use the config system
interface command to set the external keyword to enable for the interface that is
connected to the external network.
In CLI, type the following commands:
config application list
  edit <list_name>
    config entries
      edit 12
        set contact-fixup {enable | disable}
      end
  end


AntiVirus
This section describes how to configure the antivirus options associated with firewall
protection profiles.
If you enable virtual domains (VDOMs) on the FortiGate unit, most antivirus options are
configured separately for each virtual domain. However, the file quarantine, the virus list
and the grayware list are part of the global configuration. Only administrators with global
access can configure and manage the file quarantine, view the virus list, and configure the
grayware list. For details, see “Using virtual domains” on page 103.
This section describes:
• Order of operations
• Antivirus tasks
• Antivirus settings and controls
• File Filter
• File Quarantine
• Viewing the virus database information
• Viewing and configuring the grayware list
• Antivirus CLI configuration

Order of operations
The antivirus scanning function includes various modules and engines that perform separate
tasks. The FortiGate unit performs antivirus processing in the following order:
• File size
• File pattern
• File type
• Virus scan
• Grayware
• Heuristics
If a file fails any of the tasks of the antivirus scan, no further scans are performed. For
example, if the file “fakefile.EXE” is recognized as a blocked pattern, the FortiGate unit will
send the end user a replacement message and the file will be deleted or quarantined. The
virus scan, grayware, heuristics, and file type scans will not be performed, as the file has
already been determined to be a threat and has been dealt with.

Note: File filter includes file pattern and file type scans which are applied at different stages
in the antivirus process.


Figure 270: Order of operation (flowchart; decision points recovered from the figure)
Start: FTP, NNTP, SMTP, POP3, or IMAP traffic (file or message) is buffered after web filter and spam checking.
Decision: file/email exceeds the oversized file/email threshold? Yes: apply the oversized file/email action (Block or Pass). No: continue.
Decision: matching file pattern? Yes: apply the file pattern action (Block or Allow). No: continue.
Decision: file/email exceeds the oversized file/email threshold? Yes: Pass. No: continue.
Decision: AV scan detects infection? Yes: Block. No: continue.
Decision: matching file type? Yes: apply the file type action (Block or Allow). No: Pass.

Antivirus tasks
The antivirus tasks work in sequence to efficiently scan incoming files and offer your
network unparalleled antivirus protection. The first four tasks have specific functions; the
fifth, heuristics, covers new, previously unknown virus threats. To ensure that
your system is providing the most protection available, all virus definitions and signatures
are updated regularly through the FortiGuard antivirus services. The tasks are
discussed in the order in which they are applied, followed by FortiGuard antivirus.

File size
This task checks if files and email messages exceed configured thresholds. It is enabled
by setting the Oversized File/Email option under Firewall > Protection Profile > Antivirus to
Pass.
For more information, see “Anti-Virus options” on page 396.


File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The
FortiGate unit will check the file against the file pattern setting you have configured. If the
file is a blocked pattern, “.EXE” for example, then it is stopped and a replacement
message is sent to the end user. No other levels of protection are applied. If the file is not
a blocked pattern, the next level of protection is applied.

Virus scan
If the file passes the file pattern scan, it will have a virus scan applied to it. The virus
definitions are kept up to date through the Fortinet Distribution Network. The list is
updated on a regular basis so you do not have to wait for a firmware upgrade. For more
information on updating virus definitions, see “FortiGuard antivirus” on page 427.

Grayware
Once past the virus scan, the incoming file will be checked for grayware. Grayware
configurations can be turned on and off as required and are kept up to date in the same
manner as the antivirus definitions. For more information on configuring grayware please
see “Viewing and configuring the grayware list” on page 437.

Heuristics
After an incoming file has passed the grayware scan, it is subjected to the heuristics scan.
The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect
virus-like behavior or known virus indicators. In this way, heuristic scanning may detect
new viruses, but may also produce some false positive results.

Note: Heuristics is configurable only through the CLI. See the FortiGate CLI Reference.

File type
Once a file passes the heuristic scan, the FortiGate unit applies the file type recognition
filter. The FortiGate unit will check the file against the file type setting you have configured.
If the file is a blocked type, then it is stopped and a replacement message is sent to the
end user. No other levels of protection are applied. If the file is not a blocked type, the
next level of protection is applied.

FortiGuard antivirus
FortiGuard antivirus services are an excellent resource and include automatic updates of
virus and IPS (attack) engines and definitions, as well as the local spam DNSBL, through
the FortiGuard Distribution Network (FDN). The FortiGuard Center also provides the
FortiGuard antivirus virus and attack encyclopedia and the FortiGuard Bulletin. Visit the
Fortinet Knowledge Center for details and a link to the FortiGuard Center.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard. See “Configuring the FortiGate unit for FDN and
FortiGuard subscription services” on page 260 for more information.


Antivirus settings and controls


While antivirus settings are configured for system-wide use, specific settings can be
implemented on a per profile basis. Table 32 compares antivirus options in protection
profiles and the antivirus menu.

Note: If virtual domains are enabled, you configure antivirus file filtering and antivirus
settings in protection profiles separately for each virtual domain. Antivirus file quarantine
and grayware settings are part of the global configuration.

Table 32: Antivirus and Protection Profile antivirus configuration

Virus Scan
  Protection Profile antivirus option: Enable or disable virus scanning for each protocol (HTTP, FTP, IMAP, POP3, SMTP, IM).
  Antivirus setting: UTM > AntiVirus > Virus Database. View a read-only list of current viruses.
File Filter
  Protection Profile antivirus option: Enable or disable file pattern and file type handling for each protocol.
  Antivirus setting: UTM > AntiVirus > File Filter. Configure file patterns and types to block or allow files. Patterns and types can also be individually enabled or disabled.
Quarantine
  Protection Profile antivirus option: Enable or disable quarantining for each protocol. File Quarantine is only available on units with a local disk, or with a configured FortiAnalyzer unit.
  Antivirus setting: UTM > AntiVirus > Quarantined Files. View and sort the list of quarantined files, configure file patterns to upload automatically to Fortinet for analysis, and configure quarantining options in AntiVirus.
Pass fragmented email messages
  Protection Profile antivirus option: Enable or disable passing fragmented email messages. Fragmented email messages cannot be scanned for viruses.
Comfort Clients
  Protection Profile antivirus option: Enable or disable for HTTP and FTP traffic. Set the interval and byte amount to trigger client comforting.
Oversized file/email
  Protection Profile antivirus option: Configure the FortiGate unit to block or pass oversized files and email messages for each protocol. Set the size thresholds for files and email messages for each protocol in AntiVirus.
Grayware
  Antivirus setting: UTM > AntiVirus > Grayware. Enable or disable blocking of Grayware by category.
Add signature to outgoing email messages
  Protection Profile antivirus option: Create and enable a signature to append to outgoing email messages (SMTP only).


File Filter
Configure the FortiGate file filter to block files by:
• File pattern: Files can be blocked by name, extension, or any other pattern. File pattern
blocking provides the flexibility to block potentially harmful content.
File pattern entries are not case sensitive. For example, adding *.exe to the file
pattern list also blocks any files ending in .EXE.
In addition to the built-in patterns, you can specify more file patterns to block. For
details, see “Configuring the file filter list” on page 432.
• File type: Files can be blocked by type, without relying on the file name to indicate what
type of files they are. When blocking by file type, the FortiGate unit analyzes the file
and determines the file type regardless of the file name. For details about supported
file types, see “Built-in patterns and supported file types” on page 429.
For standard operation, you can choose to disable file filter in the protection profile, and
enable it temporarily to block specific threats as they occur.
The FortiGate unit can take any of the following three actions towards the files that match
a configured file pattern or type:
• Allow: the file will be allowed to pass.
• Block: the file will be blocked and a replacement message will be sent to the user. If
both file filter and virus scan are enabled, the FortiGate unit blocks files that match the
enabled file filter and does not scan these files for viruses.
The FortiGate unit also writes a message to the virus log and sends an alert email
message if configured to do so.
Files are compared to the enabled file patterns and then the file types from top to bottom.
If a file does not match any specified patterns or types, it is passed along to antivirus
scanning (if enabled). In effect, files are passed if not explicitly blocked.
Using the allow action, this behavior can be reversed with all files being blocked unless
explicitly passed. Simply enter all the file patterns or types to be passed with the allow
attribute. At the end of the list, add an all-inclusive wildcard (*.*) with a block action.
Allowed files continue to antivirus scanning (if enabled) while files not matching any
allowed patterns are blocked by the wildcard at the end.
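The order of operations described at the start of this section and the file filter semantics described above (case-insensitive patterns, first match in list order, pass unless explicitly blocked, and the allow-then-block-all reversal), as an added Python example that is not the FortiOS implementation. The stage order follows the task-by-task descriptions under "Antivirus tasks", where file type recognition is applied after the heuristic scan; the size threshold, the detection markers, the magic-byte table, the heuristic rule and the sample files are all constructed for the example.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class FilterEntry:
    kind: str            # "pattern": glob on the file name; "type": detected content type
    value: str
    action: str          # "allow" or "block"
    enabled: bool = True


# Leading-byte signatures, so the type is recognised whatever the file is called.
MAGIC = [
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
    (b"Rar!", "rar"),
]
# Constructed markers standing in for the virus and grayware signature databases.
VIRUS_MARKERS = [b"CONSTRUCTED-VIRUS-SAMPLE"]
GRAYWARE_MARKERS = [b"CONSTRUCTED-ADWARE-SAMPLE"]
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".scr", ".pif", ".cpl", ".dll")


def detect_type(data):
    """Content type from the first bytes; 'unknown' when no signature matches."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def first_match(entries, kind, subject):
    """Action of the first enabled entry of this kind that matches, in list
    order, or None. Patterns are compared case-insensitively, so *.exe also
    catches SETUP.EXE, and ? matches one character (*.xl? covers .xls/.xlt)."""
    for entry in entries:
        if not entry.enabled or entry.kind != kind:
            continue
        if kind == "pattern" and fnmatch.fnmatchcase(subject.lower(), entry.value.lower()):
            return entry.action
        if kind == "type" and subject == entry.value:
            return entry.action
    return None


def heuristic_suspicious(name, data):
    """Constructed heuristic: executable content under a non-executable name."""
    return detect_type(data) == "exe" and not name.lower().endswith(EXECUTABLE_EXTENSIONS)


def scan(name, data, policy):
    """Run the stages in order; the first stage that blocks ends the scan.
    Returns (verdict, stage) with verdict 'blocked' or 'passed'."""
    # 1. File size
    if len(data) > policy["oversized_threshold"] and policy["oversized_action"] == "block":
        return ("blocked", "size")
    # 2. File pattern: 'block' ends the scan; 'allow' or no match goes on to scanning
    if first_match(policy["filter"], "pattern", name) == "block":
        return ("blocked", "pattern")
    # 3. Virus scan
    if any(marker in data for marker in VIRUS_MARKERS):
        return ("blocked", "virus")
    # 4. Grayware
    if any(marker in data for marker in GRAYWARE_MARKERS):
        return ("blocked", "grayware")
    # 5. Heuristics (optional; may produce false positives)
    if policy["heuristics"] and heuristic_suspicious(name, data):
        return ("blocked", "heuristics")
    # 6. File type, decided from content rather than from the name
    if first_match(policy["filter"], "type", detect_type(data)) == "block":
        return ("blocked", "type")
    return ("passed", "clean")


# Constructed policies. DEFAULT_POLICY blocks a few patterns and the elf type;
# ALLOWLIST_POLICY reverses the default: listed patterns are allowed and the
# final *.* entry blocks everything else (as a glob, *.* needs a dot in the name).
DEFAULT_POLICY = {
    "oversized_threshold": 1_000_000,      # bytes
    "oversized_action": "block",
    "heuristics": True,
    "filter": [
        FilterEntry("pattern", "*.exe", "block"),
        FilterEntry("pattern", "*.xl?", "block"),
        FilterEntry("pattern", "*.bat", "block", enabled=False),
        FilterEntry("type", "elf", "block"),
    ],
}
ALLOWLIST_POLICY = {
    **DEFAULT_POLICY,
    "filter": [
        FilterEntry("pattern", "*.pdf", "allow"),
        FilterEntry("pattern", "*.txt", "allow"),
        FilterEntry("pattern", "*.*", "block"),
    ],
}

if __name__ == "__main__":
    print("SETUP.EXE", scan("SETUP.EXE", b"MZ\x90\x00", DEFAULT_POLICY))
    print("tool", scan("tool", b"\x7fELF\x02\x01", DEFAULT_POLICY))
    print("memo.pdf", scan("memo.pdf", b"%PDF-1.4", ALLOWLIST_POLICY))
```

Two behaviours from the text are worth checking against the output: an allowed pattern does not exempt a file from the virus scan (a .pdf carrying the constructed virus marker is still blocked at the virus stage), and a file whose name matches nothing but whose content is an ELF executable is caught only at the final file type stage, which is why the page treats pattern and type as two separate filters.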

Built-in patterns and supported file types


The FortiGate unit is preconfigured with a default list of file patterns:
• executable files (*.bat, *.com, and *.exe)
• compressed or archive files (*.gz, *.rar, *.tar, *.tgz, and *.zip)
• dynamic link libraries (*.dll)
• HTML application (*.hta)
• Microsoft Office files (*.doc, *.ppt, *.xl?)
• Microsoft Works files (*.wps)
• Visual Basic files (*.vb?)
• screen saver files (*.scr)
• program information files (*.pif)
• control panel files (*.cpl)


The FortiGate unit can take actions against the following file types:
Table 33: Supported file types
exe, bat, mime, javascript, html, hta, msoffice, elf, gzip, rar, tar, lzh, upx, zip, cab,
bzip2, bzip, activemime, hlp, arj, base64, binhex, uue, fsg, aspack, jad, class, cod, msc,
petite, sis, prc, unknown, ignored

Note: The “unknown” type is any file type that is not listed in the table. The “ignored” type is
the traffic the FortiGate unit typically does not scan. This includes primarily streaming audio
and video.

Viewing the file filter list catalog


You can add multiple file filter lists and then select the best file filter list for each protection
profile. To view the file filter list catalog, go to UTM > AntiVirus > File Filter. To view any
individual file filter list, select the edit icon for the list you want to see.

Figure 271: Sample file pattern list catalog

Note: The default file pattern list catalog is called builtin-patterns.

Create New Select Create New to add a new file filter list to the catalog.
Name The available file filter lists.
# Entries The number of file patterns or file types in each file filter list.
Profiles The protection profiles each file filter list has been applied to.
DLP Rule The DLP rules in which each filter is used.
Comments Optional description of each file filter list.
Delete icon Select to remove the file filter list from the catalog. The delete icon is only
available if the file filter list is not selected in any protection profiles.
Edit icon Select to edit the file filter, its name and comment.

The file filter list will be used in protection profiles. For more information, see “Anti-Virus
options” on page 396.


Creating a new file filter list


To add a file pattern list to the file pattern list catalog, go to UTM > AntiVirus > File Filter
and select Create New.

Figure 272: New File Filter List dialog box

Name Enter the name of the new list.
Comment Enter a comment to describe the list, if required.

Viewing the file filter list


To view the file filter list, go to UTM > AntiVirus > File Filter and select the edit icon of the
file filter list you want to view.

Figure 273: Sample file filter list

The file filter list has the following icons and features:

Name File filter list name. To change the name, edit text in the name field and select
OK.
Comment Optional comment. To add or edit the comment, enter text in the Comment field and
select OK.
OK If you make changes to the list name or comments, select OK to save the
changes.
Create New Select Create New to add a new file pattern or type to the file filter list.
Filter The current list of file patterns and types.
Action Files matching the file patterns and types can be set to block, allow, or
intercept. For information about actions, see “File Filter” on page 429.
Enable Clear the checkbox to disable the file pattern or type.
Delete icon Select to remove the file pattern or type from the list.
Edit icon Select to edit the file pattern/type and action.
Move To icon Select to move the file pattern or type to any position in the list.


Configuring the file filter list


For file patterns, you can add a maximum of 5000 patterns to a list. For file types, you can
only select from the supported types.

Figure 274: New file filter

To add a file pattern or type, go to UTM > AntiVirus > File Filter, select the Edit icon of the
file filter list you want to change, and then select Create New.

Filter Type Select File Name Pattern to add a file pattern, or select File Type and then
choose a file type from the supported file type list.
Pattern Enter the file pattern. The file pattern can be an exact file name or can include
wildcards. The file pattern can be up to 80 characters long.
File Type Select a file type from the list. For information about supported file types, see “Built-
in patterns and supported file types” on page 429.
Action Select an action from the drop-down list: Block, Allow, or Intercept. For more
information about actions, see “File Filter” on page 429.
Enable Select to enable the pattern.
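The following is an added example, not FortiGate code, that models the file filter behaviour described on this page: entries are evaluated in order, the first enabled entry that matches decides the action, and a file that matches nothing continues to antivirus scanning (so an allow list ends with a blocking `*` wildcard). It also checks the limits stated above (5000 patterns per list, 80 characters per pattern) and restricts File Type entries to the names in Table 33. Case-insensitive matching, the "block" action on the default builtin-patterns list, and the way the detected file type is passed in are assumptions of this example, not statements from the guide.

```python
"""Added example (not FortiGate code): first-match evaluation of an ordered
file filter list as the File Filter section describes it.

Assumptions not stated on the page: patterns match case-insensitively with
shell-style wildcards (* and ?); the detected file type is passed in by the
caller; the builtin-patterns list is assumed to block.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

ACTIONS = ("block", "allow", "intercept")
MAX_PATTERNS = 5000        # per list, from "Configuring the file filter list"
MAX_PATTERN_LEN = 80       # characters, from the same section

# Supported file types, copied from Table 33.
FILE_TYPES = {
    "exe", "bat", "mime", "javascript", "html", "hta", "msoffice", "elf",
    "gzip", "rar", "tar", "lzh", "upx", "zip", "cab", "bzip2",
    "bzip", "activemime", "hlp", "arj", "base64", "binhex", "uue", "fsg",
    "aspack", "jad", "class", "cod", "msc", "petite", "sis", "prc",
    "unknown", "ignored",
}


@dataclass
class FilterEntry:
    kind: str            # "pattern" (File Name Pattern) or "type" (File Type)
    value: str           # e.g. "*.exe" or "msoffice"
    action: str          # block, allow or intercept
    enabled: bool = True


def validate_list(entries: List[FilterEntry]) -> None:
    """Enforce the limits the guide states and reject unknown types/actions."""
    if sum(1 for e in entries if e.kind == "pattern") > MAX_PATTERNS:
        raise ValueError("too many patterns (max %d)" % MAX_PATTERNS)
    for e in entries:
        if e.action not in ACTIONS:
            raise ValueError("unknown action %r" % e.action)
        if e.kind == "pattern":
            if not 0 < len(e.value) <= MAX_PATTERN_LEN:
                raise ValueError("pattern must be 1-%d characters" % MAX_PATTERN_LEN)
        elif e.kind == "type":
            if e.value not in FILE_TYPES:
                raise ValueError("unsupported file type %r" % e.value)
        else:
            raise ValueError("kind must be 'pattern' or 'type'")


def evaluate(entries: List[FilterEntry], file_name: str,
             file_type: str) -> Optional[str]:
    """Return the action of the first enabled matching entry, or None when
    nothing matches (the file then continues to antivirus scanning)."""
    name = file_name.lower()
    for e in entries:
        if not e.enabled:
            continue
        if e.kind == "pattern" and fnmatchcase(name, e.value.lower()):
            return e.action
        if e.kind == "type" and e.value == file_type:
            return e.action
    return None


def builtin_patterns() -> List[FilterEntry]:
    """The default pattern list from the guide (block action is assumed)."""
    defaults = ["*.bat", "*.com", "*.exe", "*.gz", "*.rar", "*.tar", "*.tgz",
                "*.zip", "*.dll", "*.hta", "*.doc", "*.ppt", "*.xl?", "*.wps",
                "*.vb?", "*.scr", "*.pif", "*.cpl"]
    return [FilterEntry("pattern", p, "block") for p in defaults]


def allow_list_example() -> List[FilterEntry]:
    """Constructed allow list: named document types pass on to virus scanning,
    everything else is blocked by the trailing wildcard (which must stay last)."""
    return [
        FilterEntry("pattern", "*.doc", "allow"),
        FilterEntry("pattern", "*.pdf", "allow"),
        FilterEntry("type", "msoffice", "allow"),   # match on detected type too
        FilterEntry("pattern", "*", "block"),
    ]


if __name__ == "__main__":
    for lst in (builtin_patterns(), allow_list_example()):
        validate_list(lst)
    print(evaluate(allow_list_example(), "Quarterly Report.doc", "msoffice"))
    print(evaluate(allow_list_example(), "setup.exe", "exe"))
    print(evaluate(builtin_patterns(), "notes.txt", "unknown"))
```

Because the list is ordered and first-match wins, moving the `*` entry above an allow entry silently turns the allow list into a block-everything list; the Move To icon described above is therefore worth checking after every edit.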

File Quarantine
FortiGate units with a local disk can quarantine blocked and infected files. View the file
name and status information about the file in the Quarantined Files list. Submit specific
files and add file patterns to the AutoSubmit list so they will automatically be uploaded to
Fortinet for analysis.
FortiGate units without a local disk can quarantine blocked and infected files to a
FortiAnalyzer unit. Files stored on the FortiAnalyzer can be retrieved for viewing. To
configure the FortiAnalyzer unit, go to Log & Report > Log Config > Log Setting.
File quarantine configuration involves several steps.

To configure and enable file quarantine


1 Go to UTM > AntiVirus > Config to configure the quarantine service and destination.
For details, see “Configuring quarantine options” on page 435.
2 Go to Firewall > Protection Profile to enable quarantine for required protocols in the
protection profiles. For details, see “Configuring a protection profile” on page 393.
3 Go to Firewall > Policy and use the protection profile in a policy.


Viewing the File Quarantine list


The Quarantined Files list displays information about each file that was quarantined because
of virus infection or file blocking. Sort the files by file name, date, service, status, duplicate
count (DC), or time to live (TTL). Filter the list to view only quarantined files with a specific
status or from a specific service.
To view the Quarantined Files list, go to UTM > AntiVirus > Quarantined Files.

Figure 275: File Quarantine list

The file quarantine list displays the following information about each quarantined file:

Source Either FortiAnalyzer or Local disk, depending on where you have configured
quarantined files to be stored.
Sort by Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate
Count. Select Apply to complete the sort.
Filter Filter the list. Choose either Status (infected, blocked, or heuristics) or Service
(IMAP, POP3, SMTP, FTP, HTTP, IM, or NNTP). Heuristics mode is configurable
through the CLI only. See “Antivirus CLI configuration” on page 438.
Apply Select to apply the sorting and filtering selections to the list of quarantined files.
Delete Select to delete the selected files.
Page Controls Use the controls to page through the list. For details, see “Using page controls
on web-based manager lists” on page 59.
Remove All Entries Removes all quarantined files from the local hard disk. This icon only
appears when the files are quarantined to the hard disk.
File Name The processed file name of the quarantined file. When a file is quarantined, all
spaces are removed from the file name, and a 32-bit checksum is performed on
the file. The checksum appears in the replacement message but not in the
quarantined file. The file is stored on the FortiGate hard disk with the following
naming convention:
<32bit_CRC>.<processed_filename>
For example, a file named Over Size.exe is stored as 3fc155d2.oversize.exe.
Date The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm.
This value indicates the time that the first file was quarantined if the duplicate
count increases.
Service The service from which the file was quarantined (HTTP, FTP, IMAP, POP3,
SMTP, IM, or NNTP).
Status The reason the file was quarantined: infected, heuristics, or blocked.


Status Description Specific information related to the status, for example, “File is infected
with W32/Klez.h” or “File was stopped by file block pattern.”
DC Duplicate count. A count of how many duplicates of the same file were
quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit
labels the file as EXP under the TTL heading. In the case of duplicate files, each
duplicate found refreshes the TTL.
The TTL information is not available if the files are quarantined on a
FortiAnalyzer unit.
Upload status Y indicates the file has been uploaded to Fortinet for analysis, N indicates the file
has not been uploaded.
This option is available only if the FortiGate unit has a local hard disk.
Download icon Select to download the corresponding file in its original format.
This option is available only if the FortiGate unit has a local hard disk.
Submit icon Select to upload a suspicious file to Fortinet for analysis.
This option is available only if the FortiGate unit has a local hard disk.

Note: Duplicates of files (based on the checksum) are not stored, only counted. The TTL
value and the duplicate count are updated each time a duplicate of a file is found.

Viewing the AutoSubmit list


If the FortiGate unit has a local hard disk, you can configure the FortiGate unit to upload
suspicious files automatically to Fortinet for analysis. You can add file patterns to the
AutoSubmit list using wildcard characters (* or ?). File patterns are applied for AutoSubmit
regardless of file blocking settings.
Upload files to Fortinet based on status (blocked or heuristics), or submit individual files
directly from the file quarantine. The FortiGate unit uses encrypted email to autosubmit
files to an SMTP server through port 25.
To view the AutoSubmit list, go to UTM > AntiVirus > AutoSubmit.
The autosubmit feature is not available on the FortiGate models without a local hard disk.

Figure 276: Sample AutoSubmit list

The AutoSubmit list has the following icons and features:

Create New Select to add a new file pattern to the AutoSubmit list.
File Pattern The current list of file patterns that will be automatically uploaded.
Create a pattern by using ? or * wildcard characters. Enable the
check box to enable all file patterns in the list.
Delete icon Select to remove the entry from the list.
Edit icon Select to edit the following information: File Pattern and Enable.


Configuring the AutoSubmit list


To add a file pattern to the AutoSubmit list, go to UTM > AntiVirus > AutoSubmit. Note that
the autosubmit feature is available only if your FortiGate unit has a local hard disk.

Figure 277: New File Pattern dialog box

File Pattern Enter the file pattern or file name to be uploaded automatically to Fortinet.
Enable Select to enable the file pattern.

Note: To enable automatic uploading of the configured file patterns, go to AntiVirus > File
Quarantine > Config, select Enable AutoSubmit, and select Use File Pattern.

Configuring quarantine options


Go to UTM > AntiVirus > Config to set quarantine configuration options, such as whether
to quarantine blocked or infected files and from which service.

Figure 278: Quarantine Configuration (FortiGate unit with local disk)

Quarantine configuration has the following options:

Options Quarantine Infected Files: Select the protocols from which to quarantine infected
files identified by antivirus scanning.
Quarantine Suspicious Files: Select the protocols from which to quarantine
suspicious files identified by heuristic scanning.
Quarantine Blocked Files: Select the protocols from which to quarantine blocked
files identified by antivirus file filtering. The Quarantine Blocked Files option is not
available for IM because a file name is blocked before downloading and cannot
be quarantined.


Age limit The time limit in hours for which to keep files in quarantine. The age limit is used
to formulate the value in the TTL column of the quarantined files list. When the
limit is reached, the TTL column displays EXP and the file is deleted (although the
entry in the quarantined files list is maintained). Entering an age limit of 0 (zero)
means files are stored on disk indefinitely, subject to the low disk space action.
Max filesize to quarantine The maximum size of quarantined files in MB. Setting the maximum
file size too large may affect performance.
Low disk space Select the action to take when the local disk is full: overwrite the oldest file or drop
the newest file.
FortiAnalyzer Select to enable storage of blocked and quarantined files on a FortiAnalyzer unit.
See “Log&Report” on page 603 for more information about configuring a
FortiAnalyzer unit.
Enable AutoSubmit Enable AutoSubmit: enables the automatic submission feature. Select one or
both of the options below.
Use file pattern: Enables the automatic upload of files matching the file patterns in
the AutoSubmit list.
Use file status: Enables the automatic upload of quarantined files based on their
status. Select either Heuristics or Block Pattern.
Heuristics is configurable through the CLI only. See “Antivirus CLI configuration”
on page 438.
Apply Select to save the configuration.
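The following is an added example, not FortiGate code, that ties together the quarantine bookkeeping described in this section: the `<32bit_CRC>.<processed_filename>` naming convention from the File Name column, the rule that duplicates (by checksum) are counted rather than stored and refresh the TTL, the Date column keeping the time of the first copy, the Age limit (0 keeps files indefinitely) driving the TTL/EXP display, the Max filesize to quarantine limit, and the Low disk space action. The checksum algorithm (CRC-32 via `zlib.crc32`), the lower-casing of the processed name (inferred from the guide's `Over Size.exe` example), the `--` shown for an indefinite TTL, and a fixed number of stored files standing in for "disk full" are assumptions of this example.

```python
"""Added example (not FortiGate code): a model of the file quarantine list.
Assumptions: CRC-32 (zlib.crc32) is the 32-bit checksum; the processed name
removes spaces and lower-cases; a file count stands in for "disk full";
an indefinite TTL is shown as "--"."""
import zlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


def processed_name(original: str) -> str:
    # "Over Size.exe" -> "oversize.exe" (lower-casing is assumed)
    return original.replace(" ", "").lower()


def checksum(data: bytes) -> str:
    return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)


def stored_name(data: bytes, original: str) -> str:
    """Name on disk: <32bit_CRC>.<processed_filename>."""
    return "%s.%s" % (checksum(data), processed_name(original))


@dataclass
class QuarantineEntry:
    file_name: str               # processed file name shown in the list
    status: str                  # infected, heuristics or blocked
    service: str                 # HTTP, FTP, IMAP, POP3, SMTP, IM or NNTP
    date: datetime               # time the FIRST copy was quarantined
    expires: Optional[datetime]  # None = age limit 0, keep indefinitely
    dc: int = 1                  # duplicate count
    on_disk: bool = True         # False once expired or overwritten


class Quarantine:
    def __init__(self, age_limit_hours: int = 0, max_filesize_mb: int = 10,
                 max_files: int = 100, low_disk_action: str = "overwrite_oldest"):
        if low_disk_action not in ("overwrite_oldest", "drop_newest"):
            raise ValueError("low_disk_action: overwrite_oldest or drop_newest")
        self.age_limit = timedelta(hours=age_limit_hours) if age_limit_hours else None
        self.max_bytes = max_filesize_mb * 1024 * 1024
        self.max_files = max_files
        self.low_disk_action = low_disk_action
        self.entries: Dict[str, QuarantineEntry] = {}   # keyed by checksum

    def _stored(self):
        return [e for e in self.entries.values() if e.on_disk]

    def add(self, data: bytes, original: str, status: str, service: str,
            now: datetime) -> Optional[QuarantineEntry]:
        """Quarantine a file; returns its list entry, or None if not stored."""
        if len(data) > self.max_bytes:
            return None                       # above "Max filesize to quarantine"
        entry = self.entries.get(checksum(data))
        if entry is not None:
            entry.dc += 1                     # duplicate: counted, not stored
            if self.age_limit:
                entry.expires = now + self.age_limit   # TTL refreshed
            return entry
        if len(self._stored()) >= self.max_files:      # low disk space action
            if self.low_disk_action == "drop_newest":
                return None
            min(self._stored(), key=lambda e: e.date).on_disk = False
        entry = QuarantineEntry(
            file_name=processed_name(original), status=status, service=service,
            date=now, expires=(now + self.age_limit) if self.age_limit else None)
        self.entries[checksum(data)] = entry
        return entry

    def ttl(self, entry: QuarantineEntry, now: datetime) -> str:
        """TTL column text: hh:mm remaining, or EXP once the age limit passed."""
        if entry.expires is None:
            return "--"
        left = entry.expires - now
        if left <= timedelta(0):
            return "EXP"
        return "%02d:%02d" % divmod(int(left.total_seconds() // 60), 60)

    def expire(self, now: datetime) -> int:
        """Delete expired files but keep their list entries; returns the count."""
        removed = 0
        for e in self._stored():
            if e.expires is not None and e.expires <= now:
                e.on_disk = False
                removed += 1
        return removed
```

A rapidly rising `dc` on one entry is the outbreak indicator the DC column description mentions; because duplicates never consume disk, that signal survives even when the low disk space action is overwriting older files.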

Viewing the virus database information


The FortiGate unit contains the wildlist antivirus database. It is used to detect viruses in
network traffic. In addition to the wildlist antivirus database, which contains actively
spreading viruses, some newer FortiGate models are also equipped with an extended
antivirus database, which contains viruses that are not considered to be actively
spreading. If required, you can enable this feature to allow the FortiGate unit to scan for
non-active viruses. For details, see “Anti-Virus options” on page 396.
To view information about the virus databases, go to UTM > AntiVirus > Virus Database.
The information displayed is refreshed every time the FortiGate unit receives a new
version of the FortiGuard antivirus definitions.
The FortiGuard Center Virus Encyclopedia contains detailed descriptions of the viruses,
worms, trojans, and other threats that can be detected and removed by your FortiGate unit
using the information in the FortiGuard virus definitions.

Figure 279: Virus database information


Usually the FortiGuard AV definitions are updated automatically from the FortiGuard
Distribution Network (FDN). Go to System > Maintenance > FortiGuard to configure
automatic antivirus definition updates from the FDN.
You can also update the antivirus definitions manually from the system dashboard (go to
System > Status).

Viewing and configuring the grayware list


Grayware programs are unsolicited commercial software programs that get installed on
computers, often without the user’s consent or knowledge. Grayware programs are
generally considered an annoyance, but these programs can cause system performance
problems or be used for malicious ends.
The FortiGate unit scans for known grayware executable programs in each enabled
category. The category list and contents are added or updated whenever the FortiGate
unit receives a virus update package. New categories may be added at any time and will
be loaded with the virus updates. By default, all new categories are disabled. Grayware is
enabled in a protection profile when Virus Scan is enabled.
Grayware categories are populated with known executable files. Each time the FortiGate
unit receives a virus and attack definitions update, the grayware categories and contents
are updated.
To view the grayware list, go to UTM > AntiVirus > Grayware.

Figure 280: Sample grayware options

Enabling a grayware category blocks all files listed in the category. The categories may
change or expand when the FortiGate unit receives updates. You can choose to enable
the following grayware categories:

Adware Block adware programs. Adware is usually embedded in freeware programs and
causes ads to pop up whenever the program is opened or used.
BHO Block browser helper objects. BHOs are DLL files that are often installed as part of a
software package so the software can control the behavior of Internet Explorer 4.x and
later. Not all BHOs are malicious, but the potential exists to track surfing habits and
gather other information.
Dial Block dialer programs. Dialers allow others to use the PC modem to call premium
numbers or make long distance calls.


Download Block download programs. Download components are usually run at Windows startup
and are designed to install or download other software, especially advertising and dial
software.
Game Block games. Games are usually joke or nuisance games that you may want to block
from network users.
HackerTool Block hacker tools.
Hijacker Block browser hijacking programs. Browser hijacking occurs when a ‘spyware’ type
program changes web browser settings, including favorites or bookmarks, start pages,
and menu options.
Joke Block joke programs. Joke programs can include custom cursors and programs that
appear to affect the system.
Keylog Block keylogger programs. Keylogger programs can record every keystroke made on
a keyboard including passwords, chat, and instant messages.
Misc Block any programs included in the miscellaneous grayware category.
NMT Block network management tools. Network management tools can be installed and
used maliciously to change settings and disrupt network security.
P2P Block peer-to-peer communications programs. P2P, while a legitimate protocol, is
synonymous with file sharing programs that are used to swap music, movies, and
other files, often illegally.
Plugin Block browser plugins. Browser plugins can often be harmless Internet browsing tools
that are installed and operate directly from the browser window. Some toolbars and
plugins can attempt to control or record and send browsing preferences.
RAT Block remote administration tools. Remote administration tools allow outside users to
remotely change and monitor a computer on a network.
Spy Block spyware programs. Spyware, like adware, is often included with freeware.
Spyware is a tracking and analysis program that can report your activities, such as
web browsing habits, to the advertiser’s web site where it may be recorded and
analyzed.
Toolbar Block custom toolbars. While some toolbars are harmless, spyware developers can
use these toolbars to monitor web habits and send information back to the developer.

Antivirus CLI configuration


This section describes the CLI commands that extend features available through the web-
based manager. For complete descriptions and examples of how to enable additional
features through CLI commands, see the FortiGate CLI Reference.

system global optimize


The optimize feature configures CPU settings to ensure efficient operation of the FortiGate
unit for either antivirus scanning or straight throughput traffic. When optimize is set to
antivirus, the FortiGate unit uses symmetric multiprocessing to spread the antivirus tasks
to several CPUs, making scanning faster.
This feature is available on models numbered 1000 and higher.
For more information, see the Antivirus failopen and optimization Fortinet Knowledge
Center article.

config antivirus heuristic


The FortiGate heuristic antivirus engine performs tests on files to detect virus-like
behavior or known virus indicators. Heuristic scanning is performed last, after file blocking
and virus scanning have found no matches. In this way, heuristic scanning may detect
new viruses, but may also produce some false positive results.


The heuristic engine is disabled by default. You need to enable it to pass suspected files
to the recipient and send a copy to the file quarantine. Once enabled in the CLI, heuristic
scanning is enabled in a protection profile when Virus Scan is enabled.
Use the heuristic command to change the heuristic scanning mode.

config antivirus quarantine


The quarantine command also allows configuration of heuristic related settings.
This feature is available on models numbered 200 and higher.

config antivirus service <service_name>


Use this command to configure how the FortiGate unit handles antivirus scanning of large
files in HTTP, FTP, IM, POP3, IMAP, or SMTP traffic, and what ports the FortiGate unit
scans for the service.


Intrusion Protection
The FortiGate Intrusion Protection system combines signature and anomaly detection and
prevention with low latency and excellent reliability. With Intrusion Protection, you can
create multiple IPS sensors, each containing a complete configuration based on
signatures. Then, you can apply any IPS sensor to each protection profile. You can also
create DoS sensors to examine traffic for anomaly-based attacks.
This section describes how to configure the FortiGate Intrusion Protection settings. For
more information about Intrusion Protection, see the FortiGate Intrusion Protection
System (IPS) Guide.
If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is
configured separately for each virtual domain. For details, see “Using virtual domains” on
page 103.
This section describes:
• About intrusion protection
• Signatures
• Custom signatures
• Protocol decoders
• IPS sensors
• DoS sensors
• Intrusion protection CLI configuration

About intrusion protection


The FortiGate unit can log suspicious traffic, send alert email messages to system
administrators, and log, pass, or block suspicious packets or sessions. You can adjust the
DoS sensor anomaly thresholds to work best with the normal traffic on the protected
networks. You can also create custom signatures to tailor the FortiGate Intrusion
Protection system to your network environment.
The FortiGate Intrusion Protection system matches network traffic against patterns
contained in attack signatures. Attack signatures reliably protect your network from known
attacks. Fortinet’s FortiGuard infrastructure ensures the rapid identification of new threats
and the development of new attack signatures.
FortiGuard services provide automatic updates of virus and intrusion protection (attack)
engines and definitions to FortiGate customers through the FortiGuard Distribution
Network (FDN). The FortiGuard Center also provides the FortiGuard virus and attack
encyclopedia and the FortiGuard Bulletin. Visit the Fortinet Knowledge Center for details
and a link to the FortiGuard Center.
For more information about configuring the connection between the FortiGate unit and
FortiGuard see “Configuring the FortiGate unit for FDN and FortiGuard subscription
services” on page 260.


Using Intrusion Protection, you can configure the FortiGate unit to check for and
automatically download updated attack definition files containing the latest signatures, or
download the updated attack definition file manually. Alternatively, you can configure the
FortiGate unit to allow push updates of the latest attack definition files as soon as they are
available from the FortiGuard Distribution Network.
You can also create custom attack signatures for the FortiGate unit to use in addition to an
extensive list of predefined attack signatures.
Whenever the Intrusion Protection system detects or prevents an attack, it generates an
attack log message. You can configure the FortiGate unit to add the message to the attack
log and send an alert email to administrators, as well as schedule how often it should send
this alert email. You can also reduce the number of log messages and alerts by disabling
signatures for attacks that will not affect your network. For example, you do not need to
enable signatures to detect web attacks when there is no web server to protect.
You can also use the packet logging feature to analyze packets for false positive detection.
For more information about FortiGate logging and alert email, see “Log&Report” on
page 603.

Intrusion Protection settings and controls


You can configure the Intrusion Protection system and then select IPS sensors in
individual firewall protection profiles.
For information about creating IPS sensors, see “Configuring IPS sensors” on page 448.
For information about accessing and modifying the protection profile IPS sensor selection,
see “IPS options” on page 398. For information about creating DoS Sensors, see “DoS
sensors” on page 455.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.

When to use Intrusion Protection


Intrusion Protection is best for large networks or for networks protecting highly sensitive
information. Using IPS effectively requires monitoring and analysis of the attack logs to
determine the nature and threat level of an attack. An administrator can adjust the
threshold levels to ensure a balance between performance and intrusion prevention.
Small businesses and home offices without network administrators may be overrun with
attack log messages and not have the networking background required to configure the
thresholds and other IPS settings.
However, the other protection features in the FortiGate unit, such as antivirus (including
grayware), spam filters, and web filters offer excellent protection for all networks.


Signatures
The FortiGate Intrusion Protection system can use signatures once you have grouped the
required signatures in an IPS sensor, and then selected the IPS sensor in the protection
profile. If required, you can override the default settings of the signatures specified in an
IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should
check their settings before using them, to ensure they meet your network requirements.
By using only the signatures you require, you can improve system performance and
reduce the number of log messages and alert email messages the IPS sensor generates.
For example, if the FortiGate unit is not protecting a web server, do not include any web
server signatures.

Note: Some default protection profiles include IPS Sensors that use all the available
signatures. By using these default settings, you may be slowing down the overall
performance of the FortiGate unit. By creating IPS sensors with only the signatures your
network requires, you can ensure maximum performance as well as maximum protection.

Viewing the predefined signature list


The predefined signature list displays the characteristics of each signature. Use these
characteristics to define which signatures are included in your IPS sensors. The signature
list also displays the default action, the default logging status, and whether the signature is
enabled by default.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.

To view the predefined signature list, go to UTM > Intrusion Protection > Predefined. You
can also use filters to display the signatures you want to view. For more information, see
“Using display filters” on page 444.

Figure 281: Predefined signature list


By default, the signatures are sorted by name. To sort the table by another column, select
the header of the column to sort by.

Current Page The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of signatures.
Column Settings Select to customize the signature information displayed in the table. You can
also readjust the column order.


Clear All Filters If you have applied filtering to the predefined signature list display, select this
option to clear all filters and display all the signatures.
Name The name of the signature, linked to the FortiGuard Center web page about the
signature.
Severity The severity rating of the signature. The severity levels, from lowest to highest,
are Information, Low, Medium, High, and Critical.
Target The target of the signature: servers, clients, or both.
Protocols The protocol the signature applies to.
OS The operating system the signature applies to.
Applications The applications the signature applies to.
Enable The default status of the signature. A green circle indicates the signature is
enabled. A gray circle indicates the signature is not enabled.
Action The default action for the signature:
Pass — allows the traffic to continue without any modification.
Drop — prevents the traffic with detected signatures from reaching its
destination.
If Logging is enabled, the action appears in the status field of the log message
generated by the signature.
ID A unique numeric identifier for the signature.
Logging The default logging behavior of the signature. A green circle indicates logging is
enabled. A gray circle indicates logging is disabled.
Group A functional group that is assigned to that signature. This group is only for
reference and cannot be used to define filters.
Packet Log The default packet log status of the signature. A green circle indicates that the
packet log is enabled. A gray circle indicates that the packet log is not enabled.
Revision The revision level of the signature. If the signature is updated, the revision
number will be incremented.

Tip: To determine what effect IPS protection would have on your network traffic, you can
enable the required signatures, set the action to pass, and enable logging. Traffic will not be
interrupted, but you will be able to examine in detail which signatures were detected.

Using display filters


By default, all the predefined signatures are displayed. You can apply filters to display only
the signatures you want to view. For example, if you want to view only the Windows
signatures, you can use the OS status filter. For more information, see “Adding filters to
web-based manager lists” on page 56.

To apply filters to the predefined signature list


1 Go to UTM > Intrusion Protection > Predefined.
2 Select the filter icon beside any column name in the signature table.
3 In Edit Filters, specify the filtering criteria. The criteria will vary depending on the
column name.
4 Select the Enable check box.
5 Select OK.


Custom signatures
Custom signatures provide the power and flexibility to customize the FortiGate Intrusion
Protection system for diverse network environments. The FortiGate predefined signatures
represent common attacks. If you use an unusual or specialized application or an
uncommon platform, you can add custom signatures based on the security alerts released
by the application and platform vendors.
You can also create custom signatures to help you block P2P protocols.
After creation, you need to specify custom signatures in IPS sensors created to scan
traffic. For more information about creating IPS sensors, see “Adding an IPS sensor” on
page 448.
For more information about custom signatures, see the FortiGate Intrusion Protection
System (IPS) Guide.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.

Viewing the custom signature list


To view the custom signature list, go to UTM > Intrusion Protection > Custom.

Figure 282: The custom signature list


Create New Select to create a new custom signature.
Name The custom signature name.
Signature The signature syntax.
Delete and Edit icons Delete or edit the custom signature.

Creating custom signatures


Use custom signatures to block or allow specific traffic. For example, to block traffic
containing profanity, add custom signatures similar to the following:

    set signature 'F-SBID (--protocol tcp; --flow bi_direction; --pattern "bad words"; --no_case)'

For more information on custom signature syntax, see the FortiGate Intrusion Protection
System (IPS) Guide.

Note: Custom signatures are an advanced feature. This document assumes the user has
previous experience creating intrusion detection signatures.
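As an added illustration, not taken from the guide or from Fortinet, here is a small Python parser for the F-SBID syntax shown above, with a deliberately simplified matcher. The grammar it accepts and the matching rules it applies are assumptions drawn only from the example signature (--protocol, --flow, --pattern, --no_case); they are not the FortiGate IPS engine.

```python
import re

# Constructed example: the CLI form shown in the guide above.
EXAMPLE_CLI_LINE = ("set signature 'F-SBID (--protocol tcp; --flow bi_direction; "
                    "--pattern \"bad words\"; --no_case)'")

# One option: --keyword, an optional value (quoted or bare), then ';' or end of body.
_OPTION_RE = re.compile(r'--(\w+)(?:\s+("(?:[^"\\]|\\.)*"|[^;]+?))?\s*(?:;|$)')


def parse_fsbid(signature: str) -> dict:
    """Parse an F-SBID custom signature into {keyword: value}.

    Keywords given without a value (such as --no_case) map to True.  The grammar
    assumed here is only what the guide's example shows: F-SBID( --key value; ... ).
    """
    match = re.fullmatch(r"F-SBID\s*\((.*)\)", signature.strip(), re.DOTALL)
    if not match:
        raise ValueError("not an F-SBID signature: %r" % signature)
    body = match.group(1).strip()
    options, pos = {}, 0
    while pos < len(body):
        opt = _OPTION_RE.match(body, pos)
        if not opt:
            raise ValueError("cannot parse signature at: %r" % body[pos:])
        keyword, value = opt.group(1), opt.group(2)
        if value is None:
            options[keyword] = True
        else:
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')  # strip the quotes
            options[keyword] = value
        pos = opt.end()
        while pos < len(body) and body[pos].isspace():
            pos += 1
    return options


def parse_cli_line(line: str) -> dict:
    """Accept either a bare F-SBID string or the `set signature '...'` CLI form."""
    cli = re.fullmatch(r"\s*set signature\s+'(.*)'\s*", line, re.DOTALL)
    return parse_fsbid(cli.group(1) if cli else line)


def matches_payload(options: dict, payload: str, protocol: str = "tcp") -> bool:
    """Simplified evaluation, an assumption and not FortiGate's matching engine:
    the signature fires when --protocol agrees with the traffic and the --pattern
    text occurs in the payload, case-insensitively when --no_case is present."""
    if "protocol" in options and options["protocol"].lower() != protocol.lower():
        return False
    pattern = options.get("pattern")
    if not isinstance(pattern, str):
        return False
    if options.get("no_case"):
        return pattern.lower() in payload.lower()
    return pattern in payload


if __name__ == "__main__":
    opts = parse_cli_line(EXAMPLE_CLI_LINE)
    print(opts)
    print(matches_payload(opts, "some BAD WORDS in the body"))
```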


Note: Custom signatures must be added to a signature override in an IPS filter to have any
effect. Creating a custom signature is a necessary step, but a custom signature does not
affect traffic simply by being created.

To create a custom signature, go to UTM > Intrusion Protection > Custom.

Figure 283: Edit Custom Signature

Name Enter a name for the custom signature.


Signature Enter the custom signature, using the appropriate syntax. For more information,
see “Custom signature syntax” in the FortiGate Intrusion Protection System
(IPS) Guide.

Protocol decoders
The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal
traffic patterns that do not meet the protocol requirements and standards. For example,
the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the
HTTP protocol standards.

Viewing the protocol decoder list


To view the decoders and the port numbers that the protocol decoders monitor, go to
UTM > Intrusion Protection > Protocol Decoder. The decoder list is provided for your
reference and can be configured using the CLI. For more information, see the FortiGate
CLI Reference.

Figure 284: The protocol decoder list

Protocols The protocol decoder name.


Ports The port number or numbers that the decoder monitors.


Upgrading the IPS protocol decoder list


The Intrusion Protection system protocol decoders are upgraded automatically through
the FortiGuard Distribution Network (FDN) if existing decoders are modified or new
decoders added. The FDN keeps the protocol decoder list up-to-date with protection
against new threats such as the latest versions of existing IM/P2P as well as against new
applications.

IPS sensors
You can group signatures into IPS sensors for easy selection in protection profiles. You
can define signatures for specific types of traffic in separate IPS sensors, and then select
those sensors in profiles designed to handle that type of traffic. For example, you can
specify all of the web-server related signatures in an IPS sensor, and the sensor can then
be used by a protection profile in a policy that controls all of the traffic to and from a web
server protected by the FortiGate unit.
The FortiGuard Service periodically updates the pre-defined signatures, with signatures
added to counter new threats. Because the signatures included in filters are defined by
specifying signature attributes, new signatures matching existing filter specifications will
automatically be included in those filters. For example, if you have a filter that includes all
signatures for the Windows operating system, your filter will automatically incorporate new
Windows signatures as they are added.

Viewing the IPS sensor list


To view the IPS sensors, go to UTM > Intrusion Protection > IPS Sensor.

Figure 285: IPS Sensor list showing the default sensors


Create New Add a new IPS sensor. For more information, see “Adding an IPS
sensor” on page 448.
Name The name of each IPS sensor.
Comments An optional description of the IPS sensor.
Delete and Edit icons Delete or edit an IPS sensor.

Five default IPS sensors are provided with the default configuration.

all_default Includes all signatures. The sensor is set to use the default enable
status and action of each signature.
all_default_pass Includes all signatures. The sensor is set to use the default enable
status of each signature, but the action is set to pass.
protect_client Includes only the signatures designed to detect attacks against clients;
uses the default enable status and action of each signature.

protect_email_server Includes only the signatures designed to detect attacks against
servers and the SMTP, POP3, or IMAP protocols; uses the default
enable status and action of each signature.
protect_http_server Includes only the signatures designed to detect attacks against
servers and the HTTP protocol; uses the default enable status and
action of each signature.

Adding an IPS sensor


An IPS sensor must be created before it can be configured by adding filters and overrides.
To create an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select
Create New.

Figure 286: New IPS sensor

Name Enter the name of the new IPS sensor.


Comment Enter an optional comment to display in the IPS sensor list.

Configuring IPS sensors


Each IPS sensor consists of two parts: filters and overrides. Overrides are always
checked before filters.
Each filter consists of a number of signature attributes. All of the signatures with those
attributes, and only those attributes, are checked against traffic when the filter is run. If
multiple filters are defined in an IPS sensor, they are checked against the traffic one at a
time, from top to bottom. If a match is found, the FortiGate unit takes the appropriate
action and stops further checking.
A signature override can modify the behavior of a signature specified in a filter. A signature
override can also add a signature not specified in the sensor’s filters. Custom signatures
are included in an IPS sensor using overrides.
The signatures in the overrides are first compared to network traffic. If the IPS sensor
does not find any matches, it then compares the signatures in each filter to network traffic,
one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor
allows the network traffic.
To view an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select the Edit
icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor
attributes, Filters, and Overrides.


Figure 287: Edit IPS sensor



IPS sensor attributes:

Name The name of the IPS sensor. You can change it at any time.
Comments An optional comment describing the IPS sensor. You can change it at any time.
OK Select to save changes to Name or Comments.

IPS sensor filters:

Add Filter Add a new filter to the end of the filter list. For more information, see
“Configuring filters” on page 450.
# Current position of each filter in the list.
Name The name of the filter.
Signature attributes Signature attributes specify the type of network traffic the signature applies to.
Severity The severity of the included signatures.
Target The type of system targeted by the attack. The targets are client
and server.
Protocol The protocols to which the signatures apply. Examples include
HTTP, POP3, H323, and DNS.
OS The operating systems to which the signatures apply.
Application The applications to which the signatures apply.
Enable The status of the signatures included in the filter. The signatures can be set to
enabled, disabled, or default. The default setting uses the default status of each
individual signature as displayed in the signature list.
Logging The logging status of the signatures included in the filter. Logging can be set to
enabled, disabled, or default. The default setting uses the default status of each
individual signature as displayed in the signature list.
Action The action of the signatures included in the filter. The action can be set to pass
all, block all, reset all, or default. The default setting uses the action of each
individual signature as displayed in the signature list.
Count The number of signatures included in the filter. Overrides are not included in this
total.
Delete icon Delete the filter.
Edit icon Edit the filter.
Insert icon Create a new filter and insert it above the current filter.


Move to icon After selecting this icon, enter the destination position in the window that
appears, and select OK.
View Rules icon Open a window listing all of the signatures included in the filter.
IPS sensor overrides:

Add Pre-defined Override Select to create an override based on a pre-defined signature.
Add Custom Override Select to create an override based on a custom signature.
# Current position of each override in the list.
Name The name of the signature.
Enable The status of the override. A green circle indicates the override is enabled. A
gray circle indicates the override is not enabled.
Logging The logging status of the override. A green circle indicates logging is enabled. A
gray circle indicates logging is not enabled.
Action The action set for the override. The action can be set to pass, block, or reset.
Delete and Edit icons Delete or edit the filter.

Configuring filters
To configure a filter, go to UTM > Intrusion Protection > IPS Sensor. Select the Edit icon of
the IPS sensor containing the filter you want to edit. When the sensor window opens,
select the Edit icon of the filter you want to change, or select Add Filter to create a new
filter. Enter the information as described below and select OK.

Figure 288: Edit IPS Filter



Name Enter or change the name of the IPS filter.


Severity Select All, or select Specify and then one or more severity ratings. Severity
defines the relative importance of each signature. Signatures rated critical detect
the most dangerous attacks while those rated as info pose a much smaller
threat.
Target Select All, or select Specify and then the type of systems targeted by the attack.
The choices are server or client.
OS Select All, or select Specify and then select one or more operating systems that
are vulnerable to the attack.
Signatures with an OS attribute of All affect all operating systems. These
signatures will be automatically included in any filter regardless of whether a
single, multiple, or all operating systems are specified.
Protocol Select All, or select Specify to list what network protocols are used by the attack.
Use the Right Arrow to move the ones you want to include in the filter from the
Available to the Selected list, or the Left Arrow to remove previously selected
protocols from the filter.
Application Select All, or select Specify to list the applications or application suites
vulnerable to the attack. Use the Right Arrow to move the ones you want to
include in the filter from the Available to the Selected list, or the Left Arrow to
remove previously selected protocols from the filter.
Quarantine Attackers (to Banned Users List) Select to ban traffic from an IP address from
which the FortiGate has detected an IPS signature or DoS attack.
The FortiGate unit deals with the attack according to the IPS sensor or DoS
sensor configuration regardless of this setting.

Method Select Attacker’s IP address to ban all traffic sent from the attacker’s IP address.
The recipient address is not considered.
Select Attacker and Victim IP Addresses to ban all traffic sent from the attacker’s
IP address to the victim’s IP address. Traffic from the attacker’s IP address to
addresses other than the victim’s IP address is allowed.
Expires You can select whether the attacker is banned indefinitely or for a specified
number of days, hours, or minutes.
Enable Select from the options to specify what the FortiGate unit will do with the
signatures included in the filter: enable all, disable all, or enable or disable each
according to the individual default values shown in the signature list.
Logging Select from the options to specify whether the FortiGate unit will create log
entries for the signatures included in the filter: enable all, disable all, or enable or
disable logging for each according to the individual default values shown in the
signature list.
Action Select from the options to specify what the FortiGate unit will do with traffic
containing a signature match: pass all, block all, reset all, or block or pass traffic
according to the individual default values shown in the signature list.

The signatures included in the filter are only those matching every attribute specified.
When created, a new filter has every attribute set to all which causes every signature to be
included in the filter. If the severity is changed to high, and the target is changed to server,
the filter includes only signatures checking for high priority attacks targeted at servers.

Configuring pre-defined and custom overrides


Pre-defined and custom overrides are configured and work in much the same way as
filters. Unlike filters, each override defines the behavior of a single signature.
Overrides can be used in two ways:
• To change the behavior of a signature already included in a filter. For example, to
protect a web server, you could create a filter that includes and enables all signatures
related to servers. If you wanted to disable one of those signatures, the simplest way
would be to create an override and mark the signature as disabled.


• To add an individual signature, not included in any filters, to an IPS sensor. This is the
only way to add custom signatures to IPS sensors.
When a pre-defined signature is specified in an override, the default status and action
attributes have no effect. These settings must be explicitly set when creating the override.

Note: Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken.
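The following Python model is an added example, not Fortinet code. It reproduces the rules stated in "Configuring IPS sensors", "Configuring filters" and this section on constructed signatures: a filter includes only signatures matching every attribute, signatures with OS "All" are always included, overrides are compared before filters, filters run top to bottom and the first hit stops checking, and an override's own enable/action settings replace the signature defaults. The class and signature names are placeholders of this model, and where the text is silent (a signature that has an override but is also covered by a filter) the behaviour chosen is an assumption marked in the comments.

```python
from dataclasses import dataclass, field

ALL = "all"  # the "All" choice for a filter attribute in the Edit IPS Filter dialog

@dataclass(frozen=True)
class Signature:
    """A predefined signature with the attributes shown in the signature list."""
    name: str
    severity: str        # critical, high, medium, low or info
    target: str          # server or client
    os: str              # an operating system name, or "All"
    protocol: str
    application: str
    default_enabled: bool
    default_action: str  # pass, block or reset

@dataclass
class Filter:
    """A sensor filter: each attribute is ALL or a set of accepted values."""
    name: str
    severity: object = ALL
    target: object = ALL
    os: object = ALL
    protocol: object = ALL
    application: object = ALL
    enable: str = "default"  # enable, disable or default
    action: str = "default"  # pass, block, reset or default

@dataclass(frozen=True)
class Override:
    """An override sets one signature's status and action explicitly."""
    signature: str
    enabled: bool
    action: str

@dataclass
class Sensor:
    name: str
    filters: list = field(default_factory=list)    # checked top to bottom
    overrides: list = field(default_factory=list)  # checked before the filters

def _attr_ok(selected, value: str) -> bool:
    return selected == ALL or value in selected

def filter_includes(flt: Filter, sig: Signature) -> bool:
    """A signature is in the filter only if it matches every attribute; signatures
    whose OS is "All" are included whatever operating systems the filter names."""
    return (_attr_ok(flt.severity, sig.severity)
            and _attr_ok(flt.target, sig.target)
            and (sig.os == "All" or _attr_ok(flt.os, sig.os))
            and _attr_ok(flt.protocol, sig.protocol)
            and _attr_ok(flt.application, sig.application))

def filter_count(flt: Filter, signatures) -> int:
    """The Count column: signatures included in the filter; overrides are not counted."""
    return sum(1 for sig in signatures if filter_includes(flt, sig))

def resolve(flt: Filter, sig: Signature):
    """Apply the filter's Enable and Action settings, falling back to the
    signature's own defaults where the filter says "default"."""
    enabled = {"enable": True, "disable": False}.get(flt.enable, sig.default_enabled)
    action = sig.default_action if flt.action == "default" else flt.action
    return enabled, action

def decide(sensor: Sensor, signatures: dict, matched) -> str:
    """Action the sensor takes on traffic in which the signatures named in `matched`
    were found: overrides first, then each filter top to bottom, first enabled hit
    wins, nothing matching means the traffic is allowed.  Assumption: a signature
    that has an override is governed by that override alone."""
    overridden = {ov.signature for ov in sensor.overrides}
    for ov in sensor.overrides:
        if ov.signature in matched and ov.enabled:
            return ov.action
    for flt in sensor.filters:
        for name in matched:
            sig = signatures.get(name)  # custom signatures enter a sensor only via overrides
            if sig is None or name in overridden or not filter_includes(flt, sig):
                continue
            enabled, action = resolve(flt, sig)
            if enabled:
                return action
    return "pass"

# Constructed sample data; the signature names are placeholders, not real IPS signatures.
SIGNATURES = {sig.name: sig for sig in [
    Signature("demo.srv.high.windows", "high", "server", "Windows", "HTTP", "WebApp", True, "block"),
    Signature("demo.srv.high.any_os", "high", "server", "All", "HTTP", "WebApp", True, "block"),
    Signature("demo.cli.info.linux", "info", "client", "Linux", "DNS", "Resolver", False, "pass"),
]}
WEB_SERVERS = Filter("web_servers", severity={"high"}, target={"server"}, os={"Linux"})
EVERYTHING = Filter("everything", enable="enable", action="reset")
DEMO_SENSOR = Sensor("demo", filters=[WEB_SERVERS, EVERYTHING],
                     overrides=[Override("demo.srv.high.windows", enabled=False, action="block")])
```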

To edit a pre-defined or custom override, go to UTM > Intrusion Protection > IPS Sensor
and select the Edit icon of the IPS sensor containing the override you want to edit. When
the sensor window opens, select the Edit icon of the override you want to change.

Figure 289: Configure IPS override

Signature Select the browse icon to view the list of available signatures. From this list,
select a signature the override will apply to and then select OK.
Enable Select to enable the signature override.
Action Select Pass, Block or Reset. When the override is enabled, the action
determines what the FortiGate will do with traffic containing the specified
signature.
Logging Select to enable creation of a log entry if the signature is discovered in network
traffic.
Packet Log Select to save packets that trigger the override to the FortiGate hard drive for
later examination.
Quarantine Attackers (to Banned Users List) Select to ban traffic from an IP address from
which the FortiGate has detected an IPS signature or DoS attack.
The FortiGate unit deals with the attack according to the IPS sensor or DoS
sensor configuration regardless of this setting.

Method Select Attacker’s IP address to ban all traffic sent from the attacker’s IP address.
The recipient address is not considered.
Select Attacker and Victim IP Addresses to ban all traffic sent from the attacker’s
IP address to the victim’s IP address. Traffic from the attacker’s IP address to
addresses other than the victim’s IP address is allowed.
Expires You can select whether the attacker is banned indefinitely or for a specified
number of days, hours, or minutes.


Exempt IP: Enter IP addresses to exclude from the override. The override will then apply to
all IP addresses except those defined as exempt. The exempt IP addresses are
defined in pairs, with a source and destination, and traffic moving from the
source to the destination is exempt from the override.
Source The exempt source IP address. Enter 0.0.0.0/0 to include
all source IP addresses.
Destination: The exempt destination IP address. Enter 0.0.0.0/0 to
include all destination IP addresses.

Packet logging
Packet logging is a way you can debug custom signatures or how any signature is
functioning in your network environment.
If a signature is selected in a custom override, and packet logging is enabled, the
FortiGate unit will save any network packet triggering the signature to memory, the internal
hard drive (if so equipped), a FortiAnalyzer, or the FortiGuard Analysis and Management
Service. These saved packets can be later viewed and saved in PCAP format for closer
examination.

Configuring packet logging


Packet logging saves the network packets containing an IPS signature to the attack log.
The FortiGate unit will save the logged packets to wherever the logs are configured to be
stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard
Analysis and Management Service.
You can enable packet logging only in signature overrides. It is not an available option in
IPS sensors or filters because enabling packet logging on a large number of signatures
could produce an unusably large amount of data. Packet logging is designed as a focused
diagnostic tool.
There are a number of CLI commands available to further configure packet logging. When
logging to memory, the packet-log-memory command defines the maximum amount
of memory used to store logged packets. This command only takes effect when logging
to memory.
Because the packet containing the signature is sometimes not sufficient on its own to
troubleshoot a problem, the packet-log-history command allows you to specify how many
packets are captured when an IPS signature is found in a packet. If the value is set
larger than 1, the packet containing the signature is saved in the packet log, as well as
those preceding it, with the total number of logged packets equalling the value. For
example, if packet-log-history is set to 7, the FortiGate unit will save the packet
containing the IPS signature and the six before it.

Note: Setting packet-log-history to a value larger than 1 can affect the maximum
performance of the FortiGate unit because network traffic must be buffered. The
performance penalty depends on the model, the setting, and the traffic load.
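An added Python sketch, not FortiOS code, of the packet-log-history behaviour just described: a ring buffer holds the preceding packets so that a match is logged together with the packets before it. The packet stream and the match predicate are constructed, and the semantics (buffer size history - 1, fewer packets logged when fewer precede the match) are an assumption read from the text.

```python
from collections import deque


def packet_log(packets, is_match, packet_log_history=1):
    """Simulate packet-log-history: keep the last packet_log_history - 1 packets in
    a ring buffer; when a packet matches the signature, log it together with the
    buffered packets that preceded it.  Returns one list of packets per match."""
    if packet_log_history < 1:
        raise ValueError("packet-log-history must be at least 1")
    history = deque(maxlen=packet_log_history - 1)  # maxlen 0 keeps nothing
    logged = []
    for pkt in packets:
        if is_match(pkt):
            logged.append(list(history) + [pkt])
        history.append(pkt)  # every packet is buffered, whether or not it matched
    return logged


# Constructed sample stream of (sequence number, payload); packet 8 carries the
# pattern from the custom signature example earlier in this chapter.
STREAM = [(n, "bad words" if n == 8 else "clean") for n in range(1, 11)]


def matching_payload(pkt) -> bool:
    """Stand-in for the IPS signature match."""
    return "bad words" in pkt[1]
```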

To enable packet logging for a signature


1 Create either a pre-defined override or a custom override in an IPS sensor. For more
information, see “Configuring pre-defined and custom overrides” on page 451.
2 Enable Packet Log in the override.
3 Select the IPS sensor in the protection profile applied to the firewall policy that allows
the network traffic the FortiGate unit will examine for the signature.


Viewing and saving logged packets


Once the FortiGate unit logs packets, you can view or save them.

To view and save logged packets


1 Go to Log & Report > Log Access.
2 Depending on where the logs are configured to be stored, select the appropriate tab:
• Memory: Select Memory if logs are stored in the FortiGate unit memory.
• Disk: Select Disk if the FortiGate unit has an internal hard disk and logs are stored
there.
• Remote: Select Remote if logs are sent to a FortiAnalyzer unit or to the FortiGuard
Analysis and Management Service.
3 Select the Attack Log log type.
4 Select the Packet Log icon of the log entry you want to view.
The IPS Packet Log Viewer window appears.

Figure 290: Log entry with packet log icon

Figure 291: IPS Packet Log Viewer

5 Select the packet to view the packet in binary and ASCII. Each table row represents a
captured packet.
6 Select Save to save the packet data in a PCAP formatted file.
PCAP files can be opened and examined in network analysis software such as Wireshark.


DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that
does not fit known or common traffic patterns and behavior. For example, one type of
flooding is the denial of service (DoS) attack that occurs when an attacking system starts
an abnormally large number of sessions with a target system. The large number of
sessions slows down or disables the target system so legitimate users can no longer use
it. This type of attack gives the DoS sensor its name, although it is capable of detecting
and protecting against a number of anomaly attacks.
You can enable or disable logging for each traffic anomaly, and configure the detection
threshold and action to take when the detection threshold is exceeded.
You can create multiple DoS sensors. Each sensor consists of 12 anomaly types that you
can configure. Each sensor examines the network traffic in sequence, from top to bottom.
When a sensor detects an anomaly, it applies the configured action. Multiple sensors
allow great granularity in detecting anomalies because each sensor can be configured to
examine traffic from a specific address, to a specific address, on a specific port, in any
combination.
When arranging the DoS sensors, place the most specific sensors at the top and the most
general at the bottom. For example, a sensor with one protected address table entry that
includes all source addresses, all destination addresses, and all ports will match all traffic.
If this sensor is at the top of the list, no subsequent sensors will ever execute.
The traffic anomaly detection list can be updated only when the FortiGate firmware image
is upgraded.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
must be configured separately in each VDOM. All sensors and custom signatures will
appear only in the VDOM in which they were created.

Viewing the DoS sensor list


To view the anomaly list, go to UTM > Intrusion Protection > DoS Sensor.

Figure 292: The DoS sensor list



Create New Add a new DoS sensor to the bottom of the list.
ID A unique identifier for each DoS sensor. The ID does not indicate the
sequence in which the sensors examine network traffic.
Status Select to enable the DoS sensor.
Name The DoS sensor name.
Comments An optional description of the DoS sensor.


Delete Delete the DoS sensor.
Edit icon Edit the following information: Action, Severity, and Threshold.
Insert DoS Sensor before icon Create a new DoS sensor before the current sensor.
Move To icon Move the current DoS sensor to another position in the list. After
selecting this icon, enter the destination position in the window that
appears, and select OK.

Configuring DoS sensors


Because an improperly configured DoS sensor can interfere with network traffic, no DoS
sensors are present on a factory default FortiGate unit. You must create your own and
then enable them before they will take effect. Thresholds for newly created sensors are
preset with recommended values that you can adjust to meet the needs of your network.

Note: It is important to know normal and expected network traffic before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and
setting the thresholds too high could allow otherwise avoidable attacks.

To configure DoS sensors, go to UTM > Intrusion Protection > DoS Sensor. Select the Edit
icon of an existing DoS sensor, or select Create New to create a new DoS sensor.

Figure 293: Edit DoS Sensor

DoS sensor attributes:

Name Enter or change the DoS sensor name.


Comments Enter or change an optional description of the DoS sensor. This description
will appear in the DoS sensor list.

Anomaly configuration:

Name The name of the anomaly.


Enable Select the check box to enable the DoS sensor to detect when the
specified anomaly occurs. Selecting the check box in the header row will
enable sensing of all anomalies.


Logging Select the check box to enable the DoS sensor to log when the anomaly
occurs. Selecting the check box in the header row will enable logging for all
anomalies. Anomalies that are not enabled are not logged.
Action Select Pass to allow anomalous traffic to pass when the FortiGate unit
detects it, or set Block to prevent the traffic from passing.
Threshold Displays the number of sessions/packets that must show the anomalous
behavior before the FortiGate unit triggers the anomaly action (pass or
block). If required, change the number. For more information about how
these settings affect specific anomalies, see Table 34 on page 457.
Protected addresses:
Each entry in the protected address table includes a source and destination IP address as
well as a destination port. The DoS sensor will be applied to traffic matching the three
attributes in any table entry.

Note: A new DoS sensor has no protected address table entries. If no addresses are
entered, the DoS sensor cannot match any traffic and will not function.

Destination The IP address of the traffic destination. 0.0.0.0/0 matches all addresses. If
the FortiGate unit is running in transparent mode, 0.0.0.0/0 also includes
the management IP address.
Destination Port The destination port of the traffic. 0 matches any port.
Source The IP address of the traffic source. 0.0.0.0/0 matches all addresses.
Add After entering the required destination address, destination port, and
source address, select Add to add protected address to the Protected
Addresses list. The DoS sensor will be invoked only on traffic matching all
three of the entered values. If no addresses appear in the list, the sensor
will not be applied to any traffic.

Understanding the anomalies


For each of the TCP, UDP, and ICMP protocols, DoS sensors offer four statistical anomaly
types. The result is twelve configurable anomalies.
Table 34: The twelve individually configurable anomalies

Anomaly           Description
tcp_syn_flood     If the SYN packet rate, including retransmission, to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
tcp_port_scan     If the SYN packet rate, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
tcp_src_session   If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed.
tcp_dst_session   If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
udp_flood         If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_scan          If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
udp_src_session   If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed.
udp_dst_session   If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed.
icmp_flood        If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_sweep        If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.
icmp_src_session  If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed.
icmp_dst_session  If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed.

Intrusion protection CLI configuration


This section describes the CLI commands that extend features available through the web-
based manager. For complete descriptions and examples of how to enable additional
features through CLI commands, see the FortiGate CLI Reference.

ips global fail-open


If for any reason the IPS should cease to function, it will fail open by default. This means
crucial network traffic will not be blocked, and the FortiGate unit will continue to operate
while the problem is being resolved.

ips global socket-size


Set the size of the IPS buffer.


Web Filter
The three main sections of the web filtering function, the Web Filter Content Block, the
URL Filter, and the FortiGuard Web filter, interact with each other in such a way as to
provide maximum control and protection for the Internet users.
If you enable virtual domains (VDOMs) on the FortiGate unit, web filtering is configured
separately for each virtual domain. For details, see “Using virtual domains” on page 103.
This section describes:
• Order of web filtering
• How web filtering works
• Web filter controls
• Content block
• URL filter
• FortiGuard - Web Filter

Order of web filtering


Web filters are applied in a specific order:
1 URL Exempt (Web Exempt List)
2 URL Block (Web URL Block)
3 URL Block (Web Pattern Block)
4 FortiGuard Web Filtering (Also called Category Block)
5 Content Block (Web Content Block)
6 Script Filter (Web Script Filter)
7 Antivirus scanning
The URL filter list is processed in order from top to bottom. An exempt match stops all
further checking including AV scanning. An allow match exits the URL filter list and checks
the other web filters.
Local ratings are checked prior to other FortiGuard Web Filtering categories.
The FortiGate unit applies the rules in this order and failure to comply with a rule will
automatically block a site despite what the setting for later filters might be.
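An added Python model, not Fortinet code, of the filter order above: the URL filter list is processed top to bottom, an exempt match stops everything including antivirus scanning, an allow match leaves the list but the other filters still run, local ratings take precedence over the FortiGuard rating, and content block, script filter and antivirus scanning follow in that order. Wildcard URL matching, the banned-word content block and treating a script filter hit as a block are assumptions of this model; the policy and requests are constructed.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    url: str
    category: str        # the FortiGuard rating of the URL (constructed here)
    body: str = ""
    has_script: bool = False


@dataclass(frozen=True)
class UrlFilterEntry:
    pattern: str   # matched with shell-style wildcards (an assumption of this model)
    action: str    # exempt, block or allow


def no_virus(body: str) -> bool:
    """Default antivirus stand-in: nothing is infected."""
    return False


@dataclass
class WebFilterPolicy:
    url_filter: list = field(default_factory=list)      # processed top to bottom
    local_ratings: dict = field(default_factory=dict)   # url -> local category
    blocked_categories: set = field(default_factory=set)
    banned_words: set = field(default_factory=set)      # Web Content Block
    block_scripts: bool = False                          # Web Script Filter
    av_scan: object = no_virus                           # returns True if infected


def filter_request(req: Request, policy: WebFilterPolicy):
    """Apply the web filters in the documented order; returns (decision, stage)."""
    for entry in policy.url_filter:
        if fnmatch.fnmatch(req.url, entry.pattern):
            if entry.action == "exempt":
                return "allow", "url_exempt"   # stops all further checking, AV included
            if entry.action == "block":
                return "block", "url_block"
            break                              # allow: leave the list, other filters run
    category = policy.local_ratings.get(req.url, req.category)  # local rating wins
    if category in policy.blocked_categories:
        return "block", "fortiguard_category"
    if any(word.lower() in req.body.lower() for word in policy.banned_words):
        return "block", "content_block"
    if policy.block_scripts and req.has_script:
        return "block", "script_filter"
    if policy.av_scan(req.body):
        return "block", "antivirus"
    return "allow", "all_filters_passed"


# Constructed policy: www.google.com exempt as in the text, one allowed site, one blocked.
POLICY = WebFilterPolicy(
    url_filter=[UrlFilterEntry("www.google.com*", "exempt"),
                UrlFilterEntry("www.example.com/*", "allow"),
                UrlFilterEntry("*.blocked.example/*", "block")],
    local_ratings={"www.example.com/local": "Local-Block"},
    blocked_categories={"Local-Block", "Malware"},
    banned_words={"profanity"},
    block_scripts=True,
    av_scan=lambda body: "EICAR" in body,  # constructed marker for "infected"
)
```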

How web filtering works


The following information shows how the filters interact with each other and how to use
them to your advantage.
The first section, the URL exempt and block filters, lets you decide what action to
take for specific addresses. For example, if you want to exempt www.google.com from
being scanned, you can add it to the URL exempt list. No web filtering or virus
scanning will then be applied to this web site.


If you have blocked a pattern but want certain users to have access to URLs within that
pattern, you can use the Override feature of the FortiGuard Web Filter. It lets you specify
which users have access to which blocked URLs and for how long. For example, you may
want user1 to be able to access www.example.com for 1 hour; you can set up that
exemption here. Any user listed in an override must fill out an online authentication form
before the FortiGate unit grants access to the blocked URL.
FortiGuard Web Filter also lets you create local categories to block groups of URLs. Once
you have created the category, use local ratings to add specific sites to it. You then use
Firewall > Protection Profile to tell the FortiGate unit what action to take with the local
category. Local ratings override the FortiGuard ratings.
Finally, the FortiGate unit applies script filtering for ActiveX, cookies, and Java applets,
which is configured in Firewall > Protection Profile > Web Filtering.
Once you have finished configuring all of these settings, you still have to turn them on in
Firewall > Protection Profile > Web Filtering and Firewall > Protection Profile >
FortiGuard Web Filtering. Enabling them there tells the FortiGate unit to start using the
filters as you have configured them.
This section describes how to configure web filtering options. Web filtering functions must
be enabled in the active protection profile for the corresponding settings in this section to
have any effect.

Web filter controls


As a general rule, you go to UTM > Web Filter to configure the web filtering settings and
to enable the filters for use in a protection profile. To actually activate the enabled filters,
you go to Firewall > Protection Profile.

Note: Enabled means that the filter will be used when you turn on web filtering. It does not
mean that the filter is turned on. To turn on all enabled filters you must go to Firewall >
Protection Profile.

FortiGuard - Web Filter is described in detail in “FortiGuard Web Filtering options” on
page 400. Rating corrections, as well as suggested ratings for new pages, can be
submitted on the FortiGuard Center web page. Visit the Fortinet Knowledge Center for
details and a link to the FortiGuard Center.
The following tables compare web filtering options in protection profiles and the web filter
menu.
Table 35: Web filter and Protection Profile web content block configuration

Protection Profile web filtering option: Web Content Block
    Enable or disable web page blocking based on the banned words and patterns in the
    content block list for HTTP traffic.
Web Filter setting: UTM > Web Filter > Content Block
    Add words and patterns to block web pages containing those words or patterns.

Table 36: Web filter and Protection Profile web URL filtering configuration

Protection Profile web filtering option: Web URL Filter
    Enable or disable web page filtering for HTTP traffic based on the URL filter list.
Web Filter setting: UTM > Web Filter > URL Filter
    Add URLs and URL patterns to exempt or block web pages from specific sources.


Table 37: Web filter and Protection Profile web script filtering and download configuration

Protection Profile web filtering option: Active X Filter, Cookie Filter, Java Applet Filter
    Enable or disable blocking scripts from web pages for HTTP traffic.
Web Filter setting: n/a

Protection Profile web filtering option: Web resume Download Block
    Enable to block downloading the remainder of a file that has already been partially
    downloaded. Enabling this option prevents the unintentional download of virus files,
    but can cause download interruptions.
Web Filter setting: n/a

Table 38: Web filter and Protection Profile web category filtering configuration

Protection Profile web filtering options, with the corresponding Web Filter setting where
one exists:
• Enable FortiGuard Web Filtering (HTTP only).
• Enable FortiGuard Web Filtering Overrides (HTTP only). Web Filter setting: UTM > Web
  Filter > Overrides.
• Provide details for blocked HTTP 4xx and 5xx errors (HTTP only).
• Rate images by URL (blocked images will be replaced with blanks) (HTTP only).
• Allow web sites when a rating error occurs (HTTP only).
• Strict Blocking (HTTP only).
• Category / Action: the FortiGuard Web Filtering service provides many categories by
  which to filter web traffic. Set the action to take on web pages for each category.
  Choose from allow, block, log, or allow override.
• Local Categories: local categories can be configured to best suit local requirements.
  Web Filter setting: UTM > Web Filter > Local Categories | Local Ratings.
• Classification / Action: when selected, users can access web sites that provide content
  cache, and provide searches for image, audio, and video files. Choose from allow,
  block, log, or allow override.

To access protection profile web filter options


1 Go to Firewall > Protection Profile.
2 Select Edit or Create New.
3 Select Web Filtering or Web Category Filtering.

Note: If virtual domains are enabled on the FortiGate unit, web filtering features are
configured globally. To access these features, select Global Configuration on the main
menu.


Content block
Control web content by blocking specific words or patterns. If enabled in the protection
profile, the FortiGate unit searches for words or patterns on requested web pages. If
matches are found, values assigned to the words are totalled. If a user-defined threshold
value is exceeded, the web page is blocked.
Use Perl regular expressions or wildcards to add banned word patterns to the list. See
“Using wildcards and Perl regular expressions” on page 488.

Note: Perl regular expression patterns are case sensitive for Web Filter content block. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i blocks all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.

Viewing the web content block list catalog


You can add multiple web content block lists and then select the best web content block
list for each protection profile. To view the web content block list catalog, go to UTM >
Web Filter > Web Content Block. To view any individual web content block list, select the
edit icon for the list you want to see.

Figure 294: Sample web content block list catalog

Create New Select to add a new web content block list to the catalog.
Name The available web content block lists.
# Entries The number of content patterns in each web content block list.
Profiles The protection profiles each web content block list has been applied to.
Comment Optional description of each web content block list. The comment text must be
less than 63 characters long. Otherwise, it will be truncated. Spaces will also
be replaced by the plus sign ( + ).
Delete icon Select to remove the web content block list from the catalog. The delete icon is
only available if the web content block list is not selected in any protection
profiles.
Edit icon Select to edit the web content block list, list name, or list comment.

Select web content block lists in protection profiles. For more information, see “Web
Filtering options” on page 398.


Creating a new web content block list


To add a web content block list to the web content block list catalog go to
UTM > Web Filter > Web Content Block. Select Create New.

Figure 295: New Web Content Block list dialog box

Name Enter the name of the new list.
Comment Enter a comment to describe the list, if required.

Viewing the web content block list


With web content block enabled, every requested web page is checked against the
content block list. The score value of each pattern appearing on the page is added, and if
the total is greater than the threshold value set in the protection profile, the page is
blocked. The score for a pattern is applied only once even if it appears on the page
multiple times.
To view the web content block list go to UTM > Web Filter > Web Content Block and select
the Edit icon of the web content block list you want to view.

Figure 296: Sample web content block list

Note: Enable UTM > Web Filtering > Web Content Block in a firewall Protection Profile to
activate the content block settings.

The web content block list has the following icons and features:

Name Web content block list name. To change the name, edit text in the name field and
select OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create new Select to add a pattern to the web content block list.
Total The number of patterns in the web content block list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Remove All Entries icon Select to clear the table.


Banned word The current list of patterns. Select the check box to enable all the patterns in the
list.
Pattern type The pattern type used in the pattern list entry. Choose from wildcard or regular
expression. See “Using wildcards and Perl regular expressions” on page 488.
Language The character set to which the pattern belongs: Simplified Chinese, Traditional
Chinese, French, Japanese, Korean, Thai, or Western.
Score A numerical weighting applied to the pattern. The score values of all the matching
patterns appearing on a page are added, and if the total is greater than the
threshold value set in the protection profile, the page is blocked.
Delete icon Select to delete an entry from the list.
Edit icon Select to edit the following information: Banned Word, Pattern Type, Language,
and Enable.

Configuring the web content block list


Web content patterns can be one word or a text string up to 80 characters long. The
maximum number of banned words in the list is 5000.
To add or edit a content block pattern go to UTM > Web Filter > Web Content Block and
select Create New or select the Edit icon of the web content block list you want to view.

Figure 297: New content block pattern

Banned Word Enter the content block pattern. For a single word, the FortiGate unit checks
all web pages for that word. For a phrase, the FortiGate unit checks all web
pages for any word in the phrase. For a phrase in quotation marks, the
FortiGate unit checks all web pages for the entire phrase.
Pattern Type Select a pattern type from the dropdown list: Wildcard or Regular
Expression.
Language Select a language from the dropdown list.
Score Enter a score for the pattern.
Enable Select to enable the pattern.
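The scoring rules described above (each enabled pattern contributes its score at most once, wildcard patterns are not case sensitive, Perl regular expressions are case sensitive unless written as /pattern/i, and a page is blocked only when the total is greater than the threshold set in the protection profile) are easy to get wrong when tuning a list. The following Python script is an added example, not FortiGate code and not from this guide; it models those documented rules so that a candidate content block list can be checked against sample page text before it is deployed. The list entries and the page text are constructed, and the wildcard translation ('*' matching any run of characters, '?' a single character, everything else literal) is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class BannedWord:
    """One entry of a web content block list (constructed for this example)."""
    pattern: str
    pattern_type: str      # "wildcard" or "regex"
    score: int
    enabled: bool = True


def _wildcard_to_regex(term: str) -> str:
    # Assumed wildcard semantics: '*' is any run of characters, '?' one character,
    # everything else is matched literally.
    out = []
    for ch in term:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def _wildcard_terms(pattern: str) -> List[str]:
    # A phrase in quotation marks must appear whole; an unquoted phrase matches
    # if any one of its words appears, as described for the Banned Word field.
    s = pattern.strip()
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        return [s[1:-1]]
    return s.split()


def _compile_regex(pattern: str):
    # Perl-style /pattern/i makes the expression case insensitive; a bare
    # pattern stays case sensitive, as the guide notes for content block.
    m = re.fullmatch(r"/(.*)/([a-z]*)", pattern, re.DOTALL)
    if m:
        flags = re.IGNORECASE if "i" in m.group(2) else 0
        return re.compile(m.group(1), flags)
    return re.compile(pattern)


def pattern_matches(entry: BannedWord, page_text: str) -> bool:
    """True if the entry's pattern occurs anywhere in the page text."""
    if entry.pattern_type == "wildcard":
        # Wildcard patterns are not case sensitive.
        return any(re.search(_wildcard_to_regex(t), page_text, re.IGNORECASE)
                   for t in _wildcard_terms(entry.pattern))
    return _compile_regex(entry.pattern).search(page_text) is not None


def content_block_score(entries: List[BannedWord], page_text: str) -> int:
    """Sum the scores of matching enabled patterns, counting each pattern once
    no matter how many times it appears on the page."""
    return sum(e.score for e in entries if e.enabled and pattern_matches(e, page_text))


def is_blocked(entries: List[BannedWord], page_text: str, threshold: int) -> bool:
    """The page is blocked only when the total is greater than the threshold."""
    return content_block_score(entries, page_text) > threshold


# Constructed sample list and page text (not real data).
SAMPLE_LIST = [
    BannedWord("casino", "wildcard", 30),          # counted once although it appears 4 times
    BannedWord("/bad language/i", "regex", 20),    # case-insensitive regular expression
    BannedWord("Jackpot", "regex", 10),            # case sensitive: lower-case "jackpot" does not match
    BannedWord('"free money"', "wildcard", 25),    # quoted phrase must appear whole
    BannedWord("poker*", "wildcard", 15),          # no match on this page
    BannedWord("roulette", "wildcard", 40, enabled=False),  # disabled entries never count
]
SAMPLE_PAGE = ("Welcome to the CASINO! Win free money at our jackpot today. "
               "BAD LANGUAGE is not allowed. casino casino casino roulette")

if __name__ == "__main__":
    print("score:", content_block_score(SAMPLE_LIST, SAMPLE_PAGE))            # 75
    print("blocked at threshold 50:", is_blocked(SAMPLE_LIST, SAMPLE_PAGE, 50))  # True
    print("blocked at threshold 75:", is_blocked(SAMPLE_LIST, SAMPLE_PAGE, 75))  # False
```

The sample shows the two points that most often surprise administrators: repeated occurrences of "casino" add 30 once, not 120, and a total exactly equal to the threshold does not block.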

Viewing the web content exempt list catalog


You can add multiple web content exempt lists and then select the best web content
exempt list for each protection profile.
To view the web content exempt list catalog go to UTM > Web Filter > Web Content Exempt.
To view any individual web content exempt list, select the Edit icon for the list you want to
see.

Figure 298: Sample web content exempt list catalog


The web content exempt list catalog has the following icons and features:

Create New Select to add a new web content exempt list to the catalog.
Name The available web content exempt lists.
# Entries The number of content patterns in each web content exempt list.
Profiles The protection profiles each web content exempt list has been applied to.
Comment Optional description of each web content exempt list.
Delete icon Select to remove the web content exempt list from the catalog. The delete
icon is only available if the web content exempt list is not selected in any
protection profiles.
Edit icon Select to edit the web content exempt list, list name, or list comment.

Select web content exempt lists in protection profiles. For more information, see “Web
Filtering options” on page 398.

Creating a new web content exempt list


To add a web content exempt list to the web content exempt list catalog go to UTM > Web
Filter > Web Content Exempt. Select Create New.

Figure 299: New Web Content Exempt list dialog box

Name Enter the name of the new list.
Comment Enter a comment to describe the list, if required.

Viewing the web content exempt list


Web content exempt allows overriding of the web content block feature. If any pattern
defined in the web content exempt list appears on a web page, the page is not blocked
even if the web content block feature would otherwise block it.
To view the web content exempt list go to UTM > Web Filter > Web Content Exempt.
Select the Edit icon of the web content exempt list you want to view.

Figure 300: Sample web content exempt list


Note: Enable Web Filtering > Web Content Exempt in a firewall Protection Profile to
activate the content exempt settings.

The web content exempt list has the following icons and features:

Name Web content exempt list name. To change the name, edit text in the name field
and select OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create new Select to add a pattern to the web content exempt list.
Total The number of patterns in the web content exempt list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Remove All Entries icon Select to clear the table.
Pattern The current list of patterns. Select the check box to enable all the patterns in the
list.
Pattern type The pattern type used in the pattern list entry. Choose from wildcard or regular
expression. See “Using wildcards and Perl regular expressions” on page 488.
Language The character set to which the pattern belongs: Simplified Chinese, Traditional
Chinese, French, Japanese, Korean, Thai, or Western.
Delete icon Select to delete an entry from the list.
Edit icon Select to edit the following information: Pattern, Pattern Type, Language, and
Enable.

Configuring the web content exempt list


Web content patterns can be one word or a text string up to 80 characters long. The
maximum number of patterns in the list is 5000.
To add or edit a content exempt pattern go to UTM > Web Filter > Web Content Exempt.
Select Create New or select the Edit icon of the web content exempt pattern you want to
edit.

Figure 301: New content exempt pattern

Pattern Word Enter the content exempt pattern. For a single word, the FortiGate checks all web
pages for that word. For a phrase, the FortiGate checks all web pages for any
word in the phrase. For a phrase in quotation marks, the FortiGate unit checks all
web pages for the entire phrase.
Pattern Type Select a pattern type from the dropdown list: Wildcard or Regular Expression.
Language Select a language from the dropdown list.
Enable Select to enable the pattern.


URL filter
Allow or block access to specific URLs by adding them to the URL filter list. Add patterns
using text and regular expressions (or wildcard characters) to allow or block URLs. The
FortiGate unit allows or blocks web pages matching any specified URLs or patterns and
displays a replacement message instead.

Note: Enable Web filtering > Web URL Filter in a firewall Protection Profile to activate the
URL filter settings.

Note: URL blocking does not block access to other services that users can access with a
web browser. For example, URL blocking does not block access to
ftp://ftp.example.com. Instead, use firewall policies to deny FTP connections.

Viewing the URL filter list catalog


You can add multiple URL filter lists and then select the best URL filter list for each
protection profile.
To view the URL filter list catalog go to UTM > Web Filter > URL Filter.
To view any individual URL filter list go to UTM > Web Filter > URL Filter. Select the Edit
icon for the list you want to see.

Figure 302: Sample URL filter list catalog

The URL filter list catalogue has the following icons and features:

Create New Select to add a new URL filter list to the catalog.
Name The available URL filter lists.
# Entries The number of URL patterns in each URL filter list.
Profiles The protection profiles each URL filter list has been applied to.
Comment Optional description of each URL filter list.
Delete icon Select to remove the URL filter list from the catalog. The delete icon is only
available if the URL filter list is not selected in any protection profiles.
Edit icon Select to edit the URL filter list, list name, or list comment.

Select URL filter lists in protection profiles. For more information, see “Web Filtering
options” on page 398.

Creating a new URL filter list


Different FortiGate models support different maximum numbers of URL filter lists. For
details, see the FortiGate Maximum Values Matrix in Fortinet’s Knowledge Center web
site http://kc.forticare.com.
To add a URL filter list to the URL filter list catalog go to UTM > Web Filter > URL Filter.
Select Create New.


Figure 303: New URL Filter list dialog box

Name Enter the name of the new list.
Comment Enter a comment to describe the list, if required.

Viewing the URL filter list


Add specific URLs to block or exempt. Add the following items to the URL filter list:
• complete URLs
• IP addresses
• partial URLs to allow or block all sub-domains
To view the URL filter list go to UTM > Web Filter > URL Filter. Select the Edit icon of the
URL filter list you want to view.

Figure 304: URL filter list

The URL filter list has the following icons and features:

Name URL filter list name. To change the name, edit text in the name field and select
OK.
Comment Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create New Select to add a URL to the URL filter list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Clear All URL Filters icon Select to clear the table.
URL The current list of blocked/exempt URLs. Select the check box to enable all
the URLs in the list.
Type The type of URL: Simple or Regex (regular expression).
Action The action taken when the URL matches: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web filters.
An exempt match stops all further checking including AV scanning.
A block match blocks the URL and no further checking will be done.
Delete icon Select to remove an entry from the list.


Edit icon Select to edit the following information: URL, Type, Action, and Enable.
Move icon Select to open the Move URL Filter dialog box.

Configuring the URL filter list


Each URL filter list can have up to 5000 entries.

Note: Type a top-level domain suffix (for example, “com” without the leading period) to
block access to all URLs with this suffix.

To add a URL to the URL filter list go to UTM > Web Filter > URL Filter. Select Create New
or edit an existing list.

Figure 305: New URL Filter

URL Enter the URL. Do not include http://. For details about URL
formats, see “URL formats” on page 469.
Type Select a type from the dropdown list: Simple or Regex (regular
expression).
Action Select an action from the dropdown list: Allow, Block, or Exempt.
An allow match exits the URL filter list and checks the other web
filters.
An exempt match stops all further checking including AV
scanning.
A block match blocks the URL and no further checking will be
done.
Enable Select to enable the URL.

URL formats
When adding a URL to the URL filter list (see “Configuring the URL filter list” on
page 469), follow these rules:

HTTPS URL formats


Type a domain name only for HTTPS URL filtering, for example, www.example.com.
HTTPS URL filtering works by extracting the CN (Common Name) from the server
certificate during the SSL negotiation. Because the CN contains only the domain name of
the site being accessed, HTTPS web filtering can filter by domain name only, not by path.

HTTP URL formats


• Type a top-level URL or IP address to control access to all pages on a web site. For
example, www.example.com or 192.168.144.155 controls access to all pages at
this web site.
• Enter a top-level URL followed by the path and filename to control access to a single
page on a web site. For example, www.example.com/news.html or
192.168.144.155/news.html controls the news page on this web site.


• To control access to all pages with a URL that ends with example.com, add
example.com to the filter list. For example, adding example.com controls access to
www.example.com, mail.example.com, www.finance.example.com, and so
on.
• Control access to all URLs that match patterns created using text and regular
expressions (or wildcard characters). For example, example.* matches
example.com, example.org, example.net and so on.
FortiGate web pattern blocking supports standard regular expressions.

Note: URLs with an action set to exempt are not scanned for viruses. If users on
the network download files through the FortiGate unit from a trusted web site, add the
URL of this web site to the URL filter list with an action set to exempt so that the
FortiGate unit does not virus scan files downloaded from this URL.

Note: Enable Web Filtering > Web URL Filter > HTTP or HTTPS in a firewall Protection
Profile to activate the web URL filter settings for HTTP and/or HTTPS traffic.
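The URL filter semantics given in “Order of web filtering”, in the Action column of the URL filter list, and in the URL format rules above combine into a small decision procedure: walk the list from top to bottom, take the first matching enabled entry, and let its action decide whether the other web filters and antivirus scanning still run. The Python script below is an added example, not FortiGate code and not from this guide; it implements that procedure so a candidate list can be tested offline against sample requests. The entries and requested URLs are constructed. Two details are assumptions because the guide does not spell them out: a Simple entry without a path matches the whole site, and a host matches a Simple entry when it equals the entry or ends with it at a domain-label boundary (so example.com covers mail.example.com but not notexample.com); Regex entries are searched against the URL with its scheme removed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class UrlFilterEntry:
    """One row of a URL filter list (constructed for this example)."""
    url: str        # entered without http://, as the guide requires
    type: str       # "simple" or "regex"
    action: str     # "allow", "block", or "exempt"
    enabled: bool = True


@dataclass
class UrlFilterResult:
    verdict: str                        # "block", "exempt", "allow", or "no-match"
    matched: Optional[UrlFilterEntry]
    run_other_web_filters: bool         # FortiGuard, content block, script filter still apply?
    antivirus_scan: bool                # does AV scanning still apply?


def _split_request(requested: str) -> Tuple[str, str]:
    # Accept URLs with or without a scheme; return (lower-case host, path).
    parts = urlsplit(requested if "://" in requested else "http://" + requested)
    return (parts.hostname or "").lower(), parts.path or "/"


def _host_matches(entry_host: str, host: str) -> bool:
    # Assumption: suffix match at a label boundary, so "example.com" covers
    # www.example.com and mail.example.com, and "com" covers every .com host.
    entry_host = entry_host.lower()
    return host == entry_host or host.endswith("." + entry_host)


def simple_matches(entry_url: str, requested: str) -> bool:
    """Simple type: host (or IP address) alone matches the whole site; host plus
    path/filename matches that single page only."""
    host, path = _split_request(requested)
    entry_host, sep, entry_path = entry_url.partition("/")
    if not _host_matches(entry_host, host):
        return False
    return True if not sep else path == "/" + entry_path


def regex_matches(entry_url: str, requested: str) -> bool:
    """Regex type: standard regular expression searched against the URL
    without its scheme (assumption)."""
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", requested, flags=re.IGNORECASE)
    return re.search(entry_url, target) is not None


def evaluate_url_filter(entries: List[UrlFilterEntry], requested: str) -> UrlFilterResult:
    """Process the list top to bottom; the first matching enabled entry decides.

    exempt:   stop all further checking, including antivirus scanning.
    block:    the page is blocked; nothing else is checked.
    allow:    leave the URL filter list and continue with the other web filters.
    no match: the other web filters and AV scanning run as configured.
    """
    for entry in entries:
        if not entry.enabled:
            continue
        hit = (simple_matches(entry.url, requested) if entry.type == "simple"
               else regex_matches(entry.url, requested))
        if not hit:
            continue
        if entry.action == "exempt":
            return UrlFilterResult("exempt", entry, False, False)
        if entry.action == "block":
            return UrlFilterResult("block", entry, False, False)
        return UrlFilterResult("allow", entry, True, True)
    return UrlFilterResult("no-match", None, True, True)


# Constructed sample list, in list order (order matters: the first match wins).
SAMPLE_LIST = [
    UrlFilterEntry("www.example.com/news.html", "simple", "block"),   # one page only
    UrlFilterEntry("example.com", "simple", "exempt"),               # every example.com host
    UrlFilterEntry(r"example\.(org|net)", "regex", "allow"),
    UrlFilterEntry("192.168.144.155", "simple", "block"),            # whole site by IP address
    UrlFilterEntry("com", "simple", "block"),                        # every remaining .com host
]

if __name__ == "__main__":
    for url in ["http://www.example.com/news.html", "www.example.com/about.html",
                "mail.example.com/", "example.org/page", "192.168.144.155/news.html",
                "www.other.com", "www.other.net"]:
        r = evaluate_url_filter(SAMPLE_LIST, url)
        print(f"{url:36} {r.verdict:9} other filters={r.run_other_web_filters} av={r.antivirus_scan}")
```

Running it shows why list order matters: www.example.com/news.html is blocked by the first entry, while every other page on example.com hits the exempt entry and bypasses FortiGuard rating, content block and antivirus scanning entirely, which is exactly the trade-off the note above describes.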

Moving URLs in the URL filter list


To make the URL filter list easier to use, the entries can be moved to different positions in
the list.

To move a URL in the URL filter list


1 Go to UTM > Web Filter > URL Filter.
2 Select the Edit icon for the URL list.
3 Drag and drop a URL or select the Move icon to the right of the URL to be moved.
4 Specify the location for the URL.
5 Select OK.

Figure 306: Move URL Filter

Move to Select the location in the list to place the URL.
(URL) Enter the URL before or after which the new URL is to be located in the list.

FortiGuard - Web Filter


FortiGuard Web Filtering is a managed web filtering solution provided by Fortinet.
FortiGuard Web Filtering sorts hundreds of millions of web pages into a wide range of
categories users can allow, block, or monitor. The FortiGate unit accesses the nearest
FortiGuard Web Filtering Service Point to determine the category of a requested web
page then follows the firewall policy configured for that user or interface.


FortiGuard Web Filtering includes over 60 million individual ratings of web sites applying
to hundreds of millions of pages. Pages are sorted and rated into 56 categories users can
allow, block, or monitor. Categories may be added to, or updated, as the Internet evolves.
To make configuration simpler, users can also choose to allow, block, or monitor entire
groups of categories. Blocked pages are replaced with a message indicating that the page
is not accessible according to the Internet usage policy.
FortiGuard Web Filtering ratings are performed by a combination of proprietary methods
including text analysis, exploitation of the Web structure, and human raters. Users can
notify the FortiGuard Web Filtering Service Points if they feel a web page is not
categorized correctly, and new sites are quickly rated as required.
Use the procedure “FortiGuard Web Filtering options” on page 400 to configure
FortiGuard category blocking in a protection profile. To configure the FortiGuard Web
service, see “Configuring the FortiGate unit for FDN and FortiGuard subscription services”
on page 260.

Configuring FortiGuard Web Filtering


To configure the FortiGuard Web Filtering service go to System > Maintenance >
FortiGuard. See “Configuring the FortiGate unit for FDN and FortiGuard subscription
services” on page 260.

Viewing the override list


Users may require access to web sites that are blocked by a policy. In this case, an
administrator can give the user the ability to override the block for a specified period of
time.
When a user attempts to access a blocked site, if override is enabled, a link appears on
the block page directing the user to an authentication form. The user must provide a
correct user name and password or the web site remains blocked. Authentication is based
on user groups and can be performed for local, RADIUS, and LDAP users. For more
information about authentication and configuring user groups, see “User Group” on
page 554.

Administrative overrides vs. user overrides


The administrative overrides are backed up with the main configuration and managed by
the FortiManager system. The administrative overrides are not cleaned up when they
expire and you can reuse these override entries by extending their expiry dates. You can
create administrative overrides using both the CLI and the web-based manager.
The user overrides are not backed up as part of the main configuration and are not
managed by the FortiManager system. These overrides are also purged when they expire.
You can only view and delete the user overrides entries. Users create user overrides
using the authentication form opened from the block page when they attempt to access a
blocked site, if override is enabled.
To view the override list go to UTM > Web Filter > Override. Select the Edit icon for
Administrative Overrides or User Overrides.

Figure 307: Override list

The override list has the following icons and features:


Create New Select to add a new override rule to the list. This button is not available
under User Overrides.
Return Select to return to the override category page.
Clear All icon Select to clear the table.
URL/Category The URL or category to which the override applies.
Scope The user or user group who may use the override.
Off-site URLs A green check mark indicates that the off-site URL option is set to Allow,
which means that the override web page will display the contents from off-
site domains. A gray cross indicates that the off-site URL option is set to
Block, which means that the override web page will not display the
contents from off-site domains. For details, see “Configuring administrative
override rules” on page 472.
Initiator The creator of the override rule.
Expiry Date The expiry date of the override rule.
Delete icon Select to remove the entry from the list.
Edit icon Select to edit the following information: Type, URL, Scope, User, Off-site
URLs, and Override Duration.

Configuring administrative override rules


Administrative override rules can be configured to allow access to blocked web sites
based on directory, domain name, or category.
To create an override rule for a directory or domain go to UTM > Web Filter > Override.
Select the Edit icon for Administrative Overrides.

Figure 308: New Override Rule - Directory or Domain

Type Select Directory or Domain.
URL Enter the URL or the domain name of the website.
Scope Select one of the following: User, User Group, IP, or Profile. Depending on
the option selected, a different option appears below Scope.
User Enter the name of the user selected in Scope.
User Group Select a user group from the dropdown list. User groups must be
configured before FortiGuard Web Filtering configuration. For more
information, see “User Group” on page 554.


Off-site URLs This option defines whether the override web page will display the images
and other content from blocked off-site URLs.
For example, suppose all FortiGuard categories are blocked and you want to
visit a site whose images are served from a different domain. You can create
a directory override for the site and view the page. If the off-site option is set
to Block, all the images on the page appear broken because they come from
a different domain that the override rule does not cover. If you set the off-site
option to Allow, the images on the page are displayed.
Only users within the scope of the page override can see the images from
the temporary override. Those users still cannot view any pages on the sites
the images come from (unless the pages are served from the same directory
as the images themselves) without a new override rule being created.
Override End Time Specify when the override rule will end.
To create an override for categories, go to UTM > Web Filter > Override.

Figure 309: New Override Rule - Categories

Type Select Categories.
Categories Select the categories to which the override applies. A category group or a
subcategory can be selected. Local categories are also displayed.
Classifications Select the classifications to which the override applies. When selected,
users can access web sites that provide content cache, and provide
searches for image, audio, and video files.
Scope Select one of the following: User, User Group, IP, or Profile. Depending on
the option selected, a different option appears below Scope.


User Enter the name of the user selected in Scope.
User Group Select a user group from the dropdown list.
IP Enter the IP address of the computer initiating the override.
Profile Select a protection profile from the dropdown list.
Off-site URLs Select Allow or Block. See the previous table for details about off-site
URLs.
Override End Time Specify when the override rule will end.

Creating local categories


User-defined categories can be created to allow users to block groups of URLs on a per-
profile basis. The categories defined here appear in the global URL category list when
configuring a protection profile. Users can rate URLs based on the local categories.
To create or view local categories, go to UTM > Web Filter > Local Categories.

Figure 310: Local categories list

Add Enter the name of the category then select Add.
Delete icon Select to remove the entry from the list.

Viewing the local ratings list


To view the local ratings list go to UTM > Web Filter > Local Ratings.

Figure 311: Local ratings list

The local ratings list has the following icons and features:

Create New Select to add a rating to the list.
Search Enter search criteria to filter the list.
1 - 3 of 3 The total number of local ratings in the list.
Page up icon Select to view the previous page.
Page down icon Select to view the next page.
Clear All icon Select to clear the table.
URL The rated URL. Select the green arrow to sort the list by URL.
Category The category or classification in which the URL has been placed. If the URL is
rated in more than one category or classification, trailing dots appear. Select
the gray funnel to open the Category Filter dialog box. When the list has been
filtered, the funnel changes to green.


Delete icon Select to remove the entry from the list.
Edit icon Select to edit the following information: URL, Category Rating, and
Classification Rating.

Figure 312: Category Filter

Clear Filter Select to remove all filters.


Category Name Select the blue arrow to expand the category.
Enable Filter Select to enable the filter for the category or the individual sub-category.
Classification Name The classifications that can be filtered.
Enable Filter Select to enable the classification filter.

Configuring local ratings


Users can create user-defined categories then specify the URLs that belong to the
category. This allows users to block groups of web sites on a per profile basis. The ratings
are included in the global URL list with associated categories and compared in the same
way the URL block list is processed.
The local ratings override the FortiGuard server ratings and appear in reports as “Local
Category”.
To create a local rating go to UTM > Web Filter > Local Ratings.


Figure 313: New Local Rating

URL Enter the URL to be rated.


Category Name Select the blue arrow to expand the category.
Enable Filter Select to enable the filter for the category or the individual sub-category.
Classification Name The classifications that can be filtered.
Enable Filter Select to enable the classification filter.

Category block CLI configuration


Use the hostname keyword for the webfilter fortiguard command to change the
default host name (URL) for the FortiGuard Web Filtering Service Point. The FortiGuard
Web Filtering Service Point name cannot be changed using the web-based manager.
Configure all FortiGuard Web Filtering settings using the CLI. For more information, see
the FortiGate CLI Reference for descriptions of the webfilter fortiguard keywords.


Antispam
This section explains how to configure the spam filtering options associated with a firewall
protection profile.
If you enable virtual domains (VDOMs) on the FortiGate unit, Antispam is configured
separately for each virtual domain. For details, see “Using virtual domains” on page 103.
This section describes:
• Antispam
• Banned word
• Black/White List
• Advanced antispam configuration
• Using wildcards and Perl regular expressions

Antispam
You can configure the FortiGate unit to manage unsolicited commercial email by detecting
and identifying spam messages from known or suspected spam servers.
The FortiGuard Antispam service from Fortinet is designed to manage spam. This service
includes an IP address black list, a URL black list, and spam filtering tools. The FortiGuard
Center accepts submission of spam email messages as well as reports of false positives.
For more information on the FortiGuard Center, visit the FortiGuard Center website at
www.fortiguardcenter.com.

Order of spam filtering


The FortiGate unit checks for spam using various filtering techniques. The order in which the
FortiGate unit applies these filters depends on the mail protocol.
Filters requiring a query to a server and a reply (FortiGuard Antispam Service and
DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other
filters are running. The first reply to trigger a spam action takes effect as soon as the reply
is received.
Each spam filter passes the email to the next if no matches or problems are found. If the
action in the filter is Mark as Spam, the FortiGate unit tags or discards (SMTP only) the
email according to the settings in the protection profile. If the action in the filter is Mark as
Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as
Reject, the email session is dropped. Rejected SMTP email messages are substituted
with a configurable replacement message.

Order of SMTP spam filtering


1 IP address BWL check on last hop IP.
2 DNSBL & ORDBL check on last hop IP, FortiGuard Antispam IP check on last hop IP,
HELO DNS lookup.
3 MIME headers check, E-mail address BWL check.
4 Banned word check on email subject.


5 IP address BWL check (for IPs extracted from “Received” headers).


6 Banned word check on email body.
7 Return email DNS check, FortiGuard Anti Spam check, DNSBL & ORDBL check on
public IP extracted from header.

Order of POP3 and IMAP spam filtering


1 MIME headers check, E-mail address BWL check.
2 Banned word check on email subject.
3 IP BWL check.
4 Banned word check on email body.
5 Return e-mail DNS check, FortiGuard AntiSpam check, DNSBL & ORDBL check.

Anti-spam filter controls


Spam filters are configured for system-wide use, but enabled on a per profile basis.
Table 39 describes the Antispam settings and where to configure and access them.
To access protection profile Antispam options, go to Firewall > Protection Profile, select
the Edit icon beside an existing profile, or select Create New. Select Spam Filtering.
Table 39: AntiSpam and Protection Profile spam filtering configuration

Protection Profile spam filtering option: IP address FortiGuard Antispam check
Configure the FortiGuard Antispam service. Fortinet has its own DNSBL server for FortiGuard
Antispam that provides spam IP address and URL blacklists. Fortinet keeps the FortiGuard
Antispam IP and URLs up-to-date as new spam sources are found.
AntiSpam setting: System > Maintenance > FortiGuard
Enable FortiGuard Antispam, check the status of the FortiGuard Antispam server, view the
license type and expiry date, and configure the cache. For more information, see “Configuring
the FortiGate unit for FDN and FortiGuard subscription services” on page 260.

Protection Profile spam filtering option: IP address BWL check
Black/white list check. Configure the checking of incoming IP addresses against the
configured spam filter IP address list. (SMTP only.)
AntiSpam setting: UTM > AntiSpam > IP Address
Add to and edit IP addresses to the list. You can configure the action to take as spam, clear,
or reject for each IP address. You can place an IP address anywhere in the list. The filter
checks each IP address in sequence. (SMTP only.)

Protection Profile spam filtering option: DNSBL & ORDBL check
Enable or disable checking email traffic against configured DNS Blackhole List (DNSBL) and
Open Relay Database List (ORDBL) servers.
AntiSpam setting: Command line only
Add or remove DNSBL and ORDBL servers to and from the list. You can configure the action
to take as spam or reject for email identified as spam from each server (SMTP only).
DNSBL and ORDBL configuration can only be changed using the command line interface.
For more information, see the FortiGate CLI Reference.

Protection Profile spam filtering option: HELO DNS lookup
Enable or disable checking the source domain name against the registered IP address in the
Domain Name Server. If the source domain name does not match the IP address, the email is
marked as spam and the action selected in the protection profile is taken.
AntiSpam setting: n/a


Protection Profile spam filtering option: E-mail address BWL check
Enable or disable checking incoming email addresses against the configured spam filter
email address list.
AntiSpam setting: UTM > AntiSpam > E-mail Address
Add to and edit email addresses to the list, with the option of using wildcards and regular
expressions. You can configure the action as spam or clear for each email address. You can
place an email address anywhere in the list. The filter checks each email address in
sequence.

Protection Profile spam filtering option: Return e-mail DNS check
Enable or disable checking the incoming email return address domain against the registered
IP address in the Domain Name Server. If the return address domain name does not match
the IP address, the email is marked as spam and the action selected in the protection profile
is taken.
AntiSpam setting: n/a

Protection Profile spam filtering option: MIME headers check
Enable or disable checking source MIME headers against the configured spam filter MIME
header list.
AntiSpam setting: Command line only
Add to and edit MIME headers, with the option of using wildcards and regular expressions.
You can configure the action for each MIME header as spam or clear.
DNSBL and ORDBL configuration can only be changed using the command line interface.
For more information, see the FortiGate CLI Reference.

Protection Profile spam filtering option: Banned word check
Enable or disable checking source email against the configured spam filter banned word list.
AntiSpam setting: UTM > AntiSpam > Banned Word
Add to and edit banned words to the list, with the option of using wildcards and regular
expressions. You can configure the language and whether to search the email body, subject,
or both. You can configure the action to take as spam or clear for each word.

Protection Profile spam filtering option: Spam Action
The action to take on email identified as spam. POP3 and IMAP messages are tagged.
Choose Tagged or Discard for SMTP messages. You can append a custom word or phrase to
the subject or MIME header of tagged email. You can choose to log any spam action in the
event log.
For IMAP, spam email may be tagged only after the user downloads the entire message by
opening the email, since some IMAP email clients initially download only the envelope portion
of the email message. For details, see “Spam Filtering options” on page 402.
Tag location: Affix the tag to the subject or MIME header of the email identified as spam.
Tag format: Enter a word or phrase (tag) to affix to email identified as spam.
Add event into the system log: Enable or disable logging of spam actions to the event log.
AntiSpam setting: n/a


Banned word
Control spam by blocking email messages containing specific words or patterns. If
enabled in the protection profile, the FortiGate unit searches for words or patterns in email
messages. If matches are found, values assigned to the words are totalled. If a user-
defined threshold value is exceeded, the message is marked as spam. If no match is
found, the email message is passed along to the next filter.
Use Perl regular expressions or wildcards to add banned word patterns to the list.

Note: Perl regular expression patterns are case sensitive for antispam banned words. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of bad language regardless of case. Wildcard
patterns are not case sensitive.

Viewing the banned word list catalog


You can add a maximum of two antispam banned word lists and then select the best
antispam banned word list for each protection profile. To view the antispam banned word
list catalog, go to UTM > AntiSpam > Banned Word. To view any individual antispam
banned word list, select the Edit icon for the list you want to see.

Figure 314: Sample antispam banned word list catalog


Create New Add a new list to the catalog. For more information, see “Creating a new
banned word list” on page 480.
Name The available antispam banned word lists.
# Entries The number of entries in each antispam banned word list.
Profiles The protection profiles each antispam banned word list has been applied to.
Comments Optional description of each antispam banned word list.
Delete icon Remove the antispam banned word list from the catalog. The delete icon is
available only if the antispam banned word list is not selected in any protection
profiles.
Edit icon Modify the antispam banned word list, list name, or list comment.

To use the banned word list, select antispam banned word lists in protection profiles. For
more information, see “Spam Filtering options” on page 402.

Creating a new banned word list


To add an antispam banned word list to the antispam banned word list catalog, go to
UTM > AntiSpam > Banned Word and select Create New.

Figure 315: New AntiSpam Banned Word list dialog box


Name Enter the name of the new list.


Comments Enter a comment to describe the list, if required.

Viewing the antispam banned word list


The FortiGate unit checks each email message against the antispam banned word list.
The FortiGate unit can sort email messages containing those banned words in the subject,
body, or both. The score value of each banned word appearing in the message is added,
and if the total is greater than the threshold value set in the protection profile, the
FortiGate unit processes the message according to the Spam Action setting in the
protection profile. The score for a pattern is applied only once even if the word appears in
the message multiple times.
To view the banned word list, go to UTM > AntiSpam > Banned Word and select the Edit
icon of the banned word list you want to view.

Figure 316: Sample banned word List


Name Banned word list name. To change the name, edit text in the name field and
select OK.
Comments Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create New Select to add a word or phrase to the banned word list.
Current Page The current page number of list items that are displayed. Select the left and right
arrows to display the first, previous, next or last page of the banned word list.
Remove All Clear the table.
Entries icon
Pattern The list of banned words. Select the check box to enable all the banned words in
the list.
Pattern Type The pattern type used in the banned word list entry. Choose from wildcard or
regular expression. For more information, see “Using wildcards and Perl regular
expressions” on page 488.
Language The character set to which the banned word belongs.
Where The location where the FortiGate unit searches for the banned word: Subject,
Body, or All.


Score A numerical weighting applied to the banned word. The score values of all the
matching words appearing in an email message are added, and if the total is greater than
the Banned word check value set in the protection profile, the email is processed according
to whether the spam action is set to Discard or Tagged in the protection profile. The score
for a banned word is counted once even if the word appears multiple times in the email. For
more information, see “Configuring a protection profile” on page 393.
Delete and Edit icons Delete or edit the banned word.

Adding words to the banned word list


For a single word, the FortiGate unit blocks all email containing the word. For a phrase,
the FortiGate unit blocks all email containing the exact phrase. To block any word in a
phrase, use Perl regular expressions.

To add a banned word list name


1 Go to UTM > AntiSpam > Banned Word.
2 Select Create New.
3 Enter the banned word list name.
4 Optionally, enter any comments about the name.
5 Select OK.

To add a banned word


1 Go to UTM > AntiSpam > Banned Word.
2 For the banned word list name to which you want to add a banned word, select Edit.
3 Select Create New.

Pattern Enter the word or phrase you want to include in the banned word list.
Pattern Type Select the pattern type for the banned word. Choose from wildcard or regular
expression. For more information, see “Using wildcards and Perl regular
expressions” on page 488.
Language Select the character set for the banned word.
Where Select where the FortiGate unit should search for the banned word: Subject,
Body, or All.
Score A numerical weighting applied to the banned word. The score values of all the
matching words appearing in an email message are added, and if the total is greater than
the Banned word check value set in the protection profile, the email is processed according
to whether the spam action is set to Discard or Tagged in the protection profile. The score
for a banned word is counted once even if the word appears multiple times in the email. For
more information, see “Configuring a protection profile” on page 393.
Enable Select to enable scanning for the banned word.

4 Select OK.


Black/White List
The FortiGate unit uses both an IP address list and an email address list to filter incoming
email, if enabled in the protection profile.
When performing an IP address list check, the FortiGate unit compares the IP address of
the message sender to the IP address list in sequence. When performing an email list
check, the FortiGate unit compares the email address of the message sender to the email
address list in sequence. If a match is found, the action associated with the IP address or
email address is taken. If no match is found, the message is passed to the next enabled
spam filter.

Viewing the antispam IP address list catalog


You can add a maximum of two antispam IP address lists and then select the best one for
each protection profile. To view the antispam IP address list catalog, go to UTM >
AntiSpam > IP Address. To view any individual antispam IP address list, select the Edit
icon for the list you want to see.

Figure 317: Sample antispam IP address list catalog


Create New Add a new IP address list to the catalog.


Name The names of the available antispam IP address lists.
# Entries The number of entries in each antispam IP address list.
Profiles The protection profiles each antispam IP address list has been applied to.
Comments Optional description of each antispam IP address list.
Delete icon Remove the antispam IP address list from the catalog. The delete icon is
available only if the antispam IP address list is not selected in any protection
profiles.
Edit icon Edit the antispam IP address list, list name, or list comment.

Creating a new antispam IP address list


To add an antispam IP address list to the antispam IP address list catalog, go to UTM >
AntiSpam > IP Address and select Create New.

Figure 318: New AntiSpam IP Address list dialog box

Name Enter the name of the new list.


Comments Enter a comment to describe the list, if required.


Viewing the antispam IP address list


Configure the FortiGate unit to filter email from specific IP addresses. The FortiGate unit
compares the IP address of the sender to the check list in sequence. Mark each IP
address as clear, spam, or reject. Filter single IP addresses or a range of addresses at the
network level by configuring an address and mask.
To view the antispam IP address list, go to UTM > AntiSpam > IP Address and select the
Edit icon of the antispam IP address list you want to view.

Figure 319: Sample IP address list



Name Antispam IP address list name. To change the name, edit text in the name field
and select OK.
Comments Optional comment. To add or edit a comment, enter text in the comments field
and select OK.
Create New Add an IP address to the antispam IP address list.
Current Page The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of the IP address
list.
Remove All Entries Clear the table.
icon
IP address/Mask The list of IP addresses.
Action The action to take on email from the configured IP address. Actions are: Spam
to apply the configured spam action, Clear to bypass this and remaining spam
filters, or Reject (SMTP only) to drop the session.
If an IP address is set to reject but mail is delivered from that IP address via
POP3 or IMAP, the email messages will be marked as spam.
Delete icon Remove the address from the list.
Edit icon Edit address information.
Move To icon Select to move the entry to a different position in the list.
The firewall policy executes the list from top to bottom. For example, if you
have IP address 192.168.100.1 listed as spam and 192.168.100.2 listed as
clear, you must put 192.168.100.1 above 192.168.100.2 for 192.168.100.1 to
take effect.


Adding an antispam IP address


After creating an IP address list, you can add IP addresses to the list.
Enter an IP address or a pair of IP address and mask in the following formats:
• x.x.x.x, for example, 192.168.69.100.
• x.x.x.x/x.x.x.x, for example, 192.168.69.100/255.255.255.0
• x.x.x.x/x, for example, 192.168.69.100/24
To add an IP address go to UTM > AntiSpam > IP Address. For the IP address list name
to which you want to add an IP address, select Edit. Then select Create New.

Figure 320: Adding an antispam IP address

IP Address/Mask Enter the IP address or the IP address/mask pair.


Action Select: Mark as Spam to apply the spam action configured in the protection
profile, Mark as Clear to bypass this and remaining spam filters, or Mark as
Reject (SMTP only) to drop the session.
Enable Select to enable the address.

Viewing the antispam email address list catalog


You can add a maximum of two antispam email address lists and then select the best one
for each protection profile. To view the antispam email address list catalog, go to UTM >
AntiSpam > E-mail Address. To view any individual antispam email address list, select the
Edit icon for the list you want to see.

Figure 321: Sample antispam email address list catalog


Create New Create a new antispam address list.


Name The available antispam email address lists.
# Entries The number of entries in each antispam email address list.
Profiles The protection profiles each antispam email address list has been applied to.
Comments Optional description of each antispam email address list.
Delete icon Remove the antispam email address list from the catalog. The delete icon is
only available if the antispam email address list is not selected in any
protection profiles.
Edit icon Edit the antispam email address list, list name, or list comment.


You enable antispam email addresses in protection profiles. For more information, see
“Spam Filtering options” on page 402.

Creating a new antispam email address list


To add an antispam email address list to the antispam email address list catalog, go to
UTM > AntiSpam > E-mail Address and select Create New.

Figure 322: New AntiSpam E-mail Address list dialog box

Name Enter the name of the new list.


Comment Enter a comment to describe the list, if required.

Viewing the antispam email address list


The FortiGate unit can filter email from specific senders or all email from a domain (such
as example.net).
To view the antispam email address list, go to UTM > AntiSpam > E-mail Address and
select the Edit icon of the antispam email address list you want to view.

Figure 323: Sample email address list



Name Antispam email address list name. To change the name, edit text in the name
field and select OK.
Comments Optional comment. To add or edit comment, enter text in comment field and
select OK.
Create New Add an email address to the email address list.
Current Page The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of the email address
list.
Remove All Entries Clear the table.
icon
Email address The list of email addresses.
Pattern Type The pattern type used in the email address entry.


Action The action to take on email from the configured address. Actions are: Spam to
apply the spam action configured in the protection profile, or Clear to let the
email message bypass this and remaining spam filters.
Delete icon Remove the email address from the list.
Edit icon Edit the address information.
Move To icon Move the entry to a different position in the list.
The firewall policy executes the list from top to bottom. For example, if you
have [email protected] listed as clear and *@example.com as spam, you
must put [email protected] above *@example.com for [email protected]
to take effect.

Configuring the antispam email address list


To add an email address or domain to a list, go to UTM > AntiSpam > E-mail Address.
Select the Edit icon beside the list you want to add the address to. Select Create New,
enter the information below and select OK.

Figure 324: Add E-mail Address

E-Mail Address Enter the email address.


Pattern Type Select a pattern type: Wildcard or Regular Expression. For more information,
see “Using wildcards and Perl regular expressions” on page 488.
Action Select: Mark as Spam to apply the spam action configured in the protection
profile, or Mark as Clear to bypass this and remaining spam filters.
Enable Select to enable the email address for spam checking.

Advanced antispam configuration


Advanced antispam configuration covers only command line interface (CLI) commands
not represented in the web-based manager. For complete descriptions and examples of
how to use CLI commands, see the FortiGate CLI Reference.

config spamfilter mheader


Use this command to configure email filtering based on the MIME (Multipurpose Internet
Mail Extensions) header. MIME header filtering is enabled within each protection profile.
The FortiGate unit compares the MIME header key-value pair of incoming email to the list
pair in sequence. If a match is found, the corresponding action is taken. If no match is
found, the email is passed on to the next spam filter.
MIME headers are added to email to describe content type and content encoding, such as
the type of text in the email body or the program that generated the email. Some examples
of MIME headers include:
• X-mailer: outgluck
• X-Distribution: bulk
• Content_Type: text/html
• Content_Type: image/jpg


The first part of the MIME header is called the header or header key. The second part is
called the value. Spammers often insert comments into header values or leave them
blank. These malformed headers can fool some spam and virus filters.
Use the MIME headers list to mark email from certain bulk mail programs or with certain
types of content that are common in spam messages. Mark the email as spam or clear for
each header configured.

config spamfilter dnsbl


Use this command to configure email filtering using DNS-based Blackhole List (DNSBL),
and Open Relay Database List (ORDBL) servers. DNSBL and ORDBL filtering is enabled
within each protection profile.
The FortiGate unit compares the IP address or domain name of the sender to any
database lists configured, in sequence. If a match is found, the corresponding action is
taken. If no match is found, the email is passed on to the next spam filter.
Some spammers use unsecured third party SMTP servers to send unsolicited bulk email.
Using DNSBLs and ORDBLs is an effective way to tag or reject spam as it enters the
network. These lists act as domain name servers that match the domain of incoming email
to a list of IP addresses known to send spam or allow spam to pass through.
There are several free and subscription servers available that provide reliable access to
continually updated DNSBLs and ORDBLs. Check with the service you are using to
confirm the correct domain name for connecting to the server.

Note: Because the FortiGate unit uses the server domain name to connect to the DNSBL
or ORDBL server, it must be able to look up this name on the DNS server. For information
on configuring DNS, see “Configuring Networking Options” on page 146.

Using wildcards and Perl regular expressions


Email address list, MIME headers list, and banned word list entries can include wildcards
or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular
expressions.

Regular expression vs. wildcard match pattern


A wildcard character is a special character that represents one or more other characters.
The most commonly used wildcard characters are the asterisk (*), which typically
represents zero or more characters in a string of characters, and the question mark (?),
which typically represents any one character.
In Perl regular expressions, the ‘.’ character refers to any single character. It is similar to
the ‘?’ character in a wildcard match pattern. As a result:
• fortinet.com not only matches fortinet.com but also fortinetacom, fortinetbcom,
fortinetccom, and so on.
To match a special character such as ‘.’ or ‘*’, use the escape character ‘\’. For example:
• To match fortinet.com, the regular expression should be: fortinet\.com
In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not
0 or more times of any character. For example:
• forti*.com matches fortiiii.com but does not match fortinet.com


To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’
means 0 or more times. For example, the wildcard match pattern forti*.com should
therefore be fort.*\.com.

Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression “test” not only matches the word “test” but also any word
that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b”
specifies the word boundary. To match exactly the word “test”, the expression should be
\btest\b.

Case sensitivity
Regular expression pattern matching is case sensitive in the web and antispam filters. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of “bad language”, regardless of case.
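The banned word scoring rule from the Banned word section (each pattern counted once, the total compared with the protection profile threshold, searched in Subject, Body or All) together with the wildcard-to-regex translation, the /i option and the \b word boundary described in this section, written up as an added example rather than FortiOS code. The BannedWord record, the sample entries, the sample message and the threshold value are constructed for this example.

```python
"""Banned word scoring with wildcard and Perl-style regular expression patterns.
Added example, not FortiOS code: the pattern types, Where values, once-per-pattern
scoring and threshold rule follow the guide; BannedWord, the sample entries, the
sample message and the threshold are constructed here."""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class BannedWord:
    pattern: str
    pattern_type: str      # "wildcard" or "regexp"
    where: str             # "subject", "body" or "all"
    score: int
    enabled: bool = True


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate a wildcard pattern: '*' -> '.*', '?' -> '.', everything else escaped,
    so a '.' in the pattern matches only a literal dot. Wildcards are not case sensitive."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts), re.IGNORECASE)


def perl_regex(pattern: str) -> "re.Pattern":
    """Compile a Perl-style pattern. A leading '/' selects the /pattern/options form;
    'i' (ignore case) and 'x' (ignore unescaped white space) are honoured here.
    Without options the pattern is case sensitive, as the guide notes."""
    flags = 0
    if pattern.startswith("/"):
        end = pattern.rfind("/")
        if end == 0:
            raise ValueError("second '/' missing in pattern %r" % pattern)
        options = pattern[end + 1:]
        flags |= re.IGNORECASE if "i" in options else 0
        flags |= re.VERBOSE if "x" in options else 0
        pattern = pattern[1:end]
    return re.compile(pattern, flags)


def compile_entry(entry: BannedWord) -> "re.Pattern":
    if entry.pattern_type == "wildcard":
        return wildcard_to_regex(entry.pattern)
    return perl_regex(entry.pattern)


def banned_word_score(subject: str, body: str,
                      entries: List[BannedWord]) -> Tuple[int, List[str]]:
    """Add up the scores of matching, enabled entries. Each entry is searched only
    where its Where value says, and its score counts once however often it occurs."""
    texts = {"subject": [subject], "body": [body], "all": [subject, body]}
    total, matched = 0, []
    for entry in entries:
        if not entry.enabled:
            continue
        rx = compile_entry(entry)
        if any(rx.search(text) for text in texts[entry.where]):
            total += entry.score
            matched.append(entry.pattern)
    return total, matched


def is_spam(subject: str, body: str, entries: List[BannedWord], threshold: int):
    """Mark as spam when the total exceeds the profile's Banned word check value."""
    total, matched = banned_word_score(subject, body, entries)
    return total > threshold, total, matched


# Constructed list, reusing patterns discussed in this chapter.
ENTRIES = [
    BannedWord("/try it for free/i", "regexp", "subject", 10),
    BannedWord("/bad language/i", "regexp", "all", 10),
    BannedWord(r"\btest\b", "regexp", "body", 5),      # whole word only, not "testimony"
    BannedWord("forti*.com", "wildcard", "body", 5),   # literal dot, unlike the regex forti*.com
    BannedWord("student loans", "regexp", "all", 10, enabled=False),
]
SAMPLE_SUBJECT = "TRY IT FOR FREE"   # constructed
SAMPLE_BODY = ("Bad language here, and bad language again. Visit fortinet.com. "
               "A test, and a testimony about student loans.")   # constructed
THRESHOLD = 20                       # constructed profile value

if __name__ == "__main__":
    print(is_spam(SAMPLE_SUBJECT, SAMPLE_BODY, ENTRIES, THRESHOLD))
```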

Perl regular expression formats


Table 40 lists and describes some example Perl regular expression formats.
Table 40: Perl regular expression formats

Expression Matches
abc “abc” (the exact character sequence, but anywhere in the string)
^abc “abc” at the beginning of the string
abc$ “abc” at the end of the string
a|b Either “a” or “b”
^abc|abc$ The string “abc” at the beginning or at the end of the string
ab{2,4}c “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c “a” followed by at least two “b”s followed by a “c”
ab*c “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c “a” followed by one or more “b”s followed by a “c”
ab?c “a” followed by an optional “b” followed by a “c”; that is, either “abc” or “ac”
a.c “a” followed by any single character (not newline) followed by a “c”
a\.c “a.c” exactly
[abc] Any one of “a”, “b” and “c”
[Aa]bc Either of “Abc” and “abc”
[abc]+ Any (nonempty) string of “a”s, “b”s and “c”s (such as “a”, “abba”, “acbabcacaa”)
[^abc]+ Any (nonempty) string which does not contain any of “a”, “b”, and “c” (such as “defg”)
\d\d Any two decimal digits, such as 42; same as \d{2}
/i Makes the pattern case insensitive. For example, /bad language/i blocks any instance of bad language regardless of case.
\w+ A “word”: a nonempty sequence of alphanumeric characters and low lines (underscores), such as foo and 12bar8 and foo_1
100\s*mk The strings “100” and “mk” optionally separated by any amount of white space (spaces, tabs, newlines)
abc\b “abc” when followed by a word boundary (for example, in “abc!” but not in “abcd”)

FortiGate Version 4.0 Administration Guide


01-400-89802-20090219 489
http://docs.fortinet.com/ • Feedback
Using wildcards and Perl regular expressions Antispam

Table 40: Perl regular expression formats (Continued)


perl\B “perl” when not followed by a word boundary (for example, in “perlert” but
not in “perl stuff”)
\x Tells the regular expression parser to ignore white space that is neither
preceded by a backslash character nor within a character class. Use this
to break up a regular expression into (slightly) more readable parts.
/x Used to add regular expressions within other text. If the first character in
a pattern is forward slash '/', the '/' is treated as the delimiter. The pattern
must contain a second '/'. The pattern between ‘/’ will be taken as a
regular expressions, and anything after the second ‘/’ will be parsed as a
list of regular expression options ('i', 'x', etc). An error occurs if the
second '/' is missing. In regular expressions, the leading and trailing
space is treated as part of the regular expression.

Example regular expressions

Block any word in a phrase


/block|any|word/

Block purposely misspelled words


Spammers often insert other characters between the letters of a word to fool spam
blocking software.
/^.*v.*i.*a.*g.*r.*o.*$/i
/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i

Block common spam phrases


The following phrases are some examples of common phrases found in spam messages.
/try it for free/i
/student loans/i
/you’re already approved/i
/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i
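As an added example (not from the guide), the following Python code evaluates the page's own expressions using the delimiter-and-options syntax Table 40 describes. Python's re module stands in for the Perl engine, which is an assumption that holds for the constructs used on this page; the sample strings are constructed.

```python
import re

# Added example (not FortiOS code): a small evaluator for the pattern syntax
# described in Table 40. Python's re module stands in for the Perl engine;
# the expressions on this page use only constructs the two engines share.
OPTION_FLAGS = {"i": re.IGNORECASE, "x": re.VERBOSE}


def parse_pattern(text):
    """Split a FortiGate-style pattern into (expression, re flags).

    Follows the /x row of Table 40 literally: a leading '/' makes '/' the
    delimiter, the expression runs up to the second '/', everything after it
    is a list of single-letter options, and a missing second '/' is an error.
    A pattern that does not start with '/' is used as-is with no options.
    Leading and trailing spaces inside the delimiters are kept, because the
    guide says they are part of the expression.
    """
    if not text.startswith("/"):
        return text, 0
    end = text.find("/", 1)
    if end == -1:
        raise ValueError("pattern starts with '/' but the second '/' is missing")
    expression, options = text[1:end], text[end + 1:]
    flags = 0
    for option in options:
        if option not in OPTION_FLAGS:
            raise ValueError(f"unknown regular expression option {option!r}")
        flags |= OPTION_FLAGS[option]
    return expression, flags


def is_valid_pattern(text):
    """True when parse_pattern accepts the text and re can compile it."""
    try:
        expression, flags = parse_pattern(text)
        re.compile(expression, flags)
    except (ValueError, re.error):
        return False
    return True


def matches(pattern, subject):
    """True when the pattern is found anywhere in subject (a filter hit)."""
    expression, flags = parse_pattern(pattern)
    return re.search(expression, subject, flags) is not None


# The page's own example expressions, evaluated against constructed sample
# text (the subject strings are made up for this example).
EXAMPLES = [
    (r"test", "testimony", True),            # no boundary: substring match
    (r"\btest\b", "testimony", False),       # \b limits the hit to the whole word
    (r"\btest\b", "a test case", True),
    ("/bad language/i", "BAD LANGUAGE here", True),
    ("/block|any|word/", "pick any one", True),
    ("/^.*v.*i.*a.*g.*r.*o.*$/i", "V*I*A*G*R*O now", True),
    (r"/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i", "CRE*DIT", True),
    (r"/cr[eéèêë][\+\-\*=<>\.\,;!\?%&§@\^°\$£€\{\}()\[\]\|\\_01]dit/i", "credit", False),
    (r"/special[\+\-\*=<>\.\,;!\?%&~#§@\^°\$£€\{\}()\[\]\|\\_1]offer/i", "special#offer", True),
    (r"100\s*mk", "100mk", True),
    (r"perl\B", "perlert", True),
    (r"perl\B", "perl stuff", False),
    ("/ abc /", "x abc y", True),            # inner spaces are part of the pattern
    ("/ abc /", "xabcy", False),
    ("/a b c/x", "xabcx", True),             # the 'x' option ignores unescaped spaces
]


def check_examples():
    """Return the examples whose result differs from the expectation (none)."""
    return [(p, s) for p, s, expected in EXAMPLES if matches(p, s) != expected]


if __name__ == "__main__":
    for pattern, subject, expected in EXAMPLES:
        print(f"{pattern!r:72} on {subject!r:20} -> {matches(pattern, subject)}")
    print("mismatches:", check_examples())
```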


Data Leak Prevention


The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data
from leaving your network. You can define sensitive data patterns, and data matching
these patterns will be blocked and/or logged when passing through the FortiGate unit. The
DLP system is configured by creating individual rules, combining the rules into DLP
sensors, and then assigning a sensor to a protection profile.
Although the primary use of the DLP feature is to stop sensitive data from leaving your
network, it can also be used to prevent unwanted data from entering your network.
This section describes how to configure the DLP settings.
If you enable virtual domains (VDOMs) on the FortiGate unit, data leak prevention is
configured separately for each virtual domain. For details, see “Using virtual domains” on
page 103.
The following topics are included in this section:
• DLP Sensors
• DLP Rules
• DLP Compound Rules

DLP Sensors
DLP sensors are simply collections of DLP rules and DLP compound rules. Once a DLP
sensor is configured, it can be specified in a protection profile. Any traffic handled by the
policy in which the protection profile is specified will enforce the DLP sensor configuration.

Viewing the DLP sensor list


To view the available DLP sensors, go to UTM > Data Leak Prevention > Sensor.

Figure 325: DLP sensor list

Create New Select to create a new DLP sensor.


Name The DLP sensor name.
Comment The optional description of the DLP sensor.
Protection Profiles The names of the protection profiles in which the DLP sensor is
specified are listed.
Delete and Edit icons Delete or edit the DLP sensor.


Adding and configuring a DLP sensor


You can create a new DLP sensor and configure it to include the DLP rules and DLP
compound rules required to protect the traffic leaving your network.
A DLP sensor must be created before it can be configured by adding rules and compound
rules. To create a DLP sensor, go to UTM > Data Leak Prevention > Sensor and select
Create New. Enter the DLP sensor name and optional comment, and select OK. You can
then add the required rules and compound rules.
To configure a DLP sensor, go to UTM > Data Leak Prevention > Sensor and select the
Edit icon of the sensor to be configured. A list of the DLP rules and DLP compound rules
included in the DLP sensor is displayed. A newly created sensor will include no rules.

Figure 326: List of rules in a DLP sensor

Name The DLP sensor name.


Comment The optional description of the DLP sensor.
Create New Select Create New to add a new rule or compound rule to the sensor.
Enable You can disable a rule or compound rule by clearing this check box.
The item will be listed as part of the sensor, but it will not be used.
Rule name The names of the rules and compound rules included in the sensor.
Action The action configured for each rule. If the selected action is None, no
action will be listed.
Although archiving is enabled independent of the action, the Archive
designation will appear with the selected action.
For example, if you select the Block action and enable Archive for a
rule, the action displayed in the sensor rule list is Block, Archive.
Comment The optional description of the rule or compound rule.
Delete and Edit icons Delete or edit a rule or compound rule.

Adding or editing a rule in a DLP sensor


To add or edit a rule in a DLP sensor go to UTM > Data Leak Prevention > Sensor and
select the Edit icon of the sensor to be configured. To add a DLP rule to a sensor, select
Create New. To edit a rule already included in the sensor, select the edit icon of the sensor
you want to edit.


Figure 327: Adding a DLP rule to a DLP sensor

Action Select the action to be taken against traffic matching the configured
DLP rule or DLP compound rule. The actions are:
• None prevents the DLP rule from taking any action on network
traffic. Other matching rules in the same sensor and other sensors
may still operate on matching traffic.
• Block prevents the traffic matching the rule from being delivered.
• Exempt prevents any DLP sensors from taking action on matching
traffic. This action overrides any other action from any matching
sensors.
• Ban if the user is authenticated, will block all traffic to or from the
user using the protocol that triggered the rule, and the user will be
added to the Banned User list. If the user is not authenticated, all
traffic of the protocol that triggered the rule from the user will be
blocked. For more information on the Banned User list, see
“Banned user list” on page 566.
• Ban Sender will add the sender of matching email/IM messages to
the Banned User list. This action is available only for IM and email
protocols. For more information on the Banned User list, see
“Banned user list” on page 566.
• Quarantine IP address blocks access to the network from any IP
address that sends traffic matching a sensor with this action. The
IP address is added to the Banned User list. For more information
on the Banned User list, see “Banned user list” on page 566.
• Quarantine Interface blocks access to the network from any client
on the interface that sends traffic matching a sensor with this
action.
Archive Enable this setting to archive any traffic matching the configured rule.
Member Type Select Rule or Compound Rule. The rules of the selected type will be
displayed in the table below.
Name The names of all available rules or compound rules.
Description The optional description entered for each rule or compound rule.

Tip: The None action can be extremely useful when used with the Archive function.
Together, these two settings will have a rule log matching traffic but allow it to pass. This
can be useful when adding a new rule to a FortiGate unit handling live traffic. The effect of
the new rule can be checked before it has any effect on network traffic.


DLP Rules
DLP rules are the core element of the data leak prevention feature. These rules define the
data to be protected so the FortiGate unit can recognize it. For example, an included rule
uses a regular expression to describe a Social Security number:
([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}
Rather than having to list every possible Social Security number, this regular expression
describes the structure of a Social Security number. The pattern is easily recognizable by
the FortiGate unit. For more information about regular expressions, see “Using wildcards
and Perl regular expressions” on page 488.
DLP rules can be combined into compound rules and they can be included in sensors. If
rules are specified directly in a sensor, traffic matching any single rule will trigger the
configured action. If the rules are first combined into a compound rule and then specified
in a sensor, every rule in the compound rule must match the traffic to trigger the configured
action.
Individual rules in a sensor are linked with an implicit OR condition while rules within a
compound rule are linked with an implicit AND condition.

Viewing the DLP rule list


To view the DLP rule list, go to UTM > Data Leak Prevention > Rule.

Figure 328: The DLP rule list

Create New Select Create New to add a new rule.


Name The rule name.
Comments The optional description of the rule.
Compound Rules If the rule is included in any compound rules, the compound rule
names are listed here.
DLP Sensors If the rule is used in any sensors, the sensor names are listed here.
Delete and Edit icons Delete or edit a rule.
If a rule is used in a compound rule or a sensor, the delete icon will
not be available. Remove the rule from the compound rule or sensor
and then delete it.


Adding or configuring DLP rules


Go to UTM > Data Leak Prevention > Rule. To add a new rule, select Create New. To edit
an existing rule, select the edit icon of the rule to be changed.

Figure 329: DLP rule for SMTP traffic

Name The name of the rule.


Comments An optional comment describing the rule.
Protocol Select the type of network traffic to which the rule will apply. The
available rule options will vary depending on the selected protocol.
AIM, ICQ, MSN, Yahoo! When you select the Instant Messaging protocol, the rule can be
applied to any or all of four IM types. Select the required types.
HTTP POST, HTTP GET When defining a rule for HTTP traffic, you can specify whether it shall
apply to HTTP get, HTTP post, or both types of commands.
PUT, GET When defining a rule for FTP traffic, you can specify whether it shall
apply to FTP get, FTP put, or both types of commands.
SMTP, IMAP, POP3 When you select the Email protocol, the rule can be applied to any or
all of three email traffic types. Select the required types.
Rule
Attachment size Check the attachment file size.
This option is available for Email.
Attachment type Search email messages for file types or file patterns as specified in the
selected file filter.
This option is available for Email.
Authenticated User Search for traffic from the specified authenticated user.
Binary file pattern Search for the specified binary string in network traffic.
Body Search for the specified string in the message or page body.
This option is available for Email, HTTP, and NNTP.
CGI parameters Search for the specified CGI parameters in any web page with CGI
code.
This option is available for HTTP.
Cookie Search the contents of cookies for the specified text.
This option is available for HTTP.
File is/not encrypted Check whether the file is or is not encrypted.


File text Search for the specified text in transferred text files or IM
conversations.
This option is available in FTP, IM, and NNTP.
File type Search for the specified file patterns and file types. The patterns and
types are configured in file filter lists, and a list is selected in the DLP rule.
For more information about file filter lists, see “File Filter” on page 429.
This option is available for FTP, HTTP, IM, and NNTP.
Hostname Search for the specified host name when contacting a HTTP server.
HTTP header Search for the specified string in HTTP headers.
Receiver Search for the specified string in the message recipient email address.
This option is available for Email.
Sender Search for the specified string in the message sender user ID or email
address.
This option is available for Email and IM.
Server Search for the server’s IP address in a specified address range.
This option is available for FTP and NNTP.
Subject Search for the specified string in the message subject.
This option is available for Email.
Transfer size Check the total size of the information transfer. In the case of email
traffic for example, the transfer size includes the message header,
body, and any encoded attachment.
URL Search for the specified URL in HTTP traffic.
User group Search for traffic from any user in the specified user group.
Rule operators:

matches/does not match This operator specifies whether the FortiGate unit is searching for the
presence of specified string, or for the absence of the specified string.
• Matches: The rule will be triggered if the specified string is found in
network traffic.
• Does not match: The rule will be triggered if the specified string is
not found in network traffic.
ASCII/UTF-8 Select the encoding used for text files and messages.
Regular Expression/Wildcard Select the means by which patterns are defined. For more
information about wildcards and regular expressions, see “Using wildcards and Perl
regular expressions” on page 488.
is/is not This operator specifies if the rule is triggered when a condition is true
or not true.
• Is: The rule will be triggered if the rule is true.
• Is not: The rule will be triggered if the rule is not true.
For example, if a rule specifies that a file type is found within a
specified file type list, all matching files will trigger the rule.
Conversely, if the rule specifies that a file type is not found in a file
type list, only the file types not in the list would trigger the rule.
==/>=/<=/!= These operators allow you to compare the size of a transfer or
attached file to an entered value.
• == is equal to the entered value.
• >= is greater than or equal to the entered value.
• <= is less than or equal to the entered value.
• != is not equal to the entered value.


DLP Compound Rules


DLP compound rules are groupings of DLP rules that also change the way they behave
when added to a DLP sensor. Individual rules can be configured with only a single
attribute. When this attribute is discovered in network traffic, the rule is activated.
Compound rules allow you to group individual rules to specify far more detailed activation
conditions. Each included rule is configured with a single attribute, but every attribute must
be present before the rule is activated.
For example, create two rules and add them to a sensor:
• Rule 1 checks SMTP traffic for a sender address of [email protected]
• Rule 2 checks SMTP traffic for the word “sale” in the message body
When the sensor is used, either rule could be activated if its configured condition is true. If
only one condition is true, only the corresponding rule would be activated. Depending on
the contents of the SMTP traffic, neither, either, or both could be activated.
If you remove these rules from the sensor, add them to a compound rule, and add the
compound rule to the sensor, the conditions in both rules have to be present in network
traffic to activate the compound rule. If only one condition is present, the message passes
without any rule or compound rule being activated.
By combining the individually configurable attributes of multiple rules, compound rules
allow you to specify far more detailed and specific conditions to trigger an action.
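As an added example (not FortiOS code), the following Python model shows the OR/AND combination just described together with the sensor actions from “Adding or editing a rule in a DLP sensor”. The rule names, sender address and messages are constructed; the Block-over-None precedence is an assumption consistent with the action descriptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

# Added example, not FortiOS code: how rules, compound rules and sensors
# combine. Rules listed directly in a sensor are OR'ed; rules inside a
# compound rule are AND'ed. Only the None, Block and Exempt actions are
# modelled. Exempt overriding everything follows the guide; Block winning
# over None is an assumption consistent with "None takes no action, other
# matching rules may still operate".
Message = Dict[str, str]

# The guide's own Social Security number expression (from "DLP Rules").
SSN_PATTERN = r"([0-6]\d{2}|7([0-6]\d|7[0-2]))[ \-]?\d{2}[ \-]\d{4}"


@dataclass
class Rule:
    """One rule: a single attribute checked in one protocol's traffic."""
    name: str
    check: Callable[[Message], bool]

    def matches(self, msg: Message) -> bool:
        return self.check(msg)


@dataclass
class CompoundRule:
    """Every member rule must match (implicit AND)."""
    name: str
    rules: List[Rule]

    def matches(self, msg: Message) -> bool:
        return all(r.matches(msg) for r in self.rules)


@dataclass
class Member:
    """A rule or compound rule as listed in a sensor, with its action."""
    item: Union[Rule, CompoundRule]
    action: str            # "None", "Block" or "Exempt"
    archive: bool = False  # Archive is enabled independently of the action
    enabled: bool = True   # the Enable check box in the sensor rule list


@dataclass
class Sensor:
    name: str
    members: List[Member]

    def evaluate(self, msg: Message) -> dict:
        """Any enabled member that matches contributes its action (implicit OR)."""
        hits = [m for m in self.members if m.enabled and m.item.matches(msg)]
        actions = {m.action for m in hits}
        if "Exempt" in actions:
            decision = "Exempt"      # overrides any other matching action
        elif "Block" in actions:
            decision = "Block"
        else:
            decision = "Pass"        # no hit, or only None-action hits
        return {
            "decision": decision,
            "matched": [m.item.name for m in hits],
            "archive": any(m.archive for m in hits),
        }


def text_rule(name, protocol, field_name, pattern, ignore_case=True, negate=False):
    """Rule of the 'Sender/Body matches <regular expression>' kind.

    negate=True models the 'does not match' operator. The rule applies only
    to messages of its own protocol.
    """
    regex = re.compile(pattern, re.IGNORECASE if ignore_case else 0)

    def check(msg: Message) -> bool:
        if msg.get("protocol") != protocol:
            return False
        found = regex.search(msg.get(field_name, "")) is not None
        return found != negate

    return Rule(name, check)


# The two rules from the example above; the sender address is a constructed
# placeholder because the guide's own address is not given on this page.
RULE_SENDER = text_rule("sender-is-bob", "smtp", "sender", r"^bob@example\.com$")
RULE_SALE = text_rule("body-has-sale", "smtp", "body", r"\bsale\b")
RULE_SSN = text_rule("body-has-ssn", "smtp", "body", SSN_PATTERN, ignore_case=False)
COMPOUND = CompoundRule("bob-and-sale", [RULE_SENDER, RULE_SALE])

# The same two rules, once as individual members (OR) and once as a compound (AND)
SENSOR_OR = Sensor("rules-in-sensor", [Member(RULE_SENDER, "Block"), Member(RULE_SALE, "Block")])
SENSOR_AND = Sensor("compound-in-sensor", [Member(COMPOUND, "Block")])
# The Tip's None + Archive combination: matching traffic is logged but passes
SENSOR_AUDIT = Sensor("ssn-audit", [Member(RULE_SSN, "None", archive=True)])
# Exempt overrides a Block from another member of the same sensor
SENSOR_EXEMPT = Sensor("bob-exempt", [Member(RULE_SENDER, "Exempt"), Member(RULE_SALE, "Block")])

# Constructed sample messages
MSG_SALE_ONLY = {"protocol": "smtp", "sender": "alice@example.com", "body": "Big sale tomorrow"}
MSG_BOTH = {"protocol": "smtp", "sender": "bob@example.com", "body": "Our sale starts now"}
MSG_SSN = {"protocol": "smtp", "sender": "alice@example.com", "body": "SSN on file: 123-45-6789"}
MSG_HTTP = {"protocol": "http", "body": "sale 123-45-6789"}  # SMTP rules ignore it

if __name__ == "__main__":
    for sensor in (SENSOR_OR, SENSOR_AND, SENSOR_AUDIT, SENSOR_EXEMPT):
        for msg in (MSG_SALE_ONLY, MSG_BOTH, MSG_SSN, MSG_HTTP):
            print(sensor.name, repr(msg["body"]), "->", sensor.evaluate(msg))
```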

Viewing the DLP compound rule list


To view the DLP compound rule list, go to UTM > Data Leak Prevention > Compound.

Figure 330: DLP compound rule list

Create New Select Create New to add a new compound rule.


Name The compound rule name.
Comments The optional description of the compound rule.
DLP sensors If the compound rule is used in any sensors, the sensor names are
listed here.
Delete and Edit icons Delete or edit a compound rule.
If a compound rule is used in a sensor, the delete icon will not be
available. Remove the compound rule from the sensor and then delete
it.


Adding and configuring DLP compound rules


Go to UTM > Data Leak Prevention > Compound. To add a new compound rule, select
Create New. To edit an existing compound rule, select the edit icon of the compound rule
to be changed.

Figure 331: DLP compound rule

Add rule

Name The compound rule name.


Comments An optional description of the compound rule.
Protocol The network protocol to which the compound rule applies.
HTTP POST/GET When the protocol is set to HTTP, select whether to have the
compound rule apply to POST, GET, or both types of HTTP
transactions.
FTP PUT/GET When the protocol is set to FTP, select whether to have the compound
rule apply to PUT, GET, or both types of FTP transactions.
Rules Select the rule to include in the compound rule.
Add Rule Select the Add Rule icon to have another rule selection appear. This
way, multiple rules may be added to the compound rule.


Application control
This section describes how to configure the application control options associated with
firewall protection profiles.
If you enable virtual domains (VDOMs) on the FortiGate unit, the application control
configuration of each VDOM is entirely separate. For example, application lists created in
one VDOM will not be visible in other VDOMs. For details, see “Using virtual domains” on
page 103.
The following topics are included in this section:
• What is application control?

What is application control?


Application control is a UTM feature that allows your FortiGate unit to detect and take
action against network traffic depending on the application generating the traffic. Based on
FortiGate Intrusion Protection protocol decoders, application control is a more user-
friendly and powerful way to use Intrusion Protection features to log and manage the
behavior of application traffic passing through the FortiGate unit. Application control uses
IPS protocol decoders that can analyze network traffic to detect application traffic even if
the traffic uses non-standard ports or protocols.
The FortiGate unit can recognize the network traffic generated by more than 70
applications. You can create application control lists that specify what action will be taken
with the traffic of the applications you need to manage. Specify the application control list
in the protection profile applied to the network traffic you need to monitor. Create multiple
application control lists, each tailored to a particular network, for example.

Viewing the application control lists


Each application control list contains details about the application traffic to be monitored
and the actions to be taken when it is detected. To take effect, an application control list
must be selected in a protection profile.
No default lists are provided.
To view the application control lists, go to UTM > Application Control.

Figure 332: The application control lists

Create New Select Create New to add a new application control list.
Name The available application control lists.
# of Entries The number of application rules in each application control list.


Profiles The protection profile each application control list has been applied to.
If the list has not been applied to a protection profile, this field will be
blank.
Comment An optional description of each application control list.
Delete icon Select to remove the application control list. The delete icon is only
available if the application control list is not selected in any protection
profiles.
Edit icon Select to edit the application control list.

Creating a new application control list


To create a new application control list, go to UTM > Application Control > Control List and
select Create New. Enter a name and, optionally, a comment or description. Select OK.
Since a new application control list is blank, the list edit window appears. For information
on creating application control list entries, see “Configuring an application control list” on
page 500.

Figure 333: The create a new application control list dialog window

Name Enter the name of the application control list.


Comments Optionally, enter a comment or description.

Configuring an application control list


To configure an application control list, go to UTM > Application Control > Control List and
select the Edit icon of the list you want to configure.
The FortiGate unit examines network traffic for the application entries in the listed order,
one at a time, from top to bottom. Whenever a match is detected, the action specified in
the matching rule is applied to the traffic and further checks for application entry matches
are stopped. Because of this, you can use both actions to create a complex rule with fewer
entries.
For example, if your organization has standardized on AIM for instant messaging, you can
allow AIM and block all other IM clients with just two entries. First, create an entry in which
AIM is the specified application. Set the action to Pass. Then create an entry in which the
Category is im, the Application is all, and the action is Block. Since the entries are
checked from top to bottom, AIM traffic will trigger the first rule, and be passed. All other
detected IM traffic will trigger the second rule, and the FortiGate unit will block it.
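As an added example (not FortiOS code), the following Python evaluator shows the top-to-bottom, first-match processing described above with the AIM example; the behaviour when no entry matches (traffic is left alone) and the application names other than AIM and MSN are assumptions.

```python
# Added example, not FortiOS code: a model of the top-to-bottom, first-match
# evaluation of application control list entries. "no-match" for traffic that
# no entry covers is an assumption for illustration.


def entry_matches(entry, category, application):
    """An entry with Application 'all' covers its whole category; otherwise
    only the named application matters and Category has no effect."""
    if entry["application"] == "all":
        return entry["category"] == category
    return entry["application"] == application


def decide(entries, category, application):
    """Return (action, index of the entry that matched) or ("no-match", None)."""
    for index, entry in enumerate(entries):       # top to bottom
        if entry_matches(entry, category, application):
            return entry["action"], index          # first match stops the search
    return "no-match", None


# The page's two-entry example: allow AIM, block every other IM client
ALLOW_AIM_ONLY = [
    {"category": "im", "application": "aim", "action": "Pass"},
    {"category": "im", "application": "all", "action": "Block"},
]
# The same entries in the wrong order: the category-wide Block now fires first
WRONG_ORDER = list(reversed(ALLOW_AIM_ONLY))

if __name__ == "__main__":
    for app in ("aim", "msn"):
        print(app, decide(ALLOW_AIM_ONLY, "im", app), decide(WRONG_ORDER, "im", app))
    # "some-p2p-app" is a constructed name; no entry covers the p2p category
    print("some-p2p-app", decide(ALLOW_AIM_ONLY, "p2p", "some-p2p-app"))
```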


Figure 334: Editing an application control list

Name The name of the application control list.


Comments Enter or edit a comment about the list. The comment is optional.
Create New Select to create a new application entry.
ID A unique number used primarily when re-ordering application entries.
Category The category indicates the scope of the applications included in the
application entry if Application is set to all. For example, if Application
is all and Category is toolbar, then all the toolbar applications are
included in the application entry even though they are not specified
individually.
If Application is a single application, the value in Category has no
effect on the operation of the application entry.
Application The FortiGate unit will examine network traffic for the listed
application. If Application is all, every application in the selected
category is included.
Action If the FortiGate unit detects traffic from the specified application, the
selected action will be taken.
Logging If traffic from the specified application is detected, the FortiGate unit
will log the occurrence and the action taken.
Delete icon Select to delete the application entry.
Edit icon Select to edit the application entry.
Insert Application Before icon Select to create a new application entry above the entry in
which you selected the icon.
Move To icon Select to move the application entry to a different position in the list.

Adding or configuring an application control list entry


To add a new application control list entry or edit an existing one, go to UTM > Application
Control > Control list, and select the Edit icon for the list you want to modify. To add a new
entry, select Create New. To edit an existing entry, select the Edit icon of the entry you
want to modify.

Figure 335: The application control list entry for FTP.


Category The applications are categorized by type. If you want to choose an IM


application, for example, select the im category, and the application
list will show only the im applications.
The Category selection can also be used to specify an entire category
of applications. To select all IM applications for example, select the im
category, and select all as the application. This specifies all the IM
applications with a single application control list entry.
Application The FortiGate unit will examine network traffic for the listed
application. If Application is all, every application in the selected
category is included.
Action If the FortiGate unit detects traffic from the specified application, the
selected action will be taken.
Options
Session TTL The application’s session TTL. If this option is not enabled, the TTL
defaults to the setting of the config system session-ttl CLI
command.
Enable Logging When enabled, the FortiGate unit will log the occurrence and the
action taken if traffic from the specified application is detected.

In addition to these options, some IM applications and VoIP protocols have additional
options:

IM Options
Block Login Select to prevent users from logging in to the selected IM system.
Block File Transfers Select to prevent the sending and receiving of files using the selected
IM system.
Block Audio Select to prevent audio communication using the selected IM system.
Inspect Non-standard Port Select to allow the FortiGate unit to examine non-standard
ports for the IM client traffic.
Display content meta-information on the system dashboard Select to include
meta-information detected for the IM system on the FortiGate unit dashboard.
VoIP Options
Limit Call Setup Enter the maximum number of calls each client can set up per minute.
Limit REGISTER request Enter the maximum number of register requests per second
allowed for the firewall policy.
Limit INVITE request Enter the maximum number of invite requests per second allowed for
the firewall policy.
Enable Logging of Violations Select to enable logging of violations.


Application control statistics


The FortiGate unit maintains statistics on selected IM and P2P applications, and VoIP
protocols. You can use these statistics to gain insight into how the protocols are being
used within your network. To view these statistics, go to UTM > Application Control >
Statistics.

Figure 336: Application control statistics

Automatic Refresh Interval Select the automatic refresh interval for statistics. Set the
interval from none to 30 seconds.
Refresh Click to refresh the page with the latest statistics.
Reset Stats Click to reset the statistics to zero.
Users For each IM protocol, the following user information is listed:
• Current Users
• (Users) Since Last Reset
• (Users) Blocked.
Chat For each IM protocol, the following chat information is listed:
• Total Chat Sessions
• Server-based Chat (Sessions)
• Group Chat (Sessions)
• Direct/Private Chat (Sessions)
Messages For each IM protocol, the following message information is listed:
• Total Messages
• Sent
• Received


File Transfers For each IM protocol, the following file transfer information is listed:
• (Files transferred) Since Last Reset
• (Files) Sent
• (Files) Received
• (Files) Blocked.
Voice Chat For each IM protocol, the following voice chat information is listed:
• (Voice chats) Since Last Reset
• (Voice chats) Blocked.
P2P Usage For each P2P protocol, the following usage information is listed:
• Total Bytes (transferred)
• Average Bandwidth.
If the action for a P2P application is set to pass, the statistics will
display the total usage of the P2P application. Applications set to
Block will not affect the statistics.
Note that the same application can have different actions set in
different application control lists. In this case, the traffic handled by the
lists with the Pass action will be reflected in the statistics. The traffic
handled by the lists with the Block action will not be reflected.
VoIP Usage For SIP and SCCP protocol, the following information is listed:
• Active Sessions (phones connected, etc)
• Total Calls (since last reset)
• Calls Failed/Dropped
• Calls Succeeded


VPN IPSEC
This section provides information about Internet Protocol Security (IPSec) VPN
configuration options available through the web-based manager. FortiGate units support
both policy-based (tunnel-mode) and route-based (interface mode) VPNs.

Note: For information about how to configure an IPSec VPN, see the FortiGate IPSec VPN
User Guide.

If you enable virtual domains (VDOMs) on the FortiGate unit, VPN IPSec is configured
separately for each virtual domain. For details, see “Using virtual domains” on page 103.
This section describes:
• Overview of IPSec VPN configuration
• Policy-based versus route-based VPNs
• Auto Key
• Manual Key
• Internet browsing configuration
• Concentrator
• Monitoring VPNs

Overview of IPSec VPN configuration


FortiGate units implement the Encapsulated Security Payload (ESP) protocol. The
encrypted packets look like ordinary packets that can be routed through any IP network.
Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or
X.509 digital certificates. As an option, you can specify manual keys. Interface mode,
supported in NAT/Route mode only, creates a virtual interface for the local end of a VPN
tunnel.
Use the following configuration procedures for all IPSec VPNs:
1 Define the phase 1 parameters that the FortiGate unit needs to authenticate remote
peers or clients and establish a secure connection. See “Creating a new phase 1
configuration” on page 508.
2 Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel
with a remote peer or dialup client. See “Creating a new phase 2 configuration” on
page 512.

Note: You must use steps 1 and 2 if you want the FortiGate unit to generate unique
IPSec encryption and authentication keys automatically. If a remote VPN peer or client
requires a specific IPSec encryption or authentication key, you must configure the
FortiGate unit to use manual keys instead. For more information, see “Manual Key” on
page 515.

3 Create a firewall policy to permit communication between your private network and the
VPN. For a policy-based VPN, the firewall policy action is IPSEC. For an interface-
based VPN, the firewall policy action is ACCEPT. See “Configuring firewall policies” on
page 316.


For more information about configuring IPSec VPNs, see the FortiGate IPSec VPN User
Guide.

Policy-based versus route-based VPNs


FortiGate units support both policy-based and route-based VPNs. Generally, you can
configure route-based VPNs more easily than policy-based VPNs. However, the two types
have different requirements that limit where you can use them, as shown in Table 41.
Table 41: Comparison of policy-based and route-based VPNs

Policy-based
• Available in NAT/Route or Transparent mode.
• Requires a firewall policy with IPSEC action that specifies the VPN tunnel. One
policy controls connections in both directions.

Route-based
• Available only in NAT/Route mode.
• Requires only a simple firewall policy with ACCEPT action. A separate policy is
required for connections in each direction.

You create a policy-based VPN by defining an IPSEC firewall policy between two network
interfaces and associating it with the VPN tunnel (phase 1 or manual key) configuration.
You need only one firewall policy, even if either end of the VPN can initiate a connection.
You create a route-based VPN by enabling IPSec interface mode when you create the
VPN phase 1 or manual key configuration. This creates a virtual IPSec interface that is
bound to the local interface you selected. You then define an ACCEPT firewall policy to
permit traffic to flow between the virtual IPSec interface and another network interface. If
either end of the VPN can initiate the connection, you need two firewall policies, one for
each direction.
Virtual IPSec interface bindings are shown on the network interfaces page. (Go to System
> Network > Interface.) The names of all tunnels bound to physical, aggregate, VLAN,
inter-VDOM link or wireless interfaces are displayed under their associated interface
names in the Name column. For more information, see “Interfaces” on page 119. As with
other interfaces, you can include a virtual IPSec interface in a zone.

Hub-and-spoke configurations
To function as the hub of a hub-and-spoke VPN, the FortiGate unit provides a
concentrator function. This is available only for policy-based VPNs, but you can create the
equivalent function for a route-based VPN in any of the following ways:
• Define a firewall policy between each pair of IPSec interfaces that you want to
concentrate. This can be time-consuming to maintain if you have many site-to-site
connections, since the number of policies required increases rapidly as the number of
spokes increases.
• Put all the IPSec interfaces into a zone and then define a single zone-to-zone policy.
• Put all the IPSec interfaces in a zone and enable intra-zone traffic. There must be more
than one IPSec interface in the zone.
For more information and an example, see the FortiGate IPSec VPN User Guide.


Redundant configurations
Route-based VPNs help to simplify the implementation of VPN tunnel redundancy. You
can configure several routes for the same IP traffic with different route metrics. You can
also configure the exchange of dynamic (RIP, OSPF, or BGP) routing information through
VPN tunnels. If the primary VPN connection fails or the priority of a route changes through
dynamic routing, an alternative route will be selected to forward traffic through the
redundant connection.
A simple way to provide failover redundancy is to create a backup IPSec interface. You
can do this in the CLI. For more information, including an example configuration, see the
monitor-phase1 keyword for the ipsec vpn phase1-interface command in the
FortiGate CLI Reference.

Routing
Optionally, through the CLI, you can define a specific default route for a virtual IPSec
interface. For more information, see the default-gw keyword for the
vpn ipsec phase1-interface command in the FortiGate CLI Reference.

Auto Key
You can configure two VPN peers (or a FortiGate dialup server and a VPN client) to
generate unique Internet Key Exchange (IKE) keys automatically during the IPSec
phase 1 and phase 2 exchanges.
When you define phase 2 parameters, you can choose any set of phase 1 parameters to
set up a secure connection for the tunnel and authenticate the remote peer.
Auto Key configuration applies to both tunnel-mode and interface-mode VPNs.
To configure an Auto Key VPN, go to VPN > IPSEC > Auto Key (IKE).

Figure 337: Auto Key list

Create Phase 1 Create a new phase 1 tunnel configuration. For more information, see
“Creating a new phase 1 configuration” on page 508.
Create Phase 2 Create a new phase 2 configuration. For more information, see “Creating a
new phase 2 configuration” on page 512.
Phase 1 The names of existing phase 1 tunnel configurations.
Phase 2 The names of existing phase 2 configurations.
Interface Binding The names of the local interfaces to which IPSec tunnels are bound. These
can be physical, aggregate, VLAN, inter-VDOM link or wireless interfaces.
Delete and Edit icons Delete or edit a phase 1 configuration.


Creating a new phase 1 configuration


In phase 1, two VPN peers (or a FortiGate dialup server and a VPN client) authenticate
each other and exchange keys to establish a secure communication channel between
them. The basic phase 1 settings associate IPSec phase 1 parameters with a remote
gateway and determine:
• whether the various phase 1 parameters will be exchanged in multiple rounds with
encrypted authentication information (main mode) or in a single message with
authentication information that is not encrypted (Aggressive mode)
• whether a pre-shared key or digital certificates will be used to authenticate the
identities of the two VPN peers (or a VPN server and its client)
• whether a special identifier, certificate distinguished name, or group name will be used
to identify the remote VPN peer or client when a connection attempt is made.
To define basic IPSec phase 1 parameters, go to VPN > IPSEC > Auto Key (IKE) and
select Create Phase 1. For information about how to choose the correct phase 1 settings
for your particular situation, see the FortiGate IPSec VPN User Guide.

Figure 338: New Phase 1

Name Type a name to represent the phase 1 definition. The maximum
name length is 15 characters for an interface mode VPN, 35
characters for a policy-based VPN. If Remote Gateway is Dialup
User, the maximum name length is further reduced depending on the
number of dialup tunnels that can be established: by 2 for up to 9
tunnels, by 3 for up to 99 tunnels, 4 for up to 999 tunnels, and so on.
For a tunnel mode VPN, the name should reflect where the remote
connection originates. For a route-based tunnel, the FortiGate unit
also uses the name for the virtual IPSec interface that it creates
automatically.
Remote Gateway Select the category of the remote connection:
Static IP Address — If the remote peer has a static IP address.
Dialup User — If one or more FortiClient or FortiGate dialup clients
with dynamic IP addresses will connect to the FortiGate unit.
Dynamic DNS — If a remote peer that has a domain name and
subscribes to a dynamic DNS service will connect to the FortiGate
unit.
IP Address If you selected Static IP Address, type the IP address of the remote
peer.
Dynamic DNS If you selected Dynamic DNS, type the domain name of the remote
peer.

Local Interface This option is available in NAT/Route mode only. Select the name of
the interface through which remote peers or dialup clients connect to
the FortiGate unit.
By default, the local VPN gateway IP address is the IP address of
the interface that you selected. Optionally, you can specify a unique
IP address for the VPN gateway in the Advanced settings. For more
information, see “Local Gateway IP” on page 511.
Mode Select Main or Aggressive:
• In Main mode, the phase 1 parameters are exchanged in multiple
rounds with encrypted authentication information.
• In Aggressive mode, the phase 1 parameters are exchanged in a
single message with authentication information that is not
encrypted.
When the remote VPN peer has a dynamic IP address and is
authenticated by a pre-shared key, you must select Aggressive
mode if there is more than one dialup phase1 configuration for the
interface IP address.
When the remote VPN peer has a dynamic IP address and is
authenticated by a certificate, you must select Aggressive mode if
there is more than one phase 1 configuration for the interface IP
address and these phase 1 configurations use different proposals.
Peer Options settings may require a particular mode. See Peer
Options, below.
Authentication Method Select Pre-shared Key or RSA Signature.
Pre-shared Key If you selected Pre-shared Key, type the pre-shared key that the
FortiGate unit will use to authenticate itself to the remote peer or
dialup client during phase 1 negotiations. You must define the same
value at the remote peer or client. The key must contain at least 6
printable characters and should be known only by network
administrators. For optimum protection against currently known
attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.
Certificate Name If you selected RSA Signature, select the name of the server
certificate that the FortiGate unit will use to authenticate itself to the
remote peer or dialup client during phase 1 negotiations. For
information about obtaining and loading the required server
certificate, see the FortiGate Certificate Management User Guide.
Peer Options One or more of the following options are available to authenticate
VPN peers or clients, depending on the Remote Gateway and
Authentication Method settings.
Accept any peer ID Accept the local ID of any remote VPN peer or client. The FortiGate
unit does not check identifiers (local IDs). You can set Mode to
Aggressive or Main.
You can use this option with RSA Signature authentication. But, for
highest security, you should configure a PKI user/group for the peer
and set Peer Options to Accept this peer certificate only.
Accept this peer ID This option is available only if the remote peer has a dynamic IP
address. Enter the identifier that is used to authenticate the remote
peer. This identifier must match the identifier that the remote peer’s
administrator has configured.
If the remote peer is a FortiGate unit, the identifier is specified in the
Local ID field of the phase 1 configuration.
If the remote peer is a FortiClient dialup client, the identifier is
specified in the Local ID field, accessed by selecting Config in the
Policy section of the VPN connection’s Advanced Settings.

Accept peer ID in dialup group Authenticate multiple FortiGate or FortiClient dialup
clients that use unique identifiers and unique pre-shared keys (or unique pre-shared
keys only) through the same VPN tunnel.
You must create a dialup user group for authentication purposes.
(For more information, see “User Group” on page 554.) Select the
group from the list next to the Accept peer ID in dialup group option.
For more information about configuring FortiGate dialup clients, see
the FortiGate IPSec VPN User Guide. For more information about
configuring FortiClient dialup clients, see the Authenticating
FortiClient Dialup Clients Technical Note.
You must set Mode to Aggressive when the dialup clients use unique
identifiers and unique pre-shared keys. If the dialup clients use
unique pre-shared keys only, you can set Mode to Main if there is
only one dialup phase 1 configuration for this interface IP address.
Accept this peer certificate only This option is available when Authentication Method
is set to RSA Signature.
Authenticate remote peers or dialup clients that use a security
certificate. Select the certificate from the list next to the option.
You must add peer certificates to the FortiGate configuration before
you can select them here. For more information, see “PKI” on
page 553.
Accept this peer certificate group only This option is available when Authentication
Method is set to RSA Signature and Remote Gateway is set to Dialup User.
Use a certificate group to authenticate dialup clients that have
dynamic IP addresses and use unique certificates.
Select the name of the peer group from the list. You must first create
the group through the config user peergrp CLI command
before you can select it. For more information, see the “user” chapter
of the FortiGate CLI Reference. Members of the peer group must be
certificates added by using the config user peer CLI command.
You can also add peer certificates using the web-based manager.
For more information, see “PKI” on page 553.
Advanced Define advanced phase 1 parameters. For more information, see
“Defining phase 1 advanced settings” on page 510.

Defining phase 1 advanced settings


You use the advanced P1 Proposal parameters to select the encryption and
authentication algorithms that the FortiGate unit uses to generate keys for the IKE
exchange. You can also select these advanced settings to ensure the smooth operation of
phase 1 negotiations.
To modify IPSec phase 1 advanced parameters, go to VPN > IPSEC > Auto Key (IKE),
select Create Phase 1, and then select Advanced. For information about how to choose
the correct advanced phase 1 settings for your particular situation, see the FortiGate
IPSec VPN User Guide.

Figure 339: Phase 1 advanced settings

Enable IPSec Interface Mode This is available in NAT/Route mode only. Create a virtual
interface for the local end of the VPN tunnel. Select this option to create a route-based
VPN, clear it to create a policy-based VPN.
IPv6 Version Select if you want to use IPv6 addresses for the remote gateway and
interface IP addresses. This is available only when Enable IPSec
Interface Mode is enabled.
Local Gateway IP If you selected Enable IPSec Interface Mode, specify an IP address for
the local end of the VPN tunnel. Select one of the following:
Main Interface IP — The FortiGate unit obtains the IP address of the
interface from the network interface settings. For more information, see
“Interfaces” on page 119.
Specify — You can specify a secondary address of the interface
selected in the phase 1 Local Interface field. For more information, see
“Local Interface” on page 509.
You cannot configure Interface mode in a Transparent mode VDOM.
P1 Proposal Select the encryption and authentication algorithms used to generate
keys for protecting negotiations.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The
remote peer or client must be configured to use at least one of the
proposals that you define.
Select one of the following symmetric-key algorithms:
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a
56-bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three
keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that
uses a 256-bit key.
Select either of the following message digests to check the authenticity
of messages during phase 1 negotiations:
MD5 — Message Digest 5, the hash algorithm developed by RSA Data
Security.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify a third combination, use the Add button beside the fields for
the second combination.

DH Group Select one or more Diffie-Hellman groups from DH group 1, 2, and 5. At
least one of the DH Group settings on the remote peer or client must
match one of the selections on the FortiGate unit.
Keylife Type the time (in seconds) that must pass before the IKE encryption key
expires. When the key expires, a new key is generated without
interrupting service. The keylife can be from 120 to 172 800 seconds.
Local ID If the FortiGate unit will act as a VPN client and you are using peer IDs
for authentication purposes, enter the identifier that the FortiGate unit
will supply to the VPN server during the phase 1 exchange.
If the FortiGate unit will act as a VPN client and you are using security
certificates for authentication, select the distinguished name (DN) of the
local server certificate that the FortiGate unit will use for authentication
purposes.
If the FortiGate unit is a dialup client and will not be sharing a tunnel with
other dialup clients (that is, the tunnel will be dedicated to this FortiGate
dialup client), set Mode to Aggressive.
XAuth This option supports the authentication of dialup clients.
Disable — Select if you do not use XAuth.
Enable as Client — If the FortiGate unit is a dialup client, type the user
name and password that the FortiGate unit will need to authenticate
itself to the remote XAuth server.
Enable as Server — This is available only if Remote Gateway is set to
Dialup User. Dialup clients authenticate as members of a dialup user
group. You must first create a user group for the dialup clients that need
access to the network behind the FortiGate unit. For more information,
see “Configuring a user group” on page 558.
You must also configure the FortiGate unit to forward authentication
requests to an external RADIUS or LDAP authentication server. For
information about these topics, see “Configuring a RADIUS server” on
page 544 or “Configuring an LDAP server” on page 547.
Select a Server Type setting to determine the type of encryption method
to use between the FortiGate unit, the XAuth client and the external
authentication server, and then select the user group from the User
Group list.
Nat-traversal Select the check box if a NAT device exists between the local FortiGate
unit and the VPN peer or client. The local FortiGate unit and the VPN
peer or client must have the same NAT traversal setting (both selected
or both cleared) to connect reliably.
Keepalive Frequency If you enabled NAT-traversal, enter a keepalive frequency setting. The
value represents an interval ranging from 10 to 900 seconds.
Dead Peer Detection Select this check box to reestablish VPN tunnels on idle connections and
clean up dead IKE peers if required. You can use this option to receive
notification whenever a tunnel goes up or down, or to keep the tunnel
connection open when no traffic is being generated inside the tunnel.
(For example, in scenarios where a dialup client or dynamic DNS peer
connects from an IP address that changes periodically, traffic may be
suspended while the IP address changes).
With Dead Peer Detection selected, you can use the config vpn
ipsec phase1 (tunnel mode) or config vpn ipsec phase1-
interface (interface mode) CLI command to optionally specify a retry
count and a retry interval. For more information, see the FortiGate CLI
Reference.

Creating a new phase 2 configuration


After IPSec phase 1 negotiations end successfully, you begin phase 2. You configure the
phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt
and transfer data for the remainder of the session. During phase 2, you select specific
IPSec security associations needed to implement security services and establish a tunnel.
The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1
configuration that specifies the remote end point of the VPN tunnel. In most cases, you
need to configure only basic phase 2 settings.

To configure phase 2 settings, go to VPN > IPSEC > Auto Key (IKE) and select Create
Phase 2. For information about how to choose the correct phase 2 settings for your
particular situation, see the FortiGate IPSec VPN User Guide.

Figure 340: New Phase 2

Name Type a name to identify the phase 2 configuration.
Phase 1 Select the phase 1 tunnel configuration. For more information, see “Creating a
new phase 1 configuration” on page 508. The phase 1 configuration describes
how remote VPN peers or clients will be authenticated on this tunnel, and how the
connection to the remote peer or client will be secured.
Advanced Define advanced phase 2 parameters. For more information, see “Defining
phase 2 advanced settings” on page 513.

Defining phase 2 advanced settings


In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish
a secure communication channel between them. You select the encryption and
authentication algorithms needed to generate keys for protecting the implementation
details of Security Associations (SAs). These are called P2 Proposal parameters. The
keys are generated automatically using a Diffie-Hellman algorithm.
You can use a number of additional advanced phase 2 settings to enhance the operation
of the tunnel. To modify IPSec phase 2 advanced parameters, go to VPN > IPSEC >
Auto Key (IKE), select Create Phase 2, and then select Advanced. For information about
how to choose the correct advanced phase 2 settings for your particular situation, see the
FortiGate IPSec VPN User Guide.

Figure 341: Phase 2 advanced settings
P2 Proposal Select the encryption and authentication algorithms that will be proposed to
the remote VPN peer. You can specify up to three proposals. To establish a
VPN connection, at least one of the proposals that you specify must match
configuration on the remote peer.
Initially there are two proposals. Add and Delete icons are next to the
second Authentication field. To specify only one proposal, select Delete to
remove the second proposal. To specify a third proposal, select Add.
It is invalid to set both Encryption and Authentication to NULL.
Encryption Select one of the following symmetric-key algorithms:
NULL — Do not use an encryption algorithm.
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-
bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three
keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 256-bit key.
Authentication Select one of the following message digests to check the authenticity of
messages during an encrypted session:
NULL — Do not use a message digest.
MD5 — Message Digest 5, the hash algorithm developed by RSA Data
Security.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message
digest.
Enable replay detection Optionally enable or disable replay detection. Replay attacks
occur when an unauthorized party intercepts a series of IPSec packets and replays them
back into the tunnel.
Enable perfect forward secrecy (PFS) Enable or disable PFS. Perfect forward secrecy
(PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife
expires.
DH Group Select one Diffie-Hellman group (1, 2, or 5). This must match the DH Group
that the remote peer or dialup client uses.
Keylife Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select Both, the key expires when either the time has
passed or the number of KB has been processed. The range is from 120 to
172 800 seconds, or from 5120 to 2 147 483 648 KB.
Autokey Keep Alive Select the check box if you want the tunnel to remain active when no data is
being processed.
DHCP-IPSec Provide IP addresses dynamically to VPN clients. This is available for
phase 2 configurations associated with a dialup phase 1 configuration.
You also need to configure a DHCP server or relay on the private network
interface. You must configure the DHCP parameters separately. For more
information, see “System DHCP” on page 171.
If you configure the DHCP server to assign IP addresses based on RADIUS
user group attributes, you must also set the Phase 1 Peer Options to Accept
peer ID in dialup group and select the appropriate user group. See “Creating
a new phase 1 configuration” on page 508.
If the FortiGate unit acts as a dialup server and you manually assigned
FortiClient dialup clients VIP addresses that match the network behind the
dialup server, selecting the check box will cause the FortiGate unit to act as
a proxy for the dialup clients.

Note: You can configure settings so that VPN users can browse the Internet through the
FortiGate unit. For more information, see “Internet browsing configuration” on page 518.

Quick Mode Selector Optionally specify the source and destination IP addresses to be
used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, you should keep the
default value 0.0.0.0/0 unless you need to circumvent problems caused by
ambiguous IP addresses between one or more of the private networks making up
the VPN. You can specify a single host IP address, an IP address range, or a
network address. You may optionally specify source and destination port numbers
and a protocol number.
If you are editing an existing phase 2 configuration, the Source address and
Destination address fields are unavailable if the tunnel has been configured to use
firewall addresses as selectors. This option exists only in the CLI. For more
information, see the dst-addr-type, dst-name, src-addr-type and src-
name keywords for the vpn ipsec phase2 command in the FortiGate CLI
Reference.
Source address If the FortiGate unit is a dialup server, type the source IP
address that corresponds to the local senders or network
behind the local VPN peer (for example, 172.16.5.0/24 or
172.16.5.0/255.255.255.0 for a subnet, or
172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a
server or host, or 192.168.10.[80-100] or
192.168.10.80-192.168.10.100 for an address range).
A value of 0.0.0.0/0 means all IP addresses behind the
local VPN peer.
If the FortiGate unit is a dialup client, source address must
refer to the private network behind the FortiGate dialup client.
Source port Type the port number that the local VPN peer uses to
transport traffic related to the specified service (protocol
number). The range is from 0 to 65535. To specify all ports,
type 0.
Destination address Type the destination IP address that corresponds to the
recipients or network behind the remote VPN peer (for
example, 192.168.20.0/24 for a subnet, or
172.16.5.1/32 for a server or host, or 192.168.10.[80-
100] for an address range). A value of 0.0.0.0/0 means all
IP addresses behind the remote VPN peer.
Destination port Type the port number that the remote VPN peer uses to
transport traffic related to the specified service (protocol
number). The range is from 0 to 65535. To specify all ports,
type 0.
Protocol Type the IP protocol number of the service. The range is from
0 to 255. To specify all services, type 0.
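The selector address forms listed above (CIDR, dotted mask, single host, bracketed and dashed ranges, and the catch-all 0.0.0.0/0) as an added Python example that is not part of the FortiGate guide: it parses each form into an address bound pair, validates the port and protocol numbers by the documented ranges, and reports spokes whose private networks overlap, which is the "ambiguous IP addresses" case the dialup-server note warns about. All function names and the sample spoke networks are this example's own constructions.

```python
import ipaddress
import re

# Address forms accepted by the Quick Mode Selector fields, as documented:
#   172.16.5.0/24 or 172.16.5.0/255.255.255.0            subnet
#   172.16.5.1/32 or 172.16.5.1/255.255.255.255          single host
#   192.168.10.[80-100] or 192.168.10.80-192.168.10.100  address range
#   0.0.0.0/0                                            all addresses
_BRACKET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)\[(\d{1,3})-(\d{1,3})\]$")
_DASH_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_selector(text):
    """Return the (first, last) IPv4Address pair covered by one selector string."""
    text = text.strip()
    m = _BRACKET_RANGE.match(text)
    if m:
        prefix, lo, hi = m.groups()
        first = ipaddress.IPv4Address(prefix + lo)
        last = ipaddress.IPv4Address(prefix + hi)
    else:
        m = _DASH_RANGE.match(text)
        if m:
            first = ipaddress.IPv4Address(m.group(1))
            last = ipaddress.IPv4Address(m.group(2))
        else:
            # CIDR prefix or dotted mask; strict=False so host bits in the
            # typed address (172.16.5.1/24) do not cause a rejection
            net = ipaddress.IPv4Network(text, strict=False)
            first, last = net.network_address, net.broadcast_address
    if first > last:
        raise ValueError("selector range runs backwards: %s" % text)
    return first, last


def selector_contains(selector, host):
    """True when a single host address falls inside the selector."""
    first, last = parse_selector(selector)
    return first <= ipaddress.IPv4Address(host) <= last


def selectors_overlap(a, b):
    """True when two selectors share at least one address."""
    a_first, a_last = parse_selector(a)
    b_first, b_last = parse_selector(b)
    return a_first <= b_last and b_first <= a_last


def check_port(value):
    """Source/Destination port: 0 to 65535, where 0 means all ports."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %s" % value)
    return port


def check_protocol(value):
    """Protocol number: 0 to 255, where 0 means all services."""
    proto = int(value)
    if not 0 <= proto <= 255:
        raise ValueError("protocol out of range: %s" % value)
    return proto


def find_ambiguous_spokes(spoke_selectors):
    """Return sorted name pairs of spokes whose private-network selectors overlap.

    Overlapping spoke networks are the ambiguous-address case in which a
    dialup server can no longer rely on the default 0.0.0.0/0 selector."""
    names = sorted(spoke_selectors)
    clashes = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if selectors_overlap(spoke_selectors[x], spoke_selectors[y]):
                clashes.append((x, y))
    return clashes


if __name__ == "__main__":
    # Constructed sample: three spokes, two of which reuse 192.168.10.x space.
    spokes = {
        "branch-a": "192.168.10.0/24",
        "branch-b": "192.168.10.[80-100]",
        "branch-c": "192.168.20.0/255.255.255.0",
    }
    print(find_ambiguous_spokes(spokes))  # [('branch-a', 'branch-b')]
```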

Manual Key
If required, you can manually define cryptographic keys for establishing an IPSec VPN
tunnel. You would define manual keys in situations where:
• You require prior knowledge of the encryption or authentication key (that is, one of the
VPN peers requires a specific IPSec encryption or authentication key).
• You need to disable encryption and authentication.
In both cases, you do not specify IPSec phase 1 and phase 2 parameters; you define
manual keys by going to VPN > IPSEC > Manual Key instead.

Note: You should use manual keys only if it is unavoidable. There are potential difficulties in
keeping keys confidential and in propagating changed keys to remote VPN peers securely.

For general information about how to configure an IPSec VPN, see the FortiGate IPSec
VPN User Guide.

Figure 342: Manual Key list
Create New Create a new manual key configuration. See “Creating a new manual key
configuration” on page 516.
Tunnel Name The names of existing manual key configurations.
Remote Gateway The IP addresses of remote peers or dialup clients.
Encryption Algorithm The names of the encryption algorithms specified in the manual key
configurations.
Authentication Algorithm The names of the authentication algorithms specified in the
manual key configurations.
Delete and Edit icons Delete or edit a manual key configuration.

Creating a new manual key configuration


If one of the VPN devices is manually keyed, the other VPN device must also be manually
keyed with the identical authentication and encryption keys. In addition, it is essential that
both VPN devices be configured with complementary Security Parameter Index (SPI)
settings. The administrators of the devices need to cooperate to achieve this.
Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to
link the datagrams to the SA. When an ESP datagram is received, the recipient refers to
the SPI to determine which SA applies to the datagram. You must manually specify an SPI
for each SA. There is an SA for each direction, so for each VPN you must specify two
SPIs, a local SPI and a remote SPI, to cover bidirectional communications between two
VPN devices.

Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases
for your particular installation, do not attempt the following procedure without qualified
assistance.

To specify manual keys for creating a tunnel, go to VPN > IPSEC > Manual Key and
select Create New.

Figure 343: New Manual Key

Name Type a name for the VPN tunnel. The maximum name length is 15 characters
for an interface mode VPN, 35 characters for a policy-based VPN.
Local SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the
SA that handles outbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Remote SPI value in
the manual key configuration at the remote peer.
Remote SPI Type a hexadecimal number (up to 8 characters, 0-9, a-f) that represents the
SA that handles inbound traffic on the local FortiGate unit. The valid range is
from 0x100 to 0xffffffff. This value must match the Local SPI value in
the manual key configuration at the remote peer.
Remote Gateway Type the IP address of the public interface to the remote peer. The address
identifies the recipient of ESP datagrams.
Local Interface This option is available in NAT/Route mode only. Select the name of the
interface to which the IPSec tunnel will be bound. The FortiGate unit obtains
the IP address of the interface from the network interface settings. For more
information, see “Interfaces” on page 119.
Encryption Algorithm Select one of the following symmetric-key encryption algorithms:
DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-
bit key.
3DES — Triple-DES, in which plain text is encrypted three times by three
keys.
AES128 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 128-bit key.
AES192 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 192-bit key.
AES256 — a 128-bit block Cipher Block Chaining (CBC) algorithm that uses
a 256-bit key.
Note: The algorithms for encryption and authentication cannot both be NULL.

Encryption Key Enter an encryption key appropriate to the encryption algorithm:


• for DES, type a 16-character hexadecimal number (0-9, a-f).
• for 3DES, type a 48-character hexadecimal number (0-9, a-f) separated
into three segments of 16 characters.
• for AES128, type a 32-character hexadecimal number (0-9, a-f) separated
into two segments of 16 characters.
• for AES192, type a 48-character hexadecimal number (0-9, a-f) separated
into three segments of 16 characters.
• for AES256, type a 64-character hexadecimal number (0-9, a-f) separated
into four segments of 16 characters.
Authentication Algorithm Select one of the following message digests:
MD5 — Message Digest 5 algorithm, which produces a 128-bit message digest.
SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message digest.
Note: The algorithms for encryption and authentication cannot both be NULL.
Authentication Key Enter an authentication key appropriate to the authentication algorithm:
• for MD5, type a 32-character hexadecimal number (0-9, a-f) separated into
two segments of 16 characters.
• for SHA1, type a 40-character hexadecimal number (0-9, a-f) separated into
one segment of 16 characters and a second segment of 24 characters.
IPSec Interface Mode Create a virtual interface for the local end of the VPN tunnel. Select this check
box to create a route-based VPN, clear it to create a policy-based VPN.
This is available only in NAT/Route mode.
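Manual keys are typed independently on both peers, so the usual failure is a mismatched SPI or a key of the wrong length for the chosen algorithm. The following Python script is an added example (not Fortinet code) that re-implements the constraints listed in the table above (SPI range, hexadecimal-only keys, key length per algorithm, encryption and authentication not both NULL) and checks that two peers' configurations are mirror images before anyone types them in. It assumes each key is handled as one contiguous hexadecimal string (the GUI's segments concatenated); the "single repeated digit" test and the key generator are added conveniences, not FortiGate rules.

```python
"""Pre-flight checks for a FortiGate IPsec manual-key tunnel pair (added example)."""
import re
import secrets
from dataclasses import dataclass

# Key sizes in hex characters, as listed in the Manual Key table (bytes * 2).
ENC_KEY_HEX_LEN = {"null": 0, "des": 16, "3des": 48,
                   "aes128": 32, "aes192": 48, "aes256": 64}
AUTH_KEY_HEX_LEN = {"null": 0, "md5": 32, "sha1": 40}
SPI_MIN, SPI_MAX = 0x100, 0xFFFFFFFF
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class ManualKeyTunnel:
    name: str
    local_spi: str        # hex as typed in the GUI, e.g. "1001"
    remote_spi: str
    remote_gateway: str   # public IP of the remote peer
    encryption: str       # des | 3des | aes128 | aes192 | aes256 | null
    enc_key: str          # hex, GUI segments concatenated (assumption)
    authentication: str   # md5 | sha1 | null
    auth_key: str
    interface_mode: bool = False


def validate(t):
    """Return a list of problems with one tunnel; an empty list means it passes."""
    problems = []
    limit = 15 if t.interface_mode else 35
    if not t.name or len(t.name) > limit:
        problems.append(f"name must be 1-{limit} characters")
    for side, spi in (("local", t.local_spi.lower()), ("remote", t.remote_spi.lower())):
        if not (1 <= len(spi) <= 8 and HEX_RE.match(spi)):
            problems.append(f"{side} SPI must be 1-8 hex digits")
        elif not SPI_MIN <= int(spi, 16) <= SPI_MAX:
            problems.append(f"{side} SPI must be in 0x100..0xffffffff")
    enc, auth = t.encryption.lower(), t.authentication.lower()
    if enc == "null" and auth == "null":
        problems.append("encryption and authentication cannot both be NULL")
    for label, alg, table, key in (("encryption", enc, ENC_KEY_HEX_LEN, t.enc_key.lower()),
                                   ("authentication", auth, AUTH_KEY_HEX_LEN, t.auth_key.lower())):
        if alg not in table:
            problems.append(f"unknown {label} algorithm {alg!r}")
        elif table[alg]:
            if len(key) != table[alg] or not HEX_RE.match(key):
                problems.append(f"{label} key for {alg} must be {table[alg]} hex characters")
            elif len(set(key)) == 1:   # added sanity check, not a FortiGate rule
                problems.append(f"{label} key is a single repeated digit; use random key material")
    return problems


def mirror_problems(a, b):
    """Both peers must pass validate(); SPIs cross over and algorithms/keys are identical."""
    problems = [f"{t.name}: {p}" for t in (a, b) for p in validate(t)]
    if a.local_spi.lower() != b.remote_spi.lower() or a.remote_spi.lower() != b.local_spi.lower():
        problems.append("each peer's Local SPI must equal the other peer's Remote SPI")
    for field in ("encryption", "enc_key", "authentication", "auth_key"):
        if getattr(a, field).lower() != getattr(b, field).lower():
            problems.append(f"{field} differs between the peers")
    return problems


def generate_keys(encryption, authentication):
    """Random key material of exactly the length the chosen algorithms need."""
    return (secrets.token_hex(ENC_KEY_HEX_LEN[encryption] // 2),
            secrets.token_hex(AUTH_KEY_HEX_LEN[authentication] // 2))


# Constructed sample: a hub and a branch that are mirror images of each other.
ENC_KEY = "0123456789abcdef" * 2                 # 32 hex chars for AES128
AUTH_KEY = "0123456789abcdef" * 2 + "01234567"   # 40 hex chars for SHA1
hub = ManualKeyTunnel("to_branch", "1001", "2001", "203.0.113.2",
                      "aes128", ENC_KEY, "sha1", AUTH_KEY)
branch = ManualKeyTunnel("to_hub", "2001", "1001", "198.51.100.1",
                         "aes128", ENC_KEY, "sha1", AUTH_KEY)

if __name__ == "__main__":
    print(mirror_problems(hub, branch) or "peer configurations are consistent")
```

Run the mirror check on both peers' intended settings before entering them; a non-empty list names the peer and the field that will cause the SAs to disagree. Use generate_keys() rather than hand-typed patterns so that key material is random.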


Internet browsing configuration


By using appropriate firewall policies, you can enable VPN users to browse the Internet
through the FortiGate unit. The required policies are different for policy-based and route-
based VPNs. For more information, see “Configuring firewall policies” on page 316.

To create a policy-based VPN Internet browsing configuration


1 Go to Firewall > Policy.
2 Select Create New and enter the following information.

Source Interface/Zone Select the FortiGate unit public interface.


Source Address Name Select All.
Destination Interface/Zone Select the FortiGate unit public interface.
Destination Address Name Select the remote network address name.
Action Select IPSEC.
VPN Tunnel Select the tunnel that provides access to the private network
behind the FortiGate unit.
Inbound NAT Select the check box.

3 Configure other settings as required.


4 Select OK.

To configure a route-based VPN Internet browsing configuration


1 Go to Firewall > Policy.
2 Select Create New and enter the following information.

Source Interface/Zone Select the IPSec interface.


Source Address Name Select All.
Destination Interface/Zone Select the FortiGate unit public interface.
Destination Address Name Select All.
Action Select ACCEPT.
NAT Select the check box.

3 Configure other settings as required.


4 Select OK.

Concentrator
In a hub-and-spoke configuration, policy-based VPN connections to a number of remote
peers radiate from a single, central FortiGate unit. Site-to-site connections between the
remote peers do not exist; however, you can establish VPN tunnels between any two of
the remote peers through the FortiGate unit “hub”.
In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect
to the hub are known as “spokes”. The hub functions as a concentrator on the network,
managing all VPN connections between the spokes. VPN traffic passes from one tunnel to
the other through the hub.
You define a concentrator to include spokes in the hub-and-spoke configuration.


To define a concentrator, go to VPN > IPSEC > Concentrator. For detailed information and
step-by-step procedures about how to set up a hub-and-spoke configuration, see the
FortiGate IPSec VPN User Guide.

Figure 344: Concentrator list


Create New Define a new concentrator for an IPSec hub-and-spoke configuration. For
more information, see “Defining concentrator options” on page 519.
Concentrator Name The names of existing IPSec VPN concentrators.
Members The tunnels that are associated with the concentrators.
Delete and Edit icons Delete or edit a concentrator.

Defining concentrator options


A concentrator configuration specifies which spokes to include in an IPSec hub-and-spoke
configuration.
To specify the spokes of an IPSec hub-and-spoke configuration, go to VPN > IPSEC >
Concentrator and select Create New.

Figure 345: New VPN Concentrator


Concentrator Name Type a name for the concentrator.


Available Tunnels A list of defined IPSec VPN tunnels. Select a tunnel from the list and then
select the right arrow. Repeat these steps until all of the tunnels associated
with the spokes are included in the concentrator.
Members A list of tunnels that are members of the concentrator. To remove a tunnel
from the concentrator, select the tunnel and select the left arrow.

Monitoring VPNs
To view active VPN tunnels, go to User > Monitor > IPSEC.


VPN PPTP
FortiGate units support PPTP to tunnel PPP traffic between two VPN peers. Windows or
Linux PPTP clients can establish a PPTP tunnel with a FortiGate unit that has been
configured to act as a PPTP server. As an alternative, you can configure the FortiGate unit
to forward PPTP packets to a PPTP server on the network behind the FortiGate unit.
PPTP VPN is available only in NAT/Route mode. The current maximum number of PPTP
sessions is 254. If you enable virtual domains (VDOMs) on the FortiGate unit, you need to
configure VPN PPTP separately for each virtual domain. For more information, see “Using
virtual domains” on page 103.
When you intend to use the FortiGate unit as a PPTP gateway, you can select a PPTP
client IP from a local address range or use the server defined in the PPTP user group. You
select which method to use for IP address retrieval and, in the case of the user group
server, provide the IP address and the user group.
This section explains how to specify a range of IP addresses for PPTP clients or configure
the PPTP client-side IP address to be used in the tunnel setup. For information about how
to perform other related PPTP VPN setup tasks, see the FortiGate PPTP VPN User
Guide.

Note: The PPTP feature is disabled by default in the FortiGate web-based manager. You
configure the PPTP tunnel by creating a customized FortiGate screen.

This section describes:


• PPTP configuration using FortiGate web-based manager
• PPTP configuration using CLI commands

PPTP configuration using FortiGate web-based manager


To configure the PPTP tunnel, create a customized screen in the web-based manager.
The PPTP Range tab is found under the Categories heading as a selection in the
Additional category:

Figure 346: Categories > Additional > PPTP Range


For information about creating customized screens in the FortiGate web-based manager,
see “Customizable web-based manager” on page 225.
PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address
range is the range of addresses reserved for remote PPTP clients. When the remote
PPTP client establishes a connection, the FortiGate unit assigns an IP address from the
reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP
address from the PPTP user group. If you use the PPTP user group, you must also define
the FortiGate end of the tunnel by entering the IP address of the unit in Local IP (web-
based manager) or local-ip (CLI). The PPTP client uses the assigned IP address as its
source address for the duration of the connection.
To enable PPTP and specify the PPTP address range or specify the IP address for the
peer’s remote IP on the PPTP client side, go to the customized screen in the web-based
manager, select the required options, and then select Apply.

Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet,
e.g. 192.168.1.1 - 192.168.1.254.

Figure 347: Edit PPTP range options, showing both Range and User Group

Enable PPTP Enable PPTP. You must add a user group before you can select the
option. See “User Group” on page 554.
IP Mode Select a method of determining the IP address for the PPTP connection:
Range Enable to specify a local address range to reserve for remote PPTP
clients.

User Group Select to specify that the PPTP client IP address is determined by the
PPTP user group server.
Starting IP Type the starting address in the range of reserved IP addresses.
Ending IP Type the ending address in the range of reserved IP addresses.
Local IP Type the IP address to be used for the peer’s remote IP on the PPTP
client side.
User Group Select the PPTP user group from the list.
Disable PPTP Select to disable PPTP support.


PPTP configuration using CLI commands


If you prefer not to set up a customized screen in the FortiGate web-based manager, you
can configure the PPTP tunnel using CLI.

Syntax
config vpn pptp
set eip <address_ipv4>
set ip-mode {range | usrgrp}
set local-ip {disable | enable}
set sip <address_ipv4>
set status {disable | enable}
set usrgrp <group_name>
end
Variables                    Description                                                      Default
eip <address_ipv4>           The ending address of the PPTP address range.                    0.0.0.0
ip-mode {range | usrgrp}     Select whether the PPTP client IP address is taken from the
                             pre-configured address range (range) or retrieved from the
                             PPTP user group (usrgrp).
local-ip {disable | enable}  PPTP server IP address from the PPTP user group.
sip <address_ipv4>           The starting address of the PPTP address range.                  0.0.0.0
status {disable | enable}    Enable or disable PPTP VPN.                                      disable
usrgrp <group_name>          Available only when status is set to enable. Enter the name of   Null
                             the user group for authenticating PPTP clients. The user group
                             must be added to the FortiGate configuration before it can be
                             specified here.


VPN SSL
An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be
used with a standard Web browser. SSL VPN does not require the installation of
specialized client software on end users’ computers, and is ideal for applications including
web-based email, business and government directories, file sharing, remote backup,
remote system management, and consumer-level electronic commerce.
The two modes of SSL VPN operation (supported in NAT/Route mode only) are:
• web-only mode, for thin remote clients equipped with a web-browser only.
• tunnel mode, for remote computers that run a variety of client and server applications.
When the FortiGate unit provides services in web-only mode, a secure connection
between the remote client and the FortiGate unit is established through the SSL VPN
security in the FortiGate unit and the SSL security in the web browser. After the
connection has been established, the FortiGate unit provides access to selected services
and network resources through a web portal. The FortiGate SSL VPN web portal has a
widget-based layout with customizable themes. Each widget is displayed in a 1- or 2-
column format with the ability to modify settings, minimize the widget window, or other
functions depending on the type of content within the widget.
When users have complete administrative rights over their computers and use a variety of
applications, tunnel mode allows remote clients to access the local internal network as if
they were connected to the network directly.
This section provides information about the features of SSL VPN available for
configuration in the web-based manager. Only FortiGate units that run in NAT/Route mode
support the SSL VPN feature.
If you enable virtual domains (VDOMs) on the FortiGate unit, VPN SSL is configured
separately for each virtual domain. For details, see “Using virtual domains” on page 103.

Note: For detailed instructions about how to configure web-only mode or tunnel-mode
operation, see the FortiGate SSL VPN User Guide.

This section describes:


• ssl.root
• Configuring SSL VPN
• Monitoring SSL VPN sessions
• SSL VPN web portal

ssl.root
The FortiGate unit has a virtual SSL VPN interface called ssl.<vdom_name>; in the root
VDOM it is called ssl.root. This interface appears in the firewall policy interface lists and
static route interface lists. You can use the ssl.root interface to allow access to additional
networks and to let a connected user browse the Internet through the FortiGate unit.
SSL VPN tunnel-mode access requires the following firewall policies:
• External > Internal, with the action set to SSL, with an SSL user group


• ssl.root > Internal, with the action set to Accept


• Internal > ssl.root, with the action set to Accept.
Access also requires a static route whose destination is the SSL VPN tunnel-mode IP range
(the Tunnel IP Range configured under VPN > SSL > Config) and whose interface is ssl.root.
If you are configuring Internet access through an SSL VPN tunnel, you must also add the
policy ssl.root > External, with the action set to Accept and NAT enabled.

Configuring SSL VPN


You can configure basic SSL VPN settings including timeout values and SSL encryption
preferences. If required, you can also enable the use of digital certificates for
authenticating remote clients.

Note: If required, you can enable SSL version 2 (for compatibility with older browsers)
through a FortiGate CLI command. SSL version 2 has known protocol weaknesses; leave it
disabled unless a client genuinely cannot negotiate a newer version. For more information,
see the ssl settings command in the FortiGate CLI Reference.

To enable SSL VPN connections and configure SSL VPN settings, go to VPN > SSL >
Config and select Enable SSL-VPN. When you have completed configuring the settings,
select Apply.

Figure 348: SSL-VPN Settings

Enable SSL VPN Select to enable SSL VPN connections.


Tunnel IP Range Specify the range of IP addresses reserved for tunnel-mode SSL VPN
clients. Type the starting and ending address that defines the range of
reserved IP addresses.
Server Certificate Select the signed server certificate to use for authentication purposes. If
you leave the default setting (Self-Signed), the FortiGate unit offers its
factory installed (self-signed) certificate from Fortinet to remote clients
when they connect.
Require Client Certificate If you want to enable the use of group certificates for authenticating
remote clients, select the check box. Afterward, when the remote client
initiates a connection, the FortiGate unit prompts the client for its client-
side certificate as part of the authentication process.


Encryption Key Algorithm Select the algorithm for creating a secure SSL connection between the
remote client web browser and the FortiGate unit.

Default - RC4(128 bits) and higher Select this option if the web browser on the remote client
can match a cipher suite of 128 bits or more.
High - AES(128/256 bits) and 3DES Select this option if the web browser on the remote client
supports a high level of SSL encryption; only cipher suites that use AES (128 or 256 bits)
or 3DES are enabled.
Low - RC4(64 bits), DES and higher Select this option if you are not sure which level of SSL
encryption the remote client web browser supports; cipher suites of 64 bits or more are
enabled. This level admits 64-bit RC4 and 56-bit DES, which are weak; use it only for
clients that cannot negotiate anything stronger.
Idle Timeout Type the period of time (in seconds) to control how long the connection
can remain idle before the system forces the user to log in again. The
range is from 10 to 28800 seconds. You can also set the value to 0 to
have no idle connection timeout. This setting applies to the SSL VPN
session. The interface does not time out when web application sessions
or tunnels are up.
Apply Select to save and apply settings.

Monitoring SSL VPN sessions


You can view a list of all active SSL VPN sessions. The list displays the user name of the
remote user, the IP address of the remote client, and the time the connection was made.
You can also see which services are being provided, and delete an active web session
from the FortiGate unit.
To view the list of active SSL VPN sessions, go to User > Monitor > SSL.

Figure 349: Monitor list


No. The connection identifiers.


User The user names of all connected remote users.
Source IP The IP addresses of the host devices connected to the FortiGate unit.
Begin Time The starting time of each connection.
Description Information about the services provided by an SSL VPN tunnel
session.
Subsession Tunnel IP: IP address that the FortiGate unit assigned to the remote
client.
Action Select action to apply to current SSL VPN tunnel session or
subsession.
Delete icon Delete the current session or subsession.


SSL VPN web portal


The SSL VPN Service portal allows users to access network resources through a secure
channel using a web browser. FortiGate administrators can configure login privileges for
system users and which network resources are available to them, such as
HTTP/HTTPS, telnet, FTP, SMB/CIFS, VNC, RDP and SSH.
The portal configuration determines what the system user sees when they log in to the
FortiGate unit. Both the system administrator and the system user can customize the
SSL VPN portal.
To use the default SSL VPN web portal configuration, select the Edit icon for New Portal.
The default SSL VPN web portal appears.
This section describes:
• The General tab
• The Advanced tab
• Adding and editing widgets
• The Session Information widget
• The Bookmarks widget
• The Connections Tool widget
• The Tunnel Mode widget

Figure 350: Default SSL VPN web portal



The General tab


To configure the SSL VPN web portal General tab, go to VPN > SSL > Portal and select
Create New. The SSL VPN Web Portal General tab is displayed. Use the General tab to
configure basic settings required for the SSL VPN Web Portal.

Figure 351: SSL VPN web portal - Create New, General tab

OK/Cancel Select OK to save the configuration and Cancel to exit the
configuration window without saving any changes. If you select
OK, the main portal configuration window appears.
General tab
Name Name of the web portal configuration.
Applications Select the abbreviated name of the server application or network
service.
Portal Message Enter the caption that appears at the top of the web portal home page.
Theme Select the color scheme for the web portal home page from the list.
Page Layout Select the one or two page column format for the web portal home
page.

The Advanced tab


To configure the SSL VPN web portal Advanced tab, go to VPN > SSL > Portal and select
Create New then select Advanced. The SSL VPN Web Portal Advanced tab is displayed.
Use the Advanced tab to configure advanced settings that monitor the SSL VPN clients
and apply other advanced settings.


Figure 352: SSL VPN web portal - Create New, Advanced tab

OK/Cancel Select OK to save the configuration and Cancel to exit the
configuration window without saving any changes. If you select
OK, the main portal configuration window appears.
Advanced tab
Client Check Type Select the method used to determine whether a client is permitted to
connect to the network.
None - Select to allow a client to connect to the SSL VPN session
without determining whether any antivirus or firewall applications are
installed.
FortiClient - Select to allow a client to connect to the SSL VPN
session only if it is running FortiClient.
Third Party - Select to allow a client to connect to the SSL VPN
session only if it is running a third-party antivirus or firewall
application.
Client Check AV - Select to have the FortiGate unit check for a running antivirus
application.
FW - Select to have the FortiGate unit check for a running firewall
application.
Clean Cache Select to enable the FortiGate unit to remove residual information from
the remote client computer just before the SSL VPN session ends.
Virtual Desktop Select to have the SSL VPN Virtual Desktop application automatically
downloaded and started on the client machine. This option is available
only to clients using Microsoft 32-bit XP or Vista.
Redirect URLs Enter the URL of the web page which will enable the FortiGate unit to
display a second HTML page in a popup window when the web portal
home page is displayed.
OS Check
Windows 2000, Windows XP Action - Select the action for the FortiGate unit to take if the
client operating system is Windows 2000 or XP: Allow, Deny, or Check
Latest Version.


Latest Patch Level - If you set Action to Check Latest Version, enter
the latest acceptable patch number.
Tolerance - If you set Action to Check Latest Version, set Tolerance
to 0 if clients must have the latest patch. Set Tolerance to a number to
control how close clients must be to the latest patch. For example, if
the latest patch level is 4 and tolerance is 2, clients will be accepted
with patch 2, 3, 4, 5, or 6.
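The Client Check Type, AV/FW and OS Check settings above combine into a single admit-or-refuse decision per client, and the Tolerance rule (latest patch 4, tolerance 2 admits patch levels 2 through 6) is easy to get wrong, especially at tolerance 0. The following Python script is an added example, not Fortinet code, that models those settings as data and evaluates a client's reported posture against them. It assumes that the AV and FW checks apply whenever Client Check Type is not None, and that an operating system with no OS Check entry is allowed; the PORTAL settings and client postures are constructed samples.

```python
"""Admission decision for an SSL VPN web portal's Advanced-tab client checks (added example)."""
from dataclasses import dataclass, field


@dataclass
class PortalChecks:
    client_check_type: str = "none"       # none | forticlient | thirdparty
    check_av: bool = False
    check_fw: bool = False
    # OS name -> (action, latest_patch_level, tolerance); action is allow | deny | check
    os_check: dict = field(default_factory=dict)


@dataclass
class ClientPosture:
    os: str
    patch_level: int
    forticlient_running: bool = False
    av_running: bool = False
    fw_running: bool = False


def os_check_passes(action, latest, tolerance, client_patch):
    """Check Latest Version semantics: the client may be at most `tolerance` patches from `latest`."""
    if action == "allow":
        return True
    if action == "deny":
        return False
    if action == "check":
        return abs(client_patch - latest) <= tolerance
    raise ValueError(f"unknown OS check action {action!r}")


def admission_problems(checks, client):
    """Return the reasons a client would be refused; an empty list means it is admitted."""
    problems = []
    kind = checks.client_check_type
    if kind == "forticlient" and not client.forticlient_running:
        problems.append("FortiClient is not running")
    if kind != "none":   # assumption: AV/FW checks apply under FortiClient and Third Party
        if checks.check_av and not client.av_running:
            problems.append("no running antivirus application")
        if checks.check_fw and not client.fw_running:
            problems.append("no running firewall application")
    entry = checks.os_check.get(client.os)   # assumption: unlisted OS is allowed
    if entry is not None:
        action, latest, tolerance = entry
        if not os_check_passes(action, latest, tolerance, client.patch_level):
            problems.append(f"{client.os} patch level {client.patch_level} not accepted "
                            f"(action {action}, latest {latest}, tolerance {tolerance})")
    return problems


# Constructed sample portal: FortiClient with AV required; XP within 2 of patch 4; 2000 denied.
PORTAL = PortalChecks("forticlient", check_av=True,
                      os_check={"windows_xp": ("check", 4, 2), "windows_2000": ("deny", 0, 0)})

if __name__ == "__main__":
    current = ClientPosture("windows_xp", 3, forticlient_running=True, av_running=True)
    stale = ClientPosture("windows_xp", 7, forticlient_running=True, av_running=True)
    print(admission_problems(PORTAL, current))   # admitted
    print(admission_problems(PORTAL, stale))     # refused: patch 7 is outside 2..6
```

Note that the tolerance is symmetric: a client ahead of the configured "latest" patch level by more than the tolerance is refused as well, so the Latest Patch Level value has to be kept current as patches ship.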

Adding and editing widgets


To add or edit SSL VPN web portal Widgets, go to VPN > SSL > Portal and select Create
New then select OK. You can also edit an existing SSL VPN Web Portal. The SSL VPN
Web Portal is displayed. You can add, remove, and edit the widgets that appear on the
web portal.

Figure 353: SSL VPN web portal - Default configuration window


OK Select to save the configuration. If you select OK, you exit out of the
SSL VPN web portal configuration window.
Cancel Select to exit the configuration window without saving any changes.
Apply Select to apply any changes made in the widget.
Settings Select to edit the General or Advanced settings for the SSL VPN web
portal. See “SSL VPN web portal” on page 528.
Help Indicates the location of the SSL VPN Web Portal online help icon.
You cannot change or move this icon.
Log out Indicates the location of the SSL VPN Web Portal log out icon. You
cannot change or move this icon.
Add Widget list Select to add a widget to the SSL VPN web portal configuration.
Session Information Displays the login name of the user, the amount of time the user has
been logged in, and the inbound and outbound traffic of HTTP and
HTTPS.


Bookmarks Displays configured bookmarks, and allows you to add new bookmarks and
edit existing bookmarks.
Connection Tool Enter the URL or IP address for a connection tool application/server
(selected when configuring the Connection Tool). You can also check
connectivity to a host or server on the network behind the FortiGate
unit by setting Type to Ping.
Tunnel Mode Displays tunnel information and actions in user mode. The
administrator can configure a split-tunneling option.

The Session Information widget


The Session Information widget displays the login name of the user, along with the
amount of time the user has been logged in and the inbound and outbound traffic statistics
of HTTP and HTTPS.
To edit the session information, in the Session Information widget select Edit.

Figure 354: Session Information widget - Edit


Edit Select to edit the information in the widget.


Close widget Select to close the widget and remove it from the web portal home
page.
OK Select to save the Session Information configuration.
Cancel Select to exit the Session Information widget without saving any
changes.
Name Enter a customized name for the Session Information widget.


The Bookmarks widget


Bookmarks are used as links to specific resources on the network. When a bookmark is
selected from a bookmark list, a pop-up window appears with the requested web page.
Telnet, VNC, and RDP all pop up a window that requires a browser plug-in. FTP and
Samba replace the bookmarks page with an HTML file-browser.

Adding bookmarks
To add bookmarks, in the Bookmarks widget title bar select Edit, then select Add. The Add
bookmark window opens. When you finish creating the bookmark, select OK in the Add
bookmark window and then in the Bookmarks widget.

Figure 355: Bookmarks widget - Edit




Edit Select to edit the general configuration information in the Bookmarks
widget.
Close widget Select to close the Bookmarks widget and remove it from the web
portal home page.
OK Select to save the configuration. Select OK before creating any
bookmarks in order for selected applications to appear in the Add or
Edit bookmark window.
Cancel Select to exit the Bookmarks widget without saving any changes.
Name Enter a customized name for the Bookmarks widget.
Applications Select the server application or network service the FortiGate unit will
use to set up web-portal applications.
Add Select to create a bookmark hyperlink.
Edit Select to edit an existing bookmark hyperlink. When you select Edit, a
list of existing bookmarks appears.
Name Enter a name for the bookmark.
Type Select the type of application that the FortiGate unit will use to connect
server applications or network service. Only application types that are
selected in the top window of the Bookmarks widget will be in the list.
Location Enter the information the FortiGate unit needs to forward client
requests to the correct server application or network service.
Description Enter an optional description of the bookmark.
OK Select to save the bookmark configuration. The bookmark will appear
in a list of bookmarks in the Bookmarks widget.
Cancel Select to exit the Bookmarks Add window without saving the new
bookmark configuration.


Editing bookmarks
To edit bookmarks, in the Bookmarks widget title bar, select Edit.

Figure 356: Bookmarks widget - Edit



Edit Select to edit the general configuration information in the Bookmarks
widget.
Close widget Select to close the Bookmarks widget and remove it from the web
portal home page.
Done Select to save the bookmark configuration and close the bookmark
detail window. The bookmark will appear in a list of bookmarks in the
Bookmarks widget.
Add Select to create a bookmark hyperlink.
Edit Select to edit an existing bookmark hyperlink. When you select Edit, a
list of existing bookmarks appears. Select the bookmark you want to
edit.
Name The name of the bookmark.


Type The type of application that the FortiGate unit will use to connect
server applications or network service. Only application types that are
selected in the top window of the Bookmarks widget will be in the list.
Location The information the FortiGate unit needs to forward client requests to
the correct server application or network service.
Description An optional description of the bookmark.
OK Select to save the bookmark configuration.
Cancel Select to exit the Bookmarks Edit window without saving the new
bookmark configuration.

The Connections Tool widget


Settings in the Connections Tool widget allow a user to connect to a pre-selected
application without adding a bookmark to the bookmark list. You specify the URL or IP
address of the host computer and, if required, you can ping a host computer behind the
FortiGate unit to verify connectivity to that host.
To edit the connections tool information, in the Connections Tool widget select Edit.

Figure 357: Connections Tool widget - Edit


Edit Select to edit the information in the Connections Tool widget.
Close widget Select to close the Connections Tool widget and remove it from
the web portal home page.
Name Enter a customized name for the Connections Tool widget.
Applications Select the server application or network service the FortiGate unit
can use to set up the connection.
Type Select the server/application that the FortiGate unit will use to
establish a connection.


Host Enter the information that the FortiGate unit needs to forward
client requests to the correct server/application. Value depends on
value in Type.
Go Select to connect to the server/application specified in Type and
Host.

The Tunnel Mode widget


The Tunnel Mode settings display tunnel information and actions in user mode. As an
administrator, you can also configure a split-tunneling option. The presence of this widget
implies that the user group will have tunnel mode enabled. If IP Range is selected, the IP
range of the tunnel must be specified in the user group.

Figure 358: Tunnel Mode widget


Edit Select to edit the information in the Tunnel Mode widget. Opens the
Tunnel Mode configuration window.
Close widget Select to close the Tunnel Mode widget and remove it from the web
portal home page.
OK Select OK to save the configuration. If you select OK, the Tunnel
Mode configuration window closes.
Cancel Select to exit the Tunnel Mode configuration window without saving
any changes made.
Name Enter a name for the Tunnel Mode widget.
IP Mode Select the source of the tunnel IP addresses: Range or User Group.
Split tunneling Select to enable split tunneling.
Start IP Enter the starting IP address for the split tunnel range.
End IP Enter the ending IP address for the split tunnel range.
Connect Initiate a session and establish an SSL VPN tunnel with the FortiGate
unit.
Disconnect End the session and close the tunnel to the FortiGate unit.
Refresh now Refresh the Fortinet SSL VPN Client page (web portal).
Link status Indicates the state of the SSL VPN tunnel:
Up is displayed when an SSL VPN tunnel with the FortiGate unit has
been established.
Down is displayed when a tunnel connection has not been initiated.
Bytes sent: Displays the number of bytes of data transmitted from the client to the
FortiGate unit since the tunnel was established.
Bytes received: The number of bytes of data received by the client from the FortiGate
unit since the tunnel was established.
<status information> Displays detailed information about the tunnel connection (for
example, “Fortinet SSL VPN client connected to server”.)

User
This section explains how to set up user accounts, user groups, and external
authentication servers. You can use these components of user authentication to control
access to network resources.
If you enable virtual domains (VDOMs) on the FortiGate unit, user authentication is
configured separately for each virtual domain. For details, see “Using virtual domains” on
page 103.
This section describes:
• Getting started - User authentication
• Local user accounts
• Remote
• RADIUS
• LDAP
• TACACS+
• PKI
• Directory Service
• User Group
• Options
• Monitor

Getting started - User authentication


FortiGate authentication controls access by user group, but you need to complete one or
more of the following tasks prior to configuring the user groups.
• Configure local user accounts. For each user, you can choose whether the password is
verified by the FortiGate unit, by a RADIUS server, by an LDAP server, or by a
TACACS+ server. For more information, see “Local user accounts” on page 540.
• Configure IM user policies. For IM users, you can configure user lists that either allow
or block use of instant messaging through the FortiGate unit. For more information, see
“IM user monitor list” on page 565.
• Configure your FortiGate unit to authenticate users by using your RADIUS, LDAP, or
TACACS+ servers. For more information, see “RADIUS” on page 543, “LDAP” on
page 546, and “TACACS+” on page 549.
• Configure access to the FortiGate unit if you use a Directory Service server for
authentication. For more information, see “Configuring a Directory Service server” on
page 552.
• Configure for certificate-based authentication for administrative access (HTTPS web-
based manager), IPSec, SSL-VPN, and web-based firewall authentication. For more
information, see “PKI” on page 553.

You can configure the FortiGate unit to authenticate system administrators locally, against
RADIUS, LDAP, or TACACS+ servers, or with certificate-based (PKI) authentication. For more
information, see “System Admin” on page 203. You can change the authentication timeout
value or select the protocols supported for firewall authentication. For more information,
see “Options” on page 561. You can view lists of currently authenticated users, active SSL
VPN sessions, activity on VPN IPSec tunnels, authenticated IM users, and banned users. For
more information, see “Monitor” on page 562.
For each network resource that requires authentication, you specify which user groups are
permitted access to the network. There are three types of user groups: Firewall, Directory
Service, and SSL VPN. For more information, see “Firewall user groups” on page 555,
“Directory Service user groups” on page 556, and “SSL VPN user groups” on page 557.

Local user accounts


A local user is a user configured on a FortiGate unit. The user can be authenticated with a
password stored on the FortiGate unit (the user name and password must match a user
account stored on the FortiGate unit) or with a password stored on an authentication
server (the user name must match a user account stored on the FortiGate unit and the
user name and password must match a user account stored on the authentication server
associated with the user).
Instant Messenger (IM) protocols are a common way for two or more people to communicate
in real time, and some companies rely on them for critical business applications such as
customer or technical support. The most common IM protocols in use today include AOL
Instant Messenger, Yahoo Instant Messenger, MSN Messenger, and ICQ. On a FortiGate unit
you can define IM users and, for each one, allow or block use of these protocols.

Configuring Local user accounts


You can block a user with a valid local user account from authenticating at all, or configure
the FortiGate unit to allow a user to authenticate with a user name and password stored
on the FortiGate unit, or with an account stored on a specific server (LDAP, RADIUS, or
TACACS+).
To view the list of existing local users, go to User > Local.

Figure 359: Example Local user list


Create New Add a new local user account.


User Name The local user name.

Type The authentication type to use for this user. The authentication types
are Local (user and password stored on FortiGate unit), LDAP,
RADIUS, and TACACS+ (user and password matches a user account
stored on the authentication server).
Delete icon Delete the user.
The delete icon is not available if the user belongs to a user group.
Edit icon Edit the user account.

Note: Deleting the user name deletes the authentication configured for the user.

To add a Local user, go to User > Local, select Create New, and enter or select the
following:

Figure 360: Local user

User Name A name that identifies the user.


Disable Select to prevent this user from authenticating.
Password Select to authenticate this user using a password stored on the FortiGate unit
and then enter the password. The password should be at least six characters.
LDAP Select to authenticate this user using a password stored on an LDAP server.
Select the LDAP server from the list.
You can select only an LDAP server that has been added to the FortiGate LDAP
configuration. For more information, see “LDAP” on page 546.
RADIUS Select to authenticate this user using a password stored on a RADIUS server.
Select the RADIUS server from the list.
You can select only a RADIUS server that has been added to the FortiGate
RADIUS configuration. For more information, see “RADIUS” on page 543.
TACACS+ Select to authenticate this user using a password stored on a TACACS+ server.
Select the TACACS+ server from the list.
You can select only a TACACS+ server that has been added to the FortiGate
TACACS+ configuration. For more information, see “TACACS+” on page 549.

Configuring IM user policies


IM user policies determine, for a named IM user, whether that user is permitted to use an
instant messaging protocol or is blocked from it.

Note: If virtual domains (VDOMs) are enabled on the FortiGate unit, IM features are
configured globally rather than separately for each virtual domain. To access them, select
Global Configuration on the main menu. For more information, see “Using virtual domains”
on page 103.

The IM user list displays information about configured instant messaging user policies.
The list can be filtered by protocol and policy.
To view the list of IM users, go to User > Local > IM.

Figure 361: IM user list

Create New Add a new user to the list.


Protocol Filter the list by selecting a protocol: AIM, ICQ, MSN, Yahoo, or All.
Policy Filter the list by selecting a policy: Allow, Block, or All.
Protocol The protocol associated with the user.
Username The name selected by the user when registering with an IM protocol. The
same user name can be used for multiple IM protocols. Each user
name/protocol pair appears separately in the list.
Policy The policy applied to the user when attempting to use the protocol: Allow
or Block.
Edit icon Change the following user information: Protocol, Username, and Policy.
Delete icon Permanently remove users from the User List.

To add an IM user, go to User > Local > IM, select Create New, and enter or select the
following:

Figure 362: Edit User dialog

Protocol Select a protocol from the dropdown list: AIM, ICQ, MSN, or Yahoo!.
Username Enter a name for the user.
Policy Select a policy from the dropdown list: Allow or Block.

The IM user monitor list displays information about instant messaging users who are
currently connected. For more information, see “IM user monitor list” on page 565.

Configuring older versions of IM applications


Some older versions of IM protocols are able to bypass file blocking because the message
types are not recognized.
Supported IM protocols include:
• MSN 6.0 and above
• ICQ 4.0 and above
• AIM 5.0 and above
• Yahoo 6.0 and above
If you want to block a protocol that is older than the ones listed above, use the CLI
command:
config imp2p old-version
For more information, see the FortiGate CLI Reference.

Remote
Remote authentication is generally used to ensure that employees working offsite can
remotely access their corporate network with appropriate security measures in place. In
general terms, authentication is the process of attempting to verify the (digital) identity of
the sender of a communication such as a login request. The sender may be someone
using a computer, the computer itself, or a computer program. Since a computer system
should be used only by those who are authorized to do so, there must be a measure in
place to detect and exclude any unauthorized access.
On a FortiGate unit, you can control access to network resources by defining lists of
authorized users, called user groups. To use a particular resource, such as a network or
VPN tunnel, the user must:
• belong to one of the user groups that is allowed access
• correctly enter a user name and password to prove his or her identity, if asked to do so.

RADIUS
Remote Authentication Dial-In User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication function of
the RADIUS server. To use the RADIUS server for authentication, you must configure the
server before you configure the FortiGate users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a
RADIUS server, the FortiGate unit sends the user’s credentials to the RADIUS server for
authentication. If the RADIUS server can authenticate the user, the user is successfully
authenticated with the FortiGate unit. If the RADIUS server cannot authenticate the user,
the FortiGate unit refuses the connection. You can override the default authentication
scheme by selecting a specific authentication protocol or changing the default port for
RADIUS traffic.

Note: The default port for RADIUS traffic is 1812. If your RADIUS server is using port 1645,
use the CLI to change the default RADIUS port. For more information, see the config
system global command in the FortiGate CLI Reference.

To view the list of RADIUS servers, go to User > Remote > RADIUS.

Figure 363: Example RADIUS server list


Create New Add a new RADIUS server. The maximum number is 10.
Name Name that identifies the RADIUS server on the FortiGate unit.
Server Name/IP Domain name or IP address of the RADIUS server.
Delete icon Delete a RADIUS server configuration.
You cannot delete a RADIUS server that has been added to a user group.
Edit icon Edit a RADIUS server configuration.

Configuring a RADIUS server


The RADIUS server and its clients, such as the FortiGate unit, share a secret key. The key
authenticates RADIUS packets (through the Response Authenticator) and hides the
User-Password attribute; it does not encrypt the rest of the exchange, so other attributes
such as the user name travel in the clear. When you configure a RADIUS server, you can
also configure a secondary RADIUS server. The FortiGate unit attempts authentication with
the primary server first, and if there is no response, uses the secondary server. You can
include the RADIUS server in every user group without adding it to each user group
configuration individually.

Note: The server secret key should be a maximum of 16 characters in length.

The RADIUS server can use several different authentication protocols during the
authentication process:
• MS-CHAP-V2 is the Microsoft challenge-handshake authentication protocol v2
• MS-CHAP is the Microsoft challenge-handshake authentication protocol v1
• CHAP (challenge-handshake authentication protocol) provides the same functionality
as PAP, but the password itself never crosses the network: the client sends an MD5
response to a challenge, and the server must hold the cleartext password to verify it
• PAP (password authentication protocol) is used to authenticate PPP connections. PAP
transmits passwords and other user information in clear text (unencrypted). In the
RADIUS request the FortiGate unit hides the PAP password by XORing it with an MD5
stream derived from the shared secret (RFC 2865), so anyone holding the secret, or
able to guess it from a captured request, can recover the password.
If you have not selected a protocol, the default protocol configuration tries PAP,
MS-CHAP-V2, and CHAP, in that order.
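As an added example that is not part of this guide or of FortiOS, the following Python script builds the RADIUS Access-Request exchange described above for both PAP and CHAP and shows what the shared secret does and does not protect. The secret, user name, password, NAS address and the toy server are all constructed for the illustration; the packet layout, User-Password hiding, CHAP-Password and Response Authenticator follow RFC 2865.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for the example; the secret, user, password and NAS address are
# invented. FortiOS limits the shared secret to 16 characters.
SHARED_SECRET = b"fgt-radius-key"
USER_DB = {b"alice": b"correct horse"}   # the server's store; CHAP needs the cleartext

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """User-Password hiding from RFC 2865 5.2: 16-byte blocks XORed with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """The inverse: anyone holding the secret recovers the PAP password from a capture."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password attribute: ident byte + MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(ident, req_auth, username, password, method="pap", chap_ident=1):
    attrs = [attribute(USER_NAME, username), attribute(NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]
    if method == "pap":
        attrs.append(attribute(USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth)))
    else:   # CHAP: with no CHAP-Challenge attribute the Request Authenticator is the challenge
        attrs.append(attribute(CHAP_PASSWORD, chap_password(chap_ident, password, req_auth)))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(request: bytes, secret: bytes) -> bytes:
    """Toy RADIUS server: verify the credential, answer with a signed Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attributes(request[20:length])
    stored, ok = USER_DB.get(attrs.get(USER_NAME)), False
    if stored is not None and USER_PASSWORD in attrs:
        ok = hmac.compare_digest(reveal_password(attrs[USER_PASSWORD], secret, req_auth), stored)
    elif stored is not None and CHAP_PASSWORD in attrs:
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)
        ok = hmac.compare_digest(attrs[CHAP_PASSWORD],
                                 chap_password(attrs[CHAP_PASSWORD][0], stored, challenge))
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", reply, ident, 20) + req_auth + secret).digest()
    return packet(reply, ident, resp_auth, [])


def client_check_reply(reply: bytes, req_auth: bytes, secret: bytes) -> int:
    """Accept the reply code only if the Response Authenticator proves the secret was used."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("bad Response Authenticator: forged reply or secret mismatch")
    return code


def authenticate(username, password, method="pap", req_auth=None, server_secret=SHARED_SECRET):
    """One round trip between the FortiGate side (client) and the toy server."""
    req_auth = req_auth or os.urandom(16)
    reply = server_handle(access_request(7, req_auth, username, password, method), server_secret)
    return client_check_reply(reply, req_auth, SHARED_SECRET)
```

Two points worth noticing when running it: reveal_password() is a handful of lines, so a captured PAP request is a password-recovery oracle for anyone who holds or can brute-force the secret, whereas the CHAP path forces the server to keep cleartext passwords; and a secret mismatch surfaces on the Response Authenticator check, which the client cannot distinguish from a forged reply, so authenticate() raises rather than returning a reject.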
To add a new RADIUS server, go to User > Remote > RADIUS, select Create New, and
enter or select the following:

Figure 364: RADIUS server configuration

Name Enter the name that is used to identify the RADIUS server on the
FortiGate unit.
Primary Server Name/IP Enter the domain name or IP address of the primary RADIUS server.
Primary Server Secret Enter the RADIUS server secret key for the primary RADIUS server.
The primary server secret key should be a maximum of 16 characters
in length.
Secondary Server Name/IP Enter the domain name or IP address of the secondary RADIUS
server, if you have one.
Secondary Server Secret Enter the RADIUS server secret key for the secondary RADIUS
server. The secondary server secret key should be a maximum of 16
characters in length.
Authentication Scheme Select Use Default Authentication Scheme to authenticate with the
default method. The default authentication scheme uses PAP, MS-
CHAP-V2, and CHAP, in that order.
Select Specify Authentication Protocol to override the default
authentication method, and choose the protocol from the list: MS-
CHAP-V2, MS-CHAP, CHAP, or PAP, depending on what your
RADIUS server needs.
NAS IP/Called Station ID Enter the NAS IP address and Called Station ID to send to the
RADIUS server (NAS-IP-Address is RADIUS attribute 4 and
Called-Station-Id is attribute 30, both defined in RFC 2865). If you do
not enter an IP address, the IP address that the FortiGate interface
uses to communicate with the RADIUS server is used.
Include in every User Group Select to have the RADIUS server automatically included in all user
groups.

LDAP
Lightweight Directory Access Protocol (LDAP) is an Internet protocol for reading and
maintaining directory data, which may include departments, people, groups of people,
passwords, email addresses, and printers. LDAP defines a data-representation scheme, a
set of operations, and a request/response protocol that carries them over the network.
If you have configured LDAP support and require a user to authenticate using an LDAP
server, the FortiGate unit contacts the LDAP server for authentication. To authenticate
with the FortiGate unit, the user enters a user name and password. The FortiGate unit
sends this user name and password to the LDAP server. If the LDAP server can
authenticate the user, the FortiGate unit successfully authenticates the user. If the LDAP
server cannot authenticate the user, the FortiGate unit refuses the connection.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight
Directory Access Protocol v3, for looking up and validating user names and passwords.
FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate
LDAP supports LDAP over SSL/TLS. To configure SSL/TLS authentication, refer to the
FortiGate CLI Reference.
FortiGate LDAP support does not extend to proprietary functionality, such as notification of
password expiration, that is available from some LDAP servers. Nor does the FortiGate
LDAP supply information to the user about why authentication failed.
To view the list of LDAP servers, go to User > Remote > LDAP.

Figure 365: Example LDAP server list


Create New Add a new LDAP server. The maximum number is 10.
Name The name that identifies the LDAP server on the FortiGate unit.
Server Name/IP The domain name or IP address of the LDAP server.
Port The TCP port used to communicate with the LDAP server.
Common Name Identifier The common name identifier for the LDAP server. Most LDAP servers use cn.
However, some servers use other common name identifiers such as uid.
Distinguished Name The base distinguished name used to look up entries on the LDAP server. The
distinguished name reflects the hierarchy of LDAP database object classes
above the common name identifier.
Delete icon Delete the LDAP server configuration.
Edit icon Edit the LDAP server configuration.

Configuring an LDAP server


A directory is a set of objects with similar attributes organized in a logical and hierarchical
way. Generally, an LDAP directory tree reflects geographic or organizational boundaries,
with the Domain Name System (DNS) names at the top level of the hierarchy. The
common name identifier for most LDAP servers is cn; however some servers use other
common name identifiers such as uid.
For example, you could use the following base distinguished name:
ou=marketing,dc=fortinet,dc=com
where ou is organization unit and dc is a domain component.
You can also specify multiple instances of the same field in the distinguished name, for
example, to specify multiple organization units:
ou=accounts,ou=marketing,dc=fortinet,dc=com
Binding is the LDAP operation in which a client authenticates to the server; once the server
accepts the bind, it grants the client access to the directory according to that identity's
permissions.
You can configure the FortiGate unit to use one of three types of binding:
• anonymous - bind anonymously, search for the user, then bind as the entry found
• regular - bind with a configured user name/password, search for the user, then bind as
the entry found
• simple - bind directly as the user, using a DN built from the common name identifier,
the user name, and the base DN, without a search.
You can use simple binding if all the user records sit directly under one DN. If the users
are spread across more than one DN, use the anonymous or regular type, which searches
the whole subtree under the base DN for the required user name.
If your LDAP server requires authentication to perform searches, use the regular type and
provide values for the user name (User DN) and password. Where a server allows anonymous
searches, anyone on the network can enumerate the directory, so the regular type with a
low-privilege search account is usually preferable.
To add an LDAP server, go to User > Remote > LDAP and select Create New. Enter the
information below and select OK.

Figure 366: LDAP server configuration

Name Enter the name that identifies the LDAP server on the FortiGate unit.
Server Name/IP Enter the domain name or IP address of the LDAP server.
Server Port Enter the TCP port used to communicate with the LDAP server.
By default, LDAP uses port 389.
If you use a secure LDAP server, the default port changes when you
select Secure Connection.
Common Name Identifier Enter the common name identifier for the LDAP server. The maximum
number of characters is 20.
Distinguished Name Enter the base distinguished name for the server using the correct
X.500 or LDAP format. The FortiGate unit passes this distinguished
name unchanged to the server. The maximum number of characters is
512.
Query icon View the LDAP server Distinguished Name Query tree for the LDAP
server that you are configuring so that you can cross-reference to the
Distinguished Name.
For more information, see “Using Query”.
Bind Type Select the type of binding for LDAP authentication.
Regular Bind to the LDAP server with the User DN and Password configured
below, search under the base DN for an entry whose common name
identifier matches the user name (and matches Filter, if set), then
bind as that entry with the user's password to obtain accept or reject.
Anonymous Bind to the LDAP server anonymously, search for the user's entry in
the same way, then bind as that entry with the user's password.
Simple Bind directly to the LDAP server as <common name identifier>=<user
name>,<base DN> with the user's password. No search is performed.
Filter Enter the LDAP search filter used to narrow the search, for example to
members of a particular group. Available if Bind Type is Regular or
Anonymous.
User DN Enter the distinguished name of the account the FortiGate unit binds
with to perform the search. Available if Bind Type is Regular.
Password Enter the password of the account named in User DN. Available if Bind
Type is Regular.
Secure Connection Select to use a secure LDAP server connection for authentication.
Protocol Select a secure LDAP protocol to use for authentication. Depending on
your selection, the value in Server Port will change to the default port
for the selected protocol. Available only if Secure Connection is
selected.
LDAPS: port 636
STARTTLS: port 389
Certificate Select a certificate to use for authentication from the list. The
certificate list comes from CA certificates at System > Certificates >
CA Certificates.
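As an added example, not code from this guide or from FortiOS, the following Python script models the three bind types described above against a small constructed directory (the entries, passwords and service account are invented for the illustration). It shows the DN the simple type constructs, the search-then-bind sequence used by the anonymous and regular types, and why the user name must be escaped before it is placed in the search filter: an unescaped `*` would otherwise match every entry under the base DN.

```python
import hashlib
import hmac

# Constructed toy directory standing in for the LDAP server (entries, passwords and the
# service account are invented for this example). "_pwhash" lets bind() verify offline.
def _pw(p: str) -> str:
    return hashlib.sha256(p.encode()).hexdigest()

DIRECTORY = {
    "cn=alice,ou=marketing,dc=fortinet,dc=com":
        {"cn": ["alice"], "objectclass": ["person"], "_pwhash": _pw("alice-pw")},
    "cn=bob,ou=accounts,ou=marketing,dc=fortinet,dc=com":
        {"cn": ["bob"], "objectclass": ["person"], "_pwhash": _pw("bob-pw")},
    "cn=svc-fortigate,ou=services,dc=fortinet,dc=com":
        {"cn": ["svc-fortigate"], "objectclass": ["account"], "_pwhash": _pw("bind-pw")},
}
ALLOW_ANONYMOUS_SEARCH = True   # False models a server that needs a Regular bind to search

def escape_filter_value(v: str) -> str:
    """RFC 4515 escaping, so a user name can never add wildcards or close the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in v)

def escape_dn_value(v: str) -> str:
    """RFC 4514 escaping for one attribute value placed inside a DN."""
    chars = ["\\" + c if c in ',+"\\<>;' else c for c in v]
    if chars and chars[0] in ("#", " "):
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)

def _parse(f: str, i: int = 0):
    """Minimal RFC 4515 filter parser: (attr=value), (&..), (|..), (!..); \\xx escapes."""
    if f[i] != "(":
        raise ValueError("expected '('")
    i += 1
    if f[i] in "&|":
        op, subs, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        return (op, subs), i + 1
    if f[i] == "!":
        node, i = _parse(f, i + 1)
        return ("!", [node]), i + 1
    j = f.index("=", i)
    attr, k, parts, cur = f[i:j].lower(), j + 1, [], ""
    while f[k] != ")":
        if f[k] == "\\":                      # escaped byte: literal, never a wildcard
            cur, k = cur + chr(int(f[k + 1:k + 3], 16)), k + 3
        elif f[k] == "*":                     # bare * splits the value into wildcard parts
            parts, cur, k = parts + [cur], "", k + 1
        else:
            cur, k = cur + f[k], k + 1
    return ("=", attr, parts + [cur]), k + 1

def _match(parts, value: str) -> bool:
    if len(parts) == 1:
        return value == parts[0]
    if not (value.startswith(parts[0]) and value.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(value) - len(parts[-1])
    for mid in parts[1:-1]:
        idx = value.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return True

def _eval(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_eval(n, entry) for n in node[1])
    if op == "|":
        return any(_eval(n, entry) for n in node[1])
    if op == "!":
        return not _eval(node[1][0], entry)
    return any(_match(node[2], v) for v in entry.get(node[1], []))

def search(base_dn: str, filter_str: str) -> list:
    """Subtree search below base_dn (a string suffix match is enough for this toy)."""
    node, _ = _parse(filter_str)
    return [dn for dn, e in DIRECTORY.items()
            if (dn == base_dn or dn.endswith("," + base_dn)) and _eval(node, e)]

def bind(dn: str, password: str) -> bool:
    if dn == "" and password == "":                     # anonymous bind
        return ALLOW_ANONYMOUS_SEARCH
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["_pwhash"], _pw(password))

def simple_bind_auth(cn_id: str, base_dn: str, username: str, password: str) -> bool:
    """Simple: bind as <cn_id>=<user>,<base DN>; the user must sit directly under base_dn."""
    if not password:      # empty password = unauthenticated bind (RFC 4513 5.1.2); never accept
        return False
    return bind(f"{cn_id}={escape_dn_value(username)},{base_dn}", password)

def search_bind_auth(cn_id, base_dn, username, password,
                     group_filter="", service_dn="", service_pw="") -> bool:
    """Anonymous (service_dn empty) or Regular (User DN/Password): search, then bind as the hit."""
    if not password or not bind(service_dn, service_pw):
        return False
    flt = f"({cn_id}={escape_filter_value(username)})"
    if group_filter:
        flt = f"(&{flt}{group_filter})"
    hits = search(base_dn, flt)
    return len(hits) == 1 and bind(hits[0], password)   # zero or several hits: reject, never guess
```

With base DN ou=marketing,dc=fortinet,dc=com, alice authenticates with the simple type but bob does not, because his entry lives one OU deeper and the simple type never searches; the search-then-bind types find both. The empty-password check matters on real servers too: RFC 4513 lets a server treat a bind with a DN and an empty password as anonymous and return success, which an authenticator that forwards whatever the user typed would mistake for a valid login.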

Using Query
The LDAP Distinguished Name Query list displays the LDAP Server IP address, and all
the distinguished names associated with the Common Name Identifier for the LDAP
server. The tree helps you to determine the appropriate entry for the DN field. To see the
distinguished name associated with the Common Name identifier, select the Expand
Arrow beside the CN identifier and then select the DN from the list. The DN you select is
displayed in the Distinguished Name field. Select OK to save your selection in the
Distinguished Name field of the LDAP Server configuration.
To see the users within the LDAP Server user group for the selected Distinguished Name,
select the Expand arrow beside the Distinguished Name in the LDAP Distinguished Name
Query tree.

Figure 367: Example LDAP server Distinguished Name Query tree


TACACS+
In recent years, remote network access has shifted from terminal access to LAN access.
Users connect to their corporate network (using notebooks or home PCs) with computers
that use complete network connections and have the same level of access to the
corporate network resources as if they were physically in the office. These connections
are made through a remote access server. As remote access technology has evolved, the
need for network access security has become increasingly important.
Terminal Access Controller Access-Control System Plus (TACACS+) is a remote
authentication protocol that provides access control for routers, network access servers,
and other networked computing devices via one or more centralized servers. TACACS+
allows a client to accept a user name and password and send a query to a TACACS+
authentication server. The server determines whether to accept or deny the request and
sends a response back that allows or denies network access to the user. TACACS+ runs
over TCP; the default port for a TACACS+ server is 49.
To view the list of TACACS+ servers, go to User > Remote > TACACS+.

Figure 368: Example TACACS+ server list


Create New Add a new TACACS+ server. The maximum number is 10.
Server The server domain name or IP address of the TACACS+ server.
Authentication Type The supported authentication method. TACACS+ authentication
methods include: Auto, ASCII, PAP, CHAP, and MSCHAP.
Delete icon Delete this TACACS+ server.
Edit icon Edit this TACACS+ server.

Configuring TACACS+ servers


There are several different authentication protocols that TACACS+ can use during the
authentication process:
• ASCII
The user types a user name and password, which are carried as plain text inside the
TACACS+ packets and matched against an entry in the server's user database.
• PAP (password authentication protocol)
Used to authenticate PPP connections. Transmits passwords and other user
information in clear text.
• CHAP (challenge-handshake authentication protocol)
Provides the same functionality as PAP, but is more secure because the password itself
is never sent over the network to the security server; only a challenge response is.
• MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
Microsoft-specific version of CHAP.
Whatever the authentication type, the body of every TACACS+ packet is obscured with an
MD5 stream derived from the server key, so the secrecy of a "clear text" ASCII or PAP
password on the wire rests entirely on that key. This is obfuscation rather than
encryption, and the key should be treated as a credential.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
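As an added example, not from this guide or from FortiOS, the following Python script builds and parses the TACACS+ authentication START packet that a client such as the FortiGate unit sends, applying the MD5 pseudo-pad obfuscation from RFC 8907 with the server key. The session ID, key, user name, password, port and remote address are constructed values. It shows that the key, not the authentication type, is what keeps an ASCII or PAP password off the wire, and that a wrong key yields an inconsistent body rather than an error, because the protocol carries no integrity check.

```python
import hashlib
import struct

# Constructed values for the example (session ID, key, user, port, remote address are
# invented). The key corresponds to the Server Key field; FortiOS limits it to 16 characters.
SERVER_KEY = b"tac-key"
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
AUTHEN_TYPE = {"ascii": 1, "pap": 2, "chap": 3, "mschap": 5}
ACTION_LOGIN, PRIV_LVL_USER, SERVICE_LOGIN = 1, 1, 1


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: MD5(session_id + key + version + seq_no [+ previous block]), chained."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def build_authen_start(session_id, seq_no, key, user, authen_type="pap", data=b"",
                       port=b"ssl-vpn", rem_addr=b"203.0.113.5") -> bytes:
    """Authentication START (RFC 8907 5.1). PAP carries the password in data; ASCII sends
    it later in a CONTINUE; CHAP puts PPP id + challenge + response in data."""
    version = 0xC0 if authen_type == "ascii" else 0xC1   # major 0xC; minor 1 for PAP/CHAP/MS-CHAP
    body = struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE[authen_type], SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data
    header = struct.pack("!BBBBII", version, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet: bytes, key: bytes):
    """Server side. Returns the decoded fields, or None when the length fields do not add
    up, which is all a wrong key produces: there is no integrity check to fail."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a well-formed authentication packet")
    body = packet[12:]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        return None
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    return {"authen_type": atype, "action": action, "user": user, "port": port,
            "rem_addr": rem_addr, "data": body[off:off + dl], "seq_no": seq_no}
```

Because the pad is a keystream, two packets that reuse the same session ID, sequence number and key are XORed with identical bytes, and a PAP password sits at a predictable offset in the body; anyone who captures a START packet and can guess the key recovers it directly. Running the server key over a management network or IPsec tunnel, as RFC 8907 recommends, is the practical mitigation.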
To add a new TACACS+ server, go to User > Remote > TACACS+, select Create New,
and enter or select the following:

Figure 369: TACACS+ server configuration

Name Enter the name of the TACACS+ server.


Server Name/IP Enter the server domain name or IP address of the TACACS+ server.
Server Key Enter the key to access the TACACS+ server. The server key should be a
maximum of 16 characters in length.
Authentication Type Select the authentication type to use for the TACACS+ server. Selection
includes: Auto, ASCII, PAP, CHAP, and MSCHAP. Auto authenticates using
PAP, MSCHAP, and CHAP (in that order).

Directory Service
Windows Active Directory (AD) and Novell eDirectory provide central authentication
services by storing information about network resources across a domain (a logical group
of computers running versions of an operating system) in a central directory database.
Each person who uses computers within a domain receives his or her own unique
account/user name. This account can be assigned access to resources within the domain.
In a domain, the directory resides on computers that are configured as domain controllers.
A domain controller is a server that manages all security-related features that affect the
user/domain interactions, security centralization, and administrative functions.
FortiGate units use firewall policies to control access to resources based on user groups
configured in the policies. Each FortiGate user group is associated with one or more
Directory Service user groups. When a user logs in to the Windows or Novell domain, a
Fortinet Server Authentication Extension (FSAE) sends the FortiGate unit the user’s IP
address and the names of the Directory Service user groups to which the user belongs.
The FSAE has two components that you must install on your network:
• The domain controller (DC) agent must be installed on every domain controller to
monitor user logins and send information about them to the collector agent.
• The collector agent must be installed on at least one domain controller to send the
information received from the DC agents to the FortiGate unit.
The FortiGate unit uses this information to maintain a copy of the domain controller user
group database. Because the domain controller authenticates users, the FortiGate unit
does not perform authentication itself. It recognizes group members by their source IP
address, so a host shared by several users, or several hosts behind one NAT address,
cannot be told apart by the FortiGate unit.
You must install the Fortinet Server Authentication Extensions (FSAE) on the network and
configure the FortiGate unit to retrieve information from the Directory Service server. For
more information about FSAE, see the FSAE Technical Note.
To view the list of Directory Service servers, go to User > Directory Service.

Figure 370: Example Directory Service server list


Create New Add a new Directory Service server.


Name Select the Expand arrow beside the server/domain/group name to
display Directory Service domain and group information.
AD Server The name defined for the Directory Service server.
Domain The domain name imported from the Directory Service server.
Groups The group names imported from the Directory Service server.
FSAE Collector IP The IP addresses and TCP ports of up to five FSAE collector agents
that send Directory Service server login information to the FortiGate
unit.
Delete icon Delete this Directory Service server.
Edit icon Edit this Directory Service server.
Add User/Group Add a user or group to the list. You must know the distinguished name
for the user or group.
Edit User/Group Select users and groups to add to the list.

Configuring a Directory Service server


You need to configure the FortiGate unit to access at least one FSAE collector agent. You
can specify up to five Directory Service servers on which you have installed a collector
agent. If your FSAE collector agent requires authenticated access, you enter a password
for the server. The server name appears in the list of Directory Service servers when you
create user groups. You can also retrieve Directory Service information directly through an
LDAP server instead of through the FSAE agent.

Note: You can enter information for up to five collector agents. If you install a collector
agent on two or more domain controllers, the FortiGate unit has a redundant configuration:
if the current (or first) collector agent fails, the FortiGate unit switches to the next one
in its list.


To add a new Directory Service server, go to User > Directory Service, select Create New,
and enter or select the following:

Figure 371: Directory Service server configuration

Name Enter the name of the Directory Service server. This name appears in the list of
Directory Service servers when you create user groups.
FSAE Collector Enter the IP address or name of the Directory Service server where this
IP/Name collector agent is installed. The maximum number of characters is 63.
Port Enter the TCP port used for Directory Service. This must be the same as the
FortiGate listening port specified in the FSAE collector agent configuration.

Password Enter the password for the collector agent. This is required only if you
configured your FSAE collector agent to require authenticated access.
LDAP Server Select the check box and select an LDAP server to access the Directory
Service.

PKI
Public Key Infrastructure (PKI) authentication uses a certificate authentication library
that takes a list of peers, peer groups, and/or user groups and returns authentication
successful or denied notifications. Users only need a valid certificate for successful
authentication; no user name or password is necessary. Firewall and SSL VPN are the
only user group types that can use PKI authentication.
For more information about certificate authentication, see the FortiGate Certificate
Management User Guide. For information about the detailed PKI configuration settings
available only through the CLI, see the FortiGate CLI Reference.
To view the list of PKI users, go to User > PKI.

Figure 372: Example PKI User list



Name The name of the PKI user.


Subject The text string that appears in the subject field of the certificate of the
authenticating user.
CA The CA certificate that is used to authenticate this user.
Delete icon Delete this PKI user.
The delete icon is not available if the peer user belongs to a user group.
Remove it from the user group first.
Edit icon Edit this PKI user.

Configuring peer users and peer groups


You can define peer users and peer groups used for authentication in some VPN
configurations and for PKI certificate authentication in firewall policies.
A peer user is a digital certificate holder that can use PKI authentication. Before using PKI
authentication, you must define peer users to include in the user group that is incorporated
into the firewall authentication policy.
To define a peer user, you need:


• a peer user name


• the text from the subject field of the certificate of the authenticating peer user, or the
CA certificate used to authenticate the peer user.
You can add or modify other configuration settings for PKI authentication. For more
information, see the FortiGate CLI Reference.

Caution: If you use the CLI to create a peer user, Fortinet recommends that you enter a
value for either subject or ca. If you do not do so, and then open the user record in the web-
based manager, you will be prompted to enter a subject or ca value before you can
continue.

To create a peer user for PKI authentication, go to User > PKI, select Create New, and
enter the following:

Figure 373: PKI user

Name Enter the name of the PKI user.


Subject Enter the text string that appears in the subject field of the certificate of the
authenticating user. This field is optional.
CA Enter the CA certificate that must be used to authenticate this user. This
field is optional.

Note: You must enter a value for at least one of Subject or CA.

You can configure peer user groups only through the CLI. For more information, see the
FortiGate CLI Reference.
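The peer-user rules above (a peer is identified by its certificate Subject and/or the CA that issued it, and at least one of the two must be set) can be modelled in a few lines. The following Python is an added illustration written for this guide; it is not Fortinet code and does not claim to reproduce the FortiGate implementation. It assumes that the TLS layer has already validated the client certificate, that the certificate is represented only by its subject text and the label of the issuing CA certificate, and that Subject comparison is an exact match after normalising case and spacing (a stricter choice than a partial match).

```python
"""Model of PKI peer-user matching for certificate authentication.

Added illustration, not Fortinet code. Assumptions:
  * the TLS handshake already validated the certificate chain;
  * a certificate is described by its subject text and the label of the
    CA certificate that issued it;
  * a peer user matches when every field it defines agrees with the
    certificate; a field left empty imposes no constraint;
  * Subject comparison is exact after normalising case and whitespace.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def _norm_dn(text: str) -> str:
    """Normalise a DN-like string: lower-case, strip spaces around commas."""
    return ",".join(part.strip().lower() for part in text.split(","))


@dataclass(frozen=True)
class PeerUser:
    name: str
    subject: Optional[str] = None   # text expected in the certificate Subject
    ca: Optional[str] = None        # CA certificate that must have issued it

    def __post_init__(self) -> None:
        # The guide's rule: at least one of Subject or CA must be given.
        if not self.subject and not self.ca:
            raise ValueError(f"peer user {self.name!r} needs a Subject or a CA")


@dataclass(frozen=True)
class ClientCertificate:
    subject: str      # e.g. "CN=alice,OU=eng,O=Example Corp"
    issuer_ca: str    # label of the CA certificate that issued it


def peer_matches(peer: PeerUser, cert: ClientCertificate) -> bool:
    """True when every field defined on the peer agrees with the certificate."""
    if peer.subject and _norm_dn(peer.subject) != _norm_dn(cert.subject):
        return False
    if peer.ca and peer.ca != cert.issuer_ca:
        return False
    return True


def authenticate(cert: ClientCertificate, peers: Iterable[PeerUser],
                 allowed_group: set) -> Optional[str]:
    """Return the name of the first peer user that belongs to allowed_group
    and matches the certificate, or None when authentication is denied."""
    for peer in peers:
        if peer.name in allowed_group and peer_matches(peer, cert):
            return peer.name
    return None


# Constructed sample data (hypothetical names, not from the guide).
PEERS = [
    PeerUser("alice", subject="CN=alice,OU=eng,O=Example Corp", ca="Example-CA"),
    PeerUser("bob", subject="CN=bob,OU=eng,O=Example Corp"),          # Subject only
    PeerUser("any-example-user", ca="Example-CA"),                   # CA only
]

if __name__ == "__main__":
    cert = ClientCertificate("cn=alice, ou=eng, o=example corp", "Example-CA")
    print(authenticate(cert, PEERS, {"alice", "bob"}))   # alice
```

Two points the model makes visible: a CA-only peer such as `any-example-user` accepts every certificate that CA issued, so it belongs in a group only where that is intended; and a Subject-only peer such as `bob` relies entirely on the TLS trust store for issuer checking, so defining both fields is the tighter configuration.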

User Group
A user group is a list of user identities. An identity can be:
• a local user account (user name and password) stored on the FortiGate unit
• a local user account with a password stored on a RADIUS, LDAP, or TACACS+ server
• a RADIUS, LDAP, or TACACS+ server (all identities on the server can authenticate)
• a user or user group defined on a Directory Service server.
Each user group belongs to one of three types: Firewall, Directory Service or SSL VPN.
For information about each type, see “Firewall user groups” on page 555, “Directory
Service user groups” on page 556, and “SSL VPN user groups” on page 557. For
information on configuring each type of user group, see “Configuring a user group” on
page 558.


In most cases, the FortiGate unit authenticates users by requesting each user name and
password. The FortiGate unit checks local user accounts first. If the unit does not find a
match, it checks the RADIUS, LDAP, or TACACS+ servers that belong to the user group.
Authentication succeeds when the FortiGate unit finds a matching user name and
password.
For a Directory Service user group, the Directory Service server authenticates users when
they log in to the network. The FortiGate unit receives the user’s name and IP address
from the FSAE collector agent. For more information about FSAE, see the
FSAE Technical Note.
You can configure user groups to provide authenticated access to:
• Firewall policies that require authentication
See “Adding authentication to firewall policies” on page 321.
You can choose the user groups that are allowed to authenticate with these policies.
• SSL VPNs on the FortiGate unit
See “Configuring SSL VPN identity-based firewall policies” on page 325.
• IPSec VPN Phase 1 configurations for dialup users
See “Creating a new phase 1 configuration” on page 508.
Only users in the selected user group can authenticate to use the VPN tunnel.
• XAuth for IPSec VPN Phase 1 configurations
See XAUTH in “Defining phase 1 advanced settings” on page 510.
Only users in the selected user group can be authenticated using XAuth.
• FortiGate PPTP configuration
See “PPTP configuration using FortiGate web-based manager” on page 521.
Only users in the selected user group can use PPTP.
• FortiGate L2TP configuration
You can configure this only by using the config vpn l2tp CLI command. See the
FortiGate CLI Reference.
Only users in the selected user group can use L2TP.
• Administrator login with RADIUS authentication
See “Configuring RADIUS authentication for administrators” on page 208.
Only administrators with an account on the RADIUS server can log in.
• FortiGuard Web Filtering override groups
See “FortiGuard - Web Filter” on page 470.
When FortiGuard Web Filtering blocks a web page, authorized users can authenticate
to access the web page or to allow members of another group to access it.
For each resource that requires authentication, you specify which user groups are
permitted access. You need to determine the number and membership of user groups
appropriate to your authentication needs.

Firewall user groups


A firewall user group provides access to a firewall policy that requires authentication and
lists the user group as one of the allowed groups. The FortiGate unit requests the group
member’s user name and password when the user attempts to access the resource that
the policy protects.


You can also authenticate a user by certificate if you have selected this method. For more
information, see “Adding authentication to firewall policies” on page 321.
A firewall user group can also provide access to an IPSec VPN for dialup users. In this
case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer
option. The user’s VPN client is configured with the user name as peer ID and the
password as pre-shared key. The user can connect successfully to the IPSec VPN only if
the user name is a member of the allowed user group and the password matches the one
stored on the FortiGate unit.

Note: A user group cannot be a dialup group if any member is authenticated using a
RADIUS or LDAP server.

For more information, see “Creating a new phase 1 configuration” on page 508.
For information about configuring a Firewall user group, see “Configuring a user group” on
page 558.
You can also use a firewall user group to provide override privileges for FortiGuard web
filtering. For more information, see “Configuring FortiGuard Web filtering override options”
on page 560. For detailed information about FortiGuard Web Filter, including the override
feature, see “FortiGuard - Web Filter” on page 470.

Directory Service user groups


On a network, you can configure the FortiGate unit to allow access to members of
Directory Service server user groups who have been authenticated on the network. The
Fortinet Server Authentication Extensions (FSAE) must be installed on the network
domain controllers.

Note: You cannot use Directory Service user groups directly in FortiGate firewall policies.
You must add Directory Service groups to FortiGate user groups. A Directory Service group
should belong to only one FortiGate user group. If you assign it to multiple FortiGate user
groups, the FortiGate unit recognizes only the last user group assignment.

A Directory Service user group provides access to a firewall policy that requires Directory
Service type authentication and lists the user group as one of the allowed groups. The
members of the user group are Directory Service users or groups that you select from a
list that the FortiGate unit receives from the Directory Service servers that you have
configured. See “Directory Service” on page 551.

Note: A Directory Service user group cannot have SSL VPN access.

You can also use a Directory Service user group to provide override privileges for
FortiGuard web filtering. For more information, see “Configuring FortiGuard Web filtering
override options” on page 560. For detailed information about FortiGuard Web Filter,
including the override feature, see “FortiGuard - Web Filter” on page 470.
For information on configuring user groups, see “Configuring a user group” on page 558.


SSL VPN user groups


An SSL VPN user group provides access to a firewall policy that requires SSL VPN type
authentication and lists the user group as one of the allowed groups. Local user accounts,
LDAP, and RADIUS servers can be members of an SSL VPN user group. The FortiGate
unit requests the user’s user name and password when the user accesses the SSL VPN
web portal. The user group settings include options for SSL VPN features.
An SSL VPN user group can also provide access to an IPSec VPN for dialup users. In this
case, the IPSec VPN phase 1 configuration uses the Accept peer ID in dialup group peer
option. You configure the user’s VPN client with the user name as peer ID and the
password as pre-shared key. The user can connect successfully to the IPSec VPN only if
the user name is a member of the allowed user group and the password matches the one
stored on the FortiGate unit. For more information about configuring user groups for IPSec
VPN, see “Creating a new phase 1 configuration” on page 508.

Note: A user group cannot be an IPSec dialup group if any member is authenticated using
a RADIUS or LDAP server.

For information on configuring user groups, see “Configuring a user group” on page 558.
For information on configuring SSL VPN user group options, see “Configuring SSL VPN
identity-based firewall policies” on page 325.

Viewing the User group list


To view the User group list, go to User > User Group.

Figure 374: Example User group list


Create New Add a new user group.


Group Name The name of the user group. User group names are listed by type of user group:
Firewall, Directory Service and SSL VPN. For more information, see “Firewall
user groups” on page 555, “Directory Service user groups” on page 556, and
“SSL VPN user groups” on page 557.
Members The Local users, RADIUS servers, LDAP servers, TACACS+ servers, Directory
Service users/user groups or PKI users found in the user group.
Delete icon Delete the user group.
You cannot delete a user group that is included in a firewall policy, a dialup user
phase 1 configuration, or a PPTP or L2TP configuration.
Edit icon Edit the membership and options of the group.


Configuring a user group


To add a new user group, go to User > User Group, select Create New, and enter or select
the following according to user group type:

Note: By default, the FortiGate web-based manager displays Firewall options. The
following figures show the variations that display for each of the user group types: Firewall,
Directory Service, and SSL VPN.

Note: If you try to add LDAP servers or local users to a group configured for administrator
authentication, an “Entry not found” error occurs.

Figure 375: User group configuration - Firewall


Figure 376: User group configuration - Directory Service



Figure 377: User group configuration - SSL VPN


Name Enter the name of the user group.


Type Select the user group type.
Firewall Select this group in any firewall policy that requires Firewall
authentication. See “Adding authentication to firewall policies” on
page 321 and “Configuring FortiGuard Web filtering override options”
on page 560.
Directory Service Select this group in any firewall policy that requires Directory Service
authentication. See “Adding authentication to firewall policies” on
page 321.
SSL VPN Select this group in any firewall policy with Action set to SSL VPN.
Not available in Transparent mode.
See “Configuring SSL VPN identity-based firewall policies” on
page 325.
Portal Select the SSL VPN web portal configuration to use with the User
Group. For more information, see “SSL VPN web portal” on page 528.
Available Users/Groups or Available Members*
The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers,
Directory Service users/user groups, or PKI users that can be added to the
user group. To add a member to the user group, select the name and then
select the Right Arrow.
* Available Members if user group type is Directory Service.
Members The list of Local users, RADIUS servers, LDAP servers, TACACS+
servers, Directory Service users/user groups, or PKI users that belong
to the user group. To remove a member, select the name and then
select the Left Arrow.
FortiGuard Web Filtering Override
Available only if Type is Firewall or Directory Service.
Configure Web Filtering override capabilities for this group.
See “Configuring FortiGuard Web filtering override options” on
page 560.


Configuring FortiGuard Web filtering override options


FortiGuard Web Filtering is a managed web filtering solution that sorts hundreds of
millions of web pages into a wide range of categories that users can allow, block, or
monitor. The FortiGate unit accesses the nearest FortiGuard Web Filtering Service Point
to determine the category of a requested web page and then follows the firewall policy
configured for the user or interface. The FortiGuard Web Filtering Override option is
available only if the user group is Firewall or Directory Service.
To configure FortiGuard Web Filtering Override, go to User > User Group and select the
Edit icon for a Firewall or Directory Service user group. Select the Expand Arrow beside
FortiGuard Web Filtering Override, and enter or select the following information:

Figure 378: FortiGuard Web Filtering Override configuration


Allow to create FortiGuard Web Filtering overrides
Select to allow members of this group to request an override on the
FortiGuard Web Filtering Block page. The firewall protection profile
governing the connection must have FortiGuard overrides enabled.
The protection profile may have more than one user group as an
override group. Members of an override group can authenticate on the
FortiGuard Web Filter Block Override page to access the blocked site.
For more information, see “FortiGuard - Web Filter” on page 470.
Override Scope The override can apply to just the user who requested the override, or
include others. Select one of the following from the list:
User Only the user.
User Group The user group to which the user belongs.
IP Any user at the user’s IP address.
Profile Any user with the specified protection profile of the user group.
Ask Authenticating user, who chooses the override scope.
Override Type Select from the list to allow access to:
Directory Only the lowest level directory in the URL.
Domain The entire website domain.
Categories The FortiGuard category.
Ask Authenticating user, who chooses the override type.


Override Time Select to set the duration of the override:


Constant Select to set the duration of override in days, hours, minutes.
Ask Authenticating user, who determines the duration of override. The
duration set is the maximum.
Protection Profiles Available
One protection profile can have several user groups with override
permissions. Verification of the user group occurs once the user name
and password are entered. The overrides can still be enabled or not
enabled on a profile-wide basis regardless of the user groups that
have permissions to override the profile.
Permission Granted For The list of defined protection profiles applied to user groups that have
override privileges.
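The Override Scope, Override Type and Override Time settings together decide which later requests a granted override covers. The following Python models that decision so the interaction between the three settings can be checked against sample requests. It is an added example written for this guide, not Fortinet code and not the FortiGate implementation; the Request and Override data model, the rule that an override is ignored once it expires, the comparison of host names in lower case, and the reading of "Directory" as the URL path up to and including its last slash on the same host are all assumptions made here. The "Ask" choices are left out because they only defer the choice to the authenticating user; the model covers the four concrete scopes and three concrete types.

```python
"""Model of FortiGuard Web Filtering override evaluation.

Added illustration, not Fortinet code. Assumptions: the data model below,
expired overrides are ignored, host names compare case-insensitively, and
"Directory" means the path up to and including its last "/" on the same
host. Only the concrete scopes and types are modelled, not "Ask".
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SCOPES = ("User", "User Group", "IP", "Profile")
TYPES = ("Directory", "Domain", "Categories")


@dataclass(frozen=True)
class Request:
    user: str
    group: str
    ip: str
    profile: str       # protection profile applied to the session
    url: str           # full URL, scheme included
    category: str      # FortiGuard category the URL was rated as


@dataclass(frozen=True)
class Override:
    scope: str             # one of SCOPES
    otype: str             # one of TYPES
    granted_to: Request    # the request that created the override
    expires_at: float      # epoch seconds; float("inf") for an indefinite override

    def __post_init__(self) -> None:
        if self.scope not in SCOPES or self.otype not in TYPES:
            raise ValueError(f"unknown scope/type {self.scope!r}/{self.otype!r}")


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _directory(url: str) -> tuple:
    """Host plus the lowest-level directory of the path ("/a/b/page.html" -> "/a/b/")."""
    path = urlsplit(url).path or "/"
    return _host(url), path[: path.rfind("/") + 1]


def _scope_ok(ov: Override, req: Request) -> bool:
    g = ov.granted_to
    return {
        "User": g.user == req.user,            # only the requesting user
        "User Group": g.group == req.group,    # everyone in that user group
        "IP": g.ip == req.ip,                  # any user at that IP address
        "Profile": g.profile == req.profile,   # any user under that protection profile
    }[ov.scope]


def _type_ok(ov: Override, req: Request) -> bool:
    g = ov.granted_to
    if ov.otype == "Directory":
        return _directory(g.url) == _directory(req.url)
    if ov.otype == "Domain":
        return _host(g.url) == _host(req.url)
    return g.category == req.category          # "Categories"


def override_applies(ov: Override, req: Request, now: float) -> bool:
    """True when the override is still valid and covers this request."""
    if now >= ov.expires_at:
        return False
    return _scope_ok(ov, req) and _type_ok(ov, req)


# Constructed sample data (hypothetical users, hosts and categories).
GRANTED = Request("alice", "sales", "10.0.0.5", "default",
                  "http://example.com/news/today.html", "News")

if __name__ == "__main__":
    ov = Override("User", "Directory", GRANTED, expires_at=1000.0)
    later = Request("alice", "sales", "10.0.0.5", "default",
                    "http://EXAMPLE.com/news/other.html", "News")
    print(override_applies(ov, later, now=500.0))   # True: same user, same directory
```

Running the model against a few requests shows why the broad combinations deserve attention: an "IP" scope with a "Domain" type lets every user behind a shared address reach the whole site, and a "User Group" scope with a "Categories" type unblocks the category on every host for the whole group, so the Override Time setting is what limits the exposure of those choices.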

Options
You can define setting options for user authentication, including authentication timeout,
supported protocols, and authentication certificates.
Authentication timeout controls how long an authenticated firewall connection can be idle
before the user must authenticate again.
When user authentication is enabled on a firewall policy, the authentication challenge is
normally issued for any of the four protocols (depending on the connection protocol):
• HTTP (can also be set to redirect to HTTPS)
• HTTPS
• FTP
• Telnet.
The selections made in the Protocol Support list of the Authentication Settings screen
control which protocols support the authentication challenge. Users must connect with a
supported protocol first so they can subsequently connect with other protocols. If HTTPS
is selected as a method of protocol support, it allows the user to authenticate with a
customized Local certificate.
When you enable user authentication on a firewall policy, the firewall policy user will be
challenged to authenticate. For user ID and password authentication, users must provide
their user names and passwords. For certificate authentication (HTTPS or HTTP
redirected to HTTPS only), you can install customized certificates on the FortiGate unit
and the users can also have customized certificates installed on their browsers.
Otherwise, users will see a warning message and have to accept a default FortiGate
certificate.

Note: When you use certificate authentication, if you do not specify any certificate when
you create the firewall policy, the global settings will be used. If you specify a certificate, the
per-policy setting will overwrite the global setting. For information about how to use
certificate authentication, see FortiGate Certificate Management User Guide.

To configure authentication setting options, go to User > Options.


Figure 379: Authentication Settings

Authentication Timeout Enter a length of time in minutes, from 1 to 480. Authentication
Timeout controls how long an authenticated firewall connection can be
idle before the user must authenticate again. The default value is 30
minutes.
Protocol Support Select the protocols to challenge during firewall user authentication.
Certificate If using HTTPS protocol support, select the Local certificate to use for
authentication. Available only if HTTPS protocol support is selected.
Apply Apply selections for user Authentication Settings.

Monitor
You can go to User > Monitor to view lists of currently authenticated users, active SSL
VPN sessions, activity on VPN IPSec tunnels, authenticated IM users, and banned users.
For each authenticated user, the list includes the user name, user group, how long the
user has been authenticated (Duration), how long until the user’s session times out (Time
left), and the method of authentication used. VPN tunnel information includes user name,
IP address of the remote client, connection type (IPSec), Proxy ID source/destination
(IPSec), and start time of the sessions (SSL). The list of IM users includes the source IP
address, protocol, and last time the protocol was used. The banned user list includes
users configured by administrators in addition to those quarantined based on AV, IPS, or
DLP rules.
The following lists are available:
• Firewall user monitor list
• IPSEC monitor list
• SSL VPN monitor list
• IM user monitor list
• Banned user list

Firewall user monitor list


In some environments, it is useful to determine which users are authenticated by the
FortiGate unit and allow the system administrator to de-authenticate (stop current session)
users. With the Firewall monitor, you can de-authenticate all currently authenticated users,
or select single users to de-authenticate. To permanently stop a user from re-
authenticating, change the FortiGate configuration (disable a user account) and then use
the User monitor to immediately end the user’s current session.
To view the list of authenticated users (Firewall), go to User > Monitor > Firewall.


Figure 380: User monitor - Firewall


Refresh Refresh the Firewall user monitor list.


Current Page The current page number of list items that are displayed. Select the left and
right arrows to display the first, previous, next or last page of logged in users.
Clear All Filters Remove all filters applied to the Firewall user monitor list.
De-authenticate All Users
Stop authenticated sessions for all users in the Firewall user monitor list.
Users must re-authenticate with the firewall to resume their communication
session.
Filter Icon The icon at the top of all columns. When selected it brings up the Edit Filter
dialog allowing you to set the display filters by column. See “Adding filters to
web-based manager lists” on page 56.
User Name The user names of all connected remote users.
User Group The user group that the remote user is part of.
Duration Length of time since the user was authenticated.
Time-left Length of time remaining until the user session times out. Only available if the
authentication time of the session will be automatically extended
(authentication keepalive is enabled). If authentication keepalive is not
enabled, the value in Time-left will be N/A. For more information, see the
FortiGate CLI Reference.
IP Address The user’s source IP address.
Traffic Volume The amount of traffic through the FortiGate unit generated by the user.
Method Authentication method used for the user by the FortiGate unit (authentication
methods can be FSAE, firewall authentication, or NTLM).

IPSEC monitor list


You can use the IPSEC monitor to view activity on IPSec VPN tunnels and start or stop
those tunnels. The display provides a list of addresses, proxy IDs, and timeout information
for all active tunnels, including tunnel mode and route-based (interface mode) tunnels.
You can use filters to control the information displayed in the list. For more information,
see “Adding filters to web-based manager lists” on page 56.
To view active tunnels, go to User > Monitor > IPSEC.

Figure 381: IPSec Monitor list



Type Select the types of VPN to display: “All”, “Dialup”, or “Static IP or Dynamic DNS”.
Clear All Filters Select to clear any column display filters you might have applied.
Filter Icon The icon at the top of all columns. When selected it brings up the Edit Filter dialog
allowing you to set the display filters by column. See “Adding filters to web-based
manager lists” on page 56.
Current Page The current page number of list items that are displayed. Select the left and right
arrows to display the first, previous, next or last page of monitored VPNs.
Name The name of the phase 1 configuration for the VPN.
Remote Gateway The public IP address of the remote host device, or if a NAT device exists in front
of the remote host, the public IP address of the NAT device.
Remote Port The UDP port of the remote host device, or if a NAT device exists in front of the
remote host, the UDP port of the NAT device. Zero (0) indicates that any port can
be used.
Proxy ID Source The IP addresses of the hosts, servers, or private networks behind the FortiGate
unit. The page may display a network range if the source address in the firewall
encryption policy was expressed as a range of IP addresses.
Proxy ID Destination When a FortiClient dialup client establishes a tunnel:
• If VIP addresses are not used, the Proxy ID Destination field displays the
public IP address of the remote host Network Interface Card (NIC).
• If VIP addresses were configured (manually or through FortiGate DHCP
relay), the Proxy ID Destination field displays either the VIP address belonging
to the FortiClient dialup client, or the subnet address from which VIP
addresses were assigned.
When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field
displays the IP address of the remote private network.
Tunnel up or tunnel down icon
A green arrow means the tunnel is currently processing traffic. Select to bring
down the tunnel.
A red arrow means the tunnel is not processing traffic. Select to bring up the
tunnel.

For Dialup VPNs, the list provides status information about the VPN tunnels established
by dialup clients, including their IP addresses. The number of tunnels shown in the list can
change as dialup clients connect and disconnect.
For Static IP or dynamic DNS VPNs, the list provides status and IP addressing information
about VPN tunnels, active or not, to remote peers that have static IP addresses or domain
names. You can also start and stop individual tunnels from the list.

SSL VPN monitor list


You can view a list of all active SSL VPN sessions. The list displays the user name of the
remote user, the IP address of the remote client, and the time the connection was made.
You can also see which services are being provided, and delete an active web session
from the FortiGate unit. For more information, see “VPN SSL” on page 525.
To view the list of active SSL VPN sessions, go to User > Monitor > SSL.

Figure 382: SSL VPN monitor list



No. The connection identifiers.


User The user names of all connected remote users.
Source IP The IP addresses of the host devices connected to the FortiGate unit.
Begin Time The starting time of each connection.
Description Information about the services provided by an SSL VPN tunnel session.
Subsession
Tunnel IP: IP address that the FortiGate unit assigned to the remote client.
Delete icon: Delete current subsession.
Action Delete a web session.

IM user monitor list


User lists can be managed to allow or block certain users. Each user can be assigned a
policy to allow or block activity for each IM protocol. Each IM function can be individually
allowed or blocked providing the administrator the granularity to block the more bandwidth
consuming features such as voice chat while still allowing text messaging. The IM user
monitor list displays information about instant messaging users who are currently
connected. The list can be filtered by protocol. After IM users connect through the firewall,
the FortiGate unit displays which users are connected. You can analyze the list and
decide which users to allow or block.

To view the list of active IM users, go to User > Monitor > IM.

Figure 383: IM user monitor list

Protocol Filter the list by selecting the protocol for which to display current users: AIM, ICQ,
MSN, or Yahoo. All current users can also be displayed.
# The position number of the IM user in the list.
Protocol The protocol being used.
User Name The name selected by the user when registering with an IM protocol. The same user
name can be used for multiple IM protocols. Each user name/protocol pair appears
separately in the list.
Source IP The Address from which the user initiated the IM session.
Last Login The last time the current user used the protocol.
Block Select to add the user name to the permanent black list. Each user name/protocol pair
must be explicitly blocked by the administrator.


Banned user list


The Banned User list shows all quarantined users’ IP addresses. The system administrator
can selectively release users from quarantine or configure quarantine to expire after a
selected time period.
All sessions started by users or IP addresses on the Banned User list are blocked until the
user or IP address is removed from the list.
The FortiGate unit adds users or IP addresses to the Banned User list in the following
ways:

Users or IP addresses that originate attacks detected by IPS
To quarantine users or IP addresses that originate attacks, enable and
configure Quarantine Attackers in an IPS Sensor Filter. For more
information, see “Configuring filters” on page 450.

Users or IP addresses that send viruses detected by the Antivirus scanning
To quarantine users or IP addresses that send viruses, enable Quarantine
Virus Sender in a protection profile. For more information, see “Anti-Virus
options” on page 396.

Users or IP addresses that are banned or quarantined by Data Leak Prevention
You can set various options in a Data Leak Prevention sensor to add users
or IP addresses to the Banned User List. For more information, see “Adding
or editing a rule in a DLP sensor” on page 492.

Figure 384: Banned User list


Current Page The current page number of list items that are displayed. Select the left and right
arrows to display the first, previous, next or last page of banned users or IP
addresses.
Clear Remove all users and IP addresses from the Banned User list.
# The position number of the user or IP addresses in the list.
Application The protocol that was used by the user or IP addresses added to the Banned User
Protocol list.
Cause or rule The FortiGate system that caused the user or IP addresses to be added to the
Banned User list. Cause or rule can be IPS, Antivirus, or Data Leak Prevention.
Created The date and time on which the user or IP addresses was added to the Banned
User list.
Expires The date and time on which the user or IP addresses will be automatically removed
from the Banned User list. If Expires is Indefinite you must manually remove the
user or host from the list.
Delete Delete the selected user or IP addresses from the banned user list.


WAN optimization
You can use FortiGate WAN optimization to improve performance and security of traffic
passing between locations on your wide area network (WAN). This section describes how
FortiGate WAN optimization works and also describes how to configure WAN
optimization.
If you enable virtual domains (VDOMs) on the FortiGate unit, WAN optimization is
available separately for each virtual domain. For details, see “Using virtual domains” on
page 103.
This section describes:
• Frequently asked questions about FortiGate WAN optimization
• Overview of FortiGate WAN optimization
• Configuring WAN optimization and web cache rules
• Web caching
• Client/server or active passive WAN optimization
• Peer to peer WAN optimization
• Protocol optimization
• Transparent mode
• Byte caching
• SSL WAN optimization
• Secure tunnelling
• WAN optimization with FortiClient
• Configuring peers
• Configuring authentication groups
• Monitoring WAN optimization
• Changing web cache settings

Frequently asked questions about FortiGate WAN optimization


Q: Which FortiGate platforms support WAN optimization?
A: WAN optimization is supported on the following models:
• FortiGate-50B-HD and 110C-HD
• FortiGate-310B
• FortiGate-620B
• FortiGate-3000A
• FortiGate-3016B
• FortiGate-3600A
• FortiGate-3810A
• FortiGate-5001A-SW


The 310B, 620B, 3000A, 3600A, 3016B, 2300A, 3810A and 5001A-SW must include a
FortiGate-ASM-S08 module or FortiGate-ASM-SAS module or you must configure iSCSI
to support web caching and byte caching.
Q: What happens if my FortiGate unit doesn’t include the FortiGate-ASM-S08 module or
FortiGate-ASM-SAS module?
A: You can still configure and use WAN optimization even if the FortiGate unit does not
have a hard disk. If the hard disk is not available WAN optimization can still apply all
features except web caching and byte caching. If you have an iSCSI device on your
network, you can use the CLI to configure WAN optimization to use iSCSI for web caching
and byte caching.
Q: How does WAN optimization accept sessions?
A: WAN optimization uses rules to select the traffic to be optimized. But before a WAN
optimization rule can accept traffic, the traffic must be accepted by a FortiGate firewall
policy. All sessions accepted by a firewall policy that also match a WAN optimization rule
are processed by WAN optimization.
Q: Can you apply protection profiles to WAN optimization traffic?
A: Within the same VDOM, you cannot apply a protection profile and WAN optimization to
the same communication session. As of FortiOS 4.0, in a single VDOM if a firewall policy
includes a protection profile, all sessions accepted by the policy are processed by the
protection profile and are not processed by WAN optimization. In practice this means that
traffic you WAN optimize within a VDOM receives none of that VDOM's protection profile
inspection, so decide deliberately where inspection happens. To apply a protection profile
to WAN optimization traffic you can use two VDOMs and an inter-VDOM link (or two
FortiGate units). On the client end of a WAN optimization link, sessions leaving a LAN
should be processed by a protection profile first. Then, using the inter-VDOM link, you can
apply WAN optimization in a second VDOM before sending the session over the WAN
optimization tunnel.
If you want to apply a protection profile to WAN optimized traffic on the server end of a
WAN optimization tunnel before the traffic enters the destination LAN, you also require two
VDOMs. The first VDOM should terminate the WAN optimization tunnel. Then an inter-
VDOM link is required to a second VDOM that applies a protection profile to the sessions
before the sessions are sent to the receiving LAN.
This may be changed in later FortiOS versions.
Q: Does FortiGate WAN optimization work with other vendors' WAN optimization or
acceleration features?
A: No, FortiGate WAN optimization is proprietary to Fortinet. FortiGate WAN optimization
is compatible with FortiClient WAN optimization.
Q: Can the web cache feature be used for caching HTTPS sessions?
A: Yes, if you import the correct server certificates onto the FortiGate unit. See “SSL WAN
optimization” on page 593.
Q: To use FortiGate WAN optimization or web caching, do end users need to configure
their web browsers to use the FortiGate unit as a proxy server?
A: No, WAN optimization supports both a transparent proxy and an explicit proxy. If you
enable transparent mode, users do not have to change their browser or network settings.


Overview of FortiGate WAN optimization


Using FortiGate WAN optimization you can apply a number of techniques to improve the
efficiency of communication across your WAN. FortiGate WAN optimization can also send
traffic through a secure SSL tunnel to keep WAN traffic private.
The basic topology of FortiGate WAN optimization consists of two FortiGate units
connected to different networks and also connected to the same WAN. The FortiGate
units can be operating in NAT/Route or Transparent mode, and the two units do not have
to be operating in the same mode. WAN optimization is configured for each VDOM and one
or both of the units can be operating with multiple VDOMs enabled. If a FortiGate unit or
VDOM is operating in Transparent mode with WAN optimization enabled, WAN
optimization uses the management IP address as the address of the FortiGate unit
instead of the address of an interface.
Traffic passing from clients to servers and crossing the WAN is intercepted by the
FortiGate units. The FortiGate units apply WAN optimization features such as protocol
optimization, byte caching, web caching, and secure tunneling to optimize the traffic flow
between the clients and servers over the WAN by reducing bandwidth requirements,
increasing throughput, reducing latency, and improving privacy.
WAN optimization can also be expanded to remote PCs running FortiClient.
Figure 385 shows a basic WAN optimization topology that includes two FortiGate units
and a PC running FortiClient all connected to a WAN.

Figure 385: Basic WAN optimization topology. A client network and a server network each sit
behind a FortiGate unit; the WAN optimization client unit and the WAN optimization server unit
are joined across the WAN by a WAN optimization tunnel, and a remote PC running FortiClient
reaches the server unit across the WAN through its own WAN optimization tunnel.

WAN optimization can operate in two modes:

Client/server or active-passive mode: Also called automated mode. In this mode the ends of
the WAN optimization tunnel operate in a kind of client/server configuration. Sessions are
originated on the client FortiGate unit and terminated on the server FortiGate unit. You add
active WAN optimization rules to the client FortiGate unit and passive WAN optimization
rules to the server FortiGate unit. Active rules determine the WAN optimization techniques
used and passive rules operate according to the options selected in the active rule.
Peer to peer mode: In this mode, both ends of the tunnel have peer lists that include names
and IP addresses of other FortiGate units that they can form WAN optimization tunnels
with. You add a peer to peer WAN optimization rule to the client and include the server
FortiGate unit peer entry in the rule. As long as the server FortiGate unit has a peer entry
for the client, the server FortiGate unit can start a WAN optimization tunnel with the client.
The tunnel uses the settings configured in the rule added to the client FortiGate unit.


WAN optimization is transparent to users. With WAN optimization in place users connect
to servers in the same way as they would without WAN optimization. However, servers
receiving packets after WAN optimization see different source addresses depending on
whether transparent mode is enabled for WAN optimization or not. If transparent mode is
enabled, WAN optimization keeps the original source address of the packets, so servers
appear to receive traffic directly from clients. Routing on the server network should be able
to route traffic with client IP addresses to the FortiGate unit.
If transparent mode is not enabled, the source address of the packets received by servers
is changed to the address of the FortiGate unit interface. So servers appear to receive
packets from the FortiGate unit. Routing on the server network is simpler in this case
because client addresses are not involved, but the server sees all traffic as coming from
the FortiGate unit and not from individual clients.

Note: Do not confuse WAN optimization transparent mode with FortiGate unit transparent
mode. WAN optimization transparent mode is configured in individual WAN optimization
rules. FortiGate transparent mode is a system setting that controls how the FortiGate unit
(or a VDOM) processes traffic.

All optimized traffic passes between the FortiGate units or between FortiClient and a
FortiGate unit over a WAN optimization tunnel. Traffic in the tunnel can be sent in plain
text or encrypted; only the secure tunnel (see “Secure tunnelling” on page 593) keeps the
optimized traffic private while it crosses the WAN. Both the plain text and the encrypted
tunnels use TCP port 7810, so any firewall between the two ends must allow TCP port 7810
between the FortiGate units.

Figure 386: WAN optimization flow (steps 1 to 3 in the original figure): the client connects to
the server, packets between the WAN optimization client and the WAN optimization server
cross the WAN inside the WAN optimization tunnel on port 7810, and the server receives the
connection from the client.

To configure WAN optimization you add WAN optimization rules to the FortiGate units at
each end of the tunnel. Similar to firewall policies, when the FortiGate unit receives a
connection packet, it analyzes the packet’s source address, destination address, and
service (by destination port number), and attempts to locate a matching WAN optimization
rule that decides how to optimize the traffic over the WAN. See “How list order affects rule
matching” on page 574.
The FortiGate unit applies firewall policies to packets before WAN optimization rules. A
WAN optimization rule is applied to a packet only after the packet is accepted by a firewall
policy.
If the firewall policy includes a protection profile the packet is processed by the protection
profile and not by WAN optimization. To apply WAN optimization to traffic that is accepted
by a firewall policy containing a protection profile you can use multiple FortiGate units or
multiple VDOMs. Apply the protection profile in the first FortiGate unit or VDOM and apply
WAN optimization in the second FortiGate unit or VDOM.


WAN optimization does not apply source and destination NAT settings included in firewall
policies. This means that selecting NAT or adding virtual IPs in a firewall policy does not
affect WAN optimized traffic. WAN optimization is also not compatible with firewall load
balancing. However, traffic accepted by these policies that is not WAN optimized is
processed as expected.
WAN optimization is compatible with identity-based firewall policies. If a session is allowed
after authentication and if the identity-based policies do not include a protection profile the
session can be processed by matching WAN optimization rules.
Firewall traffic shaping is compatible with client/server (active-passive) transparent mode
WAN optimization rules. Traffic shaping is ignored for peer to peer WAN optimization and
for client/server WAN optimization not operating in transparent mode.
FortiGate WAN optimization includes the following features.
• Web caching (a type of object caching)
• Client/server or active passive WAN optimization (also known as automated WAN
optimization mode)
• Peer to peer WAN optimization
• Protocol optimization (increases the efficiency of data transmission of traffic based on
the communication protocol)
• Transparent mode
• Byte caching (reduces the amount of duplicate data transmitted by caching data for
future re-transmission)
• SSL WAN optimization (using FortiGate CP6 FortiASIC acceleration to accelerate
encryption/decryption of SSL traffic)
• Secure tunnelling (employs SSL encryption to encrypt the WAN optimization tunnel)
• WAN optimization with FortiClient
You can apply different combinations of these WAN optimization techniques to a single
traffic stream depending on the traffic type. For example, you can apply byte caching and
secure tunneling to any TCP traffic. For HTTP traffic you can also apply protocol
optimization and web caching.

FortiGate models that support WAN optimization


WAN optimization is available on newer FortiGate models that also support SSL
acceleration, high-capacity internal hard disks, the FortiGate-ASM-S08 module, or the
FortiGate-ASM-SAS module. This includes the following models:
• FortiGate-50B-HD and 110C-HD
• FortiGate-310B
• FortiGate-620B
• FortiGate-3000A
• FortiGate-3016B
• FortiGate-3600A
• FortiGate-3810A
• FortiGate-5001A-SW


FortiGate models 50B-HD and 110C-HD use the internal hard disk for web caching and
byte caching. FortiGate models 310B, 620B, 3000A, 3016B, 3600A, 3810A, and
5001A-SW use the hard disk in the FortiGate-ASM-S08 module or the SAS disks
connected to the FortiGate-ASM-SAS module for web caching and byte caching. All
FortiGate models that support WAN optimization can also be configured to use iSCSI for
web caching and byte caching.
All of these options can provide similar web caching and byte caching performance. If you
add more than one storage location (for example, by adding iSCSI to a FortiGate that
already has a FortiGate-ASM-S08 module) you can configure different storage locations
for web caching and byte caching.
If you have not installed a FortiGate-ASM-S08 or ASM-SAS module in a FortiGate unit
with a single-width AMC slot you can still configure and use iSCSI for full WAN
optimization.
A hard disk, the ASM-SAS module, or iSCSI is only required for web caching and byte
caching. All other WAN optimization features, including SSL acceleration, are supported if
the hard disk or iSCSI is not available.
You configure iSCSI support from the FortiGate CLI. See the FortiGate CLI Reference for
more information.

Configuring WAN optimization and web cache rules


The WAN optimization rule list displays WAN optimization rules in their order of matching
precedence.
If virtual domains are enabled on the FortiGate unit, WAN optimization rules are
configured separately for each virtual domain; you must access the VDOM before you can
configure its rules. To access a VDOM, go to System > VDOM, and in the row
corresponding to the VDOM whose rules you want to configure, select Enter.
You can add, delete, edit, and re-order rules in the rule list. WAN optimization rule order
affects rule matching. For details about arranging rules in the rule list, see “How list
order affects rule matching” on page 574 and “Moving a rule to a different position in the
rule list” on page 575.
To view the WAN optimization rule list, go to WAN Opt. & Cache > Rule.
Before you add WAN optimization rules you must add firewall policies to accept the traffic
to be optimized. Then you add WAN optimization rules that:
• Match WAN traffic to be optimized that is accepted by a firewall policy according to
source and destination addresses and destination port of the traffic
• Add the WAN optimization techniques to be applied to the traffic


Figure 387: WAN optimization rule list (each rule has Enable/Disable, Edit, Delete, Insert
Rule Before, and Move To controls)
Create New Add a new WAN optimization rule. See:


• “Configuring web cache only WAN optimization” on page 576
• “Configuring client/server (active-passive) web caching” on page 578
• “Configuring peer to peer web caching” on page 581
• “Configuring client/server (active-passive) WAN optimization” on page 585
• “Configuring peer to peer WAN optimization” on page 587
New rules are added to the bottom of the list.
Status Select to enable a rule or deselect to disable a rule. A disabled rule is out of
service.
ID The rule identifier. Rules are numbered in the order they are added to the rule
list.
Source The source address or address range that the rule matches.
Destination The destination address or address range that the rule matches.
Port The destination port number or port number range that the rule matches.
Method Indicates whether you have selected byte caching in the WAN optimization rule.
Auto-Detect Indicates whether the rule is an active (client) rule, a passive (server) rule or if
auto-detect is off. If auto-detect is off the rule can be a peer to peer rule or a web
cache only rule.
Protocol The protocol optimization WAN optimization technique applied by the rule. See
“Protocol optimization” on page 591.
Peer For a peer to peer rule, the name of the peer WAN optimizer at the other end of
the link.
Mode Indicates whether the rule applies full optimization or web cache only.
SSL Indicates whether the rule supports SSL acceleration.
Secure Tunnel Indicates whether the rule supports a secure WAN optimization tunnel.
Delete icon Delete a rule from the list.
Edit icon Edit a WAN optimization rule.
Insert WAN Optimization Rule Before icon Add a new rule above the corresponding rule (the
New rule screen appears).
Move To icon Move the corresponding rule before or after another rule in the list. See “How list
order affects rule matching” on page 574 and “Moving a rule to a different
position in the rule list” on page 575.


How list order affects rule matching


Similar to firewall policies, you add WAN optimization rules to the WAN optimization rule
list. The FortiGate unit uses the first matching technique to select the WAN optimization
rule to apply to a communication session.
When WAN optimization rules have been added, each time the FortiGate firewall accepts
a communication session, it then searches the WAN optimization rule list for a matching
rule. The search begins at the top of the rule list and progresses in order towards the
bottom. Each rule in the rule list is compared with the communication session until a
match is found. When the FortiGate unit finds the first matching rule, it applies the
matching rule’s specified WAN optimization features to the session, and disregards
subsequent rules. Matching rules are determined by comparing the rule and the session
source and destination addresses and destination port.
If no WAN optimization rule matches, the session is processed according to the firewall
policy that originally accepted the session.
As a general rule, you should order the WAN optimization rule list from most specific to
most general because of the order in which rules are evaluated for a match, and because
only the first matching rule is applied to a session. Subsequent possible matches are not
considered or applied. Ordering rules from most specific to most general prevents rules
that match a wide range of traffic from superseding and effectively masking rules that
match exceptions.
For example, you might have a general WAN optimization rule that applies WAN
optimization features without secure tunneling to most WAN traffic, but you want to apply
secure tunneling to FTP traffic (FTP control sessions use port 21; FTP data connections
use other ports and would still match the general rule unless you widen the exception). In
this case, you would add the rule that creates a secure tunnel for FTP sessions above the
general rule.

Figure 388: Example: secure tunneling for FTP — correct rule order (the Exception rule is listed
above the General rule)
FTP sessions (using port 21) would immediately match the secure tunnel rule. Other kinds
of services would not match the FTP rule, and so rule evaluation would continue until
reaching the matching general rule. This rule order has the intended effect. But if you
reversed the order of the two rules, positioning the general rule before the FTP rule, all
sessions, including FTP, would immediately match the general rule, and the rule to secure
FTP would never be applied. This rule order would not have the intended effect.

Figure 389: Example: secure tunneling for FTP — incorrect rule order (the General rule is listed
above the Exception rule)

Similarly, if specific traffic requires exceptional WAN optimization rule settings, you would
position those rules above other potential matches in the rule list. Otherwise, the other
matching rules will take precedence, and the required secure tunneling, byte caching,
protocol optimization, or other exceptional settings might never be applied.
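The first-match search, the FTP shadowing example above, and the Move To re-ordering described in the next procedure can be modelled in a few lines. The following is an added illustration written for this edit, not FortiOS code; the Policy and Rule classes, the process_session and move_rule functions, and the addresses used are assumptions. The address and port formats follow the rule settings described later in this section (an address with a slash and subnet mask or a hyphenated range, a single port or port range, and 0.0.0.0 meaning any destination):

```python
"""Hypothetical model of FortiGate WAN optimization rule selection.

Added illustration, not FortiOS code: a firewall policy must accept the session,
a policy with a protection profile keeps it away from WAN optimization, else the
first matching enabled rule in list order wins. Names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (0, 2 ** 32 - 1)  # what a 0.0.0.0 address in a rule means

def parse_address(text: str) -> tuple:
    """'ip/mask' (dotted mask or prefix length), 'start-end', or 0.0.0.0."""
    text = text.strip()
    if text in ("0.0.0.0", "0.0.0.0/0", "0.0.0.0/0.0.0.0"):
        return ANY
    if "-" in text:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted address range: {text}")
        return lo, hi
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def parse_port(text: str) -> tuple:
    """'80' or '80-88' as an inclusive destination port range."""
    lo, _, hi = text.strip().partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port specification: {text}")
    return lo, hi

@dataclass
class Policy:  # firewall policy; the session must be accepted here first
    src: str
    dst: str
    port: str
    protection_profile: Optional[str] = None

@dataclass
class Rule:  # WAN optimization rule; the ID only records creation order
    id: int
    src: str
    dst: str
    port: str
    secure_tunnel: bool = False
    enabled: bool = True

def session_matches(src, dst, port, s_ip, d_ip, d_port) -> bool:
    """Match on source address, destination address and destination port."""
    checks = ((parse_address(src), int(ipaddress.IPv4Address(s_ip))),
              (parse_address(dst), int(ipaddress.IPv4Address(d_ip))),
              (parse_port(port), d_port))
    return all(lo <= value <= hi for (lo, hi), value in checks)

def first_match(rules, s_ip, d_ip, d_port) -> Optional[Rule]:
    """Top-down search: the first enabled match wins, later rules are ignored."""
    for rule in rules:
        if rule.enabled and session_matches(rule.src, rule.dst, rule.port, s_ip, d_ip, d_port):
            return rule
    return None

def process_session(policies, rules, s_ip, d_ip, d_port) -> str:
    """Label what happens to a session: denied, inspected, optimized or plain."""
    for policy in policies:
        if session_matches(policy.src, policy.dst, policy.port, s_ip, d_ip, d_port):
            if policy.protection_profile:  # profile wins; no WAN optimization
                return f"protection-profile:{policy.protection_profile}"
            rule = first_match(rules, s_ip, d_ip, d_port)
            return f"wanopt:{rule.id}" if rule else "firewall-only"
    return "denied"  # no firewall policy accepted the session

def move_rule(rules, rule_id, *, before=None, after=None) -> list:
    """Re-order like the Move To dialog: IDs stay, only positions change."""
    rule = next(r for r in rules if r.id == rule_id)
    rules.remove(rule)
    anchor = before if before is not None else after
    idx = next(i for i, r in enumerate(rules) if r.id == anchor)
    rules.insert(idx if before is not None else idx + 1, rule)
    return [r.id for r in rules]

def demo() -> dict:
    """The FTP secure-tunnel ordering example from the text, built inline."""
    policies = [Policy("172.20.120.0/24", "192.168.10.0/24", "1-65535")]
    general = Rule(1, "172.20.120.0/24", "192.168.10.0/24", "1-65535")
    ftp = Rule(2, "172.20.120.0/24", "192.168.10.0/24", "21", secure_tunnel=True)
    rules = [general, ftp]  # creation order: general first, so it shadows FTP
    def run(pols, port):
        return process_session(pols, rules, "172.20.120.10", "192.168.10.5", port)
    out = {"wrong_order_ftp": run(policies, 21)}
    out["order_after_move"] = move_rule(rules, 2, before=1)
    out["right_order_ftp"] = run(policies, 21)
    out["right_order_http"] = run(policies, 80)
    inspected = [Policy("172.20.120.0/24", "192.168.10.0/24", "1-65535", "strict")]
    out["with_profile"] = run(inspected, 80)
    out["no_policy"] = process_session(policies, rules, "10.9.9.9", "192.168.10.5", 80)
    return out
```

Because the firewall policy is consulted first, a policy that carries a protection profile returns before any rule is examined, which is the single-VDOM limitation described in the FAQ; and because list position alone decides, move_rule changes which rule wins without touching the rule IDs.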


Moving a rule to a different position in the rule list


You can arrange the WAN optimization rule list to influence the order in which rules are
evaluated for matches with incoming traffic.
Moving a rule in the rule list does not change its ID, which only indicates the order in which
the rule was created.

Figure 390:Move rule

To move a rule in the WAN optimization rule list


1 Go to WAN Opt. & Cache > Rule.
2 In the rule list, note the ID of a rule that is before or after your intended destination.
3 In the row corresponding to the rule that you want to move, select the Move To icon.
4 Select Before or After, and enter the ID of the rule that is before or after your intended
destination. This specifies the rule’s new position in the WAN optimization rule list.
5 Select OK.

Web caching
FortiGate WAN optimization web caching is a form of object caching that accelerates web
applications and web servers by reducing bandwidth usage, server load, and perceived
latency. Web caching supports explicit and transparent proxy caching of HTTP 1.0 and
HTTP 1.1 web sites. See RFC 2616 for information about web caching for HTTP 1.1. Web
caching involves storing HTML pages, images, servlet responses and other web based
objects for later retrieval. FortiGate units cache these objects on the hard disk installed in
the FortiGate unit or on a remote iSCSI device.
There are three significant advantages to using web caching to improve WAN
performance:
• Reduced WAN bandwidth consumption because fewer requests and responses go
over the WAN
• Reduced web server load because there are fewer requests for web servers to handle
• Reduced latency because responses for cached requests are available from a local
FortiGate unit instead of from across the WAN or Internet.
You can use FortiGate web caching to cache any web traffic that passes through the
FortiGate unit, including web pages from web servers on a LAN, WAN or on the Internet.
The FortiGate unit caches web objects for all HTTP traffic processed by WAN optimization
rules that include web caching.
You can add WAN optimization rules for web caching only. You can also add web caching
to WAN optimization rules for HTTP traffic that also include byte caching, protocol
optimization, and other WAN optimization features.


Web cache only topology


A web cache only WAN optimization topology includes one FortiGate unit that acts as a
proxy server and web cache server. Web page requests sent by users from the source
address in the web cache only rule are intercepted by the FortiGate unit. The FortiGate
unit requests web pages from the web servers, caches the web page contents, and
returns the web page contents to the users. When the FortiGate unit intercepts a request
for a cached web page, it returns the cached page and does not contact the destination
web server except to check for changes. You can configure web cache settings to control
how the web cache operates. See “Changing web cache settings” on page 597.
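How a cache serves a page locally while it is fresh and then "checks for changes" without refetching the whole object is the conditional request mechanism of RFC 2616. The following is an added illustration, not FortiOS code and not a description of the FortiGate implementation: the Origin class is a constructed stand-in for a web server, the paths and max-age values are made up, and the cache uses ETag and If-None-Match revalidation and refuses to store responses marked private or no-store, which is what any shared cache in front of many users must do:

```python
"""Hypothetical model of a validating web cache (added illustration).

Not FortiOS code. It shows the RFC 2616 behaviour this section relies on: a
cached object is served locally while fresh; once stale, the cache asks the
origin only whether the object changed (If-None-Match) and treats 304 as
"unchanged"; responses marked no-store or private are never kept by a shared
cache. The origin is a constructed in-memory stand-in so this runs offline.
"""
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict
    body: bytes = b""

class Origin:
    """Constructed stand-in for a web server; counts the requests it serves."""
    def __init__(self):
        self.objects, self.hits = {}, 0
        self.publish("/index.html", b"<html>v1</html>", '"etag-1"')

    def publish(self, path, body, etag, cache_control="max-age=60"):
        self.objects[path] = (body, etag, cache_control)

    def get(self, path, headers):
        self.hits += 1
        body, etag, cc = self.objects[path]
        common = {"ETag": etag, "Cache-Control": cc}
        if headers.get("If-None-Match") == etag:
            return Response(304, common)            # validator matched: unchanged
        return Response(200, common, body)

def cache_directives(resp):
    """Parse Cache-Control into {directive: value or None}."""
    out = {}
    for token in resp.headers.get("Cache-Control", "").split(","):
        key, _, value = token.strip().partition("=")
        if key:
            out[key.lower()] = value or None
    return out

class WebCache:
    """Shared proxy cache in front of Origin; the clock is injected for tests."""
    def __init__(self, origin, clock):
        self.origin, self.clock = origin, clock
        self.store = {}                              # path -> (Response, stored_at)
        self.stats = {"hit": 0, "revalidated": 0, "miss": 0}

    @staticmethod
    def storable(resp):
        d = cache_directives(resp)
        if resp.status != 200 or "no-store" in d or "private" in d:
            return False                             # a shared cache must not keep these
        age = d.get("max-age") or "0"
        return age.isdigit() and int(age) > 0

    @staticmethod
    def fresh_for(resp):
        return int(cache_directives(resp).get("max-age") or 0)

    def fetch(self, path):
        now = self.clock()
        entry = self.store.get(path)
        if entry is not None:
            cached, stored_at = entry
            if now - stored_at < self.fresh_for(cached):
                self.stats["hit"] += 1               # served without crossing the WAN
                return cached
            reply = self.origin.get(path, {"If-None-Match": cached.headers["ETag"]})
            if reply.status == 304:
                self.stats["revalidated"] += 1       # only headers crossed the WAN
                cached.headers.update(reply.headers)
                self.store[path] = (cached, now)
                return cached
        else:
            reply = self.origin.get(path, {})
        self.stats["miss"] += 1                      # full object fetched from origin
        if self.storable(reply):
            self.store[path] = (reply, now)
        else:
            self.store.pop(path, None)
        return reply

def demo() -> dict:
    """Walk through miss, hit, revalidation, a changed page and a private page."""
    t = [0.0]
    origin = Origin()
    cache = WebCache(origin, clock=lambda: t[0])
    bodies = [cache.fetch("/index.html").body,       # miss: fetched from origin
              cache.fetch("/index.html").body]       # hit: still fresh
    t[0] = 61.0                                       # past max-age=60
    bodies.append(cache.fetch("/index.html").body)    # stale -> 304 -> same body
    origin.publish("/index.html", b"<html>v2</html>", '"etag-2"')
    t[0] = 122.0
    bodies.append(cache.fetch("/index.html").body)    # stale -> 200 -> new body
    origin.publish("/account", b"secret", '"acct-1"', "private, no-store")
    for _ in range(2):
        cache.fetch("/account")                       # never stored: two origin hits
    return {"bodies": bodies, "origin_hits": origin.hits, "stats": dict(cache.stats),
            "private_cached": "/account" in cache.store}
```

Running demo() walks through the sequence: a miss, a fresh hit served without touching the WAN, a revalidation that costs only headers, a full refetch after the page changes, and a private page that is never cached. That last case is the check to make before putting a shared cache in front of authenticated web applications.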

Figure 391: Example web cache only topology. Clients on the 172.20.120.0 network reach web
servers on the 192.168.10.0 network through a single FortiGate unit acting as the WAN
optimization web cache; the web server network is reached across a WAN, LAN, or the Internet.

Configuring web cache only WAN optimization


You add WAN optimization rules that enable web caching only by going to
WAN Opt. & Cache > Rule and selecting Create New to add a WAN optimization rule. To
add a rule that enables web caching only, set the Mode to Web Cache Only. If you select
Web Cache Only, the WAN optimization rule does not perform byte caching or protocol
optimization.
For example, to configure web caching for users in a network with subnet address
172.20.120.0 connecting to web servers on a network with subnet address 192.168.10.0
you can add a web cache only WAN optimization rule with Source address 172.20.120.0,
Destination address 192.168.10.0, and Port 80 (see Figure 392). This rule caches web
pages requested by users on the 172.20.120.0 network who are using TCP port 80 to
request web pages on the 192.168.10.0 network.

Figure 392: Adding a web cache only WAN optimization rule


To configure web cache only WAN optimization


1 Go to Firewall > Policy and add a firewall policy that accepts traffic to be web cached.
2 Go to WAN Opt. & Cache > Rule and select Create New.
3 Select Web Cache Only.
4 Configure the web cache only rule.

Mode Select Web Cache Only to add a rule that only applies web caching.
You can also apply web caching to other WAN optimization rules.
Source Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose source address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
Destination Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose destination address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
If you set Destination to 0.0.0.0, the rule matches any destination
address, so the WAN optimization rule caches web pages from any
server, including web servers on the Internet.
Port Enter a single port number or port number range. Only packets whose
destination port number matches this port number or port number range
will be accepted by and subject to this rule.
Usually you would set the port to 80 to cache normal HTTP traffic. But
you can change the Port to a different number (for example 8080) or to
a port number range so that the FortiGate unit provides web caching for
HTTP traffic using other ports.
Transparent Mode If you do not select Transparent mode, users must add a proxy server to
their web browser configuration. The IP address of the proxy server
would be the IP address of the FortiGate interface connected to their
network. The port number of the proxy server would be the same as the
Port added to the web cache only WAN optimization rule.
If you select Transparent mode, users do not have to add a proxy
server. In transparent mode, users are not aware that the FortiGate unit
is caching web pages.
Enable SSL If you select Enable SSL, the FortiGate unit can apply WAN
optimization to SSL-encrypted WAN traffic. If you select Enable SSL,
the Port setting must include the TCP port numbers used for the SSL-
encrypted traffic (for example, port 443 for HTTPS traffic). Also, you
must import the server certificates onto the FortiGate unit. For more
information, see “SSL WAN optimization” on page 593. The certificate
key size must be 1024 or 2048 bits. 4096-bit keys are not supported.

5 Select OK to save the rule.


The rule is added to the bottom of the WAN optimization list.
6 If required, move the rule to a different position in the list.
See “Moving a rule to a different position in the rule list” on page 575.


Configuring client/server (active-passive) web caching


You add web caching support to the passive or server side of an active-passive WAN
optimization configuration. To do this go to WAN Opt. & Cache > Rule and select
Create New. Set Auto-Detect to Passive and select Enable Web Cache. Web pages are
cached on the server side FortiGate unit so you should also Enable Byte Caching for
optimum WAN optimization performance.

Figure 393: Example client/server (active-passive) web cache topology. Users on the
172.20.120.0 network sit behind the WAN optimization client FortiGate unit (active rule,
Protocol=HTTP); across the WAN, the WAN optimization server FortiGate unit (passive rule,
Enable Web Cache) holds the web cache in front of the 192.168.10.0 web server network.

Figure 394: Adding web caching to a passive WAN optimization rule

For web caching to work, the WAN optimization tunnel must allow HTTP (and optionally
HTTPS) traffic. To do this, the active rule on the client side must include the ports used for
HTTP (and HTTPS) traffic and the Protocol must be HTTP. With Protocol set to HTTP,
WAN optimization also performs protocol optimization of the HTTP traffic. To enable
offloading and web caching of HTTPS traffic, select Enable SSL. You should also select
Enable Byte Caching for optimum WAN optimization performance.


Figure 395: Adding an active WAN optimization rule compatible with web caching

To configure the client (active) FortiGate unit


1 On the client FortiGate unit, go to Firewall > Policy and add a firewall policy that
accepts traffic to be web cached.
2 Go to WAN Opt. & Cache > Rule and select Create New.
3 Configure the rule.

Mode Select Full Optimization. Web caching is enabled in the passive (server)
rule; the active rule uses full optimization so that the HTTP traffic is
sent through the tunnel to the web cache on the server FortiGate unit.
Source Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose source address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
Destination Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose destination address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
Port Enter a single port number or port number range. Only packets whose
destination port number matches this port number or port number range
will be accepted by and subject to this rule.
Usually you would set the port to 80 to cache normal HTTP traffic. But
you can change the Port to a different number (for example 8080) or to
a port number range so that the FortiGate unit provides web caching for
HTTP traffic using other ports.
Auto-Detect Select Active to add an active rule.
Protocol Select HTTP.
Transparent Mode If you do not select Transparent mode, users must add a proxy server to
their web browser configuration. The IP address of the proxy server
would be the IP address of the FortiGate interface connected to their
network. The port number of the proxy server would be the same as the
Port added to this rule.
If you select Transparent mode, users do not have to add a proxy
server. In transparent mode, users are not aware that the FortiGate unit
is caching web pages.
Enable Byte Caching Optionally select Enable Byte Caching to apply WAN optimization byte
caching to the traffic accepted by this rule. For more information, see
“Byte caching” on page 592.


Enable SSL If you select Enable SSL, the FortiGate unit can apply WAN
optimization to SSL-encrypted WAN traffic. If you select Enable SSL,
the Port setting must include the TCP port numbers used for the SSL-
encrypted traffic (for example, port 443 for HTTPS traffic). Also, you
must import the server certificates onto the FortiGate unit. For more
information, see “SSL WAN optimization” on page 593. The certificate
key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
Enable Secure Tunnel If you select Enable Secure Tunnel the WAN optimization tunnel is
encrypted for privacy using SSL encryption. If you enable the secure
tunnel you must also add an authentication group to the WAN
optimization rule. For more information, see “Secure tunnelling” on
page 593.
Authentication Group Select Authentication Group if you want the client and server FortiGate
units to authenticate with each other before starting the WAN
optimization tunnel. Select an authentication group. You must add
authentication groups to the client and server FortiGate units that either
use the same pre-shared key or the same certificate. For more
information, see “Configuring authentication groups” on page 595.
4 Select OK to save the rule.
The rule is added to the bottom of the WAN optimization list.
5 If required, move the rule to a different position in the list.
See “Moving a rule to a different position in the rule list” on page 575.

To configure the server (passive) FortiGate unit


1 On the server FortiGate unit, go to WAN Opt. & Cache > Rule and select Create New.
2 Configure the rule.

Mode Select Full optimization to add web caching to the passive rule.
Source Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose source address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
The server (passive) source address range should be the same or a
subset of the matching client (active) rule source address range.
Destination Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose destination address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
The server (passive) destination address range should be the same or a
subset of the matching client (active) rule destination address range.
Port Enter a single port number or port number range. Only packets whose
destination port number matches this port number or port number range
will be accepted by and subject to this rule.
Usually you would set the port to 80 to cache normal HTTP traffic. But
you can change the Port to a different number (for example 8080) or to
a port number range so that the FortiGate unit provides web caching for
HTTP traffic using other ports.
The server (passive) port range should be the same or a subset of the
matching client (active) rule port range.
Auto-Detect Select Passive to add a passive rule.
Enable Web Cache Select to enable web caching on the server (passive) FortiGate unit.


3 Select OK to save the rule.


The rule is added to the bottom of the WAN optimization list.
4 If required, move the rule to a different position in the list.
See “Moving a rule to a different position in the rule list” on page 575.

Configuring peer to peer web caching


In a peer to peer configuration you give each FortiGate unit that can perform WAN
optimization a Local Host ID by going to WAN Opt. & Cache > Peer, entering the Local Host
ID and selecting Apply. Then you add this Host ID as a peer on each of the other FortiGate
units that this unit can perform WAN optimization with. As a result, each FortiGate unit’s
WAN optimization configuration contains the Host ID and IP address of every peer FortiGate
unit that it can start a WAN optimization tunnel with.
To perform WAN optimization between a client network and a server network, you add
WAN optimization rules to the client FortiGate unit. In each rule you set Auto-Detect to Off
and select the peer FortiGate unit that should be the server side of the WAN optimization
tunnel.
If the server FortiGate unit’s peer list contains the client FortiGate unit, the server FortiGate
unit accepts WAN optimization tunnel connections from the client FortiGate unit and the
two units can form a WAN optimization tunnel. The settings for the tunnel are taken from the
client FortiGate unit rule and shared by both units.
You add web caching support to the WAN optimization rule. To do this, go to
WAN Opt. & Cache > Rule and select Create New. Set Auto-Detect to Off, set Protocol to
HTTP, and select Enable Web Cache. You can also select Transparent mode and Enable
Byte Caching.

Figure 396: Example peer to peer web cache topology (client network 172.20.120.0 behind the
WAN optimization client, Local Host ID Peer_Fgt_1, address 172.20.34.12; web server
network 192.168.10.0 behind the WAN optimization server, Local Host ID Peer_Fgt_2, address
192.168.30.12; the web cache is on the server FortiGate unit; the two units connect across the WAN)


Figure 397: Adding web caching to a peer to peer WAN optimization rule

For web caching to work, the WAN optimization tunnel must allow HTTP (and optionally
HTTPS) traffic. To do this, the rule must include the ports used for HTTP (and HTTPS)
traffic and the Protocol must be HTTP. With Protocol set to HTTP, WAN optimization also
performs protocol optimization of the HTTP traffic. To enable SSL offloading and web
caching of HTTPS traffic, select Enable SSL.

Figure 398: Adding the server FortiGate unit to the client peer list

Figure 399: Adding the client FortiGate unit to the server peer list

To configure the server FortiGate unit


1 On the server FortiGate unit, go to WAN Opt. & Cache > Peer.
2 Enter the server FortiGate unit Local Host ID and select Apply.
3 Select Create New.
4 Add the client FortiGate unit as a peer.

Peer Host ID Enter the client FortiGate unit Local Host ID.
IP address Enter the IP address of the client FortiGate unit interface that the server
FortiGate unit can connect to. Usually this would be the IP address of
the interface connected to the WAN.

5 Select OK to save the peer.


To configure the client FortiGate unit


1 On the client FortiGate unit, go to Firewall > Policy and add a firewall policy that
accepts traffic to be web cached.
2 Go to WAN Opt. & Cache > Peer.
3 Enter the client FortiGate unit Local Host ID.
4 Select Create New.
5 Add the server FortiGate unit as a peer.

Peer Host ID Enter the server FortiGate unit Local Host ID.
IP address Enter the IP address of the server FortiGate unit interface that the client
FortiGate unit can connect to. Usually this would be the IP address of
the interface connected to the WAN.

6 Select OK to save the peer.


7 Go to WAN Opt. & Cache > Rule and select Create New.
8 Configure the rule.

Mode Select Full optimization to add web caching to the peer to peer rule.
Source Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose source address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
Destination Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose destination address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
Port Enter a single port number or port number range. Only packets whose
destination port number matches this port number or port number range
will be accepted by and subject to this rule.
Usually you would set the port to 80 to cache normal HTTP traffic. But
you can change the Port to a different number (for example 8080) or to
a port number range so that the FortiGate unit provides web caching for
HTTP traffic using other ports.
Auto-Detect Select Off to add a peer to peer rule.
Protocol Select HTTP.
Peer Select the peer that contains the IP address of the server FortiGate unit.
Enable Web Cache Select to enable web caching for this WAN optimization rule. Web
caching happens on the server FortiGate unit.
Transparent Mode If you do not select Transparent mode, users must add a proxy server to
their web browser configuration. The IP address of the proxy server
would be the IP address of the FortiGate interface connected to their
network. The port number of the proxy server would be the same as the
Port added to the WAN optimization rule.
If you select Transparent mode, users do not have to add a proxy
server. In transparent mode, users are not aware that the FortiGate unit
is caching web pages.
Enable Byte Caching Optionally select Enable Byte Caching to apply WAN optimization byte
caching to the traffic accepted by this rule. For more information, see
“Byte caching” on page 592.


Enable SSL If you select Enable SSL, the FortiGate unit can apply WAN
optimization to SSL-encrypted WAN traffic. If you select Enable SSL,
the Port setting must include the TCP port numbers used for the SSL-
encrypted traffic (for example, port 443 for HTTPS traffic). Also, you
must import the server certificates onto the FortiGate unit. For more
information, see “SSL WAN optimization” on page 593. The certificate
key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
Enable Secure Tunnel If you select Enable Secure Tunnel the WAN optimization tunnel is
encrypted for privacy using SSL encryption. If you enable the secure
tunnel you must also add an authentication group to the WAN
optimization rule. For more information, see “Secure tunnelling” on
page 593.
Authentication Group Select Authentication Group if you want the client and server FortiGate
units to authenticate with each other before starting the WAN
optimization tunnel. Select an authentication group. You must add
authentication groups to the client and server FortiGate units that either
use the same pre-shared key or the same certificate. For more
information, see “Configuring authentication groups” on page 595.
9 Select OK to save the rule.
The rule is added to the bottom of the WAN optimization list.
10 If required, move the rule to a different position in the list.
See “Moving a rule to a different position in the rule list” on page 575.

Client/server or active passive WAN optimization


In a typical client/server or active-passive WAN optimization configuration, a pair of WAN
optimizing FortiGate units optimize traffic between a client and a server that are
communicating across a WAN.

Figure 400: WAN optimization basic topology (a WAN optimization client on the client network
and a WAN optimization server on the server network, joined by a WAN optimization tunnel
across the WAN)
When the client communicates with the server, the WAN optimization client applies WAN
optimization techniques to the traffic sent by the client. The optimized traffic is sent through
the WAN optimization tunnel over the WAN. The WAN optimization server terminates the
tunnel, reverses the WAN optimization techniques, and sends the restored data stream to
the server.
In this configuration, the WAN optimization client operates in active mode and the WAN
optimization server operates in passive mode. You configure an active WAN optimization
rule on the client by setting Auto-Detect to Active. You configure a passive WAN
optimization rule on the server by setting Auto-Detect to Passive.


Figure 401: Example active (client) WAN optimization rule

Figure 402: Example complementary passive (server) WAN optimization rule

Configuring client/server (active-passive) WAN optimization


You configure client/server (active-passive) WAN optimization by adding an active WAN
optimization rule to the client FortiGate unit and a passive rule to the server FortiGate unit.
You can add multiple active rules for one passive rule, for example to optimize different
protocols with separate active rules. Since you do not configure the protocol in the passive
rule, one passive rule can serve all of the active rules. Adding fewer passive rules simplifies
the WAN optimization configuration.

To configure the client (active) FortiGate unit


1 On the client FortiGate unit, go to Firewall > Policy and add a firewall policy that
accepts the traffic to be optimized.
2 Go to WAN Opt. & Cache > Rule and select Create New.
3 Configure the rule.

Mode Select Full optimization.


Source Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose source address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.


Destination Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose destination address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
Port Enter a single port number or port number range. Only packets whose
destination port number matches this port number or port number range
will be accepted by and subject to this rule.
If you set Protocol to CIFS, FTP, HTTP or MAPI you can enter the port
numbers or port number range used by the selected Protocol.
Auto-Detect Select Active to add an active rule.
Protocol Select CIFS, FTP, HTTP, or MAPI to apply protocol optimization for
these protocols. See “Protocol optimization” on page 591.
Select TCP if the WAN optimization tunnel accepts packets that use
more than one protocol or that do not use the CIFS, FTP, HTTP, or
MAPI protocol.
Transparent Mode If you select transparent mode, WAN optimization keeps the original
source address of the packets, so servers appear to receive traffic
directly from clients. Routing on the server network should be able to
route traffic with client IP addresses to the FortiGate unit.
If you do not select transparent mode, the source address of the
packets received by servers is changed to the address of the FortiGate
unit interface. So servers appear to receive packets from the FortiGate
unit. Routing on the server network is simpler in this case because client
addresses are not involved, but the server sees all traffic as coming
from the FortiGate unit and not from individual clients.
Enable Byte Caching Optionally select Enable Byte Caching to apply WAN optimization byte
caching to the traffic accepted by this rule. For more information, see
“Byte caching” on page 592.
Enable SSL If you select Enable SSL, the FortiGate unit can apply WAN
optimization to SSL-encrypted WAN traffic. If you select Enable SSL,
the Port setting must include the TCP port numbers used for the SSL-
encrypted traffic (for example, port 443 for HTTPS traffic). Also, you
must import the server certificates onto the FortiGate unit. For more
information, see “SSL WAN optimization” on page 593. The certificate
key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
Enable Secure Tunnel If you select Enable Secure Tunnel the WAN optimization tunnel is
encrypted for privacy using SSL encryption. If you enable the secure
tunnel you must also add an authentication group to the WAN
optimization rule. For more information, see “Secure tunnelling” on
page 593.
Authentication Group Select Authentication Group if you want the client and server FortiGate
units to authenticate with each other before starting the WAN
optimization tunnel. Select an authentication group. You must add
authentication groups to the client and server FortiGate units that either
use the same pre-shared key or the same certificate. For more
information, see “Configuring authentication groups” on page 595.
4 Select OK to save the rule.
The rule is added to the bottom of the WAN optimization list.
5 If required, move the rule to a different position in the list.
See “Moving a rule to a different position in the rule list” on page 575.

To configure the server (passive) FortiGate unit


1 On the server FortiGate unit, go to WAN Opt. & Cache > Rule and select Create New.
2 Configure the rule.


Mode Select Full optimization.


Source Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose source address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
The server (passive) source address range should be the same or a
subset of the matching client (active) rule source address range.
Destination Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose destination address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
The server (passive) destination address range should be the same or a
subset of the matching client (active) rule destination address range.
Port Enter a single port number or port number range. Only packets whose
destination port number matches this port number or port number range
will be accepted by and subject to this rule.
The server (passive) port range should be the same or a subset of the
matching client (active) rule port range.
Auto-Detect Select Passive to add a passive rule.
Enable Web Cache Select to enable web caching on the server (passive) FortiGate unit.

3 Select OK to save the rule.


The rule is added to the bottom of the WAN optimization list.
4 If required, move the rule to a different position in the list.
See “Moving a rule to a different position in the rule list” on page 575.

Peer to peer WAN optimization


For peer to peer WAN optimization, the WAN optimization configuration of a FortiGate unit
includes the Local Host IDs and IP addresses of other FortiGate units that can act as WAN
optimization peers with this FortiGate unit. When the FortiGate unit receives a packet in a
WAN optimization tunnel (using port 7810) it compares the source address of the packet
to its WAN optimization peer list. If there is a match, the FortiGate unit assumes this is a
WAN optimization packet from that peer and starts a WAN optimization session with the
peer. This match identifies the peer by source address only; it does not authenticate it. If
the WAN is not trusted, add an authentication group (and Enable Secure Tunnel) to the rule
so that the two units authenticate each other before the tunnel is established.
In addition to the peer list, you must also add a WAN optimization rule for each peer. To
configure this WAN optimization rule, set Auto-Detect to Off and select the name of a peer.
Then, when a packet is received from this peer, the WAN optimization rule is applied.
You can add multiple WAN optimization rules for each peer. WAN optimization applies the
first rule in the list whose source address, destination address and port match the received
packet, so the order of the rules matters.

Configuring peer to peer WAN optimization


In a peer to peer configuration you give each FortiGate unit that can perform WAN
optimization a Local Host ID by going to WAN Opt. & Cache > Peer, entering the Local Host
ID and selecting Apply. Then you add this Host ID as a peer on each of the other FortiGate
units that this unit can perform WAN optimization with. As a result, each FortiGate unit’s
WAN optimization configuration contains the Host ID and IP address of every peer FortiGate
unit that it can start a WAN optimization tunnel with.


To perform WAN optimization between a client network and a server network, you add
WAN optimization rules to the client FortiGate unit. In each rule you set Auto-Detect to Off
and select the peer FortiGate unit that should be the server side of the WAN optimization
tunnel.
If the server FortiGate unit’s peer list contains the client FortiGate unit, the server FortiGate
unit accepts WAN optimization tunnel connections from the client FortiGate unit and the
two units can form a WAN optimization tunnel. The settings for the tunnel are taken from the
client FortiGate unit rule and shared by both units.

Figure 403: Example peer to peer topology (client network 172.20.120.0 behind the WAN
optimization client, Local Host ID Peer_Fgt_1, address 172.20.34.12; web server network
192.168.10.0 behind the WAN optimization server, Local Host ID Peer_Fgt_2, address
192.168.30.12; the two units connect across the WAN)

Figure 404: Adding a peer to peer WAN optimization rule

Figure 405: Adding the server FortiGate unit to the client peer list


Figure 406: Adding the client FortiGate unit to the server peer list

To configure the server FortiGate unit


1 On the server FortiGate unit, go to WAN Opt. & Cache > Peer.
2 Enter the server FortiGate unit Local Host ID and select Apply.
3 Select Create New.
4 Add the client FortiGate unit as a peer.

Peer Host ID Enter the client FortiGate unit Local Host ID.
IP address Enter the IP address of the client FortiGate unit interface that the server
FortiGate unit can connect to. Usually this would be the IP address of
the interface connected to the WAN.

5 Select OK to save the peer.

To configure the client FortiGate unit


1 On the client FortiGate unit, go to Firewall > Policy and add a firewall policy that
accepts the traffic to be optimized.
2 Go to WAN Opt. & Cache > Peer.
3 Enter the client FortiGate unit Local Host ID.
4 Select Create New.
5 Add the server FortiGate unit as a peer.

Peer Host ID Enter the server FortiGate unit Local Host ID.
IP address Enter the IP address of the server FortiGate unit interface that the client
FortiGate unit can connect to. Usually this would be the IP address of
the interface connected to the WAN.

6 Select OK to save the peer.


7 Go to WAN Opt. & Cache > Rule and select Create New.
8 Configure the rule.

Mode Select Full optimization.


Source Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose source address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.
Destination Enter an IP address, followed by a forward slash (/), then subnet mask,
or enter an IP address range separated by a hyphen. See “About WAN
optimization addresses” on page 590.
Only packets whose destination address header contains an IP address
matching this IP address or address range will be accepted by and
subject to this rule.


Port Enter a single port number or port number range. Only packets whose
destination port number matches this port number or port number range
will be accepted by and subject to this rule.
Auto-Detect Select Off to add a peer to peer rule.
Protocol Select CIFS, FTP, HTTP, or MAPI to apply protocol optimization for
these protocols. See “Protocol optimization” on page 591.
Select TCP if the WAN optimization tunnel accepts packets that use
more than one protocol or that do not use the CIFS, FTP, HTTP, or
MAPI protocol.
Peer Select the peer that contains the IP address of the server FortiGate unit.
Enable Web Cache Select to enable web caching. This option is only available if Protocol is
set to HTTP.
Transparent Mode If you select transparent mode, WAN optimization keeps the original
source address of the packets, so servers appear to receive traffic
directly from clients. Routing on the server network should be able to
route traffic with client IP addresses to the FortiGate unit.
If you do not select transparent mode, the source address of the
packets received by servers is changed to the address of the FortiGate
unit interface. So servers appear to receive packets from the FortiGate
unit. Routing on the server network is simpler in this case because client
addresses are not involved, but the server sees all traffic as coming
from the FortiGate unit and not from individual clients.
Enable Byte Caching Optionally select Enable Byte Caching to apply WAN optimization byte
caching to the traffic accepted by this rule. For more information, see
“Byte caching” on page 592.
Enable SSL If you select Enable SSL, the FortiGate unit can apply WAN
optimization to SSL-encrypted WAN traffic. If you select Enable SSL,
the Port setting must include the TCP port numbers used for the SSL-
encrypted traffic (for example, port 443 for HTTPS traffic). Also, you
must import the server certificates onto the FortiGate unit. For more
information, see “SSL WAN optimization” on page 593. The certificate
key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
Enable Secure Tunnel If you select Enable Secure Tunnel the WAN optimization tunnel is
encrypted for privacy using SSL encryption. If you enable the secure
tunnel you must also add an authentication group to the WAN
optimization rule. For more information, see “Secure tunnelling” on
page 593.
Authentication Group Select Authentication Group if you want the client and server FortiGate
units to authenticate with each other before starting the WAN
optimization tunnel. Select an authentication group. You must add
authentication groups to the client and server FortiGate units that either
use the same pre-shared key or the same certificate. For more
information, see “Configuring authentication groups” on page 595.
9 Select OK to save the rule.
The rule is added to the bottom of the WAN optimization list.
10 If required, move the rule to a different position in the list.
See “Moving a rule to a different position in the rule list” on page 575.

About WAN optimization addresses


A WAN optimization source or destination address can contain one or more network
addresses. Network addresses can be represented by an IP address with a netmask or an
IP address range.
When representing hosts by an IP address with a netmask, the IP address can represent
one or more hosts. For example, a source or destination address can be:
• a single computer, such as 192.45.46.45
• a subnetwork, such as 192.168.1.0 for a class C subnet


• 0.0.0.0, which matches any IP address


The netmask determines how many hosts the address covers (the examples below use the
traditional address classes), and can be represented in either dotted decimal or CIDR
format. The FortiGate unit automatically converts CIDR formatted netmasks to dotted
decimal format. Example formats:
• netmask for a single computer: 255.255.255.255, or /32
• netmask for a class A subnet: 255.0.0.0, or /8
• netmask for a class B subnet: 255.255.0.0, or /16
• netmask for a class C subnet: 255.255.255.0, or /24
• netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24

Note: An IP address 0.0.0.0 with netmask 255.255.255.255 is not a valid source or
destination address.

When representing hosts by an IP Range, the range indicates hosts with contiguous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. Valid IP Range formats include:
• x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
• x.x.x.[x-x], such as 192.168.110.[100-120]
• x.x.x.*, such as 192.168.110.*
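The address and port formats listed above, together with the first-match rule selection described under “Peer to peer WAN optimization”, can be exercised with a small parser. The following is an added example written for this edit, not Fortinet code, and it does not claim to reproduce how FortiOS parses these fields. The Rule class, the rule names, the function names and the 172.20.120.0/24 and 192.168.10.0/24 sample networks (taken from the topology figures) are assumptions for illustration. It also performs the consistency check stated in the client/server procedures: a passive (server) rule’s source, destination and port ranges must be the same as, or a subset of, the matching active (client) rule’s ranges.

```python
# Added example (not Fortinet code): parse the WAN optimization address and
# port formats described in the guide, apply first-match rule selection, and
# check that a passive rule's ranges fit inside the matching active rule's.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


def _as_int(host: str) -> int:
    """Dotted-quad IPv4 address -> integer (ValueError if malformed)."""
    return int(ipaddress.IPv4Address(host))


def parse_address(text: str) -> tuple[int, int]:
    """Return the inclusive (first, last) integer range an address covers.

    Formats, as listed in "About WAN optimization addresses":
      x.x.x.x            one host            x.x.x.x/x.x.x.x  dotted netmask
      x.x.x.x/x          CIDR prefix         x.x.x.x-x.x.x.x  explicit range
      x.x.x.[x-x]        last-octet range    x.x.x.*          whole /24
      0.0.0.0            any address
    """
    text = text.strip()
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\[(\d+)-(\d+)\]", text)
    if m:
        base, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad last-octet range: {text}")
        return _as_int(f"{base}.{lo}"), _as_int(f"{base}.{hi}")
    m = re.fullmatch(r"(\d+\.\d+\.\d+)\.\*", text)
    if m:
        return _as_int(f"{m.group(1)}.0"), _as_int(f"{m.group(1)}.255")
    if "-" in text:
        first, last = (_as_int(p) for p in text.split("-", 1))
        if first > last:
            raise ValueError(f"range start after end: {text}")
        return first, last
    if "/" in text:
        addr, mask = text.split("/", 1)
        # IPv4Network accepts both "/24" and "/255.255.255.0" style masks
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        if addr == "0.0.0.0" and net.prefixlen == 32:
            # the guide's note: 0.0.0.0 with netmask 255.255.255.255 is invalid
            raise ValueError("0.0.0.0/255.255.255.255 is not a valid address")
        return int(net.network_address), int(net.broadcast_address)
    if text == "0.0.0.0":
        return 0, 0xFFFFFFFF  # matches any IP address
    host = _as_int(text)
    return host, host


def is_valid_address(text: str) -> bool:
    try:
        parse_address(text)
        return True
    except ValueError:
        return False


def parse_ports(text: str) -> tuple[int, int]:
    """'80' or '8080-8090' -> inclusive (low, high) destination-port range."""
    lo_s, _, hi_s = text.partition("-")
    lo, hi = int(lo_s), int(hi_s) if hi_s else int(lo_s)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo, hi


@dataclass(frozen=True)
class Rule:  # hypothetical model of one WAN optimization rule's match fields
    name: str
    source: str       # any format parse_address accepts
    destination: str
    ports: str        # any format parse_ports accepts


def rule_matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    s = parse_address(rule.source)
    d = parse_address(rule.destination)
    p = parse_ports(rule.ports)
    return (s[0] <= _as_int(src) <= s[1] and d[0] <= _as_int(dst) <= d[1]
            and p[0] <= dport <= p[1])


def select_rule(rules: list[Rule], src: str, dst: str, dport: int) -> Optional[Rule]:
    """First matching rule wins, which is why the order of the rule list matters."""
    for rule in rules:
        if rule_matches(rule, src, dst, dport):
            return rule
    return None


def passive_within_active(passive: Rule, active: Rule) -> bool:
    """Passive (server) ranges must equal or be a subset of the active (client) ranges."""
    def within(inner: tuple[int, int], outer: tuple[int, int]) -> bool:
        return outer[0] <= inner[0] and inner[1] <= outer[1]
    return (within(parse_address(passive.source), parse_address(active.source))
            and within(parse_address(passive.destination), parse_address(active.destination))
            and within(parse_ports(passive.ports), parse_ports(active.ports)))
```

A catch-all rule (destination 0.0.0.0, ports 1-65535) placed above a port-80 rule would shadow it, so when a rule does not fire, `select_rule` with the packet’s addresses and port is the first thing to check.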

Protocol optimization
FortiGate WAN optimization applies protocol optimization techniques to optimize
bandwidth use across the WAN. These techniques can improve the efficiency of
communication across the WAN optimization tunnel by reducing the amount of traffic
required by communication protocols. Protocol optimization can be applied to specific
protocols such as CIFS, FTP, HTTP, and MAPI to apply specific techniques based on the
protocol.
For example, Common Internet File System (CIFS) provides file access, record locking,
read/write privileges, change notification, server name resolution, request batching, and
server authentication. CIFS is a fairly “chatty” protocol, requiring many background
transactions to successfully transfer a single file. This is usually not a problem across a
LAN. However, across a WAN, latency and reduced bandwidth can slow down CIFS
performance.
When you set Protocol to CIFS in a WAN optimization rule, the FortiGate units at either
end of the WAN optimization tunnel use a number of techniques to reduce the amount of
background transactions that occur over the WAN for CIFS traffic.
You can only select one protocol in a WAN optimization rule. For best performance you
should separate the traffic by protocol by creating different WAN optimization rules for
each protocol. For example, to optimize HTTP traffic you should set port to 80 so that only
HTTP traffic is accepted by this WAN optimization rule.


Figure 407: WAN optimization rule to optimize HTTP traffic

If a WAN optimization rule accepts a range of different types of traffic, you can set Protocol
to TCP to employ TCP optimization. This applies general optimization techniques to TCP
traffic. Applying TCP optimization to a range of different types of traffic is not as effective
as applying protocol-specific optimization to specific types of traffic.

Transparent mode
WAN optimization is transparent to users. With WAN optimization in place users connect
to servers in the same way as they would without WAN optimization. However, servers
receiving packets after WAN optimization see different source addresses depending on
whether transparent mode is enabled for WAN optimization or not. If transparent mode is
enabled, WAN optimization keeps the original source address of the packets, so servers
appear to receive traffic directly from clients. Routing on the server network should be able
to route traffic with client IP addresses to the FortiGate unit.
If transparent mode is not enabled, the source address of the packets received by servers
is changed to the address of the FortiGate unit interface. So servers appear to receive
packets from the FortiGate unit. Routing on the server network is simpler in this case
because client addresses are not involved, but the server sees all traffic as coming from
the FortiGate unit and not from individual clients.

Note: Do not confuse WAN optimization transparent mode with FortiGate unit transparent
mode. WAN optimization transparent mode is configured in individual WAN optimization
rules. FortiGate transparent mode is a system setting that controls how the FortiGate unit
(or a VDOM) processes traffic.

Byte caching
FortiGate WAN optimization byte caching breaks large units of application data (for
example, a file being downloaded from a web page) into small chunks of data, labels each
chunk with a hash of the chunk, and stores the chunks and their hashes on a hard disk on
the FortiGate unit. Then, instead of sending the actual data over the WAN optimization
tunnel, the FortiGate unit sends the hashes. The FortiGate unit at the other end of the
tunnel receives the hashes and compares them with the hashes on its local hard disk.
Data whose hash matches does not have to be transmitted over the WAN optimization
tunnel. The data for any hashes that do not match is transferred over the tunnel and
stored on the receiving FortiGate unit’s hard disk. Then the unit of application data (the
file being downloaded) is reassembled and sent to its destination.


Byte caching is not application specific. Bytes cached from a file in an email can be used
to optimize downloading that same file, or a similar file, from a web page.
The result is that less data is transmitted over the WAN. Byte caching may reduce
performance until a large enough library of data chunks and hashes is built up.
Select Byte caching in a WAN optimization rule to enable byte caching. You should enable
byte caching at both ends of the tunnel. The Protocol setting does not affect byte caching.
Data is byte cached when it is processed by a WAN optimization rule that includes byte
caching.
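As an added illustration (not FortiGate code), the following Python models the byte-caching exchange just described: each peer keeps a hash-to-chunk library, only hashes cross the tunnel for data the far end already holds, and the first transfer costs slightly more than the payload, which is the "library must build up first" effect noted above. The fixed 4 KiB chunk size, SHA-256 labelling and the two-round-trip exchange are assumptions of this model, not documented FortiOS behaviour.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

CHUNK_SIZE = 4096   # assumed fixed-size chunking; FortiOS does not document its chunker
HASH_LEN = 32       # SHA-256 digest length; the hash FortiOS uses is not documented


def chunk(data: bytes, size: int = CHUNK_SIZE) -> list[bytes]:
    """Split application data into fixed-size chunks (the last one may be short)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def chunk_id(c: bytes) -> bytes:
    """Label a chunk with the hash of its contents."""
    return hashlib.sha256(c).digest()


@dataclass
class Peer:
    """One end of the tunnel; 'store' models the hash -> chunk library on its hard disk."""
    name: str
    store: dict[bytes, bytes] = field(default_factory=dict)


@dataclass
class TransferStats:
    payload_bytes: int   # size of the application data the client asked for
    wan_bytes: int       # bytes that actually crossed the tunnel (hashes + missing chunks)
    chunks_total: int
    chunks_sent: int

    def reduction_pct(self) -> float:
        """Positive when the tunnel carried less than the payload, negative when overhead won."""
        return 100.0 * (1.0 - self.wan_bytes / self.payload_bytes)


def send_over_tunnel(sender: Peer, receiver: Peer, data: bytes) -> tuple[bytes, TransferStats]:
    """Move 'data' from sender to receiver, sending chunk data only when the receiver lacks it."""
    chunks = chunk(data)
    ids = [chunk_id(c) for c in chunks]
    for cid, c in zip(ids, chunks):
        sender.store.setdefault(cid, c)          # byte caching at both ends: sender's library grows too
    wan_bytes = len(ids) * HASH_LEN              # 1. the list of hashes crosses the WAN
    missing = list(dict.fromkeys(cid for cid in ids if cid not in receiver.store))
    wan_bytes += len(missing) * HASH_LEN         # 2. receiver names the hashes it does not hold
    for cid in missing:                          # 3. only unknown chunk data crosses the WAN
        receiver.store[cid] = sender.store[cid]
        wan_bytes += len(sender.store[cid])
    rebuilt = b"".join(receiver.store[cid] for cid in ids)   # 4. reassemble and deliver
    return rebuilt, TransferStats(len(data), wan_bytes, len(ids), len(missing))


def demo() -> dict[str, TransferStats]:
    """Three transfers between the same pair of peers; all content is constructed."""
    # Constructed 64 KiB 'file': 16 distinct 4 KiB chunks, so nothing dedupes by accident.
    original = b"".join(hashlib.sha256(b"block-%d" % i).digest() for i in range(2048))
    # Same file with chunk 3 overwritten, as after a small edit.
    modified = original[:3 * CHUNK_SIZE] + bytes(CHUNK_SIZE) + original[4 * CHUNK_SIZE:]
    client_fgt, server_fgt = Peer("client-side"), Peer("server-side")
    results: dict[str, TransferStats] = {}
    # First download: every chunk is new, so the hashes are pure overhead.
    rebuilt, results["first"] = send_over_tunnel(server_fgt, client_fgt, original)
    assert rebuilt == original
    # Same bytes again, e.g. now arriving as an email attachment: only hashes cross the WAN.
    rebuilt, results["repeat"] = send_over_tunnel(server_fgt, client_fgt, original)
    assert rebuilt == original
    # Edited file: only the changed chunk crosses the WAN.
    rebuilt, results["modified"] = send_over_tunnel(server_fgt, client_fgt, modified)
    assert rebuilt == modified
    return results


if __name__ == "__main__":
    for label, st in demo().items():
        print(f"{label:9s} payload={st.payload_bytes:6d} wan={st.wan_bytes:6d} "
              f"chunks sent={st.chunks_sent:2d}/{st.chunks_total} reduction={st.reduction_pct():6.2f}%")
```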

SSL WAN optimization


Select Enable SSL in WAN optimization rules to apply WAN optimization techniques to
SSL-encrypted WAN traffic. Many organizations use SSL encryption to protect the privacy
of the traffic travelling across their WANs.
In a typical SSL over WAN configuration, a client uses an SSL encrypted protocol to
connect to an SSL server. When SSL WAN optimization is added between the client and
the server, the client FortiGate unit intercepts and decrypts SSL-encrypted traffic from the
client. The client FortiGate unit then applies WAN optimization techniques to the traffic and
sends it across the WAN optimization tunnel to the server FortiGate unit. The server
FortiGate unit then translates the optimized traffic back to un-optimized traffic and
forwards the traffic to the SSL server.
Traffic in the WAN optimization tunnel is encrypted if you select Enable Secure Tunnel in
the WAN optimization rule. Traffic between the server FortiGate unit and the SSL server is
re-encrypted by the FortiGate unit before being sent to the server if the server is operating
in full mode. If the server is operating in half-mode the FortiGate unit forwards the traffic to
the server unencrypted.
The FortiGate units use FortiASIC acceleration to accelerate SSL decryption and
encryption. If you select Enable SSL you can apply WAN optimization techniques to CIFS,
FTP, HTTP, and MAPI traffic encrypted with SSL. You can also apply web caching to
HTTPS web sites.
If you select Enable SSL, the Port must include the TCP port numbers used for the SSL-
encrypted traffic (for example, port 443 for HTTPS). Also, you must import the server
certificates for the encrypted traffic onto the client and server FortiGate units. Go to
System > Certificates > Local Certificates and select Import to import the certificates. For
more information about importing certificates, see “Local Certificates” on page 237.

Note: The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.

Secure tunnelling
Select Enable Secure Tunnel in WAN optimization rules to use SSL to encrypt the traffic in
the WAN optimization tunnel. The FortiGate units use FortiASIC acceleration to accelerate
SSL decryption and encryption of the secure tunnel. The secure tunnel uses the same
TCP port as a non-secure tunnel (TCP port 7810).
You must configure and add an authentication group to the WAN optimization rule to use
secure tunneling. The authentication group configures the certificate or pre-shared key
parameters required by the secure tunnel. The WAN optimization rules at both ends of the
tunnel should have compatible authentication group configurations. For example, they
should have the same certificates or the same pre-shared key.

WAN optimization with FortiClient


FortiClient 4.0 WAN optimization can work together with WAN optimization on a FortiGate
unit to accelerate network access. FortiClient will automatically detect if WAN optimization
is enabled on the optimizing FortiGate unit it is connected to and transparently make use
of the byte caching and protocol optimization features available.

To enable FortiClient WAN Optimization


From FortiClient:
1 Go to Status > WAN Optimization.
2 Select Enable WAN Optimization.
3 Enable the protocols to be optimized: HTTP (web browsing), CIFS (Windows file
sharing), MAPI (Microsoft Exchange) and FTP (file transfers).
4 Set Maximum Disk Cache to 512, 1024, or 2048MB.
The default is 512MB. If your hard disk can accommodate a larger cache, better
optimization performance is possible.
5 Select Apply.
No special configuration is required on the FortiGate unit to support FortiClient WAN
optimization. If WAN optimization is enabled on FortiClient, when a PC communicates
using one of the enabled protocols, FortiClient starts a WAN optimization tunnel with the
FortiGate unit. For the FortiGate unit to accept the tunnel connection from FortiClient you
must add a passive WAN optimization rule with source, destination, and port that matches
the packets sent by FortiClient.

Configuring peers
Go to WAN Opt. & Cache > Peer to configure WAN optimization peers. Add peers to
support peer to peer WAN optimization and for WAN optimization authentication groups.

Figure 408: WAN optimization peer list
Viewing basic information


Create New: Add a new peer.
Local Host ID: Enter the local host ID of this FortiGate unit and select Apply. If you add this FortiGate unit as a peer to another FortiGate unit, use this as the Peer Host ID.
Apply: Apply a change to the Local Host ID to the FortiGate configuration.

Adding or modifying a peer: Select Create New to add a new peer or select Edit beside an existing peer to modify it.
Peer Host ID: The local host ID of the peer FortiGate unit.
IP Address: The IP address of the peer FortiGate unit. Usually this would be the IP address of the interface connected to the WAN.

Configuring authentication groups


Add authentication groups to support authentication and secure tunneling between WAN
optimization peers.
Go to WAN Opt. & Cache > Peer > Authentication Group to add authentication groups.

Figure 409: WAN optimization Authentication Group list
Viewing basic information


Create New: Add a new authentication group.
Name: The name of the authentication group. Select this name when adding the authentication group to a rule.
Peer(s): The Host IDs of the peers added to the authentication group. When you add the authentication group to a WAN optimization rule, only these FortiGate units can authenticate to use this WAN optimization rule. Peer(s) can be any peer, a peer added to the FortiGate unit peer list (defined peers), or a selected peer.
Adding or modifying an authentication group: Select Create New to add a new authentication group or select Edit beside an existing authentication group to modify it.
Name: Add or change the name of the authentication group.
Authentication Method: Select the authentication method to use, Certificate or Pre-shared key.
Certificate: If you select Certificate, all peers that use this authentication group must have the same authentication group with the same certificate. Go to System > Certificates and take the usual steps to add a certificate. Then select this certificate in the certificate field below.

Pre-shared key: If you select Pre-shared key, add a pre-shared key. All peers that use this authentication group must have the same authentication group with the same pre-shared key. Type the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer. The key must contain at least 6 printable characters and should be known only by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.
Peer Acceptance: One or more of the following options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.
Accept any peer: Authenticate with any peer.
Accept defined peers: Authenticate with any peer added to the FortiGate unit peer list.
Specify Peer: Authenticate with the selected peer only.

Monitoring WAN optimization


Using WAN optimization monitoring you can view and improve WAN optimization
performance. The monitoring tools help isolate performance problems, aid in
troubleshooting, and enable network optimization and capacity planning.
Go to WAN Opt. & Cache > Monitor to view the WAN optimization monitor. The monitor
uses collected log information and presents it in graphical format to show a network
traffic summary and bandwidth optimization information.

Figure 410: WAN optimization monitor

Traffic Summary: Provides traffic optimization information. The pie chart illustrates the percentage of traffic for supported applications processed during the selected Period. The table displays how much traffic has been reduced by WAN optimization by comparing the amount of LAN and WAN traffic for each protocol.
Refresh icon: Refresh the Traffic Summary.
Period: Select a time period to show the traffic summary for. You can select:
• Last 10 Minutes
• Last 1 Hour
• Last 1 Day
• Last 1 Week
• Last 1 Month
Reduction Rate: Displays each application’s optimization rate. For example, a rate of 80% means the amount of data processed by that application has been reduced by 20%.
LAN: The amount of data in Mbytes received from the LAN for each application.
WAN: The amount of data in Mbytes sent across the WAN for each application. The greater the difference between the LAN and WAN data, the greater the amount of data reduced by WAN optimization byte caching, web caching, and protocol optimization.
Bandwidth Optimization: Shows network bandwidth optimization per time Period. A line or column chart compares an application’s pre-optimized (LAN data) size with its optimized size (WAN data).
Refresh icon: Select to refresh the Bandwidth Optimization display.
Period: Select a time frame to show bandwidth optimization for. You can select:
• Last 10 Minutes
• Last 1 Hour
• Last 1 Day
• Last 1 Week
• Last 1 Month
Protocol: Select All to display bandwidth optimization for all applications. Select an individual protocol to display bandwidth optimization for that protocol only.
Chart Type: Select to display bandwidth optimization with a line chart or a column chart.

Changing web cache settings


Go to WAN Opt. & Cache > Cache to change the settings for the WAN optimization web
cache. In most cases the default settings are acceptable. However, you may want to
change these settings to improve performance or optimize the cache for your
configuration.

Always revalidate: Select to always revalidate a requested cached object with the content on the server before serving it to the client.
Max Cache Object Size: Set the maximum object size to cache. The default size is 512000 kbytes (512 Mbytes). This is the largest object the web cache will store. All objects retrieved that are larger than the maximum size are delivered to the client but are not stored in the web cache.
Negative Response Duration: Set how long in minutes to cache negative responses. The default is 0, meaning negative responses are not cached. The content server might send a client error code (4xx HTTP response) or a server error code (5xx HTTP response) as a response to some requests. If the web cache is configured to cache these negative responses, it returns that response to subsequent requests for that page or image for the specified number of minutes.
Fresh Factor: Set the fresh factor as a percentage. The default is 100, and the range is 1 to 100. For cached objects that don’t have an expiry time, the web cache periodically checks the server to see if the object has expired. The higher the fresh factor, the less often the checks.

Max TTL: The maximum amount of time an object can stay in the web cache without checking to see if it has expired on the server. The default is 7200 minutes (120 hours or 5 days).
Min TTL: The minimum amount of time an object can stay in the web cache before checking to see if it has expired on the server. The default is 5 minutes.
Default TTL: The default expiry time for objects that do not have an expiry time set by the web server. The default expiry time is 1440 minutes (24 hours).
Explicit Proxy: Indicates whether the explicit proxy has been enabled for the FortiGate unit. See “Web Proxy” on page 148.
Enable Explicit Proxy: Select to enable using the WAN optimization web cache to cache for the explicit proxy.
Ignore If-modified-since: By default, if the time specified by the If-Modified-Since header in the client's conditional request is greater than the last modified time of the object in the cache, it is a strong indication that the copy in the cache is stale. If so, HTTP does a conditional GET to the Overlay Caching Scheme (OCS), based on the last modified time of the cached object. Enable Ignore If-modified-since to override this behavior.
HTTP 1.1 Conditionals: HTTP 1.1 provides additional controls to the client over the behavior of caches concerning the staleness of the object. Depending on various Cache-Control headers, the FortiGate unit can be forced to consult the OCS before serving the object from the cache. For more information about the behavior of Cache-Control header values, see RFC 2616.
Pragma-no-cache: Typically, if a client sends an HTTP GET request with a Pragma: no-cache (PNC) or Cache-Control: no-cache header, a cache must consult the OCS before serving the content. This means that the FortiGate unit always re-fetches the entire object from the OCS, even if the cached copy of the object is fresh. Because of this, PNC requests can degrade performance and increase server-side bandwidth utilization. However, if Ignore Pragma-no-cache is enabled, the PNC header from the client request is ignored. The FortiGate unit treats the request as if the PNC header is not present at all.
IE Reload: Some versions of Internet Explorer issue an Accept: / header instead of a Pragma: no-cache header when you select Refresh. When an Accept header has only the / value, the FortiGate unit treats it as a PNC header if it is a type-N object. When Ignore IE Reload is enabled, the FortiGate unit ignores the PNC interpretation of the Accept: / header.
Cache Expired Objects: Applies only to type-T objects. When Cache Expired Objects is enabled, type-T objects that are already expired at the time of acquisition are cached (if all other conditions make the object cacheable). When this setting is disabled, already expired type-T objects become non-cacheable at the time of acquisition.
Revalidated Pragma-no-cache: The pragma-no-cache (PNC) header in a client's request can affect the efficiency of the FortiGate unit from a bandwidth gain perspective. If you do not want to completely ignore PNC in client requests (which you can do with the Ignore Pragma-no-cache option), you can lower the impact of the PNC by enabling the revalidate-pragma-no-cache setting. When the revalidate-pragma-no-cache setting is enabled, a client's non-conditional PNC GET request results in a conditional GET request sent to the OCS if the object is already in the cache. This gives the OCS a chance to return the 304 Not Modified response, consuming less server-side bandwidth, because it has not been forced to return full content even though the contents have not actually changed. By default, the revalidate PNC configuration is disabled and is not affected by changes in the top-level profile. When the Substitute Get for PNC configuration is enabled, the revalidate PNC configuration has no effect.
Most download managers make byte-range requests with a PNC header. To serve such requests from the cache, the revalidate pragma-no-cache option should be configured along with byte-range support.
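To make the interplay of these options concrete, here is an added Python model (not FortiGate code) of the two decisions they govern: whether a response is admitted to the cache and for how long, and whether a later request is served from the cache, revalidated with a conditional GET, or fetched in full. Fresh Factor and the wider HTTP 1.1 conditionals are left out because the page does not give their formulas, `max-age` stands in for all server expiry signals, and date headers are carried as epoch seconds rather than RFC 1123 strings to keep the example short.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MINUTE = 60
FETCH, CONDITIONAL_GET, SERVE = "FETCH", "CONDITIONAL_GET", "SERVE"


@dataclass
class CacheSettings:
    """The web cache options described above, with the defaults the page gives."""
    always_revalidate: bool = False
    max_object_kbytes: int = 512000        # 512 Mbytes
    negative_response_minutes: int = 0     # 0: 4xx/5xx responses are not cached
    max_ttl_minutes: int = 7200            # 5 days
    min_ttl_minutes: int = 5
    default_ttl_minutes: int = 1440        # 24 hours
    ignore_if_modified_since: bool = False
    ignore_pnc: bool = False               # Ignore Pragma-no-cache
    revalidate_pnc: bool = False           # Revalidated Pragma-no-cache
    ignore_ie_reload: bool = False
    cache_expired_objects: bool = False


@dataclass
class CachedObject:
    url: str
    body_len: int
    last_modified: int   # epoch seconds (model simplification: no RFC 1123 date parsing)
    expires_at: int      # epoch seconds at which the cached copy becomes stale


def _max_age(cache_control: str) -> Optional[int]:
    """Return the max-age directive of a Cache-Control value, or None if absent or malformed."""
    for directive in cache_control.lower().split(","):
        name, _, value = directive.strip().partition("=")
        if name == "max-age" and value.isdigit():
            return int(value)
    return None


def admit(url: str, status: int, headers: dict, body_len: int, now: int,
          s: CacheSettings) -> Optional[CachedObject]:
    """Acquisition time: store the response with an expiry, or return None to pass it through."""
    if body_len > s.max_object_kbytes * 1024:
        return None                                # Max Cache Object Size: deliver, do not store
    if status >= 400:                              # Negative Response Duration
        if s.negative_response_minutes == 0:
            return None
        return CachedObject(url, body_len, now, now + s.negative_response_minutes * MINUTE)
    max_age = _max_age(headers.get("Cache-Control", ""))
    if max_age is None:
        ttl = s.default_ttl_minutes * MINUTE       # Default TTL: the server set no expiry
    elif max_age == 0 and not s.cache_expired_objects:
        return None                                # already expired on arrival: not cached
    else:
        ttl = max_age
    ttl = max(s.min_ttl_minutes * MINUTE, min(ttl, s.max_ttl_minutes * MINUTE))  # Min/Max TTL
    return CachedObject(url, body_len, int(headers.get("Last-Modified", now)), now + ttl)


def _is_pnc(req: dict, s: CacheSettings) -> bool:
    """Pragma: no-cache or Cache-Control: no-cache, plus the IE 'Accept: /' reload quirk."""
    pnc = "no-cache" in (req.get("Pragma", "") + req.get("Cache-Control", "")).lower()
    if req.get("Accept", "").strip() == "/" and not s.ignore_ie_reload:
        pnc = True                                 # IE Reload: Accept: / counts as PNC
    return pnc and not s.ignore_pnc                # Ignore Pragma-no-cache drops it entirely


def lookup(req: dict, cached: Optional[CachedObject], now: int, s: CacheSettings) -> str:
    """Request time: serve from cache, revalidate with a conditional GET, or fetch in full."""
    if cached is None:
        return FETCH
    if _is_pnc(req, s):                            # PNC forces a full fetch unless revalidated
        return CONDITIONAL_GET if s.revalidate_pnc else FETCH
    if s.always_revalidate or now >= cached.expires_at:
        return CONDITIONAL_GET
    ims = req.get("If-Modified-Since")
    if ims is not None and not s.ignore_if_modified_since and int(ims) > cached.last_modified:
        return CONDITIONAL_GET                     # client holds a newer copy: ours is likely stale
    return SERVE


def demo() -> dict[str, object]:
    """Constructed requests for one cached object under several settings; all values made up."""
    now, d = 1_700_000_000, CacheSettings()
    resp = {"Cache-Control": "max-age=600", "Last-Modified": str(now - 3600)}
    logo = admit("http://intranet.example/logo.png", 200, resp, 20_000, now, d)
    pnc, ie = {"Pragma": "no-cache"}, {"Accept": "/"}
    return {
        "fresh": lookup({}, logo, now + 60, d),
        "stale": lookup({}, logo, now + 700, d),
        "pnc_default": lookup(pnc, logo, now + 60, d),
        "pnc_revalidate": lookup(pnc, logo, now + 60, CacheSettings(revalidate_pnc=True)),
        "pnc_ignored": lookup(pnc, logo, now + 60, CacheSettings(ignore_pnc=True)),
        "ie_reload": lookup(ie, logo, now + 60, d),
        "newer_ims": lookup({"If-Modified-Since": str(now)}, logo, now + 60, d),
        "not_found": admit("http://intranet.example/x", 404, {}, 300, now, d),
        "no_expiry": admit("http://intranet.example/p", 200, {}, 10, now, d),
    }
```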

Endpoint control
Endpoint control enforces the use of FortiClient End Point Security (Enterprise Edition) in
your network. The compliance check ensures that the endpoint is running the most recent
version of the FortiClient software and, optionally, checks that the antivirus signatures are
up-to-date.
You enable endpoint control in a firewall policy. When traffic attempts to pass through the
firewall policy, the FortiGate unit runs compliance checks on the originating host on the
source interface. Non-compliant endpoints are blocked. If web browsing, they receive a
message telling them that they are non-compliant, or they are redirected to a web portal
where they can download the FortiClient application installer.
You can monitor the endpoints that are subject to endpoint control, viewing information
about the computer and its operating system. If you configure software detection, you can
also see if endpoints have specific applications installed.
The following topics are included in this section:
• Configuring endpoint control
• Monitoring endpoints

Configuring endpoint control


Endpoint control requires that all hosts using the firewall policy have FortiClient Endpoint
Security software installed. Make sure that all hosts affected by this policy are able to
install this software. Currently, FortiClient Endpoint Security is available for Microsoft
Windows 2000 and later only.
To set up endpoint control, you need to
• Enable Central Management by the FortiGuard Analysis & Management Service. This
is required if you will use FortiGuard Services to update FortiClient software or
antivirus signatures. You do not need to enter account information. See “Central
Management” on page 220.
• Configure the minimum required version of FortiClient and the source of FortiClient
installer downloads for non-compliant endpoints. See “Configuring FortiClient required
version and installer download” on page 600.
• Enable endpoint control in firewall policies. See “Endpoint Compliance Check options”
on page 329.

Note: You cannot enable Endpoint Compliance Check in firewall policies if the Redirect
HTTP Challenge to a Secure Channel (HTTPS) option is enabled in User > Options >
Authentication.

• Optionally, configure software detection to monitor whether endpoints have specific
applications installed. See “Configuring software detection” on page 601.

• Optionally, you can modify the appearance of the FortiClient Download Portal. Go to
System > Config > Replacement Messages > Endpoint Check and edit the Endpoint
Check Download Portal. This is an HTML page. Be sure to retain the %%LINK%% tag
which provides the download URL for the FortiClient installer. For more information
about modifying replacement messages, see “Changing replacement messages” on
page 196.

Viewing FortiClient required version information


Go to Endpoint Control > FortiClient to view the following information:
• minimum required version of FortiClient software
• latest available FortiClient software version
• latest available antivirus signature package version
• the number of downloads of FortiClient software on this FortiGate unit since the last
reboot
Select Customize to set the minimum FortiClient software version that endpoints are
required to run and to configure the download source for the FortiClient installer. See
“Configuring FortiClient required version and installer download” on page 600.

Configuring FortiClient required version and installer download


Go to Endpoint Control > FortiClient and select Customize to set the minimum FortiClient
software version that endpoints are required to run and to configure the download source
for the FortiClient installer.

Figure 411: Configuring FortiClient requirements and installer source

FortiClient Installer Download Location: Select one of the following options to determine the link that the FortiClient Download Portal provides to non-compliant users to download the FortiClient installer.
FortiGuard Distribution Network: FortiClient software is provided by FortiGuard. The FortiGate unit must have FortiGuard access configured. See “Configuring FortiGuard Services” on page 258. If the FortiGate unit contains a hard disk drive, the files from FortiGuard Services are cached to more efficiently serve downloads to multiple endpoints.
This FortiGate: Users download a FortiClient installer file from this FortiGate unit. This option is available only on FortiGate models that support upload of FortiClient installer files. Upload your FortiClient installer file using the execute restore forticlient CLI command. For more information, refer to the FortiGate CLI Reference.

Custom URL: Specify a URL from which users can download the FortiClient installer. You can use this option to provide custom installer files even though your FortiGate unit does not have storage space for them.
Minimum FortiClient Version Required: Last Available — The latest version available from the installer download location. Specify — Enter the version number.
Use the This FortiGate or Custom URL option if you want to provide a customized version
of the FortiClient application. This is required if a FortiManager unit will centrally manage
FortiClient applications. For information about customizing the FortiClient application, see
the FortiClient Administration Guide.

Viewing the software detection list


Go to Endpoint Control > Software Detection to view the list of applications that endpoint
control checks for on endpoint PCs.

Figure 412: Software Detection list for Endpoint Control

Create New: Add an application to detect. See “Configuring software detection” on page 601.
Name: Application name.
Pattern: A text pattern to match the application name as it appears in the Add or Remove Programs list.
Delete icon: Remove this item from the list.
Edit icon: Modify this item. See “Configuring software detection” on page 601.

Configuring software detection


You can determine whether endpoints have specific applications installed. This
information is displayed in the Detected Software column of the Endpoints list. To detect
an application, you must first add it to the Software Detection list. You can specify up to 10
applications.
Go to Endpoint Control > Software Detection and select Create New to configure software
detection for an application. Enter the following information and select OK.

Name: Enter a descriptive name for the application.
Pattern: Enter a text pattern to match the application name in the PC’s registry.

Monitoring endpoints
Go to Endpoint Control > Endpoints to view the list of known endpoints. An endpoint is
added to the list when it uses a firewall policy that has Endpoint Compliance Check
enabled.

Figure 413: Endpoints list

Refresh: Update the list.
Status: Display Compliant or Non-compliant endpoints, or Both.
Page: Shows the current page number in the list. Select the left and right arrows to display the first, previous, next or last page of known endpoints.
Column Settings: Select the columns to display in the list. You can also determine the order in which they appear.
Clear All Filters: Clear any column display filters you might have applied.
Information columns: The Column Settings determine which of these columns display.
AV signature: The version of the antivirus signatures present on the endpoint.
Computer Manufacturer
Computer Model
CPU Model
Description
Detected Software: The applications that were detected on this endpoint. See “Configuring software detection” on page 601.
FortiClient Version
Host Name
Installed FCT features: The FortiClient features available on the endpoint.
IP Address: The endpoint’s IP address.
Last User
Last Update: Time of the last AV update on the endpoint.
Memory Size
OS Version
Status
System Uptime
Traffic Volume/Attempts

Log&Report
FortiGate units provide extensive logging capabilities for traffic, system and network
protection functions. They also allow you to compile reports from the detailed log
information gathered. Reports provide historical and current analysis of network activity,
helping to identify security issues and to reduce and prevent network misuse and abuse.
This section provides information about how to enable logging, view log messages, and
configure reports. If you have VDOMs enabled, see “Using virtual domains” on page 103
for more information.
The following topics are included in this section:
• FortiGate logging
• FortiGuard Analysis and Management Service
• Log severity levels
• High Availability cluster logging
• Storing logs
• Log types
• Accessing Logs
• Viewing log information
• Customizing the display of log messages
• Content Archive
• Alert Email
• Reports

Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging
may not be available because certain features do not support logging, or are not available
in Transparent mode. For example, SSL VPN events are not available in Transparent
mode.

FortiGate logging
A FortiGate unit can log many different network activities and traffic including:
• overall network traffic
• system-related events including system restarts, HA and VPN activity
• anti-virus infection and blocking
• web filtering, URL and HTTP content blocking
• signature and anomaly attack and prevention
• spam filtering
• Instant Messaging and Peer-to-Peer traffic
• VoIP telephone calls.
When customizing the logging location, you can also customize what minimum log
severity level the FortiGate unit should log these events at. There are six severity levels to
choose from. For more information, see “Log severity levels” on page 605.

For better log storage and retrieval, the FortiGate unit can send log messages to a
FortiAnalyzer™ unit. FortiAnalyzer units provide integrated log collection, analysis tools
and data storage. Detailed log reports provide historical as well as current analysis of
network activity. Detailed log reports also help identify security issues, reducing network
misuse and abuse. The FortiGate unit can send all log message types, including
quarantine files and content archives, to a FortiAnalyzer unit for storage. The
FortiAnalyzer unit can upload log files to an FTP server for archival purposes. For more
information about configuring the FortiGate unit to send log messages to a FortiAnalyzer
unit, see “Logging to a FortiAnalyzer unit” on page 606.
If you have a subscription for the FortiGuard Analysis and Management Service, your
FortiGate unit can send logs to a FortiGuard Analysis server. This service provides
another way to store and view logs, as well as archiving email messages. For more
information, see “FortiGuard Analysis and Management Service” on page 604. Fortinet
recommends reviewing the FortiGuard Analysis and Management Service Administration
Guide to learn more about the logging, reporting, and remote management features from
the FortiGuard Analysis and Management Service portal web site.
The FortiGate unit can also send log messages to either a Syslog server or WebTrends
server for storage and archival purposes. If your FortiGate unit has a hard disk, you can
also send logs to it by using the CLI. For more information about configuring logging to the
hard disk, see the FortiGate CLI Reference.
In the FortiGate web-based manager, you can view log messages available in system
memory, on a FortiAnalyzer unit running firmware version 3.0 or higher, or, if available, the
hard disk. You can use customizable filters to easily locate specific information within the
log files.
For details and descriptions of log messages and formats, see the FortiGate Log Message
Reference.

FortiGuard Analysis and Management Service


FortiGuard Analysis and Management Service is a subscription-based service that
provides logging and reporting solutions, as well as remote management service, for all
FortiGate units. The FortiGuard Analysis and Management Service is available on all
FortiGate units running FortiOS 3.0 MR6 and higher.
The logging and reporting side of FortiGuard Analysis and Management Service is made
up of two types of servers, the primary analysis server and the secondary analysis server.
The primary analysis server stores logs generated from the FortiGate unit. The secondary
analysis server provides redundancy, ensuring log data is available at all times. There are
several secondary analysis servers available for redundancy for each FortiGate unit. The
network also includes the main analysis server, which is responsible for monitoring and
maintaining the primary and secondary analysis servers.
When the FortiGate unit connects to the logging and reporting network for the first time, it
retrieves its assigned primary analysis server, contract term, and storage space quota
from the main analysis server. The main analysis server contains this information so it can
maintain and monitor the status of each of the servers.
After configuring logging to the assigned primary analysis server, the FortiGate unit begins
sending encrypted logs to the primary analysis server through TCP port 514. The
connection between the main analysis server and the FortiGate unit is secured using FCP
over HTTPS, through port 443.

Fortinet recommends reviewing the FortiGuard Analysis and Management Service
Administration Guide because it contains very detailed information about this FortiGuard
service. This administration guide contains information about:
• registering your FortiGate unit, or multiple FortiGate units, for this FortiGuard service
• enabling this FortiGuard service on your FortiGate unit
• configuring remote management and logging and reporting.

Note: After upgrading your FortiGate firmware, you need to re-enter your account ID and
then update the service to re-connect to the servers that support logging and reporting. You
may need to update the service from the portal web site as well.

FortiGuard Analysis and Management Service portal web site


The portal web site provides a central location for managing your information about the
FortiGate units and service account. The portal web site also allows you to view logs and
reports, including remote management services such as configuration backups.
You need a service account ID, username and password before entering the portal web
site. You receive this information when you register for the FortiGuard Analysis and
Management Service on the Fortinet support web site. After entering all appropriate
information on the Fortinet support web site, you can then log into the FortiGuard Analysis
and Management Service portal web site.
For information about registering, enabling and configuring the FortiGuard Analysis and
Management Service, see the FortiGuard Analysis and Management Service
Administration Guide.
Note: The portal also includes remote management features. For more information about
remotely managing your FortiGate unit using the FortiGuard Analysis and Management
Service, see “System Maintenance” on page 247.

Log severity levels


You can define what severity level the FortiGate unit records logs at when you configure
the logging location. The FortiGate unit logs all messages at and above the logging
severity level you select. For example, if you select Error, the unit logs Error, Critical, Alert
and Emergency level messages.
Table 42: Log severity levels

Levels Description
0 - Emergency The system has become unstable.
1 - Alert Immediate action is required.
2 - Critical Functionality is affected.
3 - Error An error condition exists and functionality could be affected.
4 - Warning Functionality could be affected.
5 - Notification Information about normal events.
6 - Information General information about system operations.

The Debug severity level, not shown in Table 42, is rarely used. It is the lowest log
severity level and usually contains some firmware status information that is useful when
the FortiGate unit is not functioning properly. Debug log messages are generated only if
the log severity level is set to Debug. Debug log messages are generated by all types of
FortiGate features.


High Availability cluster logging


When configuring logging with a High Availability (HA) cluster, you configure the primary
unit to send logs to a FortiAnalyzer unit or a Syslog server. The settings are applied to the
subordinate units, which send the log messages to the primary unit. The primary unit then
sends all logs to the FortiAnalyzer unit or Syslog server.
If you configured a secure connection via an IPSec VPN tunnel between a FortiAnalyzer
unit and a HA cluster, the connection is between the FortiAnalyzer unit and the HA cluster
primary unit.
For more information, see the FortiGate High Availability User Guide.

Storing logs
The type and frequency of log messages you intend to save determines the type of log
storage to use. For example, if you want to log traffic and content logs, you need to
configure the FortiGate unit to log to a FortiAnalyzer unit or Syslog server. The FortiGate
system memory is unable to log traffic and content logs because of their frequency and
large file size.
Storing log messages to one or more locations, such as a FortiAnalyzer unit or Syslog
server, may be a better solution for your logging requirements than the FortiGate system
memory. Configuring your FortiGate unit to log to a FortiGuard Analysis server may also
be a better log storage solution if you do not have a FortiAnalyzer unit and want to create
reports. This particular log storage solution is available to all FortiGate units running
FortiOS 3.0 MR6 or higher, through a subscription to the FortiGuard Analysis and
Management Service. For more information, see “FortiGuard Analysis and Management
Service” on page 604.
If your FortiGate unit has a hard disk, you can also enable logging to the hard disk from
the CLI. See the FortiGate CLI Reference for more information before enabling logging to
the hard disk.
If you require logging to multiple FortiAnalyzer units or Syslog servers, see the FortiGate
CLI Reference.

Note: Daylight Saving Time (DST) is now extended by four weeks in the United States and
Canada and may affect your location. It is recommended to verify if your location observes
this change, since it affects the scope of the report. Fortinet has released supporting
firmware. See the Fortinet Knowledge Center article, New Daylight Saving Time support,
for more information.

Logging to a FortiAnalyzer unit


FortiAnalyzer units are network devices that provide integrated log collection, analysis
tools and data storage. Detailed log reports provide historical as well as current analysis of
network activity to help identify security issues and reduce network misuse and abuse.
You can configure the FortiGate unit to log up to three FortiAnalyzer units. The FortiGate
unit sends logs to all three FortiAnalyzer units. Each FortiAnalyzer unit stores the same
information. Logging to multiple FortiAnalyzer units provides real-time backup protection
in the event one of the FortiAnalyzer units fails. You can configure logging to multiple
FortiAnalyzer units only in the CLI. For more information, see the FortiGate CLI
Reference.


Figure 414: Configuring a connection to the FortiAnalyzer unit

To configure the FortiGate unit to send logs to the FortiAnalyzer unit


1 Go to Log&Report > Log Config > Log Setting.
2 Select the Expand Arrow beside Remote Logging to reveal the available options.
3 Select FortiAnalyzer.
4 From the Minimum log level list, select one of the following:
Emergency The system is unusable.
Alert Immediate action is required.
Critical Functionality is affected.
Error An erroneous condition exists and functionality is probably affected.
Warning Functionality might be affected.
Notification Information about normal events.
Information General information about system operations.
Debug Information used for diagnosing or debugging the FortiGate unit.

5 Select Static IP Address.


6 Enter the static IP address of the FortiAnalyzer unit in the Static IP Address field.
7 Select Apply.
The FortiAnalyzer unit needs to be configured to receive logs from the FortiGate unit
after you have configured log settings on the FortiGate unit. Contact a FortiAnalyzer
administrator to complete the configuration.

Note: You cannot configure a FortiAnalyzer unit to be a backup solution for the FortiGuard
Analysis server, and vice versa. If you require a backup solution for one of these logging
devices, using a Syslog server or WebTrends server is preferred.


Connecting to FortiAnalyzer using Automatic Discovery


You can connect to a FortiAnalyzer unit by using the Automatic Discovery feature. This
feature allows the FortiGate unit to find a FortiAnalyzer unit that is on the network within
the same subnet.
When you select Automatic Discovery, the FortiGate unit uses HELLO packets to locate
any FortiAnalyzer units available on the network within the same subnet. When the
FortiGate unit discovers the FortiAnalyzer unit, the FortiGate unit automatically begins
sending log data, if logging is configured for traffic and other events, to the FortiAnalyzer
unit.
The Automatic Discovery feature must be enabled on the FortiAnalyzer side to work
properly. The FortiAnalyzer unit requires firmware version 3.0 or higher to use this feature.
Fortinet recommends contacting a FortiAnalyzer administrator to verify Automatic
Discovery is enabled on the FortiAnalyzer unit before using this feature.

To enable automatic discovery


1 Go to Log&Report > Log Config > Log Setting.
2 Select the Expand Arrow beside Remote Logging to reveal the available options.
3 Select FortiAnalyzer.
4 Select Automatic Discovery.
5 Select a FortiAnalyzer unit from the Connect To list, if available.
If no FortiAnalyzer unit is available, contact a FortiAnalyzer administrator to verify if
there is one on the network.
6 Select Discover.
The FortiGate unit searches within the same subnet for a response from any available
FortiAnalyzer units.
7 Select Apply.

Note: If your FortiGate unit is in Transparent mode, you must modify the interface in the
CLI before Automatic Discovery can carry traffic. Use the procedure in the Fortinet
Knowledge Center article, Fortinet Discovery Protocol in Transparent mode, to enable the
interface to also carry traffic when using the Automatic Discovery feature.

Testing the FortiAnalyzer configuration


After configuring FortiAnalyzer settings, test the connection between the FortiGate unit
and FortiAnalyzer unit to verify both devices are communicating properly. During testing,
the FortiGate unit displays information about specific settings for transmitting and
receiving logs, reports, content archive and quarantine files.
The FortiGate unit must learn the IP address of the FortiAnalyzer unit before testing the
connection. A false test report failure may result if testing the connection occurs before the
FortiGate unit learns the IP address of the FortiAnalyzer unit.
To test the connection, go to Log&Report > Log Config > Log Setting, expand Remote
Logging options, and then select Test Connectivity.


Figure 415: Test Connectivity with FortiAnalyzer

FortiAnalyzer (Hostname) The name of the FortiAnalyzer unit. The default name of a
FortiAnalyzer unit is its product name, for example, FortiAnalyzer-400.
FortiGate (Device ID) The serial number of the FortiGate unit.
Registration Status The status of whether or not the FortiGate unit is registered with the
FortiAnalyzer unit. If the FortiGate unit is unregistered, it may not have full privileges. For
more information, see the FortiAnalyzer Administration Guide.
Connection Status The connection status between FortiGate and FortiAnalyzer units. A
green check mark indicates there is a connection and a gray X indicates there is no
connection.
Disk Space (MB) The amount of disk space, in MB, on the FortiAnalyzer unit for logs.
Allocated Space The amount of space designated for logs, including quarantine files and
content archives.
Used Space The amount of used space.
Total Free Space The amount of unused space.
Privileges The permissions of the device for sending and viewing logs, reports, content
archives, and quarantined logs.
• Tx indicates the FortiGate unit is allowed to transmit log packets to the FortiAnalyzer
unit.
• Rx indicates the FortiGate unit is allowed to display reports and logs stored on the
FortiAnalyzer unit.
A check mark indicates the FortiGate unit has permissions to send or view log information
and reports. An X indicates the FortiGate unit is not allowed to send or view log
information.

You can also test the connection status between the FortiGate unit and the FortiAnalyzer
unit by using the following CLI command:
execute log fortianalyzer test-connectivity
The command displays the connection status and the amount of disk usage in percent.
For more information, see the FortiGate CLI Reference.

Note: The test connectivity feature also provides a warning when a FortiGate unit requires
a higher-end FortiAnalyzer unit or when the maximum number of VDOMs/FortiGate units
has been reached on the FortiAnalyzer unit.


Logging to a FortiGuard Analysis server


You can configure logging to a FortiGuard Analysis server after registering for the
FortiGuard Analysis and Management Service on the Fortinet support web site. Fortinet
recommends verifying that the connection is working properly before configuring logging
to a FortiGuard Analysis server.
You can enable FortiGate features from the FortiGate web-based manager. For more
information, see “Log types” on page 612. Logging traffic, as well as summary and email
content archiving, is also available.

To log to a FortiGuard Analysis server


1 Go to Log&Report > Log Config.
2 Select the Expand Arrow beside Remote Logging to reveal the available options.
3 Select FortiGuard Analysis Service.
4 Enter the account ID in the Account ID field.
5 Select one of the following:

Overwrite oldest logs Deletes the oldest log entry and continues logging when the maximum
log disk space is reached.
Do not log Stops log messages going to the FortiGuard Analysis server when the maximum
log disk space is reached.

6 Select a severity level.


7 Select Apply.

Logging to memory
The FortiGate system memory has a limited capacity for log messages. The FortiGate
system memory displays only the most recent log entries. It does not store traffic and
content logs in system memory due to their size and the frequency of log entries. When
the system memory is full, the FortiGate unit overwrites the oldest messages. All log
entries are cleared when the FortiGate unit restarts.
If your FortiGate unit has a hard disk, use the CLI to enable logging to it. You can also
upload logs stored on the hard disk to a FortiAnalyzer unit. For more information, see the
FortiGate CLI Reference.

To configure the FortiGate unit to save logs in memory


1 Go to Log&Report > Log Config > Log Setting.
2 Select the check box beside Memory.
3 Select the Expand Arrow beside the check box to reveal the available Memory options.
4 Select a severity level.
The FortiGate unit logs all messages at and above the logging severity level you
select. For more information about the logging levels, see Table 42, “Log severity
levels,” on page 605.

Note: You can configure logging to an AMC disk and schedule when to upload logs to a
FortiAnalyzer unit.
The AMC disk is available on FortiGate-3600A, FortiGate-3016B and FortiGate-3810A
units.
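The two full-storage behaviours described above (the "Overwrite oldest logs" and "Do not log" options for the FortiGuard Analysis server, and the overwrite-oldest behaviour of system memory, which is also emptied on restart) decide which evidence is lost when a store fills up. The following added example models both policies on a small bounded store so the difference is visible; it is illustration code written for this page, not code from the FortiGate Administration Guide or from Fortinet, and the capacity, message strings and policy names it uses are constructed.

```python
"""Two full-store policies for a bounded log store.

Added example, not code from the FortiGate Administration Guide or from Fortinet.
It models the two behaviours the guide names: 'Overwrite oldest logs' (the
FortiGuard Analysis server option, and what system memory does when full) and
'Do not log' (stop accepting messages when the space is exhausted). The capacity,
messages and policy names are constructed for illustration.
"""
from __future__ import annotations

from collections import deque

OVERWRITE_OLDEST = "overwrite-oldest"   # constructed name for "Overwrite oldest logs"
DO_NOT_LOG = "do-not-log"               # constructed name for "Do not log"


class BoundedLogStore:
    """Fixed-capacity store that applies one of the two policies once it is full."""

    def __init__(self, capacity: int, policy: str) -> None:
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        if policy not in (OVERWRITE_OLDEST, DO_NOT_LOG):
            raise ValueError(f"unknown policy: {policy}")
        self.capacity = capacity
        self.policy = policy
        self._entries: deque[str] = deque()
        self.dropped_oldest = 0   # evidence lost under OVERWRITE_OLDEST
        self.refused_newest = 0   # evidence lost under DO_NOT_LOG

    def write(self, entry: str) -> bool:
        """Store the entry; return False when the policy discards it."""
        if len(self._entries) < self.capacity:
            self._entries.append(entry)
            return True
        if self.policy == OVERWRITE_OLDEST:
            # Drop the earliest message to make room for the newest one.
            self._entries.popleft()
            self.dropped_oldest += 1
            self._entries.append(entry)
            return True
        # DO_NOT_LOG: keep what is stored and refuse everything that follows.
        self.refused_newest += 1
        return False

    def entries(self) -> list[str]:
        """Messages currently held, oldest first."""
        return list(self._entries)

    def restart(self) -> None:
        """System memory loses every stored entry when the unit restarts."""
        self._entries.clear()


def fill(policy: str, capacity: int, messages: list[str]) -> BoundedLogStore:
    """Write every message into a fresh store and return it for inspection."""
    store = BoundedLogStore(capacity, policy)
    for message in messages:
        store.write(message)
    return store


# Constructed sample: five messages into a store that holds only three.
SAMPLE_MESSAGES = [f"msg-{i}" for i in range(1, 6)]

if __name__ == "__main__":
    for policy in (OVERWRITE_OLDEST, DO_NOT_LOG):
        store = fill(policy, 3, SAMPLE_MESSAGES)
        print(policy, store.entries(),
              "dropped oldest:", store.dropped_oldest,
              "refused newest:", store.refused_newest)
```

Under the overwrite policy the store keeps the three most recent messages and the earliest two are gone, so the first sign of an incident may be lost; under the do-not-log policy the first three survive but everything after the store fills is silently refused. Sending traffic and content logs to a FortiAnalyzer unit or Syslog server, as the guide recommends, avoids both losses.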


Logging to a Syslog server


A Syslog server is a remote computer running Syslog software. Syslog is an industry
standard for logging and is used to capture log information provided by network devices.
The Syslog server is both a convenient and flexible logging device, since any computer
system, such as Linux, Unix, and Intel-based Windows, can run syslog software.
When configuring logging to a Syslog server, you need to configure the facility and the log
file format, normal or Comma Separated Values (CSV). The CSV format separates fields
with commas, whereas the normal format separates them with spaces. Logs saved in the
CSV file format can be viewed in a spreadsheet application, while logs saved in normal
format are viewed in a text editor (such as Notepad) because they are saved as plain text
files.
Configuring a facility makes it easy to identify which device recorded the log messages.

Figure 416: Logging to a Syslog server

To configure the FortiGate unit to send logs to a syslog server


1 Go to Log&Report > Log Config > Log Setting.
2 Select the check box beside Syslog.
3 Select the Expand Arrow beside the check box to reveal the Syslog options.
4 Set the following syslog options:

Name/IP The domain name or IP address of the syslog server.
Port The port number for communication with the syslog server, typically port 514.
Minimum log level The FortiGate unit logs all messages at and above the logging severity
level you select. For more information about the logging levels, see Table 42, “Log
severity levels,” on page 605.
Facility Facility indicates to the syslog server the source of a log message. By default,
FortiGate reports Facility as local7. You may want to change Facility to distinguish log
messages from different FortiGate units.
Enable CSV Format If you enable CSV format, the FortiGate unit produces the log in
Comma Separated Value (CSV) format. If you do not enable CSV format, the FortiGate
unit produces plain text files.

5 Select Apply.

Note: If more than one Syslog server is configured, the Syslog servers and their settings
appear on the Log Settings page. You can configure multiple Syslog servers in the CLI. For
more information, see the FortiGate CLI Reference.
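The severity rule of Table 42 (the unit logs everything at and above the selected level, so a more severe level has a smaller number) and the syslog Facility setting described above are what a syslog collector has to interpret on the receiving side. The following added example shows that logic as a collector would implement it: it encodes and decodes the syslog priority value, applies a minimum log level the same way the FortiGate unit does, and uses the facility to tell apart units that were configured with different facilities. This is illustration code written for this page, not code from the FortiGate Administration Guide or from Fortinet. It assumes the RFC 3164 convention PRI = facility * 8 + severity, the severity codes of Table 42 plus Debug = 7, and the default facility local7; the message bodies and device names are constructed samples, not real FortiGate log output.

```python
"""Severity and facility handling for FortiGate syslog output, as a collector
would implement it.

Added example, not code from the FortiGate Administration Guide or from Fortinet.
Assumptions: the RFC 3164 priority convention PRI = facility * 8 + severity,
the severity codes of Table 42 plus Debug = 7, and the guide's default facility
local7. The message bodies below are constructed samples, not real FortiGate
log output, and the device names are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Table 42 severity levels (0 = most severe) plus Debug, which the guide notes
# is rarely used and is generated only when the minimum level is set to Debug.
SEVERITY_NAMES = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notification", 6: "information", 7: "debug",
}
SEVERITY_CODES = {name: code for code, name in SEVERITY_NAMES.items()}

# Standard syslog facility codes; a FortiGate unit reports local7 by default.
FACILITY_CODES = {
    "kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass(frozen=True)
class SyslogRecord:
    facility: int
    severity: int
    body: str


def encode_pri(facility: str, severity: str) -> int:
    """PRI value a sender puts in front of a message, e.g. local7 + error -> 187."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def parse_syslog_line(line: str) -> SyslogRecord:
    """Split '<PRI>body' into facility, severity and body; reject a malformed PRI."""
    match = _PRI_RE.match(line)
    if match is None:
        raise ValueError(f"missing <PRI> prefix: {line!r}")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return SyslogRecord(facility, severity, match.group(2))


def passes_minimum_level(record: SyslogRecord, minimum: str) -> bool:
    """The FortiGate rule: log messages at and above the selected level.

    'Above' means more severe, i.e. a numerically smaller code, so a minimum
    of 'error' (3) admits codes 0..3 and drops warning (4) and below.
    """
    return record.severity <= SEVERITY_CODES[minimum]


def collect(lines: Iterable[str], minimum: str,
            facility_to_device: dict[int, str]) -> list[tuple[str, str, str]]:
    """Apply the minimum level, then attribute each kept message to the unit
    that was configured with that facility (the guide's reason for changing it)."""
    kept = []
    for line in lines:
        record = parse_syslog_line(line)
        if not passes_minimum_level(record, minimum):
            continue
        device = facility_to_device.get(record.facility, "unknown-facility")
        kept.append((device, SEVERITY_NAMES[record.severity], record.body))
    return kept


# Constructed sample (not real FortiGate output). Two units were given distinct
# facilities, local7 and local6, so the collector can tell them apart.
FACILITY_TO_DEVICE = {
    FACILITY_CODES["local7"]: "fgt-site-a",   # placeholder device name
    FACILITY_CODES["local6"]: "fgt-site-b",   # placeholder device name
}
SAMPLE_LINES = [
    f"<{encode_pri('local7', 'emergency')}>constructed: system became unstable",
    f"<{encode_pri('local7', 'notification')}>constructed: traffic accepted by policy",
    f"<{encode_pri('local6', 'error')}>constructed: error condition reported",
    f"<{encode_pri('local7', 'debug')}>constructed: firmware status detail",
]

if __name__ == "__main__":
    for entry in collect(SAMPLE_LINES, "error", FACILITY_TO_DEVICE):
        print(entry)
```

With the minimum level set to Error, the notification-level sample is dropped; this is the same effect the guide warns about for traffic logs, which are generally logged at Notification and so disappear if the logging location is set to Warning or higher.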


Logging to WebTrends
WebTrends is a remote computer running a NetIQ WebTrends firewall reporting server.
FortiGate log formats comply with WebTrends Enhanced Log Format (WELF) and are
compatible with NetIQ WebTrends Security Reporting Center and Firewall Suite 4.1.
Use the CLI to configure the FortiGate unit to send log messages to WebTrends. After
logging into the CLI, enter the following commands:
config log webtrends setting
set server <address_ipv4>
set status {disable | enable}
end
Keywords and variables Description Default
server <address_ipv4> Enter the IP address of the WebTrends server that stores the
logs. No default.
status {disable | enable} Enter enable to enable logging to a WebTrends server. disable

Example
This example shows how to enable logging to a WebTrends server and to set an IP
address for the server.
config log webtrends setting
set status enable
set server 172.16.125.99
end
For more information about setting the options for the types of logs sent to WebTrends,
see the Log chapter in the FortiGate CLI Reference.

Log types
The FortiGate unit provides a wide range of features to log, enabling you to better monitor
activity that is occurring on your network. For example, you can enable logging of IM/P2P
features, to obtain detailed information on the activity occurring on your network where
IM/P2P programs are used.
Before enabling FortiGate features, you need to configure what type of logging device will
store the logs. For more information, see “Storing logs” on page 606.
This topic also provides details on each log type and explains how to enable logging of the
log type.

Note: If the FortiGate unit is in Transparent mode, certain settings and options for logging
may not be available because they do not support logging, or are not available in
Transparent mode. For example, SSL VPN events are not available in Transparent mode.

Traffic log
The Traffic log records all the traffic to and through the FortiGate interfaces. You can
configure logging of traffic controlled by firewall policies and for traffic between any source
and destination addresses. You can also filter to customize the traffic logged:
• Allowed traffic – The FortiGate unit logs all traffic that is allowed according to the
firewall policy settings.
• Violation traffic – The FortiGate unit logs all traffic that violates the firewall policy
settings.
If you log “other-traffic”, the FortiGate unit incurs a higher system load because
“other-traffic” logging records individual packets. Fortinet recommends logging firewall
policy traffic since it minimizes the load. Logging “other-traffic” is disabled by default.
Firewall policy traffic logging records the traffic that is both permitted and denied by the
firewall policy, based on the protection profile; it records the packets that match the
policy.

To enable firewall policy traffic logging


1 Go to Firewall > Policy.
2 Select the Expand Arrow to view the policy list for a policy.
3 Select Edit beside the policy that you want.
If required, create a new firewall policy by selecting Create New. For more information,
see “Firewall Policy” on page 313.
4 Select Log Allowed Traffic.
5 Select OK.

Note: You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages. Traffic log messages generally have a severity level
no higher than Notification. If VDOMs are in Transparent mode, make sure that VDOM
allows access for enabling traffic logs.

Event log
The Event Log records management and activity events, such as when a configuration
has changed, or VPN and High Availability (HA) events occur.
When you are logged into VDOMs that are in Transparent mode, or if all VDOMs are in
Transparent mode, certain options may not be available such as VIP ssl event or CPU and
memory usage event. You can enable event logs only when you are logged in to a VDOM;
you cannot enable event logs in the root VDOM.

To enable the event logs


1 Go to Log&Report > Log Config > Event Log.
2 Select the Enable check box.
3 Select one or more of the following logs:

System Activity event All system-related events, such as ping server failure and gateway
status.
IPSec negotiation event All IPSec negotiation events, such as progress and error reports.
DHCP service event All DHCP events, such as the request and response log.
L2TP/PPTP/PPPoE service event All protocol-related events, such as manager and socket
creation processes.
Admin event All administrative events, such as user logins, resets, and configuration
updates.
HA activity event All high availability events, such as link, member, and state information.
Firewall authentication event All firewall-related events, such as user authentication.
Pattern update event All pattern update events, such as antivirus and IPS pattern updates
and update failures.
SSL VPN user authentication event All user authentication events for an SSL VPN
connection, such as logging in, logging out and timeout due to inactivity.
SSL VPN administration event All administration events related to SSL VPN, such as SSL
configuration and CA certificate loading and removal.
SSL VPN session event All session activity such as application launches and blocks,
timeouts, and verifications.
VIP ssl event All server-load balancing events happening during an SSL session,
especially details about handshaking.
VIP server health monitor event All related VIP server health monitor events that occur
when the VIP health monitor is configured, such as an interface failure.
CPU & memory usage (every 5 min) All real-time CPU and memory events, at 5-minute
intervals.
4 Select Apply.

Data Leak Prevention log


Data Leak Prevention logging provides additional information that helps administrators
analyze and detect data leaks. You can enable logging of your configured Data Leak
Prevention settings in a protection profile.

To enable logging of Data Leak Prevention settings


1 Go to Firewall > Protection Profile.
2 Select the Expand Arrow to view the policy list for a policy.
3 Select Edit beside the policy that you want.
4 Select the Expand Arrow to view the Data Leak Prevention options.
5 Select the checkbox next to the sensor list.
6 Select a sensor from the list.
7 Select the Expand Arrow to view the Logging options.
8 Select the Data Leak Prevention Log DLP check box.

Application Control log


This log file includes IPS, IM/P2P and VoIP events that the FortiGate unit records. The
Application Control log also includes some IPS activities.

To enable logging of Application Control settings


1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow to expand the Logging options.
4 Select the Log Application Control check box.


Antivirus log
The Antivirus log records virus incidents in Web, FTP, and email traffic. For example,
when the FortiGate unit detects an infected file, blocks a file type, or blocks an oversized
file or email message, it records an antivirus log message. You can also apply filters to
customize what the FortiGate unit logs:
• Viruses – The FortiGate unit logs all virus infections.
• Blocked Files – The FortiGate unit logs all instances of blocked files.
• Oversized Files/Emails – The FortiGate unit logs all instances of files and email
messages exceeding defined thresholds.
• AV Monitor – The FortiGate unit logs all instances of viruses, blocked files, and
oversized files and email. This applies to HTTP, FTP, IMAP, POP3, SMTP, and IM
traffic.

To enable antivirus logs


1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow beside Logging to reveal the available options.
4 Select the antivirus events you want logged.
5 Select OK.

Web filter log


The Web Filter log records web content blocking actions and FortiGuard rating errors for
HTTP traffic.

To enable web filter logs


1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow beside Logging to reveal the available options.
4 Select the web filtering events to log.
5 Select the FortiGuard Web Filtering Rating Errors (HTTP only) check box, to log
FortiGuard filtering.
6 Select OK.

Spam filter log


The Spam Filter log records blocking of email address patterns and content in SMTP,
IMAP and POP3 traffic.

To enable the Spam log


1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow beside Logging to reveal the available options.
4 Select Log Spam.
5 Select OK.


Attack log (IPS)


The Attack (IPS) log records attacks detected and prevented by the FortiGate unit. The
FortiGate unit logs the following:
• Attack Signature – The FortiGate unit logs all detected and prevented attacks based
on the attack signature, and the action taken by the FortiGate unit.
• Attack Anomaly – The FortiGate unit logs all detected and prevented attacks based
on unknown or suspicious traffic patterns, and the action taken by the FortiGate unit.
You can view attack log messages from either the Memory or Remote tab.

To enable the attack logs


1 Go to Firewall > Protection Profile.
2 Select Edit beside the protection profile that you want.
3 Select the Expand Arrow beside Logging to reveal the available options.
4 Select Log Intrusions under IPS.
5 Select OK.

Note: Make sure attack signature and attack anomaly DoS sensor settings are enabled to
log the attack. The logging options for the signatures included with the FortiGate unit are
set by default. Ensure any custom signatures also have the logging option enabled. For
more information, see “Intrusion Protection” on page 441.

Accessing Logs
You can use the Log Access feature in the FortiGate web-based manager to view logs
stored in memory, on a hard disk, or stored on a FortiAnalyzer unit running FortiAnalyzer
3.0, or on the FortiGuard Analysis server.
Log Access provides tabs for viewing logs according to these locations. Each tab provides
options for viewing log messages, such as search and filtering options, and choice of log
type. The Remote tab displays logs stored on either the FortiGuard Analysis server or
FortiAnalyzer unit, whichever one is configured for logging.
For the FortiGate unit to access logs on a FortiAnalyzer unit, the FortiAnalyzer unit must
run firmware version 3.0 or higher.

Accessing logs stored in memory


You can access logs stored in the FortiGate system memory from the Memory tab. The
traffic log type is not available in the Log Type list because the FortiGate system memory
is unable to store them; however, you can view attack logs.
To view log messages in the FortiGate memory buffer, go to Log&Report > Log Access,
select the Memory tab, and then select a log type from the Log Type list.

Accessing logs stored on the hard disk


You can access logs stored on the hard disk if your FortiGate unit has a hard disk. Logs
stored on the hard disk are available for viewing in the Disk tab. You can view, navigate,
and download logs stored on the hard disk.
To access log files on the hard disk, go to Log&Report > Log Access, select the Disk tab,
and then select a log type from the Log Type list. The FortiGate unit displays a list of rolled
log files. You can view log messages when you select the View icon.


Figure 417: Viewing log files stored on the FortiGate hard disk

Log Type Select the type of log you want to view. Some log files, such as the traffic log,
cannot be stored to memory due to the volume of information logged.
File name The names of the log files of the displayed Log Type stored on the FortiGate
hard disk. When a log file reaches its maximum size, the FortiGate unit saves the log file
with an incremental number, and starts a new log file with the same name. For example, if
the current attack log is alog.log, any subsequent saved logs appear as alog.n, where n is
the number of rolled logs.
Size (bytes) The size of the log file in bytes.
Last access time The time a log message was recorded on the FortiGate unit. The time is
in the format day-name month date hh:mm:ss yyyy, for example Fri Feb 16 12:30:54 2007.
Clear log icon Clear the current log file. Clearing deletes only the current log messages of
that log file. The log file is not deleted.
Download icon Download the log file or rolled log file. Select either Download file in
Normal format or Download file in CSV format. Select Return to return to the Disk tab
page. Downloading the current log file includes only current log messages.
View icon View a log file’s log messages.
Delete icon Delete rolled logs. Fortinet recommends downloading the rolled log file before
deleting it because the rolled log file cannot be retrieved after deleting it.

Accessing logs stored on the FortiAnalyzer unit


You can view and navigate through logs saved to the FortiAnalyzer unit. For information
about configuring the FortiGate unit to send log files to the FortiAnalyzer unit, see
“Logging to a FortiAnalyzer unit” on page 606.
Logs accessed on a remote logging device such as the FortiAnalyzer unit automatically
appear in the Remote tab.
To access log files on the FortiAnalyzer unit, go to Log&Report > Log Access, select the
Remote tab, and select a log type from the Log Type list.

Figure 418: Viewing log files stored on the FortiAnalyzer unit

Log Type Select the type of log you want to view.
Current Page By default, the first page of the list of items is displayed. The total number
of pages appears after the current page number. For example, if 3/54 appears, you are
currently viewing page 3 of 54 pages.
To view pages, select the left and right arrows to display the first, previous, next, or last
page.
To view a specific page, enter the page number in the field and then press Enter.
For more information, see “Using page controls on web-based manager lists” on page 59.
Column Settings Select to add or remove columns. This changes what log information
appears in Log Access. For more information, see “Column settings” on page 620.
Raw or Formatted By default, log messages are displayed in Formatted mode. Select
Formatted to view log messages in Raw mode, without columns. When in Raw mode,
select Formatted to switch back to viewing log messages organized in columns.
When log messages are displayed in Formatted view, you can customize the columns, or
filter log messages.
Clear All Filters Clear all filter settings. For more information, see “Filtering log
messages” on page 621.

Note: The FortiAnalyzer unit must be running firmware version 3.0 or higher to view logs
from the FortiGate unit.

Accessing logs stored on the FortiGuard Analysis server


You can access log files stored on the FortiGuard Analysis server from the FortiGate web-
based manager, if you have subscribed to FortiGuard Analysis and Management Service.
After enabling logging to the FortiGuard Analysis server, a Remote tab appears in the Log
Access menu. For more information about viewing real-time and historical log files, see
the FortiGuard Analysis and Management Service Guide.
To access log files on the FortiGuard Analysis server, go to Log&Report > Log Access,
select the Remote tab, and then select a log type from the Log Type list.

Viewing log information


Log information is displayed in the Log Access menu. Different tabs in Log Access display
log information stored on the FortiAnalyzer unit or FortiGuard Analysis server (Remote),
in FortiGate system memory (Memory), and on the FortiGate hard disk if one is available (Disk).
The columns that appear reflect the content found in the log file. The top portion of the Log
Access page includes navigational features to help you move through the log messages
and locate specific information.
To view log messages, go to Log&Report > Log Access and then select the tab that
corresponds to the log storage device used: Remote, Memory or Disk. If you are logging
to the FortiGate unit’s hard disk, select Edit beside a rolled log file to view log messages.

Figure 419: Viewing log messages

Log Type Select the type of log you want to view. Some log files, such as the traffic log, cannot
be stored to memory due to the volume of information logged.
Current Page By default, the first page of the list of items is displayed. The total number of pages
displays after the current page number. For example, if 3/54 appears, you are
currently viewing page 3 of 54 pages.
To view pages, select the left and right arrows to display the first, previous, next, or
last page.
To view a specific page, enter the page number in the field and then press Enter.
For more information, see “Using page controls on web-based manager lists” on
page 59.
Column Settings Select to add or remove columns. This changes what log information appears in Log
Access. For more information, see “Column settings” on page 620.
Raw or Formatted By default, log messages are displayed in Formatted mode. Select Raw to
view log messages in Raw mode, without columns. When in Raw mode, select
Formatted to switch back to viewing log messages organized in columns.
When log messages are displayed in Formatted view, you can customize the
columns, or filter log messages.
Clear All Filters Clear all filter settings. For more information, see “Filtering log messages” on
page 621.


Customizing the display of log messages


By customizing the display of log messages, you can view certain parts or different
formats of log messages. For example, log messages can be viewed in Formatted or Raw
view. In Formatted view, you can customize the columns, or filter log messages. In Raw
view, the log message appears as it would in the log file.
Filtering is also another way to customize the display of log messages. By using the filter
icon, you can display specific information of log messages. For example, you may want to
display only event log messages that have a severity level of alert.

Note: For more information about filtering log messages, see “Adding filters to web-based
manager lists” on page 56.

Column settings
By using Column Settings, you can customize the view of log messages in Formatted
view. By adding columns, changing their order, or removing them, you can view only the
log information you want. The Column Settings feature is available only in Formatted view.

Figure 420: Column settings for viewing log messages

To customize the columns


1 Go to Log&Report > Log Access.
2 Select the tab to view logs from, Memory, Disk or Remote.
3 Select a log type from the Log Type list.
4 Select the View icon if you are viewing a log file on a FortiAnalyzer unit.
5 Select the Column Settings icon.
6 Select a column name in the Available fields list and then select one of the following to
change the views of the log information:

-> Select the right arrow to move selected fields from the Available fields list to
the Show these fields in this order list.
<- Select the left arrow to move selected fields from the Show these fields in this
order list to the “Available fields” list.
Move up Move the selected field up one position in the Show these fields in this order
list.
Move down Move the selected field down one position in the Show these fields in this
order list.


7 Select OK.

Note: The Detailed Information column provides the entire raw log entry and is needed only
if the log contains information not available in any of the other columns. The VDOM column
displays which VDOM the log was recorded in.

You can view the device ID and device name when customizing columns. The device ID
provides the identification name of the device. The device name is the host name that you
configured for the FortiGate unit, for example Headquarters.

Filtering log messages


You can filter log messages by selecting the Filter icon to display specific information
about log messages. The filter settings that are applied remain until you log out of the
web-based manager. Log filters automatically reset to default settings when you log into
the web-based manager.

Figure 421: Log filters (Filter icon shown enabled and disabled)

To filter log messages


1 Go to Log&Report > Log Access.
2 Select the tab to view logs from, Memory, Remote or Disk.
3 Select a log type from the Log Type list.
4 Select the Filter icon in the column to view logs.
5 Select Enable to enable filtering for the column.
6 Enter the information as appropriate. The fields vary by log type.
For more information about using the filter icons to filter log messages, see “Adding
filters to web-based manager lists” on page 56.
7 Select OK.
8 Select the columns to filter in the Filter list.
You can also select the columns that appear in the Filter list instead of selecting the
actual column.
You can view log messages in Raw format only after configuring the filters. To delete all
filter settings, select Clear All Filters, located under the Filter list.


Content Archive
You can use Content Archive in the FortiGate web-based manager to view the archived logs
and the HTTP, FTP, email, IM, and VoIP content archives stored on the FortiAnalyzer unit.
You can also view content archives on the FortiGuard Analysis server if you have subscribed
to the FortiGuard Analysis and Management Service.
Before viewing content archives, you need to enable this feature on your FortiGate unit,
within a protection profile. For more information, see “Firewall Protection Profile” on
page 391.
The FortiGate unit allocates only one sixteenth of its memory for transferring content
archive files. For example, FortiGate units with 128MB of RAM use only 8MB of memory when
transferring content archive files. Because of these memory constraints, it is recommended
not to enable full content archiving if antivirus scanning is also configured.

Note: Infected files are clearly indicated in the Content Archive menu so that you know
which content archives are infected and which are not.

Configuring content archiving


When configuring content archiving, you select various archiving options from within a
protection profile in Firewall > Protection Profile. Content archiving is available when the
FortiGate unit is configured to log to either a FortiAnalyzer unit or FortiGuard Analysis
server. If you are logging to the FortiGuard Analysis server, you receive only a content
summary of the logs. This applies to email content archives as well.

To enable content archiving for your FortiGate unit


1 Go to Firewall > Protection Profile.
2 Select Edit for a protection profile.
3 Select the Expand Arrow to view the Content Archive option.
4 Select the content archives you require beside Display content meta-information on the
system dashboard.
5 Select the available options in each list you require for Archive to
FortiAnalyzer/FortiGuard.
6 Select the check boxes for Archive SPAMed email to FortiAnalyzer, if required.
7 Select OK.

Note: Email content archiving is also supported on the FortiGuard Analysis server.


Viewing content archives


By using Content Archive, you can view all archived logs in the web-based manager. You
can view either content archive logs stored on a FortiAnalyzer unit or FortiGuard Analysis
server. The FortiGuard Analysis server stores only a content summary of logs.
If you need to view logs in Raw format, select Raw beside the Column Settings icon. For
more information, see “Column settings” on page 620.
Content archives are displayed only if either the FortiAnalyzer unit or the FortiGuard
Analysis server is enabled in the protection profile for that remote logging device. For
example, if the FortiAnalyzer unit is configured to receive content archives, then only
content archives from the FortiAnalyzer unit appear in the Content Archive menu.
To view content archives on a FortiGate unit, go to Log&Report > Content Archive, and
select the archived log type tab to view: Email, Web, FTP, IM, or VoIP.
To view content archives from the FortiGuard Analysis server, go to Log&Report >
Content Archive, and select FortiGuard from Select Log Device. Select the archived log
type tab to view: Email, Web, FTP, IM, or VoIP.

Alert Email
You can use the Alert Email feature to monitor logs for log messages, and to send email
notification about a specific activity or event logged. For example, if you require
notification about administrators logging in and out, you can configure an alert email that is
sent whenever an administrator logs in and out. You can also base alert email messages
on the severity levels of the logs.

Figure 422: Alert Email options part 1

Configuring Alert Email


Before configuring alert email, you must configure at least one DNS server if you specify
the SMTP server by Fully Qualified Domain Name (FQDN). The FortiGate unit uses the
SMTP server name to connect to the mail server, and must look up this name on your
DNS server. You can also specify an IP address instead.


Figure 423: Alert Email options part 2

To configure alert email


1 Go to Log&Report > Log Config > Alert E-mail.
2 Set the following options and select Apply.

SMTP Server The name/address of the SMTP email server.


Email from The SMTP user name.
Email to Enter up to three email address recipients for the alert email message.
Authentication Select the authentication Enable check box to enable SMTP authentication.
SMTP user Enter the user name for logging on to the SMTP server to send alert email
messages. You need to do this only if you have enabled the SMTP
authentication.
Password Enter the password for logging on to the SMTP server to send alert email. You
need to do this only if you selected SMTP authentication.

3 Select Test Connectivity to send a test email message to the email account you
configured in the above step.
4 Select Send alert email for the following if you require sending an email
based on one or more of the following:

Interval Time (1-9999 minutes) Enter the minimum time interval between consecutive alert
emails. Use this to rate-limit the volume of alert emails.
Intrusion detected Select if you require an alert email message based on attempted
intrusion detection.
Virus detected Select if you require an alert email message based on virus
detection.
Web access blocked Select if you require an alert email message based on blocked web
sites that were accessed.
HA status changes Select if you require an alert email message based on HA status
changes.
Violation traffic detected Select if you require an alert email message based on violation
traffic that is detected by the FortiGate unit.
Firewall authentication failure Select if you require an alert email message based on
firewall authentication failures.
SSL VPN login failure Select if you require an alert email message based on any SSL VPN
logins that failed.
Administrator login/logout Select if you require an alert email message based on whether
administrators log in or out.
IPSec tunnel errors Select if you require an alert email message based on whether there
is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE errors Select if you require an alert email message based on errors that
occurred in L2TP, PPTP, or PPPoE.
Configuration changes Select if you require an alert email message based on any changes
made to the FortiGate configuration.
FortiGuard license expiry time (1-100 days) Enter the number of days before the FortiGuard
license expiry time notification is sent.
FortiGuard log quota usage Select if you require an alert email message based on the
FortiGuard Analysis server log disk quota getting full.

5 Select Send an alert based on severity if you require sending an alert email based on
log severity level.
6 Select the minimum severity level in the Minimum severity level list if you are sending
an alert based on severity.
7 Select Apply.

Note: The default minimum log severity level is Alert. If the FortiGate unit collects more
than one log message before an interval is reached, the FortiGate unit combines the
messages and sends out one alert email.
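The following Python script is an added example, not code from this guide or from Fortinet, that models two behaviours described above: turning Raw log messages into Formatted columns with Column Settings and a per-column filter (“Filtering log messages”), and the Alert Email minimum severity level with interval-based combining of messages. The key=value field names (date, time, devname, device_id, type, subtype, pri, msg) follow the style of FortiOS raw logs, but every log line and value in the script is constructed for the example.

```python
"""
Added example (not from the FortiGate Administration Guide): a small model of Raw
versus Formatted log display with filtering, and of Alert Email severity and
interval batching. All log lines below are constructed sample data.
"""
import shlex
from datetime import datetime, timedelta

# FortiOS log severity levels; a smaller number is more severe.
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}

# Constructed sample of Raw view lines (one key=value log message per line).
RAW_LOGS = [
    'date=2009-02-19 time=10:00:05 devname=Headquarters device_id=FG-EXAMPLE '
    'type=event subtype=admin pri=information msg="User admin logged in"',
    'date=2009-02-19 time=10:01:10 devname=Headquarters device_id=FG-EXAMPLE '
    'type=attack subtype=signature pri=alert msg="IPS signature matched"',
    'date=2009-02-19 time=10:02:30 devname=Headquarters device_id=FG-EXAMPLE '
    'type=event subtype=ha pri=critical msg="HA status changed"',
    'date=2009-02-19 time=10:03:00 devname=Headquarters device_id=FG-EXAMPLE '
    'type=event subtype=config pri=notification msg="Configuration changed"',
    'date=2009-02-19 time=10:09:00 devname=Headquarters device_id=FG-EXAMPLE '
    'type=virus subtype=infected pri=warning msg="Virus detected"',
    'date=2009-02-19 time=10:12:00 devname=Headquarters device_id=FG-EXAMPLE '
    'type=event subtype=sslvpn pri=alert msg="SSL VPN login failed"',
]


def parse_raw(line):
    """Split one Raw log line into a dict of columns; quoted values keep their spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def formatted_view(lines, columns, filters=None, min_severity=None):
    """Return rows of the chosen columns, like Formatted view with Column Settings
    and per-column filters applied. min_severity keeps only messages at that
    severity level or worse (the same rule Alert Email uses)."""
    filters = filters or {}
    rows = []
    for rec in map(parse_raw, lines):
        if any(rec.get(col) != want for col, want in filters.items()):
            continue
        if min_severity and SEVERITY[rec["pri"]] > SEVERITY[min_severity]:
            continue
        rows.append(tuple(rec.get(col, "") for col in columns))
    return rows


def alert_batches(lines, min_severity="alert", interval_minutes=5):
    """Simplified model of Alert Email batching: messages at or above
    min_severity are collected, and those logged within interval_minutes of
    the first message in a window are combined into one notification.
    Returns the msg text of each combined email, in order."""
    interval = timedelta(minutes=interval_minutes)
    window_start, current, batches = None, [], []
    for rec in sorted(map(parse_raw, lines), key=lambda r: (r["date"], r["time"])):
        if SEVERITY[rec["pri"]] > SEVERITY[min_severity]:
            continue
        stamp = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if window_start is not None and stamp - window_start < interval:
            current.append(rec["msg"])        # still inside the interval: combine
            continue
        if current:
            batches.append(current)           # interval elapsed: send what we have
        window_start, current = stamp, [rec["msg"]]
    if current:
        batches.append(current)
    return batches


if __name__ == "__main__":
    # Formatted view of event logs only, showing four selected columns.
    for row in formatted_view(RAW_LOGS, ["time", "type", "pri", "msg"], {"type": "event"}):
        print("  ".join(row))
    # Default minimum severity Alert, 5 minute interval.
    print(alert_batches(RAW_LOGS))
    # Lower the threshold to Critical so the HA message joins the first email.
    print(alert_batches(RAW_LOGS, min_severity="critical"))
```

Running it shows why the default minimum severity of Alert hides the Critical HA message from email, and how lowering the threshold or widening the interval changes which messages are combined into one notification.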

Reports
You can use the Log&Report menu to configure FortiAnalyzer report schedules and to
view generated FortiAnalyzer reports. You can also configure basic traffic reports, which
use the log information stored in your FortiGate system memory to present basic traffic
information in a graphical format.

Viewing basic traffic reports


The FortiGate unit uses collected log information and presents it in a graphical format to
show network usage for a number of services. The charts show the bytes used for the
service traffic.
To view basic traffic reports, go to Log&Report > Report Access > Memory.


Figure 424: Viewing the basic traffic report from a FortiGate-60 unit

Time Period Select a time range to view for the graphical analysis. You can choose from
one day, three days, one week or one month. The default is one day. When
you refresh your browser or go to a different menu, the settings revert to
default.
Services By default all services are selected. When you refresh your browser or go to
a different menu, all services revert to default settings. Clear the check
boxes beside the services you do not want to include in the graphical
analysis.
• Browsing
• DNS
• Email
• FTP
• Gaming
• Instant Messaging
• Newsgroups
• P2P
• Streaming
• TFTP
• VoIP
• Generic TCP
• Generic UDP
• Generic ICMP
• Generic IP

Bandwidth Per Service This bar graph is based on what services you select, and is updated when
you select Apply. The graph is based on date and time, which is the current
date and time.
Top Protocols Ordered by Total Volume This bar graph displays the traffic volume for various
protocols, in decreasing order of volume. The bar graph does not update when you
select different Services and then select Apply.

The report is not updated in real-time. You can refresh the report by selecting the Memory
tab.

Note: The data used to present the graphs is stored in the FortiGate system memory.
When the FortiGate unit is reset or rebooted, the data is erased.

Configuring the graphical view


The FortiGate basic traffic report includes a wide range of services you can monitor. For
example, you can choose to view only email services for the last three days.

To change the graphical information


1 Go to Log&Report > Report Access > Memory.
2 Select the time period to include in the graph from the Time Period list.
3 Clear the services to exclude them from the graph. All services are selected by default.
4 Select Apply.
The graph refreshes and displays the content you specified in the above procedure.
The Top Protocols Ordered by Total Volume graph does not change.

Note: If you require a more specific and detailed report, you can configure a simple report
from the FortiAnalyzer web-based manager or CLI. The FortiAnalyzer unit can generate
over 140 different reports providing you with more options than the FortiGate unit provides.
If you need to configure a FortiAnalyzer report schedule, see “FortiAnalyzer report
schedules” on page 627.

FortiAnalyzer report schedules


You can configure a FortiAnalyzer report schedule from FortiGate logs in the web-based
manager or CLI. You need to configure a report layout before configuring a report
schedule. Contact a FortiAnalyzer administrator before configuring report schedules from
the FortiGate unit to verify that the appropriate report layout is configured. Report layouts
can only be configured from the FortiAnalyzer unit.
For information about how to configure a report layout, see the FortiAnalyzer
Administration Guide.
The following procedure describes how to clone a report schedule. When you clone a
report schedule, a duplicate of the original is used as a basis for a new one.
To view the list of report schedules, go to Log&Report > Report Config.
To configure a report schedule, go to Log&Report > Report Config, select Create New,
enter the appropriate information and then select OK.

Figure 425: Report schedules in Report Config (Delete, Edit and Clone icons)

General report schedule settings


Create New Create a new report schedule.
Name The name of the report schedule.
Description The comment made when the report schedule was created.
Report Layout The name of the report layout used for the report schedule.
Schedule When the report schedule will be generated. The time depends on
what time period was selected when the report schedule was created:
once, daily, or specified days of the week.
For example, if you select monthly, the days of the month and time
(hh:mm) will appear in the format Monthly 2, 10, 21, 12:00.
Delete and Edit icons Delete or edit a report schedule in the list.
Clone icons Select Clone to create a duplicate of the report schedule and use it as
a basis for a new report schedule.
Report schedule configuration settings
Name Enter a name for the schedule.
Description Enter a description for the schedule. This is optional.
Report Layout Select a configured report layout from the list. You must apply a report
layout to a report schedule. For more information, see the
FortiAnalyzer Administration Guide.
Language Select the language you want used in the report schedule from the list.
Schedule Select one of the following to have the report generate once only,
daily, weekly, or monthly at a specified date or time period.


Once Select to have the report generated only once.


Daily Select to generate the report every day at the same time, and then
enter the hour and minute for the report. The format is
hh:mm.
These Days Select to generate the report on specified days of the week, and then
select the days of the week check boxes.
These Dates Select to generate the report on a specific day or days of the month,
and then enter the days with a comma to separate them. For example,
if you want to generate the report on the first day, the 21st day and
30th day, enter: 1, 21, 30.
Log Data Filtering You can specify the following variables for the report:
Virtual Domain Select to create a report based on virtual domains. Enter a specific
virtual domain to include in the report.
User Select to create a report based on a network user. Enter the user or
users in the field, separated by spaces. If a name or group name
contains a space, it should be specified between quotes, for example,
“user 1”.
Group Select to create a report based on a group of network users, defined
locally. Enter the name of the group or groups in the field.
LDAP Query Select the LDAP Query check box and then select an LDAP directory
or Windows Active Directory group from the list.
Time Period Select to include the time period of the logs to include in the report.
Relative to Report Runtime Select a time period from the list. For example, this year.
Specify Select to specify the date, day, year and time for the report to run.
From – Select the beginning date and time of the log time range.
To – Select the ending date and time of the log time range.
Output Select the format you want the report to be in and if you want to apply
an output template.
Output Types Select the type of file format for the generated report. You can choose
from PDF, MS Word, Text, and MHT.
Email/Upload Select the check box if you want to apply a report output template from
the list.
This list is empty if a report output template does not exist. For more
information, see the FortiAnalyzer Administration Guide.

Note: FortiAnalyzer reports do not appear if the FortiGate unit is not connected to a
FortiAnalyzer unit, or if the FortiAnalyzer unit is not running firmware 3.0 or higher.

To clone a report schedule


1 Go to Log&Report > Report Config.
2 Select Clone in the same row of the report schedule that will be the basis of a new
report schedule.
3 Rename the report schedule.
The report schedule is renamed, for example, CloneOfFGT_100A.
4 Enter the appropriate information and select OK.


Viewing FortiAnalyzer reports


After the FortiAnalyzer unit generates the report, it appears on the Report Access page.
All reports are listed on the page, including the rolled reports. A list displays the generated
report schedules as well as other reports that the FortiAnalyzer unit generated.
To view reports, go to Log&Report > Report Access and select a report name in the
Report Files column. You can also select the Expand Arrow to view the rolled report and
view the entire report. After viewing the report, select Historical Reports to return to the
list.

Figure 426: Generated reports displayed in Report Access

Report Files The name of the generated report. Select the name to view the report.
You can also select the Expand Arrow to view the report and then select the
rolled report to view it.
Date The date the report was generated on.
Size(bytes) The size of the report in bytes.
Other Formats Displays the formats PDF, RTF or MHT or all if these formats were chosen in the
report schedule.

Printing your FortiAnalyzer report


After the FortiAnalyzer unit generates the report, you may want to print the report to have
as a hardcopy reference or for a presentation. To print a FortiAnalyzer report, go to
Log&Report > Report Access, select the report you want printed from the list and then
select Print.

Index

Index
Numerics custom firewall service, 350
custom service, firewall, 350
802.3ad aggregate interface custom signatures, 445
creating, 128 customized CLI console, 66
DHCP interface settings, 130
A DHCP relay agent, 173
DHCP server, 173
accept action Directory Service server, 551, 552
firewall policy, 597 Directory Service user groups, 556
access profile, See admin profile, 218 DoS sensors, 455
accessing logs stored in hard disk, 616 Dynamic DNS on an interface, 133
action dynamic virtual IP, 372
firewall policy, 316 event logs, 613
spam filter banned word, 482 fail-open, IPS, 458
spam filter IP address, 484 firewall address, 341
action type firewall address group, 342
spam filter email address, 487 firewall policy, 315, 316, 411
active sessions firewall policy traffic logging, 612
HA statistics, 183 firewall policy, adding to VLAN subinterface, 157
active-passive firewall policy, modem connections, 145
WAN optimization, 569 firewall protection profile, 393
ActiveX filter firewall schedule, 355
protection profile, 399 firewall service group, 352
add signature to outgoing email firewall user groups, 555
protection profile, 397 firewall virtual IP, 359
firmware upgrade, 253
adding, configuring or defining
firmware version, 80
admin profile, 219
FortiAnalyzer report schedules, 627
administrative access to interface, 136
FortiGuard override options for a user group, 560
administrator account, 206
FortiGuard Web Filtering options, 400
administrator password, 206
FortiWiFi-50B settings, 162, 164
administrator settings, 222
FortiWiFi-60A settings, 162, 164
ADSL interface settings, 127
FortiWiFi-60AM, 164
alert email, 623
FortiWiFi-60AM settings, 162
antispam advanced options, 487
FortiWiFi-60B settings, 162, 164
antispam email address list, 486, 487
gateway for default route, 277
antispam IP address, 485
grayware list, 437
antispam IP address list, 483
HA, 177
antivirus file filter list, 431, 432
HA device priority, 184
antivirus file patterns, 432
HA subordinate unit host name, 184
antivirus file quarantine, 432
health check monitor, 387
antivirus log, 615
IM/P2P/VoIP applications, older versions, 543
antivirus quarantine options, 435
interface settings, 123
antivirus scanning options, 396
inter-VDOM links, 112
application control options, 405
IP pool, 378
attack log (IPS), 616
IPS log (attack), 616
authentication settings, 561
IPS options, 398
authentication, firewall policy, 321
IPS sensor filters, 450
automatic discovery, 608
IPS sensors, 447
autosubmit list, 435
IPSec encryption policy, 324
banned word list, 480, 482
IPSec VPN concentrator, 519
basic traffic report, graphical view, 627
IPSec VPN phase 1, 508
BFD, 301
IPSec VPN phase 1 advanced options, 510
BFD on BGP, 302
IPSec VPN phase 2, 512
BFD on OSPF, 302
IPSec VPN phase 2 advanced options, 513
BGP settings, 296
IPv6 support, 224
CA certificates, 243
LDAP authentication, 210
Certificate Revocation List (CRL), 245
LDAP server, 546, 547
cipher suite, 527
license key, 269
combined IP pool and virtual IP, 378
local ratings, 475
content archive, 622

FortiGate Version 4.0 Administration Guide


01-400-89802-20090219 631
http://docs.fortinet.com/ • Feedback
Index

local URL block categories, 474 system certificates, 240


local user account, 540 system configuration backup and restore, 248
log message display, 620 system configuration backup and restore, FortiManager,
logging options, 405 250
logging to a FortiAnalyzer unit, 606 system configuration, central management options, 252
logging to a FortiGuard Analysis server, 610 system status widgets, 66
logging to a Syslog server, 611 system time, 79
logging to memory, 610 TACACS+ authentication, 212
logging to WebTrends, 612 TACACS+ server, 549, 550
MAC filter list, 166 topology diagram, 91, 92
modem connections, firewall policy, 145 updates for FDN and FortiGuard services, 260
modem interface, 140 URL filter list, 467, 469
MTU size, 137 URL overrides, 472
multicast settings, 298 user authentication settings, 561
NAT virtual IP, 366 user group, 558
OCSP certificates, 243 user groups, 554
one-time schedule, 357 VDOM configuration settings, 105, 110
OSPF areas, 292 VDOM configuration settings, advanced, 108
OSPF AS, 289 VDOM configuration settings, global, 106
OSPF basic settings, 290 VDOM interface, 112
OSPF interface, operating parameters, 294 VDOM, new, 110
OSPF networks, 294 VIP group, 374
OSPF settings, advanced, 291 virtual IP, 364
override server, 266 virtual IP group, 374
password, 208 virtual IP, port translation only, 373
password, administrator, 206 virtual IPSec interface, 134
peer users and peer groups, 553 VLAN subinterface, 153
ping server, 147 VPN firewall policy-based internet browsing, 518
PKI authentication, 214 VPN route-based internet browsing, 518
policy, 316, 321 web content block list, 463, 464
policy route, 280 web content exempt list, 465, 466
PPPoE or PPPoA interface settings, 132 web filtering options, 398
PPTP range, 521, 523 wireless interface, 164
PPTP VPN, 521, 523 zone, 139
protection profile, 392 address
push updates, 267 firewall address group, 342
RADIUS authentication, 208 list, 340
RADIUS server, 544 address group, 342
recurring schedule, 356 adding, 342
redundant interface, 129 creating new, 342
redundant mode, 143 list, 342
remote authentication, 208 Address Name
RIP settings, advanced, 286 firewall address, 341
RIP settings, basic, 284 admin
RIP-enabled interface, 287 administrator account, 47
scripts, 257
admin profile
secondary IP address, 137
administrator account, 216
SIP, 418
CLI commands list, 217
SIP advanced features, 420
configuring, 219
SNMP community, 186
viewing list, 218
socket-size, IPS, 458
spam filter log, 615 administrative access
spam filtering options, 402 changing, 48
SSL VPN options, firewall policy, 325 interface settings, 126, 135, 138
SSL VPN settings, 526 monitoring logins, 223
SSL VPN user groups, 557 administrative distance, 272
standalone mode, 144 administrative interface. See web-based manager
static NAT port forwarding, IP address and port range, 371 administrator
static NAT port forwarding, single address and port, 369 assigning to VDOM, 114
static NAT virtual IP, IP address range, 367 administrator account
static route (transparent mode), 150 admin, 47
static route, adding to routing table, 278 admin profile, 216
subnet object, 91 configuring, 206
system administrators, 203 netmask, 207

FortiGate Version 4.0 Administration Guide


632 01-400-89802-20090219
http://docs.fortinet.com/ • Feedback
Index

administrator password
    changing, 47
administrator settings, 222
administrators
    viewing list, 205
administrators, monitoring, 223
ADSL, 127, 132
Advanced Mezzanine Card (AMC), 71
adware
    grayware category, 437
AFS3, advanced file security encrypted file
AFS3, 346
age limit
    quarantine, 436
aggregate interface
    creating, 128
AH, predefined service, 346
alert email
    options, 623
    SMTP user, 624
alert mail messages, 196
Alert Message Console
    clearing messages, 73
alert message console
    viewing, 73
ALG
    controlling the SIP ALG, 423
    SIP, 415
allow inbound
    IPSec firewall policy, 324
allow outbound
    IPSec firewall policy, 324
allow web sites when a rating error occurs
    protection profile, 401
AMC module, 121
antispam
    port 53, 263
    port 8888, 263
antispam email address list
    adding, 486
    viewing, 486
antispam IP address list
    viewing, 484
antispam. See also spam filter, 477
antivirus
    adware grayware, 437
    av_failopen, 438
    BHO grayware, 437
    CLI configuration, 438
    configure antivirus heuristic, 438
    configuring grayware list, 437
    dial grayware, 437
    download grayware, 438
    file block, 429
    file block list, 431
    game grayware, 438
    heuristics, 438
    hijacker grayware, 438
    joke grayware, 438
    keylog grayware, 438
    misc grayware, 438
    NMT grayware, 438
    optimize, 438
    P2P grayware, 438
    plugin grayware, 438
    quarantine, 432
    quarantine files list, 433
    RAT grayware, 438
    scanning large files, 439
    splice, 397
    spy grayware, 438
    streaming mode, 397
    system global av_failopen, 438
    system global optimize, 438
    toolbar grayware, 438
    virus list, 436
antivirus and attack definitions, 265
antivirus options
    protection profile, 396
antivirus updates, 265
    manual, 84
    through a proxy server, 266
ANY
    service, 346
AOL
    service, 346
append tag format
    protection profile, 403
append tag to location
    protection profile, 403
application control, 499
    statistics, 503
application level gateway
    SIP, 415
application list
    SIP, 420
area border router (ABR), 288, 293
ARP, 364, 384
    proxy ARP, 364, 384
AS
    OSPF, 288
attachments
    viruses, 196
attack updates
    manual, 84
    scheduling, 265
    through a proxy server, 266
Authentication
    IPSec VPN, phase 2, 514
authentication
    client certificates and SSL VPN, 526
    configuring remote authentication, 208
    defining settings, 561
    firewall policy, 321, 327
    MD5, 293
    RIP, 288
    server certificate and SSL VPN, 526
    WAN optimization, 571
Authentication Algorithm
    IPSec VPN, manual key, 516, 517
Authentication Key
    IPSec VPN, manual key, 517
Authentication Method
    IPSec VPN, phase 1, 509


Auto Key
    IPSec VPN, 507
Autokey Keep Alive
    IPSec VPN, phase 2, 514
automated mode
    WAN optimization, 569
automatic discovery, 608
autonomous system (AS), 288, 296
AutoSubmit
    quarantine, 436
autosubmit list
    configuring, 435
    enabling uploading, 435
    quarantine files, 434
av_failopen
    antivirus, 438

B

back to HA monitor
    HA statistics, 183
backing up
    2.80 MR11 configuration, 94
    3.0 config to FortiUSB, 95
    config using web-based manager, 2.80 MR11, 94
    FortiGate configuration, 50
backup (redundant) mode
    modem, 140
backup and restore, system maintenance, 248
backup mode
    modem, 143
band
    wireless setting, 163
bandwidth
    guaranteed, 320, 411
    maximum, 320, 412, 573, 595
banned word
    web content block, 464, 466
banned word (spam filter)
    action, 482
    adding words to the banned word list, 482
    catalog, 480
    language, 481, 482
    list, 481
    pattern, 481, 482
    pattern type, 481, 482
banned word check
    protection profile, 403
banned word list
    creating new, 480
banned word list catalog
    viewing, 480
beacon interval
    wireless setting, 163
BFD
    configuring on BGP, 302
    configuring on OSPF, 302
    disabling, 302
BGP
    AS, 296
    flap, 296
    graceful restart, 296
    MED, 296
    RFC 1771, 296
    service, 346
    settings, viewing, 296
    stabilizing the network, 296
BHO
    grayware category, 437
black/white list, 483
blackhole route, 273
block, 421
block login (IM)
    protection profile, 405
Boot Strap Router (BSR), 298
BOOTP, 175
browsing log information, 618
button bar
    features, 50

C

CA certificates
    importing, 243
    viewing, 243
cache
    WAN optimization web caching, 575
    web, 575
catalog
    banned word, 480
    content block, 462
    content exempt, 464
    email address black/white list, 485
    IP address black/white list, 483
    URL filter, 467
    viewing file pattern, 430
category
    protection profile, 401
category block
    configuration options, 471
central management, 220
Certificate Name
    IPSec VPN, phase 1, 509
certificate, security. See system certificate
certificate, server, 526
certificate. See system certificates
channel
    wireless setting, 163
CIDR, 339, 591
cipher suite
    SSL VPN, 527
CLI, 46
    admin profile, 217
    connecting to from the web-based manager, 49
CLI command
    PPTP tunnel setup, 523


CLI configuration
    antivirus, 438
    customizing CLI console, 66
    system network, 135
    using in web-based manager, 75
    web category block, 476
CLI console, 75
client certificates
    SSL VPN, 526
client/server
    WAN optimization, 569
cluster member, 180
cluster members list, 182
    priority, 182
    role, 182
cluster unit
    disconnecting from a cluster, 184
code, 351
column settings, 620
    configuring, 60
    system network, 122
    using with filters, 61
comfort clients
    protection profile, 397
comments
    firewall policy, 321, 327
comments, documentation, 43
concentrator
    adding, 519
    equivalent for route-based VPN, 506
    IPSec tunnel mode, 518
    IPSec VPN, policy-based, 518
Concentrator Name
    IPSec VPN, concentrator, 519
config antivirus heuristic
    CLI command, 438
configuration
    backing up FortiGate configuration, 50
configuring
    WAN optimization peer, 594
    WAN optimization rule, 572
connect to server, 127
connecting
    modem, dialup account, 145
    web-based manager, 46
conservation mode, 191
contact information
    SNMP, 186
contacting customer support, 50
content archive
    viewing, 86
content block
    catalog, 462
    web filter, 462
content exempt
    catalog, 464
content filtering mode
    HTTPS, 395
content streams
    replacement messages, 195
cookie filter
    protection profile, 399
CPU load, 109
CPU usage
    HA statistics, 183
CRL (Certificate Revocation List)
    importing, 245
    viewing, 244
custom service
    adding, 350
    adding a TCP or UDP custom service, 350
    list, 350
custom signatures
    intrusion protection, 445
    viewing, 445
customer service, 42, 109
customer support
    contacting, 50
customized GUI
    PPTP tunnel setup, 521
CVSPSERVER, concurrent versions system proxy server, 346

D

dashboard, 46, 65
dashboard statistics
    protection profile, 404
data encryption
    wireless setting, 165
data leak prevention sensor, 404
data leak protection, 491
    compound rule, 497
    rule, 494
    sensor, 491
date
    quarantine files list, 433
DC
    quarantine files list, 434
DCE-RPC
    firewall service, 346
Dead Peer Detection
    IPSec VPN, phase 1, 512
default gateway, 275
default route, 275
Designated Routers (DR), 298
destination
    firewall policy, 316, 319, 323, 326
destination IP address
    system status, 85
destination NAT
    SIP, 416
destination network address translation (DNAT)
    virtual IPs, 361, 362
destination port, custom services, 351
device priority
    HA, 179
    subordinate unit, 184
DH Group
    IPSec VPN, phase 1, 512
    IPSec VPN, phase 2, 514


DHCP
    and IP Pools, 320
    configuring relay agent, 173
    configuring server, 173
    servers and relays, 171
    service, 172
    system, 171
    transparent mode, 171
    viewing address leases, 175
DHCP (Dynamic Host Configuration Protocol), 127
    configuring on an interface, 130
    service, 346
DHCP6
    service, 346
DHCP-IPSec
    IPSec VPN, phase 2, 514
diagnose
    commands, 49
diagram
    topology viewer, 88
dial
    grayware category, 437
dialup VPN
    monitor, 519
differentiated services
    firewall policy, 332
differentiated services code point (DSCP), 332
DiffServ
    firewall policy, 332
Directory Service
    configuring server, 551, 552
    FSAE, 552
disconnecting
    modem, dialup account, 145
disk space
    quarantine, 436
display content meta-information on dashboard
    protection profile option, 404
display content meta-information on the system dashboard
    protection profile, 404
Distinguished Name
    query, 548
DLP. See data leak protection
DNAT
    virtual IPs, 361, 362
DNS
    service, 346
documentation
    commenting on, 43
    Fortinet, 43
domain name, 340
DoS policy, 330
    configuring, 331
    viewing, 330
DoS sensor, 455
    IPS, 398
    list, 455
    SCCP, 419
    SIP, 419
dotted-decimal notation, 292
double NAT, 378
downgrading. See also reverting
    2.80 MR11 using the CLI, 100
    2.80 MR11 using web-based manager, 99
download
    grayware category, 438
    quarantine files list, 434
DSCP, 332
duplicates
    quarantine files list, 434
Dynamic DNS
    IPSec VPN, phase 1, 508
    monitor, 519
    network interface, 133
    VPN IPSec monitor, 519
dynamic IP pool
    SIP, 417
dynamic routing, 283
    OSPF, 288
    PIM, 297
dynamic virtual IP
    adding, 372

E

ECMP, 273
eip
    vpn pptp, 523
email address
    action type, 487
    adding to the email address list, 487
    black/white list catalog, 485
    BWL check, protection profile, 403
    list, spam filter, 486
    pattern type, 486
email blocked as spam, 196
enable FortiGuard Web Filtering
    protection profile, 400
enable FortiGuard Web Filtering overrides
    protection profile, 400
Enable perfect forward secrecy (PFS)
    IPSec VPN, phase 2, 514
Enable replay detection
    IPSec VPN, phase 2, 514
enable session pickup
    HA, 180
Encryption
    IPSec VPN, phase 2, 514
Encryption Algorithm
    IPSec VPN, manual key, 516, 517
Encryption Key
    IPSec VPN, manual key, 517
end IP
    IP pool, 377
Endpoint compliance
    firewall policy options, 329
Equal Cost Multipath (ECMP), 273
ESP
    service, 346
Ethernet over ATM (EoA), 127
example
    firewall policy, 332
    source IP address and IP pool address matching, 376


exclude range
    adding to DHCP server, 175
expire
    system status, 85
expired
    subscription, 261
explicit mode
    WAN optimization, 570, 592
exported server certificates
    importing, 241
external interface
    virtual IP, 364
external IP address
    virtual IP, 364
external service port
    virtual IP, 365

F

fail-open, CLI command for IPS, 458
FDN
    attack updates, 201
    HTTPS, 264
    override server, 262
    port 443, 264
    port 53, 263
    port 8888, 263
    port forwarding connection, 267
    proxy server, 266
    push update, 262
    troubleshooting connectivity, 264
    updating antivirus and attack definitions, 265
FDS, 258
file block
    antivirus, 429
    default list of patterns, 429
    list, antivirus, 431
    protection profile, 397
file name
    quarantine files list, 433
file pattern
    catalog, 430
    quarantine autosubmit list, 434
filter
    filtering information on web-based manager lists, 56
    IPS sensor, 450
    quarantine files list, 433
    using with column settings, 61
    web-based manager lists, 56
FINGER
    service, 346
firewall, 313, 339, 345, 355, 359, 391
    address list, 340
    configuring, 313, 339, 391
    configuring firewall service, 345
    configuring service group, 352
    configuring virtual IP, 359
    configuring, schedule, 355
    custom service list, 350
    one-time schedule, 356
    overview, 313, 339, 345, 391
    overview, firewall schedule, 355
    overview, virtual IP, 359
    policy list, 315
    policy matching, 313, 574
    predefined services, 345
    recurring schedule, 355
    virtual IP list, 363
firewall address
    adding, 341
    address group, 342
    address name, 341
    create new, 340
    IP range/subnet, 341
    list, 340
    name, 340
    subnet, 341
firewall address group
    adding, 342
    available addresses, 343
    group name, 343
    members, 343
firewall IP pool list, 377
firewall IP pool options, 378
firewall load balancing
    WAN optimization, 571
firewall policy
    accept action, 597
    action, 316
    adding, 316
    adding a protection profile, 392
    allow inbound, 324
    allow outbound, 324
    authentication, 321, 327
    changing the position in the policy list, 314, 575
    comments, 321, 327
    configuring, 316
    creating new, 315, 411
    deleting, 314, 575
    destination, 316, 319, 323, 326
    differentiated services, 332
    DiffServ, 332
    Endpoint compliance, 329
    example, 332
    guaranteed bandwidth, 320, 411
    ID, 316
    identity-based, 322
    inbound NAT, 325
    insert policy before, 316, 573
    list, 315
    log traffic, 321, 323, 328
    matching, 313, 574
    maximum bandwidth, 320, 412, 573, 595
    modem, 145
    moving, 314, 575
    multicast, 315
    outbound NAT, 325
    protection profile, 320, 327
    schedule, 316, 319
    service, 316, 319
    source, 316, 318, 326
    SSL VPN options, 325
    traffic priority, 573, 595
    traffic shaping, 320, 323, 328
    user groups, 555


firewall protection profile
    default protection profiles, 392
    list, 393
    options, 393
firewall service
    AFS3, 346
    AH, 346
    ANY, 346
    AOL, 346
    BGP, 346
    CVSPSERVER, 346
    DCE-RPC, 346
    DHCP, 346
    DHCP6, 346
    DNS, 346
    ESP, 346
    FINGER, 346
    FTP, 346
    FTP_GET, 346
    FTP_PUT, 346
    GOPHER, 346
    GRE, 346
    group list, 352
    H323, 346
    HTTP, 347
    HTTPS, 347
    ICMP_ANY, 347
    IKE, 347
    IMAP, 347
    INFO_ADDRESS, 347
    INFO_REQUEST, 347
    Internet-Locator-Service, 347
    IRC, 347
    L2TP, 347
    LDAP, 347
    MGCP, 347
    MS-SQL, 347
    MYSQL, 347
    NetMeeting, 347
    NFS, 347
    NNTP, 347
    NTP, 347
    ONC-RPC, 347
    OSPF, 347
    PC-Anywhere, 347
    PING, 348
    PING6, 348
    POP3, 348
    PPTP, 348
    QUAKE, 348
    RAUDIO, 348
    REXEC, 348
    RIP, 348
    RLOGIN, 348
    RSH, 348
    RTSP, 348
    SAMBA, 348
    SCCP, 348
    SIP, 348
    SIP-MSNmessenger, 348
    SMTP, 349
    SNMP, 349
    SOCKS, 349
    SQUID, 349
    SSH, 349
    SYSLOG, 349
    TALK, 349
    TCP, 349
    TELNET, 349
    TFTP, 349
    TIMESTAMP, 349
    UDP, 349
    UUCP, 349
    VDOLIVE, 349
    viewing custom service list, 350
    viewing list, 345
    VNC, 349
    WAIS, 349
    WINFRAME, 349
    WINS, 349
    X-WINDOWS, 349
firmware
    reverting to previous version, 82
    upgrading to a new version, 81
    viewing, 253
fixed port
    IP pool, 376
FortiAnalyzer, 37, 607
    accessing logs, 617
    configuring report schedules, 627
    logging to, 606
    printing reports, 630
    VDOM, 104
FortiBridge, 37
FortiClient, 37
    system maintenance, 248
FortiGate 4000, 121
FortiGate documentation
    commenting on, 43
FortiGate logging, 603
FortiGate SNMP event, 188
FortiGate unit
    registering, 50
FortiGate-ASM-FB4, 121
FortiGuard, 37
    changing the host name, 476
    CLI configuration, 476
    configuration options, 471
    configuring FortiGuard Web filtering options, 400
    manually configuring definition updates, 84
    override options for user group, 560
    web filter, 470
FortiGuard Analysis Service, 604
    accessing logs on FortiGuard Analysis server, 618
    portal web site, 605
FortiGuard Antispam
    email checksum check, 403
    IP address check, 402
FortiGuard Distribution Network. See FDN
FortiGuard Distribution Server. See FDS
FortiGuard Management Services
    remote management options, 251


FortiGuard Services, 259
    antispam service, 259
    configuring antispam service, 259
    configuring updates for FDN and services, 260
    configuring web filter service, 260
    FortiGuard Management and Analysis Services, 260
    licenses, 68, 259
    management and analysis service options, 264
    support contract, 260
    web filtering, 259
    web filtering and antispam options, 263
FortiMail, 37
FortiManager, 37
FortiManager Management Services
    revision control, 255
Fortinet
    customer service, 109
    updating antivirus and attack definitions, 265
Fortinet customer service, 42
Fortinet documentation, 43
Fortinet Family Products, 37
Fortinet Knowledge Center, 43
Fortinet MIB, 188, 192
FortiWiFi-50B
    wireless settings, 162
FortiWiFi-60A
    wireless settings, 162
FortiWiFi-60AM
    wireless settings, 162
FortiWiFi-60B
    wireless settings, 162
fragmentation threshold
    wireless setting, 165
FSAE
    Directory Service server, 552
FTP
    service, 346
FTP_GET
    service, 346
FTP_PUT
    service, 346
fully qualified domain name (FQDN), 340

G

game
    grayware category, 438
geography
    wireless setting, 163
GOPHER
    service, 346
graceful restart, 296
graphical user interface. See web-based manager
grayware
    adware, 437
    antivirus, 437
    BHO, 437
    dial, 437
    download, 438
    game, 438
    hijacker, 438
    joke, 438
    keylog, 438
    misc, 438
    NMT, 438
    P2P, 438
    plugin, 438
    RAT, 438
    spy, 438
    toolbar, 438
GRE, 288
    service, 346
group name
    HA, 179
grouping services, 352
groups
    user, 554
guaranteed bandwidth
    firewall policy, 320, 411
    traffic shaping, 320, 411
GUI. See web-based manager

H

H323
    service, 346
HA, 177, 182
    changing cluster unit host names, 182
    cluster logging, 606
    cluster member, 182
    cluster members list, 180
    configuring, 177
    device priority, 179
    disconnecting a cluster unit, 184
    enable session pickup, 180
    group name, 179
    heartbeat interface, 180
    host name, 182
    interface monitoring, 180
    mode, 179
    out of band management, 121
    password, 180
    port monitor, 180
    router monitor, 310
    routes, 310
    session pickup, 180
    subordinate unit device priority, 184
    subordinate unit host name, 184
    VDOM partitioning, 180
    viewing HA statistics, 182


HA statistics
    active sessions, 183
    back to HA monitor, 183
    CPU usage, 183
    intrusion detected, 183
    memory usage, 183
    monitor, 183
    network utilization, 183
    refresh every, 183
    status, 183
    total bytes, 183
    total packets, 183
    unit, 183
    up time, 183
    virus detected, 183
health check monitor
    configuring, 387
heartbeat, HA
    interface, 180
HELO DNS lookup
    protection profile, 403
help
    navigating using keyboard shortcuts, 53
    searching the online help, 52
    using FortiGate online help, 51
heuristics
    antivirus, 438
    quarantine, 439
high availability. See HA, 177
hijacker
    grayware category, 438
host name
    changing, 80
    changing for a cluster, 182
    viewing, 80
hostname
    cluster members list, 182
HTTP, 387
    service, 347
    virus scanning large files, 439
HTTPS, 45, 201
    service, 347
HTTPS content filtering mode, 395
hub-and-spoke
    IPSec VPN (see also concentrator), 506

I

ICMP custom service, 351
    code, 351
    protocol type, 351
    type, 351
ICMP echo request, 387
ICMP_ANY
    service, 347
ID
    firewall policy, 316
identity-based
    firewall policy, 322
identity-based firewall policy
    WAN optimization, 571
idle timeout
    changing for the web-based manager, 49
IEEE 802.11a, channels, 160
IEEE 802.11b, channels, 161
IEEE 802.11g, channels, 161
IEEE 802.3ad, 128
IKE
    service, 347
IMAP
    service, 347
inbound NAT
    IPSec firewall policy, 325
INFO_ADDRESS
    service, 347
INFO_REQUEST
    service, 347
insert policy before
    firewall policy, 316, 573
interface
    adding system settings, 123
    administrative access, 126, 135, 138
    administrative status, 121
    configuring administrative access, 136
    GRE, 288
    IP pool, 378
    loopback, 121, 274
    modem, configuring, 140
    MTU, 126
    proxy ARP, 364, 384
    software switch, 125
    wireless, 159
    WLAN, 159
Interface Mode, 123
interface monitoring
    HA, 180
internet browsing
    IPSec VPN configuration, 518
Internet-Locator-Service
    service, 347
inter-VDOM links, 112
introduction
    Fortinet documentation, 43
intrusion detected
    HA statistics, 183
intrusion protection
    custom signature list, 445
    DoS sensor list, 455
    DoS sensor, protection profile, 398
    fail-open, CLI command for IPS, 458
    filter, 450
    IPS sensor list, 447
    IPS sensor, protection profile, 398
    predefined signature list, 443
    protection profile options, 398
    protocol decoder, 446
    protocol decoder list, 446
    signatures, 443
    socket-size, CLI command for IPS, 458
IP
    virtual IP, 363


IP address
    action, antispam, 484
    antispam black/white list catalog, 483
    BWL check, protection profile, 403
    defining PPTP range, 521, 523
    IPSec VPN, phase 1, 508
    list, spam filter, 484
    PPTP user group, 521, 523
    spam filter, 483
IP address, configuring secondary, 137
IP custom service, 352
    protocol number, 352
    protocol type, 352
IP over ATM (IPoA), 127
IP pool
    adding, 378
    configuring, 378
    creating new, 377
    DHCP, 320
    end IP, 377
    fixed port, 376
    interface, 378
    IP range/subnet, 378, 379
    list, 377
    name, 378, 379
    options, 378
    PPPoE, 320
    proxy ARP, 364, 384
    SIP, 417
    start IP, 377
    transparent mode, 380
IP range/subnet
    firewall address, 341
    IP pool, 378, 379
IPS
    see intrusion protection
IPS sensor
    filter, 450
    options, protection profile, 398
IPSec, 288
IPSec firewall policy
    allow inbound, 324
    allow outbound, 324
    inbound NAT, 325
    outbound NAT, 325
IPSec Interface Mode
    IPSec VPN, manual key, 517
    IPSec VPN, phase 1, 511
IPSec VPN
    adding manual key, 516
    authentication for user group, 555
    Auto Key list, 507
    concentrator list, 518
    configuring phase 1, 508
    configuring phase 1 advanced options, 510
    configuring phase 2, 512
    configuring phase 2 advanced options, 513
    configuring policy-, route-based Internet browsing, 518
    Manual Key list, 515
    monitor list, 519
    remote gateway, 555
    route-based vs policy-based, 506
IPv6, 224, 274
IPv6 support
    settings, 223
IRC
    service, 347
iSCSI, 572
ISP, 127

J

java applet filter
    protection profile, 399
joke
    grayware category, 438

K

Keepalive Frequency
    IPSec VPN, phase 1, 512
key
    license, 269
    wireless setting, 165
keyboard shortcut
    online help, 53
Keylife
    IPSec VPN, phase 1, 512
    IPSec VPN, phase 2, 514
keylog
    grayware category, 438

L

L2TP, 555
    service, 347
language
    changing the web-based manager language, 48
    spam filter banned word, 481, 482
    web content block, 464, 466
    web-based manager, 48, 223
LDAP
    configuring server, 546, 547
    service, 347
    user authentication, 540
LDAP Distinguished Name query, 548
LDAP server
    authentication, 208
    configuring authentication, 210
license key, 269
licenses
    viewing, 68
lists
    using web-based manager, 55
load balancer, 383
load balancing
    WAN optimization, 571
local certificates
    options, 238
    viewing, 237
Local Gateway IP
    IPSec VPN, phase 1, 511
Local ID
    IPSec VPN, phase 1, 512


Local Interface
    IPSec VPN, manual key, 517
    IPSec VPN, phase 1, 509
local ratings
    configuring, 475
local ratings list
    viewing, 474
Local SPI
    IPSec VPN, manual key, 517
local user, 540
local user account
    configuring, 540
log
    attack anomaly, 616
    attack signature, 616
    column settings, 620
    messages, 618
    raw or formatted, 619
    to FortiAnalyzer, 607
    traffic, firewall policy, 321, 323, 328
log messages
    viewing, 618
log traffic
    firewall policy, 321, 323
log types, 612
    antivirus, 615
    attack, 616
    event, 613
    spam filter, 615
    traffic, 612
    web filter, 615
logging, 616
    accessing logs in memory, 616
    accessing logs on FortiAnalyzer unit, 617
    accessing logs on FortiGuard Analysis server, 618
    ActiveX filter, 406
    alert email, configuring, 623
    applying through protection profile, 405
    basic traffic reports, 625
    blocked files, 406
    browsing log messages, 618
    cluster, HA, 606
    configuring content archive, 622
    configuring FortiAnalyzer report schedules, 627
    configuring graphical system memory report, 627
    connecting using automatic discovery, 608
    content archive, 622
    content block, 406
    cookie filter, 406
    customizing display of log messages, 620
    FortiGuard Analysis server, 610
    IM activity, 406
    intrusions, 406
    java applet filter, 406
    log severity levels, 605
    log types, 612
    oversized files/emails, 406
    P2P activity, 406
    printing FortiAnalyzer reports, 630
    rating errors, 406
    reports, 625
    searching, filtering logs, 621
    SIP, 420
    spam, 406
    storing logs, 606
    testing FortiAnalyzer configuration, 608
    to a FortiAnalyzer unit, 606
    to memory, 610
    to syslog server, 611
    to WebTrends, 612
    URL block, 406
    viewing content archives, 623
    viewing raw or formatted logs, 619
    viruses, 406
    web site, FortiGuard Analysis Service, 605
logging out
    web-based manager, 54
loopback interface, 121, 274
lost password
    recovering, 47, 207, 208
low disk space
    quarantine, 436

M

MAC address
    filtering, 166
MAC filter
    wireless, 166
MAC filter list
    configuring, 166
    viewing, 166
major version, 81
management VDOM, 111, 115
Manual Key
    IPSec VPN, 515
map to IP
    virtual IP, 363
map to port
    virtual IP, 363, 365
matched content, 388
matching
    firewall policy, 313, 574
max filesize to quarantine
    quarantine, 436
maximum bandwidth, 320, 412, 573, 595
    firewall policy, 320, 412, 573, 595
    traffic shaping, 320, 412, 573, 595
MD5
    OSPF authentication, 293, 295
Members
    IPSec VPN, concentrator, 519
memory, 109
memory usage
    HA statistics, 183
menu
    web-based manager menu, 54
messages, log, 618
MGCP
    service, 347
mheader, 487
MIB, 192
    FortiGate, 188
    RFC 1213, 188
    RFC 2665, 188


minor version, 81
misc
    grayware category, 438
Mode
    IPSec VPN, phase 1, 509
mode
    HA, 179
modem
    adding firewall policies, 145
    backup mode, 143
    connecting and disconnecting to dialup account, 145
    redundant (backup) mode, 140
    standalone mode, 140, 144
    viewing status, 145
modem interface
    configuring, 140
monitor
    administrator logins, 223
    HA statistics, 183
    IPSec VPN, 519
    routing, 309
monitored ports, 395
monitoring
    WAN optimization, 596
moving a firewall policy, 314, 575
MS-CHAP, 544
MS-CHAP-V2, 544
MS-SQL
    service, 347
MTU size, 126, 137
multicast, 297
multicast destination NAT, 300
multicast policy, 315
multicast settings
    overriding, 299
    viewing, 298
Multi-Exit Discriminator (MED), 296
MYSQL
    service, 347

N

Name
    IP pool, 378, 379
    IPSec VPN, manual key, 517
    IPSec VPN, phase 1, 508
    IPSec VPN, phase 2, 513
NAT
    in transparent mode, 380
    inbound, IPSec firewall policy, 325
    multicast, 300
    outbound, IPSec firewall policy, 325
    preserving SIP NAT IP, 422
    push update, 267
    SIP, 415
    symmetric, 362
    WAN optimization, 571
NAT virtual IP
    adding for single IP address, 366
    adding static NAT virtual IP for IP address range, 367
NAT-traversal
    IPSec VPN, phase 1, 512
netmask
    administrator account, 207
NetMeeting
    service, 347
network
    topology viewer, 88
network address translation (NAT), 360
network utilization
    HA statistics, 183
NFS
    service, 347
NMT
    grayware category, 438
NNTP
    service, 347
not registered
    subscription, 261
Not-so-stubby Area (NSSA), 293
not-so-stubby area (NSSA), 310
Novell eDirectory, 551
NTP
    service, 347

O

object cache
    WAN optimization web caching, 575
OCSP certificates
    importing, 243
ONC-RPC
    service, 347
one-time schedule
    adding, 357
    configuring, 357
    creating new, 356
    list, 356
    start, 357
    stop, 357
online help
    content pane, 51
    keyboard shortcuts, 53
    navigation pane, 52
    search, 52
    using FortiGate online help, 51
operation mode, 200
    wireless setting, 163
operational history
    viewing, 83
optimize
    antivirus, 438


OSPF
    area ID, 294
    AS, 291
    authentication, 293, 295
    Dead Interval, 296
    dead packets, 296
    GRE, 295
    Hello Interval, 296
    Hello protocol, 288
    interface definition, 294
    IPSec, 295
    link-state, 288
    LSA, 295
    multiple interface parameter sets, 294
    neighbor, 288
    network, 291
    network address space, 295
    NSSA, 293, 310
    path cost, 289
    regular area, 292
    service, 347
    settings, 290
    stub, 293
    virtual LAN, 294
    virtual link, 293
    VLAN, 295
OSPF AS, 288
    defining, 289
out of band, 121
outbound NAT
    IPSec firewall policy, 325
override server
    adding, 266
oversized file/email
    protection profile, 397

P

P1 Proposal
    IPSec phase 1, 511
P2 Proposal
    IPSec VPN, phase 2, 514
P2P
    grayware category, 438
packets
    VDOM, 104
page controls
    web-based manager, 59
PAP, 544
pass fragmented email
    protection profile, 397
password
    configuring authentication password, 208
    HA, 180
    recovering lost password, 47, 207, 208
PAT
    virtual IPs, 360
patch number, 81
pattern
    default list of file block patterns, 429
    spam filter banned word, 481, 482
pattern type
    spam filter banned word, 481, 482
    spam filter email address, 486
    web content block, 464, 466
PC-Anywhere
    service, 347
peer group
    configuring, 553
Peer option
    IPSec VPN, phase 1, 509
peer to peer
    WAN optimization, 569
peer user
    configuring, 553
Perl regular expressions
    spam filter, 488
Phase, 513
phase 1
    IPSec VPN, 508, 513
phase 1 advanced options
    IPSec VPN, 510
phase 2
    IPSec VPN, 512
phase 2 advanced options
    IPSec VPN, 513
PIM
    BSR, 298
    dense mode, 297
    DR, 298
    RFC 2362, 297
    RFC 3973, 297
    RP, 298
    sparse mode, 297
PING, 387
    service, 348
ping server
    adding to an interface, 147
PING6
    firewall service, 348
pinholing
    RTP, 421
    SIP, 421
PKI, 553
    authentication, 214
plugin
    grayware category, 438
Point-to-Point Protocol over ATM (PPPoA), 127


policy
    accept action, 597
    action, 316
    adding, 316
    allow inbound, 324
    allow outbound, 324
    authentication, 321, 327
    changing the position in the policy list, 314, 575
    comments, 321, 327
    configuring, 316
    creating new, 315, 411
    deleting, 314, 575
    destination, 316
    differentiated services, 332
    DiffServ, 332
    DoS, 330
    example, 332
    guaranteed bandwidth, 320, 411
    ID, 316
    identity-based, 322
    inbound NAT, 325
    insert policy before, 316, 573
    list, 315
    log traffic, 321, 323, 328
    matching, 313, 574
    maximum bandwidth, 320, 412, 573, 595
    move, 314, 575
    multicast, 315
    outbound NAT, 325
    protection profile, 320, 327
    schedule, 316, 319
    service, 316, 319
    source, 316
    SSL VPN options, 325
    traffic priority, 573, 595
    traffic shaping, 320, 323, 328
policy route
    moving in list, 281
policy-based routing, 279
POP3
    service, 348
port 53, 263
port 8888, 263
port 9443, 267
port address translation
    virtual IPs, 360
port forwarding, 360
port monitor
    HA, 180
PPPoE
    and IP Pools, 320
PPPoE (Point-to-Point Protocol over Ethernet)
    configuring ADSL interface, 127
    RFC 2516, 132
PPTP, 521, 555
    service, 348
PPTP IP address
    user group, 521, 523
PPTP range
    defining addresses, 521, 523
PPTP tunnel setup
    CLI command, 523
    customized GUI, 521
predefined services, 345
predefined signature
    default action, 444
    list, 443
Pre-shared Key
    IPSec VPN, phase 1, 509
pre-shared key
    wireless setting, 165
priority
    cluster members, 182
private key
    importing, 241
product registration, 50
products, family, 37
proposal
    IPSec phase 1, 511
    IPSec VPN, phase 2, 514
protection profile
    ActiveX, 399
    add signature to outgoing email, 397
    adding to a firewall policy, 392
    allow web sites when a rating error occurs, 401
    antivirus options, 396
    append tag format, 403
    append tag to location, 403
    banned word check, 403
    block login (IM), 405
    category, 401
    comfort clients, 397
    cookie filter, 399
    dashboard statistics, 404
    default protection profiles, 392
    display content meta-information on dashboard, 404
    display content meta-information on the system dashboard options, 404
    DoS sensor, 398
    email address BWL check, 403
    enable FortiGuard Web Filtering, 400
    enable FortiGuard Web Filtering overrides, 400
    file block, 397
    firewall policy, 320, 327
    FortiGuard Antispam IP address check, 402
    FortiGuard email checksum check, 403
    HELO DNS lookup, 403
    IP address BWL check, 403
    IPS sensor, 398
    IPS sensor options, 398
    java applet filter, 399
    list, 393
    logging, ActiveX filter, 406
    logging, blocked files, 406
    logging, content block, 406
    logging, cookie filter, 406
    logging, IM activity, 406
    logging, intrusions, 406
    logging, java applet filter, 406
    logging, oversized files/emails, 406
    logging, P2P activity, 406
    logging, rating errors, 406
    logging, spam, 406
    logging, URL block, 406
    logging, viruses, 406
    options, 393
    oversized file/email, 397


    pass fragmented email, 397
    provide details for blocked HTTP errors, 401
    quarantine, 397
    rate images by URL, 401
    rate URLs by domain and IP address, 401
    return email DNS check, 403
    scan (default protection profile), 392
    spam action, 403
    spam filtering options, 402
    strict (default protection profile), 392
    strict blocking (HTTP only), 401
    tag format, 403
    tag location, 403
    unfiltered (default protection profile), 392
    virus scan, 397
    web (default protection profile), 392
    web content block, 399
    web content exempt, 399
    web filtering options, 398, 460
    web resume download block, 399
    web URL block, 399
protocol
    number, custom service, 352
    OSPF Hello, 288
    service, 346
    system status, 85
    type, custom service, 351
    virtual IP, 365
protocol decoder, 446
    list, 446
Protocol Independent Multicast (PIM), 297
protocol recognition, 395
protocol type, 352
provide details for blocked HTTP errors
    protection profile, 401
proxy
    SIP, 413
proxy ARP, 364, 384
    FortiGate interface, 364, 384
    IP pool, 364, 384
    virtual IP, 364, 384
proxy server, 266
    push updates, 266
push update, 262
    configuring, 266
    external IP address changes, 267
    IP address changes, 267
    management IP address changes, 267
    through a proxy server, 266

Q

QoS, 332
QUAKE
    service, 348
quality of service, 332
quarantine
    age limit, 436
    antivirus, 432
    autosubmit list, 434
    autosubmit list file pattern, 434
    configuring, 435
    configuring the autosubmit list, 435
    enable AutoSubmit, 436
    enabling uploading autosubmit file patterns, 435
    heuristics, 439
    low disk space, 436
    max filesize to quarantine, 436
    options, 435
    protection profile, 397
quarantine files list
    antivirus, 433
    apply, 433
    date, 433
    DC, 434
    download, 434
    duplicates, 434
    file name, 433
    filter, 433
    service, 433
    sorting, 433
    status, 433
    status description, 434
    TTL, 434
    upload status, 434
query, 548
Quick Mode Selector
    IPSec VPN, phase 2, 515

R

RADIUS
    configuring server, 544
    servers, 543
    user authentication, 540
    viewing server list, 543
    WPA Radius, 165
RADIUS authentication
    VDOM, 115
RADIUS server
    authentication, 208
    wireless setting, 165
RAT
    grayware category, 438
rate images by URL
    protection profile, 401
rate limiting
    SCCP, 419
    SIMPLE, 419
    SIP, 418, 419
rate URLs by domain and IP address
    protection profile, 401
RAUDIO
    service, 348
read & write access level
    administrator account, 80, 81, 205
read only access level
    administrator account, 80, 81, 205, 207
reading log messages, 618


real servers
    configuring, 386
    monitoring, 389
recurring schedule
    adding, 356
    configuring, 356
    creating new, 355
    list, 355
    select, 356
    start, 356
    stop, 356
redirect
    SIP, 413
redundant interface
    adding system settings, 129
redundant mode
    configuring, 143
refresh every
    HA statistics, 183
registering
    FortiGate unit, 50
regular administrator, 203
relay
    DHCP, 171, 173
remote administration, 136, 201
remote certificates
    options, 242
    viewing, 242
Remote Gateway
    IPSec manual key setting, 517
    IPSec VPN, manual key, 516
    IPSec VPN, phase 1, 508
remote peer
    manual key configuration, 516
Remote SPI
    IPSec VPN, manual key, 517
remote user authentication, 543
Rendezvous Point (RP), 298
replacement messages, 195
report
    basic traffic, 625
    configuring report schedules, 627
    FortiAnalyzer, printing, 630
    viewing FortiAnalyzer reports, 630
restoring 2.80 MR11 configuration, 101
    using the CLI, 102
    using web-based manager, 101
return email DNS check
    protection profile, 403
Reverse Path Forwarding (RPF), 300
REXEC
    firewall service, 348
RFC, 297
RFC 1058, 284
RFC 1213, 185, 188
RFC 1215, 189
RFC 1321, 293
RFC 1771, 296
RFC 2132, 175
RFC 2362, 297
RFC 2385, 296
RFC 2453, 284
RFC 2474, 332
RFC 2475, 332
RFC 2516, 132
RFC 2665, 185, 188
RFC 3509, 289
RFC 3973, 297
RFC 5237, 280
RIP
    authentication, 288
    hop count, 284
    RFC 1058, 284
    RFC 2453, 284
    service, 348
    settings, viewing, 284
    split horizon, 287
    version 1, 284
    version 2, 284
RLOGIN
    service, 348
role
    cluster members, 182
route
    HA, 310
router monitor
    HA, 310
routing
    administrative distance, 272
    blackhole, 273
    configuring, 148
    ECMP, 273
    loopback interface, 274
    monitor, 309
    static, 274
routing policy
    protocol number, 280
routing table, 309
    searching, 311
RSH
    firewall service, 348
RTP, 415
    pinholing, 421
RTS threshold
    wireless setting, 165
RTSP
    firewall service, 348

S

SAMBA
    service, 348
scan
    default protection profile, 392
SCCP
    DoS sensor, 419
    firewall service, 348
    protection profile, 419
    rate limiting, 419
schedule
    antivirus and attack definition updates, 265
    firewall policy, 316, 319
    one-time schedule list, 356
    recurring schedule list, 355
scheduled updates
    through a proxy server, 266
screen resolution
    minimum recommended, 45
search
    online help, 52
    online help wildcard, 53
searching
    routing table, 311
security
    MAC address filtering, 166
security certificates. See system certificates
security mode
    wireless setting, 165
select
    recurring schedule, 356
sensor
    DoS, 455
    IPS, 447
separate server certificates
    importing, 241
server
    DHCP, 171
    log WebTrends setting, 612
server certificate, 526
server certificates
    importing, 241
server health, 388
service
    AH, 346
    ANY, 346
    AOL, 346
    BGP, 346
    custom service list, 350
    CVSPSERVER, 346
    DCE-RPC, 346
    DHCP, 172, 346
    DHCP6, 346
    DNS, 346
    ESP, 346
    FINGER, 346
    firewall policy, 316, 319
    FTP, 346
    FTP_GET, 346
    FTP_PUT, 346
    GOPHER, 346
    GRE, 346
    group, 352
    H323, 346
    HTTPS, 347
    ICMP_ANY, 347
    IKE, 347
    IMAP, 347
    INFO_ADDRESS, 347
    INFO_REQUEST, 347
    Internet-Locator-Service, 347
    IRC, 347
    L2TP, 347
    LDAP, 347
    MGCP, 347
    MS-SQL, 347
    MYSQL, 347
    NetMeeting, 347
    NFS, 347
    NNTP, 347
    NTP, 347
    ONC-RPC, 347
    organizing services into groups, 352
    OSPF, 347
    PC-Anywhere, 347
    PING, 348
    PING6, 348
    POP3, 348
    PPTP, 348
    predefined, 345
    QUAKE, 348
    quarantine files list, 433
    RAUDIO, 348
    REXEC, 348
    RIP, 348
    RLOGIN, 348
    RSH, 348
    RTSP, 348
    SAMBA, 348
    SCCP, 348
    service name, 346
    SIP, 348
    SIP-MSNmessenger, 348
    SMTP, 349
    SNMP, 349
    SOCKS, 349
    SQUID, 349
    SSH, 349
    SYSLOG, 349
    TALK, 349
    TCP, 349
    TELNET, 349
    TFTP, 349
    TIMESTAMP, 349
    UDP, 349
    UUCP, 349
    VDOLIVE, 349
    VNC, 349
    WAIS, 349
    WINFRAME, 349
    WINS, 349
    X-WINDOWS, 349
service group, 352
    adding, 352
    create new, 352
    list, 352
service port
    virtual IP, 363
service set identifier (SSID), 119
Session Initiation Protocol. See SIP
session list
    viewing, 84
session pickup
    HA, 180
settings, 164
    administrators, 222
    IPv6 support, 223
    timeout, 223
Shortest Path First (SPF), 289
signatures
    custom, intrusion protection signatures, 445
SIMPLE
    protection profile, 419
    rate limiting, 419
SIP, 413
    accepting register response, 422
    ALG, 415
    application level gateway, 415
    application list, 420
    archiving communication, 421
    blocking requests, 421
    configuring, 418
    configuring advanced features, 420
    controlling client connection, 422
    controlling the SIP ALG, 423
    destination NAT, 416
    different source and destination NAT for SIP and RTP, 417
    DoS sensor, 419
    enabling, 418
    logging, 420
    NAT, 415
    NAT with dynamic IP pool, 417
    operating modes, 413
    preserving NAT IP, 422
    protection profile, 419
    proxy, 413
    rate limiting, 418, 419
    redirect, 413
    RTP pinholing, 421
    service, 348
    source NAT, 415
    support workflow, 418
    turning on tracking, 420
    viewing statistics, 420
    VoIP, 413
sip
    vpn pptp, 523
SIP requests, 421
SIP support workflow, 418
SIP-MSNmessenger
    service, 348
Skinny Call Control Protocol. See SCCP
SMTP
    service, 349
    user, 624
SNAT
    virtual IPs, 361
SNMP
    configuring community, 186
    contact information, 186
    event, 188
    manager, 185, 186
    MIB, 192
    MIBs, 188
    queries, 187
    RFC 1213, 188
    RFC 1215, 189
    RFC 2665, 188
    service, 349
    traps, 188, 189
SNMP Agent, 185
SNMP communities, 186
socket-size, CLI command for IPS, 458
SOCKS
    service, 349
software switch, 125
sorting
    quarantine files list, 433
    URL filter list, 470
source
    firewall policy, 316, 318, 326
source IP address
    system status, 85
source IP port
    system status, 85
source NAT
    SIP, 415
source port, 351
spam action
    protection profile, 403
spam filter, 477
    adding an email address or domain to the email address list, 487
    adding words to the banned word list, 482
    banned word list, 481
    email address list, 486
    IP address, 483
    IP address list, 484
    Perl regular expressions, 488
spam filtering options
    protection profile, 402
splice, 397
spy
    grayware category, 438
SQUID
    service, 349
SSH, 201
    service, 349
SSID
    wireless setting, 165
SSID broadcast
    wireless setting, 165
SSL
    service definition, 347
SSL VPN
    checking client certificates, 526
    configuring settings, 526
    default web portal, 528
    firewall policy, 325
    monitoring sessions, 527
    setting the cipher suite, 527
    specifying server certificate, 526
    specifying timeout values, 527
    tunnel IP range, 526
    web-only mode, 525
SSL VPN Client Certificate, 325
SSL VPN login message, 199
SSL VPN web portal, 528
    default, 528
standalone mode
    modem, 140, 144
start
    IP pool, 377
    one-time schedule, 357
    recurring schedule, 356
static IP
    monitor, 519
static NAT port forwarding
    adding for IP address and port range, 371
    adding for single address and port, 369
static route
    adding, 150, 278
    adding policy, 280
    administrative distance, 272
    concepts, 271
    creating, 274
    default gateway, 275
    default route, 275
    editing, 274
    moving in list, 281
    overview, 271
    policy, 279
    policy list, 279
    selecting, 272
    table building, 272
    table priority, 273
    table sequence, 273
    viewing, 274
    viewing in transparent mode, 149
statistics
    viewing, 84
    viewing HA statistics, 182
status
    HA statistics, 183
    interface, 121
    quarantine files list, 433
    vpn pptp, 523
status description
    quarantine files list, 434
stop
    one-time schedule, 357
    recurring schedule, 356
streaming mode, 397
strict
    default protection profile, 392
strict blocking (HTTP only)
    protection profile, 401
stub
    OSPF area, 293
subnet
    adding object, 91
    firewall address, 341
subscription
    expired, 261
    not registered, 261
    valid license, 261
super administrator, 203
switch mode, 123
sync interval, 80
SYSLOG
    service, 349
system administrators, 203
system certificate
    FortiGate unit self-signed security certificate, 47
system certificates
    CA, 243
    CRL, 244
    importing, 240
    OCSP, 243
    requesting, 238, 240
    viewing, 237
system configuration, 177
system DHCP see also DHCP, 171
system global av_failopen
    antivirus, 438
system global optimize
    antivirus, 438
system idle timeout, 201
system information
    viewing, 67
system maintenance
    advanced, 254
    backup and restore, 248
    creating scripts, 257
    enabling push updates, 266
    firmware, 253
    firmware upgrade, 253
    managing configuration, 247
    push update through a NAT device, 267
    remote FortiManager options, 250
    remote management options, 251
    revision control, 255
    scripts, 256
    updating antivirus and attack definitions, 265
    uploading scripts, 258
    USB disks, 255
    VDOM, 248
system resources
    viewing, 72
system status
    viewing, 65
system status widgets
    customizing, 66
system time
    configuring, 79
system wireless. See wireless
T
TACACS+
    configuring server, 549, 550
    user authentication, 540
TACACS+ server
    authentication, 208, 212
tag format
    protection profile, 403
tag location
    protection profile, 403
TALK
    service, 349
TCP, 387
    service, 349
TCP custom service, 351
    adding, 350
    destination port, 351
    protocol type, 351
    source port, 351
technical support, 42, 109
TELNET
    service, 349
TFTP
    service, 349
time
    configuring, 79
timeout
    settings, 223
timeout values
    specifying for SSL VPN, 527
TIMESTAMP
    service, 349
toolbar
    grayware category, 438
top attacks
    viewing, 78
top sessions
    viewing, 76
top viruses
    viewing, 78
topology viewer, 88
total bytes
    HA statistics, 183
total packets
    HA statistics, 183
tracking
    SIP, 420
traffic history
    viewing, 78
Traffic Priority, 573, 595
traffic priority
    firewall policy, 573, 595
    traffic shaping, 573, 595
traffic reports
    viewing, 625
traffic shaping
    configuring, 411
    firewall policy, 320, 323, 328
    guaranteed bandwidth, 320, 411
    guaranteed bandwidth and maximum bandwidth, 409
    maximum bandwidth, 320, 412, 573, 595
    priority, 410
    traffic priority, 573, 595
    WAN optimization, 571
transparent mode
    IP pools, 380
    NAT, 380
    VDOMs, 104
    VIP, 380
    virtual IP, 380
    VLAN, 154
    WAN optimization, 570, 592
    web cache, 577, 579, 583
traps
    SNMP, 189
troubleshooting
    FDN connectivity, 264
trusted host
    administrators options, 207
    security issues, 215
TTL
    quarantine files list, 434
tunnel
    WAN optimization, 570
tunnel IP range
    SSL VPN, 526
tunnel mode
    SSL VPN, SSL VPN tunnel mode, 525
Tunnel Name
    IPSec VPN, manual key, 516
Tx Power
    wireless setting, 163
type, 351
    virtual IP, 364

U
UDP custom service, 351
    adding, 350
    destination port, 351
    protocol type, 351
    source port, 351
UDP service, 349
unfiltered
    default protection profile, 392
unit
    HA statistics, 183
unit operation
    viewing, 70
up time
    HA statistics, 183
update
    push, 266
upgrading
    3.0 using the CLI, 98
    3.0 using web-based manager, 97
    backing up using the CLI, 2.80 MR11, 94
    firmware, 81
    FortiGate unit to 3.0, 97
    using the web-based manager, 97
    using web-based manager, 2.80 MR11, 94
upload status
    quarantine files list, 434
URL block
    adding a URL to the web filter block list, 469
    configuring overrides, 472
    local categories, 474
    web filter, 467
URL filter
    adding new list, 467
    catalog, 467
    sorting in list, 470
    viewing list, 468
URL formats, 469
USB disk, 248
    auto-install, 254
    backup and restore configuration, 247
    formatting, 255
    system maintenance, 255
user authentication
    overview, 539
    PKI, 553
    remote, 543
user group
    configuring, 558
    PPTP source IP address, 521, 523
user groups
    configuring, 554
    Directory Service, 556
    firewall, 555
    SSL VPN, 557
    viewing, 557
usrgrp
    vpn pptp, 523
UUCP
    service, 349

V
valid license, 261
VDOLIVE
    service, 349
VDOM
    adding interface, 112
    assigning administrator, 114
    assigning interface, 113
    configuration settings, 105
    enabling multiple VDOMs, 107
    FortiAnalyzer, 104
    inter-VDOM links, 112
    license key, 269
    limited resources, 109
    management VDOM, 111
    maximum number, 109
    NAT/Route, 104
    packets, 104
    RADIUS authentication, 115
    system maintenance, 248
    transparent mode, 104
VDOM partitioning
    HA, 180
verifying
    downgrade to 2.80 MR11, 100
    upgrade to 3.0, 99
viewing
    address group list, 342
    admin profiles list, 218
    administrators, 223
    administrators list, 205
    Alert Message Console, 73
    antispam email address list catalog, 485
    antispam IP address list, 484
    antispam IP address list catalog, 483
    antivirus file filter list, 431
    antivirus file pattern list catalog, 430
    antivirus list, 436
    antivirus quarantined files list, 433
    autosubmit list, 434
    banned word list, 481
    banned word list catalog, 480
    BGP settings, 296
    CA certificates, 243
    certificates, 237
    cluster members list, 180
    content archive, 86
    content archives, 623
    CRL (Certificate Revocation List), 244
    custom service list, firewall service, 350
    custom signatures, 445
    DHCP address leases, 175
    DoS sensor list, 455
    firewall policy list, 315
    firewall service group list, 352
    firewall service list, 345
    firmware, 253
    FortiAnalyzer reports, 630
    FortiGuard support contract, 260
    grayware list, 437
    HA statistics, 182
    hostname, 80
    IP pool list, 377
    IPS sensor list, 447
    IPS sensor options, 398
    IPSec VPN auto key list, 507
    IPSec VPN concentrator list, 518
    IPSec VPN manual key list, 515
    IPSec VPN monitor list, 519
    LDAP server list, 546
    licenses, 68
    local ratings list, 474
    log messages, 618
    modem status, 145
    multicast settings, 298
    one-time schedule list, 356
    operational history, 83
    protection profile list, 393
    protocol decoder list, 446
    RADIUS server list, 543
    recurring schedule list, 355
    remote certificates, 242
    revision control, 255
    RIP settings, 284
    routing information, 309
    session list, 84
    SIP statistics, 420
    SSL VPN sessions, 527
    static route, 274
    static route (transparent mode), 149
    statistics, 84
    system information, 67
    system resources, 72
    system status, 65
    system topology, 88
    TACACS+ server, 549
    top attacks, 78
    top sessions, 76
    top viruses, 78
    traffic history, 78
    traffic reports, 625
    unit operation, 70
    URL filter list, 468
    URL filter list catalog, 467
    URL override list, 471
    user group list, 557
    VIP group list, 374
    virtual IP group list, 374
    virtual IP list, 363
    virtual IP pool list, 377
    web content block list, 463
    web content block list catalog, 462
    web content exempt list, 465
    web content exempt list catalog, 464
    wireless monitor, 167
viewport, 89
VIP
    transparent mode, 380
VIP group
    configuring, 374
Virtual Circuit Identification (VCI), 127
Virtual IP
    transparent mode, 380
virtual IP, 364, 384
    configuring, 364
    create new, 363, 374
    destination network address translation (DNAT), 361, 362
    external interface, 364
    external IP address, 364
    external service port, 365
    IP, 363
    list, 363
    map to IP, 363
    map to port, 363, 365
    NAT, 360
    PAT, 360
    port address translation, 360
    protocol, 365
    server down, 388
    service port, 363
    SNAT, 361
    source network address translation, 361
    type, 364
    WAN optimization, 571
virtual IP group
    configuring, 374
virtual IP group list
    viewing, 374
virtual IP, port translation only
    adding, 373
virtual IPSec
    configuring interface, 134
virtual servers
    configuring, 384
virus detected
    HA statistics, 183
virus list, 436
virus name, 198
virus protection. See antivirus
virus scan
    protection profile, 397
virus-infected attachments, 196
VLAN
    adding firewall policy to subinterface, 157
    adding subinterface, 153
    jumbo frames, 137
    OSPF, 294
    overview, 151
VNC
    service, 349
VoIP
    SIP, 413
VoIP security, 415
VPN IPSec (see also IPSec VPN), 505
VPN PPTP, 521
VPN SSL. See SSL VPN
VPN tunnel
    IPSec VPN, firewall policy, 324
VPN, IPSec
    firewall policy, 324
VPNs, 521

W
WAIS
    service, 349
WAN optimization
    active-passive mode, 569
    and virtual IPs, 571
    authentication, 571
    automated mode, 569
    client/server mode, 569
    explicit mode, 570, 592
    firewall load balancing, 571
    FortiGate models supported, 571
    identity-based firewall policies, 571
    monitoring, 596
    NAT, 571
    object caching, 575
    peer to peer mode, 569
    traffic shaping, 571
    transparent mode, 570, 592
    tunnel, 570
    web cache, 575
WAN optimization peer
    configuring, 594
WAN optimization rule
    configuring, 572
web
    default protection profile, 392
web cache, 575
    active-passive WAN optimization, 578
    adding to passive WAN optimization rule, 578
    adding to peer WAN optimization rule, 581
    client/server WAN optimization, 578
    non-standard ports, 577, 579, 580, 583
    peer to peer WAN optimization, 581
    transparent mode, 577, 579, 583
web category block
    changing the host name, 476
    CLI configuration, 476
    configuration options, 471
web content block
    banned word, 464, 466
    language, 464, 466
    pattern type, 464, 466
    protection profile, 399
    web filter, 464
web content block list
    web filter, 463
web content exempt
    protection profile, 399
web content exempt list
    adding, 465
wired equivalent privacy, 165
web filter, 459
    adding a URL to the web URL block list, 469
    configuring the web content block list, 464
    configuring the web URL block list, 469
    content block, 462
    filter interaction, 459
    FortiGuard, 470
    protection profile options, 460
    URL block, 467
    URL category, 263
    web content block list, 463
    web URL block list, 468
web filtering options
    protection profile, 398
web filtering service, 198
web portal
    SSL VPN, SSL VPN web portal
    customize, 528
web resume download block
    protection profile, 399
web site, content category, 197
Web UI. See web-based manager
web URL block
    configuring the web URL block list, 469
    list, 468
    list, web filter, 468
    protection profile, 399
web-based manager, 45, 46
    changing the language, 48
    connecting to the CLI, 49
    idle timeout, 49
    IPv6 support, 223
    language, 48, 223
    logging out, 54
    online help, 51
    pages, 54
    screen resolution, 45
    using the menu, 54
    using web-based manager lists, 55
web-only mode
    SSL VPN, 525
WebTrends, 612
WEP, 165
WEP128, 159, 165
WEP64, 159, 165
WiFi protected access, 165
wildcard
    online help search, 53
Windows Active Directory, 551
WINFRAME
    service, 349
WINS
    service, 349
wireless
    band, 163
    beacon interval, 163
    channel, 163
    configuration, 159
    data encryption, 165
    fragmentation threshold, 165
    geography, 163
    interface, 159
    key, 165
    MAC filter, 166
    operation mode, 163
    pre-shared key, 165
    RADIUS server, 165
    RTS threshold, 165
    security, 165
    security mode, 165
    settings FortiWiFi-50B, 162
    settings FortiWiFi-60A, 162
    settings FortiWiFi-60AM, 162
    settings FortiWiFi-60B, 162
    SSID, 165
    SSID broadcast, 165
    Tx power, 163
    viewing monitor, 167
WLAN
    interface, 159
WLAN interface
    adding to a FortiWiFi-50B, 164
    adding to a FortiWiFi-60A, 164
    adding to a FortiWiFi-60AM, 164
    adding to a FortiWiFi-60B, 164
WPA, 159, 165
WPA Radius
    wireless security, 165
WPA2, 159, 165
WPA2 Auto, 159, 165
WPA2 Radius
    wireless security, 165

X
X.509 security certificates. See system certificates
XAuth
    IPSec VPN, phase 1, 512
X-Forwarded-For (XFF), 149
X-WINDOWS
    service, 349

Z
zones
    configuring, 139