Escolar Documentos
Profissional Documentos
Cultura Documentos
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient,
FortiGate®, FortiGate Unified Threat Management System, FortiGuard®, FortiGuard-Antispam,
FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager,
Fortinet®, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and
FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual
companies and products mentioned herein may be the trademarks of their respective owners.
Contents Quick Look
FortiOS™ Handbook v2
01-420-99686-20101026 3
http://docs.fortinet.com/ • Feedback
Contents Quick Look
FortiOS™ Handbook v2
01-420-99686-20101026 5
http://docs.fortinet.com/ • Feedback
Contents Quick Look
FortiOS™ Handbook v2
01-420-99686-20101026 7
http://docs.fortinet.com/ • Feedback
Contents Quick Look
Chapter 18 WAN Optimization, Web Cache, Explicit Proxy, and WCCP 2115
WAN optimization, web cache, and web proxy concepts 2117
WAN optimization and Web cache storage 2133
WAN optimization peers and authentication groups 2135
Configuring WAN optimization rules 2141
WAN optimization configuration examples 2151
Web caching 2171
Advanced configuration example 2189
SSL offloading for WAN optimization and web caching 2211
FortiClient WAN optimization 2219
The FortiGate explicit web proxy 2221
FortiGate WCCP 2239
WAN optimization, web cache and WCCP get and diagnose commands 2245
FortiOS™ Handbook v2
01-420-99686-20101026 9
http://docs.fortinet.com/ • Feedback
Contents Quick Look
FortiOS™ Handbook v2
01-420-99686-20101026 11
http://docs.fortinet.com/ • Feedback
Detailed Contents
CLI 125
grep . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
IS-IS routing support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
IS-IS CLI commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Trouble-shooting command updates . . . . . . . . . . . . . . . . . . . . . . . . . . 127
System 129
Concurrent username restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
MD5 hash for log transfers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Limiting the number of concurrent explicit proxy users . . . . . . . . . . . . . . . . . 129
sFlow client support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
WCCP client mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
WCCP router mode configuration . . . . . . . . . . . . . . . . . . . . . . . . . 131
WCCP client mode configuration. . . . . . . . . . . . . . . . . . . . . . . . . . 132
Client certificate handling for SSL inspection. . . . . . . . . . . . . . . . . . . . . . 133
Controlling the source interface IP address for self-originating traffic . . . . . . . . . 133
Web Proxy replacement messages . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
FortiOS™ Handbook v2
01-420-99686-20101026 13
http://docs.fortinet.com/ • Feedback
Detailed Contents
Firewall 141
Protection profile re-organization and enhancement . . . . . . . . . . . . . . . . . . 141
VoIP profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Explicit Proxy improvements (including Citrix/TS support) . . . . . . . . . . . . . . . 142
Central NAT Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
User 145
LDAP/RADIUS password renewal . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
BGP support for four-byte AS Path . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
IM users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
UTM 147
FortiGuard Web Filtering quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Viewing FortiGuard quota usage . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Skype control improvements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Flow-based antivirus database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Extreme antivirus database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
SSL proxy exemption by FortiGuard Web Filter category . . . . . . . . . . . . . . . 149
Application control enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Monitoring application control traffic . . . . . . . . . . . . . . . . . . . . . . . . 150
Applying traffic shaping settings to an application control list . . . . . . . . . . . 151
VPN 153
FortiMobile SSL-VPN app . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
L2TP and IPSec support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Endpoint 155
Endpoint menu enhancements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Endpoint application enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Network Vulnerability Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Configuring assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Scheduling a scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
FortiOS™ Handbook v2
01-420-99686-20101026 15
http://docs.fortinet.com/ • Feedback
Detailed Contents
Addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Wildcard masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Fully Qualified Domain Name addresses . . . . . . . . . . . . . . . . . . . . . 211
Virtual IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
Address groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
IP pools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
IP Pools for firewall policies that use fixed ports . . . . . . . . . . . . . . . . . . 220
Source IP address and IP pool address matching . . . . . . . . . . . . . . . . . 221
IPv6. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Originating traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Receiving traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Closing specific ports to traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Custom service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Schedule groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
UTM profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Profiles and sensors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
FortiOS™ Handbook v2
01-420-99686-20101026 17
http://docs.fortinet.com/ • Feedback
Detailed Contents
Troubleshooting 251
Basic policy checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Verifying traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Using log messages to view violation traffic . . . . . . . . . . . . . . . . . . . . . . 252
Traffic trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Session table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Finding object dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Flow trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Flow trace output example - HTTP . . . . . . . . . . . . . . . . . . . . . . . . . 256
Packet sniffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Simple trace example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Simple trace example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Trace with filters example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
FortiOS™ Handbook v2
01-420-99686-20101026 19
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 21
http://docs.fortinet.com/ • Feedback
Detailed Contents
Monitoring 397
Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Widgets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
sFlow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
FortiGate memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
FortiGate hard disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Syslog server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
FortiGuard Analysis and Management service. . . . . . . . . . . . . . . . . . . 400
FortiAnalyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Alert email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
SNMP agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
SNMP community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Enabling on the interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Fortinet MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
SNMP get command syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Fortinet and FortiGate traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Fortinet and FortiGate MIB fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
FortiOS™ Handbook v2
01-420-99686-20101026 23
http://docs.fortinet.com/ • Feedback
Detailed Contents
IPv6 459
IPv6 overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Differences between IPv6 and IPv4 . . . . . . . . . . . . . . . . . . . . . . . . 460
IPv6 MTU. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
IPv6 address format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
IP address notation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Netmasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Address scopes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Address types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
IPv6 neighbor discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
FortiGate IPv6 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
UTM protection for IPv6 networks . . . . . . . . . . . . . . . . . . . . . . . . . 465
Displaying IPv6 options on the web-based manager. . . . . . . . . . . . . . . . 465
Configuring IPv6 interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Configuring IPv6 routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Configuring IPv6 firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Configuring IPv6 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Configuring IPv6 over IPv4 tunneling . . . . . . . . . . . . . . . . . . . . . . . 468
Configuring IPv6 IPSec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Transition from IPv4 to IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Configuring FortiOS to connect to an IPv6 tunnel provider. . . . . . . . . . . . . . . 471
IPv6 troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
ping6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
diagnose sniffer packet. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
diagnose debug flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
IPv6 specific diag commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Additional IPv6 resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
FortiOS™ Handbook v2
01-420-99686-20101026 25
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 27
http://docs.fortinet.com/ • Feedback
Detailed Contents
Reports 613
Report overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
FortiOS reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
Creating datasets for charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
Configuring the charts for the report . . . . . . . . . . . . . . . . . . . . . . . . 615
Configuring a theme for the report . . . . . . . . . . . . . . . . . . . . . . . . . 616
Customizing and creating styles for a theme. . . . . . . . . . . . . . . . . . . . 617
Importing images for the report. . . . . . . . . . . . . . . . . . . . . . . . . . . 618
Configuring the layout for the report . . . . . . . . . . . . . . . . . . . . . . . . 619
FortiAnalyzer reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
Configuring a FortiAnalyzer report schedule . . . . . . . . . . . . . . . . . . . . 620
Executive Summary reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Viewing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621
Report examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
Report for analyzing traffic on the network . . . . . . . . . . . . . . . . . . . . . 622
Report for application usage on the network . . . . . . . . . . . . . . . . . . . . 623
FortiOS™ Handbook v2
01-420-99686-20101026 29
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 31
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 33
http://docs.fortinet.com/ • Feedback
Detailed Contents
AntiVirus 761
Antivirus concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
How antivirus scanning works . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
Antivirus scanning order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762
Antivirus databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 764
Antivirus techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765
FortiGuard Antivirus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
Enable antivirus scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 766
Viewing antivirus database information . . . . . . . . . . . . . . . . . . . . . . 766
Changing the default antivirus database . . . . . . . . . . . . . . . . . . . . . . 767
Overriding the default antivirus database . . . . . . . . . . . . . . . . . . . . . 767
Adding the antivirus profile to a firewall policy . . . . . . . . . . . . . . . . . . . 768
Configuring the scan buffer size . . . . . . . . . . . . . . . . . . . . . . . . . . 768
Configuring archive scan depth . . . . . . . . . . . . . . . . . . . . . . . . . . 769
Configuring a maximum allowed file size. . . . . . . . . . . . . . . . . . . . . . 769
Configuring client comforting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770
Enable the file quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Configuring the file quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . 771
Viewing quarantined files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
Downloading quarantined files . . . . . . . . . . . . . . . . . . . . . . . . . . . 772
FortiOS™ Handbook v2
01-420-99686-20101026 35
http://docs.fortinet.com/ • Feedback
Detailed Contents
SafeSearch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 836
Advanced web filter configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
ActiveX filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Cookie filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Java applet filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Web resume download block. . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
Block Invalid URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 837
HTTP POST action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
Web filtering example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
School district . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 838
FortiOS™ Handbook v2
01-420-99686-20101026 37
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 39
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 41
http://docs.fortinet.com/ • Feedback
Detailed Contents
Example 975
Firewall authentication example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 975
Creating a locally-authenticated user account . . . . . . . . . . . . . . . . . . . 976
Creating a RADIUS-authenticated user account . . . . . . . . . . . . . . . . . . 976
Creating user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 977
Defining firewall addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
Creating firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 979
FortiOS™ Handbook v2
01-420-99686-20101026 43
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 45
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 47
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 49
http://docs.fortinet.com/ • Feedback
Detailed Contents
Examples 1249
Basic SSL VPN example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 1250
Creating the firewall addresses . . . . . . . . . . . . . . . . . . . . . . . . . 1250
Enabling SSL VPN and setting the tunnel user IP address range . . . . . . . . 1251
Creating the web portal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1251
Creating the user account and user group . . . . . . . . . . . . . . . . . . . . 1252
Creating the firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 1253
Add routing to tunnel mode clients . . . . . . . . . . . . . . . . . . . . . . . . 1254
Multiple user groups with different access permissions example . . . . . . . . . . 1255
General configuration steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 1255
Creating the firewall addresses . . . . . . . . . . . . . . . . . . . . . . . . . 1256
Creating the web portals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1257
Creating the user accounts and user groups. . . . . . . . . . . . . . . . . . . 1258
Creating the firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 1259
Create the static route to tunnel mode clients . . . . . . . . . . . . . . . . . . 1262
Enabling SSL VPN operation. . . . . . . . . . . . . . . . . . . . . . . . . . . 1262
OS patch check example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1263
FortiOS™ Handbook v2
01-420-99686-20101026 51
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 53
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 55
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 57
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 59
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 61
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 63
http://docs.fortinet.com/ • Feedback
Detailed Contents
VRRP 1771
Configuring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1772
Example VRRP configuration: two FortiGate units in a VRRP group . . . . . . 1772
Example VRRP configuration: VRRP load balancing two FortiGate
units and two VRRP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 1773
Optional VRRP configuration settings . . . . . . . . . . . . . . . . . . . . . . 1775
FortiOS™ Handbook v2
01-420-99686-20101026 65
http://docs.fortinet.com/ • Feedback
Detailed Contents
Examples 1833
QoS using priority from firewall policies . . . . . . . . . . . . . . . . . . . . . . . 1833
Sample configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1834
QoS using priority from ToS or differentiated services . . . . . . . . . . . . . . . . 1835
Sample configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1836
Example setup for VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1836
Creating the traffic shapers. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1837
Creating firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1838
Troubleshooting 1841
Interface diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1841
Shaper diagnose commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1841
TOS command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1841
Shared shaper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1842
Per-IP shaper. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1842
Packet loss with statistics on shapers . . . . . . . . . . . . . . . . . . . . . . 1843
Packet lost with the debug flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1843
Session list details with dual traffic shaper . . . . . . . . . . . . . . . . . . . . . . 1843
Additional Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1844
FortiOS™ Handbook v2
01-420-99686-20101026 67
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 69
http://docs.fortinet.com/ • Feedback
Detailed Contents
Bypassing message flood protection based on user’s carrier end points . . . . . . 1925
Configuring message flood detection. . . . . . . . . . . . . . . . . . . . . . . . . 1925
Sending administrator alert notifications . . . . . . . . . . . . . . . . . . . . . . . 1926
Configuring how and when to send alert notifications . . . . . . . . . . . . . . 1926
Configuring who to send alert notifications to . . . . . . . . . . . . . . . . . . 1928
Troubleshooting 1969
FortiOS Carrier diagnose commands. . . . . . . . . . . . . . . . . . . . . . . . . 1969
Dynamic Profile diagnose commands . . . . . . . . . . . . . . . . . . . . . . 1969
GTP related diagnose commands . . . . . . . . . . . . . . . . . . . . . . . . 1970
Applying Intrusion and Prevention System (IPS) signatures to IP
packets within GTP-U tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1970
FortiOS™ Handbook v2
01-420-99686-20101026 71
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 73
http://docs.fortinet.com/ • Feedback
Detailed Contents
Reference 2031
Wireless radio channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2031
FortiOS™ Handbook v2
01-420-99686-20101026 75
http://docs.fortinet.com/ • Feedback
Detailed Contents
Chapter 18 WAN Optimization, Web Cache, Explicit Proxy, and WCCP 2115
FortiOS™ Handbook v2
01-420-99686-20101026 77
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 79
http://docs.fortinet.com/ • Feedback
Detailed Contents
WAN optimization, web cache and WCCP get and diagnose commands
2245
get test {wa_cs | wa_dbd | wad | wad_diskd | wccpd} <test_level> . . . . . . . . . 2245
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2245
diagnose wad . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2248
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2248
diagnose wacs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2250
diagnose wadbd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2250
diagnose debug application {wa_cs | wa_dbd | wad | wad_diskd |
wccpd} [<debug_level>] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2250
FortiOS™ Handbook v2
01-420-99686-20101026 81
http://docs.fortinet.com/ • Feedback
Detailed Contents
FortiOS™ Handbook v2
01-420-99686-20101026 83
http://docs.fortinet.com/ • Feedback
Detailed Contents
Index 2403
FortiOS™ Handbook v2
01-420-99686-20101026 85
http://docs.fortinet.com/ • Feedback
Detailed Contents
This FortiOS™ Handbook v2 is the definitive guide to configuring and operating FortiOS
4.0 MR2. It contains concept and feature descriptions, as well as configuration examples
worked out in detail for the web-based manager and the CLI. This document also contains
operating and troubleshooting information.
This is the second version of the handbook. This version is still a work in progress but
includes many improvements, corrections and additions. Among the additions are new
chapters that describe troubleshooting and FortiGate hardware (including hardware
installation, hardware acceleration, RAID, and FortiBridge). The new compliances and
certifications chapter describes FortiOS PCI support and FIPS/CC support. New sections
include more information about VRRP, SNMP, sFlow, advanced static routing, and more
information about deploying wireless networks.
The next version of the handbook (v3) will document FortiOS 4.0 MR3 and will also
include more examples, concepts, corrections and improvements. If you notice problems
with the handbook or have suggestions for improvements, send an email about them to
Fortinet Technical Documentation at techdoc@fortinet.com.
This introduction describes the following topics:
• How this Handbook is organized
• Document conventions
• Entering FortiOS configuration data
• Registering your Fortinet product
• Fortinet products End User License Agreement
• Training
• Documentation
• Customer service and technical support
FortiOS™ Handbook v2
01-420-99686-20101026 87
http://docs.fortinet.com/ • Feedback
How this Handbook is organized
• Chapter 4, Logging and Reporting describes how to begin choosing a log device for
your logging requirements, the types of log files, how to configure your chosen log
device, including detailed explanations of each log type of log message.
• Chapter 5, Troubleshooting describes concepts of troubleshooting and solving issues
that may occur with FortiGate units.
• Chapter 6, UTM Guide describes the Unified Threat Management (UTM) features
available on your FortiGate unit, including antivirus, intrusion prevention system (IPS),
anomaly protection (DoS), one-armed IPS (sniffer policies), web filtering, email
filtering, data leak prevention (DLP), and application control. The chapter includes
step-by-step instructions showing how to configure each feature. Example scenarios
are included, with suggested configurations.
• Chapter 7, User Authentication defines authentication and describes the FortiOS
options for configuring authentication for FortiOS.
• Chapter 8, IPsec VPNs provides a general introduction to IPsec VPN technology,
explains the features available with IPsec VPN and gives guidelines to decide what
features you need to use, and how the FortiGate unit is configured to implement the
features.
• Chapter 9, SSL VPNs provides a general introduction to SSL VPN technology, explains
the features available with SSL VPN and gives guidelines to decide what features you
need to use, and how the FortiGate unit is configured to implement the features.
• Chapter 10, Advanced Routing provides detailed information about FortiGate dynamic
routing including common dynamic routing features, troubleshooting, and each of the
protocols including RIP, BGP, and OSPF.
• Chapter 11, Virtual Domains describes FortiGate Virtual Domains (VDOMs) and is
intended for administrators who need guidance on solutions to suit different network
needs and information on basic and advanced configuration of VDOMs. Virtual
Domains (VDOMs) multiply the capabilities of your FortiGate unit by using virtualization
to partition your resources.
• Chapter 12, High Availability describes FortiGate HA, the FortiGate Clustering Protocol
(FGCP), FortiGate support of VRRP, and FortiGate standalone TCP session
synchronization.
• Chapter 13, Endpoint describes how to use the Endpoint features of FortiOS: endpoint
Network Access Control (NAC), endpoint application detection, endpoint monitoring,
and network vulnerability scanning.
• Chapter 14, Traffic Shaping describes how to configure FortiOS traffic shaping.
• Chapter 15, FortiOS Carrier describes FortiOS Carrier dynamic profiles and groups,
Multimedia messaging service (MMS) protection, and GPRS Tunneling Protocol (GTP)
protection.
• Chapter 16, Deploying Wireless Networks describes how to configure wireless
networks with FortiWiFi, FortiGate, and FortiAP units.
• Chapter 17, VoIP Solutions: SIP describes FortiOS SIP support.
• Chapter 18, WAN Optimization, Web Cache, Explicit Proxy, and WCCP describes how
FortiGate WAN optimization, web caching, and web proxy work and also describes
how to configure these features.
• Chapter 19, Load Balancing describes firewall HTTP, HTTPS, SSL or generic
TCP/UDP or IP server load balancing.
• Chapter 20, Hardware describes how to mount, connect power, and turn on your
FortiGate unit. Other topics include descriptions and configuration instructions for
FortiGate accelerated hardware processing, RAID, and FortiBridge protection.
• Chapter 21, Certifications and Compliances explains how Fortinet products can help
you comply with the Payment Card Industry Data Security standard and also describe
FortiOS FIPS/CC support.
FortiOS™ Handbook v2
01-420-99686-20101026 89
http://docs.fortinet.com/ • Feedback
Document conventions
Document conventions
Fortinet technical documentation uses the conventions described below.
IP addresses
To avoid publication of public IP addresses that belong to Fortinet or any other
organization, the IP addresses used in Fortinet technical documentation are fictional and
follow the documentation guidelines specific to Fortinet. The addresses used are from the
private IP address ranges defined in RFC 1918: Address Allocation for Private Internets,
available at http://ietf.org/rfc/rfc1918.txt?number-1918.
Most of the examples in this document use the following IP addressing:
• IP addresses are made up of A.B.C.D
• A - can be one of 192, 172, or 10 - the non-public addresses covered in RFC 1918.
• B - 168, or the branch / device / virtual device number.
• Branch number can be 0xx, 1xx, 2xx - 0 is Head office, 1 is remote, 2 is other.
• Device or virtual device - allows multiple FortiGate units in this address space
(VDOMs).
• Devices can be from x01 to x99.
• C - interface - FortiGate units can have up to 40 interfaces, potentially more than one
on the same subnet
• 001 - 099- physical address ports, and non -virtual interfaces
• 100-255 - VLANs, tunnels, aggregate links, redundant links, vdom-links, etc.
• D - usage based addresses, this part is determined by what device is doing
• The following gives 16 reserved, 140 users, and 100 servers in the subnet.
• 001 - 009 - reserved for networking hardware, like routers, gateways, etc.
• 010 - 099 - DHCP range - users
• 100 - 109 - FortiGate devices - typically only use 100
• 110 - 199 - servers in general (see later for details)
• 200 - 249 - static range - users
• 250 - 255 - reserved (255 is broadcast, 000 not used)
• The D segment servers can be farther broken down into:
• 110 - 119 - Email servers
• 120 - 129 - Web servers
• 130 - 139 - Syslog servers
• 140 - 149 - Authentication (RADIUS, LDAP, TACACS+, FSAE, etc)
• 150 - 159 - VoIP / SIP servers / managers
• 160 - 169 - FortiAnalyzers
• 170 - 179 - FortiManagers
• 180 - 189 - Other Fortinet products (FortiScan, FortiDB, etc.)
• 190 - 199 - Other non-Fortinet servers (NAS, SQL, DNS, DDNS, etc.)
• Fortinet products, non-FortiGate, are found from 160 - 189.
The following table shows some examples of how to choose an IP number for a device
based on the information given. For internal and dmz, it is assumed in this case there is
only one interface being used.
FortiOS™ Handbook v2
01-420-99686-20101026 91
http://docs.fortinet.com/ • Feedback
Document conventions
Linux PC
10.11.101.20
IN
10 T
.11
.10
FortiWiFi-80CM 1.1
01
Windows PC
10.11.101.10
Internal network 10
.11
.10 Po
1.1 rt 2
02
P P
10 ort 2 17 ort 1
.11 10 2.2 (s
.10 .11 0 . 1 n i ff
1.1 Switch .10 Po 20 er
FortiAnalyzer-100B 30 1.1 rt 2 FortiGate-82C .14 mo
00 1 de
)
10
.11
.10 Por
1.1 t 1
10 P
17 ort 1 3)
2.2 nd
0.1 2a
20 s
FortiGate-620B
.14
1 p ort
f
Po rt 8 r o
HA cluster
an rt 2 Po mirro
FortiMail-100C d3 (
rt 1
Po
Switch
He
ad
o ff
ice
P
10 ort 1
.21
.10
FortiGate-3810A 1.1
01
Linux PC 17
2.2
10.21.101.10 Bra 0.1
20 WAN
nch Bra .12 1
o ff nch 2
ice o ff
ice I
10 ntern
.31 al
.10
FortiGate-51B 1.1
0 0
60
1.1
rt 1 10
Po 0.21.
1
Windows PC
10.31.101.10
FortiManager-3000B
rt 4
Po .100
1
2 .10
.2
10 Cluster
Port 1: 10.21.101.102
FortiGate-5005FA2
Port 1: 10.21.101.102
FortiGate-5005FA2
Port 1: 10.21.101.103
FortiSwitch-5003A
Port 1: 10.21.101.161
FortiGate-5050-SM
Port 1: 10.21.101.104
Engineering network
10.22.101.0
Caution: Warns you about commands or procedures that could have unexpected or
undesirable results including loss of data or damage to equipment.
Note: Presents useful information, but usually focused on an alternative, optional method,
such as a shortcut, to perform a step.
Tip: Highlights useful additional information, often tailored to your workplace activity.
FortiOS™ Handbook v2
01-420-99686-20101026 93
http://docs.fortinet.com/ • Feedback
Document conventions
Typographical conventions
Fortinet documentation uses the following typographical conventions:
Table 2: Typographical conventions in Fortinet technical documentation
Convention Example
Button, menu, text box, From Minimum log level, select Notification.
field, or check box label
CLI input config system dns
set primary <address_ipv4>
end
CLI output FGT-602803030703 # get system settings
comments : (null)
opmode : nat
Emphasis HTTP connections are not secure and can be intercepted by a third
party.
File content <HTML><HEAD><TITLE>Firewall
Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this
service.</H4>
Hyperlink Visit the Fortinet Technical Support web site,
https://support.fortinet.com.
Keyboard entry Type a name for the remote VPN peer or client, such as
Central_Office_1.
Navigation Go to VPN > IPSEC > Auto Key (IKE).
Publication For details, see the FortiOS Handbook.
Convention Description
Angle brackets < > A word constrained by data type.
To define acceptable input, the angled brackets contain a descriptive
name followed by an underscore ( _ ) and suffix that indicates the
valid data type. For example:
<retries_int>
indicates that you should enter a number of retries, such as 5.
Data types include:
• <xxx_name>: A name referring to another part of the
configuration, such as policy_A.
• <xxx_index>: An index number referring to another part of the
configuration, such as 0 for the first static route.
• <xxx_pattern>: A regular expression or word with wild cards
that matches possible variations, such as *@example.com to
match all email addresses ending in @example.com.
• <xxx_fqdn>: A fully qualified domain name (FQDN), such as
mail.example.com.
• <xxx_email>: An email address, such as
admin@mail.example.com.
• <xxx_url>: A uniform resource locator (URL) and its associated
protocol and host name prefix, which together form a uniform
resource identifier (URI), such as
http://www.fortinet./com/.
• <xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
• <xxx_v4mask>: A dotted decimal IPv4 netmask, such as
255.255.255.0.
• <xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
separated by a space, such as
192.168.1.99 255.255.255.0.
• <xxx_ipv4/mask>: A dotted decimal IPv4 address and
CIDR-notation netmask separated by a slash, such as such as
192.168.1.99/24.
• <xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address,
such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
• <xxx_v6mask>: An IPv6 netmask, such as /96.
• <xxx_ipv6mask>: An IPv6 address and netmask separated by a
space.
• <xxx_str>: A string of characters that is not another data type,
such as P@ssw0rd. Strings containing spaces or special
characters must be surrounded in quotes or use escape
sequences.
• <xxx_int>: An integer number that is not another data type,
such as 15 for the number of minutes.
FortiOS™ Handbook v2
01-420-99686-20101026 95
http://docs.fortinet.com/ • Feedback
Entering FortiOS configuration data
Convention Description
Curly braces { } A word or series of words that is constrained to a set of options
delimited by either vertical bars or spaces.
You must enter at least one of the options, unless the set of options is
surrounded by square brackets [ ].
Options Mutually exclusive options. For example:
delimited by {enable | disable}
vertical bars | indicates that you must enter either enable or disable, but must
not enter both.
Options Non-mutually exclusive options. For example:
delimited by {http https ping snmp ssh telnet}
spaces indicates that you may enter all or a subset of those options, in any
order, in a space-delimited list, such as:
ping https ssh
Note: To change the options, you must re-type the entire list. For
example, to add snmp to the previous example, you would type:
ping https snmp ssh
If the option adds to or subtracts from the existing list of options,
instead of replacing it, or if the list is comma-delimited, the exception
will be noted.
|- fqdn (256)
|- cache-ttl (0,86400)
|- wildcard
|- comment (64 xss)
|- associated-interface (16)
+- color (0,32)
Note that the tree command output also shows the number of characters allowed for other
firewall address name settings. For example, the fully-qualified domain name (fqdn) field
can contain up to 256 characters.
FortiOS™ Handbook v2
01-420-99686-20101026 97
http://docs.fortinet.com/ • Feedback
Training
Training
Fortinet Training Services provides courses that orient you quickly to your new equipment,
and certifications to verify your knowledge level. Fortinet provides a variety of training
programs to serve the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training
Services web site at http://campus.training.fortinet.com, or email training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the
most up-to-date versions of Fortinet publications, as well as additional technical
documentation such as technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet
technical documentation on the Fortinet Tools and Documentation CD, and on the Fortinet
Knowledge Center.
This section explains general upgrading issues for both FortiOS and FortiOS Carrier that
may affect your configuration. This section also includes a top ten features topic that
explains the top most interesting features in FortiOS 4.0 MR2. For more information about
upgrading to FortiOS 4.0 MR2, see “Upgrading practices” on page 103.
This section contains the following topics:
• Top ten features
• Upgrading issues for FortiOS 4.0 MR2
• Upgrading issues for FortiOS Carrier
Topology viewer
The Topology viewer is not supported in FortiOS 4.0 MR2 and, therefore, the settings that
you configured for this feature do not carried forward.
PPTP VPNs
PPTP VPN configuration was previously available in both the web-based manager and
the CLI; however, now PPTP VPNs are configured only in the CLI. The following
commands are used when configuring PPTP VPNs
config vpn pptp
set status {enable | disable}
set eip <end_ip_address>
set ip-mode {range | usrgrp}
set sip <start_ip_address>
set usrgrp <user_group>
end
VoIP settings
When you upgrade to FortiOS 4.0 MR2, VoIP settings that were implemented in the
following scenario are not moved to the DLP archive feature.
• In FortiOS 4.0 Patch Release 4 has two protection profiles, PP1 and PP2.
• PP1 contains a DLP sensor (DLP1) and application control list (APP1); APP1
archives SIP messages.
• PP2 contains a DLP sensor (DLP1) and application control list (APP2); APP2 which
has content-summary enabled for SIMPLE.
HTTPS AV scanning
In FortiOS 4.0 MR2, if the FortiGate unit is configured to perform a deep inspection using
explicit web proxy, it does not work properly. There is currently no workaround.
After upgrading, verify that the build number and branch point match the firmware image.
You can view this in the web-based manager in the System Information widget, or use the
get system status command syntax in the CLI.
You should review the release notes for FortiOS, because it contains specific information
about what did not carry forward when upgrading from the firmware that is mentioned in
the above table.
Upgrading practices
When you are ready to install the new firmware on your unit, for either FortiOS or FortiOS
Carrier, you need to follow the below general procedure for upgrading.
Before installing any firmware image, you must back up the current configuration file on
the FortiGate unit. This ensures that you have a current configuration file if the upgrade is
not successful. You are also ensuring that all configuration settings are available if there
are some that are not carried forward.
The following procedure backs up the configuration file from the web-based manager.
2 In the System Information widget, select Backup in the System Configuration line.
You are automatically redirected to the Backup page.
3 Select the location where the configuration file will be stored on.
4 Select the check box beside Encrypt configuration file to encrypt the configuration file.
If you want to encrypt your configuration file to save VPN certificates, select the
Encrypt configuration file check box, enter a password, and then enter it again to
confirm.
5 Select Backup.
6 Save the file.
Note: You have only three seconds to press any key. If you do not press a key soon
enough, the FortiGate unit reboots and you must log in and repeat the execute reboot
Y
command.
6 If you successfully interrupt the startup process, the following message appears:
[G]: Get firmware image from TFTP server
[F]: Format boot device
[B]: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default firmware
[H]: Display this list of options.
Enter G, F, Q, or H:
7 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
8 Type the address of the TFTP server and press Enter.
The following message appears:
Enter Local Address [192.168.1.168]:
9 Type an IP address of the FortiGate unit to connect to the TFTP server.
The IP address must be on the same network as the TFTP server, but make sure you
do not use the IP address of another device on the network.
The following message appears:
Enter File Name [image.out]:
10 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the
following appears:
Save as Default firmware/Backup firmware/Run image without
saving: [D/B/R]
11 Type R.
The firmware image is installed to system memory and the FortiGate unit starts running
the new firmware image, but with its current configuration.
12 When you are done, reboot the FortiGate unit and it will resume using the previous
firmware image, FortiOS 4.0.4 build-0113.
Figure 3: Modifying settings within the VDOM list in System > VDOM > VDOM
Check box
column
Use the following procedure whenever you need to make modifications to any feature’s
settings. This procedure assumes that you are already at the location where you need to
make modifications in, such as in Figure 2.
Tip: You can edit a row by simply double-clicking your mouse in that row. You are
automatically redirected to the page where you can modify the settings of that item. This
applies only to editing an item.
After the modifications are made, and you are back to the list on the page, the check box
is unselected and the row unhighlighted.
Adding dashboards
You can add multiple dashboards within the Dashboard menu. The dashboards are add
as menus within the Dashboard menu. For example, branchoffice, is added below Usage,
within the Dashboard menu (System > Dashboard > branchoffice).
You must add the first dashboard from within the Status page. The dashboards that you
add to the Dashboard menu appear below the first two menus, Status and Usage. You can
add any type of widget that you want, to the dashboard that you created.
Widgets
The existing IM/P2P/VoIP widgets from UTM > Application Control > Statistics are now
available as widgets an can be customized.
These dashboard widgets are customized using either the web-based manager or CLI;
however, Fortinet encourages administrators to customize dashboard widgets within the
web-based manager, because you can see the customized settings immediately after
applying them.
This topic contains the following:
• Per-IP Bandwidth Usage
• P2P Usage
• IM Usage
• VoIP Usage
• Storage
• Alert Message Console enhancement
P2P Usage
The P2P Usage widget displays the total bytes and total bandwidth for each supported
instant messaging client. These clients are WinNY, BitTorrent, eDonkey, Guntella, and
KaZaa. The P2P Usage widget can be displayed on either the Status or Usage page. You
can add it to either page by select +Widget, which is located at the bottom of the page.
Widgets can be customized to suite your needs; however, the P2P Usage widget can only
be renamed.
To change the name, select the Edit icon in the title bar area and then enter a new name in
the Custom Widget Name field. Select OK to save the change.
Note: The information displayed in this widget comes from the new application control
monitoring feature. You must enable this feature within the application control so that the
information is displayed in the widget.
IM Usage
The IM Usage widget provides detailed information about instant messaging client activity
that is occurring on your network. In the IM Usage widget, you can view information
regarding users, chats, messages, file transfers between clients, and any voice chats that
occurred as well. IM Usage provides this detailed information for IM, Yahoo!, AIM, and
ICQ.
Widgets can be customized to suite your needs; however, the IM Usage widget can only
be renamed.
To change the name, select the Edit icon in the title bar area and then enter a new name in
the Custom Widget Name field. Select OK to save the change.
VoIP Usage
The VoIP Usage widget displays information about VoIP calls that use the SIP and SCCP
protocols. You can view the number of calls that were dropped, failed or went
unanswered. You can easily and quickly view how many calls succeeded in getting
through, and how many calls there were in total from when you last cleared the
information in the widget.
Widgets can be customized to suite your needs; however, the VoIP Usage widget can only
be renamed.
To change the name, select the Edit icon in the title bar area and then enter a new name in
the Custom Widget Name field. Select OK to save the change.
Storage
The Storage widget provides detailed information about the amount of space available and
used on your local hard disk. This widget also shows the interface that is primarily using
the space as well as the total capacity (in GB) of the local disk.
Widgets can be customized to suite your needs; however, the Storage widget can only be
renamed.
To change the name, select the Edit icon in the title bar area and then enter a new name in
the Custom Widget Name field. Select OK to save the change.
The following CLI command syntax supports this new option for the Alert Message
Console widget:
config system global
FSAE enhancements
The Fortinet Server Authentication Extension (FSAE) has two enhancements, support for
polling domain controllers and DC agent distribution. FSAE provides authentication
information to the FortiGate unit so that users automatically gain access to permitted
resources on a Microsoft Windows or Novell network without having to input login
information twice.
You can now install FSAE on a separate Windows server where it will poll the Domain
Controller (DC) periodically for log on and log off events. These events will then be sent
directly to the FortiGate unit.
The FSAE DC agent distribution feature provides a way to automate software distribution
on the FSAE DC agent itself. An MSI file is created which is then installed on the DC
agent. A simple GUI program is created to configure the DC agent setting. The installation
then installs a file (dcagent.dll) and the simple configuration utility to the Windows server.
Disk management
This new feature allows you to manage disk storage for log files as well as WAN Opt
storage. The data that you can store on the disk also includes firmware images,
configuration files, Antivirus databases and IPS databases, and much more.
Partitions are sections or databases within the drive itself. Partitions provide a more
manageable storage location because data is accessed more quickly and efficiently.
The following table explains the data types and where they are located on a drive on a
FortiGate unit. The partitions themselves are represented as numbers, for example,
section 1 of the hard disk contains primary and secondary firmware, section 2 contains
only archives, and section 3 contains only firmware images. The table also explains the
new data types (identified by the asterisk symbol) and their location on the disk.
Table 5: The data types where they are located on the drive
Table 5: The data types where they are located on the drive (Continued)
*Extreme IPS Database IPS Database extensions to include Flash partition on either 2
malware and malicious URL entries or 3
*Vulnerability Database Vulnerability Database Flash partition on either 2
or 3
If your FortiGate unit has a fixed disk, or if there is only a single disk on the unit, the
configuration is determined by the size of the partitions. Platforms that are affected by this
are ones that use one system partition, and two user partitions.
If your FortiGate unit has multiple disks, Fortinet recommends choosing one disk to store
log and system data on, and then choose which disk to use for which data types. For
example, disk 1 is used for log and system data storage, while disk 2 is used for firmware
image storage, disk 3 is used for databases (all databases, such as Vulnerability), and
disk 4 is used for quarantined files. The FortiGate unit will automatically make the decision
on how to load balance WAN Opt and Web Cache storage issues among the multiple
disks.
Configuration options may vary widely with removable disks, since there could be up to
ten removable disks. If the user inserts extra disks into a multiple-disk FortiGate model,
the administrator will have the option to assign the disks for WAN Opt and Web Cache.
Note: RAID is not included in this release of the Disk Management feature.
Firmware images and templates must be deleted when the limit is reached and for
revision history, when the maximum number of files is reached, the FortiGate replaces the
oldest files with the new ones. This behavior is similar to how logs are rolled, since you
can configure the FortiGate unit to roll a log when the maximum log size is reached.
The following is a CLI command syntax that you can use to find the flash size on your
FortiGate unit.
get hardware status
An example of what may display after entering the above CLI command syntax (from a
FortiGate-51B unit):
Model name: Fortigate-51B
ASIC version: CP6
ASIC SRAM: 64M
CPU: Geode(TM) Integrated Processor by AMD PCS
RAM: 502 MB
Compact Flash: 981 MB /dev/hda
Hard disk: 30711 MB /dev/hde
USB Flash: not available
Network Card chipset: ip175c-vdev (rev.)
SIP HA failover
The SIP HA failover supports a low outage configuration for carrier grade networks to
reduce the downtime to a minimum. This applies to planned outages, such as software or
hardware upgrades, or an unplanned outage, such as a hardware failure. In large
enterprise configurations, SIP HA failover has become a requirement for high-end IP
PABX and high capacity SIP trunking applications for the same reason.
• Column – assists the analyst to locate the point where the FortiGate unit believes the
header is malformed.
The following table outlines the SIP header field with the option associated with it in the
CLI.
Table 7: SIP header fields and their associated CLI variable
If the FortiGate unit detects a new or unknown SIP header field, you can configure the
FortiGate unit to take an action in that case. This may mean the message is passed or
discarded.
Protocol 132
Incoming interface internal
Source address/mask 0.0.0.0 0.0.0.0
Destination address/mask 0.0.0.0 0.0.0.0
Destination Ports From 2905 to 2905
Type of Service 00 and 00
Force traffic to:
Outgoing interface external
Gateway address 1.1.1.1
grep
The grep command allows users to search the CLI using the show, get and diag
commands. A grep command is a type of command line text search utility that searches
files or standard input globally for lines that match a given regular expression. The grep
command is based on the standard UNIX grep command.
The grep command supports:
• ignore case distinctions
• print line number with output line
• select non-matching lines
• only print count of matching lines
• print NUM lines of trailing context
• print NUM lines of leading context
• print NUM lines of output context
The grep command is used in the following way:
show <config_command> <subcommand> | grep regex_expression
diag <config_command> <subcommand> | grep regex_expression
get <config_command> <subcommand> | grep regex_expression
Example
The following is an example of how to use the grep command to display all TCP sessions
in the session list, including the session list line number.
get system session list | grep -n tcp
Note: For each routing protocol, you can also use a redistribute command to
redistribute IS-IS routes with the other protocol. For example, to redistribute IS-IS routes
over OSFP enter:
config router ospf
config redistribute isis
set statue enable
end
end
get system auto-update Retrieves update status information for scheduled updates,
status push update, virus defniitions, IPS definitions, server
override, push address override, and web proxy tunneling.
The information also indicates whether FDN is available.
get system auto-update Retrieves information about updates for FortiGuard services,
version such as antivirus.
get system startup-error-log Retrieves any errors that occurred during start up.
get system auto-update Retrieves update status information for scheduled updates,
status push update, virus defniitions, IPS definitions, server
override, push address override, and web proxy tunneling.
The information also indicates whether FDN is available.
get webfilter status The refresh-rate variable provides how often to refresh the
<refresh-rate> server lists in minutes.
exec tac report A debug report is generated.
get system performance Retrieves packet distribution statistics.
firewall packet-distribution
get system performance Retrieves traffic statistics. These statistics retrieve how
firewall statistics many packets were created during sessions such as IM,
web browsing and generic UDP.
get system session-helper- Retrieves the session’s protocol amount and port number
info used.
get system session-ttl Retrieves the session’s TTL configuration information.
get system performance top Retrieves detailed information about the top performance
protocols
get router info kernel Retrieves information about the routing kernel.
get hardware npu Retrieves information about hardware NPU. When you enter
{legacy | npux …} the command, it must be in the following order:
{list | session | setting} get hardware npu {legacy | npu1 | npu2 |
npu3} {list | session | setting}
Note: For get hardware npu there are additional settings
within the NPU device list. For example, under npu2, the
following is available: performance.
Example
When the vdom-admin is enabled, the following CLI command syntaxes are available:
config global
config system resource-limits
You can configure sFlow only from the CLI. To begin using sFlow, you must add the IP
address of your sFlow connector to the FortiGate configuration and then configure sFlow
agents on FortiGate interfaces.
Example configuration
The following is an example that helps to explain how to configure your FortiGate unit to
send sFlow datagrams to an sFlow collector. This example configuration also includes
how to config sFlow with multiple VDOMs.
2 If required you can also change the UDP port number that the sFlow agent uses. You
should only change this port if required by your network configuration or sFlow
collector. The default sFlow port is 6343. The following command changes the sFlow
agent port to 5345.
config system sflow
set collector-port 6345
end
3 Use the following command to enable sFlow for the port1 interface:
config system interface
edit port1
set sflow-sample enable
end
4 Repeat this step to add sFlow agents to other FortiGate interfaces.
5 You can also change the sampling rate, polling interval, and sample direction for each
sFlow agent:
config system interface
edit port1
set sample-rate <rate_number>
set polling-interval <frequency>
set sample-direction {both | rx | tx}
end
Maintenance
The Maintenance menu has been redesigned for FortiOS 4.0 MR2. This new redesign
incorporates the disk management enhancements introduced in this release. The new
redesign moves the Backup and Restore menu’s settings to the System Information
widget.
The System Information widget displays the date and time of when the configuration was
previously backed up, as well as the options to backup (select Backup to back up the
configuration) or restore a configuration (select Restore to restore a previously backed up
configuration). When you select Backup, you are automatically redirected to the Backup
page which contains the same options that were previously found in the Backup and
Restore menu. When you select Restore, you are automatically redirected to the Restore
page, which contains the same options that were previously found in the Backup and
Restore menu.
The Maintenance menu now contains the following menus:
• Firmware – allows you to upgrade firmware; if you have partitioned the hard drive, you
can also upload or upgrade the firmware on that partition
• FortiGuard – allows you to view FortiGuard subscriptions as well as configuring
settings for the FortiGuard Analysis server
• Advanced – allows you to upload scripts, configure an automatic install of a firmware
image and configuration file from a USB key, and you can also download a debug log
file for use in debugging the FortiGate unit.
• License – has not changed; still allows you to include a VDOM license to extend the
amount of VDOMs on your FortiGate unit.
• Disk – provides information about the amount of space being used or that is free on the
hard drive; also includes detailed information about the data that is being stored, for
example disk logging has 5 MB allocated, 1 MB that is being used, and 100 percent of
quota usage.
HA subsecond failover
HA subsecond failover is an extension of the HA failover mechanism. This new feature
allows you to configure subsecond failover for your HA configuration. This feature applies
to interfaces (or ports) with NP2 or newer network processors. FortiGate-310B units and
above support this feature.
The following is an example of the CLI command syntax used to configure subsecond
failover for HA:
config system ha
set subsecond enable
end
Internal
Network
SNMP Server
10.11.101.20
Switch
Port2: 10.11.101.100
Internet
From the CLI, you can also configure a default route that is only used by the reserved
management interface.
You can change the IP address of the primary unit reserved management interface from
the primary unit web-based manager. Configuration changes to the reserved
management interface are not synchronized to other cluster units.
Alias primary_reserved
IP/Netmask 10.11.101.101
Administrative Access Ping, SSH, HTTPS, SNMP
3 Select OK.
You can now log into the primary unit web-based manager by browsing to
https://10.11.101.101 and the primary unit CLI by using an SSH client to connect to
10.11.101.101.
At this point, you cannot connect to the subordinate unit’s reserved management interface
because it does not have an IP address. Instead, the following procedure describes
connecting to the primary unit’s CLI and using the execute ha manage command to
connect to that subordinate unit’s CLI to change the port8 interface. You can also use a
serial connection to connect to the cluster unit’s CLI. Configuration changes to the
reserved management interface are not synchronized to other cluster units.
The following procedure describes how to configure the cluster to allow the SNMP server
to get status information from the primary unit and the subordinate unit. The SNMP
configuration is synchronized to all cluster units. To support using the reserved
management interfaces for, you must add at least one HA direct management host to an
SNMP community. If your SNMP configuration includes SNMP users with user names and
passwords, you must also enable HA direct management for SNMP users.
To configure the cluster for SNMP management using the reserved management
interfaces - CLI
1 Enter the following command syntax to add an SNMP community called Community
and add a host to the community for the reserved management interface of each
cluster unit. The host includes the IP address of the SNMP server (10.11.101.20).
config system snmp community
set name Community
edit 1
config hosts
edit 1
set ha-direct enable
set ip 10.11.101.20
end
end
2 Enter the following command syntax to add an SNMP user for the reserved
management interface.
config system snmp user
edit 1
set ha-direct enable
set notify-hosts 10.11.101.20
end
3 Configure other settings as required.
Example
The following is an example of how to configure a profile in the UTM menu and then how
to apply it to a firewall policy. All profiles are applied to a firewall policy the same way as in
this example, even DLP sensors and protocol options.
4 Select the check box beside Antivirus, and then select av_email from the drop-down
list.
5 Select OK.
VoIP profile
The VoIP menu in UTM contains configuration settings for creating multiple profiles for
applying SIP and SCCP protocols to firewall policies. The VoIP menu allows you to
configure specific SIP or SCCP settings that will monitor and examine these protocols
when applied to a firewall policy. For example, you create a profile that is only for SIP calls
and enable logging which includes logging of violation traffic.
When configuring a VoIP profile, you can enable logging of SIP and/or SCCP traffic,
including violation of traffic. These logs appear in the Log Access menu of the Log&Report
menu.
Move To Select Before to move a NAT rule set before another set, and then enter the ID
(Move Policy number of the set that will come before it. The ID is the number from the NAT ID
page) column. For example, Policy ID is 1; 2 is entered in the Policy ID field so that 2
comes before 1 in the list.
Select After to move a NAT rule set after another set, and then enter the ID
number of the set that comes after it. The ID is the number from the NAT ID
column. For example, Policy ID is 4; 3 is entered in the Policy ID field so that 3
comes before 4.
Status Indicates whether the NAT rule set has been enabled or disabled. The check
mark in the check box indicates that it is enabled. If the row is grayed, and there is
no check mark in the check box, then the NAT rule set is disabled.
NAT ID The NAT identification number. This number is used when indicating where to
move the NAT rule set within the list.
Original The source IP address. You can add multiple IP addresses to the Source Address
Address by select Multiple. When you select Multiple, the Choose Multiple Address
window appears.
To choose multiple addresses, from the Choose Multiple Addresses window,
select the address in Available Addresses, and then select the down arrow to
move it to Members:.
Original Port The original source port number range.
Translated The translated IP address range
Address
Translated Port The translated port number range.
New Nat page
Provides settings for configuring the NAT rule set.
Source Address Select the source IP address from the drop-down list. You can optionally create a
group of source IP addresses when you select Multiple in the drop-down list. You
can also create a new source IP address when you select Create New in the
drop-down list.
Translated Select the dynamic IP pool from the drop-down list.
Address
Original Port Enter the port that the address is originating from.
Translated Port Enter the translated port number range. The number in the Original Source Port
field must be greater than the port number that is entered in this field.
IM users
Previously, by default, the IM tabs in User > IM and User > Monitor > IM appeared by
default. The new menu arrangement in the User menu in FortiOS 4.0 MR2 hides these
menus by default until you create an IM user in the CLI.
The menus for IM users appear in User > User and User > Monitor in the web-based
manager after configuring an IM user using the config imp2p command.
5 In the table under FortiGuard Web Filtering, in the FortiGuard Quota area, use the
following to configure the settings you want for each category, category group and
classification:
Disable By default, quotas are disabled for all categories, category groups and
classifications. Select Enable to allow configuration of quota settings.
Enable Select to allow access to configuring the quota settings.
Exempt The quota checking sequence occurs for every URL that the user accesses and
this can cause unexpected behavior. Select to effectively ignore the category,
category group, or classification entirely. Use when accessed web pages load
elements from other sites that contain different category ratings. For example,
pages that load ads from advertising sites.
This action does not stop an already running quota timers.
Quota Enter a number for the time, which can be in hours, minutes or seconds. Select
the type of time from the drop-down list, Minute(s) Hour(s) or Second(s).
6 Select OK.
Note: You cannot edit the existing Implicit 1 or Implicit 2 application entries to include traffic
shaping.
The following procedure assumes that you have already configured a traffic shaper and an
application control list.
Note: You must have an iTunes account to access the FortiMobile SSL-VPN web access
app.
This negotiation failure is clearly seen in the log message, within the hostname field; the
hostname field contains no information at all.
edit rule-list
config entries
edit 1
set application 379
set category 0
set vendor 446
set action allow
set status installed
next
end
set comment “for branch office use only”
set other-application-action deny
end
end
The Network Vulnerability feature, previously found only on FortiAnalyzer units and
FortiScan, allows you to analyze information as well as ensure and enforce PCI
compliance. This feature is used for larger enterprises.
Network Vulnerability Scan options and settings are found in Endpoint > Network
Vulnerability Scan. When you are ready to start configuring network vulnerability scan
options, you must ensure that an asset is configured and then you can schedule a scan.
An asset must be configured because it is used by the FortiGate unit as instructions on
what to scan and whether there is windows authentication required or unix authentication
required.
When the scan is performed, it automatically applies all assets or asset groups that are
enabled. The scan behaves as follows:
• all Host assets are discovered as specified in the host definition
• all discovered hosts are scanned for the configured sensors, port scan, and so on
• all IP Range assets are discovered as specified in the range definition
• scanning is run for each unique IP in the list, and up to the maximum number of IPs
supported per-platform
• results from the scan are stored either on the FortiAnalyzer unit, or in the SQL
database
In FortiOS 4.0 MR2 Patch 1 release, you can discover assets or start a scan from the
Asset page. You can also view when the last scan was performed, which is displayed
beside Last scan:. For example, if a scan was performed over the weekend, it displays
Last scan: 2010-06-05 13:15:50.
Configuring assets
Assets must be configured so that the unit knows what to scan.
Configure an asset in Endpoint > Network Vulnerability Scan > Asset using the following
table. The information in the following table is based on FortiOS 4.0 MR2 Patch 1 release
because it resolves issues in the GA release.
Asset page
Lists each individual asset that you created. On this page, you can edit, delete or create a new
asset.
Create New Creates a new asset. When you select Create New, you are
automatically redirected to the new asset page, called Asset in the
web-based manager.
Edit Modifies settings in an asset. When you select Edit, you are
automatically redirected to the edit asset page, called Asset in the
web-based manager.
Delete Removes an asset from the list on the Asset page. You can also
remove multiple assets from the list, or remove all assets from the list
as well.
To remove multiple assets in the list, on the Asset page, in each of the
rows of the sets you want removed, select the check box and then
select Delete.
To remove all NAT rules sets in the list, on the Asset page, select the
check box in the check box column, and then select Delete.
Last scan: Displays when the last scanned occurred. The time format is in year,
[yyyy-mm-dd hh:mm:ss] month, day, and then the 24 hour format. For example, a scan was
performed at 1 pm, the time displays 2010-06-04 13:00:00.
Start Running. Started: Appears when a user selects Start Scan, and the FortiGate unit begins
[yyyy-mm-dd hh:mm:ss] scanning the network. Displays the time when the scan began.
Stop Appears when a user selects Start Scan. Select whenever you want to
immediately stop scanning the network.
Assets Found (n) Displays how many assets where found. If there were any found, you
can select Assets Found and view the Assets window, which allows
you to import the assets to the FortiGate unit. Any duplicates that are
found during the importing process are removed.
Discover Assets Select to find out if there are any assets on the network. The FortiGate
unit uses the asset list that you created to perform the scan.
Start Scan The last discovery that the asset found.
Name The name of the asset.
IP Address/Range The IP address and/or range entered for that asset.
If Host was chosen as the type for the asset, then the IP address of
the host displays. If Range was chosen as the type for the asset, the
IP address range appears.
Enable Displays whether or not the asset is enabled for scanning.
Last Discovery The last discovery that was found.
Asset Settings page
Provides settings for configuring an asset.
Name Enter a name for the asset that you are creating.
Type Select Host to configure the host’s IP address. Select Range to
configure the IP address range.
IP Address Enter the IP address of the host, or the IP address range. This
depends on what type you selected in Type.
Scan Type Select Asset Discovery Only to use only the asset for scanning. Select
Vulnerability Scan to scan for various vulnerabilities.
Windows Authentication Select to use authentication on a Windows operating system. Enter
the username and password in the fields provided. The fields appear
after selecting Windows Authentication.
Unix Authentication Select to use authentication on a Unix operating system. Enter the
username and password in the fields provided. The fields appear after
selecting Unix Authentication.
Scheduling a scan
You can configure settings to schedule when a scan is performed by the FortiGate unit.
Configure a schedule in Endpoint > Network Vulnerability Scan > Scan using the following
table.
The following is an example of a configured Web Cache exempt list when configured
using the CLI.
config wanopt webcache
set explicit enable
set cache-exempt enaqble
config cache-exemption-list
edit 1
set url-pattern 192.168.1.99
set status disable
next
edit 2
set url-pattern example.com/pic123/321
next
edit 3
set url-pattern 10.10.10.1
end
The Carrier menu also provides configuration of MMS content checksum lists, notification
lists, carrier endpoint filter lists, and IP filter lists. You can view message floods, or a
volume of messages that have been sent by one subscriber, from the Message Flood
menu. This menu also provides filtering capabilities so that you can view specific
messages. You can also view duplicate messages that were sent by senders from the
Duplicate Message menu. For more information about the features available in UTM >
Carrier, see the FortiOS Carrier MMS Protection chapter.
Profile Group
A profile group is a group of UTM features, including replacement message groups, that
can be applied to a firewall policy. A profile group allows you to group individual profiles for
each UTM function that you would otherwise apply individually to the firewall policy. These
UTM features include the following:
• Protocol options
• antivirus profiles
• IPS sensors
• web filter profiles
• email filter profiles
• DLP sensors
• application control lists
• VoIP profiles
• MMS profiles
• replacement message groups
If you want to include a replacement message group in a profile group, you must first
configure a replacement message group in System > Config > Replacement Message
Group. For more information about the features available in UTM > Carrier, see the
FortiOS Carrier MMS Protection chapter.
The FortiOS Carrier Dynamic Profile feature now dynamically assigns profile groups to
traffic.
Note: The basic traffic reports that were available in Log&Report > Report Access >
Memory are not supported.
Report enhancements
You can now configure reports that are based on logs stored on your FortiGate unit. These
new reports are called FortiOS reports. The Report Config menu provides settings for
configuring the report’s layout and schedule. This enhancement allows you to create and
generate reports directly on the FortiGate unit itself, without having to use a FortiAnalyzer
unit.
The Reports Config menu contains only the menus that are available for the remote
logging configuration. For example, on a FortiGate unit with an SQL database (which has
been configured to store logs), contains the menus Theme, Layout, Chart, and Image.
However, on another FortiGate unit that has been configured to store logs on a
FortiAnalyzer unit, only the FortiAnalyzer menu appears.
Both the menus, Report Config and Report Access, may not appear after upgrading to
FortiOS 4.0 MR2. You must use the following command syntax to enable them on the
web-based manager.
config log fortianalyzer setting
set gui-display enable
end
The Report Config menu contains the following menus:
• Theme – create a simple page layout with report title which you can then apply to a
report layout
• Layout – create a report that includes a theme, chart, image and schedule when the
report will be generated
• Chart – create different charts that will gather specific log information that displays
within the chart
• Image – import your company’s logo to include it within the report
A report is generated similarly to how a report is a generated on a FortiAnalyzer unit.
These new reports are available only on FortiGate units with hard drives that an SQL
database has been configured.
Note: Sending out a report as an email attachment, or uploading report files to a specific
server is not supported in FortiOS 4.0 MR2.
Configuring a theme
A theme allows you to configure how the information displays on the page, as well as the
type of font, page orientation, and if there will be multiple columns. After a theme is
configured, you can then apply it to the report’s layout. Themes are configured only in the
CLI.
If you want, you can apply the two default themes that are available in the Add Report
Layout page.
For more information about the theme commands, see the FortiGate CLI Reference.
To configure a theme for a report, log in to the CLI and then enter the following commands.
config report theme
edit <theme_name>
set column-count [ 1 | 2 | 3]
set default-html-style <string>
set default-pdf-style <string>
set graph-chart-style <string>
set heading1-style <string>
set heading2-style <string>
set heading3-style <string>
set heading4-style <string>
set hline-style <string>
set image-style
set normal-text-style
set page-footer-style
set page-header-style
set page-orient {landscape | portrait}
set page-style
set report-subtitle-style
set report-title-style
set table-chart-caption-style
set table-chart-even-row-style
set table-chart-head-style
set table-chart-odd-row-style
set table-chart-style
set toc-heading1-style
set toc-heading2-style
set toc-heading3-style
set toc-heading4-style
set toc-title-style
end
When you are choosing a setting for any of the above commands (except for column-
count), enter ? to view the choices that are available.
You can configure a specific style that is then applied to the theme using the config
report style command syntax. You must first select the settings in the options
variable before you can configure the styles for each.
Importing images
You can import an image to use for a report. The image formats that are supported are
JPEG, JPG and PNG.
Import images from Log&Report > Report Config > Image using the following table.
Image page
Lists all the images that you have imported. On this page, you can delete an image, import an image
from your local PC, or view an image.
Delete Removes an image from the list on the page. You can remove multiple images,
or all images at once.
To remove multiple images from the list, on the Image page, select the check
box in each of the rows of the images you want to remove, and then select
Delete.
To remove all images from the list, on the Image page, select the check box in
the check box column, and then select Delete.
Configuring a chart
There are default charts available when configuring a report layout; however, you can
configure your own charts for report layouts. When configuring charts, you must also
configure datasets because datasets are used to gather specific data from the SQL
database. You should configure the datasets you need for a report layout first, and then
configure the chart.
You must have prior knowledge about Structured Query Language (SQL) before
configuring datasets because datasets require SQL statements. Datasets are configured
only in the CLI.
Configure charts in Log&Report > Report Config > Chart using the following table.
Chart page
Lists all the charts, both default and the ones that you created. On this page, you can edit, delete
and create new charts.
Create New Creates a new chart. When you select Create New, you are automatically
redirected to the Add Graph Report Chart page.
Edit Modifies settings of an existing chart. When you select Edit, you are
automatically redirected to the Edit Graph Report Chart page.
Delete Removes a chart from the list on the Chart page. You can also remove multiple
charts, or all charts within the list.
To remove multiple charts from the list, on the Chart page, select the check box
in each of the rows of the charts you want to remove, and then select Delete.
To remove all charts from the list, on the Chart page, select the check box in the
check box column, and then select Delete.
Name The name of the chart.
Type The type of information that will display within the chart. For example, a bar
chart displays attack log information in the Attacks_February chart.
Dataset The dataset that will be used for the chart.
Comments The description about the chart.
Add Graph Report Chart page
Provides settings for configuring charts for report layouts.
Name Enter a name for the chart.
Dataset Select a configured dataset for the chart.
Category Select a log category for the chart.
Comments Enter a comment to describe the chart. This is optional.
Graph Type Select the type of graph that will display the information within the chart. If you
select Pie, only Category Series and Value Series appears.
Category Series Enter the fields for the category in the Databind field.
The databind is a combination of the fields derived rom the SQL statement or
named fields in the CLI. For example, field(3).
Value Series Enter the fields for the value in the Databind field.
The databind is a combination of the fields derived rom the SQL statement or
named fields in the CLI. For example, field(3).
X-series The settings for the x axis of the line, bar or flow chart.
Databind Enter an SQL databind value expression for binding data to the series being
configured. For example, field(3).
Category Axis Select to have the axis show the type of log category. The default is no log
category will appear on the axis.
Scale Sets the type of format to display the date and time on the x axis.
Format Choose the type of time format that displays on the x axis.
Number of Step Choose the number of steps on the horizontal axis of the graph.
Step Enter the number of scale units in each x axis scale step.
Unit Select the unit of the scale-step on the x-axis.
Y-series The Y-series settings to configure the y part of the line, bar or flow chart.
Databind Enter the fields for the x-series.
The databind is a combination of the fields derived rom the SQL statement or
named fields in the CLI. For example, field(3).
Group Enter a group in the field.
Layout page
Lists all the report layouts that you configured, as well as default layouts. On this page, you can edit,
delete, clone a report, or create a new report.
Create New Creates a new layout. When you select Create New, you are automatically
redirected to the Add Report Layout page.
Edit Modifies the settings within a layout. When you select Edit, you are
automatically redirected to the Edit Report Layout page.
Delete Removes the layout from the list on the Layout page. You can remove multiple
layouts from the list, or all layouts from the list.
To remove multiple layouts from the list, on the Layout page, select the check
box in each of the rows of the layouts you want to remove, and then select
Delete.
To remove all layouts from the list, on the Layout page, select the check box in
the check box column, and then select Delete.
Clone Use to base a new report layout on an existing one. For example, layout_1 is
used as a base (cloned using the Clone icon) for the new layout, layout_april,
which is a report on application control logs that were recorded in the month of
April.
Run Immediately generates a report.
Disk page
Lists all the reports that are generated by the FortiGate unit. You can also remove reports from the
list.
Delete Select to remove a report from the list.
Report File The report name that the FortiGate unit gave the report. This name is in the
format <scheduletype>-<report_title>-<yyyy-mm-dd>-<start_time>. For
example, Once-examplereport_1-2010-02-12-083054, which indicates that the
report titled examplereport_1 was scheduled to generate only once and did on
February 12, 2010 at 8:30 am. The hour format is in hh:mm:ss format.
Started The time when the report began generating. The format is in yyyy-mm-dd
hh:mm:ss.
Finished The time when the report finished generating. The format is in yyyy-mm-dd
hh:mm:ss.
Size The size of the report after it was generated. The size is in bytes.
Other Formats The other type of format you choose the report to be in, for example, PDF. When
you select PDF in this column, the PDF opens up within the Disk page. You can
save the PDF to your local PC when it is opened on the Disk page as well.
This document describes firewall components, and how to implement firewall policies on
FortiGate units operating in both NAT/Route, and Transparent mode.
This FortiOS Handbook chapter contains the following sections:
The Purpose of a Firewall provides an overview of the FortiGate firewall and its traffic
controlling options.
Life of a Packet describes how a FortiGate unit processes incoming and outgoing network
traffic through its interfaces and firewall policies.
Firewall components describes the FortiGate interfaces, addressing, services and user
configuration that goes into creating a firewall policy.
Firewall Policies describes what policies are, the types of firewall policies and how to
configure and arrange them to ensure proper traffic management.
Troubleshooting describes some common problems and solutions when setting up firewall
policies to manage network traffic.
Concept Example: Small Office Network Protection walks through a small office
configuration of firewall policies.
Concept Example: Library Network Protection walks through an enterprise network
configuration of firewall policies.
v2 FortiGate Fundamentals
01-420-99686-20101026 175
http://docs.fortinet.com/ • Feedback
v2 FortiGate Fundamentals
176 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
The Purpose of a Firewall
Ranging from the FortiGate-30B series for small offices to the FortiGate-5000 series for
large enterprises, service providers and carriers, the FortiGate line combines the
FortiOS™ security operating system and latest hardware technologies to provide a
comprehensive and high-performance array of security and networking functions.
FortiGate platforms incorporate sophisticated networking features, such as high
availability for maximum network uptime, and virtual domain (VDOM) capabilities to
separate various networks requiring different security policies.
At the heart of these networking security functions, is the firewall policies.Firewall policies
control all traffic attempting to pass through the FortiGate unit, between FortiGate
interfaces, zones, and VLAN subinterfaces. They are instructions the FortiGate unit uses
to decide connection acceptance and packet processing for traffic attempting to pass
through. When the firewall receives a connection packet, it analyzes the packet’s source
address, destination address, and service (by port number), and attempts to locate a
firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional. It is through these policies that the FortiGate unit grants or
denies the packets and information in or out of the network, who gets priority (bandwidth)
over other users, and when the packets can come through.
This chapter describes the features of the FortiGate firewall that help to protect your
network, and the firewall policies that are the instructions for the FortiGate unit. The
following topics are included in this section:
• Firewall features
• NAT vs. Transparent Mode
Firewall features
The FortiGate unit includes a rich feature set to protect your network from unwanted
attacks. This section provides an overview of what the FortiGate unit can protect against.
Each of these elements are configured and added to firewall policies as a means of
instructing the FortiGate unit what to do when encountering an security threat.
Antivirus
Antivirus is a group of features that are designed to prevent unwanted and potentially
malicious files from entering your network. These features all work in different ways,
whether by checking for a file size, name, type, or the presence of a virus or grayware
signature.
The antivirus scanning routines used are designed to share access to the network traffic.
This way, each individual feature does not have to examine the network traffic as a
separate operation, reducing overhead significantly. For example, if you enable file
filtering and virus scanning, the resources used to complete these tasks are only slightly
greater than enabling virus scanning alone. Two features do not require twice the
resources.
v2 FortiGate Fundamentals
01-420-99686-20101026 177
http://docs.fortinet.com/ • Feedback
Firewall features The Purpose of a Firewall
Antivirus scanning function includes various modules and engines that perform separate
tasks. The FortiGate unit performs antivirus processing in the following order:
• File size
• File pattern
• File type
• Virus scan
• Grayware
• Heuristics
If a file fails any of the tasks of the antivirus scan, no further scans are performed. For
example, if the file “fakefile.exe” is recognized as a blocked pattern, the FortiGate unit will
send the recipient a message informing them that the original message had a virus, and
the file will be deleted or quarantined. The virus scan, grayware, heuristics, and file type
scans will not be performed as the file is already been determined to be a threat and has
been dealt with.
For more information on FortiGate antivirus processes, features and configuration, see the
UTM chapter.
Web Filtering
Web filtering is a means of controlling the content that an Internet user is able to view.
With the popularity of web applications, the need to monitor and control web access is
becoming a key component of Secure Content Management systems that employ
antivirus, web filtering, and messaging security. Important reasons for controlling web
content include:
• Lost productivity because employees are accessing the web for non-business reasons.
• Network Congestion - valuable bandwidth is being used for non-business purposes
and legitimate business applications suffer.
• Loss or exposure of confidential information through chat sites, non-approved email
systems, instant messaging, and peer-to-peer file sharing.
• Increased exposure to web-based threats as employees surf non-business related web
sites.
• Legal liability when employees access/download inappropriate and offensive material.
• Copyright infringement caused by employees downloading and/or distributing
copyrighted material.
As the number and severity of threats increase on the web, the risk potential is increasing
within a company's network as well. Casual non-business related web surfing has caused
many businesses countless hours of legal litigation as hostile environments have been
created by employees who download and view offensive content.web-based attacks and
threats are also becoming increasingly sophisticated. New threats and web-based
applications that are causing additional problems for corporations include:
• Spyware/Grayware
• Phishing
• Instant Messaging
• Peer-to-Peer File Sharing
• Streaming Media
• Blended Network Attacks
v2 FortiGate Fundamentals
178 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
The Purpose of a Firewall Firewall features
Spyware/Grayware
Spyware is also known as Grayware. Spyware is a type of computer program that
attaches itself to a user’s operating system. It does this without the user’s consent or
knowledge. It usually ends up on a computer because of something the user does such as
clicking on a button in a popup window. Spyware can do a number of things such as track
the user’s Internet usage, cause unwanted popup windows, and even direct the user to a
host web site. It is estimated that 80% of all personal computers are infected with
spyware. For further information, visit the FortiGuard Center.
Some of the most common ways of grayware infection include:
• Downloading shareware, freeware or other forms of file-sharing services
• Clicking on pop-up advertising
• Visiting legitimate web sites infected with grayware
Phishing
Phishing is the term used to describe social engineering attacks that use web technology
to trick users into revealing personal or financial information. Phishing attacks use web
sites and emails that claim to be from legitimate financial institutions to trick the viewer into
believing that they are legitimate. Although phishing is initiated by spam email, getting the
user to access the attacker’s web site is always the next step.
Pharming
Pharming is a next generation threat that is designed to identify, and extract financial, and
other key pieces of information for identity theft. Pharming is much more dangerous than
Phishing because it is designed to be completely hidden from the end user. Unlike
phishing attacks that send out spam email requiring the user to click to a fraudulent URL,
Pharming attacks require no action from the user outside of their regular web surfing
activities. Pharming attacks succeed by redirecting users from legitimate web sites to
similar fraudulent web sites that have been created to look and feel like the authentic web
site.
Instant messaging
Instant Messaging presents a number of problems. Instant Messaging can be used to
infect computers with spyware and viruses. Phishing attacks can be made using Instant
Messaging. There is also a danger that employees may use instant messaging to release
sensitive information to an outsider.
Peer-to-peer
Peer-to-Peer networks are used for file sharing. Such files may contain viruses.
Peer-to-Peer applications take up valuable network resources and lower employee
productivity but also has legal implications with the downloading of copyrighted material.
Peer-to-Peer file sharing and applications can also be used to expose company secrets.
Streaming media
Streaming media is a method of delivering multimedia, usually in the form of audio or
video to Internet users. The viewing of streaming media has increased greatly in the past
few years. The problem with this is the way it impacts legitimate business.
v2 FortiGate Fundamentals
01-420-99686-20101026 179
http://docs.fortinet.com/ • Feedback
Firewall features The Purpose of a Firewall
Antispam/Email Filter
The FortiGate unit performs email filtering (formerly called antispam) for IMAP, POP3, and
SMTP email. Email filtering includes both spam filtering and filtering for any words or files
you want to disallow in email messages. If your FortiGate unit supports SSL content
scanning and inspection you can also configure spam filtering for IMAPS, POP3S, and
SMTPS email traffic.
You can configure the FortiGate unit to manage unsolicited commercial email by detecting
and identifying spam messages from known or suspected spam servers. The FortiGuard
Antispam Service uses both a sender IP reputation database and a spam signature
database, along with sophisticated spam filtering tools, to detect and block a wide range of
spam messages. Using FortiGuard Antispam protection profile settings you can enable IP
address checking, URL checking, E-mail checksum check, and Spam submission.
Updates to the IP reputation and spam signature databases are provided continuously via
the global FortiGuard distribution network.
From the FortiGuard Antispam Service page in the FortiGuard center you can use IP and
signature lookup to check whether an IP address is blacklisted in the FortiGuard antispam
IP reputation database, or whether a URL or email address is in the signature database.
v2 FortiGate Fundamentals
180 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
The Purpose of a Firewall Firewall features
The FortiGate unit takes the domain name specified by the client in the HELO greeting
sent when starting the SMTP session, and does a DNS lookup to determine if the domain
exists. If the lookup fails, the FortiGate unit determines that any messages delivered
during the SMTP session are spam.
The FortiGate unit compares the sender email address, as shown in the message
envelope MAIL FROM, to the addresses in the email address black/white list specified in
the protection profile. If a match is found, the FortiGate unit will take the action configured
for the matching black/white list entry.
The FortiGate unit performs a DNS lookup on the reply-to domain to see if there is an A or
MX record. If no such record exists, the message is treated as spam.
The FortiGate unit will block email messages based on matching the content of the
message with the words or patterns in the selected spam filter banned word list.
For more information on FortiGate antispam processes, features and configuration, see
the UTM chapter.
Intrusion Protection
The FortiGate Intrusion Protection system combines signature detection and prevention
with low latency and excellent reliability. With intrusion Protection, you can create multiple
IPS sensors, each containing a complete configuration based on signatures. Then, you
can apply any IPS sensor to each protection profile. The FortiGate intrusion protection
system protects your network from outside attacks. Your FortiGate unit has two techniques
to deal with these attacks.
Anomaly-based defense is used when network traffic itself is used as a weapon. A host
can be flooded with far more traffic than it can handle, making the host inaccessible. The
most common example is the denial of service attack, in which an attacker directs a large
number of computers to attempt normal access of the target system. If enough access
attempts are made, the target is overwhelmed and unable to service genuine users. The
attacker does not gain access to the target system, but it is not accessible to anyone else.
The FortiGate unit DoS feature will block traffic over a certain threshold from the attacker,
allowing connections from other legitimate users.
Signature-based defense is used against known attacks or vulnerability exploits. These
often involve an attacker attempting to gain access to your network. The attacker must
communicate with the host in an attempt to gain access, and this communication will
include particular commands or sequences of commands and variables. The IPS
signatures include these command sequences, allowing the FortiGate unit to detect and
stop the attack.
The basis of signature-based intrusion protection are the IPS signatures, themselves.
Every attack can be reduced to a particular string of commands or a sequence of
commands and variables. Signatures include this information so your FortiGate unit
knows what to look for in network traffic.
Signatures also include characteristics about the attack it describes. These characteristics
include the network protocol in which it will appear, the vulnerable operating system, and
the vulnerable application.
Before examining network traffic for attacks, the FortiGate will identify each protocol
appearing in the traffic. Attacks are protocol-specific so your FortiGate unit conserves
resources by looking for attacks only in the protocols used to transmit them. For example,
the FortiGate unit will only examine HTTP traffic for the presence of a signature describing
an HTTP attack.
Once the protocol decoders separate the network traffic by protocol, the IPS engine
examines the network traffic for the attack signatures.
v2 FortiGate Fundamentals
01-420-99686-20101026 181
http://docs.fortinet.com/ • Feedback
Firewall features The Purpose of a Firewall
The IPS engine does not examine network traffic for all signatures, however. You must
first create an IPS sensor and specify which signatures are included. You do not have to
choose each signature you want to include individually, however. Instead, filters are used
to define the included signatures.
IPS sensors contain one or more IPS filters. A filter is simply a collection of signature
attributes you specify. The signatures that have all of the attributes specified in a filter are
included in the IPS signature.
For example, if your FortiGate unit protects a Linux server running the Apache web server
software, you could create a new filter to protect it. Set OS to Linux, and Application to
Apache and the filter will include only the signatures applicable to both Linux and Apache.
If you wanted to scan for all the Linux signatures and all the Apache signatures, you would
create two filters, one for each.
For more information on FortiGate IPS processes, features and configuration, see the
UTM chapter.
Traffic Shaping
Traffic shaping, when included in a firewall policy, controls the bandwidth available to, and
sets the priority of the traffic processed by, the policy. Traffic shaping makes it possible to
control which policies have the highest priority when large amounts of data are moving
through the FortiGate unit. For example, the policy for the corporate web server might be
given higher priority than the policies for most employees’ computers. An employee who
needs extra high speed Internet access could have a special outgoing policy set up with
higher bandwidth.
Traffic shaping is available for firewall policies whose Action is ACCEPT, IPSEC, or
SSLVPN. It is also available for all supported services, including H.323, TCP, UDP, ICMP,
and ESP
Traffic shaping cannot increase the total amount of bandwidth available, but you can use it
to improve the quality of bandwidth-intensive and sensitive traffic.
The bandwidth available for traffic set in a traffic shaper is used to control data sessions
for traffic in both directions. For example, if guaranteed bandwidth is applied to an internal
and an external FTP policy, and a user on an internal network uses FTP to put and get
files, both the put and get sessions share the bandwidth available to the traffic controlled
by the policy.
Once included in a firewall policy, the guaranteed and maximum bandwidth is the total
bandwidth available to all traffic controlled by the policy. If multiple users start multiple
communications session using the same policy, all of these communications sessions
must share from the bandwidth available for the policy.
However, bandwidth availability is not shared between multiple instances of using the
same service if these multiple instances are controlled by different policies. For example,
you can create one FTP policy to limit the amount of bandwidth available for FTP for one
network address and create another FTP policy with a different bandwidth availability for
another network address
Traffic shaping attempts to “normalize” traffic peaks/bursts to prioritize certain flows over
others. But there is a physical limitation to the amount of data which can be buffered and
to the length of time. Once these thresholds have been surpassed, frames and packets
will be dropped, and sessions will be affected in other ways. For example, incorrect traffic
shaping configurations may actually further degrade certain network flows, since the
excessive discarding of packets can create additional overhead at the upper layers that
may be attempting to recover from these errors.
v2 FortiGate Fundamentals
182 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
The Purpose of a Firewall NAT vs. Transparent Mode
A basic traffic shaping approach is to prioritize certain traffic flows over other traffic whose
potential discarding is less advantageous. This would mean that you accept sacrificing
certain performance and stability on low-priority traffic, in order to increase or guarantee
performance and stability to high-priority traffic.
If, for example, you are applying bandwidth limitations to certain flows, you must accept
the fact that these sessions can be limited and therefore negatively impacted. Traffic
shaping applied to a firewall policy is enforced for traffic which may flow in either direction.
Therefore a session which may be set up by an internal host to an external one, through
an Internal-to-External policy, will have traffic shaping applied even if the data stream
flows external to internal. One example may be an FTP “get” or a SMTP server connecting
to an external one, in order to retrieve email.
Note that traffic shaping is effective for normal IP traffic at normal traffic rates. Traffic
shaping is not effective during periods when traffic exceeds the capacity of the FortiGate
unit. Since packets must be received by the FortiGate unit before they are subject to traffic
shaping, if the FortiGate unit cannot process all of the traffic it receives, then dropped
packets, delays, and latency are likely to occur.
For more information on traffic shaping, see the Traffic Shaping chapter.
NAT mode
In NAT mode, the FortiGate unit is visible to the network that it is connected to. All of its
interfaces are on different subnets. Each interface that is connected to a network must be
configured with an IP address that is valid for that subnetwork.
You would typically use NAT mode when the FortiGate unit is deployed as a gateway
between private and public networks. In its default NAT mode configuration, the FortiGate
unit functions as a firewall. Firewall policies control communications through the FortiGate
unit to both the Internet and between internal networks. In NAT mode, the FortiGate unit
performs network address translation before IP packets are sent to the destination
network. For example, a company has a FortiGate unit as their interface to the Internet.
The FortiGate unit also acts as a router to multiple sub-networks within the company.
v2 FortiGate Fundamentals
01-420-99686-20101026 183
http://docs.fortinet.com/ • Feedback
NAT vs. Transparent Mode The Purpose of a Firewall
172
.20 WA
traf NAT .12 N 1
fic po 0.1
ext betw licies 29
P
ern ee
al n n in contr 192 ort 1
etw tern ollin .16
ork al a g 8.1
s. nd .1
k
P w or
10. ort 2 t
Ne /24
10.
10. n al .1.0
1 er 8
Int 2.16
P ffic al n
ol b e
19
ic e tw
tra ern
ie tw o
s e rk
in
co e s
t
nt n .
ro
li
ng
k
w or
t
Ne 24
n al 0.0/
er .1
Int .10
10
In this situation, as shown in Figure 5, the FortiGate unit is set to NAT mode. Using this
mode, the FortiGate unit can have a designated port for the Internet, in this example,
wan1 with an address of 172.20.120.129, which is the public IP address. The internal
network segments are behind the FortiGate unit and invisible to the public access, for
example port 2 with an address of 10.10.10.1. The FortiGate unit translates IP addresses
passing through it to route the traffic to the correct subnet or the Internet.
v2 FortiGate Fundamentals
184 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
The Purpose of a Firewall NAT vs. Transparent Mode
Figure 6: Sender’s IP internal address translated to the FortiGate unit’s external address
C
tP
en .2
Cli 0.10
.1
10
1 Fir
3 nt ew
2 Se et N A all P
ck T e olic
Pa 1 nab y
led
D S
es o
2
t i n ur
Inte
at ce
3
io : 1
rna
n: 0
l
17 .10
2. .1
5 0 0.
.2 2
0.
d
20
WA 1 ive
N 1 3 e c e et
2 R ck
Pa
D ou
es rc
S
tin e:
at 1
io 72
n: .2
17 0.
2. 12
50 0.
.2 12
0. 9
20
r
rve
b Se .20
0
We 50.2
7 2.
1
When the web server sends the response, it sends it to what it believes to be the
originating address, the FortiGate wan1 address, 172.20.120.129. When the FortiGate
unit receives the information, it determines where it should go by looking at its session
information. Using firewall policies, it determines that the information should be going to
the originating user at 10.10.10.2. The FortiGate changes the destination IP to the correct
user and delivers the packet.
Figure 7: Web server sends to FortiGate external address and translated to internal address
C
tP
en .2
Cli 0.10
.1
10
d
1 ive Fir
ce ew
3
2 R e cket N A all P
Pa T e olic
nab y
1 led
D ou
2
es rc
S
Inte
tin e:
3
at 1
rna
io 72
n: . 5
l
10 0.
.1 20
0. .2
10 0
.2
WA 1
N 1 nt
3
2 Se et
ck
Pa
D So
es u
tin rce
at :
io 17
n: 2
17 .50
2. .2
20 0.
.1 2 0
20
.1
er
S erv 20
b 0.
We 50.2
7 2.
1
v2 FortiGate Fundamentals
01-420-99686-20101026 185
http://docs.fortinet.com/ • Feedback
NAT vs. Transparent Mode The Purpose of a Firewall
Transparent mode
In Transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are
on the same subnet and share the same IP address. You only have to configure a
management IP address so that you can make configuration changes.
You would typically use the FortiGate unit in Transparent mode on a private network
behind an existing firewall or behind a router. In Transparent mode, the FortiGate unit also
functions as a firewall. Firewall policies control communications through the FortiGate unit
to the Internet and internal network. No traffic can pass through the FortiGate unit until you
add firewall policies.
For example, the company has a router or other firewall in place. The network is simple
enough that all users are on the same internal network. They need the FortiGate unit to
perform antispam, antivirus and intrusion protection and similar traffic scanning. In this
situation, as shown in Figure 8, the FortiGate unit is set to transparent mode. The traffic
passing through the FortiGate unit does not change the addressing from the router to the
internal network. Firewall policies and protection profiles define the type of scanning the
FortiGate unit performs on traffic entering the network.
v2 FortiGate Fundamentals
186 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
The Purpose of a Firewall NAT vs. Transparent Mode
20
4.2
3.1
.5
Ga
tew
net ay to 10
.10
wo pu .10 WA
rk blic .2 N1
By default when shipped, the FortiGate unit operates in NAT mode. To use the FortiGate
unit in Transparent mode, you need to switch its mode. When switched to a different
mode, the FortiGate unit does not need to be restarted; the change is automatic.
In the following example, the steps change the FortiGate unit to Transparent mode with an
IP of 10.11.101.10, netmask of 255.255.255.0 and a default gateway of 10.11.101.1
Note: This guide and its examples are constructed with the FortiGate unit running in NAT
mode, unless otherwise noted.
v2 FortiGate Fundamentals
01-420-99686-20101026 187
http://docs.fortinet.com/ • Feedback
NAT vs. Transparent Mode The Purpose of a Firewall
v2 FortiGate Fundamentals
188 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Life of a Packet
Directed by firewall policies, a FortiGate unit screens network traffic from the IP layer up
through the application layer of the TCP/IP stack. This chapter provides a general,
high-level description of what happens to a packet as it travels through a FortiGate
security system.
The FortiGate unit performs three types of security inspection:
• stateful inspection, that provides individual packet-based security within a basic
session state
• flow-based inspection, that buffers packets and uses pattern matching to identify
security threats
• proxy-based inspection, that reconstructs content passing through the FortiGate unit
and inspects the content for security threats.
Each inspection component plays a role in the processing of a packet as it traverses the
FortiGate unit en route to its destination. To understand these inspections is the first step
to understanding the flow of the packet.
Stateful inspection
With stateful inspection, the FortiGate unit looks at the first packet of a session to make a
security decision. Common fields inspected include TCP SYN and FIN flags to identity the
start and end of a session, the source/destination IP, source/destination port and protocol.
Other checks are also performed on the packed payload and sequence numbers to verify
it as a valid communication and that the data is not corrupted or poorly formed.
The FortiGate unit makes the decision to drop, pass or log a session based on what is
found in the first packet of the session. If the FortiGate unit decides to drop or block the
first packet of a session, then all subsequent packets in the same session are also
dropped or blocked without being inspected. If the FortiGate unit accepts the first packet of
a session, then all subsequent packets in the same session are also accepted without
being inspected.
v2 FortiGate Fundamentals
01-420-99686-20101026 189
http://docs.fortinet.com/ • Feedback
Flow inspection Life of a Packet
1 SY
3 N,
2 IP,
1 TC
2 P
nt 3
Se et
ck
Pa
1
3
2
ed
c eiv t
Re cke
Pa
Flow inspection
With flow inspection, the FortiGate unit samples multiple packets in a session and multiple
sessions, and uses a pattern matching engine to determine the kind of activity that the
session is performing and to identify possible attacks or viruses. For example, if
application control is operating, flow inspection can sample network traffic and identify the
application that is generating the activity. Flow-based antivirus can sample network traffic
and determine if the content of the traffic contains a virus, IPS can sample network traffic
and determine if the traffic constitutes an attack. The security inspection occurs as the
data is passing from its source to its destination. Flow inspection identifies and blocks
security threats in real time as they are identified.
IPS
,
3 Ap Flow
p C -AV
2 ont ,
rol
2
nt
Se et
ck
Pa
1
2
d
ive
e ce et
R ck
Pa
Flow-based inspections typically require less processing than proxy-based inspection, and
therefore flow-based antivirus performance can be better than proxy-based antivirus
performance. However, some threats can only be detected when a complete copy of the
payload is obtained so, proxy-based inspection tends to be more accurate and complete
than flow-based inspection.
v2 FortiGate Fundamentals
190 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Life of a Packet Proxy inspection
Proxy inspection
With flow inspection, the FortiGate unit will pass all the packets between the source and
destination, and keeps a copy of the packets in its memory. It then uses a reconstruction
engine to build the content of the original traffic. The security inspection occurs after the
data has passed from its source to its destination.
Proxy inspection examines the content contained a content protocol session for security
threats. Content protocols include the HTTP, FTP, and email protocols. Security threats
can be found in files and other content downloaded using these protocols. With proxy
inspection, the FortiGate unit downloads the entire payload of a content protocol sessions
and re-constructs it. For example, proxy inspection can reconstruct an email message and
its attachments. After a satisfactory inspection the FortiGate unit passes the content on to
the client. If proxy inspection detects a security threat in the content, the content is
removed from the communication stream before the it reaches its destination. For
example, if proxy inspection detects a virus in an email attachment, the attachment is
removed from the email message before its sent to the client. Proxy inspection is the most
thorough inspection of all, although it requires more processing power, and this may result
in lower performance.
1 Em
a
3
2 filteil filter
r, D , we
LP, b
AV
nt
Se et
ck 3
Pa 2
1
1
3
2
d
ive
e ce et
R ck
Pa
v2 FortiGate Fundamentals
01-420-99686-20101026 191
http://docs.fortinet.com/ • Feedback
Packet flow Life of a Packet
Packet flow
After the FortiGate unit’s external interface receives a packet, the packet proceeds
through a number of steps on its way to the internal interface, traversing each of the
inspection types, depending on the firewall policy and UTM profile configuration. The
diagram in Figure 12 on page 193 is a high level view of the packet’s journey.
The description following is a high-level description of these steps as a packet enters the
FortiGate unit towards its destination on the internal network. Similar steps occur for
outbound traffic.
v2 FortiGate Fundamentals
192 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Life of a Packet Packet flow
3 1
2
Packet
Packet flow: Ingress
Interface DoS IP Integrity NAT
IPsec (DNAT) Routing
(Link layer) Sensor Header checking
Stateful
Session Management User Traffic Session Policy
Inspection Helpers Traffic
SSL VPN
Authentication Shaping Tracking Lookup
Engine
No
UTM
Yes
Antivirus, Flow-based
No Web Filter, VoIP Flow-based Application
Email Filter, Inspection Antivirus Control
IPS
Inspection
DLP
Engine
Yes
Antivirus Proxy-based
Web Filter (HTTP(S), SMTP(S),
Data Leak Prevention Email Filter
(HTTP, HTTPS) POP3(S), IMAP(S), FTP, Inspection
NNTP, IM)
Engine
3 1
NAT Routing Interface
IPsec 2
(SNAT)
Interface
Ingress packets are received by a FortiGate interface.The packet enters the system, and
the interface network device driver passes the packet to the Denial of Service (DoS)
sensors, if enabled, to determine whether this is a valid information request or not.
DoS sensor
DoS scans are handled very early in the life of the packet to determine whether the traffic
is valid or port of a DoS attack. Unlike signature-based IPS which inspects all the packets
within a certain traffic flow, the DoS module inspects all traffic flows but only tracks packets
that can be used for DoS attacks (for example TCP SYN packets), to ensure they are
within the permitted parameters. Suspected DoS attacks are blocked, other packets are
allowed.
v2 FortiGate Fundamentals
01-420-99686-20101026 193
http://docs.fortinet.com/ • Feedback
Packet flow Life of a Packet
IPsec
If the packet is an IPsec packet, the IPsec engine attempts to decrypt it. The IPsec engine
applies the correct encryption keys to the IPSec packet and sends the unencrypted packet
to the next step. IPsec is bypassed when for non-IPSec traffic and for IPsec traffic that
cannot be decrypted by the FortiGate unit.
Routing
The routing step determines the outgoing interface to be used by the packet as it leaves
the FortiGate unit. In the previous step, the FortiGate unit determined the real destination
address, so it can now refer to its routing table and decide where the packet must go next.
Routing also distinguishes between local traffic and forwarded traffic and selects the
source and destination interfaces used by the firewall policy engine to accept or deny the
packet.
Policy lookup
The policy look up is where the FortiGate unit reviews the list of firewall policies which
govern the flow of network traffic, from the first entry to the last, to find a match for the
source and destination IP addresses and port numbers. The decision to accept or deny a
packet, after being verified as a valid request within the stateful inspection, occurs here. A
denied packet is discarded. An accepted packet will have further actions taken. If IPS is
enabled, the packet will go to Flow-based inspection engine, otherwise it will go to the
Proxy-based inspection engine.
If no other UTM options are enabled, then the session was only subject to stateful
inspection. If the action is accept, the packet will go to Source NAT to be ready to leave
the FortiGate unit.
Session tracking
Part of the stateful inspection engine, session tracking maintains session tables that
maintain information about sessions that the stateful inspection module uses for
maintaining sessions, NAT, and other session related functions.
v2 FortiGate Fundamentals
194 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Life of a Packet Packet flow
User authentication
User authentication added to firewall policies is handled by the stateful inspection engine,
which is why Firewall authentication is based on IP address. Authentication takes place
after policy lookup selects a firewall policy that includes authentication. This is also known
as identify-based policies. Authentication also takes place before UTM features are
applied to the packet.
Management traffic
This local traffic is delivered to the FortiGate unit TCP/IP stack and includes
communication with the web-based manager, the CLI, the FortiGuard network, log
messages sent to FortiAnalyzer or a remote syslog server, and so on. Management traffic
is processed by applications such as the web server which displays the FortiOS
web-based manager, the SSH server for the CLI or the FortiGuard server to handle local
FortiGuard database updates or FortiGuard Web Filtering URL lookups.
Session helpers
Some protocols include information in the packet body (or payload) that must be analyzed
to successfully process sessions for this protocol. For example, the SIP VoIP protocol
uses TCP control packets with a standard destination port to set up SIP calls. To
successfully process SIP VoIP calls, FortiOS must be able to extract information from the
body of the SIP packet and use this information to allow the voice-carrying packets
through the firewall.
FortiOS uses session helpers to analyze the data in the packet bodies of some protocols
and adjust the firewall to allow those protocols to send packets through the firewall.
Once the packet has passed the flow-based engine, it can be sent to the proxy inspection
engine or egress.
v2 FortiGate Fundamentals
01-420-99686-20101026 195
http://docs.fortinet.com/ • Feedback
Example 1: client/server connection Life of a Packet
IPsec
If the packet is transmitted through an IPsec tunnel, it is at this stage the encryption and
required encapsulation is performed. For non-IPsec traffic (TCP/UDP) this step is
bypassed.
Routing
The final routing step determines the outgoing interface to be used by the packet as it
leaves the FortiGate unit.
Egress
Upon completion of the scanning at the IP level, the packet exits the FortiGate unit.
v2 FortiGate Fundamentals
196 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Life of a Packet Example 1: client/server connection
3 1
2
Stateful
Session User Policy
Policy Tracking Authentication Lookup
Routing
Engine
Proxy
FortiGuard
Inspection Antivirus Web Filter
Web Filtering
Engine
FortiGuard
Packet
NAT Interface
Exits
Routing
(SNAT) (Link layer)
NAT Session
Routing
(SNAT) Tracking
Stateful Policy
Engine
Interface
(Link layer)
v2 FortiGate Fundamentals
01-420-99686-20101026 197
http://docs.fortinet.com/ • Feedback
Example 2: Routing table update Life of a Packet
Routing
3 1
2 update
packet
Packet
FortiGate Unit
Interface DoS IP Integrity Stateful
Management
(Link layer) Sensor Header checking Policy
Traffic
Engine
Routing
Routing Table
Module
v2 FortiGate Fundamentals
198 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Life of a Packet Example 3: Dialup IPsec with application control
v2 FortiGate Fundamentals
01-420-99686-20101026 199
http://docs.fortinet.com/ • Feedback
Example 3: Dialup IPsec with application control Life of a Packet
Packet decryption
Packet Exits
Source Interface
NAT Routing 3 1
(Link layer)
2
Internal
Server
Packet Enters
Packet encryption
Packet
3
2
1 Exits and returns
to source
Encrypted or
encapsulated packet
v2 FortiGate Fundamentals
200 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components
The FortiGate unit’s primary purpose is to act as a firewall to protect your networks from
unwanted attacks and to control the flow of network traffic. The FortiGate unit does this
through the use of firewall policies. The policies you create review the traffic passing
through the device to determine if the traffic is allowed into or out of the network, if it is
normal network traffic or encrypted VPN or SSL VPN traffic, where it is going and how it
should be handled.
Every firewall policy uses similar components. This section briefly describes these
components.
The following topics are included in this section:
• Interfaces
• Addressing
• Ports
• Services
• Schedules
• UTM profiles
Interfaces
Interfaces, both physical and virtual, enable traffic to flow to and from the internal network,
and the Internet and between internal networks. The FortiGate unit has a number of
options for setting up interfaces and groupings of subnetworks that can scale to a
company’s growing requirements.
Physical
FortiGate units have a number of physical ports where you connect Ethernet or optical
cables. Depending on the model, they can have anywhere from four to 40 physical ports.
Some units have a grouping of ports labelled as internal, providing a built-in switch
functionality.
In FortiOS, the port names, as labeled on the FortiGate unit, appear in the web-based
manager in the Unit Operation the Dashboard. They also appear when you are configuring
the interfaces, by going to System > Network > Interface. As shown below, the
FortiGate-100A has eight interfaces
4 3 2 1
DC+12V
v2 FortiGate Fundamentals
01-420-99686-20101026 201
http://docs.fortinet.com/ • Feedback
Interfaces Firewall components
Normally the internal interface is configured as a single interface shared by all physical
interface connections - a switch. The switch mode feature has two states - switch mode
and interface mode. Switch mode is the default mode with only one interface and one
address for the entire internal switch. Interface mode allows you to configure each of the
internal switch physical interface connections separately. This enables you to assign
different subnets and netmasks to each of the internal physical interface connections.
The larger FortiGate units can also include Advanced Mezzanine Cards (AMC), which can
provide additional interfaces (ethernet or optical), with throughput enhancements for more
efficient handling of specialized traffic. These interfaces appear in FortiOS as port
amc/sw1, amc/sw2 and so on. In the following illustration, the FortiGate-3810A has three
AMC cards installed: two single-width (amc/sw1, amc/sw2) and one double-width
(amc/dw).
v2 FortiGate Fundamentals
202 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Interfaces
For more information on configuring physical ports, see “Addressing” on page 209.
Administrative access
Interfaces, especially the public-facing ports can be potentially accessed by those who
you may not want access to the FortiGate unit. When setting up the FortiGate unit, you
can set the type of protocol an administrator must use to access the FortiGate unit. The
options include:
• HTTPS
• HTTP
• SSH
• TELNET
• PING
• SNMP
You can select as many, or as few, even none, that are accessible by an administrator.
Example
This example adds an IPv4 address 172.20.120.100 to the WAN1 interface as well as the
administrative access to HTTPS and SSH. As a good practice, set the administrative
access when you are setting the IP address for the port.
v2 FortiGate Fundamentals
01-420-99686-20101026 203
http://docs.fortinet.com/ • Feedback
Interfaces Firewall components
Wireless
A wireless interface is similar to a physical interface only it does not include a physical
connection. The FortiWiFi units enables you to add multiple wireless interfaces that can be
available at the same time (the FortiWiFi-30B can only have one wireless interface). On
FortiWiFi units, you can configure the device to be either an access point, or a wireless
client. As an access point, the FortiWiFi unit can have up to four separate SSIDs, each on
their own subnet for wireless access. In client mode, the FortiWiFi only has one SSID, and
is used as a receiver, to enable remote users to connect to the existing network using
wireless protocols.
Wireless interfaces also require additional security measures to ensure the signal does
not get hijacked and data tampered or stolen.
Aggregate
Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces
together to form an aggregated (combined) link. This new link has the bandwidth of all the
links combined. If a link in the group fails, traffic is transferred automatically to the
remaining interfaces with the only noticeable effect being a reduced bandwidth.
This is similar to redundant interfaces with the major difference being that a redundant
interface group only uses one link at a time, where an aggregate link group uses the total
bandwidth of the functioning links in the group, up to eight.
Support of the IEEE standard 802.3ad for link aggregation is available on some models.
An interface is available to be an aggregate interface if:
• it is a physical interface, not a VLAN interface or subinterface
• it is not already part of an aggregate or redundant interface
• it is in the same VDOM as the aggregated interface. Aggregate ports cannot span
multiple VDOMs.
• it does not have a IP address and is not configured for DHCP or PPPoE
• it is not referenced in any firewall policy, VIP, IP Pool or multicast policy
• it is not an HA heartbeat interface
• it is not one of the FortiGate-5000 series backplane interfaces
To see if a port is being used or has other dependencies, use the following diagnose
command:
diagnose sys system.interface.name <interface_name>
When an interface is included in an aggregate interface, it is not listed on the System >
Network > Interface page. Interfaces will still appear in the CLI, although configuration for
those interfaces will not take affect. You cannot configure the interface individually and it is
not available for inclusion in firewall policies, VIPs, IP pools, or routing.
You can add an accelerated interface (FA2, NP2 interfaces) to an aggregate link, but you
will lose the acceleration. For example, if you aggregate two accelerated interfaces you
will get slower throughput than if the two interfaces were separate.
v2 FortiGate Fundamentals
204 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Interfaces
Example
This example creates an aggregate interface on a FortiGate-3810A using ports 4-6 with
an internal IP address of 10.13.101.100, as well as the administrative access to HTTPS
and SSH.
Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual
units that function as multiple independent units. A single FortiGate unit is then flexible
enough to serve multiple departments of an organization, separate organizations, or to act
as the basis for a service provider’s managed security service.
VDOMs provide separate security domains that allow separate zones, user authentication,
firewall policies, routing, and VPN configurations. By default, each FortiGate unit has a
VDOM named root. This VDOM includes all of the FortiGate physical interfaces, modem,
VLAN subinterfaces, zones, firewall policies, routing settings, and VPN settings.
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create
firewall policies for connections between Virtual LAN (VLAN) subinterfaces or zones in the
VDOM. Packets do not cross the virtual domain border internally. To travel between
VDOMs, a packet must pass through a firewall on a physical interface. The packet then
arrives at another VDOM on a different interface, but it must pass through another firewall
before entering the VDOM. Both VDOMs are on the same FortiGate unit. Inter-VDOMs
change this behavior in that they are internal interfaces; however their packets go through
all the same security measures as on physical interfaces.
v2 FortiGate Fundamentals
01-420-99686-20101026 205
http://docs.fortinet.com/ • Feedback
Interfaces Firewall components
Example
This example shows how to enable VDOMs on the FortiGate unit and the basic and create
a VDOM accounting on the DMZ2 port and assign an administrator to maintain the VDOM.
First enable Virtual Domains on the FortiGate unit. When you enable VDOMs, the
FortiGate unit will log you out.
v2 FortiGate Fundamentals
206 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Interfaces
Virtual LANs
The term VLAN subinterface correctly implies the VLAN interface is not a complete
interface by itself. You add a VLAN subinterface to the physical interface that receives
VLAN-tagged packets. The physical interface can belong to a different VDOM than the
VLAN, but it must be connected to a network route that is configured for this VLAN.
Without that route, the VLAN will not be connected to the network, and VLAN traffic will not
be able to access this interface.The traffic on the VLAN is separate from any other traffic
on the physical interface.
FortiGate unit interfaces cannot have overlapping IP addresses—the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces and to
virtual interfaces such as VLAN subinterfaces. Each VLAN subinterface must be
configured with its own IP address and netmask. This rule helps prevent a broadcast
storm or other similar network problems.
Any FortiGate unit, with or without VDOMs enabled, can have a maximum of 255
interfaces in Transparent operating mode. In NAT/Route operating mode, the number can
range from 255 to 8192 interfaces per VDOM, depending on the FortiGate model. These
numbers include VLANs, other virtual interfaces, and physical interfaces. To have more
than 255 interfaces configured in Transparent operating mode, you need to configure
multiple VDOMs with many interfaces on each VDOM.
Example
This example shows how to add a VLAN, vlan_accounting on the FortiGate unit internal
interface with an IP address of 10.13.101.101.
v2 FortiGate Fundamentals
01-420-99686-20101026 207
http://docs.fortinet.com/ • Feedback
Interfaces Firewall components
Zones
Zones are a group of one or more FortiGate interfaces, both physical and virtual, that you
can apply firewall policies to control inbound and outbound traffic. Grouping interfaces and
VLAN subinterfaces into zones simplifies the creation of firewall policies where a number
of network segments can use the same policy settings and protection profiles. When you
add a zone, you select the names of the interfaces and VLAN subinterfaces to add to the
zone.
For example, in the illustration below, the network includes three separate groups of users
representing different entities on the company network. While each group has its own set
of port and VLANs, in each area, they can all use the same firewall policy and protection
profiles to access the Internet. Rather than the administrator making nine separate firewall
policies, he can add the required interfaces to a zone, and create three policies, making
administration simpler.
Zone 1
Zone 1 policies
WAN1, DMZ1,
Zo VLAN 1, 2, 4
ne
2p
Zone 3
oli
cie
s
policies
Zone 2
Internal
ports 1, 2, 3
Zone 3
WAN2, DMZ2,
VLAN 3
You can configure policies for connections to and from a zone, but not between interfaces
in a zone. Using the above example, you can create a firewall policy to go between zone 1
and zone 3, but not between WAN2 and WAN1, or WAN1 and DMZ1.
Example
This example explains how to set up a zone on the FortiGate unit to include the Internal
interface and a VLAN.
v2 FortiGate Fundamentals
208 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Addressing
3 Select the Internal interface and the virtual LAN interface vlan_accounting from the
previous section.
4 Select OK.
Addressing
Firewall addresses and address groups define network addresses that you can use when
configuring a firewall policies’ source and destination address fields. The FortiGate unit
compares the IP addresses contained in packet headers with firewall policy source and
destination addresses to determine if the firewall policy matches the traffic. Addressing in
firewall policies can be IPv4 addresses and address ranges, IPv6 addresses, and fully
qualified domain names (FQDNs).
A firewall address can contain one or more network addresses. Network addresses can
be represented by an IP address with a netmask, an IP address range, or a fully qualified
domain name (FQDN).
When representing hosts by an IP address with a netmask, the IP address can represent
one or more hosts. For example, a firewall address can be:
• a single computer, such as 192.45.46.45
• a subnetwork, such as 192.168.1.0 for a class C subnet
• 0.0.0.0, which matches any IP address
The netmask corresponds to the subnet class of the address being added, and can be
represented in either dotted decimal or CIDR format. The FortiGate unit automatically
converts CIDR formatted netmasks to dotted decimal format. Example formats:
• netmask for a single computer: 255.255.255.255, or /32
• netmask for a class A subnet: 255.0.0.0, or /8
• netmask for a class B subnet: 255.255.0.0, or /16
• netmask for a class C subnet: 255.255.255.0, or /24
• netmask including all IP addresses: 0.0.0.0
Valid IP address and netmask formats include:
• x.x.x.x/x.x.x.x, such as 192.168.1.0/255.255.255.0
• x.x.x.x/x, such as 192.168.1.0/24
When representing hosts by an IP Range, the range indicates hosts with continuous IP
addresses in a subnet, such as 192.168.1.[2-10], or 192.168.1.* to indicate the
complete range of hosts on that subnet. Valid IP Range formats include:
• x.x.x.x-x.x.x.x, such as 192.168.110.100-192.168.110.120
• x.x.x.[x-x], such as 192.168.110.[100-120]
v2 FortiGate Fundamentals
01-420-99686-20101026 209
http://docs.fortinet.com/ • Feedback
Addressing Firewall components
Caution: Be cautious when employing FQDN firewall addresses. Using a fully qualified
domain name in a firewall policy, while convenient, does present some security risks,
because policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
Example
This example adds an IPv4 firewall address for guest users of 10.13.101.100 address the
port1 interface.
Example
This example adds an IPv4 firewall address range for guest users with the range of
10.13.101.100 to 10.13.101.110 addresses on any interface. By setting the interface to
Any, the address range is not bound to a specific interface on the FortiGate unit.
v2 FortiGate Fundamentals
210 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Addressing
Wildcard masks
Wildcard masks, are common with OSPF and Cisco routers. The use of wildcard masks is
most prevalent when building Access Control Lists (ACLs) on Cisco routers. ACLs are
filters and make use of wildcard masks to define the scope of the address filter.
Masks are used with IP addresses to specify what addresses are permitted and denied.
To configure IP addresses on interfaces, the netmask starts with 255. For example, to filter
a subnetwork 10.1.1.0 which has a Class C mask of 255.255.255.0, the ACL will require
the scope of the addresses to be defined by a wildcard mask which, in this example is
0.0.0.255. When the value of the mask is shown in binary (0s and 1s), the results
determine which address bits are the “do and don’t care” bits for processing the traffic. A
zero is the do care bit and the one is a don’t care bit. This is also known as an inverse
mask.
For example, an address of 1.1.1.0, and a netmask of 0.0.0.255 would appear in binary as
an address of 00000001.00000001.00000001.00000000 and a netmask of
00000000.00000000.00000000.11111111
Based on the binary mask, it can be seen that the first three octets of the address must
match the given binary network address exactly (00000001.00000001.00000001). The
last set of numbers is made of “don't cares” (all ones). As such, all traffic that begins with
1.1.1. matches since the last octet o the netmask is “don't care”. All IP addresses 1.1.1.1
through 1.1.1.255 are acceptable.
Wildcard masks are configured in the CLI:
config firewall address
set type wildcard
set wildcard 1.1.1.0/0.0.0.255
end
Caution: Be cautious when employing FQDN firewall addresses. Using a fully qualified
domain name in a firewall policy, while convenient, does present some security risks,
because policy matching then relies on a trusted DNS server. Should the DNS server be
compromised, firewall policies requiring domain name resolution may no longer function
properly.
You specify the TTL time in the CLI only. For example, to set the TTL for 30 minutes on an
FQDN of www.example.com on port 1, enter the following commands:
v2 FortiGate Fundamentals
01-420-99686-20101026 211
http://docs.fortinet.com/ • Feedback
Addressing Firewall components
Virtual IPs
Virtual IP addresses (VIPs) can be used when configuring firewall policies to translate IP
addresses and ports of packets received by a network interface. When the FortiGate unit
receives inbound packets matching a firewall policy whose Destination Address field is a
virtual IP, the FortiGate unit applies NAT, replacing packets’ IP addresses with the virtual
IP’s mapped IP address.
IP pools, similarly to virtual IPs, can be used to configure aspects of NAT; however, IP
pools configure dynamic translation of packets’ IP addresses based on the Destination
Interface/Zone, whereas virtual IPs configure dynamic or static translation of a packets’ IP
addresses based upon the Source Interface/Zone.
To implement the translation configured in the virtual IP or IP pool, you must add it to a
NAT firewall policy.
Note: In Transparent mode, from the CLI, you can configure NAT firewall policies that
include Virtual IPs and IP pools. For more information, see the System Administration
chapter of The Handbook.
Virtual IPs can specify translations of packets’ port numbers and/or IP addresses for both
inbound and outbound connections. In Transparent mode, virtual IPs are available from
the FortiGate CLI.
Example
This example adds a virtual IP of 10.13.100.1 that allows users on the Internet to connect
to a web server on the DMZ IP address of 192.168.1.1. In the example, the wan1 interface
of the FortiGate unit is connected to the Internet and the dmz1 interface is connected to
the DMZ network.
v2 FortiGate Fundamentals
212 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Addressing
Inbound connections
Virtual IPs can be used in conjunction with firewall policies whose Action is not DENY to
apply bidirectional NAT, also known as inbound NAT.
When comparing packets with the firewall policy list to locate a matching policy, if a firewall
policy’s Destination Address is a virtual IP, FortiGate units compares packets’ destination
address to the virtual IP’s external IP address. If they match, the FortiGate unit applies the
virtual IP’s inbound NAT mapping, which specifies how the FortiGate unit translates
network addresses and/or port numbers of packets from the receiving (external) network
interface to the network interface connected to the destination (mapped) IP address or IP
address range.
In addition to specifying IP address and port mappings between interfaces, virtual IP
configurations can optionally bind an additional IP address or IP address range to the
receiving network interface. By binding an additional IP address, you can configure a
separate set of mappings that the FortiGate unit can apply to packets whose destination
matches that bound IP address, rather than the IP address already configured for the
network interface.
Depending on your configuration of the virtual IP, its mapping may involve port address
translation (PAT), also known as port forwarding or network address port translation
(NAPT), and/or network address translation (NAT) of IP addresses.
If you configure NAT in the virtual IP and firewall policy, the NAT behavior varies by your
selection of:
• static vs. dynamic NAT mapping
• the dynamic NAT’s load balancing style, if using dynamic NAT mapping
• full NAT vs. destination NAT (DNAT)
The following table describes combinations of PAT and/or NAT that are possible when
configuring a firewall policy with a virtual IP.
Static NAT Static, one-to-one NAT mapping: an external IP address is always translated to
the same mapped IP address.
If using IP address ranges, the external IP address range corresponds to a
mapped IP address range containing an equal number of IP addresses, and
each IP address in the external range is always translated to the same IP
address in the mapped range.
Static NAT with Static, one-to-one NAT mapping with port forwarding: an external IP address is
Port Forwarding always translated to the same mapped IP address, and an external port number
is always translated to the same mapped port number.
If using IP address ranges, the external IP address range corresponds to a
mapped IP address range containing an equal number of IP addresses, and
each IP address in the external range is always translated to the same IP
address in the mapped range. If using port number ranges, the external port
number range corresponds to a mapped port number range containing an equal
number of port numbers, and each port number in the external range is always
translated to the same port number in the mapped range.
v2 FortiGate Fundamentals
01-420-99686-20101026 213
http://docs.fortinet.com/ • Feedback
Addressing Firewall components
Server Load Dynamic, one-to-many NAT mapping: an external IP address is translated to one
Balancing of the mapped IP addresses, as determined by the selected load balancing
algorithm for more even traffic distribution. The external IP address is not always
translated to the same mapped IP address.
Server load balancing requires that you configure at least one “real” server, but
can use up to eight. Real servers can be configured with health check monitors.
Health check monitors can be used to gauge server responsiveness before
forwarding packets.
Server Load Dynamic, one-to-many NAT mapping with port forwarding: an external IP
Balancing with address is translated to one of the mapped IP addresses, as determined by the
Port Forwarding selected load balancing algorithm for more even traffic distribution. The external
IP address is not always translated to the same mapped IP address.
Server load balancing requires that you configure at least one “real” server, but
can use up to eight. Real servers can be configured with health check monitors.
Health check monitors can be used to gauge server responsiveness before
forwarding packets.
Note: If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full (source and destination) NAT; instead, it performs destination
network address translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP
address, but does not translate the source address. The private network is aware of the
source’s public IP address. For reply traffic, the FortiGate unit translates packets’ private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.
A typical example of static NAT is to allow client access from a public network to a web
server on a private network that is protected by a FortiGate unit. Reduced to its essence,
this example involves only three hosts, as shown in Figure 21: the web server on a private
network, the client computer on another network, such as the Internet, and the FortiGate
unit connecting the two networks.
When a client computer attempts to contact the web server, it uses the virtual IP on the
FortiGate unit’s external interface. The FortiGate unit receives the packets. The addresses
in the packets are translated to private network IP addresses, and the packet is forwarded
to the web server on the private network.
Int
e
S 10
10 rnal
10
er .1
ve 0.
.
.10 IP
r 42
.10
IP
.2
V
19 irtua
2.1 l IP
68
.37
.4
19
C 168
lie .
2.
nt 37
IP .55
v2 FortiGate Fundamentals
214 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Addressing
The packets sent from the client computer have a source IP of 192.168.37.55 and a
destination IP of 192.168.37.4. The FortiGate unit receives these packets at its external
interface, and matches them to a firewall policy for the virtual IP. The virtual IP settings
map 192.168.37.4 to 10.10.10.42, so the FortiGate unit changes the packets’ addresses.
The source address is changed to 10.10.10.2 and the destination is changed to
10.10.10.42. The FortiGate unit makes a note of this translation in the firewall session
table it maintains internally. The packets are then sent on to the web server.
Figure 22: Example of packet address remapping during NAT from client to server
.2
0 .10 0.42
. 1 1
10 0.
e IP 10.1
urc IP
1
So ation 3
2
n
sti
De NA
Tw
ith
av
irtu
al 1
IP 3
2 5
7.5 4
6 8.3 .37.
2.1 68
P 19 92.1
e I IP 1
o urc tion
S ina
st
De
Note that the client computer’s address does not appear in the packets the server
receives. After the FortiGate unit translates the network addresses, there is no reference
to the client computer’s IP address, except in its session table. The web server has no
indication that another network exists. As far as the server can tell, all packets are sent by
the FortiGate unit.
When the web server replies to the client computer, address translation works similarly,
but in the opposite direction. The web server sends its response packets having a source
IP address of 10.10.10.42 and a destination IP address of 10.10.10.2. The FortiGate unit
receives these packets on its internal interface. This time, however, the session table is
used to recall the client computer’s IP address as the destination address for the address
translation. In the reply packets, the source address is changed to 192.168.37.4 and the
destination is changed to 192.168.37.55. The packets are then sent on to the client
computer.
The web server’s private IP address does not appear in the packets the client receives.
After the FortiGate unit translates the network addresses, there is no reference to the web
server’s network. The client has no indication that the web server’s IP address is not the
virtual IP. As far as the client is concerned, the FortiGate unit’s virtual IP is the web server.
v2 FortiGate Fundamentals
01-420-99686-20101026 215
http://docs.fortinet.com/ • Feedback
Addressing Firewall components
Figure 23: Example of packet address remapping during NAT from server to client
.42
0 .10 10.2
0.1 10.
I P 1 10.
e IP
urc n
1
So inatio 3
2
st
De NA
Tw
ith
av
irtu
al
IP 1
3
2
7.4 5
6 8.3 37.5
.1 .
92 168
I P 1 192.
e
urc IP
So ation
tin
D es
In the previous example, the NAT check box is checked when configuring the firewall
policy. If the NAT check box is not selected when building the firewall policy, the resulting
policy does not perform full NAT; instead, it performs destination network address
translation (DNAT).
For inbound traffic, DNAT translates packets’ destination address to the mapped private IP
address, but does not translate the source address. The web server would be aware of
the client’s IP address. For reply traffic, the FortiGate unit translates packets’ private
network source IP address to match the destination address of the originating packets,
which is maintained in the session table.
Outbound connections
Virtual IPs can also affect outbound NAT, even though they are not selected in an
outbound firewall policy. If no virtual IPs are configured, FortiGate units apply traditional
outbound NAT to connections outbound from private network IP addresses to public
network IP addresses. However, if virtual IP configurations exist, FortiGate units use
virtual IPs’ inbound NAT mappings in reverse to apply outbound NAT, causing IP address
mappings for both inbound and outbound traffic to be symmetric.
For example, if a network interface’s IP address is 10.10.10.1, and its bound virtual IP’s
external IP is 10.10.10.2, mapping inbound traffic to the private network IP address
192.168.2.1, traffic outbound from 192.168.2.1 will be translated to 10.10.10.2, not
10.10.10.1.
Note: A virtual IP setting with port forwarding enabled does not translate the
source address of outbound traffic. If both virtual IP (without port forwarding) and
IP Pools are enabled, IP Pools is preferred for source address translation of
outbound traffic.
v2 FortiGate Fundamentals
216 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Addressing
Address groups
Similar to zones, if you have a number of addresses or address ranges that require the
same firewall policies, you can put them into address groups, rather than creating multiple
similar policies. Because firewall policies require addresses with homogenous network
interfaces, address groups should contain only addresses bound to the same network
interface, or to Any — addresses whose selected interface is Any are bound to a network
interface during creation of a firewall policy, rather than during creation of the firewall
address.
For example, if address 1.1.1.1 is associated with port1, and address 2.2.2.2 is associated
with port2, they cannot be in the same group. However, if 1.1.1.1 and 2.2.2.2 are
configured with an interface of Any, they can be grouped, even if the addresses involve
different networks.
You cannot mix IPv4 firewall addresses and IPv6 firewall addresses in the same address
group.
Example
This example creates an address group accounting, where addresses for User_1 and
User_2 have port association of Any. It is recommended to add the addresses you want to
add to the group before setting up the address group.
Setup
To create an address group - web-based manager
1 Go to Firewall > Address > Group, and select Create New.
2 Enter the Group Name of accounting.
3 From the Available Addresses list, select an address and select the down-arrow button
to move the address name to the Members list.
4 Repeat step three as many times as required. You can also hold the SHIFT key to
select a range of address names from the list.
5 Select OK.
v2 FortiGate Fundamentals
01-420-99686-20101026 217
http://docs.fortinet.com/ • Feedback
Addressing Firewall components
DHCP
The Dynamic Host Configuration Protocol (DHCP) enables hosts to automatically obtain
an IP address from a DHCP server. Optionally, hosts can also obtain default gateway and
DNS server settings.
Note: DHCP is not available when the FortiGate unit is operating in Transparent mode.
On FortiGate 30B, 50 and 60 series units, a DHCP server is configured, by default, on the
Internal interface, as follows:
Example
This example sets up a DHCP server on the Internal interface for guests with an IP range
of 10.13.101.100 to 10.13.101.110, a default gateway of 10.13.101.2 and address lease of
5 days.
v2 FortiGate Fundamentals
218 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Addressing
Example
This example sets up a DHCP relay on the internal interface from the DHCP server
located at 172.20.120.55. The FortiGate unit will send a request for an IP address from the
defined DHCP server and forward it to the requesting connection.
IP pools
An IP pool defines a single IP address or a range of IP addresses. A single IP address in
an IP pool becomes a range of one IP address. For example, if you enter an IP pool as
1.1.1.1, the IP pool is actually the address range, 1.1.1.1 to 1.1.1.1. Use IP pools to add
NAT policies that translate source addresses to addresses randomly selected from the IP
pool, rather than the IP address assigned to that FortiGate interface.
If a FortiGate interface IP address overlaps with one or more IP pool address ranges, the
interface responds to ARP requests for all of the IP addresses in the overlapping IP pools.
v2 FortiGate Fundamentals
01-420-99686-20101026 219
http://docs.fortinet.com/ • Feedback
Addressing Firewall components
For example, consider a FortiGate unit with the following IP addresses for the port1 and
port2 interfaces:
• port1 IP address: 1.1.1.1/255.255.255.0 (range is 1.1.1.0-1.1.1.255)
• port2 IP address: 2.2.2.2/255.255.255.0 (range is 2.2.2.0-2.2.2.255)
And the following IP pools:
• IP_pool_1: 1.1.1.10-1.1.1.20
• IP_pool_2: 2.2.2.10-2.2.2.20
• IP_pool_3: 2.2.2.30-2.2.2.40
The port1 interface overlap IP range with IP_pool_1 is:
• (1.1.1.0-1.1.1.255) and (1.1.1.10-1.1.1.20) = 1.1.1.10-1.1.1.20
The port2 interface overlap IP range with IP_pool_2 is:
• (2.2.2.0-2.2.2.255) & (2.2.2.10-2.2.2.20) = 2.2.2.10-2.2.2.20
The port2 interface overlap IP range with IP_pool_3 is:
• (2.2.2.0-2.2.2.255) & (2.2.2.30-2.2.2.40) = 2.2.2.30-2.2.2.40
And the result is:
• The port1 interface answers ARP requests for 1.1.1.10-1.1.1.20
• The port2 interface answers ARP requests for 2.2.2.10-2.2.2.20 and for 2.2.2.30-
2.2.2.40
Select NAT in a firewall policy and then select Dynamic IP Pool. Select an IP pool to
translate the source address of packets leaving the FortiGate unit to an address randomly
selected from the IP pool.
Example
This example sets up an IP Pool with an address range of 10.13.101.100 to 10.13.101.110
for guest accounts on the network.
v2 FortiGate Fundamentals
220 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Addressing
Scenario 2: The number of source addresses is more than that of IP pool addresses
In this case, the FortiGate unit translates IP addresses using a wrap-around mechanism.
If you enable fixedport in such a case, the FortiGate unit preserves the original source
port. But conflicts may occur since users may have different sessions using the same TCP
5 tuples.
v2 FortiGate Fundamentals
01-420-99686-20101026 221
http://docs.fortinet.com/ • Feedback
Addressing Firewall components
Scenario 3: The number of source addresses is fewer than that of IP pool addresses
In this case, some of the IP pool addresses are used and the rest of them are not be used.
IPv6
Internet Protocol version 6 (IPv6) is the next-generation version of IP addressing, to
eventually replace IPv4. IPv6 was developed because there is a concern that in the near
future, the available addresses for the IPv4 infrastructure will be exhausted. The IPv6
infrastructure will supplement, and eventually, replace the IPv4 standard.
Where IPv4 uses 32 bit addressing, IPv6 uses 128 bit addressing, effectively providing
trillions upon trillions of unique addresses, whereas IPv4 can have a a little over 4 billion.
With this larger address space, allocating addresses and routing traffic becomes easier,
and network address translation (NAT) becomes virtually unnecessary.
Where IPv4 addresses are written numerals separated by a decimal, the IPv6 address is
written with hexadecimal digits separated by a colon. For example,
fe80:218:8bff:fe84:4223.
By default, the FortiGate unit is not enabled to use IPv6 addressing. To enable this
feature, go to System > Admin > Settings and select IPv6 Support on GUI. When enabled
you can use IPv6 addressing on any of the address-dependant components of the
FortiGate unit, including firewall policies, interface addressing, DNS servers. IPv6
addressing can be configured on the web-based manager and in the CLI.
For further information on IPV6 in FortiOS, see “IPv6” on page 459.
Example
This example adds an IPv6 address 2001:db8:0:1234:0:567:1:1 for the WAN1 interface as
well as the administrative access to HTTPS and SSH. As a good practice, set the
administrative access when you are setting the IP address for the port.
v2 FortiGate Fundamentals
222 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Ports
Example
This example adds an IPv6 firewall address for guest users of 2001:db8:0:1234:0:567:1:1.
Ports
A port is a type of address used by specific applications and processes. The FortiGate unit
uses a number of port assignments to send and receive information for basic system
operation and communication by default.
Originating traffic
Function Port(s)
DNS lookup; RBL lookup UDP 53
FortiGuard Antispam or Web Filtering rating lookup UDP 53 or UDP
8888
FDN server list UDP 53 (default) or
Source and destination port numbers vary by originating or reply traffic. UDP 8888, and
UDP 1027 or UDP
1031
NTP synchronization UDP 123
SNMP traps UDP 162
v2 FortiGate Fundamentals
01-420-99686-20101026 223
http://docs.fortinet.com/ • Feedback
Ports Firewall components
Receiving traffic
When operating in the default configuration, FortiGate units do not accept TCP or UDP
connections on any port except the default internal interface, which accepts HTTPS
connections on TCP port 443.
Function Port(s)
FortiGuard Antivirus and IPS update push UDP 9443
The FDN sends notice that an update is available. Update downloads then
occur on standard originating ports for updates.
SSH administrative access to the CLI; remote management from a TCP 22
FortiManager unit
Telnet administrative access to the CLI; HA synchronization (FGCP L2) TCP 23
Changing the telnet administrative access port number also changes the HA
synchronization port number.
HTTP administrative access to the web-based manager TCP 80
HTTPS administrative access to the web-based manager; remote TCP 443
management from a FortiManager unit; user authentication for policy override
SSL management tunnel from FortiGuard Analysis and Management Service TCP 541
(FortiOS v3.0 MR6 or later)
HA heartbeat (FGCP L2) TCP 703
User authentication keep alive and logout for policy override (default value of TCP 1000
port for HTTP traffic)
This port is closed until enabled by the auth-keepalive command.
User authentication keepalive and logout for policy override (default value of TCP 1003
port for HTTPS traffic)
This port is closed until enabled by the auth-keepalive command.
Windows Active Directory (AD) Collector Agent TCP 8000
User authentication for policy override of HTTP traffic TCP 8008
v2 FortiGate Fundamentals
224 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Ports
Port 113
TCP port 113 (Ident/Auth) is an exception to the above rule. By default, FortiGate units
receiving an IDENT request on this port respond with a TCP RST, which resets the
connection. This prevents delay that would normally occur if the requesting host were to
wait for the connection attempt to time out.
This port is less commonly used today. If you do not use this service, you can make your
FortiGate unit less visible to probes. You can disable TCP RST responses to IDENT
requests and subject those requests to firewall policies, and thereby close this port.
For each network interface that should not respond to ident requests on TCP port 113,
enter the following CLI commands:
config system interface
edit <port_name>
set ident-accept enable
end
For example, to disable ident responses on a network interface names port1, enter the
following commands:
config system interface
edit port1
set ident-accept enable
end
Port 541
By default, FortiGate units use this port to initiate an SSL-secured management tunnel
connection to centralized device managers such as the FortiGuard Analysis and
Management Service.
If you do not use centralized management you can make your FortiGate unit less visible to
probes. You can disable the management tunnel feature, and thereby close this port using
the following CLI command:
config sys central-management
set status disable
end
v2 FortiGate Fundamentals
01-420-99686-20101026 225
http://docs.fortinet.com/ • Feedback
Services Firewall components
Services
Services represent typical traffic types and application packets that pass through the
FortiGate unit. Firewall services define one or more protocols and port numbers
associated with each service. Firewall policies use service definitions to match session
types. You can organize related services into service groups to simplify your firewall
policy list.
Many well-known traffic types have been predefined in firewall services and protocols on
the FortiGate unit. These predefined services and protocols are defaults, and cannot be
edited or removed. However, if you require different services, you can create custom
services.
To view the predefined servers, go to Firewall > Service > Predefined.
Custom service
Should there be a service that does not appear on the list, or you have a unique service or
situation, you can create your own custom service. You need to know the port(s), IP
addresses or protocols the particular service or application uses to create the custom
service.
Example
This example creates a custom service for the “Widget” application, which communicates
on TCP port 9620 for source traffic and between ports 4545 and 4550 for destination
traffic.
3 Select OK.
v2 FortiGate Fundamentals
226 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components Schedules
Schedules
When you add firewall policies on a FortiGate unit, those policies are always on, policing
the traffic through the device. Firewall schedules control when policies are in effect, that is,
when they are on. You can create one-time schedules which are schedules that are in
effect only once for the period of time specified in the schedule. You can also create
recurring schedules that are in effect repeatedly at specified times of specified days of the
week.
You can create a recurring schedule that activates a policy during a specified period of
time. For example, you might prevent game playing during office hours by creating a
recurring schedule that covers office hours.
If a recurring schedule has a stop time that is earlier than the start time, the schedule will take effect
at the start time but end at the stop time on the next day. You can use this technique to create
recurring schedules that run from one day to the next. For example, to prevent game playing except
at lunchtime, you might set the start time for a recurring schedule at 1:00 p.m. and the stop time at
12:00 noon. To create a recurring schedule that runs for 24 hours, set the start and stop times to 00.
Example
This example creates a schedule for surfing the Internet at lunch time. The company
restricts the amount of surfing on company time, but over lunch, the restrictions are lifted.
For this schedule, a firewall policy would be created to enable all services for a limited
amount of time. This example sets up the time frame.
Example
This example creates a one-time schedule for a firewall policy. In this example, a company
is shut down over the Christmas holidays. To prevent employees from coming to work to
use the internet connection, the company sets up a one-time firewall policy to block most
internet traffic during this time period. A schedule needs to be created to limit internet
traffic between December 25 and January 1.
v2 FortiGate Fundamentals
01-420-99686-20101026 227
http://docs.fortinet.com/ • Feedback
Schedules Firewall components
/Start
Year 2009
Month 12
Day 25
Hour 00
Minute 00
Stop
Year 2010
Month 01
Day 01
Hour 23
Minute 00
Schedule groups
You can organize multiple firewall schedules into a schedule group to simplify your firewall
policy list. For example, instead of having five identical policies for five different but related
firewall schedules, you might combine the five schedules into a single schedule group that
is used by a single firewall policy.
Schedule groups can contain both recurring and one-time schedules. Schedule groups
cannot contain other schedule groups.
Example
This example creates a schedule group for the schedules created in the previous
schedule examples. The schedule group enables you to have one firewall policy that
covers both schedules, rather than creating two separate policies.
v2 FortiGate Fundamentals
228 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall components UTM profiles
UTM profiles
Where firewall policies provide the instructions to the FortiGate unit as to what traffic is
allowed through the device, the Unified Threat Management (UTM) profiles provide the
screening that filters the content coming and going on the network. The UTM profiles
enable you to instruct the FortiGate unit what to look for in the traffic that you don’t want, or
want to monitor, as it passes through the device.
A UTM profile is a group of options and filters that you can apply to one or more firewall
policies. UTM profiles can be used by more than one firewall policy. You can configure
sets of UTM profiles for the traffic types handled by a set of firewall policies that require
identical protection levels and types, rather than repeatedly configuring those same UTM
profile settings for each individual firewall policy.
For example, while traffic between trusted and untrusted networks might need strict
antivirus protection, traffic between trusted internal addresses might need moderate
antivirus protection. To provide the different levels of protection, you might configure two
separate protection profiles: one for traffic between trusted networks, and one for traffic
between trusted and untrusted networks.
UTM profiles are available for various unwanted traffic and network threats. Each are
configured separately and can be used in different groupings as needed. You configure
UTM profiles in the UTM menu and applied when creating a firewall policy by selecting the
UTM profile type.
v2 FortiGate Fundamentals
01-420-99686-20101026 229
http://docs.fortinet.com/ • Feedback
UTM profiles Firewall components
Example
This example creates an antivirus profile that will scan all email traffic for viruses. The new
profile will be called email_scan.
Example
This example creates an web filter profile that prevents Active X and Java applets from
being downloaded in a web browser when a user visits a web site with these elements on
the page. The new profile will be called activex_java.
v2 FortiGate Fundamentals
230 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies
Firewall policies control all traffic attempting to pass through the FortiGate unit, between
FortiGate interfaces, zones, and VLAN subinterfaces.
Firewall policies are instructions the FortiGate unit uses to decide connection acceptance
and packet processing for traffic attempting to pass through. When the firewall receives a
connection packet, it analyzes the packet’s source address, destination address, and
service (by port number), and attempts to locate a firewall policy matching the packet.
Firewall policies can contain many instructions for the FortiGate unit to follow when it
receives matching packets. Some instructions are required, such as whether to drop or
accept and process the packets, while other instructions, such as logging and
authentication, are optional.
Policy instructions may include network address translation (NAT), or port address
translation (PAT), or by using virtual IPs or IP pools to translate source and destination IP
addresses and port numbers.
Policy instructions may also include UTM profiles, which can specify application-layer
inspection and other protocol-specific protection and logging, as well as IPS inspection at
the transport layer.
This chapter describes what firewall policies are and how they affect all traffic to and from
your network. It also describes how to configure some key policies; these are basic
policies you can use as a building block to more complex policies, but they enable you to
get the FortiGate unit running on the network quickly.
This chapter contains the following topics:
• Policy order
• Creating basic policies
• DoS Policies
• Sniffer Policies
• Identity-based Policies
• ICMP packet processing
• Firewall policy examples
You configure firewall policies to define which sessions will match the policy and what
actions the FortiGate unit will perform with packets from matching sessions.
Sessions are matched to a firewall policy by considering these features of both the packet
and policy:
• Source Interface/Zone
• Source Address
• Destination Interface/Zone
• Destination Address
• Schedule and time of the session’s initiation
• Service and the packet’s port numbers.
If the initial packet matches the firewall policy, the FortiGate unit performs the configured
Action and any other configured options on all packets in the session.
v2 FortiGate Fundamentals
01-420-99686-20101026 231
http://docs.fortinet.com/ • Feedback
Policy order Firewall Policies
Policy order
Each time a FortiGate unit receives a connection attempting to pass through one of its
interfaces, the unit searches its firewall policy list for a matching firewall policy.
The search begins at the top of the policy list and progresses in order towards the bottom.
The FortiGate unit evaluates each policy in the firewall policy list for a match until a match
is found. When the FortiGate unit finds the first matching policy, it applies the matching
policy’s specified actions to the packet, and disregards subsequent firewall policies.
Matching firewall policies are determined by comparing the firewall policy and the
packet’s:
• source and destination interfaces
• source and destination firewall addresses
• services
• time/schedule.
If no policy matches, the connection is dropped.
As a general rule, you should order the firewall policy list from most specific to most
general because of the order in which policies are evaluated for a match, and because
only the first matching firewall policy is applied to a connection. Subsequent possible
matches are not considered or applied. Ordering policies from most specific to most
general prevents policies that match a wide range of traffic from superseding and
effectively masking policies that match exceptions.
Note: One slight variation on this is identity-based policies. For more information
see “Identity-based Policies” on page 240.
v2 FortiGate Fundamentals
232 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies Policy order
For example, you might have a general policy that allows all connections from the internal
network to the Internet, but want to make an exception that blocks FTP. In this case, you
would add a policy that denies FTP connections above the general policy.
}Exception
}General
FTP connections would immediately match the deny policy, blocking the connection.
Other kinds of services do not match the FTP policy, and so policy evaluation would
continue until reaching the matching general policy. This policy order has the intended
effect. But if you reversed the order of the two policies, positioning the general policy
before the policy to block FTP, all connections, including FTP, would immediately match
the general policy, and the policy to block FTP would never be applied. This policy order
would not have the intended effect.
}General
}Exception
Similarly, if specific traffic requires authentication, IPSec VPN, or SSL VPN, you would
position those policies above other potential matches in the policy list. Otherwise, the
other matching policies would always take precedence, and the required authentication,
IPSec VPN, or SSL VPN might never occur.
Note: A default firewall policy may exist which accepts all connections. You can move,
disable or delete it. If you move the default policy to the bottom of the firewall policy list and
no other policy matches the packet, the connection will be accepted. If you disable or delete
the default policy and no other policy matches the packet, the connection will be dropped.
You can arrange the firewall policy list to influence the order in which policies are
evaluated for matches with incoming traffic. When more than one policy has been defined
for the same interface pair, the first matching firewall policy will be applied to the traffic
session.
Rearranging policies
Moving a policy in the firewall policy list does not change its ID, which only indicates the
order in which the policy was created.
v2 FortiGate Fundamentals
01-420-99686-20101026 233
http://docs.fortinet.com/ • Feedback
Policy order Firewall Policies
Firewall policy 0
FortiGate units create a firewall policy of 0 (zero) which can appear in the logs, but will
never appear in the firewall policy list, and therefore can never be repositioned in the list.
When viewing the FortiGate logs, you may find an entry indicating policyid=”0”.
For example:
2008-10-06 00:13:49 log_id=0022013001 type=traffic
subtype=violation pri=warning vd=root SN=179089 duration=0
user=N/A group=N/A rule=0 policyid=0 proto=17 service=137/udp
app_type=N/A status=deny src=10.181.77.73 srcname=10.181.77.73
dst=10.128.1.161 dstname=10.128.1.161 src_int=N/A
dst_int="Internal" sent=0 rcvd=0 src_port=137 dst_port=137 vpn=N/A
tran_ip=0.0.0.0 tran_port=0
Any firewall policy that is automatically added by the FortiGate unit has a policy ID number
of 0. The most common reasons the FortiGate unit creates this policy is
• The IPsec policy for FortiAnalyzer (and FortiManager version 3.0) is automatically
added when an IPsec connection to the FortiAnalyzer unit or FortiManager is enabled.
• The policy to allow FortiGuard servers to be automatically added has a policy ID
number of 0.
• The (default) drop rule that is the last rule in the policy and that is automatically added
has a policy ID number of 0.
• When a network zone is defined within a VDOM, the intra-zone traffic set to allow or
block is managed by policy 0 if it is not processed by a configured firewall policy.
v2 FortiGate Fundamentals
234 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies Creating basic policies
v2 FortiGate Fundamentals
01-420-99686-20101026 235
http://docs.fortinet.com/ • Feedback
Creating basic policies Firewall Policies
v2 FortiGate Fundamentals
236 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies Creating basic policies
Service FTP
Action DENY
v2 FortiGate Fundamentals
01-420-99686-20101026 237
http://docs.fortinet.com/ • Feedback
DoS Policies Firewall Policies
DoS Policies
Denial of Service (DoS) policies, also known as anomaly thresholds, are primarily used to
apply DoS sensors to network traffic based on the FortiGate interface it is entering as well
as the source and destination addresses. DoS sensors are a traffic anomaly detection
feature to identify network traffic that does not fit known or common traffic patterns and
behavior. A denial of service attack occurs when an attacking system starts an abnormally
large number of sessions with a target system. The large number of sessions slows down
or disables the target system so legitimate users can no longer use it.
DoS policies examine network traffic very early in the sequence of protective measures
the FortiGate unit deploys to protect your network. Because of this, DoS policies are a
very efficient defence, using few resources. The previously mentioned denial of service
would be detected and its packets dropped before requiring firewall policy look-ups,
antivirus scans, and other protective but resource-intensive operations.
You can create DoS sensors to protect against variety of different attack patterns. By
default, the FortiGate unit includes two sensors; one to pass all traffic and one to block the
more common DoS attack patterns. To create your own DoS sensor, go to UTM >
Intrusion Protection > DoS Sensor and select Create New.
For more information on DoS sensor configuration, see the UTM chapter.
DoS sensor policies are stored separately in the FortiGate web-based manager and do
not appear in the firewall policy list. As traffic passes through the FortiGate interface, the
DoS policy is applied first to determine whether the traffic is genuine or an attack. If it is
genuine, the packets are forwarded to the normal firewall policies and applied as required.
If the FortiGate unit determines the traffic is a DoS attack, the policy is applied as
configured in the DoS sensor.
v2 FortiGate Fundamentals
238 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies Sniffer Policies
end
Sniffer Policies
Sniffer policies are used to configure a physical interface on the FortiGate unit as a
one-arm intrusion detection system (IDS). Traffic sent to the interface is examined for
matches to the configured IPS sensor and application control list. Matches are logged and
then all received traffic is dropped. Sniffing only reports on attacks. It does not deny or
otherwise influence traffic.
Sniffer policies are applied to sniffer interfaces. Traffic entering a sniffer interface is
checked against the sniffer policies for matching source and destination addresses and for
service. This check against the policies occurs in listed order, from top to bottom. The first
sniffer policy matching all three attributes then examines the traffic. Once a policy matches
the attributes, checks for policy matches stop. If no sniffer policies match, the traffic is
dropped without being examined.
Once a policy match is detected, the matching policy compares the traffic to the contents
of the DoS sensor, IPS sensor, and application control list specified in the policy. If any
matches are detected, the FortiGate unit creates an entry in the log of the matching
sensor/list. If the same traffic matches multiple sensors/lists, it is logged for each match.
Before creating the sniffer policy, you must setup the FortiGate unit to the network and
configure a port as a dedicated sniffer port.The easiest way to do this is to either use a hub
or a switch with a SPAN port. A SPAN port is a special-purpose interface that mirrors all
the traffic the switch receives. Traffic is handled normally on every other switch interface,
but the SPAN port sends a copy of everything. If you connect your FortiGate unit sniffer
interface to the switch SPAN port, all the network traffic will be examined without any being
lost because of the examination.
The FortiGate interface needs to be enabled for sniffing. In the example below, the WAN1
port is configured for one-armed sniffing.
v2 FortiGate Fundamentals
01-420-99686-20101026 239
http://docs.fortinet.com/ • Feedback
Identity-based Policies Firewall Policies
Identity-based Policies
If you enable Enable Identity Based Policy in a firewall policy, network users must send
traffic involving a supported firewall authentication protocol to trigger the firewall
authentication challenge, and successfully authenticate, before the FortiGate unit will
allow any other traffic matching the firewall policy.
User authentication can occur through any of the following supported protocols:
• HTTP
• HTTPS
• FTP
• Telnet
Authentication can also occur through automatic login using NTLM and FSAE, to bypass
user intervention.
The authentication style depends on which of these supported protocols you have
included in the selected firewall services group and which of those enabled protocols the
network user applies to trigger the authentication challenge. The authentication style will
be one of two types. For certificate-based (HTTPS or HTTP redirected to HTTPS only)
authentication, you must install customized certificates on the FortiGate unit and on the
browsers of network users, which the FortiGate unit matches. For user name and
password-based (HTTP, FTP, and Telnet) authentication, the FortiGate unit prompts
network users to input their firewall user name and password.
v2 FortiGate Fundamentals
240 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies Identity-based Policies
Note: If you do not install certificates on the network user’s web browser, the network users
may see an SSL certificate warning message and have to manually accept the default
FortiGate certificate, which the network users’ web browsers may then deem as invalid.
Note: When you use certificate authentication, if you do not specify any certificate when
you create a firewall policy, the FortiGate unit will use the default certificate from the global
settings. If you specify a certificate, the per-policy setting will override the global setting.
Authentication requires that Action is ACCEPT or SSL-VPN, and that you first create
users, assign them to a firewall user group, and assign UTM profiles to that user group.
v2 FortiGate Fundamentals
01-420-99686-20101026 241
http://docs.fortinet.com/ • Feedback
Identity-based Policies Firewall Policies
DNS traffic goes through successfully as does any HTTP traffic after being authenticated.
However, if there was FTP traffic, it would not get through. As the FortiGate unit processes
FTP traffic, it skips rule one since it’s matching the source, destination and service. When
it moves to rule two it matches the source and destination, it determines there is a match
and, sees there are also processes the group/service rules, which requires authentication
and acts on those rules. Once satisfied, the FortiGate unit will never go to rule three.
In this situation, where you would want FTP traffic to traverse the FortiGate unit, create a
firewall policy specific to the services you require and place it above the authentication
policy.
Identity-based sub-policies
When adding authentication to a firewall policy, you can add multiple authentication rules,
or sub-policies. Within these policies you can include additional UTM profiles, traffic
shaping and so on, to take affect on the selected services.
v2 FortiGate Fundamentals
242 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies ICMP packet processing
These sub-policies work on the same principle as normal firewall policies, that is, top
down until the criteria has been met (see “Policy order” on page 232). As such, if there is
no matching policy within the list, the packet can still be dropped even after authentication
is successful.
v2 FortiGate Fundamentals
01-420-99686-20101026 243
http://docs.fortinet.com/ • Feedback
Firewall policy examples Firewall Policies
Blocking an IP address
This example describes how to create a firewall policy to block a specific IP address. Any
traffic from the configured IP address will be dropped at the point of hitting the FortiGate
unit. To block an IP address, you need to create an address entry before creating a firewall
policy to block the address.
Add an Address
First create the address which the FortiGate will identify to be blocked. In this example, the
address will be 172.20.120.29 for the address name of Blocked_IP.
v2 FortiGate Fundamentals
244 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies Firewall policy examples
Note: If the stop time is set earlier than the start time, the stop time will be
considered as the next day. If the start time is equal to the stop time, the schedule
will run for 24 hours.
v2 FortiGate Fundamentals
01-420-99686-20101026 245
http://docs.fortinet.com/ • Feedback
Firewall policy examples Firewall Policies
10 Select OK.
11 Select Create New
12 Enter the schedule Name of late evening early morning.
13 Select the days of the week this schedule is employed. In this case, Monday through
Friday.
14 Select the Start Hour of 18.
15 Select the Stop Hour of 08.
16 Select OK.
v2 FortiGate Fundamentals
246 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies Firewall policy examples
v2 FortiGate Fundamentals
01-420-99686-20101026 247
http://docs.fortinet.com/ • Feedback
Firewall policy examples Firewall Policies
v2 FortiGate Fundamentals
248 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Firewall Policies Firewall policy examples
v2 FortiGate Fundamentals
01-420-99686-20101026 249
http://docs.fortinet.com/ • Feedback
Firewall policy examples Firewall Policies
v2 FortiGate Fundamentals
250 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Troubleshooting
When the firewall policies are in place and traffic is not flowing, or flowing more than it
should, there may be an issue with the one or more firewall policies. This chapter outlines
some troubleshooting tips and steps to diagnose where the traffic is not getting through, or
letting too much traffic through.
This chapter includes the topics:
• Basic policy checking
• Verifying traffic
• Using log messages to view violation traffic
• Traffic trace
• Packet sniffer
Verifying traffic
With many firewall policies in place, you may want to verify that traffic is being affected by
the policy. There is a simple way to get a quick visual confirmation within the web-based
manager. This is done by adding a counter column to the firewall policy table. These steps
are only available in the web-based manager.
v2 FortiGate Fundamentals
01-420-99686-20101026 251
http://docs.fortinet.com/ • Feedback
Using log messages to view violation traffic Troubleshooting
Note: For accelerated traffic, NP2 ports the count does not reflect the real traffic count.
Only the start of a session packet will be counted. For non-accelerated traffic, all packets
are counted.
v2 FortiGate Fundamentals
252 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Troubleshooting Traffic trace
Traffic trace
Traffic tracing enables you to follow a specific packet stream. View the characteristics of a
traffic session though specific firewall policies using the CLI command diagnose
system session, trace per-packet operations for flow tracing using diagnose debug
flow and trace per-Ethernet frame using diagnose sniffer packet.
Session table
The FortiGate session table can be viewed from the web-based manager or the CLI. The
most useful troubleshooting data comes from the CLI. The session table in web-based
manager also provides some useful summary information, particularly the current policy
number that the session is using.
Sessions only are appear if a session was established. If a packet is dropped, then no
session will appear in the table. Using the CLI command diagnose debug flow can be
used to identify why the packet was dropped.
v2 FortiGate Fundamentals
01-420-99686-20101026 253
http://docs.fortinet.com/ • Feedback
Traffic trace Troubleshooting
Sample output
session info: proto=6 proto_state=05 expire=89 timeout=3600
flags=00000000 av_idx=0 use=3
bandwidth=204800/sec guaranteed_bandwidth=102400/sec
traffic=332/sec prio=0 logtype=session ha_id=0 hakey=4450
tunnel=/
state=log shape may_dirty
statistic(bytes/packets/err): org=3408/38/0 reply=3888/31/0
tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/5
gwy=192.168.11.254/10.0.5.100
hook=post dir=org act=snat 10.0.5.100:1251-
>192.168.11.254:22(192.168.11.105:1251)
hook=pre dir=reply act=dnat 192.168.11.254:22-
>192.168.11.105:1251(10.0.5.100:1251)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 domain_info=0 auth_info=0 ftgd_info=0 ids=0x0 vd=0
serial=00007c33 tos=ff/ff
Filter options enable you to view specific information from this command:
diagnose sys session filter <option>
The <option> values available include the following:
clear clear session filter
dport dest port
dst destination IP address
negate inverse filter
policy policy ID
proto protocol number
sport source port
src source IP address
vd index of virtual domain. -1 matches all
Even though UDP is a sessionless protocol, the FortiGate unit still keeps track of the
following two different states:
• UDP reply not seen with a value of 0
• UDP reply seen with a value of 1
The table below shows the firewall session states from the session table:
State Meaning
log Session is being logged.
local Session is originated from or destined for local stack.
ext Session is created by a firewall session helper.
may_dirty Session is created by a policy. For example, the session for ftp control
channel will have this state but ftp data channel will not. This is also seen
when NAT is enabled.
ndr Session will be checked by IPS signature.
nds Session will be checked by IPS anomaly.
br Session is being bridged (TP) mode.
v2 FortiGate Fundamentals
254 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Troubleshooting Traffic trace
Sample output
entry used by table firewall.address:name '10.98.23.23_host’
entry used by table firewall.address:name 'NAS'
entry used by table firewall.address:name 'all'
entry used by table firewall.address:name 'fortinet.com'
entry used by table firewall.vip:name 'TORRENT_10.0.0.70:6883'
entry used by table firewall.policy:policyid '21'
entry used by table firewall.policy:policyid '14'
entry used by table firewall.policy:policyid '19'
In this example, the interface has dependent objects, including four address objects, one
VIP, and three firewall policies.
Flow trace
To trace the flow of packets through the FortiGate unit, use the command
diagnose debug flow trace start
Follow the packet flow by setting a flow filter using the command:
diagnose debug flow filter <option>
Filtering options include:
addr IP address
clear clear filter
daddr destination IP address
dport destination port
negate inverse filter
port port
proto protocol number
saddr source IP address
v2 FortiGate Fundamentals
01-420-99686-20101026 255
http://docs.fortinet.com/ • Feedback
Traffic trace Troubleshooting
Sample output
This an example shows the flow trace for the device at the IP address 203.160.224.97.
diag debug enable
diag debug flow filter addr 203.160.224.97
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 100
v2 FortiGate Fundamentals
256 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Troubleshooting Traffic trace
v2 FortiGate Fundamentals
01-420-99686-20101026 257
http://docs.fortinet.com/ • Feedback
Packet sniffer Troubleshooting
Packet sniffer
The packet sniffer in the FortiGate unit can sniff traffic on a specific Interface or on all
Interfaces. There are 3 different Level of Information, a.k.a. Verbose Levels 1 to 3, where
verbose 1 shows less information and verbose 3 shows the most information.
Verbose levels in detail:
• 1Print header of packets
• 2Print header and data from the IP header of the packets
• 3Print header and data from the Ethernet header of the packets
• 4Print header of packets with interface name
• 5Print header and data from IP of packets with interface name
• 6Print header and data from ethernet of packets with interface
All Packet sniffing commands are in the format:
diagnose sniffer packet <interface> <'filter'> <verbose> <count>
... where...
<interface> can be an Interface name or “any” for all Interfaces. An interface can be
physical, VLAN, IPsec interface, Link aggregated or redundant.
<verbose> the level of verbosity as described above.
<count> the number of packets the sniffer reads before stopping.
<'filter'> is a very powerful filter functionality which will be described below.
v2 FortiGate Fundamentals
258 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Troubleshooting Packet sniffer
With information level set to verbose 1, the source and destination IP address is visible, as
well as source and destination port. The corresponding Sequence numbers is also visible.
Note: If you do not enter a <count> value, for example as above, 3, the sniffer will
continue to run until you stop it.
v2 FortiGate Fundamentals
01-420-99686-20101026 259
http://docs.fortinet.com/ • Feedback
Packet sniffer Troubleshooting
diagnose sniffer packet internal 'src host 192.168.0.130 and dst host
192.168.0.1 and tcp' 1?
The resulting output would be:
192.168.0.130.3569 -> 192.168.0.1.23: syn 1802541497
192.168.0.1.23 -> 192.168.0.130.3569: syn 4238146022 ack 1802541498
192.168.0.130.3569 -> 192.168.0.1.23: ack 4238146023
Though ICMP (ping) was also running, the trace only shows the TCP part. The destination
IP is 192.168.0.1.23, which is IP 192.168.0.1 on port 23 - a Telnet session.
v2 FortiGate Fundamentals
260 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Configuration Examples
This section describes small parcels of configurations on the FortiGate unit. The
configurations involve practical setups of various features within FortiOS that you can use
to apply to your network.
This chapter is also dynamic, in that it will continue to evolve and grow as configurations
are considered, tested and added.
The examples in this section include
• Exempted URLs
Exempted URLs
With FortiGuard categories, you only need to select the particular categories you wish to
block. However, within those categories, there may be specific sites you still need or want
to access, or certain sites include sub-sites which cause blocks where you don’t need
them. For example, a particular web site may have advertising on it, and you have
enabled blocking of web ads. As such, the web site you want to visit is blocked.
By adding exempted URLs, you can include the site you want to visit to allow it to be
viewed. This is done through the use of local categories and local ratings. This example
describes the steps to create local ratings and local categories.
This configuration involves three steps:
• Create a local category
• Add the URLs to the category
• Enable and set the option for the category in the web filter profile.
To add web filter URLs for the local category - web-based manager
1 Go to UTM > Web Filter > Local Ratings.
v2 FortiGate Fundamentals
01-420-99686-20101026 261
http://docs.fortinet.com/ • Feedback
Exempted URLs Configuration Examples
Test it
Go to the web site that before was blocked. It will now be available, while others within the
FortiGuard category are not.
v2 FortiGate Fundamentals
262 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office
Network Protection
This document describes an example network and firewall configuration for a
small office-home office (SOHO) or a small- to medium-sized business (SMB).
SOHO and SMB networks, in this case, refer to
• small offices
• home offices
• broadband telecommuter sites or large remote access populations
• branch offices (small- to medium-sized)
• retail stores
Note: IP addresses and domain names used in this document are examples and are not valid
outside of this example.
v2 FortiGate Fundamentals
01-420-99686-20101026 263
http://docs.fortinet.com/ • Feedback
Example small office network Concept Example: Small Office Network Protection
Topology
Figure 28 shows the The Example Corporation network configuration after installation of
the FortiGate-100A.
v2 FortiGate Fundamentals
264 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Example small office network
VPN nel
Tun Tun
21 2
90 1
VPN
2
n
8. er
2
8. er
.1
el
.1
16 Us
16 Us
2. e
2. e
19 om
19 om
H
H 17 Exte
2.2 rn
0.1 al
20
.14
1
D
al 1 0 MZ
ern .1 .20
Int 1.10 .10
.1
.1
10
F 1 1.
in 1 1
10 0.1
an .1 01
.
ce 01 .2
1
U 10
se -
. 0
rs
.3 r
10 ve
0. er
.2 S
10 eb
W
.2 er
E 10 .11
ng .1 .
H 0. .11
10 rv
el 11 .1
0. e
in 1. 10
.2 il S
p .1 0
1 0
ee 10 1.
D 0 1.
10
10 ma
rin 1. 10
es 1 5
1
g 51 0
k .21 0
E
U -
U -
se
se
rs
rs
v2 FortiGate Fundamentals
01-420-99686-20101026 265
http://docs.fortinet.com/ • Feedback
First steps Concept Example: Small Office Network Protection
First steps
First steps includes creating a network plan and configuring the basic FortiGate settings.
• Configuring FortiGate network interfaces
• Adding the default route
• Removing the default firewall policy
• Configuring DNS forwarding
• Setting the time and date
• Registering the FortiGate unit
• Scheduling automatic antivirus and attack definition updates
• Configuring administrative access and passwords
v2 FortiGate Fundamentals
266 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection First steps
wan1 HTTPS for remote access to the web-based manager from the Internet.
dmz1 PING access for troubleshooting.
3 Select OK.
4 Select the wan1 interface row and select Edit:
5 Select OK.
6 Select the dmz1 interface row and select Edit:
7 Select OK.
v2 FortiGate Fundamentals
01-420-99686-20101026 267
http://docs.fortinet.com/ • Feedback
First steps Concept Example: Small Office Network Protection
3 Select OK.
3 Select OK
v2 FortiGate Fundamentals
268 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection First steps
v2 FortiGate Fundamentals
01-420-99686-20101026 269
http://docs.fortinet.com/ • Feedback
First steps Concept Example: Small Office Network Protection
To check server access and enable daily and push updates - web-based manager
1 Go to System > Maintenance > FortiGuard.
2 Expand the Antivirus and IPS Options blue arrow.
3 Select Allow Push Update.
4 Select Scheduled Update.
5 Select Daily and select 5 for the hour.
6 Select Apply.
Note: If you want to set the update time to something other than the top of the hour, you
must use the CLI command.
To check server access and enable daily and push updates - CLI
config system autoupdate push-update
set status enable
end
config system autoupdate schedule
set frequency daily
set status enable
set time 05:30
end
v2 FortiGate Fundamentals
270 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection First steps
Administrator admin_2
Password <psswrd>
Confirm Password <psswrd>
Trusted Host #1 10.11.101.60 / 255.255.255.255 (administrator’s computer)
Trusted Host #2 10.11.101.51 / 255.255.255.255 (lab computer)
Access Profile admin_monitor
8 Select OK.
v2 FortiGate Fundamentals
01-420-99686-20101026 271
http://docs.fortinet.com/ • Feedback
Configuring settings for Finance and Engineering departments Concept Example: Small Office Network Protection
3 Select OK.
4 Repeat to add an address called Eng with the IP Range 10.11.101.51–10.11.101.99.
v2 FortiGate Fundamentals
272 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring settings for Finance and Engineering departments
Note: Enabling cache means web site ratings are stored in memory so that the FortiGuard
server need not be contacted each time an often-accessed site is requested.
v2 FortiGate Fundamentals
01-420-99686-20101026 273
http://docs.fortinet.com/ • Feedback
Configuring settings for Finance and Engineering departments Concept Example: Small Office Network Protection
Note: Marking email as spam allows end-users to create custom filters to block tagged
spam using the keyword.
v2 FortiGate Fundamentals
274 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring settings for Finance and Engineering departments
end
config ftp
set options scan
end
config imap
set options scan
end
config pop3
set options scan
end
config smtp
set options scan
end
end
v2 FortiGate Fundamentals
01-420-99686-20101026 275
http://docs.fortinet.com/ • Feedback
Configuring settings for Finance and Engineering departments Concept Example: Small Office Network Protection
end
end
Note: The following policy is an internal to wan1 policy which uses the standard_profile
protection profile to provide antivirus, web category blocking, and FortiGuard spam
filtering.
v2 FortiGate Fundamentals
276 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring settings for the Help Desk department
v2 FortiGate Fundamentals
01-420-99686-20101026 277
http://docs.fortinet.com/ • Feedback
Configuring settings for the Help Desk department Concept Example: Small Office Network Protection
Goals
• Provide complete control of web access. Tasks include:
• Adding the Help Desk department address
• Creating and Configuring URL filters
• Enable greater access at certain times. Tasks include:
• Creating a recurring schedule
• Control traffic and maintain security. Tasks include:
• Configuring firewall policies for help desk
3 Select OK.
v2 FortiGate Fundamentals
278 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring settings for the Help Desk department
URL .*
Type Regex
Action Block
5 Select Enable.
6 Select OK.
This pattern blocks all web sites.
Note: The edit command will only accept a number. Type edit ? for a list of URL filter
lists and their corresponding number
URL www.example.com
Type Simple
Action Exempt
5 Select Enable.
6 Select OK.
7 Repeat for each of the following URLs:
• intranet.example.com
• www.dictionary.com
• www.ExampleReferenceSite.com
v2 FortiGate Fundamentals
01-420-99686-20101026 279
http://docs.fortinet.com/ • Feedback
Configuring settings for the Help Desk department Concept Example: Small Office Network Protection
v2 FortiGate Fundamentals
280 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring settings for the Help Desk department
Note: The move command will only accept a number. Type move ? for a list of URL filter
lists and their corresponding numbers.
v2 FortiGate Fundamentals
01-420-99686-20101026 281
http://docs.fortinet.com/ • Feedback
Configuring settings for the Help Desk department Concept Example: Small Office Network Protection
To create and insert a policy for the help desk - web-based manager
1 Go to Firewall > Policy > Policy.
2 Expand the internal -> wan1 entry and select the Insert Policy before icon beside
policy 1.
3 Enter or select the following settings:
v2 FortiGate Fundamentals
282 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring settings for the Help Desk department
Note: The FortiGate unit checks for matching policies in the order they appear in the list
(not by policy ID number). For the ‘lunch’ policy to work, it must go before the policy using
the help-desk protection profile (above).
v2 FortiGate Fundamentals
01-420-99686-20101026 283
http://docs.fortinet.com/ • Feedback
Configuring remote access VPN tunnels Concept Example: Small Office Network Protection
v2 FortiGate Fundamentals
284 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring remote access VPN tunnels
5 Select OK.
Name Home1 (The name for the peer that connects to the The Example
Corporation network.)
Remote Gateway Static IP Address
IP Address 220.100.65.98
Local Interface wan1
Mode Main (ID protection)
Note: The VPN peers must use the same mode.
Authentication Preshared Key
Method
v2 FortiGate Fundamentals
01-420-99686-20101026 285
http://docs.fortinet.com/ • Feedback
Configuring remote access VPN tunnels Concept Example: Small Office Network Protection
Name Home2 (The name for the peer that connects to the The Example
Corporation network.)
Remote Gateway Dynamic DNS
Dynamic DNS example.net
Local Interface wan1
Mode Main (ID protection)
Note: The VPN peers must use the same mode.
Authentication Preshared Key
Method
Pre-shared Key GT3wlf76FKN5f43U
Note: The key must contain at least 6 printable characters and should only
be known by network administrators. For optimum protection against
currently known attacks, the key should consist of a minimum of 16
randomly chosen alphanumeric characters. The VPN peers must use the
same preshared key.
Peer options Accept any peer ID
7 Select OK.
Note: Both ends (peers) of the VPN tunnel must use the same mode and authentication
method.
v2 FortiGate Fundamentals
286 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring remote access VPN tunnels
Name Home1_Tunnel
Phase 1 Home1
4 Select OK.
5 Select Create Phase 2.
6 Enter or select the following settings:
Name Home2_Tunnel
Phase 1 Home2
7 Select OK.
v2 FortiGate Fundamentals
01-420-99686-20101026 287
http://docs.fortinet.com/ • Feedback
Configuring remote access VPN tunnels Concept Example: Small Office Network Protection
v2 FortiGate Fundamentals
288 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring the web server
Note: The specific configuration given in this example will only function with licensed copies
of the FortiClient software. The default encryption and authentication types on the FortiGate
unit are not available on the FortiClient Demo software.
5 Select OK.
6 Repeat on Home_User_2’s computer for Home_User_2.
v2 FortiGate Fundamentals
01-420-99686-20101026 289
http://docs.fortinet.com/ • Feedback
Configuring the web server Concept Example: Small Office Network Protection
Name Web_Server_VIP
External Interface wan1
Type Static NAT
External IP Address/ Range 172.20.120.141
Mapped IP Address/ Range 10.20.10.3
3 Select OK.
3 Select OK.
v2 FortiGate Fundamentals
290 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring the web server
v2 FortiGate Fundamentals
01-420-99686-20101026 291
http://docs.fortinet.com/ • Feedback
Configuring the web server Concept Example: Small Office Network Protection
3 Select OK.
To add a policy for web master access to the web server - web-based manager
1 Go to Firewall > Policy.
2 Select Create New and enter or select the following settings:
v2 FortiGate Fundamentals
292 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Configuring the email server
To add a policy for web master access to the web server - CLI
config firewall policy
edit 8
set action accept
set dstaddr Web_Server
set dstintf dmz1
set schedule always
set service FTP
set srcaddr Web_Master_J
set srcintf internal
set utm-status enable
set profile-protocol-options default
set av-profile standard_profile
set ips-sensor all_default
set webfilter-profile standard_profile
set spamfilter-profile standard_profile
end
Name Email_Server_VIP
External Interface wan1
Type Static NAT
External IP Address/ Range 172.20.120.141
Mapped IP address/ Range 10.20.10.2
3 Select OK.
v2 FortiGate Fundamentals
01-420-99686-20101026 293
http://docs.fortinet.com/ • Feedback
Adding the email server address Concept Example: Small Office Network Protection
3 Select OK.
v2 FortiGate Fundamentals
294 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection Adding the email server address
v2 FortiGate Fundamentals
01-420-99686-20101026 295
http://docs.fortinet.com/ • Feedback
Adding the email server address Concept Example: Small Office Network Protection
v2 FortiGate Fundamentals
296 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Small Office Network Protection ISP web site and email hosting
v2 FortiGate Fundamentals
01-420-99686-20101026 297
http://docs.fortinet.com/ • Feedback
The Example Corporation internal network configuration Concept Example: Small Office Network Protection
• no need to create policies for external access to the web or email servers
• add an internal -> wan1 firewall policy for the web master to upload web site updates
via FTP
• add an internal -> wan1 POP3 firewall policy so that users can use POP3 to download
email
• add an internal -> wan1 SMTP firewall policy so that users can use SMTP to send
email
v2 FortiGate Fundamentals
298 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network
Protection
Located in a large city, the library system is anchored by a main downtown location
serving most of the population, with a dozen branches spread throughout the city. Each
branch is wired to the Internet but none are linked with each other by dedicated
connections.
v2 FortiGate Fundamentals
01-420-99686-20101026 299
http://docs.fortinet.com/ • Feedback
Current topology and security concerns Concept Example: Library Network Protection
P
ub
lic
te
rm
B
in
ra
al
nc
s
Fir
h
st
ew
af
all
f
C
at
al
og
ac Main office configuration
ce
ss
te
rm
Fir
in
ew
al
s
al l
DM
s s
al es
Z
in cc
rm a
te log
a
at
C
rv log
se ta
er
M
a
P
ai
er C
ub
n
rv b
of
lic
se e
fic
W
te
e
rm
st
in
af
al
f
rv i l
s
se a
er
M
Library requirements
• VPN to secure all traffic between main and branch offices.
• Public wireless Internet access for mobile clients.
• Strict separation of public access terminals from staff computers.
• An automatically maintained and updated system for stopping viruses and intrusions at
the firewall.
• Instant messaging is blocked for public Internet terminals and public wireless access,
but not for staff. Peer-to-peer downloads are blocked network-wide.
• All Internet traffic from branch offices travels securely to the main office and then out
onto the Internet. Inbound traffic follows the reverse route. This allows a single point at
which all protection profiles and policies may be applied for simplified and consistent
management.
• The ability to block specific web sites and whole categories of sites from those using
the public terminals and public wireless access if deemed necessary. Users granted
special permission should be allowed to bypass the restrictions.
• Public access traffic originates from a different address than staff and server traffic.
• DMZ for web and email server hosting in main office.
• The library catalog is available on the library’s web page allowing public access from
anywhere.
• Redundant hardware for main office firewall.
v2 FortiGate Fundamentals
300 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection Current topology and security concerns
• Two FortiGate-800 units for main office. These enterprise-level devices have the
processing power and speed to handle the amount of traffic expected of a large busy
library system with public catalog searches, normal staff use, and on-site research
using the Internet as a resource. The two units are interconnected in HA (high
availability) mode to ensure uninterrupted service in the case of failure. A
FortiWiFi-80CM is also used to provide wireless access for patrons in main office.
• A FortiWiFi-80CM for each branch office. In addition to being able to handle the
amount of traffic expected of a branch office, the FortiWiFi-80CM provides wireless
access for library patrons.
Proposed topology
Figure 30 shows the proposed network topology utilizing the FortiGate units. Only one
branch office is shown in the diagram although more than a dozen are configured in the
same way, including the VPN connection to the main office.
The VPN connections between the branch offices and the main office are a critical feature
securing communication between locations.
The two FortiGate-800 units in HA mode serve as the only point through which traffic flows
between the Internet and the library’s network, including the branch offices. VPN
connections between the main and branch offices provide the means to securely send
data in either direction.
Branch Internet browsing traffic is routed to the main office through the VPN by the
branch’s FortiWiFi-80CM. After reaching the FortiGate-800 at the main office, the traffic
continues out to the Internet. Inbound traffic follows the same path back to the branch
office.
With two FortiGate-800 units in HA mode serving as a single point of contact to the
Internet, only two FortiGuard subscriptions are required to protect the entire network.
Otherwise each branch would also need separate FortiGuard subscription. The
FortiGuard web filtering service can also be configured on the FortiGate-800 units,
ensuring consistent web filtering policies for all locations.
No provision is made for direct communication between branches.
v2 FortiGate Fundamentals
01-420-99686-20101026 301
http://docs.fortinet.com/ • Feedback
Current topology and security concerns Concept Example: Library Network Protection
CM
B .1.
Int
ra 2.
10
80
nc [2
e
Fi-
54 ls
10 rnal
-2 na
h -25
Wi
st 4
Z
]
.[2 mi
.1.
af ]
DM4.1
.4 r
2.1
.1 c te
.1.
10 bli
10
u
P
N2 19 WAN
WA.3.1 2.1 1
. 1 68
10 .23
.8 CM
C
9 80
at
Fi-
al 10
og .1
ac .3.
ce [2- Wi
ss 25
V
P
te 4]
N
rm 00
Tu
19 Exte
in
T-8 er rt4
n
a
ne
ls
2.1 rm FG lust Po .5.1
-2 als
68 al C 00
]
.[2 in
54
.14 HA . 1
.4 rm
7.3 10 rt3
00 te
0 Po .4.1
.1 lic
0
10 ub
.10
P
1 0
rt2
Po .3.1 DM
10 Z
. 1 00 al .10
10 ern 1 0.1
Int 0.2. .1
.10
10
.1 rv log
10 se a
2
00 er
at
.1
C
.1
M .1
ai 00
10
n .2
Ca
of .[
tal
fic 2-
.1 rv il
10 se a
10. og ac
1
00 er
e 25
.1
st 4]
.1
af
100 ces
f
.3.[ s te
2-2 rm
.1 rv b
10 se e
54] ina
0
00 er
W
.1
ls
.1
Main office configuration
Table 11 on page 302 details the allowed connectivity between different parts of the
network.
Connecting to:
Branch Catalog access
Branch Public Access
Internet Access
Catalog Server
Main Catalog
Branch Staff
Web Server
Mail Server
Main Staff
v2 FortiGate Fundamentals
302 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection Current topology and security concerns
Network addressing
The IP addresses used on the library’s internal network follow a 10.x.y.z structure with a
255.255.255.0 subnet mask, where:
• x is the branch number. The main office uses 100 while the branches are assigned
numbers starting with 1
v2 FortiGate Fundamentals
01-420-99686-20101026 303
http://docs.fortinet.com/ • Feedback
Configuring the main office Concept Example: Library Network Protection
Figure 31: IP address ranges are assigned names, and the names combined into address
groups.
The address names defined on the FortiGate-800 for Branch 1 traffic are Branch_1_Staff
(10.1.2.2-10.1.2.254), Branch_1_Catalog (10.1.3.2-10.1.3.254), Branch_1_Public
(10.1.4.2-10.1.4.254), and Branch_1_WiFi (10.1.5.2-10.1.5.254). Four address groups will
be created incorporating each type of address name from all the branches: Branch_Staff,
Branch_Catalog, Branch_Public, and Branch_WiFi.
At the main office, additional address names are configured for the web server
(Web_Server) and for the web and email servers combined (Servers).
Address names are configured in Firewall > Address > Address.
Address groups are configured in Firewall > Address > Group.
v2 FortiGate Fundamentals
304 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection Configuring the main office
Topology
The main office network layout is designed to keep the various parts of the network
separate. Computers on different segments of the network cannot contact each other
unless a FortiGate policy is created to allow the connection. Public terminals can access
the library’s web server for example, but they cannot access any machines belonging to
staff members. See Table 11 on page 302 for details on permitted access between
different parts of the library network.
Staff computers, email and web servers, public access terminals, and WiFi connected
systems are all protected by the FortiGuard service on the FortiGate-800 cluster. Push
updates ensure the FortiGate unit is up to date and prepared to block viruses, worms,
spyware, and attacks.
CM
- 80
W iFi
V
P
N
00
Tu
-2 als
68 al C 0
.10 t3
]
.[2 in
54
.14 HA
.4 rm
7.3 10 r
00 te
0 Po .4.1
.1 lic
0
10 ub
.1 0
P
rt2 10
Po .3.1 D
10 MZ
0 al
.10 .10
10 ern 1 0.1
Int 0.2. .1
.10
10
.1 rv log
10 se a
2
00 er
at
.1
C
.1
M .1
ai 00
10
n .2
Ca
of .[
tal
fic 2-
.1 rv il
10 se a
10. og ac
1
00 er
e 25
.1
st 4]
.1
af
100 ces
f
.3.[ s te
2-2 rm
.1 rv b
10 se e
54] ina
0
00 er
W
ls .1
.1
Configuring HA
Connect the cluster units to each other and to your network. You must connect all
matching interfaces in the cluster to the same hub or switch. Then you must connect these
interfaces to their networks using the same hub or switch.
v2 FortiGate Fundamentals
01-420-99686-20101026 305
http://docs.fortinet.com/ • Feedback
Configuring the main office Concept Example: Library Network Protection
Heartbeat
External
192.168.147.30
Port3
10.100.4.1
DMZ Port2
10.100.1.1 10.100.3.1
Internal Port4
10.100.2.1 10.100.5.1
v2 FortiGate Fundamentals
306 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection FortiGuard
Note: All the FortiGate units in a cluster must have unique host names. Default host names
are the device serial numbers so unique names are automatic unless changed. If any
FortiGate device host names have been changed, confirm that there is no duplication in
those to be clustered.
HA is configured in System > Config > HA. For more information about HA, see the
FortiGate HA Overview on the Fortinet Technical Documentation web page.
FortiGuard
Four FortiGate features take advantage of the FortiGuard Service. They are Antivirus,
Intrusion Prevention, Web Filtering, and Antispam
Antivirus and intrusion prevention (IPS) signatures are updated automatically to detect
new attacks and viruses with FortiGuard updates. Virus scanning and IPS are configured
in protection profiles.
FortiGuard Web filtering is enabled and configured in each protection profile. When a web
page is requested, the URL is sent to the FortiGuard service and the category it belongs to
is returned. The FortiGate unit checks the FortiGuard Web Filtering settings and allows or
blocks the web page. The FortiGuard Web Filtering is configured in protection profiles.
FortiGuard Antispam is also enabled or disabled in each protection profile. The FortiGuard
service is consulted on whether each message in question is spam, and the FortiGate acts
accordingly. There are a number of ways to check a message, and each method can be
enabled or disabled in the protection profile. The Antispam is configured in protection
profiles.
The library network is configured with the FortiGate-800 cluster performing all virus
scanning, spam filtering, and FortiGuard web filtering. The settings defining how the
FortiGuard Distribution Network is contacted are configured in System > Maintenance >
FortiGuard.
v2 FortiGate Fundamentals
01-420-99686-20101026 307
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
IPsec VPN
The main office serves as a hub for the VPN connections from the branch offices. To make
the generation and maintenance of the required policies simpler, interface-mode VPNs will
be used. Interface-mode VPNs are configured largely the same as tunnel-mode VPNs, but
the way they’re use differs significantly. Interface-mode VPNs appear as network
interfaces, like the DMZ, port2, and external network interfaces.
Network topology is easier to visualize because you no longer have a single interface
sending and receiving both encrypted VPN traffic and unencrypted regular traffic. Instead,
the physical interface handles the regular traffic, and the VPN interface handles the
encrypted traffic. Further, policies no longer need to specify whether traffic is IPsec
encrypted. If traffic is directed to a VPN interface, the FortiGate unit knows it is to be
encrypted.
Interface-mode VPNs are used in this configuration because they will require far fewer
policies. Policies for tunnel-mode VPNs require selection of a tunnel in the policy. Many
tunnels can connect to a single physical interface, so the policy needs to know what traffic
it is responsible for.
Since interface-mode VPNs are used as any other network interface, they can be
collected into a zone and treated as a single entity. Addressing names and groups
differentiate what type of user is generating the traffic, so what tunnel it comes out of isn’t
important in the library’s configuration. All branch offices are treated the same.
For example, using tunnel-mode VPNs, 12 branches would require twelve policies to allow
employees to connect directly to the email and web servers. The branch 1 policy would
allow the IP range defined for staff coming from the branch 1 tunnel access to the DMZ. A
second policy would allow the IP range defined for staff coming from the branch 2 tunnel
access to the DMZ, and so on. Since the tunnel must be specified, there must be one
policy for each tunnel, and this is just for branch staff to DMZ traffic. In the library’s network
configuration, there are nine traffic type/destination combinations using the VPN. This
would require 108 policies for 12 branches.
To simplify things we instead give names to the address ranges based on use and
location. IP address range 10.1.2.[2-255] is named Branch 1 Staff and 10.2.2.[2-255] is
named Branch 2 Staff. The same procedure is followed for the remainder of the branches
and all the resulting branch staff names are put into an address group called Branch Staff.
All branch staff computers can be referenced with a single name. Similarly, after all the
branch VPNs are created and named Branch 1, Branch 2, etc., they can be combined into
a single zone named Branches.
From here, it’s a simple matter to configure a single policy to handle staff traffic from all
branches to the email and web servers located on the main office DMZ rather than a policy
for each branch office. Should any branch require special treatment, its VPN interface can
be removed from the zone and separate policies tailored to it.
v2 FortiGate Fundamentals
308 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection IPsec VPN
Note: The preshared key is a string of alphanumeric characters and should be unique for
each branch. The preshared key entered at each end of the VPN connection must be
identical.
IP Pools
IP Pools allow the traffic leaving an interface to use an IP address different than the one
assigned to the interface itself. One use of IP pools is if the users receive a type of traffic
that cannot be mapped to different ports.Without IP pools, only one user at a time could
send and receive these traffic types.
In the library’s case, a single IP address will be put into an IP pool named
Public_Access_Address. All of the policies that allow traffic from the public access
terminals (including the WiFi access point) will be configured to use this IP pool. The result
is that any traffic from the public access terminals will appear to be coming from the IP
pool address rather than the external interface’s IP address. This is true even though the
public access traffic will flow out of the external interface.
v2 FortiGate Fundamentals
01-420-99686-20101026 309
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
The purpose is to separate the public access users from the library staff from the point of
view of the Internet at large. Should a library patron abuse the Internet connection by
sending spam or attempting to unlawfully access to a system out on the Internet, any
action taken against the source IP will not inconvenience staff. The library can continue to
function normally while the problem is dealt with.
Configuring IP pools
To add a new IP pool for public access users - web-based manager
1 Go to Firewall > Virtual IP > IP Pool and select Create New.
2 Enter Public_Access_Address for the Name.
3 In the IP Range/Subnet field, enter 192.168.230.64. This address was obtained
from the library’s Internet service provider.
4 Select OK.
Note: Although IP pools are usually created with a range of addresses, an IP pool with a
single address is valid.
User Disclaimer
When using the public terminals or wireless access, the first time a web page external to
the library’s network is requested, a disclaimer will pop up. This is configured in policies
controlling access to the Internet. The user must agree to the stated conditions before they
can continue.
v2 FortiGate Fundamentals
310 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection IPsec VPN
The enabling this feature will be detailed in the policy configuration steps.
Protection Profiles
Policies control whether traffic flowing through a FortiGate unit from a given source is
allows to travel to a given destination. UTM profiles are selected in each policy and define
how the traffic is examined and what action may be taken based on the results of the
examination. But before they can be selected in a policy, UTM profiles have to be defined.
A brief overview is given for a typical protection profile, and the information required for all
protection profiles, in this example, follows in table form. For complete policy construction
steps, see the FortiGate Administration Guide.
UTM profiles are grouped based on the type of network threat, and added as needed to a
given firewall policy. UTM profiles include:
• AntiVirus
• Protocol Options
• Intrusion Protection
• Web Filter
• Email Filter (antispam)
• Data Leak Prevention
• Application Control
• VoIP
The following tables provide all the settings of all four UTM profiles used in the library
network example. Each table focuses on one section of the specific UTM profile settings.
Note: The settings in the tables listed below are for the library example only. For complete
UTM profile information see the FortiGate Administration Guide.
In this example, if a setting is to be left in the default setting, it is not expanded in the tables
below.
The comment field is optional, but recommended. With many profiles, the comment can
be invaluable in quickly identifying profiles.
v2 FortiGate Fundamentals
01-420-99686-20101026 311
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
Note: The FortiGate unit must have either an internal hard drive or a configured
FortiAnalyzer unit for the Quarantine option to appear.
v2 FortiGate Fundamentals
312 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection IPsec VPN
*The Public protection profile has FortiGuard web filtering enabled and set to block
advertising, malware, and spyware categories. Additional categories can be blocked if
required by library policy.
Email is not scanned for spam using the Public protection profile. Users of the public
access terminals will use their own webmail accounts if checking mail, and WiFi
connected users will have their own spam solutions, if desired.
You can create your own IPS sensors by going to Intrusion Protection > Signature > IPS
Sensor. The IPS option does not select denial of service (DoS) sensors. For more
information, see the FortiGate Administration Guide.
v2 FortiGate Fundamentals
01-420-99686-20101026 313
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
Staff employees are permitted to use instant messaging while public access users are not.
All users have peer to peer clients blocked.
Staff access
Staff members can access the Internet as well as directly connect to the library web and
email servers.
Since the network uses private addresses and has no internal DNS server, connections to
the web and email servers must be specified by IP address. The private network address
will keep all communication between the server and email client on the local network and
secure against interception on the Internet.
If a staff member attempts to open the library web page or connect to the email server
using either server’s virtual IP or fully qualified domain name, their request goes out over
the Internet, and returns through the FortiGate unit. This method will make their
transmission vulnerable to interception.
The web browsers on staff computers will be configured with the library web page as the
default start page. Staff members’ email software should be configured to use the email
server’s private network IP address rather than the virtual IP or fully qualified domain
name. These two steps will prevent staff from having to remember the servers’ IP
addresses.
v2 FortiGate Fundamentals
314 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection IPsec VPN
Main office staff Main office staff Branch office Branch office
connect to the connect to library staff connect to staff connect to
Internet servers the Internet library servers
Source Internal Internal Branches Branches
Interface/Zone
Source All All Branch_Staff Branch_Staff
Address
Destination External DMZ External DMZ
Interface/Zone
Destination All Servers All Servers
Address
Schedule Always Always Always Always
Service All All All All
Action Accept Accept Accept Accept
NAT Enable Enable Enable Enable
UTM Profiles Enable and select Enable and select Enable and select Enable and
(all configured) Staff Staff Staff select Staff
Log Allowed Enable Enable Enable Enable
Traffic
Authentication Disable Disable Disable Disable
Traffic Shaping Disable Disable Disable Disable
User Disable Disable Disable Disable
Authentication
Disclaimer
Comment Main office: staff Main office: staff Branch offices: Branch offices:
(optional) computers computers staff computers staff computers
connecting to the connecting to the connecting to the connecting to the
Internet. library servers. Internet. library servers.
v2 FortiGate Fundamentals
01-420-99686-20101026 315
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
Catalog terminals
Dedicated computers are provided for the public to search the library catalog. The only
application available on the catalog terminals is a web browser, and the only site the
catalog terminal web browser can access is the library web page, which includes access
to the catalog. The browser is configured to use the library web server’s private network
address as the start page.
v2 FortiGate Fundamentals
316 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection IPsec VPN
v2 FortiGate Fundamentals
01-420-99686-20101026 317
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
Wireless access
Wireless access allow library visitors to browse the Internet from their own WiFi-enabled
laptops. The same protection profile is applied to WiFi access as is used with the Public
terminals so IM and P2P are blocked, and all the same FortiGuard web blocking is
applied.
Security considerations
The wireless interface of the FortiWiFi-80CM will have its DHCP server assign IP
addresses to users wanting to connect to the Internet. The FortiWiFi-80CM will also have
its SSID broadcast and set to ‘library’ or something similarly identifiable. Stricter security
would be of limited value because anyone could request and receive access. Also, library
staff would spend significant time serving as technical support to patrons not entirely
familiar with their own equipment. Instead, the firewall policy applied to wireless access
will limit Internet connectivity to the main office’s business hours.This decision will be
reviewed periodically, especially if public access is abused.
Wireless security is configured in System > Wireless > Settings.
The number of concurrent wireless users can be adjusted by reducing or expanding the
range of addresses the DHCP server on the WiFi port has available to assign. Using this
means of limiting users is only partially effective because some users may set a static
address in the same subnet and gain access. To prevent this, configure the IP range
specified in the address name used in the policy to have the same range the DHCP server
assigns. Users can still set a static IP, but the policy will not allow any access.
The wireless DHCP server is configured in System > Network > Interface. Select the edit
icon for the wlan interface.
Because of the varying library hours through the week, three separate schedules are
required.
v2 FortiGate Fundamentals
318 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection IPsec VPN
v2 FortiGate Fundamentals
01-420-99686-20101026 319
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
To facilitate easier firewall policy creation for the wifi policies, these policies created above
can be added to a schedule group, thereby having to make one policy with the schedule
group rather than three separate policies.
v2 FortiGate Fundamentals
320 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection IPsec VPN
Two branch office WiFi access policies are required. One incorporates the schedules to
cover the entire week and only allow access while the library is open to the public. The
fourth policy allows access to the library web server.
The settings required for all branch office WiFi terminal policies in this example are
provided in Table 24 on page 321.
v2 FortiGate Fundamentals
01-420-99686-20101026 321
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
v2 FortiGate Fundamentals
322 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection IPsec VPN
v2 FortiGate Fundamentals
01-420-99686-20101026 323
http://docs.fortinet.com/ • Feedback
IPsec VPN Concept Example: Library Network Protection
The FortiWiFi-80CM
In the main office network, the FortiWiFi-80CM is used to provide WiFi access to main
library patrons with their own WiFi-capable laptops, and as a connection point to all the
main office public access terminals. Since all the policies and protection profiles are
configured on the FortiGate-800 cluster, the FortiWiFi-80CM only has to pass the traffic
along. For this reason, the FortiWiFi-80CM configuration is not complex.
v2 FortiGate Fundamentals
324 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection Configuring branch offices
WiFi
Source Interface/Zone Wlan
Source Address All
Destination Interface/Zone Wan1
Destination Address All
Schedule Always
Service All
Action Accept
UTM Profiles Disable
Log Allowed Traffic Disable
Authentication Disable
Traffic Shaping Disable
User Authentication Disclaimer Disable
Comments (optional) WiFi users connected to the main office FortiWiFi-80CM
Although the WiFi policy allows access at all times, the policies on the FortiGate-800
cluster restrict Internet access to library business hours.
Topology
The branch network layout is designed to keep the various parts of the network separate.
The staff computers and public terminals are connected to different network interfaces on
the FortiGate, and those interfaces are configured to not allow direct connections between
them. See Table 11 on page 302 for details on permitted access between different network
areas.
Staff computers, email and web servers, public access terminals, WiFi connected systems
are all protected by the FortiGuard service subscription on the FortiGate-800 cluster at the
main branch.
v2 FortiGate Fundamentals
01-420-99686-20101026 325
http://docs.fortinet.com/ • Feedback
Configuring branch offices Concept Example: Library Network Protection
Branch configuration
(only one branch shown)
B .1.
C
ra 2.
10 Int -80
nc [2
54 ls
ern i
-2 na
h -25
10 al Wi F
st 4
Z
]
.[2 mi
af ]
DM4.1
.4 r
.1.
.1 c te
2.1
.1.
10 bli
10
u
P
N2 19 WAN
WA.3.1 2 .1 1
.1 68
10 .23
.89
C
at
al 10
og .1
ac .3.
ce [2-
ss 25
V
P
te 4]
N
rm
Tu
in
n
a
ne
ls
l
Staff access
All staff traffic is routed through the VPN to the main branch. Requests for the email or
web servers are routed to the main office DMZ while general Internet traffic is sent to the
main office then out of the library network to the Internet.
Catalog terminals
Dedicated computers are provided for library patrons to search for books and periodicals
in the library’s catalog. The catalog computers are configured so the only application
available is a web browser, and the only site it can access is the library web page which
includes access to the catalog. Requests are routed through the VPN to the web server in
the library’s main office.
Wireless/public access
Public access terminals and wireless access allow library patrons to access the Internet.
Profile settings deny all instant messaging and peer to peer connections. Also, main
branch library staff can block individual sites and entire site categories as deemed
necessary using FortiGuard web filtering.
v2 FortiGate Fundamentals
326 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection Configuring branch offices
IPsec VPN
Each branch will have a VPN connection to the main office.
To create the Phase 1 portion of the VPN to the main office - web-based manager
1 Go to VPN > IPsec > Auto Key (IKE) and Select Create Phase 1.
2 In the Name field, enter Main_Office.
3 Select Static IP for Remote Gateway.
4 Enter 192.168.147.30 in the IP Address field.
5 Select WAN1 for the Local Interface.
6 Select Main (ID Protection) for the Mode.
7 Select Preshared Key as the Authentication Method and enter the key in the Preshared
Key field.
8 Select Advanced and select Enable IPsec Interface Mode.
9 Select OK.
To create the Phase 1 portion of the VPN to the main office - CLI
config vpn ipsec phase1
edit Main_Office
set remote-qw 192.168.147.30
set interface WAN1
set mode main
set psksecret ########
end
Note: The preshared key is a string of alphanumeric characters and should be unique for
each branch. The preshared key entered at each end of the VPN connection must be
identical.
To create the Phase 2 portion of the VPN to the main office - web-based manager
1 Select Create Phase 2.
2 Enter Branch 1 to Main_Office in the Name field.
3 Select Main_Office from the Phase 1 drop down.
4 Select OK.
To create the Phase 2 portion of the VPN to the main office - CLI
config vpn ipsec phase2
edit Main_Office
set phase1name Main_Office
end
The configuration steps to create the VPN tunnel have to be repeated for each branch
office to be connected in this way. Additional branches use the same Phase 1 settings
except for Name, IP Address, and Preshared Key.
v2 FortiGate Fundamentals
01-420-99686-20101026 327
http://docs.fortinet.com/ • Feedback
Traffic shaping Concept Example: Library Network Protection
Branch policy
Source Interface/Zone Inside_Zone
Source Address All
Destination Interface/Zone Main_Office
Destination Address All
Schedule Always
Service All
Action Accept
UTM Profiles Disable
Log Allowed Traffic Disable
Authentication Disable
Traffic Shaping Disable
User Authentication Disable
Disclaimer
Comments (optional) Policy to allow branch traffic to
main office.
Traffic shaping
Traffic shaping regulates and prioritizes traffic flow. Guaranteed bandwidth allows a
minimum bandwidth to be reserved for traffic controlled by a policy. Similarly, maximum
bandwidth caps the rate of traffic controlled by the policy. Finally, the traffic controlled by a
policy can be assigned a high, medium or low priority. If there is not enough bandwidth to
transmit all traffic, high priority traffic is processed before medium priority traffic, and
medium before low priority traffic.
Traffic shaping limits are applied only to traffic controlled by the policy they're applied to. If
you do not apply any traffic shaping rules to a policy, the policy is set to high priority by
default. Because of this, traffic shaping is of extremely limited use if applied to some
policies and not others. Enable traffic shaping on all firewall policies.
Because guaranteed bandwidth and maximum bandwidth settings are entirely dependant
on the maximum bandwidth available, the current traffic, and the relative priority of each
type of traffic, defining exact values for each policy is beyond the scope of this document
and traffic shaping is therefore disabled in the example policies.
v2 FortiGate Fundamentals
328 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Concept Example: Library Network Protection The future
Priorities
Traffic can be assigned high, medium, or low priority depending on importance. Ideally,
traffic will be spread across all three priorities. If all traffic is assigned the same setting,
prioritizing traffic is effectively disabled.
On the library system’s network, there are four types of users accessing two services.
To servers To Internet
From catalog terminals* high
From Internet† high
From public terminals/WiFi* high low
From staff* high medium
* includes both branch and main office traffic
† includes both inbound and outbound mail server connections
On the library system’s network, the most important traffic is to and from the web and mail
servers. Locating research materials in the library’s collection is extremely difficult without
a working catalog. Email is important to staff members as they maintain important
communication using it.
Staff access to the Internet is of medium priority. Although staff members do need Internet
access, it’s rarely as time-critical as catalog access and email.
Public access to the Internet (both from provided terminals and WiFi connections) are of
the lowest priority.
Although most traffic appears to be of high importance, the most bandwidth is consumed
by Internet access, partly by staff but mostly by the public terminals/WiFi.
With this in mind, a maximum bandwidth value can also be set to limit the bandwidth
consumed by traffic controlled by the public policies. Since the rate entered for maximum
bandwidth applies only to the traffic the policy controls, care has to be taken because
public access traffic is controlled by four policies at any given time. There are branch and
main office policies for public terminals and WiFi connections. The maximum bandwidth
specified in each policy doesn’t take into account any of the others. If you wanted to limit
all public access to the Internet to no more than 200KB/s, you have to divide this value
among the four active policies.
The future
In the design of the example library network detailed in this document, decisions were
made about how it should function when initially installed. Assumptions on how the
network will be used may be incorrect, or usage may change over time. The network can
be modified to facilitate changing usage or new requirements. For example:
Logging
Should the library require detailed logging, a FortiAnalyzer unit can be added to the main
office network. The FortiGate-800 cluster could then be configured to send traffic and
event data to the FortiAnalyzer. Detailed reports can be generated to chart network
utilization, Internet use, and attack activity.
Should the library switch to a VoIP telephone system, reports can also be generated on
telephone usage.
v2 FortiGate Fundamentals
01-420-99686-20101026 329
http://docs.fortinet.com/ • Feedback
The future Concept Example: Library Network Protection
Decentralization
If a more decentralized approach is required, Internet access from branch offices could
bypass the main office entirely. Branch FortiGate units would still maintain VPN-encrypted
communication for secure access to the library servers. A FortiManager device would
minimize the administrative effort required to deploy, configure, monitor, and maintain the
security policies across all branch office FortiGate units.
Staff WiFi
The FortiWiFi-80CM supports the creation of virtual WiFi interfaces. If staff members
require WiFi connectivity, a virtual WiFi interface could be created to allow them full
access to staff network resources while maintaining the current limited access provided to
public access users.
Further redundancy
Although the FortiGate-800 cluster ensures minimal downtime with hardware redundancy,
adding another Internet connection from a different ISP can provide connection
redundancy to the main office.
The FortiWiFi-80CM used in the branch offices supports the same High-Availability
clustering as the FortiGate-800 so if needed, the branch offices could enjoy the same HA
protection as the main office without having to upgrade to higher models.
v2 FortiGate Fundamentals
330 01-420-99686-20101026
http://docs.fortinet.com/ • Feedback
Chapter 3 System Administration
FortiExplorer
Included with the FortiGate-60C and FortiWiFi-60C, is FortiExplorer. FortiExplorer is a
Windows-based application that you can use to connect to the FortiGate unit using a USB
cable. FortiExplorer includes a connection wizard to guide you through the basic setup to
configure administrator password, WAN settings, LAN settings, register your unit with
Fortinet. You can also access the web-based manager and the CLI.
FortiExplorer is available on the Tools and Documentation CD included with the
FortiGate-60C or FortiWiFi-60C, and from the Fortinet website at
http://www.fortinet.com/resource_center/product_demos.html.
For information on installing and using FortiExplorer, see the FortiGate-60C or
FortiWiFi-60C QuickStart Guides.
Distance Enter the administrative distance, between 1 and 255 for the default
gateway retrieved from the DHCP server. The administrative distance
specifies the relative priority of a route when there are multiple routes to
the same destination. A lower administrative distance indicates a more
preferred route.
Retrieve default gateway Enable to retrieve a default gateway IP address from the DHCP server.
from server
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP server
instead of the DNS server IP addresses on the DNS page on System >
Network > Options. You should also enable Obtain DNS server address
automatically in System > Network > Options.
4 Select OK.
Note: For more information on DHCP, see “DHCP servers and relays” on page 552.
Username Enter the username for the PPPoE server. This may have been
provided by your Internet Service Provider.
Password Enter the password for the PPPoE server for the above user name.
Unnumbered IP Specify the IP address for the interface. If your Internet Service Provider
has assigned you a block of IP addresses, use one of these IP
addresses. Alternatively, you can use, or borrow, the IP address of a
configured interface on the router. You may need to do this to minimize
the number of unique IP addresses within your network.
If you are borrowing an IP address, remember the interface must be
enabled, and the Ethernet cable connected to the FortiGate unit.
Initial Disc Timeout Initial discovery timeout in seconds. The amount of time to wait before
starting to retry a PPPoE discovery. To disable the discovery timeout,
set the value to 0.
Initial PADT Timeout Initial PPPoE Active Discovery Terminate (PADT) timeout in seconds.
Use this timeout to shut down the PPPoE session if it is idle for this
number of seconds. Your Internet Service Provider must support PADT.
To disable the PADT timeout, set the value to 0.
Distance Enter the administrative distance, between 1 and 255, for the default
gateway retrieved from the DHCP server. The administrative distance
specifies the relative priority of a route when there are multiple routes to
the same destination. A lower administrative distance indicates a more
preferred route.
Retrieve default gateway Enable to retrieve a default gateway IP address from the DHCP server.
from server The default gateway is added to the static routing table.
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP server
instead of the DNS server IP addresses on the DNS page on System >
Network > Options. On FortiGate-100 units and lower, you should also
enable Obtain DNS server address automatically in System > Network >
Options.
4 Select OK.
The FortiGate unit includes default DNS servers. However, these should be changed to
those provided by your Internet Service Provider. The defaults are DNS proxies and are
not as reliable as those from your ISP.
Note: For more information on DNS servers see “FortiGate DNS services” on page 553.
5 Select Apply.
Additional configuration
Once the FortiGate unit is connected and traffic can pass through, several more
configuration options are available. While not mandatory, they will help to ensure better
control with the firewall.
Note: If you choose the option Automatically adjust clock for daylight saving changes, the
system time must be manually adjusted after daylight saving time ends.
Note: The FortiGate unit maintains its internal clock using the built-in battery. At startup, the
time reported by the FortiGate unit will indicate the hardware clock time, which may not be
accurate. When using NTP, the system time might change after the FortiGate has
successfully obtained the time from a configured NTP server.
Configuring FortiGuard
The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). When the
FortiGate unit connects to the FDN, it connects to the nearest FDS. To do this, all
FortiGate units are programmed with a list of FDS addresses sorted by nearest time zone
according to the time zone configured for the FortiGate unit.
Before you can begin receiving updates, you must register your FortiGate unit from the
Fortinet web page. After which, you need to configure the FortiGate unit to connect to the
FortiGuard Distribution Network (FDN) to update the antivirus, antispam and IPS attack
definitions.
Note: Updating antivirus definitions can cause a very short disruption in traffic currently
being scanned while the FortiGate unit applies the new signature database. Schedule
updates when traffic is light, for example overnight, to minimize any disruption.
Passwords
The FortiGate unit ships with a default empty password, that is, there is no password.
You will want to apply a password to prevent anyone from logging into the FortiGate unit
and changing configuration options.
Password considerations
When changing the password, consider the following to ensure better security.
• Do not make passwords that are obvious, such as the company name, administrator
names or other obvious word or phrase.
• Use numbers in place of letters, for example, passw0rd. Alternatively, spell words with
extra letters, for example, password.
• Include a mixture of letters, numbers, and upper and lower case.
• Use multiple words together, or possibly even a sentence, for example
keytothehighway, or with a combination of the above suggestions.
• Use a password generator.
• Change the password regularly and always use a code unique (not a variation of the
existing password by adding a “1” to it, for example password, password1).
• Write the password down and store it in a safe place away from the management
computer, in case you forget it.
• Alternatively, ensure at least two people know the password in the event that one
person becomes ill, is away on vacation or leaves the company. Alternatively have two
different admin logins.
Password policy
The FortiGate unit includes the ability to enforce a password policy for administrator login.
with the policy, you can enforce regular changes and specific criteria for a password
including:
• minimum length between 8 and 32 characters.
• if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
• if the password must contain numbers (1, 2, 3).
Forgotten password?
It happens that the administrator of the FortiGate unit leaves the company and does not
have the opportunity to provide the administrative password or forgets. Or you simply
forgot the password.
In the event you lose or forget the password, you need to contact Customer Support for
the steps required to reset the password. For information on contacting Customer
Support, see the Support web site at web site at https://support.fortinet.com.
Administrators
By default, the FortiGate unit has a super administrator called “admin”. This user login
cannot be deleted and always has ultimate access over the FortiGate unit. As well you can
add administrators for various functions and VDOMs. Each one can have their own
username and password and set of access privileges.
Trusted hosts
Setting trusted hosts for an administrators increases limiting what computers an
administrator can log in from. When you identify a trusted host, the FortiGate unit will only
accept the administrator’s login from the configured IP address. Any attempt to log in with
the same credentials from any other IP address will be dropped. To ensure the
administrator has access from different locations, you can enter up to ten IP addresses.
Ideally, this should be kept to a minimum. For higher security, use an IP address with a net
mask of 255.255.255.255, and enter an IP address (non-zero) in each of the three default
trusted host fields.
Trusted hosts are configured when adding a new administrator by going to System >
Admin > Administrators in the web-based manager or config system admin in the
CLI.
The trusted hosts apply to the web-based manager, ping, snmp and the CLI when
accessed through Telnet or SSH. CLI access through the console port is not affected.
Also ensure all entries contain actual IP addresses, not the default 0.0.0.0.
Enable SCP
To enable SCP - web-based manager
1 Go to System > Admin > Settings.
2 Select Enable SCP.
3 Select Apply.
Note: When adding to, or removing a protocol, you must type the entire list again. For
example, if you have an access list of HTTPS and SSH, and you want to add PING, typing:
set allowaccess ping
Linux
scp admin@<FortiGate_IP>:sys_config <location>
Windows
pscp admin@<FortiGate_IP>:sys_config <location>
These examples show how to download the configuration file from a FortiGate-100A, at IP
address 172.20.120.171, using Linux and Windows SCP clients.
<key-type> must be the ssh-dss for a DSA key or ssh-rsa for an RSA key. For the
<key-value>, copy the public key data and paste it into the CLI command.
If you are copying the key data from Windows Notepad, copy one line at a time and
ensure that you paste each line of key data at the end of the previously pasted data. As
well:
• Do not copy the end-of-line characters that appear as small rectangles in Notepad.
• Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: “[2048-
bit dsa,...]” lines.
• Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
4 Type the closing quotation mark and press Enter.
Your SCP client can now authenticate to the FortiGate unit based on SSH keys rather than
the administrator password.
Restoring a configuration
Should you need to restore a configuration file, use the following steps.
Firmware
Fortinet periodically updates the FortiGate firmware to include new features and address
issues. After you have registered your FortiGate unit, you can download firmware updates
from the support web site, http://support.fortinet.com.
You can also use the instructions in this chapter to revert, to a previous version. The
FortiGate unit includes a number of firmware installation options that enables you to test
new firmware without disrupting the existing installation, and load it from different locations
as required.
Fortinet issues patch releases--maintenance release builds that resolve important issues.
Fortinet strongly recommends reviewing the release notes for the patch release, as well
as testing and reviewing the patch release before upgrading the firmware. Follow the
steps below:
• download and review the release notes for the patch release
• download the patch release
• back up the current configuration
• test the patch release until you are satisfied that it applies to your configuration.
Installing a patch release without reviewing release notes or testing the firmware may
result in changes to settings or unexpected issues.
Only FortiGate admin user and administrators whose access profiles contain system read
and write privileges can change the FortiGate firmware.
Downloading firmware
Firmware images for all FortiGate units is available on the Fortinet Customer Support web
site. You must register your FortiGate unit to access firmware images. Register the
FortiGate unit by visiting http://support.fortinet.com and select Product Registration.
To download firmware
1 Log into the site using your user name and password.
2 Go to Firmware Images > FortiGate.
3 Select the most recent FortiOS version.
4 Locate the firmware for your FortiGate unit, right-click the link and select the Download
option for your browser.
Note: Always review the Release Notes for a new firmware release before installing. The
Release Notes can include information that is not available in the regular documentation.
Note: Always remember to back up your configuration before doing any firmware upgrade
or downgrade.
5 Type the path and filename of the firmware image file, or select Browse and locate the
file.
6 Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware
version, restarts, and displays the FortiGate login. This process takes a few minutes.
Note: To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
USB Auto-Install
The USB Auto-Install feature automatically updates the FortiGate configuration file and
firmware image file on a system reboot. Also, this feature provides you with an additional
backup if you are unable to save your system settings before shutting down or rebooting
your FortiGate unit.
Note: You need an unencrypted configuration file for this feature. Also the required files,
must be in the root directory of the USB key.
4 The default configuration filename should show in the Default configuration file name
field.
5 Select Apply.
6 Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message
similar to the following appears:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
7 Type y.
The FortiGate unit reverts to the old firmware version, resets the configuration to
factory defaults, and restarts. This process takes a few minutes.
8 Reconnect to the CLI.
9 To restore your previous configuration, if needed, use the command:
execute restore config <name_str> <tftp_ip4>
10 Update antivirus and attack definitions using the command:
execute update-now.
execute reboot
The FortiGate unit responds with the following message:
This operation will reboot the system!
Do you want to continue? (y/n)
7 Type y.
As the FortiGate unit starts, a series of system startup messages appears. When the
following messages appears:
Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
the FortiGate unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B[: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default
firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8 Type G to get to the new firmware image form the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter:
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP
address can be any IP address that is valid for the network the interface is connected
to. Make sure you do not enter the IP address of another device on this network.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and a message
similar to the following appears:
Save as Default firmware/Backup firmware/Run image without
saving: [D/B/R]
12 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might
take a few minutes to complete.
Note: You can only save VPN certificates if you encrypt the file. Make sure the
configuration encryption is enabled so you can save the VPN certificates with the
configuration file. An encrypted file is ineffective if selected for the USB Auto-Install feature.
Note: You have only 3 seconds to press any key. If you do not press a key soon enough,
the FortiGate unit reboots and you must login and repeat the execute reboot command.
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B[: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default
firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8 Type G to get the new firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9 Type the address of the TFTP server and press Enter:
The following message appears:
Enter Local Address [192.168.1.188]:
10 Type an IP address of the FortiGate unit to connect to the TFTP server.
The IP address must be on the same network as the TFTP server, but make sure you
do not use the IP address of another device on the network.
The following message appears:
Enter File Name [image.out]:
11 Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the
following appears.
Save as Default firmware/Backup firmware/Run image without
saving: [D/B/R]
12 Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts
running the new firmware image, but with its current configuration.
You can test the new firmware image as required. When done testing, you can reboot the
FortiGate unit, and the FortiGate unit will resume using the firmware that was running
before you installed the test firmware.
FortiGate configuration
These steps ensure that the FortiGate unit will be able to receive updated antivirus and
IPS updates, and allow remote management through the FortiManager system. You can
add a FortiGate unit whether it is running in either NAT/Route mode or Transparent mode.
Note: If you have not already done so, register the FortiGate unit by visiting
http://support.fortinet.com and select Product Registration. By registering your
Fortinet unit, you will receive updates to threat detection and prevention
databases (Antivirus, Intrusion Detection, etc.) and will also ensure your access to
technical support.
You must enable the FortiGate management option so the FortiGate unit can
accept management updates to firmware, antivirus signatures and IPS signatures.
FortiManager configuration
After enabling Central Management and indicating the FortiManager unit that will provide
the management of the FortiGate unit, you can add it to the Device Manager in the
FortiManager web-based manager.
FortiManager enables you to complete the configuration, by going to the Device Manager,
selecting the FortiGate unit and using the same menu structure and pages as you would
see in the FortiGate web-based manager. All changes to the FortiGate configuration are
stored locally on the FortiManager unit until you synchronize with the FortiGate unit.
Global objects
If you are maintaining a number of FortiGate units within a network, many of the policies
and configuration elements will be the same across the corporation. In these instances,
the adding and editing of many of the same policies will be come a tedious and
error-prone activity. With FortiManager global objects, this level of configuration is
simplified.
A global object is an object that is not associated specifically with one device or group.
Global objects includes firewall policies, a DNS server, VPN, and IP pools.
The Global Objects window is where you can configure global objects and copy the
configurations to the FortiManager device database for a selected device or a group of
devices. You can also import configurations from the FortiManager device database for a
selected device and modify the configuration as required.
When configuring or creating a global policy object the interface, prompts, and fields are
the same as creating the same object on a FortiGate unit using the FortiGate web-based
manager.
Firmware updates
FortiManager can also be the source where firmware updates are performed for multiple
FortiGate units, saving time rather than upgrading each FortiGate unit individually.
The FortiManager unit stores local copies of firmware images by either downloading these
images from the Fortinet Distribution Network (FDN) or by accepting firmware images that
you upload from your management computer.
If you are using the FortiManager unit to download firmware images from the FDN,
FortiManager units first validate device licenses. The FDN validates support contracts and
provides a list of currently available firmware images. For devices with valid Fortinet
Technical Support contracts, you can download new firmware images from the FDN,
including release notes.
After firmware images have been either downloaded from the FDN or imported to the
firmware list, you can either schedule or immediately upgrade/downgrade a device or
group’s firmware.
See the FortiManager Administration Guide for more information on updating the
FortiGate firmware using the FortiManager central management.
FortiGuard
FortiManager can also connect to the FortiGuard Distribution Network to receive push
updates for IPS signatures and antivirus definitions. These updates can then be used to
update multiple FortiGate units throughout an organization. By the FortiManager as the
host for updates, bandwidth use is minimized by downloading to one source instead of
many.
To receive IPS and antivirus updates from FortiManager, indicate an alternate IP address
on the FortiGate unit.
Administrative domains
FortiManager administrative domains enable the admin administrator to create groupings
of devices for configured administrators to monitor and manage. FortiManager can
manage a large number of Fortinet appliances. This enables administrators to maintain
managed devices specific to their geographic location or business division. This also
includes FortiGate units with multiple configured VDOMs.
Note: If you do not want to use an SSH/Telnet client and you have access to the webbiest
manager, you can alternatively access the CLI through the network using the CLI Console
widget in the web-based manager.
You must enable SSH and/or Telnet on the network interface associated with that physical
network port. If your computer is not connected directly or through a switch, you must also
configure the FortiGate unit with a static route to a router that can forward packets from
the FortiGate unit to your computer.
You can do this using either:
• a local console connection
• the web-based manager
Requirements
• a computer with an available serial communications (COM) port and RJ-45 port
• terminal emulation software such as HyperTerminal for Microsoft Windows
• the RJ-45-to-DB-9 or null modem cable included in your FortiGate package
• a network cable
• prior configuration of the operating mode, network interface, and static route (for
details, see)
To enable SSH or Telnet access to the CLI using a local console connection
1 Using the network cable, connect the FortiGate unit’s network port either directly to
your computer’s network port, or to a network through which your computer can reach
the FortiGate unit.
2 Note the number of the physical network port.
3 Using a local console connection, connect and log into the CLI. For details, see
“Connecting to the CLI using a local console” on page 365.
4 Enter the following command:
config system interface
edit <interface_str>
set allowaccess <protocols_list>
next
end
where:
• <interface_str> is the name of the network interface associated with the
physical network port and containing its number, such as port1
• <protocols_list> is the complete, space-delimited list of permitted
administrative access protocols, such as https ssh telnet
For example, to exclude HTTP, HTTPS, SNMP, and PING, and allow only SSH and
Telnet administrative access on port1:
set system interface port1 config allowaccess ssh telnet
Caution: Telnet is not a secure access method. SSH should be used to access the CLI
from the Internet or any other untrusted network.
5 To confirm the configuration, enter the command to display the network interface’s
settings.
get system interface <interface_str>
The CLI displays the settings, including the allowed administrative access protocols,
for the network interfaces.
To connect to the CLI through the network interface, see “Connecting to the CLI using
SSH” on page 367 or “Connecting to the CLI using Telnet” on page 368.
Note: FortiGate units support 3DES and Blowfish encryption algorithms for SSH.
Before you can connect to the CLI using SSH, you must first configure a network interface
to accept SSH connections. For details, see “Enabling access to the CLI through the
network (SSH or Telnet)” on page 366.
Note: The following procedure uses PuTTY. Steps may vary with other SSH clients.
8 Type the password for this administrator account and press Enter.
Note: If three incorrect login or password attempts occur in a row, you will be disconnected.
Wait one minute, then reconnect to attempt the login again.
The FortiGate unit displays a command prompt (its host name followed by a #).
You can now enter CLI commands.
Caution: Telnet is not a secure access method. SSH should be used to access the CLI
from the Internet or any other untrusted network.
Before you can connect to the CLI using Telnet, you must first configure a network
interface to accept SSH connections. For details, see “Enabling access to the CLI through
the network (SSH or Telnet)” on page 366.
Note: If three incorrect login or password attempts occur in a row, you will be disconnected.
Wait one minute, then reconnect to attempt the login again.
The FortiGate unit displays a command prompt (its host name followed by a #).
You can now enter CLI commands.
Command syntax
When entering a command, the command line interface (CLI) requires that you use valid
syntax, and conform to expected input constraints. It will reject invalid commands.
Fortinet documentation uses the following conventions to describe valid command syntax
Terminology
Each command line consists of a command word that is usually followed by words for the
configuration data or other specific item that the command uses or affects:
get system admin
To describe the function of each word in the command line, especially if that nature has
changed between firmware versions, Fortinet uses terms with the following definitions.
• command — A word that begins the command line and indicates an action that the
FortiGate unit should perform on a part of the configuration or host on the network,
such as config or execute. Together with other words, such as fields or values, that
end when you press the Enter key, it forms a command line. Exceptions include
multiline command lines, which can be entered using an escape sequence. (See
“Shortcuts and key commands” on page 377.)
Valid command lines must be unambiguous if abbreviated. (See “Command
abbreviation” on page 377.) Optional words or other command line permutations are
indicated by syntax notation. (See “Notation” on page 370.)
• sub-command — A kind of command that is available only when nested within the
scope of another command. After entering a command, its applicable sub-commands
are available to you until you exit the scope of the command, or until you descend an
additional level into another sub-command. Indentation is used to indicate levels of
nested commands. (See “Indentation” on page 370.)
Not all top-level commands have sub-commands. Available sub-commands vary by
their containing scope. (See “Sub-commands” on page 371.)
• object — A part of the configuration that contains tables and/or fields. Valid command
lines must be specific enough to indicate an individual object.
• table — A set of fields that is one of possibly multiple similar sets which each have a
name or number, such as an administrator account, policy, or network interface. These
named or numbered sets are sometimes referenced by other parts of the configuration
that use them. (See “Notation” on page 370.)
• field — The name of a setting, such as ip or hostname. Fields in some tables must
be configured with values. Failure to configure a required field will result in an invalid
object configuration error message, and the FortiGate unit will discard the invalid table.
• value — A number, letter, IP address, or other type of input that is usually your
configuration setting held by a field. Some commands, however, require multiple input
values which may not be named but are simply entered in sequential order in the same
command line. Valid input types are indicated by constraint notation. (See “Notation”
on page 370.)
• option — A kind of value that must be one or more words from of a fixed set of options.
(See “Notation” on page 370.)
Indentation
Indentation indicates levels of nested commands, which indicate what other
subcommittees are available from within the scope. For example, the edit sub-command
is available only within a command that affects tables, and the next sub-command is
available only from within the edit sub-command:
config system interface
edit port1
set status up
next
end
For information about available sub-commands, see “Sub-commands” on page 371.
Notation
Brackets, braces, and pipes are used to denote valid permutations of the syntax.
Constraint notations, such as <address_ipv4>, indicate which data types or string
patterns are acceptable value input.
Table 29: Command syntax notation
Convention Description
Square brackets [ ] A non-required word or series of words. For example:
[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word and its
accompanying option, such as verbose 3.
Sub-commands
Each command line consists of a command word that is usually followed by words for the
configuration data or other specific item that the command uses or affects:
get system admin
Sub-commands are available from within the scope of some commands.When you enter a
sub-command level, the command prompt changes to indicate the name of the current
command scope. For example, after entering:
config system admin
the command prompt becomes:
(admin)#
Applicable sub-commands are available to you until you exit the scope of the command,
or until you descend an additional level into another sub-command.
For example, the edit sub-command is available only within a command that affects
tables; the next sub-command is available only from within the edit sub-command:
config system interface
edit port1
set status up
next
end
clone <table> Clone (or make a copy of) a table from the current object.
For example, in config firewall policy, you could enter the following
command to clone firewall policy 27 to create firewall policy 30:
clone 27 to 39
In config antivirus profile, you could enter the following command
to clone an antivirus profile named av_pro_1 to create a new antivirus
profile named av_pro_2:
clone av_pro_1 to av_pro_2
clone may not be available for all tables.
delete <table> Remove a table from the current object.
For example, in config system admin, you could delete an administrator
account named newadmin by typing delete newadmin and pressing
Enter. This deletes newadmin and all its fields, such as newadmin’s
first-name and email-address.
delete is only available within objects containing tables.
edit <table> Create or edit a table in the current object.
For example, in config system admin:
• edit the settings for the default admin administrator account by typing
edit admin.
• add a new administrator account with the name newadmin and edit
newadmin‘s settings by typing edit newadmin.
edit is an interactive sub-command: further sub-commands are available
from within edit.
edit changes the prompt to reflect the table you are currently editing.
edit is only available within objects containing tables.
In objects such as firewall policies, <table> is a sequence number. To
create a new entry without the risk of overwriting an existing one, enter edit
0. The CLI initially confirms the creation of entry 0, but assigns the next
unused number after you finish editing and enter end.
abort Exit both the edit and/or config commands without saving the fields.
end Save the changes made to the current table or object fields, and exit the config
command. (To exit without saving, use abort instead.)
get List the configuration of the current object or table.
• In objects, get lists the table names (if present), or fields and their values.
• In a table, get lists the fields and their values.
next Save the changes you have made in the current table’s fields, and exit the edit
command to the object prompt. (To save and exit completely to the root prompt,
use end instead.)
next is useful when you want to create or edit several tables in the same object,
without leaving and re-entering the config command each time.
next is only available from a table prompt; it is not available from an object
prompt.
Note: When using set to change a field containing a space-delimited list, type
the whole new list. For example, set <field> <new-value> will replace the
list with the <new-value> rather than appending <new-value> to the list.
show Display changes to the default configuration. Changes are listed in the form of
configuration commands.
unset Reset the table or object’s fields to default values.
<field> For example, in config system admin, after typing edit admin, typing
unset password resets the password of the admin administrator account to
the default (in this case, no password).
Permissions
Depending on the account that you use to log in to the FortiGate unit, you may not have
complete access to all CLI commands.
Access profiles control which CLI commands an administrator account can access.
Access profiles assign either read, write, or no access to each area of the FortiGate
software. To view configurations, you must have read access. To make changes, you must
have write access.
Unlike other administrator accounts, the administrator account named admin exists by
default and cannot be deleted. The admin administrator account is similar to a root
administrator account. This administrator account always has full permission to view and
change all FortiGate configuration options, including viewing and changing all other
administrator accounts. Its name and permissions cannot be changed. It is the only
administrator account that can reset another administrator’s password without being
required to enter that administrator’s existing password.
Caution: Set a strong password for the admin administrator account, and change the
password regularly. By default, this administrator account has no password. Failure to
maintain the password of the admin administrator account could compromise the security
of your FortiGate unit.
For complete access to all commands, you must log in with the administrator account
named admin.
Tips
Basic features and characteristics of the CLI environment provide support and ease of use
for many CLI tasks.
Help
To display brief help during command entry, press the question mark (?) key.
• Press the question mark (?) key at the command prompt to display a list of the
commands available and a description of each command.
• Type a word or part of a word, then press the question mark (?) key to display a list of
valid word completions or subsequent words, and to display a description of each.
Action Keys
List valid word completions or subsequent words. ?
If multiple words could complete your entry, display all possible completions with
helpful descriptions of each.
Complete the word with the next available match. Tab
Press the key multiple times to cycle through available matches.
Recall the previous command. Up arrow, or
Command memory is limited to the current session. Ctrl + P
Recall the next command. Down arrow, or
Ctrl + N
Move the cursor left or right within the command line. Left or Right
arrow
Move the cursor to the beginning of the command line. Ctrl + A
Move the cursor to the end of the command line. Ctrl + E
Move the cursor backwards one word. Ctrl + B
Move the cursor forwards one word. Ctrl + F
Delete the current character. Ctrl + D
Abort current interactive commands, such as when entering multiple lines. Ctrl + C
If you are not currently within an interactive command such as config or edit,
this closes the CLI connection.
Continue typing a command on the next line for a multi-line command. \ then Enter
For each line that you want to continue, terminate it with a backslash ( \ ). To
complete the command line, terminate it by pressing the spacebar and then the
Enter key, without an immediately preceding backslash.
Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous
characters.
For example, the command get system status could be abbreviated to g sy st.
Environment variables
The CLI supports the following environment variables. Variable names are case-sensitive.
$USERFROM The management access type (ssh, telnet, jsconsole for the CLI Console
widget in the web-based manager, and so on) and the IP address of the
administrator that configured the item.
$USERNAME The account name of the administrator that configured the item.
$SerialNum The serial number of the FortiGate unit.
For example, the FortiGate unit’s host name can be set to its serial number.
config system global
set hostname $SerialNum
end
As another example, you could log in as admin1, then configure a restricted secondary
administrator account for yourself named admin2, whose first-name is admin1 to
indicate that it is another of your accounts:
config system admin
edit admin2
set first-name $USERNAME
Special characters
The characters <, >, (,), #, ', and “ are not permitted in most CLI fields. These characters
are special characters, sometimes also called reserved characters.
You may be able to enter special character as part of a string’s value by using a special
command, enclosing it in quotes, or preceding it with an escape sequence — in this case,
a backslash ( \ ) character.
Character Keys
? Ctrl + V then ?
Tab Ctrl + V then Tab
Space Enclose the string in quotation marks: "Security Administrator".
(to be interpreted as Enclose the string in single quotes: 'Security Administrator'.
part of a string value, Precede the space with a backslash: Security\ Administrator.
not to end the string)
' \'
(to be interpreted as
part of a string value,
not to end the string)
" \"
(to be interpreted as
part of a string value,
not to end the string)
\ \\
If you need to add configuration via CLI that requires ? as part of config, you need to input
CTRL-V first. If you enter the question mark (?) without first using CTRL-V, the question
mark has a different meaning in CLI: it will show available command options in that
section.
For example, if you enter ? without CTRL-V:
edit "*.xe
token line: Unmatched double quote.
If you enter ? with CTRL-V:
edit "*.xe?"
new entry '*.xe?' added
Examples
Use the following command to display the MAC address of the FortiGate unit internal
interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75
Use the following command to display all TCP sessions in the session list and include the
session list line number in the output
get system session list | grep -n tcp
Use the following command to display all lines in HTTP replacement message commands
that contain URL (upper or lower case):
show system replacemsg http | grep -i url
Note: HTTP clients may send requests in encodings other than UTF-8. Encodings usually
vary by the client’s operating system or input language. If you cannot predict the client’s
encoding, you may only be able to match any parts of the request that are in English,
because regardless of the encoding, the values for English characters tend to be encoded
identically. For example, English words may be legible regardless of interpreting a web
page as either ISO 8859-1 or as GB2312, whereas simplified Chinese characters might
only be legible if the page is interpreted as GB2312.
It configure your FortiGate unit using other encodings, you may need to switch language
settings on your management computer, including for your web browser or Telnet/SSH
client. For instructions on how to configure your management computer’s operating
system language, locale, or input method, see its documentation.
Note: If you choose to configure parts of the FortiGate unit using non-ASCII characters,
verify that all systems interacting with the FortiGate unit also support the same encodings.
You should also use the same encoding throughout the configuration if possible in order to
avoid needing to switch the language settings of the web-based manager and your web
browser or Telnet/SSH client while you work.
Similarly to input, your web browser or CLI client should usually interpret display output as
encoded using UTF-8. If it does not, your configured items may not display correctly in the
web-based manager or CLI. Exceptions include items such as regular expressions that
you may have configured using other encodings in order to match the encoding of HTTP
requests that the FortiGate unit receives.
9 Press Enter.
In the display area, the CLI Console widget displays your previous command
interpreted into its character code equivalent, such as:
edit \743\601\613\743\601\652
and the command’s output.
You may need to surround words that use encoded characters with single quotes ( ' ).
Depending on your Telnet/SSH client’s support for your language’s input methods and
for sending international characters, you may need to interpret them into character
codes before pressing Enter.
For example, you might need to enter:
edit '\743\601\613\743\601\652'
5 The CLI displays your previous command and its output.
Screen paging
You can configure the CLI to, when displaying multiple pages’ worth of output, pause after
displaying each page’s worth of text. When the display pauses, the last line displays
--More--. You can then either:
• press the spacebar to display the next page.
• type Q to truncate the output and return to the command prompt.
This may be useful when displaying lengthy output, such as the list of possible matching
commands for command completion, or a long list of settings. Rather than scrolling
through or possibly exceeding the buffer of your terminal emulator, you can simply display
one page at a time.
To configure the CLI display to pause when the screen is full:
config system console
set output more
end
Baud rate
You can change the default baud rate of the local console connection.
To change the baud rate enter the following commands:
config system console
set baudrate {115200 | 19200 | 38400 | 57600 | 9600}
end
Caution: Do not edit the first line. The first line(s) of the configuration file (preceded by a #
character) contains information about the firmware version and FortiGate model. If you
change the model number, the FortiGate unit will reject the configuration file when you
attempt to restore it.
3 Use execute restore to upload the modified configuration file back to the
FortiGate unit.
The FortiGate unit downloads the configuration file and checks that the model
information is correct. If it is, the FortiGate unit loads the configuration file and checks
each command for errors.If a command is invalid, the FortiGate unit ignores the
command. If the configuration file is valid, the FortiGate unit restarts and loads the new
configuration.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression “test” not only matches the word “test” but also matches
any word that contains the word “test” such as “atest”, “mytest”, “testimony”, “atestb”. The
notation “\b” specifies the word boundary. To match exactly the word “test”, the expression
should be \btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam filters. To
make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of “bad language” regardless of case.
Table 35: Perl regular expression examples
Expression Matches
abc abc (that exact character sequence, but anywhere in the string)
^abc abc at the beginning of the string
abc$ abc at the end of the string
a|b either of a and b
^abc|abc$ the string abc at the beginning or at the end of the string
ab{2,4}c an a followed by two, three or four b's followed by a c
ab{2,}c an a followed by at least two b's followed by a c
ab*c an a followed by any number (zero or more) of b's followed by a c
ab+c an a followed by one or more b's followed by a c
ab?c an a followed by an optional b followed by a c; that is, either abc or ac
Administrators
One point of security breach is at the management computer. Administrators who leave
their workstations for a prolonged amount of time while staying logged into the web-based
manager or CLI (whether on purpose or not), leave the firewall open to malicious intent.
Idle time-out
To avoid the possibility of an administrator walking away from the management computer
and leaving it exposed to unauthorized personnel, you can add an idle time-out. That is, if
the web-based manager is not used for a specified amount of time, the FortiGate unit will
automatically log the user out. To continue their work, they must log in to the device again.
The time-out can be set as high as 480 minutes, or eight hours, although this is not
recommend.
Administrator lockout
By default, the FortiGate unit includes set number of password retries. That is, the
administrator has a maximum of three attempts to log into their account before they are
locked out for a set amount of time. The number of attempts can be set to an alternate
value.
As well, the default wait time before the administrator can try to enter a password again is
60 seconds. You can also change this to further sway would-be hackers. Both settings are
configured only in the CLI
To configure the lockout options use the following commands:
config system global
set admin-lockout-threshold <failed_attempts>
set admin-lockout-duration <seconds>
end
For example, to set the lockout threshold to one attempt and a five minute duration before
the administrator can try again to log in enter the commands”
config system global
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
Administrative ports
You can set the web-based manager access as through HTTP, HTTPS, SSH and Telnet.
In these cases, the default ports for these protocols are 80, 443, 22 and 23 respectively.
You can change the ports used for network administration to a different, unused port to
further limit potential hackers.
Note: Ensure the port you select is not a port you will be using for other applications. For a
list of assigned port numbers see http://www.iana.org/assignments/port-numbers.
Interface settings
Within FortiOS there are a few options you can set to limit unauthorized access.
Disable interfaces
If any of the interfaces on the FortiGate unit are not being used, disable traffic on that
interface. This avoids someone plugging in network cables and potentially causing
network bypass or loop issues.
By default, the ident port is closed. To open it, use the following CLI commands:
config system interface
edit <port_name>
set inden_accept enable
end
You could also further use port forwarding to send the traffic to a non-existent IP address
and thus never have a response packet sent.
Hardware
Environmental specifications
Keep the following environmental specifications in mind when installing and setting up
your FortiGate unit.
• Operating temperature: 32 to 104°F (0 to 40°C)
• If you install the FortiGate unit in a closed or multi-unit rack assembly, the operating
ambient temperature of the rack environment may be greater than room ambient
temperature. Therefore, make sure to install the equipment in an environment
compatible with the manufacturer's maximum rated ambient temperature.
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 90% non-condensing
• Air flow - For rack installation, make sure that the amount of air flow required for safe
operation of the equipment is not compromised.
• For free-standing installation, make sure that the appliance has at least 1.5 in.
(3.75 cm) of clearance on each side to allow for adequate air flow and cooling.
This device complies with part FCC Class A, Part 15, UL/CUL, C Tick, CE and VCCI.
Operation is subject to the following two conditions:
• This device may not cause harmful interference, and
• This device must accept any interference received, including interference that may
cause undesired operation.
This equipment has been tested and found to comply with the limits for a Class B digital
device, pursuant to part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This
equipment generates, uses and can radiate radio frequency energy and, if not installed
and used in accordance with the instructions, may cause harmful interference to radio
Caution: To reduce the risk of fire, use only No. 26 AWG or larger UL Listed or CSA
Certified Telecommunication Line Cord.
Grounding
• Ensure the FortiGate unit is connected and properly grounded to a lightning and surge
protector. WAN or LAN connections that enter the premises from outside the building
should be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.
• Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather
than Unshielded Twisted Pair (UTP).
• Do not connect or disconnect cables during lightning activity to avoid damage to the
FortiGate unit or personal injury.
Shutting down
Always shut down the FortiGate operating system properly before turning off the power
switch to avoid potential hardware problems.
Performance
• Disable any management features you do not need. If you don’t need SSH or SNMP
disable them. SSH also provides another possibility for would-be hackers to infiltrate
your FortiGate unit.
• Put the most used firewall rules to the top of the interface list.
• Log only necessary traffic. The writing of logs, especially if to an internal hard disk,
slows down performance.
• Enable only the required application inspections.
• Keep alert systems to a minimum. If you send logs to a syslog server, you may not
need SNMP or email alerts, making for redundant processing.
• Establish scheduled FortiGuard updates at a reasonable rate. Daily every 4-5 hours for
most situations, or in more heavy-traffic situations, in the evening when more
bandwidth can be available.
• Keep UTM profiles to a minimum. If you do not need a profile on a firewall rule, do not
include it.
• Keep VDOMs to a minimum. On low-end FortiGate units, avoid using them if possible.
• Avoid traffic shaping if you need maximum performance. Traffic shaping, by definition,
slows down traffic.
Firewall
• Avoid using the All selection for the source and destination addresses. Use addresses
or address groups.
• Avoid using Any for the services.
• Use logging on a policy only when necessary. For example, you may want to log all
dropped connections but be aware of the performance impact. However, use this
sparingly to sample traffic data rather than have it continually storing log information
you may not use.
• Use the comment field to input management data; who requested the rule, who
authorized it, etc.
• Avoid FQDN addresses if possible. It can cause a performance impact on DNS queries
and security impact from DNS spoofing.
Intrusion protection
• Create and use UTM profiles with specific signatures and anomalies you need
per-interface and per-rule.
• Do not use predefined or generic profiles. While convenient to supply immediate
protection, you should create profiles to suit your network environment.
• If you do use the default profiles, reduce the IPS signatures/anomalies enabled in the
profile to conserver processing time and memory.
• If you are going to enable anomalies, make sure you tune thresholds according to your
environment.
• If you need protection, but not audit information, disable the logging option.
• Tune the IP-protocol parameter accordingly.
Antivirus
• Enable only the protocols you need to scan. If you have antivirus scans occurring on
the SMTP server, or using FortiMail, it is redundant to have it occur on the FortiGate
unit as well.
• Reduce the maximum file size to be scanned. Viruses travel usually in small files of
around 1 to 2 megabytes.
• Antivirus scanning within an HA cluster can impact performance.
• Enable grayware scanning on UTM profiles tied to internet browsing.
• Do not quarantine files unless you regularly monitor and review them. This is otherwise
a waste of space and impacts performance.
• Use file patterns to avoid scanning where it is not required.
• Enable heuristics from the CLI if high security is required using the command
config antivirus heuristic.
Web filtering
• Web filtering within an HA cluster impacts performance.
• Always review the DNS settings to ensure the servers are fast.
• Content block may cause performance overhead.
• Local URL filter is faster than FortiGuard web filter, because the filter list is local and
the FortiGate unit does not need to go out to the Internet to get the information from a
FortiGuard web server.
Antispam
• If possible use, a FortiMail unit. The antispam engines are more robust.
• Use fast DNS servers.
• Use specific UTM profiles for the rule that will use antispam.
• DNS checks may cause false positive with HELO DNS lookup.
• Content analysis (banned words) may impose performance overhead.
Security
• Use NTP to synchronize time on the FortiGate and the core network systems such as
email servers, web servers and logging services.
• Enable log rules to match corporate policy. For example, log administration
authentication events and access to systems from untrusted interfaces.
• Minimize adhoc changes to live systems if possible to minimize interruptions to the
network.
• When not possible, create backup configurations and implement sound audit systems
using FortiAnalyzer and FortiManager.
• If you only need to allow access to a system on a specific port, limit the access by
creating the strictest rule possible.
Dashboard
The FortiOS dashboard provides a location to view real-time system information. By
default, the dashboard displays the key statistics of the FortiGate unit itself, providing the
memory and CPU status, as well as the health of the ports, whether they are up or down
and their throughput.
Widgets
Within the dashboard is a number of smaller windows, called widgets, that provide this
status information. Beyond what is visible by default, you can add a number of other
widgets that display other key traffic information including application use, traffic per IP
address, top attacks, traffic history and logging statistics.
You will see when you log into the FortiGate unit, there are two separate dashboards. You
can add multiple dashboards to reflect what data you want to monitor, and add the widgets
accordingly. Dashboard configuration is only available through the web-based
manager.Administrators must have read and write privileges to customize and add
widgets when in either menu. Administrators must have read privileges if they want to view
the information.
Tip: You can position widgets within the dashboard frame by clicking and dragging it to a
different location.
sFlow
sFlow is a method of monitoring the traffic on your network to identify areas on the network
that may impact performance and throughput. sFlow is described in http://www.sflow.org.
FortiOS implements sFlow version 5. sFlow uses packet sampling to monitor network
traffic. That is, an sFlow Agent captures packet information at defined intervals and sends
them to an sFlow Collector for analysis, providing real-time data analysis. The information
sent is only a sampling of the data for minimal impact on network throughput and
performance.
The sFlow Agent is embedded in the FortiGate unit. Once configured, the FortiGate unit
sends sFlow datagrams of the sampled traffic to the sFlow Collector, also called an sFlow
Analyzer. The sFlow Collector receives the datagrams, and provides real-time analysis
and graphing to indicate where potential traffic issues are occurring. sFlow Collector
software is available from a number of third party software vendors.
sFlow data captures only a sampling of network traffic, not all traffic like the traffic logs on
the FortiGate unit. Sampling works by the sFlow Agent looking at traffic packets when they
arrive on an interface. A decision is made whether the packet is dropped, and sent on to
its destination, or a copy is forwarded to the sFlow Collector. The sample used and its
frequency are determined during configuration.
The sFlow datagram sent to the Collector contains the following information:
Packet header (e.g. MAC,IPv4,IPv6,IPX,AppleTalk,TCP,UDP, ICMP)
Sample process parameters (rate, pool etc.)
Input/output ports
• Priority (802.1p and TOS)
• VLAN (802.1Q)
• Source/destination prefix
• Next hop address
• Source AS, Source Peer AS
• Destination AS Path
• Communities, local preference
• User IDs (TACACS/RADIUS) for source/destination
• URL associated with source/destination
• Interface statistics (RFC 1573, RFC 2233, and RFC 2358)
sFlow agents can be added to any type of FortiGate interface. sFlow isn't supported on
some virtual interfaces such as VDOM link, IPSec, gre, and ssl.<vdom>.
For more information on sFlow, Collector software and sFlow MIBs, visit www.sflow.org.
Configuration
sFlow configuration is available only from the CLI. Configuration requires two steps:
enabling the sFlow Agent, and configuring the interface for the sampling information.
Enable sFlow
config system sflow
set collector-ip <ip_address>
set collector-port <port_number>
end
The default port for sFlow is UDP 6343. To configure in VDOM, use the following
commands:
config system vdom-sflow
set vdom-sflow enable
set collector-ip <ip_address>
set collector-port <port_number>
end
Configure sFlow agents per interface.
config system interface
edit <interface_name>
set sflow-sampler enable
set sample-rate <every_n_packets>
set sample-direction [tx | rx | both]
set polling-interval <seconds>
end
Logging
FortiOS provides a robust logging environment that enables you to monitor, store and
report traffic information and FortiGate events including attempted log ins and hardware
status. Depending on your requirements, you can log to a number of different hosts.
To configure logging in the web-based manager, go to Log & Report > Log Config > Log
Setting.
To configure logging in the CLI use the commands config log <log_location>.
For details on configuring logging see the accompanying FortiOS documentation and
FortiAnalyzer Administration Guide.
FortiGate memory
Inexpensive yet volatile, for basic event logs or verifying traffic, AV or spam patterns,
logging to memory is a simple option. However, because logs are stored in the limited
space of the internal memory, only a small amount is available for logs. As such logs can
fill up and be overridden with new entries, negating the use of recursive data. This is
especially true for traffic logs. Also, should the FortiGate unit be shut down or rebooted, all
log information will be lost.
Syslog server
An industry standard for collecting log messages, for off site storage. In the web-based
manager, you are able to send logs to a single syslog server, however in the CLI you can
configure up to three syslog servers where you can also use multiple configuration
options. For example, send traffic logs to one server, antivirus logs to another.
FortiAnalyzer
The FortiAnalyzer family of logging, analyzing, and reporting appliances securely
aggregate log data from Fortinet devices and other syslog-compatible devices. Using a
comprehensive suite of easily-customized reports, users can filter and review records,
including traffic, event, virus, attack, Web content, and email data, mining the data to
determine your security stance and assure regulatory compliance. FortiAnalyzer also
provides advanced security management functions such as quarantined file archiving,
event correlation, vulnerability assessments, traffic analysis, and archiving of email, Web
access, instant messaging and file transfer content.
Alert email
As an administrator, you want to be certain you can respond quickly to issues occurring on
your network or on the FortiGate unit. Alert email provides an efficient and direct method
of notifying an administrator of events. By configuring alert messages, you can define the
threshold when a problem becomes critical and needs attention. When this threshold is
reached, the FortiGate unit will send an email to one or more individuals notifying them of
the issue.
In the following example, the FortiGate unit is configured to send email to two
administrators (admin1 and admin2) when multiple intrusions are detected every two
minutes. The FortiGate unit has its own email address on the mail server.
SMTP Server Enter the address or name of the email server. For example,
smtp.example.com.
Email from fortigate@example.com
Email to admin1@example.com
admin2@example.com
Authentication Enable authentication if required by the email server.
SMTP User FortiGate
Password *********************
Interval Time 2
SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your
network. You can configure the hardware, such as the FortiGate SNMP agent, to report
system information and send traps (alarms or event messages) to SNMP managers. An
SNMP manager, or host, is a typically a computer running an application that can read the
incoming trap and event messages from the agent and send out SNMP queries to the
SNMP agents. A FortiManager unit can act as an SNMP manager, or host, to one or more
FortiGate units.
By using an SNMP manager, you can access SNMP traps and data from any FortiGate
interface or VLAN subinterface configured for SNMP management access. Part of
configuring an SNMP manager is to list it as a host in a community on the FortiGate unit it
will be monitoring. Otherwise the SNMP monitor will not receive any traps from that
FortiGate unit, or be able to query that unit.
The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP
managers have read-only access to FortiGate system information through queries and
can receive trap messages from the FortiGate unit.
To monitor FortiGate system information and receive FortiGate traps, you must first
compile the Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a
text file that describes a list of SNMP data objects that are used by the SNMP manager.
These MIBs provide information the SNMP manager needs to interpret the SNMP trap,
event, and query messages sent by the FortiGate unit SNMP agent. FortiGate core MIB
files are available on the Customer Support website.
The Fortinet implementation of SNMP includes support for most of RFC 2665
(Ethernet-like MIB) and most of RFC 1213 (MIB II). For more information, see “Fortinet
MIBs” on page 404. RFC support for SNMP v3 includes Architecture for SNMP
Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).
SNMP traps alert you to events that occur such as an a full log disk or a virus detected.
For more information about SNMP traps, see “Fortinet and FortiGate traps” on page 406.
SNMP fields contain information about the FortiGate unit, such as CPU usage percentage
or the number of sessions. This information is useful for monitoring the condition of the
unit on an ongoing basis and to provide more information when a trap occurs. For more
information about SNMP fields, see “Fortinet and FortiGate MIB fields” on page 409.
The FortiGate SNMP v3 implementation includes support for queries, traps,
authentication, and privacy. Authentication and encryption are configured in the CLI. See
the system snmp user command in the FortiGate CLI Reference.
SNMP agent
You need to first enter information and enable the FortiGate SNMP Agent. Enter
information about the FortiGate unit to identify it so that when your SNMP manager
receives traps from the FortiGate unit, you will know which unit sent the information.
SNMP community
An SNMP community is a grouping of devices for network administration purposes. Within
that SNMP community, devices can communicate by sending and receiving traps and
other information. One device can belong to multiple communities, such as one
administrator terminal monitoring both a firewall SNMP community and a printer SNMP
community.
Add SNMP communities to your FortiGate unit so that SNMP managers can connect to
view system information and receive SNMP traps.
You can add up to three SNMP communities. Each community can have a different
configuration for SNMP queries and traps. Each community can be configured to monitor
the FortiGate unit for a different set of events. You can also add the IP addresses of up to
8 SNMP managers to each community.
Note: When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on
interfaces in the management virtual domain. Traps cannot be sent over other interfaces.
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC
1213 and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665
(Ethernet-like MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit
configuration.
There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The
Fortinet MIB contains traps, fields and information that is common to all Fortinet products.
The FortiGate MIB contains traps, fields and information that is specific to FortiGate units.
Each Fortinet product has its own MIB—if you use other Fortinet products you will need to
download their MIB files as well.
The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in
this section. You can download the two FortiGate MIB files from Fortinet Customer
Support. The Fortinet MIB contains information for Fortinet products in general. the
Fortinet FortiGate MIB includes the system information for The FortiGate unit and version
of FortiOS. Both files are required for proper SNMP data collection.
Your SNMP manager may already include standard and private MIBs in a compiled
database that is ready to use. You must add the Fortinet proprietary MIB to this database
to have access to the Fortinet specific information.
Note: There were major changes to the MIB files between v3.0 and v4.0. You need to use
the new MIBs for v4.0 or you may mistakenly access the wrong traps and fields.
MIB files are updated for each version of FortiOS. When upgrading the firmware ensure
that you updated the Fortinet FortiGate MIB file as well.
{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field
name itself.
The following SNMP get command gets firmware version running on the FortiGate unit.
The community name is public. The IP address of the interface configured for SNMP
management access is 10.10.10.1. The firmware version MIB field is fgSysVersion
and the OID for this MIB field is 1.3.6.1.4.1.12356.101.4.1.1 The first command
uses the MIB field name and the second uses the OID:
snmpget -v2c -c public 10.10.10.1 fgSysVersion
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.101.4.1.1
.403 HA Heartbeat Failure The heartbeat failure count has exceeded the configured
(fgTrapHaHBFail) threshold.
.404 HA Member Unavailable An HA member becomes unavailable to the cluster.
(fgTrapHaMemberDown)
.405 HA Member Available An HA member becomes available to the cluster.
(fgTrapHaMemberUp)
(fgHaTrapMemberSerial) Serial number of an HA cluster member. Used to identify
the origin of a trap when a cluster is configured.
(OID1.3.6.1.4.1.12356.101.13.3.1)
Fortinet MIB
Table 43: OIDs for the Fortinet-Core-MIB
fnMgmt .3.6.1.4.1.12356.100.1.2
fnMgmtLanguage 1.3.6.1.4.1.12356.100.1.2.1 Language used for
administration interfaces.
fnAdmin 1.3.6.1.4.1.12356.100.1.2.100
fnAdminNumber 1.3.6.1.4.1.12356.100.1.2.100.1 The number of admin
accounts in fnAdminTable.
fnAdminTable 1.3.6.1.4.1.12356.100.1.2.100.2 A table of administrator
accounts on the device. This
table is intended to be
extended with platform specific
information.
fnAdminEntry 1.3.6.1.4.1.12356.100.1.2.100.2.1 An entry containing
information applicable to a
particular admin account.
fnAdminIndex 1.3.6.1.4.1.12356.100.1.2.100.2.1.1 An index uniquely defining an
administrator account within
the fnAdminTable.
fmAdminName 1.3.6.1.4.1.12356.100.1.2.100.2.1.2 The user-name of the
specified administrator
account.
fnAddminAddrType 1.3.6.1.4.1.12356.100.1.2.100.2.1.3 The type of address stored in
fnAdminAddr, in compliance
with INET-ADDRESS-MIB
fnAdminAddr 1.3.6.1.4.1.12356.100.1.2.100.2.1.4 The address prefix identifying
where the administrator
account can be used from,
typically an IPv4 address. The
address type/format is
determined by
fnAdminAddrType.
fnTraps 1.3.6.1.4.1.12356.100.1.3
fnTrapsPrefix 1.3.6.1.4.1.12356.100.1.3.0
fnTrapCpuThreshold 1.3.6.1.4.1.12356.100.1.3.0.101 Indicates that the CPU usage
has exceeded the configured
threshold.
fnTrapMemThreshold 1.3.6.1.4.1.12356.100.1.3.0.102 Indicates memory usage has
exceeded the configured
threshold.
fnTrapLogDiskThreshold 1.3.6.1.4.1.12356.100.1.3.0.103 Log disk usage has exceeded
the configured threshold. Only
available on devices with log
disks.
fnTrapTempHigh 1.3.6.1.4.1.12356.100.1.3.0.104 A temperature sensor on the
device has exceeded its
threshold. Not all devices have
thermal sensors. See manual
for specifications.
fnTrapVoltageOutOfRange 1.3.6.1.4.1.12356.100.1.3.0.105 Power levels have fluctuated
outside of normal levels. Not
all devices have voltage
monitoring instrumentation.
See manual for specifications.
fnTrapPowerSupplyFailure 1.3.6.1.4.1.12356.100.1.3.0.106 Power supply failure detected.
Not available on all models.
Available on some devices
which support redundant
power supplies. See manual
for specifications.
fnTrapIpChange 1.3.6.1.4.1.12356.100.1.3.0.201 Indicates that the IP address
of the specified interface has
been changed.
fnTrapTest 1.3.6.1.4.1.12356.100.1.3.0.999 Trap sent for diagnostic
purposes by an administrator.
fnTrapObjects 1.3.6.1.4.1.12356.100.1.3.1
fnGenTrapMsg 1.3.6.1.4.1.12356.100.1.3.1.1 Generic message associated
with an event. The content will
depend on the nature of the
trap.
fnMIBConformance 1.3.6.1.4.1.12356.100.10
fnSystemComplianceGroup 1.3.6.1.4.1.12356.100.10.1 Objects relating to the physical
device.
fnMgmtComplianceGroup 1.3.6.1.4.1.12356.100.10.2 Objects relating the
management of a device.
fnAdmincomplianceGroup 1.3.6.1.4.1.12356.100.10.3 Administration access control
objects.
fnTrapsComplianceGroup 1.3.6.1.4.1.12356.100.10.4 Event notifications.
FortiGate MIB
Table 44: OIDs for the Fortinet-FortiGate-MIB
Multicast IP addresses
Multicast uses the Class D address space. The 224.0.0.0 to 239.255.255.255 IP address
range is reserved for multicast groups. The multicast address range applies to multicast
groups, not to the originators of multicast packets. Table 45 lists reserved multicast
address ranges and describes what they are reserved for:
Note: RIPv1 uses broadcasting to share routing table information. To allow RIPv1 packets
through a FortiGate unit you can add standard firewall policies. Firewall policies to accept
RIPv1 packets can use the ANY predefined firewall service or the RIP predefined firewall
service.
Figure 39: Example multicast network including a FortiGate unit that forwards multicast
packets
of
b ers oup
m r
Me ast G4.0
ic 68. 4
l t
Mu39.1 er_
r_3 ce
iv
2 e ive Re
c
Re
r_2
e ive
c
Re
r_1
e ive
R ec
Fo
r
int tiGat
ern e-
ex al 800
te I
DM rnal P: 19
Z I IP: 2.1
Multicast Forwarding Enabled P: 17 68
Source address: 192.168.5.18 19 2.2 .5.1
2.1 0.
Source interface: internal 68 20.
.6. 10
1
Destination address: 239.168.4.0
Destination interface: external
NAT IP: 192.168.18.10
D 2.1
ev 6
19
el 8.6
op .
m 0/2
ss ing
en 4
M 16
19
ar 8.
re et
t
2.
dd rk
ke 5.
9. dr sts .18 a a
tin 0/2
23 ad a .5 t IP e M
g 4
IP ult 16 a th
m 2. or on
19 tw er
d
8. ss o
ne en
16 e t
8
S
0
c
4.
i
Note: Enabling multicast forwarding is only required if your FortiGate unit is operating in
NAT mode. If your FortiGate unit is operating in Transparent mode, adding a multicast
policy enables multicast forwarding.
Note: The CLI parameter multicast-skip-policy must be disabled when using multicast
firewall policies. To disable enter the command
config system settings
set multicast-skip-policy disable
end
This example shows how to configure a multicast firewall policy so that the FortiGate unit
forwards multicast packets from a multicast Server with an IP 10.10.10.10 is broadcasting
to address 225.1.1.1. This Server is on the network connected to the FortiGate DMZ
interface.
config firewall multicast-policy
edit 1
set srcintf DMZ
set srcaddr 10.10.10.10 255.255.255.255
set dstintf Internal
set dstaddr 225.1.1.1 255.255.255.255
set action accept
edit 2
set action deny
end
.x
ter 00
ou 4.2
_ 1 r 3.23 ck0)
0 23 ba
75 op
_3 p
i s co grou 0.1 lo
C for .10
RP 9.254
0)
25
(16
(.
23
0/
E
F
16
9.2
54
.82
.0/
24
10
.31
M 9. 25
Cis VL .138.
ul 25 4.
16 3.
tic 4 20
co AN 0/2
23
as .8 0.
_3
t S 2.1 1
75 13 4
ou
0_ 8
rc
2r
e
ou
1)
ter
(.
10
24
.31
0/
E
VL .130.
F
Fo AN 0/2
rtiG
0)
13 4
25
ate
(.
-8 8
23
00
0/
3)
E
F
25
(.
al
rn
Cis 10
te
co .31
ex
_3 .12
1)
75
(.
0_ 8.1
al
28
rn
3r /30
te
ou
in
0)
ter
25
(.
24
0/
E
F
0)
13
(.
23
0/
E
F
1
4. 9)
0.
25 12
20
3. r (.
23 ve
i
up ce
ro e
G R
Configuration steps
The following procedures show how to configure the multicast configuration settings for
the devices in the example configuration.
• Cisco_3750_1 router configuration
• Cisco_3750_2 router configuration
• To configure the FortiGate-800 unit
• Cisco_3750_3 router configuration
interface Vlan182
ip address 169.254.82.250 255.255.255.0
ip pim sparse-mode
ip mroute-cache distributed
!
ip classless
ip route 0.0.0.0 0.0.0.0 169.254.82.1
ip http server
ip pim rp-address 169.254.100.1 Source-RP
!
ip access-list standard Source-RP
permit 233.254.200.0 0.0.0.255
!
ip multicast-routing distributed
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
interface FastEthernet1/0/23
switchport access vlan 128
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 130
switchport mode access
!
interface Vlan128
ip address 10.31.128.130 255.255.255.252
ip pim sparse-mode
ip mroute-cache distributed
!
interface Vlan130
ip address 10.31.130.250 255.255.255.0
ip pim sparse-mode
ip mroute-cache distributed
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.130.1
ip http server
ip pim rp-address 169.254.100.1 Source-RP
!
!
ip access-list standard Source-RP
permit 233.254.200.0 0.0.0.255
10
.16
6.0
.0/
24
M 9.
ul 25
23
tic 5
10
as .2
.13
t S 55
0.0
ou .1
.0/
rc
e
24
(.
11
)
al
rn
te
In
10
7)
.13
l
na
23
2.0
er
(.
xt
1
.0/
T-
E
24
G
F
al
rn
te
In
10
.16
l
7.0
32
na
1/
er
.0/
ck 68 )
ba .1 56
) .1.
xt
24
op 92 (.1
E
(lo 1 -2
R T
G
F
P
2
rt
po
6)
3
22
rt
po
(.
3
T-
G
F
)
62
(.
r
ve
ei
ec
R
Checking that the receiver has joined the required group
From the last hop router, FGT-3, you can use the following command to check that the
receiver has correctly joined the required group.
FGT-3 # get router info multicast igmp groups
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last
Reporter
239.255.255.1 port3 00:31:15 00:04:02
10.167.0.62
Only 1 receiver is displayed for a particular group, this is the device that responded to the
IGMP query request from the FGT-3. If a receiver is active the expire time should drop to
approximately 2 minutes before being refreshed.
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0
(*,*,RP) This state may be reached by general joins for all groups served by a
Entries specified RP.
(*,G) Entries State that maintains the RP tree for a given group.
(S,G) Entries State that maintains a source-specific tree for source S and group G.
(S,G,rpt) State that maintains source-specific information about source s on the RP
Entries tree for G. For example, if a source is being received on the source-specific
tree, it will normally have been pruned off the RP tree.
FCR The FCR state entries are for tracking the sources in the <*, G> when <S, G>
is not available for any reason, the stream would typically be flowing when
this state exists.
Joined:
Asserted:
Outgoing:
port3
This is the entry for the SPT, no RP IS listed. The S,G stream will be forwarded out of the
stated outgoing interface.
(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 10.132.0.156
RPF idx: port2
Upstream State: NOT PRUNED
Local:
Pruned:
Outgoing:
The above S,G,RPT state is created for all streams that have both a S,G and a *,G entry
on the router. This is not pruned in this case because of the topology, the RP and source
are reachable over the same interface.
Although not seen in this scenario, assert states may be seen when multiple PIM routers
exist on the same LAN which can lead to more than one upstream router having a valid
forwarding state. Assert messages are used to elect a single forwarder from the upstream
devices.
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0
(*, 239.255.255.1)
RP: 192.168.1.1
RPF nbr: 0.0.0.0
RPF idx: None
Upstream State: JOINED
Local:
Joined:
external
Asserted:
FCR:
The *,G entry now has a joined interface rather than local because it has received a PIM
join from FGT-3 rather than a local IGMP join.
(10.166.0.11, 239.255.255.1)
RPF nbr: 10.130.0.237
RPF idx: internal
SPT bit: 1
Upstream State: JOINED
Local:
Joined:
external
Asserted:
Outgoing:
external
The S,G entry shows that we have received a join on the external interface and the stream
is being forwarded out of this interface.
(10.166.0.11, 239.255.255.1, rpt)
RP: 192.168.1.1
RPF nbr: 0.0.0.0
RPF idx: None
Upstream State: PRUNED
Local:
Pruned:
Outgoing:
External
The S,G,RPT is different from FGT-3 because FGT-2 is the RP, it has pruned back the
SPT for the RP to the first hop router.
(*,*,RP) Entries: 0
(*,G) Entries: 0
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0
Below the S,G is the SPT termination because this FortiGate unit is the first hop router,
the RPF neighbor always shows as 0.0.0.0 because the source is local to this device. Both
the joined and outgoing fields show as external because the PIM join and the stream is
egressing on this interface.
(10.166.0.11, 239.255.255.1)
RPF nbr: 0.0.0.0
RPF idx: None
SPT bit: 1
Upstream State: JOINED
Local:
Joined:
external
Asserted:
Outgoing:
external
The stream has been pruned back from the RP because the end-to-end SPT is flowing,
there is no requirement for the stream to be sent to the RP in this case.
(10.166.0.11, 239.255.255.1, rpt)
RP: 0.0.0.0
RPF nbr: 10.130.0.156
RPF idx: external
Upstream State: RPT NOT JOINED
Local:
Pruned:
Outgoing:
.3 11
.1
33 .0.
.3
:2 6
IP 16
n 0.
M 10 p 233
io 1
ul .1 23 .3
IP rou p
at P:
tic 6 3 .
10
tin e I
G rou
T
as 6. .2. 3.1
.12
54 10
es rc
G
t S 0.1 2. 1
.1
D ou
5.0
.2 0.
.3
ou 1/
39 8.2
S
.0/
rc 24
:2 6
e
24
IP .1
n 92
1
io 1
at P:
tin e I
es rc
D ou
S
10
.12
8 s
0/ p
6.0
0. ou
.0/
23 f -1
0. gr
R T
24
3. or
G
8
F
P
6
rt
po
10
.12
7.0
7
23 n 4 e
.0/
rt
p co /2 fac
po
2. ed
24
ou in 0.1 er
fo tat 16 ck )
S 2. ba (FW
2. ur
gr jo 2 t
r ic 8. in
3. fig
1
19 p -2
Lo T
G
F
o
.2 11
.1
33 .0.
.2
:2 6
IP 16
up
n 0.
io 1
ro
at P:
g
T
tin e I
16 r
A
0/ fo
.1
54 1
es rc
.2 0.
0. P
.1
D ou
4. R
39 8.2
S
23 SR -3
25 nd
:2 6
B T
IP .1
9. a
G
n 92
F
io 1
at P:
tin e I
9. 25 /2 er
es rc
23 9. .62 iv
D ou
25 4. 4
e
up 2 .0 c
4. 1.1
S
ro p 27 Re
1
3.
G rou .1 st
G 10 ica
IP ult
3
M
config interface
edit loopback
set pim-mode sparse-mode
config join-group
edit 233.2.2.1
next
edit 233.3.3.1
next
end
next
3 In this example, to add firewall multicast policies, different source IP addresses are
required so you must first add an IP pool:
config firewall ippool
edit Multicast_source
set endip 192.168.20.20
set interface port6
set startip 192.168.20.10
next
end
4 Add the translation firewall policies.
Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1,
the DNAT policy, uses an address from the IP pool.
config firewall multicast-policy
edit 1
set dnat 239.254.3.1
set dstaddr 233.3.3.1 255.255.255.255
set dstintf loopback
set nat 192.168.20.10
set srcaddr 10.166.0.11 255.255.255.255
set srcintf port6
next
edit 2
set dnat 239.254.1.1
set dstaddr 233.2.2.1 255.255.255.255
set dstintf loopback
set nat 192.168.20.1
set srcaddr 10.166.0.11 255.255.255.255
set srcintf port6
next
5 Add a firewall multicast policy to forward the stream from the loopback interface to the
physical outbound interface.
This example is an any/any policy that makes sure traffic accepted by the other
multicast policies can exit the FortiGate unit.
config firewall multicast-policy
edit 3
set dstintf port7
set srcintf loopback
next
11
26
i s co er
C out
r
0
55
c o3
Cis witch
s
1
r
ve
ei
ec
R
Fo
rtiG
F P 23 .1
or fo 7. .1
ate
tiG r 1. .1
R
-50
at 237 1.1
e- .1
0A
50 .1
_
23
2
0A .1
8
_1
F RP rio
or
tiG fo ity
a t r o 25
er 40
e- th 6
P
ut 6
50 er
ro o 3
0A s
r
c
_3
is
C
F RP Pr
or
tiG fo rit
at r o y 1
S
e - th
en
50 er
de
io
0A s
r
_4
2
r
ve
ei
ec
R
next
edit 2
set dnat 238.1.1.1
set dstintf lo0
set nat 1.4.50.4
set srcintf port1
next
Configuration steps
In this sample, FortiGate-500A_1 is the RP for the group 228.1.1.1, 237.1.1.1, 238.1.1.1,
and FortiGate-500A_4 is the RP for the other group which has a priority of1. OSPF is used
in this example to distribute routes including the loopback interface. All firewalls have full
mesh firewall policies to allow any to any.
• In the FortiGate-500A_1 configuration, the NAT policy translates source address
236.1.1.1 to 237.1.1.1
• In the FortiGate-500A_4, configuration, the NAT policy translates source 236.1.1.1 to
238.1.1.1
• Source 236.1.1.1 is injected into network as well.
The following procedures include the CLI commands for configuring each of the FortiGate
units in the example configuration.
To configure FortiGate-500A_1
1 Configure multicast routing.
config router multicast
config interface
edit port5
set pim-mode sparse-mode
next
edit port4
set pim-mode sparse-mode
next
edit lan
set pim-mode sparse-mode
next
edit port1
set pim-mode sparse-mode
next
edit lo999
set pim-mode sparse-mode
next
edit lo0
set pim-mode sparse-mode
set rp-candidate enable
set rp-candidate-group 1
next
end
set multicast-routing enable
config pim-sm-global
set bsr-candidate enable
set bsr-interface lo0
end
end
To configure FortiGate-500A_2
1 Configure multicast routing.
config router multicast
config interface
edit "lan"
set pim-mode sparse-mode
next
edit "port5"
set pim-mode sparse-mode
next
edit "port2"
set pim-mode sparse-mode
next
edit "port4"
set pim-mode sparse-mode
next
edit "lo_5"
set pim-mode sparse-mode
config join-group
edit 236.1.1.1
next
end
next
end
set multicast-routing enable
end
2 Add multicast firewall policies.
config firewall multicast-policy
edit 1
set dstintf lan
set srcintf port5
next
edit 2
set dstintf port5
set srcintf lan
next
edit 4
set dstintf lan
set srcintf port2
next
edit 5
set dstintf port2
set srcintf lan
next
edit 7
set dstintf port1
set srcintf port2
next
edit 8
set dstintf port2
set srcintf port1
next
edit 9
set dstintf port5
set srcintf port2
next
edit 10
set dstintf port2
set srcintf port5
next
edit 11
set dnat 237.1.1.1
set dstintf lo_5
set nat 5.5.5.5
set srcintf port2
next
edit 12
set dstintf lan
set srcintf lo_5
next
edit 13
set dstintf port1
set srcintf lo_5
next
edit 14
set dstintf port5
set srcintf lo_5
next
edit 15
set dstintf port2
set srcintf lo_5
next
edit 16
next
end
To configure FortiGate-500A_3
1 Configure multicast routing.
config router multicast
config interface
edit port5
set pim-mode sparse-mode
next
edit port6
set pim-mode sparse-mode
next
edit lo0
set pim-mode sparse-mode
set rp-candidate enable
set rp-candidate-priority 255
next
edit lan
set pim-mode sparse-mode
next
end
set multicast-routing enable
config pim-sm-global
set bsr-candidate enable
set bsr-interface lo0
end
end
2 Add multicast firewall policies.
config firewall multicast-policy
edit 1
set dstintf port5
set srcintf port6
next
edit 2
set dstintf port6
set srcintf port5
next
edit 3
set dstintf port6
set srcintf lan
next
edit 4
To configure FortiGate-500A_4
1 Configure multicast routing.
config router multicast
config interface
edit port6
set pim-mode sparse-mode
next
edit lan
set pim-mode sparse-mode
next
edit port1
set pim-mode sparse-mode
next
edit lo0
set pim-mode sparse-mode
set rp-candidate enable
config join-group
edit 236.1.1.1
next
end
set rp-candidate-priority 1
next
end
set multicast-routing enable
config pim-sm-global
set bsr-allow-quick-refresh enable
set bsr-candidate enable
set bsr-interface lo0
set bsr-priority 1
end
end
2 Add multicast firewall policies.
config firewall policy
edit 1
set srcintf lan
set dstintf port6
set srcaddr all
set dstaddr all
set action accept
set schedule always
status=resolved
last_assert=834864 bytes=1765076 pkt=1717 wrong_if=0
num_ifs=1
index(ttl)=[7(1),]
IPv6 overview
IP version 6 handles issues that weren't around decades ago when IPv4 was created such
as running out of IP addresses, fair distributing of IP addresses, built-in quality of service
(QoS) features, better multimedia support, and improved handling of fragmentation. A
bigger address space, bigger default packet size, and more optional header extensions
provide these features with flexibility to customize them to any needs.
IPv6 has 128-bit addresses compared to IPv4's 32-bit addresses, effectively eliminating
address exhaustion. This new very large address space will likely reduce the need for
network address translation (NAT) since IPv6 provides more than a billion IP addresses
for each person on Earth. All hardware and software network components must support
this new address size, an upgrade that may take a while to complete and will force IPv6
and IPv4 to work side-by-side during the transition period. During that time FortiOS
supports IPv4 and IPv6 will ensure a smooth transition for networks.
Larger address IPv4 addresses are 32 bits long while IPv6 addresses are 128 bits
space long. This increase supports 2128 addresses, or more than ten billion
billion billion times as many addresses as IPv4 (232). IPv6 enables
more levels of addressing hierarchy and simplifies auto-configuration
of IP addresses. The IPv6 addressing scheme eliminates the need for
Network Address Translation (NAT) that causes networking problems
due to the end-to-end nature of the Internet, such as hiding multiple
hosts behind a pool of IP addresses.
Simplified The IPv6 header format either drops or makes optional certain IPv4
header formats header fields. This limits the bandwidth cost of the IPv6 header, even
though the IPv6 addresses are four times longer than the IPv4
addresses, the IPv6 header is only twice the size of the IPv4 header.
Improved Changes in the way IP header options are encoded and allows for
support for IP more efficient forwarding and less stringent limits on the length of
header options options. The changes also provide greater flexibility for introducing
new options in the future.
Prioritization of The IPv6 packet header contains a new Flow Label field that allows
packet delivery the sender to request special handling, such as “real-time service” or
using flow non-default quality of service. The Flow Label field replaces Service
labeling Type field in IPv4.
Supported IPv6 extensions support authentication, data integrity, and (optional)
authentication data confidentiality.
IPv6 addresses are assigned to interfaces rather than nodes, thereby recognizing that a
node can have more than one interface, and you can assign more than one IPv6 address
to an interface. In addition, the larger address space in IPv6 addresses allows flexibility in
allocating addresses and routing traffic, and simplifies some aspects of address
assignment and renumbering when changing Internet service providers.
With IPv4, complex Classless Inter-Domain Routing (CIDR) techniques were developed to
make the best use of the small address space. CIDR facilitates routing by allowing blocks
of addresses to be grouped together into a single routing table entry. With IPv4,
renumbering an existing network for a new connectivity provider with different routing
prefixes is a major effort (see RFC 2071, Network Renumbering Overview: Why would I
want it and what is it anyway? and RFC 2072, Router Renumbering Guide). With IPv6,
however, it is possible to renumber an entire network ad hoc by changing the prefix in a
few routers, as the host identifiers are decoupled from the subnet identifiers and the
network provider's routing prefix.
The size of each subnet in IPv6 is 264 addresses (64 bits), which is the square of the size
of the entire IPv4 Internet. The actual address space utilized by IPv6 applications will most
likely be small in IPv6, but both network management and routing will be more efficient.
IPv6 MTU
Maximum Transmission Unit (MTU) refers to the size (in bytes) of the largest packet or
frame that a given layer of a communications protocol can pass onwards. A higher MTU
brings higher bandwidth efficiency. IPv6 requires an MTU of at least 1280 bytes. With
encapsulations (for example, tunneling), an MTU of 1500 or more is recommended.
IP address notation
IPv6 addresses are normally written as eight groups of four hexadecimal digits each,
separated by a colon, for example:
2001:db8:3c4d:0d82:1725:6a2f:0370:6234
is a valid IPv6 address.
There are several ways to shorten the presentation of an IPv6 address. Most IPv6
addresses do not occupy all of the possible 128 bits. This results in fields that are
“padded” with zeros or contain only zeros. If a 4-digit group is 0000, it may be replaced
with two colons (::), for example:
2001:db8:3c4d:0000:1725:6a2f:0370:6234
is the same IPv6 address as:
2001:db8:3c4d::1725:6a2f:0370:6234
Leading zeroes in a group may be omitted, for example (in the address above):
2001:db8:3c4d::1725:6a2f:370:6234
The double colon (::) must only be used once in an IP address, as multiple occurrences
lead to ambiguity in the address translation.
The following examples of shortened IP address presentations all resolve to the same
address.
19a4:0478:0000:0000:0000:0000:1a57:ac9e
19a4:0478:0000:0000:0000::1a57:ac9e
19a4:478:0:0:0:0:1a57:ac9e
19a4:478:0:0::1a57:ac9e
19a4:478::0:0:1a57:ac9e
19a4:478::1a57:ac9e
All of these address presentations are valid and represent the same address.
For IPv4-compatible or IPv4-mapped IPv6 addresses (see “Address types” on page 462),
you can enter the IPv4 portion using either hexadecimal or dotted decimal, but the
FortiGate CLI always shows the IPv4 portion in dotted decimal format. For all other IPv6
addresses, the CLI accepts and displays only hexadecimal.
Netmasks
As with IP addresses, hexadecimal notation replaces the dotted decimal notation of IPv4.
IPv4 Classless Inter-Domain Routing (CIDR) notation can also be used. This notation
appends a slash (“/”) to the IP address, followed by the number of bits in the network
portion of the address.
Table 46: IPv6 address notation
IP Address 3ffe:ffff:1011:f101:0210:a4ff:fee3:9566
Netmask ffff:ffff:ffff:ffff:0000:0000:0000:0000
Network 3ffe:ffff:1011:f101:0000:0000:0000:0000
CIDR IP/Netmask 3ffe:ffff:1011:f101:0210:a4ff:fee3:9566/64
Address scopes
Address scopes define the region where an address may be defined as a unique identifier
of an interface. The regions are: local link (link-local), site network (site-local), and global
network. Each IPv6 address can only belong to one zone that corresponds to its scope.
Address types
IPv6 addresses are classified into three groups - Unicast, Multicast, and Anycast.
Unicast
Identifies an interface of an individual node. Packets sent to a unicast address are sent to
that specific interface. Unicast IPv6 addresses can have a scope reflected in more specific
address names - global unicast address, link-local address, and unique local unicast
address. For more information, see “Global (Unicast)” on page 464, “Link-local (Unicast)”
on page 464, and “Site-local (Unicast)” on page 464.
Multicast
Multicast addresses are assigned to a group of interfaces that typically belong to different
nodes. A packet that is sent to a multicast address is delivered to all interfaces identified
by the address.
IPv6 multicast addresses are distinguished from unicast addresses by the value of the
high-order octet of the addresses. A value of 0xFF (binary 11111111) identifies an address
as a multicast address. Any other value identifies an address as a unicast address.
The four least significant bits of the second address octet identify the address scope or the
span over which the multicast address is propagated.
Anycast
Anycast addresses are assigned to a group of interfaces usually belonging to different
nodes. A packet sent to an anycast address is delivered to just one of the member
interfaces, typically the ‘nearest’ according to the router protocols’ choice of distance.
They cannot be identified easily as their structure is the same as a normal unicast
address, differ only by being injected into the routing protocol at multiple points in the
network. When a unicast address is assigned to more than one interface (making it an
anycast address), the address assigned to the nodes must be configured in such as way
as to indicate that it is an anycast address.
Interfaces configured for IPv6 must have at least one link-local unicast address and
additional ones for site-local or global addressing. Link-local addresses are often used in
network address autoconfiguration where no external source of network addressing
information is available.
Special addresses
The following are special IPv6 addresses:
• Unspecified
• Loopback
For more information about IPv6 addresses, see RFC 4921, IP Version 6 Addressing
Architecture
Static routing
Static routing for IPv6 is essentially the same as with IPv4. From a configuration point of
view, the only difference is the type of addresses used. When both IPv4 and IPv6 static
routes are configured, they are displayed under two separate headings on the static
routing page - Route and IPv6 Route. Use the arrows next to each heading to expand or
minimize that list of routes.
Dynamic routing
As with static routing, the dynamic routing protocols all have IPv6 versions. Both IPv4 and
IPv6 dynamic routing can be running at the same time due to the dual stack architecture of
the FortiGate unit. IPv6 dynamic routing must be configured using CLI commands.
Table 48: Dynamic routing protocols, IPv6 versions, CLI command, and RFCs
interface This interface is the interface the tunnel piggy backs on. Generally
<interface_string> this should be the external interface of the FortiGate unit.
This setting is optional if you don’t have a fixed IP address from
your ISP.
ip6 <ipv6_addr> The IPv6 address of the tunnel.
source <ipv4_addr> This is the FortiGate unit end of the tunnel. It is just like any other
FortiGate unit interface address.
If this address is DHCP-based, it will change. In that case you
should ensure the netmask covers the possible range of
addresses. It is possible to use 0.0.0.0 to cover all possible
addresses if you have a DDNS or PPoE connection where the
address changes.
For more configuration of tunnels see “Configuring FortiOS to connect to an IPv6 tunnel
provider” on page 471.
Compared with IPv4 IPsec VPN functionality, there are some limitations:
• Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
This is because FortiOS 3.0 does not support IPv6 DNS.
• You cannot use RSA certificates in which the common name (cn) is a domain name
that resolves to an IPv6 address. This is because FortiOS 3.0 does not support IPv6
DNS.
• DHCP over IPsec is not supported, because FortiOS 3.0 does not support IPv6 DHCP.
• Selectors cannot be firewall address names. Only IP address, address range and
subnet are supported.
• Redundant IPv6 tunnels are not supported.
Certificates
On a VPN with IPv6 phase 1 configuration, you can authenticate using VPN certificates in
which the common name (cn) is an IPv6 address. The cn-type keyword of the user
peer command has an option, ipv6, to support this.
Phase 1 configuration
In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings.
Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote
gateway.
In the CLI, you define an IPsec phase 1 configuration as IPv6 by setting ip-version
to 6. Its default value is 4. Then, the local-gw and remote-gw keywords are hidden
and the corresponding local-gw6 and remote-gw6 keywords are available. The values
for local-gw6 and remote-gw6 must be IPv6 addresses.
For example:
config vpn ipsec phase1-interface
edit tunnel6
set ip-version 6
set remote-gw6 0:123:4567::1234
set interface port3
set proposal 3des-md5
end
Phase 2 configuration
To create an IPv6 IPsec phase 2 configuration in the web-based manager, you need to
define IPv6 selectors in the Advanced settings. Change the default 0.0.0.0/0 address
for Source address and Destination address to the IPv6 value ::/0. If needed, enter
specific IPv6 addresses, address ranges or subnet addresses in these fields.
In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to
specify IPv6 selectors. By default, zero selectors are entered, ::/0 for the subnet6
address type, for example. The simplest IPv6 phase 2 configuration looks like the
following:
config vpn ipsec phase2-interface
edit tunnel6_p2
set phase1name tunnel6
set proposal 3des-md5
set src-addr-type subnet6
set dst-addr-type subnet6
end
Firewall policies
To complete the VPN configuration, you need a firewall policy in each direction to permit
traffic between the protected network’s port and the IPsec interface. You need IPv6
policies unless the VPN is IPv4 over IPv6.
Routing
Appropriate routing is needed for both the IPsec packets and the encapsulated traffic
within them. You need a route, which could be the default route, to the remote VPN
gateway via the appropriate interface. You also need a route to the remote protected
network via the IPsec interface.
To create a static route in the web-based manager, go to Router > Static > Static Route.
Select the drop-down arrow for Create New and select IPv6 Route. Enter the information
and select OK. In the CLI, use the router static6 command. For example, where the
remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toB
set dst fec0:0000:0000:0004::/64
next
end
If the VPN is IPV4 over IPv6, the route to the remote protected network is an IPv4 route. If
the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.
v6
IP
IP b r
v6 ok
tu e r
IP 4
nn
v6 tu
el
IP
-o n n
v
ve el
r
IP Ne
v6 tw
In or
te k
rn
al
Steps to connect to an IPv6 tunnel broker
1 Create a SIT-Tunnel Interface
2 Create a static IPv6 Route into the Tunnel-Interface
3 Assign your IPv6 Network to your FortiGate
4 Create a Firewall-Policy to allow Traffic from LAN to the Tunnel-Interface
Now that the tunnel exists, some additional interface commands are required. Such as
enabling ping6 for troubleshooting and allow HTTPS and SSH administration connections
to the interface.
config system interface
edit HE_ip6_broker
config ipv6
set ip6-allowaccess ping https ssh
end
next
end
Create a firewall policy to allow traffic from port1 to the tunnel interface
With the tunnel configured, it will appear as an interface in the Network interface list. That
means the next step is to add a firewall policies to allow traffic to and from the tunnel.
config firewall policy6
edit 2
IPv6 troubleshooting
There are a number of troubleshooting methods that can be used with IPv6 issues.
ping6
The main method of troubleshooting IPv6 traffic is using the IPv6 version of ping.
You can use the IPv6 ping command to:
• send an ICMP echo request packet to the IPv6 address that you specify.
• specify a source interface other than the one from which the probe originates by using
the source interface keywords.
• specify a source IP address other than the one from which the probe originates by
using the source address keywords
You can specify the following options:
packetCount Number of packets to send to the destination IPv6 address. If you specify a zero,
echo requests packets are sent indefinitely.
data-pattern Sets the type of bits contained in the packet to all ones, all zeros, a random
mixture of ones and zeros, or a specific hexadecimal data pattern that can range
from 0x0 to 0xFFFFFFFF. The default is all zeros.
extended Set the interface type and specifier of a destination address on the system that is
header configured for external loopback; the command succeeds only if the specified
attributes interface is configured for external loopback.
sweep interval Specifies the change in the size of subsequent ping packets while sweeping
across a range of sizes. For example, you can configure the sweep interval to
sweep across the range of packets from 100 bytes to 1000 bytes in increments
specified by the sweep interval. By default, the system increments packets by
one byte; for example, it sends 100, 101, 102, 103, ... 1000. If the sweep interval
is 5, the system sends 100, 105, 110, 115, ... 1000.
sweep sizes Enables you to vary the sizes of the echo packets being sent. Used to determine
the minimum sizes of the MTUs configured on the nodes along the path to the
destination address. This reduces packet fragmentation, which contributes to
performance problems. The default is to not sweep (all packets are the same
size).
timeout Sets the number of seconds to wait for an ICMP echo reply packet before the
connection attempt times out.
hop limit Sets the time-to-live hop count in the range 1-255; the default is 255.
The following characters may appear in the display after the ping command is issued:
! - reply received
. - timed out while waiting for a reply
? - unknown packet type
A - admin unreachable
b - packet too big
H - host unreachable
N - network unreachable
P - port unreachable
p - parameter problem
S - source beyond scope
t - hop limit expired (TTL expired)
-a Audible ping.
-A Adaptive ping. Interpacket interval adapts to round-trip time, so effectively no
more than one (or more, if preload is set) unanswered probe is present in the
network. Minimal interval is 200msec for any user other than administrator. On
networks with low rtt this mode is essentially equivalent to flood mode.
-b Allow pinging of a broadcast address.
-B Do not allow ping to change source address of probes. The address is bound to
one selected when the ping starts.
-c count Stop after sending count ECHO_REQUEST packets. With deadline option, ping
waits for count ECHO_REPLY packets, until the timeout expires.
-d Set the SO_DEBUG option on the socket being used.
This socket option is not used by a Linux kernel.
-F flow label Allocate and set 20 bit flow label on echo request packets (only ping6). If value is
zero, kernel allocates random flow label.
-f Flood ping. For every ECHO_REQUEST sent a period ''.'' is displayed, while for
ever ECHO_REPLY received a backspace is displayed. This provides a rapid
display of how many packets are being dropped. If interval is not specified, it is
set to zero and packets are output as fast as they come back or one hundred
times per second, whichever is faster. Only the administrator may use this option
with zero interval.
-i interval Wait a specified interval of seconds between sending each packet. The default is
1 second between each packet, or no wait in flood mode. Only an administrator
can set the interval to a value of less than 0.2 seconds.
-I interface Set source address to specified interface address. Argument may be numeric IP
address address or name of device. This option is required when you ping an IPv6
link-local address.
-l preload If preload is specified, ping sends this number of packets that are not waiting for
a reply. Only the administrator may select a preload of more than 3.
-L Suppress loopback of multicast packets. This flag only applies if the ping
destination is a multicast address.
-n Numeric output only. No attempt will be made to look up symbolic names for host
addresses.
-p pattern You may specify up to 16 ''pad'' bytes to fill out the packet you send. This is
useful for diagnosing data-dependent problems in a network. For example, -p ff
will cause the sent packet to be filled with all ones.
-Q tos Set Quality of Service -related bits in ICMP datagrams. tos can be either decimal
or hex number. Traditionally (RFC1349), these have been interpreted as: 0 for
reserved (currently being redefined as congestion control), 1-4 for Type of
Service and 5-7 for Precedence. Possible settings for Type of Service are:
minimal cost: 0x02, reliability: 0x04, throughput: 0x08, low delay: 0x10. Multiple
TOS bits should not be set simultaneously. Possible settings for special
Precedence range from priority (0x20) to net control (0xe0). You must be root
(CAP_NET_ADMIN capability) to use Critical or higher precedence value. You
cannot set bit 0x01 (reserved) unless ECN has been enabled in the kernel. In
RFC 2474, these fields has been redefined as 8-bit Differentiated Services (DS),
consisting of: bits 0-1 of separate data (ECN will be used, here), and bits 2-7 of
Differentiated Services Codepoint (DSCP).
-q Quiet output. Nothing is displayed except the summary lines at startup time and
when finished
-R Record route. (IPv4 only) Includes the RECORD_ROUTE option in the
ECHO_REQUEST packet and displays the route buffer on returned packets.
Note that the IP header is only large enough for nine such routes. Many hosts
ignore or discard this option.
-r Bypass the normal routing tables and send directly to a host on an attached
interface. If the host is not on a directly-attached network, an error is returned.
This option can be used to ping a local host through an interface that has no
route through it provided the option -I is also used.
-s packetsize Specifies the number of data bytes to be sent. The default is 56, which translates
into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.
-S sndbuf Set socket sndbuf (send buffer). If not specified, it is selected to buffer not more
than one packet.
-t ttl Set the IP Time to Live.
-T timestamp Set special IP timestamp options. May be either tsonly (only timestamps),
option tsandaddr (timestamps and addresses) or tsprespec host1 [host2 [host3 [host4]]]
(timestamp prespecified hops).
-M hint Select Path MTU Discovery strategy. hint may be either do (prohibit
fragmentation, even local one), want (do PMTU discovery, fragment locally when
packet size is large), or don’t (do not set DF flag).
-U Print full user-to-user latency (the old behavior). Normally ping prints network
round trip time, which can be different f.e. due to DNS failures.
-v Verbose output.
-V Show version and exit.
-w deadline Specify a timeout, in seconds, before ping exits regardless of how many packets
have been sent or received. In this case ping does not stop after count packet
are sent, it waits either for deadline expire or until count probes are answered or
for some error notification from network.
-W timeout Time to wait for a response, in seconds. The option affects only timeout in
absence of any responses, otherwise ping waits for two RTTs.
Examples
Ping a global V6 address with a 1400 byte packet from FortiGate CLI:
execute ping6 –s 1400 2001:480:332::10
Ping a multicast group using a ping6 command on FortiGate CLI ( -I and port name must
be specified for CLI ping6 command to ping v6 multicast group):
execute ping6 –I port1 ff02::1
Ping a localnet v6 address from FortiGate CLI:
execute ping6 FE80:0:0:0:213:e8ff:fe9e:ccf7
This address would normally be written as FE80::213:e8ff:fe9e:ccf7.
diagnose ipv6 neighbor-cache Add, delete, flush, or list the IPv6 ARP table or table entry.
diagnose sys session6 Clear, filter, full-stat, list, stat IPv6 sessions.
tree diagnose ipv6 View all the diagnose IPv6 commands.
Note: This guide uses the term “packet” to refer to both layer-2 frames and layer-3 packets.
VLAN ID rules
Layer-2 switches and layer-3 devices add VLAN ID tags to the traffic as it arrives and
remove them before they deliver the traffic to its final destination. Devices such as PCs
and servers on the network do not require any special configuration for VLANs. Twelve
bits of the 4-byte VLAN tag are reserved for the VLAN ID number. Valid VLAN ID numbers
are from 1 to 4094, while 0 is used for high priority frames, and 4095 is reserved.
On a layer-2 switch, you can have only one VLAN subinterface per physical interface,
unless that interface is configured as a trunk link. Trunk links can transport traffic for
multiple VLANs to other parts of the network.
On a FortiGate unit, you can add multiple VLANs to the same physical interface. However,
VLAN subinterfaces added to the same physical interface cannot have the same VLAN ID
or have IP addresses on the same subnet. You can add VLAN subinterfaces with the
same VLAN ID to different physical interfaces.
Creating VLAN subinterfaces with the same VLAN ID does not create any internal
connection between them. For example a VLAN ID of 300 on port1 and VLAN ID of 300 on
port2 are allowed, but they are not connected. Their relationship is the same as between
any two FortiGate network interfaces.
Table 50: How ports and VLANs are used on Switch A and B
In this example, switch A is connected to the Branch Office and switch B to the Main
Office.
1 A computer on port 1 of switch A sends a data frame over the network.
0
N 10
LA e 00
V
O ffic N2
ch A
n VL
Bra
7
5-
0
P
10
ts
or
or
ts
P N
LA
1-
me
4
V
Fra
P
S
or .1Q
w
t8
80
itc
5
h
A
4,
ts
P
tr
or
or
un
P
t8
k
lin
k
0
20
S
N
w
LA
itc
h
V
B
fice
Of
in
Ma
2 Switch A tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is
part of VLAN 100.
3 Switch A forwards the tagged data frame to the other VLAN 100 ports—ports 2 through
4. Switch A also forwards the data frame to the 802.1Q trunk link (port 8) so other parts
of the network that may contain VLAN 100 groups will receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are not part
of VLAN 100. This increases security and decreases network traffic.
0
N 10 20
0
LA LA
N
V fice V
h Of
c
B ran
7
5-
0
P
10
ts
or
or
ts
N
P
LA
1-
me
4
V
Fra
P 2.1
S
or Q
w
t8
80
itc
5
h
A
4,
ts
P ink
tr
or
or
un
P
t8
k
l
00
N2
S
w
A
itc
VL
h
B
fice
Of
M ain
4 Switch B receives the data frame over the trunk link (port 8).
5 Because there are VLAN 100 ports on switch B (ports 4 and 5), the data frame is
forwarded to those ports. As with switch A, the data frame is not delivered to VLAN
200.
If there were no VLAN 100 ports on switch B, the switch would not forward the data frame
and it would stop there.
00 00
A N1 2
VL AN
fice VL
h Of
anc
Br
7
5-
0
P
10
ts
or
or
ts
N
P
A
1-
me VL
4
Fra
P
S
or .1Q
w
t8
80
itc
5
h
A
4,
ts
P
tr
or
or
un
P
t8
k
lin
k
0
20
S
N
w
LA
itc
h
V
B
e
fic
Of
in
Ma
6 The switch removes the VLAN 100 ID tag before it forwards the data frame to an end
destination.
The sending and receiving computers are not aware of any VLAN tagging on the data
frames that are being transmitted. When any computer receives that data frame, it
appears as a normal data frame.
This example explains how traffic can change VLANs—originating on VLAN 100 and
arriving at a destination on VLAN 300. Layer-2 switches alone cannot accomplish this, but
a layer-3 router can.
1 The VLAN 100 computer at the Branch Office sends the data frame to switch A, where
the VLAN 100 tag is added.
00 00
A N1 N2
VL fice VL
A
h Of
nc
Bra
7
5-
P
ts
or
or
ts
P
1-
me
4
Fra
P
S
or .1Q
w
t8
80
itc
2
h
A
tr
un
k
lin
P
k
or
t3
rt 1
Po 300
t1
or
N fice
P
A
VL Of
in
Ma
P
S
or
w
t5
itc
h
B
0
N 30
V LA
2 Switch A forwards the tagged data frame to the FortiGate unit over the 802.1Q trunk
link, and to the VLAN 100 interfaces on Switch A.
Up to this point everything is the same as in the layer-2 example.
0
10 00
LA
N
e A N2
V ffic VL
hO
nc
Bra
7
5-
P
ts
or
or
ts
P
1-
4
P 2.1
S
or Q
w
t8
80
me
itc
h
Fra
tr
un
k
li n
P
k
or
t3
rt 1
Po 3 0 0
t1
or
AN fice
P
VL Of
Main
P
S
or
w
t5
itc
h
B
0
30
AN
VL
3 The FortiGate unit removes the VLAN 100 tag, and inspects the content of the data
frame. The FortiGate unit uses the content to select the correct firewall policy and
routing options.
4 The FortiGate unit’s firewall policy allows the data frame to go to VLAN 300 in this
example. The data frame will be sent to all VLAN 300 interfaces, but in the example
there is only one—port 1 on the FortiGate unit. Before the data frame leaves, the
FortiGate unit adds the VLAN ID 300 tag to the data frame.
This is the step that layer 2 cannot do. Only layer 3 can retag a data frame as a
different VLAN.
00 00
A N1 N2
VL ffic
e
VL
A
O
n ch
Bra
7
5-
P
ts
or
or
ts
P
1-
4
P 2.1
S
or Q
w
t8
80
itc
h
A
tr
un
k
lin
P
k
or
Fra
t3
me
rt 1
Po 3 0 0
t1
or
AN fice
P
VL Of
Main
P
S
or
w
t5
itc
h
B
0
30
AN
VL
5 Switch B receives the data frame, and removes the VLAN ID 300 tag, because this is
the last hop, and forwards the data frame to the computer on port 5.
0
10 00
AN N2
VL fice VL
A
h Of
nc
Bra
7
5-
P
ts
or
or
ts
P
1-
4
P 2.1
S
or Q
w
t8
80
me
itc
h
Fra
tr
un
k
li n
P
k
or
t3
rt 1
Po 300
t1
or
N e
fic
P
V LA Of
in
Ma
P
S
or
w
t5
itc
h
B me
Fra
00
A N3
VL
In this example, a data frame arrived at the FortiGate unit tagged as VLAN 100. After
checking its content, the FortiGate unit retagged the data frame for VLAN 300. It is this
change from VLAN 100 to VLAN 300 that requires a layer-3 routing device, in this case
the FortiGate unit. Layer-2 switches cannot perform this change.
Physical interface
The term VLAN subinterface correctly implies the VLAN interface is not a complete
interface by itself. You add a VLAN subinterface to the physical interface that receives
VLAN-tagged packets. The physical interface can belong to a different VDOM than the
VLAN, but it must be connected to a network router that is configured for this VLAN.
Without that router, the VLAN will not be connected to the network, and VLAN traffic will
not be able to access this interface. The traffic on the VLAN is separate from any other
traffic on the physical interface.
When you are working with interfaces on your FortiGate unit, use the Column Settings on
the Interface display to make sure the information you need is displayed. When working
with VLANs, it is useful to position the VLAN ID column close to the IP address. If you are
working with VDOMs, including the Virtual Domain column as well will help you
troubleshoot problems more quickly.
To view the Interface display, go to System > Network > Interface.
Note: If you are unable to change your existing configurations to prevent IP overlap, enter
the CLI command config system global and set ip-overlap enable to allow IP
address overlap. If you enter this command, multiple VLAN interfaces can have an IP
address that is part of a subnet used by another interface. This command is recommended
for advanced users only.
VLAN ID
The VLAN ID is part of the VLAN tag added to the packets by VLAN switches and routers.
The VLAN ID is a number between 1 and 4094 that allow groups of IP addresses with the
same VLAN ID to be associated together. VLAN ID 0 is used only for high priority frames,
and 4095 is reserved.
All devices along a route must support the VLAN ID of the traffic along that route.
Otherwise, the traffic will be discarded before reaching its destination. For example, if your
computer is part of VLAN_100 and a co-worker on a different floor of your building is also
on the same VLAN_100, you can communicate with each other over VLAN_100, only if all
the switches and routers support VLANs and are configured to pass along VLAN_100
traffic properly. Otherwise, any traffic you send your co-worker will be blocked or not
delivered.
VDOM
If VDOMs are enabled, each VLAN subinterface must belong to a VDOM. This rule also
applies for physical interfaces.
VLAN subinterfaces on separate VDOMs cannot communicate directly with each other. In
this situation, the VLAN traffic must exit the FortiGate unit and re-enter the unit again,
passing through firewalls in both directions. This situation is the same for physical
interfaces.
A VLAN subinterface can belong to a different VDOM than the physical interface it is part
of. This is because the traffic on the VLAN is handled separately from the other traffic on
that interface. This is one of the main strengths of VLANs.
The following procedure will add a VLAN subinterface called VLAN_100 to the FortiGate
internal interface with a VLAN ID of 100. It will have an IP address and netmask of
172.100.1.1/255.255.255.0, and allow HTTPS, PING, and TELNET administrative
access. Note that in the CLI, you must enter “set type vlan” before setting the vlanid,
and that the allowaccess protocols are lower case.
5 Select OK.
To view the new VLAN subinterface, select the expand arrow next to the parent physical
interface (the internal interface). This will expand the display to show all VLAN
subinterfaces on this physical interface. If there is no expand arrow displayed, there are no
subinterfaces configured on that physical interface.
For each VLAN, the list displays the name of the VLAN, and, depending on column
settings, its IP address, the Administrative access you selected for it, the VLAN ID
number, and which VDOM it belongs to if VDOMs are enabled.
Configuring routing
As a minimum, you need to configure a default static route to a gateway with access to an
external network for outbound packets. In more complex cases, you will have to configure
different static or dynamic routes based on packet source and destination addresses.
As with firewalls, you need to configure routes for VLAN traffic. VLANs need routing and a
gateway configured to send and receive packets outside their local subnet just as physical
interfaces do. The type of routing you configure, static or dynamic, will depend on the
routing used by the subnet and interfaces you are connecting to. Dynamic routing can be
routing information protocol (RIP), border gateway protocol (BGP), open shortest path first
(OSPF), or multicast.
If you enable SSH, PING, TELNET, HTTPS and HTTP on the VLAN, you can use those
protocols to troubleshoot your routing and test that it is properly configured. Enabling
logging on the interfaces and using CLI diagnose commands such as diagnose sniff
packet <interface_name> can also help locate any possible configuration or
hardware issues.
Un
t
pa agge
ck d
ets
Ex
17 tern
2.1 al
6.2 0
1.2 20
A N
VL
802
19 Inte
2.1 rna
.1Q
68 l trun
.11
0.1
k
26 Fa
rk
/9
o
0/2 0
.0 w
Fa
.2 et
4
.1 N
10 00
2
N
LA
V
h
itc
00 0/3
w
N1
S
Fa
N
A
VL
LA
V
o rk
.0 w
.1 et
.1 N
10 00
1
N
LA
V
When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN
ID tags and forwards the packets of each VLAN both to local ports and to the FortiGate
unit across the trunk link. The FortiGate unit has policies that allow traffic to flow between
the VLANs, and from the VLANs to the external network.
This section describes how to configure a FortiGate-800 unit and a Cisco Catalyst 2950
switch for this example network topology. The Cisco configuration commands used in this
section are IOS commands.
It is assumed that both the FortiGate-800 and the Cisco 2950 switch are installed and
connected and that basic configuration has been completed. On the switch, you will need
to be able to access the CLI to enter commands. Refer to the manual for your FortiGate
model as well as the manual for the switch you select for more information.
It is also assumed that no VDOMs are enabled.
The rest of this example shows how to configure the VLAN behavior on the FortiGate unit,
configure the switches to direct VLAN traffic the same as the FortiGate unit, and test that
the configuration is correct.
Adding VLAN subinterfaces can be completed through the web-based manager, or the
CLI.
Name VLAN_100
Interface internal
VLAN ID 100
Addressing mode Manual
IP/Netmask 10.1.1.1/255.255.255.0
Administrative HTTPS, PING, TELNET
Access
Name VLAN_200
Interface internal
VLAN ID 200
Addressing mode Manual
IP/Netmask 10.1.2.1/255.255.255.0
Administrative HTTPS, PING, TELNET
Access
Note: You can customize the Firewall Policy display by including some or all columns, and
customize the column order onscreen. Due to this feature, firewall policy screenshots may
not appear the same as on your screen.
If you do not want to allow all services on a VLAN, you can create a firewall policy for each
service you want to allow. This example allows all services.
One method to configure a Cisco switch is to connect over a serial connection to the
console port on the switch, and enter the commands at the CLI. Another method is to
designate one interface on the switch as the management interface and use a web
browser to connect to the switch’s graphical interface. For details on connecting and
configuring your Cisco switch, refer to the installation and configuration manuals for the
switch.
The switch used in this example is a Cisco Catalyst 2950 switch. The commands used are
IOS commands. Refer to the switch manual for help with these commands.
Note: To complete the setup, configure devices on VLAN_100 and VLAN_200 with default
gateways. The default gateway for VLAN_100 is the FortiGate VLAN_100 subinterface.
The default gateway for VLAN_200 is the FortiGate VLAN_200 subinterface.
C:\>tracert 172.16.21.2
Tracing route to 172.16.21.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.2.1
2 <10 ms <10 ms <10 ms 172.16.21.2
Trace complete.
For this example, we are creating a VLAN called internal_v225 on the internal interface,
with a VLAN ID of 225. Administrative access is enabled for HTTPS and SSH. VDOMs are
not enabled.
Name internal_v225
Type VLAN
Interface internal
VLAN ID 225
Ping Server not enabled
Administrative Enable HTTPS, and SSH. These are very secure
Access access methods.
Description VLAN 225 on internal interface
The FortiGate unit adds the new subinterface to the interface that you selected.
Repeat steps 2 and 3 to add additional VLANs. You will need to change the VLAN ID,
Name, and possibly Interface when adding additional VLANs.
7 Select the Source and Destination Address names that you added in step 2.
8 Select Protection Profile, and select the profile from the list.
9 Configure other settings as required.
10 Select OK.
10
.1
10 00.0
.20 .1
0.0
.1
V
LA
Ex
N
ter 0
ro
na 20
ut
l
er
AN
VL
802
.1
VLA Q trun
Int
e rn
al N1 k
,2
Fa
k
/9
r
.0 o
0/2 0
.0 t w
Fa
00 Ne
4
.2 0
10 20
N
LA
V
h
itc
0
10 0/3
w
S
AN Fa
N
VL
LA
V
r k
.0 o
.0 tw
00 Ne
.1 0
10 10
N
LA
V
Name VLAN_100_int
Interface internal
VLAN ID 100
Name VLAN_100_ext
Interface external
VLAN ID 100
Name VLAN_200_int
Interface internal
VLAN ID 200
Name VLAN_200_ext
Interface external
VLAN ID 200
end
Asymmetric routing
You might discover unexpectedly that hosts on some networks are unable to reach certain
other networks. This occurs when request and response packets follow different paths. If
the FortiGate unit recognizes the response packets, but not the requests, it blocks the
packets as invalid. Also, if the FortiGate unit recognizes the same packets repeated on
multiple interfaces, it blocks the session as a potential attack.
This is asymmetric routing. By default, the FortiGate unit blocks packets or drops the
session when this happens. You can configure the FortiGate unit to permit asymmetric
routing by using the following CLI command:
config vdom
edit <vdom_name>
config system settings
set asymroute enable
end
end
If VDOMs are enabled, this command is per VDOM. You must set it for each VDOM that
has the problem. If this solves your blocked traffic issue, you know that asymmetric routing
is the cause. But allowing asymmetric routing is not the best solution, because it reduces
the security of your network.
For a long-term solution, it is better to change your routing configuration or change how
your FortiGate unit connects to your network. The Asymmetric Routing and Other
FortiGate Layer-2 Installation Issues technical note provides detailed examples of
asymmetric routing situations and possible solutions.
Caution: If you enable asymmetric routing, antivirus and intrusion prevention systems will
not be effective. Your FortiGate unit will be unaware of connections and treat each packet
individually. It will become a stateless firewall.
ARP traffic
Address Resolution Protocol (ARP) packets are vital to communication on a network, and
ARP support is enabled on FortiGate unit interfaces by default. Normally you want ARP
packets to pass through the FortiGate unit, especially if it is sitting between a client and a
server or between a client and a router.
ARP traffic can cause problems, especially in transparent mode where ARP packets
arriving on one interface are sent to all other interfaces including VLAN subinterfaces.
Some layer-2 switches become unstable when they detect the same MAC address
originating on more than one switch interface or from more than one VLAN. This instability
can occur if the layer-2 switch does not maintain separate MAC address tables for each
VLAN. Unstable switches may reset and cause network traffic to slow down considerably.
However, you should not use the multiple VDOMs solution under any of the following
conditions:
• you have more VLANs than licensed VDOMs
• you do not have enough physical interfaces
Instead, use one of two possible solutions, depending on which operation mode you are
using:
• In NAT/Route mode, you can use the vlan forward CLI command.
• In transparent mode, you can use the forward-domain CLI command. But you still
need to be careful in some rare configurations.
Vlanforward solution
If you are using NAT/Route mode, the solution is to use the vlanforward CLI command
for the interface in question. By default, this command is enabled and will forward VLAN
traffic to all VLANs on this interface. When disabled, each VLAN on this physical interface
can send traffic only to the same VLAN—there is no ”cross-talk” between VLANs, and
ARP packets are forced to take one path along the network which prevents the multiple
paths problem.
In the following example, vlanforward is disabled on port1. All VLANs configured on
port1 will be separate and will not forward any traffic to each other.
config system interface
edit port1
set vlanforward disable
end
Forward-domain solution
If you are using transparent mode, the solution is to use the forward-domain CLI
command. This command tags VLAN traffic as belonging to a particular collision group,
and only VLANs tagged as part of that collision group receive that traffic—it is like an
additional set of VLANs. By default, all interfaces and VLANs are part of forward-domain
collision group 0. The many benefits of this solution include reduced administration, the
need for fewer physical interfaces, and the availability of more flexible network solutions.
In the following example, forward-domain collision group 340 includes VLAN 340 traffic on
port1 and untagged traffic on port 2. Forward-domain collision group 341 includes VLAN
341 traffic on port 1 and untagged traffic on port 3. All other interfaces are part of
forward-domain collision group 0 by default. This configuration separates VLANs 340 and
341 from each other on port 1, and prevents the ARP packet problems from before.
Use these CLI commands:
config system interface
edit port1
next
edit port2
set forward_domain 340
next
edit port3
set forward_domain 341
next
edit port1-340
set forward_domain 340
set interface port1
set vlanid 340
next
edit port1-341
set forward_domain 341
set interface port1
set vlanid 341
end
You may experience connection issues with layer-2 traffic, such as ping, if your network
configuration has:
• packets going through the FortiGate unit in transparent mode more than once
• more than one forwarding domain (such as incoming on one forwarding domain and
outgoing on another)
• IPS and AV enabled.
Now IPS and AV is applied the first time packets go through the FortiGate unit, but not on
subsequent passes. Only applying IPS and AV to this first pass fixes the network layer-2
related connection issues.
NetBIOS
Computers running Microsoft Windows operating systems that are connected through a
network rely on a WINS server to resolve host names to IP addresses. The hosts
communicate with the WINS server by using the NetBIOS protocol.
To support this type of network, you need to enable the forwarding of NetBIOS requests to
a WINS server. The following example will forward NetBIOS requests on the internal
interface for the WINS server located at an IP address of 192.168.111.222.
config system interface
edit internal
set netbios_forward enable
set wins-ip 192.168.111.222
end
These commands apply only in NAT/Route mode. If VDOMs are enabled, these
commands are per VDOM—you must set them for each VDOM that has the problem.
STP forwarding
The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP is an
IEEE 802.1 protocol that ensures there are no layer-2 loops on the network. Loops are
created when there is more than one route for traffic to take and that traffic is broadcast
back to the original switch. This loop floods the network with traffic, reducing available
bandwidth to nothing.
If you use your FortiGate unit in a network topology that relies on STP for network loop
protection, you need to make changes to your FortiGate configuration. Otherwise, STP
recognizes your FortiGate unit as a blocked link and forwards the data to another path. By
default, your FortiGate unit blocks STP as well as other non-IP protocol traffic.
Using the CLI, you can enable forwarding of STP and other layer-2 protocols through the
interface. In this example, layer-2 forwarding is enabled on the external interface:
config system interface
edit external
set l2forward enable
set stpforward enable
end
By substituting different commands for stpforward enable, you can also allow layer-2
protocols such as IPX, PPTP or L2TP to be used on the network. For more information,
see “Layer-2 and Arp traffic” on page 1259.
Note: Your FortiGate unit has limited resources, such as CPU load and memory, that are
divided between all configured VDOMs. When running 250 or more VDOMs, you cannot
run Unified Threat Management (UTM) features such as proxies, web filtering, or
antivirus—your FortiGate unit can only provide basic firewall functionality.
Caution: PPTP control channel messages are not authenticated, and their integrity is not
protected. Furthermore, encapsulated PPP packets are not cryptographically protected and
may be read or modified unless appropriate encryption software such as Secure Shell
(SSH) or Secure File Transfer Protocol (SFTP) is used to transfer data after the tunnel has
been established.
As an alternative, you can use encryption software such as Microsoft
Point-to-Point Encryption (MPPE) to secure the channel. MPPE is built into
Microsoft Windows clients and can be installed on Linux clients. FortiGate units
support MPPE.
1
3
2
de
P atio
st
P n
in
T 1
P 7
pa 2
ck .16
et .3
s 0.
1
1
3
2
.1
.30
de
P atio
.16
st
P n
in
T 1
2
P 7
17
pa 2
on
ck .16
ati
et .3
s 0.
tin
d es .2
ffic .20
1
Tra .168
2 1
19 3
2
In Figure 48, traffic from the remote client is addressed to a computer on the network
behind the FortiGate unit. When the PPTP tunnel is established, packets from the remote
client are encapsulated and addressed to the FortiGate unit. The FortiGate unit forwards
disassembled packets to the computer on the internal network.
When the remote PPTP client connects, the FortiGate unit assigns an IP address from a
reserved range of IP addresses to the client PPTP interface. The PPTP client uses the
assigned IP address as its source address for the duration of the connection.
When the FortiGate unit receives a PPTP packet, the unit disassembles the PPTP packet
and forwards the packet to the correct computer on the internal network. The firewall
policy and protection profiles on the FortiGate unit ensure that inbound traffic is screened
and processed securely.
ork
tw
l Ne
er na
Int
t_1
li en
_C
TP
PP
3
e nt_
Cli
T P_
PP
2
e nt_
_ Cli
TP
PP
If the FortiGate unit will act as a PPTP server, there are a number of steps to complete:
• Configure user authentication for PPTP clients.
• Enable PPTP.
• Specify the range of addresses that are assigned to PPTP clients when connecting
• Configure the firewall policy.
PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address
range is the range of addresses reserved for remote PPTP clients. When the remote
PPTP client establishes a connection, the FortiGate unit assigns an IP address from the
reserved range of IP addresses to the client PPTP interface or retrieves the assigned IP
address from the PPTP user group. If you use the PPTP user group, you must also define
the FortiGate end of the tunnel by entering the IP address of the unit in Local IP
(web-based manager) or local-ip (CLI). The PPTP client uses the assigned IP address
as its source address for the duration of the connection.
PPTP configuration is only available through the CLI. In the example below, PPTP is
enabled with the use of an IP range of 182.168.1.1 to 192.168.1.10 for addressing.
Note: The start and end IPs in the PPTP address range must be in the same 24-bit subnet,
e.g. 192.168.1.1 - 192.168.1.254.
Note: Do not select identity-based policy, as this will cause the PPTP access to fail.
Authentication is configured in the PPTP configuration setup.
Note: The address range is the external (public) ip address range which requires access to
the internal PPTP server through the FortiGate virtual port-forwarding firewall.
IP addresses used in this document are fictional and follow the technical documentation
guidelines specific to Fortinet. Real external IP addresses are not used.
Schedule always
Service PPTP
Action ACCEPT
According to RFC 2661, an Access Concentrator (LAC) can establish an L2TP tunnel with
an L2TP Network Server (LNS). In a typical scenario, the LAC is managed by an ISP and
located on the ISP premises; the LNS is the gateway to a private network. When a remote
dialup client connects to the Internet through the ISP, the ISP uses a local database to
establish the identity of the caller and determine whether the caller needs access to an
LNS through an L2TP tunnel. If the services registered to the caller indicate that an L2TP
connection to the LNS is required, the ISP LAC attempts to establish an L2TP tunnel with
the LNS.
A FortiGate unit can be configured to act as an LNS. The FortiGate implementation of
L2TP enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit
directly, bypassing any LAC managed by an ISP. The ISP must configure its network
access server to forward L2TP traffic from the remote client to the FortiGate unit directly
whenever the remote client requires an L2TP connection to the FortiGate unit.
When the FortiGate unit acts as an LNS, an L2TP session and tunnel is created as soon
as the remote client connects to the FortiGate unit. The FortiGate unit assigns an IP
address to the client from a reserved range of IP addresses. The remote client uses the
assigned IP address as its source address for the duration of the connection.
More than one L2TP session can be supported on the same tunnel. FortiGate units can be
configured to authenticate remote clients using a plain text user name and password, or
authentication can be forwarded to an external RADIUS or LDAP server. L2TP clients are
authenticated as members of a user group.
Caution: FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE)
encryption only. Later implementations of Microsoft L2TP for Windows use IPSec and
require certificates for authentication and encryption. If you want to use Microsoft L2TP with
IPSec to connect to a FortiGate unit, the IPSec and certificate elements must be disabled
on the remote client.
Traffic from the remote client must be encrypted using MPPE before it is encapsulated and
routed to the FortiGate unit. Packets originating at the remote client are addressed to a
computer on the private network behind the FortiGate unit. Encapsulated packets are
addressed to the public interface of the FortiGate unit. See Figure 50.
When the FortiGate unit receives an L2TP packet, the unit disassembles the packet and
forwards the packet to the correct computer on the internal network. The firewall policy
and protection profiles on the FortiGate unit ensure that inbound traffic is screened and
processed securely.
on
ati
tin
d es 0.2
2
ffic 68.
Tra 92.1 1
1 3
2
1
3
2
de
L2 tio
st
in
T n
a
P 1
pa 72
ck .16
et .3
s 0
.1
1
3
2
0.1
de
6.3
L2 t i o
st
.1
in
T n
72
P 1
1
pa 7 2
on
ck .16
ti
et .3
na
s 0
sti
de 0.2
.1
i c
ff .2
Tra .168
2 1
19 3
2
Note: Fortinet units cannot deliver non-IP traffic such as Frame Relay or ATM frames
encapsulated in L2TP packets — FortiGate units support the IPv4 and IPv6 addressing
you cannot
schemes only.
Network topology
The remote client connects to an ISP that determines whether the client requires an L2TP
connection to the FortiGate unit. If an L2TP connection is required, the connection request
is forwarded to the FortiGate unit directly.
ork
tw
l Ne
e rna
Int
1
e nt_
Cli
o te_
R em
3
e nt_
_ Cli
m ote
Re
2
e nt_
_ Cli
m ote
Re
To define the traffic and services permitted inside the L2TP tunnel
1 Go to Firewall > Policy and select Create New.
2 Enter these settings in particular:
3 You may enable NAT, a protection profile, and/or event logging, or select Enable
Identity Based Policy to add authentication or shape traffic. For more information on
identity based policies, see the FortiGate Fundamentals chapter of the handbook.
4 Select OK.
1 If encryption is required but MPPE support is not already present in the kernel,
download and install an MPPE kernel module and reboot your computer.
2 Download and install the L2TP client package.
3 Configure an L2TP connection to run the L2TP program.
4 Configure routes to determine whether all or some of your network traffic will be sent
through the tunnel. You must define a route to the remote network over the L2TP link
and a host route to the FortiGate unit.
5 Run l2tpd to start the tunnel.
Follow the software supplier’s documentation to complete the steps.
To configure the system, you need to know the public IP address of the FortiGate unit, and
the user name and password that has been set up on the FortiGate unit to authenticate
L2TP clients. Contact the FortiGate administrator if required to obtain this information.
To change the port that the pmap session helper listens on to TCP port 112
1 Confirm that the TCP pmap session helper entry is 11 in the session-helper list:
show system session-helper 11
config system session-helper
edit 11
set name pmap
set port 111
set protocol 6
next
end
2 Enter the following command to change the TCP port to 112.
config system session-helper
edit 11
set port 112
end
3 The pmap session helper also listens on UDP port 111. Confirm that the UDP pmap
session helper entry is 12 in the session-helper list:
show system session-helper 12
config system session-helper
edit 12
set name pmap
set port 111
set protocol 17
next
end
4 Enter the following command to change the UDP port to 112.
config system session-helper
edit 12
set port 112
end
end
Use the following command to set the h323 session helper to listen for ports on the UDP
protocol.
If a session helper listens on more than one port or protocol, then multiple entries for the
session helper must be added to the session helper list, one for each port and protocol
combination. For example, the rtsp session helper listens on TCP ports 554, 7070, and
8554 so there are three rtsp entries in the session-helper list. If your FortiGate unit
receives rtsp packets on a different TCP port (for example, 6677) you can use the
following command to configure the rtsp session helper to listen on TCP port 6677.
To disable the mgcp session helper from listening on UDP port 2427
1 Enter the following command to find the mgcp session helper entry that listens on UDP
port 2427:
show system session-helper
.
.
.
edit 19
set name mgcp
set port 2427
set protocol 17
next
.
.
.
2 Enter the following command to delete session-helper list entry number 19 to disable
the mgcp session helper from listening on UDP port 2427:
config system session-helper
delete 19
By default the mgcp session helper listens on UDP ports 2427 and 2727. The previous
procedure shows how to disable the mgcp protocol from listening on port 2427. The
following procedure completely disables the mgcp session helper by also disabling it from
listening on UDP port 2727.
The alternate gatekeeper provides redundancy and scalability for the H.323 end points. If
the primary gatekeeper fails the H.323 end points that have registered with that
gatekeeper are automatically registered with the alternate gatekeeper. To use the H.323
alternate gatekeeper, you need to configure firewall policies that allow H.323 end points to
reach the alternate gatekeeper.
In a typical RTSP session the client starts the session (for example, when the user selects
the Play button on a media player application) and establishes a TCP connection to the
RTSP server on port 554. The client then sends an OPTIONS message to find out what
audio and video features the server supports. The server responds to the OPTIONS
message by specifying the name and version of the server, and a session identifier, for
example, 24256-1.
The client then sends the DESCRIBE message with the URL of the actual media file the
client wants to play. The server responds to the DESCRIBE message with a description of
the media in the form of SDP code. The client then sends the SETUP message, which
specifies the transport mechanisms acceptable to the client for streamed media, for
example RTP/RTCP or RDT, and the ports on which it receives the media.
In a NAT configuration the rtsp session helper keeps track of these ports and addresses
translates them as necessary. The server responds to the SETUP message and selects
one of the transport protocols. When both client and server agree on a mechanism for
media transport the client sends the PLAY message, and the server begins streaming the
media.
Session tables
Firewall session tables include entries to record source and destination IP addresses and
port numbers. For each packet received by a FortiGate unit, it references the session table
for a match. Packets of an established session are checked against the session table
continually throughout the communication. The performance of depends on the
performance of processing session table.
Firewall sessions clear from the table based on the timeout, that is, Time-to-live (TTL)
setting. Equally, a completely inactive session with no FIN or RESET will be flushed by the
by the session TTL timer. Sessions are not closed based on FIN or a RESET. A FIN that is
acknowledged with a FIN ACK would slush the session.
While this view shows a graph of the connecting users and IP addresses, selecting Details
at the bottom of the widget will display the complete session information.
You can clear a session from the table by scrolling to the right and selecting the delete
icon for a given session.
State Meaning
log Session is being logged
local Session is originating from, or destined for, a local stack.
ext Session is created by a firewall session helper.
may_dirty Session is created by a policy. For example, the session for FTP channel
control will have this state but the FTP data channel will not.
ndr Session will be checked by an IPS signature.
nds Session will be checked by an IPS anomaly.
br Session is being bridged, that is, in transparent mode.
npu Session will possibly be offloaded to NPU.
wccp Session is handled by WCCP.
The example describes adding an IP pool with a single IP address of 10.1.1.201. So all
packets sent by a PC on the internal network that are accepted by the Internal to WAN1
policy leave the WAN1 interface with their source address translated to 10.1.1.201. These
packets can now travel across the Internet to their destination. Reply packets return to the
WAN1 interface because they have a destination address of 10.1.1.201. The Internal to
WAN1 NAT policy translates the destination address of these return packets to the IP
address of the originating PC and sends them out the internal interface to the
originating PC.
Use the following steps to configure NAT in Transparent mode
• Add two management IPs
• Add an IP pool to the WAN1 interface
• Add an Internal to WAN1 firewall policy
Note: You can add the firewall policy from the web-based manager and then use the CLI to
enable NAT and add the IP Pool.
10 Tra
.1.
R
1.0 n
ou
sp
te
/24 are
r
10 nt m
.1. od
WA 1.9 e M
9,
N1 19 anag
2.1 em
68 en
.1. t I
99 Ps
Int :
ern
Z a l
DM
D 0.
M 1.
Z 1.
1
ne 0/
In 92
tw 24
te .1
or
rn 6 8
k
al .1
ne .0
tw /24
or
k
.2
0 .10 0.42
. 1 1
10 0.
e IP 10.1
ur c IP 1
So ation 3
2
n
sti
De NA
T wit
ha
vir
tua
l IP 1
3
S 10
2
.55
10
er .1
Int
ve 0 .
.37 37.4
.
e
10 rnal
r 42
8
IP
.10 IP .16 8.
.10 92 .16
.2 I P 1 192
e IP
urc n
V
19 irtua So inatio
2.1 l IP st
68 De
.37
.4
19
C 168
lie .
2.
nt 37
IP .55
To add a static NAT virtual IP for a single IP address and port - web-based manager
1 Go to Firewall > Virtual IP > Virtual IP.
2 Select Create New.
3 Complete the following and select OK.
.
Name static_NAT
External Interface wan1
Type Static NAT
External IP Address/Range 192.168.37.4.
Mapped IP Address/Range 10.10.10.42
Port Forwarding Selected
Protocol TCP
External Service Port 80
Map to Port 8000
To add a static NAT virtual IP for a single IP address and port - CLI
config firewall vip
edit static_NAT
set extintf wan1
set type static-nat
set extip 192.168.37.4
set mappedip 10.10.10.42
set portforward enable
set extport 80
set mappedport 8000
end
Add a external to dmz1 firewall policy that uses the virtual IP so that when users on the
Internet attempt to connect to the web server IP address packets pass through the
FortiGate unit from the external interface to the dmz1 interface. The virtual IP translates
the destination address of these packets from the external IP to the DMZ network IP
address of the web server.
To add a static NAT virtual IP for a single IP address to a firewall policy - web-based
manager
1 Go to Firewall > Policy > Policy and select Create New.
2 Complete the following:
3 Select NAT.
4 Select OK.
To add a static NAT virtual IP for a single IP address to a firewall policy - CLI
config firewall policy
edit 1
set srcintf wan1
set dstintf internal
set srcaddr all
set dstaddr static_nat
set action accept
set schedule always
set service ANY
set nat enable
end
In 10
In
te .1
10 terna
rn .1
al .0
.1. l
N /2
et 4
3.0
w
or
/16
k
WA
N 1
Z 2
DM120.
0 .
2.2
17
W 2.
eb 20
17
S .12
er 0
ve .1
r
To create an IP pool - web-based manager
1 Go to Firewall > Virtual IP > IP Pool.
2 Select Create New.
3 Enter the Name pool-1.
4 Enter the IP Range/Subnet 10.1.3.1-10.1.3.254.
5 Select OK.
Name server-1
External Interface Internal
Type Static NAT
External IP Address/Range 172.20.120.1
Note this address is the same as the server address.
Mapped IP Address/Range 172.20.120.1
Port Forwarding Enable
Protocol TCP
External Service Port 8080
Map to Port 80
Using VIP range for Source NAT (SNAT) and static 1-to-1 mapping
VIP addresses are typically used to map external (public) to internal (private) IP addresses
for Destination NAT (DNAT).
This example shows how to use VIP ranges to perform Source NAT (SNAT) with a static
1-to-1 mapping from internal to external IP addresses. This is similar to using an IP pool
with the advantage of having predictable and static 1-to-1 address mapping.
.42
0 .10
.1 h
10 roug .46
th .10
.10
In tw 10
te o
N
P
rn rk
e
10 ort 2
al
.10
.10
.2
P
VI ort 1
19 P ra
2.1 ng
6 e
t 8.
19 hrou 36.4
2.1 gh
68
.37
.8
This example will associate each internal IP address to one external IP address for the
Source NAT (SNAT) translation.
Using the diagram above, the translations will look like the following
Service
On FortiGate 50 and 60 series units, a DHCP server is configured, by default, on the
Internal interface:
IP Range 192.168.1.110 to 192.168.1.210
Netmask 255.255.255.0
Default gateway 192.168.1.99
Lease time 7 days
DNS Server 1 192.168.1.99
You can disable or change this default DHCP Server configuration. However, you cannot
configure DHCP in Transparent mode. In Transparent mode DHCP requests pass through
the unit. An interface must have a static IP before you configure a DHCP server on it.
These settings are appropriate for the default Internal interface IP address of
192.168.1.99. If you change this address to a different network, you need to change the
DHCP server settings to match.
Split DNS
In a split DNS configuration you create a DNS database on the FortiGate unit, usually for
host names on an internal network or for a local domain. When users on the internal
network attempt to connect to these host names the IP addresses are provided by the
FortiGate DNS database. Host names that are not in the FortiGate DNS database are
resolved by relaying the DNS lookup to an external DNS server.
A split DNS configuration can be used to provide internal users access to resources on
your private network that can also be accessed from the Internet. For example, you could
have a public web server behind a FortiGate unit operating in NAT/Route mode. Users on
the Internet access this web server using a port forwarding virtual IP. So the web server
has a public IP address for internet users. But you may want users on your internal
network to access the server using its private IP address to keep traffic from internal users
off of the Internet.
To do this, you create a split DNS configuration on the unit and add the host name of the
server to the FortiGate DNS database, but include the internal IP address of server
instead of the external IP address. Because the unit checks the FortiGate DNS database
first, all DNS lookups for the server host name will return the internal IP address of the
server. For an example of how to configure split DNS, see “To configure a split DNS
configuration” on page 555.
4 Go to System > Network > DNS Server and configure the FortiGate DNS database.
Add zones and entries as required. See “Configuring the FortiGate DNS database” on
page 555.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
Configure a FortiGate interface to relay DNS requests to the DNS servers configured for
the FortiGate unit under System > Network > Options.
To configure a interface to resolve DNS requests using the FortiGate DNS database
1 Go to System > Network > Options and add the IP addresses of a Primary and
Secondary DNS server.
These should be the DNS servers provided by your ISP or other public DNS servers.
The FortiGate unit uses these DNS servers for its own DNS lookups and can be used
to supply DNS look ups for your internal networks.
2 Go to System > Network > Interface and edit the interface connected to a network that
you want the FortiGate unit to be a DNS server.
3 Select Enable DNS Query and select Non-Recursive.
When you select Non-Recursive only the entries in the FortiGate DNS database are
used.
4 Go to System > Network > DNS Server and configure the FortiGate DNS database.
Add zones and entries as required. See “Configuring the FortiGate DNS database” on
page 555.
5 Configure the hosts on the internal network to use the FortiGate interface as their DNS
server.
If you are also using a FortiGate DHCP server to configure the hosts on this network,
add the IP address of the FortiGate interface to the DNS Server IP address list.
Configure an interface to resolve DNS requests using the FortiGate DNS database and
relay DNS requests for host names not in the FortiGate DNS database to the DNS servers
configured under System > Network > Options. This is called a split DNS configuration.
See “Split DNS” on page 553.
To configure the FortiGate DNS database in the web-based manager, go to System >
Network > DNS Server.
To use the CLI use the commands:
conf system dns-database
edit <zone-string>
set domain <domain>
set ttl <int>
config dns-entry
edit <entry-id>
set canonical-name <canonical_name_string>
set hostname <hostname_string>
set ip <ip_address>
set ipv6 <ipv6_address>
set preference <preference_value>
set status {enable | disable}
set ttl <entry_ttl_value>
set type {A|AAAA|MX|NS|CNAME}
end
end
Firewall policies
The default firewall policies in FortiOS allow all traffic on all ports and all IP addresses. Not
the most secure. While applying UTM profiles can help to block viruses, detect attacks and
prevent spam, this doesn’t provide a solid overall security option. The best approach is a
layered approach; the first layer being the firewall policy.
When creating outbound firewall policies, you need to know the answer to the question
“What are the students allowed to do?” The answer is surf the web, connect to FTP sites,
send/receive email, and so on.
Once you know what the students need to do, you can research the software used and
determine the ports the applications use. For example, if the students only require web
surfing, then there are only two ports (80 - HTTP and 443 - HTTPS) needed to complete
their tasks. Setting the firewall policies to only allow traffic through two ports (rather than
all 65,000), this will significantly lower any possible exploits. By restricting the ports to
known services, mean s stopping the use of proxy servers, as many of them operate on a
non-standard port to hide their traffic from URL filtering or HTTP inspection.
DNS
Students should not be allowed to use whatever DNS they want. this opens another port
for them to use and potentially smuggle traffic on. The best approach is to point to an
internal DNS server and only allow those devices out on port 53. Its the same approach
one would use for SMTP. Only allow the mail server to use port 25 since nothing else
should be sending email.
If there is no internal DNS server, then the list of allowed DNS servers they can use should
be restrictive. One possible exploit would be for them to set up their own DNS server at
home that serves different IPs for known hosts, such as having Google.com sent back the
IP for playboy.com.
FTP
For the most part, students should not be using FTP. FTP is not HTTP or HTTPS so you
cannot use URL flitting to restrict where they go. This can be controlled with destination
IPs in the firewall policy. With a policy that specifically outlines which FTP addresses are
allowed, all other will be blocked.
The last policy in the list, included by default, is a deny policy.This adds to the potential of
error that could end up allowing unwanted traffic to pass. The deny policy ensures that any
traffic making it to this point is stopped. It can also help in further troubleshooting by
viewing the logs for denied traffic.
With these policies in place, even before packet inspection occurs, the FortiGate, and the
network are fairly secure. Should any of the UTM profiles fail, there is still a basic level of
security.
UTM Profiles
In FortiOS 4.0 MR2, the protection profiles have been broken into individual profiles. Each
UTM feature is now its own component, which can make setting up network security
easier.
Antivirus profiles
Antivirus screening should be enabled for any service you have enabled in the firewall
policies. In the case above, HTTP, FTP, as well as POP3 and SMTP (assuming there is
email access for students). There is not a virus scan option for HTTPS, because the
content is encrypted. Generally speaking, most of the network traffic will be students
surfing the web.
To configure antivirus profiles in the web-based manager, go to UTM > Antivirus > Profile,
or use the CLI commands under config antivirus profile.
Under the antivirus banner is also file filtering. While there should be no reason for a
student to download files - applications or otherwise - to the host PC, you can enable file
pattern matching to limit what can be downloaded. The most common file types are
available to enable for virus checking.
to configure file filtering in the web-based manager, go to UTM > Antivirus > File Filter, on
in the CLI under config antivirus filepattern.
Web filtering
The actual filtering of URLs - sites and content - should be performed by FortiGuard. It is
easier and web sites are constantly being monitored, and new ones reviewed and added
to the FortiGuard databases every day. The FortiGuard categories provide an extensive
list of offensive, and non-productive sites.
As well, there are additional settings to include in a web filtering profile to best contain a
student’s web browsing.
• Web URL filtering should be enabled to set up exemptions for web sites that are
blocked or reasons other than category filtering. It also prevents the us of IP addresses
to get around web filtering. For details on setting this up, see “Blocking HTTP access
by IP” on page 562.
• Block invalid URLs - HTTPS only. This option inspects the HTTPS certificate and looks
at the URL to ensure it’s valid. It is common for proxy sites to create an HTTPS
certificate with a garbage URL. If the site is legitimate, it should be set up correctly. If
the site approach to security is to ignore it, then their security policy puts your network
at risk and the site should be blocked.
Web filtering options are configured in the web-based manager by going to UTM > Web
filter > Profile, or in the CLI under config webfilter profile.
Advanced options
There are a few Advanced options to consider for a web filtering profile:
• Enable Provide details for blocked HTTP 4xx and 5xx errors. Under normal
circumstances there are exploits that can be used with 400 and 500 series messages
to access the web site. While most students probably won’t know how to do this, there
is no harm in being cautious. It only takes one.
• Enable Rate Images by URL. This option only works with Google images. It examines
the URL that the images is stored at to get a rating on it, then blocks or allows the
image based on the rating of the originating URL. It does not inspect the image
contents. Most image search engines to a prefect and pass the images directly to the
browser.
• Enable Block HTTP redirects by rating. An HTTP redirect is one method of getting
around ratings. Go to one web site that has an allowed rating, and it redirects to
another web site that may want blocked.
Email Filtering
Other than specific teacher-led email inboxes, there is no reason why a student should be
able to access, read or send personal email. Ports for POP3, SMTP and IMAP should not
be opened in a firewall policies.
IPS
The intrusion protection profiles should be used to ensure the student PCs are not
vulnerable to attacks, nor do you want students making attacks. As well, IPS can do more
than simple vulnerability scans. With a FortiGuard subscription, IPS signatures are
pushed to the FortiGate unit. New signatures are released constantly for various intrusions
as they are discovered.
FortiOS includes a number of predefined IPS sensors that you can enable by default.
Selecting the all_default signature is a good place to start as it includes the major
signatures.
To configure IPS sensors in the web-based manager, go to UTM > IPS > IPS Sensor, on
the CLI use commands under config ips sensor.
Application control
Application control uses IPS signatures to limit the use of instant messaging and peer-to-
peer applications which can lead to possible infections on a student’s PC. FortiOS
includes a number of pre-defined application categories. To configure and maintain
application control profiles in the web-based manager, go to UTM > Application Control >
Application Control List. In the CLI use commands under config application list.
Some applications to consider include proxies, botnets, toolbars and P2P applications.
Logging
Turn on all logging - every option in this section should be enabled. This is not where you
decide what you are going to log. It is simply defining what the UTM profiles can log.
Logging everything is a way to monitor traffic on the network, see what student’s are
utilizing the most, and locate any potential holes in your security plan. As well, keeping this
information may help to prove negligence later in necessary.
Dedicated traffic
This example show the steps to ensure only traffic exits from the DMZ where the email
server is connected. The internal port is connected to the internal network and the WAN1
port connects to the Internet.
First, create a firewall policy that will not allow any traffic through port 25 from the internal
interface, which connects to the internal network. Place this policy at the top of the firewall
policy list.
You may also want to enable Log Violation Traffic to see if there is any potential malware
or other user sending email using the non-corporate email server.
To block SMTP traffic on port 25 for the rest of the company - web-based manager
3 Go to Firewall > Policy > Policy and select Create New.
4 Set the following options and select OK.
To block SMTP traffic on port 25 for the rest of the company - CLI
config firewall policy
edit <policy_number>
set srcintf internal
set srcaddr all
set dstintf wan1
set dstaddr all
set schedule always
set service smtp
set action deny
end
When HTTP cookie persistence is enabled the FortiGate unit inserts a header of the
following form into each HTTP response unless the corresponding HTTP request already
contains a FGTServer cookie:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Max-Age=3600
The value of the FGTServer cookie encodes the server that traffic should be directed to.
The value is encoded so as to not leak information about the internal network.
Use http-cookie-domain to restrict the domain that the cookie should apply to. For
example, to restrict the cookie to.server.com, enter:
set http-cookie-domain .server.com
All generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Max-Age=3600
Use http-cookie-path to limit the cookies to a particular path. For example, to limit
cookies to the path /sales, enter:
set http-cookie-path /sales
All generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Path=/sales; Max-Age=3600
Use http-cookie-age to change how long the browser caches the cookie. You can
enter an age in minutes or set the age to 0 to make the browser keep the cookie
indefinitely:
set http-cookie-age 0
All generated cookies will have the following form:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Domain=.server.com; Path=/sales
Use http-cookie-generation to invalidate all cookies that have already been
generated. The exact value of the generation is not important, only that it is different from
any generation that has already been used for cookies in this domain. The simplest
approach is to increment the generation by one each time invalidation is required. Since
the default is 0, enter the following to invalidate all existing cookies:
set http-cookie-generation 1
Use http-cookie-share {disable | same-ip} to control the sharing of cookies
across virtual servers in the same virtual domain. The default setting same-ip means that
any FGTServer cookie generated by one virtual server can be used by another virtual
server in the same virtual domain. For example, if you have an application that starts on
HTTP and then changes to HTTPS and you want to make sure that the same server is
used for the HTTP and HTTPS traffic then you can create two virtual servers, one for port
80 (for HTTP) and one for port 443 (for HTTPS). As long as you add the same real servers
to both of these virtual servers (and as long as both virtual servers have the same number
of real servers with the same IP addresses), then cookies generated by accessing the
HTTP server are reused when the application changes to the HTTPS server.
If for any reason you do not want this sharing to occur then select disable to make sure
that a cookie generated for a virtual server cannot be used by other virtual servers.
Use https-cookie-secure to enable or disable using secure cookies. Secure cookies
are disabled by default because secure cookies can interfere with cookie sharing across
HTTP and HTTPS virtual servers. If enabled, then the Secure tag is added to the cookie
inserted by the FortiGate unit:
Set-Cookie: FGTServer=E7D01637C4B08E89A6714213A9D85D9C7E4D8158;
Version=1; Max-Age=3600; Secure
For more information on load balancing, see the Load Balancing chapter of The
Handbook.
You can configure a FortiGate unit to perform stateful inspection of different types of SCTP
traffic by creating custom SCTP services and defining the port numbers or port ranges
used by those services. FortiGate units support SCTP over IPv4. The FortiGate unit
performs the following checks on SCTP packets:
• Source and Destination Port and Verification Tag.
• Chunk Type, Chunk Flags and Chunk Length
• Verify that association exists
• Sequence of Chunk Types (INIT, INIT ACK, etc)
• Timer checking
• Four way handshake checking
• Heartbeat mechanism
• Protection against INIT/ACK flood DoS attacks, and long-INIT flooding
• Protection against association hijacking
FortiOS also supports SCTP sessions over IPsec VPN tunnels.
FortiOS also supports full traffic and event logging for SCTP sessions.
Name M3UA_service
Protocol Type TCP/UDP/SCTP
Protocol SCTP
Source Port (Low) 1
Source Port (High) 65535
Destination Port (Low) 2905
Destination Port (High) 2905
Protocol 132
Incoming interface internal
Source address / mask 0.0.0.0 0.0.0.0
Destination address / mask 0.0.0.0 0.0.0.0
Destination Ports From 2905 to 2905
Force traffic to:
Outgoing interface external
Gateway Address 1.1.1.1
What is logging?
Logging records the traffic passing through the FortiGate unit to your network and what
action the FortiGate unit took during its scanning process of the traffic. This recorded
information is called a log message.
After a log message is recorded, it is stored within a log file which is then stored on a log
device. A log device is a central storage location for log messages. The FortiGate unit
supports several log devices, such as a FortiGuard Analysis server and the FortiAnalyzer
unit. A FortiGate unit’s system memory and local disk can also be configured to store logs,
and because of this, are also considered log devices.
Note: You must subscribe to the FortiGuard Analysis and Management Service so that you
can configure the FortiGate unit to send logs to a FortiGuard Analysis server.
The log header also contains the log_id field. The log_id field contains the ten-digit
identification number which includes the unique number that is associated with that
specific log message. For example, 0315012552:
• 03 – category number (web filtering log type)
• 15 – subtype number (URL filter block log subtype)
• 012552 – the unique number for that log message.
Table 53 explains which category number is associated with each log type, as well as the
subtype name and associated number. The last six digits, those designated as unique to
that log message, are not included in the table.
Note: When viewing log messages in the Raw format, in Memory, the ten-digit log ID
number is used; however, when viewing the same log messages, in Raw format, in Disk,
the five-digit log ID number is used (except for traffic logs which have only one-digit log
IDs). This five-digit log identification number is used because of log size reduction that
occurred in FortiOS 4.0 MR1.
The log header also contains information about the log severity level and is indicated in
the pri field. This information is important because the severity level indicates various
severities that are occurring. For example, if the pri field contains alert, you need to take
immediate action with regards to what occurred. There are six log severity levels.
You can define what severity level the FortiGate unit records logs at when configuring the
logging location. The FortiGate unit logs all messages at and above the logging severity
level you select. For example, if you select Error, the unit logs Error, Critical, Alert, and
Emergency level messages.
Levels Description
0 - Emergency The system has become unstable.
1 - Alert Immediate action is required.
2 - Critical Functionality is affected.
3 - Error An error condition exists and functionality could be
affected.
4 - Warning Functionality could be affected.
5 - Notification Information about normal events.
6 - Information General information about system operations.
The Debug severity level, not shown in Table 53, is rarely used. It is the lowest log severity
level and usually contains some firmware status information that is useful when the
FortiGate unit is not functioning properly. Debug log messages are only generated if the
log severity level is set to Debug. Debug log messages are generated by all types of
FortiGate activities.
date=(2010-08-03) The year, month and day of when the event occurred in yyyy-mm-dd
format.
time=(12:55:06) The hour, minute and second of when the event occurred in the format
hh:mm:ss.
log_id A ten-digit number. The first two digits represent the log type and the
following two digits represent the log subtype. The last five digits are
the message ID.
type=(dlp) The section of system where the event occurred.
subtype=(dlp) The subtype category of the log message. See Table 53 on page 575.
pri=(notice) The severity level of the event. See Table 53 on page 575.
vd=(root) The name of the virtual domain where the action/event occurred in. If
no virtual domains exist, this field always contains root.
Log body:
policyid=1 identidx=0 serial=73855 src=“10.10.10.1” sport=1190
src_port=1190 srcint=internal dst=“192.168.1.122” dport=80
dst_port=80 dst_int=“wan1” service=“https” status=“detected”
hostname=“example.com” url=“/image/trees_pine_forest/” msg=“data
leak detected(Data Leak Prevention Rule matched)” rulename=“All-
HTTP” action=“log-only” severity=1
policyid=(1) The ID number of the firewall policy that applies to the session or
packet. Any policy that is automatically added by the FortiGate will
have an index number of zero.
identidx=(0) The identity-based policy identification number. This field displays
zero if the firewall policy does not use an identity-based policy;
otherwise, it displays the number of the identity-based policy entry
that the traffic matched. This number is not globally unique, it is only
locally unique within a given firewall policy.
serial=(73855) The serial number of the firewall session of which the event
happened.
src=(10.10.10.1) The source IP address.
sport=(1190) The source port number.
src_port=(1190) The source port number.
srcint=(internal) The source interface name.
dst=(192.168.1.122) The destination IP address.
dport=(80) The destination port number.
dst_port=(80) The destination port number.
dst_int=(wan1) The destination interface name.
service=(https) The IP network service that applies to the session or packet. The
services displayed correspond to the services configured in the
firewall policy.
status=(detected) The action the FortiGate unit took.
hostname=(example.com) The home page of the web site.
url=(/image/trees_pine_for The URL address of the web page that the user was viewing.
est/)
msg=(data leak Explains the FortiGate activity that was recorded. In this example,
detected(Data Leak the data leak that was detected matched the rule, All-HTTP, in the
Prevention Rule matched) DLP sensor.
rulename=(All-HTTP) The name of the DLP rule within the DLP sensor.
action=(log-only) The action that was specified within the rule. In some rules within
sensors, you can specify content archiving. If no action type is
specified, this field display log-only.
severity=(1) The level of severity for that specific rule.
2 A match is found; the DLP sensor, dlp_sensor, had a rule within it called All-HTTP with
the action Exempt applied to the rule. The sensor also has Enable Logging selected,
which indicates to the FortiGate unit that the activity should be recorded and placed in
the DLP log file.
3 The FortiGate unit exempts the match, and places the recorded activity (the log
message) within the DLP log file.
4 According to the log settings that were configured, logs are stored on the FortiGate
unit’s local hard drive. The FortiGate unit places the DLP log file on the local hard drive.
SQL overview
The syntax for SQL queries is based on the SQLite3 syntax (see
http://www.sqlite.org/lang.html for more information).
There is an additional convenience macro, F_TIMESTAMP, that allows you to easily
specify a time interval for the query. It takes this form:
F_TIMESTAMP(base_timestring, unit, relative value). For example,
F_TIMESTAMP('now','hour','-23') means “last 24 hours” or that the hour in the
timestamp is 23 less than now. The FortiGate unit will automatically translate the macro
into SQLite3 syntax.
You can use the following CLI commands to write SQL statements to query the SQLite
database.
config report dataset
edit <dataset_name>
set query <sql_statement>
next
end
For more information about specific examples that are used in creating custom datasets,
see the “SQL statement examples” on page 580.
SQL tables
The FortiGate unit creates a database table for each log type, when log data is recorded. If
the FortiGate unit is not recording log data, it does not create log tables for that device.
The command syntax, get report database schema, allows you to view all the
tables, column names and types that are available to use when creating SQL statements
for datasets.
CLI commands
config report dataset
edit "appctrl.Dist.Type.last24h"
set query "select app_type, count(*) as totalnum from
app_control_log where timestamp >=
F_TIMESTAMP('now','hour','-23') and (app_type is not null
and app_type!='N/A') group by app_type order by totalnum
desc"
next
CLI commands
config report dataset
edit "appctrl.Count.Bandwidth.Top10.Apps.last24h"
set query "select (timestamp-timestamp%3600) as hourstamp,
(CASE WHEN app!=\'N/A\' and app!=\'\' then app ELSE service
END) as appname, sum(sent+rcvd) as bandwidth from
traffic_log where timestamp >=
F_TIMESTAMP(\'now\',\'hour\',\'-23\') and (appname in
(select (CASE WHEN app!=\'N/A\' and app!=\'\' then app ELSE
service END) as appname from traffic_log where timestamp >=
F_TIMESTAMP(\'now\',\'hour\',\'-23\') group by appname
order by sum(sent+rcvd) desc limit 10)) group by hourstamp,
appname order by hourstamp desc"
next
Connection problems
If well formed queries do not produce results, and logging is turned on for the log type,
there may be a database configuration problem with the remote database.
Ensure that:
• MySQL is running and using the default port 3306.
• You have created an empty database and a user who has read/write permissions for
the database.
Here is an example of creating a new MySQL database named fazlogs, and adding a
user for the database:
#Mysql –u root –p
mysql> Create database fazlogs;
mysql> Grant all privileges on fazlogs.* to ‘fazlogger’@’*’
identified by ‘fazpassword’;
mysql> Grant all privileges on fazlogs.* to
‘fazlogger’@’localhost’ identified by ‘fazpassword’;
Figure 60: Example of an SQL database error message that appears after logging in to the
web-based manager
The error message indicates that the SQL database is corrupted and cannot be updated
with the SQL schemas any more. When you see this error message, you can do one of
the following:
• select Cancel and back up all log files; then select Rebuild to rebuild the database
• select Rebuild only after verifying that all log files are backed up to a safe location.
When you select Cancel, no logging is recorded by the FortiGate unit regardless of the log
settings that are configured on the unit. When you select Rebuild, all logs are lost because
the SQL database is erased and then rebuilt again. Logging resumes after the SQL
database is rebuilt.
If you want to view the database’s errors, use the diag debug sqldb-error-read
command in the CLI. This command indicates exactly what errors occurred, and what
tables contain those errors.
Log files are backed up using the execute log backup {alllogs | logs}
command in the CLI. You must use the text variable when backing up log files because the
text variable allows you to view the log files outside the FortiGate unit. When you back up
log files, you are really just copying the log files from the database to a specified location,
such as a TFTP server.
Note: You may need to reschedule uploading or rolling of log files because the size of logs
files is reduced in FortiOS 4.0 MR1 and higher. Reduction in size provides more storage
room for large amounts of log files on log devices.
Figure 61: Example of an integrated FortiAnalyzer unit and Syslog servers in a network
Syslog servers
FortiAnalyzer 1U
Internal Network
FortiGate 1U
4 Select a log level from the Minimum log level drop-down list.
5 To enable logging of IPS packet archives, select the check box beside Enable IPS
Packet Archive.
6 Select Apply.
The FortiGate unit logs all messages at and above the logging severity level you select.
To log to an AMC hard disk and schedule uploading of logs to a FortiAnalyzer unit
1 Log in to the CLI.
2 Enter the following command syntax. You need to choose fortianalyzer as the
destination for uploading files to:
config log disk setting
set status {enable | disable}
set upload {enable | disable}
set upload-destination {ftp-server | fortianalyzer}
set uploadip <class_ip>
set uploadtype {app-crtl | attack | dlp | dlp-archive | event
| spamfilter | traffic | virus | webfilter}
set uploadsched {enable | disable}
set uploadtime <time_integer>
end
Note: The FortiGate unit searches within the same subnet for a response from any
available FortiAnalyzer units.
4 Select Apply.
Example
This example shows how to enable logging to and set an IP address for a remote NetIQ
WebTrends server.
4 Enter the following commands for the last FortiAnalyzer unit, using encrypt and
psksecret if you want to encrypt the connection:
config log fortianalyzer3 setting
set status enable
set server <faz_ip address>
set encrypt [disable | enable]
set psksecret <password>
set localid <identification_ipsectunnel>
set conn-timeout <value_seconds>
end
end
8 Repeat steps 6 and 7 for FortiAnalyzer_2.
Logs are now configured to go to multiple FortiAnalyzer units.
Logs
Logs record FortiGate activity, providing detailed information about what is happening on
your network. This recorded activity is found in log files, which are stored on a log device.
However, logging FortiGate activity requires configuring certain settings so that the
FortiGate unit can record the activity. These settings are often referred to as log settings,
and are found in most UTM features, such as profiles, and include the event log settings,
found on the Event Log page.
Log settings provide the information that the FortiGate unit needs so that it knows what
activities to record. This topic explains what activity each log file records, as well as
additional information about the log file, which will help you determine what FortiGate
activity the FortiGate unit should record.
This topic includes the following:
• Traffic
• Event
• Data Leak Prevention
• Application control
• Antivirus
• Web Filter
• IPS (attack)
• Packet logs
• Email filter
• Archives (DLP)
• Network scan
Traffic
Traffic logs record the traffic that is flowing through your FortiGate unit. Since traffic needs
firewall policies to properly flow through the unit, this type of logging is also referred to as
firewall policy logging. Firewall policies control all traffic that attempts to pass through the
FortiGate unit, between FortiGate interfaces, zones and VLAN sub-interfaces.
Logging traffic works in the following way:
• firewall policy has logging enabled on it (Log Allowed Traffic or Log Violation Traffic)
• packet comes into an inbound interface
• a possible log packet is sent regarding a match in the firewall policy, such as URL filter
• traffic log packet is sent, per firewall policy
• packet passes and is sent out an interface
Traffic log messages are stored in the traffic log file. Traffic logs can be stored any log
device, even system memory.
Other Traffic
The traffic log also records interface traffic logging, which is referred to as other traffic.
Other traffic is enabled only in the CLI. When enabled, the FortiGate unit records traffic
activity on interfaces as well as firewall policies. Logging other traffic puts a significant
system load on the FortiGate unit and should be used only when necessary.
Logging other traffic works in the following way:
• firewall policy has logging enabled on it (Log Allowed Traffic or Log Violation Traffic)
and other-traffic
• packet comes into an interface
• interface log packet is sent to the traffic log that is enabled on that particular interface
• possible log packet is sent regarding a match in the firewall policy, such as URL filter
• interface log packet is sent to the traffic log if enabled on that particular interface
• packet passes and is sent out an interface
• interface log packet is sent to traffic (if enabled) on that particular interface
Event
The event log records administration management as well as FortiGate system activity,
such as when a configuration has changed, admin login, or high availability (HA) events
occur. Event logs are an important log file to record because they record FortiGate system
activity, which provides valuable information about how your FortiGate unit is performing.
Event logs help you in the following ways:
• keep track of configuration setting changes
• IPsec negotiation, SSL VPN and tunnel activity
• quarantine events, such as banned users
• system performance
• HA events and alerts
• firewall authentication events
• wireless events on models with WiFi capabilities
• activities concerning modem and internet protocols L2TP, PPP and PPPoE
• VIP activities
NAC Quarantine
Within the DLP sensor, there is an option for enabling NAC Quarantine. The NAC
Quarantine option allows the FortiGate unit to record details of DLP operation that involve
the ban and quarantine actions, and sends these to the event log file. The NAC
Quarantine option must also be enabled within the Event Log settings.
Application control
Application control logs provide detailed information about the traffic that an application is
generating, such as Skype. The application control feature controls the flow of traffic from
a specific application, and the FortiGate unit examines this traffic for signatures that the
application generates.
The log messages that are recorded provide information such as the type of application
being used (for example P2P software), and what type of action the FortiGate unit took.
These log messages can also help you to determine the top ten applications that are
being used on your network. This feature is called application control monitoring and you
can view the information from a widget on the Executive Summary page.
The application control list that is used must have Enabled Logging selected within the list,
as well as logging enabled within each application entry. Each application entry can also
have packet logging enabled. Packet logging for application control records the packet
when an application type is identified, similar to IPS packet logging.
Logging of application control activity can only be recorded when an application control list
is applied to a firewall policy, regardless of whether or not logging is enabled within the
application control list.
Antivirus
Antivirus logs are recorded when, during the antivirus scanning process, the FortiGate unit
finds a match within the antivirus profile, which includes the presence of a virus or
grayware signature. Antivirus logs provide a way to understand what viruses are trying to
get in, as well as additional information about the virus itself, without having to go to the
FortiGuard Center and do a search for the detected virus. The link is provided within the
log message itself.
These logs provide valuable information about:
• name of the detected virus
• name of the oversized file or infected file
• action the FortiGate unit took, for example, a file was blocked
• URL link to the FortiGuard Center which gives detailed information about the virus itself
The antivirus profile must have log settings enabled within it so that the FortiGate unit can
record this activity, as well as having the antivirus profile applied to a firewall policy.
Web Filter
Web filter logs record HTTP traffic activity. These log messages provide valuable and
detailed information about this particular traffic activity on your network. Web filtering
activity is important to log because it can inform you about:
• what types of web sites are employees accessing
• if users try to access a banned web site and how often this occurs
• network congestion due to employees accessing the Internet at the same time
• alerts you to web-based threats when users surf non-business-related web sites
Web Filter logs are an effective tool to help you determine if you need to update your web
filtering settings within a web filter profile due to unforeseen web-based threats, or network
congestion. These logs also inform you about web filtering quotas that were configured for
filtering HTTP traffic as well.
You must configure log settings within the web filter profile as well as apply it to a firewall
policy so that the FortiGate unit can record web filter logs.
IPS (attack)
IPS logs, also referred to as attack logs, record attacks that occurred against your
network. Attack logs contain detailed information about whether the FortiGate unit
protected the network using anomaly-based defense settings or signature-based defense
settings, as well as what the attack was.
The IPS or attack log file is especially useful because the log messages that are recorded
contain a link to the FortiGuard Center, where you can find more information about the
attack. This is similar to antivirus logs, where a link to the FortiGuard Center is provided as
well and informs you of the virus that was detected by the FortiGate unit.
An IPS sensor with log settings enabled must be applied to a firewall policy so that the
FortiGate unit can record the activity.
Packet logs
When you enable packet logging within an IPS signature override or filter, the FortiGate
unit examines network packets, and if a match is found, saves them to the attack log.
Packet logging is designed to be used as a diagnostic tool that can focus on a narrow
scope of diagnostics, rather than a log that informs you of what is occurring on your
network.
You should use caution when enabling packet logging, especially within IPS filters. Filter
configuration that contains thousands of signatures could potentially cause a flood of
saved packets, which would take up a lot of storage space on the log device. This would
also take a great deal of time to sort through all the log messages, as well as consume
considerable system resources to process.
You can archive packets, however, you must enable this option on the Log Setting page. If
your log configuration includes multiple FortiAnalyzer units, packet logs are only sent to
the primary, or first FortiAnalyzer unit. Sending packet logs to the other FortiAnalyzer units
is not supported.
Email filter
Email filter logs, also referred to as spam filter logs, records information regarding the
content within email messages. For example, within an email filter profile, a match is found
that finds the email message to be considered spam.
Email filter logs are recorded when the FortiGate unit finds a match within the email filter
profile and logging settings are enabled within the profile.
Archives (DLP)
Recording DLP logs for network use is called DLP archiving. The DLP engine examines
email, FTP, IM, NNTP, and web traffic. Archived logs are usually saved for historical use
and can be accessed at any time. IPS packet logs can also be archived, within the Log
Settings page.
You can use the two default DLP sensors that were configured specifically for archiving
log data, Content_Archive and Content_Summary. They are available in UTM > Data Leak
Prevention > Sensor. Content_Archive provides full content archiving, while
Content_Summary provides summary archiving.
You must enable the setting Enable DLP Archive in Log&Report > Log Config > Log
Setting to log archives. Logs are not archived unless this setting is enabled, regardless of
whether or not the DLP sensor for archiving is applied to the firewall policy.
Network scan
Network scan logs are recorded when a scheduled scan of the network occurs. These log
messages provide detailed information about the network’s vulnerabilities regarding
software as well as the discovery of any vulnerabilities.
A scheduled scan must be configured, as well as logging enabled within the Event Log
settings, for the FortiGate unit to record these log messages.
When you are ready to enable logging of the FortiGate activities you have chosen, you
must apply them to a firewall policy. When applied to a firewall policy, the FortiGate unit
determines whether to record the activity or event based on what is applied on the firewall
policy and configured within the Log Config page.
The following explains how to enable and configure logging on your FortiGate unit.
This topic includes the following:
• Enabling logging within a firewall policy
• Enabling logging of events
• Configuring logging for the application control monitoring feature
• Configuring IPS packet logging
• Configuring NAC quarantine logging
Note: You need to set the logging severity level to Notification when configuring a logging
location to record traffic log messages.
4 Select Apply.
5 Select OK.
Quarantine page
Lists all files that are considered quarantined by the FortiGate unit. On this page you can filter
information so that only specific files are displayed on the page.
Source Either FortiAnalyzer or Hard disk, depending where you configure to
quarantined files to be stored.
Sort by Sort the list. Choose from: Status, Service, File Name, Date, TTL, or Duplicate
Count. Select Apply to complete the sort.
Filter Filter the list. Choose either Status (infected, blocked, or heuristics) or Service
(IMAP, POP3, SMTP, FTP, HTTP, MM1, MM3, MM4, MM7, IM, or NNTP). Select
Apply to complete the filtering. Heuristics mode is configurable through the CLI
only.
If your FortiGate unit supports SSL content scanning and inspection service can
also be IMAPS, POP3S, SMTPS, or HTTPS. For more information, see the
UTM chapter of the FortiOS Handbook.
Apply Select to apply the sorting and filtering selections to the list of quarantined files.
Delete Select to delete the selected files.
Page Controls Use the controls to page through the list.
Remove All Removes all quarantined files from the local hard disk.
Entries This icon only appears when the files are quarantined to the hard disk.
File Name The file name of the quarantined file.
Date The date and time the file was quarantined, in the format dd/mm/yyyy hh:mm.
This value indicates the time that the first file was quarantined if duplicates are
quarantined.
Service The service from which the file was quarantined (HTTP, FTP, IMAP, POP3,
SMTP, MM1, MM3, MM4, MM7, IM, NNTP, IMAPS, POP3S, SMTPS, or
HTTPS).
Status The reason the file was quarantined: infected, heuristics, or blocked.
Status Specific information related to the status, for example, “File is infected with
Description “W32/Klez.h”” or “File was stopped by file block pattern.”
DC Duplicate count. A count of how many duplicates of the same file were
quarantined. A rapidly increasing number can indicate a virus outbreak.
TTL Time to live in the format hh:mm. When the TTL elapses, the FortiGate unit
labels the file as EXP under the TTL heading. In the case of duplicate files, each
duplicate found refreshes the TTL.
The TTL information is not available if the files are quarantined on a
FortiAnalyzer unit.
Upload status Y indicates the file has been uploaded to Fortinet for analysis, N indicates the
file has not been uploaded.
This option is available only if the FortiGate unit has a local hard disk.
Download Select to download the corresponding file in its original format.
This option is available only if the FortiGate unit has a local hard disk.
Submit Select to upload a suspicious file to Fortinet for analysis.
This option is available only if the FortiGate unit has a local hard disk.
Interval Time Enter the minimum time interval between consecutive alert emails.
(1-9999 minutes) Use this to rate-limit the volume of alert emails.
Intrusion detected Select if you require an alert email message based on attempted
intrusion detection.
Virus detected Select if you require an alert email message based on virus
detection.
Web access blocked Select if you require an alert email message based on blocked
web sites that were accessed.
HA status changes Select if you require an alert email message based on HA status
changes.
Violation traffic Select if you require an alert email message based on violated
detected traffic that is detected by the FortiGate unit.
Firewall Select if you require an alert email message based on firewall
authentication failure authentication failures.
SSL VPN login failure Select if you require an alert email message based on any SSL
VPN logins that failed.
Administrator Select if you require an alert email message based on whether
login/logout administrators log in or out.
IPSec tunnel errors Select if you require an alert email message based on whether
there is an error in the IPSec tunnel configuration.
L2TP/PPTP/PPPoE Select if you require an alert email message based on errors that
errors occurred in L2TP, PPTP, or PPPoE.
Configuration Select if you require an alert email message based on any
changes changes made to the FortiGate configuration.
FortiGuard license Enter the number of days before the FortiGuard license expiry
expiry time (1-100 time notification is sent.
days)
FortiGuard log quota Select if you require an alert email message based on the
usage FortiGuard Analysis server log disk quota getting full.
8 Select Apply.
Note: The default minimum log severity level is Alert. If the FortiGate unit collects more
than one log message before an interval is reached, the FortiGate unit combines the
messages and sends out one alert email.
If you have configured FortiGate system memory as your log device, logging alert email
notifications for FortiGuard license expiry requires you to enable event and admin in the
log memory filter command. Use the following procedure when you want to log this event
and if your log device is system memory. If you have enabled system memory on a
FortiGate unit that has a local disk, you do not have to use the following procedure.
All other log devices, including the FortiGate unit’s local disk, log alert messages by
default. You can find the alert email logs within the event-system log file.
The log messages occur within a given time, and indicate that the units within the cluster
are not aware of each other anymore. These log messages provide the information you
need to fix the problem.
Both these log messages indicate that the scan discovered two separate service-detection
events.
2010-04-05 13:34:31 log_id=1600004100 type=netscan
subtype=discovery pri=notice vd=root action=service-detection
ip=10.10.20.3 service=microsoft-ds proto=tcp prot=445
Using diag log test to verify logs are sent to a log device
After setting up a log device, you may want to verify that everything is working properly,
including sending of logs to the log device. The diag log test command is used to create
various test logs.
diag log test
The command can also be used when a Syslog server is not receiving certain logs. When
the command is entered in the CLI, an output similar to the following appears below the
line:
generating a system event message with level – warning
generating an infected virus message with level – warning
generating a blocked virus message with level – warning
generating a URL block message with level – warning
generating a DLP message with level – warning
generating an attack detection message with level – warning
generating an application control IM message with level –
information
generating an antispam message with level – notification
generating an allowed traffic message with level – notice
generating a wanopt traffic log message with level – notification
generating a HA event message with level – warning
generating netscan log messages with level – notice
generating a VOIP event message with level – information
generating authentication event messages
These log messages can be viewed from the Log Access menu. The following is a test log
message that may be generated and recorded by the FortiGate unit. It is shown as it
would be displayed in Raw format in system memory.
2010-08-10 09:34:22 log_id=0508020480 type=emailfilter
subtype=smtp pri=notice policyid=12345 identidx=67890 serial=312
user=“user” group=“group” vd=”root” src=1.1.1.1 sport=2560
src_port=2560 src_int=”lo” dst=2.2.2.2 dport=5120 dst_port=5120
dst_int=“eth0” service=mm1 carrier_ep=“carrier endpoint”
profile=“N/A” profilegroup=“N/A” profiletype=“N/A” status=detected
from=“from@xxx.com” to=“to@xxx.com” tracker=“Tracker”
msg=“SpamEmail”
Note: Configuring reports from other log devices, such as a Syslog server, are not
supported.
Report overview
Reports provide a clear, concise overview of what is happening on your network based on
log data, without manually going through large amounts of logs. Reports can be
configured and generated from the FortiGate unit, or from a FortiAnalyzer unit. There are
three distinct reports you can configured: a FortiOS report, a FortiAnalyzer report, and
executive summary reports.
A FortiOS report is a report configured and generated from the FortiGate unit. FortiOS
reports consist of charts, a theme, an image (or more), and a layout. The layout is used as
a template by the FortiGate unit to compile the log data and then generate the report. A
FortiOS report is usually configured in the following order:
1 Charts
2 Theme
3 Image
4 Layout
A report schedule is a FortiAnalyzer report configured on the FortiGate unit, and then
generated on the FortiAnalyzer unit. FortiAnalyzer report schedules can be configured on
the FortiGate unit, if logs are being stored on the FortiAnalyzer unit. The report schedule is
generated on the FortiAnalyzer unit and you can view the generated report from either the
FortiGate unit (in Log&Report > Report Access > FortiAnalyzer) or the FortiAnalyzer unit
itself.
An executive summary report is a collection of widgets, which are used to display the log
information in a graphical format are actually charts that are also used when configuring a
FortiOS report layout.. Executive summary reports are configured on the Executive
Summary page, in the Report Access menu. These widgets, or charts, use the log
information that is associated with them, for example, the appcrtl.Count.Bandwidth.Top10
.Apps.last24h(Graph), displays the top ten application control applications, with the
amount of bandwidth usage stated on the y axis of the graph chart.
When you are ready to configure reports, and your FortiGate unit is currently running
FortiOS 4.0 MR2, you may not be able to view the Report Config and Report Access
menus from the web-based manager. You must log in to the CLI and use the following
commands to enable these two menus within the web-based manager. These menus do
not appear regardless of whether your log storage location is the FortiGate unit or the
FortiAnalyzer unit.
config log fortianalyzer setting
set gui-display enable
end
FortiOS reports
FortiOS reports are configured from logs stored on the FortiGate unit’s hard drive. These
reports are generated by the FortiGate unit itself, providing a central location for not only
configuring reports, but also generating them.
FortiOS reports consist of multiple parts which are all configured separately and then
added within the layout. The parts of a report are:
• charts (including datasets within the charts themselves)
• themes (including styles which are within the themes themselves)
• images
• layouts
Charts are used to display the log information in a clear and concise way using graphs and
tables. Charts contain datasets, which are SQL queries and help the FortiGate unit to add
specific log information into the chart using the SQL logs that are stored on the FortiGate
unit’s local disk. If you want to configure a chart, you must configure the dataset first.
Datasets are required for each chart, and if there is no dataset included in a chart, the
chart will not be saved.
Themes provide a one-step style application for report layouts. Themes contain various
styles for the table of contents, headings, headers and footers, as well as the margins of
the report’s pages. Themes are applied to layouts. The styles that are applied to themes
are configured separately.
You can easily upload your company or organization’s logo to use within a report from the
Images menu. By uploading your company or organization’s own logo and applying it in a
report, you provide a personalized report that is recognizable as your company or
organization’s report. The image must be in JPEG, JPG or PNG format.
Layouts provide a way to incorporate the charts, image, and themes that are configured to
create a formatted report. A layout is used as a template by the FortiGate unit to compile
and then generate the report.
This topic contains the following:
• Creating datasets for charts
• Configuring the charts for the report
Note: If you are configuring a chart for a report, you must create a dataset for that chart.
The chart cannot be configured without a dataset. There are no default datasets.
6 To include the chart in the Favorites category, select the check box beside Add to
Favorites.
7 Select the type of graph that you want displayed in the chart from the Graph Type drop-
down list.
8 In the X Series section, enter the information for the x axis part of the chart.
9 In the Y Series section, enter the information for the y axis part of the chart.
10 Select OK.
3 On the Import Image File page, either enter the location of the image file or select
Browse to locate the image file.
4 Select OK.
Note: You must add the report components one at a time to the report layout. Adding
multiple components at the same time is not supported.
6 After adding the report components, arrange them in the order you want them
presented in the report.
Cloning a layout
Cloning a layout allows you to reuse settings in a previously configured layout and apply
those settings along with new settings to a new layout.
To clone a layout
1 Go to Log&Report > Report Config > Layout.
2 Highlight the report that you want to use, and then select the Clone icon.
3 Enter the name of the new report in the Name field.
4 Enter the information for the new report.
5 Select OK.
FortiAnalyzer reports
FortiAnalyzer reports are configured on a FortiAnalyzer unit; however, you can configure a
report schedule from the FortiGate unit in Log&Report > Report Config > Schedule. You
need to have a report layout when configuring a report schedule. Report layouts are
configured only on the FortiAnalyzer unit.
If you want to configure a report schedule based on another report schedule, you can
clone the report schedule. Cloning a report schedule produces a duplicate of the original
and then editing that duplicate to create a new schedule.
Viewing reports
You can view various reports from the Report Access menu, including Executive Summary
reports. When you are viewing FortiOS reports, you go to Log&Report > Report Access >
Disk. When you are viewing FortiAnalyzer reports, you go to Log&Report > Report Access
> FortiAnalyzer.
The following table explains the Disk page when you are viewing FortiOS reports.
Disk page
Displays each generated report. Reports are removed using the Delete icon. You can view either
HTML reports or PDF reports directly from this page. A HTML report opens up in a separate window,
while a PDF report opens within the Disk page.
Delete Removes one, multiple or all reports from the list. If you select the check box in
the check box column, you can remove all reports from the list at one time.
Report File The name of the report file, which includes the date and time.
Note: To view a HTML report, select the name in this column. The HTML report
appears in a separate window.
Started The time when the report began generating. This format includes the date and is
displayed in this type of format, yyyy-mm-dd hh:mm:ss. The hour is in the 24
hour format.
Finished The time when the report stopped generating. This format includes the date and
is displayed in this type of format, yyyy-mm-dd hh:mm:ss. The hour is in the 24
hour format.
Size (bytes) The size of the report file, in bytes.
Other Formats Displays PDF formatted generated reports. Select the format in this column to
view the report in PDF.
The following table explains the FortiAnalyzer page, when you are viewing historical
FortiAnalyzer reports. The current FortiAnalyzer report displays when you go to
Log&Report > Report Access > FortiAnalyzer. If you want a hard copy of a FortiAnalyzer
report, select Print which appears when you are viewing a current report.
FortiAnalyzer page
Displays each historical report that was generated.
Report FIles The name of the report. Expand the report to view
Date The date and time of when the report was generated on. The date is in the
format <day_name> <month_name> <dd> <hh>:<mm>:<ss> <yyyy>. For
example, Thu Apr 22 04:05:55 2010.
Size(bytes) The size of the report file, in bytes.
Other Formats Displays other formats that the report has been formatted in, such as XML and
PDF. Select the format in this column to view the report in PDF.
Report examples
The following are examples of two specific reports, a simple traffic report, and a more
complicated network scan report.
Layout
The following procedure applies the image and theme to the report, as well as the charts
required and additional settings.
To configure a layout
1 Go to Log&Report > Report Config > Layout.
2 Select Create New.
3 On the Add Report Layout page, enter the name for the report, Network
application usage on our network, in the Name field.
4 Select org_theme from the Report Theme drop-down list.
5 Enter the title for the report, The Application usage on our network, in the
Title field.
6 In Option, select the check boxes beside HTML Navigation Bar and Auto Heading
Number.
This removes the HTML navigation bar and heading numbers from being included in
the report.
7 In Output Format, select HTML.
By selecting HTML, only PDF will be applied as the format to the report.
8 Select the plus sign beside Report Components to begin adding the additional
components, such as charts, to the layout.
9 In the Add Component window, add the following charts. You must add each chart
individually:
• appcrtl.Dist.Type.last24h
• appcrtl.Users.Media.last24h
• appcrtl.Users.Web.last24h
• appcrtl.Top10.Apps.Used.last24h
• appcrtl.Top10.Media.Dest.last24h
• appcrtl.Top10.Media.Source.last24h
• appcrtl.Top10.Apps.Bandwidth.last24h
10 In Component Type, select Image, and then select the organization’s image.
11 After the layout is complete, on the Layout page, highlight the report and select Run.
The following message appears:
Report On-Demand-Network application usage on our network-2010-
05-24-161931 has been queued; Please check its progress on
Report Access-> Disk.
12 Select Return to return to the Layout page.
13 Go to Log&Report > Report Access > Disk to view the status of the report.
This handbook chapter describes concepts of troubleshooting and solving issues that may
occur with FortiGate units.
This FortiOS Handbook chapter contains the following sections:
Troubleshooting process walks you through best practice concepts of FortiOS
troubleshooting.
Troubleshooting tools describes some of the basic commands and parts of FortiOS that
can help you with troubleshooting.
Technical Support Organization Overview describes how Fortinet Support operates, what
they will need from you if you contact them, and what you can expect in general.
Troubleshooting connectivity walks you through some troubleshooting methods that apply
to common issues you may have such as network connectivity problems.
Troubleshooting get commands provides a list of diagnostic commands that can help you
troubleshoot your FortiOS unit.
Troubleshooting bootup issues addresses some potential problems your unit may have
when booting up. The format is an easy to follow step by step question and answer format.
Establish a baseline
Note that many of these questions are some form of comparing the current situation to
normal operation. For this reason it is recommended that you know what your normal
operating status is. This can easily be accomplished through logs, or regularly running
information gathering commands and saving the output. Then when there is a problem,
this regular operation data will enable you to determine what is different.
It is a good idea to backup the FortiOS configuration for your unit on a regular basis. Apart
from troubleshooting, if you accidently change something the backup can help you restore
normal operation quickly and easily.
Some simple commands that you can run to get normal operating data include:
These commands are just a sample. Feel free to include any extra information gathering
commands that apply to your system, for example if you regularly have active VPN
connections you should record information about them using the get vpn series of
commands. See “Troubleshooting get commands” on page 687.
Before you can solve a problem, you need to understand it. Often this step can be the
longest in this process.
Ask questions such as:
• What is not working? Be specific.
• Is there more than one thing not working?
• Is it partly working? If so, what parts are working?
• Is it a connectivity issue? or is there an application that isn’t reaching the
Internet?
Be as specific as possible with your answers, even if it takes awhile to find the answers.
These questions will help you define the problem. Once the problem is defined, you can
search for a solution and then create a plan on how to solve it.
Gathering Facts
Fact gathering is an important part of defining the problem.
Consider the following:
• Where did the problem occur?
• When did the problem occur and to whom?
• What components are involved?
• What is the affected application?
• Can the problem be traced using a packet sniffer?
• Can the problem be traced in the session table?
• Can log files be obtained that indicate a failure has occurred?
Answers to these questions will help you narrow down the problem, and what you have to
check during your troubleshooting. The more things you can eliminate, the fewer things
you need to check during troubleshooting.
Technical Documentation
Installation Guides, Administration Guides, Quick Start Guides, and other technical
documents are available online at the following URL:
http://docs.fortinet.com
Release Notes
Issues that are uncovered after the technical documentation has been published will often
be listed in the Release Notes that accompany the device.
Knowledge Center
The Fortinet Knowledge Center provides access to a variety of articles, white papers, and
other documentation providing technical insight into a range of Fortinet products. The
Knowledge Center is available online at the following URL:
http://kc.fortinet.com
Be ready to add to your plan as needed. After you are part way through, you may discover
that you forgot some tests or a test you performed discovered new information. This is
normal.
Also if you contact support, they will require information about your problem as well as
what you have already tried to fix the problem. This should all be part of your plan.
FortiOS Diagnostics
A collection of diagnostic commands are available in FortiOS for troubleshooting and
performance monitoring.
Within the CLI commands, the two main groups of diagnostic commands are get and
diagnose commands. Both commands display information about system resources,
connections, and settings that enable you to locate and fix problems, or to monitor system
performance.
When you call Fortinet Customer Support, you will be asked to provide information about
your unit and its current state through the use of these CLI commands.
This section includes diagnostics commands to help with:
• Resource Usage
• Processes
• Proxy Operation
• Hardware NIC
• Conserve Mode
• Traffic Trace
• Session Table
• Finding Object Dependencies
• Flow Trace
• Packet Sniffer
• Debug Command
Additional diagnostic commands are covered in “Troubleshooting get commands” on
page 687, and commands related to specific features are covered in the chapter for that
specific feature. For example in-depth diagnostics for dynamic routing are covered in the
dynamic routing chapter.
Resource Usage
Monitor the CPU/memory usage of internal processes using the following command:
diag sys top <delay> <max_lines>
The data listed includes the name of the daemon, the process ID, whether the process is
sleeping or running, the CPU percentage being used, and the memory percentage being
used.
Processes
List information about processes running on the FortiGate unit using the following
command:
diag sys top
Sample output:
Run Time: 13 days, 13 hours and 58 minutes
0U, 0S, 98I; 123T, 25F, 32KF
newcli 903 R 0.5 5.5
sshd 901 S 0.5 4.0
Where the codes displayed on the second output line mean the following:
• U is % of user space applications using CPU. In the example, 0U means 0% of the user
space applications are using CPU.
• S is % of system processes (or kernel processes) using CPU. In the example, 0S
means 0% of the system processes are using the CPU.
• I is % of idle CPU. In the example, 98I means the CPU is 98% idle.
• T is the total FortiOS system memory in Mb. In the example, 123T means there are
123 Mb of system memory.
• F is free memory in Mb. In the example, 25F means there is 25 Mb of free memory.
• KF is the total shared memory pages used. In the example, 32KF means the system is
using 32 shared memory pages.
Each additional line of the command output displays information for each of the processes
running on the FortiGate unit. For example, the third line of the output is:
newcli 903 R 0.5 5.5
Where:
• newcli is the process name. Other process names can include ipsengine, sshd,
cmdbsrv, httpsd, scanunitd, and miglogd.
• 903 is the process ID. The process ID can be any number.
• R is the state in which the process is running. The process state can be:
R running.
S sleep.
Z zombie.
D disk sleep.
• 0.5 is the amount of CPU that the process is using. CPU usage can range from 0.0 for
a process that is sleeping to higher values for a process that is taking a lot of CPU time.
• 5.5 is the amount of memory that the process is using. Memory usage can range from
0.1 to 5.5 and higher.
Enter the following single-key commands when diagnose sys top is running:
• Press q to quit.
• Press p to sort the processes by the amount of CPU that the processes are using.
• Press m to sort the processes by the amount of memory that the processes are using.
Proxy Operation
Monitor proxy operations using the following command:
diag test application <application> <option>
The <application> value can include the following:
ftpd ftp proxy
http http proxy
im im proxy
imap imap proxy
ipsengine ips sensor
ipsmonitor ips monitor
pop3 pop3 proxy
smtp smtp proxy
urlfilter urlfilter daemon
The <option> value for use with this command can include:
1 Dump Memory Usage
2 Drop all connections
4 Display connection state *
44 Display info per connection *
444 Display connections per state *
5 Toggle AV Bypass mode
6 Toggle Print Stat mode every ~40 seconds
7 Toggle Backlog Drop
8 Clear stats
88 Toggle statistic recording - stats cleared
9 Toggle Accounting info for display
99 Restart proxy
These commands, except for the ones identified with an “*”, should only be used under the
guidance of Fortinet Support.
Hardware NIC
Monitor hardware network operations using the following command:
diag hardware deviceinfo nic <interface>
The information displayed by this command is important as errors at the interface are
indicative of data link or physical layer issues which may impact the performance of the
FortiGate unit.
The following is sample output when <interface> = internal:
System_Device_Name port5
Current_HWaddr 00:09:0f:68:35:60
Permanent_HWaddr 00:09:0f:68:35:60
Link up
Speed 100
Duplex full
[……]
Rx_Packets=5685708
Tx_Packets=4107073
Rx_Bytes=617908014
Tx_Bytes=1269751248
Rx_Errors=0
Tx_Errors=0
Rx_Dropped=0
Tx_Dropped=0
[…..]
Hardware Troubleshooting
Field Definition
Rx_Errors = rx error Bad frame was marked as error by PHY.
count
Rx_CRC_Errors + This error is only valid in 10/100M mode.
Rx_Length_Errors -
Rx_Align_Errors
Rx_Dropped or Running out of buffer space.
Rx_No_Buffer_Count
Rx_Missed_Errors Equals Rx_FIFO_Errors + CEXTERR (Carrier Extension Error Count).
Only valid in 1000M mode, whichis marked by PHY.
Tx_Errors = ECOL (Excessive Collisions Count). Only valid in half-duplex mode.
Tx_Aborted_Errors
Tx_Window_Errors LATECOL (Late Collisions Count). Late collisions are collisions that
occur after 64-byte time into the transmission of the packet while
working in 10 to100Mb/s data rate and 512-byte timeinto the
transmission of the packet while working in the 1000Mb/s data rate. This
register only increments if transmits are enabled and the device is in
half-duplex mode.
Rx_Dropped See Rx_Errors.
Tx_Dropped Not defined.
Collisions Total number of collisions experienced by the transmitter. Valid in half-
duplex mode.
Rx_Length_Errors Transmission length error.
Rx_Over_Errors Not defined.
Rx_CRC_Errors Frame CRC error.
Rx_Frame_Errors Same as Rx_Align_Errors. This error is only valid in 10/100M mode.
Rx_FIFO_Errors Same as Rx_Missed_Errors - a missed packet count.
Tx_Aborted_Errors See Tx_Errors.
Tx_Carrier_Errors The PHY should assert the internal carrier sense signal during every
transmission. Failure to do so may indicate that the link has failed or the
PHY has an incorrect link configuration. This register only increments if
transmits are enabled. This register is not valid in internal SerDes 1
mode (TBI mode for the 82544GC/EI) and is only valid when the
Ethernet controller is operating at full duplex.
Tx_FIFO_Errors Not defined.
Tx_Heartbeat_Errors Not defined.
Tx_Window_Errors See LATECOL.
Tx_Single_Collision_Fr Counts the number of times that a successfully transmitted packed
ames encountered a single collision. The value only increments if transmits
are enabled and the Ethernet controller is in half-duplex mode.
Tx_Multiple_Collision_ A Multiple Collision Count which counts the number of times that a
Frames transmit encountered more than one collision but less than 16. The
value only increments if transmits are enabled and the Ethernet
controller is in half-duplex mode.
Tx_Deferred Counts defer events. A defer event occurs when the transmitter cannot
immediately send a packet due to the medium being busy because
another device is transmitting, the IPG timer has not expired, half-duplex
deferral events are occurring, XOFF frames are being received, or the
link is not up. This register only increments if transmits are enabled. This
counter does not increment for streaming transmits that are deferred
due to TX IPG.
Rx_Frame_Too_Longs The Rx frame is over size.
Rx_Frame_Too_Shorts The Rx frame is too short.
Rx_Align_Errors This error is only valid in 10/100M mode.
Symbol Error Count Counts the number of symbol errors between reads - SYMERRS. The
count increases for every bad symbol received, whether or not a packet
is currently being received and whether or not the link is up. This register
only increments in internal SerDes mode.
Note: The counters displayed depend on the type of NIC interface. Please see the
following website for more information:
http://kc.forticare.com/default.asp?id=1979&Lang=1&SID=
Conserve Mode
The FortiOS antivirus/IPS system operates in one of two modes, depending on the unit’s
available shared memory. If the shared memory utilization is below a defined upper
threshold, the system is in non-conserve mode. If the used shared memory goes beyond
this threshold, the system enters conserve mode and remains there until the shared
memory utilization drops below a second threshold, slightly lower than the original. These
thresholds are non-configurable; the threshold above which the system enters conserve
mode is 80%, the system will not go back to non-conserve mode until the shared memory
usage goes below 70%.
Conserve mode occurs under high usage and traffic conditions. It is expected to be a
temporary condition that is self-correcting when bursty traffic subsides.
When in conserve mode, any new sessions are ignored (no SYN-ACK from the FortiGate
unit) or passed without being scanned.
The following is sample output from the event log:
66 2008-04-16 14:01:31 critical The system has entered system
conserve mode
Antivirus Failopen
Dealing with high traffic volume may cause the problem dealing with low memory
situations or when dealing with connection pool limits affecting a single proxy. If a
FortiGate unit is receiving large volumes of traffic on a specific proxy, it is possible that the
unit will exceed the connection pool limit. If the number of free connections within a proxy
connection pool reaches zero, problems may occur.
Antivirus failopen is a safeguard feature that determines the behavior of the FortiGate
antivirus system if it becomes overloaded in high traffic. The feature is configurable only
though the CLI.
config system global set av_failopen {off|one-shot|pass
|idledrop}
av-failopen-session controls the behavior when the proxy connection pool is
exhausted. Again in this case, the FortiGate unit does not send the SYN-ACK. Failopen is
only available on FortiGate models 300A and higher. On other lower FortiGate models, the
failopen action is configured to pass.
The set av-failopen command has the following four options:
• off
If the FortiGate unit enters conserve mode, the antivirus system will stop accepting
new AV sessions but will continue to process current active sessions.
• one-shot
If the FortiGate unit enters conserve mode, all subsequent connections bypass the
antivirus system but current active sessions will continue to be processed. One-shot is
similar to pass but will not automatically turn off once the condition causing av-failopen
has stopped.
• idledrop
When configured in this mode, the antivirus failopen mechanism will drop connections
based on the clients that have the most open connections.
• pass
Pass becomes the default setting when the av-failopen-session command has
been run. If the system enters conserve mode, connections bypass the antivirus
system until the system enters non-conserve mode again. Current active sessions will
continue to be processed.
Note: The one-shot and pass options do not content filter traffic. Therefore, the data
stream could contain malicious content.
Traffic Trace
Traffic tracing allows a specific packet stream to be followed.
View the characteristics of a traffic session though specific firewall policies using:
diag sys session
Trace per-packet operations for flow tracing using:
diag debug flow
Trace per-Ethernet frame using:
diag sniffer packet
Session Table
The FortiGate session table can be viewed from either the CLI or Web Config. The most
useful troubleshooting data comes from the CLI. The session table in Web Config also
provides some useful summary information, particularly the current policy number that the
session is using.
In Web Config, click Add Content and select Top Sessions. In the Top Sessions pane, click
the Details link. (If there are not enough entries in the session table, try browsing to a
different web site and re-examine the table.) The Policy ID shows which firewall policy
matches the session. The sessions that do not have a Policy ID entry originate from the
FortiGate device.
The session table output from the CLI (diag system session list) is very verbose,
so even on a system with a small load, displaying the session table will generate a large
amount of output. For this reason, filters are used to display only the session data of
interest.
Filter a column in Web Config by clicking the funnel icon on the column heading or from
the CLI by creating a filter.
An entry is placed in the session table for each traffic session passing through a firewall
policy. The following command will list the information for a session in the table:
diag sys session list
Sample Output:
session info: proto=6 proto_state=05 expire=89 timeout=3600
flags=00000000 av_idx=0 use=3
bandwidth=204800/sec guaranteed_bandwidth=102400/sec
traffic=332/sec prio=0 logtype=session ha_id=0 hakey=4450
tunnel=/
state=log shape may_dirty
statistic(bytes/packets/err): org=3408/38/0 reply=3888/31/0
tuples=2
orgin->sink: org pre->post, reply pre->post oif=3/5
gwy=192.168.11.254/10.0.5.100
hook=post dir=org act=snat 10.0.5.100:1251-
>192.168.11.254:22(192.168.11.105:1251)
hook=pre dir=reply act=dnat 192.168.11.254:22-
>192.168.11.105:1251(10.0.5.100:1251)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 domain_info=0 auth_info=0 ftgd_info=0 ids=0x0 vd=0
serial=00007c33 tos=ff/ff
Since output can be verbose, the filter option allows specific information to be displayed,
for example:
diag sys session filter <option>
The <option> values available include the following:
clear clear session filter
dport dest port
dst destination IP address
negate inverse filter
policy policy ID
proto protocol number
sport source port
src source IP address
vd index of virtual domain. -1 matches all
Even though UDP is a sessionless protocol, the FortiGate unit still keeps track of the
following two different states:
• UDP reply not seen with a value of 0
• UDP reply seen with a value of 1
The following illustrates FW session states from the session table:
State Meaning
log Session is being logged.
local Session is originated from or destined for local stack.
ext Session is created by a firewall session helper.
may_dirty Session is created by a policy. For example, the session for ftp
control channel will have this state but ftp data channel will
not. This is also seen when NAT is enabled.
ndr Session will be checked by IPS signature.
nds Session will be checked by IPS anomaly.
br Session is being bridged (TP) mode.
For example, to verify which objects are referred to in a firewall policy with an ID of 1, enter
the command as follows:
diag sys checkused firewall.policy.policyid 1
To show all the dependencies for an interface, enter the command as follows:
diag sys checkused system.interface.name <interface name>
Sample Output:
entry used by table firewall.address:name '10.98.23.23_host’
entry used by table firewall.address:name 'NAS'
entry used by table firewall.address:name 'all'
entry used by table firewall.address:name 'fortinet.com'
entry used by table firewall.vip:name 'TORRENT_10.0.0.70:6883'
entry used by table firewall.policy:policyid '21'
entry used by table firewall.policy:policyid '14'
entry used by table firewall.policy:policyid '19'
In this example, the interface has dependent objects, including four address objects, one
VIP, and three firewall policies.
Flow Trace
To trace the flow of packets through the FortiGate unit, use the following command:
diag debug flow trace start
Enable the output to be displayed to the CLI console using the following command:
diag debug flow show console
Start flow monitoring with a specific number of packets using this command:
diag debug flow trace start <N>
The following is an example of the flow trace for the device at the following IP address:
203.160.224.97
diag debug enable
diag debug flow filter addr 203.160.224.97
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 100
Packet Sniffer
Details within packets passing through particular interfaces can be displayed using the
packet sniffer with the following command:
diag sniffer packet <interface> <filter> <verbose> <count>
The <interface> value can be any physical or virtual interface name. Use any for all
interfaces.
The <filter> value limits the display of packets using filters, including Berkeley Packet
Filtering (BPF) syntax.
'[[src|dst] host<host_name_or_IP1>] [[src|dst]
host<host_name_or_IP2>] [[arp|ip|gre|esp|udp|tcp] [port_no]]
[[arp|ip|gre|esp|udp|tcp] [port_no]]‘
If a second host is specified, only the traffic between the two hosts will be displayed.
Use flexible, logical filters for the packet sniffer or none. For example, to print UDP 1812
traffic between host1 and either host2 or host3, use the following:
'udp and port 1812 and host host1 and \( host2 or host3 \)‘
The <verbose> option allows different levels of information to be displayed. The verbose
levels include:
1 Print header of packets
2 Print header and data from the IP header of the packets
3 Print header and data from the Ethernet header of the packets
4 Print header of packets with interface name
5 Print header and data from ip of packets with interface name
6 Print header and data from ethernet of packets with interface
The <count> value indicates the number of packets the sniffer needs before stopping.
A script to convert FortiGate sniffer output to the PCAP format is available from Fortinet at
the following address:
http://kc.forticare.com/default.asp?id=1186&SID=&Lang=1
Debug Command
Debug output provides continuous, real-time event information. Debugging output
continues until it is explicitly stopped or until the unit is rebooted. Debugging output can
affect system performance and will be continually generated even though output might not
be displayed in the CLI console.
Debug information displayed in the console will scroll in the console display and may
prevent CLI commands from being entered, for example, the command to disable the
debug display. To turn off debugging output as the display is scrolling by, press the Ç key
to recall the recent diag debug command, press backspace, and type “0”, followed by
Enter.
Debug output display is enabled using the following command:
diag debug enable
When finished examining the debug output, disable it using:
diag debug disable
Once enabled, indicate the debug information that is required using this command:
diag debug <option> <level>
Debug command options include the following:
application application
authd authentication daemon
cli debug cli
console console
crashlog crash log info
disable disable debug output
enable enable debug output
flow trace packet flow in kernel
haproxy haproxy
info show active debug level settings
kernel kernel
rating display rating info
report report for tech support
reset reset all debug level to default
The debug level can be set at the end of the command. Typical values are 2 and 3, for
example:
diag debug application DHCPS 2
diag debug application spamfilter 2
Fortinet support will advise which debugging level to use.
Timestamps can be enabled in the debug output using the following command:
diag debug console timestamp enable
Other Commands
ARP Table
To view the ARP cache, use the following command:
get sys arp
To remove all entries associated with a particular interface, use this command:
diag ip arp flush <interface name>
If all devices have the same time, it helps to correlate log entries from different devices.
FortiGate Ports
In the TCP and UDP stacks, there are 65 535 ports available for applications to use when
communicating with each other. Many of these ports are commonly known to be
associated with specific applications or protocols. These known ports can be useful when
troubleshooting your network.
Use the following ports while troubleshooting the FortiGate device:
Port(s) Functionality
UDP 53 DNS lookup, RBL lookup
UDP 53 or UDP FortiGuard Antispam or Web Filtering rating lookup
8888
UDP 53 FDN Server List - source and destination port numbers vary by
(default) or UDP originating or reply traffic. See the article “How do I troubleshoot
8888 and UDP performance issues when FortiGuard Web Filtering is enabled?” in the
Knowledge Center.
1027 or UDP
1031
UDP 123 NTP Synchronization
UDP 162 SNMP Traps
UDP 514 Syslog - All FortiOS versions can use syslog to send log messages to
remote syslog servers. FortiOS v2.80 and v3.0 can also view logs
stored remotely on a FortiAnalyzer unit.
TCP 22 Configuration backup to FortiManager unit or FortiGuard Analysis and
Management Service.
TCP 25 SMTP alert email, encrypted virus sample auto-submit
TCP 389 or TCP LDAP or PKI authentication
636
TCP 443 FortiGuard Antivirus or IPS update - When requesting updates from a
FortiManager unit instead of directly from the FDN, this port must be
reconfigured as TCP 8890.
TCP 443 FortiGuard Analysis and Management Service
TCP 514 FortiGuard Analysis and Management Service log transmission (OFTP)
TCP 541 SSL Management Tunnel to FortiGuard Analysis and Management
Service (FortiOS v3.0 MR6 or later)
TCP 10151 FortiGuard Analysis and Management Service contract validation
TCP 514 Quarantine, remote access to logs and reports on a FortiAnalyzer unit,
device registration with FortiAnalyzer units (OFTP)
TCP 1812 RADIUS authentication
Diagnostic Commands
FortiAnalyzer/FortiManager Ports
If you have a FortiAnalyzer unit or FortiManager unit on your network you may need to use
the following ports for troubleshooting network traffic.
Functionality Port(s)
DNS lookup UDP 53
NTP synchronization UDP 123
Windows share UDP 137-138
SNMP traps UDP 162
Syslog, log forwarding UDP 514
Log and report upload TCP 21 or TCP 22
SMTP alert email TCP 25
User name LDAP queries for reports TCP 389 or TCP 636
RVS update TCP 443
RADIUS authentication TCP 1812
Log aggregation client TCP 3000
Note: For more information about FortiAnalyzer/FortiManager ports, see the Fortinet
Knowledge Center at the following address:
http://kc.forticare.com/default.asp?SID=&Lang=1&id=773.
FortiGuard Troubleshooting
The diag debug rating command shows the list of FDS servers the FortiGate unit is
using to send web filtering requests. Rating requests are only sent to the server on the top
of the list in normal operation. Each server is probed for RTT every two minutes.
diagnose debug rating
Sample Output:
Locale : english
License : Contract
Expiration : Thu Oct 9 02:00:00 2008
Hostname : a.b.c.d
-=- Server List (Mon Feb 18 12:55:48 2008) -=-
Output Details
The following flags in diag debug rating indicate the server status:
• D - the server was found through the DNS lookup of the hostname. If the hostname
returns more than one IP address, all of them will be flagged with D and will be used
first for INIT requests before falling back to the other servers.
• I - the server to which the last INIT request was sent.
• F - the server has not responded to requests and is considered to have failed.
• T - the server is currently being timed.
Calculating Weight
The weight for each server increases with failed packets and decreases with successful
packets. To lower the possibility of using a remote server, the weight is not allowed to dip
below a base weight, calculated as the difference in hours between the FortiGate unit and
the server times 10. The further away the server is, the higher its base weight and the
lower in the list it will appear.
Note: The output for the diag debug rating command will vary based on the state
of the FortiGate device.
The following output is from a FortiGate device that has no DNS resolution for
service.fortiguard.net.
If only three IP addresses appear with the D flag, it means that DNS is good but probably
the FortiGuard ports (53,8888) are blocked.
When the license is expired, an INIT request will be sent every 10 minutes for up to six
attempts. If a license is not found after this limit is reached, the INIT requests will be sent
every day.
A low source port number may appear which means that port 1024 and 1025 could be
blocked on the path to the FDS. Increase the source port on the FortiGate device with the
following commands:
config sys global
set ip-src-port-range <start-end> (Default 1024-25000)
Regional TAC
· Focused Teams
APAC AMER · Technical Support
Corporate · RMA
CSS · Customer Services
· Remote Access Labs
AMEA
24x7
Regional TAC Global Call
Handling Layer
Creating an Account
To receive technical support and service updates, Fortinet products in the organization
must be registered. The Product Registration Form on the support website will allow the
registration to be completed online.
Creating an account on the support website is the first step in registering products.
Once the account has been created, the Product Registration Form will be displayed and
the product details can be provided. Alternately, the product registration can be completed
at a later time.
Registering a Device
Complete the following steps when registering a device for support purposes:
1 Log in using the Username and Password defined when the account was created.
Reporting Problems
Problems can be reported to a Fortinet Technical Assistance Center in the following ways:
• By logging an online ticket
• By phoning a technical support center
Fortinet Partners
Fortinet Partners are entitled to priority web-based technical support. This service is
designed for partners who provide initial support to their customers and who need to open
a support ticket with Fortinet on their behalf. We strongly encourage submission and
follow up of support tickets using this service.
The support ticket can be submitted after logging into the partner website using one of the
following links using FortiPartner account details:
http://partners.fortinet.com
This link will redirect to the general Partner Extranet website. Click Support > Online
Support Ticket.
https://www.forticare.com:1443/customersupport/login/partnerlog
in.aspx
This link redirects to the Partner Online Support Ticket section also known as FortiCare.
Note: The Partner Online Support Ticket section is accessed through HTTPS on port
1443. Ensure that the firewall allows external access this port. Also note that a
customer’s Fortinet device must have a valid support contract to be able submit the
support request as a Partner.
Fortinet Customers
Fortinet customers should complete the following steps to report a technical problem
online:
1 Log in to the support web site at the following address with the account credentials
used when the account was created:
http://support.fortinet.com
2 Click View Products.
3 In the Products List, select the product that is causing the problem.
4 Complete the Create Support Ticket fields.
3 Select the appropriate ticket number. Closed tickets cannot be updated. A new ticket
must be submitted if it concerns the same problem.
4 Add a New Comment or Attachment.
5 Click Submit when complete.
Note: Every web ticket update triggers a notification to the ticket owner or ticket queue
supervisor.
Americas
• Telephone: 1-866-648-4638
• Hours: Monday to Friday 6:00 AM to 6:00 PM (Pacific Daylight Time)
EMEA
• Telephone: +33-4-898-0555
If a support call is placed outside of EMEA business hours (Monday to Friday 9:00 AM
to 6:00 PM (Central European Daylight Time)), priority 1 issues will be transferred to
another Fortinet Technical Solutions center according to the Follow the Sun policy,
meaning wherever it’s daylight, that TAC will be taking all support calls.
• Hours: Monday to Friday 9:00 AM to 6:00 PM (Central European Daylight Time)
APAC
• Telephone: +603-2711-7391
• Hours: Monday to Friday 9:00 AM to 6:00 PM (Malaysia Time)
Priority 1
This Critical priority is assigned to support cases in which:
• The network or system is down causing customers to experience a total loss of service.
• There are continuous or frequent instabilities affecting traffic-handling capability on a
significant portion of the network.
• There is a loss of connectivity or isolation to a significant portion of the network.
• This issue has created a hazard or an emergency.
Priority 2
This Major priority is assigned to support cases in which:
• The network or system event is causing intermittent impact to end customers.
• There is a loss of redundancy.
• There is a loss of routine administrative or diagnostic capability.
• There is an inability to deploy a key feature or function.
• There is a partial loss of service due to a failed hardware component.
Priority 3
This Medium priority is assigned to support cases in which:
• The network event is causing only limited impact to end customers.
• Issues seen in a test or pre-production environment exist that would normally cause
adverse impact to a production network.
• The customer is making time sensitive information requests.
• There is a successful workaround in place for a higher priority issue.
Priority 4
This Minor priority is assigned to support cases in which:
• The customer is making information requests and asking standard questions about the
configuration or functionality of equipment.
Customers must report Priority 1 and 2 issues by phone directly to the Fortinet EMEA
Support Center.
For lower priority issues, you may submit an assistance request (ticket) via the web
system.
The web ticket system also provides a global overview of all ongoing support requests.
The Product Support Details for the selected device will be displayed.
In the RMA Replacement section of the Product Support Details page, enter the serial
number of the replacement device and click RMA Replace.
This will transfer the support contract from the defective unit to the new unit with the serial
number provided.
3 “Verify the contents of the routing table (in NAT mode)” on page 682
Are there routes in the routing table for default and static routes?
Do all connected subnets have a route in the routing table?
Does a route wrongly have a higher priority than it should?
In addition to these steps, you may find other diagnose commands useful. See “Other
diagnose commands” on page 686.
Note: If ping does not work, you likely have it disabled on at least one of the interface
settings, and firewall policies for that interface.
Both ping and traceroute require particular ports to be open on firewalls, or they cannot
function. Since you typically use these tools to troubleshoot, you can allow them in the
firewall policies and on interfaces only when you need them, and otherwise keep the ports
disabled for added security.
Ping
The ping command sends a very small packet to the destination, and waits for a response.
The response has a timer that may expire, indicating the destination is unreachable. The
behavior of ping is very much like a sonar ping from a submarine, where the command
gets its name.
Ping is part of Layer-3 on the OSI Networking Model. Ping sends Internet Control
Message Protocol (ICMP) “echo request” packets to the destination, and listens for “echo
response” packets in reply. However, many public networks block ICMP packets because
ping can be used in a denial of service (DoS) attack (such as Ping of Death or a smurf
attack), or by an attacker to find active locations on the network. By default, FortiGate units
have ping enabled and broadcast-forward is disabled on the external interface.
Traceroute
Where ping will only tell you if it reached its destination and came back successfully,
traceroute will show each step of its journey to its destination and how long each step
takes. If ping finds an outage between two points, traceroute can be used to locate exactly
where the problem is.
What is traceroute
Traceroute works by sending ICMP packets to test each hop along the route. It will send
out three packets, and then increase the time to live (TTL) setting by one each time. This
effectively allows the packets to go one hop farther along the route. This is the reason why
most traceroute commands display their maximum hop count before they start tracing the
route — that is the maximum number of steps it will take before declaring the destination
unreachable. Also the TTL setting may result in steps along the route timing out due to
slow responses. There are many possible reasons for this to occur.
Traceroute by default uses UDP datagrams with destination ports numbered from 33434
to 33534. The traceroute utility usually has an option to specify use of ICMP echo request
(type 8) instead, as used by the Windows tracert utility. If you have a firewall and if you
want traceroute to work from both machines (Unix-like systems and Windows) you will
need to allow both protocols inbound through your FortiGate firewall policies (UDP with
ports from 33434 to 33534 and ICMP type 8).
Trace complete.
The first, or leftmost column, is the hop count, which cannot go over 30 hops.
The second, third, and fourth columns are how long each of the three packets takes to
reach this stage of the route. These values are in milliseconds and normally vary quite a
bit. Typically a value of “<1ms” indicates a local connection.
The fifth, or rightmost column, is the domain name of that device and its IP address or
possibly just the IP address.
To list the existing bridge MAC table, use the following command:
diagnose netlink brctl name host <name>
Sample Output:
show bridge control interface root.b host.
fdb: size=256, used=6, num=7, depth=2, simple=no
Bridge root.b host table
port no device devname mac addr ttl attributes
2 7 wan2 02:09:0f:78:69:00 0 Local Static
5 6 vlan_1 02:09:0f:78:69:01 0 Local Static
3 8 dmz 02:09:0f:78:69:01 0 Local Static
4 9 internal 02:09:0f:78:69:02 0 Local Static
3 8 dmz 00:80:c8:39:87:5a 194
4 9 internal 02:09:0f:78:67:68 8
1 3 wan1 00:09:0f:78:69:fe 0 Local Static
Note: If your FortiGate unit has NP2 interfaces that are offloading traffic, this will change
the sniffer trace. Before performing a trace on any NP2 interfaces, you should disable
offloading on those interfaces.
For a simple sniffing example, enter the CLI command diag sniffer packet port1
none 1 3. This will display the next 3 packets on the port1 interface using no filtering,
and using verbose level 1. At this verbosity level you can see the source IP and port, the
destination IP and port, action (such as ack), and sequence numbers.
In the output below, port 443 indicates these are HTTPS packets, and 172.20.120.17 is
both sending and receiving traffic.
Head_Office_620b # diag sniffer packet port1 none 1 3
interfaces=[port1]
filters=[none]
0.545306 172.20.120.17.52989 -> 172.20.120.141.443: psh
3177924955 ack 1854307757
For a more advanced example of packet sniffing, the following commands will report
packets on any interface travelling between a computer with the host name of “PC1” and
the computer with the host name of “PC2”. With verbosity 4 and above, the sniffer trace
will display the interface names where traffic enters or leaves the FortiGate unit.
Remember to stop the sniffer, type CTRL+C.
or
FGT# diagnose sniffer packet any "(host <PC1> or host <PC2>) and
icmp" 4
The following sniffer CLI command includes the ARP protocol in the filter which may be
useful to troubleshoot a failure in the ARP resolution (for instance PC2 may be down and
not responding to the FortiGate ARP requests).
Note: If your FortiGate unit has NP2 interfaces that are offloading traffic, this will change
the packet flow. Before performing the debug on any NP2 interfaces, you should disable
offloading on those interfaces.
The following configuration assumes that PC1 is connected to the internal interface of the
FortiGate unit and has an IP address of 10.11.101.200. PC1 is the host name of the
computer.
To debug the packet flow in the CLI, enter the following commands:
FGT# diag debug enable
FGT# diag debug flow filter add <PC1>
FGT# diag debug flow show console enable
FGT# diag debug flow trace start 100
FGT# diag debug enable
The start 100 argument in the above list of commands will limit the output to 100
packets from the flow. This is useful for looking at the flow without flooding your log or
display with too much information.
The following is an example of debug flow output for traffic that has no matching Firewall
Policy, and is in turn blocked by the FortiGate unit. The denied message indicates the
traffic was blocked.
id=20085 trace_id=319 func=resolve_ip_tuple_fast line=2825
msg="vd-root received a packet(proto=6,
192.168.129.136:2854->192.168.96.153:1863) from port3."
Syntax
exec tac report
Parameters
None.
Usage/Remarks
Use this command to view the information required when calling customer support.
When you run this command, it will take up to a few minutes to collect and display all the
information.
Scope: Global and Vdom
Output Example
FGT # exec tac report
----------------------------------------------------------------
Serial Number: FGT5002803033313 Diagnose output
----------------------------------------------------------------
Version: Fortigate-500 3.00,build0750,091009
Virus-DB: 8.00631(2008-01-15 14:27)
IPS-DB: 2.00461(2008-01-18 11:23)
Serial-Number: FGT5002803033313
BIOS version: 03000300
Log hard disk: Available
Hostname: FGT5002803033313
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 2 in NAT mode, 1 in TP mode
Virtual domain configuration: enable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 750
MR/Patch Information: MR7 Patch 7
System time: Tue Dec 8 15:35:34 2009
Syntax
get firewall iprope list <policy group number>
Parameters
<policy group > The number of the Policy Group as defined in the Web Config
menu Firewall > Policy > Policy tab.
Usage/Remarks
Use this command to view the view the rules defined for a Policy Group. This is useful to
understand the behavior of the Policy Group per protocol.
Scope: Vdom
Output Example
FGT # get firewall iprope list 1
policy flag (20): auth
flag2 (0): imflag: sockport: 0 action: accept index: 0
schedule() group=00000001 av=00000000 au=00000000 vip=00000000
host=0 misc=0 grp_info=0 seq=0 hash=0
tunnel=
zone(1): 0 ->zone(1): 0
source(1): 0.0.0.0-255.255.255.255,
dest(1): 0.0.0.0-255.255.255.255,
source wildcard(0):
destination wildcard(0):
service(1):
[17:0x0:0/(0,65535)->(53,53)]
Syntax
get firewall iprope appctrl list
get firewall iprope appctrl status
Parameters
Usage/Remarks
Use this command to view the view the rules defined for peer to peer, or the status of
those rules.
Scope: Vdom
Output Example
FGT # get firewall iprope appctrl list
app-id=17953 list-id=2004 action=Pass
app-id=17954 list-id=2004 action=Pass
app-id=17956 list-id=2004 action=Pass
app-id=17957 list-id=2004 action=Pass
app-id=107347980 list-id=2004 action=Pass
app-id=108855300 list-id=2004 action=Pass
app-id=109051910 list-id=2004 action=Pass
app-id=109051912 list-id=2004 action=Pass
Keyword/Variable Description
list Display all the application IDs, which list they are in by ID, and the action
taken for each application.
status Display the number of ipropes for application control tables, lists,
applications, and traffic shapers.
Syntax
get firewall proute
Parameters
None.
Usage/Remarks
Use this command to view the policy routes configured on this unit’s current VDOM.
Scope: Vdom
Output Example
FGT # get firewall proute
Keyword/Variable Description
vf The current virtual domain (VDOM). All policy routes for this VDOM are
displayed.
iff Incoming interface
src The source IP and netmask for incoming traffic to be matched to the
policy
tos Type of service bit pattern in hexadecimal. This is matched and is good
for a specific TOS.
tos_mask Type of service bit mask in hexadecimal. Masks out unwanted bits. This
is good for matching multiple TOS values.
dst The destination IP and netmask for incoming traffic to be matched to the
policy.
protocol The protocol number to be matched.
port The range of ports to match for incoming traffic.
oif Outgoing interface where traffic is being directed to.
gwy Outgoing gateway where traffic is being directed to
Syntax
get hardware cpu
Parameters
Usage/Remarks
Use this command to view the specifications about all CPUs on the FortiGate unit.
Scope: Global
Output Example
FGT # get hardware cpu
Description sundance Ethernet driver1.01+LK1.21
chip_id 6
IRQ 5
System_Device_Name wan1
Current_HWaddr 00:09:0f:78:71:32
Permanent_HWaddr 00:09:0f:78:71:32
State up
Link up
Speed 100
Duplex full
Rx_Packets 52377
Tx_Packets 53098
Rx_Packets 47029877
Tx_Bytes 7199983
Collisions 0
Rx_Missed_Errors 0
Tx_Carrier_Errors 0
Keyword/Variable Description
Description Name of the network driver.
chip_id Id of the chipset
IRQ IRQ
System_Device_Name Network device name (i.e. The physical interface name).
Current_HWaddr Current MAC address.
Permanent_HWaddr Permanent MAC address.
State Administrative status (up/down).
Link Link status (up/down).
Speed Negotiated or configured network speed.
Duplex Negotiator configured duplex mode.
Rx_Packets Packets' number received by the network device.
Tx_Packets Packets number transmitted by the network device.
Rx_Packets Amount of bytes received on the interface.
Tx_Bytes Amount of bytes sent from this interface.
Collisions Number of collisions usually due mostly to incorrect incorrect speed or
duplex settings.
Rx_Missed_Errors Equals Rx_FIFO_Errors + CEXTERR (Carrier Extension Error Count).
Only valid in 1000M mode, which is marked by PHY.
Tx_Carrier_Errors The PHY should assert the internal carrier sense signal during every
transmission. Failure to do so may indicate that the link has failed, or
the PHY has an incorrect link configuration. This register only
increments if transmits are enabled. This register is not valid in internal
SerDes1 mode (TBI mode for the 82544GC/EI), and is only valid when
the Ethernet controller is operating at full duplex.
Syntax
get hardware nic <interface>
Parameters
<interface> Enter the interface name. For example, internal, wan1, wan2.
Usage/Remarks
Use this command to view the interface information and statistics. This is useful when
debugging network problems on a particular interface, or providing Customer Support with
hardware information about your FortiGate unit.
Note that the output will be different for different NICs
Scope: Global
Output Example
FGT # get hardware nic wan1
Description sundance Ethernet driver1.01+LK1.21
chip_id 6
IRQ 5
System_Device_Name wan1
Current_HWaddr 00:09:0f:78:71:32
Permanent_HWaddr 00:09:0f:78:71:32
State up
Link up
Speed 100
Duplex full
FlowControl Tx off, Rx off
MTU_Size 1500
Rx_Packets 52377
Tx_Packets 53098
Rx_Packets 47029877
Tx_Bytes 7199983
Collisions 0
Rx_Missed_Errors 0
Tx_Carrier_Errors 0
Keyword/Variable Description
Description Name of the network driver.
chip_id Id of the chipset
IRQ IRQ
System_Device_Name Network device name (i.e. The physical interface name).
Current_HWaddr Current MAC address.
Permanent_HWaddr Permanent MAC address.
Keyword/Variable Description
State Administrative status (up/down).
Link Link status (up/down).
Speed Negotiated or configured network speed.
Duplex Negotiated or configured duplex mode.
Rx_Packets Packets' number received by the network device.
Tx_Packets Packets number transmitted by the network device.
Rx_Packets Amount of bytes received on the interface.
Tx_Bytes Amount of bytes sent from this interface.
Collisions Number of collisions usually due mostly to incorrect incorrect speed or
duplex settings.
Rx_Missed_Errors Equals Rx_FIFO_Errors + CEXTERR (Carrier Extension Error Count).
Only valid in 1000M mode, which is marked by PHY.
Tx_Carrier_Errors The PHY should assert the internal carrier sense signal during every
transmission. Failure to do so may indicate that the link has failed, or
the PHY has an incorrect link configuration. This register only
increments if transmits are enabled. This register is not valid in internal
SerDes1 mode (TBI mode for the 82544GC/EI), and is only valid when
the Ethernet controller is operating at full duplex.
Syntax
get hardware cpu
Parameters
None.
Usage/Remarks
Use this command to view detailed information about all CPUs on this unit. They are
numbered starting from zero. This list includes the main CPU, any NPUs, and any other
CPUs.
In addition to the brand, family, model, model name, speed and cache of the CPUs you
can also view the flags that are set which may help with advanced debugging.
Scope: Global
Output Example
FGT # get hardware cpu
processor : 0
vendor_id : GenuineIntel
cpu_family : 6
model : 8
model name : Pentium III (Coppermine)
stepping : 10
cpu Mhz : 701.596
cache size : 256 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception: yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca
cmov pat pse36 mmx fxsr sse
bogomips : 1399.19
Syntax
get hardware memory
Parameters
None.
Usage/Remarks
Use this command to view the status of the memory resources. This is useful to confirm
and identify any potential memory leaks or even to simply confirm that reduced FortiOS
performance is due to a shortage of free memory.
Scope: Global
Output Example
FGT # get hardware memory
Keyword/Variable Description
Mem Memory size.
Swap Amount of memory in the swap
MemTotal HighTotal + LowTotal = amount of memory available on the unit
MemFree Free memory on the unit
SwapCached Amount of memory out of the Swap but remaining in the cache
Active Amount of memory recently used
Inactive Amount of memory which has not been used for a while
HighTotal Amount of memory which belongs to the zone ZONE_HIGHMEM
LowFree Amount of Free memory available in the zone ZONE_NORMAL
Syntax
get hardware npu { npu1 | npu2 | npu4} ipsec-sa <dev_name>
Parameters
<dev-name>
Usage/Remarks
Use this command to view the security association for hardware acceleration.
Scope: Global
Syntax
get hardware npu { legacy | np1 | np2 | np4 } list
Parameters
Usage/Remarks
Use this command to view the NPU devices and port numbers. This is useful because
some FortiOS products contain contain network processors. Network processor features,
and therefore offloading requirements, vary by network processor model.
If the specified version of NPU is not present on this FortiOS unit, a message indicating
that will be displayed.
Scope: Global
Output Example
FGT # get hardware npu np1 list
ID Interface
0 port9 port10
ID PORTS
-- -----
1 port5
1 port6
1 port7
1 port8
ID PORTS
-- -----
2 port9
2 port10
2 port11
2 port12
ID PORTS
-- -----
3 port13
3 port14
3 port15
3 port16
Keyword/Variable Description
ID The ID of the NPU assigned to these ports.
Interface The names of the interfaces in the NPU’s paired group.
An NPU can handle either two or four ports. Any incoming traffic on this
group of ports that leaves the FortiOS unit on the same group of ports
can be handled by the NPU. Otherwise, the unit’s CPU will be involved.
PORTS The names of the ports in the NPU’s group.
Syntax
get hardware npu { legacy | np1 | np2 | np4 }performance <dev_id>
Parameters
Usage/Remarks
Use this command to view the performance numbers for NPU devices. This can be useful
when you are checking NPU traffic—either for specific problems or for network
optimization.
Network processor features, and therefore offloading requirements, vary by network
processor model.
The values displayed are generally counts for the stated values. For example BADCSUM
is the number of bad checksums encountered.
Scope: Global
Output Example
FGT # get hardware npu np2 performance 1
ISCP2 Performance:
Nr_int : 0x00000005 INTwoInd : 0x00000000 RXwoDone :
0x00000000
PKTwoEnd : 0x00000000 PKTCSErr : 0x00000000
PKTidErr : 0x00000000 PHYInt : 0x0/0x0/0x0/0x0
CSUMOFF : 0x00000000 BADCSUM : 0x00000000 MSGINT :
0x00000000
IPSEC : 0x00000000 IPSVLAN : 0x00000000 SESMISS :
0x00000000
TOTUP : 0x00000000 TCPPLTOT : 0x00000000 TCPPLBADCT:
0x00000000
TCPPLBADL: 0x00000000 TCPPLSESI : 0x00000000 TCPPLSESR :
0x00000000
TCPPLBD : 0x00000000 TXInt : 0x0/0x0/0x0/0x0 RxI : 0x0
BDEmpty : 0x0/0x0/0x0/0x0 Congest: 0x0/0x0/0x0/0x0
TMM_Busy : 0x0
Poll List: 0 0 0 0
MSG Performance:
TOTMSG : 0x00000000 BADMSG : 0x00000000 TOUTMSG :
0x00000000 MSGLostEvent : 0x00000000
QUERY : 0x00000000 TAE : 0x00000000
SAEXP-SN : 0x00000000 SAEXP-TRF : 0x00000000 OUTUPD :
0x00000000 INUPD : 0x00000000
NULLTK: 0x00000000
NAT Performance: BYPASS (Enable) BLOCK (Disable)
Syntax
get hardware npu { legacy | np1 | np2 | np4 }status <dev_id>
Parameters
{ legacy | np1 | Specify which level of NPU interfaces are to be displayed.
np2 | np4 }
<dev_id> NPU ID number. If you are unsure you can enter a “?” to get a list
of available valid NPU ID numbers.
Usage/Remarks
Use this command to display the status of the interfaces attached to the NPU. This can be
useful for advanced users to debug traffic on the NPU interfaces.
If you enter an NPU or device ID that doesn’t exist, an error message stating that it was na
invalid NPU ID will be displayed.
Scope: Global
Output Example
FGT # get hardware np2 status 1
NP2 Status
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: c2160644, 00000000, 00000000,
00000000
Port c2160644 Id 0 Status Down ictr 4
desc = c2232000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf c2160100
Interface c2160250 netdev c2168c00 1 Name port6
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: c21606f8, 00000000, 00000000,
00000000
Port c21606f8 Id 1 Status Down ictr 0
desc = c2126000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf c2160250
Interface c21603a0 netdev c2168800 2 Name port7
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: c21607ac, 00000000, 00000000,
00000000
Port c21607ac Id 2 Status Down ictr 0
desc = c2123000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf c21603a0
Interface c21604f0 netdev c2168400 3 Name port8
PHY: Attached
LB Mode 0 LB IDX 0/1 LB Ports: c2160860, 00000000, 00000000,
00000000
Port c2160860 Id 3 Status Down ictr 0
desc = c2122000
desc_size = 0x00001000 count = 0x00000100
nxt_to_u = 0x00000000 nxt_to_f = 0x00000000
Intf c21604f0
NAT Information:
cmdq_qw = 0x2000 cmdq = c2140000
head = 0x5 tail = 0x5
APS (Enabled) information:
Session Install when TMM TSE OOE: Disable
Session Install when TMM TAE OOE: Disable
IPS anomaly check policy: Follow config
MSG Base = c2130000 QL = 0x1000 H = 0x0
Syntax
get hardware status
Parameters
None.
Usage/Remarks
Use this command to get basic information about your unit’s hardware. This is a short list
that can be used to help guide troubleshooting efforts, especially by customer service. For
example if there is supposed to be compact flash memory available but this command
shows 0MB available, then you know there is a hardware problem with the memory.
Scope: Global
Output Example
FGT # get hardware status
Model name: Fortigate-3810A
ASIC version: CP6
ASIC SRAM: 64M
CPU: 02/21
RAM: 3532 MB
Compact Flash: 122 MB /dev/hda
USB Flash: not available
Network Card chipset: Broadcom 570x Tigon3 Ethernet Adapter
(rev.0x8003)
Network Card chipset: Intel(R) PRO/1000 Network Connection
(rev.0006)Related Commands
Syntax
get ips session
Parameters
None.
Usage/Remarks
Viewing the IPS session status allows you to see if traffic is checked by the IPS engine
and if the IPS engine is working as expected. You can see the type of traffic and how
many sessions are being processed by the IPS engine. You can also see how much
memory the IPS engine is using.
Scope: Vdom
Output Example
FGT # get ips session
SYSTEM:
memory capacity 73400320
memory used 3982780
Syntax
get router info kernel
Parameters
None.
Usage/Remarks
Use this command to view the kernel routing table. Almost all computers and network
devices connected to Internet use routing tables to compute the next hop for a packet. It is
electronic table that is stored in a router or a networked computer. The routing table stores
the routes to particular network destinations. This information contains the topology of the
network immediately around it. The construction of routing table is the primary goal of
routing protocols and static routes.
Scope: Vdom
Output Example
FGT # get router info kernel
tab=254 vf=2 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0-
>192.168.0.0/24 pref=0.0.0.0 gwy=9.1.1.1 dev=5(port1)
Keyword/Variable Description
192.168.0.0/24 The destination network or destination host.
gwy=9.1.1.1 The gateway address for the next hop.
dev=5(port1) Interface to which packets for this route is sent.
Syntax
get system arp
Parameters
None.
Usage/Remarks
This command is useful to view or alter the contents of the kernel's ARP tables. For
example when you suspect a duplicate Internet address is the cause for some intermittent
network problem.
This command is not available in multiple VDOM mode.
Scope: Vdom
Output Example
FGT # get system arp
Address Age(min) Hardware Addr Interface
172.20.120.16 0 00:0d:87:5c:ab:65 internal
172.20.120.138 0 00:08:9b:09:bb:01 internal
Keyword/Variable Description
Address The IP address that is linked to the MAC address. The default is
0.0.0.0
Age Current duration of the ARP entry in minutes. The default is 0.
Hardware Addr The hardware, or MAC address, to link with this IP
address. The default is 00:00:00:00:00:00:
Interface The physical interface the address is on.
Syntax
get system auto-update status
get system auto-update versions
Parameters
None.
Usage/Remarks
Use this command when you need to view the current antivirus and IPS status from the
FortiGate.
The status command is used to test the current connectivity status, and can retrieve
configuration information, such as Push Updates, Update schedules, or other parameters
related to the FortiGuard service operation.
The versions command provides extended information about each FortiGuard component
and its version, build number, contract expiry date, last update attempts and results.
These commands also allow the user to check whether the FortiGate is running the latest
AV and IPS packages.
Scope: Global
Output Example
FGT # get system auto-update status
FDN availabilty: available at Mon May 26 20:16:43 2008
Keyword/Variable Description
Push address override If push update is enabled, specify wether the Fortigate override
address feature is enabled or disabled.
Possible values are: enable/disable.
If enabled, a new line is displayed showing the FDS IP address
and the TCP port (a.b.c.d:port) defined in the configuration.
Example:
Push address override: enable
Address: 10.0.0.2:9443
Web proxy tunneling Specify wether FortiGate device is using a proxy to retrieve AV
and IPS definitions updates.
Possible values are: enable/disable.
If enabled, additional lines are displayed showing the proxy
settings.
Example:
Web proxy tunneling: enable
Proxy address: 10.0.0.3
Proxy port: 8890
Username: foo
Password: foo
Attack Definitions
---------
Version: 2.00720
Contract Expiry Date: n/a
Last Updated using manual update on Tue Dec 1 17:55:00 2009
Last Update Attempt: Thu Sep 16 01:37:08 2010
Result: Connectivity failure
AS Rule Set
---------
Version: 1.00001
Contract Expiry Date: n/a
Last Updated using manual update on Tue Mar 17 23:30:00 2009
Last Update Attempt: Thu Sep 16 01:37:08 2010
Result: Connectivity failure
AS Engine
---------
Version: 1.00001
Build: 0111
Contract Expiry Date: n/a
Last Updated using manual update on Tue Mar 17 23:30:00 2009
Last Update Attempt: Thu Sep 16 01:37:08 2010
Result: Connectivity failure
Vulnerability Compliance and Mangement
---------
Version: 1.00098
Contract Expiry Date: n/a
Last Updated using manual update on Thu Feb 11 16:40:00 2010
Last Update Attempt: n/a
Result: Updates Installed
Syntax
get system auto-update version
Parameters
None.
Usage/Remarks
Use this command to view the antivirus and IPS engines and definitions and license
information. This is useful in determining when the antivirus engine, virus definitions,
attack definitions, IPS attack definitions, AS Rule set, AS engine, and FDS address were
last updated, when their contracts expire, which version they are using, and the result of
the last update.
Scope: Global
Output Example
FGT # get system auto-update version
AV Engine
---------
Version: 3.003
Contract Expiry Date: n/a
Last Updated using manual update on Wed Jan 9 18:26:00 2008
Last Update Attempt: n/a
Result: Updates Installed
Virus Definitions
---------
Version: 8.631
Contract Expiry Date: n/a
Last Updated using manual update on Tue Jan 15 14:27:00 2008
Last Update Attempt: n/a
Result: Updates Installed
Attack Definitions
---------
Version: 2.461
Contract Expiry Date: n/a
Last Updated using manual update on Fri Jan 18 11:23:00 2008
Last Update Attempt: n/a
FDS Address
---------
Keyword/Variable Description
Version Version number of the engine or the definitions.
Contract Expiry Date The date the contract expires.
Last Updated using Date of the last manual update.
manual update on
Last Update Attempt The date when the last update was attempted.
Result The status of the last update.
Syntax
get system ha status
Parameters
None.
Usage/Remarks
Usually you would log into the primary unit CLI using SSH or telnet. In this case the
diagnose system ha status command displays information about the primary unit
first, and also displays the HA state of the primary unit (the primary unit operates in the
work state).
For a virtual cluster configuration, the diagnose system ha status command displays
information about how the cluster unit that you have logged into is operating in virtual
cluster 1 and virtual cluster 2. For example, if you connect to the cluster unit that is the
primary unit for virtual cluster 1 and the subordinate unit for virtual cluster 2, the output of
the diagnose system ha status command shows virtual cluster 1 in the work state and
virtual cluster 2 in the standby state. The diagnose system ha status command also
displays additional information about virtual cluster 1 and virtual cluster 2.
See the FortiGate CLI Reference Guide for more information.
Scope: Global
Output Example
FGT # get system ha status
Model: 5000
Mode: a-a
Group: 0
Debug: 0
ses_pickup: disable
load_balance: disable
schedule: round robin
Master:128 5001_Slot_4 FG50012204400045 1
Slave :100 5001_Slot_3 FG50012205400050 0
number of vcluster: 1
vcluster 1: work 10.0.0.2
Master:0 FG50012204400045
Slave :1 FG50012205400050
Keyword/Variable Description
Model The FortiGate model number.
Mode The HA mode of the cluster: a-a or a-p.
Group The group ID of the cluster.
Debug The debug status of the cluster.
ses_pickup The status of session pickup: enable or disable.
load_balance The status of the load-balance-all keyword: enable or disable.
Relevant to active-active clusters only.
schedule The active-active load balancing schedule. Relevant to active-active
clusters only.
Master Master displays the device priority, host name, serial number, and
Slave cluster index of the primary (or master) unit.
Slave displays the device priority, host name, serial number, and cluster
index of the subordinate (or slave, or backup) unit or units.
The list of cluster units changes depending on how you log into the CLI.
Usually you would use SSH or telnet to log into the primary unit CLI. In
this case the primary unit would be at the top the list followed by the
other cluster units.
If you use execute ha manage or a console connection to log into a
subordinate unit CLI, and then enter diagnose system ha status the
subordinate unit that you have logged into appears at the top of the list
of cluster units.
number of vcluster The number of virtual clusters. If virtual domains are not enabled, the
cluster has one virtual cluster. If virtual domains are enabled the cluster
has two virtual clusters.
Syntax
get system performance firewall packet-distribution
get system performance firewall statistics
Parameters
None
Usage/Remarks
Use this command to quickly see information about traffic through the firewall.
The Packet-distribution command divides network traffic into ten different packet sizes and
lists the number of packets in each category. This can help you spot hacking attempts or
optimize your network.
The Statistics command provides packet and byte counts for different major protocols and
packet types through the firewall. Packet types include TCP, UDP, ICMP, and IP.
Scope: All (Global and Vdom)
Output Example
FGT# get sys per firewall packet-distribution
getting packet distribution statistics...
0 bytes — 63 bytes: 3624747 packets
64 bytes — 127 bytes: 802612 packets
128 bytes — 255 bytes: 371774 packets
256 bytes — 383 bytes: 712180 packets
384 bytes — 511 bytes: 30691 packets
512 bytes — 767 bytes: 57220 packets
768 bytes — 1023 bytes: 23460 packets
1024 bytes — 1279 bytes: 3055 packets
1280 bytes — 1500 bytes: 64 packets
> 1500 bytes: 0 packets
Syntax
get system performance firewall packet-distribution
Parameters
None.
Usage/Remarks
Use this command to view the number of packets received in each of the listed sizes. This
can help find MTU related problems where larger packets are being split up or not
received properly.
Scope: Vdom
Output Example
FGT # get system performance firewall packet-distribution
getting packet distribution statistics...
0 bytes — 63 bytes: 979911 packets
64 bytes — 127 bytes: 241967 packets
128 bytes — 255 bytes: 183683 packets
256 bytes — 383 bytes: 15961 packets
384 bytes — 511 bytes: 16247 packets
512 bytes — 767 bytes: 10105 packets
768 bytes — 1023 bytes: 21333 packets
1024 bytes — 1279 bytes: 154 packets
1280 bytes — 1500 bytes: 236 packets
> 1500 bytes: 0 packets
Syntax
get system performance status
Parameters
Usage/Remarks
Use this command to quickly see important information about your FortiGate unit’s state.
Information includes CPU usage, memory usage, network usage, number of sessions,
viruses caught, IPS attacks blocked, and FortiGate unit uptime. These numbers provide a
quick look at how the FortiGate unit is doing. If any one number needs attention, you can
use other commands to get more information on that area.
Scope: All (Global and Vdom)
Output Example
FGT# get sys performance status
CPU states: 0% user 0% system 0% nice 100% idle
Memory states: 10% used
Average network usage: 0 kbps in 1 minute, 0 kbps in 10 minutes,
13 kbps in 30 minutes
Average sessions: 31 sessions in 1 minute, 30 sessions in 10
minutes, 31 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 44 days, 18 hours, 42 minutes
Syntax
get system performance top <delay> <max_lines>
Parameters
Usage/Remarks
Use this command when you need to view the processes running and the information
about each process. It displays as a static set of columns where the information changes
in place. To exit this display, press <Ctrl-C>.
Scope: All (Global and Vdom)
Output Example
FGT # get system performance top 5 20
Run Time: 0 days, 1 hours and 53 minutes
1U, 1S, 97I; 248T, 99F, 73KF
newcli 113 S 1.0 2.1
sshd 107 S 0.7 1.9
newcli 114 R < 0.3 2.1
thttp 48 S 0.0 5.4
ipsengine 55 S < 0.0 5.2
ipsengine 50 S < 0.0 5.2
cmdbsvr 18 S 0.0 3.7
httpsd 71 S 0.0 3.3
httpsd 92 S 0.0 3.3
httpsd 37 S 0.0 2.8
scanunitd 90 S < 0.0 2.2
scanunitd 91 S < 0.0 2.1
merged_daemons 45 S 0.0 2.1
newcli 108 S 0.0 2.1
updated 59 S 0.0 2.0
newcli 112 S < 0.0 2.0
miglogd 35 S 0.0 1.9
nsm 28 S 0.0 1.9
imd 53 S 0.0 1.8
authd 52 S 0.0 1.7
Keyword/Variable Description
Run Time Displays how long the FortiOS has been running as a string
U User CPU usage (%)
S System CPU usage (%)
Keyword/Variable Description
I Idle CPU usage (%)
T Total memory
F Free memory
KF Kernel-free memory
Column 1 Process name
Column 2 Process identification (PID)
Column 3 One letter process status.
• S: sleeping process
• R: running process
• <: high priority
Column 4 CPU usage (%)
Column 5 Memory usage (%)
Syntax
get system session-info full-stat
Parameters
None.
Usage/Remarks
Use this command to display in-depth information session info about the system’s state.
This includes session table size, expected session table size, session count, firewall error
details, and more.
Scope: Global
Output Example
FGT # get system session-info full-stat
session table: table_size=131072 max_depth=1 used=50
expect session table: table_size=2048 max_depth=1 used=2
misc info: session_count=25 exp_count=2 clash=0
memory_tension_drop=0 ephemeral=0/32752 removeable=24
delete=0, flush=0, dev_down=4/16
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
Syntax
get system session-helper
Parameters
None.
Usage/Remarks
Use this command to display if any of the pre-defined session-helpers are in use.
Scope: Global
Output Example
FGT # get system session-helper
== 1 ==
== 2 ==
== 3 ==
== 4 ==
== 5 ==
== 6 ==
== 7 ==
== 8 ==
== 9 ==
== 10 ==
== 11 ==
== 12 ==
== 13 ==
== 14 ==
== 15 ==
== 16 ==
== 17 ==
== 18 ==
== 19 ==
== 20 ==
Keyword/Variable Description
1...20 If one of the pre-defined session helpers is in use, it will be listed here.
Syntax
get system session-table list
Parameters
None.
Usage/Remarks
Use this command to display information about the current session table. This can be a
quick and easy way to troubleshoot strange connectivity issues, such as some
applications working where others will not, or connectivity to one location but not another.
The session table tells you the protocol, IP addresses on both ends, and ports.
Scope: Global
Output Example
FGT # get system session-table list
PROTO EXPIRE SOURCE SOURCE-NAT DDESTINATION DESTINATION-
NAT
tcp 3600 172.16.200.254:46586 - 172.16.200.1:23 -
Keyword/Variable Description
PROTO The protocol of the session—tcp or udp.
EXPIRE The number of seconds until the session expires.
SOURCE The source IP address and port.
SOURCE-NAT If the source IP is going through NAT, what the new address is.
DDESTINATION The destination IP address and port.
DESTINATION-NAT If the destination IP is going through NAT, what the new address is.
Syntax
get system session-table statistics
Parameters
None.
Usage/Remarks
Use this command to get more in depth information about the session table including
information about any errors.
Scope: Global
Output Example
FGT # diagnose system session-table statistics
misc info: session_count=1 exp_count=0 clash=0
memory_tension_drop=0 emphemeral=0/57344 removeable=1
delete=0, flush=0, dev_down=0/0
firewall error stat:
error1=00000000
error2=00000000
error3=00000000
error4=00000000
tt=00000000
cont=00000000
ids_recv=00000000
url_recv=00000000
av_recv=00000000
fqdn_count=00000000
tcp reset stat:
syncqf=0 acceptqf=0 no-listener=4 data=0 ses=0 ips=0
global: ses_limit=0 ses6_limit=0 rt_limit=0 rt6_limit=0
Syntax
get system session-info ttl
Parameters
None.
Usage/Remarks
Use this command to tell you the default time to live setting for sessions All sessions
created will have this length of time before they expire and need to create a new session
table entry.
Scope: Vdom
Output Example
FGT # get system session-info ttl
default : 3600
port:
Keyword/Variable Description
default The default is 1 hour.
port The session port.
Syntax
get system startup-error-log
Parameters
None.
Usage/Remarks
Use this command to view the start-up configuration errors on the console.
Scope: Global and Vdom
Output Example
FGT # get system startup-error-log
>>> config system replacemsg webproxy "http-err"
>>> set buffer "<html><head><title>%%HTTP_ERR_CODE%%
%%HTTP_ERR_DESC%%</title></head><body><font size=2><table
width=\"100%\"><tr><td bgcolor=#3300cc align=\"center\"
colspan=2><font color=#ffffff><b>%%HTTP_ERR_CODE%%
%%HTTP_ERR_DESC%%</b></font></td></tr></table><br><br>The
webserver for %%PROTOCOL%%%%URL%% reported that an error occurred
while trying to access the website. Please click <u><a
href=\"javascript:history.back()\">here</a></u> to return to the
previous page.<br><br><hr></font></body></html>"
>>> set header http
>>> set format html
Syntax
get test application <application> <level>
Parameters
Usage/Remarks
Use this command to display information about advanced FortiOS applications such as
SSL, and VoIP.
Scope: Global
Output Examples
FGT # get test application ftpd 1
Fortigate-1000#
malloc memory usage
==================
pool buffer size: 2048 count: 2143 available: 2139
total memory used by buffer pools: 4286 (kB)
total allocated (malloc/realloc) memory: 0 (kB)
shm memory usage
==================
buffer pool not initialized
total allocated memory 0
Keyword/Variable Description
Keyword/Variable Description
44 The first number is the counter of currently sessions in the connection
pool of the proxy. The second number is the maximum size of the proxy
connection pool table.
Syntax
get test application urlfilter <number>
Parameters
Usage/Remarks
Use this command to troubleshoot and work with the URL filter engine.
Scope: Global
Output Example
FGT # get system application urlfilter 3
utree_stat: keylen=223 nodes=15 leaf=11
com.cisco.www cate = 52 len=13 ch=1
dhtml_pulldown/dropdownlib-100.js cate = 52 len=33 ch=0
niffer/snifflib-100.js cate = 52 len=22 ch=0
potlight/spotlightlib-120.js cate = 52 len=28 ch=0
offer/sp/cookie.js cate = 52 len=18 ch=0
cisco_detect.js cate = 52 len=15 ch=0
flyouts.js cate = 52 len=10 ch=0
global.js cate = 52 len=9 ch=0
Syntax
get vpn status ike config
Parameters
None.
Usage/Remarks
Use this command to display all the IKE VPN configurations on your unit. It displays pretty
much all the information for them. This command can make it easy to quickly find a
particular IKE configuration you are looking for to verify a setting.
Scope: Vdom
Output Example
FGT # get vpn status ike config
vd: root/0
name: home1
serial: 3
version: 1
type: static
local: 0.0.0.0
remote: 220.100.65.98
mode: main
dpd: enable retry-count 3 interval 5000ms
auth: psk
dhgrp: 5
xauth: none
interface: external
phase2s:
home1_tunnel proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0
dhgrp 5
policies: any interface
Syntax
get vpn status ike crypto
Parameters
None.
Usage/Remarks
Use this command to confirm what cryptography is used by IKE VPN connections.
Customer service may ask for this information if they are helping you are troubleshooting
VPN issues.
Scope: Vdom
Output Example
FGT # get vpn status ike crypto
software.dh: 4 3221216544
hardware.dh: 141492682 1088762808
Syntax
get vpn status ike errors
Parameters
None.
Usage/Remarks
Use this command if you are having IKE VPN problems and you want to determine exactly
what the problems are. This command will list the number of each error. This may allow
you to see a larger pattern of errors.
Scope: Vdom
Output Example
FGT # get vpn status ike errors
limits.euthanized: 141660798
limits.blocked: 3221216504
in.truncated: 0
in.giant: 0
in.baby: 0
in.baby.float: 0
out.fail: 0
iskamp.truncated: 0
iskamp.embryonic.connection.killed: 0
iskamp.embryonic.sa.killed: 0
iskamp.established.sa.killed: 0
quick.bad-status: 0
quick.duplicate-payload: 0
quick.not-encrypted: 0
quick.decryption.fail: 632
info.truncated: 648
info.hash.missing: 2
info.hash.size: 16
info.hash.content: 1074795752
mem.fail: 3221216520 141490409 1088762548
Syntax
get vpn status ike status detailed
Parameters
None.
Usage/Remarks
Use this command to see detailed information about IKE VPN connections. This can be
useful to quickly compare VPN connections when one or some may not be working while
the others are working without problem.
Scope: Vdom
Output Example
FGT # get vpn status ike status detailed
vd: root/0
name: home1
version: 1
ISAKMP SA: created 0/0
IPsec SA: created 0/0
Syntax
get vpn status ipsec
Parameters
None.
Usage/Remarks
Use this command to display which crypto devices are used with VPN such as 3DES,
SHA1, and so on. A zero indicates that type of crypto is not used with any VPN
connections.
Scope: Vdom
Output Example
FGT # get vpn status ipsec
All ipsec crypto devices in use:
CP4:
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
SOFTWARE:
null: 0 0
des: 0 0
3des: 0 0
aes: 0 0
null: 0 0
md5: 0 0
sha1: 0 0
sha256: 0 0
Syntax
get vpn status ssl hw-acceleration-status
Parameters
None.
Usage/Remarks
Use this command to display the status of SSL hardware accelerated VPN connections.
This is useful if you need to troubleshoot a VPN connection that should be accelerated but
is not.
Scope: Vdom
Output Example
FGT # get vpn status ssl hw-acceleration-status
Acceleration hardware detected: kxp=on cipher=on
Syntax
get vpn status ssl list
Parameters
None.
Usage/Remarks
Use this command to display the status of SSL list of VPN connections.
Scope: Vdom
Output Example
FGT # diagnose vpn status ssl list
SSL VPN is disabled.
Syntax
get vpn status tunnel dialup-list <arg>
Parameters
<parameter>
Usage/Remarks
Use this command to display the status of the VPN tunnel dialup list.
Scope: Vdom
Output Example
FGT # get vpn status tunnel dialup-list <arg>
Keyword/Variable Description
Syntax
get vpn status tunnel list
Parameters
None.
Usage/Remarks
Use this command to display the status of all VPN tunnels.
Scope: Vdom
Output Example
FGT # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=phase1 ver=1 serial=1 0.0.0.0:0->10.10.10.20:0 lgwy=dyn
tun=tunnel mode=auto bound_lf=24
prooxy_id=1 child_num=0 refcnt=4 ilast=406158 olast=406158
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=phase2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=1
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=phase12 ver=1 serial=2 10.10.10.20:0->10.10.11.125:0
lgwy=static tun=intf mode=auto bound_if=24
proxyid_num=0 child_num=0 refcnt=4 ilast=406158 olast=406158
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=active on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
Syntax
get vpn status tunnel stat
Parameters
None.
Usage/Remarks
Use this command to display the status of vpn tunnels—this is brief information, suitable
for a quick check on general VPN tunnel information. The information includes the device,
tunnel id, proxy id, and if the tunnel is up or down.
Scope: Vdom
Output Example
FGT # diagnose vpn status tunnel stat
dev=3 tunnel=1 proxyid=3 sa=0 conc=1 up=0
Syntax
get vpn status concentrator <name>
Parameters
Usage/Remarks
Use this command to troubleshoot any VPN concentrators. This will help you locate
problems in your hub and spoke VPN configuration.
Scope: Vdom
Output Example
FGT # get vpn status concentrator phase1 phase2
list all ipsec tunnels in phase1 in vd 0
list all ipsec tunnels in phase2 in vd 0
Syntax
get webfilter fortiguard statistics list ?
Parameters
None.
Usage/Remarks
Use this command to display details about your FortiGuard statistics. These numbers can
be useful in determining the the source of a problem. For example DNS failures can reveal
the source of problems that may be widespread and hard to track back to the source.
Scope: Global
Output Example
FGT # get webfilter fortiguard statistics list
Rating Statistics:
=====================
DNS failures : 3
DNS lookups : 16
Data send failures : 876
Data read failures : 0
Wrong package type : 0
Allowed : 0
Blocked : 0
Logged : 0
Errors : 0
Cache Statistics:
=====================
Maximum memory : 0
Memory usage : 0
Nodes : 0
Leaves : 0
Prefix nodes : 0
Exact nodes : 0
Requests : 0
Misses : 0
Hits : 0
Prefix hits : 0
Exact hits : 0
No cache directives : 0
Add after prefix : 0
Invalid DB put : 0
DB updates : 0
Percent full : 0%
Branches : 0%
Leaves : 0%
Prefix nodes : 0%
Exact nodes : 0%
Miss rate : 0%
Hit rate : 0%
Prefix hits : 0%
Exact hits : 0%
Keyword/Variable Description
DNS lookups Number of DNS look-ups for the domain name of the requested URL.
Data send failures Number of non-responsive servers.
Keyword/Variable Description
Request timeout NUmber of seconds for the request time-out. A FortiGate unit sends the
URL rating request every 2 seconds.
Total requests Total number of URL rating requests to cache and FortiGuard servers.
Requests to Total number of URL rating requests to FortiGuard servers.
FortiGuard servers
Relayed rating The number of times the master communicates with FortiGuard servers
and relays all URL rating requests from the slaves in a HA cluster.
Maximum memory Amount of memory assigned to FortiGuard cache. The default is 2%.
Memory usage The amount of memory used to store the URL tree.
Prefix nodes The number of prefixes used for a URL to increase the cache hit rate.
Exact nodes The number of exact matches used for a URL.
Syntax
get webfilter status <refresh rate>
Parameters
Usage/Remarks
Use this command to display webfilter statistics and server information if the service is
enabled.
If the service is not enabled, this command displays the language of the locale and states
the service is not enabled.
Scope: Global and Vdom
Output Example
FGT # get webfilter status 4
Locale : english
License : Contract
Expiration : Wed Feb 11 02:00:00 2009
Hostname : service.fortiguard.net
69.20.236.180 60 213 -5 83 0 8
209.52.128.90 60 268 -5 84 0 9
121.111.236.179 80 383 9 83 0 8
121.111.236.180 80 404 9 83 0 8
72.52.72.243 90 289 -8 83 0 8
218.106.244.81 90 455 -8 83 0 8
69.90.198.55 90 297 D -8 85 0 9
Keyword/Variable Description
Locale Local environment language.
License The license status:
• Contract
• Expired
• Trial
Expiration The date and time the license expires.
Hostname The FortiGuard server the FortiGate connects to obtain the service. The
FortiGuard server will return the information to the FortiGate. The
default is service.fortiguard.net
IP The IP address of other FortiGuard servers.
Weight The priority value which the FortiGate uses to send the URL rating
request. The lower weight value takes higher preference. The weight is
calculated by time zone, packet round-trip time, and success rate.
RTT Flags The round-trip time between the URL rating request and the response
time from the FortiGuard server.
TZ Time zone of the FortiGuard server (Greenwich Mean Time +/- the
number).
Packets Total packets sent to the FortiGuard server.
Curr Lost The number of times the request is retried in a timeout period. The
default is 15 seconds.
Total Lost Total number of unresponsive requests.
UTM components
AntiVirus
Your FortiGate unit stores a virus signature database that can identify more than 15,000
individual viruses. FortiGate models that support additional virus databases are able to
identify hundreds of thousands of viruses. With a FortiGuard AntiVirus subscription, the
signature databases are updated whenever a new threat is discovered.
AntiVirus also includes file filtering. When you specify files by type or by file name, the
FortiGate unit will stop the matching files from reaching your users.
FortiGate units with a hard drive or configured to use a FortiAnalyzer unit can store
infected and blocked files for that you can examine later.
Web filtering
Web filtering includes a number of features you can use to protect or limit your users’
activity on the web.
FortiGuard Web Filtering is a subscription service that allows you to limit access to web
sites. More than 60 million web sites and two billion web pages are rated by category. You
can choose to allow or block each of the 77 categories.
URL filtering can block your network users from access to URLs that you specify.
Web content filtering can restrict access to web pages based on words and phrases
appearing on the web page itself. You can build lists of words and phrases, each with a
score. When a web content list is selected in a web filter profile, you can specify a
threshold. If a user attempts to load a web page and the score of the words on the page
exceeds the threshold, the web page is blocked.
Email filtering
FortiGuard AntiSpam is a subscription service that includes an IP address black list, a
URL black list, and an email checksum database. These resources are updated whenever
new spam messages are received, so you do not need to maintain any lists or databases
to ensure accurate spam detection.
You can use your own IP address lists and email address lists to allow or deny addresses,
based on your own needs and circumstances.
UTM profiles/lists/sensors
A profile is a group of settings that you can apply to one or more firewall policies. Each
UTM feature is enabled and configured in a profile, list, or sensor. These are then selected
in a firewall policy and the settings apply to all traffic matching the policy. For example, if
you create an antivirus profile that enables antivirus scanning of HTTP traffic, and select
the antivirus profile in the firewall policy that allows your users to access the World Wide
Web, all of their web browsing traffic will be scanned for viruses.
Because you can use profiles in more than one firewall policy, you can configure one
profile for the traffic types handled by a set of firewall policies requiring identical protection
levels and types, rather than repeatedly configuring those same profile settings for each
individual firewall policy.
For example, while traffic between trusted and untrusted networks might need strict
protection, traffic between trusted internal addresses might need moderate protection. To
provide the different levels of protection, you might configure two separate sets of profiles:
one for traffic between trusted networks, and one for traffic between trusted and untrusted
networks.
The UTM profiles include:
• antivirus profile
• IPS sensor
• Web filter profile
• Email filter profile
• Data Leak Prevention profile
• Application Control list
• VoIP profile
Although they’re called profiles, sensors, and lists, they’re functionally equivalent. Each is
used to configure how the feature works.
Conserve mode
FortiGate units perform all UTM processing in physical RAM. Since each model has a
limited amount of memory, conserve mode is activated when the remaining free memory
is nearly exhausted or the AV proxy has reached the maximum number of sessions it can
service. While conserve mode is active, the AV proxy does not accept new sessions.
The AV proxy
Most content inspection the FortiGate unit performs requires that the files, email
messages, URLs, and web pages be buffered and examined as a whole. The AV proxy
performs this function, and because it may be buffering many files at the same time, it
uses a significant amount of memory. Conserve mode is designed to prevent all the
component features of the FortiGate unit from trying to use more memory than it has.
Because the AV proxy uses so much memory, conserve mode effectively disables it in
most circumstances. As a result, the content inspection features that use the AV proxy are
also disabled in conserve mode.
All of the UTM features use the AV proxy with the exception of IPS, application control,
flow-based antivirus scanning, and DoS. These features continue to operate normally
when the FortiGate unit enters conserve mode.
off
The off setting forces the FortiGate unit to stop all traffic that is configured for content
inspection by UTM features that use the AV proxy. New sessions are not allowed but
current sessions continue to be processed normally unless they request more memory.
Sessions requesting more memory are terminated.
For example, if a firewall policy is configured to use antivirus scanning, the traffic it permits
is blocked while in conserve mode. A policy with IPS scanning enabled continues as
normal. A policy with both IPS and antivirus scanning is blocked because antivirus
scanning requires the AV proxy.
Use the off setting when security is more important than a loss of access while the
problem is rectified.
pass
The pass setting allows traffic to bypass the AV proxy and continue to its destination.
Since the traffic is bypassing the proxy, no UTM scanning that requires the AV proxy is
performed. UTM scanning that does not require the AV proxy continues normally.
Use the pass setting when access is more important than security while the problem is
rectified.
Pass is the default setting.
one-shot
The one-shot setting is similar to pass in that traffic is allowed when conserve mode is
active. The difference is that a system configured for one-shot will force new sessions to
bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use
of the AV proxy only when the av-failopen setting is changed or the unit is restarted.
idledrop
The idledrop setting will recover memory and session space by terminating all the
sessions associated with the host that has the most sessions open. The FortiGate may
force this session termination a number of times, until enough memory is available to
allow it to leave conserve mode.
The idledrop setting is primarily designed for situations in which malware may continue to
open sessions until the AV proxy cannot accept more new sessions, triggering conserve
mode. If your FortiGate unit is barely able to handle the traffic of your network, this setting
could cause the termination of valid sessions. Use this option with caution.
Figure 62: FortiGate SSL content scanning and inspection packet flow
3 1
2
Decrypted
packets
Encrypted 3
2
1 3
2
1
Encrypted
packets Firewall packets
Note: You can add one signing CA certificate for SSL content scanning and inspection. The
CA certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported for SSL
content scanning and encryption.
You can replace the default signing CA certificate, Fortinet_CA_SSLProxy, with another
signing CA certificate. To do this, you need the signing CA certificate file, the CA certificate
key file, and the CA certificate password.
All SSL content scanning and inspection uses the same signing CA certificate. If your
FortiGate unit is operating with virtual domains enabled, the same signing CA certificate is
used by all virtual domains.
Setting Description
Predefined The IMAPS, POP3S and SMTPS predefined services. You can select these
firewall services services in a firewall policy and a DoS policy.
Protocol The TCP port numbers that the FortiGate unit inspects for HTTPS, IMAPS,
recognition POP3S, and SMTPS. Go to Firewall > Protocol Options. Add or edit a protocol
options profile, configure HTTPS, IMAPS, POP3S, and SMTPS.
Using Protocol Options, you can also configure the FortiGate unit to perform
URL filtering of HTTPS or to use SSL content scanning and inspection to
decrypt HTTPS so that the FortiGate unit can also apply antivirus and DLP
content inspection and DLP archiving to HTTPS. Using SSL content scanning
and inspection to decrypt HTTPS also allows you to apply more web filtering
and FortiGuard Web Filtering options to HTTPS.
To enable full SSL content scanning of web filtering, select Enable Deep
Scanning under HTTPS in the protocol options profile.
Antivirus Antivirus options including virus scanning and file filtering for HTTPS, IMAPS,
POP3S, and SMTPS.
Go to UTM AntiVirus > Profile. Add or edit a profile and configure Virus Scan for
HTTPS, IMAPS, POP3S, and SMTPS.
Setting Description
Antivirus Antivirus quarantine options to quarantine files in HTTPS, IMAPS, POP3S, and
quarantine SMTPS sessions.
Go to UTM > AntiVirus > Quarantine. You can quarantine infected files,
suspicious files, and blocked files found in HTTPS, IMAPS, POP3S, and
SMTPS sessions.
Web filtering Web filtering options for HTTPS:
• Web Content Filter
• Web URL Filter
• ActiveX Filter
• Cookie Filter
• Java Applet Filter
• Web Resume Download Block
• Block invalid URLs
Go to UTM > Web Filter > Profile. Add or edit a web filter profile and configure
web filtering for HTTPS.
FortiGuard Web FortiGuard Web Filtering options for HTTPS:
Filtering • Enable FortiGuard Web Filtering
• Enable FortiGuard Web Filtering Overrides
• Provide Details for Blocked HTTP 4xx and 5xx Errors
• Rate Images by URL (Blocked images will be replaced with blanks)
• Allow Websites When a Rating Error Occurs
• Strict Blocking
• Rate URLs by Domain and IP Address
• Block HTTP Redirects by Rating
Go to UTM > Web Filter > Profile. Add or edit a profile and configure FortiGuard
Web Filtering for HTTPS.
Email filtering Email filtering options for IMAPS, POP3S, and SMTPS:
• FortiGuard Email Filtering IP Address Check, URL check, E-mail Checksum
Check, and Spam Submission
• IP Address BWL Check
• E-mail Address BWL Check
• Return S-mail DNS Check
• Banned Word Check
• Spam Action
• Tag Location
• Tag Format
Go to UTM > Email Filter > Profile. Add or edit a profile and configure email
filtering for IMAPS, POP3S, and SMTPS.
Data Leak DLP for HTTPS, IMAPS, POP3S, and SMTPS. To apply DLP, follow the steps
Prevention below:
• Go to UTM > Data Leak Prevention > Rule to add DLP rules. For HTTPS,
add an HTTP rule and select HTTPS POST and HTTPS GET. For IMAPS,
POP3S, and SMTPS, add an Email rule and select IMAPS, POP3S, and
SMTPS.
• Go to UTM > Data Leak Prevention > Sensor, create a new DLP sensor or
edit an existing one and then add the DLP rules to a DLP sensor.
• Go to Firewall > Protocol Options. Add or edit a profile and select Enable
Deep Scan under HTTPS.
• Go to Firewall > Policy, edit the required policy, enable UTM, select Enable
DLP Sensor and select the DLP sensor.
• Go to Firewall > Policy, edit the required policy, enable Protocol Options and
select a profile that has Enable Deep Scan selected under HTTPS. Note: If
no protocol options profile is selected, or if Enable Deep Scan is not
selected within the protocol options profile, DLP rules cannot inspect
HTTPS.
Setting Description
DLP archiving DLP archiving for HTTPS, IMAPS, POP3S, and SMTPS. Add DLP Rules for the
protocol to be archived.
Monitor DLP DLP archive information on the Log and Archive Statistics widget on the system
content dashboard for HTTPS, IMAPS, POP3S, and SMTPS.
information on Go to Firewall > Protocol Options. Add or edit a profile. For each protocol you
the system want monitored on the dashboard, enable Monitor Content Information for
Dashboard.
dashboard
These options display meta-information on the Statistics dashboard widget.
3 Select the Packet Log icon of the log entry you want to view.
The IPS Packet Log Viewer window appears.
4 Select the packet to view the packet in binary and ASCII. Each table row represents a
captured packet.
5 Select Save to save the packet data in a PCAP formatted file.
PCAP files can be opened and examined in network analysis software such as Wireshark.
The packet-log-post-attack command specifies how many packets are logged after
the one in which the IPS signature is detected. For example, if packet-log-post-
attack is set to 10, the FortiGate unit will save the ten packets following the one
containing the IPS signature match.
The acceptable range for packet-log-post-attack is from 0 to 255. The default is 0.
Note: To add a question mark (?) character to a regular expression from the FortiGate CLI,
enter Ctrl+V followed by ?. To add a single backslash character (\) to a regular expression
from the CLI you must add precede it with another backslash character. For example,
fortinet\\.com.
To match a special character such as '.' and ‘*’ use the escape character ‘\’. For example:
• To match fortinet.com, the regular expression should be: fortinet\.com
In Perl regular expressions, ‘*’ means match 0 or more times of the character before it, not
0 or more times of any character. For example:
• forti*.com matches fortiiii.com but does not match fortinet.com
To match any character 0 or more times, use ‘.*’ where ‘.’ means any character and the ‘*’
means 0 or more times. For example, the wildcard match pattern forti*.com should
therefore be fort.*\.com.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For
example, the regular expression “test” not only matches the word “test” but also any word
that contains “test” such as “atest”, “mytest”, “testimony”, “atestb”. The notation “\b”
specifies the word boundary. To match exactly the word “test”, the expression should be
\btest\b.
Case sensitivity
Regular expression pattern matching is case sensitive in the web and Email Filter filters.
To make a word or phrase case insensitive, use the regular expression /i. For example,
/bad language/i will block all instances of “bad language”, regardless of case.
Expression Matches
abc “abc” (the exact character sequence, but anywhere in the string)
^abc “abc” at the beginning of the string
abc$ “abc” at the end of the string
a|b Either “a” or “b”
^abc|abc$ The string “abc” at the beginning or at the end of the string
ab{2,4}c “a” followed by two, three or four “b”s followed by a “c”
ab{2,}c “a” followed by at least two “b”s followed by a “c”
ab*c “a” followed by any number (zero or more) of “b”s followed by a “c”
ab+c “a” followed by one or more b's followed by a c
ab?c “a” followed by an optional “b” followed by a” c”; that is, either “abc” or
”ac”
a.c “a” followed by any single character (not newline) followed by a” c “
a\.c “a.c” exactly
[abc] Any one of “a”, “b” and “c”
[Aa]bc Either of “Abc” and “abc”
Monitoring
Monitoring, in the form of logging, alert email, and SNMP, does not directly protect your
network. But monitoring allows you to review the progress of an attack, whether
afterwards or while in progress. How the attack unfolds may reveal weaknesses in your
preparations. The packet archive and sniffer policy logs can reveal more details about the
attack. Depending on the detail in your logs, you may be able to determine the attackers
location and identity.
While log information is valuable, you must balance the log information with the resources
required to collect and store it.
Address sweeps
An address sweep is a basic network scanning technique to determine which addresses in
an address range have active hosts. A typical address sweep involves sending an ICMP
ECHO request (a ping) to each address in an address range to attempt to get a response.
A response signifies that there is a host at this address that responded to the ping. It then
becomes a target for more detailed and potentially invasive attacks.
Address sweeps do not always reveal all the hosts in an address range because some
systems may be configured to ignore ECHO requests and not respond, and some firewalls
and gateways may be configured to prevent ECHO requests from being transmitted to the
destination network. Despite this shortcoming, Address sweeps are still used because
they are simple to perform with software tools that automate the process.
Use the icmp_sweep anomaly in a DoS sensor to protect against address sweeps.
There are a number of IPS signatures to detect the use of ICMP probes that can gather
information about your network. These signatures include AddressMask, Traceroute,
ICMP.Invalid.Packet.Size, and ICMP.Oversized.Packet. Include ICMP
protocol signatures in your IPS sensors to protect against these probes/attacks.
Port scans
Potential attackers may run a port scan on one or more of your hosts. This involves trying
to establish a communication session to each port on a host. If the connection is
successful, a service may be available that the attacker can exploit.
Use the DoS sensor anomaly tcp_port_scan to limit the number of sessions (complete
and incomplete) from a single source IP address to the configured threshold. If the
number of sessions exceed the threshold, the configured action is taken.
Use the DoS sensor anomaly udp_scan to limit UDP sessions in the same way.
Evasion techniques
Attackers employ a wide range of tactics to try to disguise their techniques. If an attacker
disguises a known attack in such a way that it is not recognized, the attack will evade your
security and possibly succeed. FortiGate security recognizes a wide variety of evasion
techniques and normalizes data traffic before inspecting it.
Packet fragmentation
Information sent across local networks and the Internet is encapsulated in packets. There
is a maximum allowable size for packets and this maximum size varies depending on
network configuration and equipment limitations. If a packet arrives at a switch or gateway
and it is too large, the data it carries is divided among two or more smaller packets before
being forwarded. This is called fragmentation.
When fragmented packets arrive at their destination, they are reassembled and read. If
the fragments do not arrive together, they must be held until all of the fragments arrive.
Reassembly of a packet requires all of the fragments.
The FortiGate unit automatically reassembles fragmented packets before processing
them because fragmented packets can evade security measures. Both IP packets and
TCP packets are reassembled by the IPS engine before examination.
For example, you have configured the FortiGate unit to block access to the example.org
web site. Any checks for example.com will fail if a fragmented packet arrives and one
fragment contains http://www.exa while the other contains mple.com/. Viruses and
malware can be fragmented and avoid detection in the same way. The FortiGate unit will
reassemble fragmented packets before examining network data to ensure that inadvertent
or deliberate packet fragmentation does not hide threats in network traffic.
Non-standard ports
Most traffic is sent on a standard port based on the traffic type. The FortiGate unit
recognizes most traffic by packet content rather than the TCP/UDP port and uses the
proper IPS signatures to examine it. Protocols recognized regardless of port include
DHCP, DNP3, FTP, HTTP, IMAP, MS RPC, NNTP, POP3, RSTP, SIP, SMTP, and SSL, as
well as the supported IM/P2P application protocols.
In this way, the FortiGate unit will recognize HTTP traffic being sent on port 25 as HTTP
rather than SMTP, for example. Because the protocol is correctly identified, the FortiGate
unit will examine the traffic for any enabled HTTP signatures.
Negotiation codes
Telnet and FTP servers and clients support the use of negotiation information to allow the
server to report what features it supports. This information has been used to exploit
vulnerable servers. To avoid this problem, the FortiGate unit removes negotiation codes
before IPS inspection.
Any network traffic the target system receives has to be examined, and then accepted or
rejected. TCP, UDP, and ICMP traffic is most commonly used, but a particular type of TCP
traffic is the most effective. TCP packets with the SYN flag are the most efficient DoS
attack tool because of how communication sessions are started between systems.
Server Client
Connection initiated: ACK
The three-way handshake is a simple way for the server and client to each agree to
establish a connection and acknowledge the other party expressing its intent.
Unfortunately, the three-way handshake can be used to interfere with communication
rather than facilitate it.
SYN flood
When a client sends a SYN packet to a server, the server creates an entry in its session
table to keep track of the connection. The server then sends a SYN+ACK packet
expecting an ACK reply and the establishment of a connection.
An attacker intending to disrupt a server with a denial of service (DoS) attack can send a
flood of SYN packets and not respond to the SYN+ACK packets the server sends in
response. Networks can be slow and packets can get lost so the server will continue to
send SYN+ACK packets until it gives up, and removes the failed session from the session
table. If an attacker sends enough SYN packets to the server, the session table will fill
completely, and further connection attempts will be denied until the incomplete sessions
time out. Until this happens, the server is unavailable to service legitimate connection
requests.
SYN floods are seldom launched from a single address so limiting the number of
connection attempts from a single IP address is not usually effective.
SYN spoofing
With a flood of SYN packets coming from a single attacker, you can limit the number of
connection attempts from the source IP address or block the attacker entirely. To prevent
this simple defense from working, or to disguise the source of the attack, the attacker may
spoof the source address and use a number of IP addresses to give the appearance of a
distributed denial of service (DDoS) attack. When the server receives the spoofed SYN
packets, the SYN+ACK replies will go to the spoofed source IP addresses which will either
be invalid, or the system receiving the reply will not know what to do with it.
Client
Server
Connection initiation request: SYN
The distributed SYN flood is more difficult to defend against because multiple clients are
capable of creating a larger volume of SYN packets than a single client. Even if the server
can cope, the volume of traffic may overwhelm a point in the network upstream of the
targeted server. The only defence against this is more bandwidth to prevent any
choke-points.
SYN proxy
FortiGate units with Fortinet security processing modules installed offer a third action for
the tcp_syn_flood threshold when a module is installed. Instead of Block and Pass,
you can choose to Proxy the incomplete connections that exceed the threshold value.
When the tcp_syn_flood threshold action is set to Proxy, incomplete TCP connections
are allowed as normal as long as the configured threshold is not exceeded. If the
threshold is exceeded, the FortiGate unit will intercept incoming SYN packets from clients
and respond with a SYN+ACK packet. If the FortiGate unit receives an ACK response as
expected, it will “replay” this exchange to the server to establish a communication session
between the client and the server, and allow the communication to proceed.
Traffic inspection
When the FortiGate unit examines network traffic one packet at a time for IPS signatures,
it is performing traffic analysis. This is unlike content analysis where the traffic is buffered
until files, email messages, web pages, and other files are assembled and examined as a
whole.
DoS policies use traffic analysis by keeping track of the type and quantity of packets, as
well as their source and destination addresses.
Application control uses traffic analysis to determine which application generated the
packet.
Although traffic inspection doesn’t involve taking packets and assembling files they are
carrying, the packets themselves can be split into fragments as they pass from network to
network. These fragments are reassembled by the FortiGate unit before examination.
No two networks are the same and few recommendations apply to all networks. This topic
offers suggestions on how you can use the FortiGate unit to help secure your network
against content threats.
IPS signatures
IPS signatures can detect malicious network traffic. For example, the Code Red worm
attacked a vulnerability in the Microsoft IIS web server. Your FortiGate’s IPS system can
detect traffic attempting to exploit this vulnerability. IPS may also detect when infected
systems communicate with servers to receive instructions.
IPS recommendations
• Enable IPS scanning at the network edge for all services.
• Use FortiClient endpoint IPS scanning for protection against threats that get into your
network.
• Subscribe to FortiGuard IPS Updates and configure your FortiGate unit to receive push
updates. This will ensure you receive new IPS signatures as soon as they are
available.
• Your FortiGate unit includes IPS signatures written to protect specific software titles
from DoS attacks. Enable the signatures for the software you have installed and set the
signature action to Block.
You can view these signatures by going to UTM > Intrusion Protection > Predefined
and sorting by, or applying a filter to, the Group column.
• Because it is critical to guard against attacks on services that you make available to the
public, configure IPS signatures to block matching signatures. For example, if you
have a web server, configure the action of web server signatures to Block.
DoS policies
DDoS attacks vary in nature and intensity. Attacks aimed at saturating the available
bandwidth upstream of your service can only be countered by adding more bandwidth.
DoS policies can help protect against DDoS attacks that aim to overwhelm your server
resources.
Application control
While applications can often be blocked by the ports they use, application control allows
convenient management of all supported applications, including those that do not use set
ports.
AntiVirus
The FortiGate antivirus scanner can detect viruses and other malicious payloads used to
infect machines. The FortiGate unit performs deep content inspection. To prevent
attempts to disguise viruses, the antivirus scanner will reassemble fragmented files and
uncompress content that has been compressed. Patented Compact Pattern Recognition
Language (CPRL) allows further inspection for common patterns, increasing detection
rates of virus variations in the future.
AntiVirus recommendations
• Enable antivirus scanning at the network edge for all services.
• Use FortiClient endpoint antivirus scanning for protection against threats that get into
your network.
• Subscribe to FortiGuard AntiVirus Updates and configure your FortiGate unit to receive
push updates. This will ensure you receive new antivirus signatures as soon as they
are available.
• Enable the Extended Virus Database if your FortiGate unit supports it.
• Examine antivirus logs periodically. Take particular notice of repeated detections. For
example, repeated virus detection in SMTP traffic could indicate a system on your
network is infected and is attempting to contact other systems to spread the infection
using a mass mailer.
• The builtin-patterns file filter list contains nearly 20 file patterns. Many of the
represented files can be executed or opened with a double-click. If any of these file
patterns are not received as a part of your normal traffic, blocking them may help
protect your network. This also saves resources since files blocked in this way do not
need to be scanned for viruses.
• To conserve system resources, avoid scanning email messages twice. Scan messages
as they enter and leave your network or when clients send and retrieve them, rather
than both.
Email filter
Spam is a common means by which attacks are delivered. Users often open email
attachments they should not, and infect their own machine. The FortiGate email filter can
detect harmful spam and mark it, alerting the user to the potential danger.
DLP
Most security features on the FortiGate unit are designed to keep unwanted traffic out of
your network while DLP can help you keep sensitive information from leaving your
network. For example, credit card numbers and social security numbers can be detected
by DLP sensors.
DLP recommendations
• Rules related to HTTP posts can be created, but if the requirement is to block all HTTP
posts, a better solution is to use application control or the HTTP POST Action option in
the web filter profile.
• While DLP can detect sensitive data, it is more efficient to block unnecessary
communication channels than to use DLP to examine it. If you don’t use instant
messaging or peer-to-peer communication in your organization, for example, use
application control to block them entirely.
Antivirus concepts
The word “antivirus” refers to a group of features that are designed to prevent unwanted
and potentially malicious files from entering your network. These features all work in
different ways, which include checking for a file size, name, or type, or for the presence of
a virus or grayware signature.
The antivirus scanning routines your FortiGate unit uses are designed to share access to
the network traffic. This way, each individual feature does not have to examine the
network traffic as a separate operation, and the overhead is reduced significantly. For
example, if you enable file filtering and virus scanning, the resources used to complete
these tasks are only slightly greater than enabling virus scanning alone. Two features do
not require twice the resources.
Buffering the entire file allows the FortiGate unit to eliminate the danger of missing an
infection due to fragmentation because the file is reassembled before examination.
Archives can also be expanded and the contents scanned, even if archives are nested.
Since the FortiGate unit has a limited amount of memory, files larger than a certain size do
not fit within the memory buffer. The default buffer size is 10 MB. You can use the
uncompsizelimit CLI command to adjust the size of this memory buffer.
Files larger than the buffer are passed to the destination without scanning. You can use
the Oversize File/Email setting to block files larger than the antivirus buffer if allowing files
that are too large to be scanned is an unacceptable security risk.
Note: Your choice of flow-based or proxy-based scanning affects only antivirus scans. File
filtering requires that files be proxied. If you enable both flow-based antivirus scanning and
file filtering, files will not be proxied for antivirus scans, but they will be proxied for file
filtering.
Note: File filtering includes file pattern and file type scans which are applied at different
stages in the antivirus process.
Figure 67: Antivirus scanning order when using the normal, extended, or extreme database
File or message
Start
is buffered
FTP, NNTP, SMTP,
POP3, IMAP, or
HTTP traffic.
File/email Pass
Oversized
exceeds
file/email
oversized
Yes action
threshold
No
Block
Allow No Allow
No
Yes
Yes No
Yes
Block
Matching Matching
File type Pass File type file type
Pass file type
match? file/email match? action
file/email No Yes action Block No Yes
Allow Allow
If a file fails any of the tasks of the antivirus scan, no further scans are performed. For
example, if the file fakefile.EXE is recognized as a blocked file pattern, the FortiGate
unit will send the end user a replacement message, and delete or quarantine the file. The
unit will not perform virus scan, grayware, heuristics, and file type scans because the
previous checks have already determined that the file is a threat and have dealt with it.
Note: File filtering includes file pattern and file type scans which are applied at different
stages in the antivirus process.
Figure 68: Antivirus scanning order when using the flow-based database
File/email
Oversized
exceeds
file/email
oversized
Yes action
threshold
Block
Pass
No
File Matching
Pattern Block
file pattern
Match? file/email
Yes action Block
Allow
No
Block
File/email
Matching
exceeds File type
file type
uncompsizelimit match?
No Yes action
threshold
Yes
Allow
No
Pass
file/email
Antivirus databases
The antivirus scanning engine relies on a database to detail the unique attributes of each
infection. The antivirus scan searches for these signatures, and when one is discovered,
the FortiGate unit determines the file is infected and takes action.
All FortiGate units have the normal antivirus signature database but some models have
additional databases you can select for use. Which you choose depends on your network
and security needs.
Antivirus techniques
The antivirus features work in sequence to efficiently scan incoming files and offer your
network optimum antivirus protection. The first four features have specific functions, the
fifth, heuristics, protects against any new, previously unknown virus threats. To ensure that
your system is providing the most protection available, all virus definitions and signatures
are updated regularly through the FortiGuard antivirus services. The features are
discussed in the order that they are applied, followed by FortiGuard antivirus.
File size
This task checks if files and email messages exceed configured size thresholds. You
enable this check by editing your protocol options profiles and setting the Oversized
File/Email option to Block for each protocol. The maximum size you can set varies by
model.
File pattern
Once a file is accepted, the FortiGate unit applies the file pattern recognition filter. The unit
will check the file name against the file pattern setting you have configured. If the file name
matches a blocked pattern, “.EXE” for example, then it is stopped and a replacement
message is sent to the end user. No other levels of protection are applied. If the file name
does not match a blocked pattern, the next level of protection is applied.
Virus scan
If the file passes the file pattern scan, the FortiGate unit applies a virus scan to it. The virus
definitions are kept up-to-date through the FortiGuard Distribution Network (FDN). For
more information, see “FortiGuard Antivirus” on page 766.
Grayware
If the file passes the virus scan, it will be checked for grayware. Grayware configurations
can be turned on and off as required and are kept up to date in the same manner as the
antivirus definitions. For more information, see “Enable grayware scanning” on page 775.
Heuristics
After an incoming file has passed the grayware scan, it is subjected to the heuristics scan.
The FortiGate heuristic antivirus engine, if enabled, performs tests on the file to detect
virus-like behavior or known virus indicators. In this way, heuristic scanning may detect
new viruses, but may also produce some false positive results.
Note: You can configure heuristics only through the CLI. See the FortiGate CLI Reference.
File type
Finally, the FortiGate unit applies the file type recognition filter. The FortiGate unit will
check the file against the file type setting you have configured. If the file is a blocked type,
then it is stopped and a replacement message is sent to the end user. No other levels of
protection are applied.
FortiGuard Antivirus
FortiGuard Antivirus services are an excellent resource which includes automatic updates
of virus and IPS (attack) engines and definitions, as well as the local spam DNS black list
(DNSBL), through the FDN. The FortiGuard Center web site also provides the FortiGuard
Antivirus virus and attack encyclopedia.
The connection between the FortiGate unit and FortiGuard Center is configured in
System > Maintenance > FortiGuard.
• Virus Database: Go to UTM > AntiVirus > Virus Database. This page shows the
version number, number of included signatures, and a description of the regular virus
database.
If your FortiGate unit supports extended, extreme, or flow-based virus database
definitions, the version numbers, number of included signatures, and descriptions of
those databases are also displayed.
Note: Flow-based scanning does not use a buffer and therefore has no file-size limit. File
data is scanned as it passes through the FortiGate unit. The uncompsizelimit setting
has no effect for flow-based scanning.
Block Files that exceed the oversize threshold are dropped and a
replacement message is sent to the user instead of the file.
Pass Files exceed the oversized threshold are allowed through the
FortiGate unit to their destination. Note that passed files are not
scanned for viruses. File Filtering, both file pattern and file type, are
applied, however.
You can also use the maximum file size to help secure your network. If you’re using a
proxy-based virus scan, the proxy scan buffer size limits the size of the files that can be
scanned for infection. Files larger than this limit are passed without scanning. If you
configure the maximum file size to block files larger than the scan buffer size, large
infected files will not by-pass antivirus scanning.
In this example, the maximum file size will be configured to block files larger than 10
megabytes, the largest file that can be antivirus scanned with the default settings. You will
need to configure a protocol options profile and add it to a firewall policy.
Caution: Client comforting can send unscanned and therefore potentially infected content
to the client. You should only enable client comforting if you are prepared to accept this risk.
Keeping the client comforting interval high and the amount low will reduce the amount of
potentially infected data that is downloaded.
Client comforting is available for HTTP and FTP traffic. If your FortiGate unit supports SSL
content scanning and inspection, you can also configure client comforting for HTTPS
traffic.
Note: Antivirus profiles also have a configurable feature called Quarantine Virus Sender (to
Banned User List). This is a different feature unrelated to the Quarantine option.
3 If you have not previously done so, go to Firewall > Policy and add the antivirus profile
to a firewall policy.
Note: File filter does not detect files within archives. You can use file filter to block or allow
the archives themselves, but not the contents of the archives.
The new list is created and the edit file filter list window appears. The new list is empty.
You need to populate it with one or more file patterns or file types.
4 At the end of the File Filter row, select the file filter list containing the file types and
patterns that the FortiGate unit will scan.
5 Select OK.
You also need to add the antivirus profile to a firewall policy for all settings to take effect.
For more information, see “Adding the antivirus profile to a firewall policy” on page 768.
Antivirus examples
The following examples provide a sample antivirus configuration scenario for a fictitious
company.
4 Enable UTM.
5 Select default from the Protocol Options list.
UTM can not be enabled without selecting a protocol options profile. A default profile is
provided.
6 Select the Enable AntiVirus option.
7 Select the basic_antivirus profile from the list.
8 Select OK to save the firewall policy.
Filters requiring a query to a server and a reply (FortiGuard Antispam Service and
DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other
filters are running. The first reply to trigger a spam action takes effect as soon as the reply
is received.
Each spam filter passes the email to the next if no matches or problems are found. If the
action in the filter is Mark as Spam, the FortiGate unit tags the email as spam according to
the settings in the email filter profile.
For SMTP and SMTPS, if the action is discard, the email message is discarded or
dropped.
If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If
the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or
SMTPS email messages are substituted with a configurable replacement message.
Note: Carefully consider the use of the Spam submission option on email leaving your
network. Users not familiar with the feature may click the link on spam messages because
they are curious. This will reduce the accuracy of the feature.
Score
added to
Banned word Pattern Assigned the sum
Comment
pattern type score for the
entire
page
In this example, the message is treated as spam if the banned word threshold is set to 60
or less.
IPS concepts
The FortiGate intrusion protection system protects your network from outside attacks.
Your FortiGate unit has two techniques to deal with these attacks: anomaly- and
signature-based defense.
Anomaly-based defense
Anomaly-based defense is used when network traffic itself is used as a weapon. A host
can be flooded with far more traffic than it can handle, making the host inaccessible. The
most common example is the denial of service (DoS) attack, in which an attacker directs a
large number of computers to attempt normal access of the target system. If enough
access attempts are made, the target is overwhelmed and unable to service genuine
users. The attacker does not gain access to the target system, but it is not accessible to
anyone else.
The FortiGate DoS feature will block traffic above a certain threshold from the attacker and
allow connections from other legitimate users.
Signature-based defense
Signature-based defense is used against known attacks or vulnerability exploits. These
often involve an attacker attempting to gain access to your network. The attacker must
communicate with the host in an attempt to gain access and this communication will
include particular commands or sequences of commands and variables. The IPS
signatures include these command sequences, allowing the FortiGate unit to detect and
stop the attack.
Signatures
IPS signatures are the basis of signature-based intrusion protection. Every attack can be
reduced to a particular string of commands or a sequence of commands and variables.
Signatures include this information so your FortiGate unit knows what to look for in
network traffic.
Signatures also include characteristics about the attack they describe. These
characteristics include the network protocol in which the attack will appear, the vulnerable
operating system, and the vulnerable application.
To view the complete list of predefined signatures, go to UTM > Intrusion Protection >
Predefined.
Protocol decoders
Before examining network traffic for attacks, the IPS engine uses protocol decoders to
identify each protocol appearing in the traffic. Attacks are protocol-specific, so your
FortiGate unit conserves resources by looking for attacks only in the protocols used to
transmit them. For example, the FortiGate unit will only examine HTTP traffic for the
presence of a signature describing an HTTP attack.
To view the protocol decoders, go to UTM > Intrusion Protection > Protocol Decoder.
IPS engine
Once the protocol decoders separate the network traffic by protocol, the IPS engine
examines the network traffic for the attack signatures.
IPS sensors
The IPS engine does not examine network traffic for all signatures, however. You must
first create an IPS sensor and specify which signatures are included. You do not have to
choose each signature you want to include individually. Instead, filters are used to define
the included signatures.
To view the IPS sensors, go to UTM > Intrusion Protection > IPS Sensor.
IPS filters
IPS sensors contain one or more IPS filters. A filter is a collection of signature attributes
that you specify. The signatures that have all of the attributes specified in a filter are
included in the IPS signature.
For example, if your FortiGate unit protects a Linux server running the Apache web server
software, you could create a new filter to protect it. By setting OS to Linux, and Application
to Apache, the filter will include only the signatures that apply to both Linux and Apache. If
you wanted to scan for all the Linux signatures and all the Apache signatures, you would
create two filters, one for each.
To view the filters in an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor, select
the IPS sensor containing the filters you want to view, and choose Edit.
Policies
To use an IPS sensor, you must select it in a firewall policy or an interface policy. An IPS
sensor that it not selected in a policy will have no effect on network traffic.
IPS is most often configured as part of a firewall policy. Unless stated otherwise,
discussion of IPS sensor use will be in regards to firewall policies in this document.
Note: Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a firewall policy. An override does not have the ability to affect network
traffic until these steps are taken. For more information, see “Enable IPS scanning” on
page 799.
6 Select Packet Log to save the packets containing the specified signature. For more
information, see “Enable IPS packet logging” on page 813.
7 Select the Browse icon and choose the signature to include in the override.
8 Select Enable.
9 Select OK.
Active-passive
In an active-passive HA cluster, the primary unit processes all traffic just as it would in a
stand-alone configuration. Should the primary unit fail, a secondary unit will assume the
role of the primary unit and begin to process network traffic. By default, the state of active
communication sessions are not shared with secondary units and will not survive the fail-
over condition. Once the sessions are reestablished however, traffic processing will
continue as normal.
If your network requires that active sessions are taken over by the new primary unit, select
Enable Session Pick-up in your HA configuration. Because session information must be
sent to all subordinate units on a regular basis, session pick-up is a resource-intensive
feature and is not enabled by default.
Active-active
The fail-over process in an active-active cluster is similar to an active-passive cluster.
When the primary unit fails, a secondary unit takes over and traffic processing continues.
The load-balancing schedule used to distribute sessions to the cluster members is used
by the new primary unit to redistribute sessions among the remaining subordinate units. If
session pick-up is not enabled, the sessions active on the failed primary are lost, and the
sessions redistributed among the secondary units may also be lost. If session pick-up is
enabled, all sessions are handled according to their last-known state.
For more information about HA options and settings, see “High Availability” on page 1533.
Configuring fail-open
If the IPS engine fails for any reason, it will fail open by default. This means that traffic
continues to flow without IPS scanning. If IPS protection is more important to your network
than the uninterrupted flow if network traffic, you can disable this behavior using the
fail-open CLI command:
config ips global
set fail-open {enable | disable}
end
The default setting is enable.
Note: Because DoS sensors are configured before being applied to an interface, you can
assign a DoS sensor with the Proxy action to an interface that does not have hardware
SYN proxy support. In this circumstance, the Proxy action is invalid and a Pass action will
be applied.
Caution: Although logging to multiple FortiAnalyzer units is supported, packet logs are not
sent to the secondary and tertiary FortiAnalyzer units. Only the primary unit receives packet
logs.
IPS examples
Configuring basic IPS protection
Small offices, whether they are small companies, home offices, or satellite offices, often
have very simple needs. This example details how to enable IPS protection on a FortiGate
unit located in a satellite office. The satellite office contains only Windows clients.
Internal Network
Po
rt 1
Po
rt 2
Ex
ter
na
l
Main Firewall
Web Server
The filter is saved and the IPS sensor page reappears. In the filter list, find the Linux
Server filter and look at the value in the Count column. This shows how many signatures
match the current filter settings. You can select the View Rules icon to see a listing of the
included signatures.
The web server software is Apache, so you need to create a second filter for all Apache
signatures.
Create an Override
1 Select Add Pre-defined Override.
2 Select the signature browse icon.
3 Rather than search through the signature list, use the name filter by selecting the filter
icon in the header of the Name column.
4 In the Filters list, select Name.
5 Select Enable.
6 In the Field selection, choose Contains.
7 Enter EICAR in the Text field.
8 Select OK.
9 Select the EICAR.AV.Test.File.Download signature.
10 Select OK.
11 Select Enable, Logging, and Packet Log.
12 Select OK.
13 Select Block as the Action.
14 Select OK to save the IPS sensor.
You are returned to the IPS sensor list. The EICAR test sensor appears in the list.
Add the IPS sensor to the firewall policy allowing Internet access
1 Go to Firewall > Policy > Policy.
2 Select the firewall policy that allows you to access the Internet.
3 Select the Edit icon.
4 Enable Log Allowed Traffic.
5 Enable UTM.
6 Select Enable IPS.
7 Choose EICAR test from the available IPS sensors.
8 Select OK.
With the IPS sensor configured and selected in the firewall policy, the FortiGate unit
should block any attempt to download the EICAR test file.
Assumptions
As shown in other examples and network diagrams throughout this document, the
Example Corporation has a pair of FortiGate-620B units in an HA cluster. To simplify this
example, the cluster is replaced with a single FortiGate-620B.
An ASM-CE4 is installed in the FortiGate-620B.
The network is configured as shown in Figure 70.
Network configuration
The Example Corporation network needs minimal changes to incorporate the ASM-CE4.
Interface amc-sw1/1 of the ASM-CE4 is connected to the Internet and interface
amc-sw1/1 is connected to the web server.
Since the main office network is connected to port2 and the Internet is connected to port1,
a switch is installed to allow both port1 and amc-sw1/1 to be connected to the Internet.
Internal network
Web server
10.11.201.120
Switch
Internet
The switch used to connect port1 and amc-sw1/1 to the Internet must be able to handle
any SYN flood, all of the legitimate traffic to the web site, and all of the traffic to and from
the Example Corporation internal network. If the switch can not handle the bandwidth, or if
the connection to the service provider can not provide the required bandwidth, traffic will
be lost.
7 Enable DoS Sensor and select the Web site SYN protection sensor from the list.
8 Select OK.
Virtual IP configuration
Traffic destined for the web server will arrive at the amc-sw1/1 interface. You must create
a virtual IP mapping to have the ASM-CE4 direct the traffic to the web server.
Total Proxied TCP Connections The number of proxied TCP connection attempts since
the FortiGate unit was restarted.
This value is the sum of the working and retired
connection totals.
Working Proxied TCP Connections The number of TCP connection attempts currently being
proxied.
Retired TCP Connections The number of proxied TCP connection attempts
dropped or allowed. These connection attempts are no-
longer being serviced.
This value is the sum of the valid and attacks totals.
Valid TCP Connections The number of valid proxied TCP connection attempts.
Attacks, No Ack From Client The number of proxied TCP connection attempts in
which the client did not reply. These are typically attacks.
No SynAck From Server The number of valid client connection attempts in which
the server does not reply.
Rst By Server (service not supported) The number of valid client connection attempts in which
the server resets the connection.
Client timeout setting The client time-out duration.
Server timeout setting The server time-out duration.
• spyware/grayware
• phishing
• pharming
• instant messaging
• peer-to-peer file sharing
• streaming media
• blended network attacks.
Spyware, also known as grayware, is a type of computer program that attaches itself to a
user’s operating system. It does this without the user’s consent or knowledge. It usually
ends up on a computer because of something the user does such as clicking on a button
in a pop-up window. Spyware can track the user’s Internet usage, cause unwanted pop-up
windows, and even direct the user to a host web site. For further information, visit the
FortiGuard Center.
Some of the most common ways of grayware infection include:
• downloading shareware, freeware, or other forms of file-sharing services
• clicking on pop-up advertising
• visiting legitimate web sites infected with grayware.
Phishing is the term used to describe attacks that use web technology to trick users into
revealing personal or financial information. Phishing attacks use web sites and email that
claim to be from legitimate financial institutions to trick the viewer into believing that they
are legitimate. Although phishing is initiated by spam email, getting the user to access the
attacker’s web site is always the next step.
Pharming is a next generation threat that is designed to identify and extract financial, and
other key pieces of information for identity theft. Pharming is much more dangerous than
phishing because it is designed to be completely hidden from the end user. Unlike
phishing attacks that send out spam email requiring the user to click to a fraudulent URL,
pharming attacks require no action from the user outside of their regular web surfing
activities. Pharming attacks succeed by redirecting users from legitimate web sites to
similar fraudulent web sites that have been created to look and feel like the authentic web
site.
Instant messaging presents a number of problems. Instant messaging can be used to
infect computers with spyware and viruses. Phishing attacks can be made using instant
messaging. There is also a danger that employees may use instant messaging to release
sensitive information to an outsider.
Peer-to-peer (P2P) networks are used for file sharing. Such files may contain viruses.
Peer-to-peer applications take up valuable network resources and may lower employee
productivity but also have legal implications with the downloading of copyrighted or
sensitive company material.
Streaming media is a method of delivering multimedia, usually in the form of audio or
video to Internet users. Viewing streaming media impacts legitimate business by using
valuable bandwidth.
Blended network threats are rising and the sophistication of network threats is
increasing with each new attack. Attackers learn from each previous successful attack and
enhance and update attack code to become more dangerous and fast spreading. Blended
attacks use a combination of methods to spread and cause damage. Using virus or
network worm techniques combined with known system vulnerabilities, blended threats
can quickly spread through email, web sites, and Trojan applications. Examples of
blended threats include Nimda, Code Red, Slammer, and Blaster. Blended attacks can be
designed to perform different types of attacks, which include disrupting network services,
destroying or stealing information, and installing stealthy backdoor applications to grant
remote access.
The web content filter feature scans the content of every web page that is accepted by a
firewall policy. The system administrator can specify banned words and phrases and
attach a numerical value, or score, to the importance of those words and phrases. When
the web content filter scan detects banned content, it adds the scores of banned words
and phrases in the page. If the sum is higher than a threshold set in the web filter profile,
the FortiGate unit blocks the page.
Score
added to
Banned Assigned the sum Threshold
Comment
pattern score for the score
entire
page
Enabling the web content filter and setting the content threshold
When you enable the web content filter, the web filter will block any web pages when the
sum of scores for banned content on that page exceeds the content block threshold. The
threshold will be disregarded for any exemptions within the web filter list.
To enable the web content filter and set the content block threshold
1 Go to UTM > Web Filter > Profile.
2 Select Create New to add a new web filter profile or select an existing profile and
choose Edit.
3 Select Web Content Filter.
4 Select the web content list in the Option column.
5 Enter the threshold for the web content filter.
6 Select OK.
URL filter
You can allow or block access to specific URLs by adding them to the URL filter list. You
add the URLs by using patterns containing text and regular expressions. The FortiGate
unit allows or blocks web pages matching any specified URLs or patterns and displays a
replacement message instead.
Note: URL blocking does not block access to other services that users can access with a
web browser. For example, URL blocking does not block access to ftp:// ftp.example.com.
Instead, use firewall policies to deny ftp connections.
When adding a URL to the URL filter list, follow these rules:
• Type a top-level URL or IP address to control access to all pages on a web site. For
example, www.example.com or 192.168.144.155 controls access to all pages at
this web site.
• Enter a top-level URL followed by the path and file name to control access to a single
page on a web site. For example, www.example.com/news.html or
192.168.144.155/news.html controls access to the news page on this web site.
• To control access to all pages with a URL that ends with example.com, add
example.com to the filter list. For example, adding example.com controls access to
www.example.com, mail.example.com, www.finance.example.com, and so on.
• Control access to all URLs that match patterns using text and regular expressions (or
wildcard characters). For example, example.* matches example.com, example.org,
example.net and so on.
Note: URLs with an action set to exempt or pass are not scanned for viruses. If users on
the network download files through the FortiGate unit from a trusted web site, add the URL
of this web site to the URL filter list with an action to pass it so the FortiGate unit does not
virus scan files downloaded from this URL.
Block
Attempts to access any URLs matching the URL pattern are denied. The user will be
presented with a replacement message.
Allow
Any attempt to access a URL that matches a URL pattern with an allow action is
permitted. The traffic is passed to the remaining antivirus proxy operations, including
FortiGuard Web Filter, web content filter, web script filters, and antivirus scanning.
Allow is the default action. If a URL does not appear in the URL list, it is permitted.
Pass
Traffic to, and reply traffic from, sites matching a URL pattern with a pass action will
bypass all antivirus proxy operations, including FortiGuard Web Filter, web content filter,
web script filters, and antivirus scanning.
Make sure you trust the content of any site you pass.
Exempt
Exempt is similar to Pass in that it allows trusted traffic to bypass the antivirus proxy
operations, but it functions slightly differently. In general, if you’re not certain that you need
to use the Exempt action, use Pass.
HTTP 1.1 connections are persistent unless declared otherwise. This means the
connections will remain in place until closed or the connection times out. When a client
loads a web page, the client opens a connection to the web server. If the client follows a
link to another page on the same site before the connection times out, the same
connection is used to request and receive the page data.
When you add a URL pattern to a URL filter list and apply the Exempt action, traffic sent to
and replies traffic from sites matching the URL pattern will bypass all antivirus proxy
operations, as with the Pass action. The difference is that the connection itself inherits the
exemption. This means that all subsequent reuse of the existing connection will also
bypass all antivirus proxy operations. When the connection times out, the exemption is
cancelled.
For example, consider a URL filter list that includes example.com/files configured
with the Exempt action. A user opens a web browser and downloads a file from the URL
example.com/sample.zip. This URL does not match the URL pattern so it is scanned
for viruses. The user then downloads example.com/files/beautiful.exe and since
this URL does match the pattern, the connection itself inherits the exempt action. The user
then downloads example.com/virus.zip. Although this URL does not match the
exempt URL pattern, a previously visited URL did, and since the connection inherited the
exempt action and was re-used to download a file, the file is not scanned.
If the user next goes to an entirely different server, like example.org/photos, the
connection to the current server cannot be reused. A new connection to example.org is
established. This connection is not exempt. Unless the user goes back to example.com
before the connection to that server times out, the server will close the connection. If the
user returns after the connection is closed, a new connection to example.com is created
and it is not exempt until the user visits a URL that matches the URL pattern.
Web servers typically have short time-out periods. A browser will download multiple
components of a web page as quickly as possible by opening multiple connections. A web
page that includes three photos will load more quickly if the browser opens four
connections to the server and downloads the page and the three photos at the same time.
A short time-out period on the connections will close the connections faster, allowing the
server to avoid unnecessarily allocating resources for a long period. The HTTP session
time-out is set by the server and will vary with the server software, version, and
configuration.
Using the exempt action can have unintended consequences in certain circumstances.
You have a web site at example.com and since you control the site, you trust the contents
and configure example.com as exempt. But example.com is hosted on a shared server
with a dozen other different sites, each with a unique domain name. Because of the
shared hosting, they also share the same IP address. If you visit example.com, your
connection your site becomes exempt from any antivirus proxy operations. Visits to any of
the 12 other sites on the same server will reuse the same connection and the data you
receive is exempt from scanned.
Use of the exempt action is not suitable for configuration in which connections through the
FortiGate unit use an external proxy. For example, you use proxy.example.net for all
outgoing web access. Also, as in the first example, URL filter list that includes a URL
pattern of example.com/files configured with the Exempt action. Users are protected
by the antivirus protection of the FortiGate unit until a user visits a URL that matches the of
example.com/files URL pattern. The pattern is configured with the Exempt action so
the connection to the server inherits the exemption. With a proxy however, the connection
is from the user to the proxy. Therefore, the user is entirely unprotected until the
connection times out, no matter what site he visits.
Ensure you are aware of the network topology involving any URLs to which you apply the
Exempt action.
SafeSearch
SafeSearch is a feature of popular search sites that prevents explicit web sites and
images from appearing in search results. Although SafeSearch is a useful tool, especially
in educational environments, the resourceful user may be able to simply turn it off.
Enabling SafeSearch for the supported search sites enforces its use by rewriting the
search URL to include the code to indicate the use of the SafeSearch feature.
Three search sites are supported:
Google Enforce the strict filtering level of safe search protection for Google search results by
adding &safe=on to search URL requests. Strict filtering removes both explicit text
and explicit images from the search results.
Yahoo! Enforce the strict filtering level of safe search protection for Yahoo! search results by
adding &vm=r to search URL requests. Strict filtering removed adult web, video, and
images from search results.
Bing Enforce the strict filtering level of safe search protection for Bing search results by
adding adlt=strict to search URL requests. Strict filtering removes explicit text,
images, and video from the search results.
ActiveX filter
Enable to filter ActiveX scripts from web traffic. Web sites using ActiveX may not function
properly with this filter enabled.
Cookie filter
Enable to filter cookies from web traffic. Web sites using cookies may not function properly
with this enabled.
• If the request is to a web server proxy, the real IP address of the web server is not
known. Therefore, rating queries by either or both the IP address and the domain
name is not reliable. In this case, the FortiGate unit does not perform FortiGuard Web
Filtering.
School district
The background for this scenario is a school district with more than 2300 students and 500
faculty and staff in a preschool, three elementary schools, a middle school, a high school,
and a continuing education center. Each elementary school has a computer lab and the
high school has three computer labs with connections to the Internet. Such easy access to
the Internet ensures that every student touches a computer every day.
With such a diverse group of Internet users, it was not possible for the school district to set
different Internet access levels. This meant that faculty and staff were unable to view
websites that the school district had blocked. Another issue was the students’ use of proxy
sites to circumvent the previous web filtering system. A proxy server acts as a go-between
for users seeking to view web pages from another server. If the proxy server has not been
blocked by the school district, the students can access the blocked website.
When determining what websites are appropriate for each school, the district examined a
number of factors, such as community standards and different needs of each school
based on the age of the students.
The district decided to configure the FortiGate web filtering options to block content of an
inappropriate nature and to allow each individual school to modify the options to suit the
age of the students. This way, each individual school was able to add or remove blocked
sites almost immediately and have greater control over their students’ Internet usage.
In this simplified example of the scenario, the district wants to block any websites with the
word example on them, as well as the website www.example.com. The first task is to
create web content filter lists for the students and the teachers.
Is the URL
Query FortiGuard Deny access to the classification set
Start
for URL category URL and stop any to block or
and classification running quota timer allow?
User attempts to Block Allow
load a URL
Block Yes
No
No
Is the URL Is
category set FortiGuard Quota Allow access
to block or exempt for the to the URL
allow? Category?
Allow Yes
Block
No
Allow
Is there a Is the URL Is Is there any Yes
classification classification set FortiGuard Quota time remaining Start the category
for this URL? to block or enabled for the for this category timer and allow
allow? Category? quota? access to the URL
Yes Yes
No Block No No
No
Is Is Is Yes
Is there any
Allow access to the FortiGuard Quota FortiGuard Quota FortiGuard Quota Start the classification
time remaining
URL and stop any enabled for the exempt for the enabled for the timer and allow
for this classification
running quota timer category group? category group? classification? access to the URL
No No No Yes quota?
Yes Yes No
Yes
Caution: The use of FortiGuard Web Filter quotas requires that users authenticate to gain
web access. The quotas are ignored if applied to a firewall policy in which user
authentication is not required.
When a user first attempts to access a URL, they’re prompted to authenticate with the
FortiGate unit. When they provide their username and password, the FortiGate unit
recognizes them, determines their quota allowances, and monitors their web use. The
category and classification of each page they visit is checked and FortiGate unit adjusts
the user’s remaining available quota for the category or classification.
Note: Editing the web filter profile resets the quota timers for all users.
Quota hierarchy
You can apply quotas to categories, category groups, and classifications. Only one quota
per user can be active at any one time. The one used depends on how you configure the
FortiGuard Web Filter.
When a user visits a URL, the FortiGate unit queries the FortiGuard servers for the
category and classification of the URL. From highest to lowest, the relative priority of the
quotas are:
1 Category
2 Classification
3 Category group
So for example, the Business Oriented category group contains the Information
Technology category. When a user visits a page in the Information Technology category,
the FortiGate unit will check for quotas in sequence:
• Is there is a quota set for the Information Technology category? If there is, the category
quota timer is started and the user is allowed access to the URL. If no time remains in
the category quota, the URL is blocked and the user cannot access it for the remainder
of the day.
• If there is no quota set for the Information Technology category, is there a quota set for
any classification that applies to the URL? If there is, the classification quota timer is
started and the user is allowed access to the URL. If no time remains in the
classification quota, the URL is blocked and the user cannot access it for the remainder
of the day.
• If no quota is set, or no classification exists for the URL, is there a quota set for the
Business Oriented category group? If there is, the category group quota timer is
started and the user is allowed access to the URL. If no time remains in the category
group quota, the URL is blocked and the user cannot access it for the remainder of the
day.
• If there is no category group quota, the user is allowed to access the URL. Getting to
this point means there are no quotas set for the page. The FortiGate unit will stop any
running quota timer because the current URL has no quota.
Only one quota timer can be running at any one time for a single user. Whenever a quota
timer is started or a page is blocked, the timer running, because of the previous URL
access, is stopped. Similarly, a URL with no quotas will stop a quota timer still running
because of the URL the user previously accessed.
Quota exempt
The quota checking sequence occurs for every URL the user accesses. This is true for
every web page, and every element of the web page that is loaded. For example, if a user
loads a web page, the quota is checked for the web page as soon as it is loaded. If there is
a photo on the page, it is also checked and the quota is adjusted accordingly.
This can cause unexpected behavior. For example, if the web page a user loads is in the
Information Technology category and it has a quota, the quota timer is started. The web
page includes a number of graphics, so as these are loaded, each is checked and the
appropriate quota is started. If they all share the same category rating, which they often
will, there is no problem. However, if the last graphic or page element loaded comes from
another site, the quota may not work as you expect. If the last graphic is an ad, loaded
from a site categorized as Advertising, the Information Technology category quota timer
will stop almost as soon as it is started because the FortiGate unit sees the ad URL and
finds that it belongs to the Advertising category. If Advertising has a quota, its timer will
start. If it is blocked or allowed, the Information Technology category quota timer is
stopped and the user can view the page without using the quota set to limit the Information
Technology category.
To solve this problem, you can configure a category, category group, or classification as
exempt. This effectively allows the quota system to ignore it entirely. Any quota timer
running when an exempt URL is encountered continues to run. An exempt category,
category group, or classification can not have a quota. This may sound the same as
simply disabling the quota and setting the FortiGuard Web Filter action to allow, but there
is a difference. This difference is that the allow and block actions stop an already running
quota timer, while the exempt action does not.
The exempt action is generally used for commonly accessed web pages that load
elements from other sites that have different category ratings. Pages that load ads from
advertising sites are the most common example.
If your FortiGate unit cannot contact the FortiGuard service temporarily, this setting
determines what access the FortiGate unit allows until contact is re-established. If
enabled, users will have full unfiltered access to all web sites. If disabled, users will not be
allowed access to any web sites.
Strict Blocking
This setting determines when the FortiGate unit blocks a site. Enable strict blocking to
deny access to a site if any category or classification assigned to the site is set to Block.
Disable strict blocking to deny access to a site only if all categories and classifications
assigned to the site are set to Block.
All rated URLs are assigned one or more categories. URLs may also be assigned a
classification. If Rate URLs by domain and IP address is enabled, the site URL and IP
address each carry separately assigned categories and classifications. Depending on the
FortiGuard rating and the FortiGate configuration, a site could be assigned to at least two
categories and up to two classifications.
Note: FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings
for URLs. This can sometimes cause the FortiGate unit to allow access to sites that should
be blocked, or to block sites that should be allowed.
3 Select Search.
4 If the URL has been rated by the FortiGuard web filter team, the category is displayed.
If a URL has not been rated, or you believe it is incorrectly rated, you can suggest the
appropriate category and classification.
6 Using the Scope selection, choose how the override will be applied:
• A User scope limits the override to a single user. Enter the user ID in the User field.
• A User Group scope limits the override to the users you have included in a user
group. Using the User Group selection, choose the user group.
• An IP scope limits the override to an IPv4 address. Enter the address in the IP field.
• An IPv6 scope limits the override to an IPv6 address. Enter the address in the IPv6
field.
7 Select whether to Allow or Deny content from Off-site URLs.
This option defines whether the web page that is displayed as the result of an override
will display the images and other contents from other blocked offsite URLs.
For example, if all FortiGuard categories are blocked, but you want to allow access to a
web site, you can create a domain override for the site and view the page. If the
images on the site are served from a different domain and Off-site URLs is set to Deny,
all the images on the page will appear broken because they come from a domain that
the existing override rule does not apply to. If Off-site URLs is set to Allow, the images
on the page will appear properly.
8 Select when the override expires by entering the exact time and date.
9 Select OK to save the override rule.
Note: If you have multiple policies, consider enabling web filter scanning for all outgoing
policies
School district
Continuing with the example in the Web filter section, you can use FortiGuard Web Filter
to protect students from inappropriate material. For the first part of this example, see “Web
filtering example” on page 838.
DLP sensor
A DLP sensor is a package of DLP rules and DLP compound rules. To use DLP you must
enable it in a firewall policy and select the DLP sensor to use. The traffic controlled by the
firewall policy will be searched for the patterns defined in the DLP sensor. Matching traffic
will be passed or blocked according to how you configured the DLP sensor and rules. You
can also log the matching traffic.
DLP rule
Each DLP rule includes a single condition and the type of traffic in which the condition is
expected to appear.
For example, the FortiGate DLP system includes a modifiable default rule consisting of a
regular expression that you can use to find messages matching U.S. Social Security
numbers (SSN). You can apply this sample DLP rule, called Email-US-SSN, to have the
FortiGate unit examine the Email protocols SMTP, IMAP, and POP3 for messages in
which the Body has Matches of the ASCII formatted Regular Expression of \b(?!000)([0-
6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00) \d\d\3(?!0000)\d{4}(\b|\W).
DLP rules allow you to specify various conditions depending on the type of traffic for which
the rule is created. Table 67 on page 858 lists the available conditions by traffic type.
The HTTPS protocol is only available on FortiGate units that do not support SSL content
scanning and inspection. Units with SSL content scanning and inspection support include
HTTPS GET and HTTPS POST as options within the HTTP protocol.
your FortiGate unit does support SSL content scanning and inspection, HTTPS POST
and HTTPS GET appear in the HTTP protocol. For more information, see “SSL content
scanning and inspection” on page 741.
5 Below the protocol selection, select the sub-protocols the FortiGate unit will examine
for the presence of the conditions in the DLP rule:
SMTP, IMAP, POP3 When you select the Email protocol, you can configure the rule to
apply to any or all of the supported email protocols (SMTP, IMAP,
and POP3).
SMTPS, IMAPS, POP3S When you select the Email protocol and your FortiGate unit
supports SSL content scanning and inspection, you can also
configure the rule to apply to SMTPS, IMAPS, POP3S or any
combination of these protocols.
HTTP POST, HTTP GET When you select the HTTP protocol, you can configure the rule to
apply to HTTP post traffic, HTTP get traffic, or both. traffic types.
HTTPS POST, HTTPS GET When you select the HTTP protocol and your FortiGate unit
supports SSL content scanning and inspection, you can also
configure the HTTP rule to apply to HTTPS get traffic, HTTPS post
traffic, or both traffic types.
To scan these encrypted traffic types, you must select Enable Deep
Scanning in the HTTPS section of the protocol options profile. If
Enable Deep Scanning is not selected, the DLP sensors will not
scan HTTPS content.
FTP PUT, FTP GET When you select the FTP protocol, you can configure the rule to
apply to FTP put traffic, FTP get traffic, or both traffic types.
AIM, ICQ, MSN, Yahoo! When you select the Instant Messaging protocol, you can configure
the rule to apply to file transfers using any or all of the supported IM
protocols (AIM, ICQ, MSN, and Yahoo!).
Only file transfers using the IM protocols are subject to DLP rules.
IM messages are not scanned.
6 If you select file or attachment rules in a protocol that supports it, you can select
various File options to configure how the DLP rule handles archive files, MS Word files,
and PDF files found in content traffic.
Scan archive contents When selected, files within archives are extracted and scanned in
the same way as files that are not archived.
Scan archive files whole When selected, archives are scanned as a whole. The files within
the archive are not extracted and scanned individually.
Scan MS-Word text When selected, the text contents of MS Word DOC documents are
extracted and scanned for a match. All metadata and binary
information is ignored.
Note: Office 2007/2008 DOCX files are not recognized as
MS-Word by the DLP scanner. To scan the contents of DOCX files,
select the Scan archive contents option.
Scan MS-Word file whole When selected, MS Word DOC files are scanned. All binary and
metadata information is included.
If you are scanning for text entered in a DOC file, use the
Scan MS-Word option. Binary formatting codes and file information
may appear within the text, causing text matches to fail.
Note: Office 2007/2008 DOCX files are not recognized as
MS-Word by the DLP scanner. To scan the contents of DOCX files,
select the Scan archive contents option.
Scan PDF text When selected, the text contents of PDF documents are extracted
and scanned for a match. All metadata and binary information is
ignored.
Scan PDF file whole When selected, PDF files are scanned. All binary and metadata
information is included.
If you are scanning for text in PDF files, use the Scan PDF Text
option. Binary formatting codes and file information may appear
within the text, causing text matches to fail.
7 Select the Rule that defines the condition the FortiGate unit will search for.
Transfer size Check the total size of the information transfer. Email, HTTP,
For email traffic, for example, the transfer size FTP, NNTP, IM
includes the message header, body, and any
encoded attachment.
URL Search for the specified URL in HTTP traffic. HTTP
User group Search for traffic from any user in the specified Email, HTTP,
user group. FTP, NNTP, IM
8 Select the required rule operators, if applicable:
matches/does not match This operator specifies whether the FortiGate unit is searching for
the presence or absence of a specified string.
• Matches: The rule will be triggered if the specified string is
found in network traffic.
• Does not match: The rule will be triggered if the specified string
is not found in network traffic.
ASCII/UTF-8 Select the encoding used for text files and messages.
Regular Select the means by which patterns are defined.
Expression/Wildcard
is/is not This operator specifies if the rule is triggered when a condition is
true or not true.
• Is: The rule will be triggered if the rule is true.
• Is not: The rule will be triggered if the rule is not true.
For example, if a rule specifies that a file type is found within a
specified file type list, all matching files will trigger the rule.
Conversely, if the rule specifies that a file type is not found in a file
type list, only the file types not in the list would trigger the rule.
==/>=/<=/!= These operators allow you to compare the size of a transfer or
attached file to an entered value.
• == is equal to the entered value.
• >= is greater than or equal to the entered value.
• <= is less than or equal to the entered value.
• != is not equal to the entered value.
9 Enter the data pattern, if the rule type you selected requires it.
Most rules types end with a field or selection of the data pattern to be matched,
whether it is a file size, text string, email address, or file name.
10 Select OK.
Note: These rules affect only unencrypted traffic types. If you are using a FortiGate unit that
can decrypt and examine encrypted traffic, you can enable those traffic types in these rules
to extend their functionality if required.
Caution: Before using the rules, examine them closely to ensure you understand how they
will affect the traffic on your network.
All-Email, All-FTP, These rules will detect all email, FTP, HTTP, instant messaging, and
All-HTTP, All-IM, All-NNTP NNTP traffic.
Email-AmEx, These four rules detect American Express numbers, Canadian Social
Email-Canada-SIN, Insurance Numbers, U.S. Social Security Numbers, or Visa and
Email-US-SSN, Mastercard numbers within the message bodies of SMTP, POP3, and
IMAP email traffic.
Email-Visa-Mastercard
HTTP-AmEx, These four rules detect American Express numbers, Canadian Social
HTTP-Canada-SIN, Insurance Numbers, U.S. Social Security Numbers, or Visa and
HTTP-US-SSN, Mastercard numbers sent using the HTTP POST command. The
HTTP POST command is used to send information to a web server.
HTTP-Visa-Mastercard
As written, these rules are designed to detect data the user is sending
to web servers. This rule does not detect the data retrieved with the
HTTP GET command, which is used to retrieve web pages.
Large-Attachment This rule detects files larger than 5MB attached to SMTP, POP3, and
IMAP email messages.
Large-FTP-Put This rule detects files larger than 5MB sent using the FTP PUT
command. Files received using FTP GET are not examined.
Large-HTTP-Post This rule detects files larger than 5MB sent using the HTTP POST
command. Files received using HTTP GET are not examined.
None The FortiGate unit will take no action on network traffic matching a
rule with this action. Other matching rules in the same sensor and
other sensors may still operate on matching traffic.
Block Traffic matching a rule with the block action will not be delivered. The
matching message or download is replaced with the data leak
prevention replacement message.
Exempt The exempt action prevents any DLP sensors from taking action on
matching traffic. This action overrides the action assigned to any
other matching sensors.
Ban If the user is authenticated, this action blocks all traffic to or from the
user using the protocol that triggered the rule and adds the user to
the Banned User list.
If the user is not authenticated, this action blocks all traffic of the
protocol that triggered the rule from the user’s IP address.
If the banned user is using HTTP, FTP, or NNTP (or HTTPS if the
FortiGate unit supports SSL content scanning and inspection) the
FortiGate unit displays the “Banned by data leak prevention”
replacement message for the protocol. If the user is using IM, the IM
and P2P “Banned by data leak prevention” message replaces the
banned IM message and this message is forwarded to the recipient.
If the user is using IMAP, POP3, or SMTP (or IMAPS, POP3S,
SMTPS if your FortiGate unit supports SSL content scanning and
inspection) the Mail “Banned by data leak prevention” message
replaces the banned email message and this message is forwarded
to the recipient. These replacement messages also replace all
subsequent communication attempts until the user is removed from
the banned user list.
Ban Sender This action blocks email or IM traffic from the sender of matching
email or IM messages and adds the sender to the Banned User list.
This action is available only for email and IM protocols. For email,
the sender is determined by the From: address in the email header.
For IM, all members of an IM session are senders and the senders
are determined by finding the IM user IDs in the session. Similar to
Ban, IM or Mail “Banned by data leak prevention” message replaces
the banned message and this message is forwarded to the recipient.
These replacement messages also replace all subsequent
communication attempts until the user is removed from the banned
user list.
Quarantine IP address This action blocks access for any IP address that sends traffic
matching a sensor with this action. The IP address is added to the
Banned User list. The FortiGate unit displays the “NAC Quarantine
DLP Message” replacement message for all connection attempts
from this IP address until the IP address is removed from the banned
user list.
Quarantine Interface This action blocks access to the network for all users connecting to
the interface that received traffic matching a sensor with this action.
The FortiGate unit displays the “NAC Quarantine DLP Message”
replacement message for all connection attempts to the interface
until the interface is removed from the banned user list.
Ban, Ban Sender, Quarantine IP, and Quarantine Interface provide functionality similar
to NAC quarantine. However, these DLP options block users and IP addresses at the
application layer while NAC quarantine blocks IP addresses and interfaces at the
network layer.
Caution: If you have configured DLP to block IP addresses and if the FortiGate unit
receives sessions that have passed through a NAT device, all traffic from that NAT
device—not just traffic from individual users—could be blocked. You can avoid this problem
by implementing authentication or, where possible, select Ban Sender.
Tip: To view or modify the replacement message text, go to System > Config >
Replacement Message.
6 If you selected one of the ban or quarantine actions, the Expires setting allows you to
choose how long the offending user/address/interface will remain on the banned user
list.
Select Indefinitely to keep the banned user entry in place until it is manually deleted.
Select After to enter the number of minutes, hours, or days, after which the banned
user entry is automatically deleted.
7 Choose the Severity rating to be attached to log entries created when network traffic
matches any rules in the sensor.
The severity setting has no effect on how DLP functions. It only affects DLP log entries
and the reports generated from the logs.
8 Select the type of rule you want to add to the DLP sensor using the Member type drop-
down list. You may choose either Rule or Compound rule, and the list below your
selection will display only the type you choose.
9 From the table, select the rule or compound rule to add to the DLP sensor.
10 Select OK.
The rule is added to the sensor. You may select Create New to add more rules, or select
OK to return to the DLP sensor list.
Caution: Before use, examine the sensors and rules in the sensors closely to ensure you
understand how they will affect the traffic on your network.
Note: DLP prevents duplicate action. Even if more than one rule in a sensor matches some
content, DLP will not create more than one content archive entry, quarantine item, or ban
entry from the same content.
Content_Archive All non-encrypted email, FTP, HTTP, IM, and NNTP traffic is archived
to a FortiAnalyzer unit or the FortiGuard Analysis & Management
Service. No blocking or quarantine is performed.
If you have a FortiGate unit that supports SSL content scanning and
inspection, you can modify this sensor to archive encrypted traffic as
well.
Content_Summary A summary of all non-encrypted email, FTP, HTTP, IM, and NNTP
traffic is saved to a FortiAnalyzer unit or the FortiGuard Analysis &
Management Service. No blocking or quarantine is performed.
If you have a FortiGate unit that supports SSL content scanning and
inspection, you can modify this sensor to archive a summary of
encrypted traffic as well.
Credit-Card The number formats used by American Express, Visa, and Mastercard
credit cards are detected in HTTP and email traffic.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
that you require.
Large-File Files larger than 5MB will be detected if attached to email messages or
if send using HTTP or FTP.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
that you require.
SSN-Sensor The number formats used by U.S. Social Security and Canadian
Social Insurance numbers are detected in email and HTTP traffic.
As provided, the sensor is configured not to archive matching traffic
and an action of None is set. Configure the action and archive options
that you require.
DLP archiving
DLP is typically used to prevent sensitive information from getting out of your company
network, but it can also be used to record network use. This is called DLP archiving. The
DLP engine examines email, FTP, IM, NNTP, and web traffic. Enabling archiving for rules
when you add them to sensors directs the FortiGate unit to record all occurrences of these
traffic types when they are detected by the sensor.
Since the archive setting is configured for each rule in a sensor, you can have a single
sensor that archives only the things you want.
DLP archiving comes in two forms: Summary Only, and Full.
Summary archiving records information about the supported traffic types. For example,
when an email message is detected, the sender, recipient, message subject, and total size
are recorded. When a user accesses the Web, every URL the user visits recorded. The
result is a summary of all activity the sensor detected.
For more detailed records, full archiving is necessary. When an email message is
detected, the message itself, including any attachments, is archived. When a user
accesses the Web, every page the user visits is archived. Far more detailed than a
summary, full DLP archives require more storage space and processing.
Because both types of DLP archiving require additional resources, DLP archives are
saved to a FortiAnalyzer unit or the FortiGuard Analysis and Management Service
(subscription required).
Two sample DLP sensors are provided with DLP archiving capabilities enabled. If you
select the Content_Summary sensor in a firewall policy, it will save a summary DLP
archive of all traffic the firewall policy handles. Similarly, the Content_Archive sensor
will save a full DLP archive of all traffic handled the firewall policy you apply it to. These
two sensors are configured to detect all traffic of the supported types and archive them.
DLP examples
Configuring DLP content archiving
This example details how to enable DLP content archiving on a FortiGate unit located in a
satellite office. With this DLP sensor selected in a firewall policy, all email, FTP, HTTP, IM,
and NNTP traffic controlled by the policy is saved to your FortiAnalyzer unit. This example
assumes the FortiGate unit is configured to send all logs to a FortiAnalyzer unit or to the
FortiGuard Analysis and Management Service.
To select the DLP content archive sensor in a firewall policy — web-based manager
1 Go to Firewall > Policy > Policy.
2 Select a policy and choose the Edit icon.
3 Enable UTM.
4 Select the Enable DLP Sensor option.
5 Select default from the Protocol Options list.
DLP can not be enabled without selecting a protocol options profile. A default profile is
provided.
6 Select the Content_Archive sensor from the list.
7 Select OK to save the firewall policy.
All messages include the text From: president@example.com and Subject: XYZ
Monthly Update where XYZ is the month the update applies to.
You will create a rule for the email address and a rule for the subject, combine them in a
compound rule, and add the compound rule to a DLP sensor. You will then add the DLP
sensor to the firewall policy that controls outgoing email traffic.
5 Using the Application selection, choose the application you want to add.
The application available to you will be limited to those in the category you selected. If
you want to include all the applications in a category, leave Application set to
All Applications.
6 Select the Action the FortiGate unit will take when it detects network traffic from the
application:
• Block will stop all traffic from the application.
• Pass allows the application traffic to flow normally.
If you set the action to Pass, you have the option of enabling traffic shaping for the
application or applications specified in this application list entry. For more information
about application control traffic shaping, see “Application traffic shaping” on page 874
7 Enable Session TTL to specify a time-to-live value for the session, in seconds. If this
option is not enabled, the TTL defaults to the setting of the CLI command config
system session-ttl.
8 Select Enable Logging to have the FortiGate unit log the occurrence and action taken
when traffic from the application is detected.
9 Select Enable Packet Log to have the FortiGate unit save the packets that application
control used to determine the traffic came from the application.
10 Some applications have additional options:
Caution: Before using the default application control lists, examine them closely to ensure
you understand how they will affect the traffic on your network.
block-p2p This list blocks the applications in the P2P category and allow all other
application traffic.
monitor-all This list allows all application traffic and enables the application
control monitoring for all traffic. Only FortiGate units with a hard drive
support application monitoring.
monitor-p2p-and-media This list allows all application traffic, and enables the application
control monitoring for the applications in the P2P and media
categories. Only FortiGate units with a hard drive support application
monitoring.
Shaper re-use
Shapers are created independently of firewall policies and application control lists so you
are free to reuse the same shapers in multiple list entries and policies. Shared shapers
can be configured to apply separately to each firewall policy or across all policies. This
means that if a shaper is configured to guaranteed 1000 KB/s bandwidth, each firewall
policy using the shaper will have its own 1000 KB/s reserved, or all of the policies using
the shaper will share a pool if 1000 KB/s, depending on how it is configured.
The same thing happens when a shaper is used in application control list entries. If an
application control list using a shaper is applied to two separate policies, how the
bandwidth is limited or guaranteed depends on whether the shaper is set to apply
separately to each policy or across all policies. In fact, if a shaper is applied directly to one
firewall policy, and it is also included in an application control list that is applied to another
firewall policy, the same issue occurs. How the bandwidth is limited or guaranteed
depends on the shaper configuration.
If a shaper is used more than once within a single application control list, all of the
applications using the shaper are restricted to the maximum bandwidth or share the same
guaranteed bandwidth.
For example, you want to limit the bandwidth used by Skype and Facebook chat to no
more than 100 KB/s. Create a shaper, enable Maximum Bandwidth, and enter 100. Then
create an application control list with and entry for Skype and another entry for Facebook
chat. Apply the shaper to each entry and select the application control list in the firewall
policy that allows your users to access both services.
This configuration uses the same shaper for each entry, so Skype and Facebook chat
traffic are limited to no more than 100 KB/s in total. That is, traffic from both applications is
added and the total is limited to 100 KB/s. If you want to limit Skype traffic to 100 KB/s and
Facebook chat traffic to 100 KB/s, you must use separate shapers for each application
control entry.
Note: Because the application monitor relies on a SQL database, the feature is
available only on FortiGate units with an internal hard drive.
While the monitor charts are similar to the top application usage dashboard widget, it
offers several advantages. The widget data is stored in memory so when you restart the
FortiGate unit, the data is cleared. Application monitor data is stored on the hard drive and
restarting the system does not affect old monitor data.
Application monitor allows you to choose to compile data for any or all of three charts: top
ten applications by bandwidth use, top ten media users by bandwidth, and top ten P2P
users by bandwidth. Further, there is a chart of each type for the traffic handled by each
firewall policy with application monitor enabled. The top application usage dashboard
widget shows only the bandwidth used by the top applications since the last system
restart.
Caution: Although logging to multiple FortiAnalyzer units is supported, packet logs are not
sent to the secondary and tertiary FortiAnalyzer units. Only the primary unit receives packet
logs.
Application considerations
Some applications behave differently from most others. You should be aware of these
differences before using application control to regulate their use.
IM applications
Application control regulates most instant messaging applications by preventing or
allowing user access to the service. Selecting Block Login will not disconnect users who
are logged in when the change is made. Once they log themselves out, however, they will
not be able to log in again.
Skype
Based on the NAT firewall type, Skype takes advantage of several NAT firewall traversal
methods, such as STUN (Simple Traversal of UDP through NAT), ICE (Interactive
Connectivity Establishment) and TURN (Traversal Using Relay NAT), to make the
connection.
The Skype client may try to log in with either UDP or TCP, on different ports, especially
well-known service ports, such as HTTP (80) and HTTPS (443), because these ports are
normally allowed in firewall settings. A client who has previously logged in successfully
could start with the known good approach, then fall back on another approach if the known
one fails.
The Skype client could also employ Connection Relay. This means if a reachable host is
already connected to the Skype network, other clients can connect through this host. This
makes any connected host not only a client but also a relay server.
Enable DoS
A DoS policy examines network traffic arriving at an interface for anomalous patterns
usually indicating an attack. Enable DoS sensors to protect your FortiGate unit from
attack. To apply a DoS policy, you must follow the steps below in sequence:
1 Create a DoS sensor.
2 Create a DoS policy
3 Apply the DoS sensor to the DoS policy.
Note: It is important to know normal and expected network traffic before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and
setting the thresholds too high could allow otherwise avoidable attacks.
Anomaly Description
tcp_syn_flood If the SYN packet rate of new TCP connections, including
retransmission, to one destination IP address exceeds the configured
threshold value, the action is executed. The threshold is expressed in
packets per second.
tcp_port_scan If the SYN packet rate of new TCP connections, including
retransmission, from one source IP address exceeds the configured
threshold value, the action is executed. The threshold is expressed in
packets per second.
tcp_src_session If the number of concurrent TCP connections from one source IP
address exceeds the configured threshold value, the action is executed.
tcp_dst_session If the number of concurrent TCP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
udp_flood If the UDP traffic to one destination IP address exceeds the configured
threshold value, the action is executed. The threshold is expressed in
packets per second.
udp_scan If the number of UDP sessions originating from one source IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
udp_src_session If the number of concurrent UDP connections from one source IP
address exceeds the configured threshold value, the action is executed.
udp_dst_session If the number of concurrent UDP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
icmp_flood If the number of ICMP packets sent to one destination IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
icmp_sweep If the number of ICMP packets originating from one source IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
Note: Because DoS sensors are configured before being applied to an interface, you can
assign a DoS sensor with the Proxy action to an interface that does not have hardware
SYN proxy support. In this circumstance, the Proxy action is invalid and a Pass action will
be applied.
7 Set the Threshold value for the anomaly. See the table in step 3 for details about the
threshold values for each anomaly.
8 Select OK.
DoS example
The Example.com corporation installed a web server and connected it to Port5 on its
FortiGate unit. To protect against denial of service attacks, you will configure and apply a
DoS sensor to protect the web server.
Figure 72: How the intrusion detection system uses sniffer policies to examine traffic
Start
A packet arrives at
the sniffer interface
No No
Does this
packet match any
Discard the packet Log the match signatures in the
Yes specified IPS
sensor?
No
End
Does this
packet come
from any application
Log the match
in the specified
application Yes
control list?
No
Connecting the sniffer interface to a regular switch interface will not work because no
traffic is addressed to the sniffer interface. A SPAN port is a special-purpose interface that
mirrors all the traffic the switch receives. Traffic is handled normally on every other switch
interface, but the SPAN port sends a copy of everything. If you connect your FortiGate unit
sniffer interface to the switch SPAN port, all the network traffic will be examined without
any being lost because of the examination.
Figure 73: A network configured for intrusion detection using a sniffer policy
One-Armed
IPS Scanner
Internal Network
o
nt
Main Firewall e ctio ort
nn P
Co PAN
S
Switch
8 To have the sniffer policy log traffic from applications specified in an application control
list, select the Application Black/White List check box and choose the application
control list.
9 Select OK.
DoS sensors, IPS sensors, and application control lists all allow you to choose actions and
log traffic. When included in a sniffer sensor, these settings are ignored. Actions in these
other settings do not apply, and all matches are logged regardless of the logging setting.
Sniffer example
An IDS sniffer configuration
The Example.com Corporation uses a pair of FortiGate-620B units to secure the head
office network. To monitor network attacks and create complete log records of them, the
network administrator has received approval to install a FortiGate-82C to record all IPS
signature matches in incoming and outgoing network traffic using a sniffer policy. This
example details the set-up and execution of this network configuration.
Although this example uses a separate FortiGate unit for sniffer-mode operation, the
sniffer traffic can be sent to the FortiGate unit protecting the network. The switch must still
be configured to create a copy of the data because the sniffer interface drops all incoming
traffic. In this case, the administrator requested a FortiGate-82C for this purpose because
sniffer-mode operation is resource intensive, and using a separate FortiGate unit frees the
FortiGate-620B cluster from this task. The FortiGate-82C unit also has four internal hard
drives, making it ideal for storing large log files.
t1 r
P
m
or
od
t1
e)
2
ort
P
8 r of P 3)
P
or
or
t
t1
r
t3
Po irro Port
(m nd
P
or
a
t2
P
or
t1
Switch
The company Internet feed is connected to Port1 of the switch. The FortiGate units are
connected to Port2 and Port3 of the switch. Since they are configured as an HA cluster,
they must both have access to the Internet in the event of a failure.
To allow a FortiGate unit sniffer interface to examine the network traffic, the switch must be
configured to create a copy of all network traffic entering or leaving Port2 and Port3 and
send it out Port8. When configured this way, the switch port sending the duplicate traffic is
called a mirror port or a SPAN port.
Consult the switch documentation for instructions on how to configure a SPAN port.
Note: The traffic between Port1 and Port2/Port3 is not modified or diverted in any way by
the creation of a SPAN port. The traffic is duplicated with the copy being send out of the
SPAN port.
Caution: All network traffic entering a sniffer-mode interface is dropped after examination
and logging according to the configured sniffer policy.
What is authentication?
Authentication is the act of confirming the identity of a person or other entity. In the context
of a private computer network, the identities of users or host computers must be
established to ensure that only authorized parties can access the network. The FortiGate
unit provides network access control and applies authentication to users of firewall
policies and VPN clients.
Means of authentication
FortiGate unit authentication is divided into two basic types: password authentication for
people and certificate authentication for hosts or endpoints. An exception to this is that
FortiGate units in an HA cluster and FortiManager units use password authentication.
Password authentication verifies individual user identities, but access to network
resources is based on membership in user groups. For example, a firewall policy can be
configured to permit access only to the members of one or more user groups. Any user
who attempts network access through that policy is then authenticated through a request
for their user name and password.
When you use an external authentication server to authenticate users, the FortiGate unit
sends the user’s entered credentials to the external server. The password is encrypted.
The server’s response indicates whether the supplied credentials are valid or not.
You must configure the FortiGate unit to access the external authentication servers that
you want to use. The configuration includes the parameters that authenticate the
FortiGate unit to the authentication server.
You can use external authentication servers in two ways:
• Create user accounts on the FortiGate unit, but instead of storing each user’s
password, specify the server used to authenticate that user. As with accounts that
store the password locally, you add these users to appropriate user groups.
• Add the authentication server to user groups. Any user who has an account on the
server can be authenticated and have the access privileges of the FortiGate user
group. Optionally, when an LDAP server is a FortiGate user group member, you can
limit access to users who belong to specific groups defined on the LDAP server.
Certificate-based authentication
An RSA X.509 server certificate is a small file issued by a Certificate Authority (CA) that is
installed on a computer or FortiGate unit to authenticate itself to other devices on the
network. When one party on a network presents the certificate as authentication, the other
party can validate that the certificate was issued by the CA. The identification is therefore
as trustworthy as the Certificate Authority (CA) that issued the certificate.
To protect against compromised or misused certificates, CAs can revoke any certificate by
adding it to a Certificate Revocation List (CRL). Certificate status can also be checked
online using Online Certificate Status Protocol (OCSP).
RSA X.509 certificates are based on public-key cryptography, in which there are two keys:
the private key and the public key. Data encrypted with the private key can be decrypted
only with the public key and vice versa. As the names suggest, the private key is never
revealed to anyone and the public key can be freely distributed. Encryption with the
recipient’s public key creates a message that only the intended recipient can read.
Encryption with the sender’s private key creates a message whose authenticity is proven
because it can be decrypted only with the sender’s public key.
Server certificates contain a signature string encrypted with the CA’s private key. The CA’s
public key is contained in a CA root certificate. If the signature string can be decrypted with
the CA’s public key, the certificate is genuine.
Certificate authorities
A certificate authority can be:
• an organization, such as VeriSign Inc., that provides certificate services
• a software application, such as Microsoft Certificate Services or OpenSSH
For a company web portal or customer-facing SSL VPN, a third-party certificate service
has some advantages. The CA certificates are already included in popular web browsers
and customers trust the third-party. On the other hand, third-party services have a cost.
For administrators and for employee VPN users, the local CA based on a software
application provides the required security at low cost. You can generate and distribute
certificates as needed. If an employee leaves the organization, you can simply revoke
their certificate.
Two-factor authentication
Optionally, you can require both a certificate and user name/password authentication.
Certificates are installed on the user’s computer. Also requiring a password protects
against unauthorized use of that computer. Two-factor authentication is available for PKI
users. For more information, see “Two-factor authentication” on page 918.
Types of authentication
Authentication applies to several FortiGate features:
• firewall policies (identity-based policies)
• VPNs
VPN authentication
In IPsec VPNs, there is authentication of the peer device and optionally of the peer user.
The user types a user name and password and then selects Continue or Login. If the
credentials are incorrect, the authentication screen is redisplayed with blank fields so that
the user can try again. When the user enters valid credentials, they get access to the
required resource. In some cases, if a user tries to authenticate several times without
success, a message appears, such as: “Too many bad login attempts. Please try again in
a few minutes.”
Note: After a defined period of user inactivity (the authentication timeout, defined by the
FortiGate administrator), the user’s access expires. The default is 5 minutes. To access the
resource, the user will have to authenticate again.
Figure 76: FortiClient application request for user name and password
SSL VPN is a form of VPN that can be used with a standard Web browser. There are two
modes of SSL VPN operation (supported in NAT/Route mode only):
• web-only mode, for remote clients equipped with a web-browser only
• tunnel mode, for remote computers that run a variety of client and server applications.
Note: After a defined period of user inactivity on the VPN connection (the idle timeout,
defined by the FortiGate administrator), the user’s access expires. The default is 30
minutes. To access the resource, the user will have to authenticate again.
• a remote or external authentication server with a database that contains the user name
and password of each person who is permitted access
The general process of setting up authentication is as follows:
1 If remote or external authentication is needed, configure the required servers.
2 Configure local and peer (PKI) user identities. For each local user, you can choose
whether the FortiGate unit or a remote authentication server verifies the password.
Peer members can be included in user groups for use in firewall policies.
3 Create user groups.
Add local/peer user members to each user group as appropriate. You can also add an
authentication server to a user group. In this case, all users in the server’s database
can authenticate. You can only configure peer user groups through the CLI.
4 Configure firewall policies and VPN tunnels that require authenticated access.
RADIUS servers
Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication and
accounting functions of the RADIUS server.
Your RADIUS server listens on either port 1812 or port 1645 for authentication requests.
You must configure it to accept the FortiGate unit as a client.
The RADIUS server user database can be any combination of:
• user names and passwords defined in a configuration file
• an SQL database
• user account names and passwords configured on the computer where the RADIUS
server is installed.
The RADIUS server uses a “shared secret” key to encrypt information passed between it
and clients such as the FortiGate unit.
The FortiGate unit sends the following RADIUS attributes:
1. Acct-Session-ID
2. User Name
3. NAS-Identifier (FGT hostname)
4. Framed-IP-Address (IP address assigned to the client)
5. Fortinet-VSA (IP address client is connecting from)
6. Acct-Input-Octets
7. Acct-Output-Octets
Table 68 describes the supported authentication events and the RADIUS attributes that
are sent in the RADIUS accounting message.
ATTRIBUTE
AUTHENTICATION METHOD 1 2 3 4 5 6 7
Web X X X X
SSL-VPN X X X X
LDAP servers
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords,
email addresses, and printers. An LDAP consists of a data-representation scheme, a set
of defined operations, and a request/response network.
The scale of LDAP servers ranges from big public servers such as BigFoot and Infospace,
to large organizational servers at universities and corporations, to small LDAP servers for
workgroups. This document focuses on the institutional and workgroup applications of
LDAP.
A directory is a set of objects with similar attributes organized in a logical and hierarchical
way. Generally, an LDAP directory tree reflects geographic and/or organizational
boundaries, with the Domain name system (DNS) names to structure the top level of the
hierarchy. The common name identifier for most LDAP servers is cn, however some
servers use other common name identifiers such as uid.
If you have configured LDAP support and a user is required to authenticate using an
LDAP server, the FortiGate unit contacts the LDAP server for authentication. To
authenticate with the FortiGate unit, the user enters a user name and password. The
FortiGate unit sends this user name and password to the LDAP server. If the LDAP server
can authenticate the user, the user is successfully authenticated with the FortiGate unit. If
the LDAP server cannot authenticate the user, the connection is refused by the FortiGate
unit.
Binding is the step where the LDAP server authenticates the user, and if the user is
successfully authenticated, allows the user access to the LDAP server based on that
user’s permissions.
The FortiGate unit can be configured to use one of three types of binding:
• anonymous - bind using anonymous user search
• regular - bind using user name/password and then search
• simple - bind using a simple password authentication without a search
You can use simple authentication if the user records all fall under one dn. If the users are
under more than one dn, use the anonymous or regular type, which can search the entire
LDAP database for the required user name.
If your LDAP server requires authentication to perform searches, use the regular type and
provide values for user name and password.
The FortiGate unit supports LDAP protocol functionality defined in RFC 2251: Lightweight
Directory Access Protocol v3, for looking up and validating user names and passwords.
FortiGate LDAP supports all LDAP servers compliant with LDAP v3. In addition, FortiGate
LDAP supports LDAP over SSL/TLS, which can be configured only in the CLI.
FortiGate LDAP does not support proprietary functionality, such as notification of
password expiration, which is available from some LDAP servers. FortiGate LDAP does
not supply information to the user about why authentication failed.
To configure your FortiGate unit to work with an LDAP server, you need to understand the
organization of the information on the server.
The top of the hierarchy is the organization itself. Usually this is defined as Domain
Component (DC), a DNS domain. If the name contains a dot, such as “example.com”, it is
written as two parts: “dc=example,dc=com”.
In this example, Common Name (CN) identifiers reside at the Organization Unit (OU)
level, just below DC. The Distinguished Name (DN) is ou=People,dc=example,dc=com.
In addition to the DN, the FortiGate unit needs an identifier for the individual person.
Although the FortiGate unit GUI calls this the Common Name (CN), the identifier you use
is not necessarily CN. On some servers, CN is the full name of a person. It might be more
convenient to use the same identifier used on the local computer network. In this example,
User ID (UID) is used.
You need to determine the levels of the hierarchy from the top to the level that contains the
identifier you want to use. This defines the DN that the FortiGate unit uses to search the
LDAP database. Frequently used distinguished name elements include:
• pw (password)
• cn (common name)
• ou (organizational unit)
• o (organization)
• c (country)
One way to test this is with a text-based LDAP client program. For example, OpenLDAP
includes a client, ldapsearch, that you can use for this purpose.
Enter the following at the command line:
ldapsearch -x '(objectclass=*)'
The output is lengthy, but the information you need is in the first few lines:
version: 2
#
# filter: (objectclass=*)
# requesting: ALL
#
dn: dc=example,dc=com
dc: example
objectClass: top
objectClass: domain
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
...
dn: uid=auser,ou=People,dc=example,dc=com
uid: auser
cn: Alex User
TACACS+ servers
In recent years, remote network access has shifted from terminal access to LAN access.
Users are now connecting to their corporate network remotely with computers that utilize
complete network connections. Remote node technology allows users the same level of
access to the corporate network resources as they would have if they were physically in
the office. When users connect to their corporate network remotely, they do so through a
remote access server. As remote access technology has evolved, the need for network
access security has become increasingly important. This need can be filled using a
Terminal Access Controller Access-Control System (TACACS+) server.
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication
protocol that provides access control for routers, network access servers, and other
networked computing devices via one or more centralized servers. TACACS+ allows a
client to accept a user name and password and send a query to a TACACS+
authentication server. The server host determines whether to accept or deny the request
and sends a response back that allows or denies network access to the user.
There are several different authentication protocols that TACACS+ can use during the
authentication process:
• ASCII
Machine-independent technique that uses representations of English characters.
Requires user to type a user name and password that are sent in clear text
(unencrypted) and matched with an entry in the user database stored in ASCII format.
• PAP (password authentication protocol)
Used to authenticate PPP connections. Transmits passwords and other user
information in clear text.
• CHAP (challenge-handshake authentication protocol)
Provides the same functionality as PAP, but is more secure as it does not send the
password and other user information over the network to the security server.
• MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
Microsoft-specific version of CHAP.
The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that order.
Firewall policy
Select Enable Identity Based Policy and then select Add. Add the SecurID user group to
the Selected User Groups list. Set other options as desired and select OK.
PPTP VPN
PPTP VPN is configured in the CLI. In the PPTP configuration (config vpn pptp), set
usrgrp to the SecurID user group.
SSL VPN
In the SecurID user group, select the appropriate web portal for these users. In the firewall
policy for the SSL VPN, include the SecurID user group in the list of selected user groups.
Users
A user is a user account consisting of user name, password, and in some cases other
information, configured on the FortiGate unit or on an external authentication server.
Users can access resources that require authentication only if they are members of an
allowed user group. There are several different types of user accounts with slightly
different methods of authentication:
Table 69: How the FortiGate unit authenticates different types of users
User type Authentication
Local user with password The user name and password must match a user account
stored on the FortiGate unit stored on the FortiGate unit.
Local user with password The user name must match a user account stored on the
stored on an authentication FortiGate unit and the user name and password must
server match a user account stored on the authentication server.
On the external authentication server, there may be user
groups to which users can be assigned. These groups exist
independently of FortiGate unit user groups.
Authentication server user A FortiGate user group can include user accounts that exist
on an external authentication server or particular user
groups on that server.
Any of the included users can authenticate and get access
to the resources permitted to the FortiGate user group.
Peer user with certificate A peer user is a digital certificate holder that authenticates
authentication using a client certificate. No password is required, unless
two-factor authentication is enabled.
2 Select the check box of the user that you want to remove.
3 Select Delete.
4 Select OK.
Note: You cannot remove a user that belongs to a user group. Remove the user from the
user group first.
Note: The configuration page for PKI users in the web-based manager is not available
unless there is at least one peer user defined. Follow the CLI-based instructions to create
the first peer user. Optionally, you can then log into the web-based manager to configure
additional PKI (peer) users.
Note: If you create a PKI user in the CLI with no values in subject or ca, you will not be
able to open the user’s record in the web-based manager. The CLI will prompt you to add a
value in Subject (subject) or CA (ca).
Subject The text string that appears in the Subject field of the user’s certificate.
CA Select the CA certificate that must be used to authenticate this peer user.
4 Select OK.
There are other configuration settings that can be added or modified for PKI
authentication. For example, you can configure the use of an LDAP server to check
access rights for client certificates. For information about the detailed PKI configuration
settings only available through the CLI, see the FortiGate CLI Reference.
Two-factor authentication
You can increase security by requiring both certificate and password authentication for
PKI users. Certificates are installed on the user’s computer. Also requiring a password
protects against unauthorized use of that computer.
To create a peer user with two-factor authentication - web-based manager
While configuring a peer user (see Figure 83, above), select Require two-factor
authentication and enter a password.
User groups
A user group is a list of user identities. An identity can be:
• a local user account (user name/password) stored on the FortiGate unit
• a local user account with the password stored on a RADIUS, LDAP, or TACACS+
server
• a PKI user account with digital client authentication certificate stored on the FortiGate
unit
• a RADIUS, LDAP, or TACACS+ server, optionally specifying particular user groups on
that server
• a user group defined on a Directory Service server.
Identity-based firewall policies and some types of VPN configurations allow access only to
specified user groups.
In most cases, the FortiGate unit authenticates users by requesting their user name and
password. The FortiGate unit checks local user accounts first. If a match is not found, the
FortiGate unit checks the RADIUS, LDAP, or TACACS+ servers that belong to the user
group. Authentication succeeds when a matching user name and password are found.
There are two types of FortiGate user group: Firewall and Directory Services.
Note: A user group cannot be a dialup group if any member is authenticated using an
external authentication server.
Note: Matching user group names from an external authentication server might not work if
the list of group memberships for the user is longer than 8000 bytes. Group names beyond
this limit are ignored.
For more information about user group CLI commands, see the Fortinet CLI Guide.
Note: You cannot remove a user group that is part of a firewall policy. Remove it from the
firewall policy first.
Authentication timeout
You set the firewall user authentication timeout to control how long an authenticated
connection can be idle before the user must authenticate again. The maximum timeout is
480 minutes (8 hours).
Password policy
Password authentication is effective only if the password is sufficiently strong and is
changed periodically. By default, the FortiGate unit requires only that passwords be at
least eight characters in length. You can set a password policy to enforce higher standards
for both length and complexity of passwords. Password policies can apply to administrator
passwords or IPsec VPN preshared keys.
To set a password policy in the web-based manager, go to System > Admin > Settings.
In the CLI, use the config system password-policy command.
Password length
The default minimum password length on the FortiGate unit is eight characters, but up to
32 characters is permitted. Security experts suggest a minimum length of 14 characters.
Password complexity
Users usually create passwords composed of alphabetic characters and perhaps some
numbers. Password policy can require the inclusion of upper case letters, lower case
letters, numerals or punctuation characters.
Authentication protocols
When user authentication is enabled on a firewall policy, the authentication challenge is
normally issued for any of the four protocols, HTTP, HTTPS, FTP, and Telnet, which are
dependent on the connection protocol. By making selections in the Protocol Support list,
the user controls which protocols support the authentication challenge. The user must
connect with a supported protocol first, so that they can subsequently connect with other
protocols.
For example, if you have selected HTTP, FTP, or Telnet, a user name and password-
based authentication occurs. The FortiGate unit then prompts network users to input their
firewall user name and password. If you have selected HTTPS, certificate-based
authentication (HTTPS, or HTTP redirected to HTTPS only) occurs.
For certificate-based authentication, you must install customized certificates on the
FortiGate unit and on the browsers of network users. If you do not install certificates on the
network user’s web browser, the network users may see an SSL certificate warning
message and have to manually accept the default FortiGate certificate. The network
user’s web browser may deem the default certificate as invalid.
When you use certificate authentication, if you do not specify any certificate when you
create the firewall policy, the global settings are used. If you specify a certificate, the per-
policy setting will overwrite the global setting. For more information about the use of
certification authentication see “Certificate-based authentication” on page 961.
Note: You can configure user authentication for firewall policies only when Action is set to
Accept.
6 In the Available User Groups list, select the user groups that will be allowed to use this
policy and then select the right arrow button to move them to the Selected User Groups
list.
7 From from the Available Services list, select the services users will be allowed to
access and then select the right arrow button to move them to the Selected Services
list.
To enable use of all services, select the ANY service.
8 Set other options as required and then select OK.
Figure 88: Identity Based Policy list and options in firewall policy
9 If users will use a certificate for authentication, from the Certificate list select the CA
certificate to use to validate the users’ certificates.
10 To require the user to accept a disclaimer to connect to the destination, select Enable
Disclaimer. If the user is to be redirected after accepting the disclaimer, enter the URL
in the Redirect URL to field.
You can edit the User Authentication Disclaimer replacement message text in
System > Config > Replacement Messages.
11 Select OK.
VPN authentication
All VPN configurations require users to authenticate. Authentication based on user groups
applies to:
• SSL VPNs
• PPTP and L2TP VPNs
• an IPsec VPN that authenticates users using dialup groups
• a dialup IPsec VPN that uses XAUTH authentication (Phase 1)
You must create user accounts and user groups before performing the procedures in this
section. If you create a user group for dialup IPsec clients or peers that have unique peer
IDs, their user accounts must be stored locally on the FortiGate unit. You cannot
authenticate these types of users using a RADIUS or LDAP server.
Name Name for group of dialup users using the VPN for authentication.
Remote Gateway List of the types of remote gateways for VPN. Select Dialup User.
Authentication Method List of authentication methods available for users. Select
Preshared Key and enter the preshared key.
Peer Options Select Accept peer ID in dialup group. Select the user group that is
to be allowed access to the VPN. The listed user groups contain
only users with passwords on the FortiGate unit.
Note: The Accept peer ID in dialup group option does not support authentication of users
through an authentication server. The user accounts must exist on the FortiGate unit.
3 Select Advanced to reveal additional parameters and configure other VPN gateway
parameters as needed.
4 Select OK.
5 Select OK.
For more information about XAUTH configuration, see the IPsec VPN chapter of this
FortiOS Handbook.
Introduction to FSAE
The Fortinet Server Authentication Extension (FSAE) provides seamless authentication
support for Microsoft Windows Active Directory and Novell eDirectory users in a FortiGate
environment.
On a Microsoft Windows or Novell network, users authenticate with the Active Directory or
Novell eDirectory at logon. It would be inconvenient if users then had to enter another user
name and password for network access through the FortiGate unit. FSAE provides
authentication information to the FortiGate unit so that users automatically get access to
permitted resources.
There are several mechanisms for passing user authentication information to the
FortiGate unit:
• FSAE software installed on a Novell network monitors user logons and sends the
required information to the FortiGate unit. The FSAE software can obtain information
from the Novell eDirectory using either the Novell API or LDAP.
• FSAE software installed on a Windows AD network monitors user logons and sends
the required information to the FortiGate unit. The FSAE software can obtain this
information by polling the domain controllers or by using an agent on each domain
controller that monitors user logons in real time. Optionally, a FortiGate unit running
FortiOS 3.0 MR6 or later can obtain group information directly from the AD using
Lightweight Directory Access Protocol (LDAP).
• On a Windows AD network, the FSAE software can also serve NTLM requests coming
from client browsers (forwarded by the FortiGate unit).
DC Agent mode
In DC Agent mode (see Figure 90), an agent is installed on each domain controller to
monitor user logon events and pass the information to the FSAE collector agent, which
forwards the information to the FortiGate unit.
l led
ith sta
e r w ent in
v
er ag
s s or
nit update d ow llect
a te u n
Wi E C
o
rti G A
Fo FS
update
ith
e r s wlled
l
ol ta
ntr ins
r
se
Co gent
U
nt
i n
lie
ma C a
C
Do E D
A
FS
DC Agent mode provides reliable user logon information, however you must install a DC
agent on every domain controller in the domain. A reboot is needed after the agent is
installed.
Polling mode
In Polling mode (see Figure 91), the FSAE collector agent polls each domain controller for
user logon information and forwards it to the FortiGate unit.
lled
ith sta
e r w ent in
v
er ag
s s or
uni
t update d ow llect
n o
i G ate Wi E C
rt A
Fo FS
poll
rs
trolle
on
r
se
C
U
in
nt
ma
lie
Do
C
The polling mode provides logon information less reliably. For example, under heavy
system load a poll might miss some user logon events. However, you do not need to install
a DC agent on each domain controller.
t
en
ag ver
c tor ser
lle D
Co er A
S AE emb
F m
a
on
unit
ate
ortiG
F
rs
olle
ntr
r
o
se
nC
U
i
nt
ma
lie
Do
C
6 If the negotiation is successful and the user belongs to one of the groups permitted in
the firewall policy, the connection is allowed, Otherwise, the FortiGate unit denies the
authentication by issuing a 401 return code and prompts for a username and
password. Unless the TCP connection is broken, no further credentials are sent from
the client to the proxy.
Note: If the authentication policy reaches the authentication timeout period, a new NTLM
handshake occurs.
Installing FSAE
The components you need to install depend on whether you are installing FSAE on
Windows AD or Novell eDirectory.
Note: If you reinstall the FSAE software on this computer, your FSAE configuration is
replaced with default settings.
If you want to create a redundant configuration, repeat the procedure “To install the FSAE
collector agent” on page 938 on at least one other Windows AD server.
Note: When you start to install a second collector agent, when the Install Wizard dialog
appears the second time, cancel it. From the configuration GUI, the monitored domain
controller list should show your domain controllers unselected. Select the ones you wish to
monitor with this collector agent, and click Apply.
Before you can use FSAE, you need to configure it on both Windows AD and on the
FortiGate units. See the next section, “Configuring FSAE on Windows AD”, and
“Configuring FSAE on FortiGate units” on page 952.
eDirectory Server
Server Address Enter the IP address of the eDirectory server.
Use secure connection Select to connect to the eDirectory server
(SSL) using SSL security.
Search Base DN Enter the base Distinguished Name for the
user search.
eDirectory Authentication
User name Enter a user name that has access to the
eDirectory, using LDAP format.
User password Enter the password.
8 Select Next.
9 Select Install.
If you change a user’s group membership, the change does not take effect until the user
logs off and then logs on again.
FSAE sends only Domain Local Security Group and Global Security Group information to
FortiGate units. You cannot use Distribution group types for FortiGate access. No
information is sent for empty groups.
Refer to Microsoft documentation for information about creating groups.
Monitoring user logon events Select to automatically authenticate users as they log on to
the Windows domain.
Support NTLM authentication Select to facilitate logon of users who are connected to a
domain that does not have the DC Agent installed.
Collector Agent Status Shows RUNNING when collector agent is active.
Listening ports You can change port numbers if necessary.
FortiGate TCP port for FortiGate units. Default 8000.
DC Agent UDP port that DC Agents use. Default 8002.
Logging
Log level Select the minimum severity level of logged messages.
Log file size limit (MB) Enter the maximum size for the log file in MB.
View Log View all FSAE logs.
Log logon events in Record user login-related information separately from other
separate logs logs. The information in this log includes
• data received from DC agents
• user logon/logoff information
• workstation IP change information
• data sent to FortiGate units
View Logon Events If Log logon events in separate logs is enabled, you can
view user login-related information.
Authentication
Require authenticated Select to require the FortiGate unit to authenticate before
connection from FortiGate connecting to the Collector Agent.
Password Enter the password that FortiGate units must use to
authenticate. The maximum password length is 16
characters. The default password is “fortinetcanada”.
Timers
Workstation verify interval Enter the interval in minutes at which FSAE checks whether
(minutes) the user is still logged in. The default is every 5 minutes.
If ports 139 or 445 cannot be opened on your network, set
the interval to 0 to prevent checking. See “Configuring TCP
ports for FSAE on client computers” on page 946.
Dead entry timeout interval Enter the interval in minutes after which FSAE purges
information for user logons that it cannot verify. The default
is 480 minutes (8 hours).
Dead entries usually occur because the computer is
unreachable (in standby mode or disconnected, for
example) but the user has not logged off.
You can also prevent dead entry checking by setting the
interval to 0.
IP address change verify FSAE periodically checks the IP addresses of logged-in
interval users and updates the FortiGate unit when user IP
addresses change. This does not apply to users
authenticated through NTLM. Enter the verification interval
in seconds. IP address verification prevents users from
being locked out if they change IP addresses. You can enter
0 to prevent IP address checking if you use static IP
addresses.
Cache user group lookup result Enable caching.
Cache expire in (minutes) FSAE caches group information for logged-in users. Enter
the duration in minutes after which the cache entry expires.
If you enter 0, the cache never expires.
Clear Group Cache Clear group information of logged-in users.
Common Tasks
Show Service Status View information about the status of the collector agent and
connected FortiGate units. See “Viewing collector agent
status” on page 946.
Show Monitored DCs Shows detailed information about connected DC agents.
Use the Select DC to Monitor button to select domain
controllers to monitor and choose Working Mode. See
“Selecting Domain Controllers and working mode for
monitoring” on page 948.
Show Logon Users View a list of currently logged-in users. Select the column
headers to sort the list.
Select Domains to Monitor Select this button to remove domains that you do not want to
monitor. From the Domain Filter dialog box that displays,
clear check boxes for unwanted domains and select OK.
Set Directory Access See “Configuring Directory Access settings” on page 943.
Information
Set Group Filters Configure group filtering for each FortiGate unit. See
“Configuring FortiGate group filters” on page 944.
Set Ignore User List Exclude users such as system accounts that do not
authenticate to any FortiGate unit. See “Configuring the
Ignore User List” on page 943.
Sync Configuration With Copy this collector agent's Ignore User List and Group
Other Agents Filters to the other collector agents to synchronize the
configuration. You are asked to confirm synchronization for
each collector agent.
Export Configuration Export FSAE configuration to a text file. The file is named
“saved_config.txt” and is saved in the FSAE program
directory.
Save & Close Save the modified settings and exit.
Apply Apply changes now.
Default Change all settings to the default values.
Help View the online Help.
Note: To view the version and build number information for your FSAE configuration,
click the Fortinet icon in the upper left corner of the Fortinet Collector Agent
Configuration screen and select “About FSAE configuration”
AD server address Enter the address of your network’s global catalog server.
AD server port The default AD server port is 3268. Change this only if your server
uses a different port.
BaseDN Enter the Base distinguished name for the global catalog.
User name If the global catalog accepts your FSAE agent’s credentials, you can
leave these fields blank. Otherwise, enter credentials for an account
Password that can access the global catalog.
Note: If no filter is defined for a FortiGate unit and there is no default filter, the collector
agent sends all Windows AD group and user logon events to the FortiGate unit. While this
normally is not a problem, limiting the amount of data sent to the FortiGate unit improves
performance by reducing the amount of memory the unit uses to store the group list.
FortiGate SN The serial number of the FortiGate unit to which this filter applies.
Description An optional description of the role of this FortiGate unit.
Monitored The Windows AD user groups that are relevant to the firewall policies
Groups on this FortiGate unit.
Add Create a new filter.
Edit Modify the filter selected in the list.
Remove Remove the filter selected in the list.
OK Save the filter list and exit.
Cancel Cancel changes and exit.
3 Select Add to create a new filter. If you want to modify an existing filter, select it in the
list and then select Edit.
Default filter Select to create the default filter. The default filter applies to any
FortiGate unit that does not have a specific filter defined in the list.
FortiGate Serial Enter the serial number of the FortiGate unit to which this filter applies.
Number This field is not available if Default is selected.
Description Enter a description of this FortiGate unit’s role in your network. For
example, you could list the resources accessed through this unit. This
field is not available if Default is selected.
Monitor the following The collector agent sends to the FortiGate unit the user logon
groups information for the Windows AD user groups in this list. Edit this list
using the Add, Advanced and Remove buttons.
Add In the preceding single-line field, enter the Windows AD domain name
and user group name, and then select Add. If you don’t know the exact
name, use the Advanced button instead.
The format of the entry depends on the AD access mode (see
“Configuring Directory Access settings” on page 943):
Standard: Domain\Group
Advanced: cn=group, ou=corp, dc=domain
Advanced Select Advanced, select the user groups from the list, and then select
Add.
Remove Remove the user groups selected in the monitor list.
You can see which FortiGate units have a collector agent installed and how long the
agent has been connected.
For each DC Agent, you can view the IP address, number of logon events received,
the last logon event and when it was received.
3 If you want to change which DC agents are monitored or change the working mode for
logon event monitoring, select Select DC to Monitor. For more information see
“Selecting Domain Controllers and working mode for monitoring” on page 948.
Working Mode
DC Agent mode — a Domain Controller agent monitors user logon events and
passes the information to the FSAE collector agent. This provides reliable user logon
information, however you must install a DC agent on every domain controller in the
domain.
Polling mode — the FSAE collector agent polls each domain controller for user
logon information. Under heavy system load this might provide information less
reliably, but you do not need to install a DC agent on each domain controller.
eDirectory Authentication
User name Enter a user name that has access to the eDirectory, using
LDAP format.
User password Enter the password.
Listening port Enter the TCP port on which FSAE listens for connections
from FortiGate units. The default is 8000. You can change the
port if necessary.
Refresh interval Enter the interval in seconds between polls of the eDirectory
server to check for new logins. The default is 30 seconds.
FortiGate Connection Authentication
Require authenticated Select to require the FortiGate unit to authenticate before
connection from FortiGate connecting to the eDirectory Agent.
Password Enter the password that FortiGate units must use to
authenticate. The maximum password length is 16 characters.
The default password is “FortinetCanada”.
User logon info search Select how the FSAE eDirectory agent accesses user logon
method information: LDAP or Native (Novell API). LDAP is the default.
If you select Native, you must also have the Novell Client
installed on the PC.
Logging
Log level Select Debug, Info, Warning or Error as the minimum severity
level of message to log or select None to disable logging.
Log file size limit (MB) Enter the maximum size for the log file in MB.
View Log View the current log file.
Dump Session List the currently logged-on users in the log file. This can be
useful for troubleshooting.
eDirectory server list If you specified an eDirectory server during installation, it
appears in this list.
Add Add an eDirectory server. See “To add an eDirectory server”,
next.
Delete Delete the selected eDirectory server.
Edit Modify the settings for the selected server.
Group Filter Select the user groups whose user logons will be reported to
the FortiGate unit. This is used only if user groups are not
selected on the FortiGate unit. See “Configuring a group filter”
on page 951.
If more than one name is listed, you might need to explore each name following the
steps below to determine which one is relevant to your needs.
3 Copy the name string to the Distinguished Name field and select OK.
This closes the window and copies the name string to the Distinguished Name field of
the LDAP Server configuration.
4 Set Bind Type to Regular.
5 In the User DN field, enter the administrative account name that you created for FSAE.
For example, if the account is FSAE_Admin, enter “cn=FSAE_Admin,cn=users”.
6 Make sure that the User DN entry ends with a comma and append the string from the
Distinguished Name field to the end of it.
Example: cn=FSAE_Admin,cn=users,dc=office,dc=example,dc=com
7 Enter the administrative account password in the Password field.
You can expand any of the DNs that contain entries. When you select an expandable
DN, the Distinguished Name field is updated. Look for the DN that contains the users
or groups whose logon you want to monitor.
9 Select the DN that you want to monitor and then select OK.
This closes the window and updates the Distinguished Name field of the LDAP Server
configuration.
10 Check the following fields and select OK:
Name Enter a name for the Windows AD server. This name appears in the list of
Windows AD servers when you create user groups.
Enter the following information for up to five collector agents.
FSAE Collector Enter the IP address or the name of the server where this agent is
IP/Name installed. Maximum name length is 63 characters.
Port Enter the TCP port used for FSAE. This must be the same as the FortiGate
listening port specified in the Novell eDirectory or FSAE collector agent
configuration. See “Configuring collector agent settings” on page 941 or
“Configuring FSAE on Novell networks” on page 949.
Password Enter the password for the collector agent or eDirectory agent. For the
FSAE collector agent, this is required only if you configured the agent to
require authenticated access.
LDAP Server For Novell eDirectory, enable.
For Windows AD, enable if the collector agent is configured to use
Advanced AD access mode.
Select the LDAP server you configured previously. See “Configuring LDAP
server access” on page 952.
3 Select the check boxes of the user groups that you want to monitor and then select OK.
You can also use the Add User/Group icon to select a group by entering its
distinguished name.
Figure 98: List of groups from Active Directory server (Standard AD access mode)
Domain
Groups
Domain
and
groups
in LDAP
format
Remove group
3 In the Name box, enter a name for the group, FSAE_Internet_users for example.
4 In Type, select Directory Service.
5 From the Available Members list, select the required Directory Service groups.
Using the CTRL or SHIFT keys, you can select multiple groups.
6 Select the green right arrow button to move the selected groups to the Members list.
7 Select OK.
Certificates overview
Certificates always play a role in authentication of clients connecting via HTTPS, either as
administrators or SSL VPN users. Certificate authentication is optional for IPsec VPN
peers.
2 Select Generate.
3 In the Certificate Name field, type a name for the certificate request. Typically, this
would be the name of the FortiGate unit.
Note: To enable the export of a signed certificate as a PKCS12 file later on if required, do
not include spaces in the name.
4 Enter values in the Subject Information area to identify the FortiGate unit:
• If the FortiGate unit has a static IP address, select Host IP and enter the public IP
address of the FortiGate unit. If the FortiGate unit does not have a public IP address,
use an email address (or domain name if available) instead.
• If the FortiGate unit has a static IP address and subscribes to a dynamic DNS service,
use a domain name if available to identify the FortiGate unit. If you select
Domain Name, enter the fully qualified domain name of the FortiGate unit. Do not
include the protocol specification (http://) or any port number or path names.
Note: If a domain name is not available and the FortiGate unit subscribes to a dynamic
DNS service, an “unable to verify certificate” type message may be displayed in the user’s
browser whenever the public IP address of the FortiGate unit changes.
• If you select E-Mail, enter the email address of the owner of the FortiGate unit.
5 Enter values in the Optional Information area to further identify the FortiGate unit.
Organization Unit Name of your department. You can enter a maximum of 5 Organization
Units. To add or remove a unit, use the plus (+) or minus (-) icon.
Organization Legal name of your company or organization.
Locality (City) Name of the city or town where the FortiGate unit is installed.
State/Province Name of the state or province where the FortiGate unit is installed.
Country Select the country where the FortiGate unit is installed.
e-mail Contact email address.
6 From the Key Size list, select 1024 Bit, 1536 Bit or 2048 Bit. Larger keys are slower to
generate but more secure.
7 In Enrollment Method, you have two methods to choose from. Select File Based to
generate the certificate request, or Online SCEP to obtain a signed SCEP-based
certificate automatically over the network. For the SCEP method, enter the URL of the
SCEP server from which to retrieve the CA certificate, and the CA server challenge
password.
8 Select OK.
The request is generated and displayed in the Local Certificates list with a status of
PENDING.
9 Select the Download button to download the request to the management computer.
10 In the File Download dialog box, select Save and save the Certificate Signing Request
on the local file system of the management computer.
11 Name the file and save it on the local file system of the management computer.
Server certificate
1 Generate a Certificate Signing Request (CSR) on the FortiGate unit.
2 Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and
generate the certificate.
3 Export the certificate as a X.509 DER encoded binary file with .CER extension
4 Upload the certificate file to the FortiGate unit Local Certificates page (type is
Certificate).
CA certificate
1 Retrieve the CA Certificate from the CA software as a DER encoded file.
2 Upload the CA certificate file to the FortiGate unit CA Certificates page.
PKI certificate
1 Generate a Certificate Signing Request (CSR) on the FortiGate unit.
2 Copy the CSR base-64 encoded text (PKCS#10 or PKCS#7) into the CA software and
generate the certificate.
3 Export the certificate as a X.509 DER encoded binary file with .CER extension.
4 Install the certificate in the user’s web browser or IPsec VPN client as needed.
Local certificates
In the config vpn certificate local command, you can specify automatic
certificate renewal. The relevant fields are:
scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS.
scep-password The password for the SCEP server.
<password_str>
auto-regenerate-days How many days before expiry the FortiGate unit requests an
<days_int> updated local certificate. The default is 0, no auto-update.
auto-regenerate-days- How many days before local certificate expiry the FortiGate
warning <days_int> generates a warning message. The default is 0,no warning.
CA certificates
In the config vpn certificate ca command, you can specify automatic certificate
renewal. The relevant fields are:
scep-url <URL_str> The URL of the SCEP server. This can be HTTP or HTTPS.
auto-update-days How many days before expiry the FortiGate unit requests an
<days_int> updated CA certificate. The default is 0, no auto-update.
auto-update-days- How many days before CA certificate expiry the FortiGate
warning <days_int> generates a warning message. The default is 0,no warning.
Variable Description
http-url URL of the server used for automatic CRL certificate updates. This can
<http_url> be HTTP or HTTPS.
scep-cert Local certificate used for SCEP communication for CRL auto-update.
<scep_certificate>
Variable Description
scep-url URL of the SCEP CA server used for automatic CRL certificate updates.
<scep_url> This can be HTTP or HTTPS.
update-interval How frequently, in seconds, the FortiGate unit checks for an updated
<seconds> CRL. Enter 0 to update the CRL only when it expires.
update-vdom VDOM used to communicate with remote SCEP server for CRL auto-
<update_vdom> update.
Note: As an alternative, you can back up and restore the entire FortiGate configuration
through the System > Maintenance > Backup & Restore page of the web-based manager.
The backup file is created in a FortiGate-proprietary format. For more information, see the
“System Maintenance” chapter of the FortiGate Administration Guide.
Note: The FortiGate unit is shipped with a self-signed certificate to authenticate itself to
SSL VPN clients. This causes two security messages to be displayed to SSL VPN users
when they log in. For more information, see “SSL, HTTPS, and certificates” on page 961.
Optionally, you can install a CA-issued server certificate on the FortiGate unit.
The first line, listing the user name and IP address, is present for a user with either a web-
mode or tunnel-mode connection. The Subsession line is present only if the user has a
tunnel mode connection. The Description column displays the virtual IP address assigned
to the user’s tunnel-mode connection.
SSL-VPN sessions:
Index User Source IP Tunnel/Dest IP
0 user2 172.20.120.51 10.0.0.1
You can use the Index value in the following commands to disconnect user sessions:
For more information, see the IPsec VPN chapter of this Handbook.
17 P
2.2 ort 1
0.1 _1
20
.1 ate
41 rtiG
Fo
Windows network 10 Por
.11 t 3
10.11.101.0/24 .10 Network_1
2.1
0 0 10.11.102.0/24
10 0
rt 2 1.
Po 1.10
. 1
10
in
ma
do AE
D S
s A ith F
ow
i nd ller w 60
W tro 1.1
n
co 1.10
.1
10
Overview
In this example, there is a Windows network connected to Port 2 on the FortiGate unit and
another LAN, Network_1, connected to Port 3.
All Windows network users authenticate when they log on to their network. Members of
the Engineering and Sales groups can access the Internet without entering their
authentication credentials again. The example assumes that the Fortinet Server
Authentication Extension (FSAE) has already been installed and configured on the
domain controller.
LAN users who belong to the Internet_users group can access the Internet after entering
their user name and password to authenticate. This example shows only two users, User1
is authenticated by a password stored on the FortiGate unit, User2 is authenticated on an
external authentication server. Both of these users are referred to as local users because
the user account is created on the FortiGate unit.
3 Select OK.
Name OurRADIUSsrv
Primary Server Name/IP 10.11.101.15
Primary Server Secret OurSecret
Authentication Scheme Select Use Default Authentication Scheme.
Name ADserver
Server Name / IP 10.11.101.160
Distinguished Name dc=office,dc=example,dc=com
Bind Type Regular
User DN cn=FSAE_Admin,cn=users,dc=office,dc=example,dc=com
Password set_a_secure_password
Name WinGroups
Enter on one line
FSAE Collector 10.11.101.160
IP/Name
Port 8000
Password fortinet_canada
LDAP Server ADserver
Name Internet_users
Type Firewall
Members User1, User2
4 Select OK.
4 Select OK.
IP packets
In network terminology, data is sent in something called an IP packet. Packets have a
fixed size, typically about 1500 bytes. Larger amounts of data are sent and received as a
sequence of packets.
IP addresses can be static or dynamic. A static IP address is fixed, like the street address
of a home or business. Your Internet Service Provider (ISP) might provide a dynamic
address instead. In that case, you are assigned an IP address only when you connect to
the network. The address can be different each time you connect. Whether your IP
address is static or dynamic determines the types of VPN configurations that you can
support.
Packets exchanged over an insecure network can be intercepted. A VPN encrypts data to
secure it. Encryption transforms the data so that it appears random and meaningless to
anyone who does not have the correct key to decrypt it. See “Encryption” on page 989.
VPNs also address the issue of authentication. You want to ensure that only authorized
users can connect to your private network. See “Authentication” on page 990.
There are several types of VPN. This guide discusses only Internet Protocol Security
(IPsec) VPN technology.
VPN tunnels
The data path between a user’s computer and a private network through a VPN is often
referred to as a tunnel. Like a tunnel, the route is accessible only at the ends. In the
telecommuting scenario, the tunnel runs between the FortiClient application on the user’s
PC and the FortiGate unit that connects the office private network to the Internet.
What makes this possible is encapsulation. The IPsec packets that pass from one end of
the tunnel to the other contain the data packets that are exchanged between the remote
user and the private network. Encryption of the data packets ensures that any third-party
intercepting the IPsec packets has no access to the data. This idea is shown conceptually
in Figure 107.
VPN gateways
A gateway is a router that connects the local network to other networks. The default
gateway setting in your computer’s TCP/IP properties specifies the gateway for your local
network.
A VPN gateway functions as one end of a VPN tunnel. It receives incoming IPsec packets,
decrypts the encapsulated data packets and passes the data packets to the local network.
Also, it encrypts data packets destined for the other end of the VPN tunnel, encapsulates
them, and sends the IPsec packets to the other VPN gateway.
The IP address of a VPN gateway is usually the IP address of the network interface that
connects to the Internet. Optionally, you can define a secondary IP address for the
interface and use that address as the local VPN gateway address.
The following diagram shows a VPN between two private networks with FortiGate units
acting as the VPN gateways.
y Sit
wa eB
ate (Fo VPN
P N g it) rtiG ga
V n
eA eu a.1.2.3 b.4.5.6 ate tew
Sit rtiGat un ay
(Fo it)
VPN tunnel
Sit Sit
e
10 A ne 19 e B n
.10 tw 2.1 et
.1. ork 68 wo
0/2 .10 rk
4 .0/
24
Although the IPsec traffic may actually pass through many Internet routers, you can think
of the VPN tunnel as a simple secure connection between the two FortiGate units.
Users on the two private networks do not need to be aware of the VPN tunnel. The
applications on their computers generate packets with the appropriate source and
destination addresses, as they normally do. The FortiGate units manage all the details of
encrypting, encapsulating and sending the packets to the remote VPN gateway.
The data is encapsulated in IPsec packets only in the VPN tunnel between the two VPN
gateways. Between the user’s computer and the gateway, the data is in regular IP
packets.
For example, User1 at Site A, IP address 10.10.1.7 sends packets with destination IP
address 192.168.10.8, the address of User2 at Site B. The Site A FortiGate unit is
configured to send packets with destinations on the 192.168.10.0 network through the
VPN, encrypted and encapsulated, of course. Similarly, the Site B FortiGate unit is
configured to send packets with destinations on the 10.10.1.0 network through the VPN
tunnel to the Site A VPN gateway.
In the site-to-site VPN shown in Figure 108, the FortiGate units have static (fixed) IP
addresses and either unit can initiate communication.
You can also create a VPN tunnel between an individual PC running the FortiClient
application and a FortiGate unit, as shown below:
t
uni Fo
rtiC
ate lien
o rtiG a.1.2.3 b.4.5.6
tP
e F C
Offic
VPN tunnel
Of
fic
10 e ne
.10 tw
.1. ork
0/2
4
On the PC, the FortiClient application acts as the local VPN gateway. Packets destined for
the office network are encrypted, encapsulated into IPsec packets, and sent through the
VPN tunnel to the FortiGate unit. Packets for other destinations are routed to the Internet
as usual. IPsec packets arriving through the tunnel are decrypted to recover the original IP
packets.
The site-to-site VPN shown in Figure 108 is a peer-to-peer relationship. Either FortiGate
unit VPN gateway can establish the tunnel and initiate communications. The FortiClient-
to-FortiGate VPN shown in Figure 109 is a client-server relationship. The FortiGate unit
establishes a tunnel when the FortiClient PC requests one.
A FortiGate unit cannot be a VPN server if it has a dynamically-assigned IP address. VPN
clients need to be configured with a static IP address for the server.
A FortiGate unit acts only as a server when the remote VPN gateway has a dynamic IP
address or is a client-only device or application, such as the FortiClient application.
As a VPN server, a FortiGate unit can also offer automatic configuration for FortiClient
PCs. The user needs to know only the IP address of the FortiGate VPN server and a valid
user name/password. The FortiClient application downloads the VPN configuration
settings from the FortiGate VPN server. For information about configuring a FortiGate unit
as a VPN server, see the FortiClient Administration Guide.
Encryption
Encryption mathematically transforms data to look like meaningless random numbers. The
original data is called plaintext and the encrypted data is called ciphertext. The opposite
process, called decryption, performs the inverse operation of recovering the original
plaintext from the ciphertext.
The process by which the plaintext is transformed to ciphertext and back again is called an
algorithm. All algorithms use a small piece of information, known as a key, in the arithmetic
process of converted plaintext to ciphertext, or vice-versa. IPsec uses symmetrical
algorithms, in which the same key is used to both encrypt and decrypt the data.
The security of an encryption algorithm is determined by the length of the key that it uses.
FortiGate IPsec VPNs offer the following encryption algorithms, in descending order of
security:
• AES256 — a 128-bit block algorithm that uses a 256-bit key.
• AES192 — a 128-bit block algorithm that uses a 192-bit key.
• AES128 — a 128-bit block algorithm that uses a 128-bit key.
• 3DES — Triple-DES, in which plain text is DES-encrypted three times by three keys.
• DES — Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
The default encryption algorithms provided on FortiGate units make recovery of encrypted
data almost impossible without the proper encryption keys.
There is a human factor in the security of encryption. The key must be kept secret, known
only to the sender and receiver of the messages. Also, the key must not be something that
unauthorized parties might guess, such as the sender’s name or birthday or a simple
sequence like “123456”.
Authentication
In addition to protecting data through encryption, a VPN must ensure that only authorized
users can access the private network. You must use either a preshared key on both VPN
gateways or RSA X.509 security certificates. The examples in this guide use only
preshared key authentication.
Preshared keys
A preshared key contains at least 6 randomly chosen alphanumeric characters. Users of
the VPN must obtain the preshared key from the person who manages the VPN server
and add the preshared key to their VPN client configuration.
Although it looks like a password, the preshared key, also known as a shared secret, is
never sent by either gateway. The preshared key is used in the calculations at each end
that generate the encryption keys. As soon as the VPN peers attempt to exchange
encrypted data, preshared keys that do not match will cause the process to fail.
Additional authentication
To increase security, you can use require additional means of authentication:
• an identifier, called a peer ID or a local ID
• extended authentication (XAUTH) which imposes an additional user name/password
requirement
A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID
of a peer is called a Peer ID.
Note: The FortiClient application distinguishes between Phase 1 and Phase 2 only in the
VPN Advanced settings and uses different terms. Phase 1 is called the IKE Policy. Phase 2
is called the IPsec Policy.
Phase 1
In Phase 1, the two VPN gateways exchange information about the encryption algorithms
that they support and then establish a temporary secure connection to exchange
authentication information.
When you configure your FortiGate unit or FortiClient application, you must specify the
following settings for Phase 1:
All other Phase 1 settings have default values. These settings mainly configure the types
of encryption to be used. The default settings on FortiGate units and in the FortiClient
application are compatible. The examples in this guide use these defaults.
For more detailed information about Phase 1 settings, see the “Auto Key phase 1
parameters” chapter of the FortiGate IPsec VPN User Guide.
Phase 2
Similar to the Phase 1 process, the two VPN gateways exchange information about the
encryption algorithms that they support for Phase 2. Phase 1 and Phase 2 can use
different encryption. If both gateways have at least one encryption algorithm in common, a
VPN tunnel is established.
To configure default Phase 2 settings on a FortiGate unit, you need only select the name
of the corresponding Phase 1 configuration. In the FortiClient application, no action is
required to enable default Phase 2 settings.
For more detailed information about Phase 2 settings, see the “Phase 2 parameters”
chapter of the FortiGate IPsec VPN User Guide.
Security Association
The establishment of a Security Association (SA) is the successful outcome of Phase 1
negotiations. Each peer maintains a database of information about VPN connections. The
information in each SA can include cryptographic algorithms and keys, keylife, and the
current packet sequence number. This information is kept synchronized as the VPN
operates. Each SA has a Security Parameter Index (SPI) that is provided to the remote
peer at the time the SA is established. Subsequent IPsec packets from the peer always
reference the relevant SPI. It is possible for peers to have multiple VPNs active
simultaneously.
Network topologies
The topology of your network will determine how remote peers and clients connect to the
VPN and how VPN traffic is routed. You can read about various network topologies and
find the high-level procedures needed to configure IPsec VPNs in one of these sections:
• Gateway-to-gateway configurations
• Hub-and-spoke configurations
• Dynamic DNS configurations
• FortiClient dialup-client configurations
• FortiGate dialup-client configurations
• Internet-browsing configuration
• Redundant VPN configurations
• Transparent mode VPNs
• Manual-key configurations
These sections contain high-level configuration guidelines with cross-references to
detailed configuration procedures. If you need more detail to complete a step, select the
cross-reference in the step to drill-down to more detail. Return to the original procedure to
complete the procedure. For a general overview of how to configure a VPN, see “General
preparation steps” below.
Where possible, create route-based VPNs. Generally, route-based VPNs are more flexible
and easier to configure than policy-based VPNs. However, the two types have different
requirements that limit where they can be used.
Table 70: Comparison of policy-based and route-based VPNs
Policy-based Route-based
Available in NAT/Route or Transparent mode Available only in NAT/Route mode
Requires a firewall policy with IPSEC action Requires only a simple firewall policy with
that specifies the VPN tunnel. One policy ACCEPT action. A separate policy is required for
controls connections in both directions. connections in each direction.
Supports L2TP-over-IPsec configuration Does not support L2TP-over-IPsec configuration
Doesn’t support GRE-over-IPsec configuration Supports GRE-over-IPsec configuration
Note: The steps given above assume that you will perform Steps 1 and 2 to have the
FortiGate unit generate unique IPsec encryption and authentication keys automatically. In
situations where a remote VPN peer or client requires a specific IPsec encryption and/or
authentication key, you must configure the FortiGate unit to use manual keys instead of
performing Steps 1 and 2. For more information, see “Manual-key configurations” on
page 1091.
Configuration overview
In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between
two separate private networks. All traffic between the two networks is encrypted and
protected by FortiGate firewall policies.
Fo
1 rtiG
te_ ate
r tiGa _2
Fo
Site_1 Site_2
Note: In some cases, computers on the private network behind one VPN peer may (by co-
incidence) have IP addresses that are already used by computers on the network behind
the other VPN peer. In this type of situation (ambiguous routing), conflicts may occur in one
or both of the FortiGate routing tables and traffic destined for the remote network through
the tunnel may not be sent. To resolve issues related to ambiguous routing, see “How to
work with overlapping subnets” on page 1006.
In other cases, computers on the private network behind one VPN peer may obtain IP
addresses from a local DHCP server. However, unless the local and remote networks use
different private network address spaces, unintended ambiguous routing and/or IP-address
overlap issues may arise. For a discussion of the related issues, see “FortiGate dialup-
client configurations” on page 1047.
You can set up a fully meshed or partially meshed configuration (see Figure 111 and
Figure 112).
2 Fo
te_ rtiG
r tiGa ate
_3
Fo
Fo
rtiG
_1 ate
i G ate _4
r t
Fo
5
te_
rt iGa
Fo
In a fully meshed network, all VPN peers are connected to each other, with one hop
between peers. This topology is the most fault-tolerant: if one peer goes down, the rest of
the network is not affected. This topology is difficult to scale because it requires
connections between all peers. In addition, unnecessary communication can occur
between peers. We recommend a hub-and-spoke configuration instead (see “Hub-and-
spoke configurations” on page 1011).
Fo
_2 rtiG
i G ate ate
r t _3
Fo
Fo
rtiG
_1 ate
i Gate _4
rt
Fo
_5
i G ate
ort
F
A partially meshed network is similar to a fully meshed network, but instead of having
tunnels between all peers, tunnels are only configured between peers that communicate
with each other regularly.
Name Enter a name to identify the VPN tunnel. This name appears in phase 2
configurations, firewall policies and the VPN monitor.
Remote Gateway Select Static IP Address.
IP Address Type the IP address of the remote peer public interface.
Local Interface Select the FortiGate unit’s public interface.
Enable IPsec You must select Advanced to see this setting. If IPsec Interface Mode is
Interface Mode enabled, the FortiGate unit creates a virtual IPsec interface for a route-
based VPN. Disable this option if you want to create a policy-based
VPN. For more information, see “Choosing policy-based or route-based
VPNs” on page 994.
After you select OK to create the phase 1 configuration, you cannot
change this setting.
2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
See “Phase 2 parameters” on page 1151. Enter these settings in particular:
3 Define names for the addresses or address ranges of the private networks that the
VPN links. These addresses are used in the firewall policies that permit communication
between the networks. For more information, see “Defining firewall addresses” on
page 1157.
Enter these settings in particular:
• Define an address name for the IP address and netmask of the private network behind
the local FortiGate unit.
• Define an address name for the IP address and netmask of the private network behind
the remote peer.
4 Define firewall policies to permit communication between the private networks through
the VPN tunnel. Route-based and policy-based VPNs require different firewall policies.
For detailed information about creating firewall policies, see “Defining firewall policies”
on page 1158.
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone Select the interface that connects to the private network behind
this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action Select ACCEPT.
NAT Disable.
To permit the remote client to initiate communication, you need to define a firewall
policy for communication in that direction. Enter these settings in particular:
Source Interface/Zone Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Destination Interface/Zone Select the interface that connects to the private network behind
this FortiGate unit.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Action Select ACCEPT.
NAT Disable.
Source Interface/Zone Select the interface that connects to the private network behind
this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the FortiGate unit’s public interface.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1 configuration that you created
in Step 1.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.
5 Place VPN policies in the policy list above any other policies having similar source and
destination addresses.
6 Repeat this procedure at the remote FortiGate unit.
Configuration example
The following example demonstrates how to set up a basic gateway-to-gateway IPsec
VPN that uses preshared keys to authenticate the two VPN peers.
P
17 ort Fo
1 2.1 2 rtiG
te_ rt 2 0.1 6.3
r tiGa Po .16.2 0.1 ate
_2
Fo 1 7 2
Po
rt 1
rt 1
Po
Fin H
a 10 R ne
10 nce .31 tw
.21 ne .10 ork
.10 two 1.0
1.0 rk /24
/24
In this example, the network devices are assigned IP addresses as shown in Figure 113.
3 Place the policy in the policy list above any other policies having similar source and
destination addresses.
3 Select Create New, enter the following information, and select OK:
4 Place the policies in the policy list above any other policies having similar source and
destination addresses.
Configure FortiGate_2
The configuration of FortiGate_2 is similar to that of FortiGate_1. You must:
• Define the phase 1 parameters that FortiGate_2 needs to authenticate FortiGate_1
and establish a secure connection.
• Define the phase 2 parameters that FortiGate_2 needs to create a VPN tunnel with
FortiGate_1.
• Create the firewall policy and define the scope of permitted services between the IP
source and destination addresses.
Advanced
Enable IPsec Enable to create a route-based VPN.
Interface Mode Disable to create a policy-based VPN.
This example shows both policy and route-based VPNs.
3 Place the policy in the policy list above any other policies having similar source and
destination addresses.
3 Select Create New, enter the following information to create an inbound policy, and
then select OK:
4 Place the policy in the policy list above any other policies having similar source and
destination addresses.
P
17 ort Fo
2.1 2
at e_1 rt 2 0.1 6.3 rtiG
rtiG Po .16.2 0.1 ate
_2
Fo 17 2
Po
rt 1 rt 1
10 PC
Po .11 2
.10
1.1
0
1 1.10
Fin
a PC 1.10 H
1
1 nc
(V 0.11 e ne
10. 1 Rn
IP t (V 0.11 etw
10 .101 work IP o
10 .101 rk
.21 .0/ .31 .0/
.10 24 .10 24
1.0 1.0
/24) /24
)
After the tunnel is established, hosts on each side can communicate with hosts on the
other side using the mapped IP addresses. For example, PC1 can communicate with PC2
using IP address 10.31.101.10. FortiGate_2 maps connections for IP address
10.31.101.10 to IP address 10.11.101.10.
For example, PC1 uses the destination address 10.31.101.10 to contact PC2. Outbound
NAT on FortiGate_1 translates the PC1 source address to 10.21.101.10. At the
FortiGate_2 end of the tunnel, the outbound NAT configuration translates the destination
address to the actual PC2 address of 10.11.101.10. Similarly, PC2 replies to PC1 using
destination address 10.21.101.10, with the PC2 source address translated to
10.31.101.10. PC1 and PC2 can communicate over the VPN even though they both have
the same IP address.
You need to:
• Configure IPsec Phase 1 as you usually would for a policy-based VPN.
• Configure IPsec Phase 2 with the use-natip disable CLI option.
• Define a firewall address for the local private network, 10.11.101.0/24.
• Define a firewall address for the remote private network:
• define a firewall address for 10.31.101.0/24 on FortiGate_1
• define a firewall address for 10.21.101.0/24 on FortiGate_2
• Configure an outgoing IPsec firewall policy with outbound NAT to map 10.11.101.0/24
source addresses:
• to the 10.21.101.0/24 network on FortiGate_1
• to the 10.31.101.0/24 network on FortiGate_2
Configuration overview
In a hub-and-spoke configuration, VPN connections radiate from a central FortiGate unit
(the hub) to a number of remote peers (the spokes). Traffic can pass between private
networks behind the hub and private networks behind the remote peers. Traffic can also
pass between remote peer private networks through the hub.
Site_1 Site_2
Sp
ok
e_ _2
1 oke
Sp
b
Hu
All spokes use the large subnet address, 10.1.0.0/16 for example, as
• the IPsec destination selector
• the destination of the firewall policy from the private subnet to the VPN (required for
policy-based VPN, optional for route-based VPN)
• the destination of the static route to the VPN (route-based)
Each spoke uses the address of its own protected subnet as the IPsec source selector
and as the source address in its VPN firewall policy. The remote gateway is the public IP
address of the hub FortiGate unit.
Authentication
Authentication is by a common preshared key or by certificates. For simplicity, the
examples in this chapter assume that all spokes use the same preshared key.
Name Enter a name to identify the VPN in phase 2 configurations, firewall policies
and the VPN monitor.
Remote Gateway The remote gateway is the other end of the VPN tunnel. There are three
options:
Static IP Address — Enter the spoke’s public IP Address. You will need to
create a phase 1 configuration for each spoke. Either the hub or the spoke
can establish the VPN connection.
Dialup User — No additional information is needed. The hub accepts
connections from peers with appropriate encryption and authentication
settings. Only one phase 1 configuration is needed for multiple dialup
spokes. Only the spoke can establish the VPN tunnel.
Dynamic DNS — If the spoke subscribes to a dynamic DNS service, enter
the spoke’s Dynamic DNS domain name. Either the hub or the spoke can
establish the VPN connection. For more information, see “Dynamic DNS
configurations” on page 1025.
Local Interface Select the FortiGate interface that connects to the remote gateway. This is
usually the FortiGate unit’s public interface.
Enable IPsec You must select Advanced to see this setting. If IPsec Interface Mode is
Interface Mode enabled, the FortiGate unit creates a virtual IPsec interface for a route-
based VPN. Disable this option if you want to create a policy-based VPN.
For more information, see “Choosing policy-based or route-based VPNs”
on page 994.
After you select OK to create the phase 1 configuration, you cannot change
this setting.
2 Define the phase 2 parameters needed to create a VPN tunnel with each spoke. See
“Phase 2 parameters” on page 1151. Enter these settings in particular:
Source Interface/Zone Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Source Address Name Select the address name you defined in Step 2 for the
private network behind the spoke FortiGate unit.
Destination Interface/Zone Select the hub’s interface to the internal (private) network.
Destination Address Name Select the source address that you defined in Step 1.
Action Select ACCEPT.
NAT Enable.
Source Interface/Zone Select the address name you defined in Step 2 for the
private network behind the spoke FortiGate units.
Source Address Name Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Destination Interface/Zone Select the source address that you defined in Step 1.
Destination Address Name Select the hub’s interface to the internal (private) network.
Action Select ACCEPT.
NAT Enable.
Source Interface/Zone Select the hub’s interface to the internal (private) network.
Source Address Name Select the source address that you defined in Step 1.
Destination Interface/Zone Select the hub’s public network interface.
Destination Address Name Select the address name you defined in Step 2 for the private
network behind the spoke FortiGate unit.
Action IPSEC
VPN Tunnel Select the name of the phase 1 configuration that you created
for the spoke in Step 1.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.
Note: To remove tunnels from the VPN concentrator, select the tunnel in the Members list
and select the left-pointing arrow.
4 Repeat Step 3 until all of the tunnels associated with the spokes are included in the
concentrator.
5 Select OK.
Source Interface/Zone Select the zone you created for your VPN.
Source Address Name Select All.
Destination Interface/Zone Select the zone you created for your VPN.
Destination Address Name Select All.
Action Select ACCEPT.
NAT Enable.
UTM If you want to apply UTM features to this traffic, select the
appropriate profiles.
2 Select OK.
3 Select OK.
2 Create the phase 2 tunnel definition. See “Phase 2 parameters” on page 1151. Enter
these settings in particular:
Phase 1 Select the set of phase 1 parameters that you defined for the hub.
You can select the name of the hub from the Static IP Address part
of the list.
Source Interface/Zone Select the spoke’s interface to the internal (private) network.
Source Address Name Select the spoke address you defined in Step 1.
Destination Interface/Zone Select the virtual IPsec interface you created.
Destination Address Name Select the hub destination addresses you defined in Step 2.
Action Select ACCEPT
NAT Enable
Source Interface/Zone Select the spoke’s interface to the internal (private) network.
Source Address Name Select the spoke address you defined in Step 1.
Destination Interface/Zone Select the spoke’s interface to the external (public) network.
Destination Address Name Select the hub address you defined in Step 2.
Action Select IPSEC
VPN Tunnel Select the name of the phase 1 configuration you defined.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network
to initiate the tunnel.
2 Define the firewall policy to enable communication between this spoke and the spokes
in the address group you created.
Policy-based VPN firewall policy
Define an IPsec firewall policy to permit communications with the other spokes. See
“Defining firewall policies” on page 1158. Enter these settings in particular:
Route-based VPN firewall policy
Define two firewall policies to permit communications to and from the other spokes.
Enter these settings in particular:
Source Interface/Zone Select the spoke’s interface to the internal (private) network.
Source Address Name Select this spoke’s address name.
Destination Interface/Zone Select the virtual IPsec interface you created.
Destination Address Name Select the spoke address group you defined in Step 1.
Action Select ACCEPT
NAT Enable
3 Place this policy or policies in the policy list above any other policies having similar
source and destination addresses.
Site_1 Site_2
10.1.1.0/24 10.1.2.0/24
Sp
ok
e_ _2
1 oke
Sp
1
ate_
rtiG
Fo b) 172.16.10.1
(Hu
HR network
10.1.0.0/24
The basic phase 2 settings associate IPsec phase 2 parameters with the phase 1
configuration and specify the remote end points of the VPN tunnels.
Name Enter a name for the phase 2 definition (for example, toSpokes_ph2).
Phase 1 Select the Phase 1 configuration that you defined previously (for example,
toSpokes).
To define the firewall policy for traffic from the hub to the spokes
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
3 Place the policy in the policy list above any other policies having similar source and
destination addresses.
2 Select OK.
3 Select Create New, enter the following information, and select OK:
Source Interface/Zone Select the interface to the internal (private) network, port1.
Address Name Select the address for this spoke’s protected network, LocalNet
Destination Interface/Zone Select the virtual IPsec interface, toHub.
Address Name Select the aggregate protected network address, Spoke_net
Schedule As required.
Service As required.
Action ACCEPT
4 Place these policies in the policy list above any other policies having similar source
and destination addresses.
Configuration overview
In this type of scenario, one of the FortiGate units in a gateway-to-gateway configuration
has a static domain name (for example, example.com) and a dynamic IP address. See
FortiGate_2 in Figure 118. Whenever that FortiGate unit connects to the Internet (and
possibly also at predefined intervals set by the ISP), the ISP may assign a different IP
address to the FortiGate unit. Therefore, remote peers have to locate the FortiGate unit
through DNS lookup.
Site_1 Site_2
ver Sp
S ser ok
e_ _2
DN 1 oke
Sp
172.16.20.1 example.com
When a remote peer (such as FortiGate_1 in Figure 118) initiates a connection to the
domain name, a DNS server looks up and returns the IP address that matches the domain
name. The remote peer uses the retrieved IP address to establish a connection with the
FortiGate unit.
To ensure that DNS servers are able to discover the current IP address associated with a
FortiGate domain name, the FortiGate unit with the domain name subscribes to a dynamic
DNS service. A dynamic DNS service ensures that any changes to IP addresses are
propagated to all Internet DNS servers.
Whenever the FortiGate unit detects that its IP address has changed, it notifies the
dynamic DNS server and provides the new IP address to the server. The dynamic DNS
server makes the updated IP address available to all DNS servers and the new IP address
remains in effect until the FortiGate unit detects that its IP address has changed again.
A FortiGate unit that has static domain name and a dynamic IP address can initiate VPN
connections anytime—the remote peer replies to the FortiGate unit using the source IP
address that was sent in the packet header. However, changes to a dynamic IP address
must be resolved before a remote peer can establish a VPN connection to the domain
name—the remote peer must request a DNS lookup for the matching IP address before
initiating the connection.
Name Enter a name to identify the VPN tunnel. This name appears in
phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway Select Static IP Address.
IP Address Type the IP address of the public interface to the remote peer.
Mode Select Aggressive.
Enable IPsec Interface Enable for a route-based VPN.
Mode Disable for a policy-based VPN.
Local ID Type a character string that the local FortiGate unit can use to identify
itself to the remote peer (for example, you could type the fully qualified
domain name of the FortiGate unit, example.com). This value must
be identical to the value in the Accept this peer ID field of the phase 1
remote gateway configuration on the remote peer.
2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
See “Phase 2 parameters” on page 1151. Enter these settings in particular:
3 Define names for the addresses or address ranges of the private networks that the
VPN links. These addresses are used in the firewall policies that permit communication
between the networks. For more information, see “Defining firewall addresses” on
page 1157.
Enter these settings in particular:
• Define an address name for the IP address and netmask of the private network
behind the local FortiGate unit.
• Define an address name for the IP address and netmask of the private network
behind the remote peer.
4 Define firewall policies to permit communications between the private networks
through the VPN tunnel. Route-based and policy-based VPNs require different firewall
policies. For detailed information about creating firewall policies, see “Defining firewall
policies” on page 1158.
Route-based VPN firewall policies
Define ACCEPT firewall policies to permit communication between the private
networks. To define a policy to permit the local FortiGate unit to initiate communication,
enter these settings in particular:
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action Select ACCEPT.
NAT Disable.
To permit the remote peer to initiate communication, you need to define a firewall
policy for communication in that direction. Enter these settings in particular:
Source Interface/Zone Select the VPN Tunnel (IPsec Interface) that you configured
in Step 1.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Destination Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Action Select ACCEPT.
NAT Disable.
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the FortiGate unit’s public interface.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1 configuration that you created
in Step 1.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network
to initiate the tunnel.
5 Place these policies in the policy list above any other policies having similar source
and destination addresses.
Name Enter a name to identify the VPN tunnel. This name appears in phase 2
configurations, firewall policies and the VPN monitor.
Remote Gateway Select Dynamic DNS.
Dynamic DNS Type the fully qualified domain name of the remote peer (for example,
example.com).
Mode Select Aggressive.
Peer Options Select Accept this peer ID, and type the identifier of the dynamically-
addressed FortiGate unit. This is the value you entered in the Local ID
field of the other unit’s phase 1 remote gateway configuration.
Enable IPsec Enable for a route-based VPN.
Interface Mode Disable for a policy-based VPN.
2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
See “Phase 2 parameters” on page 1151. Enter these settings in particular:
3 Define names for the addresses or address ranges of the private networks that the
VPN links. See “Defining firewall addresses” on page 1157. Enter these settings in
particular:
• Define an address name for the IP address and netmask of the private network
behind the local FortiGate unit.
• Define an address name for the IP address and netmask of the private network
behind the remote peer.
4 Define the firewall policies to permit communications between the source and
destination addresses. See “Defining firewall policies” on page 1158. Enter these
settings in particular and then select OK:
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action Select ACCEPT.
NAT Disable.
To permit the remote client to initiate communication, you need to define a firewall
policy for communication in that direction. Enter these settings in particular:
Source Interface/Zone Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Destination Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Action Select ACCEPT.
NAT Disable.
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the FortiGate unit’s public interface.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind the remote peer.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1 configuration that you created
in Step 1.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network
to initiate the tunnel.
5 Place these policies in the policy list above any other policies having similar source
and destination addresses.
Note: The FortiClient configurations in this guide do not apply to the FortiClient Consumer
Edition, which does not include the IPsec VPN feature.
Configuration overview
Dialup users typically obtain dynamic IP addresses from an ISP through Dynamic Host
Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE). Then,
the FortiClient Endpoint Security application initiates a connection to a FortiGate dialup
server.
By default the FortiClient dialup client has the same IP address as the host PC on which it
runs. If the host connects directly to the Internet, this is a public IP address. If the host is
behind a NAT device, such as a router, the IP address is a private IP address. The NAT
device must be NAT traversal (NAT-T) compatible to pass encrypted packets (see “NAT
traversal” on page 1147). The FortiClient application also can be configured to use a
virtual IP address (VIP). For the duration of the connection, the FortiClient application and
the FortiGate unit both use the VIP address as the IP address of the FortiClient dialup
client.
The FortiClient application sends its encrypted packets to the VPN remote gateway, which
is usually the public interface of the FortiGate unit. It also uses this interface to download
VPN settings from the FortiGate unit. See “Automatic configuration of FortiClient dialup
clients” on page 1032.
Dialup_1
1 Dialup_2
te_
r t iGa
Fo
Site_1 Dialup_3
Peer identification
The FortiClient application can establish an IPsec tunnel with a FortiGate unit configured
to act as a dialup server. When the FortiGate unit acts as a dialup server, it does not
identify the client using the phase 1 remote gateway address. The IPsec tunnel is
established if authentication is successful and the IPsec firewall policy associated with the
tunnel permits access. There are several different ways to authenticate dialup clients and
restrict access to private networks based on client credentials. For more information, see
“Authenticating remote peers and clients” on page 1139.
1 Check the virtual domain associated with the connection to determine which VPN
policies might apply.
2 Select the VPN policy that matches the dialup client’s user group and determine which
tunnel (phase 1 configuration) is involved.
3 Check all IPsec firewall policies that use the specified tunnel to determine which
private network(s) the dialup clients may access.
4 Retrieve the rest of the VPN policy information from the existing IPsec phase 1 and
phase 2 parameters in the dialup-client configuration.
Note: On the host computer, you can find out the VIP address that the FortiClient Endpoint
Security application is using. For example,
On Windows, type ipconfig /all at the Windows Command Prompt.
On Linux or Mac OS X, type ifconfig in a terminal window.
The output will also show the IP address that has been assigned to the host Network
Interface Card (NIC).
It is best to assign VIPs using DHCP over IPsec. The FortiGate dialup server can act as a
DHCP server or relay requests to an external DHCP server. You can also configure VIPs
manually on FortiClient applications, but it is more difficult to ensure that all clients use
unique addresses.
Note: If you assign a VIP on the private network behind the FortiGate unit and enable
DHCP-IPsec (a phase 2 advanced option), the FortiGate unit acts as a proxy on the local
private network for the FortiClient dialup client. Whenever a host on the network behind the
dialup server issues an ARP request for the device MAC address of the FortiClient host, the
FortiGate unit answers the ARP request on behalf of the FortiClient host and forwards the
associated traffic to the FortiClient host through the tunnel. For more information, see
“DHCP-IPsec” on page 1153.
Note: FortiGate units fully support RFC 3456. The FortiGate DHCP over IPsec feature can
be enabled to allocate VIP addresses to FortiClient dialup clients using a FortiGate DHCP
server.
Traffic destination
10.11.101.2
Dialup client
3 1 3 1
2 2
VIP address
10.254.254.100
IPSec packets
Destination 172.20.120.141
IPSec packets
Destination 172.20.120.141
3 1
2
172.20.120.141
1 3
2 Fo
rtiG
ate
Traffic destination _1
10.11.101.2 10.11.101.2
Note: When a FortiGate unit has been configured to accept connections from FortiClient
dialup-clients, you can optionally arrange to have an IPsec VPN configuration downloaded
to FortiClient dialup clients automatically. For more information, see “Configuring the
FortiGate unit as a VPN policy server” on page 1038.
Name Enter a name to identify the VPN tunnel. This name appears in
phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway Select Dialup User.
Local Interface Select the interface through which clients connect to the FortiGate
unit.
Mode Select Main (ID Protection).
Authentication Method Select Pre-shared Key.
Pre-shared Key Enter the pre-shared key. This must be the same preshared key
provided to the FortiClient users.
Peer option Select Accept any peer ID.
Enable IPsec Interface You must select Advanced to see this setting. If IPsec Interface
Mode Mode is enabled, the FortiGate unit creates a virtual IPsec
interface for a route-based VPN.
2 Define the phase 2 parameters needed to create a VPN tunnel with the FortiClient
peer. See “Phase 2 parameters” on page 1151. Enter these settings in particular:
3 Define names for the addresses or address ranges of the private networks that the
VPN links. These addresses are used in the firewall policies that permit communication
between the networks. For more information, see “Defining firewall addresses” on
page 1157.
Enter these settings in particular:
• Define an address name for the individual address or the subnet address that the
dialup users access through the VPN.
• If FortiClient users are assigned VIP addresses, define an address name for the
subnet to which these VIPs belong.
4 Define firewall policies to permit communication between the private networks through
the VPN tunnel. Route-based and policy-based VPNs require different firewall policies.
For detailed information about creating firewall policies, see “Defining firewall policies”
on page 1158.
Route-based VPN firewall policies
Define an ACCEPT firewall policy to permit communications between the source and
destination addresses. Enter these settings in particular:
Source Interface/Zone Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Source Address Name Select All.
Destination Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Destination Address Name Select All.
Action Select ACCEPT.
NAT Disable.
If you want to allow hosts on the private network to initiate communications with the
FortiClient users after the tunnel is established, you need to define a firewall policy for
communication in that direction. Enter these settings in particular:
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select All.
Destination Interface/Zone Select the VPN Tunnel (IPsec Interface) you configured in
Step 1.
Destination Address Name Select All.
Action Select ACCEPT.
NAT Disable.
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the FortiGate unit’s public interface.
Destination Address Name If FortiClient users are assigned VIPs, select the address
name that you defined in Step 3 for the VIP subnet.
Otherwise, select All.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1 configuration that you created
in Step 1.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound if you want to allow hosts on the private
network to initiate communications with the FortiClient users
after the tunnel is established.
5 Place VPN policies in the policy list above any other policies having similar source and
destination addresses.
Type IPsec
IP Range Enter the range of VIP addresses that the DHCP server can
dynamically assign to dialup clients when they connect. As a
precaution, do not assign VIP addresses that match the private
network behind the FortiGate unit.
If you need to exclude specific IP addresses from the range, you can
define an exclusion range (see Advanced... below).
Note: If you will use a RADIUS server to assign VIP addresses, these
fields are not needed.
Network Mask Enter the network mask of the IP addresses that you specified in the IP
Range fields (for example, 255.255.255.0 for a class C network).
Default Gateway Enter the IP address of the default gateway that the DHCP server
assigns to DHCP clients.
DNS Service Select Use System DNS Setting.
If you want to use a different DNS server for VPN clients, select
Specify and enter an IP address in DNS Server 0.
Advanced... Select Advanced to configure any of the following options.
Domain If you want the FortiGate unit to assign a domain name to dialup clients
when they connect, enter the registered domain name.
Lease Time Specify a lease time:
• Select Unlimited to allow the dialup client to use the assigned IP
address for an unlimited amount of time (that is, until the client
disconnects).
• Enter the amount of time (in days, hours, and minutes) that the
dialup client may use the assigned IP address, after which the
dialup client must request new settings from the DHCP server. The
range is from 5 minutes to 100 days.
IP Assignment Mode Server IP Range — assign addresses from IP Range (default)
User-group defined method — assign addresses from user’s record on
RADIUS server. See “Assigning VIPs by RADIUS user group” on
page 1034.
WINS Server 0 Optionally, enter the IP addresses of one or two Windows Internet
WINS Server 1 Service (WINS) servers that dialup clients can access after the tunnel
has been established.
Options Optionally, you can send up to three DHCP options to the dialup client.
Select Options and enter the option code in the Code field, and if
applicable, type any associated data in the Options field. For more
information, see RFC 2132.
Exclude Ranges To specify any VIP addresses that must be excluded from the VIP
address range, select Exclude Ranges, select the + button and then
type the starting and ending IP addresses. You can add multiple
ranges to exclude.
Note: For VPNs with automatic configuration, only preshared keys are supported.
Certificates are not supported.
4 Follow the remaining steps only if you want to configure a VIP. Otherwise, select OK.
5 Select Advanced.
6 Enable Acquire a virtual IP address and then select the adjacent Config button.
7 Enter the following information and select OK.
Dialup_1
VIP address
10.254.254.1
1
te_ Po
r t iGa 17 rt 1 Dialup_2
Fo 2.2
LAN 0.1
20.1
10.11.101.0/24 41
Po VIP address
rt 2
10.254.254.2
Configuring FortiGate_1
When a FortiGate unit receives a connection request from a dialup client, it uses IPsec
phase 1 parameters to establish a secure connection and authenticate the client. Then, if
the firewall policy permits the connection, the FortiGate unit establishes the tunnel using
IPsec phase 2 parameters and applies the IPsec firewall policy. Key management,
authentication, and security services are negotiated dynamically through the IKE protocol.
To support these functions, the following general configuration steps must be performed at
the FortiGate unit:
• Define the phase 1 parameters that the FortiGate unit needs to authenticate the dialup
clients and establish a secure connection. See “To define the phase 1 parameters” on
page 1043.
• Define the phase 2 parameters that the FortiGate unit needs to create a VPN tunnel
and enable all dialup clients having VIP addresses on the 10.254.254.0/24 network to
connect using the same tunnel definition. See “To define the phase 2 parameters” on
page 1043.
• Create firewall policy to control the permitted services and permitted direction of traffic
between the IP source address and the dialup clients. See “To define the firewall
addresses” on page 1043.
• Configure the FortiGate unit to service DHCP requests from dialup clients. See “To
configure a DHCP server on the FortiGate unit” on page 1045.
Name todialups
Remote Gateway Dialup User
Local Interface Port 1
Mode Main
Authentication Method Preshared Key
Pre-shared Key hardtoguess
Peer Options Accept any peer ID
Advanced Select
Enable IPsec Interface Mode Enable for route-based VPN.
Disable for policy-based VPN.
Name td_2
Phase 1 todialups
Advanced DHCP-IPsec
3 Select Create New, enter the following information, and select OK:
The firewall policies for route-based and policy-based VPNs are described in separate
sections below.
3 Select Create New, enter the following information, and select OK:
4 Place these policies in the policy list above any other policies having similar source
and destination addresses.
3 Place the policy in the policy list above any other policies having similar source and
destination addresses.
Interface Name Route-based VPN: select virtual IPsec interface. For example, todialups.
Policy-based VPN: select the public interface. For example, Port 1.
Mode Server
Type IPSEC.
IP Range 10.254.254.1 - 10.254.254.10
Network Mask 255.255.255.0
Default Gateway 172.20.120.2
To configure FortiClient
1 At the remote host, start FortiClient.
2 Go to VPN > Connections and select Advanced > Add.
3 Enter the following settings:
4 Select Advanced.
5 In the Advanced Settings dialog box, select Acquire virtual IP address and then select
Config.
6 Verify that the Dynamic Host Configuration Protocol (DHCP) over IPsec option is
selected, and then select OK.
7 Select OK twice to close the dialog boxes.
8 Exit FortiClient and repeat this procedure at all other remote hosts.
Configuration overview
A dialup client can be a FortiGate unit—the FortiGate dialup client typically obtains a
dynamic IP address from an ISP through the Dynamic Host Configuration Protocol
(DHCP) or Point-to-Point Protocol over Ethernet (PPPoE) before initiating a connection to
a FortiGate dialup server.
1 FG
te_ _D
r t iGa ialu
Fo p
Site_1
Site_2
In a dialup-client configuration, the FortiGate dialup server does not rely on a phase 1
remote gateway address to establish an IPsec VPN connection with dialup clients. As long
as authentication is successful and the IPsec firewall policy associated with the tunnel
permits access, the tunnel is established.
Several different ways to authenticate dialup clients and restrict access to private
networks based on client credentials are available. To authenticate FortiGate dialup clients
and help to distinguish them from FortiClient dialup clients when multiple clients will be
connecting to the VPN through the same tunnel, we recommend that you assign a unique
identifier (local ID) to each FortiGate dialup client. For more information, see
“Authenticating remote peers and clients” on page 1139.
Note: Whenever you add a unique identifier (local ID) to a FortiGate dialup client for
identification purposes, you must select Aggressive mode on the FortiGate dialup server
and also specify the identifier as a peer ID on the FortiGate dialup server. For more
information, see “Enabling VPN access using user accounts and pre-shared keys” on
page 1143.
Users behind the FortiGate dialup server cannot initiate the tunnel because the FortiGate
dialup client does not have a static IP address. After the tunnel is initiated by users behind
the FortiGate dialup client, traffic from the private network behind the FortiGate dialup
server can be sent to the private network behind the FortiGate dialup client.
Encrypted packets from the FortiGate dialup client are addressed to the public interface of
the dialup server. Encrypted packets from the dialup server are addressed either to the
public IP address of the FortiGate dialup client (if the dialup client connects to the Internet
directly), or if the FortiGate dialup client is behind a NAT device, encrypted packets from
the dialup server are addressed to the public IP address of the NAT device.
Note: If a router with NAT capabilities is in front of the FortiGate dialup client, the router
must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more
information, see “NAT traversal” on page 1147.
When the FortiGate dialup server decrypts a packet from the FortiGate dialup client, the
source address in the IP header may be one of the following values, depending on the
configuration of the network at the far end of the tunnel:
• If the FortiGate dialup client connects to the Internet directly, the source address will be
the private IP address of a host or server on the network behind the FortiGate dialup
client.
• If the FortiGate dialup client is behind a NAT device, the source address will be the
public IP address of the NAT device.
In some cases, computers on the private network behind the FortiGate dialup client may
(by co-incidence) have IP addresses that are already used by computers on the network
behind the FortiGate dialup server. In this type of situation (ambiguous routing), conflicts
may occur in one or both of the FortiGate routing tables and traffic destined for the remote
network through the tunnel may not be sent.
In many cases, computers on the private network behind the FortiGate dialup client will
most likely obtain IP addresses from a local DHCP server behind the FortiGate dialup
client. However, unless the local and remote networks use different private network
address spaces, unintended ambiguous routing and/or IP-address overlap issues may
arise.
To avoid these issues, you can configure FortiGate DHCP relay on the dialup client
instead of using a DHCP server on the network behind the dialup client. The FortiGate
dialup client can be configured to relay DHCP requests from the local private network to a
DHCP server that resides on the network behind the FortiGate dialup server (see
Figure 123 on page 1049). You configure the FortiGate dialup client to pass traffic from the
local private network to the remote network by enabling FortiGate DHCP relay on the
FortiGate dialup client interface that is connected to the local private network.
1 FG
te_ _D
r t iGa ialu
Fo p
CP
DH er Site_2
r v
se
Afterward, when a computer on the network behind the dialup client broadcasts a DHCP
request, the dialup client relays the message through the tunnel to the remote DHCP
server. The remote DHCP server responds with a private IP address for the computer. To
avoid ambiguous routing and network overlap issues, the IP addresses assigned to
computers behind the dialup client cannot match the network address space used by the
private network behind the FortiGate dialup server.
When the DHCP server resides on the private network behind the FortiGate dialup server
as shown in Figure 123, the IP destination address specified in the IPsec firewall policy on
the FortiGate dialup client must refer to that network.
Note: If the DHCP server is not directly connected to the private network behind the
FortiGate dialup server (that is, its IP address does not match the IP address of the private
network), you must add (to the FortiGate dialup client’s routing table) a static route to the
DHCP server, and the IP destination address specified in the IPsec firewall policy on the
FortiGate dialup client must refer to the DHCP server address. In this case, the DHCP
server must be configured to assign IP addresses that do not belong to the network on
which the DHCP server resides. In addition, the IP addresses cannot match the network
address space used by the private network behind the FortiGate dialup server.
Note: In situations where IP-address overlap between the local and remote private
networks is likely to occur, FortiGate DHCP relay can be configured on the FortiGate dialup
client to relay DHCP requests to a DHCP server behind the FortiGate dialup server. For
more information, see “To configure DHCP relay on the FortiGate unit” on page 1038.
Configuring dialup client capability for FortiGate dialup clients involves the following
general configuration steps:
• Determine which IP addresses to assign to the private network behind the FortiGate
dialup client, and add the IP addresses to the DHCP server behind the FortiGate dialup
client. Refer to the software supplier’s documentation to configure the DHCP server.
• Configure the FortiGate dialup server. See “Configure the server to accept FortiGate
dialup-client connections” on page 1050.
• Configure the FortiGate dialup client. See “Configure the FortiGate dialup client” on
page 1052.
Name Enter a name to identify the VPN tunnel. This name appears in phase
2 configurations, firewall policies and the VPN monitor.
Remote Gateway Select Dialup User.
Local Interface Select the interface through which clients connect to the FortiGate
unit.
Mode If you will be assigning an ID to the FortiGate dialup client, select
Aggressive.
Peer Options If you will be assigning an ID to the FortiGate dialup client, select
Accept this peer ID and type the identifier that you reserved for the
FortiGate dialup client into the adjacent field.
Enable IPsec Interface You must select Advanced to see this setting. If IPsec Interface Mode
Mode is enabled, the FortiGate unit creates a virtual IPsec interface for a
route-based VPN. Disable this option if you want to create a policy-
based VPN.
After you select OK to create the phase 1 configuration, you cannot
change this setting.
2 Define the phase 2 parameters needed to create a VPN tunnel with the FortiGate
dialup client. See “Phase 2 parameters” on page 1151. Enter these settings in
particular:
3 Define names for the addresses or address ranges of the private networks that the
VPN links. See “Defining firewall addresses” on page 1157. Enter these settings in
particular:
• Define an address name for the server, host, or network behind the FortiGate dialup
server.
• Define an address name for the private network behind the FortiGate dialup client.
4 Define the firewall policies to permit communications between the private networks
through the VPN tunnel. Route-based and policy-based VPNs require different firewall
policies. For detailed information about creating firewall policies, see “Defining firewall
policies” on page 1158.
Route-based VPN firewall policy
Define an ACCEPT firewall policy to permit communications between hosts on the
private network behind the FortiGate dialup client and the private network behind this
FortiGate dialup server. Because communication cannot be initiated in the opposite
direction, there is only one policy. Enter these settings in particular:
Source Interface/Zone Select the VPN tunnel (IPsec interface) created in Step 1.
Source Address Name Select All.
Destination Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Destination Address Name Select All.
Action Select ACCEPT.
NAT Disable
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the FortiGate unit’s public interface.
Destination Address Name Select the address name that you defined in Step 3.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1 configuration that you created
in Step 1.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Clear Allow outbound to prevent traffic from the local network
from initiating the tunnel after the tunnel has been established.
5 Place the policy in the policy list above any other policies having similar source and
destination addresses.
Name Enter a name to identify the VPN tunnel. This name appears in
phase 2 configurations, firewall policies and the VPN monitor.
Remote Gateway Select Static IP Address.
IP Address Type the IP address of the dialup server’s public interface.
Local Interface Select the interface that connects to the public network.
Mode Because the FortiGate dialup client has a dynamic IP address,
select Aggressive.
Advanced Select to view the following options.
Local ID If you defined a peer ID for the dialup client in the FortiGate dialup
server configuration, enter the identifier of the dialup client. The
value must be identical to the peer ID that you specified previously
in the FortiGate dialup server configuration.
Enable IPsec If IPsec Interface Mode is enabled, the FortiGate unit creates a
Interface Mode virtual IPsec interface for a route-based VPN. Disable this option if
you want to create a policy-based VPN.
After you select OK to create the phase 1 configuration, you
cannot change this setting.
2 Define the phase 2 parameters needed to create a VPN tunnel with the dialup server.
See “Phase 2 parameters” on page 1151. Enter these settings in particular:
3 Define names for the addresses or address ranges of the private networks that the
VPN links. See “Defining firewall addresses” on page 1157. Enter these settings in
particular:
• Define an address name for the server, host, or network behind the FortiGate dialup
server.
• Define an address name for the private network behind the FortiGate dialup client.
4 Define firewall policies to permit communication between the private networks through
the VPN tunnel. Route-based and policy-based VPNs require different firewall policies.
For detailed information about creating firewall policies, see “Defining firewall policies”
on page 1158.
Route-based VPN firewall policy
Define an ACCEPT firewall policy to permit communications between hosts on the
private network behind this FortiGate dialup client and the private network behind the
FortiGate dialup server. Because communication cannot be initiated in the opposite
direction, there is only one policy. Enter these settings in particular:
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select All.
Destination Interface/Zone Select the VPN tunnel (IPsec interface) created in Step 1.
Destination Address Name Select All.
Source Interface/Zone Select the interface that connects to the private network behind
this FortiGate unit.
Source Address Name Select the address name that you defined in Step 3 for the
private network behind this FortiGate unit.
Destination Interface/Zone Select the FortiGate unit’s public interface.
Destination Address Name Select the address name that you defined in Step 3 for the
private network behind the dialup server.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1 configuration that you created in
Step 1.
Clear Allow inbound to prevent traffic from the remote network
from initiating the tunnel after the tunnel has been established.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.
5 Place the policy in the policy list above any other policies having similar source and
destination addresses.
Variable Description
ike-version 1 IKE v1 is the default for FortiGate IPsec VPNs.
IKE Mode Config is not compatible with IKE v2.
mode-cfg enable Enable IKE Mode Config.
type {ddns | static} Set to ddns or static as needed. If you set type to
dynamic, an IKE Mode Config server is created.
assign-ip Enable to request an IP address from the server.
{enable | disable}
interface This is a regular IPsec VPN field. Specify the physical,
<interface_name> aggregate, or VLAN interface to which the IPsec tunnel will be
bound.
proposal This is a regular IPsec VPN field that determines the
<encryption_combination> encryption and authentication settings that the client will
accept. For more information, see “Defining IKE negotiation
parameters” on page 1144.
mode-cfg-ip-version {4|6} Select whether an IKE Configuration Method client receives an
IPv4 or IPv6 IP address. The default is 4. This setting should
match the ip-version setting.
ip-version <4 | 6> This is a regular IPsec VPN field. By default, IPsec VPNs use
IPv4 addressing. You can set ip-version to 6 to create a
VPN with IPv6 addressing.
Variable Description
ike-version 1 IKE v1 is the default for FortiGate IPsec VPNs.
IKE Mode Config is not compatible with IKE v2.
mode-cfg enable Enable IKE Mode Config.
type dynamic Any other setting creates an IKE Mode Config client.
interface This is a regular IPsec VPN field. Specify the physical,
<interface_name> aggregate, or VLAN interface to which the IPsec tunnel will be
bound.
proposal This is a regular IPsec VPN field that determines the
<encryption_combination> encryption and authentication settings that the server will
accept. For more information, see “Defining IKE negotiation
parameters” on page 1144.
ip-version <4 | 6> This is a regular IPsec VPN field. By default, IPsec VPNs use
IPv4 addressing. You can set ip-version to 6 to create a
VPN with IPv6 addressing.
After you have enabled the basic configuration, you can configure:
• IP address assignment for clients
• DNS and WINS server assignment
IP address assignment
Usually you will want to assign IP addresses to clients. The simplest method is to assign
addresses from a specific range, similar to a DHCP server.
If your clients are authenticated by a RADIUS server, you can obtain the user’s IP address
assignment from the Framed-IP-Address attribute. The user must be authenticated using
XAuth.
Only the CLI fields required for IKE Mode Config are shown here. For detailed information
about these variables, see the FortiGate CLI Reference.
config vpn ipsec phase1-interface
edit vpn1
set ip-version 4
set type dynamic
set interface port1
set proposal 3des-sha1 aes128-sha1
set mode-cfg enable
set mode-cfg-ipversion 4
set assign-ip enable
set assign-ip-type ip
set assign-ip-from range
set ipv4-start-ip 10.11.101.160
set ipv4-end-ip 10.11.101.180
set ipv4-netmask 255.255.255.0
set dns-server1 10.11.101.199
set dns-server2 66.11.168.195
set wins-server1 10.11.101.191
set domain example
set ipv4-split-include OfficeLAN
end
Configuration overview
A VPN provides secure access to a private network behind the FortiGate unit. You can
also enable VPN clients to access the Internet securely. The FortiGate unit inspects and
processes all traffic between the VPN clients and hosts on the Internet according to the
Internet browsing policy. This is accomplished even though the same FortiGate interface
is used for both encrypted VPN client traffic and unencrypted Internet traffic.
In Figure 124, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint
Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2,
which could be a VPN peer or a dialup client.
_1
lup
Dia
FG
_D
_1 ial
ate up
_2
rtiG
Fo
Site_1 Site_2
We
bs
U
Users browse erv
internet through er
the VPN tunnel
You can adapt any of the following configurations to provide secure Internet browsing:
• a gateway-to-gateway configuration (see “Gateway-to-gateway configurations” on
page 997)
• a FortiClient dialup-client configuration (see “FortiClient dialup-client configurations” on
page 1031)
Schedule As required.
Service As required.
Action ACCEPT
NAT Enable
UTM Select the UTM features that you want to apply to Internet
access.
Configure other settings as needed.
The VPN clients must be configured to route all Internet traffic through the VPN tunnel.
All packets are routed through the VPN tunnel, not just packets destined for the protected
private network.
Configuration overview
A FortiGate unit with two interfaces to the Internet can be configured to support redundant
VPNs to the same remote peer. If the primary connection fails, the FortiGate unit can
establish a VPN using the other connection.
A fully-redundant configuration requires redundant connections to the Internet on both
peers. Figure 125 on page 1064 shows an example of this. This is useful to create a
reliable connection between two FortiGate units with static IP addresses.
When only one peer has redundant connections, the configuration is partially-redundant.
For an example of this, see “Partially-redundant route-based VPN example” on
page 1077. This is useful to provide reliable service from a FortiGate unit with static IP
addresses that accepts connections from dialup IPsec VPN clients.
In a fully-redundant VPN configuration with two interfaces on each peer, four distinct paths
are possible for VPN traffic from end to end. Each interface on a peer can communicate
with both interfaces on the other peer. This ensures that a VPN will be available as long as
each peer has one working connection to the Internet.
You configure a VPN and an entry in the routing table for each of the four paths. All of
these VPNs are ready to carry data. You set different routing distances for each route and
only the shortest distance route is used. If this route fails, the route with the next shortest
distance is used.
The redundant configurations described in this chapter use route-based VPNs, otherwise
known as virtual IPsec interfaces. This means that the FortiGate unit must operate in
NAT/Route mode. You must use auto-keying. A VPN that is created using manual keys
(see “Manual-key configurations” on page 1091) cannot be included in a redundant-tunnel
configuration.
The configuration described here assumes that your redundant VPNs are essentially
equal in cost and capability. When the original VPN returns to service, traffic continues to
use the replacement VPN until the replacement VPN fails. If your redundant VPN uses
more expensive facilities, you want to use it only as a backup while the main VPN is down.
For information on how to do this, see “Creating a backup IPsec interface” on page 1083.
Redundant tunnel Fo
rtiG
Primary tunnel ate
1
te_ _2
r tiGa
Fo
Site_1 Site_2
Note: A VPN that is created using manual keys (see “Manual-key configurations” on
page 1091) cannot be included in a redundant-tunnel configuration.
Path 2
Path 3
Path 4
For more information, see “Auto Key phase 1 parameters” on page 1135.
3 Create a phase 2 definition for each path. See “Phase 2 parameters” on page 1151.
Enter these settings in particular:
Phase 1 Select the phase 1 configuration (virtual IPsec interface) that you
defined for this path. You can select the name from the Static IP
Address part of the list.
4 Create a route for each path to the other peer. If there are two ports on each peer, there
are four possible paths between the peer devices.
Destination IP/Mask The IP address and netmask of the private network behind the remote
peer.
Device One of the virtual IPsec interfaces on the local peer.
Distance For each path, enter a different value to prioritize the paths.
5 Define the firewall policy for the local primary interface. See “Defining firewall policies”
on page 1158. You need to create two policies for each path to enable communication
in both directions. Enter these settings in particular:
Source Interface/Zone Select the local interface to the internal (private) network
Source Address Name All
Destination Interface/Zone Select one of the virtual IPsec interfaces you created in
Step 2.
Destination Address Name All
Schedule Always
Service Any
Action ACCEPT
Source Interface/Zone Select one of the virtual IPsec interfaces you created in
Step 2.
Source Address Name All
Destination Interface/Zone Select the local interface to the internal (private) network.
Destination Address Name All
Schedule Always
Service Any
Action ACCEPT
6 Place the policy in the policy list above any other policies having similar source and
destination addresses.
7 Repeat this procedure at the remote FortiGate unit.
N2 2
17 W Redundant tunnel WA 6.30.
2.1 AN 2 .1
6.2 2 17
0.2 Primary tunnel
N1
WA .2
Finance network WA
8 . 20
10.21.101.0/24 19 N1 .16
2.1 192
68
.10
.2
FFortiGate_2
FFortiGate_1
tiG
iG
G t 1
HR network
10.31.101.0/24
For each path, VPN configuration, firewall policies and routing are defined. By specifying a
different routing distance for each path, the paths are prioritized. A VPN tunnel is
established on each path, but only the highest priority one is used. If the highest priority
path goes down, the traffic is automatically routed over the next highest priority path. You
could use dynamic routing, but to keep this example simple, static routing is used.
Configuring FortiGate_1
You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the four possible paths, creating a virtual
IPsec interface for each one
• define the phase 2 configuration for each of the four possible paths
• configure routes for the four IPsec interfaces, assigning the appropriate priorities
• configure incoming and outgoing firewall policies between the internal interface and
each of the virtual IPsec interfaces
3 Select the Edit icon for the WAN1 interface, enter the following information and then
select OK:
4 Select the Edit icon for the WAN2 interface, enter the following information and then
select OK:
Name Site_1_A
Remote Gateway Static IP Address
IP Address 192.168.20.2
Local Interface WAN1
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
3 Select Create Phase 1, enter the following information, and select OK:
Name Site_1_B
Remote Gateway Static IP Address
IP Address 172.16.30.2
Local Interface WAN1
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
4 Select Create Phase 1, enter the following information, and select OK:
Name Site_1_C
Remote Gateway Static IP Address
IP Address 192.168.20.2
Local Interface WAN2
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Name Site_1_D
Remote Gateway Static IP Address
IP Address 172.16.30.2
Local Interface WAN2
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
Name Route_A.
Phase 1 Site_1_A
3 Select Create Phase 2, enter the following information and select OK:
Name Route_B.
Phase 1 Site_1_B
4 Select Create Phase 2, enter the following information and select OK:
Name Route_C.
Phase 1 Site_1_C
5 Select Create Phase 2, enter the following information and select OK:
Name Route_D.
Phase 1 Site_1_D
To configure routes
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following default gateway information and then select
OK:
3 Select Create New, enter the following information and then select OK:
4 Select Create New, enter the following information and then select OK:
5 Select Create New, enter the following information and then select OK:
6 Select Create New, enter the following information and then select OK:
3 Select Create New, enter the following information, and select OK:
4 Select Create New, enter the following information, and select OK:
6 Select Create New, enter the following information, and select OK:
7 Select Create New, enter the following information, and select OK:
8 Select Create New, enter the following information, and select OK:
9 Select Create New, enter the following information, and select OK:
Configuring FortiGate_2
The configuration for FortiGate_2 is very similar that of FortiGate_1. You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the four possible paths, creating a virtual
IPsec interface for each one
• define the phase 2 configuration for each of the four possible paths
• configure routes for the four IPsec interfaces, assigning the appropriate priorities
• configure incoming and outgoing firewall policies between the internal interface and
each of the virtual IPsec interfaces
3 Select the WAN1 interface and then select Edit. Enter the following information and
then select OK:
4 Select the WAN2 interface and then select Edit. Enter the following information and
then select OK:
Name Site_2_A
Remote Gateway Static IP Address
IP Address 192.168.10.2
Local Interface WAN1
Mode Main
Name Site_2_B
Remote Gateway Static IP Address
IP Address 172.16.20.2
Local Interface WAN1
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
4 Select Create Phase 1, enter the following information, and select OK:
Name Site_2_C
Remote Gateway Static IP Address
IP Address 192.168.10.2
Local Interface WAN2
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
5 Select Create Phase 1, enter the following information, and select OK:
Name Site_2_D
Remote Gateway Static IP Address
IP Address 172.16.20.2
Local Interface WAN1
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Name Route_A.
Phase 1 Site_2_A
3 Select Create Phase 2, enter the following information and select OK:
Name Route_B.
Phase 1 Site_2_B
4 Select Create Phase 2, enter the following information and select OK:
Name Route_C.
Phase 1 Site_2_C
5 Select Create Phase 2, enter the following information and select OK:
Name Route_D.
Phase 1 Site_2_D
To configure routes
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following default gateway information and then select
OK:
3 Select Create New, enter the following information and then select OK:
4 Select Create New, enter the following information and then select OK:
5 Select Create New, enter the following information and then select OK:
Device Site_2_C
Distance 3
6 Select Create New, enter the following information and then select OK:
3 Select Create New, enter the following information, and select OK:
4 Select Create New, enter the following information, and select OK:
5 Select Create New, enter the following information, and select OK:
Service Any
Action ACCEPT
6 Select Create New, enter the following information, and select OK:
7 Select Create New, enter the following information, and select OK:
8 Select Create New, enter the following information, and select OK:
9 Select Create New, enter the following information, and select OK:
17 W Redundant tunnel
2.1 AN
6.2 2 Primary tunnel
0.2
Corporate network WA
10.21.101.0/24 19 N1
2.1
68
.10 WA
.1
FFortiGate_1
tiG
iG
G t 1 17 N1
2.1
6.3
0.1
FFortiGate_2
iG 2
SOHO network
10.31.101.0/24
Configuring FortiGate_1
You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the two possible paths, creating a virtual
IPsec interface for each one
• define the phase 2 configuration for each of the two possible paths
• configure incoming and outgoing firewall policies between the internal interface and
each of the virtual IPsec interfaces
3 Select the WAN1 interface and then select Edit. Enter the following information and
then select OK:
4 Select the WAN2 interface and then select Edit. Enter the following information and
then select OK:
Name Site_1_A
Remote Gateway Dialup User
Local Interface WAN1
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
3 Select Create Phase 1, enter the following information, and select OK:
Name Site_1_B
Remote Gateway Dialup User
Local Interface WAN2
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
Name Route_A.
Phase 1 Site_1_A
3 Select Create Phase 2, enter the following information and select OK:
Name Route_B.
Phase 1 Site_1_B
To configure routes
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following default gateway information and then select
OK:
3 Select Create New, enter the following information, and select OK:
Configuring FortiGate_2
The configuration for FortiGate_2 is similar to that of FortiGate_1. You must
• configure the interface involved in the VPN
• define the phase 1 configuration for the primary and redundant paths, creating a virtual
IPsec interface for each one
• define the phase 2 configurations for the primary and redundant paths, defining the
internal network as the source address so that FortiGate_1 can automatically configure
routing
• configure the routes for the two IPsec interfaces, assigning the appropriate priorities
• configure firewall policies between the internal interface and each of the virtual IPsec
interfaces
3 Select the WAN1 interface and then select Edit. Enter the following information and
then select OK:
Name Site_2_A
Remote Gateway Static IP Address
IP Address 192.168.10.2
Local Interface WAN1
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
3 Select Create Phase 1, enter the following information, and select OK:
Name Site_2_B
Remote Gateway Static IP Address
IP Address 172.16.20.2
Local Interface WAN1
Mode Main
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key.
Peer Options Accept any peer ID
Advanced
Enable IPsec Interface Mode Select
Dead Peer Detection Select
Name Route_A.
Phase 1 Site_2_A
Advanced
Source Address 10.31.101.0/24
3 Select Create Phase 2, enter the following information and select OK:
Name Route_B.
Phase 1 Site_2_B
Advanced
Source Address 10.31.101.0/24
To configure routes
1 Go to Router > Static > Static Route.
2 Select Create New, enter the following information and then select OK:
3 Select Create New, enter the following information and then select OK:
3 Select Create New, enter the following information, and select OK:
Configuration overview
In Transparent mode, all interfaces of the FortiGate unit except the management interface
(which by default is assigned IP address 10.10.10.1/255.255.255.0) are invisible at the
network layer. Typically, when a FortiGate unit runs in Transparent mode, different network
segments are connected to the FortiGate interfaces. Figure 128 shows the management
station on the same subnet. The management station can connect to the FortiGate unit
directly through the web-based manager.
ou ter
ger
Ed
te_1
r tiGa e 10
Fo .10
.10
Ma .1
n
sta age
tio me
n nt
Site_1
10.10.10.0/24
An edge router typically provides a public connection to the Internet and one interface of
the FortiGate unit is connected to the router. If the FortiGate unit is managed from an
external address (see Figure 129 on page 1086), the router must translate (NAT) a
routable address to direct management traffic to the FortiGate management interface.
ter
e rou
g
Ed NAT
h 17
wit 2.1
6.1
0.1
00
e_1
t
r tiGa e 10
Fo .10
.10
.1
Ma
n
sta age
tio me
n nt
Site_1
10.10.10.0/24
In a transparent VPN configuration, two FortiGate units create a VPN tunnel between two
separate private networks transparently. All traffic between the two networks is encrypted
and protected by FortiGate firewall policies.
Both FortiGate units may be running in Transparent mode, or one could be running in
Transparent mode and the other running in NAT/Route mode. If the remote peer is running
in NAT/Route mode, it must have a static public IP address.
Note: VPNs between two FortiGate units running in Transparent mode do not support
inbound/outbound NAT (supported through CLI commands) within the tunnel. In addition, a
FortiGate unit running in Transparent mode cannot be used in a hub-and-spoke
configuration.
Encrypted packets from the remote VPN peer are addressed to the management interface
of the local FortiGate unit. If the local FortiGate unit can reach the VPN peer locally, a
static route to the VPN peer must be added to the routing table on the local FortiGate unit.
If the VPN peer connects through the Internet, encrypted packets from the local FortiGate
unit must be routed to the edge router instead. For information about how to add a static
route to the FortiGate routing table, see the “Router Static” chapter of the FortiGate
Administration Guide.
In the example configuration shown in Figure 129, Network Address Translation (NAT) is
enabled on the router. When an encrypted packet from the remote VPN peer arrives at the
router through the Internet, the router performs inbound NAT and forwards the packet to
the FortiGate unit. Refer to the software supplier’s documentation to configure the router.
If you want to configure a VPN between two FortiGate units running in Transparent mode,
each unit must have an independent connection to a router that acts as a gateway to the
Internet, and both units must be on separate networks that have a different address
space. When the two networks linked by the VPN tunnel have different address spaces
(see Figure 130 on page 1087), at least one router must separate the two FortiGate units,
unless the packets can be redirected using ICMP (see Figure 131 on page 1087).
Figure 130: Link between two FortiGate units running in Transparent mode
r
ute
Ro
e_1 Fo
i Gate rtiG
Fort ate
_2
Network_1 Network_2
In Figure 131, interface C behind the router is the default gateway for both FortiGate units.
Packets that cannot be delivered on Network_1 are routed to interface C by default.
Similarly, packets that cannot be delivered on Network_2 are routed to interface C. In this
case, the router must be configured to redirect packets destined for Network_1 to interface
A and redirect packets destined for Network_2 to interface B.
Figure 131: ICMP redirecting packets to two FortiGate units running in Transparent mode
r
ute
Ro
C ICM
P
e_1 ICM P Fo
i G ate A B
rtiG
rt Network_3 ate
Fo _2
Network_1 Network_2
If there are additional routers behind the FortiGate unit (see Figure 132 on page 1088)
and the destination IP address of an inbound packet is on a network behind one of those
routers, the FortiGate routing table must include routes to those networks. For example, in
Figure 132, the FortiGate unit must be configured with static routes to interfaces A and B
in order to forward packets to Network_1 and Network_2 respectively.
_1
i Gate
or t
F
1
uter_ A Network_3
Ro Ro
B ute
r_2
Network_1 Network_2
2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
See “Phase 2 parameters” on page 1151. Enter these settings in particular:
Phase 1 Select the set of phase 1 parameters that you defined for the remote peer. The
name of the remote peer can be selected from the Static IP Address list.
3 Define the source and destination addresses of the IP packets that are to be
transported through the VPN tunnel. See “Defining firewall addresses” on page 1157.
Enter these settings in particular:
• For the originating address (source address), enter the IP address of the local
management interface (for example, 10.10.10.1/32).
• For the remote address (destination address), enter the IP address and netmask of
the private network behind the remote peer (for example, 192.168.10.0/24). If
the remote peer is a FortiGate unit running in Transparent mode, enter the IP
address of the remote management interface instead.
4 Define an IPsec firewall policy to permit communications between the source and
destination addresses. See “Defining firewall policies” on page 1158. Enter these
settings in particular:
Source Interface/Zone Select the local interface to the internal (private) network.
Source Address Name Select the source address that you defined in Step 3.
Destination Interface/Zone Select the interface to the edge router. When you configure the
IPsec firewall policy on a remote peer that operates in
NAT/Route mode, you select the public interface to the external
(public) network instead.
Destination Address Name Select the destination address that you defined in Step 3.
Action IPSEC
VPN Tunnel Select the name of the phase 2 tunnel configuration that you
created in Step 2.
Select Allow inbound to enable traffic from the remote network
to initiate the tunnel.
Select Allow outbound to enable traffic from the local network to
initiate the tunnel.
5 Place the policy in the policy list above any other policies having similar source and
destination addresses.
6 Repeat this procedure at the remote FortiGate unit.
Configuration overview
You can manually define cryptographic keys for the FortiGate unit to establish an IPsec
VPN.
You define manual keys where prior knowledge of the encryption and/or authentication
key is required (that is, one of the VPN peers requires a specific IPsec encryption and/or
authentication key). In this case, you do not specify IPsec phase 1 and phase 2
parameters; you define manual keys on the VPN > IPSEC > Manual Key tab instead.
If one VPN peer uses specific authentication and encryption keys to establish a tunnel,
both VPN peers must be configured to use the same encryption and authentication
algorithms and keys.
Note: It may not be safe or practical to define manual keys because network administrators
must be trusted to keep the keys confidential, and propagating changes to remote VPN
peers in a secure manner may be difficult.
It is essential that both VPN peers be configured with matching encryption and
authentication algorithms, matching authentication and encryption keys, and
complementary Security Parameter Index (SPI) settings.
You can define either the encryption or the authentication as NULL (disabled), but not
both.
Each SPI identifies a Security Association (SA). The value is placed in ESP datagrams to
link the datagrams to the SA. When an ESP datagram is received, the recipient refers to
the SPI to determine which SA applies to the datagram. An SPI must be specified
manually for each SA. Because an SA applies to communication in one direction only, you
must specify two SPIs per configuration (a local SPI and a remote SPI) to cover
bidirectional communications between two VPN peers.
Caution: If you are not familiar with the security policies, SAs, selectors, and SA databases
for your particular installation, do not attempt the following procedure without qualified
assistance.
3 Select OK.
Compared with IPv4 IPsec VPN functionality, there are some limitations:
• Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
This is because FortiOS 3.0 does not support IPv6 DNS.
• You cannot use RSA certificates in which the common name (cn) is a domain name
that resolves to an IPv6 address. This is because FortiOS 3.0 does not support IPv6
DNS.
• DHCP over IPsec is not supported, because FortiOS 3.0 does not support IPv6 DHCP.
• Selectors cannot be firewall address names. Only IP address, address range and
subnet are supported.
• Redundant IPv6 tunnels are not supported.
Certificates
On a VPN with IPv6 phase 1 configuration, you can authenticate using VPN certificates in
which the common name (cn) is an IPv6 address. The cn-type keyword of the user
peer command has an option, ipv6, to support this.
Phase 1 configuration
In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings.
Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote
gateway.
In the CLI, you define an IPsec phase 1 configuration as IPv6 by setting ip-version
to 6. Its default value is 4. Then, the local-gw and remote-gw keywords are hidden
and the corresponding local-gw6 and remote-gw6 keywords are available. The values
for local-gw6 and remote-gw6 must be IPv6 addresses. For example:
config vpn ipsec phase1-interface
edit tunnel6
set ip-version 6
set remote-gw6 0:123:4567::1234
set interface port3
set proposal 3des-md5
end
Phase 2 configuration
To create an IPv6 IPsec phase 2 configuration in the web-based manager, you need to
define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for
Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific
IPv6 addresses, address ranges or subnet addresses in these fields.
In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to
specify IPv6 selectors. By default, zero selectors are entered, “::/0” for the subnet6
address type, for example. The simplest IPv6 phase 2 configuration looks like this:
config vpn ipsec phase2-interface
edit tunnel6_p2
set phase1name tunnel6
set proposal 3des-md5
set src-addr-type subnet6
set dst-addr-type subnet6
end
Firewall policies
To complete the VPN configuration, you need a firewall policy in each direction to permit
traffic between the protected network’s port and the IPsec interface. You need IPv6
policies unless the VPN is IPv4 over IPv6.
Routing
Appropriate routing is needed for both the IPsec packets and the encapsulated traffic
within them. You need a route, which could be the default route, to the remote VPN
gateway via the appropriate interface. You also need a route to the remote protected
network via the IPsec interface.
To create a static route in the web-based manager, go to Router > Static. Select the drop-
down arrow on the Create New button and select IPv6 Route. Enter the information and
select OK. In the CLI, use the router static6 command. For example, where the
remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toB
set dst fec0:0000:0000:0004::/64
next
end
If the VPN is IPV4 over IPv6, the route to the remote protected network is an IPv4 route. If
the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.
fec 7
5c
0:0 3:2
00 e8
1:2 fff:f
09
:0f 0 9:0
ff:f
e8 Por rt 2 0 1:2
3:2 t 2 Poc0:00
5f2 fe
Po A Fo
rt 3 ate rtiG
Po
o rtiG ate rt 3
F B
fec fec
0:0 0:0
00 00
0:0 0:0
00 00
0:0 0:0
00 00
0:: 4::
/64 /64
Configure FortiGate B
The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec
interface toA is configured on port2 and its remote gateway is the public IP address of
FortiGate A. Firewall policies enable traffic to pass between the private network and the
IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes
through the VPN and that all IPv6 packets are routed to the public network.
config system interface
edit port2
config ipv6
set ip6-address fec0::0003:209:0fff:fe83:25c7/64
end
next
edit port3
config ipv6
set ip6-address fec0::0004:209:0fff:fe83:2569/64
end
end
config vpn ipsec phase1-interface
edit toA
set ip-version 6
set interface port2
set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
set src-addr-type subnet6
set dst-addr-type subnet6
end
config firewall policy6
edit 1
set srcintf port3
set dstintf toA
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toA
set dstintf port3
set srcaddr all6
set dstaddr all6
set action accept
set service ANY
set schedule always
end
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toA
set dst fec0:0000:0000:0000::/64
end
fec c7
0:0 3 :25
00
1:2 ff:fe8
09 9:0f
:0f :20
ff:f
e8 Por rt 2 01
3:2 t 2 Poc0:00
5f2 fe
Po Fo
rt 3 te A rtiG
rtiGa ate Po
rt 3
Fo B
19 19
2.1 2.1
68 68
.2. .3.
0/2 0/2
4 4
Configure FortiGate B
The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec
interface toA is configured on port2 and its remote gateway is the public IP address of
FortiGate A. The IPsec phase 2 configuration has IPv4 selectors.
IPv4 firewall policies enable traffic to pass between the private network and the IPsec
interface. An IPv4 static route ensures traffic for the private network behind FortiGate A
goes through the VPN and an IPv6 static route ensures that all IPv6 packets are routed to
the public network.
config system interface
edit port2
config ipv6
set ip6-address fec0::0003:fe83:25c7/64
end
next
edit port3
set 192.168.3.1/24
end
config vpn ipsec phase1-interface
edit toA
set ip-version 6
set interface port2
set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
end
10 4
.0. Por rt 2 1/2
0.1 t 2 Po .0.1.
/24 10
Po A Fo
rt 3 ate rtiG
Po
o rtiG ate rt 3
F B
fec fec
0:0 0:0
00 00
0:0 0:0
00 00
0:0 0:0
00 00
0:: 4::
/64 /64
Configure FortiGate B
The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec
interface toA is configured on port2 and its remote gateway is the IPv4 public IP address
of FortiGate A. The IPsec phase 2 configuration has IPv6 selectors.
IPv6 firewall policies enable traffic to pass between the private network and the IPsec
interface. An IPv6 static route ensures traffic for the private network behind FortiGate A
goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to
the public network.
config system interface
edit port2
set 10.0.1.1/24
next
edit port3
config ipv6
set ip6-address fec0::0004:209:0fff:fe83:2569/64
end
config vpn ipsec phase1-interface
edit toA
set interface port2
set remote-gw 10.0.0.1
set dpd enable
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
Overview
The topology of a VPN for Microsoft Windows dialup clients is very similar to that for
FortiClient Endpoint Security clients.
t
lien
ote C
R em
17 Por
2.2 t 1
0.1
20 N
.1 41 LA /24
ice 1.0
lien
t Off 1.10
10 Por 1
te C .11 t 2 10.
mo .10
Re 1.1
00
_1 H .1
ate T 1.
10
iG T 1
ort P 0
/H 1.
T 12
F
T 0
P
D 11
S
10
N .1
S 0
.
S .
er 16
ve 0
F 11
r
10
T .1
P 0
.
S 1.
er 1
ve 0
r
S .1
am 1
7
10
ba 10
S .1
.
er 80
ve
1
For users, the difference is only that instead of installing and using the FortiClient
application, they configure a network connection using the software built into their
operating system. Starting in FortiOS 4.0 MR2, you can configure a FortiGate unit to work
with unmodified Microsoft VPN client software.
Name Type or edit the user group name (for example, L2TP_group).
Type Select Firewall.
Available The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers,
Users/Groups or PKI users that can be added to the user group. To add a member to this
list, select the name and then select the right arrow button.
Members The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers,
or PKI users that belong to the user group. To remove a member, select the
name and then select the left arrow button.
2 Select OK.
Configuring L2TP
You can configure L2TP settings only in the CLI. As well as enabling L2TP, you set the
range of IP address values that are assigned to L2TP clients and specify the user group
that can access the VPN. For example, to allow access to users in the L2TP_group and
assign them addresses in the range 192.168.0.50 to 192.168.0.59, you would enter
config vpn l2tp
set sip 192.168.0.50
set eip 192.168.0.59
set status enable
set usrgrp "L2TP_group"
end
One of the firewall policies for the L2TP over IPsec VPN uses the client address range, so
you need also need to create a firewall address for that range. For example,
config firewall address
edit L2TPclients
set type iprange
set end-ip 192.168.6.88
set start-ip 192.168.6.85
end
Alternatively, you could define this range in the web-based manager.
Configuring IPsec
The Microsoft VPN client uses IPsec for encryption. The configuration needed on the
FortiGate unit is substantially the same as for any other IPsec VPN except that
• transport mode is used instead of tunnel mode
• the encryption and authentication proposals must be compatible with the Microsoft
client
L2TP over IPsec is supported on the FortiGate unit using policy-based, not route-based
configurations.
3 Make this a transport-mode VPN. You must use the CLI to do this. If your phase 2
name is dialup_p2, you would enter:
config vpn ipsec phase2
edit dialup_p2
set encapsulation transport-mode
end
Source Select the interface that connects to the private network behind this
Interface/Zone FortiGate unit.
Source Address all
Destination Select the FortiGate unit’s public interface.
Interface/Zone
Destination Address all
Action IPSEC
VPN Tunnel Select the name of the phase 1 configuration that you created. For
example, dialup_p1. See “Configuring IPsec” on page 1107.
Allow inbound Enable
Allow outbound Enable
UTM Optional settings for UTM features.
Leave other settings at default values.
Troubleshooting
This section describes some checks and tools you can use to resolve issues with L2TP-
over-IPsec VPNs.
Quick checks
Here is a list of common L2TP over IPsec VPN problems and the likely solutions.
Setting up logging
To configure FortiGate logging for L2TP over IPsec
1 Go to Log&Report > Log Config > Event Log.
2 Select the Enable check box.
3 Select the L2TP/PPTP/PPPoE service event and IPsec negotiation event check boxes.
4 Select Apply.
Table 71: Typical sequence of log messages for L2TP over IPsec VPN connection startup
Note: This table lists messages in top down chronological order. In the web-based
manager log viewer, you need to read the messages from the bottom up. The newest
message appears at the top of that list.
In Table 71, messages 1 through 4 show the IKE phase 1 negotiation stages that result in
the creation of the Security Association (SA) shown in message 6. Phase 2 negotiation in
messages 5, 9, 10 produce the tunnel-up condition reported in message 8.
With IPsec communication established, the L2TP connection is established (message 11),
the pppd daemon starts (message 12), the user is authenticated (message 13), and the
L2TP tunnel is now ready to use.
Typical L2TP over IPsec session startup log entries - raw format
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 1" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success
init=remote mode=main dir=outbound stage=1 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 1" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success
init=remote mode=main dir=outbound stage=2 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 1" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success
init=remote mode=main dir=inbound stage=3 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 1" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success
init=remote mode=main dir=outbound stage=3 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec pri=notice vd="root"
msg="progress IPsec phase 2" action="negotiate" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success
init=remote mode=quick dir=outbound stage=1 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037133 type=event subtype=ipsec pri=notice vd="root"
msg="install IPsec SA" action="install_sa" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" role=responder
in_spi=61100fe2 out_spi=bd70fca1
2010-01-11 16:39:58 log_id=0101037139 type=event subtype=ipsec pri=notice vd="root"
msg="IPsec phase 2 status change" action="phase2-up" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0"
phase2_name=dialup_p2
2010-01-11 16:39:58 log_id=0101037138 type=event subtype=ipsec pri=notice vd="root"
msg="IPsec connection status change" action="tunnel-up" rem_ip=172.20.120.151
loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1"
cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A"
xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0"
tunnel_ip=172.20.120.151 tunnel_id=1552003005 tunnel_type=ipsec duration=0 sent=0
rcvd=0 next_stat=0 tunnel=dialup_p1_0
Overview
Cisco products that include VPN support often use Generic Routing Encapsulation (GRE)
protocol tunnel over IPsec encryption. This chapter describes how to configure a
FortiGate unit to work with this type of Cisco VPN.
Cisco VPNs can use either transport mode or tunnel mode IPsec. Before FortiOS 4.0
MR2, the FortiGate unit was compatible only with tunnel mode IPsec.
1 Cis
te .14
iGa rt 1 20 co
ort Po .20.1 13 rou
F 17 2 8.5.1 ter
.16
192
00
rt 2 1.1
Po 1.10
1
10.
10 LAN 10 LAN
.11 -1 .21 -2
.10 .10
1.0 1.0
/24 /24
Name Enter a name to identify the VPN tunnel, tocisco for example. This
is the name of the virtual IPsec interface. It appears in phase 2
configurations, firewall policies and the VPN monitor.
Remote Gateway Select Static IP Address.
IP Address Enter the IP address of the Cisco device public interface. For
example, 192.168.5.113
Local Interface Select the FortiGate unit’s public interface. For example,
172.20.120.141
Mode Select Main (ID Protection).
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key. It must match the preshared key on the
Cisco device.
Advanced Select the Advanced button to see the following settings.
Enable IPsec Interface Enable.
Mode
P1 Proposal 3DES-MD5
At least one proposal must match the settings on the Cisco unit.
Leave other settings at default values.
For more information about these settings, see “Auto Key phase 1 parameters” on
page 1135.
2 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
For compatibility with the Cisco router, Quick Mode Selectors must be entered, which
includes specifying protocol 47, the GRE protocol. Enter these settings in particular:
For more information about these settings, see “Phase 2 parameters” on page 1151.
3 If the Cisco device is configured to use transport mode IPsec, you need to use
transport mode on the FortiGate VPN. You can configure this only in the CLI. In your
phase 2 configuration, set encapsulation to transport-mode (default is
tunnel-mode) as follows:
config vpn phase2-interface
edit to_cisco_p2
set encapsulation transport-mode
end
Source Interface/Zone Select the interface that connects to the private network behind
this FortiGate unit.
Source Address Name All
Destination Interface/Zone Select the GRE tunnel virtual interface you configured.
Destination Address Name All
Action ACCEPT
NAT Disable.
2 To permit the remote client to initiate communication, you need to define a firewall
policy for communication in that direction:
Source Interface/Zone Select the GRE tunnel virtual interface you configured.
Source Address Name All
Destination Interface/Zone Select the interface that connects to the private network behind
this FortiGate unit.
Destination Address Name All
Action ACCEPT.
NAT Disable.
3 Define a pair of ACCEPT firewall policies to permit traffic to flow between the GRE
virtual interface and the IPsec virtual interface:
Source Interface/Zone Select the GRE virtual interface. See “Configuring the GRE
tunnel” on page 1120.
Source Address Name All
Destination Interface/Zone Select the virtual IPsec interface you created. See “Configuring
the IPsec VPN” on page 1118.
Destination Address Name All
Action ACCEPT.
NAT Disable.
Source Interface/Zone Select the virtual IPsec interface you created. See “Configuring
the IPsec VPN” on page 1118.
Source Address Name All
Destination Interface/Zone Select the GRE virtual interface. See “Configuring the GRE
tunnel” on page 1120.
Destination Address Name All
Action Select ACCEPT.
NAT Disable.
Configuring routing
Traffic destined for the network behind the Cisco router must be routed to the GRE tunnel.
To do this, create a static route as follows:
Destination IP/Mask Enter the IP address and netmask for the network behind the Cisco
router. For example 10.21.101.0 255.255.255.0
Device Select the GRE virtual interface.
Distance Leave setting at default value.
end
Troubleshooting
This section describes some checks and tools you can use to resolve issues with the
GRE-over-IPsec VPN.
Quick checks
Here is a list of common problems and what to verify.
Setting up logging
To configure FortiGate logging for IPsec
1 Go to Log&Report > Log Config > Event Log.
2 Select the Enable check box.
3 Select the IPsec negotiation event check box.
4 Select Apply.
Note: This table lists messages in top down chronological order. In the web-based
manager log viewer, you need to read the messages from the bottom up. The newest
message appears at the top of that list.
Overview
This chapter shows an example of OSPF routing conducted over an IPsec tunnel between
two FortiGate units. The network shown in Figure 138 is a single OSPF area. FortiGate_1
is an Area border router that advertises a static route to 10.22.10.0/24 in OSPF.
FortiGate_2 advertises its local LAN as an OSPF internal route.
/24
.1 0.0
10.22
19
2.1 P
1 .141 68 ort Fo
rtiG
te_ rt 2 20 .0. 2
iGa Po .20.1 13
1 ate
F ort 172
_2
Po
rt 1
1 Port3 Port3
P ort
10.1.1.1 VPN tunnel 10.1.1.2
“tunnel_wan1”
OSPF cost 10
L
L 10 ocal
10 ocal 10.1.2.1 VPN tunnel 10.1.2.2 .31 LA
.21 LA “tunnel_wan2” .10 N
.10 N 1.0
1.0 OSPF cost 200 /24
/24
The section “OSPF over IPsec configuration” describes the configuration with only one
IPsec VPN tunnel, tunnel_wan1. Then, the section “Creating a redundant configuration”
on page 1133 describes how you can add a second tunnel to provide a redundant backup
path. This is shown in Figure 138 as VPN tunnel “tunnel_wan2”.
Only the parts of the configuration concerned with creating the IPsec tunnel and
integrating it into the OSPF network are described. It is assumed that firewall policies are
already in place to allow traffic to flow between the interfaces on each FortiGate unit.
To configure Phase 1
1 Define the phase 1 configuration needed to establish a secure connection with the
other FortiGate unit. For more information, see “Auto Key phase 1 parameters” on
page 1135. Enter these settings in particular:
FortiGate_1 FortiGate_2
IP 10.1.1.1 10.1.1.2
Remote_IP 10.1.1.2 10.1.1.1
These addresses are from a network that is not used for anything else.
To configure Phase 2
1 Define the phase 2 parameters needed to create a VPN tunnel with the remote peer.
For more information, see “Phase 2 parameters” on page 1151. Enter these settings in
particular:
Name Enter a name to identify this phase 2 configuration, twan1_p2, for example.
Phase 1 Select the name of the phase 1 configuration that you defined in Step 1,
tunnel_wan1 for example.
Leave other settings at default values.
Configuring OSPF
This section does not attempt to explain OSPF router configuration. It focusses on the
integration of the IPsec tunnel into the OSPF network. This is accomplished by assigning
the tunnel as an OSPF interface, creating an OSPF route to the other FortiGate unit.
This configuration uses loopback interfaces to ease OSPF troubleshooting. The OSPF
router ID is set to the loopback interface address.The loopback interface ensures the
router is always up. Even though technically the router ID doesn’t have to match a valid IP
address on the FortiGate unit, having an IP that matches the router ID makes
troubleshooting a lot easier.
The two FortiGate units have slightly different configurations. FortiGate_1 is an AS border
router that advertises its static default route. FortiGate_2 advertises its local LAN as an
OSPF internal route.
Setting the router ID for each FortiGate unit to the lowest possible value is useful if you
want the FortiGate units to be the designated router (DR) for their respective ASes. This is
the router that broadcasts the updates for the AS.
Leaving the IP address on the OSPF interface at 0.0.0.0 indicates that all potential routes
will be advertised, and it will not be limited to any specific subnet. For example if this IP
address was 10.1.0.0, then only routes that match that subnet will be advertised through
this interface in OSPF.
edit lback1
set vdom root
set ip 10.0.0.1 255.255.255.255
set type loopback
end
The loopback addresses and corresponding router IDs on the two FortiGate units must be
different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2
loopback to 10.0.0.2.
IP/Netmask 10.1.1.0/255.255.255.0.
Area 0.0.0.0
IP/Netmask 10.0.0.1/255.255.255.255
Area 0.0.0.0
6 Select Apply.
next
edit 2
set prefix 10.0.0.1 255.255.255.255
end
config ospf-interface
edit ospf_wan1
set cost 10
set interface tunnel_wan1
set network-type point-to-point
end
config redistribute connected
set status enable
end
config redistribute static
set status enable
end
end
Router ID 10.0.0.2
Areas Select Create New, enter the Area and Type and then select OK.
Area 0.0.0.0
Type Regular
Interfaces
Name Enter a name for the OSPF interface, ospf_wan1 for example.
Interface Select the virtual IPsec interface, tunnel_wan1
IP 0.0.0.0
3 For Networks, select Create New.
4 Enter the following information for the loopback interface:
IP/Netmask 10.0.0.2/255.255.255.255
Area 0.0.0.0
IP/Netmask 10.1.1.0/255.255.255.0
Area 0.0.0.0
IP/Netmask 10.31.101.0/255.255.255.0
Area 0.0.0.0
9 Select Apply.
Note: The information and procedures in this section do not apply to VPN peers that
perform negotiations using manual keys. Refer to “Manual-key configurations” on
page 1091 instead.
Overview
IPsec phase 1 settings define:
• the ends of the IPsec tunnel, remote and local
• whether the various phase 1 parameters are exchanged in multiple rounds with
encrypted authentication information (main mode) or in a single message with
authentication information that is not encrypted (aggressive mode)
• whether a preshared key or digital certificates will be used to authenticate the
FortiGate unit to the VPN peer or dialup client
• whether the VPN peer or dialup client is required to authenticate to the FortiGate unit.
A remote peer or dialup client can authenticate by peer ID or, if the FortiGate unit
authenticates by certificate, it can authenticate by peer certificate.
• the IKE negotiation proposals for encryption and authentication
• optional XAuth authentication, which requires the remote user to enter a user name
and password. A FortiGate VPN server can act as an XAuth server to authenticate
dialup users. A FortiGate unit that is a dialup client can also be configured as an XAuth
client to authenticate itself to the VPN server.
Name Enter a name that reflects the origination of the remote connection.
Remote Gateway Select the nature of the remote connection:
• Static IP Address
• Dialup User
• Dynamic DNS
For more information, see “Defining the tunnel ends” on page 1136.
Local Interface Select the interface that is the local end of the IPsec tunnel. For
more information, see “Defining the tunnel ends” on page 1136.
4 If you are configuring authentication parameters for a dialup user group, optionally
define extended authentication (XAuth) parameters. See “Using the FortiGate unit as
an XAuth server” on page 1148.
5 Select OK.
• You can permit access to remote peers or dialup clients who each have a unique
preshared key. Each peer or client must have a user account on the FortiGate unit.
See “Enabling VPN access using user accounts and pre-shared keys” on page 1143.
• You can permit access to remote peers or dialup clients who each have a unique peer
ID and a unique preshared key. Each peer or client must have a user account on the
FortiGate unit. See “Enabling VPN access using user accounts and pre-shared keys”
on page 1143.
For authentication of users of the remote peer or dialup client device, see “Using XAuth
authentication” on page 1148.
A group of certificate holders can be created based on existing user accounts for dialup
clients. To create the user accounts for dialup clients, see the “User” chapter of the
FortiGate Administration Guide. To create the certificate group afterward, use the config
user peergrp CLI command. See the “user” chapter of the FortiGate CLI Reference.
5 In the Local ID field, type the identifier that will be shared by all dialup clients. This
value must match the Accept this peer ID value that you specified previously in the
phase 1 gateway configuration on the FortiGate unit.
6 Select OK to close all dialog boxes.
7 Configure all dialup clients the same way using the same preshared key and local ID.
To authenticate dialup clients using unique preshared keys and/or peer IDs
1 At the FortiGate VPN server, go to VPN > IPSEC > Auto Key (IKE).
2 In the list, select the Edit icon of a phase 1 configuration to edit its parameters.
3 If the clients have unique peer IDs, set Mode to Aggressive.
4 Clear the Pre-shared Key field.
The user account password will be used as the preshared key.
5 Select Accept peer ID in dialup group and then select the group name from the list of
user groups.
6 Select OK.
Follow this procedure to add a unique pre-shared key and unique peer ID to an existing
FortiClient configuration.
Phase 1 negotiations (in main mode or aggressive mode) begin as soon as a remote VPN
peer or client attempts to establish a connection with the FortiGate unit. Initially, the
remote peer or dialup client sends the FortiGate unit a list of potential cryptographic
parameters along with a session ID. The FortiGate unit compares those parameters to its
own list of advanced phase 1 parameters and responds with its choice of matching
parameters to use for authenticating and encrypting packets. The two peers handle the
exchange of encryption keys between them, and authenticate the exchange through a
preshared key or a digital signature.
Note: You can enable or disable automatic rekeying between IKE peers through the
phase1-rekey attribute of the config system global CLI command. For more
information, see the “system” chapter of the FortiGate CLI Reference.
When you use a preshared key (shared secret) to set up two-party authentication, the
remote VPN peer or client and the FortiGate unit must both be configured with the same
preshared key. Each party uses a session key derived from the Diffie-Hellman exchange
to create an authentication key, which is used to sign a known combination of inputs using
an authentication algorithm (such as HMAC-MD5 or HMAC-SHA-1). Each party signs a
different combination of inputs and the other party verifies that the same result can be
computed.
Note: When you use preshared keys to authenticate VPN peers or clients, you must
distribute matching information to all VPN peers and/or clients whenever the preshared key
changes.
As an alternative, the remote peer or dialup client and FortiGate unit can exchange digital
signatures to validate each other’s identity with respect to their public keys. In this case,
the required digital certificates must be installed on the remote peer and on the FortiGate
unit. By exchanging certificate DNs, the signed server certificate on one peer is validated
by the presence of the root certificate installed on the other peer. For more information see
the FortiGate Certificate Management User Guide.
The following procedure assumes that you already have a phase 1 definition that
describes how remote VPN peers and clients will be authenticated when they attempt to
connect to a local FortiGate unit. For information about the Local ID and XAuth options,
see “Enabling VPN access using user accounts and pre-shared keys” on page 1143 and
“Using the FortiGate unit as an XAuth server” on page 1148. Follow this procedure to add
IKE negotiation parameters to the existing definition.
P1 Proposal Select the encryption and authentication algorithms that will be used
to generate keys for protecting negotiations.
Add or delete encryption and authentication algorithms as required.
Select a minimum of one and a maximum of three combinations. The
remote peer must be configured to use at least one of the proposals
that you define.
You can select any of the following symmetric-key algorithms:
• DES-Digital Encryption Standard, a 64-bit block algorithm that
uses a 56-bit key.
• 3DES-Triple-DES, in which plain text is encrypted three times by
three keys.
• AES128-A 128-bit block algorithm that uses a 128-bit key.
• AES192-A 128-bit block algorithm that uses a 192-bit key.
• AES256-A 128-bit block algorithm that uses a 256-bit key.
You can select either of the following message digests to check the
authenticity of messages during phase 1 negotiations:
• MD5-Message Digest 5, the hash algorithm developed by RSA
Data Security.
• SHA1-Secure Hash Algorithm 1, which produces a 160-bit
message digest.
To specify a third combination, use the add button beside the fields for
the second combination.
DH Group Select one or more Diffie-Hellman groups from DH group 1, 2, and 5.
When using aggressive mode, DH groups cannot be negotiated.
• If both VPN peers (or a VPN server and its client) have static IP
addresses and use aggressive mode, select a single DH group.
The setting on the FortiGate unit must be identical to the setting on
the remote peer or dialup client.
• When the remote VPN peer or client has a dynamic IP address
and uses aggressive mode, select up to three DH groups on the
FortiGate unit and one DH group on the remote peer or dialup
client. The setting on the remote peer or dialup client must be
identical to one of the selections on the FortiGate unit.
• If the VPN peer or client employs main mode, you can select
multiple DH groups. At least one of the settings on the remote peer
or dialup client must be identical to the selections on the FortiGate
unit.
Keylife Type the amount of time (in seconds) that will be allowed to pass
before the IKE encryption key expires. When the key expires, a new
key is generated without interrupting service. The keylife can be from
120 to 172800 seconds.
Nat-traversal Enable this option if a NAT device exists between the local FortiGate
unit and the VPN peer or client. The local FortiGate unit and the VPN
peer or client must have the same NAT traversal setting (both selected
or both cleared).
Keepalive Frequency If you enabled NAT traversal, enter a keepalive frequency setting. The
value represents an interval from 0 to 900 seconds.
Dead Peer Detection Enable this option to reestablish VPN tunnels on idle connections and
clean up dead IKE peers if required.
4 Select OK.
NAT traversal
Network Address Translation (NAT) is a way to convert private IP addresses to publicly
routable Internet addresses and vise versa. When an IP packet passes through a NAT
device, the source or destination address in the IP header is modified. FortiGate units
support NAT version 1 (encapsulate on port 500 with non-IKE marker), version 3
(encapsulate on port 4500 with non-ESP marker), and compatible versions.
NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do
not contain a port number. As a result, the packets cannot be demultiplexed. To work
around this, the FortiGate unit provides a way to protect IPsec packet headers from NAT
modifications. When the Nat-traversal option is enabled, outbound encrypted packets are
wrapped inside a UDP IP header that contains a port number. This extra encapsulation
allows NAT devices to change the port number without modifying the IPsec packet directly.
To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option
must be enabled whenever a NAT device exists between two FortiGate VPN peers or a
FortiGate unit and a dialup client such as FortiClient. On the receiving end, the FortiGate
unit or FortiClient removes the extra layer of encapsulation before decrypting the packet.
Figure 139: Basic Phase 2 settings (VPN > IPSEC > Auto Key (IKE) > Create Phase 2
The information and procedures in this section do not apply to VPN peers that perform
negotiations using manual keys. Refer to “Manual-key configurations” on page 1091
instead.
P2 Proposal
In phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish
a secure communication channel between them. The P2 Proposal parameters select the
encryption and authentication algorithms needed to generate keys for protecting the
implementation details of Security Associations (SAs). The keys are generated
automatically using a Diffie-Hellman algorithm.
Replay detection
IPsec tunnels can be vulnerable to replay attacks. Replay detection enables the FortiGate
unit to check all IPsec packets to see if they have been received before. If any encrypted
packets arrive out of order, the FortiGate unit discards them.
Keylife
The Keylife setting sets a limit on the length of time that a phase 2 key can be used.
Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or
both. If you select both, the key expires when either the time has passed or the number of
KB have been processed. When the phase 2 key expires, a new key is generated without
interrupting service.
Auto-negotiate
By default, the phase 2 security association (SA) is not negotiated until a peer attempts to
send data. The triggering packet and some subsequent packets are dropped until the SA
is established. Applications normally resend this data, so there is no loss, but there might
be a noticeable delay in response to the user.
Automatically establishing the SA can also be important on a dialup peer. This ensures
that the VPN tunnel is available for peers at the server end to initiate traffic to the dialup
peer. Otherwise, the VPN tunnel does not exist until the dialup peer initiates traffic.
DHCP-IPsec
Select this option if the FortiGate unit assigns VIP addresses to FortiClient dialup clients
through a DHCP server or relay. This option is available only if the Remote Gateway in the
phase 1 configuration is set to Dialup User and it works only on policy-based VPNs.
The DHCP-IPsec option causes the FortiGate dialup server to act as a proxy for
FortiClient dialup clients that have VIP addresses on the subnet of the private network
behind the FortiGate unit. In this case, the FortiGate dialup server acts as a proxy on the
local private network for the FortiClient dialup client. When a host on the network behind
the dialup server issues an ARP request that corresponds to the device MAC address of
the FortiClient host, the FortiGate unit answers the ARP request on behalf of the
FortiClient host and forwards the associated traffic to the FortiClient host through the
tunnel.
4 Select Advanced.
5 Include appropriate entries as follows:
P2 Proposal Select the encryption and authentication algorithms that will be used to
change data into encrypted code.
Add or delete encryption and authentication algorithms as required. Select a
minimum of one and a maximum of three combinations. The remote peer
must be configured to use at least one of the proposals that you define.
It is invalid to set both Encryption and Authentication to null.
Encryption You can select any of the following symmetric-key algorithms:
• NULL — Do not use an encryption algorithm.
• DES — Digital Encryption Standard, a 64-bit block algorithm that uses a
56-bit key.
• 3DES — Triple-DES, in which plain text is encrypted three times by three
keys.
• AES128 — A 128-bit block algorithm that uses a 128-bit key.
• AES192 — A 128-bit block algorithm that uses a 192-bit key.
• AES256 — A 128-bit block algorithm that uses a 256-bit key.
Authentication You can select either of the following message digests to check the
authenticity of messages during an encrypted session:
• NULL — Do not use a message digest.
• MD5 — Message Digest 5, the hash algorithm developed by RSA Data
Security.
• SHA1 — Secure Hash Algorithm 1, which produces a 160-bit message
digest.
To specify one combination only, set the Encryption and Authentication
options of the second combination to NULL. To specify a third combination,
use the Add button beside the fields for the second combination.
Enable replay Optionally enable or disable replay detection. Replay attacks occur when an
detection unauthorized party intercepts a series of IPsec packets and replays them
back into the tunnel.
Enable perfect Enable or disable PFS. Perfect forward secrecy (PFS) improves security by
forward secrecy forcing a new Diffie-Hellman exchange whenever keylife expires.
(PFS)
DH Group Select one Diffie-Hellman group (1, 2, 5, or 14). The remote peer or dialup
client must be configured to use the same group.
Keylife Select the method for determining when the phase 2 key expires: Seconds,
KBytes, or Both. If you select Both, the key expires when either the time has
passed or the number of KB have been processed. The range is from 120 to
172800 seconds, or from 5120 to 2147483648 KB.
Autokey Keep Enable the option if you want the tunnel to remain active when no data is
Alive being processed.
DHCP-IPsec Select Enable if the FortiGate unit acts as a dialup server and FortiGate
DHCP server or relay will be used to assign VIP addresses to FortiClient
dialup clients. The DHCP server or relay parameters must be configured
separately.
If the FortiGate unit acts as a dialup server and the FortiClient dialup client
VIP addresses match the network behind the dialup server, select Enable to
cause the FortiGate unit to act as a proxy for the dialup clients.
This is available only for phase 2 configurations associated with a dialup
phase 1 configuration. It works only on policy-based VPNs.
Quick Mode Optionally specify the source and destination IP addresses to be used as
Selector selectors for IKE negotiations. If the FortiGate unit is a dialup server, the
default value 0.0.0.0/0 should be kept unless you need to circumvent
problems caused by ambiguous IP addresses between one or more of the
private networks making up the VPN. You can specify a single host IP
address, an IP address range, or a network address. You may optionally
specify source and destination port numbers and/or a protocol number.
If you are editing an existing phase 2 configuration, the Source address and
Destination address fields are unavailable if the tunnel has been configured
to use firewall addresses as selectors. This option exists only in the CLI. See
the dst-addr-type, dst-name, src-addr-type and src-name
keywords for the vpn ipsec phase2 command in the FortiGate CLI
Reference.
Source If the FortiGate unit is a dialup server, type the source IP address that
address corresponds to the local sender(s) or network behind the local VPN peer (for
example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet,
or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or
host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100
for an address range). A value of 0.0.0.0/0 means all IP addresses
behind the local VPN peer.
If the FortiGate unit is a dialup client, source address must refer to the
private network behind the FortiGate dialup client.
Source port Type the port number that the local VPN peer uses to transport traffic related
to the specified service (protocol number). The range is 0 to 65535. To
specify all ports, type 0.
Destination Type the destination IP address that corresponds to the recipient(s) or
address network behind the remote VPN peer (for example, 192.168.20.0/24 for
a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-
100] for an address range). A value of 0.0.0.0/0 means all IP addresses
behind the remote VPN peer.
Destination Type the port number that the remote VPN peer uses to transport traffic
port related to the specified service (protocol number). The range is 0 to 65535.
To specify all ports, type 0.
Protocol Type the IP protocol number of the service. The range is 1 to 255. To specify
all services, type 0.
6 Select OK.
To define an IP address
1 Go to Firewall > Address > Address and select Create New.
2 In the Address Name field, type a descriptive name that represents the network,
server(s), or host(s).
3 In Type, select Subnet / IP Range.
4 In the Subnet/IP Range field, type the corresponding IP address and subnet mask (for
example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or
172.16.5.1/32 for a server or host) or IP address range (for example,
192.168.10.[80-100] or 192.168.10.80-192.168.10.100).
5 Select OK.
When inbound NAT is enabled, inbound encrypted packets are intercepted and decrypted,
and the source IP addresses of the decrypted packets are translated into the IP address of
the FortiGate interface to the local private network before they are routed to the private
network. If the computers on the local private network can communicate only with devices
on the local private network (that is, the FortiGate interface to the private network is not
the default gateway) and the remote client (or remote private network) does not have an
IP address in the same network address space as the local private network, enable
inbound NAT.
Most firewall policies control outbound IP traffic. An outbound policy usually has a source
address originating on the private network behind the local FortiGate unit, and a
destination address belonging to a dialup VPN client or a network behind the remote VPN
peer. The source address that you choose for the firewall policy identifies from where
outbound cleartext IP packets may originate, and also defines the local IP address or
addresses that a remote server or client will be allowed to access through the VPN tunnel.
The destination address that you choose for the firewall policy identifies where IP packets
must be forwarded after they are decrypted at the far end of the tunnel, and determines
the IP address or addresses that the local network will be able to access at the far end of
the tunnel.
You can fine-tune a policy for services such as HTTP, FTP, and POP3; enable logging,
traffic shaping, antivirus protection, web filtering, email filtering, file transfer, and email
services throughout the VPN; and optionally allow connections according to a predefined
schedule. For more information, see the “Firewall Policy” chapter of the FortiGate
Administration Guide.
Note: As an option, differentiated services can be enabled in the firewall policy through CLI
commands. For more information, see the “firewall” chapter of the FortiGate CLI Reference.
When a remote server or client attempts to connect to the private network behind a
FortiGate gateway, the firewall policy intercepts the connection attempt and starts the VPN
tunnel. The FortiGate unit uses the remote gateway specified in its phase 1 tunnel
configuration to reply to the remote peer. When the remote peer receives a reply, it checks
its own firewall policy, including the tunnel configuration, to determine which
communications are permitted. As long as one or more services are allowed through the
VPN tunnel, the two peers begin to negotiate the tunnel.
Source Interface/Zone Select the local interface to the internal (private) network.
Source Address Name Select the name that corresponds to the local network,
server(s), or host(s) from which IP packets may originate.
Destination Interface/Zone Select the local interface to the external (public) network.
Destination Address Name Select the name that corresponds to the remote network,
server(s), or host(s) to which IP packets may be delivered.
Schedule Keep the default setting (always) unless changes are needed
to meet specific requirements.
Service Keep the default setting (ANY) unless changes are needed to
meet your specific requirements.
Action Select IPSEC.
VPN Tunnel Select the name of the phase 1 tunnel configuration to which
this policy will apply.
Allow Inbound Select if traffic from the remote network will be allowed to
initiate the tunnel.
Allow Outbound Select if traffic from the local network will be allowed to initiate
the tunnel.
Inbound NAT Select if you want to translate the source IP addresses of
inbound decrypted packets into the IP address of the FortiGate
interface to the local private network.
Outbound NAT Select in combination with a natip CLI value to translate the
source addresses of outbound cleartext packets into the IP
address that you specify. Do not select Outbound NAT unless
you specify a natip value through the CLI. When a natip
value is specified, the source addresses of outbound IP
packets are replaced before the packets are sent through the
tunnel. For more information, see the “firewall” chapter of the
FortiGate CLI Reference.
3 You may enable UTM features, and/or event logging, or select advanced settings to
authenticate a user group, or shape traffic. For more information, see the “Firewall
Policy” chapter of the FortiGate Administration Guide.
4 Select OK.
5 Place the policy in the policy list above any other policies having similar source and
destination addresses.
Note: Adding multiple IPsec policies for the same VPN tunnel can cause conflicts if the
policies specify similar source and destination addresses but have different settings for the
same service. When policies overlap in this manner, the system may apply the wrong IPsec
policy or the tunnel may fail.
For example, if you create two equivalent IPsec policies for two different tunnels, it does
not matter which one comes first in the list of IPsec policies—the system will select the
correct policy based on the specified source and destination addresses. If you create two
different IPsec policies for the same tunnel (that is, the two policies treat traffic differently
depending on the nature of the connection request), you might have to reorder the IPsec
policies to ensure that the system selects the correct IPsec policy. Reordering is especially
important when the source and destination addresses in both policies are similar (for
example, if one policy specifies a subset of the IP addresses in another policy). In this
case, place the IPsec policy having the most specific constraints at the top of the list so
that it can be evaluated first.
Source Interface/Zone Select the interface that connects to the private network
behind this FortiGate unit.
Source Address Name Select the address name that you defined for the private
network behind this FortiGate unit.
Destination Interface/Zone Select the IPsec Interface you configured.
Destination Address Name Select the address name that you defined for the private
network behind the remote peer.
Action Select ACCEPT.
NAT Disable.
2 To permit the remote client to initiate communication, you need to define a firewall
policy for communication in that direction. Enter these settings in particular:
Overview
Fortinet’s NP2 network processors contain features to improve IPsec tunnel performance.
For example, network processors can encrypt and decrypt packets, offloading
cryptographic load on the FortiGate unit’s main processing resources.
On FortiGate units with the appropriate hardware, you can configure offloading of both
IPsec sessions and HMAC checking.
• In Phase II configuration:
• encryption algorithm must be DES, 3DES, AES-128, AES-192, AES-256, or null
(for NP1 processor, only 3DES is supported)
• authentication must be MD5, SHA1, or null
(for NP1 processor, only MD5 is supported)
• if replay detection is enabled, encryption and decryption options must be enabled in
the CLI (see “IPsec encryption offloading”, below)
If the IPsec session meets the above requirements, the FortiGate unit sends the IPsec
security association (SA) and configured processing actions to the network processor(s).
Packet requirements
In addition to the session requirements, the packets themselves must meet fast-path
requirements:
• Incoming packets must not be fragmented.
• Outgoing packets must not require fragmentation to a size less than 385 bytes.
Because of this requirement, the configured MTU (Maximum Transmission Unit) for
network processors’ network interfaces must also meet or exceed the network
processors’ supported minimum MTU of 385 bytes.
If packet requirements are not met, an individual packet will use FortiGate unit main
processing resources, regardless of whether other packets in the session are offloaded to
the specialized network processor(s).
A
4 Po SM-F Fo
_1 FB c) rt 2 B
ate M- se 3.3 (IPs4
rtiG
rtiG AS t 2 (IP .3. ec ate
F o r
Po 3.1/2
4 2/2 ) _2
. 3 . 4
3
4 AS
FB M-
S M- P FB
A t1
r 4 2.2 ort 1 4
Po 1.0/2 .2.
. 0/2
1.1 4
Pro Pro
tec tec
ted ted
ne ne
two two
rk rk
To configure FortiGate_2
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2 Configure Phase 1 settings (name FGT_2_IPsec), plus
• Select Advanced.
• Select the Enable IPsec Interface Mode check box.
• In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.2, which is
the IP address of FortiGate_2’s FortiGate-ASM-FB4 module on port 2.
3 Select OK.
4 Select Create Phase 2 and configure Phase 2 settings, including
• Select the Enable replay detection check box.
• set enc-offload-antireplay to enable using the config system npu CLI
command.
5 Go to Firewall > Policy > Policy.
6 Configure two policies (one for each direction) to apply the Phase 1 IPsec configuration
you configured in step 2 to traffic leaving from or arriving on FortiGate-ASM-FB4
module port 1.
7 Go to Router > Static > Static Route.
8 Configure a static route to route traffic destined for FortiGate_1’s protected network to
the virtual IPsec interface, FGT_2_IPsec.
To add the static route from the CLI:
config router static
edit 2
set device "FGT_2_IPsec"
set dst 1.1.1.0 255.255.255.0
end
To configure FortiGate_2
1 Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2 Configure Phase 1 settings (name FGT_2_IPsec), plus
• Select Advanced.
• Select the Enable IPsec Interface Mode check box.
• In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.2, which is
the IP address of FortiGate_2’s FortiGate-ASM-FB4 module on port 2.
3 Select OK.
4 Select Create Phase 2 and configure Phase 2 settings, including
• Select the Enable replay detection check box.
• set enc-offload-antireplay to enable using the config system npu CLI
command.
5 Go to Firewall > Policy > Policy.
6 Configure an IPSEC policy to apply the Phase 1 IPsec tunnel you configured in step 2
to traffic between FortiGate-ASM-FB4 module ports 1 and 2.
7 Go to Router > Static > Static Route.
8 Configure a static route to route traffic destined for FortiGate_1’s protected network to
FortiGate_2’s VPN gateway, 3.3.3.2, through the FortiGate-ASM-FB4 module’s port 2
(device).
To add the static route from the CLI:
config router static
edit 0
set device "AMC-SW1/2"
set dst 1.1.1.0 255.255.255.0
set gateway 3.3.3.2
end
Bring up tunnel
Note: If you take down an active tunnel while a dialup client such as FortiClient is still
connected, FortiClient will continue to show the tunnel connected and idle. The dialup client
must disconnect before another tunnel can be initiated.
Note: If available on your FortiGate unit, you can enable the storage of log messages to a
system hard disk. In addition, as an alternative to the options listed above, you may choose
to forward log messages to a remote computer running a WebTrends firewall reporting
server. For more information about enabling either of these options through CLI
commands, see the “log” chapter of the FortiGate CLI Reference.
3 If the options are concealed, select the blue arrow beside each option to reveal and
configure associated settings.
4 If logs will be written to system memory, from the Log Level list, select Information. For
more information, see the “Log&Report” chapter of the FortiGate Administration Guide.
5 Select Apply.
History
Over the past several years, as organizations have grown and become more complex,
secure remote access to network resources has become critical for day-to-day operations.
In addition, businesses are expected to provide clients with efficient, convenient services
including knowledge bases and customer portals, and employees travelling across the
country or around the world require timely and comprehensive access to network
resources. Initial access to network resources used private networks and leased lines -
options that were inflexible and costly. As a result of the growing need for providing
remote/mobile clients with easy, cost-effective and secure access to a multitude of
resources, the concept of a Virtual Private Network was developed.
In the past, VPN tunneling was performed generally at the Network Layer (Layer 3) or
lower, as is the case with IPsec. To enable remote access, encrypted network connectivity
was established between a remote node and the internal network, thereby making the
remoteness of the connection invisible to all layers above Layer 4. The applications
functioned identically when users were in the office or when they were remote, except that
when requests filtered to the network level, they were relayed over the network connection
tied to the user’s specific location. These connections required the installation and
configuration of complicated client software on user’s computers.
SSL VPNs establish connectivity using SSL, which functions at Levels 4 - 5 (Transport
and Session). Information is encapsulated at Levels 6 - 7 (Presentation and Application),
and SSL VPNs communicate at the highest levels in the OSI model. SSL is not strictly a
web protocol - it is possible to use SSL to encrypt any application-level protocol.
What is a VPN?
Virtual Private Network (VPN) technology allows clients to connect to remote networks in a
secure way. A VPN is a secure logical network created from physically separate networks.
VPNs use encryption and other security methods to ensure that only authorized users can
access the network. VPNs also ensure that the data transmitted between computers
cannot be intercepted by unauthorized users. When data is encoded and transmitted over
the Internet, the data is said to be sent through a “VPN tunnel”. A VPN tunnel is a non-
application oriented tunnel that allows the users and networks to exchange a wide range
of traffic regardless of application or protocol.
The advantages of a VPN over an actual physical private network are two-fold. Rather
than utilizing expensive leased lines or other infrastructure, you use the relatively
inexpensive, high-bandwidth Internet. Perhaps more important though is the universal
availability of the Internet - in most areas, access to the Internet is readily obtainable
without any special arrangements or long wait times.
What is SSL?
SSL (Secure Sockets Layer) as HTTPS is supported by most web browsers for
exchanging sensitive information securely between a web server and a client. SSL
establishes an encrypted link, ensuring that all data passed between the web server and
the browser remains private and secure. SSL protection is initiated automatically when a
user (client) connects to a web server that is SSL-enabled. Once the successful
connection is established, the browser encrypts all the information before it leaves the
computer. When the information reaches its destination, it is decrypted using a secret
(private) key. Any data sent back is first encrypted, and is decrypted when it reaches the
client.
Goals of SSL
SSL has four main goals:
1 Confidentiality of communications
2 Integrity of data
3 Authentication of server
4 Authentication of client (non-repudiation)
Good security for a VPN requires confirming the identity of all communicating parties. You
can ensure identity using password authentication (shared secrets) or digital certificates. A
shared secret is a passphrase or password that is the same on both ends of a tunnel. The
data is encrypted using a session key, which is derived from the shared secret. The
gateways can encrypt and decrypt the data correctly only if they share the same secret.
SSL certificates
SSL certificates are a mechanism by which a web server can prove to users that the
public key that it offers them for use with the SSL is in fact the public key of the
organization with which the user intends to communicate. A trusted third-party signs the
certificate thereby assuring users that the public key contained within the certificate
belongs to the organization whose name appears in the certificate. Upon receiving a
certificate from Your Company, a user can know for sure that the key within the certificate
is Your Company’s key and it is safe to use to encrypt any communications related to
establishment of a session key. The web server transmits their public key to users at the
beginning of an SSL session using an SSL certificate.
Encryption level is determined by the length of the encryption key. The longer the key, the
stronger the encryption level, and the greater the security provided. Within a VPN, after
the end points on a tunnel agree upon an encryption scheme, the tunnel initiator encrypts
the packet and encapsulates it in an IP packet. The tunnel terminator recovers the packet,
removes the IP information, and then decrypts the packet.
Authentication differences
IPsec is a well-established technology with robust features that support many legacy
products such as smart cards and biometrics.
SSL supports a web single sign-on to a web portal front-end, from which a number of
different enterprise applications may be accessed. The Fortinet implementation enables
you to assign a specific port for the web portal and to customize the login page if desired.
Connectivity considerations
IPsec supports multiple connections to the same VPN tunnel—a number of remote VPN
devices effectively become part of the same network.
SSL forms a connection between two end points such as a remote client and an enterprise
network. Transactions involving three (or more) parties are not supported because traffic
passes between client and server applications only.
Access control
IPsec VPNs provide secure network access only. Access to the network resources on a
corporate IPsec VPN can be enabled for specific IPsec peers and/or clients. The amount
of security that can be applied to users is limited.
SSL VPNs provide secure access to certain applications. Web-only mode provides remote
users with access to server applications from any thin client computer equipped with a
web browser. Tunnel-mode provides remote users with the ability to connect to the internal
network from laptop computers as well as airport kiosks, Internet cafes, and hotels.
Access to SSL VPN applications is controlled through user groups.
General topology
In the most common SSL VPN Internet scenario, the remote client connects to the Internet
through an ISP that offers connections with dynamically assigned IP addresses. The
client’s packets are routed to the public interface of the FortiGate unit. For example,
Figure 146 shows a FortiGate gateway that can be reached by a mobile user.
ent
Cli
mote
Re
17 Por
2.2 t 1
0.1
20
.1 41 rs
rve
10 Por Se
.11 t 2
.10
1.1
0 0
10 0
rt 3 1. te_
1
Po 1.20
H .1
T 1.
iGa
10
T 1
. 1
P 0
10 ort
/H 1.
T 2
F
T 0
P
D 11
S
10
N .1
1
S 0
.
S 1.
er 16
ve 0
F 1
r
10
T .1
P 0
.1
S 1.
er 1
ve 70
S 1.2
10
r
ub 0
S .1
.1
am 1
ne 1.0
10
ba 10
t_ /2
2 4
S .1
.
er 80
v
1
er
At the FortiGate unit, you configure a user group for SSL VPN authentication and define
firewall policies for each network resource that users are permitted to access.
You can easily expand the resources available to your users by adding or changing
firewall policies. If you want to provide different resource access to different users, you can
create multiple user groups.
The general infrastructure requirements are quite simple:
• The FortiGate unit must be operating in NAT/Route mode and have a static public IP
address.
• The ISP assigns IP addresses to remote clients before they connect to the FortiGate
unit.
You can enable a cache cleaner to remove any sensitive data that would otherwise remain
on the remote computer after the session ends. For example, all cache entries, browser
history, cookies, encrypted information related to user authentication, and any temporary
data generated during the session are removed from the remote computer. If the client’s
browser cannot install and run the cache cleaner, the user is not allowed to access the
SSL-VPN portal.
Web-only mode
Web-only mode provides remote users with a fast and efficient way to access server
applications from any thin client computer equipped with a web browser. Web-only mode
offers true clientless network access using any web browser that has built-in SSL
encryption and the Sun Java runtime environment.
Support for SSL VPN web-only mode is built into the FortiOS operating system. The
feature comprises an SSL daemon running on the FortiGate unit, and a web portal, which
provides users with access to network services and resources including HTTP/HTTPS,
telnet, FTP, SMB/CIFS, VNC, RDP and SSH.
In web-only mode, the FortiGate unit acts as a secure HTTP/HTTPS gateway and
authenticates remote users as members of a user group. After successful authentication,
the FortiGate unit redirects the web browser to the web portal home page and the user
can access the server applications behind the FortiGate unit.
When the FortiGate unit provides services in web-only mode, a secure connection
between the remote client and the FortiGate unit is established through the SSL VPN
security in the FortiGate unit and the SSL security in the web browser. After the
connection has been established, the FortiGate unit provides access to selected services
and network resources through a web portal.
FortiGate SSL VPN web portals have a 1- or 2-column page layout with selectable color
schemes. Portal functionality is provided through small applets called widgets. Widget
windows can be moved or minimized. The controls within each widget depend on its
function. There are pre-defined web portals and the administrator can create additional
portals.
Configuring the FortiGate unit involves enabling the SSL VPN feature and selecting the
appropriate web portal configuration in the user group settings. These configuration
settings determine which server applications can be accessed. SSL encryption is used to
ensure traffic confidentiality.
For information about client operating system and browser requirements, see the Release
Notes for your FortiGate firmware.
Tunnel mode
Tunnel mode offers remote users the freedom to connect to the internal network using the
traditional means of web-based access from laptop computers, as well as from airport
kiosks, hotel business centers, and Internet cafés. If the applications on the client
computers used by your user community vary greatly, you can deploy a dedicated SSL
VPN client to any remote client through its web browser. The SSL VPN client encrypts all
traffic from the remote client computer and sends it to the FortiGate unit through an SSL
VPN tunnel over the HTTPS link between the web browser and the FortiGate unit. Also
available is split tunneling, which ensures that only the traffic for the private network is
sent to the SSL VPN gateway. Internet traffic is sent through the usual unencrypted route.
This conserves bandwidth and alleviates bottlenecks.
In tunnel mode, remote clients connect to the FortiGate unit and the web portal login page
using Microsoft Internet Explorer, Mozilla Foundation/Firefox, Mac OS, or Linux. The
FortiGate unit acts as a secure HTTP/HTTPS gateway and authenticates remote users as
members of a user group. After successful authentication, the FortiGate unit redirects the
web browser to the web portal home page dictated by the user group settings. If the user
does not have the SSL VPN client installed, they will be prompted to download the SSL
VPN client (an ActiveX or Java plugin) and install it using controls provided through the
web portal. SSL VPN tunnel mode can also be initiated from a standalone application on
Windows, Mac OS, and Linux.
When the user initiates a VPN connection with the FortiGate unit through the SSL VPN
client, the FortiGate unit establishes a tunnel with the client and assigns the client a virtual
IP address from a range of reserved addresses. The client uses the assigned IP address
as its source address for the duration of the connection. After the tunnel has been
established, the user can access the network behind the FortiGate unit.
Configuring the FortiGate unit to establish a tunnel with remote clients involves enabling
the feature through SSL VPN configuration settings and selecting the appropriate web
portal configuration for tunnel-mode access in the user group settings. The firewall policy
and protection profiles on the FortiGate unit ensure that inbound traffic is screened and
processed securely.
Note: The user account used to install the SSL VPN client on the remote computer must
have administrator privileges.
Note: If you are using Windows Vista, you must disable UAC (User Account Control) before
installing the SSL VPN tunnel client. This UAC setting must be disabled before the SSL
VPN tunnel client is installed. IE7 in Windows Vista runs in Protected Mode by default. To
install SSL VPN client ActiveX, you need to launch IE7 by using 'Run as administrator'
(right-click the IE7 icon and select 'Run as administrator').
For information about client operating system requirements, see the Release Notes for
your FortiGate firmware.
Note: As an alternative, you can connect the management computer to the Console
connector of the FortiGate unit directly using a serial cable and configure the FortiGate unit
through the Command Line Interface (CLI). The CLI can also be launched from within the
web-based manager. For more information, see “Connecting to the FortiGate console” in
the FortiGate CLI Reference.
Refer to the FortiGate Installation Guide and FortiGate Administration Guide to change the
password, configure the interfaces of the FortiGate unit, and assign basic operating
parameters, including a default gateway.
Refer also to the “Examples” chapter for example SSL VPN configurations.
Caution: Take care to prevent overlapping IP addresses. Do not assign to clients any IP
addresses that are already in use on the private network. As a precaution, consider
assigning IP addresses from a network that is not commonly used (for example,
10.254.254.0/24).
Note: When you select Edit, a popup window will open. If your browser blocks popup
windows, you will have to unblock it to continue with the following steps.
8 In the Available list, select the address you created for the SSL VPN tunnel range and
then select the down arrow button to move it to the Selected list. Select OK.
9 Select Apply.
Note: The default value is 28800 seconds (8 hours). You can only modify this timeout value
in the CLI.
For example, to change the authentication timeout to 18 000 seconds, enter the following
commands:
config vpn ssl settings
set auth-timeout 18000
end
In the FortiGate unit SSL VPN settings, you can select which certificate the FortiGate
offers to authenticate itself. By default, the FortiOS™ Handbook unit offers its factory
installed (self-signed) certificate from Fortinet to remote clients when they connect.
Note: If you change the TCP port number, remember to notify your SSL VPN clients. They
must use the new port number to connect to the FortiGate unit.
Note: Do not select port number 443 for user access to the web portal login page. Port
number 443 is reserved to support administrative connections to the FortiGate unit through
the web-based manager.
The login page is a replacement message composed of HTML code, which you can
modify. Global replacement messages apply to all VDOMs by default, but individual
VDOMs can define their own messages.
Caution: Before you begin, copy the default web portal login page text to a separate
text file for safe-keeping. Afterward, if needed you can restore the text to the original
version.
5 Select OK.
You can modify a default portal or a portal that you have already defined. Select the Edit
icon next to the web portal in the Portal list. The SSL VPN web portal you select will open.
3 Optionally, you can select the Virtual Desktop tab to configure the Virtual Desktop
feature. See “Configuring virtual desktop” on page 1209. Or, you can leave this
configuration for later.
4 Optionally, you can select the Security Control tab to configure cache cleaning and
client check. Or, you can leave this configuration for later.
For information on these features, see “Configuring cache cleaning” on page 1209 and
“Configuring host checking” on page 1207.
5 Select OK.
The web portal is displayed.
6 Select Apply to save the settings.
Edit Remove
Add Widget list
next
edit 0
set type tool
set name "Connection Tool"
set column two
end
Note: When you use edit 0, as in this example, the CLI automatically assigns an unused
index value when you exit the edit shell by typing end.
Tunnel controls
(for users only)
Name Enter a name for the Tunnel Mode widget. The default is “Tunnel Mode”.
IP Mode Select the mode by which the IP address is assigned to the user.
Range The user IP address is allocated from the IP address ranges specified by
IP Pools.
User Group The user is assigned the IP address specified in the Framed-IP-Address
field of the user’s record on the RADIUS server. This option is valid only for
users authenticated by a RADIUS server.
IP Pools Leave this field empty to use the IP address range specified by the IP Pools
field on the VPN > SSL > Config page.
If you want to specify an IP address range for clients of this portal only,
select Edit. From the Available list, select the appropriate firewall address.
You must configure the desired IP address range as a firewall address
before you can select it here.
Split Tunneling Select to enable split tunneling. When enabled, only traffic that requires the
SSL VPN is sent through the tunnel. Other traffic follows the user’s regular
routing.
When split tunneling is disabled, all of the user’s traffic with other networks
passes through the tunnel. This does not affect traffic between the user’s
computer and hosts on the local network.
For enhanced security, some administrators prefer to force all traffic through
the SSL VPN tunnel, including traffic between the user and the user’s local
network. To do this, use the CLI tunnel mode settings to enable
exclusive-routing.
The remaining items in the widget are controls that are available to the user during an
SSL VPN session.
5 Select OK in the Tunnel Mode widget.
6 Select Apply.
end
end
The preceding example applies to a web portal that does not already have a tunnel mode
widget. To modify the settings on an existing tunnel mode widget, you need to determine
the widget’s number. Enter:
config vpn ssl web portal
edit portal1
config widget
show
In the output, you will see, for example,
edit 3
set name "Tunnel Mode"
set type tunnel
...
You can now enter edit 3 and modify the tunnel mode widget’s settings.
Remove widget
Edit 1
Widget configuration
Bookmarks list
To delete bookmarks
1 Open the web portal.
2 In the Bookmarks widget, select the Edit button.
Delete
3 Select the X to the right of the bookmark that you want to delete.
4 Select Done.
Adding
Editing
4 Select OK.
5 If there is a Done button, you can select another bookmark to edit or select Done to
leave the edit mode.
6 Select Apply at the top of the web portal page to save the changes that you made.
Widget configuration
Connection controls
(for user only)
5 Select OK.
Name Enter a name for the application. The name does not need to match the
actual application name.
Type Select the type of security application. Can be AV for antivirus or FW for
firewall.
GUID Enter the Globally Unique IDentifier (GUID) for the host check application,
if known.
The GUID is usually in the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx,
where each x is a hexadecimal digit. Windows uses GUIDs to identify
applications in the Windows Registry.
Version The version of the security application.
Add button If you do not know the GUID, add alternative checks for the application.
The security software is considered found only if all checks succeed.
Check Item entry These fields are available when you select the Add button.
Type Select how to check for the application:
• File — Look for a file. This could be the application’s executable file or
any other file that would confirm the presence of the application. In
File/Path, enter the full path to the file. Where applicable, you can use
environment variables enclosed in percent (%) marks. For example,
%ProgramFiles%\Fortinet\FortiClient\FortiClient.exe
• Process — Look for the application as a running process. In Process,
enter the application’s executable file name.
• Registry — Search for a Windows Registry entry. In Registry, enter a
registry item, for example
HKLM\SOFTWARE\Fortinet\FortiClient\Misc
Action Select one of
Require — If the item is found, the client meets the check item condition.
Deny — If the item is found, the client is considered to not meet the check
item condition. Use this option if it is necessary to prevent use of a
particular security product.
MD5 Signatures If Type is File or Process, enter one or more known MD5 signatures for
the application executable file.You can use a third-party utility to calculate
MD5 signatures or hashes for any file. You can enter multiple signatures
to match multiple versions of the application.
3 Select OK.
4 Select OK.
Note: The cache cleaner is effective only if the session terminates normally. The cache is
not cleaned if the session ends due to a malfunction, such as a power failure.
7 Select OK.
8 Select Apply.
edit "BannedApp"
set md5s "06321103A343B04DF9283B80D1E00F6B"
end
end
User Name Type or edit the remote user name (for example, User_1).
Disable Select to prevent this user from authenticating.
Password Select to authenticate this user using a password stored on the FortiGate unit,
and then enter the password. The password should be at least six characters
long.
LDAP Select to authenticate this user using a password stored on an LDAP server.
Select the LDAP server from the list. You can select only an LDAP server that
has been added to the FortiGate LDAP configuration.
RADIUS Select to authenticate this user using a password stored on a RADIUS server.
Select the RADIUS server from the list. You can select only a RADIUS server
that has been added to the FortiGate configuration.
TACACS+ Select to authenticate this user using a password stored on a TACACS+ server.
Select the TACACS+ server from the list. You can select only a TACACS+ server
that has been added to the FortiGate TACACS+ configuration.
2 Select OK.
Name Type or edit the user group name (for example, Web-only_group).
Type Select Firewall.
Allow SSL-VPN Enable and select the SSL VPN web portal configuration to use with the
Access User Group. For more information, see “Configuring SSL VPN web portals”
on page 1193.
Available The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers,
Users/Groups or PKI users that can be added to the user group. To add a member to this
list, select the name and then select the right arrow button.
Members The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers,
or PKI users that belong to the user group. To remove a member, select the
name and then select the left arrow button.
2 Select OK.
SSL VPN
policy
Address Name Enter a name to identify the firewall address. Addresses, address groups, and
virtual IPs must have unique names.
Type Select Subnet/IP Range.
Subnet / IP Enter the firewall IP address in any of the following formats:
Range • an IP address and a subnet mask, separated by a slash, for example
172.16.10.0/255.255.255.0
• a CIDR-format IP address with netmask, for example 172.16.10.0/24
• a single address, for example 172.16.10.3
• an IP address range, for example 172.16.10.[4-5]
Interface Select the interface, zone, or virtual domain (VDOM) link to which you want to
bind the IP address. Select Any if you want to bind the IP address to the
interface/zone when you create a firewall policy.
In the following example, there are firewall addresses defined for the protected network
OfficeLAN and the SSL VPN tunnel user IP address range SSL_tunnel_users. You can
also see the “all” preconfigured address.
Note: Do not use ALL as the destination address. If you do, you will see
the “Destination address of Split Tunneling policy is invalid” error when
you enable Split Tunneling.
Source Select the name of the FortiGate network interface to that connects to
Interface/Zone the Internet.
Source Address Select all.
Destination Select the FortiGate network interface that connects to the protected
Interface/Zone network.
Destination Address Select the firewall address you created that represents the networks and
servers to which the SSL VPN clients will connect.
If you want to associate multiple firewall addresses or address groups
with the Destination Interface/Zone, from Destination Address, select
Multiple. In the dialog box, move the firewall addresses or address
groups from the Available Addresses section to the Members section,
then select OK.
Action Select SSL-VPN. This option is available only if there is at least one
user group with SSL VPN access enabled.
SSL Client Certificate Allow access only to holders of a (shared) group certificate. The holders
Restrictive of the group certificate must be members of an SSL VPN user group,
and the name of that user group must be present in the Allowed field.
See “Enabling strong authentication through X.509 security certificates”
on page 1190.
Cipher Strength Select the bit level of SSL encryption. The web browser on the remote
client must be capable of matching the level that you select: Any,
High >= 164, or Medium >= 128.
3 Select OK.
Your identity-based policies are listed in the firewall policy table. The FortiGate unit
searches the table from the top down to find a policy to match the client’s user group.
Using the move icon in each row, you can change the order of the policies in the table
to ensure the best policy will be matched first. You can also use the icons to edit or
delete policies.
Source Interface/Zone Select the virtual SSL VPN interface, such as ssl.root.
Source Address Select the firewall address you created that represents the IP address
range assigned to SSL VPN clients, such as SSL_VPN_tunnel_users.
Destination Select the FortiGate network interface that connects to the protected
Interface/Zone network.
Destination Address Select the firewall address you created that represents the networks
and servers to which the SSL VPN clients will connect.
To select multiple firewall addresses or address groups, select
Multiple. In the dialog box, move the firewall addresses or address
groups from the Available Addresses section to the Members section,
then select OK.
Action Select Accept.
NAT Enable or disable Network Address Translation (NAT) of the source
address and port of packets accepted by the policy. When NAT is
enabled, you can also configure Dynamic IP Pool and Fixed Port.
If you select a virtual IP as the Destination Address, but do not select
the NAT option, the FortiGate unit performs destination NAT (DNAT)
rather than full NAT. Source NAT (SNAT) is not performed.
Enable NAT to use the IP address of the outgoing interface of the
FortiGate unit as the source address for new sessions started by SSL
VPN. Otherwise, disable NAT.
Comments Optionally, add information about the policy. The maximum length is 63
characters.
Leave other settings at their default values.
Destination IP/Mask Enter the Tunnel IP address range that you assigned to users of
the web portal. See “Configuring tunnel mode settings” on
page 1199.
Device Select the SSL VPN virtual interface, ssl.root for example.
Distance Optionally you can set the distance on the SSL VPN higher than
the default route to ensure only SSL VPN traffic uses this route.
Leave other settings at their default values.
Source Interface/Zone Select the virtual SSL VPN interface, ssl.root, for example.
Source Address Select the firewall address you created that represents the IP
address range assigned to SSL VPN clients.
Destination Select the FortiGate network interface that connects to the Internet.
Interface/Zone
Destination Address Select all.
Action Select Accept.
NAT Enable.
Leave other settings at their default values.
Source Interface/Zone Select the virtual SSL VPN interface, ssl.root, for example.
Source Address Select the firewall address you created that represents the IP
address range assigned to SSL VPN clients.
Destination Select the virtual IPsec interface for your IPsec VPN.
Interface/Zone
Destination Address Select the address of the IPsec VPN remote protected subnet.
Action Select ACCEPT.
NAT Enable.
Leave other settings at their default values.
Source Interface/Zone Select the virtual SSL VPN interface, ssl.root, for example.
Source Address Select the firewall address you created that represents the IP
address range assigned to SSL VPN clients.
Destination Select the FortiGate network interface that connects to the Internet.
Interface/Zone
Destination Address Select the address of the IPsec VPN remote protected subnet.
Action Select IPSEC.
VPN tunnel Select the Phase 1 configuration name of your IPsec VPN.
Allow inbound Enable
Allow outbound Enable
Note: If available on your FortiGate unit, you can enable the storage of log messages to a
system hard disk. In addition, as an alternative to the options listed above, you may choose
to forward log messages to a remote computer running a WebTrends firewall reporting
server. For more information about enabling either of these options through CLI commands,
see the “log” chapter of the FortiGate CLI Reference.
3 If the options are concealed, select the expand arrow beside each option to reveal and
configure associated settings.
4 If logs will be written to system memory, from the Log Level list, select Information. For
more information, see the “Log & Report” chapter of the FortiGate Administration
Guide.
5 Select Apply.
When a tunnel-mode user is connected, the Description field displays the IP address that
the FortiGate unit assigned to the remote host (see Figure 164).
If required, you can end a session/connection by selecting its check box and then
selecting the Delete icon.
Troubleshooting
Here is a list of common SSL VPN problems and the likely solutions.
No response from SSL VPN URL Check that SSL VPN is enabled.
Check SSL VPN port assignment (default 10443).
Check SSL VPN firewall policy.
Error: “The web page cannot be Check URL:
found.” https://<FortiGate_IP>:<SSLVPN_port>/remote/login
Tunnel connects, but there is no Check that there is a static route to direct packets
communication. destined for the tunnel users to the SSL VPN interface.
See “Configuring routing for tunnel mode” on page 1219.
Tunnel-mode connection shuts down This issue occurs when there are multiple interfaces
after a few seconds connected to the Internet, for example, a dual WAN
configuration. Upgrade the FortiGate unit firmware to at
least v3.0 MR4 or higher, then use the following CLI
command:
config vpn ssl settings
set route-source-interface enable
end
Error: “Destination address of Split The SSL VPN firewall policy uses the ALL address as its
Tunneling policy is invalid.” destination. Specify the address of the protected
network instead.
3 Select Login.
The FortiGate unit will redirect your web browser to the FortiGate SSL VPN web portal
home page automatically.
Help
Note: After making any changes to the web portal configuration, be sure to select Apply.
Note: Windows file sharing through SMB/CIFS is supported through shared directories.
Administrator bookmarks
User bookmarks
The FortiGate unit forwards client requests to servers on the Internet or internal network.
To use the web-portal applications, you add the URL, IP address, or name of the server
application to the My Bookmarks list. For more information, see “Adding bookmarks”.
Note: If you want to access a web server or telnet server without first adding a bookmark to
the My Bookmarks list, use the Connection Tool instead. For more information, see “Using
the Connection Tool” on page 1231.
Adding bookmarks
You can add frequently used connections as bookmarks. Afterward, select any hyperlink
from the Bookmarks list to initiate a session.
To add a bookmark
1 In the Bookmarks widget, select Add.
2 Enter the following information:
Note: When you use the Connection Tool, the FortiGate unit may offer you its self-signed
security certificate. Select Yes to proceed. A second message may be displayed to inform
you of a host name mismatch. This message is displayed because the FortiGate unit is
attempting to redirect your web browser connection. Select Yes to proceed.
3 Select Go.
A Telnet window opens.
4 Select Connect.
5 A telnet session starts and you are prompted to log in to the remote host.
After you log in, you may enter any series of valid telnet commands at the system
prompt.
6 To end the session, select Disconnect (or type exit) and then close the TELNET
connection window.
Delete
Rename
New Directory
Upload Logout
Up
Delete
Rename
5 To end the session, select Disconnect (or type exit) and then close the SSH
connection window.
The screen configuration dialog does not appear if you specified the screen resolution
with the host address.
6 When you are prompted to log in to the remote host, type your user name and
password. You must have a user account on the remote host to log in.
7 Select Login.
If you need to send Ctrl-Alt-Delete in your session, use Ctrl-Alt-End.
8 To end the RDP session, Log out of Windows or select Cancel from the Logon window.
RDP options
When you specify the RDP server address, you can also specify other options for your
remote desktop session.
Locale/Keyboard -m <locale>
Use this option if the remote The supported values of <locale> are:
computer might not use the same
keyboard layout as your computer. ar Arabic it Italian
Select the locale code that matches da Danish ja Japanese
your computer. de German lt Lithuanian
de-ch Swiss German lv Latvian
en-gb British English mk Macedonian
en-uk UK English no Norwegian
en-us US English pl Polish
es Spanish pt Portuguese
fi Finnish pt-br Brazilian Portuguese
fr French ru Russian
fr-be Belgian French sl Slovenian
fr-ca Canadian French sv Sudanese
fr-ch Swiss French tk Turkmen
hr Croatian tr Turkish
hu Hungarian
5 Select OK.
If you need to send Ctrl-Alt-Delete in your session, press F8, then select
Send Ctrl-Alt-Delete from the pop-up menu.
6 To end the VNC session, close the VNC window.
Tunnel-mode features
For Windows users, the web portal Tunnel Mode widget provides controls for your tunnel
mode connection and also provides status and statistics about its operation. You can also
control and monitor tunnel mode operation from the standalone client application. For
more information, see “Using the tunnel mode client” on page 1242.
Connect Initiate a session and establish an SSL VPN tunnel with the FortiGate unit.
Disconnect End the session and close the tunnel to the FortiGate unit.
Refresh Refresh the status and statistics immediately.
Link Status The state of the SSL VPN tunnel:
• Up — an SSL VPN tunnel with the FortiGate unit has been established.
• Down — a tunnel connection has not been initiated.
Bytes Sent The number of bytes of data transmitted from the client to the FortiGate unit
since the tunnel was established.
Bytes Received The number of bytes of data received by the client from the FortiGate unit
since the tunnel was established.
Client configurations
There are several configurations of SSL VPN applications available.
• web mode
• tunnel mode
• virtual desktop
Web mode
SSL VPN web mode requires nothing more than a web browser. Microsoft Internet
Explorer, Mozilla Firefox, and Apple Safari browsers are supported. For detailed
information about supported browsers see the Release Notes for your FortiOS firmware.
Tunnel mode
SSL VPN tunnel mode establishes a connection to the remote protected network that any
application can use. This requires a tunnel client application specific to your computer
operating system. The tunnel client application installs a network driver that sends and
receives data through the SSL VPN tunnel.
If your computer runs Microsoft Windows, you can download the tunnel mode client from
the web portal Tunnel Mode widget. After you install the client, you can start and stop
tunnel operation from the Tunnel Mode widget, or you can open the tunnel mode client as
a standalone application. You can find the tunnel mode client on the Start menu at
All Programs > FortiClient > FortiClient SSL VPN.
If your computer runs Linux or Mac OS X, you can obtain an appropriate tunnel mode
client application from the Fortinet Support web site. See the Release Notes for your
FortiOS firmware for the specific operating system versions that are supported. On Linux
and Mac OS X platforms, tunnel mode operation cannot be initiated from the web portal
Tunnel Mode widget. You must use the standalone tunnel client application.
When a system configuration must involve more secure disposal of cached data, the SSL
VPN Virtual Desktop should be used. (Available on Windows only).
Note: Windows users can also download the tunnel mode client from an SSL VPN web
portal that contains the Tunnel Mode widget.
The most recent version of the SSL VPN standalone client applications can be found at:
http://support.fortinet.com/
Note: The location of the SSL VPN tunnel client on the Support web site is subject to
change. If you have difficulty finding the appropriate file, contact Customer Support.
Windows
Double-click the SslvpnClient.exe or SslvpnClient.msi file and follow the on-
screen instructions.
Linux
1 Extract the forticlientsslvpn_linux_<version>.tar.gz package file to a folder
and run the client program forticlientsslvpn.
When you run the install program for the first time, you will have to set up system
parameters (root privileges) before you run the program or before other users without
administrator privileges can use the application.
MAC OS client
1 Double-click on the forticlientsslvpn_macosx_<version>.dmg file.
The Mac mounts the disk image as forticlientsslvpn.
2 Double-click the forticlientsslvpn.pkg file inside the disk image and follow the
instructions.
The application installs the program forticlientsslvpn.app in the Applications
folder
3 Unmount the disk image by selecting the disk image file
forticlientsslvpn_macosx_<version>.dmg and dragging it into the Trash.
Windows client
To use the SSL VPN standalone tunnel client (Windows)
1 Go to Start > All Programs > FortiClient > FortiClient SSL VPN.
2 Enter the following information. Use the Connect and Disconnect buttons to control the
tunnel connection.
Connection Name If you have pre-configured the connection settings, select the
connection from the list and then select Connect. Otherwise, enter the
settings in the fields below.
To pre-configure connection settings, see “To configure tunnel client
settings (Windows)” on page 1243.
Server Address Enter the IP address or FQDN of the FortiGate unit that hosts the SSL
VPN.
Username Enter your user name.
Password Enter the password associated with your user account.
Client Certificate Use this field if the SSL VPN requires a certificate for authentication.
Select the required certificate from the drop-down list. The certificate
must be installed in the Internet Explorer certificate store.
Connection Status: Connected or Disconnected
Duration: Hours, minutes, seconds since session started
Bytes Sent / Bytes Received: amount of data transferred
Settings... Select to open the Settings dialog. See “To configure tunnel client
settings (Windows)” on page 1243.
Connect Start tunnel mode operation.
Disconnect Stop tunnel mode operation.
Exit Close the tunnel mode client application.
2 Select Settings....
3 Select New Connection, or select an existing connection and then select Edit.
4 Enter the Connection Name.
5 Enter the connection information. You can also enter a Description. Select OK.
See “To use the SSL VPN standalone tunnel client (Windows)” on page 1242 for
information about the fields.
6 Optionally, select Keep connection alive until manually stopped to prevent tunnel
connections from closing due to inactivity.
7 Select OK.
Linux client
To use the SSL VPN standalone tunnel client (Linux)
1 Go to the folder where you installed the Linux tunnel client application and double-click
on ‘forticlientsslvpn’.
The FortiClient SSL VPN tunnel client opens.
2 Enter the following information. Use the Connect and Stop buttons to control the tunnel
connection.
Connection If you have pre-configured the connection settings, select the connection
from the list and then select Connect. Otherwise, enter the settings in the
fields below.
To pre-configure connection settings, see “To configure tunnel client settings
(Windows)” on page 1243.
Server Enter the IP address or FQDN of the FortiGate unit that hosts the SSL VPN.
In the smaller field, enter the SSL VPN port number (default 10443).
User Enter your user name.
Password Enter the password associated with your user account.
Certificate Use this field if the SSL VPN requires a certificate for authentication.
Select the certificate file (PKCS#12) from the drop-down list, or select the
Browse (...) button and find it.
Password Enter the password required for the certificate file.
Settings... Select to open the Settings dialog. See “To configure tunnel client settings
(Linux)” on page 1245.
Connect Start tunnel mode operation.
Stop Stop tunnel mode operation.
2 Select Settings....
3 Optionally, select Keep connection alive until manually stopped to prevent tunnel
connections from closing due to inactivity.
4 Optionally, select Start connection automatically. The next time the tunnel mode
application starts, it will start the last selected connection.
5 If you use a proxy, enter in Proxy the proxy server IP address and port. Enter proxy
authentication credentials immediately below in User and Password.
6 Select the + button to define a new connection, or select from the list an existing
connection to modify.
For a new connection, the Connection window opens. For an existing connection, the
current settings appear in the Settings window and you can modify them.
7 Enter the connection information. If you are creating a new connection, select Create
when you are finished.
See “To use the SSL VPN standalone tunnel client (Linux)” on page 1244 for
information about the fields.
8 Select Done.
MAC OS X client
To use the SSL VPN standalone tunnel client (Mac OS X)
1 Go to the Applications folder and double-click on forticlientsslvpn.app.
The FortiClient SSL VPN tunnel client (Mac OS X) opens.
2 Enter the following information. Use the Connect and Stop buttons to control the tunnel
connection.
2 Select Settings....
3 Optionally, select Keep connection alive until manually stopped to prevent tunnel
connections from closing due to inactivity.
4 Optionally, select Start connection automatically. The next time the tunnel mode
application starts, it will start the last selected connection.
5 If you use a proxy, enter in Proxy the proxy server IP address and port. Enter proxy
authentication credentials immediately below in User and Password.
6 Select the + button to define a new connection, or select from the list an existing
connection to modify.
7 Enter the connection information. If you are creating a new connection, select Create
when you are finished.
See “To use the SSL VPN standalone tunnel client (Mac OS X)” on page 1246 for
information about the fields.
8 Select Done.
ent
te Cli
mo
Re
17 Por
2.2 t 1
0.1
20 N
.1 41 LA /24
ice 1.0
Off 1.10
10 Por 1
.11 t 2 10.
.10
1.1
00
1
te_
H .1
T 1.
iGa
10
T 1
P 0
ort
/H 1.
T 12
F
T 0
P
D 11
S
10
N .1
S 0
.
S .
er 16
ve 0
F 11
r
10
T .1
P 0
.
S 1.
er 1
ve 0
r
S .1
am 1
7
10
ba 10
S .1
.
er 80
ve
1
Infrastructure requirements
• The FortiGate unit must be operating in NAT/Route mode and have a static public IP
address.
• The ISP assigns IP addresses to remote clients before they connect to the FortiGate
unit.
For information about client operating system and browser requirements, see the Release
Notes for your FortiGate firmware.
Enabling SSL VPN and setting the tunnel user IP address range
By default, SSL VPN is not enabled. At the same time as you enable SSL VPN, you can
define the IP address range from which SSL VPN tunnel-mode clients are assigned their
virtual IP addresses.
To enable SSL VPN and set tunnel address range - web-based manager
1 Go to VPN > SSL > Config.
2 Select Enable SSL-VPN.
3 In IP Pools, select Edit.
4 In the Available list, select SSL_tunnel_users and then select the down arrow button to
move the address to the Selected list. Select OK.
5 Select Apply.
Name group1
Type SSL VPN
Portal portal1
3 From the Available list, select user1 and move it to the Members list by selecting the
right arrow button.
4 Select OK.
Figure 170: SSL VPN configuration for different access permissions by user group
er1
Us
er2
Us
17 Por
2.2 t 1
0.1
20
.1 41 t_1 /24
bne 1.0
Su 1.10
10 Por . 1
.11 t 2 10
.10
1.1
0 0
10 0
rt 3 1. te_
1
Po 1.20
H .1
T 1.
iGa
10
T 1
. 1
P 0
10 ort
/H 1.
T 2
F
T 0
P
D 11
S
10
N .1
1
S 0
.
S
er 16
ve 0
F 11
1.
r
10
T .1
P 0
.
S 1.
er 1
ve 70
S 1.2
10
r
ub 0
S .1
.1
am 1
ne 1.0
10
ba 10
t_ /2
2 4
S .1
.
er 80
ve
1
r
In this example configuration, there are two users:
• user1 can access the servers on Subnet_1
• user2 can access the workstation PCs on Subnet_2
You could easily add more users to either user group to provide them access to the user
group’s assigned web portal.
3 Select Create New, enter the following information, and select OK.
3 Select Create New, enter the following information, and select OK.
Name group1
Type SSL VPN
Portal portal1
3 From the Available list, select user1 and move it to the Members list by selecting the
right arrow button.
4 Select OK.
5 Repeat steps 2 through 4 to create group2, assigned to portal2, with user2 as its only
member.
3 Select Create New, enter the following information, and select OK:
end
end
Note: In this example, the IP Pools field on the VPN > SSL > Config page is not used
because each web portal specifies its own tunnel IP address range.
This chapter describes advanced static routing concepts and how to implement dynamic
routing on FortiGate units.
This FortiOS Handbook chapter contains the following sections:
Advanced Static routing explains routing concepts, equal cost multipath (ECMP) and load
balancing, policy routing, routing in transparent mode, and zones.
Dynamic Routing Overview provides some basic routing concepts needed to explain
dynamic routing, compares static and dynamic routing, and walks you through deciding
which dynamic routing protocol is best for you.
Routing Information Protocol (RIP), Border Gateway Protocol (BGP), and Open Shortest
Path First (OSPF) provide background on the protocol, explains the terms used, how the
protocol works, looks at some troubleshooting, and examples on configuring the protocols
in different situations.
Routing concepts
Many routing concepts apply to static routing. However without first understanding these
basic concepts, it is difficult to understand the more complex dynamic routing.
This section includes:
• Routing in VDOMs
• Default route
• Routing table
• Building the routing table
• Static routing security
• Multipath routing and determining the best route
Routing in VDOMs
Routing on FortiGate units is configured per-VDOM. This means if VDOMs are enabled,
you must enter a VDOM to do any routing configuration. This allows each VDOM to
operate independently of each other, with their own default routes and routing
configuration.
In this guide, the procedures assume your FortiGate unit has VDOMs disabled. This is
stated in the assumptions for the examples. If you have VDOMs enabled you will need to
perform the following steps in addition to the procedure’s steps.
Default route
The default route is used if either there are no other routes in the routing table or if none of
the other routes apply to a destination. Including the gateway in the default route gives all
traffic a next-hop address to use when leaving the local network. The gateway address is
normally another router on the edge of the local network.
All routers, including FortiGate units, are shipped with default routes in place. This allows
customers to set up and become operational more quickly. Beginner administrators can
use the default route settings until a more advanced configuration is warranted.
FortiGate units come with a default static route with an IPv4 address of 0.0.0.0, an
administration distance of 10, and a gateway IPv4 address.
Routing table
When two computers are directly connected, there is no need for routing because each
computer knows exactly where to find the other computer. They communicate directly.
Networking computers allows many computers to communicate with each other. This
requires each computer to have an IP address to identify its location to the other
computers. This is much like a mailing address - you will not receive your postal mail at
home if you do not have an address for people to send mail to. The routing table on a
computer is much like an address book used to mail letters to people in that the routing
table maintains a list of how to reach computers. Routing tables may also include
information about the quality of service (QoS) of the route, and the interface associated
with the route if the device has multiple interfaces.
Routing tables are also used in unicast reverse path forwarding (uRPF). In uRPF, the
router not only looks up the destination information, but also the source information to
ensure that it exists. If there is no source to be found, then that packet is dropped because
the router assumes it to be an error or an attack on the network.
Looking at routing as delivering letters is more simple than reality. In reality, routers loose
power or have bad cabling, network equipment is moved without warning, and other such
events happen that prevent static routes from reaching their destinations. When any
changes such as these happen along a static route, traffic can no longer reach the
destination — the route goes down. Dynamic routing can address these changes to
ensure traffic still reaches its destination. The process of realizing there is a problem,
backtracking and finding a route that is operational is called convergence. If there is fast
convergence in a network, users won’t even know that re-routing is taking place.
The routing table for any device on the network has a limited size. For this reason, routes
that aren’t used are replaced by new routes. This method ensures the routing table is
always populated with the most current and most used routes—the routes that have the
best chance of being reused. Another method used to maintain the routing table’s size is if
a route in the table and a new route are to the same destination, one of the routes is
selected as the best route to that destination and the other route is discarded.
Routing tables are also used in unicast reverse path forwarding (uRPF). In uRPF, the
router not only looks up the destination information, but also the source information to
ensure that it exists. If there is no source to be found, then that packet is dropped because
the router assumes it to be an error or an attack on the network.
The routing table is used to store routes that are learned. The routing table for any device
on the network has a limited size. For this reason, routes that aren’t used are replaced by
new routes. This method ensures the routing table is always populated with the most
current and most used routes — the routes that have the best chance of being reused.
Another method used to maintain the routing table’s size is if a route in the table and a
new route are to the same destination, one of the routes is selected as the best route to
that destination and the other route is discarded.
Some actions you can perform on the routing table include:
• Viewing the routing table in the web-based manager
• Viewing the routing table in the CLI
• Viewing the routing table with diagnose commands
• Searching the routing table
IP version Select IPv4 or IPv6 routes. Fields displayed vary depending on which IP version is
selected.
Displayed only if IPv6 display is enabled on the web-based manager
Type Select one of the following route types to search the routing table and display routes
of the selected type only:
All — all routes recorded in the routing table.
Connected — all routes associated with direct connections to FortiGate unit
interfaces.
Static — the static routes that have been added to the routing table manually.
RIP — all routes learned through RIP. For more information see “Routing Information
Protocol (RIP)” on page 1309.
BGP — all routes learned through BGP. For more information see “Border Gateway
Protocol (BGP)” on page 1347.
OSPF — all routes learned through OSPF. For more information see “Open Shortest
Path First (OSPF)” on page 1385.
HA — RIP, OSPF, and BGP routes synchronized between the primary unit and the
subordinate units of a high availability (HA) cluster. HA routes are maintained on
subordinate units and are visible only if you are viewing the router monitor from a
virtual domain that is configured as a subordinate virtual domain in a virtual cluster.
Not displayed when IP version IPv6 is selected.
For details about HA routing synchronization, see the FortiGate HA User Guide.
Network Enter an IP address and netmask (for example, 172.16.14.0/24) to search the
routing table and display routes that match the specified network.
Not displayed when IP version IPv6 is selected.
Gateway Enter an IP address and netmask (for example, 192.168.12.1/32) to search the
routing table and display routes that match the specified gateway.
Not displayed when IP version IPv6 is selected.
Apply Filter Select to search the entries in the routing table based on the specified search criteria
and display any matching routes.
Not displayed when IP version IPv6 is selected.
Type The type values assigned to FortiGate unit routes (Static, Connected, RIP, OSPF, or
BGP).
Not displayed when IP version IPv6 is selected.
Note: If VDOMs are enabled on your FortiGate unit, all routing related CLI commands must
be performed within a VDOM and not in the global context.
Examining an entry:
B 10.160.0.0/23 [20/0] via 10.142.0.74, port3, 2d18h02m
B BGP. The routing protocol used.
10.160.0.0/23 The destination of this route including netmask.
[20/0] 20 indicates and administrative distance of 20 out of a range of 0
to 255.
0 is an additional metric associated with this route, such as in
OSPF
10.142.0.74 The gateway, or next hop.
port3 The interface used by this route.
2d18h02m How old this route is, in this case almost three days old.
tab table number. This will be either 254 (unicast) or 255 (multicast).
vf virtual domain of the firewall. This is the vdom index number. If
vdoms are not enabled, this number will be 0.
4 If you want to display routes to a specific gateway, type the IP address of the gateway
in the Gateway field.
5 Select Apply Filter.
Note: All of the values that you specify as search criteria must match corresponding values
in the same routing table entry in order for that entry to be displayed.
If there are multiple routes that match your filter, they will all be listed, with the best match
at the top of the list as indicated by the word best.
The ACL ensures that traffic follows expected paths, and any unexpected traffic is not
delivered. This stops many network attacks. However, to be effective the ACL must be
kept up to date —when employees or computers are removed from the internal network
their IP addresses must also be removed from the ACL. For more information on the ACL,
see the router chapter of the FortiGate CLI Reference.
Blackhole Route
A blackhole route is a route that drops all traffic sent to it. It is very much like /dev/null in
Linux programming.
Blackhole routes are used to dispose of packets instead of responding to suspicious
inquiries. This provides added security since the originator will not discover any
information from the target network.
Blackhole routes can also limit traffic on a subnet. If some subnet addresses are not in
use, traffic to those addresses (traffic which may be valid or malicious) can be directed to
a blackhole for added security and to reduce traffic on the subnet.
The loopback interface, a virtual interface that does not forward traffic, was added to
enable easier configuration of blackhole routing. Similar to a normal interface, this
loopback interface has fewer parameters to configure, and all traffic sent to it stops there.
Since it cannot have hardware connection or link status problems, it is always available,
making it useful for other dynamic routing roles. Once configured, you can use a loopback
interface in firewall policies, routing, and other places that refer to interfaces. You
configure this feature only from the CLI. For more information, see the system chapter of
the FortiGate CLI Reference.
Another method to determine the best route is to manually change the priority of both
routes in question. If the next-hop administrative distances of two routes on the FortiGate
unit are equal, it may not be clear which route the packet will take. Manually configuring
the priority for each of those routes will make it clear which next-hop will be used in the
case of a tie. The priority for a route can only be set from the CLI. Lower priorities are
preferred. Priority is a Fortinet value that may or may not be present in other brands of
routers.
All entries in the routing table are associated with an administrative distance. If the routing
table contains several entries that point to the same destination (the entries may have
different gateways or interface associations), the FortiGate unit compares the
administrative distances of those entries first, selects the entries having the lowest
distances, and installs them as routes in the FortiGate unit forwarding table. As a result,
the FortiGate unit forwarding table contains only those routes having the lowest distances
to every possible destination. While only static routing uses administrative distance as its
routing metric, other routing protocols such as RIP can use metrics that are similar to
administrative distance.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference.
Priority is a Fortinet value that may or may not be present in other brands of routers.
You can configure the priority field through the CLI or the web-based manager. Priority
values can range from 0 to 4 294 967 295. The route with the lowest value in the priority
field is considered the best route. It is also the primary route.
If there are other routes set to priority 10, the route set to priority 5 will be preferred. If
there are routes set to priorities less than 5, those other routes will be preferred instead.
In summary, because you can use the CLI to specify which sequence numbers or priority
field settings to use when defining static routes, you can prioritize routes to the same
destination according to their priority field settings. For a static route to be the preferred
route, you must create the route using the config router static CLI command and
specify a low priority for the route. If two routes have the same administrative distance and
the same priority, then they are equal cost multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be confusing
which route or routes to install and use. However, if you have enabled load balancing with
ECMP routes, then different sessions will resolve this problem by using different routes to
the same address.
Ping
Beyond the basic connectivity information, ping can tell you the amount of packet loss (if
any), how long it takes the packet to make the round trip, and the variation in that time
from packet to packet.
If there is no packet loss detected, your basic network connectivity is OK.
If there is some packet loss detected, you should investigate:
• possible ECMP, split horizon, network loops
• cabling to ensure no loose connections
Traceroute
Where ping will only tell you if it reached its destination and came back successfully,
traceroute will show each step of its journey to its destination and how long each step
takes. If ping finds an outage between two points, traceroute can be used to locate exactly
where the problem is.
Route priority
After the FortiGate unit selects static routes for the forwarding table based on their
administrative distances, the priority field of those routes determines routing preference.
Priority is a Fortinet value that may or may not be present in other brands of routers.
You can only configure the priority field through the CLI. Priority values can range from 0
to 255. The route with the lowest value in the priority field is considered the best route, and
it is also the primary route.
For example, use the following command to change the priority of a route to 5 for a route
to the address 10.10.10.1 on the port1 interface.
config router static
edit 1
set device port1
set gateway 10.10.10.10
set dst 10.10.10.1
set priority 5
end
If there are other routes at priority 10, this route will be preferred. If there are routes at
priority less than 5, those other routes will be preferred instead.
In summary, because you can use the CLI to specify which sequence numbers or priority
field settings to use when defining static routes, you can prioritize routes to the same
destination according to their priority field settings. For a static route to be the preferred
route, you must create the route using the config router static CLI command and
specify a low priority for the route. If two routes have the same administrative distance and
the same priority, then they are equal cost multipath (ECMP) routes.
Since this means there is more than one route to the same destination, it can be confusing
which route or routes to install and use. However, if you have enabled load balancing with
ECMP routes, then different sessions will resolve this problem by using different routes to
the same address.
Note: If multiple routes to the same destination have the same priority but different
distances, the route with the lowest distance is used. If multiple routes to the same
destination have the same distance but different priorities, the route with the lowest priority
is used. Distance takes precedence over priority. If multiple routes to the same destination
have different distances and different priorities, the route with the lowest distance is always
used even if it has the highest priority.
Using ECMP, if more than one ECMP route is available you can configure how the
FortiGate unit selects the route to be used for a communication session. If only one ECMP
route is available (for example, because an interface cannot process traffic because
interface status detection does not receive a reply from the configured server) then all
traffic uses this route.
Previous versions of FortiOS provided source IP-based load balancing for ECMP routes,
but now FortiOS includes three configuration options for ECMP route failover and load
balancing:
Source based (also The FortiGate unit load balances sessions among ECMP routes
called source IP based on the source IP address of the sessions to be load
based) balanced. This is the default load balancing method. No
configuration changes are required to support source IP load
balancing.
Weighted (also called The FortiGate unit load balances sessions among ECMP routes
weight-based) based on weights added to ECMP routes. More traffic is directed
to routes with higher weights.
After selecting weight-based you must add weights to static
routes.
Spill-over (also called The FortiGate unit distributes sessions among ECMP routes
usage-based) based on how busy the FortiGate interfaces added to the routes
are.
After selecting spill-over you add route Spillover Thresholds to
interfaces added to ECMP routes. The FortiGate unit sends all
ECMP-routed sessions to the lowest numbered interface until the
bandwidth being processed by this interface reaches its spillover
threshold. The FortiGate unit then spills additional sessions over
to the next lowest numbered interface.
The Spillover Thresholds range is 0-2097000 KBps.
You can configure only one of these ECMP route failover and load balancing methods in a
single VDOM. If your FortiGate unit is configured for multiple VDOM operation, each
VDOM can have its own ECMP route failover and load balancing configuration.
To configure the ECMP route failover and load balancing method from the
web-based manager
1 Go to Router > Static > Static Route.
2 Set ECMP Route failover & Load Balance Method to source based, weighted, or
spill-over.
3 Select Apply.
To configure the ECMP route failover and load balancing method from the CLI
Enter the following command:
config system settings
Interface port3
Spillover Threshold (KBps) 100
Interface port4
Spillover Threshold (KBps) 200
Note: A new session to a destination IP address that already has an entry in the routing
cache is routed using the route already added to the cache for that destination address.
See “ECMP routing of simultaneous sessions to the same destination IP address” on
page 1282.
For example, consider a FortiGate unit with interfaces port3 and port4 both connected to
the Internet through different ISPs. ECMP routing is set to usage-based and route
spillover for to 100 KBps for port3 and 200 KBps for port4. Two ECMP default routes are
added, one for port3 and one for port4.
If the route to port3 is higher in the routing table than the route to port4, the FortiGate unit
sends all default route sessions out port3 until port3 is processing 10Mbps of data. When
port3 reaches its configured bandwidth limit, the FortiGate unit sends all default route
sessions out port4. When the bandwidth usage of port3 falls below 10Mbps, the FortiGate
again sends all default route sessions out port3.
New sessions to designating IP addresses that are already in the routing cache; however,
use the cached routes. This means that even of port3 is exceeding its bandwidth limit, new
sessions can continue to be sent out port3 if their destination addresses are already in the
routing cache. As a result, new sessions are sent out port4 only if port3 exceeds its
bandwidth limit and if the routing cache does not contain a route for the destination IP
address of the new session.
Also, the switch over to port4 does not occur as soon as port3 exceeds its bandwidth limit.
Bandwidth usage has to exceed the limit for a period of time before the switch over takes
place. If port3 bandwidth usage drops below the bandwidth limit during this time period,
sessions are not switched over to port4. This delay reduces route flapping.
FortiGate usage-based ECMP routing is not actually load balancing, since routes are not
distributed evenly among FortiGate interfaces. Depending on traffic volumes, most traffic
would usually be processed by the first interface with only spillover traffic being processed
by other interfaces.
If you are configuring usage-based ECMP in most cases you should add spillover
thresholds to all of the interfaces with ECMP routes. The default spillover threshold is 0
which means no bandwidth limiting. If any interface has a spillover threshold of 0, no
sessions will be routed to interfaces lower in the list unless the interface goes down or is
disconnected. An interface can go down if Detect interface status for Gateway Load
Balancing does not receive a response from the configured server.
Policy Routing
Policy routing allows you to redirect traffic away from a static route. This can be useful if
you want to route certain types of network traffic differently. You can use incoming traffic’s
protocol, source address or interface, destination address, or port number to determine
where to send the traffic. For example, generally network traffic would go to the router of a
subnet, but you might want to direct SMTP or POP3 traffic directly to the mail server on
that subnet.
If you have configured the FortiGate unit with routing policies and a packet arrives at the
FortiGate unit, the FortiGate unit starts at the top of the Policy Route list and attempts to
match the packet with a policy. If a match is found and the policy contains enough
information to route the packet (a minimum of the IP address of the next-hop router and
the FortiGate interface for forwarding packets to it), the FortiGate unit routes the packet
using the information in the policy. If no policy route matches the packet, the FortiGate unit
routes the packet using the routing table.
Note: Most policy settings are optional, so a matching policy alone might not provide
enough information for forwarding the packet. The FortiGate unit may refer to the routing
table in an attempt to match the information in the packet header with a route in the routing
table. For example, if the outgoing interface is the only item in the policy, the FortiGate unit
looks up the IP address of the next-hop router in the routing table. This situation could
happen when the interfaces are dynamic (such as DHCP or PPPoE) and you do not want
or are unable to specify the IP address of the next-hop router.
Policy route options define which attributes of a incoming packet cause policy routing to
occur. If the attributes of a packet match all the specified conditions, the FortiGate unit
routes the packet through the specified interface to the specified gateway.
Table 75 shows the policy route list belonging to a FortiGate unit that has interfaces
named external and internal. The names of the interfaces on your FortiGate unit
may be different.
To edit an existing policy route, see “Adding a policy route” on page 1286.
Table 75: Policy Routing list fields
Create New Add a policy route. See “Adding a policy route” on page 1286.
# The ID numbers of configured route policies. These numbers are sequential
unless policies have been moved within the table.
Incoming The interfaces on which packets subjected to route policies are received.
Outgoing The interfaces through which policy routed packets are routed.
Source The IP source addresses and network masks that cause policy routing to occur.
Destination The IP destination addresses and network masks that cause policy routing to
occur.
Delete icon Delete a policy route.
Edit icon Edit a policy route.
Move To icon After selecting this icon, enter the destination position in the window that
appears, and select OK.
For more information, see “Moving a policy route” on page 1288.
Table 76 shows the New Routing Policy dialog box belonging to a FortiGate unit that has
interfaces named external and internal. The names of the interfaces on your
FortiGate unit may be different.
Table 76: New Routing Policy fields
Protocol To perform policy routing based on the value in the protocol field of the
packet, enter the protocol number to match. The Internet Protocol Number is
found in the IP packet header. RFC 5237 describes protocol numbers and
you can find a list of the assigned protocol numbers here. The range is from 0
to 255. A value of 0 disables the feature.
Tip: Commonly used Protocol settings include 6 to route TCP sessions, 17
for UDP sessions, 1 for ICMP sessions, 47 for GRE sessions, and 92 for
multicast sessions.
For protocols other than 6 and 17, the port number is ignored.
Incoming Interface Select the name of the interface through which incoming packets subjected to
the policy are received.
Source Address / To perform policy routing based on the IP source address of the packet, type
Mask the source address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination To perform policy routing based on the IP destination address of the packet,
Address / Mask type the destination address and network mask to match. A value of
0.0.0.0/0.0.0.0 disables the feature.
Destination Ports To perform policy routing based on the port on which the packet is received,
type the same port number in the From and To fields. To apply policy routing
to a range of ports, type the starting port number in the From field and the
ending port number in the To field. A value of 0 disables this feature.
The Destination Ports fields are only used for TCP and UDP protocols. The
ports are skipped over for all other protocols.
Type of Service Use a two digit hexadecimal bit pattern to match the service, or use a two digit
hexadecimal bit mask to mask out. For more information, see “Type of
Service” on page 1287.
Outgoing Interface Select the name of the interface through which packets affected by the policy
will be routed.
Gateway Address Type the IP address of the next-hop router that the FortiGate unit can access
through the specified interface. A value of 0.0.0.0 is not valid.
Protocol 6
Incoming interface port1
Source address / mask 0.0.0.0/0.0.0.0
Destination address / mask 0.0.0.0/0.0.0.0
Destination Ports From 21 to 21
Type of Service bit pattern: 00 (hex) bit mask: 00 (hex)
Outgoing interface port10
Gateway Address 172.20.120.23
Type of Service
Type of service (TOS) is an 8-bit field in the IP header that enables you to determine how
the IP datagram should be delivered, with such qualities as delay, priority, reliability, and
minimum cost.
Each quality helps gateways determine the best way to route datagrams. A router
maintains a ToS value for each route in its routing table. The lowest priority TOS is 0, the
highest is 7 - when bits 3, 4, and 5 are all set to 1. The router tries to match the TOS of the
datagram to the TOS on one of the possible routes to the destination. If there is no match,
the datagram is sent over a zero TOS route.
Using increased quality may increase the cost of delivery because better performance
may consume limited network resources. For more information, see RFC 791 and RFC
1349.
Table 77: The role of each bit in the IP header TOS 8-bit field
bits 0, 1, 2 Precedence Some networks treat high precedence traffic as more important
traffic. Precedence should only be used within a network, and
can be used differently in each network. Typically you do not
care about these bits.
bit 3 Delay When set to 1, this bit indicates low delay is a priority. This is
useful for such services as VoIP where delays degrade the
quality of the sound.
bit 4 Throughput When set to 1, this bit indicates high throughput is a priority.
This is useful for services that require lots of bandwidth such
as video conferencing.
bit 5 Reliability When set to 1, this bit indicates high reliability is a priority. This
is useful when a service must always be available such as with
DNS servers.
bit 6 Cost When set to 1, this bit indicates low cost is a priority. Generally
there is a higher delivery cost associated with enabling bits 3,4,
or 5, and bit 6 indicates to use the lowest cost route.
bit 7 Reserved for Not used at this time.
future use
For example, if you want to assign low delay, and high reliability, say for a VoIP application
where delays are unacceptable, you would use a bit pattern of xxx1x1xx where an ‘x’
indicates that bit can be any value. Since all bits are not set, this is a good use for the bit
mask; if the mask is set to 0x14, it will match any TOS packets that are set to low delay
and high reliability.
Before/After Select Before to place the selected Policy Route before the indicated route.
Select After to place it following the indicated route.
Policy route ID Enter the Policy route ID of the route in the Policy route table to move the
selected route before or after.
Destination IP/Mask The destination of the traffic being routed. The first entry is
attempted first for a match, then the next, and so on until a match
is found or the last entry is reached. If no match is found, the traffic
will not be routed.
Use 0.0.0.0 to match all traffic destinations. This is the default
route.
Gateway Specifies the next hop for the traffic. Generally the gateway is the
address of a router on the edge of your network.
Priority The priority is used if there is more than one match for a route.
This allows multiple routes to be used, with one preferred. If the
preferred route is unavailable the other routes can be used
instead.
Valid range of priority can be from 0 to 4 294 967 295.
If more than one route matches and they have the same priority it
becomes an ECMP situation and traffic is shared among those
routes. See “Route priority” on page 1280.
When configuring routing on a FortiGate unit in transparent mode, remember that all
interfaces must be connected to the same subnet. That means all traffic will be coming
from and leaving on the same subnet. This is important because it limits your static routing
options to only the gateways attached to this subnet. For example, if you only have one
router connecting your network to the Internet then all static routing on the FortiGate unit
will use that gateway. For this reason static routing on FortiGate units in transparent mode
may be a bit different, but it is not as complex as routing in NAT/Route mode.
Zones
Zones allow you to group interfaces into zones to simplify firewall policy creation. By
grouping interfaces into a zone, you can add one set of firewall policies for the zone
instead of adding separate policies for each interface — what address groups do for
addresses in firewall policies, zones do for interfaces. Once you add interfaces to a zone
you cannot configure policies for the single interfaces, only for the entire zone.
You can add all types of interfaces to a zone (physical, VLAN, switch, and so on) and a
zone can consist of any combination of interface types. You can add zones, rename and
edit zones, and delete zones from the zone list. When you add a zone, you select the
names of the interfaces to add to the zone.
This section includes:
• Creating or editing a zone
• Blocking intra-zone traffic
• IP pools and zones
• Zones in VDOMs
• Zones in transparent mode
Zones in VDOMs
Zones are configured in virtual domains (VDOMs). If you have added multiple VDOMs to
your FortiGate unit configuration, make sure you are configuring the correct VDOM before
adding or editing zones. Zones do not appear on the Global level Network menu.
Link-state protocols
Link-state protocols are also known as shortest path first protocols. Where distance vector
uses information passed along that may or may not be current and accurate, in link-state
protocols each router passes along only information about networks and devices directly
connected to it. This results in a more accurate picture of the network topology around
your router, allowing it to make better routing decisions. This information is passed
between routers using link-state advertisements (LSAs). To reduce the overhead, LSAs
are only sent out when information changes, compared to distance vector sending
updates at regular intervals even if no information has changed. The the more accurate
network picture in link-state protocols greatly speed up convergence and avoid problems
such as routing-loops.
Table 80: Comparing RIP, BGP, and OSPF dynamic routing protocols
Routing protocols
Routing Information Protocol (RIP) uses classful routing, as well as incorporating
various methods to stop incorrect route information from propagating, such as poisoned
horizon. However, on larger networks its frequent updates can flood the network and its
slow convergence can be a problem.
Border Gateway Protocol (BGP) has been the core Internet backbone routing protocol
since the mid 1990s, and is the most used interior gateway protocol (IGP). However, some
configurations require full mesh connections which flood the network, and there can be
route flap and load balancing issues for multihomed networks.
Open Shortest Path First (OSPF) is commonly used in large enterprise networks. It is
the protocol of choice mainly due to its fast convergence. However, it can be complicated
to setup properly.
Routing algorithm
Each protocol uses a slightly different algorithm for choosing the best route between two
addresses on the network. The algorithm is the “intelligent” part of a dynamic protocol
because the algorithm is responsible for deciding which route is best and should be added
to the local routing table. RIP and BGP use distance vector algorithms, where OSPF uses
link-state or a shortest path first algorithm.
Vector algorithms are essentially based on the number of hops between the originator and
the destination in a route, possibly weighting hops based on how reliable, fast, and error-
free they are.
The link-state algorithm used by OSPF is called the Dijkstra algorithm. Link-state treats
each interface as a link, and records information about the state of the interface. The
Dijkstra algorithm creates trees to find the shortest paths to the routes it needs based on
the total cost of the parts of the routes in the tree.
For more information on the routing algorithm used, see “Distance vector versus link-state
protocols” on page 1295.
Authentication
If an attacker gains access to your network, they can masquerade as a router on your
network to either gain information about your network or disrupt network traffic. If you have
a high quality firewall configured, it will help your network security and stop many of this
type of threat. However, the main method for protecting your routing information is to use
authentication in your routing protocol. Using authentication on your FortiGate unit and
other routers prevents access by attackers — all routers must authenticate with
passwords, such as MD5 hash passwords, to ensure they are legitimate routers.
When configuring authentication on your network, ensure you configure it the same on all
devices on the network. Failure to do so will create errors and outages as those forgotten
devices fail to connect to the rest of the network.
For example, to configure an MD5 key of 123 on an OSPF interface called ospf_test,
enter the following CLI command:
config router ospf
config ospf-interface
edit ospf_test
set authentication md5
set md5-key 123
end
end
Convergence
Convergence is the ability of a networking protocol to re-route around network outages.
Static routing cannot do this. Dynamic routing protocols can all converge, but take various
amounts of time to do this. Slow convergence can cause problems such as network loops
which degrade network performance.
You may also hear robustness and redundancy used to describe networking protocols. In
many ways they are the same thing as convergence. Robustness is the ability to keep
working even though there are problems, including configuration problems as well as
network outages. Redundancy involves having duplicate parts that can continue to
function in the event of some malfunction, error, or outage. It is relatively easy to configure
dynamic routing protocols to have backup routers and configurations that will continue to
function no matter the network problem short of a total network failure.
IPv6 Support
IPv4 addressing is in common use everywhere around the world. IPv6 has much larger
addresses and it is used by many large companies and government departments. IPv6 is
not as common as IPv4 yet, but more companies are adopting it.
If your network uses IPv6, your dynamic routing protocol must support it. None of the
dynamic routing protocols originally supported IPv6, but they all have additions,
expansions, or new versions that do support IPv6. For more information, see “RIP and
IPv6” on page 1310, “BGP and IPv6” on page 1348, or “OSPF and IPv6” on page 1386.
Budget
When making any business decision, the budget must always be considered. Static
routing does not involve special hardware, fancy software, or expensive training courses.
Dynamic routing can include all of these extra expenses. Any new routing hardware such
as routers and switches need to support your chosen protocols. Network management
software to help configure and maintain your more complex network, and routing protocol
drivers may be necessary as well. If the network administrators are not well versed in
dynamic routing, either a training course or some hands on learning time must be
budgeted so they can administer the new network with confidence. Together, these factors
will use up your budget quickly.
Additionally people account for network starting costs in the budgets, but usually leave out
the ongoing cost of network maintenance. Any budget must provide for the hours that will
be spent on updating the network routing equipment, and fixing any problems. Without
that money in the budget, you may end up back at static routing before you know it.
The benefit of this method is that you can combine many addresses into one, potentially
reducing the routing table size immensely. The weakness of this method is if there are
holes in the address range you are aggregating you need to decide if its better to break it
into multiple ranges, or accept the possibility of failed routes to the missing addresses.
Note: As of January 2010, AS numbers will be 4-bytes long instead of the older 2-bytes.
RFC 4893 introduced 32-bit ASNs, which FortiGate units support.
AS numbers from 64512 to 65534 are reserved for private use. Private AS numbers can
be used for any internal networks with no outside connections to the Internet such as test
networks, classroom labs, or other internal-only networks that do not access the outside
world. You can also configure border routers to filter out any private ASNs before routing
traffic to the outside world. If you must use private ASNs with public networks, this is the
only way to configure them. However, it is risky because many other private networks
could be using the same ASNs and conflicts will happen. It would be very much like your
local 192.168.0.0 network being made public — the resulting problems would be
widespread.
In 1996, when RFC 1930 was written only 5,100 ASes had been allocated and a little
under 600 ASes were actively routed in the global Internet. Since that time many more
public ASNs have been assigned, leaving only a small number. For this reason 32-bit
ASNs (four-octet ASNs) were defined to provide more public ASNs. RFC 4893 defines 32-
bit ASNs, and FortiGate units support these larger ASNs as of FortiOS version 4.2
Neighbor routers
Routing involves routers communicating with each other. To do this, routers need to know
information about each other. These routers are called neighbor routers, and are
configured in each routing protocol. Each neighbor has custom settings since some
routers may have functionality others routers lack. Neighbour routers are sometimes
called peers.
Generally neighbor routers must be configured, and discovered by the rest of the network
before they can be integrated to the routing calculations. This is a combination of the
network administrator configuring the new router with its neighbor router addresses, and
the routing network discovering the new router, such as the hello packets in OSPF. That
discovery initiates communication between the new router and the rest of the network.
Route maps
Route maps are a way for the FortiGate unit to evaluate optimum routes for forwarding
packets or suppressing the routing of packets to particular destinations. Compared to
access lists, route maps support enhanced packet-matching criteria. In addition, route
maps can be configured to permit or deny the addition of routes to the FortiGate unit
routing table and make changes to routing information dynamically as defined through
route-map rules.
Route maps can be used for limiting both received route updates, and sent route updates.
This can include the redistribution of routes learned from other types of routing. For
example if you don’t want to advertise local static routes to external networks, you could
use a route map to accomplish this.
The FortiGate unit compares the rules in a route map to the attributes of a route. The rules
are examined in ascending order until one or more of the rules in the route map are found
to match one or more of the route attributes.
As an administrator, route maps allow you to group a set of addresses together and assign
them a meaningful name. Then during your configuration, you can use these route-maps
to speed up configuration. The meaningful names ensure fewer mistakes during
configuration as well.
The default rule in the route map (which the FortiGate unit applies last) denies all routes.
For a route map to take effect, it must be called by a FortiGate unit routing process.
Access lists
Use this command to add, edit, or delete access lists. Access lists are filters used by
FortiGate unit routing processes. For an access list to take effect, it must be called by a
FortiGate unit routing process (for example, a process that supports RIP or OSPF). Use
access-list6 for IPv6 routing.
Access lists can be used to filter which updates are passed between routers, or which
routes are redistributed to different networks and routing protocols. You can create lists of
rules that will match all routes for a specific router or group of routers.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and whether to match the prefix exactly or to match the
prefix and any more specific prefix.
Note: If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this
purpose.
The FortiGate unit attempts to match a packet against the rules in an access list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that
prefix. If no match is found the default action is deny.
The syntax for access lists is:
config router access-list, access-list6
edit <access_list_name>
set comments
config rule
edit <access_list_id>
set action
set exact-match
set prefix
set prefix6
set wildcard
For an example of how access lists can be used to create receiving or sending “groups” in
routing, see “Redistributing and blocking routes in BGP” on page 1378.
For more information about BFD in BGP, see “Bi-directional forwarding detection (BFD)”
on page 1363.
Background
Routing Information Protocol (RIP) is a distance-vector routing protocol intended for small,
relatively homogeneous networks. Its widespread use started when an early version of
RIP was included with BSD v4.3 Linux as the routed daemon. The routing algorithm used
by RIP, the Bellman–Ford algorithm, first saw widespread use as the initial routing
algorithm of the ARPANET.
RIP benefits include being well suited to smaller networks, is in widespread use, near
universal support on routing hardware, quick to configure, and works well if there are no
redundant paths. However, RIP updates are sent out node-by-node so it can be slow to
find a path around network outages. RIP also lacks good authentication, can not choose
routes based on different quality of service methods, and can create network loops if you
are not careful.
The FortiGate implementation of RIP supports RIP version 1 (see RFC 1058), RIP version
2 (see RFC 2453), and the IPv6 version RIPng (see RFC 2080).
RIP v1
In 1988 RIP version 1, defined in RFC 1058, was released. The RFC even states that RIP
v1 is based on Linux routed due to it being a “defacto standard”.
It uses classful addressing and uses broadcasting to send out updates to router
neighbors. There is no subnet information included in the routing updates in classful
routing, and it does not support CIDR addressing — subnets must all be the same size.
Also, route summarization is not possible.
RIP v1 has no router authentication method, so it is vulnerable to attacks through packet
sniffing, and spoofing.
RIP v2
In 1993, RIP version 2 was developed to deal with the limitations of RIP v1. It was not
standardized until 1998. This new version supports classless routing, and subnets of
various sizes.
Router authentication was added in RIP v2 — it supports MD5. MD5 hashes are an older
encryption method, but this is much improved over no security at all.
In RIP v2 the hop count remained at 15 to be backwards compatible with RIP v1.
RIP v2 uses multicasting to send the entire routing table to router neighbors, thereby
reducing the traffic for devices that are not participating in RIP routing.
Routing tags were added as well, which allow internal routes or redistributed routes to be
identified as such.
RIPng
RIPng, defined in RFC 2080, is an extension of RIP2 designed to support IPv6. However,
RIPng varies from RIPv2 in that it is not fully backwards compatible with RIPv1.
• RIPng does not support RIPv1 update authentication (it relies on IPsec)
• RIPng does not allow attaching tags to routes as in RIPv2
• RIPng requires specific encoding of the next hop for a set of route entries, unlike RIPv2
that encodes the next-hop into each route entry .
For example, you want to set up a tunnel on the port1 interface starting at
2002:C0A8:3201:: on your local network and tunnel it to address 2002:A0A:A01:: where it
will need access to an IPv4 network again. Use the following command:
config system ipv6-tunnel
edit test_tunnel
set destination 2002:A0A:A01::
set interface port1
set source 2002:C0A8:3201::
end
end
Note: The Timeout period should be at least three times longer than the Update period. If
the Update timer is smaller than Timeout or Garbage timers, you will experience an error.
The CLI commands associated with garbage, timeout, and update timers include:
config router rip
set garbage-timer
set timeout-timer
set update-timer
end
Garbage timer
The garbage timer is the amount of time (in seconds) that the FortiGate unit will advertise
a route as being unreachable before deleting the route from the routing table. If this timer
is shorter, it will keep more up to date routes in the routing table and remove old ones
faster. This will result in a smaller routing table which is useful if you have a very large
network, or if your network changes frequently.
Update timer
The update timer determines the interval between routing updates. Generally, this value is
set to 30 seconds. There is some randomness added to help prevent network traffic
congestion, which could result from all routers simultaneously attempting to update their
neighbors. The update timer should be at least three times smaller than the timeout timer,
otherwise you will experience an error.
If you are experiencing significant RIP traffic on your network, you can increase this
interval to send fewer updates per minute. However, ensure you increase the interval for
all the routers on your network or you will experience time outs that will degrade your
network speed.
Timeout timer
The timeout timer is the maximum amount of time (in seconds) that a route is considered
reachable while no updates are received for the route. This is the maximum time the
FortiGate unit will keep a reachable route in the routing table while no updates for that
route are received. If the FortiGate unit receives an update for the route before the timeout
period expires, the timer is restarted. The timeout period should be at least three times
longer than the depute period, otherwise you will experience an error.
If you are experiencing problems with routers not responding in time to updates, increase
this timer. However, remember that longer timeout intervals result in longer overall update
periods — it may be considerable time before the time the FortiGate unit is done waiting
for all the timers to expire on unresponsive routes.
This example shows how to configure a key-chain with two keys that are valid sequentially
in time. This example creates a key-chain called “rip_key” that has a password of
“fortinet”. The accepted and send lifetimes are both set to the same values — a start time
of 9:00am February 23, 2010 and an end time of 9:00am March 17, 2010. A second key is
configured with a password of “my_fortigate” that is valid from March 17, 2010 9:01am to
April 1 2010 9:00am. This “rip_key” keychain is then used on the port1 interface in RIP.
config router key-chain
edit "rip_key"
config key
edit 1
set accept-lifetime 09:00:00 23 02 2010 09:00:00 17 03 2010
set key-string "fortinet"
set send-lifetime 09:00:00 23 02 2010 09:00:00 17 03 2010
next
edit 2
set accept-lifetime 09:01:00 17 03 2010 09:00:00 1 04 2010
set key-string "my_fortigate"
set send-lifetime 09:01:00 17 03 2010 09:00:00 1 04 2010
next
end
end
config router rip
config interface
edit port1
set auth-keychain “rip_key”
end
end
Access Lists
Access lists are filters used by FortiGate unit RIP and OSPF routing. An access list
provides a list of IP addresses and the action to take for them — essentially an access list
makes it easy to group addresses that will be treated the same into the same group,
independent of their subnets or other matching qualities. You add a rule for each address
or subnet that you want to include, specifying the action to take for it. For example if you
wanted all traffic from one department to be routed a particular way, even in different
buildings, you can add all the addresses to an access list and then handle that list all at
once.
Each rule in an access list consists of a prefix (IP address and netmask), the action to take
for this prefix (permit or deny), and whether to match the prefix exactly or to match the
prefix and any more specific prefix.
The FortiGate unit attempts to match a packet against the rules in an access list starting at
the top of the list. If it finds a match for the prefix, it takes the action specified for that
prefix. If no match is found the default action is deny.
Access lists greatly speed up configuration and network management. When there is a
problem, you can check each list instead of individual addresses. Also its easier to
troubleshoot since if all addresses on one list have problems, it eliminates many possible
causes right away.
If you are using the RIPng or OSPF+ IPv6 protocols you will need to use access-list6, the
IPv6 version of access list. The only difference is that access-list6 uses IPv6 addresses.
For example, if you want to create an access list called test_list that only allows an
exact match of 10.10.10.10 and 11.11.11.11, enter the command:
config access-list
edit test_list
config rule
edit 1
set prefix 10.10.10.10 255.255.255.255
set action allow
set exact-match enable
next
edit 2
set prefix 11.11.11.11 255.255.255.255
set action allow
set exact-match enable
end
end
Another example is if you want to deny ranges of addresses in IPv6 that start with the IPv6
equivalents of 10.10.10.10 and 11.11.11.11, enter the command access-list6 as follows:
config router access-list6
edit test_list_ip6
config rule
edit 1
set prefix6 2002:A0A:A0A:0:0:0:0:0:/48
set action deny
next
edit 2
set prefix6 2002:B0B:B0B:0:0:0:0:0/48
set action deny
end
end
To use an access_list, you must call it from a routing protocol such as RIP. The following
example uses the access_list from the earlier example called test_list to match routes
coming in on the port1 interface. When there is a match, it will add 3 to the hop count
metric for those routes to artificially increase . Enter the following command:
config router rip
config offset-list
edit 5
set access-list test_list
set direction in
set interface port1
set offset 3
set status enable
end
end
If you are setting a prefix of 128.0.0.0, use the format 128.0.0.0/1. The default route,
0.0.0.0/0 can not be exactly matched with an access-list. A prefix-list must be used for this
purpose
Router4
Router1
Router4
Router1
Router4
Router4
The good part about the Bellman-Ford algorithm in RIP is that the router only uses the
information it needs from the update. If there are no newer, better routes than the ones the
router already has in its routing table, there is no need to change its routing table. And no
change means no additional update, so less traffic. But even when there is update traffic,
the RIP packets are very small so it takes many updates to affect overall network
bandwidth. For more information about RIP packets, see “RIP packet structure” on
page 1319.
The main disadvantage of the Bellman–Ford algorithm in RIP is that it doesn’t take
weightings into consideration. While it is possible to assign different weights to routes in
RIP, doing so severely limits the effective network size by reducing the hop count limit.
Also other dynamic routing protocols can take route qualities, such as reliability or delay,
into consideration to provide not only the physically shortest but also the fastest or more
reliable routes as you choose.
Another disadvantage of the Bellman-Ford algorithm is due to the slow updates passed
from one RIP router to the next. This results in a slow response to changes in the network
topology, which in turn results in more attempts to use routes that are down which wastes
time and network resources.
RIP version 1
RIP version 1, or RIP IP packets are 24 bytes in length. The empty areas were left for
future expansion.
Table 81: RIP IP packets
1-byte command 1-byte version 2-byte zero field 2-byte AFI 2-byte zero field
4-byte IP address 4-byte zero field 4-byte zero field 4-byte metric
RIP version 2
RIP version 2 has more features that RIP 1 and this is reflected in its packets. RIP 2
packets are similar in format to RIP 1, but carry more information. All but one of the empty
zero fields in RIP 1 packets now contain information.
Table 82: RIP 2 packets
The following descriptions summarize the fields RIP 2 adds to the RIP IP header. The
other fields have been described above for RIP 1.
Unused — Has a value set to zero, and is intended for future use
Route tag — Provides a method for distinguishing between internal routes learned by RIP
and external routes learned from other protocols.
Subnet mask — Contains the subnet mask for the entry. If this field is zero, no subnet
mask has been specified for the entry.
Next hop — Indicates the IP address of the next hop to which packets for the entry should
be forwarded.
Troubleshooting RIP
This section is about troubleshooting RIP. For general troubleshooting information, see “”
on page 1307.
This section includes:
• Routing Loops
• Split horizon and Poison reverse updates
• Debugging IPv6 on RIPng
Routing Loops
Normally in routing, a path between two addresses is chosen and traffic is routed along
that path from one address to the other. When there is a routing loop, that normal path
doubles back on itself creating a loop. When there are loops, the network has problems.
A routing loop happens when a normally functioning network has an outage, and one or
more routers are offline. When packets encounter this, an alternate route is attempted to
maneuver around the outage. During this phase it is possible for a route to be attempted
that involves going back a hop, and trying a different hop forward. If that hop forward is
blocked by the outage as well, a hop back and possibly the original hop forward may be
selected. You can see if this continues, how it can consume not only network bandwidth
but also many resources on those routers affected. The worst part is this situation will
continue until the network administrator changes the router settings, or the downed
routers come back online.
To detect possible routing loops with dead gateway detection and e-mail alerts
1 To configure dead gateway detection, go to System > Network > Options .
2 Set the detection interval (how often to send a ping), and fail-over detection (how many
lost pings before bringing the interface down). A smaller interval and smaller number of
lost pings will result in faster detection, but will create more traffic on your network.
3 To configure interface status change notification, go to Log&Report >Log Config > Alert
E-mail.
4 After you enter your email details, select the events you want to be alerted about — in
our case Configuration changes. You may also want to log CPU and Memory usage as
a network outage will cause your CPU activity to spike.
Note: If you have VDOMs configured, you will have to enter the basic SMTP server
information in the Global section, and the rest of the configuration within the VDOM that
includes this interface.
After this configuration, when this interface on the FortiGate unit cannot connect to the
next router, the FortiGate unit will bring down the interface and alert you with an email to
the outage.
The R&D network has two RIP routers, and each is connected to both other departments
as well as being connected to the Internet through the ISP router. The links to the Internet
are indicated in black.
The three internal networks do not run RIP. They use static routing because they are small
networks. This means the FortiGate units have to redistribute any static routes they learn
so that the internal networks can communicate with each other.
Where possible in this example, the default values will be used or the most general
settings. This is intended to provide an easier configuration that will require less
troubleshooting.
In this example the routers, networks, interfaces used, and IP addresses are as follows.
Note that the Interfaces that connect Router2 and Router3 also connect to the R&D
network.
Table 83: Rip example network topology
ISP router
(172.20.120.5)
RIP Router2
uter2
RIP Router4
RIP Router1
uter1
R&D Network
Accounting
Network
RIP Router3
RI
Sales Network
Assumptions
The following assumptions have been made concerning this example.
• All FortiGate units have 4.0 MR1 firmware, and are running factory default settings.
• All CLI and web-based manager navigation assumes the unit is running in NAT/Route
operating mode, with VDOMs disabled.
• All FortiGate units have interfaces labelled port1 through port4 as required.
• All firewalls have been configured for each FortiGate unit to allow the required traffic to
flow across interfaces.
• Only FortiGate units are running RIP on the internal networks.
• Router2 and Router3 are connected through the internal network for R&D.
• Router2 and Router3 each have their own connection to the Internet, indicated in black
on Figure 175 on page 1326.
Router2 and Router3 have dead gateway detection enabled on the ISP interfaces using
Ping. Remember to contact the ISP and confirm their server has ping enabled.
Alias internal
IP/Netmask 10.11.101.101/255.255.255.0
Administrative Access HTTPS SSH PING
Description Internal sales network
Administrative Status Up
Alias router2
IP/Netmask 10.11.201.101/255.255.255.0
Administrative Access HTTPS SSH PING
Description Link to R&D network & internet through Router2
Administrative Status Up
Alias router3
IP/Netmask 10.11.202.101/255.255.255.0
Administrative Access HTTPS SSH PING
Description Link to R&D network and internet through Router3
Administrative Status Up
Alias internal
IP/Netmask 10.12.101.102/255.255.255.0
Administrative Access HTTPS SSH PING
Description R&D internal network and Router3
Administrative Status Up
Alias router1
IP/Netmask 10.12.201.102/255.255.255.0
Administrative Access HTTPS SSH PING
Description Link to Router1 and the Sales network
Administrative Status Up
Alias router4
IP/Netmask 10.12.301.102/255.255.255.0
Administrative Access HTTPS SSH PING
Description Link to Router4 and the accounting network
Administrative Status Up
Alias ISP
IP/Netmask 172.20.120.102/255.255.255.0
Administrative Access HTTPS SSH PING
Detect Interface Status enable
for Gateway Load
Balancing
Detect Server 172.20.120.5
Detect Protocol Ping
Detect Interface Status enable
for Gateway Load
Balancing
Description Internet through ISP
Administrative Status Up
end
Alias internal
IP/Netmask 10.12.101.103/255.255.255.0
Administrative Access HTTPS SSH PING
Description R&D internal network and Router2
Administrative Status Up
Alias router1
IP/Netmask 10.13.201.103/255.255.255.0
Administrative Access HTTPS SSH PING
Description Link to Router1 and Sales network
Administrative Status Up
Alias router4
IP/Netmask 10.13.301.103/255.255.255.0
Administrative Access HTTPS SSH PING
Description Link to Router4 and accounting network
Administrative Status Up
Alias ISP
IP/Netmask 172.20.120.103/255.255.255.0
Administrative Access HTTPS SSH PING
Detect Interface Status enable
for Gateway Load
Balancing
Detect Server 172.20.120.5
Detect Protocol Ping
Description Internet and ISP
Administrative Status Up
Alias internal
IP/Netmask 10.14.101.104/255.255.255.0
Administrative Access HTTPS SSH PING
Description Internal accounting network
Administrative Status Up
Alias router2
IP/Netmask 10.14.201.104/255.255.255.0
Administrative Access HTTPS SSH PING
Description Link to R&D network & internet through Router2
Administrative Status Up
Alias router3
IP/Netmask 10.14.301.104/255.255.255.0
Administrative Access HTTPS SSH PING
Description Link to R&D network and internet through Router3
Administrative Status Up
7 For interface, select Create New and set the following information.
8 For interface, select Create New and set the following information.
set send-version 1 2
end
config network
edit 1
set prefix 10.11.0.0 255.255.0.0
next
edit 2
set prefix 10.12.0.0 255.255.0.0
next
edit 3
set prefix 10.14.0.0 255.255.0.0
next
edit 4
set prefix 172.20.120.0 255.255.255.0
end
config redistribute "static"
set status enable
end
end
7 For interface, select Create New and set the following information.
8 For interface, select Create New and set the following information.
The first is the internal network devices on the Sales, R&D, and Accounting networks. This
includes simple static routers, computers, printers and other network devices. Once the
FortiGate units are configured, the internal static routers need to be configured using the
internal network IP addresses. Otherwise there should be no configuration required.
The second group of devices is the ISP. This consists of the RIP router the FortiGate
routers 2 and 3 connect to. You need to contact your ISP and ensure they have your
information for your network such as the IP addresses of the connecting RIP routers, what
version of RIP your network supports, and what authentication (if any) is used.
Where possible in this example, the default values will be used or the most general
settings. This is intended to provide an easier configuration that will require less
troubleshooting.
In this example the routers, networks, interfaces used, and IP addresses are as follows.
Table 84: Rip example network topology
ISP router
(2002:AC14:7805::)
RIP Router1
r1 RIP Router2
R
R&D Internal
Network
Assumptions
The following assumptions have been made concerning this example.
• All FortiGate units have 4.0 MR1 firmware, and are running factory default settings.
• All CLI and web-based manager navigation assumes the unit is running in NAT/Route
operating mode, with VDOMs disabled.
• All FortiGate units have interfaces labelled port1 and port2 as required.
• All firewalls have been configured for each FortiGate unit to allow the required traffic to
flow across interfaces.
• All network devices are support IPv6 and are running RIPng.
Alias internal
IP/Netmask 2002:A0B:6565::/0
Administrative Access HTTPS SSH PING
Description Internal RnD network
Administrative Status Up
Alias ISP
IP/Netmask 2002:AC14:7865::/0
Administrative Access HTTPS SSH PING
Description ISP and internet
Administrative Status Up
Alias internal
IP/Netmask 2002:A0B:6566::/0
Administrative Access HTTPS SSH PING
Description Internal RnD network
Administrative Status Up
Alias ISP
IP/Netmask 2002:AC14:7866::/0
Administrative Access HTTPS SSH PING
Description ISP and internet
Administrative Status Up
Background
BGP was first used in 1989. The current version, BGP-4, was released in 1995 and is
defined in RFC 1771. That RFC has since been replaced by the more recent RFC 4271.
The main benefits of BGP-4 are classless inter-domain routing, and aggregate routes.
BGP is the only routing protocol to use TCP for a transport protocol. Other routing
protocols use UDP.
BGP makes routing decisions based on path, network policies and rulesets instead of the
hop-count metric as RIP does, or cost-factor metrics as OSPF does.
BGP-4+ supports IPv6. It was introduced in RFC 2858 and RFC 2545. BGP-4+ also
supports
BGP is the routing protocol used on the Internet. It was designed to replace the old
Exterior Gateway Protocol (EGP) which had been around since 1982, and was very
limited. In doing so, BGP enabled more networks to take part in the Internet backbone to
effectively decentralize it and make the Internet more robust, and less dependent on a
single ISP or backbone network.
Speaker routers
Any router configured for BGP is considered a BGP speaker. This means that a speaker
router advertises BGP routes to its peers.
Any routers on the network that are not speaker routers, are not treated as BGP routers.
In Figure 1, Router A is directly connected to five other routers in a network that contains
12 routers overall. These routers, the ones in the blue circle, are Router A’s peers or
neighbors.
Border Router
Router A
As a minimum, when configuring BGP neighbors you must enter their IP address, and the
AS number (remote_as). This is all the information the web-based manager interface
allows you to enter for a neighbor.
The BGP commands related to neighbors are quite extensive and include:
config router bgp
config neighbor
edit <neighbor_address_ipv4>
set activate {enable | disable}
set advertisement-interval <seconds_integer>
set allowas-in <max_num_AS_integer>
set allowas-in-enable {enable | disable}
set attribute-unchanged [as-path] [med] [next-hop]
set bfd {enable | disable}
set capability-default-originate {enable | disable}
set capability-dynamic {enable | disable}
set capability-graceful-restart {enable | disable}
set capability-orf {both | none | recieve | send}
set capability-route-refresh {enable | disable}
set connect-timer <seconds_integer>
set description <text_str>
set distribute-list-in <access-list-name_str>
set distribute-list-out <access-list-name_str>
set dont-capability-negotiate {enable | disable}
set ebgp-enforce-multihop {enable | disable}
set ebgp-multihop {enable | disable}
set ebgp-multihop-ttl <seconds_integer>
set filter-list-in <aspath-list-name_str>
set filter-list-out <aspath-list-name_str>
set holdtime-timer <seconds_integer>
set interface <interface-name_str>
set keep-alive-timer <seconds_integer>
set maximum-prefix <prefix_integer>
set maximum-prefix-threshold <percentage_integer>
set maximum-prefix-warning-only {enable | disable}
set next-hop-self {enable | disable}
Figure 178: Required sessions within an AS with and without route reflectors
RR
RR
Cluster2
Cluster1
Confederations
Confederations were introduced to reduce the number of BGP advertisements on a
segment of the network, and reduce the size of the routing tables. Confederations
essentially break up an AS into smaller units. Confederations are defined in RFC 3065
and RFC 1965.
Within a confederation, all routers communicate with each other in a full mesh
arrangement. Communications between confederations is more like inter-AS
communications in that many of the attributes are changed as they would be for BGP
communications leaving the AS, or eBGP.
Confederations are useful when merging ASs. Each AS being merged can easily become
a confederation, requiring few changes. Any additional permanent changes can then be
implemented over time as required. The figure below shows the group of ASs before
merging, and the corresponding confederations afterward as part of the single AS with the
addition of a new border router. It should be noted that after merging if the border router
becomes a route reflector, then each confederation only needs to communicate with one
other router, instead of five others.
AS 1
Confed1
Confed1
AS
AS 1 1 (was AS1)
(was AS1) Confed2
AS 2 (was AS2)
rder R
Border outter
Router
Border
B d R Router
t
Confed5 Confed3
AS 3 (was AS5) (was AS3)
AS 5 Confed4
AS 4 (was AS4)
Confederations and route reflectors perform similar functions — they both sub-divide large
ASes for more efficient operation. They differ in that route reflector clusters can include
routers that are not members of a cluster, where routers in a confederation must belong to
that confederation. Also, confederations place their confederation numbers in the
AS_PATH attribute making it easier to trace.
It is important to note that while confederations essentially create sub-ASs, all the
confederations within an AS appear as a single AS to external ASs.
Confederation related BGP commands include:
config router bgp
set confederation-identifier <peerid_integer>
end
BGP attributes
Each route in a BGP network has a set of attributes associated with it. These attributes
define the route, and are modified as required along the route.
BGP can work well with mostly default settings, but if you are going to change settings you
need to understand the roles of each attribute and how they affect those settings.
The BGP attributes include:
Note: Inbound policies on FortiGate units can change the NEXT-HOP,LOCAL-PREF, MED
and AS-PATH attributes of an internal BGP (iBGP) route for its local route selection
purposes. However, outbound policies on the unit cannot affect these attributes.
AS_PATH
AS_PATH is the BGP attribute that keeps track of each AS a route advertisement has
passed through. AS_PATH is used by confederations and by exterior BGP (EBGP) to help
prevent routing loops. A router knows there is a loop if it receives an AS_PATH with that
routers AS in it. The figure below shows the route between router A and router B. The
AS_PATH from A to B would read 701,702,703 for each AS the route passes through.
As of the start of 2010, the industry is upgrading from 2-byte to 4-byte AS_PATHs. This
upgrade was due to the imminent exhaustion of 2-byte AS_PATH numbers.
Network AS702
A
B
Network AS701
Network AS703
3 1
2
MULTI_EXIT_DESC (MED)
BGP AS systems can have one or more routers that connect them to other ASes. For
ASes with more than one connecting router, the Multi-Exit Discriminator (MED) lists which
router is best to use when leaving the AS. The MED is based on attributes such as delay.
It is a recommendation only, as some networks may have different priorities.
BGP updates advertise the best path to a destination network. When the FortiGate unit
receives a BGP update, the FortiGate unit examines the Multi-Exit Discriminator (MED)
attribute of potential routes to determine the best path to a destination network before
recording the path in the local FortiGate unit routing table.
FortiGate units have the option to treat any routes without an MED attribute as the worst
possible routing choice. This can be useful because a lack of MED information is a lack of
routing information which can be suspicious — possibly a hacking attempt or an attack on
the network. At best it is an unreliable route to select.
The BGP commands related to MED include:
config router bgp
set always-compare-med {enable | disable}
set bestpath-med-confed {enable | disable}
set bestpath-med-missing-as-worst {enable | disable}
set deterministic-med {enable | disable}
config neighbor
set attribute-unchanged [as-path] [med] [next-hop]
end
end
COMMUNITY
A community is a group of routes that have the same routing policies applied to them. This
saves time and resources. A community is defined by the COMMUNITY attribute of a BGP
route.
The FortiGate unit can set the COMMUNITY attribute of a route to assign the route to
predefined paths (see RFC 1997). The FortiGate unit can examine the COMMUNITY
attribute of learned routes to perform local filtering and/or redistribution.
The BGP commands related to COMMUNITY include:
config router bgp
set send-community {both | disable | extended | standard}
end
NEXT_HOP
The NEXT_HOP attribute says what IP address the packets should be forwarded to next.
Each time the route is advertised, this value is updated. The NEXT_HOP attribute is much
like a gateway in static routing.
FortiGate units allow you to to change the advertising of the FortiGate unit’s IP address
(instead of the neighbor’s IP address) in the NEXT_HOP information that is sent to IBGP
peers. This is changed with the config neighbor, set next-hop-self command.
The BGP commands related to NEXT_HOP include:
config router bgp
config neighbor
set attribute-unchanged [as-path] [med] [next-hop]
set next-hop-self {enable | disable}
end
end
ATOMIC_AGGREGATE
The ATOMIC_AGGREGATE attribute is used when routes have been summarized. It
indicates which AS and which router summarize the routes. It also tells downstream
routers not to de-aggregate the route. Summarized routes are routes with similar
information that have been combined, or aggregated, into one route that is easier to send
in updates. When it reaches its destination, the summarized routes are split back up into
the individual routes.
Your FortiGate unit doesn’t specifically set this attribute in the BGP router command, but it
is used in the route map command.
The commands related to ATOMIC_AGGREGATE include:
config router route-map
edit <route_map_name>
config rule
edit <route_map_rule_id>
set set-aggregator-as <id_integer>
set set-aggregator-ip <address_ipv4>
set set-atomic-aggregate {enable | disable}
end
end
end
ORIGIN
The ORIGIN attribute records where the route came from. The options can be IBGP,
EBGP, or incomplete. This information is important because internal routes (IBGP) are
higher priority than external routes (EBGP). However incomplete ORIGINs are the lowest
priority of the three.
The commands related to ORIGIN include:
config router route-map
edit <route_map_name>
set comments <string>
config rule
edit <route_map_rule_id>
set match-origin {egp | igp | incomplete | none}
end
end
end
Adj-RIB-IN
(new routes)
Calculate:
iBGP or eBGP?
Phase 1 - Calculate route
local route policies preferences on incoming
LOCAL_PREF routes.
3 9
Adj-RIB-IN
(with route 11 6
preferences) 2 5
22
Phase 2 - Install the best
3 routes into the local
Loc-RIB
(with new 5 6 routing RIB
routes)
9
11
Adj-RIB-OUT
(with routes
to send)
Routes
sent in update
Decision phase 1
At this phase, the decision is to calculate how preferred each route and its NRLI are the
Adjacent Routing Information Base Incoming (Adj-RIBs-In) compared to the other routes.
For internal routes (IBGP), policy information or LOCAL_PREF is used. For external peer
learned routes, it is based strictly on policy. These rules set up a list of which routes are
most preferred going into Phase 2.
Decision phase 2
Phase 2 involves installing the best route to each destination into the local Routing
Information Base (Loc-RIB). Effectively, the Loc-RIB is the master routing table. Each
route from Phase 1 has their NEXT_HOP checked to ensure the destination is reachable.
If it is reachable, the AS_PATH is checked for loops. After that, routes are installed based
on the following decision process:
• If there is only one route to a location, it is installed.
• If multiple routes to the same location, use the most preferred route from Level 1.
• If there is a tie, break the tie based on the following in descending order of importance:
shortest AS_PATH, smallest ORIGIN number, smallest MED, EBGP over IBGP,
smallest metric or cost for reaching the NEXT_HOP, BGP identifier, and lowest IP
address.
Note that the new routes that are installed into the Loc-RIB are in addition to any existing
routes in the table. Once Phase 2 is completed the Loc-RIB will consist of the best of both
the new and older routes.
Decision phase 3
Phase 3 is route distribution or dissemination. This is the process of deciding which routes
the router will advertise. If there is any route aggregation or summarizing, it happens here.
Also any route filtering from route maps happens here.
Once Phase 3 is complete, an update can be sent out to update the neighbor of new
routes.
Troubleshooting BGP
There are some features in BGP that are used to deal with problems that may arise.
Typically the problems with a BGP network that has been configured, involve routes going
offline frequently. This is called route flap and causes problems for the routers using that
route.
This section includes:
• Clearing routing table entries
• Route flap
Route flap
When routers or hardware along a route go offline and back online that is called a route
flap. Flapping is the term if these outages continue, especially if they occur frequently.
Route flap is a problem in BGP because each time a peer or a route goes down, all the
peer routers that are connected to that out-of-service router advertise the change in their
routing tables which creates a lot of administration traffic on the network. And the same
traffic happens again when that router comes back online. If the problem is something like
a faulty network cable that wobbles on and offline every 10 seconds, there could easily be
overwhelming amounts of routing updates sent out unnecessarily.
Another possible reason for route flap occurs with multiple FortiGate units in HA mode.
When an HA cluster fails over to the secondary unit, other routers on the network may see
the HA cluster as being offline resulting in route flap. While this doesn’t occur often, or
more than once at a time, it can still result in an interruption in traffic which is unpleasant
for network users. The easy solution for this problem is to increase the timers on the HA
cluster, such as TTL timers, so they do not expire during the failover process. Also
configuring graceful restart on the HA cluster will help with a smooth failover.
The first method of dealing with router flap should be to check your hardware. If a cable is
loose or bad, it can easily be replaced and eliminate the problem. If an interface on the
router is bad, either don’t use that interface or swap in a good router. If the power source is
bad on a router either replace the power supply or use a power conditioning backup power
supply. These quick and easy fixes can save you from configuring more complex BGP
options. However if the route flap is from another source, configuring BGP to deal with the
outages will ensure your network users uninterrupted service.
Some methods of dealing with route flap in BGP include:
• Holddown timer
• Dampening
• Graceful restart
• Bi-directional forwarding detection (BFD)
Holddown timer
The first line of defence to a flapping route is the hold down timer. This timer reduces how
frequently a route going down will cause a routing update to be broadcast.
Once activated, the holddown timer won’t allow the FortiGate unit to accept any changes
to that route for the duration of the timer. If the route flaps five times during the timer
period, only the first outage will be recognized by the FortiGate unit — for the duration of
the other outages there will be no changes because the Fortigate unit is essentially
treating this router as down. After the timer expires, if the route is still flapping it will
happen all over again.
Even if the route isn’t flapping — if it goes down, comes up, and stays back up — the timer
still counts down and the route is ignored for the duration of the timer. In this situation the
route will be seen as down longer than it really is, but there will be only the one set of route
updates. This is not a problem in normal operation because updates are not frequent.
Also the potential for a route to be treated as down when it is really up can be viewed as a
robustness feature. Typically you do not want most of your traffic being routed over an
unreliable route. So if there is route flap going on, it is best to avoid that route if you can.
This is enforced by the holddown timer.
Dampening
Dampening is a method used to limit the amount of network problems due to flapping
routes. With dampening the flapping still occurs, but the peer routers pay less and less
attention to that route as it flaps more often. One flap doesn’t start dampening, but the
second starts a timer where the router will not use that route — it is considered unstable. If
the route flaps again before the timer expires, the timer continues to increase. There is a
period of time called the reachability half-life after which a route flap will only be
suppressed for half the time. This half-life comes into effect when a route has been stable
for a while but not long enough to clear all the dampening completely. For the flapping
route to be included in the routing table again, the suppression time must expire.
If the route flapping was temporary, you can clear the flapping or dampening from the
FortiGate units cache by using one of the execute router clear bgp commands:
execute router clear bgp dampening {ip_address | ip/netmask}
or
execute router clear bgp flap-statistics {ip_address |
ip/netmask}
For example, to remove route flap dampening information for the 10.10.0.0/16 subnet,
enter the command:
FGT# exec router clear bgp dampening 10.10.0.0/16
The BGP commands related to route dampening are:
config router bgp
set dampening {enable | disable}
set dampening-max-suppress-time <minutes_integer>
set dampening-reachability-half-life <minutes_integer>
set dampening-reuse <reuse_integer>
set dampening-route-map <routemap-name_str>
set dampening-suppress <limit_integer>
set dampening-unreachability-half-life <minutes_integer>end
end
Graceful restart
BGP4 has the capability to gracefully restart.
In some situations, route flap is caused by routers that appear to be offline but the
hardware portion of the router (control plane) can continue to function normally. One
example of this is when some software is restarting or being upgraded, but the hardware
can still function normally.
Graceful restart is best used for these situations where routing will not be interrupted, but
the router is unresponsive to routing update advertisements. Graceful restart does not
have to be supported by all routers in a network, but the network will benefit when more
routers support it.
Note: FortiGate HA clusters can benefit from graceful restart. When a failover takes place,
the HA cluster will advertise it is going offline, and will not appear as a route flap. It will also
enable the new HA main unit to come online with an updated and usable routing table — if
there is a flap the HA cluster routing table will be out of date.
If you want to configure graceful restart on your FortiGate unit where you expect the
Fortigate unit to be offline for no more than 2 minutes, and after 3 minutes the BGP
network should consider the FortiGate unit offline, enter the command:
config router bgp
set graceful-restart enable
set graceful-restart-time 120
set graceful-stalepath-time 180
end
.
Note: You can configure graceful restarting and other advanced settings only through CLI
commands. For more information on advanced BGP settings, see the “router” chapter of
the FortiGate CLI Reference.
Configurable granularity
BFD can run on the entire FortiGate unit, selected interfaces, or on BGP for all configured
interfaces. The hierarchy allows each lower level to override the upper level’s BFD setting.
For example, if BFD was enabled for the FortiGate unit, it could be disabled only for a
single interface or for BGP. For information about FortiGate-wide BFD options, see config
system settings in the FortiGate CLI Reference.
BFD support was added in FortiOS v3.0 MR4, and can only be configured through the
CLI.
The BGP commands related to BFD are:
config router bgp
config neighbor
edit <neighbor_address_ipv4>
set bfd {enable | disable}
end
end
Network layout
The network layout for the basic BGP example involves the company network being
connected to both ISPs as shown below. In this configuration the FortiGate unit is the BGP
border router between the Company AS, ISP1’s AS, and ISP2’s AS.
The components of the layout include:
• The Company AS (AS number 1) is connected to ISP1 and ISP2 through the FortiGate
unit.
• The Company has one internal network — the Head Office network at 10.11.101.0/24.
• The FortiGate unit internal interface is on the the Company internal network with an IP
address of 10.11.101.110.
• The FortiGate unit external1 interface is connected to ISP1’s network with an IP
address of 172.21.111.5, an address supplied by the ISP.
• ISP1 AS has an AS number of 6501, and ISP2 has an AS number of 6502
• Both ISPs are connected to the Internet.
• The ISP1 border router is a neighbor (peer) of the FortiGate unit. It has an address of
172.21.111.4.
• The ISP2 border router is a neighbor (peer) of the FortiGate unit. It has an address of
172.22.222.4.
• Apart from graceful restart, and shorter timers (holdtimer, and keepalive) default
settings are to be used whenever possible.
ISP2 AS 650002
ISP1 AS 650001
ISP BGP
Border Routers
172.22.222.4
172.21.111.4
l1
external1 e
external2
172.20.111.55 1
172.20.222.5
all
internal
10.11.101.110 Head Office BGP Border Router
Company AS (ASN 1)
Assumptions
The basic BGP configuration procedure follows these assumptions:
• ISP1 is the preferred route, and ISP2 is the secondary route
• all basic configuration can be completed in both GUI and CLI
• only one AS is used for the Company
For these reasons this example configuration does not include:
• Bi-directional forwarding detection (BFD)
• Route maps
• Access lists
• changing redistribution defaults — make link when example is set up
• IPv6
For more information on these features, see the corresponding section.
Alias internal
IP/Netmask 10.11.101.110/255.255.255.0
Administrative Access HTTPS SSH PING
Description Company internal network
Administrative Status Up
Alias external1
IP/Netmask 172.21.111.5/255.255.255.0
Administrative Access HTTPS SSH PING
Description ISP1 External BGP network
Administrative Status Up
Alias external2
IP/Netmask 172.22.222.5/255.255.255.0
Administrative Access HTTPS SSH PING
Description ISP2 External BGP network
Administrative Status Up
4 Select OK.
5 Select Create New, and set the following information.
6 Select OK.
Note: For added security, you may want to define a smaller range of addresses for the
internal network. For example if only 20 addresses are used, only allow those addresses in
the range.
In the interest of keeping things simple, a zone will be used to group the two ISP interfaces
together. This will allow using one firewall policy to apply to both ISPs at the same time.
Remember to block intra-zone traffic as this will help prevent one ISP sending traffic to the
other ISP through your FortiGate unit using your bandwidth. The zone keeps configuration
simple, and in the future if there is a need for separate policies for each ISP, they can be
created and the zone can be deleted.
The addresses that will be used are the addresses of the FortiGate unit internal and
external ports, and the internal network.
More policies or services can be added in the future as applications are added to the
network. For more information on firewall policies, see the firewall chapter of the FortiGate
Administration Guide.
Note: When configuring firewall policies always enable logging to help you track and debug
your traffic flow.
3 Select OK.
3 Select OK.
Source port1(internal)
Interface/Zone
Source Address Internal_network
Destination ISPs
Interface/Zone
Destination Address All
Schedule always
Service Basic_services
Action ACCEPT
NAT Enable
Protection Profile scan
Log Allowed Traffic enable
Comments ISP1 basic services out policy
3 Select OK.
Source ISPs
Interface/Zone
Source Address all
Destination port1(internal)
Interface/Zone
Destination Address Internal_network
Schedule always
Service Basic_services
Action ACCEPT
NAT Enable
Protection Profile scan
Log Allowed Traffic enable
Comments ISP1 basic services in policy
Local AS 1
Router ID 10.11.101.110
edit 172.22.222.4
set connect-timer 60
set description “ISP2”
set holdtime-timer 120
set keepalive-timer 45
set weight 100
next
end
end
Connections to test in this example are the internal network to ISP1’s router or the
internet, and the same for ISP2. If you can connect on the external side of the Fortinet
unit, try to ping the internal network. Those three tests should prove your basic network
connections are working.
Note: Once you have completed testing the network connectivity, turn off ping support on
the external interfaces for additional security.
Network layout
The network layout for the BGP redistributing routes example involves the company
network being connected to two BGP peers as shown below. In this configuration the
FortiGate unit is the BGP border router between the Company AS, and the peer routers.
The components of the layout include:
• There is only one BGP AS in this example — AS 65001, shared by the FortiGate unit
and both peers.
• The Company’s FortiGate unit connects to the Internet through two BGP peers.
• The Company internal networks on the dmz interface of the FortiGate unit with an IP of
10.11.201.0/24.
• The FortiGate units’ interfaces are connected as follows:
• port1 (dmz) has IP 10.11.201.110 and is the internal user and server network
• port2 (external1) has IP 172.21.111.4 and is connected to Peer 1’s network
• port3 (external2) has IP 172.22.222.4 and is connected to Peer 2’s network
• Peer 1 has IP 172.21.111.5, and Peer 2 has IP 172.22.222.5.
• OSPF Area 1 is configured on the dmz interface of the FortiGate unit, and is the routing
protocol used by the internal users and servers.
Peer 1 Peer 2
172.21.111.5 172.22.222.5
BGP
AS 65001
external1 external2
172.21.111.4 172.22.222.4
dm
dmz
10.11.201.110
OSPF
Area 1 http
email
Assumptions
The the BGP redistributing routes configuration procedure follows these assumptions:
• the FortiGate unit has been configured following the Install Guide
• interfaces port1, port2, and port 3 exist on the FortiGate unit
• we don’t know the router manufacturers of Peer 1 and Peer 2
• we don’t know what other devices are on the BGP AS or OSPF Area
• all basic configuration can be completed in both GUI and CLI
• access lists and route maps will only be configured in CLI
• VDOMs are not enabled on the FortiGate unit
Firewall services will change depending on which routing protocol is being used on that
network — either BGP or OSPF. Beyond that, all services that are allowed will be allowed
in both directions due to the internal servers. The services allowed are web-server
services (DNS, HTTP, HTTPS, SSH, NTP, FTP*, SYSLOG, and MYSQL), email services
(POP3, IMAP, and SMTP), and general troubleshooting services (PING, TRACEROUTE).
Those last two can be removed once the network is up and working properly to increase
security. Other services can be added later as needed.
Alias dmz
IP/Netmask 10.11.201.110/255.255.255.0
Administrative Access HTTPS SSH PING
Description OSPF internal networks
Administrative Status Up
Alias external1
IP/Netmask 172.21.111.4/255.255.255.0
Administrative Access HTTPS SSH
Description BGP external Peer 1
Administrative Status Up
Alias external2
IP/Netmask 172.22.222.4/255.255.255.0
Administrative Access HTTPS SSH
Description BGP external2 Peer2
Administrative Status Up
3 Select OK.
4 Select Create New, and enter the following information:
5 Select OK.
Background
OSPF is a link-state interior routing protocol, that is widely used in large enterprise
organizations. It only routes packets within a single autonomous system (AS). This is
different from BGP as BGP can communicate between ASes.
The main benefit of OSPF is that it detects link failures in the network quickly and within
seconds has converged network traffic successfully without any networking loops. Also
OSPF has many features to control which routes are propagated and which are not,
maintaining smaller routing tables. OSPF can also provide better load-balancing on
external links than other interior routing protocols.
OSPF version 2 was defined in 1998 in RFC 2328. OSPF was designed to support
classless IP addressing, and variable subnet masks. This was a shortcoming of the earlier
RIP protocols.
Updates to OSPF version 2 are included in OSPF version 3 defined in 2008 in RFC 5340.
OSPF3 includes support for IPv6 addressing where previously OSPF2 only supports IPv4
addressing.
Router ID
In OSPF, each router has a unique 32-bit number called its Router ID. Often this 32-bit
number is written the same as a 32-bit IPv4 address would be written in dotted decimal
notation. However some brands of routers, such as Cisco routers, support a router ID
entered as an integer instead of an IP address.
It is a good idea to not use IP address in use on the router for the router ID number. The
router ID does not have to be a particular IP address on the router. By choosing a different
number, it will be harder to get confused which number you are looking at. A good idea
can be to use the as much of the area's number as possible. For example if you have 15
routers in area 0.0.0.0 they could be numbered from 0.0.0.1 to 0.0.0.15. If you have an
area 1.1.1.1, then routers in that area could start at 1.1.1.10 for example.
You can manually set the router ID on your FortiGate unit.
Adjacency
In an OSPF routing network, when an OSPF router boots up it sends out OSPF Hello
packets to find any neighbors, or routers that have access to the same network as the
router booting up. Once neighbors are discovered and Hello packets are exchanged,
updates are sent, and the Link State databases of both neighbors are synchronized. At
this point these neighbors are said to be adjacent.
For two OSPF routers to become neighbors, the following conditions must be met.
• The subnet mask used on both routers must be the same subnet.
• The subnet number derived using the subnet mask and each router's interface IP
address must match.
• The Hello interval & The Dead interval must match.
• The routers must have the same OSPF area ID. If they are in different areas, they are
not neighbors.
• If authentication is used, they must pass authentication checks.
If any of these parameters are different between the two routers, the routers do not
become OSPF neighbors and cannot be adjacent. If the routers become neighbors, they
are adjacent.
Benefits
The OSPF concept of the designated router is a big step above RIP. With all RIP routers
doing their own updates all the time, RIP suffers from frequent and sometimes
unnecessary updates that can slow down your network. With OSPF, not only do routing
changes only happen when a link-state changes instead of any tiny change to the routing
table, but the designated router reduces this overhead traffic even more.
However, smaller network topologies may only have a couple routers besides the
designated router. This may seem excessive, but it maintains the proper OSPF form and it
will still reduce the administration traffic but to a lesser extent than on a large network.
Also your network topology is ready for when you expand your network.
Area
An OSPF area is a smaller part of the larger OSPF AS. Areas are used to limit the link-
state updates that are sent out. The flooding used for these updates would overwhelm a
large network, so it is divided into these smaller areas for manageability.
Within an area if there are two or more routers that are viable, there will always be a
designated router (DR) and a backup DR (BDR). For more on these router roles, see
“Designated router (DR) and backup router (BDR)” on page 1387.
Defining a private OSPF area, involves:
• assigning a 32-bit number to the area that is unique on your network
• defining the characteristics of one or more OSPF areas
• creating associations between the OSPF areas that you defined and the local networks
to include in the OSPF area
• if required, adjusting the settings of OSPF-enabled interfaces.
Note: IPv6 OSPF area numbers use the same 32-bit number notation as IPv4 OSPF.
If you are using the web-based manager to perform these tasks, follow the procedures
summarized below.
Backbone area
Every OSPF network has at least one AS, and every OSPF network has a backbone area.
The backbone is the main area, or possibly the only area. All other OSPF areas are
connected to a backbone area. This means if two areas want to pass routing information
back and forth, that routing information will go through the backbone on its way between
those areas. For this reason the backbone not only has to connect to all other areas in the
network, but also be uninterrupted to be able to pass traffic to all points of the network.
The backbone area is referred to as area 0 because it has an IP address of 0.0.0.0.
Stub area
A stub area is an OSPF area that receives no outside routes advertised into it, and all
routing in it is based on a default route. This essentially isolates it from outside areas.
Stub areas are useful for small networks that are part of a larger organization, especially if
the networking equipment can’t handle routing large amounts of traffic passing through, or
there are other reasons to prevent outside traffic, such as security. For example most
organizations don’t want their accounting department to be the center of their network with
everyone’s traffic passing through there. It would increase the security risks, slow down
their network, and it generally doesn’t make sense.
A variation on the stub area is the totally stubby area. It is a stub area that does not allow
summarized routes.
NSSA
A not-so-stubby-area (NSSA) is a stub area that allows for external routes to be injected
into it. While it still does not allow routes from external areas, it is not limited to only using
he default route for internal routing.
Regular area
A regular area is what all the other ASes are, all the non-backbone, non-stub, non-NSSA
areas. A regular area generally has a connection to the backbone, does receive
advertisements of outside routes, and does not have an area number of 0.0.0.0.
Authentication
In the OSPF packet header are two authentication related fields —AuType, and
Authentication.
All OSPF packet traffic is authenticated. Multiple types of authentication are supported in
OSPFv2. However in OSPFv3, there is no authentication built-in but it is assumed that
IPSec will be used for authentication instead.
Packets that fail authentication are discarded.
Null authentication
Null authentication indicates there is no authentication being used. In this case the 16-byte
Authentication field is not checked, and can be any value. However checksumming is still
used to locate errors. On your FortiGate this is the none option for authentication.
Cryptographic authentication
Cryptographic authentication involves the use of a shared secret key to authenticate all
router traffic on a network. The key is never sent over the network in the clear—a packet is
sent and a condensed and encrypted form of the packet is appended to the end of the
packet. A non-repeating sequence number is included in the OSPF packet to protect
against replay attacks that could try to use already sent packets to disrupt the network.
When a packet is accepted as authentic the authentication sequence number is set to the
packet sequence number. If a replay attack is attempted, the packet sent will be out of
sequence and ignored.
Your FortiGate unit supports all three levels of authentication through the authentication
keyword associated with creating an OSPF interface .
For example to create an OSPF interface called Accounting on the port1 interface that
is a broadcast interface, has a hello interval of 10 seconds, has a dead interval of 40
seconds, uses text authentication (simple password) with a password of “ospf_test”, enter
the command:
config router ospf
config ospf-interface
edit Accounting
set interface port1
set network_type broadcast
set hello_interval 10
set dead_interval 40
set authentication text
set authentication-key “ospf_test”
end
end
External routes
OSPF is an internal routing protocol. OSPF external routes are routes with the destination
of the connection using a routing protocol other than OSPF. OSPF handles external routes
by adjusting the cost of the route to include the cost of the other routing protocol. There
are two methods of calculating this cost, used for OSPF E1 and OSPF E2.
Comparing E1 and E2
The best way to understand OSPF E1 and E2 routes is to check routing tables on OSPF
routers. If you look at the routes on an OSPF border router, the redistributed routes will
have an associated cost that represents only the external route, as there is no OSPF cost
to the route due to it already being on the edge of the OSPF domain. However, if you look
at that same route on a different OSPF router inside the OSPF routing domain, it will have
a higher associated cost - essentially the external cost plus the cost over the OSPF
domain to that border router. The border router uses OSPF E2, where the internal OSPF
router uses OSPF E2 for the same route.
Note: The inter-area routes may not be calculated when a Cisco type ABR has no fully
adjacent neighbor in the backbone area. In this situation, the router considers summary-
LSAs from all Actively summary-LSAs from all Actively Attached areas (RFC 3509).
The FortiGate unit dynamically updates its routing table based on the results of the SPF
calculation to ensure that an OSPF packet will be routed using the shortest path to its
destination. Depending on the network topology, the entries in the FortiGate unit routing
table may include:
• the addresses of networks in the local OSPF area (to which packets are sent directly)
• routes to OSPF area border routers (to which packets destined for another area are
sent)
• if the network contains OSPF areas and non-OSPF domains, routes to area boundary
routers, which reside on the OSPF network backbone and are configured to forward
packets to destinations outside the OSPF AS.
OSPF packets
Every OSPF packet starts with a standard 24-byte header, and another 24 bytes of
information or more. The header contains all the information necessary to determine
whether the packet should be accepted for further processing.
Table 85: OSPF packet
1-byte Version field 1-byte Type field 2-byte Packet length 3-byte Router ID
4-byte Network Mask 2-bye Hello interval 1-byte Options field 1-byte Router Priority
4-byte Dead Router 4-byte DR field 4-byte BDR field 4-byte Neighbor ID