Fortinet Publishing
FortiGate Cookbook
A Practical Guide to Getting the best from Your FortiGate
FortiOS 4.0 MR3
1 August 2013
01-432-153797-20130801
Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of
Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other conditions
may affect performance results. Nothing herein represents any binding commitment by Fortinet,
and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet
enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that
expressly warrants that the identified product will perform according to the performance metrics
herein. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice,
and the most current version of the publication shall be applicable.
Visit these links for more information and documentation for your Fortinet products:
Fortinet Knowledge Base - http://kb.fortinet.com
Technical Documentation - http://docs.fortinet.com
Training Services - http://campus.training.fortinet.com
Technical Support - http://support.fortinet.com
You can report errors or omissions in this or any Fortinet technical document to
techdoc@fortinet.com.
FortiOS Cookbook
Contents

Introduction
About FortiGate . . . 7
Administrative interfaces . . . 8
Revision History . . . 9
Registering your Fortinet product . . . 10
For more information . . . 10

Creating, saving, and using packet capture filters (sniffing packets from the web-based manager) . . . 135
Debugging FortiGate configurations . . . 139
Quick reference to common diagnose commands . . . 143

WiFi Networking

UTM Profiles

SSL VPN
Setting up remote web browsing for internal sites through SSL VPN . . . 301
Using SSL VPN to provide protected Internet access for remote users . . . 306
SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to head office servers for remote users . . . 310
Verifying that SSL VPN users have the most recent AV software before they can log into the SSL VPN . . . 315

IPsec VPN
Protecting communication between offices across the Internet using IPsec VPN
Using FortiClient VPN for secure remote access to an office network
IPsec VPN for a secure connection using an iPhone
IPsec VPN for a secure connection using an Android device
Using the FortiGate FortiClient VPN Wizard to set up a VPN to a private network
Redundant OSPF routing over IPsec VPN

Authentication
Creating a security policy to identify users
Identify users and restrict access to websites by category
Creating a security policy to identify users, restrict access to certain websites, and control use of applications
Configuring FSSO for single sign-on user access in a Windows AD environment
Authenticating with FortiAuthenticator
Adding FortiToken two-factor authentication to a user account
Stopping the "Connection is untrusted" message

Index
Introduction
The FortiGate Cookbook provides administrators who are new to FortiGate appliances with
examples of how to implement many basic and advanced FortiGate configurations.
FortiGate products offer administrators a wealth of features and functions for securing their
networks, but to cover the entire scope of configuration possibilities would easily surpass the limits
set forth for this book. Fortunately, much more information can be obtained in the FortiOS Handbook.
The latest version is available from the Fortinet Technical Documentation website
(http://docs.fortinet.com) and is also accessible as FortiGate online help.
Figure: FortiGate unit in NAT/Route mode, performing NAT between the private internal network (192.168.1.0/255.255.255.0, internal interface 192.168.1.99) and the Internet (wan1 172.20.120.14, gateway 172.20.120.2).
This cookbook contains a series of sections (or recipes) that describe how to solve problems. Each
section begins with a description of the problem and is followed by a step-by-step solution. Most
sections conclude with results that describe how to verify that the problem was successfully
resolved. Many sections also contain troubleshooting information, best practices and additional
details about the FortiGate features used to solve the problem. Scattered throughout this document
you will also find dedicated troubleshooting sections and sections that describe FortiGate
troubleshooting features such as the packet sniffer and diagnose debug command.
This FortiGate Cookbook was written for FortiOS 4.0 MR3 patch 2 (FortiOS 4.3.2). The solutions in
this document should also work with more recent FortiOS 4.0 MR3 firmware versions, possibly with
minor adjustments.
A PDF copy of this document is available from the FortiGate Cookbook website
(http://docs.fortinet.com/cookbook.html). You can send comments about this document and ideas
for new recipes to techdoc@fortinet.com. New recipes may be published on the FortiGate Cookbook
website and added to future versions of the cookbook.
The FortiGate Cookbook videos are visual and audio versions of recipes found in the FortiGate
Cookbook. All of the Cookbook videos are available from
http://docs.fortinet.com/cookbook_video.html. We add new videos regularly.
About FortiGate
A FortiGate appliance represents the latest response to the ever changing Internet security threat
landscape. Internet security covers a wide range of disciplines across a broad set of services,
protocols and network topologies. Comprising custom designed silicon and a dedicated operating
system, the combination of FortiGate, FortiASIC and FortiOS provides a wide range of solutions
that scale from the smallest office to the largest Internet service provider.
The FortiOS feature set is constantly evolving and today provides both IPv6 as well as IPv4
protection, high availability, a full suite of dynamic routing protocols, traffic shaping, IPsec and SSL
VPN, user authentication, WAN optimization, and secure WiFi. UTM has been extended beyond virus
scanning and web filtering to include intrusion protection, application control, endpoint security, and
data leak prevention. Application control combined with a whole host of monitoring functions and
network vulnerability scanning provides a complete and detailed picture of the traffic on your
networks allowing you to detect and isolate threats before they happen and take action to control
traffic as it passes through your network.
The advanced capabilities of your FortiGate appliance require an equally advanced and global
presence for ensuring as complete a defence as possible. Updated many times a day, the FortiGuard
network provides a series of databases which are either installed directly or queried on demand to
realize the goal of complete content protection. Whether you are scanning for hundreds of thousands
of viruses, checking millions of URLs or looking for that next SPAM outbreak FortiGuard is the place
to turn.
To ease the introduction of your new FortiGate units they have been designed to operate in what we
call NAT/Route mode or Transparent mode. In NAT/Route mode the FortiGate unit functions as a
router connecting two or more different networks together. Using static and advanced dynamic
routing, in NAT/Route mode the FortiGate unit routes packets between its attached networks. You
can also use security policies and firewall objects to apply network address translation (NAT) to traffic
as it passes back and forth between different networks. NAT hides addresses on private networks to
improve security and also simplifies routing between networks.
In Transparent mode the FortiGate unit is installed in a network transparently to layer 3, without
changing the IP addressing of the network in any way; its presence on the network is limited to a
single management IP address. In Transparent mode, traffic can pass through the FortiGate unit
without any address translation or routing taking place.
Administrative interfaces
A full set of options is available to configure and manage FortiGate units including the web-based
manager for visual management, the CLI for command-line-based management, and FortiExplorer
which allows management over a USB connection.
Web-based Manager
Also called the Web Interface or Web UI, the FortiGate web-based manager is an advanced point and
click, drag and drop interface that provides quick access to most FortiGate configuration settings
and includes a configuration wizard and complementary visual monitoring and management tools.
Using the web-based manager you can for example, add a security policy to monitor application
activity on a network, view the results of this application monitoring policy, and then add additional
policies or change the existing policy to block or limit the traffic produced by some applications.
The web-based manager also provides a wide range of monitoring and reporting tools that provide
detailed information about traffic and events on the FortiGate unit. All aspects of FortiGate operation
can be monitored from the web-based manager. Specialized monitoring pages are available for most
features.
You access the web-based manager using HTTP or HTTPS from any web browser. Use HTTPS so
that administrator credentials and configuration data are not sent in cleartext. By default you can
access the web-based manager by connecting to the FortiGate interface usually attached to a
protected network.
Configuration changes made from the web-based manager take effect immediately, without resetting
the unit or interrupting service.
CLI
As its name implies the command line interface (CLI) provides a text-based command line
configuration interface to the FortiGate unit. You can configure all FortiGate configuration options
from the CLI using config commands. The CLI also includes get commands for viewing the
configuration and getting status information, execute commands for performing immediate
operations including setting the date and time, backing up and restoring the configuration, testing
network connections, and so on, and diagnose commands for advanced FortiGate monitoring and
troubleshooting.
You can connect to the CLI using an RS-232 serial console connection, or over a TCP/IP network
using Telnet or SSH. Prefer SSH: Telnet sends the administrator password and the whole session in
cleartext. Configuration changes made within the CLI also take effect immediately, without
resetting the unit or interrupting service.
FortiExplorer
FortiExplorer provides a user-friendly and accessible tool that you can use to configure a FortiGate
unit over a standard USB connection. Once you have installed FortiExplorer software on a PC
running Windows or Mac OS X and established a USB connection between the PC and your
FortiGate unit you can use FortiExplorer to register your FortiGate unit, check for and perform
FortiOS firmware updates, use the FortiExplorer configuration wizard to quickly set up the FortiGate
unit and connect to the web-based manager or CLI.
Revision History
Table 1: FortiGate Cookbook Revision History

Version                    Changes
01-432-153797-20120601     New Recipes:
01-432-153797-20120501     New Recipes:
01-432-153797-20111021     Initial Version
Training
Fortinet Training Services provides courses that orient you quickly to your new equipment, and
certifications to verify your knowledge level. Fortinet provides a variety of training programs to serve
the needs of our customers and partners world-wide.
To learn about the training services that Fortinet provides, visit the Fortinet Training Services web site
at http://campus.training.fortinet.com, or email training@fortinet.com.
Documentation
The Fortinet Technical Documentation web site, http://docs.fortinet.com, provides the most
up-to-date versions of Fortinet publications, as well as additional technical documentation such as
technical notes.
In addition to the Fortinet Technical Documentation web site, you can find Fortinet technical
documentation on the Fortinet Tools and Documentation CD, and on the Fortinet Knowledge Base.
Please send information about any errors or omissions in this or any Fortinet technical document to
techdoc@fortinet.com.
Connecting a private network to the Internet with a FortiGate unit in NAT/Route mode
Changing the address of an internal network in one step using the FortiGate setup wizard
Inserting a FortiGate unit into a network without changing the network configuration (Transparent mode)
Verifying the current firmware version and upgrading the FortiOS firmware
Connecting a private network to the Internet with a FortiGate unit in NAT/Route mode
Figure: FortiGate unit in NAT/Route mode, performing NAT between the private internal network (192.168.1.0/255.255.255.0, internal interface 192.168.1.99) and the Internet (wan1 172.20.120.14, gateway 172.20.120.2).
Solution
Most commonly, FortiGate units are installed as a gateway or router between a private network and
the Internet. The FortiGate unit operates in what is called NAT/Route mode to hide the addresses of
the private network from prying eyes on the Internet.
Figure: the FortiGate wan1 interface connects to the ISP's equipment and the internal interface to the Internal Network.
Power on the ISP's equipment, the FortiGate unit, and the PCs on the Internal network.
Go to System > Network > Interface and Edit the wan1 interface and change the following
settings:
Addressing mode: Manual
IP/Netmask: 172.20.120.14/255.255.255.0
Edit the internal interface and change the following settings:
Addressing mode: Manual
IP/Netmask: 192.168.1.99/255.255.255.0
Go to Router > Static > Static Route and select Create New to add the following default route.
Destination IP/Mask
0.0.0.0/0.0.0.0
Device
wan1
Gateway
172.20.120.2
A default route always has a Destination IP/Mask of 0.0.0.0/0.0.0.0. Normally you would have only
one default route. If the static route list already contains a default route, you can edit it or delete it
and add a new one.
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the internal network to connect to the Internet:
Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan1
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
Make sure Enable NAT is selected in this policy. Without it, sessions from the internal network
would leave wan1 with their private 192.168.1.0 source addresses, which the ISP will not route
back; with it, the source NAT IP seen in the Results below is the wan1 address.
Some FortiGate models include this security policy in the default configuration. If you have one of
these models, this step has already been done for you and as soon as your FortiGate unit is
connected and the computers on your internal network are configured, they should be able to
access the Internet.
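The same installation entered from the CLI instead of the web-based manager. This is an added example, not a page from the original cookbook; it reproduces the steps above in FortiOS 4.0 MR3 config syntax. The two DNS servers are the FortiOS factory defaults (FortiGuard DNS) and stand in for the ISP's servers the recipe leaves unspecified; the allowaccess settings and the logtraffic line are additions chosen here, not settings the recipe lists. Lines beginning with # are comments.

```fortios
# Static addressing on both interfaces (System > Network > Interface).
# Administrative access (https, ssh) is allowed only on the internal
# side; wan1 answers ping for troubleshooting and nothing else.
config system interface
    edit "wan1"
        set mode static
        set ip 172.20.120.14 255.255.255.0
        set allowaccess ping
    next
    edit "internal"
        set mode static
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
# Default route through the ISP gateway (Router > Static > Static Route).
# No dst is set because 0.0.0.0/0.0.0.0 is the default.
config router static
    edit 1
        set device "wan1"
        set gateway 172.20.120.2
    next
end
# DNS servers (System > Network > DNS). FortiOS defaults shown;
# replace them with the servers your ISP gave you.
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
# Security policy internal -> wan1 (Policy > Policy > Policy).
# nat enable is what makes sessions leave with the wan1 address as
# source. logtraffic is an addition so the Results can also be
# checked in the traffic log, not only in the session monitor.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        set logtraffic enable
    next
end
```

The policy is deliberately the only one: anything not matched by it is dropped, and in particular nothing from wan1 toward the internal network is accepted. Keeping https and ssh off wan1's allowaccess list is the cheapest way to make sure the administrative interfaces described in the Introduction are not reachable from the Internet.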
Results
On the PC that you used to connect to the FortiGate internal interface, open a web browser and
browse to any Internet website. You should also be able to connect to the Internet using FTP or any
other protocol or connection method.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit.
The source address of most sessions should be an address on the 192.168.1.0 network. The source
NAT IP for most sessions should be 172.20.120.14 (or the IP address added to the wan1 interface).
The policy ID should be 1, which is the ID of the default security policy that allows users in the
internal network to connect to the Internet.
You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active
sessions for each policy. Since there is only one policy, that graph contains only one entry. You can
select the bar graph for policy 1 to view the top sessions by source address, destination address, or
destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
If you can browse the web from the internal network, your configuration is successful. If you cannot,
try the steps described in Troubleshooting NAT/Route mode installations on page 24 to find the
problem.
Figure: FortiGate unit in NAT/Route mode; the ISP's DHCP server provides the wan1 IP configuration, and computers on the private internal network (192.168.1.0/255.255.255.0, internal interface 192.168.1.99) are configured automatically by the FortiGate DHCP server.
Solution
If your Internet service provider uses DHCP to automatically provide Internet connectivity, only one
FortiGate configuration step is required to get a FortiGate unit up and running and allowing
connections from a private network to the Internet.
The solution involves connecting FortiGate unit to your ISP and your Internal network, configuring the
computers on your internal network to get their IP configuration automatically (using DHCP), and
then powering on the FortiGate unit and configuring it to get network settings from your ISP using
DHCP.
To use this one-step configuration solution, the default configuration of your FortiGate unit must
include a DHCP server for the internal interface and a default security policy that allows all sessions
from the internal network to the Internet. This default configuration is available on many
SMB/SOHO FortiGate and FortiWifi models.
Power on the ISP's equipment, the FortiGate unit, and the PCs in the Internal network.
If required, configure the PCs to get their IP network configuration automatically using DHCP.
All of the PCs should acquire an IP address on the 192.168.1.0/255.255.255.0 network.
Log in to the FortiGate web-based manager by entering admin as the Name and leaving the
password blank. The factory admin account has no password, so set one (System > Admin >
Administrators) before the unit is left connected to the Internet.
Go to System > Network > Interface and Edit the wan1 interface.
Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server, and
Override internal DNS.
If your ISP uses PPPoE or manual addressing you can configure the wan1 interface for these
options instead of DHCP.
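The single configuration step of this recipe as CLI commands, followed by the checks a console session can do without the web-based manager. This is an added example, not from the original cookbook; the command names are FortiOS 4.0 MR3 CLI syntax. Lines beginning with # are comments.

```fortios
# wan1 takes its address, default gateway and DNS servers from the ISP
# (Addressing Mode DHCP, Retrieve Default Gateway from server,
# Override internal DNS).
config system interface
    edit "wan1"
        set mode dhcp
        set defaultgw enable
        set dns-server-override enable
    next
end
# Checks: the lease wan1 obtained, the default route it installed
# (S* 0.0.0.0/0 via the ISP gateway), and the sessions the internal
# PCs are creating (each should show policy_id=1).
get system interface physical
get router info routing-table all
diagnose sys session list
# Equivalent of Renew in the web-based manager when the lease is
# wrong or missing.
execute interface dhcpclient-renew wan1
```

If the routing table shows no default route after the lease is obtained, the ISP's DHCP server did not hand one out and the static default route described under "What if it didn't work?" is needed.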
Results
On any of the PCs connected to the FortiGate internal interface, open a web browser and browse to
any Internet website. You should also be able to connect to the Internet using FTP or any other
protocol or connection method.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit.
The source address of most sessions should be an address on the 192.168.1.0 network. The source
NAT IP for most sessions should be the IP address acquired by the wan1 interface. The policy ID
should be 1, which is the ID of the default security policy that allows users in the internal network to
connect to the Internet.
You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of active
sessions for each policy. Since there is only one policy, that graph contains only one entry. You can
select the bar graph to view the top sessions by source address, destination address, or destination
port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
to get more info about the current sessions. Other dashboard widgets display session history, traffic
history and per-IP bandwidth usage.
What if it didn't work?
Verify that the wan1 interface is getting IP configuration settings from the ISP. Log in to the
web-based manager and go to System > Network > Interface > wan1. Confirm that the
Addressing Mode is set to DHCP and information similar to the following appears showing that
the wan1 interface has acquired an IP address, one or more DNS server IP addresses, and a
default gateway from the ISP.
If the IP address seems incorrect or is missing, select Renew to renew the lease and get new IP
configuration information from the ISP. If you still cannot get a valid IP address, the FortiGate
unit cannot reach the ISP's DHCP server: check the physical link on wan1 and confirm with the
ISP that it assigns addresses by DHCP rather than PPPoE or manual addressing.
Make sure the options to retrieve a default gateway and override the internal DNS are selected. If
your ISP does not supply a DNS server through DHCP, you can go to System > Network > DNS
and manually add one or more DNS server IP addresses for the FortiGate unit to use. These DNS
server IP addresses are also used by the FortiGate DHCP server to provide the IP configuration
for PCs on the internal network.
If your ISP does not supply a default gateway through DHCP you can go to Router > Static >
Static Route and manually add a default route that points from the wan1 interface to the ISP's
default gateway.
If the internal network is configured to get IP addresses from the FortiGate DHCP server, go to
System > Network > DHCP Server and Edit the DHCP server for the internal interface.
Verify that the DHCP server configuration uses the system DNS setting. Go to System > Monitor
> DHCP Monitor to view information about the PCs that have been configured by the FortiGate
unit DHCP server. There should be one entry here for each PC on the network that should have
gotten its address using DHCP.
Check the network configuration of the PCs on the internal network to make sure they are getting
the correct IP configuration from the FortiGate DHCP server. If they are not, they may not be able
to communicate with the FortiGate internal interface. Attempt to renew their DHCP lease, check
other network configuration settings on the PC, and verify the physical connections are OK.
The Use System DNS Setting DHCP server option causes the FortiGate DHCP server to supply
the DNS IP addresses in the System > Network > DNS page of the web-based manager. If
Override internal DNS is selected for a FortiGate interface that gets its configuration from a DHCP
server, the DNS server IP addresses acquired from the ISP are supplied by the FortiGate DHCP
server instead.
If a PC on the internal network sends a DHCP request to the FortiGate unit before the unit has
acquired DNS IP addresses from the ISP, the FortiGate unit sends the DNS IP addresses configured
on the System > Network > DNS page instead. To make sure the PCs receive the correct DNS
server IP addresses, renew the PCs' DHCP leases.
If this does not solve the problem, use the steps described in Troubleshooting NAT/Route mode
installations on page 24 to find and fix the problem.
Changing the address of an internal network in one step using the FortiGate setup wizard
To use as few steps as possible to quickly change the subnet address of an internal network and all
of the devices connected to it.
Figure: FortiGate unit in NAT/Route mode; wan1 gets its address from the ISP's DHCP server, the internal IP address changes from 192.168.1.99 to 192.168.50.10, and the private internal network changes from 192.168.1.0/255.255.255.0 to 192.168.50.0/255.255.255.0.
Solution
Use the FortiGate setup wizard to change the IP address of the FortiGate internal interface and
change the network addresses that the FortiGate DHCP server provides for devices on the Internal
network. Renew the DHCP leases of the devices on the internal network so that they acquire new IP
addresses. You may need to change the address of an internal network if you have two different
internal networks and you want to allow communication between them.
The FortiGate setup wizard deletes all security policies and adds a single security policy configured
by the wizard to allow Internet access from the Internal network. You might not want to use this
solution if you have added custom security policies. However, this solution can be convenient if you
have not added very many security policies.
A more cumbersome solution would be to manually change the IP address of the FortiGate internal
interface and then manually change the IP address of a PC on the internal network. Then you would
need to re-log into the web-based manager and change the configuration of the DHCP server. This
process involves a number of tedious steps; using the wizard simplifies the process to a few simple
steps.
Page through the wizard without making any changes until you get to the Local Area Network
(LAN) Settings page, and change the following settings:
IP Address: 192.168.50.10
Netmask: 255.255.255.0
DHCP Server Start Address: 192.168.50.20
End Address: 192.168.50.60
Continue to step through the wizard without making any other changes.
Most wizard pages display the current configuration and allow you to change it. If you don't make
any changes, the wizard does not change that configuration element. One exception to this is the
Internet Access Policy wizard page. The settings on this page are applied to the security policy
configuration of the FortiGate unit. All existing security policies are removed and replaced with a
single security policy using the settings selected on this wizard page.
Renew the DHCP lease for the devices on the internal network. You may have to restart them, or
bring their interfaces down and back up, to do this.
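The same readdressing done from the CLI instead of the wizard. This is an added example, not from the original cookbook; unlike the wizard it leaves the existing security policies untouched, which is the safer choice when custom policies have been added. The DHCP server entry ID (1) is an assumption, and dns-service default is the CLI form of Use System DNS Setting. Because the internal interface address changes, a web-based manager or SSH session that arrived through the internal interface is cut off at the first end; run this from the console, or expect to reconnect to 192.168.50.10. Lines beginning with # are comments.

```fortios
# Readdress the internal interface (what the wizard's LAN Settings
# page does).
config system interface
    edit "internal"
        set ip 192.168.50.10 255.255.255.0
    next
end
# Move the DHCP scope for the internal interface to the new subnet.
# Entry 1 is assumed; list the real entry first with:
#   show system dhcp server
config system dhcp server
    edit 1
        set interface "internal"
        set default-gateway 192.168.50.10
        set netmask 255.255.255.0
        set dns-service default
        config ip-range
            edit 1
                set start-ip 192.168.50.20
                set end-ip 192.168.50.60
            next
        end
    next
end
# After the PCs renew their leases, confirm they are in the new
# range (CLI counterpart of System > Monitor > DHCP Monitor).
execute dhcp lease-list
```

The order matters: if the DHCP scope were changed before the interface address, the FortiGate unit would briefly offer 192.168.50.x addresses with a gateway it does not yet hold.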
Results
All devices on the internal network (including the FortiGate internal interface) are now on the
192.168.50.0/255.255.255.0 subnet. From any device on the internal network, try connecting to the
Internet.
Log in to the FortiGate web-based manager by browsing to https://192.168.50.10. Go to System >
Network > Interface and verify that the IP address of the internal interface has been changed to
192.168.50.10. Also verify that the configuration of other interfaces has not been changed.
Go to System > Network > DHCP Server and Edit the DHCP server for the internal interface. The IP
range should be changed to the range specified in the wizard, and the default gateway should be
changed to the new internal interface IP address.
Go to System > Monitor > DHCP Monitor and verify that devices on the internal network have
acquired a new address from the FortiGate DHCP server.
Go to Policy > Policy > Policy and verify that the policy list includes one security policy that allows
users on the internal network to access the Internet.
Attempt to connect to the Internet from any device on the Internal network.
If you can't connect from a device on the internal network to the Internet, see Troubleshooting
NAT/Route mode installations on page 24.
Troubleshooting NAT/Route mode installations
Figure: FortiGate unit in NAT/Route mode, performing NAT between the private internal network (192.168.1.0/255.255.255.0, internal interface 192.168.1.99) and the Internet (wan1 172.20.120.14, gateway 172.20.120.2).
Solution
Use the following steps to find and fix the problem that is preventing users from connecting to the
Internet.
Check the physical network connections between the PC and the FortiGate unit, as well as
between the FortiGate unit and your ISP's equipment.
The Unit Operation dashboard widget indicates the connection status of FortiGate network
interfaces (System > Dashboard > Status).
Verify that you can connect to the internal IP address of the FortiGate unit.
For example, use a web browser to connect to the web-based manager from the FortiGate
internal interface by browsing to its IP address (for example, https://192.168.1.99).
From the PC, ping the internal interface IP address. For example:
ping 192.168.1.99
If you cannot connect to the internal interface, verify the IP configuration of the PC and make sure
cables are connected and all network equipment, such as switches, is powered on and operating.
Go to the next step when you can connect to the internal interface.
Check the configuration of the FortiGate interface connected to the Internal network.
Check the configuration of the FortiGate interface that connects to the Internet to make sure it
includes the proper addressing mode.
If the addressing mode is manual, make sure the IP address and netmask is correct.
If the addressing mode is DHCP, see What if it didn't work? on page 20.
To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate
CLI and use the execute ping command to ping an address or domain name on the Internet.
You can also use the execute traceroute command to troubleshoot connectivity to the
Internet.
Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can
check for DNS errors by pinging or using traceroute to connect to a domain name. If the name
cannot be resolved the FortiGate unit or PC cannot connect to a DNS server and you should
confirm the DNS server IP addresses are present and correct. For example:
ping www.fortinet.com
ping: cannot resolve www.fre.com: Unknown host
Verify that a security policy like the following, which allows traffic from the internal interface to
wan1, is present in the policy list:
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Go to Router > Static > Static Route and verify that the default route is correct. Go to
Router > Monitor > Router Monitor and take a look at the routing monitor and verify
that the default route appears in the list as a static route. Along with the default route,
you should see at least two connected routes, one for each connected FortiGate
interface.
If you have enabled web filtering in a security policy it may be blocking access to the web site that
you are attempting to connect to. This can happen for a number of reasons. If disabling web
filtering allows you to connect to the Internet with a web browser, then the web filter profile
selected in the policy was blocking access to the site you were attempting to connect to. This
could happen because the configuration of the default web filter profile is blocking access to your
site. It's also possible that FortiGuard Web Filtering produced a rating error for the web site and
the default web filter profile is configured to block access to sites when a rating error occurs. A
rating error could occur for a number of reasons, including not being able to access FortiGuard
web filter ratings. To fix this problem, you can go to UTM Profiles > Web Filter > Profile, and in
the default profile, select Advanced Filter and enable the Allow Websites When a Rating Error
Occurs option.
Other things you can try:
Verify that you can connect to the wan1 IP address of the FortiGate unit. Once you have
established that the internal network is operating, you could try pinging the FortiGate wan1
interface IP address (for example, ping 172.20.120.12). (The wan1 interface responds to pings if
ping administrative access is selected for that interface (go to System > Network > Interface
and edit the wan1 interface to enable ping administrative access)). If you cannot connect to the
wan1 interface, the FortiGate unit is not allowing internal to wan1 sessions.
Verify that you can connect to the gateway provided by your ISP.
Inserting a FortiGate unit into a network without changing the network configuration (Transparent mode)
[Figure: FortiGate unit in Transparent mode between the internal network (10.31.101.0/255.255.255.0) and the router (10.31.101.100); management IP 10.31.101.40; security policies allow traffic between network segments.]
This solution requires adding network security without replacing the router. The FortiGate unit should
block access from the Internet to the private network but allow users on the private network to
connect to the Internet. The FortiGate unit should also monitor application usage and find and
remove viruses.
Solution
Watch the video: http://docs.fortinet.com/cb/inst1.html
Install a FortiGate unit in Transparent mode between the internal network and the router. Add a
security policy to the FortiGate unit that allows users on the internal network to connect to the
Internet and add virus scanning and application control to this security policy. No network changes
are required, except to provide the FortiGate unit with a management IP address.
Changing to Transparent mode removes most configuration changes made in NAT/Route mode. If
you want to keep your current NAT/Route mode configuration you should back up your FortiGate
NAT/Route mode configuration from the System Information dashboard widget.
Go to System > Dashboard > Status > System Information and beside Operation Mode select
Change and configure the following:
Operation Mode: Transparent
Management IP/Netmask: 10.31.101.40/255.255.255.0
Default Gateway: 10.31.101.100
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet.
Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan1
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
Select UTM. Select Enable Antivirus and select Enable Application Control.
12 Connect the FortiGate unit between the network and the router.
Router
wan1
internal
Internal Network
Connect the wan1 interface to the router internal interface. Connect the internal network to the
FortiGate-60C internal interface switch. If the Internal network consists of only five devices, they
can all be connected to the internal interface switch.
13 Power on the FortiGate unit.
Results
From a PC on the internal network, open a web browser and browse to any Internet website. You
should also be able to connect to the Internet using FTP or any other protocol or connection method.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit.
The source address of most sessions should be an address on the 10.31.10.0 network. The Src NAT
IP and Src NAT port columns are blank because no NAT is taking place. The policy ID should usually
be 1, which is usually the ID of the first security policy that you added.
You can also see results by going to Policy > Monitor > Policy Monitor, to view a graph of active
sessions for each policy. Since there is only one policy, that graph contains only one entry. You can
select the bar graph for policy 1 to view the top sessions by source address, destination address, or
destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
If a FortiGate unit operating in Transparent mode is installed between a DHCP server and PCs that
get their address by DHCP, you must add a security policy to allow the DHCP server's response to
get back through the FortiGate unit from the DHCP server to the DHCP client. The internal to wan1
policy allows the DHCP request to get from the client to the server, but the response from the server
is a new session, not a typical response to the originating request, so the FortiGate unit will not
accept this new session unless you add a wan1 to internal policy with the service set to DHCP.
If you can browse the Internet from the internal network, your configuration is successful. If you
cannot, try the steps described in Troubleshooting Transparent mode installations on page 31 to
find the problem.
[Figure: FortiGate unit in Transparent mode between the internal network (10.31.101.0/255.255.255.0) and the router; management IP 10.31.101.40; security policies allow traffic between network segments.]
Solution
Use the following steps to find and fix the problem that is preventing users from connecting through
the FortiGate unit.
1 Check the physical network connections between the network and the FortiGate unit, and
between the FortiGate unit and the Internet.
The Unit Operation dashboard widget indicates the connection status of FortiGate network
interfaces.
Check the router and ISP-supplied equipment to make sure it is operating correctly.
Verify that you can connect to the internal interface by connecting to the management IP address
of the FortiGate unit from the Internal network.
From the internal network, attempt to ping the management IP address. If you cannot connect to
the internal interface, verify the IP configuration of the PC and make sure the cables are
connected and all switches and other devices on the network are powered on and operating. Go
to the next step when you can connect to the internal interface.
To verify that you can communicate from the FortiGate unit to the Internet, access the FortiGate
CLI and use the execute ping command to ping an address on the Internet. You can also use
the execute traceroute command to troubleshoot connectivity to the Internet.
Verify the DNS configurations of the FortiGate unit and the PCs on the internal network. You can
check for DNS errors by pinging or using traceroute to connect to a domain name. If the name
cannot be resolved the FortiGate unit or PC cannot connect to a DNS server and you should
confirm the DNS server IP addresses are present and correct. For example:
ping www.fortinet.com
ping: cannot resolve www.fre.com: Unknown host
Verify that a security policy like the following, which allows traffic from the internal interface to
wan1, is present in the policy list:
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Verify that you can connect to the gateway provided by your ISP. Try pinging the default gateway
IP address from a PC on the internal network.
10 Confirm that the FortiGate unit can connect to the FortiGuard network.
Once registered, the FortiGate unit obtains antivirus and application control and other updates
from the FortiGuard network. Once the FortiGate unit is on your network, you should confirm that
it can reach the FortiGuard network. The FortiGate unit must be able to connect to the network
from its management IP address. If the following tests provide incorrect results, the FortiGate unit
cannot connect to the Internet from its management IP address. Check the FortiGate unit's
default route to make sure it is correct. Check your Internet firewall to make sure it allows
connections from the FortiGate management IP address to the Internet.
First, check the License Information dashboard widget to make sure the status of all FortiGuard
services matches the services that you have purchased. The FortiGate unit connects to the
FortiGuard network to obtain this information.
Go to System > Config > FortiGuard. Open web filtering and email options and select Test
Availability. After a minute the web-based manager should indicate that the connection was
successful.
11 Check the FortiGate bridge table.
The bridge table is a list of MAC addresses of devices on the same network as the FortiGate unit
and the FortiGate interfaces from which each MAC address was found. The FortiGate unit uses
this table to determine where to forward a packet. If the MAC address of a specific device is not
being added to the bridge table, packets to that MAC address will be blocked. This may
appear as traffic going to a MAC address, but no reply traffic coming back. In this situation, check
the bridge table to ensure the correct MAC addresses have been added to it. Use
the following CLI command to check the bridge table associated with the root VDOM.
diagnose netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no  device  devname   mac addr           ttl  attributes
3        4       wan1      00:09:0f:cb:c2:77  88
3        4       wan1      00:26:2d:24:b7:d3  0
3        4       wan1      00:13:72:38:72:21  98
4        3       internal  00:1a:a0:2f:bc:c6  6
1        6       dmz       00:09:0f:dc:90:69  0    Local Static
3        4       wan1      c4:2c:03:0d:3a:38  81
3        4       wan1      00:09:0f:15:05:46  89
3        4       wan1      c4:2c:03:1d:1b:10  0
2        5       wan2      00:09:0f:dc:90:68  0    Local Static
If your device's MAC address is not listed, the FortiGate unit cannot find the device on the
network. This could indicate that the device is not connected or not operating. Check the device's
network connections and make sure it is operating correctly.
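As an added example that is not part of the Cookbook, the following Python script parses bridge table output in the layout shown above and answers the question this step asks: is the device's MAC address present, and was it learned on the interface you expect? The sample table embedded in the script is constructed for the example; its MAC addresses are sample values, and the helper names (find_mac, check_device, learned_macs_per_interface) are the example's own.

```python
"""Look up MAC addresses in a FortiGate Transparent-mode bridge table.

Added example, not code from the FortiGate Cookbook: it parses the text that
'diagnose netlink brctl name host root.b' prints and reports whether, and on
which interface, a device's MAC address was learned.
"""
import re

# Constructed sample in the layout shown in the cookbook; not captured from a real unit.
SAMPLE_BRIDGE_TABLE = """\
show bridge control interface root.b host.
fdb: size=2048, used=25, num=25, depth=1
Bridge root.b host table
port no  device  devname   mac addr           ttl  attributes
3        4       wan1      00:09:0f:cb:c2:77  88
3        4       wan1      00:26:2d:24:b7:d3  0
4        3       internal  00:1a:a0:2f:bc:c6  6
1        6       dmz       00:09:0f:dc:90:69  0    Local Static
2        5       wan2      00:09:0f:dc:90:68  0    Local Static
"""

# One learned entry: port no, device, devname, mac addr, ttl, optional attributes.
ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?P<device>\d+)\s+(?P<devname>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ttl>\d+)"
    r"(?:\s+(?P<attrs>\S.*?))?\s*$",
    re.IGNORECASE,
)


def parse_bridge_table(text):
    """Return one dict per table row; header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        entries.append({
            "port": int(m.group("port")),
            "device": int(m.group("device")),
            "devname": m.group("devname"),
            "mac": m.group("mac").lower(),
            "ttl": int(m.group("ttl")),
            "attrs": m.group("attrs") or "",
        })
    return entries


def find_mac(text, mac):
    """Interface on which `mac` was learned, or None if it is not in the table."""
    mac = mac.lower()
    for entry in parse_bridge_table(text):
        if entry["mac"] == mac:
            return entry["devname"]
    return None


def check_device(text, mac, expected_iface):
    """Troubleshooting verdict for one device: 'ok', 'missing', or 'learned on X, expected Y'."""
    seen_on = find_mac(text, mac)
    if seen_on is None:
        return "missing"
    if seen_on == expected_iface:
        return "ok"
    return "learned on %s, expected %s" % (seen_on, expected_iface)


def learned_macs_per_interface(text):
    """Count dynamically learned MACs per interface, excluding the unit's own
    Local Static entries. An interface with no entries is hearing no traffic
    from its side of the bridge."""
    counts = {}
    for entry in parse_bridge_table(text):
        if "Static" in entry["attrs"]:
            continue
        counts[entry["devname"]] = counts.get(entry["devname"], 0) + 1
    return counts


if __name__ == "__main__":
    print(check_device(SAMPLE_BRIDGE_TABLE, "00:1a:a0:2f:bc:c6", "internal"))
    print(learned_macs_per_interface(SAMPLE_BRIDGE_TABLE))
```

To use it against a real unit, paste the CLI output into SAMPLE_BRIDGE_TABLE or read it from a file; a verdict of "learned on wan1, expected internal" for a device that should be on the internal side usually points at cabling or switch-port errors rather than at the FortiGate configuration.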
Verifying the current firmware version and upgrading the FortiOS firmware
Solution
View the current firmware version from the web-based manager and CLI. Download a new version of
FortiOS from the Fortinet Customer Support web site and install it from the web-based manager.
Firmware images for all FortiGate units are available on the Fortinet Customer Support web site. You
must register your FortiGate unit to access firmware images. Register the FortiGate unit by visiting
http://support.fortinet.com and select Product Registration.
Always review the Release Notes before installing a new firmware version. They provide the
recommended upgrade path for the firmware release as well as additional information not available
in other documentation. Only perform a firmware upgrade during a maintenance window.
1 Log in to the web-based manager and view the dashboard System Information widget to see
the Firmware Version currently installed on your FortiGate unit.
From the FortiGate CLI you can also enter the following command. The first output line indicates the
FortiOS firmware version installed on your FortiGate unit:
get system status
Version: Fortigate-60C v4.0,build0458,110627 (MR3 Patch 1)
Virus-DB: 11.00773(2010-05-04 13:32)
Extended DB: 0.00000(2010-03-16 10:31)
IPS-DB: 3.00000(2011-05-18 15:09)
FortiClient application signature package: 1.421(2011-09-08 10:19)
Serial-Number: FGT60C3G10002814
BIOS version: 04000010
Log hard disk: Need format
Internal Switch mode: switch
Hostname: FGT60C3G10002814
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Select FortiGate firmware images and browse to the FortiOS firmware version that you want to
install (for example, browse to FortiGate/v4.00/4.0MR3/MR3_Patch_1).
Download and read the Release Notes for this firmware version.
Always review the Release Notes before installing a new firmware version in case you cannot
update to the new firmware release from the one currently running.
Always remember to back up your configuration before doing any firmware upgrades.
Results
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version, restarts,
and displays the FortiGate login. This process takes a few minutes.
From the FortiGate web-based manager, go to System > Dashboard > Status. In the System
Information widget, the Firmware Version will show the updated version of FortiOS (or from the CLI
enter get system status).
Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
Make sure the TFTP server is running and copy the firmware image file to the TFTP server.
As the FortiGate unit starts, a series of system startup messages appears. When the following
message appears:
Press any key to display configuration menu..........
Enter G, F, Q, or H:
Type G to get the new firmware image from the TFTP server.
When prompted, enter the TFTP server IP address, and local FortiGate IP address.
The IP address can be any IP address that is valid for the network the interface is connected to.
Make sure you do not enter the IP address of another device on this network.
8 When prompted how to save the default firmware, type D to load it as the default.
The FortiGate unit installs the new firmware image and restarts.
When loading the firmware using this method, the existing configuration is reset to defaults. You will
need to reconfigure the IP addresses and load the configuration file from the System Information
widget on the Dashboard.
[Figure: FortiGuard Network]
Solution
If you have purchased FortiGuard services and registered your FortiGate unit it should automatically
connect to the FortiGuard Distribution Network (FDN) and display license information about your
FortiGuard services. Verify whether the FortiGate unit is communicating with the FDN by checking
the License Information dashboard widget. The FortiGate unit automatically connects with the
FortiGuard network to verify the FortiGuard Services status for the FortiGate unit.
Any subscribed services should have a green check mark beside them, indicating that connections
are successful. A grey X indicates that the FortiGate unit cannot connect to the FortiGuard network,
or that the FortiGate unit is not registered. A red X indicates that the FortiGate unit was able to
connect but that a subscription has expired, or has not been activated.
Use the following steps to troubleshoot FortiGuard services.
1 Verify that you have registered your FortiGate unit, purchased FortiGuard services, and that the
services have not expired.
You can verify the support status for your FortiGate unit at the Fortinet Support website
(https://support.fortinet.com/).
Verify that the FortiGate unit can communicate with the Internet.
The FortiGate unit should be able to communicate with the FortiGuard network if it can
communicate with the Internet.
Go to Router > Monitor > Routing Monitor (NAT/Route mode) or System > Network > Routing
Table and verify that a default route is available and configured correctly.
Go to System > Network > DNS and make sure the primary and secondary DNS servers are
correct, as provided by your ISP. The FortiGate unit connects to the FortiGuard network using a
domain name, not a numerical IP address.
If the FortiGate interface connected to the Internet gets its IP address using DHCP, you should
make sure Override internal DNS is selected so that the FortiGate unit gets its DNS server IP
addresses from the ISP using DHCP.
Verify that the FortiGate unit can connect to the DNS servers using the execute ping command
to ping them.
You can also attempt a traceroute from FortiGate CLI to an external network using a domain
name for a location, for example, enter the command:
execute traceroute www.fortiguard.com
If the command cannot find the numeric IP address of www.fortiguard.com, then the FortiGate
unit cannot connect to the configured DNS servers.
Make sure that at least one security policy includes antivirus.
If no security policies include antivirus, the antivirus database may not be updated.
Verify that the FortiGate unit can communicate with the FortiGuard network.
At System > Config > FortiGuard > Antivirus and IPS Options, you can select Update now to
force an immediate update of the antivirus and IPS databases. After a few minutes, you can verify
if the updates were successful.
10 Test the availability of web filtering and email filtering lookups from System > Config >
FortiGuard > Web Filtering and Email Filtering options by selecting the Test Availability
button.
If the test is not successful, try changing the port that is used for web filtering and email filtering
lookups. The FortiGate unit uses port 53 or 8888 to communicate with the FortiGuard network
and some ISPs may block one of these ports.
11 Determine if there is anything upstream that might be blocking FortiGuard traffic, either on the
It is possible ports that are used to contact the FortiGuard network are being changed before
reaching FortiGuard, or on the return trip, before reaching your FortiGate unit. A possible solution
for this is to use a fixed-port at the NAT firewall to ensure the port number remains the same.
FortiGate units contact the FortiGuard Network by sending UDP packets with typical source ports
of 1027 or 1031, and destination ports of 53 or 8888. The FDN reply packets would then have a
destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN reply
packets. You can select a different source port range for the FortiGate unit to use. If your ISP
blocks the lower range of UDP ports (around 1024), you can configure your FortiGate unit to use
higher-numbered ports such as 2048-20000, using the following CLI command:
config system global
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your
ISP to determine the best range to use.
13 Display the FortiGuard server list
The get webfilter status CLI command shows the list of FortiGuard servers that the
FortiGate unit can connect to. The command should show more than one server.
get webfilter status
Locale          : english
License         : Contract
Expiration      : Thu Oct 9 02:00:00 2012
Hostname        : service.fortiguard.net
-=- Server List (Wed Sep 14 14:39:46 2011) -=-
IP               Weight  RTT  Flags  TZ  Packets
69.20.236.179    30      3           -5  30491
174.137.33.92    0       91          -8  8794
208.91.112.196   0       62          -8  146
69.20.236.180    30      4           -5  11620
209.222.147.36   30      22          -5  8799
66.117.56.42     30      24          -5  8792
66.117.56.37     30      24          -5  8793
69.20.236.182    30      4           -5  11332
69.195.205.101   30      32          -5  8810
80.85.69.37      80      85          0   8800
80.85.69.41      80      85          0   8804
80.85.69.40      80      88          0   8808
62.209.40.72     90      109         1   8791
208.91.112.194   118     128  DI     -8  12713
116.58.208.39    160     276         8   8805
Hostname is the name of the FortiGuard server the FortiGate unit will attempt to contact. The
Server List includes the IP addresses of alternate servers if the first entry cannot be reached. In
this example, the IP addresses are not public addresses.
The following flags in get webfilter status indicate the server status:
D - the server was found through the DNS lookup of the hostname. If the hostname returns
more than one IP address, all of them will be flagged with D and will be used first for INIT
requests before falling back to the other servers.
I - the server to which the last INIT request was sent.
F - the server has not responded to requests and is considered to have failed.
T - the server is currently being timed.
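As an added example that is not part of the Cookbook, the following Python script parses a server list in the layout shown above and summarizes it using the flag meanings just listed: which servers are marked failed (F), which one received the last INIT request (I), which came from the DNS lookup (D), and whether the list passes the check that more than one usable server is shown. The sample output is constructed for the example using RFC 5737 documentation addresses; the helper names (parse_server_list, servers_with_flag, summarize) are the example's own.

```python
"""Summarize the FortiGuard server list printed by 'get webfilter status'.

Added example, not code from the FortiGate Cookbook: it parses the server
table (IP, Weight, RTT, Flags, TZ, Packets) and reports the servers carrying
the D, I, F and T flags, so a list with failed or too few servers stands out.
"""
import re

# Constructed sample in the cookbook's layout, using RFC 5737 documentation
# addresses; not captured from a real unit.
SAMPLE_STATUS = """\
Locale          : english
License         : Contract
Expiration      : Thu Oct 9 02:00:00 2012
Hostname        : service.fortiguard.net
-=- Server List (Wed Sep 14 14:39:46 2011) -=-
IP               Weight  RTT  Flags  TZ  Packets
192.0.2.10       30      3           -5  30491
192.0.2.11       0       91   F      -8  8794
198.51.100.5     30      22   T      -5  8799
203.0.113.7      118     128  DI     -8  12713
"""

# One server row; the Flags column may be empty.
ROW_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<weight>\d+)\s+(?P<rtt>\d+)"
    r"\s+(?P<flags>[A-Z]*)\s*(?P<tz>-?\d+)\s+(?P<packets>\d+)\s*$"
)

FLAG_MEANING = {
    "D": "found through DNS lookup of the hostname",
    "I": "target of the last INIT request",
    "F": "not responding, considered failed",
    "T": "currently being timed",
}


def parse_server_list(text):
    """Return one dict per server row; the key/value header lines are ignored."""
    servers = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            servers.append({
                "ip": m.group("ip"),
                "weight": int(m.group("weight")),
                "rtt": int(m.group("rtt")),
                "flags": set(m.group("flags")),
                "tz": int(m.group("tz")),
                "packets": int(m.group("packets")),
            })
    return servers


def servers_with_flag(servers, flag):
    """IP addresses of the servers whose Flags column contains `flag`."""
    return [s["ip"] for s in servers if flag in s["flags"]]


def summarize(text):
    """Health summary: server count, failed servers, the INIT target, the
    DNS-derived servers, and whether more than one usable server is listed."""
    servers = parse_server_list(text)
    failed = servers_with_flag(servers, "F")
    init = servers_with_flag(servers, "I")
    usable = [s["ip"] for s in servers if "F" not in s["flags"]]
    return {
        "total": len(servers),
        "failed": failed,
        "init_target": init[0] if init else None,
        "dns_servers": servers_with_flag(servers, "D"),
        "ok": len(servers) > 1 and len(usable) >= 1,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_STATUS)
    for ip in report["failed"]:
        print(ip, "-", FLAG_MEANING["F"])
    print(report)
```

A summary whose "failed" list covers most of the servers, or whose "total" is one, matches the symptoms the troubleshooting steps above address: the unit is reaching DNS but not the FortiGuard servers themselves, which points back at the default route, the DNS servers, or an upstream device altering the ports.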
[Figure: administrator with an admin profile, Internal Network, FortiGate Unit, DHCP Server]
Solution
Create a new administrator with the super_admin profile, to enable full access to all FortiGate
features.
1 Go to System > Admin > Administrators and select Create New to add the following
administrator:
Administrator: Terry_White
Type: Regular
Password: password
Confirm Password: password
Admin Profile: super_admin
Administrator names and passwords are case-sensitive. You cannot include the < > ( ) #
characters in an administrator name or password. Spaces are allowed, but not as the first or last
character. Spaces in a name or password can be confusing and require the use of quotes to enter
the name in the CLI.
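As an added example that is not part of the Cookbook, the following Python helper checks a proposed administrator name or password against the rules just stated (no < > ( ) # characters, no leading or trailing space) and shows how a name containing an inner space has to be quoted on the CLI. It is useful when accounts are provisioned from a script rather than by hand; the function names are the example's own.

```python
"""Check administrator names and passwords against the FortiGate naming rules.

Added example, not code from the FortiGate Cookbook: it rejects the < > ( ) #
characters and leading or trailing spaces, and quotes names that contain
inner spaces for use in CLI commands.
"""
FORBIDDEN_CHARS = set("<>()#")


def credential_problems(value):
    """Return a list of rule violations; an empty list means the value is acceptable."""
    problems = []
    if not value:
        problems.append("empty")
        return problems
    bad = sorted(FORBIDDEN_CHARS & set(value))
    if bad:
        problems.append("contains disallowed characters: " + " ".join(bad))
    # Spaces are allowed inside the value but not as its first or last character.
    if value[0] == " " or value[-1] == " ":
        problems.append("starts or ends with a space")
    return problems


def cli_argument(name):
    """Quote a name for a CLI command when it contains spaces; otherwise return it unchanged."""
    return '"%s"' % name if " " in name else name


if __name__ == "__main__":
    for candidate in ("Terry_White", "Terry White", " Terry", "audit#1"):
        print(repr(candidate), credential_problems(candidate) or "ok", cli_argument(candidate))
```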
The admin profile dictates what parts of the FortiGate configuration the administrator can see and
configure from web-based manager and CLI. You can add multiple profiles and assign users and
administrators different profiles, depending on what they are tasked to do with the FortiGate unit.
Results
Log in to the FortiGate using the user name of Terry_White and the password of password. As this
administrator, you can view all web-based manager pages and change all FortiGate configuration
settings.
From the FortiGate web-based manager, go to Log&Report > Event Log to verify that the login
activity occurred.
Select the log entry to view detailed information, which indicates the admin user connected. The
Message field indicates that Terry White logged in successfully from 192.168.1.1.
Go to System > Dashboard > Status, and view the System Information widget. The Current
Administrator field indicates the number of administrators logged in.
Distributing sessions between dual redundant Internet connections with usage-based ECMP
Protecting an email server with a FortiGate unit without changing the network (Transparent Mode)
Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit
Setting up an administrator account for monitoring firewall activity and basic maintenance
Creating a local DNS server listing for internal web sites and servers
Creating, saving, and using packet capture filters (sniffing packets from the web-based manager)
[Figure: FortiGate unit with two Internet connections. wan1 172.20.120.14 with gateway 172.20.120.2 to the Primary ISP; wan2 (DHCP) to the Backup ISP; Internal Network 192.168.1.0/255.255.255.0 on the internal interface (192.168.1.99).]
Create a backup Internet connection with your FortiGate unit, so that if the primary Internet
connection fails, some or all traffic automatically switches to the backup Internet connection, and
when the primary Internet connection is restored, traffic automatically switches back to it.
Solution
Watch the video: http://docs.fortinet.com/cb/inst2.html
This solution describes how to improve the reliability of a network's connection to the Internet by
using two Internet connections to two different ISPs. In this solution, the primary ISP is connected to
wan1 with a static IP and the backup ISP is connected to wan2 using DHCP.
To allow the internal network to use wan1 to connect to the Internet add internal to wan1 security
policies. Add duplicate internal to wan2 security policies to use wan2 to connect to the Internet.
You can choose to reduce the amount of traffic when the wan2 interface is operating by adding
fewer security policies for connections to the wan2 interface. You could also use techniques such as
traffic shaping to limit the amount of traffic processed by the wan2 interface. You could also add
security policies that include FortiGuard web filtering or other web filtering techniques to block
popular but less important websites. Application control could also be used to limit the applications
that can be used when traffic is using the wan2 interface.
1 Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the
internal network to the internal interface.
[Figure: Internal Network, internal interface, FortiGate unit, wan1 interface, Primary ISP]
2 From a PC on the Internal network, log in to the FortiGate web-based manager using admin and
no password.
Go to System > Network > Interface and Edit the wan1 interface and change the following
settings:
Addressing mode: Manual
IP/Netmask: 172.20.120.14/255.255.255.0
Edit the internal interface and change the following settings:
Addressing mode: Manual
IP/Netmask: 192.168.1.99/255.255.255.0
Go to Router > Static > Static Route and select Create New to add the following default route.
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: wan1
Gateway: 172.20.120.2
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet through the wan1 interface.
Some FortiGate models include this security policy in the default configuration. If you have one of
these models, this step has already been done for you.
Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan1
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
Go to System > Network > Interface and Edit the wan2 interface.
Set the Addressing Mode to DHCP and select Retrieve Default Gateway from server. Clear
the checkbox for Override internal DNS.
Make sure Retrieve Default Gateway from server is selected so that a default route is added to
the routing table. Normally in a dual Internet configuration, you would not select Override internal
DNS because you would not want the FortiGate unit to use the backup ISPs DNS servers.
[Figure: Internal Network, internal interface, FortiGate unit, wan1 to the Primary ISP, wan2 to the Backup ISP]
6 Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet through the wan2 interface.
Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan2
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
Set the default route to wan1 to be the primary default route and add a ping server for wan1 and a
ping server for wan2.
As a result of this configuration, the FortiGate unit will have two default routes, one that directs traffic
to wan1 and one that directs traffic to wan2. The default route to wan2 is obtained from the backup
ISP's DHCP server. The ping servers verify the ability of the wan1 and wan2 interfaces to connect to
the Internet.
Because the wan2 default route is acquired from the ISP using DHCP, the distance of the wan2
default route must be changed by editing the wan2 interface.
1 Go to Router > Static > Static Route and Edit the wan1 default route, select Advanced and set
the Distance to 10.
The distance may already be set to 10 so you may not actually have to change it.
Go to System > Network > Interface list. Edit the wan2 interface and set the distance to 20 (or
any number higher than 10).
To confirm which default route is now actually being used by the FortiGate unit, go to Router >
Monitor > Routing Monitor to view the current FortiGate routing table. Routes that are not active
do not appear on the routing monitor. In this example, only the one static route should appear: the
wan1 default route. Its distance should be 10. Connected routes for the connected interfaces
should also appear.
If you edit the wan2 interface and set the distance to a lower value (say 5), the wan1 default route is
removed from the router monitor and is replaced with the wan2 default route (because the wan2
route has the lower distance). You can also have both default routes appear in the router monitor by
setting their distances to the same value (say 10). When both routes have the same distance, this is
known as equal cost multi path (ECMP) routing and both default routes are used. Sessions are load
balanced between them. For an example, see Distributing sessions between dual redundant
Internet connections with usage-based ECMP on page 58.
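As an added example that is not part of the Cookbook, the following Python model reproduces the route selection rule just described: a default route whose ping server reports the link down is withdrawn, and among the remaining default routes only those sharing the lowest distance stay active, all of them when several tie (ECMP). It goes slightly beyond the text by running the full fail-over and fail-back sequence in one call. The route objects, gateway strings and function names are the example's own; the wan2 gateway is shown as a placeholder because in this recipe it is assigned by the backup ISP's DHCP server.

```python
"""Model which default routes a FortiGate unit keeps active.

Added example, not code from the FortiGate Cookbook: a route is withdrawn when
its interface's ping server reports the link down, and among the routes that
remain only those with the lowest distance appear in the routing monitor;
equal distances give ECMP with all tied routes active.
"""
from dataclasses import dataclass


@dataclass
class DefaultRoute:
    device: str            # egress interface, e.g. wan1
    gateway: str           # next hop
    distance: int          # administrative distance; lower wins
    link_up: bool = True   # outcome of the interface's ping server check


def active_default_routes(routes):
    """Routes that would appear in the routing monitor."""
    live = [r for r in routes if r.link_up]
    if not live:
        return []
    best = min(r.distance for r in live)
    return [r for r in live if r.distance == best]


def egress_interfaces(routes):
    """Sorted names of the interfaces currently carrying Internet-bound traffic."""
    return sorted(r.device for r in active_default_routes(routes))


def with_link(routes, device, up):
    """Copy of `routes` with the ping-server result for `device` set to `up`."""
    return [
        DefaultRoute(r.device, r.gateway, r.distance, up if r.device == device else r.link_up)
        for r in routes
    ]


def failover_sequence(routes, primary):
    """Egress interfaces before failure, after the primary link fails, and after it is restored."""
    failed = with_link(routes, primary, False)
    restored = with_link(failed, primary, True)
    return (egress_interfaces(routes), egress_interfaces(failed), egress_interfaces(restored))


# Constructed scenario from the recipe: wan1 static route at distance 10,
# wan2 route learned by DHCP with its distance raised to 20 on the interface.
EXAMPLE_ROUTES = [
    DefaultRoute("wan1", "172.20.120.2", 10),
    DefaultRoute("wan2", "<assigned by backup ISP DHCP>", 20),
]

if __name__ == "__main__":
    print(failover_sequence(EXAMPLE_ROUTES, "wan1"))
    ecmp = [DefaultRoute("wan1", "172.20.120.2", 10),
            DefaultRoute("wan2", "<assigned by backup ISP DHCP>", 10)]
    print(egress_interfaces(ecmp))
```

The model also shows why the distance set on the wan2 interface matters: with wan2 at distance 5 the wan2 route replaces the wan1 route even while wan1 is healthy, which is the behaviour the paragraph above describes.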
Go to Router > Static > Settings and select Create New and add the wan1 ping server:
Interface: wan1
Ping Server: 172.20.120.2
Detect Protocol: ICMP Ping
Failover Threshold
Select Create New and add the wan2 ping server. The wan2 ping server is optional for this
configuration. However, adding the wan2 ping server means the FortiGate unit will record event log
messages when the wan2 ping server can't reach its destination.
Interface: wan2
Ping Server: 10.41.101.100
Detect Protocol: ICMP Ping
Failover Threshold
Results
If the wan1 ping server can connect to its ping server IP address the routing monitor appears as
shown above with a default route to the wan1 interface. All traffic to the Internet uses the wan1
interface and the internal to wan1 security policy. You can verify this by viewing the routing monitor
and by going to Policy > Policy > Policy and viewing the Count column for the internal to wan1 and
internal to wan2 policies while connecting to the Internet. The internal to wan1 policy count should
increase, while the internal to wan2 count should not.
If you change the network so that the wan1 ping server cannot connect to its ping server IP address,
(for example, by physically disconnecting the cable from the wan1 interface), the default route should
change to the wan2 interface (called default route failover):
With the wan2 link active, attempt to connect to the Internet from the Internal network. If you can
connect, this confirms that the dual Internet connection configuration is correct. View the security
policy count column for the internal to wan2 policy. The count should be increasing, indicating that
this policy is accepting traffic.
When you restore the wan1 interface's connection, the ping server should detect that network traffic
is restored and the routing table should revert to including the wan1 default route. Sessions that
were established using the internal to wan2 security policy continue to use this policy and the wan2
interface until they are terminated; all new sessions use the internal to wan1 security policy.
Outgoing sessions and their responses that are in progress during a failover will have to be restarted
after the failover, since responses to traffic sent out on one interface will not come back on another.
During a failover, incoming sessions received by a firewall VIP security policy from the wan1
interface before the failover may be sent out the wan2 interface after the failover. Outbound
sessions initiated by the server and sent out the VIP security policy will have their source IP address
modified according to the interface that sends the session to the Internet. If the wan1 link fails,
outgoing VIP sessions automatically fail over to wan2. The source address of these sessions
depends on the address defined in the firewall VIP.
If you can browse the web from the internal network, your configuration is successful. If you cannot,
try the steps described in Troubleshooting NAT/Route mode installations on page 24 to find the
problem.
Changing this redundant Internet configuration to use ECMP
The basic redundant Internet connection scenario described in this section should be successful for
many networks. However, to potentially improve default route failover performance and to reduce the
number of failovers for incoming connections when the primary ISP fails and reconnects, you could
implement Equal Cost Multipath (ECMP) routing.
You could implement a basic ECMP configuration of this redundant Internet connection scenario by
setting the distances for both default routes to the same value and setting the priority of the default
route to the primary ISP to a lower value than the priority of the default route to the backup ISP. The
route with the lowest priority value is considered the best route. Use the following steps to modify the
configuration.
Because the wan2 default route is acquired from the ISP using DHCP, the priority of the wan2
default route must be changed by editing the wan2 interface from the CLI.
Go to Router > Static > Static Route and Edit the wan1 default route.
Enter the following CLI command to edit the distance and priority of the wan2 default route.
config system interface
edit wan2
set distance 10
set priority 20
end
Since the wan1 default route has the lowest priority it is considered the best route and all traffic
heading from the private network for the Internet uses the wan1 interface.
When two different distances are used on the wan1 and wan2 default routes, traffic originating from
the Internet can only be responded to by the interface whose default route has the lowest
distance metric (wan1). If a user from the Internet has established a connection to the internal
network through the wan1 interface, the user would lose their connection if the wan1 connection to
the Internet fails. After a brief interruption the user would automatically reconnect through the
wan2 interface. When the wan1 Internet connection comes back, the user's connection would be
interrupted a second time because it would have to switch back to the wan1 interface, since the
wan2 interface would no longer be able to process traffic.
When ECMP is implemented, both interfaces are able to respond to traffic initiated from the Internet
because the routing is based on the session table. The user would still lose their connection when the
wan1 Internet connection fails, but after reconnecting through the wan2 interface the user's
connection would continue on the wan2 interface after the wan1 connection was restored, resulting
in only a single interruption.
A number of ECMP scenarios are available. For another, see Distributing sessions between dual
redundant Internet connections with usage-based ECMP on page 58.
[Figure: network diagram for this example. The internal network 192.168.1.0/255.255.255.0 connects to the internal interface (192.168.1.99); wan1 (172.20.120.14) reaches the primary ISP through the WAN1 gateway 172.20.120.2; the modem interface reaches the backup ISP.]
Create a backup Internet connection using a modem so that if the primary internet connection fails,
some or all traffic automatically switches to the backup Internet connection which is a dialup
connection using the modem interface. When the primary Internet connection is restored, traffic
automatically switches back to it.
Solution
This solution describes how to improve the reliability of a network's connection to the Internet by
using two Internet connections. The primary internet connection is to the wan1 interface and the
backup internet connection is a dial-up connection using a modem and the FortiGate modem
interface. The modem interface is configured to be redundant for the wan1 interface and a ping
server is added for the wan1 interface. When the ping server determines that the wan1 interface
cannot connect to the Internet, the FortiGate unit dials the modem and the modem becomes the
active Internet connection.
You can choose to reduce the amount of traffic when the modem interface is operating by adding
fewer security policies for connections to the modem interface. You could also use techniques such
as traffic shaping to limit the amount of traffic processed by the modem interface. You could also
add security policies that include FortiGuard web filtering or other web filtering techniques to block
popular, but less important websites. Application control could also be used to limit the applications
that can be used when traffic is using the modem interface.
Connect the FortiGate wan1 interface to your primary ISP-supplied equipment. Connect the
internal network to the internal interface.
[Figure: the internal network connects to the internal interface and the primary ISP to the wan1 interface.]
From a PC on the Internal network, log in to the FortiGate web-based manager using admin and
no password.
Go to System > Network > Interface and Edit the wan1 interface and change the following
settings:
Addressing mode
Manual
IP/Netmask
172.20.120.14/255.255.255.0
Edit the internal interface and change the following settings:
Addressing mode
Manual
IP/Netmask
192.168.1.99/255.255.255.0
Go to Router > Static > Static Route and select Create New to add the following default route.
Destination IP/Mask
0.0.0.0/0.0.0.0
Device
wan1
Gateway
172.20.120.2
FortiGate Cookbook
http://docs.fortinet.com/
Go to Router > Static > Settings, select Create New, and add the following ping server:
Interface
wan1
Ping Server
172.20.120.2
Detect Protocol
ICMP Ping
Failover Threshold
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet through the wan1 interface.
Some FortiGate models include this security policy in the default configuration. If you have one of
these models, this step has already been done for you.
Source Interface/Zone
internal
Source Address
all
Destination Interface/Zone
wan1
Destination Address
all
Schedule
always
Service
ANY
Action
ACCEPT
[Figure: the internal network connects to the internal interface, the primary ISP to wan1, and the backup ISP to the modem interface.]
Go to System > Network > Modem and Edit the modem settings, then select Enable Modem,
and select Apply.
Primary Modem
Mode
Redundant
Redundant for
wan1
Dial Mode
Dial on demand
Idle Timeout
5 minutes
Redial Limit
None
User Name
ISP_user
Password
Passw0rd
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet through the modem interface.
Source Interface/Zone
internal
Source Address
all
Destination Interface/Zone
modem
Destination Address
all
Schedule
always
Service
ANY
Action
ACCEPT
Results
You can test default route failover by blocking access from the wan1 interface to the ping server
target (for example, by physically disconnecting the wan1 interface cable). The modem should dial in,
and when connected, the routing monitor should show the modem default route replacing the wan1
default route. You can also try connecting to the Internet and verifying that the connection works and
that traffic is accepted by an internal to modem security policy. You can then restore the wan1
connection, see the wan1 default route being added back to the routing monitor, and verify
connectivity.
With the modem dialed in, if you can browse the web from the internal network, your configuration
is successful. If you cannot, try the steps described in Troubleshooting NAT/Route mode
installations on page 24 to find the problem.
Distributing sessions between dual redundant Internet connections with usage-based ECMP
[Figure: network diagram for this example. The internal network 192.168.1.0/255.255.255.0 connects to the internal interface (192.168.1.99); wan1 (172.20.120.14) reaches the primary ISP through the WAN1 gateway 172.20.120.2; wan2 reaches the backup ISP through the WAN2 gateway 172.30.120.2.]
Your organization uses two different ISPs for reliability and you want to make efficient use of these
two Internet connections by distributing sessions to both, without allowing either one to become
overloaded.
Solution
Use spillover (also known as usage-based) Equal Cost Multipath (ECMP) routing. When one
Internet connection reaches a defined traffic level, new sessions spill over to the other connection.
Go to Router > Static > Static Route and select Create New to add default routes for the wan1 and
wan2 interfaces.
For the wan1 interface:
Destination IP/Mask
0.0.0.0/0.0.0.0
Device
wan1
Gateway
172.20.120.2
For the wan2 interface:
Destination IP/Mask
0.0.0.0/0.0.0.0
Device
wan2
Gateway
172.30.120.2
Go to Router > Static > Settings and select Spillover as the ECMP Load Balance Method.
Under Dead Gateway Detection, select Create New to add dead gateway detection for the
wan1 and wan2 interfaces.
For the wan1 interface:
Interface
wan1
Ping Server
172.20.120.2
Detect Protocol
ICMP Ping
Ping Interval
Failover Threshold
For the wan2 interface:
Interface
wan2
Ping Server
172.30.120.2
Detect Protocol
ICMP Ping
Ping Interval
Failover Threshold
Go to System > Network > Interface and Edit the wan1 interface and set the Spillover
Threshold to 10000 kbits/s.
Go to System > Network > Interface and Edit the wan2 interface and set the Spillover
Threshold to 20000 kbits/s.
You must add spillover thresholds to both interfaces, since the default spillover threshold of 0
means no bandwidth limiting. If one of the interfaces had a spillover threshold of 0, it would process
all sessions.
Results
Most sessions from the internal network to the Internet should use the wan1 interface. When traffic
on the wan1 interface reaches the spillover threshold, new sessions should begin using the wan2
interface. When usage on the wan1 interface drops below the spillover threshold, new sessions
will again use the wan1 interface.
Usage-based ECMP routing is not true load balancing, since sessions are not distributed evenly
among the interfaces. A spillover threshold of 10000 kbits/s (10 Mbps) means that when the wan1
interface usage reaches 10 Mbps, new sessions are spilled over to the wan2 interface. So during low
traffic times, wan1 processes all sessions.
The spillover threshold does not strictly limit the bandwidth processed by the interface, because
new sessions to destination IP addresses that are already in the routing cache use the cached
routes. This means that even if wan1 is exceeding its spillover threshold, new sessions can continue
to be sent out on wan1 if their destination addresses are already in the routing cache.
You can adjust the spillover thresholds to change how sessions are distributed between the ISPs as
you become familiar with your traffic patterns. You can use the Traffic History dashboard widget to
view bandwidth usage for the wan1 and wan2 interfaces.
You can see whether an interface is exceeding its Spillover Threshold by using this CLI command:
diagnose netlink dstmac list
In the output, over_bps=1 means that the interface is exceeding its threshold, over_bps=0 means
that the interface has not exceeded its threshold.
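As an added illustration that is not part of the cookbook and not FortiOS code, the following Python model walks through the default-route selection rules described in this section and in Changing this redundant Internet configuration to use ECMP: dead gateway detection removing a route, distance and priority choosing between routes, and usage-based spillover with the routing-cache caveat. The candidate order, the cache handling and the traffic figures are assumptions made for the illustration.

```python
"""Added model (not FortiOS code) of the default-route selection this page
describes: dead gateway detection removes a route, the lowest distance decides
which routes enter the routing table, the lowest priority value is preferred
for new sessions, equal distance and priority give ECMP, and in spillover mode
a candidate whose interface is over its Spillover Threshold is skipped for new
sessions unless the destination is already in the routing cache.  Candidate
order, cache handling and the kbit/s usage figures are assumptions."""
from dataclasses import dataclass

@dataclass
class Route:
    device: str
    gateway: str
    distance: int = 10
    priority: int = 0
    alive: bool = True          # False once the ping server for this device fails

@dataclass
class Interface:
    name: str
    spillover_kbps: int = 0     # 0 means no limit: the interface takes every session
    usage_kbps: int = 0

    def over_bps(self) -> int:
        """1 when usage has reached the threshold, like over_bps in 'diagnose netlink dstmac list'."""
        return int(self.spillover_kbps > 0 and self.usage_kbps >= self.spillover_kbps)

def routing_table(routes):
    """Routes installed in the routing table: live routes with the lowest distance.
    Only these interfaces can answer sessions initiated from the Internet."""
    live = [r for r in routes if r.alive]
    if not live:
        return []
    best = min(r.distance for r in live)
    return [r for r in live if r.distance == best]

def preferred(table):
    """Routes used for new outbound sessions: the lowest priority value wins; several
    routes sharing it are ECMP candidates, kept in configured order."""
    if not table:
        return []
    best = min(r.priority for r in table)
    return [r for r in table if r.priority == best]

def choose_device(routes, ifaces, dst, cache):
    """Egress interface for a new session to dst with the spillover ECMP method."""
    table = routing_table(routes)
    candidates = [r.device for r in preferred(table)]
    if not candidates:
        return None
    # A destination already in the routing cache keeps its cached route even if that
    # interface is over its threshold (the caveat in the text), as long as the route
    # is still in the routing table.
    if cache.get(dst) in [r.device for r in table]:
        return cache[dst]
    chosen = candidates[0]      # if every candidate is over threshold, use the first
    for name in candidates:
        if not ifaces[name].over_bps():
            chosen = name
            break
    cache[dst] = chosen
    return chosen

def failover_demo():
    """Basic redundant scenario: distance 10 on wan1, 20 on wan2."""
    routes = [Route("wan1", "172.20.120.2", distance=10), Route("wan2", "172.30.120.2", distance=20)]
    ifaces = {"wan1": Interface("wan1"), "wan2": Interface("wan2")}
    cache, dst = {}, "203.0.113.10"             # constructed Internet address
    steps = [choose_device(routes, ifaces, dst, cache)]
    routes[0].alive = False                     # wan1 ping server stops answering
    steps.append(choose_device(routes, ifaces, dst, cache))
    routes[0].alive = True                      # wan1 link restored
    steps.append(choose_device(routes, ifaces, dst, cache))
    return steps                                # ['wan1', 'wan2', 'wan1']

def priority_ecmp_demo():
    """ECMP variant: both distance 10, wan1 priority 0 preferred over wan2 priority 20."""
    routes = [Route("wan1", "172.20.120.2", priority=0), Route("wan2", "172.30.120.2", priority=20)]
    ifaces = {"wan1": Interface("wan1"), "wan2": Interface("wan2")}
    cache, dst = {}, "203.0.113.10"
    in_table = [r.device for r in routing_table(routes)]   # both can answer inbound traffic
    first = choose_device(routes, ifaces, dst, cache)       # new sessions still prefer wan1
    routes[0].alive = False
    after_failure = choose_device(routes, ifaces, dst, cache)
    return in_table, first, after_failure       # (['wan1', 'wan2'], 'wan1', 'wan2')

def spillover_demo():
    """Usage-based ECMP with the 10000 and 20000 kbit/s thresholds from this page."""
    routes = [Route("wan1", "172.20.120.2"), Route("wan2", "172.30.120.2")]
    ifaces = {"wan1": Interface("wan1", spillover_kbps=10000),
              "wan2": Interface("wan2", spillover_kbps=20000)}
    cache = {}
    quiet = choose_device(routes, ifaces, "203.0.113.10", cache)        # wan1
    ifaces["wan1"].usage_kbps = 12000           # wan1 now above 10 Mbit/s
    busy_new = choose_device(routes, ifaces, "203.0.113.20", cache)     # wan2
    busy_cached = choose_device(routes, ifaces, "203.0.113.10", cache)  # still wan1
    return quiet, busy_new, busy_cached, ifaces["wan1"].over_bps()

if __name__ == "__main__":
    print(failover_demo(), priority_ecmp_demo(), spillover_demo())
```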
[Figure: network diagram for this example. The DMZ network 10.10.10.0/255.255.255.0 connects to the dmz interface (10.10.10.10); the internal network connects to the internal interface (192.168.1.99); wan1 (172.20.120.14) reaches the Internet through the default route gateway 172.20.120.2. Web server DMZ network address: 10.10.10.123. Web server Internet address: 172.20.120.123.]
Solution
This solution protects and provides access to the web server by:
Installing the web server on a DMZ (demilitarized zone) network separate from your internal
network that exposes the web server to the Internet and the internal network.
Connecting the DMZ network to a FortiGate interface (the DMZ interface or any other available
interface).
Creating a destination NAT (DNAT) security policy that includes UTM protection and that allows
users on the Internet to access the web server.
Creating a route mode security policy that allows users on the internal network to access the web
server.
When you connect multiple networks to your FortiGate unit, you might want to add interface aliases
that describe the function of the interface or the network connected to it. Aliases are easy to add:
go to System > Network > Interface, edit an interface and then add descriptive text to the Alias
field. The alias appears with the interface name in most places on the web-based manager.
Connect the DMZ network to the FortiGate DMZ interface, the internal network to the internal
interface, and the Internet to the wan1 interface (or any available interfaces).
[Figure: the DMZ network connects to the DMZ interface and the internal network to the internal interface.]
Go to System > Network > Interface and edit the dmz, internal, and wan1 interfaces with the
following settings. The alias added to wan1 appears with the interface name later in this example.
dmz
Addressing mode
Manual
IP/Netmask
10.10.10.10/255.255.255.0
internal
Addressing mode
Manual
IP/Netmask
192.168.1.99/255.255.255.0
wan1
Alias
Internet
Addressing mode
Manual
IP/Netmask
172.20.120.14/255.255.255.0
Go to Router > Static > Static Route and Edit the default route as follows.
Destination IP/Mask
0.0.0.0/0.0.0.0
Device
wan1(Internet)
Gateway
172.20.120.2
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Configure the web server with the following network settings:
IP Address
10.10.10.123
Netmask
255.255.255.0
Default Gateway
10.10.10.10
DNS Servers
If the web server does not have the correct default gateway, its response packets will not reach the
DMZ interface, so the web server will appear to not be responding.
Create a DNAT security policy to allow sessions from the Internet to the web server
Configure DNAT (port forwarding) by creating a firewall virtual IP (VIP) that maps the Internet address
of the web server (172.20.120.123) to the actual IP address of the web server on the DMZ network
(10.10.10.123). Then, add this VIP to a security policy that allows users on the Internet to browse to
the Internet address of the web server (in this example, 172.20.120.123) to connect through the
FortiGate unit to the web server on the DMZ network.
Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a new virtual IP
with the following settings:
Name
Web-server-DNAT
External Interface
wan1(Internet)
Type
Static NAT
External IP Address/Range
172.20.120.123
Mapped IP Address/Range
10.10.10.123
Go to Policy > Policy > Policy and select Create New to add a security policy to allow users on
the Internet to connect to the web server on the DMZ network.
Source Interface/Zone
wan1(Internet)
Source Address
all
Destination Interface/Zone
Destination Address
Web-server-DNAT
Schedule
always
Beside Service, select Multiple and add HTTP and HTTPS to the Members list.
Select UTM and select Enable AntiVirus, Enable Application Control, and Enable IPS.
Create a route mode security policy to allow users on the internal network to connect to the web
server on the DMZ network
By using a route mode policy, users on the internal network can connect to the web server using its
real DMZ IP address (by browsing to http://10.10.10.123 or https://10.10.10.123). Since users on the
internal network know the real address of the web server, you do not have to enable NAT in the
security policy that allows this access.
Go to Firewall Objects > Address > Address and select Create New to add a firewall address
for the user address range on the internal network.
Address Name
Internal-user-addresses
Type
Subnet / IP Range
Subnet / IP Range
Interface
Select Create New to add a firewall address for the web server on the DMZ network.
Address Name
DMZ-web-server-address
Type
Subnet / IP Range
Subnet / IP Range
10.10.10.123/255.255.255.255
Interface
Go to Policy > Policy > Policy and select Create New to add a security policy that allows users
on the internal network to connect to the DMZ network.
Source Interface/Zone
internal
Source Address
Internal-user-addresses
Destination Interface/Zone
dmz
Destination Address
DMZ-web-server-address
Schedule
Always
Beside Service, select Multiple and add HTTP and HTTPS to the Members list.
Select UTM and select Enable AntiVirus, Enable Application Control, and Enable IPS.
For this policy, you could have selected Enable NAT to enable source NAT. However, doing this
would mean that all packets from the internal network connecting to the web server would have the
same source address (the IP address of the DMZ interface). If you do not select Enable NAT you
can record web server usage according to the actual source address of sessions from the internal
network.
Add a security policy to allow users on the internal network to connect to the Internet
Go to Policy > Policy > Policy and select Create New to add the following security policy.
Source Interface/Zone
internal
Source Address
Internal-user-addresses
Destination Interface/Zone
wan1(Internet)
Destination Address
all
Schedule
Always
Service
ANY
Action
ACCEPT
Select UTM and select Enable AntiVirus and Enable Application Control.
Results
Test the configuration by connecting to the web server from the internal network and from the
Internet.
If any of the following tests fail, re-check your FortiGate configuration. Also, make sure the web
server has the correct default route. This is especially important for connections from the internal
network because the security policies do not perform source NAT, so the web server needs the
correct default route to be able to send return packets correctly. You can also try the steps
described in Troubleshooting NAT/Route mode installations on page 24.
Testing the connection from the internal network to the web server
From the internal network, browse to the web server's actual IP address (http://10.10.10.123 or
https://10.10.10.123). The connection should be successful. This communication uses the internal to
dmz policy. Go to Policy > Monitor > Policy Monitor to view sessions accepted by the internal to
dmz policy (in the example, policy 3). Sessions for other policies may also be visible.
Drill down to view details about the sessions accepted by the policy. They should all be HTTP (port
80) or HTTPS (port 443) sessions. The source address should be an address on the internal network
and the destination address should be the real address of the web server (10.10.10.123). The NAT
columns should be blank because no address translation is taking place.
You can also view similar session information using the FortiGate packet sniffer. The following sniffer
output shows HTTP traffic (port 80) between a PC with IP address 192.168.1.110 and the web server
(IP address 10.10.10.123). You can see the HTTP sessions between the PC and the internal interface
and between the dmz interface and the web server. Note that the source and destination addresses
and ports are not translated:
The following FortiGate sniffer output shows HTTPS traffic (port 443) between IP address
192.168.1.110 and the web server (IP address 10.10.10.123). You can see the HTTPS sessions
between the PC and the internal interface and between the dmz interface and the web server. Note
that the source and destination addresses and ports are not translated:
diagnose sniffer packet any 'port 443' 4 10
interfaces=[any]
filters=[port 443]
5.124564 internal in 192.168.1.110.4366 -> 10.10.10.123.443: syn 3141078769
5.128308 dmz out 192.168.1.110.4366 -> 10.10.10.123.443: syn 3141078769
5.128538 dmz in 10.10.10.123.443 -> 192.168.1.110.4366: syn 2403170564 ack 3141078770
5.130991 internal out 10.10.10.123.443 -> 192.168.1.110.4366: syn 2403170564 ack 3141078770
5.131151 internal in 192.168.1.110.4366 -> 10.10.10.123.443: ack 2403170565
5.131414 dmz out 192.168.1.110.4366 -> 10.10.10.123.443: ack 2403170565
5.131702 internal in 192.168.1.110.4366 -> 10.10.10.123.443: psh 3141078770 ack 2403170565
5.138192 dmz out 192.168.1.110.4366 -> 10.10.10.123.443: psh 3141078770 ack 2403170565
5.138361 dmz in 10.10.10.123.443 -> 192.168.1.110.4366: ack 3141078914
5.138632 internal out 10.10.10.123.443 -> 192.168.1.110.4366: ack 3141078914
You could also use the following sniffer command to get similar results:
diagnose sniffer packet any 'host 192.168.1.110 or 10.10.10.123' 4 10
Testing the connection from the Internet to the web server
Drill down to view details about the sessions accepted by the policy. They should all be HTTP (port
80) or HTTPS (port 443) sessions. The source address should be an address on the Internet (or the
172.20.120.0 network) and the destination address should be the Internet address of the web server
(172.20.120.123). The wan1 to DMZ policy performs DNAT on incoming packets, translating the
destination IP address of the packets from 172.20.120.123 to 10.10.10.123. The destination NAT IP
address is shown in the Src NAT IP column when destination NAT is taking place. The destination
ports are not translated so the Src NAT Port column and Dst Port column both show port 80.
You can also view similar information using the packet sniffer. The following sniffer output shows
HTTP traffic (destination port 80) from 172.20.120.12 to 172.20.120.123. All packets received by the
wan1 interface have a source address of 172.20.120.12 and a destination address of
172.20.120.123. All packets exiting from the dmz interface have a source address of 172.20.120.12
and a destination address of 10.10.10.123:
diagnose sniffer packet any 'port 80' 4 10
interfaces=[any]
filters=[port 80]
5.384633 wan1 in 172.20.120.12.59485 -> 172.20.120.123.80: syn 3310195461
5.390855 wan1 out 172.20.120.123.80 -> 172.20.120.12.59485: syn 1257313456 ack 3310195462
5.392429 wan1 in 172.20.120.12.59485 -> 172.20.120.123.80: ack 1257313457
5.392970 wan1 in 172.20.120.12.59485 -> 172.20.120.123.80: psh 3310195462 ack 1257313457
5.402474 wan1 out 172.20.120.123.80 -> 172.20.120.12.59485: ack 3310196396
5.404772 dmz out 172.20.120.12.59485 -> 10.10.10.123.80: syn 3794602648
5.405014 dmz in 10.10.10.123.80 -> 172.20.120.12.59485: syn 4209798675 ack 3794602649
5.405236 dmz out 172.20.120.12.59485 -> 10.10.10.123.80: ack 4209798676
5.406434 dmz out 172.20.120.12.59485 -> 10.10.10.123.80: psh 3794602649 ack 4209798676
5.406689 dmz in 10.10.10.123.80 -> 172.20.120.12.59485: ack 3794603583
The following sniffer output shows HTTPS traffic (destination port 443) from 172.20.120.12 to
172.20.120.123. You can see the HTTPS sessions between the PC and the wan1 interface and
between the dmz interface and the web server. As in the HTTP output, the destination address is
translated from 172.20.120.123 to 10.10.10.123 as packets exit the dmz interface, while the source
address and the ports are not translated:
diagnose sniffer packet any 'port 443' 4 10
interfaces=[any]
filters=[port 443]
4.557201 wan1 in 172.20.120.12.59666 -> 172.20.120.123.443: syn 2276259104
4.561331 dmz out 172.20.120.12.59666 -> 10.10.10.123.443: syn 2276259104
4.561577 dmz in 10.10.10.123.443 -> 172.20.120.12.59666: syn 3539944843 ack 2276259105
4.562214 wan1 out 172.20.120.123.443 -> 172.20.120.12.59666: syn 3539944843 ack 2276259105
4.562974 wan1 in 172.20.120.12.59666 -> 172.20.120.123.443: ack 3539944844
4.563323 dmz out 172.20.120.12.59666 -> 10.10.10.123.443: ack 3539944844
4.563540 wan1 in 172.20.120.12.59666 -> 172.20.120.123.443: psh 2276259105 ack 3539944844
4.570165 dmz out 172.20.120.12.59666 -> 10.10.10.123.443: psh 2276259105 ack 3539944844
4.570270 dmz in 10.10.10.123.443 -> 172.20.120.12.59666: ack 2276259473
4.570566 wan1 out 172.20.120.123.443 -> 172.20.120.12.59666: ack 2276259473
You could also use the following sniffer command to get similar results:
diagnose sniffer packet any 'host 172.20.120.12 or 172.20.120.123' 4 10
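As an added example that is not part of the cookbook and not FortiGate code, the following Python script parses sniffer output in the format shown above and reports, for each client SYN, what the FortiGate changed between the interface the packet arrived on and the interface it left from. It also compares the TCP sequence numbers of the two legs: in the page's HTTP sample the FortiGate completes the client's handshake on wan1 before opening its own connection to the web server on dmz, whereas the HTTPS samples carry the same sequence number on both sides. The embedded samples are truncated copies of the output above; the "proxied" label is this example's reading of that difference.

```python
"""Added parser (not FortiGate code) for the 'diagnose sniffer packet ... 4' lines
shown on this page.  It pairs the client SYN that enters the FortiGate with the
SYN the FortiGate sends towards the server and reports what changed between
the two legs: destination NAT, port translation, source NAT, and whether the
TCP sequence number was kept (flow-through) or replaced (the session went
through a proxy, as the page's HTTP sample with AntiVirus enabled shows)."""
import re
from dataclasses import dataclass

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s*(?P<flags>.*)$")

@dataclass
class Packet:
    ts: float
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    def is_client_syn(self):
        """A bare SYN (no ACK) is the first packet of a client's session leg."""
        return self.flags.startswith("syn") and " ack " not in f" {self.flags} "

    def seq(self):
        m = re.search(r"\bsyn (\d+)", self.flags)
        return int(m.group(1)) if m else None

def parse_sniffer(text):
    """Return the packet lines as Packet objects; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append(Packet(float(d["ts"]), d["iface"], d["dir"], d["src"],
                                  int(d["sport"]), d["dst"], int(d["dport"]), d["flags"]))
    return packets

def analyse_sessions(packets):
    """Map (client address, client port) to what the FortiGate changed between
    the SYN it received and the SYN it forwarded on another interface."""
    syns = [p for p in packets if p.is_client_syn()]
    report = {}
    for entering in (p for p in syns if p.direction == "in"):
        leaving = next((p for p in syns if p.direction == "out" and p.iface != entering.iface
                        and p.ts >= entering.ts and p.sport == entering.sport), None)
        key = (entering.src, entering.sport)
        if leaving is None:          # nothing forwarded: dropped, or source port rewritten
            report[key] = {"ingress": entering.iface, "egress": None}
            continue
        report[key] = {
            "ingress": entering.iface,
            "egress": leaving.iface,
            "dnat": None if entering.dst == leaving.dst else (entering.dst, leaving.dst),
            "snat": None if entering.src == leaving.src else (entering.src, leaving.src),
            "port_translated": entering.dport != leaving.dport,
            "proxied": entering.seq() != leaving.seq(),   # new handshake on the server side
            "delay_ms": round((leaving.ts - entering.ts) * 1000, 3),
        }
    return report

# Samples copied from this page's sniffer output, truncated to the first packets.
ROUTE_MODE_SAMPLE = """\
interfaces=[any]
filters=[port 443]
5.124564 internal in 192.168.1.110.4366 -> 10.10.10.123.443: syn 3141078769
5.128308 dmz out 192.168.1.110.4366 -> 10.10.10.123.443: syn 3141078769
5.128538 dmz in 10.10.10.123.443 -> 192.168.1.110.4366: syn 2403170564 ack 3141078770
5.130991 internal out 10.10.10.123.443 -> 192.168.1.110.4366: syn 2403170564 ack 3141078770
"""
DNAT_SAMPLE = """\
interfaces=[any]
filters=[port 80]
5.384633 wan1 in 172.20.120.12.59485 -> 172.20.120.123.80: syn 3310195461
5.390855 wan1 out 172.20.120.123.80 -> 172.20.120.12.59485: syn 1257313456 ack 3310195462
5.392429 wan1 in 172.20.120.12.59485 -> 172.20.120.123.80: ack 1257313457
5.404772 dmz out 172.20.120.12.59485 -> 10.10.10.123.80: syn 3794602648
5.405014 dmz in 10.10.10.123.80 -> 172.20.120.12.59485: syn 4209798675 ack 3794602649
"""

if __name__ == "__main__":
    for name, sample in (("route mode", ROUTE_MODE_SAMPLE), ("DNAT", DNAT_SAMPLE)):
        print(name, analyse_sessions(parse_sniffer(sample)))
```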
Protecting an email server with a FortiGate unit without changing the network (Transparent Mode)
[Figure: the protected email server 10.31.101.200 sits behind the FortiGate internal interface; management IP 10.31.101.40; security policies allow traffic between the network segments.]
You need to keep an email server free from viruses without changing the server and without changing
the network. For example, you cannot install virus scanning software on the email server, change the
email server's IP address, or change the addressing of the network.
[Figure: FortiGate unit in Transparent mode between the email server and the user network 10.31.101.0/255.255.255.0 (user address range 10.31.101.[1-30]), with the router at 10.31.101.100.]
Solution
Insert a FortiGate unit in Transparent mode between the email server and the network. Configure the
FortiGate unit to allow sessions from the network to the email server and apply antivirus protection to
these sessions to keep viruses from reaching the email server.
Users on the Internal network connect to the email server to get their mail using IMAP, IMAPS, POP3,
POP3S, or HTTPS (for webmail) and to send outgoing email using SMTP or SMTPS. The email server
sends outgoing email by connecting to the Internet using SMTP or SMTPS and receives incoming
email from the Internet using SMTP or SMTPS.
Go to System > Dashboard > Status > System Information and beside Operation Mode select
Change and configure the following:
Operation Mode
Transparent
Management IP/Netmask
10.31.101.40/255.255.255.0
Default Gateway
10.31.101.100
Go to System > Network > Interface and Edit the wan1 interface.
For Administrative Access select HTTPS and SSH and select OK.
Once the FortiGate unit is connected to the network, you will be managing it by connecting to the
wan1 interface.
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Go to Firewall Objects > Address > Address and select Create New to add the following
firewall addresses:
For the email server:
Address Name
Email_Server_Address
Type
Subnet/IP Range
Subnet/IP Range
10.31.101.200/255.255.255.255
Interface
internal
For the user network:
Address Name
Email_User_Network
Type
Subnet/IP Range
Subnet/IP Range
10.31.101.[1-30]
Interface
wan1
Go to Policy > Policy > Policy and select Create New to add a security policy that allows the
user network to access the email server using IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, and
HTTPS:
Source Interface/Zone
wan1
Source Address
Email_User_Network
Destination Interface/Zone
internal
Destination Address
Email_Server_Address
Schedule
Always
Beside Service, select Multiple and add IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, and
HTTPS to the Members list.
Go to Policy > Policy > Policy and select Create New to add a security policy that allows the
email server to send outgoing email to the Internet using SMTP and SMTPS:
Source Interface/Zone
internal
Source Address
Email_Server_Address
Destination Interface/Zone
wan1
Destination Address
all
Schedule
Always
Beside Service, select Multiple and add SMTP and SMTPS to the Members list.
Go to Policy > Policy > Policy and select Create New to add a security policy that allows the
email server to receive incoming email from the Internet using SMTP and SMTPS:
Source Interface/Zone
wan1
Source Address
all
Destination Interface/Zone
internal
Destination Address
Email_Server_Address
Schedule
Always
Beside Service, select Multiple and add SMTP and SMTPS to the Members list.
Set Action to ACCEPT.
Select UTM and select Enable AntiVirus.
Select OK to save the security policy.
Go to Policy > Policy > Policy and select Create New to add a security policy that allows the
email server to connect to a DNS server:
Source Interface/Zone
internal
Source Address
Email_Server_Address
Destination Interface/Zone
wan1
Destination Address
all
Schedule
Always
Service
DNS
Action
ACCEPT
Connect the FortiGate unit between the email server and the user network.
Connect the wan1 interface to a switch connected to the user network. Connect the internal
interface to email server.
[Figure: the email server connects to the internal interface and the user network to the wan1 interface.]
Results
The functionality of the email server should not be changed after the FortiGate unit is inserted. To
confirm this, you should access the email server from the user network using all the email protocols
that users on the network normally use.
As you test email services, on the web-based manager, you can go to Policy > Monitor > Policy
Monitor to view the FortiGate security policy activity. The Policy Monitor displays bar graphs that
show the sessions for each policy. The bar graphs are labelled with the policy ID.
If no other security policies have been added to the FortiGate unit, and if you followed the steps in
the order listed, the FortiGate will have 4 security policies.
Policy 1 allows users to connect to the email server using any email protocol and HTTPS.
Policy 2 allows the email server to connect to the Internet to send outgoing email.
Policy 3 allows the email server to receive incoming email from the Internet.
When you connect from the user network to the email server using one of the email protocols (POP3,
IMAP, or HTTPS) the sessions are accepted by policy 1 and the policy monitor could look similar to
this:
The policy monitor shows sessions accepted by policy 1. You can display information about the
sessions by selecting the bar graph. For example, you can display the source and destination
addresses and services used by sessions accepted by policy 1 as well as a listing of all active
sessions. When you send an outgoing email to the server using SMTP, the policy monitor could look
similar to this:
The policy monitor shows sessions accepted by three policies. Drilling down into the policy 1 graph
shows SMTP sessions and possibly POP3 and HTTPS sessions between an address on the user
network and the email server. Drilling down into the policy 2 graph shows SMTP sessions between
the email server and an Internet address caused by the email server sending outgoing email. Drilling
down into the policy 4 graph shows DNS sessions between the email server and a DNS server.
You can test virus scanning by attaching a virus test file to an email message. You can get the EICAR
test file from http://www.eicar.org. You can verify the virus scanning results by going to UTM Profiles
> Monitor > AV Monitor. The following shows the EICAR test file detected three times.
You can drill down to display the FortiGuard Center page for the virus that was detected.
The Log and Archive Statistics dashboard widget also displays information about viruses caught,
including the date and time on which the virus was detected, the source and destination
address of the session in which the virus was caught, and the service.
Finally, when the file is removed from the email, it is replaced with a message similar to the following:
Dangerous Attachment has been Removed. The file "eicar.com" has been removed because of a virus.
It was infected with the "EICAR_TEST_FILE" virus. File quarantined as:
""."http://www.fortinet.com/ve?vid=2172"
You can customize this message by going to System > Config > Replacement Message > Mail >
Virus Message. The default message specifies that the file is quarantined. If you have not
configured quarantine, you can remove this part of the message.
If you can send and receive email, your configuration is successful. If you cannot, try the steps
described in Troubleshooting Transparent mode installations on page 31 to find the problem.
[Diagram: a FortiGate unit in Transparent mode (management IP 10.31.101.40) with an internal/wan1 port pair between the User Network (10.31.101.0/255.255.255.0, user address range 10.31.101.[1-30]) and the Protected Web Server (10.31.101.210), connected to a router.]
Solution
You can enable port pairing in Transparent mode so that all traffic accepted by one FortiGate
interface can only exit out of one other FortiGate interface. Restricting traffic in this way simplifies
your FortiGate configuration because security policies between these interfaces are pre-configured.
All you have to do is make the physical configuration and then add a port pair. Then, when you
create a new security policy for sessions accepted by one of the interfaces in the pair, the second
interface is automatically added to the security policy.
Switching to Transparent mode and configuring IP settings
1. Go to System > Dashboard > Status > System Information and beside Operation Mode select
Change and configure the following:
Operation Mode: Transparent
Management IP/Netmask: 10.31.101.40/255.255.255.0
Default Gateway: 10.31.101.100
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Creating the internal and wan1 port pair and adding firewall addresses and security policies for it
1. Go to System > Network > Interface and select Create New > Port Pair to configure the
following port pair:
Name: internal-wan1-port-pair
Selected Members: internal, wan1
You can only add interfaces to a port pair if no other configuration objects have been added for the
interfaces. For example, you cannot add an interface to a port pair if you have added security
policies or firewall addresses for it.
2. Go to Firewall Objects > Address > Address and select Create New to add the following
firewall addresses.
For the web server:
Address Name: Web-Server-Address
Type: Subnet/IP Range
Subnet/IP Range: 10.31.101.210/255.255.255.255
Interface: any
For the user network:
Address Name: Web-Server-User-Network
Type: Subnet/IP Range
Subnet/IP Range: 10.31.101.[1-30]
Interface: any
Go to Policy > Policy > Policy and select Create New to add a security policy that allows the
user network to access the email server using HTTP and HTTPS:
Source Interface/Zone: internal
Source Address: Web-Server-User-Network
Destination Interface/Zone: wan1
Destination Address: Web-Server-Address
Schedule: Always
Beside Service, select Multiple and add HTTP and HTTPS to the Members list.
Select UTM and select Enable AntiVirus and Enable Application Control.
Go to Policy > Policy > Policy and select Create New to add a security policy that allows
connections from the web server to the user network and the Internet using any service:
Source Interface/Zone: wan1
Source Address: Web-Server-Address
Destination Interface/Zone: internal
Destination Address: all
Schedule: Always
Service: ANY
Action: ACCEPT
10. Select UTM and select Enable AntiVirus and Enable Application Control.
internal interface.
[Diagram: Web Server connected to the wan1 interface, User Network connected to the internal interface.]
Results
Connect to the web server from the internal network. Go to Policy > Policy > Policy and verify that
the count for the internal to wan1 policy has increased indicating that this policy is accepting traffic
from the user network to the web server. Go to Policy > Monitor > Policy Monitor to drill down for
more information about the sessions accepted by the internal to wan1 policy.
If you can connect to the web server, and if the web server can connect to the Internet, your
configuration is successful. If you cannot, try the steps described in Troubleshooting Transparent
mode installations on page 31 to find the problem.
[Diagram: DMZ network 10.10.10.0/255.255.255.0 on the dmz interface, Private Internal Network 192.168.1.0/255.255.255.0 on the internal interface (192.168.1.99), and wan1 (172.20.120.14) to the default router 172.20.120.2.]
You want to control and apply UTM features to traffic between two subnets but you want full visibility
between the networks (no address translation between the subnets).
Solution
Install the FortiGate unit in NAT/Route mode between the subnets and create route mode security
policies that allow sessions between the networks without performing address translation.
Connecting the networks to the FortiGate unit and configuring IP settings
1. Connect the DMZ network to the FortiGate DMZ interface, the internal network to the internal
interface, and the Internet to the wan1 interface (or any available interfaces).
Go to System > Network > Interface, Edit and configure the dmz, internal, and wan1
interfaces:
For the dmz interface:
Name: dmz
Addressing mode: Manual
IP/Netmask: 10.10.10.10/255.255.255.0
For the internal interface:
Name: internal
Addressing mode: Manual
IP/Netmask: 192.168.1.99/255.255.255.0
For the wan1 interface:
Name: wan1
Addressing mode: Manual
IP/Netmask: 172.20.120.14/255.255.255.0
[Diagram: DMZ Network on the DMZ interface, Internal Network on the internal interface, Internet on wan1.]
Go to Router > Static > Static Route and Edit the default route as follows.
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: wan1 (Internet)
Gateway: 172.20.120.2
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Configure the following IP network settings for the devices on the internal network.
IP address: 192.168.1.x
Netmask: 255.255.255.0
Default Gateway: 192.168.1.99
DNS Servers:
Configure the following IP network settings for the devices on the DMZ network.
IP address: 10.10.10.x
Netmask: 255.255.255.0
Default Gateway: 10.10.10.10
DNS Servers:
If the devices on both networks do not have the correct default route, their response packets will
not be returned to the source network.
Create route mode security policies to allow connections between the internal and DMZ networks
1. Go to Firewall Objects > Address > Address and select Create New to add a firewall address
for the internal network.
Address Name: Internal-network
Type: Subnet / IP Range
Subnet / IP Range:
Interface: Internal
Add a firewall address for the DMZ network.
Address Name: DMZ-network
Type: Subnet / IP Range
Subnet / IP Range:
Interface: dmz
Go to Policy > Policy > Policy and select Create New to add a security policy that allows users
on the internal network to connect to the DMZ network.
Source Interface/Zone: Internal
Source Address: Internal-network
Destination Interface/Zone: dmz
Destination Address: DMZ-network
Schedule: Always
Service: ANY
Action: ACCEPT
Select UTM and select Enable AntiVirus and Enable Application Control.
Go to Policy > Policy > Policy and select Create New to add a security policy that allows users
on the DMZ network to connect to the internal network.
Source Interface/Zone: dmz
Source Address: DMZ-network
Destination Interface/Zone: internal
Destination Address: Internal-network
Schedule: Always
Service: ANY
Action: ACCEPT
Select UTM and select Enable AntiVirus and Enable Application Control.
To make these policies NAT policies, you could have selected Enable NAT to enable source NAT. However,
doing this would mean that all packets from the one network connecting to the other network would
have the same source address as the FortiGate unit interface connected to that network.
Results
Test the configuration by connecting from one network to the other, for example by pinging an
address on the internal network from the DMZ network. You can use the FortiGate sniffer to show the
ping packets going from one network to the other and the replies coming back without any NAT. The
following example shows a device at 10.10.10.20 pinging 192.168.1.120.
diagnose sniffer packet any 'icmp' 4 8
interfaces=[any]
filters=[icmp]
6.916578 dmz in 10.10.10.20 -> 192.168.1.120: icmp: echo request
6.916794 internal out 10.10.10.20 -> 192.168.1.120: icmp: echo request
6.917459 internal in 192.168.1.120 -> 10.10.10.20: icmp: echo reply
6.917595 dmz out 192.168.1.120 -> 10.10.10.20: icmp: echo reply
7.918637 dmz in 10.10.10.20 -> 192.168.1.120: icmp: echo request
7.918723 internal out 10.10.10.20 -> 192.168.1.120: icmp: echo request
7.919303 internal in 192.168.1.120 -> 10.10.10.20: icmp: echo reply
7.919391 dmz out 192.168.1.120 -> 10.13.10.20: icmp: echo reply
If any of the connections fail, re-check your FortiGate configuration and make sure the devices on
each network have the correct default route. You can also try the steps described in
Troubleshooting NAT/Route mode installations on page 24.
[Diagram: Private Internal Network connected to the FortiGate internal interface (192.168.1.99), on which the explicit web proxy is enabled.]
Solution
Use the following steps to enable the explicit web proxy on the FortiGate internal interface and
configure it to accept HTTP traffic on port 8080.
Enable the explicit web proxy
1. Go to System > Network > Explicit Proxy and select Enable Explicit Web Proxy to turn on the
explicit web proxy for HTTP and HTTPS traffic.
Select Apply.
Go to System > Network > Interface and Edit the internal interface.
Enabling the explicit web proxy on an interface connected to the Internet is a security risk because
anyone on the Internet who finds the proxy could use it to hide their source address. If you enable
the proxy on such an interface make sure authentication is required to use the proxy.
Adding a web proxy security policy to allow the web proxy to accept traffic
1. Go to Policy > Policy > Policy and select Create New to add an explicit web proxy security
policy.
Source Interface/Zone: web-proxy
Source Address: Internal_subnet
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: webproxy
Action: ACCEPT
Results
Web browsers configured to use the proxy server are able to connect to the Internet. If no other
security policies allow HTTP traffic from the private network to connect to the Internet, then users must
use the explicit proxy to connect to the Internet.
You can add authentication to the explicit web proxy security policy to require users to authenticate
before connecting to the Internet.
[Diagram: Private Internal Network accessing the Internet through a FortiGate unit with web caching enabled.]
Solution
In this configuration, all of the users on the private network access the Internet through a single
security policy on the FortiGate unit that accepts all sessions connecting to the Internet. Web
caching is simply added to this security policy.
The example also describes how to configure the security policy to cache HTTP traffic on ports 80 and
8080 by adding a protocol options profile that looks for HTTP traffic on TCP ports 80 and 8080.
Add web caching to a security policy
1. Go to Policy > Policy > Policy and Edit the security policy that allows all users on the private
network to access the Internet.
Select Enable web cache and select OK to save the security policy.
Go to Policy > Policy > Protocol Options and Edit the default profile.
Change the HTTP settings of the protocol options profile to look for HTTP traffic on ports 80 and
8080:
Port: 80, 8080
Edit the security policy that you added web caching to.
Select UTM and set Protocol Options to the default protocol options profile and select OK to
save the security policy.
Results
The FortiGate web cache intercepts all HTTP traffic accepted by the security policy and attempts to
serve cached content instead of downloading content from the Internet.
You can go to WAN Opt. & Cache > Monitor > Cache Monitor to view the Web Cache Monitor
showing caching results for the last 10 minutes, Hour, Day, or Month.
[Diagram: FortiGate Cluster of two units; the wan1 interfaces connect through a switch to the external router, the internal interfaces connect through a switch to the Private Internal Network 192.168.1.0/255.255.255.0.]
Solution
Configure two FortiGate units to form a FortiGate HA cluster. Configure basic settings on the cluster
to allow users on the internal network to access the Internet.
The FortiGate units to be clustered must have the same hardware configuration, including the
following:
The same interface/hub/switch mode if the FortiGate units contain a switch interface.
Both FortiGate units are set to the same operating mode (NAT or Transparent).
Setting up HA
1. On the System Information Dashboard widget, beside Host Name select Change.
Go to System > Config > HA and change the following settings to enable HA mode:
Mode: Active-Passive
Device Priority: 128
Group Name: My-Cluster
Password: HAPassw0RD
Set dmz and wan2 to be the Heartbeat Interfaces and set the Priority of both to 50.
FortiGate units cannot form a cluster if a FortiGate interface is configured to get its IP address using
DHCP or PPPoE. If the FortiGate unit reverts to standalone mode after you select OK, check the
FortiGate interfaces and, if required, change the addressing mode of all of the interfaces to Manual.
The best practice is to configure and connect two or more heartbeat interfaces. If heartbeat
communication is interrupted, the cluster will form a so-called split-brain configuration where both
cluster units operate like standalone FortiGate units, but with the same network configuration,
resulting in a service interruption. Redundant heartbeat links avoid this problem.
6. The FortiGate unit negotiates to establish an HA cluster. When you select OK you may temporarily
lose connectivity with the FortiGate unit because HA changes the MAC addresses of the FortiGate
interfaces. To be able to reconnect sooner, you can update the ARP table of your PC by deleting the
ARP table entry for the FortiGate unit (or just deleting all ARP table entries). You may be able to
delete the ARP table of your PC from a command prompt using a command similar to arp -d.
7. Repeat these steps with the second FortiGate unit to configure it for HA operation.
You can optionally configure one of the FortiGate units with a higher Device Priority so that this unit
always becomes the primary unit.
Connect FortiGate units to each other to form a cluster and connect the cluster to the network.
Connect the wan1 interfaces of each cluster unit to a switch connected to the Internet.
Connect the internal interfaces of each cluster unit to a switch connected to the internal
network.
Connect the dmz interfaces of the cluster units together using a crossover or regular Ethernet
cable.
Connect the wan2 interfaces of the cluster units together using a crossover or regular Ethernet
cable.
As they start, they negotiate to choose the primary unit and to form a cluster. This negotiation
occurs with no user intervention and normally just takes a few seconds.
The FortiGate units must be connected together by at least one heartbeat interface for
negotiation to take place.
Go to System > Network > Interface and Edit the wan1 interface and change the following
settings:
Addressing mode: Manual
IP/Netmask: 172.20.120.14/255.255.255.0
Edit the internal interface and change the following settings:
Addressing mode: Manual
IP/Netmask: 192.168.1.99/255.255.255.0
Go to Router > Static > Static Route and select Create New to add the following default route.
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: wan1
Gateway: 172.20.120.2
Go to System > Network > DNS and add Primary and Secondary DNS servers.
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet.
Some FortiGate models include this security policy in the default configuration. If you have one of
these models, this step has already been done for you and as soon as your FortiGate unit is
connected, and the computers on your internal network are configured, they should be able to
access the Internet.
Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan1
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
Results
Just like a standard FortiGate NAT/Route mode configuration, users on the Internal network should
be able to connect to the Internet. Check the System Information Widget on the dashboard to confirm
the HA status.
When a cluster first starts up, do the following to make sure that it is configured and operating
correctly.
1. While traffic is going through the cluster, disconnect the power from one of the cluster units.
Traffic should continue with minimal interruption.
Log in to the web-based manager and from the Dashboard, verify that the System Information
widget displays both cluster units.
Verify that the Unit Operation graphic shows that the correct cluster unit interfaces are
connected.
Go to System > Config > HA and verify that all of the cluster units are displayed on the cluster
members list.
From the cluster members list, edit the primary unit (master), and verify the cluster configuration is
as expected.
Go to System > Config > HA > View HA Statistics and view information about the cluster and
the traffic it is processing.
Solution
You can upgrade the FortiOS firmware running on an HA cluster in the same manner as upgrading
the firmware running on a standalone FortiGate unit. During a normal firmware upgrade, the cluster
upgrades the primary unit and all subordinate units to run the new firmware image. The firmware
upgrade takes place without interrupting communication through the cluster.
Upgrading cluster firmware to a new major release (for example upgrading from 3.0 MRx to 4.0
MRx) is supported for clusters. Make sure you are taking an upgrade path described in the Release
Notes. Even so you should back up your configuration. Only perform a firmware upgrade during a
maintenance window.
View the current firmware version from the web-based manager and CLI. Download a new version of
FortiOS from the Fortinet Customer Support web site and install it from the web-based manager.
Firmware images for all FortiGate units are available on the Fortinet Customer Support web site. You
must register your FortiGate unit to access firmware images. Register the FortiGate unit by visiting
http://support.fortinet.com and selecting Product Registration.
1. Log in to the web-based manager and view the dashboard System Information widget to see
the Firmware Version currently installed on your FortiGate unit.
From the FortiGate CLI, you can also enter the following command. The first output line indicates the
FortiOS firmware version installed on your FortiGate unit:
get system status
Version: Fortigate-5001B v4.0,build0458,110627 (MR3 Patch 1)
Virus-DB: 11.00679(2010-04-09 13:44)
Extended DB: 1.00234(2010-04-09 16:38)
Extreme DB: 1.00234(2010-04-09 16:37)
Select FortiGate firmware images and browse to the FortiOS firmware version that you want to
install (for example, browse to FortiGate/v4.00/4.0MR3/MR3_Patch_1).
Locate and download the firmware for the FortiGate units in your HA cluster.
Download and read the Release Notes for this firmware version.
Always review the Release Notes before installing a new firmware version in case you cannot
update to the new firmware release from the one that you are currently running.
Always remember to back up your configuration before doing any firmware upgrades.
Results
To upgrade the firmware without interrupting communication through the cluster, the cluster goes
through a series of steps that involve first upgrading the firmware running on the subordinate units,
then making one of the subordinate units the primary unit, and finally upgrading the firmware on the
former primary unit. These steps are transparent to the user and the network, but depending upon
your HA configuration may result in the cluster selecting a new primary unit.
From the FortiGate web-based manager go to System > Dashboard > Status. In the System
Information widget, the Firmware Version will show the updated version of FortiOS (or from the CLI
enter get system status).
There is a possibility that the firmware upgrade from the web-based manager does not load
properly. If this occurs, you may find that some of the FortiGate units in the cluster will not boot, or
continuously reboot.
It is best to perform a fresh install of the firmware from a reboot using the CLI. This procedure
installs a firmware image and resets each FortiGate unit to default settings. Once the new firmware
version is installed you can restore the configuration of the FortiGate units in the cluster and the
cluster should reform. For more information, see Installing FortiGate firmware from a TFTP server
on page 36.
[Diagram: Engineering network 192.168.10.0 (VLAN ID 10), Marketing Network 192.168.20.0 (VLAN ID 20) and Sales Network 192.168.30.0 (VLAN ID 30) connected through a VLAN Switch to the internal interface of a FortiGate Unit in NAT/Route mode; wan1 to the Internet.]
Solution
This solution uses VLANs to connect three networks to the FortiGate internal interface in the
following way:
Packets from each network pass through a VLAN switch before reaching the FortiGate unit. The
VLAN switch adds different VLAN tags to packets from each network.
To handle VLANs on the FortiGate unit, add VLAN interfaces to the internal interface for each
network.
This solution assumes you have configured a VLAN switch to tag packets from the three networks.
Go to System > Network > Interface and select Create New to add a VLAN interface for the
engineering network:
Name: Engineering-net
Type: VLAN
Interface: internal
VLAN ID: 10
Addressing mode: Manual
IP/Netmask: 192.168.10.1
Select Create New to add a VLAN interface for the marketing network:
Name: Marketing-net
Type: VLAN
Interface: internal
VLAN ID: 20
Addressing mode: Manual
IP/Netmask: 192.168.20.1
Select Create New to add a VLAN interface for the sales network:
Name: Sales-net
Type: VLAN
Interface: internal
VLAN ID: 30
Addressing mode: Manual
IP/Netmask: 192.168.30.1
Go to System > Network > DHCP Server and select Create New to add a DHCP server for the
marketing network:
Interface Name: Marketing-net
Mode: Server
Type: Regular
IP: 192.168.10.100 - 192.168.10.200
Network Mask: 255.255.255.0
Default Gateway: 192.168.10.1
DNS Service:
Select Create New to add a DHCP server for the engineering network:
Interface Name: Engineering-net
Mode: Server
Type: Regular
IP: 192.168.20.100 - 192.168.20.200
Network Mask: 255.255.255.0
Default Gateway: 192.168.20.1
DNS Service:
Select Create New to add a DHCP server for the sales network:
Interface Name: Sales-net
Mode: Server
Type: Regular
IP: 192.168.30.100 - 192.168.30.200
Network Mask: 255.255.255.0
Default Gateway: 192.168.30.1
DNS Service:
Configure the devices on the networks to get their addresses using DHCP.
For devices with manual IP configurations, make sure their default routes point to the correct
FortiGate VLAN interface.
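A DHCP scope bound to a VLAN interface only works if its address range and default gateway lie inside that interface's subnet; otherwise clients receive addresses with no reachable gateway. The check below is an added example, not part of the cookbook: it takes the VLAN interfaces and DHCP servers listed above, reports every scope that is inconsistent with its interface, and confirms that VLAN IDs on the internal interface are unique. The /24 masks on the VLAN interface addresses are assumed, since the recipe lists those addresses without a netmask.

```python
import ipaddress

# VLAN interfaces from the recipe: name -> (parent interface, VLAN ID, address).
# The /24 prefix is assumed; the recipe lists the addresses without a netmask.
VLAN_INTERFACES = {
    "Engineering-net": ("internal", 10, "192.168.10.1/24"),
    "Marketing-net": ("internal", 20, "192.168.20.1/24"),
    "Sales-net": ("internal", 30, "192.168.30.1/24"),
}

# DHCP servers exactly as listed in the recipe, bound to an interface name.
DHCP_SERVERS = [
    {"interface": "Marketing-net", "range": ("192.168.10.100", "192.168.10.200"),
     "netmask": "255.255.255.0", "gateway": "192.168.10.1"},
    {"interface": "Engineering-net", "range": ("192.168.20.100", "192.168.20.200"),
     "netmask": "255.255.255.0", "gateway": "192.168.20.1"},
    {"interface": "Sales-net", "range": ("192.168.30.100", "192.168.30.200"),
     "netmask": "255.255.255.0", "gateway": "192.168.30.1"},
]


def check_scope(scope, interfaces):
    """Return a list of problems for one DHCP scope; an empty list means the
    scope is consistent with the VLAN interface it is bound to."""
    iface = interfaces.get(scope["interface"])
    if iface is None:
        return [f"bound to unknown interface {scope['interface']}"]
    iface_addr = ipaddress.ip_interface(iface[2])
    subnet = iface_addr.network
    problems = []

    # The address range must sit inside the interface subnet and must not
    # hand out the FortiGate's own address.
    lo, hi = (ipaddress.ip_address(a) for a in scope["range"])
    if lo > hi:
        problems.append(f"range start {lo} is above range end {hi}")
    for label, addr in (("range start", lo), ("range end", hi)):
        if addr not in subnet:
            problems.append(f"{label} {addr} is outside {subnet}")
    if lo <= iface_addr.ip <= hi:
        problems.append(f"range includes the interface address {iface_addr.ip}")

    # Clients route through the scope's gateway, which should be the FortiGate
    # VLAN interface address (or at least an address on the same subnet).
    gateway = ipaddress.ip_address(scope["gateway"])
    if gateway not in subnet:
        problems.append(f"gateway {gateway} is outside {subnet}")
    elif gateway != iface_addr.ip:
        problems.append(f"gateway {gateway} is not the interface address {iface_addr.ip}")

    # The scope's netmask must describe the same subnet size as the interface.
    scope_prefix = ipaddress.ip_network(f"0.0.0.0/{scope['netmask']}").prefixlen
    if scope_prefix != subnet.prefixlen:
        problems.append(f"netmask /{scope_prefix} differs from interface /{subnet.prefixlen}")
    return problems


def check_all(servers, interfaces):
    """Map each scope's interface name to its list of problems."""
    return {s["interface"]: check_scope(s, interfaces) for s in servers}


def duplicate_vlan_ids(interfaces):
    """Return (parent, VLAN ID) pairs used by more than one VLAN interface;
    two VLAN interfaces on one parent cannot share a tag."""
    seen = {}
    for name, (parent, vid, _) in interfaces.items():
        seen.setdefault((parent, vid), []).append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for name, problems in check_all(DHCP_SERVERS, VLAN_INTERFACES).items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
    print("duplicate VLAN IDs:", duplicate_vlan_ids(VLAN_INTERFACES) or "none")
```

Run against the values above, the Sales-net scope passes while the Marketing-net and Engineering-net scopes are each reported three times, because their ranges and gateways lie in the other interface's subnet.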
Go to Policy > Policy > Policy and select Create New to add a security policy that allows users
on the engineering network to connect to the Internet.
Source Interface/Zone: Engineering-net
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: Always
Service: ANY
Action: ACCEPT
Select Create New to add a security policy that allows users on the marketing network to
connect to the Internet.
Source Interface/Zone: Marketing-net
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: Always
Service: ANY
Action: ACCEPT
Select Create New to add a security policy that allows users on the sales network to connect to
the Internet.
Source Interface/Zone: Sales-net
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: Always
Service: ANY
Action: ACCEPT
Results
Users from any of the networks should be able to connect to the Internet. Go to Policy > Monitor >
Policy Monitor to view information about sessions through the FortiGate unit.
If users on the networks cannot connect to the Internet, re-check your FortiGate configuration. You
can also try the steps described in Troubleshooting NAT/Route mode installations on page 24.
Using Virtual Domains to host more than one FortiOS instance on a single FortiGate unit
[Diagram: FortiGate Unit with two Virtual Domains. VDOM-A: port1 172.20.120.10 to the Gateway Router 172.20.120.2, port2 192.168.10.1 to Company A 192.168.10.0. VDOM-B: port3 172.20.120.20 to the Gateway Router, port4 192.168.20.1 to Company B 192.168.20.0.]
Solution
Use Virtual Domains (VDOMs) to divide the FortiGate unit into two or more virtual instances of FortiOS
that function similarly to two independent FortiGate units. Each VDOM has its own physical interfaces,
routing configuration, and security policies.
This example simulates an ISP that provides Company A and Company B with Internet services.
Each company would have its own Internet IP address and internal network. This configuration
requires:
Two VDOMs, VDOM-A and VDOM-B, each operating in NAT/Route mode with two interfaces, one
for a connection to the Internet and one for a connection to the internal network.
The routing configuration of the example is simplified to only require a default static route from
each VDOM to an Internet gateway router.
Connect to the FortiGate web-based manager and from the Dashboard System Information
widget select Enable beside Virtual Domain.
Go to System > VDOM > VDOM and select Create New to create two VDOMs with the following
configuration:
For company A:
Name: VDOM-A
Enable: Select
Operation Mode: NAT
For company B:
Name: VDOM-B
Enable: Select
Operation Mode: NAT
Go to System > Network > Interface and Edit port1 and add it to VDOM-A.
Name: port1
Virtual Domain: VDOM-A
Addressing Mode: Manual
IP/Netmask: 172.20.120.10/255.255.255.0
Edit port2 and add it to VDOM-A.
Name: port2
Virtual Domain: VDOM-A
Addressing Mode: Manual
IP/Netmask: 192.168.10.1/255.255.255.0
Administrative Access:
Edit port3 and add it to VDOM-B.
Name: port3
Virtual Domain: VDOM-B
Addressing Mode: Manual
IP/Netmask: 172.20.120.20/255.255.255.0
Edit port4 and add it to VDOM-B.
Name: port4
Virtual Domain: VDOM-B
Addressing Mode: Manual
IP/Netmask: 192.168.20.1/255.255.255.0
Administrative Access:
Go to System > Admin > Administrators and select Create New to add an administrator for
VDOM-A.
Administrator: a-admin
Type: Regular
Password: passw0rda
Confirm Password: passw0rda
Admin Profile: prof_admin
Virtual Domain: VDOM-A
Go to System > Admin > Administrators and select Create New to add an administrator for
VDOM-B.
Administrator: b-admin
Type: Regular
Password: passw0rdb
Confirm Password: passw0rdb
Admin Profile: prof_admin
Virtual Domain: VDOM-B
Go to Router > Static > Static Route and select Create New to add the default route for
VDOM-A.
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: port1
Gateway: 172.20.120.2
Go to System > Network > DHCP Server and select Create New to add a DHCP server.
Interface Name: port2
Mode: Server
Type: Regular
IP: 192.168.10.100-192.168.10.200
Network Mask: 255.255.255.0
Default Gateway: 192.168.10.1
Connect a PC to the port2 interface and configure it to get an IP address automatically using
DHCP.
Log in to VDOM-A by browsing to https://192.168.10.1 and entering a-admin as the Name and
passw0rda as the Password.
Go to Policy > Policy > Policy and select Create New to create a security policy that allows
users on the company A internal network to connect to the Internet.
Source Interface/Zone: port2
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
You should be able to connect to the Internet. If not, check the configuration or use the steps
described in Troubleshooting NAT/Route mode installations on page 24 to find the problem.
12. Configure the computers on the company A network to get their IP configuration automatically
using DHCP.
Create a basic configuration for VDOM-B
Add a default route, a DHCP server, and a security policy to allow company-B users to get their IP
configuration from the FortiGate unit and connect to the Internet.
1. Log in to the FortiGate unit as the admin administrator (or any administrator with the
super_admin profile).
Go to Router > Static > Static Route and select Create New to add the default route for
VDOM-A.
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: port3
Gateway: 172.20.120.2
Go to System > Network > DHCP Server and select Create New to add a DHCP server.
Interface Name: port4
Mode: Server
Type: Regular
IP: 192.168.20.100-192.168.20.200
Network Mask: 255.255.255.0
Default Gateway: 192.168.20.1
Connect a PC to the port4 interface and configure it to get an IP address automatically using
DHCP.
Log in to VDOM-B by browsing to https://192.168.20.1 and entering b-admin as the Name and
passw0rdb as the Password.
Go to Policy > Policy > Policy and select Create New to create a security policy that allows
users on the company B internal network to connect to the Internet.
Source Interface/Zone: port4
Source Address: all
Destination Interface/Zone: port3
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
You should be able to connect to the Internet. If not, check the configuration or use the steps
described in Troubleshooting NAT/Route mode installations on page 24 to find the problem.
13. Configure the computers on the company B network to get their IP configuration automatically
using DHCP.
Results
Connect to the Internet from the company A and company B networks. From either VDOM, go to
Policy > Monitor > Policy Monitor and confirm that the policies that you added are allowing traffic
through the individual VDOMs.
You can use the packet sniffer to verify that traffic is staying in a VDOM. For example, enter the
following command from the FortiGate CLI and then ping from one of the internal networks to an
address on the Internet.
diagnose sniffer packet any 'icmp' 4 10
interfaces=[any]
filters=[icmp]
10.728968 port4 in 192.168.20.100 -> 66.171.121.34: icmp: echo request
10.729158 port3 out 172.20.120.20 -> 66.171.121.34: icmp: echo request
10.821152 port3 in 66.171.121.34 -> 172.20.120.20: icmp: echo reply
10.821288 port4 out 66.171.121.34 -> 192.168.20.100: icmp: echo reply
11.729230 port4 in 192.168.20.100 -> 66.171.121.34: icmp: echo request
11.729431 port3 out 172.20.120.20 -> 66.171.121.34: icmp: echo request
11.821349 port3 in 66.171.121.34 -> 172.20.120.20: icmp: echo reply
11.821481 port4 out 66.171.121.34 -> 192.168.20.100: icmp: echo reply
The command output shows that the sessions only use the port4 and port3 interfaces, both of which are in
VDOM-B.
If you log in as an administrator with the super_admin profile, you can sniff any interface. If you log
in as a-admin or b-admin (an administrator for a single VDOM), you can only sniff interfaces in the
administrator's VDOM. To access the packet sniffer, you must log in to a VDOM; you cannot access
the packet sniffer from the global configuration.
Setting up an administrator account for monitoring firewall activity and basic maintenance
[Figure: an administrator with the maint_monitor admin profile on the internal network, connecting to the FortiGate unit (DHCP server)]
Solution
Create a new admin profile that only allows the administrator to view and maintain configuration
options and to view and configure log information and reports. Then create an administrative user,
Terry White, with that monitoring profile.
1 Go to System > Admin > Admin Profile and select Create New.
Enter the Profile Name of maint_monitor and set the following settings to Read-Write:
FortiGuard Update
Maintenance
Log & Report
Go to System > Admin > Administrators and select Create New to add the following
administrator:
Administrator: Terry_White
Type: Regular
Password: password
Confirm Password: password
Admin Profile: maint_monitor
The admin profile dictates which parts of the FortiGate configuration the administrator can see and
configure from the web-based manager and the CLI. You can add multiple profiles and assign users
and administrators different profiles depending on what they are tasked to do with the FortiGate unit.
Results
Log in to the FortiGate using the user name of Terry_White and the password of password. When
logged in, the web-based manager menus and sub-menus related to the access control you
configured appear. The OK or Apply buttons will not appear in settings that may be editable on a
Read-Write page.
To confirm that Terry White has logged in successfully, from the FortiGate web-based manager go to
Log&Report > Event Log to see the login message in the Action column.
Select the log entry to view the detailed information, which indicates the admin user connected. The
Message row indicates that Terry White connected successfully from 192.168.1.1. The Profile Name
row also indicates the admin profile in use.
Go to System > Dashboard > Status, and look at the System Information widget. The Current
Administrator row indicates the number of administrators logged in.
Solution
There are a number of measures that you can take to provide maximum security for your FortiGate
unit. Some may seem obvious, but they are easily overlooked in the grand scheme of setting up a
network device such as a FortiGate unit.
Some general secure operation best practices
The following are all good practices but may not be necessary or practical on all networks.
Configure and test the configuration of a new FortiGate unit in a controlled environment and not on a
production network.
Tighten security and find and fix security flaws before deploying the system.
Do not perform the first testing of new policies on a live system.
Limit access to security policy changes as much as possible and audit security policies regularly
to make sure the configuration hasn't been compromised.
Enforce strong password policies for users and for administrators (length, complexity, rotation).
Implement a regular configuration backup plan and make sure it happens.
Only connect network interfaces that are required. A network that does not access resources
through the FortiGate unit should not be connected to it.
Only enable services that are required. It can be easier to set the service in a security policy to
ANY than to specify individual services, but the ANY service may allow traffic that you don't want.
Use NTP to set the system time so that system time is always correct. Correct system time is
necessary for analyzing log messages.
Record as many log messages as you can without affecting FortiGate performance. More log
messages means more visibility into what's happening with the system.
Synchronize log messages with an external log server (syslog or FortiAnalyzer) to have a backup
of log messages for analysis if the FortiGate unit is compromised.
Incorporate log message reviews into regular administration procedures (especially admin
authentication logs).
Disable weak encryption and unencrypted services. For example, all administrator access should
be over HTTPS and SSH not HTTP and Telnet. For IPsec VPN configurations use 3DES or higher
levels of AES encryption and higher levels of SHA authentication.
At least one account should always have the super_admin profile as this profile is required to add
and remove administrators. To improve security only a very few administrators (usually one) should
be able to add new administrators.
If you want some administrator accounts to have limited access to the FortiGate configuration you
can create custom admin profiles that only allow access to selected parts of the configuration. To
add custom admin profiles, go to System > Admin > Admin Profile and select Create New.
For example, if you want to add an admin profile that does not allow changing security policies, set
Firewall Configuration to None or Read Only when you configure the admin profile.
Change the admin account name and limit access to this account
The default super_admin administrator account, admin, is a well-known administrator name, so if this
account is available it could be easier for attackers to access the FortiGate unit because they know
they can log in with this name and only have to determine the password. You can improve security by
changing this name to one that is more difficult for an attacker to guess.
To do this, create a new administrator account with the super_admin admin profile and log in as that
administrator. Then go to System > Admin > Administrators, Edit the admin administrator and
change the Administrator name.
Once the account has been renamed you could delete the super_admin account that you just added.
Consider also only using the super_admin account for adding or changing administrators. The less
this account is used, the less likely it is to be compromised. You could also store the account name
and password for this account in a secure location in case, for some reason, the account name or
password is forgotten.
Limit the interfaces that administrators can log into
Allow administrative access to as few interfaces as possible to have more control on the networks
that administrators can log in from. In general you should also avoid allowing administrative access
to a WiFi interface or interfaces connected to public networks. If you need to allow administrative
access for one of these interfaces, you can use trusted hosts to improve security.
Use trusted hosts to limit where administrators can log into the FortiGate unit from
Setting trusted hosts for an administrator limits the computer/location from which that administrator
can log into the FortiGate unit. When you identify a trusted host, the FortiGate unit will only accept
the administrator's login from the configured IP address of the trusted host. Any attempt to log in
with the same credentials from any other IP address will be dropped.
To ensure the administrator has access from different locations, you can enter up to ten trusted host
IP addresses. For higher security, use an IP address with a netmask of 255.255.255.255, and enter
a (non-zero) IP address in each of the three default trusted host fields.
The trusted hosts apply to HTTP and HTTPS access to the web-based manager, ping, SNMP access
and the CLI when accessed through Telnet or SSH. CLI access through the console port is not
affected.
Ensure all entries contain actual IP addresses, not the default 0.0.0.0, even if it is a non-address
such as 1.1.1.1.
If you change the HTTP or HTTPS administrative access port number, the number must be included
in the URL that the administrator uses to connect to the web-based manager in the format of
http[s]://<ip_address>:<port>. For example, if you are connecting to the web-based manager using
HTTPS on port 2112, the url would be https://192.168.1.99:2112.
Maintain short login timeouts
To avoid the possibility of an administrator walking away from the management computer and leaving
it exposed to unauthorized personnel, you can add an idle time-out. That is, if the web-based
manager is not used for a specified amount of time, the FortiGate unit will automatically log the
administrator out. To continue their work, they must log in again.
The time-out can be set as high as 480 minutes, or eight hours, although this is not recommended.
To set the idle time out:
1
When logging into the console using SSH, the default time of inactivity to successfully log into the
FortiGate unit is 120 seconds (2 minutes). You can configure the time to be shorter by using the CLI
to change the length of time the command prompt remains idle before the FortiGate unit will log the
administrator out. The range can be between 10 and 3600 seconds. To set the logout time enter the
following commands:
config system global
set admin-ssh-grace-time <number_of_seconds>
end
You could also further use port forwarding to send the traffic to a non-existent IP address and thus
never have a response packet sent.
Obfuscate HTTP headers
The FortiGate unit can obfuscate the HTTP header information being sent to external web servers to
better cloak the source. To obfuscate HTTP headers, use the following CLI command:
config system global
set http-obfuscate {none | header-only | modified | no-error}
end
Where:
none: do not hide the FortiGate web server identity.
header-only: hides the HTTP server banner.
modified: provides modified error responses.
no-error: suppresses error responses.
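The checks in this section (trusted hosts left at 0.0.0.0, HTTP or Telnet administrative access, long idle and SSH grace times, the default admin account name, http-obfuscate set to none) can be run over a configuration backup. The script below is an added example, not Fortinet code: it parses the config/edit/set/next/end layout of a FortiOS backup, and the sample configuration and the 15-minute idle threshold are constructed assumptions.

```python
"""Audit a FortiOS configuration backup against the hardening points above.
Added example, not Fortinet code."""
from typing import Dict, List, Tuple

# Constructed sample in FortiOS backup layout; values are deliberately the
# weak settings the text warns about so every check has something to report.
SAMPLE_CONFIG = """\
config system global
    set admintimeout 480
    set admin-ssh-grace-time 600
    set http-obfuscate none
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "Terry_White"
        set accprofile "maint_monitor"
        set trusthost1 192.168.1.10 255.255.255.255
        set trusthost2 192.168.1.11 255.255.255.255
        set trusthost3 192.168.1.12 255.255.255.255
    next
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh http
    next
    edit "internal"
        set allowaccess ping https ssh
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, List[str]]]]


def parse_config(text: str) -> Config:
    """Parse config/edit/set/next/end into {section: {entry: {key: values}}}.
    Settings directly under a section (no edit) are stored under entry ''."""
    tree: Config = {}
    stack: List[Tuple[str, str]] = []          # (section, entry) currently open
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            section = " ".join(args)
            tree.setdefault(section, {})
            stack.append((section, ""))
        elif cmd == "edit":
            section = stack[-1][0]
            entry = args[0].strip('"')
            tree[section].setdefault(entry, {})
            stack.append((section, entry))
        elif cmd == "set":
            section, entry = stack[-1]
            tree[section].setdefault(entry, {})[args[0]] = [a.strip('"') for a in args[1:]]
        elif cmd in ("next", "end"):
            stack.pop()
    return tree


def audit(tree: Config, max_idle_minutes: int = 15) -> List[str]:
    """Return one finding per weak setting. max_idle_minutes is an assumed
    local policy; the 120 s SSH grace default and the 0.0.0.0 trusted-host
    default are the values stated in the text."""
    findings = []
    g = tree.get("system global", {}).get("", {})
    if "admintimeout" in g and int(g["admintimeout"][0]) > max_idle_minutes:
        findings.append(f"admintimeout {g['admintimeout'][0]} min exceeds {max_idle_minutes} min")
    if "admin-ssh-grace-time" in g and int(g["admin-ssh-grace-time"][0]) > 120:
        findings.append(f"admin-ssh-grace-time {g['admin-ssh-grace-time'][0]}s is above the 120s default")
    if g.get("http-obfuscate", [None])[0] == "none":
        findings.append("http-obfuscate is none: web server identity is not hidden")
    for name, s in tree.get("system admin", {}).items():
        if not name:
            continue
        if name == "admin" and s.get("accprofile", [""])[0] == "super_admin":
            findings.append("default super_admin account is still named 'admin'")
        hosts = [s.get(f"trusthost{i}", ["0.0.0.0", "0.0.0.0"]) for i in (1, 2, 3)]
        if any(h[0] == "0.0.0.0" for h in hosts):
            findings.append(f"admin {name}: a trusted host is still 0.0.0.0 (any address)")
        elif any(h[1] != "255.255.255.255" for h in hosts):
            findings.append(f"admin {name}: trusted host netmask wider than a single host")
    for name, s in tree.get("system interface", {}).items():
        weak = {"http", "telnet"} & set(s.get("allowaccess", []))
        if weak:
            findings.append(f"interface {name}: unencrypted admin access {sorted(weak)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```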
Creating a local DNS server listing for internal web sites and servers
Problem
Keeping DNS traffic for company server lookups off of the Internet and on the internal network.
[Figure: internal server info.company.com (IP 192.168.1.2); internal DNS queries from the internal network are answered by the DNS database on the FortiGate unit]
Solution
On a FortiGate unit, enable DNS databases, create an internal DNS database with the
IPs/names/URLs of internal sites, and enable the DNS server on the FortiGate internal interface.
Configure the internal network to use the FortiGate internal interface as the authoritative DNS server.
This way, when internal users request a URL, the FortiGate unit will look to its internal DNS. To look up
external names, the FortiGate unit forwards DNS requests to external DNS servers.
The DNS server setting on the devices on the internal network must use the FortiGate internal
interface as their DNS server.
1 Go to System > Admin > Settings, select DNS Database and select Apply.
Go to System > Network > DNS Server and select Create New to add a new DNS Database:
Type: Master
View: Shadow
DNS Zone: Internal
Domain Name: company.com
To add DNS Entries, select Create New and enter the name and IP address of an internal site:
Type: Address (A)
Hostname: info
IP Address: 192.168.1.2
Go to System > Network > DNS Server and select Create New under DNS Service on
Interface to configure the mode for queries to the DNS database received at the Internal
interface.
Interface: Internal
Mode: Recursive
Select OK to save the DNS service mode for the internal interface.
Results
To verify that the DNS database is being used, go to System > Network > DNS and temporarily
remove the primary and secondary DNS server settings. That is, leave them empty, and browse to
the http://info.company.com web site. The web site will appear, while surfing to any other site will
not work. This shows that the FortiGate unit is using its internal DNS database to resolve the
configured web site.
[Figure: reserved DHCP address (IP 10.10.10.18, MAC 00:13:72:38:6a:39) on the internal network; the FortiGate unit acts as DHCP server]
Solution
If you have an existing DHCP server enabled on the FortiGate unit, enable IP reservation within the
DHCP service settings and then add the MAC addresses of PCs that you want to always get the
same IP address.
Go to System > Network > DHCP Server and Edit the DHCP server.
Select IP Reservation and select Create New and add a MAC IP address pair:
IP: 10.10.10.18
MAC Address: 00:13:72:38:6a:39
If the PC is already connected and has acquired an IP address from the DHCP server, you can get
its MAC address and IP address by selecting Add from DHCP Client List. When the list appears,
select the PC from the list and select Add To Reserved.
Results
The PC will always acquire the reserved IP address from the FortiGate DHCP server.
Verify that the PC has acquired the correct IP address by viewing its IP configuration or status. For
example, from a command prompt, you may be able to enter the command ipconfig/all.
From the FortiGate web-based manager, go to System > Monitor > DHCP Monitor to view the list
of PCs that are using the DHCP server to acquire IP addresses. The PC with the reserved address will
appear with an R next to the address.
If you do not see the PC in the DHCP Monitor or if the R icon is not visible, you may need to either
restart the PC, or renew its IP configuration.
[Figure: SNMP manager (IP 192.168.1.10) on the internal network receiving SNMP traps from the SNMP agent on the FortiGate unit]
Solution
Enable SNMP to collect SNMP v1/2c traps for the status of the FortiGate unit.
Go to System > Config > SNMP and select Enable to enable the FortiGate SNMP agent.
Location:
Contact: admin@company.com
Select Apply to save the configuration and start the FortiGate SNMP agent.
Add the IP address of a Host that can receive SNMP traps by selecting Add under Hosts.
You can also set the IP address/Netmask to 0.0.0.0/0.0.0.0 and the Interface to ANY so that any
SNMP manager at any network connected to the FortiGate unit can use this SNMP community and
receive traps from the FortiGate unit.
How do I get FortiGate MIBs?
There are two MIB files for FortiGate units: the Fortinet MIB and the FortiGate MIB. The Fortinet MIB
contains traps, fields and information that are common to all Fortinet products. The FortiGate MIB
contains traps, fields and information that are specific to FortiGate units.
The two FortiGate MIB files are available on the Fortinet Customer Support web site. The Fortinet
MIB contains information for Fortinet products in general. The Fortinet FortiGate MIB includes the
system information for the FortiGate unit and version of FortiOS. Both files are required for proper
SNMP data collection.
1
Then add a local-in policy that allows connections from the allowed address range for SNMP
management access:
config firewall local-in-policy
edit 0
set intf internal
set srcaddr local-address-range
set dstaddr all
set action accept
set service SNMP
set schedule always
end
Since local-in policy lists don't include implicit deny-all policies, this policy alone will not restrict
access. To successfully restrict access you must add the following deny-all policy below the previous
policy in the internal interface local-in policy list:
config firewall local-in-policy
edit 0
set intf internal
set srcaddr all
set dstaddr all
set action deny
set service ANY
set schedule always
end
Results
Configure the SNMP manager at 192.168.1.10 to receive traps from the FortiGate unit. Then do
something to trigger a trap, for example, change the IP address of a FortiGate interface. Verify that
the SNMP manager receives the trap.
You can also send a trap by enabling antivirus in a security policy and try downloading an eicar test
file from http://eicar.org. This will trigger a Virus detected event, sending a trap. You can also view the
UTM log by going to Log&Report > Log & Archive Access > UTM Log.
Solution
When troubleshooting networks, it helps to look inside the header of the packets. This helps to
determine if the packets, route, and destination are all what you expect. Packet sniffing can also be
called a network tap, packet capture, or logic analyzing.
When to use packet sniffing
Packet sniffing tells you what is happening on the network at a low level. This can be very useful for
troubleshooting problems, such as:
confirming which address a computer is using on the network if they have multiple addresses or
are on multiple networks
a particular type of packet is having problems, such as UDP, which is commonly used for
streaming video
Interface and filter arguments are required. To stop the sniffer, press Ctrl+C.
{ <interface> | any }
{ filter_str | none }
{1 | 2 | 3 | 4 | 5 | 6}
If you do not put a number here, the sniffer will run forever until you stop it by pressing Ctrl+C.
This command looks for all packets on the internal interface and returns the packet headers with
interface names attached for the first three packets. Three packets were selected for this example so
the output would not overwhelm you. During normal troubleshooting, you will want to capture a larger
number of packets to get a better picture of the network. Also note that if you run this command you
will not see the same three packets listed here, but they will have similar information displayed.
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918816 ack 1949135261
internal out 192.168.0.30.1144 -> 192.168.0.1.22: ack 2859918884
From the look of these packets they are part of a TCP SSH exchange. Let's look at the first packet
sniffed:
internal in 192.168.0.1.22 -> 192.168.0.30.1144: psh 2859918764 ack 1949135261
The sniffer displayed the following info about the first packet:
192.168.0.1.22: the IP address with port number of the packet source (a source IP of
192.168.0.1 with the source port number 22, which is generally associated with SSH).
192.168.0.30.1144: the IP address with port number of the packet destination (a destination
IP of 192.168.0.30 with the destination port number 1144).
psh: one of the nine flags from TCP headers (ns, cwr, ece, urg, ack, psh, rst, syn, fin). psh
stands for push function, which asks to push the buffered data to the receiving application.
2859918764: the TCP sequence number. The sequence number, which starts with 285, is
incrementing by small amounts over the three sniffed packets.
1949135261: the acknowledgement number. If ACK is set, this is the next sequence number the
receiver is expecting, in effect acknowledging all prior bytes.
You will notice from this description that, after the IP and port information, all the information is TCP
specific. This information will change depending on the type of packet (tcp, arp, udp, ip, gre, etc.).
Regardless of how much detail you need from the sniffer, you need to be familiar with the packet
header structure for your type of packets.
The TCP flag and sequence information is displayed because verbosity level 4 was selected. This
information can be useful to ensure that all the traffic for a session is reaching its destination, and
that the session was properly established.
This output captured the 16th, 17th, and 18th ping echo requests that were sent out from
172.20.120.17, and the 16th and 17th replies from the FortiGate unit. You can tell this from the
number at the start of each line (16, 17, or 18), which indicates the packet number and sequence.
It is useful to check this number to see if you are dropping packets. The echo or echo reply tells you
which direction the packet is travelling without the IP address. Note that there is no other information
displayed because icmp packets carry very little information.
If you have icmp packets from other sources showing up in your sniffing, you can add a basic filter
to select only packets to or from 172.20.120.17. To do this, the sniffer command would become:
diag sniffer packet any 'icmp and host 172.20.120.17' 4 5. Filtering is described
in more detail in Advanced troubleshooting by sniffing packets (packet capture) on page 130.
Verbosity level on a random UDP packet
So far, the verbosity level has only determined if interface information is shown or not. However, it
can also be used to display the content or payload of the packets. This is useful if you have packets
with headers inside packets, or other specific plain text information you can read from the packets.
This example shows how to sniff one udp packet on any network of the FortiGate unit at verbosity
level 6 to show the packet contents and interface.
# diag sniffer packet any 'udp' 6 1
interfaces=[any]
filters=[udp]
1.865746 wan1 out 172.20.120.136.60718 -> 8.8.8.8.53: udp 35
0x0000 0000 0000 0000 0009 0f30 ca51 0800 4500 .........0.Q..E.
0x0010 003f cee2 0000 4011 771f ac14 7888 0808 .?....@.w...x...
0x0020 0808 ed2e 0035 002b c997 db37 0100 0001 .....5.+...7....
0x0030 0000 0000 0000 0361 7273 056f 7363 6172 .......ars.exmpl
0x0040 0361 6f6c 0363 6f6d 0000 0100 01 .aol.com.....
This packet is going out on the wan1 interface, using port 60718. Its destination is 8.8.8.8 using port
53. All six lines of output are for a single packet, and this is a small packet. TCP packets are much
larger. The IP address 8.8.8.8 is Google's public DNS address. UDP port 53 is used for DNS lookups
and FortiGuard communications. In this case, it seems safe to say it's a DNS lookup. If we look at the
payload for the packet, we can see the address ars.exmpl.aol.com, which appears to be a
domain name to be resolved.
Examining DNAT HTTP packets
Here is a practical example to show how this all comes together. Sniffing can show you what NAT is
taking place instead of you guessing. Test destination NAT by browsing to http://172.20.120.14 from
the Internet. The session passes through the FortiGate unit to the web server which sends a
response. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 4
interfaces=[any]
filters=[port 80]
6.150356 wan1 in 172.20.120.12.51439 -> 172.20.120.14.80: syn 15893888
6.150637 internal out 172.20.120.12.51439 -> 192.168.1.110.80: syn 15893888
6.150803 internal in 192.168.1.110.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
6.150974 wan1 out 172.20.120.14.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
The first output line shows a packet from a client device with IP address 172.20.120.12 was received
by the wan1 interface with destination address 172.20.120.14 and destination port 80.
The second output line shows that when the packet exits the internal interface the destination
address is changed to 192.168.1.110 and the destination port is still 80.
The third output line shows the response from the web server.
The fourth output line shows the response from the web server being returned to the client device.
The source address has been changed back to 172.20.120.14.
In this example, the source port is not changed.
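Reading the four lines above by eye works for one session; the script below is an added example (not Fortinet code) that parses verbosity-4 sniffer lines, pairs each packet received on one interface with the packet forwarded on another, and reports which addresses were rewritten in between. Its constructed input is the DNAT capture above and the ICMP capture from the VDOM recipe, where the same pairing exposes the source NAT applied at the VDOM's outgoing interface.

```python
"""Parse 'diagnose sniffer packet' verbosity-4 lines and show which addresses
the FortiGate rewrites between the interface a packet arrives on and the
interface it leaves on. Added example, not Fortinet code."""
import re
from typing import List, Optional

# One verbosity-4 line: <ts> <iface> <in|out> <src>[.<port>] -> <dst>[.<port>]: <info>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s+(?P<info>.+)$"
)

# Constructed samples, copied as the sniffer printed them in this cookbook.
DNAT_CAPTURE = """\
interfaces=[any]
filters=[port 80]
6.150356 wan1 in 172.20.120.12.51439 -> 172.20.120.14.80: syn 15893888
6.150637 internal out 172.20.120.12.51439 -> 192.168.1.110.80: syn 15893888
6.150803 internal in 192.168.1.110.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
6.150974 wan1 out 172.20.120.14.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
"""
VDOM_CAPTURE = """\
10.728968 port4 in 192.168.20.100 -> 66.171.121.34: icmp: echo request
10.729158 port3 out 172.20.120.20 -> 66.171.121.34: icmp: echo request
10.821152 port3 in 66.171.121.34 -> 172.20.120.20: icmp: echo reply
10.821288 port4 out 66.171.121.34 -> 192.168.20.100: icmp: echo reply
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one packet line, or None for header/summary lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["ts"] = float(p["ts"])
    p["src"] = (p["src"], int(p["sport"]) if p["sport"] else None)
    p["dst"] = (p["dst"], int(p["dport"]) if p["dport"] else None)
    del p["sport"], p["dport"]
    return p


def parse_capture(text: str) -> List[dict]:
    return [p for p in map(parse_line, text.splitlines()) if p]


def find_translations(packets: List[dict]) -> List[dict]:
    """Pair each packet received ('in') with the next packet sent ('out') on a
    different interface carrying the same protocol info (same TCP flags and
    sequence numbers, or the same ICMP type) and record what changed."""
    found = []
    for i, pkt_in in enumerate(packets):
        if pkt_in["dir"] != "in":
            continue
        for pkt_out in packets[i + 1:]:
            if (pkt_out["dir"] == "out" and pkt_out["iface"] != pkt_in["iface"]
                    and pkt_out["info"] == pkt_in["info"]):
                found.append({"in_iface": pkt_in["iface"], "out_iface": pkt_out["iface"],
                              "src": (pkt_in["src"], pkt_out["src"]),
                              "dst": (pkt_in["dst"], pkt_out["dst"])})
                break
    return found


def fmt(addr) -> str:
    ip, port = addr
    return ip if port is None else f"{ip}:{port}"


def describe(t: dict) -> str:
    """One line per pairing: which of source and destination was rewritten."""
    parts = []
    if t["dst"][0] != t["dst"][1]:
        parts.append(f"dst rewritten {fmt(t['dst'][0])} -> {fmt(t['dst'][1])}")
    if t["src"][0] != t["src"][1]:
        parts.append(f"src rewritten {fmt(t['src'][0])} -> {fmt(t['src'][1])}")
    return f"{t['in_iface']} in -> {t['out_iface']} out: " + ("; ".join(parts) or "no translation")


if __name__ == "__main__":
    for name, capture in (("DNAT HTTP", DNAT_CAPTURE), ("VDOM ICMP", VDOM_CAPTURE)):
        print(name)
        for t in find_translations(parse_capture(capture)):
            print("  " + describe(t))
```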
Best Practices
Here are some tips that will improve your troubleshooting when using the sniffer.
Always log output to a file that you can search, sort, and process later. You can also send the
output log to Fortinet support to assist them in solving your issue.
Visualize the path you expect the packets in question are using. It will help you write your sniffer
command more accurately and reduce your troubleshooting.
If you are not getting the results you expect, broaden your search parameters. It's possible things
are behaving differently than you expect.
You need to know the details about the packet type you are sniffing to maximize the benefits.
Otherwise there will be useful information you do not understand in the sniffing results.
Keep your connection method in mind when sniffing packets. If you are web browsing to the
FortiGate unit, web protocol packets may be affected. If you are using Telnet to connect, those
packets will affect the sniffing results.
If you are sniffing VLAN packets, any configured filter will stop VLAN tags from being displayed.
Solution
You can perform some basic packet sniffing and network troubleshooting without using packet
sniffing filters. However, with filters, you can fine-tune your troubleshooting to the point of being able
to find a specific ping packet on a busy network.
When packet sniffing, the filter field is very flexible. By using the filter option, you can:
match the type of packet (arp, ip, gre, esp, udp, tcp, icmp)
Let's look at each of the different parts of the filter. Keep in mind that in addition to these formats, you
can also search for individual words using the filter. The following are examples.
IP matching with filters
Let's look at the hostname and IP matching [[src|dst] host <host_name_or_IP1>]. It
allows you to specify either the source or destination host. For example, if you want to sniff packets
coming from IP address 192.168.1.27 you would set the filter to src host 192.168.1.27. If
you want to sniff packets going to a computer called my_laptop, the filter would be dst host
my_laptop. This host name is resolved using DNS.
In each case, when the sniffer finds packets from that computer, the packets will match the filter and
be displayed. You can enter two or more different computers using this format and join them with
logical ANDs or ORs. For example, you could specify one source and two destinations.
In the following example, let's assume a computer on the network is pinging the FortiGate unit. We
will only be looking for ping packets with a source of 172.20.120.136, which is the FortiGate unit.
diag sniffer packet any 'icmp and src host 172.20.120.136'
interfaces=[any]
filters=[icmp and src host 172.20.120.136]
0.319302 172.20.120.136 -> 172.20.120.17: icmp: echo reply
1.348780 172.20.120.136 -> 172.20.120.17: icmp: echo reply
2.355177 172.20.120.136 -> 172.20.120.17: icmp: echo reply
3.356008 172.20.120.136 -> 172.20.120.17: icmp: echo reply
4 packets received by filter
0 packets dropped by kernel
The result displays four packets, all ping (icmp) packets, originating from the FortiGate unit and going
to 172.20.120.17. This time there was no verbosity level indicated or number of packets. A default
verbosity level 1 is used, and the sniffing continues until you press Ctrl-C to stop it. Note that the last
two lines tell you how many packets were sniffed and if the FortiGate kernel dropped any packets
during this time.
When the sniffing has ended, if you see anything but zero packets dropped, you may have a
problem. Packets dropped indicates the FortiGate unit was not able to sniff and display all the
packets that were coming in. If you were looking for all the packets in a sequence, there may well
be packets missing. For this reason, you should consider possible reasons for those dropped
packets, attempt to fix the problem so all packets are captured, and run the sniffer again. Keep in
mind that the sniffer can take up to 25% of the CPU resources on smaller FortiGate units.
Sniffing a port and specifying multiple hosts using AND and OR operators
When a TCP session is created, the destination port is set to a known port number; for example,
port 80 is commonly used for HTTP sessions. But the source port is randomly assigned. The
unknown source port can make troubleshooting difficult. However, the FortiGate packet sniffer can
match the known port whether it is the source or destination port; you do not need to know which.
Let's check HTTP packets going between IP 172.20.120.18 (the FortiGate) and either
10.10.80.110 (wifi interface called Star) or 10.10.10.100 (internal LAN interface).
diag sniffer packet any "port 80 and host 172.20.120.18 and (host 10.10.80.110 or host
10.10.10.100)" 4
interfaces=[any]
filters=[port 80 and host 172.20.120.18 and (host 10.10.10.100 or host 10.10.80.110)]
5.036340 internal in 10.10.10.100.58753 -> 172.20.120.18.80: syn 4189154
5.036664 internal out 172.20.120.18.80 -> 10.10.10.100.58753: syn 1354149395 ack 4189155
6.464015 Star out 172.20.120.18.80 -> 10.10.80.110.56791: syn 2000204115 ack 571678006
6.471966 Star in 10.10.80.110.56791 -> 172.20.120.18.80: ack 2000204116
6.474720 Star in 10.10.80.110.56791 -> 172.20.120.18.80: psh 571678006 ack 2000204116
5.036837 internal in 10.10.10.100.58753 -> 172.20.120.18.80: ack 1354149396
5.037023 internal in 10.10.10.100.58753 -> 172.20.120.18.80: psh 4189155 ack 1354149396
6.463686 Star in 10.10.80.110.56791 -> 172.20.120.18.80: syn 571678005
Since either the source or destination will be using port 80, all HTTP traffic between those two
computers will match the filter and be displayed. SSH and HTTPS traffic uses different ports, so that
traffic will not be displayed. The first number of each line of output will vary between sources and is a
good way to quickly determine which IP addresses are in that session.
From this output, we can see ARP requests from a computer with IP address 192.168.100.99 that is
looking for the MAC address of a computer with the IP address 192.168.100.1. In the ARP protocol,
the who-has request is broadcast and includes the link layer address of where to send the reply. The
expected response, when a computer has the 192.168.100.1 IP address, will be in the format arp
reply 192.168.100.1 is at 00:26:b9:00:0f:9c. Since there is no such reply in the sniffed
packets, we can either sniff more packets or assume there is no computer on the network with the IP
address 192.168.100.1. This may be important if a computer is supposed to be using that IP address
and is not. It could imply DHCP problems, or that the computer was physically moved to a different
part of the network.
ARP packets can be the source of problems if there is a network loop. As mentioned above, ARP
tries to match a single MAC address to a single IP address. If the request results in two or more
replies with the same IP address, or different IP addresses have the same MAC address, as may
happen with virtual networking solutions, the loop or asymmetric routing is created. Essentially, all
traffic will go to and from both computers. This will appear as a network slowdown or halt. You can
see this happening if you are sniffing ARP packets and seeing the double replies or double MAC
addresses. To confirm that this is the issue, enter the CLI command config system settings,
set asymroute enable, end. This will turn on asymmetric routing, stop these ARP problems,
and disable stateful inspection. Disabling stateful inspection will compromise security, so in most
cases you should only use this command to confirm a problem. Once the problem is confirmed, use
the sniffer output to find and fix the source and then disable asymmetric routing.
Miscellaneous advanced filters
There are some non-standard filters you can use to match traffic with the packet sniffer. These
advanced filters use logical symbols to match specific bits within packet headers. Some examples
are:
If you want to match TTL = 1 in the packet headers on port2:
# diagnose sniffer packet port2 ip[8:1] = 0x01
If you want to match packets with a source IP address of 192.168.1.2 in the header:
# diagnose sniffer packet internal "(ether[26:4]=0xc0a80102)"
The source and destination information are stored in different places in the packet headers. If you
want to match packets with a source MAC address of 00:09:0f:89:10:ea on the internal interface:
# diagnose sniffer packet internal "(ether[6:4]=0x00090f89) and (ether[10:2]=0x10ea)"
whereas matching packets with the same MAC address as the destination MAC on the internal
interface is:
# diagnose sniffer packet internal "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)"
You can also target specific types of packets, such as addressing the TCP or UDP flags.
If you want to match packets with RST flag set:
# diagnose sniffer packet internal "tcp[13] & 4 != 0"
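The following Python script is an added example, not from the cookbook: it builds a sample Ethernet/IPv4/TCP frame (constructed values) and evaluates byte-offset filter terms of the form shown above against it, using the same offsets the FortiGate sniffer uses, so you can check an offset filter before running it on the unit. The `source_mac_filter` helper is also the example's own.

```python
"""Check FortiGate sniffer byte-offset filters against a constructed frame.

Offsets follow the cookbook's examples: ether[26:4] = source IP, ether[6:4] and
ether[10:2] = source MAC, ether[0:4]/ether[4:2] = destination MAC,
ip[8:1] = TTL, tcp[13] & 4 = RST flag.
"""
import re
import struct

# One term: optional "(", proto[off] or proto[off:len], optional "& mask",
# operator (= or !=), value, optional ")".  Terms may be joined with "and".
TERM = re.compile(
    r"\(?\s*(ether|ip|tcp)\[(\d+)(?::(\d+))?\]\s*"
    r"(?:&\s*(0x[0-9a-fA-F]+|\d+))?\s*(!=|=)\s*(0x[0-9a-fA-F]+|\d+)\s*\)?"
)


def mac_bytes(mac):
    """'00:09:0f:89:10:ea' -> 6 raw bytes."""
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip):
    """'192.168.1.2' -> 4 raw bytes."""
    return bytes(int(part) for part in ip.split("."))


def to_int(text):
    """Parse a filter literal written as hex (0x...) or decimal."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, tcp_flags,
                sport=40000, dport=80):
    """Constructed Ethernet + IPv4 (no options) + TCP header, no payload.
    Checksums stay zero; the sniffer filters never look at them."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"  # EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0, 0, ttl, 6, 0,             # IHL=5, proto 6=TCP
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 0, 0, 5 << 4, tcp_flags,   # data offset 5 words
                      8192, 0, 0)
    return eth + ip + tcp


def header_base(frame, proto):
    """Byte offset where proto's header starts; [] offsets count from here."""
    if proto == "ether":
        return 0
    if proto == "ip":
        return 14                     # after the 14-byte Ethernet header
    ihl = (frame[14] & 0x0F) * 4      # tcp[] starts after the IPv4 header
    return 14 + ihl


def eval_term(frame, m):
    proto, off, length, mask, op, value = m.groups()
    off, length = int(off), int(length) if length else 1
    base = header_base(frame, proto)
    field = int.from_bytes(frame[base + off:base + off + length], "big")
    if mask:
        field &= to_int(mask)
    return field == to_int(value) if op == "=" else field != to_int(value)


def match(frame, expr):
    """True if every 'and'-joined term of the filter matches the frame."""
    for term in re.split(r"\band\b", expr):
        m = TERM.fullmatch(term.strip())
        if m is None:
            raise ValueError(f"unsupported filter term: {term.strip()!r}")
        if not eval_term(frame, m):
            return False
    return True


def source_mac_filter(mac):
    """Split a 6-byte MAC into the 4 + 2 byte terms the cookbook uses."""
    b = mac_bytes(mac)
    return f"(ether[6:4]=0x{b[:4].hex()}) and (ether[10:2]=0x{b[4:].hex()})"


# Constructed sample frame mirroring the cookbook's values: TTL 1, RST set,
# source 192.168.1.2 sent from MAC 00:09:0f:89:10:ea.
SAMPLE = build_frame("00:09:0f:89:10:ea", "00:09:0f:11:22:33",
                     "192.168.1.2", "10.0.0.1", ttl=1, tcp_flags=0x04)

if __name__ == "__main__":
    for f in ("ip[8:1] = 0x01", "(ether[26:4]=0xc0a80102)",
              source_mac_filter("00:09:0f:89:10:ea"),
              "(ether[0:4]=0x00090f89) and (ether[4:2]=0x10ea)",
              "tcp[13] & 4 != 0"):
        print(f"{str(match(SAMPLE, f)):5}  {f}")
```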
If your FortiGate unit has NP2 interfaces that are offloading traffic, this will change the sniffer trace.
Before performing a trace on any NP2 interfaces, you should disable offloading on those interfaces.
Best practices
Here are some tips that will improve your troubleshooting using the packet sniffer.
Enabling the sniffer will consume additional CPU resources. This can be as high as an additional
25 percent of CPU usage on low-end models. Therefore, enabling it on a unit that is already
experiencing excessively high CPU usage can only make the situation worse. If you must
perform a sniff, keep the sniffing sessions short and keep the filter specific.
Use the any interface to sniff all FortiGate unit interfaces. You can use the "any" interface if you
want to confirm that a specific packet is sent and received by different FortiGate interfaces. The
any interface is also useful if you are not sure which interface will send or receive the packet. An
example using the any interface:
The FortiGate unit may not display all packets if too much information is requested. When this
occurs, the FortiGate unit will log the following message once the trace is terminated:
When this occurs, it is possible that what you were attempting to capture was not actually
captured. To avoid this, make the filters more specific, reduce the verbosity level, or
run the sniffer during a lower-traffic period.
The packet timestamps, as displayed by the sniffer, may become skewed or delayed under high
load conditions. This may occur even if no packets were dropped. Therefore, it is not
recommended that you rely on these values in order to troubleshoot or measure performance
issues that require absolute precise timing.
Short Ethernet frames sent by the FortiGate unit may appear to be under the minimum length of
64 bytes (also known as runts) and will not be displayed by the sniffer. This is because the sniffer
does not display any Ethernet Trailer/Padding information, although it is sent over the network.
The Ethernet source and/or destination MAC addresses may be incorrect when using the "any"
interface. They may be displayed as all zeros (00:00:00:00:00:00) or 00:00:00:00:00:01.
Try to always include ICMP in the sniffer filter. You may capture an ICMP error message that can
help identify the cause of the problem. For example:
diag sniffer packet wan1 'tcp port 3389 or icmp' 3
If you are sniffing VLAN packets, you cannot have any filter configured if you want to see the
VLAN tags. For example, diag sniffer packet wan1 icmp will not show the tags, whereas
diag sniffer packet wan1 will.
Creating, saving, and using packet capture filters (sniffing packets from the web-based manager)
Solution
Packet capturing or packet sniffing through the web-based manager is a new feature for FortiOS 4.0
MR3 Patch 2. From the web-based manager you can go to System > Configure > Advanced and
under Packet Capture select Create New to create and save packet capture filters. Packet capture
filters contain saved packet sniffer settings that define the packets to capture.
You can start a packet capture filter any time you want to capture the packets defined in the
filter. Results of running a packet capture filter can be downloaded to your computer for viewing and
analysis as a pcap file. The pcap file contains complete details about the packets captured, including
packet content. To read a pcap file, open it with an application that can read pcap files, for example,
tcpdump or Wireshark.
Capturing HTTP packets on the Internal interface
The following filter captures 100 HTTP packets (destination port 80) received at the FortiGate internal
interface with destination address 66.171.121.34, from any source address on the 192.168.1.0/24
network, and with any source port.
1
Go to System > Config > Advanced > Packet Capture, select Create New and create a packet
capture filter to capture HTTP packets sent and received by the internal interface from an IP
address on the 192.168.1.0 network to IP address 66.171.121.34:
Select OK.
Interface: internal
Packets to capture: 100
Source Address: 192.168.1.0/24
Source Port(s):
Destination Address: 66.171.121.34/24
Destination Port: 80
Protocol: TCP
Further options: Disable, Disable
Start capturing packets by selecting the packet capture filter and selecting Start.
You can also Edit the packet capture filter and select Start Capture.
To download captured packets, stop the packet capture if it's still running, select the packet capture
filter, select Download, and open or save the downloaded sniffer-internal.pcap file. (The
filename includes the interface name specified in the filter.)
The packets in the pcap file do not include the FortiGate interface name. In this example all of the
packets are received and sent by the internal interface. If you set the Interface to ANY, however,
the pcap file will contain packets from any FortiGate interface. You can use the hardware address to
determine which FortiGate interface received or sent the packet.
Under Packet Capture, select Create New and create a packet capture filter to capture all HTTP
packets sent or received by any interface:
Interface: any
Packets to capture: 100
Source Address: 0.0.0.0/0.0.0.0
Source Port(s):
Destination Address: 0.0.0.0/0.0.0.0
Destination Port: 23
Protocol: ALL
Further options: Disable, Disable
Select OK.
Start capturing packets by selecting the packet capture filter and selecting Start.
You can also Edit the packet capture filter and select Start Capture.
To download captured packets, stop the packet capture if it's still running, select the packet capture
filter, select Download, and open or save the downloaded sniffer-any.pcap file.
View the downloaded pcap file with a pcap file viewer such as Wireshark.
The first line below shows a packet with source address 192.168.1.110 and destination address
172.20.120.101 sent by a PC. The second line shows the same packet with its source address
changed to 172.20.120.14 exiting the FortiGate wan1 interface.
This packet capture filter may capture many more packets than the ones you are looking for. You
can reduce the number of packets captured by specifying the source and destination addresses of the
packets that you are interested in.
Solution
FortiGate units have built-in diagnose debug commands that can be used to debug the operation
of any FortiGate software system by displaying debug messages on the CLI console as the system
operates. When you find the problem you can correct the configuration and run the diagnose
debug command again to verify that the system now operates correctly.
Before performing any debugging, you should connect to the FortiGate CLI with a terminal program
that supports storing the output to a file for later reference. If you do not save the output to a file,
you will miss valuable debugging information.
Keep in mind that debugging consumes system resources and may affect performance. In most
cases this will not be a problem, but if your FortiGate unit is running at 100 percent resource usage
already, it is likely that running the debug application will cause the FortiGate unit to drop more
packets or sessions, and generally increase its overloaded behavior. The worst is when you are
sniffing packets, which can use 10 percent or more of the system resources.
To use the diagnose debug commands you must check the current debug configuration, enable
debugging, select a software system for which to display debugging information, collect and analyze
the results, and stop displaying debugging information. In general you can follow this command
sequence:
diagnose debug info
diagnose debug <software-system> <debug-level>
diagnose debug enable
diagnose debug disable
diagnose debug report
Fortinet support may ask you to run this command and send them the output.
This is an exhaustive report that runs many different diagnose commands to gather a large amount
of information. It may take up to 20 minutes to run on a FortiGate unit with a complex configuration
and may temporarily affect system performance.
Example diagnose debug procedure for an SSL VPN portal
This procedure describes typical steps for displaying debug information for the SSL VPN
configuration described in Setting up remote web browsing for internal sites through SSL VPN on
page 301. You can use similar steps to display debug info for many other software systems.
1
disable
This is a good command to run first, so you know what filters are in place and so on; otherwise,
you may start debugging and wonder why the output is not what you expected. The output
above indicates that debug output is disabled, so debug messages are not displayed. The output
also indicates that debugging has not been enabled for any software system.
2
Enter the following command to display debug messages for SSL VPN.
diagnose debug application sslvpn -1
This command enables debugging of SSL VPN with a debug level of -1. The -1 debug level
produces detailed results.
You can view all the debug options by entering diagnose debug ? or diagnose debug
application ?
3
This output verifies that SSL VPN debugging is enabled with a debug level of -1.
4
Log into the SSL VPN portal. The CLI displays debug messages similar to the following.
diagnose debug enable
Just the first few messages are shown for an SSL VPN user connecting to the portal from IP
address 172.20.120.12. The messages show the connection being accepted and SSL VPN
negotiation taking place.
You can view and analyze the debug messages or save them to a text file using your terminal
program.
Enter the following command to stop displaying debug messages:
If there is a lot of output scrolling by quickly, you may not be able to see the command as you
enter it.
Debugging authentication
Any time a FortiGate unit authenticates a user, the authd daemon is responsible. This is true if the
user is logging in through SSL VPN, connecting over IPsec VPN from FortiClient, and even if
certificates are involved. You can use the following command to debug authentication:
diagnose debug application authd -1
diagnose debug enable
authd_http.c:1910 authd_http_connect: called
authd_http.c:3071 authd_http_change_state: called
change state to: 3
authd_http.c:1112 authd_http_read: called
authd_http.c:2383 authd_http_wait_req: called
authd_http.c:2443 authd_http_read_req: called
authd_http_common.c:276 authd_http_read_http_message: called
authd_http_common.c:229 authd_http_is_full_http_message: called
authd_http.c:4899 authd_http_on_method_get: called
authd_http.c:2098 authd_http_check_auth_action: called
authd_http.c:3071 authd_http_change_state: called
change state to: 2
The output shows the messages the authentication daemon is receiving and the resulting state
changes. This authentication session was between a FortiGate unit and FortiClient during an IPsec
VPN session setup.
Debugging IPsec VPN
You can use the diag debug application ike -1 command to display all the VPN-related
traffic, especially the initial negotiations. This gives you the information needed to find and fix
errors that you would otherwise only be guessing at.
This is very useful if you want to test some new URL filter patterns. The following sample output from
this set of commands for a group of URLs that you have included in the UTM Web Filtering Advanced
Filtering list, such as *.ro, would appear as:
msg="received a request /tmp/.proxyworker000_0_0.url.socket, addr_len=38: d=www.example.ro:80,
id=22, vfid=0, type=0, client=10.10.80.110, url=/favicon.ico"
Checking urlfilter list 4
Url filter deny action
This output shows one attempt to browse to http://www.example.ro, which is a match to the
blocked *.ro sites. From this output, we can see the URL, who was going there (the client IP address
of 10.10.80.110), and the action - URL filter deny action. It is good to note that the ID number will
increment by one for each message matched like this. From this information, we now know the *.ro
URL filter is working properly for a client on the 10.10.80.0 subnet.
Debugging packet flow
You can use the diag debug flow command to show packet flow through the FortiGate unit. As
packets are received, you can view debug messages to show how the FortiGate unit processes
them. For more information, see Verifying that traffic is accepted by a security policy on page 196.
To find out more information about diagnose command options, enter the command followed by a ?,
for example, diagnose debug application ?
Display detailed debugging information for FortiGate software systems. For
example:
diagnose debug application ike -1
diagnose debug enable
diagnose debug flow show console enable
diagnose debug flow filter add 10.10.20.30
diagnose debug flow trace start 100
debug info
Display throughput information for the firewall broken down by both packets
and bytes. Categories include common applications such as DNS, FTP, IM,
P2P, and VoIP and also includes the lower level protocols TCP, UDP, ICMP,
and IP.
fortitoken drift
Display the drift for each configured FortiToken registered on the FortiGate
unit.
hardware certificate
Verify all FortiGate unit certificates. For each certificate the name, test
performed and the results are listed.
Display all disks in the FortiGate unit. This includes hard disks, and SSD disks.
The information includes partitions, size, type, and available space.
Display information about the network card attached to the interface. The
information displayed varies by the type of NIC. It will include the VLAN ID,
state, link, speed, and counts for received and transmitted packets and bytes. The
MAC for this NIC is shown as Current_HWaddr and Permanent_HWaddr, and this is the only
place you can see both the old and new MAC when it has been changed.
Display statistics for URL filters. This includes number of requests, responses,
pending responses, errors, timeouts, blocked, and allowed.
Display the information from the bridging table in the FortiGate unit. This is
useful when troubleshooting transparent mode. Once you have the bridge
names, you can check their forwarding domain using diag netlink brctl
domain <bridge_name>.
Capture packets on any FortiGate interface that are on port 80, commonly
used by HTTP. Verbosity level 4 displays packet header information and
interface names. You can use this information to test security policies, network
connections, or find where missing packets are going. See Troubleshooting
by sniffing packets (packet capture) on page 125.
Display details about the session table including its size, the sessions in each
state, errors, and other statistics.
test log
Generate default log messages. This allows you to test logging features such
as remote log server connections. See Creating a backup log solution on
page 377.
Display information about the update daemon including the last set of
messages from the update daemon, the current object versions, the next
scheduled updates, and counters for various updates for pass, fail, and retry.
Display all configured IPsec VPN tunnels in the current VDOM. This is useful to
compare settings on both ends of a tunnel that is having problems.
WiFi Networking
FortiOS WiFi networking provides a wide range of capabilities for integrating wireless networks into
your organization's network architecture. Each WiFi network or SSID is represented by a virtual
network interface to which you apply security policies, UTM features, traffic shaping, and so on, in
the same way as for physical wired networks.
You can create multiple WiFi networks to serve different groups of users. For example, you might
want one network for your employees and another for guests or customers. Also, with the increase in
use of smartphones, tablets and other mobile devices that use WiFi technology, wireless networks
are becoming busier than ever and have to accommodate a broad range of wireless client devices,
each with their own strengths and limitations. You may also want to accommodate these devices and
technologies on multiple overlapping wireless networks. These networks could differ greatly in the
access they provide to other networks, as well as the authentication, access control, and UTM
features they apply.
A network that requires only one WiFi access point is easily created with a FortiWiFi unit operating as
a single thick AP. A thick AP such as a FortiWiFi unit contains the WiFi radio facility as well as access
control and authentication functionality.
A thin AP, such as a FortiAP unit, contains only the radio facility and a microcontroller that receives
commands and exchanges data with a WiFi controller. If you already have a FortiGate unit, adding a
FortiAP unit as a thin AP managed by the FortiGate unit operating as a WiFi controller is a cost-effective solution for adding WiFi to your network.
The FortiOS WiFi controller feature is available on both FortiGate and FortiWiFi units. A FortiWiFi
unit's WiFi controller also controls the unit's internal (Local WiFi) radio facility, treating it much like a
built-in thin AP. Whenever multiple APs are required, a single FortiGate or FortiWiFi unit controlling
multiple FortiAP units is best. A network of multiple thick APs would be more expensive and more
complex to manage.
This chapter includes the following WiFi networking examples:
[Figure: a FortiWiFi unit serving the wireless network and the internal network]
Solution
Watch the video: http://docs.fortinet.com/cb/wifi2.html
Configure a WiFi network on your FortiWiFi unit. Use DHCP to assign up to 10 IP addresses to office
WiFi users, as most mobile devices are preconfigured to use DHCP. Use WPA2 security. As there is
no authentication in place for the wired network and this is a small team in one place, WPA2-Personal
security is appropriate.
There will be one preshared key that users must know to access the WiFi network. Create security
policies to enable the WiFi network to access both the office network and the Internet.
This solution assumes an area that can be covered by a single FortiWiFi. You can extend the
coverage area by connecting FortiAP units and adding the our_wifi SSID to them.
Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
network:
Interface Name: wifi
IP/Netmask: 10.10.10.1/255.255.255.0
SSID: our_wifi
Address Range (DHCP): 10.10.10.10-10.10.10.19
Netmask: 255.255.255.0
Default Gateway: Same as Interface IP
DNS Server:
Security Mode: WPA/WPA2-Personal
Data Encryption: AES
Pre-shared Key: justforus
Select OK.
Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select
Enable WiFi Radio.
Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network security
policy that allows WiFi users to access the office network.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each
other.
Select Create New to add a WiFi-to-Internet security policy that allows WiFi users to access the
Internet.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select OK.
Results
On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Enter the
justforus preshared key when prompted. Verify that you can connect to servers on your office
network. Verify that you can connect to the Internet.
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that
are connected to your WiFi network.
If you want a more secure authentication method, see Improving WiFi security with WPA-Enterprise security on page 155, which requires users to log on instead of using the preshared key.
[Figure: a FortiGate unit with a FortiAP unit on port3, serving the wireless network and the internal network]
Solution
Watch the video: http://docs.fortinet.com/cb/wifi3.html
Set up a WiFi network with WPA-Personal authentication.
Using the WiFi Controller feature on your FortiGate unit, configure a WiFi network. Then connect a
FortiAP unit and authorize it to carry your WiFi network.
On your WiFi network, use DHCP to assign IP addresses to WiFi users, as most mobile devices are
preconfigured to use DHCP. Use WPA2 security. As there is no authentication in place for the wired
network and this is a small team in one place, WPA2-Personal security is appropriate. There will be
one preshared key that users must know to access the WiFi network. Create security policies to
enable the WiFi network to access both the office network and the Internet.
Configure port3, an unused network interface on the FortiGate unit, to connect to the FortiAP unit.
Connect the FortiAP unit to the port3 interface and wait for it to be discovered. Authorize the FortiAP
unit.
Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
network:
Interface Name: wifi
IP/Netmask: 10.10.10.1/255.255.255.0
SSID: our_wifi
Address Range (DHCP): 10.10.10.10-10.10.10.19
Netmask: 255.255.255.0
Default Gateway: Same as Interface IP
DNS Server:
Security Mode: WPA/WPA2-Personal
Data Encryption: AES
Pre-shared Key: justforus
Select OK.
Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network policy
that allows WiFi users to access the office network.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each
other.
Select Create New to add a WiFi-to-Internet policy that allows WiFi users to access the Internet.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select OK.
Configure a FortiGate interface to connect to the FortiAP unit and connect the devices
1
Go to System > Network > Interface and Edit the port3 interface:
Addressing Mode: Manual
IP/Netmask: 192.168.8.1/255.255.255.0
Reserve IP for FortiAP connection: 192.168.8.2 - 192.168.8.9
The Reserve IP for FortiAP connection setting automatically configures a DHCP server to assign
an IP address to the FortiAP unit. The FortiGate unit uses these IP addresses to communicate with
the FortiAP unit.
3
Use an Ethernet cable to connect port0 (also the ETH port) on the FortiAP unit to port3 on the
FortiGate unit and power up the FortiAP unit.
On the FortiGate web-based manager, go to WiFi Controller > Managed Access Points >
Managed FortiAP. Select Refresh every ten seconds or so until the FortiAP unit is listed.
If the FortiAP is not listed under Managed FortiAP after two minutes:
Check that port0 (ETH) on the FortiAP unit is connected to port3 on the FortiGate unit.
On the FortiGate unit, go to System > Monitor > DHCP Monitor to see whether the FortiAP
unit is assigned an IP address lease.
See also Using the FortiGate packet sniffer to view the FortiAP discovery process in the
Results section.
Select Authorize.
Ensure that Enable WiFi Radio is selected and then select OK.
This solution assumes an area that can be covered by a single FortiAP. You can extend the
coverage area by connecting and authorizing additional FortiAP units and adding the our_wifi SSID
to them.
Results
On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Enter the
justforus preshared key when prompted. Verify that you can connect to servers on your office
network. Verify that you can connect to the Internet.
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that
are connected to your WiFi network.
Using the FortiGate packet sniffer to view the FortiAP discovery process
The FortiGate unit's built-in packet sniffer can help you to view the discovery process if you
experience difficulty in getting the FortiGate unit to recognize the FortiAP unit. Use the CLI command
diagnose sniffer packet port3 none 4 to capture packets entering or leaving the FortiGate
port3 interface to which the FortiAP unit is connected. Packet headers will be shown. For more
information about using the sniffer, see Troubleshooting by sniffing packets (packet capture) on
page 125.
The FortiAP unit uses several methods to find a WiFi controller. Here are some examples of the
request packets you should see, possibly repeated several times before a response is received and
processed:
Broadcast DHCP request:
port3 -- 0.0.0.0.68 -> 255.255.255.255.67: udp
This DHCP client request should reach the DHCP server configured on port3. The server response
looks like this:
port3 -- 192.168.8.1.67 -> 192.168.8.2.68: udp
The FortiAP unit is assigned the IP address 192.168.8.2. It will then communicate with the WiFi
controller on 192.168.8.1 using the CAPWAP control port 5246.
Multicast WiFi controller discovery request:
port3 -- 192.168.8.2.5246 -> 224.0.1.140.5246: udp
Note that this request is on the CAPWAP control port, 5246. The multicast IP address on the FortiAP
unit and the WiFi controller is reconfigurable and must agree. The WiFi controller responds directly to
the FortiAP unit in unicast on port 5246.
Broadcast WiFi controller discovery request:
port3 -- 192.168.8.2.5246 -> 255.255.255.255.5246: udp
This request on the CAPWAP control port 5246 should get a response from the WiFi controller at
192.168.8.1 on port 5246.
ARP request packet and response packets:
port3 -- arp who-has 192.168.8.2 tell 192.168.8.1
port3 -- arp reply 192.168.8.2 is-at 0:9:f:d6:b9:71
ARP who-has packets occur frequently. The ARP reply packet containing your FortiAP unit's wired
MAC address confirms that the unit has successfully obtained an IP address.
Ongoing communication between FortiAP unit and WiFi controller:
The discovery process should be complete now, with the FortiAP unit listed in the Managed FortiAP
list, ready for you to authorize. Routine control channel communications back and forth look like this:
port3 -- 192.168.8.2.5246 -> 192.168.8.1.5246: udp
port3 -- 192.168.8.1.5246 -> 192.168.8.2.5246: udp
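As an added example (not from the cookbook), the following Python script reads sniffer lines in the form shown above, tags each with the discovery stage it belongs to, and reports which stage is missing when discovery stalls. The sample capture is constructed from the lines above, and the hint wording is the example's own, based on the checks this recipe describes.

```python
"""Classify FortiGate sniffer output from the FortiAP discovery process.

Reads lines like 'port3 -- src.port -> dst.port: udp' (as printed by
'diagnose sniffer packet port3 none 4'), tags the DHCP, CAPWAP (UDP 5246)
and ARP steps, and reports whether the controller answered the FortiAP unit.
"""
import re

CAPWAP_CONTROL_PORT = 5246
CAPWAP_MULTICAST = "224.0.1.140"
BROADCAST = "255.255.255.255"

# Verbosity-4 output may carry a leading numeric timestamp; it is optional here.
UDP_LINE = re.compile(
    r"^(?:[\d.]+\s+)?(?P<iface>\S+) -- (?P<src>[\d.]+)\.(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): udp")
ARP_REQUEST = re.compile(
    r"^(?:[\d.]+\s+)?(?P<iface>\S+) -- arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
ARP_REPLY = re.compile(
    r"^(?:[\d.]+\s+)?(?P<iface>\S+) -- arp reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]+)")


def classify(line):
    """Return (stage, fields) for a line of the discovery exchange, else None."""
    m = UDP_LINE.match(line)
    if m:
        f = m.groupdict()
        sport, dport = int(f["sport"]), int(f["dport"])
        if sport == 68 and dport == 67:
            return "dhcp_request", f
        if sport == 67 and dport == 68:
            return "dhcp_reply", f
        if sport == CAPWAP_CONTROL_PORT and dport == CAPWAP_CONTROL_PORT:
            if f["dst"] == CAPWAP_MULTICAST:
                return "capwap_discovery_multicast", f
            if f["dst"] == BROADCAST:
                return "capwap_discovery_broadcast", f
            return "capwap_control", f          # unicast control channel
        return None
    m = ARP_REQUEST.match(line)
    if m:
        return "arp_request", m.groupdict()
    m = ARP_REPLY.match(line)
    if m:
        return "arp_reply", m.groupdict()
    return None


def summarize(lines):
    """Walk the capture and collect what the discovery exchange shows."""
    info = {"stages": [], "ap_ip": None, "controller_ip": None,
            "ap_mac": None, "control_directions": set()}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        stage, f = hit
        if stage not in info["stages"]:
            info["stages"].append(stage)
        if stage == "dhcp_reply":             # server -> AP: lease handed out
            info["controller_ip"], info["ap_ip"] = f["src"], f["dst"]
        elif stage == "arp_reply":            # the AP's wired MAC answering
            info["ap_mac"] = f["mac"]
        elif stage == "capwap_control":
            info["control_directions"].add((f["src"], f["dst"]))
    # Complete once the controller answers the AP in unicast on port 5246.
    info["discovery_complete"] = any(
        src == info["controller_ip"] for src, _ in info["control_directions"])
    return info


def hint(info):
    """Which check to do next, based on what the capture lacks (example wording)."""
    if "dhcp_reply" not in info["stages"]:
        return ("no DHCP lease seen: check the cable to port3 and the "
                "'Reserve IP for FortiAP connection' range (DHCP Monitor)")
    if not info["discovery_complete"]:
        return ("AP is sending CAPWAP discovery on UDP 5246 but no unicast "
                "controller reply was seen: check that the multicast discovery "
                "address agrees on the FortiAP unit and the WiFi controller")
    return ("discovery complete for AP %s (%s): authorize it under "
            "Managed FortiAP" % (info["ap_ip"], info["ap_mac"]))


# Constructed sample capture: the lines the cookbook shows for a working exchange.
SAMPLE_CAPTURE = """\
port3 -- 0.0.0.0.68 -> 255.255.255.255.67: udp
port3 -- 192.168.8.1.67 -> 192.168.8.2.68: udp
port3 -- 192.168.8.2.5246 -> 224.0.1.140.5246: udp
port3 -- 192.168.8.2.5246 -> 255.255.255.255.5246: udp
port3 -- arp who-has 192.168.8.2 tell 192.168.8.1
port3 -- arp reply 192.168.8.2 is-at 0:9:f:d6:b9:71
port3 -- 192.168.8.2.5246 -> 192.168.8.1.5246: udp
port3 -- 192.168.8.1.5246 -> 192.168.8.2.5246: udp
""".splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE_CAPTURE)
    print(result["stages"])
    print(hint(result))
```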
[Figure: a FortiWiFi unit and the internal network]
Solution
Watch the video: http://docs.fortinet.com/cb/wifi1.html
Create user accounts and a wifi_users user group on the FortiWiFi unit. Modify your SSID to use
WPA/WPA2-Enterprise security and authenticate users who belong to the wifi_users group. There is
no longer a pre-shared key that could fall into the wrong hands or would need to be changed if
someone left the group. Each user has an individual user name and password. Accounts can be
added or removed as needed.
Create WiFi network user accounts
1
Go to User > User > User and select Create New to create a user account:
User Name: wloman
Password: my_secure_pwd
If your employees already have user accounts on the FortiWiFi or FortiGate unit, you can skip this
step and use the existing accounts.
Go to User > User Group > User Group and select Create New to create a user group:
Name: wifi_users
Type: Firewall
Members:
Select OK.
Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
network:
Interface Name: wifi
IP/Netmask: 10.10.10.1/255.255.255.0
SSID: our_wifi
Address Range (DHCP): 10.10.10.10-10.10.10.100
Netmask: 255.255.255.0
Default Gateway: Same as Interface IP
DNS Server:
Security Mode: WPA/WPA2-Enterprise
Data Encryption: AES
Authentication: Usergroup
Usergroup: wifi_users
Select OK.
Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select
Enable WiFi Radio.
Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network
security policy that allows WiFi users to access the office network.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each
other.
2
Select Create New to add a WiFi-to-Internet security policy that allows WiFi users to access the
Internet.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select OK.
Results
On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Unlike
WPA/WPA2-Personal you will be prompted to enter your user name and password. Enter wloman as
the user name and my_secure_pwd as the password. Once you have been authenticated, verify that
you can connect to servers and other resources on your office network. Also verify that you can
connect to the Internet.
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that
are connected to your WiFi network.
[Figure: a FortiWiFi unit, with a FortiAuthenticator unit reached through port3, serving the wireless network and the internal network]
Solution
Set up a FortiAuthenticator unit as a RADIUS server and use WPA-Enterprise authentication for your
WiFi network.
On the FortiAuthenticator unit, you need to create a user group with a user account for each
employee. Register the FortiWiFi unit as a Network Access Server (NAS) so that it can request user
authentication.
Create user accounts on the FortiAuthenticator unit
1
Go to Authentication > Users > Users and select Create New to create a user account:
Username: wloman
Password: my_secure_pwd
Password confirmation: my_secure_pwd
Go to Authentication > NAS > NAS and select Create New. Enter the following information
about the FortiWiFi unit:
Name: FortiAP1
Server Name / IP: 172.20.120.132
Secret: hardtoguess (You will also enter this Secret on the FortiWiFi unit.)
Go to User > Remote > RADIUS and select Create New to add the FortiAuthenticator unit as a
RADIUS server.
Name: facRADIUS
Type: Query
Server Name / IP: 172.20.120.53
Secret: hardtoguess (This is the same Secret that you entered on the FortiAuthenticator unit.)
Go to User > User Group > User Group and create a user group with facRADIUS as its only
member:
Name: wifi-user-grp
Type: Firewall
Members: facRADIUS
Group Name: Any
Create the SSID and enable the WiFi radio on the FortiWiFi unit
1
Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
network:
Interface Name: wifi
IP/Netmask: 10.10.10.1/255.255.255.0
SSID: our_wifi
Address Range (DHCP): 10.10.10.10-10.10.10.210
Netmask: 255.255.255.0
Default Gateway: Same as Interface IP
DNS Server:
Security Mode: WPA/WPA2-Enterprise
Data Encryption: AES
Authentication:
Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select
Enable WiFi Radio.
Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network policy
that allows WiFi users to access the office network.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are
visible to each other.
Select Create New to add a WiFi-to-Internet policy that allows WiFi users to access the Internet.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select OK.
Results
On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. You should be
asked for your user name and password. After entering valid credentials, you should have access to
the office network and the Internet.
[Figure: wireless network, FortiAP unit, FortiGate unit, internal network on port3]
Solution
Watch the video: http://docs.fortinet.com/cb/wifi4.html
Set up a captive portal configuration that intercepts connections to the wireless network and displays a portal on wireless clients' devices. Users must authenticate with the portal to get access to the wireless network.
To configure the portal, you must create a user group with a user account for each employee and create a WiFi network with captive portal authentication. A captive portal appears to be an open WiFi access point, allowing any WiFi device to connect. On the first attempt to connect to a web site, the captive portal presents a web page that requests the user's logon credentials, which must match credentials in the user group.
Go to User > User > User and select Create New to create a user account:
User Name: wloman
Password: my_secure_pwd
If your employees already have user accounts on the FortiWiFi or FortiGate unit, you can skip this
step and use the existing accounts.
Go to User > User Group > User Group and select Create New to create a user group:
Name: wifi_users
Type: Firewall
Members
Select OK.
Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
network:
Interface Name: wifi
IP/Netmask: 10.10.10.1/255.255.255.0
SSID: our_wifi
IP Range: 10.10.10.10-10.10.10.210
Netmask: 255.255.255.0
Default Gateway: Same as Interface IP
DNS Server
Security Mode: Captive Portal
User Groups: wifi_users
Select OK.
Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select
Enable WiFi Radio.
Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network policy that allows WiFi users to access the office network.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each
other.
Select Create New to add a WiFi-to-Internet policy that allows WiFi users to access the Internet.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select OK.
Results
On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Your device
should connect quickly because no password is required at this stage.
Some mobile devices display the Fortinet Terms and Disclaimer Agreement portal as soon as you connect to the SSID. Some devices only display the portal when you open a web browser and attempt to connect to an Internet destination.
Select the I accept... check box below the Agreement text to indicate that you agree. Enter wloman as Username and my_secure_pwd as Password, then select Continue.
Your requested web site should then be displayed and you can otherwise use the WiFi network. You can continue browsing until your authentication times out. Then, you will have to accept the disclaimer and re-enter your logon credentials.
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that
are connected to your WiFi network.
In User > Monitor > Firewall, you can see the authenticated captive portal user:
[Figure: FortiWiFi unit with software switch interface combo_lan (10.10.10.1) joining port1 and the wireless network; software switch network 10.10.10.0 255.255.255.0; internal network]
Solution
Watch the video: http://docs.fortinet.com/cb/wifi5.html
Create a software switch interface with the internal LAN interface and WiFi network virtual interfaces
as members.
A software switch interface can only include physical and WiFi interfaces. Before adding an
interface to a software switch interface you must delete all configuration objects that use that
interface. This includes factory default security policies and DHCP server configurations.
Create the SSID and enable the WiFi radio
Go to WiFi Controller > WiFi Network > SSID and select Create New to add the SSID to be
added to the software switch:
Interface Name: wifi
SSID: our_wifi
There is no need to specify an IP address for the SSID because the IP address of the software
switch interface will be used. Also, you should disable the DHCP server for the SSID since you will
add one later for the software switch interface.
Security Mode: WPA/WPA2-Personal
Data Encryption: AES
Pre-shared Key: justforus
Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select Enable WiFi Radio.
You can extend the coverage area by connecting FortiAP units and adding the our_wifi SSID to
them.
Go to System > Network > Interface and select Create New to add the software switch:
Name: combo_lan
Type: Software Switch
Physical Interface Members: wifi, port1
Addressing Mode: Manual
IP/Netmask: 10.10.10.1/255.255.255.0
Go to System > Network > DHCP Server and select Create New to add a DHCP server for the
devices on the wired and wireless networks connected to the software switch:
Interface Name: combo_lan
Mode: Server
Enable: Selected
Type: Regular
IP: 10.10.10.2-10.10.10.199
Network Mask: 255.255.255.0
Default Gateway: 10.10.10.1
DNS Service
Select OK.
Go to Policy > Policy > Policy to create the security policy that enables users connected to the
software switch to connect to the Internet.
Source Interface/Zone: combo_lan
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Results
Configure the devices on the internal network to get their IP addresses using DHCP and renew their
leases if required. They should all have IP addresses on the 10.10.10.0/255.255.255.0 network.
On your laptop or mobile device, look for the our_wifi SSID and attempt to connect. Enter the
justforus preshared key when prompted. Wireless devices should also acquire IP addresses in the
10.10.10.0/255.255.255.0 network.
Verify that you can connect to servers on your office network from mobile devices and verify that you
can connect to the Internet.
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that
are connected to your WiFi network.
You can also go to System > Monitor > DHCP Monitor to view information about all the address
leases for both wired and wireless clients.
[Figure: FortiWiFi unit between the wireless network and the internal network, with the DHCP server 192.168.1.101 on the internal network]
Solution
When you configure the SSID (WiFi network), don't configure a DHCP server. On the WiFi interface, specify a DHCP relay to the company's DHCP server. Check your security policies to ensure that DHCP packets can pass through the FortiGate unit from the WiFi network to the LAN where the DHCP server resides.
This example shows a FortiWiFi-based network with WPA/WPA2-Personal security. You can also
apply this DHCP configuration to WiFi networks with other security settings and to WiFi networks
based on FortiAP units.
Create the SSID and enable the WiFi radio
Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
network:
Interface Name: wifi
IP/Netmask: 10.10.10.1/255.255.255.0
SSID: our_wifi
Security Mode: WPA/WPA2-Personal
Data Encryption: AES
Pre-shared Key: justforus
Select OK.
Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select Enable WiFi Radio.
Go to System > Network > DHCP Server, select Create New and enter the following settings to
configure the WiFi interface to support DHCP relay:
Interface Name: wifi
Mode: Relay
Type: Regular
DHCP Server IP: 192.168.1.101
Go to Policy > Policy > Policy and select Create New to add a WiFi-to-Office network security policy that allows WiFi users to access the office network:
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Source NAT is not required for this policy since the WiFi and internal networks are visible to each
other.
The default ANY service accepts DHCP sessions. If you make a more restrictive policy, make sure
that DHCP sessions are allowed.
If the DHCP server that you will use is not on the office network, you will also need a policy to allow DHCP traffic to pass from the DHCP server's network to the WiFi network.
Select Create New to add a WiFi-to-Internet security policy that allows WiFi users to access the Internet.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select OK.
Results
On your mobile device, look for the our_wifi SSID and attempt to connect. Enter the justforus
preshared key when prompted. Once you are connected, verify that you can connect to servers on
your office network, and to the Internet.
You can go to WiFi Controller > Monitor > Client Monitor to view information about the clients that
are connected to your WiFi network.
If the Auth column shows Pass, but the IP column shows 0.0.0.0, the DHCP Relay configuration isn't working. Check the following:
Does the wifi-to-wan1 policy allow DHCP service to pass? (ANY service includes DHCP.)
Does the DHCP server have a route to the WiFi network? To check this, add a temporary wan1-to-wifi policy and ping the WiFi network gateway from the DHCP server.
Is the DHCP server configured to provide IP addresses for your WiFi network's subnet? A complete configuration includes the default route and DNS server addresses.
The normal DHCP sequence as seen in the servers log messages looks like this:
dhcpd: DHCPDISCOVER from 00:23:4e:52:fd:6f via 10.10.10.1
dhcpd: DHCPOFFER on 10.10.10.10 to 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1
dhcpd: DHCPREQUEST for 10.10.10.10 (192.168.1.101) from 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1
dhcpd: DHCPACK on 10.10.10.10 to 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1
Repeated DHCPDISCOVER and DHCPOFFER messages with no DHCPACK response suggest that
these messages are not reaching the client.
It is also normal to see a DHCPREQUEST message for an IP address that was not offered in a prior DHCPOFFER message. Many clients automatically request the IP address that they used previously. If this IP address is acceptable to the server, it will issue a DHCPACK message immediately.
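The message shapes and the two reading rules just given, applied to a constructed dhcpd log as an added example that is not part of the cookbook; the first client's lines are the ones quoted above, the other MAC addresses and the second relay address are made up for the test.

```python
"""Read the dhcpd messages described above and classify each client's exchange.

Added example, not from the Fortinet cookbook: it parses the four dhcpd
message shapes quoted in the text and applies the two rules given there
(repeated DISCOVER/OFFER with no ACK means the offers are not reaching the
client; a REQUEST for an address that was never offered is normal lease
reuse). The log excerpt below is constructed: the first client's lines are
the ones quoted on the page, the other MAC addresses are made up.
"""
import re
from collections import defaultdict

# One pattern per dhcpd message shape quoted in the text.
_PATTERNS = (
    ("DISCOVER", re.compile(r"DHCPDISCOVER from (?P<mac>[0-9a-f:]{17}) via (?P<relay>\S+)")),
    ("OFFER", re.compile(r"DHCPOFFER on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})")),
    ("REQUEST", re.compile(r"DHCPREQUEST for (?P<ip>\S+) (?:\(\S+\) )?from (?P<mac>[0-9a-f:]{17})")),
    ("ACK", re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17})")),
)


def parse_line(line):
    """Return (message type, fields) for a known dhcpd line, else None."""
    for name, rx in _PATTERNS:
        m = rx.search(line)
        if m:
            return name, m.groupdict()
    return None


def classify_clients(lines, relay_ip):
    """Summarise the exchange per client MAC address.

    Returns {mac: (status, notes)}; status is one of
      "acked"                      the normal DISCOVER/OFFER/REQUEST/ACK sequence completed
      "offers-not-reaching-client" repeated DISCOVER and OFFER, never an ACK
      "incomplete"                 too few messages to decide
    relay_ip is the WiFi interface address the relay should report after "via".
    """
    state = defaultdict(lambda: {"discover": 0, "offer": 0, "ack": False,
                                 "offered": set(), "notes": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg, f = parsed
        st = state[f["mac"]]
        if msg == "DISCOVER":
            st["discover"] += 1
            if f["relay"] != relay_ip:
                st["notes"].append("relayed via %s, expected the WiFi interface %s"
                                   % (f["relay"], relay_ip))
        elif msg == "OFFER":
            st["offer"] += 1
            st["offered"].add(f["ip"])
        elif msg == "REQUEST" and f["ip"] not in st["offered"]:
            # Normal: the client asks for the address it used last time.
            st["notes"].append("requested %s without a prior offer (lease reuse)" % f["ip"])
        elif msg == "ACK":
            st["ack"] = True

    result = {}
    for mac, st in state.items():
        if st["ack"]:
            status = "acked"
        elif st["discover"] >= 2 and st["offer"] >= 2:
            status = "offers-not-reaching-client"
        else:
            status = "incomplete"
        result[mac] = (status, st["notes"])
    return result


# Constructed log excerpt (see the module docstring).
SAMPLE_LOG = """\
dhcpd: DHCPDISCOVER from 00:23:4e:52:fd:6f via 10.10.10.1
dhcpd: DHCPOFFER on 10.10.10.10 to 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1
dhcpd: DHCPREQUEST for 10.10.10.10 (192.168.1.101) from 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1
dhcpd: DHCPACK on 10.10.10.10 to 00:23:4e:52:fd:6f (user1-AOA150) via 10.10.10.1
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.10.10.1
dhcpd: DHCPOFFER on 10.10.10.11 to 00:11:22:33:44:55 via 10.10.10.1
dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via 10.10.10.1
dhcpd: DHCPOFFER on 10.10.10.11 to 00:11:22:33:44:55 via 10.10.10.1
dhcpd: DHCPREQUEST for 10.10.10.42 from 00:aa:bb:cc:dd:ee via 10.10.10.1
dhcpd: DHCPACK on 10.10.10.42 to 00:aa:bb:cc:dd:ee via 10.10.10.1
dhcpd: DHCPDISCOVER from 00:de:ad:be:ef:00 via 192.168.1.1
""".splitlines()

if __name__ == "__main__":
    for mac, (status, notes) in classify_clients(SAMPLE_LOG, "10.10.10.1").items():
        print(mac, status, "; ".join(notes))
```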
[Figure: FortiWiFi unit (wifi, internal network, wan1 to the Internet) with a Windows AD domain controller on the internal network]
Solution
Configure a RADIUS server (Network Policy Server) in Windows Active Directory (AD). Configure your WiFi network with WPA-Enterprise to authenticate users with this Windows RADIUS (NPS) server.
This example assumes that:
You have a Windows AD network which currently uses a RADIUS (NPS) server for authentication.
The server to which the FortiWiFi unit connects is a domain controller with a DNS server, NPS server (same domain), and a certificate authority (CA) installed.
WiFi users have been added to a group called WiFi_users.
Determine the IP address of the RADIUS server before you begin.
In Windows AD, go to Start > Administrative Tools > Network Policy Server.
In the left pane, expand Policies, right-click Network Policies, and select New.
On the Specify Network Policy Name and Connection Type screen, for Policy name enter FortinetWiFi. Leave the Type of network access server as Unspecified and select Next.
On the Specify Conditions screen, select Add. Select Windows Groups and select Add.
In the Select Group dialog, enter WiFi_users. Select Check Names to verify your entry, then select OK.
In the Specify Access Permission window, select Access Granted, then select Next.
In the Configure Authentication Methods window, use the Add button to add PEAP and EAP-MSCHAP v2 to the EAP Types list. Select MS-CHAP-v2 and PAP methods, then select Next.
Select Next until you reach the Completing New Network Policy page, then select Finish.
In the mmc left pane, expand Certificates, right-click Personal, and select All Tasks > Request New Certificate.
In the list of available server roles, select the Active Directory Certificate Services and select
Next twice.
Specify Root CA and select Next. (Selection must match type of CA you are changing from.)
On the Set Up Private Key page, select Next. Keep selecting Next until the Install button is
available, then select Install.
In the left pane, expand RADIUS Clients and Servers. Right-click RADIUS Clients and select
New. Enter the following information:
Enable this RADIUS client: Selected
Friendly name: FortiWiFi_1
Address (IP or DNS): 172.20.120.32
Shared secret: secure_value
Select OK.
Select Connection Request Policies. Right-click the default policy and select Delete.
In the left pane, right-click Connection Request Policies and select New. Enter the following
information:
Policy name: FortiWiFi_1_policy
Type of network access server: Unspecified
Double-click NAS IPv4 Address and add the FortiWiFi unit's IP address: 172.20.120.32.
Select Next. Make sure that Authenticate Requests on this server is selected and then select Next.
Select Add, select Microsoft: Protected EAP (PEAP), and then select OK.
Select the PEAP option in EAP Types and then select Edit.
Check that Certificate Issued has the appropriate CA certificate selected.
Ensure that Enforce Network Access Protection is selected. Select OK.
Select Next. Select Next again. Select Finish.
In the Server Manager left pane, go to Roles > Network Policy and Access > NPS (Local) >
Network Access Protection > System Health Validators.
In the right pane, select Windows Security Health Validator. Select Settings. Double-click
Default Configuration.
Ensure that only A firewall is enabled for all network connections is enabled. Select OK.
In the Network Policy Server, expand Policies, right-click Health Policies, and select New.
Policy name: WiFi_compliant
Policy name (second health policy): WiFi_noncompliant
In the Network Policy Server, expand Policies, right-click Network Policies, and select New.
Select Add. Double-click Windows Groups. Add the WiFi_users group and select OK.
Select Add. Double-click NAS IPv4 Address. Add the FortiWiFi unit IP address and select OK.
Select Add. Double-click Health Policy. Add the WiFi_compliant policy and select OK.
Select Next. Ensure that Access Granted is selected. Select Next three times.
Select Add. Select Enter Vendor Code. Enter the Fortinet vendor code 12356.
Vendor-assigned attribute number
Attribute format: String
Attribute value: WiFi_users
Go to User > Remote > RADIUS. Select Create New, enter the following information and then
select OK:
Name: Win_NPS
Type: Query
Primary Server Name/IP: 172.20.120.2
Primary Server Secret: secure_value
Authentication Scheme
Go to WiFi Controller > WiFi Network > SSID and select Create New to define your wireless
network like this:
Interface Name: wifi
IP/Netmask: 10.10.10.1/255.255.255.0
SSID: our_wifi
IP Range: 10.10.10.10-10.10.10.210
Netmask: 255.255.255.0
Default Gateway: Same as Interface IP
DNS Server
Security Mode: WPA/WPA2-Enterprise
Data Encryption: AES
Authentication
Go to Policy > Policy > Policy to create the security policies that enable WiFi users to connect to
the office network and to the Internet.
WiFi-to-Office network policy
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: port1
Destination Address: all
Enable NAT: Selected
WiFi-to-Internet policy
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Enable NAT: Selected
Go to WiFi Controller > Managed Access Points > Local WiFi Radio and select Enable WiFi Radio.
This solution assumes an area that can be covered by a single FortiWiFi. You can extend the
coverage area by connecting FortiAP units and adding the our_wifi SSID to them.
Results
Verify that WiFi users can authenticate and have access to both the office LAN and the Internet.
Security policies
It is simple to set up a FortiGate unit to allow users on a network to access the Internet while blocking
traffic from the Internet from accessing the protected network. All that is required is a single security
policy that allows traffic from the Internal network to connect to the Internet. As long as you do not
add a security policy to allow traffic from the Internet onto your internal network, your network is
protected.
When a user connects to the Internet, they expect a reply (for example, when you connect to a web
site you expect to see a web page). The same security policy that allows you to connect to the
Internet also allows servers you contact to respond to you. In effect, a single policy allows two-way
traffic, but the incoming traffic is only allowed in response to requests sent by you.
Even though there is no risk of unwanted traffic originating from the Internet getting onto your internal network, users are connecting to the Internet and downloading data. These downloads can sometimes include unwanted items, such as viruses, that make their way through the FortiGate unit to your network. To protect your network from this problem, security policies are also the way to turn on all FortiGate UTM features. For example, users may download a virus when browsing the web or retrieving email. You can protect your network from this danger by adding virus scanning to security policies that allow users to connect to the Internet. All traffic in either direction that is controlled by a security policy that includes virus scanning will be scanned for viruses. The benefit of this approach is that you can apply security features directly to allowed traffic. This also means that you can apply custom security features to each security policy and to each type of traffic allowed through the FortiGate unit. Security features are applied using UTM objects and profiles. You can create as many profiles as you need and mix and match them in a security policy as required.
[Figure: static source NAT between the internal network (192.168.1.0/24, internal interface 192.168.1.99) and the Internet (wan1 172.20.120.14); a packet with source IP 192.168.1.101 leaves wan1 with source IP 172.20.120.14]
For example, it might be acceptable to you to apply only web filtering to the security policy that
allows users on the protected internal network to access web sites on the Internet. If you have a
separate security policy that allows users on the internal network to download and send email, you
could apply virus scanning to this traffic to make sure users cannot download email attachments
containing viruses. In addition you could apply data leak protection to the email traffic to prevent
users from sending confidential email to the Internet.
All of these security features can be added to security policies as you create them. Or once you have
security policies that control traffic patterns you can edit them to add or change security features as
you build up your security requirements or as those requirements change.
FortiGate units include a wide range of pre-defined network services that can be added to security
policies. For example, you can add a security policy that intercepts all HTTP traffic just by adding the
HTTP service to a security policy. Pre-defined services include basic network services such as HTTP,
FTP, TCP, SMTP and more specialized services such as H323 (used for VoIP and media), MMS (the
multimedia messaging service used by mobile phones) and so on. You can also easily create custom
services if your network uses network services that are not in the FortiGate pre-defined services list.
You must add at least one service to a security policy. You can also add multiple services to a single security policy if you want the policy to apply to multiple traffic types. The ANY pre-defined service accepts traffic using any network service.
Firewall schedules control when security policies are active. The default always schedule does not restrict when a policy is active. You can limit when a policy is active by adding schedules defining the time for which the policy is active. You can create recurring schedules that take effect repeatedly at specified times on specified days of the week (for example, a schedule that is active during office hours: weekdays between 9 am and 5 pm). You can also create one-time schedules that take effect only once for a period of time (for example, for a week in September 2020).
Firewall objects also include traffic shapers, used to normalize traffic peaks and bursts to prioritize certain flows over others. A wide variety of traffic shaping options are available, allowing you to customize traffic shaping according to your network's requirements and apply custom traffic shaping to any security policy.
The Virtual IP firewall objects are added to security policies to perform various forms of destination
network address translation (D-NAT) including destination IP address and destination port translation
and port forwarding.
The final firewall object is load balancing, which is an extension of virtual IPs to load balance traffic
passing through the FortiGate unit to multiple servers. FortiGate load balancing supports various load
balancing schedules, real server health monitoring, persistence, and SSL acceleration.
This chapter includes the following security policy and firewall object examples:
Providing Internet access for your private network users (static source NAT)
Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT)
Dynamic source NAT without changing the source port (one-to-one source NAT)
Allowing access to a web server on an internal network when you only have one Internet IP address
Allowing Internet access to a web server on a protected network when you only have one Internet IP address, using port translation
Allowing Internet access to a web server on a protected network when you have an IP address for the web server
You want to limit employee Internet access for YouTube and Facebook to between 12 noon and 2 pm.
[Figure: internal network on the internal interface, wan1 to YouTube and Facebook on the Internet]
Solution
Create a firewall schedule that allows access to YouTube and Facebook between 12 and 2. Create a
new security policy that includes the schedule. This policy will be independent of the current Internet
browsing policy.
This procedure presumes the following configurations are already complete:
Users that connect to the FortiGate unit for access to the Internet.
Security policies to allow traffic to and from the Internet. For simplicity, this example uses a wide
open policy for all other Internet browsing.
Create a security policy that references these sites and the schedule.
Go to Firewall Objects > Address > Address and select Create New and complete the following:
Address Name: YouTube
Type: FQDN
FQDN: www.youtube.com
Interface: wan1
Select OK.
Address Name: Facebook
Type: FQDN
FQDN: www.facebook.com
Interface: wan1
Select OK.
Go to Firewall Objects > Schedule > Recurring and select Create New and complete the
following:
Name: Lunch Access
Start Time: Hour 12, Minute 00
Stop Time: Hour 14, Minute 00
Select OK.
Go to Policy > Policy > Policy and select Create New to add the security policy that restricts Internet access to between 12 and 2:
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: YouTube, Facebook
Schedule: Lunch Access
Service: ANY
Action: ACCEPT
Enable NAT: Select to enable
Select OK.
Select Create New to add a security policy that restricts access to YouTube and Facebook:
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: YouTube, Facebook
Schedule: Always
Service: ANY
Action: DENY
Select OK.
Select Before and enter the policy number for the all access policy.
Select OK.
Repeat these steps for the Deny policy to move it after the Lunch Access policy.
The schedule in the security policy enables network traffic to occur for a specific length of time. The
policy is active for a given time frame, and as long as the session is open, traffic can continue to
flow. That means, that if a user opens a session for YouTube two minutes before the schedule ends,
the user can use YouTube until they stop the session. To ensure all sessions terminate at the end of
the desired time, use these CLI commands:
config firewall policy
    edit 2 (the ID of the policy that uses the schedule)
        set schedule-timeout enable
    end
Results
With these policies in place, a user trying to access YouTube or Facebook will not be able to connect. Once the allotted time arrives, access is allowed. The best way to test this is to try to connect to YouTube. It won't connect. Change either the system time on the FortiGate unit or the schedule time so that the current time falls within the schedule, to see that access to the site is allowed.
How do I restrict access to the Internet based on IP addresses of users on an internal network?
[Figure: engineering (10.10.20.100-150) and marketing (10.10.20.30-50) on the internal network; restricted traffic to the Internet]
Identify groups of users according to their IP addresses and add firewall addresses for these groups. Two user groups are identified: engineering and marketing.
The solution shows how to allow marketing access to the Internet during office hours (between 8:00 am and 6:00 pm) while restricting engineering to accessing the Internet only between 12:00 noon and 2:00 pm.
Creating the firewall addresses for each user group
Go to Firewall Objects > Address > Address and select Create New to add the engineering address range:
Address Name: engineering
Type: Subnet / IP Range
Subnet / IP Range: 10.10.20.[100-150]
Interface: internal
Select Create New to add the marketing address range:
Address Name: marketing
Type: Subnet / IP Range
Subnet / IP Range: 10.10.20.[30-50]
Interface: internal
Go to Firewall Objects > Schedule > Recurring and select Create New to add a schedule for
engineering:
Name: engineering-restrict
Day of Week
Start Time: 12:00
Stop Time: 14:00
Select Create New to add a schedule for marketing:
Name: marketing-all
Day of Week
Start Time: 08:00
Stop Time: 18:00
Select OK.
Go to Policy > Policy > Policy and select Create New to create the security policy for marketing:
Source Interface/Zone: internal
Source Address: marketing
Destination Interface/Zone: wan1
Destination Address: all
Schedule: marketing-all
Service: ANY
Action: ACCEPT
Select Create New to create the security policy for engineering:
Source Interface/Zone: internal
Source Address: engineering
Destination Interface/Zone: wan1
Destination Address: all
Schedule: engineering-restrict
Service: ANY
Action: ACCEPT
Select OK.
Select After and enter the policy number for the Engineering policy.
Select OK.
Results
The marketing department should be able to connect to the Internet immediately and the engineering
department should not be able to connect to the Internet until the specified time in the schedule. You
should also see packets in the Count column in the marketing policy, but nothing in the engineering
policy.
To test that things are correct, try accessing web sites on the Internet using an IP address assigned to the engineering department. All access should be denied. Try accessing web sites from an IP address assigned to the marketing department. All access should be allowed.
To test that the engineering department policy is correct, change the time frame in the engineering-restrict firewall schedule to the current time, and then try accessing web sites from the engineering department. You should be seeing packets in the Count column in the engineering policy as well as in the marketing policy.
Change the time range back to the original time in the engineering-restrict firewall schedule, and all packets should stop and the Count for this policy should not increase.
[Figure: internal network 10.31.101.0/24 on the internal interface, wan1 to the Internet; users to be excluded from UTM filtering at 10.31.101.20 and 10.31.101.21]
Solution
Add a general security policy to the FortiGate unit that accepts all connections from the internal network and applies UTM filtering. Add a specific security policy that does not apply UTM filtering and only accepts connections from the users to be excluded. To only accept connections from selected users, add firewall addresses for each user's computer. Move the specific security policy above the general policy in the security policy list.
Creating the general security policy that accepts all sessions from the internal network to the
Internet
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the internal network to access the Internet.
Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan1
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
Select UTM and enable the UTM filtering features required for the users on your network.
Creating the specific security policy that accepts sessions only from selected users
Go to Firewall Objects > Address > Address and select Create New to add an address for the
first user to be excluded:
Address Name: excluded-user-20
Type: Subnet / IP Range
Subnet / IP Range: 10.31.101.20/255.255.255.255
Interface: internal
Select OK.
Select Create New to add an address for the second user to be excluded:
Address Name: excluded-user-21
Type: Subnet / IP Range
Subnet / IP Range: 10.31.101.21/255.255.255.255
Interface: internal
Select OK.
Go to Firewall Objects > Address > Group and select Create New to add an address group that
includes the addresses of the users to be excluded:
Group Name: excluded-user-group
Members: excluded-user-21, excluded-user-22
Select OK.
You could have also added an address range for these two users to the Subnet / IP Range field in
the format 10.31.101.[20-21]. In this case you would not need the address group. However, if the
addresses of the excluded users are not in a continuous range, you would need to add multiple
addresses and add these addresses to a group.
Go to Policy > Policy > Policy and right-click on the general security policy added in the previous
procedure.
Select Insert Above to add a specific security policy that accepts sessions from the selected
users on the internal network above the general security policy.
Source Interface/Zone: internal
Source Address: excluded-user-group
Destination Interface/Zone: wan1
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
Results
Because the specific security policy is above the general security policy in the policy list, traffic from the selected users is intercepted by the specific security policy. Verify that the specific security policy is accepting sessions from the users to be excluded from filtering by browsing to the Internet from an excluded user's PC. Go to Policy > Monitor > Policy Monitor to verify that the specific policy is accepting sessions from the excluded users' IP addresses.
Using diagnose debug flow to show traffic hitting the specific policy
You can use the diagnose debug flow command to show packet flow through the FortiGate unit.
As packets are received you can view debug messages to show how the FortiGate unit processes
them. The following command sequence displays packet flow for packets from IP address
10.31.101.22.
diagnose debug enable
diagnose debug flow show console enable    (show trace messages on the console)
diagnose debug flow filter add 10.31.101.22
diagnose debug flow trace start 100
How can I verify that traffic is being accepted by (or hitting) a security policy?
[Figure: the Engineering and Marketing networks used in this example]
Solution
Use the security policy list Count column and the policy monitors. The Count column and the policy
monitors provide a visual verification that packets are hitting a policy.
This solution uses the security policies created in Restricting Internet access per IP address on
page 189.
1 Go to Policy > Policy > Policy and locate the engineering-restrict and marketing-all policies.
The Count column in the following example shows that there are currently no packets hitting the
engineering-restrict policy, but packets are hitting the marketing-all policy.
Go to Policy > Monitor > Policy Monitor to view the marketing-all policy sessions.
In the list, you should see that the policy ID, in this case ID number 5, is the marketing-all
policy that is accepting these sessions. You can verify this by selecting Refresh to see the byte
and packet count increase.
You can drill down to see a graph of the individual sessions accepted by the policy by source or
destination address or destination port.
You can drill down one more level to see a detailed list of the sessions currently accepted by the
policy.
Go to the engineering-restrict schedule and change the original time to current time so that you
can verify that traffic is hitting that policy.
On both the policy list and Policy Monitor, you can verify that traffic is now hitting both policies.
Results
You can use these web-based manager tools to verify that traffic is hitting the expected security
policies. More advanced tools for verifying that traffic is hitting the expected policy are available from
the CLI.
The following command sequence and output show what happens when you do a debug trace for
packets that contain IP address 172.20.120.2 and then ping from 10.10.20.30 to 172.20.120.2
through the FortiGate unit. The first six output lines show the ping packet received from 10.10.20.30
and accepted by security policy ID 5. The final four lines show how the reply from
172.20.120.2 is matched to the existing session and passed through the FortiGate unit to the source.
diagnose debug enable
diagnose debug flow show console enable    (show trace messages on the console)
diagnose debug flow filter add 172.20.120.2
diagnose debug flow trace start 100
id=36871 trace_id=1147 msg="vd-root received a packet(proto=1, 10.10.20.30:512>172.20.120.2:8) from internal."
id=36871 trace_id=1147 msg="allocate a new session-00012259"
id=36871 trace_id=1147 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=1147 msg="find SNAT: IP-172.20.120.230, port-59532"
id=36871 trace_id=1147 msg="Allowed by Policy-5: SNAT"
id=36871 trace_id=1147 msg="SNAT 10.10.20.30->172.20.120.230:59532"
id=36871 trace_id=1148 msg="vd-root received a packet(proto=1, 172.20.120.2:59532>172.20.120.230:0)from wan1."
id=36871 trace_id=1148 msg="Find an existing session, id-00012259, reply direction"
id=36871 trace_id=1148 msg="DNAT 172.20.120.230:0->10.10.20.30:512"
id=36871 trace_id=1148 msg="find a route: gw-10.10.20.30 via internal"
trace_id=126
internal."
trace_id=126
trace_id=126
trace_id=126
[Figure: internal network 192.168.1.0/255.255.255.0; access allowed for the network, access denied for 192.168.1.110]
Solution
More specific security policies should be placed in the security policy list above more general
policies. In this case the specific policy that blocks one source address should be placed above the
general policy that allows access from any source address.
1 Go to Policy > Policy > Policy and select Create New to add a security policy to allow all users
on the internal network to access the Internet.
Source Interface/Zone: internal
Source Address: All
Destination Interface/Zone: wan1
Destination Address: All
Schedule: always
Service: ANY
Action: ACCEPT
Select OK.
Some FortiGate models include this security policy in the default configuration. If you have one of
these models, this step has already been done for you.
4 Go to Firewall Objects > Address > Address and select Create New to add the specific
address to be blocked:
Address Name: Blocked address
Type: Subnet / IP Range
Subnet / IP Range: 192.168.1.110/255.255.255.255
Interface: internal
Select OK.
Go to Policy > Policy > Policy and select Create New to add a security policy to deny access for
sessions from the source address 192.168.1.110:
Source Interface/Zone: internal
Source Address: Blocked address
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: DENY
Results
New security policies are always added to the bottom of the policy list, so this specific policy is added
below the general policy that allows access.
1 Test the configuration by attempting to connect to the Internet from a PC with IP address
192.168.1.110.
Access should be allowed. If you go to Policy > Policy > Policy, the Count column should show
that the general policy is accepting packets.
Select the specific policy and select Move to and move this policy Before policy 1.
Test this new configuration by attempting to connect to the Internet from a PC with IP address
192.168.1.110.
Access should be denied. If you go to Policy > Policy > Policy, the Count column should show
that the deny policy is blocking packets.
Packet flow
The following command sequence displays packet flow for packets from IP address 192.168.1.110
that are blocked by the deny policy.
diagnose debug enable
diagnose debug flow show console enable    (show trace messages on the console)
diagnose debug flow filter add 192.168.1.110
diagnose debug flow trace start 100
id=36871 trace_id=301 msg="vd-root received a packet(proto=6, 192.168.1.110:3858>172.16.100.148:80) from internal."
id=36871 trace_id=301 msg="allocate a new session-0000876e"
id=36871 trace_id=301 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=301 msg="Denied by forward policy check"
The following command sequence displays packet flow for packets from IP address 192.168.1.120
that are allowed by policy 1.
diagnose debug enable
diagnose debug flow show console enable    (show trace messages on the console)
diagnose debug flow filter add 192.168.1.120
diagnose debug flow trace start 100
id=36871 trace_id=310 msg="vd-root received a packet(proto=6, 192.168.1.120:3907>172.16.100.148:80) from internal."
id=36871 trace_id=310 msg="allocate a new session-000088a8"
id=36871 trace_id=310 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=310 msg="find SNAT: IP-172.20.120.11, port-53199"
id=36871 trace_id=310 msg="Allowed by Policy-1: SNAT"
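Reading these traces by eye works for one packet; when you are confirming a policy change across many hosts it helps to parse them. The following Python script is an added example, not a Fortinet tool: it groups `diagnose debug flow` lines by trace_id, records the packet tuple, the session and the verdict ("Allowed by Policy-N", "Denied by forward policy check", or a reply riding an existing session), and then answers the two questions these recipes ask, which sources were denied and how many traced packets each policy accepted. The sample input is the ping trace from the previous recipe and the two traces printed above.

```python
"""Summarize FortiGate `diagnose debug flow` output per trace.

Added example, not a Fortinet tool. Each output line has the shape
    id=<n> trace_id=<n> msg="..."
and the messages sharing one trace_id describe one packet: the interface it
arrived on, whether a new session was allocated or an existing one matched,
and which policy allowed or denied it.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(r'^id=(\d+)\s+trace_id=(\d+)\s+msg="(.*)"\s*$')
PACKET_RE = re.compile(
    r'received a packet\(proto=(\d+),\s*([\d.]+):(\d+)>([\d.]+):(\d+)\)\s*from\s+(\w+)\.')
NEW_SESSION_RE = re.compile(r'allocate a new session-([0-9a-fA-F]+)')
EXISTING_RE = re.compile(r'Find an existing session, id-([0-9a-fA-F]+), reply direction')
ALLOWED_RE = re.compile(r'Allowed by Policy-(\d+)')
DENIED_RE = re.compile(r'Denied by forward policy check')

# Sample input: the traces printed in this recipe and the previous one (command echoes included).
SAMPLE = """\
diagnose debug flow trace start 100
id=36871 trace_id=1147 msg="vd-root received a packet(proto=1, 10.10.20.30:512>172.20.120.2:8) from internal."
id=36871 trace_id=1147 msg="allocate a new session-00012259"
id=36871 trace_id=1147 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=1147 msg="find SNAT: IP-172.20.120.230, port-59532"
id=36871 trace_id=1147 msg="Allowed by Policy-5: SNAT"
id=36871 trace_id=1147 msg="SNAT 10.10.20.30->172.20.120.230:59532"
id=36871 trace_id=1148 msg="vd-root received a packet(proto=1, 172.20.120.2:59532>172.20.120.230:0)from wan1."
id=36871 trace_id=1148 msg="Find an existing session, id-00012259, reply direction"
id=36871 trace_id=1148 msg="DNAT 172.20.120.230:0->10.10.20.30:512"
id=36871 trace_id=1148 msg="find a route: gw-10.10.20.30 via internal"
id=36871 trace_id=301 msg="vd-root received a packet(proto=6, 192.168.1.110:3858>172.16.100.148:80) from internal."
id=36871 trace_id=301 msg="allocate a new session-0000876e"
id=36871 trace_id=301 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=301 msg="Denied by forward policy check"
id=36871 trace_id=310 msg="vd-root received a packet(proto=6, 192.168.1.120:3907>172.16.100.148:80) from internal."
id=36871 trace_id=310 msg="allocate a new session-000088a8"
id=36871 trace_id=310 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=310 msg="find SNAT: IP-172.20.120.11, port-53199"
id=36871 trace_id=310 msg="Allowed by Policy-1: SNAT"
"""


def parse_debug_flow(text):
    """Return an ordered dict trace_id -> summary of that packet's handling."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # command echo, prompt or blank line, not a trace message
        tid, msg = int(m.group(2)), m.group(3)
        t = traces.setdefault(tid, {"verdict": "UNKNOWN", "policy": None,
                                    "session": None, "new_session": None})
        pm = PACKET_RE.search(msg)
        if pm:
            t.update(proto=int(pm.group(1)), src=pm.group(2), sport=int(pm.group(3)),
                     dst=pm.group(4), dport=int(pm.group(5)), iface=pm.group(6))
            continue
        nm = NEW_SESSION_RE.search(msg)
        if nm:
            t["session"], t["new_session"] = nm.group(1), True
            continue
        em = EXISTING_RE.search(msg)
        if em:
            # Reply packets are matched to the existing session; no policy lookup happens.
            t["session"], t["new_session"], t["verdict"] = em.group(1), False, "REPLY"
            continue
        am = ALLOWED_RE.search(msg)
        if am:
            t["verdict"], t["policy"] = "ACCEPT", int(am.group(1))
            continue
        if DENIED_RE.search(msg):
            t["verdict"] = "DENY"
    return traces


def denied_sources(traces):
    """Source addresses whose packets were denied: what to look at when a host is blocked unexpectedly."""
    return sorted({t["src"] for t in traces.values() if t["verdict"] == "DENY" and "src" in t})


def policy_hits(traces):
    """Packets accepted per policy ID, the CLI counterpart of the GUI Count column."""
    hits = {}
    for t in traces.values():
        if t["verdict"] == "ACCEPT":
            hits[t["policy"]] = hits.get(t["policy"], 0) + 1
    return hits


if __name__ == "__main__":
    summary = parse_debug_flow(SAMPLE)
    for tid, t in summary.items():
        print(tid, t)
    print("denied:", denied_sources(summary))
    print("hits:", policy_hits(summary))
```

Feed it the console output captured after `diagnose debug flow trace start`; lines that are not trace messages are ignored, and a trace that ends without an "Allowed by" or "Denied by" message keeps the verdict UNKNOWN, which is itself worth noticing when a packet is silently dropped for a reason other than policy.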
[Figure: internal network and the approved DNS server 208.91.112.53]
Solution
Watch the video: http://docs.fortinet.com/cb/sp1.html
Block all DNS sessions except for sessions to the approved DNS server.
In this example, the approved DNS server is 208.91.112.53. This DNS server is maintained by
Fortinet and is the Primary DNS server in the default configuration of every FortiGate unit.
To do this, create a firewall address for the approved DNS server and then add it to a security policy
that uses the DNS service and allows access to the Internet. Create another security policy that
blocks all DNS sessions.
Arrange the allow DNS policy above the more general deny DNS policy. Arrange both of these
policies above any general policies that allow access to the Internet.
Make sure the devices on the internal network are configured to use the approved DNS server.
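The single-address block in the previous recipe and this DNS recipe rest on the same rule: the FortiGate unit walks the policy list from the top and the first matching policy decides, with an implicit deny for anything that matches nothing. The following Python model is an added example, not FortiOS code. It reproduces only the match fields these recipes use (interfaces, addresses, service, action); the policy names are constructed labels, and the session to 8.8.8.8 stands in for the "different but still valid DNS server" the test step uses. It shows the outcome of both orderings of the blocked-address policy and of the DNS allow/deny pair placed above the general policy.

```python
"""First-match evaluation of a security policy list (added example, not FortiOS code).

Models the fields the recipes on this page use: source/destination interface,
source/destination address ("all" or a network in CIDR notation), service
("ANY" or a service name) and action. Like the FortiGate unit, it walks the
list top down; the first matching policy decides, and a session matching no
policy is dropped (implicit deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    srcintf: str
    srcaddr: str   # "all" or a network/host in CIDR notation
    dstintf: str
    dstaddr: str   # "all" or a network/host in CIDR notation
    service: str   # "ANY" or a service name such as "DNS" or "HTTP"
    action: str    # "ACCEPT" or "DENY"


@dataclass(frozen=True)
class Session:
    srcintf: str
    src: str
    dstintf: str
    dst: str
    service: str


def _addr_match(spec, addr):
    return spec.lower() == "all" or ip_address(addr) in ip_network(spec, strict=False)


def _service_match(spec, service):
    return spec.upper() == "ANY" or spec.upper() == service.upper()


def matches(policy, s):
    return (policy.srcintf == s.srcintf
            and policy.dstintf == s.dstintf
            and _addr_match(policy.srcaddr, s.src)
            and _addr_match(policy.dstaddr, s.dst)
            and _service_match(policy.service, s.service))


def evaluate(policies, s):
    """Return (policy name, action) of the first matching policy, or (None, "DENY")
    for the implicit deny at the end of the list."""
    for p in policies:
        if matches(p, s):
            return p.name, p.action
    return None, "DENY"


# Policies from the recipes; the names are constructed labels, the match fields are the page's values.
GENERAL_ALLOW = Policy("general-allow", "internal", "all", "wan1", "all", "ANY", "ACCEPT")
BLOCK_HOST = Policy("block-192.168.1.110", "internal", "192.168.1.110/32", "wan1", "all", "ANY", "DENY")
DNS_ALLOW = Policy("dns-approved", "internal", "all", "wan1", "208.91.112.53/32", "DNS", "ACCEPT")
DNS_DENY = Policy("dns-deny", "internal", "all", "wan1", "all", "DNS", "DENY")


def blocked_host_results():
    """The blocked host's web session with the deny policy in both positions."""
    web = Session("internal", "192.168.1.110", "wan1", "172.16.100.148", "HTTP")
    as_created = [GENERAL_ALLOW, BLOCK_HOST]   # new policies land at the bottom of the list
    after_move = [BLOCK_HOST, GENERAL_ALLOW]   # after "Move to ... Before policy 1"
    return evaluate(as_created, web), evaluate(after_move, web)


def dns_results():
    """DNS to the approved server, DNS elsewhere and web traffic under the DNS recipe's ordering."""
    policies = [DNS_ALLOW, DNS_DENY, GENERAL_ALLOW]
    approved = Session("internal", "192.168.1.120", "wan1", "208.91.112.53", "DNS")
    other_dns = Session("internal", "192.168.1.120", "wan1", "8.8.8.8", "DNS")  # constructed: another public resolver
    web = Session("internal", "192.168.1.120", "wan1", "172.16.100.148", "HTTP")
    return {
        "approved_dns": evaluate(policies, approved),
        "other_dns": evaluate(policies, other_dns),
        "web": evaluate(policies, web),
    }


if __name__ == "__main__":
    print(blocked_host_results())
    print(dns_results())
```

The model deliberately has no "move to" operation: the order of the Python list is the order of the policy list, which is exactly what the Count column and the debug flow output verify on the real unit.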
1 Go to Policy > Policy > Policy and select Create New to add a security policy to allow all users
on the internal network to access the Internet.
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select OK.
Some FortiGate models include this security policy in the default configuration. If you have one of
these models, this step has already been done for you.
4 Go to Firewall Objects > Address > Address and select Create New and add a firewall address
for the approved DNS server:
Address Name:
Type: Subnet / IP Range
Subnet / IP Range: 208.91.112.53/255.255.255.255
Interface: wan1
Select OK.
Go to Policy > Policy > Policy and select Create New to add a policy that allows DNS sessions
to access the approved DNS server:
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address:
Schedule: always
Service: DNS
Action: ACCEPT
Select OK.
Select Create New to add a policy to block all DNS sessions to the Internet:
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: DNS
Action: DENY
If you completed the steps in order, the internal to wan1 policy list should look similar to the
following:
Results
Use the following steps to test the configuration.
1 Go to Policy > Policy > Policy and view the Count column for the security policies.
The policy 2 Count column should show that it is processing traffic. The policy monitor (at Policy
> Monitor > Policy Monitor) should show that all sessions accepted by policy 2 are DNS
sessions with a destination address of 208.91.112.53.
Enter the following commands to verify that DNS sessions from a PC with IP address 192.168.1.110 to
IP address 208.91.112.53 are accepted by policy 2.
diagnose debug enable
diagnose debug flow show console enable    (show trace messages on the console)
diagnose debug flow filter add 192.168.1.110
diagnose debug flow trace start 100
id=36871 trace_id=459 msg="vd-root received a packet(proto=17, 192.168.1.120:1207>208.91.112.53:53) from internal."
id=36871 trace_id=459 msg="allocate a new session-00009c6f"
id=36871 trace_id=459 msg="find a route: gw-172.20.120.2 via wan1"
id=36871 trace_id=459 msg="find SNAT: IP-172.20.120.11, port-42043"
id=36871 trace_id=459 msg="Allowed by Policy-2: SNAT"
id=36871 trace_id=459 msg="SNAT 192.168.1.120->172.20.120.11:42043"
id=36871 trace_id=459 msg="run helper-dns-udp(dir=original)"
Change the PC to use a different but still valid DNS server on the Internet.
Enter the following command to verify that DNS sessions from a PC with IP address
192.168.1.110 to a different DNS server are blocked.
diagnose debug enable
diagnose debug flow show console enable    (show trace messages on the console)
diagnose debug flow filter add 192.168.1.110
diagnose debug flow trace start 100
id=36871 trace_id=409
>8.8.8.8:53) from
id=36871 trace_id=409
id=36871 trace_id=409
id=36871 trace_id=409
Solution
The network topology determines how to configure the FortiWiFi unit to allow printing to an
AirPrint-compatible printer. For example, if an iPhone and an AirPrint-compatible printer both
use WiFi to connect to the same FortiWiFi wireless access point on the same subnet, no FortiWiFi
configuration changes are required as long as intra-SSID traffic is not blocked. The iPhone and the
printer can communicate directly.
If the iPhone and the AirPrint-compatible printer are on different networks separated by a FortiWiFi
unit, you can use the information below to pass all AirPrint communication through the FortiWiFi unit.
The following examples also describe how to allow AirPlay communication between AirPlay devices
that are likewise separated by a FortiWiFi unit.
Enable multicast forwarding
If you require AirPrint or AirPlay traffic to pass through a FortiWiFi unit, the first step is to enable
multicast forwarding in the FortiWiFi unit.
[Figure: iOS device on FortiWiFi 1, internal network, FortiWiFi 2 and AirPrint-capable printer]
On both FortiWiFi units, enable multicast forwarding and create security policies to allow
multicast traffic. See Enable multicast forwarding on page 208.
Go to Firewall Objects > Service > Custom and select Create New to create an Internet
Printing Protocol (IPP) custom service for AirPrint:
Name: IPP
Protocol Type: TCP/UDP/SCTP
Protocol  Source Port Low  Source Port High  Destination Port Low  Destination Port High
TCP       -                65535             631                   631
Select OK.
On FortiWiFi 1 go to Policy > Policy > Policy and select Create New to add a security policy to
allow the AirPrint traffic from the wireless network to the internal network.
Source Interface/Zone: wlan
Source Address: all
Destination Interface/Zone: internal
Destination Address: all
Schedule: always
Service: IPP
Action: ACCEPT
Select OK.
On FortiWiFi 2 go to Policy > Policy > Policy and select Create New to add a security policy to
allow the AirPrint traffic from the internal network to the wireless network.
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wlan
Destination Address: all
Schedule: always
Service: IPP
Action: ACCEPT
Select OK.
With this configuration in place, anyone using an iOS device on FortiWiFi 1's wireless network can
use AirPrint to print to the printer.
AirPrint from OS X
To allow an OS X computer to print to an AirPrint enabled printer on a WiFi network, configure the
FortiWiFi unit according to these procedures:
[Figure: OS X computers on the internal network, FortiWiFi unit, AirPrint-capable printer on the wireless network]
Enable multicast forwarding and create security policies to allow multicast traffic. See Enable
multicast forwarding on page 208.
Go to Firewall Objects > Service > Custom and select Create New to create a PDL data
streaming custom service:
Name: PDL
Protocol Type: TCP/UDP/SCTP
Protocol  Source Port Low  Source Port High  Destination Port Low  Destination Port High
TCP       -                65535             9100                  9100
Select OK.
Select Create New to allow AirPrint traffic from the internal network to the wireless network:
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wlan
Destination Address: all
Schedule: always
Service: IPP
Action: ACCEPT
Select OK.
With this configuration in place, anyone using an OS X computer on the network connected to the
internal interface of the FortiWiFi unit can use AirPrint to print to the printer.
AirPlay from iOS
To allow an iOS device (iPhone, iPad, or iPod Touch) to play to an Apple TV on a separate network,
configure the FortiWiFi unit according to these procedures:
[Figure: iOS device, internal network, FortiWiFi unit, Apple TV]
Enable multicast forwarding and create security policies to allow multicast traffic. See Enable
multicast forwarding on page 208.
Go to Firewall Objects > Service > Custom and select Create New to create a new custom
service with these characteristics:
Name:
Protocol Type: TCP/UDP/SCTP
Protocol  Source Port Low  Source Port High  Destination Port Low  Destination Port High
TCP       -                65535             7000                  7000
TCP       -                65535             7100                  7100
TCP       -                65535             49152                 50000
UDP       -                65535             -                     65535
Select OK.
Select Create New to create another new custom service with these characteristics:
Name:
Protocol Type: TCP/UDP/SCTP
Protocol  Source Port Low  Source Port High  Destination Port Low  Destination Port High
TCP       -                65535             7000                  7000
UDP       -                65535             -                     65535
Select OK.
Go to Policy > Policy > Policy and select Create New to create a security policy to allow AirPlay
traffic from the wireless network to the internal network.
Source Interface/Zone: wlan
Source Address: all
Destination Interface/Zone: internal
Destination Address: all
Schedule: always
Service:
Action: ACCEPT
Select OK.
Select Create New to create a security policy to allow the AirPlay traffic from the internal network
to the wireless network.
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wlan
Destination Address: all
Schedule: always
Service:
Action: ACCEPT
Select OK.
With this configuration in place, anyone using an iOS device on the wireless interface of the FortiWiFi
unit can use AirPlay to play media on the Apple TV.
Although AirPlay will function with this configuration, playing YouTube video requires that security
policies allow the iOS device and the Apple TV to access the Internet.
AirPlay from OS X
To allow an OS X computer to play to an Apple TV on a separate network, configure the FortiWiFi unit
according to these procedures:
[Figure: OS X computers on internal network 1, FortiWiFi unit, Apple TV on internal network 2]
Enable multicast forwarding and create security policies to allow multicast traffic. See Enable
multicast forwarding on page 208.
Go to Firewall Objects > Service > Custom and select Create New to create a new custom
service with these characteristics:
Name: AirPlay - OS X to Apple TV
Protocol Type: TCP/UDP/SCTP
Protocol  Source Port Low  Source Port High  Destination Port Low  Destination Port High
TCP       -                65535             7000                  7000
TCP       -                65535             49152                 49152
UDP       -                65535             -                     65535
Select OK.
Select Create New to create another new custom service with these characteristics:
Name: AirPlay - Apple TV to OS X
Protocol Type: TCP/UDP/SCTP
Protocol  Source Port Low  Source Port High  Destination Port Low  Destination Port High
TCP       -                65535             3689                  3689
UDP       -                65535             6002                  6002
Go to Policy > Policy > Policy and select Create New to create a security policy to allow AirPlay
traffic from the OS X computer network to the Apple TV network.
Source Interface/Zone: internal1
Source Address: all
Destination Interface/Zone: internal2
Destination Address: all
Schedule: always
Service: AirPlay - OS X to Apple TV
Action: ACCEPT
Select Create New to create a security policy to allow the AirPlay traffic from the Apple TV
network to the OS X computer network.
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wlan
Destination Address: all
Schedule: always
Service: AirPlay - Apple TV to OS X
Action: ACCEPT
With this configuration in place, anyone using an iOS device on the wireless interface of the
FortiWiFi unit can use AirPlay to play media on the Apple TV.
[Figure: internal IP phone network and internal network connected to the FortiGate unit]
Solution
Using traffic shaping, you can configure shared shapers that ensure a consistent amount of
bandwidth is reserved for VoIP/SIP communications and still maintain bandwidth for other Internet
traffic such as email and web browsing. For this solution, 200000 kbits/s is guaranteed to be
available for VoIP and VoIP traffic is given higher priority than other traffic. Other traffic is limited to a
maximum bandwidth of 100000 kbits/s.
In this configuration, the internal IP phone network and internal network both connect to the
FortiGate internal interface.
When creating a traffic shaper, you must include a data value for the Maximum Bandwidth and/or
the Guaranteed Bandwidth as well as selecting the Traffic Priority.
Create traffic shapers for VoIP traffic and for other traffic
1 Go to Firewall Objects > Traffic Shaper > Shared and select Create New to add a shared
shaper for IP phone traffic:
Name: VoIP
Apply Shaper: Per Policy
Traffic Priority: High
Maximum Bandwidth: 16776000
Guaranteed Bandwidth: 2000000
Select OK.
Select Create New and add a shared shaper for other traffic:
Name: Daily_Traffic
Apply Shaper: Per Policy
Traffic Priority: Medium
Maximum Bandwidth: 1000000
Creating the firewall addresses for the IP phone and internal networks
1 Go to Firewall Objects > Address > Address and select Create New to add the IP phone network
and internal network address ranges:
Address Name: IP Phone net
Type: Subnet / IP Range
Subnet / IP Range: 10.10.10.[10-50]
Interface: internal
Address Name: Internal net
Type: Subnet / IP Range
Subnet / IP Range: 10.10.10.[100-200]
Interface: internal
Go to Policy > Policy > Policy and select Create New and add a security policy for VoIP/SIP
traffic:
Source Interface/Zone: internal
Source Address: IP Phone net
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: SIP
Action: ACCEPT
Select Traffic Shaping and select the VoIP shaper for both directions:
Shared Traffic Shaper: VoIP (forward and reverse direction)
Select OK.
Select Create New and add a security policy for other traffic from the Internal network to the
Internet:
Source Interface/Zone: internal
Source Address: Internal net
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select Traffic Shaping and select the daily traffic shaper for both directions:
Shared Traffic Shaper: Daily_Traffic (forward and reverse direction)
To monitor the data passing through the FortiGate unit for troubleshooting, remember to enable
Log Allowed Traffic in both policies.
Results
Phone usage has a guaranteed bandwidth and a higher priority than other standard Internet usage.
As such, telephony use will not be degraded by other traffic between the internal network and the
Internet.
Go to Firewall Objects > Monitor > Traffic Shaper Monitor and select Current Bandwidth to view
the current bandwidth being used by active traffic shapers. If standard traffic volume is high enough,
it will top out at the maximum bandwidth defined in each shaper.
To ensure that the shaper is in use, go to Log&Report > Log & Archive Access > Traffic Log. Filter
the Service by SIP to see the telephony traffic.
When you view the detailed information for a SIP log message, the shaper name appears in the Sent
Shaper Name field.
[Figure: headquarters and branch office networks with their address ranges]
Solution
Create schedules for each branch office, as well as addresses with the geographic-based address
feature.
A geographic-based address identifies a country, so that traffic originating from or going to that
country can be logged, blocked, or given specific filtering. The schedules, in this case, will
block employee access to the servers at specified times.
For this solution, we are using Eastern Time zone (GMT -5:00) as the time zone for the location of the
schedules and addresses.
Creating the geographic addresses
Go to Firewall Objects > Address > Address and create a new address.
Select OK.
Create the other two addresses using steps 2 to 6; use the names branch_office_2 for Brazil, and
branch_office_3 for Egypt.
Go to Firewall Objects > Address > Group and create a group of the three addresses.
Create a new schedule for the Ireland branch, and enter branch_office1 for the Name of the
schedule.
Select 11:00 as the Start Time and 13:00 as the Stop Time.
Create a new schedule for Brazil and enter branch_office2 for the Name of the schedule.
Select 16:00 as the Start Time and 18:00 as the Stop Time.
10 Create a new schedule for Egypt and enter branch_office3 for the Name of the schedule.
11 For Day of Week, select Tuesday and Saturday.
12 Select 11:00 as the Start Time and 13:00 as the Stop Time.
13 Select OK to save the schedule.
14 Go to Firewall Objects > Schedule > Group and group these three schedules.
Results
Employee access to these servers should be blocked during the times specified in the firewall
schedules. You can test this by trying to access a server in Ireland at 11:00 am your time; you should
not be able to access the server.
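Whether a recurring schedule is active at a given moment is the whole test above, so it is worth being precise about it. The following Python model is an added example, not FortiOS code. It evaluates a schedule the way the recipe defines it (a start and stop time in the unit's Eastern Time zone, GMT -5:00, with an optional day-of-week restriction), treats a schedule group as active when any member is active, and converts an incoming timestamp from another zone before checking. The Brazil schedule is named branch_office2 here, following the branch_office1/branch_office3 pattern of the other two; the recipe does not list days for the Ireland and Brazil schedules, so they are taken as every day. The overnight schedule at the end is constructed to show the midnight wrap case.

```python
"""Evaluate recurring firewall schedules and a schedule group (added example, not FortiOS code).

Each schedule is a start/stop window in the FortiGate unit's own time zone,
Eastern Time (GMT -5:00) in this recipe, optionally limited to certain days.
A deny policy bound to the schedule group blocks while any member is active.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

EASTERN = timezone(timedelta(hours=-5))  # GMT -5:00 as the recipe states; no DST handling
WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}


@dataclass(frozen=True)
class Schedule:
    name: str
    start: time
    stop: time
    days: frozenset = frozenset(WEEKDAYS.values())  # every day unless restricted

    def is_active(self, when):
        """True if `when` (an aware datetime in any zone) falls inside the window."""
        local = when.astimezone(EASTERN)
        if local.weekday() not in self.days:
            return False
        t = local.time()
        if self.start <= self.stop:
            return self.start <= t < self.stop
        return t >= self.start or t < self.stop  # window wraps past midnight


def group_active(schedules, when):
    """Names of the member schedules active at `when`, in list order."""
    return [s.name for s in schedules if s.is_active(when)]


def access_blocked(schedules, when):
    """A deny policy using the schedule group blocks whenever any member is active."""
    return bool(group_active(schedules, when))


def eastern(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=EASTERN)


def utc(y, m, d, hh, mm):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# The recipe's three schedules (Ireland, Brazil, Egypt).
BRANCH_SCHEDULES = [
    Schedule("branch_office1", time(11, 0), time(13, 0)),
    Schedule("branch_office2", time(16, 0), time(18, 0)),
    Schedule("branch_office3", time(11, 0), time(13, 0),
             frozenset({WEEKDAYS["tuesday"], WEEKDAYS["saturday"]})),
]

# Constructed schedule (not from the recipe) whose window crosses midnight.
OVERNIGHT = Schedule("overnight", time(22, 0), time(6, 0))


if __name__ == "__main__":
    for when in (eastern(2013, 8, 5, 11, 30), eastern(2013, 8, 6, 11, 30),
                 eastern(2013, 8, 5, 17, 0), utc(2013, 8, 5, 16, 30)):
        print(when.isoformat(), group_active(BRANCH_SCHEDULES, when),
              "blocked" if access_blocked(BRANCH_SCHEDULES, when) else "allowed")
```

The stop time is exclusive, so a 13:00 stop means the last blocked minute is 12:59; and because the conversion happens before the day-of-week check, a Tuesday 11:30 Eastern request arriving as 16:30 UTC still matches the Egypt schedule.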
Providing Internet access for your private network users (static source NAT)
[Figure: static source NAT between the internal network (internal interface 192.168.1.99) and the Internet (wan1 interface 172.20.120.14)]
Solution
Static source address translation (or static SNAT) is most often used to allow users on an internal
network to connect to the Internet. Static SNAT translates the source addresses of all outgoing
packets to the IP address of the external interface. To keep track of individual sessions, the FortiGate
unit also translates the source port of all packets. This type of NAT is also called port address
translation (PAT), network address and port translation (NAPT), IP masquerading, NAT overload, and
many-to-one NAT.
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet.
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Results
All packets accepted by this security policy have their source IP addresses translated from a private
IP address on the 192.168.1.0 network to the IP address of the wan1 interface (172.20.120.14). As
well, the source port is translated to a random source port. The destination IP address and
destination port are not changed.
Test source NAT by browsing a website on the Internet from a device on the internal network. Use the
following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 4
interfaces=[any]
filters=[port 80]
7.863458 internal in 192.168.1.110.3444 -> 172.20.120.101.80: syn 2322143869
7.872937 wan1 out 172.20.120.14.36344 -> 172.20.120.101.80: syn 2322143869
7.873146 wan1 in 172.20.120.101.80 -> 172.20.120.14.36344: syn 593799196 ack 2322143870
7.873325 internal out 172.20.120.101.80 -> 192.168.1.110.3444: syn 593799196 ack 2322143870
The first output line shows a packet was received by the internal interface with source address
192.168.1.110.
The second output line shows that when the packet exits the wan1 interface the source address
is changed to 172.20.120.14.
The third output line shows that when the response packet is received by the wan1 interface the
destination address is still 172.20.120.14.
The fourth output line shows that when the response packet exits the internal interface to return
to the source, its destination address has changed to 192.168.1.110.
Notice also in this example, the source port is translated from 3444 to 36344 and then back to
3444.
The source IP of all packets from any source IP is always translated to 172.20.120.14.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
If you can browse the web from the internal network, your configuration is successful. If you cannot,
try the steps described in Troubleshooting NAT/Route mode installations on page 24 to find the
problem.
Providing Internet access for a private network with multiple Internet addresses (dynamic source NAT)
[Figure: dynamic source NAT between the internal network 192.168.1.0/255.255.255.0 (internal interface 192.168.1.99) and the Internet; wan1 interface 172.20.120.14 with external IPs 172.20.120.13, 172.20.120.14 and 172.20.120.15]
Solution
Use dynamic source address translation when you have more than one external IP address and you
want outgoing packets to use some or all of these addresses. To get the FortiGate unit to use more
than one IP address for source NAT, you add the addresses to an IP pool. This example uses an IP
pool containing only 3 IP addresses: 172.20.120.[13-15]. Then you add a security policy and select
Use Dynamic IP Pool.
1 Go to Firewall Objects > Virtual IP > IP Pool and select Create New to add the following IP
pool.
Name: Dynamic-Source
IP Range/Subnet: 172.20.120.13-172.20.120.15
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet.
Source Interface/Zone: internal
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Schedule: always
Service: ANY
Action: ACCEPT
Select Enable NAT and Use Dynamic IP Pool and select the Dynamic-Source IP Pool.
Results
All packets accepted by this security policy have their source IP addresses translated from a private
IP address on the 192.168.1.0 network to one of the IP addresses in the IP pool (172.20.120.[13-15]).
As well, the source port is translated to a random source port. The destination IP address and
destination port are not changed.
Test dynamic source NAT by browsing a website on the Internet from multiple IP addresses on the
internal network. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 8
interfaces=[any]
filters=[port 80]
4.893372 internal in 192.168.1.120.4806 -> 172.20.120.101.80: syn 1222685135
4.893644 wan1 out 172.20.120.14.45642 -> 172.20.120.101.80: syn 1222685135
4.893855 wan1 in 172.20.120.101.80 -> 172.20.120.14.45642: syn 3955257209 ack 1222685136
4.894016 internal out 172.20.120.101.80 -> 192.168.1.120.4806: syn 3955257209 ack 1222685136
4.559945 internal in 192.168.1.110.4834 -> 172.20.120.101.80: syn 2817814036
4.560189 wan1 out 172.20.120.13.49774 -> 172.20.120.101.80: syn 2817814036
4.562207 wan1 in 172.20.120.101.80 -> 172.20.120.13.49774: syn 1591702338 ack 2817814037
4.562383 internal out 172.20.120.101.80 -> 192.168.1.110.4834: syn 1591702338 ack 2817814037
The first four output lines show a session from IP address 192.168.1.120 where the source IP
address has been translated to 172.20.120.14.
The next four output lines show a session from IP address 192.168.1.110 where the source IP
address has been translated to 172.20.120.13.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
If you can browse the web from the internal network, your configuration is successful. If you cannot,
try the steps described in Troubleshooting NAT/Route mode installations on page 24 to find the
problem.
Dynamic source NAT without changing the source port (one-to-one source NAT)
Problem
Some protocols or services will only function if they use a specific source port, or a source port that
does not change. Normally source NAT changes the source port to allow multiple simultaneous
sessions.
[Figure: Dynamic source NAT between the internal network and the Internet, with the source port not changed. Internal Network 192.168.1.0/255.255.255.0, internal host 192.168.1.99, wan1 172.20.120.14, External IPs 172.20.120.13, 172.20.120.14, 172.20.120.15. Packet before NAT: src IP 192.168.1.[1-255], src port 2415, dst IP 172.20.120.101, dst port 80. Packet after NAT: src IP 172.20.120.[13-15], src port 2415, dst IP 172.20.120.101, dst port 80.]
Solution
You can select the fixed port option to restrict the FortiGate unit to not translate the source port. This
results in a one-to-one NAT configuration. One-to-one NAT limits the number of simultaneous
sessions that are supported because one variable for tracking sessions (the source port number) is
no longer available. To allow more sessions, one-to-one NAT is normally used with multiple external
IPs added to an IP pool.
In this example, you enable one-to-one NAT by enabling the fixed port option in a security policy and
adding an IP pool containing three IP addresses: 172.20.120.[13-15]. The fixed port option is enabled
from the CLI so this entire example is configured from the CLI.
Enter the following command to add a security policy that allows users on the private network to
access the Internet.
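The CLI listing for this step did not survive in this copy of the cookbook. The following is an added example, not the cookbook's own listing, showing a FortiOS 4.0 MR3 CLI configuration that creates the three-address IP pool and the security policy with the fixed port option enabled. The pool name One-to-One-Pool and the policy ID 1 are placeholders chosen for this example.

```fortios
# Added example, not the cookbook's own listing.
# "One-to-One-Pool" and policy ID 1 are placeholder values.
config firewall ippool
    edit "One-to-One-Pool"
        set startip 172.20.120.13
        set endip 172.20.120.15
    next
end

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
        # use the pool instead of the wan1 address for the translated source
        set ippool enable
        set poolname "One-to-One-Pool"
        # keep the original source port (one-to-one NAT)
        set fixedport enable
    next
end
```

Because fixedport removes the source port as a session-tracking variable, two internal hosts that happen to use the same source port toward the same destination need different pool addresses, which is why the pool spans three addresses rather than one.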
If you edit this policy from the web-based manager, you will notice that the Fixed Port option is
visible and is selected.
Results
All packets accepted by this security policy have their source IP addresses translated from a private
IP address on the 192.168.1.0 network to one of the IP addresses in the IP pool (172.20.120.[13-15]).
The source port, destination IP address, and destination port are not changed.
Test dynamic source NAT by browsing to a website on the Internet from multiple IP addresses on the
internal network. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 18
interfaces=[any]
filters=[port 80]
17.388234 internal in 192.168.1.110.2415 -> 172.20.120.101.80: syn 1350596827
17.392883 wan1 out 172.20.120.13.2415 -> 172.20.120.101.80: syn 1350596827
17.395249 wan1 in 172.20.120.101.80 -> 172.20.120.13.2415: syn 927139461 ack 1350596828
17.395425 internal out 172.20.120.101.80 -> 192.168.1.110.2415: syn 927139461 ack 1350596828
17.395537 internal in 192.168.1.110.2415 -> 172.20.120.101.80: ack 927139462
17.395626 wan1 out 172.20.120.13.2415 -> 172.20.120.101.80: ack 927139462
17.406820 internal in 192.168.1.110.2416 -> 172.20.120.101.80: syn 1206067881
17.407038 wan1 out 172.20.120.13.2416 -> 172.20.120.101.80: syn 1206067881
17.407246 wan1 in 172.20.120.101.80 -> 172.20.120.13.2416: syn 921167482 ack 1206067882
17.407383 internal out 172.20.120.101.80 -> 192.168.1.110.2416: syn 921167482 ack 1206067882
17.407493 internal in 192.168.1.110.2416 -> 172.20.120.101.80: ack 921167483
17.407582 wan1 out 172.20.120.13.2416 -> 172.20.120.101.80: ack 921167483
2.872214 internal in 192.168.1.120.2483 -> 172.20.120.101.80: syn 543091999
2.872890 wan1 out 172.20.120.14.2483 -> 172.20.120.101.80: syn 543091999
2.873090 wan1 in 172.20.120.101.80 -> 172.20.120.14.2483: syn 868936759 ack 543092000
2.873263 internal out 172.20.120.101.80 -> 192.168.1.120.2483: syn 868936759 ack 543092000
2.873413 internal in 192.168.1.120.2483 -> 172.20.120.101.80: ack 868936760
2.873513 wan1 out 172.20.120.14.2483 -> 172.20.120.101.80: ack 868936760
The first six output lines show a session from IP address 192.168.1.110 where the source IP
address has been translated to 172.20.120.13. The source port remains unchanged at 2415.
The next six output lines also show a session from IP address 192.168.1.110 where the source IP
address has been translated to 172.20.120.13. The source port for this session was 2416 and
was also not changed.
The final six output lines show a session from IP address 192.168.1.120 where the source IP
address has been translated to 172.20.120.14. The source port for this session was 2483 and
was also not changed.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
If you can browse the web from the internal network, your configuration is successful. If you cannot,
try the steps described in Troubleshooting NAT/Route mode installations on page 24 to find the
problem.
[Figure: Central NAT table controlling source port translation. wan1 172.20.120.11, External IPs 172.20.120.13, 172.20.120.14, 172.20.120.15, internal host 192.168.1.99. Packet before NAT: src IP 192.168.1.[1-255], src port [3380-3400], dst IP 172.20.120.101, dst port 80. Packet after NAT: src IP 172.20.120.[13-15], src port [30000-30020], dst IP 172.20.120.101, dst port 80.]
Solution
The central NAT table provides full control over how source addresses and source ports are
translated and is the only solution when you want to control how source ports are translated. By
using the central NAT table, you can specify an incoming source address range and source port
range and specify how the source address and source ports are translated. This can be useful for
protocols that require a fixed source port or that require the source port be translated in a controlled
and predictable way.
In this example:
Packets with a source IP on the internal network and a source port in the range 3380 to 3400 will
have their source address translated to an address in the range 172.20.120.[13-15] and their
source ports translated to a port number in the range 30000 to 30020.
Packets with a source IP on the internal network and a source port in the range 1 to 3379 and
3401 to 65,535 will have their source address translated to the IP address of the FortiGate wan1
interface (172.20.120.11). This is the default source NAT behavior.
Go to Firewall Objects > Address > Address and select Create New to add the following firewall
address.
Name
Internal Network
Type
Subnet / IP Range
Subnet / IP Range
192.168.1.1 - 192.168.1.255
Interface
internal
Go to Firewall Objects > Virtual IP > IP Pool and select Create New to add the following IP
pool.
Name
Dynamic-Source
IP Range/Subnet
172.20.120.13-172.20.120.15
Go to System > Admin > Settings and under Display Options on GUI, make sure the Central
NAT Table option is selected.
Go to Policy > Policy > Central NAT Table and select Create New to add a central NAT table
entry.
Source Address
Internal Network
Translated Address
Dynamic-Source
3380 - 3400
Translated Port
30000 - 30020
Go to Policy > Policy > Policy and select Create New to add the following security policy that
allows users on the private network to access the Internet.
Source Interface/Zone
internal
Source Address
all
Destination Interface/Zone
wan1
Destination Address
all
Schedule
always
Service
ANY
Action
ACCEPT
Results
All packets accepted by this security policy from the internal network with source ports in the range
3380 to 3400 have their source IP addresses translated to one of the IP addresses in the IP pool
(172.20.120.[13-15]) and their source ports translated to a number in the range 30000 to 30020.
Packets with any other source port are handled according to the default source NAT behavior (if you
selected Use Destination Interface Address).
Test the configuration by browsing a website on the Internet from any IP address on the internal
network. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80' 4 8
interfaces=[any]
filters=[port 80]
5.117683 internal in 192.168.1.110.3364 -> 172.16.100.148.80: syn 3821216192
5.117980 wan1 out 172.20.120.11.40360 -> 172.16.100.148.80: syn 3821216192
5.177848 wan1 in 172.16.100.148.80 -> 172.20.120.11.40360: syn 1388291811 ack 3821216193
5.178020 internal out 172.16.100.148.80 -> 192.168.1.110.3364: syn 1388291811 ack 3821216193
5.178181 internal in 192.168.1.110.3364 -> 172.16.100.148.80: ack 1388291812
5.178297 wan1 out 172.20.120.11.40360 -> 172.16.100.148.80: ack 1388291812
6.950657 wan1 in 172.16.100.148.80 -> 172.20.120.11.40360: fin 1388326799 ack 3821216763
129.595427 internal in 192.168.1.110.3385 -> 172.20.120.101.80: syn 2385736674
129.595715 wan1 out 172.20.120.13.30005 -> 172.20.120.101.80: syn 2385736674
129.598782 wan1 in 172.20.120.101.80 -> 172.20.120.13.30005: syn 2238273308 ack 2385736675
129.598923 internal out 172.20.120.101.80 -> 192.168.1.110.3385: syn 2238273308 ack 2385736675
129.599054 internal in 192.168.1.110.3385 -> 172.20.120.101.80: ack 2238273309
129.599164 wan1 out 172.20.120.13.30005 -> 172.20.120.101.80: ack 2238273309
144.656912 wan1 in 172.20.120.101.80 -> 172.20.120.13.30005: fin 2238273938 ack 2385737098
144.657027 internal out 172.20.120.101.80 -> 192.168.1.110.3385: fin 2238273938 ack 2385737098
145.982513 internal in 192.168.1.110.3385 -> 172.20.120.101.80: fin 2385737098 ack 2238273939
145.982631 wan1 out 172.20.120.13.30005 -> 172.20.120.101.80: fin 2385737098 ack 2238273939
The first seven output lines show a session from IP address 192.168.1.110 with a source port of
3364. Since this source port is outside the range specified in the central NAT table entry (3380 to
3400), the source port has been translated to an arbitrary source port (in this case 40360) and the
source address has been translated to 172.20.120.11 (the IP address of the wan1 interface).
The next ten output lines show a session from IP address 192.168.1.110 with a source port of
3385. Since this source port is in the range specified in the central NAT table entry, the source port
has been translated to 30005, which is in the range specified in the central NAT table entry (30000
to 30020), and the source address has been translated to 172.20.120.13, one of the addresses in
the IP pool.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
If you can browse the web from the internal network, your configuration is successful. If you cannot,
try the steps described in Troubleshooting NAT/Route mode installations on page 24 to find the
problem.
Allowing access to a web server on an internal network when you only have one Internet IP address
[Figure: Destination NAT for sessions from the Internet to the web server. wan1 172.20.120.14, internal host 192.168.1.99. Packet from the Internet: src IP 172.20.120.12, src port [any], dst IP 172.20.120.14, dst port 80. Packet after NAT: src IP 172.20.120.12, src port [any], dst IP 192.168.1.110, dst port 80.]
Solution
In this basic DNAT example, to allow connections to the web server, you must configure the FortiGate
unit to accept HTTP sessions with a destination address of 172.20.120.14 and translate this
destination IP address to the IP address of the web server (192.168.1.110) before forwarding the
session to the internal network.
Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that
maps the wan1 interface IP address to the web server IP address.
Name
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.14-172.20.120.14
Mapped IP Address/Range
192.168.1.110-192.168.1.110
Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the
Internet to access the web server.
Source Interface/Zone
wan1
Source Address
all
Destination Interface/Zone
internal
Destination Address
Schedule
always
Service
HTTP
Action
ACCEPT
If you select NAT, the source address is changed to the internal interface address. Normally, you
would not want to perform source NAT since this has the effect of hiding the actual source address
of the sessions.
Results
All HTTP packets accepted by this security policy have their destination IP addresses translated from
172.20.120.14 to 192.168.1.110 before being forwarded to the Internal network where they are
received by the web server. The source IP address and source port are not changed.
As a result of this configuration, you cannot establish an administrative connection to the wan1
interface because all sessions with a destination address of the wan1 interface (172.20.120.14) are
accepted or denied by the security policy. This configuration is not recommended, especially if you
want to remotely administer your FortiGate unit from the wan1 interface. Instead, you should get
another Internet IP address for the web server and change the VIP to forward this address to the
web server.
Test destination NAT by browsing to http://172.20.120.14 from the Internet. The session passes
through the FortiGate unit to the web server which sends a response. Use the following packet sniffer
command to see the results.
diagnose sniffer packet any 'port 80' 4 4
interfaces=[any]
filters=[port 80]
6.150356 wan1 in 172.20.120.12.51439 -> 172.20.120.14.80: syn 15893888
6.150637 internal out 172.20.120.12.51439 -> 192.168.1.110.80: syn 15893888
6.150803 internal in 192.168.1.110.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
6.150974 wan1 out 172.20.120.14.80 -> 172.20.120.12.51439: syn 553485227 ack 15893889
The first output line shows a packet from a client device with IP address 172.20.120.12 was
received by the wan1 interface with destination address 172.20.120.14 and destination port 80.
The second output line shows that when the packet exits the internal interface the destination
address is changed to 192.168.1.110 and the destination port is still 80.
The third output line shows the response from the web server.
The fourth output line shows the response from the web server being returned to the client
device. The source address has been changed back to 172.20.120.14.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
Allowing Internet access to a web server on a protected network when you only have one Internet IP address, using port translation
[Figure: Destination NAT with port translation for sessions from the Internet to the web server. wan1 172.20.120.14, internal host 192.168.1.99. Packet from the Internet: src IP 172.20.120.12, src port [any], dst IP 172.20.120.14, dst port 8080. Packet after NAT: src IP 172.20.120.12, src port [any], dst IP 192.168.1.110, dst port 80.]
Solution
In this DNAT example, to allow connections to the web server you must configure the FortiGate unit
to accept HTTP sessions with a destination address of 172.20.120.14 and translate this destination
IP address to the IP address of the web server (192.168.1.110) before forwarding the session to the
internal network.
In addition, the web server accepts connections on the standard HTTP port (port 80), but you want
sessions from the Internet to the web server to use port 8080. The FortiGate unit must also translate
the destination port from 8080 to 80.
Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that
maps the wan1 interface IP address to the web server IP address and maps connections from
port 8080 to port 80.
Name
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.14-172.20.120.14
Mapped IP Address/Range
192.168.1.110-192.168.1.110
Select Port Forwarding and configure the following port forwarding settings:
Protocol
TCP
8080 - 8080
Map to Port
80 - 80
Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the
Internet to access the web server.
Source Interface/Zone
wan1
Source Address
all
Destination Interface/Zone
internal
Destination Address
Schedule
always
Service
HTTP
Action
ACCEPT
If you select NAT, the source address is changed to the internal interface address. Normally, you
would not want to perform source NAT since this has the effect of hiding the actual source address
of the sessions.
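The virtual IP and policy above, and the virtual IP without port forwarding in the preceding example, are configured from the web-based manager. The following is an added example (not the cookbook's own listing) of the equivalent FortiOS 4.0 MR3 CLI configuration for the port-translating case; for the earlier example without port translation, omit the four portforward lines. The VIP name Web-Server-8080 and the policy ID 2 are placeholders chosen for this example.

```fortios
# Added example, not the cookbook's own listing.
# "Web-Server-8080" and policy ID 2 are placeholder values.
config firewall vip
    edit "Web-Server-8080"
        set extintf "wan1"
        set extip 172.20.120.14
        set mappedip 192.168.1.110
        # translate destination port 8080 on the Internet side to 80 on the server;
        # omit these four lines to map port 80 to port 80 without port translation
        set portforward enable
        set protocol tcp
        set extport 8080
        set mappedport 80
    next
end

config firewall policy
    edit 2
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        # the VIP is the destination address; this is the value the GUI table leaves blank
        set dstaddr "Web-Server-8080"
        set action accept
        set schedule "always"
        set service "HTTP"
        # leave source NAT off so the web server logs the real client address
        set nat disable
    next
end
```

Keeping nat disabled on the inbound policy preserves the client's source address in the web server's logs, which matters for incident investigation; with NAT enabled every request would appear to come from the FortiGate's internal interface address.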
Results
All HTTP packets accepted by this security policy have their destination IP addresses translated from
172.20.120.14 to 192.168.1.110 and their destination port translated from 8080 to 80 before being
forwarded to the Internal network where they are received by the web server. The source IP address
and source port are not changed.
Even though the Service in the security policy is set to the predefined HTTP service, which would
normally match only packets on port 80, this configuration still accepts HTTP packets on port
8080.
Test destination NAT by browsing to http://172.20.120.14:8080. Use the following packet sniffer
command to see the results.
diagnose sniffer packet any 'port 80 or port 8080' 4 4
interfaces=[any]
filters=[port 80 or port 8080]
8.823058 wan1 in 172.20.120.12.52568 -> 172.20.120.14.8080: syn 2855697809
8.829146 internal out 172.20.120.12.52568 -> 192.168.1.110.80: syn 2855697809
8.829287 internal in 192.168.1.110.80 -> 172.20.120.12.52568: syn 2151198672 ack 2855697810
8.838931 wan1 out 172.20.120.14.8080 -> 172.20.120.12.52568: syn 2151198672 ack 2855697810
The first output line shows a packet from a client device with IP address 172.20.120.12 was
received by the wan1 interface with destination address 172.20.120.14 and destination port 8080.
The second output line shows that when the packet exits the internal interface the destination
address is changed to 192.168.1.110 and the destination port has been changed to 80.
The third output line shows the response from the web server.
The fourth output line shows the response from the web server being returned to the client
device. The source address has been changed back to 172.20.120.14 and the source port to
8080.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more information about current sessions. Other dashboard widgets display session
history, traffic history, and per-IP bandwidth usage.
Allowing Internet access to a web server on a protected network when you have an IP address for the web server
[Figure: Destination NAT for sessions from the Internet to the web server. Internet Web Server address 172.20.120.11, internal host 192.168.1.99. Packet from the Internet: src IP 172.20.120.12, src port [any], dst IP 172.20.120.11, dst port 80. Packet after NAT: src IP 172.20.120.12, src port [any], dst IP 192.168.1.110, dst port 80.]
Solution
In this DNAT example, to allow connections to the web server, you must configure the FortiGate unit
to accept HTTP sessions with a destination address 172.20.120.11 and translate this destination IP
address to 192.168.1.110 before forwarding the session to the web server.
Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that
maps the wan1 interface IP address to the web server IP address.
Name
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.11-172.20.120.11
Mapped IP Address/Range
192.168.1.110-192.168.1.110
Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the
Internet to access the web server.
Source Interface/Zone
wan1
Source Address
all
Destination Interface/Zone
internal
Destination Address
Schedule
always
Service
HTTP
Action
ACCEPT
If you select NAT, the source address is changed to the internal interface address. Normally, you
would not want to perform source NAT since this has the effect of hiding the actual source address
of the sessions.
Results
All HTTP packets accepted by this security policy have their destination IP addresses translated from
172.20.120.11 to 192.168.1.110 before being forwarded to the Internal network where they are
received by the web server. The source IP address and source port are not changed.
Test destination NAT by browsing to http://172.20.120.11 from the Internet. The session passes
through the FortiGate unit to the web server which sends a response. Use the following packet sniffer
command to see the results.
diagnose sniffer packet any 'port 80' 4
interfaces=[any]
filters=[port 80]
3.454327 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: syn 3420016827
3.458908 internal out 172.20.120.12.51526 -> 192.168.1.110.80: syn 3420016827
3.459044 internal in 192.168.1.110.80 -> 172.20.120.12.51526: syn 3323826862 ack 3420016828
3.468915 wan1 out 172.20.120.11.80 -> 172.20.120.12.51526: syn 3323826862 ack 3420016828
3.469133 wan1 in 172.20.120.12.51526 -> 172.20.120.11.80: ack 3323826863
3.469260 internal out 172.20.120.12.51526 -> 192.168.1.110.80: ack 3323826863
3.470322 internal in 192.168.1.110.80 -> 172.20.120.12.51526: psh 3323826863 ack 3420017308
3.470453 wan1 out 172.20.120.11.80 -> 172.20.120.12.51526: psh 3323826863 ack 3420017308
The first output line shows a packet from a client device with IP address 172.20.120.12 was
received by the wan1 interface with destination address 172.20.120.11 and destination port 80.
The second output line shows that when the packet exits the internal interface the destination
address is changed to 192.168.1.110 and the destination port is still 80.
The third output line shows the response from the web server.
The fourth output line shows the response from the web server being returned to the client
device. The source address has been changed back to 172.20.120.11.
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
Allowing the web server to connect to the Internet
You can add the following security policy to allow sessions from the web server to connect to the
Internet. (The web server might need to contact servers on the Internet for software updates, etc.)
Source Interface/Zone
internal
Source Address
all
Destination Interface/Zone
wan1
Destination Address
all
Schedule
always
Service
ANY
Action
ACCEPT
[Figure: Open TCP ports 7882-7999 and ports 2119, 2995 for traffic from the Internet to the server. wan1 172.20.120.14, internal host 192.168.1.99. Packet from the Internet: src IP 172.20.120.12, src port [any], dst IP 172.20.120.14, dst port 7882-7999, 2119, 2995. Packet after NAT: src IP 172.20.120.12, src port [any], dst IP 192.168.1.110, dst port 7882-7999, 2119, 2995.]
Solution
This DNAT example describes how to configure firewall VIPs to map the following sessions to the PC
on the internal network:
TCP sessions to the wan1 IP address with destination port in the range 7882 to 7999.
UDP sessions to the wan1 IP address with destination port 2119 or 2995.
The solution involves creating multiple VIPs that map sessions from the wan1 IP address to the PC IP
address and adding the VIPs to a VIP group and adding that VIP group to a wan1 to internal security
policy.
Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that
maps connections to the wan1 interface on ports 7882 to 7999 to the server.
Name
Server Port Range
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.14-172.20.120.14
Mapped IP Address/Range
192.168.1.110-192.168.1.110
Select Port Forwarding and configure the following port forwarding settings:
Protocol
TCP
7882 - 7999
Map to Port
7882 - 7999
Select Create New to add a virtual IP that maps connections to the wan1 interface on UDP port
2119 to the server.
Name
First UDP Port VIP
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.14-172.20.120.14
Mapped IP Address/Range
192.168.1.110-192.168.1.110
Select Port Forwarding and configure the following port forwarding settings:
Protocol
UDP
2119
Map to Port
2119
Select Create New to add a virtual IP that maps connections to the wan1 interface on UDP port
2995 to the server.
Name
Second UDP Port VIP
External Interface
wan1
Type
Static NAT
External IP Address/Range
172.20.120.14-172.20.120.14
Mapped IP Address/Range
192.168.1.110-192.168.1.110
Select Port Forwarding and configure the following port forwarding settings:
Protocol
UDP
2995
Map to Port
2995
Go to Firewall Objects > Virtual IP > VIP Group and select Create New to add a VIP Group that
Interface
wan1
Add Server Port Range, First UDP Port VIP, and Second UDP Port VIP to the Members list.
Go to Policy > Policy > Policy and select Create New to add a policy that accepts sessions for the
VIP Group.
Source Interface/Zone
wan1
Source Address
all
Destination Interface/Zone
internal
Destination Address
Schedule
always
Service
ANY
Action
ACCEPT
If you select NAT, the source address is changed to the internal interface address. Normally, you
would not want to perform source NAT since this has the effect of hiding the actual source address
of the sessions.
Results
All packets accepted by this security policy must have a destination port defined in one of the VIPs.
The VIPs also translate the destination IP address from 172.20.120.14 to 192.168.1.110 before the
packets are forwarded to the internal network, where they are received by the server. The
destination ports, source IP address, and source port are not changed.
Test the configuration by operating the service and using the packet sniffer to see the results. For
example, you could try the following command:
diagnose sniffer packet any 'port 7882' 4
interfaces=[any]
filters=[port 7882]
4.150689 wan1 in 172.20.120.12.56825 -> 172.20.120.14.7882: syn 2904689044
4.150936 internal out 172.20.120.12.56825 -> 192.168.1.110.7882: syn 2904689044
4.151102 internal in 192.168.1.110.7882 -> 172.20.120.12.56825: syn 1081214414 ack 2904689045
4.151258 wan1 out 172.20.120.14.7882 -> 172.20.120.12.56825: syn 1081214414 ack 2904689045
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more info about current sessions. Other dashboard widgets display session history, traffic
history, and per-IP bandwidth usage.
[Figure: Destination NAT for sessions from the Internet to the web servers. Internet Web Server addresses 172.20.120.100-103, internal host 192.168.1.99. Packet from the Internet: src IP 172.20.120.12, src port [any], dst IP 172.20.120.100-103, dst port 8000. Packet after NAT: src IP 172.20.120.12, src port [any], dst IP 192.168.1.120-123, dst port 80.]
Solution
To allow connections to the web servers, you must configure the FortiGate unit to accept HTTP
sessions with a destination address in the range 172.20.120.100-103 and translate this destination IP
address to 192.168.1.120-123 before forwarding the session to a web server.
In addition, the port used by each web server to accept HTTP connections is the standard HTTP port
80. But you want connections from the Internet to the web servers to use port 8000.
Go to Firewall Objects > Virtual IP > Virtual IP and select Create New to add a virtual IP that
maps the Internet IP addresses of the web servers to their actual internal network IP addresses.
Name
External Interface          wan1
Type                        Static NAT
External IP Address/Range   172.20.120.100-172.20.120.103
Mapped IP Address/Range     192.168.1.120-192.168.1.123
Select Port Forwarding and configure the following port forwarding settings:
Protocol                    TCP
                            8000 - 8000
Map to Port                 80 - 80
Go to Policy > Policy > Policy and select Create New to add a policy that allows users on the
Internet to access the web server.
Source Interface/Zone       wan1
Source Address              all
Destination Interface/Zone  internal
Destination Address
Schedule                    always
Service                     HTTP
Action                      ACCEPT
If you select NAT, the source address is changed to the internal interface address. Normally, you
would not want to perform source NAT here, since it has the effect of hiding the actual source address
of the sessions from the web servers.
Results
HTTP packets accepted by this security policy have their destination IP addresses translated as
follows:
172.20.120.100 to 192.168.1.120
172.20.120.101 to 192.168.1.121
172.20.120.102 to 192.168.1.122
172.20.120.103 to 192.168.1.123
In all cases the destination port is translated from 8000 to 80. The source IP address and source port
are not changed.
Test destination NAT by browsing from the Internet to http://172.20.120.100:8000 through
http://172.20.120.103:8000. Use the following packet sniffer command to see the results.
diagnose sniffer packet any 'port 80 or port 8000' 4
interfaces=[any]
filters=[port 80 or port 8000]
10.603074 wan1 in 172.20.120.12.57053 -> 172.20.120.100.8000: syn 3591312927
10.603312 internal out 172.20.120.12.57053 -> 192.168.1.120.80: syn 3591312927
10.603479 internal in 192.168.1.120.80 -> 172.20.120.12.57053: syn 3848795067 ack 3591312928
10.603635 wan1 out 172.20.120.100.8000 -> 172.20.120.12.57053: syn 3848795067 ack 3591312928
16.422671 wan1 in 172.20.120.12.57070 -> 172.20.120.102.8000: syn 1145994219
16.422927 internal out 172.20.120.12.57070 -> 192.168.1.122.80: syn 1145994219
16.423096 internal in 192.168.1.122.80 -> 172.20.120.12.57070: syn 3958945838 ack 1145994220
16.423264 wan1 out 172.20.120.102.8000 -> 172.20.120.12.57070: syn 3958945838 ack 1145994220
The first output line shows a packet from a client device with IP address 172.20.120.12 was
received by the wan1 interface with destination address 172.20.120.100 and destination port
8000.
The second output line shows that when the packet exits the internal interface the destination
address is changed to 192.168.1.120 and the destination port has been changed to 80.
The third output line shows the response from the web server.
The fourth output line shows the response from the web server being returned to the client
device. The source address has been changed back to 172.20.120.100 and the source port back
to 8000.
The original source port is not changed.
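Reading the sniffer output by eye works for a four-line handshake, but when a VIP covers a range of addresses it is easy to miss a translation that landed on the wrong mapped host. The script below is an added example, not code from the Cookbook: it models the static NAT VIP of this recipe (172.20.120.100-103:8000 on wan1 mapped to 192.168.1.120-123:80), parses verbosity-4 sniffer lines, and pairs each packet entering wan1 with the packet the same client session produces on the internal interface, reporting whether the destination was rewritten as the VIP prescribes while the client's source address and port were left untouched. The sample lines are constructed from the output above; StaticNatVip, parse_sniffer and check_dnat are names chosen for this example.

```python
"""Check destination NAT from FortiGate 'diagnose sniffer packet' output.

Added example, not code from the FortiGate Cookbook. StaticNatVip,
parse_sniffer and check_dnat are names chosen for this example.
"""
import ipaddress
import re

# Constructed sample: verbosity-4 sniffer lines modelled on the recipe output.
SAMPLE = """\
interfaces=[any]
filters=[port 80 or port 8000]
10.603074 wan1 in 172.20.120.12.57053 -> 172.20.120.100.8000: syn 3591312927
10.603312 internal out 172.20.120.12.57053 -> 192.168.1.120.80: syn 3591312927
10.603479 internal in 192.168.1.120.80 -> 172.20.120.12.57053: syn 3848795067 ack 3591312928
10.603635 wan1 out 172.20.120.100.8000 -> 172.20.120.12.57053: syn 3848795067 ack 3591312928
16.422671 wan1 in 172.20.120.12.57070 -> 172.20.120.102.8000: syn 1145994219
16.422927 internal out 172.20.120.12.57070 -> 192.168.1.122.80: syn 1145994219
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>.*)$"
)


def parse_sniffer(text):
    """Parse verbosity-4 sniffer lines into dicts; header lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            packets.append(p)
    return packets


class StaticNatVip:
    """A static NAT virtual IP with port forwarding (external range -> mapped range)."""

    def __init__(self, extintf, ext_first, ext_last, mapped_first, extport, mappedport):
        self.extintf = extintf
        self.ext_first = int(ipaddress.IPv4Address(ext_first))
        self.ext_last = int(ipaddress.IPv4Address(ext_last))
        self.mapped_first = int(ipaddress.IPv4Address(mapped_first))
        self.extport = extport
        self.mappedport = mappedport

    def translate(self, ext_ip, ext_port):
        """Return (mapped_ip, mapped_port) for a packet addressed to the VIP, else None."""
        n = int(ipaddress.IPv4Address(ext_ip))
        if ext_port != self.extport or not self.ext_first <= n <= self.ext_last:
            return None
        mapped = ipaddress.IPv4Address(self.mapped_first + (n - self.ext_first))
        return str(mapped), self.mappedport


def check_dnat(packets, vip, internal_intf="internal"):
    """For every packet entering the VIP's external interface, find the next packet
    leaving the internal interface for the same client (src IP and port) and compare
    its destination with what the VIP should have produced.
    Returns a list of (client, expected, observed, ok) tuples."""
    results = []
    for i, p in enumerate(packets):
        if p["intf"] != vip.extintf or p["dir"] != "in":
            continue
        expected = vip.translate(p["dst"], p["dport"])
        if expected is None:
            continue  # not addressed to this VIP
        observed = None
        for q in packets[i + 1:]:
            if (q["intf"] == internal_intf and q["dir"] == "out"
                    and q["src"] == p["src"] and q["sport"] == p["sport"]):
                observed = (q["dst"], q["dport"])  # source untouched, destination rewritten
                break
        results.append(((p["src"], p["sport"]), expected, observed, expected == observed))
    return results


if __name__ == "__main__":
    vip = StaticNatVip("wan1", "172.20.120.100", "172.20.120.103", "192.168.1.120", 8000, 80)
    for client, expected, observed, ok in check_dnat(parse_sniffer(SAMPLE), vip):
        print(client, "expected", expected, "observed", observed, "OK" if ok else "MISMATCH")
```

Feed it the saved output of the sniffer command above (any line that does not look like a packet line is ignored); a MISMATCH with observed None means the packet entered wan1 but never left internal for that client, which usually points at the security policy rather than the VIP.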
Go to Policy > Policy > Policy and check the Count column for the security policy you added to
verify that it is processing traffic.
Go to Policy > Monitor > Session Monitor to view the sessions being processed by the FortiGate
unit. You can also see results by going to Policy > Monitor > Policy Monitor to view a graph of
active sessions for each policy. Since there is only one policy, that graph contains only one entry. You
can select the bar graph for the policy to view the top sessions by source address, destination
address, or destination port/service.
The Top Sessions dashboard widget presents another view of sessions that you can also drill down
into to get more information about current sessions. Other dashboard widgets display session
history, traffic history, and per-IP bandwidth usage.
FortiOS Cookbook
UTM Profiles
UTM profiles, including antivirus, web filtering, application control, intrusion protection (IPS),
email filtering, and data leak prevention (DLP) apply core UTM security functions to traffic
accepted by security policies. The FortiGate unit comes pre-configured with default UTM profiles for
all of these security features, and you can apply UTM features to traffic accepted by a security policy
by selecting the default profiles for the UTM features that you want to apply.
You can also create UTM profile groups to group together sets of UTM profiles to further simplify
adding UTM features to security policies.
The default profiles are designed to provide basic protection. You can modify the default profiles for
your needs or create new ones. Creating multiple profiles means you can apply different levels of
protection to different traffic types according to the security policies that accept the traffic.
In addition to the basic set of UTM profiles, the FortiGate unit includes specialized profiles for
protecting SIP and SCCP VoIP traffic and offloading additional security functions using ICAP.
Endpoint control profiles are created to ensure that workstation computers (also known as
endpoints) on your network meet the network's security requirements; otherwise, they are not
permitted access. Enhanced by Fortinet's FortiClient Endpoint Security software, FortiGate endpoint
control can block or control access through the FortiGate unit for workstation computers depending
on the security functions enabled on the computers and the applications running on them. After
creating endpoint control profiles, you can add endpoint security profiles to security policies.
The final UTM profile feature, vulnerability scanning, is independent of security policies. By using
vulnerability scanning, you can scan computers on your network for multiple vulnerabilities, and take
action to remove those vulnerabilities.
This chapter includes the following UTM examples:
Prevent offensive search results in Google, Bing and Yahoo search engines
Blocking all web sites except those you specify using a whitelist
Using the FortiGate vulnerability scanner to check your network for vulnerabilities
[Figure: Internal network protected by the FortiGate unit; threats shown: Virus, Malware, Spyware]
Solution
Configure your FortiGate unit to scan all Internet traffic for viruses and other malware and, if a virus is
found, remove or block the file containing it.
FortiGate units are shipped with a default antivirus profile, so all you have to do to enable virus
scanning is add UTM antivirus scanning to the security policies that accept connections to the Internet.
Go to Policy > Policy > Policy and Edit a security policy that allows access to the Internet.
Select OK.
All traffic accepted by this security policy will now be scanned for viruses. You can repeat these steps
for all security policies that allow access to the Internet or a high-risk network.
Results
You can test virus scanning by downloading the EICAR Anti-Malware test file from
http://www.eicar.org. If you attempt to download the EICAR test file using a web browser and the
session is accepted by a security policy with virus scanning enabled, the file is blocked and a
message similar to the following should appear in your browser:
You can also test virus scanning by attaching a virus test file to an email message that you send
through the FortiGate unit to the Internet.
You can verify the virus scanning results by going to UTM Profiles > Monitor > AV Monitor. The
following shows the EICAR test file detected three times.
You can drill down to display the FortiGuard Center page for the virus that was detected.
The Log and Archive Statistics dashboard widget also displays information about viruses caught,
including details about the date and time on which the virus was detected, the source and destination
address of the session in which the virus was caught, and the service.
Finally, when the file is removed from the email it's replaced with a message similar to the following:
Dangerous Attachment has been Removed. The file "eicar.com" has been removed because of a virus.
It was infected with the "EICAR_TEST_FILE" virus. File quarantined as:
""."http://www.fortinet.com/ve?vid=2172"
You can customize this message by going to System > Config > Replacement
Message > Mail > Virus Message. The default message specifies that the file is
quarantined. If you have not configured quarantine, you can remove this part of the
message.
[Figure: Internal network protected by the FortiGate unit; threat shown: Greyware]
Solution
Enable greyware scanning.
By enabling greyware detection, all security policies with antivirus protection will also detect
greyware. If you have configured your FortiGate unit to protect your network against viruses, enabling
greyware protection allows your FortiGate unit to scan for greyware threats as well.
Results
With greyware detection enabled, all traffic scanned for viruses is also scanned for greyware.
Greyware scanning works in parallel with antivirus scanning. To protect against greyware, ensure
the security policy allowing the traffic to be protected has an antivirus profile active in which
antivirus scanning is enabled. If traffic is not scanned for viruses, it is not scanned for greyware,
even if greyware detection is enabled.
[Figure: Internal network protected by the FortiGate unit using the Extreme virus database; threats shown: Virus, Malware, Legacy Virus, Spyware]
Solution
Configure your FortiGate unit to use the Extreme Virus Database by entering these CLI commands.
config antivirus settings
set default-db extreme
end
In addition to the signatures of current common viruses, the Extreme Virus Database contains
signatures of all the viruses detected by the FortiGuard Antivirus Service.
If your FortiGate unit does not offer the Extreme Virus Database, select the Extended Virus Database.
The extended database contains the signatures of current common viruses and a large library of
older viruses that are no longer common.
While larger AV databases can detect more viruses, they also require more resources. For regular
virus protection, use the normal virus database. If you choose a more capable database for all AV
scanning, and your FortiGate unit frequently enters conserve mode, you may need to consider
measures to save system memory.
Only some FortiGate units support all the AV databases. Other FortiGate units offer a subset
from which you may choose. All FortiGate units have the Regular Virus Database, which includes all
the viruses currently detected on the Internet.
Results
Manually force a virus database update to ensure the database is current.
Check the recent log entries for one that begins with Fortigate update now. This indicates a
manually triggered update.
If the log entry timestamp matches when you triggered the manual update, the virus database was
updated successfully.
If the update does not occur, ensure that you have an antivirus profile in which antivirus scanning is
enabled and selected in a security policy. If no antivirus scanning is enabled, no antivirus databases
are updated.
[Figure: Internal network and FortiGate unit]
Solution
Use the uncompsizelimit CLI command to change the maximum uncompressed file size that the
antivirus service will scan.
In this example, the antivirus service is configured to scan uncompressed files up to 15 MB in size.
config antivirus service http
set uncompsizelimit 15
end
The size limit can be set for FTP, HTTP, IM, IMAP, NNTP, POP3, and SMTP traffic. If your FortiGate
unit supports encrypted content inspection, you can also set the size limit for FTPS, HTTPS, IMAPS,
POP3S, and SMTPS traffic.
Archive files, such as ZIP and RAR, are extracted and the contents are scanned for viruses. The
total size of all the contents of an archive must be smaller than the uncompsizelimit for the archive
contents to be scanned for viruses.
The default value is 10 MB. The maximum size varies by FortiGate model. To determine the limit for
your model, enter:
config antivirus service http
set uncompsizelimit ?
The result is a brief description of the command and the acceptable range. For example:
<value> max uncompressed size to scan (1-547MB or use 0 for unlimited)
Results
The FortiGate antivirus scanner will examine any file smaller than the size limit you set. For archives,
the extracted contents must total a size smaller than the limit to be scanned.
If you increase the size limit, you may be more likely to push the FortiGate unit into conserve mode
because each simultaneous download has the potential to make a greater demand on the available
memory.
[Figure: Internal network and FortiGate unit]
Solution
Configure the protocol options to block files larger than the FortiGate is configured to cache.
This procedure applies only to proxy-based scanning. Flow-based scanning has no maximum file
size limits.
If you have used the uncompsizelimit CLI command to change the maximum scan size,
change the Threshold value to match the setting you used. The default value for all FortiGate
models is 10 MB.
All the protocols have default values of Pass and 10 MB. Change the settings for each protocol as
required.
Results
If you leave the Threshold setting at 10 MB and set the Oversized File/Email action to Block, any
attempt to download a file larger than 10 MB is blocked. The FortiGate unit displays a replacement
message explaining why the attempt failed.
Each supported content protocol can be configured separately. You can set some to Block and
others Pass, and each can have a different threshold.
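The two limits described in this recipe and the uncompsizelimit recipe before it interact in a way that is easy to get wrong: an archive can be small on the wire and still expand past what the scanner is allowed to examine. The script below is an added example, not FortiGate code, that models both settings together. It reads the declared uncompressed sizes from a ZIP archive's central directory (so the check costs nothing to run on a suspicious download) and applies a Threshold with a Pass or Block oversized action. ScanPolicy, decide, make_zip and archive_uncompressed_size are names chosen here; the 10 MB defaults are the recipe's own. The model treats an archive whose contents exceed uncompsizelimit like any other oversized file, which is a simplifying assumption of this example rather than a statement of the exact FortiOS behaviour.

```python
"""Model of the antivirus size limits from the two recipes above: uncompsizelimit
(0 meaning unlimited) and the protocol options Threshold / Oversized File action.

Added example, not FortiGate code. ScanPolicy, decide, make_zip and
archive_uncompressed_size are names chosen for this example.
"""
import io
import zipfile

MB = 1024 * 1024


class ScanPolicy:
    """Per-protocol limits, as set with 'set uncompsizelimit' and the protocol options."""

    def __init__(self, uncompsizelimit_mb=10, threshold_mb=10, oversized_action="pass"):
        self.uncompsizelimit = uncompsizelimit_mb * MB   # 0 = unlimited
        self.threshold = threshold_mb * MB
        self.oversized_action = oversized_action          # "pass" or "block"


def make_zip(members):
    """Build a ZIP archive in memory from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def archive_uncompressed_size(data):
    """Sum of the members' declared uncompressed sizes, read from the central
    directory without extracting anything. None if data is not a ZIP archive."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())


def decide(data, policy):
    """Outcome for one downloaded file as (action, reason).

    action is 'scan', or the configured Oversized File action ('pass'/'block')
    when the file cannot be scanned. Assumption of this model: an archive whose
    extracted contents would exceed uncompsizelimit is handled like any other
    oversized file, which is why the recipe keeps Threshold equal to it.
    """
    if len(data) > policy.threshold:
        return policy.oversized_action, "file size over threshold"
    total = archive_uncompressed_size(data)
    if total is not None and policy.uncompsizelimit and total > policy.uncompsizelimit:
        return policy.oversized_action, "archive contents over uncompsizelimit"
    return "scan", "within limits"


if __name__ == "__main__":
    # A small archive that expands to 12 MB: far under the 10 MB threshold on the
    # wire, but over the default uncompsizelimit once extracted.
    bomb = make_zip({"zeros.bin": b"\0" * (12 * MB)})
    print(len(bomb), "bytes on the wire,", archive_uncompressed_size(bomb), "bytes uncompressed")
    print("default policy (Pass, 10 MB):", decide(bomb, ScanPolicy()))
    print("raised to 15 MB, Block:      ", decide(bomb, ScanPolicy(15, 15, "block")))
```

With the defaults the expanding archive is passed unscanned, which is the situation the recipe's Block action is meant to close; raising both limits to 15 MB makes the same archive scannable, at the memory cost the recipe warns about.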
[Figure: Internal network protected by the FortiGate unit against attacks]
Solution
Enable flow-based antivirus scanning, web filtering, and DLP.
In addition to faster scanning, flow-based scanning can save considerable resources. Flow-based
scans examine files as they pass through while proxy-based scans require that files are cached as
they come in and examined once complete. Caching files takes more memory and system
resources.
Flow-based scanning is an ideal solution to ease the memory requirements of some UTM scans,
but it can be difficult to achieve. The problem is that if any proxy-based scan is active, files are
cached. For example, if you configure antivirus and DLP to use flow-based scanning, and leave
web filtering as a proxy-based scan, no memory is saved.
Even if your FortiGate unit is configured so that flow-based scanning does not save memory, there
is an advantage to using it. Should your FortiGate unit approach its memory or session limits, it will
enter conserve mode. Conserve mode stops all proxy-based scans on new connections until the
FortiGate unit leaves conserve mode. UTM features using flow-based scans will continue to protect
network traffic without interruption.
Select the Flow-based inspection mode. Note that flow-based scanning is not available on all
FortiGate units.
Select Apply.
The inspection mode setting affects only the profile in which it is changed. If you use multiple profiles
and want all antivirus scanning to be flow-based, you must change the inspection mode setting in all
your antivirus profiles.
Flow-based antivirus scanning is used to examine network traffic instead of the default proxy-based
scan. Files will be checked as they flow through the FortiGate unit, rather than being buffered and
examined whole.
Advantages of flow-based antivirus scanning include faster scanning, lower memory requirements,
and no file size limitation. Clients also begin receiving download file data immediately. Disadvantages
include no detection of polymorphic and self-cloaking viruses, support for fewer file archive formats,
and no replacement messages.
Enable flow-based web filtering
Select Apply.
Flow-based scanning does not support web content filtering. If you use flow-based web filtering
and enable web content filtering, the FortiGate will use proxy-based scanning for web content
filtering and flow-based scanning for other web filtering.
Flow-based web filtering is used to filter web traffic instead of the default proxy-based scan. Files will
be checked as they flow through the FortiGate unit, rather than being buffered and examined whole.
Advantages of flow-based web filtering include faster scanning, lower memory requirements,
and no file size limitation. Clients also begin receiving download file data immediately. Disadvantages
include support for fewer file archive formats and no support for web content filtering, meaning that
both flow-based and proxy-based scanning operate when web filtering is configured for flow-based
scanning and web content filtering is enabled.
Enable flow-based DLP
Select Apply.
Advantages of flow-based DLP include faster scanning, lower memory requirements,
and no file size limitation. Clients also begin receiving download file data immediately. Disadvantages
include no detection of polymorphic and self-cloaking viruses and support for fewer file archive
formats.
[Figure: Internal network and FortiGate unit]
Solution
Watch the video: http://docs.fortinet.com/cb/utm1.html
FortiGuard web filtering assigns web sites into nearly 100 categories. The categories are organized
into six major groups. You can configure web filter profiles to allow, block, monitor, warn, or require
authentication for categories and category groups as required by your network.
In this example, configure a web filter to block the Bandwidth Consuming category group.
Go to UTM Profiles > Web Filter > Profile and enable FortiGuard Categories.
Select the Block action for Change Action for Selected Categories to and select Apply.
If you have multiple security policies that allow Internet access, make these same changes to each of
them.
Results
Users will not be able to visit web sites belonging to the categories within the Bandwidth
Consuming category group. When attempting to visit these web sites, users will be presented with a
replacement message explaining that visiting the site violates the Internet usage policy.
You can customize replacement messages by going to System > Config >
Replacement Message, selecting the feature, the replacement message to be customized, and
selecting Edit.
[Figure: Internal network and FortiGate unit]
Solution
Configure FortiGuard web filtering to use the Authenticate action rather than Block. Put the users
who need to override the restriction into a user group and specify it in the web filter profile. When a
user attempts to visit a restricted site, they will be asked for their username and password. Those in
the user group will be allowed access after providing their credentials while the others will be
blocked.
This example allows the users Sally and Roger to override the restriction on the Potentially Liable
category group.
Create the users and the user group
Go to User > User Group > User Group and select Create New.
Enter Web filter override users for the user group name.
Select Sally from the Available Users window and select the right arrow icon to move them to
the Members window.
Select the Authenticate action for Change Action for Selected Categories to.
Select the Web filter override users group and select the right arrow icon to move the group to
the Selected User Groups window.
Select OK.
If you have multiple security policies that allow Internet access, make these same changes to each of
them.
Results
Browse to a proxy web site such as proxy.org. Before being allowed access, you are asked for a
username and password. If you provide credentials for a user in the user group applied to the web
filter profile, you are allowed access to the site. Further, once you provide a valid username and
password, you will be able to browse any sites in the category group before having to authenticate
again. If you do not have a valid username and password, you are denied access to any web site in
the category group.
This test involves proxy.org because it is classified as Proxy Avoidance, part of the Potentially
Liable category group. Any site in a classification that is part of the Potentially Liable category
group will function in exactly the same way with this configuration.
Prevent offensive search results in Google, Bing and Yahoo search engines
[Figure: Internal network and FortiGate unit]
Solution
Configure the default web filter to block offensive search results.
Select Apply.
Select the default web filter in the security policy that allows Internet access.
Enable UTM and Web Filter, and select the profile named default.
If you have multiple security policies that allow Internet access, make these same changes to each of
them.
Results
Google, Yahoo, and Bing search results will no longer contain offensive sites.
[Figure: Internal network and FortiGate unit]
Solution
The FortiGuard Centre web site offers a web-based URL lookup.
Go to http://www.fortiguard.com/tools/url_lookup.html
Enter the URL in the first field, enter the displayed code in the second field, and select Search.
Results
The page is refreshed, listing the category of the URL you entered.
The lookup may also show a classification. The classification is not used by FortiOS 4.0 MR3
firmware and is included for those still using older firmware versions in which it is supported.
If a URL hasn't been categorized, or if you feel the categorization is incorrect, you can submit the
URL to the FortiGuard team and suggest a category.
Choose the category you feel best represents the URL and select Submit.
When a web site contains elements in different categories, web pages on the site are categorized
according to their contents. A web page will be assigned to only one category, but the web pages
at a single URL may not all share the same category.
[Figure: Internal network and FortiGate unit]
Solution
Watch the video: http://docs.fortinet.com/cb/utm2.html
Use web filtering to log every site that anyone on your network visits.
Go to UTM Profiles > Web Filter > Profile to configure the default web filter profile.
Select Monitor from the Change Action for Selected Categories to drop-down menu.
Select Apply.
With these changes, all allowed categories are monitored. Access to the categories is allowed, but
the monitor action also logs visits to the sites.
To use this profile, you must select it in the security policies that allow users on your network to visit
web sites.
Go to Policy > Policy > Policy and select the security policy that allows your users to visit web
sites.
Select Edit.
Enable UTM.
Select OK.
If you have multiple security policies that allow users to visit web sites, follow these steps for each of
them.
Results
The web sites your users visit will be recorded in the UTM log. The default settings of the UTM log
page do not display the URLs. Configure the log settings to display URLs.
Choose Hostname in the left column and select the right arrow button to move it to the right
column.
Choose URL in the left column and select the right arrow button to move it to the right column.
Select OK.
When you view the UTM log, the Hostname column will display the domain name of the site, and the URL
column will display the path of the file accessed on the host.
[Figure: Internal network and FortiGate unit]
Solution
Use FortiGuard web filtering to block web proxies.
In the FortiGuard Categories window, expand the Potentially Liable category group and select
Proxy Avoidance.
For the Change Action for Selected Categories to setting, select the Block action and choose
Apply.
Go to Policy > Policy > Policy and in the policies that allow access to the Internet, enable UTM
and Web Filter, and then select the web filter profile named default.
Select OK.
Results
After configuring the web filter to block the Proxy Avoidance category, go to the proxy.org web site. If
the web filter is configured correctly, any attempt to visit proxy.org will be blocked. Although the web
site itself is not a proxy, it maintains a large list of proxies and is, therefore, categorized as a proxy
avoidance site.
Reporting proxy sites
If you discover a proxy that isn't correctly categorized, go to
http://www.fortiguard.com/tools/url_lookup.html and use the URL lookup to check the assigned
category. If it is incorrect, or not categorized, submit the URL with a suggested category. The
FortiGuard web filter team will review the site categorization, usually within 24 hours.
[Figure: Internal network and FortiGate unit]
Solution
Configure FortiGuard web filter to block sites that offer streaming media.
Expand the Bandwidth Consuming FortiGuard Category and select the Streaming Media and
Download and Internet Radio and TV categories.
Select Apply.
Verify that UTM and Web Filtering are enabled in the security policies that allow access to the
Internet.
Results
After making these configuration changes, visit http://www.youtube.com. The FortiGate unit prevents
you from visiting the site, so you cannot view any streaming video.
[Figure: Internal network and FortiGate unit]
Solution
Create a web filter profile that blocks access to those web sites you specify. In this example, users
will be blocked from visiting fortinet.com.
Create the web filter profile
Go to UTM Profiles > Web Filter > URL Filter and select Create New.
Name the new URL filter list Block List and select OK.
Select Create New to create a list entry that blocks access to any web site with a domain name
ending in fortinet.com.
URL         *fortinet.com
Type        Wildcard
Action      Block
Enable      Checked
Select OK.
Select Apply.
If you have multiple security policies that allow Internet access, make these same changes to each of
them.
Results
In this example configuration, you can visit web sites normally but all web access to any domain
ending in fortinet.com is blocked. Visit http://fortinet.com after completing the configuration above to
see the result.
Add more list entries to Block List to block access to other web sites as required.
Blocking all web sites except those you specify using a whitelist
[Figure: Internal network and FortiGate unit]
Solution
Watch the video: http://docs.fortinet.com/cb/utm3.html
Create a web filter profile that blocks all sites except those you explicitly allow. In this example, users
will be blocked from all sites except fortinet.com. You can do this by making a URL filter that has an
entry that blocks all sites, and entries that allow individual sites. Ensure the entry that blocks all sites
is the last entry in the URL filter list.
Go to UTM Profiles > Web Filter > URL Filter and select Create New.
Name the new URL filter list White List and select OK.
Select Create New to create a new list entry that blocks all web access.
URL
Type        Wildcard
Action      Block
Enable      Checked
Select OK.
Select Create New to create another new list entry that allows access to any web site with a
domain name ending in fortinet.com.
URL         *fortinet.com
Type        Wildcard
Action      Allow
Enable      Checked
The list entries are processed from top to bottom. Since the block entry is first, all sites will be
blocked regardless of any following items that allow sites. To fix this problem, move the entries
allowing access above the block entry. The entry blocking all sites should always be last.
Select the check box in the first column of the *fortinet.com entry.
Move to     Before
URL
Select OK.
Enable Web Filter URL and select White List from the list.
Select Apply.
If you have multiple security policies that allow Internet access, make these same changes to each of
them.
Results
In this example configuration, you can view fortinet.com and go anywhere on the site, but all other
web sites are blocked.
URL filtering uses a black list approach. That is, all sites are allowed, except those that are blocked.
Adding an entry that blocks all sites reverses this behavior. All sites are blocked except those that
you add to the top of the list and allow access to.
[Figure: Internal network and FortiGate unit]
Solution
Configure FortiGuard web filtering to check IP addresses as well as domain names. This will prevent
users from bypassing FortiGuard web filtering by using IP addresses to access web sites.
Go to UTM Profiles > Web Filter > Profile and expand Advanced Filter.
Results
The FortiGate unit submits IP addresses to the FortiGuard service just as it submits domain names
when FortiGuard web filtering is enabled. If a site is part of a blocked category, the users will get the
same result whether they use the site domain name or IP address when they visit.
FortiGuard Web Filter ratings for IP addresses are not updated as quickly as ratings for URLs. This
can sometimes temporarily cause the FortiGate unit to allow access to sites that should be
blocked, or to block sites that should be allowed.
Test the configuration by blocking access to fortinet.com and then attempting to access it using the
site's IP address.
Configure FortiGuard web filtering to block access to the Information Technology category which is
part of the General Interest - Business category group. Browse to http://www.fortinet.com/ and
confirm that you are not allowed access.
[ping output: the five individual reply lines were not recovered]
--- fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 92.7/93.3/94.7 ms
Browse to http://66.171.121.34/ and if your attempt is blocked, you have verified that FortiGuard web
filtering is checking IP addresses in addition to domain names.
[Figure: Internal network and FortiGate unit]
Solution
Configure FortiGuard web filtering to check images themselves as well as domain names.
This will prevent users from bypassing FortiGuard web filtering by loading images directly. Since
images are rated on their own, an image in a blocked category is blocked even if it is part of
an allowed web site.
Go to UTM Profiles > Web Filter > Profile and expand Advanced Filter.
Enable Rate Images by URL (Blocked images will be replaced with blanks) and select Apply.
Results
With this feature active, the FortiGate unit submits image addresses to the FortiGuard service just as
it submits site addresses when FortiGuard web filtering is enabled. If an image is part of a blocked
category, users will not be permitted to view it whether they access it directly, or as part of a site in an
allowed category. If a blocked image is part of an allowed web site, the user is able to visit the web
site, but the image is replaced by a placeholder.
[Figure: Internal network and FortiGate unit]
Solution
Configure your FortiGate unit to consider the FortiGuard web filter category of the redirect
destination, and act accordingly.
Web sites can use HTTP redirects to seamlessly move users to other web pages or web sites. By
default, the FortiGate unit does not check the FortiGuard web filter rating of the destination.
Results
When a user is redirected, the FortiGate unit checks the category of the destination before allowing
access to the web page. If the category is blocked, the user is denied access to the web page and
presented with a replacement message.
[Figure: Internal network and FortiGate unit]
Solution
Find the security policies that process the most data and add the application control sensor named
default to them. Use the application monitor to view a graph of the 10 applications using the most
bandwidth.
Go to Policy > Policy > Policy and check the Count column to find security policies that process
large amounts of data.
Edit each of these policies, enable UTM and Application Control, and select the application
control sensor named default.
If the application monitor does not show any information, verify that the security policies are
processing traffic by viewing the Count column in the policy list. If the count is increasing the policy
is processing traffic. You can also view policy usage from Policy > Monitor > Policy Monitor.
Results
Go to UTM Profiles > Monitor > Application Monitor to view a graph that shows the 10 applications
that are currently using the most data. The graph displays date and time on which data collection
started. You can reset the graph to restart data collection. You can select Refresh to update the data
displayed by the graph.
You can drill down into any bar on the graph to display the source and destination addresses or
names of the hosts that used the application. If the user authenticated you can also display the name
of the user that used the application.
The application monitor shows the results for all traffic being monitored by application control. You
can monitor selected traffic by only adding application control monitoring to selected security
policies. You can monitor all traffic by adding application control monitoring to all security policies.
Diagram: Internal network protected by a FortiGate unit.
Solution
Configure application control to block instant messaging:
Confirm that the Action is set to Block, and then select OK.
Ensure that UTM and Application Control are enabled in the security policies that allow access
to the Internet.
Results
Open any recognized instant messaging client and attempt to log in to the IM service. Your attempt is
blocked. Users can run any instant messaging clients they may have installed, but the FortiGate unit
will not allow them to log in to IM services.
Users already logged in when you make this change may continue their IM session uninterrupted
because only logging in to instant messaging services is blocked.
You can view the instant messaging clients the FortiGate unit recognizes by filtering the application
list by the IM category so that it displays only IM applications.
Diagram: Internal network protected by a FortiGate unit.
Solution
Configure the default application control sensor to block access to social media web sites.
1. Go to UTM > Application Control > Application Sensor and select Create New.
2. Ensure that UTM and Application Control are enabled in the security policies that allow access
to the Internet.
Results
Users will not be able to access social media web sites. To confirm this, open a web browser and visit
facebook.com. Instead of the Facebook web site, you are presented with a replacement message
explaining that the site is blocked.
There are many subcategories in the web category. Other combinations of selections may better
suit your needs. Choose other subcategories and view the resulting sites in the
Applications/Settings window.
Diagram: Internal network protected by a FortiGate unit.
Solution
Configure the default application control sensor to block peer-to-peer sharing.
1. Go to UTM > Application Control > Application Sensor and select Create New.
2. Select OK.
Select the default application control sensor in the security policy that allows Internet access.
1. Enable UTM and Application Control, and select the application sensor named default.
If you have multiple security policies that allow Internet access, make these same changes to each of
them.
Results
Users cannot use P2P transfers to share files in traffic controlled by the security policies that
incorporate the default application sensor.
You can view which P2P protocols are blocked from the Application List.
1. Filter the list by the P2P category and select OK.
The application list displays only the items in the P2P category. These are the blocked items. The
Category heading filter is highlighted to indicate an active filter.
As applications are added to the application list by FortiGuard updates, new items in the P2P
category are automatically included in your sensor.
Diagram: Internal Network and Web Server on separate ports (Port 1, Port 2) of the FortiGate unit running IPS; External network on the Internet side.
Solution
Since web servers must be accessible, protection is not as simple as blocking access. This example
uses IPS to protect a web server by placing the web server on a separate internal network and
creating a security policy that allows web access from the Internet to the server. IPS is added to the
policy to protect the server from attacks. Since the web server is running Apache under Linux, IPS is
configured to detect and block known Apache and Linux attacks.
Create a new IPS sensor
1. Go to UTM Profiles > Intrusion Protection > IPS Sensor and select Create New.
2. Select OK.
The new IPS sensor is created but it has no filters, and therefore no signatures are included.
Create the Linux Server filter
1. Go to UTM Profiles > Intrusion Protection > IPS Sensor and select the web-server IPS sensor.
2. Select Create New to add a filter with these settings:
   Name: Linux Server
   Severity: All
   Target: server
   OS: Linux
   Protocol: All
   Application: All
   Tags: All
3. Select OK.
The filter is saved and the IPS sensor page reappears. In the filter list, find the Linux Server filter
and look at the value in the Matched Signatures column. This shows how many signatures match
the current filter settings. You can select the filter and then the View Rules icon to see a listing of the
included signatures.
The web server software is Apache, so you need to create a second filter for all Apache signatures.
Create the Apache filter
1. Select Create New to add a second filter with these settings:
   Severity: All
   Target: server
   OS: Linux
   Protocol: All
   Application: Apache
   Tags: All
2. Select OK.
It might seem that you can skip a step and create one filter that specifies both Linux server and
Apache signatures. However, that single filter would match a smaller number of signatures, because
only signatures tagged with both attributes would be included. It would not include signatures that
detect attacks against the operating system directly, for example.
Add the IPS sensor to the security policy that allows access from the Internet to the web
server
1. Go to Policy > Policy > Policy and Edit the security policy that allows access from the Internet to
the web server.
2. Select UTM.
Results
The web_server IPS sensor examines the web server traffic for matches to the signatures it contains.
Diagram: Attacks from the Internet against the internal network, stopped at the FortiGate unit.
Solution
Disable the IPS fail-open behavior by entering this CLI command:
config ips global
set fail-open disable
end
Results
Under normal circumstances, changing the IPS fail-open setting does not change how your FortiGate
unit behaves. In the unlikely event that the IPS scanner fails, however, all traffic controlled by security
policies with IPS scanning is blocked until the IPS scanner is working again.
Traffic controlled by security policies without IPS scanning continues to flow, regardless of the
fail-open setting and the state of the IPS scanner.
Before making this change, consider whether a period without IPS protection is worse than your
users having no Internet access. Even more important is whether your web server should continue
to be accessible without IPS protection or inaccessible while the problem is fixed.
Diagram: DoS attacks from the Internet against the internal network, stopped at the FortiGate unit.
Solution
Create a DoS sensor, enable it in a DoS policy and adjust the threshold for your network.
Create a new DoS sensor
1. Go to UTM Profiles > Intrusion Protection > DoS Sensor and select Create New.
2. Go to Policy > Policy > DoS Policy and select Create New.
3. For the Source Interface/Zone, select the interface connected to the Internet that visitors use to
connect to your web site. Leave the source and destination addresses set to all and the Service
set to ANY.
4. Enable DoS Sensor and select General Protection from the list.
5. Select OK.
The DoS policy scans incoming traffic and takes no action when the number of SYN packets
exceeds the threshold, but it logs these occurrences. Run the DoS policy for a period to check
whether the default threshold of 2000 SYN packets per second suits your network traffic. If a traffic
peak triggers the DoS policy, increase the threshold. The idea is to set the threshold high enough that
legitimate traffic does not trigger any action, but not so high that attacks are permitted.
When you have found a threshold that fits these criteria for your network, change the tcp_syn_flood
action to Block.
Results
Once you have determined the ideal threshold for your network, normal traffic will not exceed the
threshold and it will be allowed.
When an attack occurs, the attack is blocked but legitimate traffic is permitted. A TCP session is
initiated by a client sending a SYN packet. A legitimate client that does not receive the expected
SYN/ACK response retransmits its SYN, and this second SYN is allowed. An attacker tries to open
as many half-open sessions as possible and does not retry a connection attempt by sending a second
SYN for the same connection. In this way, the FortiGate unit can distinguish between an attack and
legitimate traffic, and act accordingly.
Periodically monitor the UTM log for traffic exceeding the threshold. Over time, your web site traffic
may increase, requiring a higher threshold. Temporary traffic changes may also require a threshold
adjustment, for example, increased traffic for a commerce web site during the holiday season.
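The threshold-and-retransmission logic described above, as an added example that is not part of the original cookbook and is not FortiGate code. It does not reproduce the tcp_syn_flood anomaly implementation: the packet record layout, the sample addresses and the function names are assumptions, and only the 2000 SYN/s threshold comes from the recipe.

```python
"""Added example (not FortiGate code): the per-second SYN threshold and the
retransmission heuristic described in the DoS recipe, run over constructed
packet records. Record layout and helper names are assumptions; the threshold
of 2000 SYN/s is the DoS sensor default named in the recipe.
"""
from collections import Counter

DEFAULT_THRESHOLD = 2000   # SYN packets per second, the DoS sensor default


def count_syns_per_second(packets):
    """Count SYN-only packets (flags == "S") per (destination IP, whole second)."""
    counts = Counter()
    for p in packets:
        if p["flags"] == "S":
            counts[(p["dst"], int(p["ts"]))] += 1
    return counts


def find_threshold_violations(packets, threshold=DEFAULT_THRESHOLD):
    """Return sorted [(dst, second, syn_count)] where the count exceeds threshold."""
    counts = count_syns_per_second(packets)
    return sorted((dst, sec, n) for (dst, sec), n in counts.items() if n > threshold)


def classify_sources(packets):
    """Split SYN senders into those that retransmitted a SYN for the same
    4-tuple (what a real TCP stack does when no SYN/ACK arrives) and those
    that sent one SYN per connection and never retried."""
    per_tuple = Counter()
    for p in packets:
        if p["flags"] == "S":
            per_tuple[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
    retrying = {src for (src, _, _, _), n in per_tuple.items() if n >= 2}
    one_shot = {src for (src, _, _, _) in per_tuple} - retrying
    return retrying, one_shot


def build_sample():
    """Constructed traffic: one legitimate client that retries its SYN a second
    later, then a flood of 2500 single SYNs from spoofed sources within second 5."""
    pkts = [
        {"ts": 0.1, "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80, "flags": "S"},
        {"ts": 1.1, "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80, "flags": "S"},
        {"ts": 1.2, "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80, "flags": "A"},
    ]
    for i in range(2500):
        pkts.append({"ts": 5.0 + i / 2500, "src": f"198.51.100.{i % 250}",
                     "sport": 1024 + i, "dst": "192.168.1.10", "dport": 80, "flags": "S"})
    return pkts


if __name__ == "__main__":
    sample = build_sample()
    for dst, sec, n in find_threshold_violations(sample):
        print(f"second {sec}: {n} SYNs to {dst} exceeds {DEFAULT_THRESHOLD}/s")
    retrying, one_shot = classify_sources(sample)
    print(f"{len(retrying)} source(s) retried a SYN, {len(one_shot)} never did")
```

Raising the threshold to 3000 makes the same flood pass unnoticed, which is the trade-off the paragraph above describes: tune against a baseline of real traffic, not against the attack you expect.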
Diagram: Internal network protected by a FortiGate unit.
Solution
Configure the default email filter profile to detect and filter spam.
1. Go to UTM Profiles > Email Filter > Profile and select Enable Spam Detection and Filtering.
2. Verify that the email protocols (POP3, SMTP, IMAP) are all enabled.
3. Set the spam action to Tagged.
The SMTP spam action can be set to Discard, but always set the action to Tagged when creating
or editing a spam filter profile. This lets you see the messages that the FortiGate unit
determines are spam and ensures that no important messages are discarded if the profile doesn't
function as expected.
4. Expand FortiGuard Spam Filtering and enable IP Address Check, E-mail Checksum Check,
and URL Check.
5. Find the security policies that process incoming email and add the email filter profile named
default to them.
Results
Incoming email messages are scanned, and those that the FortiGate unit determines are spam are
tagged with the word Spam at the beginning of the email message's subject. Go to Log&Report >
Log & Archive Access > UTM Log periodically to review the email filter activity.
Users can configure their email client software to move spam messages to their email client's spam
or junk folder automatically, if required.
Diagram: Internal network protected by a FortiGate unit.
Solution
Configure Data Leak Prevention (DLP) to examine HTTP traffic for credit card and other numbers and
write a log message when a number is detected.
1. Go to UTM Profiles > Data Leak Prevention > Sensor and select Create New to create a new
DLP sensor named Personal-ID-HTTP.
2. Select Create New to add a filter to find American Express credit cards:
   Name: HTTP-AmEx
   Filter By: Advanced Rule
   Advanced Rule: HTTP-AmEx
   Action: Log Only
   Archive: Disable
3. Select Create New to add a filter to find Canadian Social Insurance Numbers (SINs):
   Name: HTTP-Canada-SIN
   Filter By: Advanced Rule
   Advanced Rule: HTTP-Canada-SIN
   Action: Log Only
   Archive: Disable
4. Select Create New to add a filter to find American Social Security Numbers (SSNs):
   Name: HTTP-US-SSN
   Filter By: Advanced Rule
   Advanced Rule: HTTP-US-SSN
   Action: Log Only
   Archive: Disable
5. Select Create New to add a filter to find Visa and Mastercard credit cards:
   Name: HTTP-Visa-Mastercard
   Filter By: Advanced Rule
   Advanced Rule: HTTP-Visa-Mastercard
   Action: Log Only
   Archive: Disable
6. Go to Policy > Policy > Policy and edit the security policy that allows Internet access.
7. Select UTM and DLP Sensor, and select the DLP sensor named Personal-ID-HTTP.
Results
To test, enter a credit card number into a web form. Check the UTM log for DLP log messages
showing that a credit card number was found.
Diagram: Internal network protected by a FortiGate unit.
Solution
Configure Data Leak Prevention (DLP) to examine outgoing email for sensitive data. In this example,
configure Visa and Mastercard credit card numbers as the information to protect.
1. Go to UTM Profiles > Data Leak Prevention > Sensor and select Create New to create a new
DLP sensor with this filter:
   Filter Name:
   Filter By: Advanced Rule
   Advanced Rule: Email-Visa-Mastercard
   Action: Log Only
   Archive: Disable
With Action set to Log Only, the FortiGate unit logs matching messages but lets them through. To
block messages that contain card numbers, as the Results below describe, set Action to Block.
2. Go to Policy > Policy > Policy and edit the security policy that allows Internet access.
3. Select Advanced.
4. Edit each of these policies, enable UTM and DLP Sensor, and select the DLP sensor you created.
Results
To test, create an email message with a credit card number and send it. Your email client will return
an error indicating that the message is blocked because it contains sensitive information.
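Both the HTTP and the email DLP recipes above rely on advanced rules that recognise card and identity numbers. The following added example is not part of the original cookbook and is not FortiGate code: it shows the kind of check such a rule performs, a pattern match followed by a Luhn or format validation, on constructed HTTP and SMTP bodies. The function names, the regular expressions and the sample bodies are assumptions; the card numbers are the usual industry test numbers and the SIN is a commonly cited sample value.

```python
"""Added example (not FortiGate code): regex-plus-checksum detection for the
identifiers the HTTP and email DLP recipes target. FortiOS ships these as
built-in advanced rules; this shows the logic so you can see why a valid card
number is a match while a random digit string usually is not.
"""
import re

# Candidate patterns. Separators (space or dash) are tolerated between groups.
PATTERNS = {
    "AmEx": re.compile(r"\b3[47]\d{2}[ -]?\d{6}[ -]?\d{5}\b"),        # 15 digits
    "Visa": re.compile(r"\b4\d{3}(?:[ -]?\d{4}){3}\b"),               # 16-digit form
    "Mastercard": re.compile(r"\b5[1-5]\d{2}(?:[ -]?\d{4}){3}\b"),    # 51-55 prefix
    "US-SSN": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "Canada-SIN": re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment cards and by Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSNs carry no checksum; reject the ranges that are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def scan(text: str):
    """Return [(kind, matched_text)] for every candidate that passes validation."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            raw = m.group(0)
            if kind == "US-SSN":
                valid = ssn_ok(*m.groups())
            else:
                valid = luhn_ok(re.sub(r"[ -]", "", raw))
            if valid:
                findings.append((kind, raw))
    return findings


# Constructed inputs, not captured traffic. The card numbers are industry test
# numbers; 046 454 286 is a commonly cited sample SIN.
SAMPLE_HTTP_BODY = (
    "POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    "card=378282246310005&alt=4111 1111 1111 1111&bad=4111111111111112"
    "&sin=046 454 286&ssn=123-45-6789&order=987654321\r\n"
)
SAMPLE_EMAIL = (
    "From: twhite@company.com\r\nSubject: invoice\r\n\r\n"
    "Please charge 5555-5555-5555-4444, exp 12/29.\r\n"
)

if __name__ == "__main__":
    for label, sample in (("HTTP", SAMPLE_HTTP_BODY), ("SMTP", SAMPLE_EMAIL)):
        for kind, value in scan(sample):
            print(f"{label}: {kind} found: {value}")
```

In the HTTP sample, 4111111111111112 and the nine-digit order number both match a pattern but fail the Luhn check and are not reported. That is why a test of the HTTP recipe is more meaningful with a checksum-valid test number than with arbitrary digits.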
Using the FortiGate vulnerability scanner to check your network for vulnerabilities
Diagram: Internal network scanned by the FortiGate unit.
Solution
Configure your FortiGate unit to scan your network for vulnerable hosts.
In this example, the local network uses the 172.20.120.0/24 subnet. The FortiGate unit's internal
interface is part of this subnet.
Configure a vulnerability scan to run at midnight on the first day of every month.
Create the asset definition
1. Go to UTM > Profiles > Vulnerability Scan > Asset Definition and select Create New to create
a new asset:
   Name: 172.20.120 subnet
   Type: Range
   Range: 172.20.120.1-172.20.120.255
2. Select OK.
Go to UTM > Profiles > Vulnerability Scan > Scan Schedule and configure the following
settings:
   Recurrence: Monthly
   Day of Month: 1
   Hour: 00
   Minutes: 00
   Scan Mode: Quick
Select Apply.
Vulnerability scans should always be scheduled for periods of off-peak traffic. These scans can use
significant network and FortiGate resources and may impact network performance.
Go to UTM > Profiles > Vulnerability Scan > Asset Definition and specify the
172.20.120 subnet by selecting the check box at the beginning of the row.
Results
When the scan is complete, go to UTM > Profiles > Vulnerability Scan > Vulnerability Result.
The results are broken down into four sections:
Summary: the scan start and stop time, the current scan status, and the number of hosts scanned.
Vulnerability by Severity: the vulnerabilities found, grouped by severity.
Vulnerability by Category: the vulnerabilities found, grouped by category.
Results by host: a table listing all of the scanned hosts. The Asset Definition used to target the
scan is listed as well as the host IP address, the OS Version, the Vulnerability Severity, and the
number of vulnerabilities for the host. You can select a host to view further details, including a list
of its vulnerabilities.
SSL VPN
SSL is an easy-to-use, application-level, network-independent method of ensuring private
communication over the Internet. It is commonly used to protect the privacy of online shopping
payments: customers' web browsers switch almost transparently to SSL for secure communication
without customers being required to do any SSL-related configuration or install any extra
SSL-related software.
SSL protection can also be applied to secure communication over the Internet between client PCs
and a remote network using SSL VPN. For basic SSL VPN functionality, all a user needs to do to
access an SSL VPN is browse to the IP address of a FortiGate unit configured for SSL VPN. Users
do not require any special SSL VPN software or configuration, since SSL in the form of HTTPS is
supported by all common web browsers.
The FortiGate SSL VPN configuration requires an SSL VPN web portal for SSL VPN users to log into,
the addition of a user authentication configuration to allow SSL VPN users to login and then the
creation of SSL VPN security policies that control the source and destination access of SSL VPN
users. SSL VPN security policies can also apply UTM and other security features to all SSL VPN
traffic. FortiASIC processors can accelerate SSL VPN encryption, optimizing SSL VPN performance
for a large user base.
Additional SSL VPN features are available, including tunnel mode, virtual desktop for enhanced
endpoint protection, and endpoint security checks. These features are supported by SSL VPN
clients that SSL VPN users can download automatically after logging into the SSL VPN
portal. Users can also download Fortinet SSL VPN clients to access these additional SSL VPN
features without logging into an SSL VPN portal. Fortinet supports SSL VPN clients for many PC
and mobile platforms.
This chapter includes the following SSL VPN examples:
Setting up remote web browsing for internal sites through SSL VPN
Using SSL VPN to provide protected Internet access for remote users
SSL VPN split tunneling: Using SSL VPN to provide protected Internet access and access to
head office servers for remote users
Verifying that SSL VPN users have the most recent AV software before they can log into the SSL
VPN
Setting up remote web browsing for internal sites through SSL VPN
Diagram: Remote user logging in over the Internet to the FortiGate unit's wan1 interface (172.20.120.136); the email server sits on the internal network.
Solution
Using SSL VPN you can create a web portal that shows remote users, when they connect, a list of
links to internal servers and web sites.
Creating a firewall address for the email server
Create a firewall address for the email server.
1. To add the email server address, go to Firewall Objects > Address > Address, select Create
New and enter the email server address:
   Address Name: Email Server
   Type: Subnet / IP Range
   Subnet / IP Range: 192.168.1.12
   Interface: Internal
Select OK.
Go to VPN > SSL > Config and for IP Pools select Edit and add twhite to the Selected table.
Go to VPN > SSL > Portal and select Create New to create the portal:
   Name: Internal_company_sites_portal
   Applications: HTTP/HTTPS
   Portal Message:
On the default web portal, delete the Bookmarks widget by selecting its Remove icon (looks like
an X).
From the Add Widget list on the right of the default portal, select Bookmarks.
In the new Bookmarks widget, select the Edit icon (looks like a pencil).
Optionally edit the Name and make sure Applications is set to HTTP/HTTPS.
In the Bookmarks widget, select Add and create a bookmark that links to the email server web page:
   Name:
   Type: HTTP/HTTPS
   Location: https://mail.company.com
   Description:
Adding and working with web portal widgets can be confusing and produce unexpected results.
Always select Apply at the top of the web portal page after making a change. When you have
finished making changes, navigate to another web-based manager page and then navigate back
to the web portal to make sure your changes were saved.
Go to User > User > User and select Create New to add the user:
   User Name: twhite
   Password: password
Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN
user group:
   Name: Sales
   Type: Firewall
   Allow SSL-VPN Access: enabled, portal Internal_company_sites_portal
Make sure you select the Allow SSL-VPN Access option and also select the SSL VPN web portal
that the members of this user group connect to. If you do not, the Sales user group will not appear in
the group list when you configure the SSL VPN authentication security policy.
Select OK.
Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
   Source Interface/Zone: wan1
   Source Address: all
   Destination Interface/Zone: internal
   Destination Address: Email Server
   Action: SSL-VPN
Select Configure SSL-VPN Users and select Add to add an authentication rule for remote SSL
VPN users:
   Selected User Groups: Sales
   Selected Services: HTTP, HTTPS
   Schedule: always
If the Sales user group does not appear in the User Group list, ensure you selected the Allow
SSL-VPN Access option when creating the user group. If that option is not selected, the Sales user
group will not appear in the group list when configuring the authentication security policy.
Select OK.
Results
To verify that the setup works:
1. From the remote PC, browse to the SSL VPN portal on the FortiGate unit's wan1 interface and
log in:
   User Name: twhite
   Password: password
The portal launches a new window that displays the email server website.
From the FortiGate web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the
list of users connected using SSL VPN.
From the FortiGate web-based manager, go to Policy > Monitor > Session Monitor to view the
session information for the SSL connection. Because of the internal nature of the SSL connection,
the source address appears as 0.0.0.0 and the destination is the internal home address of 224.0.0.1
You can also use the diagnose debug application sslvpn -1 command to debug this
configuration as described in Debugging FortiGate configurations on page 139.
Diagram: Remote SSL VPN user (tunnel address in the 10.212.134.0 range) logging in to the FortiGate unit's wan1 interface (172.20.120.136); web browsing leaves through the ssl.root interface.
Solution
Watch the video: http://docs.fortinet.com/cb/ssl1.html
Using SSL VPN and FortiClient SSL VPN software, you create a means to use the corporate
FortiGate to browse the web safely.
Creating an SSL VPN IP pool and SSL VPN web portal
1. Go to VPN > SSL > Config and for IP Pools select Edit and add SSLVPN_TUNNEL_ADDR1 to
the Selected table.
2. Create the SSL VPN portal by going to VPN > SSL > Portal and selecting tunnel-access.
3. Select the Edit pencil icon for the Tunnel Mode widget and enter the following:
   Name: Browsing
   IP Mode: User Group
   IP Pools: SSLVPN_TUNNEL_ADDR1
Select OK.
Go to User > User > User and select Create New to add the user:
   User Name: twhite
   Password: password
Select OK.
Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN
user group:
   Name: Tunnel
   Type: Firewall
   Allow SSL-VPN Access: enabled, portal tunnel-access
Make sure you select the Allow SSL-VPN Access option. If not selected, the Tunnel user group will
not appear in the group list when configuring the authentication security policy.
Select OK.
Go to Router > Static > Static and select Create New to add the static route:
   Destination IP/Mask: 10.212.134.0/255.255.255.0
   Device: ssl.root
The Destination IP/Mask covers the tunnel addresses that remote SSL VPN users receive from the
SSLVPN_TUNNEL_ADDR1 pool, so that replies to them are routed back into the ssl.root interface.
Select OK.
Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
   Source Interface/Zone: wan1
   Source Address: all
   Destination Interface/Zone: internal
   Destination Address: SSLVPN_TUNNEL_ADDR1
   Action: SSL-VPN
Under Configure SSL-VPN Users, select Add to add an authentication rule for the remote user:
   Selected User Groups: Tunnel
   Selected Services: ANY
   Schedule: always
If the Tunnel user group does not appear in the User Group list, ensure you selected the Allow SSL
VPN Access option when creating the user group. If that option is not selected, the Tunnel user group
will not appear in the user group list when configuring the authentication security policy.
Select OK.
Select Create New to add a security policy that allows remote SSL VPN users to connect to the
Internet:
   Source Interface/Zone: ssl.root
   Source Address: all
   Destination Interface/Zone: wan1
   Destination Address: all
   Schedule: always
   Service: ANY
   Action: ACCEPT
Results
Using the FortiClient SSL VPN application, connect to the VPN using the address
https://172.20.120.136:10443/ and log in as twhite. Once connected, you can browse the Internet.
From the FortiGate web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of
users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects to
the Internet.
From the FortiGate web-based manager, go to Policy > Monitor > Policy Monitor to view the policy
information for the SSL connection. For any web traffic, the source interface becomes ssl.root.
Go to Log&Report > Log & Archive Access > Traffic Log to view the log information, and the logs
will also show the source interface for outbound traffic from the SSL connection through the ssl.root
interface.
Diagram: Head office FortiGate unit (wan1 172.20.120.136) with the head office server on the internal network; remote SSL VPN user (10.212.134.200) logging in, with browsing through the ssl.root interface.
You want remote users to be able to securely access head office internal network servers and browse
the Internet through the head office firewall.
Solution
This solution describes how to configure FortiGate SSL VPN split tunnelling using the FortiClient SSL
VPN software, available from the Fortinet Support site.
In this configuration, communication from remote SSL VPN users to the head office internal
network and to the Internet uses an SSL VPN tunnel between the user's PC and the head office
FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the
Internet. Replies come back into the head office FortiGate unit before being routed back through the
SSL VPN tunnel to the remote user.
Note that with Split Tunneling enabled in the portal, the FortiClient SSL VPN software sends through
the tunnel only traffic for the destinations permitted by the SSL VPN security policy; other traffic
leaves the remote PC directly. Check which traffic actually enters the tunnel before relying on the
head office UTM features to protect remote users' web browsing.
Creating a firewall address for the head office server
1. Go to Firewall Objects > Address > Address and select Create New and add the head office
server address:
   Address Name:
   Type: Subnet / IP Range
   Subnet / IP Range: 192.168.1.12
   Interface: Internal
2. Select OK.
Go to VPN > SSL > Config and for IP Pools select Edit and add SSLVPN_TUNNEL_ADDR1 to
the Selected table.
Create the SSL VPN portal by going to VPN > SSL > Portal and selecting tunnel-access.
Select the Edit pencil icon for the Tunnel Mode widget and enter the following:
   Name:
   IP Mode: User Group
   IP Pools: SSLVPN_TUNNEL_ADDR1
   Split Tunneling: Enable
Select OK.
Go to User > User > User, select Create New and add the user:
   User Name: twhite
   Password: password
Select OK.
Go to User > User Group > User Group and select Create New to add twhite to the SSL VPN
user group:
   Name: Tunnel
   Type: Firewall
   Allow SSL-VPN Access: enabled, portal tunnel-access
Make sure you select the Allow SSL-VPN Access option. If not selected, the Tunnel user group will
not appear in the group list when configuring the authentication security policy.
Select OK.
Go to Router > Static > Static and select Create New to add the static route:
   Destination IP/Mask: 10.212.134.0/255.255.255.0
   Device: ssl.root
The Destination IP/Mask covers the tunnel addresses that remote SSL VPN users receive from the
SSLVPN_TUNNEL_ADDR1 pool, so that replies to them are routed back into the ssl.root interface.
Select OK.
Go to Policy > Policy > Policy and select Create New to add the SSL VPN security policy:
   Source Interface/Zone: wan1
   Source Address: all
   Destination Interface/Zone: internal
   Destination Address:
   Action: SSL-VPN
Select Configure SSL-VPN Users and select Add to add an authentication rule for the remote
user:
   Selected User Groups: Tunnel
   Selected Services: ANY
   Schedule: always
If the Tunnel user group does not appear in the User Group list, ensure you selected the Allow SSL
VPN Access option when creating the user group. If that option is not selected, the Tunnel user group
will not appear in the user group list when configuring the authentication security policy.
Select OK.
Select Create New to add a security policy that allows remote SSL VPN users to connect to the
Internet:
   Source Interface/Zone: ssl.root
   Source Address: all
   Destination Interface/Zone: wan1
   Destination Address: all
   Schedule: always
   Service: ANY
   Action: ACCEPT
Select OK.
Results
Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address
https://172.20.120.136:10443/ and log in with the twhite user account. Once connected, you can
connect to the head office server or browse to web sites on the Internet.
From the web-based manager go to VPN > Monitor > SSL-VPN Monitor to view the list of users
connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN
sessions to the Internet.
From the web-based manager, go to Policy > Monitor > Session Monitor to view the session
information for the SSL connection. For any web traffic, the source interface becomes ssl.root.
Go to Log&Report > Log & Archive Access > Traffic Log to view the log information, and the logs
will also show the source interface for outbound traffic from the SSL connection through the ssl.root
interface.
Verifying that SSL VPN users have the most recent AV software
before they can log into the SSL VPN
Problem
Before a remote SSL VPN user logs into the network, you want to be sure that they have approved
antivirus software installed on their computers. Only clients that meet the requirements are permitted
to log on.
Diagram: Remote SSL VPN user connecting through the FortiGate unit to a server on the internal network.
Solution
Use SSL VPN host checking. When the remote client attempts to log in to the VPN network, the
FortiGate unit uses the host check information to verify that the approved antivirus software is
installed on the client computer.
1. Go to VPN > SSL > Portal, Edit a portal and select Settings.
2. Set Host Check to Custom and select the host check Policy that lists the approved antivirus
software.
If your company does not require specific AV software on remote computers, you can select the AV
option instead of Custom; the FortiGate unit then accepts any AV software listed in its SSL VPN
antivirus software database.
Results
When a remote user connects to the SSL VPN tunnel, the FortiGate unit verifies that the approved
antivirus software is installed on the remote users device. If it is, the user can log in.
If the approved antivirus software is not installed, the remote user sees the following error message:
From the FortiGate web-based manager go to Log&Report > Event Log to see the tunnel message
in the Action column.
Select the log entry to view the detailed information, which indicates the user attempting to connect.
The Reason row indicates that the host check failed.
To make sure that SSL logs appear in the event log, go to Log&Report > Log Config > Log
Setting. Enable Event Logging and select SSL VPN user authentication event and SSL VPN
session event.
IPsec VPN
IPsec VPN is a common method for enabling private communication over the Internet. IPsec
supports a client-server architecture similar to SSL VPN. However, to use it, IPsec clients must
install and configure IPsec VPN client software (such as Fortinet's FortiClient Endpoint Security) on
their PCs or mobile devices. IPsec client configurations can be cryptic and complex, which usually
makes SSL VPN more convenient for users with little networking knowledge.
IPsec VPN, however, supports more configurations than SSL VPN. A common application of IPsec
VPN is a gateway-to-gateway configuration that allows users to communicate transparently
between remote networks over the Internet. When a user on one network starts a communication
session with a server on the other network, a security policy configured for IPsec VPN intercepts the
session and uses an associated IPsec configuration both to encrypt the session for privacy and to
route it transparently over the Internet to the remote network. At the remote network, the encrypted
session is intercepted and decrypted by the IPsec gateway there and the unencrypted traffic is
forwarded to the server. Responses from the server then pass back over the encrypted tunnel to the
client.
Many variations of the gateway to gateway configuration are available depending on the
requirements. In addition to gateway to gateway IPsec VPNs, FortiGate units also support various
mesh IPsec VPN configurations that can allow transparent communication between networks at
multiple locations around the world.
FortiGate units also support automated IPsec configurations of FortiClient software running on client
PCs.
All communication over IPsec VPNs is controlled by security policies. Security policies allow for full
access control and can be used to apply UTM and other features to IPsec VPN traffic.
Fortinet IPsec VPNs employ industry standard features to ensure the best security and interoperability with industry standard VPN solutions provided by other vendors.
This chapter includes the following IPsec VPN examples:
Protecting communication between offices across the Internet using IPsec VPN
Using the FortiGate FortiClient VPN Wizard to set up a VPN to a private network
Protecting communication between offices across the Internet using IPsec VPN
Figure: Network diagram. HQ FortiGate (internal network 10.10.10.0/24, wan1 172.20.120.122) and Branch FortiGate (internal network 192.168.1.0/24, wan1 172.20.120.200) connected across the Internet by the IPsec VPN tunnels HQ_to_Branch and Branch_to_HQ.
Solution
Create a gateway-to-gateway IPsec VPN between headquarters and the branch office.
This basic gateway-to-gateway IPsec VPN assumes that both offices have connections to the Internet
with static IP addresses. This configuration uses a basic policy-based IPsec VPN configuration.
Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and configure the IPsec VPN phase
1 configuration.
Name
HQ_to_Branch_p1
Remote Gateway
Static IP Address
IP Address
172.20.120.200
Local Interface
wan1
Mode
Authentication Method
Preshared Key
Pre-shared Key
fortinet123
Select OK.
Select Create Phase 2 and enter the following:
Name
HQ_to_Branch_p2
Phase 1
HQ_to_Branch_p1
Select OK.
Go to Firewall Objects > Address > Address and select Create New to add a firewall address
for the HQ network.
Name
HQ_net
Type
Subnet / IP Range
Subnet / IP Range
10.10.10.0/255.255.255.0
Interface
internal
Select Create New to add a firewall address for the branch office network.
Name
Branch_net
Type
Subnet / IP Range
Subnet / IP Range
192.168.1.0/255.255.255.0
Interface
wan1
Select OK.
Go to Policy > Policy > Policy and select Create New to add a security policy for the IPsec VPN.
Source Interface/Zone
internal
Source Address
HQ_net
Destination Interface/Zone
wan1
Destination Address
Branch_net
Schedule
always
Service
ANY
Action
IPSEC
VPN Tunnel
HQ_to_Branch_p1
Select OK.
Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and configure the IPsec VPN phase
1 configuration.
Name
Branch_to_HQ_p1
Remote Gateway
Static IP Address
IP Address
172.20.120.122
Local Interface
wan1
Mode
Authentication Method
Preshared Key
Pre-shared Key
fortinet123
Select OK.
Select Create Phase 2 and enter the following:
Name
Branch_to_HQ_p2
Phase 1
Branch_to_HQ_p1
Select OK.
Go to Firewall Objects > Address > Address and select Create New to add a firewall address
for the branch office network.
Name
Branch_net
Type
Subnet / IP Range
Subnet / IP Range
192.168.1.0/255.255.255.0
Interface
internal
Select Create New to add a firewall address for the HQ network.
Name
HQ_net
Type
Subnet / IP Range
Subnet / IP Range
10.10.10.0/255.255.255.0
Interface
wan1
Select OK.
Go to Policy > Policy > Policy and select Create New to add a security policy for the IPsec VPN.
Source Interface/Zone
internal
Source Address
Branch_net
Destination Interface/Zone
wan1
Destination Address
HQ_net
Schedule
always
Service
ANY
Action
IPSEC
VPN Tunnel
Branch_to_HQ_p1
Results
A user on either of the office networks should be able to connect to any address on the other office
network transparently. For example, from a PC at the branch office with IP address 192.168.1.100
you should be able to ping a device on the HQ network with the IP address 10.10.10.100.
When the VPN is operating you should be able to go to VPN > Monitor > IPsec Monitor and verify
that its status is up.
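As an added example that is not part of the Cookbook, the following Python script models both ends of this HQ/Branch recipe as constructed dictionaries and checks that they mirror each other before the settings are typed into either web-based manager: each Remote Gateway is the other unit's wan1 address, the pre-shared keys and phase 1 mode match, and the subnets are valid, mirrored and non-overlapping. The same check catches a mistyped netmask in a Subnet / IP Range field.

```python
"""Mirror check for the policy-based gateway-to-gateway IPsec VPN recipe.

Added example; it is not part of the FortiGate Cookbook. The dicts below are a
constructed model of the settings entered on each FortiGate in the HQ <-> Branch
recipe, and check_pair() confirms that the two ends mirror each other.
"""
import ipaddress
from typing import Dict, List

# Constructed from the recipe: HQ wan1 is 172.20.120.122 (the branch's Remote
# Gateway) and the branch wan1 is 172.20.120.200 (HQ's Remote Gateway).
HQ_SIDE: Dict[str, str] = {
    "name": "HQ",
    "local_gw": "172.20.120.122",
    "remote_gw": "172.20.120.200",
    "psk": "fortinet123",
    "mode": "main",
    "local_net": "10.10.10.0/255.255.255.0",    # HQ_net
    "remote_net": "192.168.1.0/255.255.255.0",  # Branch_net
}
BRANCH_SIDE: Dict[str, str] = {
    "name": "Branch",
    "local_gw": "172.20.120.200",
    "remote_gw": "172.20.120.122",
    "psk": "fortinet123",
    "mode": "main",
    "local_net": "192.168.1.0/255.255.255.0",   # Branch_net
    "remote_net": "10.10.10.0/255.255.255.0",   # HQ_net
}


def parse_subnet(text: str) -> ipaddress.IPv4Network:
    """Parse 'network/dotted-mask' exactly as the recipe writes it.

    ipaddress rejects a non-contiguous mask such as 255.55.255.0 and, with
    strict=True, a network address that has host bits set, so a typo in the
    Subnet / IP Range field surfaces here rather than on the FortiGate.
    """
    return ipaddress.ip_network(text, strict=True)


def check_pair(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the two ends mirror."""
    problems: List[str] = []

    # 0. Every address field must parse before anything can be compared.
    for side in (a, b):
        for key in ("local_gw", "remote_gw"):
            try:
                ipaddress.ip_address(side[key])
            except ValueError:
                problems.append(f"{side['name']}: invalid {key} {side[key]!r}")
        for key in ("local_net", "remote_net"):
            try:
                parse_subnet(side[key])
            except ValueError as exc:
                problems.append(f"{side['name']}: invalid {key} {side[key]!r} ({exc})")
    if problems:
        return problems

    # 1. Each unit's Remote Gateway must be the other unit's wan1 address.
    for here, there in ((a, b), (b, a)):
        if here["remote_gw"] != there["local_gw"]:
            problems.append(
                f"{here['name']}: Remote Gateway {here['remote_gw']} is not "
                f"{there['name']}'s local gateway {there['local_gw']}"
            )

    # 2. IKE compares the pre-shared key byte for byte; it must be identical.
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ between the two ends")

    # 3. Phase 1 mode must agree, and main mode is preferred over aggressive.
    if a["mode"] != b["mode"]:
        problems.append(f"phase 1 mode differs: {a['mode']} vs {b['mode']}")
    elif a["mode"] == "aggressive":
        problems.append("warning: both ends use aggressive mode; main mode is more secure")

    # 4. The protected subnets must be mirrored and must not overlap.
    a_local, a_remote = parse_subnet(a["local_net"]), parse_subnet(a["remote_net"])
    b_local, b_remote = parse_subnet(b["local_net"]), parse_subnet(b["remote_net"])
    if a_local != b_remote or a_remote != b_local:
        problems.append("local/remote subnets are not mirrored between the two ends")
    if a_local.overlaps(a_remote):
        problems.append(f"subnets {a_local} and {a_remote} overlap; routing is ambiguous")

    return problems


if __name__ == "__main__":
    for line in check_pair(HQ_SIDE, BRANCH_SIDE) or ["OK: both ends mirror"]:
        print(line)
```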
Figure: Network diagram. Office FortiGate with the internal network 192.168.1.0/24 on its internal interface and wan1 on the Internet, connected by an IPsec VPN with XAuth to a remote FortiClient user with a dynamic IP address.
Solution
Create an IPsec VPN between FortiClient on the remote user's PC and the office FortiGate unit that
uses XAuth to authenticate the remote user. The remote user's IP address changes, so you need to
configure a dialup IPsec VPN on the FortiGate unit. As well, the remote user must start the VPN
because the office FortiGate unit doesn't know the user's IP address.
Creating a user and user group to support XAuth
Go to User > User > User and select Create New to add the user:
User Name
fsmith
Password
passw0rd
Go to User > User Group > User Group and select Create New to add fsmith to the user group:
Name
FortiClient_group
Type
Firewall
Select OK.
Creating the IPsec VPN phase 1 and phase 2 and a DHCP server for the IPsec VPN
Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and configure Phase 1.
Name
FortiClient_VPN
Remote Gateway
Dialup User
Local Interface
wan1
Mode
Authentication Method
Preshared Key
Pre-shared Key
fortinet123
Peer Options
IKE Version
Local Gateway IP
Main Interface IP
DNS Server
P1 Proposal
DH Group
Keylife
28800
XAuth
Enable as Server
Server Type
PAP
User Group
FortiClient_group
NAT Traversal
Enable
Keepalive Frequency
10
Enable
Select OK.
Go to System > Network > Interface and verify that a tunnel interface named FortiClient_VPN
has been added under the wan1 interface.
Edit the FortiClient_VPN tunnel interface and verify that the IP and Remote IP are both 0.0.0.0.
These IPs must be set to 0.0.0.0 for the DHCP server to supply IP addresses to the remote users.
Go to System > Interface > DHCP server and select Create New to add a DHCP server for the
IPsec VPN.
Interface Name
FortiClient_VPN
Mode
Server
Enable
Select
Type
IPsec
IP
10.254.254.1 - 10.254.254.254
Network Mask
255.255.255.0
Default Gateway
192.168.1.1
DNS Service
Select OK.
Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 2 to configure the phase 2 for the
IPsec VPN.
Name
FortiClient_VPN2
Phase 1
FortiClient_VPN
Select
Select
DH Group
Keylife
1800 Seconds
Do not select
DHCP-IPsec
Enable
If DHCP-IPsec is greyed out, there is no valid DHCP server attached to the FortiClient_VPN tunnel
interface. If static IP addresses are assigned to the FortiClient_VPN tunnel interface IP and
Remote IP, delete the Phase 1 entry and start again. The DHCP server does not work if static IPs are
assigned to the FortiClient_VPN tunnel interface.
Creating a static route and security policies for the IPsec VPN configuration
The static route ensures that traffic for the VPN does not leave the FortiGate unit for the default
gateway. When you select the VPN interface as the Device, there is no requirement for a gateway, as
shown by it being greyed out.
Go to Router > Static > Static Route and select Create New to add a static route for the IPsec
VPN.
Destination IP/Mask
10.254.254.0/255.255.255.0
Device
FortiClient_VPN
Select OK.
Go to Policy > Policy > Policy and select Create New to create a policy to allow IPsec VPN
traffic on the FortiClient_VPN interface.
Source Interface/Zone
FortiClient_VPN
Source Address
all
Destination Interface/Zone
internal
Destination Address
all
Schedule
always
Service
ANY
Action
ACCEPT
Select OK.
Configure FortiClient
These instructions were tested on FortiClient 4.2.1, and FortiClient 4.3.2.
Connection Name
Work_VPN
VPN Type
Manual IPsec
Remote Gateway
172.20.120.146
Remote Network
192.168.1.0 / 255.255.255.0
Authentication Method
Preshared Key
Pre-Shared Key
fortinet123
Select Advanced.
eXtended Authentication
Remote Network
192.168.1.0 / 255.255.255.0
For both IKE and IPsec Proposals, remove the MD5 authentication entries.
Results
You know your VPN is successful when you select the VPN on FortiClient, select Connection, and
receive a Connection Successful! message. In FortiClient, the status next to the VPN connection
will appear as Up, with the number of seconds it has been up, next to it.
To ensure your new VPN works, from FortiClient select the Work_VPN entry, and then select
Advanced > Test. This will open a window and display each step of the attempted connection. If
there are any problems they will appear here for troubleshooting. For additional information, look at
the event log of the FortiGate unit by going to Log&Report > Log & Archive Access > Event Log.
In particular, the Message, Action, and Error Reason parts of the log messages can be useful
when troubleshooting.
Ensure both ends are using main mode, unless there are connection problems and you want to
try aggressive mode on both ends which is easier to connect but less secure.
Ensure XAuth settings are the same for both ends, with the FortiGate unit being the Server if it is
enabled.
When working with policy routing, ensure you have allowed inbound and outbound, especially if
network services such as DNS or DHCP are having problems.
Check your NAT settings - for best results NAT traversal is enabled in the Phase 1 configuration,
and NAT is not enabled in the security policy.
Only the FortiClient end can initiate the VPN tunnel because the FortiGate does not know the
FortiClient IP address.
Best Practices
There are CLI-only options that can help with FortiClient VPNs in certain situations.
Phase1
Phase2
set forticlient-enforcement
{enable | disable}
iPhone
Figure: Network diagram. iPhone connecting over an IPsec VPN to the office FortiGate's wan1 interface (example.com); the office network is on the internal interface.
Solution
The easiest way to connect to the office from a remote location is by an IPsec VPN connection. It is
secure, and to the user, it appears as if they are on the network at work. The iPhone IPsec client is a
Cisco UNITY client.
In this example, user fsmith is part of the iPhoneVPN user group. F. Smith's iPhone will be assigned an
IP address in the range 172.16.1.1 - 172.16.1.254. The VPN is interface based.
You already have three security policies to allow traffic to flow on your network: Internal to Wan1,
Internal to dmz, and dmz to Internal.
This example uses an Apple iPhone 4 running iOS 5.1. Menu options may vary for different models
and iOS versions.
The steps involved include:
Configure iPhone VPN Phase 1 access to the DMZ subnet in the CLI.
Go to User > User > User and select Create New and add a user account for an iPhone user.
User Name
fsmith
Password
my1pwd
Select OK.
Go to User > User Group > User Group and select Create New to create a user group for
iPhone users.
Name
iPhoneVPN
Type
Firewall
Available Users
Select OK.
Create firewall addresses for the web server on the DMZ and for iPhone users
Go to Firewall Objects > Address > Address and select Create New to enter the following
information.
Address Name
DMZ_WebServer
Type
Subnet / IP Range
Subnet / IP Range
10.0.0.0/255.255.255.0
Interface
dmz
Select OK.
Select Create New to add a firewall address for the iPhone users.
Address Name
iPhoneVPNUsers
Type
Subnet / IP Range
Subnet / IP Range
172.16.1.0/255.255.255.0
Interface
Any
Select OK.
Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and enter the following.
Name
iPhone
Remote Gateway
Dialup User
Local Interface
wan1
Mode
Main
Authentication Method
Preshared Key
Preshared Key
mykey123
Peer Options
Enable
IKE Version
Local Gateway IP
Main Interface IP
DH Group
XAUTH
Enable as Server
Server Type
AUTO
User Group
iPhoneVPN
Select OK.
Select Create Phase 2 and enter the following.
Name
iPhone_P2
Phase1
iPhone
DH Group
Select OK.
Go to Policy > Policy and select Create new to enter the following information
Source Interface/Zone
iPhone
Source Address
iPhoneVPNUsers
Destination Interface/Zone
DMZ
Destination Address
DMZ_WebServer
Schedule
Always
Service
ANY
Action
Accept
Enable NAT
Disable
Select OK.
Move this policy to the top of the policy list, to ensure it will be matched first.
On the iPhone, add an IPSec VPN configuration with the following settings:
Description
Office_VPN
Server
Account
fsmith
Password
my1pwd
Use Certificate
OFF
Group Name
iPhoneVPN
Secret
mykey123
Results
To test the configuration, on the iPhone:
When iPhone connects, a VPN icon appears next to the battery power indicator.
On the FortiGate unit you can see the connection attempt and completion by going to Log&Report >
Event Log.
Figure 1: Sample event log of the iPhone VPN connection
When your VPN connection is established on your iPhone there will be a small VPN tag at the top of
the screen. However, this is easily missed. If you want a clear message that your VPN connection is
up and working on the iPhone, then enter the following CLI command on the FortiGate unit:
config vpn ipsec phase1-interface
edit iPhone
set banner "YOU ARE NOW CONNECTED"
next
end
This creates a pop-up banner message that is displayed on your iPhone when the VPN connection
is successful.
For example, for a failed connection, the debug output below indicates that the pre-shared keys did
not match. In this case, the iPhone user incorrectly entered the pre-shared key. Re-entering the key
corrected the problem.
ike 0:iPhone:12: responder: main mode get 3rd message...
ike 0:iPhone:12: dec
6FE92716080DA88485CF802B911B8B2A05100201000000000000006412F660DA267B11216B9A74F5D661FBBF7D9
C2CA9976C873AC02FF991FA073C7840C6E5C7A2A0AFD08477B1715E2E1031A9E0469D8EF992EF8F74FC4C1A0F84
66C875E5B2193FDC29
ike 0:iPhone:12: probable pre-shared secret mismatch
ike 0:iPhone:12: unable to parse msg
ike 0:iPhone:12: negotiation timeout, deleting
ike 0:iPhone: connection expiring due to phase1 down
ike 0:iPhone: deleting
ike 0:iPhone: flushing
ike 0:iPhone: sending SNMP tunnel DOWN trap
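As an added example that is not part of the Cookbook, the following Python script groups IKE debug lines like those above by tunnel and reports the first failure signature seen for each tunnel; the later timeout and phase1 down lines are consequences of that first error, so the first one is the one to act on. The signature-to-cause table is ours and can be extended; the hex payload line in the sample is a constructed stand-in for the real dump.

```python
"""Summarise FortiGate IKE debug output by tunnel and name the first failure.

Added example, not part of the FortiGate Cookbook. Each event line carries the
prefix 'ike <vdom>:<tunnel>[:<negotiation id>]: <message>'; payload hex dumps
that follow a 'dec' or 'enc' line carry no prefix and are skipped.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^ike\s+(?P<vdom>\d+):(?P<tunnel>[^:]+)(?::(?P<nego>\d+))?:\s*(?P<msg>.*)$"
)

# Substring of the message -> plain-language cause. The signatures are the
# ones the recipe's failed-connection output shows; the explanations are ours.
SIGNATURES: List[Tuple[str, str]] = [
    ("probable pre-shared secret mismatch",
     "pre-shared key entered on the client differs from the phase 1 key"),
    ("unable to parse msg",
     "peer message could not be decrypted or parsed (usually follows a key mismatch)"),
    ("negotiation timeout",
     "IKE negotiation timed out (consequence of an earlier error, or UDP 500/4500 blocked)"),
]

# Constructed sample: the recipe's lines, with a made-up short hex payload
# standing in for the real dump.
SAMPLE_DEBUG = """\
ike 0:iPhone:12: responder: main mode get 3rd message...
ike 0:iPhone:12: dec
00112233445566778899AABBCCDDEEFF
ike 0:iPhone:12: probable pre-shared secret mismatch
ike 0:iPhone:12: unable to parse msg
ike 0:iPhone:12: negotiation timeout, deleting
ike 0:iPhone: connection expiring due to phase1 down
ike 0:iPhone: deleting
ike 0:iPhone: flushing
ike 0:iPhone: sending SNMP tunnel DOWN trap
"""


def parse_ike_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one event line into vdom, tunnel, negotiation id and message.

    Returns None for lines that are not ike events (hex dumps, blank lines).
    """
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines: Iterable[str]) -> Dict[str, dict]:
    """Group events by tunnel, keeping causes in the order they first appear."""
    report: Dict[str, dict] = {}
    for raw in lines:
        rec = parse_ike_line(raw)
        if rec is None:
            continue
        entry = report.setdefault(
            rec["tunnel"], {"negotiations": [], "causes": [], "down": False}
        )
        if rec["nego"] and rec["nego"] not in entry["negotiations"]:
            entry["negotiations"].append(rec["nego"])
        for needle, cause in SIGNATURES:
            if needle in rec["msg"] and cause not in entry["causes"]:
                entry["causes"].append(cause)
        if "phase1 down" in rec["msg"]:
            entry["down"] = True
    return report


def root_cause(report: Dict[str, dict], tunnel: str) -> str:
    """The earliest recognised failure is the root cause; later ones follow from it."""
    entry = report.get(tunnel)
    if entry is None:
        return f"no ike events for tunnel {tunnel!r}"
    if entry["causes"]:
        return entry["causes"][0]
    if entry["down"]:
        return "tunnel went down without a known failure signature"
    return "no failure signature seen"


if __name__ == "__main__":
    result = diagnose(SAMPLE_DEBUG.splitlines())
    for name in result:
        print(f"{name}: {root_cause(result, name)}")
```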
Android device
Figure: Network diagram. Android device connecting over an IPsec VPN to the office FortiGate's wan1 interface (example.com); the office servers are on the dmz interface.
Solution
The easiest way to connect to the office from a remote location is by VPN. It is secure and it appears
as if you are physically on the network at the office. To connect over an IPsec VPN connection with
an Android device, you need to use L2TP.
In this example, user wloman is part of the Android_Users user group. The Android mobile device will
be assigned an IP address in the range 192.168.1.90 - 192.168.1.99. This VPN is policy based, not
interface based.
For this example an LG P999 mobile phone running Android 2.2.2 was used. Menu options may
vary for different models or versions of the Android OS.
The steps involved include:
Go to User > User > User, select Create New and create the following user account:
Name
wloman
Password
my1pass
Select OK.
Go to User > User Group > User Group select Create New to create a user group for Android
users.
Name
Android_users
Type
Firewall
Available Users
Select OK.
Go to Firewall Objects > Address > Address and select Create New to add a firewall
address for Android users.
Address Name
Android_Users
Type
Subnet / IP Range
Subnet / IP Range
192.168.1.[90-99]
Interface
wan1
Select OK.
Select Create New to add a firewall address for the DMZ network.
Address Name
DMZ_Server
Type
Subnet / IP Range
Subnet / IP Range
10.10.10.0/255.255.255.0
Interface
dmz
Select OK.
Go to VPN > IPsec > Auto Key (IKE), and select Create Phase 1.
Name
AndroidVPN
Remote Gateway
Dialup User
Local Interface
wan1
Mode
Main
Authentication Method
Preshared Key
Preshared Key
fortinet123
Peer Options
Disable
1 - Encryption
AES256
1 - Authentication
MD5
2 - Encryption
3DES
2 - Authentication
SHA1
DH Group
Select OK.
Go to Policy > Policy > Policy and select Create New to add a security policy for the IPsec VPN.
Source Interface/Zone
WAN1
Source Address
Android_Users
Destination Interface/Zone
DMZ
Destination Address
DMZ_Server
Action
IPSEC
enable
VPN Tunnel
AndroidVPN
Inbound
enable
Outbound
enable
Select OK.
Move the policy to the top of your policy list to ensure it is matched first.
On the Android device, go to Settings > Wireless & Networks > VPN Settings.
Enter the following information, and select the Menu Key > Save.
VPN Name
Office_DMZ_server
VPN Server
210.0.0.1
fortinet123
Results
To test the configuration:
When the VPN connects, you will have access to the office servers as expected.
The output can indicate something as simple as a pre-shared key mismatch, caused by the Android
user entering the password incorrectly.
Using the FortiGate FortiClient VPN Wizard to set up a VPN to a private network
Figure: Network diagram. Office FortiGate with the internal network on its internal interface and wan1 on the Internet, connected by an IPsec VPN with XAuth to a remote FortiClient user with a dynamic IP address.
Solution
Watch the video: http://docs.fortinet.com/cb/vpn1.html
FortiOS 4.3.1 includes a feature called the FortiClient VPN Wizard, which provides an easy way
to set up a VPN with FortiClient Connect. The wizard and FortiClient Connect take care of
encryption, authentication and related options.
In this example, user sgreen is part of the Wizard_Users user group. Once the VPN tunnel is up,
sgreen's FortiClient Connect will be assigned an IP address in the range 192.168.1.90 - 192.168.1.99.
The VPN is interface based.
The FortiClient VPN Wizard configuration here was tested with FortiClient 4.2.1, FortiClient Connect
(4.3), and FortiClient 4.3.2.
On the FortiGate unit, the VPN is on the wan1 interface, the public facing interface with a domain of
example.com. The office network is on the FortiGate internal interface.
The FortiGate units public facing interface, wan1 here, must have a public IP address, a public
domain name, or a domain name resolved by dynamic DNS. This example uses the domain name
example.com for the FortiGate unit gateway information.
Create the sgreen user account and the Wizard_users group
Go to User > User > User and select Create New and add a user account for the FortiClient VPN user.
User Name
sgreen
Password
my1pwd
Select OK.
Go to User > User Group > User Group and select Create New to create a user group for
FortiClient VPN users.
Name
Wizard_users
Type
Firewall
Available Users
Select OK.
Go to Firewall Objects > Address > Address and select Create New to enter the following
information.
Address Name
Wizard_Range
Type
Subnet / IP Range
Subnet / IP Range
192.168.1.[80-89]
Interface
Any
Select OK.
Select Create New to add a firewall address for the internal network.
Address Name
Internal_Range
Type
Subnet / IP Range
Subnet / IP Range
192.168.1.0/255.255.255.0
Interface
Any
Select OK.
Go to VPN > IPsec > Auto Key (IKE), select Create FortiClient VPN and enter the following:
Name
Wiz
wan1
Authentication Method
Pre-shared key
Pre-shared Key
fortinet123
User Group
Wizard_users
192.168.1.80
192.168.1.89
Subnet Mask
255.255.255.0
Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 2 to enter the following
information.
Name
Wiz2
Phase1
Wiz
Go to Policy > Policy > Policy and select Create new and enter the following.
Source Interface/Zone
Wiz
Source Address
Wizard_Range
Destination Interface/Zone
Internal
Destination Address
Internal_Range
Action
ACCEPT
enable
Enable NAT
disable
Go to IPsec VPN.
Connection name
Wizard
Description
Remote gateway
example.com
Authentication Method
Pre-shared Key
Pre-shared Key
fortinet123
Authentication (XAuth)
Prompt on Login
Select OK.
Results
To test the configuration, select the Wizard VPN configuration in FortiClient Connect and select
Connect. When connected, the status will appear as UP.
The output can indicate something as simple as a pre-shared key mismatch, caused by the
FortiClient user entering the password incorrectly.
Figure: Network diagram. FortiGate 1 (port1 172.16.1.1, port2 192.168.1.1, port3 10.20.1.1) and FortiGate 2 (port1 172.16.1.2, port2 192.168.1.2, port3 10.21.1.1) connected by redundant IPsec tunnels over port1 and port2.
Solution
On each FortiGate unit, configure the redundant OSPF network and distance and the redundant
IPsec VPN setup. These steps assume that all FortiGate interfaces have been connected and
configured for their networks.
Add redundant IPsec tunnels to FortiGate 1
First, configure two IPsec VPN tunnels.
Go to VPN > IPsec > Auto Key (IKE) , select Create Phase 1 and enter the following:
Name
primary_tunnel
Remote Gateway
Static IP Address
IP Address
172.16.1.2
Local Interface
port1
Authentication Method
Preshared Key
Pre-shared Key
primarypassword
Select OK.
Select Create Phase 2 and enter the following:
Name
P2_primary_tunnel
Phase 1
primary_tunnel
Select OK.
Select Create Phase 1 and enter the following:
Name
second_tunnel
Remote Gateway
Static IP Address
IP Address
192.168.1.2
Local Interface
port2
Authentication Method
Preshared Key
Pre-shared Key
secondpassword
Select OK.
Select Create Phase 2 and enter the following:
Name
P2_secondary_tunnel
Phase 1
second_tunnel
Select OK.
Go to System > Network > Interface and edit the primary_tunnel tunnel interface:
IP
10.1.1.1
Remote IP
10.1.1.2
Select OK.
Edit the second_tunnel tunnel interface:
IP
10.2.1.1
Remote IP
10.2.1.2
Select OK.
Add OSPF interface entries for both tunnels:
Name
primary_tunnel
Interface
primary_tunnel
Name
second_tunnel
Interface
second_tunnel
Select OK.
Finally, configure the cost of both tunnels so that the primary tunnel is the default connection with
the secondary tunnel as redundant failover. The cost is set in the CLI:
config router ospf
config ospf-interface
edit primary_tunnel
set cost 10
set interface primary_tunnel
next
edit second_tunnel
set cost 100
set interface second_tunnel
end
end
Add redundant IPsec tunnels to FortiGate 2
Configure the matching two IPsec VPN tunnels on FortiGate 2.
Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and enter the following:
Name
primary_tunnel
Remote Gateway
Static IP Address
IP Address
172.16.1.1
Local Interface
port1
Authentication Method
Preshared Key
Pre-shared Key
primarypassword
Select OK.
Select Create Phase 2 and enter the following:
Name
P2_primary_tunnel
Phase 1
primary_tunnel
Select OK.
Select Create Phase 1 and enter the following:
Name
second_tunnel
Remote Gateway
Static IP Address
IP Address
192.168.1.1
Local Interface
port2
Authentication Method
Preshared Key
Pre-shared Key
secondpassword
Select OK.
Select Create Phase 2 and enter the following:
Name
P2_second_tunnel
Phase 1
second_tunnel
Select OK.
Go to System > Network > Interface and edit the primary_tunnel tunnel interface:
IP
10.1.1.2
Remote IP
10.1.1.1
Select OK.
Edit the second_tunnel tunnel interface:
IP
10.2.1.2
Remote IP
10.2.1.1
Select OK.
Add OSPF interface entries for both tunnels:
Name
primary_tunnel
Interface
primary_tunnel
Select OK.
Name
second_tunnel
Interface
second_tunnel
Select OK.
Finally, configure the cost of both tunnels so that the primary tunnel is the default connection with the
secondary tunnel as redundant failover. The cost is set in the CLI:
config router ospf
config ospf-interface
edit primary_tunnel
set cost 10
set interface primary_tunnel
next
edit second_tunnel
set cost 100
set interface second_tunnel
end
end
Results
The VPN network between the two OSPF networks will use the primary VPN connection. In the event
that the VPN tunnel goes down, the secondary tunnel will be used automatically.
Use the following CLI commands to view the status and traffic on the network:
get router info ospf neighbor
get router info routing-table ospf
Authentication
Identifying users and other computers (authentication) is a key part of network security. This chapter
describes some basic elements and concepts of authentication.
Businesses need to authenticate people who have access to company resources. In the physical
world this may be a swipe card to enter the building, or a code to enter a locked door. If a person has
this swipe card or code, they have been authenticated as someone allowed in that building or room.
Authentication is the act of confirming the identity of a person or other entity. In the context of a
private computer network, the identities of users or host computers must be established to ensure
that only authorized parties can access the network. The FortiGate unit enables controlled network
access and applies authentication to users of security policies and VPN clients.
This chapter includes the following authentication examples:
Creating a security policy to identify users, restrict access to certain websites, and control use of
applications
Solution
Watch the video: http://docs.fortinet.com/cb/auth1.html
Enable FortiGate user authentication by creating a user group named Sales and adding a user named
wloman to this group. Then add an identity based policy to a security policy that accepts
connections from the internal network to the Internet. Add the Sales user group to the identity based
policy. Test the configuration by authenticating with the FortiGate unit and viewing the information
displayed in the user monitor.
This solution describes adding a user to the FortiGate local user database. FortiOS user
authentication can also integrate with LDAP, RADIUS, or TACACS+ servers, Windows NTLM, Fortinet
single sign on (FSSO), and PKI solutions.
Go to User > User Group > User Group and select Create New to add a user group with the
following settings:
Name
Sales
Type
Firewall
Select OK.
Go to User > User > User and select Create New to add a user with the following settings:
Name
wloman
Password
password
Sales
Select OK.
Go to Policy > Policy > Policy and Edit a policy that allows users to access the Internet.
Select Enable Identity Based Policy and Add an identity-based policy with the following
settings:
Sales
Selected Services
ANY
Schedule
always
Results
From a web browser on the internal network, attempt to access the Internet. If the session is
accepted by the policy that you added the identity based policy to you should be prompted for a user
name and password. Enter wloman and password. If authentication is successful you should be able
to browse anywhere on the Internet.
You can customize the authentication page that users see by going to System > Config >
Replacement Message > Authentication > Login page.
From the FortiGate web-based manager go to User > Monitor > Firewall to view the list of
authenticated firewall users. An entry similar to the following should appear:
If you select De-authenticate All Users or if you select the De-authenticate user icon for
Example_user you will have to authenticate with the firewall again to continue browsing the Internet.
You can also go to Log&Report > Log & Archive Access > Event Log to view log messages
recorded when the users authenticated.
Identify users and restrict access to websites by category
Solution
Block access to shopping and auction websites by adding a web filter profile named Sales_web_filter
that blocks shopping and auction websites. Enable web filtering for the identity based policy created
in Creating a security policy to identify users on page 353 and add the Sales_web_filter profile to it.
Test the configuration by authenticating and then attempting to browse to an online shopping web
site.
This example requires the FortiGate unit to have a valid FortiGuard Web Filtering license.
Go to UTM Profiles > Web Filter > Profile and select Create New to add a new web filter profile
group named Sales_web_filter.
Select the FortiGuard Categories > General Interest - Personal > Shopping and Auction
category, then select Block as the action for selected categories.
Go to Policy > Policy > Policy and Edit the policy that allows users to access the Internet and
contains the identity based policy.
Edit the identity based policy that includes the Sales user group.
Select UTM.
Save the changes to the identity based policy and the security policy.
Results
Go to User > Monitor > Firewall and deauthenticate the wloman user. From a web browser on the
internal network, attempt to access the Internet. If the session is accepted by the identity based
policy you should be prompted for a user name and password. Enter wloman and password. If
authentication is successful you should be able to browse the Internet.
Attempt to access an online shopping or auction website. A FortiGuard Web Filtering web page
blocked message appears, blocking access to the website.
If you attempt to access an online shopping page before authenticating, the FortiGate unit asks
you to authenticate. After you authenticate, the FortiGuard web page blocked message appears.
You can customize the FortiGuard web filtering page that appears by going to System > Config >
Replacement Message > FortiGuard Web Filtering > URL block message.
From the FortiGate web-based manager go to UTM Profiles > Monitor > Web Monitor to view
graphs of FortiGuard Web Filtering activity. The graphs should show that the Shopping and Auction
category has been blocked.
Creating a security policy to identify users, restrict access to certain websites, and control use of applications
Solution
Blocking nuisance applications is common on corporate networks to control bandwidth usage, illegal
file sharing, and employee time wasting.
Enable web filtering and block access to shopping and auction websites for the identity based policy
as described in Identify users and restrict access to websites by category on page 355. Then add
the Sales_app_sensor profile to it to block excessive bandwidth applications. Test the configuration
by authenticating and then attempting to use a blocked application such as BitTorrent, KaZaa, or
eDonkey. This example requires the FortiGate unit to have a valid FortiGuard Web Filtering license.
Go to UTM Profiles > Application Control > Application Sensor and select Create New to add
a new detection list named Sales_app_sensor.
Select Create New above the list to create a new application detection entry that blocks all
running applications in the instant messaging category.
Select Create New to create a new application detection entry that allows Skype. Select Instant
Messaging category, and specify the application. Select Filter by Vendor and find Skype
Technologies in the list, and select Allow for the action.
Move the Skype entry above the block all instant messaging. Otherwise, Skype will be blocked
with all the other IM applications.
Go to Policy > Policy > Policy and Edit the policy that allows users to access the Internet and
contains the identity based policy.
Edit the identity based policy that includes the Sales user group.
Select UTM.
Select Enable Web Filter and select the Sales_web_filter profile.
Save the changes to the identity based policy and the security policy.
Results
Go to User > Monitor > Firewall and deauthenticate wloman. From a web browser on the internal
network, attempt to access the Internet. If the session is accepted by the policy that you added the
identity based policy to, you should be prompted for a user name and password. Enter wloman and
password. If authentication is successful you should be able to browse the Internet.
Attempt to access an online shopping or auction website. A FortiGuard Web Filtering web page
blocked message appears, blocking access to the website.
Attempt to use one of the blocked high bandwidth applications. It should be blocked through the
Application Sensor.
If you attempt to access an online shopping page before authenticating, the FortiGate unit asks
you to authenticate. After you authenticate, the FortiGuard web page blocked message appears.
You can customize the FortiGuard web filtering page that appears by going to System > Config >
Replacement Message > FortiGuard Web Filtering > URL block message.
From the FortiGate web-based manager, go to UTM Profiles > Monitor > Web Monitor to view
graphs of FortiGuard Web Filtering activity. The graphs should show that the Shopping and Auction
category has been blocked.
FortiGate Cookbook
http://docs.fortinet.com/
If you use the Application Sensor to block games when you are not logged in, the games will not be
able to connect, and because of that some will simply not start up. For example, the World of
Warcraft launcher never appears after you start it when it is blocked like this. Other games, such as
World of Tanks, load their launcher before attempting to connect, so with those games you will get an
error message instead.
[Network diagram: internal network on port10 (10.1.100.1); Windows AD domain controller ad864r2 (10.1.100.131); FortiGate unit; port9]
Solution
Configure the FortiGate unit to obtain logon information about Windows AD users from the Windows
AD domain controller. This information includes each user's Windows AD user group. Create an
identity-based policy to grant access only to users belonging to specific groups.
The FortiGate unit obtains logon information about Windows AD users from the FSSO Collector
Agent.
Configure the FSSO Agent
On the Windows AD server, from the Start menu, select Programs > FortiNet >
Fortinet Single Sign On Agent > Configure Fortinet Single Sign On Agent.
Select Require Authenticated Connection from FortiGate and enter a password, forti123,
for example.
In the Common Tasks section, select Set Directory Access Information and set AD access
mode to Standard. Select OK.
In the Common Tasks section, select Set Group Filters, and then select Add to create a new
filter.
Add the groups AD864R2/GROUP1, AD864R2/GROUP2, AD864R2/GROUP3, and
AD864R2/GROUP4.
Select OK.
Name: AD-server
10.1.100.131
Port: 8000
Password: forti123
Select OK.
Go to User > User Group > User Group and select Create New to enter the following user
group configuration:
Name: AD
Type
Members
Select OK.
Go to Policy > Policy > Policy and select Create New to add an identity-based policy that
requires authentication for connections from port10 to port9.
Enter:
Source Interface/Zone: port10
Source Address: all
Destination Interface/Zone: port9
Destination Address: all
Action: ACCEPT
Enable NAT: Select.
Select.
Select.
NTLM Authentication: Select.
Select Add and add the AD user group to the identity-based policy:
User Group: AD
Service: ANY
Schedule: always
Select OK to save the authentication rule and then select OK to save the policy.
Results
Windows AD users in the selected Windows AD user groups who have already logged into the
Windows AD network can access the Internet without being asked by the FortiGate unit to enter their
logon credentials again.
[Network diagram: FortiAuthenticator unit; internal network on port3; FortiGate unit]
Solution
Set up a FortiAuthenticator unit as a RADIUS server that multiple FortiGate units can use for
authentication.
On the FortiAuthenticator unit, you need to create a user account for each employee. Register each
FortiGate unit on the FortiAuthenticator unit as a Network Access Server (NAS) so that it can request
user authentication.
Create user accounts on the FortiAuthenticator unit
Go to Authentication > Users > Users and select Create New to create a user account:
Username: wloman
Password: my_secure_pwd
Password confirmation: my_secure_pwd
Go to Authentication > NAS > NAS and select Create New. Enter the following information
about the FortiGate unit:
Name: FortiGate1
Server Name / IP: 172.20.120.132
Secret: hardtoguess
You will also enter this Secret on the FortiWiFi unit.
Go to User > Remote > RADIUS and select Create New to add the FortiAuthenticator unit as a
RADIUS server.
Name: facRADIUS
Type: Query
172.20.120.53
Secret: hardtoguess
This is the same Secret that you entered on the FortiAuthenticator unit.
Go to User > User Group > User Group and create a user group with facRADIUS as its only
member:
Name: wifi-user-grp
Type: Firewall
facRADIUS
Group Name: Any
Go to Policy > Policy > Policy and select Create New to add an Office-to-Internet policy that
allows users to access the Internet.
Source Interface/Zone: wifi
Source Address: all
Destination Interface/Zone: wan1
Destination Address: all
Select Enable Identity Based Policy, select Add, and enter the following information:
User Group: wifi-user-grp
Service: ANY
Schedule: always
Select OK.
Results
On a computer connected to the internal network, attempt to connect to a web site on the
Internet. You should be asked for your user name and password. After entering valid credentials, you
should have access to the web site.
[Diagram: user and FortiGate unit]
Solution
Two-factor authentication is fast becoming an industry requirement. FortiToken is a cost-effective
solution. With its combination of something you know (your username and password) and
something you have (the FortiToken device), it improves your network security with little extra work
for administrators.
FortiToken is a one-time password generator that users must carry with them. It generates a six-digit
code that the user enters in addition to username and password at logon as an extra factor of
security. It serves a similar purpose to RSA's SecurID tokens.
To add a new FortiToken to a user, the FortiToken must first be added to the FortiGate unit, verified by
the FortiGuard system, and the FortiGate and FortiToken clocks must be synchronized. Then the
FortiToken can be applied to the user account. Test the configuration by having the user log in and
be prompted for the FortiToken-generated code.
This solution assumes you have a FortiToken, the user account wloman is already created, and is part
of a user group that is used in an identity-based security policy.
FortiTokens and other two-factor authentication can be added to local or remote users or
administrators. This applies to FortiToken-200, with other models having minor variations.
Get your FortiToken and make sure it is working. Press the button. It should display a six-digit
number and, to the left, a stack of up to six bars. These represent the time until the code changes,
one bar for each 10 seconds. After a few seconds the display should turn off to save power. Turn
the FortiToken over and verify there is a serial number. It is 16 characters long and starts with FTK. For
this example the token serial number is FTK2000BHV1KRZCC.
FTK2000BHV1KRZCC
Automatically Send Activate Request to FortiGuard: Select
You may have problems entering the serial number. If any of the characters are wrong, it will be
invalid. If you already entered this serial number, it will be invalid. If it is the wrong length, it will be
invalid. For security reasons there is no hint of what is wrong; you must determine that
yourself.
Wait for the FortiGuard system to validate your FortiToken's serial number. When you first enter
the serial number, its status is listed as New. Once FortiGuard validates the serial number, the
status changes to Active.
Go to User > FortiToken > FortiToken, select the FortiToken serial number you just added, and
select Synchronization.
The FortiToken Synchronization window appears.
Press the button on your FortiToken, and enter the resulting six-digit number in the First Code
field. The bars displayed on the left side of the FortiToken display are a countdown to when the
code changes. When the displayed code changes, press the FortiToken button again, and enter
that code in the Second Code field.
Go to User > User > User and edit the user account. Select Enable Two-factor Authentication,
under Deliver Token Code by ensure that FortiToken is selected, and choose your serial number from
the drop-down list.
If there are no FortiTokens listed in the drop-down list on the user edit page, go to User >
FortiToken > FortiToken and verify the status of the entry. If it does not say Active, it is not
available to be associated with a user's account. Generally the FortiGuard system will verify the
FortiToken serial number after a short period of time. If this does not happen, ensure you have a
valid connection to the FortiGuard network. See the FortiGuard Troubleshooting section.
Results
To verify that the user has two-factor authentication configured, go to User > User > User. On the list of
users that is displayed, wloman will have a green check under Two-factor Authentication. This verifies
that some form of two-factor authentication is associated with this account.
To verify the user has FortiToken two-factor authentication properly configured, go to User >
FortiToken > FortiToken. On the list of FortiToken serial numbers, the one associated with the
wloman account will have wloman displayed in the User column.
You can also go to Log&Report > Log & Archive Access > Event Log to view log messages
recorded while registering the FortiToken, and changing the user account:
Best Practices
If you are assigning an administrator a FortiToken, ensure there is another administrator account
configured as a fallback in case there are problems authenticating. Otherwise you will be unable to
log on.
On a regular basis, check all FortiTokens for drift. To do this, take the token in your hand, go to User >
FortiToken > FortiToken, and select Synchronize. When you enter the two codes, you are updating
the FortiGate unit with any drift in the FortiToken clock that might have occurred. This
prevents logon issues due to drift.
Solution
When you see a "Connection is untrusted" type of message, it means there is a problem with the
certificate for the website you are connecting to.
Anytime you browse a website, you are using either HTTP or HTTPS. The difference between them is
that HTTPS has security. This security is in the form of certificates that identify the source as
legitimate. Without a valid certificate, the customer does not know whether it is really the true website, or
whether a hacker has hijacked their connection with malicious intent.
With FortiGate units, this message occurs for two reasons: because the default certificate used by
the FortiGate unit is a self-signed certificate, and because the certificate is valid only for the FortiGate
unit. To be trusted, a certificate must be signed by a known certificate authority (CA) that the web
browser can verify. For example, if Fred's certificate is signed by Bob, and Bob's certificate is signed
by Peter, then anytime someone checks Fred's certificate they must be able to trace it back to Peter
and verify that Peter is trustworthy. Any break in that chain, and Fred's certificate is seen as
untrustworthy.
Contact your ISP or other online services provider to get a trusted intermediate CA certificate for your
FortiGate unit. When you are giving them the information, make sure it is clear where you will be
using this certificate: on an internal network, a public facing website, or across your enterprise.
Ensure it is a CA certificate as this allows you to sign certificates for local users for applications such
as VPN.
Generally, online service providers include a form for you to fill out to create your certificate when
you are paying for it on their website. Another common method is to generate a certificate
signing request (CSR) with an application such as openssl. This is a request that is sent to the certificate
authority that will provide your certificate. They process the request, usually automatically, and
return a certificate to the email address provided, based on the information in the CSR.
The certificate from the CA is a text file that contains the information you included in the CSR as well
as details about the CA that issued the certificate, when it was issued and when it expires, and the
fingerprints or encryption associated with it.
To install a CA certificate from your computer on the FortiGate unit, go to System > Certificates >
CA Certificates and select Import. After you browse to the certificate file, which is usually a .cer or
.p12 format text file, and select it, it will be installed on your FortiGate unit. You can verify this by
refreshing the display to see the new certificate. It will be displayed by name and subject, and you
can select it for more in-depth details if you need to verify it.
Now when you are using an HTTPS or other SSL connection, your FortiGate unit will not generate
untrusted-certificate error messages.
[Network diagram: internal network 172.16.120.10-100; FortiGate unit 172.16.120.201; FortiAnalyzer unit 172.16.120.154]
Solution
Find out what these log messages mean by understanding each part of the log message.
The parts of the log message, called log fields, contain specific information. For example, the date
log field contains information about the day, month and year of when the log message was recorded.
You can look at log messages as puzzles: each piece of the log message is a piece of a puzzle, and
when those pieces are put together, they show the whole picture. Log messages provide valuable
insight into how to better protect the network traffic against attacks, misuse and abuse.
The log messages saved to your computer are in a format called Raw. This format is how the log
messages appear in the log file on the FortiGate unit. When viewing the log messages in the web-based manager, you are viewing them in the format called Format. This view allows you to
customize what information you see on the page, whereas in Raw format you cannot.
On your computer, open the file and scroll down to locate the application control log
messages with the message web:HTTP.BROWSER.
Since these log messages are the same, pick one and break it into the two groups that make up a
log message: the log header and log body. The first group is what will be looked at first, the log
header.
2011-08-17 13:40:20 log_id=28704 type=app-ctrl subtype=app-ctrl-all pri=information vd=root
date=2011-08-17  The year, month and day of when the event occurred, in yyyy-mm-dd format.
time=13:40:20
log_id=28704
type=app-ctrl
subtype=app-ctrl-all
pri=information  The severity level of the event. In this log message, this means
that there is general system information.
vd=root
Now we know the first part of what the log message is saying: an application control event
occurred on August 17, 2011 at 1:40 pm, and this is general system information.
Next, we look at the rest of the log message, the log body.
attack_id=15893
src=10.10.20.3
src_port=52315
src_int=internal
dst=67.69.176.57
dst_port=80
dst_int=wan1
src_name=10.10.20.3
dst_name=67.69.176.57
proto=6
service=http
policyid=1
serial=20596
app_list=default
msg=web:HTTP.BROWSER
From the log body, we now know that the traffic flowing through wan1 (the external interface
on the FortiGate unit) was scanned by the FortiGate unit using security policy 1, which had
the default application control profile applied to it. From those rules, the FortiGate unit matched
the traffic. The user (internal, 10.10.20.3) was accessing the Internet and was using the
application HTTP.BROWSER.
Knowing the application was HTTP.BROWSER, we can look up exactly what this application is by
going to the FortiGuard Center.
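As an added example for this section (not code from the FortiGate Cookbook or from Fortinet), the following Python parser splits a raw-format log line into the header and body fields the way the text above reads them, builds the same plain-language summary, and picks out entries that report a failure or reach a chosen severity. Its two sample lines are copied from this cookbook, the app-ctrl message above and the alert-email failure message from the SSL VPN alert-email recipe later on; the header/body split and the severity ordering are assumptions made here, not output of any Fortinet tool.

```python
import re
from datetime import datetime

# Fields the cookbook places in the log header; every other field is body.
# (Assumption based on the field list in this section.)
HEADER_FIELDS = {"date", "time", "log_id", "type", "subtype", "pri", "vd"}

# FortiOS severity levels, most severe first, used for threshold checks.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notice", "information", "debug"]

# Raw lines open with "YYYY-MM-DD HH:MM:SS" before the first key=value.
_PREFIX_RE = re.compile(r"(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\s+")

# key=value pairs. A value is either double-quoted or runs up to the next
# " key=" token, so an unquoted message containing spaces (as the cookbook
# prints the alert-email failure) is kept whole.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|\s*$)')

# Sample input, copied from the two log messages shown in this cookbook:
# the app-ctrl message above and the alert-email failure from the SSL VPN
# alert-email recipe. "src_int= internal" is kept as the cookbook prints it.
SAMPLE_APP_CTRL = (
    "2011-08-17 13:40:20 log_id=28704 type=app-ctrl subtype=app-ctrl-all "
    "pri=information vd=root attack_id=15893 src=10.10.20.3 src_port=52315 "
    "src_int= internal dst=67.69.176.57 dst_port=80 dst_int=wan1 "
    "src_name=10.10.20.3 dst_name=67.69.176.57 proto=6 service=http "
    "policyid=1 serial=20596 app_list=default msg=web:HTTP.BROWSER"
)
SAMPLE_ALERT_EMAIL = (
    "2010-04-05 13:34:31 log_id=01000200003 type=event subtype=system "
    "vd=root pri=notice user=system ui=system action=alert-email "
    "status=failure count=5 msg=Failed to send alert email from "
    "mail.exmpl.com to myemailaddress@example.com"
)


def parse_raw_log(line):
    """Split one raw-format log line into (header, body) dicts."""
    line = line.strip()
    header, body = {}, {}
    m = _PREFIX_RE.match(line)
    if m:
        header["date"], header["time"] = m.group(1), m.group(2)
        line = line[m.end():]
    for key, value in _FIELD_RE.findall(line):
        value = value.strip().strip('"')
        (header if key in HEADER_FIELDS else body)[key] = value
    return header, body


def event_timestamp(header):
    """Combine the date and time header fields into a datetime."""
    return datetime.strptime(header["date"] + " " + header["time"],
                             "%Y-%m-%d %H:%M:%S")


def at_least(pri, threshold):
    """True if severity `pri` is as severe as `threshold` or more so."""
    return SEVERITY.index(pri) <= SEVERITY.index(threshold)


def describe(header, body):
    """One-line summary in the order the cookbook reads the message:
    kind of event, when, how severe, then who talked to whom."""
    when = event_timestamp(header).strftime("%B %d, %Y at %H:%M")
    parts = ["%s event on %s, severity %s"
             % (header.get("type"), when, header.get("pri"))]
    if "src" in body and "dst" in body:
        parts.append("%s -> %s via %s"
                     % (body["src"], body["dst"], body.get("dst_int", "?")))
    if "policyid" in body:
        parts.append("policy %s" % body["policyid"])
    if "msg" in body:
        parts.append("msg=%s" % body["msg"])
    return "; ".join(parts)


def events_of_interest(lines, min_pri="notice"):
    """Return (header, body) for lines that report status=failure or are
    at least `min_pri` severe: the entries worth a closer look first."""
    hits = []
    for line in lines:
        header, body = parse_raw_log(line)
        pri = header.get("pri", "debug")
        if body.get("status") == "failure" or at_least(pri, min_pri):
            hits.append((header, body))
    return hits


if __name__ == "__main__":
    for sample in (SAMPLE_APP_CTRL, SAMPLE_ALERT_EMAIL):
        h, b = parse_raw_log(sample)
        print(describe(h, b))
```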
In the web-based manager, go to UTM Profiles > Application Control > Application List.
In the search field, enter HTTP.BROWSER; when it appears in the list on the page, select its
name.
You are automatically redirected to the FortiGuard Center page that contains all the information
you need to know about the application, HTTP.BROWSER.
The description for this log message on the FortiGuard Center page says this application has only
a medium risk, and indicates that an HTTP client request attempted to contact an HTTP
server, which usually listens on port 80. This is not an attack or an exploit.
You can use the FortiGate Log Message Reference to understand log messages. It contains an
explanation of each log field for each log message.
You have recently set up a FortiAnalyzer unit and need a backup solution. Before integrating the
FortiGate unit into your network, you were using a Syslog server, which you would like to use again.
[Network diagram: internal Syslog server; logs being sent from the FortiGate unit to the Syslog server; logs being sent from the FortiGate unit to the FortiAnalyzer unit; network; FortiAnalyzer unit]
Solution
Configure the FortiAnalyzer and Syslog server first, and then configure the FortiGate unit to send logs
to both log devices.
The FortiAnalyzer unit, a Fortinet log device, provides another location for storing
logs. The FortiAnalyzer unit can log all FortiGate activity that is available for logging, including
archival of log files. The FortiAnalyzer unit has many features, for example managing multiple
FortiGate units' logging requirements, as well as creating customized FortiAnalyzer reports that
organize and monitor FortiAnalyzer unit information.
The following steps begin immediately after you have set up the FortiAnalyzer unit on your network.
Before configuring the FortiGate unit, ensure both the FortiGate unit and the FortiAnalyzer unit have
the same firmware version and maintenance release. If both do not have the same firmware version
and maintenance release, issues may arise, such as being unable to send logs to the FortiAnalyzer
unit.
Update your third party Syslog server software, and verify that it is up and running properly.
On the FortiGate unit, use the CLI command execute ping to ping the FortiAnalyzer unit and
then do the same for your Syslog server.
If there is 100 percent packet loss, troubleshoot the networking problem before proceeding.
On the FortiGate unit, go to Log&Report > Log Config > Log Setting and verify that you are
currently logging to the FortiGate units local disk.
Enter the following CLI command to add the FortiAnalyzer unit:
config log fortianalyzer setting
set status enable
set address-mode static
set server 172.20.120.138
set upload-option realtime
end
Test the connection between the FortiGate unit and FortiAnalyzer unit. On your FortiGate unit go
to Log&Report > Log Config > Log Setting, select Upload logs remotely, and then select Test
Connectivity.
By selecting Test Connectivity, you can see if there are any issues with the settings. For example,
if Connection Status in the FortiAnalyzer Connection Summary window shows Logs not received,
there is an issue sending the logs to the FortiAnalyzer unit. You can
troubleshoot the problem by checking the FortiGate and FortiAnalyzer configurations and
verifying that network connections between the two devices are possible. If the Connection
Status has a green checkmark, you are successfully logging to the first FortiAnalyzer.
On the same page, select Apply to enable uploading of logs to the FortiAnalyzer unit.
To upload the logs to the FortiAnalyzer unit at a scheduled time, select Change beside
FortiAnalyzer (Daily at 00:60) to change the daily upload time to 22:00.
Results
On the FortiAnalyzer unit, you should now see logs appearing on each unit, in Log & Archive > Log
Access. You should also be seeing logs appear on the Syslog server.
If you are not seeing any logs on the FortiAnalyzer unit, verify that the device has been included in the
Devices menu list. Check the FortiAnalyzer documentation to help troubleshoot any
FortiAnalyzer problems that appear.
There is no command to verify the FortiGate unit's connection with the Syslog server. If you are
having issues between the Syslog server and the FortiGate unit, you should verify that you can ping
the Syslog server through your FortiGate unit.
You should test that logs can be sent to the FortiAnalyzer unit to ensure log messages are being
sent. By testing the connection, you can easily and quickly resolve any issues that may occur, such
as logs not being sent, or an issue on the FortiAnalyzer side, such as the device not
appearing on the FortiAnalyzer unit's Devices list.
To test that the FortiGate unit can send logs to the FortiAnalyzer unit, use the diag log test command to
generate logs, and then view them from the FortiAnalyzer unit to verify that they were sent.
diag log test
generating
generating
generating
generating
generating
generating
generating
generating
generating
generating
generating
generating
generating
generating
[Network diagram: FortiGate unit; SSL VPN user; admin; network]
Solution
Create an alert email to notify you that an SSL VPN login failure occurred.
The following assumes that you have already set up logging and that event logging has been
enabled. For this example, turn off all other event logging before you start, to prevent non-SSL VPN log messages from confusing things.
Event logging must be enabled (in Log&Report > Log Config > Log Setting) so that this alert email
can be sent. SSL VPN events are one of the event types logged to the event log and therefore must
be enabled in Event Logging.
When entering the email addresses for the alert email configuration, you need to enter two email
addresses. The first email address is for the sender of the alert email and the second is for the receiver of
the alert email. The sender can be any email address that helps to identify that the email has been
sent from the FortiGate unit. In this solution, we use fortigate@example.com to help identify that the
alert email is sent by the FortiGate unit. The receiving address is your own email address, and in this
solution it is referred to as myemail@example.com.
Under Event Logging, select SSL VPN user authentication so that all SSL VPN authentication
events are logged.
Go to Log&Report > Log Config > Alert E-mail and configure the following:
SMTP server: mail.example.com
Email from: fortigate@example.com
Email to: myemail@example.com
Select Authentication and provide the following login credentials for the SMTP server.
SMTP user: myemail
Password: !eMa1L9
Verify that all information is correct and then select Test Connectivity.
When you select Test Connectivity, the FortiGate unit generates a test alert email message and
sends it to your email address. If you do not receive an email, you need to troubleshoot the
problem. An email log message is only recorded if the SMTP server name is misspelled.
If you accidentally have a typo in the SMTP server field, the log message appears as follows:
2010-04-05 13:34:31 log_id=01000200003 type=event subtype=system
vd=root pri=notice user=system ui=system action=alert-email
status=failure count=5 msg=Failed to send alert email from mail.exmpl.com to
myemailaddress@example.com
In the above log message, you can see that mail.example.com has been
misspelled as mail.exmpl.com. To fix the problem, make the spelling correction and select Test Connectivity again.
Select SSL VPN login failure in Send alert email for the following.
Results
When an SSL VPN user attempts to authenticate using the SSL VPN tunnel, and they are
unsuccessful, this event is logged by the FortiGate unit and you receive an alert email in your inbox.
The body of the email contains the event log message.
Alert email can be sent for any configured event logging events such as DHCP event, IPsec event, or
quarantine event. The complete list of available events can be found at Log&Report > Log Config >
Log Setting.
Select only the specific alert email notification options that you require. Otherwise your inbox could be
flooded with unwanted email messages.
To test that you can receive an alert email notification, on the Alert E-Mail page, select Administrator
login/logout and then select Apply. Log out of the web-based manager and then log back in again.
Check your inbox; an alert email message should be there, with the subject line Message meets
Alert condition that should be similar to the following:
Solution
Modify the default FortiOS UTM report so that it has exactly what you need. Modifying this report is
easy and less time consuming than creating a new custom report. You can create a custom report,
but it's a complex task done entirely from the CLI.
After creating your modified version of the default FortiOS UTM report, you can restore the report
to its default settings, which include all pages and charts.
Go to Log&Report > Report Access > Cover Page and select Edit to change the cover page
information.
Change the following information:
FortiGate UTM
Remove the FortiGate Host Name and FortiGate Serial Number text boxes.
Remove the "The FortiGate Advantage" text box.
Under Sections, select VPN Usage, Threats, Emails, and Bandwidth and Application Usage
and then select Delete.
Under Report Schedule, select Demand from the Schedule Type list.
When you select Demand, you are creating an on-demand report, which you can
generate whenever you want.
Select OK.
If you have been logging web usage for a while, you may see information in some of the charts.
14 Select Run to immediately generate the report.
The report may take a while, depending on how much information has been gathered from the
logs.
Results
A generated report should appear in the list on the Historical Reports page. The following shows a
page of the report as a PDF.
You can view the generated report either as an HTML report, by selecting the report's name in the Report
File column, or as a PDF, by selecting PDF in the Other Formats column. The PDF can be easily
downloaded to your computer and then distributed by email to others.
[Network diagram: internal network 172.16.120.10-100; FortiGate unit 172.16.120.201; FortiAnalyzer unit 172.16.120.154]
Solution
Test the configuration by using Test Connectivity, as well as the diag log test command.
Testing connections between a FortiGate unit and a WebTrends server or Syslog server is not
available. Testing between the FortiGuard Analysis server and the FortiGate unit is supported.
The test involves using both the CLI and the web-based manager.
In the web-based manager, go to Log&Report > Log Config > Log Setting.
To test the connection without using the web-based manager, use the diag log test
command in the CLI.
To verify the number of logs sent, failed, dropped or buffered to the FortiAnalyzer unit, use the
diag fortianalyzer-log mgstats show command.
Go to the FortiAnalyzer unit, and under Log & Archive, view the logs that you just sent from your
FortiGate device.
To check the connectivity between your FortiGate and the FortiGuard Analysis server, in
Log&Report > Log Config > Log Setting, under Logging and Archiving, select Test
Connectivity for the FortiGuard Analysis & Management Service.
The FortiGuard Connection Summary window appears, showing the expiry date, disk quota and
daily volume, and whether or not you are sending DLP archives to the server.
Results
You should be seeing successful results, where logging is being sent to the log device, either a
FortiGuard Analysis server or a FortiAnalyzer unit.
Index
A
access point, 146
Active Directory, 174, 360
admin
idle timeout, 116
trusted location, 115
admin profile
custom, 110
super_admin, 41
administrative port
port
administrative, 116
administrator
creating, 41, 110
administrator profile
custom, 110
alert email, 380
alert notification email for SSL VPN login failures, 380
antivirus
changing the maximum file size, 258
flow-based, 262
software, 315
application control, 282, 357
adding a sensor to a policy, 282
blocking access to social media, 285
blocking instant messaging, 284
blocking peer to peer file sharing, 286
troubleshooting, 282
application monitor, 283
drill down, 283
applications
bandwidth use, 263, 282, 285, 286, 318, 323, 330, 336,
341, 369, 372, 377
blocking, 357
debugging, 143
visualizing, 282
ARP
packet sniffer, 132
assigning IP addresses, 120
authenticate
web filtering, 266
authentication
debugging, 141
two-factor, 366
authoritative dns, 118
B
backup
configuration, 35, 96
backup Internet connection, 45, 53
backup log solution, 377
bandwidth
application use, 263, 282, 285, 286, 318, 323, 330, 336,
341, 369, 372, 377
bandwidth consuming
web filtering, 263
Bing
safe search, 267
bridge table, 33
C
CA Authority, 174
caching
web, 88
captive portal
WiFi, 162
capture
packet, 125
central NAT table, 231
certification, 11
Cisco UNITY client, 330
cloak HTTP headers, 117
cluster, 90
connecting an HA cluster, 92
configuration
backup, 35, 96
connecting a FortiGate HA cluster, 92
count, 196
policy, 196
security policy, 282
customer service, 11
D
Data Leak Prevention, 295, 297
DHCP server, 170
debug
application, 143
authentication, 141
diagnose command, 139
flow, 143, 195, 199
info, 144
IPsec VPN, 141
packet flow, 142
SSL VPN, 140
URL filtering, 142
debugging FortiGate configurations, 139
default route failover, 50, 57
demilitarized zone
network, 61
denial of service
protection, 292
deny policy
count column, 203
verifying, 200
E
ECMP
route priority, 51
routing, 51, 58
spillover, 58
usage-based, 58
email filtering, 294
FortiGuard, 39
enterprise security
wireless, 155
equal cost multipath
routing, 51, 58
ESP
packet sniffer, 132
event log, 380
explicit web proxy
UTM, 87
extended
virus database, 256
extreme
virus database, 256
F
facebook, 185
failover
default route, 50, 57
FAQ, 10
file size
antivirus maximum, 258
filter
packet capture, 135
packet sniffer, 130
firewall
excluding users from UTM, 193
limiting employees Internet access, 185
ordering policies, 201
restricting all DNS queries to a selected DNS server, 204,
208
restricting Internet access per IP address, 189
using geographic addresses, 220
verifying that traffic is hitting a security policy, 196
firewall statistics
diag, 144
firmware
download from Fortinet support, 34
TFTP upgrade, 36
upgrading, 34, 95
version, 34, 95
flow
debug, 143
diag debug, 199
diagnose debug flow, 195
flow-based
antivirus, 261
DLP, 261
UTM, 261
web filtering, 261
FortiAnalyzer, 377
FortiAnalyzer unit, 377
testing sending logs, 379
FortiAP, 146, 150, 170
FortiAP, troubleshooting, 153
FortiASIC, 300
FortiAuthenticator, 363
with FortiWiFi, 158
FortiClient
SSL VPN, 310
FortiClient SSL VPN, 306
FortiGate
security, 113
FortiGuard
Antivirus, 10
email filtering lookups, 39
overriding web filtering, 265
ports used, 39
server list, 40
services, 10
setup, 37
transparent mode, 33
troubleshooting, 37
web filtering category, 268
web filtering lookups, 39
FortiGuard Centre, 268
FortiGuard web filtering, 263
check IP addresses, 278
images, 280
Fortinet
customer service, 11
Knowledge Base, 10
Knowledge Center, 10
MIB, 123
SSL VPN clients, 300
Technical Documentation, 11
Technical Support, 11
Technical Support, registering with, 10
Technical Support, web site, 10
Training Services, 11
Fortinet documentation, 11
Fortitoken
drift, 144
FortiToken device
using with FortiOS, 366
FortiWiFi, 146, 147, 155, 163, 174
IP masquerading, 222
IP Phone
traffic shaping, 216
IP reservation, 120
IPS
fail closed, 291
failover, 291
ips urlfilter status
diagnose, 144
IPsec VPN
debugging, 141
HA, 90
firmware upgrade, 95
hardware configuration, 90
split brain, 91
hardware certificate
diagnose, 144
hardware deviceinfo disk
diagnose, 144
hardware deviceinfo nic eth0
diagnose, 144
high availability, 90
host checking, 315
how-to, 10
HTTP headers, 117
legacy viruses
protecting your network from, 256
license information
dashboard widget, 37
local disk, 378
local DNS server, 118
local server, 118
local-in
policy, 123
location access, 115
location specific login, 115
log messages, 173, 372
DCHCPREQUEST, 173
DHCPACK, 173
DHCPDISCOVER, 173
DHCPOFFER, 173
log to disk, 378
logging
alert notification email for SSL VPN login failures, 380
backup log solution, 377
FortiAnalyzer unit, 377
log message body, 374
log message header, 374
Log Message Reference, 376
testing log configuration, 385
testing sending logs to a FortiAnalyzer unit, 379
understanding log messages, 372
login
alternate port, 116
specific address, 115
general
security policy, 193
geographic addresses, firewall, 220
get system status, 34, 95
glossary, 10
Google
safe search, 267
GRE
packet sniffer, 132
greyware, 255
guest network, 146
documentation, 11
IP address
private network, 7
IP addresses
assigning, 120
web filtering, 278
FortiOS 4.0 MR3
http://docs.fortinet.com/
K
Knowledge Center, 10
N
NAPT, 222
389
Index
NAT
destination NAT, 234, 237, 240, 243, 247
dynamic SNAT, 225
IP masquerading, 222
many-to-one, 222
NAPT, 222
one-to-one, 228
PAT, 222
SNAT, 222
NAT overload, 222
netlink brctl list
diagnose, 144
network
visualizing applications on, 282
network address and port translation, 222
Network Policy Server., 174
networking
WiFi, 147, 150, 155, 170
O
one-to-one NAT, 228
open port 113, 117
override
web filtering, 265
override internal DNS
DHCP, 21
oversized email, 260
oversized file, 260
P
packet
sniffer, 126
packet capture, 130, 135
filters, 135
packet flow
debugging, 142
packet sniffer
filters, 130
protocols, 132
packet sniffing, 125, 135
password
attempts, 117
lockout, 117
wait time
, 117
PAT, 222
pcap
packet capture file, 135
PEAP, 177
PEAP authentication, 174
peer-to-peer file sharing
blocking, 286
ping server, 50
policy
adding an application control sensor, 282
count, 196
DoS, 292
local-in, 123
policy monitor, 197
port
alternate login, 116
port 113, 117
port address translation, 222
port forwarding, 234, 237, 240, 243, 247
web server, 63
390
R
RADIUS
WiFi, 158
RADIUS (NPS), 174
rating error, 26, 32
web filtering, 26, 32
recursive
DNS server mode, 119
recursive dns, 118
redundant Internet connections, 45
registering
with Fortinet Technical Support, 10
release notes, 34
remote Internet access, 306
replacement message
virus message, 75, 254
reporting
FortiOS UTM report, 383
modifying default report, 383
RFC
1918, 7
route
priority, 51
route failover, 50, 57
route mode, 81
security policy, 64
routing
ECMP, 51, 58
equal cost multipath, 51, 58
S
safe search
web filtering, 267
security, 113
security policies
excluding users from UTM filtering, 193
ordering, 201
restricting all DNS queries to a selected DNS server, 204,
208
restricting employees Internet access, 185
using geographic addresses, 220
security policy, 196
adding an application control sensor, 282
count column, 282
general, 193
restricting Internet access per IP address, 189
verifying traffic, 196
sensitive information
blocking, 295, 297
sensor
DoS, 292
FortiGate Cookbook
http://docs.fortinet.com/
Index
service
multiple, 64
shared shapers, 216
SNAT, 222, 225, 231
sniffer packet
diagnose, 144
sniffing
packet, 125
social media
blocking, 285
software switch
WiFi, 166
source address translation, 222
spam
filtering, 294
spillover
ECMP, 58
split tunnel, 309
split tunneling
SSL VPN, 310
split-brain
HA, 91
SSID, 166, 170
SSL VPN, 301
access email server, 301
debugging, 140
endpoint security, 300
FortiClient, 310
portal, 301
remote user, 315
split tunneling, 310
Subsession, 309
tunnel mode, 300
virtual desktop, 300
ssl.root, 307, 312
ssl.root interface, 309
static SNAT, 222
storage location, 377
streaming media
blocking, 273
suggest a URL category
web filtering, 269
super_admin
administrator profile, 41
sys session full-stat
diagnose, 144
Syslog server, 377
T
TCP 113, 117
technical
documentation, 11
notes, 10
support, 11
technical support, 11
test log
diagnose, 144
test update info
diagnose, 144
TFTP, 36
thin AP, 146
threshold
oversized file/email, 260
timeout
idle, 116
traceroute, 39
FortiOS 4.0 MR3
http://docs.fortinet.com/
traffic shaping
shared shapers, 216
VoIP, 216
Training Services, 11
Transparent mode, 33
transparent mode
port pairing, 77
protecting a server, 69
troubleshooting, 31
transport-mode, 329
troubleshooting
DHCP, 20
FortiGuard, 37
ISP connection, 20
NAT configuration, 20
packet sniffing, 125, 130
transparent mode, 31
verifying that traffic is hitting a security policy, 196
trusted host, 115
Tunnel Mode, 306
U
unity-support, 333
upgrade
firmware, 34
HA cluster firmware, 95
uploading logs, 378
URL
FortiGuard web filtering category, 268
URL filtering
debugging, 142
usage-based
ECMP, 58
USB modem, 55
users
identifying, 353
monitoring, 353
UTM, 252
explicit web proxy, 87
web proxy, 87
V
VDOM, 103
VIP
web server
firewall VIP, 63
virtual domain, 103
virtual FortiOS instances, 103
virtual interface, 166
virtual LANs, 98
virus
legacy, 256
virus database
extended, 256
extreme, 256
viruses
protecting your network from, 252
visual
applications, 282
VLANs, 98
configuring, 98
VoIP
traffic shaping, 216
391
Index
VPN
Cisco UNITY client, 330
Dialup, 324
L2TP, 329
SSL, 301
vpn tunnel list
diagnose, 144
VPN, IPsec
from FortiClient PC, 323
from iPhone, 330, 336
overview, 317
vulnerability scanner, 298
W
web browsing
blocking web sites by category, 355
web caching, 88
web filter
blocking streaming media, 273
record websites, 270
safe search, 267
whitelist, 276
Web filtering
correct a URL category, 269
web filtering, 26, 32, 263
authenticate, 266
errors, 26
flow-based, 262
FortiGuard, 39, 263, 355
suggest a URL category, 269
web monitoring, 356
web portal, 301
web proxy
UTM, 87
392
web server
port forwarding, 63
web sites users have visited, 270
websites
blocking, 355
whitelist
web filter, 276
WiFi
captive portal, 162
DHCP relay, 170
RADIUS, 158
software switch, 166
WiFi access, 147, 150, 155, 170
WiFi access point, 146
WiFi Controller, 149
WiFi controller feature, 146
Windows AD, 174, 360
Windows Security Health Validator, 177
Windows Server 2008, 174, 360
wireless
WPA/WPA2 enterprise security, 155
WPA2 security, 147
WPA/WPA2 enterprise security
wireless security, 155
WPA2
wireless security, 147
WPA2-Personal, 150, 170
WPA-Enterprise, 174
Y
Yahoo
safe search, 267
youtube, 185
FortiGate Cookbook
http://docs.fortinet.com/