FortiOS 5.0 Handbook

FortiOS Handbook
Install and System Administration for FortiOS 5.0

Install and System Administration for FortiOS 5.0
December 27, 2012
01-500-142188-20121227
Copyright 2012 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard, are
registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks
of Fortinet. All other product or company names may be trademarks of their respective owners.
Performance metrics contained herein were attained in internal lab tests under ideal conditions,
and performance may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment
by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the
extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a
purchaser that expressly warrants that the identified product will perform according to the
performance metrics herein. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in
full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise
this publication without notice, and the most current version of the publication shall be
applicable.
Technical Documentation docs.fortinet.com
Knowledge Base kb.fortinet.com
Customer Service & Support support.fortinet.com
Training Services training.fortinet.com
FortiGuard fortiguard.com
Document Feedback techdocs@fortinet.com
Page 1
Table of Contents
Introduction..................................................................................................... 10
Before you begin.................................................................................................... 10
How this guide is organized............................................................................. 10
Using the web-based manager ..................................................................... 11
Web-based manager overview.............................................................................. 11
Web-based manager menus and pages ............................................................... 11
Using information tables .................................................................................. 12
Using column settings ..................................................................................... 13
Entering text strings............................................................................................... 13
Entering text strings (names) ........................................................................... 13
Entering numeric values................................................................................... 14
Enabling or disabling options........................................................................... 14
Dashboard ............................................................................................................. 14
Adding dashboards and widgets..................................................................... 15
System Information widget .............................................................................. 15
License Information widget.............................................................................. 21
FortiGate unit Operation widget....................................................................... 23
System Resources widget ............................................................................... 23
Alert Message Console widget ........................................................................ 23
Log and Archive Statistics widget ................................................................... 24
CLI Console widget.......................................................................................... 25
Session History widget .................................................................................... 25
Top Sessions widget........................................................................................ 25
Traffic History widget ....................................................................................... 25
RAID monitor widget........................................................................................ 25
Device Type Distribution widget ...................................................................... 27
Storage widget................................................................................................. 27
P2P Usage widget ........................................................................................... 28
Top Clients by Bandwidth widget.................................................................... 28
VoIP Usage widget........................................................................................... 28
IM Usage widget .............................................................................................. 28
Protocol Usage widget .................................................................................... 28
Basic configurations .............................................................................................. 28
Changing your administrator password........................................................... 28
Changing the web-based manager language.................................................. 29
Changing administrative access...................................................................... 29
Changing the web-based manager idle timeout.............................................. 29
Switching VDOMs............................................................................................ 29
Connecting to the CLI from the web-based manager ..................................... 29
Logging out ...................................................................................................... 30
Fortinet Technologies Inc. Page 2 Install and System Administration for FortiOS 5.0
Using the CLI .................................................................................................. 31
Connecting to the CLI............................................................................................ 31
Connecting to the CLI using a local console ................................................... 31
Enabling access to the CLI through the network (SSH or Telnet) ................... 32
Connecting to the CLI using SSH.................................................................... 33
Connecting to the CLI using Telnet ................................................................. 34
Command syntax................................................................................................... 35
Terminology ..................................................................................................... 35
Indentation ....................................................................................................... 36
Notation ........................................................................................................... 36
Sub-commands ..................................................................................................... 38
Example of table commands ........................................................................... 40
Permissions ........................................................................................................... 41
Tips ........................................................................................................................ 42
Help.................................................................................................................. 42
Shortcuts and key commands......................................................................... 42
Command abbreviation ................................................................................... 43
Environment variables...................................................................................... 43
Special characters ........................................................................................... 43
Using grep to filter get and show command output ........................................ 44
Language support and regular expressions .................................................... 45
Screen paging.................................................................................................. 47
Baud rate ......................................................................................................... 47
Editing the configuration file on an external host............................................. 47
Using Perl regular expressions ........................................................................ 48
Basic Administration...................................................................................... 51
Connecting to the FortiGate unit ........................................................................... 51
Connecting to the web-based manager .......................................................... 51
Connecting to the CLI ...................................................................................... 52
System configuration............................................................................................. 52
Setting the time and date................................................................................. 52
Configuring FortiGuard .................................................................................... 53
Passwords ............................................................................................................. 54
Password considerations................................................................................. 54
Password policy............................................................................................... 55
Forgotten password?....................................................................................... 56
Administrators........................................................................................................ 56
Administrator configuration.............................................................................. 56
Regular (password) authentication for administrators..................................... 56
Management access........................................................................................ 56
Tightening Security .......................................................................................... 57
Log in/out warning message............................................................................ 60
Disable the console interface........................................................................... 60
Disable interfaces............................................................................................. 60
Change the admin username........................................................................... 60
Segregated administrative roles ...................................................................... 61
RADIUS authentication for administrators....................................................... 61
Configuring LDAP authentication for administrators ....................................... 61
TACACS+ authentication for administrators.................................................... 61
PKI certificate authentication for administrators.............................................. 62
Administrator profiles....................................................................................... 62
Adding administrators...................................................................................... 63
LDAP Admin Access and Authorization........................................................... 64
Monitoring administrators................................................................................ 65
Trusted hosts ................................................................................................... 66
General Settings .................................................................................................... 66
Administrative port settings ............................................................................. 66
Password policies............................................................................................ 67
Display options ................................................................................................ 67
Backing up the configuration................................................................................. 67
Backup and restore a configuration file using SCP......................................... 68
Restoring a configuration................................................................................. 70
Configuration revisions .................................................................................... 71
Restore factory defaults................................................................................... 71
Firmware ................................................................................................................ 71
Downloading firmware ..................................................................................... 72
Upgrading the firmware - web-based manager............................................... 72
Reverting to a previous firmware version ........................................................ 72
Configuration Revision..................................................................................... 73
Upgrading the firmware - CLI .......................................................................... 73
Installing firmware from a system reboot using the CLI .................................. 76
Testing new firmware before installing ............................................................ 78
Controlled upgrade................................................................................................ 79
Central management...................................................................................... 81
Adding a FortiGate to FortiManager ...................................................................... 81
FortiGate configuration .................................................................................... 81
FortiManager configuration.............................................................................. 83
Configuration through FortiManager ..................................................................... 83
Global objects.................................................................................................. 83
Locking the FortiGate web-based manager .................................................... 83
Firmware updates .................................................................................................. 84
FortiGuard.............................................................................................................. 84
Backup and restore configurations........................................................................ 84
Administrative domains ......................................................................................... 84
Best practices................................................................................................. 86
Hardware ............................................................................................................... 86
Environmental specifications ........................................................................... 86
Grounding ........................................................................................................ 87
Rack mount instructions .................................................................................. 87
Shutting down........................................................................................................ 88
Performance .......................................................................................................... 88
Firewall ................................................................................................................... 89
Intrusion protection................................................................................................ 89
Antivirus ................................................................................................................. 89
Web filtering........................................................................................................... 90
Antispam................................................................................................................ 90
Security.................................................................................................................. 90
FortiGuard....................................................................................................... 91
FortiGuard Services ............................................................................................... 91
Support Contract and FortiGuard Subscription Services................................ 92
FortiGuard Analysis Service Options ............................................................... 93
Antivirus and IPS.................................................................................................... 93
Antivirus and IPS Options................................................................................ 93
Manual updates ............................................................................................... 94
Automatic updates........................................................................................... 94
Web filtering........................................................................................................... 97
Web Filtering and Email Filtering Options........................................................ 97
URL verification................................................................................................ 97
Email filtering ......................................................................................................... 98
Security tools ......................................................................................................... 98
URL lookup ...................................................................................................... 99
IP and signature lookup................................................................................... 99
Online virus scanner......................................................................................... 99
Malware removal tools..................................................................................... 99
Troubleshooting..................................................................................................... 99
Web-based manager verification..................................................................... 99
CLI verification ............................................................................................... 101
Port assignment ............................................................................................. 102
Monitoring..................................................................................................... 103
Dashboard ........................................................................................................... 103
Widgets.......................................................................................................... 103
FortiClient connections.................................................................................. 104
sFlow.................................................................................................................... 104
Configuration ................................................................................................. 105
Monitor menus..................................................................................................... 105
Logging................................................................................................................ 105
FortiGate memory .......................................................................................... 106
FortiGate hard disk ........................................................................................ 106
Syslog server ................................................................................................. 106
FortiGuard Analysis and Management service .............................................. 107
FortiAnalyzer .................................................................................................. 107
Sending logs using a secure connection....................................................... 108
Alert email ............................................................................................................ 109
SNMP................................................................................................................... 110
SNMP configuration settings ......................................................................... 111
Gigabit interfaces........................................................................................... 113
SNMP agent................................................................................................... 114
SNMP community.......................................................................................... 114
Enabling on the interface ............................................................................... 116
Fortinet MIBs.................................................................................................. 116
SNMP get command syntax................................................................................ 117
Fortinet and FortiGate traps........................................................................... 118
Fortinet and FortiGate MIB fields......................................................................... 121
Fortinet MIB ................................................................................................... 122
Interfaces ...................................................................................................... 156
Physical................................................................................................................ 156
Interface settings ................................................................................................. 158
Interface configuration and settings .............................................................. 160
Software switch ................................................................................................... 163
Soft switch example....................................................................................... 163
Virtual Switch....................................................................................................... 164
Loopback interfaces ............................................................................................ 165
Redundant interfaces........................................................................................... 165
On-armed sniffer.................................................................................................. 166
Aggregate Interfaces............................................................................................ 166
DHCP on an interface .......................................................................................... 167
PPPoE on an interface......................................................................................... 168
Administrative access.......................................................................................... 170
Wireless ............................................................................................................... 171
Interface MTU packet size................................................................................... 171
Secondary IP addresses to an interface.............................................................. 172
Virtual domains .................................................................................................... 172
Virtual LANs ......................................................................................................... 174
Zones ................................................................................................................... 175
Virtual LANs .................................................................................................. 177
VLAN ID rules....................................................................................................... 178
VLAN switching and routing ................................................................................ 178
VLAN layer-2 switching.................................................................................. 178
VLAN layer-3 routing...................................................................................... 181
VLANs in NAT mode ............................................................................................ 184
Adding VLAN subinterfaces........................................................................... 184
Configuring security policies and routing ...................................................... 186
Example VLAN configuration in NAT mode......................................................... 187
General configuration steps........................................................................... 188
Configure the FortiGate unit .......................................................................... 189
Configure the VLAN switch............................................................................ 194
Test the configuration .................................................................................... 195
VLANs in transparent mode................................................................................. 195
VLANs and transparent mode........................................................................ 195
Example of VLANs in transparent mode........................................................ 198
General configuration steps........................................................................... 198
Configure the FortiGate unit .......................................................................... 199
Configure the Cisco switch and router .......................................................... 202
Test the configuration .................................................................................... 204
Troubleshooting VLAN issues.............................................................................. 204
Asymmetric routing........................................................................................ 204
Layer-2 and Arp traffic................................................................................... 205
Forward-domain solution............................................................................... 206
NetBIOS......................................................................................................... 207
STP forwarding .............................................................................................. 207
Too many VLAN interfaces ............................................................................ 208
PPTP and L2TP............................................................................................. 209
How PPTP VPNs work......................................................................................... 209
FortiGate unit as a PPTP server........................................................................... 211
Configuring user authentication for PPTP clients.......................................... 211
Enabling PPTP and specifying the PPTP IP address range ......................... 212
Adding the security policy ............................................................................. 213
Configuring the FortiGate unit for PPTP VPN...................................................... 214
Configuring the FortiGate unit for PPTP pass through........................................ 214
Configuring a virtual IP address..................................................................... 214
Configuring a port-forwarding security policy ............................................... 215
Testing PPTP VPN connections .......................................................................... 216
Logging VPN events ............................................................................................ 216
Configuring L2TP VPNs ....................................................................................... 216
Network topology .......................................................................................... 218
L2TP infrastructure requirements ................................................................. 218
L2TP configuration overview .............................................................................. 218
Authenticating L2TP clients .......................................................................... 219
Enabling L2TP and specifying an address range ......................................... 219
Defining firewall source and destination addresses ..................................... 219
Adding the security policy ................................................................................... 220
Configuring a Linux client ............................................................................. 220
Monitoring L2TP sessions.............................................................................. 221
Testing L2TP VPN connections ..................................................................... 221
Logging L2TP VPN events............................................................................. 221
Session helpers ............................................................................................ 222
Viewing the session helper configuration ............................................................ 222
Changing the session helper configuration ......................................................... 223
Changing the protocol or port that a session helper listens on..................... 223
Disabling a session helper ............................................................................. 225
DCE-RPC session helper (dcerpc)....................................................................... 226
DNS session helpers (dns-tcp and dns-udp)....................................................... 226
File transfer protocol (FTP) session helper (ftp) ................................................... 226
H.245 session helpers (h245I and h245O) ........................................................... 227
H.323 and RAS session helpers (h323 and ras) .................................................. 227
Alternate H.323 gatekeepers ......................................................................... 227
Media Gateway Controller Protocol (MGCP) session helper (mgcp)................... 227
ONC-RPC portmapper session helper (pmap) .................................................... 228
PPTP session helper for PPTP traffic (pptp) ........................................................ 228
Remote shell session helper (rsh) ........................................................................ 229
Real-Time Streaming Protocol (RTSP) session helper (rtsp) ............................... 230
Session Initiation Protocol (SIP) session helper (sip) ........................................... 230
Trivial File Transfer Protocol (TFTP) session helper (tftp) .................................... 230
Oracle TNS listener session helper (tns) .............................................................. 231
Advanced concepts...................................................................................... 232
Dual internet connections.................................................................................... 232
Redundant interfaces..................................................................................... 232
Load sharing .................................................................................................. 235
Link redundancy and load sharing................................................................. 235
Single firewall vs. multiple virtual domains .......................................................... 235
Single firewall vs. vdoms................................................................................ 236
Modem................................................................................................................. 238
USB modem port ........................................................................................... 238
Modes ............................................................................................................ 238
Additional modem configuration.................................................................... 240
Modem interface routing................................................................................ 240
DHCP servers and relays..................................................................................... 241
DHCP Server configuration............................................................................ 241
DHCP in IPv6 ................................................................................................. 243
Service ........................................................................................................... 243
DHCP options ................................................................................................ 243
DHCP Monitor................................................................................................ 244
Breaking a address lease............................................................................... 244
Assigning IP address by MAC address ............................................................... 244
DNS services ....................................................................................................... 245
DNS queries................................................................................................... 245
Additional DNS CLI configuration.................................................................. 245
DNS server..................................................................................................... 246
Recursive DNS............................................................................................... 247
Dynamic DNS....................................................................................................... 247
FortiClient discovery and registration.................................................................. 248
FortiClient discovery ...................................................................................... 248
FortiClient Registration .................................................................................. 249
IP addresses for self-originated traffic................................................................. 249
Administration for schools ................................................................................... 250
Security policies............................................................................................. 250
DNS................................................................................................................ 250
Encrypted traffic (HTTPS) .............................................................................. 250
FTP................................................................................................................. 251
Example security policies .............................................................................. 251
UTM security profiles..................................................................................... 251
Logging.......................................................................................................... 253
Tag management ................................................................................................. 253
Adding and removing tags............................................................................. 253
Reviewing tags............................................................................................... 254
Tagging guidelines......................................................................................... 255
Replacement messages list ................................................................................. 255
Replacement message images...................................................................... 255
Adding images to replacement messages..................................................... 256
Modifying replacement messages................................................................. 256
Replacement message tags .......................................................................... 256
Administration replacement message ........................................................... 259
Alert Mail replacement messages.................................................................. 259
Authentication replacement messages.......................................................... 259
Captive Portal Default replacement messages.............................................. 260
Device Detection Portal replacement message............................................. 260
Email replacement messages ........................................................................ 260
Endpoint Control replacement message ....................................................... 261
FTP replacement messages .......................................................................... 261
FortiGuard Web Filtering replacement messages ......................................... 261
HTTP replacement messages........................................................................ 261
IM replacement messages............................................................................. 261
NNTP replacement messages ....................................................................... 261
Spam replacement messages ....................................................................... 261
NAC quarantine replacement messages ....................................................... 261
SSL VPN replacement message.................................................................... 262
Web Proxy replacement messages ............................................................... 262
Traffic quota control replacement messages ................................................ 262
MM1 replacement messages......................................................................... 262
MMS replacement messages ........................................................................ 263
Replacement message groups ...................................................................... 263
Disk ...................................................................................................................... 263
Formatting the disk........................................................................................ 264
Setting space quotas..................................................................................... 264
CLI Scripts ........................................................................................................... 264
Uploading script files ..................................................................................... 264
Rejecting PING requests ..................................................................................... 265
Opening TCP 113 ................................................................................................ 265
Obfuscate HTTP headers .................................................................................... 266
Index .............................................................................................................. 267
Page 10
Introduction
Welcome and thank you for selecting Fortinet products for your network protection.
This guide describes a number of administrative tasks to configure and setup the FortiGate unit
for the first time, best practices and sample configuration tips to secure your network and the
FortiGate unit. It also includes numerous topics covering components of FortiOS that can be
used to configure your network and firewall.
Before you begin
Before you begin using this guide, please ensure that:
You have administrative access to the web-based manager and/or CLI.
The FortiGate unit is integrated into your network.
Firmware, FortiGuard Antivirus and FortiGuard Antispam updates are completed.
How this guide is organized
This guide contains the following sections:
Using the web-based manager provides an overview of the web-based manager interface for
FortiOS. If you are new to the FortiOS web-based manager, this chapter provides a high level
overview of how to use this method of administration.
Using the CLI provides an overview of the command line interface (CLI) for FortiOS. If you are
new to the FortiOS CLI, this chapter provides a high level overview of how to use this method of
administration.
Basic Administration describes the simple setup requirements an Administrator should do to
get the FortiGate unit on the network and enabling the flow of traffic.
Central management describes how to configure the FortiGate unit to use FortiManager as a
method of maintaining the device and other features that FortiManager has to facilitate the
administration of multiple devices.
Best practices discusses methods to make the various components of FortiOS more efficient,
and offer suggestions on ways to configure the FortiGate unit.
FortiGuard discusses the FortiGuard network services and configuration examples.
Monitoring describes various methods of collecting log data and tracking traffic flows and
tends.
Interfaces describes the FortiGate interface options and configuration choices.
Virtual LANs discusses their implementation in FortiOS and how to configure and use them.
PPTP and L2TP describes these VPN types and how to configure them.
Session helpers describes what they are and now to view and configure various session
helpers.
Advanced concepts describes more involved administrative topics to enhance network security
and traffic efficiency.
Page 11
Using the web-based manager
This section describes the features of the web-based manager administrative interface
(sometimes referred to as a graphical user interface, or GUI) of your unit. This section also
explains common web-based manager tasks that an administrator does on a regular basis, as
well as online help.
The following topics are included in this section:
Web-based manager overview
Web-based manager menus and pages
Entering text strings
Basic configurations
Web-based manager overview
The web-based manager is a user-friendly interface for configuring settings and managing the
unit. Accessing the web-based manager is easy; by using HTTP or a secure HTTPS connection
from any management computer using a web browser. The recommended minimum screen
resolution for properly displaying the web-based manager is 1280 by 1024. Some web
browsers do not correctly display the windows within the web-based manager interface. Verify
that you have a supported web browser by reviewing the Knowledge Base articles, Microsoft
Windows web browsers supported by Fortinet products web-based manager (GUI) web
browsers, and Mac OS browsers for use with Fortinet hardware web-based manager (GUI).
The web-based manager also provides the CLI Console widget, which enables you to connect
to the command line interface (CLI) without exiting out of the web-based manager.
Web-based manager menus and pages
The web-based manager provides access to configuration options for most of the FortiOS
features from the main menus. The web-based manager contains the following main menus:
System Configure system settings, such as network interfaces, virtual domains,
DHCP and DNS services, administrators, certificates, High Availability
(HA), system time, set system options and set display options on the
web-based manager.
Router Configure static, dynamic and multicast routing and view the router
monitor.
Policy Configure firewall policies, protocol options and Central NAT Table.
Firewall Objects Configure supporting content for firewall policies including scheduling,
services, traffic shapers, addresses, virtual IP and load balancing.
UTM Security
Profiles
Configure antivirus and email filtering, web filtering, intrusion protection,
data leak prevention, and application control. This menu also includes
endpoint security features, such as FortiClient configuration and
application detection patterns.
Using information tables
Many of the web-based manager pages contain tables of information which you can filter to
display specific information. Administrators with read and write access can define the filters.
Using page navigation
The web-based manager pages that contain information and lists that span multiple pages. At
the bottom of the page is the page navigation controls that enable you to move between pages.
Figure 1: Page controls
Adding filters to web-based manager lists
To locate a specific set of information or content within multiple pages, you use filters. These are
especially useful in locating specific log entries. Depending on the type of information, the
filtering options vary.
To create a filter, select Filter Settings, or a filter icon in a column heading. When a filter is
applied to a column, the filter icon becomes green.Filter settings are stored in the units configuration
and will be maintained the next time that you access any list for which you have added filters.
Filtering variable can include a numeric range such as 25-50 or an IP address or part of an
address, or any text string combination, including special characters.
Note that the filtering ignores characters following a < unless the followed by a space. For
example, the filtering ignores <string but not < string. Filtering also ignores matched
VPN Configure IPsec and SSL virtual private networking.
User & Device Configure user accounts and user authentication including external
authentication servers.
WAN Opt. & Cache Configure WAN optimization and web caching to improve performance
and security of traffic passing between locations on your wide area
network (WAN) or from the Internet to your web servers.
WiFi & Switch
Controller
Configure the unit to act as a wireless network controller, managing the
wireless Access Point (AP) functionality of FortiWiFi and FortiAP units.
Log&Report Configure logging and alert email as well as reports. View log messages
and reports.
Current VDOM Appears only when VDOMs are enabled on the unit to switch between
VDOMs.
First Page
Previous Page
Total Number of Pages
Current Page
(enter a page number
to display that page)
Last page
Next page
opening and closing (< and >) characters and any characters between them. For example,
filtering will ignore <string>.
For columns that can contain only specific content, such as log message severity, you can only
select a single item from a list.
Using column settings
On pages where large amounts of information is available, not all content can be displayed, or
some content may not be of use to you. Using column settings, you can display only that
content which is important to your requirements.
To configure column settings, right-click the header of a column and select Column Settings.
Any changes that you make to the column settings of a list are stored in the units configuration
and will display the next time that you access the list.
Entering text strings
The configuration of a FortiGate unit is stored as configuration settings in the FortiOS
configuration database. To change the configuration you can use the web-based manager or
CLI to add, delete or change configuration settings. These configuration changes are stored in
the configuration database as you make them.
Individual settings in the configuration database can be text strings, numeric values, selections
from a list of allowed options, or on/off (enable/disable) settings.
Entering text strings (names)
Text strings are used to name entities in the configuration. For example, the name of a firewall
address, administrative user, and so on. You can enter any character in a FortiGate
configuration text string except, to prevent Cross-Site Scripting (XSS) vulnerabilities, text
strings in FortiGate configuration names cannot include the following characters:
(double quote), & (ampersand), ' (single quote), < (less than) and > (greater than)
Most web-based manager text string fields make it easy to add an acceptable number of
characters and prevent you from adding the XSS vulnerability characters.
From the CLI, you can also use the tree command to view the number of characters that are
allowed in a name field. For example, firewall address names can contain up to 64 characters.
When you add a firewall address to the web-based manager you are limited to entering 64
characters in the firewall address name field. From the CLI you can enter the following tree
command to confirm that the firewall address name field allows 64 characters.
config firewall address
tree
-- [address] --*name (64)
|- subnet
|- type
|- start-ip
|- end-ip
|- fqdn (256)
|- cache-ttl (0,86400)
|- wildcard
|- comment (64 xss)
|- associated-interface (16)
+- color (0,32)
The tree command output also shows the number of characters allowed for other firewall
address name settings. For example, the fully-qualified domain name (fqdn) field can contain
up to 256 characters.
Entering numeric values
Numeric values set various sizes, rates, numeric addresses, and other numeric values. For
example, a static routing priority of 10, a port number of 8080, or an IP address of 10.10.10.1.
Numeric values can be entered as a series of digits without spaces or commas (for example, 10
or 64400), in dotted decimal format (for example the IP address 10.10.10.1) or as in the case of
MAC or IPv6 addresses separated by colons (for example, the MAC address
00:09:0F:B7:37:00). Most numeric values are standard base-10 numbers, but some fields (again
such as MAC addresses) require hexadecimal numbers.
Most web-based manager numeric value fields make it easy to add the acceptable number of
digits within the allowed range. CLI help includes information about allowed numeric value
ranges. Both the web-based manager and the CLI prevent you from entering invalid numbers.
Enabling or disabling options
If a configuration option can only be on or off (enabled or disabled) the web-based manager
presents a check box or other control that can only be enabled or disabled. From the CLI you
can set the option to enable or disable.
Dashboard
The Dashboard menu provides a way to access information about network activity and events,
as well as configure basic system settings. You can add more dashboards to contain the
content you need at your fingertips.
Each information chunk is within a widget. Widgets provide an easy and quick way to view a
variety of information, such as statistical information or network activity. There are a selection of
widgets to choose from by selecting the Widgets option.
Administrators must have read and write privileges for adding and configuring dashboards and
widgets.
Adding dashboards and widgets
Dashboards that you create are automatically added under the default status and usage
dashboards. You can add, remove or rename a dashboard, regardless of whether it is default.
You can also reset the Dashboard menu to its default settings by selecting Reset Dashboards. If
VDOMs are enabled, only the dashboards within Global are available for configuration.
To add a dashboard
1. Go to System > Dashboard > Status.
2. Select Dashboard, located at the top left of the page.
3. Select Add Dashboard.
To add a widget to a dashboard, select Widget located at the top left of the dashboard page.
System Information widget
The System Information widget status information on the FortiGate unit and provides the
access point to update the firmware and backup the configurations.
Host Name The name of the FortiGate unit. For details on changing the name, see
Changing the FortiGate units host name.
If the FortiGate unit is in HA mode, this information is not displayed.
Serial Number The serial number of the FortiGate unit. The serial number is specific to
that FortiGate unit and does not change with firmware upgrades.
Operation Mode The current operating mode of the FortiGate unit. A FortiGate unit can
operate in NAT mode or transparent mode. Select Change to switch
between NAT and transparent mode. For more information, see
Changing the operation mode.
If virtual domains are enabled, this field shows the operating mode of
the current virtual domain. The Global System Status dashboard does
not include this information.
HA Status The status of high availability within the cluster. Standalone indicates
the FortiGate unit is not operating in HA mode. Active-Passive or
Active-Active indicate the FortiGate unit is operating in HA mode. Select
Configure, to change the HA configuration.
Cluster Name The name of the HA cluster for this FortiGate unit. The FortiGate unit
must be operating in HA mode to display this field.
Cluster Members The FortiGate units in the HA cluster. Information displayed about each
member includes host name, serial number, and whether the FortiGate
unit is a primary (master) or subordinate (slave) FortiGate unit in the
cluster.
The FortiGate unit must be operating in HA mode with virtual domains
disabled to display this information.
Virtual Cluster 1
Virtual Cluster 2
The role of each FortiGate unit in virtual cluster 1 and virtual cluster 2.
The FortiGate unit must be operating in HA mode with virtual domains
enabled to display this information.
System Time The current date and time. Select Change, to configure the system time.
For more information, see Configuring system time.
Changing the FortiGate units host name
The host name appears in the Host Name row, in the System Information widget. The host name
also appears at the CLI prompt when you are logged in to the CLI and as the SNMP system
name.
The only administrators that can change a FortiGate units host name are administrators whose
admin profiles permit system configuration write access. If the FortiGate unit is part of an HA
cluster, you should use a unique host name to distinguish the FortiGate unit from others in the
cluster.
To change the host name on the FortiGate unit, in the System Information widget, select
Change in the Host Name row.
Changing the operation mode
FortiGate units and individual VDOMs can operate in NAT or transparent mode. From the
System Information dashboard widget you can change the operating mode for your FortiGate
unit or for a VDOM and perform sufficient network configuration to ensure that you can connect
to the web-based manager in the new mode.
NAT mode
In NAT mode (also called NAT mode), the FortiGate unit is visible to the network that it is
connected to. All of its interfaces are on different subnets. Each interface that is connected to a
network must be configured with an IP address that is valid for that subnetwork. The FortiGate
unit functions as a
Firmware Version The version of the current firmware installed on the FortiGate unit.
Select Update to upload a newer or older firmware version. For more
information, see Changing the firmware.
System
Configuration
The time period of when the configuration file was backed up. Select
Backup to back up the current configuration. For more information, see
Backing up the configuration.
To restore a configuration file, select Restore. For more information, see
Restoring your firmware configuration.
Current
Administrator
The number of administrators currently logged into the FortiGate unit.
Select Details to view more information about each administrator that is
currently logged in
If you want to changed the current administrators password, see
Changing the currently logged in administrators password.
Uptime The time in days, hours, and minutes since the FortiGate unit was
started or rebooted.
Virtual Domain Status of virtual domains on your FortiGate unit. Select Enable or
Disable to change the status of virtual domains feature.
If you enable or disable virtual domains, your session will be terminated
and you will need to log in again.
WAN Opt & Cache
Explicit Proxy
Load Balance
The status of each feature. Select Enable or Disable to change the
status of the feature. When enabled, the menu option appears.
You would typically use NAT mode when the FortiGate unit is deployed as a gateway between
private and public networks (or between any networks). In its default NAT mode configuration,
the FortiGate unit functions as a router, routing traffic between its interfaces. Security policies
control communications through the FortiGate unit to both the Internet and between internal
networks. In NAT mode, the FortiGate unit performs network address translation before IP
packets are sent to the destination network.
For example, a company has a FortiGate unit as their interface to the Internet. The FortiGate
unit also acts as a router to multiple sub-networks within the company. In this situation the
FortiGate unit is set to NAT mode. Using this mode, the FortiGate unit can have a designated
port for the Internet, in this example, wan1 with an address of 172.20.120.129, which is the
public IP address. The internal network segments are behind the FortiGate unit and invisible to
the public access, for example port 2 with an address of 10.10.10.1. The FortiGate unit
translates IP addresses passing through it to route the traffic to the correct subnet or the
Internet.
Transparent Mode
In transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the
same subnet and share the same IP address. To connect the FortiGate unit to your network, all
you have to do is configure a management IP address and a default route.
You would typically use the FortiGate unit in transparent mode on a private network behind an
existing firewall or behind a router. In transparent mode, the FortiGate unit also functions as a
firewall. Security policies control communications through the FortiGate unit to the Internet and
internal network. No traffic can pass through the FortiGate unit until you add security policies.
For example, the company has a router or other firewall in place. The network is simple enough
that all users are on the same internal network. They need the FortiGate unit to perform
application control, antivirus and intrusion protection and similar traffic scanning. In this
situation the FortiGate unit is set to transparent mode. The traffic passing through the FortiGate
unit does not change the addressing from the router to the internal network. Security policies
and UTM profiles define the type of scanning the FortiGate unit performs on traffic entering the
network.
To switch from NAT to transparent mode
1. From the System Information dashboard widget select Change beside Operation Mode.
2. From the Operation Mode list, select Transparent.
3. Enter the Management IP address and Netmask. This is the IP address to connect to when
configuring and maintaining the device.
4. Enter the Default Gateway.
5. Select OK.
To change the transparent mode management IP address
2. Enter a new IP address and netmask in the Management IP/Network field as required and
select OK.
Your web browser is disconnected from the web-based manager. To reconnect to the
web-based manager browse to the new management IP address.
To switch from transparent to NAT mode
2. From the Operation Mode list, select NAT.
3. Enter valid IP address and netmask for the network from which you want to manage the FortiGate unit.
4. Select the interface to which the Interface IP/Netmask settings apply
5. Enter the IP address default gateway required to reach other networks from the FortiGate
unit.
6. After the FortiGate unit switches to NAT mode, you may need to to go Router > Static Route
and edit this default route.
For low-end FortiGate units, go to System > Network > Routing.
7. Select OK.
Configuring system time
The FortiGate units system time can be changed using the System Information widget by
selecting Change in the System Time row.
Daylight savings time is enabled by default. You can disable daylight savings time using the CLI
commands:
config system global
set dst disable
end
Changing the firmware
Administrators whose admin profiles permit maintenance read and write access can change the
FortiGate units firmware. Firmware images can be installed from a number of sources including
a local hard disk, a local USB disk, or the FortiGuard Network.
System Time The current system date and time on the FortiGate unit.
Refresh Update the display of the FortiGate units current system date and time.
Time Zone Select the current system time zone for the FortiGate unit.
Set Time Select to set the system date and time to the values.
Synchronize with
NTP Server
Select to use a Network Time Protocol (NTP) server to automatically set
the system date and time. You must specify the server and
synchronization interval.
FortiGate units use NTP Version 4. For more information about NTP see
http://www.ntp.org.
Server Enter the IP address or domain name of an NTP server. To find an NTP
server that you can use, see http://www.ntp.org.
Sync Interval Specify how often the FortiGate unit should synchronize its time with
the NTP server.
To avoid losing configuration settings you should always back up your configuration before
changing the firmware image.
To change the firmware, go to System > Dashboard > Status > System Information widget and
select the Update link on the Firmware Version row.
Backing up the configuration
Administrators can back up the FortiGate units configuration file from the System Information
widget. Select Backup in the System Configuration row, to back up the firmware configuration
file to a local computer, USB disk or to a FortiManager unit.
You should always back up your configuration whenever you make any modifications to the
device configuration or performing any firmware updates or changes.
Upgrade From Select the firmware source from the drop down list of available sources.
Firmware Version This appears only when selecting FortiGuard Network is selected from
the Upgrade From drop-down list. Select a firmware version from the
drop-down list.
If downgrading the firmware on the FortiGate unit, select the check box
beside Allow Firmware Downgrade.
Upgrade File Browse to the location of the firmware image on your local hard disk.
This field is available for local hard disk and USB only.
Allow Firmware
Downgrade
Select to confirm the installation of an older firmware image
(downgrade).
This appears only when selecting FortiGuard Network is selected from
the Upgrade From drop-down list.
Upgrade Partition The number of the partition being updated.
This field is available only if your FortiGate unit has more than one
firmware partition.
Boot the New
Firmware
By default, this is enabled. Select to disable the FortiGate units reboot
process when installing a firmware image to a partition.
This option enables you to install a firmware image to a partition without
the FortiGate unit rebooting itself and making the firmware image the
default firmware that is currently running.
You need to register your FortiGate unit with Customer Support to access firmware updates for
your model. For more information, go to http://support.fortinet.com or contact Customer
Support.
Local PC Select to back up the configuration file to a local management
computer.
FortiManager Select to back up the configuration file to a FortiManager unit. The
Central Management settings must be enabled and a FortiManager unit
connected with the FortiGate unit so that the FortiGate unit can send
the configuration file to the FortiManager unit.
To enable central management, go to System > Admin > Settings.
Formatting USB
The FortiGate unit enables you to back up the configuration of the device to a USB flash drive.
The USB flash drive must be formatted as a FAT16 disk.
To formate the USB flash drive, either use the CLI command exe usb-disk format. or within
Windows at a command prompt, enter the command...
format <drive_letter>: /FS:FAT /V:<drive_label>
... where <drive_letter> is the letter of the connected USB flash drive and <drive_label>
is the name to give the USB drive.
Remote FortiManager backup and restore options
After successfully connecting to the FortiManager unit from your FortiGate unit, you can back
up and restore your configuration to and from the FortiManager unit.
A list of revisions is displayed when restoring the configuration from a remote location. The list
allows you to choose the configuration to restore. To use the FortiManager unit as a method of
backup and restore of configuration files, you must first configure a connection between the two
devices. For more information, see Central management.
Remote FortiGuard backup and restore options
Your FortiGate unit can be remotely managed by a central management server, which is
available when you register for the FortiGuard Analysis and Management Service. FortiGuard
Analysis and Management Service is a subscription-based service and is purchased by
contacting support.
After registering, you can back up or restore your configuration. FortiGuard Analysis and
Management Service is useful when administering multiple FortiGate units without having a
FortiManager unit. Using this service you can also upgrade the firmware. Upgrading the
firmware is available in the Firmware Upgrade section of the backup and restore menu.
USB Disk Select to back up the configuration file to a USB key that is connected
to the FortiGate unit.
Full Config Select to backup the full VDOM configuration. This appears only when
the FortiGate unit has VDOM configuration enabled.
VDOM Config Select to backup the only the VDOM configuration file. This option
backs up only the configuration file within that VDOM. Select the VDOM
from the drop-down list, and select Backup.
Encrypt
configuration file
Select to enable a password to the configuration file for added security.
Password Enter the password that will be used to restore the configuration file.
Confirm Re-enter the password.
When restoring the configuration from a remote location, a list of revisions is displayed so that
you can choose the configuration file to restore.
Restoring your firmware configuration
Administrators can restore a configuration file that was backed up using the System Information
widget. If the configuration file was encrypted, you will need the password to restore the
configuration file.
Viewing online administrators
The System Information widget enables you to view information about the administrators
logged into the FortiGate unit. To view logged in administrators, in the System Information
widget, select Details.
Changing the currently logged in administrators password
Use the System Information widget, to change your password. To do this, select the Change
Password option in the Current Administrator row.
License Information widget
License Information displays the status of your technical support contract and FortiGuard
subscriptions. The FortiGate unit updates the license information status indicators automatically
when attempting to connect to the FortiGuard Distribution Network (FDN). FortiGuard
Subscriptions status indicators are green if the FDN was reachable and the license was valid
during the last connection attempt, grey if the FortiGate unit cannot connect to the FDN, and
orange if the FDN is reachable but the license has expired.
The FortiGuard-FortiManager protocol is used when connecting to the FortiGuard Analysis and
Management Service. This protocol runs over SSL using IPv4/TCP port 541 and includes the
following functions:
detects FortiGate unit dead or alive status
detects management service dead or alive status
notifies the FortiGate units about configuration changes, AV/IPS database update and
firewall changes.
Local PC Select to back up the configuration file to a local management
computer.
FortiManager Select to back up the configuration file to a FortiManager unit. The
Central Management settings must be enabled and a FortiManager unit
connected with the FortiGate unit so that the FortiGate unit can send
the configuration file to the FortiManager unit.
To enable central management, go to System > Admin > Settings.
USB Disk Select to back up the configuration file to a USB key that is connected
to the FortiGate unit.
Filename Select Browse to locate the configuration file.
Password If a password was set when saving the configuration file, enter the
password.
When a new FortiGate unit is powered on, it automatically searches for FortiGuard services. If
the FortiGate unit is configured for central management, it will look for FortiGuard services on
the configured FortiManager system. The FortiGate unit sends its serial number to the
FortiGuard service provider, which then determines whether the FortiGate unit is registered and
has valid contracts for FortiGuard subscriptions and FortiCare support services. If the FortiGate
unit is registered and has a valid contract, the License Information is updated.
If the FortiGate unit is not registered, any administrator with the super_admin profile sees a
reminder message that provides access to a registration form.
When a contract is due to expire within 30 days, any administrator with the super_admin profile
sees a notification message that provides access to an Add Contract form. Simply enter the
new contract number and select Add. Fortinet Support also sends contract expiry reminders.
You can optionally disable notification for registration or contract inquiry using the config
system global command in the CLI. Selecting any of the Configure options will take you to
the Maintenance page.
Manually updating FortiGuard definitions
You can update the definition files for a number of FortiGuard services from the License
Information widget.
To update FortiGuard definitions manually
1. Download the latest update files from Fortinet support site and copy it to the computer that
you use to connect to the web-based manager.
Support Contract Displays details about your current Fortinet Support contract.
If Not Registered appears, select Register to register the FortiGate
unit.
If Expired appears, select Renew for information on renewing your
technical support contract. Contact your local reseller.
If Registered appears the name of the support that registered this
FortiGate unit is also displayed.
You can select Login Now to log into the Fortinet Support account
that registered this FortiGate unit.
The support contract section also includes information on the number of
FortiClient users connecting to the FortiGate unit. It displays the number
of FortiClient connections allowed, and the number of users connecting.
By selecting the Details link for the number of connections, you can
view more information about the connecting user, including IP address,
user name and type of operating system the user is connecting with.
FortiGuard Services Displays the currently installed version of the attack and virus definitions
for the various UTM services from FortiGuard. Select Renew to update
any of the licenses.
Virtual Domain Displays the maximum number of virtual domains the FortiGate unit
supports with the current license.
For high-end models, you can select the Purchase More link to
purchase a license key through Fortinet technical support to increase
the maximum number of VDOMs.
FortiClient Software View information about the latest version of FortiClient licenses and
users connecting using the software.
2. Log in to the web-based manager and locate the License Information widget.
3. In the License Information widget, in the AV Definitions row, select Update.
4. Select Browse and locate the update file, or type the path and filename.
5. Select OK.
6. Verify the update was successful by locating the License Information widget and viewing the
date given in the row.
FortiGate unit Operation widget
The Unit Operation widget is an illustrated version of the FortiGate units front panel that shows
the status of the FortiGate units network interfaces. The interface appears green, when the
interface is connected. Hover the mouse pointer over the interface to view details about the
interface.
Icons around the front panel indicate when the FortiGate unit is connected to a FortiAnalyzer or
FortiManager device, or FortiClient installations. Select the icon in the widget to jump to the
configuration page for each device. When connected to one of these devices, a green check
mark icon appears next to the icon. If the device communication is configured, but the device is
unreachable, a red X appears.
System Resources widget
The System Resources widget displays basic FortiGate unit resource usage. This widget
displays the information for CPU and memory in either real-time or historical data. For FortiGate
units with multiple CPUs, you can view the CPU usage as an average of all CPUs or each one
individually.
This widget also is where you reboot or shutdown the FortiGate unit.
Use the Refresh icon when you want to view current system resource information, regardless of
whether you are viewing real-time or historical type format.
To change the resource view from real-time to historical, or change the CPU view (for multiple
CPU FortiGate units), select the Edit icon (visible when you hover the mouse over the widget).
When viewing CPU and memory usage in the web-based manager, only the information for core
processes displays. CPU for management processes, is excluded. For example, HTTPS
connections to the web-based manager.
Alert Message Console widget
Alert messages help you monitor system events on your FortiGate unit such as firmware
changes, network security events, or virus detection events. Each message shows the date and
time that the event occurred.
You can configure the alert message console settings to control what types of messages are
displayed on the console.
To configure the Alert Message Console
1. Locate the Alert Message Console widget within the Dashboard menu.
2. Select the Edit icon in the Alert Message Console title bar.
3. Select the types of alerts that you do not want to be displayed in the widget.
4. Select OK.
Log and Archive Statistics widget
The Log and Archive Statistics widget displays the activity of what is DLP archiving, network
traffic, and security problems including attack attempts, viruses caught, and spam email
caught.
The information displayed in the Log and Archive Statistics widget is derived from log
messages. Various configuration settings are required to collect data, as described below.
DLP Archive
A summary of the HTTP, HTTPS, MM1, MM3, MM4, MM7, email, FTP IM, and VoIP (also called
session control) traffic that has passed through the FortiGate unit, and has been archived by
DLP. MM1, MM3, MM4, and MM7 are only available in FortiOS Carrier.
This widget also Indicates the average DLP archive bytes per day since the last time it was
reset.
The Details pages list the last items of the selected type and provides links to the FortiAnalyzer
unit where the archived traffic is stored. If logging to a FortiAnalyzer unit is not configured, the
Details pages provide a link to Log & Report > Log Config > Log Settings.
You configure the FortiGate unit to collect DLP archive data for the widget by configuring a DLP
sensor to archive its log data.
You must also add the profile to a security policy. When the security policy receives sessions for
the selected protocols, meta-data is added to the statistics widget.
For FortiOS Carrier, you can configure an MMS profile to collect statistics for MM1, MM3, MM4
and MM7 traffic.
The Email statistics are based on email POP3, IMAP and SMTP protocols. If your FortiGate unit
supports SSL content scanning and inspection, POP3S, IMAPS and SMTPS are also included.
The IM statistics are based on the AIM, ICQ, MSN, and Yahoo! protocols and configured by
selecting Archive in DLP Sensors for IM DLP rules.
The VoIP statistics are based on the SIP, SIMPLE and SCCP session control protocols and
configured by selecting Archive in DLP Sensors for Session Control DLP rules.
Log
A summary of traffic, viruses, attacks, spam email messages, and blocked URLs that the
FortiGate unit has logged.
DLP data loss detected displays the number of sessions that have matched DLP sensor
profiles. DLP collects meta data about all sessions matched by DLP sensors and records this
meta-data in the DLP log. Every time a DLP log message is recorded, the DLP data loss
detected number increases. If you are using DLP for summary or full archiving the DLP data loss
detected number can get very large. This number may not indicate that data has been lost or
leaked.
Viewing DLP archive section of the Log and Archive Statistics widget
From the Log and Archive Statistics widget, you can view statistics about HTTP, HTTPS, FTP
and IM traffic coming through the FortiGate unit. For FortiOS Carrier, you can view the MM1,
MM3, MM4, MM7 email statistics. Select the Details link beside each traffic type to view more
information.
DLP archive information is viewed from the DLP Archive section of the Log and Archive
Statistics widget. You must select Details to view the available archive information.
Viewing the Log section of the Log and Archive Statistics widget
From the Log and Archive Statistics widget, you can view statistics about the network attacks
that the FortiGate unit has stopped, statistics on viruses caught, attacks detected, spam email
detected, and URLs blocked. Select the Details link beside each attack type to view more
information.
CLI Console widget
The CLI Console widget enables you to access the CLI without exiting from the web-based
manager.
The two controls located on the CLI Console widget title bar are Customize, and Detach.
Detach moves the CLI Console widget into a pop-up window that you can resize and
reposition. Select Attach. to move the widget back to the dashboards page.
Customize enables you to change the appearance of the console by selecting fonts and
colors for the text and background.
Session History widget
The Session History widget displays the total session activity on the device. Activity displays on
a per second basis. Select the Edit icon in the title bar (which appears when you hover the
mouse over the widget) to change the time period for the widget.
Top Sessions widget
The Top Sessions widget polls the FortiGate unit for session information for IPv4 or IPv6
addresses, or both. Rebooting the FortiGate unit will reset the Top Session statistics to zero.
When you select Details to view the current sessions list, a list of all sessions currently
processed by the FortiGate unit.
Detailed information is available in System > Monitor > Sessions. Use the following table to
modify the default settings of the Top Sessions widget.
Traffic History widget
The Traffic History widget displays the traffic on one selected interface over a specified time
period.
Only one interface can be monitored at a time. By default, no interface is monitored. Configure
an interface to monitor by selecting the Edit icon in the title bar (which appears when you hover
the mouse over the widget) and choosing the interface from the drop down menu. All traffic
history data is cleared when you select Apply. To expand the information for the widget, select
Enlarge in the title bar area.
RAID monitor widget
The RAID Monitor widget displays the current state of the RAID array and each RAID disk. This
widget does not display unless the FortiGate unit has more than one disk installed, and is not
available for FortiOS Carrier.
RAID disk configuration
The RAID disk is configured from the Disk Configuration page.
Array status icon Displays the status of the RAID array.
Green with a check mark shows a healthy RAID array.
Yellow triangle shows the array is in a degraded state but it is still
functioning. A degraded array is slower than a healthy array. Rebuild
the array to fix the degraded state.
A wrench shows the array is being rebuilt.
Positioning the mouse over the array status icon displays a text
message of the status of the array.
Disk status icon There is one icon for each disk in the array.
Green with a check mark shows a healthy disk.
Red with an X shows the disk has failed and needs attention.
Positioning the mouse over the disk status icon displays the status of
the disk, and the storage capacity of the disk.
RAID Level The RAID level of this RAID array. The RAID level is set as part of
configuring the RAID array.
Status bar The bar shows the percentage of the RAID array that is currently in use.
Used/Free/Total Displays the amount of RAID array storage that is being used, the
amount of storage that is free, and the total storage in the RAID array.
The values are in Gigabytes.
RAID level Select the level of RAID. Options include:
RAID-0 (striping) better performance, no redundancy
RAID-1 (mirroring) half the storage capacity, with redundancy
RAID-5 striping with parity checking, and redundancy
Available RAID level options depend on the available number of hard
disks. Two or more disks are required for RAID 0 or RAID 1. Three or
more disks are required for RAID 5.
Changing the RAID level will erase any stored log information on the
array, and reboot the FortiGate unit. The FortiGate unit will remain offline
while it reconfigures the RAID array. When it reboots, the array will need
to synchronize before being fully operational.
Device Type Distribution widget
The Device Type Distribution widget shows the distribution of Bring Your Own Device (BYOD)
devices in use on the network.
Storage widget
The Storage widget displays the status of disks currently installed on your FortiGate unit. The
status includes how much space is used and how much free space is available. You can find out
more detailed information about a disks status by going to System > Config > Advanced. The
Storage page displays information regarding the disks health, RAID events, visual
representation of the disk, and configuration of the management of the disk.
Status The status, or health, of RAID array. This status can be one of:
OK standard status, everything is normal
OK (Background-Synchronizing) (%) synchronizing the disks after
changing RAID level, Synchronizing progress bar shows percent
complete
Degraded One or more of the disks in the array has failed, been
removed, or is not working properly. A warning is displayed about
the lack of redundancy in this state. Also, a degraded array is slower
than a healthy array. Select Rebuild RAID to fix the array.
Degraded (Background-Rebuilding) (%) The same as degraded, but
the RAID array is being rebuilt in the background. The array
continues to be in a fragile state until the rebuilding is completed.
Size The size of the RAID array in gigabytes (GB). The size of the array
depends on the RAID level selected, and the number of disks in the
array.
Rebuild RAID Select to rebuild the array after a new disk has been added to the array,
or after a disk has been swapped in for a failed disk.
If you try to rebuild a RAID array with too few disks you will get a rebuild
error. After inserting a functioning disk, the rebuild will start.
This button is only available when the RAID array is in a degraded state
and has enough disks to be rebuilt.
You cannot restart a rebuild once a rebuild is already in progress.
Note: If a disk has failed, the number of working disks may not be
enough for the RAID level to function. In this case, replace the failed
disk with a working disk to rebuild the RAID array.
Disk# The disks position in the array. This corresponds to the physical slot of
the disk.
If a disk is removed from the FortiGate unit, the disk is marked as not a
member of the array and its position is retained until a new disk is
inserted in that drive bay.
Status The status of this disk. Options include OK, and unavailable.
A disk is unavailable if it is removed or has failed.
P2P Usage widget
The P2P Usage widget displays the total bytes and total bandwidth for each supported instant
messaging client. These clients are WinNY, BitTorrent, eDonkey, Guntella, and KaZaa. With P2P
Usage, you can only modify the default name of the widget.
Top Clients by Bandwidth widget
The Top clients by Bandwidth widget displays the per-IP address session data. The data,
displays each IP address that initiated the traffic (and its current bandwidth consumption), and
is similar to the top session widget. Instead of viewing the IP address of the person who
initiated the traffic, you can choose to view their name by selecting Resolve Host Name in the
editing window.
VoIP Usage widget
The VoIP Usage widget displays current active VoIP call information (using over SIP and SCCP
protocols), which include complete calls, calls that have been dropped, failed or went
unanswered.
IM Usage widget
The IM Usage widget displays instant messaging clients and their activity that is occurring on
your network, including chats, messages, file transfer between clients, and any voice chats. IM
Usage provides this information for IM, Yahoo!, AIM, and ICQ.
Protocol Usage widget
The Protocol Usage widget displays protocol activity over a defined time period and the amount
of bandwidth used during the activity.
Basic configurations
Before going ahead and configuring security policies, users, and UTM profiles, you should
perform some basic configurations to set up your FortiGate unit.
Changing your administrator password
By default, you can log in to the web-based manager by using the admin administrator account
and no password. It is highly recommended that you add a password to the admin
administrator account. For improved security, you should regularly change the admin
administrator account password and the passwords for any other administrator accounts that
you add.
To change an administrators password, go to System > Admin > Administrators, edit the
administrator account, and then change the password.
For details on selecting a password, and password best practices, see Passwords on
page 54.
If you forget or lose an administrator account password and cannot log in to the unit, see the
Fortinet Knowledge Base article Recovering a lost FortiGate administrator account password.
Changing the web-based manager language
The default language of the web-based manager is English. A selection of localized iterations
are available to selected from. For best results, you should select the language that the
management computer operating system uses.
To change the language, go to System > Admin > Settings. In the Display Settings section,
select the language you want from the Language drop-down list.
Changing administrative access
Through administrative access, an administrator can connect to the FortiGate unit. Access is
available through a number of services including HTTPS and SSH.The default configuration
allows administrative access to one or more of the units interfaces as described in the
QuickStart Guide.
To change administrative access
1. Go to System > Network > Interface.
2. Select the interface.
3. Select the administrative access type or types for that interface.
4. Select OK.
Changing the web-based manager idle timeout
By default, the web-based manager disconnects administrative sessions if no activity occurs for
five minutes. This prevents someone from using the web-based manager if the management PC
is left unattended.
To change the idle timeout
1. Go to System > Admin > Settings.
2. In the Administration Settings section, enter the time in minutes in the Idle Timeout field
3. Select Apply.
Switching VDOMs
When VDOMs are enabled, a menu appears in the left column called Current VDOM. This menu
displays a drop-down list that lists the configured VDOMs.
To switch to a VDOM using the Current VDOM menu, select the VDOM that you want to switch
to from the drop-down list. You are automatically redirected to that VDOM.
VDOMs are enabled on the System Information Dashboard Widget.
Connecting to the CLI from the web-based manager
You can use the CLI to configure all configuration options available from the web-based
manager. Some configuration options are available only from the CLI.
To connect to the CLI console, go to System > Dashboard > Status, and in the CLI Console
widget select inside the window, and are automatically logged in to the CLI. For more
information on using the CLI, see Using the CLI on page 31.
Logging out
Select the Logout icon to quit your administrative session. If you only close the browser or leave
the web-based manager to surf to another web site, you remain logged in until the idle timeout
(default 5 minutes) expires. To change the timeout, see Changing the web-based manager idle
timeout on page 29.
Page 31
Using the CLI
The command line interface (CLI) is an alternative configuration tool to the web-based manager.
Both can be used to configure the FortiGate unit. While the configuration, in the web-based
manager, a point-and-click method, the CLI, would require typing commands, or upload
batches of commands from a text file, like a configuration script.
If you are new to Fortinet products, or if you are new to the CLI, this section can help you to
become familiar.
This section includes the topics:
Connecting to the CLI
Command syntax
Sub-commands
Permissions
Tips
You can access the CLI in two ways:
Locally Connect your computer directly to the FortiGate units console port.
Through the network Connect your computer through any network attached to one of the
FortiGate units network ports. The network interface must have enabled Telnet or SSH
administrative access if you will connect using an SSH/Telnet client, or HTTP/HTTPS
administrative access if you will connect using the CLI Console widget in the web-based
manager.
Local access is required in some cases.
If you are installing your FortiGate unit for the first time and it is not yet configured to connect
to your network, unless you reconfigure your computers network settings for a peer
connection, you may only be able to connect to the CLI using a local serial console
connection. For more information, see Connecting to the CLI on page 52.
Restoring the firmware utilizes a boot interrupt. Network access to the CLI is not available
until after the boot process has completed, and therefore local CLI access is the only viable
option.
Before you can access the CLI through the network, you usually must enable SSH and/or Telnet
on the network interface through which you will access the CLI.
Connecting to the CLI using a local console
Local console connections to the CLI are formed by directly connecting your management
computer or console to the FortiGate unit, using its DB-9 or RJ-45 console port. To connect to
the local console you need:
a computer with an available serial communications (COM) port
the RJ-45-to-DB-9 or null modem cable included in your FortiGate package
terminal emulation software such as HyperTerminal for Microsoft Windows
The following procedure describes connection using Microsoft HyperTerminal software; steps
may vary with other terminal emulators.
To connect to the CLI using a local serial console connection
1. Using the null modem or RJ-45-to-DB-9 cable, connect the FortiGate units console port to
the serial communications (COM) port on your management computer.
2. On your management computer, start HyperTerminal.
3. For the Connection Description, enter a Name for the connection, and select OK.
4. On the Connect using drop-down list box, select the communications (COM) port on your
management computer you are using to connect to the FortiGate unit.
5. Select OK.
6. Select the following Port settings and select OK.
7. Press Enter or Return on your keyboard to connect to the CLI.
8. Type a valid administrator account name (such as admin) and press Enter.
9. Type the password for that administrator account and press Enter. (In its default state, there
is no password for the admin account.)
The CLI displays the following text:
Welcome!
Type ? to list available commands.
You can now enter CLI commands, including configuring access to the CLI through SSH or
Telnet. For details, see Enabling access to the CLI through the network (SSH or Telnet) on
page 32.
Enabling access to the CLI through the network (SSH or Telnet)
SSH or Telnet access to the CLI is accomplished by connecting your computer to the FortiGate
unit using one of its RJ-45 network ports. You can either connect directly, using a peer
connection between the two, or through any intermediary network.
You must enable SSH and/or Telnet on the network interface associated with that physical
network port. If your computer is not connected directly or through a switch, you must also
configure the FortiGate unit with a static route to a router that can forward packets from the
FortiGate unit to your computer. You can do this using either a local console connection or the
the web-based manager.
Bits per second 9600
Data bits 8
Parity None
Stop bits 1
Flow control None
If you do not want to use an SSH/Telnet client and you have access to the web-based manager,
you can alternatively access the CLI through the network using the CLI Console widget in the
web-based manager.
Requirements
a computer with an available serial communications (COM) port and RJ-45 port
terminal emulation software such as HyperTerminal for Microsoft Windows
the RJ-45-to-DB-9 or null modem cable included in your FortiGate package
a network cable
prior configuration of the operating mode, network interface, and static route (for details,
see)
To enable SSH or Telnet access to the CLI using a local console connection
1. Using the network cable, connect the FortiGate units network port either directly to your
computers network port, or to a network through which your computer can reach the
FortiGate unit.
2. Note the number of the physical network port.
3. Using a local console connection, connect and log into the CLI. For details, see Connecting
to the CLI using a local console on page 31.
4. Enter the following command:
config system interface
edit <interface_str>
set allowaccess <protocols_list>
next
end
where:
<interface_str> is the name of the network interface associated with the physical
network port and containing its number, such as port1
<protocols_list> is the complete, space-delimited list of permitted administrative
access protocols, such as https ssh telnet
For example, to exclude HTTP, HTTPS, SNMP, and PING, and allow only SSH and Telnet
administrative access on port1:
set system interface port1 config allowaccess ssh telnet
5. To confirm the configuration, enter the command to display the network interfaces settings.
get system interface <interface_str>
The CLI displays the settings, including the allowed administrative access protocols, for the
network interfaces.
To connect to the CLI through the network interface, see Connecting to the CLI using SSH
on page 33 or Connecting to the CLI using Telnet on page 34.
Connecting to the CLI using SSH
Once the FortiGate unit is configured to accept SSH connections, you can use an SSH client on
your management computer to connect to the CLI.
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI.
FortiGate units support 3DES and Blowfish encryption algorithms for SSH.
Before you can connect to the CLI using SSH, you must first configure a network interface to
accept SSH connections. For details, see Enabling access to the CLI through the network
(SSH or Telnet) on page 32. The following procedure uses PuTTY. Steps may vary with other
SSH clients.
To connect to the CLI using SSH
1. On your management computer, start an SSH client.
2. In Host Name (or IP Address), enter the IP address of a network interface on which you have
enabled SSH administrative access.
3. In Port, enter 22.
4. For the Connection type, select SSH.
5. Select Open.
The SSH client connects to the FortiGate unit.
The SSH client may display a warning if this is the first time you are connecting to the
FortiGate unit and its SSH key is not yet recognized by your SSH client, or if you have
previously connected to the FortiGate unit but it used a different IP address or SSH key. If
your management computer is directly connected to the FortiGate unit with no network
hosts between them, this is normal.
6. Click Yes to verify the fingerprint and accept the FortiGate units SSH key. You will not be
able to log in until you have accepted the key.
7. The CLI displays a login prompt.
9. Type the password for this administrator account and press Enter.
The FortiGate unit displays a command prompt (its host name followed by a #). You can
now enter CLI commands.
Connecting to the CLI using Telnet
Once the FortiGate unit is configured to accept Telnet connections, you can use a Telnet client
on your management computer to connect to the CLI.
Before you can connect to the CLI using Telnet, you must first configure a network interface to
accept SSH connections. For details, see Enabling access to the CLI through the network
(SSH or Telnet) on page 32.
To connect to the CLI using Telnet
1. On your management computer, start a Telnet client.
2. Connect to a FortiGate network interface on which you have enabled Telnet.
If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one
minute, then reconnect to attempt the login again.
Telnet is not a secure access method. SSH should be used to access the CLI from the Internet
or any other untrusted network.
4. Type the password for this administrator account and press Enter.
The FortiGate unit displays a command prompt (its host name followed by a #). You can
now enter CLI commands.
Command syntax
When entering a command, the command line interface (CLI) requires that you use valid syntax,
and conform to expected input constraints. It will reject invalid commands.
Fortinet documentation uses the following conventions to describe valid command syntax
Terminology
Each command line consists of a command word that is usually followed by words for the
configuration data or other specific item that the command uses or affects:
get system admin
To describe the function of each word in the command line, especially if that nature has
changed between firmware versions, Fortinet uses terms with the following definitions.
Figure 2: Command syntax terminology
command A word that begins the command line and indicates an action that the
FortiGate unit should perform on a part of the configuration or host on the network, such as
config or execute. Together with other words, such as fields or values, that end when you
press the Enter key, it forms a command line. Exceptions include multiline command lines,
which can be entered using an escape sequence. (See Shortcuts and key commands on
page 42.)
Valid command lines must be unambiguous if abbreviated. (See Command abbreviation
on page 43.) Optional words or other command line permutations are indicated by syntax
notation. (See Notation on page 36.)
sub-command A kind of command that is available only when nested within the scope of
another command. After entering a command, its applicable sub-commands are available to
you until you exit the scope of the command, or until you descend an additional level into
If three incorrect login or password attempts occur in a row, you will be disconnected. Wait one
minute, then reconnect to attempt the login again.
Option
Value Field
Command Subcommand
Table
set ip <interface_ipv4mask>
edit <port_name>
set status {up | down}
next
end
Object
another sub-command. Indentation is used to indicate levels of nested commands. (See
Indentation on page 36.)
Not all top-level commands have sub-commands. Available sub-commands vary by their
containing scope. (See Sub-commands on page 38.)
object A part of the configuration that contains tables and/or fields. Valid command lines
must be specific enough to indicate an individual object.
table A set of fields that is one of possibly multiple similar sets which each have a name
or number, such as an administrator account, policy, or network interface. These named or
numbered sets are sometimes referenced by other parts of the configuration that use them.
(See Notation on page 36.)
field The name of a setting, such as ip or hostname. Fields in some tables must be
configured with values. Failure to configure a required field will result in an invalid object
configuration error message, and the FortiGate unit will discard the invalid table.
value A number, letter, IP address, or other type of input that is usually your configuration
setting held by a field. Some commands, however, require multiple input values which may
not be named but are simply entered in sequential order in the same command line. Valid
input types are indicated by constraint notation. (See Notation on page 36.)
option A kind of value that must be one or more words from of a fixed set of options. (See
Notation on page 36.)
Indentation
Indentation indicates levels of nested commands, which indicate what other subcommittees are
available from within the scope. For example, the edit sub-command is available only within a
command that affects tables, and the next sub-command is available only from within the
edit sub-command:
edit port1
set status up
next
end
For information about available sub-commands, see Sub-commands on page 38.
Notation
Brackets, braces, and pipes are used to denote valid permutations of the syntax. Constraint
notations, such as <address_ipv4>, indicate which data types or string patterns are
acceptable value input.
Table 1: Command syntax notation
Convention Description
Square brackets [ ] A non-required word or series of words. For example:
[verbose {1 | 2 | 3}]
indicates that you may either omit or type both the verbose word
and its accompanying option, such as verbose 3.
Angle brackets < > A word constrained by data type. The angled brackets contain a
descriptive name followed by an underscore ( _ ) and suffix that
indicates the valid data type. For example, <retries_int>,
indicates that you should enter a number of retries, such as 5.
Data types include:
<xxx_name>: A name referring to another part of the
configuration, such as policy_A.
<xxx_index>: An index number referring to another part of the
configuration, such as 0 for the first static route.
<xxx_pattern>: A regular expression or word with wild cards
that matches possible variations, such as *@example.com to
match all email addresses ending in @example.com.
<xxx_fqdn>: A fully qualified domain name (FQDN), such as
mail.example.com.
<xxx_email>: An email address, such as admin@example.com.
<xxx_ipv4>: An IPv4 address, such as 192.168.1.99.
<xxx_v4mask>: A dotted decimal IPv4 netmask, such as
255.255.255.0.
<xxx_ipv4mask>: A dotted decimal IPv4 address and netmask
separated by a space, such as
192.168.1.99 255.255.255.0.
<xxx_ipv4/mask>: A dotted decimal IPv4 address and
CIDR-notation netmask separated by a slash, such as
192.168.1.1/24.
<xxx_ipv4range>: A hyphen ( - )-delimited inclusive range of
IPv4 addresses, such as 192.168.1.1-192.168.1.255.
<xxx_ipv6>: A colon( : )-delimited hexadecimal IPv6 address,
such as 3f2e:6a8b:78a3:0d82:1725:6a2f:0370:6234.
<xxx_v6mask>: An IPv6 netmask, such as /96.
<xxx_ipv6mask>: A dotted decimal IPv6 address and netmask
separated by a space.
<xxx_str>: A string of characters that is not another data type,
such as P@ssw0rd. Strings containing spaces or special
characters must be surrounded in quotes or use escape
sequences. See Special characters on page 43.
<xxx_int>: An integer number that is not another data type,
such as 15 for the number of minutes.
Curly braces { } A word or series of words that is constrained to a set of options
delimited by either vertical bars or spaces. You must enter at least
one of the options, unless the set of options is surrounded by square
brackets [ ].
Sub-commands
Each command line consists of a command word that is usually followed by words for the
configuration data or other specific item that the command uses or affects:
get system admin
Sub-commands are available from within the scope of some commands.When you enter a
sub-command level, the command prompt changes to indicate the name of the current
command scope. For example, after entering:
config system admin
the command prompt becomes:
(admin)#
Applicable sub-commands are available to you until you exit the scope of the command, or until
you descend an additional level into another sub-command.
For example, the edit sub-command is available only within a command that affects tables;
the next sub-command is available only from within the edit sub-command:
edit port1
set status up
next
end
Sub-command scope is indicated by indentation. See Indentation on page 36.
Available sub-commands vary by command.From a command prompt within config, two
types of sub-commands might become available:
commands affecting fields
commands affecting tables
Options delimited by
vertical bars |
Mutually exclusive options. For example:
{enable | disable}
indicates that you must enter either enable or disable, but must
not enter both.
Options delimited by
spaces
Non-mutually exclusive options. For example:
{http https ping snmp ssh telnet}
indicates that you may enter all or a subset of those options, in any
order, in a space-delimited list, such as:
ping https ssh
Note: To change the options, you must re-type the entire list. For
example, to add snmp to the previous example, you would type:
ping https snmp ssh
If the option adds to or subtracts from the existing list of options,
instead of replacing it, or if the list is comma-delimited, the exception
will be noted.
Table 2: Commands for tables
clone <table> Clone (or make a copy of) a table from the current object.
For example, in config firewall policy, you could enter the
following command to clone security policy 27 to create security policy 30:
clone 27 to 39
In config antivirus profile, you could enter the following
command to clone an antivirus profile named av_pro_1 to create a new
antivirus profile named av_pro_2:
clone av_pro_1 to av_pro_2
clone may not be available for all tables.
delete <table> Remove a table from the current object.
For example, in config system admin, you could delete an
administrator account named newadmin by typing delete newadmin
and pressing Enter. This deletes newadmin and all its fields, such as
newadmins first-name and email-address.
delete is only available within objects containing tables.
edit <table> Create or edit a table in the current object.
For example, in config system admin:
edit the settings for the default admin administrator account by typing
edit admin.
add a new administrator account with the name newadmin and edit
newadmins settings by typing edit newadmin.
edit is an interactive sub-command: further sub-commands are available
from within edit.
edit changes the prompt to reflect the table you are currently editing.
edit is only available within objects containing tables.
In objects such as security policies, <table> is a sequence number. To
create a new entry without the risk of overwriting an existing one, enter
edit 0. The CLI initially confirms the creation of entry 0, but assigns the
next unused number after you finish editing and enter end.
end Save the changes to the current object and exit the config command.
This returns you to the top-level command prompt.
get List the configuration of the current object or table.
In objects, get lists the table names (if present), or fields and their
values.
In a table, get lists the fields and their values.
For more information on get commands, see the CLI Reference.
Example of table commands
From within the system admin object, you might enter:
edit admin_1
The CLI acknowledges the new table, and changes the command prompt to show that you are
now within the admin_1 table:
new entry 'admin_1' added
(admin_1)#
purge Remove all tables in the current object.
For example, in config forensic user, you could type get to see the
list of user names, then type purge and then y to confirm that you want to
delete all users.
purge is only available for objects containing tables.
Caution: Back up the FortiGate unit before performing a purge. purge
cannot be undone. To restore purged tables, the configuration must be
restored from a backup.
Caution: Do not purge system interface or system admin tables.
purge does not provide default tables. This can result in being unable to
connect or log in, requiring the FortiGate unit to be formatted and restored.
rename <table>
to <table>
Rename a table.
For example, in config system admin, you could rename admin3 to
fwadmin by typing rename admin3 to fwadmin.
rename is only available within objects containing tables.
show Display changes to the default configuration. Changes are listed in the
form of configuration commands.
Table 2: Commands for tables
Table 3: Commands for fields
abort Exit both the edit and/or config commands without saving the fields.
end Save the changes made to the current table or object fields, and exit the
config command. (To exit without saving, use abort instead.)
get List the configuration of the current object or table.
In objects, get lists the table names (if present), or fields and their values.
In a table, get lists the fields and their values.
next Save the changes you have made in the current tables fields, and exit the
edit command to the object prompt. (To save and exit completely to the root
prompt, use end instead.)
next is useful when you want to create or edit several tables in the same
object, without leaving and re-entering the config command each time.
next is only available from a table prompt; it is not available from an object
prompt.
Example of field commands
From within the admin_1 table, you might enter:
set password my1stExamplePassword
to assign the value my1stExamplePassword to the password field. You might then enter the
next command to save the changes and edit the next administrators table.
Permissions
Depending on the account that you use to log in to the FortiGate unit, you may not have
complete access to all CLI commands.
Access profiles control which CLI commands an administrator account can access.
Access profiles assign either read, write, or no access to each area of the FortiGate software. To
view configurations, you must have read access. To make changes, you must have write
access.
Unlike other administrator accounts, the administrator account named admin exists by default
and cannot be deleted. The admin administrator account is similar to a root administrator
account. This administrator account always has full permission to view and change all FortiGate
configuration options, including viewing and changing all other administrator accounts. Its
name and permissions cannot be changed. It is the only administrator account that can reset
another administrators password without being required to enter that administrators existing
password.
For complete access to all commands, you must log in with the administrator account named
admin.
set <field>
<value>
Set a fields value.
For example, in config system admin, after typing edit admin, you
could type set password newpass to change the password of the admin
administrator to newpass.
Note: When using set to change a field containing a space-delimited list,
type the whole new list. For example, set <field> <new-value> will
replace the list with the <new-value> rather than appending <new-value>
to the list.
show Display changes to the default configuration. Changes are listed in the form of
configuration commands.
unset <field> Reset the table or objects fields to default values.
For example, in config system admin, after typing edit admin, typing
unset password resets the password of the admin administrator account
to the default (in this case, no password).
Table 3: Commands for fields
Set a strong password for the admin administrator account, and change the password regularly.
By default, this administrator account has no password. Failure to maintain the password of the
admin administrator account could compromise the security of your FortiGate unit.
Tips
Basic features and characteristics of the CLI environment provide support and ease of use for
many CLI tasks.
Help
To display brief help during command entry, press the question mark (?) key.
Press the question mark (?) key at the command prompt to display a list of the commands
available and a description of each command.
Type a word or part of a word, then press the question mark (?) key to display a list of valid
word completions or subsequent words, and to display a description of each.
Shortcuts and key commands
Table 4: Shortcuts and key commands
Action Keys
List valid word completions or subsequent words.
If multiple words could complete your entry, display all possible completions
with helpful descriptions of each.
?
Complete the word with the next available match.
Press the key multiple times to cycle through available matches.
Tab
Recall the previous command.
Command memory is limited to the current session.
Up arrow, or
Ctrl + P
Recall the next command. Down arrow,
or
Ctrl + N
Move the cursor left or right within the command line. Left or Right
arrow
Move the cursor to the beginning of the command line. Ctrl + A
Move the cursor to the end of the command line. Ctrl + E
Move the cursor backwards one word. Ctrl + B
Move the cursor forwards one word. Ctrl + F
Delete the current character. Ctrl + D
Command abbreviation
You can abbreviate words in the command line to their smallest number of non-ambiguous
characters.
For example, the command get system status could be abbreviated to g sy st.
Environment variables
The CLI supports the following environment variables. Variable names are case-sensitive.
For example, the FortiGate units host name can be set to its serial number.
set hostname $SerialNum
end
As another example, you could log in as admin1, then configure a restricted secondary
administrator account for yourself named admin2, whose first-name is admin1 to indicate
that it is another of your accounts:
config system admin
edit admin2
set first-name $USERNAME
Special characters
The characters <, >, (,), #, ', and are not permitted in most CLI fields. These characters are
special characters, sometimes also called reserved characters.
You may be able to enter special character as part of a strings value by using a special
command, enclosing it in quotes, or preceding it with an escape sequence in this case, a
backslash ( \ ) character.
Abort current interactive commands, such as when entering multiple lines.
If you are not currently within an interactive command such as config or
edit, this closes the CLI connection.
Ctrl + C
Continue typing a command on the next line for a multi-line command.
For each line that you want to continue, terminate it with a backslash ( \ ). To
complete the command line, terminate it by pressing the spacebar and then
the Enter key, without an immediately preceding backslash.
\ then Enter
Table 4: Shortcuts and key commands
$USERFROM The management access type (ssh, telnet, jsconsole for the CLI
Console widget in the web-based manager, and so on) and the IP address of
the administrator that configured the item.
$USERNAME The account name of the administrator that configured the item.
$SerialNum The serial number of the FortiGate unit.
If you need to add configuration via CLI that requires ? as part of config, you need to input
CTRL-V first. If you enter the question mark (?) without first using CTRL-V, the question mark
has a different meaning in CLI: it will show available command options in that section.
For example, if you enter ? without CTRL-V:
edit "*.xe
token line: Unmatched double quote.
If you enter ? with CTRL-V:
edit "*.xe?"
new entry '*.xe?' added
Using grep to filter get and show command output
In many cases the get and show (and diagnose) commands may produce a large amount of
output. If you are looking for specific information in a large get or show command output you
can use the grep command to filter the output to only display what you are looking for. The
grep command is based on the standard UNIX grep, used for searching text output based on
regular expressions.
Information about how to use grep and regular expressions is available on the Internet, just to a
search for grep. For example, see
http://www.opengroup.org/onlinepubs/009695399/utilities/grep.html.
Use the following command to display the MAC address of the FortiGate unit internal interface:
get hardware nic internal | grep Current_HWaddr
Current_HWaddr 00:09:0f:cb:c2:75
Table 5: Entering special characters
Character Keys
? Ctrl + V then ?
Tab Ctrl + V then Tab
Space
(to be interpreted as part of a string value,
not to end the string)
Enclose the string in quotation marks: "Security
Administrator.
Enclose the string in single quotes: 'Security
Administrator'.
Precede the space with a backslash: Security\
Administrator.
'
\'
"
\"
\ \\
Use the following command to display all TCP sessions in the session list and include the
session list line number in the output
get system session list | grep -n tcp
Use the following command to display all lines in HTTP replacement message commands that
contain URL (upper or lower case):
show system replacemsg http | grep -i url
Language support and regular expressions
Characters such as , , symbols, and ideographs are sometimes acceptable input. Support
varies by the nature of the item being configured. CLI commands, objects, field names, and
options must use their exact ASCII characters, but some items with arbitrary names or values
may be input using your language of choice.
For example, the host name must not contain special characters, and so the web-based
manager and CLI will not accept most symbols and other non-ASCII encoded characters as
input when configuring the host name. This means that languages other than English often are
not supported. However, some configuration items, such as names and comments, may be
able to use the language of your choice.
To use other languages in those cases, you must use the correct encoding.
Input is stored using Unicode UTF-8 encoding, but is not normalized from other encodings into
UTF-8 before it is stored. If your input method encodes some characters differently than in
UTF-8, your configured items may not display or operate as expected.
Regular expressions are especially impacted. Matching uses the UTF-8 character values.
If you enter a regular expression using another encoding, or if an HTTP client sends a
request in an encoding other than UTF-8, matches may not be what you expect.
For example, with Shift-JIS, backslashes ( \ ) could be inadvertently interpreted as yen symbols
( ) and vice versa. A regular expression intended to match HTTP requests containing money
values with a yen symbol therefore may not work it if the symbol is entered using the wrong
encoding.
For best results, you should:
use UTF-8 encoding, or
use only the characters whose numerically encoded values are the same in UTF-8, such as
the US-ASCII characters that are also encoded using the same values in ISO 8859-1,
Windows code page 1252, Shift-JIS and other encodings, or
for regular expressions that must match HTTP requests, use the same encoding as your
HTTP clients.
It configure your FortiGate unit using other encodings, you may need to switch language
settings on your management computer, including for your web browser or Telnet/SSH client.
HTTP clients may send requests in encodings other than UTF-8. Encodings usually vary by the
clients operating system or input language. If you cannot predict the clients encoding, you
may only be able to match any parts of the request that are in English, because regardless of
the encoding, the values for English characters tend to be encoded identically. For example,
English words may be legible regardless of interpreting a web page as either ISO 8859-1 or as
GB2312, whereas simplified Chinese characters might only be legible if the page is interpreted
as GB2312.
For instructions on how to configure your management computers operating system language,
locale, or input method, see its documentation.
Similarly to input, your web browser or CLI client should usually interpret display output as
encoded using UTF-8. If it does not, your configured items may not display correctly in the
web-based manager or CLI. Exceptions include items such as regular expressions that you may
have configured using other encodings in order to match the encoding of HTTP requests that
the FortiGate unit receives.
To enter non-ASCII characters in the CLI Console widget
1. On your management computer, start your web browser and go to the URL for the FortiGate
units web-based manager.
2. Configure your web browser to interpret the page as UTF-8 encoded.
3. Log in to the FortiGate unit.
5. In title bar of the CLI Console widget, click Edit (the pencil icon).
6. Enable Use external command input box.
7. Select OK.
8. The Command field appears below the usual input and display area of the CLI Console
widget.
9. In Command, type a command.
Figure 3: Entering encoded characters (CLI Console widget)
10.Press Enter.
In the display area, the CLI Console widget displays your previous command interpreted into
its character code equivalent, such as:
edit \743\601\613\743\601\652
and the commands output.
To enter non-ASCII characters in a Telnet/SSH client
1. On your management computer, start your Telnet or SSH client.
2. Configure your Telnet or SSH client to send and receive characters using UTF-8 encoding.
Support for sending and receiving international characters varies by each Telnet/SSH client.
Consult the documentation for your Telnet/SSH client.
If you choose to configure parts of the FortiGate unit using non-ASCII characters, verify that all
systems interacting with the FortiGate unit also support the same encodings. You should also
use the same encoding throughout the configuration if possible in order to avoid needing to
switch the language settings of the web-based manager and your web browser or Telnet/SSH
client while you work.
4. At the command prompt, type your command and press Enter.
Figure 4: Entering encoded characters (PuTTY)
You may need to surround words that use encoded characters with single quotes ( ' ).
Depending on your Telnet/SSH clients support for your languages input methods and for
sending international characters, you may need to interpret them into character codes
before pressing Enter.
For example, you might need to enter:
edit '\743\601\613\743\601\652'
5. The CLI displays your previous command and its output.
Screen paging
You can configure the CLI to, when displaying multiple pages worth of output, pause after
displaying each pages worth of text. When the display pauses, the last line displays --More--.
You can then either:
press the spacebar to display the next page.
type Q to truncate the output and return to the command prompt.
This may be useful when displaying lengthy output, such as the list of possible matching
commands for command completion, or a long list of settings. Rather than scrolling through or
possibly exceeding the buffer of your terminal emulator, you can simply display one page at a
time.
To configure the CLI display to pause when the screen is full:
config system console
set output more
end
Baud rate
You can change the default baud rate of the local console connection.
To change the baud rate enter the following commands:
set baudrate {115200 | 19200 | 38400 | 57600 | 9600}
end
Editing the configuration file on an external host
You can edit the FortiGate configuration on an external host by first backing up the
configuration file to a TFTP server. Then edit the configuration file and restore it to the FortiGate
unit.
Editing the configuration on an external host can be time-saving if you have many changes to
make, especially if your plain text editor provides advanced features such as batch changes.
To edit the configuration on your computer
1. Use execute backup to download the configuration file to a TFTP server, such as your
management computer.
2. Edit the configuration file using a plain text editor that supports Unix-style line endings.
3. Use execute restore to upload the modified configuration file back to the FortiGate unit.
The FortiGate unit downloads the configuration file and checks that the model information is
correct. If it is, the FortiGate unit loads the configuration file and checks each command for
errors.If a command is invalid, the FortiGate unit ignores the command. If the configuration
file is valid, the FortiGate unit restarts and loads the new configuration.
Using Perl regular expressions
Some FortiGate features, such as spam filtering and web content filtering can use either
wildcards or Perl regular expressions.
See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular
expressions. For more information on using Perl expressions see the UTM Guide.
Differences between regular expression and wildcard pattern matching
In Perl regular expressions, the period (.) character refers to any single character. It is similar to
the question mark (?) character in wildcard pattern matching. As a result:
fortinet.com not only matches example.com but also matches exampleacom,
examplebcom, exampleccom and so on.
To match a special character such as the period ('.') and the asterisk (*), regular expressions
use the slash (\) escape character. For example:
To match example.com, the regular expression should be example\.com.
In Perl regular expressions, the asterisk (*) means match 0 or more times of the character
before it, not 0 or more times of any character. For example:
exam*\.com matches examiiii.com but does not match eample.com.
To match any character 0 or more times, use .* where . means any character and the *
means 0 or more times. For example:
the wildcard match pattern exam*.com is equivalent to the regular expression
exam.*\.com.
Word boundary
In Perl regular expressions, the pattern does not have an implicit word boundary. For example,
the regular expression test not only matches the word test but also matches any word that
contains the word test such as atest, mytest, testimony, atestb. The notation \b
specifies the word boundary. To match exactly the word test, the expression should be
\btest\b.
Do not edit the first line. The first line(s) of the configuration file (preceded by a # character)
contains information about the firmware version and FortiGate model. If you change the model
number, the FortiGate unit will reject the configuration file when you attempt to restore it.
Case sensitivity
Regular expression pattern matching is case sensitive in the Web and Spam filters. To make a
word or phrase case insensitive, use the regular expression /i. For example, /bad
language/i will block all instances of bad language regardless of case.
Table 6: Perl regular expression examples
Expression Matches
abc abc (that exact character sequence, but anywhere in the string)
âbc abc at the beginning of the string
abc$ abc at the end of the string
a|b either of a and b
âbc|abc$ the string abc at the beginning or at the end of the string
ab{2,4}c an a followed by two, three or four b's followed by a c
ab{2,}c an a followed by at least two b's followed by a c
ab*c an a followed by any number (zero or more) of b's followed by a c
ab+c an a followed by one or more b's followed by a c
ab?c an a followed by an optional b followed by a c; that is, either abc or ac
a.c an a followed by any single character (not newline) followed by a c
a\.c a.c exactly
[abc] any one of a, b and c
[Aa]bc either of Abc and abc
[abc]+ any (nonempty) string of a's, b's and c's (such as a, abba, acbabcacaa)
[âbc]+ any (nonempty) string which does not contain any of a, b and c (such as
defg)
\d\d any two decimal digits, such as 42; same as \d{2}
/i makes the pattern case insensitive. For example, /bad language/i
blocks any instance of bad language regardless of case.
\w+ a "word": a nonempty sequence of alphanumeric characters and low lines
(underscores), such as foo and 12bar8 and foo_1
100\s*mk the strings 100 and mk optionally separated by any amount of white space
(spaces, tabs, newlines)
abc\b abc when followed by a word boundary (e.g. in abc! but not in abcd)
perl\B perl when not followed by a word boundary (e.g. in perlert but not in perl
stuff)
\x tells the regular expression parser to ignore white space that is neither
backslashed nor within a character class. You can use this to break up your
regular expression into (slightly) more readable parts.
Table 6: Perl regular expression examples
Page 51
Basic Administration
The FortiGate unit requires some basic configuration to add it to your network. These basic
steps include assigning IP addresses, adding routing and security policies. Until the
administrator completes these steps inter-network and internet traffic will not flow through the
device.
There are two methods of configuring the FortiGate unit: either the web-based manager or the
command line interface (CLI). This chapter will step through both methods to complete the
basic configurations to put the device on your network. Use whichever you are most
comfortable with.
For setup and configuration of the FortiGate unit on your network, see the QuickStart Guide for
your FortiGate unit.
This chapter also provides guidelines for password and administrator best practices as well as
how to upgrade the firmware.
Connecting to the FortiGate unit
System configuration
Passwords
Administrators
Firmware
Controlled upgrade
Connecting to the FortiGate unit
To configure, maintain and administer the FortiGate unit, you need to connect to it from a
management computer. There are two ways to do this:
using the web-based manager: a GUI interface that you connect to using a current web
browser such as Firefox or Internet Explorer.
using the command line interface (CLI): a command line interface similar to DOS or UNIX
commands that you connect to using SSH or a Telnet terminal.
Connecting to the web-based manager
To connect to the web-based manager, you require:
a computer with an Ethernet connection
Microsoft Internet Explorer version 6.0 or higher or any recent version of a common web
browser
an Ethernet cable.
To connect to the web-based manager
1. Set the IP address of the management computer to the static IP address 192.168.1.2 with
a netmask of 255.255.255.0.
2. Using the Ethernet cable, connect the internal or port 1 interface of the FortiGate unit to the
computer Ethernet connection.
3. Start your browser and enter the address https://192.168.1.99. (remember to include
the s in https://).
To support a secure HTTPS authentication method, the FortiGate unit ships with a
self-signed security certificate, which is offered to remote clients whenever they initiate a
HTTPS connection to the FortiGate unit. When you connect, the FortiGate unit displays two
security warnings in a browser.
The first warning prompts you to accept and optionally install the FortiGate units self-signed
security certificate. If you do not accept the certificate, the FortiGate unit refuses the
connection. If you accept the certificate, the FortiGate login page appears. The credentials
entered are encrypted before they are sent to the FortiGate unit. If you choose to accept the
certificate permanently, the warning is not displayed again.
Just before the FortiGate login page is displayed, a second warning informs you that the
FortiGate certificate distinguished name differs from the original request. This warning
occurs because the FortiGate unit redirects the connection. This is an informational
message. Select OK to continue logging in.
4. Type admin in the Name field and select Login.
The command line interface (CLI) is an alternative method of configuring the FortiGate unit. The
CLI compliments the web-based manager in that it not only has the same configuration options,
but additional settings not available through the web-based manager.
If you are new to FortiOS or a command line interface configuration tool, see Using the CLI on
page 31 for an overview of the CLI, how to connect to it, and how to use it.
System configuration
Once the FortiGate unit is connected and traffic can pass through, several more configuration
options are available. While not mandatory, they will help to ensure better control with the
firewall.
Setting the time and date
For effective scheduling and logging, the FortiGate system date and time should be accurate.
You can either manually set the system date and time or configure the FortiGate unit to
automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server.
To set the date and time - web-based manager
2. Under System Information > System Time, select Change.
3. Select your Time Zone.
4. Select Set Time and set the FortiGate system date and time.
5. Select OK.
Set the time and date - CLI
set timezone <zone_value>
end
execute date [<date_str>]
execute time [<time_str>]
Using the NTP Server
The Network Time Protocol enables you to keep the FortiGate time in sync with other network
systems. By enabling NTP on the FortiGate unit, FortiOS will check with the NTP server you
select at the configured intervals. This will also ensure that logs and other time-sensitive
settings on the FortiGate unit are correct.
The FortiGate unit maintains its internal clock using the built-in battery. At startup, the time
reported by the FortiGate unit will indicate the hardware clock time, which may not be accurate.
When using NTP, the system time might change after the FortiGate has successfully obtained
the time from a configured NTP server.
For the NTP server, you can identify a specific port/IP address for this self-originating traffic.
The configuration is performed in the CLI with the command set source-ip. For example, to
set the source IP of NTP to be on the DMZ1 port with an IP of 192.168.4.5, the commands are:
config system ntp
set ntpsyn enable
set syncinterval 5
set source-ip 192.168.4.5
end
Configuring FortiGuard
The FDN is a world-wide network of FortiGuard Distribution Servers (FDS). When the FortiGate
unit connects to the FDN, it connects to the nearest FDS. To do this, all FortiGate units are
programmed with a list of FDS addresses sorted by nearest time zone according to the time
zone configured for the FortiGate unit.
Before you can begin receiving updates, you must register your FortiGate unit from the Fortinet
web page. After which, you need to configure the FortiGate unit to connect to the FortiGuard
Distribution Network (FDN) to update the antivirus, antispam and IPS attack definitions.
Updating antivirus and IPS signatures
After you have registered your FortiGate unit, you can update antivirus and IPS signatures. The
FortiGuard Center enables you to receive push updates, allow push update to a specific IP
address, and schedule updates for daily, weekly, or hourly intervals.
By default, FortiOS has the daylight savings time configuration enabled. The system time must
be manually adjusted after daylight saving time ends. To disable DST, in the CLI enter the
commands:
set dst disable
end
To update antivirus definitions and IPS signatures
1. Go to System > Config > FortiGuard.
2. Select the expand arrow for AntiVirus and IPS Options to expand the options.
3. Select Update Now to update the antivirus definitions.
If the connection to the FDN is successful, the web-based manager displays a message
similar to the following:
Your update request has been sent. Your database will be updated in a few minutes. Please
check your update page for the status of the update.
After a few minutes, if an update is available, the FortiGuard Center Services information on the
Dashboard lists new version information for antivirus definitions. The System Status page also
displays new dates and version numbers for the antivirus definitions. Messages are recorded to
the event log indicating whether or not the update was successful or not.
Passwords
The FortiGate unit ships with a default empty password. That is, there is no password. You will
want to apply a password to prevent anyone from logging into the FortiGate unit and changing
configuration options.
To change the administrator password - web-based manager
1. Go to System > Admin > Administrators.
2. Select the admin account and select Change Password.
3. Enter a new password and select OK.
Set the admin password - CLI
config system admin
edit admin
set password <admin_password>
end
Password considerations
When changing the password, consider the following to ensure better security.
Do not make passwords that are obvious, such as the company name, administrator names
or other obvious word or phrase.
Use numbers in place of letters, for example, passw0rd. Alternatively, spell words with extra
letters, for example, password.
Administrative passwords can be up to 256 characters.
Include a mixture of letters, numbers, and upper and lower case.
Use multiple words together, or possibly even a sentence, for example keytothehighway, or
with a combination of the above suggestions.
Use a password generator.
Updating antivirus definitions can cause a very short disruption in traffic currently being
scanned while the FortiGate unit applies the new signature database. Schedule updates when
traffic is light, for example overnight, to minimize any disruption.
Change the password regularly and always use a code unique (not a variation of the existing
password by adding a 1 to it, for example password, password1).
Write the password down and store it in a safe place away from the management computer,
in case you forget it.
Alternatively, ensure at least two people know the password in the event that one person
becomes ill, is away on vacation or leaves the company. Alternatively have two different
admin logins.
Password policy
The FortiGate unit includes the ability to enforce a password policy for administrator login. with
the policy, you can enforce regular changes and specific criteria for a password including:
minimum length between 8 and 32 characters.
if the password must contain uppercase (A, B, C) and/or lowercase (a, b, c) characters.
if the password must contain numbers (1, 2, 3).
if the password must contain non-alphanumeric characters (!, @, #, $, %, ^, &, *, ().
where the password applies (admin or IPsec or both).
the duration of the password before a new one must be specified.
To apply a password policy - web-based manager
2. Select Enable Password Policy and configure the settings as required.
To apply a password policy - CLI
config system password-policy
set status enable
Configure the other settings as required.
If you add a password policy or change the requirements on an existing policy, the next time
that administrator logs into the FortiGate unit, they are prompted to update their password to
meet the new requirements before proceeding to log in.
Figure 5: Password policy dialog box
Forgotten password?
It happens that the administrator of the FortiGate unit leaves the company and does not have
the opportunity to provide the administrative password or forgets. Or you simply forgot the
password.
In the event you lose or forget the password, you need to contact Customer Support for the
steps required to reset the password. For information on contacting Customer Support, see the
Support web site at web site at https://support.fortinet.com.
Administrators
By default, the FortiGate unit has a super administrator called admin. This user login cannot
be deleted and always has ultimate access over the FortiGate unit. As well you can add
administrators for various functions and one or more VDOMs. Each one can have their own
username and password and set of access privileges.There are two levels of administrator
accounts; regular administrators and system administrators. Regular administrators are
administrators with any admin profile other than the default super_admin. System
administrators are administrators that are assigned the super_admin profile.
Administrator configuration
To create a new administrator account, go to System Admin > Administrators and select Create
New.
You need to use the default admin account, an account with the super_admin admin profile,
or an administrator with read-write access control to add new administrator accounts and
control their permission levels. If you log in with an administrator account that does not have the
super_admin admin profile, the administrators list will show only the administrators for the
current virtual domain.
Regular (password) authentication for administrators
You can use a password stored on the local FortiGate unit to authenticate an administrator.
When you select Regular for Type, you will see Local as the entry in the Type column when you
view the list of administrators.
If you forget or lose an administrator account password and cannot log in to your FortiGate unit,
see the Fortinet Knowledge Base article Recovering a lost FortiGate administrator account
passwords.
Management access
Management access defines how administrators are able to log on to the FortiGate unit to
perform management tasks such as configuration and maintenance. Methods of access can
include local access through the console connection, or remote access over a network or
modem interface using various protocols including Telnet and HTTPS.
You can configure management access on any interface in your VDOM. In NAT mode, the
interface IP address is used for management access. In transparent mode, you configure a
The name of the administrator should not contain the characters <>()#"'. Using these
characters in the administrator account name can result in a cross site scripting (XSS)
vulnerability.
single management IP address that applies to all interfaces in your VDOM that permit
management access. The FortiGate unit also uses this IP address to connect to the FDN for
virus and attack updates.
The system administrator (admin) can access all VDOMs, and create regular administrator
accounts. A regular administrator account can access only the VDOM to which it belongs. The
management computer must connect to an interface in that VDOM. It does not matter to which
VDOM the interface belongs. In both cases, the management computer must connect to an
interface that permits management access and its IP address must be on the same network.
Management access can be via HTTP, HTTPS, telnet, or SSH sessions if those services are
enabled on the interface. HTTPS and SSH are preferred as they are more secure.
You can allow remote administration of the FortiGate unit. However, allowing remote
administration from the Internet could compromise the security of the FortiGate unit. You should
avoid this unless it is required for your configuration. To improve the security of a FortiGate unit
that allows remote administration from the Internet:
Use secure administrative user passwords.
Change these passwords regularly.
Enable two-factor authentication for administrators.
Enable secure administrative access to this interface using only HTTPS or SSH.
Use Trusted Hosts to limit where the remote access can originate from.
Do not change the system idle timeout from the default value of 5 minutes.
Tightening Security
One point of security breach is at the management computer. Administrators who leave their
workstations for a prolonged amount of time while staying logged into the web-based manager
or CLI (whether on purpose or not), leave the firewall open to malicious intent.
Passwords
Do not make passwords that are obvious, such as the company name, administrator names or
other obvious word or phrase. Administrative passwords can be up to 256 characters. For more
information on passwords, see Passwords on page 54.
Preventing unwanted login attempts
Setting trusted hosts for an administrators increases limiting what computers an administrator
can log in from. When you identify a trusted host, the FortiGate unit will only accept the
administrators login from the configured IP address. Any attempt to log in with the same
credentials from any other IP address will be dropped. To ensure the administrator has access
from different locations, you can enter up to ten IP addresses. Ideally, this should be kept to a
minimum. For higher security, use an IP address with a net mask of 255.255.255.255, and enter
an IP address (non-zero) in each of the three default trusted host fields.
Trusted hosts are configured when adding a new administrator by going to System > Admin >
Administrators in the web-based manager or config system admin in the CLI.
The trusted hosts apply to the web-based manager, ping, snmp and the CLI when accessed
through Telnet or SSH. CLI access through the console port is not affected.
Also ensure all entries contain actual IP addresses, not the default 0.0.0.0.
Prevent multiple admin sessions
By default, the FortiGate unit enables multiple logins of administrators using the same login
credentials from different locations. To control admin log ins and minimize the potential of
configuration collisions, you can disable concurrent admin sessions. When disabled, only one
administrator can be logged in for a given admin user. When a second admin attempts to
connect, connection is denied with a message that the login attempt failed.
To disable concurrent admin sessions, in the CLI enter:
set admin-concurrent disable
end
On 2U FortiGate units, this option is also available in the Web-Based Manager by going to
System > Admin > Settings and select Allow each admin to log in with multiple sessions.
Disable admin services
On untrusted networks, turn off the weak administrative services such as TLENET and HTTP.
With these services, passwords are passed in the clear, not encrypted.
These services can be disabled by going to System > Network > Interface and deselecting the
required check boxes.
SSH login time out
When logging into the console using SSH, the default time of inactivity is 120 seconds
(2 minutes) to successfully log into the FortiGate unit. To enhance security, you can configure
the time to be shorter. Using the CLI, you can change the length of time the command prompt
remains idle before the FortiGate unit will log the administrator out. The range can be between
10 and 3600 seconds.
To set the logout time enter the following commands:
set admin-ssh-grace-time <number_of_seconds>
end
Administrator lockout
By default, the FortiGate unit includes set number of password retries. That is, the administrator
has a maximum of three attempts to log into their account before they are locked out for a set
amount of time. The number of attempts can be set to an alternate value.
As well, the default wait time before the administrator can try to enter a password again is 60
seconds. You can also change this to further sway would-be hackers. Both settings are
configured only in the CLI
To configure the lockout options:
set admin-lockout-threshold <failed_attempts>
set admin-lockout-duration <seconds>
end
For example, to set the lockout threshold to one attempt and a five minute duration before the
administrator can try again to log in enter the commands
set admin-lockout-threshold 1
set admin-lockout-duration 300
end
Idle time-out
To avoid the possibility of an administrator walking away from the management computer and
leaving it exposed to unauthorized personnel, you can add an idle time-out. That is, if the
web-based manager is not used for a specified amount of time, the FortiGate unit will
automatically log the user out. To continue their work, they must log in to the device again.
The time-out can be set as high as 480 minutes, or eight hours, although this is not recommend.
To set the idle time out - web-based manager
2. In the Administration Settings, enter the amount of time the Administrator login can remain
idol in the Idle Timeout field.
3. Select Apply.
To set the idle time out - CLI
set admintimeout <minutes>
end
Administrative ports
You can set the web-based manager access as through HTTP, HTTPS, SSH and Telnet. In these
cases, the default ports for these protocols are 80, 443, 22 and 23 respectively. You can change
the ports used for network administration to a different, unused port to further limit potential
hackers.
Ensure the port you select is not a port you will be using for other applications. For a list of
assigned port numbers see http://www.iana.org/assignments/port-numbers.
To change the administrative ports - web-based manager
2. In the Web Administration Ports section, change the port numbers.
3. Select Apply.
To change the administrative ports - CLI
set admin-port <http_port_number>
set admin-sport <https_port_number>
set admin-ssh-port <ssh_port_number>
set admin-telnet-port <telnet_port_number>
end
When logging into the FortiGate unit, by default FortiOS will automatically use the default ports.
That is, when logging into the FortiGate IP address, you only need to enter the address, for
example:
https://192.168.1.1
When you change the administrative port number, the port number must be added to the url.
For example, if the port number for HTTPS access is 2112, the administrator must enter the
following address:
https://192.168.1.1:2112
Log in/out warning message
For administrators logging in and out of the FortiGate unit, you can include a login disclaimer.
This disclaimer provides a statement that must be accepted or declined where corporations are
governed by strict usage policiesfor forensics and legal reasons.
The discalimer is enabled through the CLI.
To disable an interface - CLI
set pre-login-banner enable
set post-login-banner enable
end
When set, once the administrator enters their user name and password, the disclaimer appears.
They must select either Accept or Decline to proceed. When the post login is enabled, once the
administrator logs out they are presented with the same message.
Disable the console interface
To prevent any unwanted login attempts using the COM communication port, you can disable
login connections to the FortiGate unit. This is specifically for the COM port. You can still use
FortiExplorer to connect and configure the FortiGate unit if required.
set login <enable>
end
Disable interfaces
If any of the interfaces on the FortiGate unit are not being used, disable traffic on that interface.
This avoids someone plugging in network cables and potentially causing network bypass or
loop issues.
To disable an interface - web-based manager
2. Select the interface from the list and select Edit.
3. For Administrative Access, select Down.
4. Select OK.
edit <inerface_name>
set status down
end
Change the admin username
The default super administrator user name, admin, is a very standard default administrator
name. Leaving this as is, is one half of the key to the FortiGate unit being compromised. The
name can be changed.
To do this, you need to create another super user with full access and log in as that user. Then
go to System > Admin > Administrator, select the admin account and select Edit to change the
user name.
Segregated administrative roles
To minimize the affect of an administrator doing complete harm to the FortiGate configuration
and possibly jeopardize the network, create individual administrative roles where none of the
administrators have super-admin permissions. For example, and admin solely to create security
policies, another for users and groups, another for VPN and so on.
RADIUS authentication for administrators
Remote Authentication and Dial-in User Service (RADIUS) servers provide authentication,
authorization, and accounting functions. FortiGate units use the authentication and
authorization functions of the RADIUS server. To use the RADIUS server for authentication, you
must configure the server before configuring the FortiGate users or user groups that will need it.
If you have configured RADIUS support and a user is required to authenticate using a RADIUS
server, the FortiGate unit sends the users credentials to the RADIUS server for authentication. If
the RADIUS server can authenticate the user, the user is successfully authenticated with the
FortiGate unit. If the RADIUS server cannot authenticate the user, the FortiGate unit refuses the
connection.
If you want to use a RADIUS server to authenticate administrators in your VDOM, you must
configure the authentication before you create the administrator accounts. To do this you need
to:
configure the FortiGate unit to access the RADIUS server
create the RADIUS user group
configure an administrator to authenticate with a RADIUS server.
Configuring LDAP authentication for administrators
Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain
authentication data that may include departments, people, groups of people, passwords, email
addresses, printers, etc.
If you have configured LDAP support and an administrator is required to authenticate using an
LDAP server, the FortiGate unit contacts the LDAP server for authentication. If the LDAP server
cannot authenticate the administrator, the FortiGate unit refuses the connection.
If you want to use an LDAP server to authenticate administrators in your VDOM, you must
to:
configure an LDAP server
create an LDAP user group
configure an administrator to authenticate with an LDAP server.
To view the LDAP server list, go to User & Device > Remote > LDAP.
TACACS+ authentication for administrators
Terminal Access Controller Access-Control System (TACACS+) is a remote authentication
protocol that provides access control for routers, network access servers, and other network
computing devices via one or more centralized servers.
If you have configured TACACS+ support and an administrator is required to authenticate using
a TACACS+ server, the FortiGate unit contacts the TACACS+ server for authentication. If the
TACACS+ server cannot authenticate the administrator, the connection is refused by the
FortiGate unit.
If you want to use an TACACS+ server to authenticate administrators in your VDOM, you must
to:
configure the FortiGate unit to access the TACACS+ server
create a TACACS+ user group
configure an administrator to authenticate with a TACACS+ server.
PKI certificate authentication for administrators
Public Key Infrastructure (PKI) authentication uses a certificate authentication library that takes
a list of peers, peer groups, and user groups and returns authentication successful or denied
notifications. Users only need a valid certificate for successful authentication; no username or
password is necessary.
To use PKI authentication for an administrator, you must configure the authentication before you
create the administrator accounts. To do this you need to:
configure a PKI user
create a PKI user group
configure an administrator to authenticate with a PKI certificate.
Administrator profiles
Administer profiles define what the administrator user can do when logged into the FortiGate
unit. When you set up an administrator user account, you also assign an administrator profile,
which dictates what the administrator user will see. Depending on the nature of the
administrators work, access level or seniority, you can allow them to view and configure as
much, or as little, as required.
super_admin profile
The super_admin administrator is the administrative account that the primary administrator
should have to log into the FortiGate unit. The profile can not be deleted or modified to ensure
there is always a method to administer the FortiGate unit.This user profile has access to all
components of FortiOS, including the ability to add and remove other system administrators.
For some administrative functions, such as backing up and restoring the configuration using
SCP, super_admin access is required.
Creating profiles
To configure administrator profiles go to System > Admin > Admin Profile. You can only assign
one profile to an administrator user.
On the New Admin Profile page, you define the components of FortiOS that will be available to
view and/or edit. For example, if you configure a profile so that the administrator can only
By default, the super_admin user (username is admin), does not have a password. Ensure you
assign a password. You can also change the name of the account from admin to another
name for better security.
access the firewall components, when an administrator with that profile logs into the FortiGate
unit, they will only be able to view and edit any firewall components including policies,
addresses, schedules and any other settings that directly affect security policies.
Figure 6: The view of an administrator with firewall-only access
Global and vdom profiles
By default, when you add a new administrative profile, it is set to have a vdom scope. That is,
only the super_admin has a global profile that enables configuration of the entire FortiGate unit.
There may be instances where additional global administrative profiles may be required. To add
more global profiles, use the following CLI command to set or change an administrative profile
to be global.
config system accprofile
set scope global
...
end
Once the scope is set, you can enable the read and read/write settings.
Adding administrators
When adding administrators, you are setting up the administrators user account. An
administrator account comprises of an administrators basic settings as well as their access
profile. The access profile is a definition of what the administrator is capable of viewing and
editing. For information on administrator profiles, see Administrator profiles on page 62.
To add an administrator - web-based manager
1. Go to System > Admin > Administrators.
2. Select Create New.
3. Enter the administrator name.
4. Select the type of account it will be. If you select Remote, the FortiGate unit can reference a
RADIUS, LDAP or TACAS+ server.
5. When selecting Remote or PKI accounts, select the User Group the account will access.
For information on logging in using remote authentication servers, see the User
Authentication Guide. For an example of setting up a user with LDAP, see LDAP Admin
Access and Authorization on page 64
6. Enter the password for the user.
This may be a temporary password that the administrator can change later. Passwords can
be up to 256 characters in length. For more information on passwords, see Passwords on
page 54.
7. Select OK.
To add an administrator - CLI
config system admin
edit <admin_name>
set password <password>
set accprofile <profile_name>
end
LDAP Admin Access and Authorization
You can use the LDAP server as a means to add administrative users, saving the time to add
users to the FortiGate unit administrator list. After configuring, any user within the selected
LDAP group server can automatically log into the FortiGate unit as an adm i st rat or. Ensure that
the admin profile is the correct level of access, or the users within the LDAP group are the only
ones authorized to configure or modify the configuration of the FortiGate unit.
To do this, requires three steps:
configure the LDAP server
add the LDAP server to a user group
configure the administrator account
Configure the LDAP server
First set up the LDAP server as you normally would, and include a group to bind to.
To configure the LDAP server - web-based manager
1. Go to User & Device > Remote > LDAP and select Create New.
2. Enter a Name for the server.
3. Enter the Server IP address or name.
4. Enter the Common Name Identifier and Distinguished Name.
5. Set the Bind Type to Regular and enter the User DN and Password.
6. Select OK.
To configure the LDAP server - CLI
config user ldap
edit <ldap_server_name>
set server <server_ip>
set cnid cn
set dn DC=XYZ,DC=COM
set type regular
set username CN=Administrator,CN=Users,DC=XYZ,DC=COM
set password <password>
set member-attr <group_binding>
end
Add the LDAP server to a user group
Next, create a user group that will include the LDAP server that was created above.
To create a user group - web-based manager
1. Go to User & Device > User Group > User Group and select Create New.
2. Enter a Name for the group.
3. In the section labelled Remote authentication servers, select Add.
4. Select the Remote Server from the drop-down list.
5. Select OK.
To create a user group - CLI
config user group
edit <group_name>
config match
edit 1
set server-name <LDAP_server>
set group-name <group_name>
end
end
Configure the administrator account
Now you can create a new administrator, where rather than entering a password, you will use
the new user group and the wildcard option for authentication.
To create an administrator - web-based manager
1. Go to System > Admin > Administrators and select Create New.
2. In the Administrator field, enter the name for the administrator.
3. For Type, select Remote.
4. Select the User Group created above from the drop-down list.
5. Select Wildcard.
6. The Wildcard option allows for LDAP users to connect as this administrator.
7. Select an Admin Profile.
8. Select OK.
To create an administrator - CLI
config system admin
edit <admin_name>
set remote-auth enable
set accprofile super_admin
set wildcard enable
set remote-group ldap
end
Monitoring administrators
You can view the administrators logged in using the System Information widget on the
Dashboard. On the widget is the Current Administrator row that shows the administrator logged
in and the total logged in. Selecting Details displays the administrators), where they are logging
in from and how (CLI, web-based manager) and when they logged in.
You are also able to monitor the activities the administrators perform on the FortiGate unit using
the logging of events. Event logs include a number of options to track configuration changes.
To set logging - web-based manager
1. Go to Log & Report > Log Config > Log Setting.
2 Under Event Logging, ensure System activity event is selected.
3 Select Apply.
To set logging - CLI
config log eventfilter
set event enable
set system enable
end
To view the logs go to Log & Report > Event Log.
Trusted hosts
Setting trusted hosts for administrators limits what computers an administrator can log in from.
When you identify a trusted host, the FortiGate unit will only accept the administrators login
from the configured IP address. Any attempt to log in with the same credentials from any other
IP address will be dropped. To ensure the administrator has access from different locations, you
can enter up to ten IP addresses. Ideally, this should be kept to a minimum. For higher security,
use an IP address with a net mask of 255.255.255.255, and enter an IP address (non-zero) in
each of the three default trusted host fields.
Trusted hosts are configured when adding a new administrator by going to System > Admin >
Administrators in the web-based manager and selecting Restrict this Admin Login from Trusted
Hosts Only, or config system admin in the CLI.
The trusted hosts apply to the web-based manager, ping, snmp and the CLI when accessed
through Telnet or SSH. CLI access through the console port is not affected.
Also ensure all entries contain actual IP addresses, not the default 0.0.0.0.
General Settings
Go to System > Admin > Settings to configure basic settings for administrative access,
password policies and displaying additional options in the web-based manager.
Administrative port settings
The Administrative Settings enable you to change the default port configurations for
administrative connections to the FortiGate unit for added security. When connecting to the
FortiGate unit when the port has changed, the port must be included, such as
https://<ip_address>:<port>. For example, if you are connecting to the FortiGate unit
using port 99, the url would be https://192.168.1.99:99.
If you make a change to the default port number for HTTP, HTTPS, Telnet, or SSH, ensure that
the port number is unique.
Password policies
Password policies, available by going to System > Admin > Settings, enable you to create a
password policy that any administrator or user who updates their password, must follow. Using
the available options you can define the required length of the password, what it must contain
(numbers, upper and lower case, and so on) and an expiry time frame.
The FortiGate unit will warn of any password that is added and does not meet the criteria.
Display options
To minimize clutter on the web-based manager interface, a number of FortiOS features to not
appear on the web-based manager. By going to System > Admin Settings, you can enable, or if
not needed, disable various features. The change takes effect immediately without having to log
out or reboot the device.
Once you configure the FortiGate unit and it is working correctly, it is extremely important that
you back up the configuration. In some cases, you may need to reset the FortiGate unit to
factory defaults, or perform a TFTP upload of the firmware. In these instances, the configuration
on the device will be lost.
Always back up the configuration and store it on the management computer or off site. It is also
recommended that once the FortiGate is configured, and any further changes are made, that
you back up the configuration immediately, to ensure you have the most current configuration
available.
You have the option to save the configuration file to various locations including the local PC,
USB key, FTP and TFTP site.The latter two are configurable through the CLI only.
If you have VDOMs, you can back up the configuration of the entire FortiGate unit, or only a
specific VDOM. Note that if you are using FortiManager or the Fortinet Management Services
(FAMS), full backups are performed, and the option to backup individual VDOMs will not appear.
To back up the FortiGate configuration - web-based manager
2. On the System Information widget, select Backup for the System Configuration.
3. Select to back up to your Local PC or to a USB key.
The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can
also backup to the FortiManager using the CLI.
4. If VDOMs are enabled, select to backup the entire FortiGate configuration (Full Config) or
only a specific VDOM configuration (VDOM Config).
5. If backing up a VDOM configuration, select the VDOM name from the list.
6. Select Encrypt configuration file.
Encryption must be enabled on the backup file to back up VPN certificates.
7. Enter a password and enter it again to confirm it. You will need this password to restore the
file.
8. Select Backup.
9. The web browser will prompt you for a location to save the configuration file. The
configuration file will have a .conf extension.
To back up the FortiGate configuration - CLI
execute backup config management-station <comment>
or
execute backup config usb <backup_filename> [<backup_password>]
or for FTP, note that port number, username are optional depending on the FTP site
execute backup config ftp <backup_filename> <ftp_server> [<port>]
[<user_name>] [<password>]
or for TFTP
execute backup config tftp <backup_filename> <tftp_servers>
<password>
Use the same commands to backup a VDOM configuration by first entering the commands:
config vdom
edit <vdom_name>
It is a good practice to backup the FortiGate configuration after any modification to any of the
FortiGate settings. Alternatively, before performing an upgrade to the firmware, ensure you back
up the configuration before upgrading. Should anything happen during the upgrade that
changes the configuration, you can easily restore the saved configuration.
Backup and restore a configuration file using SCP
You can use secure copy protocol (SCP) to download the configuration file from the FortiGate
unit as an alternative method of backing up the configuration file or an individual VDOM
configuration file. This is done by enabling SCP for and administrator account and enabling
SSH on a port used by the SCP client application to connect to the FortiGate unit. SCP is
enabled using the CLI commands:
set admin-scp enable
end
Use the same commands to backup a VDOM configuration by first entering the commands:
config global
set admin-scp enable
end
config vdom
edit <vdom_name>
Enable SSH access on the interface
SCP uses the SSH protocol to provide secure file transfer. The interface you use for
administration must allow SSH access.
To enable SSH - web-based manager:
2. Select the interface you use for administrative access and select Edit.
3. In the Administrative Access section, select SSH.
4. Select OK.
To enable SSH - CLI:
edit <interface_name>
set allowaccess ping https ssh
end
Using the SCP client
The FortiGate unit downloads the configuration file as sys_conf. Use the following syntax to
download the file:
Linux
scp admin@<FortiGate_IP>:sys_config <location>
Windows
pscp admin@<FortiGate_IP>:sys_config <location>
These examples show how to download the configuration file from a FortiGate-100D, at IP
address 172.20.120.171, using Linux and Windows SCP clients.
Linux client example
To download the configuration file to a local directory called ~/config, enter the following
command:
scp admin@172.20.120.171:sys_config ~/config
Enter the admin password when prompted.
Windows client example
To download the configuration file to a local directory called c:\config, enter the following
command in a Command Prompt window:
pscp admin@172.20.120.171:sys_config c:\config
Enter the admin password when prompted.
SCP public-private key authentication
SCP authenticates itself to the FortiGate unit in the same way as an administrator using SSH
accesses the CLI. Instead of using a password, you can configure the SCP client and the
FortiGate unit with a public-private key pair.
To configure public-private key authentication
1. Create a public-private key pair using a key generator compatible with your SCP client.
2. Save the private key to the location on your computer where your SSH keys are stored.
This step depends on your SCP client. The Secure Shell key generator automatically stores
the private key.
When adding to, or removing a protocol, you must type the entire list again. For example, if you
have an access list of HTTPS and SSH, and you want to add PING, typing:
set allowaccess ping
...only PING will be set. In this case, you must type...
set allowaccess https ssh ping
3. Copy the public key to the FortiGate unit using the CLI commands:
config system admin
edit admin
set ssh-public-key1 "<key-type> <key-value>"
end
<key-type> must be the ssh-dss for a DSA key or ssh-rsa for an RSA key. For the
<key-value>, copy the public key data and paste it into the CLI command.
If you are copying the key data from Windows Notepad, copy one line at a time and ensure
that you paste each line of key data at the end of the previously pasted data. As well:
Do not copy the end-of-line characters that appear as small rectangles in Notepad.
Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: [2048-bit
dsa,...] lines.
Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
4 Type the closing quotation mark and press Enter.
Your SCP client can now authenticate to the FortiGate unit based on SSH keys rather than the
administrator password.
Restoring a configuration using SCP
To restore the configuration using SCP, use the commands:
scp <local_file> <admin_user>@<FGT_IP>:fgt_restore_config
To use this command/method of restoring the FortiGate configuration, you need to log in as the
admin administrator.
Restoring a configuration
Should you need to restore a configuration file, use the following steps.
To restore the FortiGate configuration - web-based manager
2. On the System Information widget, select Restore for the System Configuration.
3. Select to upload the configuration file to be restored from your Local PC or a USB key.
The USB Disk option will be grayed out if no USB drive is inserted in the USB port. You can
restore from the FortiManager using the CLI.
4. Enter the path and file name of the configuration file, or select Browse to locate the file.
5. Enter a password if required.
6. Select Restore.
To back up the FortiGate configuration - CLI
execute restore config management-station normal 0
or
execute restore config usb <filename> [<password>]
or for FTP, note that port number, username are optional depending on the FTP site
execute backup config ftp <backup_filename> <ftp_server> [<port>]
[<user_name>] [<password>]
or for TFTP
execute backup config tftp <backup_filename> <tftp_server> <password>
The FortiGate unit will load the configuration file and restart. Once the restart has completed,
verify that the configuration has been restored.
Configuration revisions
The Revisions options on the System Information widget enables you to manage multiple
versions of configuration files. Revision control requires either a configured central management
server, or FortiGate units with 512 MB or more of memory. The central management server can
either be a FortiManager unit or the FortiGuard Analysis & Management Service.
When revision control is enabled on your unit, and configurations have been backed up, a list of
saved revisions of those backed-up configurations appears.
Restore factory defaults
There may be a point where need to reset the FortiGate unit to its original defaults, for example,
to begin with a fresh configuration. There are two options when restoring factory defaults.
The first resests the entire device to the original out-of-the-box configuration.
To reset the FortiGate unit to its factory default settings - web-based manager
2. In the System Information widget, select Restore for the System Configuration.
3. Select Restore Factory Defaults at the top of the page.
You can reset using the CLI by entering the command:
execute factoryreset
Alternatively, in the CLI you can reset the factory defaults but retain the interface and VDOM
configuration.
Use the command:
execute factoryreset2
Firmware
Fortinet periodically updates the FortiGate firmware to include new features and address issues.
After you have registered your FortiGate unit, you can download firmware updates from the
support web site, http://support.fortinet.com.
You can also use the instructions in this chapter to revert, to a previous version. The FortiGate
unit includes a number of firmware installation options that enables you to test new firmware
without disrupting the existing installation, and load it from different locations as required.
Fortinet issues patch releases--maintenance release builds that resolve important issues.
Fortinet strongly recommends reviewing the release notes for the patch release, as well as
testing and reviewing the patch release before upgrading the firmware. Follow the steps below:
download and review the release notes for the patch release
download the patch release
back up the current configuration
test the patch release until you are satisfied that it applies to your configuration.
Installing a patch release without reviewing release notes or testing the firmware may result in
changes to settings or unexpected issues.
Only FortiGate admin user and administrators whose access profiles contain system read and
write privileges can change the FortiGate firmware.
Downloading firmware
Firmware images for all FortiGate units is available on the Fortinet Customer Support web site.
You must register your FortiGate unit to access firmware images. Register the FortiGate unit by
visiting http://support.fortinet.com and select Product Registration.
To download firmware
1. Log into the site using your user name and password.
2. Go to Firmware Images > FortiGate.
3. Select the most recent FortiOS version.
4. Locate the firmware for your FortiGate unit, right-click the link and select the Download
option for your browser.
Upgrading the firmware - web-based manager
Installing firmware replaces your current antivirus and attack definitions, along with the
definitions included with the firmware release you are installing. After you install new firmware,
make sure that antivirus and attack definitions are up to date.
Always remember to back up your configuration before doing any firmware upgrade or
downgrade.
To upgrade the firmware
1. Download the firmware image file to your management computer.
2. Log into the web-based manager as the admin administrative user.
4. Under System Information > Firmware Version, select Update.
5. Type the path and filename of the firmware image file, or select Browse and locate the file.
6. Select OK.
The FortiGate unit uploads the firmware image file, upgrades to the new firmware version,
restarts, and displays the FortiGate login. This process takes a few minutes.
Reverting to a previous firmware version
The following procedures revert the FortiGate unit to its factory default configuration and
deletes any configuration settings.
Before beginning this procedures, ensure you back up the FortiGate unit configuration.
Always review the Release Notes for a new firmware release before installing. The Release
Notes can include information that is not available in the regular documentation.
If you are reverting to a previous FortiOS version, you might not be able to restore the previous
configuration from the backup configuration file.
To revert to a previous firmware version
1. Copy the firmware image file to the management computer.
2. Log into the FortiGate web-based manager.
6. Select OK.
The FortiGate unit uploads the firmware image file, reverts to the old firmware version, resets
the configuration, restarts, and displays the FortiGate login. This process takes a few
minutes.
7. Log into the web-based manager.
8. Restore your configuration.
For information about restoring your configuration see Restoring a configuration on
page 70.
Configuration Revision
The Configuration Revisions menu enables you to manage multiple versions of configuration
files on models that have a 512 flash memory and higher. Revision control requires either a
configured central management server, or the local hard drive. The central management server
can either be a FortiManager unit or the FortiGuard Analysis and Management Service.
If central management is not configured on your FortiGate unit, a message appears to tell you to
do one of the following:
enable central management (see Central management)
obtain a valid license.
When revision control is enabled on your FortiGate unit, and configurations have been backed
up, a list of saved revisions of those backed-up configurations appears.
Configuration revisions are viewed in the System Information widget on the Dashboard.
Upgrading the firmware - CLI
make sure that antivirus and attack definitions are up to date. You can also use the CLI
command execute update-now to update the antivirus and attack definitions. For more
information, see the FortiGate Administration Guide.
Before you begin, ensure you have a TFTP server running and accessible to the FortiGate unit.
To upgrade the firmware using the CLI
1. Make sure the TFTP server is running.
Installing firmware replaces the current antivirus and attack definitions, along with the
To use this procedure, you must log in using the admin administrator account, or an
administrator account that has system configuration read and write privileges.
2. Copy the new firmware image file to the root directory of the TFTP server.
3. Log into the CLI.
4. Make sure the FortiGate unit can connect to the TFTP server.
You can use the following command to ping the computer running the TFTP server. For
example, if the IP address of the TFTP server is 192.168.1.168:
execute ping 192.168.1.168
5. Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image tftp <filename> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ip4> is the IP
address of the TFTP server. For example, if the firmware image file name is image.out and
the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
The FortiGate unit responds with the message:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
6. Type y.
7. The FortiGate unit uploads the firmware image file, upgrades to the new firmware version,
and restarts. This process takes a few minutes.
8. Reconnect to the CLI.
9. Update antivirus and attack definitions, by entering:
execute update-now
USB Auto-Install
The USB Auto-Install feature automatically updates the FortiGate configuration file and firmware
image file on a system reboot. Also, this feature provides you with an additional backup if you
are unable to save your system settings before shutting down or rebooting your FortiGate unit.
You need an unencrypted configuration file for this feature. Also the required files, must be in
the root directory of the USB key.
To configure the USB Auto-Install - web-based manager
1. Go to System > Config > Advanced.
2. Select the following:
On system restart, automatically update FortiGate configuration file if default file name is
available on the USB disk.
On system restart, automatically update FortiGate firmware image if default image is
available on the USB disk.
3. Enter the configuration and image file names or use the default configuration filename
(system.conf) and default image name (image.out).
4. The default configuration filename should show in the Default configuration file name field.
5. Select Apply.
The FortiGate unit will only load a configuration file from a USB key when the FortiGate unit is
restarted from a factory reset. This means that with any normal reboot commands, the
FortiGate unit will not reload the configuration file.
This was done to ensure that if the USB key was left in the USB port, an older configuration
would not be loaded by accident, losing any configuration settings changed after the initial
save.
To configure the USB Auto-Install using the CLI
2. Enter the following command:
config system auto-install
set default-config-file <filename>
set auto-install-config {enable | disable}
set default-image-file <filename>
set auto-install-image {enable | disable}
end
Reverting to a previous firmware version
This procedure reverts the FortiGate unit to its factory default configuration and deletes IPS
custom signatures, web content lists, email filtering lists, and changes to replacement
messages.
Before beginning this procedure, it is recommended that you:
back up the FortiGate unit system configuration using the command
execute backup config
back up the IPS custom signatures using the command execute
backup ipsuserdefsig
back up web content and email filtering lists
To use the following procedure, you must have a TFTP server the FortiGate unit can connect to.
To revert to a previous firmware version using the CLI
1. Make sure the TFTP server is running
2. Copy the firmware image file to the root directory of the TFTP server.
3. Log into the FortiGate CLI.
4. Make sure the FortiGate unit can connect to the TFTP server execute by using the execute
ping command.
5. Enter the following command to copy the firmware image from the TFTP server to the
FortiGate unit:
execute restore image tftp <name_str> <tftp_ipv4>
Where <name_str> is the name of the firmware image file and <tftp_ip4> is the IP
address of the TFTP server. For example, if the firmware image file name is imagev28.out
and the IP address of the TFTP server is 192.168.1.168, enter:
execute restore image tftp image28.out 192.168.1.168
The FortiGate unit responds with this message:
6. Type y.
The FortiGate unit uploads the firmware image file. After the file uploads, a message similar
to the following appears:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
7. Type y.
8. The FortiGate unit reverts to the old firmware version, resets the configuration to factory
defaults, and restarts. This process takes a few minutes.
9. Reconnect to the CLI.
10.To restore your previous configuration, if needed, use the command:
execute restore config <name_str> <tftp_ip4>
11.Update antivirus and attack definitions using the command:
execute update-now.
Installing firmware from a system reboot using the CLI
This procedure installs a firmware image and resets the FortiGate unit to default settings. You
can use this procedure to upgrade to a new firmware version, revert to an older firmware
version, or re-install the current firmware.
To use this procedure, you must connect to the CLI using the FortiGate console port and a
RJ-45 to DB-9, or null modem cable. This procedure reverts the FortiGate unit to its factory
default configuration.
For this procedure you install a TFTP server that you can connect to from the FortiGate internal
interface. The TFTP server should be on the same subnet as the internal interface.
Before beginning this procedure, ensure you back up the FortiGate unit configuration.
If you are reverting to a previous FortiOS version, you might not be able to restore the previous
configuration from the backup configuration file.
To install firmware from a system reboot
1. Connect to the CLI using the RJ-45 to DB-9 or null modem cable.
4. Make sure the internal interface is connected to the same network as the TFTP server.
5. To confirm the FortiGate unit can connect to the TFTP server, use the following command to
ping the computer running the TFTP server. For example, if the IP address of the TFTP
server is 192.168.1.168:
execute ping 192.168.1.168
6. Enter the following command to restart the FortiGate unit.
execute reboot
The FortiGate unit responds with the following message:
This operation will reboot the system!
7 Type y.
As the FortiGate unit starts, a series of system startup messages appears. When the
following messages appears:
Press any key to display configuration menu..........
Immediately press any key to interrupt the system startup.
You have only 3 seconds to press any key. If you do not press a key soon enough, the FortiGate
unit reboots and you must log in and repeat the execute reboot command.
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B[: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default
firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8. Type G to get to the new firmware image form the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server and press Enter:
Enter Local Address [192.168.1.188]:
10.Type an IP address the FortiGate unit can use to connect to the TFTP server. The IP address
can be any IP address that is valid for the network the interface is connected to. Make sure
you do not enter the IP address of another device on this network.
Enter File Name [image.out]:
11.Enter the firmware image filename and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and a message similar
to the following appears:
Save as Default firmware/Backup firmware/Run image without saving:
[D/B/R]
12 Type D.
The FortiGate unit installs the new firmware image and restarts. The installation might take a
few minutes to complete.
Backup and Restore from a USB key
Use a USB key to either backup a configuration file or restore a configuration file. You should
always make sure a USB key is properly install before proceeding since the FortiGate unit must
recognize that the key is installed in its USB port.
You can only save VPN certificates if you encrypt the file. Make sure the configuration
encryption is enabled so you can save the VPN certificates with the configuration file. An
encrypted file is ineffective if selected for the USB Auto-Install feature.
To backup configuration using the CLI
2. Enter the following command to backup the configuration files:
exec backup config usb <filename>
3. Enter the following command to check the configuration files are on the key:
exec usb-disk list
To restore configuration using the CLI
2. Enter the following command to restore the configuration files:
exec restore image usb <filename>
The FortiGate unit responds with the following message:
3. Type y.
Backup and Restore an encrypted config file from a USB key
You can save and boot an encrypted configuration file from a USB key. The configuration will
only load when rebooting the FortiGate unit with the USB key inserted.
The administrator must back up the configuration to the USB key using the command:
execute backup config usb-mode <password>
administrtor backup the configuration, to the USB key ("exec backup config usb-mode")
Insert the USB key into any FortiGate unit running the same image/patch release as the
FortiGate unit that created the configuration file
The Administrator runs the CLI command below to reboot the FortiGate unit and load the
configuration file from the USB key:
execute restore config usb-mode <password>)
The FortiGate unit saves the password into the flash memory. When system boots, the
FortiGate unit loads the configurations from the USB key using the saved password in the flash.
This configuration is read-only. That is, no configuration changes can be made while running
with the configuration. The administrator is not permitted to make any configuration changes
while configurations are loaded from USB (read-only)
If the USB key is removed while the FortiGate unit is running , the FortiGate unit deletes the
password from the flash memory and reboots.
Testing new firmware before installing
FortiOS enables you to test a new firmware image by installing the firmware image from a
system reboot and saving it to system memory. After completing this procedure, the FortiGate
unit operates using the new firmware image with the current configuration. This new firmware
image is not permanently installed. The next time the FortiGate unit restarts, it operates with the
originally installed firmware image using the current configuration. If the new firmware image
operates successfully, you can install it permanently using the procedure Upgrading the
firmware - web-based manager on page 72.
To use this procedure, you must connect to the CLI using the FortiGate console port and a
RJ-45 to DB-9 or null modem cable. This procedure temporarily installs a new firmware image
using your current configuration.
For this procedure you install a TFTP server that you can connect to from the FortiGate internal
interface. The TFTP server should be on the same subnet as the internal interface.
To test the new firmware image
1. Connect to the CLI using a RJ-45 to DB-9 or null modem cable.
4. Make sure the FortiGate unit can connect to the TFTP server using the execute ping
command.
5. Enter the following command to restart the FortiGate unit:
execute reboot
6. As the FortiGate unit reboots, press any key to interrupt the system startup. As the FortiGate
unit starts, a series of system startup messages appears.
When the following messages appears:
Press any key to display configuration menu....
7. Immediately press any key to interrupt the system startup.
You have only 3 seconds to press any key. If you do not press a key soon enough, the
FortiGate unit reboots and you must login and repeat the execute reboot command.
If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B[: Boot with backup firmware and set as default
[C]: Configuration and information
[Q]: Quit menu and continue to boot with default
firmware.
[H]: Display this list of options.
Enter G, F, Q, or H:
8. Type G to get the new firmware image from the TFTP server.
Enter TFTP server address [192.168.1.168]:
9. Type the address of the TFTP server and press Enter:
Enter Local Address [192.168.1.188]:
10.Type an IP address of the FortiGate unit to connect to the TFTP server.
The IP address must be on the same network as the TFTP server, but make sure you do not
use the IP address of another device on the network.
Enter File Name [image.out]:
11.Enter the firmware image file name and press Enter.
The TFTP server uploads the firmware image file to the FortiGate unit and the following
appears.
Save as Default firmware/Backup firmware/Run image without saving:
[D/B/R]
12.Type R.
The FortiGate image is installed to system memory and the FortiGate unit starts running the
new firmware image, but with its current configuration.
You can test the new firmware image as required. When done testing, you can reboot the
FortiGate unit, and the FortiGate unit will resume using the firmware that was running before you
installed the test firmware.
Controlled upgrade
Using a controlled upgrade, you can upload a new version of the FortiOS firmware to a separate
partition in the FortiGate memory for later upgrade. The FortiGate unit can also be configured so
that when it is rebooted, it will automatically load the new firmware (CLI only). Using this option,
you can stage a number of FortiGate units to do an upgrade simultaneously to all devices using
FortiManager or script.
To load the firmware for later installation - web-based manager
4. Deselect the Boot the New Firmware option
5. Select OK.
To load the firmware for later installation - CLI
execute restore secondary-image {ftp | tftp | usb}
To set the FortiGate unit so that when it reboots, the new firmware is loaded, use the CLI
command...
execute set-next-reboot {primary | secondary}
... where {primary | secondary} is the partition with the preloaded firmware.
To trigger the upgrade using the web-based manager
2. Under System Information > Firmware Version, select Details.
3. Select the check box for the new firmware version.
The Comments column indicates which firmware version is the current active version.
4. Select Upgrade icon.
Page 81
Central management
Administering one or two FortiGate units is fairly simple enough, especially when they are in the
same room or building. However, if you are administering many FortiGate units that may be
located in locations in a large geographical area, or in the world, you will need a more efficient
method of maintaining firmware upgrades, configuration changes and updates.
The FortiManager family of appliances supply the tools needed to effectively manage any size
Fortinet security infrastructure, from a few devices to thousands of appliances. The appliances
provide centralized policy-based provisioning, configuration, and update management. They
also offer end-to-end network monitoring for added control. Managers can control
administrative access and simplify policy deployment using role-based administration to define
user privileges for specific management domains and functions by aggregating collections of
Fortinet appliances and agents into independent management domains. By locally hosting
security content updates for managed devices and agents, FortiManager appliances minimize
Web filtering rating request response time and maximize network protection.
This chapter describes the basics of using FortiManager as an administration tool for multiple
FortiGate units. It describes the basics of setting up a FortiGate unit in FortiManager, and some
key management features you can use within FortiManager to manage the FortiGate unit. For
full details and instructions on FortiManager, see the FortiManager Administration Guide.
Adding a FortiGate to FortiManager
Configuration through FortiManager
Firmware updates
FortiGuard
Backup and restore configurations
Administrative domains
Adding a FortiGate to FortiManager
Before you can use the FortiManager unit to maintain a FortiGate, you need to add it to the
FortiManager unit. To do this requires configuration on both the FortiGate and FortiManager.
This section describes the basics to configure management using a FortiManager device. For
more information on the interaction of FortiManager with the FortiGate unit, see the
FortiManager documentation.
FortiGate configuration
These steps ensure that the FortiGate unit will be able to receive updated antivirus and IPS
updates, and allow remote management through the FortiManager system. You can add a
FortiGate unit whether it is running in either NAT mode or transparent mode. The FortiManager
unit provides remote management of a FortiGate unit over TCP port 541.
To configure the FortiGate unit - web-based manager
3. Enter the IP address for the FortiManager.
4. Select Send Request.
The FortiManager ID appears in the Trusted FortiManager table, and can now be managed by
the FortiManager unit, once you add it to the Device Manager.
As an additional security measure, you can also select Registration Password and enter a
password to connect to the FortiManager in an upcoming FortiManager release.
To configure the FortiGate unit - CLI
config system central-mamagement
set fmg <ip_address>
end
To use the registration password in an upcoming FortiManager release enter:
execute central-mgmt register-device
<fmg-serial-no><fmg-register-password><fgt-usrname><fgt-password>
Configuring an SSL connection
With FortiManager 4.0 MR2 Patch 6 and FortiOS 4.0 MR3, you can configure an SSL
connection between the two devices, and select the encryption level.
Use the following CLI commands in FortiOS to configure the encryption connection:
config system central-management
set status enable
set enc-algorithm {default* | high | low}
end
The default encryption automatically sets high and medium encryption algorithms. Algorithms
used for high, medium, and low follows openssl definitions:
High - Key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
Algorithms are:
DHE-RSA-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:DES-C
BC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA
Low - Key strengths of 64 or 56 bit encryption algorithms but excluding export cipher suites
Algorithms: EDH-RSA-DES-CDBC-SHA; DES-CBC-SHA; DES-CBC-MD5.
If you have not already done so, register the FortiGate unit by visiting
http://support.fortinet.com and select Product Registration. By registering your Fortinet unit,
you will receive updates to threat detection and prevention databases (Antivirus, Intrusion
Detection, etc.) and will also ensure your access to technical support.
You must enable the FortiGate management option so the FortiGate unit can accept
management updates to firmware, antivirus signatures and IPS signatures.
FortiManager configuration
After enabling Central Management and indicating the FortiManager unit that will provide the
management of the FortiGate unit, you can add it to the Device Manager in the FortiManager
web-based manager. For details on completing the configuration, see the FortiManager
Administration Guide.
Configuration through FortiManager
With the FortiManager system, you can monitor and configure multiple FortiGate units from one
location and log in. Within the FortiManager system, you can view a FortiGate unit and its
web-based manager from the Device Manager. From there you can make the usual
configuration updates and changes, without having to log in and out of multiple FortiGate units.
When under control of a FortiManager system, administrators will not be able to configure the
FortiGate unit. When trying to change options, the FortiGate unit displays a message that it is
configured through FortiManager, and any changes may be reverted.
FortiManager enables you to complete the configuration, by going to the Device Manager,
selecting the FortiGate unit and using the same menu structure and pages as you would see in
the FortiGate web-based manager. All changes to the FortiGate configuration are stored locally
on the FortiManager unit until you synchronize with the FortiGate unit.
Global objects
If you are maintaining a number of FortiGate units within a network, many of the policies and
configuration elements will be the same across the corporation. In these instances, the adding
and editing of many of the same policies will be come a tedious and error-prone activity. With
FortiManager global objects, this level of configuration is simplified.
A global object is an object that is not associated specifically with one device or group. Global
objects includes security policies, a DNS server, VPN, and IP pools.
The Global Objects window is where you can configure global objects and copy the
configurations to the FortiManager device database for a selected device or a group of devices.
You can also import configurations from the FortiManager device database for a selected
device and modify the configuration as required.
When configuring or creating a global policy object the interface, prompts, and fields are the
same as creating the same object on a FortiGate unit using the FortiGate web-based manager.
Locking the FortiGate web-based manager
When you use the FortiManager to manager multiple FortiGate units, a local FortiGate unit
becomes locked from any configuration using the web-based manager by an administrator. If
the administrator uses a super_admin profile, or a profile with read/write capabilities, they will
be able to still make modifications to the configuration. The warning when logging in indicates
that this can cause conflict. When an super_admin administrator logs into the FortiGate unit, the
following message appears:
If the administrator selects Login Read Only, an icon appears at the top of the web-based
manager. All configuration options will only have a Return button, rather than the typical OK,
Apply and Cancel buttons.
Any other type of administrator will only be able to view the configuration and not perform any
modifications to the FortiGate configuration.
Selecting Login Read-Write, a warning appears that any changes may cause the configuration
between FortiManager and the FortiGate unit be become out of sync.
Firmware updates
FortiManager can also be the source where firmware updates are performed for multiple
FortiGate units, saving time rather than upgrading each FortiGate unit individually.
The FortiManager unit stores local copies of firmware images by either downloading these
images from the Fortinet Distribution Network (FDN) or by accepting firmware images that you
upload from your management computer.
If you are using the FortiManager unit to download firmware images from the FDN,
FortiManager units first validate device licenses. The FDN validates support contracts and
provides a list of currently available firmware images. For devices with valid Fortinet Technical
Support contracts, you can download new firmware images from the FDN, including release
notes.
After firmware images have been either downloaded from the FDN or imported to the firmware
list, you can either schedule or immediately upgrade/downgrade a device or groups firmware.
See the FortiManager Administration Guide for more information on updating the FortiGate
firmware using the FortiManager central management.
FortiGuard
FortiManager can also connect to the FortiGuard Distribution Network to receive push updates
for IPS signatures and antivirus definitions. These updates can then be used to update multiple
FortiGate units throughout an organization. By the FortiManager as the host for updates,
bandwidth use is minimized by downloading to one source instead of many.
To receive IPS and antivirus updates from FortiManager, indicate an alternate IP address on the
FortiGate unit.
To configure updates from FortiManager
2. Select AntiVirus and IPS Options to expand the options.
3. Select the checkbox next to Use override server address and enter the IP address of the
FortiManager unit.
4. Select Apply.
Backup and restore configurations
FortiManager stores configuration files for backup and restore purposes. FortiManager also
enables you to save revisions of configuration files. Configuration backups occur automatically.
Backups occur when the administrator logs out or the administrator login session expires (times
out).
FortiManager also enables you to view differences between different configurations to view
where changes have been made.
Administrative domains
FortiManager administrative domains enable the admin administrator to create groupings of
devices for configured administrators to monitor and manage. FortiManager can manage a
large number of Fortinet appliances. This enables administrators to maintain managed devices
specific to their geographic location or business division. This also includes FortiGate units with
multiple configured VDOMs.
Each administrator is tied to an administrative domain (ADOM). When that particular
administrator logs in, they see only those devices or VDOMs configured for that administrator
and ADOM. The one exception is the admin administrator account which can see and maintain
all administrative domains and the devices within those domains.
Administrative domains are not enabled by default, and enabling and configuring the domains
can only be performed by the admin administrator. The maximum number of administrative
domains you can add depends on the FortiManager system model.
See the FortiManager Administration Guide for information on the maximums for each model.
Page 86
Best practices
The FortiGate unit is installed, and traffic is moving. With your network sufficiently protected,
you can now fine tune the firewall for the best performance and efficiently. This chapter
describes configuration options that can ensure your FortiGate unit is running at its best
performance.
This section includes the topics on:
Hardware
Shutting down
Performance
Firewall
Intrusion protection
Antivirus
Web filtering
Antispam
Hardware
Environmental specifications
Keep the following environmental specifications in mind when installing and setting up your
FortiGate unit.
Operating temperature: 32 to 104F (0 to 40C) (temperatures may vary, depending on the
FortiGate model)
If you install the FortiGate unit in a closed or multi-unit rack assembly, the operating ambient
temperature of the rack environment may be greater than room ambient temperature.
Therefore, make sure to install the equipment in an environment compatible with the
manufacturer's maximum rated ambient temperature.
Storage temperature: -13 to 158F (-25 to 70C) (temperatures may vary, depending on the
FortiGate model)
Humidity: 5 to 90% non-condensing
Air flow - For rack installation, make sure that the amount of air flow required for safe
operation of the equipment is not compromised.
For free-standing installation, make sure that the appliance has at least 1.5 in. (3.75 cm) of
clearance on each side to allow for adequate air flow and cooling.
This device complies with part FCC Class A, Part 15, UL/CUL, C Tick, CE and VCCI. Operation
is subject to the following two conditions:
This device may not cause harmful interference, and
This device must accept any interference received, including interference that may cause
undesired operation.
This equipment has been tested and found to comply with the limits for a Class B digital device,
pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a residential installation. This equipment generates,
uses and can radiate radio frequency energy and, if not installed and used in accordance with
the instructions, may cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does
cause harmful interference to radio or television reception, which can be determined by turning
the equipment off and on, the user is encouraged to try to correct the interference by one or
more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is
connected.
Consult the dealer or an experienced radio/TV technician for help.
The equipment compliance with FCC radiation exposure limit set forth for uncontrolled
Environment.
Grounding
Ensure the FortiGate unit is connected and properly grounded to a lightning and surge
protector. WAN or LAN connections that enter the premises from outside the building should
be connected to an Ethernet CAT5 (10/100 Mb/s) surge protector.
Shielded Twisted Pair (STP) Ethernet cables should be used whenever possible rather than
Unshielded Twisted Pair (UTP).
Do not connect or disconnect cables during lightning activity to avoid damage to the
FortiGate unit or personal injury.
Rack mount instructions
Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the operating
ambient temperature of the rack environment may be greater than room ambient. Therefore,
consideration should be given to installing the equipment in an environment compatible with the
maximum ambient temperature (Tma) specified by the manufacturer.
Reduced Air Flow - Installation of the equipment in a rack should be such that the amount of
air flow required for safe operation of the equipment is not compromised.
Mechanical Loading - Mounting of the equipment in the rack should be such that a hazardous
condition is not achieved due to uneven mechanical loading.
Circuit Overloading - Consideration should be given to the connection of the equipment to the
supply circuit and the effect that overloading of the circuits might have on overcurrent
protection and supply wiring. Appropriate consideration of equipment nameplate ratings should
be used when addressing this concern.
Reliable Earthing - Reliable earthing of rack-mounted equipment should be maintained.
Particular attention should be given to supply connections other than direct connections to the
branch circuit (e.g. use of power strips).
Risk of Explosion if battery is replaced by an incorrect type. Dispose of used batteries
according to the instructions.
To reduce the risk of fire, use only No. 26 AWG or larger UL Listed or CSA Certified
Telecommunication Line Cord
Shutting down
Always shut down the FortiGate operating system properly before turning off the power switch
to avoid potential hardware problems.
To power off the FortiGate unit - web-based manager
1. Go to System > Status.
2. In the System Resources widget, select Shutdown.
To power off the FortiGate unit
execute shutdown
Once completing this step you can safely disconnect the power cables from the power supply.
Performance
Disable any management features you do not need. If you dont need SSH or SNMP disable
them. SSH also provides another possibility for would-be hackers to infiltrate your FortiGate
unit.
Put the most used firewall rules to the top of the interface list.
Log only necessary traffic. The writing of logs, especially if to an internal hard disk, slows
down performance.
Enable only the required application inspections.
Keep alert systems to a minimum. If you send logs to a syslog server, you may not need
SNMP or email alerts, making for redundant processing.
Establish scheduled FortiGuard updates at a reasonable rate. Daily every 4-5 hours for most
situations, or in more heavy-traffic situations, in the evening when more bandwidth can be
available.
Keep UTM profiles to a minimum. If you do not need a profile on a firewall rule, do not
include it.
Keep VDOMs to a minimum. On low-end FortiGate units, avoid using them if possible.
Avoid traffic shaping if you need maximum performance. Traffic shaping, by definition, slows
down traffic.
Firewall
Avoid using the All selection for the source and destination addresses. Use addresses or
address groups.
Avoid using Any for the services.
Use logging on a policy only when necessary. For example, you may want to log all dropped
connections but be aware of the performance impact. However, use this sparingly to sample
traffic data rather than have it continually storing log information you may not use.
Use the comment field to input management data; who requested the rule, who authorized
it, etc.
Avoid FQDN addresses if possible, unless they are internal. It can cause a performance
impact on DNS queries and security impact from DNS spoofing.
If possible, avoid port ranges on services for security reasons.
Use groups whenever possible.
To ensure that all AV push updates occur, ensure you have an AV profile enabled for UTM in
a security policy.
Intrusion protection
Create and use UTM profiles with specific signatures and anomalies you need per-interface
and per-rule.
Do not use predefined or generic profiles. While convenient to supply immediate protection,
you should create profiles to suit your network environment.
If you do use the default profiles, reduce the IPS signatures/anomalies enabled in the profile
to conserver processing time and memory.
If you are going to enable anomalies, make sure you tune thresholds according to your
environment.
If you need protection, but not audit information, disable the logging option.
Tune the IP-protocol parameter accordingly.
Antivirus
Enable only the protocols you need to scan. If you have antivirus scans occurring on the
SMTP server, or using FortiMail, it is redundant to have it occur on the FortiGate unit as well.
Reduce the maximum file size to be scanned. Viruses travel usually in small files of around 1
to 2 megabytes.
Antivirus scanning within an HA cluster can impact performance.
Enable grayware scanning on UTM profiles tied to internet browsing.
Do not quarantine files unless you regularly monitor and review them. This is otherwise a
waste of space and impacts performance.
Use file patterns to avoid scanning where it is not required.
Enable heuristics from the CLI if high security is required using the command
config antivirus heuristic.
Web filtering
Web filtering within an HA cluster impacts performance.
Always review the DNS settings to ensure the servers are fast.
Content block may cause performance overhead.
Local URL filter is faster than FortiGuard web filter, because the filter list is local and the
FortiGate unit does not need to go out to the Internet to get the information from a
FortiGuard web server.
Antispam
If possible use, a FortiMail unit. The antispam engines are more robust.
Use fast DNS servers.
Use specific UTM profiles for the rule that will use antispam.
DNS checks may cause false positive with HELO DNS lookup.
Content analysis (banned words) may impose performance overhead.
Security
Use NTP to synchronize time on the FortiGate and the core network systems such as email
servers, web servers and logging services.
Enable log rules to match corporate policy. For example, log administration authentication
events and access to systems from untrusted interfaces.
Minimize adhoc changes to live systems if possible to minimize interruptions to the network.
When not possible, create backup configurations and implement sound audit systems using
FortiAnalyzer and FortiManager.
If you only need to allow access to a system on a specific port, limit the access by creating
the strictest rule possible.
Page 91
FortiGuard
FortiGuard is a world-wide network of servers. The FortiGuard Distribution Network (FDN) of
servers provides updates to antivirus, antispam and IPS definitions. Worldwide coverage of
FortiGuard services is provided by FortiGuard service points. FortiGuard Subscription Services
provide comprehensive Unified Threat Management (UTM) security solutions to enable
protection against content and network level threats.
Fortinet employs people around the globe monitoring virus, spyware and vulnerability activities.
As these various vulnerabilities are found, signatures are created and pushed to the subscribed
FortiGate unit. The Global Threat Research Team enables Fortinet to deliver a combination of
multi-layered security intelligence and provide true zero-day protection from new and emerging
threats. FortiGuard services are continuously updated year round, 24x7x365.
The FortiGuard Network has data centers around the world located in secure, high availability
locations that automatically deliver updates to the Fortinet security platforms to and protect the
network with the most up-to-date information.
To ensure optimal response and updates, the FortiGate unit will contact a FortiGuard service
point closest to the FortiGate installation, using the configured time zone information.
Every FortiGate unit includes a free 30-day FortiGuard trial license. FortiGuard license
management is performed by Fortinet servers. The FortiGate unit automatically contacts a
FortiGuard service point when enabling FortiGuard services. Contact Fortinet Technical Support
to renew a FortiGuard license after the free trial.
FortiGuard Services
Antivirus and IPS
Web filtering
Email filtering
Security tools
Troubleshooting
FortiGuard Services
The FortiGuard services provide a number of services to monitor world-wide activity and
provide the best possible security. Services include:
Antispam/Web Filtering- The FortiGuard Antispam Service uses both a sender IP
reputation database and a spam signature database, along with sophisticated spam filtering
tools on Fortinet appliances and agents, to detect and block a wide range of spam
messages. Updates to the IP reputation and spam signature databases are provided
continuously via the global FortiGuard distribution network.
Antivirus -The FortiGuard Antivirus Service provides fully automated updates to ensure
protection against the latest content level threats. It employs advanced virus, spyware, and
heuristic detection engines to prevent both new and evolving threats and vulnerabilities from
gaining access to your network.
Intrusion Prevention - The FortiGuard Intrusion Prevention Service uses a customizable
database of more than 4000 known threats to stop attacks that evade conventional firewall
defenses. It also provides behavior-based heuristics, enabling the system to recognize
threats when no signature has yet been developed. It also provides more than 1000
application identity signatures for complete application control.
Web Filtering - Web Filtering provides Web URL filtering to block access to harmful,
inappropriate, and dangerous web sites that may contain phishing/pharming attacks,
malware such as spyware, or objectionable content that can expose your organization to
legal liability. Based on automatic research tools and targeted research analysis, real-time
updates enable you to apply highly-granular policies that filter web access based on 78 web
content categories, over 45 million rated web sites, and more than two billion web pages - all
continuously updated.
DNS and DDNS - The FortiGuard DNS and DDNS services provide an efficient method of
DNS lookups once subscribed to the FortiGuard network. This is the default option. The
FortiGate unit connects automatically to the FortiGuard DNS server. If you do not register,
you need to configure an alternate DNS server.
Configure the DDNS server settings using the CLI commands:
config system fortiguard
set ddns-server-ip
set ddns-server-port
end
SMS Messaging - This is a Fortinet messaging service. By subscribing this service, a secure
email server to be automatically enabled on your FortiGate unit to send alert email, or send
email authentication tokens. With the SMS gateway, you can enter phone numbers where
the FortiGate unit will send the SMS messages. Note that depending on your carrier, there
may be a slight time delay on receiving messages.
Support Contract and FortiGuard Subscription Services
The Support Contract and FortiGuard Subscription Services sections are displayed in
abbreviated form within the License Information widget. A detailed version is available by going
to System > Config > FortiGuard.
The Support Contract area displays the availability or status of your FortiGate units support
contract. The status displays can be either Unreachable, Not Registered or Valid Contract.
The FortiGuard Subscription Services area displays detailed information about your FortiGate
units support contract and FortiGuard subscription services. On this page, you can also
manually update the antivirus and IPS engines.
The status icons for each section Indicates the state of the subscription service. The icon
corresponds to the availability description.
Gray (Unreachable) the FortiGate unit is not able to connect to service.
Orange (Not Registered) the FortiGate unit can connect, but not subscribed.
Yellow (Expired) the FortiGate unit had a valid license that has expired.
Green (Valid license) the FortiGate unit can connect to FDN and has a registered support
contract. If the Status icon is green, the expiry date also appears.
FortiGuard Analysis Service Options
Go to the System Information widget on the Dashboard, and select the FAMS/Messaging
options.
Antivirus and IPS
The FortiGuard network is an always updating service. That is, Fortinet employs developers
around the clock, monitoring for new and mutating virus and intrusion threats. This includes
grayware and signatures for application control. There are two methods of updating the virus
and IPS signatures on your FortiGate unit: manually or through push updates.
Antivirus and IPS Options
Go to System > Config > FortiGuard, and expand the Antivirus and IPS Options section to
configure the antivirus and IPS options for connecting and downloading definition files.
Account ID Enter the name for the FortiGuard Analysis and Management
Service that identifies the account. This is the same account
information used when registering for the service.
To launch the service
portal, please click here
elect to go directly to the FortiGuard Analysis and Management
Service portal web site to view logs or configuration. You can
also select this to register your FortiGate unit with the FortiGuard
Analysis and Management Service.
Use override server
address
Select to configure an override server if you cannot connect to the FDN
or if your organization provides updates using their own FortiGuard
server.
Allow Push Update Select to allow updates sent automatically to your FortiGate unit when
they are available
Allow Push Update
status icon
The status of the FortiGate unit for receiving push updates:
Gray (Unreachable) - the FortiGate unit is not able to connect to push
update service
Yellow (Not Available) - the push update service is not available with
current support license
Green (Available) - the push update service is allowed.
Use override push
IP and Port
Available only if both Use override server address and Allow Push
Update are enabled.
Enter the IP address and port of the NAT device in front of your
FortiGate unit. FDS will connect to this device when attempting to reach
the FortiGate unit.
The NAT device must be configured to forward the FDS traffic to the
FortiGate unit on UDP port 9443.
Manual updates
To manually update the signature definitions file, you need to first go to the Support web site at
https://support.fortinet.com. Once logged in, select FortiGuard Service Updates from the
Download area of the web page. The browser will present you the most current antivirus and
IPS signature definitions which you can download.
Once downloaded to your computer, log into the FortiGate unit to load the definition file.
To load the definition file onto the FortiGate unit
2. Select the Update link for either AV Definitions or IPS Definitions.
3. Locate the downloaded file and select OK.
The upload may take a few minutes to complete.
Automatic updates
The FortiGate unit can be configured to request updates from the FortiGuard Distribution
Network. You can configure this to be on a scheduled basis, or with push notifications.
Scheduling updates
Scheduling updates ensures that the virus and IPS definitions are downloaded to your FortiGate
unit on a regular basis, ensuring that you do not forget to check for the definition files yourself.
As well, by scheduling updates during off-peak hours, such as evenings or weekends, when
network usage is minimal, ensures that the network activity will not suffer from the added traffic
of downloading the definition files.
If you require the most up-to-date definitions as viruses and intrusions are found in the wild, the
FortiGuard Distribution Network can push updates to the FortiGate units as they are developed.
This ensures that your network will be protected from any breakouts of a virus within the
shortest amount of time, minimizing any damaging effect that can occur. Push updates require
that you have registered your FortiGate unit.
Once push updates are enabled, the next time new antivirus or IPS attack definitions are
released, the FDN notifies all the FortiGate unit that a new update is available. Within 60
seconds of receiving a push notification, the unit automatically requests the update from the
FortiGuard servers.
Schedule Updates Select this check box to enable updates to be sent to your FortiGate
unit at a specific time. For example, to minimize traffic lag times, you
can schedule the update to occur on weekends or after work hours.
Note that a schedule of once a week means any urgent updates will not
be pushed until the scheduled time.
However, if there is an urgent update required, select the Update Now
button.
Update Now Select to manually initiate an FDN update.
Submit attack
characteristics
(recommended)
Select to help Fortinet maintain and improve IPS signatures. The
information sent to the FortiGuard servers when an attack occurs, can
be used to keep the database current as variants of attacks evolve.
To enable scheduled updates - web-based manager
2. Click the Expand Arrow for AntiVirus and IPS Options.
3. Select the Scheduled Update check box.
4. Select the frequency of the updates and when within that frequency.
5. Select Apply.
To enable scheduled updates - CLI
config system autoupdate schedule
set status enable
set frequency {every | daily | weekly}
set time <hh:mm>
set day <day_of_week>
end
Push updates
Push updates enable you to get immediate updates when new virus or intrusions have been
discovered and new signatures are created. This ensures that when the latest signature is
available it will be sent to the FortiGate.
When a push notification occurs, the FortiGuard server sends a notice to the FortiGate unit that
there is a new signature definition file available. The FortiGate unit then initiates a download of
the definition file, similar to the scheduled update.
To ensure maximum security for your network, you should have a scheduled update as well as
enable the push update, in case an urgent signature is created, and your cycle of the updates
only occurs weekly.
To enable push updates - web-based manager
1. Got to System > Config > FortiGuard.
2. Click the Expand Arrow for Antivirus and IPS Options.
3. Select Allow Push Update.
4. Select Apply.
To enable push updates - CLI
config system autoupdate push-update
set status enable
end
Push IP override
If the FortiGate unit is behind another NAT device (or another FortiGate unit), to ensure it
receives the push update notifications, you need to use an override IP address for the
notifications. To do this, you create a virtual IP to map to the external port of the NAT device.
Generally speaking, if there are two FortiGate devices as in the diagram below, the following
steps need to be completed on the FortiGate NAT device to ensure the FortiGate unit on the
internal network receives the updates:
Add a port forwarding virtual IP to the FortiGate NAT device that connects to the Internet by
going to Firewall Objects > Virtual IP.
Add a security policy to the FortiGate NAT device that connects to the Internet that includes
the port forwarding virtual IP.
Configure the FortiGate unit on the internal network with an override push IP and port.
On the FortiGate internal device, the virtual IP is entered as the Use push override IP address.
Figure 7: Using a virtual IP for a FortiGate unit behind a NAT device
To enable push update override- web-based manager
2. Click the Expand Arrow for Antivirus and IPS Options.
3. Select Allow Push Update.
4. Select Use push override IP.
5. Enter the virtual IP address configured on the NAT device.
6. Select Apply.
To enable push updates - CLI
config system autoupdate push-update
set status enable
set override enable
set address <vip_address>
end
F
o
r
tG
u
a
r
d
D
is
tr
ib
u
tio
n
N
e
tw
o
r
k
F
o
r
tiG
a
te
N
A
T
D
e
v
ic
e
1
7
2
.2
0
.1
2
0
.7
1
0
.1
0
.1
0
.1
1
0
.1
0
.1
0
.3
V
ir
tu
a
l IP
1
7
2
.2
0
.1
2
0
.8
F
o
r
tiG
a
te
In
te
r
n
a
l
D
e
v
ic
e
Web filtering
The multiple FortiGuard data centers around the world hold the entire categorized URL
database and receive rating requests from customer FortiGate units typically triggered by
browser based URL requests. These rating requests are responded to with the categories
stored for specific URLs, the requesting FortiGate unit will then use its own local profile
configuration to determine what action is appropriate to the category, that is, to blocking,
monitor or permit the request. Fortinets development team has ensured that providing this
powerful filtering capability is as simple as possible to enable.
Further, rating responses can also be cached locally on the FortiGate unit, providing a quicker
response time, while easing load on the FortiGuard servers, aiding in a quicker response time
for less common URL requests. This is a very effective method for common sites. Search
engines and other frequently visited sites for your business can remain cached locally. Other
sites less frequently visited, can be cached locally for a determined amount of time. For a site
such as Google, the frequency of its access can keep it in the cache, other sites can remain in
the cache up to 24 hours, or less depending on the configuration.
By default, the web filtering cache is enabled. The cache includes a time-to-live value, which is
the amount of time a url will stay in the cache before expiring. You can change this value to
shorten or extend the time between 300 and 86400 seconds.
Web Filtering and Email Filtering Options
Go to System > Config > FortiGuard, and expand arrow to view Web Filtering and Email Filtering
options for setting the size of the caches and ports used.
URL verification
If you discover a URL - yours or one you require access to has been incorrectly flagged as an
inappropriate site, you can ask the FortiGuard team to re-evaluate the site. To do this, go to
System > Config > FortiGuard, select the blue arrow for Web Filtering and Email Filtering
Options and select the link for re-evaluation.
Web Filter cache TTL Set the Time To Live value. This is the number of seconds the
FortiGate unit will store a blocked IP or URL locally, saving time and
network access traffic, checking the FortiGuard server. Once the TTL
has expired, the FortiGate unit will contact an FDN server to verify a
web address. The TTL must be between 300 and 86400 seconds.
Antispam cache TTL Set the Time To Live value. This is the number of seconds the
FortiGate unit will store a blocked IP or URL locally, saving time and
network access traffic, checking the FortiGuard server. Once the TTL
has expired, the FortiGate unit will contact an FDN server to verify a
web address. The TTL must be between 300 and 86400 seconds.
Port Section Select the port assignments for contacting the FortiGuard servers.
Select the Test Availability button to verify the connection using the
selected port.
To have a URL's
category rating
re-evaluated, please
click here
Select to re-evaluate a URLs category rating on the FortiGuard Web
Filter service.
To modify the web filter cache size - web-based manager
2. Click the Expand Arrow for Web Filtering and Email Filtering Options.
3. Enter the TTL value for the Web filter cache.
4. Select Apply.
To modify the web filter cache size - CLI
set webfilter-cache-ttl <integer>
end
Further web filtering options can be configured to block specific URLs, and allow others
through. These configurations are available through the UTM > Web Filter menu. For more
information, see the UTM Guide.
Email filtering
Similar to web filtering, FortiGuard data centers monitor and update email databases of known
spam sources. With FortiGuard antispam enabled, the FortiGate unit verifies incoming email
sender address and IPs against the database, and take the necessary action as defined within
the antivirus profiles.
Further, spam source IP addresses can also be cached locally on the FortiGate unit, providing a
quicker response time, while easing load on the FortiGuard servers, aiding in a quicker
response time for less common email address requests.
By default, the antispam cache is enabled. The cache includes a time-to-live value, which is the
amount of time an email address will stay in the cache before expiring. You can change this
value to shorten or extend the time between 300 and 86400 seconds.
To modify the antispam filter cache size - web-based manager
2. Click the Expand Arrow for Web Filtering and Email Filtering Options.
3. Enter the TTL value for the Antispam filter cache.
4. Select Apply.
To modify the web filter cache size - CLI
set antispam-cache-ttl <integer>
end
Further antispam filtering options can be configured to block, allow or quarantine, specific email
addresses. These configurations are available through the UTM Security Profiles > Antispam
menu. For more information, see the UTM Guide.
Security tools
The FortiGuard online center provides a number of online security tools that enable you to verify
or check ratings of web sites, email addresses as well as check file for viruses. These features
are available at http://www.fortiguard.com.
URL lookup
By entering a web site address, you can see if it has been rated and what category and
classification it is filed as. If you find your web site or a site you commonly go to has been
wrongly categorized, use this page to request the site to be re-evaluated.
http://www.fortiguard.com/webfiltering/webfiltering.html
IP and signature lookup
The IP and signature lookup enable you to check whether an IP address is blacklisted in the
FortiGuard IP reputation database, or whether a URL or email address is in the signature
database.
http://www.fortiguard.com/antispam/antispam.html
Online virus scanner
If you discover a suspicious file on your machine, or suspect that a program you downloaded
from the internet might be malicious you can scan it using the FortiGuard online scanner. The
questionable file can be uploaded from your computer to a dedicated server where it will be
scanned using FortiClient Antivirus. Only one file of up to 1 MB can be checked at any one time.
All files will be forwarded to our research labs for analysis.
http://www.fortiguard.com/antivirus/virus_scanner.html
Malware removal tools
Tools have been developed by FortiGuard Labs to disable and remove the specific malware and
related variants. Some tools have been developed to remove specific malware, often tough to
remove. A universal cleaning tool, FortiCleanup, is also available for download.
The FortiCleanup is a tool developed to identify and cleanse systems of malicious rootkit files
and their associated malware. Rootkits consist of code installed on a system with kernel level
privileges, often used to hide malicious files, keylog and thwart detection / security techniques.
The aim of this tool is to reduce the effectiveness of such malware by finding and eliminating
rootkits. The tool offers a quick memory scan as well as a full system scan. FortiCleanup will not
only remove malicious files, but also can cleanse registry entries, kernel module patches, and
other tricks commonly used by rootkits - such as SSDT hooks and process enumeration hiding.
A license to use these applications is provided free of charge, courtesy of Fortinet.
http://www.fortiguard.com/antivirus/malware_removal.html
Troubleshooting
If you are not getting FortiGuard web filtering or antispam services, there are a few things to
verify communication to the FortiGuard Distribution Network (FDN) is working. Before any
troubleshooting, ensure that the FortiGate unit has been registered and you or your company,
has subscribed to the FortiGuard services.
Web-based manager verification
The simplest method to check that the FortiGate unit is communicating with the FDN, is to
check the License Information dashboard widget. Any subscribed services should have a green
check mark beside them indicating that connections are successful. Any other icon indicates a
problem with the connection, or you are not subscribed to the FortiGuard services.
Figure 8: License Information widget showing FortiGuard availability
Alternatively, you can view the FortiGuard connection status by going to System > Config >
FortiGuard.
Figure 9: FortiGuard availability
CLI verification
You can also use the CLI to see what FortiGuard servers are available to your FortiGate unit.
Use the following CLI command to ping the FDN for a connection:
ping guard.fortinet.net
You can also use diagnose command to find out what FortiGuard servers are available:
diagnose debug rating
From this command, you will see output similar to the following:
Locale : english
License : Contract
Expiration : Sun Jul 24 20:00:00 2011
Hostname : service.fortiguard.net
-=- Server List (Tue Nov 2 11:12:28 2010) -=-
IP Weight RTT Flags TZ Packets Curr Lost Total Lost
69.20.236.180 0 10 -5 77200 0 42
69.20.236.179 0 12 -5 52514 0 34
66.117.56.42 0 32 -5 34390 0 62
80.85.69.38 50 164 0 34430 0 11763
208.91.112.194 81 223 D -8 42530 0 8129
216.156.209.26 286 241 DI -8 55602 0 21555
An extensive list of servers are available. Should you see a list of three to five available servers,
the FortiGuard servers are responding to DNS replies to service.FortiGuard.net, but the INIT
requests are not reaching FDS services on the servers.
The rating flags indicate the server status:
The server list is sorted first by weight and then the server with the smallest RTT is put at the top
of the list, regardless of weight. When a packet is lost, that is, no response in two seconds, it will
be resent to the next server in the list. The top position in the list is selected based on RTT while
the other list positions are based on weight.
The weight for each server increases with failed packets and decreases with successful
packets. To lower the possibility of using a faraway server, the weight is not allowed to dip
below a base weight which is calculated as the difference in hours between the FortiGate unit
and the server multiplied by 10. The further away the server is, the higher its base weight and
the lower in the list it will appear.
Port assignment
FortiGate units contact the FortiGuard Distribution Network (FDN) for the latest list of FDN
servers by sending UDP packets with typical source ports of 1027 or 1031, and destination
ports of 53 or 8888. The FDN reply packets have a destination port of 1027 or 1031.
If your ISP blocks UDP packets in this port range, the FortiGate unit cannot receive the FDN
reply packets. As a result, the FortiGate unit will not receive the complete FDN server list.
You can select a different source port range for the FortiGate unit to use. If your ISP blocks the
lower range of UDP ports (around 1024), you can configure your FortiGate unit to use
higher-numbered ports, using the CLI command
set ip-src-port-range <start port>-<end port>
end
where the <start port> and <end port> are numbers ranging of 1024 to 25000.
For example, you could configure the FortiGate unit to not use ports lower than 2048 or ports
higher than the following range:
set ip-src-port-range 2048-20000
end
Trial and error may be required to select the best source port range. You can also contact your
ISP to determine the best range to use. Push updates might be unavailable if:
there is a NAT device installed between the unit and the FDN
your unit connects to the Internet using a proxy server.
D Indicates the server was found via the DNS lookup of the hostname. If the hostname
returns more than one IP address, all of them will be flagged with 'D' and will be used
first for INIT requests before falling back to the other servers.
I Indicates the server to which the last INIT request was sent
F The server has not responded to requests and is considered to have failed.
T The server is currently being timed.
Page 103
Monitoring
With network administration, the first step is installing and configuring the FortiGate unit to be
the protector of the internal network. Once the system is running efficiently, the next step is to
monitor the system and network traffic, to tweak leaks and abusers as well as the overall health
of the FortiGate unit(s) that provide that protection.
This chapter discusses the various methods of monitoring both the FortiGate unit and the
network traffic through a range of different tools available within FortiOS.
Dashboard
sFlow
Monitor menus
Logging
Alert email
SNMP
SNMP get command syntax
Fortinet and FortiGate MIB fields
Dashboard
The FortiOS dashboard provides a location to view real-time system information. By default, the
dashboard displays the key statistics of the FortiGate unit itself, providing the memory and CPU
status, as well as the health of the ports, whether they are up or down and their throughput.
Widgets
Within the dashboard is a number of smaller windows, called widgets, that provide this status
information. Beyond what is visible by default, you can add a number of other widgets that
display other key traffic information including application use, traffic per IP address, top attacks,
traffic history and logging statistics.
You can add multiple dashboards to reflect what data you want to monitor, and add the widgets
accordingly. Dashboard configuration is only available through the web-based manager.
Administrators must have read and write privileges to customize and add widgets when in either
menu. Administrators must have read privileges if they want to view the information.
To add a dashboard and widgets
1. Go to System > Dashboard.
2. Select the Dashboard menu at the top of the window and select Add Dashboard.
3. Enter a name for the widget.
4. Select the Widget menu at the top of the window.
5. From the screen, select the type of information you want to add.
6. When done, select the X in the top right of the widget.
Dashboard widgets provide an excellent method to view real-time data about the events
occurring on the FortiGate unit and the network. For example, by adding the Network Protocol
Usage widget, you can monitor the activity of various protocols over a selected span of time.
Based on that information you can add or adjust traffic shaping and/or security policies to
control traffic.
You can position widgets within the dashboard frame by clicking and dragging it to a different
location.
FortiClient connections
The License Information widget includes information for the FortiClient connections. It displays
the number of FortiClient connections allowed, and the number of users connecting. By
selecting the Details link for the number of connections, you can view more information about
the connecting user, including IP address, user name and type of operating system the user is
connecting with.
sFlow
sFlow is a method of monitoring the traffic on your network to identify areas on the network that
may impact performance and throughput. sFlow is described in http://www.sflow.org. FortiOS
implements sFlow version 5. sFlow uses packet sampling to monitor network traffic. That is, an
sFlow Agent captures packet information at defined intervals and sends them to an sFlow
Collector for analysis, providing real-time data analysis. The information sent is only a sampling
of the data for minimal impact on network throughput and performance.
The sFlow Agent is embedded in the FortiGate unit. Once configured, the FortiGate unit sends
sFlow datagrams of the sampled traffic to the sFlow Collector, also called an sFlow Analyzer.
The sFlow Collector receives the datagrams, and provides real-time analysis and graphing to
indicate where potential traffic issues are occurring. sFlow Collector software is available from a
number of third party software vendors.
sFlow data captures only a sampling of network traffic, not all traffic like the traffic logs on the
FortiGate unit. Sampling works by the sFlow Agent looking at traffic packets when they arrive
on an interface. A decision is made whether the packet is dropped, and sent on to its
destination, or a copy is forwarded to the sFlow Collector. The sample used and its frequency
are determined during configuration.
sFlow is not supported on virtual interfaces such as vdom link, ipsec, ssl.<vdom> or gre.
The sFlow datagram sent to the Collector contains the information:
Packet header (e.g. MAC,IPv4,IPv6,IPX,AppleTalk,TCP,UDP, ICMP)
Sample process parameters (rate, pool etc.)
Input/output ports
Priority (802.1p and TOS)
VLAN (802.1Q)
Source/destination prefix
Next hop address
Source AS, Source Peer AS
Destination AS Path
Communities, local preference
User IDs (TACACS/RADIUS) for source/destination
URL associated with source/destination
Interface statistics (RFC 1573, RFC 2233, and RFC 2358)
sFlow agents can be added to any type of FortiGate interface. sFlow isn't supported on some
virtual interfaces such as VDOM link, IPsec, gre, and ssl.<vdom>.
For more information on sFlow, Collector software and sFlow MIBs, visit www.sflow.org.
Configuration
sFlow configuration is available only from the CLI. Configuration requires two steps: enabling
the sFlow Agent, and configuring the interface for the sampling information.
Enable sFlow
config system sflow
set collector-ip <ip_address>
set collector-port <port_number>
end
The default port for sFlow is UDP 6343. To configure in VDOM, use the commands:
config system vdom-sflow
set vdom-sflow enable
set collector-ip <ip_address>
set collector-port <port_number>
end
Configure sFlow agents per interface.
set sflow-sampler enable
set sample-rate <every_n_packets>
set sample-direction [tx | rx | both]
set polling-interval <seconds>
end
Monitor menus
The Monitor menus enable you to view session and policy information and other activity
occurring on your FortiGate unit. The monitors provide the details of user activity, traffic and
policy usage to show live activity. Monitors are available for DHCP, routing, security policies,
traffic shaping, load balancing, a variety of UTM functionality, VPN, user, firewall, WiFi
controllers and logging.
Logging
FortiOS provides a robust logging environment that enables you to monitor, store and report
traffic information and FortiGate events including attempted log ins and hardware status.
Depending on your requirements, you can log to a number of different hosts.
To configure logging in the web-based manager, go to Log & Report > Log Config > Log Setting.
To configure logging in the CLI use the commands config log <log_location>.
For details on configuring logging see the Logging and Reporting Guide and FortiAnalyzer
Administration Guide.
FortiGate memory
Logs are saved to the internal memory by default. Inexpensive yet volatile, for basic event logs
or verifying traffic, AV or spam patterns, logging to memory is a simple option. However,
because logs are stored in the limited space of the internal memory, only a small amount is
available for logs. As such logs can fill up and be overridden with new entries, negating the use
of recursive data. This is especially true for traffic logs. Also, should the FortiGate unit be shut
down or rebooted, all log information will be lost.
FortiGate hard disk
For those FortiGate units with an internal hard disk or SDHC card, you can store logs to this
location. Efficient and local, the hard disk provides a convenient storage location. If you choose
to store logs in this manner, remember to backup the log data regularly.
Configure log disk settings is performed in the CLI using the commands:
config log disk setting
set status enable
end
Further options are available when enabled to configure log file sizes, and uploading/backup
events.
As well, note that the write speeds of hard disks compared to the logging of ongoing traffic may
cause the dropping such, it is recommended that traffic logging be sent to a FortiAnalyzer or
other device meant to handle large volumes of data.
Syslog server
An industry standard for collecting log messages, for off site storage. In the web-based
manager, you are able to send logs to a single syslog server, however in the CLI you can
configure up to three syslog servers where you can also use multiple configuration options. For
example, send traffic logs to one server, antivirus logs to another. The FortiGate unit sends
Syslog traffic over UIDP port 514. Note that if a secure tunnel is configured for communication
to a FortiAnalyzer unit, then Syslog traffic will be sent over an IPSec connection, using UPD
500/4500, protocol IP/50.
To configure a Syslog server in the web-based manager, go to Log & Report > log Config > Log
Setting. In the CLI use the commands:
config log syslogd setting
set status enable
end
Further options are available when enabled to configure a different port, facility and server IP
address.
For Syslog traffic, you can identify a specific port/IP address for logging traffic. Configuration of
these services is performed in the CLI, using the command set source-ip. When configured,
this becomes the dedicated port to send this traffic over.
For example, to set the source IP of a Syslog server to be on the DMZ1 port with an IP of
192.168.4.5, the commands are:
config log syslogd setting
set status enable
end
FortiGuard Analysis and Management service
The FortiGuard Analysis and Management Service is a subscription-based hosted service. With
this service, you can have centralized management, logging, and reporting capabilities available
in FortiAnalyzer and FortiManager platforms, without any additional hardware to purchase,
install or maintain.
This service includes a full range of reporting, analysis and logging, firmware management and
configuration revision history. It is hosted within the Fortinet global FortiGuard Network for
maximum reliability and performance, and includes reporting, and drill-down analysis widgets
makes it easy to develop custom views of network and security events.
The FortiGate unit sends log messages to the FortiGuard Analysis and Management service
using TCP port 443. Configuration is available once a user account has been set up and
confirmed. To enable the account on the FortiGate unit, go to System > Maintenance >
FortiGuard, select the blue arrow to expand the option, and enter the account ID.
For FortiGuard Analysis and Management traffic, you can identify a specific port/IP address for
logging traffic. Configuration of these services is performed in the CLI, using the command set
source-ip. When configured, this becomes the dedicated port to send this traffic over.
For example, to set the source IP of the FortiGuard Analysis and Management server to be on
the DMZ1 port with an IP of 192.168.4.5, the commands are:
config log fortiguard setting
set status enable
end
From the FortiGate unit, you can configure the connection and sending of log messages to be
sent over an SSL tunnel to ensure log messages are sent securely. To do this, use the CLI
commands to enable the encrypted connection and define the level of encryption.
set status enable
set enc-alogorithm {default | high | low | disable}
end
For more information on each encryption level see Configuring an SSL connection on
page 108.
FortiAnalyzer
The FortiAnalyzer family of logging, analyzing, and reporting appliances securely aggregate log
data from Fortinet devices and other syslog-compatible devices. Using a comprehensive suite
of easily-customized reports, users can filter and review records, including traffic, event, virus,
attack, Web content, and email data, mining the data to determine your security stance and
assure regulatory compliance. FortiAnalyzer also provides advanced security management
functions such as quarantined file archiving, event correlation, vulnerability assessments, traffic
analysis, and archiving of email, Web access, instant messaging and file transfer content.
The FortiGate unit sends log messages over UDP port 514 or OFTP (TCP 514). If a secure
connection has been configured, log traffic is sent over UDP port 500/4500, Protocol IP/50. For
more information on configuring a secure connection see Sending logs using a secure
connection on page 108.
For FortiAnalyzer traffic, you can identify a specific port/IP address for logging traffic.
Configuration of these services is performed in the CLI, using the command set source-ip.
When configured, this becomes the dedicated port to send this traffic over.
For example, to set the source IP of a FortiAnalyzer unit to be on port 3 with an IP of
set status enable
end
Sending logs using a secure connection
From the FortiGate unit, you can configure the connection and sending of log messages over an
SSL tunnel to ensure log messages are sent securely. To do this, use the CLI commands below
to enable the encrypted connection and define the level of encryption.
To configure a secure connection to the FortiAnalyzer unit
On the FortiAnalyzer unit, enter the commands:
config log device
edit <device_name>
set secure psk
set psk <name_of_IPSec_tunnel>
set id <fortigate_device_name_on_the_fortianalyzer>
end
To configure a secure connection on the FortiGate unit
On the FortiGate CLI, enter the commands:
config log fortianalyzer setting
set status enable
set server <ip_address>
set local
set localid <name_of_IPSec_tunnel>
end
Configuring an SSL connection
With FortiAnalyzer 4.0 MR3 and FortiOS 4.0 MR3, you can configure an SSL connection
between the two devices, and select the encryption level.
Use the CLI commands to configure the encryption connection:
set status enable
set enc-algorithm {default* | high | low | disable}
end
These commands are specific to OS versions 4.0 MR3 and higher. IPSec connections will still
be possible between FortiOS 4.0 MR3 and FortiAnalyzer 4.0 MR2 and lower.
You must configure the secure tunnel on both ends of the tunnel, the FortiGate unit and the
FortiAnalyzer unit.
This configuration is for FortiAnalyzer OS version 4.0 MR2 or lower. For version 40 MR3, see
Configuring an SSL connection on page 108.
The default encryption automatically sets high and medium encryption algorithms. Algorithms
used for high, medium, and low follows openssl definitions:
High - Key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
Algorithms are:
DHE-RSA-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:DES-C
BC3-MD5:DHE-RSA-AES128-SHA:AES128-SHA
Medium - Key strengths of 128 bit encryption.
Algorithm are:RC4-SHA:RC4-MD5:RC4-MD
Low - Key strengths of 64 or 56 bit encryption algorithms but excluding export cipher suites
Algorithms: EDH-RSA-DES-CDBC-SHA; DES-CBC-SHA; DES-CBC-MD5.
If you want to use an IPSec tunnel to connect to the FortiAnalyzer unit, you need to first disable
the enc-algorithm:
set status enable
set enc-algorithm disable
Then set the IPSec encryption:
set encrypt enable
set psksecret <preshared_IPSec_tunnel_key>
end
Alert email
As an administrator, you want to be certain you can respond quickly to issues occurring on your
network or on the FortiGate unit. Alert email provides an efficient and direct method of notifying
an administrator of events. By configuring alert messages, you can define the threshold when a
problem becomes critical and needs attention. When this threshold is reached, the FortiGate
unit will send an email to one or more individuals notifying them of the issue.
In the following example, the FortiGate unit is configured to send email to two administrators
(admin1 and admin2) when multiple intrusions are detected every two minutes. The FortiGate
unit has its own email address on the mail server.
To configure the email service
1. Go to System > Config > Messaging Servers.
2. Complete the following and select Apply:
SMTP Server Enter the address or name of the email server. For
example, smtp.example.com.
Default Reply To fortigate@example.com
Authentication Enable authentication if required by the email server.
SMTP User FortiGate
Password *********************
To configure alert email - web-based manager
1. Go to Log & Report > Log Config > Alert E-mail.
2. Enter the information:
3. For the Interval Time, enter 2.
4. Select Intrusion Detected.
5. Select Apply.
To configure alert email - CLI
config system email-server
set port 25
set server smtp.example.com
set authenticate enable
set username FortiGate
set password *************
end
config alertemail setting
set username fortigate@example.com
set mailto1 admin1@example.com
set mailto2 admin2@example.com
set filter category
set IPS-logs enable
end
SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your
network. You can configure the hardware, such as the FortiGate SNMP agent, to report system
information and send traps (alarms or event messages) to SNMP managers. An SNMP
manager, or host, is a typically a computer running an application that can read the incoming
trap and event messages from the agent and send out SNMP queries to the SNMP agents. A
FortiManager unit can act as an SNMP manager, or host, to one or more FortiGate units.
FortiOS supports SNMP using IPv4 and IPv6 addressing.
By using an SNMP manager, you can access SNMP traps and data from any FortiGate interface
or VLAN sub interface configured for SNMP management access. Part of configuring an SNMP
manager is to list it as a host in a community on the FortiGate unit it will be monitoring.
Otherwise the SNMP monitor will not receive any traps from that FortiGate unit, or be able to
query that unit.
The FortiGate SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP
managers have read-only access to FortiGate system information through queries and can
receive trap messages from the FortiGate unit.
To monitor FortiGate system information and receive FortiGate traps, you must first compile the
Fortinet and FortiGate Management Information Base (MIB) files. A MIB is a text file that
describes a list of SNMP data objects that are used by the SNMP manager. These MIBs provide
Email from fortigate@example.com
Email to admin1@example.com
admin2@example.com
information the SNMP manager needs to interpret the SNMP trap, event, and query messages
sent by the FortiGate unit SNMP agent.
FortiGate core MIB files are available for download by going to System > Config > SNMP and
selecting the download link on the page.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like
MIB) and most of RFC 1213 (MIB II). For more information, see Fortinet MIBs on page 116.
RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial
support of User-based Security Model (RFC 3414).
SNMP traps alert you to events that occur such as an a full log disk or a virus detected. For
more information about SNMP traps, see Fortinet and FortiGate traps on page 118.
SNMP fields contain information about the FortiGate unit, such as CPU usage percentage or
the number of sessions. This information is useful for monitoring the condition of the unit on an
ongoing basis and to provide more information when a trap occurs. For more information about
SNMP fields, see Fortinet and FortiGate MIB fields on page 121.
The FortiGate SNMP v3 implementation includes support for queries, traps, authentication, and
privacy. Authentication and encryption are configured in the CLI. See the system snmp user
command in the FortiGate CLI Reference.
SNMP configuration settings
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or
more FortiGate interfaces to accept SNMP connections by going to System > Network >
Interface. Select the interface, and in the Administrative Access, select SNMP.
For VDOMS, SNMP traps can only be sent on interfaces in the management virtual domain.
Traps cannot be sent over other interfaces.
To configure SNMP settings, go to System > Config > SNMP.
SNMP Agent Select to enable SNMP communication.
Description Enter descriptive information about the FortiGate unit. The description
can be up to 35 characters.
Location Enter the physical location of the FortiGate unit. The system location
description can be up to 35 characters long.
Contact Enter the contact information for the person responsible for this
FortiGate unit. The contact information can be up to 35 characters.
SNMP v1/v2c section
To create a new SNMP community, see New SNMP Community page.
Community Name The name to identify the community.
Queries Indicates whether queries protocols (v1 and v2c) are enabled or
disabled. A green checkmark indicates queries are enabled; a gray x
indicates queries are disabled. If one query is disabled and another one
enabled, there will still be a green checkmark.
Traps Indicates whether trap protocols (v1 and v2c) are enabled or disabled. A
green checkmark indicates traps are enabled; a gray x indicates traps
are disabled. If one query is disabled and another one enabled, there
will still be a green checkmark.
Enable Select the check box to enable or disable the community.
SNMP v3 section
To create a new SNMP community, see Create New SNMP V3 User.
User Name The name of the SNMPv3 user.
Security Level The security level of the user.
Notification Host The IP address or addresses of the host.
Queries Indicates whether queries are enabled or disabled. A green checkmark
indicates queries are enabled; a gray x indicates queries are disabled
New SNMP Community page
Community Name Enter a name to identify the SNMP community
Hosts (section)
IP Address Enter the IP address and Identify the SNMP managers that can use the
settings in this SNMP community to monitor the FortiGate unit.
You can also set the IP address to 0.0.0.0 to so that any SNMP manager
can use this SNMP community.
Interface Optionally select the name of the interface that this SNMP manager
uses to connect to the FortiGate unit. You only have to select the
interface if the SNMP manager is not on the same subnet as the
FortiGate unit. This can occur if the SNMP manager is on the Internet or
behind a router.
In virtual domain mode, the interface must belong to the management
VDOM to be able to pass SNMP traps.
Delete Removes an SNMP manager from the list within the Hosts section.
Add Select to add a blank line to the Hosts list. You can add up to eight
SNMP managers to a single community.
Queries (section)
Protocol The SNMP protocol. In the v1 row, this means that the settings are for
SNMP v1. In the v2c row, this means that the settings are for SNMP v2c.
Port Enter the port number (161 by default) that the SNMP managers in this
community use for SNMP v1 and SNMP v2c queries to receive
configuration information from the FortiGate unit. Select the Enable
check box to activate queries for each SNMP version.
Note: The SNMP client software and the FortiGate unit must use the
same port for queries.
Enable Select to enable that SNMP protocol.
Traps (section)
Protocol The SNMP protocol. In the v1 row, this means that the settings are for
SNMP v1. In the v2c row, this means that the settings are for SNMP v2c.
Gigabit interfaces
When determining the interface speed of a FortiGate unit with a 10G interface, the
IF-MIB.ifSpeed may not return the correct value. IF-MIB.ifSpeed is a 32-bit gauge used to
report interface speeds in bits/second, and cannot convert to a 64-bit value. The 32-bit counter
wrap the output too fast to be accurate.
In this case, you can use the value ifHighSpeed. It reports interface speeds in megabits/second.
This ensures that 10Gb interfaces report the correct value.
Local Enter the remote port numbers (port 162 for each by default) that the
FortiGate unit uses to send SNMP v1 or SNMP v2c traps to the SNMP
managers in this community. Select the Enable check box to activate
traps for each SNMP version.
same port for traps.
Remote Enter the remote port number (port 162 is default) that the FortiGate unit
uses to send SNMP v1 or v2c traps to the SNMP managers in this
community.
same port for queries.
Enable Select to activate traps for each SNMP version.
SNMP Event Enable each SNMP event for which the FortiGate unit should send traps
to the SNMP managers in this community.
CPU Overusage traps sensitivity is slightly reduced, by spreading values
out over 8 polling cycles. This prevents sharp spikes due to CPU
intensive short-term events such as changing a policy.
Power Supply Failure event trap is available only on some models.
AMC interfaces enter bypass mode event trap is available only on
models that support AMC modules.
Enable Select to enable the SNMP event.
Create New SNMP V3 User
User Name Enter the name of the user.
Security Level Select the type of security level the user will have.
Notification Host Enter the IP address of the notification host. If you want to add more
than one host, after entering the IP address of the first host, select the
plus sign to add another host.
Enable Query Select to enable or disable the query. By default, the query is enabled.
Port Enter the port number in the field.
Events Select the SNMP events that will be associated with that user.
SNMP agent
You need to first enter information and enable the FortiGate SNMP Agent. Enter information
about the FortiGate unit to identify it so that when your SNMP manager receives traps from the
FortiGate unit, you will know which unit sent the information.
To configure the SNMP agent - web-based manager
1. Go to System > Config > SNMP.
2. Select Enable for the SNMP Agent.
3. Enter a descriptive name for the agent.
4. Enter the location of the FortiGate unit.
5. Enter a contact or administrator for the SNMP Agent or FortiGate unit.
6. Select Apply.
To configure SNMP agent - CLI
config system snmp sysinfo
set status enable
set contact-info <contact_information>
set description <description_of_FortiGate>
set location <FortiGate_location>
end
SNMP community
An SNMP community is a grouping of devices for network administration purposes. Within that
SNMP community, devices can communicate by sending and receiving traps and other
information. One device can belong to multiple communities, such as one administrator
terminal monitoring both a firewall SNMP and a printer SNMP community.
Add SNMP communities to your FortiGate unit so that SNMP managers can connect to view
system information and receive SNMP traps.
You can add up to three SNMP communities. Each community can have a different
configuration for SNMP queries and traps. Each community can be configured to monitor the
FortiGate unit for a different set of events. You can also add the IP addresses of up to 8 SNMP
managers to each community.
When the FortiGate unit is in virtual domain mode, SNMP traps can only be sent on interfaces in
the management virtual domain. Traps cannot be sent over other interfaces.
To add an SNMP v1/v2c community - web-based manager
2. In the SNMP v1/v2c area, select Create New.
3. Enter a Community Name.
4. Enter the IP address and Identify the SNMP managers that can use the settings in this
SNMP community to monitor the FortiGate unit.
5. Select the interface if the SNMP manager is not on the same subnet as the FortiGate unit.
6. Enter the Port number that the SNMP managers in this community use for SNMP v1 and
SNMP v2c queries to receive configuration information from the FortiGate unit. Select the
Enable check box to activate queries for each SNMP version.
7. Enter the Local and Remote port numbers that the FortiGate unit uses to send SNMP v1 and
SNMP v2c traps to the SNMP managers in this community.
8. Select the Enable check box to activate traps for each SNMP version.
9. Select OK.
To add an SNMP v1/v2c community - CLI
config system snmp community
edit <index_number>
set events <events_list>
set name <community_name>
set query-v1-port <port_number>
set query-v1-status {enable | disable}
set query-v2c-port <port_number>
set query-v2c-status {enable | disable}
set status {enable | disable}
set trap-v1-lport <port_number>
set trap-v1-rport <port_number>
set trap-v1-status {enable | disable}
set trap-v2c-lport <port_number>
set trap-v2c-rport <port_number>
set trap-v2c-status {enable | disable}
end
To add an SNMP v3 community - web-based manager
2. In the SNMP v3 area, select Create New.
3. Enter a User Name.
4. Select a Security Level and associated authorization algorithms.
5. Enter the IP address of the Notification Host SNMP managers that can use the settings in
this SNMP community to monitor the FortiGate unit.
6. Enter the Port number that the SNMP managers in this community use to receive
configuration information from the FortiGate unit. Select the Enable check box to activate
queries for each SNMP version.
7. Select the Enable check box to activate traps.
8. Select OK.
To add an SNMP v3 community - CLI
config system snmp user
edit <index_number>
set security-level [auth-priv | auth-no-priv | no-auth-no-priv}
set queries enable
set query-port <port_number>
set notify-hosts <ip_address>
set events <event_selections>
end
Enabling on the interface
Before a remote SNMP manager can connect to the FortiGate agent, you must configure one or
more FortiGate interfaces to accept SNMP connections.
To configure SNMP access - web-based manager
2. Choose an interface that an SNMP manager connects to and select Edit.
3. In Administrative Access, select SNMP.
4. Select OK.
To configure SNMP access - CLI
set allowaccess snmp
end
Fortinet MIBs
The FortiGate SNMP agent supports Fortinet proprietary MIBs as well as standard RFC 1213
and RFC 2665 MIBs. RFC support includes support for the parts of RFC 2665 (Ethernet-like
MIB) and the parts of RFC 1213 (MIB II) that apply to FortiGate unit configuration.
There are two MIB files for FortiGate units - the Fortinet MIB, and the FortiGate MIB. The
Fortinet MIB contains traps, fields and information that is common to all Fortinet products. The
FortiGate MIB contains traps, fields and information that is specific to FortiGate units. Each
Fortinet product has its own MIB. If you use other Fortinet products you will need to download
their MIB files as well. Both MIB files are used for FortiOS and FortiOS Carrier; there are no
additional traps for the Carrier version of the operating system.
The Fortinet MIB and FortiGate MIB along with the two RFC MIBs are listed in tables in this
section. You can download the two FortiGate MIB files from Fortinet Customer Support. The
Fortinet MIB contains information for Fortinet products in general. the Fortinet FortiGate MIB
includes the system information for The FortiGate unit and version of FortiOS. Both files are
required for proper SNMP data collection.
To download the MIB files, go to System > Config > SNMP and select a MIB link in the FortiGate
SNMP MIB section.
Your SNMP manager may already include standard and private MIBs in a compiled database
that is ready to use. You must add the Fortinet proprietary MIB to this database to have access
to the Fortinet specific information.
When using the allowaccess command to add SNMP, you need to also include any other
access for the interface. This command will only use what is entered. That is, if you had HTTPS
and SSH enabled before, these will be disabled if only the above command is used. In this
case, for the allow access command, enter set allowaccess https ssh snmp.
There were major changes to the MIB files between v3.0 and v4.0. You need to use the new
MIBs for v4.0 or you may mistakenly access the wrong traps and fields.
MIB files are updated for each version of FortiOS. When upgrading the firmware ensure that
you updated the Fortinet FortiGate MIB file as well.
SNMP get command syntax
Normally, to get configuration and status information for a FortiGate unit, an SNMP manager
would use an SNMP get commands to get the information in a MIB field. The SNMP get
command syntax would be similar to:
snmpget -v2c -c <community_name> <address_ipv4> {<OID> | <MIB_field>}
where
<community_name> is an SNMP community name added to the FortiGate configuration. You
can add more than one community name to a FortiGate SNMP configuration. The most
commonly used community name is public.
<address_ipv4> is the IP address of the FortiGate interface that the SNMP manager
connects to.
Table 7: Fortinet MIBs
MIB file name or RFC Description
FORTINET-CORE-MIB.mib The Fortinet MIB includes all system configuration
information and trap information that is common to all
Fortinet products.
Your SNMP manager requires this information to monitor
FortiGate unit configuration settings and receive traps
from the FortiGate SNMP agent. For more information,
see Fortinet and FortiGate traps on page 118 and
Fortinet and FortiGate MIB fields on page 121.
FORTINET-FORTIGATE-MIB.mib The FortiGate MIB includes all system configuration
information and trap information that is specific to
FortiGate units.
Your SNMP manager requires this information to monitor
FortiGate configuration settings and receive traps from
the FortiGate SNMP agent. FortiManager systems
require this MIB to monitor FortiGate units.
For more information, see Fortinet and FortiGate traps
on page 118 and Fortinet and FortiGate MIB fields on
page 121.
RFC-1213 (MIB II) The FortiGate SNMP agent supports MIB II groups with
these exceptions.
No support for the EGP group from MIB II (RFC 1213,
section 3.11 and 6.10).
Protocol statistics returned for MIB II groups
(IP/ICMP/TCP/UDP/etc.) do not accurately capture all
FortiGate traffic activity. More accurate information
can be obtained from the information reported by the
Fortinet MIB.
RFC-2665 (Ethernet-like MIB) The FortiGate SNMP agent supports Ethernet-like MIB
information. FortiGate SNMP does not support for the
dot3Tests and dot3Errors groups.
{<OID> | <MIB_field>} is the object identifier (OID) for the MIB field or the MIB field name
itself.
The SNMP get command gets firmware version running on the FortiGate unit. The community
name is public. The IP address of the interface configured for SNMP management access is
10.10.10.1. The firmware version MIB field is fgSysVersion and the OID for this MIB field is
1.3.6.1.4.1.12356.101.4.1.1 The first command uses the MIB field name and the
second uses the OID:
snmpget -v2c -c public 10.10.10.1 fgSysVersion
snmpget -v2c -c public 10.10.10.1 1.3.6.1.4.1.12356.101.4.1.1
Fortinet and FortiGate traps
An SNMP manager can request information from the Fortinet devices SNMP agent, or that
agent can send traps when an event occurs. Traps are a method used to inform the SNMP
manager that something has happened or changed on the Fortinet device.
To receive FortiGate device SNMP traps, you must load and compile the FORTINET-CORE-MIB
and FORTINET-FORTIGATE-MIB files into your SNMP manager. Traps sent include the trap
message as well as the FortiGate unit serial number (fnSysSerial) and hostname (sysName).
The tables in this section include information about SNMP traps and variables. These tables
have been included to help you locate the object identifier number (OID), trap message, and
trap description of the Fortinet trap or variable you need.
The name of the table indicates if the trap is found in the Fortinet MIB or the FortiGate MIB. The
Trap Message column includes the message included with the trap as well as the SNMP MIB
field name to help locate the information about the trap. Traps starting with fn such as
fnTrapCpuThreshold are defined in the Fortinet MIB. Traps starting with fg such as
fgTrapAvVirus are defined in the FortiGate MIB.
The object identifier (OID) is made up of the number at the top of the table with the index added
to the end. For example if the OID is 1.3.6.1.4.1.12356.101.2.0 and the index is 4, the full OID is
1.3.6.1.4.1.12356.101.2.0.4. The OID and the name of the object are how SNMP managers refer
to fields and traps from the Fortinet and FortiGate MIBs.
Indented rows are fields that are part of the message or table associated with the preceding
row.
The tables include:
System traps (OID1.3.6.1.4.1.12356.1.3.0)
FortiGate VPN traps (OID1.3.6.1.4.1.12356.1.3.0)
FortiGate IPS traps (OID1.3.6.1.4.1.12356.1.3.0)
FortiGate antivirus traps (OID1.3.6.1.4.1.12356.1.3.0)
FortiGate HA traps (OID1.3.6.1.4.1.12356.1.3.0)
Table 8: System traps (OID1.3.6.1.4.1.12356.1.3.0)
Index Trap message Description
.101 CPU usage high
(fnTrapCpuThreshold)
CPU usage exceeds 80%. This threshold can be set
in the CLI using config system snmp sysinfo,
set trap-high-cpu-threshold.
.102 Memory low
(fnTrapMemThreshold)
Memory usage exceeds 90%. This threshold can be
set in the CLI using config system snmp
sysinfo, set trap-low-memory-threshold.
.103 Log disk too full
(fnTrapLogDiskThreshold)
Log disk usage has exceeded the configured
threshold. Only available on devices with log disks.
This threshold can be set in the CLI using config
system snmp sysinfo, set
trap-log-full-threshold.
.104 Temperature too high
(fnTrapTempHigh)
A temperature sensor on the device has exceeded
its threshold. Not all devices have thermal sensors.
.105 Voltage outside acceptable
range
(fnTrapVoltageOutOfRange)
Power levels have fluctuated outside of normal
levels. Not all devices have voltage monitoring
instrumentation.
.106 Power supply failure
(fnTrapPowerSupplyFailure)
Power supply failure detected. Not available on all
models. Available on some devices which support
redundant power supplies.
.201 Interface IP change
(fnTrapIpChange)
The IP address for an interface has changed.
The trap message includes the name of the
interface, the new IP address and the serial number
of the Fortinet unit. You can use this trap to track
interface IP address changes for interfaces with
dynamic IP addresses set using DHCP or PPPoE.
.999 Diagnostic trap
(fnTrapTest)
This trap is sent for diagnostic purposes.
It has an OID index of .999.
Table 9: FortiGate VPN traps (OID1.3.6.1.4.1.12356.1.3.0)
.301 VPN tunnel is up
(fgTrapVpnTunUp)
An IPSec VPN tunnel has started.
.302 VPN tunnel down
(fgTrapVpnTunDown)
An IPSec VPN tunnel has shut down.
Local gateway address
(fgVpnTrapLocalGateway)
Address of the local side of the VPN tunnel.
This information is associated with both of the VPN
tunnel traps.
(OID1.3.6.1.4.1.12356.101.12.3.2)
Remote gateway address
(fgVpnTrapRemoteGatewa
y)
Address of remote side of the VPN tunnel.
This information is associated with both of the VPN
tunnel traps.
(OID1.3.6.1.4.1.12356.101.12.3.2)
Table 8: System traps (OID1.3.6.1.4.1.12356.1.3.0)
Table 10:FortiGate IPS traps (OID1.3.6.1.4.1.12356.1.3.0)
.503 IPS Signature
(fgTrapIpsSignature)
IPS signature detected.
.504 IPS Anomaly
(fgTrapIpsAnomaly)
IPS anomaly detected.
.505 IPS Package Update
(fgTrapIpsPkgUpdate)
The IPS signature database has been updated.
(fgIpsTrapSigId) ID of IPS signature identified in trap.
(OID 1.3.6.1.4.1.12356.101.9.3.1)
(fgIpsTrapSrcIp) IP Address of the IPS signature trigger.
(OID 1.3.6.1.4.1.12356.101.9.3.2)
(fgIpsTrapSigMsg) Message associated with IPS event.
(OID 1.3.6.1.4.1.12356.101.9.3.3)
Table 11:FortiGate antivirus traps (OID1.3.6.1.4.1.12356.1.3.0)
.601 Virus detected
(fgTrapAvVirus)
The antivirus engine detected a virus in an infected
file from an HTTP or FTP download or from an email
message.
.602 Oversize file/email detected
(fgTrapAvOversize)
The antivirus scanner detected an oversized file.
.603 Filename block detected
(fgTrapAvPattern)
The antivirus scanner blocked a file that matched a
known virus pattern.
.604 Fragmented file detected
(fgTrapAvFragmented)
The antivirus scanner detected a fragmented file or
attachment.
.605 (fgTrapAvEnterConserve) The AV engine entered conservation mode due to
low memory conditions.
.606 (fgTrapAvBypass) The AV scanner has been bypassed due to
conservation mode.
.607 (fgTrapAvOversizePass) An oversized file has been detected, but has been
passed due to configuration.
Fortinet and FortiGate MIB fields
The FortiGate MIB contains fields reporting the current FortiGate unit status information. The
following tables list the names of the MIB fields and describe the status information available for
each one. You can view more details about the information available from all Fortinet and
FortiGate MIB fields by compiling the FORTINET-CORE-MIB.mib and
FORTINET-FORTIGATE-MIB.mib files into your SNMP manager and browsing the MIB fields
on your computer.
To help locate a field, the object identifier (OID) number for each table of fields has been
included. The OID number for a field is that fields position within the table, starting at 0. For
example fnSysVersion has an OID of 1.3.6.1.4.1.12356.2.
.608 (fgTrapAvOversizeBlock) An oversized file has been detected, and has been
blocked.
(fgAvTrapVirName) The virus name that triggered the event.
(OID1.3.6.1.4.1.12356.101.8.3.1)
Table 12:FortiGate HA traps (OID1.3.6.1.4.1.12356.1.3.0)
.401 HA switch
(fgTrapHaSwitch)
The specified cluster member has switched from a
slave role to a master role.
.402 HA State Change
(fgTrapHaStateChange)
The trap sent when the HA cluster member changes
its state.
.403 HA Heartbeat Failure
(fgTrapHaHBFail)
The heartbeat failure count has exceeded the
configured threshold.
.404 HA Member Unavailable
(fgTrapHaMemberDown)
An HA member becomes unavailable to the cluster.
.405 HA Member Available
(fgTrapHaMemberUp)
An HA member becomes available to the cluster.
(fgHaTrapMemberSerial) Serial number of an HA cluster member. Used to
identify the origin of a trap when a cluster is
configured.
(OID1.3.6.1.4.1.12356.101.13.3.1)
Table 11:FortiGate antivirus traps (OID1.3.6.1.4.1.12356.1.3.0)
Fortinet MIB
Table 13:OIDs for the Fortinet-Core-MIB
MIB Field OID Description
fnSystem 1.3.6.1.4.1.12356.100.1.1
fnSysSerial 1.3.6.1.4.1.12356.100.1.1.1 Device serial number. This is
the same serial number as
given in the ENTITY-MIB
tables for the base entity.
fnMgmt .3.6.1.4.1.12356.100.1.2
fnMgmtLanguage 1.3.6.1.4.1.12356.100.1.2.1 Language used for
administration interfaces.
fnAdmin 1.3.6.1.4.1.12356.100.1.2.100
fnAdminNumber 1.3.6.1.4.1.12356.100.1.2.100.1 The number of admin
accounts in fnAdminTable.
fnAdminTable 1.3.6.1.4.1.12356.100.1.2.100.2 A table of administrator
accounts on the device. This
table is intended to be
extended with platform
specific information.
fnAdminEntry 1.3.6.1.4.1.12356.100.1.2.100.2.1 An entry containing
information applicable to a
particular admin account.
fnAdminIndex 1.3.6.1.4.1.12356.100.1.2.100.2.1.1 An index uniquely defining
an administrator account
within the fnAdminTable.
fmAdminName 1.3.6.1.4.1.12356.100.1.2.100.2.1.2 The user-name of the
specified administrator
account.
fnAddminAddrType 1.3.6.1.4.1.12356.100.1.2.100.2.1.3 The type of address stored
in fnAdminAddr, in
compliance with
INET-ADDRESS-MIB
fnAdminAddr 1.3.6.1.4.1.12356.100.1.2.100.2.1.4 The address prefix
identifying where the
administrator account can
be used from, typically an
IPv4 address. The address
type/format is determined
by fnAdminAddrType.
fnAdminMask 1.3.6.1.4.1.12356.100.1.2.100.2.1.5 The address prefix length (or
network mask) applied to
the fgAdminAddr to
determine the subnet or
host the administrator can
access the device from.
fnTraps 1.3.6.1.4.1.12356.100.1.3
fnTrapsPrefix 1.3.6.1.4.1.12356.100.1.3.0
fnTrapCpuThreshold 1.3.6.1.4.1.12356.100.1.3.0.101 Indicates that the CPU
usage has exceeded the
fnTrapMemThreshold 1.3.6.1.4.1.12356.100.1.3.0.102 Indicates memory usage has
exceeded the configured
threshold.
fnTrapLogDiskThreshold 1.3.6.1.4.1.12356.100.1.3.0.103 Log disk usage has
exceeded the configured
threshold. Only available on
devices with log disks.
fnTrapTempHigh 1.3.6.1.4.1.12356.100.1.3.0.104 A temperature sensor on the
device has exceeded its
threshold. Not all devices
have thermal sensors.
fnTrapVoltageOutOfRang
e
1.3.6.1.4.1.12356.100.1.3.0.105 Power levels have fluctuated
outside of normal levels. Not
all devices have voltage
monitoring instrumentation.
fnTrapPowerSupplyFailur
e
1.3.6.1.4.1.12356.100.1.3.0.106 Power supply failure
detected. Not available on
all models. Available on
some devices which support
redundant power supplies.
fnTrapIpChange 1.3.6.1.4.1.12356.100.1.3.0.201 Indicates that the IP address
of the specified interface
has been changed.
fnTrapTest 1.3.6.1.4.1.12356.100.1.3.0.999 Trap sent for diagnostic
purposes by an
administrator.
fnTrapObjects 1.3.6.1.4.1.12356.100.1.3.1
FortiGate MIB
fnGenTrapMsg 1.3.6.1.4.1.12356.100.1.3.1.1 Generic message
associated with an event.
The content will depend on
the nature of the trap.
fnMIBConformance 1.3.6.1.4.1.12356.100.10
fnSystemComplianceGro
up
1.3.6.1.4.1.12356.100.10.1 Objects relating to the
physical device.
fnMgmtComplianceGrou
p
1.3.6.1.4.1.12356.100.10.2 Objects relating the
management of a device.
fnAdmincomplianceGrou
p
1.3.6.1.4.1.12356.100.10.3 Administration access
control objects.
fnTrapsComplianceGrou
p
1.3.6.1.4.1.12356.100.10.4 Event notifications.
fnNotifObjectsComplianc
eGroup
1.3.6.1.4.1.12356.100.10.5 Object identifiers used in
notifications.
fnMIBCompliance 1.3.6.1.4.1.12356.100.10.100 Object identifiers used in
notifications. Objects are
required if their containing
trap is implemented.
Table 14:OIDs for the Fortinet-FortiGate-MIB
fgModel 1.3.6.1.4.1.12356.101.1
fgTraps 1.3.6.1.4.1.12356.101.2
fgTrapPrefix 1.3.6.1.4.1.12356.101.2.0
fgTrapVpnTunup 1.3.6.1.4.1.12356.101.2.0.301 Indicates that the specified
VPN tunnel has been
brought up.
fgTrapVpnTunDown 1.3.6.1.4.1.12356.101.2.0.302 The specified VPN tunnel
has been brought down.
fgTrapHaSwitch 1.3.6.1.4.1.12356.101.2.0.401 The specified cluster
member has transitioned
from a slave role to a master
role.
fgTrapHaStateChange 1.3.6.1.4.1.12356.101.2.0.402 Trap being sent when the
HA cluster member
changes its state.
fgTrapHaBFail 1.3.6.1.4.1.12356.101.2.0.403 The heartbeat device failure
count has exceeded the
fgTrapHaMemberDown 1.3.6.1.4.1.12356.101.2.0.404 The specified device (by
serial number) is moving to
a down state.
fgTrapHaMemberUp 1.3.6.1.4.1.12356.101.2.0.405 A new cluster member has
joined the cluster.
fgTrapIpsSignature 1.3.6.1.4.1.12356.101.2.0.503 An IPS signature has been
triggered.
fgTrapIpsAnomaly 1.3.6.1.4.1.12356.101.2.0.504 An IPS anomaly has been
detected.
fgTrapIpsPkgUpdate 1.3.6.1.4.1.12356.101.2.0.505 The IPS signature database
has been updated.
fgTrapAvVirus 1.3.6.1.4.1.12356.101.2.0.601 A virus has been detected
by the antivirus engine.
fgTrapAvOversize 1.3.6.1.4.1.12356.101.2.0.602 An oversized file has been
detected by the antivirus
engine.
fgTrapAvPattern 1.3.6.1.4.1.12356.101.2.0.603 The antivirus engine has
blocked a file because it
matched a configured
pattern.
fgTrapAvFragmented 1.3.6.1.4.1.12356.101.2.0.604 The antivirus engine has
detected a fragmented file.
fgTrapAvEnterConserve 1.3.6.1.4.1.12356.101.2.0.605 The antivirus engine has
entered conservation mode
due to low memory
conditions.
fgTrapAvBypass 1.3.6.1.4.1.12356.101.2.0.606 The antivirus engine has
been bypassed due to
conservation mode.
fgTrapAvOversizePass 1.3.6.1.4.1.12356.101.2.0.607 An oversized file has been
detected, but has been
passed due to
configuration.
fgTrapAvOversizeBlock 1.3.6.1.4.1.12356.101.2.0.608 An oversized file has been
detected and has been
blocked.
fgTrapFazDisconnect 1.3.6.1.4.1.12356.101.2.0.701 The device has been
disconnected from the
FortiAnalyzer.
Virtual Domains
fgVirtualDomain 1.3.6.1.4.1.12356.101.3
fgVdInfo 1.3.6.1.4.1.12356.101.3.1
fgVdNumber 1.3.6.1.4.1.12356.101.3.1.1 The number of virtual
domains in vdTable.
fgVdMaxVdoms 1.3.6.1.4.1.12356.101.3.1.2 The maximum number of
virtual domains allowed on
the device as allowed by
hardware and/or licensing.
fgVdEnabled 1.3.6.1.4.1.12356.101.3.1.3 Whether virtual domains are
enabled on this device.
fgVdTables 1.3.6.1.4.1.12356.101.3.2
fgVdTable 1.3.6.1.4.1.12356.101.3.2.1
fgVdEntry 1.3.6.1.4.1.12356.101.3.2.1.1 An entry containing
particular virtual domain.
fgVdEntIndex 1.3.6.1.4.1.12356.101.3.2.1.1.1 Internal virtual domain index
used to uniquely identify
rows in this table. This index
is also used by other tables
referencing a virtual
domain.
fgVdEntName 1.3.6.1.4.1.12356.101.3.2.1.1.2 The name of the virtual
domain.
fgVdEntOpMode 1.3.6.1.4.1.12356.101.3.2.1.1.3 Operation mode of the
virtual domain (NAT or
transparent).
fgVdTpTable 1.3.6.1.4.1.12356.101.3.2.2 A table of virtual domains in
transparent operation
mode. This table has a
dependent relationship with
fgVdTable.
fgVdTpEntry 1.3.6.1.4.1.12356.101.3.2.2.1 An entry containing
particular virtual domain in
transparent mode.
fgVdTpMgmtAddrType 1.3.6.1.4.1.12356.101.3.2.2.1.1 The type of address stored
in fgVdTpMgmtAddr, in
compliance with
INET-ADDRESS-MIB.
fgVdTpMgmtAddr 1.3.6.1.4.1.12356.101.3.2.2.1.2 The management IP
address of the virtual
domain in transparent
mode, typically an IPv4
address.The address
type/format is determined
by fgVdTpMgmtAddrType.
fgVdTpMgmtMask 1.3.6.1.4.1.12356.101.3.2.2.1.3 The address prefix length
(or network mask) applied
to the fgVdTpMgmtAddr.
System
fgSystem 1.3.6.1.4.1.12356.101.4
fgSystemInfo 1.3.6.1.4.1.12356.101.4.1
fgSysVersion 1.3.6.1.4.1.12356.101.4.1.1 Firmware version.
fgSysMgmtVdom 1.3.6.1.4.1.12356.101.4.1.2 Index that identifies the
management virtual
domain. This index
corresponds to the index
used by fgVdTable.
fgSysCpuUsage 1.3.6.1.4.1.12356.101.4.1.3 Current CPU usage
(percentage).
fgSysMemUsage 1.3.6.1.4.1.12356.101.4.1.4 Current memory usage
(percentage).
fgSysMemCapacity 1.3.6.1.4.1.12356.101.4.1.5 Total physical RA installed
(KB)
fgSysDiskUsage 1.3.6.1.4.1.12356.101.4.1.6 Current hard disk usage
(MB), if disk is present.
fgSysDiskCapacity 1.3.6.1.4.1.12356.101.4.1.7 Total hard disk capacity
(MB), if disk is present.
fgSysSesCount 1.3.6.1.4.1.12356.101.4.1.8 Number of active sessions
on the device.
fgSysLowMemUsage 1.3.6.1.4.1.12356.101.4.1.9 Current lowmem utilization
(percentage). Lowmem is
memory available for the
kernel's own data
structures and kernel
specific tables. The system
can get into a bad state if it
runs out of lowmem.
fgSysLowMemCapacity 1.3.6.1.4.1.12356.101.4.1.10 Total lowmem capacity
(KB).
Firewall
fgFirewal 1.3.6.1.4.1.12356.101.5
fgFwPolicies 1.3.6.1.4.1.12356.101.5.1
fgFwPolInfo 1.3.6.1.4.1.12356.101.5.1.1
fgFwPolTables 1.3.6.1.4.1.12356.101.5.1.2
fgFwPolStatsTable 1.3.6.1.4.1.12356.101.5.1.2.1 Security policy statistics
table. This table has a
dependent expansion
relationship with fgVdTable.
Only virtual domains with
enabled policies are present
in this table.
fgFwPolStatsEntry 1.3.6.1.4.1.12356.101.5.1.2.1.1 Security policy statistics on
a virtual domain.
fgFwPolID 1.3.6.1.4.1.12356.101.5.1.2.1.1.1 Security policy ID. Only
enabled policies are present
in this table. Policy IDs are
only unique within a virtual
domain.
fgFwPolPktCount 1.3.6.1.4.1.12356.101.5.1.2.1.1.2 Number of packets
matched to policy (passed
or blocked, depending on
policy action). Count is from
the time the policy became
active.
fgFwPolByteCount 1.3.6.1.4.1.12356.101.5.1.2.1.1.3 Number of bytes in packets
matching the policy. See
fgFwPolPktCount.
fgFwUsers 1.3.6.1.4.1.12356.101.5.2
fgFwUserInfo 1.3.6.1.4.1.12356.101.5.2.1
fgFwUserNumber 1.3.6.1.4.1.12356.101.5.2.1.1 The number of user
accounts in fgFwUserTable.
fgFwUserAuthTimeout 1.3.6.1.4.1.12356.101.5.2.1.2 Idle period after which a
firewall-authentication
user's session is
automatically expired.
fgFwUserTables 1.3.6.1.4.1.12356.101.5.2.2
fgFwUserTable 1.3.6.1.4.1.12356.101.5.2.2.1 A list of local and proxy
(Radius server) user
accounts for use with
firewall user authentication.
fgFwUserEntry 1.3.6.1.4.1.12356.101.5.2.2.1.1 An entry containing
particular user account.
fgFwUserIndex 1.3.6.1.4.1.12356.101.5.2.2.1.1.1 An index for uniquely
identifying the users in
fgFwUserTable.
fgFwUserName 1.3.6.1.4.1.12356.101.5.2.2.1.1.2 User name of the specified
account.
fgFwUserAuth 1.3.6.1.4.1.12356.101.5.2.2.1.1.3 Type of authentication the
account uses (local,
RADIUS, LDAP, etc.).
fgFwUserState 1.3.6.1.4.1.12356.101.5.2.2.1.1.4 Status of the user account
(enabled/disabled).
fgFwUserVdom 1.3.6.1.4.1.12356.101.5.2.2.1.1.5 Virtual domain the user
account exists in. This
index corresponds to the
index used in fgVdTable.
FortiManager and Administration
fgMgmt 1.3.6.1.4.1.12356.101.6
fgFmTrapPrefix 1.3.6.1.4.1.12356.101.6.0
fgFmTrapDeployComplete 1.3.6.1.4.1.12356.101.6.0.1000 Indicates when deployment
of a new configuration has
been completed. Used for
verification by
FortiManager.
fgFmTrapDeployInProgress 1.3.6.1.4.1.12356.101.6.0.1002 Indicates that a
configuration change was
not immediate and that the
change is currently in
progress. Used for
verification by
FortiManager.
fgFmTrapConfChange 1.3.6.1.4.1.12356.101.6.0.1003 The device configuration
has been changed by
something other than the
managing FortiManager
unit.
fgFmTrapIfChange 1.3.6.1.4.1.12356.101.6.0.1004 Trap is sent to the managing
FortiManager if an interface
IP is changed.
fgAdmin 1.3.6.1.4.1.12356.101.6.1
fgAdminOptions 1.3.6.1.4.1.12356.101.6.1.1
fgAdminIdleTimeout 1.3.6.1.4.1.12356.101.6.1.1.1 Idle period after which an
administrator is
automatically logged out of
the system.
fgAdminLcdProtection 1.3.6.1.4.1.12356.101.6.1.1.2 Status of the LCD
protection
(enabled/disabled).
fgAdminTables 1.3.6.1.4.1.12356.101.6.1.2
fgAdminTable 1.3.6.1.4.1.12356.101.6.1.2.1 A table of administrator
accounts on the device.
fgAdminEntry 1.3.6.1.4.1.12356.101.6.1.2.1.1 An entry containing
particular admin account.
fgAdminVdom 1.3.6.1.4.1.12356.101.6.1.2.1.1.1 The virtual domain the
administrator belongs to.
fgMgmtTrapObjects 1.3.6.1.4.1.12356.101.6.2
fgManIfIp 1.3.6.1.4.1.12356.101.6.2.1 IP address of the interface
listed in the trap.
fgManIfMask 1.3.6.1.4.1.12356.101.6.2.2 Mask of subnet the
interface belongs to.
Antivirus
fgAntivirus 1.3.6.1.4.1.12356.101.8
fgAvInfo 1.3.6.1.4.1.12356.101.8.1
fgAvTables 1.3.6.1.4.1.12356.101.8.2
fgAvStatsTable 1.3.6.1.4.1.12356.101.8.2.1 A table of Antivirus statistics
per virtual domain.
fgAvStatsEntry 1.3.6.1.4.1.12356.101.8.2.1.1 Antivirus statistics for a
fgAvVirusDetected 1.3.6.1.4.1.12356.101.8.2.1.1.1 Number of virus
transmissions detected in
the virtual domain since
start up.
fgAvVirusBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.2 Number of virus
transmissions blocked in
start up.
fgAvHTTPVirusDetected 1.3.6.1.4.1.12356.101.8.2.1.1.3 Number of virus
transmissions over HTTP
detected in the virtual
domain since start up.
fgAvHTTPVirusBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.4 Number of virus
transmissions over HTTP
blocked in the virtual
fgAvSMTPVirusDetected 1.3.6.1.4.1.12356.101.8.2.1.1.5 Number of virus
transmissions over SMTP
fgAvSMTPVirusBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.6 Number of virus
transmissions over SMTP
fgAvPOP3VirusDetected 1.3.6.1.4.1.12356.101.8.2.1.1.7 Number of virus
transmissions over POP3
fgAvPOP3VirusBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.8 Number of virus
transmissions over POP3
fgAvIMAPVirusDetected 1.3.6.1.4.1.12356.101.8.2.1.1.9 Number of virus
transmissions over IMAP
fgAvIMAPVirusBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.10 Number of virus
transmissions over IMAP
fgAvFTPVirusDetected 1.3.6.1.4.1.12356.101.8.2.1.1.11 Number of virus
transmissions over FTP
fgAvFTPVirusBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.12 Number of virus
transmissions over FTP
fgAvIMVirusDetected 1.3.6.1.4.1.12356.101.8.2.1.1.13 Number of virus
transmissions over IM
protocols detected in the
virtual domain since start
up.
fgAvIMVirusBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.14 Number of virus
transmissions over IM
protocols blocked in the
virtual domain since start
up.
fgAvNNTPVirusDetected 1.3.6.1.4.1.12356.101.8.2.1.1.15 Number of virus
transmissions over NNTP
fgAvNNTPVirusBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.16 Number of virus
transmissions over NNTP
fgAvOversizedDetected 1.3.6.1.4.1.12356.101.8.2.1.1.17 Number of over-sized file
transmissions detected in
start up.
fgAvOversizedBlocked 1.3.6.1.4.1.12356.101.8.2.1.1.18 Number of over-sized file
transmissions blocked in
start up.
fgAvTrapObjects 1.3.6.1.4.1.12356.101.8.3
fgAvTrapVirName 1.3.6.1.4.1.12356.101.8.3.1 Virus name that triggered
event.
IPS
fgIps 1.3.6.1.4.1.12356.101.9
fgIpsInfo 1.3.6.1.4.1.12356.101.9.1
fgIpsTables 1.3.6.1.4.1.12356.101.9.2
fgIpsStatsTable 1.3.6.1.4.1.12356.101.9.2.1 A table of IPS/IDS statistics
per virtual domain.
fgIpsStatsEntry 1.3.6.1.4.1.12356.101.9.2.1.1 IPS/IDS statistics for a
fgIpsIntrusionDetected 1.3.6.1.4.1.12356.101.9.2.1.1.1 Number of intrusions
detected since start up in
this virtual domain.
fgIpsIntrusionBlocked 1.3.6.1.4.1.12356.101.9.2.1.1.2 Number of intrusions
blocked since start up in
fgIpsCritSevDetections 1.3.6.1.4.1.12356.101.9.2.1.1.3 Number of critical severity
intrusions detected since
start up in this virtual
domain.
fgIpsHighSevDetections 1.3.6.1.4.1.12356.101.9.2.1.1.4 Number of high severity
domain.
fgIpsMedSevDetections 1.3.6.1.4.1.12356.101.9.2.1.1.5 Number of medium severity
domain.
fgIpsLowSevDetections 1.3.6.1.4.1.12356.101.9.2.1.1.6 Number of low severity
domain.
fgIpsInfoSevDetections 1.3.6.1.4.1.12356.101.9.2.1.1.7 Number of informational
severity intrusions detected
since start up in this virtual
domain.
fgIpsSignatureDetections 1.3.6.1.4.1.12356.101.9.2.1.1.8 Number of intrusions
detected by signature since
domain.
fgIpsAnomalyDetections 1.3.6.1.4.1.12356.101.9.2.1.1.9 Number of intrusions
detected as anomalies
since start up in this virtual
domain.
fgIpsTrapObjects 1.3.6.1.4.1.12356.101.9.3
fgIpsTrapSigId 1.3.6.1.4.1.12356.101.9.3.1 ID of IPS signature
identified in trap.
fgIpsTrapSrcIp 1.3.6.1.4.1.12356.101.9.3.2 Source IP Address of the
IPS signature trigger.
fgIpsTrapSigMsg 1.3.6.1.4.1.12356.101.9.3.3 Message associated with
IPS event.
Application Control
fgApplications 1.3.6.1.4.1.12356.101.10
fgWebfilter 1.3.6.1.4.1.12356.101.10.1
fgWebfilterInfo 1.3.6.1.4.1.12356.101.10.1.1
fgWebfilterTables 1.3.6.1.4.1.12356.101.10.1.2
fgWebfilterStatsTable 1.3.6.1.4.1.12356.101.10.1.2.1 A table of Web filter
statistics per virtual domain.
fgWebfilterStatsEntry 1.3.6.1.4.1.12356.101.10.1.2.1.1 Web filter statistics for a
fgWfHTTPBlocked 1.3.6.1.4.1.12356.101.10.1.2.1.1.1 Number of HTTP sessions
blocked by Web filter since
start up.
fgWfHTTPSBlocked 1.3.6.1.4.1.12356.101.10.1.2.1.1.2 Number of HTTPS sessions
start up.
fgWfHTTPURLBlocked 1.3.6.1.4.1.12356.101.10.1.2.1.1.3 Number of HTTP URLs
start up.
fgWfHTTPSURLBlocked 1.3.6.1.4.1.12356.101.10.1.2.1.1.4 Number of HTTPS URLs
start up.
fgWfActiveXBlocked 1.3.6.1.4.1.12356.101.10.1.2.1.1.5 Number of ActiveX
downloads blocked by Web
filter since start up.
fgWfCookieBlocked 1.3.6.1.4.1.12356.101.10.1.2.1.1.6 Number of HTTP Cookies
start up.
fgWfAppletBlocked 1.3.6.1.4.1.12356.101.10.1.2.1.1.7 Number of Applets blocked
by Web-filter since start up.
fgFortiGuardStatsTable 1.3.6.1.4.1.12356.101.10.1.2.2 A table of FortiGuard
fgFortiGuardStatsEntry 1.3.6.1.4.1.12356.101.10.1.2.2.1 FortiGuard statistics for a
fgFgWfHTTPExamined 1.3.6.1.4.1.12356.101.10.1.2.2.1.1 Number of HTTP requests
examined using FortiGuard
since start up.
fgFgWfHTTPSExamined 1.3.6.1.4.1.12356.101.10.1.2.2.1.2 Number of HTTPS requests
examined using FortiGuard
since start up.
fgFgWfHTTPAllowed 1.3.6.1.4.1.12356.101.10.1.2.2.1.3 Number of HTTP requests
allowed to proceed using
FortiGuard since start up.
fgFgWfHTTPSAllowed 1.3.6.1.4.1.12356.101.10.1.2.2.1.4 Number of HTTPS requests
allowed to proceed using
FortiGuard since start up.
fgFgWfHTTPBlocked 1.3.6.1.4.1.12356.101.10.1.2.2.1.5 Number of HTTP requests
blocked using FortiGuard
since start up.
fgFgWfHTTPSBlocked 1.3.6.1.4.1.12356.101.10.1.2.2.1.6 Number of HTTPS requests
blocked using FortiGuard
since start up.
fgFgWfHTTPLogged 1.3.6.1.4.1.12356.101.10.1.2.2.1.7 Number of HTTP requests
logged using FortiGuard
since start up.
fgFgWfHTTPSLogged 1.3.6.1.4.1.12356.101.10.1.2.2.1.8 Number of HTTPS requests
logged using FortiGuard
since start up.
fgFgWfHTTPOverridden 1.3.6.1.4.1.12356.101.10.1.2.2.1.9 Number of HTTP requests
overridden using FortiGuard
since start up.
fgFgWfHTTPSOverridden 1.3.6.1.4.1.12356.101.10.1.2.2.1.1
0
Number of HTTPS requests
overridden using FortiGuard
since start up.
fgAppProxyHTTP 1.3.6.1.4.1.12356.101.10.100
fgApHTTPUpTime 1.3.6.1.4.1.12356.101.10.100.1 HTTP proxy up-time,
in seconds.
fgApHTTPMemUsage 1.3.6.1.4.1.12356.101.10.100.2 HTTP proxy memory usage
(percentage of system
total).
fgApHTTPStatsTable 1.3.6.1.4.1.12356.101.10.100.3 A table of HTTP Proxy
fgApHTTPStatsEntry 1.3.6.1.4.1.12356.101.10.100.3.1 HTTP Proxy statistics for a
fgApHRRPReqProcessed 1.3.6.1.4.1.12356.101.10.100.3.1.1 Number of HTTP requests
in this virtual domain
processed by the HTTP
proxy since start up.
fgApHTTPConnections 1.3.6.1.4.1.12356.101.10.100.4 HTTP proxy current
connections.
fgAppProxySMTP 1.3.6.1.4.1.12356.101.10.101
fgApSMTPUpTime 1.3.6.1.4.1.12356.101.10.101.1 SMTP Proxy up-time, in
seconds.
fgAPSMTPMemUsage 1.3.6.1.4.1.12356.101.10.101.2 SMTP Proxy memory
utilization (percentage of
system total).
fgApSMTPStatsTable 1.3.6.1.4.1.12356.101.10.101.3 A table of SMTP proxy
fgApSMTPStatsEntry 1.3.6.1.4.1.12356.101.10.101.3.1 SMTP Proxy statistics for a
fgApSMTPReqProcessed 1.3.6.1.4.1.12356.101.10.101.3.1.1 Number of requests in this
virtual domain processed
by the SMTP proxy since
start up.
fgApSMTPSpamDetected 1.3.6.1.4.1.12356.101.10.101.3.1.2 Number of spam detected
in this virtual domain by the
SMTP proxy since start up.
fgApSMTPConnections 1.3.6.1.4.1.12356.101.10.101.4 SMTP proxy current
connections.
fgAppProxyPOP3 1.3.6.1.4.1.12356.101.10.102
fgApPOP3UpTime 1.3.6.1.4.1.12356.101.10.102.1 Up time of the POP3 proxy,
in seconds.
fgApPOP3MemUsage 1.3.6.1.4.1.12356.101.10.102.2 Memory usage of the POP3
Proxy (percentage of
system total).
fgApPOP3StatsTable 1.3.6.1.4.1.12356.101.10.102.3 A table of POP3 proxy
fgApPOP3StatsEntry 1.3.6.1.4.1.12356.101.10.102.3.1 Proxy pop3 statistics for a
fgApPOP3ReqProcessed 1.3.6.1.4.1.12356.101.10.102.3.1.1 Number of requests in this
by the POP3 proxy since
start up.
fgApPOP3SpamDetected 1.3.6.1.4.1.12356.101.10.102.3.1.2 Number of spam detected
POP3 Proxy since start up.
fgApPOP3Connections 1.3.6.1.4.1.12356.101.10.102.4 POP3 proxy current
connections.
fgAppProxyIMAP 1.3.6.1.4.1.12356.101.10.103
fgApIMAPUpTime 1.3.6.1.4.1.12356.101.10.103.1 Up time of the IMAP proxy,
in seconds.
fgapIMAPMemUsage 1.3.6.1.4.1.12356.101.10.103.2 Memory utilization of the
IMAP Proxy (as a
percentage of the system
total).
fgApIMAPStatsTable 1.3.6.1.4.1.12356.101.10.103.3 A table of IMAP proxy
fgApIMAPStatsEntry 1.3.6.1.4.1.12356.101.10.103.3.1 IMAP Proxy statistics for a
fgApIMAPReqProcessed 1.3.6.1.4.1.12356.101.10.103.3.1.1 Number of requests in this
by the IMAP proxy since
start up.
fgApIMAPSpamDetected 1.3.6.1.4.1.12356.101.10.103.3.1.2 Number of spam detected
IMAP proxy since start up.
fgApIMAPConnections 1.3.6.1.4.1.12356.101.10.103.4 IMAP proxy current
connections.
fgAppProxyNNTP 1.3.6.1.4.1.12356.101.10.104
fgApNNTPUpTime 1.3.6.1.4.1.12356.101.10.104.1 Up time of the NNTP proxy,
in seconds.
fgApNNTPMemUsage 1.3.6.1.4.1.12356.101.10.104.2 Memory utilization of the
NNTP proxy, as a
percentage of the system
total.
fgApNNTPStatsTable 1.3.6.1.4.1.12356.101.10.104.3 A table of NNTP proxy
fgApNNTPStatsEntry 1.3.6.1.4.1.12356.101.10.104.3.1 NNTP Proxy statistics for a
fgApNNTPReqProcessed 1.3.6.1.4.1.12356.101.10.104.3.1.1 Number of requests in the
by the NNTP proxy since
start up.
fgApNNTPConnections 1.3.6.1.4.1.12356.101.10.104.4 NNTP proxy current
connections.
fgAppProxyIM 1.3.6.1.4.1.12356.101.10.105
fgApIMUpTime 1.3.6.1.4.1.12356.101.10.105.1 Up time of the IM proxy, in
seconds.
fgApIMMemUsage 1.3.6.1.4.1.12356.101.10.105.2 IM Proxy memory usage, as
a percentage of the system
total.
fgApIMStatsTable 1.3.6.1.4.1.12356.101.10.105.3 A table of IM proxy
fgApIMStatsEntry 1.3.6.1.4.1.12356.101.10.105.3.1 IM Proxy statistics for a
fgApIMReqProcessed 1.3.6.1.4.1.12356.101.10.105.3.1.1 Number of requests in this
by the IM proxy since start
up.
fgAppProxySIP 1.3.6.1.4.1.12356.101.10.106
fgApSIPUpTime 1.3.6.1.4.1.12356.101.10.106.1 Up time of the SIP Proxy, in
seconds.
fgApSIPMemUsage 1.3.6.1.4.1.12356.101.10.106.2 SIP Proxy memory
utilization, as a percentage
of the system total.
fgApSIPStatsTable 1.3.6.1.4.1.12356.101.10.106.3 A table of SIP proxy
fgApSIPStatsEntry 1.3.6.1.4.1.12356.101.10.106.3.1 SIP Proxy statistics for a
fgApSIPClientReg 1.3.6.1.4.1.12356.101.10.106.3.1.1 Number of client
registration requests
(Register and Options) in
this virtual domain
processed by the SIP proxy
since start up.
fgApSIPCallHandling 1.3.6.1.4.1.12356.101.10.106.3.1.2 Number of call handling
requests (Invite, Ack, Bye,
Cancel and Refer) in this
by the SIP proxy since start
up.
fgApSIPServices 1.3.6.1.4.1.12356.101.10.106.3.1.3 Number of service requests
(Subscribe, notify and
Message) in this virtual
domain processed by the
SIP proxy since start up.
fgApSIPOtherReq 1.3.6.1.4.1.12356.101.10.106.3.1.4 Number of other sip
requests in this virtual
domain processed by the
SIP proxy since start up.
fgAppScanUnit 1.3.6.1.4.1.12356.101.10.107
fgAppSuNumber 1.3.6.1.4.1.12356.101.10.107.1 The number of scan units in
the fgAppSuStatsTable.
fgAppSuStatsTable 1.3.6.1.4.1.12356.101.10.107.2 A table of scan unit
statistics.
fgAppSuStatsEntry 1.3.6.1.4.1.12356.101.10.107.2.1 Statistics entry for a
particular scan unit.
fgAppSuIndex 1.3.6.1.4.1.12356.101.10.107.2.1.1 Index that uniquely
identifies a scan unit in the
fgAppSuStatsTable.
fgAppSuFileScanned 1.3.6.1.4.1.12356.101.10.107.2.1.2 Number of files scanned by
this scan unit.
fgAppVoIP 1.3.6.1.4.1.12356.101.10.108
fgAppVoIPStatsTable 1.3.6.1.4.1.12356.101.10.108.1 A table of VoIP related
fgAppVoPStatsEntry 1.3.6.1.4.1.12356.101.10.108.1.1 VoIP statistics for a
fgAppVoIPConn 1.3.6.1.4.1.12356.101.10.108.1.1.1 The current number of VoIP
connections on the virtual
domain.
fgAppVoIPCallBlocked 1.3.6.1.4.1.12356.101.10.108.1.1.2 Number of VoIP calls
blocked (SIP Invites
blocked and SCCP calls
blocked) in this virtual
domain.
fgAppP2P 1.3.6.1.4.1.12356.101.10.109
fgAppP2PStatsTable 1.3.6.1.4.1.12356.101.10.109.1 A table of P2P protocol
related statistics per virtual
domain.
fgAppP2PStatsEntry 1.3.6.1.4.1.12356.101.10.109.1.1 P2P statistics for a
fgAppP2PConnBlocked 1.3.6.1.4.1.12356.101.10.109.1.1.1 Number of P2P connections
blocked in this virtual
domain.
fgAppP2PProtoTable 1.3.6.1.4.1.12356.101.10.109.2 A table of peer to peer
statistics per virtual domain
per protocol. This table has
a dependent expansion
relationship with fgVdTable.
fgAppP2PProtoEntry 1.3.6.1.4.1.12356.101.10.109.2.1 P2P statistics for a
particular virtual domain
and protocol.
fgAppP2PProtoEntProto 1.3.6.1.4.1.12356.101.10.109.2.1.1 P2P protocol this row of
statistics is for, within the
specified virtual domain.
fgAppP2PProtoEntBytes 1.3.6.1.4.1.12356.101.10.109.2.1.2 Number of bytes transferred
through this virtual domain
on this P2P protocol since
last reset.
fgAppP2PProtoEntLastRes
et
1.3.6.1.4.1.12356.101.10.109.2.1.3 Time elapsed since the
corresponding
fgAppP2PProtEntBytes was
last reset to 0.
fgAppIM 1.3.6.1.4.1.12356.101.10.110
fgAppIMStatsTable 1.3.6.1.4.1.12356.101.10.110.1 A table of instant
messaging statistics per
virtual domain.
fgAppIMStatsEntry 1.3.6.1.4.1.12356.101.10.110.1.1 IM statistics for a particular
virtual domain.
fgAppIMMessages 1.3.6.1.4.1.12356.101.10.110.1.1.1 Total number of IM
messages processed in this
virtual domain.
fgAppIMFileTransfered 1.3.6.1.4.1.12356.101.10.110.1.1.2 Number of files transferred
through this virtual domain.
fgAppIMFileTxBlocked 1.3.6.1.4.1.12356.101.10.110.1.1.3 Number of blocked file
transfers in this virtual
domain.
fgAppIMConnBlocked 1.3.6.1.4.1.12356.101.10.110.1.1.4 Number of connections
blocked in this virtual
domain.
fgAppProxyFTP 1.3.6.1.4.1.12356.101.10.111
fgApFTPUpTime 1.3.6.1.4.1.12356.101.10.111.1 Up time of the FTP proxy, in
seconds.
fgApFTPMemUsage 1.3.6.1.4.1.12356.101.10.111.2 FTP Proxy memory
utilization, as a percentage
of the system total.
fgApFTPStatsTable 1.3.6.1.4.1.12356.101.10.111.3 A table of FTP proxy
fgApFTPStatsEntry 1.3.6.1.4.1.12356.101.10.111.3.1 FTP Proxy statistics for a
fgApFTPReqProcessed 1.3.6.1.4.1.12356.101.10.111.3.1.1 Number of requests in this
by the FTP proxy since start
up.
fgApFTPConnections 1.3.6.1.4.1.12356.101.10.111.4 FTP proxy current
connections.
fgAppExplicitProxy 1.3.6.1.4.1.12356.101.10.112
fgExplicitProxyInfo 1.3.6.1.4.1.12356.101.10.112.1
fgExplicitProxyUpTime 1.3.6.1.4.1.12356.101.10.112.1.1 Explicit proxy up-time (in
seconds).
fgExplicitProxyMemUsage 1.3.6.1.4.1.12356.101.10.112.1.2 Explicit proxy memory
usage (percentage of
system total).
fgExplicitProxyRequests 1.3.6.1.4.1.12356.101.10.112.1.3 Explicit proxy total number
of requests.
fgExplicitProxyStatsTable 1.3.6.1.4.1.12356.101.10.112.2 A table of explicit proxy
fgExplicitProxyStatsEntry 1.3.6.1.4.1.12356.101.10.112.2.1 Explicit proxy statistics for a
fgExplicitProxyUsers 1.3.6.1.4.1.12356.101.10.112.2.1.1 Number of current users in
fgExplicitProxySessions 1.3.6.1.4.1.12356.101.10.112.2.1.2 Number of current sessions
in this virtual domain.
fgExplicitProxyScanStatsTa
ble
1.3.6.1.4.1.12356.101.10.112.3 A table of explicit proxy
scan statistics per virtual
domain.
fgExplicitProxyScanStatsEn
try
1.3.6.1.4.1.12356.101.10.112.3.1 Explicit proxy scan
statistics for a particular
virtual domain.
fgExplicitProxyScanStatsDi
sp
1.3.6.1.4.1.12356.101.10.112.3.1.1 Disposition of an scan
result.
fgExplicitProxyVirus 1.3.6.1.4.1.12356.101.10.112.3.1.2 Number of viruses in this
virtual domain.
fgExplicitProxyBannedWord
s
1.3.6.1.4.1.12356.101.10.112.3.1.3 Number of elements
containing banned words in
fgExplicitProxyPolicy 1.3.6.1.4.1.12356.101.10.112.3.1.4 Number of elements
violating policy (e.g.
filename or file type rules) in
fgExplicitProxyOversized 1.3.6.1.4.1.12356.101.10.112.3.1.5 Number of oversized
elements in this virtual
domain.
fgExplicitProxyArchNest 1.3.6.1.4.1.12356.101.10.112.3.1.6 Number of too deeply
nested archives in this
virtual domain.
fgExplicitProxyArchSize 1.3.6.1.4.1.12356.101.10.112.3.1.7 Number of archives that
decompress beyond size
limit in this virtual domain.
fgExplicitProxyArchEncrypt
ed
1.3.6.1.4.1.12356.101.10.112.3.1.8 Number of encrypted
archives in this virtual
domain.
fgExplicitProxyArchMultiPar
t
1.3.6.1.4.1.12356.101.10.112.3.1.9 Number of multipart
archives in this virtual
domain.
fgExplicitProxyArchUnsupp
orted
1.3.6.1.4.1.12356.101.10.112.3.1.1
0
Number of archives with
unsupported (but known)
formats in this virtual
domain.
fgExplicitProxyArchBomb 1.3.6.1.4.1.12356.101.10.112.3.1.1
1
Number of archive bombs
fgExplicitProxyArchCorrupt 1.3.6.1.4.1.12356.101.10.112.3.1.1
2
Number of corrupt archives
fgExplicitProxyScriptStatsT
able
script filtering statistics per
virtual domain.
fgExplicitProxyScriptStatsE
ntry
virtual domain.
fgExplicitProxyFilteredAppl
ets
1.3.6.1.4.1.12356.101.10.112.4.1.1 Number of applets filtered
from files in this virtual
domain.
fgExplicitProxyFilteredActiv
eX
1.3.6.1.4.1.12356.101.10.112.4.1.2 Number of ActiveX scripts
filtered from files in this
virtual domain.
fgExplicitProxyFilteredJScri
pt
1.3.6.1.4.1.12356.101.10.112.4.1.3 Number of JScript scripts
filtered from files in this
virtual domain.
fgExplicitProxyFilteredJS 1.3.6.1.4.1.12356.101.10.112.4.1.4 Number of JavaScript
scripts filtered from files in
fgExplicitProxyFilteredVBS 1.3.6.1.4.1.12356.101.10.112.4.1.5 Number of Visual Basic
fgExplicitProxyFilteredOthS
cript
.3.6.1.4.1.12356.101.10.112.4.1.6 Number of other types of
fgExplicitProxyFilterStatsTa
ble
policy enforcement
fgExplicitProxyFilterStatsEn
try
virtual domain.
fgExplicitProxyBlockedDLP 1.3.6.1.4.1.12356.101.10.112.5.1.1 Number of elements
blocked due to Data Leak
Prevention in this virtual
domain.
fgExplicitProxyBlockedCon
Type
1.3.6.1.4.1.12356.101.10.112.5.1.2 Number of elements
blocked due to
Content-Type filtering rules
fgExplicitProxyExaminedUR
Ls
1.3.6.1.4.1.12356.101.10.112.5.1.3 Number of URLs inspected
against filtering rules in this
virtual domain.
fgExplicitProxyAllowedURL
s
1.3.6.1.4.1.12356.101.10.112.5.1.4 Number of URLs explicitly
allowed due to filtering rules
fgExplicitProxyBlockedURL
s
1.3.6.1.4.1.12356.101.10.112.5.1.5 Number of URLs explicitly
blocked due to filtering
rules in this virtual domain.
fgExplicitProxyLoggedURL
s
1.3.6.1.4.1.12356.101.10.112.5.1.6 Number of URLs logged
due to filtering rules in this
virtual domain.
fgExplicitProxyOverriddenU
RLs
1.3.6.1.4.1.12356.101.10.112.5.1.7 Number of URLs access
due to overriding filtering
rules in this virtual domain.
fgAppWebCache 1.3.6.1.4.1.12356.101.10.113
fgWebCacheInfo 1.3.6.1.4.1.12356.101.10.113.1
fgWebCacheRAMLimit 1.3.6.1.4.1.12356.101.10.113.1.1 RAM available for web
cache in bytes.
fgWebCacheRAMUsage 1.3.6.1.4.1.12356.101.10.113.1.2 RAM used by web cache in
bytes.
fgWebCacheRAMHits 1.3.6.1.4.1.12356.101.10.113.1.3 Number of cache hits in
RAM since last reset.
fgWebCacheRAMMisses 1.3.6.1.4.1.12356.101.10.113.1.4 Number of cache misses in
RAM since last reset.
fgWebCacheRequests 1.3.6.1.4.1.12356.101.10.113.1.5 Number of cache requests
since last reset.
fgWebCacheBypass 1.3.6.1.4.1.12356.101.10.113.1.6 Number of cache bypasses
since last reset.
fgWebCacheUpTime 1.3.6.1.4.1.12356.101.10.113.1.7 Web Cache up-time (in
seconds).
fgWebCacheDiskStatsTable 1.3.6.1.4.1.12356.101.10.113.2 A table of the Web Cache
disk statistics per disk.
fgWebCacheDiskStatsEntry 1.3.6.1.4.1.12356.101.10.113.2.1 The Web Cache disk
disk.
fgWebCacheDisk 1.3.6.1.4.1.12356.101.10.113.2.1.1 The Web Cache Disk index.
fgWebCacheDiskLimit 1.3.6.1.4.1.12356.101.10.113.2.1.2 The about of storage (in
bytes) available for the Web
Cache on a particular disk.
fgWebCacheDiskUsage 1.3.6.1.4.1.12356.101.10.113.2.1.3 The about of storage (in
bytes) in use by the Web
fgWebCacheDiskHits 1.3.6.1.4.1.12356.101.10.113.2.1.4 The number of cache hits
on a paricular disk.
fgWebCacheDiskMisses 1.3.6.1.4.1.12356.101.10.113.2.1.5 The number of cache
misses on a paricular disk.
fgAppWanOpt 1.3.6.1.4.1.12356.101.10.114
fgWanOptInfo 1.3.6.1.4.1.12356.101.10.114.1
fgMemCacheLimit 1.3.6.1.4.1.12356.101.10.114.1.1 RAM available for mem
cache in bytes.
fgMemCacheUsage 1.3.6.1.4.1.12356.101.10.114.1.2 RAM used by mem cache in
bytes.
fgMemCacheHits 1.3.6.1.4.1.12356.101.10.114.1.3 Number of hits in mem
cache since last reset.
fgMemCacheMisses 1.3.6.1.4.1.12356.101.10.114.1.4 Number of misses in mem
cache since last reset.
fgByteCacheRAMLimit 1.3.6.1.4.1.12356.101.10.114.1.5 RAM available for byte
cache in bytes.
fgByteCacheRAMUsage 1.3.6.1.4.1.12356.101.10.114.1.6 RAM used by byte cache in
bytes.
fgWanOptUpTime 1.3.6.1.4.1.12356.101.10.114.1.7 Wan Optimization up-time
(in seconds).
fgWanOptStatsTable 1.3.6.1.4.1.12356.101.10.114.2 A table of WAN optimization
fgWanOptStatsEntry 1.3.6.1.4.1.12356.101.10.114.2.1 WAN optimization statistics
for a particular virtual
domain.
fgWanOptTunnels 1.3.6.1.4.1.12356.101.10.114.2.1.1 Number of current tunnels
fgWanOptLANBytesIn 1.3.6.1.4.1.12356.101.10.114.2.1.2 Number of bytes received
on LAN in last 5 seconds.
fgWanOptLANBytesOut 1.3.6.1.4.1.12356.101.10.114.2.1.3 Number of bytes sent on
LAN in last 5 seconds.
fgWanOptWANBytesIn 1.3.6.1.4.1.12356.101.10.114.2.1.4 Number of bytes received
on WAN in last 5 seconds.
fgWanOptWANBytesOut 1.3.6.1.4.1.12356.101.10.114.2.1.5 Number of bytes sent on
WAN in last 5 seconds.
fgWanOptHistoryStatsTable 1.3.6.1.4.1.12356.101.10.114.3 A table of the WAN
optimization history per
protocol.
fgWanOptHistoryStatsEntry 1.3.6.1.4.1.12356.101.10.114.3.1 The WAN optimization
history for a particular
virtual domain, period, and
protocol.
fgWanOptHistPeriod 1.3.6.1.4.1.12356.101.10.114.3.1.1 WAN optimization table
entry period.
fgWanOptProtocol 1.3.6.1.4.1.12356.101.10.114.3.1.2 Internal WAN optimization
table entry protocol.
fgWanOptReductionRate 1.3.6.1.4.1.12356.101.10.114.3.1.3 Reduction rate achieved by
WAN optimization.
fgWanOptLanTraffic 1.3.6.1.4.1.12356.101.10.114.3.1.4 Number of bytes transferred
via LAN.
fgWanOptWanTraffic 1.3.6.1.4.1.12356.101.10.114.3.1.5 Number of bytes transferred
via WAN.
fgWanOptTrafficStatsTable 1.3.6.1.4.1.12356.101.10.114.4 A table of the WAN
optimization traffic for a
particular virtual domain
and protocol.
fgWanOptTrafficStatsEntry 1.3.6.1.4.1.12356.101.10.114.4.1 The WAN optimization
history for a particular
protocol.
fgWanOptLanInTraffic 1.3.6.1.4.1.12356.101.10.114.4.1.1 Amount of traffic received
from the LAN by WAN
optimization.
fgWanOptLanOutTraffic 1.3.6.1.4.1.12356.101.10.114.4.1.2 Amount of traffic sent to the
LAN by WAN optimization.
fgWanOptWanInTraffic 1.3.6.1.4.1.12356.101.10.114.4.1.3 Amount of traffic received
from the WAN by WAN
optimization.
fgWanOptWanOutTraffic 1.3.6.1.4.1.12356.101.10.114.4.1.4 Amount of traffic sent to the
WAN by WAN optimization.
fgWanOptDiskStatsTable 1.3.6.1.4.1.12356.101.10.114.5 A table of the Web Cache
disk statistics per disk.
fgWanOptDiskStatsEntry 1.3.6.1.4.1.12356.101.10.114.5.1 The Web Cache disk
disk.
fgWanOptDisk 1.3.6.1.4.1.12356.101.10.114.5.1.1 The Web Cache Disk index.
fgWanOptDiskLimit 1.3.6.1.4.1.12356.101.10.114.5.1.2 The about of storage (in
bytes) available for the Web
fgWanOptDiskUsage 1.3.6.1.4.1.12356.101.10.114.5.1.3 The about of storage (in
bytes) in use by the Web
Cache on a paricular disk.
fgWanOptDiskHits 1.3.6.1.4.1.12356.101.10.114.5.1.4 The number of cache hits
on a paricular disk.
fgWanOptDiskMisses 1.3.6.1.4.1.12356.101.10.114.5.1.5 The number of cache
misses on a paricular disk.
Protocol and Session Table
fgInetProto 1.3.6.1.4.1.12356.101.11
fgInetProtoInfo 1.3.6.1.4.1.12356.101.11.1
fgInetProtoTables 1.3.6.1.4.1.12356.101.11.2
fgIpSessTable 1.3.6.1.4.1.12356.101.11.2.1
fgIpSessEntry 1.3.6.1.4.1.12356.101.11.2.1.1 Information on a specific
session, including source
and destination.
fgIpSessIndex 1.3.6.1.4.1.12356.101.11.2.1.1.1 An index value that uniquely
identifies an IP session
within the fgIpSessTable.
fgIpSessProto 1.3.6.1.4.1.12356.101.11.2.1.1.2 The protocol the session is
using (IP, TCP, UDP, etc.).
fgIpSessFromAddr 1.3.6.1.4.1.12356.101.11.2.1.1.3 Source IP address (IPv4
only) of the session.
fgIpSessFromPort 1.3.6.1.4.1.12356.101.11.2.1.1.4 Source port number (UDP
and TCP only) of the
session.
fgIpSessToAddr 1.3.6.1.4.1.12356.101.11.2.1.1.5 Destination IP address (IPv4
only) of the session.
fgIpSessToPort 1.3.6.1.4.1.12356.101.11.2.1.1.6 Destination Port number
(UDP and TCP only) of the
session.
fgIpSessExp 1.3.6.1.4.1.12356.101.11.2.1.1.7 Number of seconds
remaining before the
session expires (if idle).
fgIpSessVdom 1.3.6.1.4.1.12356.101.11.2.1.1.8 Virtual domain the session
is part of. This index
used by fgVdTable.
fgIpSessStatsTable 1.3.6.1.4.1.12356.101.11.2.2 IP session statistics table.
fgIpSessStatsEntry 1.3.6.1.4.1.12356.101.11.2.2.1 IP session statistics on a
virtual domain.
fgIpSessNumber 1.3.6.1.4.1.12356.101.11.2.2.1.1 Current number of sessions
on the virtual domain.
VPN
fgVPN 1.3.6.1.4.1.12356.101.12
fgVpnInfo 1.3.6.1.4.1.12356.101.12.1
fgVpnTables 1.3.6.1.4.1.12356.101.12.2
fgVpnDialupTable 1.3.6.1.4.1.12356.101.12.2.1 Dial-up VPN peers
information.
fgVpnDialupEntry 1.3.6.1.4.1.12356.101.12.2.1.1 Dial-up VPN peer info.
fgVpnDialupIndex 1.3.6.1.4.1.12356.101.12.2.1.1.1 An index value that uniquely
identifies an VPN dial-up
peer within the
fgVpnDialupTable.
fgVpnDialupGateway 1.3.6.1.4.1.12356.101.12.2.1.1.2 Remote gateway IP address
of the tunnel.
fgVpnDialupLifetime 1.3.6.1.4.1.12356.101.12.2.1.1.3 Tunnel life time (seconds) of
the tunnel.
fgVpnDialupTimeout 1.3.6.1.4.1.12356.101.12.2.1.1.4 Time before the next key
exchange (seconds) of the
tunnel.
fgVpnDialupSrcBegin 1.3.6.1.4.1.12356.101.12.2.1.1.5 Remote subnet address of
the tunnel.
fgVpnDialupSrcEnd 1.3.6.1.4.1.12356.101.12.2.1.1.6 Remote subnet mask of the
tunnel.
fgVpnDialupDstAddr 1.3.6.1.4.1.12356.101.12.2.1.1.7 Local subnet address of the
tunnel.
fgVpnDialupVdom 1.3.6.1.4.1.12356.101.12.2.1.1.8 Virtual domain tunnel is part
of. This index corresponds
to the index used by
fgVdTable.
fgVpnDialupInOctets 1.3.6.1.4.1.12356.101.12.2.1.1.9 Number of bytes received
on tunnel since
instantiation.
fgVpnDialupOutOctets 1.3.6.1.4.1.12356.101.12.2.1.1.10 Number of bytes sent on
tunnel since instantiation.
fgVpnTunTable 1.3.6.1.4.1.12356.101.12.2.2 Table of non-dial-up VPN
tunnels.
fgVpnTunEntry 1.3.6.1.4.1.12356.101.12.2.2.1 Tunnel VPN peer info.
fgVpnTunEntIndex 1.3.6.1.4.1.12356.101.12.2.2.1.1 An index value that uniquely
identifies a VPN tunnel
within the fgVpnTunTable.
fgVpnTunEntPhase1Name 1.3.6.1.4.1.12356.101.12.2.2.1.2 Descriptive name of phase1
configuration for the tunnel.
fgVpnTunentPhase2Name 1.3.6.1.4.1.12356.101.12.2.2.1.3 Descriptive name of phase2
configuration for the tunnel.
fgVpnTunEntRemGwyIp 1.3.6.1.4.1.12356.101.12.2.2.1.4 IP of remote gateway used
by the tunnel.
fgVpnTunEntRemGwyPort 1.3.6.1.4.1.12356.101.12.2.2.1.5 Port of remote gateway
used by tunnel, if UDP.
fgVpnTunEntLocGwyIp 1.3.6.1.4.1.12356.101.12.2.2.1.6 IP of local gateway used by
the tunnel.
fgVpnTunEntLocGwyPort 1.3.6.1.4.1.12356.101.12.2.2.1.7 Port of local gateway used
by tunnel, if UDP.
fgVpnTunEntSelectorSrcBe
ginIP
1.3.6.1.4.1.12356.101.12.2.2.1.8 Beginning of address range
of source selector.
fgVpnTunEntSelectorSrcEn
dIp
1.3.6.1.4.1.12356.101.12.2.2.1.9 End of address range of
source selector.
fgVpnTunentSelectorSrcPor
t
1.3.6.1.4.1.12356.101.12.2.2.1.10 Source selector port.
fgVonTunEntSelectorDstBe
ginIp
1.3.6.1.4.1.12356.101.12.2.2.1.11 Beginning of address range
of destination selector.
fgVpnTunEntSelectorDstEn
dIp
1.3.6.1.4.1.12356.101.12.2.2.1.12 End of address range of
destination selector.
fgVpnTunEntSelectorDstPor
t
1.3.6.1.4.1.12356.101.12.2.2.1.13 Destination selector port.
fgVpnTunEntSelectorProto 1.3.6.1.4.1.12356.101.12.2.2.1.14 Protocol number for
selector.
fgVpnTunEntLifeSecs 1.3.6.1.4.1.12356.101.12.2.2.1.15 Lifetime of tunnel in
seconds, if time based
lifetime used.
fgVpnTunEntLifeBytes 1.3.6.1.4.1.12356.101.12.2.2.1.16 Lifetime of tunnel in bytes, if
byte transfer based lifetime
used.
fgVpnTunEntTimeout 1.3.6.1.4.1.12356.101.12.2.2.1.17 Timeout of tunnel in
seconds.
fgVpnTunEntInOctets 1.3.6.1.4.1.12356.101.12.2.2.1.18 Number of bytes received
on tunnel.
fgVpnTunEntOutOctets 1.3.6.1.4.1.12356.101.12.2.2.1.19 Number of bytes sent out
on tunnel.
fgVpnTunEntStatus 1.3.6.1.4.1.12356.101.12.2.2.1.20 Current status of tunnel (up
or down).
fgVpnTunEntVdom 1.3.6.1.4.1.12356.101.12.2.2.1.21 Virtual domain the tunnel is
part of. This index
used by fgVdTable.
fgVpnSslStatsTable 1.3.6.1.4.1.12356.101.12.2.3 SSL VPN statistics table.
ffVpnSslStatsEntry 1.3.6.1.4.1.12356.101.12.2.3.1 SSL VPN statistics for a
given virtual domain.
fgVpnSslState 1.3.6.1.4.1.12356.101.12.2.3.1.1 Whether SSL-VPN is
enabled on this virtual
domain.
fgVpnSslStatsLoginUsers 1.3.6.1.4.1.12356.101.12.2.3.1.2 The current number of
users logged in through
SSL-VPN tunnels in the
virtual domain.
fgVpnSslStatsMaxUsers 1.3.6.1.4.1.12356.101.12.2.3.1.3 The maximum number of
total users that can be
logged in at any one time on
the virtual domain.
fgVpnSslStatsActiveWebSe
ssions
1.3.6.1.4.1.12356.101.12.2.3.1.4 The current number of
active SSL web sessions in
the virtual domain.
fgVpnSslStatsMaxWebSess
ions
1.3.6.1.4.1.12356.101.12.2.3.1.5 The maximum number of
active SSL web sessions at
any one time within the
virtual domain.
fgVpnSslStatsActiveTunnels 1.3.6.1.4.1.12356.101.12.2.3.1.6 The current number of
active SSL tunnels in the
virtual domain.
fgVpnSslStatsMaxTunnels 1.3.6.1.4.1.12356.101.12.2.3.1.7 The maximum number of
active SSL tunnels at any
one time in the virtual
domain.
fgVpnSslTunnelTable 1.3.6.1.4.1.12356.101.12.2.4 A list of active SSL VPN
tunnel entries.
fgVpnSslTunnelEntry 1.3.6.1.4.1.12356.101.12.2.4.1 An SSL VPN tunnel entry
containing connection
information and traffic
statistics.
fgVpnSslTunnelIndex 1.3.6.1.4.1.12356.101.12.2.4.1.1 An index value that uniquely
identifies an active SSL
VPN tunnel within the
fgVpnSslTunnelTable.
fgVpnSslTunnelVdom 1.3.6.1.4.1.12356.101.12.2.4.1.2 The index of the virtual
domain this tunnel belongs
to. This index corresponds
to the index used by
fgVdTable.
fgVpnSslTunnelUserName 1.3.6.1.4.1.12356.101.12.2.4.1.3 The user name used to
authenticate the tunnel.
fgVpnbSslTunnelSrcIp 1.3.6.1.4.1.12356.101.12.2.4.1.4 The source IP address of
this tunnel.
fgVpnSslTunnelIp 1.3.6.1.4.1.12356.101.12.2.4.1.5 The connection IP address
of this tunnel.
fgVpnSslTunnelUpTime 1.3.6.1.4.1.12356.101.12.2.4.1.6 The up-time of this tunnel in
seconds.
fgVpnSslTunnelBytesIn 1.3.6.1.4.1.12356.101.12.2.4.1.7 The number of incoming
bytes of L2 traffic through
this tunnel since it was
established.
fgVpnSslTunnelBytesOut 1.3.6.1.4.1.12356.101.12.2.4.1.8 The number of outgoing
bytes of L2 traffic through
this tunnel since it was
established.
fgVpnTrapObjects 1.3.6.1.4.1.12356.101.12.3
fgVpnTrapLocalGateway 1.3.6.1.4.1.12356.101.12.3.2 Local gateway IP address.
Used in VPN related traps.
fgVpnTrapRemoteGateway 1.3.6.1.4.1.12356.101.12.3.3 Remote gateway IP
address. Used in VPN
related traps.
High Availability
fgHighAvailability 1.3.6.1.4.1.12356.101.13
fgHaInfo 1.3.6.1.4.1.12356.101.13.1
fgHaSystemMode 1.3.6.1.4.1.12356.101.13.1.1 High-availability mode
(Standalone, A-A or A-P).
fgHaGroupId 1.3.6.1.4.1.12356.101.13.1.2 HA cluster group ID device
is configured for.
fgHaPriority 1.3.6.1.4.1.12356.101.13.1.3 HA clustering priority of the
device (default = 127).
fgHaOverride 1.3.6.1.4.1.12356.101.13.1.4 Status of a master override
flag.
fgHaAutoSync 1.3.6.1.4.1.12356.101.13.1.5 Configuration of an
automatic configuration
synchronization (enabled or
disabled).
fgHaSchedule 1.3.6.1.4.1.12356.101.13.1.6 Load-balancing schedule of
cluster (in A-A mode).
fgHaGroupName 1.3.6.1.4.1.12356.101.13.1.7 Ha cluster group name.
fgHaTables 1.3.6.1.4.1.12356.101.13.2
fgHaStatsTable 1.3.6.1.4.1.12356.101.13.2.1 Some useful statistics for all
members of a cluster. This
table is also available in
standalone mode.
fgHaStatsEntry 1.3.6.1.4.1.12356.101.13.2.1.1 Statistics for a particular HA
cluster's unit.
fgHaStatsIndex 1.3.6.1.4.1.12356.101.13.2.1.1.1 An index value that uniquely
identifies an unit in the HA
Cluster.
fgHaStatsSerial 1.3.6.1.4.1.12356.101.13.2.1.1.2 Serial number of the HA
cluster member for this row.
fgHaStatsCpuUsage 1.3.6.1.4.1.12356.101.13.2.1.1.3 CPU usage of the specified
cluster member
(percentage).
fgHaStatsMemUsage 1.3.6.1.4.1.12356.101.13.2.1.1.4 Memory usage of the
specified cluster member
(percentage).
fgHaStatsNetUsage 1.3.6.1.4.1.12356.101.13.2.1.1.5 Network bandwidth usage
of specified cluster member
(kbps).
fgHaStatsSesCount 1.3.6.1.4.1.12356.101.13.2.1.1.6 Current session count of
specified cluster member.
fgHaStatsPktCount 1.3.6.1.4.1.12356.101.13.2.1.1.7 Number of packets
processed by the specified
cluster member since start
up.
fgHaStatsByteCount 1.3.6.1.4.1.12356.101.13.2.1.1.8 Number of bytes processed
by the specified cluster
member since start up.
fgHaStatsIdsCount 1.3.6.1.4.1.12356.101.13.2.1.1.9 Number of IDS/IPS events
triggered on the specified
up.
fgHaStatsAvCount 1.3.6.1.4.1.12356.101.13.2.1.1.10 Number of anti-virus events
triggered on the specified
up.
fgHaStatsHostname 1.3.6.1.4.1.12356.101.13.2.1.1.11 Host name of the specified
cluster member.
fgHaTrapObjects 1.3.6.1.4.1.12356.101.13.3
fgHaTrapMemberSerial 1.3.6.1.4.1.12356.101.13.3.1 Serial number of an HA
cluster member. Used to
identify the origin of a trap
when a cluster is
configured.
fgFmTrapGroup 1.3.6.1.4.1.12356.101.100.1 Traps are intended for use
in conjunction with a
FortiManager.
fgFmTrapObjectGroup 1.3.6.1.4.1.12356.101.100.2 These objects support the
traps in the fgFmTrapGroup.
fgAdminObjectGroup 1.3.6.1.4.1.12356.101.100.3 Objects pertaining to
administration of the
device.
fgSystemObjectGroup 1.3.6.1.4.1.12356.101.100.4 Objects pertaining to the
system status of the device.
fgSoftwareObjectGroup 1.3.6.1.4.1.12356.101.100.5 Objects pertaining to
software running on the
device.
fgHwSensorsObjectGroup 1.3.6.1.4.1.12356.101.100.6 Object pertaining to
hardware sensors on the
device.
fgHighAvailabilityObjectGro
up
1.3.6.1.4.1.12356.101.100.7 Objects pertaining to High
Availability clustering of
FortiGate devices.
fgVpnObjectGroup 1.3.6.1.4.1.12356.101.100.8 Objects pertaining to Virtual
Private Networking on
FortiGate devices.
fgFirewallObjectGroup 1.3.6.1.4.1.12356.101.100.9 Objects pertaining to
Firewall functionality on
FortiGate devices.
fgAppServicesObjectGroup 1.3.6.1.4.1.12356.101.100.10 Objects pertaining to
application proxy and
filtering services on
FortiGate devices.
fgAntivirusObjectGroup 1.3.6.1.4.1.12356.101.100.11 Objects pertaining to
Antivirus services on
FortiGate devices.
fgIntrusionPrevtObjectGrou
p
1.3.6.1.4.1.12356.101.100.12 Objects pertaining to
Intrusion Detection and
Prevention services on
FortiGate devices.
fgWebFilterObjectGroup 1.3.6.1.4.1.12356.101.100.13 Objects pertaining to
FortiGate and FortiGuard
based Web Filtering
services on FortiGate
devices.
fgVirtualDomainObjectGrou
p
1.3.6.1.4.1.12356.101.100.14 Objects pertaining to Virtual
Firewall Domain services on
FortiGate devices.
fgAdministrationObjectGrou
p
1.3.6.1.4.1.12356.101.100.15 Objects pertaining to the
administration of FortiGate
device.
fgIntfObjectGroup 1.3.6.1.4.1.12356.101.100.16 Objects pertaining to the
interface table of FortiGate
device.
fgProcessorsObjectGroup 1.3.6.1.4.1.12356.101.100.17 Objects pertaining to the
processors table of
FortiGate device.
fgNotificationGropu 1.3.6.1.4.1.12356.101.100.18 Notifications that can be
generated from a FortiGate
device.
fgObsoleteNotificationsGro
up
1.3.6.1.4.1.12356.101.100.19 Notifications that have been
deprecated, but may still be
generated by older models.
fgMIBCompliance 1.3.6.1.4.1.12356.101.100.100 Model and feature specific.
Page 156
Interfaces
Interfaces, both physical and virtual, enable traffic to flow to and from the internal network, and
the Internet and between internal networks. The FortiGate unit has a number of options for
setting up interfaces and groupings of subnetworks that can scale to a companys growing
requirements.
This chapter includes:
Physical
Interface settings
Software switch
Virtual Switch
Loopback interfaces
Redundant interfaces
On-armed sniffer
Aggregate Interfaces
DHCP on an interface
Administrative access
Wireless
Interface MTU packet size
Secondary IP addresses to an interface
Virtual domains
Virtual LANs
Zones
Physical
FortiGate units have a number of physical ports where you connect ethernet or optical cables.
Depending on the model, they can have anywhere from four to 40 physical ports. Some units
have a grouping of ports labelled as internal, providing a built-in switch functionality.
In FortiOS, the port names, as labeled on the FortiGate unit, appear in the web-based manager
in the Unit Operation the Dashboard. They also appear when you are configuring the interfaces,
by going to System > Network > Interface. As shown below, the FortiGate-100D has 22
interfaces.
Figure 10:FortiGate-100D physical interfaces
Figure 11:FortiGate-100D interfaces on the Dashboard
Figure 12:Configuring the FortiGate-100D ports
Normally the internal interface is configured as a single interface shared by all physical interface
connections - a switch. The switch mode feature has two states - switch mode and interface
mode. Switch mode is the default mode with only one interface and one address for the entire
internal switch. Interface mode enables you to configure each of the internal switch physical
interface connections separately. This enables you to assign different subnets and netmasks to
each of the internal physical interface connections.
The larger FortiGate units can also include Advanced Mezzanine Cards (AMC), which can
provide additional interfaces (ethernet or optical), with throughput enhancements for more
efficient handling of specialized traffic. These interfaces appear in FortiOS as port amc/sw1,
amc/sw2 and so on. In the following illustration, the FortiGate-3810A has three AMC cards
installed: two single-width (amc/sw1, amc/sw2) and one double-width (amc/dw).
Figure 13:FortiGate-3810A AMC card port naming
Interface settings
In System > Network > Interface, you configure the interfaces, physical and virtual, for the
FortiGate unit. There are different options for configuring interfaces when the FortiGate unit is in
NAT mode or transparent mode. On FortiOS Carrier, you can also enable the Gi gatekeeper on
each interface for anti-overbilling.
Interface page
Lists all the interfaces that are default and those that you have created. On this page you can
view the status of each interface, create a new interface, edit an existing interface, or remove
an interface.
Create New Select to add a new interface, zone or, in transparent mode, port pair.
For more information on configuring zones, see Zones.
Depending on the model you can add a VLAN interface, a loopback
interface, a IEEE 802.3ad aggregated interface, or a redundant interface.
When VDOMs are enabled, you can also add Inter-VDOM links.
Column
Settings
Select to change the columns of information that are displayed on the
interface list.
Description
(appears as a
note icon)
Displays a description for the interface when one has been added. Move
your mouse over the icon to view the description.
Name The names of the physical interfaces on your FortiGate unit. This includes
any alias names that have been configured.
When you combine several interfaces into an aggregate or redundant
interface, only the aggregate or redundant interface is listed, not the
component interfaces.
If you have added VLAN interfaces, they also appear in the name list, below
the physical or aggregated interface to which they have been added.
If you have added loopback interfaces, they also appear in the interface list,
below the physical interface to which they have been added. If you have
software switch interfaces configured, you will be able to view them. For
more information, see Software switch on page 163.
If your FortiGate unit supports AMC modules, the interfaces are named
amc-sw1/1, amc-dw1/2, and so on.
IP/Netmask The current IP address/netmask of the interface.
In VDOM mode, when VDOMs are not all in NAT or Transparent mode some
values may not be available for display and will be displayed as -.
Access The administrative access configuration for the interface.
Administrative
Status
Indicates if the interface can be accessed for administrative purposes. If the
administrative status is a green arrow, and administrator could connect to
the interface using the configured access.
If the administrative status is a red arrow, the interface is administratively
down and cannot be accessed for administrative purposes.
Link Status The status of the interface physical connection. Link status can be either up
or down. If link status is up (green arrow) the interface is connected to the
network and accepting traffic. If link status is down (red arrow) the interface
is not connected to the network or there is a problem with the connection.
You cannot change link status from the web-based manager.
Link status is only displayed for physical interfaces.
MAC The MAC address of the interface.
Mode Shows the addressing mode of the interface. The addressing mode can be
manual, DHCP, or PPPoE.
MTU The maximum number of bytes per transmission unit (MTU) for the interface.
Secondary IP Displays the secondary IP addresses added to the interface.
Interface configuration and settings
To configure an interface, go to System > Network > Interface.
Type The type of the interface. Valid types include:
Physical
VLAN
Aggregate
Redundant
VDOM Link
Pair
Switch
Tunnel
Virtual Domain The virtual domain to which the interface belongs. This column is visible
when VDOM configuration is enabled.
VLAN ID The configured VLAN ID for VLAN subinterfaces.
Name Enter a name of the interface. Physical interface names cannot be
changed.
Alias Enter an alternate name for a physical interface on the FortiGate unit. The
alias can be a maximum of 25 characters. The alias name will not appears
in logs. This field appears when editing an existing physical interface.
Link Status Indicates whether the interface is connected to a network (link status is
Up) or not (link status is Down). This field appears when editing an existing
physical interface.
Type Select the type of interface that you want to add.
On some models you can set Type to 802.3ad Aggregate or Redundant
Interface.
Interface Displayed when Type is set to VLAN.
Select the name of the physical interface to which to add a VLAN
interface. Once created, the VLAN interface is listed below its physical
interface in the Interface list.
You cannot change the physical interface of a VLAN interface except when
adding a new VLAN interface.
VLAN ID Displayed when Type is set to VLAN.
Enter the VLAN ID. You cannot change the VLAN ID except when add a
new VLAN interface.
The VLAN ID can be any number between 1 and 4094 and must match the
VLAN ID added by the IEEE 802.1Q-compliant router or switch connected
to the VLAN subinterface.
Virtual Domain Select the virtual domain to add the interface to.
Admin accounts with super_admin profile can change the Virtual Domain.
Physical Interface
Members
This section has two different forms depending on the interface type:
Software switch interface - this section is a display-only field
showing the interfaces that belong to the software switch virtual
interface.
802.3ad aggregate or Redundant interface - this section includes
available interface and selected interface lists to enable adding or
removing interfaces from the interface. For more information, see
Redundant interfaces.
Select interfaces from this Available Interfaces list and select the right
arrow to add an interface to the Selected Interface list.
Addressing mode Select the addressing mode for the interface.
Select Manual and add an IP/Netmask for the interface. If IPv6
configuration is enabled you can add both a IPv4 and an IPv6 IP
address.
Select DHCP to get the interface IP address and other network settings
from a DHCP server. For more information, see DHCP on an interface
Select PPPoE to get the interface IP address and other network
settings from a PPPoE server. For more information, see PPPoE on an
interface.
Select One-Arm Sniffer to enable the interface as a means to detect
possible traffic threats. This option is available on physical ports not
configured for the primary Internet connection. For more information
see On-armed sniffer.
Select Dedicate to FortiAP to have the FortiAP connect exclusively to
the interface. This option is only available when editing a physical
interface, and it has a static IP address. When you enter the IP address
, the FortiGate unit automatically creates a DHCP server using the
subnet entered.
IP/Netmask If Addressing Mode is set to Manual, enter an IPv4 address/subnet mask
for the interface. FortiGate interfaces cannot have IP addresses on the
same subnet.
IPv6 Address If Addressing Mode is set to Manual and IPv6 support is enabled, enter an
IPv6 address/subnet mask for the interface. A single interface can have
both an IPv4 and IPv6 address or just one or the other.
Administrative
Access
Select the types of administrative access permitted for IPv4 connections
to this interface.
HTTPS Allow secure HTTPS connections to the web-based manager through this
interface.
PING Interface responds to pings. Use this setting to verify your installation and
for testing.
HTTP Allow HTTP connections to the web-based manager through this
interface. HTTP connections are not secure and can be intercepted by a
third party.
SSH Allow SSH connections to the CLI through this interface.
SNMP Allow a remote SNMP manager to request SNMP information by
connecting to this interface.
TELNET Allow Telnet connections to the CLI through this interface. Telnet
connections are not secure and can be intercepted by a third party.
FMG-Access Allow FortiManager authorization automatically during the communication
exchange between the FortiManager and FortiGate units.
FCT-Access You can configure a FortiGate interface as an interface that will accept
FortiClient connections. When configured, the FortiGate unit sends
broadcast messages which the FortiClient software running on a end user
PC is listening for.
IPv6
Administrative
Access
Select the types of administrative access permitted for IPv6 connections
to this interface. These types are the same as for Administrative Access.
Detect and
Identify Devices
Select to enable the interface to be used with BYOD hardware such as
iPhones. Define the device definitions by going to User & Device > Device.
Broadcast
Discovery
Messages
Select to enable sends broadcast messages which the FortiClient
software running on a end user PC is listening for.
Once enabled, the FortiGate unit broadcasts a discovery message that
includes the IP address of the interface and listening port number to the
local network. All PCs running FortiClient on that network listen for this
discovery message.
Enable Explicit
Web Proxy
This option is not available for a VLAN interface selection. Select to enable
explicit web proxying on this interface. When enabled, this interface will be
displayed on System > Network > Explicit Proxy under Listen on Interfaces
and web traffic on this interface will be proxied according to the Web
Proxy settings.
Listen for RADIUS
Accounting
Messages
Select to use the interface as a listening port for RADIUS content.
Secondary IP
Address
Add additional IPv4 addresses to this interface. Select the Expand Arrow
to expand or hide the section.
Comments Enter a description up to 63 characters to describe the interface.
Administrative
Status
Select either Up (green arrow) or Down (red arrow) as the status of this
interface.
Up indicates the interface is active and can accept network traffic.
Down indicates the interface is not active and cannot accept traffic.
Gi Gatekeeper
(FortiOS Carrier
only)
For FortiOS Carrier, enable Gi Gatekeeper to enable the Gi firewall as part
of the anti-overbilling configuration. You must also configure Gi
Gatekeeper Settings by going to System > Admin > Settings.
Software switch
A software switch, or soft switch, is a virtual switch that is implemented at the software, or
firmware level, rather than the hardware level. A software switch can be used to simplify
communication between devices connected to different FortiGate interfaces. For example,
using a software switch you can place the FortiGate interface connected to an internal network
on the same subnet as your wireless interfaces. Then devices on the internal network can
communicate with devices on the wireless network without any additional configuration such as
additional security policies, on the FortiGate unit.
It can also be useful if you require more hardware ports on for the switch on a FortiGate unit. For
example, if your FortiGate unit has a 4-port switch, WAN1, WAN2 and DMZ interfaces, and you
need one more port, you can create a soft switch that can include the 4-port switch and the
DMZ interface all on the same subnet. These types of applications also apply to wireless
interfaces and virtual wireless interfaces and physical interfaces such as those with FortiWiFi
and FortiAP unit.
Similar to a hardware switch, a software switch functions like a single interface. A software
switch has one IP address; all of the interfaces in the software switch are on the same subnet.
Traffic between devices connected to each interface are not regulated by security policies, and
traffic passing in and out of the switch are affected by the same policy.
There are a few things to consider when setting up a software switch:
Ensure you create a back up of the configuration.
Ensure you have at least one port or connection such as the console port to connect to the
FortiGate unit. If you accidentally combine too many ports, you will need a way to undo any
errors.
The ports that you include must not have any link or relation to any other aspect of the
FortiGate unit. For example, DHCP servers, security policies, and so on.
For increased security, you can create a captive portal for the switch, allowing only specific
user groups access to the resources connected to the switch.
To create a software switch - CLI
config system switch-interface
edit <switch-name>
set type switch
set member <interface_list>
end
edit <switch_name>
set ip <ip_address>
end
Soft switch example
For this example, the wireless interface (WiFi) needs to be on the same subnet as the DMZ1
interface to facilitate wireless syncing from an iPhone and a local computer. The synching
between two subnets is problematic. By putting both interfaces on the same subnet the
synching will work. The software switch will accomplish this.
Clear the interfaces and back up the configuration
First, ensure that the interfaces are not being used with any other security policy or other use on
the FortiGate unit. Check the WiFi and DMZ1 ports to ensure DHCP is not enabled on the
interface and there are no other dependencies with these interfaces.
Next, save the current configuration, in the event something doesnt work, recovery can be
quick.
Merge the interfaces
The plan is to merge the WiFi port and DMZ1 port. This will create a software switch with a
name of synchro with an IP address of 10.10.21.12. The steps will create the switch, add the
IP and then set the administrative access for HTTPS, SSH and Ping.
To merge the interfaces - CLI
config system switch-interface
edit synchro
set type switch
set member dmz1 wifi
end
edit synchro
set ip 10.10.21.12
end
Final steps
With the switch set up, you can now add security policies, DHCP servers an any other
configuration that you would normally do to configure interfaces on the FortiGate unit.
Virtual Switch
Virtual switch feature enables you create virtual switches on top of the physical switch(es) with
designated interfaces/ports so that a virtual switch can build up its forwarding table through
learning and forward traffic accordingly. When traffic is forwarded among interfaces belonging
to the same virtual switch, the traffic doesn't need to go up to the software stack, but forwarded
directly by the switch. When traffic has to be relayed to interfaces not on the virtual switch, the
traffic will go through the normal data path and be offloaded to NP4 when possible.
This feature is only available on mid to high end FortiGate units, including the 100D, 600C,
1000C, and 1240B.
To enable and configure the virtual switch, enter the CLI commands:
config system virtual-switch
In this example, the soft switch includes a wireless interface. Remember to configure any
wireless security before proceeding. If you leave this interface open without any password or
other security, it leaves open access to not only the wireless interface, but any other interfaces
and devices connected within the software switch.
edit vs1
set physical-switch sw0
config port
edit 1
set port port1
set speed xx
set duplex xx
set status [up|down]
edit 2
set port port2
set ...
end
end
end
Loopback interfaces
A loopback interface is a logical interface that is always up (no physical link dependency) and
the attached subnet is always present in the routing table.
The FortiGate's loopback IP address does not depend on one specific external port, and is
therefore possible to access it through several physical or VLAN interfaces. Multiple loopback
interfaces can be configured in either non-VDOM mode or in each VDOM.
Loopback interfaces still require appropriate firewall policies to allow traffic to and from this type
of interface.
A loopback interface can be used with:
Management access
BGP (TCP) peering
PIM RP
Loopback interfaces are a good practice for OSPF. Setting the OSPF router ID the same as
loopback IP address troubleshooting OSPF easier, and remembering the management IP
addresses (telnet to router ID).
Dynamic routing protocols can be enabled on loopback interfaces
For black hole static route, use the black hole route type instead of the loopback interface.
On some models you can combine two or more physical interfaces to provide link redundancy.
This feature enables you to connect to two or more switches to ensure connectivity in the event
one physical interface or the equipment on that interface fails.
In a redundant interface, traffic is only going over one interface at any time. This differs from an
aggregated interface where traffic is going over all interfaces for distribution of increased
bandwidth. This difference means redundant interfaces can have more robust configurations
with fewer possible points of failure. This is important in a fully-meshed HA configuration.
An interface is available to be in a redundant interface if:
it is a physical interface, not a VLAN interface
it is not already part of an aggregated or redundant interface
it is in the same VDOM as the redundant interface
it has no defined IP address
is not configured for DHCP or PPPoE
it has no DHCP server or relay configured on it
it does not have any VLAN subinterfaces
it is not referenced in any security policy, VIP, or multicast policy
it is not monitored by HA
it is not one of the FortiGate-5000 series backplane interfaces
When an interface is included in a redundant interface, it is not listed on the System > Network
> Interface page. You cannot configure the interface individually and it is not available for
inclusion in security policies, VIPs, or routing.
On-armed sniffer
Available when editing a physical interface that is not the primary connection to the Internet.
Select to configure this interface to operate as a one-armed sniffer as part of configuring a
FortiGate unit to operate as an IDS appliance by sniffing packets for attacks without actually
receiving and otherwise processing the packets. Once the interface is enabled for sniffing you
cannot use the interface for other traffic. You must add sniffer policies for the interface to
actually sniff packets.
When configuring the interface, select specific host, ports and protocols to filter the traffic. You
can also define UTM security profiles to scan traffic with.
Aggregate Interfaces
Link aggregation (IEEE 802.3ad) enables you to bind two or more physical interfaces together to
form an aggregated (combined) link. This new link has the bandwidth of all the links combined.
If a link in the group fails, traffic is transferred automatically to the remaining interfaces with the
only noticeable effect being a reduced bandwidth.
This is similar to redundant interfaces with the major difference being that a redundant interface
group only uses one link at a time, where an aggregate link group uses the total bandwidth of
the functioning links in the group, up to eight.
Support of the IEEE standard 802.3ad for link aggregation is available on some models.
An interface is available to be an aggregate interface if:
it is a physical interface, not a VLAN interface or subinterface
it is not already part of an aggregate or redundant interface
it is in the same VDOM as the aggregated interface. Aggregate ports cannot span multiple
VDOMs.
it does not have an IP address and is not configured for DHCP or PPPoE
it is not referenced in any security policy, VIP, IP Pool or multicast policy
it is not an HA heartbeat interface
it is not one of the FortiGate-5000 series backplane interfaces
Some models of FortiGate units do not support aggregate interfaces. In this case, the
aggregate option is not an option in the web-based manager or CLI. As well, you cannot create
aggregate interfaces from the interfaces in a switch port.
To see if a port is being used or has other dependencies, use the following diagnose command:
diagnose sys checkused system.interface.name <interface_name>
When an interface is included in an aggregate interface, it is not listed on the System > Network
> Interface page. Interfaces will still appear in the CLI, although configuration for those
interfaces will not take affect. You cannot configure the interface individually and it is not
available for inclusion in security policies, VIPs, IP pools, or routing.
Example
This example creates an aggregate interface on a FortiGate-3810A using ports 4-6 with an
internal IP address of 10.13.101.100, as well as the administrative access to HTTPS and SSH.
To create an aggregate interface - web-based manager
1. Go to System > Network > Interface and select Create New.
2. Enter the Name as Aggregate.
3. For the Type, select 802.3ad Aggregate.
If this option does not appear, your FortiGate unit does not support aggregate interfaces.
4. In the Available Interfaces list, select port 4, 5 and 6 and move it to the Selected Interfaces
list.
5. Select the Addressing Mode of Manual.
6. Enter the IP address for the port of 10.13.101.100/24.
7. For Administrative Access select HTTPS and SSH.
8. Select OK.
To create aggregate interface - CLI
edit Aggregate
set type aggregate
set member port4 port5 port6
set vdom root
set ip 172.20.120.100/24
set allowaccess https ssh
end
DHCP on an interface
If you configure an interface to use DHCP, the FortiGate unit automatically broadcasts a DHCP
request from the interface. The interface is configured with the IP address and any DNS server
addresses and default gateway address that the DHCP server provides.
DHCP IPv6 is similar to DHCP IPv4, however there is:
no default gateway option defined because a host learns the gateway using router
advertisement messages
there is no WINS servers because it is obsolete.
For more information about DHCP IPv6, see RFC 3315.
Configure DHCP for an interface in System > Network > Interface and selecting the interface
from the list, and selecting DHCP in the Address Mode. The table describes the DHCP status
information when DHCP is configured for an interface.
PPPoE on an interface
If you configure the interface to use PPPoE, the FortiGate unit automatically broadcasts a
PPPoE request from the interface.
The FortiGate units support many PPPoE RFC features (RFC 2516) including unnumbered IPs,
initial discovery timeout and PPPoE Active Discovery Terminate (PADT).
Addressing mode section of New Interface page for DHCP information
Status Displays DHCP status messages as the interface connects to the
DHCP server and gets addressing information. Select Status to
refresh the addressing mode status message.
Status can be one of:
initializing - No activity.
connecting - interface attempts to connect to the DHCP server.
connected - interface retrieves an IP address, netmask, and
other settings from the DHCP server.
failed - interface was unable to retrieve an IP address and other
settings from the DHCP server.
Obtained
IP/Netmask
The IP address and netmask leased from the DHCP server. Only
displayed if Status is connected.
Renew Select to renew the DHCP license for this interface. Only displayed if
Status is connected.
Expiry Date The time and date when the leased IP address and netmask is no
longer valid for the interface. The IP address is returned to the pool to
be allocated to the next user request for an IP address. Only
displayed if Status is connected.
Default Gateway The IP address of the gateway defined by the DHCP server. Only
displayed if Status is connected, and if Receive default gateway from
server is selected.
Distance Enter the administrative distance for the default gateway retrieved
from the DHCP server. The administrative distance, an integer from
1-255, specifies the relative priority of a route when there are multiple
routes to the same destination. A lower administrative distance
indicates a more preferred route.
Retrieve default
gateway from server
Enable to retrieve a default gateway IP address from the DHCP
server. The default gateway is added to the static routing table.
Override internal DNS Enable to use the DNS addresses retrieved from the DHCP server
instead of the DNS server IP addresses on the DNS page.
When VDOMs are enabled, you can override the internal DNS only
on the management VDOM.
PPPoE is only configurable in the web-based manager on desktop FortiGate units. 1U
FortiGates and up must be configured in the CLI using the commands:
edit <port_name>
set mode pppoe
set username <ISP_username>
set password <ISP_password>
set idle-timeout <seconds>
set distance <integer>
set ipunnumbered <unumbered-IP>
set disc-retry-timeout <seconds>
set padt-retry-timeout <seconds>
set lcp-echo-interval <seconds>
set dns-server-override {enable | disable}
end
Configure PPPoE on an interface in System > Network > Interface. The table describes the
PPPoE status information when PPPoE is configured for an interface.
Addressing mode section of New Interface page
Status Displays PPPoE status messages as the FortiGate unit connects to the
PPPoE server and gets addressing information. Select Status to refresh
the addressing mode status message.
The status is only displayed if you selected Edit.
Status can be any one of the following 4 messages.
Initializing No activity.
Connecting The interface is attempting to connect to the PPPoE server.
Connected The interface retrieves an IP address, netmask, and other settings from
the PPPoE server.
When the status is connected, PPPoE connection information is
displayed.
Failed The interface was unable to retrieve an IP address and other
information from the PPPoE server.
Reconnect Select to reconnect to the PPPoE server.
Only displayed if Status is connected.
User Name The PPPoE account user name.
Password The PPPoE account password.
Unnumbered IP Specify the IP address for the interface. If your ISP has assigned you a
block of IP addresses, use one of them. Otherwise, this IP address can
be the same as the IP address of another interface or can be any IP
address.
Initial Disc Timeout Enter Initial discovery timeout. Enter the time to wait before starting to
retry a PPPoE discovery.
Administrative access
Interfaces, especially the public-facing ports can be potentially accessed by those who you
may not want access to the FortiGate unit. When setting up the FortiGate unit, you can set the
type of protocol an administrator must use to access the FortiGate unit. The options include:
HTTPS
HTTP
SSH
TELNET
PING
SNMP
FortiManager Access (FMG-Access)
FortiClient Access (FCT-Access)
You can select as many, or as few, even none, that are accessible by an administrator.
This example adds an IPv4 address 172.20.120.100 to the WAN1 interface as well as the
administrative access to HTTPS and SSH. As a good practice, set the administrative access
when you are setting the IP address for the port.
To add an IP address on the WAN1 interface - web-based manager
2. Select the WAN1 interface row and select Edit.
5. For Administrative Access, select HTTPS and SSH.
6. Select OK.
Initial PADT timeout Enter Initial PPPoE Active Discovery Terminate (PADT) timeout in
seconds. Use this timeout to shut down the PPPoE session if it is idle
for this number of seconds. PADT must be supported by your ISP. Set
initial PADT timeout to 0 to disable.
Distance Enter the administrative distance for the default gateway retrieved from
the PPPoE server. The administrative distance, an integer from 1-255,
specifies the relative priority of a route when there are multiple routes to
the same destination. A lower administrative distance indicates a more
preferred route. The default distance for the default gateway is 1.
Retrieve default
gateway from server
Enable to retrieve a default gateway IP address from a PPPoE server.
The default gateway is added to the static routing table.
Override internal
DNS
Enable to replace the DNS server IP addresses on the System DNS
page with the DNS addresses retrieved from the PPPoE server.
When VDOMs are enabled, you can override the internal DNS only on
the management VDOM.
To create IP address on the WAN1 interface - CLI
edit wan1
set ip 172.20.120.100/24
end
Wireless
A wireless interface is similar to a physical interface only it does not include a physical
connection. The FortiWiFi units enables you to add multiple wireless interfaces that can be
available at the same time (the FortiWiFi-30B can only have one wireless interface). On FortiWiFi
units, you can configure the device to be either an access point, or a wireless client. As an
access point, the FortiWiFi unit can have up to four separate SSIDs, each on their own subnet
for wireless access. In client mode, the FortiWiFi only has one SSID, and is used as a receiver,
to enable remote users to connect to the existing network using wireless protocols.
Wireless interfaces also require additional security measures to ensure the signal does not get
hijacked and data tampered or stolen.
For more information on configuring wireless interfaces see the Deploying Wireless Networks
Guide.
Interface MTU packet size
You can change the maximum transmission unit (MTU) of the packets that the FortiGate unit
transmits to improve network performance. Ideally, the MTU should be the same as the smallest
MTU of all the networks between the FortiGate unit and the destination of the packets. If the
packets that the FortiGate unit sends are larger than the smallest MTU, they are broken up or
fragmented, which slows down transmission. You can easily experiment by lowering the MTU to
find an MTU size for optimum network performance.
To change the MTU, select Override default MTU value (1 500) and enter the MTU size based on
the addressing mode of the interface
68 to 1 500 bytes for static mode
576 to 1 500 bytes for DHCP mode
576 to 1 492 bytes for PPPoE mode
larger frame sizes if supported by the FortiGate model
Only available on physical interfaces. Virtual interfaces associated with a physical interface
inherit the physical interface MTU size.
Interfaces on some models support frames larger than the traditional 1 500 bytes. Contact
Fortinet Customer Support for the maximum frame sizes that your FortiGate unit supports.
When adding to, or removing a protocol, you must type the entire list again. For example, if you
have an access list of HTTPS and SSH, and you want to add PING, typing:
set allowaccess ping
...only PING will be set. In this case, you must type...
If you need to enable sending larger frames over a route, you need all Ethernet devices on that
route to support that larger frame size, otherwise your larger frames will not be recognized and
are dropped.
If you have standard size and larger size frame traffic on the same interface, routing alone
cannot route them to different routes based only on frame size. However, you can use VLANs to
make sure the larger frame traffic is routed over network devices that support that larger size.
VLANs will inherit the MTU size from the parent interface. You will need to configure the VLAN to
include both ends of the route as well as all switches and routers along the route.
MTU packet size is changed in the CLI. If you select an MTU size larger than your FortiGate unit
supports, an error message will indicate this. In this situation, try a smaller MTU size until the
value is supported.
To change the MTU size, use the following CLI commands:
set mtu-override enable
set mtu <byte_size>
end
Secondary IP addresses to an interface
If an interface is configured with a manual or static IP address, you can also add secondary
static IP addresses to the interface. Adding secondary IP addresses effectively adds multiple IP
addresses to the interface. Secondary IP addresses cannot be assigned using DCHP or PPPoE.
All of the IP addresses added to an interface are associated with the single MAC address of the
physical interface and all secondary IP addresses are in the same VDOM as the interface that
are added to. You configure interface status detection for gateway load balancing separately for
each secondary IP addresses. As with all other interface IP addresses, secondary IP addresses
cannot be on the same subnet as any other primary or secondary IP address assigned to a
FortiGate interface unless they are in separate VDOMs.
To configure a secondary IP, go to System > Network > Interface, select Edit or Create New and
select the Secondary IP Address check box.
Virtual domains
Virtual domains (VDOMs) are a method of dividing a FortiGate unit into two or more virtual units
that function as multiple independent units. A single FortiGate unit is then flexible enough to
serve multiple departments of an organization, separate organizations, or to act as the basis for
a service providers managed security service.
VDOMs provide separate security domains that allow separate zones, user authentication,
security policies, routing, and VPN configurations. By default, each FortiGate unit has a VDOM
named root. This VDOM includes all of the FortiGate physical interfaces, modem, VLAN
subinterfaces, zones, security policies, routing settings, and VPN settings.
If you change the MTU, you need to reboot the FortiGate unit to update the MTU value of VLAN
subinterfaces on the modified interface.
In Transparent mode, if you change the MTU of an interface, you must change the MTU of all
interfaces on the FortiGate unit to match the new MTU.
When a packet enters a VDOM, it is confined to that VDOM. In a VDOM, you can create security
policies for connections between Virtual LAN (VLAN) subinterfaces or zones in the VDOM.
Packets do not cross the virtual domain border internally. To travel between VDOMs, a packet
must pass through a firewall on a physical interface. The packet then arrives at another VDOM
on a different interface, but it must pass through another firewall before entering the VDOM.
Both VDOMs are on the same FortiGate unit. Inter-VDOMs change this behavior in that they are
internal interfaces; however their packets go through all the same security measures as on
physical interfaces.
This example shows how to enable VDOMs on the FortiGate unit and the basic and create a
VDOM accounting on the DMZ2 port and assign an administrator to maintain the VDOM. First
enable Virtual Domains on the FortiGate unit. When you enable VDOMs, the FortiGate unit will
log you out.
For desktop and low-end FortiGate units, VDOMs are enabled using the CLI. On larger
FortiGate units, you can enable on the web-based manager or the CLI. Once enabled all further
configuration can me made in the web-based manager or CLI.
To enable VDOMs - web-based manager
2. In the System Information widget, select Enable for Virtual Domain.
The FortiGate unit logs you out. Once you log back in, you will notice that the menu structure
has changed. This reflects the global settings for all Virtual Domains.
To enable VDOMs - CLI
set vdom-admin enable
end
Next, add the VDOM called accounting.
To add a VDOM - web-based manager
1. Go to System > VDOM > VDOM, and select Create New.
2. Enter the VDOM name accounting.
3. Select OK.
To add a VDOM - CLI
config vdom
edit <new_vdom_name>
end
With the Virtual Domain created, you can assign a physical interface to it, and assign it an IP
address.
To assign physical interface to the accounting Virtual Domain - web-based manager
2. Select the DMZ2 port row and select Edit.
3. For the Virtual Domain drop-down list, select accounting.
6. Set the Administrative Access to HTTPS and SSH.
7. Select OK.
To assign physical interface to the accounting Virtual Domain - CLI
config global
edit dmz2
set vdom accounting
set ip 10.13.101.100/24
next
end
Virtual LANs
The term VLAN subinterface correctly implies the VLAN interface is not a complete interface by
itself. You add a VLAN subinterface to the physical interface that receives VLAN-tagged
packets. The physical interface can belong to a different VDOM than the VLAN, but it must be
connected to a network route that is configured for this VLAN. Without that route, the VLAN will
not be connected to the network, and VLAN traffic will not be able to access this interface.The
traffic on the VLAN is separate from any other traffic on the physical interface.
FortiGate unit interfaces cannot have overlapping IP addresses, the IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces and to
virtual interfaces such as VLAN subinterfaces. Each VLAN subinterface must be configured with
its own IP address and netmask. This rule helps prevent a broadcast storm or other similar
network problems.
Any FortiGate unit, with or without VDOMs enabled, can have a maximum of 255 interfaces in
Transparent operating mode. In NAT/Route operating mode, the number can range from 255 to
8192 interfaces per VDOM, depending on the FortiGate model. These numbers include VLANs,
other virtual interfaces, and physical interfaces. To have more than 255 interfaces configured in
Transparent operating mode, you need to configure multiple VDOMs with many interfaces on
each VDOM.
This example shows how to add a VLAN, vlan_accounting on the FortiGate unit internal
interface with an IP address of 10.13.101.101.
To add a VLAN - web-based manager
1. Go to System > Network > Interface and select Create New.
The Type is by default set to VLAN.
2. Enter a name for the VLAN to vlan_accounting.
3. Select the Internal interface.
4. Enter the VLAN ID.
The VLAN ID is a number between 1 and 4094 that allow groups of IP addresses with the
same VLAN ID to be associated together.
8. Select OK.
To add a VLAN - CLI
edit VLAN_1
set interface internal
set type vlan
set vlanid 100
set ip 10.13.101.101/24
next
end
Zones
Zones are a group of one or more FortiGate interfaces, both physical and virtual, that you can
apply security policies to control inbound and outbound traffic. Grouping interfaces and VLAN
subinterfaces into zones simplifies the creation of security policies where a number of network
segments can use the same policy settings and protection profiles. When you add a zone, you
select the names of the interfaces and VLAN subinterfaces to add to the zone. Each interface
still has its own address and routing is still done between interfaces, that is, routing is not
affected by zones. Security policies can also be created to control the flow of intra-zone traffic.
For example, in the illustration below, the network includes three separate groups of users
representing different entities on the company network. While each group has its own set of
port and VLANs, in each area, they can all use the same security policy and protection profiles
to access the Internet. Rather than the administrator making nine separate security policies, he
can add the required interfaces to a zone, and create three policies, making administration
simpler.
Figure 14:Network zones
You can configure policies for connections to and from a zone, but not between interfaces in a
zone. Using the above example, you can create a security policy to go between zone 1 and
zone 3, but not between WAN2 and WAN1, or WAN1 and DMZ1.
This example explains how to set up a zone to include the Internal interface and a VLAN.
To create a zone - web-based manager
2. Select the arrow on the Create New button and select Zone.
3. Enter a zone name of Zone_1.
4. Select the Internal interface and the virtual LAN interface vlan_accounting created previously.
5. Select OK.
To create a zone - CLI
config system zone
edit Zone_1
set interface internal VLAN_1
end
Zone 1 policies
Z
o
n
e

2

p
o
l
i
c
i
e
s
Z
o
n
e

3

p
o
l
i
c
i
e
s
Zone 1
WAN1, DMZ1,
VLAN 1, 2, 4
Zone 2
Internal
ports 1, 2, 3
Zone 3
WAN2, DMZ2,
VLAN 3
Page 177
Virtual LANs
Virtual Local Area Networks (VLANs) multiply the capabilities of your FortiGate unit, and can
also provide added network security. Virtual LANs (VLANs) use ID tags to logically separate
devices on a network into smaller broadcast domains. These smaller domains forward packets
only to devices that are part of that VLAN domain. This reduces traffic and increases network
security.
A Local Area Network (LAN) is a group of connected computers and devices that are arranged
into network broadcast domains. A LAN broadcast domain includes all the computers that
receive a packet broadcast from any computer in that broadcast domain. A switch will
automatically forward the packets to all of its ports; in contrast, routers do not automatically
forward network broadcast packets. This means routers separate broadcast domains. If a
network has only switches and no routers, that network is considered one broadcast domain,
no matter how large or small it is. Smaller broadcast domains are more efficient because fewer
devices receive unnecessary packets. They are more secure as well because a hacker reading
traffic on the network will have access to only a small portion of the network instead of the
entire networks traffic.
Virtual LANs (VLANs) use ID tags to logically separate a LAN into smaller broadcast domains.
Each VLAN is its own broadcast domain. Smaller broadcast domains reduce traffic and increase
network security. The IEEE 802.1Q standard defines VLANs. All layer-2 and layer-3 devices
along a route must be 802.1Q-compliant to support VLANs along that route. For more
information, see VLAN switching and routing on page 178 and VLAN layer-3 routing on
page 181.
VLANs reduce the size of the broadcast domains by only forwarding packets to interfaces that
are part of that VLAN or part of a VLAN trunk link. Trunk links form switch-to-switch or
switch-to-router connections, and forward traffic for all VLANs. This enables a VLAN to include
devices that are part of the same broadcast domain, but physically distant from each other.
VLAN ID tags consist of a 4-byte frame extension that switches and routers apply to every
packet sent and received in the VLAN. Workstations and desktop computers, which are
commonly originators or destinations of network traffic, are not an active part of the VLAN
process. All the VLAN tagging and tag removal is done after the packet has left the computer.
For more information, see VLAN ID rules on page 178.
Any FortiGate unit without VDOMs enabled can have a maximum of 255 interfaces in
transparent operating mode. The same is true for any single VDOM. In NAT mode, the number
can range from 255 to 8192 interfaces per VDOM, depending on the FortiGate model. These
numbers include VLANs, other virtual interfaces, and physical interfaces. To have more than 255
interfaces configured in transparent operating mode, you need to configure multiple VDOMs
that enable you to divide the total number of interfaces over all the VDOMs.
One example of an application of VLANs is a companys accounting department. Accounting
computers may be located at both main and branch offices. However, accounting computers
need to communicate with each other frequently and require increased security. VLANs allow
the accounting network traffic to be sent only to accounting computers and to connect
accounting computers in different locations as if they were on the same physical subnet.
This guide uses the term packet to refer to both layer-2 frames and layer-3 packets.
VLAN ID rules
Layer-2 switches and layer-3 devices add VLAN ID tags to the traffic as it arrives and remove
them before they deliver the traffic to its final destination. Devices such as PCs and servers on
the network do not require any special configuration for VLANs. Twelve bits of the 4-byte VLAN
tag are reserved for the VLAN ID number. Valid VLAN ID numbers are from 1 to 4094, while 0 is
used for high priority frames, and 4095 is reserved.
On a layer-2 switch, you can have only one VLAN subinterface per physical interface, unless
that interface is configured as a trunk link. Trunk links can transport traffic for multiple VLANs to
other parts of the network.
On a FortiGate unit, you can add multiple VLANs to the same physical interface. However, VLAN
subinterfaces added to the same physical interface cannot have the same VLAN ID or have IP
addresses on the same subnet. You can add VLAN subinterfaces with the same VLAN ID to
different physical interfaces.
Creating VLAN subinterfaces with the same VLAN ID does not create any internal connection
between them. For example a VLAN ID of 300 on port1 and VLAN ID of 300 on port2 are
allowed, but they are not connected. Their relationship is the same as between any two
FortiGate network interfaces.
VLAN switching and routing
VLAN switching takes place on the OSI model layer-2, just like other network switching. VLAN
routing takes place on the OSI model layer-3. The difference between them is that during VLAN
switching, VLAN packets are simply forwarded to their destination. This is different from VLAN
routing where devices can open the VLAN packets and change their VLAN ID tags to route the
packets to a new destination.
VLAN layer-2 switching
Ethernet switches are layer-2 devices, and generally are 802.1Q compliant. Layer 2 refers to the
second layer of the seven layer Open Systems Interconnect (OSI) basic networking model; the
Data Link layer. FortiGate units act as layer-2 switches or bridges when they are in transparent
mode. The units simply tag and forward the VLAN traffic or receive and remove the tags from
the packets. A layer-2 device does not inspect incoming packets or change their contents; it
only adds or removes tags and routes the packet.
A VLAN can have any number of physical interfaces assigned to it. Multiple VLANs can be
assigned to the same physical interface. Typically two or more physical interfaces are assigned
to a VLAN, one for incoming and one for outgoing traffic. Multiple VLANs can be configured on
one FortiGate unit, including trunk links.
Layer-2 VLAN example
To better understand VLAN operation, this example shows what happens to a data frame on a
network that uses VLANs.
The network topology consists of two 8-port switches that are configured to support VLANs on
a network. Both switches are connected through port 8 using an 802.1Q trunk link. Subnet 1 is
connected to switch A, and subnet 2 is connected to switch B. The ports on the switches are
configured as follows.
In this example, switch A is connected to the Branch Office and switch B to the Main Office.
1. A computer on port 1 of switch A sends a data frame over the network.
2. Switch A tags the data frame with a VLAN 100 ID tag upon arrival because port 1 is part of
VLAN 100.
3. Switch A forwards the tagged data frame to the other VLAN 100 ports ports 2 through 4.
Switch A also forwards the data frame to the 802.1Q trunk link (port 8) so other parts of the
network that may contain VLAN 100 groups will receive VLAN 100 traffic.
This data frame is not forwarded to the other ports on switch A because they are not part of
VLAN 100. This increases security and decreases network traffic.
Table 15:How ports and VLANs are used on Switch A and B
Switch Ports VLAN
A 1 - 4 100
A 5 - 7 200
A & B 8 Trunk link
B 4 - 5 100
B 6 200
S
w
i
t
c
h

A
S
w
i
t
c
h

B
B
r
a
n
c
h

O
f
f
i
c
e
M
a
i
n

O
f
f
i
c
e
F
r
a
m
e
V
L
A
N

1
0
0
V
L
A
N

2
0
0
V
L
A
N

2
0
0
V
L
A
N

1
0
0
S
w
S
w
i
t
i
t
c
h
c
h
AA
S
w
S
w
i
t
i
t
c
h
c
h
BB
8
0
2
.
1
Q

t
r
u
n
k

l
i
n
k
P
o
r
t
s

1
-
4
P
o
r
t
s

5
-
7
P
o
r
t
s

4
,

5
P
o
r
t

8
P
o
r
t

8
4. Switch B receives the data frame over the trunk link (port 8).
5. Because there are VLAN 100 ports on switch B (ports 4 and 5), the data frame is forwarded
to those ports. As with switch A, the data frame is not delivered to VLAN 200.
If there were no VLAN 100 ports on switch B, the switch would not forward the data frame
and it would stop there.
6. The switch removes the VLAN 100 ID tag before it forwards the data frame to an end
destination.
The sending and receiving computers are not aware of any VLAN tagging on the data frames
that are being transmitted. When any computer receives that data frame, it appears as a normal
data frame.
S
w
it
c
h

A
S
w
it
c
h

B
B
r
a
n
c
h

O
f
f
ic
e
M
a
in

O
f
f
ic
e
F
r
a
m
e
V
L
A
N

1
0
0
V
L
A
N

2
0
0
V
L
A
N

2
0
0
V
L
A
N

1
0
0
S
w
S
w
it it
c
h
c
h
AA
S
w
S
w
it it
c
h
c
h
BB
8
0
2
.
1
Q

t
r
u
n
k

l
i
n
k
P
o
r
t
s

1
-
4
P
o
r
t
s

5
-
7
P
o
r
t
s

4
,

5
P
o
r
t

8
P
o
r
t

8
S
w
it
c
h

A
S
w
it
c
h

B
B
r
a
n
c
h

O
f
f
ic
e
M
a
in

O
f
f
ic
e
F
r
a
m
e
V
L
A
N

1
0
0
V
L
A
N

2
0
0
V
L
A
N

2
0
0
V
L
A
N

1
0
0
S
w
S
w
it it
c
h
c
h
AA
S
w
S
w
it it
c
h
c
h
BB
8
0
2
.
1
Q

t
r
u
n
k

l
i
n
k
P
o
r
t
s

1
-
4
P
o
r
t
s

5
-
7
P
o
r
t
s

4
,

5
P
o
r
t

8
P
o
r
t

8
VLAN layer-3 routing
Routers are layer-3 devices. Layer 3 refers to the third layer of the OSI networking model, the
Network layer. FortiGate units in NAT mode act as layer-3 devices. As with layer 2, FortiGate
units acting as layer-3 devices are 802.1Q-compliant.
The main difference between layer-2 and layer-3 devices is how they process VLAN tags.
Layer-2 switches just add, read and remove the tags. They do not alter the tags or do any other
high-level actions. Layer-3 routers not only add, read and remove tags but also analyze the data
frame and its contents. This analysis allows layer-3 routers to change the VLAN tag if it is
appropriate and send the data frame out on a different VLAN.
In a layer-3 environment, the 802.1Q-compliant router receives the data frame and assigns a
VLAN ID. The router then forwards the data frame to other members of the same VLAN
broadcast domain. The broadcast domain can include local ports, layer-2 devices and layer-3
devices such as routers and firewalls. When a layer-3 device receives the data frame, the device
removes the VLAN tag and examines its contents to decide what to do with the data frame. The
layer-3 device considers:
source and destination addresses
protocol
port number.
The data frame may be forwarded to another VLAN, sent to a regular non-VLAN-tagged
network or just forwarded to the same VLAN as a layer-2 switch would do. Or, the data frame
may be discarded if the proper security policy has been configured to do so.
Layer-3 VLAN example
In this example, switch A is connected to the Branch Office subnet, the same as subnet 1 in the
layer-2 example. In the Main Office subnet, VLAN 300 is on port 5 of switch B. The FortiGate
unit is connected to switch B on port 1 and the trunk link connects the FortiGate units port 3 to
switch A. The other ports on switch B are unassigned.
This example explains how traffic can change VLANs originating on VLAN 100 and arriving at a
destination on VLAN 300. Layer-2 switches alone cannot accomplish this, but a layer-3 router
can.
1. The VLAN 100 computer at the Branch Office sends the data frame to switch A, where the
VLAN 100 tag is added.
2. Switch A forwards the tagged data frame to the FortiGate unit over the 802.1Q trunk link,
and to the VLAN 100 interfaces on Switch A.
Up to this point everything is the same as in the layer-2 example.
3. The FortiGate unit removes the VLAN 100 tag, and inspects the content of the data frame.
The FortiGate unit uses the content to select the correct security policy and routing options.
4. The FortiGate units security policy allows the data frame to go to VLAN 300 in this example.
The data frame will be sent to all VLAN 300 interfaces, but in the example there is only port 1
S
w
itc
h
A
S
w
itc
h
B
B
r
a
n
c
h
O
ffic
e
M
a
in
O
ffic
e
P
o
r
t 1
V
L
A
N
3
0
0
F
r
a
m
e
V
L
A
N
3
0
0
V
L
A
N
2
0
0
V
L
A
N
1
0
0
S
w
S
w
it itc
h
c
h
AA
S
w
S
ww
S
w
S
w
it it it it it tc
h
c
h
c
h
cc
h
c
h
BBB
8
0
2
.1
Q
tr
u
n
k
lin
k
P
o
r
ts
1
-
4
P
o
r
ts
5
-
7
P
o
r
t 1
P
o
r
t 5
P
o
r
t 3
P
o
r
t 8
P
o
r
t t
1111111
3
0
0 000
0
0
r
t
3
S
w
itc
h
A
S
w
itc
h
B
B
r
a
n
c
h
O
ffic
e
M
a
in
O
ffic
e
P
o
r
t 1
V
L
A
N
3
0
0
F
r
a
m
e
V
L
A
N
3
0
0
V
L
A
N
2
0
0
V
L
A
N
1
0
0
S
w
S
w
it itc
h
c
h
AA
S
w
S
ww
S
w
S
w
it it iit it tc
h
c
h
c
h
cc
h
c
h
BBB
8
0
2
.1
Q
tr
u
n
k
lin
k
P
o
r
ts
1
-
4
P
o
r
ts
5
-
7
P
o
r
t 1
P
o
r
t 5
P
o
r
t 3
P
o
r
t 8
P
o
r
t t
111111
3
0
0000
0
0
r
t
3
on the FortiGate unit. Before the data frame leaves, the FortiGate unit adds the VLAN ID 300
tag to the data frame.
This is the step that layer 2 cannot do. Only layer 3 can retag a data frame as a different
VLAN.
5. Switch B receives the data frame, and removes the VLAN ID 300 tag, because this is the last
hop, and forwards the data frame to the computer on port 5.
In this example, a data frame arrived at the FortiGate unit tagged as VLAN 100. After checking
its content, the FortiGate unit retagged the data frame for VLAN 300. It is this change from
S
w
itc
h
A
S
w
itc
h
B
B
r
a
n
c
h
O
ffic
e
M
a
in
O
ffic
e
P
o
r
t 1
V
L
A
N
3
0
0
V
L
A
N
3
0
0
V
L
A
N
2
0
0
V
L
A
N
1
0
0
S
w
S
w
it itc
h
c
h
AA
S
w
S
ww
S
w
S
w
it it it it it tc
h
c
h
c
h
c
h
c
h
c
h
BBBB
8
0
2
.1
Q
tr
u
n
k
lin
k
P
o
r
ts
1
-
4
P
o
r
ts
5
-
7
P
o
r
t 1
P
o
r
t 5
P
o
r
t 3
P
o
r
t 8
P
o
r
t t
111111
3
0
0 000
0
0
r
t
3
F
r
a
m
e
S
w
itc
h
A
S
w
itc
h
B
B
r
a
n
c
h
O
ffic
e
M
a
in
O
ffic
e
P
o
r
t 1
V
L
A
N
3
0
0
F
r
a
m
e
V
L
A
N
3
0
0
V
L
A
N
2
0
0
V
L
A
N
1
0
0
S
w
S
w
it itc
h
c
h
AA
S
w
S
ww
S
w
S
w
it it iit it tc
h
c
h
c
h
cc
h
c
h
BBBB
8
0
2
.1
Q
tr
u
n
k
lin
k
P
o
r
ts
1
-
4
P
o
r
ts
5
-
7
P
o
r
t 1
P
o
r
t 5
P
o
r
t 3
P
o
r
t 8
P
o
r
t t
1111111
3
0
0 000
0
0
r
t
3
F
r
a
m
e
VLAN 100 to VLAN 300 that requires a layer-3 routing device, in this case the FortiGate unit.
Layer-2 switches cannot perform this change.
VLANs in NAT mode
In NAT mode the FortiGate unit functions as a layer-3 device. In this mode, the FortiGate unit
controls the flow of packets between VLANs, but can also remove VLAN tags from incoming
VLAN packets. The FortiGate unit can also forward untagged packets to other networks, such
as the Internet.
In NAT mode, the FortiGate unit supports VLAN trunk links with IEEE 802.1Q-compliant
switches, or routers. The trunk link transports VLAN-tagged packets between physical subnets
or networks. When you add VLAN sub-interfaces to the FortiGate unit physical interfaces, the
VLANs have IDs that match the VLAN IDs of packets on the trunk link. The FortiGate unit directs
packets with VLAN IDs to sub-interfaces with matching IDs.
You can define VLAN sub-interfaces on all FortiGate physical interfaces. However, if multiple
virtual domains are configured on the FortiGate unit, you will have access to only the physical
interfaces on your virtual domain. The FortiGate unit can tag packets leaving on a VLAN
subinterface. It can also remove VLAN tags from incoming packets and add a different VLAN
tag to outgoing packets.
Normally in VLAN configurations, the FortiGate unit's internal interface is connected to a VLAN
trunk, and the external interface connects to an Internet router that is not configured for VLANs.
In this configuration the FortiGate unit can apply different policies for traffic on each VLAN
interface connected to the internal interface, which results in less network traffic and better
security.
Adding VLAN subinterfaces
A VLAN subinterface, also called a VLAN, is a virtual interface on a physical interface. The
subinterface allows routing of VLAN tagged packets using that physical interface, but it is
separate from any other traffic on the physical interface.
Adding a VLAN subinterface includes configuring:
Physical interface
IP address and netmask
VLAN ID
VDOM
Physical interface
The term VLAN subinterface correctly implies the VLAN interface is not a complete interface by
itself. You add a VLAN subinterface to the physical interface that receives VLAN-tagged
packets. The physical interface can belong to a different VDOM than the VLAN, but it must be
connected to a network router that is configured for this VLAN. Without that router, the VLAN
will not be connected to the network, and VLAN traffic will not be able to access this interface.
The traffic on the VLAN is separate from any other traffic on the physical interface.
When you are working with interfaces on your FortiGate unit, use the Column Settings on the
Interface display to make sure the information you need is displayed. When working with
VLANs, it is useful to position the VLAN ID column close to the IP address. If you are working
with VDOMs, including the Virtual Domain column as well will help you troubleshoot problems
more quickly.
To view the Interface display, go to System > Network > Interface.
IP address and netmask
FortiGate unit interfaces cannot have overlapping IP addresses. The IP addresses of all
interfaces must be on different subnets. This rule applies to both physical interfaces and to
virtual interfaces such as VLAN subinterfaces. Each VLAN subinterface must be configured with
its own IP address and netmask pair. This rule helps prevent a broadcast storm or other similar
network problems.
VLAN ID
The VLAN ID is part of the VLAN tag added to the packets by VLAN switches and routers. The
VLAN ID is a number between 1 and 4094 that allow groups of IP addresses with the same
VLAN ID to be associated together. VLAN ID 0 is used only for high priority frames, and 4095 is
reserved.
All devices along a route must support the VLAN ID of the traffic along that route. Otherwise, the
traffic will be discarded before reaching its destination. For example, if your computer is part of
VLAN_100 and a co-worker on a different floor of your building is also on the same VLAN_100,
you can communicate with each other over VLAN_100, only if all the switches and routers
support VLANs and are configured to pass along VLAN_100 traffic properly. Otherwise, any
traffic you send your co-worker will be blocked or not delivered.
VDOM
If VDOMs are enabled, each VLAN subinterface must belong to a VDOM. This rule also applies
for physical interfaces.
VLAN subinterfaces on separate VDOMs cannot communicate directly with each other. In this
situation, the VLAN traffic must exit the FortiGate unit and re-enter the unit again, passing
through firewalls in both directions. This situation is the same for physical interfaces.
A VLAN subinterface can belong to a different VDOM than the physical interface it is part of.
This is because the traffic on the VLAN is handled separately from the other traffic on that
interface. This is one of the main strengths of VLANs.
The following procedure will add a VLAN subinterface called VLAN_100 to the FortiGate internal
interface with a VLAN ID of 100. It will have an IP address and netmask of
172.100.1.1/255.255.255.0, and allow HTTPS, PING, and TELNET administrative access.
Note that in the CLI, you must enter set type vlan before setting the vlanid, and that the
allowaccess protocols are lower case.
To add a VLAN subinterface in NAT mode - web-based manager
1. If Current VDOM appears at the bottom left of the screen, select Global from the list of
VDOMs.
If you are unable to change your existing configurations to prevent IP overlap, enter the CLI
command config system global and set ip-overlap enable to allow IP address
overlap. If you enter this command, multiple VLAN interfaces can have an IP address that is part
of a subnet used by another interface. This command is recommended for advanced users
only.
Interface-related CLI commands require a VDOM to be specified, regardless of whether the
FortiGate unit has VDOMs enabled.
3. Select Create New to add a VLAN subinterface.
4. Enter the following:
5. Select OK.
To view the new VLAN subinterface, select the expand arrow next to the parent physical
interface (the internal interface). This will expand the display to show all VLAN subinterfaces on
this physical interface. If there is no expand arrow displayed, there are no subinterfaces
configured on that physical interface.
For each VLAN, the list displays the name of the VLAN, and, depending on column settings, its
IP address, the Administrative access you selected for it, the VLAN ID number, and which
VDOM it belongs to if VDOMs are enabled.
To add a VLAN subinterface in NAT mode - CLI
edit VLAN_100
set type vlan
set vlanid 100
set ip 172.100.1.1 255.255.255.0
set allowaccess https ping telnet
end
Configuring security policies and routing
Once you have created a VLAN subinterface on the FortiGate unit, you need to configure
security policies and routing for that VLAN. Without these, the FortiGate unit will not pass VLAN
traffic to its intended destination. Security policies direct traffic through the FortiGate unit
between interfaces. Routing directs traffic across the network.
Configuring security policies
Security policies permit communication between the FortiGate units network interfaces based
on source and destination IP addresses. Interfaces that communicate with the VLAN interface
need security policies to permit traffic to pass between them and the VLAN interface.
VLAN Name VLAN_100
Type VLAN
Interface internal
VLAN ID 100
Addressing Mod Manual
IP/Netmask 172.100.1.1/255.255.255.0
Administrative Access HTTPS, PING, TELNET
Each VLAN needs a security policy for each of the following connections the VLAN will be using:
from this VLAN to an external network
from an external network to this VLAN
from this VLAN to another VLAN in the same virtual domain on the FortiGate unit
from another VLAN to this VLAN in the same virtual domain on the FortiGate unit.
The packets on each VLAN are subject to antivirus scans and other UTM measures as they
pass through the FortiGate unit.
Configuring routing
As a minimum, you need to configure a default static route to a gateway with access to an
external network for outbound packets. In more complex cases, you will have to configure
different static or dynamic routes based on packet source and destination addresses.
As with firewalls, you need to configure routes for VLAN traffic. VLANs need routing and a
gateway configured to send and receive packets outside their local subnet just as physical
interfaces do. The type of routing you configure, static or dynamic, will depend on the routing
used by the subnet and interfaces you are connecting to. Dynamic routing can be routing
information protocol (RIP), border gateway protocol (BGP), open shortest path first (OSPF), or
multicast.
If you enable SSH, PING, TELNET, HTTPS and HTTP on the VLAN, you can use those protocols
to troubleshoot your routing and test that it is properly configured. Enabling logging on the
interfaces and using CLI diagnose commands such as diagnose sniff packet
<interface_name> can also help locate any possible configuration or hardware issues.
Example VLAN configuration in NAT mode
In this example two different internal VLAN networks share one interface on the FortiGate unit,
and share the connection to the Internet. This example shows that two networks can have
separate traffic streams while sharing a single interface. This configuration could apply to two
departments in a single company, or to different companies.
There are two different internal network VLANs in this example. VLAN_100 is on the
10.1.1.0/255.255.255.0 subnet, and VLAN_200 is on the 10.1.2.0/255.255.255.0 subnet. These
VLANs are connected to the VLAN switch, such as a Cisco 2950 Catalyst switch.
The FortiGate internal interface connects to the VLAN switch through an 802.1Q trunk. The
internal interface has an IP address of 192.168.110.126 and is configured with two VLAN
subinterfaces (VLAN_100 and VLAN_200). The external interface has an IP address of
172.16.21.2 and connects to the Internet. The external interface has no VLAN subinterfaces.
Figure 15:FortiGate unit with VLANs in NAT mode
When the VLAN switch receives packets from VLAN_100 and VLAN_200, it applies VLAN ID
tags and forwards the packets of each VLAN both to local ports and to the FortiGate unit across
the trunk link. The FortiGate unit has policies that allow traffic to flow between the VLANs, and
from the VLANs to the external network.
This section describes how to configure a FortiGate unit and a Cisco Catalyst 2950 switch for
this example network topology. The Cisco configuration commands used in this section are IOS
commands.
It is assumed that both the FortiGate unit and the Cisco 2950 switch are installed and
connected and that basic configuration has been completed. On the switch, you will need to be
able to access the CLI to enter commands. Refer to the manual for your FortiGate model as well
as the manual for the switch you select for more information.
It is also assumed that no VDOMs are enabled.
General configuration steps
The following steps provide an overview of configuring and testing the hardware used in this
example. For best results in this configuration, follow the procedures in the order given. Also,
note that if you perform any additional actions between procedures, your configuration may
have different results.
1. Configure the FortiGate unit
Configure the external interface
Add two VLAN subinterfaces to the internal network interface
Add firewall addresses and address ranges for the internal and external networks
Add security policies to allow:
the VLAN networks to access each other
the VLAN networks to access the external network.
2. Configure the VLAN switch
V
L
A
N
S
w
itc
h
V
L
A
N
2
0
0
N
e
tw
o
r
k
1
0
.1
.2
.0
U
n
ta
g
g
e
d
p
a
c
k
e
ts
F
a
0
/9
F
a
0
/3
F
a
0
/2
4
8
0
2
.
1
Q

t
r
u
n
k
E
x
te
r
n
a
l
1
7
2
.1
6
.2
1
.2
In
te
r
n
a
l
1
9
2
.1
6
8
.1
1
0
.1
2
6
V
L
A
N
1
0
0
V
L
A
N
2
0
0
V
L
A
N
1
0
0
N
e
tw
o
r
k
1
0
.1
.1
.0
l
6
.2
1
.2

IIIIInn
te
r
n
111111111111111
9999
2
99
2
.1
6
8
1
L
V
L
V
L
V
L
V
L
A
N
A
N
A
N
A
N
A
N
A
N
SSSSSS
ww
i
w
i
w
i
w
i
w
itc tc tc tc tc
hhh
F
a
F
0
/3 /3 3333
0
/2
4
Configure the FortiGate unit
Configuring the FortiGate unit includes:
Add VLAN subinterfaces
Add the firewall addresses
Add the security policies
The FortiGate units external interface will provide access to the Internet for all internal
networks, including the two VLANs.
To configure the external interface - web-based manager
2. Select Edit for the external interface.
3. Enter the following information and select OK:
To configure the external interface - CLI
edit external
set mode static
set ip 172.16.21.2 255.255.255.0
end
This step creates the VLANs on the FortiGate unit internal physical interface. The IP address of
the internal interface does not matter to us, as long as it does not overlap with the subnets of
the VLAN subinterfaces we are configuring on it.
The rest of this example shows how to configure the VLAN behavior on the FortiGate unit,
configure the switches to direct VLAN traffic the same as the FortiGate unit, and test that the
configuration is correct.
Adding VLAN subinterfaces can be completed through the web-based manager, or the CLI.
To add VLAN subinterfaces - web-based manager
Addressing mode Manual
IP/Network Mask 172.16.21.2/255.255.255.0
Name VLAN_100
Interface internal
VLAN ID 100
5. Enter the following information and select OK::
To add VLAN subinterfaces - CLI
edit VLAN_100
set vdom root
set type vlan
set vlanid 100
set mode static
set ip 10.1.1.1 255.255.255.0
next
edit VLAN_200
set vdom root
set type vlan
set vlanid 200
set mode static
set ip 10.1.2.1 255.255.255.0
end
Add the firewall addresses
You need to define the addresses of the VLAN subnets for use in security policies. The
FortiGate unit provides one default address, all, that you can use when a security policy
applies to all addresses as a source or destination of a packet. However, using all is less
secure and should be avoided when possible.
In this example, the _Net part of the address name indicates a range of addresses instead of a
unique address. When choosing firewall address names, use informative and unique names.
To add the firewall addresses - web-based manager
1. Go to Firewall Objects > Address > Address.
IP/Network Mask 10.1.1.1/255.255.255.0
Name VLAN_200
Interface internal
VLAN ID 200
IP/Network Mask 10.1.2.1/255.255.255.0
5. Enter the following information and select OK::
To add the firewall addresses - CLI
edit VLAN_100_Net
set type ipmask
set subnet 10.1.1.0 255.255.255.0
next
edit VLAN_200_Net
set type ipmask
set subnet 10.1.2.0 255.255.255.0
end
Once you have assigned addresses to the VLANs, you need to configure security policies for
them to allow valid packets to pass from one VLAN to another and to the Internet.
If you do not want to allow all services on a VLAN, you can create a security policy for each
service you want to allow. This example allows all services.
To add the security policies - web-based manager
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and the Policy Subtype as Address.
Name VLAN_100_Net
Type Subnet
Subnet / IP Range 10.1.1.0/255.255.255.0
Name VLAN_200_Net
Type Subnet
Subnet / IP Range 10.1.2.0/255.255.255.0
You can customize the Security Policy display by including some or all columns, and customize
the column order onscreen. Due to this feature, security policy screenshots may not appear the
same as on your screen.
Incoming Interface VLAN_100
Source Address VLAN_100_Net
Outgoing Interface VLAN_200
Destination Address VLAN_200_Net
10.Select Create New.
11.Leave the Policy Type as Firewall and the Policy Subtype as Address.
12.Enter the following information and select OK:
Schedule Always
Service ALL
Action ACCEPT
Enable NAT Enable
Outgoing Interface VLAN_100
Destination Address VLAN_100_Net
Schedule Always
Service ALL
Action ACCEPT
Enable NAT Enable
Outgoing Interface external
Destination Address all
Schedule Always
Service ALL
Action ACCEPT
Enable NAT Enable
To add the security policies - CLI
config firewall policy
edit 1
set srcintf VLAN_100
set srcaddr VLAN_100_Net
set dstintf VLAN_200
set dstaddr VLAN_200_Net
set schedule always
set service ALL
set action accept
set nat enable
set status enable
next
edit 2
set dstintf VLAN_100
set dstaddr VLAN_100_Net
set schedule always
set service ALL
set action accept
set nat enable
set status enable
next
edit 3
set dstintf external
set dstaddr all
set schedule always
set service ALL
set action accept
set nat enable
set status enable
next
edit 4
Outgoing Interface external
Schedule Always
Service ALL
Action ACCEPT
Enable NAT Enable
set dstintf external
set dstaddr all
set schedule always
set service ALL
set action accept
set nat enable
set status enable
end
Configure the VLAN switch
On the Cisco Catalyst 2950 Catalyst VLAN switch, you need to define VLANs 100 and 200 in the
VLAN database, and then add a configuration file to define the VLAN subinterfaces and the
802.1Q trunk interface.
One method to configure a Cisco switch is to connect over a serial connection to the console
port on the switch, and enter the commands at the CLI. Another method is to designate one
interface on the switch as the management interface and use a web browser to connect to the
switchs graphical interface. For details on connecting and configuring your Cisco switch, refer
to the installation and configuration manuals for the switch.
The switch used in this example is a Cisco Catalyst 2950 switch. The commands used are IOS
commands. Refer to the switch manual for help with these commands.
To configure the VLAN subinterfaces and the trunk interfaces
Add this file to the Cisco switch:
!
interface FastEthernet0/3
switchport access vlan 100
!
!
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the configuration:
Port 0/3 VLAN ID 100
Port 0/9
VLAN ID 200
Port 0/24 802.1Q trunk
To complete the setup, configure devices on VLAN_100 and VLAN_200 with default gateways.
The default gateway for VLAN_100 is the FortiGate VLAN_100 subinterface. The default
gateway for VLAN_200 is the FortiGate VLAN_200 subinterface.
Test the configuration
Use diagnostic commands, such as tracert, to test traffic routed through the FortiGate unit
and the Cisco switch.
Testing traffic from VLAN_100 to VLAN_200
In this example, a route is traced between the two internal networks. The route target is a host
on VLAN_200.
Access a command prompt on a Windows computer on the VLAN_100 network, and enter the
following command:
C:\>tracert 10.1.2.2
Tracing route to 10.1.2.2 over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 10.1.1.1
2 <10 ms <10 ms <10 ms 10.1.2.2
Trace complete.
Testing traffic from VLAN_200 to the external network
In this example, a route is traced from an internal network to the external network. The route
target is the external network interface of the FortiGate-800 unit.
From VLAN_200, access a command prompt and enter this command:
C:\>tracert 172.16.21.2
1 <10 ms <10 ms <10 ms 10.1.2.1
2 <10 ms <10 ms <10 ms 172.16.21.2
Trace complete.
VLANs in transparent mode
In transparent mode, the FortiGate unit behaves like a layer-2 bridge but can still provide
services such as antivirus scanning, web filtering, spam filtering and intrusion protection to
traffic. There are some limitations in transparent mode in that you cannot use SSL VPN,
PPTP/L2TP VPN, DHCP server, or easily perform NAT on traffic. The limits in transparent mode
apply to IEEE 802.1Q VLAN trunks passing through the unit.
VLANs and transparent mode
You can insert the FortiGate unit operating in transparent mode into the VLAN trunk without
making changes to your network. In a typical configuration, the FortiGate unit internal interface
accepts VLAN packets on a VLAN trunk from a VLAN switch or router connected to internal
network VLANs. The FortiGate external interface forwards VLAN-tagged packets through
another VLAN trunk to an external VLAN switch or router and on to external networks such as
the Internet. You can configure the unit to apply different policies for traffic on each VLAN in the
trunk.
To pass VLAN traffic through the FortiGate unit, you add two VLAN subinterfaces with the same
VLAN ID, one to the internal interface and the other to the external interface. You then create a
security policy to permit packets to flow from the internal VLAN interface to the external VLAN
interface. If required, you create another security policy to permit packets to flow from the
external VLAN interface to the internal VLAN interface. Typically in transparent mode, you do
not permit packets to move between different VLANs. Network protection features, such as
spam filtering, web filtering and anti-virus scanning, are applied through the UTM profiles
specified in each security policy, enabling very detailed control over traffic.
When the FortiGate unit receives a VLAN-tagged packet at a physical interface, it directs the
packet to the VLAN subinterface with the matching VLAN ID. The VLAN tag is removed from the
packet, and the FortiGate unit then applies security policies using the same method it uses for
non-VLAN packets. If the packet exits the FortiGate unit through a VLAN subinterface, the
VLAN ID for that subinterface is added to the packet and the packet is sent to the
corresponding physical interface. For a configuration example, see Example of VLANs in
transparent mode on page 198.
There are two essential steps to configure your FortiGate unit to work with VLANs in transparent
mode:
Create security policies
You can also configure the protection profiles that manage antivirus scanning, web filtering and
spam filtering. For more information on UTM profiles, see the UTM Guide.
The VLAN ID of each VLAN subinterface must match the VLAN ID added by the
IEEE 802.1Q-compliant router or switch. The VLAN ID can be any number between 1 and 4094,
with 0 being used only for high priority frames and 4095 being reserved. You add VLAN
subinterfaces to the physical interface that receives VLAN-tagged packets.
For this example, we are creating a VLAN called internal_v225 on the internal interface, with a
VLAN ID of 225. Administrative access is enabled for HTTPS and SSH. VDOMs are not enabled.
To add VLAN subinterfaces in transparent mode - web-based manager
3. Enter the following information and select OK.
The FortiGate unit adds the new subinterface to the interface that you selected.
Repeat steps 2 and 3 to add additional VLANs. You will need to change the VLAN ID, Name,
and possibly Interface when adding additional VLANs.
Name internal_v225
Type VLAN
Interface internal
VLAN ID 225
Administrative Access Enable HTTPS, and SSH. These are very secure
access methods.
Comments VLAN 225 on internal interface
To add VLAN subinterfaces in transparent mode - CLI
edit internal_v225
set vlanid 225
set allowaccess HTTPS SSH
set description VLAN 225 on internal interface
set vdom root
end
Create security policies
In transparent mode, the FortiGate unit performs antivirus and antispam scanning on each
VLANs packets as they pass through the unit. You need security policies to permit packets to
pass from the VLAN interface where they enter the unit to the VLAN interface where they exit the
unit. If there are no security policies configured, no packets will be allowed to pass from one
interface to another.
To add security policies for VLAN subinterfaces - web based manager
1. Go to Firewall Objects > Address > Address.
2. Select Create New to add firewall addresses that match the source and destination IP
addresses of VLAN packets.
5. From the Incoming Interface/Zone list, select the VLAN interface where packets enter the
unit.
6. From the Outgoing Interface/Zone list, select the VLAN interface where packets exit the unit.
7. Select the Source and Destination Address names that you added in step 2.
8. Select OK.
To add security policies for VLAN subinterfaces - CLI
edit incoming_VLAN_address
set associated-interface <incoming_VLAN_interface>
set type ipmask
set subnet <IPv4_address_mask)
next
edit outgoing_VLAN_address
set associated-interface <outgoing_VLAN_interface>
set type ipmask
set subnet <IPv4_address_mask>
next
end
edit <unused_policy_number>
set srcintf <incoming_VLAN_interface>
set srcaddr incoming_VLAN_address
set destintf <outgoing_VLAN_interface>
set destaddr outgoing_VLAN_address
set service <protocol_to_allow_on VLAN>
set action ACCEPT
next
end
Example of VLANs in transparent mode
In this example, the FortiGate unit is operating in transparent mode and is configured with two
VLANs: one with an ID of 100 and the other with ID 200. The internal and external physical
interfaces each have two VLAN subinterfaces, one for VLAN_100 and one for VLAN_200.
The IP range for the internal VLAN_100 network is 10.100.0.0/255.255.0.0, and for the internal
VLAN_200 network is 10.200.0.0/255.255.0.0.
The internal networks are connected to a Cisco 2950 VLAN switch, which combines traffic from
the two VLANs onto one the FortiGate unit internal interface. The VLAN traffic leaves the
FortiGate unit on the external network interface, goes on to the VLAN switch, and on to the
Internet. When the FortiGate units receives a tagged packet, it directs it from the incoming
VLAN subinterface to the outgoing VLAN subinterface for that VLAN.
This section describes how to configure a FortiGate-800 unit, Cisco switch, and Cisco router in
the network topology shown in Figure 180.
Figure 16:VLAN transparent network topology
General configuration steps
The following steps summarize the configuration for this example. For best results, follow the
procedures in the order given. Also, note that if you perform any additional actions between
procedures, your configuration may have different results.
V
L
A
N
r
o
u
te
r

1
0
.1
0
0
.0
.1
1
0
.2
0
0
.0
.1
V
L
A
N
S
w
itc
h
V
L
A
N
2
0
0
N
e
tw
o
r
k
1
0
.2
0
0
.0
.0
F
a
0
/9
F
a
0
/3
F
a
0
/2
4
8
0
2
.
1
Q

t
r
u
n
k
V
L
A
N

1
,

2
E
x
te
r
n
a
l
In
te
r
n
a
l
V
L
A
N
1
0
0
V
L
A
N
2
0
0
V
L
A
N
1
0
0
N
e
tw
o
r
k
1
0
.1
0
0
.0
.0
e
r
n
a
l
IIIIIn IIn In Inn
tte
r
n
a
V
L
V
L
V
L
V
L
V
A
N
A
N
A
N
A
N
A
N
A
N
SSSSSS
ww
i
w
i
w
i
ww
ittc tc tc t
hhh
F
a
F
0
/3 /3333
0
/2
4
1. Configure the FortiGate unit which includes
Adding VLAN subinterfaces
Adding the security policies
2. Configure the Cisco switch and router
Configure the FortiGate unit
The FortiGate unit must be configured with the VLAN subinterfaces and the proper security
policies to enable traffic to flow through the FortiGate unit.
For each VLAN, you need to create a VLAN subinterface on the internal interface and another
one on the external interface, both with the same VLAN ID.
To add VLAN subinterfaces - web-based manager
Name VLAN_100_int
Interface internal
VLAN ID 100
Name VLAN_100_ext
Interface external
VLAN ID 100
Name VLAN_200_int
Interface internal
VLAN ID 200
Name VLAN_200_ext
Interface external
VLAN ID 200
To add VLAN subinterfaces - CLI
edit VLAN_100_int
set status down
set type vlan
set vlanid 100
next
edit VLAN_100_ext
set status down
set type vlan
set interface external
set vlanid 100
next
edit VLAN_200_int
set status down
set type vlan
set vlanid 200
next
edit VLAN_200_ext
set status down
set type vlan
set interface external
set vlanid 200
end
Security policies allow packets to travel between the VLAN_100_int interface and the
VLAN_100_ext interface. Two policies are required; one for each direction of traffic. The same is
required between the VLAN_200_int interface and the VLAN_200_ext interface, for a total of four
required security policies.
To add the security policies - web-based manager
Incoming Interface VLAN_100_int
Source Address all
Outgoing Interface VLAN_100_ext
Schedule Always
Service ALL
Action ACCEPT
10.Select Create New.
11.Leave the Policy Type as Firewall and the Policy Subtype as Address.
12.Enter the following information and select OK::
Incoming Interface VLAN_100_ext
Source Address all
Outgoing Interface VLAN_100_int
Schedule Always
Service ALL
Action ACCEPT
Incoming Interface VLAN_200_int
Source Address all
Outgoing Interface VLAN_200_ext
Schedule Always
Service ALL
Action ACCEPT
Enable NAT Enable
Incoming Interface VLAN_200_ext
Source Address all
Outgoing Interface VLAN_200_int
Schedule Always
Service ALL
Action ACCEPT
To add the security policies - CLI
edit 1
set srcintf VLAN_100_int
set srcaddr all
set dstintf VLAN_100_ext
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 2
set srcintf VLAN_100_ext
set srcaddr all
set dstintf VLAN_100_int
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 3
set srcintf VLAN_200_int
set srcaddr all
set dstintf VLAN_200_ext
set dstaddr all
set action accept
set schedule always
set service ALL
next
edit 4
set srcintf VLAN_200_ext
set srcaddr all
set dstintf VLAN_200_int
set dstaddr all
set action accept
set schedule always
set service ALL
end
Configure the Cisco switch and router
This example includes configuration for the Cisco Catalyst 2900 ethernet switch, and for the
Cisco Multiservice 2620 ethernet router. If you have access to a different VLAN enabled switch
or VLAN router you can use them instead, however their configuration is not included in this
document.
Configure the Cisco switch
On the VLAN switch, you need to define VLAN_100 and VLAN_200 in the VLAN database and
then add a configuration file to define the VLAN subinterfaces and the 802.1Q trunk interface.
Add this file to the Cisco switch:
!
!
switchport trunk encapsulation dot1q
switchport mode trunk
!
The switch has the following configuration:
Configure the Cisco router
You need to add a configuration file to the Cisco Multiservice 2620 ethernet router. The file
defines the VLAN subinterfaces and the 802.1Q trunk interface on the router. The 802.1Q trunk
is the physical interface on the router.
The IP address for each VLAN on the router is the gateway for that VLAN. For example, all
devices on the internal VLAN_100 network will have 10.100.0.1 as their gateway.
Add this file to the Cisco router:
!
!
interface FastEthernet0/0.1
encapsulation dot1Q 100
ip address 10.100.0.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 200
ip address 10.200.0.1 255.255.255.0
!
The router has the following configuration:
Port 0/0.1 VLAN ID 100
Port 0/0.2 VLAN ID 200
Test the configuration
Use diagnostic network commands such as traceroute (tracert) and ping to test traffic routed
through the network.
Testing traffic from VLAN_100 to VLAN_200
In this example, a route is traced between the two internal networks. The route target is a host
on VLAN_200. The Windows traceroute command tracert is used.
From VLAN_100, access a Windows command prompt and enter this command:
C:\>tracert 10.1.2.2
1 <10 ms <10 ms <10 ms 10.1.1.1
2 <10 ms <10 ms <10 ms 10.1.2.2
Trace complete.
Troubleshooting VLAN issues
Several problems can occur with your VLANs. Since VLANs are interfaces with IP addresses,
they behave as interfaces and can have similar problems that you can diagnose with tools such
as ping, traceroute, packet sniffing, and diag debug.
Asymmetric routing
You might discover unexpectedly that hosts on some networks are unable to reach certain other
networks. This occurs when request and response packets follow different paths. If the
FortiGate unit recognizes the response packets, but not the requests, it blocks the packets as
invalid. Also, if the FortiGate unit recognizes the same packets repeated on multiple interfaces,
it blocks the session as a potential attack.
This is asymmetric routing. By default, the FortiGate unit blocks packets or drops the session
when this happens. You can configure the FortiGate unit to permit asymmetric routing by using
the following CLI commands:
config vdom
edit <vdom_name>
config system settings
set asymroute enable
end
end
If VDOMs are enabled, this command is per VDOM. You must set it for each VDOM that has the
problem. If this solves your blocked traffic issue, you know that asymmetric routing is the cause.
But allowing asymmetric routing is not the best solution, because it reduces the security of your
network.
For a long-term solution, it is better to change your routing configuration or change how your
FortiGate unit connects to your network. The Asymmetric Routing and Other FortiGate Layer-2
Installation Issues technical note provides detailed examples of asymmetric routing situations
and possible solutions.
Layer-2 and Arp traffic
By default, FortiGate units do not pass layer-2 traffic. If there are layer-2 protocols such as IPX,
PPTP or L2TP in use on your network, you need to configure your FortiGate unit interfaces to
pass these protocols without blocking. Another type of layer-2 traffic is ARP traffic. For more
information on ARP traffic, see ARP traffic on page 205.
You can allow these layer-2 protocols using the CLI command:
config vdom
edit <vdom_name>
edit <name_str>
set l2forward enable
end
end
where <name_str> is the name of an interface.
If VDOMs are enabled, this command is per VDOM. You must set it for each VDOM that has the
problem. If you enable layer-2 traffic, you may experience a problem if packets are allowed to
repeatedly loop through the network. This repeated looping, very similar to a broadcast storm,
occurs when you have more than one layer-2 path to a destination. Traffic may overflow and
bring your network to a halt. You can break the loop by enabling Spanning Tree Protocol (STP)
on your networks switches and routers. For more information, see STP forwarding on
page 1262.
ARP traffic
Address Resolution Protocol (ARP) packets are vital to communication on a network, and ARP
support is enabled on FortiGate unit interfaces by default. Normally you want ARP packets to
pass through the FortiGate unit, especially if it is sitting between a client and a server or
between a client and a router.
ARP traffic can cause problems, especially in transparent mode where ARP packets arriving on
one interface are sent to all other interfaces including VLAN subinterfaces. Some layer-2
switches become unstable when they detect the same MAC address originating on more than
one switch interface or from more than one VLAN. This instability can occur if the layer-2 switch
does not maintain separate MAC address tables for each VLAN. Unstable switches may reset
and cause network traffic to slow down considerably.
Note that the default ARP timeout value is 300 seconds. This is not a configurable value.
Multiple VDOMs solution
By default, physical interfaces are in the root domain. If you do not configure any of your VLANs
in the root VDOM, it will not matter how many interfaces are in the root VDOM.
The multiple VDOMs solution is to configure multiple VDOMs on the FortiGate unit, one for each
VLAN. In this solution, you configure one inbound and one outbound VLAN interface in each
If you enable asymmetric routing, antivirus and intrusion prevention systems will not be
effective. Your FortiGate unit will be unaware of connections and treat each packet individually.
It will become a stateless firewall.
VDOM. ARP packets are not forwarded between VDOMs. This configuration limits the VLANs in
a VDOM and correspondingly reduces the administration needed per VDOM.
As a result of this configuration, the switches do not receive multiple ARP packets with
duplicate MACs. Instead, the switches receive ARP packets with different VLAN IDs and
different MACs. Your switches are stable.
However, you should not use the multiple VDOMs solution under any of the following
conditions:
you have more VLANs than licensed VDOMs
you do not have enough physical interfaces
Instead, use one of two possible solutions, depending on which operation mode you are using:
In NAT mode, you can use the vlan forward CLI command.
In transparent mode, you can use the forward-domain CLI command. But you still need to
be careful in some rare configurations.
Vlanforward solution
If you are using NAT mode, the solution is to use the vlanforward CLI command for the
interface in question. By default, this command is enabled and will forward VLAN traffic to all
VLANs on this interface. When disabled, each VLAN on this physical interface can send traffic
only to the same VLAN. There is no cross-talk between VLANs, and ARP packets are forced
to take one path along the network which prevents the multiple paths problem.
In the following example, vlanforward is disabled on port1. All VLANs configured on port1
will be separate and will not forward any traffic to each other.
edit port1
set vlanforward disable
end
Forward-domain solution
If you are using transparent mode, the solution is to use the forward-domain CLI command.
This command tags VLAN traffic as belonging to a particular collision group, and only VLANs
tagged as part of that collision group receive that traffic. It is like an additional set of VLANs. By
default, all interfaces and VLANs are part of forward-domain collision group 0. The many
benefits of this solution include reduced administration, the need for fewer physical interfaces,
and the availability of more flexible network solutions.
In the following example, forward-domain collision group 340 includes VLAN 340 traffic on
port1 and untagged traffic on port 2. Forward-domain collision group 341 includes VLAN 341
traffic on port 1 and untagged traffic on port 3. All other interfaces are part of forward-domain
collision group 0 by default. This configuration separates VLANs 340 and 341 from each other
on port 1, and prevents the ARP packet problems from before.
Use these CLI commands:
edit port1
next
edit port2
set forward_domain 340
next
edit port3
next
edit port1-340
set interface port1
set vlanid 340
next
edit port1-341
set interface port1
set vlanid 341
end
You may experience connection issues with layer-2 traffic, such as ping, if your network
configuration has:
packets going through the FortiGate unit in transparent mode more than once
more than one forwarding domain (such as incoming on one forwarding domain and
outgoing on another)
IPS and AV enabled.
Now IPS and AV is applied the first time packets go through the FortiGate unit, but not on
subsequent passes. Only applying IPS and AV to this first pass fixes the network layer-2 related
connection issues.
NetBIOS
Computers running Microsoft Windows operating systems that are connected through a
network rely on a WINS server to resolve host names to IP addresses. The hosts communicate
with the WINS server by using the NetBIOS protocol.
To support this type of network, you need to enable the forwarding of NetBIOS requests to a
WINS server. The following example will forward NetBIOS requests on the internal interface for
the WINS server located at an IP address of 192.168.111.222.
edit internal
set netbios_forward enable
set wins-ip 192.168.111.222
end
These commands apply only in NAT mode. If VDOMs are enabled, these commands are per
VDOM. You must set them for each VDOM that has the problem.
STP forwarding
The FortiGate unit does not participate in the Spanning Tree Protocol (STP). STP is an IEEE
802.1 protocol that ensures there are no layer-2 loops on the network. Loops are created when
there is more than one route for traffic to take and that traffic is broadcast back to the original
switch. This loop floods the network with traffic, reducing available bandwidth to nothing.
If you use your FortiGate unit in a network topology that relies on STP for network loop
protection, you need to make changes to your FortiGate configuration. Otherwise, STP
recognizes your FortiGate unit as a blocked link and forwards the data to another path. By
default, your FortiGate unit blocks STP as well as other non-IP protocol traffic.
Using the CLI, you can enable forwarding of STP and other layer-2 protocols through the
interface. In this example, layer-2 forwarding is enabled on the external interface:
edit external
set l2forward enable
set stpforward enable
end
By substituting different commands for stpforward enable, you can also allow layer-2
protocols such as IPX, PPTP or L2TP to be used on the network. For more information, see
Layer-2 and Arp traffic on page 205.
Too many VLAN interfaces
Any virtual domain can have a maximum of 255 interfaces in transparent mode. This includes
VLANs, other virtual interfaces, and physical interfaces. NAT mode supports from 255 to 8192
depending on the FortiGate model. This total number of interfaces includes VLANs, other virtual
interfaces, and physical interfaces.
Your FortiGate unit may allow you to configure more interfaces than this. However, if you
configure more than 255 interfaces, your system will become unstable and, over time, will not
work properly. As all interfaces are used, they will overflow the routing table that stores the
interface information, and connections will fail. When you try to add more interfaces, an error
message will state that the maximum limit has already been reached.
If you see this error message, chances are you already have too many VLANs on your system
and your routing has become unstable. To verify, delete a VLAN and try to add it back. If you
have too many, you will not be able to add it back on to the system. In this case, you will need to
remove enough interfaces (including VLANs) so that the total number of interfaces drops to 255
or less. After doing this, you should also reboot your FortiGate unit to clean up its memory and
buffers, or you will continue to experience unstable behavior.
To configure more than 255 interfaces on your FortiGate unit in transparent mode, you have to
configure multiple VDOMs, each with many VLANs. However, if you want to create more than
the default 10 VDOMs (or a maximum of 2550 interfaces), you must buy a license for additional
VDOMs. Only FortiGate models 3000 and higher support more than 10 VDOMs.
With these extra licenses, you can configure up to 500 VDOMs, with each VDOM containing up
to 255 VLANs in transparent mode. This is a theoretical maximum of over 127 500 interfaces.
However, system resources will quickly get used up before reaching that theoretical maximum.
To achieve the maximum number of VDOMs, you need to have top-end hardware with the most
resources possible.
In NAT mode, if you have a top-end model, the maximum interfaces per VDOM can be as high
as 8192, enough for all the VLANs in your configuration.
Your FortiGate unit has limited resources, such as CPU load and memory, that are divided
between all configured VDOMs. When running 250 or more VDOMs, you may need to monitor
the system resources to ensure there is enough to support the configured traffic processing.
Page 209
PPTP and L2TP
A virtual private network (VPN) is a way to use a public network, such as the Internet, as a
vehicle to provide remote offices or individual users with secure access to private networks.
FortiOS supports the Point-to-Point Tunneling Protocol (PPTP), which enables interoperability
between FortiGate units and Windows or Linux PPTP clients. Because FortiGate units support
industry standard PPTP VPN technologies, you can configure a PPTP VPN between a FortiGate
unit and most third-party PPTP VPN peers.
This section describes how to configure PPTP and L2TP VPNs as well as PPTP passthrough.
How PPTP VPNs work
FortiGate unit as a PPTP server
Configuring the FortiGate unit for PPTP VPN
Configuring the FortiGate unit for PPTP pass through
Testing PPTP VPN connections
Logging VPN events
Configuring L2TP VPNs
L2TP configuration overview
How PPTP VPNs work
The Point-to-Point Tunneling Protocol enables you to create a VPN between a remote client and
your internal network. Because it is a Microsoft Windows standard, PPTP does not require
third-party software on the client computer. As long as the ISP supports PPTP on its servers,
you can create a secure connection by making relatively simple configuration changes to the
client computer and the FortiGate unit.
PPTP uses Point-to-Point protocol (PPP) authentication protocols so that standard PPP
software can operate on tunneled PPP links. PPTP packages data in PPP packets and then
encapsulates the PPP packets within IP packets for transmission through a VPN tunnel.
When the FortiGate unit acts as a PPTP server, a PPTP session and tunnel is created as soon as
the PPTP client connects to the FortiGate unit. More than one PPTP session can be supported
on the same tunnel. FortiGate units support PAP, CHAP, and plain text authentication. PPTP
clients are authenticated as members of a user group.
Traffic from one PPTP peer is encrypted using PPP before it is encapsulated using Generic
Routing Encapsulation (GRE) and routed to the other PPTP peer through an ISP network. PPP
packets from the remote client are addressed to a computer on the private network behind the
FortiGate unit. PPTP packets from the remote client are addressed to the public interface of the
FortiGate unit. See Figure 17 on page 210
.
Figure 17:Packet encapsulation
In Figure 17, traffic from the remote client is addressed to a computer on the network behind the
FortiGate unit. When the PPTP tunnel is established, packets from the remote client are
encapsulated and addressed to the FortiGate unit. The FortiGate unit forwards disassembled
packets to the computer on the internal network.
When the remote PPTP client connects, the FortiGate unit assigns an IP address from a
reserved range of IP addresses to the client PPTP interface. The PPTP client uses the assigned
IP address as its source address for the duration of the connection.
When the FortiGate unit receives a PPTP packet, the unit disassembles the PPTP packet and
forwards the packet to the correct computer on the internal network. The security policy and
protection profiles on the FortiGate unit ensure that inbound traffic is screened and processed
securely.
PPTP control channel messages are not authenticated, and their integrity is not protected.
Furthermore, encapsulated PPP packets are not cryptographically protected and may be read
or modified unless appropriate encryption software such as Secure Shell (SSH) or Secure File
Transfer Protocol (SFTP) is used to transfer data after the tunnel has been established.
As an alternative, you can use encryption software such as Microsoft Point-to-Point Encryption
(MPPE) to secure the channel. MPPE is built into Microsoft Windows clients and can be
installed on Linux clients. FortiGate units support MPPE.
3
1
2
3
1
2
3
1
2
T
r
a
ffic
d
e
s
tin
a
tio
n
1
9
2
.1
6
8
.2
0
.2
T
r
a
ffic
d
e
s
tin
a
tio
n
1
9
2
.1
6
8
.2
0
.2
P
P
T
P
p
a
c
k
e
ts
d
e
s
tin
a
tio
n
1
7
2
.1
6
.3
0
.1
3
1
2
P
P
T
P
p
a
c
k
e
ts
d
e
s
tin
a
tio
n
1
7
2
.1
6
.3
0
.1
1
7
2
.1
6
.3
0
.1
PPTP clients must be authenticated before a tunnel is established. The authentication process
relies on FortiGate user group definitions, which can optionally use established authentication
mechanisms such as RADIUS or LDAP to authenticate PPTP clients. All PPTP clients are
challenged when a connection attempt is made.
FortiGate unit as a PPTP server
In the most common Internet scenario, the PPTP client connects to an ISP that offers PPP
connections with dynamically-assigned IP addresses. The ISP forwards PPTP packets to the
Internet, where they are routed to the FortiGate unit.
Figure 18:FortiGate unit as a PPTP server
If the FortiGate unit will act as a PPTP server, there are a number of steps to complete:
Configure user authentication for PPTP clients.
Enable PPTP.
Specify the range of addresses that are assigned to PPTP clients when connecting
Configure the security policy.
Configuring user authentication for PPTP clients
To enable authentication for PPTP clients, you must create user accounts and a user group to
identify the PPTP clients that need access to the network behind the FortiGate unit. Within the
user group, you must add a user for each PPTP client.
You can choose to use a plain text password for authentication or forward authentication
requests to an external RADIUS, LDAP, or TACACS+ server. If password protection will be
provided through a RADIUS, LDAP, or TACACS+ server, you must configure the FortiGate unit to
forward authentication requests to the authentication server.
This example creates a basic user/password combination.
Configuring a user account
To add a local user - web-based manager
1. Go to User & Device > User > User Definition and select Create New.
2. Enter a User Name.
3. Enter a Password for the user. The password should be at least six characters.
4. Select OK.
I
n
t
e
r
n
a
l

N
e
t
w
o
r
k
P
P
T
P
_
C
l
i
e
n
t
_
1
P
P
T
P
_
C
l
i
e
n
t
_
3
P
P
T
P
_
C
l
i
e
n
t
_
2
To add a local user - CLI
config user local
edit <username>
set type password
set passwd <password>
end
Configuring a user group
To ease configuration, create user groups that contain users in similar categories or
departments.
To create a user group - web-based manager
1. Go to User & Device > User > User Group and select Create New.
2. Enter a Name for the group.
3. Select the Type of Firewall.
4. From the Available Users list, select the required users and select the right-facing arrow to
add them to the Members list.
5. Select OK.
To create a user group - CLI
config user group
edit <group_name>
set group-type firewall
set members <user_names>
end
Enabling PPTP and specifying the PPTP IP address range
The PPTP address range specifies the range of addresses reserved for remote PPTP clients.
When a PPTP client connects to the FortiGate unit, the client is assigned an IP address from
this range. Afterward, the FortiGate unit uses the assigned address to communicate with the
PPTP client.
The address range that you reserve can be associated with private or routable IP addresses. If
you specify a private address range that matches a network behind the FortiGate unit, the
assigned address will make the PPTP client appear to be part of the internal network.
PPTP requires two IP addresses, one for each end of the tunnel. The PPTP address range is the
range of addresses reserved for remote PPTP clients. When the remote PPTP client establishes
a connection, the FortiGate unit assigns an IP address from the reserved range of IP addresses
to the client PPTP interface or retrieves the assigned IP address from the PPTP user group. If
you use the PPTP user group, you must also define the FortiGate end of the tunnel by entering
the IP address of the unit in Local IP (web-based manager) or local-ip (CLI). The PPTP client
uses the assigned IP address as its source address for the duration of the connection.
PPTP configuration is only available through the CLI. In the example below, PPTP is enabled
with the use of an IP range of 182.168.1.1 to 192.168.1.10 for addressing.
The start and end IPs in the PPTP address range must be in the same 24-bit subnet, for
example, 192.168.1.1 - 192.168.1.254.
config vpn pptp
set status enable
set ip-mode range
set eip 192.168.1.10
set sip 192.168.1.1
end
In this example, PPTP is enabled with the use of a user group for addressing, where the IP
address of the PPTP server is 192.168.1.2 and the user group is hr_admin.
config vpn pptp
set status enable
set ip-mode range
set local-ip 192.168.2.1
set usrgrp hr_admin
end
Adding the security policy
The security policy specifies the source and destination addresses that can generate traffic
inside the PPTP tunnel and defines the scope of services permitted through the tunnel. If a
selection of services are required, define a service group.
To configure the firewall for the PPTP tunnel - web-based manager
3. Complete the following and select OK:
Do not select identity-based policy, as this will cause the PPTP access to fail. Authentication is
configured in the PPTP configuration setup
Incoming Interface The FortiGate interface connected to the Internet.
Source Address Select the name that corresponds to the range of addresses
that you reserved for PPTP clients.
Outgoing Interface The FortiGate interface connected to the internal network.
Destination Address Select the name that corresponds to the IP addresses
behind the FortiGate unit.
Schedule always
Service ALL
Action ACCEPT
To configure the firewall for the PPTP tunnel - CLI
edit 1
set srcintf <interface to internet>
set dstintf <interface to internal network>
set srcaddr <reserved_range>
set dstaddr <internal_addresses>
set action accept
set schedule always
set service ALL
end
Configuring the FortiGate unit for PPTP VPN
To arrange for PPTP packets to pass through the FortiGate unit to an external PPTP server,
perform the following tasks in the order given:
Configure user authentication for PPTP clients.
Enable PPTP on the FortiGate unit and specify the range of addresses that can be assigned
to PPTP clients when they connect.
Configure PPTP pass through on the FortiGate unit.
Configuring the FortiGate unit for PPTP pass through
To forward PPTP packets to a PPTP server on the network behind the FortiGate unit, you need
to perform the following configuration tasks on the FortiGate unit:
Define a virtual IP address that points to the PPTP server.
Create a security policy that allows incoming PPTP packets to pass through to the PPTP
server.
Configuring a virtual IP address
The virtual IP address will be the address of the PPTP server host.
To define a virtual IP for PPTP pass through - web-based manager
1. Go to Firewall Objects > Virtual IP > Virtual IP.
3. Enter the name of the VIP, for example, PPTP_Server.
4. Select the External Interface where the packets will be received for the PPTP server.
5. Enter the External IP Address for the VIP.
6. Select Port Forwarding.
7. Set the Protocol to TCP.
The address range is the external (public) ip address range which requires access to the internal
PPTP server through the FortiGate virtual port-forwarding firewall.
IP addresses used in this document are fictional and follow the technical documentation
guidelines specific to Fortinet. Real external IP addresses are not used.
8. Enter the External Service Port of 1723, the default for PPTP.
9. Enter the Map to Port to 1723.
10.Select OK.
To define a virtual IP for PPTP pass through - web-based manager
config firewall vip
edit PPTP_Server
set extinf <interface>
set extip <ip_address>
set portforward enable
set protocol tcp
set extport 1723
set mappedport 1723
end
Configuring a port-forwarding security policy
To create a port-forwarding security policy for PPTP pass through you must first create an
address range reserved for the PPTP clients.
To create an address range - web-based manager
1. Go to Firewall Objects > Address > Address and select Create New.
2. Enter a Name for the range, for example, External_PPTP.
3. Select a Type of Subnet/IP Range.
4. Enter the IP address range.
5. Select the Interface to the Internet.
6. Select OK.
To create an address range - CLI
edit External_PPTP
set iprange <ip_range>
set start-ip <ip_address>
set end-ip <ip_address>
set associated-interface <internet_interface>
end
With the address set, you can add the security policy.
To add the security policy - web-based manager
3. Complete the following and select OK:
Incoming Interface The FortiGate interface connected to the Internet.
Source Address Select the address range created in the previous step.
Outgoing Interface The FortiGate interface connected to the PPTP server.
Destination Address Select the VIP address created in the previous steps.
To add the security policy - CLI
edit <policy_number>
set srcintf <interface to internet>
set dstintf <interface to PPTP server>
set srcaddr <address_range>
set dstaddr <PPTP_server_address>
set action accept
set schedule always
set service PPTP
end
Testing PPTP VPN connections
To confirm that a PPTP VPN between a local network and a dialup client has been configured
correctly, at the dialup client, issue a ping command to test the connection to the local network.
The PPTP VPN tunnel initializes when the dialup client attempts to connect.
Logging VPN events
PPTP VPN, activity is logged when enabling VPN logging. The FortiGate unit connection events
and tunnel status (up/down) are logged.
To log VPN events
2. Enable the storage of log messages to one or more locations.
3. Select VPN activity event.
4. Select Apply.
To view event logs
1. Go to Log & Report > Event Log > VPN.
2. If the option is available from the Log Type list, select the log file from disk or memory.
Configuring L2TP VPNs
This section describes how to configure a FortiGate unit to establish a Layer Two Tunneling
Protocol (L2TP) tunnel with a remote dialup client. The FortiGate implementation of L2TP
enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly.
According to RFC 2661, an Access Concentrator (LAC) can establish an L2TP tunnel with an
L2TP Network Server (LNS). In a typical scenario, the LAC is managed by an ISP and located on
the ISP premises; the LNS is the gateway to a private network. When a remote dialup client
connects to the Internet through the ISP, the ISP uses a local database to establish the identity
Schedule always
Service PPTP
Action ACCEPT
of the caller and determine whether the caller needs access to an LNS through an L2TP tunnel.
If the services registered to the caller indicate that an L2TP connection to the LNS is required,
the ISP LAC attempts to establish an L2TP tunnel with the LNS.
A FortiGate unit can be configured to act as an LNS. The FortiGate implementation of L2TP
enables a remote dialup client to establish an L2TP tunnel with the FortiGate unit directly,
bypassing any LAC managed by an ISP. The ISP must configure its network access server to
forward L2TP traffic from the remote client to the FortiGate unit directly whenever the remote
client requires an L2TP connection to the FortiGate unit.
When the FortiGate unit acts as an LNS, an L2TP session and tunnel is created as soon as the
remote client connects to the FortiGate unit. The FortiGate unit assigns an IP address to the
client from a reserved range of IP addresses. The remote client uses the assigned IP address as
its source address for the duration of the connection.
More than one L2TP session can be supported on the same tunnel. FortiGate units can be
configured to authenticate remote clients using a plain text user name and password, or
authentication can be forwarded to an external RADIUS or LDAP server. L2TP clients are
authenticated as members of a user group.
Traffic from the remote client must be encrypted using MPPE before it is encapsulated and
routed to the FortiGate unit. Packets originating at the remote client are addressed to a
computer on the private network behind the FortiGate unit. Encapsulated packets are
addressed to the public interface of the FortiGate unit. See Figure 19.
When the FortiGate unit receives an L2TP packet, the unit disassembles the packet and
forwards the packet to the correct computer on the internal network. The security policy and
protection profiles on the FortiGate unit ensure that inbound traffic is screened and processed
securely.
Figure 19:L2TP encapsulation
FortiGate units support L2TP with Microsoft Point-to-Point Encryption (MPPE) encryption only.
Later implementations of Microsoft L2TP for Windows use IPSec and require certificates for
authentication and encryption. If you want to use Microsoft L2TP with IPSec to connect to a
FortiGate unit, the IPSec and certificate elements must be disabled on the remote client
3
1
2
3
1
2
3
1
2
T
ra
ffic
d
e
s
tin
a
tio
n
1
9
2
.1
6
8
.2
0
.2
T
ra
ffic
d
e
s
tin
a
tio
n
1
9
2
.1
6
8
.2
0
.2
L
2
T
P
p
a
c
k
e
ts
d
e
s
tin
a
tio
n
1
7
2
.1
6
.3
0
.1
3
1
2
L
2
T
P
p
a
c
k
e
ts
d
e
s
tin
a
tio
n
1
7
2
.1
6
.3
0
.1
1
7
2
.1
6
.3
0
.1
FortiGate units cannot deliver non-IP traffic such as Frame Relay or ATM frames encapsulated
in L2TP packets FortiGate units support the IPv4 and IPv6 addressing schemes only
Network topology
The remote client connects to an ISP that determines whether the client requires an L2TP
connection to the FortiGate unit. If an L2TP connection is required, the connection request is
forwarded to the FortiGate unit directly.
Figure 20:Example L2TP configuration
L2TP infrastructure requirements
The FortiGate unit must be operating in NAT mode and have a static public IP address.
The ISP must configure its network access server to forward L2TP traffic from remote clients
to the FortiGate unit directly.
The remote client must not generate non-IP traffic (Frame Relay or ATM frames).
The remote client includes L2TP support with MPPE encryption. If the remote client includes
Microsoft L2TP with IPSec, the IPSec and certificate components must be disabled.
L2TP configuration overview
To configure a FortiGate unit to act as an LNS, you perform the following tasks:
Create an L2TP user group containing one user for each remote client.
Enable L2TP on the FortiGate unit and specify the range of addresses that can be assigned
to remote clients when they connect.
Define firewall source and destination addresses to indicate where packets transported
through the L2TP tunnel will originate and be delivered.
Create the security policy and define the scope of permitted services between the source
and destination addresses.
Configure the remote clients.
I
n
t
e
r
n
a
l

N
e
t
w
o
r
k
R
e
m
o
t
e
_
C
l
i
e
n
t
_
1
R
e
m
o
t
e
_
C
l
i
e
n
t
_
3
R
e
m
o
t
e
_
C
l
i
e
n
t
_
2
Authenticating L2TP clients
L2TP clients must be authenticated before a tunnel is established. The authentication process
relies on FortiGate user group definitions, which can optionally use established authentication
mechanisms such as RADIUS or LDAP to authenticate L2TP clients. All L2TP clients are
challenged when a connection attempt is made.
To enable authentication, you must create user accounts and a user group to identify the L2TP
clients that need access to the network behind the FortiGate unit.
You can choose to use a plain text password for authentication or forward authentication
requests to an external RADIUS or LDAP server. If password protection will be provided through
a RADIUS or LDAP server, you must configure the FortiGate unit to forward authentication
requests to the authentication server.
Enabling L2TP and specifying an address range
The L2TP address range specifies the range of addresses reserved for remote clients. When a
remote client connects to the FortiGate unit, the client is assigned an IP address from this
range. Afterward, the FortiGate unit uses the assigned address to communicate with the remote
client.
The address range that you reserve can be associated with private or routable IP addresses. If
you specify a private address range that matches a network behind the FortiGate unit, the
assigned address will make the remote client appear to be part of the internal network.
To enable L2TP and specify the L2TP address range, use the config vpn l2tp CLI
command.
The following example shows how to enable L2TP and set the L2TP address range using a
starting address of 192.168.10.80 and an ending address of 192.168.10.100 for an
existing group of L2TP users named L2TP_users:
config vpn l2tp
set sip 192.168.10.80
set eip 192.168.10.100
set status enable
set usrgrp L2TP_users
end
Defining firewall source and destination addresses
Before you define the security policy, you must define the source and destination addresses of
packets that are to be transported through the L2TP tunnel:
For the source address, enter the range of addresses that you reserved for remote L2TP
clients (for example 192.168.10.[80-100]).
For the destination address, enter the IP addresses of the computers that the L2TP clients
need to access on the private network behind the FortiGate unit (for example,
172.16.5.0/24 for a subnet, or 172.16.5.1 for a server or host, or
192.168.10.[10-15] for an IP address range).
To define the firewall source address
2. In the Address Name field, type a name that represents the range of addresses that you
reserved for remote clients (for example, Ext_L2TPrange).
3. In Type, select Subnet / IP Range.
4. In the Subnet / IP Range field, type the corresponding IP address range.
5. In Interface, select the FortiGate interface that connects to the clients.
6. This is usually the interface that connects to the Internet.
7. Select OK.
To define the firewall destination address
2. In the Address Name field, type a name that represents a range of IP addresses on the
network behind the FortiGate unit (for example, Int_L2TPaccess).
3. In Type, select Subnet / IP Range.
4. In the Subnet / IP Range field, type the corresponding IP address range.
5. In Interface, select the FortiGate interface that connects to the network behind the FortiGate
unit.
6. Select OK.
Adding the security policy
The security policy specifies the source and destination addresses that can generate traffic
inside the L2TP tunnel and defines the scope of services permitted through the tunnel. If a
selection of services are required, define a service group.
To define the traffic and services permitted inside the L2TP tunnel
3. Enter these settings:
4. Select OK.
Configuring a Linux client
This procedure outlines how to install L2TP client software and run an L2TP tunnel on a Linux
computer. Obtain an L2TP client package that meets your requirements (for example,
rp-l2tp). If needed to encrypt traffic, obtain L2TP client software that supports encryption
using MPPE.
Incoming Interface Select the FortiGate interface to the Internet.
Source Address Select the name that corresponds to the address range that
reserved for L2TP clients (for example, Ext_L2TPrange).
Outgoing Interface Select the FortiGate interface to the internal (private)
network.
Destination Address Select the name that corresponds to the IP addresses
behind the FortiGate unit (for example, Int_L2TPaccess).
Service Select ALL, or if selected services are required instead,
select the service group that you defined previously.
Action ACCEPT
To establish an L2TP tunnel with a FortiGate unit that has been set up to accept L2TP
connections, you can obtain and install the client software following these guidelines:
1. If encryption is required but MPPE support is not already present in the kernel, download
and install an MPPE kernel module and reboot your computer.
2. Download and install the L2TP client package.
3. Configure an L2TP connection to run the L2TP program.
4. Configure routes to determine whether all or some of your network traffic will be sent
through the tunnel. You must define a route to the remote network over the L2TP link and a
host route to the FortiGate unit.
5. Run l2tpd to start the tunnel.
Follow the software suppliers documentation to complete the steps.
To configure the system, you need to know the public IP address of the FortiGate unit, and the
user name and password that has been set up on the FortiGate unit to authenticate L2TP
clients. Contact the FortiGate administrator if required to obtain this information.
Monitoring L2TP sessions
You can display a list of all active sessions and view activity by port number. By default, port
1701 is used for L2TP VPN-related communications. If required, active sessions can be
stopped from this view. Use the Top Sessions Dashboard Widget.
Testing L2TP VPN connections
To confirm that a VPN between a local network and a dialup client has been configured
correctly, at the dialup client, issue a ping command to test the connection to the local network.
The VPN tunnel initializes when the dialup client attempts to connect.
Logging L2TP VPN events
You can configure the FortiGate unit to log VPN events. For L2TP VPNs, connection events and
tunnel status (up/down) are logged.
To log VPN events - web-based manager
2. Enable the storage of log messages to one or more locations.
3. Select Enable, and then select VPN activity event.
4. Select Apply.
To log VPN events - CLI
config log memory setting
set diskfull overright
set status enable
end
config log eventfilter
set ppp
end
Page 222
Session helpers
The FortiOS firewall can analyze most TCP/IP protocol traffic by comparing packet header
information to security policies. This comparison determines whether to accept or deny the
packet and the session that the packet belongs to.
Some protocols include information in the packet body (or payload) that must be analyzed to
successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP
control packets with a standard destination port to set up SIP calls. But the packets that carry
the actual conversation can use a variety of UDP protocols with a variety of source and
destination port numbers. The information about the protocols and port numbers used for a SIP
call is contained in the body of the SIP TCP control packets. To successfully process SIP VoIP
calls, FortiOS must be able to extract information from the body of the SIP packet and use this
information to allow the voice-carrying packets through the firewall.
FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and
adjust the firewall to allow those protocols to send packets through the firewall.
Viewing the session helper configuration
Changing the session helper configuration
DCE-RPC session helper (dcerpc)
DNS session helpers (dns-tcp and dns-udp)
File transfer protocol (FTP) session helper (ftp)
H.245 session helpers (h245I and h245O)
H.323 and RAS session helpers (h323 and ras)
Media Gateway Controller Protocol (MGCP) session helper (mgcp)
ONC-RPC portmapper session helper (pmap)
PPTP session helper for PPTP traffic (pptp)
Remote shell session helper (rsh)
Real-Time Streaming Protocol (RTSP) session helper (rtsp)
Session Initiation Protocol (SIP) session helper (sip)
Trivial File Transfer Protocol (TFTP) session helper (tftp)
Oracle TNS listener session helper (tns)
Viewing the session helper configuration
You can view the session helpers enabled on your FortiGate unit in the CLI using the commands
below. The following output shows the first two session helpers. The number of session helpers
can vary to around 20.
show system session-helper
config system session-helper
edit 1
set name pptp
set port 1723
set protocol 6
end
next
set name h323
set port 1720
set protocol 6
next
end
.
.
The configuration for each session helper includes the name of the session helper and the port
and protocol number on which the session helper listens for sessions. Session helpers listed on
protocol number 6 (TCP) or 17 (UDP). For a complete list of protocol numbers see: Assigned
Internet Protocol Numbers.
For example, the output above shows that FortiOS listens for PPTP packets on TCP port 1723
and H.323 packets on port TCP port 1720.
If a session helper listens on more than one port or protocol the more than one entry for the
session helper appears in the config system session-helper list. For example, the pmap
session helper appears twice because it listens on TCP port 111 and UDP port 111. The rsh
session helper appears twice because it listens on TCP ports 514 and 512.
Changing the session helper configuration
Normally you will not need to change the configuration of the session helpers. However in some
cases you may need to change the protocol or port the session helper listens on.
Changing the protocol or port that a session helper listens on
Most session helpers are configured to listen for their sessions on the port and protocol that
they typically use. If your FortiGate unit receives sessions that should be handled by a session
helper on a non-standard port or protocol you can use the following procedure to change the
port and protocol used by a session helper. The following example shows how to change the
port that the pmap session helper listens on for Sun RPC portmapper TCP sessions. By default
pmap listens on TCP port 111.
To change the port that the pmap session helper listens on to TCP port 112
1. Confirm that the TCP pmap session helper entry is 11 in the session-helper list:
show system session-helper 11
edit 11
set name pmap
set port 111
set protocol 6
next
end
2. Enter the following command to change the TCP port to 112.
edit 11
set port 112
end
3. The pmap session helper also listens on UDP port 111. Confirm that the UDP pmap session
helper entry is 12 in the session-helper list:
edit 12
set name pmap
set port 111
set protocol 17
next
end
4. Enter the following command to change the UDP port to 112.
edit 12
set port 112
end
end
Use the following command to set the h323 session helper to listen for ports on the UDP
protocol.
To change the protocol that the h323 session helper listens on
1. Confirm that the h323 session helper entry is 2 in the session-helper list:
edit 2
set name h323
set port 1720
set protocol 6
next
end
2. Enter the following command to change the protocol to UDP.
edit 2
set protocol 17
end
end
If a session helper listens on more than one port or protocol, then multiple entries for the
session helper must be added to the session helper list, one for each port and protocol
combination. For example, the rtsp session helper listens on TCP ports 554, 7070, and 8554 so
there are three rtsp entries in the session-helper list. If your FortiGate unit receives rtsp packets
on a different TCP port (for example, 6677) you can use the following command to configure the
rtsp session helper to listen on TCP port 6677.
To configure a session helper to listen on a new port and protocol
edit 0
set name rtsp
set port 6677
set protocol 6
end
Disabling a session helper
In some cases you may need to disable a session helper. Disabling a session helper just means
removing it from the session-helper list so that the session helper is not listening on a port. You
can completely disable a session helper by deleting all of its entries from the session helper list.
If there are multiple entries for a session helper on the list you can delete one of the entries to
prevent the session helper from listening on that port.
To disable the mgcp session helper from listening on UDP port 2427
1. Enter the following command to find the mgcp session helper entry that listens on UDP port
2427:
.
.
.
edit 19
set name mgcp
set port 2427
set protocol 17
next
.
.
.
2. Enter the following command to delete session-helper list entry number 19 to disable the
mgcp session helper from listening on UDP port 2427:
delete 19
By default the mgcp session helper listens on UDP ports 2427 and 2727. The previous
procedure shows how to disable the mgcp protocol from listening on port 2427. The following
procedure completely disables the mgcp session helper by also disabling it from listening on
UDP port 2727.
To completely disable the mgcp session helper
1. Enter the following command to find the mgcp session helper entry that listens on UDP port
2727:
.
.
.
edit 20
set name mgcp
set port 2727
set protocol 17
next
.
.
.
2. Enter the following command to delete session-helper list entry number 20 to disable the
mgcp session helper from listening on UDP port 2727:
delete 20
DCE-RPC session helper (dcerpc)
Distributed Computing Environment Remote Procedure Call (DCE-RPC) provides a way for a
program running on one host to call procedures in a program running on another host.
DCE-RPC (also called MS RPC for Microsoft RPC) is similar to ONC-RPC. Because of the large
number of RPC services, for example, MAPI, the transport address of an RPC service is
dynamically negotiated based on the service program's universal unique identifier (UUID). The
Endpoint Mapper (EPM) binding protocol in FortiOS maps the specific UUID to a transport
address.
To accept DCE-RPC sessions you must add a security policy with service set to any or to the
DEC-RPC pre-defined service (which listens on TCP and UDP ports 135). The dcerpc session
helper also listens on TCP and UDP ports 135.
The session allows FortiOS to handle DCE-RPC dynamic transport address negotiation and to
ensure UUID-based security policy enforcement. You can define a security policy to permit all
RPC requests or to permit by specific UUID number.
In addition, because a TCP segment in a DCE-RPC stream might be fragmented, it might not
include an intact RPC PDU. This fragmentation occurs in the RPC layer; so FortiOS does not
support parsing fragmented packets.
DNS session helpers (dns-tcp and dns-udp)
FortiOS includes two DNS session helpers, dns-tcp, a session helper for DNS over TCP, and
dns-udp, a session helper for DNS over UDP. The DNS session helpers monitor DNS query and
reply packets and close sessions if the DNS flag indicates the packet is a reply message.
To accept DNS sessions you must add a security policy with service set to any or to the DNS
pre-defined service (which listens on TCP and UDP ports 53). The dns-udp session helper also
listens on UDP port 53. By default the dns-tcp session helper is disabled. If needed you can use
the following command to enable the dns-tcp session helper to listen for DNS sessions on TCP
port 53:
edit 0
set name dns-tcp
set port 53
set protocol 6
end
File transfer protocol (FTP) session helper (ftp)
The FTP session helper monitors PORT, PASV and 227 commands and NATs the IP addresses
and port numbers in the body of the FTP packets and opens ports on the FortiGate unit as
required.
To accept FTP sessions you must add a security policy with service set to any or to the FTP,
FTP_Put, and FTP_GET pre-defined services (which all listen on TCP port 21).
H.245 session helpers (h245I and h245O)
H.245 is a control channel protocol used for H.323 and other similar communication sessions.
H.245 sessions transmit non-telephone signals. H.245 sessions carry information needed for
multimedia communication, such as encryption, flow control jitter management and others.
FortiOS includes two H.245 sessions helpers, h245I which is for H.245 call in and h245O which
is for H.245 call out sessions. There is no standard port for H.245. By default the H.245 sessions
helpers are disabled. You can enable them as you would any other session helper. When you
enable them, you should specify the port and protocol on which the FortiGate unit receives
H.245 sessions.
H.323 and RAS session helpers (h323 and ras)
The H.323 session helper supports secure H.323 voice over IP (VoIP) sessions between terminal
endpoints such as IP phones and multimedia devices. In H.323 VoIP networks, gatekeeper
devices manage call registration, admission, and call status for VoIP calls. The FortiOS h323
session helper supports gatekeepers installed on two different networks or on the same
network.
To accept H.323 sessions you must add a security policy with service set to any or to the H323
pre-defined service (which listens on TCP port numbers 1720 and 1503 and on UDP port
number 1719). The h323 session helper listens on TCP port 1720.
The ras session helper is used with the h323 session helper for H.323 Registration, Admission,
and Status (RAS) services. The ras session helper listens on UDP port 1719.
Alternate H.323 gatekeepers
The h323 session helper supports using H.323 alternate gatekeepers. All the H.323 end points
must register with a gatekeeper through the Registration, Admission, and Status (RAS) protocol
before they make calls. During the registration process, the primary gatekeeper sends
Gatekeeper Confirm (GCF) and Registration Confirm (RCF) messages to the H.323 end points
that contain the list of available alternate gatekeepers.
The alternate gatekeeper provides redundancy and scalability for the H.323 end points. If the
primary gatekeeper fails the H.323 end points that have registered with that gatekeeper are
automatically registered with the alternate gatekeeper. To use the H.323 alternate gatekeeper,
you need to configure security policies that allow H.323 end points to reach the alternate
gatekeeper.
Media Gateway Controller Protocol (MGCP) session helper (mgcp)
The Media Gateway Control Protocol (MGCP) is a text-based application layer protocol used for
VoIP call setup and control. MGCP uses a master-slave call control architecture in which the
media gateway controller uses a call agent to maintain call control intelligence, while the media
gateways perform the instructions of the call agent.
To accept MGCP sessions you must add a security policy with service set to any or to the
MGCP pre-defined service (which listens on UDP port numbers 2427 and 2727). The h323
session helper also listens on UDP port numbers 2427 and 2727.
The MGCP session helper does the following:
VoIP signalling payload inspection. The payload of the incoming VoIP signalling packet is
inspected and malformed packets are blocked.
Signaling packet body inspection. The payload of the incoming MGCP signaling packet is
inspected according to RFC 3435. Malformed packets are blocked.
Stateful processing of MGCP sessions. State machines are invoked to process the parsed
information. Any out-of-state or out-of-transaction packet is identified and properly handled.
MGCP Network Address Translation (NAT). Embedded IP addresses and ports in packet
bodies is properly translated based on current routing information and network topology,
and is replaced with the translated IP address and port number, if necessary.
Manages pinholes for VoIP traffic. To keep the VoIP network secure, the IP address and port
information used for media or signalling is identified by the session helper, and pinholes are
dynamically created and closed during call setup.
ONC-RPC portmapper session helper (pmap)
Open Network Computing Remote Procedure Call (ONC-RPC) is a widely deployed remote
procedure call system. Also called Sun RPC, ONC-RPC allows a program running on one host
to call a program running on another. The transport address of an ONC-RPC service is
dynamically negotiated based on the service's program number and version number. Several
binding protocols are defined for mapping the RPC program number and version number to a
transport address.
To accept ONC-RPC sessions you must add a security policy with service set to any or to the
ONC-RPC pre-defined service (which listens on TCP and UDP port number 111). The RPC
portmapper session helper (called pmap) handles the dynamic transport address negotiation
mechanisms of ONC-RPC.
PPTP session helper for PPTP traffic (pptp)
The PPTP session help supports port address translation (PAT) for PPTP traffic. PPTP provides
IP security at the Network Layer. PPTP consists of a control session and a data tunnel. The
control session runs over TCP and helps in establishing and disconnecting the data tunnel. The
data tunnel handles encapsulated Point-to-Point Protocol (PPP) packets carried over IP.
To accept PPTP sessions that pass through the FortiGate unit you must add a security policy
with service set to any or to the PPTP pre-defined service (which listens on IP port 47 and TCP
port 1723). The pptp session helper listens on TCP port 1723.
PPTP uses TCP port 1723 for control sessions and Generic Routing Encapsulation (GRE) (IP
protocol 47) for tunneling the encapsulated PPP data. The GRE traffic carries no port number,
making it difficult to distinguish between two clients with the same public IP address. PPTP
uses the source IP address and the Call ID field in the GRE header to identify a tunnel. When
multiple clients sharing the same IP address establish tunnels with the same PPTP server, they
may get the same Call ID. The call ID value can be translated in both the control message and
the data traffic, but only when the client is in a private network and the server is in a public
network.
PPTP clients can either directly connect to the Internet or dial into a network access server to
reach the Internet. A FortiGate unit that protects PPTP clients can translate the clients private
IP addresses to a pool of public IP addresses using NAT port translation (NAT-PT). Because the
GRE traffic carries no port number for address translation, the pptp session helper treats the
Call ID field as a port number as a way of distinguishing multiple clients.
After the PPTP establishing a TCP connection with the PPTP server, the client sends a start
control connection request message to establish a control connection. The server replies with a
start control connection reply message. The client then sends a request to establish a call and
sends an outgoing call request message. FortiOS assigns a Call ID (bytes 12-13 of the control
message) that is unique to each PPTP tunnel. The server replies with an outgoing call reply
message that carries its own Call ID in bytes 12-13 and the clients call ID in bytes 14-15. The
pptp session helper parses the control connection messages for the Call ID to identify the call to
which a specific PPP packet belongs. The session helper also identifies an outgoing call
request message using the control message type field (bytes 8-9) with the value 7. When the
session helper receives this message, it parses the control message for the call ID field (bytes
12-13). FortiOS translates the call ID so that it is unique across multiple calls from the same
translated client IP. After receiving outgoing call response message, the session helper holds
this message and opens a port that accepts GRE traffic that the PPTP server sends. An
outgoing call request message contains the following parts:
The protocol used for the outgoing call request message (usually GRE)
Source IP address (PPTP server IP)
Destination IP address (translated client IP)
Destination port number (translated client call ID)
The session helper identifies an outgoing call reply message using the control message type
field (bytes 8-9) with the value 8. The session helper parses these control messages for the call
ID field (bytes 12-13) and the clients call ID (bytes 14-15). The session helper then uses the
clients call ID value to find the mapping created for the other direction, and then opens a
pinhole to accept the GRE traffic that the client sends.
An outgoing call reply message contains the following parts:
Protocol used for the outgoing call reply message (usually GRE)
Source IP address (PPTP client IP)
Destination IP address (PPTP server IP)
Destination port number (PPTP server Call ID)
Each port that the session opens creates a session for data traffic arriving in that direction. The
session helper opens the following two data sessions for each tunnel:
Traffic from the PPTP client to the server, using the servers call ID as the destination port
Traffic from the PPTP server to the client, using the clients translated call ID as the
destination port
The default timeout value of the control connection is 30 minutes. The session helper closes the
pinhole when the data session exceeds the timeout value or is idle for an extended period.
Remote shell session helper (rsh)
Using the remote shell program (RSH), authenticated users can run shell commands on remote
hosts. RSH sessions most often use TCP port 514. To accept RSH sessions you must add a
security policy with service set to any or to the RSH pre-defined service (which listens on TCP
port number 514).
FortiOS automatically invokes the rsh session helper to process all RSH sessions on TCP port
514. The rsh session helper opens ports required for the RSH service to operate through a
FortiGate unit running NAT or transparent and supports port translation of RSH traffic.
Real-Time Streaming Protocol (RTSP) session helper (rtsp)
The Real-Time Streaming Protocol (RTSP) is an application layer protocol often used by SIP to
control the delivery of multiple synchronized multimedia streams, for example, related audio
and video streams. Although RTSP is capable of delivering the data streams itself it is usually
used like a network remote control for multimedia servers. The protocol is intended for selecting
delivery channels (like UDP, multicast UDP, and TCP) and for selecting a delivery mechanism
based on the Real-Time Protocol (RTP). RTSP may also use the SIP Session Description
Protocol (SDP) as a means of providing information to clients for aggregate control of a
presentation consisting of streams from one or more servers, and non-aggregate control of a
presentation consisting of multiple streams from a single server.
To accept RTSP sessions you must add a security policy with service set to any or to the RTSP
pre-defined service (which listens on TCP ports 554, 770, and 8554 and on UDP port 554). The
rtsp session helper listens on TCP ports 554, 770, and 8554.
The rtsp session help is required because RTSP uses dynamically assigned port numbers that
are communicated in the packet body when end points establish a control connection. The
session helper keeps track of the port numbers and opens pinholes as required. In Network
Address Translation (NAT) mode, the session helper translates IP addresses and port numbers
as necessary.
In a typical RTSP session the client starts the session (for example, when the user selects the
Play button on a media player application) and establishes a TCP connection to the RTSP
server on port 554. The client then sends an OPTIONS message to find out what audio and
video features the server supports. The server responds to the OPTIONS message by
specifying the name and version of the server, and a session identifier, for example, 24256-1.
The client then sends the DESCRIBE message with the URL of the actual media file the client
wants to play. The server responds to the DESCRIBE message with a description of the media
in the form of SDP code. The client then sends the SETUP message, which specifies the
transport mechanisms acceptable to the client for streamed media, for example RTP/RTCP or
RDT, and the ports on which it receives the media.
In a NAT configuration the rtsp session helper keeps track of these ports and addresses
translates them as necessary. The server responds to the SETUP message and selects one of
the transport protocols. When both client and server agree on a mechanism for media transport
the client sends the PLAY message, and the server begins streaming the media.
Session Initiation Protocol (SIP) session helper (sip)
The sip session helper is described in VoIP Solutions: SIP Guide.
Trivial File Transfer Protocol (TFTP) session helper (tftp)
To accept TFTP sessions you must add a security policy with service set to any or to the TFTP
pre-defined service (which listens on UDP port number 69). The TFTP session helper also
listens on UTP port number 69.
TFTP initiates transfers on UDP port 69, but the actual data transfer ports are selected by the
server and client during initialization of the connection. The tftp session helper reads the
transfer ports selected by the TFTP client and server during negotiation and opens these ports
on the firewall so that the TFTP data transfer can be completed. When the transfer is complete
the tftp session helper closes the open ports.
Oracle TNS listener session helper (tns)
The Oracle Transparent Network Substrate (TNS) listener listens on port TCP port 1521 for
network requests to be passed to a database instance. The Oracle TNS listener session helper
(tns) listens for TNS sessions on TCP port 1521. TNS is a foundation technology built into the
Oracle Net foundation layer and used by SQLNET.
Page 232
Advanced concepts
This chapter provides configuration concepts and techniques to enhance your network security.
Dual internet connections
Single firewall vs. multiple virtual domains
Modem
DHCP servers and relays
Assigning IP address by MAC address
DNS services
Dynamic DNS
FortiClient discovery and registration
IP addresses for self-originated traffic
Administration for schools
Tag management
Replacement messages list
Disk
CLI Scripts
Rejecting PING requests
Opening TCP 113
Obfuscate HTTP headers
Dual internet connections
Dual internet connection, dual WAN, or redundant internet connection refers to using two
FortiGate interfaces to connect to the Internet. Dual internet connections can be used in three
ways:
redundant interfaces, should one interface go down, the second automatically becomes the
main internet connection
for load sharing to ensure better throughput.
a combination of redundancy and load sharing.
Redundant interfaces, ensures that should your internet access be no longer available through a
certain port, the FortiGate unit will use an alternate port to connect to the Internet.
Figure 21:Configuring redundant interfaces
In this scenario, two interfaces, WAN1 and WAN2 are connected to the Internet using two
different ISPs. WAN1 is the primary connection. In an event of a failure of WAN1, WAN2
automatically becomes the connection to the Internet. For this configuration to function
correctly, you need to configure three specific settings:
configure a ping server to determine when the primary interface (WAN1) is down and when
the connection returns
configure a default route for each interface.
configure security policies to allow traffic through each interface to the internal network.
Ping server
Adding a ping server is required for routing fail over traffic. A ping server will confirm the
connectivity of the devices interface
To add a ping server - web-based manager
1. Go to Router > Static > Settings and select Create New.
For low-end FortiGate units, go to System > Network > Routing and select Create New.
2. Select the Interface that will send ping requests.
3. For the Ping Server field, enter the IP address of a server that the FortiGate unit will send
ping requests to. This is typically a next hop router or gateway device.
4. Select the Detect Protocol type.
5. For the Ping Interval, enter the number of seconds to send ping requests.
6. For the Failover Threshold, enter the number of lost pings is acceptable before the port is
determined to be down.
7. Select OK.
Backup ISP
Primary ISP
Computers on
a private internal
network
I
n
t
e
r
n
a
l
1
9
2
.
1
6
8
.
1
.
9
9
W
A
N
1
1
7
2
.
2
0
.
1
2
0
.
1
2
W
A
N
2
D
H
C
P
To add a ping server - CLI
config router gwdetect
edit wan1
set server <ISP_IP_address>
set failtime <failure_count>
set interval <seconds>
end
Routing
You need to configure a default route for each interface and indicate which route is preferred by
specifying the distance. The lower distance is declared active and placed higher in the routing
table.
To configure the routing of the two interfaces - web-based manager
1. Go to Router > Static > Static Route and select Create New.
For low-end FortiGate units, go to System > Network > Routing and select Create New.
2. Set the Destination IP/Mask to the address and netmask to 0.0.0.0/0.0.0.0.
3. Select the Device to the primary connection, WAN1.
4. Enter the Gateway address.
5. Select Advanced.
6. Set the Distance to 10.
7. Select OK.
8. Repeat steps 1 through 7 setting the Device to WAN2 and a Distance of 20.
To configure the routing of the two interfaces - CLI
config router static
edit 1
set dst 0.0.0.0 0.0.0.0
set device WAN1
set gateway 0.0.0.0 0.0.0.0
set distance 10
next
edit 1
set dst <ISP_Address>
set device WAN2
set gateway <gateway_address>
set distance 20
next
end
When you have dual WAN interfaces that are configured to provide fail over, you might not be
able to connect to the backup WAN interface because the FortiGate unit may not route traffic
(even responses) out of the backup interface. The FortiGate unit performs a reverse path lookup
to prevent spoofed traffic. If no entry can be found in the routing table which sends the return
traffic out the same interface, then the incoming traffic is dropped.
Security policies
When creating security policies, you need to configure duplicate policies to ensure that after
traffic fails over WAN1, regular traffic will be allowed to pass through WAN2 as it did with WAN1.
This ensures that fail-over will occur with minimal affect to users. For more information on
creating security policies see the Firewall Guide.
Load sharing
Load sharing enables you to use both connections to the internet at the same time, but do not
provide fail over support. When configuring for load sharing, you need to ensure routing is
configured for both external ports, for example, WAN1 and WAN2, have static routes with the
same distance and priority.
Further configuration can be done using Equal Cost Multiple Path (ECMP). For more information
on ECMP and load sharing, see the Advanced Routing Guide.
Link redundancy and load sharing
In this scenario, both links are available to distribute Internet traffic over both links. Should one
of the interfaces fail, the FortiGate unit will continue to send traffic over the other active
interface. Configuration is similar to the Redundant interfaces configuration, with the main
difference being that the configured routes should have equal distance settings.
This means both routes will remain active in the routing table. To make one interface the
preferred interface, use a default policy route to indicate the interface that is preferred for
accessing the Internet. If traffic matches the security policy, the policy overrides all entries in the
routing table, including connected routes. You may need to add a specific policy routes that
override these default policy routes.
To redirect traffic over the secondary interface, create policy routes to direct some traffic onto it
rather than the primary interface. When adding the policy route, only define the outgoing
interface and leave the gateway blank. This ensures that the policy route will not be active when
the link is down.
Single firewall vs. multiple virtual domains
A typical FortiGate setup, with a small to mid-range appliance, enables you to include a number
of subnets on your network using the available ports and switch interfaces. This can potentially
provide a means of having three or more mini networks for the various groups in a company.
Within this infrastructure, multiple network administrators have access to the FortiGate to
maintain security policies.
However, the FortiGate unit may not have enough interfaces to match the number of
departments in the organization. If the FortiGate unit it running in transparent mode however,
there is only one interface, and multiple network branches through the FortiGate are not
possible.
A FortiGate unit with Virtual Domains (VDOMs) enabled, provides a means to provide the same
functionality in transparent mode as a FortiGate in NAT mode. VDOMs are a method of dividing
a FortiGate unit into two or more virtual units that function as multiple independent units.
VDOMs can provide separate security policies and, in NAT mode, completely separate
configurations for routing and VPN services for each connected network. For administration, an
administrator can be assigned to each VDOM, minimizing the possibility of error or fouling
network communications.
By default, your FortiGate unit supports a maximum of 10 VDOMs. For FortiGate models 3000
and higher, you can purchase a license key to increase the number of VODMs to 25, 50, 100 or
250.
The FortiGate-20C and 30B and FortiWifi-20C and 30B do not support VDOMs.
Single firewall vs. vdoms
When VDOMs are not enabled, and the FortiGate unit is in transparent mode, all the interfaces
on your unit become broadcast interfaces. The problem is there are no interfaces free for
additional network segments.
A FortiGate with three interfaces means only limited network segments are possible without
purchasing more FortiGate devices.
With multiple VDOMs you can have one of them configured in transparent mode, and the rest in
NAT mode. In this configuration, you have an available transparent mode FortiGate unit you can
drop into your network for troubleshooting, and you also have the standard.
W
A
N
1
I
n
t
e
r
n
a
l
G
a
t
e
w
a
y

t
o

p
u
b
lic
n
e
t
w
o
r
k
D
M
Z
I
nn
W
A
N
1
N
1
DDD
M
Z
A
ll
in
t
e
r
f
a
c
e
s

o
n
t
h
e

s
a
m
e

s
u
b
n
e
t
W
A
N
1
G
a
t
e
w
a
y

t
o

p
u
b
lic
n
e
t
w
o
r
k
I
n
t
e
r
n
a
l
a
l
W
A
N
1
N
1
IIII
nn
I
nnn
I
n
I
nn
t
e
t
e
r
n
D
M
Z
This example shows how to enable VDOMs on the FortiGate unit and the basic and create a
VDOM accounting on the DMZ2 port and assign an administrator to maintain the VDOM. First
enable Virtual Domains on the FortiGate unit.
To enable VDOMs - web-based manager
2. In the System Information widget, select Enable for Virtual Domain.
Note that on FortiGate-60 series and lower models, you need to enable VDOMs in the CLI only.
The FortiGate unit logs you out. Once you log back in, you will notice that the menu structure
has changed. This reflects the global settings for all Virtual Domains.
To enable VDOMs - CLI
set vdom-admin enable
end
Next, add the VDOM called accounting.
To add a VDOM - web-based manager
1. Go to Global > VDOM > VDOM, and select Create New.
2. Enter the VDOM name accounting.
3. Select OK.
To add a VDOM - CLI
config vdom
edit <new_vdom_name>
end
With the Virtual Domain created, you can assign a physical interface to it, and assign it an IP
address.
To assign physical interface to the accounting Virtual Domain - web-based manager
1. Go to Global > Network > Interface.
2. Select the DMZ2 port row and select Edit.
3. For the Virtual Domain drop-down list, select accounting.
7. Select OK.
To assign physical interface to the accounting Virtual Domain - CLI
config global
edit dmz2
set vdom accounting
set ip 10.13.101.100/24
next
end
Modem
FortiGate units support the use of wireless, 3G and 4G modems connected using the USB port
or, if available, the express card slot. Modem access provides either primary or secondary
(redundant) access to the Internet. For FortiGate units that do not include an internal modem
(those units with an M designation), the modem interface will not appear in the web-based
manager until enabled in the CLI. To enable the modem interface enter the CLI commands:
config system modem
set status enable
end
You will need to log out of the FortiGate and log back in to see the modem configuration page at
System > Network > Modem. Once enabled, modem options become available by going to
System > Network > Interface.
Note that the modem interface is only available when the FortiGate unit is in NAT mode.
To configure modem settings, go to System > Network > Modem.
Configuring the modem settings is a matter of entering the ISP phone number, user name and
password. Depending on the modem, additional information may need to be supplied such as
product identifiers, and initialization strings.
The FortiGate unit includes a number of common modems within its internal database. You can
view these by selecting the Configure Modem link on the Modem Settings page. If your modem
is not on the list, select Create New to add the information. This information is stored on the
device, and will remain after a reboot.
Fortinet has an online database of modem models and configuration settings through
FortiGuard. A subscription to the FortiGuard services is not required to access the information.
As models are added, you can select the Configure Modem link and select Update Now to
download new configurations.
USB modem port
Each USB modem has a specific dial-out ttyusb port. This will be indicated with the
documentation for your modem. To enable the correct USB port, use the CLI commands:
config system modem
set wireless-port {ttyusb0 | ttyusb1 | ttyusb2}
end
To test the port, use the diagnose command:
diagnose sys modem com /ttyusb1
The ttyusb1 will be the value of your USB port selected. The response will be:
Serial port: /dev/ttyusb1
Press Ctrl+W to exit.
If the port does not respond the output will be:
Can not open modem device /dev/ttyusb1 : Broken pipe
Modes
The FortiGate unit allows for two modes of operation for the modem; stand alone and
redundant. In stand alone mode, the modem connects to a dialup ISP account to provide the
connection to the Internet. In redundant mode, the modem acts as a backup method of
connecting to the Internet, should the primary port for this function fails.
Configuring either stand alone or redundant modes are very similar. The primary difference is
the selection of the interface that the modem will replace in the event of it failing, and the
configuration of a PING server to monitor the chosen interface.
Configuring stand alone mode
Configuring stand alone mode is a matter of configuring the modem information and the dialing
mode. The dial mode is either Always Connect or Dial on demand. Selecting Always Connect
ensures that once the modem has connected, it remains connected to the ISP. Selecting Dial on
Demand, the modem only calls the ISP if packets are routed to the modem interface. Once sent,
the modem will disconnect after a specified amount of time.
To configure standalone mode as needed - web-based manager
1. Go to System > Network > Modem.
2. Select the Mode of Standalone.
3. Select the Dial Mode of Dial on Demand.
4. Enter the Idle Timeout of 2 minutes.
5. Select the number of redials the modem attempts if connection fails to 5.
6. Select Apply.
To configure standalone mode as needed- CLI
config system modem
set mode standalone
set auto-dial enable
set idle-timer 2
set redial 5
end
Configuring redundant mode
Redundant mode provides a backup to an interface, typically to the Internet. If that interface
fails or disconnects, the modem automatically dials the configured phone number(s). Once
connected, the FortiGate unit routes all traffic to the modem interface until the monitored
interface is up again. The FortiGate unit pings the connection to determine when it is back
online.
For the FortiGate to verify when the interface is back up, you need to configure a Ping server for
that interface. You will also need to configure security policies between the modem interface
and the other interfaces of the FortiGate unit to ensure traffic flow.
To configure redundant mode as needed - web-based manager
1. Go to System > Network > Modem.
2. Select the Mode of Redundant.
3. Select the interface the modem takes over from if it fails.
4. Select the Dial Mode of Dial on Demand.
5. Enter the Idle Timeout of 2 minutes.
6. Select the number of redials the modem attempts if connection fails to 5.
7. Select Apply.
To configure standalone mode as needed- CLI
config system modem
set mode redundant
set interface wan1
set auto-dial enable
set idle-timer 2
set redial 5
end
Ping server
Adding a ping server is required for routing fail over traffic. A ping server will confirm the
connectivity of the devices interface.
For low-end FortiGate units, go to System > Admin > Settings and enable Dynamic Routing
before continuing.
To add a ping server - web-based manager
1. Go to Router > Static > Settings and select Create New.
2. Select the Interface that will send ping requests.
3. For the Ping Server field, enter the IP address of a server that the FortiGate unit will send
ping requests to. This is typically a next hop router or gateway device.
4. Select the Detect Protocol type ICMP Ping.
5. For the Ping Interval, enter the number of seconds to send ping requests.
6. For the Failover Threshold, enter the number of lost pings is acceptable before the port is
determined to be down.
7. Select OK.
To add a ping server - CLI
config router gwdetect
edit wan1
set server <ISP_IP_address>
set failtime <failure_count>
set interval <seconds>
end
Additional modem configuration
The CLI provides additional configuration options when setting up the modem options including
adding multiple ISP dialing and initialization options and routing. For more information, see the
CLI Reference.
Modem interface routing
The modem interface can be used in FortiOS as a dedicated interface. Once enabled and
configured, you can use it in security policies and define static and dynamic routing. Within the
CLI commands for the modem, you can configure the distance and priority of routes involving
the modem interface. The CLI commands are:
config sysetm modem
set distance <route_distance>
set priority <priority_value>
end
For more information on the routing configuration in the CLI, see the CLI Reference. For more
information on routing and configuring routing, see the Advanced Routing Guide.
DHCP servers and relays
Note that DHCP server options are not available in transparent mode.
A DHCP server provides an address to a client on the network, when requested, from a defined
address range.
An interface cannot provide both a server and a relay for connections of the same type (regular
or IPSec). However, you can configure a Regular DHCP server on an interface only if the
interface is a physical interface with a static IP address. You can configure an IPSec DHCP
server on an interface that has either a static or a dynamic IP address.
You can configure one or more DHCP servers on any FortiGate interface. A DHCP server
dynamically assigns IP addresses to hosts on the network connected to the interface. The host
computers must be configured to obtain their IP addresses using DHCP.
If an interface is connected to multiple networks via routers, you can add a DHCP server for
each network. The IP range of each DHCP server must match the network address range. The
routers must be configured for DHCP relay.
You can configure a FortiGate interface as a DHCP relay. The interface forwards DHCP requests
from DHCP clients to an external DHCP server and returns the responses to the DHCP clients.
The DHCP server must have appropriate routing so that its response packets to the DHCP
clients arrive at the unit.
DHCP Server configuration
To add a DHCP server, go to System > Network > DHCP Server, select Create New and
complete the following
Interface Name Select an interface from the drop-down list.
Mode Select the type of DHCP server.
Enable Select to enable the DHCP server.
Type Select the type of DHCP server.
You cannot configure a regular DHCP server on an interface that has a
dynamic IP address.
DHCP Server IP This appears only when Mode is Relay. Enter the IP address of the
DHCP server where the FortiGate unit obtains the requested IP address.
IP Enter the start and end for the range of IP addresses that this DHCP
server assigns to DHCP clients.
Network Mask Enter the netmask of the addresses that the DHCP server assigns.
Default Gateway Enter the IP address of the default gateway that the DHCP server
assigns to DHCP clients.
DNS Service Select to use either a specific DNS server or the systems DNS settings.
You can add multiple DNS servers by selecting the plus sign (+) beside
DNS Server 1.
For more information see DNS services and DNS server.
DNS Server 1 Enter the DNS server.
DNS Server 2 Enter the second DNS server. If you need to add more DNS servers,
select the plus sign (+).
MAC Address
Access Control List
Select to match an IP address from the DHCP server to a specific client
or device using its MAC address.
In a typical situation, an IP address is assigned ad hoc to a client, and
that assignment times out after a specific time of inactivity from the
client, known as the lease time. To ensure a client or device always has
the same IP address, that is, there is no lease time, use IP reservation.
For more information, see Assigning IP address by MAC address on
page 244.
Add from DHCP
Client List
If the client is currently connected and using an IP address from the
DHCP server, you can select this option to select the client from the list.
Advanced section of the New DHCP Service page
Domain Enter the domain that the DHCP server assigns to clients.
Lease Time Set the length of time an IP address remains assigned to a client. Once
the lease expires, the address is released for allocation to the next client
request for an IP address. To set the lease to never expire, select
Unlimited.
IP Assignment
Mode
Configure how the IP addresses for an IPSec DHCP server are assigned
to dialup IPSec VPN users. These options are available when the DHCP
server type is IPsec. Select:
Server IP Range - The IPSec DHCP server will assign the IP
addresses as specified in IP Range, and Exclude Ranges.
User-group defined method - The IP addresses will be assigned by a
user group used to authenticate the user. The user group is used to
authenticate XAUTH users.
When User-group defined method is selected, the IP Range fields are
greyed out, and the Exclude Ranges table and controls are not visible.
WINS Server 0
WINS Server 1
Add the IP addresses of one or two WINS servers that the DHCP server
assigns to DHCP clients.
DHCP in IPv6
You can use DHCP with IPv6 using the CLI. To configure DHCP, ensure IPv6 is enabled by going
to System > Admin > Settings and enable IPv6. Use the CLI command
config system dhcp6.
For more information on the configuration options, see the CLI Reference.
Service
On low-end FortiGate units, a DHCP server is configured, by default on the Internal interface:
These settings are appropriate for the default Internal interface IP address of 192.168.1.99. If
you change this address to a different network, you need to change the DHCP server settings to
match.
Alternatively, after the FortiGate unit assigns an address, you can go to System > Monitor >
DHCP Monitor, locate the particular user. Select the check box for the user and select Add to
Reserved.
DHCP options
When adding a DHCP server, you have the ability to include DHCP codes and options. The
DHCP options are BOOTP vendor information fields that provide additional vendor-independent
configuration parameters to manage the DHCP server. For example, you may need to configure
Options When adding a DHCP server, you have the ability to include DHCP
codes and options. The DHCP options are BOOTP vendor information
fields that provide additional vendor-independent configuration
parameters to manage the DHCP server. For example, you may need to
configure a FortiGate DHCP server that gives out a separate option as
well as an IP address. For example, an environment that needs to
support PXE boot with Windows images.
The option numbers and codes are specific to the particular application.
The documentation for the application will indicate the values to use.
Option codes are represented in a option value/HEX value pairs. The
option is a value 1 and 255.
You can add up to three DHCP code/option pairs per server.
Exclude Ranges Enter a range of IP addresses from the IP range that should not be
assigned. This option is only available when the DHCP type is IPsec,
and the IP Assignment Mode is Server IP range.
IP Range
192.168.1.110 to
192.168.1.210
Netmask 255.255.255.0
Default gateway 192.168.1.99
Lease time 7 days
DNS Server 1 192.168.1.99
a FortiGate DHCP server that gives out a separate option as well as an IP address. For example,
an environment that needs to support PXE boot with Windows images.
The option numbers and codes are specific to the particular application. The documentation for
the application will indicate the values to use. Option codes are represented in a option
value/HEX value pairs. The option is a value 1 and 255.
You can add up to three DHCP code/option pairs per DHCP server.
To configure option 252 with value http://192.168.1.1/wpad.dat - web-based manager
1. Go to System > Network > DHCP Server and select Create New.
2. Select a Mode of Server.
3. Select the blue arrow to expand the Advanced options.
4. Select Options.
5. Enter a Code of 252.
6. Enter the Options of
687474703a2f2f3139322e3136382e312e312f777061642e646174.
In the CLI, use the commands:
config system dhcp server
edit <server_entry_number>
set option1 252
687474703a2f2f3139322e3136382e312e312f777061642e646174
end
For detailed information about DHCP options, see RFC 2132, DHCP Options and BOOTP
Vendor Extensions.
DHCP Monitor
To view information about DHCP server connections, go to System > Monitor > DHCP Monitor.
On this page, you can also add IP address to the reserved IP address list.
Breaking a address lease
Should you need to end an IP address lease, you can break the lease using the CLI. This is
useful if you have limited addresses, longer lease times where leases are no longer necessary.
For example, with corporate visitors.
To break a lease enter the CLI command:
execute dhcp lease-clear <ip_address>
Assigning IP address by MAC address
To prevent users in the from changing their IP addresses and causing IP address conflicts or
unauthorized use of IP addresses, you can bind an IP address to a specific MAC address using
DHCP.
Use the CLI to reserve an IP address for a particular client identified by its device MAC address
and type of connection. The DHCP server then always assigns the reserved IP address to the
client. The number of reserved addresses that you can define ranges from 10 to 200 depending
on the FortiGate model.
After setting up a DHCP server by going to System > Network > DHCP Server, select the blue
arrow next to MAC Address Access Control List to expand the options. If you know the MAC
address of the system select Create New to add it, or if the system has already connected,
locate it in the list, select its check box and select Add from DHCP Client List.
You can also match an address to a MAC address in the CLI. In the example below, the IP
address 10.10.10.55 for User1 is assigned to MAC address 00:09:0F:30:CA:4F.
config system dhcp reserved-address
edit User1
set ip 10.10.10.55
set mac 00:09:0F:30:CA:4F
set type regular
end
DNS services
A DNS server is a public service that converts symbolic node names to IP addresses. A Domain
Name System (DNS) server implements the protocol. In simple terms, it acts as a phone book
for the Internet. A DNS server matches domain names with the computer IP address. This
enables you to use readable locations, such as fortinet.com when browsing the Internet.
FortiOS supports DNS configuration for both IPv4 and IPv6 addressing.
The FortiGate unit includes default DNS server addresses. However, these should be changed
to those provided by your Internet Service Provider. The defaults are DNS proxies and are not
as reliable as those from your ISP.
Within FortiOS, there are two DNS configuration options; each provide a specific service, and
can work together to provide a complete DNS solution.
DNS queries
Basic DNS queries are configured on interfaces that connect to the Internet. When a web site is
requested, for example, the FortiGate unit will look to the configured DNS servers to provide the
IP address to know which server to contact to complete the transaction.
DNS server addresses are configured by going to System > Network > DNS. Here you specify
the DNS server addresses. Typically, these addresses are supplied by your ISP. An additional
option is available if you have local Microsoft domains on the network, by entering a domain
name in the Local Domain Name field.
In a situation where all three fields are configured, the FortiGate unit will first look to the local
domain. If no match is found, a request is sent to the external DNS servers.
If virtual domains are enabled, you create a DNS database in each VDOM. All of the interfaces in
a VDOM share the DNS database in that VDOM.
Additional DNS CLI configuration
Further options are available from the CLI with the command config system dns. Within this
command you can set the following commands:
dns-cache-limit - enables you to set how many DNS entries are stored in the cache.
Entries that remain in the cache provide a quicker response to requests than going out to the
Internet to get the same information.
dns-cache-ttl - enables you to set how long entries remain in the cache in seconds,
between 60 and 86,400 (24 hours).
cache-notfound-responses - when enabled, any DNS requests that are returned with
NOTFOUND can be stored in the cache.
source-ip - enables you to define a dedicated IP address for communications with the
DNS server.
DNS server
You can also create local DNS servers for your network. Depending on your requirements, you
can manually maintain your entries (master DNS server), or use it as a jumping point, where the
server refers to an outside source (slave DNS server). A local master DNS server works similarly
to the DNS server addresses configured in System > Network > DNS, but all entries must be
added manually. This enables you to add a local DNS server to include specific URL/IP address
combinations.
The DNS server options are not visible in the web-based manager by default. To enable the
server, go to System > Admin > Settings and select DNS Database.
While a master DNS server is an easy method of including regularly used addresses to save on
going to an outside DNS server, it is not recommended to make it the authoritative DNS server.
IP addresses may change, and maintaining any type of list can quickly become labor-intensive.
A FortiGate master DNS server is best set for local services. For example, if your company has
a web server on the DMZ that is accessed by internal employees as well as external users, such
as customers or remote users. In this situation, the internal users when accessing the site would
send a request for website.example.com, that would go out to the DNS server on the web, to
return an IP address or virtual IP. With an internal DNS, the same site request is resolved
internally to the internal web server IP address, minimizing inbound/outbound traffic and access
time.
As a slave, DNS server, the FortiGate server refers to an external or alternate source as way to
obtain the url/IP combination. This useful if there is a master DNS server for a large company
where a list is maintained. Satellite offices can then connect to the master DNS server to obtain
the correct addressing.
The DNS server entries does not allow CNAME entries, as per rfc 1912, section 2.4.
To configure a master DNS server - web-based manager
1. Go to System > Network > DNS Server, and select Create New.
2. Select the Type of Master.
3. Select the View as Shadow.
4. The view is the accessibility of the DNS server. Selecting Public, external users can access,
or use, the DNS server. Selecting Shadow, only internal users can use it.
5. Enter the DNS Zone, for example, WebServer.
6. Enter the domain name for the zone, for example example.com.
7. Enter the hostname of the DNS server, for example, Corporate.
8. Enter the contact address for the administrator, for example, admin@example.com.
9. Set Authoritative to Disable.
10.Select OK.
11.Enter the DNS entries for the server by selecting Create New.
12.Select the Type, for example, Address (A).
13.Enter the Hostname, for example web.example.com.
14.Enter the remaining information, which varies depending on the Type selected.
15.Select OK.
To configure a DNS server - CLI
config system dns-database
edit WebServer
set domain example.com
set type master
set view shadow
set ttl 86400
set primary-name corporate
set contact admin@exmple.com
set authoritative disable
config dns-entry
edit 1
set hostname web.example.com
set type A
set ip 192.168.21.12
set status enable
end
end
end
Recursive DNS
You can set an option to ensure these types of DNS server is not the authoritative server. When
configured, the FortiGate unit will check its internal DNS server (Master or Slave). If the request
cannot be fulfilled, it will look to the external DNS servers. This is known as a split DNS
configuration.
You can also have the FortiGate unit look to an internal server should the Master or Slave not
fulfill the request by using the CLI commands:
config system dns-database
edit example.com
...
set view shadow
end
For this behavior to work completely, for the external port, you must set the DNS query for the
external interface to be recursive. This option is configured in the CLI only.
To set the DNS query
config system dns-server
edit wan1
set mode recursive
end
Dynamic DNS
If your ISP changes the your external IP address on a regular basis, and you have a static
domain name, you can configure the external interface to use a dynamic DNS service to ensure
external users and/or customers can always connect to your company firewall.
If you have a FortiGuard subscription, you can use FortiGuard as your DDNS server. To
configure dynamic DNS in the web-based manager, go to System > Network > DNS, select
Enable FortiGuard DDNS, and enter the relevant information for the interface communicating to
the server, and which server to use, and relevant information.
If you do not have a FortiGuard subscription, or want to use an alternate server, you can
configure dynamic DNS in the CLI use the commands below. Within the CLI you can configure a
DDNS for each interface. Only the first configured port appears in the web-based manager.
Additional commands vary with the DDNS server you select.
config system ddns
edit <instance_value>
set monitor-interface <external_interface>
set ddns-server <ddns_server_selection>
end
You can also use FortiGuard (when subscribed) as a DDNS as well. To configure, use the CLI
commands:
set ddns-server-ip
set ddns-server-port
end
FortiClient discovery and registration
FortiOS provides a means of allowing users running FortiClient Endpoint Control software to
connect to specific interfaces when connecting to the FortiGate unit. As well as ensuring that
remote or local users have FortiClient Endpoint Control software installed on their PC or mobile
device.
FortiClient discovery
You can configure a FortiGate interface as an interface that will accept FortiClient connections.
When configured, the FortiGate unit sends broadcast messages which the FortiClient software
running on a end user PC is listening for.
To enable the broadcast message
2. Edit the interface to send the broadcast messages.
3. Select FCT-Access.
4. In Device Management, select Broadcast Discovery Messages.
5. Select OK.
Once enabled, the FortiGate unit broadcasts a discovery message that includes the IP address
of the interface and listening port number to the local network. All PCs running FortiClient on
that network listen for this discovery message.
You also have the option of including a registration key. When the FortiClient discovers the
FortiGate unit, it is prompted to enter a registration key, defined by the administrator.
To add a registration key
2. Select Enable Registration Key for FortiClient, and enter the key.
3. Select Apply.
Ensure you distribute the key to the users that need to connect to the FortiGate unit.
FortiClient Registration
On the end user side, if FortiClient has not been registered with the FortiGate unit, it is
continually listening for the FortiGate discovery message. When this message is detected the
un-registered client will pop-up a FortiGate Detected message. The user can choose to either
register or ignore the message.
Clients that have registered with that FortiGate unit will not be listening for these messages and
will not display the message again.
If you enabled the registration key, the user is prompted to enter the key before a connection
can be completed.
For more information on FortiGate registration, see the FortiClient Administration Guide.
IP addresses for self-originated traffic
On the FortiGate unit, there are a number of protocols and traffic that is specific to the internal
workings of FortiOS. For many of these traffic sources, you can identify a specific port/IP
address for this self-originating traffic. The following traffic can be configured to a specific
port/IP address:
SNMP
Syslog
alert email
FortiManager connection IP
FortiGuard services
FortiAnalyzer logging
NTP
DNS
Authorization requests such as RADIUS
FSAE
Configuration of these services is performed in the CLI. In each instance, there is a command
set source-ip. For example, to set the source IP of NTP to be on the DMZ1 port with an IP of
config system ntp
set ntpsyn enable
set syncinterval 5
end
To see which services are configured with source-ip settings, use the get command:
get system source-ip status
The output will appear similar to the sample below:
NTP: x.x.x.x
DNS: x.x.x.x
SNMP: x.x.x.x
Central Management: x.x.x.x
FortiGuard Updates (AV/IPS): x.x.x.x
FortiGuard Queries (WebFilter/SpamFilter): x.x.x.x
Administration for schools
For system administrator in the school system it is particularly difficult to maintain a network
and access to the Internet. There are potential legal liabilities if content is not properly filtered
and children are allowed to view pornography and other non-productive and potentially
dangerous content. For a school, too much filtering is better than too little. This section
describes some basic practices administrators can employ to help maintain control without
being too draconian for access to the internet.
Security policies
The default security policies in FortiOS allow all traffic on all ports and all IP addresses. Not the
most secure. While applying UTM profiles can help to block viruses, detect attacks and prevent
spam, this doesnt provide a solid overall security option. The best approach is a layered
approach; the first layer being the security policy.
When creating outbound security policies, you need to know the answer to the question What
are the students allowed to do? The answer is surf the web, connect to FTP sites, send/receive
email, and so on.
Once you know what the students need to do, you can research the software used and
determine the ports the applications use. For example, if the students only require web surfing,
then there are only two ports (80 - HTTP and 443 - HTTPS) needed to complete their tasks.
Setting the security policies to only allow traffic through two ports (rather than all 65,000), this
will significantly lower any possible exploits. By restricting the ports to known services, mean s
stopping the use of proxy servers, as many of them operate on a non-standard port to hide their
traffic from URL filtering or HTTP inspection.
DNS
Students should not be allowed to use whatever DNS they want. this opens another port for
them to use and potentially smuggle traffic on. The best approach is to point to an internal DNS
server and only allow those devices out on port 53. Its the same approach one would use for
SMTP. Only allow the mail server to use port 25 since nothing else should be sending email.
If there is no internal DNS server, then the list of allowed DNS servers they can use should be
restrictive. One possible exploit would be for them to set up their own DNS server at home that
serves different IPs for known hosts, such as having Google.com sent back the IP for
playboy.com.
Encrypted traffic (HTTPS)
Generally speaking, students should not be allowed to access encrypted web sites. Encrypted
traffic cannot be sniffed, and therefore, cannot be monitored. HTTPS traffic should only be
allowed when necessary. Most web sites a student needs to access are HTTP, not HTTPS. Due
to the nature of HTTPS protocol, and the fact that encryption is an inherent security risk to your
network, its use should be restricted.
Adding a security policy that encompasses a list of allowed secure sites will ensure that any
HTTPS sites that are required are the only sites a student can go to.
FTP
For the most part, students should not be using FTP. FTP is not HTTP or HTTPS so you cannot
use URL flitting to restrict where they go. This can be controlled with destination IPs in the
security policy. With a policy that specifically outlines which FTP addresses are allowed, all
other will be blocked.
Example security policies
Given these requirements, an example set of security policies could look like the following
illustration. In a large setup, all the IPs for the students are treated by one of these four policies.
Figure 22:Simple security policy setup
The last policy in the list, included by default, is a deny policy.This adds to the potential of error
that could end up allowing unwanted traffic to pass. The deny policy ensures that any traffic
making it to this point is stopped. It can also help in further troubleshooting by viewing the logs
for denied traffic.
With these policies in place, even before packet inspection occurs, the FortiGate, and the
network are fairly secure. Should any of the UTM profiles fail, there is still a basic level of
security.
UTM security profiles
Antivirus profiles
Antivirus screening should be enabled for any service you have enabled in the security policies.
In the case above, HTTP, FTP, as well as POP3 and SMTP (assuming there is email access for
students). There is not a virus scan option for HTTPS, because the content is encrypted.
Generally speaking, most of the network traffic will be students surfing the web.
To configure antivirus profiles in the web-based manager, go to UTM Security Profiles >
Antivirus > Profile, or use the CLI commands under config antivirus profile.
Web filtering
The actual filtering of URLs - sites and content - should be performed by FortiGuard. It is easier
and web sites are constantly being monitored, and new ones reviewed and added to the
FortiGuard databases every day. The FortiGuard categories provide an extensive list of
offensive, and non-productive sites.
As well, there are additional settings to include in a web filtering profile to best contain a
students web browsing.
Web URL filtering should be enabled to set up exemptions for web sites that are blocked or
reasons other than category filtering. It also prevents the us of IP addresses to get around
web filtering.
Block invalid URLs - HTTPS only. This option inspects the HTTPS certificate and looks at the
URL to ensure its valid. It is common for proxy sites to create an HTTPS certificate with a
garbage URL. If the site is legitimate, it should be set up correctly. If the site approach to
security is to ignore it, then their security policy puts your network at risk and the site should
be blocked.
Web filtering options are configured in the web-based manager by going to UTM Security
Profiles > Web filter > Profile, or in the CLI under config webfilter profile.
Advanced options
There are a few Advanced options to consider for a web filtering profile:
Enable Provide details for blocked HTTP 4xx and 5xx errors. Under normal circumstances
there are exploits that can be used with 400 and 500 series messages to access the web
site. While most students probably wont know how to do this, there is no harm in being
cautious. It only takes one.
Enable Rate Images by URL. This option only works with Google images. It examines the
URL that the images is stored at to get a rating on it, then blocks or allows the image based
on the rating of the originating URL. It does not inspect the image contents. Most image
search engines to a prefect and pass the images directly to the browser.
Enable Block HTTP redirects by rating. An HTTP redirect is one method of getting around
ratings. Go to one web site that has an allowed rating, and it redirects to another web site
that may want blocked.
Categories and Classifications
For the selection of what FortiGuard categories and classifications that should be blocked, that
is purely based on the school system and its Internet information policy.
Email Filtering
Other than specific teacher-led email inboxes, there is no reason why a student should be able
to access, read or send personal email. Ports for POP3, SMTP and IMAP should not be opened
in a security policies.
IPS
The intrusion protection profiles should be used to ensure the student PCs are not vulnerable to
attacks, nor do you want students making attacks. As well, IPS can do more than simple
vulnerability scans. With a FortiGuard subscription, IPS signatures are pushed to the FortiGate
unit. New signatures are released constantly for various intrusions as they are discovered.
FortiOS includes a number of predefined IPS sensors that you can enable by default. Selecting
the all_default signature is a good place to start as it includes the major signatures.
To configure IPS sensors in the web-based manager, go to UTM Security Profiles > Intrusion
Protection > IPS Sensor, on the CLI use commands under config ips sensor.
Application control
Application control uses IPS signatures to limit the use of instant messaging and peer-to-peer
applications which can lead to possible infections on a students PC. FortiOS includes a
number of pre-defined application categories. To configure and maintain application control
profiles in the web-based manager, go to UTM Security Profiles > Application Control >
Application Sensor. In the CLI use commands under config application list.
Some applications to consider include proxies, botnets, toolbars and P2P applications.
Logging
Turn on all logging - every option in this section should be enabled. This is not where you decide
what you are going to log. It is simply defining what the UTM profiles can log.
Logging everything is a way to monitor traffic on the network, see what students are utilizing
the most, and locate any potential holes in your security plan. As well, keeping this information
may help to prove negligence later in necessary.
Tag management
Tag management provide a method of categorizing, or labelling objects within FortiOS using
keywords. You can give the following elements a tag, similar to a keyword:
IPS signature
application signature
security policy
firewall address
Tagging is way to organize the various elements, especially if you have a large number of
addresses, security policies to manage and keep track of. Tagging enables you to break these
elements into groups, but each element can belong to more than one group. Tags help you find
elements which have something in common, be it a group, user or location. This is very similar
to tagging found on photo sharing sites.
To use tagging, you need to enable it for 1U FortiGate units. It is enabled by default on all 2U
FortiGate units and blades.
To enable tagging - web-based manager
2. Select Object Tagging and Coloring.
3. Select Apply.
To enable tagging - CLI
config system settings
set gui-object-tags
end
Adding and removing tags
You add and remove tags when you create the various elements. For example, when adding a
firewall address, a section below the Interface selection enables you to add tags for that
element, such as the department, region, or really, anything to help identify the element. When
editing, applied tags appear as well. To add a tag, right-click on the element you want to add a
tag to.
Figure 23:Adding tags to a new address.
To remove a tag, in the element, click the tag in the Applied Tags list.
Reviewing tags
Tags can be reviewed in one location by going to System > Config > Tag Management. In this
screen, all tags used appear. The visual size of the tag name indicates the usage; the bigger the
size, the more it is used. By hovering over the keyword, a fly out indicates how many times it
has been used.
To see where it was used, click the keyword. An Object Usage window displays all the reference
categories where the keyword was used, and the number of times. Selecting the expand arrow
further details its use.
Further, for security policies for example, you can select the View icon and see the details of the
particular element. If need be, select the Edit icon to modify the element.
Figure 24:Viewing the address information for a tagged object
Tagging guidelines
Given the ease that tags can be added to elements in FortiOS, it makes sense to jump right in
and begin applying tags to elements and object. However, this type of methodology will lead to
problems down the road as new elements are added.
A methodology should be considered and developed before applying tags. This doesnt mean
you need to develop an entire thesaurus or reference guide for all possibilities of tags. However,
taking some time to develop a methodology for the keywords you intend to use will benefit later
when new security policies, addresses, and so on are added. Some things to consider when
developing a tag list:
the hierarchy used for the organization such as region, city location, building location
department names and if short forms or long forms are used
will acronyms be used or terms spelled out.
how granular will the tagging be
As tags are added, previously used tags appear so there is an opportunity to use previously
used tags. However, you want to avoid a situation where both accounting and acct are both
options. This is also important if there are multiple administrators in different locations to ensure
consistency.
At any time, you can change or even remove tags. It is best to do a bit of planning ahead of time
to avoid unnecessary work later on.
Replacement messages list
The replacement message list in System > Config > Replacement Message.
The replacement messages list enables you to view and customize replacement messages. Use
the expand arrow beside each type to display the replacement messages for that category.
Select the Edit icon beside each replacement message to customize that message for your
requirements.
Should you make a major error to the code, you can select the Restore Default to return to the
original message and code base.
If you are viewing the replacement messages list in a VDOM, any messages that have been
customized for that VDOM are displayed with a Reset icon that you can use to reset the
replacement message to the global version.
For connections requiring authentication, the FortiGate unit uses HTTP to send an
authentication disclaimer page for the user to accept before a security policy is in effect.
Therefore, the user must initiate HTTP traffic first in order to trigger the authentication disclaimer
page. Once the disclaimer is accepted, the user can send whatever traffic is allowed by the
security policy.
Replacement message images
You can add images to replacement messages to:
disclaimer pages
login pages
declined disclaimer pages
login failed page
login challenge pages
keepalive pages
Image embedding is also available to the endpoint NAC download portal and recommendation
portal replacement messages, as well as HTTP replacement messages.
Supported image formats are GIF, JPEG, TIFF and PNG. The maximum file size supported is
6000 bytes.
Adding images to replacement messages
To upload an image for use in a message
1. Go to System > Config > Replacement Message.
2. Select Manage Images at the top of the page.
4. Enter a Name for the image.
5. Select the Content Type.
6. Select Browse to locate the file and select OK.
The image that you include in a replacement message, must have the following html:
<img src=%%IMAGE: <config_image_name>%% size=<bytes> >
For example:
<img src=%%IMAGE: logo_hq%% size=4272>
Modifying replacement messages
Replacement messages can be modified to include a message or content that suits your
organization.
Use the expand arrows to view the replacement message list for a given category. Messages
are in HTML format. For descriptions of the replacement message tags, see Replacement
message tags.
To change a replacement message, go to System > Config > Replacement Message select the
replacement message that you want to modify. At the bottom pane of the window, you can the
message on one side and the HTML code on the other side. The message view changes in
real-time as you change the content.
A list of common replacement messages appears in the main window. To see the entire list and
all categories of replacement messages, in the upper-right corner of the window, select
Extended View.
Replacement message tags
Replacement messages can include replacement message tags, or variables. When users
receive the message, the message tag is replaced with content relevant to the message. The
table lists the replacement message tags that you can use.
Table 16:Replacement message tags
Tag Description
%%AUTH_LOGOUT%% The URL that will immediately delete the current policy and close
the session. Used on the auth-keepalive page.
%%AUTH_REDIR_URL%% The auth-keepalive page can prompt the user to open a new
window which links to this tag.
%%CATEGORY%% The name of the content category of the web site.
%%DEST_IP%% The IP address of the request destination from which a virus was
received. For email this is the IP address of the email server that
sent the email containing the virus. For HTTP this is the IP
address of web page that sent the virus.
%%DURATION%%
(FortioS Carrier
only)
The amount of time in the reporting period. This is user defined in
the protection profile.
%%EMAIL_FROM%% The email address of the sender of the message from which the
file was removed.
%%EMAIL_TO%% The email address of the intended receiver of the message from
which the file was removed.
%%FAILED_MESSAGE%% The failed to login message displayed on the auth-login-failed
page.
%%FILE%% The name of a file that has been removed from a content stream.
This could be a file that contained a virus or was blocked by
antivirus file blocking. %%FILE%% can be used in virus and file
block messages.
%%FORTIGUARD_WF%% The FortiGuard - Web Filtering logo.
%%FORTINET%% The Fortinet logo.
%%LINK%% The link to the FortiClient Host Security installs download for the
Endpoint Control feature.
%%HTTP_ERR_CODE%% The HTTP error code. 404 for example.
%%HTTP_ERR_DESC%% The HTTP error description.
%%KEEPALIVEURL%%
(FortiOS Carrier
only)
auth-keepalive-page automatically connects to this URL every
%%TIMEOUT%% seconds to renew the connection policy.
%%MMS_SENDER%%
(FortiOS Carrier
only)
Senders MSISDN from message header.
%%MMS_RECIPIENT%%
(FortiOS Carrier
only)
Recipients MSISDN from message header.
%%MMS_SUBJECT%%
(FortiOS Carrier
only)
MMS Subject line to help with message identity.
Table 16:Replacement message tags (continued)
Tag Description
%%MMS_HASH_CHECKSUM%
%
Value derived from hash calculation - will only be shown on
duplicate message alerts.
%%MMS_THRESH%% Mass MMS alert threshold that triggered this alert.
%%NIDSEVENT%% The IPS attack message. %%NIDSEVENT%% is added to alert
email intrusion messages.
%%NUM_MSG%%
(FortiOS Carrier
only)
The number of time the device tried to send the message with
banned content within the reporting period.
%%OVERRIDE%% The link to the FortiGuard Web Filtering override form. This is
visible only if the user belongs to a group that is permitted to
create FortiGuard web filtering overrides.
%%OVRD_FORM%% The FortiGuard web filter block override form. This tag must be
present in the FortiGuard Web Filtering override form and should
not be used in other replacement messages.
%%PROTOCOL%% The protocol (http, ftp, pop3, imap, or smtp) in which a virus was
detected. %%PROTOCOL%% is added to alert email virus
messages.
%%QUARFILENAME%% The name of a file that has been removed from a content stream
and added to the quarantine. This could be a file that contained a
virus or was blocked by antivirus file blocking.
%%QUARFILENAME%% can be used in virus and file block
messages. Quarantining is only available on FortiGate units with
a local disk.
%%QUOTA_INFO%% Display information about the traffic shaping quota setting that is
blocking the user. Used in traffic quota control replacement
messages.
%%QUESTION%% Authentication challenge question on auth-challenge page.
Prompt to enter username and password on auth-login page.
%%SERVICE%% The name of the web filtering service.
%%SOURCE_IP%% The IP address of the request originator who would have
received the blocked file. For email this is the IP address of the
users computer that attempted to download the message from
which the file was removed.
%%TIMEOUT%% Configured number of seconds between authentication keepalive
connections. Used on the auth-keepalive page.
Tag Description
Administration replacement message
If you enter the following CLI command the FortiGate unit displays the Administration Login
Disclaimer whenever an administrator logs into the FortiGate units web-based manager or CLI.
set access-banner enable
end
The web-based manager administrator login disclaimer contains the text of the Login
Disclaimer replacement message as well as Accept and Decline buttons. The administrator
must select accept to login.
Alert Mail replacement messages
The FortiGate unit adds the alert mail replacement messages listed in the following table to alert
email messages sent to administrators. If you enable the option Send alert email for logs based
on severity, whether or not replacement messages are sent by alert email depends on how you
set the alert email in Minimum log level.
Authentication replacement messages
The FortiGate unit uses the text of the authentication replacement messages for various user
authentication HTML pages that are displayed when a user is required to authenticate because
a security policy includes at least one identity-based policy that requires firewall users to
authenticate.
These replacement message pages are for authentication using HTTP and HTTPS. You cannot
customize the firewall authentication messages for FTP and Telnet.
The authentication login page and the authentication disclaimer include replacement tags and
controls not found on other replacement messages.
Users see the authentication login page when they use a VPN or a security policy that requires
authentication. You can customize this page in the same way as you modify other replacement
messages.
%%URL%% The URL of a web page. This can be a web page that is blocked
by web filter content or URL blocking. %%URL%% can also be used
in http virus and file block messages to be the URL of the web
page from which a user attempted to download a file that is
blocked.
%%VIRUS%% The name of a virus that was found in a file by the antivirus
system. %%VIRUS%% can be used in virus messages
Tag Description
There are some unique requirements for these replacement messages:
The login page must be an HTML page containing a form with ACTION="/" and
METHOD="POST"
The form must contain the following hidden controls:
<INPUT TYPE="hidden" NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%">
<INPUT TYPE="hidden" NAME="%%STATEID%%" VALUE="%%STATEVAL%%">
<INPUT TYPE="hidden" NAME="%%REDIRID%%" VALUE="%%PROTURI%%">
The form must contain the following visible controls:
<INPUT TYPE="text" NAME="%%USERNAMEID%%" size=25>
<INPUT TYPE="password" NAME="%%PASSWORDID%%" size=25>
Example
The following is an example of a simple authentication page that meets the requirements listed
above.
<HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
<BODY><H4>You must authenticate to use this service.</H4>
<FORM ACTION="/" method="post">
<INPUT NAME="%%MAGICID%%" VALUE="%%MAGICVAL%%" TYPE="hidden">
<TABLE ALIGN="center" BGCOLOR="#00cccc" BORDER="0"
CELLPADDING="15" CELLSPACING="0" WIDTH="320"><TBODY>
<TR><TH>Username:</TH>
<TD><INPUT NAME="%%USERNAMEID%%" SIZE="25" TYPE="text"> </TD></TR>
<TR><TH>Password:</TH>
<TD><INPUT NAME="%%PASSWORDID%%" SIZE="25" TYPE="password">
</TD></TR>
<TR><TD COLSPAN="2" ALIGN="center" BGCOLOR="#00cccc">
<INPUT NAME="%%STATEID%%" VALUE="%%STATEVAL%%" TYPE="hidden">
<INPUT NAME="%%REDIRID%%" VALUE="%%PROTURI%%" TYPE="hidden">
<INPUT VALUE="Continue" TYPE="submit"> </TD></TR>
</TBODY></TABLE></FORM></BODY></HTML>
Captive Portal Default replacement messages
The Captive Portal Default replacement messages are used for wireless authentication only. You
must have a VAP interface with the security set as captive portal to trigger these replacement
messages.
Device Detection Portal replacement message
The FortiGate unit displays the replacement message when the FortiGate unit cannot determine
the type of BYOD or handheld device is used to connect the network.
Email replacement messages
The FortiGate unit sends the mail replacement messages to email clients using IMAP, POP3, or
SMTP when an event occurs such as antivirus blocking a file attached to an email that contains
a virus. Email replacement messages are text messages.
If the FortiGate unit supports SSL content scanning and inspection these replacement
messages can also be added to IMAPS, POP3S, and SMTPS email messages.
Endpoint Control replacement message
The FortiGate unit displays the replacement message when the FortiClient Endpoint Security
software is not installed or registered correctly with the FortiGate unit.
FTP replacement messages
The FortiGate unit sends the FTP replacement messages listed in the table below to FTP clients
when an event occurs such as antivirus blocking a file that contains a virus in an FTP session.
FTP replacement messages are text messages.
FortiGuard Web Filtering replacement messages
The FortiGate unit sends the FortiGuard Web Filtering replacement messages listed in the table
to web browsers using the HTTP protocol when FortiGuard web filtering blocks a URL, provides
details about blocked HTTP 4xx and 5xx errors, and for FortiGuard overrides. FortiGuard Web
Filtering replacement messages are HTTP pages.
If the FortiGate unit supports SSL content scanning and inspection and if Protocol Recognition
> HTTPS Content Filtering Mode is set to Deep Scan in the antivirus profile, these replacement
messages can also replace web pages downloaded using the HTTPS protocol.
HTTP replacement messages
The FortiGate unit sends the HTTP replacement messages listed in the following table to web
browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that
contains a virus in an HTTP session. HTTP replacement messages are HTML pages.
If the FortiGate unit supports SSL content scanning and inspection, and if under HTTPS in the
protocol option list has Enable Deep Scan enabled, these replacement messages can also
replace web pages downloaded using the HTTPS protocol.
IM replacement messages
The FortiGate unit sends the IM replacement messages listed in to IM clients using AIM, ICQ,
MSN, or Yahoo! Messenger when an event occurs such as antivirus blocking a file attached to
an email that contains a virus. IM replacement messages are text messages.
NNTP replacement messages
The FortiGate unit sends the NNTP replacement messages listed in the following table to NNTP
clients when an event occurs such as antivirus blocking a file attached to an NNTP message
that contains a virus. NNTP replacement messages are text messages.
Spam replacement messages
The FortiGate unit adds the Spam replacement messages listed in the following table to SMTP
server responses if the email message is identified as spam and the spam action is discard. If
the FortiGate unit supports SSL content scanning and inspection these replacement messages
can also be added to SMTPS server responses.
NAC quarantine replacement messages
The page that is displayed for the user depends on whether NAC quarantine blocked the user
because a virus was found, a DoS sensor detected an attack, an IPS sensor detected an attack,
or a DLP rule with action set to Quarantine IP address or Quarantine Interface matched a
session from the user.
The default messages inform the user of why they are seeing this page and recommend they
contact the system administrator. You can customize the pages as required, for example to
include an email address or other contact information or if applicable a note about how long the
user can expect to be blocked.
SSL VPN replacement message
The SSL VPN login replacement message is an HTML replacement message that formats the
FortiGate SSL VPN portal login page. You can customize this replacement message according
to your organizations needs. The page is linked to FortiGate functionality and you must
construct it according to the following guidelines to ensure that it will work.
The login page must be an HTML page containing a form with ACTION="%%SSL_ACT%%"
and METHOD="%%SSL_METHOD%%"
The form must contain the %%SSL_LOGIN%% tag to provide the login form.
The form must contain the %%SSL_HIDDEN%% tag.
Web Proxy replacement messages
The FortiGate unit sends Web Proxy replacement messages listed in the table below when a
web proxy event occurs that is detected and matches the web proxy configuration. These
replacement messages are web pages that appear within your web browser.
The following web proxy replacement messages require an identity-based security policy so
that the web proxy is successful. You can also enable FTP-over-HTTP by selecting the FTP
option in System > Network > Explicit Proxy.
Traffic quota control replacement messages
When user traffic is going through the FortiGate unit and it is blocked by traffic shaping quota
controls, users see the Traffic shaper block message or the Per IP traffic shaper block message
when they attempt to connect through the FortiGate unit using HTTP.
The traffic quota HTTP pages should contain the %%QUOTA_INFO%% tag to display information
about the traffic shaping quota setting that is blocking the user.
MM1 replacement messages
MM1 replacement messages are sent when, during MMS content scanning, FortiOS Carrier
detects, for example a virus, using the MMS profile.
You must have Remove Blocked selected within the MMS profile if you want to remove the
content that is intercepted during MMS scanning on the FortiGate unit.
You must have Remove Blocked selected within the MMS profile if you want to remove the
content that is intercepted during MMS scanning on the unit.
MMS replacement messages
The MMS replacement message is sent when a section of an MMS message has been replaced
because it contains a blocked file. This replacement message is in HTML format.
The message text is:
<HTML><BODY>This section of the message has been replaced because it
contained a blocked file</BODY></HTML>
Replacement message groups
You can configure the replacement message groups from System > Config > Replacement
Message Group. All new replacement message groups that you add inherit from the default
group. Modifying messages in the default group automatically changes any messages that are
unmodified in the other groups.
Replacement message groups are not enabled by default. To enable them, go to System >
Admin > Settings and select the Replacement Message Groups check box, or use the CLI
commands:
config sysetm global
set gui-replacement-message-groups enable
end
If you enable virtual domains (VDOMs) on the FortiGate unit, replacement message groups are
configured separately for each virtual domain. Each virtual domain has its own default
replacement message group, configured from System > Config > Replacement Message Group.
When you modify a message in a replacement message group, a Reset icon appears beside the
message in the group. You can select this Reset icon to reset the message in the replacement
message group to the default version.
All MM1/4/7 notification messages for FortiOS Carrier (and MM1 retrieve-conf messages) can
contain a SMIL layer and all MM4 notification messages can contain an HTML layer in the
message. These layers can be used to brand messages by using logos uploaded to the
FortiGate unit via the 'Manage Images' link found on the replacement message group
configuration page.
Disk
To view the status and storage information of the local disk on your FortiGate unit, go to System
> Config > Advanced. The Disk menu appears only on FortiGate units with an internal hard or
flash disk.
Formatting the disk
The internal disk of the FortiGate unit (if available) can be formatted by going to System >
Config > Disk and selecting Format.
Formatting the disk will erase all data on it, including databases for antivirus and IPS; logs,
quarantine files, and WAN optimization caches. The FortiGate unit requires a reboot once the
disk has been formatted.
Setting space quotas
If the FortiGate unit has an internal hard or flash disk, you can allocate the space on the disk for
specific logging and archiving, and WAN optimization. By default, the space is used on an as
required basis. As such, a disk can fill up with basic disk logging, leaving less potential space
for quarantine.
By going to System > Config > Disk, you can select the Edit icon for Logging and Archiving and
WAN Optimization & Web Cache and define the amount of space each log, archive and WAN
optimization has on the disk.
CLI Scripts
To upload bulk CLI commands and scripts, go to System > Config > Advanced.
Scripts are text files containing CLI command sequences. Scripts can be used to deploy
identical configurations to many devices. For example, if all of your devices use identical
security policies, you can enter the commands required to create the security policies in a
script, and then deploy the script to all the devices which should use those same settings.
Use a text editor such as Notepad or other application that creates simple text files. Enter the
commands in sequence, with each line as one command, similar to examples throughout the
FortiOS documentation set.
If you are using a FortiGate unit that is not remotely managed by a FortiManager unit or the
FortiGuard Analysis and Management Service, the scripts you upload are executed and
discarded. If you want to execute a script more than once, you must keep a copy on your
management PC.
If your FortiGate unit is configured to use a FortiManager unit, you can upload your scripts to
the FortiManager unit, and run them from any FortiGate unit configured to use the FortiManager
unit. If you upload a script directly to a FortiGate unit, it is executed and discarded.
If your FortiGate unit is configured to use FortiGuard Analysis and Management Service, scripts
you upload are executed and stored. You can run uploaded scripts from any FortiGate unit
configured with your FortiGuard Analysis and Management Service account. The uploaded
script files appear on the FortiGuard Analysis and Management Service portal web site.
Uploading script files
After you have created a script file, you can then upload it through System > Config >
Advanced. When a script is uploaded, it is automatically executed.
Commands that require the FortiGate unit to reboot when entered in the command line will also
force a reboot if included in a script.
To execute a script
2. Verify that Upload Bulk CLI Command File is selected.
3. Select Browse to locate the script file.
4. Select Apply.
If the FortiGate unit is not configured for remote management, or if it is configured to use a
FortiManager unit, uploaded scripts are discarded after execution. Save script files to your
management PC if you want to execute them again later.
If the FortiGate unit is configured to use the FortiGuard Analysis and Management Service, the
script file is saved to the remote server for later reuse. You can view the script or run it from the
FortiGuard Analysis and Management Service portal web site.
Rejecting PING requests
The factory default configuration of your FortiGate unit allows the default external interface to
respond to ping requests. Depending on the model of your FortiGate unit the actual name of
this interface will vary. For the most secure operation, you should change the configuration of
the external interface so that it does not respond to ping requests. Not responding to ping
requests makes it more difficult for a potential attacker to detect your FortiGate unit from the
Internet. One such potential threat are Denial of Service (DoS) attacks.
A FortiGate unit responds to ping requests if ping administrative access is enabled for that
interface.
To disable ping administrative access - web-based manager
2. Choose the external interface and select Edit.
3. Clear the Ping Administrative Access check box.
4. Select OK.
In the CLI, when setting the allowaccess settings, by selecting the access types and not
including the PING option, that option is then not selected. In this example, only HTTPS is
selected.
To disable ping administrative access - CLI
edit external
set allowaccess https
end
Opening TCP 113
Although seemingly contrary to conventional wisdom of closing ports from hackers, this port,
which is used for ident requests, should be opened.
Port 113 initially was used as an authentication port, and later defined as an identification port
(see RFC 1413). Some servers may still use this port to help in identifying users or other servers
and establish a connection. Because port 113 receives a lot of unsolicited traffic, many routers,
including on the FortiGate unit, close this port.
The issue arises in that unsolicited requests are stopped by the FortiGate unit, which will send a
response saying that the port is closed. In doing so, it also lets the requesting server know there
is a device at the given address, and thus announcing its presence. By enabling traffic on port
113, requests will travel to this port, and will most likely, be ignored and never responded to.
By default, the ident port is closed. To open it, use the following CLI commands:
edit <port_name>
set ident_accept enable
end
You could also further use port forwarding to send the traffic to a non-existent IP address and
thus never have a response packet sent.
Obfuscate HTTP headers
The FortiGate unit can obfuscate the HTTP header information being sent to external web
servers to better cloak the source. By default this option is not enabled. To obfuscate HTTP
headers, use the following CLI command:
set http-obfucate {none | header-only | modified | no-error}
end
Where:
none do not hide the FortiGate web server identity.
header-only hides the HTTP server banner.
modified provides modified error responses.
no-error suppresses error responses.
Index
Numerics
3DES 33
802.1Q 177, 181, 184
802.3ad 166
A
abort 40
access controls 41
adding
DHCP relay agent 243
SNMP community 114
adding, configuring defining
administrator password 56
administrator settings 66
backing up configuration 19
changing administrators password 21
dashboards 15
DHCP interface settings 167
DHCP server 241
firmware version 18
formatting USB disks 20
general system settings 66
interface 160
LDAP authentication for administrators 61
manually updating FortiGuard definitions 22
password authentication 56
password, administrator 56
PKI authentication, administrators 62
RADIUS authentication, administrators 61
RAID disk 26
replacement message images 256
replacement messages 256
restoring configuration 21
secondary IP address 172
synchronizing with NTP server 18
system configuration backup and restore,
FortiManager 20
system time 18
TACACS+ authentication 61
text strings (names) 13
uploading scripts 264
Address Resolution Protocol (ARP) 205
admin
administrator account 28
concurrent sessions 57
disclaimer, login
disclaimer 60
password 54
password length 57
administration
schools 250
administrative access 170
changing 29
administrative interface. See web-based manager
administrator
account 28
lockout 58
password 28
administrator profiles
global 63
vdom 63
administrator settings 66
administrators
LDAP authentication 61
management access 56
monitoring See also widgets 21
viewing list 56
Agent, sFlow 104
aggregate interfaces 166
air flow 86
alert message console
viewing 23
allow access 170
ambient temperature 86
antivirus updates 95
manual 22
ASCII 45
asymmetric routing 208
attack updates
manual 22
scheduling 95
authenticating
L2TP clients 219
PPTP clients 211
authentication
PKI certificate, administrators 62
RADIUS for administrators 61
SCP 69
authentication server, external
for L2TP 219
for PPTP 211
authorization, LDAP 64
auto-install 74
B
backing up configuration
See widgets, system information
backup and restore configuration, central management
20
backup configuration
SCP 68
USB 77
baud rate 47
bits per second (bps) 32
Blowfish 33
boot interrupt 31
border gateway protocol (BGP). See routing, BGP
broadcast
domains 177
storm 205
C
captive portal 163
case sensitivity
Perl regular expressions 49
central management
backup and restore configuration 20
certificate, security 52
changing units host name 16
CHAP 209
CIDR 37
Cisco
router configuration 188, 203
switch configuration 188, 194, 202
CLI 11
connecting 31
connecting to from the web-based manager 29
connecting to the 31
Console widget 32
upgrading the firmware 73
CLI console 25
CNAME 246
collector agent, sFlow 104
column settings
configuring 13
command 35
abbreviation 43
completion 42
help 42
multi-line 43
concurrent sessions 57
configuration lock 83
configuration revisions 71
configure
FortiGuard 53
restore 70
connecting
to the CLI using SSH 33
to the CLI using Telnet 34
to the console 31
web-based manager 51
conservation mode 120
console 31
controlled upgrade 79
conventions 35
cp1252 45
Cross-Site Scripting
protection from 13
D
dashboards
adding 15
date and time 52
DB-9 31
DCE-RPC 226
dcerps
session helper 226
default route 187
VLAN 187
defaults 71
definitions 35
delete, shell command 39
DHCP
servers and relays 241
service 243
dhcp
IPv6 243
lease breaking 244
DHCP (Dynamic Host Configuration Protocol)
configuring on an interface 167
DHCP interface 167
diagnostics, tracert 195
disabling 225
disclaimer 60
disk status, viewing 263
Distributed Computing Environment Remote
Procedure Call (DCE-RPC) 226
DLP archive
viewing 24
DNS 226, 245
CNAME 246
external servers 245
loal domains 245
public 246
recursive 247
server
server, DNS 246
shadow 246
slave 246
split 247
DNS master 246
dns-tcp, session helper 226
dns-udp, session helper 226
domain name server 245
dotted decimal 37
downloading firmware 72
dual internet connection 232
dual WAN
link redundancy 232
load sharing 235
duplicate MAC 206
E
earthing 87
edit, shell command 39
_email 37
end
command in an edit shell 40
end, shell command 39
Endpoint Mapper (EPM) 226
entering text strings (names) 13
environment variables 43
escape sequence 43
execute shutdown 88
F
factory reset 71
field 36
File transfer protocol (FTP) 226
filter
filtering information on web-based manager lists 12
web-based manager lists 12
firewall IP addresses, defining L2TP 219
firmware
backup and restore from USB 77
download 72
from system reboot 76
installing 76
revert from CLI 75
reverting with web-based manager 72
testing before use 78
testing new firmware 78
upgrade from CLI 73
upgrade with web-based manager 72
upgrading using the CLI 73
flow control 32
formatting USB disks 20
FortiGuard 53
manually configuring definition updates 22
push update 93, 95
FortiGuard definitions
manually updating 22
FortiGuard Services
analysis service options 93
licenses 21
management and analysis service options 93
support contract 92
web filtering and antispam options 97
FortiGuard services 22
FortiGuard, backup and restore configuration 20
FortiManager
remote backup and restore options 20
Fortinet MIB 116, 121
_fqdn 37
fully qualified domain name (FQDN) 37
G
GB2312 45
Generic Routing Encapsulation (GRE) 209
get
edit shell command 40
shell command 39
gigabit interfaces, SNMP 113
graphical user interface. See web-based manager
grounding 87
GUI. See web-based manager
H
H.245 227
h245I
session helper 227
H323, session helper 227
hardware switch 164
host name 16
HTTPS 11, 57
humidity 86
I
ID tag 178, 181
idle timeout
changing for the web-based manager 29
IEEE 802.1Q 177, 181
ifHighSpeed 113
IF-MIB.ifSpeed 113
indentation 36
_index 37
index number 37
_int 37
interface
802.1Q trunk 184, 194
external, VLAN NAT example 189
external, VLAN NAT/Route example 189
maximum number 177, 208
software switch 163
VLAN subinterface 184, 188, 189, 194
interfaces
aggregate 166
AMC card 157
DHCP 167
loopback 165
MTU packet size 171
physical 156
PPPoE 168
redundant 165
secondary IP address 172
virtual domains 172
virtual LANs 174
wireless 171
zones 175
International characters 45
IP address
overlapping 185
_ipv4 37
_ipv4/mask 37
_ipv4mask 37
_ipv4range 37
IPv6
dhcp 243
_ipv6 37
_ipv6mask 37
IPX, layer-2 forwarding 205
ISO 8859-1 45
K
K-12 250
key 34
L
L2TP VPN
authentication method 219
configuration steps 218
enabling 219
firewall IP addresses, defining 219
infrastructure requirements 218
network configuration 218
security policy, defining 220
VIP address range 219
language
changing the web-based manager language 29
layer-2 178, 181, 184
example 178
forwarding 205
layer-3 181
LDAP authorization 64
LDAP server, external
for L2TP 219
for PPTP 211
lease breaking
dhcp 244
length 57
length, password 57
licenses
viewing 21
line endings 48
link redundancy 232
lists
using web-based manager 12
load sharing 235
local console access 31
local domain name 245
locking configuration 83
lockout
administrator 58
logging out
login 60
restricting unwanted 57
loopback interfaces 165
lost password
recovering 28
M
MAC address 206
maintenance
configuration revision 73
disk 263
management access 56
Management Information Base (MIB) 110
management IP address
changing 17
master DNS server 246
memory 208
merge interfaces 163
message, warning 60
MGCP 227
session helper 227
MIB 121
FortiGate 116
RFC 1213 116
RFC 2665 116
Microsoft Point-to-Point Encryption (MPPE) 210
modem 238
routing 240
modem modes 238
monitoring
administrators 21
DHCP 244
RAID 25
more 47
MS RPC 226
MTU packet size, interface 171
multi-line command 43
multiple pages 47
N
_name 37
NAT
port translation (NAT-PT) 228
VLAN example 189
NAT mode 16
NetBIOS, for Windows networks 207
network instability 205
Network Time Protocol server (NTP) 18
next 40
NTP server 53
null modem 31, 33
O
object 36
object identifier (OID) 121
ONC-RPC 226, 228
open shortest path first (OSPF). See routing, OSPF
Open Systems Interconnect (OSI) 178
operating temperature 86
operation mode 17
option 36
P
packet header 104
packets
layer-3 routing 181
VLAN-tagged 184
page controls
paging 47
PAP 209
parity 32
password 57
changing, administrator 21
configuring authentication 56
recovering lost password 28
password, changing 54
_pattern 37
pattern 37
Perl regular expressions, using 48
permissions 41
ping server 233, 240
pmap
session helper 228
Point-to-Point Tunneling Protocol (PPTP) 209
port 47 228
port, session helper 223
power off 88
PPPoE interface 168
PPTP
external server 214
layer-2 forwarding 205
session helper 228
PPTP VPN
authentication method 211
configuring pass through 214
enabling 212
FortiGate implementation 209
security policy, defining 213
VIP address range 212
protocol, session helper 223
publis DNS server 246
purge, shell command 40
push update 93, 95
override 95
R
RADIUS server, external
for L2TP 219
for PPTP 211
RAS, session helper 227
read & write access level
read only access level
reboot, upgrade 79
recursive DNS 247
redundant interface 165
redundant interfaces 232
redundant mode 238
Registration, Admission, and Status (RAS) 227
regular expression 37
relay
DHCP 241
relay, DHCP 243
remote administration 57
remote client, L2TP VPN 220
remote FortiManager options 20
remote shell 229
rename, shell command 40
replacement message group 263
replacement messages
administration 259
alert mail 259
captive portal default 260
Device Detection Portal 260
Endpoint Control 261
FortiGuard web filtering 261
FTP 261
HTTP 261
IM, P2P 261
images 255
mail 260
MM1 262
MM3 262
MM4 263
MM7 263
modifying 256
NAC quarantine 261
NNTP 261
spam 261
SSL VPN 262
tags 256
traffic quota control 262
user authentication 259
viewing 255
web proxy 262
reserved characters 43
restore 70
restore defaults 71
restoring configuration See widgets
restricting login attempts 57
reverting firmware 72
revisions 71
RFC
1213 111, 116
2516 168
2665 111, 116
RJ-45 31
RJ-45-to-DB-9 31, 33
routing
asymmetric 208
BGP 187
modem 240
OSPF 187
RIP 187
STP 207
routing information protocol (RIP). See routing, RIP
routing, default 187
rsh, session helper 229
RTSP, session helper 230
S
schedule
antivirus and attack definition updates 95
school administration 250
SCP
authentication 69
backup configuration 68
client application 69
restore configuration 70
SSH access 68
screen resolution
minimum recommended 11
scripts
uploading 264
Secure Shell (SSH)
key 34
security certificate 52
security IP addresses
defining L2TP 219
security policy
defining L2TP 219, 220
defining PPTP 213
VLAN 186
VLAN example 191
VLAN transparent mode 197, 200
serial communications (COM) port 31
server
DHCP 241
service, DHCP 243
session helper 222, 225, 226, 227, 228, 229, 231
changing the configuration 223
dcerpc 226
DNS 226
H.245 227
h245O 227
h323 227
mgcp 227
pmap 228
port 223
PPTP 228
protocol 223
ras 227
rsh 229
rtsp 230
sip 230
TFTP 230
tns 231
viewing 222
session-helper 222
set 41
setting administrative access for SSH or Telnet 32
settings 66
administrators 66
sFlow 104
shadow DNS server 246
shell command
delete 39
edit 39
end 39
get 39
purge 40
rename 40
show 40
shielded twisted pair 87
Shift-JIS 45
show 41
shell command 40
shut down 88
signatures, update 53
SIP, session helper 230
slave DNS server 246
SNMP
configuring community 114
get command 117
gigabit interfaces 113
manager 110, 114
MIB 121
MIBs 116
queries 112, 114, 115
RFC 12123 116
RFC 2665 116
traps 118
v3 110, 112
SNMP Agent 111
soft switch 163
soft-switch 163
softswith 163
software switch interface 163
Spanning Tree Protocol (STP) 205, 207
special characters 43, 45
split DNS 247
SQLNET
session helper 231
SSH 32, 33, 57
key 34
standalone mode 238
STP, forwarding 207
_str 37
string 37
sub-command 35, 38
subinterface
VLAN NAT/Route 184
switch 163
hardware 164
switching vdoms 29
syntax 35
system idle timeout 57
system reboot, installing 76
system resources
viewing 23
system time
configuring 18
system, session-helper 222
T
table 36
TACACS+ server
authentication 61
tags
replacement messages 256
TCP
port 111 223
port 135 226
port 1720 223
port 1723 223, 228
port 21 226
port 512 223
port 514 223
Telnet 32, 34
testing
VDOM transparent mode 204
VLAN 195
text strings (names) 13
TFTP server 76
TFTP, session helper 230
time
and date 52
configuring 18
NTP 53
protocol 53
zone 52
TNS 231
tns
session helper 231
top sessions
viewing 25
tracert 195
transparent mode 17, 195
management IP address 17
security policy 197, 200
VDOM example 199, 202, 203
VLAN example 198
VLAN subinterface 196
traps, SNMP 118
trunk
interface 184, 194
links 178
U
UDP
port 111 223
port 135 226
port 1719 227
port 2427 227
port 2727 227
Unicode 45
unit operation
viewing 23
universal unique identifier (UUID) 226
unknown action 35
unset 41
unwanted login attempts 57
update signatures 53
updating
antivirus and IPS, web-based manager 53
upgrade after reboot 79
upgrading, firmware using the CLI 73
uploading scripts 264
USB
auto-install 74
backup 77
USB disks, formatting 20
using the CLI 31
UTF-8 45
V
_v4mask 37
_v6mask 37
value 36
VDOM
limited resources 208
maximum interfaces 177, 208
transparent mode 195
vdoms, switching 29
veiwing
DLP archive, log and archive statistics widget 24
viewing
administrators list 56
Alert Message Console 23
configuration revisions 73
disk status 263
DLP archive 24
FortiGuard support contract 92
licenses 21
log, log and archive statistics widget 25
session history, widget 25
system information 15
system resources 23
top sessions 25
unit operation 23
VIP address
L2TP clients 219
PPTP clients 212
virtual domains 172
virtual LANs 174
VLAN
application 177
jumbo traffic frames 172
maximum number 177, 208
security policy 186
subinterface 184, 188, 189, 194
tagged packets 184
VLAN ID 181
range 178
tag 178
VLAN subinterface
VDOM transparent mode example 199
VLAN NAT example 189
VLAN NAT/Route example 189
VoIP 228
VPN, configuring L2TP 218
vulnerability
Cross-Site Scripting 13
XSS 13
W
warning message 60
wdigets
unit operation 23
web filtering service 258
web site, content category 257
Web UI. See web-based manager
web-based manager 11, 51
changing the language 29
connecting to the CLI 29
idle timeout 29
logging out 30
pages 11
screen resolution 11
using web-based manager lists 12
web-based manager, lock 83
web-based manager, switching vdoms 29
widgets 21
alert message console 23
CLI console 25
disk storage 27
IM usage 28
licence information 21
log and archive statistics 24
network protocol usage 28
P2P usage 28
RAID monitor 25
session history 25
system information 15
system resources 23
top application usage 27
top history 25
top sessions 25
VoIP usage 28
wild cards 37
wildcard pattern matching 48
Windows networks
enabling NetBIOS 207
WINS 207
wireless 171
word boundary, Perl regular expressions 48
X
XSS vulnerability
protection from 13
Z
zones 175

FortiOS 5.0 Handbook

Uploaded by

Copyright:

Available Formats

FortiOS 5.0 Handbook

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FortiOS 5.0 Handbook

Uploaded by

Copyright:

Available Formats

FortiOS Handbook

Install and System Administration for FortiOS 5.0

You might also like